TP-Link TL-WR941N Firmware Update

For the test, I will update the TP-Link TL-WR941N 300Mb/s V2 router with firmware 3.12.5 Build 100929 Rel.57776n.

1) Let’s look at the hardware revision of the router; in my case it is V2, and it is for exactly that revision that we download the archive with the new firmware from the official site: the first link is for the 300 Mb/s model and the second for the 450 Mb/s one.

Speed limit on network interface using TC

I will give an example of limiting incoming speed to 3.3 Gb/s on a network interface on Ubuntu Server 16.04 (ingress policing):

/sbin/tc qdisc del dev ens2f0 parent ffff:
/sbin/tc qdisc add dev ens2f0 handle ffff: ingress
/sbin/tc filter add dev ens2f0 parent ffff: protocol ip prio 50 u32 match ip dst 0.0.0.0/0 police rate 3300mbit burst 330k mtu 30000 drop flowid 1:0

BGP. Channel Balancing on Quagga

I will give an example of balancing only incoming traffic with two channels using Quagga.

For the test, I will use Ubuntu 16.04.4 LTS and Quagga 0.99.24.1: the network interface ens1f0 faces the second provider with one neighbor, ens2f0 faces the first provider with two neighbors, and the local network is connected to ens2f1. Both providers announce a “default” route.
3.3.3.0/23 will be my network of public (“white”) IP addresses.

Directories with a large number of files

Once there was an interesting situation: millions of files had accumulated in a single directory, and some of them were needed.

When you try to list the files, you naturally get a long stall.
Alternatively, they can be viewed over FTP, which often has a standard limit of 10,000 displayed files; the FileZilla FTP client, for example, conveniently moves files between directories, but this option is slow, because time is spent on FTP requests while the load on the drive stays low.

If the files are not needed, you can delete them with the command (with a confirmation prompt for deletion):

rm -r /dir/

Or delete everything without a request along with the directory:

rm -rf /dir/

In my case, the small files were unnecessary, so after changing to the right directory I deleted everything smaller than the specified size with the command below:

cd /dir/
find -size -2 -type f -print -delete

Before deleting, you can count such files and the total number of files, but this is also a lengthy process:

find -maxdepth 1 -size -2 -type f -print | wc -l
find -maxdepth 1 -type f -print | wc -l

If, instead of -2, you specify 0, then only files of zero size, that is, empty files, will be deleted.

If you need to sort the files into directories, change to the directory with the files, create the necessary directories (for example, by date) and move the files by pattern (here, all files whose names begin with 2017; -maxdepth 1 means that subdirectories are not searched):

cd /dir/
mkdir 2017
find -maxdepth 1 -type f -name '2017*' -exec mv -vn -t /dir/2017 {} \+

The output of the command can be written to a file by appending “> file”, for example:

find -maxdepth 1 -type f -name '2017*' -exec mv -vn -t /dir/2017 {} \+ > /dir/dir/file.log
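
An added example (not from the original post): the same triage done from Python with os.scandir(), which streams directory entries instead of building and sorting the whole multi-million-entry list the way ls does. It reproduces the two steps above, counting or deleting files below a byte threshold and moving files with a given name prefix into a subdirectory without overwriting (mv -n); the threshold, prefix and sample directory are assumptions.

```python
import os
import shutil
import tempfile

def triage_directory(path, max_small_bytes=512, prefix="2017", delete_small=False):
    """One directory level, like find -maxdepth 1 -type f; returns counters."""
    counts = {"total": 0, "small": 0, "deleted": 0, "moved": 0}
    dest = os.path.join(path, prefix)
    os.makedirs(dest, exist_ok=True)  # mkdir 2017
    with os.scandir(path) as it:      # streams entries, no full listing in memory
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue  # subdirectories and symlinks are skipped, as -type f does
            counts["total"] += 1
            try:
                size = entry.stat(follow_symlinks=False).st_size
            except FileNotFoundError:
                continue  # vanished under us (busy directory); nothing to do
            if size < max_small_bytes:
                counts["small"] += 1
                if delete_small:  # find -size ... -delete
                    os.unlink(entry.path)
                    counts["deleted"] += 1
                    continue
            if entry.name.startswith(prefix):  # find -name '2017*' -exec mv -vn
                target = os.path.join(dest, entry.name)
                if os.path.exists(target):
                    continue  # mv -n: never overwrite an existing file
                shutil.move(entry.path, target)
                counts["moved"] += 1
    return counts

def entries(path, sub=""):
    """Sorted names in path/sub, used to check the result."""
    return sorted(os.listdir(os.path.join(path, sub)))

def build_sample_dir():
    """Constructed sample input: a temp dir with empty, small, large and 2017-* files."""
    d = tempfile.mkdtemp()
    files = {"empty.log": b"", "tiny.log": b"x" * 10, "big.log": b"x" * 4096,
             "2017-01-01.log": b"y" * 2048, "2017-backup.log": b"z" * 2048,
             "2016-12-31.log": b"w" * 2048}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    os.mkdir(os.path.join(d, "subdir"))  # must be skipped like -type f
    return d

if __name__ == "__main__":
    sample = build_sample_dir()
    print(triage_directory(sample, delete_small=True), entries(sample), entries(sample, "2017"))
```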

Access restriction to Ubiquiti over IP using Firewall

For the test, I’ll take the airMAX Rocket M5 sector antenna in bridge mode and the airMAX NanoBeam M5 client antenna in router mode.

First, restrict access to the client antenna.
Suppose it is connected to the sector antenna and has the IP address 192.168.110.40 facing the Internet (obtained via DHCP).
The administrator who should have remote access to it has IP 10.10.10.5; everyone else must be blocked.

So, go to the airMAX NanoBeam M5 web interface, open the “NETWORK” tab and next to “Configuration Mode:” select “Advanced”; more settings will then appear.
At the bottom, in the “Firewall” section, tick “Enable”.

Just below we add a rule specifying:
Target: DROP
Interface: WLAN0
IP Type: TCP
Source: 10.10.10.5 (the IP from which connections are allowed; also be sure to tick the box under the exclamation mark in front of it)
Port: leave empty
Destination: 192.168.110.40 (the antenna’s outward-facing IP)
Port: 22 (This is an SSH port, similarly, other rules are created to restrict access to the HTTP port – TCP 80, HTTPS – TCP 443, Telnet – TCP 23, SNMP – UDP 161, Discovery – UDP 10001)

As you can see, this rule blocks all TCP connections to port 22 on IP 192.168.110.40 arriving on the WLAN0 interface, and the check mark on ! before Source: 10.10.10.5 means that everything except this IP is blocked.

Click “Add”, then “Change” at the bottom and “Apply” at the top to apply the changes; after that the antenna will restart.

To limit access to the sector antenna, which is configured as a bridge, add the same rules, only for Interface: specify ANY (ALL).

Done.

After adding the rules and connecting to the device via SSH, you can see the following in its configuration:

ebtables.status=enabled
ebtables.1.status=enabled
ebtables.1.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 22 -j DROP
ebtables.1.comment=
ebtables.2.status=enabled
ebtables.2.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 80 -j DROP
ebtables.2.comment=
ebtables.3.status=enabled
ebtables.3.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 443 -j DROP
ebtables.3.comment=
ebtables.4.status=enabled
ebtables.4.cmd=-A FIREWALL -p 0x0800 --ip-protocol 17 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 161 -j DROP
ebtables.4.comment=
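
An added example, not part of the original post: a small audit script that parses ebtables lines from an airOS configuration dump like the one above and reports which of the management services named in the text (SSH, HTTP, HTTPS, Telnet, SNMP, Discovery) still lack an enabled DROP rule that exempts only the administrator's IP via the negated --ip-src. The sample configuration is the four rules shown above; the administrator IP and the port list are taken from the text, the service map is an assumption.

```python
import re
# Management services named in the text, keyed by (IP protocol number, port).
MGMT_PORTS = {(6, 22): "SSH", (6, 80): "HTTP", (6, 443): "HTTPS",
              (6, 23): "Telnet", (17, 161): "SNMP", (17, 10001): "Discovery"}

# Constructed sample: the status/cmd lines from the dump above.
SAMPLE_CONFIG = """\
ebtables.status=enabled
ebtables.1.status=enabled
ebtables.1.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 22 -j DROP
ebtables.2.status=enabled
ebtables.2.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 80 -j DROP
ebtables.3.status=enabled
ebtables.3.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 443 -j DROP
ebtables.4.status=enabled
ebtables.4.cmd=-A FIREWALL -p 0x0800 --ip-protocol 17 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 161 -j DROP
"""

def parse_rules(config_text):
    rules = {}  # rule index -> {status, proto, src, src_negated, dport, target}
    for line in config_text.splitlines():
        m = re.match(r"ebtables\.(\d+)\.(status|cmd)=(.*)$", line.strip())
        if not m:
            continue  # ebtables.status and other keys are not per-rule
        rule = rules.setdefault(int(m.group(1)), {})
        if m.group(2) == "status":
            rule["status"] = m.group(3)
            continue
        toks = m.group(3).split()
        for i, tok in enumerate(toks):
            if tok == "--ip-protocol":
                rule["proto"] = int(toks[i + 1])
            elif tok == "--ip-src":  # "!" before the address negates the match
                rule["src_negated"] = toks[i + 1] == "!"
                rule["src"] = toks[i + 2] if rule["src_negated"] else toks[i + 1]
            elif tok == "--ip-dport":
                rule["dport"] = int(toks[i + 1])
            elif tok == "-j":
                rule["target"] = toks[i + 1]
    return rules

def unprotected_ports(config_text, admin_ip="10.10.10.5/32"):
    """Services with no enabled DROP rule that exempts only admin_ip."""
    covered = set()
    for r in parse_rules(config_text).values():
        if (r.get("status") == "enabled" and r.get("target") == "DROP"
                and r.get("src_negated") and r.get("src") == admin_ip):
            covered.add((r.get("proto"), r.get("dport")))
    return sorted(name for key, name in MGMT_PORTS.items() if key not in covered)
```

Run against the dump above it reports Telnet and Discovery, the two services the text mentions but the shown rule set does not yet cover.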

See also my article:
Ubiquiti SSH control

Blocking social networks on Mikrotik routers

There are several ways to prohibit access to social networks and other sites on Mikrotik routers.

The first and most effective

method is to enable the web proxy, deny specific sites in it, and in the firewall, on the NAT tab, add a rule that redirects the required IPs to the web proxy.
Add a rule in IP – Firewall – NAT (Chain: dstnat, Protocol: tcp, Dst. Port: 80, Action: redirect, To Ports: 8080; in Src. Address or Src. Address List specify who should be sent to the web proxy).
Enable the web proxy by ticking IP – Web Proxy – Enabled and check that the port is 8080.
Add the sites that need to be blocked in IP – Web Proxy – Access (for example, Dst. Host: vk.com, Action: deny).

The second and one of the simplest

is to add a static DNS record; then no one connected to the router will be able to open the site.
To do this, click “IP” – “DNS” – “Add New”; in the “Name” field specify the site’s domain and in “Address” 127.0.0.1.
An example of adding via the command line:

ip dns static add name=youtube.com address=127.0.0.1
ip dns static add name=www.youtube.com address=127.0.0.1
ip dns static add regexp=".*\\.vk\\.com" address=127.0.0.1

The command to view static DNS records on the router:

ip dns static print

However, this restriction can be circumvented by manually setting a third-party DNS server on the computers, such as Google DNS – 8.8.8.8 and 8.8.4.4.

The third option

is to find out which IP addresses the site is hosted on, for example by typing nslookup vk.com in the Windows command line, and then block access to them for all or for specific users in the firewall. Instead of a heap of IP addresses you can specify a subnet, for example 87.240.131.0/24 (that is, IPs 87.240.131.1-254). On sites like “http://bgp.he.net/AS47541#_prefixes” you can see the IP address ranges owned by a company’s AS.
Example commands:

ip firewall filter add chain=forward src-address-list=socialnetworks action=drop comment="Social Network" disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.97 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.103 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.117 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.120 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.143.245 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.143.246 disabled=no

The fourth option

is through a layer 7 protocol (every packet in which the specified expressions occur will be dropped, so even chat messages containing these expressions can be blocked):

ip firewall layer7-protocol add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|odnoklasniki|facebook|youtube|loveplanet).*\$"
ip firewall filter add action=drop chain=forward comment="Block_social" layer7-protocol=social src-address-list=Block_social

See also my articles:
Blocking social networks on Cisco
Blocking social networks using iptables

Blocking social networks using iptables

Once, on one of the NAT servers, I needed to block some sites.

If a site is hosted on several IP addresses, you need to find out these IP ranges; for example, look up VKontakte on bgp.he.net, where the list of prefixes for one of the AS belonging to VK is at “http://bgp.he.net/AS47541#_prefixes”.

When networks or hosts are known, add rules for them in iptables, for example:

/sbin/iptables -A FORWARD -s 87.240.128.0/18 -j DROP
/sbin/iptables -A FORWARD -s 95.142.192.0/20 -j DROP

This way, we prohibit traffic from these networks from passing through the server.

See also my articles:
Blocking social networks on Cisco
Blocking social networks on Mikrotik routers

NetData installation

NetData is a monitoring system that displays real-time statistics in a web panel.

For the test, I will install NetData on Ubuntu 18.04 and Ubuntu 16.04.
Before installing, you can update the system:

sudo apt-get update
sudo apt-get upgrade

On Ubuntu 18.04 and newer, NetData is installed with the command:

sudo apt-get install netdata

After installation, the configuration will be in /etc/netdata/, the logs in /var/log/netdata/.

On Ubuntu 16.04 and older, you can install it as follows (it will be installed into /opt/netdata/):

sudo bash <(curl -Ss https://my-netdata.io/kickstart-static64.sh)

NetData can be restarted with the command:

sudo systemctl restart netdata

View status:

sudo systemctl status netdata
sudo ps ax | grep netdata

After installing NetData, you can immediately open it in a browser at http://HOST:19999
I recommend restricting access to TCP port 19999 right away, for example with iptables.