Skip navigation

Category Archives: Networking

Click here for a tl;dr version that just gives you the fix without the background.

At my school, we have a fairly robust iPad program, and the decision was made, when we began to ramp up the deployment of iPads, that users should be able to print to their iPads.

Like so many of Apple’s technologies, AirPrint is one of those things that works well in a home environment but pretty quickly breaks down when taken into an enterprise environment.  Sure, you could go out and buy all new printers that have AirPrint built in, but when you’ve got a dozen or more printers that you might want to have available for iPad users, that quickly becomes a very expensive proposition.

You can roll your own AirPrint solution using a Linux box running avahi, but most people and departments would rather have a pre-baked solution, and then there’s only really one option: Printopia Pro.  If you’re running any sort of Bonjour gateway, such as the one built in to Cisco’s wireless access point controllers or Aerohive’s HiveManager cloud controller, you don’t even need more than one instance of the software.

And then Apple broke it all.

An engineer at the company that now develops Printopia Pro told me that for iOS 8 and OS X Yosemite, Apple moved away from a widely-used open-source mDNS discovery daemon to their own, in-house-developed daemon, and that’s where all the trouble started.

In a best-case scenario, we could maybe advertise four printers, and we often had to manually restart the Printopia Pro service when even those printers disappeared.

There is a solution that should work for most deployment cases, though.


This solution works only on networks running IPv4 and assumes that your Printopia Pro server is using a static IP address.  No, I don’t know all the technical details behind the IPv4/6 portion of this fix; I could have asked, and would have been very interested to find out the answer, but I didn’t feel like I had time for a several-hour conversation at the time.

Log in to your Printopia server and open the Terminal application and run the following command

networksetup -setv6off Ethernet

networksetup -setv6off EthernetLike the option says, this command turns off IPv6, which can’t be done through the GUI.  Next, open Printopia’s Advanced Settings.

Open Advanced Settings (command + comma)Under the General tab, there is a box to check that says “Publish printers using IPv4 addresses only.”  Uncheck this box if it’s checked.  Yes, that may seem counter-intuitive, but remember that you just turned off IPv6.

Picture of General tab under Advanced Settings with arrow pointing towards bottom-most checkbox with directions to uncheck that option.At this point, it’s worth making sure that printers are being advertised only over the Ethernet interface.  For each printer group, click “Settings…”

Picture indicating location of Settings button for printer groupand, under the Network Interfaces tab, select the bottom radio button and then select only your Ethernet interface.

Network Interface tab opened with only the Ethernet interface, en0, selected.Finally, for good measure, restart the Printopia service from the General tab.  Within a minute of applying these changes, we went from seeing four printers advertised over Printopia to seeing all seven printers that we were sharing.  You can check to make sure that the printers are being advertised over your network using the free Bonjour Browser application.

Bonjour Browser application window showing printers being advertised.So far, this solution has been totally stable for us, though it’s also recommended that you update your instance of Printopia Pro to the most recent release, 1.0.3.2, which can be downloaded here.

Advertisements

As part of studying for my CCNA Routing and Switching certification, I set up a home lab: a couple of old Cisco routers and a couple more switches, all second-hand from eBay.  Let me tell you, if you can afford to do that (my lab came in around $150 with cables and a couple interface cards), or if you can get your job to pay for your lab, there’s nothing quite like actual hands-on time with equipment (and in some ways it’s less hassle setting up real equipment than it is configuring GNS3 properly so it doesn’t eat all your memory).

But.

You may encounter an issue with used equipment.  My routers seemed not to hold their configuration between boots, no matter how many times I told it to copy run start.

It would appear that this isn’t that uncommon of a problem, though, and it’s an artifact of the way that eBay sellers wipe equipment before sending it out.

So, if your used router boots to the initial configuration dialog every time, check this out.

On boot, cancel the dialog and enter privileged mode, then run show start. If the startup configuration shown is the same as the configuration you were running when you last shut down your router, check the Configuration Register by running show version. The Configuration Register will probably show 0x2142, which means the router is bypassing the startup config that’s stored in NVRAM, something that’s often invoked during password-recovery.

Fixing this is easy. Enter global configuration mode (conf t) and type config-register 0x2102, then end (or ^Z if, like me, you’re lazy). Another sh ver should now report

Configuration register is 0x2142 (will be 0x2102 at next reload)

Now just reboot your router (reload) and you’re back in business.

