Categories
Network Software Web Windows

Update FreeDNS with PowerShell and Task Scheduler

After my long-loved Raspberry Pi died I needed a new way to update a dynamic DNS entry. I recently discovered the Invoke-WebRequest cmdlet, which lets you send an HTTP(S) request and parse pretty much whatever you get in return. My use for it is to keep a site-to-site VPN to my lab up and running.

# Change LogPath to the desired log location and Uri to your Direct or Token URL from FreeDNS.
# Treat the token URL as a password: anyone who can read this file can update your DNS record.
$LogPath = "C:\Scripts\Update-FreeDNS.log"
$Uri = "http://sync.afraid.org/u/your_token/"

# No need to change this. -UseBasicParsing keeps the request independent of the Internet Explorer
# engine, which is not initialised for a task account that has never logged on interactively.
Add-Content -Path $LogPath -Value "$(Get-Date) $(Invoke-WebRequest -Uri $Uri -UseBasicParsing)"

Your log file will look something like this:

11/13/2019 18:00:03 No IP change detected for your.dyn.dns with IP 28.100.14.108, skipping update
11/13/2019 19:00:03 No IP change detected for your.dyn.dns with IP 28.100.14.108, skipping update
11/13/2019 20:00:03 No IP change detected for your.dyn.dns with IP 28.100.14.108, skipping update

Save the script somewhere that makes sense, for example C:\Scripts.

  • Open Task Scheduler, select Task Scheduler Library on the left and click Create Task on the right
  • Name your task “Update-FreeDNS” or something else descriptive
  • You have to check “Run whether user is logged on or not”, so if you do not want your own credentials to be saved in the task, create a new user and change to that
  • On the Triggers tab you can create a schedule that suits your needs. I use every hour, but this is totally up to you
  • Under Actions click New and paste the following
Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Add arguments: "C:\Scripts\Update-FreeDNS.ps1"
  • At this point you are finished with the necessities, but feel free to click around to see if you need any more options
  • Click OK and you will be asked for your password
  • Run the task on demand and check the result in the log file
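
The same job as one self-contained script, added here as an example; it is not the script from this post. Run it once with -Register to create the hourly task through the Task Scheduler cmdlets instead of clicking through the UI; without the switch it performs a single update and logs the outcome, including failures, which the one-liner above never records. The paths, the task name and the HTTPS form of the token URL are assumptions; take the exact URL from your FreeDNS account page.

```powershell
<#
  Update-FreeDNS.ps1 (added example, not the script from the post).
  One-time setup (elevated):   powershell.exe -File C:\Scripts\Update-FreeDNS.ps1 -Register
  Scheduled run (by the task): powershell.exe -NoProfile -NonInteractive -File C:\Scripts\Update-FreeDNS.ps1
  Requires an execution policy that allows local scripts (for example RemoteSigned).
#>
[CmdletBinding()]
param(
    [switch]$Register,
    # Assumed values: the token URL comes from your FreeDNS account page (the post used http://).
    [string]$Uri      = 'https://sync.afraid.org/u/your_token/',
    [string]$LogPath  = 'C:\Scripts\Update-FreeDNS.log',
    [string]$TaskName = 'Update-FreeDNS'
)

function Invoke-FreeDnsUpdate {
    # Perform one update call and append the outcome to the log. Returns $true on success.
    param([string]$Uri, [string]$LogPath)
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    try {
        # -UseBasicParsing: no dependency on the Internet Explorer engine, which is not
        # initialised for a task account that has never logged on interactively.
        $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 30
        $body = ([string]$response.Content).Trim()
        Add-Content -Path $LogPath -Value "$stamp OK   $body"
        return $true
    } catch {
        # Network errors, HTTP errors and timeouts end up here instead of vanishing silently.
        Add-Content -Path $LogPath -Value "$stamp FAIL $($_.Exception.Message)"
        return $false
    }
}

function Register-FreeDnsTask {
    # Create the hourly task that the post builds by hand in the Task Scheduler UI.
    param([string]$ScriptPath, [string]$TaskName)
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""
    # Repeat every hour from the next full hour; a -Once trigger needs a start time.
    $start = (Get-Date).Date.AddHours((Get-Date).Hour + 1)
    $trigger = New-ScheduledTaskTrigger -Once -At $start `
        -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 3650)
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 5)
    # The account that owns the task: a dedicated standard user, as the post suggests,
    # so that your own credentials are not stored in the task.
    $cred = Get-Credential -Message 'Account that will run the FreeDNS task'
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited -Force
}

if ($Register) {
    Register-FreeDnsTask -ScriptPath $PSCommandPath -TaskName $TaskName
} else {
    [void](Invoke-FreeDnsUpdate -Uri $Uri -LogPath $LogPath)
}
```

The token URL is effectively a credential, so restrict the NTFS permissions on the script to the task account and administrators; the log deserves the same treatment, since it records your public IP and hostname on every run.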

As always, ask if anything is unclear.

Categories
Hardware Network Software Sophos

Sophos UTM

Yes! I have been looking forward to this one. In the following weeks I intend to publish a series of informative guides on Sophos UTM. My experience with XG is limited, but I have over five years of everyday configuration of the UTM.

My latest buy for the lab is a Sophos SG 330, which I plan to get working with a Home License. Let's see how it goes.

To be continued…

I have attached the brochures here for anyone to see; they are a great read.

Sophos SG Rev. 1

Sophos SG Rev. 2

Sophos SG Rev. 3

Sophos XG Rev. 3

Categories
Network Software

Using the UniFi line as wlan controller part two

As I started to use the new setup, I realized more and more that I needed access to my lab (beyond plain RDP), especially from my laptop and phone. I tried several ways to solve this. Without any knowledge of the USG I had to go through some trial and error before I found a reasonable solution.

The best option would have been a site-to-site IPsec tunnel so I could keep using all my old rules, but I could not get that working whatever I did. The USG still routed the traffic to the lab through WAN and not through the tunnel. Next up was plain static routes, which was somewhat successful.

But, and this is a big one: since the UniFi Controller does not expose any NAT rules in the UI, there is no way (yes there is) to disable masquerading whenever a packet leaves the WAN interface. I have since read that there are ways to add rules manually, but I feel that is for next time.

I read up on this article about how the firewall in the USG works (IN/OUT/LOCAL), made all the necessary rules and finished with a deny rule for the rest. At the lab end there is simply an allow rule from the USG’s address. I found posts from Ubnt officials back in 2017 saying NAT would be exposed in the Controller any time now. We’ll see. For now this is OK.

Please feel free to tell me if there is anything I should do differently about this setup (or anything else).

Categories
Hardware Network

Using the UniFi line as wlan controller

Ever since IoT started to be a thing it has been eating up my IPs from the free 50 of the Sophos UTM Home license. Since I am currently somewhat invested in its features, moving away from the UTM is not an option at this time.

After some back and forth I decided to use an old trick – NAT. Simply put, a new firewall behind a dedicated NIC on the UTM. Very few or none of my devices actually need to talk to my lab, so all of their traffic is routed to WAN.

What did I buy?

  • USG-PRO-4
  • UAP-NANOHD

The UniFi controller is deployed on an Ubuntu 16.04 VM with this install script. The reason for 16.04 LTS is because that is the last version SCVMM 2012 R2 will recognize. I have successfully deployed 18.04 too, but it is not known to the VMM.

To be continued.

Categories
Hardware Network Norwegian

Altibox – Using your own router

Update, autumn 2019: Thank you for visiting the site. This post gets a great many hits, so there is clearly a demand for using your own equipment. Feel free to get in touch if anything in the text is unclear, and I will help as best I can. See the bottom of the post for a comment on the new UHD TV boxes.

Like many other Altibox customers, I was curious whether it is possible to bypass the home gateway. I was issued a Zyxel P2812ac home gateway and a HET-3012 media converter. To avoid sources of error I wanted to remove the home gateway, which was in bridge mode anyway.

Depending on where you have your media converter (fiber to Ethernet), you need at least one switch with VLAN support. The idea is to create a trunk port that receives the Altibox VLANs and distributes them correctly inside the house. I use a Netgear GS724T in the storeroom and a GS716T in the living room, and the setup works very well.

Altibox uses the following VLANs:

  • IPTV – 101
  • Internet – 102

As firewall and router I use Sophos UTM. It is comparable to pfSense and other firewall distributions. The reason I chose Sophos UTM a few years ago was that it works with objects in the same way as, for example, Cisco ASA, which I find a very tidy and clear way of expressing access rules. Not least, you get a full-blown enterprise solution free of charge for up to 50 IP addresses. When I wrote this article in 2016, 50 addresses was plenty, but in 2019, with IoT growing, that is no longer the case.

Depending on whether you want IPTV or not, there are two different approaches. If you are only after Internet you can plug the cable straight into the firewall of your choice; otherwise you need a switch in front of it.

Create a new VLAN port on your firewall and tag it with VLAN 102. Set the virtual MAC address equal to the one on your home gateway; Altibox uses MER (MAC Encapsulated Routing) for its traffic, so this is a requirement. Set the IP to DHCP and connect the cable. At this point you should have Internet access through your own firewall.

[Screenshot: altibox vlan 102]

If you also want IPTV you need a switch with VLAN support. Create a trunk port with VLAN 101 and 102. Then create one port with VLAN 101 that you use for the TV traffic and one port with VLAN 102 that you connect the firewall to.

The setup is thus as follows:
GS724T

  • Port 13 – T 101 and T 102 – from the media converter (the wall).
  • Port 15 – T 102 – to the firewall.
  • Port 24 – T 101 – to the living room.

GS716T

  • Port 16 – T 101 – from the storeroom.
  • Port 15 – U 101 – to the TV.

This setup worked flawlessly with the older TV boxes. With the new Android devices (UHD) it gets somewhat more complicated, since they require IGMP snooping. How to set that up differs from brand to brand, and you pretty much have to google and experiment. I am curious what people want, so feel free to get in touch for tips.

Categories
Hardware Network

Configure VLAN on Netgear switches

As I had to google this one myself, I thought there was room for one more article about configuring VLANs on Netgear switches. Multiple virtual LANs solve the problem of moving two or more separate networks to another room in your house over just one Ethernet cable. This could be LAN and WLAN, or in my case those two plus TV over IP. The procedure is mostly the same on any switch with a graphical user interface, but as I only own switches from Netgear the pictures will be from them.

First, define your VLAN identifiers. For my own documentation, I will use the ones I use myself. You can basically use any number between 1 and 4093. For your consideration, I would use either 10, 11, 12 or 100, 101, 102 next time. To make things easy and not risk losing connectivity, keep VLAN 1 and configure LAN on this ID.

  • VLAN 1 – LAN
  • VLAN 4 – WLAN
  • VLAN 5 – TV

The identifiers are also called tags. Each port is either tagged or untagged for a VLAN. If a port is tagged with more than one VLAN, it is called a trunk port. That is what we want between the storeroom and the living room.

Keep in mind: an untagged port can only be a member of one VLAN. Generally speaking, untagged ports are used to connect computers, and tagged ports are used to connect switches and devices that also use tagged VLANs.

Log in to your first switch and select Switching, VLAN. Insert new VLAN ID and new VLAN Name and hit Add. If there is a choice, select Static as VLAN Type.

[Screenshot: Netgear vlan]

When this is repeated for all the wanted VLANs on both switches, we are ready to move on to the tagging.

In the same menu, click on Advanced and VLAN Membership.

[Screenshot: Netgear vlanmember]

For reference, my VLAN 1 looks like this. As you can see, ports 10 and 24 are used as trunk ports, where port 10 is the uplink to the firewall and port 24 goes to the other switch in the living room. All the untagged ports behave just like normal ports.

The other rules I have set are:

  • VLAN 4 – Port 10 T, Port 24 T
  • VLAN 5 – Port 23 U, Port 24 T

This means that my WLAN subnet comes in tagged from the firewall, in parallel with LAN, and goes straight to the living room where my access point is. The TV signal comes in untagged and is tagged on its way to the living room together with the other networks.

If you are using a router without VLAN support, just plug that in to any untagged port and use only tagged ports between the two switches.

On a side note: it is not necessary in all cases, but you can assign a VLAN (and a priority) to untagged ports in Port PVID Configuration. I had to set PVID Configured on port 23 to 5 to get the TV to work.

When the first switch is done, log in to your other switch and open the same menu.

[Screenshot: Netgear vlanlivingmember]

Tag the port from the other switch and untag all the others you want as LAN. The ports with no T or U are assigned to WLAN, and port 15 to TV, all untagged for that purpose. Here too I had to use the PVID Configuration to prioritise VLAN 4 and 5 on some ports.

You should now have a working set of VLANs.
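
To see what the T/U membership and the PVID setting actually do to a frame, here is a small model of 802.1Q forwarding in PowerShell, added as an example; it is not a Netgear tool and not part of this post. It replays the storeroom switch configured above and the Altibox trunk from the earlier post: an untagged frame is classified by the PVID of the port it arrives on, a tagged frame is dropped unless that port is a member of the VLAN in the tag, and the frame then leaves every other member port tagged or untagged as configured. The LAN access ports 1 and 2 and the function names are assumptions.

```powershell
# Minimal 802.1Q port model. Added example, not a Netgear feature or a tool from the post.
# Membership per VLAN: port -> 'T' (tagged member) or 'U' (untagged member); absent = not a member.
# A frame with Tag 0 is untagged (0 is never used as a real VLAN ID in this model).

function New-SwitchConfig {
    param([hashtable]$Membership, [hashtable]$Pvid)
    # Build a per-port view: port -> @{ PVID; Members = @{ vlan -> 'T'|'U' } }. PVID defaults to 1.
    $ports = @{}
    foreach ($vlan in $Membership.Keys) {
        foreach ($port in $Membership[$vlan].Keys) {
            if (-not $ports.ContainsKey($port)) { $ports[$port] = @{ PVID = 1; Members = @{} } }
            $ports[$port].Members[$vlan] = $Membership[$vlan][$port]
        }
    }
    foreach ($port in $Pvid.Keys) {
        if (-not $ports.ContainsKey($port)) { $ports[$port] = @{ PVID = 1; Members = @{} } }
        $ports[$port].PVID = $Pvid[$port]
    }
    return $ports
}

function Get-IngressVlan {
    # Classify an incoming frame: a tagged frame keeps its VID if the port is a member of
    # that VLAN (otherwise it is dropped); an untagged frame is put into the port's PVID.
    param([hashtable]$Ports, [int]$InPort, [int]$Tag = 0)
    $p = $Ports[$InPort]
    if ($null -eq $p) { return $null }
    if ($Tag -ne 0) {
        if ($p.Members.ContainsKey($Tag)) { return $Tag }
        return $null
    }
    return [int]$p.PVID
}

function Get-EgressPorts {
    # Return "port/T" or "port/U" for every other member port of the frame's VLAN, i.e. where
    # the frame is forwarded and whether it leaves tagged or untagged. Empty = dropped.
    param([hashtable]$Ports, [int]$InPort, [int]$Tag = 0)
    $vlan = Get-IngressVlan -Ports $Ports -InPort $InPort -Tag $Tag
    if ($null -eq $vlan) { return @() }
    $out = @()
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        if ($port -eq $InPort) { continue }
        $mode = $Ports[$port].Members[$vlan]
        if ($mode) { $out += "$port/$mode" }
    }
    return ,$out
}

# Storeroom switch from this post: VLAN 1 LAN, 4 WLAN, 5 TV. Ports 1 and 2 as LAN access ports are assumed.
$storeroom = New-SwitchConfig -Membership @{
    1 = @{ 1 = 'U'; 2 = 'U'; 10 = 'T'; 24 = 'T' }
    4 = @{ 10 = 'T'; 24 = 'T' }
    5 = @{ 23 = 'U'; 24 = 'T' }
} -Pvid @{ 23 = 5 }

"TV frame, untagged on port 23   -> " + ((Get-EgressPorts -Ports $storeroom -InPort 23) -join ' ')
"WLAN frame, tagged 4 on port 10 -> " + ((Get-EgressPorts -Ports $storeroom -InPort 10 -Tag 4) -join ' ')
"Stray tag 5 on port 10          -> " + ((Get-EgressPorts -Ports $storeroom -InPort 10 -Tag 5) -join ' ')

# Same switch with port 23 left at the default PVID 1: the untagged TV feed ends up in the LAN.
$wrongPvid = New-SwitchConfig -Membership @{
    1 = @{ 1 = 'U'; 2 = 'U'; 10 = 'T'; 24 = 'T' }
    5 = @{ 23 = 'U'; 24 = 'T' }
} -Pvid @{}
"TV frame with PVID 1 on port 23 -> " + ((Get-EgressPorts -Ports $wrongPvid -InPort 23) -join ' ')

# Altibox trunk from the earlier post: port 13 carries 101 (IPTV) and 102 (Internet) from the wall.
$altibox = New-SwitchConfig -Membership @{
    101 = @{ 13 = 'T'; 24 = 'T' }
    102 = @{ 13 = 'T'; 15 = 'T' }
} -Pvid @{}
"IPTV, tagged 101 on port 13     -> " + ((Get-EgressPorts -Ports $altibox -InPort 13 -Tag 101) -join ' ')
"Internet, tagged 102 on port 13 -> " + ((Get-EgressPorts -Ports $altibox -InPort 13 -Tag 102) -join ' ')
```

With the PVID set, the TV feed entering port 23 is carried only on the trunk towards the living room, and the WLAN and Internet frames stay on their own trunks; with port 23 left at PVID 1, the same untagged feed is flooded to every LAN port instead, which is the failure the side note above fixes and also the usual way a forgotten PVID undoes VLAN segmentation on a real switch.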

Please give me feedback if something is unclear.