Blog Archives

FIOS Update

So now that I’ve had FIOS for several months, I thought I would post an update. Here are my observations so far…

1. I love the ActionTec wireless router that comes with the service. It is a very flexible and fully featured with a firewall, MAC address filtering, port forwarding, and more. I took a little while to adjust to the settings on the router, as you have to click save in more than once place for your settings to be saved and applied, which is a little different, but once you figure out the little neuances of the router, you are good to go! It will do anything and everything I need and more.

2. My only gripe so far, is something that happened when my IP address changed. I had the service for probably over 2 months before my IP changed for the first time. When it did change, my home network lost internet connectivity and my dynamic DNS client was unable to connect to the internet to update my IP. This caused several hours of outage for my home e-mail and internet connectivity. I have not yet had another IP change, so I’m hoping the first time was just a fluke. (NOTE: This won’t be an issue for most people, unless you run DNS for accessing services on your home network like I do).

3. The speeds are consistent and fast, every time I run the Verizon speed test, it comes out over 20MBps down, and nearly 5MBps up, with only slight variations. The bandwidth is exceptional, very fast, and reliable. I have had not real service outages at all and am very pleased with the quality of service I am receiving.

4. In order to optomize the speed your computer will see on the FIOS network, it may be necessary to run the FIOS connection optomizer. This basically changes some TCP/IP settings in the registry to optomize throughput on the FIOS system. These are the same type of settings people have been adjusting since the internet was created, I’ve done it with dialup before, and this is just the most modern way to optomize the connection. Its no big deal, but you will see lower than advertized speeds unless you run the optimizer.

5. The price of the service is comperable to service with other providers in the area, but the speeds are much faster without increasing the cost of the service.

I am overall very pleased with Verizon FIOS service. I highly recommend it to anyone currently using a cable provider. I’ve been a cable user for years, and took a long time to make the decision to switch. I am happy that I did, and will never go back to cable. I would also point out that Verizon offers a 30 day money back guarantee, so you can always give it a try and test it out to see what you think. You can cancel at the service if you don’t want to keep it. Plus then your home will be wired for the service should you decide to use it again in the future.

Stuff just happens

Today, I found another example of something I hate. Nothing bugs me more than finding a problem that should have been an issue all along, but things were working fine until for no particular reason, the problem shows it ugly little head. Specifically, today, I discovered that certain messages sent to our domain (at work), were being bounced with a 552 error code (Exceeded storage allocation). I found this particularly frustrating since I know we don’t set any specific size limits, other than a global limit of 10-15MB. The spam server is an SMTP proxy and we use watchguard fireboxes with an SMTP Proxy. I did some searching online and found that there may be an issue with the watchguard firebox in relation to an RFC for SMTP:

The RFC for SMTP explicitly states that the length of a single unterminated line can be no more than 1000 bytes. Sometimes email is rejected at the firewall for this reason because by default it will drop the connection when an unterminated line length exceeds 1000 bytes.

So now it appears the culprit for the issue is our firebox, which boggles my mind, because we’ve used it forever and just recently started having this problem. I hate when stuff just breaks for no particular reason and has worked in the past just fine for years. I am also checking our our spam software support team, to make sure their software when acting as an SMTP proxy, won’t be vulnerable to the same type of thing. Hopefully there is an easy fix for our firebox and we won’t have any more trouble. I’ve read several other newsgroup posts that indicate the firebox as the cause of the problem. Although the actual cause is some mis-configuration of the senders mail system, (typically), the firebox is doing the disconnecting.

Another problem with McAfee mini-firewall

Yet again, I’ve run into a problem with the McAfee mini firewall component of the viruscan suite 8.0i. This time it has to do with email over SMTP. At my company we use I Hate Spam from sunbelt software as our SPAM filtering engine. We have a separate server running this IHS software as a gateway for incoming e-mail. Well, suddenly we started having problems receiving mail from IHS, it would queue at the IHS server, but would never get delivered to the exchange server. After a few days of diagnosis it was discovered that the McAfee mini-firewall was blocking the smtpsvc.exe and marking it as a worm. We had to add an exception for this service in McAfee to avoid having SMTP traffic stopped. This was a major pain and caused hours of downtime in my company for incoming e-mail. Makes me wish we were using Symantec rather than McAfee (which is my personal preference anyway).

