Brother MFC in Isolated Guest Network

I have already written how to poke holes in guest network for Chromecast and that method is sufficient for vast majority of devices. However, occasionally you might stumble upon device presenting a bit more challenge. One example is my Brother MFC-J475DW or better said pretty much anything in Brother’s MFC printer lineup.

In order to determine why my printer wouldn’t work despite explicitly allowing for its MAC address, I snooped all traffic using Wireshark. As I knew printer was using IPv4 address, that was my Wireshark filter (ip.version == 4).

After playing with printer for a while (trying printing, scanning, rebooting, etc.), I stopped snoop and started going over captured packets. One packet stood out from the bunch - it was a name query packet for something looking suspiciously like my printer’s name. That packet was broadcasted to my whole network from my computer. As that packet went unanswered, my PC though there is no printer.

Armed with that knowledge, firewall-start script can be adjusted not only to allow traffic from and to the MAC address belonging to the printer (as done for the Chromecast adventure) but also to allow broadcast traffic on the first 2.4 GHz guest WiFi interface:

echo "#!/bin/sh" > /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -p ARP -i ! eth0 -o wl0.1 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -s ^^34:68:95:A7:64:F5^^ ``-i wl0.1`` -o ! eth0 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -d ^^34:68:95:A7:64:F5^^ -i ! eth0 ``-o wl0.1`` -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -d ^^ff:ff:ff:ff:ff:ff^^ -i ! eth0 ``-o wl0.1`` -j ACCEPT" >> /jffs/scripts/firewall-start
echo "logger Poked hole for Brother MFC printer" >> /jffs/scripts/firewall-start
chmod a+x /jffs/scripts/firewall-start
reboot

PS: During snooping do close all other programs that are using network and try to keep any non-printer activity to a minimum. Makes snoop analysis much easier.

Goodbye OneDrive

Back when OneDrive service was offered for the first time, there were not many takers. You had DropBox with 2 GB and unmatched ease of use and you had Google Drive with whooping 15 GB of disk space. So Microsoft decided to one-up them and gave 15 GB to start with and then another 15 GB as a camera bonus. Both were given for free and without an expiry date. Later they would even give unlimited storage for Office 365 users. Something that was unmatched by any competitor.

Trouble started in October 2015 when Microsoft decided that new freebie users are to get 5 GB only and all existing users will be downsized. Following backlash, slight modification allowed users to opt-in for another year of existing limits. Guess what, that year is up and both free and camera roll bonuses are expiring.

For me personally this means going from 40 GB (5 GB base + 10 GB loyalty bonus + 10 GB free plan bonus + 15 GB camera roll bonus) to 15 GB (5 GB base + 10 GB loyalty bonus). Quite a big drop for something that originally didn’t have expiry date. Office 365 users are also going to see their unlimited data shrink to 1 TB.

Microsoft does offer 1 year of free Office 365 subscription for your inconvenience and that is actually not a bad offer if you intended to go Office 365 route anyhow. And they will not (at least for now) delete any files you have there even if you are over new limits. Your account is simply going to be placed in read-only mode until enough space is released.

In the light of this, all I can say is meh. Microsoft’s OneDrive has always been second-rate application (let’s not even get into its Metro version). It went through so many redesigns (remember placeholders?) through versions that I was always scared to update it. That is, back when you had a choice of whether to upgrade it or not. Last few Windows installs I haven’t even gone through the trouble of entering my credentials. I found that, for my workflow, only two cloud storage providers I need are DropBox and SpiderOak.

While DropBox has low storage limits for a free account (2 GB + 3 GB for camera), I still find its way of syncing between computers the most natural and painless one. I NEVER had any issues or data loss no mater what stupid thing I would do. You give it a folder and it just works. This is one program everybody in my family uses on both their computer and mobile device. No pain, just file synchronization done right.

Other excellent system is SpiderOak. It has even lower free offering (2 GB), its configuration is more involved, and syncing is annoyingly difficult to setup. However, there is a reason behind it. This is the only cloud storage that actually doesn’t have access to your data. All encryption is done on your computer(s) and all they ever see is encrypted data. If you ever store on cloud anything private, this is the system you should use and no other.

Between those two storage options, I simply have no need for OneDrive. Yes, Microsoft did fill a niche with their high free data allotment but those days are gone. Now they offer sync that is not as pleasant as with DropBox combined with lack of security you would get from SpiderOak. It is literally the worst of both worlds.

I will not say OneDrive was useless nor I will say I won’t ever use it again. Even with those cuts it still offers 15 GB for free and that is nothing to frown upon. And maybe with some new version they finally decide on design and how exactly to handle files not currently synced. And they might even solve one of their many sync problems.

All I will say is so long and thanks for all the fish. :)

Limiting Bandwidth on MAP Lite

As I wanted to have a separate wireless network for few of my IoT experiments and taking into consideration how secure IoT devices are (hint: not secure at all), I decided to go with a mini access point. Securing IoT gets much easier with a separate physical device.

Device had to be 2.4 GHz AP, allow for remote management, and cheap. One beautiful device matching all criteria was MikroTik mAP lite. Mikrotik devices are usually more of an European thing and, compared to other wireless devices, a bit harder to obtain in States. For example, I bought mine from ICD Group because Amazon didn’t carry any.

I haven’t used MikroTik for a while now but I remembered its WinBox interface fast enough. And I remembered how it saves its settings immediately thus punishing you for any error. It is definitely not the most friendly user interface nor I can call it excellent for beginners. But it is powerful enough to be worth learning.

