All Posts By

verdegemn

Finally, a pfSense VPN Guide that works!

I’ve been tinkering with IPSec on pfSense for a while, but struggled to find a solution which worked for a range of devices reliably. Happily, I have found a guide which I’ve tested on Windows, Android and iOS.

So thanks to Kliment Andreev for writing this guide. https://blog.andreev.it/?p=3617

The only thing I did have to do (and this may be related to my specific config) was manually add the IPSec rules to the WAN interface.

pfSense WAN Interface rules for IPSec

Here you can see that I have three rules: one for the ESP traffic, then two UDP rules whose destination ports are NAT-T and ISAKMP respectively. Note that NAT-T and ISAKMP are pre-defined port aliases in pfSense, so you don’t have to define the port numbers manually.
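As an added check (my own example, not part of this post or Kliment's guide), the script below confirms from a shell on the firewall that the three inbound WAN rules described above are actually loaded. It greps `pfctl -sr` output; the sample ruleset embedded in it is constructed, and the interface name (em0) and address (203.0.113.10) are assumptions.

```shell
#!/bin/sh
# Added example: verify that a pf ruleset contains the three inbound WAN rules
# the post describes (ESP, UDP ISAKMP, UDP NAT-T). Feed it `pfctl -sr` output
# on pfSense; the text below is a constructed sample, not a capture.
# The interface name (em0) and address (203.0.113.10) are assumptions.

SAMPLE_RULES='pass in quick on em0 inet proto esp from any to 203.0.113.10 keep state label "USER_RULE: IPsec ESP"
pass in quick on em0 inet proto udp from any to 203.0.113.10 port = 500 keep state label "USER_RULE: IPsec ISAKMP"
pass in quick on em0 inet proto udp from any to 203.0.113.10 port = 4500 keep state label "USER_RULE: IPsec NAT-T"
block drop in log on em0 inet all label "Default deny rule IPv4"'

# ipsec_wan_rules_ok WANIF   (ruleset text on stdin)
# Returns 0 when all three pass rules exist for WANIF; otherwise prints the
# missing ones and returns 1. pfctl may print ports numerically or by service
# name (isakmp, ipsec-nat-t), so both forms are accepted.
ipsec_wan_rules_ok() {
    wanif="$1"
    rules=$(cat)
    missing=""
    printf '%s\n' "$rules" | grep -Eq "^pass in .* on $wanif .*proto esp " \
        || missing="$missing ESP"
    printf '%s\n' "$rules" | grep -Eq "^pass in .* on $wanif .*proto udp .*port = (500|isakmp)( |\$)" \
        || missing="$missing ISAKMP(udp/500)"
    printf '%s\n' "$rules" | grep -Eq "^pass in .* on $wanif .*proto udp .*port = (4500|ipsec-nat-t)( |\$)" \
        || missing="$missing NAT-T(udp/4500)"
    if [ -n "$missing" ]; then
        echo "missing WAN rules:$missing"
        return 1
    fi
    echo "all three IPsec WAN rules present on $wanif"
}

# On a live pfSense box:  pfctl -sr | ipsec_wan_rules_ok em0
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_RULES" | ipsec_wan_rules_ok em0
```

Run it after saving the rules in the web UI; if a rule was added to the wrong interface or with the wrong protocol, the output names the missing one rather than leaving you to diagnose a silent IKE timeout on the client.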

FFMPEG HEVC_NVMPI RTMP HLS

Works to produce a (slightly unstable) HLS stream from an incoming stream, using the NVMPI accelerated encoder.

ffmpeg -hide_banner -re -i http://10.10.10.157:5004/auto/v107 -bufsize 16092k -analyzeduration 20000 -probesize 16092 -sn -dn -ignore_unknown -force_key_frames:v "expr:gte(t,n_forced*2)" -map_metadata "-1" -map_chapters "-1" -c:a copy -c:v hevc_nvmpi -num_capture_buffers 8 -x265-params "keyint=50:min-keyint=50:no-open-gop=1:scenecut=0" -level 4.0 -profile:v baseline -preset slow -rc vbr -movflags faststart+frag_keyframe -tag:v hvc1 -f hls -hls_time 2 -hls_list_size 6 -hls_flags delete_segments+append_list+split_by_time -hls_playlist_type event -g 50 /var/www/html/hls/videostream.m3u8

Seems to work fine until there is a network glitch.
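Since the encoder dies on a network glitch, the wrapper below (an added example, not part of the original post) restarts it with a capped, doubling back-off and gives up after a fixed number of failures instead of spinning forever. The ffmpeg command inside run_stream is the post's own; the restart budget, back-off cap and the idea of logging each exit to stderr are my assumptions.

```shell
#!/bin/sh
# Added example: a restart loop around the HLS encoder so a network glitch does
# not leave the stream dead until someone notices. ffmpeg is only invoked from
# run_stream(), so the loop itself can be exercised with any command.
# Restart budget, back-off cap and the stderr logging are assumptions.

INPUT_URL="http://10.10.10.157:5004/auto/v107"    # source stream from the post
HLS_OUT="/var/www/html/hls/videostream.m3u8"      # playlist path from the post
MAX_RESTARTS=${MAX_RESTARTS:-10}                  # assumption: give up after this many failures
MAX_BACKOFF=${MAX_BACKOFF:-60}                    # assumption: longest wait between restarts (s)
BACKOFF_BASE=${BACKOFF_BASE:-2}                   # first wait, doubled after each failure

# supervise MAX COMMAND [ARGS...]
# Runs COMMAND; when it exits non-zero, waits (doubling, capped at MAX_BACKOFF)
# and runs it again, at most MAX times in total. Returns 0 as soon as COMMAND
# exits 0 (a clean stop), 1 when the budget is exhausted. The number of runs
# is left in SUPERVISE_ATTEMPTS for the caller.
supervise() {
    max="$1"; shift
    attempt=0
    wait_s="$BACKOFF_BASE"
    while :; do
        attempt=$((attempt + 1))
        SUPERVISE_ATTEMPTS=$attempt
        if "$@"; then
            return 0
        else
            rc=$?
        fi
        echo "$(date '+%F %T') encoder exited with status $rc (run $attempt of $max)" >&2
        if [ "$attempt" -ge "$max" ]; then
            echo "restart budget exhausted, giving up" >&2
            return 1
        fi
        sleep "$wait_s"
        wait_s=$((wait_s * 2))
        if [ "$wait_s" -gt "$MAX_BACKOFF" ]; then wait_s="$MAX_BACKOFF"; fi
    done
}

# The post's encoder command, unchanged apart from straight quotes.
run_stream() {
    supervise "$MAX_RESTARTS" ffmpeg -hide_banner -re -i "$INPUT_URL" -bufsize 16092k \
        -analyzeduration 20000 -probesize 16092 -sn -dn -ignore_unknown \
        -force_key_frames:v "expr:gte(t,n_forced*2)" -map_metadata "-1" -map_chapters "-1" \
        -c:a copy -c:v hevc_nvmpi -num_capture_buffers 8 \
        -x265-params "keyint=50:min-keyint=50:no-open-gop=1:scenecut=0" \
        -level 4.0 -profile:v baseline -preset slow -rc vbr \
        -movflags faststart+frag_keyframe -tag:v hvc1 -f hls -hls_time 2 -hls_list_size 6 \
        -hls_flags delete_segments+append_list+split_by_time -hls_playlist_type event -g 50 \
        "$HLS_OUT"
}

# Start the stream with:  run_stream
```

Because the playlist is written with delete_segments, a restart simply resumes appending segments to the same .m3u8; players that were mid-stream see a gap rather than a permanently stalled feed.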

Mimecast to Office 365 – Split Routing of Email Domains

We’re currently going through a migration from our existing legacy email provider to using Mimecast as our SPAM filter. We have some services which we can’t interrupt without planning, so need to deploy Mimecast to Office 365 for our ‘user’ domain without disrupting our ‘alerting’ domain. We also need to validate Mimecast configs and setup before impacting on users, so we also have a test domain to verify configuration.

We therefore wanted to add the email filtering staged in the following order over a number of days:
1) Test
2) User
3) Alerting

However, the Mimecast documentation isn’t great for describing split routing of email based upon the senders domain, and essentially assumes that you want to send all email out through Mimecast from the off.

This great article from Antonio Vargas really helped us out in understanding why the rule wasn’t intercepting messages from the domains to send out.

In the Conditions select “Apply this rule if..” > The recipient is located > Outside of the Organization

Once that was applied to our rule, we were immediately able to verify that the test domain could route email through Mimecast from Office 365.

WD My Passport Pro – RClone Backup to Cloud (AWS S3)

I’ve set up my WDMPP to perform a regular cloud sync of my pictures into an Amazon S3 data store, so that whenever it has an internet connection it will sit in the background and upload the pictures.

Note, I’m only backing up photos rather than video, as I intend to run this on a 4G MiFi hotspot and don’t want 4K video uploads to trash my data allowance. I’ll run the risk of losing these in the event of a failure whilst mobile, but it’s something I can live with.

First of all, you need to have rclone installed on your WDMPP, which involves using the SSH terminal. I’ll create a separate article at some point, but there is plenty of information about how to do this on the internet.

Create two files within the root of the hard drive:

/media/sdb1/rclonescript.sh is the script which executes the backup command:

#!/bin/sh
# Copy pictures from the WDMPP disk to the S3 bucket, applying the filter file.
rclone copy /media/sdb1/ AmazonS3:wdmpp.backup/ -v --log-file /media/sdb1/logs/rclone.log --copy-links --ignore-case --filter-from /media/sdb1/filestocopy.txt

Option                                     Meaning
rclone copy                                Use the copy command in rclone
/media/sdb1/                               Source root path to look for data
AmazonS3:wdmpp.backup/                     Destination root path to send data. In this instance I’m using AWS S3, but the same principle should work for other cloud services
-v                                         Verbose mode
--log-file /media/sdb1/logs/rclone.log     rclone logs to this path (note, you’ll need to mkdir the logs directory first)
--copy-links                               Follow symlinks when copying; seems to be required
--ignore-case                              Because WDMPP backs up from a variety of devices, don’t be case sensitive when applying filters
--filter-from /media/sdb1/filestocopy.txt  The filtering definition rclone uses to identify the files to copy

You will need to chmod +x this file to make it executable
chmod +x /media/sdb1/rclonescript.sh

/media/sdb1/filestocopy.txt is the filtering rules.

- /logs/
- /.USB/
- /.wdmc/
- /.wdcache/
- /.DS_Store/
- *.txt
+ *.jpg
+ *.png
+ *.heic
+ *.bmp
+ *.raw
- *

Rule (- = exclude, + = include)   Description
- /logs/                          Exclude the logs path where rclone writes its own log
- /.USB/                          Exclude the system .USB path
- /.wdmc/                         Exclude the system .wdmc path
- /.wdcache/                      Exclude the system .wdcache path
- /.DS_Store/                     Exclude the .DS_Store path
- *.txt                           Exclude any text files (some of my camera devices create text logs which I’m not interested in copying)
+ *.jpg                           Copy any JPEG files with the extension jpg
+ *.png                           Copy any Portable Network Graphics files with the extension png
+ *.heic                          Copy any High Efficiency Image File Format files with the extension heic (these come from my phone)
+ *.bmp                           Copy any bitmap files with the extension bmp (not expecting any of these, but hey)
+ *.raw                           Copy any RAW camera files (my camera uses the .raw extension)
- *                               Exclude anything else

You can obviously change your filters as you need to, for example including video files or whatever else you write to the disk. I had to put the excludes before the includes, as I found it wouldn’t necessarily behave as expected otherwise. This seems to work well for me.
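To see why rule order matters before letting a real upload loose, here is an added example (mine, not the post's and not rclone's own code) that emulates how rclone walks a filter file: top to bottom, first match wins, and an unmatched path is included, which is exactly why the list has to end with "- *". It handles the rule forms used above (anchored directories, unanchored globs, the catch-all) and lowercases both sides to mimic --ignore-case. The sample paths are constructed; for the real matcher, run rclone with --dry-run and the same --filter-from.

```shell
#!/bin/sh
# Added example: a small emulation of how rclone walks a --filter-from file,
# so the effect of rule order can be checked before an upload runs. It covers
# the rule forms the post uses: anchored directory (- /logs/), unanchored file
# glob (+ *.jpg, - *.txt) and the final catch-all (- *), and lowercases
# everything to mimic --ignore-case. It is not rclone's own matcher; for the
# real thing use `rclone copy --dry-run` with the same filter file.

# The post's filter file, embedded verbatim.
FILTER_RULES='- /logs/
- /.USB/
- /.wdmc/
- /.wdcache/
- /.DS_Store/
- *.txt
+ *.jpg
+ *.png
+ *.heic
+ *.bmp
+ *.raw
- *'

# rclone_filter_decision FILTER_TEXT PATH  -> prints "include" or "exclude"
# Rules are tried top to bottom and the first matching one decides; a path no
# rule matches is included, which is why the list must end with "- *".
rclone_filter_decision() {
    rules="$1"
    path=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        sign=${line%% *}
        pat=$(printf '%s' "${line#* }" | tr '[:upper:]' '[:lower:]')
        case "$pat" in
            /*/) # anchored directory: the directory and everything below it
                case "$path" in "${pat#/}"*) ;; *) continue ;; esac ;;
            */)  # unanchored directory: same, at any depth
                case "/$path" in */"$pat"*) ;; *) continue ;; esac ;;
            /*)  # anchored file glob, relative to the source root
                case "$path" in ${pat#/}) ;; *) continue ;; esac ;;
            *)   # unanchored file glob: matched at any depth
                case "/$path" in */$pat) ;; *) continue ;; esac ;;
        esac
        if [ "$sign" = "+" ]; then echo include; else echo exclude; fi
        return 0
    done <<EOF
$rules
EOF
    echo include
}

# Constructed sample paths, relative to /media/sdb1.
for p in "DCIM/IMG_0001.JPG" "logs/rclone.log" "DCIM/notes.txt" "video/clip.mp4"; do
    printf '%-20s %s\n' "$p" "$(rclone_filter_decision "$FILTER_RULES" "$p")"
done
```

Moving "- *" to the top of the file makes every path hit it first, so nothing is copied at all; that is the failure mode behind "it wouldn't behave as expected" when the order is wrong.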

Once you’ve tested that it works, it can be added to cron.
First, create the cron path:

mkdir /var/spool/cron

Then create the crontab:

crontab -e

8 * * * * /media/sdb1/rclonescript.sh >/dev/null 2>&1

In this crontab, it runs the script at minute 8 of every hour. If you’re not sure how to create a cron job, https://crontab-generator.org/ is a great website for building cron lines.
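An hourly cron run and a slow 4G upload can overlap, and two rclone copies walking the same disk at once double the traffic for nothing. The wrapper below is an added example (not from the post) that takes a lock before running rclonescript.sh and skips the run if the previous one is still alive. It uses a mkdir-based lock because that is atomic and needs no flock(1) on the WDMPP; the lock path, the file name lockrun.sh and the exit code 75 (EX_TEMPFAIL) are my choices.

```shell
#!/bin/sh
# Added example: run the backup script under a lock so a cron invocation that
# fires while a previous upload is still crawling over the 4G link does not
# start a second rclone copy alongside it. The lock is a directory created
# with mkdir, which is atomic and needs no flock(1). Lock path, script path
# and the EX_TEMPFAIL status are assumptions for this example.

LOCK_DIR="${LOCK_DIR:-/media/sdb1/.rclonescript.lock}"
BACKUP_SCRIPT="${BACKUP_SCRIPT:-/media/sdb1/rclonescript.sh}"

# run_exclusive COMMAND [ARGS...]
# Takes the lock, runs COMMAND, releases the lock and returns COMMAND's status.
# If another live process holds the lock, returns 75 (EX_TEMPFAIL) without
# running anything. A lock whose recorded PID is gone (power loss, kill -9 of
# the shell) is treated as stale and reclaimed.
run_exclusive() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        holder=$(cat "$LOCK_DIR/pid" 2>/dev/null)
        if [ -n "$holder" ] && kill -0 "$holder" 2>/dev/null; then
            echo "previous run (pid $holder) still active, skipping" >&2
            return 75
        fi
        echo "reclaiming stale lock left by pid '${holder:-?}'" >&2
        rm -rf "$LOCK_DIR"
        mkdir "$LOCK_DIR" 2>/dev/null || return 75
    fi
    echo "$$" > "$LOCK_DIR/pid"
    if "$@"; then rc=0; else rc=$?; fi
    rm -rf "$LOCK_DIR"
    return "$rc"
}

# Crontab entry replacing the post's line (same schedule, now under the lock),
# assuming this file is saved as /media/sdb1/lockrun.sh:
#   8 * * * * /bin/sh -c '. /media/sdb1/lockrun.sh; run_exclusive "$BACKUP_SCRIPT"' >/dev/null 2>&1
```

The PID file inside the lock directory is what lets a run after an unclean shutdown proceed; without it a single power cut mid-upload would block every future backup until someone removed the directory by hand.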

WD My Passport Pro SSD – SMBv2 / Win 10

To enable SMBv2 compatibility on the Western Digital My Passport Pro SSD, so that it supports Windows 10, go through the following steps.

1) Enable SSH access via the admin console
2) Use PuTTY (or another SSH client) to log into the console
3) nano /etc/samba/smb.conf
4) Add the following to the [global] section (the key line is protocol = SMB2):

[global]
workgroup = WORKGROUP
server string = MyPassport Wireless Pro
netbios name = MyPassport
protocol = SMB2

5) Run /etc/init.d/S75smb restart
6) Try to browse to \\<IP of the disk drive>
7) If you can’t log in (username admin), reset the password by typing:
8) /usr/bin/smbpasswd -a admin
   Enter the new password when prompted
9) Finally restart Samba again (per step 5)
10) Profit?

Note, if your username/password isn’t recognised, use [email protected] as the username within Windows.
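Editing smb.conf by hand in nano is fine once, but if you reflash or script the drive it is easy to end up with two protocol lines in [global]. The function below is an added example (not from the post or from WD) that sets a parameter in [global] idempotently: it replaces an existing line for the key or appends one at the end of the section, keeps a one-off .bak copy, and touches no other section. The smb.conf it operates on here is constructed; on the drive the file is /etc/samba/smb.conf as in step 3. In Samba's smb.conf, protocol is a synonym for server max protocol, so the post's setting caps the version at SMB2; the optional second call in the demo also raises server min protocol so SMB1 is refused, which is my addition.

```shell
#!/bin/sh
# Added example: set a parameter inside the [global] section of smb.conf
# without duplicating it, so the edit from step 4 can be repeated or scripted.
# Edits go through a temp file and a one-time .bak copy is kept. The smb.conf
# below is constructed; on the drive the file is /etc/samba/smb.conf.

# set_global_param SMB_CONF KEY VALUE
# Replaces an existing "KEY = ..." line in [global] (case-insensitive key match)
# or appends "KEY = VALUE" at the end of [global] if none exists. Other
# sections are left untouched.
set_global_param() {
    conf="$1"; key="$2"; val="$3"
    [ -f "$conf.bak" ] || cp "$conf" "$conf.bak"
    tmp="$conf.tmp.$$"
    awk -v key="$key" -v val="$val" '
        function emit_pending() {
            if (in_global && !done) { print "\t" key " = " val; done = 1 }
        }
        /^[ \t]*\[/ {                       # any section header
            emit_pending()                  # leaving [global] without a match: append
            in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/)
        }
        in_global && !done && tolower($0) ~ ("^[ \t]*" tolower(key) "[ \t]*=") {
            print "\t" key " = " val; done = 1; next
        }
        { print }
        END { emit_pending() }              # [global] was the last section
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Demonstration on a constructed smb.conf (share name "Storage" is made up).
demo_smb_conf() {
    f=$(mktemp)
    printf '[global]\n\tworkgroup = WORKGROUP\n\tserver string = MyPassport Wireless Pro\n\tnetbios name = MyPassport\n\n[Storage]\n\tpath = /media/sdb1\n\tbrowseable = yes\n' > "$f"
    set_global_param "$f" "protocol" "SMB2"             # the post's setting
    set_global_param "$f" "protocol" "SMB2"             # second call changes nothing
    set_global_param "$f" "server min protocol" "SMB2"  # optional: refuse SMB1 as well
    cat "$f"
    rm -f "$f" "$f.bak"
}

demo_smb_conf
```

Whether refusing SMB1 is acceptable depends on the oldest client you still need; Windows 10 itself ships with SMB1 disabled, which is the reason step 4 is needed in the first place.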

Skype for Business – Audio Conferencing Behaviour

If you have Skype for Business telephony services, including audio conferencing hosted by Microsoft (365), it is worth sharing the current workflow experience, which doesn’t seem to be well documented.


From a host, or moderator perspective, you dial into the meeting using your assigned phone number, shown on your Skype for Business invite.

  1. The Skype Meeting Attendant answers the phone, and asks you to enter the conference ID, followed by the # key.
  2. You enter the meeting number (again, shown on the invite).
  3. You’re prompted to press * if you are the leader; you’d press *.
  4. You enter the PIN assigned to your account.
  5. You’re dropped into the meeting, and your name or number is announced if enabled.

From an end user perspective, the process is pretty much the same, except that if the leader has already joined, they’re not prompted to enter the PIN.

Unlike other ACPs, the control of the service appears to be pretty non-existent, and I think this is by design.  After all, control of the meeting can be done from the mobile app if you’re not near a desktop.
You’re not able to start a meeting recording, as this service is performed by the Skype client, recording into your local computer folder, so if this is required then that is your only option.

I think MS Teams may take a different approach, but I’ve not got my hands on telephony/audio in that product yet.

Replicating Linux Machines across a Network

These commands will replicate a running machine’s disk onto a remote machine.
The source machine can be online and running; the remote machine should be booted from a Linux live image. The destination machine should also have the same or larger disk size than the source machine.

Sending Machine
dd if=/dev/sda bs=16M conv=sync,noerror status=progress | gzip -9 -cf | nc destinationmachineip preferredport -q 10

Receiving Machine
nc -l -p preferredport | gzip -dfc | dd bs=16M of=/dev/sda

It is worth doing some test copies if you have a large image to send, or are on a slow network, altering the block size (bs=) and gzip compression amount (-9).  Particularly on the latter, on a fast network, you may be better off using lower compression, as the CPU cycles required for compression may in fact take longer than sending the data uncompressed or at a lower compression rate.

You can also use other compression programs like pigz to achieve better performance.
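After a clone like this, the check worth doing is to confirm the bytes that landed on the destination are the bytes that left the source. The script below is an added example (not from the post): the two pipelines as functions with the gzip level as a parameter, so the compression trade-off above can be tried quickly, plus a checksum comparison. The nc hop is replaced by a file in the demo so it runs offline; the sample disk contents are constructed. One detail it makes visible: conv=sync pads the final block up to bs with zeros, so the streamed image is longer than the source and the checksum must cover only the source's byte count.

```shell
#!/bin/sh
# Added example: the post's sender and receiver pipelines as functions, plus an
# integrity check to run once the copy finishes. nc is replaced by a file in
# the demo so it runs offline; on real hardware the same functions read and
# write block devices. dd's conv=sync pads the final block up to bs with
# zeros, so the streamed image is slightly longer than the source disk and the
# checksum must cover only the source's byte count.

# image_stream DEVICE [GZIP_LEVEL]: compressed image on stdout (sender side).
# Add status=progress to the dd options for a progress meter on GNU dd, as in
# the post; it is left out here so the function also works with busybox dd.
image_stream() {
    dd if="$1" bs=16M conv=sync,noerror 2>/dev/null | gzip -c -f "-${2:-9}"
}

# image_restore DEVICE: compressed image on stdin, written to DEVICE (receiver).
image_restore() {
    gzip -d -f -c | dd of="$1" bs=16M 2>/dev/null
}

# checksum_prefix PATH NBYTES: CRC and length of the first NBYTES of PATH.
checksum_prefix() {
    head -c "$2" "$1" | cksum
}

# verify_clone SRC DST: returns 0 when DST starts with exactly the bytes of SRC.
# On the real machines, run checksum_prefix on /dev/sda on each side with the
# source's size (blockdev --getsize64 /dev/sda on the source) and compare.
verify_clone() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$(checksum_prefix "$1" "$size")" = "$(checksum_prefix "$2" "$size")" ]
}

# Offline demonstration with constructed disk contents (plain files stand in
# for /dev/sda on both sides).
demo_local_clone() {
    d=$(mktemp -d)
    yes 'constructed sample disk contents' | head -c 200000 > "$d/src.img"
    image_stream "$d/src.img" 1 > "$d/stream.gz"       # level 1: fast, as for a fast LAN
    image_restore "$d/dst.img" < "$d/stream.gz"
    if verify_clone "$d/src.img" "$d/dst.img"; then
        echo "clone verified: $(wc -c < "$d/src.img" | tr -d ' ') bytes match"
    else
        echo "clone MISMATCH"
    fi
    rm -rf "$d"
}

# Real use, same effect as the post's commands:
#   sender:   image_stream /dev/sda 9 | nc destinationmachineip preferredport -q 10
#   receiver: nc -l -p preferredport | image_restore /dev/sda
# nc performs no authentication, so whoever can reach the listening port can
# write to the receiver's disk; run this on an isolated segment or tunnel it
# over ssh.

demo_local_clone
```

Comparing only a prefix also explains the "no space left on device" that dd on the receiver may print at the very end of a same-size disk: it is the zero padding failing to fit, not lost data.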

Booting Windows 2016 on HP G8 Microserver MicroSD Card

As good as FreeNAS has been, most of the clients on my home network are Windows based and speak CIFS/SMB, and I’ve not had great success with FreeNAS reliably/stably serving these protocols. Under load, the shares sometimes lock up and stop responding, and permissions can be a bit hit and miss.

FreeNAS support forums drink their own special brand of Kool-Aid, so I’ve decided to try Windows, which, whilst being part of its own Borg collective, has a much wider base of users and obviously native integration with my client base. So I’m piloting Windows Server 2016 with its various storage capabilities to see how it compares.
I’ve got a HP Microserver G8 which as well as 4 disk trays, supports a fifth SATA device via an additional ODD port, an internal USB and a MicroSD port, as well as various external USBs.
My FreeNAS is a previous N54L Microserver, which installs and boots easily to a USB drive, but Windows is a bit more pig-headed at booting from USB/MicroSD devices.
However, with the help of Daniel’s Tech Blog https://www.danielstechblog.info/how-to-deploy-windows-server-2016-tp3-onto-an-sd-card/ I have managed to get my Microserver booting from the MicroSD card.
Daniel’s instructions are more or less spot on, except for one change.
diskpart
list disk
select disk x
clean
create partition primary
format quick fs=ntfs label="SD"
active
assign letter=C
exit
dism /Apply-Image /ImageFile:D:\sources\install.wim /index:2 /ApplyDir:C:\
bootsect /nt60 C: /force /mbr
bcdboot C:\Windows

I couldn’t get that final line to write to the MicroSD. I kept getting errors about BCDBOOT not being able to write the files, or being unable to find the source location. However, I read the documentation about BCDBOOT at Microsoft’s MSDN site https://msdn.microsoft.com/en-gb/windows/hardware/commercialize/manufacture/desktop/bcdboot-command-line-options-techref-di and happened upon the command for writing to USB devices.

bcdboot C:\Windows /s C: /f ALL

This seems to work fine, and a reboot allows Windows 2016 to boot.