
Finally, a pfSense VPN Guide that works!

I’ve been tinkering with IPSec on pfSense for a while, but struggled to find a solution which worked for a range of devices reliably. Happily, I have found a guide which I’ve tested on Windows, Android and iOS.

So thanks to Kliment Andreev for writing this guide. https://blog.andreev.it/?p=3617

The only thing I had to do in addition (and this may be specific to my config) was to add the IPsec rules on the WAN interface manually.

(Screenshot: pfSense WAN interface rules for IPsec)

Here you can see that I have three rules: one passing ESP traffic, then two UDP rules whose destination port is NAT-T (UDP 4500) and ISAKMP (UDP 500) respectively. In all three the source address and source port are left as any, because remote clients connect from ephemeral ports, and the destination is the WAN address. Note that NAT-T and ISAKMP are pre-defined entries in pfSense's port drop-down, so you don't have to type the port numbers yourself.
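The same three rules written out in pf syntax, added here as an illustration rather than the rules pfSense actually generates (its generated rules also carry interface, reply-to and address details); $WAN stands for whatever your WAN interface is called, which is an assumption:

```pf
# Allow IKE (ISAKMP, UDP 500), IKE/ESP encapsulated in UDP (NAT-T, UDP 4500)
# and raw ESP in to the WAN address. Source address and source port stay "any".
pass in quick on $WAN inet proto udp from any to ($WAN) port 500     # ISAKMP
pass in quick on $WAN inet proto udp from any to ($WAN) port 4500    # NAT-T
pass in quick on $WAN inet proto esp from any to ($WAN)              # ESP
```

If your remote users always come from known addresses, narrowing `from any` to those addresses is worth doing; otherwise the IKE daemon itself is the exposed surface, so keep pfSense patched. On the pfSense shell, `pfctl -sr | grep -E 'proto (esp|udp)'` shows whether the rules are actually loaded.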

FFMPEG HEVC_NVMPI RTMP HLS

Works to produce a (slightly unstable) HLS stream from an incoming stream, using the NVMPI accelerated encoder.

ffmpeg -hide_banner -re -i http://10.10.10.157:5004/auto/v107 \
  -bufsize 16092k -analyzeduration 20000 -probesize 16092 \
  -sn -dn -ignore_unknown \
  -force_key_frames:v "expr:gte(t,n_forced*2)" \
  -map_metadata "-1" -map_chapters "-1" \
  -c:a copy -c:v hevc_nvmpi -num_capture_buffers 8 \
  -x265-params "keyint=50:min-keyint=50:no-open-gop=1:scenecut=0" \
  -level 4.0 -profile:v baseline -preset slow -rc vbr \
  -movflags faststart+frag_keyframe -tag:v hvc1 \
  -f hls -hls_time 2 -hls_list_size 6 \
  -hls_flags delete_segments+append_list+split_by_time \
  -hls_playlist_type event -g 50 \
  /var/www/html/hls/videostream.m3u8

Seems to work fine until there is a network glitch.
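A restart wrapper for exactly this kind of drop-out, added here as an example and not part of the original post: it re-runs the command whenever it exits non-zero, with a capped backoff so a dead source doesn't spin the CPU. The function and its defaults are my own; the ffmpeg command it would wrap is the one above.

```shell
#!/bin/sh
# supervise_stream MAX_RESTARTS CMD...
#   Runs CMD and restarts it every time it exits non-zero. MAX_RESTARTS=0 means
#   retry forever. Backoff starts at STREAM_RETRY_DELAY seconds (default 1) and
#   doubles up to 30s. Returns 0 on a clean exit, else the last exit status.
supervise_stream() {
  max=$1; shift
  attempt=0
  delay=${STREAM_RETRY_DELAY:-1}
  while :; do
    "$@" && return 0                       # clean exit, nothing to do
    status=$?
    attempt=$((attempt + 1))
    if [ "$max" -gt 0 ] && [ "$attempt" -ge "$max" ]; then
      echo "stream failed $attempt times, giving up (last exit status $status)" >&2
      return "$status"
    fi
    echo "stream exited with status $status, restarting in ${delay}s (attempt $attempt)" >&2
    sleep "$delay"
    delay=$((delay * 2))
    if [ "$delay" -gt 30 ]; then delay=30; fi
  done
}

# Usage (assumed to be run from the same host as the command in the post):
# supervise_stream 0 ffmpeg -hide_banner -re -i http://10.10.10.157:5004/auto/v107 ... /var/www/html/hls/videostream.m3u8
```

Because the command above uses `append_list` in `-hls_flags`, a restarted ffmpeg reads the existing playlist and carries on the segment numbering rather than starting again from zero, so a player that is mid-stream sees a gap instead of a brand-new playlist. For short drops on the HTTP input it is also worth trying ffmpeg's own `-reconnect 1 -reconnect_streamed 1 -reconnect_delay_max 5` input options (placed before the `-i`), which retry inside the process without a restart.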

Mimecast to Office 365 – Split Routing of Email Domains

We’re currently going through a migration from our existing legacy email provider to using Mimecast as our spam filter. We have some services which we can’t interrupt without planning, so we need to deploy Mimecast to Office 365 for our ‘user’ domain without disrupting our ‘alerting’ domain. We also need to validate the Mimecast config and setup before impacting users, so we also have a test domain to verify the configuration.

We therefore wanted to add the email filtering staged in the following order over a number of days:
1) Test
2) User
3) Alerting

However, the Mimecast documentation isn’t great at describing split routing of email based upon the sender’s domain, and essentially assumes that you want to send all email out through Mimecast from the off.

This great article from Antonio Vargas really helped us out in understanding why the rule wasn’t intercepting messages from the domains to send out.

In the Conditions select “Apply this rule if..” > The recipient is located > Outside of the Organization

Once that condition was added to our rule, we were immediately able to verify that the test domain was routing email out through Mimecast from Office 365. The condition scopes the rule to messages leaving the tenant: mail between mailboxes in the same Office 365 organisation stays internal, and only external-bound mail from the selected sender domain is handed to the Mimecast outbound connector, which is what lets the remaining domains keep their existing route until you’re ready to move them.

WD My Passport Pro – RClone Backup to Cloud (AWS S3)

I’ve setup my WDMPP to perform a regular cloud sync of my pictures into an Amazon S3 data store so that when it is on an internet connection, it will sit and run in the background and upload the pictures.

Note, I’m only backing up photos rather than video, as I intend to run this on a 4G mifi hotspot and don’t want 4K video uploads to trash my data allowance. I’ll run the risk of losing those in the event of a failure whilst mobile, but it’s something I can live with.

First of all, you need to have rclone installed on your WDMPP, which involves using the SSH terminal. I’ll create a separate article at some point, but there is plenty of information about how to do this on the internet.

Create two files in the root of the hard drive.

rclonescript.sh is the script that executes the backup command:

#!/bin/sh
# Copy the photo set from the drive to S3, using the filter list below
rclone copy /media/sdb1/ AmazonS3:wdmpp.backup/ -v --log-file /media/sdb1/logs/rclone.log --copy-links --ignore-case --filter-from /media/sdb1/filestocopy.txt

Option                                      Meaning
rclone copy                                 Use the copy command in rclone (copies new and changed files; never deletes anything at the destination)
/media/sdb1/                                Source root path to look for data
AmazonS3:wdmpp.backup/                      Destination root path. AmazonS3 is the remote name chosen in rclone config; here it is AWS S3, but the same principle works for other cloud services
-v                                          Verbose mode
--log-file /media/sdb1/logs/rclone.log      rclone logs to this path (note, you’ll need to mkdir the logs directory)
--copy-links                                Follow symlinks when copying; seems to be required
--ignore-case                               Because the WDMPP backs up from a variety of devices, don’t be case sensitive when applying filters
--filter-from /media/sdb1/filestocopy.txt   The filtering definition rclone uses to decide which files to copy

The access key and secret for the AmazonS3 remote live in rclone’s config file (rclone config file prints its location), so keep that file readable only by the account the cron job runs as, and give it an IAM user whose policy is limited to this one bucket rather than a root or admin key.

You will need to chmod +x this file to make it executable
chmod +x /media/sdb1/rclonescript.sh

/media/sdb1/filestocopy.txt holds the filtering rules.

- /logs/
- /.USB/
- /.wdmc/
- /.wdcache/
- /.DS_Store/
- *.txt
+ *.jpg
+ *.png
+ *.heic
+ *.bmp
+ *.raw
- *

Rule            Exclude (-) / Include (+)   Description
- /logs/        Exclude                     the logs path where rclone writes its own log
- /.USB/        Exclude                     the system .USB path
- /.wdmc/       Exclude                     the system .wdmc path
- /.wdcache/    Exclude                     the system .wdcache path
- /.DS_Store/   Exclude                     macOS Finder metadata (.DS_Store). The trailing slash makes this a directory rule; a stray .DS_Store file is caught by the final “- *” anyway
- *.txt         Exclude                     any text files (some of my cameras create text logs which I’m not interested in copying)
+ *.jpg         Include                     JPEG files with the extension jpg
+ *.png         Include                     Portable Network Graphics files with the extension png
+ *.heic        Include                     High Efficiency Image File Format files with the extension heic (these come from my phone)
+ *.bmp         Include                     bitmap files with the extension bmp (not expecting any of these, but hey)
+ *.raw         Include                     RAW camera files (my camera uses the .raw extension)
- *             Exclude                     anything else

You can obviously change your filters as you need to, for example including video files or whatever else you write to the disk. I had to put the excludes before the includes as I found otherwise it wouldn’t necessarily behave as expected. This seems to work well for me. The reason is that rclone evaluates the rules top to bottom and the first rule that matches a path wins; a path that matches no rule is included, which is why the final “- *” is what turns this list into an allow-list. With “+ *.jpg” at the top, a thumbnail under .wdmc would match it before the “- /.wdmc/” line was ever consulted.
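To make the ordering rule concrete, here is a small emulation of how rclone walks a filter list, added as an example and not rclone’s own code. It implements the simplified semantics described in the comments, evaluates the filestocopy.txt rules above against some constructed sample paths, and then shows what happens when the jpg include is moved above the directory excludes.

```shell
#!/bin/sh
# Added example, not rclone's own code: a small emulation of how rclone walks a
# --filter-from list, to show why rule order matters. Simplified semantics:
#   * rules are tried top to bottom and the first match decides (+ include, - exclude)
#   * a path matching no rule is included, which is why "- *" is the last line
#   * a pattern starting with "/" is anchored at the root of the source;
#     any other pattern is matched against the final path component
#   * a pattern ending in "/" names a directory and covers everything below it
#   * matching is case-insensitive, mirroring --ignore-case in the script
# Real rclone globbing has more forms (**, {a,b}, [..]); this covers the shapes
# used in filestocopy.txt. Sample paths below are constructed for the demo.

FILTER_FILE=$(mktemp)
cat > "$FILTER_FILE" <<'EOF'
- /logs/
- /.USB/
- /.wdmc/
- /.wdcache/
- /.DS_Store/
- *.txt
+ *.jpg
+ *.png
+ *.heic
+ *.bmp
+ *.raw
- *
EOF

# Same idea with "+ *.jpg" moved above the directory exclude, to show the effect.
REORDERED_FILE=$(mktemp)
cat > "$REORDERED_FILE" <<'EOF'
+ *.jpg
- /.wdmc/
- *
EOF
trap 'rm -f "$FILTER_FILE" "$REORDERED_FILE"' EXIT

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# filter_decision FILTER_FILE PATH -> prints "include" or "exclude"
# PATH is relative to the source root, e.g. "DCIM/100/IMG_0001.jpg"
filter_decision() {
  rules=$1
  path=$(lc "$2")
  base=${path##*/}
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    action=${line%% *}
    pat=$(lc "${line#* }")
    matched=no
    case $pat in
      /*/) dir=${pat#/}; case "$path/"  in "$dir"*)  matched=yes ;; esac ;;  # dir under root
      /*)                case "$path"   in ${pat#/}) matched=yes ;; esac ;;  # file under root
      */)  d=${pat%/};   case "/$path/" in */"$d"/*) matched=yes ;; esac ;;  # dir at any level
      *)                 case "$base"   in $pat)     matched=yes ;; esac ;;  # last component
    esac
    if [ "$matched" = yes ]; then
      if [ "$action" = "+" ]; then echo include; else echo exclude; fi
      return 0
    fi
  done < "$rules"
  echo include     # no rule matched
}

# Demo run over constructed sample paths (not files from the drive):
for p in DCIM/100/IMG_0001.jpg DCIM/100/IMG_0002.JPG logs/rclone.log \
         .wdmc/thumbs/IMG_0001.jpg DCIM/notes.txt DCIM/clip.mp4; do
  printf '%-28s %s\n' "$p" "$(filter_decision "$FILTER_FILE" "$p")"
done
echo "reordered: .wdmc/thumbs/IMG_0001.jpg -> $(filter_decision "$REORDERED_FILE" .wdmc/thumbs/IMG_0001.jpg)"
```

With the original order the .wdmc thumbnail is excluded; with the jpg include on top it is uploaded, which is the behaviour the ordering above avoids. For the real thing, rclone’s own --dry-run with -v lists exactly which files the filter lets through before anything is sent.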

Once you’ve tested that it works (adding --dry-run to the rclone command lists what would be copied without uploading anything), it can be added to cron.
First, create the cron path

mkdir /var/spool/cron

Then create the crontab

crontab -e


8 * * * * /media/sdb1/rclonescript.sh >/dev/null 2>&1

This crontab runs the script at minute 8 of every hour, i.e. once an hour. The >/dev/null 2>&1 discards anything the script prints, so if a run fails you’ll only find out from rclone’s own log; check /media/sdb1/logs/rclone.log after the first scheduled run. If you’re not sure how to build a cron line, https://crontab-generator.org/ is a great website for building them.
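An hourly cron entry and a slow 4G upload can overlap, so the second rclone starts while the first is still running. The wrapper below, added as an example rather than taken from the post, makes the job skip itself while a previous run is still going; it uses mkdir as the lock because it is atomic and present on BusyBox-based devices where flock(1) may not be. The lock path, the mount check and the wrapper file name are my assumptions.

```shell
#!/bin/sh
# run_locked LOCK_DIR CMD...
#   Runs CMD unless LOCK_DIR already exists (another run in progress).
#   mkdir is atomic, so two cron jobs racing for it cannot both win.
#   Returns 75 (EX_TEMPFAIL) when the lock is held, otherwise CMD's exit status.
run_locked() {
  lock=$1; shift
  if ! mkdir "$lock" 2>/dev/null; then
    echo "backup already running (lock $lock held by pid $(cat "$lock/pid" 2>/dev/null)), skipping" >&2
    return 75
  fi
  echo $$ > "$lock/pid"        # owner, for diagnosing a stale lock after a crash
  "$@"
  status=$?
  rm -rf "$lock"
  return "$status"
}

# volume_mounted MOUNTPOINT -> true if the drive is mounted there. Without this
# check an absent drive means rclone sees an empty source; harmless for "copy",
# but it would wipe the bucket if the script were ever changed to "sync".
volume_mounted() {
  grep -qs " $1 " /proc/mounts
}

# Assumed wrapper the crontab would call instead of rclonescript.sh directly:
# LOCK_DIR=/tmp/rclone-backup.lock
# volume_mounted /media/sdb1 || { echo "/media/sdb1 not mounted" >&2; exit 1; }
# run_locked "$LOCK_DIR" /media/sdb1/rclonescript.sh
```

A power loss mid-run leaves the lock directory behind; the pid file inside it tells you which process owned it so you can confirm it is gone before removing the lock by hand.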

Skype for Business – Audio Conferencing Behaviour

If you have Skype for Business telephony services, including audio conferencing hosted by Microsoft (365), it is worth sharing the current workflow experience, which doesn’t seem to be well documented.


From a host, or moderator perspective, you dial into the meeting using your assigned phone number, shown on your Skype for Business invite.

  1. The Skype Meeting Attendant answers the call and asks you to enter the conference ID, followed by the # key.
  2. You enter the meeting number (again, shown on the invite).
  3. You’re prompted to press * if you are the leader; you’d press *.
  4. You enter the PIN assigned to your account.
  5. You’re dropped into the meeting, and your name or number is announced if enabled.

From an end-user perspective the process is pretty much the same, except that if the leader has already joined, they’re not prompted for the PIN.

Unlike other audio conferencing providers (ACPs), in-call control of the service appears to be pretty non-existent, and I think this is by design. After all, the meeting can be controlled from the mobile app if you’re not near a desktop.
You’re not able to start a meeting recording from the phone, as recording is performed by the Skype client into a folder on your local computer, so if this is required then that is your only option.

I think MS Teams may take a different approach, but I’ve not got my hands on telephony/audio in that product yet.

iPXE Booting OpenElec

Open Embedded Linux Entertainment Center (OpenELEC) is a small Linux distribution built from scratch as a platform to turn your computer into an XBMC media center. OpenELEC is designed to make your system boot fast, and the install is so easy that anyone can turn a blank PC into a media machine in less than 15 minutes.

This is a great live image for getting up and running with XBMC, or testing it before committing to installing to a harddisk.   I’ve set it up today to boot from the network to see how well it works on a machine I’m thinking about using for a media centre.  It was a bit of a pain to get it working,  but now that it is,  it works fine.

First of all, download a copy of OpenELEC from http://www.openelec.tv/get-openelec/download. I got the tarballed version entitled OpenELEC-Generic.x86_64-devel-20131026131436-r16293 from the developer sources, but I think stable versions will work equally well.

This was copied to my NAS server and untarred using the command
 tar -xvf OpenELEC-Generic.x86_64-devel-20131026131436-r16293.tar
This then spat out what I presume to be an OpenELEC live CD or some such (but who cares – we don’t do CDs, do we? 🙂 ). Within the created folder there is a ‘target’ folder, which contains the images you need to boot from.

Make sure the target folder is in a location where it is accessible from both HTTP and NFS. Note, I’ve not been able to make this boot using HTTP alone, and I’m not sure it’s possible, because it seems to use NFS as a persistent storage location for your configuration. Since that persistent share has to be writable by the media PC, export it only to that machine’s address rather than to the whole network; otherwise anything on the LAN can rewrite the configuration it boots with.

Next, create a folder for storing your persistent information (I created a folder called persistent within my target folder).

Now update your iPXE menu.

:OpenElec
echo Booting OpenElec Media Centre
echo HTTP and NAS Method
kernel http://boot.server/openelec/OpenELEC-Generic.x86_64-devel-20131026131436-r16293/target/KERNEL boot=NFS=10.222.222.50:/boot.server/openelec/OpenELEC-Generic.x86_64-devel-20131026131436-r16293/target/ disk=NFS=10.222.222.50:/boot.server/openelec/persistent/ netboot=nfs ssh ip=dhcp
boot

So this loads the kernel over HTTP from the server, and passes the NFS location of the boot partition and the NFS location of the persistent storage. Note that neither of the latter two names a file, just the folder path; the kernel knows what it’s looking for when it boots.
The final variables tell the kernel that it is being booted with NFS, to enable SSH (if you want it) and to get its IP address using DHCP. There are a number of other modes for debugging, text-only mode, that sort of thing, but they are not discussed here.

Anyway, other than configuring the iPXE menu to call :OpenElec, that’s all there is to it.

A little Comic Relief

The annual or bi-annual charity appeals are always fun, but also somewhat predictable as to what we’ll end up seeing. So, whilst I urge you to donate, you can also have a bit of fun whilst watching.

So here are the rules of the drinking game we’re playing by. The rules are simple: define your own measure, be it a shot, a finger’s width or even a whole glass.

One Measure
– A disease is mentioned
– An African Child is seen with a fly on its face
– Every time a celebrity does something ‘exciting’
– A giant cheque is produced
– A celebrity holds an African child
– A celebrity cries
– The Phone Number is read out
– Man dressed as a woman, or a woman dressed as a man

Two Measures
– The total so far is read out
– We see the phone-call takers up the BT Tower
– When the guest presenters change
– When the presenters look confused because they don’t know what they’re going to next
– If we’re shown a picture of BBC TV Centre

Three Measures
– When the presenter runs his/her fingers along the screen as the number is read out.
– When someone mouths the number at the back of shot
– When someone makes the ‘phone call’ symbol
– News Presenters doing something ‘wacky’
– When an African child is made to wear a red nose

Four Measures
– Wogan or Pudsey Appears

Penalties:
Penalties require a CR donation
– Spillage – £1
– Fall Over – £1
– Vomit – £5
– Pass-out – Whatever you can shake out of their wallet/purse.

Remember Kids, Drink Responsibly,  as little African Kids often can’t.   Give Generously!

Sugru – A Brief Update

I just wanted to provide a brief update on my thoughts on Sugru. It’s a wonderful product, ideal for fixing and personalising things. However, the biggest bugbear of all is the shelf life.

Unlike duct tape, superglue, epoxy resin, putty and other more commonly known fixing materials and methods, Sugru ‘sets’ after about 6 months, whether you’ve opened it or not. This meant that one of the big bags I had became useless, as I wasn’t able to use the sachets before they’d all set.

And because Sugru isn’t available in most shops, you can’t just pop out and get some more; you have to wait for the postman to bring it. This is fine for a non-urgent fix, but when you need to do something straight away, you either have to make sure you have some fresh Sugru in, or find an alternative option. It’s often the latter. So reader beware!

One final point: Sugru reckon that if you keep it in the fridge it will keep for 18 months; I’ll have to pick some up and try it.