Windows 2008 / NAT / Direct connections

Yesterday I ran into an interesting problem with Windows 2008’s implementation of NAT (don’t ask – this was the best solution – I certainly don’t recommend using Windows for this purpose).

Whenever I enabled the NAT service, I was unable to reliably connect to the machine via remote desktop or any other service that machine was offering. Packets sent to the machine were dropped as if a firewall was in between, but there wasn’t one, and the Windows firewall was configured to allow remote desktop connections.

Strangely, sometimes and from some hosts I was able to make a connection, but not consistently.

After some digging, this turned out to be a problem with the interface metrics: the server tried to respond over the interface with the private address, which wasn’t routed.

So if you are in the same boat, configure the interface metrics of both interfaces manually. Set the metric of the private interface to a high value and the metric of the public (routed) one to a low value.

At least for me, this instantly fixed the problem.
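The manual metric fix described above, written out as an added example (not from the original post). The interface names "Public" and "Private" and the metric values are assumptions; substitute the names that `netsh interface ipv4 show interfaces` prints on your machine.

```powershell
# Added example, not from the original post.
# Assumed interface names: "Public" (routed) and "Private" (NAT-internal).

# 1. Inspect the current metrics. With automatic metrics both NICs may end up
#    with similar values, so replies can leave via the unrouted private NIC.
netsh interface ipv4 show interfaces

# 2. Pin the metrics: low on the routed interface, high on the private one.
netsh interface ipv4 set interface "Public"  metric=10
netsh interface ipv4 set interface "Private" metric=100

# 3. Confirm that the default route (0.0.0.0/0) now prefers the public interface
#    (the route with the lowest combined metric wins).
route print -4 | Select-String "0.0.0.0"
```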

802.11n, Powerline and Sonos

I decided to have a look into the networking setup for my bedroom as lately, I was getting really bad bandwidth.

Earlier, while unable to stream 1080p into my bedroom, I was able to watch 720p, but lately even that has become choppy at best.

In my bedroom, I was using a Sonos Zone Player 100 connected via Ethernet to a Devolo A/V 200MBit power line adapter.

I have been using the switch integrated into the zone player to connect the bedroom MacMini media center and the PS3 to the network. The idea was that powerline would provide better bandwidth than WiFi, which it initially seemed to do, but as I said, lately this system became really painful to use.

Naturally I had enough and wanted to look into other options.

Here’s a quick list of my findings:

  • The Sonos ZonePlayer actually acts as a bridge. If one player is connected via Ethernet, it’ll use its mesh network to wirelessly bridge that Ethernet connection to the switch inside the Sonos. I’m actually deeply astonished that I even got working networking with my configuration.
  • Either my Devolo adaptor is defective or something strange is going on in my power line network – a test using FTP never yielded more than 1 MB/s throughput which explains why 720p didn’t work.
  • While still not a ratified standard, 802.11n, at least as implemented by Apple, works really well and delivers a constant 4 MB/s throughput in my configuration.
  • Not wanting to risk cross-vendor incompatibilities (802.11n is not ratified after all), I went the Apple Airport route, even though there probably would have been cheaper solutions.
  • Knowing that bandwidth rapidly decreases with range, I bought one AirPort Extreme Base Station and three AirPort Expresses which I’m using to do nothing but extend the 5 GHz n network.
  • All the AirPort products have a nasty constantly lit LED which I had to cover up – this is my bedroom after all, but I still wanted line of sight to optimize bandwidth. There is a configuration option for the LED, but it only provides two options: Constantly on (annoying) and blinking on traffic (very annoying).
  • While the large AirPort Extreme can create both a 2.4 GHz and a 5 GHz network, the Express ones can only extend either one of them!

This involved a lot of trying out, changing around configurations and a bit of research, but going from 0.7 MB/s to 4 MB/s in throughput certainly was worth the time spent.

Also, yes, these numbers are in Megabytes unless I’m writing MBits in which case it’s Megabits.

Google Apps: Mail Routing

Just today, while beginning the evaluation of a Google Apps For Your Domain Premium account, I noticed something that may be obvious to all of you Google Apps users out there, but certainly isn’t documented well enough for you to notice before you sign up:

Google Apps Premium has kick-ass mail routing functionality.

Not only can you configure Gmail to only accept mail from a defined upstream server, thus allowing you to keep the MX pointed at some already existing server where you can do alias resolution, for example. No. You can also tell Gmail to send outgoing mail via an external relay.

This is ever so helpful as it allows you to keep all the control you need over incoming email – for example if you have email-triggered applications running. Or you have email-aliases (basically forwarders where xxx@domain.com is forwarded to yyy@other-domain.com) which Google Apps does not support.

Because you can keep your old MX, your existing applications keep working and your aliases continue to resolve.

Allowing you to send all outgoing mail via your relay, in turn, allows you to get away without updating SPF records and forcing customers to change filters they may have set up for you.

This feature alone can decide between a go or no-go when evaluating Google Apps and I cannot understand why they have not emphasized this way more than they currently do.

Managed switch

Yesterday I talked about configuring a VLAN in my home network.

VLAN is a technology using some bits in Ethernet frames to create virtual network segments on the same physical network, but just go ahead and read the linked Wikipedia article as it’s more detailed than what I would want to go into.

To really make use of VLANs, you are going to need at least one managed switch (two in my case). I knew this and I was looking around for something useful.

In the end, I ended up with two HP ProCurve 1800-8G’s: I wanted something that has at least 8 ports and was Gigabit capable as I was feeling the bandwidth cap on the previous 100M connection between shion and my media center when streaming 1080p content.

That’s something I hope to solve with the 1G connection, though the Drobo may still be the limiting factor here; still, a theoretical 480 MBit is better (where are the MacMinis with the FireWire 800 interface?) than the 100 MBit I was constrained to with the old setup.

The ProCurves are fanless, provide 8 ports and have a really nice web interface which is very easy to use and works in all browsers (as opposed to some Linksys devices which only work with IE6 (not even IE7 does the trick)). Also, the interface is very responsive and it even comes with an excellent online help.

With only 10 minutes of thought going into the setup and another 5 minutes to configure the two switches, I was ready to hook them up and got instant satisfaction: In my server room I plugged a test machine into any of the ports 2-7 and got onto VLAN1 (the internal network). Then I plugged it into port 8 and promptly was on VLAN2 (as evidenced by the public IP I got).

I have only three minor issues with the configuration of the two switches so far:

  1. They come with an empty administration password by default and don’t force you to change it. Now granted, on a switch you cannot do as much mischief as on a router or, worse, a NAS or access point, but it’s still not a good thing.
  2. They come preconfigured with the address 192.168.2.10 and DHCP disabled, practically forcing you to configure them locally before plugging them in. I would have hoped for either DHCP enabled or, even better, the possibility of configuring them using RARP. Or they could provide a serial interface, which they do not.
  3. To reset them, you have to unplug them, connect port 1 with port 2 and restart them. While this prevents you from accidentally resetting them, the procedure is a pain to do and when the time comes that I will have to do this, I’ll probably have forgotten the procedure.

But these are minor issues. The quick web interface, the excellent online help and the small fanless design make this the optimal switch once you have advanced requirements to fulfill despite not needing more than 8 ports.

There’s a larger 24 port cousin of the 1800-8G, but that one has a fan, so it was no option in my case – especially not in the sideboard where I’m now at the end of the 8 port capacity.

VMware shared folders and Visual Studio

Ever since I’ve seen the light, I’m using git for every possible situation. Subversion is ok, but git is fun. It changed the way I do development. It allowed me to create ever so many fun features for our product. Even in my spare time – without the fear of never completing and thus wasting them.

I have so many branches of all our projects – every one of them containing a useful, but just not ready for prime-time feature. But when the time is right, I will be able to use that work. No more wasting it away because a bugfix touches the same file.

The day I dared to use git was the day that changed how I work.

Now naturally, I wanted to use all that freedom for my Windows work as well, but as you know, git just isn’t quite there yet. In fact, I had an awful lot of trouble with it, mainly because of its integrated SSH client that doesn’t work with my PuTTY/Pageant setup and such.

So I resorted to storing my Windows development stuff on my Mac file system and using VMware Fusion’s shared folder feature to access the source files.

Unfortunately, it didn’t work very well at first as this is what I got:

Error message saying that the 'Project location is not trusted'

I didn’t even try to find out what happens when I compile and run the project from there, so I pressed F1 and followed the instructions given there to get rid of the message that the “Project location is not trusted”.

I followed them, but it didn’t help.

I tried adding various UNC paths to the intranet zone, but none of them worked.

Then I tried sharing the folder via Mac OS X’s built in SMB server. This time, the path I’ve set up using mscorcfg.msc actually seemed to do something. Visual Studio stopped complaining. And then I found out:

Windows treats host names containing a dot (.) as internet resources. Hostnames without dots are considered to be intranet resources.

\\celes\windev worked in mscorcfg.msc because celes, not containing a dot, was counted as an intranet resource.

.host contains a dot and is therefore counted as an internet resource.

This means that to make the .NET framework trust your VMware shared folder, you have to add the path to the “Internet_Zone”. Not the “LocalIntranet_Zone”, because the framework loader doesn’t even look there.

Once I had changed that configuration, Visual Studio complained that it was unable to parse the host name – it seems to assume that host names do not start with a dot.

This was fixed by mapping the path to a drive letter like we did centuries ago.
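The same two steps (trusting the share under Internet_Zone, then mapping it to a drive letter), written out as an added example rather than the post’s own mscorcfg.msc clicks. It uses caspol.exe, the command-line counterpart of mscorcfg.msc for .NET 2.0/3.x security policy; the share name "windev" and the drive letter Z: are assumptions.

```powershell
# Added example, not from the original post. Assumed: share "windev", drive Z:.
# Run from an elevated prompt where caspol.exe is on the PATH
# (it lives in the .NET 2.0 framework directory that mscorcfg.msc manages).

# Zone rule the post found: a host name with a dot (".host") is classified as
# Internet, a dotless one ("celes") as LocalIntranet. Hence the parent group
# must be Internet_Zone; a child of LocalIntranet_Zone is never evaluated.
caspol.exe -pp off          # suppress the "are you sure" prompt for scripting
caspol.exe -m -ag Internet_Zone -url "file://\\.host\Shared Folders\windev\*" FullTrust

# Verify the new code group shows up under Internet_Zone at machine level.
caspol.exe -m -lg

# Visual Studio cannot parse a host name that begins with a dot, so give the
# share a drive letter as well.
net use Z: "\\.host\Shared Folders\windev" /persistent:yes
```

Keep the URL membership condition as narrow as the share you actually work from; a trailing `\*` covers subfolders but nothing outside that path.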

Now VS is happy and I can have the best of all worlds:

  • I can keep my Windows development work in a git repository
  • I have a useful (and working) shell and ssh-agent to actually “git svn dcommit” my work
  • I don’t have to export any folders of my Mac via SMB
  • Time Machine now also backs up my Windows work, which I had to do manually until now.

Very nice indeed, but now back to work (with git :-) ).