@bnrstnr said in Who do you use for your domain registrar?:

@scottalanmiller said in Who do you use for your domain registrar?:

@Dashrender said in Who do you use for your domain registrar?:

@scottalanmiller said in Who do you use for your domain registrar?:

@Dashrender said in Who do you use for your domain registrar?:

Why buy at one, then move the registrar to another?

OH! Because CF doesn't let you buy, but that's where we want the account to be.

What account? CF will be the registrar, but only from transfers?
that sucks.

Yes, it's weird. You can only transfer to them, not buy directly.

You can renew there though?

yes, once you transfer you are all set. Just the initial purchase doesn't work.

@scottalanmiller
Nice, let us know how it goes.

Spanish or English would be fine. But, needs to be local to Barcelona. The only reason we are looking is for the physical side we cannot do from London or Calgary.

If you don't care what IP your guest network shows to the public, you should be able to do this.

You should simply need to create a source NAT rule for the traffic.

At various locations, I have fiber services delivered without an ISP router from the carriers. Part of that service is also a /29 block of IP addresses.

What I do in those instances is put the /30 public IP that would normally be on the ISP router on my router, then I create source and destination rules to handle the traffic.

ISP Assigned Router IP: 123.123.123.190/30
Routed IP block: 123.122.122.138/29

eth0 = WAN 123.123.123.190/30
eth3 = LAN 10.200.0.1/23
eth3.10 = Public Wifi 10.200.10.1/24

set interfaces ethernet eth0 address 123.123.123.190/30 set interfaces ethernet eth0 description 'AT&T FIber' set interfaces ethernet eth0 duplex full set interfaces ethernet eth0 firewall in name WAN_IN set interfaces ethernet eth0 firewall local name WAN_LOCAL set interfaces ethernet eth0 speed 100 set interfaces ethernet eth3 address 10.200.0.1/23 set interfaces ethernet eth3 description 'LAN' set interfaces ethernet eth3 duplex auto set interfaces ethernet eth3 firewall in name LAN_IN set interfaces ethernet eth3 firewall local name LAN_LOCAL set interfaces ethernet eth3 speed auto set interfaces ethernet eth3 vif 10 address 10.200.10.1/24 set interfaces ethernet eth3 vif 10 description 'Guest Wireless' set interfaces ethernet eth3 vif 10 firewall in name Public_WiFi_IN set interfaces ethernet eth3 vif 10 firewall local name Public_WiFi_LOCAL

Note that I do not assign the routed block to any interface.

Some firewall rules to prevent talking and such..

set firewall group address-group 10_0_0_0_8 address 10.0.0.0/8 set firewall group address-group 10_0_0_0_8 description 'Entire 10.0.0.0/8' set firewall group network-group Public_WiFI_LAN description 'Public WiFi LAN' set firewall group network-group Public_WiFI_LAN network 10.200.10.0/24 set firewall name Public_WiFi_IN default-action accept set firewall name Public_WiFi_IN description 'Public WiFi in to other interfaces' set firewall name Public_WiFi_IN rule 10 action accept set firewall name Public_WiFi_IN rule 10 description 'Allow response to existing connections' set firewall name Public_WiFi_IN rule 10 log disable set firewall name Public_WiFi_IN rule 10 protocol all set firewall name Public_WiFi_IN rule 10 state established enable set firewall name Public_WiFi_IN rule 10 state invalid disable set firewall name Public_WiFi_IN rule 10 state new disable set firewall name Public_WiFi_IN rule 10 state related enable set firewall name Public_WiFi_IN rule 20 action accept set firewall name Public_WiFi_IN rule 20 description 'Allow access to gateway' set firewall name Public_WiFi_IN rule 20 destination group address-group ADDRv4_eth3.10 set firewall name Public_WiFi_IN rule 20 log disable set firewall name Public_WiFi_IN rule 20 protocol all set firewall name Public_WiFi_IN rule 30 action drop set firewall name Public_WiFi_IN rule 30 description 'Block all other access to private networks' set firewall name Public_WiFi_IN rule 30 destination group address-group 10_0_0_0_8 set firewall name Public_WiFi_IN rule 30 log disable set firewall name Public_WiFi_IN rule 30 protocol all set firewall name Public_WiFi_IN rule 40 action drop set firewall name Public_WiFi_IN rule 40 description 'Block all SMTP' set firewall name Public_WiFi_IN rule 40 destination port 25 set firewall name Public_WiFi_IN rule 40 log enable set firewall name Public_WiFi_IN rule 40 protocol tcp set firewall name Public_WiFi_LOCAL default-action drop set firewall name Public_WiFi_LOCAL description 'Public WiFi in to router' set firewall name Public_WiFi_LOCAL rule 10 action accept set firewall name Public_WiFi_LOCAL rule 10 description 'Allow DNS' set firewall name Public_WiFi_LOCAL rule 10 destination port 53 set firewall name Public_WiFi_LOCAL rule 10 log enable set firewall name Public_WiFi_LOCAL rule 10 protocol udp set firewall name Public_WiFi_LOCAL rule 50 action accept set firewall name Public_WiFi_LOCAL rule 50 description 'Allow pings' set firewall name Public_WiFi_LOCAL rule 50 limit burst 1 set firewall name Public_WiFi_LOCAL rule 50 limit rate 62/minute set firewall name Public_WiFi_LOCAL rule 50 log enable set firewall name Public_WiFi_LOCAL rule 50 protocol icmp

