02 Mar

Regex for private-ASN on Junos

Hi, super quick note to share something I’ve made to match 2 Byte Private ASN numbers (64512-65535) in Junos. You can apply it to match a community, or in an AS-PATH.


I will try and expand it to catch “0”, and also 4 Byte Private ASN, but I can’t burn time on that at the moment.

This one catches “0” (also an invalid community), but doesn’t work in Juniper as the \D toggle doesn’t compute…


20 Jan

RYU Faucet (SDN Controller) on Raspberry Pi

I think I finally have a use for one of my 3 Raspberry Pi computers – an SDN controller.

I have an Allied Telesis switch about to arrive, which I will be using as an SDN device – buzzy and buzzwordy at the same time. I was planning on running Ryu-Faucet as my controller stack on a VM, but I had the genius move of moving my R730 server into another location – thinking the SDN controller should be near to the switch for noob-level troubleshooting (despite that being kind of against the spirit of SDN…) – I went with the nextmost NIX thing I could find – a Raspberry Pi 2 running Ubuntu 14.04 LTS.

So – how to go about doing this from a fresh Ubuntu install? Some garbled notes to follow – but first up – I am not a software developer, I can barely code to save myself – so using things like PyPi are new to me.

First up – an apt-get update / upgrade (I run everything from root for this process)

james@ubuntu:/# sudo su
root@ubuntu:/home/ubuntu# apt-get update
root@ubuntu:/home/ubuntu# apt-get upgrade

That gets us up to date. On my home connection with the Raspberry Pi 2 it took about 15 minutes to complete. Next up, installing enough Python tools to install more Python tools.. Ubuntu 14.04 LTS comes with Python 2.7 by default – so that’s a good start.

Now, we grab Pip (more deets here):

root@ubuntu:/home/ubuntu# wget https://bootstrap.pypa.io/get-pip.py
root@ubuntu:/home/ubuntu# python get-pip.py

Cool, so that grabs Pip for us. Note: I ran get-pip.py twice, the first time it installed an old version, then it smoothly upgraded it (from version 1.5 to version 7.2!).

With Pip installed, we’re good to go installing Ryu-Faucet.. Except not quite. The instructions here don’t account for the fact that we’re not hardened Python devs (and that we’re running on an ARM CPU not an Intel one – I guess).

Grab some extra tools from apt:
root@ubuntu:/home/ubuntu# apt-get install python-dev
Now we can run Pip and pull down the file we want to install (ryu-faucet!):

root@ubuntu:/home/ubuntu# pip install https://pypi.python.org/packages/source/r/ryu-faucet/ryu-faucet-0.28a.tar.gz

Watch the magic occur!

root@ubuntu:/home/ubuntu# pip show ryu-faucet
Metadata-Version: 2.0
Name: ryu-faucet
Version: 0.28a0
Summary: Ryu application to perform Layer 2 switching with VLANs.
Home-page: http://http://openflowsdn.github.io/faucet
Author: Shivaram Mysore, OpenflowSDN.Org
Author-email: faucet-dev@OpenflowSDN.Org
License: Apache License 2.0
Location: /usr/local/lib/python2.7/dist-packages
Requires: ryu, pyyaml

Cool. Next time, we’ll configure the Pi’s single ethernet interface to handle management and SDN controller duties and fling some packets across the data plane.

21 Sep

Select an IPv6 address with a double-click in PuTTY

This ranks highly on the nerd-alert scale, but anyway, here we are.

Putty has a nice feature where you can select a word with a double click. It’s really handy, especially when you are dealing with IPv4 prefixes. It doesn’t work with IPv6 addresses by default. You can edit what Putty uses as a delimiter, under Settings -> Selection.


Scroll down to ‘:’ (or whatever character you want to change the behaviour of!) and change its class from 1 to 2. If you save this as your default settings, from now on you can get a nice double click selection of IPv6 addresses.

More info on classes here.

28 Aug

FreeRADIUS 3 on Ubuntu 14.04 – some notes

Ugh. Nothing worse than setting out to install something relatively simple (like FreeRADIUS) only to find the documentation confusing, inconsistent and contradictory. FreeRADIUS has some pretty decent documentation for the actual operation of the software, but getting things going up-front can be a real mission, especially, if, like me, you’ve never done it before. I’m writing this as I go. My goal is to have a FreeRADIUS server running on my server, which I can use to test RADIUS functionality with some lab routers – Juniper MX480, MX960 and M120s.

