 © Rakhesh Sasidharan
|
Posted: May 24th, 2018 | Category: Books | § Every now and then Audible has some sale and I try a new author I haven’t heard of. I am not very good at exploring different authors or genres coz I don’t like leaving my comfort zone. But with Audible I can at least give something a shot, and then return the book if I don’t like it. Usually I try a new book based on the narrator or just the book cover. I read some of the review to try and get an understanding, but it’s difficult to judge a book by reviews as different people have different tastes (and I have found I don’t like most sci-fi stories that a lot of people rave about).
Anyways, City of Thieves by David Benioff is one such book I tried recently and I am loving it. I bought it coz of the cover and also coz it is narrated by Ron Perleman. It’s been a good listen so far and while I still have a long ways to go I thought I should mention it here. Ron Perleman narrates it good too with the different voices and all that.
While Googling on some of the places and authors in the book (most of which turns out to be fictional) I came across the following wonderful quote from this blog post:
Talent must be a fanatical mistress. She’s beautiful; when you’re with her, people watch you, they notice. But she bangs on your door at odd hours, and she disappears for long stretches, and she has no patience for the rest of your existence: your wife, your children, your friends. She is the most thrilling evening of your week, but some day she will leave you for good. One night, after she’s been gone for years, you will see her on the arm of a younger man, and she will pretend not to recognize you.
David Benioff has two other books but they don’t seem to be in Audible. Will have to read them the old fashioned way. :o)
Posted: May 21st, 2018 | Tags: Azure, log analytics, OMS | Category: Infrastructure | § This is by no means a big deal, nor am I trying to take credit. But it is something I setup a few days ago and I was pleased to see it in action today, so wanted to post it somewhere. :)
So as I said earlier I have been reading up on Azure monitoring these past few days. I needed something to aim towards and this was one of the things I tried out.
When you install the “Agent Health” solution it gives a tile in the OMS home page that shows the status of all the agents – basically their offline/ online status based on whether an agent is responsive or not.
The problem with this tile is that it only looks for servers that are offline for more than 24 hours! So it is pretty useless if a server went down say 10 mins ago – I can keep staring at the tile for the whole day and that server will not pop up.
I looked at creating something of my own and this is what I came up with –
If you click on the tile it shows a list of servers with the offline ones on top. :)
I removed the computer names in the screenshot that’s why it is blank.
So how did I create this?
I went into View Designer and added the “Donut” as my overview tile.
Changed the name to “Agent Status”. Left description blank for now. And filled the following for the query:
|
|
Heartbeat | summarize LastSeen = max(TimeGenerated) by Computer | extend Status = iff(LastSeen < ago(15m),"Offline","Online") | summarize Count = count() by Status | order by Count desc |
Here’s what this query does. First it collects all the Heartbeat events. These are piped to a summarize operator. This summarizes the events by Computer name (which is an attribute of each event) and for each computer it computes a new attribute called LastSeen which is the maximum TimeGenerated timestamp of all its events. (You need to summarize to do this. The concept feels a bit alien to me and I am still getting my head around it. But I am getting there).
This summary is then piped to an extend operator which adds a new attribute called Status. (BTW attributes can also be thought of as columns in a table. So each event is a row with the attributes corresponding to columns). This new attribute is set to Offline or Online depending on whether the previously computed LastSeen was less than 15 mins or not.
The output of this is sent to another summarize who now summarizes it by Status with a count of the number of events of each time.
And this output is piped to an order to sort it in descending. (I don’t need it for this overview tile but I use the same query later on too so wanted to keep it consistent).
All good? Now scroll down and change the colors if you want to. I went with Color1 = #008272 (a dark green) and Color 2 = #ba141a (a dark red).
That’s it, do an apply and you will see the donut change to reflect the result of the query.
Now for the view dashboard – which is what you get when someone clicks the donut!
I went with a “Donut & list” for this one. In the General section I changed Group Title to “Agent Status”, in the Header section I changed Title to “Status”, and in the Donut section I pasted the same query as above. Also changed the colors to match the ones above. Basically the donut part is same as before because you want to see the same output. It’s the list where we make some changes.
