udp multicast to tcp unicast proxy extended to be a vcr…

Some weeks ago I wrote about that UDP to TCP Proxy I wrote. And since I am mainly using it for DVB-S tv watching I always wanted it to be a VCR as well. So I extended YAPS to be a VCR.

At the moment I am redoing the Web-Interface of the VCR to give it a shiny and sleek finish, but in the meantime I want to give you the chance to take a look on YAPS+VCR in action, and of course an even deeper look into the sourcecode:

this is the “Add new timer…” screen

this is the home page of the vcr…showing one programmed timer..

So apparently some things happened the last days. I would appreciate any comments on the application and the sourcecode. So feel free to download and use. I am releasing it, as usual, under the BSD license.

You can download the sourcecode here: YAPS12.zip (375,35 KB)

Source: udp multicast to tcp unicast proxy YAPS revisited…and bugfixed

23C3: Who can you trust?

It starts fairly early this year: even FeM is already preparing and planning for this years live streaming and recording. The public wiki of 23c3 is online and even the Call for Participation screams: visit me!

So, remember: beside the official wiki pages, you can always come and check here for information about FeM activities on 23c3…(streaming, recording,…)

Source: http://events.ccc.de/congress/2006/cfp/

Source: FeM 23c3 recording and streaming project (no website, no link)

[UPDATE] nature…experimenting with HDR

UPDATE: I added the full resolution versions of the HDR pictures.

During FIWAK I had the chance to play a bit with a Canon EOS 20D. It’s proper DSLR and you can do many great things with it. All the pictures below where done without a tripod. As you can see there are a few ghost pictures but less than I expected in that mode. Nevertheless my Canon PowerShot A400 is better for panoramic views – the EOS is way to big and heavy, you surely need a tripod to do proper panoramic views whereas you can do quite good panoramic views with the A400 without a tripod.

discovering the “Wizard Wizard”: Canopus ProCoder 2

A couple of months ago we got us a Canopus ProCoder 2.0 educational version. Because we, well had to convert a shitload of MPEG2 and DV movies into several different formats. And because Canopus is telling us that their product is by far the best you could probably get on this planet, we were in.

There is a free demo version available which does not require the red glowing, blue plastic HASP hardware USB dongle key’i thing we got with the full version. Those kind of dongle stuff is really nasty. First of all it bugs you right after you got your Windows started up with an error message, just because you probably haven’t plugged the dongle in. The point here is though: Why checking this at the system start, why not when ProCoder 2.0 is started. And heck! Why a dongle key’i thingy anyways?

ProCoder 2.0 has a neat little feature, the only feature why I would use ProCoder personally, which is called “Watch Folders”. You take a ProCoder 2.0, set it up to watch a folder on a network storage or anywhere you like, and after you setup’d some target movie formats it’ll start to convert everything that appears in those Watch Folders and transcodes it to whatever you configured as a target. Great feature!

But here comes the dongle right back in: You need to go to the server room, find your powerful number crunching server park and stick the… well dongle… into… great. After you recovered from the headache and tinnitus (dramatisation!) you got your ProCoder “server” up and running. The point here is: Why all that fuss with that dongle usb stuff. What’s wrong with serial numbers which are necessary anyway for ProCoder 2.0? Piracy can’t be the answer here. Maybe they want to pretend that it’s worth even a dongle, like AutoCad was back when we called our operating systems DOS.

So back to the Canopus ProCoder 2.0 test: After the setup it comes in two different flavours: The fast and the furious, called “Canopus ProCoder 2.0 Wizard” and the all-inklusive one, called…you get the idea.

So first of all let’s cover the Wizard because the workflow of the Wizard is likely the same as in the ProCoder 2.0.

Step 1: Welcome dude!

oh there it is…Watch Folder!… but we want to convert a single file…

Step 2: Load a Source

I used the current Halo 3 Trailer for demonstration…it’s a WMV HD.

Step 3: Set Source In and Out Point

You can specify where the movie starts and where it ends. So you have some kind of cut-editing capability…well not really. I flinch from calling it cut-editing actually.

Step 4: Advanced Settings

Well Canopus things that Crop-Settings are advanced. But hey, there is a “Select Settings” button which opens a dialog where you can specify alternat audio, specific aspect ratio and so on. Nothing to yell about there.

Step 5: the fantastic and well thought of… ProCoder 2 Wizard Wizard (!!!1!)

Why hasn’t anybody else thought of this before? Use a wizard for the wizard. A master to teach the apprentice. A … oh well, it’s nothing special really. Because if you choose to use it just another dialog box comes up:

Step 6: Select Target

Tricky decision here. We want it HD!

Step 7: a question of format.

[don’t forget to put some text here]…

Step 8: High Definition Format…

Again the very tricky format decision. Rather than recommending a format you have to choose. I did not try what’s going to happen when my source has 29,97 fps and I select 25 fps here (or the other way around). Canopus says ProCoder can do a 3:2 pulldown. Great…

Step 9: Saving your file

Save the day.

Step 10: Job Summary

In the end the wizard sums everything up and you can press some more advanced output setting buttons. And if you’re done, you click “Convert”, finally.

Step 11:

And the evil boffins in your number crunching server park are starting to convert your source movie into whatever target you selected. If it doesn’t do this. Well you will never know why it didn’t do it. Because Canopus choosed to not use any error messages or logging. You can be lucky if you get a dialog box telling you that it just won’t do it. In 9 out of 10 cases it just wasn’t telling anything.

