The First Maker Space and Tech Community For Markham, Richmond Hill, Thornhill, & Vaughan.

Don’t be a hero.

Many pages on the Internet tell you how to make a spot welder from a discarded microwave oven. We always thought it was a crazy idea. And then a couple of the more experienced ylab members told us it made sense and would not result in electrocution or being nuked into a medium-rare meat sack.

That explains some of the microwave parts that were lying around our workshop.

Like any good project and action hero movie, there has to be a critical failure and despair moment. Ours happened during disassembly.  Newer microwaves don’t have the kind of transformer you need for the project.

This isn’t what microwave transformers look like on all those other web pages.

 

Yeah, manufacturers cheap-out nowadays. You gotta do something to get that price down to $79.

Fortunately, some of the ylab ~~packrats~~ better-equipped members have accumulated some gear over the years and may be under pressure to clean out basement/storage shed/living room/all of the above. A nice one was donated to the cause, along with some awesome copper channels for the spot-welder arms.

This is what a *real* transformer looks like.

 

Channeling our excess energy with copper.

 

We won’t get into the detail of how the transformer was modded because (a) other websites have that info and (b) please don’t sue us. That big black cable may have been added as part of the process.

Since spot welder transformers allegedly produce some heat, we decided to make use of the microwave fan.

And that nice, shiny stainless steel enclosure… can’t let that go to waste. A bit of sawing, bending and shearing later, we have a pretty good cover.

Microwave enclosure – before surgery.

 

An old light switch, a PC power cable, some drilling and tapping of the copper channels, and the project is moving ahead nicely.

Action hero movies always have moments of suspense. So we’ll leave you in suspense and post later on how this wraps up. Because we haven’t wrapped it up yet.

Because action hero movies have sequels.

Ylab’s metal master

Ylab’s hosts at the David Dunlap Observatory have a nice simple reception desk – but they want the ability to lock up whatever is on top. You know, big things that won’t fit in a drawer. Which is kind of impractical because there are no drawers on the desk. They asked us if we could do something about it. We like a challenge. We put ylab member Metal Master Miro to work on it.

Aluminum panels can cover the opening, but they need support. The requirement is to make them removable and have them discreetly stored.

We started with some solid 1/4” square aluminum bars. We milled a channel on the aluminum to hold the panels, and drilled and countersunk holes for the mounting screws.

Aluminum bars, before and after milling and drilling

Nicely mounted on the desk to hold the panels.

Then we worked the panels. Aluminum sheets in the thickness we use are not quite rigid enough for the span, so we made reinforcement bars and riveted them to the sheets.

Miro knows the drill.

A riveting process, followed by shot peening the rivets.

For all the pieces, a copious amount of filing and elbow grease was required to soften up rough edges.

Not the filing cabinet you expected.

 

We made and mounted supports for discreetly storing the panels when not in use.

No visible means of support. At least not when looking from the top.

And finally, it all goes together in four simple steps.

Slide in the top…

… snug it up into the hidden support brackets…

… slide down the front panel…

… and tuck in the locking tabs.

Case closed.

Just add padlock. We’ll take off the protective plastic layer and clear coat it after it’s been inspected.

And with all the milling,  drilling and filing, we got our money’s worth out of this guy.

My job sucks.

It’s alive! And reliable!

Last week, we provided updates 1, 2 and 3 on the City of Richmond Hill’s DDO activities over the spring and summer. Ylab helped out with all of them, but those were not our core maker activities.

Our makers have quietly been up to all kinds of things in our basement lair. We’re now taking the time to catch up and update everyone on some of the more interesting projects.

Reliable 3D Printing. Finally.

We got our hands on a Qidi 3D printer earlier in the year. It’s a very flexible unit, with dual extruders capable of handling PLA, ABS and the related support filaments. But it was kind of under-used as we worked out how to operate it reliably with PLA and ABS filaments, and with separate support material for the complex jobs.

After much trial and error, software tests, and burning through plastic like a trophy wife on shopping day (ed: we can’t take credit for that cheap line), we were confident enough to hold our first 3D printer certification class and let people at it.

The verdict: it’s a quality, super-reliable printer.

Our first real user was making some robotics parts out of ABS. Test passed, but it was a relatively short print job.

Another member is doing some consumer product re-design (we can’t talk about it), and ran a complex job with lots of support. 4 hour print time. It came out flawless.

Ylab member Craig, of Halloween Electric Chair fame, gave it a real challenge for his next project. 14-hour overnight job.

The start of a long night of overtime work.

No problems. No jams. All good.

It’s a big step up in quality and reliability from the earlier units our members generously loaned us to get started.

Stay tuned for our next certification class, or just come in and we’ll give you a hand to get your project done.

How did he get hold of that?

Sometimes, ylab is just plain silly fun.

On Friday August 23 the City of Richmond Hill and Deputy Mayor Joe DiPaola hosted their First Annual – Explore the DDO outdoor movie night. City staff invited DDO partners and other groups to participate. Ylab was asked to join the fun because of some shiny light things we’ve been known to make in our DDO workshop.

Some ylab members and friends are big Star Wars fans. They happily volunteered to add some character – and characters – to the event.

This was early. Before the crowds and the line-ups for pictures.

The costume efforts ranged from a quick trip to the local thrift store to years of detailed work.

Parks and Recreation staff came out to give tours of the Administration Building, and the RASC Toronto Centre crew gave tours of the telescope dome. Oh, yeah, and there was a movie – so much fun stuff going on that it almost became secondary to a great summer evening at the DDO site.

Chris from RASC Toronto Centre. He’s the one with the hat.

Big thank you to the City’s Explore the DDO, Parks and Recreation and volunteer teams for all their great work; to RASC Toronto Centre for their tours of the dome; to all the other participating groups; and finally to ylab members Dan and Pek and friends Kristen and Mark for showing up in costume. Extra kudos to Dan for loaning out extra costumes and making it up and down the telescope stairs in wookie stilts.

History is so cool.

Just in case you didn’t hear or see the news elsewhere…

On July 31 2019, the Government of Canada officially designated the David Dunlap Observatory a National Historic site.

Our congratulations to Maggie Mackenzie and Heritage Richmond Hill for all their hard work. In digging through ylab’s lair in the basement of the DDO, we occasionally find some really cool historical thingies, and it’s always a pleasure to get these over to the Heritage team.

We occasionally work alongside the Heritage group. On May 19 2019, the DDO was included for the first time as a Doors Open Ontario site, and it was a huge success. Ylab provided tours of the basement workshops. In prior years, a successful Doors Open Richmond Hill site might get 500-600 visitors. The Heritage Team told us over 1500 people went through – and they had to close off access at the end of the day to stop more from coming in.

And apparently history attracts history. On Sunday August 18, the Heritage Team hosted the Ontario Ford Model A Owners Club at the DDO, and ylab again participated in the tours. Beautiful summer day. The DDO. Old cars. History is so cool.

We’ve been quiet on the blog over the spring… and even quieter over the summer as we got distracted by vacation, herding kids around, long lazy evenings and other seasonal distractions.

We have a lot of news to catch up on, and we’ll start with the most important thing: our wonderful home at the City of Richmond Hill’s David Dunlap Observatory.

Richmond Hill Park and DDO PRO Awards of Excellence

On Thursday, March 28, Parks and Recreation Ontario (PRO) handed out their annual Excellence Awards, and Richmond Hill cleaned up!

Snakes and Ladders Park received the award for Parks or Facility Design, and the David Dunlap Observatory won the award for Operations Excellence.

The City (we can’t call Richmond Hill a Town anymore) and the PRO committee recognised both the efforts of the Parks and Recreation Department and the partners at the DDO – our friends at RASC Toronto Centre, the DDO Defenders, Western University and us, the ylab basement dwellers. And they invited us to the awards ceremony in Collingwood!

Our congratulations and thanks to the City and to all the other partners. It’s a privilege to be at the DDO – and we’re all just getting started!

Disaster recovery in a briefcase. Part 1.

A ylab member has a requirement for a backup firewall… and more. At her company, they use a top-quality commercial firewall that provides and front-ends a suite of other services, like VPN access into the company and a captive portal to control access to several outbound VPNs to customers. They use multiple Internet connections with services distributed across them. That makes them very dependent on this firewall’s operations – which brought up some big questions:

  • What do they do if the firewall is down for maintenance or service?
  • What if they are blocked from their office and need a disaster recovery replacement?
  • What would it cost to duplicate the services?

The simple answer would be to replicate everything with the same hardware. But that’s a very costly exercise, and the existing gear takes up a lot of space. Could a simpler solution work?

Here’s how she solved the problem.

Dual Raspberry Pi: Firewall and Captive Portal With Zeroshell

This got me thinking… many modern firewalls have Linux at their core. Raspberry Pi (RPi) has Linux at its core. Current Raspberry Pis have as much power as full computers from just a few years ago.

Using RPi, could I build a compact, emergency firewall system that meets our requirements? The list is extensive:

  • Manage dual Internet connections:
    • One for internal general internet use.
    • One for protected gateway use.
  • Protected gateway zone – multiple external VPN access:
    • VLAN terminations for separate gateways to each VPN
    • Gateways require internet access.
    • Captive portal controlling gateway access.
    • Logging access for traffic from internal network to protected gateway network, including identification of VLAN gateway being accessed.
  • General internet usage is not behind Captive Portal (no authentication required).

Web searches pointed me to Zeroshell. You can look at the web page – the feature list is impressive. Multiple Internet connections; VPN capability; Captive Portal for the control required over the external VPNs. Management interface looks good. And great Raspberry Pi support.

I picked up new hardware to run the test – a Raspberry Pi 3B+ with two additional USB Ethernet adapters. With SD card, power supply, case and other bits, it cost me less than $150 (Canadian). Raspberry Pi 4 was announced the week before, but still not locally available.

Loading Zeroshell was simple. The provider of the Raspberry Pi kit recommended Balena Etcher software for loading system IMG files. It worked without problem for the Zeroshell image.

The Zeroshell management interface proved comprehensive and easy to use. I have more detail on the configuration sequence at the end of this post.

One big glitch: the Captive Portal configuration is all or nothing. That means a portal login would be required both for the access to the restricted outbound VPN gateways, and for general Internet access. That’s more than just a nuisance. It could be a problem for some of our automated systems.

I could spend a bunch of time trying to work around this… or just spend another $150 for a second RPi with all the bits to run the Zeroshell Captive Portal separately behind the firewall.

Would performance be adequate? Our Internet connections for this project are a couple of DSL lines. We ran throughput tests and found the RPis with Zeroshell could sustain better than 88 Mbits/sec through the firewall.

It worked. It passed all our tests. And it’s so compact, we could fit it in a briefcase with plenty of room to spare.

We’re looking at Phase 2 – what critical infrastructure and storage could we add to a briefcase for a completely portable disaster recovery solution?

Stay tuned!

Detailed configuration and setup

Basic Zeroshell configuration for the following network topology:



For each Raspberry Pi:

  1. Flash Zeroshell onto SD card using Canakit balena Etcher software.
  2. Boot and create a new Profile.  This will also allow you to specify the Management interface (ETH00)
  3. Configure IP addresses on Zeroshell as indicated in the network topology above.

For performance reasons, the Zeroshell RPi image is “headless” – i.e. no web browser. When you load it, all you are working with is a limited text-based interface. The management interface is provided through an Apache web server included in the Zeroshell installation. You access the graphical management interface from a web browser on another system.

After the network configuration and topology are set on the Zeroshell text interface, hook up a PC to the network for GUI access. You need to pre-configure the PC with an IP address on the same subnet as the Zeroshell management interface.

IP addresses changed in this post to protect whatever needs to be protected. Use your own.


First configure the RPI internet connection:
1. Configure the PC with the selected IP (192.168.0.100/24) and set its default Gateway to the address of the RPi (192.168.0.1/24).
2. Connect to the web interface of RPI-internet:  https://192.168.0.1
3. Accept the certificate errors and add an exception to the browser.  NOTE: Fixing this certificate issue is outside the scope of this blogpost.

Management GUI of RPI-internet: Static Route Configuration

1. Add static routing rule for protected VLAN access:
    1a. Go to the Network > Router page.
    1b. Click on Add to add a Static route.
    1c. In the Static Route pop-up, add route for Destination network 192.168.7.0/30 using Gateway 192.168.2.2.

2. Configure NAT for internet access:
    2a. Go to Network > Router.
    2b. Click on NAT on main blue menu at top.
    2c. In Network Address Translation pop-up, add ETH01 to the NAT Enabled Interfaces list.
    2d. Save NAT rules.


3. Configure Firewall WAN, LAN, and protected gateway access:
    3a. Go to Security > Firewall.
    3b. Ensure you’re on the FORWARD page.
    3c. Change default policy from ACCEPT to DROP.
    3d. Add Firewall rules as shown below.  

    3e. Save firewall rules.
4. Test the Internet connection:
    4a. Go to the Network > Router page.
    4b. In the top corner, select Check IP.
    4c. In the pop-up dialog, enter IP to check:  8.8.8.8 (Google’s DNS).
    4d. Click Check and verify RPI-internet is able to connect.

5. Check Internet access from the PC.
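
The routing and default-DROP steps above can be reasoned about offline before clicking through the GUI. This Python model is an added example, not Zeroshell code or the author's configuration. The static route and the ETH00/ETH01 roles come from the post; ETH02, the 192.168.2.0/24 link, the `WAN-GW` placeholder and the FORWARD rules are assumptions, because the topology diagram and rule screenshot are not reproduced in the text.

```python
import ipaddress

# (network, next hop, interface). None means directly connected.
ROUTES = [
    ("192.168.0.0/24", None, "ETH00"),           # LAN / management (from the post)
    ("192.168.2.0/24", None, "ETH02"),           # assumed link to the portal RPi
    ("192.168.7.0/30", "192.168.2.2", "ETH02"),  # static route from the post
    ("0.0.0.0/0", "WAN-GW", "ETH01"),            # assumed default route; NAT on ETH01
]

# Constructed FORWARD rules: (in iface, out iface, connection state, action).
# "*" matches anything; the first matching rule wins.
RULES = [
    ("ETH00", "ETH01", "*", "ACCEPT"),    # LAN -> Internet, no portal involved
    ("ETH00", "ETH02", "*", "ACCEPT"),    # LAN -> protected gateways via portal RPi
    ("ETH02", "ETH01", "*", "ACCEPT"),    # gateways require Internet access
    ("*", "*", "established", "ACCEPT"),  # replies to flows allowed above
]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (out_iface, next_hop)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), hop, dev)
            for net, hop, dev in ROUTES if addr in ipaddress.ip_network(net)]
    _, hop, dev = max(hits, key=lambda h: h[0].prefixlen)
    return dev, hop or dst  # connected route: deliver straight to dst


def forward(in_iface, dst, state="new", policy="DROP"):
    """Returns (action, out_iface, next_hop) for a packet being forwarded."""
    out_iface, next_hop = lookup(dst)
    for r_in, r_out, r_state, action in RULES:
        if (r_in in ("*", in_iface) and r_out in ("*", out_iface)
                and r_state in ("*", state)):
            return action, out_iface, next_hop
    return policy, out_iface, next_hop  # nothing matched: default policy


if __name__ == "__main__":
    flows = [
        ("LAN PC to Internet", "ETH00", "8.8.8.8", "new"),
        ("LAN PC to protected web server", "ETH00", "192.168.7.2", "new"),
        ("unsolicited WAN to LAN PC", "ETH01", "192.168.0.100", "new"),
        ("reply from WAN to LAN PC", "ETH01", "192.168.0.100", "established"),
        ("protected side to LAN PC", "ETH02", "192.168.0.100", "new"),
    ]
    for label, iface, dst, state in flows:
        print(f"{label:32} {forward(iface, dst, state)}")
    # The same unsolicited WAN packet if step 3c is skipped (policy ACCEPT):
    print(forward("ETH01", "192.168.0.100", policy="ACCEPT"))
```

Run as a script, it prints one decision per flow; the last line shows that leaving the default policy at ACCEPT forwards the unsolicited packet that DROP rejects.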

To test the Captive Portal to the protected customer VPN network, I set up a Linux server running a web server… and more. I configured the server with KVM virtualisation and multiple VLANs managed by KVM. A web server VM was created with an attached interface associated with VLAN7. The KVM server will terminate the VLAN (set-up for KVM outside scope of this blog post). Assign the web server IP: 192.168.7.2/30.

From the Management GUI of the RPI:
1. Configure static route for internal network access (192.168.0.0/24).

2. Configure NAT.


3. Configure firewall rules using the same process as above, but with the following rules.

NOTE: There is logging here for access from ETH00 to each VLAN interface.
4. Configure Captive Portal:
    4a. Go to Users > Captive Portal.
    4b. Select an interface:  ETH00.
    4c. Click on Save.
    4d. Check Active on: ETH00.
    4e. Under Gateway Parameters, select Client Identify = Only IP Address.

    4f. Under Authenticator Validity, select 60 from drop down.
    4g. Click Save again.


5. Configure Users:
    5a. Go to Users > Users.
    5b. Click on Add in main blue menu at top.
    5c. Fill in details such as username and password.  First and Last name required.
    5d. Click on Submit.
6. Test VLAN access by pinging the web server at 192.168.7.2.  It follows the same process as above for testing the Internet connection except the IP is the web server IP.

On the LAN PC, browse to http://192.168.7.2:
1. Verify Captive Portal page shows up.  
2. Enter user credentials.
3. Verify the web server page appears.

On the 192.168.7.2 web server, verify connectivity to the Internet by pinging 8.8.8.8.