McAfee mini-firewall issue

I had a server a few weeks ago that suddenly started experiencing blue screens of death for no aparent reason. It tooks a week or troubleshooting and digging to finally determine from a crash dump file, that the cause of the issue was the mini firewall component of McAfee viruscan 8.0i. I was able to disable the component in the registry and havn’t had a problem since. This server was an Iomega NAS p435m. So FYI – if anyone has any similar unexplained problems, check the mini firewall in McAfee, as it may be the cause, although in our case it took a memory dump file analysis to find out the cause.

Home Network – Part 3

Microsoft Active Directory:
My home network is built on Microsoft’s Active Directory. I use active directory to organize my user accounts (all two of them), my computer and group policies. With group policies I can set common variables for all my workstations, servers, etc. This way I don’t have to hand configure everything, its all automatic. Group Policies are a great way to manage your network workstations or servers. There are other solutions here, some people like to run Linux at home, and I’ll admit, I do too from time to time. I love linux, but there are still too many apps I use that require Windows. From time to time I demo some of the latest Linux distributions and try things out. I think its great, and if I had a 4th computer to run it on, I’d probably run a linux server or desktop as well. Some people like novell, some people like MAC, its up to you. This is just how I am doing thing. I have group policies set to add customization to my desktop mainly. Things like a browser title, automatic update settings, common software distribution, etc.

Domains, e-mail and more:
I guess I can’t go much further without explaining how I also do my domain names and websites. I’ll write more about this topic later on as a how to and what you should know for getting your own domain and website. But for now, I’ll keep it simple. I own several domain names which I use for various purposes. I have one domain that is for all my server equipment, like my hosting server that hosts my website and some other websites I host for people (for free unfortunately). These servers are in a data center and I simply “rent” the server from them on a month to month basis because its cheap and does what I want it to do. Plus they take care of maintenance and problems. Then I have a primary domain name I used to use for my hosting company’s website. The backend server domain ended with a .net and the primary domain is a .com. These extensions can be anything you like, but I stuck with a traditional format. Then I have a third domain for my personal website which is mainly for my family and my blog, etc. Here is where the bulk of my incoming and ougoing e-mail comes from, the other two domains are mainly for servers and a now closed hosting company. I do have some other domains, but don’t really used them yet. I’ll be expanding that later on as well.

E-mail:
So now you know I have a shared hosting server which hosts my websites and most functions of my domain names. Now when it comes to e-mail, you’d naturally assume this server also handled mail for my domains as well right? If you said yes, you’d be wrong. I’m using a service called Rollernet which is a mail forwarding service. Since my ISP restricts incoming traffic on port 25, it was necessary to setup SMTP on a non-custom port. However, this causes a problem because when someone on the internet sends me an e-mail, most mail servers only send mail on port 25. So if I’m running SMTP on a non-custom port, how do I get my mail? Here is how. Rollernet’s servers are listed as the MX records for my domains. This means, that when you send me an e-mail, its actually received on port 25 by rollernet. They take the mail, queue it, do some scans on it for viruses, spam etc, then they forward that mail to my home mail server on a custom SMTP port. Of course I have this port setup in my cable modem and firewall to allow it to be forwarded to my mail server which resided on my LAN. Now here is the complicated part. My home mail server received mail on a custom SMTP port and is received by NoSpamToday, which is my SMTP level SPAM filter. NoSpamToday (NST for short), filters for SPAM, viruses etc, and basically makes sure that the message is valid before it allows it in to my mailbox. Now NST is not a mail server, its just a SMTP server, so another component is needed here, thats where 602 Lan Suite (LS for short) comes in. NST received a message for me on a custom SMTP port. Once it makes sure that the message is valid, it then forwards that message to 602LS which receives the message on the standard SMTP Port 25. 602LS receives the message and performes a few checks of its own, like scanning it again for viruses, doing aother SPAM check and finally delivering it to my mailbox. 602LS also has a built in webmail server, so I can check my webmail from anywhere in the world. This is also where port forwarding comes in as the ports for webmail need to be setup to route to my home mail server from the outsite. Using my public DNS zone, I can add a record for webmail to my domain, so I can go to http://webamil.mydomain.com/mail and get to my web interface. This way I don’t have to use DynDNS or any of those services, since my public IP on my cable modem rarely changes. Now if it were to change, I’d have to manually update that in my DNS zone. So watch out for that if your using this scenario. I am aware of it and know what to do, so for me its not a big deal, but if your new to this, don’t set this up and wonder why it breaks 9 months later. Keep an eye on your public IP.

