Viewing Category: Hardware

DNS for Private Networks through pfSense

I bought a new router for my home office. It's a Celeron J1900 2.0 GHz, 4 x 1 Gbps Intel NICs, 4GB DDR3 RAM, 8GB mSATA SSD sold by Protectli and preloaded with pfSense 2.3. It's a solid product. You can pick one up at Amazon. This replaced an older single-board computer running pfSense one point something. My motivation was to get something I could use to establish a site-to-site IPSec VPN between my home office network and Amazon VPC. More on that later.

The trouble I had after the initial setup of the new router was in DNS response queries for things that have private network addresses (RFC 1918). I'll give you a practical example so you don't think it's crazy to have a public DNS server returning addresses for private networks: one of my Vagrant configurations has a lot of private addresses that I share with my engineering team. We use a public DNS server to hold our development IP addresses. This keeps them all consistent and nobody needs to hack on their /etc/hosts (or gods forbid, C:\WINDOWS\SYSTEM32\drivers\etc\hosts) file. Anyway, responses for these internal addresses weren't arriving when my workstation made a request for them using the pfSense Unbound configuration. They mention this in the documentation. The solution is simple:
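The behaviour described above is Unbound's DNS rebinding protection, which pfSense's DNS Resolver turns on by default: any answer that falls inside one of the resolver's private-address ranges is stripped from the reply unless the queried name sits under a configured private-domain. The following Python is an added illustration of that filtering rule, not code from the post or from pfSense or Unbound; the RFC 1918 ranges are the real ones, while the hostnames, addresses and the allowlist are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Optional

# The address blocks a rebinding-protected resolver refuses to return to
# clients. These are the RFC 1918 private ranges (Unbound lists them with
# its private-address option); loopback and link-local are left out here
# to keep the example focused on the symptom in the post.
PRIVATE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_private(addr: str) -> bool:
    """True if addr lies inside one of the protected ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def under_domain(name: str, domain: str) -> bool:
    """Case-insensitive 'name is domain or a subdomain of domain' check."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def filter_answers(qname: str, answers: Iterable[str],
                   private_domains: Optional[Iterable[str]] = None) -> List[str]:
    """Return the A records a rebinding-protected resolver would hand back.

    If qname is under an allowlisted private-domain, every record survives;
    otherwise records with private addresses are dropped. When every record
    is dropped the client simply sees no usable answer, which is exactly the
    'responses weren't arriving' symptom described in the post.
    """
    allowlist = list(private_domains or [])
    if any(under_domain(qname, d) for d in allowlist):
        return list(answers)
    return [a for a in answers if not is_private(a)]


if __name__ == "__main__":
    # Constructed sample: a development host published in public DNS with an
    # RFC 1918 address, first with no allowlist, then with its zone allowlisted.
    print(filter_answers("dev.example.com", ["10.1.2.3"]))
    print(filter_answers("dev.example.com", ["10.1.2.3"], ["example.com"]))
```

The allowlist is the important part: a blanket "disable rebinding protection" switch would let any public zone steer a browser on the LAN at internal addresses, whereas allowlisting only the zones you publish private addresses for keeps the protection for everything else.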

I'll write about setting up the VPN to AWS EC2 soon. Let me know if that seems interesting.

Running SpinRite on a Mac

I created a short screencast showing how to run SpinRite on the 750 GB SATA drive inside my MacBook Pro -- a conventional drive, not a SSD. It's available on YouTube. This blog post contains details and references.

I needed to repair some file system problems that couldn't be fixed with Drive Genius, which I've never had great luck using. I needed to pull out the big guns.

I bought a G-Drive Mini from the Apple Store in Pasadena. Normally, I'd order via Amazon, but I was in a hurry and was willing to pay the retail price. It's a 500 GB, FireWire 800, bus-powered 2.5" drive, running at 7200 RPM. I ran the OS X Mountain Lion installer from the App Store and created a new copy of the OS on the external drive. I then booted from that and installed VirtualBox 4.2.12. I started up iShowU HD Pro from the external drive so I could record the following steps.

First, I located the device name of the internal drive by running diskutil list, which lists the devices and their partitions and slices. In my case, the drive I needed to fix was at /dev/disk0.

As I read on a blog post while doing some research, it's necessary to change ownership of the device so the VM can read from it when it starts up:

sudo chown administrator /dev/disk0

That ownership change isn't permanent -- on the next reboot, it will be owned by root again.

I created a VirtualBox virtual machine for DOS. I disabled audio, network, and USB, although that's probably not necessary. I connected my copy of the SpinRite ISO image to a virtual CD/DVD device. I started up that VM, just to see if SpinRite would boot; yup, no problems so far. However, it doesn't have access to the hard drive. For that, it's necessary to create a raw disk descriptor file:

/Applications/ internalcommands createrawvmdk -filename /Users/administrator/VirtualBox\ VMs/SpinRite/raw-disk0.vmdk -rawdisk /dev/disk0

I then added the raw disk to the VM, but encountered a problem because the volume was currently mounted. I remember unmounting the volume shortly after booting, but I did it again so I could configure the VM. Then, as I was about to start it up, I got the same VERR_RESOURCE_BUSY error because something in the background kept mounting the volume. Maybe it was Spotlight or one of the utilities I use like Alfred. So, I unmounted it and quickly started up the VM. It booted normally and I was able to run SpinRite as usual. Because I was running it on the laptop's SATA interface, instead of trying to repair an external drive, it ran pretty quickly. I believe that iStat Menus showed a read rate of 45 Mb/sec. It only took a few hours to finish. It didn't find any troubled sectors, which is not uncommon if the drive's own controller repairs a problem that SpinRite has exposed. I booted up, but there were still some filesystem issues. Blargh.
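The steps above (change ownership of the device node, generate the raw-disk descriptor, then unmount and start the VM before something remounts the volume) are easy to lose a race on, as the VERR_RESOURCE_BUSY error shows. Here is an added Python wrapper, not code from the post or from VirtualBox, that scripts the sequence and retries the unmount-then-start pair until the VM actually starts. It assumes VBoxManage is on PATH (the post calls it through its full path inside VirtualBox.app), that the VM is named SpinRite, and that the descriptor lives in the VM's folder; the commands are passed through a runner function so the logic can be exercised without touching real disks.

```python
import subprocess
import time
from typing import Callable, List, Sequence

# A runner takes an argv list and returns the command's exit status. The real
# one shells out; a fake one can be substituted for dry runs.
Runner = Callable[[Sequence[str]], int]


def shell_runner(argv: Sequence[str]) -> int:
    """Execute argv and return its exit status."""
    return subprocess.run(list(argv)).returncode


def raw_vmdk_command(disk: str, vmdk_path: str, vbox: str = "VBoxManage") -> List[str]:
    """Build the VBoxManage invocation that writes a raw-disk descriptor."""
    return [vbox, "internalcommands", "createrawvmdk",
            "-filename", vmdk_path, "-rawdisk", disk]


def prepare_raw_disk(disk: str, user: str, vmdk_path: str,
                     run: Runner = shell_runner, vbox: str = "VBoxManage") -> None:
    """Give `user` ownership of the device node, then create the descriptor.

    The chown is not persistent (root owns the node again after a reboot),
    so this is rerun each time rather than remembered.
    """
    if run(["sudo", "chown", user, disk]) != 0:
        raise RuntimeError("chown of %s failed" % disk)
    if run(raw_vmdk_command(disk, vmdk_path, vbox)) != 0:
        raise RuntimeError("createrawvmdk failed for %s" % disk)


def start_vm_with_raw_disk(disk: str, vm: str, run: Runner = shell_runner,
                           attempts: int = 5, delay: float = 0.5,
                           vbox: str = "VBoxManage") -> int:
    """Unmount the disk and immediately start the VM; retry if the start fails.

    A background process (Spotlight, a menu-bar utility) can remount the
    volume between the two commands, which is what produces
    VERR_RESOURCE_BUSY. Returns the attempt number that succeeded.
    """
    for attempt in range(1, attempts + 1):
        run(["diskutil", "unmountDisk", disk])   # force nothing; a clean unmount
        if run([vbox, "startvm", vm]) == 0:
            return attempt
        time.sleep(delay)
    raise RuntimeError("VM %s did not start after %d attempts; disk %s stays busy"
                       % (vm, attempts, disk))


if __name__ == "__main__":
    # Assumed values from the post's setup; adjust for your own machine.
    DISK = "/dev/disk0"
    VMDK = "/Users/administrator/VirtualBox VMs/SpinRite/raw-disk0.vmdk"
    prepare_raw_disk(DISK, "administrator", VMDK)
    print("started on attempt", start_vm_with_raw_disk(DISK, "SpinRite"))
```

Handing the whole physical disk to a VM means the guest writes to it directly, so the volume must stay unmounted on the host for the entire run; the retry loop only covers the start-up race, not a remount that happens later.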

To finally fix the problem, I took a full backup using SuperDuper! and restored back to the internal drive after wiping it clean. Bingo. Everything is running as it should now.

External SATA Drive Dock

I recently purchased a Vantec NexStar eSATA/USB dock for 3.5" and 2.5" drives. It's connected to Mac Pro with a PCI Express SATA II adapter with two eSATA ports and a 6' eSATA cable. The drive dock comes with USB and eSATA cables, but they're only 3' long — that's not long enough. I used the USB connector on the dock before the eSATA card was installed. It works as expected, but the performance of the external SATA is worth the effort to install the card.

The Mac Pro Quad-Core Intel Xeon 2.8 GHz (early 2008) has 4 PCI slots (two 16x and two 4x). The eSATA card must be installed in one of the 4x slots. I understand that the Mac Pro has two available SATA ports, but I didn't research the connector kits to expose those to external drives. The card I received was manufactured by Best Connectivity and uses a Silicon Image SiI3132 controller chip. A driver CD is included, however my SOP is to download the current version. In this case, the drivers are provided directly by the Silicon Image support page. Before purchasing the card, I did a bit of Googling to make sure it worked with Mac OS X 10.5. The results weren't totally convincing, but I decided to give it a try. The driver installs a kernel driver clearly marked:

nikki:Desktop joseph$ kextstat | grep -i sil
53 0 0x86782000 0x14000 0x13000 com.SiliconImage.driver.Si3132 (1.1.9) <52 17 12>

The adapter card and dock are working well now. The transfer speed is very good, and it's really convenient to swap drives so easily. Of course, the drive gets warm without active cooling, but it's only meant for temporary use. I need a solution for indexing drives to make locating files contained on offline drives easier.

MacBook Pro Hard Drive Repair

The hard drive in a friend's MacBook Pro (MacBookPro1,2) was causing I/O errors in the console log for the disk0s02 device. I suggested connecting the 120 Gb SATA 2.5" drive to a PC on my bench and running SpinRite to correct the issues, if possible. The SATA data and power connectors are the same on the laptop-sized drives as the 3.5" desktop form, so no adapter is needed as was the case for the old 2.5" IDE drives. Getting the drive out of the laptop is fairly involved. Other World Computing has a great instructional video that exactly matched this particular MacBook Pro.

SpinRite ran for about 12 hours, and found some sectors with unrecoverable data. The SMART data shows that the drive is doing error correction like crazy to preserve the data integrity. When the drive hit the bad portion of the disk, it would just stall and block all I/O, so hopefully SpinRite remapped those sectors.

[Screenshots: SpinRite Config, SpinRite Working, SpinRite Summary, SpinRite Error Sector, SpinRite Error Counts]

This laptop hadn't been burning DVDs successfully prior to this hard drive repair. After putting it back together, I tried a burn; it worked perfectly. I'm thinking that the drive halted on the bad portion of the media until the burn had a buffer underrun. It's working well now, but I think the best course of action would be to juice it up with a new Seagate Momentus (7200 RPM, 500 Gb, 16 Mb) drive.

Workstation Satisfaction

My current workstation is a Mac Pro (2 x 2.8 GHz Quad-Core Intel Xeon, 10 Gb 800 MHz DDR2-FB) with dual 22" displays. Until recently, I had been using the single SATA drive that came with the machine. I don't trust any system that doesn't have redundant storage of some sort. Finally, last weekend I corrected the situation by adding three 250 Gb SATA drives. Incidentally, it takes about 45 seconds to add a drive to the Mac Pro chassis -- what a beautiful machine. I moved the stock 320 Gb drive to the last drive bay. With SoftRAID, I created a RAID-1 mirror plus a spare. I moved the data from the original drive to the new mirror with SuperDuper!. I reinitialized the old drive, and turned it into a Time Machine volume. It would have been cool to create a RAID-5 device, but SoftRAID 3.x doesn't support that. My system has all sorts of CPU power to waste on a software stripe. Then again, a mirror is dead simple. I would use a different set of spindles for scratch space in Final Cut, obviously.

I still need to figure out a better solution for preventing all my virtual machine images from filling up the Time Machine archives. The virtual disks are split into 2 Gb pieces, so hopefully the timestamps aren't all changed when running; that's probably wishful thinking. Maybe I should exclude the VMs from Time Machine, and use a periodic copy of the important ones to another location.

New Firewall, Less Power

For the past couple years, I've been using the Astaro Security Gateway Linux product for a firewall and router. It worked very well, and the software has more features than I'd ever think about using. However, the machine I was using was an old 4U rack server filled with NICs. It probably burned 200 watts being alive. Next to the firewall was a dedicated 1U server providing DNS and DHCP service to the LAN -- another 100 watts at least.

In an effort to reduce the amount of juice that my server room sucks up, I started looking for an open source firewall solution that would run on a low-power embedded PC. It also had to provide custom DNS and DHCP service for the network. I went with pfSense -- a fork of m0n0wall, based on a very lightweight distribution of FreeBSD. To test the software, I put it on a spare beige box. After booting the Live CD, I configured the system to replace the Astaro Security Gateway. I also set up DNS and DHCP with all the MAC addresses of my network devices. Everything works very well.

I looked around for a single-board PC to use as the replacement hardware. I selected a Netgate m1n1wall 3E 2C1, based on the ALIX.2C1 system board. It has no moving parts, and consumes about 6 watts at peak CPU activity. It will sit right next to my DSL modem in the premise wiring rack.

My Southern California Edison rate for power (transmission + generation) is about 18 cents per kilowatt-hour. If I shave roughly 300 watts off my 24/7 usage, I'll save about $39 a month. Not too shabby.

24 hours * 30 days * $0.18 per kWh * 0.3 kWh = $38.88

So, in less than six months, the cost of the new router hardware will have been saved by not running the two conventional servers.