Anyhow, with basic configuration done I wanted to limit upstream bandwidth toward my main router. From Queues menu I just added new queue, set Target to “ether1”, and assigned Max limit for both upload (256 kbit/s) and download (64 kbit/s). Short speed test later and I was confused. Speed wasn’t being restricted at all. And traffic figures were unreasonably low. Something weird was going on.

A bit of troubleshooting and I found the culprit. Once I changed in IP->Firewall the defcon entry from “fasttrack connection” to “accept”, my queue started limiting as it should.

The Best Western Twitter Experience

A month ago I went to visit some of the Washington state islands; San Juan, Whidbey, Fidalgo, and lot. As we don’t live in the immediate neighborhood and there are quite a few islands to visit, my family and I decided to book a hotel in Mt. Vernon. Best Western it is.

After a day full of boats and hiking we’ve finally arrived to the Best Western Plus Skagit Valley Inn and Convention Center in Mt. Vernon and were informed there is no water available. Frankly, the first idea at that moment was to cancel and go to another hotel. However, pleasant guy working the reception convinced us to stay - water is going to be available in 30 minutes. So we got our stuff to room regardless, went out for a diner, expecting to have shower after we are back. Yep, you’ve guessed it - no such luck.

But we were again assured water return was imminent. Few hours later we gave up on waiting and went for bed refreshed only by some wet towels my wife fortunately always carries. Yes, morning was water-less too with the same “almost there” statements. So we packed and went onto another day of hiking.

Once I got home and got a shower (finally), I’ve decided to tweet Best Western. And surprisingly got a reply pointing me toward e-mail to contact. And so I did.

It has been more than a month since and still there is no reply from Best Western. Not an apology, not an additional question, not saying I’m expecting too much. Absolutely nothing. Full silence.

And frankly that pisses me off. If they didn’t reply to my tweet, I would be ok with it - just another complaint lost in the sea. What they did was masterpiece: they publicly replied to tweet and then just “forgot” to follow up. They made an impression of solving their customer’s issue while doing no work at all. Even better, if somebody calls them on that, they can claim its other department’s fault. Public relations dream - keep appearance of being active while not fixing anything at all. :)

All said, not much changes for me. I wanted to get the story out and I did. I don’t intend to ask Best Western for anything nor will I accept anything. I don’t even want a refund - what’s payed is payed. I am even going to stay in Best Western again - this was the first major issue after staying in quite a few of them over the years. Hell, I still remember one in Vienna as my second home.

Maybe the only thing that will change is me treating words “we’re going to have it fixed in 30 minutes” as a signal to get away as fast as possible.

[2016-08-03: I did receive partial refund today to the tune $70 out of $150.]

Chromecast in Isolated Guest Network

My home network pretty much revolves around Asus RT-AC56U with Asuswrt-Merlin firmware. Nice, stable, and full of features. One feature I absolutely love is multiple isolated guests networks. And I do not use it only for guests.

While my computers are all in main network, all my devices (Chromcast, printer, IoT, …) are in guest network without any intranet access. They can get on Internet but they cannot access my internal network. Considering all is done on the same router, it is not ideal, but it does increase security considerably.

Initially one device presented some trouble. You see, to cast YouTube from my computer I had to have it in my main network. But I didn’t want to. I wanted it to be in isolated guest LAN together with all other devices. But I did want to access it from my internal network. Since the whole network isolation for guest networks is done via firewall rules, that meant it was time for some hole poking.

Prerequisite is to have Asus JFFS enabled. This will enable saving scripts so they can be executed upon startup. Yes, you can do it manually every boot but that gets old quite quickly. For the actual firewall setup, the only thing needed is MAC address of Chromecast device and we can make it an exception to the rule. I prefer to do it via script:

echo "#!/bin/sh" > /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -p ARP -o ! eth0 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -s ^^A4:77:33:33:48:85^^ -o ! eth0 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -d ^^A4:77:33:33:48:85^^ -i ! eth0 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "logger Poked hole for Chromecast" >> /jffs/scripts/firewall-start
chmod a+x /jffs/scripts/firewall-start
reboot

First rule pokes a hole through isolation in order to allow for ARP requests. Second two rules allow everything coming from and to specific MAC address. Everything else is a bit of plumbing making script run on router’s startup.

To make this a bit more secure, one might want to restrict this only to interface where device is actually located. Every router firmware might do things a bit differently but guest networks on mine were setup in a reasonable fashion. They all followed formal wlX.Y where X was 0 for 2.4 GHz guest networks and 1 for 5 GHz. Y was number between 1 and 3 directly corresponding to guest network index.

Since my Chromecast device was first guest network in 5 GHz range, its designation was wl1.1 and thus hole could be made a bit smaller:

echo "#!/bin/sh" > /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -p ARP -i ! eth0 ``-o wl1.1`` -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -s ^^A4:77:33:33:48:85^^ ``-i wl1.1`` -o ! eth0 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -d ^^A4:77:33:33:48:85^^ -i ! eth0 ``-o wl1.1`` -j ACCEPT" >> /jffs/scripts/firewall-start
echo "logger Poked hole for Chromecast" >> /jffs/scripts/firewall-start
chmod a+x /jffs/scripts/firewall-start
reboot

To make these firewall rules even stricter, one can also restrict ARP to allow only certain IPs but I will leave this as an exercise for some other time.

PS: Using pretty much the same basic procedure one can get any device accessible to other isolated guest networks. This is not only nice for Chromecast but really useful for getting printer working too.