Wednesday, March 18, 2015

Using your own router / modem with KPN Glasvezel (fiber)

Well, it all finally works...

I recently switched to KPN Glasvezel and ran into a few limitations (ones a normal user would never notice).
I could no longer set up an IPsec VPN tunnel to my servers or to my backup location. I also saw a slowdown in my internet traffic: my speed was only 70 Mbit down and 65 Mbit up, while I pay for a 100/100 connection.

Part of the slowdown was supposedly caused by the double NAT that was taking place.
So I decided to look into how to solve this. At Ziggo I could have my modem put into bridge mode, but with the Experiabox v9 that turned out not to be possible. There is a guide for doing it with the V8 modem, but I don't have one, and after repeatedly asking KPN and being sent a V9 up to six times, I decided to do it completely differently.

The drawing below shows how I have now set everything up.

I did draw a TV in the picture, but I don't take TV via Ziggo. The TV could also run through the managed switch; there would then be an extra branch with VLAN 4 to the TV decoders. But since I don't need it... I took the easy way out.

Hardware used:
  • Fiber: Genexis modem supplied by KPN
  • Switch: Zyxel GS1900-24E
  • Firewall: Zyxel ZyWall USG-20
  • ExperiaBox: Experiabox V9 supplied by KPN
Information used: Netwerkje.com Eigen Router

KPN delivered everything in working order, meaning: Internet works, telephone works (after pulling a new cable).

On the GS1900-24 I first created the VLANs. The VLAN IDs come from Netwerkje.com:

1 = Default
4 = IPTV
6 = DATA
7 = IP telephony
101 = Client LAN

Then we assigned them to the different ports:
Port 2: VLAN 4, 6 and 7 - trunk - tagged
Port 4: VLAN 6 - trunk - tagged
Port 6: VLAN 4 and 7 - trunk - tagged

Ports 8-24: VLAN 101 - untagged

Cables connected:
Port 2: fiber modem
Port 4: firewall - WAN
Port 6: Experiabox - WAN

Ports 16-24 are used for the in-house cabling.

The ExperiaBox came online neatly for telephony, with a red LED for Internet.

Then came the challenge: bringing up the connection. Since there is very little documentation on how to do this with the ZyWall, I had to figure it out myself. It turned out that the order of the steps is what matters most.

First we create the VLAN on which the internet lives (Configuration -> Network -> Interface, tab VLAN).

Make sure that the VLAN ID is 6,
that the Zone is WAN,
and that the interface is wan1.

This results in the following:


Next we create an ISP account (Configuration -> Object -> ISP Account):

Name: KPN
Protocol: PPPoE
Authentication Type: Chap/PAP
Username: <MAC address of the Experiabox>@internet
Password: kpn
Compression: On

Then we create the PPP connection (Configuration -> Network -> Interface, tab PPP):

Interface Properties
Interface Name: KPN
Base Interface: vlan6
Zone: WAN
---
Connectivity: Nailed-up
---
ISP Setting
Account Profile: KPN
---
IP Address Assignment: Get Automatically

After saving this last setting you will see the connection come online immediately. If it doesn't, click the Connect button.

I hope this is clear and that someone finds it useful in the future.

Wednesday, March 11, 2015

Clean the exchange server logfiles

At a client I found that disks were filling up with log files. Most, but not all, log files were cleared automatically after 7 or 14 days, which left a few log files filling up the disk.


I created a scheduled task that runs every night (after the backup run) and removes all old log files.

It is a PowerShell one-liner (the action of the scheduled task):

powershell.exe Get-ChildItem 'c:\Program Files\Microsoft\Exchange Server\V15\Logging','C:\inetpub\logs' -Directory | Get-ChildItem -Include '*.log','*.blg' -Recurse | ? LastWriteTime -lt (Get-Date).AddDays(-7) | Remove-Item

It walks every sub-directory of the Exchange logging folder and the IIS log folder and removes the .log and .blg files that were last written more than 7 days ago.
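A scheduled task that deletes files deserves a dry run and a record of what it removed. The function below is an added example, not the task from the original post: it runs the same Get-ChildItem pipeline, but supports -WhatIf, takes the age and directories as parameters, skips a file that is still in use (an open log) instead of aborting the whole run, and writes every deletion to a log file. The log file path C:\Scripts\logcleanup.txt is an assumption.

```powershell
# Added example (not the scheduled task from the original post). Same cleanup, but
# with -WhatIf support, a record of what was deleted, and in-use files skipped
# instead of aborting the run. The log file path is an assumption.
function Remove-OldExchangeLogs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Path = @(
            'C:\Program Files\Microsoft\Exchange Server\V15\Logging',
            'C:\inetpub\logs'
        ),
        [int]$Days = 7,
        [string[]]$Include = @('*.log', '*.blg'),
        [string]$LogFile = 'C:\Scripts\logcleanup.txt'   # assumed location
    )

    $cutoff  = (Get-Date).AddDays(-$Days)
    $removed = 0
    $skipped = 0
    $bytes   = 0

    # Same enumeration as the one-liner: every sub-directory of each logging root,
    # then the log/perf files that have not been written to for $Days days.
    Get-ChildItem -Path $Path -Directory -ErrorAction SilentlyContinue |
        Get-ChildItem -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            $file = $_
            # With -WhatIf this only prints what would be removed.
            if ($PSCmdlet.ShouldProcess($file.FullName, "Remove (last write $($file.LastWriteTime))")) {
                try {
                    Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                    $removed++
                    $bytes += $file.Length
                    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) removed $($file.FullName) ($($file.Length) bytes)"
                } catch {
                    # Typically "file in use": leave it for the next night rather than stop the run.
                    $skipped++
                    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) skipped $($file.FullName): $($_.Exception.Message)"
                }
            }
        }

    $mb = [math]::Round($bytes / 1MB, 1)
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) done: $removed removed, $skipped skipped, $mb MB freed"
    [pscustomobject]@{ Removed = $removed; Skipped = $skipped; MegabytesFreed = $mb }
}

# Test first, then schedule the second line:
# Remove-OldExchangeLogs -WhatIf
# Remove-OldExchangeLogs -Days 7
```

Run the -WhatIf form interactively under the account the scheduled task will use; that also confirms the account has delete rights on both directories before anything is removed.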

Monday, February 2, 2015

Outlook for Android and iOS


A lot of sites are now reporting on the insecurity of the Outlook application that appeared in the Apple App Store on January 29th (Warning – Microsofts Outlook app for iOS breaks your company security) and (Microsoft Wants to Improve Your Mobile Email Experience with the New Outlook for iOS and Android). It is the same application (with some rebranding) as the Acompli app, which Microsoft has since purchased.

What is the problem with this app?
It is a good app. It looks very neat, but to do what it does it needs a little something from you, and it stores that information on servers in the cloud (currently at AWS, soon Microsoft Azure).
What is this information it needs? .... Your username and password.
What does it do with this information? .... It starts downloading your entire mailbox and caches it in the cloud.
Why is this a problem? .... For a private person, not so much.... You probably share everything on Facebook, Twitter, etc. anyway, and don't have secrets in your mail that other parties or agencies are interested in.... But for companies this can be a large issue. They usually have something in place called a company security policy. This policy mostly states the following:

  • The device must have a PIN code or password
  • The device must be encrypted
  • If the device is lost it must be wiped
  • etc.

None of these are possible with the new app. An app cannot set device settings such as encryption and passwords. A wipe is not possible either (in some cases the mailbox is reported to be removed)....


What to do now?
Firewall
Block the application from entering your network. If possible, do this on your firewall with a User-Agent filter.
Filter on the following user agents:

  • Outlook-iOS-Android
  • Outlook for iOS and Android

Exchange (Exchange 2010 and higher)
You can also add a device access rule on your Exchange server that blocks the app from the mail environment:
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block
See also: Block or Quarantine the Outlook for iOS and Android App in Exchange Server and Office 365
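Before creating the block rule it is worth knowing which mailboxes already have a partnership with the app, since those users will notice. The script below is an added example, not code from the original post: it lists existing partnerships whose DeviceModel matches the app, creates the block rule only if it does not exist yet, and optionally removes the existing partnerships. It assumes the Exchange Management Shell with Organization Management rights.

```powershell
# Added example, not code from the original post. Run in the Exchange Management
# Shell (Exchange 2010 or later) as a member of Organization Management.

$model = 'Outlook for iOS and Android'   # DeviceModel the app reports over ActiveSync

# 1. Inventory first: which mailboxes already have a partnership with the app?
#    You will want to tell those users why their mail stops syncing.
$partnerships = Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $model } |
    Select-Object Identity, UserDisplayName, DeviceId, DeviceUserAgent, FirstSyncTime, DeviceAccessState
$partnerships | Format-Table UserDisplayName, DeviceUserAgent, FirstSyncTime, DeviceAccessState -AutoSize

# 2. Create the block rule, unless one for this DeviceModel already exists
#    (a second rule with the same Characteristic/QueryString pair is rejected).
$rule = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $model }
if (-not $rule) {
    $rule = New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString $model -AccessLevel Block
}
$rule | Format-List Name, Characteristic, QueryString, AccessLevel

# 3. Optional: remove the existing partnerships so the state is clean. With the rule
#    in place the app cannot create working new ones; check afterwards that the
#    devices are gone or show DeviceAccessState "Blocked" after their next sync attempt.
foreach ($p in $partnerships) {
    Remove-ActiveSyncDevice -Identity $p.Identity -Confirm:$false
}
```

The rule matches the exact DeviceModel string, so re-run the inventory after an app update: if Microsoft changes what the app reports, the rule silently stops matching.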

Future
Microsoft is actively updating and modifying this application, so it is important to keep an eye on the changes that will occur in it.
I do think the application has a lot of potential and is the way to go, but some issues have to be resolved first. For now: "Hands off".

Tuesday, January 20, 2015

Exchange services

Today I was at a client who had an issue with their Exchange environment. They were installing updates, and one of the Exchange servers was giving trouble afterwards.
When I logged on to the server I noticed that all services were disabled, and since I am lazy I scripted the recovery ;-)

I thought I'd share it with you. Maybe a check could be added beforehand to see whether a service is running or not, or whether it is really disabled, but mostly this is a quick fix for your Exchange environment.

# Set the startup type back to Automatic for the Exchange services and the services they depend on
Get-Service "MSExcha*" | Set-Service -StartupType Automatic
Get-Service HostControllerService | Set-Service -StartupType Automatic   # Exchange Search Host Controller
Get-Service wsbexchange | Set-Service -StartupType Automatic             # Windows Server Backup extension for Exchange
Get-Service FMS | Set-Service -StartupType Automatic                     # Filtering Management Service
Get-Service W3SVC | Set-Service -StartupType Automatic                   # IIS (World Wide Web Publishing)
Get-Service IISADMIN | Set-Service -StartupType Automatic
Get-Service pla | Set-Service -StartupType Automatic                     # Performance Logs & Alerts
Get-Service RemoteRegistry | Set-Service -StartupType Automatic
Get-Service SearchExchangeTracing | Set-Service -StartupType Automatic
# POP3 and IMAP4 are Manual by default; leave them that way unless you use them
Get-Service MSExchangeImap4, MSExchangeImap4BE, MSExchangePop3, MSExchangePop3BE | Set-Service -StartupType Manual

# Start the dependencies first, then every Exchange service that is set to start automatically
# (Get-Service has no -StartupType parameter; the start mode comes from Win32_Service)
Get-Service HostControllerService, FMS | Start-Service
Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'MSExcha%' AND StartMode = 'Auto'" |
    ForEach-Object { Start-Service -Name $_.Name }
Get-Service wsbexchange, W3SVC, WinRM, pla, RemoteRegistry, IISADMIN, SearchExchangeTracing | Start-Service
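The check the post wishes for ("was this service really disabled, or was it Manual to begin with?") needs a record of the state before the update. The script below is an added example, not the original fix: it saves the startup type of every service before patching, shows what changed afterwards, and restores only those services, so a service that was deliberately set to Manual or Disabled before the update is left alone. The snapshot path C:\Scripts\services-before-update.xml is an assumption.

```powershell
# Added example, not the original script. Snapshot the startup type of every
# service before patching, compare afterwards, and restore only what changed.
# The snapshot path is an assumption.

$snapshot = 'C:\Scripts\services-before-update.xml'

function Save-ServiceStartup {
    param([string]$Path = $snapshot)
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) on every PowerShell
    # version found on an Exchange server.
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, StartMode, State |
        Export-Clixml -Path $Path
}

function Compare-ServiceStartup {
    param([string]$Path = $snapshot)
    $before = Import-Clixml -Path $Path
    $nowByName = @{}
    foreach ($s in Get-WmiObject -Class Win32_Service) { $nowByName[$s.Name] = $s }
    foreach ($b in $before) {
        $n = $nowByName[$b.Name]
        # Report only services whose start mode differs from the snapshot
        if ($n -and $n.StartMode -ne $b.StartMode) {
            [pscustomobject]@{ Name = $b.Name; Before = $b.StartMode; After = $n.StartMode; State = $n.State }
        }
    }
}

function Restore-ServiceStartup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $snapshot)
    # Win32_Service StartMode names map to Set-Service -StartupType values;
    # Boot/System drivers are not touched.
    $map = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    foreach ($d in Compare-ServiceStartup -Path $Path) {
        if (-not $map.ContainsKey($d.Before)) { continue }
        if ($PSCmdlet.ShouldProcess($d.Name, "startup $($d.After) -> $($d.Before)")) {
            Set-Service -Name $d.Name -StartupType $map[$d.Before]
            # Services that were automatic before the update are started again as well
            if ($d.Before -eq 'Auto' -and $d.State -ne 'Running') {
                Start-Service -Name $d.Name -ErrorAction Continue
            }
        }
    }
}

# Before installing updates:   Save-ServiceStartup
# After the reboot:            Compare-ServiceStartup | Format-Table -AutoSize
#                              Restore-ServiceStartup -WhatIf ; Restore-ServiceStartup
```

Keep the snapshot on the server itself; if the update run is scripted, make Save-ServiceStartup the first step so the comparison afterwards is against the state you actually started from.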

Monday, August 11, 2014

How to operate a secure Synology system...

With the current hype around the outbreak of #SynoLocker, ransomware that encrypts all your files and only allows decryption after paying a ransom fee ($400), it is good to have your Synology protected as well as possible, reducing the attack surface (the ways people can compromise it) to a minimum without losing any end-user usability and ease.

In the various forums you find the following advice:
* Disable the default Admin Account
* Change the default ports on the services
* Use SSL
* Don't use 3rd party applications
* etc.

Below I describe what is in my opinion a good way to protect your Synology from attacks. I will be using 3rd-party applications from the SynoCommunity repository.
The starting point is an up-to-date Synology system on which you are logged on as an admin user (admin, or a different user with admin rights).

Below are the links to a series of posts to secure your Synology:
1. Make sure your Synology is up to date
2. Publish the applications through HAProxy
3. More to come..

Synology : Publish through HAProxy

This is the second article in a series on securing your Synology NAS.

HAProxy lets users reach applications on the NAS without opening additional ports in the firewall. Because the applications are no longer reachable on the ports they normally listen on, and you need to know the exact URL to use, it is harder to exploit a bug in the software (as with SynoLocker). Keep in mind that this hides the application rather than fixes it; updates (part 1 of this series) still matter.
If you use the Synology DDNS service you can put names in front of the DDNS name to reach the individual services.
For instance, https://dsm.mydemonas.synology.me would take me to the admin interface of my NAS.

To achieve this we need to install an additional package, HAProxy. It is available from the SynoCommunity repository at http://packages.synocommunity.com

This tutorial walks you through the following:
1. Add the repository
2. Prepare the NAS for the application
2.a Install a certificate
2.b Enable SSH
3. Install the application and its prerequisite
3.a Some problem fixing
4. Conclusion

I hope this will help you ;)

Add the repository
First open the package center:

In Package Center select Installed and click the Settings button.

Click Add and fill in the following information:
Name: SynoCommunity
Location: http://packages.synocommunity.com


On the left-hand side click Community and then Refresh.



A lot of packages will appear here.



Create a Certificate
Before we install HAProxy we first update the certificate and enable SSH.

Go to Control Panel


 Open Security


Click on the TAB Certificate


Click on Create Certificate

In this tutorial we create a self-signed certificate. If you have a valid certificate you can import it here, or you can create a certificate signing request to send to a certificate authority.

Fill-in your information

As Common Name, fill in the DNS name you want to use (the Synology DDNS service can provide you with one). You can add the local IP address in the Subject Alternative Name field. Click Apply.



Enable SSH
Since the custom HAProxy configuration is only reachable from the command line, we must enable SSH to connect to the NAS.

Open Control panel

Open Terminal & SNMP
Select Enable SSH service and click Apply

Installation of the Package

Now we can install HAProxy. Since it requires Python 2.7 or higher, we install Python first.
Open Package Center

 Select Community

Look for the package python and click install

Wait until the installation is finished

Look for the application HAProxy and click install

HAProxy uses a username and password to protect its status page. Enter those here.
The default is admin / admin; change it, because the status page is reachable by anyone who can reach HAProxy.
Click Next

Make sure the checkbox is ticked to run the application, and click apply

With version 1.5-dev25-12 there is a problem in the configuration that prevents the application from running. We can fix it ourselves.

Download PuTTY

Open the downloaded program and connect to the IP address of your NAS over SSH.
The username is always root
The password is your admin password

Change the current folder to /volume1/@appstore/haproxy/var and open the file haproxy.cfg.

Commands:
  cd /volume1/@appstore/haproxy/var/
  vi haproxy.cfg

When the file opens, scroll down to the section "backend gateone".
Add "verify none" to the server line: press i,
type the words on the line, press ESC,
then type :wq [ENTER]

Note that "verify none" tells HAProxy not to verify the TLS certificate of that backend. That is tolerable here only because the backend runs on the NAS itself; don't copy it to server lines that point at other hosts.

Now the package will run when we start it.

Conclusion
HAProxy natively runs on ports 5080 and 5443.
You can change these ports in the configuration file, or change your firewall (router) to forward requests coming in on ports 80 and 443 to the HAProxy ports. By default the applications are only published over the HTTPS (5443) port. You could copy those lines to the HTTP (5080) section, but that makes it less secure!!
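To make the routing concrete, here is an added example of what the relevant part of haproxy.cfg looks like for the setup described above. It is not the file the SynoCommunity package ships; it assumes the hostname dsm.mydemonas.synology.me from the example above, a combined certificate-plus-key PEM file at /volume1/@appstore/haproxy/var/crt/dsm.pem, and DSM listening on its default HTTPS port 5001 on the NAS itself.

```haproxy
# Added example configuration (not the file shipped by the SynoCommunity package).
# Assumptions: hostname dsm.mydemonas.synology.me, a combined cert+key PEM at
# /volume1/@appstore/haproxy/var/crt/dsm.pem, DSM on its default HTTPS port 5001.
global
    daemon
    maxconn 256

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public_https
    # The certificate created in Control Panel > Security, exported as one PEM file
    bind *:5443 ssl crt /volume1/@appstore/haproxy/var/crt/dsm.pem no-sslv3
    # Route on the Host header only. A request that does not name a published
    # hostname matches no backend and is answered with 503 instead of reaching DSM.
    acl host_dsm hdr(host) -i dsm.mydemonas.synology.me
    use_backend dsm if host_dsm
    # deliberately no default_backend

frontend public_http
    bind *:5080
    # Do not publish applications over plain HTTP; send clients to HTTPS instead
    # (this relies on the router forwarding 443 -> 5443 as described above).
    redirect scheme https code 301

backend dsm
    # DSM uses a self-signed certificate on 5001; "verify none" skips checking it,
    # acceptable only because this hop stays on the NAS itself (127.0.0.1).
    server dsm 127.0.0.1:5001 ssl verify none
```

Each additional application gets its own acl/use_backend pair and its own backend block pointing at the local port that application listens on; the port itself stays closed on the router.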

Synology : Make sure it is up to date and you are informed of updates.

My first article in the series is the advice to make sure your system is always up to date. Synology's press release states that the current versions of the software were NOT vulnerable to this virus. So first we make your system send you e-mail when there is an update for your Synology.

Click on the start button (Top Left corner) and open Control Panel

Open Notification



If you have the details for sending e-mail through an SMTP server (mail server), you can enter them on the first tab (Email).

Be sure to test the configuration. 


If you don't have access to an e-mail server to send the e-mails, you can use Synology's notification e-mail server instead. You find this on the "Push Service" tab.
Fill in your e-mail address and click Apply; after a few seconds a new button "Send verification mail" appears. Click it, open your mailbox and click the verification link in that e-mail.
E-mail notifications will now be sent.

On the "Advanced" tab you can select which notifications you want to receive. I have selected all of them.



In the left menu go to "Update & Restore", click the "Update Settings" button, and make sure the system checks for all new updates and that the box to check for and download these updates is ticked.


Next close all the open pages, and open the Package Center

When the Package Center opens click on the Settings button

Make sure both options are selected on the General Tab

On the tab Auto Update you can choose to Auto Update the Synology Packages

Now you will receive emails if there are updates available for your Synology System or applications.

Thursday, June 5, 2014

Apple OS X 10.10 Yosemite: sluggish and unresponsive, or snappy as expected?

Last week Apple presented Mac OS X 10.10, code name Yosemite, now with better integration with your phone and iPad.... Of course I had to try this, so I installed iOS 8 on my phone(s) and OS X 10.10 on my Mac.

And then the troubles began... Not on the phone, but on my Mac. It was unresponsive, memory hogging and thoroughly terrible. I even considered reverting to OS X 10.9 Mavericks.
But I am not a quitter, so the search for a solution started...

Side note: there is an NDA on OS X 10.10, so there is little to be found on the internet about it and the problems people run into.

When I looked at resource usage I couldn't find anything off, other than kernel_task using a lot of memory... But whenever I switched between applications the screen froze and a colourful spinning beach ball took the place of my cursor. Since I have a lot of tweaks installed, I instantly started blaming them and cleaned them off my system. But that didn't solve anything...

Maybe it was the add-ins I use, such as Dropbox and Bitcasa... so I deleted those. Still no response from my system.
In the meantime a forum thread was started for Yosemite where people began sharing their problems. There someone wrote that he had an unresponsive system and no sound. I had sound, but it was still worth a look (http://forums.macrumors.com/showthread.php?t=1740460). In that thread it was suggested to remove a driver from a third-party add-on.
I checked whether I had the same driver on my system, but no such luck.

Off to more digging into this issue, but still no luck in finding anything. Resetting the SMC and PRAM didn't help, nor did all the other suggestions found on the internet for versions since 10.5.

At that point I started looking at all open processes and applications. All tweaks were already removed, but legitimate applications such as VMware Fusion, Parallels and Microsoft's were still on my machine. Only one application was still running, and that was Parallels Access. I had never used it and had always thought it was part of Parallels itself.
So I searched for problems between Yosemite and Parallels Access, but couldn't find any. I did find a post saying it is an agent that lets you use your iPad to control the Mac (http://forums.macrumors.com/showpost.php?p=18300289&postcount=25). Since it is not something I use, and I was in a pentesting class where we had just learned not to have anything installed that you are not using, since it might get attacked, I decided to uninstall the agent. The post linked to a Parallels knowledge base article on how to remove it (http://kb.parallels.com/en/117142), which includes a script (Parallels Access Uninstall script) to remove the software. Just run the script with sudo from Terminal and it is gone...

One reboot later my system was responsive, snappy and nice to work with again..

I am not going to share any details and screenshots just yet, but I like that I can answer SMS texts on my laptop now :)

Monday, February 4, 2013

When you logon to Facebook....


When you log on to Facebook you get the question: "How is it going, Bas?"...
Today I felt like answering the question. Below is my answer.
Dear Facebook,

Thank you for asking... I am currently recuperating from a very hectic weekend.

I started the final migration of a Dutch company on Friday. It was the end of 4 months of preparation. But although we didn't invite Murphy, he decided to show up anyway...
Over the past 4 months our migration efforts had been brought back to 7 or 8 scripts running at scheduled intervals. Daily manual checks were done on the log files and runtimes, and we were very confident that the migration would be a success.

And there was Murphy and his Law (the prick).
Everything that could go wrong went wrong. Scripts failed to complete due to offline databases, disabled users and rebooting servers.... (Who forgot to tell the support team to suspend the maintenance windows?)
Nothing is more frustrating than working on fixing a script to adapt to the new situation, having found the solution, and then some ass decides to reboot the server you are working on...

So on Friday I clocked a 14-hour workday (the hours after 12 count for Saturday) to have finally migrated everything.... Or so we believed... I was glad to have taken an hour off to visit Tian Dao to be treated for my high blood pressure; that was very relaxing... Thanks for that...

Saturday morning, after about 3 hours of sleep, I started checking the log files and found that all steps had completed successfully. Ahhhh, weekend, was the thought... and cue Murphy..

In this company there are strict naming rules for users.... which of course are not followed. So when you want to migrate Jan Jansen you look for j.jansen, conforming to the naming standard... and migrate someone else entirely, since Jan's logon name was JanJ... And you wonder why you cannot find him...

So after another long day (again 14 hours on the clock) we went to bed... for a night's rest... And a good night's rest it was..

Sunday, fun day... Yeah.. last day of the migration.. In the input list we found that several users had not been given a forwarding address to the new mail, and since a script flawlessly processes what you feed it, mail for those users was not forwarded.. Works as designed, but not as desired... So the troubleshooting starts... and the re-migration of those accounts.. But I managed to make it a shorter day, and after sleeping in I only clocked 8 hours of aftercare.

After a handover to my colleague for the aftercare on Monday, I went to bed for a good night's rest....

And a good night's rest it was...

So to answer your question, Facebook: I am doing alright. A bit tired, but fulfilled by a job well done...

And now back to work to finish these reports that are due..

Good day,

Bas Steelooper

Friday, January 25, 2013

In the pocket: Core Solutions of MS Exchange Server 2013 Customer Preview

Today I saw that another IT pro passed his exam, and I thought about the beta exams I did for Microsoft Exchange 2013...

So I took a little trip to https://www.register.prometric.com/CandidateHistory.asp and found out that I passed the "Core Solutions of MS Exchange Server 2013 Customer Preview" (071-341) exam... Too bad that I failed the "Advanced Solutions of MS Exch Serv 2013 Customer Preview" (070-342) exam..

Given the lack of hands-on experience, since I couldn't install Exchange 2013 in my Exchange 2010 environment, I think I did rather well by only reading everything there is on TechNet and other tech blogs...

I hope to find the time to install Exchange 2013 in my environment soon and update all my scripts to this version...