In the List section I put the following query:
|
|
Heartbeat | summarize LastSeen = max(TimeGenerated) by Computer | extend Status = iff(LastSeen < ago(15m),"Offline","Online") | sort by bin(LastSeen,1min) asc |
Not much of a difference from before, except that I don’t do any second summarizing. Instead I sort it by the LastSeen attribute after rounding it up to 1 min. This way the oldest heartbeat event comes up on top – i.e. the server that has been offline for the longest. In the Computer Titles section I changed the Name to “Computer” and Value to “Last Seen”. I think there is some way to add a heading for the Offline/Online column too but I couldn’t figure it out. Also, the Thresholds feature seemed cool – would be nice if I could color the offline ones red for instance, but I couldn’t figure that out either.
Lastly I changed the click-through navigation action to be “Log Search” and put the following:
|
|
Heartbeat | summarize LastCall = max(TimeGenerated) by Computer | where LastCall < ago(15m) |
This just gives a list of computers that have been offline for more than 15 mins. I did this because the default action tries to search on my Status attribute and fails; so thought it’s best I put something of my own.
And that’s it really! Like I said no biggie, but it’s my first OMS tile and so I am proud. :)
ps. This blog post brought to you by the Tamil version of the song “Move Your Body” from the Bollywood movie “Johnny Gaddar” which for some reason has been playing in my head ever since I got home today. Which is funny coz that movie is heavily inspired by the books of James Hadley Chase and I was searching for his books at Waterstones when I was in London a few weeks ago (and also yesterday online).
My blog posting has taken a turn for the worse. Mainly coz I have been out of country and since returning I am busy reading up on Azure monitoring.
Anyways, some quick links to tabs I want to close now but which will be useful for me later –
- A funny thing with Azure monitoring (OMS/ Log Analytics) is that it can’t just do simple WMI queries against your VMs to check if a service is running. Crazy, right! So you have to resort to tricks like monitor the event logs to see any status messages. Came across this blog post with a neat idea of using performance counters. I came across that in turn from this blog post that has a different way of using the event logs.
- We use load balancers in Azure and I was thinking I could tap into their monitoring signals (from the health probes) to know if a particular server/ service is up or down. In a way it doesn’t matter if a particular server/ service is down coz there won’t be a user impact coz of the load balancer, so what I am really interested in knowing is whether a particular monitored entity (from the load balancer point of view) is down or not. But turns out the basic load balancer cannot log monitoring signals if it is for internal use only (i.e. doesn’t have a public IP). You either need to assign it a public IP or use the newer standard load balancer.
- Using OMS to monitor and send alert for BSOD.
- Using OMS to track shutdown events.
- A bit dated, but using OMS to monitor agent health (has some queries in the older query language).
- A useful list of log analytics query syntax (it’s a translation from old to new style queries actually but I found it a good reference)
Now for some non-Azure stuff which I am too lazy to put in a separate blog post:
- A blog post on the difference between application consistent and crash consistent backups.
- At work we noticed that ADFS seemed to break for our Windows 10 machines. I am not too clear on the details as it seemed to break with just one application (ZScaler). By way of fixing it we came across this forum post which detailed the same symptoms as us and the fix suggested there (
Set-ADFSProperties -IgnoreTokenBinding $True) did the trick for us. So what is this token binding thing?
- Token Binding seems to be like cookies for HTTPS. I found this presentation to be a good explanation of it. Basically token binding binds your security token (like cookies or ADFS tokens) to the TLS session you have with a server, such that if anyone were to get hold of your cookie and try to use it in another session it will fail. Your tokens are bound to that TLS session only. I also found this medium post to be a good techie explanation of it (but I didn’t read it properly*).
- It seems to be enabled on the client side from Windows 10 1511 and upwards.
- I saw the same recommendation in these Microsoft Docs on setting up Azure stack.
Some excerpts from the medium post (but please go and read the full one to get a proper understanding). The excerpt is mostly for my reference:
Most of the OAuth 2.0 deployments do rely upon bearer tokens. A bearer token is like ‘cash’. If I steal 10 bucks from you, I can use it at a Starbucks to buy a cup of coffee — no questions asked. I do not want to prove that I own the ten dollar note.
OAuth 2.0 recommends using TLS (Transport Layer Security) for all the interactions between the client, authorization server and resource server. This makes the OAuth 2.0 model quite simple with no complex cryptography involved — but at the same time it carries all the risks associated with a bearer token. There is no second level of defense.
