The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,861 other subscribers

Archive for the ‘Network-and-equipment’ Category

« Previous Entries
Next Entries »

Mikrotik CCR devices based on NAND memory will eventually die

Posted by jpluimers on 2021/08/16

If you own a Mikrotik CCR device based on NAND memory, then be prepared that it will die.

I had this on a (now discontinued [WayBack] MikroTik Routers and Wireless – Products: CCR1009-8G-1S-1S+PC, superseded by the less functional [WayBack] MikroTik Routers and Wireless – Products: CCR1009-7G-1C-1S+PC, which is also NAND based).

Many more people had this or very similar problems:

It also happens due to bad capacitors on the (also discontinued) [WayBack] MikroTik Routers and Wireless – Products: RB1200:

There have been quite a few NAND related changes to the firmware over the years that have to do with handling corruption:

If you are really lucky (I was not), then it is a bad power supply: [WayBack] bootloop on CCR1036-12g-4s (almost 5 years old) [SOLVED] – MikroTik.

Sometimes you can partially recover using the Console port or NetInstall, but eventually you will trip another part of the faulty NAND storage and it will die again, until it has spent all its lives.

Unlike a cat, those are usually far less than 9 lives.

If you do need to recover, the links might help you:

–jeroen

Posted in Internet, MikroTik, Power User, routers | Leave a Comment »

It looks like a volunteer has been found to maintain the openvpn chocolatey

Posted by jpluimers on 2021/08/09

The chocolatey package for OpenVPN has not been updated for quite a while. It looks like it has to do with the current dependency to verify the OpenVPN signature.

The current [Wayback] Chocolatey Software | OpenVPN 2.4.7 version is both outdated on the major version number ([Wayback/Archive.is] Release OpenVPN v2.5.3 release · OpenVPN/openvpn) and minor version ([Wayback/Archive.is] Release OpenVPN v2.4.11 release · OpenVPN/openvpn). The version 2.4 Windows installers are now called “Legacy Windows Installers”.

Luckily less than a day after the start of the [Wayback/Archive.is] RFM – openvpn · Issue #1024 · chocolatey-community/chocolatey-package-requests, a volunteer stepped forward.

Hopefully by now the package is being maintained again.

–jeroen

Posted in Network-and-equipment, OpenVPN, Power User, VPN | Leave a Comment »

Factory reset a MikroTik hEX PoE RB960PGS using the reset button

Posted by jpluimers on 2021/08/02

[WayBack] Manual:Reset – MikroTik Wiki:

 unplug the device from power

2) press and hold the button right after applying power

Note: hold the button for 5 seconds (USER LED will start flashing)

3) release the button to clear configuration.

Icon-note.png Note: If you wait until LED stops flashing, and only then release the button – this will instead launch Netinstall mode, to reinstall RouterOS.

Initial configuration

(see also [WayBack] Manual:First time startup – MikroTik Wiki)

  1. Connect your machine to port 1 on the Mikrotik hEX PoE RB960PGS (after the reset, this port will have IPv4 address 192.168.88.2 with netmask 255.255.255.0)
  2. Ensure your local machine to IPv4 address 192.168.88.2 with netmask 255.255.255.0 (otherwise WinBox might not see the router, not even in discovery mode):

  3. Have WinBox auto discover it:

  4. Connect with user admin and no password:

     

  5. Configure your Mikrotik hEX PoE RB960PGS as router or switch

For switch, I prefer a setting like this (the bold portions are different from the default configuration):

/interface bridge
add admin-mac=64:D1:54:13:98:E6 auto-mac=no comment=defconf name=bridgeLocal
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridgeLocal
/ip dns static
add address=192.168.88.1 name=router.lan
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name="RB960PGS <<location-name>>"
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org

–jeroen

Posted in Internet, MikroTik, Power User, routers | Leave a Comment »

Updating a Unifi Controller (either a Cloud Key, or a local installation like a VM)

Posted by jpluimers on 2021/07/27

Note that by now, Unifi Controller is usually named Unifi Network Management Controller (somewhere in between it was called Unify Network Controller).

You can either run a local installation on a Linux box (usually Ubuntu), for instance the CloudKey ESXi Appliance, or from a Cloud Key (if you do, do not get a version 1 Cloud Key; too much SD card and other hardware trouble)

Steps to update both the Unifi Controller Firmware (Cloud Key only) and the Unifi Controller software (both Cloud Key and local installation) are below.

I am assuming that 192.168.71.50 is the IP address of your Cloud Key, and for brevity, I included few screenshots, but opted for URLs.

