As threatened in the article IPv6 neighbor proxy daemon – npd6 and the associated design ramblings here, the npd6 project now lives and breathes.
EDIT: 22 July – The project has really taken shape. Version 0.3 is now useful enough to be considered a working beta version. Building is very simple – do please try it out [...]
With two young children starting to make increasing use of the Internet, my attention has turned in recent times to the thorny subject of Content Filtering. This posting is actually going to look at a technical approach I settled upon; however, one cannot help mentioning, at least in passing, some of the wider issues involved.
As a parent I do not believe in raising children in some sort of bubble, totally devoid of anything that could possibly “harm” them. That applies to the Internet too – my hope is to raise children who are able to understand and deal with things, rather than require protection from them. To that end, Internet access for my children involves their parents first and foremost! They use a laptop, after asking permission, in the kitchen, in view of everyone else. I’m interested in what they are doing on it (genuinely so, not as some excuse to snoop!) and they want me to help and guide them. Email? Sure, make full use of it. But all emails sent to your address also get forwarded to me too guys… Why? So I can see what you’re receiving! Very open. Very honest. Nothing underhand. Those are the rules in this house.
And that approach actually covers probably 90% of what is required. However there’s still a small part that needs attention. As most adults know, there’s some weird stuff in some corners of the Internet. Really weird. Disturbingly weird. Stuff which I do not want my young children to see, even if accidentally. Being a very liberal sort, and totally anti-censorship with regard to what consenting adults view, I do not support any move to remove such stuff from the Internet. Weird, sick, depraved, whatever… Some of it may not be at all nice, but it’s there and it can be found. I just don’t want young children to accidentally find it. So what is a network engineer father to do…?
Content filtering – 4 approaches
Broadly speaking there are four ways of approaching content filtering in the home environment:
- Workstation filtering
- Network filtering
- ISP filtering
- DNS blocking
Continue reading Content filtering in a home network
Previous articles have detailed various aspects of getting IPv6 running on a home-gateway router. The aim is to migrate as much as possible towards an IPv6-only situation.
Here I cover the steps required to implement a simple point-to-point OpenVPN (SSL) VPN tunnel using PSK over IPv6 infrastructure.
One key element for me is to migrate my VPN connection to a remote host I own off IPv4 and entirely onto IPv6. This was not entirely straightforward! In fact it took hours and hours of research and experimentation to get this working. The eventual config required is not so mind-boggling. But getting there was tricky. As I’ve found out so many times before with regard to IPv6, the building bricks are lying around, but there are very few sources of information to help you stack them up. Once the steps are laid out, as you’ll see below, it’s actually pretty easy.
Migrating from what to OpenVPN IPv6?
We’re going to migrate an IPv4 OpenVPN point-to-point PSK VPN tunnel on Linux to an equivalent on native IPv6 infrastructure. We’re not trying to have an IPv4 tunnel over IPv6, nor an IPv6 tunnel over IPv4 (both of which are possible and useful in different situations). Here I aim to have an IPv6 OpenVPN SSL tunnel over pure IPv6 infrastructure.
My current VPN set up is:
- Home gateway running Ubuntu 10.04 (Lucid)
- Remote host running the same
- Fixed public IPv4 and IPv6 (global) addresses on each.
- OpenVPN point-to-point tunnel between them.
- Simple PSK authentication.
- Shorewall config as appropriate to OpenVPN.
To put some detail on it, there is a standard build of OpenVPN installed, with a config file such as /etc/openvpn/otherhost.conf:
Continue reading OpenVPN over IPv6
My much-loved Pinnacle Showcenter (written about previously here, for example) finally packed up. Not sure what killed it – did the obligatory open-it-up-and-buzz-it-a-bit routine. PSU seemed OK, but when the main board was connected up, something was dragging the PSU down big-time. No obviously failed components, so you are left with the likelihood that some chip somewhere has gone bad in a big way. So after shedding a tear, one quickly cheers up and realises that it’s a perfect excuse to replace it with something new!
Not self-build?
I wanted a device with similar functionality, to play my large collection of videos stored on a server and also allow occasional photo browsing. I didn’t have many hard and fast requirements, but as far as they went they were:
- support a wide range of media formats, particularly DivX variants and MKV hi-def.
- support a wide range of output (today we still have a large but rather old normal-def TV – I am sure in the lifetime of a new device our TV will get replaced with something HDMI-ish)
- smart networking (my house is a mixture of Ethernet-over-power and wi-fi, with little cabled Ethernet)
- Open. Very important. No proprietary crap, either in terms of what it can play or what I am allowed to do with it.
Given this and my propensity for building my own kit, a self-build seemed like an obvious idea. I toyed with the obvious mini-ITX options, with appropriately funky video cards and one of the Linux TV-based distros. But when I did a rough calculation of both the cost and the work required I couldn’t help but check if there was anything ready-built which would also do the job. I didn’t expect to find anything, to be honest. It was almost a “Due Diligence” exercise which I had to perform so that when I then spent day after day getting my self-build working OK I could mentally justify the effort. However the formality of proving there was nothing which met my needs turned out to have a surprise ending.
Continue reading Netgear EVA9150

With IPv6 slowly becoming more visible, it was time to get to grips with it. While absolutely not essential (yet!) it seemed like a fun idea: my ADSL provider offers native IPv6 in parallel with IPv4, and my hosting provider is running an IPv6 beta. So I can do native IPv6 end to end between my home and a remote host. “Home” in this case consists of a Linux firewall running iptables, fronted by shorewall. Two ethernet ports: one to the ADSL modem (my “external” interface) and one to the house infrastructure (“internal”).
The Ubuntu server distribution in use is, like most Linux distros, fully IPv6 ready. For example, do an ifconfig and we see:
Link encap:Ethernet HWaddr 00:40:63:f5:f9:3c
inet addr:88.XXX.XX.XXX Bcast:88.XXX.XXX.255 Mask:255.255.255.0
inet6 addr: fe80::240:63ff:fef5:XXX/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14086899 errors:0 dropped:0 overruns:0 frame:0
TX packets:15607323 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1837525573 (1.8 GB) TX bytes:666354591 (666.3 MB)
Interrupt:16 Base address:0x8000
Now I may not know much about IPv6 on Linux yet, but I can see that I’ve got a line beginning “inet6 addr” which looks kinda IPv6-ish. Good start. Let’s go…
Continue reading IPv6 at home – a guide to getting started