Stuff I'm Up To

Technical Ramblings

Wrong Certificate! — June 15, 2017

“Your connection is not private!”

This was a game-over message, the result of installing the wrong type of certificate on our new printers. We’re still working on getting the template right, but put simply we issued the HTTPS management certificate from a User template. A certificate from that template carries the Client Authentication extended key usage rather than Server Authentication, so browsers treat it as unusable for a web server and throw a serious security alert, serious enough that it doesn’t give you the option to continue to the management interface.

Even a factory reset of the printer didn’t take us back to factory settings for the management interface – that’s another bridge we have to cross.

Thankfully, Google Chrome has a hidden keyword that lets us continue even though we really shouldn’t.

So don’t treat this as carte blanche. It’s a get-out-of-jail-free card for a specific failure of our own making. If your browser is stopping you from reaching a website, it’s usually doing so for a very good reason.

On the page where you are blocked, click anywhere inside the browser page and type “badidea”. As if by magic the page loads, and we were then able to correct our misconfiguration and change the HTTPS certificate back to one issued from a valid Web Server template.

If you find “badidea” doesn’t work, try “danger” instead. Chrome changes this keyword from time to time; later versions use “thisisunsafe”.
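Before loading a certificate onto a device as its HTTPS management certificate it is worth checking the two things a browser will refuse it for: that its Extended Key Usage permits TLS server authentication (a User template gives Client Authentication, not Server Authentication) and that the management hostname appears as a DNS subjectAltName (Chrome 58 and later ignore the CN). The following shell script is an added example, not code from the original post; it assumes the openssl command-line tool (1.1.1 or later) is installed and the certificate is in PEM form, and the hostname printer01.example.internal in the usage line is made up.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a
# certificate before installing it as a device's HTTPS management certificate.
# Requires the openssl CLI; tested against OpenSSL 1.1.1 / 3.x text output.

# Print the certificate's X.509 text; fails if the file isn't a PEM certificate.
cert_text() {
  openssl x509 -in "$1" -noout -text
}

# Return 0 if the certificate may be used for TLS server authentication.
# A certificate issued from a User-style template carries only Client
# Authentication (and similar) in Extended Key Usage, so it fails here.
# A certificate with no EKU extension at all is unconstrained and passes.
cert_has_server_auth() {
  text=$(cert_text "$1") || return 2
  if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
    return 0
  fi
  printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication'
}

# Return 0 if the hostname in $2 appears as a DNS subjectAltName of $1.
# The SAN list is one comma-separated line in -text output; split it and
# compare each entry literally so dots in the hostname are not wildcards.
cert_has_san() {
  host=$2
  text=$(cert_text "$1") || return 2
  printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qxF "DNS:$host"
}

# Run both checks with a readable verdict; returns 0 only if both pass.
check_tls_server_cert() {
  rc=0
  if cert_has_server_auth "$1"; then
    echo "ok:   EKU permits TLS Web Server Authentication"
  else
    echo "FAIL: EKU lacks TLS Web Server Authentication (wrong template?)"
    rc=1
  fi
  if cert_has_san "$1" "$2"; then
    echo "ok:   subjectAltName contains DNS:$2"
  else
    echo "FAIL: no DNS subjectAltName for $2"
    rc=1
  fi
  return $rc
}

# Usage (hostname is made up): ./check_cert.sh printer.pem printer01.example.internal
if [ $# -eq 2 ]; then
  check_tls_server_cert "$1" "$2"
fi
```

Run it against the certificate file before it goes anywhere near the printer; a non-zero exit means the browser will reject it, and no keyword in Chrome should be the workaround for that.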

References: https://www.quora.com/How-do-you-fix-the-privacy-error-in-Chrome-Your-connection-is-not-private

Unable to Logon as admin — June 5, 2017

I managed to bork one of our test switches today. I was in the process of enabling “netlogin” using RADIUS as the authentication method, when I must have inadvertently enabled RADIUS authentication for the management interface as well, instead of just for “netlogin”.

Using the Extreme documentation for a related problem, a forgotten admin password, as a clue, I was able to modify the instructions slightly and log on without resorting to a factory reset.

Bye, bye, Percona — May 25, 2017

For quite a few years we’d been running Percona on our Nagios server with no issues, so there was no reason to change, until sometime over the past few days the repository’s signing key expired and automated updates started failing.

I tried to update the key, searching the key servers, and eventually gave up. I resorted to removing the Percona repos from my apt sources.list, then installed the MySQL apt repo and installed MySQL. The installer warns you to take a backup, as data already exists and may be lost after the install. For me, though, it simply removed Percona, installed MySQL and came up without any issue.

So it maintained all my users, schemas and tables and performed as expected.

Not that there’s anything wrong with Percona, just that I took the easy option of going with what the majority of our install base uses.
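The failure mode in this post, a repository signing key that expired and quietly broke automated updates, can be caught ahead of time by scanning the keyrings apt trusts for keys that are about to expire. The following shell script is an added example, not part of the original post; it assumes the Debian/Ubuntu keyring layout (/etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d) and GnuPG 2.2 or later for gpg --show-keys.

```shell
#!/bin/sh
# Added example (not from the original post): find apt repository signing keys
# that have expired or are about to, before unattended updates start failing.

# Read `gpg --with-colons` key listings on stdin and print one line,
#   <keyid> <expiry-epoch> <user id>
# for every primary key whose expiry is on or before NOW + DAYS*86400.
# Colon format: field 1 is the record type, field 5 the key id, field 7 the
# expiry epoch (empty when the key never expires); field 10 of the uid record
# that follows a pub record is its user id.
keys_expiring() {
  awk -F: -v now="$1" -v days="${2:-14}" '
    $1 == "pub" {
      keyid  = $5
      expiry = $7
      flag   = (expiry != "" && expiry + 0 <= now + days * 86400)
    }
    $1 == "uid" && flag { print keyid, expiry, $10; flag = 0 }
  '
}

# Scan every keyring apt trusts (assumes the Debian/Ubuntu layout) for keys
# expiring within DAYS (default 14). gpg --show-keys reads both binary .gpg
# and ASCII-armoured .asc files without importing them anywhere.
apt_keys_expiring() {
  days=${1:-14}
  for k in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*; do
    [ -r "$k" ] && gpg --show-keys --with-colons "$k" 2>/dev/null
  done | keys_expiring "$(date +%s)" "$days"
}

# Usage: ./apt-key-expiry.sh [days]   (prints nothing when all keys are fine)
if [ $# -ge 1 ]; then
  apt_keys_expiring "$1"
fi
```

Run it from cron with a window longer than your update cadence. apt refusing to trust an expired key (the EXPKEYSIG error) is the correct behaviour; the fix is to install the repository’s current key, never to disable signature checking.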

Owncloud Upgrade and Maintenance Mode — May 22, 2017
Setting up Baofeng UV-5R for PMR 446 — May 11, 2017

Yes, transmitting on PMR 446 with this radio is illegal, so don’t press the transmit button.

1. Reset the radio to factory defaults

Go to Menu 40 (press Menu followed by 40, or use UP/DOWN to scroll to RESET ALL).

Press Menu to move the selector down to ALL, then press Menu. Press Menu to confirm, then Menu again to reply to SOURCE? (which I’m sure is a bad translation of SURE?).

2. Set the Language.

The Radio will restart and now speak in Chinese. Great if you speak Chinese.

Set it back to English by pressing Menu 14 to get to VOICE, press Menu to move the selector to CHI, press UP or DOWN to get to ENG, press Menu to confirm.

Turn the radio off and on; it should be in English now.

3. Set the Step to 6.25k

Go to Menu 1, press Menu to move the selector down. Press 2, and when it shows 6.25k press Menu to confirm.

4. Enter in the first PMR 446 frequency

Press VFO/MR until it says “Frequency Mode”.

Type in 446006; it will show 446.006 with a tiny 25 to the right of it, i.e. 446.00625 MHz.

5. Save this as channel 1

Go to Menu 27, press Menu to move the selector down, press UP until you reach 001 – this is channel 1. Press Menu to store the current frequency as channel 1.

6. Setup the other 7 channels

This shouldn’t require any more typing of channel numbers.

Press VFO/MR until it says “Frequency Mode”. You should see your 446.00625 channel.

Press UP twice and it should show 446.01875; this is channel 2.

Save it into channel 2 using the same process as step 5.

Exit the menu (press Exit) and you’re back at your frequency, 446.01875.

Now it’s just a case of pressing UP twice to raise the frequency to the next channel and saving each one until you reach channel 8.

The full list of channels should look like:

  1. 446.00625
  2. 446.01875
  3. 446.03125
  4. 446.04375
  5. 446.05625
  6. 446.06875
  7. 446.08125
  8. 446.09375

7. Deleting Channels

If you want to delete channels 0 and 127, just go to Menu 28, press Menu to drop the selector down, press UP or DOWN to choose the channel to delete and confirm by pressing Menu.

8. Show Channels instead of Frequencies

Just my preference, but in Channel Mode I want it to show the channel number not the 446 frequency.

Go to Menu 21 (MDF-A), press Menu to drop the selector, and use UP or DOWN to scroll to CH. Do the same for Menu 22 (MDF-B) and you’ll now see CH-001 etc. on the screen when in Channel Mode.

Orphaned RIP Route — May 10, 2017

After making some changes to the way our network was setup I ran into a problem with RIP.

We started out with a VLAN spanning a pair of switches over a tagged uplink port. This worked fine, but with the new design favouring routing I thought we’d take the opportunity to change the configuration.

As the edge switch was being replaced, it was easy enough to rebuild the new switch and configure it for RIP. But on the core switch it meant deleting the VLAN that would no longer be needed, and this is what stopped me in my tracks.

Broken ARP — April 26, 2017

Not a fun morning. We spent an hour or two trying to figure out why our GUEST network was unable to route any packets to the Internet.

For many, a GUEST network may be a trivial network, but we also use GUEST for unauthenticated devices to access our virtual desktop system, primarily re-purposed laptops and desktops that no longer need a full domain-joined Windows PC and just run the VMware Horizon Client. So we had a large number of users unable to connect to the back-office systems.

The strange thing here was that all other network traffic from the trusted networks worked as expected.

Sophos UTM HA —

We encountered a few licensing problems when we looked at moving from the UTM525s to UTM430s, so we had to delay the project until yesterday. On the one hand, that gave us plenty of time to plan for eventualities like Martians and to be confident that the configuration restore worked when we tested it.

The one thing we didn’t expect was problems getting the two UTM430s to configure themselves for High Availability (HA).

HTTPS on the Synology NAS — April 25, 2017

I love this Synology NAS. It’s so versatile and immensely capable. I use it for streaming my TV, movies and music. It also acts as my Couchpotato, Sonarr and NZBGet system. I think I’ll definitely get another when the time comes.

But enough glorification.

Using Let’s Encrypt you can obtain a free TLS certificate for any of your encrypted services, with the one caveat that each certificate is valid for only 90 days, so it has to be renewed at least every three months.

Sophos UTM Up2date CLI — April 4, 2017

After buying some UTM430s to replace the UTM525s, the new 430s came with some ancient firmware. As I haven’t got them plugged into the network right now, I want to get them up to the same firmware as the current 525s.

In our case the shipped firmware was 9.311 and the current 525s were on 9.411. There are quite a few updates between those releases!

Preventing Martians —

In the process of changing firewalls and routers around, we found the Juniper flagging what it suspected were malicious MAC address changes: the MAC address now seen for an IP address no longer matched the one it had last recorded for that IP. Which is understandable, as we were giving the same IP addresses to new hardware.

This MAC mismatch triggers Martian alerts, which leave the IP addresses of the new devices unroutable. To prevent this we should clear the IP ARP cache tables on the various devices.

Juniper (ScreenOS)

-> clear arp [192.168.0.254]

or

-> clear arp all

Extreme Switches (XOS)

# clear iparp [192.168.0.254]

or

# clear iparp vlan [TRUST]

Martian addresses are host or network addresses about which all routing information is ignored: when received by the routing device, these routes are dropped. They are commonly sent by improperly configured systems on the network and have destination addresses that are obviously invalid.
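Clearing the caches as above is the remedy; the check a practitioner wants alongside it is a list of exactly which IP addresses have moved to a new MAC, so the expected moves (a replaced firewall taking over 192.168.0.254) can be separated from anything unexpected before the old entries are flushed. The following shell script is an added example, not part of the original post. It works on Linux ip neigh show output saved before and after the change (the Juniper and Extreme tables would need their own reduction to “ip mac” lines), and the snapshot filenames in the usage line are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): report IP addresses whose MAC
# address changed between two snapshots of the Linux neighbour (ARP) table.

# Reduce `ip neigh show` lines to "<ip> <mac>" with a lower-case MAC so that
# vendor capitalisation differences don't show up as changes. Entries without
# an lladdr (INCOMPLETE/FAILED) are dropped.
neigh_table() {
  awk '{
    for (i = 1; i <= NF; i++)
      if ($i == "lladdr") { print $1, tolower($(i + 1)); break }
  }' "$@"
}

# Given two "<ip> <mac>" files (before, after), print
#   <ip> <old mac> <new mac>
# for every IP present in both whose MAC differs. FILENAME == ARGV[1]
# identifies the first file even when it is empty (the NR == FNR idiom
# misfires in that case).
arp_mac_changes() {
  awk 'FILENAME == ARGV[1] { old[$1] = $2; next }
       ($1 in old) && old[$1] != $2 { print $1, old[$1], $2 }' "$1" "$2"
}

# Usage (filenames assumed): ./arp-diff.sh before.txt after.txt
# where each file is saved `ip neigh show` output.
if [ $# -eq 2 ]; then
  before=$(mktemp); after=$(mktemp)
  neigh_table "$1" > "$before"
  neigh_table "$2" > "$after"
  arp_mac_changes "$before" "$after"
  rm -f "$before" "$after"
fi
```

Any IP on the list that is not one you deliberately moved to new hardware deserves a look before its stale entry is cleared, because that is also what ARP spoofing looks like from the table’s point of view.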

Netsh Commands for NPS — April 3, 2017