Author: j2sw

Mac GeekLet for Network Info

Post author By j2sw
Post date February 4, 2016

As a network person running a Mac I find it hand to know what IP my various connections have, in addition to some other info. In order to do this, I use a program called Geektool . Once you have GeekTool up and going you can add the following code into a new Geeklet.

!/bin/bash varSSID1=`system_profiler SPAirPortDataType | grep -A 2 -e "Current Network Information:" | tr '\n' ' ' | tr ':' ' ' | awk '{print $4}'` varCHAN1=`system_profiler SPAirPortDataType | grep -e "Channel: " | awk '{print $2}'` varEXTERNAL1=`curl --connect-timeout 5 -s http://checkip.dyndns.org/ | grep "Current IP Address" | awk '{print $6}' | cut -f 1 -d "<"` varEXTERNALv6=`curl --connect-timeout 5 -s http://checkipv6.dyndns.org/ | grep "Current IP Address" | awk '{print $6}' | cut -f 1 -d "<"` varWIRED1=`ifconfig en0 | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}'` varWIREDv6=`ifconfig en0 | grep "inet6 " | grep -v 127.0.0.1 | awk '{print $2}'` varWIRELESS1=`ifconfig en1 | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}'` varWIRELESSv6=`ifconfig en1 | grep "inet6 " | grep -v 127.0.0.1 | awk '{print $2}'` varSSL1=`ifconfig jnc0 | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}'`

if [ “$varEXTERNAL1” != “” ]
then
echo “External : $varEXTERNAL1”
else
echo “External : INACTIVE”
fi

if [ “$varEXTERNALv6” != “” ]
then
echo “External : $varEXTERNALv6”
else
echo “External : INACTIVE”
fi

if [ “$varWIRED1” != “” ]
then
echo “Wired : $varWIRED1”
else
echo “Wired : INACTIVE”
fi

if [ “$varWIREDv6” != “” ]
then
echo “WiredV6 : $varWIREDv6”
else
echo “WiredV6 : INACTIVE”
fi

if [ “$varWIRELESS1” != “” ]
then
echo “AirPort : $varWIRELESS1 SSID: $varSSID1”
else
echo “Airport : INACTIVE”
fi

if [ “$varWIRELESSv6” != “” ]
then
echo “AirPortV6 : $varWIRELESSv6”
else
echo “AirportV6 : INACTIVE”
fi

As you can see in the above screenshot it displays IP addresses (both IPv4 IPv6),external IP, and the Wireless SSID.

Tags geektool, ipv4, ipv6, mac, script, tools

Mikrotik

Lots of changes in RouterOS 6.34

Post author By j2sw
Post date January 29, 2016

Lots of changes in RouterOS 6.34
Some Standouts that will be of benefit to alot of folks I know
*) mipsle – architecture support dropped (last fully supported version 6.32.x);
*) btest – significantly increased TCP bandwidth test performance;
*) ssh – fixed possible kernel crash;
*) crs212 – fix 1Gbps ether1 linking problem;
*) tile – make sure that SFP rj45 modules that use forced 1G FD settings work correctly after system reboot;

What’s new in 6.34 (2016-Jan-29 10:25):

