Ubiquiti Unifi AP

The cheap Linksys that I was using as a wireless access point is dying, so I replaced it with a UniFi AP from Ubiquiti. Here are a couple of quick thoughts on it:

The Good

The install was as simple as downloading the Ubiquiti software and installing it on a VM on the same subnet as the access point.

I couldn’t be bothered to properly mount the AP, so it is definitely a plus that it works great from the floor. lol.

The GUI is pretty awesome, fast, and easy to use. I particularly liked how easy it was to upgrade the firmware on the AP.

Price. I paid about $67. That’s really good for the functionality that you are getting.

The Bad

The web GUI uses Flash. Why is anyone still using Flash?

Linux is not an officially supported platform. Not cool, Ubiquiti!!

It looks like there is a beta release for Linux, so I will have to check that out in the future.

The Ugly

Java problems. I couldn’t get the software to work with the latest version of Java, so I had to downgrade. I can’t remember the last time I used a Java program that worked out of the box without a bunch of messing around with different versions. sigh..

Overall I’m pretty happy, but I wish Ubiquiti would fully support Linux and move away from Java and Flash.

Fedora 21 is out!!

Fedora 21 is being released December 9th. I will be installing it on my HP Z400 workstation, and if there are no major hang ups it will get installed on my Intel NUC as well.

The big change with 21 is that there are now three separate versions of Fedora: Workstation, Server, and Cloud. I’ll mostly be working with Workstation, but I may dabble with Server, and I believe Cloud is meant for things like Docker, so that might see some use as well.

The big question for me over the next couple of days will be what GUI I will be standardizing on. I’ve run KDE pretty consistently on my Fedora 20 machines, but I am willing to give GNOME another chance.

edit: I’m liking GNOME so far :)

[image: gnome2]

Migrating to pfSense

I recently migrated from an SRX210H to pfSense for my internet edge device.

The main motivation for this was the SRX’s pretty awful Java+Flash GUI. The Juniper command line is fantastic, but I’m trying to remove Flash from my life; I just can’t deal with it any more.

pfSense has a really nice GUI and it is Unix based, so it was an easy choice.

[image: pfsense]

The pfSense install is pretty straightforward, but here are a couple of things that I tweaked for my setup (everything is pretty googleable):

  1. Keep an eye on your mbuf usage. mbufs are the kernel’s network memory buffers, and multi-port, multi-queue NICs eat a lot of them. If you are running a quad-port NIC you will probably have to raise the limit from the Unix command line like I did.
  2. Turn on the Intel temperature sensors from the GUI (System>Advanced>Misc).
  3. Set up TRIM. I’m not sure if this was 100% necessary. If you are going to do it, don’t wait until after you rack the server like I did.
  4. Set up manual outbound NAT with a static port for Asterisk. Once again, I’m not sure this was necessary, but the internet claims it is needed for Asterisk to work properly.
  5. Create aliases for commonly used IP ranges (Firewall>Aliases). I have one for the private IPv4 ranges so that I can easily create outbound rules (! private_IPV4).
  6. Once you have everything working, turn off logging for the default drop rules (Status>System Logs>Settings). Watching the logs for the default drop rule is useful for troubleshooting, but it can be pretty distracting once everything is set up.
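As an added example for item 1 (this is my script, not something from the original post), here is a small check that parses the "mbuf clusters" line FreeBSD's netstat -m prints on pfSense and compares the total in use against the kernel's limit. The netstat output below is constructed, and the 80% alert threshold is my own choice rather than a pfSense recommendation.

```shell
#!/bin/sh
# Added example: watch pfSense (FreeBSD) mbuf cluster usage.
# `netstat -m` prints a line like
#   21000/2500/23500/26584 mbuf clusters in use (current/cache/total/max)
# and we report total as a percentage of max.

# mbuf_cluster_pct NETSTAT_M_OUTPUT -> prints percent of the cluster limit in use,
# exit 1 if the expected line is missing
mbuf_cluster_pct() {
    printf '%s\n' "$1" | awk '/mbuf clusters in use/ {
        split($1, f, "/")                       # current/cache/total/max
        if (f[4] > 0) { printf "%d\n", f[3] * 100 / f[4]; found = 1 }
        exit
    }
    END { if (!found) exit 1 }'
}

# mbuf_verdict PCT -> "ok" below the threshold, otherwise the fix to apply
mbuf_verdict() {
    if [ "$1" -ge "${MBUF_WARN_PCT:-80}" ]; then
        echo "raise kern.ipc.nmbclusters"
    else
        echo "ok"
    fi
}

# constructed sample of `netstat -m` on a box that is close to its limit
SAMPLE='1026/1224/2250 mbufs in use (current/cache/total)
21000/2500/23500/26584 mbuf clusters in use (current/cache/total/max)
1024/512 mbuf+clusters out of packet secondary zone in use (current/cache)'

# on a live pfSense box replace "$SAMPLE" with "$(netstat -m)"
pct=$(mbuf_cluster_pct "$SAMPLE")
echo "mbuf clusters: ${pct}% of limit, $(mbuf_verdict "$pct")"
```

If it fires, the tunable to raise is kern.ipc.nmbclusters, which pfSense reads from /boot/loader.conf.local on boot; that is the setting the pfSense documentation points at for multi-port Intel NICs.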

The SSD Question

There seems to be some question on the Internet as to whether pfSense eats SSDs or not. The concern is that things like the state table and all of the system logs cause SSDs to wear out really fast.

I’m using a 30GB Crucial M4 SSD in mine. I’ve been using SSDs in all of my systems for some time now without any issue, so I’m willing to take the chance.

I’ll update this post if it dies :)

Nortel / Avaya Switch Config Basics

Avaya CLI shares some Cisco commands, but some of the commands are pretty unique (and confusing). Here are a couple of simple configs to get you started.

//restore factory defaults

#restore factory-defaults

//setup a switch IP and default gateway

(config)# ip default-gateway 10.10.10.1

(config)#ip address switch 10.10.10.50 netmask 255.255.255.0

//setup a console password

(config)# cli password serial local

(config)# username Reginald PASSWORD rw  //stored in clear text in the config, so anyone who can read a config backup has the credentials :(

//vlan config

(config)# vlan create 55 type port

(config)# vlan name 55 "party LAN"

(config)# vlan add 55 1-24  //here I add ports 1-24 to the vlan

(config)# vlan port 1-24 pvid 55  //in Avaya-land you have to manually set the PVID

//remember to save!

#wr mem

OpenMarmot: OSPF on CentOS 7

I spent the afternoon building an OSPF router on CentOS 7. I found a tutorial, but it was pretty broken, so I will post my version.

If you are familiar with OSPF on a Cisco router then the syntax should be very familiar. Most of the same commands are used, and you can tab complete, search, and abbreviate just like on a Cisco or Avaya.

The following config was able to neighbor and talk routes with my Juniper gear.

—————————————————————
notes

starting with a CentOS 7 "infrastructure server" install
logged in as root.

SELinux is on

—————————————————————
—————————————————————
install

//install Quagga
#yum install quagga

//allow zebra to write its config files under SELinux (no need to turn SELinux off)
#setsebool -P zebra_write_config 1

//give the config directory to the quagga user that the daemons run as.
//(chmod -R 777 also "works", but world-writable config lets any local user rewrite your routing)
# chown -R quagga:quagga /etc/quagga
# chmod 750 /etc/quagga
# chmod 640 /etc/quagga/*.conf

//disable firewalld (or leave it on and allow IP protocol 89, OSPF, through it instead)
# systemctl disable firewalld
# systemctl stop firewalld

————————————————————–
————————————————————–
configuration

//the configuration file is located here:
// /etc/quagga/zebra.conf

//start zebra
#systemctl start zebra.service
#systemctl enable zebra.service

//launch command shell
#vtysh

//enter global config
#config t

//set the log file location
(config)# log file /var/log/quagga/quagga.logged

//exit global config
(config)# exit

//save config
#copy run start

//show interface information
#sh int

//configure an interface
#config t
(config)# int enp4s0
(config-if)# ip address 10.6.50.5/24
(config-if)# description "to ospf RAN"
(config-if)# no shutdown

// save config, and then exit vtysh (type “exit” a bunch of times)

—————————————————————-
—————————————————————-
enable ip forwarding using the linux kernel

//enable IP forwarding
# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# sysctl -p /etc/sysctl.conf

—————————————————————-
—————————————————————-
configure ospf

//create config file
#echo "log stdout" >> /etc/quagga/ospfd.conf

//start and enable on startup
#systemctl start ospfd.service
#systemctl enable ospfd.service

//launch vtysh shell and enter global config
# vtysh
# config t

//enter ospf router config
(config)# router ospf

//add the networks for ospf
(config-router)# network 10.6.50.0/24 area 0

//set the ospf router id
(config-router)# router-id 10.6.51.4

————————————————————–
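The whole procedure above as one script, added here as an example and not part of the original post. Instead of typing the vtysh session it renders zebra.conf and ospfd.conf as files, gives the config directory to the quagga user rather than chmod 777, allows OSPF (IP protocol 89) through firewalld instead of disabling it, and adds OSPF MD5 authentication so a rogue host on the segment cannot inject routes. The interface name, addresses, router-id and key are placeholders; the key must match whatever is configured on the Juniper side.

```shell
#!/bin/sh
# Added example: CentOS 7 / Quagga OSPF setup as a script.
# Usage: sh quagga-ospf.sh          (only defines functions)
#        sh quagga-ospf.sh apply    (as root: installs and configures Quagga)
set -u

# is_cidr STRING -> 0 if STRING is A.B.C.D/N with N in 0..32
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# render_zebra_conf IFACE CIDR DESCRIPTION -> zebra.conf text on stdout
render_zebra_conf() {
    is_cidr "$2" || { echo "bad address: $2" >&2; return 1; }
    cat <<EOF
hostname ospf-router
log file /var/log/quagga/zebra.log
!
interface $1
 description $3
 ip address $2
!
EOF
}

# render_ospfd_conf ROUTER_ID NETWORK AREA IFACE KEY_ID KEY -> ospfd.conf text on stdout
# every interface is passive except the one facing the OSPF neighbours, and the
# area requires MD5 authentication on every adjacency
render_ospfd_conf() {
    is_cidr "$2" || { echo "bad network: $2" >&2; return 1; }
    cat <<EOF
hostname ospf-router
log file /var/log/quagga/ospfd.log
!
interface $4
 ip ospf message-digest-key $5 md5 $6
!
router ospf
 ospf router-id $1
 network $2 area $3
 area $3 authentication message-digest
 passive-interface default
 no passive-interface $4
!
EOF
}

# install_conf NAME TEXT: writes /etc/quagga/NAME readable by the quagga user only
install_conf() {
    umask 027
    printf '%s\n' "$2" > "/etc/quagga/$1"
    chown quagga:quagga "/etc/quagga/$1"
    chmod 640 "/etc/quagga/$1"
}

if [ "${1:-}" = apply ]; then
    yum -y install quagga
    setsebool -P zebra_write_config 1                     # SELinux stays on
    chown -R quagga:quagga /etc/quagga && chmod 750 /etc/quagga
    install_conf zebra.conf "$(render_zebra_conf enp4s0 10.6.50.5/24 'to ospf RAN')"
    install_conf ospfd.conf "$(render_ospfd_conf 10.6.51.4 10.6.50.0/24 0 enp4s0 1 CHANGE-ME)"
    # let OSPF through firewalld instead of turning the firewall off
    firewall-cmd --permanent --add-rich-rule='rule protocol value="ospf" accept'
    firewall-cmd --reload
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-ospf.conf
    sysctl --system
    systemctl enable zebra ospfd
    systemctl restart zebra ospfd
fi
```

Once both daemons are up, vtysh still works exactly as above for inspection (sh ip ospf neighbor, sh ip route ospf); the rendered files are just the saved form of the same commands.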

 

Dnsmasq on CentOS 7

Dnsmasq is a great lightweight server that can provide DHCP, DNS, and TFTP services for a small network.

http://www.thekelleys.org.uk/dnsmasq/doc.html

I didn’t see any CentOS 7 specific guides on the internet when I made this, so here is mine.

Dnsmasq answers from /etc/hosts, and from any extra file you point it at with addn-hosts (set at the end of the config below), before forwarding a query to the upstream resolvers listed in /etc/resolv.conf. The extra file uses the same syntax as /etc/hosts.

—————————————-
notes

DNSMASQ setup for CentOS 7

———————————————–

———————————————–
install

//install dnsmasq
#yum install dnsmasq

//turn on the server and make sure it starts on boot
#systemctl start dnsmasq
#systemctl enable dnsmasq

//firewalld configuration. This opens DNS in the public zone to anyone who can reach the box;
//if it also has an internet-facing interface, bind dnsmasq to the LAN side so it is not an open resolver.
# firewall-cmd --zone=public --add-port=53/tcp
# firewall-cmd --zone=public --add-port=53/udp

# firewall-cmd --permanent --zone=public --add-port=53/tcp
# firewall-cmd --permanent --zone=public --add-port=53/udp

——————————————————–
configuration

//the config file is located at /etc/dnsmasq.conf
//uncomment this line to turn off lookups from the hosts file
no-hosts
//uncomment and modify this line to add a new file for lookups (same syntax as /etc/hosts)
addn-hosts=/etc/hosts.dnsmasq
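As an added example (my script, not from the original post), here is how I would build the addn-hosts file and the matching config. It validates each hosts-file line before writing it, and renders a dnsmasq.conf that only answers on the LAN interface, so the box does not become an open resolver if it also has an Internet-facing leg. The interface name, domain and the host entries are placeholders; the sample list is constructed and deliberately contains two bad lines.

```shell
#!/bin/sh
# Added example: validated addn-hosts file plus a LAN-only dnsmasq.conf.
# Usage: sh dnsmasq-lan.sh          (prints what would be written)
#        sh dnsmasq-lan.sh apply    (as root: writes the files and restarts dnsmasq)
set -u

# is_ipv4 STRING -> 0 if STRING is a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# hosts_line_ok "IP NAME [ALIAS...]" -> 0 if the line is a valid hosts(5) entry
hosts_line_ok() {
    set -- $1
    [ $# -ge 2 ] || return 1
    is_ipv4 "$1" || return 1
    shift
    for name in "$@"; do
        printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' || return 1
    done
}

# build_hosts_file: reads candidate entries on stdin, prints the valid ones,
# reports rejects on stderr and returns 1 if anything was rejected
build_hosts_file() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if hosts_line_ok "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected: %s\n' "$line" >&2
            rc=1
        fi
    done
    return $rc
}

# render_dnsmasq_conf LAN_IFACE DOMAIN -> config text on stdout
render_dnsmasq_conf() {
    cat <<EOF
# answer only on the LAN side; bind-interfaces stops dnsmasq taking 0.0.0.0:53
interface=$1
bind-interfaces
domain-needed
bogus-priv
no-hosts
addn-hosts=/etc/hosts.dnsmasq
domain=$2
expand-hosts
EOF
}

# constructed sample input: two good entries, a comment, and two bad lines
SAMPLE_HOSTS='10.6.50.5 ospf-router
10.6.50.10 nas storage
# lab boxes
10.6.50.999 broken
nothing-here'

case "${1:-show}" in
    show)
        printf '%s\n' "$SAMPLE_HOSTS" | build_hosts_file || echo "some sample lines were rejected" >&2
        render_dnsmasq_conf enp1s0 lab.example
        ;;
    apply)
        printf '%s\n' "$SAMPLE_HOSTS" | build_hosts_file > /etc/hosts.dnsmasq
        render_dnsmasq_conf enp1s0 lab.example > /etc/dnsmasq.d/lab.conf
        dnsmasq --test && systemctl restart dnsmasq
        ;;
esac
```

dnsmasq --test parses the final configuration before the restart, so a typo in the generated file fails loudly instead of leaving the LAN without DNS.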

OpenMarmot Bash Script

Here’s a bash script that I am using on my Linux-based “OpenMarmot” switch.

I’m releasing it under APL (Andrew’s Public License) which states: “Use the code however you want. If you work at a cool company in Arizona, you should totally hire me.”  :)

#!/bin/bash

# OpenMarmot Network startup script
# version 1.0
# last edited 09/04/2014
#
# eth2 is the 802.1Q trunk. Each VLAN gets its own bridge, and the untagged
# ports eth1, eth3, eth4 and eth5 are access ports in VLAN 11.
# (vconfig and brctl are deprecated on newer distros in favour of "ip link".)

echo "loading OpenMarmot"

# make sure the 802.1Q VLAN kernel module is loaded
modprobe 8021q

# logical interfaces: tagged sub-interfaces on the eth2 trunk
echo "building logical interfaces"
vconfig add eth2 11
vconfig add eth2 63
vconfig add eth2 65

# create one bridge per VLAN
echo "building bridges"
brctl addbr br-vlan11
brctl addbr br-vlan63
brctl addbr br-vlan65

# bring the bridges up
ip link set br-vlan11 up
ip link set br-vlan63 up
ip link set br-vlan65 up

# add interfaces to the bridges: the tagged sub-interface plus the access ports
brctl addif br-vlan11 eth2.11
brctl addif br-vlan11 eth1
brctl addif br-vlan11 eth3
brctl addif br-vlan11 eth4
brctl addif br-vlan11 eth5

brctl addif br-vlan63 eth2.63
brctl addif br-vlan65 eth2.65

# enable STP so a cabling loop between the access ports does not take the network down
brctl stp br-vlan11 on
brctl stp br-vlan63 on
brctl stp br-vlan65 on

# bring physical interfaces up
ip link set eth1 up
ip link set eth2 up
ip link set eth3 up
ip link set eth4 up
ip link set eth5 up

# bring the logical interfaces up
ip link set eth2.11 up
ip link set eth2.63 up
ip link set eth2.65 up

echo "setup complete"
echo "welcome to OpenMarmot"
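The same layout built with iproute2 only, added here as an example; it is not the OpenMarmot script itself. vconfig and brctl are no longer shipped by most distributions, so this is what the script above looks like with ip link doing all of the work. It defaults to a dry run that prints the commands, which is worth reviewing before it touches a live switch; the trunk and port names are taken from the script above.

```shell
#!/bin/sh
# Added example: OpenMarmot trunk/VLAN/bridge layout with iproute2.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them as root.
set -eu

TRUNK=eth2
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print or execute depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_bridge VLAN_ID [ACCESS_PORT...]
# creates the tagged sub-interface $TRUNK.$VLAN_ID, a bridge br-vlan$VLAN_ID with
# STP enabled, and enslaves the sub-interface plus any untagged access ports
vlan_bridge() {
    vid="$1"; shift
    sub="$TRUNK.$vid"
    br="br-vlan$vid"
    run ip link add link "$TRUNK" name "$sub" type vlan id "$vid"
    run ip link add "$br" type bridge stp_state 1
    run ip link set "$sub" master "$br"
    for port in "$@"; do
        run ip link set "$port" master "$br"
        run ip link set "$port" up
    done
    run ip link set "$sub" up
    run ip link set "$br" up
}

# openmarmot_plan: the whole layout from the script above
openmarmot_plan() {
    run modprobe 8021q
    run ip link set "$TRUNK" up
    vlan_bridge 11 eth1 eth3 eth4 eth5
    vlan_bridge 63
    vlan_bridge 65
}

openmarmot_plan
```

Bridge options such as stp_state on ip link add need a reasonably recent iproute2; on an older box, create the bridge first and then set stp_state with ip link set.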

Juniper SRX OSPF Setup

My little Juniper SRX 210H is taking on more and more roles. Over the weekend I worked on building an OSPF network so that all of the routers on my test rack could connect to the internet.

The route export for the default route ended up being pretty simple:

[image: ospf]

One thing that tripped me up for a while is that there is no implicit rule for intra-zone communication. It turns out that if you are trying to pass traffic between two interfaces that are in the same zone, you still need a policy that basically allows all communication from "zone_A" to "zone_A". I’m kind of surprised that I haven’t run into this before.

Other than the intra-zone traffic issue, everything else went pretty smoothly. I have a Cisco 1812, an SRX, and a Fortigate chatting away happily.

updates

I haven’t posted on here in a bit because I haven’t really made any real progress on anything. I’ve been working a lot, and I’ve been concentrating on learning C in my free time. Learning C has been distracting me from studying for the CompTIA Linux+, so I will try and get back to studying this weekend if work doesn’t intervene.

I rebuilt my laptop recently and I did not install Flash. I’m going to see if I can go without it, and if so I will remove it from my desktop as well. So far I think the biggest challenge is going to be music. All of the online music streaming that I use (Pandora, Amazon, ..) seems to be Flash based. Most of the newer YouTube videos use HTML5 (?) so that works at least. Flash for Linux is several versions behind other platforms (not a big priority for Adobe I guess) and I consider it to be a big security risk.

Proxmox 3.3 has been released. I’m pretty excited about this, mostly because they went to an HTML5 console. The old one is Java based, and can be kind of a pain to use. I’ll probably get a test server up and running in the next week or so.

There’s been some noise lately about some Linux vulnerabilities that have been discovered (OpenSSL, bash, ..). I wish people would treat their Linux gear like their Windows gear: it needs to be patched on a regular basis, and enterprise hardware should be replaced after a reasonable service life. Linux systems aren’t invulnerable; they need to be maintained like anything else.

Studying For Certifications

I’ve started studying for the CompTIA Linux+, and unfortunately I’m not making much progress. I’m kind of stuck on figuring out how I am going to study for it.

My old process that I used for the CCNA was to buy a study guide on Amazon and read through it and take paper notes. This ended up being a big waste of time. Paper notes are really hard to study from. I took paper notes on the entire CCNA book but I didn’t use them once for studying. Instead I created documents for each chapter on my computer. This worked pretty well, but I ended up spending a lot of time struggling with the formatting in Calligra and LibreOffice (MS Office is one of the few things I miss from my Windows days).

[image: calligra_font. Calligra changes the font style seemingly at random]

The JNCIA was my first attempt to study based off of the published exam objectives. I broke the objectives into two massive documents, and slowly went through them filling out the information for each objective. This worked pretty well because Juniper had published two PDF study guides that followed the objectives pretty much in order. I was still struggling massively with Calligra. Unfortunately LibreOffice had a major bug where it wouldn’t open files from a network share so it was unusable as well.

Now I am working on the CompTIA Linux+ and unfortunately the study guide I have does not follow the exam objectives at all. I don’t want to spend a ton of time reading the book, only to end up with a bunch of useless notes. Instead I am going to make text files with the objectives, and then hunt through the book to fill in the details. That is going to be kind of a slow process, but it seems to be the best way to do it.

If I get another Juniper cert it is going to get even worse. As far as I can tell there aren’t any study guides for the Juniper exams past the JNCIA. I have no idea how people study for them, other than just relying on work experience and crossing their fingers..

© 2014 Marmotsoft
