Isolating Mikrotik LAN Ports

For a home project of mine, I have decided on Mikrotik’s hEX PoE lite due to its awesome capability to power other devices.

Outside of PoE, I needed a standard Internet router - WAN on port 1 and LAN on the other ports - but with a twist. I wanted to have the LAN ports isolated from each other while still being able to access the WAN. Something that you get as a checkbox on almost any wireless box turned out to be actually non-existent.

However, the beauty of a more manageable (and more complicated) device is that you can define a lot of the functionality yourself. For this particular scenario, the solution was in adjusting the firewall.

To set up the firewall, the easiest way is to connect via WinBox and open a New Terminal. There we can just execute the following commands:

/ip firewall filter
add action=accept chain=forward connection-state=established comment="Allow established"
add action=accept chain=forward connection-state=related comment="Allow related"
add action=accept chain=forward out-interface=ether1 comment="Allow WAN"
add action=drop chain=forward comment="Drop everything else"

The first two rules allow any established and related connection unconditionally. The third one allows anything going out to the WAN interface. Packets coming back in through that interface will have to belong to an established or related connection, so there is no reason for another accept rule there. The final rule drops all other traffic.

With just these four rules, all LAN ports are isolated while still being capable of Internet access.
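To see what each kind of packet gets from those four rules, here is a small first-match simulator of the forward chain. It is an added example, not RouterOS code or anything from the original post; the interface names and the sample packets are constructed, and the rule table mirrors the four rules above so you can add a line and see the effect.

```shell
#!/bin/sh
# Added example: first-match evaluation of the four forward-chain rules above.
# Interface names (ether1 = WAN, ether2..ether5 = LAN) and packets are constructed.
set -eu

# Rule table in chain order: <connection-state> <out-interface> <action>, "-" = any.
# This mirrors the RouterOS rules; edit it to experiment (e.g. add "invalid - drop" first).
RULES='established - accept
related - accept
- ether1 accept
- - drop'

# Evaluate one packet against RULES. Like a RouterOS chain, the first matching
# rule decides; if nothing matches, the chain's default policy (accept) applies,
# which is why the explicit final drop rule matters.
forward_verdict() {         # $1 = in-interface, $2 = out-interface, $3 = connection-state
  while read -r m_state m_out action; do
    if { [ "$m_state" = - ] || [ "$m_state" = "$3" ]; } &&
       { [ "$m_out" = - ] || [ "$m_out" = "$2" ]; }; then
      echo "$action"
      return 0
    fi
  done <<EOF
$RULES
EOF
  echo accept
}

# Walk through the cases the text argues about (constructed packets).
for pkt in "ether2 ether1 new" \
           "ether1 ether2 established" \
           "ether1 ether3 related" \
           "ether2 ether3 new" \
           "ether1 ether2 new" \
           "ether2 ether1 invalid"; do
  set -- $pkt
  printf '%-6s -> %-6s %-11s : %s\n' "$1" "$2" "$3" "$(forward_verdict "$1" "$2" "$3")"
done
```

The LAN-to-LAN and WAN-to-LAN new connections land on the final drop, while LAN-to-WAN and the replies pass, as described. The last line of the walk-through shows that a packet with connection-state invalid bound for the WAN is accepted by the third rule, which is why firewalls of this shape usually put a drop for connection-state=invalid ahead of it. One more thing to check on a real unit: if the LAN ports are members of a bridge, traffic between them is switched at layer 2 and does not pass /ip firewall at all unless the bridge setting use-ip-firewall is turned on.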

BSOD When Starting VirtualBox

Ever since I upgraded Windows 10 to build 14931, whenever I tried to run VirtualBox, a blue screen crash would happen. Worse still, I only had “The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.” in the Event Viewer. As the old joke goes: absolutely correct, but still useless.

To make things even worse, under known issues for the release there was “Oracle VM VirtualBox will crash on launch after upgrading to this build.” So I gave up and tried to install VMware Player. I mean, not all third-party virtualization software can be broken.

Guess what, VMware wouldn’t start either. However, there was no crash, but a slightly cryptic message about something called Device Guard and a link to a knowledge base article. While my issues didn’t closely match the described ones, the article did put my sights on Hyper-V.

After going into Turn Windows features on or off and disabling Hyper-V, followed by a reboot, I could start VirtualBox once more.

I haven’t gone into further troubleshooting - it just wasn’t worth it. For one, I do not use Hyper-V on my laptop, so turning it off didn’t hurt me. And, as I am running insider builds, I am sure that, by the time this build comes to the slow ring, there will be some workaround on either the Microsoft or the Oracle side. In any case, my problem is solved.

[2016-10-11: Yep, new update 14942 broke VirtualBox again - now even this workaround doesn’t work. Although at least VMWare works with this release.]

Fair Use

Well, it was good while it lasted; today I got information from Comcast that they’ll start to enforce a 1 TB usage limit starting November 1st.

The explanation given for this is the standard “fair use” sermon - those who use more should pay more. Given the human notion of fairness and the fact that 1 TB is quite high, it is easy to agree with their words. However, this is all bullshit. It is just another word for a $50 price hike.

You see, in order to keep unlimited bandwidth you just need to add $50 extra to your current $100+ cost. If you don’t and you accidentally go overboard, you pay $200 more. So, for $150 (to take the cheapest plan) you have no worries that you might pay $300. It sounds more like a racket than fairness to me - pay me money to prevent something bad happening to you.

If fairness in the compensation for traffic were the primary goal, and Comcast is stating $50 extra would cover the unlimited portion, then the fair thing would be to charge those $50 only to users that go over 1 TB. Auto-upgrade them for that month and that’s it. And, while you are at it, if a user spends only 100 GB, return him $50. I mean, it is only fair that the ones that use less pay less.

Guess what, an option to pay less is not in Comcast’s plan. Nor is there any option to roll over “unused” data from the previous month. And no, you cannot actually verify Comcast’s usage meter for accuracy. I know that my own router shows a difference of 15% as compared to Comcast’s meter. Guess in which direction. ;)

And yes, this might sound like bickering when I have a huge 1 TB allocation that I generally don’t reach anyhow. But 100 GB seemed like a huge amount too in the times before Netflix. Considering that video is going 4K and that more and more services are up on the Internet, a year or two from now 1 TB will be easily reachable. Heck, if you back up stuff on the Internet (e.g. SpiderOak), you are essentially one crash away from it.

Of course, by that time, everybody will be on the new unlimited plan, paying $50 of “protection money”. At some point that plan will have enough people on it that the old “limited” plan will be retired. However, some users will use more data than the others, so a new limit of 5 TB will be instituted with an option to pay $100 to make it unlimited… History repeating itself at its best.

HamCheck 1.20

I am getting into the age when memory is not what it used to be. That is the only excuse I have for missing the 2016 release of the Extra Class ham exam question pool by 3 months.

So, you’ve guessed it, this update includes the latest US amateur radio exam questions for Extra class alongside the unchanged General and Technician pools.

The newly added Extra pool has a total of 712 questions. As before, there is a Technician pool consisting of 426 questions and the General Class pool with 462 questions.

This program still remains one of the rare ones with keyboard-only operation and high-DPI support, and you can download the new version here.

Setting Up Private Internet Access on Mint, 2016 Edition

I have already written about getting Private Internet Access running on Linux Mint back in 2013. It was for the then-current version 16 and it still works. However, there are some possible improvements to be made.

As the OpenVPN client is installed by default these days, we only need to download PIA’s OpenVPN configuration files. More careful readers will notice these files are slightly different from the recommended default: they have the VPN server IP instead of a DNS name. While this might cause long-term issues if that IP ever changes, it does help a lot with the firewall setup, as we won’t need to poke a hole for DNS over our eth0 adapter.

From the downloaded archive, select the .ovpn file for the desired destination (usually going with the one closest to you gives the best results) and also get both the .crt and the .pem file. Copy them all to your desktop; we’ll use them later for setup. Yes, you can use any other directory too - this is just the one I prefer.

With this done, we can go on to configuring the VPN from a Terminal window:

sudo mv ~/Desktop/*.crt /etc/openvpn/
sudo mv ~/Desktop/*.pem /etc/openvpn/
sudo mv ~/Desktop/*.ovpn /etc/openvpn/client.conf

sudo sed -i 's|^ca |ca /etc/openvpn/|' /etc/openvpn/client.conf
sudo sed -i 's|^crl-verify |crl-verify /etc/openvpn/|' /etc/openvpn/client.conf

echo "auth-user-pass /etc/openvpn/client.login" | sudo tee -a /etc/openvpn/client.conf
echo "mssfix 1400" | sudo tee -a /etc/openvpn/client.conf
echo "dhcp-option DNS 209.222.18.218" | sudo tee -a /etc/openvpn/client.conf
echo "dhcp-option DNS 209.222.18.222" | sudo tee -a /etc/openvpn/client.conf

echo "^^username^^" | sudo tee -a /etc/openvpn/client.login
echo '^^password^^' | sudo tee -a /etc/openvpn/client.login

sudo chmod 500 /etc/openvpn/client.login
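The steps above are fine typed once, but they are not safe to repeat (every run appends the directives again) and they leave no check that client.conf points at files that exist before openvpn is started. The script below does the same preparation as functions and adds that check. It is an added example, not part of the original post or of PIA's files; the directory, the .ovpn fragment and the credentials are constructed placeholders.

```shell
#!/bin/sh
# Added example: prepare a PIA-style OpenVPN client config like the steps above,
# but idempotently, with the credentials file created restrictive from the start,
# and with a consistency check before the first connection attempt.
# The sample .ovpn fragment and every path below are constructed for illustration.
set -eu

# Rewrite the relative "ca" / "crl-verify" file names into absolute paths under
# $2. Anchored at line start so only those two directives are touched.
absolutize_cert_paths() {   # $1 = config file, $2 = directory holding the .crt/.pem
  sed -i "s|^ca |ca $2/|; s|^crl-verify |crl-verify $2/|" "$1"
}

# Append a directive only if that exact line is not already present, so running
# the setup twice does not stack duplicates the way a plain ">>" would.
ensure_directive() {        # $1 = config file, $2 = directive line
  grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Create the credentials file with a restrictive umask instead of writing it
# world-readable first and fixing the mode afterwards; openvpn runs as root, so
# read-only for the owner (400) is enough.
write_login_file() {        # $1 = path, $2 = username, $3 = password
  (umask 077; printf '%s\n%s\n' "$2" "$3" > "$1")
  chmod 400 "$1"
}

# Sanity check before starting openvpn: ca, crl-verify and auth-user-pass must
# each name an absolute path that exists, and there must be a remote line.
check_client_conf() {       # $1 = config file; returns 0 when everything is consistent
  for d in ca crl-verify auth-user-pass; do
    path=$(awk -v d="$d" '$1==d {print $2; exit}' "$1")
    case $path in
      /*) [ -e "$path" ] || { echo "missing file for $d: $path" >&2; return 1; } ;;
      *)  echo "$d is missing or not an absolute path: '$path'" >&2; return 1 ;;
    esac
  done
  grep -q '^remote ' "$1" || { echo "no remote line" >&2; return 1; }
  return 0
}

# Self-contained demo on a constructed .ovpn fragment in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/client.conf" <<'EOF'
client
dev tun
proto udp
remote 1.2.3.4 1198
ca ca.rsa.2048.crt
crl-verify crl.rsa.2048.pem
EOF
touch "$demo_dir/ca.rsa.2048.crt" "$demo_dir/crl.rsa.2048.pem"   # stand-ins for PIA's files
absolutize_cert_paths "$demo_dir/client.conf" "$demo_dir"
ensure_directive "$demo_dir/client.conf" "auth-user-pass $demo_dir/client.login"
ensure_directive "$demo_dir/client.conf" "mssfix 1400"
ensure_directive "$demo_dir/client.conf" "mssfix 1400"      # second call is a no-op
write_login_file "$demo_dir/client.login" "p0000000" "example-password"
check_client_conf "$demo_dir/client.conf" && echo "client.conf is consistent; safe to try openvpn"
cat "$demo_dir/client.conf"
```

On a real system the directory would be /etc/openvpn and the functions would be run under sudo. One thing the check cannot tell you: on Linux, openvpn does not apply the dhcp-option DNS lines by itself; they only take effect through an up script (Debian-based systems ship /etc/openvpn/update-resolv-conf for this, enabled with script-security 2 and an up/down pair), so without one your resolver stays whatever it was before the tunnel came up.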

Now we can test our VPN connection:

sudo openvpn --config /etc/openvpn/client.conf

Assuming that this last step ended with Initialization Sequence Completed, we just need to verify whether this connection is actually used, and I’ve found whatismyipaddress.com quite helpful here. Just check whether the IP detected there is different from the IP you usually get without the VPN.

Stop the test connection using Ctrl+C so we can configure automatic startup and test it.

echo "AUTOSTART=all" | sudo tee -a /etc/default/openvpn
sudo reboot

Lastly, you can think about the firewall and disabling the default interface when the VPN is not active. This means allowing traffic only on the tun0 interface (VPN) and, elsewhere, only port 1198 (it used to be 1194).

sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0
sudo ufw allow out 1198/udp
sudo ufw enable

Assuming all went well, VPN should be happily running.

PS: For nitpickers, you can actually make the firewall for the VPN a bit stricter. This assumes 1.2.3.4 is the address of your VPN destination (check client.conf under remote) and that your network interface is eth0 (check with ip addr).

sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0
sudo ufw allow out on eth0 proto udp to 1.2.3.4 port 1198
sudo ufw enable
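Rather than copying 1.2.3.4 and 1198 by hand, the strict rule set can be derived from the remote lines that client.conf actually contains; this also catches the case the earlier section warns about, a config that uses a host name instead of an IP, which these rules would leave unresolvable because DNS is not allowed out. The script below prints the ufw commands for review instead of running them. It is an added example, not from the original post; the sample configs and the interface names are constructed.

```shell
#!/bin/sh
# Added example: generate the strict ufw rule set from client.conf's own
# "remote" and "proto" lines. Output is printed for review, not executed.
# Sample configs and interface names are constructed for illustration.
set -eu

# Print the commands that deny everything except the tunnel itself and the
# OpenVPN path to each remote on the given physical interface.
ufw_rules_from_conf() {     # $1 = client.conf, $2 = physical interface (e.g. eth0)
  conf=$1; iface=$2
  proto=$(awk '$1=="proto" {print $2; exit}' "$conf")
  case ${proto:-udp} in      # "udp", "udp4", "tcp-client", ... -> udp or tcp
    tcp*) proto=tcp ;;
    *)    proto=udp ;;
  esac
  echo "sudo ufw reset"
  echo "sudo ufw default deny incoming"
  echo "sudo ufw default deny outgoing"
  echo "sudo ufw allow out on tun0"
  # One rule per remote. The port falls back to OpenVPN's default 1194 when the
  # remote line omits it. A host name gets a comment instead of a rule: ufw
  # wants an address, and these rules do not let DNS out to resolve it.
  awk -v iface="$iface" -v proto="$proto" '
    $1 == "remote" {
      port = ($3 != "") ? $3 : 1194
      if ($2 !~ /^[0-9.]+$/)
        printf "# SKIPPED: remote %s is a host name; put its IP in client.conf (DNS is blocked here)\n", $2
      else
        printf "sudo ufw allow out on %s proto %s to %s port %s\n", iface, proto, $2, port
    }' "$conf"
  echo "sudo ufw enable"
}

# Demo on a constructed config with one IP remote and one host-name remote.
demo_dir=$(mktemp -d)
cat > "$demo_dir/client.conf" <<'EOF'
client
proto udp
remote 1.2.3.4 1198
remote vpn.example.invalid 1198
EOF
ufw_rules_from_conf "$demo_dir/client.conf" eth0
```

Review the output, then apply it with something like ufw_rules_from_conf /etc/openvpn/client.conf eth0 | sh once it matches what you expect. Keep in mind that this, like the rules above, blocks DNS on eth0 entirely, so name resolution must come through the tunnel once it is up.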

[2017-08-18: Newer guide is available for Linux Mint 18.]