Monday, December 16, 2019

Qnap 10GBe PCi card locks up device

So a few months ago I bought a Qnap TV-1635AX NAS for work to use as a backup to disk solution until my SAN arrived.

I bought this one because it has a ton of drive bays and 10GB SFP capabilities.  Word of caution: DO NOT USE QNAP'S 10GBE PCI CARDS

I wanted to use copper for my 10gb, so I also bought a Qnap QXG-10G1T card.  It's supported and should be fine, right?  Except not. In my case I needed to back up roughly 19TB using Veeam and Robocopy.  I started out enabling Jumbo frames to help things move along a bit faster. Within 5 hours of my job starting the unit would lock up.  The web GUI was totally unresponsive, however the local LCD panel showed it was good. Tried without Jumbo frames.. same thing, except maybe 10 hours into the job. Locked up tighter than tight.

I spent time with support via emails.. they were no help. I wanted to hear from an engineer on this but no such luck.

Switched to a 10GB SFP module and so far no issues. I have not summoned up the courage to re-enable Jumbo Frames but I don't have to now since my initial jobs are complete and it's just the deltas.

But moral of the story is, the PCI backplane in this model Qnap cannot support 10G over copper.

Friday, December 13, 2019

Ubiquiti Unifi Controller networks.. Corp LAN or VLAN?

So a couple weeks ago I set up my first Unifi Controller on top of Ubuntu 19.10 Server. I ended up following a script I found here and it worked beautifully!

I'll readily admit I don't always research as much as I should but I usually figure it out anyway. This time though I found something odd.  So UBNT states that unless you have a USG in your environment (or another device performing Layer 3) then you should create all of your networks in the controller as VLAN objects.

My setup here at work is not special or out of the ordinary.. I have a Sophos firewall doing the firewall duties as well as DHCP for all my subnets and routing.  When I create my wifi subnet under Networks as a VLAN, DHCP traffic refuses to pass.  I don't know why, nor do I want to suffer through the inhumanity that is UBNT's chat based support one more minute.

Long story short, I spent about 5 hours one evening fighting with support over this very thing. They say 'No you need VLANS'.  I say 'Well my clients are not pulling DHCP leases from my firewall'.. they say 'You must have VLANS!'  So it was a stupid cycle.

But about maybe 15 minutes after removing that Wireless VLAN and creating a Wireless Corp LAN my clients were pulling valid leases and everything was good.

I don't know why, nor do I care at this point. Just be aware, if you run into a similar issue try a Corp LAN instead.

Thursday, December 12, 2019

Ubiquiti and my configuration

So here at my new job I've been steam rolling the old network infrastructure. When I came here there was a Cisco 2602I wap, a GS series Netgear, and a Cisco SG200.  And with what I was told this place wanted to be able to do those two devices had to go.

So because I've always wanted to try them, and I think their UI is neat as hell (and the switching performance is a definite improvement over the existing) I went whole-hog into UBNT.

I have a US-8-60W, a pair of US-48's, an AC-LR, AC-Pro and 2 AC-Lites. Setting up the Unifi controller on a local virtual machine was a breeze, and adopting and configuring things was a snap.  Even migrating the controller from a Win10 guest to an Ubuntu server was overtly easy.
I NAT'd its required ports to the outside and could access it from anywhere via the mobile app on the Cloud Access Portal.

Then I decided to take it one step further.. I need a USG for those oh so sweet ISP metrics and DPI.

So I ordered one. Now the idiot in me that does surface from time to time did not read the manual and did not check out the help.ubnt.com articles.  I jumped right in and uplinked it to my network via its LAN1 port.
*BIG MISTAKE*

So did I mention my idiot?  He's more of a part-time dumbass. I did not know that the USG would start plugging DHCP right out of the box and because I had snooping enabled in the controller I'm sure all sorts of backend havoc happened.

So after fighting with it myself for an hour I decided to give the Chat support a try.  First thing the guy asks for is a screenshot of my config under Networks. When he sees they're all Corp LAN objects he immediately tells me to delete them and create VLAN objects. I had a bad feeling about this but, at his behest, I did it anyway.

Long story short, I lost communication to all my servers and the controller. When I regained control I spent the next 4 hours getting my switches and APs to re-adopt and getting the wireless network to pass DHCP traffic.

In the end I had to delete the Wireless VLAN and create it as a Corp LAN object. Then.. and ONLY then did DHCP traffic begin flowing and my clients started pulling valid leases from my firewall.

So moral of the story is, not every environment will work with the best practices.

Friday, December 6, 2019

Quickbooks, Potential firewall issue?

Quickbooks.

Everyone I know that has to support it.. hates it.

I hate it.. because I have to support it.

Ok I won't drone on here, but something stupid I ran into the other day. Three ladies with identical mapped drives to a server housing the database. Due to some DHCP weirdness one of them pulled an IP from a different subnet. So because I was in a hurry (and it really should not have mattered) I disconnected her original mapping and remapped using the primary IP address of the server, which just so happens to be on a different VLAN.

She could ping it, she could SMB browse and see the DB and other files. However QB refused to open it citing some stupid shit about QB is not able to open the file due to a potential firewall issue.

Long story short.. I fought this nonsense for an hour before finally giving up. Remapping the drive to the original IP and BOOM it opened right up.


Sunday, October 13, 2019

OPNSense on a Barracuda 410 Web Filter

So in the past I've run both pfSense and OPNSense on various hardware platforms.. vSphere, Dell Optiplex, a Nokia IP330 and now a Barracuda 410.
I picked this guy up for free yesterday from a friend specifically for this project.  Now if you've Googled much you'll find people have had all sorts of issues running this hardware and it all boils down to the NICs 'Cuda decided to use. They're fairly proprietary and in the Cuda implementation, software controlled via a set of relays and the LPT port.
Now I don't know how the Cuda folks code it, but a few people have had luck using the writeio and BCHW binaries as seen here: Netgate Forums

But me, being who I am and since this control, IMO, is more electrical than software driven I followed a suggestion from the link above.. sorting out the blue and black wires on the LPT header connector.

Using a tiny piece of solid conductor wire from some plenum rated CAT5e I shorted those two pins together with the connector unplugged from the header. During power up I cannot hear the relays click closed, but during power off you can hear them click open. In my testing so far (about 2 hours now) they have remained closed and a constant ping from my workstation has not dropped a packet yet.

So see, my figuring is, since there's separate wires leading from the RJ45 header on the two NICs to this relay board (and the front RJ45 ports) that the relays are acting as an on/off switch for this connectivity.  I mean it's a shady thing to do but it does help Cuda maintain some *control* over the reuse of the hardware.  I mean for folks like me.. I know this box is powered by a normal MSI motherboard with a decent Celeron proc.  But I WANT to use it for the front network ports. To me there is no other reason to use this box without those ports.

So anyway, this works for me. And it involved zero packages, binaries nor messing with rc.d to make sure they work after a reboot.

Enjoy.

Wednesday, March 6, 2019

Determine IP address from MAC address, in Linux

Found a switch in a closet.. not documented and I'm too lazy to haul a laptop over and try to hit the console so I took a picture of the MAC label and stumbled across this literal GEM of a one-liner:

nmap -sP <subnet>/24 >/dev/null && arp -an | grep xx:xx:xx:xx:xx:xx | awk '{print $2}' | sed 's/[()]//g'

 It literally just works.

Monday, March 4, 2019

Powershell: Scripting, copying one users group membership to another

At $work I've been working on a new On-Boarding script, and to make things easy part of this script prompts to enter an existing user's SamAccountName to copy the memberof to the new user.

It took me an hour or more of solid Google-Fu but here's the result and it works perfectly:

Get-ADUser -Identity $copyuser -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members $newuser
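The one-liner above copies every group, including any privileged ones the template user happens to hold, with no way to review the result first. The following is an added example (not the blog's script, and not part of any vendor tooling) of the same copy done with a dry run by default and a skip list for privileged groups; it assumes the ActiveDirectory RSAT module and the hypothetical function and parameter names shown here.

```powershell
# Added example: copy group membership from a template user to a new user,
# skipping privileged groups and showing what would change before applying.
# Assumes the ActiveDirectory module (RSAT); function and parameter names are
# this example's own, not from the blog post.
Import-Module ActiveDirectory

function Copy-TemplateGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $TemplateUser,   # SamAccountName of the user being copied
        [Parameter(Mandatory)] [string] $NewUser,        # SamAccountName of the new hire
        # Groups an onboarding script should never hand out automatically
        [string[]] $ExcludeGroups = @('Domain Admins', 'Enterprise Admins',
                                      'Schema Admins', 'Administrators', 'Account Operators'),
        [switch] $Apply                                  # without -Apply this is a dry run
    )

    $template = Get-ADUser -Identity $TemplateUser -Properties memberOf
    $target   = Get-ADUser -Identity $NewUser -Properties memberOf

    # Only groups the new user is not already a member of
    $toAdd = $template.memberOf | Where-Object { $target.memberOf -notcontains $_ }

    foreach ($dn in $toAdd) {
        $group = Get-ADGroup -Identity $dn -Properties adminCount

        # adminCount=1 marks groups protected by AdminSDHolder; treat them as privileged too
        if ($ExcludeGroups -contains $group.Name -or $group.adminCount -eq 1) {
            Write-Warning "Skipping privileged group: $($group.Name)"
            continue
        }

        if ($Apply) {
            Add-ADGroupMember -Identity $group -Members $target
            Write-Output "Added $NewUser to $($group.Name)"
        } else {
            Write-Output "Would add $NewUser to $($group.Name)"
        }
    }
}

# Usage: review the dry run, then re-run with -Apply.
# Copy-TemplateGroupMembership -TemplateUser $copyuser -NewUser $newuser
# Copy-TemplateGroupMembership -TemplateUser $copyuser -NewUser $newuser -Apply
```

Running the dry run first gives the onboarding step an audit trail of exactly which groups were copied, and the skip list keeps a template user who happens to be a domain admin from silently producing another one.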

Cheers.

Wednesday, February 27, 2019

OPNsense and PIA (Private Internet Access)

So.. I'm finally getting around to setting up my homelab, it helps to be buying a house, lol.

Ok so onward, a very good buddy of mine allows me to share his PIA account, and since I recently rolled from pfSense to OPNsense I decided tonight to set it up.  To help create this I logged into the PIA account and generated an OpenVPN .ovpn config file, everything you need is within..



First things first, you need to create a new Certificate Authority via System -> Trusts -> Authority.  Copy and paste the
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
parts into the Certificate data field.. make sure to name it something descriptive.

Then goto System -> Firmware -> plugins and install the OpenVPN client.

Once complete, we will configure it..  VPN -> OpenVPN -> Clients and Add a new one.

Now here I  and used what was in it.. so





Once complete I checked the status at VPN -> OpenVPN -> Connection Status and saw it was connected.  Now you will want to create a new Interface; Interfaces -> Assignments -> New then pick the latest addition.. in my case it was "ovpnc1".

Then head over to Firewall -> Rules -> LAN and create a new rule:



And set the gateway to the new interface you created.. (obviously edit the Source IP to whatever IP your machine is using that you want the traffic to traverse this new VPN connection).

And there you go.. all done.

Thursday, February 14, 2019

Linux/Windows Dual Boot, "The disk contains an unclean file system"

I'm now running a dual-boot system between KDE Neon (My current favorite Linux distro) and Windows 8.1 (Because I think 10 sucks ass).  Why Windows you say? Because no one's ported Far Cry 5 over yet ;)

Anyway I have a shared 'storage' drive between the two.. it's formatted as NTFS and just holds some backup stuff and I use it as a go between. Last night I'm pretty sure I told Windows to shut down. Turns out it left this disk in an unclean state. SHAME......SHAME.......SHAME lol.

The resolution is *ntfsfix*, installed by default on Ubuntu since like.. hell IDK like a number of major versions back.  Any how this is your savior.

 skeer@spektr  /media/skeer sudo ntfsfix /dev/sda1
Mounting volume... The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
FAILED
Attempting to correct errors...
Processing $MFT and $MFTMirr...
Reading $MFT... OK
Reading $MFTMirr... OK
Comparing $MFTMirr to $MFT... OK
Processing of $MFT and $MFTMirr completed successfully.
Setting required flags on partition... OK
Going to empty the journal ($LogFile)... OK
Checking the alternate boot sector... OK
NTFS volume version is 3.1.
NTFS partition /dev/sda1 was processed successfully.

 skeer@spektr  /media/skeer sudo mount -a          
skeer@spektr  /media/skeer


BOOM, Done. 

I can now write to the disk from Neon.

Peace Out.

Wednesday, January 23, 2019

Netplan error: Unknown key version

If you get the error "Unknown key version" when trying to 'try' or 'apply' a netplan config file, re-check your indentation.  It's off.. that's what causes this error.

Enjoy


p.s. yaml is 4 spaces for each indent.

Tuesday, January 15, 2019

Juniper EX switch, config backup and restoration.

Recently we bought a Juniper EX2300-48MP switch based off much research and many reviews.. in addition the price point and performance beat out a comparable Cisco Catalyst.

Anyway yesterday morning the switch ran into issues that resulted in a support call and an RMA'd unit being sent out. FF to today and I've got the new switch in hand so now it's time to backup and restore the working config from old to new.

I won't bore you with details but suffice to say it took a helluva lot of Googling to finally find a process that works.  Seems the vast majority of Juniper guides out there are for their routers.


Anyway, set up an FTP server locally, then SSH into your source switch and run:


  • cli
  • config
  • save ftp://username:password@ip_address/filename

On the destination device:

  • cli
  • config
  • load replace ftp://username:password@ip_address/filename
  • commit

Yes I know.. it's pretty easy but trust me when I say it took me a good hour to find this so I wanted to document it here.



Friday, January 11, 2019

Rebuilding the homelab.

So now that we're settled again, things at work and here at home have quieted down a bit, I've decided to begin rebuilding my homelab/stack.. this time using more Docker.

I was able to upgrade one of the kids' rigs for X-mas so I have the old box, an HP Z400 workstation. It's got an older Xeon and I scrounged up 32 gigs of DDR3 and mirrored a pair of 500gb SATA WD Blues.
Installed Vsphere 6.5 last weekend and this weekend I'll be setting up the docker host and possibly a few of the first containers.

So the plan so far is the following:

Portainer (because duh)
librenms
Ubuntu (or something with bash to upload images to Wunderground)
Plex (if I can find a suitable replacement for my dead NAS)
Guacamole


Provided I can replace the NAS I'll roll couchpotato and radarr, also thinking about a web server to provide remote access to my networked camera.. still unsure on that one.

All of this being built on top of Vsphere 6.5 because it's the best hypervisor out there. (KVM/QEMU still get some love tho)