Re-post from LYN forum. Credit to ansonlos.

After much try and error and research, I’ve managed to get pfSense to work with UniFi’s IPv6 allocation. For a bit of a background, I’m running the latest release of pfSense i.e. 2.2.1 and also I got this to work with my office’s UniFi which is on Biz 10.

I’d just like to share my settings here to benefit those who might want to get IPv6 to work for their pfSense box.

1. Under “System -> Advanced -> Networking”, make sure “Allow IPv6” is checked. Then go to “Interfaces”, click on “WAN”. Under IPv6 Configuration Type, choose “DHCP6”. MTU should be 1492.

2. Under DHCP6 client configuration section, put a tick mark on “Request a IPv6 prefix/information through the IPv4 connectivity link”. In the drop down list for DHCPv6 Prefix Delegation size, choose “56”. (I have no idea why this is the case, but the allocated subnet for both the PPPoE and LAN are actually 64. I’ve tried choosing 64 here, but it doesn’t work. Maybe 56 is for a Biz account. If 56 doesn’t work for you, try choosing 64 especially if you’re on home UniFi account.)

Also, put a tick mark for “Send an IPv6 prefix hint to indicate the desired prefix size for delegation”. Click on “Save”.
Interface_WAN

3. Now, go to “Interfaces”, click on “LAN”. Under IPv6 Configuration Type, choose “Track Interface”. Type 1492 for MTU.

4. Under Track IPv6 Interface section, ensure IPv6 Interface “WAN” is selected and as for IPv6 Prefix ID, just type 0 (zero) here.

5. Under Private networks section, ensure “Block Bogons networks” is unchecked. Then, click “Save”.

Interface_LAN

6. Finally, I’ve read that IPv6 requires ICMP to work. So under Firewall -> Rules, I’ve also created a rule to allow ICMP IPv6 traffic for both WAN and LAN.

I’m not entirely certain what the security implications are with the above settings to the firewall, so please be forewarned.

With the above settings, I’m able to get IPv6 addresses for PPPoE and LAN interfaces for pfSense and also devices connected to the LAN. Hope this helps those who are using pfSense.

Option 1 – Quick and Dirty

You can quickly turn on logging by typing in the following into the server shell:

[code]rndc querylog[/code]

Then you can follow the information in the standard syslog.

[code]tail -f /var/log/syslog[/code]

You should see output like the following letting you know that queries are now logged:

[code]Sep 14 22:23:20 ns01.companya.local named[7896]: query logging is now on[code]

<h3>Option 2 – Full and Stored Logs</h3>
If you want to store full logs that you can go back to at a later date you’ll need to make some changes to the BIND configuration.

Logon to your shell as usual, and type the following:
[code]nano /etc/bind/named.conf[/code]

Put in the following code at the bottom:

[code]logging {
channel query.log {
file “/var/log/query.log”;
severity debug 3;
};
category queries { query.log; };
};[/code]

Now we need to create the log:

[code]touch /var/log/query.log[/code]

Make it writable by the BIND process:

[code]chown named.named /var/log/query.log[/code]

Give BIND a reboot:

[code]service bind9 restart[/code]

And now you should be able to follow the queries as any other log:

[code]tail -f /var/log/query.log[/code]

References:
http://www.gypthecat.com/how-to-log-bind-queries-on-ubuntu-12-10
http://linuxmantra.com/2011/04/logging-bind-queries.html

0805_transmission_587

Connect to xbian using ssh

Default username xbian password raspberry

Perform package update and upgrade

[email protected]:/home/xbian#apt-get update
[email protected]:/home/xbian#apt-get upgrade –y

Install xbian optimized transmission binary

[email protected]:/home/xbian#apt-get install -y -o Dpkg::Options::=”–force-confdef” -o Dpkg::Options::=”–force-confold” xbian-package-transmission

Notes:

1. Default download location is at /home/xbian
2. Access webui via http://xbianip:9091
3. Default webui login admin password raspberry

It seems that Ubuntu/Debian (or perhaps other distros as well) prefer IPv6 DNS records instead of IPv4 when applicable and some times this results in loss of connectivity or similar problems.
I ran into this issue today while trying to update an old VPS with apt-get/aptitude. Specifically, security.ubuntu.com was being resolved in an unreachable IPv6 address and I had to wait some minutes for timeout every time.
Fortunately, there is an easy fix for this; you just have to edit the file located at: /etc/gai.conf which is the configuration for getaddrinfo(). There you have to uncomment line ~54 which reads: “precedence ::ffff:0:0/96 100″, and you are all set! (assuming that every other option is commented out by default as in my case).

gai

Reference: http://bruteforce.gr/make-apt-get-use-ipv4-instead-ipv6.html

Network Topology

Problem:
From Dashboard-Network Topology-click on any nodes and getting this error “It appears as though you do not have permission to view information for any of the services you requested…
If you believe this is an error, check the HTTP server authentication requirements for accessing this CGI
and check the authorization options in your CGI configuration file.”
Solution:
Edit /omd/sites/xxx/etc/nagios/cgi.cfg, look for below variable and change to * (all authenticated users)
authorized_for_system_information=*
authorized_for_configuration_information=*
authorized_for_system_commands=*
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_all_host_commands=*

Then restart apache

Reference:
http://serverfault.com/questions/502862/nagios-new-user-doesnt-get-enabled-permissions
http://lists.mathias-kettner.de/pipermail/checkmk-en/2014-September/013249.html

Posted in NMS.

