IPv6 With Comcast and pfSense

I want to start learning about IPv6 so I went back to using pfSense as my router. While my Airport Extreme worked with IPv6 it masked a lot of the nuts and bolts behind a simple interface. Good for 99% of the time and easy to get going, but not if I wanted to learn.

It was fairly straight-forward to get an IPv6 address. But once I got the address my browser tests were all failing. The desktop had a perfectly acceptable IP address using Comcast’s prefix and seemed fine. The light-bulb went off when I could ping ipv6.google.com from the WAN interface (using the ping widget in pfSense) but not from the LAN interface or my Mac desktop. Firewall! So the last step in this process is to set up a Firewall rule to allow all outgoing IPv6 traffic from my LAN interface. The complete process was as follows:

On your own:

Your ISP and cable modem will need to support native IPv6. Comcast seems to support it nationwide although there may be exceptions (Comcast seems to have moved their IPv6 documentation which used to be at www.comcast6.net). I think all DOCSIS 3 modems will support IPv6. My modem is a Motorola SB6121.

I did this with pfSense version 2.1.4-RELEASE (i386). (An update was released as I was working on this so this isn’t the latest version, but I didn’t want to change versions in the middle of my work. I did upgrade to 2.1.5 after enabling IPv6 and there weren’t any IPv6 issues.)

  1. In pfSense, go to the System -> Advanced -> Networking Tab and verify that “Allow IPv6” is enabled. (Mine already was, but I’m not sure of the default.)

    Screenshot showing IPv6 enabled
    Figure 1
  2. In pfSense, go to Interfaces -> WAN and select DHCP6 as the “IPv6 Configuration Type” (Figure 2).
    Screenshot showing DHCP6 enabled on WAN
    Figure 2

    The DHCP6 Client Configuration Panel will appear. Select 64 as the “DHCPv6 Prefix Delegation size” (Figure 3).

    Screenshot showing prefix delegation size
    Figure 3

    (If you run multiple subnets in your house or business Comcast seems to support a PD of 56 but I haven’t tested it.) Save the changes.

  3. In pfSense, go to Interfaces -> LAN and select “Track Interface” as the “IPv6 Configuration Type” (Figure 4).
    Screenshot showing LAN configuration
    Figure 4

    The “Track IPv6 Interface” section will appear. Select WAN as the “IPv6 Interface” and “0” as the “IPv6 Prefix ID” (Figure 5).

    Screenshot showing LAN configuration
    Figure 5

    Save the changes.

  4. In pfSense, go to Firewall -> Rules and create the following LAN rule (Figure 6).

    Screenshot showing the firewall rule
    Figure 6
  5. Reboot pfSense.
  6. Reboot clients if they already had IPv6 enabled, otherwise enable IPv6 on the clients.

After this I scored 10/10 on Test your IPv6, with the only issue being that my browsers prefer IPv4 over v6, but that’s not a pfSense issue. I could reach IPv6-only sites such as ipv6.google.com. Now it’s time to start going through other apps and see if they use IPv6. Have you enabled IPv6 yet?
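The troubleshooting described in this post (a valid address on the desktop, but no IPv6 traffic leaving the LAN) can be repeated from a client. The following is an added example, not part of the original post: the `ifconfig` sample is constructed using the 2001:db8::/32 documentation prefix, and the function names are hypothetical.

```python
import ipaddress
import re
import socket

# Constructed sample of macOS `ifconfig en0` output. 2001:db8::/32 is the
# documentation prefix, standing in for the ISP-delegated /64.
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet6 fe80::1234:56ff:fe78:9abc%en0 prefixlen 64 scopeid 0x4
\tinet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
\tinet6 2001:db8:1234:5600:1234:56ff:fe78:9abc prefixlen 64 autoconf
\tinet6 2001:db8:1234:5600:c5d1:22aa:9f01:7be3 prefixlen 64 autoconf temporary
"""

# Membership in 2000::/3 is tested directly because is_global is False for
# the documentation prefix used in the sample.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
INET6_RE = re.compile(r"inet6 ([0-9a-fA-F:]+)(?:%\w+)? prefixlen (\d+)")

def routable_v6(ifconfig_text):
    """Return global-unicast IPv6 interfaces (address plus prefix) found in the text."""
    found = [ipaddress.ip_interface(f"{a}/{p}") for a, p in INET6_RE.findall(ifconfig_text)]
    return [i for i in found if i.ip in GLOBAL_UNICAST]

def can_connect_v6(host="ipv6.google.com", port=80, timeout=5):
    """Attempt a TCP connection over IPv6 only; True if any address answers."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return False
    for *_, sockaddr in infos:
        try:
            with socket.create_connection(sockaddr[:2], timeout=timeout):
                return True
        except OSError:
            continue
    return False

def diagnose(addrs, reachable):
    """Map the two observations onto the step of the procedure to re-check."""
    if not addrs:
        return "no global IPv6 address: re-check WAN DHCP6 and LAN Track Interface"
    if not reachable:
        return "address assigned but no IPv6 egress: re-check the LAN firewall rule"
    return "IPv6 working"

if __name__ == "__main__":
    addrs = routable_v6(SAMPLE_IFCONFIG)  # replace with real `ifconfig` output
    print([str(a) for a in addrs], diagnose(addrs, can_connect_v6()))
```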

Synology DSM 5.0-4493 Update 4 Released

Support.

Synology has just released Update 4 for DSM 5. The update fixes OpenSSL and Kerberos security issues among other things. The last Synology security exploit to hit the news was based on old vulnerabilities. So while it’s a pain you should plan to patch as soon as it’s practical. I updated my DS212J, DS212+ and DS1511+ without a problem. And so far, no new errors have surfaced.

 

Google dominates top 10 apps, says ComScore

Google dominates top 10 apps, says ComScore.

This is another “duh” survey. Android dominates in pure market share for smartphones (over 85%). The real story here is that Facebook is number 1. Maybe not a shocker, but people do have to install it and set it up.

Other non-Google apps are Instagram (owned by Facebook), Apple Maps and Yahoo News. Apple Maps surprised me being tied for #10. With all the bad press and the fact that Apple only has about 22% of the market this was unexpected.

 

This is What’s Wrong With Security Reporting

Yahoo news picked up this story and it trended to the top (many others also carried it with the same sensationalization). While the meat of the story may have some good information (although not new information), the headline and conclusions are meant to draw clicks.

Headline:

Your Gmail App Is Shockingly Easy to Hack

In the first paragraph:

..allows them access to mobile Gmail accounts with a 92 percent success rate.

What’s wrong with this? Well, for one the “hack” requires downloading a malicious app to your Android phone. And that 92% success rate? Only among those that download the malicious app.

Yes, it would be nice if shared memory could not be accessed. But that shared memory access also brings benefits (OK, I assume the benefits part. Don’t ask me to list them).

They didn’t test other mobile OS’s but say the hack should work on them too. I’m no developer but I thought on iOS shared memory wasn’t, well, shared by apps. Which resulted in many of the complaints about apps not working together. I’ve also read comments that apps don’t access shared memory on Windows Phone. So this calls into question that assumption by the researchers.

In any event it works on other mobile OS’s, even for Android the headline should be “Installing malicious app will cause security issue!” But I guess that falls into the non-clickworthy “duh” category.

Synology DS212+ Rebuild

I recently ran out of system drive disk space on my Synology 212+ NAS. While I was able to free up the space and resolve the immediate problems I was still having less critical problems. Photos were no longer being indexed and thumbnails weren’t being created. In addition, the system monitor application and widget weren’t reporting any usage information. There may have been other issues but I stopped looking once I decided that a rebuild was the fastest way to recovery. I already had good and verified backups. Since the NAS was accessible again I was able to verify configuration settings to make sure I had the latest information.

Attempts to fix the problem while trying to preserve the data and not do a full firmware wipe and re-install all failed to resolve the problem. Most of the rebuild was easy enough, simple file copies from my backups, but there were some issues worth mentioning.

Configuration Backup

In addition to the file backups I also back up the Synology configuration once a week, but I did it again just to make sure I have the latest configuration.

This is done through the Control Panel as shown in the following screenshots. The result is a single file with a .dss extension.

Synology DSM 5 Control Panel
Select “Updates and Restore” from the Synology Control Panel
Synology Configuration Backup
Select the “Configuration Backup” tab then click the “Backup Configuration” button
Confirm the backup
Confirm the backup by clicking “Yes”

Reset Procedure

The reset procedure worked as described, with one change. In step 6 I had to do the reboot manually, otherwise the NAS was in “Migratable” mode and not install mode.

DSM 5 Synology Assistant
Migratable – not what I want – it didn’t fix my problems.
DSM 5 Synology Assistant
Not Installed – what I want

The reset procedure is:

  1. Have the Synology system in the ready state.
  2. Look at the back of the Synology System, find a small reset hole near the USB ports.
  3. Using a paper clip, gently depress and hold down the recessed button for about four seconds.
  4. The system will beep once.
  5. After hearing the system beep once, release the button and press it again for another four seconds.
  6. The system will beep three times and execute a reboot. This is where I had to manually reboot.
  7. After rebooting, launch the Synology Assistant and install the firmware.
  8. Restore the configuration file.

The configuration file restore is done through the same screens as the configuration backup except the “Restore Configuration” button is selected.

Share Creation & Package Installs

I had to recreate my shares. While the user IDs were restored with the configuration I did have to set the share permissions and any disk quotas.

Packages also had to be re-installed and any configuration manually entered. Any package which requires an index needs to rebuild that index. For me this was Audio Station, Video Station and Photo Station. Photo Station was a hassle and gets a section dedicated to it down below.

Photo Station Re-Install

Photo Station was the biggest hassle among all of this. This was mainly due to the DSM 5 Photo Station Uploader. I had actually just used the DSM 4 Photo Uploader to move the Photos to my DSM 212J and it wasn’t bad. But I upgraded to the DSM 5 uploader to be on the latest version, which in theory is always best.

The DSM 5 uploader definitely uploaded the photos faster than the DSM 4 uploader, but it missed many of the thumbnails so the Synology NAS started to do its own, much slower, thumbnail creation.

The Photo Uploader does the thumbnail creation on the computer (which in my case is a Mac Mini). I could see multiple convert processes running during the upload and my Mac wasn’t otherwise busy. I had to group the uploads in relatively small batches. Because of my directory structure this was at most 2,000 files per upload. I definitely had problems anytime I tried to upload more than 4,000 files. It’s like something started to break around 2,000 files and it came completely off the rails after about 3,000.

But even this wasn’t perfect. There were several times I went in and deleted directory trees where the upload failed to upload thumbnails. The re-upload then worked OK. But this was tedious and in the end out of about 40,000 uploaded files Synology told me it had about 8,000 files to index. This took a few days.

The uploader is capable of running multiple upload windows on the desktop. This made things worse when I tested it so only doing one upload process at a time is recommended based on my experience.

If the NAS is busy, say with an unrelated file copy, the photo upload will also miss more thumbnails than it uploads. I quickly learned not to even try uploading the photos until the rest of my files were restored.

While not a bug, one thing to keep in mind is the way that Photo Uploader handles the “skip files that have been uploaded” option. In my testing it seems the uploader only looks at the file name and not any other attributes. For example, I put all my original photos in a specific directory tree (albums). I have other albums (directories) with “best of”, edited photos or by a topic for viewing. The same name is frequently used across all albums even if there is some minor editing. With this option selected only the first file encountered gets uploaded and the rest are skipped. The file names are remembered from session to session.

Using the photo uploader as part of the reset process does work, it’s just very time consuming. I’ll be testing the built-in application backup to see if it works any faster.

Wrapping Up

The good news is I was able to completely restore my Synology NAS from my standard backups without any lost data. Under lessons learned I need to look for a better way to restore the Photo Station files. I like Photo Station and expect the number of photos it manages to grow. Hopefully the application backup will work faster.