
OpenTTD Enhanced Gameplay

OpenTTD is an open-source clone of the Transport Tycoon series of transport business simulation games. While it’s a lot of fun to play, especially multiplayer, the default gameplay quickly becomes old or stale to experienced players:

  • There’s a runaway effect where if you accumulate enough wealth, it’s almost impossible to lose. The game quickly degrades into a painting game where you can run transportation networks virtually anywhere without penalty.
  • The variety of industries is low making it easy to connect all available industries in a short amount of time. There are only so many times you can transport the same type of cargo over and over before boredom sets in.
  • Industries disappear if you don’t transport cargo to them within a few years, leaving the map an empty wasteland instead of a puzzle of industries waiting to be serviced.
  • Rail upgrades are tedious when monorail and maglev become available. To upgrade from one type to another, you need to move all existing trains to a depot, sell them all, upgrade the tracks, then create all new trains of the new type. That’s not realistic, and it’s not fun.
  • Passengers are just cargo and don’t feel like a unique part of the rail network.

The runaway effect can be solved by changing the ‘Infrastructure Maintenance‘ option (set to false by default) to true. This means any infrastructure (such as rails and rail signals) have a recurring maintenance fee. This heavily penalizes random, long-distance builds, but rewards re-use and efficiency of infrastructure. It’s very easy now to bankrupt yourself even in the late game with this turned on, so builds need to be thought out strategically instead of just built out like a model railway set.

FIRS is a complete industry replacement set that’s been in development for years. The developers have carefully planned out complex economies that make for interesting, dynamic gameplay. For example, you might want to start with a company that specializes in transporting oil products, or metal cargoes. Each of these sub-economies is individually more complex than the default OpenTTD economy.


(You should be able to see an enlarged, up to date version of the economy map here, but that link might go stale as this article ages.)

A lot of the economy in FIRS is circular. For example, you can run iron ore from a mine to a steel mill. The mill produces metal, which you can take to a smithy. Then the smithy makes engineering supplies from that metal, which you can run back to the iron ore mine. This increases production at the mine due to the increased efficiency of having engineering supplies on hand. This makes for very interesting and rewarding gameplay and solves the low industry variety problem of stock OpenTTD.

FIRS also allows you to manipulate how industries open or close. Changing “Allow secondary industries to close” to “off” fixes the ‘industries disappear’ problem. Now all industries on the map at generation time will remain there until the end of the game, presenting an interesting puzzle to be solved over time instead of a race against the clock to supply industries before they disappear.

FIRS combined with the Iron Horse train set completely eliminates monorail and maglev vehicles available in stock OpenTTD. This is because FIRS mainly concerns itself with transporting cargoes by regular rail only. Transporting passengers is possible (between towns and hotels), but such routes are not as profitable as a full industry loop is. FIRS is an industry-focused set. This leaves the door open to add in a few more sets to OpenTTD that concentrate on transporting passengers:

  • FooBar’s Tram Tracks for trams and trollies moving small numbers of passengers within a city or between two cities close to each other,
  • Metro Track Set to transport massive numbers of passengers over short distances,
  • Maglev Track Set which offers many high speed rail tracks capable of transporting passengers long distances at very high speeds.

Typically in the real world passenger rail networks (commuter rail, subways, or LRT’s) are segregated from heavy freight railway networks. These track sets allow the construction of unique passenger rail networks with distinctly different properties. Since FIRS doesn’t concern itself much with moving passengers around, these sets fit the missing piece of the puzzle very well.

Since FIRS combined with Iron Horse doesn’t provide monorail or maglev, there’s no need to upgrade your freight network from regular rail (be it steam, electric, or diesel). Regular, “heavy” rail will remain in use throughout the game from beginning to end as a core part of gameplay, which wasn’t true in stock OpenTTD.

In the early game, simple tram stations stimulate city growth. In the late game, only high speed rail operates at very high speeds (up to 600kph), but since high speed rail can only transport passengers or mail, it can’t be abused like in stock OpenTTD to transport heavy industrial cargoes. This makes for much more interesting gameplay with a great amount of variety. It also eliminates the need to tediously upgrade your freight network from standard rail to maglev or monorail, and creates realistic passenger networks.

These late-game passenger networks take on a look similar to Taiwan’s High Speed Rail, or Japan’s Shinkansen network.

With all of these modifications, OpenTTD is transformed into a long-running, complex simulation with high difficulty and strong variation between games. It remains interesting throughout as key milestones are reached. We like to start at the year 1860 to allow for a long time to develop the freight networks:

  • 1860: Game begins, only steam locomotives available.
  • 1872: Trams become available, offering early city development opportunities.
  • 1900: Metro becomes available, high-density passenger transport over short distances.
  • 1919: Electric trains available, seamless upgrade of existing freight rail network to electric.
  • 1954: Diesel trains available.
  • 1984: High Speed Rail begins to unlock.
  • 2051: Game over.

The end result is a complex freight network that covers the entire map, densely built cities with tight metro systems, and long lines of high speed passenger railways.

As of this writing, here are the exact versions of each NewGRF set used. The station sets are cosmetic only, but are great for building unique stations:

A Fish Out of Water

Ever since I was a kid, I had a deep appreciation and respect for the demoscene. I instantly fell in love with Starshine, Ice Frontier, and Bridge to the Universe. Never in my life did I think I would have an opportunity to mingle with the talented computer hackers, musicians, and artists that made up the core of the demoscene engine. But, ten years ago, it happened. This is my story.

The Digital Garden

Ever since the mid 1990’s, I’ve been a fan of the demoscene. The only thing I had back then was a 386 with a couple megs worth of RAM and a few dozen megs worth of hard drive space. I was introduced to the demoscene by Damage on EFnet when he sent me a copy of Purple Motion’s “Starshine,” a tune that can still be found on my playlist to this day. I couldn’t really run any demos back then, my computer just wasn’t fast enough, but these days that’s not really a problem.

Back then I had troubles running a 16-channel S3M on my slow 386 (I eventually could do it by selecting 8-bit mono for the sound settings,) but now demoscene music composers just release their music as MP3 or OGG. What my full-size desktop 386 couldn’t play 15 years ago, a tiny ipod the size of a cigarette lighter can play without missing a beat.

These days, the biggest hurdle for me and my ability to watch demos in their native environment is the fact that I choose to run Linux instead of Windows. Fortunately, groups are releasing their demos in all sorts of various movie formats (including full-HD formats,) something that really wasn’t possible (or at least easy) even in the early 2000’s. Being able to watch a demo in full 1080p with the sound booming is a great experience.

Once I found out that I was going to Germany – something that came about by pure luck – I decided to do some research on whether or not there would be any demoscene events happening while I was there. As luck would have it, the biggest pure demoscene event in the world, Breakpoint 2008, would be occurring over the Easter long weekend. I had long read about these parties, legendary events where people code for days on end and get next to no sleep. I was excited to watch the new demo releases, listen to demoscene music all day long, and possibly to meet some people from all over the demoscene.

After weeks of waiting, the tension from 14 years of demoparty denial having built up to a fevered pitch, the day finally came. I took an InterCityExpress (ICE) train to Frankfurt Airport, where my intention was not to board an airplane, but to transfer to another train heading due west to Bingen-am-Rhein.

On the train to Bingen, I met a devoted, long-time scener and tried to strike up conversation. He asked me what production I was bringing to the show. Sheepishly, the best I could muster were my recent efforts working with Synchronet. You see, the demoscene is about contribution. It does not tolerate ‘consumers’ who do not contribute. Even fanatic demoscene consumers (such as myself) were considered lamers. Contribution was required to be a member of this community.

Bingen-am-Rhein could easily be considered the crown jewel of Germany. I checked into my hotel overlooking the river, taking a few minutes to watch the trains gracefully slink around the opposing side of the river from my room. Gorgeous.

I caught the Breakpoint shuttle to the demoparty location, where I stepped into the first demoparty experience of my life. The party was set up in a large sports hall, with tables lined up one after another, seats arranged all around. Two gigabit switches were placed on each table. It’s about at this point when I realized that I had brought no CAT5 cable with me, so I had to spend 5 Euro to buy a short cable from the front desk. No matter, it would come in handy later.

As I toured the tables trying to find a place to sit, I noticed that each seat had a sheet of paper in front of it marked with the group that was designated to sit there. “TRSI,” “Farbrausch,” “ASD;” these were all some of the biggest names in the demoscene. The huge projector to the front of the hall was displaying announcements on a fancy slideshow program. As I prowled through the mess of tables and chairs, it was becoming increasingly clear that there were just no seats available — the papers with group names were everywhere. Then, an announcement popped up on the screen at the front noting that the papers were all meaningless; all empty chairs were up for grabs and there was no such thing as a reserved seat.

So, I sat down in a seat marked for “Still,” at the very end, so that I wouldn’t inconvenience the group too much. Of course, about thirty minutes later, the guys from Still showed up and weren’t too impressed that I was taking up one of their seats. I think the only saving grace in that case was the fact that I was Canadian — it’s just so rare for a Canadian to show up to a demoparty that I was a bit of a spectacle all unto myself.

That seat marked my life for the next four days.

While I was at Breakpoint, I got to experience and witness some of the best programming talent on the planet. All of it was displayed in glorious 1080p for everyone to see. Farbrausch wowed everyone with Masagin. TRSI showed off their ‘wannabee’ demo 2nd Element. The best I could muster was helping a kid who grew up in East Germany install a copy of XBMC onto his obsolete PC while the sweet tunes of “Remark Music” blared and coders more talented than I drunkenly pounded away at assembly code on their C64’s.

On the train back to Nürnberg, where my job as a “Microsoft Excel spreadsheet master” awaited, I felt inadequate. There was no way I could ever measure up to any of these people in my lifetime. They knew that too, but even so, they were polite enough to welcome me into their home for four days and have a glimpse at what they were up to. For them, Breakpoint was sacred ground, and they shared that with me. For that, I am eternally grateful.

A year later, I was watching the livestream of Breakpoint 2009 from home, where I was recovering from having my wisdom teeth pulled. This was where Rgba & TBC wowed the world with Elevated.

A year after that, Breakpoint was no more.

The Wizard – A Circle Tour

There hasn’t really been a comprehensive guide written yet about how to visit the most significant filming locations from the 1989 cult classic “The Wizard”. After researching the various filming locations, reading through newspaper articles, and doing a field visit, this should be the most comprehensive guide on the Internet as of this writing.

This guide will be focusing on the filming locations in the area of Reno, Nevada. The majority of the film was shot in the area. However, a minority of scenes were not:

This is the “Twin Peaks Motel”, one of the very few filming locations that nobody’s been able to find. The phone booth does show a “Nevada Bell” sign, but the film makers have masqueraded locations in California as Nevada before. For example, these scenes were filmed at Agua Dulce Airpark, a favourite Hollywood filming location that was also used in MacGyver:

Also worth mentioning are the scenes filmed at Universal City and Cabazon in California. These are popular tourist destinations that speak for themselves.

The best and most obvious place to stage any tour of the remainder of The Wizard filming locations is Reno. Hotel rooms are plentiful and cheap, the city itself was a filming location, it has a major commercial airport with on-site rental cars, and the filming locations make a circle that starts and ends there. Staying in downtown Reno will let you see how the strip along Virginia Street near the “Biggest Little City” sign has changed and evolved since The Wizard was filmed.

The Peppermill Casino, south of downtown Reno, was used as a filming location during the “training montage” scenes where Haley sits poolside while Corey relays messages to Jimmy from Nintendo. However, the Peppermill has been heavily renovated since then, so it’s now unrecognizable compared to what was shot for the film.

This guide will be following a clockwise direction starting in Reno. Note that this is not the chronological order of scenes, which will be in a brief follow-up article after this one.

Total round trip, without accounting for “stop and look” time is about 6.5 hours. Adding 15 minutes per stop (there are ten stops total) brings this up to about 9 hours, so this is definitely a long tour that will take an entire day to complete! Please take the time to study the route carefully until you understand it all on your own. In winter, some of these routes might be dangerous or impassable, especially around Lake Tahoe.

1. Hirschdale, California

Take the I-80 west from Reno across the California border until you reach Exit 194 marked for “Hirschdale Road”.

Turn right on Hirschdale Road and you’ll drive by some cozy-looking country homes before crossing the Truckee River over a small bridge. Keep going along Hirschdale Road and it will eventually dead-end at where “Hirschdale Auto Wrecking” used to be.

If you look at the above picture closely, you’ll see the company name clearly on the banner near the top of the frame. Compare the picture to your location and you should be able to find the exact spot it was filmed.

The story goes that Hirschdale Auto Wrecking was forced to close and move away from the area due to environmental concerns.

From here go back the way you came along Hirschdale Road, until you go under the I-80 overpass. Pull over and look behind you – this is the exact spot where the kids were filmed walking under the overpass, towards Hirschdale Auto Wreckers, to spend the night in the wrecked truck cab.

2. Truckee, California

Continue along I-80 west until you reach Truckee. It’s a town that’s well signposted and easy to find. Downtown Truckee is where the “in the shorts” scene was filmed, as well as the brief part of the “Send Me An Angel” montage where the kids were sitting outside a shop holding a “Reno or Bust” sign.

3. Pyramid Lake

Take the I-80 eastbound back to Reno, and turn north onto Nevada Highway 445 (Exit 18). This is a long drive through some picturesque Nevada high desert. You’ll eventually connect with Nevada Highway 446, turn right (eastbound) here and enjoy the view of Pyramid Lake to your left. Drive until you reach the rest stop at the end of the lake. Not too far further east from here you should be able to find the tree on the right-hand side of the highway where the film’s opening sequences were filmed.

This article has some more specifics about this location. In particular, the opening sequence was a combination of two shots. Odds are good that the other shot was filmed around Pyramid Lake as well, so keep an eye out for it!

4. Hazen, Nevada

From Pyramid Lake, continue east on Nevada Highway 446 until you reach the intersection with Nevada Highway 447. Turn right (southbound) and continue until you reach Wadsworth and Fernley. Do not get back on the I-80 here, instead, take Main Street until it turns into US50 Alternate east. Continue east along US50 Alternate until you reach the small town of Hazen.

Once you reach Hazen, you’ll need to turn left to come back around to Hazen Market. Notice how in the film, US50 was a simple two-lane highway, but today, has been upgraded to four lanes. This is a big part of why, as of this writing, Hazen Market is permanently closed. The barrier separating westbound from eastbound traffic caused visits to this iconic market to drop significantly.

5. Fallon, Nevada

As you proceed east, US50 Alternate will meet up with US50 proper. Continue east until you reach 7227 Reno Highway just outside of Fallon. At the time of this writing, it was easy to spot thanks to the large “for sale” sign there:

This is the location of the old Star-Vu Drive-In Theatre. It’s mostly a barren field now, but the theater concession/projection building was still standing at the time of this writing, complete with old projectors inside. Here’s where Haley, Corey, and Jimmy talked after discovering the contents of Jimmy’s lunchbox:

Note that this is private property, so it’s important to obtain the owner’s permission before exploring around.

6. Historic Downtown Dayton

Turn around on the US50 back westbound until it intersects with US50 Alternate (the “Reno Highway”). Turn southwest towards Carson City to continue along US50 proper (the “Lincoln Highway”). Once in Dayton, turn right onto Main Street from US50, and you should be in the heart of historic downtown Dayton. The Fox Hotel is easily recognizable on the left-hand side.

7. Mound House

Not far west from Dayton along US50 is Mound House. Specifically, stop at 10087 Highway 50 East, and if you’re lucky, this “black widow” from the “Send Me An Angel” montage might still be there:

8. Gardnerville & Minden

Continue along US50 west until you reach Carson City. In Carson City, turn south and eventually you’ll reach the intersection of US50 and US395. Take US395 south until you reach Gardnerville.

In Gardnerville, turn left off of US395 onto Eddy Street. At the end of the street you’ll find Reid Mansion, or what was known as the “Greenriver Institution” in the film, where Corey absconded with Jimmy.

Take US395 back north until you reach Minden and turn left onto Esmeralda Avenue. This strip was used to film a variety of shots. For example, the bus station where Corey and Jimmy met Haley for the first time is now a casino:

Across the street, the Minden Inn was converted to a restaurant specifically for the film. The scene where Putnam pops the tires of Sam’s truck was filmed here, too.

9. Genoa, Nevada

Take the US395 north and turn left onto Genoa Lane, and about halfway between US395 and Genoa, you should find a view like this:

This is where Haley, Corey, and Jimmy were robbed of a few bucks by a group of cow farmers.

10. Tahoe Lake Overlook

Take US395 back north until it intersects with US50 again, but this time, turn left to go westbound towards Lake Tahoe. Once near the lake, turn right to take Nevada Highway 20 north. It follows the shore of Lake Tahoe a little and takes you through some picturesque vacation villages before intersecting with Nevada Highway 431. Turn right there to go eastbound and climb back up into the mountains. You won’t have to go far before finding this iconic outlook on the right-hand side:

Be sure to take the time to celebrate the end of the tour by playing “Send Me An Angel” as loud as you can while you drive along highway 431 back to Reno!

The Wizard – Opening Sequence

A small, but dedicated group of fans have done a lot of research into filming locations used in the 1989 cult classic film “The Wizard”, including this great article by Joey Crandall of the Carson Valley Times:

http://carsonvalleytimes.com/2015/06/12/when-hollywood-landed-in-carson-valley-an-oral-history-of-the-wizard/

The article is loaded with new information about how the film was created behind the scenes. It’s a great read, and if you’re a fan of the film but haven’t taken the time to check out Joey’s article, you should definitely do so.

In Joey’s article, then Nevada Film Commissioner Robin Holabird explains how the film’s iconic opening shot of Jimmy walking down the highway alone was filmed on the Pyramid Highway just outside of Reno.

This highway actually includes Nevada highways 445, 446, and 447 which together form a bit of a circle route from Reno to Pyramid Lake and back. So, it was a good place to start hunting for this elusive filming location, and a great drive besides.

What was not expected, though, was to instead discover that the opening sequence was actually filmed in two separate locations. But first, the key to figuring this all out revolved around a lone tree. You can see the tree (red arrow) and Jimmy just in front of it (yellow arrow). Note the outline of the mountains in the background, and the gentle slope to the right of the shot:

The image to the right was taken in 2016 at this location near Pyramid Lake – you can clearly see the tree in Google’s satellite view. Google provides a street view as well. You can compare the landscape and see that it’s an exact match to the shot from the film.

https://www.google.ca/maps/@39.841551,-119.4415852,168m/data=!3m1!1e3

Here’s an “up close” view of the tree without its leaves in winter:

But suddenly, the opening sequence of the film changes to a close-up of Jimmy’s journey:

Notice how the mountains in the background changed? There are also other inconsistencies in the opening sequence as well. Consider that the tree appears just to the left of the frame (but in front of the vehicle) where the officer stops Jimmy, but then the tree is nowhere in sight when the vehicle pulls away:

Even the colors of the shots dramatically shift from one cut to the next. The shots filmed near the tree were taken during the day, but the other shots taken at the unknown location during sunset. The slope to the right of the shot mysteriously disappears with the tree as well.

That’s one half of the puzzle solved, so far as where the opening sequence for “The Wizard” was filmed goes. The reasons why it was cut together from two separate filming locations will probably forever remain unknown. It’s possible that the film makers wanted to use one shot for the great aerial shot of Jimmy walking down the highway (from the airplane), and give a sense of Jimmy being tracked down by aircraft, but wanted to use the other shot to show off a sunset. But that’s just a guess.

In the meanwhile, if you’re in the Reno area and are a fan of this iconic 1980’s film, take some time to drive around and enjoy the sights – it’s well worth your time!

Game of Tunnels


The many Houses of the Seven Kingdoms of Westeros have a problem. They need to send messages to each other, and in a way that’s both fast and secure.


How do they accomplish such a task? Well, they use these guys:


The way that the houses use these messenger ravens isn’t all that different from how IPsec is used on the Internet today to secure messages between two private networks. Both the ravens and IPsec use a public medium to deliver their message. They’re both susceptible to interception and tampering. They’re both at the whim of the environment – a forest fire is just as likely to be hard on the messenger ravens as packet loss is to an IPsec packet. In fact, both methods deliver their messages in “packets”: the ravens are just more efficient at it.

But the most important way that these two mediums are alike is that it all starts with an agreement. Two parties must meet somewhere, at some time, and agree to terms of how future messages will be exchanged. In Westeros, this might be done by meeting in secret at some point. In IPsec, we call this the “Phase 1” negotiation.


It’s important to recognize that when an IPsec tunnel is established, it simply means that two parties have agreed to how they will exchange packets of information in the future. IPsec is not synchronous. It’s not like a traditional tunnel or most peer to peer tunnels where data is exchanged over a TCP stream. IPsec packets are marked as their own protocol (they are neither UDP nor TCP), and it’s up to the sender of the packet to ensure that it’s sent in such a way that the recipient knows how to decode it.

A lot of products on the market today are a little misleading about how they present the status of IPsec tunnels. As human beings, we want to be able to look at the status of something and know whether it’s working or not right away. Take these examples from three popular firewall products:


All would lead you to believe that the tunnel is up and running (a green indicator is most popular.) But IPsec tunnels are not so simple. In fact, these are just indications that the Phase 1 negotiation has succeeded. The gateway is simply saying, “yep, we’ve negotiated an agreement!” It’s not actually giving you an indication of whether that agreement is working or not.

Firewall dashboards like these are great ways to check whether a tunnel was negotiated successfully, but they’re not a good way to check if a tunnel is operating properly.

Common IPsec Problems:
(post phase 1 negotiation)

  • Desynchronization
  • Public IP Changes
  • Internet Performance
  • Rekey Races

Desynchronization is a problem that happens when one member of the IPsec agreement gets out of sync with the other. Maybe one member was expecting the cryptographic cipher to change on a schedule, but the other member didn’t actually change it. Once the cipher has changed, the member that changed it can’t go back to using the old one: that would open up a vulnerability (by allowing someone to send a message with the old cipher much later.)

Public IP Changes are easy to detect, by verifying the real Internet IP address on both gateways participating. Depending on the software or equipment being used, it may or may not be possible to configure the gateway to use a dynamic hostname instead.

Internet Performance ultimately determines the performance of IPsec. This can be verified by troubleshooting the performance of the underlying Internet connection (for example, by pinging the other IPsec member’s gateway address.) It’s tempting on many firewall devices to reject all ICMP packets silently, but this is discouraged since all it does is make troubleshooting issues like this much more difficult.

Rekey Races are a rare issue that happens on some equipment when both members agree that it’s time to re-negotiate the Phase 1 agreement, but also re-negotiate some Phase 2 agreements at the same time. This has caused some IPsec gateways to become “confused” about what’s happening, and re-negotiate a new Phase 1 agreement while leaving some of the tunnels in the old Phase 2, where the other gateway has put those tunnels in the new Phase 2.

Troubleshooting Steps:

  • Verify Local Internet Connectivity
  • Ping Remote Gateway Internet IP Address
  • Check Phase 2 Associations
  • Verify Traffic Over Phase 2 Tunnels
  • Ping Remote Address via Phase 2 Tunnel

As you proceed through these troubleshooting steps, collect the information as you go, as you may need it to report tunnel trouble to your IPsec partner. Nobody likes to receive a “tunnel down” report with no other information, so having the information available up front will help get the problem resolved faster.

Verify Local Internet Connectivity first, including the actual public Internet IP address that the gateway is using. Many services on the Internet will verify this for you, including http://www.whatismyip.com/ and via Google:

dig o-o.myaddr.l.google.com @ns1.google.com txt +short

Ping Remote Gateway Internet IP Address, which will reveal whether the remote gateway is reachable, and, whether any packet loss is occurring. Keep the ping running continuously: packet loss can be intermittent, so it may take some time to observe it.

Check Phase 2 Associations for desynchronization. This will usually manifest itself on firewall dashboards as seeing multiple SPI associations. A healthy IPsec tunnel will have only one SPI association (and multiple only for the time it takes to rekey.) Long-term, multiple associations for the same network pairs are not normal.

Verify Traffic Over Phase 2 Tunnels by looking for byte or packet counters incrementing. IPsec will not generate traffic on its own: it needs traffic to be flowing over the tunnel for the traffic counters to increment. If you see traffic incrementing on one side but not the other (for example, a receive counter incrementing but not a transmit counter), then that’s a strong indication that one member of the IPsec association is desynchronized.

Ping Remote Address via Phase 2 Tunnel, and try multiple IP addresses. It’s possible that the issue is local to one system on the private network only. If you’re able to ping a system on the remote side, then the tunnel is functioning.
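The two dashboard checks above (duplicate SPI associations, and counters incrementing in only one direction) can be automated on a Linux gateway. The following is an added example, not code from the original post: it parses constructed sample output modelled on `ip -s xfrm state`, with an assumed local gateway address of 203.0.113.10 and two peers, one healthy and one showing both symptoms.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on `ip -s xfrm state` output from a Linux
# gateway (assumed local address 203.0.113.10). Peer 198.51.100.20 has a
# stale second inbound SA and no inbound packets; peer 192.0.2.5 is healthy.
# Key material lines are omitted for brevity.
SAMPLE_XFRM_STATE = """\
src 203.0.113.10 dst 198.51.100.20
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      48200(bytes), 412(packets)
src 198.51.100.20 dst 203.0.113.10
    proto esp spi 0x9f8e7d6c reqid 1 mode tunnel
    lifetime current:
      0(bytes), 0(packets)
src 198.51.100.20 dst 203.0.113.10
    proto esp spi 0x11223344 reqid 1 mode tunnel
    lifetime current:
      0(bytes), 0(packets)
src 203.0.113.10 dst 192.0.2.5
    proto esp spi 0x55667788 reqid 2 mode tunnel
    lifetime current:
      9100(bytes), 77(packets)
src 192.0.2.5 dst 203.0.113.10
    proto esp spi 0x99aabbcc reqid 2 mode tunnel
    lifetime current:
      8800(bytes), 75(packets)
"""


def parse_xfrm_state(text):
    """Parse `ip -s xfrm state` text into one dict per security association."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^src (\S+) dst (\S+)$", line)
        if m:  # a new SA starts with its outer src/dst (gateway) addresses
            cur = {"src": m[1], "dst": m[2], "bytes": 0, "packets": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^proto (\w+) spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)", line)
        if m:
            cur.update(proto=m[1], spi=m[2], reqid=int(m[3]), mode=m[4])
            continue
        m = re.match(r"^(\d+)\(bytes\), (\d+)\(packets\)$", line)
        if m:  # the counters under "lifetime current:"
            cur["bytes"], cur["packets"] = int(m[1]), int(m[2])
    return sas


def check_tunnel_health(sas, local_ip):
    """Report duplicate SAs per direction and peers with one-way traffic only."""
    per_direction = defaultdict(list)
    for sa in sas:
        if sa.get("proto") == "esp":
            per_direction[(sa["src"], sa["dst"], sa["reqid"])].append(sa)

    findings = {"duplicate_sa": [], "one_way": []}
    peer_counters = defaultdict(lambda: {"in": 0, "out": 0})
    for (src, dst, reqid), group in sorted(per_direction.items()):
        if len(group) > 1:  # more than one SPI for the same pair: stale/desynced
            findings["duplicate_sa"].append((src, dst, reqid, [sa["spi"] for sa in group]))
        packets = sum(sa["packets"] for sa in group)
        if src == local_ip:
            peer_counters[(dst, reqid)]["out"] += packets
        elif dst == local_ip:
            peer_counters[(src, reqid)]["in"] += packets
    for (peer, reqid), c in sorted(peer_counters.items()):
        if (c["in"] == 0) != (c["out"] == 0):  # traffic in exactly one direction
            findings["one_way"].append((peer, reqid, c["in"], c["out"]))
    return findings


if __name__ == "__main__":
    result = check_tunnel_health(parse_xfrm_state(SAMPLE_XFRM_STATE), "203.0.113.10")
    for src, dst, reqid, spis in result["duplicate_sa"]:
        print(f"duplicate SAs {src} -> {dst} (reqid {reqid}): {', '.join(spis)}")
    for peer, reqid, rx, tx in result["one_way"]:
        print(f"one-way traffic with {peer} (reqid {reqid}): in={rx} out={tx} packets")
```

On a real gateway, feed it `subprocess.check_output(["ip", "-s", "xfrm", "state"], text=True)` and your own public address instead of the sample.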

IPsec Misconceptions:

  • Ping a Gateway from Gateway
  • Tunnel Reset

Generally speaking, you cannot Ping a Gateway from Gateway. This is because the gateway doesn’t know what IP address to originate the traffic from (since the gateway has multiple network interfaces), and, a lot of IPsec implementations are done in ‘user space’ instead of in ‘kernel space’. This means that since the IPsec service is not part of the system’s core networking stack, it can’t originate traffic from itself. Always test traffic through the tunnel, never from the endpoints.

Doing a Tunnel Reset from one side rarely accomplishes much. For example, if one gateway is desynchronized, doing a tunnel reset on the other won’t cause the desynchronization to go away. Some IPsec implementations don’t actually clear all of the SPI associations cleanly on a tunnel reset, in which case only a reboot of the equipment will ensure the old associations are cleared. Once traffic is passing over the tunnel again, fixing the root issue is necessary, otherwise the problem will ultimately occur again.

IPsec Best Practices:

  • Perfect Forward Secrecy
  • Rekey Lifetimes
  • Time Synchronization

Perfect Forward Secrecy should be enabled, not only because of the security implications (it makes captured encrypted traffic more difficult to break), but because it forces a renegotiation of the Phase 2 tunnels to happen more often. The more time that passes between renegotiations, the more time you’re allowing an IPsec tunnel to become desynchronized.

Rekey Lifetimes should be as short as possible, and the Phase 2 lifetime should be set to two-thirds of the Phase 1 rekey time. This ensures that Phase 2 tunnel renegotiation doesn’t coincide with the Phase 1 renegotiation as often.

Time Synchronization from a reliable time source or NTP server is important since it’s used to calculate rekey times. A clock on a device that drifts (because it has no time source, or an unreliable time source) can cause desynchronization issues. Some equipment ships with hard-coded time sources, so this can’t be helped, but where it’s possible to configure it, reliable NTP servers should be used.
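The three practices above can be checked mechanically before a tunnel goes live. The following is an added example, not part of the original post and not any product's configuration format: the `IpsecPolicy` fields, the two sample policies and the 10% tolerance on the two-thirds rule are assumptions chosen for illustration.

```python
"""Audit an IPsec policy against the three best practices in the post:
PFS enabled, Phase 2 lifetime at two-thirds of Phase 1, and an NTP source.

Added example, not from the original post or any product. The IpsecPolicy
fields and the sample values are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class IpsecPolicy:
    name: str
    pfs: bool                    # Perfect Forward Secrecy on the Phase 2 SA
    phase1_lifetime: int         # IKE (Phase 1) SA rekey time, seconds
    phase2_lifetime: int         # IPsec (Phase 2) SA rekey time, seconds
    ntp_servers: Tuple[str, ...]  # empty means the clock free-runs


def recommended_phase2_lifetime(phase1_lifetime: int) -> int:
    """Two-thirds of the Phase 1 rekey time, as the post recommends, so the
    two renegotiations rarely land at the same moment."""
    return phase1_lifetime * 2 // 3


def audit(policy: IpsecPolicy, tolerance: float = 0.10) -> List[str]:
    """Return human-readable findings; an empty list means the policy follows
    all three practices."""
    findings: List[str] = []
    if not policy.pfs:
        findings.append("PFS disabled: enable it so captured traffic is harder "
                        "to break and Phase 2 renegotiates more often")
    target = recommended_phase2_lifetime(policy.phase1_lifetime)
    if policy.phase2_lifetime >= policy.phase1_lifetime:
        findings.append(f"Phase 2 lifetime {policy.phase2_lifetime}s is not shorter "
                        f"than Phase 1 ({policy.phase1_lifetime}s); set it to about {target}s")
    elif abs(policy.phase2_lifetime - target) > tolerance * target:
        findings.append(f"Phase 2 lifetime {policy.phase2_lifetime}s is not two-thirds "
                        f"of Phase 1; set it to about {target}s")
    if not policy.ntp_servers:
        findings.append("no NTP source: a drifting clock skews rekey timing and can "
                        "desynchronize the tunnel")
    return findings


# Constructed sample policies (assumed values, not real configurations).
WEAK = IpsecPolicy("partner-vpn-before", pfs=False, phase1_lifetime=86400,
                   phase2_lifetime=86400, ntp_servers=())
HARDENED = IpsecPolicy("partner-vpn-after", pfs=True, phase1_lifetime=28800,
                       phase2_lifetime=19200, ntp_servers=("ntp.example.net",))


if __name__ == "__main__":
    for policy in (WEAK, HARDENED):
        print(policy.name, "->", audit(policy) or ["ok"])
```

Run the audit on both ends of the tunnel: the lifetimes only help if the partner's side is configured the same way.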

If all else fails, before you contact your IPsec partner, have the information you recorded during the troubleshooting steps ready. Providing as much information as possible will help the partner troubleshoot the issue. Including additional information (such as the physical location of the equipment being used and what networks are being transmitted over the tunnel) will also help.

IPsec Issues Checklist:

  • Both Gateways Public Internet IP Addresses
  • Physical Location and Description of Equipment
  • Source and Destination Inside IPs
  • Steps Taken (reboot, tunnel reset, traffic observed, duplicate SPIs)
  • Information/Screenshots from Dashboard

IPsec is a powerful and flexible service, but, like the messenger ravens in Game of Thrones, it performs best when given a little care and attention.


Kobolds – Tales of a Casual Legacy Player

I’ve been playing Magic: The Gathering since I was introduced to it by a high school librarian in 1994.  Most of my experience with Magic has been at the casual level.  The goal for the most part was to find as many friends as possible, play huge multiplayer games around a dining room table, and worry more about having fun than being competitive.  I have great memories of Sol Ring, Demonic Tutor, Royal Assassin, and Rocket Launcher just being huge bombs in these games.

[Card images: Sol Ring, Demonic Tutor, Royal Assassin, Rocket Launcher]

In about 2014, I slowly made the switch to becoming a more competitive player thanks to the rise in popularity of real-time streaming (Twitch) and produced content (YouTube). These have been invaluable tools for helping a casual player understand competitive play and the strategies involved. However, I still love revisiting my casual roots from time to time, and there’s been one challenge in particular that I’ve been obsessed with since those early days of Magic, and that is the kobold deck.

Kobolds are unique in the fact that the smallest members of the tribe cost nothing to cast.  When they were first introduced in Legends, the only synergy they had in the set was with their fellow creatures, and this made for a very weak tribe.

[Card images: Kobolds of Kher Keep, Kobold Taskmaster, Kobold Overlord, Kobold Drill Sergeant, Crookshank Kobolds, Crimson Kobolds]

The rare legendary kobold “bomb” lord of the set was terrible, even by the standards of the day.  Could you imagine opening your pack of Legends and getting this guy as your rare?

[Card image: Rohgahh of Kher Keep]

So the best that a kobold deck could hope for at this point was to get a few of the 0/1 kobolds on board, maybe attach a Giant Strength or play Blood Lust, and combined with a Kobold Taskmaster or two, swing in for a bunch of damage.  The problem is that this plan was easily ruined by the usual suspects: a strategic Lightning Bolt on Kobold Taskmaster wipes out damage from a bunch of kobolds.  From Legends specifically, Pyrotechnics could be a four-for-one in some circumstances, and Chain Lightning did a lot of work against the kobold deck as well.

[Card images: Lightning Bolt, Pyrotechnics, Chain Lightning, Giant Strength, Blood Lust]

Kobolds in this form were not really playable (even casually – the deck was easily wiped out by every other deck out there), until the advent of Urza’s Legacy with Falter and Bravado.  Attaching Bravado with five or more kobolds on board was great value at two mana, and with the addition of Falter, at least the Kobolds had a way to punch through a defensive line to deal damage.  Combined with Final Fortune, it could do it again to get lethal damage through.  Card draw at the time was fixed by having Wheel of Fortune in the deck, but this usually worked against the kobolds deck as the opponent’s “fuel in hand” was a lot more potent than anything the kobold deck could draw.

[Card images: Bravado, Falter, Final Fortune, Wheel of Fortune]

When Kamigawa block was released, the deck took an interesting turn: by adding green.  Since the 0/1 kobolds cost nothing to cast, it made Glimpse of Nature very powerful.  Now the strategy shifted to finding a source of green, playing as many kobolds as possible, drawing as many kobolds as possible, and then closing it out with a few big attacks.  Green also allowed the addition of Yavimaya Hollow, which allowed you to protect some of your more valuable kobolds by regenerating them, and Alpha Status, which made it easy to create massively-sized kobolds.  At this point, the deck also included Lotus Petal so as to help ramp into these cards.

[Card images: Alpha Status, Glimpse of Nature, Lotus Petal, Yavimaya Hollow]

But the most impactful addition to the kobold deck, the card that has caused the deck to win more than any other card, is by far Shared Animosity.  Combined with Glimpse of Nature, it was possible to get an entire army of kobolds on the board quickly, and then attack as a team the next turn for massive damage.  If you were lucky enough to get a Kobold Overlord or Kobold Drill Sergeant on the board, then that meant this team had first strike and/or trample as well, and would come in for over twenty damage with just five kobolds on the table.  Shared Animosity replaced Bravado entirely and launched the kobold deck from unplayable to explosive – it actually started to function like a red aggro deck should.

[Card image: Shared Animosity]

It was around this time that I had learned of Duels of the Planeswalkers 2014, which I spent a considerable amount of time playing.  A lot of people might slam it for not being “real Magic”, but Duels made Magic sound and feel more like an arcade game, and it let me experiment and have fun with a lot of casual decks.  Really, Duels of the Planeswalkers is everything a casual or beginning player could ever dream of.  The scripting language used to code cards within the game was easily modified, so I even cooked myself up the kobold deck in Duels of the Planeswalkers – here you can see me taking it for a spin against “Chant of the Mul-Daya”, a green ramp Eldrazi deck.

[Screenshot: the kobold deck in Duels of the Planeswalkers 2014]

My prized kobolds even looked great in the new card frame:

[Card image: Crookshank Kobolds]

Shortly thereafter, I decided to become more serious about the way I played Magic, and joined Magic Online.  Surprisingly, aside from the massive amount of experience I gained playing competitively on Magic Online, there was also a thriving group of casual players.  Having put together a kobold deck on MTGO and put in a lot of repetitions with it in the casual play area, I tweaked the deck some more and the end result looks something like this (click to see a clearer, larger version):

[Screenshot: the kobold deck list on Magic Online]

You’ll notice that Wheel of Fortune is gone, and in its place is Browbeat, which works great for the red aggro player either way (as opposed to Wheel of Fortune, which fueled your opponent’s hand as well as yours, Browbeat only draws you cards, if that’s what your opponent chooses). Lotus Petal was shed, and Mikokoro was added for some extra card draw, as well as Gamble to help you find that missing piece (best used when you have a grip full of disposable kobolds so as to minimize the odds of the fetched card being thrown away). The deck also adds Steely Resolve from the sideboard now for some protection against decks with heavy removal; you side out Alpha Status for those. I’m still torn on the role of Adaptive Automaton and Door of Destinies, though, and I’m still experimenting with the best balance for these cards from the sideboard:

[Screenshot: the kobold deck sideboard on Magic Online]

Playing the deck itself aside, it’s been a lot of fun to talk to people about the deck, too.  It’s not meant to be a competitive deck, and I’ve had some great discussions with people in the MTGO “just for fun” room about it, even if they’re quick one-liners like “cool deck.”  Then, there are the not-so-great experiences with people who take “casual Magic” a little too seriously.  Take this conversation I had with a friend of mine about one particularly salty opponent:

[Screenshot: chat conversation about the salty opponent]

I guess if opponents are scooping to the deck round one, turn one, I’m okay with that.  As of this writing, the deck is about $60 to buy through the various bots on Magic Online, which I think is very affordable so far as casual legacy decks go.

This deck has been a lot of fun to play throughout the twenty or so years and hundreds of repetitions.  Kobold creatures present a very unique Magic challenge in the sense that they’re very bad from a card advantage point of view: you’re wasting a card to be a very weak 0/1 body that does nothing on the board for the most part.  The deck is ridiculously weak to removal, it’s very linear, and doesn’t really interact with the opponent.  Trying to figure out a way to turn these dysfunctional creatures into something fun and powerful at the same time has been a great challenge, and one that I hope to keep up with for many years to come.

VGDB – The VideoGame DataBase

The VideoGame DataBase (VGDB, or vgdb.ca) was first inspired by the Digital Press Collector’s Guide as a way not only for collectors to keep track of which games they owned, but to track the values of video games as well. Video game pricing is an ever-changing marketplace, so the intention of VGDB was to be an amalgamation of data from across the Internet in regards to game values. Collectors would be able to track which games they owned, and their respective ‘buy’ and ‘sell’ values.

This was accomplished by scraping various websites that provided pricing data. Digital Press was the source of the base video game lists.


[Screenshot: VGDB]

VGDB was also used by a major retailer for tracking store inventory and buy/sell prices for games. This data was also blended with the data scraped from the web. This has since been discontinued, but in the three year span that this was in place, VGDB recorded 15,115 transactions for this retailer from 2011 through 2014.

During this period, the top ten games that saw the most trading activity include:

1. Super Mario World (SNES)
2. The Legend of Zelda: Ocarina of Time (N64)
3. GoldenEye: 007 (N64)
4. Mario Kart 64 (N64)
5. The New Super Mario Bros. (DS)
6. Diddy Kong Racing (N64)
7. Super Mario All-Stars (SNES)
8. Super Mario 64 (N64)
9. Perfect Dark (N64)
10. (tied) Donkey Kong Country (SNES)
10. (tied) Super Mario Kart (SNES)

This data supports the idea of a ‘curve’ in video game collecting. The idea is that around the time people become older (their late 20s or early 30s), they want to re-purchase the games they remember from childhood. At the time period that this data was captured, that’s clearly the Super Nintendo on the downslope of the curve, and the Nintendo 64 rising above it.

Unfortunately, without someone to focus time and energy into improving the site, VGDB rapidly became outpaced by its competitors. In particular, Video Game Price Charts was registered a year before VGDB and became the de facto source for video game pricing data on the Internet.

Given that there’s no point in maintaining a site that is no longer in active use, and with out-of-date pricing data, the site has been retired. This blog entry remains as a memorial for the short experiment that it was – if you want current, relevant pricing data for your games, please visit Video Game Price Charts.

Disk Jockey

A company called Diskology makes a great product called the Disk Jockey (“DJ”). I personally own two of these (one attached to my server at home, and another attached to my workstation.) This is a fantastic product, albeit with a few minor quirks that you should be aware of before using the device.

[Photo: the Disk Jockey]

In its simplest form, the DJ operates like any run-of-the-mill hard drive dock. Even better, it can function as a two-disk dock. On the back are connectors for eSATA and USB, although I tend to prefer eSATA for performance reasons.

When the Disk Jockey is not plugged in to a computer, it operates as a stand-alone device that can perform a variety of functions: disk copying, wiping, and verification. For any of us who frequently need to duplicate disks, wipe disks, or verify that two disks are identical, these standalone functions are invaluable and a great time saver.

However, the greatest power of the DJ comes from its drive combining options. For example, you can connect two disks to the DJ in what it calls a ‘mirror’ or ‘combine’ volume. When you select one of these options, the DJ then presents itself to your workstation as a logical volume. In the case of a ‘mirror’, it’s a bit like RAID1, and in ‘combine’, it’s a little like RAID0. However, it’s important to realize that the DJ’s ‘mirror’ and ‘combine’ modes are different from traditional RAID.

Mirror: In a traditional RAID1 mirror, the controller has a way to verify the consistency of the volume. That is to say, if you connect two drives in a RAID1, write some data, then remove one drive and replace it with another, it will realize a drive is inconsistent and begin matching up the drives to be consistent with one another. The DJ’s ‘mirror’ mode works differently: any writes go to both drives, but any reads only come from the disk connected to the ‘source’ side of the DJ.

This is an important distinction, because if you manage to connect the wrong disk to the ‘destination’ side of the DJ, it won’t realize that there’s a mismatch and then will blindly overwrite the data there.

We can test this by connecting two disks to the DJ in ‘mirror’ mode and writing a sequence of entirely null bytes to the volume. Examining the disks individually will show that both disks are full of nothing but null bytes. Now, connect one disk of the pair on its own and overwrite the entire disk with hex 0x01. After that, reconnect the pair, but keep the overwritten disk on the ‘destination’ side, and write hex 0xFF to the first 512 bytes of the volume.

Examining the disks individually will show that both drives indeed have 512 bytes worth of 0xFF at the top. But the first disk will have 0x00 for the remainder, while the second will have 0x01. There is no consistency checking on the DJ.
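The experiment above can be replayed without risking real drives. The following is an added example and not code from the original post or from Diskology: it models a mirror that writes to both members, reads only from the source and never compares them, then applies the same null / 0x01 / 0xFF sequence to two in-memory disks. `first_mismatch` is the consistency check the device itself lacks, the kind of comparison worth running on detached members before trusting a pair; the disk size is an assumption.

```python
"""Model the Disk Jockey 'mirror' semantics described in the post and replay
the null-byte / 0x01 / 0xFF experiment on two in-memory disks.

Added example, not part of the original post and not Diskology's code. The
disks are small bytearrays standing in for real drives; 'source' and
'destination' follow the post's naming.
"""
from typing import Dict, Optional


class SourceReadMirror:
    """Two-member mirror that writes to both members and reads only from the
    source member, with no consistency check (the behaviour the post describes)."""

    def __init__(self, source: bytearray, destination: bytearray) -> None:
        if len(source) != len(destination):
            raise ValueError("mirror members must be the same size")
        self.source = source
        self.destination = destination

    def write(self, offset: int, data: bytes) -> None:
        end = offset + len(data)
        self.source[offset:end] = data
        self.destination[offset:end] = data

    def read(self, offset: int, length: int) -> bytes:
        # Reads never touch the destination, so a mismatch there is invisible
        # to the workstation.
        return bytes(self.source[offset:offset + length])


def first_mismatch(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if the members agree.
    This is the check the DJ does not perform."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def run_experiment(size: int = 4096) -> Dict[str, object]:
    """Replay the post's experiment and return what each disk ends up holding."""
    disk_a = bytearray(size)
    disk_b = bytearray(size)
    pair = SourceReadMirror(disk_a, disk_b)
    pair.write(0, bytes(size))               # step 1: whole volume is null bytes
    disk_b[:] = b"\x01" * size               # step 2: disk B overwritten on its own with 0x01
    pair = SourceReadMirror(disk_a, disk_b)  # step 3: reattached, B still on the destination side
    pair.write(0, b"\xff" * 512)             # step 4: 0xFF to the first 512 bytes
    return {
        "volume_as_seen": pair.read(0, size),  # what the OS reads back
        "disk_a": bytes(disk_a),
        "disk_b": bytes(disk_b),
        "first_mismatch": first_mismatch(disk_a, disk_b),
    }


if __name__ == "__main__":
    result = run_experiment()
    print("members first differ at offset:", result["first_mismatch"])
```

The volume the OS sees matches disk A byte for byte, so nothing at the filesystem level will ever report that disk B holds 0x01 from offset 512 onward.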

Combine: This mode of the DJ operates like RAID0, except again, without consistency checking. Thus, it’s easy to accidentally swap the two drives, and the DJ will happily create a stripe without checking that the drives are connected backwards. This isn’t as fatal as in the ‘mirror’ scenario, but can be if the user continues with some kind of write operation.

So long as you’re aware of these quirks, the DJ is an excellent device of superb quality. The mirrored mode is especially useful as part of an on-site/off-site backup strategy. Its standalone functions are great time savers. The eSATA connectivity ensures fast transfer speeds, too. This device is well worth the money.

Backups

Everyone knows that they should take backups of their digital media. It also seems that everyone knows that everyone else rarely does so. As human beings, we tend to get a little sloppy about things that aren’t strictly necessary or of an immediate need.

Jamie Zawinski has a pretty good article about backups here, and you should read it.

Of course, everyone’s situation is different. I have a large RAID array (24TB), which meant deploying a single external disk for a backup wasn’t possible. I also tend to be a little extra paranoid about my data, so I had the following requirements:

  • Physically Redundant Storage: A copy of the backup must reside in two physical locations, so that if one burns to the ground, all of the data is safe at another.
  • Intensive Integrity Checking: It’s not good enough to just let a backup disk sit spinning and then write the changes to it. There must be a way to frequently check all of the data on the backup disk to ensure that it’s still a good backup when the time comes.
  • Ease of Use: An automated process that will begin backups automatically, without supervision, and then report backup success or failure after.

Problem #1: Physically Redundant Storage

A company called Diskology makes a great product called the Disk Jockey (“DJ”). The DJ allows you to connect two SATA disks to it to make quick on-the-fly disk mirrors, stripes, and also serves as a basic SATA disk dock as well. The version I picked up has USB and eSATA connectors. In the case of backups, I connect two disks of equal size to the DJ, select “mirror” mode, and then the DJ appears to the OS as a single disk. (For example, if there are two 2TB disks connected to the DJ, it shows up as one 2TB disk to the OS in “mirror” mode.)

Whatever writes you make to the DJ will be written to both disks in mirrored mode. Whatever reads you do from the DJ will be read from one. This has some interesting implications that you should be aware of, and I talk about them in greater detail here.

The result of all of this is that I keep one disk off-site at work. I bring home one side of the disk mirror from work every day, then attach it to the DJ along with the other side of the mirror I keep at home. When going to work in the morning, I do the opposite.

Problem #2: Intensive Integrity Checking

The problem with most “set and forget” backup regimes is that you might need some obscure piece of data from the disk down the road, only to find that the section of the disk where that data is has long gone bad. You don’t know that it’s gone bad because you’ve never tried to read it (in the case of data that rarely changes.) The solution to this is to always read the entirety of your backup disk during every backup cycle, and then report failures immediately.

The default behaviour of rsync is to simply check the modification time and file size, and if there’s a match, it doesn’t read the file on the backup disk at all. Many other backup solutions operate in a similar fashion.

I chose to solve this problem by using rsync’s --checksum (-c) option. This forces rsync to read each and every file on both sides of the backup to compare whether it should be replaced on the backup disk or not. The downside is that this is very slow, so in my case, a backup run will typically take 12 hours or longer.

An alternative to this would be to simply blow away the backup volume, and then do a complete backup on every backup run. There’s a big problem with this approach, though: if something happens during the backup run, you have an incomplete backup. The checksumming method ensures that the data on the backup volume is never erased ahead of time.
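To see why the quick check misses silent corruption, here is an added example (not from the original post, and not rsync's own implementation) that builds a small constructed file tree in a temporary directory and plans a sync both ways: one file is bit-rotted on the backup side while its size and modification time are kept identical, which is exactly the case a modification-time comparison cannot see.

```python
"""Why the post uses rsync --checksum: simulate rsync's default 'quick check'
(size + mtime) against a full-content checksum over a constructed file tree.

Added example, not from the original post and not rsync's own code. The tree
is built in a temporary directory; 'photo.raw' has one byte flipped on the
backup side while its size and mtime stay identical.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def quick_check_differs(src: str, dst: str) -> bool:
    """rsync's default test: copy only if size or modification time differs."""
    s, d = os.stat(src), os.stat(dst)
    return s.st_size != d.st_size or int(s.st_mtime) != int(d.st_mtime)


def checksum_differs(src: str, dst: str) -> bool:
    """rsync --checksum: read both files fully and compare digests."""
    def digest(path: str) -> bytes:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.digest()
    return digest(src) != digest(dst)


def plan_sync(src_dir: str, dst_dir: str, checksum: bool) -> List[str]:
    """Names (one directory level, sorted) that rsync would copy to dst_dir."""
    to_copy = []
    for name in sorted(os.listdir(src_dir)):
        src, dst = os.path.join(src_dir, name), os.path.join(dst_dir, name)
        if not os.path.exists(dst):
            to_copy.append(name)
            continue
        differs = checksum_differs(src, dst) if checksum else quick_check_differs(src, dst)
        if differs:
            to_copy.append(name)
    return to_copy


def demo() -> Dict[str, List[str]]:
    """Build the constructed tree, plan a sync both ways, clean up."""
    root = tempfile.mkdtemp(prefix="rsync-demo-")
    try:
        src_dir, dst_dir = os.path.join(root, "array"), os.path.join(root, "backup")
        os.mkdir(src_dir)
        os.mkdir(dst_dir)
        stamp = 1_400_000_000  # fixed mtime so the quick check sees no change

        def put(dirname: str, name: str, data: bytes) -> None:
            path = os.path.join(dirname, name)
            with open(path, "wb") as f:
                f.write(data)
            os.utime(path, (stamp, stamp))

        photo = bytes(range(256)) * 16
        put(src_dir, "notes.txt", b"unchanged since last run\n")
        put(dst_dir, "notes.txt", b"unchanged since last run\n")
        put(src_dir, "photo.raw", photo)
        rotten = bytearray(photo)
        rotten[1000] ^= 0x01          # a single flipped bit on the backup copy
        put(dst_dir, "photo.raw", bytes(rotten))
        put(src_dir, "new.txt", b"not on the backup yet\n")
        return {"quick": plan_sync(src_dir, dst_dir, checksum=False),
                "checksum": plan_sync(src_dir, dst_dir, checksum=True)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The quick plan copies only the new file; the checksum plan also repairs the corrupted one. Reading every byte is the cost of that difference, which is where the 12-hour runs come from.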

Problem #3: Ease of Use

So the backup procedure I have is now very simple:

  • After work, I attach the drives to the DJ,
  • A backup script runs automatically overnight,
  • I detach the drives from the DJ, keep one at home, and bring one in to work.

The script does all of the heavy lifting. It splits my array into easily manageable chunks. The backup script has a --info flag that allows me to quickly see the status of all of my backups:

   Last Backup                  Used Free UUID
M  Tue Sep  2 20:00:04 PDT 2014 1.3T  66G 18e61a61-6502-6510-8086-0065d1917f97
S  Wed Sep  3 20:00:05 PDT 2014 1.4T 487G 0cfdeff4-6502-6510-8086-145408f4e658
Tb Sun Sep  7 20:00:06 PDT 2014 2.4T 374G c54d93c9-6502-6510-8086-7395b84d22d7
Z  Mon Sep  8 18:00:04 PDT 2014 627G 291G 57df37aa-6502-6510-8086-a9ac378f85d5
Ta Tue Sep  9 18:00:04 PDT 2014 2.2T 519G 45ff4122-6502-6510-8086-cf0a1f0ea6d7
Y  Tue Sep 16 18:00:14 PDT 2014 1.6T 295G 385afa54-6502-6510-8086-82120fc9d546
G  Wed Sep 17 18:00:03 PDT 2014 1.6T 264G 44d010a8-6502-6510-8086-f1032299ef49
A  Mon Sep 22 18:00:04 PDT 2014 1.5T 393G 08ece419-6502-6510-8086-59d4cb0e617c

The backup runs every day at 6:00pm (formerly 8:00pm – I had to push it back because the backup times were running too long for me to pick it up before work.) Regardless, I find that an hour between quitting time and backup start time is sufficient to connect the drives to the DJ. If I miss a backup day, it’s not such a big deal – you can see in this example, the oldest backup is about three weeks old.

Each letter to the far left represents a logical collection of files on the array. The “T” series is so large that it needs to span two 3TB disk pairs. Each disk contains a simple ext4 volume so that if the worst happens, it’s as simple as mounting it on virtually any Linux rescue boot image, and doing a single “rsync” to get the contents back.

If something goes wrong with a backup, it will be flagged in the status display.

The downside to all of this is that it’s possible for data to go for a long time without a backup (in this example, eight pairs of backup disks means it will take two weeks’ worth of working days before wheeling around to the first disk pair again.) That’s a risk I’m willing to take.
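A small monitor for the status table above, as an added example that is not the author's backup script: it parses the eight rows, then flags pairs whose last backup is older than the two-week rotation and pairs that are nearly full. The table text is copied from the post; the reference date, the 14-day and 10% thresholds and the size unit handling are assumptions.

```python
"""Parse the backup status table from the post and flag stale or nearly full
disk pairs.

Added example, not the author's script. STATUS_TEXT is copied from the post;
NOW, the thresholds and the unit multipliers are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List

STATUS_TEXT = """\
   Last Backup                  Used Free UUID
M  Tue Sep  2 20:00:04 PDT 2014 1.3T  66G 18e61a61-6502-6510-8086-0065d1917f97
S  Wed Sep  3 20:00:05 PDT 2014 1.4T 487G 0cfdeff4-6502-6510-8086-145408f4e658
Tb Sun Sep  7 20:00:06 PDT 2014 2.4T 374G c54d93c9-6502-6510-8086-7395b84d22d7
Z  Mon Sep  8 18:00:04 PDT 2014 627G 291G 57df37aa-6502-6510-8086-a9ac378f85d5
Ta Tue Sep  9 18:00:04 PDT 2014 2.2T 519G 45ff4122-6502-6510-8086-cf0a1f0ea6d7
Y  Tue Sep 16 18:00:14 PDT 2014 1.6T 295G 385afa54-6502-6510-8086-82120fc9d546
G  Wed Sep 17 18:00:03 PDT 2014 1.6T 264G 44d010a8-6502-6510-8086-f1032299ef49
A  Mon Sep 22 18:00:04 PDT 2014 1.5T 393G 08ece419-6502-6510-8086-59d4cb0e617c
"""

# Assumed: df -h style binary multiples.
_UNITS = {"K": 1024 ** 1, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}

# Constructed reference time: the morning after the newest entry.
NOW = datetime(2014, 9, 23, 8, 0)


def parse_size(text: str) -> int:
    """'1.3T' -> bytes."""
    return int(float(text[:-1]) * _UNITS[text[-1]])


def parse_status(text: str) -> List[Dict[str, object]]:
    """One dict per data row; the header line and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 10 or tokens[0] == "Last":
            continue
        label, dow, mon, day, clock, _tz, year, used, free, uuid = tokens
        # The zone token is dropped: all rows share it and strptime's %Z is
        # unreliable for anything but UTC/GMT and the local zone.
        when = datetime.strptime(f"{dow} {mon} {day} {clock} {year}",
                                 "%a %b %d %H:%M:%S %Y")
        rows.append({"label": label, "last": when, "used": parse_size(used),
                     "free": parse_size(free), "uuid": uuid})
    return rows


def stale_pairs(rows: List[Dict[str, object]], now: datetime,
                max_age: timedelta = timedelta(days=14)) -> List[str]:
    """Labels whose last successful backup is older than one full rotation."""
    return [r["label"] for r in rows if now - r["last"] > max_age]


def nearly_full(rows: List[Dict[str, object]], min_free_fraction: float = 0.10) -> List[str]:
    """Labels whose pair has less than min_free_fraction of its capacity free."""
    return [r["label"] for r in rows
            if r["free"] / (r["used"] + r["free"]) < min_free_fraction]


if __name__ == "__main__":
    rows = parse_status(STATUS_TEXT)
    print("stale:", stale_pairs(rows, NOW))
    print("nearly full:", nearly_full(rows))
```

With the eight-pair rotation, anything older than fourteen days means a pair was skipped on its turn; the M pair is also down to about 5% free, which is worth knowing before the next run fills it.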

Ultimately it’s up to you how you craft your backup solution, but they should generally all fit the same mold: redundant, stable, and easy to use.

Cassette Tape Preservation

A few months ago, my grandfather passed away. He was 88 years old, and had lived a long, happy, and fulfilling life – there were no regrets or sour feelings about his passing.

While his belongings were being sorted through, they happened upon this:

[Photo: the cassette tape]

I have no doubt that this kind of thing happens all the time when someone passes away. I can’t imagine the number of unknown or blank CD’s, VHS, cassette tapes, and all kinds of other media that must be discarded as garbage. Who knows what they contain? At some point, it was probably important to the person who kept it.

So, I decided to preserve this tape and listen to what was on it. The first step was to dig through my box of USB miscellanea and revive some old hardware:

[Photo: the Ion Tape Express]

This is an Ion Tape Express. It’s more or less the size of a walkman, but connects to your computer via USB. There’s a C-Media analog-to-digital chip within the enclosure, which helps to minimize how far the analog signal must travel before it’s converted to digital. You can pick one of these up at Radio Shack for about $60, and they’re fully Linux compatible.

I have no doubts that a better analog-to-digital conversion could be done with both a high-end tape deck and analog-to-digital converter. But for household amateurs such as myself, the Ion Tape Express is a good intersection of price and space (after all, how many tapes do you convert in a year?) I have no interest in taking up a lot of space with high end audio gear that won’t get used all that often.

The conversion is as simple as pressing “play” on the Ion, and then record in your favourite audio editing/recording software. In my case, I decided to use Audacity.

[Screenshot: recording the tape in Audacity]

In the end, only the first 30 minutes of the first side of the tape had content. I recorded all 90 minutes of the tape and preserved it as a 41 kHz .wav file. Ultimately, the tape contained nothing of real value, but disk storage is so cheap and dense that it doesn’t matter: I’ve now digitally preserved something of my grandfather’s that should last for all time so long as it’s stored and backed up correctly by those who come after me.