— pissing into the wind

Not much changed this week. I’m still in a sling, not using my arm as much as possible. The numbness is still there. I can’t tell if it’s getting better. The blood spots from surgery have cleared up significantly and it doesn’t look anywhere near as hideous as it did when I got the splint removed 4 days ago. My arm is pretty sore when I wake up, but it usually clears up by the time I finish my first cup of coffee in the morning.

Read More

I tore my left distal bicep on July 26 and had repair surgery on it on the 29th. I’m going to document my recovery here to track progress.

There’s a lot of good info here.

This is the day after. The bruising wasn’t initially there. I’m trying to highlight how you can see the tendon has detached from the bone.

I can’t say much about my surgical experience as I was put under and have a 4 hour gap when the surgery took place. The most common procedure for this type of injury involves making an incision in your forearm, reaching up into the bicep to pull the muscle back down, drilling a hole in your forearm, and then inserting the tendon into the bone. According to the surgeon, everything went well. I’ll have to take his word for it. My medical bill was $36K, but after insurance I was on the hook for only $2K.

After the surgery, I was in a splint and sling until my follow-up appointment about a week and a half later. The main concerns at this point are to keep all pressure off the arm and keep it dry. You want to give the reattached bicep time to heal properly. DO NOT USE THE ARM. Thankfully, my wife helped me out quite a bit. It was pretty humbling to have to ask for help for things like soaping my armpit in the shower.

The day after surgery

The splint was removed on August 9, but I’m in the sling for a while longer. The doctor wants me to try slowly extending the arm several times a day but keep it in the sling otherwise. At this point I can use the arm to lift no more than a cup of coffee. There’s a numbness on the thumb side of my forearm from below the incision to about where my thumb begins on the back of my hand. It just feels like I got local anesthesia in the area. This is a common condition post-surgery as a nerve in the area is stretched during the procedure. My grip felt weak when I first got the splint off, but feels normal now. I cannot move my left arm in a palm up position and fully extending the arm is out of the question.

Splint off!

I can’t flex my injured bicep and it is noticeably flatter. My tricep looks to be totally disengaged as well.

Injured arm (obviously)
Normal arm

Read More

Recently noticed time skew across my workstations and servers at home and put together a Stratum-1 NTP server for the local network using the Adafruit Ultimate GPS hat and an RPi 4. I’ll post the write up later. In the meantime, here are the commands I’m using to point all the rest of my RPis at the NTP servers for the local network:

sudo timedatectl set-timezone America/Chicago
sudo timedatectl set-ntp true
sudo bash -c 'echo "NTP=tick.guammie.local tock.guammie.local" >> /etc/systemd/timesyncd.conf'
sudo systemctl restart systemd-timesyncd

You can check and validate with these commands:

timedatectl timesync-status
timedatectl show-timesync
systemctl status systemd-timesyncd
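Once every box points at the local Stratum-1, the thing worth checking across the fleet is whether each clock actually converged: Kerberos tickets stop validating at five minutes of skew, TLS validity windows and log timestamps depend on the local clock, and a host that quietly fell back to a bad upstream looks fine until something breaks. The script below is an added example, not part of the original post: it parses the key/value layout of `timedatectl timesync-status` and flags hosts whose offset or stratum is out of bounds. The two status samples are constructed (hostnames and values invented), and the 0.5 s offset and stratum 3 thresholds are hypothetical defaults.

```python
import re

# Seconds per unit in the timespans systemd prints ("1min 4s", "-1.234ms", "15.134us").
UNIT_SECONDS = {
    "µs": 1e-6, "us": 1e-6, "ms": 1e-3, "s": 1.0,
    "min": 60.0, "h": 3600.0, "d": 86400.0,
}
TIMESPAN_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(µs|us|ms|s|min|h|d)")

# Constructed sample modelled on `timedatectl timesync-status` output from a host
# synced to a local GPS-backed server; not captured from any real machine.
SAMPLE_OK = """\
       Server: 192.168.1.10 (tick.guammie.local)
Poll interval: 1min 4s (min: 32s; max 34min 8s)
         Leap: normal
      Version: 4
      Stratum: 1
    Reference: GPS
    Precision: 1us (-20)
Root distance: 15.134us (max: 5s)
       Offset: -1.234ms
        Delay: 1.456ms
       Jitter: 320us
 Packet count: 12
    Frequency: -7.341ppm
"""

# Constructed sample of a host that drifted onto a distant, poor-quality upstream.
SAMPLE_SKEWED = """\
       Server: 203.0.113.7 (ntp.example.invalid)
Poll interval: 34min 8s (min: 32s; max 34min 8s)
         Leap: normal
      Version: 4
      Stratum: 4
    Reference: 198.51.100.1
    Precision: 1us (-20)
Root distance: 120ms (max: 5s)
       Offset: +6.2s
        Delay: 95.2ms
       Jitter: 4.1ms
 Packet count: 3
    Frequency: +41.9ppm
"""


def timespan_to_seconds(text):
    """Convert a systemd-style timespan such as '-1.234ms' or '1min 4s' to float seconds."""
    text = text.strip()
    sign = -1.0 if text.startswith("-") else 1.0
    total = 0.0
    for value, unit in TIMESPAN_TOKEN.findall(text.lstrip("+-")):
        total += float(value) * UNIT_SECONDS[unit]
    return sign * total


def parse_timesync_status(output):
    """Turn the 'Key: value' lines of `timedatectl timesync-status` into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_timesync(fields, max_offset_s=0.5, max_stratum=3):
    """Return a list of findings; an empty list means the clock passes both thresholds.

    The defaults are hypothetical: pick an offset limit well under the 5 minute
    Kerberos tolerance, and a stratum limit that only a local server can satisfy."""
    if "Offset" not in fields:
        return ["no Offset field: timesyncd has not synchronised with any server"]
    findings = []
    offset = timespan_to_seconds(fields["Offset"])
    if abs(offset) > max_offset_s:
        findings.append(f"clock offset {offset:+.3f}s exceeds {max_offset_s}s")
    stratum = int(fields.get("Stratum", "16"))  # 16 is NTP's 'unsynchronised'
    if stratum > max_stratum:
        findings.append(f"stratum {stratum} exceeds {max_stratum}; check which upstream the host picked")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("skewed", SAMPLE_SKEWED)):
        print(name, check_timesync(parse_timesync_status(sample)) or "OK")
```

On a real host, feed `check_timesync` the stdout of `subprocess.run(["timedatectl", "timesync-status"], capture_output=True, text=True)` instead of the embedded samples; run it from cron or your monitoring agent and alert on a non-empty list.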

Read More

Migrated to a new web host today and everything went pretty smoothly. Used the Duplicator plugin to move the blog over. I ended up having to get the pro version because I set this up as multisite a long time ago when there were multiple users. It was only $79, worked flawlessly, and saved me a lot of time and headache, so money well spent to me.

Read More

Let me start by saying this:  I hate VCSA 6.5.  I hate the fact that I have to use Flash (which EVERYONE is dropping support for) to manage my enterprise environment.  Flash and Java… good riddance.  I didn’t even realize I didn’t have Flash installed until I had to manage this stupid thing and needed the plugin for IE11.

I recently upgraded(?) my Windows vCenter 6.0 installation to VCSA 6.5.  I couldn’t get the migration to work and this is just at home, so I did a clean install, recreated my 6.0 environment, and reattached my hosts to the new vCenter.  One of the things that I’ve been struggling with since then is not being able to deploy new OVAs or upload files to my datastores (short of just using scp).  Scouring the internet, I came across a couple of VMware KB articles that solved my issues:

This one talks about the issue and this one solves it.  Basically you have to either setup a valid cert on the VCSA or trust the built-in one signed by the VCSA CA.  Now I can even use Edge (for now) to access vCenter.

Read More

Noticed IPv6 DHCP was broken on all my Windows 10 clients after I upgraded to the anniversary edition (1607).  Had to run a couple of PowerShell commands to get them pulling addresses:

Wired:

Set-NetIPInterface ethernet -AddressFamily ipv6 -RouterDiscovery Enabled
Set-NetIPInterface ethernet -AddressFamily ipv6 -ManagedAddressConfiguration Enabled

Wireless:

Set-NetIPInterface wi-fi -AddressFamily ipv6 -RouterDiscovery Enabled
Set-NetIPInterface wi-fi -AddressFamily ipv6 -ManagedAddressConfiguration Enabled

That’s it!

Read More

I’ve been a longtime fan of Windows Live Writer.  Alas, it has been unsupported for many moons and I haven’t been able to get it working with SSL.  The good news is that Microsoft decided to release WLW to the open source community.  The even better news is that someone has forked the code and taken up the mantle.  If you’re an existing Windows Live Writer user, I suggest you give Open Live Writer a try.  The setup and user interface will be familiar and things seem to work overall.

Read More

So I had an issue at work that went like this:  We recently put in new managed switches at our remote sites.  One of them failed and was replaced by our 3rd party subcontractor.  They just do a hardware replacement and my team does the configuration.  By default, the switches are configured to use 192.168.1.254 with no gateway info set.  There is only a web UI enabled by default as well.  I have to somehow open a browser and get access to that web console so I can configure the new switch.  I have an 1841 or 1921 router at the other end to configure to make this work.  NAT voodoo time.

The scenario:

NAT scenario diagram

The fix:

conf t

int f0/0
ip add 192.168.1.253 255.255.255.0
! f0/0 faces the replacement switch (192.168.1.254), so it is the NAT outside side
ip nat outside

int s0/0/0
! the WAN link back toward my PC (10.210.23.8) is the NAT inside side
ip nat inside

int l1
ip address 10.15.4.249 255.255.255.252
no shut

exit

router bgp 65000
network 10.15.4.248 mask 255.255.255.252

exit

ip nat outside source static 192.168.1.254 10.15.4.250
ip nat inside source static 10.210.23.8 192.168.1.100
ip route 10.15.4.250 255.255.255.255 f0/0 1

end

Now I can open a browser to 10.15.4.250 and it works.  When doing any commands reaching back to my computer (tftp), I used 192.168.1.100 as the server (tftp://192.168.1.100/startup-config) and that worked.

That’s it.

Read More

Did some cleanup on the backend.  Making sure everything still works.

Read More

I posted this on the freenas forums..

Here’s a short write-up on how I got SSL going with LDAPS against AD for authentication. I used the plugin and am working out of / in the jail.
keytool is located at /usr/pbi/subsonic-amd64/bin
1) Create a cnf file to be used for generating the csr.

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Texas
localityName = Locality Name (eg, city)
localityName_default = San Antonio
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Department
commonName = Common Name (hostname)
commonName_default = subsonic
commonName_max = 64
emailAddress = Email Address
emailAddress_default = [email protected]
emailAddress_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = subsonic
DNS.2 = subsonic.domain.com
IP.1 = 192.168.0.1

2) Generate the csr and private key

openssl req -new -sha256 -out subsonic.csr -config subsonic.cnf -newkey rsa:2048 -nodes -keyout subsonic.key

3) Submit the CSR to your CA. I used a Windows CA and received the subsonic.cer certificate.
4) Generate a PKCS12 file to be used for the Web SSL Java Keystore. I could not get this working using the system keystore, so this one is just for https.

openssl pkcs12 -export -out subsonic.pfx -inkey subsonic.key -in subsonic.cer -certfile CA-Certificate.cer

5) Create the Java Keystore to be used for SSL access.

./keytool -importkeystore -srckeystore subsonic.pfx -destkeystore subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic.domain.com

6) Add your CA certificate to the system Java Keystore as well. This will be used for LDAPS authentication. The default password is ‘changeit’. You should probably change that as well.

./keytool -import -trustcacerts -alias CA-domain.com -file /CA-Certificate.cer -keystore /usr/pbi/subsonic-amd64/openjdk7/jre/lib/security/cacerts

7) Enable LDAP Authentication under Settings\Advanced

LDAP URL: ldaps://server.domain.com:636/dc=domain,dc=com
LDAP search filter: (&(sAMAccountName={0})(&(objectCategory=user)(memberof=cn=subsonic,ou=groups,dc=domain,dc=com)))
LDAP Manager: DOMAIN\user (non privileged!)

8) The default user cache is too high. Edit it in /var/db/subsonic/jetty/4427/webapp/WEB-INF/classes/ehcache.xml

<cache name="userCache"
maxElementsInMemory="1000"
eternal="false"
timeToIdleSeconds="3600"
timeToLiveSeconds="3600"
overflowToDisk="false"
diskSpoolBufferSizeMB="1"
statistics="true"/>
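The CSR config in steps 1 and 2 is where most "it works with openssl but the browser rejects it" problems start: modern browsers ignore the CN and match the hostname against the subjectAltName list, and a stray edit (or a paste that mangles the `subjectAltName = @alt_names` line) silently produces a cert with no SAN at all. The script below is an added example, not part of the original post or the Subsonic project: it parses the INI-style subset of OpenSSL config that `req` uses and checks a request config for the things that bite later. `GOOD_CNF` is an abridged copy of the `subsonic.cnf` above; `NO_SAN_CNF` is a constructed variant with the SAN line dropped.

```python
import ipaddress

# Abridged copy of the subsonic.cnf from step 1, used here as test input.
GOOD_CNF = """\
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
[ req_distinguished_name ]
commonName = Common Name (hostname)
commonName_default = subsonic
commonName_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = subsonic
DNS.2 = subsonic.domain.com
IP.1 = 192.168.0.1
"""

# Constructed variant: the SAN reference is missing, as happens when the line is pasted badly.
NO_SAN_CNF = GOOD_CNF.replace("subjectAltName = @alt_names\n", "")


def parse_openssl_cnf(text):
    """Minimal parser for the '[ section ]' / 'key = value' layout of an openssl req config."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def san_entries(cfg, ext):
    """Resolve 'subjectAltName = @section' into a list of (type, value) pairs."""
    ref = ext.get("subjectAltName", "")
    if not ref.startswith("@"):
        return []
    return [(key.split(".", 1)[0].upper(), value)
            for key, value in cfg.get(ref[1:], {}).items()]


def check_csr_config(cfg):
    """Return findings for a server-certificate request config; empty list means it looks sane."""
    findings = []
    req = cfg.get("req", {})
    dn = cfg.get(req.get("distinguished_name", ""), {})
    ext = cfg.get(req.get("req_extensions", ""), {})

    if int(req.get("default_bits", "0")) < 2048:
        findings.append("default_bits below 2048")
    if ext.get("basicConstraints", "").upper() != "CA:FALSE":
        findings.append("server certificate request should carry basicConstraints = CA:FALSE")
    usages = {u.strip() for u in ext.get("keyUsage", "").split(",")}
    for needed in ("digitalSignature", "keyEncipherment"):  # what an RSA TLS server key does
        if needed not in usages:
            findings.append(f"keyUsage lacks {needed}")

    sans = san_entries(cfg, ext)
    if not sans:
        findings.append("no subjectAltName: browsers match the hostname against SAN entries, not the CN")
    cn = dn.get("commonName_default")
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if sans and cn and cn not in dns_names:
        findings.append(f"commonName {cn!r} is not repeated as a DNS SAN entry")
    for kind, value in sans:
        if kind == "IP":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                findings.append(f"IP SAN {value!r} is not a valid address")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CNF), ("no-san", NO_SAN_CNF)):
        print(name, check_csr_config(parse_openssl_cnf(text)) or "OK")
```

Run it against the real file with `check_csr_config(parse_openssl_cnf(open("subsonic.cnf").read()))` before submitting the CSR to the Windows CA; fixing the config is a lot cheaper than re-issuing and re-importing a certificate into both keystores.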

Read More

This is a copy/paste from https://forums.he.net/index.php?topic=3194.0.  I’m keeping it here in case that post ever disappears and I need a reference.

This isn’t something people do often, so I figured I would add a post about it (mostly so I can Google it myself in a few years…)
To configure Dynamic DNS (DDNS) updates on your NetScreen/SSG device (may vary slightly between revisions/models):
NOTE: You might also require PING/ICMP Echo Request to be enabled on WAN interface…
By default, DDNS uses HTTPS to connect to update server. You must add the CA certificate that signed the server’s certificate.  For tunnelbroker, connect to https://ipv4.tunnelbroker.net/nic/update – you don’t need to login so click cancel if prompted. To display the certificate click (or double-click) on the "padlock" next to "https" in the address bar.
– in Chrome, click "Connection" then "Certificate details"
– in IE, click the padlock then "View certificates" – (IE seems to have issues saving certificates to a file…)
Select the "Certification Path" tab
Double-click the entry immediately above(currently "Starfield Secure Certificate Authority – G2") the default/bottom one (e.g. tunnelbroker.net)
Select "Details" tab
Select "Copy to file"
Next / Base-64 / Browse – pick somewhere you can find it and a name you can remember, e.g. "starfield-2.cer"
Now, go to Web-UI on NS/SSG
Navigate to Objects – Certificates
Select "File: Choose File"
Find the cert you saved previously, OK
Select "Load"
Adding Certificates via CLI:
Not recommended as it requires storing the cert file on a tftp server, but read about it here: http://kb.juniper.net/InfoCenter/index?page=content&id=KB4777
The NS/SSG can now validate the certificate when it connects to update server!
Next, gather your tunnel information.
From https://tunnelbroker.net/ find your tunnel entry
e.g. username-1.tunnel.tserv3.xxx1.ipv6.he.net
copy this hostname somewhere you can find it
Click on the tunnel entry
Click on the Advanced tab
Copy your Update Key somewhere you can find it
Now, the actual DDNS part….
Option #1: Web-UI
In NS/SSG Web-UI, navigate to Network / DNS / DDNS
Take note of any existing entries as you will be prompted for an ID number that is not currently in use…
Select "New"
Enter an unused ID number (1 is fine if you have no existing entries)
Set server type to "dyndns"
Set server name to "ipv4.tunnelbroker.net"
Defaults for update intervals should be fine
Leave "Clear text" unchecked – that is why we added the cert!
Enter your account name in "Username"
Enter your "Update Key" in Password
Leave Agent blank – it will auto-populate with your OS version, unless you want to put something else here
Bind to Interface – Select your WAN/untrust interface your tunnel is on
For "Hostname", enter your tunnel name – e.g. username-1.tunnel.tserv3.xxx1.ipv6.he.net
For Service, leave default of "dyndns"
Select OK!
Option #2: CLI:
get dns ddns  – take note of any existing entries as they must each have a unique ID number
set dns ddns id X server "ipv4.tunnelbroker.net" server-type dyndns
set dns ddns id X username USERNAME password UPDATEKEY
set dns ddns id X src-interface ethernet0/0 host-name username-1.tunnel.tserv3.xxx1.ipv6.he.net
set dns ddns enable
To view status:
-> get dns ddns
status: enable  usage: 1/8
id type   state server          username   interface  nextupdate   lastresp
——————————————————————————–
1 dyndns     1 ipv4.tunnelbrok username   eth0/0     6d;23:24:00  nochg
To view detailed status:
-> get dns ddns id X
Id:                     1
State:                  Init
Socket:                 -1
Type:                   dyndns
Server:                 ipv4.tunnelbroker.net
Clear-text:             no
Refresh-int:            7 days 0 hours 0 minutes 0 seconds
Min-update-int:         1 hours 0 minutes 0 seconds
Next-update:            6 days 23 hours 24 minutes 0 seconds
Username:               username
Password:               **********
Agent:                  Netscreen-6.X-00000
Src-interface:          ethernet0/0
Host-name:              username-1.tunnel.tserv3.xxx1.ipv6.he.net (dyndns)
Last-response:          nochg
Last-response-ip:       0.0.0.0
Last-Updated:           before 36 minutes 8 seconds
Counters
——————————————————————————–
Successful updates:     3
Failed updates:         0
Server lookup failures: 5
Socket creation errors: 0
Socket connect errors:  3
Socket send errors:     0
Update retries:         0
To debug / troubleshoot:
From CLI:
Cancel debugging / clear buffer:
-> undebug all   (or press <ESC>)
-> clear dbuf
Enable DDNS debugs:
-> debug dns ddns
View dbuf:
-> get dbuf stream
Errors that show DNS is working:
ddns: server ipv4.tunnelbroker.net resolved to 64.62.200.2
Errors that show SSL issue:
DDNS: connect error
socket creation failed
Successful update:
ddns: server ipv4.tunnelbroker.net resolved to 64.62.200.2
GET /nic/update?system=dyndns&hostname=username-1.tunnel.tserv3.xxx1.ipv6.he.net&myip=XXX.XXX.XXX.XXX&wildcard=OFF&mx=mail.exchanger.ext&backmx=NO&offline=NO HTTP/1.0
Accept: text/html;*.*;
Host: ipv4.tunnelbroker.net
….
nochg XXX.XXX.XXX.XXX
….
ddns: succesfully updated DYNDNS server
The "nochg" means the updated IP matches the existing one, so "no change".
Don’t forget to cancel debugging with "undebug all" or pressing "<ESC>"
Brian
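The detailed status output quoted in the post carries everything needed to tell "the update key is going out in the clear" apart from "the device cannot complete the TLS handshake because it does not trust the CA". The script below is an added example, not part of the forum post or of any Juniper tooling: it parses the `get dns ddns id X` layout shown above and flags the conditions the post describes (clear-text enabled, failed updates, connect errors with no successful update, an unexpected last response). The `HEALTHY` sample is constructed to match that layout with invented values; the two variants are derived from it.

```python
# Constructed sample in the layout of `get dns ddns id X` from the post; values are invented.
HEALTHY = """\
Id:                     1
State:                  Init
Socket:                 -1
Type:                   dyndns
Server:                 ipv4.tunnelbroker.net
Clear-text:             no
Refresh-int:            7 days 0 hours 0 minutes 0 seconds
Min-update-int:         1 hours 0 minutes 0 seconds
Next-update:            6 days 23 hours 24 minutes 0 seconds
Username:               username
Password:               **********
Agent:                  Netscreen-6.X-00000
Src-interface:          ethernet0/0
Host-name:              username-1.tunnel.tserv3.xxx1.ipv6.he.net (dyndns)
Last-response:          nochg
Last-response-ip:       0.0.0.0
Last-Updated:           before 36 minutes 8 seconds
Counters
--------------------------------------------------------------------------------
Successful updates:     3
Failed updates:         0
Server lookup failures: 5
Socket creation errors: 0
Socket connect errors:  3
Socket send errors:     0
Update retries:         0
"""

# dyndns2 responses that mean the update went through (the post explains 'nochg').
OK_RESPONSES = {"good", "nochg"}


def parse_ddns_status(output):
    """Turn the 'Key:   value' lines into a dict; headings and rule lines have no colon and are skipped."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_ddns(fields):
    """Return findings for one DDNS entry; an empty list means it is updating over HTTPS as intended."""
    findings = []
    if fields.get("Clear-text", "no").lower() != "no":
        findings.append("Clear-text is enabled: the username and Update Key would go out over plain HTTP")
    succeeded = int(fields.get("Successful updates", "0"))
    failed = int(fields.get("Failed updates", "0"))
    connect_errors = int(fields.get("Socket connect errors", "0"))
    if failed:
        findings.append(f"{failed} failed update(s)")
    if succeeded == 0 and connect_errors:
        # The post maps 'DDNS: connect error' to an SSL problem: the device could resolve
        # the server but not complete the TLS connection, usually a missing CA certificate.
        findings.append(f"{connect_errors} connect error(s) and no successful update: "
                        "verify the CA certificate loaded under Objects - Certificates")
    response = fields.get("Last-response", "")
    if response not in OK_RESPONSES:
        findings.append(f"last response {response!r} is not one of {sorted(OK_RESPONSES)}")
    return findings


# Variants built from the healthy sample: a device that never got a TLS session up,
# and one where someone ticked 'Clear text' to work around that.
BROKEN_TLS = dict(parse_ddns_status(HEALTHY),
                  **{"Successful updates": "0", "Socket connect errors": "4", "Last-response": ""})
CLEARTEXT = dict(parse_ddns_status(HEALTHY), **{"Clear-text": "yes"})


if __name__ == "__main__":
    for name, fields in (("healthy", parse_ddns_status(HEALTHY)),
                         ("broken-tls", BROKEN_TLS), ("cleartext", CLEARTEXT)):
        print(name, check_ddns(fields) or "OK")
```

Note that the lookup-failure counter is deliberately not treated as a fault on its own: the sample shows five lookup failures next to three successful updates, and the post lists a successful resolve as the first line of a good debug trace, so transient DNS failures are expected noise unless no update ever succeeds.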

Read More

The antivirus server at work was pissing me off and saturating our OC3.  I policed it down to 50 Mbps.

ip access-list extended traffic-police
permit ip host 192.168.0.100 any

class-map traffic-police
match access-group name traffic-police

policy-map traffic-police
    class traffic-police
        police 50000000 conform-action transmit exceed-action drop

int po1/0
service-policy output traffic-police

Read More