<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Brock&#039;s Blog</title>
	<atom:link href="http://blog.brocktice.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://blog.brocktice.com</link>
	<description>Formerly Virtually Shocking</description>
	<lastBuildDate>Tue, 18 Mar 2025 14:58:58 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>Deploying 464XLAT for IPv6-only clients on a small WISP network with Mikrotik routers</title>
		<link>https://blog.brocktice.com/2017/12/27/deploying-464xlat-for-ipv6-only-clients-on-a-small-wisp-network-with-mikrotik-routers/</link>
					<comments>https://blog.brocktice.com/2017/12/27/deploying-464xlat-for-ipv6-only-clients-on-a-small-wisp-network-with-mikrotik-routers/#comments</comments>
		
		<dc:creator><![CDATA[Brock Tice]]></dc:creator>
		<pubDate>Thu, 28 Dec 2017 01:01:19 +0000</pubDate>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Ubuntu]]></category>
		<guid isPermaLink="false">https://blog.brocktice.com/?p=1907</guid>

					<description><![CDATA[Motivation The world is out of IPv4 addresses. While some can be bought and traded, ARIN is no longer issuing new assignments to organizations in the USA. My WISP, Black Mesa Wireless, came up against this problem last year when we asked ARIN for another block of IPv4 addresses and were told we were out [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2>Motivation</h2>
<p>The world is out of IPv4 addresses. While some can be bought and traded, ARIN is no longer issuing new assignments to organizations in the USA. My WISP, <a href="https://bmwl.co">Black Mesa Wireless</a>, came up against this problem last year when we asked ARIN for another block of IPv4 addresses and were told we were out of luck. While some ISPs NAT many customers through a few public IP addresses, there are many reasons not to do that and I refuse to. We assign each customer a public IP address. Now we will have to assign most of them IPv6 addresses only, and not IPv4.</p>
<p>It&#8217;s easy to get an allocation of IPv6 addresses, and there are so many that we should not run out for many times my lifetime, if ever. ARIN allocated us a /36 with very little difficulty or fanfare. The first thing we had to do was figure out how to split this up. After doing a bunch of reading about best practices, we came up with a sparse allocation scheme that should be OK should we grow to many times our current size. I will leave that for the reader to research, or maybe one day write a separate article.</p>
<p>All of that settled, we had to figure out how to provide good service to our customers even if they were running with only an IPv6 public address (or rather, subnet) on their WAN. T-Mobile has led the way on this, deploying <a href="https://tools.ietf.org/html/rfc6877">464XLAT</a> on their network over the past few years. I have made use of this as a T-Mobile and then Project Fi customer, and it works just fine. While NAT64 is an option, it still breaks some applications and fails if IP literals (i.e. IP addresses written out rather than host names) are used in web sites or services. 464XLAT uses a scheme to NAT IPv6 traffic out through IPv4 addresses and retains those mappings in a stateful way for the duration of a connection. This transparently works for pretty much everything.</p>
<h2>Implementation</h2>
<p>Deploying 464XLAT requires two special functions&#8211; client-side translation (CLAT) to translate client-side IPv4 traffic to encapsulated IPv6, and provider-side translation (PLAT), to translate from encapsulated IPv6 back to IPv4. At this time (December 2017) I am still not aware of any consumer routers that support CLAT out of the box. We would love it if our wireless CPE manufacturers (Ubiquiti and Mimosa) would support CLAT on their devices, or our preferred router manufacturer (Mikrotik) would support it on their devices, but none of them do yet. However, the OpenWRT and LEDE projects (which forked a while ago but are now merging back together) <b>do</b> support CLAT. Therefore, after some research, we found a few models of consumer routers that we could flash with LEDE, and deploy to customers. I will cover this in more detail shortly.</p>
<p>On the provider side, some routers such as Juniper routers do support PLAT, but we are already invested in Mikrotik, and they still do not. However, using the <a href="https://jool.mx">Jool</a> project along with BIND9, it is possible to run PLAT on a Linux server with very minimal setup. We have a Proxmox VE HA cluster on which we run two PLAT nodes, which are set up to fail over using different OSPF costs, and additionally they will fail over to other machines in the cluster if one goes down. As these nodes are <b>required</b> for IPv6 customers to access the IPv4 internet, it is <i>very important</i> that they stay up. In the future we may consider moving to Juniper routers if Mikrotik doesn&#8217;t eventually address this need.</p>
<h3>PLAT Implementation</h3>
<p>Installing and configuring Jool and BIND9 is pretty easy. We are standardized on Ubuntu 16.04 LTS at the moment, so I will use that in my examples. Note that if you are doing this in a virtual machine (as we do), it needs to have full hardware virtualization, and not run in a container, as Jool is a kernel module.</p>
<h4>Jool</h4>
<p>Here are the <a href="http://jool.mx/en/install-mod.html">instructions for installing the Jool kernel module</a>. In this example we will use DKMS.</p>
<p>First, install dependencies:</p>
<pre>root@plat-demo:~# apt -y install build-essential linux-headers-$(uname -r) dkms
... (output) ...
root@plat-demo:~# git clone https://github.com/NICMx/Jool.git
... (output) ...
root@plat-demo:~# dkms install Jool
... (output) ...
DKMS: install completed.
</pre>
<p>Now we must tell the machine to insert the jool module at boot with the correct settings. We are using the well-known prefix of</p>
<pre>64:ff9b::/96</pre>
<p>which is the default used by many CLAT devices on the IPv6 side. You will need to supply your own IPv4 subnet for translation. Here we use a documentation-reserved prefix. Open</p>
<pre>/etc/rc.local</pre>
<p>in your favorite editor and add the line:</p>
<pre>/sbin/modprobe jool pool6=64:ff9b::/96 pool4=192.0.2.0/28
</pre>
<p>You will need to assign the pool4 addresses on the appropriate interface. We are doing this via OSPF, so I will omit it for now; you could script it or add all the addresses on alias interfaces, but we have it in our Quagga configuration. You will also need to make sure you are routing properly to the IPv6 prefix, which is beyond the scope of this writeup. Once all that is done, manually run the command you added to</p>
<pre>/etc/rc.local</pre>
<p>You should then be able to ping an IPv4 address through the PLAT device by pinging, for example,</p>
<pre>64:ff9b::8.8.8.8</pre>
<h4>BIND9</h4>
<p>This is even easier than Jool.</p>
<pre>root@plat-demo:~# apt -y install bind9
</pre>
<p>Once that is done, use your favorite editor to open</p>
<pre>/etc/bind/named.conf.options</pre>
<p>and make sure it looks like this:</p>
<pre>acl my_net {
        // Use your public prefixes here, these are documentation prefixes.
        2001:DB8::/32;
        198.51.100.0/24;
        203.0.113.0/24;
        // You may want to include any RFC1918 subnets you use on your network
        10.0.0.0/8;
        192.168.0.0/16;
};

options {
        directory "/var/cache/bind";

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

        # This is the key. Note that you can write multiple of these if you need
        # more IPv6 prefixes.
        # "64:ff9b::/96" has to be the same as Jool's `pool6`.

        // use the well-known prefix
        dns64 64:ff9b::/96 {
                # Options per prefix (if you need them) here.
                # More info here: https://kb.isc.org/article/AA-01031
        };
        recursion yes;

        allow-recursion { my_net; };
};
</pre>
<p>Save it and restart with:</p>
<pre>systemctl restart bind9
</pre>
<p>Assuming you have proper firewall and routing settings in place, you should now be able to get NAT64 by doing DNS lookups to this server. For example, Slashdot still doesn&#8217;t have IPv6 deployed (shame on them). However, BIND9 will synthesize an IPv6 address for you:</p>
<pre>root@plat-demo:~# dig AAAA @(dns-server-ip) slashdot.org

; &lt;&lt;&gt;&gt; DiG 9.10.3-P4-Ubuntu &lt;&lt;&gt;&gt; AAAA @(dns-server-ip) slashdot.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 49918
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;slashdot.org.                  IN      AAAA

;; ANSWER SECTION:
slashdot.org.           292     IN      AAAA    64:ff9b::d822:b52d

;; AUTHORITY SECTION:
slashdot.org.           25241   IN      NS      ns2.dnsmadeeasy.com.
slashdot.org.           25241   IN      NS      ns1.dnsmadeeasy.com.
slashdot.org.           25241   IN      NS      ns3.dnsmadeeasy.com.
slashdot.org.           25241   IN      NS      ns4.dnsmadeeasy.com.

;; Query time: 33 msec
;; SERVER: #53()
;; WHEN: Sat Dec 23 09:52:52 MST 2017
;; MSG SIZE  rcvd: 156
</pre>
<p>As you can see, it has appended the well-known prefix. Now, we can ping this address from a host on the network with a route to the PLAT machine:</p>
<pre>[brock@demo-client]-(~)-&gt; ping6 64:ff9b::d822:b52d
PING 64:ff9b::d822:b52d(64:ff9b::d822:b52d) 56 data bytes
64 bytes from 64:ff9b::d822:b52d: icmp_seq=1 ttl=235 time=73.1 ms
64 bytes from 64:ff9b::d822:b52d: icmp_seq=2 ttl=235 time=72.9 ms
64 bytes from 64:ff9b::d822:b52d: icmp_seq=3 ttl=235 time=73.5 ms
64 bytes from 64:ff9b::d822:b52d: icmp_seq=4 ttl=235 time=73.4 ms

--- 64:ff9b::d822:b52d ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 72.912/73.277/73.587/0.421 ms
</pre>
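<p>The AAAA record above and the ping that follows it can be cross-checked without touching the network, because the synthesized address is just the NAT64 prefix with the A record's four octets embedded per RFC 6052. The following Python is an added example (not part of this post, and not Jool's or BIND's code) that does that embedding and the reverse for any of the six prefix lengths RFC 6052 allows, not only the /96 well-known prefix used here; the IPv4 address 216.34.181.45 in it is simply what <code>64:ff9b::d822:b52d</code> decodes to, and the <code>2001:db8:1:2::/64</code> prefix is a documentation value chosen for the demonstration.</p>

```python
"""RFC 6052 address synthesis and extraction for NAT64/DNS64 checks.

Added example, not part of the original post or of Jool/BIND: it computes
the AAAA a DNS64 resolver synthesizes for an A record under a given NAT64
prefix and decodes such an address back to IPv4, so the `pool6` given to
Jool, the `dns64` prefix in named.conf.options and the `dig` answer above
can be cross-checked offline. Only the standard library is used.
"""
import ipaddress

# Prefix lengths RFC 6052 permits. For anything shorter than /96 the byte at
# bits 64..71 (octet 8, the "u" octet) is reserved and must stay zero, so the
# IPv4 octets are written around it.
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _v4_positions(prefix_len):
    """Byte offsets inside the 16-byte IPv6 address that carry the IPv4 octets."""
    if prefix_len not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{prefix_len}")
    pos = prefix_len // 8
    offsets = []
    while len(offsets) != 4:
        if pos == 8:          # skip the reserved "u" octet
            pos += 1
        offsets.append(pos)
        pos += 1
    return offsets


def embed_ipv4(prefix, ipv4):
    """Synthesize the IPv4-embedded IPv6 address, as DNS64 would for an A record."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    out = bytearray(net.network_address.packed)
    octets = ipaddress.IPv4Address(ipv4).packed
    for offset, octet in zip(_v4_positions(net.prefixlen), octets):
        out[offset] = octet
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix, ipv6):
    """Recover the IPv4 address a PLAT translates the embedded address to."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside NAT64 prefix {net}")
    raw = addr.packed
    if net.prefixlen != 96 and raw[8] != 0:
        raise ValueError("reserved octet 8 is non-zero; not a valid RFC 6052 address")
    return ipaddress.IPv4Address(bytes(raw[o] for o in _v4_positions(net.prefixlen)))


def dns64_answer_is_consistent(prefix, a_record, aaaa_record):
    """True when the synthesized AAAA matches what the prefix and A record predict."""
    return embed_ipv4(prefix, a_record) == ipaddress.IPv6Address(aaaa_record)


if __name__ == "__main__":
    # Values from the post: the well-known prefix and the AAAA BIND returned.
    # 216.34.181.45 is what that AAAA decodes to (constructed for this check).
    WKP = "64:ff9b::/96"
    print(extract_ipv4(WKP, "64:ff9b::d822:b52d"))                                  # 216.34.181.45
    print(embed_ipv4(WKP, "8.8.8.8"))                                               # 64:ff9b::808:808
    print(dns64_answer_is_consistent(WKP, "216.34.181.45", "64:ff9b::d822:b52d"))  # True
```

<p>If <code>dns64_answer_is_consistent</code> returns False for a name, either the <code>dns64</code> prefix in BIND differs from Jool's <code>pool6</code>, or the resolver that answered is not the one you configured; both are worth ruling out before looking at routing.</p>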
<p>That completes PLAT setup!</p>
<h3>CLAT Implementation</h3>
<p>This is a bit more tricky&#8211; we have to provide customers with a router that will do CLAT, so that their internal IPv4 devices will send out traffic via IPv6. OpenWRT/LEDE firmware will do this, but you have to find one of the many devices that will support these firmwares, make a firmware image, and then deploy it.</p>
<p>We are using some older Linksys routers, primarily the EA3500, which are quite adequate for the plans most of our customers use. We use the LEDE image builder to make a custom image that has what we need in it. You can download that here:</p>
<p><a href="https://downloads.lede-project.org/releases/17.01.4/targets/kirkwood/generic/lede-imagebuilder-17.01.4-kirkwood.Linux-x86_64.tar.xz">LEDE Imagebuilder for Kirkwood</a>.</p>
<p>Note that on this hardware you currently need to install the OpenWRT factory image first, then the LEDE sysupgrade image.</p>
<p>You can download that here:</p>
<p><a href="https://downloads.openwrt.org/snapshots/trunk/kirkwood/generic/openwrt-kirkwood-linksys-audi-squashfs-factory.bin">OpenWRT Factory Image</a></p>
<p>So, flash the router from factory with the OpenWRT image. Then, on Linux extract the imagebuilder and change into that directory. Run the following command to build with 464xlat:</p>
<pre>umask 022
make image PROFILE=linksys-audi PACKAGES="464xlat luci-ssl"
</pre>
<p>When it finishes you should have a file:</p>
<pre>bin/targets/kirkwood/generic/lede-17.01.4-kirkwood-linksys-audi-squashfs-sysupgrade.tar
</pre>
<p>You need to upgrade the router with that:</p>
<pre>scp bin/targets/kirkwood/generic/lede-17.01.4-kirkwood-linksys-audi-squashfs-sysupgrade.tar root@192.168.1.1:/tmp/sysupgrade.tar
ssh root@192.168.1.1 sysupgrade -n /tmp/sysupgrade.tar
</pre>
<p>When that completes, you should be able to access the router running LEDE at https://192.168.1.1.</p>
<p>You need to log in (default is root, no password), go to network settings, and change the protocol for the IPv4 WAN to 464XLAT. In the IPv6 WAN settings, change your DNS server to point to the IPv6 address of your PLAT device.</p>
<p><img fetchpriority="high" decoding="async" class="aligncenter size-full wp-image-1918" src="https://blog.brocktice.com/wp-content/uploads/2017/12/464xlat_protocol_settings.png" alt="" width="971" height="514" /></p>
<p><img decoding="async" class="aligncenter size-full wp-image-1919" src="https://blog.brocktice.com/wp-content/uploads/2017/12/464xlat_dns_settings.png" alt="" width="986" height="726" /></p>
<p><img decoding="async" class="aligncenter size-full wp-image-1920" src="https://blog.brocktice.com/wp-content/uploads/2017/12/464xlat_v6_wan_settings.png" alt="" width="982" height="604" /></p>
<p>You should then be able to reboot the router, and 464XLAT should be working. Once you have a template router config just how you want it, you can extract the config files and give them as input to the image builder. This will give you a ready-to-go router firmware. We have done this plus additional scripting to set a wifi SSID and password, and print labels automatically.</p>
<h2>Conclusion</h2>
<p>I have seen very good throughput on this setup, basically limited by the client (CLAT) router&#8217;s wireless connection or CPU; the PLAT is pretty performant on VMs on some old Xeon servers. However, you need to make sure that the servers have Ethernet offloading disabled as <a href="https://www.jool.mx/en/offloads.html">per this documentation</a>. For me it made the difference between 0.5Mbps and 150Mbps throughput.</p>
<p>I highly recommend you test your setup with this <a href="http://test-ipv6.com">IPv6 tester</a> site.</p>
<p>I am happy to answer questions about this and also to take suggestions. Happy routing!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://blog.brocktice.com/2017/12/27/deploying-464xlat-for-ipv6-only-clients-on-a-small-wisp-network-with-mikrotik-routers/feed/</wfw:commentRss>
			<slash:comments>4</slash:comments>
		
		
			</item>
		<item>
		<title>Booting from a Samba share in old Supermicro IPMI</title>
		<link>https://blog.brocktice.com/2017/11/09/booting-from-a-samba-share-in-old-supermicro-ipmi/</link>
		
		<dc:creator><![CDATA[Brock Tice]]></dc:creator>
		<pubDate>Fri, 10 Nov 2017 02:46:02 +0000</pubDate>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Tools of the Trade]]></category>
		<guid isPermaLink="false">https://blog.brocktice.com/?p=1904</guid>

					<description><![CDATA[I picked up some older Supermicro machines from eBay (GREAT way to get some real server hardware, btw), but they have a VERY old IPMI firmware and no way to upgrade to a more modern version. They can&#8217;t do standard virtual media &#8212; you have to specify a SMB share with an ISO on it to [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>I picked up some older Supermicro machines from eBay (GREAT way to get some real server hardware, btw), but they have a <strong>VERY</strong> old IPMI firmware and no way to upgrade to a more modern version.</p>
<p>They can&#8217;t do standard virtual media &#8212; you have to specify a SMB share with an ISO on it to mount. Once you do that, you have to make it bootable in the BIOS and move it up the boot order.</p>
<p>I wasted about an hour trying to figure out why I couldn&#8217;t enable the device &#8220;PepperC Virtual Disc&#8221; in the boot order &#8212; the answer is, you have to use the &#8216;x&#8217; key to remove unused devices from the 8 available boot slots, <strong>then</strong> you can select the PepperC device and use the &#8216;x&#8217; key to enable it, and then you can move it up/down the boot order with the +/- keys.</p>
<p>Hopefully this saves someone else some grief, I was losing my mind trying to figure out the problem.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Resizing Cryptswap in Ubuntu 16.04</title>
		<link>https://blog.brocktice.com/2017/02/22/resizing-cryptswap-in-ubuntu-16-04/</link>
		
		<dc:creator><![CDATA[Brock Tice]]></dc:creator>
		<pubDate>Wed, 22 Feb 2017 16:37:04 +0000</pubDate>
				<category><![CDATA[Crypto]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Ubuntu]]></category>
		<guid isPermaLink="false">https://blog.brocktice.com/?p=1898</guid>

					<description><![CDATA[I recently migrated my system to NVMe drives (great decision, by the way), and part of my reason for doing so was much faster swap, for some outrageously memory-hungry finite element mesh generation stuff. I also wanted to enlarge the swap. I use LVM on top of software RAID, and encrypted home directories on top [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>I recently migrated my system to NVMe drives (great decision, by the way), and part of my reason for doing so was much faster swap, for some outrageously memory-hungry finite element mesh generation stuff.</p>
<p>I also wanted to enlarge the swap. I use LVM on top of software RAID, and encrypted home directories on top of that, which means that Ubuntu automatically set up encrypted swap for me. I had a non-encrypted swap volume at:</p>
<p>/dev/vg0/swap</p>
<p>I didn&#8217;t have much luck finding information about how the cryptswap is set up by the installer, which is why I&#8217;m writing this. It turns out that the crypt swap is configured in /etc/crypttab, where I have a line like this:</p>
<pre>cryptswap1 /dev/vg0/swap /dev/urandom swap,offset=1024,cipher=aes-xts-plain64</pre>
<p>What this means is that the system will create a crypt device called /dev/mapper/cryptswap1 at boot using a random seed, on top of /dev/vg0/swap. It will then run mkswap and swapon on the encrypted device.</p>
<p>This latter part is specified in /etc/fstab like:</p>
<pre>/dev/mapper/cryptswap1 none swap sw 0 0</pre>
<p>So, if your base unencrypted swap partition is an LVM logical volume, all you have to do is use lvextend to make it larger and (the easiest way) reboot. On reboot the larger device will automatically be used in its entirety.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Exim4 system-wide conditional email forwarding</title>
		<link>https://blog.brocktice.com/2016/10/10/exim4-system-wide-conditional-email-forwarding/</link>
		
		<dc:creator><![CDATA[Brock Tice]]></dc:creator>
		<pubDate>Mon, 10 Oct 2016 20:23:58 +0000</pubDate>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Tech]]></category>
		<guid isPermaLink="false">https://blog.brocktice.com/?p=1894</guid>

					<description><![CDATA[This is a guest post written by Steve Goertz after he solved this particular issue. Use: Filtering and forwarding all emails received by exim4 Filtering by specific email components (sender information, subject, etc.) Forwarding all filtered emails to a specific email address or email addresses Assuming a working instance of exim4: Create a filter file [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>This is a guest post written by Steve Goertz after he solved this particular issue.</p>
<p><span style="font-weight: 400;">Use:</span></p>
<ul>
<li style="font-weight: 400;"><span style="font-weight: 400;">Filtering and forwarding all emails received by exim4</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Filtering by specific email components (sender information, subject, etc.)</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Forwarding all filtered emails to a specific email address or email addresses</span></li>
</ul>
<p><span style="font-weight: 400;">Assuming a working instance of exim4:</span></p>
<p><span style="font-weight: 400;">Create a filter file for exim4 using the appropriate filters and syntax as found in the exim4 filter documentation here: </span><a href="http://www.exim.org/exim-html-current/doc/html/spec_html/filter_ch-exim_filter_files.html"><span style="font-weight: 400;">http://www.exim.org/exim-html-current/doc/html/spec_html/filter_ch-exim_filter_files.html</span></a></p>
<p><span style="font-weight: 400;">You may want to create a directory for exim4 filters and place the file in that directory, like:</span></p>
<pre><span style="font-weight: 400;">/etc/exim4/conf.d/filters/filter_name</span></pre>
<p>For our particular use, a conditional section and a <code>deliver</code> command were the only necessary components. A filter file will look something like this:</p>
<pre>#Exim filter &lt;&lt;== do not edit or remove this line!

##Filter description, so you remember what you were trying to do.

if
   $sender_address is "sender@address.example" and
   $header_subject does not contain "foo" and
   $message_body contains "bar"
then
   deliver "recipient@other.example"
endif</pre>
<p>Filters will then be placed as the first router in the exim4 router config (found at <strong>/etc/exim4/conf.d/router/router_name</strong>). Depending on your configuration the router name may vary, or you may need to add one. The filter should be formatted as follows:</p>
<pre>filter_name:
   driver = redirect
   allow_filter
   file = /path/to/filter (in this case /etc/exim4/conf.d/filters/filter_name)
   user = exim4_user</pre>
<p>It is essential that the <code>user</code> variable match the user that owns exim4. If not, the filter will not function, email traffic will not pass through the first filter to the remaining filters, and all regular email processing will stop. You can probably figure this out by checking the init script for exim4 or using the command:</p>
<pre>ps aux | grep exim4</pre>
<p>to see whom exim4 is running as.</p>
<p>After the filter file has been generated and correctly referenced in the router config, rebuild the exim4 config using:</p>
<pre>sudo update-exim4.conf.template -r</pre>
<p>And restart the service:</p>
<pre>sudo service exim4 restart</pre>
<p>Test the email server to ensure that it is working as intended.</p>
<p>This configuration will prevent matching emails from arriving at their intended destination, which is what we needed. Also, if the incoming email does not meet all of the requirements above, it will pass through to the next router in the router configuration file.</p>
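<p>Two of the failure modes described above (a damaged <code># Exim filter</code> first line, and a router <code>user</code> that does not match the account exim4 runs as) are easy to catch before restarting the service, as is a third that bites anyone pasting a filter from a web page or word processor: typographic quotes, which Exim does not accept as string delimiters. The following Python is an added example, not part of this post and not Exim's own tooling; the sample filter and router text in it are constructed for the demonstration, and <code>Debian-exim</code> is the account exim4 runs as on Debian and Ubuntu (the placeholder <code>exim4_user</code> above stands for it).</p>

```python
"""Pre-flight checks for an Exim filter file and its redirect router.

Added example, not part of the original post or of Exim: it encodes the
pitfalls the post names (the "# Exim filter" first line must stay intact,
and the router's `user` must be the account Exim runs as) and catches
typographic quotes, which Exim's filter parser does not treat as string
delimiters. All sample texts below are constructed for the demonstration.
"""
import re

FILTER_MARKER = re.compile(r"^#\s*Exim filter\b", re.IGNORECASE)
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def lint_filter(text):
    """Return a list of problems found in an Exim filter file ([] when clean)."""
    problems = []
    lines = text.splitlines()
    if not lines or not FILTER_MARKER.match(lines[0]):
        problems.append('line 1 must be "# Exim filter"')
    for number, line in enumerate(lines, 1):
        if any(q in line for q in TYPOGRAPHIC_QUOTES):
            problems.append(f"line {number}: typographic quotes; use ASCII double quotes")
    # Exim rejects a filter whose if/endif blocks do not balance
    if len(re.findall(r"^\s*if\b", text, re.M)) != len(re.findall(r"^\s*endif\b", text, re.M)):
        problems.append("unbalanced if/endif")
    if not re.search(r"^\s*deliver\s+\S", text, re.M):
        problems.append("no deliver command; the filter would never forward anything")
    return problems


def router_user(router_text):
    """The `user = ...` value of a redirect router stanza, or None if absent."""
    match = re.search(r"^\s*user\s*=\s*(\S+)", router_text, re.M)
    return match.group(1) if match else None


def router_user_matches(router_text, running_as):
    """True when the router's user equals the account `ps aux` shows exim4 running as."""
    return router_user(router_text) == running_as


# Constructed samples. ASCII quotes in the good one; the bad one carries the
# curly quotes that a copy from a word processor or web page often introduces.
GOOD_FILTER = """# Exim filter
# forward mail from one sender whose body mentions bar but whose subject lacks foo
if
   $sender_address is "sender@address.example" and
   $header_subject does not contain "foo" and
   $message_body contains "bar"
then
   deliver "recipient@other.example"
endif
"""

BAD_FILTER = GOOD_FILTER.replace('"', "\u201c", 1).replace('"', "\u201d", 1)

# Debian and Ubuntu run exim4 as Debian-exim; this stands in for the post's exim4_user.
ROUTER = """filter_name:
   driver = redirect
   allow_filter
   file = /etc/exim4/conf.d/filters/filter_name
   user = Debian-exim
"""

if __name__ == "__main__":
    print(lint_filter(GOOD_FILTER))                    # []
    print(lint_filter(BAD_FILTER))                     # one complaint about line 4
    print(router_user_matches(ROUTER, "Debian-exim"))  # True
```

<p>Run it against the real files (for example <code>lint_filter(open("/etc/exim4/conf.d/filters/filter_name").read())</code> and <code>router_user_matches(open(router_path).read(), owner)</code> with <code>owner</code> taken from <code>ps aux</code>) before <code>update-exim4.conf.template -r</code>; a non-empty list means the router would silently stop mail, which is the failure described above.</p>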
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Dealing With Dogs While Cycling</title>
		<link>https://blog.brocktice.com/2016/09/12/dealing-with-dogs-while-cycling/</link>
		
		<dc:creator><![CDATA[Brock Tice]]></dc:creator>
		<pubDate>Tue, 13 Sep 2016 01:51:32 +0000</pubDate>
				<category><![CDATA[Other]]></category>
		<guid isPermaLink="false">https://blog.brocktice.com/?p=1890</guid>

					<description><![CDATA[I&#8217;ve been cycling a lot this season, but off-leash dogs are the rule here rather than the exception. They like to chase me on the bike, and even the ones that don&#8217;t seem likely to directly harm me are liable to cause an accident. To combat this, I use pepper spray. To keep the pepper [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>I&#8217;ve been cycling a lot this season, but off-leash dogs are the rule here rather than the exception. They like to chase me on the bike, and even the ones that don&#8217;t seem likely to directly harm me are liable to cause an accident.</p>
<p>To combat this, I use pepper spray. To keep the pepper spray handy, I use&nbsp;<a href="https://www.amazon.com/dp/B00LBAJGL2/ref=cm_sw_r_cp_apa_FY11xb5VPFSY5">this simple device</a>&nbsp;I found on&nbsp;Amazon.com. I was skeptical when I first saw it that it would be stable enough, but actually it has worked quite well. I use Fox OC spray with it, and it has never failed to stop an aggressive dog.</p>
<p>The spray is a bit pricey, but if you ride the same route or routes regularly the dogs eventually start to learn and you don&#8217;t need it that much.</p>
<p>I have a dog and I don&#8217;t like pepper spraying dogs, but irresponsible owners have created dangerous conditions for me and other cyclists and pedestrians, so it has come to this.</p>
<p>Ride safely.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Explanation of Question G8B07 on the US Ham Radio General License Exam</title>
		<link>https://blog.brocktice.com/2015/04/12/explanation-of-question-g8b07-on-the-us-ham-radio-general-license-exam/</link>
		
		<dc:creator><![CDATA[Brock Tice]]></dc:creator>
		<pubDate>Sun, 12 Apr 2015 23:22:21 +0000</pubDate>
				<category><![CDATA[Ham Radio]]></category>
		<guid isPermaLink="false">https://blog.brocktice.com/?p=1883</guid>

					<description><![CDATA[I am studying for the General license exam and came across question G8B07 (as of April 2015, it will change at some point), asking the following: What is the frequency deviation for a 12.21-MHz reactance-modulated oscillator in a 5-kHz deviation, 146.52-MHz FM-phone transmitter? The answer is given as 416.7 Hz, but I looked and couldn&#8217;t [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>I am studying for the General license exam and came across question G8B07 (as of April 2015, it will change at some point), asking the following:</p>
<blockquote><p>
What is the frequency deviation for a 12.21-MHz reactance-modulated oscillator in a 5-kHz deviation, 146.52-MHz FM-phone transmitter?
</p></blockquote>
<p>The answer is given as 416.7 Hz, but I looked and couldn&#8217;t find an explanation. Finally I found one <a href="http://educypedia.karadimov.info/library/reading34.pdf">here</a>, sort of. After reading about how the FM phone modulation is done and puzzling a bit at the numbers it became clear.</p>
<p>To understand the question, you must understand that the reactance-modulated oscillator produces a carrier frequency of 12.21 MHz (as specified). With no input, this is multiplied by some circuits aptly called multipliers that result in the output frequency, given here as 146.52 MHz. Simply dividing 146.52/12.21 shows you that a multiplier of 12x is in effect in this question.</p>
<p>Now, what the question is asking (and this took me a while to figure out) is what change in modulation of the reactance-modulated oscillator will result in a 5 kHz deviation of the <b>output</b>? Since we know that whatever change happens in the oscillator is going to be multiplied 12x, we can divide the output deviation (5 kHz) by the multiplier (12) to get 416.7 Hz. In other words, a 416.7 Hz deviation in the reactance-modulated oscillator will be multiplied 12x to 5 kHz by the multipliers before being output.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Disabling Mikrotik Hotspot DNS Proxying for Authenticated Users</title>
		<link>https://blog.brocktice.com/2015/01/09/disabling-mikrotik-hotspot-dns-proxying-for-authenticated-users/</link>
		
		<dc:creator><![CDATA[Brock Tice]]></dc:creator>
		<pubDate>Fri, 09 Jan 2015 17:48:27 +0000</pubDate>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[RouterOS]]></category>
		<category><![CDATA[Tech]]></category>
		<guid isPermaLink="false">https://blog.brocktice.com/?p=1880</guid>

					<description><![CDATA[My wireless ISP (WISP) uses the Mikrotik hotspot feature with RADIUS on the back end to authenticate our users. This implements a captive portal that redirects all DNS requests so that the user is taken to a login page if they&#8217;re not logged in. Once they log in once, the system associates their radio with [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><a href="http://blackmesawireless.com">My wireless ISP (WISP)</a> uses the Mikrotik hotspot feature with RADIUS on the back end to authenticate our users. This implements a captive portal that redirects all DNS requests so that the user is taken to a login page if they&#8217;re not logged in. Once they log in once, the system associates their radio with their account, and they don&#8217;t have to log in anymore under normal circumstances.</p>
<p>However, once logged in, users still have all their DNS requests proxied through the routers. A lot of users want to use their own DNS (like OpenDNS or Google Public DNS), and that&#8217;s fine with me, but a user ran the <code>namebench</code> utility and found that their DNS was being forcibly proxied.</p>
<p>It took some hunting, but I finally found <a href="http://forum.mikrotik.com/viewtopic.php?f=2&#038;t=83768">this post on the Mikrotik forums</a> which details how to get around this. Basically:</p>
<ul>
<li>The hotspot adds dynamic DNS redirect rules. If you go to <code>/ip firewall nat</code> and just <code>print</code>, these rules don&#8217;t show up. If you do <code>print dynamic</code> they do. The relevant lines are:
<pre>2  D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53 log=no log-prefix=""
3  D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53 log=no log-prefix=""
</pre>
</li>
<li>We still want non-logged-in users to have their DNS redirected, so we need to add something here that will let authenticated hotspot users through. The magic incantation here (because it&#8217;s entries 2 and 3) is <code>set 2,3 hotspot=!auth</code>, which results in the following:
<pre>2  D chain=hotspot action=redirect to-ports=64872 protocol=udp hotspot=!auth dst-port=53 log=no log-prefix=""
3  D chain=hotspot action=redirect to-ports=64872 protocol=tcp hotspot=!auth dst-port=53 log=no log-prefix=""
</pre>
</li>
</ul>
<p>And now namebench works as expected.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Less than a week until Taos Ski Valley opens for the season</title>
		<link>https://blog.brocktice.com/2014/11/23/less-than-a-week-until-taos-ski-valley-opens-for-the-season/</link>
		
		<dc:creator><![CDATA[Brock Tice]]></dc:creator>
		<pubDate>Sun, 23 Nov 2014 17:58:50 +0000</pubDate>
				<category><![CDATA[New Mexico]]></category>
		<category><![CDATA[Skiing]]></category>
		<guid isPermaLink="false">https://blog.brocktice.com/?p=1877</guid>

					<description><![CDATA[And it&#8217;s looking good today. 🙂]]></description>
										<content:encoded><![CDATA[<p>And it&#8217;s looking good today. 🙂</p>
<p><a href="https://blog.brocktice.com/wp-content/uploads/2014/11/wpid-wp-1416765434029.jpeg"><img decoding="async" title="wp-1416765434029" class="alignnone size-full"  alt="image" src="https://blog.brocktice.com/wp-content/uploads/2014/11/wpid-wp-1416765434029.jpeg" /></a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Preventing BGP Advertised Route Flapping in Mikrotik RouterOS</title>
		<link>https://blog.brocktice.com/2014/11/03/preventing-bgp-advertised-route-flapping-in-mikrotik-routeros/</link>
		
		<dc:creator><![CDATA[Brock Tice]]></dc:creator>
		<pubDate>Mon, 03 Nov 2014 23:39:15 +0000</pubDate>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[RouterOS]]></category>
		<category><![CDATA[Tech]]></category>
		<guid isPermaLink="false">https://blog.brocktice.com/?p=1858</guid>

					<description><![CDATA[I am not an expert on this, I just wanted to document a problem I had and a solution I found today, in a concise way. Comments correcting me or suggesting better ways are very welcome. I have a network running OSPF internally, and advertising routes to the upstream ISP over BGP at two separate [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>I am not an expert on this, I just wanted to document a problem I had and a solution I found today, in a concise way. Comments correcting me or suggesting better ways are very welcome.</p>
<p>I have a network running OSPF internally, and advertising routes to the upstream ISP over BGP at two separate edge routers (multi-homed, single ISP). We discovered last night that internally bringing down any of the subnets we advertise results in those routes dropping out of the routing tables of the edge routers (as expected). That in turn withdraws the BGP advertisements. What we did NOT expect was that route-flap damping upstream of us then suppresses (effectively null-routes) that subnet for up to a few hours.</p>
<p>So, how do we retain our adaptive internal routing (OSPF) while avoiding route flap? I was a bit stumped about this, but I found a more complex article that <a href="http://robert.penz.name/779/howto-setup-a-redundant-and-secure-bgp-full-table-internet-connection-with-mikrotik-routers/">describes a multi-homed BGP setup</a>. A key part of that setup was a little trick to avoid this problem. Namely, set up a static blackhole route for the subnet on the edge router with a very high administrative distance (254 below, which loses to every learned route: RouterOS defaults are 1 for static, 20 for eBGP and 110 for OSPF). This way, even if the OSPF route disappears, the router still &#8220;knows&#8221; a route to the subnet and won&#8217;t withdraw the advertisement; traffic for the subnet is dropped at our own edge until OSPF brings the real route back, instead of being suppressed upstream for hours.</p>
<p>For example, if you want to advertise the subnet 1.1.1.0/24, you should add a static route like</p>
<p><code><br />
/ip route add dst-address=1.1.1.0/24 type=blackhole distance=254 comment="prevent flapping of the route over BGP"<br />
</code></p>
<p>I&#8217;ve tested it and it seems to work as expected. The route is not active as long as the OSPF route is in the routing table. If it disappears, the black hole route becomes active.</p>
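<p>An added example, not from the original post or the linked article, that does the same thing for a whole list of advertised prefixes and shows how to confirm the blackhole stays inactive while OSPF is up. The second prefix is a placeholder; only 1.1.1.0/24 comes from the post.</p>

```routeros
# Added example (not from the original post). Installs a low-preference
# blackhole route for each prefix this edge router advertises over BGP, so
# the advertisement survives a loss of the internal OSPF route instead of
# flapping at the upstream. The prefix list is an assumed placeholder;
# 1.1.1.0/24 is the one used in the post above.
:local prefixes {"1.1.1.0/24"; "1.1.2.0/24"}
:foreach p in=$prefixes do={
    :if ([:len [/ip route find dst-address=$p type=blackhole]] = 0) do={
        /ip route add dst-address=$p type=blackhole distance=254 comment="prevent flapping of the route over BGP"
    }
}

# Check the result. With OSPF up, the blackhole entry for 1.1.1.0/24 shows
# flag B (blackhole) but not A (active), and the OSPF route (flags ADo) is
# the one in use. If the OSPF route disappears the blackhole becomes AB,
# the BGP advertisement stays put, and traffic to the prefix is dropped here.
/ip route print where dst-address=1.1.1.0/24
```

<p>Because the script only adds a blackhole where none exists for that prefix, it is safe to re-run after editing the list.</p>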
<p>Comments? Suggestions?</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Armed Citizens, Revolution, and Costs</title>
		<link>https://blog.brocktice.com/2014/10/21/armed-citizens-revolution-and-costs/</link>
					<comments>https://blog.brocktice.com/2014/10/21/armed-citizens-revolution-and-costs/#comments</comments>
		
		<dc:creator><![CDATA[Brock Tice]]></dc:creator>
		<pubDate>Tue, 21 Oct 2014 16:10:14 +0000</pubDate>
				<category><![CDATA[Other]]></category>
		<guid isPermaLink="false">https://blog.brocktice.com/?p=1859</guid>

					<description><![CDATA[I have been trying, without success, to come up with a cogent explanation of my thoughts on firearms ownership by citizens, government tyranny, those that call for violent revolution, and the costs of police and military intervention. This post is my first attempt to lay out those thoughts in an integrated way. It was prompted [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>I have been trying, without success, to come up with a cogent explanation of my thoughts on firearms ownership by citizens, government tyranny, those that call for violent revolution, and the costs of police and military intervention. This post is my first attempt to lay out those thoughts in an integrated way. It was prompted by this tweet, though I had been thinking about it before.</p>
<blockquote class="twitter-tweet" lang="en">
<p>Worth linking again. Too late to overthrow the American gov&#39;t with guns. Be a grown-up and get politically active. <a href="http://t.co/ROwk8yQrvy">http://t.co/ROwk8yQrvy</a></p>
<p>&mdash; Les Orchard (@lmorchard) <a href="https://twitter.com/lmorchard/status/522957862793134080">October 17, 2014</a></p></blockquote>
<p>The founders of the US thought it was so important to protect the right to keep and bear arms that they listed it in the bill of rights right after freedom of speech (which I agree is more important). It&#8217;s common to hear arguments that &#8220;only a well-regulated militia&#8221; &#8212; sometimes interpreted to be the military &#8212; is supposed to bear arms, but a review of the prior drafts of the amendment and other statements by those that drafted it makes it clear they meant the whole of the citizenry were the militia, and the constitution was never meant to be interpreted to bar law-abiding citizens the right to keep and bear arms. Recent decisions by the Supreme Court have supported this interpretation. For example, here is an early version proposed by Samuel Adams:</p>
<blockquote><p>
And that the said Constitution be never construed to authorize Congress to infringe the just liberty of the press, or the rights of conscience; or to prevent the people of the United States, who are peaceable citizens, from keeping their own arms. (<a href="http://en.wikipedia.org/wiki/Second_Amendment_to_the_United_States_Constitution">citation</a>)
</p></blockquote>
<p>Furthermore, it was thought by them that an unarmed citizenry was a citizenry destined to be ruled by tyranny. Wikipedia does a pretty good job of covering this <a href="http://en.wikipedia.org/wiki/Second_Amendment_to_the_United_States_Constitution">here</a>, but here are some choice quotes:</p>
<blockquote><p>
As civil rulers, not having their duty to the people duly before them, may attempt to tyrannize, and as the military forces which must be occasionally raised to defend our country, might pervert their power to the injury of their fellow citizens, the people are confirmed by the next article in their right to keep and bear their private arms. &#8212; Tench Coxe, 1792 (ibid.)
</p></blockquote>
<blockquote><p>
This may be considered as the true palladium of liberty&#8230;. The right of self defence is the first law of nature: in most governments it has been the study of rulers to confine this right within the narrowest limits possible. Wherever standing armies are kept up, and the right of the people to keep and bear arms is, under any colour or pretext whatsoever, prohibited, liberty, if not already annihilated, is on the brink of destruction. In England, the people have been disarmed, generally, under the specious pretext of preserving the game: a never failing lure to bring over the landed aristocracy to support any measure, under that mask, though calculated for very different purposes.  &#8212; St. George Tucker (ibid.)
</p></blockquote>
<blockquote><p>
Abolitionist Lysander Spooner, commenting on bills of rights, stated that the object of all bills of rights is to assert the rights of individuals against the government and that the Second Amendment right to keep and bear arms was in support of the right to resist government oppression, as the only security against the tyranny of government lies in forcible resistance to injustice, for injustice will certainly be executed, unless forcibly resisted. (ibid.)
</p></blockquote>
<blockquote><p>
The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. &#8212; Thomas Jefferson (<a href="http://www.monticello.org/site/jefferson/tree-liberty-quotation">citation</a>)
</p></blockquote>
<p>People, even those generally sympathetic to Second Amendment rights, rightly point out that the government, with bombers, nuclear weapons, the NSA, and a large standing military could easily put down an insurrection. (<a href="http://solutions-institute.org/blog/is-it-time-for-a-violent-revolution/">Is it time for a violent revolution?</a>). That article does a pretty good job of being realistic in evaluating the pros and cons of such a revolution. I am going to make clear that I think it&#8217;s definitely a <b>Bad Idea</b>. That doesn&#8217;t mean an armed citizenry is worthless. A very interesting and recent example is the <a href="https://en.wikipedia.org/wiki/Bundy_standoff">Bundy Standoff</a> and its contrast with the <a href="http://en.wikipedia.org/wiki/2014_Ferguson_unrest">Ferguson unrest</a>. Before I get going let me state that I think Bundy (aside from being a racist and generally a moron) was/is in the wrong. I in no way support his claims.</p>
<p>What I find fascinating is that Bundy and his well-armed supporters were able to <i>raise the cost of the government&#8217;s intervention</i> enough to get them to back down. The government can be viewed as a massive, powerful monolith, that doesn&#8217;t need the approval of the people to do what it wants, but that&#8217;s a mistaken view. The federal government is made of real people with consciences and scruples. Furthermore, if it loses enough public support, and support from a significant portion of the military, it may even leave itself vulnerable to being overthrown. Therefore it&#8217;s in the interests of the government and its members not to do things that will widely be perceived as pernicious and overreaching. I think the BLM and Las Vegas PD decided that shooting Bundy and his supporters over some cattle grazing on public lands would have been widely condemned. Without that resistance, I&#8217;m fairly certain the BLM would have had their way (which, to be clear, I think was right). I didn&#8217;t realize until today that the LVPD actually took steps to tone down their response to Bundy in order to avoid provoking them.</p>
<blockquote><p>
Metro officers deal with large crowds all the time, but nothing like this. The crowd included former military men and ex-cops, people with various motives, their fingers poised just above the triggers of powerful weapons. With so much firepower in so many hands, a small incident could have set off a bloodbath and left nearly two dozen officers dead.</p>
<p>Assist. Sheriff Joe Lombardo: &#8220;We were outgunned, outmanned and there would not have been a good result from it.&#8221;<br />
I-Team reporter George Knapp: &#8220;A lot of scenarios could have played out that would have left a lot of dead officers.&#8221;<br />
Assist. Sheriff Joe Lombardo: &#8220;If you just have a backfire, somebody pops a firecracker, then it&#8217;s over. We&#8217;re done. We are going to lose that battle that day.&#8221;</p>
<p>Metro pointedly did not allow officers to put on helmets or protective gear for fear it might be seen as a provocation. At the urging of Cliven Bundy, the crowd moved toward the BLM compound. Rhetoric grew more heated, and guns were pointed at officers.<br />
<a href="http://www.8newsnow.com/story/25395552/i-team-police-faced-possible-bloodbath-at-bundy-protest">citation</a>
</p></blockquote>
<p>What you see there is that the Bundy protesters made the cost of a powerful, armed showing by the police higher than the police were willing to bear. Contrast that with the events during the protests in Ferguson, MO after the police shooting of Michael Brown.</p>
<p><a href="https://www.flickr.com/photos/jbouie/14907066986/in/set-72157646091879339"><img loading="lazy" decoding="async" src="https://blog.brocktice.com/wp-content/uploads/2014/10/Sharpshooter_facing_camera.jpg" alt="Sharpshooter_facing_camera" width="2880" height="1908" class="aligncenter size-full wp-image-1862" /></a> <small><b>Sharpshooter aims at unarmed protesters</b> CC BY 2.0 &#8211; Jamelle Bouie &#8211; https://www.flickr.com/photos/jbouie/14907066986/in/set-72157646091879339</small></p>
<p><a href="http://en.wikipedia.org/wiki/2014_Ferguson_unrest#mediaviewer/File:Ferguson_Day_6,_Picture_53.png"><img loading="lazy" decoding="async" src="https://blog.brocktice.com/wp-content/uploads/2014/10/Ferguson_Day_6_Picture_53.png" alt="Ferguson_Day_6,_Picture_53" width="1000" height="664" class="aligncenter size-full wp-image-1864" /></a><small>Contingent of police in riot gear with military-type armored vehicles &#8211; By Loavesofbread &#8211; <a href="http://creativecommons.org/licenses/by-sa/4.0">CC-BY-SA 4.0</a></small></p>
<p>The Ferguson PD had no such qualms about making a show of force, and it almost certainly agitated the protesters, but for a variety of reasons, most of them were not visibly armed. There&#8217;s a whole separate line of reasoning here that the protesters in Ferguson were black, and the folks at the Bundy incident were white, and that&#8217;s why the police didn&#8217;t crack down on them the same way. I buy that that had some influence, but I don&#8217;t think it nearly covers the issue. The quote from LVPD above should make that clear.</p>
<p>What this comes down to, for me, is that even though private ownership of firearms (especially &#8220;military-type&#8221; firearms that &#8220;nobody needs&#8221; &#8212; which were used by Bundy&#8217;s supporters) may not be sufficient for an <i>ex-nihilo</i> overthrow of the government, that private ownership is nonetheless essential to raising the cost of abuse of power by the government.</p>
<p><b>But in other civilized countries&#8230;</b></p>
<p>There&#8217;s another common rebuttal that other countries don&#8217;t have the degree of allowed firearm ownership that the USA has, and yet they are able to resolve their problems democratically. All I can say to this is that there are very few democracies that have been around very long on a historical time scale, and we will have to wait and see. Certainly in places like England, which have slowly had their firearms rights (once considered inviolable natural rights) taken away, people have lost much of not only the ability but the right to self-defense. (See <a href="http://www.amazon.com/Guns-Violence-The-English-Experience/dp/0674016084/ref=sr_1_1?ie=UTF8&#038;qid=1413906947&#038;sr=8-1&#038;keywords=guns+and+violence+the+english+experience">Guns and Violence: The English Experience</a> for a fascinating history.) That&#8217;s something I&#8217;d like to see the USA avoid.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://blog.brocktice.com/2014/10/21/armed-citizens-revolution-and-costs/feed/</wfw:commentRss>
			<slash:comments>3</slash:comments>
		
		
			</item>
	</channel>
</rss>