Sunday, May 20, 2012

The Screaming Viking

Abandon all hope, you who enter

Archive for the ‘Tech’ Category

Year end ordering

Posted by Grand Poobah On May - 10 - 2012

It’s year end for the school, and with that comes the onslaught of ordering. I like this time of year because I get a chance to play with a few new things. It also gives me the opportunity to set things up the way I’d like them set up. Like I’ve said before, there is nothing wrong with the way the previous guy configured things…I just have a different idea of how I want it to work. I want to move towards a more “enterprisey” environment. I want to be able to manage all the machines from one central point, and I want to do it as cheaply as possible.

So far we have received approval to build out 2 business computer labs. I’m going to use iMacs for these labs running both Lion and Win7. They are going to be set up to dual boot. I think this gives us maximum flexibility. For one of these labs they are looking at teaching multimedia applications and some web design. We’re looking at dual monitor setups and all that. I think it will be pretty decent by the time we are done. The only real concern I have is getting enough data pipe to these machines. I don’t think the network drops in that room were ever really designed to push as much traffic as these machines will potentially push/pull. What I’m going to do is build out the room the way I want, then I’ll look at going back and attacking the networking situation later. The way the building is segmented there is no real main switch closet. There are a couple of locations that have auxiliary switches. In the next few years I would like to run fiber…but I’m not sure how much that is going to cost.

Something else I want to do is replace all the ancient Macs we have here. There are 90 or more eMacs, which at this point are long past their usefulness. I wonder how much we’d save on power alone if these were replaced… My thoughts are instead of replacing X amount each year, we finance it…replace them all at once and pay it off over a few years. This is going to be quite a bit of work for me, but I think this would jump-start us on to a regular replacement schedule. Also, in five years maybe we would be looking at some kind of 1-to-1 initiative where we can downsize the desktop machines. Right now I don’t know how that would work…but we’ll see.

If all this replacement action gets approved, it will keep me fairly busy over the summer. Physically setting them up and moving things around will take a little bit of time, but the big time sink will be putting images on the machines. With Deep Freeze it has to copy the size of the frozen disk with each image…that’s what takes all the time.

We’re also ordering a few iPads. Not a whole bunch, I will probably have around 20 to mess with and get ready for the school year. The management of the iPads is something that is a bit tricky. I’ve decided to quit expecting that people won’t use them for personal stuff. As long as they are ready for school and they have them for that…I don’t care what they are used for.

Gonna be a busy summer.

smoothwall

Posted by Grand Poobah On October - 4 - 2011

Man, it has been a challenge getting the smoothwall working the way I wanted it to out in the sticks. One of the initial problems I had was that ancient box I was using. It was good enough for a while, but it was starting to go to hell on me. It was throwing disk errors sometimes, wouldn’t connect sometimes…one of the ports was going bad…it was just not a good situation. I replaced that with a newer one, and that was working alright…but I wasn’t getting quite what I expected out of the QoS.

QoS for smoothwall worked decently in town…it never really did what I thought it should though. What it actually does do on the smoothwall box is cut down the % of the overall bandwidth you have for each service. If I set p2p on “low” it will give it 50% max of my total connection, “slow” looks to be about 25%. This allows you to prioritize some traffic, but it isn’t exactly what I want. When the connection is sitting idle, I’d like whatever is using pipe to use all it can…when the connection is used by something with a higher priority it gets the majority of the pipe and the lower stuff gets cut back. I did increase my headroom to 10%; this seems to have helped some but it still doesn’t do what I want. I’ve done some reading about this and apparently getting QoS working any better on smoothwall is quite a challenge. Some guys who know way more than I do about networking have hacked away at it and had some measure of success. One of these guys has his own customized version of smoothwall…so I thought I’d give that a go.
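The behaviour described in the paragraph above (a class keeps a guaranteed share under contention but may use the whole pipe when everything else is idle) is what Linux HTB calls `rate` versus `ceil`. The script below is an added example written for this page, not smoothwall’s own QoS script and not the modified build mentioned in the post; the interface name, the link speed and the percentages are assumptions, and the `TC` variable defaults to a dry run that only prints the `tc` commands.

```shell
#!/bin/sh
# Added example (not smoothwall's QoS): HTB shaping on the RED interface where
# each class has a guaranteed share ("rate") but may borrow up to the whole
# link ("ceil") when the link is idle. Names and numbers below are assumptions.
WAN_IF="${WAN_IF:-ppp0}"        # assumed name of the RED (external) interface
LINK_KBIT="${LINK_KBIT:-1000}"  # assumed upstream speed in kbit/s; set it a little
                                # below the real line rate so the queue forms here
TC="${TC:-echo tc}"             # dry run by default; run with TC=tc to apply for real

# share_kbit PERCENT -> guaranteed kbit/s for a class holding PERCENT of the link
share_kbit() {
    echo $(( LINK_KBIT * $1 / 100 ))
}

# add_class MINOR PERCENT PRIO: PERCENT of the link guaranteed, full link as ceiling,
# lower PRIO number wins when several classes want to borrow spare bandwidth
add_class() {
    minor=$1; pct=$2; prio=$3
    $TC class add dev "$WAN_IF" parent 1:1 classid "1:$minor" htb \
        rate "$(share_kbit "$pct")kbit" ceil "${LINK_KBIT}kbit" prio "$prio"
}

setup_qos() {
    $TC qdisc del dev "$WAN_IF" root 2>/dev/null || true
    # unclassified traffic lands in the bulk class 1:30
    $TC qdisc add dev "$WAN_IF" root handle 1: htb default 30
    $TC class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit"
    add_class 10 50 1   # interactive: half the link guaranteed, first to borrow
    add_class 20 30 2   # web
    add_class 30 20 3   # bulk / p2p: 20% guaranteed, 100% available when others idle
    # classification: match on destination port (ssh to interactive, http to web);
    # everything else falls through to the default class
    $TC filter add dev "$WAN_IF" parent 1: protocol ip prio 1 u32 \
        match ip dport 22 0xffff flowid 1:10
    $TC filter add dev "$WAN_IF" parent 1: protocol ip prio 2 u32 \
        match ip dport 80 0xffff flowid 1:20
}

setup_qos
```

The point of `rate` and `ceil` is that the shares only matter when the link is saturated: with nothing else running, the bulk class climbs to its `ceil`, and as soon as an interactive flow appears HTB pulls bulk back toward its `rate`. A fixed percentage cap, which is what the post describes, is the same as setting `ceil` equal to `rate`.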

Just like any admin, before I whacked the box I decided to make a backup *.iso of the machine. I’d done this several times before on the old box and even restored it a couple of times without issue. For this build I had the image I’d created right after I set it up completely and now this new one I created about a week later. I burnt them both to disk and proceeded to load the new modified version of smoothwall. On the new hardware I’m using things load really fast…I was done going through the process in probably 15 min (the old box would take an hour or so). Fired it up, looked at the QoS tab…nada, exactly the same. The screenshots I was seeing showed something different. I thought maybe it just worked better so I configured my port rules and gave it a go…nope, exact same thing.

There is a module that smoothwall uses to detect the p2p traffic. That isn’t working out well on mine. Fine, no biggie, I hard-coded the ports I use into the settings file, nope…still doesn’t throttle it properly. I could live with the QoS the way it’s set up in smoothwall, but it would be really handy if it detected the ports properly. This is something new after I moved. The old box I had would connect to Cable One via DHCP; when I brought it up to the farm the only change was to have it connect via PPPoE. This caused a problem with the port forwarding rules as they are not in effect after a reboot. For some reason I need to disable/enable them after the smoothwall connects. I posted a question on a message board about this and the useful response was that the Red (external) IP needs to be established before port forwarding rules can take effect. I assume this isn’t happening and things get borked. I’m wondering if this is also happening with the QoS…but then why wouldn’t it work after I enable/disable it…like the port forwarding rules do. It seems like it identifies all the other ports correctly…but not the p2p ports. Even if I put those ports under a different heading (gaming for example) it doesn’t filter them properly. I don’t get it.

I also had a problem installing this modded version that was going to make it impossible for me to use anyhow. While it was loading it failed to create the swap as well as subsequent partitions. I dropped into the shell and commented out creating these partitions just to see if it was worth my time to monkey with getting it to actually install properly. I did get it installed…but as I mentioned above things didn’t work anyhow. There were also quite a few disk errors because of my hack…no biggie but if I was going to run this reliably obviously that had to be fixed. The problem appeared to be that it didn’t drop the sda2 partition into /dev…I’m not sure why and didn’t feel like messing with it anymore. I popped my restore disk in, rebooted…“can’t detect hard drive”…ta hell? Reboot, same…power down, restart…same. Pop in the disk for the modded install, finds the disk fine…but still doesn’t install properly. I have no reason to expect there might be problems with my HD, but maybe there was. I have moved recently, maybe things got banged around too much. It was late so I didn’t feel like screwing with it. The wife relies on the connection for work, so I do have a backup Linksys router that will handle the network for us. Even if I just used the Linksys router and not a Linux firewall…I’d still have two of them. If one goes to hell or something she needs to be back up quickly. I don’t expect anything would, but I’ve got a couple of them so it’s not like I’m buying extra hardware. My need for redundancy stops at the extra equipment I already have…

I downloaded a new smoothwall iso at the school and installed it the following weekend…everything installed fine and it’s up and running like I expected it to be. It has the problems I outlined initially, but once they were identified it was fairly simple (albeit a little bit of a hassle) to work through. I set up my smoothwall with Red (external), Green (trusted internal) and Orange (DMZ) interfaces. The idea is to run the internal network off the Green interface and the wife’s work machine off the Orange. I have some mods installed on the smoothwall for nicety enhancements: adzap, dansguardian, clamav…etc. Anything on the Orange connection should bypass these mods and just have a straight connection to the interwebs. Also, this segregates her from my network. Not that I’m worried about her machine, but if something from my network happened to get on her machine or she attached to my network storage without thinking about it I’d rather she didn’t get in trouble. One thing I did find out though is that it doesn’t seem like she completely bypassed all of adzap. I’m not sure exactly why this is…although, after thinking about it while I’m typing this it is possible that Chrome had the page in question (a recipe site) cached and wasn’t trying to reload the images. (The wife goes to this recipe site and some of the images wouldn’t load. Found out a while ago that adzap was whacking them. I fixed it, but after the reload I had to “refix” it.) When we went to si.com or the inforum, the ads loaded…so I should have looked into this a little better, but it was late and I wanted it to just work for now. I would have had to add that PASS rule for adzap as she might look at the site from an internal machine anyhow.

Why all this hassle? Well, like I’ve said before…a Linux firewall is about all that will handle all the connections I create…and because tinkering with things is what has given me the knowledge to get the jobs as I’ve gone through life. Just today I called up smoothwall corporate to ask for pricing on their content filter app and hardware for the school. I wouldn’t have known about these guys if I hadn’t used their open source software at home. While I might have been able to find -something- that would have worked, the base knowledge I built on my own with content filtering can’t be a bad thing.

Technohillbilly Consulting

Posted by Grand Poobah On September - 30 - 2011

I haven’t had much time to type up any blogs outside of the coaching updates from time to time. Between work, coaching and some time at home I find that I am really quite busy lately. There were a lot of changes implemented over the summer and that caused the shake down period to be a bit longer than in previous years. After things have been hammered out a bit, I’m back down into regular maintenance. For as busy as the summer was, I am satisfied with the way the majority of things are running. There is some stuff that is going to have to be updated…but that is going to cost a bit of money that I’m sure the school is not able to spend at the moment. I have around 80 eMacs that need to be replaced. At 1200 per, that adds up pretty fast. We’ll just have to work with what we have.

One of the opportunities for me in moving up here is a little bit of consulting type work for some of the small businesses in the area. Yesterday I had my first “interview” with a small business. When I say small I am referring to the number of employees they have…I do not know what volume of business they do. It’s possible they are bursting at the seams with clients, which is great for them and me. I worked at a company a few years ago that was struggling (workforce) and it wasn’t a good feeling. I also don’t think interview is the right word. It’s more of a meeting where they can decide if my service is right for them and I can also see if their environment is going to be right for my services. We discussed their needs/wants, I compared that to my work experience and abilities and it looks like a pretty good fit. I left the meeting feeling pretty good that we would come to an agreement and this morning I received an email that confirmed that sentiment. To finalize the deal we’ll need to work out the numbers and work through some transition time. I’m not going to be posting the company name and/or what they do. I don’t think it’s good practice to be talking about various companies on a blog site and certainly not without their permission.

New Firewall

Posted by Grand Poobah On September - 19 - 2011

This weekend I decided to build myself a new firewall. The obvious question is, “why would you need a firewall at all?”. I realized about a year ago that I was going to need something a little better than a consumer class router to handle my home networking needs. It’s not that I do anything all that fancy or need more functionality; the little router was not able to handle all the connections I was creating via torrents. It would last for maybe a couple of days then services would slowly die. The DHCP server might crash, the wireless might go down, then blamo it would hard lock. I’d have to reset the power and everything would be fine for a couple of days again…rinse, repeat. I decided to build a smoothwall on free hardware just to see if it’s something I would use. Fast forward a year and as it turns out the smoothwall is something that was kind of handy to have. The machine I have it on though is starting to show its age in a bad way. It may or may not boot up completely after a power outage. One of the NICs is starting to get finicky about the connection…the hard drive sounds like it’s on its last legs…it’s time for a new one. On top of all that, it would be nice to have something a little bit faster. I decided to repurpose my old desktop for the new firewall box. This machine has a 2.2 GHz Athlon with 2 GB of RAM and an 80-ish GB SATA HD. That should be enough horsepower to run a firewall pretty smoothly. I ordered a couple more NICs so I could configure things the way I wanted…and I was off and running.

There isn’t much to say about the install; smoothwall goes on really easy. The only “tricky” part about it is knowing what NIC it’s talking about when it asks you what to use for the various interfaces. I configured it and rebooted…good to go. The difference between this machine and the old one is nothing short of incredible. It responds so much faster, it runs quieter…it’s just an all around better box. I mentioned in the last paragraph that I ordered 3 NICs. I set one up as the “RED” (external) interface, one as the “GREEN” (internal) interface, and the last as the “ORANGE” (DMZ) interface. What having the orange interface allows me to do is put a machine on that NIC and keep it segregated from my internal network as well as have it unaffected by the various mods I put on the firewall (content filter, adzapper…etc). I’m going to connect the wife’s work machine into this NIC. It isn’t going to increase her speed or anything like that, but it will allow me to say that any problems she is having are not caused by the firewall. Of course that won’t stop her from asking me about every issue as soon as it comes up…
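The RED / GREEN / ORANGE layout described here, and again in the later smoothwall post (DMZ host segregated from the trusted LAN, both zones reaching the internet), comes down to a small zone policy matrix applied in the forwarding path. The script below is an added example written for this page; it is not smoothwall’s own rule set. The interface names are assumptions, and `IPT` defaults to a dry run that prints the `iptables` commands instead of loading them.

```shell
#!/bin/sh
# Added example (not smoothwall's rules): the forwarding policy behind a
# RED / GREEN / ORANGE firewall, written as a zone matrix and turned into
# iptables rules. Interface names below are assumptions.
RED_IF="${RED_IF:-ppp0}"        # external; PPPoE in the post's setup
GREEN_IF="${GREEN_IF:-eth1}"    # trusted LAN
ORANGE_IF="${ORANGE_IF:-eth2}"  # DMZ, where the work machine sits
IPT="${IPT:-echo iptables}"     # dry run by default; run with IPT=iptables to apply

# zone_policy SRC DST -> ACCEPT or DROP for *new* connections.
# Both internal zones may reach the internet and the LAN may open connections
# into the DMZ; nothing from RED or ORANGE may open a connection toward GREEN,
# so a compromised DMZ host cannot reach the trusted network.
zone_policy() {
    case "$1-$2" in
        GREEN-RED|ORANGE-RED|GREEN-ORANGE) echo ACCEPT ;;
        *) echo DROP ;;
    esac
}

zone_if() {
    case "$1" in
        RED) echo "$RED_IF" ;;
        GREEN) echo "$GREEN_IF" ;;
        ORANGE) echo "$ORANGE_IF" ;;
    esac
}

apply_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # replies belonging to connections that were allowed in the first place
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for src in GREEN ORANGE RED; do
        for dst in GREEN ORANGE RED; do
            [ "$src" = "$dst" ] && continue
            $IPT -A FORWARD -i "$(zone_if "$src")" -o "$(zone_if "$dst")" \
                -m conntrack --ctstate NEW -j "$(zone_policy "$src" "$dst")"
        done
    done
    # both internal zones hide behind whatever address RED currently has
    $IPT -t nat -A POSTROUTING -o "$RED_IF" -j MASQUERADE
}

# add_port_forward PORT DMZ_HOST: inbound DNAT into the DMZ. Matching on the RED
# interface rather than the RED address means the rule does not depend on the
# PPPoE address already being assigned when the rules are loaded.
add_port_forward() {
    port=$1; host=$2
    $IPT -t nat -A PREROUTING -i "$RED_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    $IPT -A FORWARD -i "$RED_IF" -o "$ORANGE_IF" -p tcp -d "$host" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_forward_rules
add_port_forward 8080 192.0.2.10   # constructed example host in the DMZ
```

Note that the port-forward rule is inserted before the generic RED to ORANGE DROP is consulted only because it is a more specific ACCEPT appended later for an established match; in a real deployment the explicit ACCEPT should be appended before the zone loop or placed in its own chain so ordering is not left to chance.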

I dig on being able to create as many connections as possible and this firewall still handling them without a hiccup…and I take for granted all the ads the adzapper actually does take care of for me. The content filter isn’t something I’d really need per se…but it keeps the wife happy that the kid isn’t seeing something we don’t want her to. The 2nd install of smoothwall went much better than the first time I did it…I can’t imagine what the difference might be….
