Category Archives: Networking

Cable colour coding?

Blue – network, PC connections (network cabinet)
Red – IP phones (network cabinet)
Orange – interconnections between switches
Grey – Phone connection (desk)
Black – PC connection (desk)
Green – Tills
Yellow – PDQs

ARP address mismatch

A normal ARP request/response looks like this:
A asks: who has B's address?
B replies: B is at xx-xx-xx-xx-xx-xx.
In some cases, however, the exchange looks like this instead:
A asks: who has B's address?
C replies: B is at xx-xx-xx-xx-xx-xx.
When a Vigor router sees this (the reply for B's address arrives from a host other than B), it logs an "ARP mismatch" message.
Older firmwares blocked this abnormal ARP outright.
Because some networks produce it legitimately (proxy ARP and some failover or virtualisation setups), DrayTek allows it in most newer firmwares. Bear in mind that a third host answering for another host's address is also exactly what an ARP spoofing (man-in-the-middle) attack looks like on the wire, so an unexpected mismatch message is worth investigating rather than ignoring.
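As an added example (my code, not DrayTek's and not part of the original post), here is a small Python checker that applies the two tests a router can apply to ARP replies: does the Ethernet source MAC match the sender hardware address inside the ARP payload ("C replies B is ..."), and does the MAC now claimed for an address differ from the one learned earlier. The ArpReply structure and the SAMPLE replies are constructed for the example; feeding it real traffic would need a capture library, which is not shown here.

```python
"""Flag ARP replies where a third host answers for someone else's address.

Added example: not DrayTek/Vigor code. The ArpReply structure and the SAMPLE
replies below are constructed for illustration, not captured traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    eth_src: str     # source MAC of the Ethernet frame (who really sent it)
    sender_mac: str  # ARP sender hardware address (the MAC claimed for sender_ip)
    sender_ip: str   # ARP sender protocol address (the IP being answered for)


def norm(mac: str) -> str:
    """Normalise 'AA-BB-..' / 'aa:bb:..' forms so comparisons are not fooled by format."""
    return mac.lower().replace("-", ":")


def check_replies(replies):
    """Return (alerts, table).

    alerts: list of (reply_index, reason) for every suspicious reply.
    table:  ip -> first MAC learned for it (the binding we keep trusting).
    """
    table = {}
    alerts = []
    for i, r in enumerate(replies):
        eth, claimed = norm(r.eth_src), norm(r.sender_mac)
        # Test 1: the frame came from a different host than the one the ARP
        # payload says owns the address ("C replies B is xx-xx-...").
        if eth != claimed:
            alerts.append((i, f"frame from {eth} answers for {r.sender_ip} claiming {claimed}"))
        # Test 2: an address we already know now maps to a different MAC.
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = claimed
        elif known != claimed:
            alerts.append((i, f"{r.sender_ip} moved from {known} to {claimed}"))
    return alerts, table


# Constructed sample: hosts B (...:01) and C (...:99) on 192.168.1.0/24.
SAMPLE = [
    ArpReply("00:11:22:33:44:01", "00:11:22:33:44:01", "192.168.1.10"),  # B answers for itself
    ArpReply("00:11:22:33:44:02", "00:11:22:33:44:02", "192.168.1.20"),  # another normal reply
    ArpReply("00:11:22:33:44:99", "00:11:22:33:44:01", "192.168.1.10"),  # C answers for B (proxy-style)
    ArpReply("00:11:22:33:44:99", "00:11:22:33:44:99", "192.168.1.10"),  # C claims B's IP as its own (spoof)
]

if __name__ == "__main__":
    found, bindings = check_replies(SAMPLE)
    for idx, reason in found:
        print(f"reply #{idx}: ARP mismatch: {reason}")
    print("trusted bindings:", bindings)
```

The first-seen binding is kept as the trusted one on purpose: if you let the newest reply win, the spoofing host would overwrite the table just as it overwrites a victim's ARP cache.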

Neopost franking machine and Draytek router

The issue was that the franking machine could not connect to its central server.
I tried multiple things, to no avail.
Then my intuition told me to check the VPN settings and voila!
SSL VPN was enabled, which on DrayTeks sticks to port 443, the port used exclusively by the franking machine service.
The SSL VPN port has to be changed to something other than 443, and then the franking machine should work again.
Good luck

Initial pings taking too long?

Either it's the DNS lookup taking those extra seconds or the ARP request taking too long.
Either way only the first packet pays the price, because everything after the first request is served from the DNS cache and the ARP table; in my case it was the DNS lookup that caused the initial pings to get lost in space.

SFP ports

Probably you have noticed some SFP ports on your switches and wonder how to utilize them.
Few points about the SFP port:
1. An RJ-45 port connects at 1Gbps and the SFP port connects at 1Gbps, so for a short copper run they are the same and there is no speed advantage to using one over the other. To make use of SFP you need transceiver modules (copper or fibre), which cost extra.
2. SFP is most commonly used when two switches are further apart than the 100m limit of copper Ethernet; then you connect them over fibre via the SFP port.
3. If you have a switch with no Gbit ports but with an SFP port, you can go SFP from that switch into another switch that is already 1Gbit on every port; both ends do not have to be the same model.
4. If you really need more than 1Gbps between switches, consider "stackable" switches, LAG (link aggregation) ports, or switches with 10Gb ports.

Juniper: warning: dhcp-service subsystem not running

I had set up a custom (static) binding in DHCP:
set system services dhcp static-binding 01:0x:0x:0x:0x:0x fixed-address 192.168.0.120
and wanted to clear a previous one:
root@juniper> clear dhcp server binding 192.168.0.105
warning: dhcp-service subsystem not running - not needed by configuration.

What?

There are actually two completely different DHCP daemons in Junos: the legacy dhcpd and the newer jdhcpd.
When you configure statements under [edit system services dhcp] you are using dhcpd, and the matching operational commands are:
show system services dhcp binding
clear system services dhcp binding <address>
restart dhcp

When you configure statements under [edit system services dhcp-local-server] you are using jdhcpd, and the commands are:
show dhcp server binding
clear dhcp server binding <address>
restart dhcp-service

The warning above simply means a jdhcpd-style command was aimed at a box whose configuration only uses the legacy daemon. So in this case the command I needed was:
clear system services dhcp binding 192.168.0.105

Find out if your device is dual band

Dual band means that it supports both 2.4GHz and 5GHz.
Not many devices support it, and neither do many home wireless access points.
To check it on your Linux system use this command:
iwlist wlo1 freq
In my case wlo1 is my wireless adapter (use the interface name shown by ip link or iwconfig).
If you can see only 2.4GHz channels in the output, the adapter has no 5GHz capability. On newer distributions that no longer ship wireless-tools, iw list shows the same per-band frequency information.
Usually Apple products such as laptops and Time Capsules support 5GHz.
Technically most Android tablets have hardware support for 5GHz, but at the time of writing Android did not expose it on many of them.
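The check above is easy to automate. The following is an added Python example (mine, not from the original post) that parses the "Channel NN : X.XXX GHz" lines that iwlist prints and reports which bands the adapter can use; it also recognises the 6 GHz band, which the post does not mention. The two sample outputs are constructed to mimic wireless-tools formatting and are not captures from a real adapter.

```python
"""Decide from `iwlist <iface> freq` output whether an adapter is dual band.

Added example, not part of the original post. The two sample outputs are
constructed to mimic wireless-tools formatting; they are not real captures.
"""
import re

# Matches the per-channel lines: "          Channel 36 : 5.18 GHz"
# (the trailing "Current Frequency:... (Channel 6)" line has no colon after
# the channel number, so it is deliberately not matched).
CHANNEL_RE = re.compile(r"Channel\s+(\d+)\s*:\s*([\d.]+)\s*GHz")

# Approximate band edges in GHz (2.4 GHz ISM, 5 GHz UNII, 6 GHz).
BANDS = (("2.4GHz", 2.400, 2.500), ("5GHz", 4.900, 5.900), ("6GHz", 5.925, 7.125))


def parse_channels(text: str) -> dict:
    """Return {channel_number: frequency_ghz} for every channel line in the output."""
    return {int(ch): float(ghz) for ch, ghz in CHANNEL_RE.findall(text)}


def bands_supported(text: str) -> set:
    """Set of band names found in the channel list."""
    found = set()
    for ghz in parse_channels(text).values():
        for name, lo, hi in BANDS:
            if lo <= ghz <= hi:
                found.add(name)
    return found


def is_dual_band(text: str) -> bool:
    """True when both 2.4 GHz and 5 GHz channels are listed."""
    return {"2.4GHz", "5GHz"} <= bands_supported(text)


# Constructed sample outputs (wireless-tools style), not real captures.
SINGLE_BAND = """\
wlo1      13 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 06 : 2.437 GHz
          Channel 13 : 2.472 GHz
          Current Frequency:2.437 GHz (Channel 6)
"""

DUAL_BAND = """\
wlo1      32 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 06 : 2.437 GHz
          Channel 11 : 2.462 GHz
          Channel 36 : 5.18 GHz
          Channel 40 : 5.2 GHz
          Channel 149 : 5.745 GHz
          Current Frequency:5.18 GHz (Channel 36)
"""

if __name__ == "__main__":
    for label, out in (("single", SINGLE_BAND), ("dual", DUAL_BAND)):
        print(label, sorted(bands_supported(out)), "dual band:", is_dual_band(out))
```

To run it against a live adapter, pipe the real output in, for example `iwlist wlo1 freq | python3 -c 'import sys, dualband; print(dualband.is_dual_band(sys.stdin.read()))'` with the block saved as dualband.py.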

Strengthening SSH

Ideally you should allow access to your router from outside only from trusted IPs and/or using key-based authentication, with the private key itself protected by a passphrase.
If you don't want to do that, you should at the very least add these three things to your configuration. They will not stop password brute forcing, but they cut the number of attempts that even reach a password prompt: root-login deny means an attacker has to guess a username as well as a password, protocol-version v2 drops the broken SSHv1, and rate-limit 3 caps new SSH connection attempts at three per minute.

services {
ssh {
root-login deny;
protocol-version v2;
rate-limit 3;
}
}

Such a shame, but I haven't found any instructions on how to effectively shift SSH away from the default port 22. As far as I know it is not possible, and the only way is this: "If you want to block connections to port 22, we can use firewall filter or if you want to use some other ports to do SSH, we can use destination NAT rule to redirect requests coming to any other ports to port 22."
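To see what rate-limit 3 and root-login deny actually buy you, here is an added Python example (my code, not Juniper's) that scans sshd syslog lines for sources making more than three attempts inside any one-minute window, which is the condition rate-limit enforces at connection time, and counts how many password failures targeted root, the attempts root-login deny makes impossible. The log lines are constructed in OpenSSH/Junos sshd syslog style for the example; the hostname gw and all addresses are made up.

```python
"""Spot SSH brute forcing in syslog lines and count attempts against root.

Added example, not Juniper code. LOG is constructed in OpenSSH/Junos sshd
syslog style for illustration; hostname 'gw' and all addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(lines):
    """Return a list of (timestamp, source_ip, user, result) for sshd auth lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons (mgd, rpd...) or unrelated sshd messages
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def over_rate_limit(events, limit=3, window=timedelta(minutes=1)):
    """Sources with more than `limit` attempts inside any `window`.

    Same condition Junos 'rate-limit 3' applies to new connections per minute;
    returns {ip: peak attempts seen in one window}.
    """
    by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def failed_root_attempts(events):
    """Password failures aimed at root, the ones 'root-login deny' removes."""
    return sum(1 for _, _, user, result in events
               if user == "root" and result == "Failed password")


# Constructed sample log, not a real capture.
LOG = [
    "Jun 12 10:00:01 gw sshd[5123]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jun 12 10:00:04 gw sshd[5124]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Jun 12 10:00:09 gw sshd[5125]: Failed password for invalid user admin from 203.0.113.5 port 51251 ssh2",
    "Jun 12 10:00:15 gw sshd[5126]: Failed password for root from 203.0.113.5 port 51262 ssh2",
    "Jun 12 10:00:31 gw sshd[5127]: Failed password for root from 203.0.113.5 port 51270 ssh2",
    "Jun 12 10:00:40 gw sshd[5128]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Jun 12 10:05:10 gw sshd[5150]: Failed password for root from 198.51.100.7 port 40015 ssh2",
    "Jun 12 10:06:00 gw sshd[5160]: Accepted publickey for walker from 192.0.2.10 port 50022 ssh2",
    "Jun 12 10:06:00 gw mgd[1001]: UI_COMMIT: User 'walker' requested 'commit' operation",
]

if __name__ == "__main__":
    ev = parse(LOG)
    print("sources over 3 attempts/minute:", over_rate_limit(ev))
    print("failed attempts against root:", failed_root_attempts(ev))
```

The slow, spread-out attempts from the second source stay under the limit, which is the point: rate-limit only blunts noisy brute forcing, so the trusted-IP filter or key-only login is still what actually closes the door.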


Juniper: Securing root access

Set up one additional user with superuser rights and also one operator, so that you can use the operator for day-to-day work and the superuser only when you really need it.
Make sure the account names are meaningless: not your forename or surname, for instance. Note that the predefined class is spelled super-user, with the hyphen.
cli
conf
edit system login

set user walker class super-user
set user walker authentication plain-text-password

It would be even better to use SSH key-based login for the superuser.

The operator must be a separate account with its own name (the class is set per user, so reusing "walker" here would just downgrade the superuser); "walkop" below is only a placeholder:

set user walkop class operator
set user walkop authentication plain-text-password

Login Classes

run show system users
top
set system services ssh root-login deny
commit

1e100.net

Probably you have noticed a lot of connections to multiple hosts in the domain 1e100.net.
This is Google's explanation:

1e100.net is a Google-owned domain name used to identify the servers in our network.

Following standard industry practice, we make sure each IP address has a corresponding hostname. In October 2009, we started using a single domain name to identify our servers across all Google products, rather than use different product domains such as youtube.com, blogger.com, and google.com. We did this for two reasons: first, to keep things simpler, and second, to proactively improve security by protecting against potential threats such as cross-site scripting attacks.

Most typical Internet users will never see 1e100.net, but we picked a Googley name for it just in case (1e100 is scientific notation for 1 googol).

In a browser that uses Google Safe Browsing, many of these connections are its lookups: the feature checks sites and warns you if one is an "Attack Site".
But any Google service (search, Gmail, YouTube, Chrome updates, Google Analytics embedded in third-party pages) shows up under 1e100.net in the same way, so the domain alone does not tell you which product is talking.

Create domain user profile over VPN? Windows 7

It is easily possible if you have a point-to-point (site-to-site) VPN set up between the networks, because the domain controller is already reachable at logon time.
If you use a client VPN you need to make sure the VPN connection is up before you log in as the domain user.
On the obsolete PPTP client, for instance, log in as a local user to establish the VPN connection.
Instead of logging off that user, use SWITCH USER and then log in as the domain user; that creates the brand new user profile on the desktop PC or laptop.

Technicolor DNS change

Finally got rid of OpenDNS. It improves security, but it manipulates DNS far too much.
To check: http://www.opendns.com/welcome/
To check IPv6: http://test-ipv6.com/

These commands do not change the DNS servers advertised to LAN clients by the router's DHCP. They add DNS server routes for the router's own forwarder, which override the upstream servers it learned from the ISP over DHCP; the metric works like a route metric, so the lower value (x1.x1.x1.x1 at 10) is preferred over x2.x2.x2.x2 at 15.

{admin}[dns server route]=>add dns=x1.x1.x1.x1 metric=10 intf=Internet
{admin}[dns server route]=>add dns=x2.x2.x2.x2 metric=15 intf=Internet
{admin}[dns server route]=>..
{admin}[dns server]=>..
{admin}[dns]=>..
{admin}=>saveall