Monday, July 23, 2018

Finally! Open WIFI encryption is coming.

I have been waiting a very long time for a wifi standard that allows encryption across an "open wifi" connection.  Normally when you connect to an open SSID there is no authentication or encryption.  This means any data that is transmitted in the clear is readable by anyone in the area.  This is less of a problem in today's world of HTTPS, but it is still enough of a concern that I hate using open wifi anywhere without a VPN.  I also shy away from setting up open wifi for any of my clients' customers and instead suggest that they have a wifi code posted.  Well, we are finally getting "open wifi" with encryption!  WPA3 includes a new feature called Opportunistic Wireless Encryption (OWE).  I won't bother trying to explain it, because I'm not qualified, but I have linked a video below.  In short, it allows encryption without authentication.  So you can offer a wifi signal that anyone can join and still offer the security of encryption in the air.  Please note that because there is no authentication there is also no guarantee that what you are connecting to is actually the SSID you think it is.  Hopefully we can see some verification like SSL uses in the future.  Maybe Let's Encrypt can help us out there with free certs??
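To make the "encryption without authentication" idea concrete, here is an added illustration (mine, not code from this post or from any Wi-Fi stack): a station and an access point run an unauthenticated Diffie-Hellman exchange on NIST P-256 (the group OWE uses by default) and both derive the same pairwise master key with HKDF, following the shape of the RFC 8110 derivation (salt = station key | AP key | group, info "OWE Key Generation"). The uncompressed x||y point encoding and the two-byte little-endian group number used here are simplifications I assumed for the demo, not the exact on-air encoding. What matters for the caveat above is what is missing from derive_pmk: no certificate, password or PSK ties the AP's public key to the SSID, so any radio advertising that SSID can complete the exchange.

```python
"""Toy OWE-style key agreement: ECDH on NIST P-256 with no authentication at all.

Added illustration, not code from the post or from any Wi-Fi implementation.
Run it as a script to see a station and an AP agree on a pairwise master key.
"""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (IANA group 19, the default OWE group).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = None  # point at infinity


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p); used to reject off-curve peer keys."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition (and doubling) on P-256."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication; fine for a demo, not constant-time."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keypair():
    """Fresh ephemeral key pair; each association uses new ones."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def encode_point(pt):
    """Uncompressed x||y (assumed simplification of the real element encoding)."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def derive_pmk(own_priv, peer_pub, sta_pub, ap_pub, group=19):
    """PMK in the shape of RFC 8110: prk = HKDF-extract(C | A | group, z),
    PMK = HKDF-expand(prk, "OWE Key Generation", n). Byte encodings are assumptions.
    Note what is absent: nothing here ties ap_pub to a particular SSID or operator."""
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("peer public key is not a valid P-256 point")
    z = scalar_mult(own_priv, peer_pub)[0].to_bytes(32, "big")  # shared x-coordinate
    salt = encode_point(sta_pub) + encode_point(ap_pub) + group.to_bytes(2, "little")
    return hkdf_expand(hkdf_extract(salt, z), b"OWE Key Generation", 32)


def owe_exchange():
    """One station <-> AP exchange; returns the PMK each side computes."""
    sta_priv, sta_pub = keypair()   # station's key, carried in the association request
    ap_priv, ap_pub = keypair()     # AP's key, carried in the association response
    pmk_sta = derive_pmk(sta_priv, ap_pub, sta_pub, ap_pub)
    pmk_ap = derive_pmk(ap_priv, sta_pub, sta_pub, ap_pub)
    return pmk_sta, pmk_ap


if __name__ == "__main__":
    sta, ap = owe_exchange()
    print("station PMK:", sta.hex())
    print("AP PMK:     ", ap.hex())
    print("match:", sta == ap)
```

The on_curve check in derive_pmk is the one defensive step a real implementation must not skip: a peer key that is not a valid point on the curve must be rejected before it is multiplied. Everything else is plain Diffie-Hellman, which is why OWE protects against passive listening on the channel but, as noted above, says nothing about who the access point is.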

Friday, June 10, 2016

pfSense on XenServer 6.5

pfSense has a few issues with XenServer. First, the NIC offloading on FreeBSD is not compatible with the virtual NICs on XenServer, which causes very slow throughput on the virtual NICs. Second, pfSense doesn't see the xn NICs as supporting VLANs even though they do.  And last, the XenServer tools need to be installed.

So first, disable the offloading on the NICs.

Find the UUIDs of the virtual interfaces (VIFs) for the VM running pfSense by typing the following in the XenServer console (VMUUID is the UUID of that VM):

xe vm-vif-list uuid=VMUUID

Then, using each of those VIF UUIDs in turn:

xe vif-param-set uuid=VIFUUID other-config:ethtool-tx="off"
xe vif-param-set uuid=VIFUUID other-config:ethtool-rx="off"
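Since the two commands above have to be repeated for every VIF of the VM, here is an added example (mine, not from the post) that does the loop: it parses the VIF UUIDs out of `xe vm-vif-list`, builds the two `vif-param-set` calls for each, prints them, and only runs them when `--apply` is given. The sample listing embedded in it is constructed for offline testing; the regex assumes the usual `uuid ( RO) : <uuid>` row layout of xe output.

```python
"""Disable tx/rx offload on every VIF of a pfSense VM on XenServer.

Added example, not from the post: it wraps the two xe commands above and adds the
loop over VIF UUIDs. Runs on the XenServer host (dom0) as root; pass the VM UUID.
"""
import re
import subprocess
import sys

# Matches the top-level "uuid ( RO)" row of each VIF record in `xe vm-vif-list` output.
# Nested rows such as "vm-uuid ( RO)" are indented, so the ^ anchor skips them.
UUID_RE = re.compile(
    r"^uuid \( RO\)\s*:\s*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*$"
)

# Constructed sample of `xe vm-vif-list uuid=<vm>` output (two VIFs) for offline testing.
SAMPLE_VIF_LIST = """\
uuid ( RO)             : 2b6d0c1e-1111-2222-3333-444455556666
          vm-uuid ( RO): 7f3a9b2c-aaaa-bbbb-cccc-ddddeeeeffff
           device ( RO): 0
     network-uuid ( RO): 0a0b0c0d-0000-1111-2222-333344445555


uuid ( RO)             : 9e8d7c6b-1111-2222-3333-444455556666
          vm-uuid ( RO): 7f3a9b2c-aaaa-bbbb-cccc-ddddeeeeffff
           device ( RO): 1
     network-uuid ( RO): 5a5b5c5d-0000-1111-2222-333344445555
"""


def parse_vif_uuids(listing):
    """Return the VIF UUIDs from xe vm-vif-list output, in listing order."""
    return [m.group(1) for line in listing.splitlines() if (m := UUID_RE.match(line))]


def offload_commands(vif_uuid):
    """The two xe invocations from the post for one VIF, as argv lists (no shell quoting)."""
    return [
        ["xe", "vif-param-set", f"uuid={vif_uuid}", "other-config:ethtool-tx=off"],
        ["xe", "vif-param-set", f"uuid={vif_uuid}", "other-config:ethtool-rx=off"],
    ]


def plan(vm_uuid, listing=None):
    """Build the full command list for one VM.

    `listing` lets tests pass captured output instead of calling xe on the host."""
    if listing is None:
        listing = subprocess.run(
            ["xe", "vm-vif-list", f"uuid={vm_uuid}"],
            check=True, capture_output=True, text=True,
        ).stdout
    vifs = parse_vif_uuids(listing)
    if not vifs:
        raise RuntimeError(f"no VIFs found for VM {vm_uuid}")
    return [cmd for vif in vifs for cmd in offload_commands(vif)]


def main(argv):
    apply = "--apply" in argv
    args = [a for a in argv[1:] if a != "--apply"]
    if len(args) != 1:
        print(f"usage: {argv[0]} <vm-uuid> [--apply]", file=sys.stderr)
        return 2
    for cmd in plan(args[0]):
        print(" ".join(cmd))        # dry run shows exactly what would be executed
        if apply:
            subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once without `--apply` to review the commands, then with `--apply`. The new other-config values are picked up when each VIF is next plugged, so reboot the pfSense VM afterwards for the change to take effect.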

Next, you must trick pfSense into allowing VLANs on the xen NIC.  This needs to be done in the pfSense web interface:

Go to Diagnostic -> Edit File

Load file /etc/inc/

Add the "// hack for XenServer" block to the file after the "// hack for some lagg modes" block and before the "return false;":

// hack for some lagg modes missing vlanmtu, but work fine w/VLANs
if (substr($iface, 0, 4) == "lagg")
    return true;

// hack for XenServer xn interfaces
if (substr($iface, 0, 2) == "xn")
    return true;

return false;

Last, install the XenServer tools:

pkg install xe-guest-utilities

echo "xenguest_enable=\"YES\"" >> /etc/rc.conf.local
# pfSense only runs scripts ending in .sh from /usr/local/etc/rc.d at boot,
# so give the xenguest rc script a .sh name via a symlink
ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/xenguest.sh

service xenguest start

That's it!  You're done...  BUT WARNING!!!  If you upgrade to a newer version that overwrites these changes, pfSense may not boot.  At this point I plan on backing up my config and taking a snapshot each time I test an upgrade.  If the upgrade breaks things then I'll install from scratch, run the above fixes, then restore my config.  Not fun, no... But until they start better supporting XenServer we don't have much of an option.


Disable nic offloading

Enable vlans

Install XenServer tools

Monday, March 21, 2016

Install issues with XenServer 6.5 on a HP DL380 G5 or Cisco MCS7800

After having to install XenServer 6.5 on a Cisco MCS7800, which is just a re-branded HP DL380 G5, I wanted to list post install steps that must be taken.

1.  For some reason a local storage area is never created during install.  So step one is to create it:

xe sr-create content-type=user type=ext device-config:device=/dev/cciss/c0d0p3 shared=false name-label="Local storage"

2.  Make it the default by right-clicking on "Local storage" and choosing default in the XenServer manager GUI.

3.  And finally, because the local storage was never created, an import template was never generated either:

cd /opt/xensource/packages/files/transfer-vm./

That should fix the issues of not having local storage, not having default storage, and not having an import template.  If I come across other tweaks that are needed with this system I'll add them to the list.

Tuesday, April 7, 2015

Soti MobiControl Dynamic Template

Well, I just created my first ever GitHub project.  It's a template for use with Soti's MobiControl.  If you have ever used MobiControl then you know that the lock screen design/templates are VERY limited.  You basically have to hand-write HTML and use their tags (ex. ) in the HTML to insert each and every entry in the lockdown policy.  This is very cumbersome for anyone, let alone those who are not really good with HTML.

Once you have finally created a good working template, you better hope that you never need to add or delete an item from the lockdown policy.  If you do, you're going to have to go into the HTML and manually add/remove the references to the correct lockdown tag, and you better hope that it doesn't screw up your layout.  Or worse, you decide to use a different device with a different screen size!  You may as well start over....

With that in mind I created a template that uses CSS and JavaScript to automatically adjust for the screen size, the number of lockdown entries, and the header and footer text/image.  It also automatically uses the exe icon if you don't manually set an image for your entry (yeah, you had to specify that in the HTML manually).  This new template makes it really easy to add and delete entries in the lockdown policy without ever having to touch the HTML.  Oh, and did I mention it handles device rotation!?  Yep... That too.

If you're using MobiControl and want to check it out, or are just interested in device orientation through CSS or any of the other tweaks I used, check it out at

A Soti MobiControl template that's dynamic. A mobile phone style template that changes automatically depending on how many entries you have in your lock screen. It keeps you from having to change the HTML every time you want to change the lock screen entries. It's also dynamic for screen size and changes based on device orientation. Uses CSS and JavaScript.

Wednesday, September 3, 2014

Ghetto-fi your VMware backups (VMware backups for free)

If you are using VMware on the cheap (free), then you are probably missing some great functionality.  For one, backups!  Sure you can back up your data inside the VM (and you should!), but how about bare metal full VM backups?  If you like the idea but hate the cost, check out ghettoVCB.  It's a great script that has some limited community support.  Basically it runs several shell commands to snapshot your VM, which unlocks your main VMDK file.  Then it makes an FTP connection out and copies the entire VM (minus the snapshot, of course) to a destination of your choosing.  Then if you ever need the backup you can simply import the VM and you're back up and running.  Lots of great uses for this and it's FREE!

Friday, July 18, 2014

Offline Files not coming back online when reconnecting to the network

So here's the problem we had. A user has offline files on his H: drive (home drive) so that he can access them while traveling.  If the user boots up his laptop and logs in, and THEN connects via VPN or work wireless, he can't access his H: drive at all.  He can still see his offline files, but they stay offline and all other files are not accessible.  Also, if he disconnects his laptop, goes to a meeting, then comes back and docks, he is unable to get access to his H: drive until he reboots.  The only way to get the files back online and have access to the rest of his H: drive is to log in WHILE having a live network connection to the office.  After a bit of research I found the answer via mcseRob (see link below).

The short version is that the user needs read access to the folder that the share points to, not just the sub-folder that his H: drive points to.  Windows checks whether the files are back online by checking the share itself!  So when it checks and doesn't have read access to the share, it thinks the files are still offline.  So a quick fix is to give all users read access to the share itself.

For our situation we ONLY give read access to the share root itself and not to the sub-folders below it.  This does allow everyone to see the sub-folder names, which may reveal user names, but follow the link below for some possible fixes to that problem.


Tuesday, December 6, 2011

Enable Windows 7 admin shares for local accounts (c$, etc)

If you are frustrated by the lack of access to admin shares in Vista or Windows 7, here is a registry hack to re-enable those shares. This will allow local accounts (on the host machine) to access admin shares. By changing this registry setting you are DISABLING UAC remote restrictions!

Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: LocalAccountTokenFilterPolicy
Data Type: REG_DWORD
Value: 1

Please be aware that this is a security hole if your systems are not patched (not to mention zero-day attacks). Use with discretion and without blame (me, that is).

From Microsoft:

How UAC remote restrictions work
To better protect those users who are members of the local Administrators group, we implement UAC restrictions on the network. This mechanism helps prevent against "loopback" attacks. This mechanism also helps prevent local malicious software from running remotely with administrative rights.

Other Source: