Irma took me out for a few days, but I’m back!

Lately I’ve been trying to make sure all of the tech at my girlfriend’s home can actually be managed by her, should I be hit by a bus and fall into a coma. I was in the process of building a Sophos XG UTM, but decided to buy a Circle instead. Kids needed a computer, so I got them an LG Chromebase instead of going through the hassle of making Windows secure and kid-safe. She had some home automation going with a Wink Hub, Echo Dots, and an assortment of LED smart bulbs, so I handed down my EcoBee3 when I upgraded to the 4.

The EdgeRouter PoE and UAP-AC-Lite combo were the remaining weakest link in terms of self-management and control. The ER is wholly unsuitable for mere mortals, and while the UAP could theoretically be reset and managed entirely via the phone app… that would be another hassle to deal with in my absence.

And I also had a coverage gap I wanted to address. I’d placed her AP in an alcove to keep everything neat and tidy, but it’s a horrible spot for 5GHz propagation to the back patio where I often work. Dropping a UAP-AC-M or UAP-AC-Lite near the area and using the wireless uplink feature would have solved it, but that’s adding more complexity where I want less.

Enter AmpliFi Mesh:

AmpliFi Mesh

The early reviews on this product weren’t all glowing: from the technologist’s perspective it has a number of compromises and a purposeful lack of features, but from the “I want a multi-AP setup that the girlfriend can easily manage from her phone” perspective it ticks all the boxes. Since the initial launch they’ve simplified the product line: the Base and LR mesh kits are gone and the HD Mesh kit has dropped a couple hundred bucks down to $349 retail. I picked up a used kit on eBay for $200-ish and I’m not sure which version it is.

I’ve configured the system in bridge mode behind the EdgeRouter while I figure out how to replicate my site-to-site VPN. The Mesh units are placed in the laundry room downstairs and the hallway upstairs, and I am bathing in glorious 5GHz coverage where previously it was spotty. I’m sure it’s not the absolute fastest using 2.4GHz for backhaul but the Internet connection here is ~60Mb/s and I’ve no trouble achieving that throughout the home despite this being an apartment complex with a bazillion 2.4GHz APs in view.

So far, I’m liking it a lot… it addressed my pain points at an affordable price and is gorgeous to boot. Since I’m just using the wireless functions there isn’t much to dislike, but one minor nit is that it doesn’t support Guest access in bridge mode.

Would recommend for situations where an EdgeRouter / USG + UAPs are overkill and a high-quality simple solution is desirable.

Update: Troy Hunt put together a thorough review of an AmpliFi install with lots of screenshots.

AD Dynamic DNS Updates from EdgeRouter DHCP

Today was the day that I de-commissioned DHCP on my home Active Directory servers. The one area that gave me a little trouble was figuring out how to get Dynamic DNS for clients working with AD DNS. All of the guidance I could find was for BIND.

Here are the commands I used:

set service dhcp-server use-dnsmasq disable
set service dhcp-server dynamic-dns-update enable true
set service dhcp-server global-parameters 'ddns-updates on;'
set service dhcp-server global-parameters 'update-static-leases on;'
set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-rev-domainname="";'
set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-domainname="AD-DOMAIN-NAME.";'

Replace LAN with the name of the DHCP server instance on the EdgeRouter, and AD-DOMAIN-NAME with your AD domain (note the trailing period). The double quotes inside the single-quoted parameters are required, since dhcpd expects a quoted string; copy them exactly as shown.

Breaking this down step-by-step:

set service dhcp-server use-dnsmasq disable

This configures the ER to use ISC’s DHCPd instead of dnsmasq.

set service dhcp-server dynamic-dns-update enable true
set service dhcp-server global-parameters 'ddns-updates on;'
set service dhcp-server global-parameters 'update-static-leases on;'

I’m not sure the first one is necessary here, but we’re configuring DHCP to perform DNS updates on clients’ behalf and to include static DHCP clients.

set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-rev-domainname="";'
set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-domainname="AD-DOMAIN-NAME.";'

Finally, we configure each DHCP scope for updates to the forward and reverse zones.
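Once dhcpd is doing the registrations, the thing you actually want to check is whether what it should have registered matches what is in the zone. The script below is an added example (not code from the post): it parses an ISC dhcpd.leases file, the format the EdgeRouter writes once use-dnsmasq is disabled, keeps the latest binding per address and derives the FQDN dhcpd would publish under ddns-domainname, so the result can be compared against the AD zone to spot stale or unexpected records. `AD_DOMAIN` and `SAMPLE_LEASES` are constructed placeholders. Note that the client-hostname option comes from the client and is untrusted, which is why only a single valid DNS label is accepted.

```python
"""Reconcile what dhcpd should have registered in AD DNS.

Added example, not code from the post. Parses an ISC dhcpd.leases file, keeps the
most recent binding per address and derives the FQDN dhcpd would register under
ddns-domainname. AD_DOMAIN and SAMPLE_LEASES are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

AD_DOMAIN = "ad.example.com."  # placeholder for AD-DOMAIN-NAME, trailing dot as in the config

# One lease block: "lease <ip> { ... }"; the leases file has no nested braces.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STATE_RE = re.compile(r"^\s*binding state\s+(\S+);", re.M)
MAC_RE = re.compile(r"^\s*hardware ethernet\s+([0-9a-fA-F:]+);", re.M)
HOSTNAME_RE = re.compile(r'^\s*client-hostname\s+"([^"]*)";', re.M)
# client-hostname is client-supplied and untrusted: accept only a single DNS label.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


@dataclass
class Lease:
    ip: str
    state: str
    mac: Optional[str]
    hostname: Optional[str]


def _first(rx: "re.Pattern[str]", body: str) -> Optional[str]:
    m = rx.search(body)
    return m.group(1) if m else None


def parse_leases(text: str) -> Dict[str, Lease]:
    """Return the latest lease record per IP; dhcpd appends, so later blocks win."""
    leases: Dict[str, Lease] = {}
    for ip, body in LEASE_RE.findall(text):
        leases[ip] = Lease(
            ip=ip,
            state=_first(STATE_RE, body) or "unknown",
            mac=_first(MAC_RE, body),
            hostname=_first(HOSTNAME_RE, body),
        )
    return leases


def expected_records(leases: Dict[str, Lease], domain: str = AD_DOMAIN) -> Dict[str, str]:
    """Map FQDN -> IP for every active lease whose hostname dhcpd would publish."""
    records: Dict[str, str] = {}
    for lease in leases.values():
        if lease.state != "active" or not lease.hostname:
            continue
        if not LABEL_RE.fullmatch(lease.hostname):
            continue  # name cannot be a valid DNS label; dhcpd would not register it cleanly
        records[lease.hostname.lower() + "." + domain] = lease.ip  # DNS names are case-insensitive
    return records


# Constructed sample: 10.52 was re-leased then freed, 10.51 sent no hostname, 10.53 sent junk.
SAMPLE_LEASES = """\
lease 192.168.10.50 {
  starts 3 2017/09/13 12:00:00;
  ends 3 2017/09/13 18:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "Laptop1";
}
lease 192.168.10.51 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.10.52 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "printer";
}
lease 192.168.10.52 {
  binding state free;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "printer";
}
lease 192.168.10.53 {
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
  client-hostname "bad host.name";
}
"""

if __name__ == "__main__":
    for fqdn, ip in sorted(expected_records(parse_leases(SAMPLE_LEASES)).items()):
        print(f"{fqdn} -> {ip}")
```

On the router the real input is the dhcpd leases file under /var/run or /config (path varies by firmware); the output is the set of A records you would expect to see in the AD zone, and anything in the zone that is not in this list deserves a look.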

Chromebooks May be Habit-forming

I’ve recently discovered Chromebooks:


Ok, it’s not like I just heard about them, but it was over the past few weeks that I realized they can serve a useful purpose.

  1. I needed a cheap portable serial terminal. Beagle Term and a cheap USB -> RJ45 serial cable fit the bill perfectly.
  2. I wanted a device to leave at my girlfriend’s for casual use. Never cared for Android tablets, didn’t want to spend real money on an iPad or a Windows tablet with a decent CPU. The Chromebook works nicely for this.
  3. The girlfriend’s kids have started 3rd grade and need access to a computer for school assignments. Was going to give them one of these Chromebooks… but she’d prefer they use something not portable and eventually I snagged a good eBay deal on an LG Chromebase instead.
  4. My mother needs access to a computer. For both her and the kids, giving them a computing environment that’s real difficult to screw up is high on the priority list. ChromeOS is perfect for this.

My Chromebook of choice is the Asus C300SA — 3lbs, 13.3″ screen, 4GB RAM, and a legit 10+ hours of battery life. The best part is that Amazon regularly offers reboxed returns at a low price, I’ve picked up four for $100-$115/ea.

Weak points are the sub-1080p display, non-backlit keyboard, and of course, the N3060 dual-core CPU (~989 CPU Mark score). Not gonna sugar-coat it, this thing strains under the load of 10-20 browser tabs I routinely have open… but it does far better than those cheap Windows tablets on Z-series Atom quad-cores.

Apps are also a weakness. For the kids and mom, the browser is all they really need. For myself… I need more, and I’m not real impressed with the selection and quality of what’s available in the Chrome Store in the categories I care about. I don’t want to go the Crouton / Linux route either, as that disables many of the security features of ChromeOS. I think I’d be happiest using the Chromebooks as thin clients to Windows. Guacamole and the various Chrome RDP clients haven’t been appealing to me from a UX perspective, so I’ll be digging into Horizon next.

Regardless, for $100-ish the Pros far outweigh the Cons. They’re not good enough to be my only PC, but they are good enough to be the only PC that I take with me.

Lab Progress: Cabling

Ethernet and console cables finally arrived, so it was a busy and sweaty morning of cable routing for the lab. Still need to hook up power, move my Home Production stack over w/ the US-16-XG, and figure out how I’m going to lay out the 10GbE stuff and a few other miscellaneous items.


TIL: DNAT before Firewall

Was adjusting some firewall rules and verifying them from the outside, and discovered that an unexpected port was being allowed, but only on the secondary WAN connection.

This particular setup uses dual WANs in a failover configuration, but has a ton of DNAT rules to allow inbound traffic on the secondary WAN because port-forward can only apply to one wan-interface. Here’s some relevant CLI:

set firewall group port-group web port 80
set firewall group port-group web port 443
set firewall group port-group web port 8080

set service nat rule 100 description wan2-web
set service nat rule 100 destination group address-group ADDRv4_eth7
set service nat rule 100 destination group port-group web
set service nat rule 100 inbound-interface eth7
set service nat rule 100 inside-address address
set service nat rule 100 inside-address port 8080

What I was seeing was that an inbound request to 443 was being allowed from anywhere, despite having firewall rules restricting access to certain IP ranges. Upon further examination I discovered that the request was being sent to 8080 on the inside.

And I immediately suspected my error: DNAT rules are processed before firewall rules, so the WAN-in firewall rules see the translated destination (port 8080 here) rather than the original port 443, and a rule written against 443 never matches. Turning up logging on the FW and DNAT rules quickly confirmed that was the case.


My other mistake here is that I probably shouldn’t be using inside-address port in my DNAT rules. The guide I followed to originally configure these DNAT rules suggested that they were necessary, but that is not the case and translating port numbers is definitely not the behavior I was looking for.
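To make the order of operations concrete, here is an added example (not code from the post) that models the EdgeOS packet path for inbound WAN traffic: DNAT rewrites the destination first, and only then is the interface’s “in” firewall ruleset evaluated, against the translated packet. It compares the DNAT rule with inside-address port 8080 against one without port translation, using the same WAN_IN ruleset. The addresses, networks and the permissive 8080 rule are constructed to reproduce the symptom described above; they are not from the post.

```python
"""Why a firewall rule keyed on port 443 never saw the forwarded traffic.

Added example, not code from the post. Models the EdgeOS order of operations:
DNAT in PREROUTING, then the WAN "in" firewall ruleset against the translated
packet. Addresses, networks and rule sets are constructed for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    match_dst: str
    match_ports: FrozenSet[int]
    inside_address: str
    inside_port: Optional[int] = None  # None: keep the original destination port


@dataclass(frozen=True)
class FwRule:
    action: str                          # "accept" or "drop"
    dports: Optional[FrozenSet[int]]     # None matches any destination port
    src_nets: Optional[Tuple[str, ...]]  # None matches any source address


def apply_dnat(pkt: Packet, rules: List[DnatRule]) -> Packet:
    """First matching DNAT rule rewrites the destination address (and optionally the port)."""
    for r in rules:
        if pkt.dst == r.match_dst and pkt.dport in r.match_ports:
            new_port = r.inside_port if r.inside_port is not None else pkt.dport
            return replace(pkt, dst=r.inside_address, dport=new_port)
    return pkt


def firewall(pkt: Packet, rules: List[FwRule], default: str = "drop") -> str:
    """First matching firewall rule decides; the default action applies otherwise."""
    for r in rules:
        if r.dports is not None and pkt.dport not in r.dports:
            continue
        if r.src_nets is not None and not any(
            ip_address(pkt.src) in ip_network(n) for n in r.src_nets
        ):
            continue
        return r.action
    return default


def forward(pkt: Packet, dnat_rules: List[DnatRule], fw_rules: List[FwRule]) -> Tuple[str, Packet]:
    """DNAT first; the firewall then evaluates the translated packet."""
    translated = apply_dnat(pkt, dnat_rules)
    return firewall(translated, fw_rules), translated


WEB_PORTS = frozenset({80, 443, 8080})  # the "web" port-group from the post
WAN2_IP = "203.0.113.7"                 # constructed address for eth7 (TEST-NET-3)
INSIDE_HOST = "192.168.10.20"           # constructed inside web server
TRUSTED = ("198.51.100.0/24",)          # constructed stand-in for the allowed IP ranges

# As in the post: every web port is translated to 8080 on the inside host.
DNAT_WITH_PORT = [DnatRule(WAN2_IP, WEB_PORTS, INSIDE_HOST, inside_port=8080)]
# Corrected: no inside-address port, so the original destination port is preserved.
DNAT_NO_PORT = [DnatRule(WAN2_IP, WEB_PORTS, INSIDE_HOST)]

# WAN_IN: 443 restricted to trusted sources, plus a permissive rule for 8080
# (constructed so the symptom of 443 being reachable from anywhere reproduces).
WAN_IN = [
    FwRule("accept", frozenset({443}), TRUSTED),
    FwRule("accept", frozenset({8080}), None),
]

if __name__ == "__main__":
    untrusted = Packet("192.0.2.50", WAN2_IP, 443)
    for label, dnat in (("inside-address port 8080", DNAT_WITH_PORT), ("no port translation", DNAT_NO_PORT)):
        verdict, seen = forward(untrusted, dnat, WAN_IN)
        print(f"{label}: firewall saw {seen.dst}:{seen.dport} -> {verdict}")
```

The practical rule that falls out of this: write the WAN-in firewall rules against the post-translation destination (the inside address and port), and do not translate ports in a DNAT rule unless that is actually what you want.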

Lab Progress Report

UPS dropped off some rack shelves and an ES-48-Lite today, which means the only thing holding me up from starting to get this lab racked up and online is time and rack screws.

A kind soul on the Ubiquiti Discord offered me a good deal on an ERLite-3, pair of ERPro-8, and a ES-16-XG so the total amount of Ubiquiti gear available for labbing is going to be fairly impressive!

On hand I’ve got:

Waiting to be delivered:

The end goal here is to be able to run mock deployments with a pair of every class of EdgeRouter and build out complex internetworking without ever having to physically touch the boxes.

Final (maybe?) Update on ER-X / ER-X-SFP Aggregate Performance

It has been confirmed to me that the ER-X / ER-X-SFP have only one 1 Gb/s link between the SoC and switch. Since every packet that enters the SoC through that link will have to exit the same path, 1 Gb/s is the maximum aggregate throughput.

I’ve not been able to garner any interest in why bi-directional testing takes a substantial performance hit. I may try some earlier firmware releases in the future but for now I’m moving on from this subject.

Dynamic DNS with Failover Load-Balancing

Here’s the scenario: Dual WANs configured for failover load-balancing. Firewall / DNAT rules in place allowing either interface to be used for incoming connections, and Dynamic DNS is configured on eth6 for and eth7 for

Problem: Want to have resolve to whichever WAN is active. Can’t use web-check on the eth6 / eth7 interfaces because the load-balancing policies apply to traffic originating from the router, so wan1 and wan2 would always be set to the active interface’s IP.

Solution: At first I thought it would be necessary to create a transition-script for the load-balancing policy to update active-wan outside of ddclient during a transition, but I realized that I was over thinking the problem.

What I ended up doing was creating an additional DDNS entry on a separate interface for which uses a web-check.

set service dns dynamic interface eth5 web dyndns
set service dns dynamic interface eth5 service custom-lb host-name
set service dns dynamic interface eth5 service custom-lb login user
set service dns dynamic interface eth5 service custom-lb options
set service dns dynamic interface eth5 service custom-lb password pass
set service dns dynamic interface eth5 service custom-lb protocol cloudflare
set service dns dynamic interface eth5 service custom-lb server

This exploits the load-balancing of the router’s traffic to discover the correct IP for active-wan. During a failover transition, ddclient will automatically detect that the IP has changed and update active-wan — no transition-script is necessary.

Note: Do not use web-check for weighted load-balancing. It will constantly flap between WAN IPs.