I have been able to set up a wireless mesh network using batman-adv running on a few Raspberry Pis. The Pis are able to detect each other on the mesh, communicate between each other, and share an internet connection if any Pi on the network is acting as a gateway.
The problem I am facing is that if multiple gateways exist on the network, the clients (devices which are receiving the internet connection by the gateway) will never switch to getting their internet connection from any other gateway than the one they initially obtained it from, even if the routing algorithm detects that they have a better connection to another gateway.
Each gateway is running a DHCP server to assign IP addresses to the clients accessing the internet through them. The DHCP server I am using is dnsmasq.
The expected behaviour is either:
the clients send a DHCP request to the gateway capable of providing the better connection and end their lease with their current DHCP server, or
the clients keep their assigned IP from the DHCP server and (magically?) start accessing the internet through the gateway capable of providing the better connection.
Neither of these scenarios are happening. If for whatever reason the gateway providing the internet to a client drops, the client will not attempt to create a new connection until the DHCP lease times out. However this is contradictory to what is claimed on the wiki for this package: https://www.open-mesh.org/projects/batman-adv/wiki/Gateways
Please advise on how to configure this mesh network so that either one of the expected behaviours will happen.
This is exactly the expected behavior at the IP layer.
If a DHCP server provides a default gateway, that gateway remains in place for the life of the lease. The DHCP client, by design, cannot definitively determine if the default gateway is down.
DHCP is a poll-based protocol; a DHCP server cannot proactively change the parameters of a lease until the DHCP client requests an update. The instructions in the link of your question indicates that (emphasis added):
To inform clients possessing a valid DHCP lease about a gateway
change (the link quality to the gateway could have dropped or the
client is roaming around) batman-adv will also inspect incoming DHCP
renewal packets. If their destination is not the currently selected
gateway and below a certain TQ threshold (currently defaulting to a TQ
of 50), the DHCP renewal packet is not forwarded, thereby forcing the
client to request a new DHCP lease from a better-connected gateway.
Note that the change happens by inspecting incoming renewal packets. Due to the nature of DHCP, you are stuck waiting for a lease renewal request to update the gateway.
You can set low lease times to increase the polling rate, but if you need real-time reaction to failed gateways, you will need to employ an actual routing protocol.
Related
I would like to know if it is possible in a standard MQTT bridge configuration with Mosquitto the dynamic subscription of topics from the MQTT clients to the remote broker.
That is, only if a client requests the subscription to a certain topic, it is Mosquitto who requests to the remote broker the subscription to that topic.
From what I have seen in the configuration it is possible to set it statically when starting the Mosquitto service but not dynamically according to the requirements of the MQTT clients who can decide at runtime to which topics they want to subscribe.
Is it possible in a Mosquitto bridge, a dynamic subscription scenario in which the subscription request of the clients is forwarded to the remote broker?
It is not possible, the broker does not support dynamically changing the bridge subscription.
It's also doing dynamic subscription forwarding won't work well in a situation where usernames/password and ACLs are implemented because the bridge connection acts as any other client connection. This means that the bridge connection can only subscribe/publish to topics allowed by the user assigned to the bridge.
Both brokers are likely to have very different sets of users and ACLs in place
Greeetings,
I have the following setup
Application Gateway -- Private Endpoints -- App Services
The application gateway is in its own resource group along with the virtual network in the 1.0.0.0 subnet.
The private endpoints and app services have a resource group per resource. So for me that would be 5 Services plus the main group with the AG.
I created all elements via the Portal.
After setting up the backend pool (for starters just for one service) and using the basic settings on all the elements (listeners, rules) I wanted to connect to the gateway public ip or dns name, however all I receive is a timeout, without any hint whatsoever in the monitoring as to what could cause the problem.
The application gateway does not even register a request.
Does anyone know what could be the cause of this? Could the Public IP be faulty for some reason? I even tried disabling the private endpoint on one of the services for debugging purposes but to no avail, seems like that is not the cause.
Any help is appreciated :)
Connection Timeout means that one or more than one server could not
complete your request within some period and does not receive a timely
response from another one that works as a gateway or proxy i.e; did
not complete within alloted time.
Initially try to reload the page in different browser or even on different devices.Clean the site from spam and cookies.
Please check if any of the below possible causes:
(main cause)REQUEST TIMEOUT : The number of seconds that
the application gateway will wait to receive a response from the
backend pool before it returns a “connection timed out” error
message.
When a user request is received, the application gateway applies the
configured rules to the request and routes it to a back-end pool
instance. It waits for a configurable interval of time for a response
from the back-end instance. By default, this interval is 20 seconds.
Solution: Reference >> Try Setting request-timeout :Application Gateway allows you to configure this setting via the
BackendHttpSetting,
Ex:
New-AzApplicationGatewayBackendHttpSettings -Name 'Setting01' -Port 80 -Protocol Http -CookieBasedAffinity Enabled -RequestTimeout 60
Also see App gateway
-troubleshoot-app-service-redirection-app-service-url.
NOTE: If your connections are getting dropped at less than the request
time out seconds set, then we need to find which connection is
trigged. And may need to Contact azure support
In addition to server timeouts, there are other causes
See if it due to default health check probe:like 1) Back-end VMs or
instances of virtual machine scale set are not responding to the
default health probe. 2) Invalid or improper configuration of custom
health probes. 3) Azure Application Gateway's back-end pool is not
configured or empty.
