How to remove Cloud-managed CloudFlare Zero Trust Connector

CloudFlare Tunnel is a really useful feature that lets you host web applications on the Internet without exposing your server. Instead of opening ports and configuring firewall rules, CloudFlare Tunnel creates a secure outbound connection from your server directly to CloudFlare’s network. The best part? You don’t even need a public IP address. Your server connects to CloudFlare, and CloudFlare handles all incoming requests on your behalf. It’s a simple, elegant solution that significantly improves your security posture.

If you’ve gone through CloudFlare’s dashboard to create a tunnel, they recommend running cloudflared as a system service. The instructions seem simple enough: add the CloudFlare repository, install the cloudflared package, then run


sudo cloudflared service install

What if you accidentally install cloudflared on the wrong machine? Maybe you meant to install it on your web server A, but you ran the commands on a different server B instead. You will end up with an active connector, but it will fail with a 502 Gateway Error. Why? Because CloudFlare is trying to reach your web application on server B, but the application is actually on server A.

If, like me, you continued to install cloudflared on the correct server A, you would end up with multiple Connectors to both servers A and B, and worse, your web application will work half the time.

CloudFlare Tunnel with multiple Connectors connected

Unfortunately, CloudFlare’s documentation doesn’t explain how to remove a connector. But it’s actually quite simple on Debian and Ubuntu systems.

If you want to temporarily stop and disable the cloudflared service, run


sudo systemctl stop cloudflared
sudo systemctl disable cloudflared

To completely uninstall cloudflared (works on all OSes), run


sudo cloudflared service uninstall

Optionally, you can also delete the cloudflared repo by doing:


 sudo rm /etc/apt/sources.list.d/cloudflared.list

That’s it. The connector is now completely removed from your system, and you’re ready to install it on the correct machine.
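A check for what is still on the machine after the steps above, as an added example (not from the original post or from Cloudflare). The systemd unit and enable-link paths are assumptions about a default systemd install; the repo list path is the one used in the post.

```python
"""Added example: report what is left of a cloudflared service on a Debian/Ubuntu host."""
from pathlib import Path

# The first two paths are assumptions about a default systemd install;
# the APT list file is the one named in the post.
LEFTOVER_PATHS = {
    "systemd unit": "etc/systemd/system/cloudflared.service",
    "boot-time enable link": "etc/systemd/system/multi-user.target.wants/cloudflared.service",
    "APT repo list": "etc/apt/sources.list.d/cloudflared.list",
}


def running_pids(base):
    """PIDs whose process name is cloudflared, read from <base>/proc/<pid>/comm."""
    pids = []
    for comm in base.glob("proc/[0-9]*/comm"):
        try:
            if comm.parent.name.isdigit() and comm.read_text().strip() == "cloudflared":
                pids.append(int(comm.parent.name))
        except OSError:  # the process exited while we were scanning
            continue
    return sorted(pids)


def cloudflared_leftovers(root="/"):
    """Return {label: detail} for every trace found under root (empty dict = clean)."""
    base = Path(root)
    found = {}
    for label, rel in LEFTOVER_PATHS.items():
        path = base / rel
        if path.exists() or path.is_symlink():  # is_symlink catches dangling links
            found[label] = str(path)
    pids = running_pids(base)
    if pids:
        # A live process means a connector may still be registered with the tunnel.
        found["running process"] = ",".join(str(p) for p in pids)
    return found


if __name__ == "__main__":
    leftovers = cloudflared_leftovers()
    for label, detail in leftovers.items():
        print(f"still present: {label}: {detail}")
    raise SystemExit(1 if leftovers else 0)
```

Run it on the machine that should no longer host a connector; a non-zero exit status means something was found.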

Singtel ONR and loss of Wi-Fi connectivity

Several months back, I changed my home Internet provider to Singtel. Unlike other ISPs that provide an Optical Network Terminal (ONT) device, Singtel uses an Optical Network Router (ONR), which is an ONT with a built-in router. The downside to an ONR is that if you want to use your own Wi-Fi router, you have to set it to AP (access point) mode. Since I have my own Netgear Orbi Wi-Fi mesh, I wanted to use that instead of the free Wi-Fi router that Singtel gave me.

Singtel issued me the ZTE ZXHN F620 ONR. Because I wanted a fixed LAN IP for my Orbi, I set up DHCP Binding (also known as DHCP Reservation) in the F620. On the Orbi, I also configured a static IP. I did the same for my NAS. For months, everything was great. Around two months ago, my Wi-Fi network would go down. Or rather, the network was there, but devices could not connect to it. My phone would show that it was trying to get an IP, then show an error and disconnect from the Wi-Fi. Rebooting the Wi-Fi router helped. Then it happened a few more times, and rebooting the Wi-Fi router didn’t help. I tried rebooting the ONR, which helped a few times. After that, it didn’t help anymore. Once, this happened for around 12 hours. No amount of rebooting devices helped. The Orbi showed it was connected to the Internet, but nothing worked. But suddenly, everything was working again when no one was home. Odd.

Recently, it happened once more. Fed up, I armed myself with a laptop and network cable, and started to troubleshoot. To my surprise, the laptop was able to get an IP, and had Internet. Yet the router was rejecting Wi-Fi connections. At one point, I thought my Orbi router was faulty. I brought it and connected it directly to the ONR, and suddenly everything worked. I brought it back to the living room, and the Wi-Fi broke again. So I thought it could be the network port/cabling. But my network cable tester showed the connection was fine. Connecting the laptop in the living room port was ok too. I was exasperated.

Since the Wi-Fi connection was failing because the device was unable to obtain an IP, I decided to do a “double NAT”, that is, I set up the Orbi in router mode, ensuring it was in a different subnet from the ONR, and connected the ONR to the Internet port of the Orbi. Now my devices could connect to the Wi-Fi network, but without Internet. I checked the ONR settings, and noticed it had assigned a different IP to my Orbi. The MAC address was off by one. I updated the DHCP binding in the ONR settings. Then I rebooted the Orbi, but it was still assigned the old IP. However, after the lease expired, the ONR assigned the correct IP to the Orbi, and everything was back online again.

I finally realised the problem. When I switched the Orbi to router mode, the MAC address changed. This caused the ONR to assign a random DHCP IP address to the Orbi. However, the Orbi was configured with a static IP, which was different. Devices connecting to Wi-Fi would perform a DHCP request through the AP. The ONR would see the DHCP Request from the AP, which had an incorrect IP. The ONR would then send the DHCPNAK to the AP, preventing devices from getting an IP.

However, this doesn’t explain the intermittent Wi-Fi issues from before. My guess is that either the Orbi accidentally advertised the wrong MAC occasionally (seems like it has happened from Googling), causing a conflict with the DHCP and static IP, or the ONR DHCP server messed up and assigned the wrong IP temporarily, and rebooting got the MAC/DHCP/IPs back in order.

The solution to this? Use only one or the other: either DHCP Binding or Static IP, not both. For a Static IP, it is best to pick an address outside the DHCP range.
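The rule above, turned into a small audit of an address plan, as an added example that is not part of the original post. The function names, finding labels, addresses and MACs are all made up for illustration; the "off by one" check mirrors the stale binding described earlier.

```python
"""Added example: audit a home LAN address plan for DHCP-binding / static-IP clashes."""
from ipaddress import ip_address


def mac_int(mac):
    """Turn aa:bb:cc:dd:ee:ff (or dash-separated) into an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def audit(pool, bindings, devices):
    """pool: (first_ip, last_ip) handed out by the DHCP server.
    bindings: {mac: reserved_ip} configured on the DHCP server.
    devices: dicts with name, mac (as currently seen on the LAN), static_ip or None.
    Returns a list of (device_name, finding) tuples."""
    lo, hi = ip_address(pool[0]), ip_address(pool[1])
    bound = {mac_int(m): ip_address(ip) for m, ip in bindings.items()}
    findings = []
    for dev in devices:
        if not dev["static_ip"]:
            continue  # pure DHCP client, nothing to clash with
        mac, static = mac_int(dev["mac"]), ip_address(dev["static_ip"])
        if mac in bound:
            findings.append((dev["name"], "binding-and-static"))
        elif any(bound.get(mac + d) == static for d in (-1, 1)):
            # The reservation belongs to a neighbouring MAC: the device now
            # presents a different interface address than the one that was bound.
            findings.append((dev["name"], "stale-binding-mac-off-by-one"))
        if lo <= static <= hi:
            findings.append((dev["name"], "static-inside-dhcp-pool"))
    return findings


# Constructed sample data (addresses and MACs are invented for this example).
POOL = ("192.168.1.100", "192.168.1.200")
BINDINGS = {"02:00:00:AA:BB:10": "192.168.1.150", "02:00:00:cc:dd:01": "192.168.1.10"}
DEVICES = [
    {"name": "mesh-router", "mac": "02:00:00:aa:bb:11", "static_ip": "192.168.1.150"},
    {"name": "nas", "mac": "02:00:00:cc:dd:01", "static_ip": "192.168.1.10"},
    {"name": "printer", "mac": "02:00:00:ee:ff:05", "static_ip": "192.168.1.20"},
    {"name": "laptop", "mac": "02:00:00:12:34:56", "static_ip": None},
]

if __name__ == "__main__":
    for name, finding in audit(POOL, BINDINGS, DEVICES):
        print(f"{name}: {finding}")
```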

How to configure OVH Failover IP on a VM with Netplan

Here’s something that’s not too obvious. Recently I migrated from OneProvider to OVH. I installed Proxmox on the server, and bought additional failover IPs to be assigned to my VMs. However, what is not obvious is how to configure the VM to use the IP.

The gist of the configuration is that your VM uses the FAILOVER_IP on a /32 subnet. However, it needs the gateway of the dedicated server’s IP (DEDICATED_SERVER_GATEWAY, x.x.x.254), which is outside the configured IP subnet.

The configuration using Netplan is this:


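network:
    ethernets:
        ens18:
            addresses:
                # The failover IP is a single host address, hence /32
                - FAILOVER_IP/32
            routes:
                - to: default
                  via: DEDICATED_SERVER_GATEWAY
                  # The gateway lies outside the /32, so treat it as directly reachable
                  on-link: true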

The step-by-step for OVH is as follows:

  1. Purchase failover IP for your service
  2. Add a virtual MAC for the failover IP
  3. Configure the VM network device to the virtual MAC in step 2
  4. Edit Netplan as above, the key config being
    on-link: true
  5. Done! The VM should have Internet, and you should be able to ping FAILOVER_IP

Cheapest WiFi Mesh

I live in a 1000sqft apartment, and it is designed in a linear manner. This means that my WiFi router placed at one end is unable to reach the bedroom at the other end. I had been using a powerline adapter for years. Short of placing physical cables, HomePlug Powerline is the next best thing. Recently, my adapter malfunctioned, causing connectivity issues. Hence I started my hunt for a replacement. As of last year, WiFi Mesh has become a thing. Unfortunately, WiFi Mesh systems are exorbitantly expensive. Average prices for a WiFi Mesh system on Amazon are USD200 onwards. In Singapore, WiFi Mesh systems cost over USD400.

I love hunting for good technology at low prices, so I started my research. The only cheap option available in Singapore is the EnGenius EnMesh system, costing about USD250. I checked Amazon and found the system going for USD175. Then I found other cheap WiFi Mesh systems as well. Tenda Nova M6 at USD150, and the Luma system at USD140 (after a recent price cut). Seeing a Chinese brand, Tenda, led me to Taobao. There, I found an even cheaper option, the Huawei Honor Mesh Router (华为分布式路由器) going for a mere USD120. At this price, the WiFi Mesh is definitely more attractive than getting a new set of powerline adapters. After (agent and shipping) fees, I paid approximately USD150.

Why WiFi Mesh?

Briefly, there are four options to extend WiFi coverage in a home.

| Method | Pros | Cons | Cost |
| --- | --- | --- | --- |
| Physical cabling | Maximum possible speeds | Requires cabling to be done throughout the house. Usually only done for new homes. Need a separate WiFi AP | $$$ |
| Powerline adapter | Makes use of existing power cabling. | Bandwidth in reality is much lower than marketed. | $$ |
| WiFi Repeater/Range Extender | No wiring needed. Only need a power source, some just USB power. | Bandwidth is halved, or less. | $-$$ |
| WiFi Mesh | No wiring needed. Only need a power source for each AP. | Reduced bandwidth for systems without dedicated backhaul. | $$-$$$ |

However, one of the key features of WiFi Mesh is Fast Roaming and Hand-off. These are 802.11 specifications that allow APs to move clients to another AP with better signal. This is much like how cellular networks work. With my powerline adapter, it was common that when I went to the bedroom, my phone was still connected to the router in the living room, but at very low signal. The phone would have no network connectivity, and I would have to toggle the WiFi on my phone to make it connect to the AP in my room (with the same SSID). Also, there are some spots in the house where I would be connected to the WiFi with 2 bars, but network connectivity was intermittent. In theory, with WiFi Mesh, I would be blanketing the house with WiFi, and with better bandwidth.

The Huawei Honor Mesh Router

Important Caveat

Usage of the Huawei Honor Mesh Router requires a Huawei account (called Huawei ID) that is registered for China region. In order to register a Chinese Huawei ID, you need a Chinese mobile number for verification. You also need the Huawei SmartHome app for the initial setup. However, at the time of writing, the SmartHome app on Play Store is version 9.0.0.317, which does not support the Huawei Honor Mesh Router. You need the newer version 9.0.0.321. This version is available on the Huawei App Gallery, but you need a Chinese Huawei ID to download it.

Thoughts

Once I got the Huawei ID and correct app installed, setting up was a breeze. The app is in English. I placed the router and APs in a linear fashion, with the first AP in the first bedroom, and the second in the third bedroom. The app shows how devices are connected. Interestingly, the second AP is connected directly to the router in the living room. I would have thought it would connect to the first AP. Sometimes it does, but rarely.

Most of the time, the switch between APs is seamless. I have WiFi connectivity throughout the home, and all the dead spots are gone. My phone shows 3 to 4 bars of WiFi signal wherever I go. Occasionally, my phone gets disconnected from WiFi for a few seconds, and then reconnects. But this is much better than having a sticky WiFi connection at 1 bar that doesn’t work.

Unfortunately, and this may be a big minus point for some, the Huawei system has poor WiFi bandwidth.

Bandwidth tests

As reference, these are Speedtest and FAST tests on my D-Link DIR-868L.

This is connected to the Huawei main router.

This is connected to the first AP.

Finally, at the second AP.

Here is a summary of the tests:

| AP | Speedtest (Down/Up) | FAST |
| --- | --- | --- |
| D-Link DIR-868L | 264/177Mbps | 240Mbps |
| Main AP | 156/90Mbps | 130Mbps |
| AP 1 | 65/73Mbps | 79Mbps |
| AP 2 | 40/65Mbps | 64Mbps |

SmallNetBuilder reviewed the EnGenius EnMesh with performance benchmarks (against the TP-Link Deco M5 and Google Wifi), which seem to show that the Huawei router is seriously underperforming.

Conclusion

The Huawei Honor Mesh Router is the cheapest WiFi Mesh system in the market, certainly for Singapore. While WiFi performance leaves a lot to be desired, in reality, even 40Mbps is enough for Netflix and Youtube video streaming in HD. And the 64Mbps FAST speed in my room is a marked improvement over the powerline adapter, which averaged 40Mbps or less, and with connectivity issues mentioned earlier. I am definitely enjoying the strong WiFi connectivity throughout my home.

The Tenda Nova M6 and Luma are also strong contenders for a cheap WiFi Mesh, and are definitely reasonably priced to get started with this technology.

Huawei E122 with OpenWRT

I was exploring a low-cost method to get mobile broadband in the car. The Huawei E122 was the cheapest 3G dongle on ebay – only USD19.99. I bought it, along with the TP-Link TL-WR703N, a compact, USB-powered router that supports 3G dongles. The E122 isn’t listed as a supported 3G modem, and it indeed isn’t supported.

My next step was to flash OpenWRT on it. To my surprise, it didn’t work either. I Googled and tried several things, but nothing worked until I tried the commands I found in an over three-year-old thread on Ubuntu Forums. In the very last post, the thread starter himself, mvip, posts a wvdial config file that he says he managed to get working for his E122. I simply translated it into a chatscript (used by OpenWRT). And…

It worked!

Now I have Wi-Fi in my car, cobbled together for under USD50.

My chatscript for the E122:

ABORT BUSY
ABORT 'NO CARRIER'
ABORT ERROR
REPORT CONNECT
TIMEOUT 10
"" "ATE0"
OK "ATZ E0 V1"
OK "AT+CFUN=1"
OK 'AT+CSCS="UCS2"'
OK "AT+CREG=2"
OK "AT+CGREG=2"
OK "AT+COPS=3,2;+COPS?"
OK 'AT+CGDCONT=1,"IP","$USE_APN"'
SAY "Calling UMTS/GPRS"
TIMEOUT 30
OK "ATDT*99***1#"
CONNECT ' '