Hardware Network

Using the UniFi line as wlan controller

Ever since IoT became a thing, it has been eating up my IPs from the free 50 of the Sophos UTM Home license. Since I am currently somewhat invested in its features, moving away from the UTM is not an option at this time.

After some back and forth I decided to use an old trick: NAT. Simply put, a new firewall sits behind a dedicated NIC on the UTM. Very few or none of my devices actually need to talk to my lab, so all of that traffic is just routed out to the WAN.

What I bought:

  • USG-PRO-4

The UniFi controller is deployed on an Ubuntu 16.04 VM with this install script. The reason for 16.04 LTS is that it is the last version SCVMM 2012 R2 will recognise. I have successfully deployed 18.04 too, but the VMM does not know that release.

To be continued.

Server Software Ubuntu

Landscape 18.03 on Ubuntu 16.04 LTS

You can read how to upgrade your older installation here.

Install on-prem and add clients

install landscape-server

Before installing anything, check /etc/hosts and set your FQDN to whatever you want the server to answer to. Use only lowercase letters, or Landscape may give errors.

sudo add-apt-repository ppa:landscape/18.03
sudo apt-get update
sudo apt-get install landscape-server-quickstart

install landscape-clients

sudo apt-get update
sudo apt-get install landscape-client

install cert

To enrol other computers, they need to trust the server. Copy the server certificate to each client so they can (the user and host below are placeholders, replace them with your own):

sudo scp user@<landscape-server>:/etc/landscape/server.pem /etc/landscape/server.pem

sudo nano /etc/landscape/client.conf

In the [client] section, point the client at the copied certificate:

ssl_public_key = /etc/landscape/server.pem

register client

The command below will guide you through the registration. The --url and --ping-url values must point at your server; <landscape-server> is a placeholder for the FQDN you set in /etc/hosts above.

sudo landscape-config --computer-title "servername" --account-name standalone --url https://<landscape-server>/message-system --ping-url http://<landscape-server>/ping

The last step is to accept the pending registrations in the Landscape web interface at https://landscape
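The steps above, gathered into a small helper that is added here and is not part of the original post: it checks the lowercase-FQDN rule, prints a SHA-256 fingerprint of the copied server.pem so it can be compared with the server's own copy before the client is told to trust it, sets ssl_public_key in client.conf, and builds the landscape-config command. The /message-system and /ping paths are the standard Landscape endpoints; the host name, title and the sample PEM body are placeholders or constructed values.

```python
# Added example (not part of the original post): prepare a Landscape client.conf
# the way the post describes, with the checks its warnings call for.
import base64, configparser, hashlib, io, re, socket

SERVER_PEM = "/etc/landscape/server.pem"   # where the post copies the server cert


def fqdn_is_lowercase(fqdn=None):
    """The post warns that uppercase in the FQDN makes Landscape give errors."""
    fqdn = socket.getfqdn() if fqdn is None else fqdn
    return fqdn == fqdn.lower()


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM file, colon-separated as
    openssl prints it, to compare with the server's copy before trusting this file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("not a PEM certificate")
    der = base64.b64decode("".join(m.group(1).split()))   # DER bytes are what get hashed
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def set_ssl_public_key(conf_text, pem_path=SERVER_PEM):
    """Return client.conf text with ssl_public_key set in its [client] section."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section("client"):
        cp.add_section("client")
    cp.set("client", "ssl_public_key", pem_path)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def register_command(host, title, account="standalone"):
    """argv for the post's landscape-config call; /message-system and /ping are the
    standard Landscape endpoints, host is the FQDN the server answers to (placeholder)."""
    return ["sudo", "landscape-config", "--computer-title", title, "--account-name", account,
            "--url", f"https://{host}/message-system", "--ping-url", f"http://{host}/ping"]


if __name__ == "__main__":
    # Constructed stand-in for server.pem: the base64 body is not a real certificate.
    sample = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
    print(pem_fingerprint(sample))
    print(set_ssl_public_key("[client]\nlog_level = info\n"))
    print(" ".join(register_command("landscape", "servername")))
```

Run the fingerprint function against the real /etc/landscape/server.pem on both machines; if the two strings differ, the file was not copied from the server you think it was.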

Hardware Network Norwegian

Altibox – Using your own router

Update, autumn 2019: Thank you for visiting this page. This post gets a great many hits, so there is clearly demand for using your own equipment. Feel free to get in touch if anything in the text is unclear, and I will help as best I can. See the bottom of the post for a comment on the new UHD TV boxes.

Like many others with Altibox, I was curious whether it is possible to bypass the home gateway (hjemmesentral). I was issued a Zyxel P2812ac home gateway and a HET-3012 media converter. To eliminate sources of error I wanted to remove the home gateway, which was in bridge mode anyway.

Depending on where your media converter (fibre to Ethernet) is located, you need at least one switch with VLAN support. The idea is to create a trunk port that receives the Altibox VLANs and distributes them correctly inside the house. I use a Netgear GS724T in the storeroom and a GS716T in the living room, and the setup works very well.

Altibox uses the following VLANs:

  • IPTV – 101
  • Internet – 102

As firewall and router I use Sophos UTM. It is comparable to pfSense and other firewall distributions. The reason I went for Sophos UTM some years ago was that it handles objects the same way as, for example, Cisco ASA, which I find a very tidy and clear way to present access rules. And not least, you get a full-blown enterprise solution free of charge for up to 50 IP addresses. When I wrote this article in 2016, 50 addresses was plenty, but in 2019, with IoT growing, that is no longer the case.

Depending on whether you want IPTV or not, there are two different approaches. If you only want Internet you can plug the cable straight into the firewall of your choice; otherwise you need a switch in front of it.

Create a new VLAN port on your firewall and tag it with VLAN 102. Set its virtual MAC to the one on your home gateway. Altibox uses MER (MAC Encapsulated Routing) for its traffic, so this is a requirement. Set the IP to DHCP and connect the cable. At this point you should get Internet through your own firewall.

altibox vlan 102

If you also want IPTV you need a switch with VLAN support. Create a trunk port with VLAN 101 and 102. Create one port with VLAN 101 that you use for TV traffic and one port with VLAN 102 into which you connect the firewall.

The setup is thus as follows:

Storeroom switch (GS724T):

  • Port 13 – T 101 and T 102 – from the media converter (the wall).
  • Port 15 – T 102 – to the firewall.
  • Port 24 – T 101 – to the living room.

Living room switch (GS716T):

  • Port 16 – T 101 – from the storeroom.
  • Port 15 – U 101 – to the TV.

This setup worked flawlessly with the older TV boxes. With the new Android devices (UHD) it gets somewhat more complicated, because these require IGMP snooping. Configuring that differs from brand to brand, and you pretty much have to google and try your way forward. I am curious what people want, so feel free to get in touch for tips.

Server Software

Two-factor Authentication with Duo Security

Duo Security two-factor authentication is a breeze to set up, and it deserves a look from everyone who wants to make their appliances or other logins more secure, whether for Microsoft RDP, WordPress or something else. As an example, the image below shows how the two-factor authentication works for RDP.


My search for a way to use two-factor authentication began when I decided to open my remote desktop sessions to any IP. As always, I used Google to come up with several options, but Duo seems to be the best and most flexible out there. It has tons of options, great documentation, and even a free plan for personal use. What I will miss most when the trial runs out is the option to whitelist IP addresses, so that when I am at home or at any of my site-to-site locations I can log straight in.

The account creation may involve a bit more than you are used to from other sites: you are asked to set up the application on your phone and verify a few things before you are let in. After creating your account, the rest is mostly self-explanatory. I followed two guides, one for RDP and one for WordPress, just to get started.

When signing in to those places now, you get a notification on your phone asking for access. If it is you, simply hit the green button and you are logged in. The process is painless and is literally over in a matter of seconds. If you are outside cellular data coverage, you also have the option to use the codes already available in the application on your phone.


Hardware Network

Configure VLAN on Netgear switches

As I had to google this one myself, I thought there was room for one more article about configuring VLANs on Netgear switches. Multiple virtual LANs solve the problem of carrying two or more separate networks to another room in your house over just one Ethernet cable. This could be LAN and WLAN, or in my case those two plus TV over IP. The procedure is mostly the same on any switch with a graphical user interface, but as I only own switches from Netgear, the pictures are from those.

First, define your VLAN identifiers. For my own documentation I will use the ones I actually use. You can basically use any number between 1 and 4093. For your consideration, I would use either 10, 11, 12 or 100, 101, 102 next time. To make things easy and not risk losing connectivity, keep VLAN 1 and configure LAN on this ID.

  • VLAN 1 – LAN
  • VLAN 4 – WLAN
  • VLAN 5 – TV

The identifiers are also called tags. For each VLAN, a port is either tagged or untagged. If one port is tagged with more than one VLAN, it is called a trunk port. That is what we want between the storeroom and the living room.

Keep in mind: an untagged port can only be a member of one VLAN. Generally speaking, untagged ports are used to connect computers, and tagged ports are used to connect switches and devices that also use tagged VLANs.

Log in to your first switch and select Switching, VLAN. Enter the new VLAN ID and VLAN Name and hit Add. If there is a choice, select Static as the VLAN Type.

Netgear vlan

When this is repeated for all the wanted VLANs on both switches, we are ready to move on to the tagging.

In the same menu, click on Advanced and VLAN Membership.

Netgear vlanmember

For reference, my VLAN 1 looks like this. As you can see, ports 10 and 24 are used as trunk ports, where port 10 is the uplink to the firewall and port 24 goes to the other switch in the living room. All the untagged ports behave just like normal ports.

The other rules I have set are:

  • VLAN 4 – Port 10 T, Port 24 T
  • VLAN 5 – Port 23 U, Port 24 T

This means that my WLAN subnet comes in tagged, in parallel with LAN, from the firewall and goes straight to the living room where my access point is. The TV signal comes in untagged on port 23 and is tagged on its way to the living room together with the other networks.

If you are using a router without VLAN support, just plug it into any untagged port and use only tagged ports between the two switches.

On a side note: it is not necessary in all cases, but you can assign and prioritise untagged ports in Port PVID Configuration. I had to set PVID Configured on port 23 to 5 to get the TV to work.

When the first switch is done, log in to your other switch and open the same menu.

Netgear vlanlivingmember

Tag the port coming from the other switch and untag all the others you want as LAN. The ports that have no T or U are assigned to WLAN, and port 15 to TV, all untagged for that purpose. Here too I had to use the PVID Configuration to prioritise VLAN 4 and 5 on some ports.

You should now have a working set of VLANs.
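Before clicking through two switch GUIs it helps to check the port plan on paper against the rules stated above: an untagged port belongs to exactly one VLAN, the PVID of an untagged port must be that VLAN (the port 23 lesson), and both ends of the trunk cable must carry the same tagged VLAN set. The validator below is an added example, not code from the original posts; it is loaded with this Netgear plan, and the Altibox switch plan earlier on the page fits the same dict format. The untagged LAN member ports and the living-room trunk port number (16) are constructed, since the post does not list them.

```python
# Added example (not from the original posts): consistency checks on a VLAN port
# plan such as the ones in the articles, using the rules the articles state.
from collections import defaultdict

# Per switch: vlan id -> {port: "T" tagged | "U" untagged}, plus per-port PVID.
# Storeroom plan from the article; ports 1-3 as untagged LAN members are constructed.
STOREROOM = {
    "vlans": {1: {1: "U", 2: "U", 3: "U", 10: "T", 24: "T"},
              4: {10: "T", 24: "T"},
              5: {23: "U", 24: "T"}},
    "pvid": {23: 5},          # the PVID the article had to set for the TV port
}
# Living room plan: port 16 as the trunk from the storeroom is assumed.
LIVING_ROOM = {
    "vlans": {1: {1: "U", 2: "U", 16: "T"},
              4: {3: "U", 16: "T"},
              5: {15: "U", 16: "T"}},
    "pvid": {3: 4, 15: 5},
}
PLAN = {"storeroom": STOREROOM, "living_room": LIVING_ROOM}
LINKS = [(("storeroom", 24), ("living_room", 16))]   # the trunk cable between switches


def tagged_vlans(switch, port):
    return {v for v, ports in switch["vlans"].items() if ports.get(port) == "T"}


def validate(plan, links):
    """Return findings as strings; an empty list means the plan is consistent."""
    findings = []
    for name, sw in plan.items():
        untagged = defaultdict(set)          # port -> VLANs it is untagged in
        for vlan, ports in sw["vlans"].items():
            for port, mode in ports.items():
                if mode == "U":
                    untagged[port].add(vlan)
        for port, vlans in sorted(untagged.items()):
            if len(vlans) > 1:               # rule: an untagged port belongs to one VLAN
                findings.append(f"{name} port {port}: untagged in several VLANs {sorted(vlans)}")
            pvid = sw["pvid"].get(port, 1)   # switches default the PVID to VLAN 1
            if pvid not in vlans:            # ingress frames would land in the wrong VLAN
                findings.append(f"{name} port {port}: PVID {pvid} but untagged in {sorted(vlans)}")
    for (sw_a, port_a), (sw_b, port_b) in links:
        a, b = tagged_vlans(plan[sw_a], port_a), tagged_vlans(plan[sw_b], port_b)
        if a != b:                           # a VLAN tagged on one end only is dropped
            findings.append(f"trunk {sw_a}:{port_a}<->{sw_b}:{port_b}: tagged {sorted(a)} vs {sorted(b)}")
    return findings


if __name__ == "__main__":
    for line in validate(PLAN, LINKS) or ["plan is consistent"]:
        print(line)
```

Remove the "pvid": {23: 5} entry and the script reports port 23 with PVID 1 but untagged in VLAN 5, which is exactly the symptom that kept the TV from working.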

Please give me feedback if something is unclear.