Ubiquity EdgeRouter Lite on “Telfort” glass fiber VLAN config and configure VLAN masquerading rules

So, here is my EdgeRouter config, edited a little for security reasons.

I hope this may help you.

Cheers!

 

Short description:

I use glass fiber from my ISP “Telfort” which uses VLAN 34 on eth1.34 (eth1 vif 34, using dhcp from the ISP, even though they always give me the same IP).
This is how my ISP works, so I have to live with that and set it up this way.

This means I do not use eth1 itself, which has been set to nothing, but is not disabled.

I do not use IPv6.

I am not using interface eth2.

I have my home lan on eth0 and my dirty wifi for IoT and guests on eth0.111 (VLAN111)

To add the nat masquerading rules for a new interface, e.g. eth0.111, log in as admin on the CLI and type:

configure

and then add something like (rule 5010, may be 5011, or something, at least not a rule number that you have already in use.)

set service nat rule 5010 description "VLAN NAT for 192.168.111.0/24"
set service nat rule 5010 outbound-interface eth1.34
set service nat rule 5010 type source
set service nat rule 5010 protocol all
set service nat rule 5010 source address 192.168.111.0/24
set service nat rule 5010 type masquerade

Anyway, here is my config. you may want to  change YOUR-ISP-GATEWAY to the ip-address of the next hop, usually known as gateway, of your ISP.

firewall {
 all-ping enable
 broadcast-ping disable
 conntrack-expect-table-size 4096
 conntrack-hash-size 4096
 conntrack-table-size 32768
 conntrack-tcp-loose enable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name WAN_IN {
 default-action drop
 description "WAN to internal"
 rule 10 {
 action accept
 description "Allow established/related"
 state {
 established enable
 related enable
 }
 }
 rule 20 {
 action drop
 description "Drop invalid state"
 state {
 invalid enable
 }
 }
 }
 name WAN_LOCAL {
 default-action drop
 description "WAN to router"
 rule 10 {
 action accept
 description "Allow established/related"
 state {
 established enable
 related enable
 }
 }
 rule 20 {
 action drop
 description "Drop invalid state"
 state {
 invalid enable
 }
 }
}
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
}
interfaces {
 ethernet eth0 {
 address 192.168.100.254/24
 duplex auto
 speed auto
 vif 111 {
 address 192.168.111.254/24
 description "DIRTY WIFI"
 mtu 1500
 }
 }
 ethernet eth1 {
 description "eth1 - not in use"
 duplex auto
 mtu 1512
 speed auto
 vif 34 {
 address dhcp
 description "eth1.34 - telfort"
 firewall {
 in {
 name WAN_IN
 }
 local {
 name WAN_LOCAL
 }
 }
 mtu 1508
 }
 }
 ethernet eth2 {
 disable
 duplex auto
 speed auto
 }
 loopback lo {
 }
}
protocols {
 static {
 route 0.0.0.0/0 {
 next-hop YOUR-ISP-GATEWAY {
 }
 }
 }
}
service {
 dhcp-server {
 disabled false
 shared-network-name LAN {
 authoritative disable
 subnet 192.168.100.0/24 {
 default-router 192.168.100.254
 dns-server 8.8.8.8
 dns-server 8.8.4.4
 domain-name home.lan
 lease 86400
 start 192.168.100.150 {
 stop 192.168.100.250
 }
 }
 }
 shared-network-name VLAN111 {
 authoritative disable
 subnet 192.168.111.0/24 {
 default-router 192.168.111.254
 dns-server 8.8.8.8
 dns-server 8.8.4.4
 domain-name guest.wifi
 lease 86400
 start 192.168.111.150 {
 stop 192.168.111.250
 }
 }
 }
 }
 gui {
 https-port 443
 }
 nat {
 rule 5009 {
 description "Telfort Internet masq LAN"
 log enable
 outbound-interface eth1.34
 protocol all
 source {
 address 192.168.100.0/24
 }
 type masquerade
 }
 rule 5010 {
 description "Telfort Internet masq DIRTY"
 log enable
 outbound-interface eth1.34
 protocol all
 source {
 address 192.168.111.0/24
 }
 type masquerade
 }
 }
 ssh {
 port 22
 protocol-version v2
 }
 upnp {
 listen-on eth0 {
 outbound-interface eth1.34
 }
 }
}
system {
 domain-name home.lan
 host-name gateway
 ipv6 {
 disable
 }
 login {
 user admin {
 authentication {
 encrypted-password ****************
 plaintext-password ****************
 }
 full-name Leonard
 level admin
 }
 }
 name-server 208.67.222.222
 name-server 8.8.8.8
 name-server 8.8.4.4
 ntp {
 server nl.pool.ntp.org {
 }
 }
 options {
 reboot-on-panic true
 }
 syslog {
 global {
 facility all {
 level notice
 }
 facility protocols {
 level debug
 }
 }
 }
 time-zone Europe/Amsterdam
}
Posted in cli, Configuration, EdgeRouter, VLAN, wifi | Comments Off on Ubiquity EdgeRouter Lite on “Telfort” glass fiber VLAN config and configure VLAN masquerading rules