OAuth 2.0 token binding proposal cryptographically binds security tokens to the TLS layer, preventing token export and replay attacks. It relies on TLS — but since it binds the tokens to the TLS connection itself, anyone who steals a token cannot use it over a different channel.
Lastly, I came across this awesome blog post (which too I didn’t read properly* – sorry to myself!) but I liked a lot so here’s a link to my future self – principles of token validation.
* I didn’t read these posts properly coz I was in a “troubleshooting mode” trying to find out why ADFS broke with token binding. If I took more time to read them I know I’d get side tracked. I still don’t know why ADFS broke, but I have an idea.
Posted: May 12th, 2018 | Tags: greek, mythology, quotes | Category: Asides | § Listening to Stephen Fry’s Mythos and I loved this epitaph from one of the stories. That of Phaëthon, son of Phoebus Apollo the sun God, who rode his father’s sun chariot for a day but lost control and ended up scorching Africa in the process (thus creating the Sahara desert). This epitaph was offered by the American classicist Edith Hamilton.
Here Phaëthon lies who in the sun-gods chariot fared.
And though greatly he failed, more greatly he dared.
Posted: April 24th, 2018 | Tags: quotes | Category: Asides | § Was listening to “The Mystery of the Cardboard Box” in the bus after a particularly shitty day and loved this ending paragraph. It resonated with me.
“What is the meaning of it, Watson? said Holmes solemnly as he laid down the paper. “What object is served by this circle of misery and violence and fear? It must tend to some end, or else our universe is ruled by chance, which is unthinkable. But what end? There is the great standing perennial problem to which human reason is as far from an answer as ever.”
Posted: April 22nd, 2018 | Tags: Amazon, meetings, powerpoint | Category: Asides | § Liked this –
For every meeting, someone from the meeting has prepared a six-page, narratively structured memo that has real sentences and topic sentences and verbs. It’s not just bullet points. It’s supposed to create the context for the discussion we’re about to have.
Especially the point about creating context.
This is from an interview with Jeff Bezos where he mentions Amazon has banned PowerPoint presentations in meetings.
By forcing the presenter to creative a narrative it gets them thinking more about the topic and understand the topic well. Similarly by forcing the attendees to read the memo it forces them to not just skim through the slides but to internalize it. Nice!
Posted: April 13th, 2018 | Category: TV | § Feels funny writing this but I saw “Tiger Zinda Hai” and actually enjoyed it! I put it on thinking I’d find it silly but would watch it anyways, and while I did find the whole “super agent” thing silly I enjoyed the movie nevertheless. I guess it’s of the way it was taken. I dunno, the attention to detail I guess, or all the money spent. You (or I, rather) could see the director has taken his time crafting the movie and not spared much expenses. (And later I read in Wikipedia that this is one of most expensive Hindi movies produced).
I loved this Tera Noor song by Jyoti Nooran btw. Amazing fight sequence backed by a superb song.
I loved the background music too. I think that’s one more thing that caught my attention from the start. It wasn’t over-done but perfect for the situations and mood.
Update: Forgot a shout out to the amazing villain of Tiger Zinda Hai – Sajjad Delafrooz.
Posted: April 12th, 2018 | Category: PowerShell, Windows | § Simple PowerShell one-liner –
|
|
Get-ADGroupMember "GroupIWantToTarget" | %{ $UserObj = Get-ADUser $_; $OldUPN = $UserObj.UserPrincipalName; $NewUPN = $OldUPN.Replace("oldupnsuffix.com","newupnsuffix.com"); "$OldUPN -> $NewUPN"; Set-ADUser $UserObj -UserPrincipalName $NewUPN } |
The "$OldUPN -> $NewUPN"; can be skipped. That’s just for me to get output of the changes being done.
Posted: April 12th, 2018 | Tags: displayport | Category: Gadgets | § I’ve always seen the DisplayPort and mini-DisplayPort ports on desktops and laptops but never paid much attention to them. I end up using the DVI or HDMI ports usually and DisplayPort was always that “inconvenient” port for which I’d need an adapter – like DisplayPort to DVI or HDMI. Today I learnt that DisplayPort has very high throughput and that DisplayPort 1.2 and above (we are currently on 1.4) supports something called Multi Stream Transport which lets you hook up more than 1 monitor to a single port using a hub like this. That is so amazing! So I no longer have to fuss about with extra graphics cards just to get an extra DVI / HDMI port. All I have to do is buy one of these hubs and I am set. Nice!
