MDT 2013: Bootstrap.ini

Suppose your BootSettings.ini file has been modified. Remember that when you update your deployment share, ensure you select the option labeled “Completely regenerate the boot images.” Otherwise the .wim file will retain the old BootSettings.ini and your changes will not be read upon boot.

AWS VPC BGP Configuration Note

So you’ve configured your customer gateway to advertise your internal networks to your AWS virtual gateway, and can confirm that internal traffic is being forwarded through the tunnels towards Amazon, yet none of this traffic reaches your instances within the VPC.

This is because the virtual gateway will not automatically install any routes being advertised by your on-premises customer gateway! You must define these networks by hand in the Routes section of your VPC.

To confirm this you can use CloudWatch to monitor the network interfaces of your instances and gateways.

Get WAN IP Address on Edgerouter

The WAN interface is configured with DHCP, so its address changes constantly. I wanted to build a script that would determine the IP address and upload it to a remote server using sftp or scp.

This is incomplete right now; it lacks the upload ability.

Schedule the script to run every 15 minutes using cron.

#!/bin/bash

# Print layer 2 and 3 interface statistics to a file
ifconfig pppoe0 > pppoe.txt

# Keep only the lines that include IP addresses, then remove pppoe.txt
awk '/inet/' pppoe.txt > addresses.txt
rm pppoe.txt

# Print the 2nd colon-separated field (the text after "addr:")
awk -F: '{print $2}' addresses.txt > address.txt
# Remove addresses.txt, no longer needed
rm addresses.txt

# Extract the IP address from the string: dots are escaped so they only
# match literal dots, and each octet is 1-3 digits
temp=$(<address.txt)
echo "$temp" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
# Remove address.txt, no longer needed
rm address.txt
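As an added example (not the post's own script), the same extraction done without temp files, plus the piece the post says is missing: a state file so the cron job only uploads when the address actually changed. The interface name, state file path and scp target are assumptions; the ifconfig text is constructed for testing.

```shell
#!/bin/sh
# Added example, not the post's script: pull the WAN IPv4 address out of
# "ifconfig <iface>" output and only report it when it changed since the last
# cron run, so the upload step fires on change instead of every 15 minutes.
# The interface name, state file and remote target below are assumptions.

# Constructed sample of EdgeOS-style "ifconfig pppoe0" output for testing.
SAMPLE_IFCONFIG='pppoe0    Link encap:Point-to-Point Protocol
          inet addr:203.0.113.42  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

# Print the first IPv4 address on an "inet" line of the ifconfig text in $1.
# Handles both "inet addr:A.B.C.D" (net-tools) and "inet A.B.C.D" (newer)
# forms, and fails (exit 1) unless the result is a dotted quad.
wan_ip_from_ifconfig() {
    printf '%s\n' "$1" \
      | awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Record $1 in state file $2; return 0 if it differs from the stored value
# (or nothing was stored yet), 1 if unchanged.
ip_changed() {
    ip=$1
    state=$2
    if [ -f "$state" ] && [ "$(cat "$state")" = "$ip" ]; then
        return 1
    fi
    printf '%s\n' "$ip" > "$state"
    return 0
}

# Cron entry point (assumed invocation): ./wanip.sh --run
if [ "${1:-}" = "--run" ]; then
    STATE=/var/tmp/wan-ip.last                    # assumed state file location
    REMOTE='backup@example.invalid:wan-ip.txt'    # placeholder scp target
    ip=$(wan_ip_from_ifconfig "$(ifconfig pppoe0 2>/dev/null)") || exit 1
    if ip_changed "$ip" "$STATE"; then
        scp -q "$STATE" "$REMOTE"                 # upload only on change
    fi
fi
```

Using a key-based scp account that can only write that one file keeps the router's credentials for the remote server minimal.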

Ubiquiti Edgerouter Site-to-Site VPN with BGP Notes

Following Ubiquiti’s documentation is tricky, as it currently refers to EdgeOS 1.7, while EdgeOS 1.8 ships a new version of strongSwan that deprecates the show vpn ike sa command.

I discovered this via a Ubiquiti forums thread. It is worth repeating what was mentioned there: in EdgeOS 1.8 the command show vpn ipsec sa now includes all the information the deprecated show vpn ike sa provided.

Linux Packet Capture

Capture 1000 packets on interface eth0 and save them to packets.pcap
~$ tcpdump -i eth0 -c 1000 -w packets.pcap

View a packet capture from the CLI
~$ tcpdump -r packets.pcap

Capture just TCP packets on interface eth0
~$ tcpdump -i eth0 tcp

Capture packets to and from port 22
~$ tcpdump port 22

Capture packets from a specific source IP address
~$ tcpdump src 172.31.3.1

Capture packets destined for a specific IP address
~$ tcpdump dst 172.31.5.1

Ubiquiti Edgerouter PPPoE

So a few days ago I moved a DSL line over to eth0 on the Edgerouter Pro to serve as the WAN link. Previously a cable modem from Charter provided ethernet connectivity on eth0.

Before addressing what needs to be configured on the router I wanted to briefly summarize what typically happens when you’d like to use your router and firewall instead of that built-in to your modem.

Put the modem into bridge mode. This configures a DHCP server on the modem that will hand out addresses to any interface connected. Over ethernet, a pppoe client will be used to obtain an IP from your ISP. In this example eth0 was/is the ethernet WAN interface and pppoe0 is configured with our username and password to dial-into the DSL ISP.

Changes required on the Edgerouter Pro.

First, the Edgerouter Pro uses a zone-based firewall, and it occurred to me that while the wan zone had interface eth0 assigned to it, the pppoe0 interface also needed to be assigned to my wan zone policy.

#set zone-policy zone wan interface pppoe0
#commit

Second, NAT was being performed on interface eth0, when it should reflect the fact that pppoe0 is now my gateway interface.

#set service nat rule 5010 description "Masquerade to WAN via pppoe0"
#set service nat rule 5010 log enable
#set service nat rule 5010 outbound-interface pppoe0
#set service nat rule 5010 type masquerade
The specified configuration node already exists
[edit]
#commit

Big thanks to the Ubiquiti forums member mrjester and Ubiquiti employee UBNT-Stig for their valuable contributions.

Resources:

ERL pppoe client connection established but no network access

Basic SOHO Home Config

Procurve disable LLDP per port

View the LLDP config of your switch.

lldp admin-status

The following command disables HP’s Link Layer Discovery Protocol ( LLDP ) on a specific port list.

Example:
lldp admin-status 4 disable

With LLDP enabled the switch periodically broadcasts information about itself, including its hostname and management address. You would likely want to disable this on any port whose far-end host does not need to hear this traffic, such as the port facing your WAN.

Thanks to Packet Pushers

Palo Alto SSL Forward Proxy Connection Reset

Setting up a Palo Alto firewall I ran into a roadblock when attempting to configure SSL Decryption on outbound requests from clients.

Before attempting SSL decryption, clients sitting behind the Palo Alto were able to reach HTTP and HTTPS websites after I configured a Security Policy on the firewall that permitted the application categories web-browsing and ssl.

Following the documentation and watching this video helped me learn how to configure SSL Decryption using a Forward Proxy. Unfortunately I made a mistake. See, my first Security Policy was named “Permit HTTP and HTTPS” and was configured to permit web-browsing and ssl application category traffic.

When I ran show session all I discovered that traffic associated with a client machine was getting dropped because it matched the new (as of PAN-OS 6.1) Interzone Security Policy, which is configured by default to drop traffic.

So, make sure Security Policy #1 is named Untrusted to Trusted, with source and destination zones set; User may be user or known-user. Do not specify any application categories.


Windows Server Backup Email

I wanted to receive an email every day giving notice that my scheduled Windows Server Backup routines finish with success or failure. The wbadmin utility lacked all the features to do my job quickly and painlessly; it can only send emails using SMTP servers that do not require authentication.

I was hoping to use wbadmin to send an email after the utility finishes, but no luck as there was no way to configure this when creating the backup schedule.

As a result I decided to create a couple of scheduled tasks that react to event IDs written to the Windows-Server-Backup Operational log. To learn more about this part, see this article I relied on. In summary, I created two scheduled tasks, one for success and one for failure, each of which calls the script that sends the email.

I then built a prototype in PowerShell that handles authentication with the SMTP server, in our case Google Apps for Education. Included below is my script, cobbled together from the work of Chris Mugglie contributed on Stack Overflow.

$EmailFrom = "backupsadmin@corp.net"
$EmailTo = "biokode@corp.net"
$Subject = "Server 2 Backup Failed"
$Body = "Server 2 Backup Failed"
$SMTPServer = "smtp.gmail.com"
# Submission port 587; EnableSsl turns on STARTTLS for the session
$SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
$SMTPClient.EnableSsl = $true
# Credentials of the mailbox used to authenticate to the SMTP server
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential("backupmonitor@corp.net", "idreamofbacon")
$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)

OK, so I can only format all the text from the code above down as one format, not good!

Need to launch the PowerShell script this way in the scheduled task: powershell.exe -file "C:\scripts\sendemail.ps1"