Posts made by Mike Davis

I always thought it was weird that tracert was the dos command and traceroute was the linux command. Almost every other linux command is shorter.

I have a client that has a database of news paper article archives that wants to know how much it would cost to put them on a website. The archive won't be added to at this time as they have been using a new system for years now. It would just have to allow users to search for old articles on the site. They are open to any suggestion for hosting. Let me know if you are interested.

@aaronstuder said in Come Hear SAM Speak at SpiceCorps Auburn NY Tonight:

I would have to leave right this minute to be there on time.....

so save you a seat?

@aaron I told them what a pain tape drives were before I put it in and told them how much babysitting they need. They have to pay me every time I work on it, so they know.... They are otherwise a great client, so I'm not going to dump them for that.

It's purely security. It doesn't help my argument when things keep getting hacked.

4 drives in less than 3 years. When I was brought in backups were a big concern to them because the last guy did nightly backups to an external hard drive, but they discovered a quickbooks error and needed to go back a month. He was overwriting the backup every night, so they had nothing useful to work from.

I tried to talk them in to online backups, and eventually went for a USB tape drive because I needed something that work work through ESXi.

I'll have to see if the software will let me swap out USB drives with out re-configuring the backup job each time.

Unfortunately both sites have users that need to use facebook to do their job. Aside from that, the scammers can just buy ads on any site.

The good side is now I have some fresh content to put in a presentation I'm doing on Tuesday about how not to get scammed.

@Dashrender said in Tape drive alternative besides online backup for offsite backup:

I suppose USB flash drives could be OK for Off-site. I'd get 5, one for each business day of the week. Then at work (hopefully) you would only loose one day if the current drive failed.

I'm doing grandfather - father - son backups, which is why the cost of them matter. I'll need like 15 just to get started.

@travisdh1 What software are you using?

@Breffni-Potter Site to site is out because that's "online" as far as they are concerned...

@Breffni-Potter said in 2 sponsored facebook ad malware attacks in 2 days:

https://www.facebook.com/business/help/162606073801742

The blue screen only triggers when the user clicks on the ad right?

Thanks for the link. Hopefully since I submitted screen shots with full URLs they can do something.

@Breffni-Potter said in 2 sponsored facebook ad malware attacks in 2 days:

https://www.facebook.com/business/help/162606073801742

The blue screen only triggers when the user clicks on the ad right?

As soon as some clicks the facebook ad, it triggers the new tab and won't let them off it. You can't even close the browser because the pop up is open. You have to kill IE with task manager.

I've had two users hit with fake blue screen attacks via facebook ads in the last two days. Where do I go with that? I tought facebook filtered ads. Here's what it looks like:

If the user tries to close the pop up it comes back. Also if they try to go back to the facebook tab, it brings the other tab back up. Anyone else dealing with this?

@Breffni-Potter said in Tape drive alternative besides online backup for offsite backup:

Backup to a Synology box rather than a single USB. You can then get iSCSI mounting direct. A gigabit network will be faster than a usb 2.0 connection for backups. You want speed of restore as well as speed of backup.

I already have a local backup for speed. I need an offsite backup.

@momurda said in Tape drive alternative besides online backup for offsite backup:

portable usb hdd

Wouldn't that be 8 times more expensive, larger, and slower than a USB flash drive? What am I missing?

I have a client that refuses to use online backup. The only thing I could think of at the time to get an offsite backup was a tape backup. Long story short, I'm on my 5th tape drive (under warranty) and I'm really starting to wonder if it's a bad model of tape drive (HP DAT 160) , bad backup software (Barracuda Yosemite Server Basic), or the fact that I'm using USB passthrough in ESXi.

The backup job is backing up about 50GB of data each night. That would fit on a USB drive. Is anyone doing a backup to USB flash drive? Any other alternatives to tape that I'm not thinking of?

If you mean to "sync" and have it create accounts in AD, I don't think that's going to work. It doesn't even "sync" like that going in the other direction. It doesn't create a mailbox or anything in o365 until you assign a license.

Depending on the number of users you're talking about, (and group memberships, etc) I suppose you could script out the account creation on the AD side, and then start a sync. I'm not sure how well that would work though because the password would be newer on the prem side and it seems like it would over write the o365 side.

