blog.sarlok.com - Coffee!

System time:  Fri/03/24 : 02:38:22

Anyway

My new toys.

My experiences attempting to acquire a SIP trunk with a single DID were doubly disappointing. It seems the world is big on selling trunks to businesses, so picking something up for less than $expensive/month is out of the question. I'm sure I'm bound by some NDA which prevents me from going into details over the second disappointment, beyond saying I can very much relate to some of our (their?) customers.
That out of the way, it's significantly cheaper in the short and long term to buy an analogue line, and turn it into a trunk myself.
New problem: Good ATA's aren't inexpensive.
Not if you want something that won't generate scary echo, or scads of problems with Asterisk.
So, picked up an entire Cisco voice bundle and VWIC-2FXO for the same cost of two decent ATA's, so I'll probably just use that for the entire PBX setup.

Not sure what to make of the SRX yet. After playing with Olive, I was somewhat surprised to be presented with a FreeBSD prompt after logging in as root. Thought that was symptomatic of the Olive hacks.
Time will tell.

<rant>
Google strikes again.
Tried to setup my Apple TV to sign into my youtube account tonight. To coin a phrase, How hard can it be?
After failing to login after 4 attempts at my password, I figured something was up. I wouldn't have minded so much if I got a useful error message, though that one is probably on Apple.
It's also my fault for using two-factor authentication since my gmail account was compromised. So, time for random guessing. I figured out it was the afore-mentioned two-factor thing.
Great, setup an application specific password, punch it in. Spinner goes for a bit longer this time, and...

"This account cannot be used with Apple TV".

Seriously? What. The. блядь.
So, more screwing around, and apparently, one has to create a "Channel" in your account. Why, I'm not sure. The requirement of clicking some obfuscated link to feed you random garbage by default, seems like a bad idea in my mind. But I'm sure it made sense to someone at the time.

Also, second week with one of these. I am not impressed. I'm not sure why anyone would want to root them. I would rather wipe and re-flash it myself.
</rant>

Sigh.
Still working.
Bourbon's still nearly impossible to buy in this town.
Suppose it stands to reason I came across this after two days of solid rain. The instrumental version sounds amazing in the Volvo. Not sure which version I like best yet.

Astalabyebye

Screw The Plan

Falling behind on legitimate posts again... have about 3 cisco related things queued up for posting I should probably finish off.
Hmm. Placed an order for some VM time, also an SRX100, which I expect will take the place of portcullis.sarlok.com (which I just installed...) to force me to get a better feel for JunOS outside of an olive.
Got myr.sarlok.com racked. Backup for fluctuators VM's, as well as some more resources for the pool.

My new toy. Something other than my Volvo that I can ratbag, without being too upset if I wrap it around a telephone pole or something.

RIM seems to be slowly sabotaging apps on my 9900. Granted the Trillian thing is but happening on a per-user basis, but it's one of 6 apps I frequently use (used?) which have stopped working in no particular order. Perhaps my shockingly negative feedback for the Z10 is to blame. Although, it's their own fault for making it such a steaming pile of корма.

Me: you still has a blackberry?
Co-worker: Nope, iPhone 5
Me: msn via trillian still working on that?
Co-worker: Yep
Co-worker: Like this?
Me: weird. my blackberry's msn is half busted.
sez I'm not signed in, I see no contacts, but I receive messages you send me. wee
Me: but that could be because "Blackberry" I suppose
Co-worker: Trillian on blackberry, or the MSN client?
Me: sorry, the MSN account in Trillian.
Co-worker: Yeah... Blackberry would be my guess.
Co-worker: Maybe try upgrading to the HAHAHAHAHA

On a somewhat related note, no-one seems to be able to, or wants to sell me this.


I've wanted something along those lines for close to two years now.
Effectively what I'm looking for is a hosted PBX. John Doe phones my #, it rings to all my subscribed devices, regardless of location or connectivity method (Mobility Carrier, Wifi, Wired), and I answer at whichever device I please - or happen to be closest to.
At a cafe with wifi? iPod Wifi. Finished my coffee, and time to get going? Park the call, and pick it up on my Cellphone. Call goes on for far longer than it should, and I get home? Pick it up on my analog phone through an ATA (not pictured - I don't actually have a "phone" phone) wired into the house.
Google ruined GrandCentral and won't give me a Canadian number. Skype won't give me a Canadian number, their client isn't fully cross-platform, and has become outlandishly bloated of late. The countless third party offerings that exist are flawed, don't do anything like what I just mentioned, and/or are way, way too overpriced.
So, to hell with them all - I've finally started building something myself. Proof-of-concept testing has gone well so far... now if only TELUS wouldn't block SIP across their data network. Maybe, just maybe I can put an M2M SIM card in a phone, and run SIP over that...