Note: if this solution doesn’t work, well, I’m sorry.  For a lab environment, any lost configs are just another opportunity to practice, but if you’re using this equipment in a production environment, I hope that you’re backing up your configs.  If you’re not backing up your production router and switch configs, check out RANCID, the Really Awesome New Cisco confIg Differ.


Two Cisco 2950 switches mounted above two Cisco 2620 routers on an Ikea Lack table re-purposed as an equipment rack.Final note: if you’re looking to build your own CCNA practice lab, the setup I’m using is

2x Cisco Catalyst 2950 switches

2x Cisco 2620Xm routers (if you can, the 2621 and 2611 are better than the 2620 and 2610 because they have two built in fastethernet ports rather than only one).

Ten Internet Points™ to the first person who can tell me what I’ve done wrong in this picture.

image

For those of you with rack-mountable hardware (servers, network hardware, and even pro audio gear) who are still looking for a cheap, stylish, modular solution to mount it all, look no further; the Dutch have found the solution, and the solution is Swedish.

It turns out that the LACK side table from IKEA is perfectly sized to hold up to 8U worth of 19-inch rack-mount equipment, which is astounding when you consider that it comes in twelve colors and costs $10 (USD).  If you go on Amazon, Monoprice, or CDW, you’re going to pay a minimum of $50, and the color choices are black, black, or black.  The grey-turquoise LACK even looks like it would go well with the weird blue-green-grey plastic that Cisco uses for their bezels.

While the LACK is the cheapest option, it turns out that someone at IKEA really cares about people who use rack-mount equipment, since there are lots of other options for furniture with an internal spacing of 19 inches.

More information about the LACKRACK (including an IKEA-style manual for assembly) can be found at <http://lackrack.org>.

So our initial notifier messaged us when players were on our Minecraft server, but it always messaged us, even if we already knew there were players online.  That’s not brilliant.  Instead, let’s have the script create a little file that says there are players online.  The pseudo-code then would be:

if the .players file exists and isn’t empty
check if players are still online
if they aren’t, clear the .players file contents, otherwise do nothing
if the .players file doesn’t exist or is empty
check if players are online
if they are, write status to the .players file and message

In this case, the script ends up being a lot simpler-looking than the pseudo-code.

#!/bin/bash

if [ -s .players ]; then
lsof -iTCP:25565 -sTCP:ESTABLISHED > .players
else
lsof -iTCP:25565 -sTCP:ESTABLISHED > .players && echo "Players online" | /usr/bin/ssmtp email@domain.com
fi

Of course, this script will tell you when you log on to the server yourself, which you probably don’t need to know and might be annoying, but it’s getting there.

I like Minecraft, but sometimes, it can get a little dull just playing on my own.  Since I think setting up servers is fun, I set up a Minecraft server on an old Linux machine so I could play with my friends.  They’re on the other side of the country from me, though, so it can be hard to coordinate times to play when we’re all on.  So why not set up a little notifier to tell me when my friends are online?  If you’re running your Minecraft server on Linux, you can, too, with just a few minutes of work.

What you will need:

  • A Linux-based Minecraft server that you control (duh)
  • ssmtp (configuration instructions here)
  • lsof (should be installed on your system already)

The code is pretty straightforward if you just want to be pinged at some interval if there is anyone signed in to your Minecraft server.  If you want to only have it ping you if things have changed, that’ll be more complicated, and that’s not something I’m going to try to get into right now (because I haven’t written the spells yet).  Here’s the code:

lsof -iTCP:25565 -sTCP:ESTABLISHED && echo "Players online" | /usr/sbin/ssmtp email@address.com

Just pop that into your crontab to fire at whatever interval you’d like, and you’re good to go.  If you want to get fancy, you can even use the requisite sms/mms email gateway from this GitHub repo to have it text you when your friends are online, but maybe not if you’ve got it checking very often, since it will just keep firing off texts to you as long as there are players on your server.

Now the (quick) explanation.  lsof is a command that lists every open file on your system. Since in Linux, everything is a file, this includes network connections. The -iTCP:25565 flag indicates that you’re filtering only for network connections using TCP port 25565 (if your Minecraft server is running on an alternate port, you’ll need to change the port number accordingly). Finally, the -sTCP:ESTABLISHED flag tells it that you’re filtering only for connections with the status of “ESTABLISHED.”  If that command succeeds (the && part), then it’ll echo your notification through a pipe into ssmtp.