It’s not particularly slow. In fact, if you just transcode something and you’re not using any additional filtering it’s as fast as any other transcoding tool (which come sometimes without dongles, you might have heard that).

So that’s quite everything what’s to be told about the Canopus ProCoder Wizard. Finally let’s take a look at the one feature I love: Watch Folders.

So let’s fire up the ProCoder 2 (watch out to have the dongle plugged in!):

I just want to say something about the GUI of ProCoder 2. About GUI design in general. And I want to start with a simple question: What is wrong with standard system controls?

Why are many software companies are writing their own scrollbards, buttons, dialogboxes, tabs. Why can’t they just use the system wide available ones? The ones that actually work. The ones that draw correct on any machine. The ones that I’ve never seen blinking or be drawn incorrect. In case of Canopus ProCoder 2.0 the custom-made scrollbars sometimes even disappeared and you could see that they where just drawn above the system scrollbars. You software companies. If you take an advice from me: stick to doing the user software and leave the multi-purpose GUI elements to the operating system.

Back to ProCoder 2 and to the precious Watch-Folders. If you click on the “Watch” button you get this dialog box:

Nothing really to write more about than: Everything is intuitive and works out of the box. Select a folder. Select a target. And you’re done. It just works as promised. And if you’re in luck and your movies are in a format that ProCoder 2.0 can read without hassle it even will work with your movies.

The target in this case, if you are curious, is a pre-configured format specification. You can use the wide variety of available pre-configured targets, or you can configure your own. (this is quite tricky and not so intuitive)

Since there’s nothing to complain about the pre-configured formats you are certainly not going to have much fun setting up very very custom things. Like the time when I wanted to just setup my own MPEG-4 target. Which isn’t that easy because when you select the MPEG format you only can choose from MPEG-1/2 formats. Or the other time when I wanted to do it in H.264. That format is available, but you have to find it. It’s deeply burried into the third dialog-layer.

In the end you get quite a good transcoding application with this neat Watch-Folder feature. You also get an awfully rubbish GUI with no error messages at all. If something goes wrong you’ll never know why.

In our case everything went fine and in only one case in my testing I found something that the Windows DirectShow could decode but ProCoder 2.0 could not. I really recommend it for video encoding servers. It’s one of it’s kind when it comes to that discipline and the money is well spend.

Source: http://www.canopus.com

setting up the 6509-ng

So our test-drive 6509 is setup-and-going in the local junk server room. As you can see the room is obviously used for two different purposes. On the one hand it’s a windowless central network service point…and on the other it’s… oh dear…take a look for yourself:

When you come closer…you see…:

TWO 6509!!!!..
an old one(in the rack) and the new one (on the ground)

And to raise some pulses -a module listing:

c6509-ng#sh module
Mod Ports Card Type Model Serial No.
— —– ————————————– —————— ———–
3 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX xxxxxxxxxxx
4 24 CEF720 24 port 1000mb SFP WS-X6724-SFP xxxxxxxxxxx
5 2 Supervisor Engine 720 (Active) WS-SUP720-3B xxxxxxxxxxx
7 6 Firewall Module WS-SVC-FWM-1 xxxxxxxxxxx

Mod MAC addresses Hw Fw Sw Status
— ———————————- —— ———— ———— ——-
3 0000.0000.0000 to 0000.0000.0000 1.0 12.2(14r)S5 12.2(18)SXD7 Ok
4 0000.0000.0000 to 0000.0000.0000 2.3 12.2(14r)S5 12.2(18)SXD7 Ok
5 0000.0000.0000 to 0000.0000.0000 4.4 8.1(3) 12.2(18)SXD7 Ok
7 0000.0000.0000 to 0000.0000.0000 3.0 7.2(1) 2.3(4) Ok

Mod Sub-Module Model Serial Hw Status
— ————————— —————— ———— ——- ——-
3 Centralized Forwarding Card WS-F6700-CFC xxxxxxxxxxx 2.0 Ok
4 Centralized Forwarding Card WS-F6700-CFC xxxxxxxxxxx 2.0 Ok
5 Policy Feature Card 3 WS-F6K-PFC3B xxxxxxxxxxx 2.1 Ok
5 MSFC3 Daughterboard WS-SUP720 xxxxxxxxxxx 2.3 Ok

Oh…something that raised our pulses… a 6513 in one of the other Network Service Points…yummi:

At the moment the ahzf and cosrahn are playing with the machine…so more stuff is definitly to come soon.

German CISCO Expo 2006 review

German CISCO Expo 2006 is finally over and from our point of view it was truly a great success.
There were very interessting sometimes cool presentations and demos, a lot of food & snacks and
very colorful light at the party. Over all it was a much better event than all those cisco
CeBit exhibitions I’ve been to before… the new (cisco) economy seem to be back on stage ;)


CISCO’s new vision for next generation networking got a new name: “Intelligent Information Network”!
Now all the routers and switches should become more intelligent, be aware of the users actual location
and connection type (ethernet, wlan, UMTS, …) and voice, data, video are integrated services of
IIN. Doesn’t sound this familiar? Yes! In the days of web 2.0 I think German Telekom would call
this reinvention of the wheel just ISDN 2.0… let’s hope that it will work better this time ;)

BTW: During the T-Systems keynote they showed us a _real hacker_ *huu-hoo* and demonstrated
the unbelievable security risks of unencrypted VoIP by using ARP Spoofing *hu-hoho*. So don’t
ask T-Systems if you have a _real_ security problem.