If you're feeling bored, I think I'm up another 50 images in the /random folder.

Adios.

Until the Sun Comes

Blocked in my own street by the new parade route's blockades.
Cut-off from both Granville's and Starbucks but the clouds of people and same said route.
Damn it.

Galaxy Bounce

On tonights episode of Too Damn Late... Because fCensoredk sleep!


I haz moar gifs for yooou...


ShaZAM!



Work in a few hours. Gonna try that whole sleeping thing again naow.
Toodle-oo!

Vandalism

Got everything.sarlok.com moved out of my old IP range. Running pf directly off my VM's now, having retired my NAT box in the process.
Finally setup an SQL counter to replace the text file I was using for the legacy site. This should stop the counter from re-setting to zero from colliding open/read/write operations. Added a dozen or so more gif's for giggles while I was at it.

Oh, yes... drowned about two-dozen more poor souls quite by accident. In my haste to irrigate some new farm plots, I forgot I had inadequate floodgates in place. Everywhere it went - upstairs to the common room, down 20 stories to the under-ground caverns my militia were investigating.
On the upside, once winter came and froze the river solid, my farm plots were sufficiently irrigated, and the channels were cleared for floodgate placement.

Made a start of sorting my vacation photo's. Might drop them in the gallery at some point if I can be bothered.

Dust off my apple developer account. Xcode has come a long, long way since the dawn of the so-called iOS. Busting things out is stupid easy.

Speaking of stupid... stupid iTunes. Can't get this song in Canada, just some stupid re-mix off a compilation album. Grr.
Thank god for Wiretap.


In The Sun

Nothing to see here.



Whatever Clever

Already up to 28.5 hours this week. Not bad for someone that works 7hr days and doesn't work overtime anymore.
HAH!

Cutting services out of the old IP block I've been sitting on for yonks. Doing so has given me a chance to play with rdomains. Think Cisco VRF, but in the BSD flava.
Currently, I'm running two httpd processes off the same VM host, each listens on a separate interface with a different rdomain (need that default route). The theory being, when the *sarlok.com A records update, nothing noticeable will go wrong.
Since I'm also currently migrating to a new firewall as well, that extra default route comes in handy.
I expect I'll be staring down the barrel of some imperfect connectivity come the morrow, but so far everything checks out connecting between rdomains without any nasty NAT tricks or the like.
Especially since I'm stupid bloody tired, but that does limit one's comprehension.
qmail, minecraft, and all that funky jazz will undoubtedly be next.

Slightly related note, maybe it's the lack of sleep, but;
Mind = blown.

There Might Be Coffee

Well, so much for this weeke... this mon... this year.
Sleep schedule got shafted this weekend. Guess I know what I'm doing tomorrow.

Queue random junk:

Me: also, the routing table thing is kinda cool.
http://127.0.0.1:65535/Orion/NetPerfMon/NodeDetails.aspx?NetObject=N:5
though I worry slightly at regularly polling that much information via SNMP.
Me: HAH. mobage support request form includes an "Emotional State" drop-down box. I am amused by this.
Co-Worker: Heh
Co-Worker: How come A01 only has BGP neighbours?
Me: probably for the same reason A02 only has BGP neighbours
Co-Worker: How come $NEWFEATURE only half-assed works?
Me: Because "Feature".

Queue cisco stuff:
Ran into the need to NAT traffic entering an 'outside' interface via a crypto map a while back. There were far more rational solutions to deal with this scenario, but, you know - the real world never has time for rational solutions.

In this case, ASA for SSL Mobility clients.
IPSEC Crypto-map from ASA to existing corporate gateway for LAN access (servers and junk). Could just NAT the ASA LAN traffic directly, but... real world, remember?
Traffic from 192.168.100.0/24 hits lo255 on R1, then gets NAT'd.
Queue visual aid:

Forgive the crudeness of the diagram. Diagramming on a laptop touch-pad and all that.

Since packets enter R1 from it's 'ip nat outside' interface, it's too late to NAT them directly. Can't use a pseudo 'tunnel' interface because of the ASA...
So, punt them ala route-map to an 'inside' interface so that NAT can occur, and then they're sent back out the interface from which they came.
Using 'set ip next-hop 192.168.255.2' in the route-map seemed to work much to my surprise rather than 192.168.255.1. I expect it has something to do with NAT order of operation, but I can't see why exactly.

