• Setting up WAN Failover on a USG

    For many years, I've been intrigued by routers that have cellular backup to maintain connectivity when the primary Internet goes down. I've never pursued setting this up as my Internet connection has been quite reliable with downtime measured in hours over the last few years. The cost to set this up could never be justified for my home setup.

    One of the features of the latest UniFi Controller is the ability to turn an unused Ethernet port on the USG into a WAN failover port. This is a great addition for an enterprise-class router, but overkill for my needs.

    About a year ago I purchased a HooToo Travel Router to experiment with setting up a VPN when I travel. I had some success with it, but ultimately gave up and have just been using it as a battery for other devices. I've been reading forums about the Mobley and saw that the Mobley could be tethered to a router and not just used as a hotspot. Now I had a mobile hotspot and a router that maybe I could put together to be a WAN failover.

    The forums talking about the Mobley mentioned router firmware called ROOter that supports various routers and modems. There happened to be firmware for a router similar to my portable router, so I decided to give it a try. Worst case is that I'd brick the router and this exercise would be over.

    After a bit of fiddling, I got everything working. The steps below detail what I did. There are a large number of steps, but they're pretty simple. There should be very few, if any, changes for different LTE modems.

    1. I grabbed firmware for the HooToo TripMate Nano router.
    2. I then flashed the firmware onto the router. This is going to vary based on the current firmware on the router.
    3. Select the ROOter SSID on your computer. Use the default WiFi password of rooter2017.
    4. Go to Safari and enter 192.168.1.1.
    5. Click Login.
    6. Click on "Go to password configuration..."
    7. Enter a password and confirm it.
    8. Click SAVE & APPLY at the bottom of the page.
    9. On the left side, click on Network and then Interfaces.
    10. Next to LAN, click on EDIT.
    11. For the IPv4 address, enter 10.10.10.1 (it has to be a different subnet than the hotspot and I like this numbering scheme). At the bottom of the page, click SAVE & APPLY.
    12. The router will apply the settings and knock you off the network. I did have to disconnect from WiFi and reconnect to get assigned a new IP address.
    13. In Safari, connect to 10.10.10.1. Login.
    14. On the left side, select DHCP and DNS.
    15. Enter 8.8.8.8 and 8.8.4.4 for DNS Forwardings. Click SAVE & APPLY at the bottom.
    16. On the left side, select WiFi under Network and then click EDIT next to ROOter.
    17. Change the ESSID to whatever you want.
    18. Click on Wireless Security.
    19. Change Encryption to WPA2-PSK. Change the Key as well. Click SAVE & APPLY.
    20. You'll have to reconnect to WiFi for the new SSID that you just set.
    21. Power on the Mobley. It can't be plugged into the USB port of the TripMate, as the Mobley has a separate micro USB port that is used for tethering.
    22. On the Mobley, peel off the little cover on one side to reveal a micro USB port.
    23. On the left side of the interface, click on Modem and then Connection Info.
    24. Enter broadband next to APN and click SAVE.
    25. Plug in a micro USB cable from the router to the Mobley.
    26. On the left side, click on Network Status. Wait a little bit until the connection is established. Once connected, it will look like this.
    27. You may also want to set up Connection Monitoring, which will attempt to reconnect the modem in case of network failure.
    28. Plug in an Ethernet cable from the router to the VOIP port (or LAN2 depending on the model) of the USG.
    29. On the UniFi Controller, set up the VOIP port to be WAN2. Wait for the USG to re-provision.
    30. Click on the devices icon and select the USG.
    31. Select WAN2 and enter DNS settings. I've used Google's DNS, 8.8.8.8 and 8.8.4.4.
    32. Make sure Load Balancing is set to Failover Only and then click QUEUE CHANGES. Then click APPLY CHANGES.

    In order to verify that things are working, SSH into the USG using your admin username and password.

    Type show load-balance status and you'll see something like this:

        Group wan_failover
          interface   : eth0
          carrier     : up
          status      : active
          gateway     : x.x.x.x
          route table : 201
          weight      : 100%
          flows
              WAN Out : 624
              WAN In  : 0
            Local Out : 2
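    As an added check that is not part of the original post, the following Python parses the `show load-balance status` output and reports whether the primary WAN is still carrying traffic. The sample text is constructed from the block above; the second interface (eth2 as WAN2, reporting `failover` while it stands by) is an assumption about how EdgeOS lists the secondary member of the group.

```python
import re

# Constructed sample modelled on the `show load-balance status` output above;
# the second interface (eth2, the USG's WAN2 port) is an assumption.
SAMPLE_STATUS = """\
Group wan_failover
  interface   : eth0
  carrier     : up
  status      : active
  gateway     : x.x.x.x
  route table : 201
  weight      : 100%
  flows
      WAN Out : 624
      WAN In  : 0
    Local Out : 2

  interface   : eth2
  carrier     : up
  status      : failover
  gateway     : 10.10.10.1
  route table : 202
  weight      : 0%
"""

def parse_load_balance(text):
    """Return {group: {interface: {field: value}}} from EdgeOS-style output."""
    groups, group, iface = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^Group (\S+)", line)
        if m:                       # new load-balance group
            group = groups.setdefault(m.group(1), {})
            continue
        m = re.match(r"^\s*([\w ]+?)\s*:\s*(.*)$", line)
        if not m or group is None:  # e.g. the bare "flows" header
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "interface":      # fields that follow belong to this interface
            iface = group.setdefault(value, {})
        elif iface is not None:
            iface[key] = value
    return groups

def failover_state(groups, group="wan_failover", primary="eth0"):
    """'primary' if the primary WAN carries traffic, 'failover' if only the
    backup does, 'down' if no interface in the group is active."""
    active = [n for n, f in groups.get(group, {}).items() if f.get("status") == "active"]
    return "primary" if primary in active else ("failover" if active else "down")
```

    Feed it the output captured over SSH from a periodic job and you get a simple signal for when the USG has flipped over to the Mobley, which is easy to miss otherwise since clients keep working.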
  • A new diet

    Several years ago I wrote that I went gluten free to help with some intestinal issues. Doing that combined with my ulcerative colitis medicine has kept me in check for a while. Unfortunately things changed earlier this year and my colitis acted up.

    When I was fighting my latest flare-up, my wife suggested I look at changing my diet again. She is a great wife and did research to see what diets could help people with ulcerative colitis. She found the Specific Carbohydrate Diet and while it seemed quite restrictive, I felt like I didn't have any other choice. I started this diet about three months ago and have been quite good at closely sticking to it. The basic gist of the diet is to eliminate grains, beans, and complex sugars. Looking at my diet prior to this, I had been eating a lot of grains, beans and definitely a lot of complex sugars!

    The hardest part of the diet started out being the sugars as I love sweets. I've replaced sugars with lots and lots of fruit as well as nuts. Luckily I live in San Diego and fresh fruit is pretty plentiful all year round. Going to the store is a different experience as I closely look at labels and look for things that really shouldn't exist in my food such as sugar in the Kirkland Salsa or rice in the crunchy snap peas.

    One side effect that is probably pretty obvious is that I lost over 10 pounds on this diet, not that I needed to.

    People have asked me if I feel better because of the diet. I guess the diet and the medication have made me feel normal again. I've always had a lot of energy and been pretty fit so that hasn't changed. I have no plans to get off this diet as it seems to be agreeing with me. Watching what I put in my body is definitely not a bad thing and has made me more closely examine the labels for foods to see what hidden ingredients lie in our processed foods.

  • Review: Running Buddy smartphone pouch

    For many years, I've been using a Wahoo Fitness Sportband to hold my iPhone when I run. I've replaced it a few times and try my best to keep it in good shape. It appears that rinsing it after I run and adjusting the strap caused my last one to wear out prematurely. I can't say that I've been disappointed with it, but when I heard a recommendation for the Running Buddy on MacBreak Weekly, I figured I'd give it a try.

    The Running Buddy is a pouch that clips to my shorts using very powerful magnets. The pouch holds my iPhone 6s pretty snugly and the magnets ensure that it won't move. When I first put my phone in the pouch and started running, I had my doubts about it as I thought my phone would fall. It was a weird feeling having the pouch on my waist. After a few miles of running, I forgot that I was still wearing it. One thing to note about the pouch is that if your shorts aren't tight, then the pouch with your phone will pull down your shorts!

    I've been running with the pouch for a few weeks and I can't quite say if having the phone on my arm or on my waist is better. The pouch is slightly more comfortable as I don't have pressure on my arm, but the pouch rubs against my stomach. The armband's neoprene got quite disgusting because of the sweat. The different material of the pouch seems like it would repel sweat better.

    I'm going to keep using the pouch as I'm starting to get used to how it feels.

    Pros

    • Convenient way to hold iPhone while running.
    • No unsightly tan lines on my arm.
    • No pressure on my arm.
    • Material is easy to wipe off and doesn't appear to retain sweat.

    Cons

    • Feels kind of weird on my waist.
    • At first it feels like it is going to fall off.
    • Can't glance at information on screen.
    • Unknown longevity as the part that comes in contact with my waist and shorts gets covered in sweat.
    • Material rubs against my abdomen and could cause irritation.

    Summary

    This case is an interesting solution to holding my phone. For people walking, I can definitely recommend it if you don't have pockets or the pockets aren't convenient. For runners, I think it takes getting used to and if you don't like armbands, it is definitely worth a try.

  • Dealing with the IoOT

    No, the title is not a typo. I'm coining the acronym Internet of Outdated Things! I've written in the past about keeping devices updated and the recent KRACK attack brings this issue back to the forefront. I've already updated my UniFi access points and am waiting for updates from Apple and Amazon for clients that I have connecting over WiFi. The only other devices that I have on my WiFi network are a few old SlimDevices Squeezeboxes.

    These Squeezebox Radios are now over 5 years old, but still going strong. All our music in the house is streamed through 3 other Squeezebox devices that are hard wired, so I'm not concerned about those. Since Logitech stopped supporting these devices several years ago, I can't realistically expect to get a firmware update to fix this WiFi issue. However, should I just toss the devices because I can't get a firmware update? For some devices I'd take the opportunity to upgrade, but our music system has been running so well for so long that I'm not going to touch it. Where does that leave me? While the KRACK attack is mostly theoretical right now and the attacker must be in close proximity, I decided I had to figure out a way to mitigate this just for my own peace of mind.

    I decided to start with the work I documented last year on blocking my IP cameras from talking to the Internet and modify it for this situation. This is a little different because I only want the Squeezebox devices talking to my Media Center running the Logitech Media Server and I want the devices to be able to talk to the Internet in order to stream music. Unlike last year, this exercise is all being done in the UniFi controller since I'm using a USG and UniFi access points.

    So let's begin:

    1. In the UniFi controller, go into Settings and select Networks.
    2. Click on Create New Network.
    3. Enter a name for the network; I chose Music.
    4. Leave it on Corporate and LAN1.
    5. Enter a VLAN number; I chose 1006 and then enter the gateway as 10.0.6.1/24 or something similar depending on your network. Click on Update DHCP Range.
    6. You can enable DHCP guarding if you like so that only the USG is recognized as a DHCP server.
    7. Click Save.
    8. Click on Wireless Networks and then Create New Wireless Network.
    9. Name the new network and turn on WPA Personal Security with a Security Key.
    10. Select Use VLAN and enter the VLAN you setup before.
    11. Click on Advanced Options and then on MAC Filter (note this may not be in all versions of the controller software).
    12. Whitelist your devices that you want to connect (this is not necessary and MAC addresses can be spoofed, but it can't hurt).
    13. Click Save.
    14. Click on Routing & Firewall, Firewall, and then Select Groups. These groups will be used later in the firewall rules.
    15. Click Create New Group. Set it up as a Port group with 53, 123, and 67 as the ports. Name it DNS_NTP_DHCP.
    16. Click Save.
    17. Click Create New Group. Make it an Address group containing 10.0.0.0/8 and then click Save.
    18. Click Create New Group. Make it an Address group containing 10.0.1.100, or whatever the address of your Logitech Music Server is. Click Save.
    19. Click Create New Group. Make it a Port group with 9090, 3483, and 900 as the ports. Click Save.
    20. Click on Rules and then LAN Local.
    21. Click Create New Rule.
    22. Configure this rule to allow DNS, NTP, and DHCP requests from the Squeezebox devices to the router. Select UDP, New/Established/Related. Then select the Music Network and then the DNS_NTP_DHCP port group as seen in the picture. Click Save.
    23. Add a Rule for ICMP packets. See picture.
    24. Finally for this section, add a rule to drop all other traffic. This must be the last rule in this set.
    25. Click on LAN IN and then Create New Rule.
    26. This rule allows traffic from the Squeezebox to the Media Center.
    27. And finally the last rule to drop all traffic from the Squeezebox to the internal network.
    28. On the Squeezeboxes, you have to enter the IP address of your Logitech Media Server as device discovery won't work over subnets without some extra steps.
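    To make the rule order concrete, here is an added example (not from the original post) that models the two chains above in Python and evaluates sample Squeezebox traffic the way the USG does, first match wins and the chain default applies to anything unmatched. It assumes the Music VLAN is 10.0.6.0/24 with gateway 10.0.6.1 as in step 5, that the ICMP rule and the final drop in steps 23 and 24 are scoped to the Music network, and it ignores the New/Established/Related state matching.

```python
import ipaddress

MUSIC_NET = ipaddress.ip_network("10.0.6.0/24")    # Music VLAN from step 5 (assumed subnet)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # address group from step 17
LMS_HOST = ipaddress.ip_network("10.0.1.100/32")   # address group from step 18
DNS_NTP_DHCP = {53, 123, 67}                       # port group from step 15
LMS_PORTS = {9090, 3483, 900}                      # port group from step 19
ANY = None

# Each rule: (action, source net, destination net, protocols, destination ports);
# ANY means the rule does not match on that field.
LAN_LOCAL = [                                       # traffic addressed to the USG itself
    ("accept", MUSIC_NET, ANY, {"udp"}, DNS_NTP_DHCP),   # step 22
    ("accept", MUSIC_NET, ANY, {"icmp"}, ANY),           # step 23 (source scope assumed)
    ("drop", MUSIC_NET, ANY, ANY, ANY),                  # step 24, must stay last
]
LAN_IN = [                                          # traffic the USG forwards
    ("accept", MUSIC_NET, LMS_HOST, ANY, LMS_PORTS),     # step 26
    ("drop", MUSIC_NET, INTERNAL, ANY, ANY),             # step 27
]

def evaluate(chain, src, dst, proto, dport=None, default="accept"):
    """First matching rule wins; unmatched traffic gets the chain default (accept on the USG)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, protos, ports in chain:
        if s not in src_net:
            continue
        if dst_net is not None and d not in dst_net:
            continue
        if protos is not None and proto not in protos:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return default

def squeezebox_can(dst, proto, dport=None, src="10.0.6.20"):
    """Pick the chain the USG would consult: LAN_LOCAL when the destination is
    the router's own VLAN address, LAN_IN for anything it has to forward."""
    chain = LAN_LOCAL if dst == "10.0.6.1" else LAN_IN
    return evaluate(chain, src, dst, proto, dport) == "accept"
```

    Swapping the drop rule to the front of LAN_LOCAL makes every request from the Music network fail, which is the ordering mistake step 24 warns about; traffic to addresses outside 10.0.0.0/8 never matches the LAN_IN drop, which is why the Squeezeboxes can still stream from the Internet.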

    Still here? The process for creating rules is quite tedious, but once you get the hang of it things start moving faster. What I've done is restricted traffic from the Squeezebox devices so that they can only talk to the Logitech Music Server on certain ports and can only talk to the router on certain ports. I also didn't set up rules for WAN traffic, letting the Squeezeboxes talk to the Internet.

    Will this fix KRACK? No. Will I be a target for KRACK? Probably not. Is isolating network traffic a good thing? Absolutely. If you have the know-how to do this and a little time, I think it is worth it. I've gradually been moving pieces of my network to VLANs.

    If there are any mistakes, please let me know! I'm not a network engineer, so it is quite possible I missed something.