There were several talks about eLearning, eEducation, about the CISCO networking academy, and
the Scottish Schools Digital Network. If we belive in the given facts and figures people with
deep knowledge in networking will have a great time to earn a lot of money during the next years.
But from our point of view there is still no real funding of university research (URP is not that
great). The NetAcad program might be good for people willing to learn how to configure cisco
switches, but not when you are more interessted in building next generation routers, switches, and
networking concepts. So for us this program is more or less just marketing…

Technology power sessions

WLAN is still a lot of fun… Much more interessing was the talk about the modular IOS, EEM, and
Gold. CISCO is rewritting their os from ground and the new one will have some really nice features…
For example a real filesystem with virtual files like /sys (*hu-hoo* think about this twice ;),
embedded event management, processes for more or less every protocol in use and best: an TCL
scripting environment! If you send enough emails to the dev team embedded perl could also
become available. You can win a box of sparkling wine when you implement tetris within TCL *g*

RFID sponsored by German Telekom… great… :/

Burn venture capital, burn!

The party was really a great! Thanks to the orga team… but I still don’t like this “booooming”…

review and pictures by Ahzf

Source: http://www.ahzf.de

5. Ilmenauer Newcomer Festival “Vorsicht Band! 2006”

Today it’s once again time for the Ilmenau Newcomer Festival “Vorsicht Band! 2006”. And this time again there’s FeM involved. But first the facts:

16 Newcomer bands from all across germany are going to perform in the next two days. Since the 16 where chosen from 272 you can bet that there’s only the best the newcomer scene has to offer these days.

And now to the juicy facts from FeM: You can watch the whole Newcomer Festival “Vorsicht Band! 2006” over the internet for free. Just connect to one of the following Windows Media livestreams:

Broadband Internet (1 Mbit and above): mms://streaming.fem.tu-ilmenau.de/vorsichtband2006
Narrowband Internet (below DSL): mms://streaming.fem.tu-ilmenau.de/vorsichtband2006_modem

To be precise:


And some facts for the nerds: 3 stages, 9 cameras, 30 people, 10.000m cableing,…

Source 1: http://streaming.fem.tu-ilmenau.de

Source 2: http://www.ilmenau-festival.de

Promise VTrak training in Dortmund

Here are some impressions of the training in Dortmund. Quite many information and hopefully a brand new e-class test setup in the next months.

Impressingly enough: the 1.8l 4 cylinder engine of this Toyota made 100km with about 25l… the display even showed 90,9l/100km from time to time…quite frightening.

Oh and some words to the Toyota itself: bad gearbox, even worse the ride. The clutch: nightmare. To be fair: everything was brand new: the car only had 57km on the clock. Oh: It’s no SIXT rental car…I never got any japanese plastic-bombers from them… THANK GOD!

And small panoramic view of the training room:

Promise and QLogic event tomorrow

I am about to attend an event by Promise Germany and QLogic. The two partners are going to present their current products and focus on the technical side of storage area networks and current solutions (VTrak… remember? We have several of them…)

I just got the car from the rental so expect some pictures of the journey and the event tomorrow.

Source: http://de.promise.com

Windows Media Server 9 live statistics tool

André wrote an small but handy CLI application that shows you the currently connected clients and the number of maximum connected clients on a Windows Media Server (version 9.0). It creates a HTML file with the statistical information.

“Copyright notice: pubstats is written by André Helbig (software@thamthon.de). You are allowed to use, copy and change this program as you want. You are not allowed to sell or rent this program. If you make changes, please keep a notice, that this program war originally written by me as long as an essential part of my work is stil left in the program.”


pubstats [-p publishingpoint] [-d path to datafile] [-h path to html-file] [/?]

-p publishingpoint for which statistics should be generated

-h html-file for output.

-d current data will be saved in and old data will be retrieved from this file
every time you open pubstats. If no file is specified, only current will be
-? show help

Download-Link: pubstats1.0.zip (5,81 KB)

Source: http://streaming.fem.tu-ilmenau.de/wiki/index.php?title=Pubstats

Yet another proxy server… how to turn multicast into unicast…

We are using multicast to deliver more than 20 MPEG-2 encoded video+audio streams in our network. The advantages of using multicasting in a network of more than 2000 machines are well known. But there are several scenarios when multicasting is not the right choice.

For example: in wireless environments you have to use some sort of multicast group management which is not always as flexible as a more simple solution. You would end up multicasting all 20 streams into the wireless network – which would just explode or something. (our multicasting traffic volume is around 125 Mbit/s…which is… quite much)

I started writing such a solution two days ago and now I want to make the first lines of code available for everybody to try out.

To speak simple: it’s just another proxy server. It’s a HTTP Server that can be triggered to join a multicast group (hardcoded in this version) and forward the traffic from that multicast group directly to the client that asked for it. It’s as simple as it can get and to be more technical: the proxy receives udp multicast packets and sends them as tcp unicast packets.

When you tell MPlayer to trigger the proxy by asking for /hr.ts you would get something like this (if you have a multicast group on that IP/Port):

As you can see: MPEG2-Transport Stream inside. So it works as designed. There are some glitches I am afraid to say: one known bug is that there are 12 bytes to much in the outgoing data stream which corrupts the picture. If anyone here can fix it: Do it please ;) I tried one day and I could not find a solution for the problem.