Devices steps

  1. Logon to your Cloud Key at https://192.168.71.50:8443/manage
  2. Go to the devices page https://192.168.71.50:8443/manage/site/default/devices/1/50/uap
  3. Ensure the filter is “APs” (either through the dropdown when your tab is narrow, or the button when the tab is wide)
  4. Press the “Start rolling update” button.
  5. Confirm the rolling update
  6. Wait for the rolling update to finish

Screenshots for selecting “APs” with narrow and wide tab widths:

 

Read the rest of this entry »

Posted in Cloud Key, Network-and-equipment, Power User, Unifi-Ubiquiti | Leave a Comment »

Did not realise that a 2018 Mikrotik vulnerability made it to the top of the CBL (SMTP composite black list) warning page for quite some months as the first ever device

Posted by jpluimers on 2021/07/02

Having it accidentally made it to the CBL (Composite Blocking List – Wikipedia) a long time ago, I discovered the page started with (WayBack link mine):

IMPORTANT: Many CBL/XBL listings are caused by a vulnerability in Mikrotik routers. If you have a Mikrotik router, please check out the [WayBack] Mikrotik blog on this subject and follow the instructions before attempting to remove your CBL listing.

It wasn’t one of my Mikrotik devices, as first of all they had all being patched out of the box from a really empty internal network before being externally exposed to the internet or more busy internal networks, and second because the CBL entry was a one off on one specific day where someone used our guest network.

Some CBL entries in the range where it was displayed, quite a while after CVE-2018-14847 became public:

If you want to try for yourself or harden it: [WayBack] Exploiting Mikrotik for Good ? | Syed Jahanzaib Personal Blog to Share Knowledge !

So I did some more digging.

First of all, it seems that if you ever had an infected Mikrotik system, then you have to factory reset it, then upgrade and configure from scratch. Otherwise at least the SOCKS and Web proxy services can still send out spam: [Archive.is] spammer behind mikrotik or mikrotik is the spammer : sysadmin. There, the best advice was

aliterCogitare, Jr. Sysadmin: 

Your mikrotik has been compromised then, I would suggest either going on site and rebuilding the router from scratch, or looking at a few things:

  1. Check System -> Scheduler for any schedules running( that you haven’t configured yourself)

  2. Check Systems -> scripts for any installed scripts that are running and delete, also look for running jobs and terminate them.

  3. Finally check the file explorer for any suspicious files or scripts, and delete any you find. A default library should look like this: flash (the partition) -pub -skins anything else that you havent put there yourself, Delete.

Anything else that I have mentioned above should be empty. Also you need to re-evaluate the security of your network. If you happen to be on site, reset the router and remove the default configuration on the boot prompt. Create two rules:

  • Allow input chain source IP from your default local network, if i remember correctly its 192.168.88.0/24

  • create an explicit drop rule on input chain for all interfaces and addresses + ports

  • disable IP – services except winbox Finally work your way up on what your network needs step by step by creating rules to accept traffic. And be sure to put your explicit rule on the bottom of the list by drag-and-dropping. That is all I can say, I hope I could be of help.

This means the advice in these two links might not be enough:

Another helpful resource [WayBack] Router Sending Spam – MikroTik which discusses the firewall rules, socks and web proxy services.

Second, there are a truckload of these devices around: [WayBack] Thousands of Compromised MikroTik Routers Send Traffic to Attackers and [WayBack] Thousands of MikroTik routers are snooping on user traffic | ZDNet write that in September 2018, at least 7500 devices were known infected and about 370-thousand endpoints vulnerable.

Third, you should be able to use [WayBack] Manual:Tools/Netwatch – MikroTik Wiki to check if you are on the CBL: [WayBack] Probing CBL blacklist – MikroTik.

Read the rest of this entry »

Posted in Firewall, Internet, MikroTik, Power User, routers, SPAM | Leave a Comment »

Fritz!Box as DMZ behind an Experiabox version 10A

Posted by jpluimers on 2021/06/17

First of all: incoming Fritz!Box VPN behind an Experiabox version 10A fails, because the DMZ implementation of the Experiabox is faulty.

This worked just fine with the Fritz!Box as DMZ host behind a Ziggo Connectbox ([WayBack] Connectbox | Klantenservice | Ziggo).

First a few things to get regular TCP stuff to work: having your Fritz!Box as the DMZ host of an Experiabox.

I had a hart time figuring out some of them, so further below are also quite a few links just in case you bump into simular things.

  1. On the back of the Experiabox version 10A you find the SSDI and WiFi password on what appears to be a sticker, but is in fact a small piece of cardboard paper.

  2. Behind that cardboard paper is a sticker with the initial administrator password: shove out the piece of cardboard to reveal the sticker.
  3. After login (you cannot change the username, which is ADMIN or KPN) you have to choose a new password, which has these undocumented restrictions:
    • It cannot be the old password
    • The password must contain at least 1 special character (!@#$%^&*()_+|~- =\`{}[]:";'<>?,./).
    • The password must contain at least 1 number character.
    • The password must contain at least 1 uppercase letter.
    • Other restrictions I have not bumped into
  4. The default address of the Experiabox V10a is 192.168.2.254. Do NEVER change it, as KPN totally does not support that scenario and will force you to reset it before starting to help you out with anything. Logon as Administrator to the Experiabox at 192.168.2.254.
  5. Setting fixed DHCP leases was hard to find (I was looking for fixed DHCP, not DHCP reservation): Network -> LAN -> LAN DHCP (dropdown next to LAN) -> DHCP Reservation (up to 10 computers).

