Sunday, December 07, 2014

Does A 6Gbps SATA Interface Actually Matter

As we've been told all our lives, bigger is better.  But as we also know, what we've always been told isn't necessarily right any more (and often wasn't ever right).  So, with that in mind, I present the 6Gbps SATA Interface!

First, for those who get confused by the nomenclature and numbering used in computing, a Byte (B) is a collection of 8 bits (b), a Kilobyte (KB) is 1,000 Bytes, a Megabyte (MB) is 1,000,000 Bytes (or 1,000 KB) and a Gigabyte (GB) is 1,000,000,000 Bytes (or 1,000 MB or 1 million KB).(1)

So, with that information at hand, we can do a few calculations to see what 6Gbps really means.  An added complication is the way that the data is encoded across the SATA interface using something called 8b/10b Encoding (and here's a link for the nerdy types) which results in a slight loss in data throughput across the SATA.  The end result of this data encoding means that a SATA 1.5Gbps (187.50MB/s) interface will deliver a total of 1.2Gbps (150MBps) of data.

SATA Revision | Interface Speed Gbps | Interface Speed MBps | Data Throughput Gbps | Data Throughput MBps
1.0 | 1.5Gbps | 187.5MBps | 1.2Gbps | 150MBps
2.0 | 3.0Gbps | 375.0MBps | 2.4Gbps | 300MBps
3.0 | 6.0Gbps | 750.0MBps | 4.8Gbps | 600MBps
3.1 | 6.0Gbps | 750.0MBps | 4.8Gbps | 600MBps
3.2 | 16.0Gbps | 2000.0MBps | 12.8Gbps | 1600MBps

Right, now that we know the actual maximum data throughput of a bunch of different SATA standards, what we need to do is look at the drives we can attach to these SATA interfaces and see how fast they can go compared to the data throughput of the interfaces themselves.

Drive Manuf | Drive Model | Drive Capacity | Max/Sustained Read MBps
Seagate | Desktop SSHD ST4000DX001 | 4TB | 146MBps (from all zones)
Seagate | Desktop SSHD ST4000DX001 | 4TB | 190MBps (from NAND)
Seagate | Desktop NAS HDD ST4000VN000 | 4TB | 180MBps
Seagate | Laptop SSHD ST1000LM014 | 1TB | 100MBps
Samsung | SSD Pro 840 MZ-7PD512 | 500GB | 540/520MBps (Read/Write)
Samsung | SSD 840 Evo MZ-7TE1T0 | 1TB | 540/520MBps (Read/Write)
Samsung | XP941 Gen 2 X4 M.2 SSD | 512GB | 1170/950MBps (Read/Write)
Plextor | M6E Gen 2 X2 M.2 SSD | 512GB | 705/638MBps (Read/Write)

As you can quite clearly see, all of the regular Hard Drives (and even the Hybrid SSD/HDDs) are pretty much around the same maximum or sustained transfer rate of somewhere under 200MBps, which means that plugging one into anything faster than a SATA 3.0Gbps controller will give no performance improvement whatsoever.

This changes when we start to look at SSDs.  The regular Samsung SSDs will deliver up to 540MBps of read performance which is well in excess of the throughput of a 3.0Gbps SATA interface - to get the full performance from any modern SSD you will need to have a SATA 3.0 (6.0Gbps) to connect it to.  This goes for many current SSDs that all deliver up to around 550MBps from Samsung, Intel, Crucial, Transcend and others.

Things, however, start to really get interesting when we look at the newer M.2 (SATA Rev 3.2) devices.  These can deliver data across an older SATA 3.0 interface, or a PCIEx2 or PCIEx4 interface, depending on the configuration of the drive (and socket).  Currently, the Asrock Z97 Extreme6 is the only motherboard to support the X4 transfer rates, however more boards are sure to hit the market soon.  The Plextor M6E drive delivers just under 50% faster transfers using its PCIEx2 interface than can be achieved using the SATA specification, and impressively the Samsung XP941 512GB M.2 drive on an Asrock Z97 Extreme6 delivers over 1GBps in read performance!

So, basically, if you have any form of spinning metal disk, be it a hybrid or not, there's no need to upgrade to a 6Gbps SATA controller, though if you have one on your motherboard, it won't hurt to use it.  If, however, you have one of the current fast crop of SSD drives, then you will need to connect this to a 6Gbps SATA port to realise the full speed of the device.

If speed is your bag, baby, then a 6Gbps SATA port is not enough and you'll need to look at the newer M.2 X4 devices on a controller that will allow it to run at full speed and right now, the only onboard controller that will handle this is on the Asrock Z97 Extreme6 motherboard.  Plug in adapters that will support this spec include the BPlus M2P4S and the PEX16X-LTSSD-ADP adapter.  There may be others out there and Google may well help locate them! :)


Regards,

The Outspoken Wookie

Wednesday, December 03, 2014

BEASTly POODLEs

There have been a number of vulnerabilities detected in various security protocols over the past year or two including BEAST Attack, Heartbleed Bug and POODLE Attack.  At least 2/3 of these have names that give some indication of their severity and the remaining 1/3 leaves you with a rather interesting visual image.  But be ye not distracted by the names - they are all things that need to be addressed in various ways.

Information about the Browser Exploit Against SSL/TLS (BEAST) Attack was released in September 2011; it attacked weaknesses in particular implementations of TLS 1.0.  This vulnerability has been pretty much mitigated today (Dec, 2014), however there are still some older, non-updated systems out there that are vulnerable to it.  The table below lists the earliest version of each product that mitigated the BEAST Attack (and yes, Apple took an inordinately long time to patch this vulnerability):

Product | Earliest version with BEAST mitigated
Apple iOS | iOS 7.0
Apple OS-X | OS-X 10.9 (Mavericks)
Google Chrome | Version 16
Microsoft Windows | MS12-006 on Windows 7/Server 2008 R2 and older
Mozilla Firefox | Version 10

Following on from the BEAST Attack were the CRIME and BREACH attacks which, too, have been mitigated in current browsers and are a low-grade threat at worst these days.

The Heartbleed bug, publicly announced in April, 2014, affected anything running OpenSSL.  The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.  Yup, it is pretty nasty but this, too, is pretty much completely mitigated by the various vendors using this code.

For an easy to understand explanation of the Heartbleed bug, have a read of this XKCD comic.  To see if your website is affected by the Heartbleed bug, have a look at https://lastpass.com/heartbleed/ (Heartbleed bug only) and https://www.ssllabs.com/ssltest/index.html (Heartbleed and more).  Any site that you go to that uses the "https" protocol can be checked to ensure it is running a version of OpenSSL that is not vulnerable to this attack.  If the site *still* has not been updated, I'd suggest speaking with the vendor, outing them in social media and removing your account and changing any passwords and/or information that was stored in that site.
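Heartbleed comes down to one missing bounds check: the heartbeat message says how long its payload is, and the vulnerable code believed it.  The Python below is an added example, not code from this post or from OpenSSL, that simulates a heartbeat responder both ways: one that trusts the length field and so echoes back whatever follows the message in a constructed in-memory buffer, and one with the check the fix introduced (the claimed payload plus header and minimum padding must fit inside the record, otherwise the message is silently dropped).  The function names, the constructed "memory" and the sample secret are assumptions made for the illustration.

```python
import struct
from typing import Optional

# TLS heartbeat message layout (RFC 6520): type (1 byte), payload_length (2 bytes),
# payload, then at least 16 bytes of random padding
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. claimed_length lets the caller write a length into the
    header that does not match the real payload: the malformed message the bug trusted."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(record: bytes, memory_after_record: bytes) -> bytes:
    """Simulation of the pre-patch behaviour: copy payload_length bytes starting at the
    payload without checking they lie inside the record. memory_after_record is a
    constructed stand-in for whatever happened to sit next to the message in process memory."""
    _hb_type, length = struct.unpack("!BH", record[:3])
    memory = record + memory_after_record
    echoed = memory[3:3 + length]  # over-reads when length exceeds the real payload
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed + b"\x00" * MIN_PADDING


def respond_checked(record: bytes) -> Optional[bytes]:
    """Patched behaviour: validate the length against the record before touching the
    payload. Returns None when the message is discarded."""
    if len(record) < 3:
        return None
    hb_type, length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # type + length field + claimed payload + minimum padding must fit in the record
    if 1 + 2 + length + MIN_PADDING > len(record):
        return None
    payload = record[3:3 + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(record: bytes, memory_after_record: bytes) -> bytes:
    """The part of an unchecked response that did not come from the record itself."""
    response = respond_unchecked(record, memory_after_record)
    echoed = response[3:-MIN_PADDING]      # strip the 3-byte header and the padding
    return echoed[len(record) - 3:]        # anything past the genuine payload+padding is a leak
```

Running the two responders against the same over-long request shows the difference: the unchecked one hands back the constructed secret that sat after the record, the checked one returns nothing at all, and a well-formed request is answered identically by both.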

And now we come to what at first glance may be the fluffiest of all these vulnerabilities - the POODLE Attack.  Basically, browsers have the ability to request a lower level of security from the server if the browser doesn't support the version the server prefers.  This is called a security renegotiation.  The POODLE Attack uses a recently discovered flaw in the now obsolete (and fast becoming deprecated) SSL 3.0 protocol, combined with a renegotiation attack that forces the server to drop from TLS 1.x to SSL 3.0.  The simple fix is to disable SSL 3.0 on all your web servers, however there are still some applications that use SSL 3.0 (again, speak with the vendor, expose them in social media and seriously question your continued trust in a vendor using 18-year-old technology that's been superseded 3 times).

To read more on the POODLE Attack and how to ensure you're doing everything you can to protect against it, have a read of https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/ and then go to https://www.poodlescan.com/ and https://www.ssllabs.com/ssltest/index.html to confirm your server mitigations have been invoked.  There's also a funky little tool from Nartac Software called IISCrypto that can help you properly configure your Windows IIS to mitigate against POODLE and other vulnerabilities.
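The online scanners above test a live server.  As an added example (not from this post, nor from any of the tools named above), the Python below does the equivalent check on a captured TLS ServerHello instead: it parses the record and handshake headers, reports which protocol version and cipher suite the server actually negotiated, and flags any SSL 3.0 negotiation as something that still needs the fix.  The small cipher-suite table, the helper names and the two constructed sample messages are assumptions for the illustration.

```python
import struct
from typing import Dict, Tuple

HANDSHAKE = 22          # TLS record content type for handshake messages
SERVER_HELLO = 2        # handshake message type

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# A few cipher suite IDs from the IANA registry (not exhaustive). The bool marks CBC-mode
# suites, the ones whose SSL 3.0 padding handling POODLE abuses; a non-CBC suite does not
# make SSL 3.0 acceptable, it just changes which problem you have.
CIPHER_SUITES: Dict[int, Tuple[str, bool]] = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", False),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", True),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", True),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", False),
}


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello; return negotiated version and cipher suite."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ServerHello: version (2) + random (32) + session_id length (1) + session_id
    #              + cipher_suite (2) + compression (1) [+ extensions]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    major, minor = hello[0], hello[1]
    sid_len = hello[34]
    suite_offset = 35 + sid_len
    if suite_offset + 2 > len(hello):
        raise ValueError("truncated ServerHello")
    suite = int.from_bytes(hello[suite_offset:suite_offset + 2], "big")
    name, cbc = CIPHER_SUITES.get(suite, ("unknown(0x%04x)" % suite, False))
    return {
        "record_version": VERSIONS.get((rec_major, rec_minor), "unknown"),
        "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
        "cipher_suite": name,
        "cbc": cbc,
    }


def needs_poodle_mitigation(record: bytes) -> bool:
    """True when the server negotiated SSL 3.0 at all: the fix is to disable the protocol."""
    return parse_server_hello(record)["version"] == "SSL 3.0"


def build_server_hello(major: int, minor: int, suite: int) -> bytes:
    """Constructed ServerHello (zero random, empty session id, null compression) for testing."""
    hello = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", HANDSHAKE, major, minor, len(handshake)) + handshake


# Constructed captures: a server that fell back to SSL 3.0 with a CBC suite, and a TLS 1.2 one
SSLV3_CAPTURE = build_server_hello(3, 0, 0x002F)
TLS12_CAPTURE = build_server_hello(3, 3, 0xC02F)

if __name__ == "__main__":
    for label, capture in (("sslv3", SSLV3_CAPTURE), ("tls12", TLS12_CAPTURE)):
        print(label, parse_server_hello(capture), "mitigation needed:", needs_poodle_mitigation(capture))
```

The same parser applied to real ServerHello bytes pulled out of a packet capture tells you what a client actually got from your server after a forced fallback, which is a useful cross-check when a scanner and a vendor disagree.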

The table below lists the earliest version of the products that have mitigated the POODLE Attack:

Product | Earliest version with POODLE mitigated
Apple iOS | iOS 8.1
Apple OS-X | OS-X Security Update 2014-005 (Mavericks & Mountain Lion)
Google Android | Chrome - still waiting
Google Android | Samsung Browser - still waiting
Google Chrome | Version 39
Microsoft Windows | Temporary Fix it released, also shows Group Policy fix
Mozilla Firefox | Version 34

If you want to see if your client (browser) is susceptible to the POODLE Attack, go to https://www.poodletest.com/.  If your browser is vulnerable, don't trust it to keep your data secure.


Regards,

The Outspoken Wookie

Monday, November 10, 2014

Azure Needs To Be Introduced To 2012

I'd *REALLY* like to know how, if Microsoft is pumping so much time and energy into Azure, it cannot handle the VHDX format, let alone Generation 2 Virtual Machines from Hyper-V 2012?  I mean, we're now in 2014 and have the Windows Server 10 Technical Preview available to us and Microsoft still can't handle .VHDX files in their Azure virtual machines!

This is slack.  Really slack.  It means that even though we who use on-premises Hyper-V Servers can use the current Microsoft technologies for all of our current-release guests, we cannot do it using their Azure platform.  It means that we cannot even upload our virtual machines nor use SCVMM and replicate our Gen 2 VMs into Azure.

Come on Microsoft - bring the Azure infrastructure up to your current generation before you get severely left behind yourself! :(

Regards,

The Outspoken Wookie

Wednesday, November 05, 2014

Medical Woo-Woo Shits Me

Anyone who knows me knows that I'm not a fan of medical woo-woo.  So, to help people understand what these quasi-medical woo-woo terms mean, here's a Patient's Guide to Magical Medicine.

And in case someone is looking for the other common term for these practices, it is "SCAM" as in Supplements, Complementary and Alternative Medicine.

Regards,

The Outspoken Wookie

Tuesday, October 07, 2014

Windows 8.x Wireless Networking Issues

One of the more useful features of Windows 7 that has been completely removed from Windows 8.x for no apparently decent reason is the "Manage Wireless Networks" Control Panel applet.  It provided you with a wealth of knowledge and gave you the ability to, as its name suggests, manage wireless networks.

So, with the demise of this useful feature, along came the Kerkia group with their WinFi application to return the functionality of this tool in a nice, usable interface.  It allows you to re-order, delete, import and export network profiles and it also allows you to change a network profile between Current User and All Users.  All User profiles will connect before any user has logged in to the computer.

In addition to this, there are some "netsh" commands you may well find useful if you like doing things via the command-line:



Showing Wireless Profiles

 netsh wlan show profile

- output will be something like:

Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
None
User profiles
-------------
All User Profile : SSID1
All User Profile : SSID2
Current User Profile : SSID3




Deleting Wireless Profiles

netsh wlan delete profile SSID2

- output will be something like:

 Profile "SSID2" is deleted from interface "Wi-Fi".



Exporting Wireless Profiles

To back up all Wireless Profiles
netsh wlan export profile folder="%UserProfile%\Desktop"

To back up all Wireless Profiles on a particular interface
netsh wlan export profile interface="interface name" folder="%UserProfile%\Desktop"

To back up a specific Wireless Profile on all interfaces
netsh wlan export profile "profile name" folder="%UserProfile%\Desktop"

To back up a specific Wireless Profile on a specific interface
netsh wlan export profile "profile name" interface="interface name" folder="%UserProfile%\Desktop"


Note:
  • Substitute profile name (SSID) in the command with the actual SSID network profile name that you want to export as a backup.
  • Substitute interface name in the command with the actual name of the interface that the wireless network is on that you want to export as a backup.
  • If you want to back up the Wireless Key (password), add "key=clear" after the profile "profile name" section in each of the above commands (needs administrator rights)
For example:
netsh wlan export profile "SSID1" interface="Wi-Fi" folder="%UserProfile%\Desktop"



Restoring Wireless Profiles

To restore a Wireless Profile for the Current User only
netsh wlan add profile filename="\path\to\file.xml" user=current

To restore a Wireless Profile for All Users
netsh wlan add profile filename="\path\to\file.xml" user=all
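The exported file is plain XML and, with key=clear, it carries the passphrase exactly as typed, so it is worth knowing what a backup contains before it gets copied around or e-mailed to someone.  The Python below is an added example, not from this post or from Microsoft: it reads an exported profile, reports the SSID, connection mode and authentication/encryption settings, flags whether the key material is stored in the clear (protected is "false") or as the machine-bound encrypted blob you get without key=clear (protected is "true"), and can strip a clear-text key before the file is shared.  The two sample profiles are constructed for the example (the encrypted blob is a placeholder) and follow the element layout and namespace that netsh writes.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
NS = {"w": WLAN_NS}
ET.register_namespace("", WLAN_NS)  # keep the default namespace when writing a profile back out

# Constructed sample: what "netsh wlan export profile ... key=clear" produces for a WPA2-PSK network
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>SSID1</name>
  <SSIDConfig><SSID><name>SSID1</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>correct horse battery staple</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"""

# Same network exported without key=clear: the key is an encrypted, machine-bound blob
# (the value below is a placeholder, not a real blob)
PROTECTED_PROFILE = SAMPLE_PROFILE.replace(
    "<protected>false</protected>", "<protected>true</protected>"
).replace("correct horse battery staple", "0100000000ENCRYPTEDBLOBPLACEHOLDER")


def _text(root: ET.Element, path: str) -> Optional[str]:
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def summarize_profile(xml_text: str) -> Dict[str, object]:
    """Report what an exported profile contains, in particular whether the key is readable."""
    root = ET.fromstring(xml_text)
    key_el = root.find("w:MSM/w:security/w:sharedKey/w:keyMaterial", NS)
    key_present = key_el is not None and bool(key_el.text)
    protected = _text(root, "w:MSM/w:security/w:sharedKey/w:protected")
    return {
        "ssid": _text(root, "w:SSIDConfig/w:SSID/w:name"),
        "connection_mode": _text(root, "w:connectionMode"),
        "authentication": _text(root, "w:MSM/w:security/w:authEncryption/w:authentication"),
        "encryption": _text(root, "w:MSM/w:security/w:authEncryption/w:encryption"),
        "key_present": key_present,
        # protected=false: passphrase stored as typed; protected=true: encrypted, usable only on the exporting machine
        "key_in_clear": key_present and protected == "false",
    }


def redact_key_material(xml_text: str) -> str:
    """Return the profile with any clear-text key removed, so the settings can be shared without the passphrase."""
    root = ET.fromstring(xml_text)
    shared = root.find("w:MSM/w:security/w:sharedKey", NS)
    if shared is not None and _text(root, "w:MSM/w:security/w:sharedKey/w:protected") == "false":
        key_el = shared.find("w:keyMaterial", NS)
        if key_el is not None:
            key_el.text = ""
    return ET.tostring(root, encoding="unicode")
```

Pointing summarize_profile at every XML file in the backup folder gives a quick inventory of which profiles carry a readable passphrase; a redacted copy still imports with "netsh wlan add profile" but will prompt for the key on first connection.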


Regards,

The Outspoken Wookie

Thursday, September 11, 2014

Microsoft's Broken Store Upgrade to 8.1

After spending well over 8 hours trying to work through this issue, including a reasonable amount of Google searching, it seems to me that Microsoft has royally fucked up the Microsoft Store Windows 8.1 Upgrade for Windows 8.0 users.  And now, I'll explain it in a little more depth...

For anyone who needs/wants to reinstall their Windows 8 (RTM), then activate with their license key, then install the updates needed (KB2871389 and KB2917499) to get the Windows 8.1 upgrade from the Microsoft Store and upgrade to Windows 8.1, you're in for a bit of a shock if you need to run applications that need the .NET Framework 3.5 (or 3.0 or 2.0) Feature that's normally installable via either the Control Panel or a particular invocation of the DISM command.

If you try and install via Windows Update, you'll be presented with the following error message:

Windows couldn't connect to the Internet to download necessary files. Error code: 0x800F0906 (which, of course, is bullshit if you've got a functional Internet connection - this is an erroneous error message)

If instead you try the DISM way, you'll see either the above error code or the following:

0x800F081F: The changes could not be completed.

The reason for this, it seems, is that downloading the Windows 8.1 Upgrade from the Microsoft Store gives you the latest slipstreamed install of Windows 8.1 with almost all current Updates and HotFixes.  Normally that would be great, as it means you don't need to perform a boatload of updates after installing the Windows 8.1 Upgrade.  The catch is that Microsoft seems to have included HotFixes KB2966826 and KB2966828 in the slipstreamed Upgrade (see: http://answers.microsoft.com/en-us/windows/forum/windows8_1-winapps/cant-enable-or-install-net-framework-35-in-windows/2f221b25-8d17-421f-8c37-1fed61649b4f), and these are .NET 3.5 updates.  Until you uninstall them (which you cannot do if you've installed the 8.1 Upgrade from the Microsoft Store) you are what's known in the trade as SOL if you want to install .NET 3.5 (including 3.0 and 2.0) in a newly installed Win 8.0/8.1 from the Store.


As mentioned in that answers.microsoft.com thread, if these have been installed as part of the regular Microsoft Update regime before .NET 3.5 is even installed, it is a simple enough task to uninstall them, install .NET 3.5 and then reinstall these updates.  This is not the case with the slipstreamed Windows 8.1 Upgrade from the Microsoft Store as these updates seem to have been slipstreamed into the installer, meaning that they don't show as updates that can be uninstalled, therefore they can't be uninstalled, therefore you CANNOT install .NET 3.5 on this system - that leaves a lot of software that won't install nor run properly.

Out of interest, this thread also details issues with these updates - so it isn't just on Microsoft's own site that this issue has been discussed.

I have found - as expected - that even if you install .Net 3.5 in Windows 8.0 before performing the Microsoft Store upgrade to Windows 8.1, Windows 8.1 is installed with .Net 3.5 uninstalled.  As I said, I expected this behaviour and would have been rather surprised if this had actually worked.

It seems to me that the easiest fix for this is to re-release both of these HotFixes with better pre-requisite detection and also rebuild the Microsoft Store upgrade image so that these two HotFixes are not included, or alternatively, fix the Windows Update site so that if a Windows 8.1 system with these updates already installed, but .Net 3.5 not yet installed, goes out looking for the .Net 3.5 installation files, it provides a working set of files that will install the .Net 3.5 Feature.


Until then, good luck if you need to get the .Net 3.5 Feature installed on a Windows 8.1 system recently upgraded from Windows 8.0 through the Microsoft Store.

Regards,

The Outspoken Wookie

Friday, August 15, 2014

Companyweb on SBS 2003 stopping

We've all had those sites where, for some reason, Companyweb just stops, needs restarting then runs fine for a while and then stops again.  Gotta love it...

Well, I have a site we're in the process of migrating from SBS 2003 to Essentials 2012 R2 + Office 365 where this started happening a few days ago, so I decided to sort out a scheduled script to take care of this for me.

@Echo Off
REM Run from the script's own folder so the relative default.aspx path is predictable
REM regardless of the working directory the scheduled task starts in
cd /d "%~dp0"
if exist default.aspx del default.aspx

REM Fetch the Companyweb home page with the site credentials. This is plain http, so the
REM basic-auth credentials cross the wire in the clear and sit in this file - keep the
REM file's ACL tight and use a dedicated low-privilege account rather than administrator.
"C:\Program Files\GnuWin32\bin\wget.exe" --user=administrator --password="Seriously, you think I'd post that on my blog?" --timeout=30 --tries=1 http://CompanyWeb/default.aspx

REM find sets ERRORLEVEL 1 when the string is absent and 2 when the file never arrived
find /C "SharePoint Team Web Site" default.aspx

REM IF ERRORLEVEL 1 is true for 1 or greater, so either failure restarts the site
IF ERRORLEVEL 1 cscript C:\WINDOWS\system32\iisweb.vbs /start companyweb

I'm running this script every 5 minutes which places bugger all extra load on the server, but means that it isn't long after the Companyweb site stops that it is restarted.

Oh, and run it as "nt authority\system" so it doesn't pop up a command prompt window on the user's desktop (ie, the administrator's desktop).

Regards,

The Outspoken Wookie

Wednesday, July 30, 2014

APNs

OK, so I'm sick and tired of visiting various sites to find the APNs for the various 3G/4G providers our clients use at work and at home, so here's my own list...


Provider | 3G/4G | APN | Account type | Comments | URL
Aldi Mobile | 3G | mdata.net.au | Personal | No business use - see 1.4.1.d here. | Aldi Mobile
Amaysim | 3G | internet | | | Amaysim
ApexN | 3G | | | Optus based plans | ApexN
Bigpond | 3G/4G | telstra.bigpond | | Username and password required |
BoostMobile | 3G | telstra.internet | | Mainly personal use - see 1.1 here. | BoostMobile
Exetel | 3G | exetel1 | Premium | Older Optus-based plans |
Exetel | 3G | connect | Standard | Newer Optus-based plans |
Exetel | 4G | yesinternet | | New Optus 4G plans |
Internode | 3G | internode | | |
Optus | 3G | internet | | Best option | Optus
Optus | 3G | yesinternet | | Use if "internet" doesn't work | Optus
Optus | 4G | yesinternet | | | Optus
Pacnet | 3G | internet | Static IP | Optus infrastructure | Pacnet
Pacnet | 3G | pacnet | Static IP | Optus infrastructure | Pacnet
Telstra | 3G/4G | telstra.internet | Business account | This is the Telstra 10. private NATted network. Code is "GPTCOMB3". |
Telstra | 3G/4G | telstra.iph | Any account type | This is their "iPhone" APN. Call and ask for the "GPDWLES3" code to be added to your account. | Whirlpool
Telstra | 3G/4G | telstra.extranet | Business account (10 digits) | This gives you a real, usable dynamic IP. Call and ask for the "GPTEXB3" code to be added to your account. |
Telstra | 3G/4G | telstra.corp | Business account (10 digits) | This is for Telstra Wireless IP WAN users. Call and ask for the "GPCORPB3" code to be added to your account. |
Vodafone | 3G/4G | live.vodafone.com | | This is NATted on the 10.0.0.0/8 network | Vodafone
Vodafone | 3G/4G | vfinternet.au | | This gives you a real, usable dynamic IP.  Or so it appears.  But it is NATted through 10.64.64.64 still.  Ggrrrr... |
Voicetalk | 3G | splns357 | | Try getting any sense out of VoiceTalk! |

There are some other sites out there with useful collections of APN configuration information:
Whirlpool APN - Access Point Name


Regards,

The Outspoken Wookie

Friday, July 18, 2014

Samsung Galaxy Note 2 Factory Mode

OK, after trying everything I could find on the 'Net (unsuccessfully, obviously) I decided to do one final search before buying a new handset and came across http://www.444android.com/showthread.php?p=86539 which is the only thing I found that worked - my Samsung Galaxy Note 2 no longer continually boots into factory mode, which means that it is no longer as useful as an 80.5 x 151.1 x 9.4 mm, 182.5g brick!

Having then found this, I followed another too many hours and too many links to eventually get the LiquidSmooth 4.4.4 ROM installed (basically involving needing to use the TWRP Recovery environment to reset permissions and reformat the entire device (http://teamw.in/project/twrp2/115) and then the ClockworkMod recovery environment from https://www.clockworkmod.com/rommanager to load the LiquidSmooth 4.4.4 ROM (http://galaxynote2root.com/sprint-galaxy-note-2-roms/liquidsmooth-rom-for-galaxy-note-2-android-4-4-4/)), I found that the phone still had no signal at all.  It looks like the phone chip really has died.  Oh, well - here comes a Note 3! :)

Regards,

The Outspoken Wookie

Tuesday, June 24, 2014

Embedded "Security" with IPMI and UPnP

First, let me say that I've been outspoken about UPnP on gateway devices since UPnP was first released - it is simply a Bad Idea(TM).

Recently released information on an IPMI vulnerability involving UPnP on server motherboards has been published by Cari.net here.  Basically, it details how the BMC authentication details of almost 32,000 servers are available online, easily, in plain text - from the servers themselves.  Add to this the older Linux kernel versions some BMCs were running (any old version of any operating system will contain unpatched vulnerabilities that can be exploited for nefarious purposes) and you have a great recipe for easy and effective hacking of servers.

Not good.  Not good at all.

So, again, can I ask that people administering systems actually do their jobs properly and keep up to date with patches and updates and - particularly - disable vulnerable services from gateway devices and implement decent firewall rules to limit access to systems that are supposed to be protected behind these firewalls.


Regards,

The Outspoken Wookie

Wednesday, June 18, 2014

CPU Cores, NUMA Nodes and Performance Issues

I have a client who has been suffering from performance issues on a Remote Desktop Server guest that's running on a Hyper-V server.  I suppose some details may help here:

Original Configuration
Dell PowerEdge T410 Server
2 * Intel Xeon E5649 CPUs @ 2.53GHz
4 * 8GB 1333MHz DDR3 modules (32GB total)
Windows Server 2008 R2 Standard SP1 as the Hyper-V Host OS
 - Windows SBS 2011 (Server 2008 R2 SP1) as a Hyper-V Guest
 - Windows Server 2008 R2 SP1 (Remote Desktop and LOB Server) as a Hyper-V Guest

Current Configuration
Dell PowerEdge T410 Server
2 * Intel Xeon E5649 CPUs @ 2.53GHz
8 * 8GB 1333MHz DDR3 modules (64GB total)
Windows Server 2012 R2 Standard as the Hyper-V Host OS
 - Original Windows SBS 2011 (Server 2008 R2 SP1) as a Hyper-V Guest
 - Original Windows Server 2008 R2 SP1 as a Hyper-V Guest
 - New Windows SBS 2011 (Server 2008 R2 SP1) as a Hyper-V Guest (will replace original instance)
 - New Windows Server 2008 R2 SP1 (RDS) as a Hyper-V Guest (will replace original instance(1))
 - New Windows Server 2008 R2 SP1 (LOB) as a Hyper-V Guest
 - New Windows Server 2012 R2 (LOB) as a Hyper-V Guest

Now, we took this particular client over recently and they have been suffering various performance-related issues as well as LOB-related issues since the new system was installed (Aug-Sep, 2012). We'll just speak about the performance-related issues here...

This system has always been under-performing, sluggish and unstable. None of those are good things and we found a few causes for some of the issues, but realistically we felt the best result would be achieved by upgrading the RAM in the server and by rebuilding all the servers (software) and adding some more for application isolation purposes - we're not fans of doing what was originally done here (running LOB applications on an SBS 2011 box) or what was then tried as a fix (running LOB applications on a Remote Desktop Server). So, as Server 2012 R2 is the current Windows Server release, that's what we decided to run with - and also because its Hyper-V implementation gives us a lot more options such as live exports and much improved Hyper-V replication.

The one remaining major issue, after the RAM and Host OS upgrade, is still the sluggish performance of the original 2008 R2 RDS guest. It was topping its CPU out (in the guest) whilst barely using any host CPU resources (16%). Yes, the latest Hyper-V Integration Components are installed (for those wondering).

So, under the original Hyper-V Host (ie, 2008 R2), there were 4 Virtual Processors assigned to each guest, which is the maximum number of Virtual Processors that any guest can have under 2008 R2 Hyper-V.

Now, as this is a 2*6-core host (i.e. 12 real cores, or 24 Logical Processors including HyperThreading), we assigned 8 cores to the original RDS guest and 4 cores to the original SBS guest and moved on to other things such as building the new servers. Apparently, that wasn't all we needed to do - the SBS box was running fine using 16% of the host CPU resources, however the RDS box was CPU-starved.

After a fair bit of investigation, fiddling, Googling, asking questions of people such as Kyle Rosenthal from WindowsPCGuy and general head scratching, hair pulling and frustration (all-round, from both the client and ourselves) I found the issue earlier this afternoon.

But first, things that COULD well have been the issue, but weren't:

1. I thought I bumped the CPU count up but hadn't
2. The host was actually flat-lining its CPU
3. I needed to install the latest Hyper-V Integration components
4. I needed to reinstall the latest Hyper-V Integration components over the top of the existing (latest) components (yet to find a way to actually achieve this)
5. I needed to uninstall and reinstall the latest components (again, yet to find a way to uninstall them)
6. I needed to drop the number of assigned logical processors from 8 back to 4, reboot, then bump from 4 to 8 and reboot again
7. I needed to drop back to a single logical processor, reboot, then up to 8 and reboot again

And now what I found to be the actual issue: "msconfig" seems to have been run in that 2008 R2 RDS virtual guest and then under Boot/Advanced, the # processors was limited to 4. I first thought about something like this after seeing that Device Manager showed all 8 virtual processors, but Task Manager/Perfmon only showed 4. So I had a look in "msconfig" and lo and behold - there was a limit of 4 CPUs set. I unchecked this option, rebooted and amazingly (well, OK, not really), all 8 CPUs were showing.

So, for good measure, I increased this to 12 virtual processors, rebooted again, and all 12 were showing in Task Manager. WOOHOO!!!

Once you go past 12 virtual processors (in this dual 6-core server), NUMA comes into play. NUMA (Non-Uniform Memory Access) is a way of allowing a processor (in hardware) or a virtual machine (in software) to access local memory faster than remote memory - in hardware, "remote" memory counts as memory connected directly to the bus of a different physical CPU. Now, NUMA not only comes into play when you start adding a large number of cores to a virtual guest, but also when you add more RAM than is physically available on one CPU to a guest - you get an approximately 20% performance hit when crossing a NUMA boundary. Because of this performance hit, you can actually get a performance reduction by adding too many logical processors and/or too much RAM to a virtual guest.

Microsoft has some information on NUMA that states (basically) the maximum memory in a NUMA node is the amount of physical RAM divided by the number of logical processors. That information seems to be rather outdated when you use current multi-core CPUs. If you're looking for some more updated information regarding NUMA node boundaries, I strongly suggest having a read of the article on Aidan Finn's blog found at http://www.aidanfinn.com/?p=11945 which refers to this blog post
http://www.benjaminathawes.com/2011/11/09/determining-numa-node-boundaries-for-modern-cpus/
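Two of the checks in this post lend themselves to a script: whether a boot-time processor limit has been left behind in the guest (the "Number of processors" box in msconfig's Boot/Advanced options writes the numproc element into the BCD store, which "bcdedit /enum" lists), and whether a proposed vCPU/RAM allocation stays inside one NUMA node of this particular host.  The Python below is an added example, not from this post, from Microsoft or from the blogs linked above.  It works on a constructed bcdedit listing rather than a live system, the host figures are the ones given in the post, and the one-node-per-socket assumption with memory split evenly across sockets is mine, not something the post states.

```python
import math
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "bcdedit /enum {current}" output from a guest where msconfig
# has limited the number of processors to 4
BCD_LISTING = """
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows Server 2008 R2
locale                  en-US
osdevice                partition=C:
systemroot              \\Windows
numproc                 4
"""


def bcd_processor_limit(listing: str) -> Optional[int]:
    """Return the numproc value from a bcdedit listing, or None when no limit is set."""
    match = re.search(r"^\s*numproc\s+(\d+)\s*$", listing, re.MULTILINE)
    return int(match.group(1)) if match else None


def hidden_cpu_limit(listing: str, vcpus_assigned: int) -> bool:
    """True when the BCD limit is lower than what the hypervisor presents: the post's
    symptom, where Device Manager shows every vCPU but Task Manager only the limited count."""
    limit = bcd_processor_limit(listing)
    return limit is not None and limit < vcpus_assigned


@dataclass(frozen=True)
class Host:
    sockets: int
    cores_per_socket: int
    hyperthreading: bool
    ram_gb: int

    @property
    def logical_per_node(self) -> int:
        # assumption: one NUMA node per socket
        return self.cores_per_socket * (2 if self.hyperthreading else 1)

    @property
    def ram_per_node_gb(self) -> float:
        # assumption: DIMMs populated evenly across the sockets
        return self.ram_gb / self.sockets


# The post's server: 2 x 6-core E5649 with HyperThreading, 64GB after the RAM upgrade
T410 = Host(sockets=2, cores_per_socket=6, hyperthreading=True, ram_gb=64)


def numa_nodes_spanned(host: Host, vcpus: int, guest_ram_gb: float) -> int:
    """How many NUMA nodes a guest of this size must touch on the given host."""
    by_cpu = math.ceil(vcpus / host.logical_per_node)
    by_ram = math.ceil(guest_ram_gb / host.ram_per_node_gb)
    return max(by_cpu, by_ram)


def fits_in_one_node(host: Host, vcpus: int, guest_ram_gb: float) -> bool:
    """True when neither the vCPU count nor the RAM forces the guest across a node boundary."""
    return numa_nodes_spanned(host, vcpus, guest_ram_gb) == 1


if __name__ == "__main__":
    print("BCD processor limit:", bcd_processor_limit(BCD_LISTING))
    print("limit hides assigned vCPUs (8 assigned):", hidden_cpu_limit(BCD_LISTING, 8))
    for vcpus, ram in ((12, 16), (13, 16), (8, 48)):
        print(vcpus, "vCPUs /", ram, "GB fits one node:", fits_in_one_node(T410, vcpus, ram))
```

On the post's host, 12 vCPUs with 16GB fits a single node, while a 13th vCPU or a 48GB allocation on a 64GB box does not; the BCD check is the one that would have short-cut the seven dead ends listed above.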

Regards,

The Outspoken Wookie

Firewall with Hyper-V Synthetic NIC Support

I've been looking for a while to try and find an Open Source firewall for use in a Hyper-V environment. There's a number out there that will install and work, however trying to find a product with support for the Hyper-V Synthetic NICs instead of just the slower Legacy NICs has been... well... tedious.

I've looked at IPFire before - mainly as it was originally a fork of the IPCop project which is a fork of the SmoothWall project that I was on the development team of for some time. I was re-introduced to IPFire recently on a site visit to try and see if we could find causes for ADSL speed issues and then again at a friend's place last week who was running it in his home office.

So, on a whim, I thought I'd give it another go and see if it supported the Hyper-V Synthetic NICs on Hyper-V 2012 R2 and, well, kinda. During the installation, both the legacy NICs I added to the Hyper-V Guest were detected as was the default installed Synthetic NIC I'd not removed. So, I stopped the install, removed the Legacy NICs, added another Synthetic NIC and restarted the install. During installation, I chose the appropriate NIC for Green and Red, and off we went.

The first boot was great - the IPFire VM came up NICs blazing. :) I fiddled with the web interface a bit then rebooted. That's when it started to look like things weren't quite as I'd hoped - during the boot, I received an error message stating that "Interface green0 doesn't exist", however red0 worked fine. I re-ran "setup" and re-assigned the NICs and rebooted and this time "Interface red0 doesn't exist" was reported. Hhmmm...

So it seemed that Hyper-V Synthetic NICs were kinda supported. I had a look to see if the modules were being loaded properly and noticed a distinct lack of Hyper-V modules in /etc/sysconfig/modules. After a little Googling, I found the following information on the IPFire Install Guide:

Hyper-V
IPFire includes the modules required to work properly in a Hyper-V environment, but those modules are not enabled by default. To enable those modules, add the following four lines to the file /etc/sysconfig/modules and reboot:
hv_blkvsc
hv_netvsc
hv_storvsc
hv_vmbus

So, after adding these modules and rebooting a few times to test, all seems fine and IPFire is running with Hyper-V Synthetic NICs. :)

Now, for the speed testing results. I ran this test using 35.0GB of data consisting of some .iso files of around 4GB and also 7.8GB of smaller files of varying sizes (ie, extracted Windows Server 2012 R2 Standard and Windows Server 2012 R2 Essentials ISOs) with the following results.

Test 1 - Legacy NICs, across a 1GbE L3 switch from a physical server's USB-attached drive to this 2012 R2 Hyper-V Guest on a RAID-5 SSD Array on a 2012 R2 Standard server running Hyper-V

Test 2- Synthetic NICs, across a 1GbE L3 switch from a physical server's USB-attached drive to this 2012 R2 Hyper-V Guest on a RAID-5 SSD Array on a 2012 R2 Standard server running Hyper-V

Test 3- Synthetic NICs, across a 1GbE L3 switch from a physical server's SAS RAID-5 HDD Array to this 2012 R2 Hyper-V Guest on a RAID-5 SSD Array on a 2012 R2 Standard server running Hyper-V

Results:

Scenario | NIC Type | Source | Speed | Comments
Test 1 | Legacy | Remote USB2 | 0.113GB/min | Yes, Legacy NICs are as slow as this!
Test 2 | Synthetic | Remote USB2 | 1.62GB/minute | This is about the speed expected from USB2
Test 3 | Synthetic | Remote SAS Array | 4.32GB/minute | This is much more bearable!

So, it shows that the implementation of the Hyper-V Synthetic NIC drivers in IPFire definitely lives up to expectations and provides much better performance than the old Legacy NICs can ever dream of.


Regards,

The Outspoken Wookie

Internet and WAN Connectivity - WTF are all these terms?

As we are all aware, the ICT (Information and Communication Technology) industry seems to exist solely to create new TLAs (Three Letter Acronyms) and ETLAs (Extended Three Letter Acronyms) and one of the most confusing places that these TLAs and ETLAs are used and abused is relating to networking in general and more specifically to Internet and WAN (Wide Area Network) connectivity. So, I'll make an attempt here to help and clarify this a bit...

There are many ways to break Internet and WAN connectivity down, however there are two main types of Internet connection available today – asynchronous and synchronous. ADSL (Asynchronous Digital Subscriber Line), ADSL2 and ADSL2+ are all asynchronous connections – they have a faster download (inbound) speed than upload (outbound) speed. ADSL speeds are generally available up to 8192Kbps down and 384Kbps up and ADSL2+ speeds are generally available up to 24Mbps down and 1.2Mbps up. There’s also an ADSL2+ Annex M standard that is available in maximum speeds of around 20Mbps down and 3.2Mbps up. All these speeds are "best case" and basically will only be achieved if you are located in a building next to a telephone exchange, with these speeds dropping off as the distance from the exchange increases.

A business grade ADSL2+ service with 200GB or so of data is likely to cost in the vicinity of $100-$150 per month.

ADSL and ADSL2+ connections can also be configured to sacrifice a lot more of their download speed for increased upload speed, hence the availability of ADSL connections at 0.5Mbps/0.5Mbps and ADSL 2+ connections at 2Mbps/2Mbps. As you can see, these speeds are now synchronous, yet still delivered over one form of ADSL connection - way to help keep things clear...

Synchronous connections are delivered in 2 main formats – over copper or over fiber. Fiber connections can go faster (up to 1Gbps and higher), but the installation costs can be in the region of $5000. Synchronous connections over copper are generally available up to 40Mbps and are often referred to as “Ethernet in the First Mile” (EFM), “Ethernet Over Copper” (EOC) and “Mid-Band Ethernet” (MBE) and these terms are, to all intents and purposes, interchangeable.  Installation costs on an EOC connection are in the region of $1200.

A 10Mbps EOC connection with 200GB or so of data is likely to cost in the vicinity of $250-$500 per month, and on Fiber this will likely cost around $500-$750 per month depending on the service provider and the distance from the exchange.

Historically, asynchronous connections were more than acceptable for most individuals and businesses as most of the time people were *downloading* things like files and web pages from the Internet and rarely *uploading* information, but as time has progressed this has become more the exception than the norm for many businesses as they are using online storage for documents, photos and so on, online email and groupware servers and connections between multiple offices. This is where synchronous connections have become more popular for businesses.

The National Broadband Network (NBN) here in Australia is a bit of an odd one out. It is an asynchronous connection, but delivered at speeds of up to 100Mbps down and 40Mbps up – so it delivers very decent outbound speeds, with even faster inbound speeds. Of course, this is for those lucky enough to have had this rolled out before the Federal Liberal/National Party decided that high speed Internet was too scary - people get easy access to educational material - and destroyed Australia's chance at decent Internet speeds.

A 100/40Mbps NBN connection with 200GB or so of data is likely to cost in the vicinity of $120-$170 per month, depending on the service provider and extras included in the plan.

Now, just because you have an ADSL2+ or EOC connection doesn't necessarily mean it is connected directly to the Internet. Many larger, geographically diverse businesses will have an ADSL2+, Fiber or EOC tail connected to their multiple locations that are all brought back into their ISP's network and from there, connected to the Internet. This is the "WAN" part of the "Internet and WAN" in the article title. These sorts of connections are often referred to as an MPLS (Multi-Protocol Label Switching) Network, VPLS (Virtual Private LAN Service) Network or simply a Private Network.

Another way to interconnect multiple locations is across the Internet using a VPN (Virtual Private Network). This is where each site is connected directly to the Internet and across this Internet connection is run a secure pipe (the VPN) that connects the multiple sites. Types of VPN connection include EoIP (Ethernet over Internet Protocol), IPSEC (Internet Protocol Security), L2TP (Layer 2 Tunneling Protocol), PPTP (Point-To-Point Tunneling Protocol) and SSTP (Secure Sockets Tunneling Protocol).

Another term you may have heard is "Contention Ratio". What this means, basically, is the number of customers of a particular ISP (Internet Service Provider) who are sharing the bandwidth that you are paying for. So, if you see a 1:1 contention ratio, this means that the speed of the connection you are paying for is reserved for you into the ISP's core network. A contention ratio of 4:1 means that you're sharing that bandwidth into the ISP's core network with 3 other customers. Residential contention ratios are significantly higher than those for business customers, which is one of the reasons that residential connections are priced lower than business grade connections.

Finally, you may have heard the terms "Layer 2 Connection" or "Layer 3 Connection" which are a little more complex to explain as compared to the previous terms, however the simple way to look at it is a L3 Connection will have all traffic from the ISP's network sent to you at a single QoS (Quality of Service) level - you can't ask for inbound VoIP (Voice over Internet Protocol) to have higher priority than general web browsing, email, file downloading or anything else. A L2 Connection will allow you to have inbound traffic prioritized from the ISP to your network, so a large inbound email won't stomp on a VoIP call from a potential client. This may help explain why L2 Connections are often a little more expensive than a L3 Connection.

So, back to the big question - what do I want and when do I want it?

If your Internet requirements don't involve a lot of VoIP, video conferencing, Private Network, VPN or general outbound traffic, an ADSL2+ service will likely suit quite nicely. However, if you do utilise VoIP, VPNs to other sites or remote workers, video conferencing or have various cloud-based services such as hosted email, hosted file services or have a requirement for a better SLA (Service Level Agreement) than "we'll try to get it running again... sometime", some form of EoC or Fiber network connectivity (Internet or WAN) would likely be a better option.


Regards,

The Outspoken Wookie

Tuesday, June 17, 2014

pfSense in Hyper-V 2012 R2

As of May 2012, Microsoft has supported FreeBSD running as a guest on Hyper-V (see this article for more info).  That's nice as pfSense runs on a FreeBSD base, and if all was well in the world, the recently released pfSense 2.1 would have supported these new drivers.  If.

Unfortunately, pfSense 2.1 doesn't include the required drivers, so we're still stuck with Legacy NICs.  :(  Oh, well...

So, if you want to configure a pfSense Hyper-V 2012 R2 guest, you'll have to stick with the 100Mbps limitation of the Legacy NICs and a little bit of time synchronization funkiness due to the Hyper-V Host CPUs entering into low power mode and pfSense not handling this all that well, resulting in a number of "calcru: runtime went backwards" error messages.  :(

So, at this point in time pfSense 2.1 works adequately for a testing environment under Hyper-V, but I wouldn't recommend using it for a production environment.


  1. The latest pfSense is available from: http://mirror.optus.net/pub/pfSense/downloads/ - choose the LiveCD-x.y-RELEASE-amd64.iso.gz or LiveCD-x.y-RELEASE-i386.iso.gz file, check its checksum after downloading, and extract the ISO image
  2. Create a Gen 1 Hyper-V Guest with one CPU, 512MB RAM, 2 * Legacy NICs (and no Synthetic/native ones) and disable the Time Synchronization option.  Make a 5GB or so fixed VHDX file and assign the ISO as the DVD.  Boot away
  3. After the LiveCD boots and the two NICs (de0 and de1) have been assigned, you have the option to install to HDD - take this option and remove the ISO after the install and before the reboot happens
  4. Ensure the IPs of the two interfaces are configured appropriately.  I configured de0 to connect to the physical interface and de1 to connect to a Private Network for the guests inside the pfSense firewall.  Check that you can ping 8.8.8.8 from the console.
  5. Configure a guest on the Private Network, check it can ping 8.8.8.8 and www.google.com
  6. Hit the pfSense web page from inside the network and configure any options you need.
  7. On the pfSense console, you may need to type the following to ensure the NICs are restarted properly.  This used to be a significant issue with earlier pfSense releases, however it seems to have been fixed in 2.1 - YMMV:
    echo "ifconfig de0 down" >> /etc/rc.local
    echo "ifconfig de0 up" >> /etc/rc.local
    echo "ifconfig de1 down" >> /etc/rc.local
    echo "ifconfig de1 up" >> /etc/rc.local
  8. To try and help a little with the time sync issues, you will likely also need to type:
    echo "kern.timecounter.hardware=TSC" >> /etc/sysctl.conf
  9. That's pretty much it.  You'll have a somewhat functional pfSense Hyper-V guest.  It would be nice if the pfSense team had incorporated the Hyper-V drivers - let's hope they actually do this for pfSense 2.2.
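Both the IPFire modules step in the previous post and pfSense steps 7 and 8 append lines with "echo >>", which stacks duplicate entries every time the command is re-run. The script below is an added example, not code from the post or from either project: a POSIX sh helper that appends a line only when it is not already present, applied to both sets of lines. File paths are parameters so it can be tried on scratch files first; the real /etc paths are assumed from the posts.

```shell
#!/bin/sh
# Added example, not code from the post: append config lines only when they
# are not already present, so re-running the IPFire module step or the
# pfSense console steps does not stack duplicate entries. Runs on FreeBSD
# /bin/sh and on Linux sh; file paths are parameters so it can be tried on
# scratch files before touching the real /etc files.

# append_once FILE LINE: append LINE to FILE unless an identical line exists.
# Returns 0 if added, 1 if it was already there.
append_once() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_line FILE LINE: number of exact copies of LINE in FILE (0 if none).
count_line() {
    grep -cxF -- "$2" "$1" || true
}

# configure_ipfire_hv_modules MODULES_FILE
# The four Hyper-V modules named in the IPFire install guide, one entry each.
configure_ipfire_hv_modules() {
    for mod in hv_blkvsc hv_netvsc hv_storvsc hv_vmbus; do
        append_once "$1" "$mod" || true
    done
}

# configure_pfsense_nics RC_LOCAL SYSCTL_CONF
# Steps 7 and 8 from the post. Note that /etc/sysctl.conf takes bare
# name=value lines, so no "sysctl " prefix goes into that file.
configure_pfsense_nics() {
    for nic in de0 de1; do
        append_once "$1" "ifconfig $nic down" || true
        append_once "$1" "ifconfig $nic up" || true
    done
    append_once "$2" "kern.timecounter.hardware=TSC" || true
}

# Real use (as root on the guest):
#   configure_ipfire_hv_modules /etc/sysconfig/modules      # IPFire
#   configure_pfsense_nics /etc/rc.local /etc/sysctl.conf   # pfSense
```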


Regards,

The Outspoken Wookie

Saturday, April 19, 2014

Jesus never said "Fiddle with the little children"

It seems to me that in this time of retrospection for the church (it is the Easter period for the christian church, which was, admittedly, like much of their religion, borrowed from pagan and other traditions that existed before christianity did - after all, Easter was not celebrated until the catholic church, around 155AD, decided to take on the Asherah celebrations as their Easter celebrations) that maybe, just maybe, they could take a look at how they behave - from an outsider's perspective - and learn a thing or two.

Now, not only is the catholic church suffering because of its institutionalized support for pederast priests and ensuring victims of the church are unable to claim compensation, but here in Australia, the Salvation Army is being brought under the spotlight thanks to the Royal Commission into Institutional Responses to Child Abuse.  We've had Commissioner James Condon (then a Captain) make the claim that he and Lt Colonel James Haggar (then Major (from memory)) went to the police to report Haggar's sexual abuse of an 8 year old girl in 1989, however the Police have no records that this report was made - they have no records of questions to the Salvation Army officers, nor to the family of the girl in question, nor to the victim herself.

And to add insult to injury, it appears that Haggar's wife has sent a "personal Facebook email" to the woman (the Salvation Army's Captain Michelle White) who was the whistle blower on James Haggar, accusing her of causing "devastation and incredible pain to many innocent people" through her actions.  Poor Kerry Haggar seems unable to tell the difference between reporting a pedophile who is actively working as a minister and the damage this pedophile (and others like him) have done to the children they have raped.

Now, we've got Salvation Army Major Peter Farthing, who supported Haggar's application for a Blue Card in 2002 by not revealing the 1989 pedophilia incident.  This same guy, who counseled Haggar for 18 months after he was dismissed in 1990 for the sexual assault, has now claimed to The Royal Commission that he doesn't consider Haggar a pedophile.  Haggar was re-hired by the Salvation Army in 1993 as an Officer.  Of course, after he was hired Haggar and his wife continued to live in Salvation Army accommodation and Haggar worked in a hostel for adolescent boys.

That's right, apparently "fingering" an 8 year old girl (and the girl reported this happening another 2 times later on) is not considered pedophilia to the Salvation Army - at least not when the perpetrator was one of their own Officers.  How utterly revolting.

When will people wake up and realise that the way the church views its own moral stance is not the way that general society views it?  General society has a much higher moral stance than the church does today - and the church is supposed to be representing their god who is claimed to have created all things.  If this is how their god shows his love - by having his trusted representatives rape the children brought unto them - then that god is disgusting and unworthy of love, honor, respect or worship.

Have a read of the Australian, the Australian (again), the Daily Telegraph, the Daily Telegraph (again), SMH, SMH (again), Derryn Hinch and particularly Lewis Blayse (amongst others) for more information on how the Salvation Army is handling the situation arising from Royal Commission into Institutional Responses to Child Abuse.  It is far from good.

Regards,

The Outspoken Wookie