Monday, June 26, 2017

Enabling IPv6 for Internode ISP on a Mikrotik router

A little background

There's been plenty of posts on this topic but having struggled through a couple of them myself, I figured I'd put up my own results.

Enabling IPv6 support on a MikroTik router when using the Australian ISP "Internode" requires a handful of settings, and they are best applied in the order below.  You can do all of this via the GUI or via the CLI; here I'm showing the CLI commands.


Getting an IPv6 prefix from Internode


/ipv6 dhcp-client
add add-default-route=yes interface=Internode-PPPoE pool-name=internode pool-prefix-length=56 request=prefix use-peer-dns=no

The above command requests a delegated prefix (request=prefix) from Internode and places it in a pool named "internode", so that other interfaces on the router can take addresses from that pool.  The pool is split into /56 (pool-prefix-length=56), which is the delegation size this configuration expects.  The DHCPv6 client runs on the virtual PPPoE interface, in this case called "Internode-PPPoE"; yours will naturally be named differently.

Note I am also not using the DNS settings from Internode.  This is because I use the Cisco Umbrella (OpenDNS) servers for all name resolution and don't want the DNS servers provided by Internode in their DHCP response to be used by my router.

Allocate an address from the prefix to the inside interface of the router


/ipv6 address
add from-pool=internode interface=LAN

The above command dynamically allocates an address from the pool to the named interface.  In my case my internal interface is called "LAN".  It's a VLAN interface in my case, but yours might just as easily be "ether01-master-local" or similar.

Advertise the router to your internal network

/ipv6 nd
set [ find default=yes ] interface=LAN

The above command enables neighbor discovery (router advertisements) on the internal interface of your router (in my case the VLAN interface named "LAN"), so hosts on that network learn that this router is their IPv6 gateway.

Note that advertising the prefix itself (telling your internal network which first 64 bits to use when forming their addresses) follows from the address added to that interface in the previous step, so we don't need to configure a prefix value here.

Define your Firewall rules

With IPv4, most people don't realise that they are (somewhat) relying on the Network Address Translation (NAT) on their router to shield their computers from unsolicited inbound connections.  Strictly, it is not the address rewriting that protects them but the stateful connection table NAT needs: a packet from the Internet is only passed inside if it belongs to a session that a host on the inside started.

IPv6 does not use NAT, so every internal host carries a globally routable address and that incidental protection disappears.  You must recreate it explicitly with a stateful firewall.  Our firewall rules need to:
  • Permit connections made from our internal network to the Internet
  • Permit the return traffic of those established sessions back in
  • Block connections made from the Internet to our internal network
  • Permit DHCPv6 replies from Internode to the router itself
Note that on a MikroTik router the IPv6 firewall is entirely separate from the IPv4 firewall (/ipv6 firewall filter versus /ip firewall filter), so the rules you already have for IPv4 do nothing for IPv6 and must be added again here.

/ipv6 firewall filter
add action=accept chain=input comment="Permit DHCPv6 replies to router external interface" dst-port=546 in-interface=Internode-PPPoE \
    protocol=udp
add action=accept chain=forward comment="Permit all outbound IPv6 from LAN" in-interface=LAN out-interface=Internode-PPPoE
add action=accept chain=forward comment="Permit and forward established sessions when inbound" connection-state=established,related \
    in-interface=Internode-PPPoE
add action=drop chain=forward comment="Drop all attempts to route to inside when not part of established session" in-interface=Internode-PPPoE
add action=drop chain=input comment="Drop all other connections to outside interface of router" in-interface=Internode-PPPoE

The code above adds the firewall rules and binds them to the interfaces of the router.  Note again that my interfaces are named "LAN" and "Internode-PPPoE"; yours will of course be different.  Two caveats before you copy this: the input chain drops everything else arriving on the PPPoE interface, including replies to connections the router itself started, so anything the router does over IPv6 on its own behalf (DNS lookups, NTP, ping) will not get its answers back; and that same rule drops ICMPv6, which IPv6 cannot function without (neighbor discovery, router advertisements, and the Packet Too Big messages path MTU discovery relies on, which matter on a PPPoE link whose MTU is below 1500).
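As an added example (this is my rule set, not the original post's configuration), here is the same policy written out so that it also admits the ICMPv6 the protocol depends on and the return traffic for the router's own connections. The interface names Internode-PPPoE and LAN are the post's; everything else, including the assumption that IPv6 connection tracking is enabled (the RouterOS default of auto) and that no other IPv6 filter rules exist, is mine.

```routeros
# Added example, not the original post's rule set.
# Interface names follow the post: Internode-PPPoE = Internet side, LAN = inside.
# Rules are evaluated top to bottom; the first match wins, so the drops come last.
/ipv6 firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept \
    comment="Replies to connections the router itself started (DNS, NTP, ping)"
add chain=input connection-state=invalid action=drop comment="Packets that fit no known connection"
add chain=input protocol=icmpv6 action=accept \
    comment="ICMPv6 is mandatory: neighbor discovery, router advertisements, Packet Too Big for PMTUD"
add chain=input protocol=udp dst-port=546 in-interface=Internode-PPPoE action=accept \
    comment="DHCPv6 replies (prefix delegation) to the client port on the PPPoE interface"
add chain=input in-interface=Internode-PPPoE action=drop \
    comment="Everything else from the Internet to the router itself"
# --- forward chain: traffic routed through the router ---
add chain=forward connection-state=established,related action=accept \
    comment="Return traffic for sessions LAN hosts started (ICMPv6 errors tied to them count as related)"
add chain=forward connection-state=invalid action=drop comment="Packets that fit no known connection"
add chain=forward protocol=icmpv6 in-interface=Internode-PPPoE action=accept \
    comment="ICMPv6 to LAN hosts: echo requests and errors conntrack could not tie to a session"
add chain=forward in-interface=LAN out-interface=Internode-PPPoE action=accept \
    comment="Anything LAN hosts start towards the Internet"
add chain=forward in-interface=Internode-PPPoE action=drop \
    comment="Unsolicited inbound from the Internet to the LAN"
```

Nothing here touches traffic between the router and the LAN side (router advertisements, neighbor discovery, DNS from LAN hosts to the router), because every drop is scoped to in-interface=Internode-PPPoE. After applying it, /ipv6 firewall filter print stats shows per-rule packet counters, which is the quickest way to confirm that outbound sessions from a LAN host hit the accept rules and that a connection attempt from outside lands on the final drop. If you would rather not admit all ICMPv6 types to LAN hosts, the forward-chain ICMPv6 rule is the one to narrow to the types RFC 4890 lists as essential.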




Sunday, October 27, 2013

Using a Windows 8 Product Key in Windows 8.1 from a clean installation

You're probably not the only person who has an existing Windows 8 machine that for some reason or another can't be upgraded to Windows 8.1 from the Windows Store.

If you've downloaded the Windows 8.1 ISO and need to perform a clean installation, you can activate it using a Windows 8 product key.  The following instructions have been shamelessly taken from Microsoft and the "Windows Valley" website.

The prerequisites for this work are:

  • A Windows 8.1 ISO (or USB flash drive with an extracted ISO on it)
  • The Windows 7 USB/DVD tool (if you only have the ISO file for Windows)
  • A valid Windows 8 product key

Once you have the ISO, you need to extract its contents to a USB flash drive using the Windows 7 USB/DVD tool.  Don't worry, it works for Windows 8 (and Windows Server 2012 as well).

Next, you need to follow the instructions provided by Windows Valley and create a file called "EI.CFG" in the Sources folder on your USB flash drive.

For the plain vanilla Windows 8.1 Professional, the file needs to contain the following text:

[EditionID]
Professional
[Channel]
Retail
[VL]
1

If your edition of Windows is not Windows 8.1 Professional (e.g. the N edition or the Windows Media Center edition), refer to the Windows Valley link for the value to use for "EditionID".

Save this file (make sure you save it as EI.CFG not EI.CFG.TXT!) and then safely eject your USB flash drive.

You will now be able to boot off this drive and install Windows 8.1 without being asked for a product key.   Once you have installed Windows, the only way to then use a Windows 8 key is via the command line; you cannot enter a Windows 8 product key using the product key GUI, as it will reject the key.

To get around this issue, open an Administrator command prompt, and then use the following command:


Cscript.exe %windir%\system32\slmgr.vbs /ipk <Your product key>

That's it, you're done!  If Windows does not activate on its own shortly afterwards, run the same script again with the /ato switch to activate online, and with /xpr to confirm the activation state.




Tuesday, July 2, 2013

Getting back the Command Prompt in Windows 8.1

Microsoft decided in their infinite wisdom to change the Windows "Quick Links" menu in Windows 8.1 so that the default layout removes the shortcut to the Command Prompt and replaces it with a link to PowerShell.

The average Joe does not use PowerShell, people!

Thankfully this can easily be fixed.  Just right-click the Taskbar and select Properties.  Then go to the Navigation tab and untick "Replace Command Prompt with Windows PowerShell in the menu when I right-click the lower-left corner or press Windows key+X".


Monday, July 1, 2013

Surface Pro keyboard and Event Viewer messages

If you have a Surface Pro, you might be getting some Event 219 warnings in the System Event Log, related to a hardware device with ID VID045E&PID_079.

To clear matters up, this is the Surface Touch or Type cover driver.  If you see this warning, it may match up with you being unable to type.    As of July 2013, I still need to occasionally disconnect and reconnect my type cover, and I can only assume that if I checked the event log for events logged at that time I would find this event.

Thursday, June 20, 2013

Backing up Windows Home Server 2011 to 4K sector size disks

Last week my Windows Home Server 2011 box informed me that my external USB backup hard disk was beginning to fail.  Big props to the folks at Dojo North who supply a free SMART monitoring plug-in for Windows Home Server, otherwise I would not have known the disk was on the way out.

So yesterday I purchased a Western Digital "MyBook" 3TB external hard disk to replace this external drive, and configured the Windows Home Server backup to store data on this drive from now on.   Imagine my surprise when I see this the next morning:



OK, that was unexpected.  Wonder what the problem was?  Let's have a look at the detailed error:


The request "could not be performed because of an I/O error"?  Huh?

Well let's cut to the chase.  The problem is caused by Windows Server 2008 R2 (and Windows 7) not supporting disks with native 4K sector sizes (4Kn) for storing VHD files.  Don't confuse this with NTFS cluster sizes; that is a separate setting, and changing it does not solve the problem.

As we know, Windows Image Backups are VHD files, and so the backup fails.   Great.

So how do we fix this?  The only fix in Windows Server 2008 R2 and Windows 7 is to have the drive present 512-byte sectors to the operating system, i.e. 512-byte sector emulation (512e) rather than native 4K.  This is not something the Windows format tool can do; it must be done with a manufacturer tool.  Thankfully, Western Digital provide the "WD Quick Formatter" utility, which lets you reformat the drive in 512e mode.  This removes Windows XP support, but who the hell cares.

Here's what fsutil (run as fsutil fsinfo ntfsinfo followed by the drive letter, which reports both Bytes Per Sector and Bytes Per Physical Sector) says about the drive before it was reformatted using the WD tool:


And here's what it says after the reformat:


But my drive can't be reformatted to 512E mode!

Well my friend, you are hosed and either need to buy a drive that does, or upgrade to Windows Server 2012 (or Windows 8).

Sunday, June 2, 2013

Annoying password storage in Windows for Outlook accounts

I'm somewhat of an Information Security maverick, so I've been living the BYOD lifestyle (whilst keeping stuff secure) for the better part of 4 years.  This basically means that none of my devices are members of the corporate Active Directory Domain.

When your machine is a domain member and you log in, Windows holds your domain credentials in reusable form (a Kerberos ticket-granting ticket, or NTLM credentials where Kerberos is not available).  Any application which can make use of these, such as Outlook, obtains a service ticket or NTLM response from them and passes it to the Exchange CAS servers to authenticate your session.   No need to enter your password again: single sign-on.  Everybody's happy.

However, if you're not a domain member there is no automatic creation of authentication tokens for services hosted in any AD domain, so when you launch applications which access those services you're prompted for your credentials.  No big deal: you just enter the relevant username and password and tick the "Remember my credentials" option.  The next time you launch the application the authentication is seamless.

When you change your domain password, your applications will pop up a dialog box asking you to re-enter your password because, hey, the authentication failed since the stored password is the old one.   Again you would think this is no big deal, because you can just re-enter your password and ensure the "remember my password" option is ticked, right?

Wrong (at least for some versions of Outlook).

For some bizarre reason, the Windows Credential store does not update the password when you enter a new one.   The login will work but the store keeps the old password and the next time you launch Outlook you get prompted for the password again.  This continues indefinitely unless you take action.

As per Microsoft's own article on this problem (http://support.microsoft.com/kb/2762344), the only solution is to open Windows Credential Manager and manually remove the stored credentials for any entries with the word "Outlook" in them (from an administrator command prompt, cmdkey /list shows the same entries and cmdkey /delete:<target name> removes one).  The next time you open Outlook and tell the popup to store the credential, the password is saved back to the credential store.

It sure would be nice if Microsoft fixed this one, because it's happening on my Windows 8 Pro machines running Office 2013, so it's not like it's something from the past.

Sunday, May 26, 2013

Windows 8 app store cyber squatting

As a user of Microsoft Windows 8, I have become increasingly displeased with the lack of control over app publishing in the Windows App Store.

The app store provides hosted copies of Metro applications, and these appear to undergo some form of vetting.  However, the store also supports links (not hosting) to desktop applications so that software developers can have the desktop versions of their applications also searchable from the App Store.

These desktop apps appear to undergo no vetting at all.  In the last three weeks I have found three separate links in the app store to popular desktop applications which I use.  When selecting these links, I was instead taken to a third-party website called "getdesktopapp.com" which supposedly hosts the files.

There are a number of reasons why this is utterly ridiculous.   For one, these "applications" in the store are nothing more than link bait which you are highly likely to click because, well, it's from the App Store.  Second, there is no guarantee the downloads behind those links are free of malware, because they're not even hosted by the developer!

Microsoft needs to fix this FAST and vet all Desktop application links in the App Store to confirm they actually refer to the developer, and that the links contained within do NOT contain known Malware.  For the sake of Microsoft's own reputation, cyber squatting of application names in the app store should be impossible.