Category Archives: SysAdmin

TP Link Archer VR600

TP-Link Archer VR600

You might be wondering why I’m blogging about another router just after buying myself something much nicer. The answer, as ever, is one of the handful of friends and family for whom I still do tech support. In their case, it really had to be a single-box solution which does everything, and while MikroTik is all good fun to spend hours configuring for oneself, something much more plug in and go was needed in this case.

The person in question had a Billion 8800NL (ISP supplied), which is well regarded but felt a bit flimsy. More to the point, it didn’t seem capable of reliably reconnecting after line drops without being turned off and on again. Things had massively stabilised (maybe one reboot per week required) and I was almost tempted to leave well alone, but even one failure to recover automatically is really too many for this user. It needs to Just Work, especially since we are indulging in the rather adventurous practice of VoIP over ADSL as this person’s primary “landline”.

A trawl around Amazon for ADSL routers is a rather boring thing. Anything costing less than £100 – and plenty costing that or more – seems to have at least some reviewers ranting about lock-ups, over-heating and dead spots. In the end, we spent £100 on the TP-Link Archer VR600, partly because it looked OK and partly because I could go and get one from Argos rather than waiting for delivery.

It’s quite nicely built, and the web interface makes reasonable sense. It allows various things including setting it to respond to pings from the internet (essential for my tech support “clients”, whose lines I have configured on my monitoring system so I get notified of any outages), and the usual array of port forwarding, WiFi, etc. It was rather sad to find an option in there to have the thing reboot itself on a daily or monthly schedule – surely an admission that they haven’t engineered it very well in the first place…

That said, it was really good to find an option in there for automatic firmware updates – the days of downloading arcane .bin files and uploading them by hand are (or should be) well over, and I’d much rather have an installation like this one take care of itself automatically.

The router also allows remote admin from a specified IP address, which is handy as it allowed me to set it up for remote control from a location of mine with a fixed IP. This is good in theory, but the web interface is horribly broken unless you visit it at http://ip-address-of-router (i.e. anything different in the address bar, caused by assigning some DNS or reaching it indirectly via a port forward, causes it to get upset and fail to load its CSS).

I’ll update this post in a couple of weeks with how well it manages to hang on to the ADSL connection (and recover it in the event of blips).

Triple monitors + T470s: yes you can

If you happen to have a Lenovo T470s and a USB-C dock with a single HDMI output, it seems Windows 10 can cope with driving twin external displays: one over the dock, and one on the laptop’s own HDMI port. This is in addition to the laptop screen, although my particular monitors aren’t HD.

Update: don’t unplug the connections after suspending the laptop, or the internal display won’t work when you wake it up again!

Mikrotik hAP ac: really rather nice

Mikrotik hAP ac

I got myself an early Christmas present. Various things have always bothered me about ISP-supplied routers. In particular, the BT Home Hub 6:

  • Slow web interface
  • Can’t be made to respond to ping from the internet (or at least, the machine running my monitoring system)
  • IPv6 support feels sort-of iffy – hard to pin this down, but sometimes devices seem not to get a v6 address for no good reason
  • No way to get it to tell you stats, e.g. how much have I downloaded this month? (Useful to know if you’re pondering the cost of switching to an ISP with usage-based billing)
  • No guest WiFi network option
  • Broadcasts a BT Free Wifi type network with no way to turn it off
  • Occasionally gets a different IPv6 prefix when rebooted

And, although you can keep the WiFi network name the same when swapping in a new router, you still end up having to reconfigure static IP addresses, port forwarding, etc. Time to separate the job of routing from the job of speaking to my ISP…

Various colleagues recommended Mikrotik. I had a dig around their Home/SME offerings and decided on the hAP ac – for a two bedroom flat, fewer Ethernet ports and faster WiFi makes sense. It’s handy that it has five ports, because all four on the HomeHub were occupied, and of course you need an extra one to link to whatever takes over the job of establishing your DSL connection. Fortunately I happened to have one of these lying around:

The classic OpenReach VDSL modem (ECI). They don’t do them any more.

These aren’t the most awesome VDSL modems in the world – you can’t get it to tell you the sync speed, etc. – but the HomeHub claimed I was syncing at 80mbps down and 20 up, and speed tests via the above and the Mikrotik suggest I’m still in that ballpark. Maybe I’ll replace it with something fancier in due course.

First impressions of the Mikrotik are good – with their quick setup and some Googling, it took me less than 20 minutes to re-establish WiFi and an internet connection with IPv4 NAT and a sensible default firewall. Someone out on the internet had written up the instructions for getting BT’s IPv6 working, and it looks like their prefixes are supposed to last for 10 years – so hopefully telling the Mikrotik to supply a “prefix hint” to re-request the same one on reboots should put a stop to the occasional changes.

The web interface is nice and snappy and allows you into all the hidden corners. You do need to know a decent amount of networking, and a bit of Linux IPTables, to make sense of it all. You can also configure over SSH via the command line.

To make the transition easier, I set it to broadcast the same WiFi network name (with the same password) as the old HomeHub. Almost everything transitioned over seamlessly. The one exception was the Amazon Echo (interestingly, the newer Echo Dot was OK). A bit of Googling suggests that it does not like the default DHCP lease time on the Mikrotik. Ten minutes does seem a bit tight, so I’ve bumped it to 24 hours and Alexa now seems happy.

Finally, guest WiFi was easy to turn on. I have a more complicated future set-up in mind, but for now, everything is in place and it’s nice to know that next time I change ISPs, I’ll only need to plug in a new bridge (or even just new credentials for the PPPoE link), and everything else will stay the same. And for the first time in four years, Nagios can run active ping checks on my home connection and see that it’s up.

Update: the “Torch” and packet dumping features are excellent – this sort of instrumentation capability comes in really handy for the discerning nerd, e.g. seeing what your IoT devices are up to.

Google Apps: Error 1000 when changing SMTP settings

Do you have Google Apps on one of your domains, left over from the days when they gave it away for free to organisations of fewer than 10 users? I do.

Ever tried to tick this box and got a “We are unable to process your request at this time. Please try again later. (Error #1000)”?

A search suggests that many people on “legacy” (free) Google Apps have run into this, but naturally Google aren’t going to help unless you become a paying customer.

Fortunately, I stumbled across the solution: after ticking the box and before clicking Save, change one of the other settings on the page as well. I used the catch-all e-mail setting (and then changed it back later). Google are correct that the setting change above takes a few hours to propagate to all your GMail users, but it has now started working for me.

How hard can it be?

Sometimes, I wonder if it’s me getting old or large corporations failing to shut up and take my money. Or in this case, somebody else’s money.

Although this is my last year “doing the money” for St Columba’s, I’m still one of an elite handful of people who “work in IT” and thus do all the geeky stuff. And our new minister moving into the manse should have been a chance to enjoy spending the church’s money on a stack of equipment (laptop, mobile phone, etc.) and sorting out an internet connection.

Oh dear, sorting out an internet connection. Here we go again. The default option was Virgin Media: after all, we already have one site with them, so no need for a tedious credit check and a load of faff, just call their sales team (very efficient) and get given a date for a site survey. That gets done, though annoyingly the team they send takes about five minutes to say “we’ll need to run a duct, somebody else does that” and buzz off.

They then fail totally to turn up to do the digging, blame it on “our landlords” (a likely story since we own the house outright – though it’s possible some tedious neighbour complained to the management company about digging up a shared driveway). They claimed it could be sorted, I decided I wanted it fixed before I turned 40, and moved on.

OK then, let’s use the BT phone line already in place. Zen are a supplier I know and trust in situations like this (i.e.: not interested in switching every 18 months to get a good deal, just want good service at a reasonable and stable price). Unfortunately, entering the post code on their site results in a blank grey page. And their social media team seem completely incapable of getting that sorted.

Finally, third time lucky, IDNet got the business, and (aside from some questionable non-default setting choices on their router), seem to have done everything right. I was particularly pleased that their team e-mailed me after I put in an order based on postcode, saying “there’s a stopped line in the property – want us to re-start it?” and giving me the number to confirm using 17070. It’s been up and running for 24 hours so far, so let’s see how it goes…

Bytemark bought by iomart

And so, after sixteen years, Bytemark has been bought out. In common with rather a lot of other customers (if Twitter is anything to go by), I was a bit saddened to hear about this via The Register rather than an announcement. I don’t blame the owners in the slightest – they have every right to cash in on their hard work after sixteen years. And whilst the construction of their own data centre undoubtedly gave them a cost edge over the long term, it no doubt needed to be paid for first.

Unlike other customers, I’m not going to idealise the company’s previous state – my nine year happy relationship with them has been based on our dedicated server Just Working for the most part, and me never needing to contact support. On the rare occasions when I have, it’s been a mixed experience. Such as the time when my query about adding a .mx domain name to their DNS service got a keyword based response: “your MX records look OK to me”. Or even better, the occasion when they managed to e-mail me another customer’s control panel password by accident.

I won’t be making any sudden moves, and if the founders are to be believed, neither will Bytemark.

I hope USB-C catches on

A small connector for a lot of power and data

New laptop, new docking station. But not the proprietary plastic tray of olden times; we’ve been trying out these new Anker USB-C mini-docks at work. I’m really impressed by mine: one cable to plug in when I get to my desk, and I have power and networking, an external monitor and mouse, and an SD card reader. Oh, and a USB port left over which charges my phone even when the laptop isn’t on the dock.

It does get properly toasty when the full set of ports are in use, but that’s not entirely a surprise.

The other nice thing about these is that they can be used with recent MacBooks as well as PC laptops, and if the interface lasts, they’ll be re-usable for the next generation of laptops too rather than tied to one model.

Lenovo T470s

Do your keys glow in the dark? Mine do.

I’ve just been issued with one of these as my new work laptop. So far, I have to say I’m impressed – it solves the poor screen resolution of the X230 I had for many years before it, weighs impressively little, doesn’t get hot during light to medium use; generally works.

Its feet don’t grip the desk well enough – they seem to be felt rather than rubber – but I’m sure I can MacGyver my way round that…

More to follow on how I find using Windows as my primary OS for the first time in five years!

SSH rate limiting vs check_by_ssh – oops

Now that I’ve once again got reliable notifications from my monitoring system, being woken up by them at 6.30AM on my first day off for the Christmas break needed fixing. My Nagios has sent out lots of “spurious” alerts for some time, and my hope was that getting woken up by them would motivate me to fix it. I’m pleased to say that it has!

In addition to checking various machines respond to ping, my system also logs into them using check_by_ssh and checks various things by running commands locally. Sometimes the entire block of SSH-based checks for a server would flip over to CRITICAL with “connection timed out”, even though the machine remained up and running. There was no evidence of a high load average to explain the timeouts, and a bit of checking with netcat revealed that connections to port 22 on the machine in question really did time out from the monitoring machine (but not from anywhere else).

At this point, I had a lightbulb moment and remembered that our firewalls automatically block SSH connections from any IP address which attempts more than 10 in a 60 second period. This crude rate limiting is one of many lines of defence against brute-force attacks, but of course, some hosts have more than 10 checks run over SSH. And the way Nagios runs means that quite often, it hits the rate limit, then continues to do so as it re-tries the checks one after another. The backoff it performs doesn’t help, because it backs off the retry interval in lock-step for all 10 checks.

Having added an exemption to the firewall rate limiting for our monitoring server’s IPs, all is now well in Nagios, and hopefully the only rude awakenings from the alerts will now be genuine outages.

(And it only took me five years to find time to get to the bottom of this intermittent problem!)
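The failure mode above is easy to reproduce offline before the firewall does it for you. The script below is an added example, not part of the original post: it replays a sliding-window limiter (more than 10 SSH connections from one address in 60 seconds gets that address blocked, as described above) over constructed sshd log lines, and shows that a monitoring server running a dozen check_by_ssh checks trips it unless its address is on an exemption list. The IP addresses and log lines are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines (no year in the timestamp), not taken from any real host.
# 192.0.2.10 stands in for the monitoring server running 12 check_by_ssh checks back to back;
# 198.51.100.7 is an ordinary user with two logins spread over a couple of minutes.
MONITOR_IP = "192.0.2.10"
SAMPLE_LOG = [
    f"Dec 23 06:30:{s:02d} web1 sshd[{1000 + s}]: Accepted publickey for nagios "
    f"from {MONITOR_IP} port {50000 + s} ssh2"
    for s in range(12)
] + [
    "Dec 23 06:30:05 web1 sshd[2001]: Accepted password for alice from 198.51.100.7 port 40001 ssh2",
    "Dec 23 06:31:30 web1 sshd[2002]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
]

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .* from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(lines):
    """Return (timestamp, source_ip) pairs, oldest first.
    Syslog lines carry no year, so strptime defaults to 1900; only differences matter here."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)))
    return sorted(events)


def find_rate_limited(events, limit=10, window=60, exempt=frozenset()):
    """Replay a sliding-window limiter: a source making more than `limit` connections
    within `window` seconds is blocked. Returns {ip: timestamp of the connection that tripped it}."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    blocked = {}
    for ts, ip in events:
        if ip in exempt or ip in blocked:
            continue
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop connections that have aged out of the window
        q.append(ts)
        if len(q) > limit:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("without exemption:", find_rate_limited(events))          # monitoring server blocked
    print("with exemption:   ", find_rate_limited(events, exempt={MONITOR_IP}))  # nothing blocked
```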

Pushover (Android push notifications)

I’ve been looking for a new means of getting alerts from my Nagios (server monitoring) for some time. Previously, I used SMS notifications from Nagios, but at upwards of 5p per credit, given the way a flaky link can result in 10 or 20 notifications in a short space of time, this was starting to get quite expensive. It also doesn’t fit very well with the fact that SMS can cost more to receive abroad and, generally, I spend more time in places with a reliable WiFi connection than with a good mobile signal – especially when visiting family at Christmas.

What would seem appropriate here, then, is some kind of push notification service working over data rather than SMS. Notify My Android doesn’t seem as well regarded these days, but Pushover looks really good. I particularly like that you’re provided with an e-mail address which you can just plug in to things like Nagios to have e-mails turn up as push notifications, without having to script their API.

I’m 24 hours into their 7 day trial, and so far so good. Their app is nicely featured including mute/unmute of sound and vibrate notifications, and quiet hours.