Monday, May 9, 2011

On Netgear WNR2000 Wifi Router (for Linksys ATA and Iomega NAS to work)

It has been almost 6 months since my last post... I believe I have collected sufficient information from using the Netgear WNR2000 wifi router for another post. By the way, this router is 3 years old and was released back in June 2008 (http://routers.productwiki.com/netgear-wnr2000/).

I purchased a Linksys ATA device and, in the process of getting it to work behind the Netgear router, there were several interesting findings with regard to the port-forwarding settings:
1. Using the WNR2000 default settings, the Linksys ATA could only make outgoing phone calls. Incoming phone calls resulted in a "person you are trying to call is unavailable..." message, despite successful SIP registration.
2. Netgear WNR2000 port-forwarding settings only came into effect AFTER the router rebooted.
3. F.Y.I. I configured a static IP address on the Linksys ATA device (which, by the way, only comes into effect after disabling DHCP on the Linksys ATA).
The following port-forwarding rules were referenced from another post, and the rule order on the WNR2000 MATTERS. Configure them the other way around and incoming calls won't work.

Rule 1: Permit UDP 5060, Linksys ATA static IP
Rule 2: Permit UDP 16384 - 16482, Linksys ATA static IP


I also own an Iomega NAS (with an Ethernet port). Interestingly enough, every time after I restarted my laptop, the NAS's shared drives were no longer visible (the laptop connects to the same Netgear AP that the NAS is also connected to, through CAT5e). Out of interest, a Wireshark capture indicated that when the Iomega started up, it first multicast mDNS queries (UDP 5353 rather than UDP 53 for standard DNS).
This was then followed by an exchange of SMB messages (TCP 445) between the laptop and the NAS. While I am no expert in SMB, I recall reading messages announcing each of the shared directories.
As such, it would appear that either the NAS stopped announcing these messages after the TCP connection timed out (due to the laptop restart), or the wireless router stopped new TCP sessions from being established.
The only workaround was to restart the wifi router. Afterwards, the NAS shared drives would magically become visible from my laptop again.


P.S. This morning the Netgear router finally gave in after several restarts: both my laptop and iPhone had difficulty connecting to the AP. As a result, I have replaced this router with a TP-Link TL-WR740. I upgraded this box to the latest firmware and so far so good... the Linksys ATA was simply plug-and-play, while the IP NAS has remained visible so far... perhaps I shall have more to add after another couple of months.

P.P.S. For convenience, the dialplan on the Linksys ATA has been simplified from
# Original dialplan, local calls only

(*xx|[3469]11|0|00|[2-9]xxxxxx|1xxx[2-9]xxxxxxS0|xxxxxxxxxxxx|<#0:>xx.<:@gw0>.)

To
# For dialing everything
(*xx|xxx.)
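Added example (my own illustration, not part of the original post): the Python below translates the two dialplans above into regular expressions, using the usual Linksys/Sipura dialplan syntax (x is any digit, [..] a digit class, '.' repeats the preceding element, Sn an interdigit timer, and <a:b> a substitution where only the dialed part a is matched), then checks which dialed strings each plan accepts. The dialed numbers are constructed. What it makes visible is the trade-off of the simplification: the original plan only passes a fixed set of prefix and length patterns (plus the #0 gateway escape), while (*xx|xxx.) passes any digit string, so any restriction on which destinations the ATA may dial now rests entirely with the upstream SIP provider.

```python
import re

# Added example, not from the original post: translate a Linksys/Sipura-style
# dialplan into a regular expression and test dialed strings against it.


def _alternative_to_regex(alt: str) -> str:
    """Translate one '|'-separated dialplan alternative into a regex fragment.

    Assumed syntax: digits, '*' and '#' are literals; 'x' is any digit; '[..]'
    is a digit class; '.' repeats the previous element zero or more times; 'Sn'
    is an interdigit timer (no effect on matching); '<a:b>' replaces dialed
    prefix a with b, so only a takes part in matching.
    """
    tokens = []
    i = 0
    while i < len(alt):
        c = alt[i]
        if c == "x":
            tokens.append("[0-9]")
            i += 1
        elif c == "[":
            j = alt.index("]", i)
            tokens.append(alt[i:j + 1])
            i = j + 1
        elif c == "<":
            j = alt.index(">", i)
            dialed = alt[i + 1:j].split(":", 1)[0]
            tokens.append(re.escape(dialed))      # empty for '<:@gw0>'
            i = j + 1
        elif c == "S":
            i += 1
            while i < len(alt) and alt[i].isdigit():
                i += 1
        elif c == ".":
            if tokens and tokens[-1]:
                tokens[-1] = "(?:" + tokens[-1] + ")*"
            i += 1
        else:
            tokens.append(re.escape(c))
            i += 1
    return "".join(tokens)


def compile_dialplan(plan: str) -> "re.Pattern[str]":
    """Compile a whole '(a|b|c)' dialplan into one regex of alternatives."""
    body = plan.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    alternatives = [_alternative_to_regex(a.strip()) for a in body.split("|")]
    return re.compile("(?:" + "|".join(alternatives) + ")")


def accepts(plan: str, dialed: str) -> bool:
    """True if the dialplan would route the dialed string."""
    return compile_dialplan(plan).fullmatch(dialed) is not None


# The two dialplans from the post.
ORIGINAL = "(*xx|[3469]11|0|00|[2-9]xxxxxx|1xxx[2-9]xxxxxxS0|xxxxxxxxxxxx|<#0:>xx.<:@gw0>.)"
SIMPLIFIED = "(*xx|xxx.)"


def compare(numbers):
    """Map each dialed string to (original_accepts, simplified_accepts)."""
    return {n: (accepts(ORIGINAL, n), accepts(SIMPLIFIED, n)) for n in numbers}


if __name__ == "__main__":
    # Constructed dialed strings: star code, emergency, 7-digit local,
    # 1+10-digit long distance, and a 13-digit international-style number.
    for number, (orig, simp) in compare(
        ["*69", "911", "5551234", "18005551234", "0011234567890"]
    ).items():
        print(f"{number:>16}  original={orig!s:5}  simplified={simp}")
```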


Saturday, January 22, 2011

Utilizing Home VoIP Server from Remote (over internet)

Background
Once I had a chat with a colleague and he came up with this question: "How could I use my home's PSTN or VoIP line from a remote location?" For example, he might be working overseas and wish to contact his family at home (without using his company's mobile or the customer's phone), or the other way around. The most obvious answer would be to set up a SIP client on his laptop to register with a VoIP server located at home.
To make it more interesting, the SIP client on his laptop would also be able to use his home's Asterisk server to dial out phone calls as well as receive them (virtual "call-forwarding", if you like).


First let's cover the easy part: setting up the Asterisk server at his home to accept public client registration. This includes two basic operations: registering the server's dynamic address using DynDNS, and listening on port 5060 (UDP). Note: please take a look at a previous post on setting up Asterisk on BSD to register with a public SIP server (and be assigned a public PSTN number):

Configuration 
Firstly, on the home Asterisk server, set up a new SIP account by configuring the "sip.conf" file:
;XLite over Internet - Remote VoIP testing
[user-name]
type=friend
secret=secret
host=dynamic                   ; This device needs to register
nat=yes                        ; X-Lite is behind a NAT router
disallow=all
allow=ulaw
allow=alaw

Also, set Asterisk to listen on all interfaces, including internet-facing ones.
bindport=5060                   ; UDP Port to bind to (SIP standard port is 5060)
                                ; bindport is the local UDP port that Asterisk will listen on
bindaddr=0.0.0.0
On a personal note, I would prefer Asterisk to support the configuration option of setting "bindaddr" to a particular interface (e.g. em0), allowing for more user control.

Add an extension for this SIP client locally by configuring the "extensions.conf" file:
[outbound-local]
exten => 12345678,1,Dial(SIP/user-name)

In this example, the extension given to the SIP client is 12345678. "outbound-local" is bound to the locally attached PSTN phone; remember to include this context under "default".
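Added example (not from the post and not Asterisk's own code): a small Python audit of a chan_sip sip.conf for the settings this setup relies on once port 5060 is open to the internet. It flags bindaddr=0.0.0.0 in [general], a missing alwaysauthreject=yes (a real chan_sip option), and peers whose secret is empty, a dictionary word, equal to the peer name, or short, with host=dynamic peers called out separately because anyone who can reach the port may try to register as them. The two configurations embedded below are constructed: the first is the post's fragment with bindport/bindaddr placed in [general] where chan_sip reads them, the second a hardened version of it; the weak-secret list and the 12-character minimum are policy choices of this example.

```python
import re

# Added example (not from the post): audit a chan_sip sip.conf for the
# settings that matter when Asterisk accepts registrations from the internet.

WEAK_SECRETS = {"secret", "password", "1234", "12345678"}   # constructed short list
MIN_SECRET_LEN = 12                                           # policy chosen for this example


def parse_sip_conf(text):
    """Parse sip.conf text into {section: {key: [values]}}.

    Strips ';' comments and keeps repeated keys (allow=ulaw, allow=alaw).
    Templates ('(!)') and #include lines are not handled (assumption).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\].*", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def _last(opts, key, default=""):
    """Asterisk takes the last occurrence of a repeated option."""
    return opts.get(key, [default])[-1]


def audit_sip_conf(text):
    """Return (section, finding) pairs for settings worth a second look."""
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get("general", {})
    # chan_sip binds to all addresses when bindaddr is omitted
    if _last(general, "bindaddr", "0.0.0.0") == "0.0.0.0":
        findings.append(("general", "bindaddr=0.0.0.0: SIP listens on every interface, "
                                    "including the internet-facing one"))
    if _last(general, "alwaysauthreject").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': rejected REGISTERs "
                                    "reveal which peer names exist"))
    for name, opts in conf.items():
        if name == "general" or "type" not in opts:
            continue                      # not a peer/user/friend definition
        secret = _last(opts, "secret")
        weak = (not secret or secret.lower() in WEAK_SECRETS
                or secret == name or len(secret) < MIN_SECRET_LEN)
        if weak:
            findings.append((name, "missing or weak secret (dictionary word, equals the "
                                   f"peer name, or shorter than {MIN_SECRET_LEN} characters)"))
        if weak and _last(opts, "host") == "dynamic":
            findings.append((name, "host=dynamic with a weak secret: any host that can "
                                   "reach port 5060 may register as this peer after guessing it"))
    return findings


# Constructed: the post's fragment, with the bind options under [general].
SAMPLE = """\
[general]
bindport=5060                   ; UDP port to bind to
bindaddr=0.0.0.0

;XLite over Internet - Remote VoIP testing
[user-name]
type=friend
secret=secret
host=dynamic                   ; This device needs to register
nat=yes                        ; X-Lite is behind a NAT router
disallow=all
allow=ulaw
allow=alaw
"""

# Constructed hardened variant: the bind address stays open because remote
# clients must reach it, but the secret is long and random and failed
# registrations no longer disclose peer names.
HARDENED = """\
[general]
bindport=5060
bindaddr=0.0.0.0
alwaysauthreject=yes

[user-name]
type=friend
secret=Vq7xR2pwL9sT4mZ3         ; constructed, not a real credential
host=dynamic
nat=yes
disallow=all
allow=ulaw
"""

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE), ("hardened", HARDENED)):
        print(label)
        for section, finding in audit_sip_conf(cfg):
            print(f"  [{section}] {finding}")
```

The remaining finding on the hardened configuration is deliberate: this setup needs SIP reachable from outside, so the listening address is something to be aware of rather than a mistake, and the compensating controls are the strong secret and alwaysauthreject.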
  
DynDNS - Remote Access over Internet
DynDNS (http://www.dyndns.com/) provides a free dynamic DNS service. The idea behind this service is that you can access your home computer via the internet by typing a domain name of your choice. Diving into more detail: a dyndns client is installed on your home computer. Whenever the home computer receives a public IP address, the client registers it against the host name allocated to you on the DynDNS server. The DynDNS server then updates the DNS record and makes it publicly available. So, when you access your home computer using its URL, the DNS lookup returns your home computer's latest registered public IP.

It is a free service, as mentioned; as a matter of fact, I have seen lots of DSL broadband routers providing this setting as well, which opens up opportunities for other applications such as remote home monitoring, but I shall leave those for another post.

Configuration for Dynamic DNS.
There is a good tutorial on the DynDNS site for setting up "ddclient", along with a step-by-step configuration guide (http://www.dyndns.com/support/kb/using_ddclient_with_dyndns_services.html).

Herewith my configuration: 
/usr/local/etc/ddclient.conf
# Basic configuration file for ddclient
#
# /etc/ddclient.conf
daemon=600
cache=/tmp/ddclient.cache
pid=/var/run/ddclient.pid
ssl=yes
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
login=
password=
protocol=dyndns2
server=members.dyndns.org
wildcard=YES
custom=yes, example.com
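Added example (not ddclient's code and not from the post): a minimal dyndns2 update client in Python that does what the ddclient configuration above does, namely read the public address from checkip.dyndns.com, send an authenticated update to members.dyndns.org, and interpret the one-word reply. The URLs and return codes are those of the dyndns2 protocol; the user-agent string and the sample responses are constructed, and each network function takes an "opener" parameter so the exchange can be exercised without a connection.

```python
import base64
import re
import urllib.request

# Added example (not from the post): a minimal dyndns2 update client, the
# protocol ddclient speaks with protocol=dyndns2.

CHECKIP_URL = "http://checkip.dyndns.com/"
UPDATE_URL = "https://members.dyndns.org/nic/update"
USER_AGENT = "example-ddns-client/0.1 admin@example.com"   # constructed
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# dyndns2 return codes and what a client should do about them
RETURN_CODES = {
    "good": "address updated",
    "nochg": "address unchanged; do not resend until it changes",
    "badauth": "bad username/password; stop and fix credentials",
    "notfqdn": "hostname is not a fully qualified domain name",
    "nohost": "hostname does not belong to this account",
    "abuse": "hostname blocked for abuse (repeated unnecessary updates)",
    "badagent": "user agent rejected",
    "dnserr": "server-side DNS error; retry later",
    "911": "server-side problem; retry later",
}


def parse_checkip(html: str) -> str:
    """Extract the address from the 'Current IP Address: a.b.c.d' page."""
    m = re.search(r"Current IP Address:\s*(" + IPV4 + ")", html)
    if not m:
        raise ValueError("no address in checkip response")
    return m.group(1)


def fetch_public_ip(opener=urllib.request.urlopen) -> str:
    """Ask checkip.dyndns.com which address our traffic arrives from."""
    req = urllib.request.Request(CHECKIP_URL, headers={"User-Agent": USER_AGENT})
    with opener(req, timeout=10) as resp:
        return parse_checkip(resp.read().decode())


def build_update_request(hostname, ip, login, password):
    """Build the dyndns2 GET: HTTP Basic auth plus hostname and myip parameters."""
    url = f"{UPDATE_URL}?hostname={hostname}&myip={ip}"
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Authorization": "Basic " + token,
        "User-Agent": USER_AGENT,
    })


def parse_update_response(body: str):
    """Return (code, ip_or_None, success) for a dyndns2 reply line."""
    parts = body.strip().split()
    code = parts[0] if parts else ""
    if code not in RETURN_CODES:
        raise ValueError(f"unknown dyndns2 response: {body!r}")
    ip = parts[1] if len(parts) > 1 and re.fullmatch(IPV4, parts[1]) else None
    return code, ip, code in ("good", "nochg")


def update_if_changed(hostname, login, password, current_ip, last_ip,
                      opener=urllib.request.urlopen):
    """Send an update only when the address differs from the cached one.

    Resending an unchanged address is what earns an 'abuse' block, which is
    why ddclient keeps a cache file; None means nothing needed to be sent.
    """
    if current_ip == last_ip:
        return None
    req = build_update_request(hostname, current_ip, login, password)
    with opener(req, timeout=10) as resp:
        return parse_update_response(resp.read().decode())


if __name__ == "__main__":
    # Real use would read login/password from a mode-600 file, never the code.
    code, ip, ok = parse_update_response("good 203.0.113.7")   # constructed reply
    print(code, ip, ok, "-", RETURN_CODES[code])
```

Two things ddclient gets right that this sketch keeps: the cache comparison before sending (the service blocks hosts that resend unchanged addresses), and treating badauth as a stop condition rather than something to retry every ten minutes.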

XLite Configuration
XLite is a free Windows program. Setting it up as a VoIP client is quite straightforward: just configure the username, password and domain (the home Asterisk server's URL). Once the registration is successful, you are ready to go.

Testing Scenarios
Moment of truth. My colleague and I tried the following scenarios, with their results attached.
XLite calls home phone          OK
XLite calls local number        OK*
    (*the caller appears as the PSTN number; however, after the mobile rejects the incoming call, XLite is still ringing)
Home phone calls XLite          OK (extension 12345678)
Mobile calls XLite              Not OK
    (this is because the extension is not registered on the public PSTN network...)

In conclusion, this exercise shows that it is possible to set up a VoIP server at home and offload most of its functions onto a lightweight VoIP client registered over the public internet. To fully offload the SIP server's functions onto the VoIP client, the PSTN phone number must also be assigned to the VoIP client, effectively removing the home phone from use.

Friday, January 21, 2011

Cost Comparison between EoP versus Wifi

Background/ Requirements
I have moved home recently. There are two TV sets, connected to a Western Digital Live Media Player and to XBMC respectively. Both require a wired Ethernet connection to a Netgear wireless router located in a separate room in order to access the internet:
The TV connected to XBMC is in a different room. I am reusing the previously built solution, a DD-WRT Wifi client: http://homeopensource.blogspot.com/2010/03/converting-wifi-adapter-into-80211g.html

This setup has proven quite reliable, although its throughput is only around 5 Mbps. For example, copying a 1.36 GB file (a DVD) from my laptop to the XBMC box takes around 37 minutes.
While this is ample bandwidth for standard-definition video streaming (and of course internet radio stations at ~128 kbps), the video quality degrades significantly when, say, I am using my laptop to access the internet at the same time.


I would like to work out the cost of setting up an internet connection for the WD Media Player, which is connected to the second TV through HDMI. It is intended to stream high-definition content, so the bandwidth required will be higher than the 802.11g link can offer. Also, I would prefer my YouTube videos to be unaffected by the wireless internet connection.

Wireless Connection (G/N Dual-Band)
Initially, I considered a g/n dual-band setup with the access point supporting both G and N clients simultaneously. A forum post indicates this setup works quite well (http://forums.whirlpool.net.au/archive/1226195) and should support up to 80 Mbps throughput, more than sufficient for HD streaming. There is only the additional cost of purchasing an 802.11n client with an Ethernet port, but unfortunately they are hard to come by. As most commercially available wireless routers' firmware only allows the device to be configured as an access point, if I were to go for a wireless router, it would have to support DD-WRT.

Ethernet over Power (EoP) 
This device essentially transmits the data signal across the residential electrical circuit using a different frequency band from that of the mains power; in other words, it acts a bit like a frequency modulator. Its operation is straightforward: there is no software driver nor any configuration required, simply plug-and-play. I managed to find an extensive review of the TP-Link TL-PA201 EoP adapters (http://www.tp-link.com/products/productDetails.asp?pmodel=TL-PA201), along with their throughput performance (http://www.vitocassisi.com/archives/790/6), which is quite similar to that of 802.11n.

Price Point
I searched www.msy.com.au and found a D-Link DIR-600 Wireless N router selling for $50.00, whereas the TP-Link TL-PA201 EoP adapter pair is selling for $109.00, roughly a $60.00 difference. The wireless solution is still significantly cheaper than the EoP adapter pair.


Conclusion

This analysis is rather preliminary in terms of its application (streaming video to a TV). Consider when additional users require internet access. Most importantly, smartphones definitely cannot benefit from a pure Network over Power setup; in other words, NoP effectively hinders internet mobility. This means a wireless router is needed nonetheless. In a pure wireless environment, on the other hand, we would see a degradation in performance as the number of devices grows, which is bad news for bandwidth-sensitive IPTV applications.


In summary, EoP shows lots of potential (e.g. ease of use, high throughput, operating independently of the wireless network, and no new wires across the home required), but it is the pricing and limited application at this stage that hinder its popularity. In fact, I see these two technologies complementing each other rather than one being better than the other.


Note: 
For those who are interested, please take a look at the FAQ for EoP on Netgear's website; it contains lots of good information, including the recommended (maximum) number of EoP adapters, expected throughput, etc.

Wednesday, July 28, 2010

Some useful UNIX commands

Haven't done a post for a while, so I thought I should do a quick one on some handy UNIX commands...
A couple of days ago, I was doing some admin work on a BSD system. "df -kh" showed me that the /var partition had 35G used, taking up over 98% of its allocated space...

I found this nice command for displaying the disk usage of each file/directory:
# cd /var
# du -sk *
"du" stands for disk usage; "-s" gives one summary line per argument and "-k" reports in KBytes (alternatively, use "-m" for MB).
It turned out that /var/spool/clientmqueue/* was full, possibly because one of the programs kept trying to send mail (although I had sendmail disabled under /etc/rc.conf, but that's a different story).

There were so many files under this directory that "rm -rf ./*" returned an "Argument list too long" error. Instead, I had to use:
# ls | xargs rm
which pipes the output from "ls" to "rm". Unfortunately, there were also too many arguments for "ls" to handle.

As I was about to head off, I decided to remove the entire directory:

# nohup rm -rf /var/spool/clientmqueue/* &
"nohup" lets the process keep running after I have logged off, with "&" putting it into the background... and problem solved.

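Added example (not from the post): the greedy batching that xargs performs, written out in Python so the limit behind "Argument list too long" is visible. A single exec call can carry at most ARG_MAX bytes of argument and environment strings (os.sysconf("SC_ARG_MAX") reports the host's value); "rm -rf ./*" puts every expanded name into one call, whereas xargs splits the list into as many rm invocations as fit. The queue-file names are constructed and nothing is deleted: the function only produces the argv lists that would be executed.

```python
import os

# Added example (not from the post): the batching xargs does, written out so
# the limit behind "Argument list too long" can be seen and tested.


def arg_bytes(args):
    """Bytes an argv list occupies: each string plus its NUL terminator."""
    return sum(len(a.encode()) + 1 for a in args)


def batch_args(paths, limit, command=("rm", "-f", "--")):
    """Greedily split paths into argv lists that each stay within limit.

    Every batch starts with the command words, as xargs prepends them. A
    single path that cannot fit even on its own raises ValueError, the case
    in which xargs itself reports "argument line too long".
    """
    base = arg_bytes(command)
    batches, current = [], []
    for p in paths:
        if base + arg_bytes([p]) > limit:
            raise ValueError(f"single argument exceeds limit: {p!r}")
        if current and base + arg_bytes(current) + arg_bytes([p]) > limit:
            batches.append(list(command) + current)
            current = []
        current.append(p)
    if current:
        batches.append(list(command) + current)
    return batches


def system_arg_max():
    """The limit this host enforces on one exec (Linux and BSD expose it)."""
    return os.sysconf("SC_ARG_MAX")


if __name__ == "__main__":
    # Constructed names in the style of a sendmail client queue.
    names = [f"qf{i:05d}" for i in range(100)]
    for argv in batch_args(names, limit=256):
        print(len(argv) - 3, "files,", arg_bytes(argv), "bytes:", " ".join(argv[:5]), "...")
    print("host ARG_MAX:", system_arg_max())
```

The reason to feed xargs from find rather than ls in real use is the separator: "ls | xargs rm" splits on whitespace, so a name containing a space or newline becomes two wrong arguments, while "find dir -type f -print0 | xargs -0 rm -f" passes NUL-separated names that cannot be mis-split.
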
Saturday, June 5, 2010

Implementing Network Intrusion Detection for Home Network


My home gateway provides wireless internet access for all home computing devices, including the computer I am writing on. For an added layer of security, I have recently added a network intrusion detection system (NIDS) to the unix box using Snort.

Snort is an open-source Network Intrusion Detection System capable of analyzing packets and identifying potential security threats, and BASE is a PHP-based program providing a graphical interface for analyzing the network statistics and data collected by Snort. [http://en.wikipedia.org/wiki/Snort_(software)]

Having done some research online, I came across this great guide on installing "Snort and BASE on FreeBSD". [http://rackerhacker.com/2007/05/27/install-snort-and-base-on-freebsd/]


Giving credit to the guide mentioned above, I pretty much referenced it throughout the entire installation of Snort, except for the BASE part, which isn't covered. Here is my interpretation of the entire "HowTo", based on my installation experience:

- Update the BSD ports collection using "portsnap fetch extract update"
- Install Snort (enable the MySQL option) and Oinkmaster from /usr/ports/security
- Install MySQL from /usr/ports/databases/mysql50-server. I used version 50 while newer versions are available, because the MySQL client was already installed on my system and their versions need to match.
- Modify the "oinkmaster.conf" file (copied from /usr/local/etc/oinkmaster.conf.sample) and specify the rule file's location:
url = file:///snortrules-snapshot-2860.tar.gz
The rules file has to be in .tar.gz format. In my case it is saved on the hard drive, so for the above example I used the "file" scheme. Oinkmaster also supports retrieving the rules file over the internet, allowing for periodic updates via crontab (see the other examples in the configuration file for more details).
Note: register with Snort to obtain the latest rule files; downloads from their site are only permitted once every 15 minutes for security reasons.
- Extract Snort rules to rules directory
# oinkmaster -o /usr/local/etc/snort/rules/

- Configure the MySQL database. Create database "testdb" using "# mysql -u snort -psnortpassword testdb < /usr/local/share/examples/snort/create_mysql"; this database is where Snort writes to and BASE reads from.

- Grant user "snort" access to database "testdb". Log in to MySQL as the root user using "mysql -u root".
> GRANT ALL PRIVILEGES ON testdb.* TO 'snort'@'localhost' IDENTIFIED BY 'snortpassword';
- To confirm, log in to MySQL as snort using "mysql -u snort -p". You will then be prompted for the password, and "show databases;" should list testdb:
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| testdb             |
+--------------------+

- Configure the "snort.conf" file under /usr/local/etc/snort/ and uncomment the following lines:
# config detection: search-method lowmem
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort password=snortpassword dbname=testdb host=localhost
Ensure the database name matches that previously created.

- Configure the "rules" files. I was using rules file snortrules-snapshot-2860.tar.gz and noted quite a lot of errors (e.g. data_type not known) when I test-ran Snort. So, I commented out some lines in the following rules files in addition to "local.rules":
> web-client.rules
> x11.rules
> attack-responses.rules
> backdoor.rules
> spyware-put.rules # I had to comment this file out entirely due to large number of errors...

Finally, update "/etc/rc.conf" so that the services start automatically:
### Snort/BASE Solution ###
mysql_enable="YES"
snort_enable="YES"
snort_interface="tun0" # I am using PPPoE access at home

Start Snort using "/usr/local/etc/rc.d/snort start". If there are no errors, messages like the following should appear in /var/log/messages:
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5998:4] P2P Skype client login startup [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50854 -> 212.8.163.76:12350
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5999:4] P2P Skype client login [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 212.8.163.76:12350 -> 192.168.2.10:50854
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5998:4] P2P Skype client login startup [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50854 -> 212.8.163.76:12350
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5693:4] P2P Skype client start up get latest version attempt [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50855 -> 204.9.163.158:80
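Added example (not from the post): a Python parser for the alert_syslog lines shown above, which makes it possible to count alerts per signature and pick out the internal hosts involved straight from /var/log/messages, before BASE is even installed. The four lines from the post are embedded as the sample input; the regular expression follows the fixed layout of the alert_syslog output plugin (gid:sid:rev, message, optional classification, priority, protocol, source -> destination), and the 192.168. prefix used to identify local hosts is an assumption.

```python
import re
from collections import Counter

# Added example (not from the post): parse the Snort alert lines that the
# alert_syslog output plugin writes to /var/log/messages.

ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# The four lines shown in the post, used here as the sample input.
SAMPLE_LOG = """\
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5998:4] P2P Skype client login startup [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50854 -> 212.8.163.76:12350
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5999:4] P2P Skype client login [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 212.8.163.76:12350 -> 192.168.2.10:50854
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5998:4] P2P Skype client login startup [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50854 -> 212.8.163.76:12350
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5693:4] P2P Skype client start up get latest version attempt [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50855 -> 204.9.163.158:80
"""


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    a = m.groupdict()
    for key in ("pid", "gid", "sid", "rev", "pri"):
        a[key] = int(a[key])
    for key in ("sport", "dport"):            # absent for ICMP and similar
        a[key] = int(a[key]) if a[key] else None
    return a


def parse_log(text):
    """Parse every Snort alert in a syslog extract; other lines are skipped."""
    return [a for a in map(parse_alert, text.splitlines()) if a]


def count_by_sid(alerts):
    """Alert volume per signature id, the first thing to look at when tuning rules."""
    return Counter(a["sid"] for a in alerts)


def local_hosts(alerts, prefix="192.168."):
    """Internal addresses seen as source or destination (the prefix is an assumption)."""
    hosts = set()
    for a in alerts:
        for addr in (a["src"], a["dst"]):
            if addr.startswith(prefix):
                hosts.add(addr)
    return hosts


def high_priority(alerts, max_priority=1):
    """Alerts at or above a Snort priority threshold (1 is the most severe)."""
    return [a for a in alerts if a["pri"] <= max_priority]


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_LOG)
    for sid, n in count_by_sid(alerts).most_common():
        print(f"sid {sid}: {n} alert(s)")
    print("local hosts involved:", sorted(local_hosts(alerts)))
    print("priority-1 alerts:", len(high_priority(alerts)))
```

On the sample, the count per signature already tells the story the post describes: three signatures, all classified as the same Skype policy class, all involving the one internal host. That is the kind of summary that decides whether a rule is worth keeping or belongs in the "commented out" list above.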


BASE Installation
- Install BASE (enable MySQL) and adodb from /usr/ports/security/base and /usr/ports/databases/adodb respectively.
I already had Apache (HTTP server) installed on my system; otherwise it is located under /usr/ports/www/apache22, and there are lots of good tutorials on how to get your web server up and running.
The following is for configuring BASE:
# /usr/local/etc/apache22/httpd.conf
DocumentRoot "/usr/local/www/base"
...
# This should be changed to whatever you set DocumentRoot to.

...
Allow from All
# Enable PHP in apache
LoadModule php5_module libexec/apache22/libphp5.so

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Update the $DBlib_path variable to /usr/local/share/adodb/ in /usr/local/www/base/base_conf.php, and set the alert database parameters to match the Snort database created earlier:
$DBlib_path = '/usr/local/share/adodb/';
$DBtype = 'mysql';

/* Alert DB connection parameters*/
$alert_dbname = 'testdb';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'snortpassword';

Lastly, MySQL listens on the network by default. This means anyone who can reach the host can attempt to connect to the database over the network, an unnecessary exposure given that Snort and BASE both talk to it on localhost. Disable MySQL's network listener:
# cp /usr/local/share/mysql/my-large.cnf /usr/local/etc/my.cnf
# vi /usr/local/etc/my.cnf
# Don't listen on a TCP/IP port at all...
skip-networking

If things go well, the Snort and BASE system should be up and running and you should see the following (as you can see, my database name is "snort_log"):