The number of network devices in our house has increased significantly recently. With two Apple TVs, a wii, iPad, two iPhones, a Kindle, an xbox, two laptops, a desktop and a nettop, my creaky old AirPort Extreme was struggling to cope, particularly streaming media across the network. I also need to bridge two sections of wired network and as I need to reach the work network from several devices at home, I wanted to share a VPN connection into the office. All of this took some figuring out and some heavy googling, so in the interests of helping out anyone with a similar problem, here’s what I did.

Network Layout

Hardware Requirements

• A simultaneous dual-band wireless-n router at the gateway
• A normal dual-band wireless-n router to bridge to the LAN
• Gigabit switches at both ends
• dd-wrt support on both devices (PPTP support at the gateway, and bridging or WDS at the LAN)
• Same chipset on both routers for compatability

I ended up with a Cisco Linksys WRT610n for the gateway router, and a Cisco Linksys WRT320n for the LAN bridge. Both second-hand/refurbished models from eBay. Total cost £80.

Gateway Configuration

1. Flash the WRT610n with dd-wrt.
2. Create two wireless networks. The 2.4GHz carries 802.11b/g/n for maximum compability. The 5GHz carries 802.11n for maximum bandwidth.
3. Add a virtual interface to the 5GHz network with its own SSID to carry the inter-router link.
4. Set WPA2 AES encryption on all networks with pre-shared key.
5. Connect to the cable modem, reboot and check that internet connection is established by connecting with the iPad to each of the wireless networks in turn and web surfing.

LAN Bridge Configuration

I wanted to use WDS to link the two routers but I ran into some problems. I could establish a connection, but the link bandwidth fluctuated significantly, and I also couldn’t get PPTP traffic to tunnel successfully. Data transfer over the VPN stalled for larger packets. This is a classic symptom of incorrect network MTU but despite resorting to packet sniffing, I couldn’t get this working properly. I ended up using dd-wrt Repeater Bridge mode which solved these problems straight away. The steps were:

1. Flash the WRT320n with dd-wrt.
2. Disable the WAN connection and give the router a static IP address (192.168.1.2) with the gateway router’s IP as the gateway address.
3. In “Advanced Routing”, set the Operating Mode to “Router”.
4. In Wireless Basic Settings, set the Wireless Mode to “Repeater Bridge”, and the Wireless Network Mode to “N-Only (5 GHz). Give it the same SSID as the inter-router link in step 3 of “Gateway Configuration”
5. Add the appropriate Security Mode, WPA Algorithm and WPA Shared Key in the “Wireless Security” section.
6. Under “Services -> Services”, Disable DNSMasq (which turns off the DNS and DHCP servers).
7. Reboot, connect the desktop PC to the gigabit switch on the bridge router, check it picks up an IP address from the gateway DHCP server and that it can reach the internet.

At this point, I added the rest of the wireless and wired devices to the network and checked that things were working properly. AirPlay working from an iPhone to one of the Apple TVs, streaming audio and video from the PC to the TVs and download content from the internet were all evidence that dd-wrt was correctly bridging between the different networks and things were behaving properly.

The final stage was the VPN, and this is where information online started to run a bit thin.

DD-WRT, PPTP VPN, routing DNS queries correctly and handling unqualified hostnames

The requirements for the VPN connection were:

1. The gateway router establishes the VPN connection and handles routing.
2. Only work traffic crosses the VPN – everything else gets routed straight to the Internet.
3. Home LAN access to the work LAN is NATted to remove the need to add routes back to the home LAN.
4. Unqualified hostnames are in use both on the host LAN and on the work network.
5. DNS resolution for the work domain should be handled by the work internal DNS servers; DNS resolution for the home LAN should be handled locally; everything else gets handled by my ISP’s DNS servers.
6. All LAN client configuration is done via DHCP, so that all devices including the iPhones and iPad will work immediate on connection.

Steps 1 to 3 are straightforward:

1. On the Gateway router, under Services->VPN, enable the PPTP Client.
2. Use the IP address rather than the DNS name for the server – this will not change frequently, and makes DNS configuration more straightforward.
3. Configure the remote Subnet and Subnet Mask as appropriate – my work uses an RFC1918 Class A address space.
4. I changed the MPPE Encryption settings to “mppe required,no40,no56,stateless”. This was in the middle of my “trial and error” phase of trying to troubleshoot WDS – it might not therefore be necessary but if it works, it won’t hurt!
5. Leave MRU and MTU as the defaults. Enable NAT and complete the User Name and Password fields as appropriate. NB if this is authenticating against a Windows domain, you need to put username in the form DOMAIN\\username.
6. Hit “Apply Settings”. Reboot the router.

If all is well, you should now be able to ping IP addresses of machines on your work network from client machines on the home LAN. traceroute should also show that this traffic is being carried across the VPN, where traceroute to www.bbc.co.uk goes via your gateway and across your ISP’s networks in several hops.

