Category Archives: Network

Monitoring IPv6 vs IPv4 traffic on Ubiquiti USG with SNMP

So. This has been painful. I decided I wanted to view how much traffic is flowing in and out of my USG now that I have IPv6!!!! It must be crazy, so let me go look. And then the painful truth, the USG controller has no visuals or commands to find the information. Bummer.

After a lot of web browsing, researching, additional hair loss, crying, and help, I have found the solution. I am going to turn on SNMP on the Ubiquiti USG, install telegraf, influxdb, and grafana on my Ubuntu 18.04 server.

This should be easy, right? No.
What could go wrong? A whole whole lot.

Setting up SNMP

I’m going to skip most the heartburn I had of trying to find the correct OIDs, getting the names correct, and ultimately realizing that Ubuntu does not load the MIBs in by default, so you have to do it by hand. Here’s what I did though:

# apt-get install snmp-mibs-downloader libsnmp-base libsnmp-dev snmp
# cd /usr/share/snmp/mibs
# wget http://dl.ubnt-ut.com/snmp/UBNT-MIB
# wget http://dl.ubnt-ut.com/snmp/UBNT-UniFi-MIB

Now, I did something bad, but since this is pretty limited, I loaded all of the MIBs in by default. My /etc/snmp/snmp.conf file looks like this:

# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
# mibs :
mibs +ALL

Setting up InfluxDB

Read more »

Static IPv6 Hostnames on Ubiquiti USG

Yet another update for how I keep updating Ubiquiti to work with IPv6. In this case, I want to update my hosts so that they will use IPv6 locally when using their domain names. Even though my authoritative DNS server has the AAAA records setup correctly, because I had updated Ubiquiti to use the local IP on the USG, it would not return values for my servers. Here’s how I fixed that issue, in a not great way. I’m currently on controller version 5.10.19.

Let’s assume the following:

  • Domain: somelab.us
  • Host: someserver
  • IPv4: 192.168.1.15
  • IPv6 (Fake): 2606:1101:6412:fd00:223b:4911:2314:7843

The first thing to do is make sure that dnsmasq is turned on as the DHCP server. This can be found in “Settings” -> “Services” -> DHCP. Just make sure “Use dnsmasq as DHCP server” is turned on.

Read more »

IPv6 on Cincinnati Bell Fioptics with VLANs using Ubiquiti USG

Cincinnati Bell Fioptics has recently started the deployment of IPv6 through the network. Luckily, we will be allowed to pull a /56 prefix.

A bit of a warning, but the /56 prefix is not sticky to you. If your network connection becomes disconnected for long enough (as of this writing it is 7 days), you could be assigned a new /56. Also, if you put a new device on with a different MAC, you will get a different /56 prefix.

Another note is DNS. You will not be getting AAAA records for the DNS servers. DNS queries will continue to go to their DNS servers using IPv4 addresses. This is fine. You will still get AAAA IPv6 addresses when available for domain names when available, just the communication to get that AAAA is over IPv4. Since you will be dual stack, having both IPv4 and IPv6, there will be no issues.

My network setup currently is as follows:

  • Connections
    • ONT is connected to the USG eth0 ethernet port (WAN)
  • Interfaces
    • WAN1
    • VLAN 1: Management
    • VLAN 2: Home Network
    • VLAN 3: DMZ Network
    • VLAN 4: Guest Network
  • Hardware / Software
    • Model: UniFi Security Gateway 3P
    • Version: 4.4.36.5146617
    • Controller Version: 5.10.20
Read more »

Fioptics TV service with Ubiquiti Setup

At this point, these are more notes for fixing it between upgrades. I use this so that I can hook my UniFi Security Gateway 3P directly up to the ONT and allow all video services to work correctly on my network, with VLANs.

There are too many references to remember on how I built this over the years, but a lot comes from multiple articles on DSL reports, along with things friends have done over time.

