The First Maker Space and Tech Community For Markham, Richmond Hill, Thornhill, & Vaughan.

We’ve been quiet on the blog over the spring… and even quieter over the summer as we got distracted by vacation, herding kids around, long lazy evenings and other seasonal distractions.

We have a lot of news to catch up on, and we’ll start with the most important thing: our wonderful home at the City of Richmond Hill’s David Dunlap Observatory.

Richmond Hill Park and DDO PRO Awards of Excellence

On Thursday, March 28, Parks and Recreation Ontario (PRO) handed out their annual Excellence Awards, and Richmond Hill cleaned up!

Snakes and Ladders Park received the award for Parks or Facility Design, and the David Dunlap Observatory won the award for Operations Excellence.

The City (we can’t call Richmond Hill a Town anymore) and the PRO committee recognised both the efforts of the Parks and Recreation Department and the partners at the DDO – our friends at RASC Toronto Centre, the DDO Defenders, Western University and us, the ylab basement dwellers. And they invited us to the awards ceremony in Collingwood!

Our congratulations and thanks to the City and to all the other partners. It’s a privilege to be at the DDO – and we’re all just getting started!

Disaster recovery in a briefcase. Part 1.

A ylab member has a requirement for a backup firewall… and more. At her company, they use a top-quality commercial firewall that provides and front-ends a suite of other services, like VPN access into the company and a captive portal to control access to several outbound VPNs to customers. They use multiple internet connections with services distributed across them. That makes them very dependent on this firewall’s operation – which brought up some big questions:

  • What do they do if the firewall is down for maintenance or service?
  • What if they are blocked from their office and need a disaster recovery replacement?
  • What would it cost to duplicate the services?

The simple answer would be to replicate everything with the same hardware. But that’s a very costly exercise, and the existing gear takes up a lot of space. Could a simpler solution work?

Here’s how she solved the problem.

Dual Raspberry Pi: Firewall and Captive Portal With Zeroshell

This got me thinking… many modern firewalls have Linux at their core. The Raspberry Pi (RPi) has Linux at its core. Current Raspberry Pis have as much power as full computers from just a few years ago.

Using RPi, could I build a compact, emergency firewall system that meets our requirements? The list is extensive:

  • Manage dual Internet connections:
    • One for internal general internet use.
    • One for protected gateway use.
  • Protected gateway zone – multiple external VPN access:
    • VLAN terminations for separate gateways to each VPN
    • Gateways require internet access.
    • Captive portal controlling gateway access.
    • Logging access for traffic from internal network to protected gateway network, including identification of VLAN gateway being accessed.
  • General internet usage is not behind Captive Portal (no authentication required).

Web searches pointed me to Zeroshell. You can look at the web page – the feature list is impressive: multiple Internet connections; VPN capability; a Captive Portal for the control required over the external VPNs. The management interface looks good. And great Raspberry Pi support.

I picked up new hardware to run the test – a Raspberry Pi 3B+ with two additional USB Ethernet adapters. With SD card, power supply, case and other bits, it cost me less than $150 (Canadian). Raspberry Pi 4 was announced the week before, but still not locally available.

Loading Zeroshell was simple. The provider of the Raspberry Pi kit recommended Balena Etcher software for loading system IMG files. It worked without problem for the Zeroshell image.

The Zeroshell management interface proved comprehensive and easy to use. I have more detail on the configuration sequence at the end of this post.

One big glitch: the Captive Portal configuration is all or nothing. That means a portal login would be required both for the access to the restricted outbound VPN gateways, and for general Internet access. That’s more than just a nuisance. It could be a problem for some of our automated systems.

I could spend a bunch of time trying to work around this… or just spend another $150 for a second RPi with all the bits to run the Zeroshell Captive Portal separately behind the firewall.

Would performance be adequate? Our Internet connections for this project are a couple of DSL lines. We ran throughput tests and found the RPis with Zeroshell could sustain better than 88 Mbits/sec through the firewall.

It worked. It passed all our tests. And it’s so compact, we could fit it in a briefcase with plenty of room to spare.

We’re looking at Phase 2 – what critical infrastructure and storage could we add to a briefcase for a completely portable disaster recovery solution?

Stay tuned!

Detailed configuration and setup

Basic Zeroshell configuration for the following network topology:



For each Raspberry Pi:

  1. Flash Zeroshell onto SD card using Canakit balena Etcher software.
  2. Boot and create a new Profile. This will also allow you to specify the Management interface (ETH00).
  3. Configure IP addresses on Zeroshell as indicated in the network topology above.

For performance reasons, the Zeroshell RPi image is “headless” – i.e. no web browser. When you load it, all you are working with is a limited text-based interface. The management interface is provided through an Apache web server included in the Zeroshell installation. You access the graphical management interface from a web browser on another system.

After the network configuration and topology are set on the Zeroshell text interface, hook up a PC to the network for GUI access. You need to pre-configure the PC with an IP address on the same subnet as the Zeroshell management interface.

IP addresses changed in this post to protect whatever needs to be protected. Use your own.


First configure the RPI internet connection:
  1. Configure the PC with the selected IP (192.168.0.100/24) and set its default Gateway to the address of the RPi (192.168.0.1/24).
  2. Connect to the web interface of RPI-internet: https://192.168.0.1
  3. Accept the certificate errors and add an exception to the browser. NOTE: Fixing this certificate issue is outside the scope of this blog post.

Management GUI of RPI-internet: Static Route Configuration

  1. Add static routing rule for protected VLAN access:
    1a. Go to the Network > Router page.
    1b. Click on Add to add a Static route.
    1c. In the Static Route pop-up, add a route for Destination network 192.168.7.0/30 using Gateway 192.168.2.2.
  2. Configure NAT for internet access:
    2a. Go to Network > Router.
    2b. Click on NAT on the main blue menu at top.
    2c. In the Network Address Translation pop-up, add ETH01 to the NAT Enabled Interfaces list.
    2d. Save NAT rules.
  3. Configure Firewall WAN, LAN, and protected gateway access:
    3a. Go to Security > Firewall.
    3b. Ensure you’re on the FORWARD page.
    3c. Change default policy from ACCEPT to DROP.
    3d. Add Firewall rules as shown below.
    3e. Save firewall rules.
  4. Test the Internet connection:
    4a. Go to the Network > Router page.
    4b. In the top corner, select Check IP.
    4c. In the pop-up dialog, enter IP to check: 8.8.8.8 (Google’s DNS).
    4d. Click Check and verify RPI-internet is able to connect.
  5. Check Internet access from the PC.

To test the Captive Portal to the protected customer VPN network, I set up a Linux server running a web server… and more. I configured the server with KVM virtualisation and multiple VLANs managed by KVM. A web server VM was created with an interface attached to VLAN7. The KVM server terminates the VLAN (KVM set-up is outside the scope of this blog post). Assign the web server IP: 192.168.7.2/30.

From the Management GUI of the RPI:
  1. Configure a static route for internal network access (192.168.0.0/24).
  2. Configure NAT.
  3. Configure firewall rules using the same process as above, but with the following rules.

NOTE: There is logging here for access from ETH00 to each VLAN interface.

  4. Configure Captive Portal:
    4a. Go to Users > Captive Portal.
    4b. Select an interface: ETH00.
    4c. Click on Save.
    4d. Check Active on: ETH00.
    4e. Under Gateway Parameters, select Client Identify = Only IP Address.
    4f. Under Authenticator Validity, select 60 from the drop-down.
    4g. Click Save again.
  5. Configure Users:
    5a. Go to Users > Users.
    5b. Click on Add in the main blue menu at top.
    5c. Fill in details such as username and password. First and Last name are required.
    5d. Click on Submit.
  6. Test VLAN access by pinging the web server at 192.168.7.2. It follows the same process as above for testing the Internet connection, except the IP is the web server IP.

On the LAN PC, browse to http://192.168.7.2:
  1. Verify the Captive Portal page shows up.
  2. Enter user credentials.
  3. Verify the web server page appears.

On the 192.168.7.2 web server, verify connectivity to the Internet by pinging 8.8.8.8.
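The steps above are all done in the Zeroshell GUI, so it is easy to lose track of whether the finished pair of boxes actually meets the requirement list (general Internet not behind the portal, protected VLANs behind it, default DROP, logging of ETH00-to-VLAN access). The following is an added example, not code from the post or from Zeroshell: a small Python model of the two-RPi policy that lets you check each test in the post before running it on the hardware. The addresses, interface names ETH00/ETH01 and VLAN7 and the routes come from the post; the name ETH02 for the link between the two boxes, the 192.168.2.0/30 link network, the exact FORWARD rule set (the post's rule screenshots are not reproduced here) and the empty NAT list on the second box are assumptions made for this model. Reply packets are taken to be admitted by connection tracking and are not modelled.

```python
from ipaddress import ip_address, ip_network

# Interfaces and addresses from the post: LAN 192.168.0.0/24 on ETH00, WAN on
# ETH01 (NAT), protected network 192.168.7.0/30 reached via 192.168.2.2, and
# the captive portal active on the second box's ETH00.  The names ETH02 and
# VLAN7, the 192.168.2.0/30 link and the FORWARD rule set are assumptions.
RPI_INTERNET = {
    "routes": [("0.0.0.0/0", "ETH01"), ("192.168.0.0/24", "ETH00"),
               ("192.168.2.0/30", "ETH02"), ("192.168.7.0/30", "ETH02")],
    "nat": {"ETH01"},
    # (in_iface, out_iface) pairs still allowed to start a flow after the
    # default FORWARD policy is changed to DROP.
    "forward": {("ETH00", "ETH01"), ("ETH00", "ETH02"), ("ETH02", "ETH01")},
    "portal": None,
    "log": set(),
}
RPI_PORTAL = {
    "routes": [("0.0.0.0/0", "ETH00"), ("192.168.0.0/24", "ETH00"),
               ("192.168.7.0/30", "VLAN7")],
    "nat": set(),                   # NAT settings for this box are not given in the post
    "forward": {("ETH00", "VLAN7"), ("VLAN7", "ETH00")},
    "portal": "ETH00",              # Captive Portal active on ETH00
    "log": {("ETH00", "VLAN7")},    # logging of ETH00 -> VLAN access
}


def route(box, dst):
    """Longest-prefix match over the box's routing table (Network > Router)."""
    best = None
    for net, iface in box["routes"]:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1]  # the default route guarantees a match


def forward(box, src, dst, in_iface, authenticated=frozenset()):
    """Fate of the first packet of a flow entering `box` on `in_iface`.

    Returns (verdict, out_iface, log_line).  `authenticated` is the set of
    client IPs holding a portal session: with Client Identify = Only IP
    Address the session is bound to the source address alone, so any host
    able to use that address on the portal interface inherits it.
    """
    out_iface = route(box, dst)
    if box["portal"] == in_iface and src not in authenticated:
        return ("PORTAL", out_iface, None)      # redirected to the login page
    if (in_iface, out_iface) not in box["forward"]:
        return ("DROP", out_iface, None)        # default FORWARD policy DROP
    log = None
    if (in_iface, out_iface) in box["log"]:
        log = f"FORWARD {in_iface}->{out_iface} {src} -> {dst}"
    verdict = "ACCEPT+NAT" if out_iface in box["nat"] else "ACCEPT"
    return (verdict, out_iface, log)


def trace(src, dst, authenticated=frozenset()):
    """Walk a LAN-originated flow through RPI-internet and, when it is routed
    towards the protected side, on through RPI-portal.  Returns one
    (box, verdict, out_iface, log) tuple per hop."""
    hops = []
    verdict, out, log = forward(RPI_INTERNET, src, dst, "ETH00", authenticated)
    hops.append(("RPI-internet", verdict, out, log))
    if verdict.startswith("ACCEPT") and out == "ETH02":
        verdict, out, log = forward(RPI_PORTAL, src, dst, "ETH00", authenticated)
        hops.append(("RPI-portal", verdict, out, log))
    return hops


if __name__ == "__main__":
    pc = "192.168.0.100"                                  # the LAN PC from the post
    for hop in trace(pc, "8.8.8.8"):                      # general Internet: no portal
        print(hop)
    for hop in trace(pc, "192.168.7.2"):                  # protected VLAN: portal first
        print(hop)
    for hop in trace(pc, "192.168.7.2", {pc}):            # after login: forwarded and logged
        print(hop)
    print(forward(RPI_PORTAL, "192.168.7.2", "8.8.8.8", "VLAN7"))   # gateway needs Internet
    print(forward(RPI_INTERNET, "203.0.113.5", pc, "ETH01"))        # unsolicited WAN -> LAN
```

Running it reproduces the post's test sequence: the PC reaches 8.8.8.8 through NAT with no portal involved, the first packet to 192.168.7.2 is caught by the portal on the second box, and after the IP is added to the session set the same flow is forwarded to VLAN7 with a log line. The last case shows what the switch from ACCEPT to DROP buys: a flow arriving on the WAN side towards the LAN has no matching FORWARD pair and is dropped. Because the portal identifies clients by IP only, the 192.168.2.x link between the two boxes has to be treated as trusted cabling, not a shared segment.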

Ylab invades a library. Again.

Richmond Hill’s Richmond Green Library held their third annual March Break Maker Week Kick-Off on Saturday March 9 2019 – and ylab was there.

It’s ylab… so of course we had light sabres!

Mandatory equipment: 3D printed DDO dome and light sabres.

A big hit with the kids was the hand-cranked generator, with good old analog meters and buttons to press. Beats an LED display any day.

Buttons! Real dials! A crank!

And no display would be complete without some robots running around.

ArduinoBot and RossBot. Which is which?

We had lots of other 3D printed and laser cut creations like the rope-making machine.

Count the cranks in this post. The generator crank, this rope-making crank, and some of the assorted ylab members.

Big thank you to Richmond Hill Public Libraries and all their staff for inviting us and putting up with us, and to ylab members Ross, Pek, Richard and Miro for taking a valuable Saturday – and all the planning and preparation time – to bring in all the stuff and make it all happen.

More robots! More mayhem!

Many of the early ylab members were brought together by their love of robotics, and on Tuesday February 19 they’ll be sharing the love with our first Robotycs open house since our re-opening. This will be the start of our monthly Robotycs nights.

There have been a lot of advances since the last time we had a Robotycs meetup. Technology has moved from simple range finders to full-room LIDAR scanners. Costs have dropped dramatically, with some amazing deals on Arduino-based kits that give you lots of room to learn and to innovate.

Our Robotycs evenings all start off with show-and-tell, where you can bring in your creations to demonstrate, or just to ask for help and advice.

We’ll be giving an overview of what’s in the new kits and why we like it.

Register here to come out and join the fun.

YLab Robotics Logo

Not him. The plastic.

The end of 2019’s first January cold snap brought out a whole lot of members and new visitors to our What’s This Laser Cutter Stuff All About? open house. Ylab’s Richard gave an extensive presentation on the materials you can use and the types of engraving you can make.

Great attendance from visitors and members

The highlight was some of his work with plastics and plexiglass, building up components in layers to make a complex manifold, and threading the plastic to hold screws and other fittings.

Explaining how it’s done – using a solvent to melt and bond

The meltdown happens when you bond together the plastic walls and layers to form a manifold. Instead of glue, you use the appropriate solvent for the plastic. The two surfaces melt a tiny bit and bond when pressed together. He’s tested the resulting piece to 60 PSI. He’s used the same techniques for water and air devices.

Best of all, participants in next week’s laser cutting class (sold out!) will learn to do it for themselves.

Did it or didn’t it?

Ylab isn’t the only group haunting the DDO. We’re responsible for the strange sounds emanating from the basement – the things that go bump in the nights we are there. OK, more than bumping. Sparking, zapping, banging… On the upper floors we have the Royal Astronomical Society of Canada Toronto Centre (RASC), and the DDO Defenders (DDOD), delivering great astronomy programs for adults, families and kids. We often see them hosting hordes of Scouts and Girl Guides earning their astronomy badges.

Astronomers are often makers. We know that from our telescope makers night a few years ago. Our friend Eric from RASC, upon reading our post on the Big Lathe, put up a theory that the lathe was used to make the 19-inch telescope sitting in one of the domes on top of the DDO administration building. Eric pointed us to this 1930 RASC Journal paper by R.K. Young on the design and construction of that telescope. Young built it himself. That paper has become required reading for telescope makers.

Young was more than a telescope builder. He was Director of the DDO from 1935-1945, and, according to RASC’s bio, an astronomer’s astronomer. He had a big role in the design of the DDO’s flagship 74-inch telescope.

According to the RASC bio, Young built his 19-inch telescope between 1926 and 1928. In the RASC Journal, Young says:

“It has been completed with the aid of a very modest workshop and occasional help for such work as could not be done on a lathe.”

But did Young use this lathe for his 19-inch design?

Plaque on the lathe. This is generally considered to be a clue.

The Big Lathe was donated by Young to the DDO in 1934. Was it new equipment for the DDO, or was it donated after he used it to construct his telescope?

In our earlier post, we said the lathe was built in 1926. That’s according to a number cast into the iron base. Our lathe expert Miro said that’s probably a couple of years too early. The manufacturing process at the time involved casting the base, letting it sit around for a couple of years to ensure the metal was completely stabilised, and then completing the assembly. Better to look at the serial number, Miro says. The last two digits for a South Bend lathe indicate the production year. They read 28. As in 1928. It would then have to make its way from South Bend, Indiana to A.R. Williams, the Toronto machinery dealer, and to whoever purchased it.

Is that time frame too tight for completing Young’s telescope in 1928? Would a lathe have been used early or late in the process? Is the Big Lathe too big for what Young describes as a “very modest workshop”? Was Young being modest about his workshop? This Toronto Star archive photo shows the telescope in a location that is definitely not one of the DDO domes.

Inquiring minds want to know!

All this just to pop a balloon???

While ylab maker space is for adults, it doesn’t stop us from helping out with some stuff for kids. If you’ve come to one of our open houses, you’ve seen some of the things we’ve put together for Scout groups and camps. This fall we provided some assistance for a Rube Goldberg machine project.

The Scouts from 8th Richmond Hill group are a fixture at Richmond Hill and other area events – the Santa Claus Parade, camping out in the snow at the Richmond Hill Winter Carnival (coming up on Feb 2 & 3 2019), the Remembrance Day March, helping out at York Region Amateur Radio Club’s hamfest… and generally keeping your kids out of the kind of trouble you don’t want them into, and into the kind of fun trouble you get into at Scout camps and events.

The group has a Technical Venturers company that we’ve worked with to develop amateur radio certification material. This fall they were participating in the Blue Springs Scout Reserve Rube Goldberg Machine contest.

The result – with all components built by the youth – is a monumentally complex system to pop a balloon. They used Meccano, Lego, Hot Wheels and other old toys; a steam engine; Arduino electronics… and the list goes on. Check out the video of the creation here on youtube. It filled a basement. No, it wasn’t our DDO basement. 

Yes, that’s a steam engine… popcorn maker… old Meccano… bits of Lego… and that’s just the first step.

Video submission for the contest was Dec 31, and they are eagerly awaiting completion of the judging some time in January.

Come out to the maker space, learn some new skills, and you can have a lot of fun spreading the knowledge by helping out with other groups. Might even be your own kid!