*) mipsle – architecture support dropped (last fully supported version 6.32.x);
*) dude – The reports of my death have been greatly exaggerated;
*) dude – dude RouterOS package added for tile and x86 (CHR) architecture;
*) dude – package included by default to all CHR images;
*) dude – initial work on dude integration into RouterOS;
*) bgp vpls – fixed initialization after reboot;
*) mpls – forwarding of VRF over TE tunnel stopped working after BGP peer reset;
*) ipsec – improved TCP performance on CCRs;
*) btest – significantly increased TCP bandwidth test performance;
*) winbox – fixed possible busy-loop on v2.x with latest 6.34RC versions;
*) cerm – allow to sign certificates from imported CAs created with RouterOS;
*) ldp – fix MPLS PDU max length;
*) net – improve 64bit interface stats support;
*) routerboard – print factory-firmware version in routerboard menu;
*) snmp – add oid from ucd mib for total cpu load OID 1.3.6.1.4.1.2021.11.52.0;
*) winbox – add extra items automatically to multi-line fields if at least one of them is required;
*) winbox – implemented full ipv6 dhcp client;
*) winbox – update blocked flag if user changed blocked field in dhcp server lease;
*) mac-telnet – fixed backspace when typing login username;
*) sstp – allow ECDHE when pfs enabled;
*) lte – fixed info command for Cinterion EHS5-E modem;
*) fast-path – fixed kernel crash on on/off;
*) licensing – fixed that some old 7 symbol keys could not be upgraded;
*) ssh – fixed possible kernel crash;
*) console – fixed crash on creating variable with “?” in it;
*) chr – fix SSH key import on AWS;
*) crs212 – fix 1Gbps ether1 linking problem;
*) timezone – use backward timezone aliases;
*) lte – support serial port for DellWireless 5570;
*) lte – improved dhcp handling on interfaces that doesn’t support it;
*) ipsec – allow my-id address specification in main mode;
*) dhcpv6 client – fix remove when client reappears on restart;
*) default config – fix hAP lite with one wireless;
*) firewall – added inversion support for “limit” option;
*) firewall – added bit rate matching for “limit” option;
*) firewall – improved performance for “limit” option;
*) dhcpv6-client – fix ia lifetime check;
*) ipsec – prioritize proposals;
*) ipsec – support multiple DH groups for phase 1;
*) netinstall – fix apply default config;
*) tile – make sure that SFP rj45 modules that use forced 1G FD settings work correctly after system reboot;
*) wireless – added WPS buttons support on hAP and hAP ac lite;
*) upnp – added comment for dynamic dst-nat rules to inform what host/program required it;
*) webfig – recognize properly CHR;
*) chr – license fix for AWS and similar solutions;
*) arm – fix usb modem modules on ARM;
*) dhcpv6-client – fixed stopped state;
*) netinstall – sort packages by name;
*) firewall – do not allow to add new rule before built-in (reverted);
*) winbox – include FP in fast-path column names;
*) ipsec – fix phase2 hmac-sha-256-128 truncation len from 96 to 128
This will break compatibility with all previous versions and any other
currently compatible software using sha256 hmac for phase2;
*) ssh, ftp – make read, write user group policy aware;
*) tunnel – fix keep-alive (introduced in 6.34rc);
*) cerm – show last crl update time;
*) quicket – support CAP mode on all existing wireless packages;
*) wlan – add united states3 country;
*) fast-path – fix locking issue which could lead to reboot loop (introduced in 6.34rc20);
*) userman4 – try loading signup files from db path first;
*) sstp – allow to limit tls version to v1.2 only;
*) chr – make tool profile work on 64bit x86;
*) dhcpv6-server – added binding server=all option;
*) hotspot – added html-directory-override & recognize default hotspot user;
*) hotspot – fixed export of default trial user;
*) hotspot – fixed memory leak on https requests;
*) winbox – allow to specify amsdu-limit & amsdu-threshold on 11n wifi cards;
*) winbox – added multicast-buffering & keepalive-frames settings to wireless interfaces;
*) CHR – implemented trial support for different CHR speed tiers;
*) dhcpv6-client – fix add route/address;
*) usb – enable ch341 serial module;
*) lte – make sure that both LTE miniPCI-e cards are recognized;
*) winbox – show Common-Name of certificates in certificate list;
*) winbox – added units to PCQ queue fields;
*) net – do not break connection when interface is added to bridge;
*) hotspot – show cookie add/remove events in hotspot,debug log;
*) hotspot – allow static entries with the same mac on multiple hotspot servers;
*) hotspot – do not remove mac-cookie in case of radius timeout;
*) hotspot – added byte limits option for default-trial users;
*) ipsec – make sure that dynamic policy always has dynamic flag;
*) CAPsMAN – use CAP name in log when remote-cap is deleted (wireless-cm2);
*) hotspot – fixed login by mac-cookie when roaming among hotspot servers;
*) hotspot – add html-directory-override for read-only directory on usb flash;
*) hotspot – add uptime, byte and packet counter variables to logout script;
*) net – fix statistics counters jumping up to 4G;
*) firewall – SIP helper update for newer Cisco phones;
*) usermanager – fixed usermanager web page crash;
*) ipsec – fixed active SAs flushing;
*) hotspot – added option to login user manually from cli;
*) hotspot – fixed trial-uptime parsing from CLI to Winbox/Webfig;
*) lte – added support for multiple E3372 on the same device;
*) modem – added wpd-600n ppp support;
*) console – fixed incorrect disabled firewall rule matching to “invalid flag”;
*) dns – fix for situation when dynamic dns servers could disappear;
*) sfp – fix 10g ports in 1g mode (introduced in 6.34rc1);
*) CCR1072 – added support for S-RJ01 SFP modules;
*) trafficgen – fixed issue that traffic-generator could not be started twice without reboot;
*) dhcpv6-server – replace delay option with preference option.

