Multi-Tenant pfSense Setup

Posted March 5, 2017 by jeremyrnelson
Categories: Uncategorized

I’ve run across a number of situations where several smaller clients sit behind a single firewall, separated by VLANs. This is an attempt to document what you’d need to do on the firewall side to make that work. We use separate hardware, but here’s a great write-up about virtualizing pfSense on VMware:

http://www.jonkensy.com/multi-tenantvlans-behind-a-virtualized-pfsense-firewall-in-esxi/

Here are a number of issues we’re trying to handle:

  1. It goes without saying that these clients all have to be in separate, non-overlapping address spaces. Ways of avoiding that requirement aren’t in scope here.
  2. Segregating users from one another (obviously)
  3. Multiple WAN connections
  4. VPN to remote sites (using pfSense – other routers are out of scope)
  5. VPN to remote individual clients (using both MacOS & Windows)
  6. DHCP Relay
  7. DNS Forwarding


Swann NVRs from Costco

Posted December 18, 2016 by jeremyrnelson
Categories: Uncategorized

I had an irritating experience where the Swann NVRs we purchased at Costco didn’t have a model number listed, so I couldn’t find the right firmware to fix the problems we’d been having sending emails through Gmail. Hopefully this helps somebody else.

Here’s how Costco lists the item:

Swann 16 Channel HD IP NVR with 3TB HDD, 8 3MP HD – Item# 956587

Turns out it’s an NVR16-7090; here’s the latest firmware:

http://support.swann.com/customer/portal/articles/2544490

The annoying thing with this setup is that it’s a 16-port NVR, but only 8 of the ports are PoE. If you buy extra cameras you can use PoE bricks, but that gets awful beyond 2-3 cameras. The other annoyance is that you can’t use them across closets/buildings. Here’s how to set them up on a separate camera VLAN:

  1. Set up a separate VLAN for your cameras.
  2. Set up a computer on 172.16.1.254/24 so you can hit the cameras with a web browser.
  3. Log into the web interface of the NVR (172.16.1.1:85 by default).  Identify the IP for each camera.
  4. Log into each camera (default username/pw is admin/12345), and set it to a static IP. I like 172.16.1.101-116 for readability.
  5. On the NVR web interface, change the ports from Plug N Play to Manual. Set each port to the same static IP set in #4.
  6. Once the cameras are on static IPs, you can put them in any building/closet that is on the same VLAN.  Set up a port on your switch dedicated to that VLAN, and plug it into one of the non-PoE ports on the NVR.
  7. You could probably put a router in and run them across different subnets/VLANs, but that exercise is left to the reader.


Ubiquiti Unifi Showing 0 bps transmit

Posted December 14, 2016 by jeremyrnelson
Categories: Uncategorized

Weird problem: I had an access point that didn’t allow access to the guest network, but worked fine on the corporate network. Strangely, the affected devices were reporting in the controller with a full data rate on receive, but 0 bps on transmit (tx).

The problem turned out to be that the switch the access point was connected to had excluded the guest VLAN on that port. Re-enabling that VLAN on the port fixed it.

EM Directory Problems UC 5.3

Posted September 18, 2015 by jeremyrnelson
Categories: Uncategorized

We found what may be a bug in Polycom UC 5.3: EM Directory didn’t show up as a menu option under Utilities in the web interface. Upgrading to 5.4 did the trick. Hope this helps somebody else!

Uninstalling LogMeIn

Posted June 25, 2015 by jeremyrnelson
Categories: Uncategorized


We used LogMeIn for nearly 2 years before dumping it in favor of ScreenConnect. LogMeIn had some nice features, but it was really buggy at times, especially on Macs, and we’ve never been sorry we switched. They’ve also gotten ridiculous with their pricing over the last year.

One of the things we really hated about LogMeIn was how difficult it was to uninstall and reinstall because of their screwy auto-update process. After many hours of figuring stuff out, we put together this “brute force” script that more or less rips it out. It’s not perfect, but it sure beats doing it manually on 300+ machines! I hope we can save somebody else the pain and make it easier to transition away from LogMeIn.

As an unsolicited plug for ScreenConnect: it’s a perpetual license, and you pay per concurrent session, not per client under management, so we’ll save a bundle. Some great features include:

  • Super easy entry of interactive commands on one or more guests.
  • Clean and simple uninstall and reinstalls (Macs could be simpler, but still really good).
  • When a machine drops offline, your host connection goes gray and automatically restarts after the machine comes back online.
  • Preview of what’s going on at the guest machine.
  • Reboot into safe mode and ScreenConnect still works
  • Lightweight and easy to push out with group policy
  • Much less cumbersome to start a remote session

There are a couple of features I’d like to see (FQDNs in the host listing, for one, and command results compiled into a common dialog for another), but those are far outweighed by everything else.

Have fun tearing out LogMeIn!


REM Stop each LogMeIn service and set it to Disabled (Start = 4) so the
REM auto-updater cannot restart it while the uninstall runs.
net stop LMIGuardianSvc
REG add "HKLM\SYSTEM\CurrentControlSet\services\LMIGuardianSvc" /v Start /t REG_DWORD /d 4 /f
net stop LogMeIn
REG add "HKLM\SYSTEM\CurrentControlSet\services\LogMeIn" /v Start /t REG_DWORD /d 4 /f
net stop "LogMeIn Maintenance Service"
REG add "HKLM\SYSTEM\CurrentControlSet\services\LogMeIn Maintenance Service" /v Start /t REG_DWORD /d 4 /f

REM Run the product's own uninstaller from every path it may have been installed to.
"C:\Program Files (x86)\LogMeIn\x86\logmein" uninstall
"C:\Program Files (x86)\LogMeIn\x64\logmein" uninstall
"C:\Program Files\LogMeIn\x86\logmein.exe" uninstall
"C:\Program Files\LogMeIn\x64\logmein.exe" uninstall

REM *** MsiExec Uninstalls ***
REM Product codes collected from the Uninstall keys of the LogMeIn builds we had deployed.
REM Note: the /I line runs an install/repair, not an uninstall (/x).
MsiExec.exe /x{0832D8C1-4A3D-44A8-86CB-1B51EF71ED31} /qn
MsiExec.exe /x{32979D13-6A63-4CAC-A328-60A6624F853E} /qn
MsiExec.exe /x{386625D9-3BD3-45F3-BF41-6A890A913F12} /qn
MsiExec.exe /x{53E10F4E-B361-45D7-8DBD-A6BF073236F0} /qn
MsiExec.exe /x{58CF302E-2281-46D3-BDF0-540B11ADCED2} /qn
MsiExec.exe /x{697E7F08-CB6F-442A-83CD-D44F54654272} /qn
MsiExec.exe /x{6A38EDD8-66E4-4FD1-B7D0-DDC37285F44B} /qn
MsiExec.exe /x{72B46C07-7EB2-4146-9B03-422296E12C4E} /qn
MsiExec.exe /x{7FEA5E41-0106-451E-BC88-71B9CD3B0F41} /qn
MsiExec.exe /I{9905E4C1-14D8-4522-88FE-FD00B51A20DC} /qn
MsiExec.exe /x{A8E20B99-B1A2-4FC0-B38A-A255033D339A} /qn
MsiExec.exe /x{AF17B3CE-F7DA-4DDE-A8C8-7AAADB5CD551} /qn
MsiExec.exe /x{AFBB4CC8-12D3-40B0-BE53-80FA37496C63} /qn
MsiExec.exe /x{CB7AF84A-1B7F-4C6B-8A58-EB7CDE48C23A} /qn
MsiExec.exe /x{D8FDCAEB-351D-4FFF-B1FD-B8C3564C1CAD} /qn
MsiExec.exe /x{F099EA75-A298-4A13-93CB-D2446436B137} /qn
MsiExec.exe /x{F93EE340-3735-4032-8B74-0A3E489017A0} /qn

REM Remove the leftover registry keys (settings, autorun entry, service definitions).
REG DELETE HKEY_CURRENT_USER\Software\LogMeIn /f
REG DELETE "HKEY_LOCAL_MACHINE\Software\LogMeIn, inc." /f
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\LogMeIn /f
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\LogMeIn /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\currentversion\run\logmein gui" /f
REG delete "HKLM\SYSTEM\CurrentControlSet\services\LMIGuardianSvc" /f
REG delete "HKLM\SYSTEM\CurrentControlSet\services\LogMeIn" /f

REM ******
REM Only after running the install string for each product should these be deleted
REM (Use the product number referring to LogMeIn)
REM Also in HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
REM ***
reg DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\99B02E8A2A1B0CF43BA82A5530D333A9 /f
reg DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\9D5266833DB33F54FB14A698A019F321 /f

REM Final pass over the service keys (straight quotes are required here; curly quotes break cmd).
REG delete "HKLM\SYSTEM\CurrentControlSet\services\LMIGuardianSvc" /f
REG delete "HKLM\SYSTEM\CurrentControlSet\services\LogMeIn" /f
REG delete "HKLM\SYSTEM\CurrentControlSet\services\LogMeIn Maintenance Service" /f

Grandstream GXW-4004 configuration file problems

Posted April 12, 2015 by jeremyrnelson
Categories: Uncategorized

I had a frustrating problem where my Grandstream GXW-4004 wouldn’t accept an uploaded configuration XML file. I ended up turning on syslog so I could see what was going on, and found this:

PROVISION: Failed parsing cfg.xml (Error 217)

Through a series of trial-and-error steps over several hours, I discovered that the dial plan lines were causing the problem (maybe because of the braces { }?). Either way, I removed those lines, the configuration loaded just fine, and I was able to re-add them through the web interface and get back to work.

Extracting voicemails, prompts, etc. from Cisco Unity Express (CUE) backups

Posted December 13, 2014 by jeremyrnelson
Categories: Uncategorized


There is very little documentation on how to do this, so I thought I would add what I’ve learned. We’ve been doing a painful move from a UC560 that never worked very well to FreePBX, which is a lot cheaper and works better.

You have to log into CUE (via the CME “service-module Integrated-Service-Engine 0/0 session” command), then set the backup server and run the offline backup procedure.

CUE backups are basically PostgreSQL dumps. If you FTP the backups from CUE to your machine and strip off the top 16 lines of junk that Cisco prepends, you can use pg_restore to restore them and extract the data in a usable format.

Here’s how I imported the VoiceMail backup (run this as the postgres user); this gets voicemail greetings as well as saved messages:

tail -n +16 VoiceMail_1.backup > VoiceMail_1.backup.new && pg_restore -C VoiceMail_1.backup.new | psql

Once they were loaded, here’s the line I used to save out all of the wav files:

for lo in `pg_dump aesop  | grep lo_open | cut -d\' -f2`; do echo "\lo_export $lo $lo.wav"|psql aesop; done

Here’s how I exported the user greetings from the LDIF file Core_1.backup (the tr/sed/tr part joins LDIF continuation lines, which begin with a single space, back onto their attribute line before grepping for the base64-encoded CCNatWaveFile values):

for wav in `cat Core_1.backup | tr '\n' '\t' |sed -e "s/\t\ //g"|tr '\t' '\n' |grep CCNatWaveFile|cut -d: -f 3`; do ( echo $wav | base64 -d -i > `date +%s%N | cut -b1-13`.wav ); done
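The same LDIF extraction as a small Python script, added here as an example rather than taken from the post. It unfolds continuation lines and base64-decodes every CCNatWaveFile value exactly as the shell pipeline does, and goes one step further by naming each .wav after the entry’s cn instead of a timestamp; the dn/cn attribute names are assumptions about the Core_1.backup layout, and the sample LDIF is constructed.

```python
import base64
import re

# Constructed sample in the LDIF shape the post describes: a base64-valued
# attribute ("CCNatWaveFile::") folded onto continuation lines that start with
# one space. Fake WAV header, not a real greeting; dn/cn names are assumed.
SAMPLE_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 20
_B64 = base64.b64encode(SAMPLE_WAV).decode()
SAMPLE_LDIF = (
    "dn: cn=2001,ou=users,o=cue\n"
    "cn: 2001\n"
    "CCNatWaveFile:: " + _B64[:20] + "\n"
    " " + _B64[20:40] + "\n"
    " " + _B64[40:] + "\n"
    "\n"
    "dn: cn=2002,ou=users,o=cue\n"
    "cn: 2002\n"
    "description: no greeting recorded\n"
)

def unfold(ldif_text):
    """Join LDIF continuation lines (a newline followed by one space),
    which is what the post's tr | sed | tr pipeline does."""
    return ldif_text.replace("\n ", "")

def entries(ldif_text):
    """Yield each blank-line-separated entry as (attr, is_base64, value) tuples."""
    for block in re.split(r"\n\s*\n", unfold(ldif_text).strip()):
        attrs = []
        for line in block.splitlines():
            m = re.match(r"([^:]+)(::?) ?(.*)$", line)
            if m:
                attrs.append((m.group(1), m.group(2) == "::", m.group(3)))
        yield attrs

def extract_wave_files(ldif_text):
    """Return {dn: wav_bytes} for every entry that carries a CCNatWaveFile."""
    out = {}
    for attrs in entries(ldif_text):
        dn = next((v for a, _, v in attrs if a == "dn"), None)
        for attr, is_b64, value in attrs:
            if attr == "CCNatWaveFile" and is_b64:
                out[dn] = base64.b64decode(value)
    return out

def wav_filename(dn):
    """Name the file after the entry's cn (assumed to lead the DN)."""
    m = re.match(r"cn=([^,]+)", dn or "")
    return (m.group(1) if m else "unnamed") + ".wav"
```

To write the files out, loop over `extract_wave_files(open("Core_1.backup").read()).items()` and save each value under `wav_filename(dn)`.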

My organization was small, so I just dumped all of the wav files and listened to them to name them rather than getting fancy and naming them automatically. Since we’re moving to FreePBX, I was able to just drop these in place on the new server and be up and running quickly.

This isn’t too terrible if you know what you’re doing, but since there’s very little documentation on it, it’s quite a pain to figure out.