Next step is to confirm that you can reach your work DNS servers. Ping them first, and then attempt a hostname lookup: our intranet server is called “intranet” so “nslookup intranet <WORK DNS IP>” should return the correct IP address. To complete requirements 4-6, we need to use the dd-wrt DNS/DHCP server DNSMasq to manage home LAN DNS registrations, pass off work DNS queries to the work servers over the VPN, to send the rest to the ISP and to send appropriate search domain information to all LAN DHCP clients so unqualified hostname resolution will still work. I have to admit that these settings were reached through some trial and error so there could be a better way of doing this. But at least this works:

1. In “Services->Services”, under “Services Management” “DHCP Server”, add a local value to LAN Domain. I use “marlow.org.uk” here. This will be added to the hostnames of your LAN devices while they’re on the home network to give them an FQDN.
2. DNSMaq should already be enabled, but you should enable “Local DNS” and disable “No DNS Rebind”.
3. In “Additional DNSMasq Options”, add the following (changing the bits in red):

   dhcp-option=15,"workdomain.com homelandomain.org.uk"
   strict-order
   no-resolv
   no-poll
   server=/workdomain.com/ipaddressofworkdnsserver
   server=yourispprimarydnsip
   server=youridpsecondarydnsip

4. Hit “Apply Settings”
5. Renew the DHCP lease of one of your home LAN clients and check that DNS resolution is behaving as expected by pinging www.bbc.co.uk, followed by the unqualified hostname of a machine on the work network and then one of the clients on your home network.
6. Pour yourself a stiff drink.

We were the first generation to grow up with computers at home. Iain got one first – a BBC Micro, just as we were leaving primary school, but many of my friends got BBCs, Spectrums and Commodore 64s for Christmas 1983. Although 1984 has significance in the history of computing in other ways, it was the year when it became clear that this wasn’t just a fad; this was here to stay. My sister and I got an Acorn Electron for Christmas 1984.

The Electron was an interesting machine. It was an attempt to provide BBC Micro features for a ZX Spectrum price. Problem was – the games weren’t as good as the Spectrum and the limitations compared to the BBC were significant. Acorn struggled to manufacture enough units for sale until Christmas 1984 by which point it was a bit too late. But I couldn’t get enough of it. I read the manual cover to cover. We got Electron User and Acorn User, and I typed in all of the listings I could. My friend Daniel and I discovered that if he brought his official Acorn tape player round to ours and plugged it into my parents’ hifi, we could copy games. Good times.

Just before my fourteenth birthday, I read something which changed everything.

The May 1986 edition of Acorn User contained an article called Exploring the Mandlebrot Set by David Johnson-Davies. It blew my mind. In one article, a few lines of code and the hours of experimentation which came afterwards, I encountered complex numbers, the fascinating beauty of fractals – and the realisation that exploring these things was only possible with computers – but the computers that we now all had at home. Things like this were happening to lots of us (like Richard Kettlewell).

I read Natural Sciences and Chemical Engineering at university – but there was only one place I ever wanted to go. An early page of my Electron manual says “All correspondence should be addressed to: Technical Enquiries, Acorn Computers Limited, Fulbourn Road, Cherry Hinton, Cambridge CB1 4JN”. A lightbulb moment. Cambridge was where to find all the clever people doing clever stuff with computers. That’s what I wanted to do. I’ve worked for a couple of Cambridge colleges, for a couple of software companies and I ran the IT team at DAMTP, Stephen Hawking’s department at Cambridge. Now I’m at Red Gate and it’s 26 years since we got the Electron, and 20 years since I came down here – but I’m still doing what I’ve wanted to do since I was fourteen – working in Cambridge with clever people doing clever things with computers.

Footnote

Luke has just started secondary school. All of the kids have been given a Toshiba netbook, and when he was with us a couple of weekends ago, we struggled for a while to get it to connect to our wireless network. I tried to open a command prompt to diagnose, but the machines had been locked down so I couldn’t.

“Dad,” he said, last time he was down, “You remember when you couldn’t open that command prompt on my laptop? All you have to do is open notepad, type in command.com and save it on your desktop as a file called command.bat. Then if you double-click it…”

That’s my boy.

Watching Russell Brand on the PVR, and looking at the servers at work. Cube looks a bit busy.

Nupe. Quiet again. Cool. One more beer before bed?

Password Resets – please read

This message was sent with High importance.

Sent: 01 April 2009 08:31

To: Red-Gate

A few people have run into problems where they’ve been asked for their password, mid-afternoon while accessing file shares or Exchange. This is occurring because we’re changing our password expiry cycle from the current 1 year. We were reducing it bit-by-bit to avoid affecting everyone straight away – but we’ve realised that we need to accelerate this program.

The new policy will require you to change your password every 14 days, and this will come into effect at 12pm (noon) today. We will require you to have a stronger password than before, with more non-alphanumeric characters (i.e. punctuation). An example of an appropriate password would be @pr1!FuLe

If this is likely to cause you great inconvenience, we can arrange for a slightly more lenient reset frequency – we recognise it’s the job of the IS team to remove the treacle, so if you could write us a letter on company-headed paper, counter-signed by your line manager and both Neil and Simon, that would be great.

Have a good morning,

Gareth

–

Gareth Marlow, Head of Information Systems, Red Gate Software Ltd.

Pwned at least five people with that one. The more serious point is that there was an expectation that an IT department would even consider pulling a stunt like that. IT departments have bad PR but sometimes, we’re our own worst enemies.