With powershell you can rename a UPN suffix. Pretty easy with powershell:
https://blogs.technet.microsoft.com/canitpro/2015/07/07/step-by-step-changing-the-upn-suffix-for-an-entire-domain-via-powershell/

It depends how many users and all that, but you could start with the script:
https://gallery.technet.microsoft.com/office/List-all-Users-Distribution-7f2013b2
to get all your groups and then use the commands in:
http://o365info.com/manage-distribution-groups-by-using/
to build them in the new tenant.

Deos it bluescreen, or just power off? For a blue screen, you can also try whocrashed:
http://www.resplendence.com/whocrashed
to see if it's a driver or something along those lines.

Others have posted some tools that will stress the hardware to see if you can reproduce the problem.

@JaredBusch Thank you for all the tips. I inherited this config and didn't understand why some things were done the way they were. Between your information and a firmware update we should be able to get this router in to shape.

Between what you said and some information from @coliver I learned that the Meraki is not behind the Edge, but in fact there is a switch between each of the routers and the ISP, so they both have direct access to the internet. Information from a tech on site lead me to believe otherwise, which is why the config didn't make sense.

@Dashrender The Meraki WAN address is a public one that is assigned by DHCP.

@JaredBusch

Show Tech-Support



CONFIGURATION



EdgeOS Version and Package Changes

Version:      v1.6.0
Build ID:     4716006
Build on:     10/31/14 17:31
Copyright:    2012-2014 Ubiquiti Networks, Inc.
HW model:     EdgeRouter PoE 5-Port
HW S/N:       44D9E7058BC3
Uptime:       15:55:52 up 2 days, 14:30,  2 users,  load average: 0.29, 0.25, 0. 26


UBNT offload
:

IP offload module   : loaded
IPv4
  forwarding: enabled
  vlan      : disabled
  pppoe     : disabled
IPv6
  forwarding: disabled
  vlan      : disabled
  pppoe     : disabled

IPSec offload module: loaded


Configuration File

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
:
    name WAN_IN {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
:
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description "Allow Traffic To client-Web01"
            destination {
                address 192.168.2.120
            }
            log disable
            protocol all
        }
        rule 4 {
            action accept
            description "Allow traffic to RDS"
            destination {
                address 192.168.2.115
            }
            log disable
            protocol all
        }
    }
:
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
:
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description 5060
            destination {
                port 5060
            }
            log enable
            protocol udp
        }
        rule 4 {
            action accept
            description "Allow 10000-20000"
            destination {
                port 10000-20000
            }
            log enable
            protocol udp
        }
        rule 5 {
:
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500
            }
            log enable
            protocol udp
        }
        rule 6 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 7 {
            action accept
            description "Accept Ext ICMP"
            log enable
            protocol icmp
        }
        rule 8 {
            action accept
            description saphttps
:
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
        rule 9 {
            action accept
            description RDS2
            destination {
                port 3389
            }
            log disable
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
:
        address [redacted].83.168.51/22
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
:
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
:
        address 192.168.2.253/23
        mtu 1500
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description PBX-RTP
        forward-to {
            address 192.168.1.92
            port 10000-20000
        }
        original-port 10000-20000
        protocol udp
    }
    rule 2 {
:
        description PBX-SIP
        forward-to {
            address 192.168.1.92
            port 5060
        }
        original-port 5060
        protocol udp
    }
    rule 3 {
        description SAP
        forward-to {
            address 192.168.2.120
            port 443
        }
        original-port 443
        protocol tcp
    }
    rule 4 {
        description RDS
        forward-to {
            address 192.168.2.115
            port 3389
        }
:
        original-port 3389
        protocol tcp
    }
    wan-interface eth0
}
protocols {
    static {
        route 192.168.1.0/24 {
            next-hop 192.168.2.254 {
            }
        }
    }
}
service {
    gui {
        https-port 443
    }
    nat {
        rule 5001 {
            log disable
            outbound-interface eth0
            type masquerade
        }
:
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 2048
        hash-size 32768
        modules {
            sip {
                disable
            }
        }
        table-size 262144
    }
    gateway-address [redacted].83.168.1
    host-name ubnt
   
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
:
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
:
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                  

                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.2.180
                stop 192.168.2.199
            }
:
            dns-servers {
                server-1 192.168.2.3
                server-2 192.168.2.117
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret [redacted]
                }
                ike-lifetime 3600
            }
            outside-address [redacted].83.168.51
            outside-nexthop [redacted].83.168.1
        }
    }
}

@thwr yes, it's only a "Source NAT rule" Doesn't that mean that anything coming in on eth0 is going to be NATed?