Ubiquiti Unifi with Sophos UTM Firewall (VM) on VMware ESX with Netgear Switches and multiple SSID/VLANS

Wow.. That title 🙂

So.. My home environment consists of an ESX server running several VMs including a Sophos UTM firewall. I also have several ancient but quite usable Netgear switches, a GS716T and a GS724T. I also had 3 quite old 802.11n wireless access points providing 2 separate networks within our relatively small home. The other thing was that even though 2 of the access points are on the same network to provide coverage, I used separate SSIDs which we manually had to switch between because automatic handoff was problematic and simply bad.

This quick guide does not explain:

  • Basic networking
  • ESX and Building VM’s
  • Sophos UTM Firewall
  • Setup of your firewall, routing, nat and rule set
  • Setup of DHCP per vlan

2 of these access points (D-Link DIR-645) were to give coverage at each end of the house and worked OK, but had to be manually switched between on each device. Annoying.

1 was to provide coverage for the kids' tablets.

After having some issues, needing to power cycle the kids' AP several times a day and general connectivity issues, I decided it was time to upgrade my wifi around the place.

The criteria I had was:

  • I wanted to provide multiple networks on each access point
  • I wanted to provide better coverage in the house
  • I wanted to provide coverage in our backyard area
  • I wanted seamless roaming between each access point on all networks

So, I purchased a Ubiquiti UniFi AP-AC-LR unit for in the house and a UniFi AP-AC-Mesh unit to mount outside on my shed facing into the back yard area.

Given the coverage issues with 2 802.11n DIR-645s I wondered how I would go with just 1 AP in the house, but thought I could give it a go and always buy a 2nd later if I needed it. Turns out I didn't.

I installed the UniFi controller software on a VM and then installed the UniFi app https://play.google.com/store/apps/details?id=com.ubnt.easyunifi&hl=en on my phone. The app is excellent and shows great information. You can configure nearly everything from it once you have it installed and talking to your controller.

I then connected the AP through the included PoE injector and powered it up. As I plugged it into my 'home' VLAN with my PC and existing gear it was detected immediately, and I was able to update the firmware to the latest, set a static IP for the LAN connection and start playing with it.

Issues!

As I mentioned at the top I wanted to support multiple VLANs for my environment. A breakdown of these are:

  • vlan 5 – Home Lan (Also default, where my home PC’s live)
  • vlan 10 – Home Wifi Network (where all our wireless devices will live)
  • vlan 11 – Visitor Wifi Network (Visitors who come over)
  • vlan 66 – Kids Wifi Network (Lots of limits on bandwidth, time, sites)

Initially I rushed in, didn't do much RTFM. I am a techhead after all and this is just easy networking. Sure, well, the simple things caught me out rushing late at night, and from googling I found many other people were having similar problems. Like all good google sessions I ended up going to bed thinking I might need to buy some new switches, as many people reported issues with Netgear switches and Ubiquiti just like me and that they wouldn't work together. Well, a testament to resting on a problem: I fixed the issue in literally 5 minutes the next day when I thought clearly, with 0 problems. There were NO problems using my very old Netgear switches with modern Ubiquiti devices at all.

PVID is important! Here's the gotcha.

The AP's management (LAN) traffic is untagged, so it lands in whatever VLAN the switch port's PVID points at. For the controller to discover and adopt the AP, that PVID must put the AP in the same VLAN as the controller, i.e. the same PVID on both ports in your switch config. If you have this right, your controller will be able to connect and configure your AP. If you don't, the AP sits there powered up and the controller never sees it. (UniFi can also adopt across routed networks via an inform URL or DHCP option 43, but the same-VLAN setup is the simplest and is what this guide covers.)

Here’s the config on my GS724T

The Basic VLAN definitions:

The PVID settings. This is where the port for your controller and the port for every access point MUST have the SAME PVID. This is the part that confuses people and causes connectivity issues.

In my example, my controller VM is on vlan5 which is also set to PVID 5 and plugged into g12, with the Access Point physically plugged into port g19.  You will note that they are both set to PVID 5.  This could be any PVID setting, and maybe your default lan is PVID 1, this is very normal, just make sure they are both the same.

Here’s the port settings for each VLAN on the Switch:

The ones relevant here are VLAN 5, which is untagged on the ports with my desktop equipment. Note in particular g12 and g19: along with the same PVID, both are untagged ports for VLAN 5. This is what lets the controller talk to the access point.

Vlan 10 – Wifi Home – TAGGED on Port 19:

Vlan11 – Wifi Visitors – TAGGED on Port 19:

Vlan 66 – Wifi Kids – TAGGED on Port 19:

Now, what this does is give g19, which is physically connected to the AP through the PoE adapter, the following settings:

PVID 5, VLAN 5 untagged, VLANs 10, 11 and 66 tagged (802.1Q trunked)

This is exactly what you need: untagged VLAN 5 for controller connectivity, plus VLANs 10, 11 and 66 carried as 802.1Q tags on g19 for the SSIDs. Note that wireless clients on the tagged VLANs have no path into VLAN 5 (where the PCs and the controller live) except through the Sophos UTM, which is where the rules separating them belong.

Configuring the AP

So now we have the switch configured we need to configure the AP Wired and Wireless Networks to suit.

First of all, each WIRED network has to be defined. In my example you will note the LAN network is the default and cannot be given a VLAN; all you can do is set the IP subnet, which in my case for VLAN 5 is 192.168.1.1/24 (the controller's gateway/subnet field). This is why the AP must be on the same PVID and untagged VLAN as your controller. (I note this is a complained-about issue with Ubiquiti, so this limitation might be removed in a future update.)

You then have to define all the other networks with their relevant VLAN assignment, as per my example here for the Kids network:

You can then add the Wireless Networks to suit and also set the same vlan assignment as shown again for the Kids Network below:

Once you have this defined your Access Point will be broadcasting all 3 SSID’s as separate wireless networks as shown by my phone
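The switch and controller steps above boil down to a handful of invariants: the controller port and the AP port share a PVID, that PVID is the one untagged VLAN on each, and every SSID's VLAN is tagged (not untagged, not missing) on the AP port. The following is an added example, not code from the original post or from Ubiquiti or Netgear: a small Python checker over a hand-built model of the GS724T port layout described above (g12 for the controller/ESX uplink, g19 for the AP, VLANs 5/10/11/66). The Port class, check_ap_port and the two scenario functions are the example's own names; the "broken" scenario reproduces the classic mistake of setting VLAN memberships but leaving the AP port's PVID at the factory default of 1.

```python
"""Sanity-check an 802.1Q switch port layout against a UniFi-style SSID->VLAN plan.

Added example, not part of the original post. The port table and SSID plan
are constructed to mirror the post's GS724T layout; helper names are the
example's own, not a Netgear or Ubiquiti API.
"""
from dataclasses import dataclass, field

# Constructed SSID -> VLAN plan, as in the post.
SSID_VLANS = {"Wifi Home": 10, "Wifi Visitors": 11, "Wifi Kids": 66}


@dataclass
class Port:
    name: str
    pvid: int
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)


def check_ap_port(ap: Port, controller: Port, ssid_vlans: dict) -> list:
    """Return a list of problems; an empty list means the AP can be adopted
    over L2 and every SSID has a tagged VLAN to land in."""
    problems = []

    # 1. Untagged frames arriving on a port are placed in its PVID VLAN, so
    #    the PVID must be the port's (single) untagged VLAN, or replies come
    #    back tagged and the untagged management traffic goes nowhere.
    for p in (ap, controller):
        if p.pvid not in p.untagged:
            problems.append(f"{p.name}: PVID {p.pvid} is not untagged on the port")
        if len(p.untagged) > 1:
            problems.append(f"{p.name}: more than one untagged VLAN {sorted(p.untagged)}")

    # 2. The AP's management traffic is untagged, so its PVID must match the
    #    controller's for L2 discovery and adoption to work.
    if ap.pvid != controller.pvid:
        problems.append(
            f"PVID mismatch: {ap.name}={ap.pvid} vs {controller.name}={controller.pvid}")

    # 3. Each SSID's VLAN must be tagged on the AP port; untagged or missing
    #    means clients get no DHCP or end up in the management VLAN.
    for ssid, vlan in ssid_vlans.items():
        if vlan == ap.pvid:
            continue  # an SSID on the management VLAN rides the untagged PVID
        if vlan in ap.untagged:
            problems.append(f"{ssid}: VLAN {vlan} is untagged on {ap.name}; it must be tagged")
        elif vlan not in ap.tagged:
            problems.append(f"{ssid}: VLAN {vlan} is not tagged on {ap.name}")

    # 4. A VLAN both tagged and untagged on one port is a configuration error.
    overlap = ap.tagged & ap.untagged
    if overlap:
        problems.append(f"{ap.name}: VLANs both tagged and untagged {sorted(overlap)}")
    return problems


def working_config() -> list:
    """The post's layout: g12 and g19 both PVID 5 / VLAN 5 untagged,
    SSID VLANs tagged on g19. Expected: no problems."""
    controller = Port("g12", pvid=5, untagged={5})
    ap = Port("g19", pvid=5, untagged={5}, tagged={10, 11, 66})
    return check_ap_port(ap, controller, SSID_VLANS)


def broken_config() -> list:
    """Constructed mistake: memberships set but g19's PVID left at 1, and the
    kids' VLAN not tagged. Expected: three problems."""
    controller = Port("g12", pvid=5, untagged={5})
    ap = Port("g19", pvid=1, untagged={5}, tagged={10, 11})
    return check_ap_port(ap, controller, SSID_VLANS)


if __name__ == "__main__":
    print("working:", working_config() or "OK")
    for problem in broken_config():
        print("broken:", problem)
```

Run it as-is to see the two scenarios; to check your own switch, fill in a Port per switch port from the VLAN membership and PVID pages and the SSID plan from the controller's wireless network settings. The check is deliberately switch-agnostic; it models the 802.1Q rules, not any vendor's web UI.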

I repeated the same configuration on the Netgear GS716T switch in the shed and plugged in the UniFi AP-AC-Mesh unit. Bingo, all 3 SSIDs and networks are broadcasting there as well.

With my phone I was able to connect to each wireless network. Streaming a video while walking from inside the house to way out in the backyard, the phone roamed from access point to access point without skipping a beat, with a great signal anywhere I went.

I also used another app on my phone called Wifi Analyzer ( https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=en) to see what was happening as per below.

This is a general scan of the 2.4GHz channels. As we live quite a way from others, we're lucky to have a pretty much free 2.4GHz range available, so standing in my kitchen I can see both access points on Channel 1 and Channel 6. You will note both are showing the 3 SSIDs and networks.

This screenshot shows the 3 networks again, and also that there are multiple frequencies available for each SSID.

In this screenshot I expanded the Wifi Network SSID and it now shows me all the channels that this network is available on.  You can see that Channel 1 (2.4Ghz) and Channel 149 (5Ghz) are the strongest as I’m standing in the Kitchen closest to the AP in the house.  The other two on Channel 6 and Channel 36 are from the access point outside on my shed.

I know I said this wasn't about setting up the firewall etc, but here's a look at how the VLANs appear on the status page of my Sophos UTM. All nicely separated and doing their own thing, with firewall rules separating them from each other and from the internet 🙂

The coverage of the 1 UniFi AP-AC-LR in the house is enough to cover completely inside the house and even outside, the mesh unit giving that extra boost outside.  These units are brilliant and absolutely run rings around the older AP’s I had.  Highly recommended.

Total success, very happy.  Note the Cat5 cable is showing as I’m yet to mount it on the ceiling 🙂


Using OpenDNS to Filter the Internet for Kids

Do you have Kids and worry what they might come across on the Interwebs?

Like a lot of us, I have kids.. kids that are starting to use the internet, and whilst parental supervision is THE best option, it's not always a reality that you will be looking over your kids' shoulder 24/7.

A lot of technically savvy people have known for many years that names on the internet such as http://www.news.com.au rely on the Domain Name System (DNS) to convert the word-based name into a numeric address, much like a phone book.

Some crafty malware/virus makers cottoned onto this too: by getting access to a DNS server (or the answers it hands out) and inserting a forged address, they can redirect a browser opening http://www.news.com.au to a totally different fake site. For years people had been told 'don't click on links, type them in yourself to be safe', but with a poisoned DNS server that approach still lands you on a fake site, which can be used to trick you into giving away private information.

What you can do on your own computer is manipulate DNS lookups by editing the local hosts file which gets checked BEFORE DNS in normal practice but this means you have to be technically savvy, maintain it yourself or run a piece of software to do it.

Is there an easier way!??! YES.. https://www.opendns.com/

It’s absolutely FREE and there’s no ongoing fiddling and tech knowledge required.

OpenDNS lets you change your Internet settings so that, instead of using the DNS servers your ISP hands out automatically when you connect, your devices ask OpenDNS's servers instead. OpenDNS maintains categorised lists of sites and lets you choose which categories to filter, at different levels!

You can set different filtering levels (customizable). For my daughter's iPad I have it set to maximum, and whilst she's not even looking for anything questionable at her age, it's a nice thing to have anyway.

(Screenshot: OpenDNS filtering categories)

Note that you can add your own blocked domains, so when you find something that isn’t blocked you can add it yourself.

You can see overall statistics:

(Screenshot: OpenDNS statistics)

(Screenshot: OpenDNS statistics, total requests)

You can also see a list of blocked domains (there's some obvious adult content I was using here to test it was working):

(Screenshot: OpenDNS domain blocks)

How do you set this up?

First of all, go to the http://www.opendns.com website and signup an account, this costs nothing.

Next, once you have this setup you need to just use the OpenDNS DNS servers for your DNS lookups.  Whooo wait.. that sounds technical.

Look, I'm not going to explain how to do this for every platform, but I can help by telling you to use either Google or YouTube to search for the correct question. What you want to type is 'how to change DNS settings on X', with X being your operating system (such as Windows 7, Windows 8.1, iPad, etc).

On a Windows machine, setting your Internet-connected interface to the OpenDNS servers looks like this:

(Screenshot: OpenDNS IP settings)

Any DNS lookup that goes through the operating system's resolver is now answered by OpenDNS, and the result depends on the filtering settings you have set.

As an example, I set my DNS to 208.67.222.222 and 208.67.220.220 and tried to open http://www.boobs.com with Internet Explorer.

Behind the scenes, my request to open the web page needs to be converted into an address, so my computer asks the OpenDNS servers for the address of http://www.boobs.com. At this point, as I have High filtering set, which covers adult sites, OpenDNS answers with the address of its block page instead of the real site. Nice!

(Screenshot: OpenDNS block page)

Final

Again ADULT Supervision is by far the best way to protect your children from things you do not want them to experience on the internet.

Using OpenDNS servers is by no means foolproof. Not every site is categorised, and it is not hard to get around: a device pointed at any other DNS server sidesteps the filtering entirely, so don't be lulled into thinking this is a complete solution.

So why do this? It's free, it does work, and if anything it's great to see the statistics generated so simply, so at the very least you can review what your child HAS been looking at, as every DNS lookup is listed.

I say why not? I have this configured on my daughter's iPad and it works a treat as an addition to parental supervision.
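The weak point noted above, that the filtering only holds while the device actually sends its lookups to OpenDNS, is something a gateway can watch for. The following is an added example, not code from the original post or from OpenDNS: a Python routine that scans firewall forwarding log lines for DNS traffic (port 53, and 853 for DNS-over-TLS) from the kids' VLAN that is not headed for the two OpenDNS resolvers the post uses. The log lines are constructed in a generic netfilter-style "SRC= DST= PROTO= DPT=" layout; the real Sophos UTM log format is not shown on this page, so the regex is an assumption to adapt. The function name find_dns_bypass is the example's own.

```python
"""Flag LAN clients whose DNS traffic is not going to OpenDNS.

Added example, not part of the original post. SAMPLE_LOG is constructed in a
generic netfilter-style format; adapt LOG_RE to your gateway's real log layout.
"""
import re
from collections import defaultdict

# The two OpenDNS Home resolvers used in the post.
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Plain DNS and DNS-over-TLS. DNS-over-HTTPS (443) cannot be told apart from
# web traffic by port alone and needs a resolver blocklist or TLS inspection.
DNS_PORTS = {53, 853}

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

# Constructed sample: .20 behaves, .31 has been pointed at other resolvers.
SAMPLE_LOG = """\
Jan 10 20:01:02 fw kernel: FORWARD IN=eth0.66 OUT=eth1 SRC=192.168.66.20 DST=208.67.222.222 PROTO=UDP SPT=51000 DPT=53
Jan 10 20:01:03 fw kernel: FORWARD IN=eth0.66 OUT=eth1 SRC=192.168.66.20 DST=208.67.220.220 PROTO=UDP SPT=51001 DPT=53
Jan 10 20:01:05 fw kernel: FORWARD IN=eth0.66 OUT=eth1 SRC=192.168.66.31 DST=8.8.8.8 PROTO=UDP SPT=40000 DPT=53
Jan 10 20:01:06 fw kernel: FORWARD IN=eth0.66 OUT=eth1 SRC=192.168.66.31 DST=1.1.1.1 PROTO=TCP SPT=40001 DPT=853
Jan 10 20:01:07 fw kernel: FORWARD IN=eth0.66 OUT=eth1 SRC=192.168.66.31 DST=93.184.216.34 PROTO=TCP SPT=40002 DPT=443
"""


def find_dns_bypass(log_text: str) -> dict:
    """Map each client IP to the set of 'dst:port' DNS destinations it used
    that are not OpenDNS. Clients that only talk to OpenDNS are absent."""
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a forwarding record we understand
        dpt = int(m.group("dpt"))
        if dpt not in DNS_PORTS:
            continue  # ordinary traffic, not DNS
        dst = m.group("dst")
        if dst in OPENDNS_RESOLVERS:
            continue  # lookup went where the filter expects
        offenders[m.group("src")].add(f"{dst}:{dpt}")
    return dict(offenders)


if __name__ == "__main__":
    for client, targets in find_dns_bypass(SAMPLE_LOG).items():
        print(f"{client} is bypassing OpenDNS via {sorted(targets)}")
```

Feed it your gateway's forwarding log for the kids' VLAN. Anything it reports is a device (or an app with its own resolver) that has been reconfigured away from OpenDNS; the lasting fix is a firewall rule on the gateway that redirects all outbound port 53 from that VLAN to the OpenDNS addresses and drops 853, rather than relying on per-device settings.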

Posted in OpenDNS, Web Filtering

Ubiquiti UniFi Video Install on ESXi 5.5 U1 using Ubuntu Server 14.04.1 LTS

I have been wanting to setup a Ubiquiti UniFi Video server as a Virtual machine with Ubuntu Server 14.04.1 LTS for a while.    After looking about for some time I shortened down all the googling and reading into a very quick step guide.  Hopefully this is helpful to someone to get up and going quickly.

Note: I've used the joe editor rather than vi, because I can. To install it just issue:

sudo apt-get install joe

else use whatever editor you like in place of joe.

Get Keys for the Ubiquiti Install:

# The key is fetched over plain HTTP, so nothing protects it in transit.
# Check its fingerprint (e.g. gpg --with-fingerprint unifi-video.gpg.key)
# against the one Ubiquiti publishes before trusting it with apt.
wget http://www.ubnt.com/downloads/unifi-video/apt/unifi-video.gpg.key
sudo apt-key add unifi-video.gpg.key

Add install source to /etc/apt/sources.list:

## Ubuntu
deb [arch=amd64] http://www.ubnt.com/downloads/unifi-video/apt trusty ubiquiti

Update apt with installation information:

sudo apt-get update

If that completes without errors, issue the following to install:

sudo apt-get install unifi-video

Install VMWare Tools:

Go to Virtual Machine > Install VMware Tools (or VM > Install VMware Tools).

sudo mkdir /mnt/cdrom
sudo mount /dev/cdrom /mnt/cdrom    # or: sudo mount /dev/sr0 /mnt/cdrom
ls /mnt/cdrom
tar xzvf /mnt/cdrom/VMwareTools-x.x.x-xxxx.tar.gz -C /tmp/
cd /tmp/vmware-tools-distrib/
sudo ./vmware-install.pl -d

Note: The -d switch assumes that you want to accept the defaults. If you do not use -d, press Return to accept each default or supply your own answers.

Set Static IP address:

sudo joe /etc/network/interfaces

# iface eth0 inet dhcp    (commented out to disable DHCP)
iface eth0 inet static
address x.x.x.x
network x.x.x.0
netmask 255.255.255.0
broadcast x.x.x.255
gateway x.x.x.1
dns-nameservers x.x.x.x

Reboot Server:

sudo reboot

Access Ubiquiti Video from https://ip.address:7443/

Voila!  Quick and simple VM setup of a Ubiquiti NVR

Remote SSH connect to your Server for Admin work:

sudo apt-get install openssh-server
sudo /etc/init.d/ssh restart

Note: if you want to change the port, or (better) turn off password logins in favour of keys with PasswordAuthentication no, edit /etc/ssh/sshd_config and restart ssh again.

Now you can use PuTTY or whatever your favourite terminal software is to connect via SSH (port 22). Keep both 22 and 7443 reachable from your LAN only; neither needs to be exposed to the internet.

Posted in Linux, Ubiquiti, Ubuntu, UniFi Video, VMware

P2V an old Physical SUSE Linux 9.3 Server to a Virtual Machine on ESXi 5.1 Server

Today I had an old physical machine running SUSE Linux 9.3 which had died and the mission was to P2V if possible and get running in ESXi 5.1 as a virtual machine.

In a nutshell the P2V was simple, working out how to make the system work and boot in ESXi 5.1 was a little harder.

These are the steps I took:

1) Booted the old VMware Cold Convert 3.0.3 ISO. I prefer this method for a very old piece of hardware and Linux OS rather than some of the newer conversion methods. Tried and true; it's unfortunate VMware killed off the old Cold Convert method, imo.

2) Ran the P2V process across the network to a writable share on a Windows 8.1 machine

3) Created a Helper VM in VMWare Workstation 10 of SUSE Linux then added the vmdk from the P2V to the Virtual Machine.

Note the reason for the Helper VM for doing this was because if you boot the existing P2V the machine will fail booting looking for hard disk volumes.  Using the helper VM resolved this.

4) I then used VMware Workstation 10 to convert the VM to vmx-09 so it would run in ESXi (the P2V disk format was v6) and uploaded the VM to my ESXi environment.

Note I tried creating the helper VM in ESXi and simply uploading the P2V vmdk file, but the machine refused to boot with such an old version vmdk.  Using workstation to up-convert it worked perfectly.

5) Powered on the VM and Voila, system boots perfectly.

6) Todo – Install the VMWare tools and ensure that the NIC works properly.

Posted in P2V, SUSE, VMware

Installing VMWare Tools on Ubuntu 12.04.3 LTS in VMWare ESXi 5.1U1

So you want to use the VMware Tools in your freshly created VM running on ESXi, you go to install the Tools and get an error. This is a problem for many people these days, as resolving it via the console is a battle and a cause of dread.

This is what you see in the vSphere Client:

(Screenshot: UbuntuTools1, the vSphere Client error)

This is not a linux tutorial, I will assume you know how to log onto Ubuntu console via vSphere or using a utility like Putty.

1) Obtain and import the VMware Packaging Public Keys by fetching the *.pub files from the http://packages.vmware.com/tools/keys directory with wget:

wget -r -l1 --no-check-certificate http://packages.vmware.com/tools/keys

(This is a quick and dirty way to recursively download the files, but it works 🙂 . The URL is plain http, so --no-check-certificate only has an effect if the server redirects to https, and then it turns off the certificate check entirely; the safer habit is to leave it out and fix any certificate problem instead.)

cd into the packages.vmware.com/tools/keys folder it creates and run 'ls -la'; you should see the two .pub files you need:

2) Add both keys using ‘sudo apt-key add /key_path/key_name’

Eg: ‘sudo apt-key add ./VMWARE-PACKAGING-GPG-XXX-KEY.pub’

Where XXX is DSA or RSA. You should get prompted for your password and it confirms with a simple OK.

Make sure you issue this command for each of the .pub files.

3) Create /etc/apt/sources.list.d/vmware-tools.list and put this on a single line:

deb http://packages.vmware.com/tools/esx/5.1u1/ubuntu precise main

Eg:

cd /etc/apt/sources.list.d

sudo vi vmware-tools.list

(Remember with vi you need to press i to start inserting text; when you're done press Escape then :wq, which tells vi to write the file and quit.)

4) Issue the ‘sudo apt-get update’ command to update the local cache

5) Issue the ‘sudo apt-get install vmware-tools-esx’ command it will ask you to confirm, I would assume Y would be your response here

Voila, much googling and experimenting is over very quickly, you should now see this and be able to control the VM via vSphere for shutting down, etc.

(Screenshot: UbuntuTools2, VMware Tools now shown as running in the vSphere Client)

Hope this helps someone.

Some helpful documents and pages that helped me assemble this into brief form:

VMware Operating System Specific Packages (OSPs): https://www.vmware.com/support/packages

Manually Download VMWare Tools ISO Image: http://www.vmwarearena.com/2013/09/manually-download-vmware-tools-iso-image.html

Posted in Ubuntu, VMware