CimmerianX 197 Junior Poster

Just as an additional note.... if the router can't restrict access based on source IP, use IPTABLES on the host OS along with FAIL2BAN... just in case you are paranoid like me.

CimmerianX 197 Junior Poster

Ditto what JorgeM said.... there's a lot to learn if you are just starting out.

If you want to try OpenVPN, it's an SSL based VPN and I have a post on how to set it up and configure it.
http://www.slsmk.com/installing-openvpn-on-ubuntu-server-12-04/

I also have a post on L2TP/IPSEC, great for stock android devices.
http://www.slsmk.com/setup-l2tp-ipsec-vpn-on-ubuntu/

CimmerianX 197 Junior Poster

Is the server listening on 3306 for the mysql service? You can check with "netstat -lanp | grep 3306"

Can you telnet to this port from the workstation? For windows use "telnet <server IP> 3306".

Do you know the DB to which you want to connect? Have you assigned rights in mysql to allow the certain user@workstation to connect to the database. You must use a "GRANT ALL on dbname.tablename to 'user'@'workstation' identified by <password>;" && "flush privileges;" before a user can connect from anywhere.

From windows... you can use MySQL Workbench (free program) to test connectivity to the remote host. If you do anything with Mysql, you should have this utility anyway.

CimmerianX 197 Junior Poster

WPA/WPA2 is very crackable... just takes longer depending on the complexity of the PSK.

CimmerianX 197 Junior Poster

1) Turn off all Windows firewalls, then test.
2) Run IPCONFIG /ALL on each and note results. Are they all on the same subnet with same gateway and DNS?
3) Ping another PC by IP?
4) Ping another PC by full FQDN name? Does the FQDN even resolve?
5) Is there WINS on the network?
6) Are the workstations running any other protocols other than TCPIP?
7) Are there any hostfiles or lmhosts files with entries on any workstation?

Answer these for me please.

CimmerianX 197 Junior Poster

Yep. You can do this 2 ways, and this of course depends on your VPN equipment.

1) Create the 150-ish tunnels where site A has 12 tunnels (one to each site), site B has 12 tunnels (one to each site) and so on. Not a fun option.

2) The better option, at the HQ, no routes are needed, but you will need new tunnels built for Src=10.148.1.x to Dst=10.148.2.x, 10.148.3.x, etc. Then another set for Src=10.148.2.x to Dst=10.148.1.x, 10.148.3.x, etc. And repeat for every site's subnet. Each site must have the VPN dst setup to send 10.148.0.0/16 to the HQ so that traffic for all sites is encrypted over the tunnel. The HQ will decrypt the traffic, then re-encrypt bound for the new destination.

This works fine. I do this all the time for remotes that VPN into my HQ.

Is this a Cisco Solution? If yes, then you also need to add NONAT entries for subnets to all other subnets....

CimmerianX 197 Junior Poster

Yep. Did you check device manager to see if your card is listed and/or missing drivers (indicated by the yellow sign on the device).

From command line, run 'ipconfig /all'. Is your card listed?

CimmerianX 197 Junior Poster

Depends what kind of backup. You can usually connect the external drive via usb, have it mounted under /media or /mnt, and access the backup data. How are you backing up?

CimmerianX 197 Junior Poster

For example, Cisco-Linksys RC042 supports dual external WAN connections. When the primary fails, the secondary kicks in and everything routes automagically.

CimmerianX 197 Junior Poster

homedesktop\storage is not accessible by domainuser\user. The very simple workaround is to connect to homestorage with different credentials.

From Windows Explorer, Right click My Computer and select Map Network Drive. Pick a drive letter, enter your homestorage folder location, tick the checkbox for 'connect using different credentials', and enter your home PC id/pw when prompted.

Now you can access the share by UNC or Drive letter.

CimmerianX 197 Junior Poster

I've been experimenting with OpenVPN lately and now would like to generate a package with certain features enabled that require a recompile. I.e. enabling the password caching feature and packaging it with specific certs and profiles.

Basically, is it possible to compile a windows-version/windows-package of the client from linux? If yes, can you give a push in the right direction.

I ask about linux because going through HOW TO on the windows based setup to enable a recompile of the package leaves me with missing dependencies, bad links... it's just a mess.

CimmerianX 197 Junior Poster

No.

CimmerianX 197 Junior Poster

Depends on the OS you are using... in windows you can issue the 'copy' command and give the destination a different name. So you can copy and rename in 1 command.

What OS do you have?

CimmerianX 197 Junior Poster

Somehow - Jorge always beats me to the answers.... OP, do follow JorgeM's post, it's spot on.

CimmerianX 197 Junior Poster

Make sure the server is the DNS and/or WINS server for the remote domains. When a remote machine tries to join a domain, it relies heavily on the DNS for the domain. I've joined many remote machines to a domain over VPN and through routed networks. As long as you are using the DC's DNS for resolution, it should work fine.

CimmerianX 197 Junior Poster

To try and save your data, go out and buy a sata to USB adapter kit. Costs about $15.00 and comes in very handy. You can connect the drive using the kit to another PC's usb and the drive will read like a usb drive. You can then just browse the disk and copy files.

If the disk is fubar'd, then, of course, this won't work.

CimmerianX 197 Junior Poster

when the internet guy came he checked my local area connection and said its having the fault where without connection, the packets were being sent and again after connecting the cable, it started sending but have not received any packets.

This makes no sense to me. If you plug in a provided cable, and the 'cable guy' tells you you are sending but not receiving.... it's his problem. The only thing to do is test with another PC. If it also fails in the same way, call the 'guy' and complain.

CimmerianX 197 Junior Poster

You'd have to ask them to verify the cert on their end. Or send them the current and ask them to replace with the latest.

CimmerianX 197 Junior Poster

Seriously... If IPCONFIG.EXE is missing, just copy it over from another Windows system.

CimmerianX 197 Junior Poster

Nope.

If you want to retain mail on the server, make sure that you don't have the "delete mail on server when I delete it here" selected, and just delete the mail from outlook's inbox once it's done syncing.

CimmerianX 197 Junior Poster

BYOD to a corp environment is always tricky and Active sync control over a device is not the best.

For iOS, you will want to create a device profile and post to a corp site that the end user can access, click, and install. The corp profile can have info like wifi config, CA/root Certificates, Pin enforcement, etc...

Start here:
http://www.wikihow.com/Create-a-Provisioning-Profile-for-iPhone

There are a lot of security issues related to having these devices on a corp network (lack of admin central control, remote wipes, encryption, etc...) So be sure you are comfortable with all that.

CimmerianX 197 Junior Poster

He may be returning the phone and wants to wipe his stuff....

Usually in SYSTEM SETTINGS -> SECURITY -> BACKUP AND RESET -> FACTORY DEFAULT

CimmerianX 197 Junior Poster

You don't unless the wifi is set to be an 'open' network.

CimmerianX 197 Junior Poster

You connect with no modem or router? Unlikely. You must have a device to decode the signal and give you an RJ-45 ethernet connection.

How do you connect? Is it an always on connection?
Your pc will always send packets, how do you know it's sending them? wireshark?

Do you have a single network card in the system? How are you on a local network and on a dedicated broadband at the same time then?

I'm sure you are leaving a lot out of the description.

CimmerianX 197 Junior Poster

Lots of VPN providers out there.

My 2 cents:

Try to find one that doesn't keep logs.

You can usually find an openvpn provider that accepts monthly payments instead of prepaying for a year.

CimmerianX 197 Junior Poster

JorgeM is right. You can Disable the wifi on the ATT router/modem. These devices lack a true "bridge" mode. The best you can do is use the gui to setup the "DMZ" host internally and disable all firewall services.

CimmerianX 197 Junior Poster

Find a network, and administer it.

Seriously though, what kind of question is that? You study, you learn, you get an entry level job, and work your way up from there.

CimmerianX 197 Junior Poster

Circumventing your school policies is kinda shady, dontcha think. Best just to ask him.

CimmerianX 197 Junior Poster

The switch reboots when you plug in a console cable? do you see any output in the console? Can you log the console session and post it?

CimmerianX 197 Junior Poster

Arp retry should have nothing to do with this.

If network shows connected then layer 1 is ok.
Can you ping your own IP?
Can you ping the IP of the gateway?
Can you ping beyond the gateway to 4.2.2.1?
Can you ping by fqdn? (i.e. ping www.yahoo.com)

CimmerianX 197 Junior Poster

Just to add.... there is not enough information in this post at all. We would need a lot more info. Start with, "How do you know it broke?". What are the symptoms? How is the network setup or how did you set it up? Describe the network to the best of your knowledge. Did you change/add/edit something before the network broke?

CimmerianX 197 Junior Poster

IIRC, the option is '-A <# of lines that follow>'
Example: grep -A2 findthistext /opt/inthisfile

CimmerianX 197 Junior Poster

So, it sounds like you have it installed and sitting at a CLI prompt.... Is it just X that wont start then?

CimmerianX 197 Junior Poster

I have a UVerse modem as well. I used its Router-behind-Router function and the 'forward all ip to single host' to emulate a network bridge since the Uverse modems don't have a true bridge mode. My internal router now has the public IP assigned to it even though the Uverse modem is still detectable in-line.

Is this what you were after?

CimmerianX 197 Junior Poster

Open your terminal.
Type "ping www.google.com"
The terminal should come back and say it's pinging an ip address xxx.xxx.xxx.xxx or it will say timeout/host not found.

Let me know which it is.

CimmerianX 197 Junior Poster

JorgeM, IIRC the GARP packet is the check for any other machines answering on the same IP address... It's used to detect duplicate IPs on the network. A GARP packet is simply an ARP with the originator's IP. If any other machine answers the GARP, then a dupe IP exists in the subnet.
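To make the GARP description above concrete, here is an added example (not from the post or any vendor's code) that builds and decodes Ethernet/IPv4 ARP frames, flags a frame as gratuitous when the sender and target IP match, and reports any other MAC that answers for our own IP. The MACs and IPs are constructed sample values.

```python
import struct

ETH_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))
def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST) -> bytes:
    """Ethernet II frame carrying an ARP request (1) or reply (2). Constructed test data, not a capture."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet / IPv4, 6-byte MAC, 4-byte IP
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip) + _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame: bytes):
    """Decode ARP fields from a frame; None if it is not a well-formed IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = frame[22:42]
    info = {
        "opcode": opcode,
        "sender_mac": ":".join(f"{b:02x}" for b in p[0:6]),
        "sender_ip": ".".join(str(b) for b in p[6:10]),
        "target_mac": ":".join(f"{b:02x}" for b in p[10:16]),
        "target_ip": ".".join(str(b) for b in p[16:20]),
    }
    # Gratuitous ARP: the sender names its own IP as the target (an announcement/probe, not a lookup).
    info["gratuitous"] = info["sender_ip"] == info["target_ip"]
    return info

def detect_ip_conflict(frames, my_ip, my_mac):
    """MACs other than ours that claim my_ip: a reply to our GARP, or another host's own GARP for it."""
    claimants = set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["sender_ip"] == my_ip and arp["sender_mac"] != my_mac:
            claimants.add(arp["sender_mac"])
    return claimants

# Constructed frames: our own GARP probe, an unrelated request, and a reply from a host that also holds our IP.
MY_IP, MY_MAC = "192.168.1.50", "02:00:00:00:00:01"
SAMPLE = [
    build_arp(1, MY_MAC, MY_IP, "00:00:00:00:00:00", MY_IP),
    build_arp(1, "02:00:00:00:00:02", "192.168.1.7", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(2, "02:00:00:00:00:99", MY_IP, MY_MAC, MY_IP, dst_mac=MY_MAC),
]
```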

CimmerianX 197 Junior Poster

Try this tool... it's never failed to create a bootable USB for me.
http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/

CimmerianX 197 Junior Poster

Sanity Check: Make sure there is no physical switch that is set to read only.

After that, try this: http://www.troublefixers.com/remove-write-protection-on-usb-pen-drive-or-memory-card-or-ipod/

CimmerianX 197 Junior Poster

For file recovery, I've used a hex editor on the raw disk to search for image headers, then recover a fixed amount of disk space after the header.

For example, my tool is winhex, I've had it for years. You can let the utility access the raw disk, then using a built in feature, let it find all headers starting with hex 45786966 or 4A464946. Then specify the size of the data to recover, 4 MB should be fine for most pics. This will output a folder with a list of 4 MB files it found starting with that header. Open each file in photoshop and save it back to a jpg, this will trim off the extra space for smaller files.
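The header-carving approach above, as an added example that is not the poster's WinHex workflow: it scans a raw image for the 45786966 ("Exif") and 4A464946 ("JFIF") strings, accepts a hit only when FF D8 FF sits six bytes earlier (the JPEG SOI marker, so a stray "JFIF" in slack space is skipped), then copies a fixed-size chunk and trims it at the last FF D9 end-of-image marker. The "disk" is a constructed byte string with two minimal JPEG-like blobs and a decoy.

```python
SOI = b"\xff\xd8\xff"          # JPEG start-of-image followed by the first marker byte
MARKERS = (b"Exif", b"JFIF")   # hex 45786966 / 4A464946, found at offset 6 of the file
EOI = b"\xff\xd9"              # end-of-image marker

def find_jpeg_starts(data: bytes) -> list:
    """Offsets where a JPEG begins: an Exif/JFIF identifier at +6 preceded by FF D8 FF at +0."""
    starts = set()
    for marker in MARKERS:
        pos = data.find(marker)
        while pos != -1:
            begin = pos - 6
            if begin >= 0 and data[begin:begin + 3] == SOI:
                starts.add(begin)
            pos = data.find(marker, pos + 1)
    return sorted(starts)

def carve(data: bytes, chunk_size: int) -> list:
    """Copy up to chunk_size bytes from each header (the post's fixed-size recovery), bounded by the
    next header, and trim at the last EOI marker so small files are not padded. Uses the last EOI
    because Exif thumbnails carry their own FF D9 inside the main image."""
    starts = find_jpeg_starts(data)
    out = []
    for i, start in enumerate(starts):
        bound = min(start + chunk_size, starts[i + 1] if i + 1 < len(starts) else len(data))
        blob = data[start:bound]
        eoi = blob.rfind(EOI)
        if eoi != -1:
            blob = blob[:eoi + 2]
        out.append((start, blob))
    return out

def _fake_jpeg(app_tag: bytes, payload: bytes) -> bytes:
    """Minimal JPEG-like blob for testing: SOI, one APP0/APP1 segment with its identifier, body, EOI."""
    app = b"\xff\xe0" if app_tag == b"JFIF" else b"\xff\xe1"
    return SOI[:2] + app + b"\x00\x10" + app_tag + b"\x00" + payload + EOI

# Constructed raw "disk": filler, a JFIF file, slack containing a decoy "JFIF" string, an Exif file, filler.
DISK = (b"\x00" * 100 + _fake_jpeg(b"JFIF", b"A" * 50) + b"\xcc" * 37
        + b"JFIF decoy in slack" + _fake_jpeg(b"Exif", b"B" * 80) + b"\x00" * 60)
```

Run `carve(DISK, 4 * 1024 * 1024)` for the 4 MB chunk size from the post; on a real image, pass the raw device's bytes instead of DISK.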

CimmerianX 197 Junior Poster

I take it there are no historical backups either?

What kind of files are they? Perhaps the important ones can be repaired.

CimmerianX 197 Junior Poster

Each ARP entry in the windows ARP table is good for 10 minutes. If you add new entries, those new entries are good for 10 while the older ones are still good for 9 or less.

Once the entry is in the ARP table, the only way to change it is to clear the ARP entry manually and let the machine re-discover the other endpoint via arp broadcast.

CimmerianX 197 Junior Poster

The XP Transfer wizard only transfers user data and settings for user account. It has nothing to do with applications or drivers. It is expected that the receiving machine already have the applications loaded. Plus, the receiving machine should be up to date on all drivers as well... How would you transfer to this machine without a functioning net card anyway?

Download the drivers on a working machine to a USB disk, then load the drivers from the USB to the new Machine.

CimmerianX 197 Junior Poster

1) Network discovery is usually broadcast based unless you are on a Windows Domain. A routed network like this will block broadcasts (That's a good thing). Also, are you pinging by IP or trying to use FQDN or WINS?

2) The pings being blocked are probably caused by PFSense. However, I need to see a diagram of the network layout to see where the firewalls are located with respect to the VPN endpoints.

3) OpenVPN, will usually forward all traffic to the remote subnet.

CimmerianX 197 Junior Poster

1) Switches are layer2 devices. No IPs come into play. They forward based on MAC. If you have a layer 3 switch for routing or ACLs, this still doesn't come into play when forwarding packets.

2) Routers are not usually connected to enduser systems.

3) PCs use ARP to resolve IPs to MAC. Most will cache ARP entries for a 10 minute timeout. Layer 3 switches and routers also cache ARP entries (usually a 4 hour timeout).

4) A 10 minute DHCP lease is crazy short. To adjust for that, you need to change the ARP timeout values across the board to something very low. Like 2 minutes. This setup is going to increase ARP and GARP traffic as well as crazy amounts of DHCP traffic. All of that is broadcast traffic BTW.

IMHO, change dhcp to at least 8 hours. AFAIK, you can't change the windows 10 minute ARP timeout (someone check me on that if wrong). Switch and router timeouts will depend on the vendor. You can do it on Ciscos for example.

CimmerianX 197 Junior Poster

Usually, an in line firewall would sit between the router and internal lan such that:
Router -> Firewall WAN port -> Firewall -> Firewall LAN port -> internal lan.

All internal hosts would use the Firewall LAN port as the new default gateway. You would want to setup a new subnet for the router to firewall connections so it is distinct from the inside network.

You could also setup a "Firewall on a stick" where 1 connection to the router has 2 vlans defined and traffic is separated that way.

Did you take jorgeM's advice and do basic ping tests?

CimmerianX 197 Junior Poster

You can use Virtual box to spin up a virtual Mac OS X as a virtual machine on a windows host.

CimmerianX 197 Junior Poster

Both are right on the battery charging and or warranty path.

The Kies software allows the phone to be plugged into a PC USB port and have it show up like a usb disk. However, you can also use android apps to have the phone share files over SMB, FTP, bluetooth, so there are other options as well.

CimmerianX 197 Junior Poster

Like Rubberman alluded to, if the networking is set to NAT, then you can port forward a specific port (i.e. tcp/80 tcp/443) from the host machine IP into the virtual machine's private IP. That is done right in the Virtual machine's networking section.

CimmerianX 197 Junior Poster

Windows 7 and windows 8 can both use the GPOs from server 2008. But the new win 8 policy settings, especially the ones that turn off the unified logon crap, are not included in 2008R2.

The new Windows 8 policy settings can only be managed by using Server 2012 or by adding them to the local security policy of each machine.

AFAIK, there is no 'add-on' for GPO to 2008 R2 that will enable this either. Thank you Microsoft. Way to force us to upgrade.

CimmerianX 197 Junior Poster

Home group is Microsoft's way of sharing files in a home network. Not involved here.

When you ping 192.168.0.1, are you wired or wireless?

Can you ping beyond the gateway? Ping 4.2.2.1 or ping 8.8.8.8. Do you get a response? If yes, then your basic connectivity is ok. Now ping www.google.com. You should see it attempt to ping an IP address. If you get no IP address then DNS is down. Check your DNS settings.