Lets now talk about outgoing mail. I don’t know if your like me, but I find myself in situations at work and abroad where I find that my company network or hotel network restricts SMTP servers to their own servers and won’t let you send mail using your own SMTP configuration. For example, at work I run a simple server monitor that sends alerts. But my company has a firewall in place that limits outgoing SMTP traffic on port 25. Now I bet your wondering where the SMTP component from IIS comes in to the picture from my previous post. Here it is. I am running IIS on my mail server but only the SMPT component. So I setup Microsoft’s SMTP service to listen on a custom port (different from my incoming SMTP port for normal e-mail from Rollernet). This way, I can setup my monitoring server to use my custom SMTP server at home to send the alerts. So in my situation, my monitor program detects a problem with a server in my office, it sends an alert to my home mail server on a custom SMTP port. My SMTP server then relays that message to my shared hosting server which then sends it to the desired recipient on a standard SMTP port. This way, I can use SMTP wherever I am, still get my messages or alerts sent and accomplish my tasks. This custom SMTP service is protected by a username and password and relaying with it is denied. Relaying on NST is also forbidden. Ok, so how about my home PC? Ok, simple, we use outlook on our home PC, so outlook is setup to send/receive mail from 602LS through POP3 and standard SMTP. We send a message from outlook, it is received by my home mail server on port 25, which then forwards that mail to my shared hosting server. Some ISPs also restrict outgoing SMTP traffic, so here you may need to setup a custom port on your public SMTP server and configure your mail server to send all outgoing mail over a “SmartHost” or custom SMTP configuration. My shared hosting server then delivers the mail over standard SMTP to the recipient’s mail server.

So in summary, yes this is a complicated setup, and no it may not be for everyone. But I will say this, there is a degree of pride that goes into setting soemthing like this up. Now I’m a Microsoft Engineer, so I’ve been doing networking for a long time. No this is not the way to go about setting up a business or large company. Obviously I’d recommend using Exchange or more powerful mail servers and betters ISP connections. But if your a techie and want to setup a really cool home network, this guide might just help point you in the right direction.

Other Services:
Lets talk remote access. So how do I manage this home network when I’m not home. Easy, RDP. There are lots of people around that don’t like RDP, its not very secure, and has its issues like any other software or technology. For me however, its perfect. I simply forward port 3389 from my cable modem to my firewall and from my firewall to my PC, I can remotely manage any machine on my home network. Now I took it a step further, and actually setup a custom RDP port on my other machines, like my servers and second desktop. This has the advantage of being easy to individually RDP into any machine on my home network without first having to remote into my home pc and then into another machine. In conjunction with DNS for easy naming, its a snap. All you need to remember is the custom port number for each machine. I only have a few so its no big deal, if you have many machines I’d recommend finding a better way, such as VPN. Through RDP I can remote control, and virtually manage any server or desktop on my home network.

Web management: I also use a program called Remotely Anywhere (www.remotelyanywhere.com). Its a great application that runs as a service on Windows. With it, you can remote control, Transfer files, totally manage all aspects of the machine right from a web browser. Its very robust and powerful, with tons of additional features too numberous to mention. Its one of the best web based remote control/management solutions I know of. This can also be setup on a custom port, so it will need port forwarding configured for it as well.

FTP: I used to have a NAS server with FTP setup so I could FTP directly to my RAID5 storage device. Now that its gone, I don’t really use FTP anymore so I removed it. I use an FTP site on my shared hosting server temporarily if I ever need to send anything through FTP. I can grab it from home later.

Internet Access: Because my cable modem and firewall do NAT, its very easy to provide for internet access to my workstations and servers on my home network. The firewall is the gateway on my network, and Microsof’t DNS handles all DNS related operations on my network. My DNS server is configured to forward all requests for external host names to my ISP’s DNS server. It then caches the results and can reply much faster to any requests my workstations or servers make. Internet access is basically a simple NAT solution provided by my firewall and cable modem.

