Reg Oz chaps plot deep desert comms upgrade

It's been a while since The Reg travelled to the remote Australian community of Willowra to perform a Windows XP upgrade, and longer still since we updated readers on our plan to improve the internet connection in the town's adult learning centre. We'd like to fix the internet problem because the Wirliyatjarrayi Learning …

  1. Hazmoid

    Possible onsite proxy/filter

    I know you are getting Internet through a 3rd party filter so that may make things a little complicated, but your wifi connects into Ethernet. Does it connect directly to the Satellite modem or is there a switch in the middle (I assume not)? If it connects directly to the Satellite modem then you may want to get a server with 2 NICs and look at ClearOS (http://www.clearfoundation.com/ ) or Endian (http://www.endian.com/en/community/ ) as Linux-based filter/proxy servers. They have a free option and a paid option for those that need support. As pass through proxies they can save you a heap of traffic.

    1. steamrunner

      Re: Possible onsite proxy/filter

      This would be a good approach — although there is the issue of having a PC/appliance on-site that needs support and, if it goes wrong, it all falling apart if there is no 'ready-to-run' spare on-hand. My opinion: simplify what's on-site as much as possible.

      The article doesn't mention how many Wifi Access points the site has (for cost purposes), but one alternative might be to use something like a cloud-managed Wifi access point(s) like Meraki. Your 'login' click-through page would still (itself) be hosted elsewhere but you'd have content filtering effectively directly on the access point, with traffic reporting and details (i.e. who's doing what and how much) accessible from the cloud management portal from anywhere (useful for those people managing the network who are *not* in the location ;-). Traffic leaving the network would still be normal/unencrypted (unless it was using SSL) and allow the Riverbed to optimise it. The access points need pretty much zero on-site support (plug in, leave alone).

      The only catch with network optimisation towards the Internet: all your traffic should probably be encrypted for safety anyway, so your optimisation may be limited (or no effect at all).

      1. Hazmoid

        Re: Possible onsite proxy/filter

        Trying to keep the proxy at the remote end to minimise traffic across the link. As another poster suggested, DNS cache would help as well.

        Considering the Proxy machine, you would be hard pressed not to look at something that uses SSD drives and fairly robust hardware. The benefit to most of the machines now is that this is becoming a standard. Is it essential that the link is always up or can it handle outages? i.e. look at the risks and how to mitigate them. Is there UPS power? Do you need to have a redundant copy of the machine on site? If the hardware is cheap enough it may be that the simplest solution is to have the 2 machines set up as mirror copies with regular DFSR replication (or look at setting them up as a failover cluster).

        All stuff that can be planned well before going out there. Now that you have been on site, you have a feel for what is and isn't required. Plan for the worst and hopefully you will never need to take advantage of it. :)

    2. JeffyPoooh

      O3b ground station - about $1M...

      Population 351 (2001), no 272 (2006), ah 220 (2011).

      So if the residents can come up with about $5k each, then they'd have fibre optic speed Internet via the O3b satellite network. They're in a qualifying latitude.

      Or just wait another ~20 years until the population of Willowra hits zero.

    3. Doug Burbidge

      Re: Possible onsite proxy/filter

      If filtering is a requirement, take a look at ContentKeeper. They're Australian, so they might be able to come to the party cost-wise, and (last time I dealt with them, a decade ago), their tech does not suck.

  2. Marco van Beek

    Silly question, maybe?

    If you have a satellite connection, why is it coming back down in Australia at all? Why not use a service with a downlink in a country with a decent connection to the rest of the world, as well as a few spare IPv4 addresses for local businesses to use for remote access?

    1. David Neil

      Re: Silly question, maybe?

      At a guess, I'd say a decent percentage of traffic is to Aus websites, but I do of course await correction.

      Can't imagine they are using Netflix on that link

  3. WraithCadmus

    Looking forward to what you do

    Long-distance and satellite stuff has always fascinated me, so seeing how you make all this work will be good.

  4. Peter Simpson 1

    Nobody's said it

    But good on ya, mates, for doing this. I suspect quality IT help is hard to find in that corner of Australia. Nice of El Reg to help out.

    Edit: just googled Willowra. It's miles from anywhere. Best of luck.

    1. JeffyPoooh

      Re: Nobody's said it

      I Googled Willowra and got this snippet: "Location. Latitude:-21.14. Longitude:132.36. Infrastructure Specification. 1 HP Photosmart Premium Fax All-in-One Printer 1 PC..."

      Hmmm. Town's infrastructure: an all-in-one printer and a PC. Wow.

  5. Wzrd1

    Bloody hell!

    Optimize the network *before* you fully map and document it?

    A more sure plan to failure I have yet to witness.

    First, document the *entire* network. It's a pain in the ass, but it'll pay for itself in less heartburn medication.

    Second, learn the word proxy. It'll save you a lot of bandwidth.

    So, it'd go:

    User – WiFi router – Satellite modem – Satellite – ground station – proxy - Internet

    Of course, you can content filter with a proxy, either by crude blacklisting or via something like Websense.

    I've been at places where I had 2000 users hanging off of a one meg pipe. I've been at places where 6000 users hung off of a 6 meg pipe. In both instances, our proxy was aged and failed (HD failure dropped it), I stuck a squid proxy on a spare server running Linux. Watched a struggling network become operational, if slow on internet things.

    I set squid for relatively primitive filtering and set to work rebuilding the array on the *real* proxy.

    I won't even go into the bastardized mess I set up when higher command fucked up and didn't renew our Websense license, which left us in an unlawful position of unfiltered internet.

    I'll just suggest that those senior officers did not enjoy my, erm, candor.

    The license was swiftly renewed.

    But, the *only* path to improvement is complete documentation, down to every endpoint.

    I don't envy you the task, as having done so a few times, but if I were in the same nation, I'd give a hand. Heh, those roads aren't so challenging to someone who spent nearly three decades in military service. We'd have to go to Antarctica or the northern ice cap to find conditions I've not operated under.

    1. pro-logic

      Re: Bloody hell!

      Since it's the sat link that's the slow bit wouldn't it be better to go?

      User – WiFi router – Proxy – Satellite modem – Satellite – ground station – Internet

  6. Andrew van der Stock

    You should check out what the OLPC folks have done in similar (or worse) circumstances. I know some of the folks involved in that effort, and can get you in touch.

    I'm unsure of why you have filtering mandated. I'd feel a bit miffed if I was a local being told what I can look at and what I can't look at, but I'll assume you're in parts of the NT where the Intervention is taking place.

    I'd move the proxy, a caching DNS server, and filtering to be local, using something that can be managed remotely as required, preferably via secure web site and SSH as these don't suffer from latency issues as badly as VNC or RDP sessions.

    Looking up a DNS request over a 300 ms link can be hugely latency inducing if it can be satisfied by a locally cached DNS entry (<1 ms). Modern websites, such as Facebook, look up over 40-50 DNS names for all the third party advertising and analytics and games, etc.

    The other thing you can do is tweak the local cache to cache very big objects, as well as setting up a local patch management solution for the most common platforms in use by the locals. That way patches and iOS updates don't chew huge bandwidth.

    Using Riverbeds is a good idea as long as most traffic is unencrypted, but as things move to HTTPS by default (e.g. Facebook, all of Google), you will get less bang for your buck. The main thing you could have a look at is to use QoS to prioritise certain traffic over other traffic. Get this wrong and you have an entirely new problem of your own making. I've seen some terribly managed QoS policies that made things far, far worse. That said, unless you can get the Riverbeds for a good price (and it does require two of them), you'd be better off investing that money in a fatter pipe.
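
Several comments in this thread weigh a local caching proxy against the growing share of HTTPS traffic that a cache or optimiser cannot see into. The following is an added example, not code from any commenter or from The Register: it assumes Squid is the on-site proxy and reads its native access.log layout to show how many bytes were served from the local cache, how many crossed the satellite link, and how much of the link traffic was opaque CONNECT tunnels. The log lines, hosts and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout (Squid is an assumption):
# time elapsed_ms client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1400000000.101 912 192.168.1.20 TCP_MISS/200 524288 GET http://updates.example/patch.cab - HIER_DIRECT/203.0.113.10 application/octet-stream
1400000050.230 4 192.168.1.21 TCP_HIT/200 524288 GET http://updates.example/patch.cab - HIER_NONE/- application/octet-stream
1400000060.480 3 192.168.1.22 TCP_MEM_HIT/200 524288 GET http://updates.example/patch.cab - HIER_NONE/- application/octet-stream
1400000070.900 30211 192.168.1.20 TCP_TUNNEL/200 2097152 CONNECT social.example:443 - HIER_DIRECT/203.0.113.20 -
1400000080.120 640 192.168.1.21 TCP_MISS/200 20480 GET http://news.example/ - HIER_DIRECT/203.0.113.30 text/html
1400000090.500 0 192.168.1.23 TCP_DENIED/403 3900 GET http://blocked.example/ - HIER_NONE/- text/html
this line is truncated
"""

def summarise(log_text):
    """Split delivered bytes into cache hits, link fetches, tunnels and denials."""
    totals = {"hit": 0, "link": 0, "tunnel": 0, "denied": 0, "skipped": 0}
    link_by_client = defaultdict(int)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or "/" not in f[3] or not f[4].isdigit():
            totals["skipped"] += 1          # malformed or truncated entry
            continue
        client, result, size, method = f[2], f[3].split("/")[0], int(f[4]), f[5]
        if "DENIED" in result:
            totals["denied"] += size        # filter's error page, served locally
        elif method == "CONNECT":
            totals["tunnel"] += size        # HTTPS tunnel: proxy cannot cache it
            link_by_client[client] += size
        elif "HIT" in result:
            totals["hit"] += size           # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT
        else:
            totals["link"] += size          # misses and revalidations use the link
            link_by_client[client] += size
    return totals, dict(link_by_client)

def byte_hit_ratio(totals):
    """Share of cacheable (non-tunnel) bytes that never crossed the link."""
    cacheable = totals["hit"] + totals["link"]
    return totals["hit"] / cacheable if cacheable else 0.0

def tunnel_share(totals):
    """Share of link bytes that were opaque CONNECT tunnels."""
    over_link = totals["link"] + totals["tunnel"]
    return totals["tunnel"] / over_link if over_link else 0.0

if __name__ == "__main__":
    totals, per_client = summarise(SAMPLE_LOG)
    print(totals, per_client, byte_hit_ratio(totals), tunnel_share(totals))
```

A high tunnel share alongside a healthy byte hit ratio means the cache is doing its job on plain HTTP while most link traffic is traffic it cannot touch.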

  7. oceanhippie

    mikrotik

    If you're looking for a cheap, reliable and outback proof wifi, take a look at mikrotik routers. They are cheap, have built in RADIUS, hotspot and proxies. They're very very adaptable.

    I made a hotspot/ticket system for a caravan park out bush in the NT, on satellite, a couple of years back which is still working fine and has not bankrupted them.

    Since they have every routing protocol you can think of and a firewall based on iptables with a pretty neat interface, they make great point to point links.

  8. jjcoolaus

    When hardware replacement occurs, chromebooks?

    Interesting set of articles in this series.

    When the machines reach the end of their useful life, I wonder if they would be replaced by Chromebooks perhaps? Very cheap on electricity, Google is very good at compressing web pages and reducing data use, etc.

    I can't imagine there would be a huge number of Windows-specific apps that need to run, but this could be done in a VM to one Windows machine on the premises (all within the local LAN, so latency doesn't impact it). Surely that would be a cheaper hardware replacement route?

  9. Jon Etkins

    Sophos UTM

    Have you considered running something like the Sophos UTM software appliance on a cheap but reliable box at the remote site? Sophos makes a fully-functional, all services enabled, license available to home users, and I daresay they might be willing to work with you on this project. Their UTM provides most if not all of the functionality you're looking for, including filtering, authentication, QOS, hotspot, and remote management.

  10. Bob H

    This might help you, it is a compressing proxy with pre-rendering and image compression. Not ideal for security but working on plain HTTP it should offer optimisations, especially if combined with Squid.

    http://ziproxy.sourceforge.net/dia/

    I don't think it is too risky to use a small server at the remote location. Squid will do transparent proxying and you can always set up a fail-over without much expense. There are lots of embedded machines that don't have the foibles of a full PC and if the OS is on a separate disk from the cache you won't have much risk.

  11. Jellied Eel

    Build or buy/rent..

    Sounds like you may want something like this-

    User – WiFi router – Riverbed - Satellite modem – Satellite – ground station – Riverbed - Internet

    Riverbed appliances I think can act as authentication servers, so if WiFi can authenticate against the local Riverbed/proxy it'll reduce the initial setup delay. And give the Riverbeds a cleaner path to do their optimisation/caching magic. Riverbeds aren't cheap, but it's the usual support cost tradeoff between building your own cache/proxy vs getting one ready made with a GUI and support. It's a standard config I've used in a few jobs via satellite connections.
