Germany: Würzburg and Berlin

My first trip last Thursday, in hopefully a long series of trips, already went bust. Due to heavy delays caused by wind and lightning strikes I missed my connection, first in Düsseldorf and later at Frankfurt Hbf. So I ended up sharing a cab in Frankfurt with more stranded people to go to Würzburg, paid for by Deutsche Bahn. In the end the delay was only 2 hours and 15 minutes and I made it to Mags! :)

At Köln Hbf there was a funny advertisement for a holiday to Vietnam, for some reason exactly the same places we went last year for Hackerbeach, only now with expensive hotels instead of relatively cheap hostels and apartments we had. But for some reason my flight last year was already almost the same price :o

The Germans are really fond of their Christmas markets and Glühwein. The whole market square was packed with people sipping the stuff from “rental” mugs and eating the traditional roasted sugared almonds (Mandeln) and chestnuts (Maronen). Oh and of course the sausage, see the “charming” picture :P

[Image: sausage]

Unfortunately, on Saturday evening the market was already closed around 21:30 so we had to go for cocktails instead, and getting Glühwein had to wait till Sunday. The children’s fruit punch I got on Friday apparently didn’t count :)

My Airbnb reservation for a place in Berlin I already made several weeks ago got canceled late last week. So I had to look for a new place on short notice. Luckily I found one very close to Kotti :)

After dropping my bag and connecting to the wireless network the plan was to go for a burger with bkero, but unfortunately the burger place was closed till 5pm and we were a bit early. We ended up at a cool Canadian Pizza place. I hope we didn’t get moose meat on the pizza, they are *way* too sweet to be eaten!

Today I’m going to enjoy more of the German bread, maybe go climbing or go to the Jewish museum. I may also delay that for a bit and just relax in the nice apartment instead :) Tonight I’ll go to a discussion with Evgeny Morozov about the “smart new world”, the impact of technology on society and the appification of everything, at the Freitag-Salon. More on this later.

End of an era: leaving my job, and what is next

Last Friday was my last day at SURFnet. I worked there for over 4 years. I had a great time, learned a lot and met a lot of interesting and nice people. Most important: the colleagues were amazing! I’m really gonna miss them badly. It doesn’t quite register yet, it seems too strange to be true. However, judging from other people who left SURFnet it seems you can check out any time you like, but you can never leave. So it probably won’t be the last time I set foot in the building :)


As for my plans now, I’ll be visiting a friend in Germany later this week for relaxing a bit and then travel on to my favorite city, Berlin, after the weekend for more relaxing, probably meet some people involved with the Unhosted project, and visit some of the museums I didn’t get around to visiting my previous times in Berlin. Also if it is not too cold I’ll go running at Tempelhof airport again, amazing place! Oh, and of course try to go to Freitag Salon with Evgeny Morozov.

After that, when Christmas and New Year’s are over, my plan is to go to Hackerbeach in Kenya in January, to relax in the sun and sea before looking into occupy.here, and to see what can be done in combination with the awesome WakaWaka solar panel my colleagues got me when I left SURFnet, in addition to the notebook sleeve so I will remember them. Awesome:


I may also start working again on some Unhosted projects like remoteStorage and SocketHub to save the world from the evil big data collectors :)

As for my next job. I already have some ideas, but I really want to go travel first and see (part of) the world. Currently my plan is to go to Thailand, Indonesia, Malaysia, Philippines, Australia, New Zealand, Japan and maybe China. I’ll probably save Canada and Russia for later. But, the plans are fluid. Anything is possible and everything can change :)

This is the first post in what I hope will be a regular log of my travels and activities. Feel free to suggest places that require visiting and things to see :-)

ADSL issues…

Of course nothing is as easy as it should be, and this is definitely true for installing a DSL connection at home. My previous internet connection was also ADSL, so I thought switching to a new DSL provider would be easy. Yeah sure.

After talking for more than half an hour with the helpdesk, which made me go through endless modem settings while I was already convinced it was a line problem, I decided to just open the wall connection to see what was going on there. Apparently every land line (in The Netherlands) has two physical phone lines: line 1 (red/blue wire pair) and line 2 (orange/white wire pair). The old ADSL connection was configured on line 2, and of course the new one on line 1. No one told me this, so with nothing to lose I decided to switch some wires and move to line 1 (red/blue). This turned out to solve the problem indeed. So, finally ADSL again after using 3G for way too long :)

[Image: POTS wires]

The new Fritz!Box works fine, but takes a very long time to get ADSL line sync. The DrayTek Vigor 120 is much faster (I used this one initially to test my line hacking)… Not sure if this will be a problem in the future, but the Fritz!Box wizard was unable to successfully test the Internet connection after setting it up because the line wasn’t synced yet. Waiting another minute solved that.

A very helpful resource (in Dutch) that explains all about the wiring can be found here.

Linksys Surgery

So I bricked my Linksys WRT160NL last week, today the USB to serial device arrived by mail. The special thing is that it supports 3.3V on the serial port as opposed to the more traditional 5V that is used on PCs. A search on e.g. eBay for “rs232 to ttl” will show a lot of cheap devices you can get.

I opened the router and attached the cables that were included with the USB device to make the serial connection work. The OpenWRT wiki has some other information about using the externally accessible serial port, but I didn’t want to risk frying the WAN/LAN port by fiddling with wires. So what I ended up with is this (click for larger version):

[Image: Linksys surgery]

After this I followed the TFTP flash procedure as described here which worked like a charm :)

I used Ubuntu 11.04 for this procedure with minicom (apt-get install minicom), started with minicom -D /dev/ttyUSB0. For the TFTP upload I used the basic TFTP client, tftp (apt-get install tftp).

OpenWrt, 3G, IPv6

While waiting for ADSL from XS4ALL to be connected, I’m playing with the 3G UMTS dongle I got in the meantime. Configuring a dongle like this on Windows or Mac is a disaster, lots of crapware (you can install this from the CD-drive emulated by the stick) which never works and behaves like a virus. On Linux (tried with Fedora) with NetworkManager (or more specifically ModemManager) installing this is very easy. Just plug it in, select your provider (even XS4ALL is listed!) and you are in business.

It turns out it is also quite easy to get this to work on OpenWrt. I am using OpenWrt 10.03.1-RC5-testing on an Alix board with USB2 port. I tried first to do this on my Linksys WRT160NL, but unfortunately I “bricked” it for now and am waiting for a 3.3V serial cable to fix it :).

[Image: Alix and 3G modem]

3G

I assume OpenWrt (the version specified above) is installed on the machine and you can access it using SSH (configuring the LAN and WLAN is out of scope here). First the network configuration in /etc/config/network:

config 'interface' 'wan'
    option 'ifname' 'ppp0'
    option 'device' '/dev/ttyUSB0'
    option 'service' 'umts'
    option 'proto' '3g'
    option 'pincode' '0000'
    option 'apn' 'umts.xs4all.nl'
    option 'username' 'xs4all'
    option 'password' '1234'

For this to work you need a number of packages from OpenWrt:

# opkg update && opkg install kmod-usb2 kmod-usb-serial-option kmod-usb-serial chat comgt kmod-ppp

I probably forgot a few, see also the OpenWrt documentation here.

This should make everything work! No other fiddling around needed… except modifying the 3G dongle so it no longer emulates a CD drive, see this site. I used AT^U2DIAG=0, which at least made my Vodafone 3G (K3765) adapter stop emulating a CD drive. I didn’t try this on the one I got from XS4ALL (Huawei E180), as I have to return that at some point :). I issued this AT command on Linux to /dev/ttyUSB0 after ModemManager had performed a usb_modeswitch to enable the modem instead of the CD drive. This way I didn’t need usb_modeswitch on OpenWrt, and the stick would also work in, for instance, a FritzBox.

IPv6

As a fan of IPv6 I also wanted to get this to work. I didn’t feel like using a tunnelbroker so instead opted for trying out 6to4, something I wanted to do already for a while…

Turns out, this is also quite easy. Install the 6to4 package and add a new entry to /etc/config/network:

config 'interface' 'wan6'
    option 'proto' '6to4'

Next modify one line in the firewall (/etc/config/firewall):

config zone
    option name 'wan'
    option network 'wan wan6'
    ...
    ...

To make it available on the LAN, install the package radvd and enable it with /etc/init.d/radvd enable. Bringing the interface wan6 up will configure radvd for you. Don’t forget to restart the firewall and bring up the interface:

# /etc/init.d/firewall restart
# ifup wan6

Finally, make sure net.ipv6.conf.all.forwarding=1 is set in /etc/sysctl.conf.

Unfortunately it seems that at least Mac OS X prefers IPv4 over IPv6 when using a 6to4 tunnel, which makes sense I assume as 6to4 tends to be flaky…
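One thing worth checking before enabling the wan6 interface above: 6to4 derives its whole /48 from the WAN IPv4 address and only works when that address is public. Below is a small Python helper, added here as an example (not from the original post or from OpenWrt), that computes the 2002::/48 prefix the 6to4 interface will get and refuses RFC 1918 or CGNAT (100.64.0.0/10) addresses, which a 3G provider may well hand out. The sample addresses are constructed.

```python
# Added example (not from the original post): derive the 6to4 prefix OpenWrt's
# 'proto 6to4' will use from the WAN IPv4 address, and refuse addresses for
# which 6to4 cannot work (RFC 1918, CGNAT 100.64/10 and other non-global space).
import ipaddress


def six_to_four_prefix(wan_ipv4: str) -> ipaddress.IPv6Network:
    """6to4 (RFC 3056) embeds the public IPv4 address in 2002:WWXX:YYZZ::/48."""
    addr = ipaddress.IPv4Address(wan_ipv4)
    if not addr.is_global:
        # A 3G provider or CGNAT may hand out non-public addresses; the public
        # 6to4 relays can then never route 2002::/16 reply traffic back here.
        raise ValueError(f"{wan_ipv4} is not a public IPv4 address, 6to4 cannot work")
    hi, lo = int(addr) >> 16, int(addr) & 0xFFFF
    return ipaddress.IPv6Network(f"2002:{hi:04x}:{lo:04x}::/48")


def embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """Reverse mapping: the IPv4 endpoint a 6to4 address really belongs to.
    Handy when reading firewall logs: a 2002::/16 peer is reached through the
    anycast relay 192.88.99.1 (RFC 3068), one reason 6to4 tends to be flaky."""
    v4 = ipaddress.IPv6Address(ipv6).sixtofour
    if v4 is None:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return v4


if __name__ == "__main__":
    # Constructed samples: 1.2.3.4 is public address space, 100.64.1.1 is CGNAT.
    print(six_to_four_prefix("1.2.3.4"))        # 2002:102:304::/48
    print(embedded_ipv4("2002:102:304::1"))     # 1.2.3.4
    try:
        six_to_four_prefix("100.64.1.1")
    except ValueError as err:
        print(err)
```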

DrayTek Vigor 120 as router without NAT hack

I got the DrayTek Vigor 120 ADSL2+ (Annex A) modem for use with SURFsnelADSL, offered by InterNLnet and SURFnet. The advantage of this Internet subscription is the ability to use multiple public IPs, as they offer you a public /29 address range (or more when requested) for use on your local network. This means, no more NAT! :)

Unfortunately, the Vigor 120 does not (officially) support this. Luckily I found a hack to solve this.

Configuring ADSL

First things first. To configure the ADSL connection I used the telnet interface of the Vigor 120, but it is also possible to use the web configuration interface. I assume you start out from a “factory default” configuration.


> adsl ppp 0 35 0 0 0 4 0 -1 fkooman@dsl.inter.nl.net PaSsWoRd
pvc no.=0
vci=35
vpi=0
encap=VC_MUX(0)
proto=PPPoA(0)
modu=MULTI(4)
AcquireIP: Dhcp_client(1)
Idle timeout:-1
Username=fkooman@dsl.inter.nl.net
Password=PaSsWoRd

This is enough to get everything working. A reboot of the modem may be required though. The default configuration will use NAT, and any computer connected to the modem can use DHCP to obtain a private (RFC 1918) address in the 192.168.1.0/24 network. The Vigor itself will obtain the first available IP address from your /29 range on the PPPoA interface, which is a bit strange I would say in a routed network… The external interface should typically not have an IP address in the same range as the IP address on the LAN…

Hacking the Vigor

So far so good. Now, to use the public IP addresses one needs to hack around in the web interface. Unfortunately there is no way to accomplish this through the telnet interface. This seems to have been left out on purpose, rather than restricted for a good (technical) reason.

Now if you go to LAN >> General Setup in the web interface you will see the following:

[Image: LAN >> General Setup, before Firebug]

In the more expensive Vigor routers it is possible to also configure (LAN) IP addresses for routing; here these configuration options are not visible, even though they are there! You can show these options by using Firebug or Google Chrome and “inspecting” elements on the page. If you look around the HTML code you’ll find that some page elements are hidden using inline CSS, so they are only hidden client-side. By deselecting the “hidden” property in Firebug, for instance, you can make them visible and actually use them, like this:

[Image: LAN >> General Setup, after Firebug]

As you can see, it becomes possible to add an IP range for routing. What I did was use the first IP address of the /29 network here as well, so identical to the IP address on the PPPoA interface. Submitting the form will actually make it work. The page still won’t show the configured options after a refresh, but they DO work.

Other Options

I would also like to be able to PING the modem (from the Internet). The telnet configuration option is a bit confusing (i.e. it does the opposite of what you expect). The following will enable the PING functionality:


> mngt echoicmp disable
%% Echo ICMP packet disabled.

In the web interface, this option is explained a bit better. Also, I wanted to disable the DHCP server functionality in the modem, as the clients will configure the IP address they use statically:


> srv dhcp off

This function need rebooting router, please type "sys reboot" command to reboot router.

Using DHCP on the LAN with public IP addresses may work though, as the button “2nd Subnet DHCP server” is available above. I didn’t test this.

Issues

Not all is fine though. There is an issue with this modem in the configuration as shown. The modem itself blocks all outgoing ICMP messages (except echo reply, see above). It does not do that for the machines on the LAN, so their ICMP responses are passed along. It seems impossible to configure this. Other types of ICMP messages that would be (very) helpful are time exceeded in-transit for traceroute and fragmentation needed for Path MTU Discovery.

It seems this fragmentation needed ICMP message type is really important for the case where the modem is used in PPPoE/PPPoA bridge mode. This was the mode of operation I was using first with some other router behind the Vigor 120. From the UK website:

The DrayTek Vigor 120 is an ADSL modem with an Ethernet connection; it is not a router but a true ADSL Ethernet Modem. By providing a PPPoE to PPPoA bridge, the connected device (firewall, router or PC) can log into the Internet (your ISP) directly and have full control over the ADSL connection – that makes the Vigor 120 a unique product. You can connect any device to the Vigor 120 which has a PPPoE client facility, which includes PCs, most Ethernet-WAN routers and the Apple Airport™ but the actual connection to your ISP is still PPPoA (unlike other modems which only provide PPPoE native bridging), which is the unique feature of this product and makes it compatible with all UK ISPs, where PPPoA is used as standard.

Now, using this bridging functionality means that the MTU of the connection is not 1500, as it is in my current setup, but 1492: 8 bytes are used for the PPPoE header. With the fragmentation-needed ICMP response blocked, Path MTU Discovery breaks and remote hosts won’t be able to find out that the MTU to your modem is actually only 1492 and not 1500. This results in a “black hole connection” (see the Path MTU Discovery link above). For TCP this can be fixed with MSS clamping, specifying the maximum size as 1492 bytes. This works for TCP connections, but not for UDP traffic! So with the wider deployment of DNSSEC this will certainly mean trouble: DNSSEC uses UDP packets with bigger than usual sizes and will run into this fragmentation issue. If the fragmentation-needed ICMP message can’t be delivered back to the sender, the DNSSEC response will never arrive. A great test to confirm this problem is running the ICSI Netalyzr.
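The black hole described above, as an added model in Python (example code, not from the original post or from DrayTek): a toy path with a 1500-byte LAN hop and a 1492-byte PPPoE hop, showing that PMTUD only recovers when the ICMP error gets back to the sender, that MSS clamping sidesteps the problem for TCP, and that a large UDP reply has no such escape. The hop list, header sizes and the single-packet model are assumptions of the example.

```python
# Added example (not from the original post): a small model of Path MTU Discovery
# on a 1500-byte LAN behind a 1492-byte PPPoE link, with and without the
# "fragmentation needed" ICMP message getting back to the sender.
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_HDR, TCP_HDR, UDP_HDR = 20, 20, 8


@dataclass
class Path:
    hop_mtus: List[int]   # MTU of each hop from sender to receiver, e.g. [1500, 1492]
    icmp_returns: bool    # does ICMP "fragmentation needed" reach the sender?


def send_df(path: Path, size: int) -> Tuple[str, Optional[int]]:
    """Send one IP packet with DF set.  Returns ("ok", size) if it fits every hop,
    ("icmp", hop_mtu) if a hop drops it and the ICMP error gets back to us,
    ("blackhole", None) if the packet is dropped silently."""
    for mtu in path.hop_mtus:
        if size > mtu:
            return ("icmp", mtu) if path.icmp_returns else ("blackhole", None)
    return ("ok", size)


def pmtud(path: Path, start_size: int, max_tries: int = 8) -> Optional[int]:
    """RFC 1191 style: retry with the MTU reported by ICMP until a packet fits."""
    size = start_size
    for _ in range(max_tries):
        status, value = send_df(path, size)
        if status == "ok":
            return size
        if status == "blackhole":
            return None   # the sender never learns why nothing comes back
        size = value
    return None


def clamped_mss(link_mtu: int) -> int:
    """TCP MSS to advertise so every full segment fits the PPPoE link: 1492 -> 1452."""
    return link_mtu - IPV4_HDR - TCP_HDR


def udp_reply_fits(path: Path, payload: int) -> bool:
    """A UDP reply (e.g. a large DNSSEC answer) has no MSS to clamp: it fits or is lost."""
    return send_df(path, IPV4_HDR + UDP_HDR + payload)[0] == "ok"


if __name__ == "__main__":
    filtered = Path([1500, 1492], icmp_returns=False)   # the modem filters ICMP
    print("PMTUD with ICMP filtered:", pmtud(filtered, 1500))                    # None
    print("PMTUD with ICMP allowed:", pmtud(Path([1500, 1492], True), 1500))    # 1492
    print("clamped TCP segment fits:", send_df(filtered, clamped_mss(1492) + 40)[0])
    print("1500-byte DNSSEC reply fits:", udp_reply_fits(filtered, 1500 - 28))  # False
```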

It would be helpful if DrayTek could confirm (and fix if needed) these issues before DNSSEC is widely deployed as I have only limited ability to test this… For this reason I was unable to use the PPPoE/PPPoA bridging functionality, one of the reasons for buying this otherwise awesome device!

Update (20110129): DrayTek support responded to (some) of the issues above. They will fix (I assume make visible) the LAN routing option in the Vigor 120 firmware:

I’ve applied the hacked/ 2nd routing subnet be visible and usable issue with ID G31067 for R&D’s fixing.

As for the fragmentation of packets, it seems not quite clear to them what the problem is. They suggest enabling DF checking on the modem (wan DF_check on), but as far as I can see this does not work in PPPoE/PPPoA bridging mode (with an MTU of 1492), unfortunately. In “router” mode it can’t be tested, as the MTU is 1500 in that case and the hop before the modem would already discard a packet with the DF bit set.

The ICMP issue that keeps traceroute from working properly (in routing mode) was not addressed.

Update (20110427): The end result of contact with DrayTek is now that DrayTek will make it impossible in the future to use the true routing mode (through the web interface hack) with a firmware update. The other issues were not looked into at all or even responded to. Further mails to DrayTek support were ignored.

Update (20110628): It seems with XS4ALL Path MTU Discovery works fine with MTU of 1492 instead of 1500 using the PPPoE/PPPoA bridging mode! So it seems to indeed be an ISP issue…

A truly anonymous Bonuskaart

For a while now I have been wondering whether it isn’t possible to have a truly anonymous Bonuskaart. I know, it has been a while since people worried about the privacy aspect and regularly swapped cards with colleagues to frustrate Albert Heijn’s data-collection mania.

Of course you can request an “anonymous” Bonuskaart from AH, but it will still link together all the purchases for which you use your Bonuskaart, and probably also link them to your bank account number if you pay by bank card.
Swapping Bonuskaarts with colleagues or friends has become pointless since it became possible to see via “Mijn Eerdere boodschappen” on the AH website which products were bought recently.

The solution to this problem presents itself when you pay at AH and say you forgot your Bonuskaart. The cashier can then decide to enter a general bonus number, which implies that your purchases are not registered individually (provided, of course, you don’t pay by PIN). The bonus number used is 2610400000012 and can easily be converted into an EAN-13 barcode. By printing this barcode and sticking it inconspicuously on your Bonuskaart, you can from now on use the bonus discount anonymously without having to tell the cashier you forgot your card.
It is also possible to go about it a bit more professionally and make a Bonuskaart entirely yourself, as can be seen here, for example.
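The post says the number can be converted into an EAN-13 barcode; the following Python encoder, added here as an example (not from the original post), shows what that conversion involves for any 13-digit code: it recomputes the check digit (the last digit is derived from the first twelve) and emits the 95-module bar pattern, with the first digit selecting the L/G parity pattern of the left half. The 4006381333931 sample is a constructed known-valid code.

```python
# Added example (not from the original post): validate an EAN-13 number and
# encode it into its 95-module bar pattern ('1' = bar, '0' = space).
L_CODES = ["0001101", "0011001", "0010011", "0111101", "0100011",
           "0110001", "0101111", "0111011", "0110111", "0001011"]
# R codes are the bitwise complement of the L codes; G codes are R codes reversed.
R_CODES = ["".join("1" if b == "0" else "0" for b in c) for c in L_CODES]
G_CODES = [c[::-1] for c in R_CODES]
# The first digit is not drawn as bars: it selects which of L/G encodes digits 2..7.
PARITY = ["LLLLLL", "LLGLGG", "LLGGLG", "LLGGGL", "LGLLGG",
          "LGGLLG", "LGGGLL", "LGLGLG", "LGLGGL", "LGGLGL"]


def ean13_check_digit(first12: str) -> int:
    """Weights 1,3,1,3,... from the left; the check digit makes the sum a multiple of 10."""
    if len(first12) != 12 or not first12.isdigit():
        raise ValueError("need exactly 12 digits")
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(first12))
    return (10 - total % 10) % 10


def ean13_is_valid(code: str) -> bool:
    """True when the code is 13 digits and its last digit matches the computed check digit."""
    return len(code) == 13 and code.isdigit() and ean13_check_digit(code[:12]) == int(code[12])


def ean13_encode(code: str) -> str:
    """Return the 95-module pattern: start guard, 6 left digits (L/G by parity),
    centre guard, 6 right digits (R), end guard."""
    if not ean13_is_valid(code):
        raise ValueError("invalid EAN-13 (bad length or check digit)")
    parity = PARITY[int(code[0])]
    left = "".join((L_CODES if p == "L" else G_CODES)[int(d)]
                   for p, d in zip(parity, code[1:7]))
    right = "".join(R_CODES[int(d)] for d in code[7:])
    return "101" + left + "01010" + right + "101"


if __name__ == "__main__":
    for sample in ("2610400000012", "4006381333931", "2610400000013"):
        if ean13_is_valid(sample):
            bars = ean13_encode(sample)
            print(sample, "valid", bars.replace("1", "█").replace("0", " "))
        else:
            print(sample, "invalid: expected check digit", ean13_check_digit(sample[:12]))
```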