X Marks the Spot

random commentary on life, the universe, and anything

August 11, 2020
by puhfu
0 comments

Remote L3 adoption of UniFi Security Gateway (USG) by Cloud Key controller

I have an EdgeRouter 4 and dual WAN set up at our primary location with the WLAN managed by a Cloud Key gen 2. I needed to set up a Unifi Security Gateway at a secondary site for the usual reasons but wanted to use the primary site Cloud Key controller to manage the USG (vs having a second controller).

I started with the UniFi – Device Adoption guide which, in hindsight, was both generally informative and totally unhelpful. Almost anti-helpful in fact. Following the guide, I wound up setting up a ‘temporary’ controller on a laptop to do the basic config for the USG.

I was able to set up a site-to-site L2TP VPN between the EdgeRouter and the USG using the very clear EdgeRouter – Site-to-Site IPsec VPN to USG guide.

topology.png

As a side note, easiest way to verify that the VPN is up using the Feature Wizard > VPN Status (https://edgerouterip/#Wizard/feature/VPN_status).

Although the VPN was up, the Cloud Key controller could not see the USG at all. The UniFi – Troubleshooting Device Adoption guide was generally informative and helped to identify the issue. The USG needs an “inform address” to phone home to in order to be adopted over the internet. Unfortunately, it pointed to the UniFi – Device Adoption Methods for Remote UniFi Controllers guide which was quite the waste of time. With the one exception of needing to set the inform URL on the USG – which you can’t do if you can’t connect to it remotely.

I found the solution in USG set-inform for dummies.

Here’s what worked for me:

Primary Site
  1. Set up dynamic DNS for my primary site WAN connection (as the WAN IP is assigned via DHCP). If you have a static address, create a DNS A record.
  2. Map TCP port 8080 at the EdgeRouter through to the Cloud Key inform port. (UniFi – Ports Used)
  3. Map UDP port 3478 at the EdgeRouter through to the Cloud Key for STUN support. (UniFi – Troubleshooting STUN Communication Errors)
Secondary Site
  1. Reset USG to factory default state (or start from there if you didn’t waste time configuring the USG like me)
  2. Plug the WAN connection into eth0. It’ll pull an IP from your ISP DHCP server. Should be live on internet at this point.
  3. Plug a computer into eth1. The default USG runs a DHCP server and assigns an IP from 192.168.1.0/24.
  4. ssh into the USG (192.168.1.1) using the username/password: ubnt/ubnt
  5. Enter the following:
# mca-cli set-inform http://unifi.controller.com:8080/inform
# exit
# reboot

The USG should now be visible in your Cloud Key controller for adoption. It disappears and then reappears when provisioned. Keep in mind you can only have one USG per controller site, so if you have a USG already you will need to have a second controller site for the new USG.

July 3, 2020
by puhfu
0 comments

Edgerouter 4 and https SSL certs

Wanted to get rid of the annoying not secure https session so found these instructions.

https://community.ui.com/questions/How-to-install-a-Valid-Certificate-on-the-ER-version-1-8-5-and-above/71d1fb1b-198d-4114-910c-1a24326104b4#comment/6b468339-fe58-4d9c-b6f7-d0cbbf64d541

Used zerossl.com for the 90d certificate. So every 90d I have to install the updated cert.

Quick instructions:

  1. CSR -> zerossl
  2. Generates cert and ca-bundle (as .crt files)
  3. Download and save on local computer, extract zip
  4. Copy cert into server.crt on ER4 and append key file (cat <keyfile> >> server.crt)
  5. Copy ca-bundle into ca-bundle.crt on ER4

That should work for updates.

June 18, 2020
by puhfu
2 Comments

Day One and IFTTT troubleshooting

The Problem

I couldn’t get twitter and facebook sync to work using IFTTT. Both failed with “There was an error during the check process.” messages.

Adam @ Day One support chat was amazingly helpful.

The Solution for Twitter

Because I purchased through the Mac app store, my Apple ID was linked to the account and the iCloud email was propagated as the account email, but there was no Day One account password set. In order for IFTTT to sync to Day One, it has to use the Day One account to log in instead of a federated login (like Google or Apple ID). Here’s what I had to do to get it to work:

  1. Go to https://dayone.app/settings in a web browser
  2. Click the option to sign in with Apple ID. 
  3. Sign In. 
  4. Add a password to your account. It may look like there is a password (has a bunch of “*********”, but if there is a box to the right to click that says “add password” then there isn’t a password. If there was a password already, it would say “change password”.

Then, I had to reconnect the service using the sign in with email option instead of Apple ID.

*Pro-tip: sign out from Day One first (https://dayone.app/logout) so that you get prompted to sign in using the Day One account (vs Apple ID)*  

Ref: https://help.ifttt.com/hc/en-us/articles/115010229587-How-do-I-change-the-account-associated-with-a-service-

Once all that was done, it passed the check.

Once.

And then it started failing again. This was using the official Day One applet. There’s something janky going on. I got frustrated and just created my own applet and it works fine now.