Queue code:

hostname R1
!
crypto map gi0-0-out 10 ipsec-isakmp
  set peer 172.16.1.1
  set transform-set AES256
  match address 100
!
interface Loopback255
  description Loopback target for NAT hairpin
  ip address 192.168.255.1 255.255.255.248
  ip nat inside
  ip virtual-reassembly
!
interface GigabitEthernet0/0
  ip address 172.16.0.1 255.255.255.0
  ip nat outside
  ip policy route-map TELECOMMUTER-HAIRPIN
  crypto map gi0-0-out
!
route-map TELECOMMUTER-HAIRPIN permit 10
  match ip address HAIRPIN
  ! Still a bit fuzzy on this one, but I believe redirect to a host on lo255's subnet \
  ! rather than the address, so the packets hit the 'interface'
  set ip next-hop 192.168.255.2
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
access-list 100 remark ASA Interesting Traffic
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
!
access-list 101 remark Don't NAT traffic to ASA LAN subnet, so it gets picked up by crypto map
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark Inside subnets to NAT
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended HAIRPIN
  remark For route-map to NAT traffic arriving via ASA crypto map
  remark Don't punt LAN-to-LAN traffic
  deny   ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
  remark Redirect everything else
  permit ip 192.168.100.0 0.0.0.255 any
!
end



Queue another Youtube video. The name "Porter Robinson" conjures up something completely different from this in my mind. Not sure why.

Babylon Rising

Well. Still awake, so here's some random chunk of cisco config for that NAT thing I mentioned earlier.
Most of the examples I found in cisco doc's were for NAT Inside VRF, outside global. My use case was the opposite - IP NAT inside global, outside VRF. In particular, an NMS needed access to an otherwise hidden network. Since it's a Windows based NMS, relying on an IPSEC tunnel being up 24x7 seemed laugable, and also impractical in our case.
Plus, Windows... yeah.

ip vrf ThatVRF
  rd 172.16.0.0:1
!
ip nat source list GLOBAL-TO-VRF interface Vlan10 overload
!
ip access-list extended GLOBAL-TO-VRF
  permit ip host 10.10.10.1 172.16.0.0 0.7.255.255
!
interface GigabitEthernet0/0
  description Gobal to core
  ip address 10.11.128.1 255.255.255.248
  ip nat enable
!
interface Vlan10
  ip vrf forwarding ThatVRF
  ip address 172.16.180.2 255.255.255.248
  ip nat enable
!
! static to leak 172.16.0.0/13 into global at this hop
ip route 172.16.0.0 255.248.0.0 Vlan10
ip route 0.0.0.0 0.0.0.0 10.11.128.6
ip route vrf 172.16.0.0 255.248.0.0 172.16.180.1
!
end



I still needed to use the NVI trick ala 'ip nat enable' on the 3800 where this is running. using explicit ip nat inside/outside on respective interfaces didn't seem to go for some reason as I expected use of the NVI to only be for between VRF's.
The other caveat is having to leak routes into global for this to work, but not much else you can do (less do it properly in the first place). Statics ala interface routes seems pretty safe.
In production, policy-based routing gets the NMS traffic to this hop to prevent leaking routes any further beyond this point.

So that should be mostly right. I'll consider correcting any errors after some sleep or something.

Wee.

Fel Del Av Garden

Enabled tags for blog posts. Should put together a tag cloud gadget for either of the left or right navigation columns.
Keep meaning to say something about IP NAT inside global to outside VRF... maybe someday.

I have nothing more to say.

Chasin' You Around

So. I had no internet from November to around Jan 7th, then sank deeply into "Zomg! Must get all this sh!t done before you leave work!" mode which left my blogging enthusiasm at an all time low.
That aside, here's a post. Yay. I've got some interesting-ish things to blog about, but maybe later.

Kekekekeke....

portcullis#ping ipv6 FE80::208:7CFF:FEDE:8838 source FE80::21E:F7FF:FED3:FA20
Output Interface: fastethernet0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::208:7CFF:FEDE:8838, timeout is 2 seconds:
Packet sent with a source address of FE80::21E:F7FF:FED3:FA20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
portcullis#

This loosely translates into; http://6.issurroundedbyidiots.net/
Too bad 99.95% of the internet consumers at large won't be able to reach it.

And now for something, completely different.

Man of Constant Sorrow

Nothing of particular interest to say at the moment. More a quick test to see if my drupal5 DB is still functional after the upgrade staging from 5.x->6.x, 6.x->7.x after restoring from a backup.
Accidentally upgrading the production DB for the record, not cool.

That said though, the upgrade went well enough. Some issues converting the image gallery DB - all the source and derivative images are 'known', but not actually linked to in generated pages. Groovy.

Yeah, I know... moar music videos ala youtube - so sue me. I detect strong hint of Justice and something else I can't quite put my finger on.