KLGIT

Forum Replies Created

Viewing 12 posts - 1 through 12 (of 12 total)
  • in reply to: CF card failures – WARNING. #51675
    KLGIT
    Member

    BTW, I don’t think Soekris is really at fault on that.
    For most routers designed to run from flash, writes to the flash devices are minimal or non-existent. Many devices log to a ramdisk and update the flash in bulk (i.e. daily, hourly, etc.). This and other design choices greatly enhance the life of the flash device.
    In the case of ZeroShell, this is a system designed without these optimizations that happens to also run from Flash. It was really designed for use with a hard drive. I think this makes it much harder on Flash storage when it comes to write cycles. Now add to that the heat the CF card has to deal with in an embedded router device, especially as compared to in a camera, and you have a recipe for early failure.

    The only real solutions (that I see) are:

    – Create a ZeroShell Flash edition with optimizations for reducing writes to storage
    – Setup ZeroShell to mount a remote network share and do all or most writes to that
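    The "log to ramdisk, write to flash in bulk" scheme described above, as an added example. This is the editor's illustration, not ZeroShell code and not how Soekris or any other vendor implements it. It assumes the live logs sit under a ramdisk directory (a tmpfs) and the persistent copy lives in a directory on the CF card; both paths are arguments, and the cron line in the comments is an assumption.

```shell
#!/bin/sh
# Added example (editor's, not ZeroShell's): keep logs on a ramdisk and copy
# them to flash on a schedule, and only when their content changed, instead of
# letting syslog hit the CF card on every line.
#
# Assumptions: RAMLOG is a tmpfs directory holding the live logs, FLASHLOG is
# a directory on the CF card. Neither path comes from the post.

# restore_logs FLASHLOG RAMLOG
# Run once at boot after mounting the tmpfs: seeds the ramdisk with the last
# flushed copies so the log history survives a reboot.
restore_logs() {
    flash=$1
    ram=$2
    mkdir -p "$ram" || return 1
    for src in "$flash"/*; do
        [ -f "$src" ] || continue
        cp "$src" "$ram/${src##*/}" || return 1
    done
}

# flush_logs RAMLOG FLASHLOG
# Copies each regular file from RAMLOG into FLASHLOG only if the flash copy is
# missing or differs; prints the number of files written and returns 0.
flush_logs() {
    ram=$1
    flash=$2
    written=0
    mkdir -p "$flash" || return 1
    for src in "$ram"/*; do
        [ -f "$src" ] || continue
        name=${src##*/}
        dst="$flash/$name"
        # cmp -s succeeds only when both files exist and are byte-identical,
        # so an unchanged log costs zero flash writes this round.
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
            continue
        fi
        # Write to a temporary name, then rename: a power cut mid-copy leaves
        # the previous complete copy intact instead of a truncated log.
        cp "$src" "$dst.tmp" && mv "$dst.tmp" "$dst" || return 1
        written=$((written + 1))
    done
    # Push the page cache out now, so the data lands on the card at the
    # scheduled flush and not at some later, possibly interrupted, moment.
    sync
    echo "$written"
}

# Typical scheduling (assumption, not from the post): an hourly cron entry
#   0 * * * * /usr/local/sbin/flush_logs.sh
# that calls flush_logs /var/log /mnt/cf/log, plus restore_logs at boot.
```

    The trade-off is the one to keep in mind for incident review: a crash or power cut loses everything logged since the last flush. For anything you would need during an investigation (auth failures, firewall hits), ship it off the box with remote syslog as well, which is the second option listed above.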

    in reply to: CF card failures – WARNING. #51674
    KLGIT
    Member

    @SysEngBD wrote:

    Did you happen to have a SanDisk Ultra CF fail?

    When I bought our Soekris boxes I opted to get everything from them (Soekris) and the CF they sell is SanDisk Ultra. Both of the routers have been in production for 10 months so I’m wondering if I should get worried…

    (I’ve got an ALIX running ZS as well but it has a Transcend Industrial CF)

    Cheers,

    I don’t know specifically as I didn’t keep the first failed CF since I figured that failure was a fluke. So far I’ve had Verbatim, Kingston and I believe a SanDisk CF card failure. All were generic consumer grade CF cards purchased from local electronics stores.

    My recommendation to you is that you backup your profile every time you make changes to your Zeroshell boxes. I save my ZS profiles on our file server. If you do have a failure, you can be back up and running pretty quick.

    If you have a situation where you’re using a ZeroShell box with a configuration that will be pretty static once it’s initially setup then you should make backups at that time. For example, setup your router, make all your configs, test and tweak, then backup the profile. Now image that CF card to a file (I use Linux to do this, eg. dd if=/dev/ of=/server/backup/routers/ZS01/ZS01.img bs=4096).
    Then if you keep a few blank CF cards around, you can quickly replace a failed unit by imaging the backup onto a blank and slapping it into your ZS box.

    As for worrying about your configuration, not to spread panic, but you’re approaching the time frame when mine started to fail, which was between 10-14 months. I guess you’ll find out if your SanDisk CFs are industrial grade or not.

    I was half tempted to try microdrive CFs but that kinda defeats the purpose of using flash based storage in the first place.

    Anyway, get out ahead of this and take the chance to bring down your ZS boxes during off peak hours, image the CF cards, and get some spare CF’s in stock. Then you’ll be prepared for the worst.

    Honestly, I wish there were SSD’s in CF form factor.
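    The image-and-restore procedure from the post above, as an added example with the checks a practitioner would want around it. This is the editor's script, not KLGIT's and not part of ZeroShell. Device and image paths are arguments; the `/dev/sdX` style names in the comments are placeholders, and the exact device must be confirmed with `dmesg` or `lsblk` before running, because `dd` overwrites whatever it is pointed at.

```shell
#!/bin/sh
# Added example (editor's, not from the post): image a CF card to a file,
# verify the image, and later write it back onto a spare card.
#
# Assumptions: DEVICE is the card as seen through a card reader (e.g. /dev/sdX,
# a placeholder), IMAGEFILE is where the image is kept. The post's own
# command is "dd if=/dev/... of=/server/backup/routers/ZS01/ZS01.img bs=4096".

# image_device DEVICE IMAGEFILE
# Reads the whole device into IMAGEFILE with 4 KiB blocks, verifies the copy
# byte-for-byte, stores a checksum beside it and locks the permissions down.
image_device() {
    dev=$1
    img=$2
    dd if="$dev" of="$img" bs=4096 2>/dev/null || return 1
    # cmp reads both sides back, so a read error or a short copy is caught
    # now, not when the spare card fails to boot.
    cmp -s "$dev" "$img" || return 1
    # A checksum next to the image lets the copy on the file server be
    # checked months later without the original card in hand.
    sha256sum < "$img" | cut -d' ' -f1 > "$img.sha256" || return 1
    # The image carries the whole profile: certificates, private keys, user
    # and admin passwords. Treat the backup like the router itself.
    chmod 600 "$img" "$img.sha256"
}

# restore_image IMAGEFILE DEVICE
# Writes IMAGEFILE onto DEVICE after checking the stored checksum, then reads
# the device back and compares it against the image.
restore_image() {
    img=$1
    dev=$2
    # Refuse to write an image whose checksum no longer matches its record
    # (bit rot on the file server, a partial download, a tampered copy).
    [ "$(sha256sum < "$img" | cut -d' ' -f1)" = "$(cat "$img.sha256")" ] || return 1
    # conv=fsync makes dd wait for the card to acknowledge the writes. A spare
    # card with fewer sectors than the original fails here with "no space
    # left", which is the right outcome: a truncated image will not boot.
    dd if="$img" of="$dev" bs=4096 conv=fsync 2>/dev/null || return 1
    cmp -s "$img" "$dev"
}
```

    Two practical notes: cards of the same nominal size differ by a few sectors between brands, so spares should be the same model or larger than the original. And because the ZeroShell profile (CA, certificates, keys, passwords) is inside that image, the backup location needs the same access controls as the router's admin interface.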

    in reply to: QOS and VoIP #46260
    KLGIT
    Member

    I do exactly what you are talking about using ZeroShell routers.
    We have a 5Mbps symmetrical Internet connection that is shared with our LAN/WAN, VPN and VoIP systems.

    I have setup a ZeroShell router between our ISP’s access device and our firewall. I have setup QoS rules on the ZS router to prioritize VoIP traffic AND to reserve a minimum amount of bandwidth for VoIP use.
    I also setup rules to catch VPN traffic which in our case mostly carries remote terminal sessions between remote terminal clients and our application server. I gave these a responsive profile and priority second only to the VoIP traffic.

    I have several other rules to handle things like web and e-mail traffic, bulk traffic etc. as well as a rule to give IM/CHAT traffic a very low maximum bandwidth rate.

    This whole setup works quite well with up to 6 VoIP/SIP channels active (VoIP is guaranteed 512K of bandwidth) and there are no issues in our VoIP calls related to the router not doing its job. For example, I can be pulling down updates at a pretty high transfer rate, and if there are no calls, the D/L rate will near max out our bandwidth. If I then make a call, I can watch the transfer drop speed as the VoIP call gets priority. The call will proceed clean and clear with no stuttering or dropping while the transfer continues at a reduced rate.

    Setting up your QoS rules is where the problem lies. Just picking the built in L7 SIP rule won’t cut it. You have to go through your setup and make custom rules for your configuration. This involves understanding the SIP protocol and how it works, what ports it uses etc. You’ll need to prioritize not just the voice packets but also the handshake and call setup traffic. Plus you may still need rules using the IP or address of your SIP provider and your internal SIP box. However, once you do this, it works like a charm. We’ve been running this way for over a year with no problems.

    That said, when we initially set this up, we were using DSL. While the setup did work, it was not as good as with our current setup. The reason is that the DSL system in use by our ISP introduces latency of its own.
    Add that to the fact that no QoS is done by ISPs and the fact that you are sharing the capacity of the DSL backplane with other DSL users and you end up with periods of poor VoIP performance.

    The unfortunate fact is that MOST consumer grade DSL products sold by most ISPs are not a good candidate for VoIP traffic. Sure, it works great some times, but it is not consistent.
    If your ISP has a business class DSL service and IF they prioritize that traffic over the consumer/residential DSL traffic, then DSL can work well for several channels of VoIP, especially if you can use a good CODEC like G.729.

    Anyway, it can be done, ZeroShell and DSL can do it, but many of the factors in a successful implementation are out of your control.

    Good luck
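    The rule set described in the post above (guaranteed VoIP rate with top priority, VPN second, a default class, IM capped), as an added example in the form of the Linux tc/HTB commands that such a setup comes down to underneath a GUI. This is the editor's script, not ZeroShell's configuration and not what KLGIT runs. Everything specific is an assumption: the addresses 192.0.2.10 (internal SIP box) and 198.51.100.5 (SIP provider) are documentation-range placeholders, SIP signalling is taken as UDP 5060, the VPN as OpenVPN on UDP 1194 and IM as XMPP on TCP 5222. It shapes egress on one interface only; on a transparent bridge the same tree goes on the LAN-facing side to control the download direction.

```shell
#!/bin/sh
# Added example (editor's, not ZeroShell's): a four-class HTB tree of the kind
# a VoIP-priority QoS setup uses. Rates are in kbit/s as tc expects them.
#
# Assumptions (none from the post): PBX and provider addresses are
# placeholders, SIP signalling UDP 5060, OpenVPN UDP 1194, XMPP TCP 5222.

TC=${TC:-tc}   # point TC at a shell function to capture the commands instead

# build_qos IFACE LINK_KBIT VOIP_KBIT VPN_KBIT IM_CEIL_KBIT
# LINK_KBIT should be a few percent under the physical rate so the queue
# forms on this box, where priorities apply, and not in the ISP's device.
build_qos() {
    dev=$1 link=$2 voip=$3 vpn=$4 im_ceil=$5
    pbx=192.0.2.10
    provider=198.51.100.5
    im_rate=$((im_ceil / 2))
    # HTB guarantees only hold if the children's rates fit inside the parent.
    default=$((link - voip - vpn - im_rate))
    [ "$default" -gt 0 ] || { echo "guaranteed rates exceed link rate" >&2; return 1; }

    "$TC" qdisc del dev "$dev" root 2>/dev/null || true
    "$TC" qdisc add dev "$dev" root handle 1: htb default 30
    "$TC" class add dev "$dev" parent 1: classid 1:1 htb rate "${link}kbit" ceil "${link}kbit"
    # prio 0 is served first. VoIP may borrow up to the whole link when idle
    # and is never squeezed below its guaranteed rate while bulk traffic runs.
    "$TC" class add dev "$dev" parent 1:1 classid 1:10 htb rate "${voip}kbit" ceil "${link}kbit" prio 0
    "$TC" class add dev "$dev" parent 1:1 classid 1:20 htb rate "${vpn}kbit" ceil "${link}kbit" prio 1
    "$TC" class add dev "$dev" parent 1:1 classid 1:30 htb rate "${default}kbit" ceil "${link}kbit" prio 2
    # IM gets a small guarantee and a hard ceiling, the "very low maximum".
    "$TC" class add dev "$dev" parent 1:1 classid 1:40 htb rate "${im_rate}kbit" ceil "${im_ceil}kbit" prio 3
    # Short FIFO for voice: a late RTP packet is useless, better dropped than queued.
    "$TC" qdisc add dev "$dev" parent 1:10 handle 10: pfifo limit 20
    "$TC" qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    "$TC" qdisc add dev "$dev" parent 1:30 handle 30: sfq perturb 10
    "$TC" qdisc add dev "$dev" parent 1:40 handle 40: sfq perturb 10

    # Classification: anything from the PBX or to the provider goes to the
    # voice class, which catches RTP whatever ports the media negotiates, and
    # SIP signalling by port catches the call setup itself.
    "$TC" filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip src "$pbx/32" flowid 1:10
    "$TC" filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip dst "$provider/32" flowid 1:10
    "$TC" filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport 5060 0xffff flowid 1:10
    "$TC" filter add dev "$dev" parent 1: protocol ip prio 2 u32 match ip protocol 17 0xff match ip dport 1194 0xffff flowid 1:20
    "$TC" filter add dev "$dev" parent 1: protocol ip prio 3 u32 match ip protocol 6 0xff match ip dport 5222 0xffff flowid 1:40
}

# Example for the 5 Mbps symmetrical link in the post, run as root:
#   build_qos eth0 4800 512 1024 128
```

    The address-based filters do the work the post attributes to custom rules rather than the built-in L7 SIP signature: they cover the RTP media streams, whose ports are negotiated per call, as well as the signalling. Anything not matched by a filter falls into the default class 1:30.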

    in reply to: What affects the VOIP phone quality? #50257
    KLGIT
    Member

    You’ll almost certainly want to setup QoS to do bandwidth management and prioritize the VoIP traffic as well as reserve some guaranteed bandwidth for your VoIP channel(s).
    QoS / Bandwidth Management is currently my primary use for Zeroshell on our networks and Zeroshell works very well for this.

    There’s a QoS tutorial on this site.

    in reply to: VIA encryption acceleration support #48460
    KLGIT
    Member

    That’s exactly what the VIA offers. It has hardware encryption acceleration. But better than being on a separate card, it is built into the CPU.
    This has a lot of performance advantages over an add-on card. You can see this in the benchmark results vs. the Pentium D.
    The VIA chip was designed for exactly this kind of use, in an embedded VPN router application.
    I can confirm that enabling it not only improves encryption speeds, but lowers overall CPU usage.

    in reply to: L7 filter update instructions #48454
    KLGIT
    Member

    Unfortunately I was pressed for time and had to go live with those routers before I could work out this process. We’ve been able to get by with the existing L7 definitions and custom filters for now.
    Eventually I’ll need to setup a test system and work this out sometime in the future, but I’ve had a lot on my plate lately so it hasn’t been done.
    However, what I did originally was manually download the L7 filters from the main site to my PC and extract them to a folder. I then read the install docs for the filters and looked at the file structure layout of the uncompressed archive as well as where the docs said those files and folders should end up on the system they were to be installed on. I SSH’d into the zeroshell box, used the command line to find the matching subdirectory, then manually downloaded and installed the filter updates there. I then rebooted to get it to pick up the new filters.

    That’s the short version anyway. I wouldn’t do it on a production system the first time. It took me a couple of tries to get it right.

    I think this is something that someone with the skills and time should volunteer to fix for Fulvio since it’s a powerful feature. When I looked at my options for an OS for the routers I setup, Zeroshell was the only one (that I found) that could do a transparent filter bridge as well as meet my other criteria. I’m sure others will use it for this reason as well, especially those who need to setup VoIP. It’s absolutely necessary for running a VoIP system to have bandwidth management capability.

    I use the zeroshell system to reserve bandwidth for the VoIP system and prioritize it over the regular Internet traffic coming from our LAN.

    in reply to: Unable to Copy or Backup Active Database #48163
    KLGIT
    Member

    I’m using the 1.0beta12 release and I have QoS enabled. I just tried a profile database backup and it worked fine.

    By your description of the problem (starts, but doesn’t finish) I’m inclined to think this is a browser or network issue and not a particular ZS issue.

    Have you tried backing up from different browsers or a different PC?

    I’m using Firefox 3.x which seems to work fine. Maybe give that a shot if you’re using something else.

    If you’re using IE 8, there are a lot of compatibility issues with numerous sites. You might want to play with IE 8’s compatibility mode settings (also make sure you have the FULL compatibility mode addon pack installed).

    Anyway, that’s what came to mind when you described your problem. I’ve seen that a lot here. Keeping browser versions and settings compatible with all the sites and portals we use is a constant hassle.

    in reply to: ZeroShell support for VIA Eden Padlock Security Engine? #48448
    KLGIT
    Member

    tamws: That’s a good tip. I’ve just gone and added it to the OpenVPN command line options.

    In the bigger picture though, it would be nice to have the option to check one box and have all padlock supported functions be accelerated on supported hardware. This way you don’t have to add options or edit configs for every function individually. Given the number of VIA embedded platform options out there, this would be a good way for less technical users to take advantage of the encryption acceleration. It would even help more technical sysadmins as it would be much quicker than digging through the system to enable all accelerated functions plus it would make it less likely that one would be missed or that a typo in one would break something. Basically the KISS rule applied to the user interface.

    Thanks for the reply and the excellent tip.

    in reply to: VIA encryption acceleration support #48458
    KLGIT
    Member

    OK, apparently the current version of Zeroshell (1.0beta12) does support Padlock hardware. However it doesn’t appear to be detected and used by default.

    So, I’d like to change my request to allow Zeroshell users to enable Padlock support.

    It seems that the easiest way (at least for apps that use ssl_lib) is to let users choose to replace OpenSSL with a patched version. This causes all apps that use the lib to use the hardware acceleration engine.

    The patch is available at:
    http://www.logix.cz/michal/devel/padlock/

    see the section …
    Once you get bored with patching heaps of client programs have a look at this patch from Cecilia: openssl-0.9.8e-engine.diff, 2008-09-12 22:01
    “The openssl-0.9.8e patch will make the ssl-library to load the padlock engine. This means, if you apply the openssl-0.9.8e patch, you do not have to apply any other patches or modifications, since every time the ssl-library is called, the padlock-engine is initialized by the ssl-library.”
    In other words – Patch for OpenSSL to always load PadLock engine.

    in reply to: ZeroShell support for VIA Eden Padlock Security Engine? #48446
    KLGIT
    Member

    aseques posted this, I believe in answer to THIS post, but accidentally replied it to another post of mine.
    I’ll quote here and then answer here to bring the conversation back here.

    Doing a fast search it seems that there’s no problem to have it in Linux (as far as you’ve the right versions).

    Kernel newer than 2.6.19 (like zeroshell) should have support built in:
    http://www.logix.cz/michal/devel/padlock/

    Portable openssh has support too:
    https://bugzilla.mindrot.org/show_bug.cgi?id=1437

    Openssl 0.9.8e should have it included too (lenny’s version is 0.9.8g)

    So have a look at the versions on zeroshell, and please post the results

    You are right! Zeroshell 1.0beta12 does seem to have Padlock support built in. At least for OpenSSL. I’ll test more later.

    For now, here are my results for OpenSSL.


    root@zeroshell root> openssl speed -evp aes-128-ecb
    Doing aes-128-ecb for 3s on 16 size blocks: 2514961 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 64 size blocks: 670904 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 256 size blocks: 171155 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 1024 size blocks: 43010 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 8192 size blocks: 5384 aes-128-ecb's in 3.00s
    OpenSSL 0.9.8k 25 Mar 2009
    built on: Sat May 9 12:34:22 CEST 2009
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
    available timing options: TIMES TIMEB HZ=100 [sysconf value]
    timing function used: times
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-ecb     13413.13k    14312.62k    14605.23k    14680.75k    14701.91k

    Now with Padlock


    root@zeroshell root> openssl speed -evp aes-128-ecb -engine padlock
    engine "padlock" set.
    Doing aes-128-ecb for 3s on 16 size blocks: 8347197 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 64 size blocks: 5318052 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 256 size blocks: 2197573 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 1024 size blocks: 717930 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 8192 size blocks: 106649 aes-128-ecb's in 3.00s
    OpenSSL 0.9.8k 25 Mar 2009
    built on: Sat May 9 12:34:22 CEST 2009
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
    available timing options: TIMES TIMEB HZ=100 [sysconf value]
    timing function used: times
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-ecb     44518.38k   113451.78k   187526.23k   245053.44k   291222.87k

    As you can see, the performance increase with Padlock enabled is HUGE.

    Here are the final numbers again for comparison


    The 'numbers' are in 1000s of bytes per second processed.
    type                       16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    no padlock  aes-128-ecb   13413.13k    14312.62k    14605.23k    14680.75k    14701.91k
    w/ padlock  aes-128-ecb   44518.38k   113451.78k   187526.23k   245053.44k   291222.87k

    In the 8k block size, the performance improvement is 20X!

    For reference and to see just how fast Padlock is, here is the same test run on my Dell server with a 3GHz PentiumD-64bit


    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-ecb     97745.47k   104677.59k   110004.92k   111115.99k   110676.65k

    Now I just have to figure out how to get everything in Zeroshell to use padlock by default.

    Also, if I find any other benchmarks or tests, I’ll run and post them.
    Meanwhile, this is something to consider if you want to put together a high bang for the buck router.
    This one I’m testing on cost under $500 Canadian with a 1GHz CPU and 1GB of RAM.

    FYI


    root@zeroshell root> cat /proc/cpuinfo
    processor : 0
    vendor_id : CentaurHauls
    cpu family : 6
    model : 10
    model name : VIA Esther processor 1000MHz
    stepping : 9
    cpu MHz : 997.611
    cache size : 128 KB
    fdiv_bug : no
    hlt_bug : no
    f00f_bug : no
    coma_bug : no
    fpu : yes
    fpu_exception : yes
    cpuid level : 1
    wp : yes
    flags : fpu vme de pse tsc msr pae mce apic sep mtrr pge cmov pat clflush acpi mmx fxsr sse sse2 tm nx up pni est tm2 rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en
    bogomips : 1997.89
    clflush size : 64
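    The cpuinfo flags posted above are the thing to check before trusting any PadLock benchmark, and the check belongs with both Padlock threads on this page (the OpenSSL results here and the OpenVPN option discussed in #48448). The following is an added example from the editor, not ZeroShell code and not KLGIT's: it parses the flags line and reports whether the AES engine (ace) and the SHA engine (phe) are present and enabled (the _en bits), then lists the live commands for the comparison. The flag meanings are those of the VIA PadLock feature bits; the sample flags string in the test is copied from the cpuinfo output above.

```shell
#!/bin/sh
# Added example (editor's, not ZeroShell's): confirm the PadLock engine is
# fitted AND enabled before reading anything into an openssl speed run.
#
# From the cpuinfo flags above: ace/ace_en = AES engine present / enabled,
# phe/phe_en = SHA engine present / enabled.

# has_flag FLAGS NAME: true when NAME appears as a whole word in FLAGS.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# padlock_status FLAGS_STRING
# Takes the "flags" line of /proc/cpuinfo (prefix included is fine) and prints
# one of: none, aes-disabled, aes, aes+sha. Returns 0 only when the AES
# engine is usable, i.e. both ace and ace_en are present.
padlock_status() {
    flags=$(printf '%s' "$1" | tr '\n' ' ')
    if ! has_flag "$flags" ace; then
        echo none
        return 1
    fi
    if ! has_flag "$flags" ace_en; then
        # Engine fitted but switched off, usually a BIOS setting. OpenSSL
        # quietly falls back to software, so a benchmark just looks ordinary.
        echo aes-disabled
        return 1
    fi
    if has_flag "$flags" phe && has_flag "$flags" phe_en; then
        echo aes+sha
        return 0
    fi
    echo aes
    return 0
}

# Live check on the router itself (not executed here):
#   padlock_status "$(grep '^flags' /proc/cpuinfo | head -n 1)"
#   openssl engine -c padlock          # lists the ciphers the engine offers
#   openssl speed -evp aes-128-cbc
#   openssl speed -evp aes-128-cbc -engine padlock
```

    Two caveats when reading the numbers above. The test used ECB, which nothing on a router actually speaks; rerun with aes-128-cbc (what OpenVPN and IPsec use) for a figure that predicts tunnel throughput. And the gain at 16-byte blocks is about 3x against 20x at 8 KiB, because each engine call has a fixed setup cost, so small packets such as VoIP frames benefit far less than bulk transfers. For OpenVPN specifically, the `--engine padlock` option is what loads the engine for that process, which matches the "OpenVPN command line options" mentioned in the other thread.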
    in reply to: Change CF Image size #47890
    KLGIT
    Member

    I did the opposite. I could only get a 2GB CF. I imaged it as usual, then plugged it into a card reader on one of my SuSE boxes and used the partition tool there to expand the partition. I now have 1.4GB for profile / log storage instead of 400MB.

    The same should certainly work in reverse. Use your Linux distro’s partition tools to shrink/grow the partition.

    in reply to: Installing ZS D-Link Dir-635 #48368
    KLGIT
    Member

    I think you are confusing ZeroShell with projects like DD-WRT and OpenWRT.

    You can look at those, but I don’t think they’ll support your router. Not a lot of D-Link routers work with replacement firmware.

    However, you can build your own wireless router with ZeroShell.

    You could look at a product like IBT’s FWA7304* appliance with a wifi card installed in it and run ZeroShell on that.

    Otherwise, you’ll need a compatible consumer router that works with a replacement firmware like DD-WRT, OpenWRT, Tomato, etc. See the compatibility lists on their websites. The Linksys WRT54G series are the primary models for these projects.

    Good luck!

    *Not an ad, I just happen to have purchased one after looking for compatible HW myself.