—

*) winbox – show properly route-distinguisher for bgp vpn4;
*) winbox – show dhcp server name in dhcp leases;
*) ppp – make CoA work correctly with address-lists;
*) winbox – fixed tab names to correspond to console;
*) winbox – show only actual switch-cpu ports in switch setting combobox;
*) winbox/webfig – fixed version column ordering in ip neighbors list;
*) webfig – fixed switch port “default vlan id” has missing “auto” value;
*) webfig – fixed firewall connection-bytes option;
*) ipsec – fixed kernel failure after underlying tunnel has been disabled/enabled;
*) romon – allow to see device identity if it is longer than 31 character;
*) fastpath – show fp counters in /interface monitor aggregate;
*) bridge firewall – fix chain check (broken since 6.33.2);
*) bridge firewall – fixed crash when jump rule points to disabled custom chain;
*) smb – fix crash when changing user which has open session;
*) address-list – properly remove unused address-lists from drop-downs;
*) fetch – fixed closure after 30 seconds;
*) capsman – fix radius accounting stop message;
*) log – reopen log file if deleted;
*) packing – fix tcp/udp checksums when simple packing is used;
*) tile – fix ipsec freeze after SA updates;
*) upnp – fixed missing in-interface option for dynamic dst-nat rules;
*) tunnel – fix complaining about loop after ~248 days;
*) vrrp – make sure that VRRP gets state on bootup;
*) ppp – fixed rare kernel crash (introduced in v6.33);
*) ppp – do not allow empty name ppp secrets;
*) ssh – fix active user accounting.

Tags 6.34, mikrotik, routeros

Mikrotik

Mikrotik mipsle support ending

Post author By j2sw
Post date January 29, 2016
1 Comment on Mikrotik mipsle support ending

The last version of Mikrotik RouterOS that supports mipsle architecture is 6.32.x. As of this writing that appears to be 6.32.2

Tags 6.32, mikrotik, mipsle, routeros

Mikrotik Networking UBNT WISP xISP

MTIN introduces Mnet service for Mikrotik and Ubiquiti routers

Post author By j2sw
Post date January 26, 2016

MTIN is excited to announce our newest support offering, Mnet. Mnet allows customers using Milkrotik and Ubiquiti routers an option of a tiered support level on a per device basis. This allows customers a guaranteed support level at a fixed price. This is an enterprise level support option for critical infrastructure.

The way Mnet works is a customer purchases one of our tiered plans below. They register the serial number with us and we simply provide the paid level of support on that device. This support includes technical support on that device as well as the services included with the purchased Tier.

Tier I (Overwatch) $199 per year (only $16 per month)
This tier is designed for the user who needs the occasional support but wants to make sure things like backups and software are being looked after.

Basic Remote monitoring & notification of device
Software notification of upgrades and personalized recommendations on needed action.
Monthly configurations backup to online secured storage
Next business day support of issues.
Hardware replacement option available
Initial configuration review

Tier II (Operator) $399 per year (only $34 per month)
This tier is for the user who needs that extra bit of help when it comes to configuration and wants an extra set of eyes.
Tier II includes all of the Tier I services and adds

Weekly configuration backup via e-mail and online secured storage
Enhanced monitoring & notification of devices
Same business day support (6 hour maximum lead time)
Weekend and holiday support (6 hour maximum lead time)
Discount on consulting services

Tier III (Spec Ops) $599 per year (only $50 per month)
This tier is for absolute mission critical devices.
Tier III includes all of the previous tiers and adds

Same day business support (2 hour maximum lead time)
Weekend and holiday support (3 hour maximum lead time)
Weekly backups of configuration via e-mail and online secured storage
Quarterly review and recommendations on configuration

FAQ:

Do I have to get this on every device?
No, we recommend this on your critical routers or routers doing advanced services such as BGP or core routing functions.

