PowerShell: Remove IP Address Assignment Using Bluecat API

$bluecatUri='http://bluecat.kimconnect.com/Services/API'
$bluecatUsername='svc-bluecat-api'
$bluecatPassword='PASSWORD'
$configId=17
$ipv4Address='10.10.162.54'
$marker='toBeDeleted-'

function confirmation($content,$testValue="I confirm",$maxAttempts=3){
  # Interactive guard: the caller's destructive action only proceeds when the user types $testValue
  $confirmed=$false
  $attempts=0
  $content|write-host
  write-host "Please review this content for accuracy.`r`n"
  while ($attempts -le $maxAttempts){
    if($attempts++ -ge $maxAttempts){
      write-host "The maximum number of attempts has been reached. No confirmation received!`r`n"
      break
    }
    $userInput = Read-Host -Prompt "Please type in this value => $testValue <= to confirm. Input CANCEL to skip this item"
    if ($userInput.ToLower() -eq $testValue.ToLower()){
      $confirmed=$true
      write-host "Confirmed!`r`n"
      break
    }elseif($userInput -like 'cancel'){
      write-host 'Cancel command received.'
      $confirmed=$false
      break
    }else{
      cls
      $content|write-host
      write-host "Attempt number $attempts of $maxAttempts`: $userInput does not match $testValue. Try again or input CANCEL to skip this item`r`n"
    }
  }
  return $confirmed
}
function loginBluecat{
  param(
    [Parameter(Mandatory=$true)]$uri,
    [Parameter(Mandatory=$true)]$username,
    [Parameter(Mandatory=$true)]$password
  )
  # Build a SOAP proxy from the WSDL and keep the session cookie that login() sets
  $proxy = New-WebServiceProxy -Uri "$($uri)?wsdl"
  $proxy.url = $uri
  $cookieContainer = New-Object System.Net.CookieContainer
  $proxy.CookieContainer = $cookieContainer
  # Discard login()'s return value; otherwise it is emitted alongside $proxy and the caller receives an array
  $null = $proxy.login($username, $password)
  return $proxy
}

function removeIpv4Assignment{
  param(
    [Parameter(Mandatory=$true)]$proxy,
    [Parameter(Mandatory=$true)]$configId,
    [Parameter(Mandatory=$true)]$ipV4Address,
    [string]$marker='toBeDeleted-'
  )
  
  $erroractionpreference='stop'
  try{    
    $record=$proxy.getIP4Address($configId,$ipV4Address)
    if($record.id -eq 0){
      write-host "IP Address $ipv4Address does not exist in config ID $configId"
      return -1
    }else{
      $markedRecord=$marker+$record.name
      $record.Name=$markedRecord
      $proxy.update($record)
      $property=$proxy.searchByObjectTypes($markedRecord, "IP4Address", 0, 1)
      $confirmed=confirmation "Delete this record:`r`n$(($property|out-string).trim())"
      if($confirmed){
        $proxy.delete($property.id)
        return 0
      }else{
        write-host "User cancelled operation. IP Address $ipv4Address NOT removed."
        return 1
      }      
    }
  }catch{
    write-warning $_
    return 1
  }  
}

$bluecatProxy=loginBluecat -Uri $bluecatUri -Username $bluecatUsername -Password $bluecatPassword
removeIpv4Assignment -proxy $bluecatProxy -configId $configId -ipv4Address $ipV4Address

Ping Command’s First Packet Toward LDAP Server(s) Takes 2 Seconds to Start

Case 1: Are DNS servers working?
  • dig returns results right away => defined dns servers are working
  • dig returns results with a 2+ second delay or timeout => defined dns servers are NOT working

Recommendations:

  1. Test configuring client to use a different DNS server
    dig @dnsServer1.kimconnect.com ldapServerName
  2. Verify that routing and firewall rules are passing traffic from client to DNS servers
  3. Cleanup invalid DNS records in AD
Case 2: Is localhost able to cache hardware addresses?
  • arp -a returns results right away, and the LDAP server's MAC address is present => ARP is working fine
  • arp -a takes a while to populate => indication that the localhost ARP table is having issues, so it's not caching MAC-to-IP mappings for fast lookups

Recommendations:

a. Add a static arp entry into localhost

Command:

arp -s ip-address-of-ldap-server hardware-address-of-ldap-server
# Example:
sudo arp -s 10.10.10.10 aa:11:bb:22:cc:44

# How to reverse the change:
sudo arp --delete 10.10.10.10

# How to check the ARP Table:
sudo arp -avn # more verbose
sudo arp -n # simple view

b. Clear ARP cache & DNS cache

ip -s -s neigh flush all
arp -n
service nscd restart

How to configure Ubiquiti EdgeRouter to send logs to a Syslog Server

Method 1: using text editor

# Edit the syslog config
sudo vi /etc/rsyslog.d/vyatta-log.conf

# Change the @ prefix (UDP) to @@ (TCP)
# Add :PORTNUMBER after the host name or IP if necessary
admin@EdgeRouter-4:~$ cat /etc/rsyslog.d/vyatta-log.conf
*.err	@graylog.kimconnect.com
*.notice;local7.debug	-/var/log/messages

Method 2: use sed to update texts

# Change from udp to tcp (@+ matches one or more @, so re-running this leaves @@ in place instead of growing it to @@@)
sudo sed -E 's/@+/@@/' -i /etc/rsyslog.d/vyatta-log.conf
cat /etc/rsyslog.d/vyatta-log.conf

# Change from tcp to udp
sudo sed -E 's/@+/@/' -i /etc/rsyslog.d/vyatta-log.conf
cat /etc/rsyslog.d/vyatta-log.conf

# Restart syslogd
sudo service rsyslog restart

PowerShell: Initiate Tests on Certain Ports

function initTestPort($portNumber=5985,$maxTests=3){

  function getIndexDifference {
    param(
      [String] $string1,
      [String] $string2
    )
    if ( $string1 -ceq $string2 ) {
      return -1
    }
    for ( $i = 0; $i -lt $string1.Length; $i++ ) {
      if ( $string1[$i] -cne $string2[$i] ) {
        return $i
      }
    }
    return $string1.Length
  }  

  $baseline=(netstat -ano -p tcp|select-string "$portNumber"|out-string).trim()
  if(!$baseline){
    write-warning "$env:computername doesn't have any service listening on port $portNumber"
    return   # 'exit' here would terminate the whole session, not just this function
  }else{
    write-host "$env:computername is now listening on port $portNumber"
    do{
      $status=(netstat -ano -p tcp|select-string "$portNumber"|out-string).trim()
      if($status -ne $baseline){
        $maxTests--
        # Report only the part of the netstat output that differs from the baseline (the new connection lines)
        $matchIndex=getIndexDifference $status $baseline
        $difference=$status.Substring($matchIndex).Trim()
        write-host "$maxTests remaining => $difference"
        $status=$baseline
        $null=ping 127.0.0.1 -n 1   # brief pause before polling again
      }
    }until(!$maxTests)
  }
}
# Test reachability from a client machine
$server='nameOrIpHere'
$port=5985
(new-object Net.Sockets.TcpClient).Connect($server, $port)

PowerShell: How To Test A Server Ephemeral Port

# Setup a listening port on server
# This session will automatically terminate after the given number of tests

function initTestEphemeralPort{
  param(
    $port=59848,
    $testCount=3
  )
  $cmdlet="(new-object Net.Sockets.TcpClient).Connect('$env:computername', $port)"
  write-host "$env:computername is now listening on port $port"
  write-host "Please run this command at the client side:`r`n$cmdlet"
  $listener=New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $port)
  $listener.Start()
  while($testCount){
    # Blocks until a client connects
    $clientAccepted=$listener.AcceptTcpClient()
    if($clientAccepted){
      write-host "$((netstat -ano -p tcp|select-string "$port"|out-string))"
      $testCount--
      write-host "$testCount connection test(s) remaining!"
      $clientAccepted.Close()
    }
    if(!$testCount){
      # Stop listening on the server
      $listener.Stop()
      write-host "Tests have completed."
    }
  }
}

initTestEphemeralPort 59848
# Test reachability from a client machine
$server='nameOrIpHere'
$port=59848
(new-object Net.Sockets.TcpClient).Connect($server, $port)

Some Useful Windows Networking Commands

# Checking WinRM connections
PS C:\Windows\system32> netstat -ano|select-string ":5985"
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    192.11.0.7:5985        192.12.128.106:63603   SYN_RECEIVED    4  ==> indicates normal working status from within the OS
  TCP    192.11.0.7:5985        192.13.64.44:51589     SYN_RECEIVED    4

# Search MAC table on localhost
$macAddress="xx:xx:xx:xx:xx:xx"
arp -a | findstr $macAddress

# Checking network configs
PS C:\Windows\system32> Get-NetIPConfiguration
InterfaceAlias       : Ethernet 2
InterfaceIndex       : 3
InterfaceDescription : Microsoft Hyper-V Network Adapter #2
NetProfile.Name      : kimconnect.com
IPv4Address          : 192.12.134.21
IPv6DefaultGateway   :
IPv4DefaultGateway   : 192.12.134.1
DNSServer            : 192.12.130.100
                       192.12.130.101
# List adapters
PS C:\Windows\system32> Get-NetAdapter
Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
NIC2                      Broadcom NetXtreme Gigabit Ethernet #2       29 Not Present  xx-xx-xx-xx-xx-xx          0 bps
NIC4                      Broadcom NetXtreme Gigabit Ethernet #4       26 Not Present  xx-xx-xx-xx-xx-xx          0 bps
NIC Team1 - TESTLAB...     Microsoft Network Adapter Multiple...#4      25 Up           xx-xx-xx-xx-xx-xx        40 Gbps
NIC Team1                 Microsoft Network Adapter Multiplexo...      23 Up           xx-xx-xx-xx-xx-xx        40 Gbps
Ethernet 5                Intel(R) Ethernet Converged Networ...#2      21 Up           xx-xx-xx-xx-xx-xx        40 Gbps
Ethernet 4                Intel(R) Ethernet Converged Network ...      15 Up           xx-xx-xx-xx-xx-xx        40 Gbps
NIC3                      Broadcom NetXtreme Gigabit Ethernet          13 Not Present  xx-xx-xx-xx-xx-xx          0 bps
NIC1                      Broadcom NetXtreme Gigabit Ethernet #3       11 Not Present  xx-xx-xx-xx-xx-xx          0 bps
NIC Team1 - TESTLAB...     Microsoft Network Adapter Multiple...#2       8 Up           xx-xx-xx-xx-xx-xx        40 Gbps
Ethernet 2                Remote NDIS Compatible Device                 5 Not Present  xx-xx-xx-xx-xx-xx          0 bps
NIC Team1 - TESTLAB...     Microsoft Network Adapter Multiple...#3       4 Up           xx-xx-xx-xx-xx-xx        40 Gbps

# List Physical adapters
PS C:\Windows\system32> Get-NetAdapter -Physical
Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet 5                Intel(R) Ethernet Converged Networ...#2      21 Up           xx-xx-xx-xx-xx-xx        40 Gbps
Ethernet 4                Intel(R) Ethernet Converged Network ...      15 Up           xx-xx-xx-xx-xx-xx        40 Gbps

# Get advanced properties of a NIC
$nicName="Ethernet 2"
Get-NetAdapter -Name $nicName | Get-NetAdapterAdvancedProperty

PS C:\Windows\system32> Get-NetAdapter -Name $nicName | Get-NetAdapterAdvancedProperty
Name                      DisplayName                    DisplayValue                   RegistryKeyword RegistryValue
----                      -----------                    ------------                   --------------- -------------
Ethernet 2                IPv4 Checksum Offload          Rx & Tx Enabled                *IPChecksumO... {3}
Ethernet 2                IPSec Offload                  Auth Header and ESP Enabled    *IPsecOffloadV2 {3}
Ethernet 2                Jumbo Packet                   Disabled                       *JumboPacket    {1514}
Ethernet 2                Large Send Offload Version ... Enabled                        *LsoV2IPv4      {1}
Ethernet 2                Large Send Offload Version ... Enabled                        *LsoV2IPv6      {1}
Ethernet 2                Max Number of RSS Processors   16 Processors                  *MaxRssProce... {16}
Ethernet 2                Network Direct (RDMA)          Disabled                       *NetworkDirect  {0}
Ethernet 2                Maximum Number of RSS Queues   16 Queues                      *NumRssQueues   {16}
Ethernet 2                Packet Direct                  Disabled                       *PacketDirect   {0}
Ethernet 2                Recv Segment Coalescing (IPv4) Enabled                        *RscIPv4        {1}
Ethernet 2                Recv Segment Coalescing (IPv6) Enabled                        *RscIPv6        {1}
Ethernet 2                Receive Side Scaling           Enabled                        *RSS            {1}
Ethernet 2                RSS Base Processor Number      0                              *RssBaseProc... {0}
Ethernet 2                Maximum RSS Processor Number   15                             *RssMaxProcN... {15}
Ethernet 2                RSS Profile                    NUMA Scaling Static            *RSSProfile     {4}
Ethernet 2                TCP Checksum Offload (IPv4)    Rx & Tx Enabled                *TCPChecksum... {3}
Ethernet 2                TCP Checksum Offload (IPv6)    Rx & Tx Enabled                *TCPChecksum... {3}
Ethernet 2                UDP Checksum Offload (IPv4)    Rx & Tx Enabled                *UDPChecksum... {3}
Ethernet 2                UDP Checksum Offload (IPv6)    Rx & Tx Enabled                *UDPChecksum... {3}
Ethernet 2                Forwarding Optimization        Disabled                       ForwardingOp... {0}
Ethernet 2                Hyper-V Network Adapter Name                                  HyperVNetwor... {--}
Ethernet 2                Network Address                --                             NetworkAddress  {--}
Ethernet 2                Receive Buffer Size            8MB                            ReceiveBuffe... {8192}
Ethernet 2                Send Buffer Size               1MB                            SendBufferSize  {1024}
Ethernet 2                VLAN ID                        0                              VlanID          {0}

PS C:\Windows\system32> get-netadapter -name 'NIC Team1 - VLAN101' | Get-NetAdapterAdvancedProperty
Name                      DisplayName                    DisplayValue                   RegistryKeyword RegistryValue
----                      -----------                    ------------                   --------------- -------------
NIC Team1 - HyperV...0001 Encapsulated Task Offload      Enabled                        *Encapsulate... {1}
NIC Team1 - HyperV...0001 Header Data Split              Enabled                        *HeaderDataS... {1}
NIC Team1 - HyperV...0001 IPv4 Checksum Offload          Rx & Tx Enabled                *IPChecksumO... {3}
NIC Team1 - HyperV...0001 IPsec Offload                  Auth Header & ESP Enabled      *IPsecOffloadV2 {3}
NIC Team1 - HyperV...0001 Large Send Offload Version ... Enabled                        *LsoV2IPv4      {1}
NIC Team1 - HyperV...0001 Large Send Offload Version ... Enabled                        *LsoV2IPv6      {1}
NIC Team1 - HyperV...0001 Recv Segment Coalescing (IPv4) Enabled                        *RscIPv4        {1}
NIC Team1 - HyperV...0001 Recv Segment Coalescing (IPv6) Enabled                        *RscIPv6        {1}
NIC Team1 - HyperV...0001 Receive Side Scaling           Enabled                        *RSS            {1}
NIC Team1 - HyperV...0001 TCP Checksum Offload (IPv4)    Rx & Tx Enabled                *TCPChecksum... {3}
NIC Team1 - HyperV...0001 TCP Checksum Offload (IPv6)    Rx & Tx Enabled                *TCPChecksum... {3}
NIC Team1 - HyperV...0001 UDP Checksum Offload (IPv4)    Rx & Tx Enabled                *UDPChecksum... {3}
NIC Team1 - HyperV...0001 UDP Checksum Offload (IPv6)    Rx & Tx Enabled                *UDPChecksum... {3}
NIC Team1 - HyperV...0001 Virtual Machine Queues         Enabled                        *VMQ            {1}
NIC Team1 - HyperV...0001 Virtual Machine Queues - Sh... Enabled                        *VMQLookahea... {1}
NIC Team1 - HyperV...0001 Virtual Machine Queues - VL... Enabled                        *VMQVlanFilt... {1}
NIC Team1 - HyperV...0001 MAC Address                    --                             NetworkAddress  {--}

# Check hardware information
PS C:\Windows\system32> Get-NetAdapterHardwareInfo
Name                           Segment Bus Device Function Slot NumaNode PcieLinkSpeed PcieLinkWidth Version
----                           ------- --- ------ -------- ---- -------- ------------- ------------- -------
NIC0                                 0   1      0        2             0      5.0 GT/s             8 1.1
NIC1                                 0   1      0        1             0      5.0 GT/s             8 1.1
NIC2                                 0   1      0        0             0      5.0 GT/s             8 1.1
NIC3                                 0   1      0        3             0      5.0 GT/s             8 1.1

# Set Mac address of an adapter
$macAddress2="xx-xx-xx-xx-xx-xx"
Set-NetAdapter -Name "vEthernet" -MacAddress $macAddress2

Installing IBM VPN Client

On a Linux Machine

# Install VPN Client
shellScript=https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/downloads/pkg_9_4_0_385/MP_Linux_1.2.9/MotionPro_Linux_Ubuntu_x64_build-8.sh
cd Desktop
wget $shellScript
chmod +x MotionPro_Linux_Ubuntu_x64_build-8.sh   # wget does not set the execute bit
sudo ./MotionPro_Linux_Ubuntu_x64_build-8.sh

# Start VPN daemon
sudo /usr/bin/vpnd

# Connecting
remoteHost=vpnserver.kimconnect.com
username=adminguy
password=PASSWORDHERE
sudo /usr/bin/MotionPro --host "$remoteHost"

# Stopping the VPN daemon
sudo pkill vpnd

On a Windows Machine

# Download
$fileUrl='https://support.arraynetworks.net/prx/000/http/supportportal.arraynetworks.net/downloads/pkg_9_4_0_327/SSLVPN_9.0.1.115/ArraySSLVPNSetup.msi'
$outFile='C:\Temp\ArraySSLVPNSetup.msi'
Invoke-WebRequest -Uri $fileUrl -OutFile $outFile

# Install - this doesn't work as of this writing
$dateStamp = get-date -Format yyyyMMddTHHmmss
$logFile = '{0}-{1}.log' -f $outFile,$dateStamp
$MSIArguments = @(
    "/i"
    ('"{0}"' -f $outFile)   # quoted path of the MSI downloaded above
    "/qn"
    "/norestart"
    "/L*v"
    $logFile
)
Start-Process "msiexec.exe" -ArgumentList $MSIArguments -Wait -NoNewWindow

PowerShell: Improve Network Speed of Windows on 20 Mbps or Faster Connections

This has been tested on Windows 10 – will not work on a Server OS:

$networkRegistry='REGISTRY::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$keyName='IRPStackSize'
$keyValue=32
$previousValue=(Get-ItemProperty -Path $networkRegistry -Name $keyName -ErrorAction SilentlyContinue).$keyName   # $null when the value has not been created yet
if($keyValue -ne $previousValue){
    set-itemproperty -path $networkRegistry -Name $keyName -Value $keyValue
    $setValue=(Get-ItemProperty -Path $networkRegistry -Name $keyName).$keyName
    write-host "$keyName previous value $previousValue has been changed to $setValue"
}else{
    write-host "$keyName current value of $previousValue is already matching the intended set value."
}

Setup PXE Client Booting for Microsoft Deployment Toolkit with Multiple VLANs

Part A: Configure Clients

Ensure that machines on the network would boot on a predetermined order of priorities such as:
1. Internal hard drive
2. USB Thumb drive or CD ROM
3. Network PXE Boot

Moreover, there are Legacy BIOS vs Unified Extensible Firmware Interface (UEFI) booting modes. The former is straightforward as it's applicable to older equipment that has support for a maximum of 2.2 terabytes of storage. The latter, UEFI mode, embeds drivers to support drives up to 9 zettabytes (or 9216 terabytes). This is most likely the mode in which newer devices would boot.

As mentioned above, when a machine has exhausted its boot options, such as CD Roms and local hard drives, it would then search for a Preboot Execution Environment (PXE) Server on the network, which is usually a directory entry given by a DHCP Server.

Part B: Configure Router

In an environment with multiple virtual local area networks (VLANs), a DHCP Server may not reside on the same subnet as all of its clients. Therefore, an ip helper-address must be set on each VLAN interface so that the clients' DHCP broadcasts are relayed to the server. For most networking vendors, this is the command:

L3 Switch$ enable
L3 Switch(config)$ configure
L3 Switch(config)# vlan X
L3 Switch(vlan-X)# ip helper-address x.x.x.x

Part C: Configure DHCP Server

Here’s an example on setting directory pointers on a Microsoft DHCP Server:

Dhcpmgmt.msc > right-click DHCP > Add Server > select the correct DHCP Server with the IP Helper-Address being set on various VLANs > right-click IPv4 > DHCP Vendor Classes > create these three (3) entries as definitions for vendor classes:

1. Name = PXEClient (UEFI x86) | value = PXEClient:Arch:00006
2. Name = PXEClient (UEFI x64) | value = PXEClient:Arch:00007
3. Name = PXEClient (BIOS x86 & x64) | value = PXEClient:Arch:00000

Expand DHCP > select the scope of the VLAN subnet where PXE Clients would reside > right-click Policies > New Policy > set name = PXEClient (UEFI x86) > Next > click Add > select the Values drop-down menu > pick PXEClient (UEFI x86) > put a check mark next to Append wildcard(*) > click Add > OK > Next > select ‘No’ as the answer for ‘Do you want to configure an IP address range for the policy’ > Next > set these three (3) options on the Configure settings for the policy window:

1. option 060 = PXEClient (set this option ONLY if the DHCP server is same as the PXE Server. Otherwise, do NOT add this)
2. option 066 = FQDN or IP-Address of PXE Server
3. option 067 = boot\x86\wdsmgfw.efi for WDS (or ipxe32.efi if using FOG Server)

Repeat for PXEClient (UEFI x64)

1. option 060 = PXEClient (set this option ONLY if the DHCP server is same as the PXE Server. Otherwise, do NOT add this)
2. option 066 = FQDN or IP-Address of PXE Server
3. option 067 = boot\x64\wdsmgfw.efi for WDS (or ipxe.efi if using FOG Server)

Repeat for PXEClient (BIOS x86 & x64)

1. option 066 = FQDN or IP-Address of PXE Server
2. option 067 = boot\x64\wdsmgfw.efi for WDS (or undionly.kpxe if using FOG Server)

Click Next > OK when done. Navigate to Scope Options to verify the results.
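The same vendor classes and per-architecture policies can be scripted with the DhcpServer PowerShell module. This is an added example, not part of the original walkthrough; the scope ID, the PXE server name and the $dhcpIsPxe switch are placeholders to adjust for your environment.

```powershell
# Added example: scripted equivalent of the Part C GUI steps (DhcpServer module, run on the DHCP server).
# Placeholders: $scopeId (the PXE client VLAN scope), $pxeServer (option 066), $dhcpIsPxe (option 060).
Import-Module DhcpServer

$scopeId   = '10.10.30.0'          # placeholder: scope ID of the VLAN where PXE clients reside
$pxeServer = 'pxe.kimconnect.com'  # placeholder: FQDN or IP of the WDS/FOG server
$dhcpIsPxe = $false                # $true ONLY when the DHCP server is also the PXE server

# Vendor class name => class data and WDS boot file (option 067).
# FOG equivalents: ipxe32.efi, ipxe.efi and undionly.kpxe respectively.
# Note: wdsnbp.com is the WDS BIOS network boot program; wdsmgfw.efi only boots UEFI firmware.
$pxeClasses = [ordered]@{
    'PXEClient (UEFI x86)'       = @{ Data = 'PXEClient:Arch:00006'; BootFile = 'boot\x86\wdsmgfw.efi' }
    'PXEClient (UEFI x64)'       = @{ Data = 'PXEClient:Arch:00007'; BootFile = 'boot\x64\wdsmgfw.efi' }
    'PXEClient (BIOS x86 & x64)' = @{ Data = 'PXEClient:Arch:00000'; BootFile = 'boot\x64\wdsnbp.com' }
}

# Option 060 is not predefined on a Windows DHCP server; define it once if it will be used.
if ($dhcpIsPxe -and -not (Get-DhcpServerv4OptionDefinition -OptionId 60 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId 60 -Name 'PXEClient' -Type String -Description 'PXE client identifier'
}

$existingClasses = (Get-DhcpServerv4Class -Type Vendor).Name
foreach ($name in $pxeClasses.Keys) {
    $class = $pxeClasses[$name]

    # 1. Vendor class definition (DHCP Vendor Classes in the GUI)
    if ($existingClasses -notcontains $name) {
        Add-DhcpServerv4Class -Name $name -Type Vendor -Data $class.Data -Description 'PXE architecture match'
    }

    # 2. Scope policy matching the vendor class with a trailing wildcard ("Append wildcard(*)" in the GUI)
    Add-DhcpServerv4Policy -Name $name -ScopeId $scopeId -Condition OR -VendorClass EQ,"$name*"

    # 3. Policy-scoped options 066/067; 060 only on the UEFI policies and only when DHCP is the PXE server
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $name -OptionId 66 -Value $pxeServer
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $name -OptionId 67 -Value $class.BootFile
    if ($dhcpIsPxe -and $name -like '*UEFI*') {
        Set-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $name -OptionId 60 -Value 'PXEClient'
    }
}

# Verify: one policy per architecture, each carrying its own 066/067 values
Get-DhcpServerv4Policy -ScopeId $scopeId | Select-Object Name, Enabled, Condition, VendorClass
foreach ($name in $pxeClasses.Keys) {
    Get-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $name |
        Select-Object @{n='Policy';e={$name}}, OptionId, Value
}
```

A scope-level option 067 set outside any policy would apply to every client regardless of architecture, so keep the boot file only on the policies.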

Linux DNS Networking

DNS client on Linux:
  • /etc/resolv.conf specifies the nameservers for resolver lookups. Nameservers are tried in the order listed, in accordance with the DNS protocol. Local and global DNS entries are added here. Please be advised that these settings could be overwritten by system updates and even reboots. The proper way of inserting persistent DNS records into resolv.conf is:
    vim /etc/resolvconf/resolv.conf.d/head >> insert a record such as: nameserver [LOCAL_DNS_IP] >> save file: wq + enter >> regenerate resolv.conf with: sudo resolvconf -u
  • /etc/hosts file is typically used for only administrative purposes and internal network functions of limited scope. Singular entries associating names with IPs are sometimes added here.
  • /etc/nsswitch.conf specifies the lookup order, to be used in conjunction with the hosts entry.
  • /etc/network/interfaces is the manual IP Address configuration method (typically for servers). Here is a sample of an edit of this file:
    iface eth0 inet static
        address 10.10.30.X
        netmask 255.255.255.0
        gateway 10.10.30.1
        dns-search kimconnect.com
        dns-nameservers 10.10.20.1 10.10.20.2
Lastly, any changes to network configurations should be followed by this command: service network-manager restart

Windows Firewall Block ICMP Ping

Following is a quick exercise in configuring Windows firewall to block certain protocols:

# Disable Ping Outbound
New-NetFirewallRule -DisplayName "Block Outbound ICMPv4" -Direction Outbound -Protocol ICMPv4 -IcmpType 8 -Action Block

# New-NetFirewallRule -DisplayName "Block Outbound ICMPv6" -Direction Outbound -Protocol ICMPv6 -IcmpType 8 -Action Block
# Reverse the change
netsh advfirewall firewall delete rule name="Block Outbound ICMPv4"

# netsh advfirewall firewall delete rule name="Block Outbound ICMPv6"

How to Install OpenDNS Client on Ubuntu

Install the dynamic IP updater:

# Install the app
sudo apt-get install ddclient

Press Enter repeatedly to accept null values. Then edit the config file manually:

sudo vim /etc/ddclient.conf

Input values similar to this:

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
protocol=dyndns2
ssl=yes
use=web, web=myip.dnsomatic.com
server=updates.opendns.com
login=OpenDnsUsername [actual username such as user@gmail.com]
password='OpenDnsPassword' [actual password]
network_label

Please note that ‘network_label’ is found by accessing https://dashboard.opendns.com/settings/

Edit the /etc/default/ddclient file to resemble this

# Configuration for ddclient scripts 
# generated from debconf on Sun Jun 24 00:08:13 EDT 2018
#
# /etc/default/ddclient

# Set to "true" if ddclient should be run every time DHCP client ('dhclient'
# from package isc-dhcp-client) updates the systems IP address.
run_dhclient="false"

# Set to "true" if ddclient should be run every time a new ppp connection is
# established. This might be useful, if you are using dial-on-demand.
run_ipup="false"

# Set to "true" if ddclient should run in daemon mode
# If this is changed to true, run_ipup and run_dhclient must be set to false.
run_daemon="true"

# Set the time interval between the updates of the dynamic DNS name in seconds.
# This option only takes effect if the ddclient runs in daemon mode.
daemon_interval="300"

Optional: follow this easier method to edit /etc/default/ddclient

# Set the filename variable
ddclientFile=/etc/default/ddclient

# Make a backup of the file (it is owned by root, so sudo is needed here and for writing the new copy)
sudo mv $ddclientFile $ddclientFile.bak

# Create a new file (a plain '>' redirect would run as the unprivileged user, so write through sudo tee)
sudo tee $ddclientFile > /dev/null << EOF
run_dhclient="false"
run_ipup="false"
run_daemon="true"
daemon_interval="300"
EOF

Run this command to check whether configurations are valid: sudo ddclient -verbose -file /etc/ddclient.conf

# Sample Output:

rambo@pihole:/home/rambo# sudo ddclient -verbose -file /etc/ddclient.conf
CONNECT: myip.dnsomatic.com
CONNECTED: using HTTP
SENDING: GET / HTTP/1.0
SENDING: Host: myip.dnsomatic.com
SENDING: User-Agent: ddclient/3.8.3
SENDING: Connection: close
SENDING:
RECEIVE: HTTP/1.1 200 OK
RECEIVE: Server: nginx
RECEIVE: Date: Mon, 14 Dec 2020 03:21:13 GMT
RECEIVE: Content-Type: text/plain; charset=utf-8
RECEIVE: Content-Length: 12
RECEIVE: Connection: close
RECEIVE: Strict-Transport-Security: max-age=2628000
RECEIVE: X-Frame-Options: deny
RECEIVE: X-XSS-Protection: 1; mode=block
RECEIVE:
RECEIVE: 172.500.500.500
INFO: forcing updating MacDuff because no cached entry exists.
INFO: setting IP address to 172.500.500.500 for TESTNETWORK
UPDATE: updating TESTNETWORK
CONNECT: updates.opendns.com
CONNECTED: using SSL
SENDING: GET /nic/update?system=dyndns&hostname=MacDuff&myip=172.500.500.500 HTTP/1.0
SENDING: Host: updates.opendns.com
SENDING: Authorization: Basic abceHashHash
SENDING: User-Agent: ddclient/3.8.3
SENDING: Connection: close
SENDING:
RECEIVE: HTTP/1.0 200 OK
RECEIVE: date: Mon, 14 Dec 2020 03:21:14 GMT
RECEIVE: server: opendns
RECEIVE: content-length: 17
RECEIVE: content-type: text/html; charset=UTF-8
RECEIVE: x-envoy-upstream-service-time: 783
RECEIVE: x-xss-protection: 1; mode=block
RECEIVE: x-ingress-point: lax
RECEIVE: connection: close
RECEIVE:
RECEIVE: good 172.500.500.500
SUCCESS: updating TESTNETWORK: good: IP address set to 172.500.500.500

Finalize setup:

# Restart ddclient
sudo service ddclient restart

# Set it to auto-run on reboots
sudo systemctl enable ddclient

PowerShell: Get Ports to Process Connections / Associations

Current Iteration:

Here is a quick snippet to enable Network Engineers and Systems dudes to gather connection info on local or remote Windows.

# Sample Output

# Checking connections on port(s) 80 443 8080 8443...
# Checking connections for process name(s): chrome...
# Process names have not been defined. Program now scans 7 processes...

# ProcessName  PID Protocol SourceEndPoint     DestinationEndpoint ConnectionStatus processOwner
# -----------  --- -------- --------------     ------------------- ---------------- ------------
# chrome      5896 TCP      10.10.10.500:51788 10.10.10.500:8080   ESTABLISHED      KIMCONNECT\rambo
# chrome      5896 TCP      10.10.10.500:51789 10.10.10.500:8080   ESTABLISHED      KIMCONNECT\rambo
# chrome      5896 TCP      10.10.10.500:51793 10.25.1.1800:443    ESTABLISHED      KIMCONNECT\rambo
# chrome      5896 TCP      10.10.10.500:51794 10.25.1.1800:443    ESTABLISHED      KIMCONNECT\rambo
# getProcessConnections.ps1
# version 0.0.3
#
# Description:
#   This script will connect to a list of Windows machines to collect processes and their ports utilizations
#   This iteration includes information on the process owner(s)
#   Program has been slightly optimized
#
# Requirements:
#   WinRM connectivity is expected toward the list of computer names

$computerNames="$env:computername"
$processNames='chrome'
$portNumbers=@()

function invokeGetProcessPorts{
    [cmdletbinding()]
    Param(
        [string[]]$computerNames=$env:computername,
        [string[]]$processNames=$null,
        [string[]]$portNumbers=$null
        )
    function getProcessConnections{
        [cmdletbinding()]
        Param(
            [parameter(ValueFromPipeLine=$True)][AllowEmptyCollection()][string[]]$processNames=$null,
            [parameter(ValueFromPipeLine=$True)][AllowEmptyCollection()][string[]]$portNumbers=$null
            )
        # Initialize variables    
        $results=@()
        $psVersionFeasible=$PSVersionTable.PSVersion.Major -ge 4
        $processes=if($processNames){
                write-host "Checking connections for process name(s): $processNames..." 
                if($psVersionFeasible){
                        try{                
                            get-process $processNames -IncludeUserName # This is only available in PoSh 4.0+ 
                        }catch{
                            write-warning $_
                        }
                    }else{
                        get-process $processNames
                        }
            }else{
                if($psVersionFeasible){               
                    get-process -IncludeUserName
                }else{
                    get-process
                }
            }
        
        if($processes){
            write-host "Checking $($processes.count) processes..." -ForegroundColor Yellow
            # Collecting wmiobjects to be able to invoke .getowner() method
            $processObjects=if(!$psVersionFeasible){Get-WmiObject Win32_Process}else{$null}
            $netStat=if($portNumbers){
                    write-host "Checking connections on port(s) $portNumbers..."
                    netstat -ano|?{$_ -match "\:($($portNumbers -join '|'))\s"}
                }else{
                    write-host 'Port numbers were not defined. Scanning all ports...' -ForegroundColor Yellow
                    Netstat -ano|?{$_ -match "\d$"}
                }
            $previousPid=$previousOwner=$null
            write-verbose "Process ID:"
            foreach($process in $processes){            
                $processId=$process.ID
                write-verbose "$processId"
                $processName=$process.ProcessName
                $processOwner=if($processId -ne $previousPid){
                    $previousOwner=if($processObjects){
                            $processObjects|?{$_.ProcessId -eq $processId}|%{if($_.GetOwner().User){$_.GetOwner().Domain+"\"+$_.GetOwner().User}else{'unknown'}}|select -unique
                        }else{
                            $process.UserName
                        }
                    $previousOwner
                }else{
                    $previousOwner
                }
                $matchedLines = @($netStat|?{$_ -match "\s$processId$"}) # match the trailing PID column only, not the PID digits inside an address or port
                write-host "Process Id $processId matched $($matchedLines.count) lines"
                foreach($matchedLine in $matchedLines){                    
                    $line = $matchedLine.Split('') | where{$_ -ne ""} # remove empty lines
                    $leftCount = $line[1].LastIndexOf(':')
                    $rightCount = $line[2].LastIndexOf(':')
                    $sourceEndpoint=$line[1].SubString(0,$leftCount)+':'+$line[1].SubString($leftCount+1,($line[1].Length-$leftCount-1))
                    $destinationEndpoint=$line[2].SubString(0,$rightCount)+':'+$line[2].SubString($rightCount+1,($line[2].Length-$rightCount-1))
                    $results += [PSCustomObject]@{              
                        ComputerName = $env:computername
                        ProcessName  = $processName
                        PID = $processId
                        Protocol = $line[0]
                        SourceEndPoint = $sourceEndpoint
                        DestinationEndpoint = $destinationEndpoint
                        #LocalAddress = $line[1].SubString(0,$leftCount)
                        #LocalPort = $line[1].SubString($leftCount+1,($line[1].Length-$leftCount-1))
                        #RemoteAddress = $line[2].SubString(0,$rightCount)
                        #RemotePort = $line[2].SubString($rightCount+1,($line[2].Length-$rightCount-1))
                        ConnectionStatus = $(if(!($line[3] -match '\d')){$line[3]}) # Checking if the connection contains any empty string.
                        processOwner=$processOwner
                    }
                }
                $previousPid=$processId
            }            
        if($results){
            return $results
            }elseif($processNames -and $portNumbers){
                write-host "$processNames not found on $portNumbers" -ForegroundColor Yellow
                return $null                
            }else{
                write-host "No processes matched." -ForegroundColor Yellow
                return $null
            }
        }else{
            write-host "No processes matched." -ForegroundColor Yellow
            return $null
        }
    }

    $results=@()
    foreach ($computerName in $computerNames){
        $session=New-PSSession -ComputerName $computerName -ErrorAction SilentlyContinue
        if($session.State -eq 'Opened'){
            # Reuse the session that was just opened instead of negotiating a second connection by computer name
            $result=invoke-command -Session $session -scriptblock{
                param($importFunc,$x,$y)
                write-host "Executing function on $env:computername"
                [scriptblock]::create($importFunc).invoke($x,$y)
            } -args ${function:getProcessConnections},$processNames,$portNumbers
            if($result){
                $results+=$result
            }else{
                write-host "No matches on $computerName"
            }
            Remove-PSSession $session
        }else{
            write-warning "Unable to connect to $computername"
        }
    }
    return $results
}

$resultArray=invokeGetProcessPorts $computerNames $processNames $portNumbers
$resultArray|ft
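As an added example (not part of the script above or any of its iterations), the same join of processes to their connections can be done with the built-in Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets instead of parsing netstat text. That removes the text-matching pitfalls entirely: the PID is a typed property, so there is no risk of matching it inside an IP address. Owner lookup uses Win32_Process.GetOwner() through CIM, as the script does. The function, parameter and property names are this example's own; it assumes Windows 8 / Server 2012 or later for the NetTCPIP module.

```powershell
function Get-ProcessConnection {
    [CmdletBinding()]
    param(
        [string[]]$ProcessNames,   # optional filter, e.g. 'chrome'
        [int[]]$PortNumbers        # optional filter on local or remote port
    )
    $processes = if ($ProcessNames) {
        Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue
    } else {
        Get-Process
    }
    if (-not $processes) { Write-Warning "No process matched '$ProcessNames'"; return }

    # Index candidate processes by PID so every join below is an exact key lookup.
    $byPid = @{}
    foreach ($p in $processes) { $byPid[[int]$p.Id] = $p }

    # Resolve the owner of each candidate process once; GetOwner needs the CIM instance.
    $owners = @{}
    Get-CimInstance Win32_Process | Where-Object { $byPid.ContainsKey([int]$_.ProcessId) } | ForEach-Object {
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $owners[[int]$_.ProcessId] = if ($o.User) { "$($o.Domain)\$($o.User)" } else { 'unknown' }
    }

    # Normalise TCP connections and UDP listeners into one shape.
    # IPv6 addresses are rendered unbracketed ("::1:53"), matching netstat -ano output.
    $endpoints = @(Get-NetTCPConnection | ForEach-Object {
        [PSCustomObject]@{
            Protocol = 'TCP'; Local = "$($_.LocalAddress):$($_.LocalPort)"; LocalPort = [int]$_.LocalPort
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"; RemotePort = [int]$_.RemotePort
            State = [string]$_.State; OwningProcess = [int]$_.OwningProcess
        }
    }) + @(Get-NetUDPEndpoint | ForEach-Object {
        [PSCustomObject]@{
            Protocol = 'UDP'; Local = "$($_.LocalAddress):$($_.LocalPort)"; LocalPort = [int]$_.LocalPort
            Remote = '*:*'; RemotePort = -1
            State = ''; OwningProcess = [int]$_.OwningProcess
        }
    })

    foreach ($e in $endpoints) {
        if (-not $byPid.ContainsKey($e.OwningProcess)) { continue }
        if ($PortNumbers -and ($PortNumbers -notcontains $e.LocalPort) -and ($PortNumbers -notcontains $e.RemotePort)) { continue }
        [PSCustomObject]@{
            ComputerName        = $env:COMPUTERNAME
            ProcessName         = $byPid[$e.OwningProcess].ProcessName
            PID                 = $e.OwningProcess
            Protocol            = $e.Protocol
            SourceEndpoint      = $e.Local
            DestinationEndpoint = $e.Remote
            ConnectionStatus    = $e.State
            ProcessOwner        = $owners[$e.OwningProcess]
        }
    }
}

# Usage, same shape as the script above:
Get-ProcessConnection -PortNumbers 80,443 | Format-Table -AutoSize
```

Because the function emits plain objects rather than formatted output, it can be pushed through Invoke-Command to remote hosts exactly as invokeGetProcessPorts does and the results sorted or exported afterwards.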

Previous Iterations:

# getProcessConnections.ps1
# version 0.0.2
#
# Description:
#   This script connects to a list of Windows machines to collect processes and their port utilization
#   This iteration includes information on the process owner(s)
#   Program needs to be further optimized
#
# Requirements:
#   WinRM connectivity is expected toward the list of computer names

$computerNames=$env:computername
$processNames='chrome'
$portNumbers=@(80,443,8080,8443)
function getProcessConnections{
    [cmdletbinding()]
    Param(
        [parameter(ValueFromPipeLine=$True)][AllowEmptyCollection()][string[]]$processNames=$null,
        [parameter(ValueFromPipeLine=$True)][AllowEmptyCollection()][string[]]$portNumbers=$null
        )
    # Initialize variables    
    $results = @()
    $netStat = if(!$portNumbers){
            write-host 'Port numbers were not defined. Program now scans all ports...' -ForegroundColor Yellow
            Netstat -ano
        }else{
            write-host "Checking connections on port(s) $portNumbers..."
            netstat -ano|?{$_ -match "\:($($portNumbers -join '|'))\s"}
        }
    $processes=if($processNames){
        write-host "Checking connections for process name(s): $processNames..."         
            Get-Process $processNames
        }else{                
            get-process
        }

    if($processes){
        write-host "Program now scans $($processes.count) process(es)..." -ForegroundColor Yellow
        foreach($process in $processes){
            $processOwner=Get-WmiObject Win32_Process -Filter "ProcessId='$($process.ID)'"|%{if($_.GetOwner().User){$_.GetOwner().Domain+"\"+$_.GetOwner().User}else{'unknown'}}|select -unique
            $matchedLines = $netStat|?{$_ -match "\s$($process.ID)\s*$"} # anchor on the trailing PID column; findstr would also match the PID inside IP addresses or other PIDs
            foreach($matchedLine in $matchedLines){                    
                $line = $matchedLine.Trim() -split '\s+' # split into Proto, Local, Foreign, [State], PID fields
                $leftCount = $line[1].LastIndexOf(':')
                $rightCount = $line[2].LastIndexOf(':')
                $sourceEndpoint=$line[1].SubString(0,$leftCount)+':'+$line[1].SubString($leftCount+1,($line[1].Length-$leftCount-1))
                $destinationEndpoint=$line[2].SubString(0,$rightCount)+':'+$line[2].SubString($rightCount+1,($line[2].Length-$rightCount-1))
                $results += [PSCustomObject]@{              
                    ProcessName  = $process.Name
                    PID = $process.ID
                    Protocol = $line[0]
                    SourceEndPoint = $sourceEndpoint
                    DestinationEndpoint = $destinationEndpoint
                    #LocalAddress = $line[1].SubString(0,$leftCount)
                    #LocalPort = $line[1].SubString($leftCount+1,($line[1].Length-$leftCount-1))
                    #RemoteAddress = $line[2].SubString(0,$rightCount)
                    #RemotePort = $line[2].SubString($rightCount+1,($line[2].Length-$rightCount-1))
                    ConnectionStatus = $(if(!($line[3] -match '\d')){$line[3]}) # Checking if the connection contains any empty string.
                    processOwner=$processOwner
                }
            }
        }            
    if($results){
        return $results|ft -AutoSize
    }elseif($processNames -and $portNumbers){
        write-host "$processNames not found on $portNumbers" -ForegroundColor Yellow
    }else{
        write-host "No processes matched." -ForegroundColor Yellow
    }
    }else{
        write-host "No processes matched." -ForegroundColor Yellow
        return $null
    }    
}

foreach ($computerName in $computerNames){
    invoke-command -ComputerName $computerName -scriptblock{
        param($importFunc,$x,$y)
        [scriptblock]::create($importFunc).invoke($x,$y)
    } -args ${function:getProcessConnections},$processNames,$portNumbers
}
# getProcessConnections.ps1
# version 0.0.1
# This function is expected to run on a Windows localhost session

function getProcessConnections{
    [cmdletbinding()]
    Param(
        [parameter(Mandatory=$False, ValueFromPipeLine=$True)][AllowEmptyCollection()]
        [string[]]$processNames=$null,
        [string[]]$portNumbers=$null
    )
    Begin{    
        $results = @()
        $netStat = if(!$portNumbers){
                write-host 'Port numbers were not defined. Program now scans all ports...' -ForegroundColor Yellow
                Netstat -ano
            }else{
                write-host "Checking connections on port(s) $portNumbers..."
                netstat -ano|?{$_ -match "\:($($portNumbers -join '|'))\s"}
            }
        $processes=if($processNames){
            write-host "Checking connections for process name(s): $processNames..."         
                Get-Process $processNames
            }else{
                write-host 'A process name has not been defined. Program now scans all processes...' -ForegroundColor Yellow
                get-process
            }
    }Process{
        if($processes){
            foreach($process in $processes){
                $matchedPorts = $netStat|?{$_ -match "\s$($process.ID)\s*$"} # anchor on the trailing PID column; findstr would also match the PID inside IP addresses or other PIDs
                foreach($matchedPort in $matchedPorts){                    
                    $line = $matchedPort.Trim() -split '\s+' # split into Proto, Local, Foreign, [State], PID fields
                    $leftCount = $line[1].LastIndexOf(':')
                    $rightCount = $line[2].LastIndexOf(':')
                    $sourceEndpoint=$line[1].SubString(0,$leftCount)+':'+$line[1].SubString($leftCount+1,($line[1].Length-$leftCount-1))
                    $destinationEndpoint=$line[2].SubString(0,$rightCount)+':'+$line[2].SubString($rightCount+1,($line[2].Length-$rightCount-1))
                    $results += [PSCustomObject]@{              
                        ProcessName  = $process.Name
                        PID = $process.ID
                        Protocol = $line[0]
                        SourceEndPoint = $sourceEndpoint
                        DestinationEndpoint = $destinationEndpoint
                        #LocalAddress = $line[1].SubString(0,$leftCount)
                        #LocalPort = $line[1].SubString($leftCount+1,($line[1].Length-$leftCount-1))
                        #RemoteAddress = $line[2].SubString(0,$rightCount)
                        #RemotePort = $line[2].SubString($rightCount+1,($line[2].Length-$rightCount-1))
                        ConnectionStatus = $(if(!($line[3] -match '\d')){$line[3]}) # Checking if the connection contains any empty string.
                    }
                }
            }            
        return $results|ft -AutoSize
        }else{
            write-host "No processes matched." -ForegroundColor Yellow
            return $null
        }
    }
}

getProcessConnections -portNumbers 80,443
getProcessConnections -processNames chrome

How to Install & Configure Pihole on Ubuntu 20.04

1. Installation
– Run these commands:

# sudo apt-get install gamin -y
sudo curl -sSL https://install.pi-hole.net | bash

– Possible problem: lighttpd service not running (when gamin has not been preinstalled)
– Fix: run these commands

sudo pihole uninstall
rambo@pihole:~$ sudo pihole uninstall
[?] Are you sure you would like to remove Pi-hole? [y/N] y
[✓] Root user check
[✓] Update local cache of available packages
[i] Existing PHP installation detected : PHP version 7.4.3
[i] Be sure to confirm if any dependencies should not be removed
[i] The following dependencies may have been added by the Pi-hole install:
dhcpcd5 git iproute2 whiptail dnsutils cron curl iputils-ping lsof netcat psmisc sudo unzip wget idn2 sqlite3 libcap2-bin dns-root-data libcap2 lighttpd php7.4-common php7.4-cgi php7.4-sqlite3 php7.4-xml php7.4-json php7.4-intl
[?] Do you wish to go through each dependency for removal? (Choosing No will leave all dependencies installed) [Y/n] n
[✓] Removed Web Interface
[✓] Removed /etc/cron.d/pihole
[✓] Removed lighttpd configs
[✓] Removed config files
[i] Removing pihole-FTL...Failed to stop pihole-FTL.service: Unit pihole-FTL.service not loaded.
sudo apt-get update -y
sudo apt-get upgrade -y
sudo apt purge lighttpd -y
#sudo pihole -r
#useradd -G pihole pihole
sudo apt-get install gamin -y
curl -sSL install.pi-hole.net | sudo bash
2. Follow the wizard to complete the installation

Hint: simply press Enter or <OK> repeatedly until reaching this screen

3. Configure firewall
# Adding firewall rules per pihole prerequisites https://docs.pi-hole.net/main/prerequisites/
# Note: TCP 4711-4720 are the pihole-FTL API ports; FTL binds them to localhost by default, so open them on INPUT only if a remote client genuinely needs them
#sudo iptables -I INPUT -p tcp --dport 53 -j ACCEPT
#sudo iptables -I INPUT -p udp --dport 53 -j ACCEPT
#sudo iptables -I INPUT -p udp --dport 67 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 4711 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 4712 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 4713 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 4714 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 4715 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 4716 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 4717 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 4718 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 4719 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 4720 -j ACCEPT
sudo ip6tables -I INPUT -p udp --dport 547 -j ACCEPT

# DHCP Server:
sudo iptables -I INPUT -p tcp --dport 67 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 67 -j ACCEPT

# DHCP client/relay
sudo iptables -I INPUT -p tcp --dport 68 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 68 -j ACCEPT

# DHCP Failover partners
sudo iptables -I INPUT -p tcp --dport 647 -j ACCEPT

# DNS
sudo iptables -I INPUT -p tcp --dport 53 -j ACCEPT

# Grant Pihole TCP:53 access to localhost
sudo iptables -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT

# Allowing all traffic from a certain subnet
sudo iptables -A INPUT -s 10.10.10.0/22 -j ACCEPT
# sudo iptables -D INPUT -s 10.10.10.0/22 -j ACCEPT # Reverse previous command

# Save firewall rules
sudo sh -c "iptables-save > /etc/iptables/rules.v4"
sudo sh -c "ip6tables-save > /etc/iptables/rules.v6"
# Fixing startup conflicts between iptables & netfilter-persistent
# sudo systemctl edit netfilter-persistent.service
sudo vim /etc/systemd/system/netfilter-persistent.service.d/iptables.conf
### Verify this content ###
[Unit]
Conflicts=iptables.service ip6tables.service

### Modify content and save file ###
[Unit]
After=iptables.service ip6tables.service ufw.service
4. Check service status
rambo@pihole:~$ service lighttpd status
● lighttpd.service - Lighttpd Daemon
Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-12-04 22:43:12 PST; 10min ago
Main PID: 32359 (lighttpd)
Tasks: 6 (limit: 4615)
Memory: 10.0M
CGroup: /system.slice/lighttpd.service
├─32359 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
├─32393 /usr/bin/php-cgi
├─32396 /usr/bin/php-cgi
├─32397 /usr/bin/php-cgi
├─32398 /usr/bin/php-cgi
└─32399 /usr/bin/php-cgi

Dec 04 22:43:12 pihole systemd[1]: Starting Lighttpd Daemon...
Dec 04 22:43:12 pihole systemd[1]: Started Lighttpd Daemon.
rambo@pihole:~$ service pihole* status
● pihole-FTL.service - LSB: pihole-FTL daemon
Loaded: loaded (/etc/init.d/pihole-FTL; generated)
Active: active (exited) since Fri 2020-12-04 22:43:14 PST; 18min ago
Docs: man:systemd-sysv-generator(8)
Process: 32518 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

Dec 04 22:43:14 pihole systemd[1]: Starting LSB: pihole-FTL daemon...
Dec 04 22:43:14 pihole pihole-FTL[32518]: Not running
Dec 04 22:43:14 pihole su[32536]: (to pihole) root on none
Dec 04 22:43:14 pihole su[32536]: pam_unix(su:session): session opened for user pihole by (uid=0)
Dec 04 22:43:14 pihole su[32536]: pam_unix(su:session): session closed for user pihole
Dec 04 22:43:14 pihole systemd[1]: Started LSB: pihole-FTL daemon.
5. Configuration
  • Pihole Control Panel:
    http://piholeServerIp/admin
  • Ad Lists:
    https://firebog.net
    https://hosts.oisd.nl
    https://github.com/mmotti/pihole-regex/blob/master/regex.list
  • Test
    dig @<piholeServerIp> blockedsite.com
  • Flush dns
    sudo systemd-resolve --flush-caches # Ubuntu
    service nscd restart # Redhat
    ipconfig /flushdns # Windows
  • Blacklist – regex blocks
    Youtube ads: .*sn-\S{4,}-\S{4,}\.googlevideo\.com
    Youtube.com: (\.|^)(youtu\.?be.*|googlevideo\.com)$
  • Change admin password
    sudo pihole -a -p
6. Troubleshooting
  • Issue: ‘DNS Service Not Running’
    Resolution 1: pihole checkout master
    Resolution 2: re-install pihole
      – Backup: pihole -a teleporter
      – Move backup file: copy the tar.gz file from the current directory ($(pwd)/*.tar.gz) to a desktop where an Internet browser is available for the restore step
      – Uninstall: pihole uninstall
      – Reinstall: sudo apt install pihole
      – Restore settings: Log into Pi-hole > Settings > Teleporter > Under Restore, click Choose File > pick the backup file in tar.gz format > Open > click Restore > OK
    Resolution 3: 
     – Run debug: pihole -d
     – Grant Pihole TCP:53 access to localhost: sudo iptables -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
    Resolution 4: Set the watchservice script to ensure that pihole is running at all times
  • Issue: unable to reach server via port 80
    Resolution: sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
  • Issue: Pihole service crashes at random times
    Resolution: create a service watcher script
7. How to create a Backup via command line:
cd ~/Desktop
pihole -a teleporter
ls ~/Desktop

How to Block Distracting Sites Such as Youtube and Hulu on Your Home Network

Overview:
  • You send a voice command ‘block youtube’ to Alexa, an Amazon personal assistant device
  • Alexa relays that command to IFTTT.com
  • IFTTT triggers a web call to your local Domain Name System (DNS) server called ‘pihole’
  • This web call must be configured at the router/firewall to pass traffic from IFTTT through the firewall to your local pihole server
  • Pihole receives the request and triggers blockyoutube.sh
  • Blockyoutube.sh contains the URLs and IPs of youtube.com that will configure pihole to delete any name-to-IP translation related to youtube.com
  • A set of computers on your network shall be configured to use the local ‘pihole’ server as their DNS
  • This can be set up at the Dynamic Host Configuration Protocol (DHCP) server
  • DHCP is often a function of the firewall or smart wireless devices such as Ubiquiti Unifi Controllers and Access Points
  • This DHCP tells all computers on the network what IP and DNS each should use
  • When a user computer asks its DNS server (pihole) about youtube.com, pihole will say ‘nowhere’
  • Youtube.com is effectively blocked on local computers via your voice command
Illustration:
  • To be documented…

A Simple Home Network Setup Using SonicWall & Ubiquiti Equipment

Overview:

Internet Service Providers terminate their wiring at the customer premises equipment (CPE), i.e. an Internet modem. From there, it’s up to the users to set up their network to suit their purposes. In this short article, we shall be observing a cogent design of a small network with emphasis on strong wireless fidelity (WiFi).

Network Topology:

Certain modems are combination units with wireless capabilities. If so, such WiFi functions should be disabled in favor of a more robust scheme. Hence, a single Ethernet cable would be used to connect such a modem to a non-wireless router. In this illustration, we’re using a router with virtual LAN (VLAN) capability. There shall be two VLANs to separate the ‘private’ network (VLAN ID 1) from a ‘guests’ network (VLAN ID 101). Although it’s conceivable that a downstream network switch could further segregate traffic by port numbers, that complication is beyond the scope of this illustration.

(1) Internet Modem (Motorola) <==> (2) Firewall (SonicWall) <==> (3) Gigabit Switch (Linksys)

The switching apparatus would connect directly to desktop/laptop computers to eliminate the requirement for WiFi. However, that is no longer a practical solution, as many home devices such as smart phones, tablets, TV boxes, surveillance cameras, and appliances connect wirelessly nowadays. Therefore, it’s necessary to construct this service using modestly priced Ubiquiti solutions. Herein, we would be running the ‘Unifi Controller’ software on a virtual server to control wireless access points and range extenders.

Gigabit Switch:
<=> Mini Server with VMware
<=> Unifi Controller (Ubuntu Server with Unifi Controller App)
<=> Ubiquiti Access Point (UAP-AC-Pro)
<=> Ubiquiti Wifi Extender (UAP-BeaconHD)

High-level view of tasks:

1. Connect modem to router
2. Connect router to switch(es)
3. Connect switch(es) to Wireless AP and Virtual Server
4. Connect Wireless Access Point
5. Connect Wireless Range Extender
6. Install Linux (Ubuntu) OS onto server
7. Install Wireless Controller Application on a server
8. Configure router to create 2 VLANs
9. Configure Wireless Controller

Some quick instructions:
How to Add VLANs to Sonicwall

Authenticate into Firewall > Navigate to Network > Interfaces > click Add Interface > Input values for Zone, VLAN Tag, Parent Interface, Mode, IP Address, Subnet Mask

Repeat adding interface for each new VLAN

Navigate to Network > DHCP Server > click Add Dynamic > Input values to create two DHCP ranges shown below

How to Configure Unifi Controller

Installation of this software is detailed in this blog.

To ‘adopt’ wireless access points (APs), authenticate to Unifi Controller > Navigate to Devices > click on any device that has the ‘adopt’ link highlighted (if any) > wait for the process to complete

To create a Guests network, navigate to Settings > Networks > Create New Network > input values as illustrated below

Navigate to https://IP.Address.Of.Unifi/manage/site/default/v2/settings/advanced/gateway/dhcp/form > click on DHCP > Add > input the IP address of the VLAN gateway virtual interface as created in prior instructions > Save when ready

Navigate to User Groups > Create New User Group > Input values shown below

Navigate to Wireless Networks > Create New Wireless Network > Input values similar to these > click Save when done > click Devices to observe provisioning progress of the new settings to all connected APs

Internet Explorer: Can’t connect securely to this page – Google Chrome: This site can’t be reached

Symptom:

Test Site: https://drive.google.com

Internet Explorer:

Can't connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner.

Chrome:

This site can't be reached
The connection was reset.
Try:
* Checking the connection
* Checking the proxy and the firewall
* Running Windows Network Diagnostics

ERR_CONNECTION_RESET

PowerShell:

PS C:\Users\testUser> wget drive.google.com
wget : The underlying connection was closed: An unexpected error occurred on a receive.
At line:1 char:1
+ wget drive.google.com
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
eption
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Fix Option #1:
PS C:\Users\testUser> Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
PS C:\Users\testUser> Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
PS C:\Users\testUser> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS C:\Users\testUser> (wget drive.google.com).StatusCode -eq 200
True / False
Fix Option #2:

inetcpl.cpl > Advanced > Reset > OK

Fix Option #3:
netsh winsock reset
netsh int IP reset
ipconfig /release
ipconfig /renew
ipconfig /flushdns
Fix Option #4:

Run ncpa.cpl > Properties > double-click ‘Internet Protocol Version 4 (TCP/IPv4)’ > use Google DNS 8.8.8.8, 8.8.4.4 or OpenDNS 10.161.202.61, 10.161.201.62 > OK > OK

Fix Option #5:

Set the gateway or edge firewall to enable Google docs, Google Drive, and Google Cloud applications from the source (either single node or entire subnet) toward the ‘Untrust’/’Internet’ zone with ‘any’/* destination.
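As an added example (not part of the original post), the following PowerShell audits the state that Fix Option #1 changes before anyone touches the registry: it reads the SchUseStrongCrypto value from both the 64-bit and the Wow6432Node .NET 4 keys named in that fix, reads the related SystemDefaultTlsVersions value that Microsoft's .NET TLS guidance sets alongside it, and probes the test site with TLS 1.2 forced for the duration of the probe only. The function names are this example's own; the registry paths and value names are the real ones.

```powershell
function Get-DotNetStrongCryptoState {
    # Both hives matter: a 32-bit .NET process reads the Wow6432Node copy.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Path                     = $path
            SchUseStrongCrypto       = if ($null -ne $item.SchUseStrongCrypto) { [int]$item.SchUseStrongCrypto } else { 'not set' }
            SystemDefaultTlsVersions = if ($null -ne $item.SystemDefaultTlsVersions) { [int]$item.SystemDefaultTlsVersions } else { 'not set' }
        }
    }
}

function Test-Tls12Reachable {
    param([Parameter(Mandatory = $true)][string]$Url)
    # Snapshot the session-wide setting so the probe does not leave it altered.
    $original = [Net.ServicePointManager]::SecurityProtocol
    try {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        [PSCustomObject]@{ Url = $Url; Tls12Ok = ($response.StatusCode -eq 200); Error = $null }
    } catch {
        # A reset during the handshake shows up here, as in the wget output above.
        [PSCustomObject]@{ Url = $Url; Tls12Ok = $false; Error = $_.Exception.Message }
    } finally {
        [Net.ServicePointManager]::SecurityProtocol = $original
    }
}

# Usage: run before and after applying Fix Option #1 and compare.
Get-DotNetStrongCryptoState | Format-Table -AutoSize
'Session protocols currently offered: {0}' -f [Net.ServicePointManager]::SecurityProtocol
Test-Tls12Reachable -Url 'https://drive.google.com'
```

If the probe succeeds only while TLS 1.2 is forced, the machine's .NET defaults are the problem rather than the network path. Setting SystemDefaultTlsVersions=1 together with SchUseStrongCrypto=1 lets the operating system's Schannel policy choose the protocol, which ages better than hard-coding Tls12 in every script.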


Querying Internal DNS for Host Record for iDRAC IPs

Copy / Paste for quick results:

$domain='hooli.com'
$records=Get-DnsServerResourceRecord -ZoneName $domain -ComputerName $env:USERDNSDOMAIN
$records|?{$_.HostName -like '*drac*' -and $_.RecordType -eq 'A'}

# Sample Output:
HostName RecordType Timestamp TimeToLive RecordData
-------- ---------- --------- ---------- ----------
IRV-SRV01DRAC A 10/21/2012 5:00:0... 00:15:00 55.55.55.55
IRV-SRV02DRAC A 10/22/2012 3:00:0... 00:15:00 55.55.55.56

Issue: Unable to Access Corp Intranet While Connected to Satellite Office Network VS Can Access When Connected to Corp VPN

Step 1: obtain information from DNS servers differences between VPN vs Non-VPN connections

Obtain network info while CONNECTED to VPN

PS C:\Windows\system32> nslookup fileserver01.hooli.com
================================================================
Server: vpndns007.hooli.com
Address: 007.007.007.007
Non-authoritative answer:
Name: fileserver01.hooli.com
Address: 006.006.006.006
PS C:\Windows\system32> route print 6.6.0.0
===========================================================================
Interface List
8...00 09 0f aa 00 01 ......Fortinet SSL VPN Virtual Ethernet Adapter
9...00 0c 29 7a 20 5e ......Intel(R) 82574L Gigabit Network Connection
7...00 09 0f fe 00 01 ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
1...........................Software Loopback Interface 1
22...c2 15 b9 3d 9b a9 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
6.6.0.0 255.255.0.0 6.6.254.254 006.006.254.185 1
===========================================================================

Obtain network info while NOT on VPN

PS C:\Windows\system32> nslookup fileserver01.hooli.com
===========================================================================
Server: UnKnown
Address: 500.500.500.500
Non-authoritative answer:
Name: fileserver01.hooli.com
Address: 006.006.006.006
PS C:\Windows\system32> route print 6.6.0.0
===========================================================================
Interface List
8...00 09 0f aa 00 01 ......Fortinet SSL VPN Virtual Ethernet Adapter
9...00 0c 29 7a 20 5e ......Intel(R) 82574L Gigabit Network Connection
7...00 09 0f fe 00 01 ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
1...........................Software Loopback Interface 1
22...c2 15 b9 3d 9b a9 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
NONE
===========================================================================

Step 2: Interpret the output of previous step

From these outputs, the VPN DNS server and the non-VPN DNS server return the same address for the target node. However, the non-VPN connection is missing the route toward that target. Therefore, the fix is to add a route at the satellite office’s gateway toward the target’s network.
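As an added example (not part of the original post), the two-step comparison above can be captured as one reusable check: for a target host it resolves the address and then asks Windows which route would carry traffic to it, flagging the case where only the default route matches. Running it once on VPN and once off VPN gives two objects to diff instead of two screenfuls of nslookup and route print. The function and its property names are this example's own; it relies on the built-in Resolve-DnsName and Find-NetRoute cmdlets.

```powershell
function Get-PathDiagnosis {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$DnsServer   # optional: query a specific resolver, as nslookup did above
    )
    $dnsArgs = @{ Name = $HostName; Type = 'A'; ErrorAction = 'Stop' }
    if ($DnsServer) { $dnsArgs.Server = $DnsServer }
    try {
        $answer = Resolve-DnsName @dnsArgs | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    } catch {
        return [PSCustomObject]@{
            HostName = $HostName; ResolvedAddress = $null; Route = $null; NextHop = $null; Interface = $null
            Verdict  = "DNS failure: $($_.Exception.Message)"
        }
    }
    $ip = $answer.IPAddress

    # Find-NetRoute emits the selected source address first and the matching route entry second;
    # keep only the object that carries DestinationPrefix.
    $route = Find-NetRoute -RemoteIPAddress $ip -ErrorAction SilentlyContinue |
             Where-Object { $_.PSObject.Properties.Name -contains 'DestinationPrefix' } |
             Select-Object -First 1

    $verdict = if (-not $route) {
        'no route at all'
    } elseif ($route.DestinationPrefix -eq '0.0.0.0/0') {
        'only the default route matches: traffic leaves via the default gateway (the off-VPN symptom above)'
    } else {
        'specific route present'
    }
    [PSCustomObject]@{
        HostName        = $HostName
        ResolvedAddress = $ip
        Route           = if ($route) { $route.DestinationPrefix } else { $null }
        NextHop         = if ($route) { $route.NextHop } else { $null }
        Interface       = if ($route) { $route.InterfaceAlias } else { $null }
        Verdict         = $verdict
    }
}

# Usage: capture one object per connection state and compare them.
Get-PathDiagnosis -HostName 'fileserver01.hooli.com'
```

Note that route print 6.6.0.0 in Step 1 only lists routes whose destination matches that prefix, which is why it printed NONE off VPN even though a default route existed; the check above makes that distinction explicit in its Verdict.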

Virtual Machine Queue: Assigning Processors to Network Interfaces

Microsoft Hyper-V Virtual Machine Queuing is useful to maximize high-bandwidth network cards. However, configuring this feature correctly can be a challenge. In brief, here are some recommendations:

  • Use the right adapter and driver: avoid Broadcom and older NICs.
  • Assign enough processors to match the desired bandwidth. A rule of thumb is that each processor core can handle about 3Gbps; thus, a 10Gbps NIC requires at least 4 cores to account for those cores being shared with system processes.

Common Network Adapter Information Gathering Commands:
get-netadaptervmq
get-netadaptervmq|select name,MaxProcessorNumber
get-vmhostnumanode
get-netAdapterHardwareInfo
Get-NetAdapterVmqQueue


Basic VMQ setting command:
Set-NetAdapterVmq -Name ‘Ethernet X’ -Enabled $True
Set-NetAdapterVmq -Name ‘Ethernet X’ -Enabled $False

# AssignProcessorToNic.ps1

# Assigning a NIC to certain Processor
$coresCount=$(get-WMIObject Win32_Processor | measure-object -Property NumberOfCores -sum).Sum
$processorsCount=(Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
$isHyperThreadingEnabled=$processorsCount -gt $coresCount  
$availableProcessors=$processorsCount-1
$10GPhysicalNics=Get-NetAdapter -Physical|?{$_.LinkSpeed -match '^(\d+)\s*Gbps' -and [int]$matches[1] -ge 10} # check the unit as well: a '100 Mbps' adapter would otherwise pass a bare numeric test
#$10GPhysicalNics=Get-NetAdapter|?{$_.LinkSpeed -match '^(\d+)\s*Gbps' -and [int]$matches[1] -ge 10}
$maxProcessorsPerNic=[math]::ceiling($availableProcessors/@($10GPhysicalNics).Count)
$initialProcessorNumber=1
foreach ($10GNic in $10GPhysicalNics){
    $10GNicName=$10GNic.Name
    $maxProcessors=.{
        $minRecommended=[math]::ceiling([int]($10GNic.LinkSpeed -replace '\D+')/3);        
        if($maxProcessorsPerNic -gt $minRecommended){
            $value=$maxProcessorsPerNic
        }else{
            $value=$minRecommended
        }
        if($isHyperThreadingEnabled){
            if($value%2 -eq 0){$value}else{$value+1} # even count when Hyper-Threading is on (see explanation below)
        }else{
            $value # non-HT hosts use the value as-is
        }
        }
	$command="Set-NetAdapterVmq -name '$10GNicName' -BaseProcessorNumber $initialProcessorNumber -MaxProcessorNumber $($initialProcessorNumber+$maxProcessors-1) -MaxProcessors $maxProcessors"
	write-host $command
	pause
	#invoke-expression $command	
    $initialProcessorNumber+=$maxProcessors
    Get-NetAdapterVmq -name $10GNicName
}
<#
Error:
Set-NetAdapterVmq : No matching keyword value found. The following are valid keyword values: 1, 2, 4, 8, 16
At line:1 char:1
+ Set-NetAdapterVmq -name 'Ethernet' -BaseProcessorNumber 1 -MaxProce ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (MSFT_NetAdapter...1FD6A0017D60}"):ROOT/StandardCi...rVmqSettingData) [Set-NetAdap
   terVmq], CimException
    + FullyQualifiedErrorId : Windows System Error 87,Set-NetAdapterVmq

Get-NetAdapterVmq : No MSFT_NetAdapterVmqSettingData objects found with property 'Name' equal to '$10GNicName'.  Verify the value
of the property and retry.
At line:15 char:5
+     Get-NetAdapterVmq -name '$10GNicName'
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: ($10GNicName:String) [Get-NetAdapterVmq], CimJobException
    + FullyQualifiedErrorId : CmdletizationQuery_NotFound_Name,Get-NetAdapterVmq

Explanation:
VMQ ignores Hyper-Threaded cores. Thus, on systems where HT is enabled, the CPU core number must be set to an
even number, whereas on HT-disabled systems odd numbers can be assigned.

$cpuObject=get-WMIObject Win32_Processor
$isHyperThreadingEnabled=($cpuObject|measure-object -Property NumberOfLogicalProcessors -sum).Sum -gt $($cpuObject | measure-object -Property NumberOfCores -sum).Sum
#>
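As an added example (not part of AssignProcessorToNic.ps1 above), here is a dry-run planner for the same processor layout. It folds in the two constraints that the error output and explanation above document: Set-NetAdapterVmq accepts only 1, 2, 4, 8 or 16 for -MaxProcessors, so the requested count is rounded to a power of two; and with Hyper-Threading enabled only one logical processor per physical core is used for VMQ, so each NIC's base processor is placed on an even number and the range is widened to step over the sibling threads. Processor 0 is left for the host. The function returns the plan and the Set-NetAdapterVmq command it would run without applying anything. The function and parameter names are this example's own; the core counts are parameters so the logic can be exercised with constructed values, and the sample call at the end uses constructed numbers rather than a real host.

```powershell
function Get-VmqProcessorPlan {
    param(
        [Parameter(Mandatory = $true)][int]$LogicalProcessors,   # e.g. (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
        [Parameter(Mandatory = $true)][int]$PhysicalCores,       # e.g. (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
        [Parameter(Mandatory = $true)][string[]]$NicNames,
        [int]$LinkSpeedGbps = 10,
        [int]$GbpsPerCore   = 3                                  # rule of thumb quoted in the article
    )
    # Power-of-two helpers implemented with loops so no floating-point log rounding is involved.
    function Get-PowerOfTwoAtMost([int]$n)  { $p = 1; while ($p * 2 -le $n) { $p *= 2 }; $p }
    function Get-PowerOfTwoAtLeast([int]$n) { $p = 1; while ($p -lt $n) { $p *= 2 }; $p }

    $htEnabled = $LogicalProcessors -gt $PhysicalCores
    $step      = if ($htEnabled) { 2 } else { 1 }               # distance between usable logical processors
    # Usable cores after reserving processor 0 (and its sibling when HT is on).
    $usableCores    = [int][math]::Floor(($LogicalProcessors - $step) / $step)
    $minRecommended = [int][math]::Ceiling($LinkSpeedGbps / $GbpsPerCore)
    $share          = [int][math]::Floor($usableCores / $NicNames.Count)
    # Largest power of two that fits each NIC's share, but never below the bandwidth minimum, capped at 16.
    $maxProcessors = [math]::Min(16, [math]::Max((Get-PowerOfTwoAtMost $share), (Get-PowerOfTwoAtLeast $minRecommended)))

    $base = $step
    foreach ($nic in $NicNames) {
        $lastProc = $base + ($maxProcessors - 1) * $step
        [PSCustomObject]@{
            Name                = $nic
            BaseProcessorNumber = $base
            MaxProcessorNumber  = $lastProc
            MaxProcessors       = [int]$maxProcessors
            HyperThreading      = $htEnabled
            FitsOnHost          = ($lastProc -le ($LogicalProcessors - 1))   # false means the host cannot honour the minimum
            Command             = "Set-NetAdapterVmq -Name '$nic' -BaseProcessorNumber $base -MaxProcessorNumber $lastProc -MaxProcessors $([int]$maxProcessors)"
        }
        $base = $lastProc + $step
    }
}

# Constructed sample: 2 sockets x 8 cores with HT (32 logical processors) and two 10G NICs.
Get-VmqProcessorPlan -LogicalProcessors 32 -PhysicalCores 16 -NicNames 'Ethernet 1','Ethernet 2' | Format-Table -AutoSize
```

With the constructed sample the planner gives each NIC four processors, the minimum the article's 3Gbps-per-core rule requires for 10Gbps, placed on even logical processors 2-8 and 10-16. When FitsOnHost comes back false the host simply has too few cores for the requested NICs, which is the situation to fix before running any Set-NetAdapterVmq command.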