Use a Sonicwall directly on Telfort glass fiber VLAN using a virtual interface.

With the glass fiber in my home I got a louzy ethernet router from my isp Telfort.

Ofcourse I understand they want to keep things affordable for everyone so they hand out these routers free (free as in you lease them) with the connection that you order.

The -feeling- I have is that this thing is slow and/or lags. I haven’t exactly measured it, so it will stay a feeling.

Today I connected an older Sonicwall that I had laying around to play with to my home connection, and in my humble opinion it is a slightly better performing option for my home internet (100 Mbps).

In order to do this with this specific ISP, you have to create a Virtual interface on your main WAN interface, in my case X1.
Connect the ethernet cable that comes out of your fiber box to that X1 interface as well.

Now create a virtual interface (in Networking you can find this option) and apply the following settings:

Zone WAN
VLAN tag is 34 (-> ISP specific)
Parent interface X1
IP Assignment DHCP
Host name <empty>
Comment  <Up to you>
Management and user login <is up to you>

This should get you going with a Sonicwall on your home.lan with Telfort fiber (in the Netherlands).

Perhaps this could help you too configure a Sonicwall with externally incoming VLANS (as internet connection?). Maybe you don’t use DHCP, but set it static, anyhows…

Hope this helps you,

cheers.

 

 

Posted in News | Comments Off on Use a Sonicwall directly on Telfort glass fiber VLAN using a virtual interface.

mstsc credSSP error and client reg fix

CredSSP and mstsc authentication gives some error sometimes, after installing some needed updates, but e.g. youir server is not yet up to date.

You can set back a reg entry… this one:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

On the client, save it to a file with .reg extension, as tekst, and double click add to registry, you may need some rights for this.

You can now use mstsc again to your unpatched server, for a while.

Hope this helps.

Posted in credssp, fix, mstsc, News, registry | Comments Off on mstsc credSSP error and client reg fix

Exchange 2010 removing active sync devices, as removing devices hangs for the user in OWA.

Hiyall,

Today at an old server for a customer, a user wanted to finally add one last active sync device, but he already had some listed. Time to remove some, he thought, as he can do this through ye olde owa page. But that process seemed to hang.

Hence the question came to me.

We all love powershell, so we first get a list of the devices this user uses, with this command:

Get-ActiveSyncDevice -Mailbox USER |select Identity, DeviceOS, DeviceType, DeviceModel, Name

Where USER is the alias for the mailbox.

You can then use the cmd Remove-ActiveSyncDevice to remove the device on -Identity, such as:

Remove-ActiveSyncDevice -Identity "domain/org/users/Username and Lastname/ExchangeActiveSyncDevices/phone§%some%number%" -Confirm:$false

Repeated this for all his excess devices, problem solved.

Note that “-Confirm:$false” is not the same as “-Confirm $true”. It can be a little confusing as times. Note the “:”

Hope this may help you,
Cheers!

Posted in Exchange 2010 | Tagged , | Comments Off on Exchange 2010 removing active sync devices, as removing devices hangs for the user in OWA.

Local Exchange Management [power]Shell target info

This is the ‘target’ of a locally installed MS Exchange Management [power]Shell.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'D:\Exchange\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto -ClientApplication:ManagementShell "

(witih exchange installed on D-drive locally)

Just FYI, I needed this today.

cheers.