With all the net neutrality stuff circulating around, and in my position as netadmin/sysadmin at my school, I’ve started thinking about teaching a civics lesson on the subject.  I mean, I won’t, obviously, because I like my job, but that doesn’t stop me from thinking about it.

We have separate networks for students, teachers, and guests on campus, and which networks you can get on is dictated by what your MAC address is associated with in our RADIUS database.  Now, it wouldn’t be too difficult for me to set up a “Premium” student network, then throttle the bandwidth available to students on the standard student network.  Heck, with a bit of work, I could even block access to sites like facebook to those on the standard student network.  Then, I just ask that students who want access to the “Premium” student network just pay me $5 for the privilege.

The other reason I wouldn’t do this, obviously, is that I’m not a villain (and I don’t think there are many students, at least who are at or near voting age, who aren’t already for net neutrality).

If you’d like to make your voice heard, the Electronic Frontier Foundation (EFF) has put together a nice tool over at DearFCC.org to submit your thoughts on the public record about the FCC’s proposal.

Security: it’s hella important, yo.

I’m not going to try to get into all the technical details of Heartbleed–the OpenSSL team covers it a lot better than I probably ever could.  I’ll just say this: if you run a web server, and if you deal in any secure traffic, then do yourself and your users a favor and check to see if your version of OpenSSL is vulnerable to this MASSIVE security hole.  Various script-kiddies flocking together under the name of “Anonymous” are already gleefully distributing versions of the exploit code (which I have lots of opinions about, but now is a time for action, not for yelling about punks), but the exploit has been in the wild for two years now.

You can run your own tests on your servers, but the easiest way to get a little peace of mind is to run tests from here.

Do the responsible thing.  Keep the web safe for everyone.

After the revelatory nature of the information I shared earlier this week, I felt on top of the world, but that illusion quickly shattered when I attempted to upgrade some of our newest (but still autonomous) access points, only to have my tftp requests time out.  A quick ? showed me that I could instead use scp (which has made appearances on this blog before), but the syntax was left as a mystery to me.  I have finally found the syntax, though (hint: it’s not quite the same as the normal *nix command) and have had considerable success upgrading our remaining autonomous units with that method.

Whereas with tftp, you simply entered the server address followed by the path to the file (relative to the tftp server folder), the Cisco version of scp is a bit more complicated.  My main tripping point was discovering what the file path for the image being downloaded was relative to.  I assumed it would start at the root of the filesystem, / but instead the path is expressed relative to the home folder of the username specified.  I don’t know if using ../ will let you back out of your home folder, but it’s simple enough to copy the image to your home folder.  So, to use scp to download an image from your machine to a Cisco access point, you would use

archive download-sw /reload /overwrite scp://username@server/path/to/image.tar

where the image path is relative to the home folder of username.

That’s all.  Happy scp-ing!

A quick post today, but no less informative, I hope.

We just installed a brand new Cisco wireless controller, and that means converting our older, autonomous access points to lightweight mode so they can interface with the controller.  Cisco would like you to use their (Windows-based) tool, which I tried initially.  While it may be easier and faster in an ideal situation, those are so rare.  I looked around but couldn’t find a good text-based tutorial for doing the upgrade, but I did find some youtube videos, one of which brought me my solution.

Before you get started, you’ll want to collect a few things.  First, you’ll need a recovery image specific to your access point.  You can download the image you need from Cisco–you’ll want the recovery image, which will crucially contain the string “rcv” in its file name.  Download the image and move it to your tftp server root (if you’re using Ubuntu, there’s a good guide for setting up a tftp server here if you don’t already have one).  Don’t worry about extracting the tarball–the access point will handle that for you.

If you’re not upgrading your access points in place, you may also want a serial connection to the AP so you can watch its progress the whole time, but this is optional.  I use minicom for my serial terminal on Ubuntu, though you may already have a package you prefer.

Now that you’ve got everything in place, telnet (or ssh) into your access point (and enter enable mode, but not configure mode) and run the following:

archive download-sw /reload /overwrite tftp://(ip address of your tftp server)/(name of recovery image tarball)

After the access point finishes downloading the image, it should restart automatically, but if there are any unsaved changes lingering on the system, use reload to restart the switch.  The switch will reboot, and if you’re watching on your serial console, you should see the access point going through the process of loading the recovery image, contacting the controller, and then downloading a full image before finally restarting again and coming under full control.