Wednesday, June 28, 2006

Netscreen 5GT Firewall & PPTP

It seems the Netscreen 5GT doesn't like PPTP VPN pass-throughs.

When I mentioned to the people who support our hospitality product that I was looking at a Netscreen as a possible alternative to the Cisco 1811, they told me that they'd looked at one previously but rejected it because it blocked outgoing PPTP sessions. I was skeptical and asked for more information.

They told me that the Netscreen would allow the outbound request to initiate a PPTP session but blocked the incoming IP protocol 47 (GRE) traffic necessary to establish the session. They'd experienced this with a Cisco PIX as well, although I think Cisco subsequently issued a patch to the PIX firmware to address the issue.

Anyway, this morning I configured one of our SMC8014 modems as a PPTP server and tried to reach it from an XP box located behind the 5GT. No dice. The 8014 saw the incoming request but apparently the 5GT is blocking the incoming GRE traffic, just like the aforementioned PIX was.

To verify that the 8014 was set up properly I initiated PPTP sessions to it after connecting the XP box to a different 8014, and then a Motorola Surfboard. Yep, it's working correctly.

So, I emailed my contact at Juniper about this (I'd given him a heads up over lunch yesterday). If they fix it, great. If not, it's a show-stopper. We can't block hotel guests from contacting Microsoft VPNs.
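As an added illustration (not from the original post), here is a toy stateful filter in Python showing why a firewall that tracks TCP flows but has no PPTP awareness lets the control connection through and then drops the inbound GRE channel the tunnel needs; the addresses and packet sequence are constructed.

```python
from collections import namedtuple

# Constructed packet model: direction is "out" (trust -> untrust) or "in".
Packet = namedtuple("Packet", "direction proto src dst sport dport")
TCP, GRE = 6, 47          # IP protocol numbers
PPTP_PORT = 1723          # PPTP control channel (TCP)

class StatefulFilter:
    """Allows outbound traffic and only the replies to tracked flows."""

    def __init__(self, pptp_aware=False):
        self.pptp_aware = pptp_aware
        self.tcp_flows = set()   # (local, remote, sport, dport)
        self.gre_peers = set()   # (local, remote) pairs allowed inbound GRE

    def process(self, pkt):
        if pkt.direction == "out":
            if pkt.proto == TCP:
                self.tcp_flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
                # A PPTP-aware filter (ALG) expects a GRE channel to follow
                # the control connection and opens a pinhole for it.
                if self.pptp_aware and pkt.dport == PPTP_PORT:
                    self.gre_peers.add((pkt.src, pkt.dst))
            return "allow"
        # Inbound: only replies to something we tracked get through.
        if pkt.proto == TCP:
            reply = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
            return "allow" if reply in self.tcp_flows else "drop"
        if pkt.proto == GRE:
            return "allow" if (pkt.dst, pkt.src) in self.gre_peers else "drop"
        return "drop"

def simulate_pptp(pptp_aware):
    """Replay a PPTP setup from client 192.168.1.10 to server 203.0.113.5."""
    client, server = "192.168.1.10", "203.0.113.5"
    exchange = [
        Packet("out", TCP, client, server, 40000, PPTP_PORT),  # control SYN
        Packet("in", TCP, server, client, PPTP_PORT, 40000),   # SYN/ACK
        Packet("in", GRE, server, client, None, None),         # tunnel data
    ]
    fw = StatefulFilter(pptp_aware)
    return [fw.process(p) for p in exchange]

if __name__ == "__main__":
    print("no PPTP ALG:", simulate_pptp(False))  # GRE packet is dropped
    print("PPTP ALG:   ", simulate_pptp(True))   # GRE packet is allowed
```

The third verdict is the one the post describes: the control session on TCP/1723 succeeds, but without a PPTP-aware pinhole the returning GRE never reaches the client.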

New Survival Preps Blog

To keep my preps discussions focused, I decided to create a dedicated blog for it. Please check out my new Survival & Emergency Preparedness Blog.

Preparedness - 1

My parents have been over for dinner even more than usual lately, due to the fact that their kitchen is currently torn up and in the process of being completely remodeled. Since Judith and I get along with both sets of parents this isn't a problem. However, last night my mom said something that surprised me.

Mom is a liberal Democrat (I love her anyway), and works for Montgomery County. Earlier this week she attended a county training session on emergency preparedness, part of which was dedicated to a discussion of the possible effects of an avian flu epidemic. She mentioned how in the training it was recommended that people should have a supply of food and water on hand, in case they're shut in for an extended period.

What surprised me is that she isn't blowing this off. Mom and Dad (overall I'd rate him as a moderate Republican, except in a few areas where he's far right) are now looking at laying in some supplies. She has a list provided by the trainer. Of course, it doesn't include firearms for defense in the event of social breakdown or run of the mill crime, but thanks to Dad, that ain't an issue. ;-)

That a liberal Dem -- i.e., the type of person who by definition looks to the goobermint for help in times of need -- would take the responsibility to look out for herself in a disaster is refreshing, to put it mildly. One thing that the aftermath of Hurricane Katrina taught us is that you don't want to have to be dependent upon someone else in the event of a disaster.

It's still too early to know whether avian flu will become a real threat or a complete non-issue like the swine flu of the 1970s or the non-aftermath of Y2K, but there are plenty of other reasons to have a store of supplies on hand so you can weather an interruption of normal society, e.g.,

  • Hurricanes
  • Less severe but still serious weather
  • Winter storms
  • Power failures like the Blackout of 2003
  • Toxic waste spills
  • Riots
  • Terrorism.
Naturally, where you live will have a big influence on what's the most likely threat.

There are a ton of online resources available to help you get started with survival preps. is a good place to start. Also check out your state and local emergency management agencies, who often have checklists available on their websites.

You'll note that this post is titled "Preparedness - 1." I'm planning to do a series of posts which will cover this general topic. Questions and suggestions for specific topics are welcome.

Monday, June 26, 2006

DSL Router Setup

Yesterday I went over to my brother's new apartment to set up the Netgear WGR614v6 router that I gave him as a housewarming gift. He wanted to get Comcast cable modem service but it's not available for him, so he got Verizon ADSL instead.

Verizon uses PPPoE on its ADSL connections and their online help pages were remarkably unhelpful. There's no information on their site showing you how to setup a router, for instance. As a matter of fact, they state that you cannot use any home networking equipment other than what they'll sell you to share one of their DSL connections. Verizon's "help" page claims that they work with vendors to specifically build equipment to work with their service, implying that it is totally proprietary.


The Netgear router has a setup wizard which will automatically detect the type of Internet connection it's plugged into, and configure itself accordingly. I ran the wizard and entered Josh's account information, and we were up and running.

Take that, you pinheads.

Next, I had to set up the wireless part of his network. He has a 12" G4 PowerBook and wanted to be able to use the AirPort card from anywhere in the apartment. I changed the default SSID and enabled WPA-PSK encryption (which Apple calls WPA Personal in OS-X) and was able to get the wireless working easily. After I tested it with my iBook and got his PowerBook connected, we disabled SSID broadcast, so that unless someone is using a wireless sniffer his network shouldn't even appear to other users.

I had Josh log in to the router, pointed out various parts of the interface, and had him save a backup of the config to his laptop, in case he needs to default the box at some point.

Compared with my Comcast cable modem the Verizon speed is a lot lower. Josh was able to stream a video off Youtube easily, and checking my email presented no problems, but sending a large file attachment took a lot longer on the DSL connection than the cable modem. If I remember correctly, the upstream on the DSL is 128K. It's 384K on cable. For his uses, though, it'll suffice, and it sure beats 56K dial up.

Saturday, June 24, 2006

Locks of Love

Alexandra went and got a haircut this morning. Her hair was almost down to her behind and we didn't want all that to go to waste. So, the ~10" that was cut off is being donated to Locks of Love, a non-profit organization that provides prosthetic hairpieces to financially disadvantaged kids suffering medically-related hair loss, e.g. due to chemotherapy.

Anyway, here's Alexandra with her new look (and Amanda just because):

Thursday, June 22, 2006


Yet another sinus infection, hence the minimal blogging around here.

Before having kids in daycare I rarely got sinus infections. Now it seems like it's every couple of weeks. This sucks.

Now, if I could just come up with an industrial use for snot, I'd be all set.

Wednesday, June 14, 2006

Netscreen 5GT Firewall

Yesterday I spent most of the day in the lab working with a Juniper/Netscreen 5GT firewall. We're looking at it for a possible two box solution for our hospitality Internet service. It's a potentially easier-to-configure alternative to Cisco's low end boxen, like their 1811.

The 5GTs come in a few flavors but we're evaluating the lowest end box. Compared with our current setup -- an SMC8013 cable modem router -- it's still quite powerful. Like the Ciscos, the Netscreen can be configured via the CLI, but it also has a very nice web GUI.

Juniper gave me a second box to play with and suggested I take it home. I'm working on getting a second cable modem for home and then I'll be able to leave my existing modem and Vonage router unmolested, while I put my network behind the 5GT. Since I generally have an IMAP connection running between my laptop and during the day, I plan on testing the VPN feature of the 5GT by setting it up as a VPN endpoint then getting my email through a VPN tunnel. This will give me an idea of the stability of the box's VPN termination features. The unit I took home also has wireless, so I'll be able to see how well that feature works compared with my current Netgear consumer-grade WAP.

Monday, June 12, 2006

FreeBSD Mail Server Article, Part 2

Part 2 of my article, Building a Mail Server with Commodity Hardware and FreeBSD is now online at

Got fire?

Yesterday I learned how to be a BBQ grill mechanic.

A couple of weeks ago the piezoelectric ignitor died on our four year old gas grill. (Had it been up to me, we would have a charcoal grill, but Judith bought it with some birthday money so I had no choice.) I was still able to use the grill but had to light it with one of those long kitchen lighter things. After singeing some hair off my hand when lighting it I decided that it would be smart to install a new ignitor.

So, I picked up a new ignitor at Lowe's. After taking the grill apart I saw that the part of the burner bar where I'd be installing it was rusted away, so back to Lowe's I went for a new burner bar.

With all the parts in-hand, I actually RTFM and replaced the old stuff. I turned on the gas, crossed my fingers, and pushed the ignitor button a few times.


After letting the propane gas dissipate I rummaged around in the grill and discovered that the new ignitor electrode seemed to be touching its mount, which prevented spark generation. So I rearranged it, snugged down a bolt, and tried again.



Dinner last night was BBQed filet mignon and boneless chicken breasts, washed down with Yuengling Lager, a fine wrap up to the weekend.

Saturday, June 10, 2006

Rally Point After Action Report

The Rally Point shoot today went well. It was held at the Langhorne Rod & Gun Club, which I have to say is the nicest gun club I've seen since moving to Pennsylvania in 1979. For me, the gold standard for shooting ranges is the Associated Gun Clubs of Baltimore range in Marriotsville, MD. LRG&C was the first range I've seen which compares with the AGC range, though the New Holland Rod & Gun club out in Lancaster County comes close. I'm seriously considering getting a membership.

Turnout was pretty good, though I don't know yet how many people we had. At least twenty. I spent most of my time on the 50 yard smallbore/black powder/pistol range. Centerfire rifles are not normally permitted on that range but the club appears to have made an exception today. So, I was able to run about 105 rounds through the Rock-Ola M1 Carbine that I picked up a couple of weeks ago.

The M1 ran well except for a couple of malfunctions early on. I had one bolt over base failure to feed, and one instance when the last round in the magazine popped up and instead of feeding into the chamber, stovepiped. Both malfs were with the 15 round magazine that I got with the Carbine. This particular magazine has seen better days.

I have a single 30 round aftermarket M1 Carbine mag. It generally works OK in my Underwood, but I found out today it won't fully seat in the Rock-Ola. Unless I can find some excellent condition GI 30s, I'll stick with the GI 15 rounders for anything serious, anyway.

The ammo I used today was 55 rounds of USGI Ball made by Remington in 1952. I got this on clips in bandoleers in a sealed spam can from a few years ago. It looks new and shoots great, although both of today's malfs occurred with it. I also ran 50 rounds of current production Remington 110 grain jacketed soft points through the Carbine without any issues. I will need to pick up some more of this ammo.

I let one of the other guys who is from NJ shoot the Rock-Ola. The rifles he brought were all Kalashnikovs -- a SAR-1, a SAR-3, and a Chinese model. To show you how fouled up and illogical New Jersey's gun laws are, the Kalashnikovs and AR15-type rifles are legal in NJ with a 15 round or less magazine, while the less-powerful M1 Carbine is banned by name in NJ's state assault weapons ban.

After finishing up with the M1 I drove down to the 200 yard big bore range. Even though it doesn't have a covered firing line like the small bore range, it's still very nice. While there I got to observe a Savage Model LE2B .308 WCF rifle fitted with a sound suppressor being fired. The reduction in the report was astounding. Full-power .308 sounded like .22 LR high speed ammo being shot from a carbine. The rifle's owner has a picture posted here.

"Soda Pop," the organizer of the Rally Point events was there selling Woolrich Elite tactical clothing, for which he's a distributor. It all looks extremely well made and designed. I got one of the vests, which for the purposes of either concealed carry or "tactical" applications, is much better designed than the generic photographer's vests or safari vests often used for such. For example, compared with the Woolrich safari vest which I bought a few years ago, the WR Elite vest has a canvas shell as opposed to a softer cotton weave. This should stand up to abuse much better. Also, the pockets on the Elite vest look to be more useful than on the safari vest.

Several new shooters got some good instruction as well, which is a major focus of these events.

Tuesday, June 06, 2006

Rally Point Reminder

Just a reminder: the next Rally Point shoot is going to be this Saturday, 6/10/06, at the Langhorne Rod & Gun Club. If you're in the area we'd love to have you join us.

If you're coming please let us know in the announcement thread.


Sunday and yesterday I answered some editorial questions regarding Part 2 of my FreeBSD mail server article, then sent them back to my editors. Part 2 should be online at next Monday.

At work I’ve been working on the formal evaluation paper for last week’s trip. This morning I shipped off the first draft to my boss and the engineer who accompanied me to CA. I’d like to have the thing done this week.

Monday, June 05, 2006

Build a Mail Server With Commodity Hardware & FreeBSD

Part 1 of my article, Build a Mail Server With Commodity Hardware and FreeBSD is now live at

Thursday, June 01, 2006


Today I made a couple of telephone calls from my iBook with SkypeOut. You may be aware that SkypeOut calls are free for American and Canadian residents to American and Canadian phones, through the end of 2006. I've had a Skype account for awhile but this was the first time I've used it.

Anyway, the first call was to my boss on his cell phone to check in with a daily update. My Internet connection was through a VOD/HSIA system, accessed via WiFi. The second call was to Judith on our Vonage line at home. In this case it was the wired Internet connection in my hotel, which I believe is fed via a T-1. In both cases it just worked. The sound quality was excellent, without any echoing or perceptible lag, and it worked full-duplex. I was quite impressed, especially for the first call, which in effect was like this:

Laptop <--> WiFi <--> NAT <--> Internet <--> PSTN <--> Cellular Network

Latency is bad for voice connections but any negative effects didn't seem to manifest themselves. The single biggest factor limiting sound quality on my end was the crummy speakers on my iBook, which just need to be a bit louder. If I'd had external speakers or better yet a headset, the calls would've sounded as good as a POTS call.