Does this replace your normal consulting services?
No. This is an add-on to our consulting services. We find we have customers who need help with certain aspects of their network and this fills that gap.

Can I get quantity discounts?
Yes, contact us for a quote

I want to upgrade my router. How will this affect mNET?
We would simply transfer your support contract from the old device to the new one. Upgrade support is included.

What configuration support is included?
Technical support including configuration and troubleshooting is included on supported devices. Other devices can be included at our normal hourly consulting rate.

Do you make changes?
All changes are explained and signed off by customer before being implemented. Changes are done during an agreed upon maintenance window with a change management process.

How do I obtain support?
Customer is provided a login to the MTIN portal. Online tickets are the best method for opening a case. Telephone support is also included, but tickets are normally quicker.

How does the lead time work?
MTIN strives to meet customer expectations. Lead times are the maximum amount of time it will take. Some days this time may be measured in minutes, other times it may be longer.

Do you cover other devices?
Yes, we have plans for AirFiber, Mimosa, and other platforms.

Can I upgrade to a higher Tier?
yes, However it will take 3 business days for upgrades to process. During this time your Tier level will remain the same.

How is payment handled?
Payment is due at device registration.

Can I pay monthly?
No. If you need occasional support please see about hourly consultation services.

If you would like more information please fill out the form below.

Tags 24/7, enterprise, mikrotik, mnet, smartnet, support, UBNT

News

Managed services provided by MTIN

Post author By j2sw
Post date January 26, 2016

Did you know MTIN provides the following services?

-Reverse DNS services for your IP blocks
-Spam and Virus filtering
-Remote monitoring solutions
-App and web hosting
-Managed DIA services

Tags hosting, managed, monitoring, reverse dns, services

hosting News

MTIN introduces domain monitoring service

Post author By j2sw
Post date January 26, 2016

Do you have your own web domain name? If so, you may know how much of a complex procedure it can be to keep on top of expiration, fighting hijack attempts, and make sure your contact information is up-to-date.

MTIN.NET now has the solution for you. For $15 per year we will monitor up to 3 domains for things like:

-Hijack attempts
-Notifications of expiration
-Registration services
-Keeping your information secure
-Optimization and compliance issues

Let MTIN’s seasoned professionals make quick work of getting your domains secured and complaint manner. Contact us today for details on this service.

Tags domains, registration

Cambium

Cambium ePMP 2.6 released

Post author By j2sw
Post date January 7, 2016

Release 2.6 update includes:

RADIUS Authentication of Administrative Users – Allows for the centralization in a RADIUS server of passwords and administrative access to ePMP network elements
RADIUS Configuration of VLAN – Allows for configuration of VLAN settings on subscriber radios from the settings in the subscriber’s RADIUS profile
Support AP Lite License Keys – Allows customers to purchase a license key (Part Number: C050900S200A) that will allow AP Lites to be upgraded to support up to 120 subscriber modules
10 MHz and 5 MHz Channel sizes for enhanced PTP Mode of Operation – This will allow for easier deployment of ePMP Links in crowded spectrum environments
10 MHz Channel Sizes for AP WiFi and SM WiFi – This will allow for a greater degree of compatibility with existing WiFi based solutions
Networking and Operations Feature Enhancements that include Link Layer Discovery Protocol (LLDP) Support, Separate Management IP Address Port Forwarding, Wireless MAC Address Filtering for Network Entry, and Display at AP of distance to each SM
Improved Interference Tolerance at the AP for On-Channel Interferers

Tags 2.6, cambium, firmware

Networking Wireless WISP xISP

Why every ISP should be deploying hAP Lite to customers

Post author By j2sw
Post date December 24, 2015
1 Comment on Why every ISP should be deploying hAP Lite to customers

So Mikrotik has a very cheap hAP Lite coming out. This is a 4 port, 2.4 b/g/n router/access point which retails for $21.95. Baltic networks has pre-orders for $18.95.

