The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,861 other subscribers

Archive for the ‘Network-and-equipment’ Category

« Previous Entries
Next Entries »

Stop FortiClient from auto-starting (as it uses a truckload of Windows resources, often including 2 gigabyte of memory for their logger)

Posted by jpluimers on 2021/04/16

I see lot’s of negative reactions on FortiClient, as it is very closed source, many intermittent issues, and is a product that tries to be a jack of all trades (over a couple of versions, in addition of being a proprietary VPN client, they started doing vulnerability scanning, interfering with anti-virus products, they blocked saving of passwords and allowing password managers to paste them, and I could go on).

Sometimes you have to use it in order to access a FortiGate based VPN server, so the best is to defer starting it until as late as possible.

Here are some links to get that configured correctly:

–jeroen

Posted in FortiGate/FortiClient, Network-and-equipment, Power User, VPN | Leave a Comment »

How to remember password in FortiClient VPN? – Stack Overflow

Posted by jpluimers on 2021/04/12

In [WayBack] How to remember password in FortiClient VPN? – Stack Overflow, the consensus seems to be “it varies, and usually is unreliable”.

Time to write a tool that snifs the Windows GUI and auto-enters the credentials.

That would be much like the Linux expect solution: [WayBack] Continuous run Forticlient VPN using expect. Automatically restart VPN if get disconnected or session closed. · GitHub

Via: [WayBack] Forticlient 5.6 – Save Credentials | Fortinet Technical Discussion Forums

–jeroen

Posted in FortiGate/FortiClient, Network-and-equipment, Power User, VPN | Leave a Comment »

Need to do some reading on local domains on the internal network

Posted by jpluimers on 2021/04/09

A long time I wondered why I saw ESXi systems on my local network have two entries in their /etc/hosts file:

[root@ESXi-X10SRH-CF:~] cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost
::1     localhost.localdomain localhost
192.168.71.91   ESXi-X10SRH-CF ESXi-X10SRH-CF

Then I bumped into someone who had a different setup:

[root@ESXi-X10SRH-CF:~] cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost
::1     localhost.localdomain localhost
192.168.0.23    esxi.dynamic.ziggo.nl esxi

So now I knew that the first entry can have a domain resolving it (it still makes be wonder why ziggo is using a top-level domain to resolve local stuff; but searching for  dynamic.ziggo.nl did not get me further on that).

So I installed a quick ESXi machine on that local network, and got the same.

When back home the machine still thought it was esxi.dynamic.ziggo.nl, though clearly I was outside a Ziggo network

I wanted to get rid of it, but that was hard.

Since I forgot to take screenshots beforehand, I can only provide the ones without a search domain bellow.

Reminder to self: visit someone within the Ziggo network, then retry.

Normally you can edit things like these in the default TCP/IP stack. There are two places to change this:

Neither of these allowed me to change it to a situation like this, but luckily the console did.

In the below files, I had to remove the bold parts, then restart the management network (I did keep a text dump, lucky me):

[root@esxi:/etc] grep -inr ziggo .
./vmware/esx.conf:116:/adv/Misc/HostName = "esxi.dynamic.ziggo.nl"
./resolv.conf:2:search dynamic.ziggo.nl 
./hosts:5:192.168.71.194    esxi.dynamic.ziggo.nl esxi
[root@esxi:/etc] cat /etc/resolv.conf 
nameserver 192.168.71.3
search dynamic.ziggo.nl 
[root@esxi:/etc] cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost
::1     localhost.localdomain localhost
192.168.71.194  esxi.dynamic.ziggo.nl esxi

Future steps

  1. Read more on local domains, search domains and related topics
  2. Configure a local domain on my local network, so DHCP hands it out, and DHCP handed out host names are put in the local DNS
  3. Test if all services on all machines still work properly

Reading list

Read the rest of this entry »

Posted in DNS, ESXi6.5, ESXi6.7, Hardware, Internet, Mainboards, Network-and-equipment, Power User, SuperMicro, Virtualization, VMware, VMware ESXi, X10SRH-CF, X9SRi-3F | Leave a Comment »

Build your own Infrared reader head for electriciti smart meters for around USD 6: haus-automatisierung.com [4K] – YouTube

Posted by jpluimers on 2021/03/24

In German, but very interesting IR-Lesekopf für SmartMeter selber bauen | haus-automatisierung.com [4K] – YouTube:

I could not find the promised follow-up video at haus-automatisierung.com – YouTube, but the manual steps and the site below have enough information for me.

