Sunday, June 5, 2011

MikroTik RouterBoard: the ultimate networking swiss army knife

I've been on the hunt for a while now for a better router for the house. What I've wanted was the perfect marriage of cost, customizability, utility and ease of use. The features I've needed:

1. Basic NAT and Firewall with uPnP or NAT-PMP
2. DHCP client on WAN port, DHCP server on inside network
3. IPv6
4. Dynamic DNS
5. Uplink bandwidth prioritization / QoS

The closest I have come up to now has been the AirPort Extreme. It does most of what is on that list, but has some holes, particularly in its (lack of) ability to do QoS and its limited DDNS implementation. It also lacks any sort of VPN server, but I'd been able to work around that with a combination of one internal machine with a DHCP reservation and SSH port forwarding and/or MobileMe's "Back To My Mac" functionality.

But a few weeks ago, I discovered MikroTik.

My first product of theirs that I tried was their RB250GS. I bought it because I needed a switch with a tap port, and that was the cheapest switch I could find that did it. And I was happy with its performance and functionality. But that little introduction to their product line also brought me an introduction to their RB450G board, which intrigued me greatly.

It's a box with a CPU, 5 gigabit Ethernet ports, a serial port and a beeper. It runs a proprietary Linux distribution called RouterOS. Combined with a Windows (Windows, yes, but it runs perfectly under WINE) management UI, it's the swiss army knife of routers. Almost as good as a Cisco box costing hundreds (perhaps thousands) of dollars more.

I can hear a lot of you out there saying, "why not just install DD-WRT on a Linksys or Netgear router?" And indeed - that was what I thought I would wind up doing. And it may have wound up being every bit as capable as what I have. But the difference here is that the RouterOS it ships with is every bit as capable, and the firmware is actually supported by the manufacturer - it's not as if you bought a Honda because you intend to remove the power-train and drop it onto a nitro funny-car chassis. It's certainly something that's done, but it's generally a lot more trouble than it's worth.

Now, MikroTik's products are not for everyone. For one thing, they come as bare boards. You have to actually pay extra (in most cases - depending on the reseller) for a chassis and power supply. They're also pretty poorly documented. If you want to play with them, you're going to have to know what you want, know what you're talking about, and do some googling around to figure out how to get it done.

But after a couple of days of work, I have a box that does everything I want it to do. It has one port dedicated to being the WAN port. There, a DHCP client gets a lease from our cable modem. It then uses dynamic DNS to set a hostname in our domain so I can easily find home from out on the Internet. The other four ports are bridged together, with one of them being a bridge tap port (in case that is ever needed again). It is a caching DNS and NTP server for the inside network as well as providing DHCP service. It also does the NAT and is the endpoint for an IPv6 tunnel from Tunnelbroker, and advertises that prefix to the LAN. It is configured to give priority to the two VoIP devices we have, so they get first crack at the bandwidth. It's also an L2TP VPN server, so we can get in from the outside, if necessary.
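The same layout expressed as a RouterOS v6 CLI script (an added example for illustration, not the author's own configuration): ether1 as the WAN port with a DHCP client, the other four ports bridged, NAT, DHCP and caching DNS for the LAN, UPnP, and a firewall that drops everything unsolicited arriving from the WAN. The interface names, bridge name and 192.168.88.0/24 addressing are assumptions; the QoS queues, dynamic DNS, L2TP server and IPv6 tunnel are left out.

```routeros
# Added example, not the author's configuration. Names and addresses are assumed.

# WAN: take a lease from the cable modem and use its default route and DNS.
/ip dhcp-client
add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

# LAN: bridge the other four ports and give the bridge an address.
/interface bridge
add name=bridge-local
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
/ip address
add address=192.168.88.1/24 interface=bridge-local

# DHCP server and caching DNS for the inside network.
/ip pool
add name=dhcp-pool ranges=192.168.88.100-192.168.88.199
/ip dhcp-server
add name=dhcp-local interface=bridge-local address-pool=dhcp-pool disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dns
set allow-remote-requests=yes

# NAT for outbound traffic, plus UPnP so LAN devices can request port mappings.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge-local type=internal

# Firewall. The router itself accepts nothing unsolicited from the WAN
# (this matters because allow-remote-requests=yes would otherwise turn the
# caching resolver into an open resolver), and traffic from the WAN is only
# forwarded when a UPnP or static dst-nat mapping asked for it.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge-local action=accept
add chain=input in-interface=ether1 action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=!dstnat action=drop
```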

One box. About $100. And no having to shoehorn in third party firmware.

Saturday, March 19, 2011

Conan's surround mix

We've got a season pass to Conan, and I can't help but complain about the surround mix. There's way too much in the surround channels. It sounds like more of the show is happening behind you than in front.

It's particularly bad during the opening theme music. Andy's introductions are almost completely inaudible.

Now, I'm really, really, sure our system is set up right. And no other shows sound bad like this. We don't really watch anything else on TBS, so I'm not sure whether it's just Conan or everything on TBS. But it is messed the hell up.

But, of course, Conan's website doesn't have any contact information, and neither does TBS's. I could, I suppose, tweet to Conan about it, if I had ever bothered to sign up for twitter. So instead, since I have nobody better to complain to, I'll just whine to all of you. :)

Friday, March 18, 2011

AT&T hates their customers

AT&T is a case study in how not to treat your customers.

AT&T has made it abundantly clear that they don't care at all. The latest proof of this comes from this thread in AT&T's customer forums.

To recap, a paying customer posts a complaint about their service, and an AT&T employee replies telling them to return their phone and go away.

Mark my words, it's this kind of attitude that is going to be why AT&T is going to be transformed from a large company into a small one.

Thursday, March 17, 2011

A skeptical look at Unstoppable

Railroads hold an almost universal curiosity for most folks. Probably because of the fact that they're both familiar and somewhat mysterious. Most of us have been on a train of one sort or another, but almost no one knows how to work one. You might say that's the same for airplanes, yet there are half a million (or so) licensed pilots in the U.S. There aren't even 100,000 locomotive engineers. Anyone can own a share of a plane and there are lots of small aircraft fields. But trains run on tracks, and almost nobody owns their own railroad tracks (and almost none of that truly privately owned track is standard gauge).

Because railroading is such a close-knit fraternity, there is relatively little documentation about how you drive a train out where the rest of us can read it.

I have done a little bit more research than the average joe on trains because of my Caltrain commute, and because I'm curious. I know at least a little bit about the signaling aspects and a little bit about how a modern diesel-electric locomotive operates mechanically. So I was super excited about seeing Unstoppable. And I liked the movie quite a bit. However, there were a few moments in the movie where I couldn't completely maintain my suspension of disbelief.

1. The police were shooting at a fuel cut-off switch. Ok, if such a switch existed, why didn't the hostler who lost control of the train just hit it when he realized the train was going to get away from him? This one is arguably defensible - the guy, after all, was not depicted as being a bright guy. You could say that he didn't think of it. But wouldn't it have been easier for them to try taking a long stick and poking at that switch from the truck while they were driving alongside rather than trying to jump onto the ladder?

2. Why didn't the cops shoot the fuel tank full of holes and spill the fuel? Diesel fuel doesn't catch on fire when you shoot it. The mythbusters have been over that time and time again. Certainly dealing with the diesel spill would have been far better than the possibility of having to deal with the spilled phenol (or whatever the McGuffin chemical was).

3. Why were they trying to lower an engineer from a helicopter? Why didn't they just put a second guy on the locomotive that they got in front of the train and have him hop on from there?

4. I may be wrong about this, but I always thought air brakes were fail-safe. That is, the lack of air pressure makes the brakes close. If that were true, then the hostlers would not have been able to move the train at all without having all of the brake lines connected. It would take air pressure from the locomotive to open the brakes to let the train move. Someone who knows trains better than I do should chime in on this one.

5. There's just no way that the attempted derailment they set up should have failed. If a portable de-railer had any chance of not working, then they could have just put a couple of sticks of dynamite under a rail and blown it up. It's not as if a derailment wasn't going to screw up that section of track anyway.

6. The hostler wouldn't have put the generator into notch 6. The notches are like gears in a car. What they do is connect up the windings of the generator being driven by the diesel motor in various combinations of series and parallel modes. This allows the generator to either generate high voltage and low current or vice versa for feeding into the traction motors (the electric motors that drive the driven axles). Higher notches generally mean higher speeds. The hostler was moving the train at basically walking speed. He would not have been able to do his job any better by throwing it into "high gear," any more than that would have been a good move for a car with a stick shift.

7. The movie was, indeed, based loosely on a real-life incident that took place in Ohio. The so-called "Crazy Eights" train (CSX locomotive number 8888) was being moved in the yard and the hostler jumped out of the cab to realign a switch and failed to reboard. In that incident, the air brakes not being connected was a normal yard procedure, and the hostler set the throttle to 100% believing the engine was configured for dynamic braking (in dynamic braking, the traction motors are converted into generators, and the energy they produce is dissipated in a large bank of air-cooled resistors as waste heat), which translates to full braking power. Instead, the engine was configured normally and full power was applied. He set the independent brake for the locomotive, but it was unable to overcome the engine and the train sped up. CSX was able to stop the train using the same technique that was successful in the film (without quite so much drama, of course). They also had a locomotive ahead of the runaway that they planned to place in front of the train to slow it further, but this was not necessary.

8. Applying the brakes at the end of a powered train poses a risk of "stringlining" if the train goes around a curve. To illustrate what stringlining means, imagine a piece of string sitting on a table. Now form that string into an arc (as if it were a train going around a curve). Now put your finger down on one end of the string, and pull the other forward along the tangent line. The string will deform the curve and eventually become a straight line. Tension in a train consist caused by either tail-braking or head-thrust while going around a curve will tend to cause the cars to want to pull to the inside of the curve - basically in keeping with the centripetal force required to turn the train. I believe this, in fact, was what Frank was up to by working the brakes of the trailing locomotive the way he did while the train was on the elevated curve in the film.

9. Why did it take them so long to try that truck trick to get someone into the cab (or, as mentioned above, to hit the fuel shutoff switch from outside)?

The only other complaint I might have about the film is actually a fairly common one for movies - a lot of technical dialogue that you see taking place between experts on film is often implausible because experts talking amongst themselves assume similar levels of technical expertise, and so leave out a lot of common knowledge. You can't really do that in a film, though, because the audience won't understand, so you have experts talking to each other using the sort of language they'd use to explain stuff to outsiders who don't have that common expertise. Particularly over the radio in crisis situations. It happens all the time in all sorts of genres, from trains to submarines, to airplanes, to computers... I don't envy the challenge that such situations pose to script writers, but it always sticks out like a sore thumb to me.

Friday, February 11, 2011

The latest Microsoft outrage

I am not a big fan of Microsoft. But I had been hearing relatively good things about Windows 7. I don't have a lot of use for Windows myself, but I do have a need on occasion to support others, so I figured it would be a good idea to upgrade my Fusion VM from XP to Windows 7, if for no other reason than to get some experience and learn where all the knobs moved.

So after checking the box very, very carefully to ensure it was, I bought the box that included the Windows 7 Home Premium upgrade.

It is absolutely legitimate to upgrade from XP to 7.

While I was at it, I wanted to switch from 32 bit to 64 bit mode. The only way to do that is with a clean install.

Well, that's fine. When my Dad upgraded to Vista, his disk was unbootable, so we did a clean installation of Vista and called up the activation center and they engaged a special workaround that finessed it.

So a few days in, now, and Windows pops up the activation dialog. I put in the key in the box, and it complains that it's an upgrade key. So I call up Microsoft and they tell me to pound sand - that the only recourse is to reinstall XP and then install Windows 7 on top of that.

So, in short, once again, Microsoft takes something really, really simple, and makes it impossible, in a way that benefits absolutely nobody.

Sunday, February 6, 2011

ZFS and Cyrus

ZFS allows you to take snapshots of live filesystems, which is a great way to solve the 'oops, I deleted the wrong file' backup problem. 'zfs send' for snapshots allows you to effectively deal with the disaster recovery problem. Snapshots are smart in that they only make copies of new or modified files.

Where this breaks down, unfortunately, is things like databases, where relatively large files wind up being treated as modified and copied into each snapshot. It's much better to use the database's own tools to generate backups, which tend to be much smaller. They also are safer, as a snapshot of a running database may wind up not being cleanly recoverable (obviously they're supposed to be, if the database is fully ACID compliant, but there is always a difference between theory and practice).

Fortunately, zfs makes it cheap and easy to create separate filesystems for data that has different needs.

Cyrus IMAP, unfortunately, by default mixes two different flows of data together - each mailbox directory has one message per file, plus a handful of opaque database files that are always changing as the content of the mailbox changes. What's more, these database files are entirely reconstructible, so backing them up is unnecessary.

The problem is that you want to snapshot the filesystem where the partition is, but the snapshot will also back up these index files, which is a pointless waste of space.

Fortunately, Cyrus 2.4 has added the ability to separate the metadata from the partition. This way you can create snapshots of just the mail itself. The snapshots will wind up being much smaller, as a single message will only be present on the disk once (because with Cyrus, once a message is written to disk, it's not touched after that).

Before I began, the imapd.conf file had in it:

partition-default: /home/imap-spool

I added to that

metapartition-default: /home/imap-meta

metapartition_files: header index cache expunge squat lock

I created a new zfs filesystem for /home/imap-meta, and chown'd and chmod'd it to match imap-spool. I then shut down the cyrus system.

At this point, there are two choices to migrate. I chose the safer path, which was to simply run 'reconstruct' and then 'find imap-spool -name cyrus\* -delete'. Unfortunately, this resulted in all of the messages being marked as unseen.

The other possible choice would have been to replicate the directory structure under imap-spool to imap-meta, and then move all of the files that don't match the pattern [0-9]*\. from imap-spool to imap-meta.

With either of these paths taken, you should be able to restart Cyrus and see that everything is basically unchanged and still works.
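The second migration path, as an added example in POSIX shell (not from the original post): mirror the spool's directory tree under the metapartition, then move every file that is not a "<uid>." message file. It assumes Cyrus is stopped, that the metapartition directory already exists with ownership and permissions matching the spool, and that message files are named with digits followed by a dot; the mailbox names in the demo fixture are constructed.

```shell
#!/bin/sh
# Cyrus 2.4 metapartition migration, path 2: move per-mailbox metadata files
# (cyrus.header, cyrus.index, cyrus.cache, cyrus.expunge, cyrus.squat, locks)
# out of the mail partition into the metapartition, leaving the "<uid>."
# message files in place. Run only with the Cyrus master process stopped.

# migrate_meta SPOOL META
# Mirror SPOOL's directory tree under META, then move every regular file whose
# name does not match the message pattern [0-9]*. to the same relative path
# under META.
migrate_meta() {
    spool=${1%/}
    meta=${2%/}
    # Step 1: replicate the directory structure (empty mailboxes included).
    find "$spool" -type d | while IFS= read -r d; do
        rel=${d#"$spool"}
        mkdir -p "$meta$rel"
    done
    # Step 2: move the non-message files. Message files are never touched,
    # so a snapshot of the spool still holds exactly one copy of each message.
    find "$spool" -type f | while IFS= read -r f; do
        rel=${f#"$spool"}
        case ${f##*/} in
            [0-9]*.) ;;                      # "<uid>." message file: stays in SPOOL
            *)       mv "$f" "$meta$rel" ;;  # metadata: goes to META
        esac
    done
}

# count_files DIR: number of regular files below DIR, for checking the result.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# make_fixture ROOT: constructed sample spool with two mailboxes under
# ROOT/imap-spool (3 + 1 messages, 4 metadata files each) and an empty
# ROOT/imap-meta. Demonstration data only, not a real Cyrus layout.
make_fixture() {
    root=$1
    mkdir -p "$root/imap-spool/user/alice" "$root/imap-spool/user/bob" "$root/imap-meta"
    for uid in 1 2 3; do : > "$root/imap-spool/user/alice/$uid."; done
    : > "$root/imap-spool/user/bob/7."
    for m in cyrus.header cyrus.index cyrus.cache cyrus.squat; do
        : > "$root/imap-spool/user/alice/$m"
        : > "$root/imap-spool/user/bob/$m"
    done
}

# Stand-alone demo on a throwaway copy. Real use would be:
#   migrate_meta /home/imap-spool /home/imap-meta
demo_root=$(mktemp -d)
make_fixture "$demo_root"
migrate_meta "$demo_root/imap-spool" "$demo_root/imap-meta"
echo "messages left in spool: $(count_files "$demo_root/imap-spool"), metadata files moved: $(count_files "$demo_root/imap-meta")"
rm -rf "$demo_root"
```

After the move, 'reconstruct' is not needed, so the seen state in cyrus.index survives, which is the advantage over the first path.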

But having done this, you don't have to set up imap-meta for snapshots or backup.

Saturday, January 22, 2011


A few years ago (maybe it was in 2001. I don't remember), 2001: A Space Odyssey had a brief nationwide theatrical run. This was my first opportunity to see, on a big screen as it was intended, a movie that was made for theaters before I was born. I had, of course, seen the film before, but always on television, which until only recently meant NTSC video. Seeing it in the theater was a tremendous revelation. There was just an amazing amount of detail in the original film that I had never seen in all of the times I had seen the film on TV. The most striking example of this is in the scene when the lunar lander was being lowered into the moonbase. On either side of the elevator there are numerous windows, none of which were truly distinctly discernible on TV. There were actors walking around doing stuff and video screens displaying changing information while the lander was descending, all of which lent an extra air of reality to the scene. No doubt Stanley Kubrick went to a lot of extra trouble to add that in, knowing that people were going to be able to see it and that it would make the scene look just that much more realistic.

All that was nice and all, but I had my doubts that even HD would be able to present as much detail as that.

Turns out, I was wrong.

Just on a whim I decided to watch 2001 via Netflix Watch Now on the TiVo. Our Internet connection is good enough that we pretty routinely now get the highest quality streams available.

The stream they're showing now is every bit as nice as what I saw in the theater that day. All those details are clearly visible on our 50" TV from 8 feet away.

In hindsight, it should have been obvious to me. All you need to do is watch a little bit of an NFL game in SD and then HD to see the difference. It's not subtle. Not even a little.

Monday, January 17, 2011

Cisco Ūmi - say what?

Let's just call it what it is. The Cisco Ūmi is FaceTime for your living room. As such, it's a pretty cool idea.

Cisco wants you to pony up $600 and $25/mo for the privilege.

Are they nucking futs?

For the same amount of money you literally could buy a mac mini and a webcam and plug that in your TV. You could then download Apple's FaceTime software for free and chat with your similarly equipped friends with no monthly cost at all (besides your Internet connection, which you'd have to pay for with Ūmi anyway).

I may have been born on a Saturday, but it wasn't last Saturday.

Tuesday, January 11, 2011

Verizon iPhone

Welcome, Verizon.

It'll be interesting to see how many people jump ship from AT&T and how many people trade in various other Verizon phones for iPhones.

At the moment, AT&T and Verizon offer a Morton's Fork to the phone connoisseur: AT&T's network is fast, when it works properly, but has lots of holes, even around here (AT&T is notoriously bad in Palo Alto, for instance). Verizon's network may have somewhat better coverage, but it's as slow as EDGE for data.

Maybe it'll be better with LTE, but of course, the Verizon iPhone isn't going to do LTE (which is only fair - the first iPhone was EDGE). We'll have to wait for that for probably at least another year.

The big news is the word that the Verizon phone will include a WiFi hotspot feature. It'll be interesting to see whether AT&T will add this feature, and how they'll price it (it really should be added for free to their existing tethering feature).

What has been left unsaid so far is whether or not FaceTime will be supported without a WiFi connection (that is, over CDMA data). There's a much better case to be made for restricting it on CDMA given the constricted bandwidth compared to HSUPA.

My prediction is that Verizon will offer FaceTime without restriction, which will force/shame AT&T into dropping the restriction on FaceTime, and AT&T will follow suit with the WiFi hotspot for folks who have the tethering plan.

Friday, January 7, 2011

No more POTS lines

I am about to cross a generational Rubicon.

I am, sometime in the next week or two, going to call up AT&T and cancel our last remaining POTS line.

This line was "under" our DSL connection, and I had it on the cheapest measured-rate service I could get, because at the time you couldn't get Naked DSL. And, at the time, we had DirecTV receivers that required a connection to a land-based phone line, and we had our alarm system and we used the number to receive faxes.

Well, within a space of about 2 months, I've managed to make all of those justifications vanish. We tossed DirecTV and bought a TiVo Premiere and Comcast cablecards; we replaced our DSL connection by moving the server off into the cloud and buying a cable modem; I've equipped the alarm with a GSM modem and an AT&T prepaid SIM card; and the fax receive capability broke when I shut the server down, and wasn't really being used for anything anyway.

So now the only RJ-11 wiring in the entire house runs between the Vonage box, the cordless phone base, and our printer (for fax sending). Everything else we do is either via cell phones or IP.

How different it was 15 years ago. In 1995 I had a dialup ISP in my home with dialup PPP connectivity to the Internet that cost 4 times what I pay now for 50/10 megabit service. I subsidized the cost of the Internet connection with the ISP business. I had, at the height of it, 5 dialup modems and a couple dozen users. From 6 copper phone lines, down to 0.

Mac App store first impressions

I've perused the Mac App Store. There are some nice apps in there, but I have to say that just based on the value to me being offered, almost every single paid app I've seen so far has been a minimum of double the price I'd be willing to pay for that app. I'd be happy to pay $10 for Daisy Disk, but not $20. Maybe $15 (more like $10) for Earthdesk, but not $25. The one exception is the Contact Cleaner and Calendar Cleaner apps. I don't know if they're any good or not, because my calendar and contacts are clean enough for me at the moment, but if, for example, I had my Mother's calendar and contacts, it'd for sure be worth $5 to fix them.

We'll see if the market as a whole shares my view. Early indications are that at least some developers who got in on the ground floor are ecstatic about first day sales, but I do suspect that, as with the iPod/Pad/Phone app store that preceded it, prices will plummet as we see a race for the bottom.

Saturday, January 1, 2011

iPhone and IPv6

I've been a devotee of IPv6 for years now. I bought, and continue to use, an AirPort Extreme because of its support for 6to4 and tunneling.

Long story short, I've discovered that when an iPhone with iOS 4.x is connected to a WiFi network that's got an IPv6 router serving a globally reachable prefix, it will, in fact, use it!

Here's proof: The Dancing Kame on an iPhone.

This page has logic on it to detect whether or not you are fetching it over IPv6, and though you can't see the animation in the screenshot above, the text surrounding it is different from what you get over IPv4.

So, Apple.... what's stopping you from at least optionally supporting 6to4 over 3G?