Then I use NAT rules to specify how it routes out. I do not have a destination NAT rule here because there is no inbound traffic allowed. the NAT translation should handle the return traffic.

In your case, you could just tell it to use the IP on the WAN interface instead of some other IP.

set service nat rule 5995 description 'Outbound Public WiFi LAN Traffic' set service nat rule 5995 log disable set service nat rule 5995 outbound-interface eth0 set service nat rule 5995 outside-address address 123.122.122.140 set service nat rule 5995 protocol all set service nat rule 5995 source group network-group Public_WiFI_LAN set service nat rule 5995 type source

@G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

@DustinB3403 So since this appears to be in preparation for future issues, is the common practice to just audit every drive?

It depends on what you want to audit, and how much you want in your logs.

@Dashrender said in Phone solutions - something like Skype/Teams - why/why not?:

@scottalanmiller said in Phone solutions - something like Skype/Teams - why/why not?:

@Dashrender said in Phone solutions - something like Skype/Teams - why/why not?:

@scottalanmiller said in Phone solutions - something like Skype/Teams - why/why not?:

@Dashrender said in Phone solutions - something like Skype/Teams - why/why not?:

We have workflows that are station based - not person based - think call center.

Now this, Teams is not good at.

True - but often management is likely mis-sold on the idea that handsets are no longer needed, and instead the user uses their computer/cellphone as their device.

that's a totally separate issue that applies to all phone systems.

meh - it can apply to all phone systems, but I'm guessing it generally doesn't apply to those installing the Mitel/3CX's of the world. It's a mindset thing. It's also the sales person selling the stuff thing.

I don't know, 3CX pushes that pretty hard.

@maxi5005 said in Bitcoin:

I saw in some forums that Bitcoin can be availaed by Mining?

That is, indeed, how cryptocurrency works essentially by definition.

@DustinB3403 said in Unifi port blocking on specific networks:

@Dashrender said in Unifi port blocking on specific networks:

he's talking about ports - not URLS.. not sure that Pi-hole fixes this, unless he said the wrong word earlier.

I specifically mean to block ports on a specified wireless network, had I meant URL's I'd be using my pihole.

Assuming
wifi - 192.168.1.x
LAN - 192.168.2.x

You configure the router to not allow said ports on network 192.168.1.x

@iroal said in Migrate to O365 best method:

@Dashrender said in Migrate to O365 best method:

slick

I migrated 66 accounts from Exchange 2003 to O365, uploading the Pst to O365 cloud.

Hard work but worked very well.

I could see time consuming, but I would have expected it to be that hard.

Ok i found this and it looks to be a promising solution with the features I want.