My Home Setup

I have multiple networks setup at my house, but in this scenario I will be using my “Home” network, which has the following details:

  • Network Name: Home
  • VLAN: 2
  • Subnet: 192.168.1.1/24

I have the following equipment in my home also that will be used for video:

  • UniFi Security Gateway 3P
  • UniFi Switch 24
  • Actiontec 5240 MoCA Adapters
    • One of my STB has access to Coax, but no Ethernet, so I use a MoCA adapter being my switch and another in front of the Cable Box)
  • Amino Cable Box
    • Entone and ZTE Cable Boxes could be used also. Those have MoCA built in, which reduces the need for a MoCA adapter connected to the Cable Box.
    • An additional note. The Amino Cable Box is wireless, but requires WPS to sync up. Ubiquiti does not support WPS, so they will need to be connected up with Ethernet (or a MoCA adapter).
Read more »

IPv6 on Time Warner with VLANs using OpenWrt

I’ve retired the old Linksys e3000 running TomatoUSB and have replaced it with a ZyXEL NBG6716 802.11AC router that is running OpenWrt Chaos Calmer.  One of the things I was never able to get to work on the e3000 with Tomato-USB was getting each of the four VLANs an IPv6 subnet.  I could only seem to pull down a /64 from Time Warner, which would then get assigned automatically to my first VLAN.  The good news is, I am now running with a /56 assignment from Time Warner with each VLAN assigned a /64.

My current setup looks like:

  • ZyXEL NBG6716 AC router
  • OpenWrt Chaos Calmer r43762 (snapshot of trunk at the time)

So, to start out, make sure you have the following software packages installed:

  • ip6tables
  • ip6tables-extra
  • kmod-8021q
  • kmod-ip6tables
  • kmod-ipv6
  • odhcp6c
  • (optional) luci-proto-ipv6

Setup WAN

At this point, I configured the WAN interfaces to pull an IPv6 address (Network -> Interfaces).  Edit the WAN6 interface to update the following settings:

  • General Setup Tab
    • Protocol: DHCPv6 client
    • Request IPv6-address: try
    • Request IPv6-prefix of length: 56
  • Advanced Settings Tab
    • Bring up on boot: checked
    • Use builtin IPv6-management: checked
    • Use default gateway: checked
    • Use DNS servers advertised by peer: check (even though TW hasn’t passed IPv6 DNS servers to me yet)
  • Physical Settings Tab
    • Bridge interfaces: unchecked
      • Interface: “Ethernet Adapter: “eth1”
  • Firewall Settings
    • Create / Assign firewall-zone: wan

Create VLANs

Now create the VLANs that you want to use (Network -> Switch).  Make sure that each of the VLANs you create are tagged for the CPU.  In my setup, I have the VLANS: Management, Home, Guest, DMZ.

Create Interfaces for the VLANs

Read more »

Burnt VPN Pi (VPN Hotspot on Raspberry Pi)

Warning: I found this in my drafts and I think it was mostly done.  Enough where I can follow it again.  You might have issues following it word for word though until I can recheck and remove this warning.

Purpose

The purpose of this project is to create an environment where we can use two Raspberry Pi’s to create a temporary VPN tunnel, where the client Pi also has an AP hotspot that routes all traffic through the VPN tunnel.  This is good for those people who are going to countries that have different policies than your current country.  Some of the uses I’ve used it for:

  • Watching Netflix while in another country so that I can view my home countries content
  • Getting around country firewalls that block applications such as Facebook, twitter, Instagram, etc
  • Connecting back to a trusted network when I am in a spot where the network is known to be monitored and trying to steal data.

Install the Required Software

Install the following packages:

apt-get update
apt-get upgrade
rpi-update
apt-get install openvpn hostapd resolvconf dnsmasq cryptsetup libnet-ifconfig-wrapper-perl cryptsetup

Now disable some of the software from starting up, as we will be having these pieces start up triggered by future events such as eth0 up and openvpn up:

update-rc.d openvpn disable
update-rc.d hostapd disable
update-rc.d dnsmasq disable

Load modules

Read more »

Setting up TomatoUSB for VLANs and Ubiquiti AP

So after getting a quarter of the way through a comment to a question somebody had on my Ubiquiti APs, TomatoUSB, VLANS, and Linksys e3000 post, I realized it would probably work better as a post instead. Christoph’s question was:

How did you wire everything? I’m trying to do the same and had no luck. I only have one UAP, but if I turned on tagging for the Port I used for each bridge, I wouldn’t even get an IP.
I would like Management and Home to be one vlan, and guest another, so my setup is simpler. Maybe knowing how you wired it will help.
Thanks!

I’m going to walk essentially through what steps I remember taking to get up that far.

Assumptions

  • VLAN 2: Home / Management
  • VLAN 3: DMZ
  • UAP plugged into Port 1
  • Admin Computer plugged into Port 4
  • Management / Home network is 192.168.1.0/24
  • Guest network is 192.168.2.0/24
  • You have a VLAN edition of Toastmans TomatoUSB mode

Setting up TomatoUSB Read more »