Self Learner | Information Technology Enthusiast | Hamba Allah


Tuesday, October 14, 2014

Free WAN Optimizer appliance "OpenNOP"



If an organization wants to connect its datacenter to another site over a private link, it usually leases a line from a service provider and is charged according to the bandwidth leased: 5, 10, 20, 50, 100 Mbps or more, so the bandwidth directly drives the cost :)

The challenge is this: with the minimum leased bandwidth, how can they make it effectively double, triple, quadruple or even tenfold? Is that possible? It sounds impossible; keep in mind that money talks :D, and the value of quality goes hand in hand with the cost.

Actually it can be reached with WAN optimization. WAN optimization, also known as WAN acceleration, is the category of technologies and techniques used to maximize the efficiency of data flow across a wide area network (WAN). On the market there are several WAN optimizer appliances from various vendors that can optimize the traffic; one is Steelhead from Riverbed, which I think is still the most popular and the market leader among WAN optimizer products. The big problem is that such appliances are very expensive; for the SMB segment the capital expenditure is out of reach.

But don’t worry, there is an open-source WAN optimizer appliance called “OpenNOP” :) . I have tried this appliance and worked with it, and I think the result is not bad. Check it out!


How to Install OpenNOP
 
These are the steps you have to take to implement OpenNOP as a WAN optimizer in your organization, whether it is used in a full-mesh, peer-to-peer or client-server topology.

Before you perform the installation, please check the minimum hardware requirements for this appliance:
  • CPU: Dual-Core
  • Memory: 1024MB
  • Disk: 40GB
  • NIC: 10/100Mb (2 interfaces)
Once you have made sure the hardware requirements are met, follow these steps:

1. Download iso files from https://www.dropbox.com/s/50e0qubxfctcmhq/OpenNOP.x86_64-0.5.0.preload.iso

2. Install it on a physical server or a virtual machine; both are possible.
Just follow the installation wizard. For your information, this appliance is based on OpenSUSE 12.3, so every command at the prompt follows OpenSUSE conventions.

3. Once OpenNOP is installed, log in to the system with the default credentials: User: root / Pass: linux (change this default password once you are in).

4. Configure the network:
  • Set the IP address of eth0: vi /etc/sysconfig/network/ifcfg-eth0
BOOTPROTO=static
IPADDR=192.168.2.110
NETMASK=255.255.255.0
NETWORK=192.168.2.0
BROADCAST=192.168.2.255
MTU=1500
ONBOOT=yes
USERCONTROL=no
STARTMODE=auto
ETHTOOL_OPTIONS=
MTU=
REMOTE_IPADDR=
  • Set the IP address of eth1: vi /etc/sysconfig/network/ifcfg-eth1
BOOTPROTO=static
IPADDR=172.16.10.1
NETMASK=255.255.255.0
NETWORK=172.16.10.0
BROADCAST=172.16.10.255
MTU=1500
ONBOOT=yes
USERCONTROL=no
STARTMODE=auto
ETHTOOL_OPTIONS=
MTU=
REMOTE_IPADDR=
  • Set the default gateway: vi /etc/sysconfig/network/routes
default 192.168.2.1
  • Set the DNS name server: vi /etc/resolv.conf
nameserver 8.8.8.8
  • Restart the network configuration: # service network restart
Then verify the whole network configuration: is anything misconfigured, or is everything working fine? Test by pinging the gateway.


5. Disable the firewall
There are two ways to deactivate the firewall in OpenNOP: with “yast” or from the command line. Using “yast” is very simple: type “yast”, press Enter, then select “Security and Users” > Firewall and disable the firewall on the Start-Up tab, as in the screenshot below:





Alternatively, you can turn off the firewall with this simple command:

# /sbin/SuSEfirewall2 stop           (options: start/stop/status)

Either way of disabling it is effective. Note that once the firewall is stopped and IP forwarding is enabled in the next step, nothing on the appliance filters the traffic it forwards.


6. Enable IP forwarding
Each OpenNOP instance runs as the gateway for every host behind it whose traffic is to be optimized. IP forwarding must be enabled so that the connections/traffic from those hosts can pass through the appliance.

To enable IP forwarding, use the simple commands below.

First check whether IP forwarding is already active:
# sysctl net.ipv4.ip_forward
If the result is “net.ipv4.ip_forward = 0”, IP forwarding is not active yet and you have to enable it with:
# sysctl -w net.ipv4.ip_forward=1
The output will then show “net.ipv4.ip_forward = 1”, meaning IP forwarding was successfully activated. Note that sysctl -w only changes the running kernel; to keep the setting across reboots, also put net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

7. Upgrade the appliance
In my LAB experience, OpenNOP from this ISO does not work out of the box and needs to be upgraded first, so upgrade the appliance with the following steps:
  • run: # zypper install perl
  • run: # zypper install glibc-locale
  • run: # zypper refresh
  • run: # zypper dup
  • run: # reboot
8. Install dependency modules
We also need to install additional software on this appliance; install it with the following steps:
  • run: # zypper install libnfnetlink-devel
  • run: # zypper install libnetfilter_queue-devel
  • run: # zypper install libnl-devel
9. Start the OpenNOP service
First set up and load the kernel module, then start the service, with the commands below:
# service opennop setup
# modprobe opennopdrv
# service opennop start
Now OpenNOP is running on our appliance and optimizing the traffic that passes through it.

To stop the OpenNOP service, enter:
# service opennop stop
# rmmod opennopdrv
10. Verify
Let’s verify that the OpenNOP service is running on the appliance.
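A small pre-flight check for the ifcfg files from step 4 is worth running before the network restart; this is an added example, not part of the original post or of OpenNOP. ifup sources these files as shell assignments, so a key written twice (like the second, empty MTU= line in the listings above) silently keeps only its last value; the script flags that and also confirms that NETWORK is really IPADDR masked by NETMASK, using a constructed sample file.

```shell
#!/bin/sh
# Added example (not part of the original post): a pre-flight check for the
# ifcfg files written in step 4. ifup sources these files as shell assignments,
# so a key written twice silently keeps only its last value; the check also
# confirms that NETWORK really is IPADDR masked by NETMASK.

# Constructed sample in the same format as the eth1 listing above.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ifcfg-eth1" <<'EOF'
BOOTPROTO=static
IPADDR=172.16.10.1
NETMASK=255.255.255.0
NETWORK=172.16.10.0
BROADCAST=172.16.10.255
MTU=1500
STARTMODE=auto
EOF

# cfg_get FILE KEY -> value of the last KEY= line, which is what ifup ends up with
cfg_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_ifcfg FILE -> 0 if the file is consistent, 1 (with a message on stderr) otherwise
check_ifcfg() {
  dup=$(grep '=' "$1" | cut -d= -f1 | sort | uniq -d | tr '\n' ' ')
  [ -z "$dup" ] || { echo "$1: key set more than once: $dup" >&2; return 1; }
  for k in BOOTPROTO IPADDR NETMASK NETWORK STARTMODE; do
    [ -n "$(cfg_get "$1" "$k")" ] || { echo "$1: $k is missing or empty" >&2; return 1; }
  done
  ip=$(ip_to_int "$(cfg_get "$1" IPADDR)")
  mask=$(ip_to_int "$(cfg_get "$1" NETMASK)")
  want=$(int_to_ip $(( ip & mask )))
  [ "$want" = "$(cfg_get "$1" NETWORK)" ] || { echo "$1: NETWORK should be $want" >&2; return 1; }
  return 0
}

check_ifcfg "$SAMPLE_DIR/ifcfg-eth1" && echo "ifcfg-eth1: consistent"
```

Point check_ifcfg at /etc/sysconfig/network/ifcfg-eth0 and ifcfg-eth1 on the appliance itself; on the box, lsmod | grep opennopdrv confirms the module from step 9 is loaded.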




Ok, Have a lot of fun :)

Donny Achmadi,
(14 October 2014)

~ Spending my boring time ~

Wednesday, October 1, 2014

The Difference between VLAN Tagged, Untagged and Exclude


Many people are confused about the difference between TAGGED, UNTAGGED and EXCLUDE when configuring VLANs.

Especially with the VLAN configuration on HP Procurve switches, and so was I.
It confused me because it is quite different from other common switch platforms, where a VLAN is tagged to a port configured as either access or trunk.

For example, on a Cisco switch, if we want to tag a VLAN on one or more ports we simply tag that VLAN on the port; it is clear and simple. Not so on the HP Procurve switch, because there we need to define the membership of every port in each VLAN added to the switch.

HP Procurve switches use the terms Untag, Tagged and Exclude for VLAN membership; here are my definitions of what they mean:
1. Untag    : a port configured as access and tagged with a specific VLAN
2. Tagged    : a port that is already tagged with another VLAN
3. Exclude    : a port that does not belong to any VLAN ID, usually configured as Trunk

To make this clearer, let’s look at this scenario.

On an HP Procurve with 24 ports there are two VLAN IDs, VLAN 10 and VLAN 20, allocated to the ports as follows:

Port 1-12 for VLAN 10
Port 13-23 for VLAN 20
Port 24 set as Trunk

Then the configuration on the HP Procurve switch will look like this:



VLAN 10
port 1-12 untagged
port 13-23 tagged
port 24 exclude all

VLAN 20
port 1-12 tagged
port 13-23 untagged
port 24 exclude all

Trunk
port 24


This is the knowledge and experience I got, partly from my friends, about VLAN configuration on the HP Procurve v1810-24g; the VLAN concept is probably similar on Dell switches and others.

(Spare time at Office on 1 October 2014)

Monday, September 29, 2014

Configuring VPN IPsec vShield Edge to Mikrotik


Unlike other common router platforms, configuring a VPN IPsec tunnel between vShield Edge (vCloud Director) and a Mikrotik router is not easy, because the VPN parameters on vShield Edge are very limited. So we have to adjust the IPsec parameters offered by the peering device, such as DH group, lifetime, PFS group and so on, which exist on Mikrotik, Cisco ASA, Checkpoint, pfSense, Vyatta and other router platforms.

In this LAB I will set up a VPN connection between vShield Edge on vCloud Director and Mikrotik RouterOS based on the topology below:




According to various sources on the internet about compatible VPN configurations on vShield Edge, there are some parameters that serve as a template configuration and have to be applied on the peer device (Mikrotik).



Configuration on vShield Edge

First, I have to set up the VPN configuration on vShield Edge (cloud site) as follows:


  • Name    : VPN to Office (name of the VPN profile), then tick the Enable box
  • Description    : a description of the VPN profile
  • Tunnel to    : a Remote Network
Peer Settings
  • Peer IP Address    : 202.179.188.32 (public or WAN IP address of the Mikrotik)
  • Peer Gateway    : 172.16.0.1 (IP address on the Mikrotik LAN interface, which acts as the gateway)
  • Peer Subnet Mask    : 255.255.255.0 (subnet mask of the Mikrotik LAN/internal network)
Tunnel Settings
  • Encryption Protocol    : 3DES
  • Shared Secret    : 123KarenaAllahlahKitaKuatDanKitaMampu (at least 32 characters, and must be the same on both sides)
  • Show key    : optional, to make sure the shared key was typed correctly
  • MTU    : 1500 (use the default value)


Configuration on Mikrotik Router

We have to configure VPN IPsec on the Mikrotik router with parameters adjusted to suit vShield Edge. I found the right parameters for the Mikrotik and tested them too, with a successful result and a stable connection.

All the scripts below are adjusted to the topology above, so you can copy these commands, which are already correct, into the Mikrotik console and change the network-specific parameters (addresses, subnets and the shared secret) to match your own network details.



/ip ipsec proposal add name=VPN_Cloud auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=none


/ip ipsec policy add dst-address=192.168.0.0/24 proposal=VPN_Cloud sa-dst-address=103.7.0.3 sa-src-address=202.179.188.32 src-address=172.16.10.0/24 tunnel=yes protocol=255 action=encrypt level=require ipsec-protocols=esp priority=0


/ip ipsec peer add address=103.7.0.3/32 port=500 enc-algorithm=3des lifetime=8h nat-traversal=yes secret=123KarenaAllahlahKitaKuatDanKitaMampu passive=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=sha1 dh-group=modp1024 generate-policy=no dpd-interval=120 dpd-maximum-failures=5


/ip firewall filter

add chain=forward dst-address=192.168.0.0/24 src-address=172.16.10.0/24 action=accept

add chain=forward dst-address=172.16.10.0/24 src-address=192.168.0.0/24 action=accept



/ip firewall nat

add chain=srcnat dst-address=192.168.0.0/24 src-address=172.16.10.0/24 action=accept

add chain=srcnat dst-address=172.16.10.0/24 src-address=192.168.0.0/24 action=accept

(These two accept rules exempt the LAN-to-LAN traffic from NAT; they have to sit above any masquerade rule, otherwise the packets are translated before they can match the IPsec policy.)


=================================================
Type /ip ipsec export in the Mikrotik console, then check and verify that all parameters were entered correctly.
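Before pasting, a consistency pass over the three RouterOS commands is cheap insurance. The script below is an added example, not from the post or from MikroTik: it embeds the proposal, policy and peer lines as constructed sample strings and checks that they agree with each other and with the vShield Edge settings above (3DES on both phases, the peer address matching the policy's SA endpoint, tunnel mode, and a shared secret of at least 32 characters). 3DES and modp1024 (DH group 2) are legacy-strength settings, kept here only because they are what the post set up.

```shell
#!/bin/sh
# Added example (not part of the original post): a consistency pass over the
# three RouterOS commands above before they are pasted into the Mikrotik console.
# The commands are embedded as constructed sample strings copied from the post.
PROPOSAL='/ip ipsec proposal add name=VPN_Cloud auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=none'
POLICY='/ip ipsec policy add dst-address=192.168.0.0/24 proposal=VPN_Cloud sa-dst-address=103.7.0.3 sa-src-address=202.179.188.32 src-address=172.16.10.0/24 tunnel=yes protocol=255 action=encrypt level=require ipsec-protocols=esp priority=0'
PEER='/ip ipsec peer add address=103.7.0.3/32 port=500 enc-algorithm=3des lifetime=8h nat-traversal=yes secret=123KarenaAllahlahKitaKuatDanKitaMampu passive=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=sha1 dh-group=modp1024 generate-policy=no dpd-interval=120 dpd-maximum-failures=5'

# param "COMMAND" KEY -> value of the KEY=value token, empty if absent
param() { printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1; }

# fail MESSAGE -> report the first mismatch on stderr
fail() { echo "ipsec check: $1" >&2; }

# check_ipsec PROPOSAL POLICY PEER -> 0 when the three commands agree with each
# other and with the vShield Edge settings above (3DES, shared secret of 32+ characters)
check_ipsec() {
  prop=$1; pol=$2; peer=$3
  # the policy must name the proposal that is actually created
  [ "$(param "$pol" proposal)" = "$(param "$prop" name)" ] ||
    { fail "policy references a proposal that is not defined"; return 1; }
  # phase 1 (peer) and phase 2 (proposal) must both use the cipher set on vShield Edge
  [ "$(param "$peer" enc-algorithm)" = "3des" ] ||
    { fail "peer enc-algorithm is not 3des"; return 1; }
  [ "$(param "$prop" enc-algorithms)" = "3des" ] ||
    { fail "proposal enc-algorithms is not 3des"; return 1; }
  # the policy's SA endpoint must be the peer address (the peer carries a /32)
  [ "$(param "$pol" sa-dst-address)" = "$(param "$peer" address | cut -d/ -f1)" ] ||
    { fail "sa-dst-address does not match the peer address"; return 1; }
  # a site-to-site policy must be in tunnel mode
  [ "$(param "$pol" tunnel)" = "yes" ] || { fail "policy is not tunnel=yes"; return 1; }
  # vShield Edge requires a pre-shared key of at least 32 characters
  secret=$(param "$peer" secret)
  [ "${#secret}" -ge 32 ] || { fail "shared secret is shorter than 32 characters"; return 1; }
  return 0
}

check_ipsec "$PROPOSAL" "$POLICY" "$PEER" && echo "mikrotik ipsec commands: consistent"
```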

So, let's test from both sides: ping from a LAN user at the cloud (vShield Edge) site to a LAN user at the other (Mikrotik) site, and the other way round. Why? Because typically the IPsec tunnel comes up as soon as it is triggered by traffic flowing between the sites (in this case, the ping).

I have run these steps in my LAB, and the tunnel between vShield Edge and Mikrotik was established successfully.

Try my steps and let me know if you run into problems.

Please give your input, comments, or anything that would improve me :)

Regards,
Donny Achmadi
(at Night on 29 September 2014)