Too bad the site is way to big to fully archive in the WayBack machine. I only saved the top pages:

Related: [WayBack] MQTT-Grundlagen-Kurs – haus-automatisierung.com

–jeroen

Read the rest of this entry »

Posted in Development, Hardware Development, Hardware Interfacing, IoT Internet of Things, Raspberry Pi, Software Development | Leave a Comment »

🔎Julia Evans🔍 on Twitter: “ethtool… “

Posted by jpluimers on 2021/02/08

[WayBack] 🔎Julia Evans🔍 on Twitter: “ethtool… “

With a lot of responses, including:

–jeroen

Posted in *nix, *nix-tools, Network-and-equipment, Power User | Leave a Comment »

Forced routing of selective emails to ISP SMTP via Mikrotik Routing | Syed Jahanzaib Personal Blog to Share Knowledge !

Posted by jpluimers on 2021/01/14

For my link archive: [WayBack] Forced routing of selective emails to ISP SMTP via Mikrotik Routing | Syed Jahanzaib Personal Blog to Share Knowledge !

–jeroen

Posted in Development, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

Fiber cables: speed and connectors

Posted by jpluimers on 2021/01/07

Similar to the CAT# designation for speed categories, fiber cables have an OM# designation. [WayBack] OM1 fiber, OM2 fiber, OM3 fiber and OM4 fiber overview explain this well, and has this quote and image tables:

There are four kinds of multimode fibers: OM1 fiber, OM2 fiber, OM3 fiber and OM4 fiber. The letters “OM” stand for optical multi-mode.

Both OM1 and OM2 work with LED based equipment that can send hundreds of modes of light down the cable, while OM3 and OM4 are optimized for laser (eg. VCSEL) based equipment.

I have combined the tables in html as:

OM1 OM2 OM3 OM4
Maximum distance for 100 Mbit/s 2000m 2000m 2000m 2000m 100BASE -FX
Maximum distance for 1 Gbit/s 275m 550m 550m 1000m 1000BASE-SX
Maximum distance for 10 Gbit/s 33m 82m 300m 550m 10GBASE-SR
Maximum distance for 40 Gbit/s not specified not specified 100m 150m 40GBASE-SR4
Maximum distance for 100 Gbit/s not specified not specified 100m 150m 100GBASE-SR10 / 100GBASE-SR4
Diameter 62.5/125µm 50/125µm 50/125µm 50/125µm
Jacket coulors (often also cable colours) Orange Orange Aqua Aqua
Optical source LED LED VCSEL VCSEL
Bandwidth 200MHz*km 500MHz*km 2000MHz*km 4700MHz*km

 

Unlike CAT cabling, fiber cables can have various connectors, of which SC and LC are the most common as explained in [WayBack] SC vs LC—What’s the difference? which has this quote and image table:

  • Size: LC is half the size of SC. Actually, one SC-adapter is exactly the same size as a duplex LC-adapter. Therefore LC is more and more common in central offices where packing density (number of connections per area) is an important cost factor
  • Handling: SC is a true “push-pull-connector” and LC is a “latched connector”, although there are very innovative, real “push-pull-LCs” available which have the same handling capabilities like SC.
  • The History of Connector: The LC is the “younger” connector of the two, SC is wider spread around the world but LC is catching up. Both connectors have the same insertion loss and return loss capabilities. Generally, it depends where in the network you want to use the connector, no matter SC or LC, even the other different kinds of connector.

In html:

Name Mating
cycles		 Ferrule
size		 Typical
insertion loss
(dB)		 IEC
specification		 Cost Ease
of
use		 Application
features
SC 1000 Ø 2.5mm
ceramic		 0.25-0.5 61754-4 $$ ••••• Mainstream, reliable, fast deployment, field fit
LC 500 Ø 1.25mm
ceramic		 0.25-0.5 61754-20 $$ ••••◦ High density, cost effective, field fit

Related:

–jeroen

Posted in Ethernet, Network-and-equipment, Power User | Leave a Comment »

Mikrotik Remote Access via Multiple WAN Links | Syed Jahanzaib Personal Blog to Share Knowledge !

Posted by jpluimers on 2020/11/04

Multi-WAN routing always involves marking incoming connections to the replies go out on the same connection: [WayBack] Mikrotik Remote Access via Multiple WAN Links | Syed Jahanzaib Personal Blog to Share Knowledge !

