Jul 24 / thebrotherswisp

TheBrothersWISP 29 – Buying Towers, Mikrotik Changelog, CapsMan

***Warning*** Greg has mic issues, so please forgive the quality. It will be repaired for the next show.

Greg, Alex, Tomas, Mike (only for a moment, unfortunately), and guest Quincy talk today about:
Purchasing old towers
Mikrotik changes(the good and the bad)
Mikrotik CapsMan

To see the video please visit the link below!!!

Jul 22 / Greg

Cool Siemon LC Fiber Connectors

I had the opportunity to play with a Siemon LC connector recently and found it quite clever.

Not only does it have an innovative way to remove a connector by pulling on the connector body, but it also allows you to simply and quickly swap transmit and receive on the connector without having to break it apart. Have a quick look at the following video.

Jul 10 / thebrotherswisp

TheBrothersWISP Unimus – Mikrotik Plus More Backup System

Greg, Mike, Tomas, and Tom talk about Unimus, Tomas’ new backup application for network equipment. It’s dead simple, so you no longer have an excuse NOT to have proper backups for your infrastructure. It’s the “up and running in less than 10 minutes” system!

To see the video please visit the link below!!!

Jun 14 / thebrotherswisp

TheBrothersWISP 28 – Mimosa, IgniteNet, SSL With Lets Encrypt

Mike, Miller, and Tomas (how sad, no Greg) talk about staples, wireless headsets, new Mikrotik ROS releases, new Mimosa, new IgniteNet, and SSL certificates via Let’s Encrypt.

To see the video please visit the link below!!!

Jun 4 / Greg

Mikrotik Firewall Raw Feature Test

While talking about doing a podcast on DoS protection it was brought to my attention that Mikrotik added a new firewall feature (Raw). Raw is a mechanism to drop traffic in the router less granularly, but more efficiently.

Raw is configured similarly to a standard firewall rule, but it will drop traffic BEFORE it has an opportunity to hit the connection tracking table. In the packet flow diagram you will see it juuuust before connection tracking. It has two chains: prerouting and output.

My testing consists of a nice low-powered RB750 running 6.36rc21 (this is the first version with the Raw feature). I wanted a nice low-powered single-processor device so I wouldn’t have to push it too hard to see results.

My traffic generator is Hyenae running a TCP SYN attack. This was my first time using Hyenae, and I was delighted with the results. It runs pretty cleanly and can generate a whole host of attacks…I actually had to set a fixed send delay because it was tipping the 750 over hehehe. The one thing I didn’t understand was the destination/source pattern settings.

It defaults to %-%@80.
The first % sign is a wildcard that says “randomly generate a MAC address”.
The second % sign says “randomly generate an IP address”, and the @80 means use port 80.
For example, you could set a MAC address and IP like so: 00:00:00:00:00:01-1.1.1.1@80
You can see in my example below that I attacked my router directly by specifying its IP and didn’t worry about the MAC.

raw1

The Raw option can be found in “/ip firewall raw”. It’s also already in winbox at the same location:

raw2

For my testing I DoS’d the router with a SYN attack to port 80. I created a Raw rule and a standard Filter rule.
My Raw rule is:

/ip firewall raw
add action=drop chain=prerouting disabled=yes dst-port=80 log=no log-prefix="" \
    protocol=tcp

raw3
raw4

Then I created my Filter rule on the input chain…input because the traffic is destined TO the router.

/ip firewall filter
add action=drop chain=input disabled=no dst-port=80 log=no log-prefix="" protocol=tcp

raw5
raw6

When you start looking at the Raw command you will immediately notice there are a lot of knobs that are missing. I’m no rocket surgeon, but I assume it is due to doing the filtering so early in the system, before connection tracking has populated the fields those knobs match on. Here’s a side-by-side of just the initial screen (Filter on the left, Raw on the right):

raw7

Now for the quick test. I start with both rules enabled. Since the Raw rule matches first, the Filter rule is never hit, as its packet counter shows. With the Raw rule enabled we are averaging about 5% CPU:

raw8

I then disable the Raw rule and let the Filter rule take over:

raw9

As you can see, the Filter rule is averaging about 13% CPU.

Conclusion

The Raw rule in my basic testing shows around an 8% savings in CPU over a standard Filter rule. I’ve also heard reports of six-fold savings on the CCR platform! As described to me, this can be an invaluable tool during DoS/DDoS attacks. It could be the difference between your router tipping over from the attack or hanging on and keeping you online.

This Raw system can also still be pretty flexible, since it can utilize address-lists populated by the Mangle or Filter systems. Once this gets ported to a stable version I plan to make some adjustments to my basic firewall scripts to take advantage of the Raw system. I’m not sure of any other implications (does this affect FastPath or queuing…I don’t know?!?!)
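Here is one way the address-list combination can work, as an added example that is not from the original post or any of the author’s scripts. The idea is the one described above: a Filter rule (which runs after connection tracking and therefore can count connections) tags abusive sources into a dynamic address-list, and a Raw rule then drops anything from that list before it reaches connection tracking, which is where the CPU saving measured above comes from. The list name “http-flooders”, the 50-connection threshold and the one-minute timeout are my own choices, not values from the article, and the rules assume the usual accept rules for management traffic already sit above them in the input chain.

```routeros
# Added example: Raw + address-list (not the article's own configuration).
# Assumed names/values: list "http-flooders", threshold 50, timeout 1m.

# 1. Filter still sees every flow the Raw rules let through. Tag any single
#    source (/32) that holds more than 50 concurrent connections to port 80.
#    add-src-to-address-list is a passthrough action, so this rule does not
#    by itself drop anything; it only populates the list.
/ip firewall filter
add chain=input protocol=tcp dst-port=80 connection-state=new \
    connection-limit=50,32 action=add-src-to-address-list \
    address-list=http-flooders address-list-timeout=1m \
    comment="tag sources exceeding 50 concurrent port-80 connections"

# 2. Raw runs before connection tracking, so once a source is on the list
#    every further packet from it is discarded without a conntrack lookup.
#    prerouting covers traffic to the router and traffic forwarded through it.
/ip firewall raw
add chain=prerouting src-address-list=http-flooders action=drop \
    comment="drop listed sources before connection tracking"

# 3. Checks: who is currently listed, which rule is taking the hits,
#    and a one-shot CPU sample to compare against the numbers above.
/ip firewall address-list print where list=http-flooders
/ip firewall raw print stats
/ip firewall filter print stats
/system resource monitor once
```

The first few packets from a new source always pass the Raw rule (it is not listed yet), reach the Filter rule, and are counted there; only after the threshold is crossed does the Raw drop take over. Because the entries are dynamic and time out, a source that stops flooding is released automatically, and anything on a permanent allow list should be exempted from the tagging rule so a misbehaving internal host cannot lock itself out of the router.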

Let me know what you guys think…how do you see yourself utilizing this in your networks?

May 31 / thebrotherswisp

TheBrothersWISP – Ubiquiti Exploit – Security Best Practices

Mike, Greg, Miller, and Tomas talk about the recent Ubiquiti exploit (stuff happens, right) and some best practices for securing your network. Mike gives some in-depth details on what happened, and we talk about ways to mitigate.

To see the video please visit the link below!!!

May 22 / Greg

FreePBX 13 And Web Meet-me

I’ve been running an install of web meet-me on an ancient version of trixbox. Unfortunately it locks up pretty regularly, though nothing shows up in the logs…it just likes to stop working. I finally had enough and decided to do a new install. I couldn’t find an easy appliance with it installed and ready to go, so I decided to start from scratch. You can reference my original article to see how I configured the CallManager side.

From scratch equates to me installing FreePBX 13. I threw it into a VM with a couple of gigs of RAM and about 20GB of disk. Since FreePBX is a bootable ISO it’s a cinch to install…it does all of the work for you!

After getting this installed, IP’d, and updated, I started working on the install of web meet-me…and man was it a pain in the butt.

Change the conference system to meetme:
FreePBX => Settings => Advanced Settings
Change “Conference Room App” to “app_meetme”.
meetme3

The readme included with web meet-me is pretty helpful, and will get you most of the way there.
The line “meetme => odbc,meetme,booking” didn’t actually need to be added to make it work, though.
In MySQL I added the database:

create database meetme;

Then import the database files and add permissions for a user:

mysql < db-table-create-v7.txt
mysql < db-admin-user-create.txt
mysql
CREATE USER 'meetme'@'localhost' IDENTIFIED BY 'MyPassword';
GRANT ALL PRIVILEGES ON *.* TO 'meetme'@'localhost'
WITH GRANT OPTION;
FLUSH PRIVILEGES;

If you get an error 500 when browsing to the page, you will need to edit the “/var/www/html/web-meetme/lib/defines.php” file. Change this at the end:

<?
}
 
?>

to this:

<?php
}
 
?>

Next, edit your custom extension file (/etc/asterisk/extensions_custom.conf):

;
;
;
;
;
;
 
;
;
;
;
;
;
 
[conferences]
include => ext-meetme;
exten => s,1,Answer
exten => s,n,Wait(1)
exten => s,n,Playback(welcome);
exten => s,n,Goto(STARTMEETME,1)

You now need to add a custom destination for the meetme:
Admin => Custom Destination => Add
meetme1

Next create an inbound route to send everything to the meetme:
Connectivity => Inbound Routes => Add
meetme2

Now I created a trunk to my CallManager server. I hit a brick wall for a while trying to create a trunk using type “chan_sip”. Unfortunately it won’t come up. Once I finally switched to “chan_pjsip” everything started working. I wasted so much time on this. To test my CallManager trunk I tried calling over while watching the log file on the FreePBX server with “tail -f /var/log/asterisk/full”. This will spit out plenty of messages. If you are having issues you will see the “Endpoint not registered” message cycling. For the pjsip trunk, you should only need to put the IP in the PJSIP section’s “SIP Server” field.

I found this tutorial that helped my install process. You can reference this article for additional details.

On a side note, until I added a random conference in the conference section, I just couldn’t get everything going:
Applications => Conferences

This took way longer than it should have. I was chasing my tail on the trunk for a while, but the web meetme is also a little wacky to configure. Good luck, and I hope this helps guys.