Saturday, December 18, 2021

How to update Ubiquiti UniFi controller on CentOS 7.

Note: This needs to be done after hours as devices may lose connectivity for about 10 seconds to re-provision.

  1. Get the URL for the latest stable UniFi Controller: go to https://www.ui.com/download/ and click UniFi. Find the Software category, click the UniFi Network Application Debian file, then click the Download link. Accept the EULA and review the download link location.
  2. SSH into server and log in as root.
  3. Stop the UniFi controller service
    # service unifi stop
  4. Download the Unix version of the UniFi controller, replacing the version number in the URL below with the one from Step 1:
    # wget https://dl.ui.com/unifi/6.xx.xx/UniFi.unix.zip
  5. Unzip the downloaded file:
    # unzip UniFi.unix.zip
  6. Move existing UniFi controller to a backup folder:
    # mv /opt/UniFi/ /opt/UniFi_bak
  7. Move new UniFi controller files to final location:
    # mv UniFi/ /opt
  8. Copy existing database (with all info about your UniFi devices) files to final location:
    # cp -rf /opt/UniFi_bak/data/ /opt/UniFi/data/
  9. Change ownership of files to match what your controller runs as:
    # chown -R ubnt: /opt/UniFi
  10. Start new UniFi controller software:
    # service unifi start
    (wait for database to be upgraded in background, may take a few minutes before you are able to log in)
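
The file-handling part of the procedure (steps 6 to 8), as an added shell example that is not from the original post: it takes a fresh backup on every run, because on a repeat upgrade `mv /opt/UniFi/ /opt/UniFi_bak` would nest the live install inside the existing backup and step 8 would then copy the older database. The function names, the timestamped backup name and the expected SHA-256 value are assumptions; the post itself does not mention a checksum.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the timestamped
# backup name and the expected-checksum argument are assumptions.

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX
# (a value you obtained separately from the download itself).
verify_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# swap_in_release NEW_DIR INSTALL_DIR: steps 6-8 with a fresh backup each run.
# Prints the backup path on success; restores the old tree on failure.
swap_in_release() {
    new=${1%/}; live=${2%/}
    [ -n "$live" ] && [ -d "$new" ] && [ -d "$live/data" ] || {
        echo "need NEW_DIR and INSTALL_DIR/data to exist" >&2; return 1; }
    # A fixed backup name is unsafe on repeat runs: mv into an existing
    # directory nests the tree, and step 8 would then copy the old database.
    bak="${live}_bak_$(date +%Y%m%d%H%M%S)"
    [ ! -e "$bak" ] || { echo "$bak already exists" >&2; return 1; }
    mv "$live" "$bak" || return 1
    if mv "$new" "$live" && mkdir -p "$live/data" &&
       cp -a "$bak/data/." "$live/data/"; then
        echo "$bak"
    else
        rm -rf "$live"; mv "$bak" "$live"   # roll back to the old version
        return 1
    fi
}

# Typical use as root, mirroring steps 3-10 (EXPECTED is a placeholder):
#   service unifi stop
#   verify_sha256 UniFi.unix.zip "$EXPECTED" && unzip UniFi.unix.zip
#   bak=$(swap_in_release UniFi /opt/UniFi) && chown -R ubnt: /opt/UniFi
#   service unifi start
```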

Optional: prune the database to improve performance:

https://help.ubnt.com/hc/en-us/articles/204911424-UniFi-How-to-Remove-Prune-Older-Data-and-Adjust-Mongo-Database-Size#3.%20How%20to%20Prune%20Linux

Monday, November 21, 2016

How to Enable IPv6 on pfSense with Time Warner Cable internet

Here are some quick instructions on how to enable IPv6 on pfSense when using Time Warner Cable (residential or business class DHCP provided) internet access.


  1. Under interfaces click on WAN. Select DHCP6 from drop down menu on IPv6 configuration type. Make sure DHCPv6 Prefix Delegation size is set to 64. Uncheck Block bogon networks. Click Save.
  2. Under interfaces click on LAN. Select Track interface from drop down menu on IPv6 configuration type. Make sure Track interface is set to WAN under Track IPv6 Interface. Click Save.
That's it. You should see on your pfSense dashboard that the WAN and LAN interfaces each have an IPv6 Time Warner IP address. Release/renew DHCP IP addresses on your LAN devices and they should now pick up IPv6 Time Warner IP addresses.

Tuesday, August 30, 2016

How to download a file using PowerShell

Here is how to download a file using PowerShell without needing any additional tools. Great for Hyper-V Core systems or remote access.

powershell.exe "Import-Module BitsTransfer; Start-BitsTransfer -Source http://domain.tld/somefilename.exe -Destination c:\PathToAFolder"

Friday, November 28, 2014

Site-to-Site IPSEC VPN using Mikrotik Routerboards

A good video on how to set up the VPN is here:
http://gregsowell.com/?p=1290
Example: Site A has a static IP address and Site B has a dynamic IP address. On the Site B Mikrotik router, you will need to add the following script to update the VPN policy. To do this using Winbox, go to System -> Scripts. Click the + sign. Give the script a name. Then paste the following code into the box below:
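# Read the WAN address in CIDR form (address/prefix length)
:local WANip [/ip address get [find interface="ether5"] address]
:log info "Interface IP is $WANip"
# Cut at the "/" so the prefix length is removed whatever its number of digits
:local WANip [:pick $WANip 0 [:find $WANip "/"]]
:log info "IP sans the slash notation is $WANip"
# Point the first IPsec policy at the current WAN address
/ip ipsec policy set 0 sa-src-address=$WANip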
Click Okay to save the script. 

To schedule the script to run every 5 minutes (in case the WAN IP address changes), in Winbox go to System -> Scheduler. Give the task a name. Start date can be ignored. Set Start time to 1 second (00:00:01). Set Interval to 5 minutes (00:05:00). Where it says On Event, type in the name of the script you entered above. Click okay.

Note: Here is a list of protocols and ports that will need to be opened on both Mikrotik routers in order for the VPN traffic to pass successfully:
Chain: Input, Protocol: 50 (ipsec-esp), Action: Accept
Chain: Input, Protocol: 51 (ipsec-ah), Action: Accept
Chain: Input, Protocol: 17 (udp), Any Port: 500, Action: Accept
Note: In Mikrotik OS version 6.39.1, you may experience the following error with IPSEC tunnels:
Expecting IP address type in main mode when using preshared key for authorization (see RFC 2409 section 5.4).
If you see this error, open Winbox, go to IP -> IPSEC. Then go to Peers tab. Double click on the Peer IP address. Then where it says My ID Type, change it to auto. Click Okay. Repeat the same procedure for the other router. This should re-establish the IPSEC tunnel.

Friday, October 3, 2014

How to Add Exchange Autodiscover SRV Record at GoDaddy

Here are the instructions on how to add an Exchange Autodiscover record over at GoDaddy.
  1. Log into your GoDaddy account.
  2. Click on Domains, then click on the Launch button next to the domain you wish to edit.
  3. Click on DNS Zone File tab.
  4. Towards bottom of page, find SRV Records heading and click Add Record.
  5. Where it says Name, type in @.
    Where it says Target, type in the FQDN of your Exchange server. Ex. servername.business.tld
    Where it says Protocol, type in _tcp
    Where it says Service, type in _autodiscover
    Where it says Priority, type in 10
    Where it says Weight, type in 10
    Where it says Port, type in 443 (unless you've changed the port that Exchange Web Services listens on)
    Where it says TTL, leave at default 1 Hour or change to 1/2 Hour. 
  6. Click Finish.
  7. Be sure to click Save Changes to ensure the zone file changes are applied.

Wednesday, September 24, 2014

Lock down Exchange to receive only from GFIMaxMail servers

After adding a client to the GFIMAXMail email filtering service, you should lock down Exchange to only receive e-mail from GFIMAXMail servers to prevent spammers from bypassing the filtering.

  1. Open Microsoft Exchange Management Console.
  2. Open Server Configuration then Hub Transport.
  3. If using Microsoft Windows SBS2008 or SBS2011, find the default connector named Windows SBS Internet Receive SERVERHOSTNAME where SERVERHOSTNAME is the name of the server you are working on. Double left click on it to bring up the Properties window.
  4. Click on the Network tab.
  5. Under Receive mail from remote servers that have these IP addresses, remove all of the entries.
  6. Add the IP netblock for your LAN (ex. server IP address 192.168.16.3, so add 192.168.16.0/24).
  7. Add the following IP netblocks that correspond to GFIMAXMail's server clusters:
    • 174.36.154.0/24
    • 192.69.16.0/24
    • 192.69.17.0/24
    • 192.69.18.0/24
    • 192.69.19.0/24
    • 208.43.37.0/24
    • 208.70.88.0/24
    • 208.70.89.0/24
    • 208.70.90.0/24
    • 208.70.91.0/24
    • 5.10.67.0/24
    • 92.51.176.0/24
    • 94.186.192.0/24
  8. When finished adding IP address ranges to the Network tab, click Okay.
A better option would be to add an ACL on your firewall for all incoming Port 25 traffic and add the IP address ranges above, but not all firewalls support that type of granular control.
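
One way to check that the lockdown holds, as an added example that is not from the original post: the function below reads remote IPv4 addresses (one per line, for instance pulled from your SMTP receive logs) and prints every address that falls outside the netblocks from steps 6 and 7. The function name and the sample LAN block are assumptions; replace `192.168.16.0/24` with your own LAN range.

```shell
#!/bin/sh
# Added example, not from the original post.
# Netblocks from step 6 (example LAN) and step 7 (filtering service ranges).
ALLOWED_NETBLOCKS="192.168.16.0/24 174.36.154.0/24 192.69.16.0/24 \
192.69.17.0/24 192.69.18.0/24 192.69.19.0/24 208.43.37.0/24 \
208.70.88.0/24 208.70.89.0/24 208.70.90.0/24 208.70.91.0/24 \
5.10.67.0/24 92.51.176.0/24 94.186.192.0/24"

# outside_allowlist: read one IPv4 address per line on stdin and print each
# address that is NOT inside any allowed netblock. Unparsable lines are
# printed too, so they get looked at rather than silently passed.
outside_allowlist() {
    awk -v nets="$ALLOWED_NETBLOCKS" '
    function ip2int(ip,   o) {
        if (split(ip, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        n = split(nets, cidr, " ")
        for (i = 1; i <= n; i++) {
            split(cidr[i], p, "/")
            size[i] = 2 ^ (32 - p[2])              # addresses per block
            base[i] = int(ip2int(p[1]) / size[i])  # block number of the net
        }
    }
    {
        v = ip2int($1); ok = 0
        for (i = 1; i <= n && v >= 0; i++)
            if (int(v / size[i]) == base[i]) { ok = 1; break }
        if (!ok) print $1
    }'
}

# Constructed sample input:
#   printf '192.69.17.25\n203.0.113.9\n' | outside_allowlist
```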

Wednesday, June 25, 2014

Updating Microsoft Windows Small Business Server 2011 (SBS2011)

There are several important updates that need to be manually installed on Microsoft Windows Small Business Server 2011. Download the files below. Before installing them, perform a full server backup. Then install the updates in this order:

  1. Microsoft Windows Server 2008 R2 Service Pack 1
    (download the X64 file only as SBS2011 never came in X86/32-bit version).
  2. Microsoft Windows Small Business Server 2011, Update Rollup 4
    (optional but highly recommended)
  3. Microsoft Exchange Server 2010 Service Pack 3
  4. Microsoft Exchange Server 2010 Service Pack 3, Update Rollup 6
    (optional but highly recommended)
  5. Microsoft Sharepoint Foundation 2010 Service Pack 2
Recommended: reboot between each step and take a backup between each step.

You'll need a couple of hours for the average server to install all of the updates.