Posted in News | Comments Off on Local Exchange Management [power]Shell target info

Convert wav to wav from 8bit to 16bit with ffmpeg cmdline for 3cx from NEC SV8100

Today I had to convert audio messages from a NEC pbx to the format a 3cx pbx uses.
These are the digital audio intro messages etc. that you get when you call e.g. the main telephone number of a company.

They were in the wrong format, and in such state, 3cx does not eat it.
From the NEC we got 8 bit 1 channel (mono) PCM files.
3CX accepts only 16 bit one channel (mono) PCM. Sample rate on both is 8k.

Don’t we love ffmpeg. Fixed!
I have an virus-unchecked exe for windows here if you like, just remove extension .file after download 🙂

Next cmd will fix this: welkcome123.wav was the audio file retrieved from the NEC SV8100.

ffmpeg -i welcome123.wav -acodec pcm_s16le -ac 1 -ar 8000 welcome123-16b.wav

See, it made the file approx twice the size 🙂
Not strange when you make 8 bits into 16 bits….

Input #0, wav, from 'welcome123.wav':
 Duration: 00:00:12.29, bitrate: 64 kb/s
 Stream #0:0: Audio: pcm_alaw ([6][0][0][0] / 0x0006), 8000 Hz, mono, s16, 64 kb/s
Output #0, wav, to 'welcome123-16b.wav':
 Metadata:
 ISFT : Lavf57.51.100
 Stream #0:0: Audio: pcm_s16le ([1][0][0][0] / 0x0001), 8000 Hz, mono, s16, 128 kb/s
 Metadata:
 encoder : Lavc57.58.100 pcm_s16le
Stream mapping:
 Stream #0:0 -> #0:0 (pcm_alaw (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
size= 192kB time=00:00:12.28 bitrate= 128.1kbits/s speed=7.52e+003x
video:0kB audio:192kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.039681%

NEC manual here if you like to see how that works.

I hope it may help you as well. Maybe not. who knows.
Have fun!

 

Posted in 16bit pcm, 3cx, 8bit pcm, ffmpeg | Tagged | Comments Off on Convert wav to wav from 8bit to 16bit with ffmpeg cmdline for 3cx from NEC SV8100

Turning on Windows Defender after manual deinstallation of Trend Micro

After a manual deinstallation of Trend Micro Worry Free Business Security 9.0,
Windows Defender did not automatically see that it could turn on its antivirus component.

Done as prescribed here: https://success.trendmicro.com/solution/1056867-manually-uninstalling-the-security-agent-sa-in-worry-free-business-security-wfbs#collapseOne

It took me a while to find this solution, so here is a repost.

Found at https://answers.microsoft.com/en-us/windows/forum/windows8_1-winapps/error-577-when-i-attempt-to-turn-on-windows/4bf7ef42-7a50-4fe3-88ce-9f13cc2ab0f5

  1. Press Win key + R. This will open Run.
  2. Type “regedit” and hit enter.
  3. Navigate to these keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
  4. Change value of ‘DisableAntiSpyware’ and ‘DisableAntiVirus’ from ‘0’ to ‘1’.
  5. After changing the values go to ‘C:\Program Files\Windows Defender’ and open ‘MSASCui.exe’ file.

If the gui is already open, close it first and then relaunch using MSASCui.exe.

Hope this helps you!

Posted in Defender, Trend Micro, Windows | Comments Off on Turning on Windows Defender after manual deinstallation of Trend Micro

HP Accesspoints and blinking LEDS

Here’s a list of blinking leds on HP MSM accesspoints and HP 425 accesspoint.

I was tired of looking it up all the time, and since these are end-of-life I may well copy that information from HP to my site for my own purposes, and perhaps for yours too.

MSM Access Points

Controlled mode

Power light blinks every two seconds.
The AP is starting up.

Power light blinks once per second.
The AP is looking for an IP address, or building the list of VLANs on which to perform discovery. The management tool is available until discovery occurs.

Power, Ethernet, and Radio lights blink in sequence from left to right.
The AP has obtained an IP address and is attempting to discover a controller.

Power light is on. Ethernet and Radio lights blink alternately.
The AP has found a controller and is attempting to establish a secure management tunnel with it.

