Free DNS subdomains from afraid.org are a great resource for lab and test machines.
They also have a free Dynamic DNS service, which is a great way to keep tabs on your home IP address in the event it should change. In the past I would use this to make sure I could VPN back to the house, but now I have an OpenVPN server in a data center in Canada that I use.
Since I mentioned it, Kimsufi is a great resource for cheap servers. Pro tip: look for a “flash sale” to get a nice discount on your bill for as long as you continue to rent the machine.
TVIX +80% in ONE day. This is why we day trade.
This was June 11th, following the INSANE run up to 323.00 on the SPY index. It was WELL overdue for a correction, and this is the result of Wall Street's irrational exuberance!
5.8% from ALL TIME HIGHS in the middle of a pandemic! This is how Wall Street reacts to 6 trillion in free (taxpayer) money, with the Fed buying all of the risky junk bonds that the banks created.
While working on some older CCNP labs recently I needed to get rid of the Frame Relay that was used in the various labs, since it’s no longer in use and is not supported in EVE-NG. I originally connected everything via a generic cloud and used Ethernet interfaces, since that is the only interface type EVE-NG will connect to the cloud. While this worked okay, I did not like the direct connectivity I was seeing between the routers: it made the DMVPN tunnel I was building seem pointless.
Then I decided to use eBGP as the underlay for the DMVPN overlay. I chose a very simple implementation where the hub and spokes all connect to the same “ISP”. This makes the scenario much easier, since the ISP is just redistributing connected subnets.
Now I’m using DMVPN in place of Frame Relay for all of my labs and it’s working great. I had never worked with DMVPN before, so this was a great lab. Originally it was just a simple OSPF lab that “morphed” into something far more interesting. I’ll post the configuration snippets below in case you are curious.
ISP-SINGLE-REDISTRIBUTED –> allowas-in (for multiple ISPs)
ISP router (AS 1): one router that peers with the hub and both spokes and originates each site's /24.

router bgp 1
 bgp log-neighbor-changes
 neighbor 184.108.40.206 remote-as 11
 neighbor 220.127.116.11 remote-as 22
 neighbor 18.104.22.168 remote-as 44
 network 22.214.171.124 mask 255.255.255.0
 network 126.96.36.199 mask 255.255.255.0
 network 188.8.131.52 mask 255.255.255.0
end
!
! Null0 routes give the /24 "network" statements a matching route in the RIB,
! otherwise BGP will not originate them
ip route 184.108.40.206 255.255.255.0 Null0
ip route 220.127.116.11 255.255.255.0 Null0
ip route 18.104.22.168 255.255.255.0 Null0
!
interface Serial1/0
 ip address 22.214.171.124 255.255.255.252
 serial restart-delay 0
interface Serial1/2
 ip address 126.96.36.199 255.255.255.252
 serial restart-delay 0
interface Serial1/3
 ip address 188.8.131.52 255.255.255.252
 serial restart-delay 0
end

BGP#sh ip bgp
     Network            Next Hop            Metric LocPrf Weight Path
 *>  184.108.40.206/24  0.0.0.0                  0         32768 i
 *>  220.127.116.11/24  0.0.0.0                  0         32768 i
 *>  18.104.22.168/24   0.0.0.0                  0         32768 i
Hub (R1, AS 11): eBGP to the ISP for the underlay, an mGRE Tunnel1 that learns the spokes dynamically through NHRP, and OSPF running over the tunnel.

interface Serial1/0
 ip address 22.214.171.124 255.255.255.252
 serial restart-delay 0
!
router bgp 11
 bgp log-neighbor-changes
 distribute-list 10 in
 network 126.96.36.199 mask 255.255.255.0
 neighbor 188.8.131.52 remote-as 1
end
! access-list 10 is the inbound filter referenced by distribute-list 10
access-list 10 deny 184.108.40.206
access-list 10 permit any

R1#sh ip bgp
     Network            Next Hop            Metric LocPrf Weight Path
 *>  220.127.116.11/24  18.104.22.168            0             0 1 i
 *>  22.214.171.124/24  126.96.36.199            0             0 1 i

Hub#sh ip route bgp
Gateway of last resort is not set
      188.8.131.52/30 is subnetted, 1 subnets
B        184.108.40.206 [20/0] via 220.127.116.11, 00:00:40
      18.104.22.168/30 is subnetted, 1 subnets
B        22.214.171.124 [20/0] via 126.96.36.199, 00:00:40

! Hub tunnel: no static NHRP maps, spokes register themselves
interface Tunnel1
 ip address 10.1.110.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip ospf network point-to-multipoint
 ip ospf cost 64
 tunnel source 188.8.131.52
 tunnel mode gre multipoint
end

HUB#sh dmvpn | i 1
        T1 - Route Installed, T2 - Nexthop-override
Interface: Tunnel1, IPv4 NHRP Details
     1 184.108.40.206      10.1.110.2    UP 01:02:32     D
     1 220.127.116.11      10.1.110.4    UP 01:02:40     D

router ospf 1
 router-id 10.1.1.1
 area 24 stub no-summary
 redistribute static subnets
 network 10.1.110.0 0.0.0.255 area 24
 network 10.1.116.0 0.0.0.255 area 0
 neighbor 10.1.110.2 cost 10

HUB#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.6.6.6          0   FULL/  -        00:00:33    10.1.116.6      Serial1/1
10.4.4.4          0   FULL/  -        00:01:56    10.1.110.4      Tunnel1
10.2.2.2          0   FULL/  -        00:01:36    10.1.110.2      Tunnel1
Spoke1 (R2, AS 22): eBGP to the ISP, static NHRP mappings to the hub and to Spoke2 (both configured as NHS), OSPF stub area 24 over the tunnel.

interface Serial1/2
 ip address 18.104.22.168 255.255.255.252
 serial restart-delay 0
end
router bgp 22
 bgp log-neighbor-changes
 distribute-list 10 in
 network 22.214.171.124 mask 255.255.255.0
 neighbor 126.96.36.199 remote-as 1
end
access-list 10 deny 188.8.131.52
access-list 10 permit any

R2#sh ip bgp
     Network            Next Hop            Metric LocPrf Weight Path
 *>  184.108.40.206/24  220.127.116.11           0             0 1 i
 *>  18.104.22.168/24   22.214.171.124           0             0 1 i

Spoke1#sh ip route bgp
Gateway of last resort is 10.1.110.1 to network 0.0.0.0
      126.96.36.199/30 is subnetted, 1 subnets
B        188.8.131.52 [20/0] via 184.108.40.206, 00:00:40
      220.127.116.11/30 is subnetted, 1 subnets
B        18.104.22.168 [20/0] via 22.214.171.124, 00:00:40

! Spoke tunnel: tunnel-IP -> NBMA (ISP-facing) mappings for the hub and the other spoke
interface Tunnel1
 ip address 10.1.110.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.1.110.1 126.96.36.199
 ip nhrp map multicast 188.8.131.52
 ip nhrp map 10.1.110.4 184.108.40.206
 ip nhrp map multicast 220.127.116.11
 ip nhrp network-id 10
 ip nhrp nhs 10.1.110.1
 ip nhrp nhs 10.1.110.4
 ip ospf network point-to-multipoint
 ip ospf cost 64
 tunnel source 18.104.22.168
 tunnel mode gre multipoint
end

Spoke1#sh dmvpn | i 1
        T1 - Route Installed, T2 - Nexthop-override
Interface: Tunnel1, IPv4 NHRP Details
     1 22.214.171.124      10.1.110.1    UP 01:02:23     S
     1 126.96.36.199       10.1.110.4    UP 00:16:21     S

router ospf 1
 router-id 10.2.2.2
 area 24 stub
 network 10.1.110.0 0.0.0.255 area 24
 network 172.30.24.0 0.0.0.255 area 24
 distribute-list 10 in
end

Spoke1#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1          0   FULL/  -        00:01:53    10.1.110.1      Tunnel1
10.4.4.4          1   FULL/DR         00:00:39    172.30.24.4     Ethernet0/0
Spoke2 (R4, AS 44): mirror image of Spoke1, with static NHRP mappings to the hub and to Spoke1.

interface Serial1/3
 ip address 188.8.131.52 255.255.255.252
 serial restart-delay 0
end
router bgp 44
 bgp log-neighbor-changes
 distribute-list 10 in
 network 184.108.40.206 mask 255.255.255.0
 neighbor 220.127.116.11 remote-as 1
end
access-list 10 deny 18.104.22.168
access-list 10 permit any

R4#sh ip bgp
     Network            Next Hop            Metric LocPrf Weight Path
 *>  22.214.171.124/24  126.96.36.199            0             0 1 i
 *>  188.8.131.52/24    184.108.40.206           0             0 1 i

Spoke2#sh ip route bgp
Gateway of last resort is 10.1.110.1 to network 0.0.0.0
      220.127.116.11/30 is subnetted, 1 subnets
B        18.104.22.168 [20/0] via 22.214.171.124, 00:00:40
      126.96.36.199/30 is subnetted, 1 subnets
B        188.8.131.52 [20/0] via 184.108.40.206, 00:00:40

interface Tunnel1
 ip address 10.1.110.4 255.255.255.0
 no ip redirects
 ip nhrp map 10.1.110.1 220.127.116.11
 ip nhrp map multicast 18.104.22.168
 ip nhrp map 10.1.110.2 22.214.171.124
 ip nhrp map multicast 126.96.36.199
 ip nhrp network-id 10
 ip nhrp nhs 10.1.110.1
 ip nhrp nhs 10.1.110.2
 ip ospf network point-to-multipoint
 ip ospf cost 64
 tunnel source 188.8.131.52
 tunnel mode gre multipoint
end

Spoke2#sh dmvpn | i 1
        T1 - Route Installed, T2 - Nexthop-override
Interface: Tunnel1, IPv4 NHRP Details
     1 184.108.40.206      10.1.110.1    UP 00:12:38     S
     1 220.127.116.11      10.1.110.2    UP 00:12:38     S

router ospf 1
 router-id 10.4.4.4
 area 24 stub
 network 10.1.110.0 0.0.0.255 area 24
 network 172.30.24.0 0.0.0.255 area 24
end

Spoke2#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1          0   FULL/  -        00:01:53    10.1.110.1      Tunnel1
10.2.2.2          1   FULL/BDR        00:00:36    172.30.24.2     Ethernet0/0
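One thing to notice in the tunnel snippets above: none of the Tunnel1 interfaces carry a `tunnel protection ipsec profile` line or an `ip nhrp authentication` string, so this is plain mGRE plus NHRP and the "DMVPN" traffic crosses the ISP unencrypted. That is fine for an EVE-NG lab, but it is the first thing to check before a config like this is reused anywhere near a real ISP. As an added example (my code, not part of the original post), here is a small Python lint that pulls every Tunnel interface out of an IOS config, flags what is missing, and parses the peer lines of `show dmvpn`. The config text and the `show dmvpn` output are constructed copies of the hub snippets; the profile name `DMVPN-PROF` and NHRP string `LABKEY` in the hardened copy are hypothetical placeholders.

```python
"""Added example, not from the original post: lint the mGRE/DMVPN tunnel
interfaces in an IOS config and summarise 'show dmvpn' peers."""
import re

# Constructed sample: the hub's Tunnel1 block as it appears in the post.
HUB_TUNNEL1 = """\
interface Tunnel1
 ip address 10.1.110.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip ospf network point-to-multipoint
 ip ospf cost 64
 tunnel source 188.8.131.52
 tunnel mode gre multipoint
end
"""

# Constructed sample: the same block with the two lines a production DMVPN
# hub would add. Profile name and NHRP string are hypothetical placeholders.
HUB_TUNNEL1_HARDENED = """\
interface Tunnel1
 ip address 10.1.110.1 255.255.255.0
 no ip redirects
 ip nhrp authentication LABKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip ospf network point-to-multipoint
 ip ospf cost 64
 tunnel source 188.8.131.52
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
end
"""

# Constructed sample: the hub's 'show dmvpn | i 1' output from the post.
SHOW_DMVPN = """\
HUB#sh dmvpn | i 1
        T1 - Route Installed, T2 - Nexthop-override
Interface: Tunnel1, IPv4 NHRP Details
     1 184.108.40.206      10.1.110.2    UP 01:02:32     D
     1 220.127.116.11      10.1.110.4    UP 01:02:40     D
"""


def tunnel_blocks(config):
    """Yield (name, [lines]) for each 'interface TunnelN' block in the config."""
    name, lines = None, []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Tunnel\d+)$", line)
        if m:                                   # start of a tunnel block
            if name:
                yield name, lines
            name, lines = m.group(1), []
        elif line in ("end", "!") or line.startswith("interface "):
            if name:                            # any other section ends the block
                yield name, lines
            name, lines = None, []
        elif name:
            lines.append(line)
    if name:
        yield name, lines


def audit_tunnel(lines):
    """Findings for one tunnel block; an empty list means nothing to complain about."""
    findings = []
    if "tunnel mode gre multipoint" not in lines:
        return findings                         # not mGRE, so not a DMVPN tunnel
    if not any(l.startswith("tunnel protection ipsec profile") for l in lines):
        findings.append("no tunnel protection: GRE leaves the router in the clear")
    if not any(l.startswith("ip nhrp authentication") for l in lines):
        # The NHRP string travels in cleartext; it only keeps unrelated NHRP
        # domains apart. Peer authentication comes from the IPsec profile.
        findings.append("no ip nhrp authentication string")
    if "no ip redirects" not in lines:
        findings.append("ip redirects enabled on an mGRE interface")
    if not any(l.startswith("ip nhrp network-id") for l in lines):
        findings.append("missing ip nhrp network-id")
    return findings


def audit_config(config):
    """Map tunnel name -> findings for every tunnel interface in the config."""
    return {name: audit_tunnel(lines) for name, lines in tunnel_blocks(config)}


# One peer line of 'show dmvpn': '<#ent> <NBMA> <tunnel> <state> <updn> <attrb>'
PEER_RE = re.compile(
    r"^\s*\d+\s+(\S+)\s+(\S+)\s+(UP|DOWN|NHRP|IKE|IPSEC)\s+(\S+)\s+([SD]\S*)")


def dmvpn_peers(output):
    """Return (nbma, tunnel_ip, state, attrb) for each peer line of 'show dmvpn'."""
    return [(m.group(1), m.group(2), m.group(3), m.group(5))
            for m in (PEER_RE.match(l) for l in output.splitlines()) if m]


if __name__ == "__main__":
    for name, findings in audit_config(HUB_TUNNEL1).items():
        print(name, findings or "ok")
    for peer in dmvpn_peers(SHOW_DMVPN):
        print(peer)
```

Run against the hub block above it reports the missing tunnel protection and NHRP string and nothing else; against the hardened copy it reports nothing. The `show dmvpn` parser is what I would feed a monitoring check so a spoke that drops to `NHRP` or `IKE` state gets noticed rather than silently routing around the tunnel.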
When I get some extra time I’ll add 2 more ISP routers so that each site is connecting to a different router in AS 1. Then I’ll use iBGP within AS 1 to forward the routes accordingly and verify that the tunnel can still be built through various hops, as opposed to all of the sites meeting on the same AS 1 router. This method is a better approximation of a real-world scenario.
Another option would be to use eBGP and have each site use a different ISP, then make the different autonomous systems talk to each other to form the tunnel. That is another very likely real-world scenario and one of the whole reasons for using DMVPN.
Happy to say that I passed my CCNP re-certification after letting it expire in 2016. It felt good getting back in the lab and running through various routing and switching problems. I used EVE-NG to study with, it’s simply amazing software.
If you support systems at scale then you must read the Google SRE book! Do yourself and your team a favor by making sure you don’t repeat the mistakes described in this book. This should be required reading for all managers and front-line engineers.
You may have recently seen the article about the FBI recommending that all IoT devices be placed on their own networks for security purposes. The reason being that security in IoT devices has been notoriously bad and, in some cases, non-existent.
That got me thinking about the Chromecast that was sitting on my LAN, and looking for solutions to make it more secure. The unfortunate thing about the Chromecast is that it does not support WPA-EAP (802.1X) security, only WPA-PSK. Lucky for me I also have an “Ultra” version, which supports 4K and has an Ethernet port; without this Ethernet port I would be forced to dumb down my WiFi to make the Chromecast work.
What I found out, through much trial and error, is that the Chromecast uses mDNS to find the various network components needed to make the necessary connectivity. All of my attempts were failing because mDNS was not propagating across broadcast domains: mDNS is sent to the link-local multicast address 224.0.0.251 on UDP 5353, which routers do not forward. The missing piece was “Avahi”, available as a package in pfSense, which reflects mDNS traffic across the broadcast domains you select.
Once this package was in place, the Chromecast was able to configure itself correctly in the wired DMZ portion of my network. Moreover, with mDNS being forwarded across selected broadcast domains, WiFi clients are able to stream to the IoT device while using the much more secure WPA-EAP protocol that is not supported by the wireless NIC on the Chromecast (it only supports WPA-PSK).
This solution has the added benefit of allowing clients on the guest WiFi (WPA-EAP, VLAN 99) to cast to the IoT device sitting in the DMZ. All of this is accomplished without enabling “Guest Mode” on the Chromecast and without having to drop down to a less secure version of WiFi security. Moreover, I found that I now have the ability to cast content from my Plex server, connected over VPN, via the LAN, the DMZ, or the guest WiFi.
Therefore I’ve essentially set up my IoT device to work securely from 4 different networks while isolating it in a DMZ network, with a little trial and error. Of course there are lots of firewall rules to make it all happen; if you want to know more, head to the Home Lab section for the configuration specifics and some examples.
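The Chromecast discovery described above, as an added example that is not part of the original post: the mDNS query for `_googlecast._tcp.local` that a sender puts on the wire, a parser for the PTR/SRV/A answers a receiver returns, and a live probe (`discover()`) you can run from a client VLAN to confirm the Avahi reflector on pfSense is actually relaying answers out of the DMZ. The sample response, the instance name `Chromecast-Demo`, the hostname `demo.local` and the address 192.0.2.20 are constructed for the example. Reflecting mDNS only solves discovery; the firewall rules the post mentions still have to allow the cast session itself from the client VLANs to the DMZ address and port that the SRV record points at, and nothing more.

```python
"""Added example, not from the original post: the mDNS exchange a Chromecast
sender uses to find a receiver, with an offline parser and a live probe."""
import socket
import struct
import sys

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # link-local multicast, UDP 5353
SERVICE = "_googlecast._tcp.local"            # service name a Chromecast advertises
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33


def encode_name(name):
    """DNS wire form: length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(service=SERVICE):
    """Standard multicast query: ID 0, flags 0, one PTR question, class IN."""
    return (struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service)
            + struct.pack("!HH", TYPE_PTR, 1))


def decode_name(pkt, off):
    """Read a name at off, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the packet)."""
    labels, end, hops = [], None, 0
    while True:
        ln = pkt[off]
        if (ln & 0xC0) == 0xC0:                       # pointer to an earlier name
            hops += 1
            if hops > 16:                             # refuse pointer loops
                raise ValueError("compression loop")
            if end is None:
                end = off + 2                         # caller resumes after the pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(pkt):
    """Return (name, rtype, rdata) for every answer/authority/additional record."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                               # skip echoed questions
        _, off = decode_name(pkt, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == TYPE_PTR:
            rdata, _ = decode_name(pkt, off)          # service instance name
        elif rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = decode_name(pkt, off + 6)
            rdata = (port, target)                    # where the cast protocol listens
        elif rtype == TYPE_A:
            rdata = socket.inet_ntoa(rdata)
        off += rdlen
        records.append((name, rtype, rdata))
    return records


def build_sample_response():
    """Constructed reply (made-up names/address) with the PTR -> SRV -> A chain a
    receiver sends back, using compression pointers like a real responder does."""
    pkt = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 2)  # response+AA, 1 answer, 2 additional
    svc_off = len(pkt)
    pkt += encode_name(SERVICE)
    inst = b"\x0fChromecast-Demo" + struct.pack("!H", 0xC000 | svc_off)
    pkt += struct.pack("!HHIH", TYPE_PTR, 0x8001, 120, len(inst))  # 0x8001 = cache-flush|IN
    inst_off = len(pkt)
    pkt += inst
    target = encode_name("demo.local")
    pkt += struct.pack("!H", 0xC000 | inst_off)
    pkt += struct.pack("!HHIH", TYPE_SRV, 0x8001, 120, 6 + len(target))
    pkt += struct.pack("!HHH", 0, 0, 8009)
    target_off = len(pkt)
    pkt += target
    pkt += struct.pack("!H", 0xC000 | target_off)
    pkt += struct.pack("!HHIH", TYPE_A, 0x8001, 120, 4)
    return pkt + socket.inet_aton("192.0.2.20")


def discover(timeout=2.0):
    """Live probe (needs a network): join the group, send the query, collect PTR
    answers. Run it from a client VLAN; no answers means the reflector is not
    relaying the DMZ, since 224.0.0.251 never crosses the router on its own."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", MDNS_PORT))                           # answers come back as multicast
    mreq = socket.inet_aton(MDNS_GROUP) + socket.inet_aton("0.0.0.0")
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    s.settimeout(timeout)
    s.sendto(build_query(), (MDNS_GROUP, MDNS_PORT))
    found = set()
    try:
        while True:
            pkt, (src, _) = s.recvfrom(4096)
            for name, rtype, rdata in parse_response(pkt):
                if rtype == TYPE_PTR and name == SERVICE:
                    found.add((rdata, src))
    except socket.timeout:
        pass
    return sorted(found)


if __name__ == "__main__":
    for rec in parse_response(build_sample_response()):
        print(rec)
    if "--live" in sys.argv:
        print(discover())
```

Run with `--live` on a guest-VLAN client: the PTR answers should show up with the reflector's DMZ-side behaviour intact, and the SRV/A records tell you exactly which DMZ address and port the firewall rules have to admit. Keep in mind that the reflector relays every mDNS service between the interfaces you select, not only the Chromecast records, so it is worth looking at what else in the DMZ becomes visible to guest clients.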
This is worthy of a share if you are interested in TLS. Facebook, Cloudflare, and Mozilla are working together with the IETF to develop a new protocol for handling the private keys for TLS certificates. Facebook Engineering gives a great overview in the article below.
Today I upgraded my email provider to Tutanota. They provide encrypted email hosted on servers in Germany. In addition to the encrypted inbox, you can easily send end-to-end encrypted emails to users of other services like Gmail. Fellow Tutanota users have their emails automatically encrypted end to end with no effort at all on their part, as it’s built into the service by default.
I opted for the premium service, set it up using my own domain name, and was provided 5 email aliases. The price was very reasonable and it was a HUGE security improvement over the crappy email service my hosting provider was giving me. I highly encourage everyone to check out this open-source email service that focuses on privacy and security, and ditch your Gmail account that scans your emails to deliver ads!
The website is back online after a small hiatus. I’m pretty sure my old WordPress instance had been hacked, so I nuked the entire site and left it dormant for a while. Now I’m starting to rebuild it to highlight some of the things I’m interested in.
It’s a work in progress, so bookmark the site and check back if you like, but it will probably be hacked again since my hosting provider sucks so badly at security. I’ll need to look into alternatives after reading an article about how easy it is to hack their console site 🙁