so adding:

ntpd_enable="YES"
ntpdate_enable="YES"

to the /etc/rc.conf just does the trick (and starting services if not rebooting the server).

After some moments of running the ntp client you can check it with:

# ntpq -c peers
remote refid st t when poll reach delay offset jitter
==============================================================================
*ntp2.Housing.Be 128.32.206.55 2 u 16 64 377 189.371 -14.785 5.513
mighty.poclabs. 169.229.70.64 3 u 28 64 377 132.913 -14.411 5.034
+vps1.cobryce.co 64.235.98.66 3 u 16 64 377 180.600 -22.410 5.258

where servers marked with * are the selected server and + are the candidates for ntp sync.

If you need to block an abuser flood-trying to connect to your AP, resulting in multiple radius connections and error messages, you can make ACL on AP like this:

# access-list 760 deny 0002.725f.93c3 0000.0000.0000
# dot11 association mac-list 760


where 0002.725f.93c3 is the abusers mac address.

Happy banning,
S.

hw.bge.allow_asf="1"

And reboot.

Hope it will save you some minutes figuring it out…

S.

It’s called “clogin” as Cisco login script.

It requires all the credentials in ~/.cloginrc file (protocol / password / enable).

Syntax of .cloginrc file can be found here.

and usage is simple, just clogin hostname

And besides loging it’s very usefull for multiple box configuration. Let’s say you just need to write configs of your 5 routers.

clogin -c "write;exit" router1 router2 router3 router4 router5

and Voila !

S.

It’s done via queues:
/queue simple add interface=guest max-limit=2M/2M disabled=no

Where “guest” is the interface name and 2M is the down/uplink speed in bps you want to shape it to.

More about this on Mikrotik Wiki

S.

X11 connection rejected because of wrong authentication.

after some searching I found following fixed the issue:

/opt/ssh/etc/sshd_config:
X11UseLocalhost no
(must be set to no, default is yes)

S.

Failover on Cisco ASA silently stops working after you enable ipv6 configuration.

We’re used of stupid Cisco bugs, but this wins it all !

S.

Configuration is easier than expected and it worked right away. In my case Cisco 7600 series is at the data center where native IPv6 is established and Mikrotik RB450 ( a choice for home router – really powerful and really cheap).

One /64 subnet is assigned for the tunnel (point-to-point) and /48 is then routed to it. Yes. In IPv6 /64 subnet of 18446744073709551616 IPs is used for point-to-point tunnel (2 IPs).

On Cisco 7600 – interface (99.. is a 7600 public IP as 22.. is my home public IP):
interface Tunnel0
description --- test ipv6 in ipv4 tunnel ---
no ip address
ipv6 address 2AAA:BABA:101:1::1/64
tunnel source 99.99.99.99
tunnel destination 22.22.22.22
tunnel mode ipv6ip

and route:
ipv6 route 2AAA:BABA:BEEF::/48 2AAA:BABA:101:1::2

and on Mikrotik:
/interface 6to4 add disabled=no local-address=22.22.22.22 mtu=1280 name=ipv6tunnel remote-address=99.99.99.99
/ipv6 address add address=2AAA:BABA:101:1::2/64 interface=ipv6tunnel
/ipv6 route add disabled=no dst-address=::/0 gateway=ipv6tunnel


And that’s it. You can configure local interface on Mikrotik, like this:
/ipv6 add address=2AAA:BABA:BEEF:DEAD:1/64 advertise=yes interface=ether2

Local machines, if properly configured should receive advertised IPv6 prefix and configure itself for IPv6.

That’s for now, more about IPv6 soon ! HaveAnice !!

S.

It uses configuration like this (193.2.1.66 is the local ip, 193.2.1.80 is destination server IP):

bind-address 193.2.1.66
tcp { 55443 { => 193.2.1.80:443 } }
tcp { 55022 { => 193.2.1.80:22 } }

But it fails doing its job right when you use this on a really busy port/service (500 or more simultaneous established TCP connections).

pf does the forwarding well even over 1000 TCP connections. Example:

rdr on em0 proto tcp from any to 193.2.1.66 port 55443 -> 193.2.1.80 port 443
rdr on em0 proto tcp from any to 193.2.1.66 port 55022 -> 193.2.1.80 port 22
nat on em0 from any to 193.2.1.80 -> 193.2.1.66

- the em0 is the name of the outside interface. Without the nat rule, destination server would see a packet with source ip of the client so it would send a packet back directly to the client which causes asymmetric routing and very possible problems. The nat rule changes the source IP to the port forwarders one.

Happy forwarding,
S.

It’s called swatch – yes, really impressing web site and lack of documentation, examples is tipical for a geek’s tool.

example config – very simple:
watchfor /Security violation occurred/
mail addresses=ninja@level13.org,subject="SWATCH warning - switch_name"

and the command line invocation:
# /usr/local/bin/swatch -c /usr/local/etc/swatch/switch_name.conf -t /var/log/syslog/switch_name.log --daemon --use-cpan-file-tail

–daemon for forking it in the background

–use-cpan-file-tail is needed so that the swatch will tail file even after it’s rotated by the rotating script, but make sure that the perl module File::Tail is installed

It can of course match multiple patterns (multiple watchfor sections) on the same log file, but you must run multiple instances of the software for tailing multiple log files.

Make sure to read swatch man page.

S.