The First Maker Space and Tech Community For Markham, Richmond Hill, Thornhill, & Vaughan.

Disaster recovery in a briefcase. Part 1.

A ylab member has a requirement for a backup firewall… and more. At her company, they use a top-quality commercial firewall that provides and front-ends a suite of other services, like VPN access into the company and a captive portal that controls access to several outbound VPNs to customers. They use multiple internet connections with services distributed across them. That makes them very dependent on this firewall’s operation – which brought up some big questions:

  • What do they do if the firewall is down for maintenance or service?
  • What if they are blocked from their office and need a disaster recovery replacement?
  • What would it cost to duplicate the services?

The simple answer would be to replicate everything with the same hardware. But that’s a very costly exercise, and the existing gear takes up a lot of space. Could a simpler solution work?

Here’s how she solved the problem.

Dual Raspberry Pi: Firewall and Captive Portal With Zeroshell

This got me thinking… many modern firewalls have Linux at their core. The Raspberry Pi (RPi) has Linux at its core. Current Raspberry Pis have as much power as full computers from just a few years ago.

Using RPi, could I build a compact, emergency firewall system that meets our requirements? The list is extensive:

  • Manage dual Internet connections:
    • One for internal general internet use.
    • One for protected gateway use.
  • Protected gateway zone – multiple external VPN access:
    • VLAN terminations for separate gateways to each VPN
    • Gateways require internet access.
    • Captive portal controlling gateway access.
    • Logging access for traffic from internal network to protected gateway network, including identification of VLAN gateway being accessed.
  • General internet usage is not behind Captive Portal (no authentication required).

Web searches pointed me to Zeroshell. You can look at the web page – the feature list is impressive: multiple Internet connections, VPN capability, and a Captive Portal for the control required on the external VPNs. The management interface looks good. And there is great Raspberry Pi support.

I picked up new hardware to run the test – a Raspberry Pi 3B+ with two additional USB Ethernet adapters. With SD card, power supply, case and other bits, it cost me less than $150 (Canadian). Raspberry Pi 4 was announced the week before, but still not locally available.

Loading Zeroshell was simple. The provider of the Raspberry Pi kit recommended Balena Etcher software for loading system IMG files. It worked without problem for the Zeroshell image.

The Zeroshell management interface proved comprehensive and easy to use. I have more detail on the configuration sequence at the end of this post.

One big glitch: the Captive Portal configuration is all or nothing. That means a portal login would be required both for the access to the restricted outbound VPN gateways, and for general Internet access. That’s more than just a nuisance. It could be a problem for some of our automated systems.

I could spend a bunch of time trying to work around this… or just spend another $150 for a second RPi with all the bits to run the Zeroshell Captive Portal separately behind the firewall.

Would performance be adequate? Our Internet connections for this project are a couple of DSL lines. We ran throughput tests and found the RPis with Zeroshell could sustain better than 88 Mbit/s through the firewall.

It worked. It passed all our tests. And it’s so compact, we could fit it in a briefcase with plenty of room to spare.

We’re looking at Phase 2 – what critical infrastructure and storage could we add to a briefcase for a completely portable disaster recovery solution?

Stay tuned!

Detailed configuration and setup

Basic Zeroshell configuration for the network topology used in this post. (The topology diagram from the original post is not reproduced here; the addresses it uses appear in the steps below: internal LAN 192.168.0.0/24 with RPI-internet at 192.168.0.1, the captive portal RPi reached via 192.168.2.2, and the protected VLAN7 network 192.168.7.0/30 with the web server at 192.168.7.2.)



For each Raspberry Pi:

  1. Flash Zeroshell onto the SD card using balena Etcher (the software the Canakit vendor recommends). Verify the downloaded image’s checksum before flashing.
  2. Boot and create a new Profile. This will also allow you to specify the Management interface (ETH00).
  3. Configure IP addresses on Zeroshell as indicated in the network topology above.

For performance reasons, the Zeroshell RPi image is “headless” – i.e. there is no desktop or web browser on it. When you load it, all you have on the console is a limited text-based interface. The management interface is provided through an Apache web server included in the Zeroshell installation, so you access the graphical management interface from a web browser on another system.

After the network configuration and topology are set on the Zeroshell text interface, hook up a PC to the network for GUI access. You need to pre-configure the PC with an IP address on the same subnet as the Zeroshell management interface.

IP addresses changed in this post to protect whatever needs to be protected. Use your own.


First configure the RPI internet connection:
1. Configure the PC with the selected IP (192.168.0.100/24) and set its default gateway to the address of the RPi (192.168.0.1/24).
2. Connect to the web interface of RPI-internet:  https://192.168.0.1
3. Accept the certificate errors and add an exception to the browser. The default management certificate is not issued by a CA your browser trusts, so the warning is expected; do this only on the directly attached management LAN, where nothing else can sit between the PC and the RPi. NOTE: Fixing this certificate issue is outside the scope of this blogpost.

Management GUI of RPI-internet: Static Route Configuration

  1. Add static routing rule for protected VLAN access:
    1a. Go to the Network > Router page.
    1b. Click on Add to add a Static route.
    1c. In the Static Route pop-up, add a route for Destination network 192.168.7.0/30 using Gateway 192.168.2.2


2. Configure NAT for internet access:
    2a. Go to Network > Router.
    2b. Click on NAT on main blue menu at top.
    2c. In Network Address Translation pop-up, add ETH01 to the NAT Enabled Interfaces list.
    2d. Save NAT rules.


3. Configure Firewall WAN, LAN, and protected gateway access:
    3a. Go to Security > Firewall.
    3b. Ensure you’re on the FORWARD page.
    3c. Change default policy from ACCEPT to DROP, so that only traffic matched by an explicit rule is forwarded.
    3d. Add Firewall rules as shown below.  

    3e. Save firewall rules.
4. Test the Internet connection:
    4a. Go to the Network > Router page.
    4b. In the top corner, select Check IP.
    4c. In the pop-up dialog, enter IP to check:  8.8.8.8 (Google’s DNS).
    4d. Click Check and verify RPI-internet is able to connect.

5. Check Internet access from the PC.
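As an added illustration, not the rules from the original post (the rule table itself is not reproduced on this page, and Zeroshell generates its own rules from the GUI), here is the RPI-internet forwarding, NAT and static-route policy from steps 1 to 3 expressed directly as iptables and ip commands, as it would be on any Linux router. It shows the point of step 3c: with the default policy at DROP, every permitted flow is an explicit line. The interface ETH02 as the link to the captive portal RPi, the 192.168.2.1 address on it, and the conntrack match are assumptions.

```shell
#!/bin/sh
# Illustrative iptables equivalent of the RPI-internet FORWARD/NAT policy.
# Added example; not Zeroshell's generated rules. Interface roles are taken
# from the post, the ETH02 link interface and its 192.168.2.1/24 address
# are assumptions.
LAN_IF=ETH00              # 192.168.0.1/24, internal LAN and management
WAN_IF=ETH01              # DSL uplink, NAT enabled in the GUI
LINK_IF=ETH02             # assumed: link to the captive portal RPi
LAN_NET=192.168.0.0/24
PROTECTED_NET=192.168.7.0/30
PORTAL_GW=192.168.2.2     # next hop for the protected VLAN (step 1c)

# run: print the command when DRY_RUN=1 (the default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_forward_policy: default DROP, then only the flows the post describes.
build_forward_policy() {
    run iptables -F FORWARD
    # Step 3c. The shipped default is ACCEPT, which forwards everything
    # the router can reach, including the protected link.
    run iptables -P FORWARD DROP
    # Replies to permitted flows.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN to general Internet (not behind the captive portal).
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # LAN to the protected gateway network only; nothing else over the link.
    run iptables -A FORWARD -i "$LAN_IF" -o "$LINK_IF" -s "$LAN_NET" -d "$PROTECTED_NET" -j ACCEPT
    # The gateways behind the portal RPi need Internet access (requirement list).
    run iptables -A FORWARD -i "$LINK_IF" -o "$WAN_IF" -j ACCEPT
}

# build_nat_and_routes: step 2 (NAT on ETH01) and step 1 (static route).
build_nat_and_routes() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    run ip route add "$PROTECTED_NET" via "$PORTAL_GW"
}

# policy_check: succeed only if the generated policy sets FORWARD to DROP.
policy_check() {
    ( DRY_RUN=1; build_forward_policy ) | grep -q -- '-P FORWARD DROP'
}

# Run with --print to review the commands, --apply on the box to load them.
case "${1:-}" in
    --print) DRY_RUN=1; build_forward_policy; build_nat_and_routes ;;
    --apply) DRY_RUN=0; build_forward_policy; build_nat_and_routes ;;
esac
```

Review the output of `--print` against the requirement list before applying: each line should map to one of the flows the post names, and anything else should be absent rather than relying on the default.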

To test the Captive Portal to the protected customer VPN network, I set up a Linux server running a web server… and more. I configured the server with KVM virtualisation and multiple VLANs managed by KVM. A web server VM was created with an attached interface associated with VLAN7. The KVM server will terminate the VLAN (set-up for KVM outside scope of this blog post). Assign the web server IP: 192.168.7.2/30.

From the Management GUI of the second (captive portal) RPi:
1. Configure static route for internal network access (192.168.0.0/24).

2. Configure NAT.


3. Configure firewall rules using the same process as above, but with the following rules.

NOTE: these rules include logging for access from ETH00 to each VLAN interface, which provides the per-VLAN-gateway access log called for in the requirements.
4. Configure Captive Portal:
    4a. Go to Users > Captive Portal.
    4b. Select an interface:  ETH00.
    4c. Click on Save.
    4d. Check Active on: ETH00.
    4e. Under Gateway Parameters, select Client Identify = Only IP Address. Identifying clients by IP address alone ties the authorization to the address rather than the user: any host that takes over that address while the authorization is still valid inherits the access, so keep the validity short.

    4f. Under Authenticator Validity, select 60 from drop down.
    4g. Click Save again.


5. Configure Users:
    5a. Go to Users > Users.
    5b. Click on Add in main blue menu at top.
    5c. Fill in details such as username and password.  First and Last name required.
    5d. Click on Submit.
6. Test VLAN access by pinging the web server at 192.168.7.2.  It follows the same process as above for testing the Internet connection except the IP is the web server IP.

On the LAN PC, browse to http://192.168.7.2:
1. Verify Captive Portal page shows up.  
2. Enter user credentials.
3. Verify the web server page appears.

On the 192.168.7.2 web server, verify connectivity to the Internet by pinging 8.8.8.8.  
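To make use of the access logging configured in step 3 on the captive portal RPi (the requirement at the top of the post to record which internal host reached which VLAN gateway), here is an added example that is not part of the original post. It summarises iptables LOG lines of the kind a Linux firewall writes to syslog when a rule has logging enabled, keyed by source, outgoing VLAN interface, destination and protocol, and lists any source that is not on the internal LAN. The four log lines are constructed for this example; the VLAN interface names ETH00.7 and ETH00.8, the PROTECTED: log prefix, the second VLAN 192.168.8.0/30 and the hostname are assumptions. The sources are LAN hosts rather than the firewall because the first RPi enables NAT only on its ETH01 WAN interface.

```shell
#!/bin/sh
# Summarise logged ETH00 -> VLAN traffic on the captive portal RPi from
# iptables LOG output. Added example; the log lines are constructed, and
# the interface names, log prefix and second VLAN are assumptions.
sample_log() {
    cat <<'EOF'
Jul  2 09:14:01 rpi-portal kernel: PROTECTED: IN=ETH00 OUT=ETH00.7 SRC=192.168.0.100 DST=192.168.7.2 LEN=60 TTL=63 PROTO=TCP SPT=51510 DPT=80 SYN
Jul  2 09:14:01 rpi-portal kernel: PROTECTED: IN=ETH00 OUT=ETH00.7 SRC=192.168.0.100 DST=192.168.7.2 LEN=60 TTL=63 PROTO=TCP SPT=51511 DPT=443 SYN
Jul  2 09:16:40 rpi-portal kernel: PROTECTED: IN=ETH00 OUT=ETH00.8 SRC=192.168.0.101 DST=192.168.8.2 LEN=84 TTL=63 PROTO=ICMP TYPE=8
Jul  2 09:17:12 rpi-portal kernel: PROTECTED: IN=ETH00 OUT=ETH00.7 SRC=10.9.9.9 DST=192.168.7.2 LEN=60 TTL=60 PROTO=TCP SPT=40000 DPT=22 SYN
EOF
}

# summarize_access: stdin = syslog lines; stdout = "SRC OUT DST PROTO count",
# one line per distinct (source, VLAN interface, destination, protocol).
summarize_access() {
    awk '
    /IN=ETH00 / && /OUT=/ {
        split("", f)                      # clear the key=value map
        for (i = 1; i <= NF; i++)
            if ($i ~ /=/) { split($i, kv, "="); f[kv[1]] = kv[2] }
        key = f["SRC"] " " f["OUT"] " " f["DST"] " " f["PROTO"]
        count[key]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# unexpected_sources: logged sources that are not on the internal LAN
# (192.168.0.0/24); anything here reached the protected link from elsewhere.
unexpected_sources() {
    summarize_access | awk '$1 !~ /^192\.168\.0\./ { print $1 }' | sort -u
}

# Stand-alone: sh thisfile.sh < /var/log/messages, or --demo for the sample.
if [ "${1:-}" = "--demo" ]; then
    sample_log | summarize_access
    echo "unexpected sources:"
    sample_log | unexpected_sources
fi
```

Because the key drops ports, one line per host and gateway is produced regardless of how many connections were made; keep the port if you want to distinguish, for example, web access from SSH to the same gateway.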

Ylab invades a library. Again.

Richmond Hill’s Richmond Green Library held their third annual March Break Maker Week Kick-Off on Saturday March 9 2019 – and ylab was there.

It’s ylab… so of course we had light sabres!

Mandatory equipment: 3D printed DDO dome and light sabres.

A big hit with the kids was the hand-cranked generator, with good old analog meters and buttons to press. Beats an LED display any day.

Buttons! Real dials! A crank!

And no display would be complete without some robots running around.

ArduinoBot and RossBot. Which is which?

We had lots of other 3D printed and laser cut creations like the rope-making machine.

Count the cranks in this post. The generator crank, this rope-making crank, and some of the assorted ylab members.

Big thank you to Richmond Hill Public Libraries and all their staff for inviting us and putting up with us, and to ylab members Ross, Pek, Richard and Miro for taking a valuable Saturday – and all the planning and preparation time – to bring in all the stuff and make it all happen.

More robots! More mayhem!

Many of the early ylab members were brought together by their love of robotics, and on Tuesday February 19 they’ll be sharing the love with our first Robotycs open house since our re-opening. This will be the start of our monthly Robotycs nights.

There have been a lot of advances since the last time we had a Robotycs meetup. Technology has moved from simple range finders to full-room LIDAR scanners. Costs have dropped dramatically, with some amazing deals on Arduino-based kits that give you lots of room to learn and to innovate.

Our Robotycs evenings all start off with show-and-tell, where you can bring in your creations to demonstrate, or just to ask for help and advice.

We’ll be giving an overview of what’s in the new kits and why we like it.

Register here to come out and join the fun.

Not him. The plastic.

The end of 2019’s first January cold snap brought out a whole lot of members and new visitors to our What’s This Laser Cutter Stuff All About? open house. Ylab’s Richard gave an extensive presentation on the materials you can use and the types of engraving you can make.

Great attendance from visitors and members

The highlight was some of his work with plastics and plexiglass, building up components in layers to make a complex manifold, and threading the plastic to hold screws and other fittings.

Explaining how it’s done – using a solvent to melt and bond

The meltdown happens when you bond together the plastic walls and layers to form a manifold. Instead of glue, you use the appropriate solvent for the plastic. The two surfaces melt a tiny bit and bond when pressed together. He’s tested the resulting piece to 60 PSI. He’s used the same techniques for water and air devices.

Best of all, participants in next week’s laser cutting class (sold out!) will learn to do it for themselves.

Did it or didn’t it?

Ylab isn’t the only group haunting the DDO. We’re responsible for the strange sounds emanating from the basement – the things that go bump in the nights we are there. OK, more than bumping. Sparking, zapping, banging… On the upper floors we have the Royal Astronomical Society of Canada Toronto Center (RASC), and the DDO Defenders (DDOD), delivering great astronomy programs for adults, families and kids. We often see them hosting hordes of Scouts and Girl Guides earning their astronomy badges.

Astronomers are often makers. We know that from our telescope makers night a few years ago. Our friend Eric from RASC, upon reading our post on the Big Lathe, put up a theory that the lathe was used to make the 19-inch telescope sitting in one of the domes on top of the DDO administration building. Eric pointed us to this 1930 RASC Journal paper by R.K. Young on the design and construction of that telescope. Young built it himself. That paper has become required reading for telescope makers.

Young was more than a telescope builder. He was Director of the DDO from 1935-1945, and, according to RASC’s bio, an astronomer’s astronomer. He had a big role in the design of the DDO’s flagship 74-inch telescope.

According to the RASC bio, Young built his 19-inch telescope between 1926 and 1928. In the RASC Journal, Young says:

“It has been completed with the aid of a very modest workshop and occasional help for such work as could not be done on a lathe.”

But did Young use this lathe for his 19-inch design?

Plaque on the lathe. This is generally considered to be a clue.

The Big Lathe was donated by Young to the DDO in 1934. Was it new equipment for the DDO, or was it donated after he used it to construct his telescope?

In our earlier post, we said the lathe was built in 1926. That’s according to a number cast into the iron base. Our lathe expert Miro said that’s probably a couple of years too early. The manufacturing process at the time involved casting the base, letting it sit around for a couple of years to ensure the metal was completely stabilised, and then completing the assembly. Better to look at the serial number, Miro says. The last two digits for a South Bend lathe indicate the production year. They read 28. As in 1928. It would then have to make its way from South Bend, Indiana to A.R. Williams, the Toronto machinery dealer, and to whoever purchased it.

Is that time frame too tight for completing Young’s telescope in 1928? Would a lathe have been used early or late in the process? Is the Big Lathe too big for what Young describes as a “very modest workshop”? Was Young being modest about his workshop? This Toronto Star archive photo shows the telescope in a location that is definitely not one of the DDO domes.

Inquiring minds want to know!

All this just to pop a balloon???

While ylab maker space is for adults, it doesn’t stop us from helping out with some stuff for kids. If you’ve come to one of our open houses, you’ve seen some of the things we’ve put together for Scout groups and camps. This fall we provided some assistance for a Rube Goldberg machine project.

The Scouts from 8th Richmond Hill group are a fixture at Richmond Hill and other area events –  the Santa Claus Parade, camping out in the snow at the Richmond Hill Winter Carnival (coming up on Feb 2 & 3 2019), the  Remembrance Day March, helping out at York Region Amateur Radio Club’s hamfest… and generally keeping your kids out of the kind of trouble you don’t want them into, and into the kind of fun  trouble you get into at Scout camps and events.

The group has a Technical Venturers company that we’ve worked with to develop amateur radio certification material. This fall they were participating in the Blue Springs Scout Reserve Rube Goldberg Machine contest.

The result – with all components built by the youth – is a monumentally complex system to pop a balloon. They used Meccano, Lego, Hot Wheels and other old toys; a steam engine; Arduino electronics… and the list goes on. Check out the video of the creation here on youtube. It filled a basement. No, it wasn’t our DDO basement. 

Yes, that’s a steam engine… popcorn maker… old Meccano… bits of Lego… and that’s just the first step.

Video submission for the contest was Dec 31, and they are eagerly awaiting completion of the judging some time in January.

Come out to the maker space, learn some new skills, and you can have a lot of fun spreading the knowledge by helping out with other groups. Might even be your own kid!

Historical precision

Jan 6 2019 update: 1926… or 1928? Learn more about the mystery here.

An important part of ylab’s activities in our home at the David Dunlap Observatory is ensuring we respect the historic nature of the facility. Sometimes this includes the great privilege and responsibility of maintaining some of the workshop equipment that we’ve been entrusted with – like the magnificent old workbench.

We’ve now taken the big South Bend metalwork lathe under our care. Markings indicate it was built in 1926. It has an 8 foot bed and 16 inch throw (largest diameter we can work with), which can be increased to 24 inches when taking advantage of a removable section of the bed.

So what on earth do we do with this beast?

Our good luck, as always (we’re in the DDO, right?), brings us a solution. Ylab member Miro, a professional engineer, has a wealth of experience with exactly this type of equipment.

Miro’s preliminary assessment? “WOW! It’s barely broken in!”

Almost every piece of machine shop equipment of this vintage was put to work in the World War II production effort. Most of it was heavily worn during the process, if not completely scrapped when superseded by more modern tooling. Our lathe was used primarily – and apparently very lightly – for the maintenance of the DDO telescopes. Miro suspects it may be in better shape than any other one in the world.

We started with a thorough check-out.

First a general clean-up. We don’t know when it was last maintained… but the amount of crud we pulled out tells us it’s been a while. We made the arbitrary, executive decision that the crud is not historically significant and could be removed and disposed of. We trust nobody is upset by this. If this upsets you, let us know and we’ll send you some crud. Deadline for request: next garbage day.

If it’s supposed to move… WD 40 won’t do here. Moving parts need lubrication. We identified and bought the right grade of non-detergent oil. A careful end-to-end inspection revealed 31 separate lubrication points that include small holes, holes closed by screws, small caps, big caps, plugs and various surfaces. We found and refilled a historic oil can to do the job.

Missing and worn-out parts. We spotted some missing oil-hole cover screws. We made replacements. The carriage has metal caps that press felt pieces against the tracks to push metal bits out of the way as it slides back and forth. Two of the caps were missing – but we rummaged through the cabinets and found them. We put in new felt pieces and screws.

Old cruddy felt. New felt. The missing caps. And two different models of steel-toed safety shoes.
Big wheel keeps on turning to move the carriage back and forth along the bed.

So how well does it work? The big test.

We manually moved all the parts, hand-turning everything. With fresh lubrication, Miro’s preliminary assessment was confirmed. Everything that should move was moving beautifully. Like new.

Time to turn on the power and see how this fat lady sings.

We tested with some 6-inch long, 1 inch diameter metal rods.

The lathe cuts the mustard… and the metal.

You can see the steps and the results below.

What we started and ended with.

We used precision micrometers and vernier calipers to measure the progress and final results. We tested all the major gears, parts and settings. We cut and re-cut different diameters. We made screw threads on the end. And it’s unbelievable.

Almost 100 years old, and reliably delivering 1/1000 inch precision.

There are many more parts and options to test. Watch this space for more updates.