# Mirkotik IP Firewall Mangle Section
/ ip firewall mangle
# Mark traffic coming via WAN-1 link
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_incoming_conn
# Mark traffic coming via WAN-2 link
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_incoming_conn
# Mark traffic routing mark for above marked connection for WAN-1 , so that mikrotik will return traffic via same interface it came in
add chain=output connection-mark=WAN1_incoming_conn action=mark-routing new-routing-mark=to_WAN1
# Mark traffic routing mark for above marked connection for WAN-2, so that mikrotik will return traffic via same interface it came in
add chain=output connection-mark=WAN2_incoming_conn action=mark-routing new-routing-mark=to_WAN2
# Finally Add appropriate routes in ROUTE section
/ ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.2 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=to_WAN2 check-gateway=ping

Related:

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

pfSense OpenVPN server configuration steps

Posted by jpluimers on 2020/09/28

Saving an initial configuration without changing anything gives these errors:

Self signed certificate

If you are OK with self-signed certificates, then the first is solved by using this as the Server certificate:

Certificate authority

The second needs an additional step: you have to select or create a certificate authority first at hostname/system_camanager.php?act=new where hostname is the hostname or IP address of your pfSense configuration.

This order is actually explained in [WayBack] OpenVPN – The Open Source VPN: HOWTO and [WayBack] OpenVPN Configuration (pfSense) – ELITS, but I like stronger security.

For the Internal Certificate Authority (CA), use at least these settings:

  • “Key length (bits)” at least 2048 bits, but I prefer 3072 bits (to be safe after about 2030) as per
  • “Digest Algorithm” at least sha256, but I prefer sha512 as it will be safe for a longer period of time.
  • “Lifetime” by default is 3650 (10 years); can you keep your VM safe for that long? If longer, you can increase the lifetime, but also have to ensure you take large enough values for the Key length and Digest Algorithm.

You can view the possible settings in [WayBack] pfsense/system_camanager.php at master · pfsense/pfsense · GitHub.

Straightforward parameters

Further encryption hardening

  • DH Parameter Length
    • One problem here is that pfSense ships with pre-generated Diffie Helman (DH) parameters:

      This means they can potentially be re-used as an attack-vector, so you need to manually re-generate them as per [WayBack] DH Parameters – pfSense Documentation by using /usr/bin/openssl dhparam

      In order to speed that up, you have to either manually add a lot of entropy, or ensure your VM uses the host entropy by installing the open-vm-tools and rebooting.

      This can take quite some time as it depends on /dev/random as a pure random number source, which will wait if there is not enough initial entropy available yet (see [WayBack] prng – differences between random and urandom – Stack Overflow).

      In order to speed that up, you have to either manually add a lot of entropy, or ensure your VM uses the host entropy by installing the open-vm-tools and rebooting.

      On a single-coreIntel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz, the timings of these

      /usr/bin/openssl dhparam -out /etc/dh-parameters.1024 1024
      /usr/bin/openssl dhparam -out /etc/dh-parameters.2048 2048
      /usr/bin/openssl dhparam -out /etc/dh-parameters.4096 4096

      using the [WayBack] FreeBSD Manual Pages: time command are (each measured twice):

      • ~4.5 seconds for 1024 bits:

      • ~23 seconds for 2048 bits:

      • ~150 seconds for 4096 bits:

      • You see that even within the same length, the duration varies highly.
    • Given you already burned those CPU cycles, choose the largest one: 4096
  • Encryption Algorithm
  • Enable NCP(Negotiable Cryptographic Parameters)
    • I enabled this, because I consider the ones below safe enough. If you just want to go for one algorithm, then disable this.
  • NCP Algorithms
    • See the previous one; only list the algorithm-length-mode combinations that you want to allow.. Since I am on AES, prefer GCM, and all key sizes are considered safe, my list is the one on the right:

      This is in decreasing order of secureness:

      • AES-256-GCM
      • AES-192-GCM
      • AES-128-GCM
  • Auth digest algorithm
  • Certificate depth
    • For now it is 1 (as it is self-signed)
    • In the future I will experiment with proper (hopefully Let’s Encrypt) signed certificates. I am not yet sure if that might need a larger depth.

Other settings

All networks are in CIDR notation, like 192.168.3.0/24.