Anyways: It’s doing what it’s supposed to do. And that’s why I am making it available for everyone:

Sourcecode: YAPS.zip (11,18 KB)

It compiles with Microsoft.NET 1.1/2.0 and Mono. There’s a Visual Studio 2005 solution file inside to help you compile it. (Should work with Visual C# Express Edition). Oh… and I am releasing it under the BSD license which is included with the package.

Feel free to comment and contribute.

the knowledge of our time: Berkeley courses available for free download (audio)

Berkeley University of California just made a great number of their audio courses available for free download on iTunes. Just tune in and get a taste of cal.

I actually got a taste of the incomparability of two universities… The courses are great!

ACCESS & DOWNLOAD COURSES on your computer or MP3 player
LISTEN TO EVENTS about the Arts, Education, Politics, Science and Technology
BE CONNECTED with what’s happening at UC Berkeley

But Berkeley is not the only university which has some sort of online-courses. FeM e.V. offers you a growing number of complete courses of the TU-Ilmenau with video+audio.

Source 1: Berkeley on iTunes

Source 2: FeM e.V. Streaming TU-Ilmenau

parts coming together…

The last two days I configured an Activedirectory+Exchange+Sharepoint combination for the first time… and well it was worth the work. When you see all the parts coming together, forming a fully working and flexible overall picture.

welcome to the domain…

Outlook Web Access

the Sharepoint… nearly empty… but it’ll get crowded once
the user accounts are created

22c3 recordings – release this week?

So here are some news about the 22c3 recordings:

According to the last information I got, 130 of 146 recordings are ready to go. I don’t know why the team decided to release them all at once only but unfortunately you’ll have to be patient.

The release is planned for THIS WEEK. So stay tuned and check back for more information.

Source: http://22c3.fem.tu-ilmenau.de

How to setup secure 802.1x WPA2 enterprise wireless lan on a linksys WRT54G / GS Revision 4

This article is in german, but I am going to make a translated english version available soon. Thanks to Volker -cosrahn- Henze for writing this great how-to.

Für Feedback und/oder Fragen bitte die Kommentarfunktion verwenden.


Dieses Howto ist ein bischen anders als andere. Es ist ein “Monolitisches” Howto. Wir haben sozusagen einen Snapshot des, bis dato, aktuellen OpenWRT auf unseren Server gezogen und werden damit das gesamte System aufbauen. Es wird keine Updates geben. Das ist natürlich nicht gut aber wir haben diesen Ansatz gewählt um ein Howto zu realisieren bei dem keine Fragen offen bleiben. Also wenn Du es GENAU so machst wie wir hier, solltest Du danach einen wunderschönen Linksys haben der dir einen sicheren und komfortablen Weg bietet dein WLAN vor Unbefugten zu schützen aber trotzdem schnell und einfach Freunden, Bekannten und Nachbarn den Zugriff zu gewähren oder wieder zu enziehen. Warum kein Customized-Image? Wir müssten es testen und dazu felht einfach die Zeit und die Hardware. Aber ich denke das wir demnächst evtl. solch ein Image bauen werden. Allerdings hat solch ein Howto auch den Vorteil das ihr wisst was in eurem Linksys steckt und nicht einfach sagt “Ich glaub der Klumpen da in der Ecke macht das…” Gut dann viel Spass!


  • Linksys WRT54GS Revision 4

  • Ein Rechner mit telnet und SSH (SSH für Windowser gibt es hier)

  • Möglichkeiten Dateien per scp zu übertragen (mit scp, WinSCP usw.)

  • Grundkenntnisse mit dem Umgang mit Maus und Tastatur


Linksys auspacken. Die Warnung “Zuerst CD laufen lassen, dann die Kabel anschließen.” kann man getrost überlesen. Und steckt nun das beiliegende Kabel an den Port 1 und an einen beliebigen Rechner. Nun bekommt man eine IP (, die IP des Linksys ist die also mit in deinem Browser kommst Du auf das Webinterface. Login: admin und Passwort: admin

Die Logindaten sollten auch auf der beiliegenden
Dokumentations-CD zu finden sein.

So sieht das Webfrontend von Linksys aus. Nach dem Flashen wir der Linksys kein
Webfrontend haben. Man kann allerdings eines Nachinstallieren.
Aber dies ist ein anderes Howto…


Die entsprechende Firmware erhält man hier: openwrt-wrt54gs_v4-jffs2.zip (1,61 MB) – Dies ist ein Mirror des openwrt.org-Downloads.

!!!!!!!!!! ACHTUNG nun wirds heiß !!!!!!!!!!
Überprüfe unbedingt noch einmal ob nicht doch ein Stromausfall angekündigt wurde oder der Nachbar versucht mit dem Föhn baden zu gehen. Ein Stromausfall wäre fatal für den Linksys.

Klick auf Administration->Firmware Upgrade

Die Datei openwrt-wrt54gs_v4-jffs2.bin angeben

laufendes Update


Nun ist es soweit. Wenn alles geklappt hat kannst du dich per telnet einloggen.

Das erste Telnet

root@OpenWrt:~# telnet
Connected to
Escape character is ‘^]’.
=== IMPORTANT ============================
Use ‘passwd’ to set your login password
this will disable telnet and enable SSH

BusyBox v1.00 (2006.03.27-00:00+0000) Built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

_______ ________ __
| |.—–.—–.—–.| | | |.—-.| |_
| – || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
WHITE RUSSIAN (RC5) ——————————-
* 2 oz Vodka Mix the Vodka and Kahlua together
* 1 oz Kahlua over ice, then float the cream or
* 1/2oz cream milk on the top.