SanDisk Mobile Ultra Micro SDHC
Screen Shot 2014-12-14 at 11.36.02 PM

SanDisk Ultra Micro SDHC
Screen Shot 2014-12-14 at 11.36.25 PM

There’s no differences in term of performance or physical appearance. I found this solid answer:

I rang Technical Support at SanDisk to ask what’s the difference between “Mobile Ultra” and “Ultra”

“Mobile Ultra” and “Ultra” are the same card, the name difference was just for marketing purposes, to show people the card could be used in mobiles. However the plan backfired and people thought they couldn’t use “Mobile Ultra” in their camera, so the name was dropped.

To decipher the codes such as SDSDQUA-032G-U46A:
SDSD=sd card
Q =class 4 (black) available in 2,4,8,16,32GB
QY =class 6 “Ultra” (red & grey) available in 4GB (8,16,32gb discontinued but still on sale)
QUA=class 10 “Ultra” 8,16,32=SDHC 64=SDXC* (UHS-I = UHS class 1 = 10mb/s #)
QUI=class 10 “Ultra” apparently “designed for cameras” and NOT the same card (black packaging)
-032G=32GB
-U46=EU [email protected]
-A11=US [email protected]
-FFP=Amazon frustration free [email protected]
A=picture of android on package

NOTES
* Compatible devices only
# If used in a non UHS-I compliant phone, it will revert to class 10
@ If it doesn’t have a code at the end, it’s not covered by SanDisk warranty

Source:
http://forums.sandisk.com/t5/Mobile-memory-professional-cards/No-difference-between-Mobile-Ultra-and-Ultra/m-p/289540/highlight/true#M1911

What is SSL Cipher Suite?
A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol

Below bash script gets a list of supported cipher suites from OpenSSL and tries to connect using each one. If the handshake is successful, it prints YES. If the handshake isn’t successful, it prints NO, followed by the OpenSSL error text.
[code language=”bash”]
#!/usr/bin/env bash

# OpenSSL requires the port number.
SERVER=192.168.1.11:443
DELAY=1
ciphers=$(openssl ciphers ‘ALL:eNULL’ | sed -e ‘s/:/ /g’)

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
do
echo -n Testing $cipher…
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher :" ]] ; then
echo YES
else
if [[ "$result" =~ ":error:" ]] ; then
error=$(echo -n $result | cut -d’:’ -f6)
echo NO \($error\)
else
echo UNKNOWN RESPONSE
echo $result
fi
fi
sleep $DELAY
done
[/code]

Here’s sample output showing 3 unsupported ciphers, and 1 supported cipher:


[@linux ~]$ ./test_ciphers
Obtaining cipher list from OpenSSL 0.9.8k 25 Mar 2009.
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-SHA...YES

Reference:
http://en.wikipedia.org/wiki/Cipher_suite
http://superuser.com/questions/109213/is-there-a-tool-that-can-test-what-ssl-tls-cipher-suites-a-particular-website-of
https://www.ssllabs.com/ssltest/index.html

Posted in OS.

Scenario:

Using Microsoft Windows built in VPN Client to connect to remote PPTP VPN server through Cisco ASA firewall.

Symptom:

Error 619

Solution:

In ASA Firewall, enter below command.
ASA-active#conf t
ASA-active(config)#policy-map global_policy
ASA-active(config-pmap)# class inspection_default
ASA-active(config-pmap-c)#inspect pptp
ASA-active(config-pmap-c)#exit
ASA-active(config)#access-list $Inbound_Interface_ACL permit gre $source_ip/network any
ASA-active(config)#access-list $Inbound_Interface_ACL permit permit tcp $source_ip/network any eq pptp

Common Troubleshooting in Windows VPN Client

1. Open VPN Properties window, go to Security tab.
2. Change “Type of VPN” to PPTP

Problem

Received error “Could not bind UDP syslog input to address /0.0.0.0:514, Failed to bind to: /0.0.0.0:514, Address already in use” when adding log input using UDP 514 (default syslog port).

Explanation

In UNIX/LINUX, assigned port 1024 and below require root privilege. Either you run graylog2 as root (not recommended) or follow below workaround.

Solution

1. Create new Syslog UDP inputs and listen to any port (ex: 5514).
2. Manipulate traffic using iptable:
iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 514 -j REDIRECT --to-ports 5514

Scenario

I have 4 dhcp server (in 2 failover cluster) running in Windows Server 2012 R2 with Mac filter enabled.

Problem

Failover cluster will not synchronize Mac filter database, for adding new record we have to do it manually in all dhcp server.

Solution

PowerShell script to add Mac filter to multiple server
[code language=”powershell”]$mac = Read-Host ‘ENTER MAC ADDRESS’
$des = Read-Host ‘ENTER DESCRIPTION’
Add-DhcpServerv4Filter -List Allow -MacAddress $mac -Description $des -ComputerName dhcp01.domain.local -Verbose
Add-DhcpServerv4Filter -List Allow -MacAddress $mac -Description $des -ComputerName dhcp02.domain.local -Verbose
Add-DhcpServerv4Filter -List Allow -MacAddress $mac -Description $des -ComputerName dhcp03.domain.local -Verbose
Add-DhcpServerv4Filter -List Allow -MacAddress $mac -Description $des -ComputerName dhcp04.domain.local -Verbose
[/code]