From: Michael Richardson <mcr@sandelman.ca>
To: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 07 Feb 2019 20:08:38 +0100
Message-ID: <7437.1549566518@dooku.sandelman.ca>
Subject: [Cerowrt-devel] upgrading from CeroWRT --- seeking advice on rule testing
List-Id: Development issues regarding the cerowrt test router project

For the past 9 months I've been trying to replace my 3800 running CeroWRT
with an 18.06 OpenWrt build running on another 3800. Thank God for serial
consoles.... It's proving not so trivial.

No complaints against you Dave: you did an awesome job, but OpenWrt wasn't
ready for many of your ideas. I drank all your Kool-Aid and added more
flavour. Routed wifi, 172.30.42.x.

CeroWRT replaced a power-hungry NetBSD 1U system, and at a similar time, I
also replaced multiple 16-port unmanaged switches with a single 24-port GE
managed switch. So I used multiple VLANs in/out of the 3800 for routing
between my 3+ subnets ("trusted", "service", "voip/media", 4 wifi. I also
have a VLAN for NFS traffic, which the 3800 does not see).

My uplink is PPPoE over VDSL2 (external SmartRG in modem mode), and I have
native IPv6, and a static IPv4 /28 routed as /32s to systems that need it.
Most systems are IPv6-only with a Jool box providing NAT64, and other
systems having dual stack with NAT44.

In the fall I moved the wifi off the 3800 to a gen-one Turris machine that
got located in the kitchen, closer to the wifi users.

I have numerous netifd issues (the 32-bit int indexed by ifindex bug bites
me), and DHCPv4 and RA have just stopped working on one network. No
understanding why... something deeper than the ifindex issue. And I know
that there are known vulnerabilities in some of the system components. Thus
my strong desire to upgrade.

A backup/restore didn't work.... and so since network is critical to my
day-to-day work, and my family gets pissed if I break Netflix and YouTube,
I can only test for short periods of time when the family is out, and I'm
exceptionally lucid.

The naming "se00" vs "ethXX" gets in the way. I have weird problems where
machines behind the gateway can ping 8.8.8.8, but I can't ping it from the
gateway. The details don't matter. I'm mostly writing this for future people
googling. I spent another two hours today trying to debug (the first time, I
had no working uplink, and I was missing tcpdump on the new unit. I was
convinced my ISP had dropped my static routes)...

So I will be starting again from scratch (total factory reset), get it going,
and then add my custom configuration. I particularly find the per-port vs
802.1q VLAN stuff difficult to sort out, as both come in to the eth0 interface
in some kind of tagging, and I'm totally unclear if I can have the four LAN
switch ports come in as separate networks, and *also* have stuff coming in as
802.1q tagged on those ports. The UI gets it right, but it's hard to use the
UI if you've toasted the network, and are reduced to serial console.

Aside from any further advice on the switch/vlan issue in the 3800, I'm
wondering if there are any recent innovations in firewall configuration
testing. What I'd like (and I've done this before in the distant past, but
always manually) is to have a script that I run from an untrusted cloud
location, that basically just does a series of TCP and UDP (v4 and v6)
connections to verify that I've got everything configured sanely. That is,
it should verify that my mail server answers port 25, but nothing else does,
that my DNS server answers authoritatively, but not recursively, and that my
web servers answer with all the right virtual hosts. Unit and regression
testing for firewalls.

I used to do this with a hand-crafted shell script that used
nc/telnet/wget/dig. I'm hoping that the state of the art has progressed....
maybe there is a service out there for this?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
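The kind of firewall regression script the post asks for, as an added example (it is not code from the message, the CeroWRT project or OpenWrt). It is meant to be run from an outside host against your own published addresses: it compares TCP reachability against an expectation table, sends a raw wire-format DNS query over UDP and reads the AA (authoritative) and RA (recursion available) flags from the reply, and fetches a path with an explicit Host header to confirm a virtual host is served. The hostnames and ports in EXPECTATIONS are constructed placeholders; everything else uses only the Python standard library.

```python
# Added example, not from the original mailing-list post: a small
# firewall/exposure regression checker.  Run from outside your network
# against your own hosts; all names and ports below are constructed.
import socket
import struct
import http.client

# Constructed expectation table: (host, port, must_be_open).  In real use this
# is your published service list; anything not listed as open should be
# refused or filtered from the outside.
EXPECTATIONS = [
    ("mail.example.invalid", 25, True),     # MTA must answer
    ("mail.example.invalid", 3306, False),  # database must not be reachable
    ("www.example.invalid", 80, True),
]


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connect completes.  getaddrinfo picks v4 or v6; pass a
    literal address to pin the family when checking both stacks."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # refused, filtered (timeout), unreachable, no route
        return False


def build_dns_query(name, qtype=1, rd=True, txid=0x1234):
    """Minimal RFC 1035 query: 12-byte header plus one question (class IN)."""
    flags = 0x0100 if rd else 0x0000      # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_dns_flags(resp):
    """Return (txid, aa, ra, rcode) from a DNS response header."""
    txid, flags = struct.unpack("!HH", resp[:4])
    return txid, bool(flags & 0x0400), bool(flags & 0x0080), flags & 0x000F


def dns_probe(host, name, port=53, timeout=2.0, txid=0x2A2A):
    """Query name over UDP and report whether the server answered, claims
    authority (AA) and offers recursion (RA).  A server that should only serve
    its own zones answers its zone with AA set and RA clear."""
    silent = {"answered": False, "aa": False, "ra": False, "rcode": None}
    family, _, _, _, sockaddr = socket.getaddrinfo(
        host, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_dns_query(name, txid=txid), sockaddr)
            resp, _ = s.recvfrom(512)
        except OSError:   # timeout or ICMP port unreachable
            return silent
    got_txid, aa, ra, rcode = parse_dns_flags(resp)
    if got_txid != txid:  # stray packet, not our answer
        return silent
    return {"answered": True, "aa": aa, "ra": ra, "rcode": rcode}


def http_vhost_status(host, port, vhost, path="/", timeout=2.0):
    """HTTP status the server returns for an explicit Host header (vhost
    check).  Use http.client.HTTPSConnection for TLS listeners."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": vhost})
        return conn.getresponse().status
    finally:
        conn.close()


def run_checks(expectations, probe=tcp_open):
    """Compare reality to the expectation table; return the mismatches as
    (host, port, actual, expected).  An empty list means policy matches."""
    failures = []
    for host, port, must_be_open in expectations:
        actual = probe(host, port)
        if actual != must_be_open:
            failures.append((host, port,
                             "open" if actual else "closed",
                             "open" if must_be_open else "closed"))
    return failures


if __name__ == "__main__":
    for failure in run_checks(EXPECTATIONS):
        print("MISMATCH %s:%d is %s, expected %s" % failure)
```

Two practical points: a filtered port fails by timeout rather than by refusal, so the per-probe timeout bounds the total run time, and checking v4 and v6 separately means listing literal addresses (or resolved A and AAAA records) rather than relying on getaddrinfo's first answer.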