  • IPv4 Tunnel network
  • IPv6 Tunnel network
    • I still need to implement IPv6 in full, so that is empty for now.
  • IPv4 Local networks
    • These are my local networks. Still need to test how well routing works, but given the default gateway knows about them too, I do not suspect problems.
  • IPv4 Remote networks
    • Empty as I do not use site-to-site VPN yet.
  • IPv4 Remote networks
    • I still need to implement IPv6 in full, so that is empty for now.
  • Concurrent connections
    • Still need to measure performance, so empty for now.
  • Compression
    • I kept the default “Omit Preference (Use OpenVPN Default)”.
    • I might choose compression lz4 or compression lz4-v2 in the future.
  • Push compression
    • Kept to unchecked: I dislike other VPN connections to push settings to me, so I do not want to push settings to others.
  • Type-of-Service
    • Kept to unchecked, although I might opt for checked later on: need to do some testing first.
  • Inter-client communication
    • Kept to unchecked: I do not want clients to talk to each other in this particular network, though I might for some specific OpenVPN setup
  • Duplicate Connection
    • Kept to unchecked
  • Dynamic IP
    • I have enabled this as I expect clients to switch IP addresses because of switching between networks
  • [WayBack] Topology: choose subnet (use net30 only for old 2.0.9 client compatibility on Windows; use p2p if you only have non-Windows clients)
  • Advanced client options
    • All defaults, as currently I do not run an internal DNS, but those will probably change in the future:
      • DNS Default Domain
      • DNS Server enable
      • DNS Server 1..4
      • Force DNS Cache Update
  • Custom options
    • None, but I will need to do some deeper reading on the possibilities here
  • UDP Fast I/O
    • Disabled as experimental
  • Send/Receive Buffer
    • Default, although I might increase this if speed is too slow.
  • Gateway creation
    • I choose the default Both
  • Verbosity level
    • Default

 

Enabling AES

Even if the underlying Intel/AMD processor supports AES, it is not enabled by default in pfSense as per web UI home page:

Intel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz
AES-NI CPU Crypto: Yes (inactive)

I was quite surprised, but then remembered that enabling RDRAND in the OpenVPN settings was also non-default and dug a bit deeper into ….

There I found you have to go to the System menu, choose Advanced, then the Miscellaneous tab:

From there, browse down (or search for Hardware) to “Cryptographic & Thermal Hardware”, then enable the CPU based accelleration:

After pressing the Save button at the bottom, you are done:

AES-NI CPU Crypto: Yes (active)

I got this via [WayBack] AES-IN Inactive?, which also mentions this:

  • AES-NI loads aesni.ko
  • BSD Crypto loads cryptodev.ko
  • AES-NI and BSD Crypto loads both

Note that AES – as of FreeBSD-10 – AES-NI and other hardware implementations are only indirectly incorporated into /dev/random. The Linux kernel already did this in an indirect way. I think that is a good idea as when multiple entropy sources are merged together, it makes it much harder to influence to total entropy. FreeBSD implemented this using the Yarrow algorithm – Wikipedia and now has moved to a successor, the Fortuna (PRNG) – Wikipedia.

More background information:

padlock ACE support

Note there is a message about ACE support on the console and in the boot log that is related to AES:

padlock0: No ACE support.
aesni0: <AES-CBC, AES-XTS, AES-GCM, AES-ICM> on motherboard

The cause is that in the past, VIA PadLock Advanced Cryptography Engine (ACE) in the mid 2000s introduced encryption acceleration (see [WayBack] VIA PadLock support for Linux) a few years before AES-NI, so ACE is incompatible with AES-NI. AES-NI is now much more widespread than ACE, even the wikipedia VIA page padlock information has been removed.

An odd thing: unlike AES-NI which needs to be specifically enabled, VIA Padlock is always enabled, see

OpenVPN Client Export Package

Ensure you install the (optional, but highly recommended) [WayBack] OpenVPN Client Export Package:

Allows a pre-configured OpenVPN Windows Client or Mac OS X’s Viscosity configuration bundle to be exported directly from pfSense.

These config files work with Tunnelblick as well, which is a great free and open source OpenVPN tool on Mac OS X / MacOS:

Creating and exporting users

I have yet to cover these two; for now read [WayBack] How to setup OpenVPN on pFSense? | IT Blog and [WayBack] OpenVPN Remote Access Server – pfSense Documentation.

Further reading

I like this overview a lot:

–jeroen

Read the rest of this entry »

Posted in Internet, pfSense, routers | Leave a Comment »

During pfSense boot: syslogd “operation not supported by device” messages

Posted by jpluimers on 2020/09/25

If during a pfSense reboot you get one or more messages from syslog about “operation not supported by device” on various log files, then they are likely corrupt.

I had this when a pfSense 2.4.x RELEASE version VM was accidentally power-cycled during initial setup.

A side effect was that no logs showed in the web UI either, nor would clog on any file in the /var/log directory.

The solution was to choose option 8 (Shell), then in the /var/log directory, remove all files with extension .log, then reboot.

Now the messages were gone and the web UI showed logs. clog /var/log/system.log showed content as well.

Solution based on these posts:

–jeroen

Posted in Internet, pfSense, Power User, routers | Leave a Comment »

« Previous Entries
Next Entries »