Stuff I'm Up To

Technical Ramblings

Squid3 changes for Debian Jessie — July 21, 2017
Juniper HA Woes — July 6, 2017


I spent quite some time messing around with a pair of Juniper SRX320s trying to get HA clustering set up. The documentation seems straightforward, but I kept tripping over one fatal flaw.

Initially I configured HA using the J-Web interface and it configured successfully. I made some changes, set things up to test and then decided I didn’t like the direction I was taking and wanted to factory reset the devices.

The reset seemed straightforward, but everything went wrong when I tried to follow the command-line instructions for setting up an Active/Passive configuration. Every time I put the two systems into cluster mode and set the cluster ID and node ID, the secondary node (node 1) showed as lost and disabled.


OpenVPN DNS — July 4, 2017


Using OpenDNS (or whichever DNS servers the remote end pushes as dhcp-option values) on a Linux system that manages resolv.conf with resolvconf requires that OpenVPN is allowed to run its up/down script, so the script can write the pushed servers and search domain into the resolver configuration. To do this, add the following lines to your OpenVPN client config file.

# level 2 lets OpenVPN execute user-defined scripts such as the one below
script-security 2
# run when the tunnel comes up (adds the pushed DNS settings) and when it goes down (removes them again)
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

When you next establish the connection, the pushed DNS search domain and servers are added to resolv.conf, and removed again when the tunnel goes down. Check /etc/resolv.conf after connecting to confirm the nameserver and search lines are there.
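What the up script actually does with the pushed options is easy to lose sight of. The following is an added example, not the update-resolv-conf script from the post: OpenVPN exports each pushed dhcp-option as an environment variable foreign_option_1, foreign_option_2, and so on, and this function turns them into nameserver/search lines of the kind resolvconf expects. It only accepts DNS values that look like IP literals, because once script-security 2 is on, whatever the server pushes reaches a script running as root.

```shell
#!/bin/sh
# Added example (not OpenVPN's own update-resolv-conf). OpenVPN sets, for
# example,
#   foreign_option_1="dhcp-option DNS 10.8.0.1"
#   foreign_option_2="dhcp-option DOMAIN corp.example"
# in the environment of the "up" script when the server pushes those options.

# Print nameserver/search lines for every foreign_option_N in the environment.
# Returns 1 if no usable DNS server was pushed, so a caller can leave
# resolv.conf alone in that case.
build_resolv_conf() {
    i=1
    found=0
    search=""
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        set -- $opt
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)
                    # accept only IPv4/IPv6 literals; anything else is ignored
                    case "$3" in
                        ""|*[!0-9a-fA-F.:]*) ;;
                        *) printf 'nameserver %s\n' "$3"; found=1 ;;
                    esac
                    ;;
                DOMAIN|DOMAIN-SEARCH)
                    search="$search $3"
                    ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -z "$search" ] || printf 'search%s\n' "$search"
    [ "$found" -eq 1 ]
}

# Stand-alone demonstration with constructed values (not a real server push).
foreign_option_1="dhcp-option DNS 10.8.0.1"
foreign_option_2="dhcp-option DOMAIN corp.example"
build_resolv_conf
```

In a real up script the output would be piped into "resolvconf -a "$dev".openvpn", and the down script would call "resolvconf -d "$dev".openvpn"; the point here is the parsing and the validation of what the remote end is allowed to inject.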

References: https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

Wrong Certificate! — June 15, 2017


“Your connection is not private!”

This was a game-over message, the result of installing the wrong type of certificate on our new printers. We are still working on getting the template right, but put simply we enabled a certificate issued from the User template as the HTTPS management certificate. A User certificate is issued for Client Authentication and Secure Email, not Server Authentication, so every browser threw up a serious security alert, serious enough that it does not offer the option to continue to the management interface.

Even a factory reset on the printer did not take the management interface back to factory settings; that is another bridge we have to cross.

Thankfully, within Google Chrome there is an undocumented instruction that allows us to continue even though we really shouldn't.

So don't use this carte blanche. It's a get-out-of-jail-free card for a specific failure of our own making. If your browser is stopping you from getting to a web site, it is usually doing so for a very good reason.

On the page where you are blocked, click anywhere inside the browser page and type "badidea". As if by magic you can now visit the page, and we were able to correct our misconfiguration and change the HTTPS certificate back to a valid Web Server type.

If "badidea" doesn't work, try "danger" instead. Chrome has changed the bypass phrase between releases (later versions use "thisisunsafe"), and it can be removed at any time, so treat it as a one-off rescue and not a tool.
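The mistake is easy to catch before a certificate ever reaches a printer: look at the Extended Key Usage. The following is an added example, not from the post, that reproduces the situation offline with two self-signed certificates and a check function. The names and paths are made up for the demonstration; on a live device the same check is "openssl s_client -connect printer:443 </dev/null | openssl x509 -noout -text" and a look for "TLS Web Server Authentication".

```shell
#!/bin/sh
# Added example (not the post's own procedure). Creates two self-signed
# certificates, one with the EKUs a User template issues and one with the EKU
# a Web Server template issues, and checks which of them is usable for HTTPS.

# make_cert DIR NAME EKU-LIST: write a self-signed cert with the given
# extendedKeyUsage list (e.g. "clientAuth, emailProtection" or "serverAuth")
# to DIR/NAME.pem and print that path. CN is a made-up hostname.
make_cert() {
    dir=$1; name=$2; ekus=$3
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = printer.corp.example
[ext]
extendedKeyUsage = $ekus
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" \
        -config "$dir/$name.cnf" >/dev/null 2>&1
    echo "$dir/$name.pem"
}

# has_server_auth_eku CERT: succeed only if the certificate's Extended Key
# Usage includes TLS Web Server Authentication. A User-template certificate
# fails this, which is exactly why browsers reject it on a management page.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
        | grep -q 'TLS Web Server Authentication'
}

# Stand-alone demonstration: the "user" cert must fail, the "web" cert pass.
demo() {
    dir=$(mktemp -d)
    user=$(make_cert "$dir" user "clientAuth, emailProtection")
    web=$(make_cert "$dir" web "serverAuth")
    if has_server_auth_eku "$user"; then echo "user cert: OK for HTTPS (unexpected)"; else echo "user cert: NOT usable for HTTPS"; fi
    if has_server_auth_eku "$web"; then echo "web cert: OK for HTTPS"; else echo "web cert: NOT usable for HTTPS (unexpected)"; fi
    rm -rf "$dir"
}
demo
```

Running this check against the certificate file before it is uploaded, or against the device's port 443 after, would have flagged the template mix-up without a browser being involved.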


References: https://www.quora.com/How-do-you-fix-the-privacy-error-in-Chrome-Your-connection-is-not-private


Unable to Logon as admin — June 5, 2017


I managed to bork one of our test switches today. I was in the process of enabling netlogin with RADIUS as the authentication method when I must have inadvertently enabled RADIUS authentication for the management interface as well, instead of just for netlogin.

Using the Extreme documentation for a related problem, a forgotten admin password, as a clue, I was able to modify the instructions slightly and log on without resorting to a factory reset.
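The slip is easy to make because the EXOS RADIUS commands take an optional scope keyword, and leaving it out applies the command to both management access and netlogin. The fragment below is an added illustration, not the configuration from the post: the server address, client IP and virtual router are made up, and the syntax is as I know it from EXOS, so check it against the command reference for your release.

```text
# Scope left off: RADIUS is configured and enabled for BOTH
# management logins (mgmt-access) and netlogin.
configure radius primary server 192.168.1.10 1812 client-ip 192.168.1.1 vr VR-Default
configure radius primary shared-secret
enable radius

# Intended: scope the server definition and the enable to netlogin only,
# leaving admin logins on the local account database.
configure radius netlogin primary server 192.168.1.10 1812 client-ip 192.168.1.1 vr VR-Default
configure radius netlogin primary shared-secret
enable radius netlogin

# Confirm which access paths are using RADIUS before you close your session.
show radius
```

Whatever the scope, keep the session you configured it from open and test a fresh login from a second session first; if the second login fails you still have a session that can back the change out.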


Orphaned RIP Route — May 10, 2017


After making some changes to the way our network was setup I ran into a problem with RIP.

We started out with a VLAN spanning a pair of switches, using a tagged uplink port to connect them and carry the VLAN across both. This worked fine, but with the new design favouring routing I thought we would take the opportunity to change the configuration.

As the edge switch was being replaced, it was easy enough to rebuild the new switch and configure it for RIP. On the core switch, though, it meant deleting the VLAN that would no longer be needed, and this is what stopped me in my tracks.


Broken ARP — April 26, 2017


Not a fun morning. We spent an hour or two trying to figure out why our GUEST network was unable to route any packets to the Internet.

For many, a GUEST network may be trivial, but we also use GUEST for unauthenticated devices to access our Virtual Desktop System, primarily re-purposed laptops and desktops that no longer need a full domain-joined Windows PC and just run the VMware Horizon Client. So we had a large number of users unable to connect to the back-office systems.

The strange thing was that all other traffic from the trusted networks worked as expected.


Sophos UTM HA


We encountered a few problems with licensing when we looked at moving from the UTM525s to the UTM430s, so we had to delay the project until yesterday. On the one hand it gave us plenty of time to plan for eventualities like Martians and to be confident that the configuration restore worked when tested.

The one thing we didn't expect was a problem getting the two UTM430s to configure themselves for High Availability (HA).


HTTPS on the Synology NAS — April 25, 2017


I love this Synology NAS. It’s so versatile and immensely capable. I use it for streaming my TV, movies and music. It also acts as my Couchpotato, Sonarr and NZBGet system. I think I’ll definitely get another when the time comes.

But enough glorification.

Using the free certificate service from Let's Encrypt you can obtain a TLS/SSL certificate to use on any of your encrypted services, with the one caveat that each certificate is valid for 90 days, so it has to be renewed (ideally automatically) at least that often.


Sophos UTM Up2date CLI — April 4, 2017


After buying some UTM430s to replace the UTM525s, the new 430s arrived with ancient firmware. As I haven't got them plugged into the network right now, I want to get them up to the same firmware as the current 525s.

In our case the shipped firmware was 9.311 and the current 525s were on 9.411. There are quite a few updates between those releases!


Preventing Martians


While changing firewalls and routers around we hit the Juniper detecting what it took to be malicious MAC address changes: an IP address answering from a MAC address that no longer matched the one it had last seen for that IP. That is understandable, as we were giving the same IP addresses to new hardware.

This IP/MAC mismatch triggers Martian alerts, and the IP addresses of the new devices become unroutable. To prevent it, clear the ARP cache on the devices that still hold the old binding as the replacement hardware goes live.

Juniper (ScreenOS)

-> clear arp [192.168.0.254]

or

-> clear arp all

Extreme Switches (XOS)

# clear iparp [192.168.0.254]

or

# clear iparp vlan [TRUST]

Martian addresses, in the routing sense, are host or network addresses about which all routing information is ignored: routes to them received by a routing device are dropped. They are commonly sent by improperly configured systems on the network and carry destination addresses that are obviously invalid. In our case it was the stale IP-to-MAC binding, not a bogus prefix, that caused the traffic to be treated this way, which is why clearing the ARP cache is the fix.
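The condition the firewall is alerting on, a known IP address suddenly answering from a different MAC address, is also worth detecting yourself, since outside a planned hardware swap it is what ARP spoofing looks like. The following is an added example, not from the post: it compares two ARP-table snapshots (one "IP MAC" pair per line, constructed here for the demonstration) and reports the bindings that changed, minus the addresses you deliberately moved.

```shell
#!/bin/sh
# Added example (not the post's own commands). Snapshot files hold one
# "IP MAC" pair per line, e.g. the output of an ARP table dump trimmed to
# those two columns. All data below is constructed for the demonstration.

# changed_bindings OLD NEW: print "IP OLDMAC NEWMAC" for every IP whose MAC
# differs between the two snapshots. MACs are compared case-insensitively.
# IPs present in only one file are not reported: a new or retired host is
# not a mismatch.
changed_bindings() {
    awk 'NR == FNR { old[$1] = tolower($2); next }
         ($1 in old) && old[$1] != tolower($2) { print $1, old[$1], tolower($2) }' "$1" "$2"
}

# unexpected_changes OLD NEW ALLOW: as above, but drop the IPs listed in ALLOW
# (one per line), i.e. the addresses you have knowingly given to new hardware.
# Whatever is left is a binding change nobody planned.
unexpected_changes() {
    changed_bindings "$1" "$2" \
        | awk -v allow="$3" 'BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
                             !($1 in ok)'
}

# Stand-alone demonstration: 192.168.0.254 is the firewall being replaced
# (planned), 192.168.0.20 is a workstation whose MAC should not have changed.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '192.168.0.254 00:11:22:33:44:55' \
                  '192.168.0.20 aa:bb:cc:dd:ee:01' \
                  '192.168.0.30 aa:bb:cc:dd:ee:02' > "$dir/before"
    printf '%s\n' '192.168.0.254 00:11:22:33:44:99' \
                  '192.168.0.20 aa:bb:cc:dd:ee:77' \
                  '192.168.0.30 AA:BB:CC:DD:EE:02' > "$dir/after"
    printf '%s\n' '192.168.0.254' > "$dir/planned"
    unexpected_changes "$dir/before" "$dir/after" "$dir/planned"
    rm -rf "$dir"
}
demo
```

Taking a "before" snapshot from the core switch and the firewall ahead of a swap, and listing the addresses being moved in the allow file, turns the same alert the Juniper raised into a check you can run on your own terms.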

Extreme Networks – Routing (RIP) — March 22, 2017


Rather than tagging uplink ports with a load of VLANs and spanning those VLANs out to every switch that needs them, create a separate VLAN and IP scope at each switch (stack) location, and use a single VLAN subnet (192.168.254.0/24) for routing between the locations. On the core switch:

# create vlan Routing
# configure vlan Routing tag 1000
# configure vlan Routing ipaddress 192.168.254.254/24
# configure vlan Routing add port 1:46 tagged
# enable ipforwarding vlan Routing

Add RIP to the Routing VLAN, with export of directly connected subnets, so that when you create VLANs on the switch they are advertised into the other switches' routing tables automatically. Only the Routing VLAN needs to run RIP; the user VLANs are picked up by the direct export.

# enable rip
# enable rip export direct cost 1
# configure rip add vlan Routing
# configure rip vlan Routing rxmode v2only
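The post shows the core side only. The fragment below is an added illustration, not configuration from the post, of the matching edge switch: its own user VLAN plus the shared Routing VLAN, with RIP on the Routing VLAN alone. The VLAN name, tag, addresses and port numbers are made up, and the syntax is as I know it from EXOS, so check it against the command reference for your release.

```text
# Edge switch: shared Routing VLAN, same /24 as the core, uplink tagged.
create vlan Routing
configure vlan Routing tag 1000
configure vlan Routing ipaddress 192.168.254.2/24
configure vlan Routing add port 1:48 tagged
enable ipforwarding vlan Routing

# Local user VLAN for this location; it is NOT added to RIP, the direct
# export below advertises it.
create vlan Office
configure vlan Office tag 20
configure vlan Office ipaddress 192.168.20.254/24
configure vlan Office add port 1:1-44 untagged
enable ipforwarding vlan Office

enable rip
enable rip export direct cost 1
configure rip add vlan Routing
configure rip vlan Routing rxmode v2only
configure rip vlan Routing txmode v2only

# Check: the core should now list 192.168.20.0/24 learned via RIP, and the
# edge should list the core's local subnets.
show iproute
show rip
```

One caveat for the design: RIP on the Routing VLAN accepts route advertisements from anything that can reach that VLAN, so keep it confined to the tagged switch uplinks (no access ports, no user devices), and use the RIPv2 authentication your release supports rather than running it open.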
