I will give an example of updating the BIOS P80 on the HP ProLiant DL320e Gen8 v2 server.
Update is necessary through iLO4.
Continue reading “Update BIOS P80 on HP ProLiant DL320e Gen8 v2”
Vyacheslav Gapon – personal blog, manuals, articles, notes, development
Once I noticed problems with a link on different Mimosa B5.
The link went up and down at 1000Mbps every 5-10 seconds; as a result, the customers had degraded traffic and pings dropped out.
Continue reading “Solving the problem with a link to Mimosa B5”
For the test, I will update the TP-Link TL-WR941N 300Mb/s V2 router with firmware 3.12.5 Build 100929 Rel.57776n.
1) Check the hardware revision of the router (in my case it is V2) and download the archive with the new firmware for exactly that revision from the official site; the first link is for the 300Mb/s model and the second for the 450Mb/s model.
Continue reading “TP-Link TL-WR941N Firmware Update”
For the test, I’ll take the airMAX Rocket M5 sector antenna in bridge mode and the airMAX NanoBeam M5 client antenna in router mode.
First, restrict access to the client.
Suppose that it is connected to the sector and has the IP address 192.168.110.40 (obtained via DHCP), which faces the Internet.
The IP of the administrator who should have remote access to it is 10.10.10.5; everything else must be blocked.
Go to the airMAX NanoBeam M5 web interface, open the “NETWORK” tab and select “Advanced” next to “Configuration Mode:”; more settings will then appear.
At the bottom, under “Firewall”, tick “Enable”.
Just below we add a rule specifying:
Target: DROP
Interface: WLAN0
IP Type: TCP
Source: 10.10.10.5 (the IP from which connections are allowed; be sure to tick the box under the exclamation mark in front of it)
Port: leave empty
Destination: 192.168.110.40 (the antenna IP that faces outward)
Port: 22 (this is the SSH port; rules for the other services are created the same way: HTTP – TCP 80, HTTPS – TCP 443, Telnet – TCP 23, SNMP – UDP 161, Discovery – UDP 10001)
As you can see, this rule blocks all TCP connections to port 22 of the WLAN0 interface on IP 192.168.110.40, and the tick under ! before Source: 10.10.10.5 means that everything except this IP is blocked.
Click “Add”, then “Change” at the bottom and “Apply” at the top to apply the changes; after that the antenna will restart.
To limit access to the sector antenna, which is configured as a bridge, add the same rules, but specify ANY (ALL) for Interface.
Done.
After adding the rules, you can connect to the device via SSH and see the following in the configuration:
ebtables.status=enabled
ebtables.1.status=enabled
ebtables.1.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 22 -j DROP
ebtables.1.comment=
ebtables.2.status=enabled
ebtables.2.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 80 -j DROP
ebtables.2.comment=
ebtables.3.status=enabled
ebtables.3.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 443 -j DROP
ebtables.3.comment=
ebtables.4.status=enabled
ebtables.4.cmd=-A FIREWALL -p 0x0800 --ip-protocol 17 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 161 -j DROP
ebtables.4.comment=
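A way to check such a configuration against the list of management ports named above, as an added example that is not part of the original article: it reads the ebtables.N.* keys and reports which services are really limited to the administrator's IP. The function names and the sample configuration are constructed for illustration, and only per-port DROP rules of the form built in the article are recognised.

```python
import re

# Management services the article lists: name -> (IP protocol number, port).
MGMT = {"ssh": (6, 22), "http": (6, 80), "https": (6, 443),
        "telnet": (6, 23), "snmp": (17, 161), "discovery": (17, 10001)}

# Constructed sample in the key=value form shown above, not a real device dump.
_R = ("-A FIREWALL -p 0x0800 --ip-protocol {p} --ip-src {s} "
      "--ip-dst 192.168.110.40/32 --ip-dport {d} -j DROP")
SAMPLE_CFG = "\n".join([
    "ebtables.status=enabled",
    "ebtables.1.status=enabled",
    "ebtables.1.cmd=" + _R.format(p=6, s="! 10.10.10.5/32", d=22),
    "ebtables.2.status=enabled",
    "ebtables.2.cmd=" + _R.format(p=6, s="! 10.10.10.5/32", d=80),
    "ebtables.3.status=disabled",   # rule exists but is switched off
    "ebtables.3.cmd=" + _R.format(p=6, s="! 10.10.10.5/32", d=443),
    "ebtables.4.status=enabled",    # "!" missing: only the admin is dropped
    "ebtables.4.cmd=" + _R.format(p=17, s="10.10.10.5/32", d=161),
])

def field(cmd, flag):
    """Return (value, negated) for one ebtables option, e.g. '--ip-src ! a.b.c.d/32'."""
    m = re.search(re.escape(flag) + r"\s+(!\s+)?(\S+)", cmd)
    return (m.group(2), bool(m.group(1))) if m else ("", False)

def host(addr):
    """Strip a /32 suffix so '10.10.10.5/32' compares equal to '10.10.10.5'."""
    return addr[:-3] if addr.endswith("/32") else addr

def audit(cfg, admin_ip, device_ip):
    """Map each management service to True if all sources but admin_ip are dropped."""
    rules, covered = {}, set()
    for line in cfg.splitlines():
        m = re.match(r"ebtables\.(\d+)\.(status|cmd)=(.*)", line.strip())
        if m:
            rules.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    if "ebtables.status=enabled" not in [l.strip() for l in cfg.splitlines()]:
        rules = {}                  # firewall globally off: nothing is enforced
    for r in rules.values():
        cmd = r.get("cmd", "")
        src, negated = field(cmd, "--ip-src")
        proto, port = field(cmd, "--ip-protocol")[0], field(cmd, "--ip-dport")[0]
        if (r.get("status") == "enabled" and field(cmd, "-j")[0] == "DROP"
                and negated and host(src) == admin_ip
                and host(field(cmd, "--ip-dst")[0]) == device_ip
                and proto.isdigit() and port.isdigit()):
            covered.add((int(proto), int(port)))
    return {name: key in covered for name, key in MGMT.items()}
```

Any service reported as False is either missing a rule, has its rule disabled, or has a rule without the ! on the source.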
See also my article:
Ubiquiti SSH control
There are several ways to prohibit access to social networks and other sites on Mikrotik routers.
The first method is to enable the web proxy, deny the specific sites in it, and add a rule on the NAT tab of the firewall that sends the necessary IPs to the web proxy.
Add a rule in IP – Firewall – NAT (Chain: dstnat, protocol: tcp, Dst. Port: 80, Action: redirect, To Ports: 8080; in Src.Address or Src.Address List specify who needs to be sent to the web proxy).
Enable the web proxy by ticking IP – Web proxy – Enabled, and check that the port is 8080.
Add the sites that need to be blocked in IP – Web proxy – Access (for example, Dst.Host: vk.com, Action: deny).
The second method is to add a static DNS record, after which nobody connected to the router will be able to open the site.
To do this, click “IP” – “DNS” – “Add New”, specify the domain of the site in the “Name” field and 127.0.0.1 in the “Address” field.
An example of adding via the command line:
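# exact-name records
ip dns static add name=youtube.com address=127.0.0.1
ip dns static add name=www.youtube.com address=127.0.0.1
# pattern record for subdomains of vk.com (backslashes doubled for the console)
ip dns static add regexp=".*\\.vk\\.com" address=127.0.0.1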
The command to view static DNS records on the router:
ip dns static print
However, this prohibition can be circumvented by manually registering a third-party DNS server on computers, such as Google DNS – 8.8.8.8 and 8.8.4.4.
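To see which names a set of static records like the one above actually covers, here is an added example that is not from the original article. It models the lookup under two assumptions: a name= entry matches only that exact name, and a regexp= entry is an unanchored search over the queried name. The command lines and function names are constructed for illustration.

```python
import re
import shlex

# Constructed command lines in the form used above; regexp= holds a pattern
# entry and the doubled backslashes are RouterOS console escaping.
CMDS = r'''
ip dns static add name=youtube.com address=127.0.0.1
ip dns static add name=www.youtube.com address=127.0.0.1
ip dns static add regexp=".*\\.vk\\.com" address=127.0.0.1
'''

def parse_static(cmds):
    """Turn 'ip dns static add k=v ...' lines into a list of dicts."""
    entries = []
    for line in cmds.strip().splitlines():
        tokens = shlex.split(line)          # also undoes the \\ escaping
        if tokens[:4] == ["ip", "dns", "static", "add"]:
            entries.append(dict(t.split("=", 1) for t in tokens[4:] if "=" in t))
    return entries

def resolve(entries, qname):
    """Address the router would answer with, or None if the query goes upstream.

    Assumptions: name= is an exact, case-insensitive match; regexp= is an
    unanchored search over the queried name.
    """
    q = qname.rstrip(".").lower()
    for e in entries:
        if e.get("name", "").lower() == q:
            return e["address"]
        if "regexp" in e and re.search(e["regexp"], q):
            return e["address"]
    return None

def not_covered(entries, hostnames):
    """Hostnames from the list that the static records do not sinkhole."""
    return [h for h in hostnames if resolve(entries, h) is None]
```

In this model the pattern .*\.vk\.com covers subdomains but not the bare vk.com, and the two youtube.com records leave every other subdomain unanswered; a pattern such as ^(.*\.)?vk\.com$ covers the domain and its subdomains and nothing else.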
The third method is to find out which IP addresses the site resolves to, for example by typing nslookup vk.com in the Windows command line, and then block access to them in the firewall for all users or for specific users. Instead of a heap of individual IP addresses, you can specify a subnet, for example 87.240.131.0/24 (that is, IPs 87.240.131.1-254). On sites like “http://bgp.he.net/AS47541#_prefixes” you can see the ranges of IP addresses that belong to a company's AS.
Example commands:
ip firewall filter add chain=forward src-address-list=socialnetworks action=drop comment="Social Network" disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.97 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.103 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.117 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.120 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.143.245 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.143.246 disabled=no
The fourth method is to match through a layer-7 protocol (all packets in which the specified expressions occur will be dropped, so even chat messages that contain the expressions can be blocked):
ip firewall layer7-protocol add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|odnoklasniki|facebook|youtube|loveplanet).*\$"
ip firewall filter add action=drop chain=forward comment="Block_social" layer7-protocol=social src-address-list=Block_social
See also my articles:
Blocking social networks on Cisco
Blocking social networks using iptables
I will describe the procedure for installing the Huawei iManager U2000 NMS server software on a Windows Server:
1) Run the file install.bat as administrator.
2) Copyright. We read and agree with the license agreement by selecting “I accept the terms”.
Continue reading “Installing Huawei iManager U2000 NMS on Windows Server”
For the test, I will update iLO4 on the HP ProLiant DL380p G8 server with iLO version 1.13 (Nov 08 2012), as well as on several other servers: ProLiant DL360p Gen8, ProLiant DL320e Gen8 v2, etc.
To update iLO, there is no need to restart the server.
For the test, I will update BIOS P70 on the HP ProLiant DL380p Gen8 server.
I will perform the update through iLO4.
At the time of this writing, the server had BIOS version 03/01/2013, and I downloaded version 24/05/2019 from the official site.
First you need to download the latest BIOS firmware from the official site support.hpe.com; in the search, enter “HPE ProLiant DL180 G6 Server”.
Continue reading “BIOS update on the HP ProLiant DL180 G6 server”
For example, I’ll take a FoxGate S6224-S4 switch; on other models, the configuration is almost the same.
First, enable the dhcp snooping function:
ip dhcp snooping enable
Continue reading “Blocking DHCP servers on FoxGate switches”