First of all, why are you installing FreeRADIUS? What do you stand to gain here? If you already know and you’re hitting some glitches with the installation, these notes might help. If you want something a bit more comprehensive written by an expert – try here.

As FreeRADIUS comes with a pre-compiled package for my poorly chosen operating system (after many problems with Ubuntu 14.04 I’ve gone back to Debian 7.8 for nearly everything). That’s great news – simply run the lazy person’s favourite command:

sudo apt-get install freeradius -y

Now that bit is done, the docs tell you to run the ‘radiusd -X’ commands. From what I can see, that program doesn’t come with the Ubuntu package anymore. Simply replace it with ‘freeradius -X’ – it starts FreeRADIUS in debug mode, and away you go. Note – you might find that the ‘freeradius’ service has already started post installation.. Check with:

ps aux | grep freerad

If it’s in there, do a quick ‘sudo service freeradius stop’ and then you can fire it up again in debug (-X) mode.

Due to the way FreeRADIUS is recommended to be installed, the folder ‘/etc/freeradius’ (where the installer assumes you want things put) is owned by root. It might pay to do the rest of the work as root, if you can. Makes things a bit smoother, than having to use sudo all the time.

Add a user in the /etc/freeradius/users file, add a client in the /etc/freeradius/clients.conf and start the service up (I recommend debug). The formatting for adding a user/client is actually documented well. Remember, a user is a user on your router/device, a client is the configuration knob required on your RADIUS gateway (in this case, also a router). You need a secret phrase between the router and RADIUS server to allow them to talk, as well as a user defined on both sides (the subject of the talk between client and server).

04 Jun

Step-by-Step guide to installing Smokeping on Ubuntu 14.04 LTS

Installing Smokeping on Ubuntu used to be a total breeze. Since 14.04 however, it’s been a bit of a mission.

This guide assumes a fresh out of the box Ubuntu install. I’m using the 64bit Server variety, but this should work on any 14.04 system.

UPDATE – It also works perfectly on Ubuntu 16.04 LTS Server :~)

Note – I am a noob with Apache and a relative noob with Linux, but even I got it to work fairly painlessly.

Step 1: install smokeping (aaand you’re done).
 sudo apt-get install smokeping -y

Step 2:  normally, you’d be done by now.. But things have changed.
 sudo nano /etc/smokeping/config.d/pathnames

You’re going to want to go into the pathnames file and comment out the line about mail. Setting up mail to work with smokeping is outside the scope of this post. Because I’m lazy.

Do this: #sendmail = /usr/sbin/sendmail
Then hit CTRL-O, Enter, CTRL-X. That’s how you save a file in Nano, I won’t stick that bit in again.

Step 3: If you made it this far, you’re going to be fine. Start ‘er up…
sudo service smokeping start

Step 4: Head over to a web browser and enter the IP of your server/cgi-bin/smokeping.cgi
(Hint: it will fail, giving you a 404 error).
(Hint 2: you can find the IP address of your server by entering ifconfig, it’s typically eth0)

Step 5: It’s not working because you’re missing a couple of things. One is a slight config change in a smokeping config file,  one is some missing symlinks.. the other is (likely) the cgi module for Apache2 isn’t enabled. Fix it!

sudo nano /etc/smokeping/config.d/General

Edit the line that has cgiurl in it to read like:
cgiurl =

Save and quit nano.

Next you want to edit the following Apache config file:
sudo nano /etc/apache2/conf-available/serve-cgi-bin.conf

Under the lines

“Require all granted

You want to add:

ScriptAlias /smokeping/smokeping.cgi /usr/lib/cgi-bin/smokeping.cgi
 Alias /smokeping /usr/share/smokeping/www
 <Directory “/usr/share/smokeping/www”>
 Options FollowSymLinks

(Save and quit editing the file)

Finally, enable CGI:
sudo a2enmod cgi

Step 6: Kind of threw 3 things into step 5 there, whoops. Anyway now you want to restart smokeping and apache, just to see if you broke anything:
sudo service apache2 restart
sudo service smokeping restart

Now head back to your browser, throw in

It should work… If not, drop me a line.


