Posted by jpluimers on 2017/07/04
Just found out about these interesting links I would have loved to use years ago, but alas, now I know (:
It looks similar to SSL VPN, sometimes also called WebVPN:
Then there are non-VPN tunnels through WebSockets:
Since WebSockets can run through a proxy server, you could route any kind of binary traffic through them, even in places that disallow non-web protocols or do layer-7 inspection of HTTPS traffic.
Although ops might restrict stuff even further:
–jeroen
Posted in Internet, Network-and-equipment, Power User, VPN
Posted by jpluimers on 2017/06/23
For my blog archive as I already shared it on G+
[WayBack] With so many vulnerabilities out there, here is how to find out if a fix is applied to vulnerabilities on Debian/Ubuntu Linux using CVE. – Jeroen Wiert Pluimers – Google+
[WayBack] Debian/Ubuntu Linux: Find If Installed APT Package Includes a Fix/Patch Via CVE Number – nixCraft
Explains how to view the changelog of an installed package on a Debian or Ubuntu Linux server to find out whether a fix/patch for a given CVE number was applied.
Hans Wolters:
And find all packages that belong to one cve :-)
zgrep -i cve /usr/share/doc/*/changelog.Debian.gz|grep 1000364
–jeroen
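As an added example (mine, not from the post, from Hans or from nixCraft), here is the same changelog search done in Python: it reports the package version whose changelog entry names the CVE, and can list every CVE a package's changelog mentions. It builds its own constructed /usr/share/doc look-alike with placeholder CVE ids so it runs offline; point packages_fixing at the real /usr/share/doc on a Debian or Ubuntu box. One caveat to keep in mind: a changelog entry naming a CVE means the maintainer addressed it in that upload, which is usually but not always a fix (the entry might say "not affected"), so read the matching entry before ticking the box.

```python
import gzip
import os
import re
import tempfile

# Added example (not from the post or nixCraft): scan Debian changelogs for a CVE id.
# Debian/Ubuntu packages ship /usr/share/doc/<pkg>/changelog.Debian.gz; a security
# upload normally names the CVE it addresses in its changelog entry.

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# An entry starts at column 0 with "<package> (<version>) <dist>; urgency=..."
ENTRY_HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) [^;]+; urgency=", re.MULTILINE)


def changelog_entries(path):
    """Yield (version, entry_text) for each entry of a gzipped Debian changelog, newest first."""
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    starts = list(ENTRY_HEADER_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        yield m.group(2), text[m.start():end]


def packages_fixing(cve, docdir="/usr/share/doc"):
    """Return {package: version} for installed packages whose changelog names `cve`.

    The version is that of the newest entry mentioning the CVE. "Mentions" is not
    proof of a fix: read the entry, it may say the package is not affected.
    """
    cve = cve.upper()
    hits = {}
    for pkg in sorted(os.listdir(docdir)):
        path = os.path.join(docdir, pkg, "changelog.Debian.gz")
        if not os.path.isfile(path):
            continue
        for version, entry in changelog_entries(path):
            if cve in entry.upper():
                hits[pkg] = version
                break
    return hits


def cves_in_package(pkg, docdir="/usr/share/doc"):
    """All CVE ids named anywhere in one package's changelog (sorted, de-duplicated)."""
    path = os.path.join(docdir, pkg, "changelog.Debian.gz")
    found = set()
    for _version, entry in changelog_entries(path):
        found.update(c.upper() for c in CVE_RE.findall(entry))
    return sorted(found)


def make_sample_docdir():
    """Build a constructed /usr/share/doc look-alike; the CVE id is a placeholder."""
    d = tempfile.mkdtemp(prefix="doc-")
    samples = {
        "libfoo1": (
            "libfoo1 (1.2.3-2) unstable; urgency=high\n\n"
            "  * Fix CVE-2017-0000 (placeholder id): buffer overflow in parser.\n\n"
            " -- Maintainer <m@example.org>  Mon, 01 May 2017 10:00:00 +0200\n\n"
            "libfoo1 (1.2.3-1) unstable; urgency=medium\n\n"
            "  * New upstream release.\n\n"
            " -- Maintainer <m@example.org>  Mon, 03 Apr 2017 10:00:00 +0200\n"
        ),
        "bar": (
            "bar (0.9-1) unstable; urgency=medium\n\n"
            "  * Unrelated packaging change.\n\n"
            " -- Maintainer <m@example.org>  Sun, 02 Apr 2017 10:00:00 +0200\n"
        ),
    }
    for pkg, changelog in samples.items():
        os.makedirs(os.path.join(d, pkg))
        with gzip.open(os.path.join(d, pkg, "changelog.Debian.gz"), "wt") as fh:
            fh.write(changelog)
    return d


if __name__ == "__main__":
    d = make_sample_docdir()
    print(packages_fixing("cve-2017-0000", d))   # {'libfoo1': '1.2.3-2'}
    print(cves_in_package("libfoo1", d))         # ['CVE-2017-0000']
```

On a real system, call packages_fixing("CVE-2017-XXXX") with the default docdir; it only reads files, so it runs fine as an unprivileged user.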

Posted in OpenVPN, Power User, Security
Posted by jpluimers on 2017/06/06
The WAN sides of my Mikrotik CCR1009 are partly behind Fritz!Box routers that do NAT and contain a truckload of port-forwards.
A while ago, I wanted the CCR1009 to do PPTP, as static routes over VPN don't work on the Fritz!Box 7360 and 7490 (so I could only VPN to the WAN side of the CCR1009). However, it would not pass through the Fritz!Box from the outside.
It appears you need to forward both PPTP TCP port 1723 and the GRE protocol:
Maybe one day I will ditch the Fritz!Box 7490 and directly hook up the Mikrotik to the NTU: xs4all ftth en Mikrotik router – Google Groups.
But preferably I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog)
–jeroen
via: VPNs einrichten mit PPTP (Setting up VPNs with PPTP) – administrator.de: “Achtung mit PPTP VPN Servern hinter NAT Firewalls !” (Watch out with PPTP VPN servers behind NAT firewalls!)
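As an added illustration (mine, not from the post or from administrator.de) of why the single TCP forward is not enough: PPTP's control channel is TCP port 1723, but the tunnelled PPP frames travel in GRE (IP protocol 47, RFC 2637), which has no port numbers at all, so a port-based forward can never match them. The Python below classifies two constructed packets by which forward they need, and checks a list of NAT forwards (a made-up dictionary shape, not the Fritz!Box's own format) for the missing half; the 192.168.178.2 server address is an assumption.

```python
import socket
import struct

# Added example (not from the post): PPTP needs TWO NAT forwards because its data
# channel is GRE, which has no ports. Constants from RFC 2637.
PPTP_CONTROL_PORT = 1723
IPPROTO_TCP = 6
IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B   # protocol type of Enhanced GRE frames carrying PPP


def classify_ipv4(pkt):
    """Return (kind, note) for a raw IPv4 packet: which NAT forward it would need."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    payload = pkt[(ver_ihl & 0x0F) * 4:]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control", "needs a forward of TCP port 1723"
        return "tcp", "ports %d -> %d" % (sport, dport)
    if proto == IPPROTO_GRE:
        flags_ver, gre_proto = struct.unpack("!HH", payload[:4])
        # Enhanced GRE: version field (low 3 bits) is 1 and the payload is PPP
        if gre_proto == GRE_PROTO_PPP and (flags_ver & 0x7) == 1:
            return "pptp-data", "needs a forward of IP protocol 47 (GRE); there is no port to match"
        return "gre", "protocol type 0x%04x" % gre_proto
    return "other", "ip protocol %d" % proto


def pptp_forward_gaps(rules, server):
    """rules: NAT forwards as {"proto": "tcp"|"udp"|"gre", "port": int|None, "to": ip}
    (a constructed shape). Returns the forwards still missing for a PPTP server at `server`."""
    to_server = [r for r in rules if r["to"] == server]
    gaps = []
    if not any(r["proto"] == "tcp" and r.get("port") == PPTP_CONTROL_PORT for r in to_server):
        gaps.append("tcp/1723")
    if not any(r["proto"] == "gre" for r in to_server):
        gaps.append("gre (ip proto 47)")
    return gaps


def _ipv4(proto, payload, src="198.51.100.7", dst="203.0.113.10"):
    """Constructed IPv4 header (checksum left 0; enough for classification)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


# Constructed samples: a PPTP control-connection SYN, and an Enhanced GRE data
# packet (K and S bits set, version 1, key = payload length + call id, seq 0, PPP LCP).
SAMPLE_CONTROL = _ipv4(IPPROTO_TCP,
                       struct.pack("!HHIIBBHHH", 51000, 1723, 1, 0, 0x50, 0x02, 65535, 0, 0))
SAMPLE_DATA = _ipv4(IPPROTO_GRE,
                    struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, 4, 1, 0) + b"\xff\x03\xc0\x21")

# Assumed LAN address of the PPTP server behind the NAT box
PPTP_SERVER = "192.168.178.2"
FORWARDS_TCP_ONLY = [{"proto": "tcp", "port": 1723, "to": PPTP_SERVER}]
FORWARDS_COMPLETE = FORWARDS_TCP_ONLY + [{"proto": "gre", "port": None, "to": PPTP_SERVER}]

if __name__ == "__main__":
    print(classify_ipv4(SAMPLE_CONTROL))
    print(classify_ipv4(SAMPLE_DATA))
    print("missing:", pptp_forward_gaps(FORWARDS_TCP_ONLY, PPTP_SERVER))   # ['gre (ip proto 47)']
    print("missing:", pptp_forward_gaps(FORWARDS_COMPLETE, PPTP_SERVER))   # []
```

The symptom in the post (control connection succeeds, then nothing) is exactly what you get when the first forward exists and the second does not: the TCP handshake and PPTP negotiation complete, and every GRE data packet is then dropped by the NAT box.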
Posted in Fritz!, Fritz!Box, Fritz!WLAN, Internet, IPSec, MikroTik, Network-and-equipment, Power User, PPTP, routers, VPN
Posted by jpluimers on 2017/04/25
MikroTik has great hardware, but getting things to work can be a bit ehm intimidating.
So here are some links that were useful getting my CCR1009 and CRS226 configurations to do what I wanted.
- Saving your configuration (two possibilities: binary backup file which only works on the same physical model device, or text based configuration export script that you can import back to any model).
- Choosing ports for WAN and LAN
- Never ever use the domain named .local for your local domain if you have Apple devices in your network:
- Many people like Winbox because they prefer visual configuration. Others like the web or terminal interface better (the terminal is especially useful for scripts)
- Manual:First time startup – MikroTik Wiki (default password for admin is empty; WinBox and web-interface are available on WAN *and* LAN interfaces!)
- One of the first things I did was binding some ports to use LAN and others to use WAN. The LAN ports are in a bridge: Configure one port for WAN and others for LAN – MikroTik RouterOS
- Manual:IP/DHCP Server – MikroTik Wiki and Manual:IP/Pools – MikroTik Wiki
- I had a lot of DHCP entries on my LAN before switching to the MikroTik for which some I wanted to add statically. Couldn’t find out how to do that in the IP pool, but it appeared there is a different way to do it:
- Assign fixed / static IP address via Mikrotik DHCP server
- Notes:
- the MAC address can be either colon (:) separated or minus (-) separated. And yes: there is a RegEx for that.
- usually you don’t pass the client-id (it’s here just as an example that you could use it, but most DHCP clients do NOT use a client-ID, as they only use the MAC address)
/ip dhcp-server lease add address=192.168.100.10 mac-address=70:F1:A1:D1:49:49 client-id="client10"
- Manual:IP/DNS – MikroTik Wiki
- If you use the MikroTik as a caching DNS server, then you need to enable “/ip dns set allow-remote-requests=yes”, but you must also immediately block DNS (TCP and UDP) on all your WAN ports, otherwise you are running an open resolver for the whole internet. See:
- nslookup on the MikroTik itself is the :resolve command, used as put [:resolve ...]: put[: resolv ...] syntax: nslookup on Mikrotik – MikroTik RouterOS
- Examples (the first resolves a name via the router’s internal DNS, the second via one of the Google DNS servers, the third is given an IP address):
put [:resolve shell.xs4all.nl]
put [:resolve shell.xs4all.nl 8.8.8.8]
put [:resolve 194.109.21.9]
- tolaris.com · Synchronising DHCP and DNS on Mikrotik routers (script available on Github: Tolaris/mikrotik-dns-dhcp).
- Hardening (since my Guest WiFi is outside of the MikroTik LAN and WAN realm, I’ve left some things open; for instance the MAC service is available, but only on a limited set of interfaces):
- Manual:Upgrading RouterOS – MikroTik Wiki
- Manual:IP/Route – MikroTik Wiki (if you think routing is a massive topic, read about firewall rules).
- Not sure this is a good idea, but you can get a DDNS address in the sn.mynetname.net domain and VPN to it (for instance using PPTP): Quick Set Home AP — How to use vpn provided? – MikroTik RouterOS
- You need to setup both the clock (date/time) and SNTP in one step:
- Setup SNTP (Winbox) aka NTP (shell):
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
After a few seconds the Winbox will update the SNTP Client dialog and a few seconds later, the Clock dialog will also update itself.
- Manual:IP/Firewall/NAT – MikroTik Wiki
- I like these ones as they use Winbox:
- Sharing Ideas … Mikrotik with Kannel/playSMS
- Connect CCR1009 with CSR226 over a longer distance than 3 meter – MikroTik RouterOS
- Graphing: ensure you only limit this to IP-addresses that you want graphs to be visible on (0.0.0.0/0 makes it visible to ALL): Manual:Tools/Graphing – MikroTik Wiki
- DNS – MikroTik RouterOS: I would like to have my router to stop all the DNS coming from my clients and not reaching my ISP provider.
- Email sending can now also use the DNS-name of the SMTP server: Why does the email server configuration only allow IP-addresses? – MikroTik RouterOS
- Dynamic DNS Update Script for No-IP DNS for Router OS V.6.7 – MikroTik RouterOS
- Script for Ransomware Tracker by abuse.ch. Tracking Ransomware Infrastructure around the globe. Source: How I fight ransomware (crypto viruses) with Mikrotik – MikroTik RouterOS
- Very simple solution for a traceroute to hide the router’s IP address – MikroTik RouterOS (a mangle rule that raises the TTL by one, so the router’s own hop does not show up):
/ip firewall mangle add chain=prerouting action=change-ttl new-ttl=increment:1
- Using staged address list to perform Bruteforce login prevention – MikroTik Wiki
Very advanced stuff:
- VPN
- VLAN
- DNS Conditional forwarders with Mikrotik RouterOS | Dale Macartney
- Pointing Mikrotik RouterOS hardware logging to a remote Syslog server | Dale Macartney
- trying to setup CRS226-24G-2S+IN, could use some help : mikrotik
- Video: VLANs using the switching chips do not take the bridge penalty when you can do switching
- Be careful with CRS226 and SFP+ link aggregation
- Vlans on Mikrotik environment – MikroTik Wiki
- Block traffic like WhatsApp.
- API Links – MikroTik RouterOS (in various languages, of which I’m most interested in C#, Delphi, Perl and Python).
- Routing from mikrotik two IP addresses to same gateway – Server Fault
- RouterOS – public subnet routed and NAT-ed to internal clients – MikroTik RouterOS
- Known issues and bugs – a list – MikroTik RouterOS
- Tutorials blogs and other helpful RouterOS resources – MikroTik RouterOS
- ethernet ports overrunning – default interface queue (only-hardware-queue) not working well – MikroTik RouterOS
- MAC-Ping is described in Manual:Tools/Ping – MikroTik Wiki but *only* works for MikroTik devices having MAC-Ping Server enabled.
- How to auto-reboot if remote IP down for 5 minutes – MikroTik RouterOS
- ping, traceroute, log files, torch, sniffer, bandwidth tester, profile: Manual:Troubleshooting tools – MikroTik Wiki
- majbthrd/miksms: controlling external devices with Mikrotik RouterOS
- Howto Recover Mikrotik ADMIN account Forgotten Password | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik script to change PUBLIC ip from available pool | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik Firewall / Short Notes + Scripts | Syed Jahanzaib Personal Blog to Share Knowledge !
- SIP Problem with Mikrotik | Syed Jahanzaib Personal Blog to Share Knowledge !
- VPN/PPTP Static Routes Lose gateway when client reconnects | Syed Jahanzaib Personal Blog to Share Knowledge !
Packet flow (maybe the toughest part to wrap your head around):
Scripts:
Load balancing:
Syntax highlighting:
Pictures
Very well written blog:
Manito Network’s Mikrotik solutions blog. In-depth articles on Mikrotik routing, security, best practices, VPN, and more.
Source: Mikrotik — Manito Networks
Solutions for RouterOS-based Mikrotik networks. Includes security and best practices, VPN, routing, switching, and more.
Source: Mikrotik-1 — Manito Networks
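As an added example for the static DHCP lease notes earlier in this post (my code, not the post’s or MikroTik’s): a Python helper that accepts a MAC address with either colon or minus separators, rejects mixed separators through a backreference in the regex, refuses multicast/broadcast addresses (bit 0 of the first octet set), and emits the `/ip dhcp-server lease add` line. lease_script batches several leases and refuses duplicate IPs or MACs, so an imported batch cannot silently overwrite an existing lease. The sample addresses are the ones from the post plus constructed ones.

```python
import ipaddress
import re

# Added example (not from the post or MikroTik): validate and normalise a MAC address
# written with ':' or '-' separators, then emit the RouterOS static-lease command.
# The backreference \2 forces one consistent separator for the whole address.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([:-])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")


def is_valid_mac(mac):
    """True for six hex pairs joined by a single consistent ':' or '-' separator."""
    return bool(MAC_RE.match(mac.strip()))


def normalize_mac(mac):
    """Return the MAC as upper-case, colon separated; raise on anything malformed."""
    if not is_valid_mac(mac):
        raise ValueError("not a MAC address with a single consistent separator: %r" % mac)
    return mac.strip().upper().replace("-", ":")


def is_unicast(mac):
    """A lease only makes sense for a unicast MAC: bit 0 of the first octet is clear."""
    first = int(normalize_mac(mac).split(":")[0], 16)
    return (first & 0x01) == 0


def lease_command(address, mac, client_id=None):
    """Build one '/ip dhcp-server lease add ...' line.

    client-id is usually omitted; most DHCP clients are identified by MAC only.
    """
    ipaddress.IPv4Address(address)   # raises ValueError on a malformed address
    mac = normalize_mac(mac)
    if not is_unicast(mac):
        raise ValueError("multicast/broadcast MAC cannot hold a lease: " + mac)
    parts = ["/ip dhcp-server lease add", "address=" + address, "mac-address=" + mac]
    if client_id:
        parts.append('client-id="%s"' % client_id)
    return " ".join(parts)


def lease_script(leases):
    """leases: iterable of (address, mac, client_id-or-None). Returns a RouterOS script
    and refuses duplicate addresses or MACs, so an import cannot clobber a lease."""
    seen_ip, seen_mac, lines = set(), set(), []
    for address, mac, client_id in leases:
        mac = normalize_mac(mac)
        if address in seen_ip or mac in seen_mac:
            raise ValueError("duplicate address or MAC in lease list: %s %s" % (address, mac))
        seen_ip.add(address)
        seen_mac.add(mac)
        lines.append(lease_command(address, mac, client_id))
    return "\n".join(lines)


# Constructed sample: the lease from the post plus one extra host with '-' separators
SAMPLE_LEASES = [
    ("192.168.100.10", "70:F1:A1:D1:49:49", "client10"),
    ("192.168.100.11", "70-f1-a1-d1-49-4a", None),
]

if __name__ == "__main__":
    print(lease_script(SAMPLE_LEASES))
```

Paste the printed lines into the terminal, or save them and run them with /import; the duplicate check is what stops a copy-paste error from remapping a printer’s address to a laptop.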
–jeroen
Posted in DNS, Internet, IPSec, MikroTik, Network-and-equipment, OpenVPN, Power User, PPTP, routers, VPN
Posted by jpluimers on 2016/12/05
Time after time, issues pop up related to MAC addresses that start with a 4 or a 6.
[WayBack] nanog: Forwarding issues related to MACs starting with a 4 or a 6 (Was: [c-nsp] Wierd MPLS/VPLS issue)
The underlying issue has to do with switches interpreting too much of the (un)encrypted traffic and dropping it because they wrongly think it’s plain Ethernet traffic they need to handle.
MAC addresses starting with a 4 or 6 have a common bit pattern (likely this fails with 12 and 14 as well) that causes failures in certain network equipment that are hard to trace as there is limited.
[WayBack] Christian Vogel – Google+ (Physics, Electronics, Software) explains this way better at [WayBack] When your MAC address starts with 4 or 6, weird things can happen and it’s not always fixable… – Kristian Köhntopp – Google+:
Read the rest of this entry »
Posted in Internet, Network-and-equipment, Power User, routers, VPN
Posted by jpluimers on 2016/07/18
Windows has the built-in ability to function as a VPN server, although this option is hidden. This trick works on both Windows 7 and Windows 8. The server uses the point-to-point tunneling protocol (PPTP).
Source: How to Create a VPN Server on Your Windows Computer Without Installing Any Software
One day this might come in handy though I need to investigate a bit more on PPTP security issues first: might need to go for L2TP/IPsec instead.
Later: indeed, I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog)
–jeroen
Posted in IPSec, Network-and-equipment, Power User, PPTP, VPN, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1
Posted by jpluimers on 2016/03/28
Basically there are two opinions on Netflix and blocking:
- TL;DR: People use VPNs for security, Netflix fucks them up, they hate Netflix for that and just torrent that shit.
- tl;dr If you have issues with Netflix on public Wifi, contact the provider and forward tr@netflix.com to them so they can settle issues.
I’m not a netflix user (or user of any form of DRM) as I really dislike the fact that DRM means for any reason your license can be ended. I’ve seen too many players going out of business or taking decisions turning.
So I buy CDs, DVDs, Blu-rays or DRM-free media files. Now it’s my problem to make proper back-ups to ensure future access to them (:
The DRM walls and ladders war^w game has gone so far that in this case, Netflix is blocking even though the WiFi provider / proxy / VPN is in the same country like the below imgur image:
Read the rest of this entry »
Posted in Cloud, Infrastructure, Netflix, Network-and-equipment, Power User, VPN
Posted by jpluimers on 2016/03/28
20150412 ping statistics from WiFi -> ADSL -> VPN -> fiber (where ADSL and fiber both are Fritz!Box machines having LAN-LAN VPN to each other):
PING 192.168.71.1 (192.168.71.1): 56 data bytes
64 bytes from 192.168.71.1: icmp_seq=0 ttl=63 time=19.190 ms
64 bytes from 192.168.71.1: icmp_seq=1 ttl=63 time=18.905 ms
64 bytes from 192.168.71.1: icmp_seq=2 ttl=63 time=19.261 ms
64 bytes from 192.168.71.1: icmp_seq=3 ttl=63 time=19.982 ms
64 bytes from 192.168.71.1: icmp_seq=4 ttl=63 time=19.332 ms
64 bytes from 192.168.71.1: icmp_seq=5 ttl=63 time=26.800 ms
64 bytes from 192.168.71.1: icmp_seq=6 ttl=63 time=20.139 ms
64 bytes from 192.168.71.1: icmp_seq=7 ttl=63 time=19.498 ms
64 bytes from 192.168.71.1: icmp_seq=8 ttl=63 time=18.915 ms
64 bytes from 192.168.71.1: icmp_seq=9 ttl=63 time=19.200 ms
64 bytes from 192.168.71.1: icmp_seq=10 ttl=63 time=18.948 ms
64 bytes from 192.168.71.1: icmp_seq=11 ttl=63 time=19.524 ms
64 bytes from 192.168.71.1: icmp_seq=12 ttl=63 time=19.511 ms
64 bytes from 192.168.71.1: icmp_seq=13 ttl=63 time=20.417 ms
64 bytes from 192.168.71.1: icmp_seq=14 ttl=63 time=19.350 ms
64 bytes from 192.168.71.1: icmp_seq=15 ttl=63 time=18.690 ms
64 bytes from 192.168.71.1: icmp_seq=16 ttl=63 time=18.632 ms
64 bytes from 192.168.71.1: icmp_seq=17 ttl=63 time=18.912 ms
64 bytes from 192.168.71.1: icmp_seq=18 ttl=63 time=19.397 ms
64 bytes from 192.168.71.1: icmp_seq=19 ttl=63 time=19.257 ms
64 bytes from 192.168.71.1: icmp_seq=20 ttl=63 time=18.147 ms
64 bytes from 192.168.71.1: icmp_seq=21 ttl=63 time=18.601 ms
^C
--- 192.168.71.1 ping statistics ---
22 packets transmitted, 22 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 18.147/19.573/26.800/1.657 ms
Same, but LAN -> fiber -> VPN -> ADSL:
Pinging 192.168.24.1 with 32 bytes of data:
Reply from 192.168.24.1: bytes=32 time=19ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=18ms TTL=63
Reply from 192.168.24.1: bytes=32 time=18ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=18ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=18ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Reply from 192.168.24.1: bytes=32 time=17ms TTL=63
Ping statistics for 192.168.24.1:
Packets: Sent = 24, Received = 24, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 19ms, Average = 17ms
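As an added example (mine, not from the post), a small Python parser for both ping flavours above, BSD/macOS (“time=19.190 ms”) and Windows (“time=17ms”), that recomputes the summary the way BSD ping does, with the population standard deviation. The sample output is reconstructed from the numbers in the post plus one constructed “Request timed out.” line that the parser must skip; running it reproduces the 18.147/19.573/26.800/1.657 ms line, and shows that the Windows “Average = 17ms” is a whole-number rendering of a 17.25 ms mean.

```python
import re
import statistics

# Added example (not from the post): parse BSD/macOS and Windows ping output and
# recompute min/avg/max/stddev, e.g. to check a VPN link's latency over time.
# A reply line either carries "icmp_seq=N" (BSD) or "bytes=N" (Windows); Windows
# prints "time<1ms" for sub-millisecond replies, hence the [=<].
REPLY_RE = re.compile(r"(?:icmp_seq=\d+|bytes=\d+).*?\btime[=<](?P<time>\d+(?:\.\d+)?)\s*ms",
                      re.IGNORECASE)


def parse_ping(output):
    """Return the round-trip times (ms) of the replies in ping output, either flavour.
    Lines without a reply (headers, summary, 'Request timed out.') are skipped."""
    times = []
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            times.append(float(m.group("time")))
    return times


def ping_stats(times):
    """min/avg/max/stddev as BSD ping prints them: population stddev, three decimals."""
    if not times:
        raise ValueError("no replies")
    return {
        "n": len(times),
        "min": min(times),
        "max": max(times),
        "avg": round(statistics.fmean(times), 3),
        "stddev": round(statistics.pstdev(times), 3),
    }


def summary_line(times):
    """The 'round-trip min/avg/max/stddev = a/b/c/d ms' line BSD ping would print."""
    s = ping_stats(times)
    return "round-trip min/avg/max/stddev = %.3f/%.3f/%.3f/%.3f ms" % (
        s["min"], s["avg"], s["max"], s["stddev"])


# Sample output reconstructed from the replies in the post (macOS, WiFi -> ADSL -> VPN -> fiber)
MAC_TIMES = [19.190, 18.905, 19.261, 19.982, 19.332, 26.800, 20.139, 19.498, 18.915, 19.200,
             18.948, 19.524, 19.511, 20.417, 19.350, 18.690, 18.632, 18.912, 19.397, 19.257,
             18.147, 18.601]
MAC_OUTPUT = "PING 192.168.71.1 (192.168.71.1): 56 data bytes\n" + "".join(
    "64 bytes from 192.168.71.1: icmp_seq=%d ttl=63 time=%.3f ms\n" % (i, t)
    for i, t in enumerate(MAC_TIMES)
) + "--- 192.168.71.1 ping statistics ---\n22 packets transmitted, 22 packets received, 0.0% packet loss\n"

# Same for the Windows run (LAN -> fiber -> VPN -> ADSL), plus one constructed timeout line
WIN_TIMES = [19, 17, 17, 17, 18, 18, 17, 17, 18, 17, 17, 17,
             17, 17, 17, 17, 18, 17, 17, 17, 17, 17, 17, 17]
WIN_OUTPUT = "Pinging 192.168.24.1 with 32 bytes of data:\n" + "".join(
    "Reply from 192.168.24.1: bytes=32 time=%dms TTL=63\n" % t for t in WIN_TIMES
) + "Request timed out.\n"   # constructed: a lost packet, must not be counted as a reply

if __name__ == "__main__":
    print(summary_line(parse_ping(MAC_OUTPUT)))   # round-trip min/avg/max/stddev = 18.147/19.573/26.800/1.657 ms
    print(ping_stats(parse_ping(WIN_OUTPUT)))
```

Note that the single 26.8 ms outlier in the macOS run is what lifts the standard deviation to 1.657 ms; without it the link sits at roughly 19 ms with very little jitter, which is what you would expect from two Fritz!Boxes with a LAN-LAN VPN.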
–jeroen
Posted in ADSL, fiber, Fritz!, Fritz!Box, Internet, Network-and-equipment, Power User, routers, VPN
Posted by jpluimers on 2016/03/18
Nice summary for just saying “Use Tunnelblick”
This howto article explains how to obtain and setup a Mac openvpn client to connect to the OpenVPN Access Server.
Source: How to connect to Access Server from a Mac
–jeroen
Posted in Apple, Mac, Mac OS X / OS X / MacOS, Mac OS X 10.5 Leopard, Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, MacBook, MacBook Retina, MacBook-Air, MacBook-Pro, MacMini, OpenVPN, OS X 10.11 El Capitan, OS X 10.8 Mountain Lion, OS X 10.9 Mavericks, Power User
Posted by jpluimers on 2016/02/01
This is cool, as it allows running a VPN over HTTPS or even over ICMP or DNS. Impressive: 1. Ultimate Powerful VPN Connectivity – SoftEther VPN Project.
Equally impressive is the range of operating systems covered:
- Windows (98 until Server 2012 with x86 and x64 implementations).
- Linux Kernels 2.4, 2.6 and 3.x on Intel x86, x64, ARM, MIPS and PowerPC platforms.
- FreeBSD 5.x, 6.x, 7.x, 8.x and 9.x are supported on Intel x86 and x64 platforms.
- Solaris 8, 9, 10 and 11 on Intel x86, Intel x64, SPARC (both 32 bit and 64 bit) platforms.
- Mac OS X 10.4, 10.5, 10.6, 10.7 and 10.8 on Intel x86, Intel x64, PowerPC (32 bit) and PowerPC G5 (64 bit) platforms.
–jeroen
Posted in Network-and-equipment, Power User, VPN