Last week, we provided updates 1, 2 and 3 on the City of Richmond Hill’s DDO activities over the spring and summer. Ylab helped out with all of them, but those were not our core maker activities.
Our makers have quietly been up to all kinds of things in our basement lair. We’re now taking the time to catch up and update everyone on some of the more interesting projects.
Reliable 3D Printing. Finally.
We got our hands on a Qidi 3D printer earlier in the year. It’s a very flexible unit, with dual extruders capable of handling PLA, ABS and the related support filaments. But it was kind of under-used while we worked out how to operate it reliably with PLA and ABS filaments, and with separate support material for the complex jobs.
After much trial and error, software tests, and burning through plastic like a trophy wife on shopping day (ed: we can’t take credit for that cheap line), we were confident enough to hold our first 3D printer certification class and let people at it.
The verdict: it’s a quality, super-reliable printer.
Our first real user was making some robotics parts out of ABS. Test passed, but it was a relatively short print job.
Another member is doing some consumer product re-design (we can’t talk about it), and ran a complex job with lots of support. 4 hour print time. It came out flawless.
Ylab member Craig, of Halloween Electric Chair fame, gave it a real challenge with his next project: a 14-hour overnight job.
No problems. No jams. All good.
It’s a big step up in quality and reliability from the earlier units our members generously loaned us to get started.
Stay tuned for our next certification class, or just come in and we’ll give you a hand to get your project done.
On Friday August 23 the City of Richmond Hill and Deputy Mayor Joe DiPaola hosted their First Annual – Explore the DDO outdoor movie night. City staff invited DDO partners and other groups to participate. Ylab was asked to join the fun because of some shiny light things we’ve been known to make in our DDO workshop.
Some ylab members and friends are big Star Wars fans. They happily volunteered to add some character – and characters – to the event.
The costume efforts ranged from a quick trip to the local thrift store to years of detailed work.
Parks and Recreation staff came out to give tours of the Administration Building, and the RASC Toronto Centre crew gave tours of the telescope dome. Oh, yeah, and there was a movie – so much fun stuff going on that it almost became secondary to a great summer evening at the DDO site.
Big thank you to the City’s Explore the DDO, Parks and Recreation and volunteer teams for all their great work; to RASC Toronto Center for their tours of the dome, to all the other participating groups, and finally to ylab members Dan and Pek and friends Kristen and Mark for showing up in costume. Extra kudos to Dan for loaning out extra costumes and making it up and down the telescope stairs in wookie stilts.
We occasionally work alongside the Heritage group. On May 19 2019, the DDO was included for the first time as a Doors Open Ontario site, and it was a huge success. Ylab provided tours of the basement workshops. In prior years, a successful Doors Open Richmond Hill site might get 500-600 visitors. The Heritage Team told us over 1500 people went through – and they had to close off access at the end of the day to stop more from coming in.
And apparently history attracts history. On Sunday August 18, the Heritage Team hosted the Ontario Ford Model A Owners Club at the DDO, and ylab again participated in the tours. Beautiful summer day. The DDO. Old cars. History is so cool.
Snakes and Ladders Park received the award for Parks or Facility Design, and the David Dunlap Observatory won the award for Operations Excellence.
The City (we can’t call Richmond Hill a Town anymore) and the PRO committee recognised both the efforts of the Parks and Recreation Department and the partners at the DDO – our friends at RASC Toronto Centre, the DDO Defenders, Western University and us, the ylab basement dwellers. And they invited us to the awards ceremony in Collingwood!
Our congratulations and thanks to the City and to all the other partners. It’s a privilege to be at the DDO – and we’re all just getting started!
A ylab member has a requirement for a backup firewall… and more. At her company, they use a top-quality commercial firewall that provides and front-ends a suite of other services, like VPN access into the company and a captive portal controlling access to several outbound VPNs to customers. They use multiple internet connections with services distributed across them. That makes them very dependent on this firewall’s operation – which brought up some big questions:
What do they do if the firewall is down for maintenance or service?
What if they are blocked from their office and need a disaster recovery?
What would it cost to duplicate the services?
The simple answer would be to replicate everything with the same hardware. But that’s a very costly exercise, and the existing gear takes up a lot of space. Could a simpler solution work?
Here’s how she solved the problem.
Dual Raspberry Pi: Firewall and Captive Portal With Zeroshell
This got me thinking… many modern firewalls have Linux at their core. Raspberry Pi (RPi) has Linux at its core. Current Raspberry Pis have as much power as full computers from just a few years ago.
Using RPi, could I build a compact, emergency firewall system that meets our requirements? The list is extensive:
Manage dual Internet connections:
One for internal general internet use.
One for protected gateway use.
Protected gateway zone – multiple external VPN access:
VLAN terminations for separate gateways to each VPN
Gateways require internet access.
Captive portal controlling gateway access.
Logging access for traffic from internal network to protected gateway network, including identification of VLAN gateway being accessed.
General internet usage is not behind Captive Portal (no authentication required).
Web searches pointed me to Zeroshell. You can look at the web page – the feature list is impressive. Multiple Internet connections; VPN capability; a Captive Portal for the access control required on the external VPNs. The management interface looks good. And great Raspberry Pi support.
I picked up new hardware to run the test – a Raspberry Pi 3B+ with two additional USB Ethernet adapters. With SD card, power supply, case and other bits, it cost me less than $150 (Canadian). Raspberry Pi 4 was announced the week before, but still not locally available.
Loading Zeroshell was simple. The provider of the Raspberry Pi kit recommended Balena Etcher software for loading system IMG files. It worked without problem for the Zeroshell image.
The management interface proved comprehensive and easy to use. I have more detail on the configuration sequence at the end of this post.
One big glitch: the Captive Portal configuration is all or nothing. That means a portal login would be required both for access to the restricted outbound VPN gateways, and for general Internet access. That’s more than just a nuisance. It could be a problem for some of our
I could spend a bunch of time trying to work around this… or just spend another $150 for a second RPi with all the bits to run the Zeroshell Captive Portal separately behind the firewall.
Would performance be adequate? Our Internet connections for this project are a couple of DSL lines. We ran throughput tests and found the RPis with Zeroshell could sustain better than 88 Mbits/sec through the firewall.
It worked. It passed all our tests. And it’s so compact, we could fit it in a briefcase with plenty of room to spare.
We’re looking at Phase 2 – what critical infrastructure and storage could we add to a briefcase for a completely portable disaster recovery solution?
Detailed configuration and setup
Basic Zeroshell configuration for the following network topology:
Flash Zeroshell onto SD card using Canakit balena Etcher software.
Boot and create a new Profile. This will also allow you to specify the Management interface (ETH00)
Configure IP addresses on Zeroshell as indicated in the network topology above.
For performance reasons, the Zeroshell RPi image is “headless” – i.e. no web browser. When you load it, all you are working with is a limited text-based interface. The management interface is provided through an Apache web server included in the Zeroshell installation. You access the graphical management interface from a web browser on another system.
After the network configuration and topology are set on the Zeroshell text interface, hook up a PC to the network for GUI access. You need to pre-configure the PC with an IP address on the same subnet as the Zeroshell management interface.
IP addresses changed in this post to protect whatever needs to be protected. Use your own.
First configure the RPI internet connection:
1. Configure the PC with the selected IP (192.168.0.100/24) and set its default gateway to the address of the RPi (192.168.0.1/24).
2. Connect to the web interface of RPI-internet: https://192.168.0.1
3. Accept the certificate errors and add an exception to the browser. NOTE: Fixing this certificate issue is outside the scope of this blog post.
Management GUI of RPI-internet: Static Route Configuration
1. Add a static routing rule for protected VLAN access:
1a. Go to the Network > Router page.
1b. Click on Add to add a Static route.
1c. In the Static Route pop-up, add a route for destination network 192.168.7.0/30 using gateway 192.168.2.2.
2. Configure NAT for internet access:
2a. Go to Network > Router.
2b. Click on NAT on the main blue menu at the top.
2c. In the Network Address Translation pop-up, add ETH01 to the NAT Enabled Interfaces list.
2d. Save NAT rules.
3. Configure Firewall WAN, LAN, and protected gateway access:
3a. Go to Security > Firewall.
3b. Ensure you’re on the FORWARD page.
3c. Change the default policy from ACCEPT to DROP.
3d. Add Firewall rules as shown below.
3e. Save firewall rules.
4. Test the Internet connection:
4a. Go to the Network > Router page.
4b. In the top corner, select Check IP.
4c. In the pop-up dialog, enter the IP to check: 220.127.116.11 (Google’s DNS).
4d. Click Check and verify RPI-internet is able to connect.
5. Check Internet access from the PC.
To test the Captive Portal to the protected customer VPN network, I set up a Linux server running a web server… and more. I configured the server with KVM virtualisation and multiple VLANs managed by KVM. A web server VM was created with an attached interface associated with VLAN7. The KVM server will terminate the VLAN (set-up for KVM outside scope of this blog post). Assign the web server IP: 192.168.7.2/30.
From the Management GUI of the RPi:
1. Configure a static route for internal network access (192.168.0.0/24).
2. Configure NAT.
3. Configure firewall rules using the same process as above, but with the following rules.
NOTE: There is logging here for access from ETH00 to each VLAN interface.
4. Configure Captive Portal:
4a. Go to Users > Captive Portal.
4b. Select an interface: ETH00.
4c. Click on Save.
4d. Check Active on: ETH00.
4e. Under Gateway Parameters, select Client Identify = Only IP Address.
4f. Under Authenticator Validity, select 60 from the drop down.
4g. Click Save again.
5. Configure Users:
5a. Go to Users > Users.
5b. Click on Add in the main blue menu at the top.
5c. Fill in details such as username and password. First and last name are required.
5d. Click on Submit.
6. Test VLAN access by pinging the web server at 192.168.7.2. It follows the same process as above for testing the Internet connection, except the IP is the web server IP.
On the LAN PC, browse to http://192.168.7.2:
1. Verify the Captive Portal page shows up.
2. Enter user credentials.
3. Verify the web server page appears.
On the 192.168.7.2 web server, verify connectivity to the Internet by pinging 18.104.22.168.
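The firewall rule screenshots for RPI-internet did not survive here, so as an added example (not Zeroshell’s own generated rules, and not from the original post) the policy described in steps 2 and 3 above is written out as an iptables-restore ruleset, since Zeroshell builds on iptables underneath. Interface roles are assumed: ETH00 is the LAN (192.168.0.0/24), ETH01 is the DSL/WAN side that gets NAT, and ETH02 is the 192.168.2.0/30 link toward the captive-portal RPi at 192.168.2.2.

```shell
#!/bin/sh
# Added example: RPI-internet policy as an iptables-restore file.
# Assumed interface roles (not stated in the post):
#   ETH00 = LAN 192.168.0.0/24, ETH01 = DSL/WAN with NAT,
#   ETH02 = 192.168.2.0/30 link to the captive-portal RPi (192.168.2.2)
LAN_IF=ETH00; WAN_IF=ETH01; GW_IF=ETH02
LAN_NET=192.168.0.0/24

gen_rules() {
cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# step 2c: NAT enabled on ETH01 only
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
# step 3c: default policy DROP; replies to allowed connections still pass
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet, no portal login on this box
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# LAN -> protected gateway zone, logged so access to the VLANs is auditable
-A FORWARD -i $LAN_IF -o $GW_IF -s $LAN_NET -j LOG --log-prefix "PROTECTED: "
-A FORWARD -i $LAN_IF -o $GW_IF -s $LAN_NET -j ACCEPT
# gateways behind the portal RPi need Internet, but may not initiate into the LAN
-A FORWARD -i $GW_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Checks to run before loading: default DROP is kept, NAT exists only on the
# WAN side, and nothing opens the protected zone toward the LAN.
check_rules() {
  gen_rules | grep -q '^:FORWARD DROP' || return 1
  [ "$(gen_rules | grep -c MASQUERADE)" -eq 1 ] || return 1
  gen_rules | grep -q -- "-o $LAN_IF -j MASQUERADE" && return 1
  gen_rules | grep -q -- "-i $GW_IF -o $LAN_IF -j ACCEPT" && return 1
  return 0
}

# Load on the RPi with: sh rules.sh | iptables-restore   (needs root)
gen_rules
```

The second RPi would carry the same shape of ruleset, with one LOG rule per VLAN interface so each gateway access is attributed to its VLAN, as the NOTE in step 3 describes.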
Richmond Hill’s Richmond Green Library held their third annual March Break Maker Week Kick-Off on Saturday March 9 2019 – and ylab was there.
It’s ylab… so of course we had light sabres!
A big hit with the kids was the hand-cranked generator, with good old analog meters and buttons to press. Beats an LED display any day.
And no display would be complete without some robots running around.
We had lots of other 3D printed and laser cut creations like the rope-making machine.
Big thank you to Richmond Hill Public Libraries and all their staff for inviting us and putting up with us, and to ylab members Ross, Pek, Richard and Miro for taking a valuable Saturday – and all the planning and preparation time – to bring in all the stuff and make it all happen.
Many of the early ylab members were brought together by their love of robotics, and on Tuesday February 19 they’ll be sharing the love with our first Robotycs open house since our re-opening. This will be the start of our monthly Robotycs nights.
There have been a lot of advances since the last time we had a Robotycs meetup. Technology has moved from simple range finders to full-room LIDAR scanners. Costs have dropped dramatically, with some amazing deals on Arduino-based kits that give you lots of room to learn and to innovate.
Our Robotycs evenings all start off with show-and-tell, where you can bring in your creations to demonstrate, or just to ask for help and advice.
We’ll be giving an overview of what’s in the new kits and why we like them.