Posted: April 12th, 2018 | Tags: dns, dnscrypt | Category: Asides, Networks | § No point to this post except as a reference for my future self. I wanted to mention some of the links here to a colleague of mine today but couldn’t remember them. Finally had to search through my browser history. Easier to just put them here for later reference. :)
Via this Pi-Hole page – OpenNIC and DNS.Watch. Both are for uncensored results etc., with the former having additional TLDs too. Sadly neither supports edns-client-subnet so I can’t really use it. :( If I query www.google.com via one of these I get results that are 150-220ms away. Same query via Google DNS or OpenDNS gives me results that are 8ms away!
I hope to implement DNSCrypt-proxy on my Asus router this weekend (time permitting). Seems to be straight-forward to setup on Asus Merlin as there’s an installer and also available via AMTM. My colleague is currently using DNSCrypt.nl as the upstream resolver, but he also mentioned an alternative he hopes to try.
It’s funny there’s a lot more talk about DNS encryption these days. I happened to get on it coz I got the Asus Merlin running at home again recently and also coz of the CloudFlare DNS announcement. I’ve generally been in a geeky mode since then and checking out things like Pi-Hole etc. And just the other day I read an Ars Technica article about DNS encryption and today it turns out my colleague implemented DNSCrypt at his home just today morning.
Something else I hope to try – dunno where though – is the Knot DNS Resolver.
Lastly, totally unrelated but as a reference to myself – I didn’t know there was an open source version of the Synology OS called XPEnology, and I didn’t know of these picoPSU power supplies. So cool! Also, Netgear R7800 seems to be a good router to keep in mind for the future.
Posted: April 8th, 2018 | Tags: docx, formatting, word | Category: Windows | § Got the following error for a Word document at work.
Obviously your mileage may vary in terms of the fix but here’s what I did so there’s a starting point.
Since this is a docx file I extracted it using 7-Zip. Went through the XML files in it but they seemed fine. Next I extracted another working docx file and replaced the “[Content_Types].xml” file of the broken one with that of the working one. Zipped it all back into a docx file, double clicked, and I got a different error now but the document opened fine. It complained about comments or something missing, but all that was expected as obviously I had replaced a master file with another one. The fact that it opened fine (more or less) confirmed that this file must be the culprit.
Next I tried removing bits and pieces from the broken “[Content_Types].xml” file but that didn’t help. Finally I compared the two side by side, starting with the stuff I hadn’t removed. I noticed that the broken file had an entry like this:
|
|
<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/> |
The same one in the working file was different:
|
|
<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/> |
So I replaced the line in the broken file with the one in the working file, zipped it all back, double clicked and voila! it opens fine now. :)
From this MIME types document it seems like “application/vnd.ms-word.document.macroEnabled.12” is a “.docm” file so at this point my guess is that the user copy pasted something from another document and that possible corrupted his destination document? I don’t know.
Posted: April 8th, 2018 | Tags: Castro, pocketcasts, podcast | Category: Musings | § I am an avid podcast listener and have been a long term fan of Pocket Casts. I’ve even paid for their web-app even though I don’t use it much, coz I liked their iOS and Android apps and wanted to support them.
However I also get bored of using the same thing again and again :) and I also wanted some way to manage my unlistened to podcasts. I tend to subscribe to a lot of podcasts (well at least I used to, I cut down on a lot now) and it is difficult to make time to listen to podcasts, audio books, and music – so I also wanted some way of keeping a “handle” on the podcasts. There are some podcasts that I would like to listen to every episode of, there are some podcasts I listen to in the background while working or doing other things, and there are some podcasts I listen to actively but I don’t necessarily want to listen to all episodes. I tried using playlists in Pocket Casts for this but that didn’t work out well; and I also tried other apps like Overcast (in combination with Pocket Casts so I have some podcasts on Overcast) but that didn’t work out well either. In fact, most people seem to rave about Overcast, but I didn’t like it much. The UI isn’t that great, and I generally found it confusing & cumbersome (don’t ask me what I found confusing – I just did).