Points of Failure:
With a system like this there are other considerations that need to be taken into account. Amoung them are power, redundancy, damage, replacement, etc. For example, if my power goes out what happens. Well for me I have my critical equipment on a UPS. Since this is a home network and not a critical system, the UPS will keep my servers and internet connection up and running for 5 minutes. This should be sufficient as long as the power isn’t out for long, which is isn’t usually. What if my firewall or cable modem goes bad. Well then I have a problem, as with my ISP I have to have them come and activate a new cable modem. So I’d first have to buy a replacement and then have them install it. This can be done usually by the next day. So what if my mail server or other network equipment is damaged. Well, for mail, if my home mail server becomes unavailable, mail will queue at rollernet, so I won’t loose any e-mail. I can even redirect that mail to my shared hosting server if I wanted to so I could get to it. If some of my network gear fails, it will obviously need to be replaced. I’d try to repalce it with exactly the same modem so that if it had a configuration with it, I could easily restore a backup config file to immediately get my network back up and running.

Security: What about security, how secure is this setup? Very secure. Even considering I have ports forwarded into my LAN from the outside. This often makes security experts very nervous and for good reason, but again, this is not the NSA, I don’t have anything on my home network worth anything to anyone but me. That is not an excuse for having bad security. First, I have a double NAT solution, so even if someone could hack in past my cable modem, they couldn’t get further than my firewall. If they could get past my firewall by some miracle, they would not be able to access anything on my network, since all network traffic between workstations and server is encrypted through Kerberos. The worst they could do if map out my network and find my IP addresses. DOS attacks are also a possability, but there isn’t much that can be done about that anyway. Again, I’m not saying good security isn’t important, and the measures I’ve taken are sufficient for my needs. Please don’t think I’m advocating bad security measures.

Thanks for taking time to read this post, I know it was long. Keep an eye out for more tech posts in the near future. I’ll also post some images giving you a visual of how all this works. Here is a simple visual aid of what I’m talking about above.]]>

Home Network – Part 1

1. First, lets talk basics. Connection type for example. I’m using a cable modem connection to the internet at home from Bright House Networks (RoadRunner). I only have a 5MB down and typically 45kbs up. I’m planning on upgrading this soon to 10MB down and 1MB up. Speed here is important, because getting into your home network is fast, incoming speed (download speed) is the fastest. So if your sending your home server a file or receiving a large e-mail attachment, your going to need that faster bandwidth. Upload speed is equally important, because any mail you send out of your home network or file your uploading are going to be slower due to upload speed restrictions from your ISP. I highly recommend getting the faster upload speeds if your going to attempt anything remotely similar to what I’m about to explain to you.

Hardware:
Cable Modem – Motorola SBG900 (previously used SBG1000)
Firewall/router – Netgear Prosafe firewall/router (not wireless)
Wireless AP – Intel 802.11G Access Point
Dell 16 port switch

The cable modem is your gateway to the internet. If your like me, your cable modem uses NAT (Network Address Translation), and has a built in switch. This is useful because you can directly connect your various devices to your cable modem if you wish and not need to purchase a standalone router to share your internet connection. Note: your standard ISP cable modem probably won’t have this feature. Also, if you use the USB cable to connect to the internet, none of what I’m about to write about will work for you. You must go ethernet if this is to work. Plus, USP doesn’t use NAT (typically), you will end up getting the public IP of your cable modem if you go that route. This will open up your PC to attack from the outside and is not secure.

What I do:
I have a variation of a DMZ setup on my home network. My cable modem has a switch so I can use it to connect any devices I don’t care about and easily want to make accessible to the internet. One of those ports (I have 4), goes into the internet interface of my netgear firewall/router. So to the firewall, my cable modem is the gateway to the internet. I let DHCP give the firewall/router’s public (internet) interface its IP address. You can set this to static if you want, but if you get a firmware upgrade or your cable modem gets an update, your likely going to loose any port forwarding entries or custom setup, so using DHCP will save you time later, and keep your home internet connection from breaking. (I’ll tell you a story about this later). Now the firewall/router also has a LAN ethernet interface, so I have a cable (cat5 ethernet), going to a 16 port switch for other devices to connect to. In my cable modem, I setup all the outside services I want to have available to forward those ports to my firewall/routers internet interface. This is still a private address (non-routable), but will still work as intended. So the cable modem is listening on various ports for various services I have running on my home network accessible via my cable modem’s public IP address. When the cable modem received traffic on a particular port, it has a port forwarding entry that says, “ok, you ware coming in on this port, you go to the firewall”. The firewall is sitting there listening for those same ports, and has various rules setup to deal with traffic on different ports. So when traffic comes from the cable modem on a particular port, the firewall says “Ok, your coming from someone I trust (the cable modem), on a port I know about, and this port is supposed to go to this IP address on the LAN. The firewall then forwards that traffic to the server/device or PC on my LAN that I want it to go to. Port forwarding is key here, so first you setup port forwarders in your cable modem to forward to your firewall. The firewall then needs to have rules setup for the ports you want to use, specifying which internal (LAN) host you want the ports forwarded to. Examples of ports to forward are POP3 for e-mail, SMTP (although usually must be on a non-standard port), etc.

