──────────────────────────────────────────────────────────────────────────────────────────────────────────────── ════════════════════════════════════════════════════════════════════════════════════════════════════════════════ Getting the LAN Services Right: dhcpd, bind8, Squid and Adzapper ──────────────────────────────────────────────────────────────────────────────────────────────────────────────── ════════════════════════════════════════════════════════════════════════════════════════════════════════════════

│ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║

C:\LINUX\HOMERO~1>type gettin~1.htm

Getting the LAN Services Right: dhcpd, bind8, Squid and Adzapper

The DSL line is there now and the Debian box on the 486 can already boot and go online. That was the first important check. But that alone does not make it a real router replacement.

The real pain is not only getting one machine online. The real pain is making one machine useful for the whole LAN.

This is the part where a lot of nice migration ideas die. One machine can route, yes, but does it really replace the old box? That means:

clients must get addresses
clients must resolve names
web must go through a proxy if I want the same traffic saving as before
and all this must survive reboot

Only then it is serious.

So this is what I do now on the Debian Potato install on the 486. The disk is still in the 486. The Cyrix Cx133 is still the production router. The old machine is still serving the flat. This is good because it gives me space to break things on the 486 without immediately making everybody angry.

First I want the boring things

I noticed already some time ago that good router work is mostly boring work.

The exciting things are:

first successful dial
first firewall rules
the syslog hack
the DynDNS update

But the part which decides if people trust the router is boring:

DHCP must just work
DNS must just work
Squid must just work

If these things fail, then nobody cares how clever the rest is.

So my goal with the 486 is not elegance. The goal is: one by one make the LAN services boring.

dhcpd: the service which becomes annoying because the old router is still alive

I install dhcpd from the Potato package set, which means ISC DHCP 2.0 generation. The config itself is not very exotic. One subnet, one range, one gateway, one resolver.

Something small like this:

1
2
3
4
5
6
7
8
9


default-lease-time 600;
max-lease-time 7200;

subnet 192.168.42.0 netmask 255.255.255.0 {
  range 192.168.42.100 192.168.42.140;
  option routers 192.168.42.254;
  option domain-name-servers 192.168.42.254;
  option domain-name "home.lan";
}

Nothing special. The problem is not the syntax. The problem is that there is already another dhcpd on the network: the one on the current production router.

So now I have the classic transition-phase nonsense:

the new router should answer
the old router must keep serving the LAN
but if both answer, testing becomes stupid

At first I try to be clever. I think maybe I can just test with one client and time it right. That is not nice. Sometimes the old one answers first, sometimes the new one, and then the result is unclear and I get angry at the wrong machine.

After that I stop pretending and just do it properly. For a test window I disable dhcpd on the old router, then I bring up dhcpd on the 486 and check one client cleanly. That is much better. The client gets:

address
gateway
resolver

and then I know at least that the DHCP part itself is correct.

This was a little more hassle than I expected, but it also showed me again that migration work is very often not about software difficulty. It is about two valid systems existing at the same time.

bind8: keep it boring and forwarding

For DNS I use bind8, which in Potato is BIND 8.2.3. I do not want to make anything fancy from it.

No authoritative zones.
No big internal DNS kingdom.
No strange split-horizon ideas.

I only want:

clients ask the router
the router forwards to upstream resolvers
answers get cached

That is enough.

The config is small and I like that. A router which serves the LAN should do small things very reliably before it does big things very impressively.

The practical effect is immediately visible. When I move a test client to the 486 as resolver and start doing repeated lookups, the difference is small but nice. The first lookup goes out, the later ones are local and faster. More important than the speed is the centralization: now the router is the one place where I can see DNS behavior.

And debugging becomes simpler when one machine owns one concern.

That is maybe the general theme of this whole router story now. I keep moving functions into the router not because I want one giant monster box, but because I want one place where the edge behavior is visible and manageable.

Squid comes back, but cleaner

Squid was already a good idea in the ISDN phase. On ISDN it was almost impossible to dislike the idea of caching. If one image or one stupid page element comes a second time through the line, then I want it local.

On DSL the pressure is smaller, but I still want the proxy. Partly for cache, partly for control, partly because I just like the idea that the router can shape traffic a little bit instead of only forwarding it.

Potato gives me Squid 2.2 and that is fine.

The basic proxy setup is not the hard part. The hard part is always the tiny things:

browser config on test clients
access rules
cache directory init
making sure the daemon really starts on boot and not only when I am standing next to it

After some tries it works. Pages load through the proxy and repeated fetches feel good. Then the funny extra comes back.

Adzapper is still one of my favourite things

I know Adzapper is not some deep engineering masterpiece, but I still like it a lot.

It does exactly the kind of practical thing I enjoy:

one small tool
put in the right place
removes a lot of stupid traffic and ugly banners

When it works, the browser gets the page, but where there used to be a banner or other useless graphic, there is now a placeholder image saying “This ad zapped”.

Perfect.

This is useful in three ways at the same time:

less traffic
cleaner pages
a visible sign that the proxy is really doing something

And honestly the third point is maybe the one I enjoy most. A cache is invisible most of the time. Adzapper is visible. It says: yes, the router is not only passing traffic, it is protecting me from some nonsense too.

I install it and immediately like the result again. On ISDN it directly saved connection time and almost directly money. On DSL it still saves bandwidth and makes browsing less ugly.

The web is not getting better by itself, so I do not feel guilty doing this at all.

Testing order matters

At some point I write a checklist because without one I start jumping between services and then I lose the clear state.

My testing order becomes:

DSL up after reboot
local interface up
dhcpd lease works
DNS forward/cache works
Squid proxy works
Adzapper visibly works
second reboot
test again

The second reboot is important. Too many things work once because the admin is standing there. I want it to work when nobody is standing there.

That is maybe the difference between “nice evening success” and “router success”.

The 486 as preparation table

By now I am completely convinced that the 486 is the right preparation machine for this migration.

If I had tried to do all this directly on the production router, I would already hate myself by now.

Because then every DHCP mistake means:

no client gets a lease
DNS becomes unclear
web breaks
and the whole flat knows about my learning curve

On the 486 it is different. The mistakes are still annoying, but they are private mistakes first. That is much better.

Also, it gives me the nice psychological effect that the new router already exists before the swap. The disk already has a personality. The services already exist. The machine already behaves like the new router. The final swap is then more hardware logistics than system creation.

What is still missing before the swap

Even now I do not want to rush it.

Before I move the disk to the Cyrix box, I still want:

one more cold boot test
one clean DHCP test with the old router quiet
one browser test with Squid and Adzapper on more than one client
one simple long-running check that nothing stupid dies after two hours

Only then I will trust it enough.

The migration itself is actually the smaller dramatic action. The bigger question is whether all these little LAN services are really boring enough.

And I think that is where the real router quality lives.

The syslog hack was more exciting.
The first ISDN dial was more exciting.
The first stable DSL sync was more exciting.

But this part is maybe more important.

Because when the disk finally goes from the 486 into the Cyrix box, I do not want a nice Debian install. I want a real replacement for the old router.

That is now very close.

▲

▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ █ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒ ▒

▼