Posts Tagged ‘router’

Configure Stand-Alone Bridge on Debian

I like to start my Xen networking by creating two (or more) bridges, one connected to the physical interface on the dom0 and another which is only connected to by virtual machines. This lets me set up an internal private network for cross-VM interaction and administration which is insulated from the DC’s network. If you put a router VM on both bridges which occupies your public IP addresses you can use 1-1 NAT to stack services from different VMs behind one IP and firewall the virtual machines. This is particularly handy where your address space is small but your VMs are many.

Unfortunately, the Debian interfaces configuration scheme doesn’t like setting up bridges with no bridge_ports directive so we have to give it a little boost. You will end up with a configuration file that looks something like this:

auto lo
iface lo inet loopback

iface eth0 inet manual

auto extbr0
iface extbr0 inet static
        bridge_ports eth0
        address x.x.x.x
        network x.x.x.0
        broadcast x.x.x.255
        gateway x.x.x.1

auto intbr0
iface intbr0 inet manual
        pre-up    brctl addbr $IFACE
        post-down brctl delbr $IFACE
        up        ifconfig    $IFACE up y.y.y.y
        down      ifconfig    $IFACE down

Where y.y.y.y is an internal IP you can use to access the dom0. For example, if you would rather not expose SSH on your dom0 to the wild, make sshd listen on this IP and shell in over a VPN.
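
One way to check that binding, as an added example that is not part of the original post: the script reads an sshd_config and lists every address sshd would bind to other than the internal one. The function names and the sample addresses (10.10.0.1 standing in for y.y.y.y) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: confirm sshd is bound only to the dom0's internal bridge address.

# Print each address sshd_config ($1) binds to, one per line, port stripped.
# Prints "*" when no ListenAddress is set, since sshd then binds to every address.
sshd_listen_addrs() {
    awk 'tolower($1) == "listenaddress" {
             a = $2
             if (a ~ /^\[/) { sub(/^\[/, "", a); sub(/\].*$/, "", a) }   # [addr]:port
             else if (a ~ /^[^:]*:[0-9]+$/) sub(/:[0-9]+$/, "", a)       # addr:port
             print a; n++
         }
         END { if (!n) print "*" }' "$1"
}

# Print every bound address that is not the internal address $2.
# Empty output means sshd is reachable only through the internal bridge.
sshd_exposed_addrs() {
    sshd_listen_addrs "$1" | grep -Fxv -- "$2"
    return 0    # grep -v exits non-zero when nothing is left; that is the good case
}

# Constructed sample; 10.10.0.1 stands in for the post's y.y.y.y.
sample_sshd_config() {
    cat <<'EOF'
Port 22
#ListenAddress 0.0.0.0
ListenAddress 10.10.0.1:22
ListenAddress 203.0.113.10
EOF
}

cfg=$(mktemp) && sample_sshd_config > "$cfg"
sshd_exposed_addrs "$cfg" 10.10.0.1
rm -f "$cfg"
```

On a live dom0, `sshd -T` prints the effective configuration, which also covers settings that come from defaults rather than from the file.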

ClearOS 6.3: I am an Access Point and So Can You

Despite the crappy things I’ve had to say about 6.3 I’ve decided to tough it out on my new home router. Normally, where the modem and router-ap are separate pieces of equipment, you can simply turn off DHCP on the old router and keep using it as an access point by plugging the switch side of it into the local network and moving its LAN IP somewhere it won’t conflict with the new router. Unfortunately, my ISP has made the “step up” to all-in-one modem-router-APs and the only way to bypass the limitations of the built-in router is to put the device in “bridged mode”, effectively turning it into a modem and sacrificing all of its other functionality. This would require either purchasing a separate, stand-alone access point or adding AP functionality to the ClearOS router to keep wifi going.

I settled on the Ralink 3090 because at about $10 it’s the cheapest 802.11n card offered on eBay at present. Unfortunately, the kernel module for this card seems to be the only Ralink module missing from those distributed with ClearOS by default – necessitating building and swapping in a new kernel.

First, it’s necessary to install the build environment:

# yum --enablerepo=clearos-developer,clearos-epel install clearos-devel

Now we’ll grab and install the kernel sources:

# wget
# rpm -iv kernel-2.6.32-279.2.1.v6.src.rpm
# cd ~/rpmbuild

Now we need to install a few dependencies and patch the kernel according to the rpm spec:

# yum install xmlto asciidoc elfutils-libelf-devel binutils-devel newt-devel python-devel "perl(ExtUtils::Embed)" hmaccalc
# rpmbuild -bp --target=x86_64 SPECS/kernel.spec
# cp -a BUILD/kernel-2.6.32-279.2.1.el6/ /usr/src
# cd /usr/src
# ln -s kernel-2.6.32-279.2.1.el6/linux-2.6.32-279.2.1.v6.x86_64/ linux

We need to install ncurses-devel to run make menuconfig.

# yum install ncurses-devel

Since we’re rolling our own kernel we can’t rely on the stock initrd to get us booting. Once you’re in menuconfig be sure to compile these modules into the kernel statically:

  • Your disk controller module(s)
  • Ext4
  • Multiple devices driver support (RAID and LVM)
  • Device mapper support
  • Wired network devices (optional but I’m fond of guarantees)

Once you’ve configured your kernel and module selection, compile and install them:

# make
# make modules_install
# cp arch/x86_64/boot/bzImage /boot/vmlinuz-new

Now modify /boot/grub/grub.conf: copy and paste the existing entry so you have two identical entries, then change the first one to reference the new kernel’s file name. Leave the second intact so that if we can’t boot the new kernel we can still get back in to do more tweaking without having to break out a livecd.

Your wireless card will probably require external firmware to be loaded with its module. Be sure to install the firmware image to /lib/firmware so it can be found easily on bootup. For the RT3090 a .bin image is available in the linux source code zip at

You may reboot at this point, and if successful you should be looking at a new interface (e.g. wlan0):

# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

eth1      no wireless extensions.

wlan0     IEEE 802.11bgn  Mode:Master  Frequency:2.462 GHz  Tx-Power=27 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

imq0      no wireless extensions.

imq1      no wireless extensions.

Now we need to install hostapd, which will take care of WPA authentication and putting your card into Master mode:

# yum install hostapd

Edit /etc/hostapd/hostapd.conf to reflect your environment:


# Some usable default settings...

# Uncomment these for base WPA & WPA2 support with a pre-shared key


# Most modern wireless drivers in the kernel need driver=nl80211

# Customize these for your local configuration...

# Wireless N
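
Since this file carries the pre-shared key and decides which WPA versions and ciphers the access point offers, it is worth auditing before hostapd is started. The script below is an added example, not part of the original post or of hostapd; the function names, the sample configuration and the 16-character passphrase threshold are assumptions, while the option names are hostapd's own.

```shell
#!/bin/sh
# Added example: audit a hostapd.conf for weak WPA-PSK settings.

# Value of the last uncommented "key=value" line for key $2 in file $1.
conf_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

# Print one finding per line; prints nothing when the file passes.
audit_hostapd() {
    f=$1
    wpa=$(conf_get "$f" wpa)
    ciphers="$(conf_get "$f" wpa_pairwise) $(conf_get "$f" rsn_pairwise)"
    pass=$(conf_get "$f" wpa_passphrase)
    case "$wpa" in
        2) ;;                                   # WPA2 (RSN) only
        ""|0) echo "OPEN: wpa is unset or 0, WPA is disabled" ;;
        *) echo "WPA1: wpa=$wpa still offers legacy WPA, use wpa=2" ;;
    esac
    case "$ciphers" in                          # only flags TKIP listed explicitly
        *TKIP*) echo "TKIP: TKIP is listed as a pairwise cipher, use CCMP only" ;;
    esac
    # 16 is this example's own threshold; WPA itself accepts 8 to 63 characters.
    if [ -n "$pass" ] && [ "${#pass}" -lt 16 ]; then
        echo "PSK: passphrase is ${#pass} characters, shorter than 16"
    fi
    # The file holds the pre-shared key, so other users must not read it.
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "PERMS: $f is world-readable, chmod 600 it"
    fi
    return 0
}

# Constructed sample, not the configuration from the post.
sample_conf() {
    cat <<'EOF'
interface=wlan0
driver=nl80211
ssid=ExampleAP
wpa=3
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=changeme123
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && chmod 644 "$tmp"
audit_hostapd "$tmp"
rm -f "$tmp"
```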

Now start hostapd and add it to the appropriate runlevels:

# /etc/init.d/hostapd start
# chkconfig --level 2345 hostapd on

If you want the wireless to be on the same subnet as your wired LAN you must bridge the wireless and wired interfaces using standard ifcfg config files and restart networking; webconfig will not allow you to edit a bridge interface’s IP settings so these must be included in the ifcfg file. Otherwise, assign a different subnet to the wireless device and choose the LAN role to allow routing between the two subnets. Alternatively, choose the Hot LAN role if you want to keep wireless clients from poking around on your wired network (probably a good idea!).

Be sure to enable DHCP for your bridged or wireless interface and congratulations on your new ClearOS access point.

ClearOS 6.3 is Godawful, Keep Using 5.x

I’m sure anyone who works for ClearFoundation and sees this will think “well, you can’t please everyone!” but this is a list of things they have managed to horribly screw up that every admin needs to know before plunging head first into ClearOS 6.3 or worse, an earlier 6.x:

  • You can no longer limit or reserve bandwidth for a whole IP or IP range. I know the documentation says you can. You can’t. This was apparently done in 6.2 then carried into 6.3 to make bandwidth management play along with multiwan – something that seemed to be possible for years until now. From the app’s review tab:

    by Asad Siddiqui – June 20, 2012

    Following modifications are required; The bandwidth limitations are on network card interface only, there is no option of limiting bandwidth on the basis of single IP address or range of IP addresses. Although this was provided in Clark Connect. This option may kindly be added in this application

  • Speaking of apps: WTF, apps? 6.x is clearly the Foundation’s idea of cashing in on “cloud” and “app” clichés. Software is no longer packaged, it is apped and you don’t get your apps from a repo you get them from the marketplace. It’s like they’ve tried to make a routing distribution appeal to a twelve year old girl. Routers are not something that should be built by people who have no concept of routing and making it approachable to those who do not is aggravating to those who do. This is not a desktop distribution, why are they trying to broaden their target demographic?

    I see what you did there. I couldn’t disapprove more.

  • There is no way (at least that I’ve found so far) to uninstall apps in the webconfig. You must feel around and guess the package name then yum erase it.
  • Every god-damned page in the webconfig now has a huge, unnecessary app column taking up valuable space in the hopes that they might up-sell you on the commercial apps you already passed up on install. Fsck off, I’m trying to configure my firewall – I don’t give a crap how many stars it has.
  • Even more of the setup process is done in the web interface now and god help you if you happen to put in a wrong name server or you may find yourself wondering why it’s taking forever to not time out when it looks for new packages.
  • Registering with ClearSDN is now mandatory; you’re SOL if you think you can set up the router without an active connection and drop it in later. Wonderful. ET phone home!
  • Kernel-devel doesn’t actually contain the kernel sources and kernel-sourcecode is missing. You have to do it the hard way:
    rpm2cpio kernel-2.6.32-279.2.1.v6.src.rpm > kernel.cpio
    cpio -idmv < kernel.cpio
    cd rpmbuild/SOURCES/
    cp linux-2.6.32-279.2.1.el6.tar.bz2 /usr/src/
    cd /usr/src/
    tar xjf linux-2.6.32-279.2.1.el6.tar.bz2
  • “Development Tools” package group has been replaced with clearos-centric clearos-devel. This pulls in 170 packages meant to help you design apps and whatnot but mostly useless if all you need is a C build environment.
  • No more free IPsec! There is still a paid-for “Dynamic VPN” app which provides this functionality but the old IPsec module has been dropped for good.

Doubtless I will have plenty more nasty things to say about this new major version as time goes on and it reveals its sins to me. Do check in from time to time.

The only nice thing I have to say is way to go on the 64 bit version – now if only they would provide Xen images in addition to every other virtualization platform that should NOT be used to run a router…


Bad Karma Networks

Made in Canada  •  There's a fox in the Gibson!  •  2010-12