Now for wireless connectivity, my cable modem does support 802.11G wireless access, but it would be access to my DMZ, which is not helpful to me because the things I want to access when using my wireless are on my LAN. Now I could setup more security and custom routes, to make this work, but its much easier to just throw an 802.11G access point into the mix and set it up on your LAN. This way you get access to only the network you want access to. I also don’t typically encrypt my traffic using wireless only because I’m not doing anything secure or sending authentication or password traffic in the mix. Typically its good to add encryption to your wireless traffic. I use MAC address filtering to allow only wireless devices I know about access to my LAN. This in itself can be forged and hacked, so be careful when setting up security on your wireless network. Don’t just go buy a wireless Access Point and throw it in your LAN without configuring it. It will grant access to anyone with a wireless device to your network resources.

Ok, so thats the nuts and bolts of what I’m using for hardware and a touch of networking on my home network. Next we’ll talk about server, software and services.]]>

Home Network – Mail setup change

1. Changed MX records for my two main public domain names to route mail only to my mail redirection service’s mail servers.

2. Installed noSPAMtoday on sisko and configured to listen on my custom port (the port the SMTP redirection service uses to send mail to my home mail server).

3. Changed 602 LAN Suite to listen for SMTP on port 25.

4. Configure noSPAMtoday to send good mail to 602LS on port 25. So it now acts as a true SPAM Proxy.

Using this new configuration, I’m no longer accepting mail directly on my shared hosting server. Mail now gets routed to my SMTP redirection service. Mail gets queued on their servers and then sent directly to my home mail server (Sisko) on a custom SMTP port. NoSPAMToday is installed on Sisko listening on that custom SMTP port which if forwarded into my LAN from my firewall. NoSPAMToday does RBL checks, basyian checks, and various other checks for SPAM Messages. Right now I have it set to reject/deliver, so it still sends a bounce message to the SPAM sender, but goes ahead and delivers the message to me anyway. I’m going to leave it setup like this for a week or to in order to ensure that I have everyone I receive mail from either on my whitelist, or ensure NoSPAMtoday does not mark them as SPAM. Once I’m happy with the results, I’ll switch modes to reject/delete so I won’t even see messages it considers SPAM anymore. I’ll only receive valid wanted email.

Once a message is validated by NoSPAMtoday, it then gets sent through normal SMTP on port 25 to sisko on the internal LAN. 602 LAN Suite then accepts the mail and delivers to the appropriate mailbox. Right now it accepts mail for my two main E-mail addresses, and for Liz. The free version of NoSPAMToday is free for non-commercial use for up to 10 E-mail addresses.

Once 602 LS has my mail, I can download them with POP3 or use its built in webmail application. I usually stick with POP3 since my company uses fatpipe technology which causes a problem with my originating IP address, making webmail inaccessible since my public IP address changes at any given time. 602 LS is configured on its own internal domain and has a default masquerade domain of my main public domain name. User accounts in 602 LS are standalone user accounts, and are not physically related to my public domains. When we send mail, the identity information in our outlook profiles handles the E-mail addressing and name information. 602 LS is then configured to send mail out using my shared hosting server, but can be configured to send directly to the recipient mail server should the hosting server go down. My SMTP redirection service has two physical servers on different subnets served by multiple ISPs, so its unlikely that I’ll ever loose any E-mail. Even if sisko goes down, mail will spool at my redirection service.

Pretty cool stuff! Maybe overkill for a 2-3 user home network??
]]>