Troubleshoot problems-with-default-health-probe and custom healtH probe : Application gateway automatically configures a
default health probe using properties of the BackendHttpSetting but
Custom health probes allow additional flexibility to the default
probing behavior where you can configure the probe interval, the URL, the path to test, and how many failed responses to accept
before marking the back-end pool instance as unhealthy.
Also check the app service time outs : see appgw-timeouts and app
service time out setting
Other causes to check
Slow server, Problems with the firewall,network connection
If NSG, UDR or Custom DNS blocking access to backend pool members.
If VMs or instances in virtual machine scale set are healthy.
For those : Check the logs and DNS records and try by disabling the proxy or temporarily disabling the CDN
References:
Azure application gateway throws 502 when application sends 401 -
Stack Overflow
Azure Application Gateway error 502 when using application gateway
-Stack Overflow
We're looking to use Application Gateway as a frontend\proxy for a website we host onsite. The website has a public IP but we'd like to restrict access to the site to only traffic coming from the Application Gateway. Is there a way to determine what IP the traffic would be coming from as it exits Azure? Is it like other Azure traffic where it could come from any IP subnet they have assigned to that specific region? I haven't seen this question asked and it's not directly referenced in any of MS documentation that I can find.
Thanks!
Not sure why you want to restrict access to the site to only traffic coming from the Application Gateway because if you configure it and add the website in the backend of Application Gateway. The traffic from a client will always reach the website through the Application gateway as the Application Gateway works as an application proxy by accepting traffic and based on rules that are defined with it, routes the traffic to the appropriate back-end instances.
You may want to know to restrict access on the application gateway subnet via NSG. Then the inbound or outbound traffic in the Application Gateway subnet will be filtered via NSG.
Network Security Groups (NSGs) are supported on the application
gateway subnet with the following restrictions:
Exceptions must be put in for incoming traffic on ports 65503-65534
for the Application Gateway v1 SKU and ports 65200 - 65535 for the v2
SKU. This port-range is required for Azure infrastructure
communication. They are protected (locked down) by Azure certificates.
Without proper certificates, external entities, including the
customers of those gateways, will not be able to initiate any changes
on those endpoints.
Outbound internet connectivity can't be blocked.
Traffic from the AzureLoadBalancer tag must be allowed.
Hope this will help, let me know if you have any other concerns.
Update
If you just want to whitelist the Azure service on the firewall, you can read the Azure Datacenter IP Ranges. You can figure out which datacenters your service are located in then narrow down the IP ranges.
I am trying to add my application on app store but it returns this error
that my application not support ipv6 and people told me that i should create ipv6 network to test my app.
now i have data on server but server which have this data doesn't support IPV6 only support IPV4 should it support IPV6 or it's ok to use IPV6 to get data from server that doesn't support IPV6
Your server can receive requests over IPv6 in two ways:
1) Your server support IPv6 and has IPv6 address (Also most hosting support this feature).
2) Some device (hardware or Linux router) in front of the server should support both IPv6 and IPv4. It will receive requests over IPv6 and transmit them to your server over IPv4.
You may try to answer Appstore, that your hosting provider on server side do not support IPv6. For my case It worked.
This is a sensitive topic and many people have wrong knowledge about it.
Your app MUST support IPv6-only networks. But your server MAY NOT support IPv6: it is up to you, to decide to support it or not.
In-depth explanation: Apple expects your client application to work correctly when connected to an IPv6-only network, but that IPv6-only network MUST help your application by offering a DNS resolver that is DNS64 compliant (RFC 6147) and also offering a NAT64 (RFC 6146) IPv6-to-IPv4 translation gateway. This means your client application makes a DNS request to www.myipv4onlyserver.com and the resolver replies with a fake IPv6 address routed to a NAT64 gateway. Thus, your client application talks with IPv6 to this gateway and this gateway translates the data channel to your IPv4 server, like a transparent proxy.
To be compliant with Apple expectations, use high-level network libraries and address-agnostic APIs, such as getaddrinfo() and getnameinfo(). Use hostnames or FQDN, not IP adresses.
See this Apple forum article and this Apple networking guide for further explanations.
I'm developing a web service that needs to connect to another web service and register a web service endpoint that notifications can be sent to.
e.g. Server A sends a registration request to Server B, containing the URL on which notifications will be sent (HTTP PUT).
If Server A (the development server) was on a public IP, all would be well, but at the moment its on my development laptop which is connected to the internet via a Wifi router which connects to Personal Hotspot on my iPhone. This is actually the most useful internet connection I have available most of the time. Neither the router nor Personal Hotspot (AFAIK) allow port forwarding or DMZ.
For development purposes I would like the notifications to come through to the service under development on my laptop. I can specify a static IP address when registering with the third-party web service, and a specific port number if needed.
My only thought was to use a VPN connection from the laptop to the internet, therefore masking the existence of the inbound route.
The VPN would therefore need to allow inbound packets through to the server. I've looked at the VPN service by VPNUK.info who I currently use, and they have both a dynamic IP and static IP version of their product, and the static version seems to suggest that inbound is possible.
Can anyone suggest how or if this would work? Any specific setup instructions? I presume once the VPN is established, and requests to the VPN Static IP address will be handled by the server on the development laptop (which is the device starting the VPN connection).
The development laptop is a Macbook running OS X Yosemite.
The web server is built using Node.js and Express.
I ended up signing up with VPN UK for a dedicated static IP VPN service. This gives a single publicly accessible IP address to the VPN connection.
Once the Macbook establishes the VPN, any requests to that IP address are routed to the Macbook as requested, so it doesn't matter where its located or the type/complexity of the internet connection.