Why should you deploy this little gem and how? We have found over the years routers account for more than half of the support issues. In some networks this number is closer to 80-90%. Whether it be a substandard router, one with out of date firmware, or poor placement by the customer.

Deployment of the hAP lite can be approached in one of two ways. Both ways accomplish the same goal for the ISP. That goal is to have a device to test from that closely duplicates what the customer would see. Sure you can run tests from most modern wireless CPE, but it’s not the same as running tests m the customer side of the POE.

Many ISPs are offering a managed router service to their customers. Some charge a nominal monthly fee, while others include it in the service. This is a pretty straightforward thing. The customer DMARC becomes the wireless router. The ISP sets it up, does firmware updates, and generally takes care of it should there be issues. The managed router can be an additional revenue stream in addition to providing a better customer experience. Having a solid router that has been professionally setup by the ISP is a huge benefit to both the provider and the customer. We will get into this a little later.

Second option lends itself better to a product such as the hAP lite. With the relative cheap cost you can install one as a “modem” if the customer chooses their own router option. The actual method of setup can vary depending on your network philosophy. You can simply bridge all the ports together and pass the data through like a switch. The only difference is you add a “management ip” to the bridge interface on your network. This way you can reach it. Another popular method, especially if you are running PPPoE or other radius methods, is to make the “modem” the PPPoE client. This removes some of the burden from the wireless CPE onto something a little more powerful. There are definite design considerations and cons for this setup. We will go into those in a future article. But for now let’s just assume the hAP is just a managed switch you can access.

So what are the benefits of adding one of these cheap devices?
-You can run pings and traceroutes from the device. This is helpful if a customer says they can’t reach a certain web-site.
-Capacity is becoming a larger and larger issue in the connected home. iPads, gaming consoles, tvs, and even appliances are all sharing bandwidth. If you are managing the customer router you can see the number of connected devices and do things like Torch to see what they are doing. If a customer calls and says its slow, being able to tell them that little Billy is downloading 4 megs a second on a device called “Billy’s xbox” can help a customer. It could also lead to an upsell.
-Wireless issues are another huge benefit. If the customer bought their own router and stuck it in the basement and now their internet is slow you have a couple of tricks to troubleshoot without a truck roll. If the hAP is in bridge mode simply enable the wireless, setup an SSID for the customer to test with and away you go. This could uncover issues in the house, issues with their router, or it might even point to a problem on your side.
-Physical issues and ID10T errors can be quickly diagnosed. If you can’t reach your device it’s either off or a cabling issue. If you can reach the hAP and the port has errors it could be cabling or POE.

These are just a few benefits you can gleam from sticking a $20 Mikrotik device on your customer side network. It becomes a troubleshooting tool, which makes it money back if it saves you a single truck roll. The implementation is not as important as having a tool closer to the customer. There several vendoars you can order the hAP lite from. Baltic Networks is close to me so they are my go-to. http://www.balticnetworks.com/mikrotik-hap-lite-tc-2-4ghz-indoor-access-point-tower-case-built-in-1-5dbi-antenna.html .

This isn’t practical for business and Enterprise customers, but you should already be deploying a router which has these features anyway right? 🙂

Tags cpe, customer, dmarc, hap, isp, managed router, mikrotik, troubleshooting

Security

SHA-1 Certificates EOL

Post author By j2sw
Post date December 23, 2015

The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to besince at least 2005 — 9 years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper.

That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.

https://googleonlinesecurity.blogspot.ro/2015/12/an-update-on-sha-1-certificates-in.html

Tags certificate, security, SHA-1

BGP Mikrotik Networking

Quick and dirty DDoS mitigation for Mikrotik

Post author By j2sw
Post date December 23, 2015

Update: This article is not meant to be a permanent solution. It’s a way to stop the tidal wave of traffic you could be getting. Many times it’s important to just get the customers up to some degree while you figure out the best course of action.