Fast forward to last month and I discovered Castro. That was a great find and I loved their triage interface. Now I had the podcasts that I listen to in the background or which I wanted to listen all episodes to in Pocket Casts, and the ones I wanted to listen to actively but pick and choose episodes in Castro. I subscribed to the podcast of the creators too and overall it was a pleasant experience.
Some small niggles though. Castro seems to suck at downloading. Maybe it was my home WiFi coz it seemed to be ok over 4G/ LTE (and it blew up my allowance in the process last month!) but Pocket Casts had no issue downloading over the same WiFi so I am not sure. I also didn’t like the fact that when I wrote to their support address regarding this issue no one replied. It’s not a biggie but it put me off.
This past weekend however I came across a big niggle that totally put me off. I knew that Castro was an iOS only app and considering I am an iOS and Android user that’s something I was willing to put up with coz I liked Castro. But on the weekend I took out one of my other iPhones and discovered that Castro doesn’t do any sort of sync between iPhones either. That was a bummer! It can restore my subscriptions and episodes from the other phone but there’s no way to keep the two in sync. This was a biggie for me as I like to be able to keep things in sync at least within iOS. I like to change phones around and use multiple devices, so keeping things in sync is a basic necessity in my books (or at least I realized so this weekend). Castro, I love your interface and way of handling podcasts, but as long as you don’t have some way of keeping my subscriptions and progress in sync I am sorry I won’t be able to use you. :( Yes I don’t need it on a regular basis but that’s something I draw a line at in terms of not wanting to be tied down to a device.
So today I went back to Pocket Casts. Added all the episodes and subscriptions back to Pocket Casts and created playlists etc again. Dunno if I will be able to continue listening to podcasts as quickly as I was with Castro (coz of the triage interface where I could pick and choose and discard easily) but let’s see. Got to try again!
Update: Trying out Overcast in conjunction with Pocket Casts (i.e. as a replacement for the role previously filled by Castro basically). Thing with Pocket Casts is that even though I can make playlists I can’t sort them my way. It’s either oldest to newest, or reverse. There’s a few podcasts I am catching up on and I would like to have them in between my regular episodes, and there’s no way to do that with Pocket Casts. But I can do so with Overcast so thought I’d try again. So many people recommend it (including the Packet Pushers podcast whose weekly episode from yesterday had Greg and Ethan mention Overcast as being great) I must try again in case the issue is one of me being stubborn.
One niggle with Overcast though is that I can’t have some podcasts sorted a different way (unlike Pocket Casts). So it’s either everything sorted oldest to newest or newest to oldest. I can sort playlists however I want, including custom reordering (which is such a pleasure on Castro BTW – love their drag and drop!) so it’s not really a big deal.
Posted: April 7th, 2018 | Tags: ipv6 | Category: Networks | § Since enabling SLAAC as per my previous post I noticed that Android now has two IPv6 addresses (in addition to the link local one it already had) and Windows has the link-local one, a DHCPv6 one (marked as preferred), and two SLAAC IPv6 addresses (marked as “Temporary IPv6 Address”). Trying to find out why brought me to this superuser page that answered my question.
The long and short of it is that since SLAAC IPv6 addresses are not “centralized” (i.e. not from a DHCPv6 server), the client is at liberty to create multiple IPv6 addresses for privacy purposes. This is mainly to protect your privacy, so servers on the Internet are not able to track you consistently (nor try and collect your IPv6 address and try to make contact with your client I guess). Via the netsh interface ipv6 show addresses command on my Windows 10 machine I see that they have a duration of an hour after which they are presumably regenerated.
The netsh interface ipv6 show privacy command shows whether temporary IPv6 addresses are enabled or not. Linux has something similar.