Nach dem einloggen erstmal ein Reset da die Dateisysteme noch read-only sind:

root@OpenWrt:~# reboot

Nach diesem Reboot kann man sich wieder einloggen. Als erstes muss ein neues Passwort gesetzt werden:

root@OpenWrt:~# telnet
root@OpenWrt:~# passwd
Changing password for root
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
Re-enter new password:
Password changed.

Nun loggen wir uns wieder aus, da Telnet nicht besonders sicher ist
und jeder mitlesen könnte was wir eingeben.

root@OpenWrt:~# exit
volker@buran ~ $ ssh root@
root@’s password:

BusyBox v1.00 (2005.07.18-21:49+0000) Built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

_______ ________ __
| |.—–.—–.—–.| | | |.—-.| |_
| – || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
WHITE RUSSIAN (RC2) ——————————-
* 2 oz Vodka Mix the Vodka and Kahlua together
* 1 oz Kahlua over ice, then float the cream or
* 1/2oz cream milk on the top.


Nun sollte man sich um Internet kümmern. Dies ist aber nicht Teil dieses How-To da es da einfach sehr viele Möglichkeiten gibt einen Linksys mit dem Internet zu verbinden. Deshalb die, meiner Meinung nach, zwei gängigsten hier und noch mehr Infos dazu gibt es hier.

FeM-Net oder andere größere LANs

Hier die Vorgehensweise wenn ihr das Gerät an einem größeren LAN wie dem FeM-Net betreiben wollt. Bitte achtet darauf das der Internet-Port(das ist der der ein Stückchen weiter weg ist on den anderen) des Linksys mit dem LAN verbunden ist. ACHTUNG wenn ihr einen anderen Port mit dem FeM-Net verbindet wird euer FeM-Net-Port deaktiviert.

Jetzt braucht ihr die MAC-Adresse des Linksys um ihn im FeM-Net freizuschalten. Das ist ganz einfach.

root@OpenWrt:~# ifconfig vlan1
vlan1 Link encap:Ethernet HWaddr 00:14:BF:CA:FE:01
inet6 addr: fe80::214:bfff:feca:fe01/64 Scope:Link
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 MiB) TX bytes:0 (0.0 MiB)

Bei unserem Gerät wäre die MAC-Adresse “00:14:BF:CA:FE:01”.


Das ist leicht. Einfach ein paar NVRAM Variablen setzen und das DSL-Modem an den WAN-Port des Linksys stecken.

nvram set wan_ifname=ppp0
nvram set wan_proto=pppoe
nvram set ppp_idletime=10
nvram set ppp_mtu=1492
nvram set ppp_passwd=
nvram set ppp_redialperiod=15
nvram set ppp_username=
nvram set pppoe_ifname=vlan1
nvram commit

Wenn du fertig bist schalte das WAN-Interface ein mit:

ifup wan


Jetzt machen wir erstmal ein Update der Softwarepakete. Wir stellen eine Packet-Sammlung bereit um sicherzustellen das alles genauso funktioniert wie wir es beschrieben haben. Das heißt aber nicht das diese Howto auch nicht mit späteren Versionen funktionieren wird.

root@OpenWrt:~# cp /etc/ipkg.conf /etc/ipkg.conf.old
root@OpenWrt:~# vi /etc/ipkg.conf
* Taste “i” drücken (Insert-Modus)
* nun die folgenden Einträge ändern
src whiterussian http://downloads.openwrt.org/whiterussian/packages
src non-free http://downloads.openwrt.org/whiterussian/packages/non-free
src whiterussian http://www.technology-ninja.com/whiterussian/packages
src non-free http://www.technology-ninja.com/whiterussian/packages/non-free
den Rest lassen wir einfach so
* Taste “Esc” drücken (Kommando-Modus)

Jetzt kann man mit einem ipkg update die Paket-Informationen holen.

root@OpenWrt:~# ipkg update
http://www.technology-ninja.com/whiterussian/packages/Packages …
Connecting to www.technology-ninja.com[]:80
Packages 100% |******************************************|
121 KB 00:00 ETA
Updated list of available packages in /usr/lib/ipkg/lists/whiterussian
http://www.technology-ninja.com/whiterussian/packages/non-free/Packages …
Connecting to www.technology-ninja.com[]:80
Packages 100% |******************************************|
568 00:00 ETA
Updated list of available packages in /usr/lib/ipkg/lists/non-free


Dieser Schritt ist wichtig da ihr mit diesem Tool den Linksys mit der Zeit im Internet syncronisieren müsst. Der Linksys besitzt keine Pufferbatterie und kann seine Zeit nicht zwischenspeichern. Die Zeit wird aber unbediengt gebraucht damit die PKI(das mit OpenSSL erstellte Zeug) funktioniert.

root@OpenWrt:~# ipkg install ntpclient

Downloading http://www.technology-ninja.com/whiterussian/packages/
ntpclient_2003_194-2_mipsel.ipk …
Connecting to www.technology-ninja.com[]:80
ntpclient_2003_194-2 100% |*******************************************|
9555 00:00 ETA
Unpacking ntpclient…Done.
Configuring ntpclient…Done.

Nun schnell die Zeit syncen.

root@OpenWrt:~# ntpclient -h timesrv1.tu-ilmenau.de -s

Ggf. kann hier statt timesrv1.tu-ilmenau.de ein beliebig anderer Zeitserver verwendet werden.