25 Jul

3DS Streetpass on Mikrotik RouterOS

Quick and hacky – that’s the way you have to Streetpass in New Zealand, as you get so few legit matches out and about.

To setup your own home Streetpass service is easy.

  • Setup a new SSID on your router, as a virtual ap – call it attwifi
  • Dupe the MAC address on the new virtual AP to 4E:53:50:4F:4F:46
  • Stick that SSID in your local bridge and setup some security
  • Join your 3DS to the attwifi SSID and away you go

Simple as that!

21 May

How to reach PPPoE bridge from Mikrotik

When using a Mikrotik router (or any other decent home router) as your PPPoE client, it’s good to be able to keep access to the ADSL/VDSL modem in-line to allow diagnostics, additional configuration etc. To avoid a situation where the router is essentially double-NATing all the packets going across the WAN link, the ideal setup is a secondary IP address on the router’s WAN interface, that is handled separately.

Below is a crude drawing of my home setup. The Draytek Vigor 130 is acting as a VDSL modem, bridging the PPPoE connection across to the Mikrotik RB2011UAS-2HnD-IN which is ‘dialing’ the PPPoE connection back to my ISP. The ISP dishes out an IP address which lands directly on the router, passing through the Draytek. On the LAN side of the router, is a pretty boring DHCP subnet (with DNS setup as mentioned here).

To setup the router/modem to allow access to both (without unplugging the router to get back to the modem) – you can do the following:

First, add an IP address to the modem:

Now, add the corresponding interface on the Mikrotik (access via SSH, note below is only 2 lines of config):

This will add the other end of the /30 network to the ether1-gateway (physical) interface on the Mikrotik router.

Now, all we need to do is tell the router that it’s OK to NAT on that address, on that interface:

If all went to plan, you should be able to ping from your Mikrotik:

All done, now you can browse to both the router IP for GUI config, and get to the VDSL modem’s config page as well.

Help on this one came from the DD-WRT wiki.

21 May

Mikrotik Firewall – For Home Users

Mikrotik make routers that are affordable enough for the home user market, but are quite powerful and come without too many training wheels. I’m using the RB2011UAS-2HnD-IN as a home router, wireless AP and firewall. It’s powerful and configurable enough to do pretty much anything I’ve thrown at it – but out of the box it’s probably a bit too open to attacks from randos.

Here’s a firewall script I’ve deployed on the home gateway, with the following parameters

Home LAN Subnet –
Home LAN Gateway –

This firewall script can be used to somewhat lockdown access to your router/home LAN without too much struggle. It’s probably missing a few bits and pieces, but seems to have put and end to hackers trying to brute-force root access via SSH over the internet – so far.

21 May

Unblock-US and Mikrotik RB2011UAS-2HnD-IN

If you live somewhere out of the way, like New Zealand, sometimes it pays to use a DNS-proxying service like Unblock-US. Reasons for this are circumventing some draconian geo-blocking rules, but I won’t go into that here.

Anyway – if you want to setup your Mikrotik router to use DNS addresses other than your ISPs provided ones (and make use of the DNS cache offered by the router) – follow these steps:

First, SSH into your router (something like admin@routerIP). I use Putty to do this in Windows. Then enter the following lines:

That adds the 3 Unblock-US DNS addresses they specify to be the router’s DNS servers. You can check it worked by the following command:

Now, the DNS is set, but nothing on your home LAN is going to be interested until you either statically point each device to use the DNS address of your router ( by default), or tell the router’s DHCP server where to get its DNS info from. The latter is the most elegant option. Do it by:

Here, we go into the DHCP server config and set up a DHCP pool on the local bridged interfaces (the locally connected devices, including wifi hosts). Then, we tell the DHCP server to use the router’s IP as its DNS source. Quite often this is already set by default.

Now, you can browse around a bit, using the Unblock-US DNS servers to get to where you want to go. You can check on the DNS Cache by entering:

It should have a few hundred entries after a minute or so of cruising around the internet.

The final (and crucial) step, is to disable ‘Peer DNS’ on your WAN interface. I did this by disabling the option on my pppoe-out1 interface

Some info from here.