  6. The DMZ setting was not where I expected it: Network -> Firewall -> DMZ (dropdown next to Firewall)

 

External port checker: [WayBack] Open Port Checker & Scanner | Test Port Forwarding | Internet Protocol Tools

Related:

–jeroen

Posted in Network-and-equipment, Power User, VPN | Leave a Comment »

CloudKey ESXi Appliance – Google Search

Posted by jpluimers on 2021/06/07

Via [Archive.is] CloudKey ESXi Appliance – Google Search:

–jeroen

Posted in *nix, Cloud Key, ESXi6, ESXi6.5, ESXi6.7, Internet, Network-and-equipment, Power User, Unifi-Ubiquiti, Virtualization, VMware, VMware ESXi | Leave a Comment »

Reminder to self: get less dependent on the various clouds

Posted by jpluimers on 2021/06/04

For my link archive: [WayBack] Grote Google-storing trof Gmail, YouTube en diensten van derden – IT Pro – Nieuws – Tweakers.

It has some interesting tips for IoT video doorbell products that are less depending on single-choice clouds:

EvilPlatypus 
@terradrone • 3 juni 2019 10:38
Er bestaan er minimaal eentje; smart deurbel met camera en evt speaker, eigen intern netwerk, compatible met SIP (en video), zelf verantwoordelijk voor opnamen, etc. Enige nadeel is dan wel de prijs, het is een Duits kwaliteitsproduct, dus reken rond de 350 euro voor het absolute basismodel. Doorbird heet het; oa te koop bij Robbshop en CoolBlue of direct bij de fabiraknt’s website.
seba
@controvi • 3 juni 2019 15:49
Nee hoor, ze hebben een LAN API: https://www.doorbird.com/downloads/api_lan.pdf?rev=0.25

 

dasiro
@controvi • 3 juni 2019 17:52
Je moet je huis flink geautomatiseerd hebben wil je echt nut van die api willen hebben.

als je alles zelf in de hand wil hebben doe je dat ook. Je zorgt er zelf voor dat je webinterface via een externe URL bereikbaar is en dan is het enkel je eigen hardware en internetverbindingen die als SPOF dienen en je kan dan ook makkelijker van solution-provider wisselen zonder vast te zitten.

 

mahsalti
@controvi • 3 juni 2019 13:24

wellicht is dit een oplossing voor jou?

https://www.instructables…oorbell-for-Less-Than-40/

 

–jeroen

Posted in Cloud Apps, Internet, IoT Internet of Things, Network-and-equipment, Power User | Leave a Comment »

Fritz!Box repeater and other devices: “Radar detection enabled. At the moment no wireless LAN connection (5 GHz) is possible; please wait.”

Posted by jpluimers on 2021/05/31

If any of your Fritz!Box devices under “Wireless” -> “Radio Channel” -> “5-GHz band”  the indicates “Radar detection enabled. At the moment no wireless LAN connection (5 GHz) is possible; please wait.” – Google Search:

  1. Click on the “Refresh Auto Channel” button
  2. Wait until it has chosen a new 5Ghz channel
  3. Verify you can connect over 5Ghz
  4. If you still cannot connect, retry steps 1…3 once.

I had this only happen on 1750E repeaters so far, but others seem to have had it on other Fritz!Box devices as well.

In the Netherlands, potentially affected channels seem to be 52 through 140.

Related:

–jeroen

Posted in Fritz!, Fritz!Box, Fritz!WLAN, Internet, Power User | Leave a Comment »

Unifi Cloud Key: “We have detected that your SD card is missing. Please insert it and reboot your Cloud Key or disable automatic backup.”

Posted by jpluimers on 2021/04/23

Got this a while ago with 5.10.17:

“Missing SD card”

“We have detected that your SD card is missing. Please insert it and reboot your Cloud Key or disable automatic backup.”

This might be a hardware issue with [Archive.is] Ubiquiti UniFi Cloud Key, UC-CK: AmazonSmile: Computer & Zubehör

Reading the 1-star reviews, SD-card problems seem paramount: [Archive.is] Amazon.de:Kundenrezensionen: Ubiquiti UniFi Cloud Key, UC-CK.

For me, most of the times this solved the problem:

  1. Power down the Cloud Key
  2. Remove the SD card
  3. Insert the SD card
  4. Power up the Cloud Key

Read the rest of this entry »

Posted in Cloud Key, Hardware, Network-and-equipment, Power User, Unifi-Ubiquiti | Leave a Comment »

« Previous Entries
Next Entries »