The Solution for Facebook

Turns out, the facebook issue was as simple. The service was logged out. Duh. Logged back in. Works like a charm.

I wound up creating my own applet for Facebook link posts because I didn’t like the formatting of the Day One version.

June 17, 2020
by puhfu
0 comments

Journals, Journaling, and the app journey (which was pretty brief, actually)

Well, after some encouragement from my therapist (dealing with my mom’s rapidly declining health), and some procrastination, I’m finally biting the bullet and doing what all the, heck, not cool, but actually, who journals?

Rabbit hole: https://medium.com/mind-cafe/why-keeping-a-daily-journal-could-change-your-life-9a4c11f1a475

I guess you can take the boy out of the workplace and make him work from home because of COVID-19 but you can’t take the informaticist out of the boy.

Functional Requirements:

  1. A good UX and UI
  2. Nice fonts
  3. Makes it easy to write
  4. Easy to add photos or video from iPhone (or desktop but mostly iPhone)
  5. Integration with Facebook, Instagram, maybe Pinterest (for recipes, seriously guys, stop hating), and this WordPress blog
  6. Integration with Peloton (seriously, don’t appreciate the judgment)
  7. Available on MacOS with apps for iPhone and iPad that take into account that they are different platforms
  8. Sync across platforms, frequently, so that can start on one, continue on another
  9. Exportability in case someone gets greedy and I need to cash out my chips from that platform

Assumptions:

  1. Freemium is not going to be enough. What’s the threshhold? Probably $3/month (one Starbucks-ish)
  2. Apple ecosystem is priority over others
  3. I need to do the least amount of work possible to include the most amount of information

Research:

Candidates:

  1. Evernote – simple, basic, I use it for note keeping (outside of the notes I keep in OneNote)
  2. Day One – minimalistic, Instagram integration is out of the box, uses IFTTT for sync (yay since I already use that), covers the platforms I would likely use to journal (MacBook, iPhone, iPad), but uses own sync service
  3. Journey – closest to Day One but cross-platform and web (but really, how important is this? am I ever going to do this on an android device or linux box? nope), Zapier for integration, uses Google Drive to sync/store data

I really wanted to test out the sync had to buy something. Rolled the dice, ignored the people bitching about Day One moving to a subscription model (hey, they have to pay for infrastructure somehow), bought it.

Some problems:

  1. If you sign up for Day One first using google authentication (OAuth2), but then purchase through apple authentication (in-app purchase), you wind up with two Day One accounts. Took a bit of figuring out, but deleted the google account and then logged into Day One using apple account.
  2. Why did I need to do this? Well, IFTTT is the sync tool. You have to have the premium version of Day One in order to use IFTTT. But the premium version was registered to the apple account and I was logged into the google account. Yes, it’s been that kind of day.
  3. I can’t get twitter and facebook integrations to work through IFTTT. It fails the service check. (“There was an error during the check process.”) Will it work? Only time will tell.
  4. I guess this is the check on whether the WordPress integration works. Here goes nothing.

Addendum:

  1. WordPress to Day One worked!
  2. Sort of.
  3. If you include an image URL in the recipe, and there is no image, it breaks and shows a file not found image. Okay, that makes sense. Thanks IFTTT for great documentation and putting the URL to the explanation *IN* the image itself. That was really nice.
  4. No HTML formatting.

May 5, 2020
by puhfu
1 Comment

“incorrect password” error on iOS devices on UniFi wifi network

Source: https://gonza.fi/en/unifi-incorrect-password-ios-iphone-ipad

The Unifi line of WiFi access points from Ubiquiti have a strong reputation for being reliable devices. However, many users are reporting “incorrect password” errors when using premium mobile devices from Apple. Fixing this issue is easy using the Unifi controller WiFi settings.

The reason for the error is WiFi management done on iOS devices. The default settings for the Unifi range are not compatible with iOS 11 and 12. The reason for the error is the “DTIM Mode” that has to do with the beacon timing setting due to power saving. The default value for the Unifi WiFi devices is 1, but it is recommended that this be set to 3 or higher by Apple.

The remedy is to done using your Unifi Controller. Open the administration interface, go to setting and select WiFi. Then select the WiFi where iOS devices are experiencing the “incorrect password” error. In this section you can apply the configuration steps with the following steps:

– Open 802.11 Rate and Beacon Controls
– Uncheck DTIM Mode checkbox for Use default values
– Set DTIM Timing to 3 for both 2G and 5G

That is it. This configuration works better with the power saving features of iPhone and iPad devices on a WiFi network powered by Ubiquiti Unifi wireless Access Points.

I am using a 1st generation Ubiquiti Cloud Key to manage the network so:

  1. Settings > WiFi > WiFi Networks
  2. Mouseover the network name and click on Edit on the right side
  3. Go to: 802.11 RATE AND BEACON CONTROLS
  4. Toggle on: Override DTIM Period
  5. Set both 2G and 5G DTIM Timing to 3

Also: Go To Sleep, Go To Sleep, Go To Sleep Little iPhone https://www.sniffwifi.com/2016/05/go-to-sleep-go-to-sleep-go-to-sleep.html