Und ein Startscript welches beim einschalten des Linksys die aktuelle Zeit aus dem Internet holt.

root@OpenWrt:~# echo “#!/bin/ash” >/etc/init.d/S70ntp
root@OpenWrt:~# echo “ntpclient -h timesrv1.tu-ilmenau.de -s” >>/etc/init.d/S70ntp
root@OpenWrt:~# chmod a+x /etc/init.d/S70ntp

Geschaft, nun haben wir, so Gott will, immer die richtige Uhrzeit auf unserem Linksys.


Installation der propritären Tools. Auch wenn es nicht schön ist, diesen Schritt kannst Du nicht überspringen. Der propritäre NAS und die WL-tools müssen nachinstalliert werden.

root@OpenWrt:~# ipkg install nas

Downloading http://www.technology-ninja.com/whiterussian/packages/non-free/
nas_3.90.37-16_mipsel.ipk …
Connecting to www.technology-ninja.com[]:80
nas_3.90.37-16_mipse 100% |******************************************|
75771 00:00 ETA
Unpacking nas…Done.
Configuring nas…Done.
root@OpenWrt:~# ipkg install wl

Downloading http://www.technology-ninja.com/whiterussian/packages/non-free/
wl_3.90.37-1_mipsel.ipk …
Connecting to www.technology-ninja.com[]:80
wl_3.90.37-1_mipsel. 100% |******************************************|
40906 00:00 ETA
Unpacking wl…Done.
Configuring wl…Done.

Der NAS wird benötigt um die Kommunikation zwischen WLAN-Device des Linksys und dem Radius-Server. Die WL-Tools werden benötigt um alle Funktionen des propritären WLAN-Treibers zu nutzen.


Mit OpenSSL wird nun eine Root-CA erstellt. Dies bietet die Möglichkeit dynamisch Zertifikate an beliebige Personen zu verteilen ohne das ihr euch kompliziert Pre-Shared-Keys zuflüstern müsst. Außerdem kann man Zertifikate zurückziehen wenn man jemanden nicht mehr leiden kann. Das ist besonders in größeren Infrastrukturen sehr sinnvoll. Installiert euch openssl-utils auf eurem, mittlerweile liebgewonnen, Linksys. Im übrigen ist es ratsam die Root-CA auf einem anderen PC zu erstellen. Hier der Einfachheit-wegen direkt auf dem Linksys.

root@OpenWrt:~# ipkg install openssl-util

Legt euch ein Verzeichnis an in dem die Root-CA gespeichert wird.

root@OpenWrt:~# cd /usr/share/
root@OpenWrt:/usr/share/CA# mkdir CA
root@OpenWrt:/usr/share/CA# cd CA

OpenSSL brauch ein paar Verzeichnisse, in dem es seinen sinnlosen Mist ablegen kann.

root@OpenWrt:/usr/share/CA# mkdir certs crl newcerts private users

Erstelle die Seriennummer und die Indexdatei für die Root-CA.

root@OpenWrt:/usr/share/CA# echo “01” > serial
root@OpenWrt:/usr/share/CA# cp /dev/null index.txt
root@OpenWrt:/usr/share/CA# cp /etc/ssl/openssl.cnf .

Mach eine Kopie der Orginal OpenSSL-Konfig-Datei und ändere es wie Du es benötigst.

root@OpenWrt:/usr/share/CA# vi openssl.cnf
* Taste “i” drücken (Insert-Mode)
* mit den Pfeiltasten nach unten scrollen bis zum Feld [ CA_default ]
* den Parameter
dir = ./demoCA
* tauschen gegen
dir = ./
* Dann die beliebigen Anpassungen machen
* Taste “ESC” drücken (Kommando-Modus)

Für die Client Zertifikate benötigt man spezielle Windows XP Extensions. Dazu legen wir eine neue Datei mit dem Namen xpextensions an.

root@OpenWrt:/usr/share/CA# vi xpextensions
* Taste “i” drücken (Insert-Mode)
Die Zeilen hinzufügen
[ xpclient_ext ]
extendedKeyUsage =
[ xpserver_ext ]
extendedKeyUsage =
* Taste “ESC” drücken (Kommando-Modus)


Sie ist 1095 Tage gültig. Das kann natürlich nach belieben angepasst werden in dem man die Zahl nach der Option -days verändert.

root@OpenWrt:/usr/share/CA# openssl req -new -x509 \
-keyout private/cakey.pem -out cacert.pem -days 1095 -config openssl.cnf
Generating a 1024 bit RSA private key
writing new private key to ‘private/cakey.pem’
Enter PEM pass phrase: “Das_Root-CA_Passwort”
Verifying – Enter PEM pass phrase: “Das_Root-CA_Passwort”
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Thueringen
Locality Name (eg, city) []:Ilmenau
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FeM e.V.
Organizational Unit Name (eg, section) []:Technik
Common Name (eg, YOUR name) []:Cosrahn
Email Address []:somemailadress

Tipp: Merkt euch das Passwort. Und dieses sollte niemals in falsche Hände geraten.

root@OpenWrt:/usr/share/CA# openssl pkcs12 -export -in cacert.pem -inkey private/cakey.pem \
-out caroot.p12 -cacerts -descert
Enter pass phrase for private/cakey.pem: “Das_Root-CA_Passwort”
Enter Export Password: “caroot_p12_Passwort” (kann auch leer sein)
Verifying – Enter Export Password: “caroot_p12_Passwort” (kann auch leer sein)
root@OpenWrt:/usr/share/CA# openssl pkcs12 -in caroot.p12 -out caroot.pem
Enter Import Password: “caroot_p12_Passwort”
MAC verified OK
Enter PEM pass phrase: “caroot_pem_Passwort”
Verifying – Enter PEM pass phrase: “caroot_pem_Passwort”

