Ubiquiti Edgerouter Site-to-Site VPN with BGP Notes

Following Ubiquiti’s documentation is tricky, as it currently refers to EdgeOS 1.7, while EdgeOS 1.8 ships a newer version of strongSwan that deprecates the show vpn ike sa command.

I discovered this via a Ubiquiti forums thread. As mentioned there, and worth repeating: in EdgeOS 1.8 the command show vpn ipsec sa now includes the information the deprecated show vpn ike sa used to provide.

Linux Packet Capture

Capture 1000 packets on interface eth0 and save them to packets.pcap
~$ tcpdump -i eth0 -c 1000 -w packets.pcap

View a packet capture from the CLI
~$ tcpdump -r packets.pcap

Capture just TCP packets on interface eth0
tcpdump -i eth0 tcp

Capture packets to and from port 22
tcpdump port 22

Capture packets from a specific source IP address
tcpdump src 172.31.3.1

Capture packets destined for a specific IP address
tcpdump dst 172.31.5.1
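As an added example (not from the original notes), a small Python reader for the packets.pcap file written by the tcpdump -w command above, applying the same src, dst and port filters in code rather than as BPF; the embedded capture is constructed inline and is not a real capture.

```python
import struct

# Constructed sample (not a real capture): a classic pcap global header followed by
# three Ethernet/IPv4/TCP frames, standing in for packets.pcap from "tcpdump -w".
def _frame(src_ip, dst_ip, sport, dport):
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")      # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)  # SYN, no options
    src, dst = (bytes(map(int, a.split("."))) for a in (src_ip, dst_ip))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1400000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _frame("172.31.3.1", "172.31.5.1", 51000, 22),
    _frame("172.31.5.1", "172.31.3.1", 22, 51000),
    _frame("172.31.3.1", "10.0.0.9", 51001, 443),
])

def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport) for each IPv4 packet in a little-endian Ethernet pcap."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                      # not IPv4 over Ethernet, skip
        ihl = (pkt[14] & 0x0F) * 4        # IPv4 header length in bytes
        proto = pkt[23]
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        sport = dport = None
        l4 = pkt[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:   # TCP or UDP ports sit in the first 4 bytes
            sport, dport = struct.unpack("!HH", l4[:4])
        yield src, dst, proto, sport, dport

def filter_packets(data, src=None, dst=None, port=None):
    """Apply the tcpdump-style 'src', 'dst' and 'port' filters from the notes above."""
    return [p for p in parse_pcap(data) if (src is None or p[0] == src)
            and (dst is None or p[1] == dst) and (port is None or port in (p[3], p[4]))]
```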

Ubiquiti Edgerouter PPPoE

So a few days ago I moved a DSL line over to eth0 on the EdgeRouter Pro to serve as the WAN link. Previously a cable modem from Charter provided Ethernet connectivity on eth0.

Before addressing what needs to be configured on the router, I wanted to briefly summarize what typically happens when you’d like to use your own router and firewall instead of the one built into your modem.

Put the modem into bridge mode. This configures a DHCP server on the modem that will hand out addresses to any interface connected. Over Ethernet, a PPPoE client is then used to obtain an IP from your ISP. In this example eth0 was/is the Ethernet WAN interface and pppoe0 is configured with our username and password to dial in to the DSL ISP.

Changes required on the EdgeRouter Pro.

First, the EdgeRouter Pro uses a zone-based firewall, and it occurred to me that while the wan zone had interface eth0 assigned to it, the pppoe0 interface also needed to be assigned to my wan zone policy.

#set zone-policy zone wan interface pppoe0
#commit

Second, NAT was still being performed on interface eth0, when the masquerade rule should reflect the fact that pppoe0 is now my gateway interface.

#set service nat rule 5010 description "Masquerade to WAN via pppoe0"
#set service nat rule 5010 log enable
#set service nat rule 5010 outbound-interface pppoe0
#set service nat rule 5010 type masquerade
The specified configuration node already exists
[edit]
#commit

Big thanks to the Ubiquiti forums member mrjester and Ubiquiti employee UBNT-Stig for their valuable contributions.

Resources:

ERL pppoe client connection established but no network access

Basic SOHO Home Config

Procurve disable LLDP per port

View the LLDP config of your switch.

lldp admin-status

The following command disables Link Layer Discovery Protocol (LLDP) on a specific port or port list.

Example:
lldp admin-status 4 disable

With LLDP enabled the switch periodically advertises information about itself, including its hostname and management address. You would likely want to disable it on any port whose neighbour does not need to hear this, such as the port facing your WAN interface.

Thanks to Packet Pushers

Palo Alto SSL Forward Proxy Connection Reset

While setting up a Palo Alto firewall I ran into a roadblock when attempting to configure SSL Decryption on outbound requests from clients.

Before attempting SSL decryption, clients sitting behind the Palo Alto were able to reach HTTP and HTTPS websites after I configured a Security Policy on the firewall that permitted the application categories web-browsing and ssl.

Following the documentation and watching this video helped me learn how to configure SSL Decryption using a Forward Proxy. Unfortunately, I made a mistake: my first Security Policy was named “Permit HTTP and HTTPS” and was configured to permit only web-browsing and ssl application category traffic.

When I ran show session all I discovered that traffic associated with a client machine was getting dropped because it matched the Interzone Security Policy (new as of PAN-OS 6.1) that is configured by default to drop traffic.

So, make sure Security Policy #1 (named Untrusted to Trusted) specifies the source and destination zones; the User field may be user or known-user. Do not specify any application categories.


Windows Server Backup Email

I wanted to receive an email every day giving notice that my scheduled Windows Server Backup routines finished with success or failure. The wbadmin utility lacked the features to do this quickly and painlessly; it can only send email through SMTP servers that do not require authentication.

I was hoping to use wbadmin to send an email after the utility finishes, but no luck, as there was no way to configure this when creating the backup schedule.

As a result I decided to create a couple of scheduled tasks that react to event IDs written to the Windows-Server-Backup Operational log. To learn more about this part, see this article I relied on. In summary, I created two scheduled tasks, one for success and one for failure, each of which calls the script that sends the email.

I then built a prototype in PowerShell that handles authentication with the SMTP server, in our case Google Apps for Education. Included below is my script, cobbled together from the work of Chris Mugglie contributed on Stack Overflow.

$EmailFrom = "backupsadmin@corp.net"
$EmailTo = "biokode@corp.net"
$Subject = "Server 2 Backup Failed"
$Body = "Server 2 Backup Failed"
$SMTPServer = "smtp.gmail.com"
# Submission port 587 with STARTTLS; EnableSsl must be set before Send
$SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
$SMTPClient.EnableSsl = $true
# Authenticate as the dedicated monitoring mailbox
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential("backupmonitor@corp.net", "idreamofbacon")
$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)

OK, so I can only format all the text from the code above as one block, not good!

The PowerShell script needs to be launched this way from the scheduled task: powershell.exe -file "C:\scripts\sendemail.ps1"


Perc 6i Foreign Configuration

My sysadmin arrived to find the box in a BSOD or locked-up state. Upon reboot we got the foreign configuration error: the box, an aged Dell PowerEdge 2950 with a Dell PERC 6i RAID controller, was reporting a foreign configuration present on the adapter.

Now, we know this was a RAID 0 array using 3 disks. I know, I know, this is a horrible configuration that was inherited and should never be used if the data is important.

I knew the three disks present were the original 3 disks in the array. Using the RAID configuration console, accessible at boot with Ctrl-R, I was able to inspect the configuration on the disks and on the controller.

The adapter reported a 2-disk configuration while the foreign configuration reported 3 disks.

We chose to import the foreign configuration present on disk two of the disk 1,2,3 array.

Smooth as butter!

Sources:

  1. http://en.community.dell.com/support-forums/servers/f/906/t/19661149
  2. http://en.community.dell.com/support-forums/servers/f/906/t/19658876
  3. https://en.community.dell.com/support-forums/servers/f/906/t/19675982
  4. http://en.community.dell.com/support-forums/servers/f/906/t/19678951
  5. http://en.community.dell.com/support-forums/servers/f/906/t/19587490
  6. https://www.dell.com/support/contents/us/en/19/article/Product-Support/Self-support-Knowledgebase/enterprise-resource-center/Enterprise-Tools/support-live-image
  7. http://en.community.dell.com/support-forums/servers/f/906/t/19654034

Palo Alto Export Configuration using TFTP

Export the active configuration (running-config, for Cisco folks) to a TFTP store running on Ubuntu 14.

Jump onto your Ubuntu box and install the tftpd-hpa package using apt-get.

#apt-get install tftpd-hpa

Configure a few properties of the TFTP daemon.

#vi /etc/default/tftpd-hpa

Set the following values in the file:

TFTP_DIRECTORY="/var/lib/tftp"

TFTP_ADDRESS="192.168.1.253:69"

TFTP_OPTIONS="-c -v --secure"

Create /var/lib/tftp and chmod it so that "others" (any user, including the daemon's own account) can write to it. Note that with -c any host that can reach the listener can create files in this directory, so keep TFTP_ADDRESS bound to the management address as above and do not expose the service beyond that network.

mkdir /var/lib/tftp

chmod o+w /var/lib/tftp

Export the active configuration.

tftp export configuration remote-port 69 source-ip 192.168.1.1 from running-config.xml to 192.168.1.253


Subnetting a class C address in your head

In our example we apply the subnet mask 255.255.255.128 (/25) to the network 192.16.11.0.

Subtract the 25 mask bits from the 32 total bits to leave 7 unmasked bits, which become host bits. Find the total number of addresses per subnet chunk, including the subnet (network) and broadcast addresses, by raising 2 to the power of the unmasked bits.

Remember 2^8 = 256

2^7 = (2^8) / 2 = 128

Count from 0 up to 256 in increments of the computed answer (128).

In this case we established two subnets using the /25 netmask.

Subnet    First Host    Last Host    Broadcast
0         1             126          127
128       129           254          255
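The hand method above, written out in Python as an added example (not from the original notes); it goes beyond the /25 case to any /25 through /30 carve-up of a /24, and cross-checks the result against the standard library's ipaddress module. The network 192.16.11.0 is the example from the notes.

```python
import ipaddress  # used only to cross-check the hand method

def subnet_table(prefix):
    """Carve a /24 into subnets the way the notes do it by hand.

    prefix: the new mask length (25..30).  Returns one row per subnet as
    (subnet, first_host, last_host, broadcast), each given as the last octet.
    """
    if not 25 <= prefix <= 30:
        raise ValueError("this hand method covers a /24 carved into /25 through /30")
    host_bits = 32 - prefix            # unmasked bits become host bits
    block = 2 ** host_bits             # addresses per chunk, incl. subnet and broadcast
    # Count from 0 up to 256 in increments of the block size.
    return [(start, start + 1, start + block - 2, start + block - 1)
            for start in range(0, 256, block)]

def subnet_table_full(network, prefix):
    """Same table with full dotted-quad addresses, cross-checked against ipaddress.

    network: a /24 network address such as "192.16.11.0" (the example in the notes).
    """
    base = ipaddress.ip_network(f"{network}/24")
    rows = []
    for sub, (s, _, _, b) in zip(base.subnets(new_prefix=prefix), subnet_table(prefix)):
        hosts = list(sub.hosts())
        if (int(sub.network_address) & 0xFF, int(sub.broadcast_address) & 0xFF) != (s, b):
            raise AssertionError("hand method disagrees with ipaddress")
        rows.append((str(sub.network_address), str(hosts[0]), str(hosts[-1]),
                     str(sub.broadcast_address)))
    return rows

def format_table(rows):
    """Render rows in the Subnet / First Host / Last Host / Broadcast layout from the notes."""
    lines = [f"{'Subnet':<16}{'First Host':<16}{'Last Host':<16}Broadcast"]
    lines += [f"{r[0]!s:<16}{r[1]!s:<16}{r[2]!s:<16}{r[3]}" for r in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_table(subnet_table(25)))                       # the /25 case from the notes
    print(format_table(subnet_table_full("192.16.11.0", 26)))   # four /26 subnets, dotted quads
```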