Blogdown

So I set this up again on a new jump box today.

SSH attempts did not log until I changed the mode to ddos

@Pete-S said in Turns Out My New Client Has Colocation At CloudAtCost Datacenter In Waterloo:

@scottalanmiller said in Turns Out My New Client Has Colocation At CloudAtCost Datacenter In Waterloo:

@Pete-S said in Turns Out My New Client Has Colocation At CloudAtCost Datacenter In Waterloo:

But where are the proof for what you said?

Besides their corporate filings and postings online? We aren't claiming anything that they've not announced themselves. It's public info, not something in question or disputed.

Well, if it's truly the datacenter that is shady, then I would strongly urge my customer to move their gear elsewhere as quickly a possible. Locked rack or not.

Exactly, that's what we're thinking. It's the datacenter (aka Cloud@Cost) that is scary here.

@DustinB3403 said in Data Breach: PDL "Enrichment" Company 1.2B Peeps Impacted ... yeah, BILLION:

<s> To be fair, setting up SSL and a login name and password does take extra effort. . give the poor sod a break </s>

Yeah and they weren't even bothered to whitelist IPs.

They should have SSL and strict whitelist preferably to a VPN IP that requires authentication.

@Emad-R said in One Time, Non-Image, Windows Backup Client:

@scottalanmiller said in One Time, Non-Image, Windows Backup Client:

@Emad-R said in One Time, Non-Image, Windows Backup Client:

better to use it on another VM close to that VM

No other VM. If we open the only other VM, ESXi can't work. So that tool, I'd expect, couldn't actually run.

Oh you can run it from any where, as long as you can ping the ESXi or reach it. but i prefer a VM cause its faster

I see. That was a problem for us because we couldn't transfer off of the server, their network wasn't fast enough 😞

@Dashrender said in QoS on Edgerouter Lite:

@Romo said in QoS on Edgerouter Lite:

Just setup a traffic-policy shaper to test:

20% bandwidth for voip guaranteed with a ceiling of 100% bandwidth
30% bandwidth for USERS PC guaranteed with a ceiling of 100% bandwidth
50% bandwidth for ALL others guaranteed with a ceiling of 100% bandwidth

Does this sound reasonable?

if you parse off 50% for those things and they aren't in use, then the bandwidth is just being wasted... I know scott has mentioned that doing this is generally bad in the past because of the waste of resources.

You don't read clearly. He's talking minimum guarantee at 20/30/50 and max possible when available at 100 for all.

@WLS-ITGuy said in O365 & Spam filter:

I thought I read it somewhere. Thanks.

What about backups? I thought I read somewhere that O365 doesn't do backups. So if an end user deletes an email or accidentally deletes/moves a folder there is no way to retrieve that.

Although the backups are for Microsoft themselves see this
https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/high-availability-and-business-continuity

https://docs.microsoft.com/en-us/exchange/back-up-email

Same as what @JaredBusch said on a user level or even an admin.

@scottalanmiller Yep, I just wanted to share the configuration I use as my daily driver because it makes working in the terminal that much more efficient. The OP mentioned wanting something that was a bit slicker and more powerful, and I think in addition to your choice of terminal, your choice of shell and other tools contributes to having a better experience. I prefer FISH for my shell, and tmux is my terminal multiplexor of choice. ZSH is another great alternative shell as well.

@scottalanmiller
This may also help:
https://blogs.partner.microsoft.com/mpn/myth-busting-software-asset-management-and-compliance-audits/?ln=en-us
https://www.microsoft.com/en-us/licensing/learn-more/compliance-verification-faq

Things like:

Microsoft SAM programs are voluntary services... A compliance audit is a mandatory review of a company’s use of Microsoft’s products and services...
These compliance verifications are initiated across less than 5% of Microsoft’s licensing customers worldwide

But ignoring things like:

We believe that SAM can be a strategic advantage for all our customers

Worth noting that the issue comes back when you upgrade to Fedora 31 as well. Same fix still applies.

It will makes sense of all the alerts and centralize everything