Und für Windows.

root@OpenWrt:/usr/share/CA# openssl x509 -in cacert.pem \
-inform PEM -out cacert.der -outform DER


root@OpenWrt:/usr/share/CA# openssl req -nodes -new -x509 -keyout radius-req.pem \
-out radius-req.pem -days 730 -config openssl.cnf
Generating a 1024 bit RSA private key
writing new private key to ‘radius-req.pem’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Thueringen
Locality Name (eg, city) []:Ilmenau
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FeM e.V.
Organizational Unit Name (eg, section) []:Technik
Common Name (eg, YOUR name) []:Cosrahn
Email Address []:somemailaddress
root@OpenWrt:/usr/share/CA# openssl x509 -x509toreq \
-in radius-req.pem -signkey radius-req.pem -out radius-tmp.pem
Getting request Private Key
Generating certificate request

Zertifizieren des Request Bitte achte hier auf die Reihenfolge “-infiles radius-tmp.pem” ist die letzte Option in der Kommandozeile.

root@OpenWrt:/usr/share/CA# openssl ca -config openssl.cnf \
-policy policy_anything -out radius-cert.pem -extensions xpserver_ext \
-extfile xpextensions -infiles radius-tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for /usr/share/CA/private/cakey.pem: “Das_Root-CA_Passwort”
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Not Before: Jan 1 05:15:35 2000 GMT
Not After : Dec 31 05:15:35 2000 GMT
countryName = DE
stateOrProvinceName = Thueringen
localityName = Ilmenau
organizationName = FeM e.V.
organizationalUnitName = Technik
commonName = Cosrahn
emailAddress = somemailaddress
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Dec 31 05:15:35 2000 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Konvertieren des Zertifikats in PKCS12-Datei damit es lesbar für Outlook; MSIE; Mozilla wird. (dieser Schritt ist nicht unbedingt nötig, da unser Radius kein PKCS12 benötigt).

openssl pkcs12 -export -in radius-cert.pem -out radius-cert.p12\-inkey radius-req.pem -descert


Dieser Schritt muss für jeden Client wiederholt werden.

root@OpenWrt:/usr/share/CA# openssl req -nodes -new -x509\
-keyout client-req.pem -out client-req.pem -days 730 -config openssl.cnf
Generating a 1024 bit RSA private key
writing new private key to ‘client-req.pem’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Thueringen
Locality Name (eg, city) []:Ilmenau
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FeM e.V.
Organizational Unit Name (eg, section) []:Technik
Common Name (eg, YOUR name) []:Cosrahn
Email Address []:somemailAddress
root@OpenWrt:/usr/share/CA# openssl x509 -x509toreq -in client-req.pem \
-signkey client-req.pem -out client-tmp.pem
Getting request Private Key
Generating certificate request

Zertifizieren der Request – Bitte achte auf die richtige Reihenfolge “-infiles client-tmp.pem” ist die letzte Option auf der Kommandozeile.

root@OpenWrt:/usr/share/CA# openssl ca -config openssl.cnf -policy policy_anything \
-out client-cert.pem -extensions xpclient_ext -extfile xpextensions \
-infiles client-tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for /usr/share/CA/private/cakey.pem:
DEBUG[load_index]: unique_subject = “yes”
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Not Before: Jan 1 05:37:37 2000 GMT
Not After : Dec 31 05:37:37 2000 GMT
countryName = DE
stateOrProvinceName = Thueringen
localityName = Ilmenau
organizationName = FeM e.V.
organizationalUnitName = Technik
commonName = Cosrahn
emailAddress = somemailAddress
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Dec 31 05:37:37 2000 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Konvertieren des Zertifikat in PKCS12-Datei (Outlook; MSIE; Mozilla).

openssl pkcs12 -export -in client-cert.pem -out client-cert.p12 \
-inkey client-req.pem -descert

Um grössere Sauerein zu vermeiden hab ich den obigen Teil zu einem kleinen Script zusammen gefasst. Dieses kleine Script hilft beim erstellen eines neuen Clients. Man findet die erstellten Zertifikate in /usr/share/CA/users/[clientname].

Hier das Skript: mkclient.sh.zip (,43 KB)

Man kann nun zB. einfach mit:

root@OpenWrt:/usr/share/CA# ./mkclient.sh Paul

ein Zertifikat für den User “Paul” erstellen.


Um den Verschlüsselungsspass komplett zu machen brauchen wir noch eine random-Datei und eine Diffi-Hellmann-Parameter Datei. Dazu gehen wir wie folgt vor.

root@OpenWrt:/usr/share/CA# openssl dhparam -out dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
root@OpenWrt:/usr/share/CA# dd if=/dev/urandom of=random bs=1k count=1


Wir haben jetzt viele Dateien generiert aber welche ist jetzt wozu da? Also werden wir das jetzt mal aufdröseln.

radius-req.pem – der Key
radius-cert.pem – das Zertifikat
cacert.pem und cacert.der – das CA-Zertifikat
dh1024.pem – das DH Parameter
random – beinhaltet einfach nur zufällige Daten


Der Client:

diese Dateien müssen auf den Rechner der sich in das WLAN einloggen will.

Die Dateien für den Radius behandeln wir später.