Sure enough when I now visit https://www.whatismyip.com/ on my browser it no longer shows the DHCP assigned IPv6 address but one of the temporary ones (and no, it does not even show the SLAAC generated IPv6 address based on the EUI-64 MAC address; it’s a temporary random address that appears in ipconfig or netsh interface ipv6 show addresses as temporary).
|
|
Interface 5: Ethernet Addr Type DAD State Valid Life Pref. Life Address --------- ----------- ---------- ---------- ------------------------ Dhcp Preferred 14h5m25s 14h5m25s 2001:xxxx:yyyy:1045::1fd1 Temporary Preferred 59m57s 59m57s 2001:xxxx:yyyy:10d9:bc07:d511:755d:7940 Public Preferred 59m57s 59m57s 2001:xxxx:yyyy:10d9:e94e:24bf:7bd:58d6 Other Preferred infinite infinite fe80::e94e:24bf:7bd:58d6%5 |
Posted: April 7th, 2018 | Tags: dnsmasq, ipv6 | Category: Linux BSD, Networks | § Discovered that my Android phone only had a link-local IPv6 address and learnt that it doesn’t support DHCPv6 (who thought?!). So I want to enable SLAAC in addition to DHCPv6 in my network. Was checking out Dnsmaq options (as Asus uses that) and came across its various modes.
IPv6 Router Advertisement (RA) messages can contain the following flags:
- M (“Managed address configuration”) – indicates that IPv6 addresses are available via DHCPv6. This is also referred to as Stateful DHCP.
- O (“Other configuration”) – no IPv6 address, but other configuration information like DNS etc. are available via DHCPv6. This is also referred to as Stateless DHCP.
- A (“Autonomous Address Configuration”) – indicates that the prefix present with the flag can be used for SLAAC (StateLess Auto Address Configuration).
Note that if the M flag is present the O flag doesn’t matter – coz clients are getting information via DHCPv6 anyway.
Dnsmasq allows the following modes when defining an IPv6 range (from its man page):
For IPv6, the mode may be some combination of ra-only, slaac, ra-names, ra-stateless, ra-advrouter, off-link.
ra-only tells dnsmasq to offer Router Advertisement only on this subnet, and not DHCP.
slaac tells dnsmasq to offer Router Advertisement on this subnet and to set the A bit in the router advertisement, so that the client will use SLAAC addresses. When used with a DHCP range or static DHCP address this results in the client having both a DHCP-assigned and a SLAAC address.
ra-stateless sends router advertisements with the O and A bits set, and provides a stateless DHCP service. The client will use a SLAAC address, and use DHCP for other configuration information.
ra-names enables a mode which gives DNS names to dual-stack hosts which do SLAAC for IPv6. Dnsmasq uses the host’s IPv4 lease to derive the name, network segment and MAC address and assumes that the host will also have an IPv6 address calculated using the SLAAC algorithm, on the same network segment. The address is pinged, and if a reply is received, an AAAA record is added to the DNS for this IPv6 address. Note that this is only happens for directly-connected networks, (not one doing DHCP via a relay) and it will not work if a host is using privacy extensions. ra-names can be combined with ra-stateless and slaac.
ra-advrouter enables a mode where router address(es) rather than prefix(es) are included in the advertisements. This is described in RFC-3775 section 7.2 and is used in mobile IPv6. In this mode the interval option is also included, as described in RFC-3775 section 7.3.
off-link tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.
This is a bit confusing so thought I should put it into a nice table. Note that this is my understanding, I could be wrong:
| ra-only |
no M or O flags; only A flag
|
clients can use the RA to configure their SLAAC IPv6 address. no DHCPv6 is offered. |
| slaac |
if a DHCPv6 range is specified then M and A flags; else only A flag. no O flag, but as I said above the O flag doesn’t matter anyways if M flag is present.
I’d say M and A flags always (see my point in the next column)
|
clients can use RA to configure their SLAAC address. DHCPv6 too is offered if a range is configured. thus clients can have two IPv6 addresses – a SLAAC one and a DHCPv6 one.
slaac sounds like ra-only if no DHCP range is configured. I wonder why the DHCP range is presented as it is an optional thing. The DHCP range is what makes slaac different from ra-only, so you kind of actually need it.