Many of the Denial of Service (DDoS) attacks many folks see these days involve attacks coming from APNIC (Asia Pacific) IP addresses. A trend is to open as many connections as possible and overwhelm the number of entries in the connection table. You are limited to 65,535 ports to be open. Ports below 10000 are reserved ports, but anything above that can be used for client type connections.

Now, Imagine you have a botnet with 10,000 computers all bearing their weight on your network. Say you have a web-site someone doesn’t like. If these 10,000 machines all send just 7 legitimate GET requests to your web-server you can bring, even a big router to a grinding halt. Firewalls, due to the extra CPU they are exerting, are even more prone to these types of attacks.

So, how do you begin to mitigate this attack? By the time you are under attack you are in defensive mode. Someone, or alot of someone’s, are at your door trying to huff and puff and blow your house down. You need to slow the tide. One of the first things you can do is start refusing the traffic. A simple torch normally shows many of the attacking IPs, are from APNIC. If this is the case, we enable a firewall rule that says if the IP is not sourced from the below “ARIN” address list go ahead and drop it.

add chain=forward comment="WebServer ACL" dst-address=1.2.3.4 src-address-list=!ARIN action=drop

The above rule says if our attacked host is being contacted by anything not on the “ARIN” list go ahead and drop it.

Make sure to paste this into /ip firewall address-list . These were copied off the ARIN web-site as of this writing. APNIC and other registries all have similar lists. Keep in mind, this won’t stop the traffic from coming to you, but will shield you some in order to have a somewhat functional network while you track down the issues.

Some people will say to blackhole the IP via a BGP blackhole server, but if you have production machines on the attacked host taking them offline for the entire world could be a problem. This way, you are at least limiting who can talk to them.

add address=23.0.0.0/8 list=ARIN
add address=24.0.0.0/8 list=ARIN
add address=45.16.0.0/12 list=ARIN
add address=45.32.0.0/11 list=ARIN
add address=45.72.0.0/13 list=ARIN
add address=50.0.0.0/8 list=ARIN
add address=63.0.0.0/8 list=ARIN
add address=64.0.0.0/8 list=ARIN
add address=65.0.0.0/8 list=ARIN
add address=66.0.0.0/8 list=ARIN
add address=67.0.0.0/8 list=ARIN
add address=68.0.0.0/8 list=ARIN
add address=69.0.0.0/8 list=ARIN
add address=70.0.0.0/8 list=ARIN
add address=71.0.0.0/8 list=ARIN
add address=72.0.0.0/8 list=ARIN
add address=73.0.0.0/8 list=ARIN
add address=74.0.0.0/8 list=ARIN
add address=75.0.0.0/8 list=ARIN
add address=76.0.0.0/8 list=ARIN
add address=96.0.0.0/8 list=ARIN
add address=97.0.0.0/8 list=ARIN
add address=98.0.0.0/8 list=ARIN
add address=99.0.0.0/8 list=ARIN
add address=100.0.0.0/8 list=ARIN
add address=104.0.0.0/8 list=ARIN
add address=107.0.0.0/8 list=ARIN
add address=108.0.0.0/8 list=ARIN
add address=135.0.0.0/8 list=ARIN
add address=136.0.0.0/8 list=ARIN
add address=142.0.0.0/8 list=ARIN
add address=147.0.0.0/8 list=ARIN
add address=162.0.0.0/8 list=ARIN
add address=166.0.0.0/8 list=ARIN
add address=172.0.0.0/8 list=ARIN
add address=173.0.0.0/8 list=ARIN
add address=174.0.0.0/8 list=ARIN
add address=184.0.0.0/8 list=ARIN
add address=192.0.0.0/8 list=ARIN
add address=198.0.0.0/8 list=ARIN
add address=199.0.0.0/8 list=ARIN
add address=204.0.0.0/8 list=ARIN
add address=205.0.0.0/8 list=ARIN
add address=206.0.0.0/8 list=ARIN
add address=207.0.0.0/8 list=ARIN
add address=208.0.0.0/8 list=ARIN
add address=209.0.0.0/8 list=ARIN
add address=216.0.0.0/8 list=ARIN

Tags addresses, ARIN, BGP, ddos, ips, mikrotik