Nach dem wir das geschaft haben, können wir mit dem Radius-Server weiter machen. Wenn Du schon einen funktionierenden Radius-Server in deinem Netz benutzt, kannst Du diesen Schritt überspringen. Um den FreeRadius-Server zu installieren geht man wie folgt vor:

root@OpenWrt:~# ipkg install freeradius

root@OpenWrt:~# ipkg install freeradius-utils

root@OpenWrt:~# ipkg install freeradius-mod-eap

root@OpenWrt:~# ipkg install freeradius-mod-eap-md5

root@OpenWrt:~# ipkg install freeradius-mod-eap-peap

root@OpenWrt:~# ipkg install freeradius-mod-eap-tls

root@OpenWrt:~# ipkg install freeradius-mod-eap-ttls

root@OpenWrt:~# ipkg install freeradius-mod-files

root@OpenWrt:~# ipkg install freeradius-mod-pap


Bitte achte darauf dass du kein Paket vergesst.

Damit der RADIUS auch nach einem reboot zur richtigen Zeit startet, muss das Startscript noch umbenannt werden.

mv /etc/init.d/radiusd /etc/init.d/S41radiusd

Dann die erstellten OpenSSL-Zertifikate kopieren.

mkdir /etc/freeradius/ca
cp /usr/share/CA/cacert.pem /etc/freeradius/ca
cp /usr/share/CA/radius-req.pem /etc/freeradius/ca
cp /usr/share/CA/radius-cert.pem /etc/freeradius/ca
cp /usr/share/CA/dh1024.pem /etc/freeradius/ca/
cp /usr/share/CA/random /etc/freeradius/ca/

Die wichtigen Dateien für die Radius Konfiguration sind

  • clients.conf
  • eap.conf
  • radiusd.conf
  • users


client {
secret = Das_RADIUS_Passwort
shortname = localhost
nastype = other




Nun wollen wir einfach mal unsere 802.1X Umgebung aktivieren.

root@OpenWrt:~# nvram set wl0_akm=wpa wpa2
root@OpenWrt:~# nvram set wl0_auth_mode=radius
root@OpenWrt:~# nvram set wl0_crypto=aes+tkip
root@OpenWrt:~# nvram set wl0_radius_ipaddr=
root@OpenWrt:~# nvram set wl0_radius_key=Das_RADIUS_Passwort
root@OpenWrt:~# nvram set wl0_radius_port=1812
root@OpenWrt:~# nvram set wl0_ssid=My_8021X_Network
root@OpenWrt:~# nvram set wan_hostname=My_8021X_Gateway
root@OpenWrt:~# nvram set wl0_wep=aes+tkip
root@OpenWrt:~# nvram commit

Nun sollte nach einem Reboot der Zauber beginnen. Viel Spass!


ipkg install wireless-tools
ipkg install webif


WPA2 Enterprise-Howto http://wiki.openwrt.org/OpenWrtDocs/Wpa2Enterprise
NAS-Howto http://wiki.openwrt.org/OpenWrtDocs/nas
OpenWRT Konfig Hilfen http://wiki.openwrt.org/OpenWrtDocs/Configuration
OpenSSL PKCS12 http://www.openssl.org/docs/apps/pkcs12.html
OpenSSL X509 http://www.openssl.org/docs/apps/x509.html
FeM-Wiki https://info.fem.tu-ilmenau.de/wiki/index.php/Sicheres_WLAN_mit_einem_Linksys

How-To mount a network share at login / startup on OSX

When I first worked with a Mac I had many problems finding things and doing things that worked just out of the box on a Windows machine. One thing that was very annoying was that the Mac apparently is not able to mount a network volume at startup. On Windows you are just doing something like this:

But that’s not possible on the Mac. So I had to find another way. The easiest way is to write a script that is executed at startup. And so I did.

Go to your applications folder where you probably find the “Applescript” folder in which you’ll find the “Script Editor“. Start it and you’re ready to write the script which looks like this:

    mount volume "smb://bietiekay@femflawlessfs/1"
end try

Whereas “smb://” is the protocol and “bietiekay” is the username followed by the servername “femflawlessfs” and the share name “1“.

When you did that you can check if it works just by clicking on the “Execute” button in the icon bar of the script editor. Normally you’ll be asked for a username+password. If so enter your username and password and add it to the key chain by activating the checkbox in the username+password dialog. You have to do that to allow the script to mount the share without asking you for the username+password again the next time it runs.

When you checked that everything is working you do a “File->Save as“. Give it a name and most important select “Application” instead of “Script” in the file format select box. I recommend to deselect the “startup dialog” checkbox so you would not get bothered by another dialog at startup…

Now you have a script and the executable application.

Go to the “Apple menu->System Configuration->Users” dialog where you can configure the applications that run at startup/login. Click on the “+” symbol under the startup list and select the application you just made with the script editor.

That’s all. You’re set-up to test this… start your machine and see if it works.

3 more terabytes please…

So here we are with another Promise VTrak m500i and another 14 250 GByte drives…

This time it seems that everything is working – even the DHCP request did not result in a complete crash of the appliance…

This time we won’t use the complete 3.1 Tbyte storage space as one humongous volume. This time the m500i serves as a boot-up platform for several XEN powered virtual machines.

And for that purpose 3 Tbyte should do it. If we have the time (since this particular m500i is planned to go into production very soon) we will test how it will work together with the already existing m500i. If we don’t have the time – we have to wait for the other m500i that is to be ordered…

Source: more info about the “m500i-odysee”