|
| ra-stateless |
only O and A flags; no M flag |
clients can use RA to configure their SLAAC address and look to DHCPv6 for the DNS etc. information. |
| ra-names |
no M or O flags; only A flag |
this one didn’t make much sense to me; but then again it is meant for dual stacked clients and I am not looking at that scenario. it sounds like ra-only, the difference being that Dnsmasq will assume the client’s SLAAC IPv6 address is based on its MAC address and thus derive a possible IPv6 address and ping it and if there’s a reply then create an AAAA record mapping the client’s name to this SLAAC IPv6 address. |
| ra-names,slaac |
M and A flags (assuming it is same as the slaac mode) |
same as above, just that clients will have a DHCPv6 address in addition to the SLAAC one. and Dnsmasq will create the AAAA DNS record. |
| ra-names,ra-stateless |
O and A flags; no M flag |
same as above, just that clients don’t have any DHCPv6 address but use RA to configure DNS etc. |
| ra-advrouter |
ignoring it for now – it’s to do with mobile IPv6 and didn’t make much sense to me :) |
|
| off-link |
ignoring for now; didn’t make much sense to me |
|
So in my case it looks like I have to enable the slaac mode. This way all my clients will have both DHCPv6 and SLAAC addresses (with the exception of Android who will get the SLAAC address only).
Posted: April 6th, 2018 | Tags: ipv6 | Category: Networks | § Whee! I enabled IPv6 at home today. :)
It’s pretty straight-forward so not really an accomplishment on my part actually. I didn’t really have to do anything except flip a switch, but I am glad I thought of doing it and actually did it, and pretty happy to see that it works. Nice!
Turns out Etislalat started rolling out IPv6 to home users in Dubai back in November 2016. I obviously didn’t know of it. Nice work Etisalat!
Also, my Asus router supports IPv6. Windows and iOS etc. supports IPv6 too, so all the pieces are really in place.
All I had to do on the Asus router was go to the IPv6 section, set Connection Type as “Native”, Interface as “PPP”, enable “DHCP-PD” and enable “Release prefix on exit”. DHCP-PD stands for “DHCP Prefix Delegation”. In IPv4 the ISP gives your home router a single public IP and everything behind the home router is NAT’d into that single pubic IP by the router. In IPv6 you are not limited to a single public IP. IPv6 has tons of addresses after all, so every device can have a pubic IP. Thus the ISP gives you not a single IPv6 address, but a /64 publicly accessible prefix itself and all your home devices can take addresses from that pool. Thus “DHCP-PD” means your router asks the ISP to give it a prefix, and “Release prefix on exit” means the router gives that prefix back to the ISP when disconnecting or whatever.
I also decided to use the Google DNS IPv6 servers.
Here’s a list of IPv6 only websites if you want to visit and feel good. :p
Check out this website to test IPv6. It also has a dual stack version that checks if your browser prefers IPv4 over IPv6 even though it may have IPv6 connectivity. Initially I was using this test site. The test succeeded there but I got the following error: “Your browser has real working IPv6 address – but is avoiding using it. We’re concerned about this.”. Turns out Chrome and Firefox start an internal counter when a site has an IPv6 and IPv4 address and if the IPv4 address responds faster then they prefer the IPv4 version. Crazy huh! In Firefox I found these two options in about:config and that seemed to fix this – network.http.fast-fallback-to-IPv4 (set this to false) and network.notify.IPv6 (set to true – I am not sure this setting matters for my scenario but I changed it anyways).
Here’s Comcast’s version of SpeedTest over IPv6.
Back to my router settings. I decided to go with “Stateful” auto configuration for the IPv6 LAN and set an appropriate range. With IPv6 you can have the router dole out IPv6 addresses to clients (in the prefix it has) or you have have clients auto configure their IPv6 address by asking the router for the prefix information but creating their own address based on that. The former is “Stateful”, the latter is “Stateless”. I decided to go with “Stateful” (though I did play around with “Stateless” too). Also, leave the “Router Advertisements” section Enabled.
That’s pretty much it.
In my case I ended up wasting about an hour after this as I noticed that my Windows 10 laptop would work on IPv6 for a while and then stop working. It wasn’t able to ping the router either. After a lot of trial and error and fooling around I realized that it’s because a long time ago I had disabled a lot of firewall rules on my Windows 10 laptop and in the process dis-allowed my IPv6 rules that were enabled by default. Silly of me! I changed all those to their default state and now the laptop works fine without an issue.
Before moving on – double check that the IPv6 firewall on your router is enabled. Now that every machine in your LAN (that has an IPv6 address) is publicly accessible one has to be careful.
|