Wow, had a really busy four or five days in Moshi, Tanzania. Wish I would have had more time to relax and sightsee; it usually ended up being 12 hour days for us. We got a lot done, though we ran into a lot of issues that slowed us down.
The major projects we worked on while we were in Tanzania were setting up a new VSAT Internet connection, installing a remote access system, installing a network monitoring system, managing the bandwidth utilization, and connecting a group of data computers here to the rest of the network.
For the VSAT connection, I was responsible for modifying the Cisco router configuration to work with the new connection. It was mostly a matter of adding NAT entries, changing a couple of IP addresses, and adding a new default route. We also helped a satellite technician with aligning the satellite dish and configuring the primary and backup satellite modems. That turned out to be the more challenging aspect. Almost all of our first day here was spent working on that. One of the biggest issues we ran into was a misunderstanding between our service provider and the satellite installer/technician. The technician thought the angle he was given was the angle of elevation for the satellite dish; however, it was apparently the angle of the beam as it hits the ground, which doesn’t take some factors into consideration. The satellite modems we received were also tricky to install. Some of the settings we had to set could only be accessed in a particular mode, and switching between modes required an arduously slow reboot. Unfortunately, there is no way of simply copying a configuration file over to these modems; it all had to be done manually, going through a clunky menu-based interface over a null modem cable connection.
For the remote access, we ended up going with Windows Server PPTP VPN. I tried to configure the Cisco Easy VPN and Cisco WebVPN, though I wasn’t able to get them to work with the limited amount of time we had here. So instead we looked at the Windows Server VPN. While it isn’t very customizable, it was much easier to get working than I thought it would be.
If we had had a Linux machine available at that time, I would have chosen OpenVPN. That’s what I configured at the project in Malawi, and that’s what I use at home. The day after doing the VPN, we did end up installing Linux on a server here to run Squid as a transparent web proxy. On our Cisco gateway router, I used a route map to forward port 80 traffic through our Linux Squid machine. This is the first time I’ve actually used Squid in this fashion; it seems to work fairly well once I was able to work out a few kinks in the configuration. Because of the limited bandwidth, we’re limiting the maximum download or upload size to 20 MB. There is a separate static IP set aside for cases where someone has to be allowed to bypass the proxy. (It’s just another line on the Cisco ACL that chooses traffic to send through the proxy.) I wish there were a way to automatically disable the route map if the proxy machine was down, though; that would make me more comfortable with this setup. I’ll try to post the configurations for some of this later when I have more time; I’m at an internet cafe in Nairobi now.
Here are the pertinent parts of the Squid configuration.
# Inside LAN: the only clients allowed to use the proxy
acl lan src 188.8.131.52/24
# Block some websites all the time
acl always_block url_regex -i "/etc/squid/always_block.txt"
http_access deny always_block
deny_info http://184.108.40.206:8080/blocked.html always_block
# Work hours: Monday to Friday, 08:00-17:00
acl work_hours time MTWHF 08:00-17:00
# Block some websites only during work hours
acl workhours_block url_regex -i "/etc/squid/workhours_block.txt"
http_access deny workhours_block work_hours
deny_info http://220.127.116.11:8080/blocked.html workhours_block work_hours
# Block Malware
acl malware_block url_regex -i "/etc/squid/malware_block.txt"
http_access deny malware_block
deny_info http://18.104.22.168:8080/malware.html malware_block
# limit downloads to 20 MB, uploads to 20 MB (the "allow lan" form is the Squid 2.x syntax)
reply_body_max_size 20000000 allow lan
request_body_max_size 20 MB
# Everything else from the LAN is allowed; everyone else is refused
http_access allow lan
http_access deny all
http_reply_access allow all
# Transparent (intercept) port. The router only changes the next hop, so the
# packets still arrive with destination port 80; the Squid host itself has to
# redirect port 80 to 3129 locally (e.g. an iptables REDIRECT rule)
http_port 3129 transparent
And here’s the configuration on the router that forces all the web traffic to go through the proxy (except for traffic from a few servers). Fa1 is the inside LAN interface.
! Select the traffic to policy-route: only TCP to port 80, minus a few servers
ip access-list extended WebFilterHosts
 ! anything that is not TCP to port 80 stays on the normal route
 deny tcp any any neq www
 ! servers allowed to bypass the proxy (if the Squid box is on the Fa1 LAN,
 ! its own address must be in this list or its outbound fetches loop back to it)
 deny tcp host 22.214.171.124 any
 deny tcp host 126.96.36.199 any
 deny tcp host 188.8.131.52 any
 deny tcp host 184.108.40.206 any
 permit tcp any any
!
! Matching packets are handed to the Squid machine instead of the default route
route-map WebFilterProxy permit 5
 match ip address WebFilterHosts
 set ip next-hop 220.127.116.11
!
! Policy routing is applied to packets arriving on the inside LAN interface (Fa1)
interface FastEthernet1
 ip policy route-map WebFilterProxy
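The route map above can be tied to a reachability probe so that the router stops redirecting web traffic when the Squid box is down, which is the behaviour the post wishes for. This is an added example, not configuration from the original post; it reuses the proxy address and Squid port shown above and assumes an IOS release with the `ip sla` and `track` commands (older releases spell these `ip sla monitor` or `rtr`).

```cisco
! Added example: fall back to normal routing when the Squid box is unreachable.
! IP SLA probe 1 opens a TCP connection to the proxy's Squid port every 10 s.
! "control disable" because the target is plain Squid, not an IP SLA responder.
ip sla 1
 tcp-connect 220.127.116.11 3129 control disable
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe and goes down when the connect fails.
track 1 ip sla 1 reachability
!
! Same route map as above, but the next hop is only used while track 1 is up.
! When it is down, matching packets use the normal routing table instead of
! being sent to a dead next hop, so web access keeps working.
route-map WebFilterProxy permit 5
 match ip address WebFilterHosts
 set ip next-hop verify-availability 220.127.116.11 10 track 1
```

Note that this fails open: while the proxy is down, the URL filtering and the 20 MB size caps are bypassed, so the probe state (`show track 1`, `show ip sla statistics 1`) is worth feeding into the network monitoring system mentioned above.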