Power and Ethernet lights blink alternately and quickly. Radio lights are off.
The AP has received a discovery reply from two or more controllers with the same priority setting. It is unable to connect with either controller until the conflict is resolved.

Power and Radio lights blink slowly.
The AP is attempting to establish a local mesh link to a master node.

Power and Ethernet lights blink slowly.
The AP is attempting to establish wired connectivity.

All three blinking together rapidly
The AP is in TFTP mode. This is a disaster recovery mode, and not used in normal operation. To put AP back to normal mode restore it to factory default settings. If this does not restore normal operation, contact Technical Support.


Autonomous mode

Power Off
The AP has no power.

Power Blinking
The AP is starting up. If the Power light continues to blink after several minutes, it indicates that the software failed to load. Reset or power cycle the AP. If this condition persists, contact HP support.

Power On
The AP is fully operational.

Ethernet Off
The port is not connected or there is no activity.

Ethernet Blinking
The port is transmitting or receiving data.

Radio Blinking
The radio is transmitting or receiving data.

All three
Blinking together rapidly
The AP is in TFTP mode. This is a disaster recovery mode, and not used in normal operation. 
To put AP back to normal mode restore it to factory default settings. 
If this does not restore normal operation, contact Technical Support.
HP 425

Green Flashing
1 flash/sec. The AP is booting.

Fading in/out At least one client is connected to the 2.4 GHz radio.

Blue Flashing 2 flashes/sec.
The AP is updating its system software image.

Blue Flashing 2 sec. on / 2 sec. off
The AP is booted and is registered to the controller. There is no client connected.

Blue Fading in/out At least one client is connected to the 5 GHz radio.

Orange On for more than 20 sec. 
An initialization exception has occurred.

Orange Flashing 1 flash/sec. 
There is a problem with the radio module.

Orange Flashing 2 flashes/sec.
Both radios are disabled or the Ethernet port is disabled while no local mesh peer exists.

Green/Blue Alternately fading green and blue
Clients are connected to both the 2.4 GHz and 5 GHz radios.

 

Hope this helps you.

Posted in Access Point, hp, led, wifi | Comments Off on HP Accesspoints and blinking LEDS

Retrieve MS-SQL version info without MS SQL Studio

After digging around for a customer to update their ms-sql server for an application, I had to find out the version they were using first.

Not having the Visual studio tools installed, there’s a cmdline tool that can do this.

As an authorative user, such as Administrator, in this case, I had to go to

C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn>

(you can already see the ‘100’ that says something about the version, it can be something else, like 80, 90, etc)

Then type

SQLCMD -S server\instance

Where server is your server and instance the instance you want to connect to

You can also do

SQLCMD -L

to see a list.

Then, at >1 you can type a command, at >2 type ‘go’ to execute it.

Such as:

1> select @@version
2> go

That gives something like this:

Microsoft SQL Server 2008 R2 (SP1) – 10.50.2500.0 (Intel X86)
Jun 17 2011 00:57:23
Copyright (c) Microsoft Corporation
Express Edition on Windows NT 6.2 <X64> (Build 9200: ) (WOW64) (Hypervisor)

Or type:

1> select serverproperty('EditionID')
2> go
  • -1253826760 = Desktop
  • -1592396055 = Express
  • -1534726760 = Standard
  • 1333529388 = Workgroup
  • 1804890536 = Enterprise
  • -323382091 = Personal
  • -2117995310 = Developer
  • 610778273 = Enterprise Evaluation
  • 1044790755 = Windows Embedded SQL
  • 4161255391 = Express with Advanced Services

Or type:

1> select serverproperty('Edition')
2> go

Which in my case said “Express Edition”

Hope this helps you!

Have fun!

 

Posted in Microsoft, MS SQL | Comments Off on Retrieve MS-SQL version info without MS SQL Studio

Exchange, Disable spam filter for a receive connector

You may want to disable the spam filter for e.g. a connector that sends your invoices.

Get-ReceiveConnector "SERVER\ReceiveConnector" | Add-ADPermission 
-User "NT Authority\Anonymous Logon" 
-AccessRights ExtendedRight -ExtendedRights ms-exch-ypass-anti-spam

Hope this helps you!

 

Posted in E-mail, Exchange 2016, smtp | Comments Off on Exchange, Disable spam filter for a receive connector