    • Joel

      Edgemax Site-To-Site VPN + NAT

      IT Discussion vpn networking ubiquiti ubnt edgemax edgerouter nat
      2 Votes
      3 Posts
      1k Views
      JaredBusch

      Yeah, WTF?

      Are you connecting a permanent IPSEC tunnel with some other network you do not control?

    • scottalanmiller

      MS-CHAP on Ubiquiti EdgeRouter

      IT Discussion ubnt ubiquiti edgerouter edgeos router networking pap chap ms-chap security
      2 Votes
      7 Posts
      3k Views
      dbeato

      @bransona said in MS-CHAP on Ubiquiti EdgeRouter:

      @scottalanmiller is correct. I have Edgerouter 2.0.9 and it STILL requires PAP in the Windows policy. Under Config Tree, there is no way to make the router use MSCHAP or MSCHAPv2 instead of PAP (cleartext). I went to notify Ubiquiti hoping they can potentially have this included in another firmware release soon, but Ubiquiti Support was apprised of this 5 years ago! https://community.ui.com/questions/Encrypted-Radius-Supported/7857b119-91d8-4365-8c2a-8c21de0937a4

      Yup it has been a big issue for a while now on the EdgeSwitches too.

    • Dashrender

      Time to gut the network - thoughts?

      IT Discussion network ubnt cisco wireless edgeswitch edgerouter
      2 Votes
      280 Posts
      43k Views
      scottalanmiller

      @Dashrender said in Time to gut the network - thoughts?:

      @JaredBusch said in Time to gut the network - thoughts?:

      Correct you do have QoS. It is on the VLAN, that contains the voice devices.

      So the following is an incorrect assumption.

      @scottalanmiller said in Time to gut the network - thoughts?:

      You might want to LEAD with.... since we discovered that QoS was not set up properly and has never been a problem we can assume that QoS and ensuring call quality cannot be the reason.

      Let them come up with a reason if you head that off at the pass.

      No, it's correct. They didn't do their jobs properly. They neither did the sensible, cost effective thing for the business, which would have been to not have a VLAN at all. Nor did they properly do QoS for your VoIP traffic.

      So no matter what, they didn't set up QoS correctly for you.

    • JaredBusch

      EdgeRouter PoE high CPU usage

      IT Discussion ubnt ubiquiti edgeos networking edgerouter
      5 Votes
      17 Posts
      5k Views
      JaredBusch

      @dafyre said in EdgeRouter PoE high CPU usage:

      @travisdh1 -- Maybe he should start with something simple... like a reboot? (I haven't seen him mention that anywhere).

      The entire reason it came back up is that the unit rebooted itself (crashed) at 1300 CDT yesterday.

    • JaredBusch

      EdgeMAX EdgeRouter software release v1.8.5

      IT Discussion ubnt ubiquiti edgerouter edgeos edgemax edgeos 1.8.5 edgerouter x firmware update
      7 Votes
      3 Posts
      2k Views
      wirestyle22

      Did you end up putting in a support ticket? Pretty unfortunate you haven't received a reply yet as to whether you should or not. Hopefully it's fixed soon.

    • JaredBusch

      Hello Mr Chinese IP based hacker

      IT Discussion ssh hacking erl edgemax edgerouter
      0 Votes
      13 Posts
      4k Views
      wirestyle22

      @tonyshowoff said in Hello Mr Chinese IP based hacker:

      That's why we set any WAN-facing SSH port to something obscenely high like 41022, not for "security" but because of the logs. In fact, all of our sshd services run following that pattern, as does our internal HTTP(S) servers but the load balancers take in 80/443.

      This prevents as many services as possible from running as root, which anything running port < 1024 does. I don't think most people even know this. At the very least if there's a NAT in play, one can always set ssh and web services ports much higher and just translate the ports to avoid the same issue.

      (I know there are some workarounds like setcap on Linux, but in general this is the default behaviour on most machines)

      For some reason this made me think of The Venture Bros, Hunter Gather says:

      And we want your sad ass undercover agents to stop trying to infiltrate our group. Frankly we're tired of killing them and we can't afford the body bags!

      Useful piece of information. Thanks!

    • JaredBusch

      Configure Site to Site OpenVPN connection with EdgeMax

      IT Discussion edgemax edgeos openvpn site-to-site vpn how to ubnt ubiquiti erl edgerouter
      7 Votes
      4 Posts
      6k Views
      AdamF

      @JaredBusch

      Good to know. I'm planning on starting this later this week. If I can get this working, I'm going to replace a pfSense firewall with an ERX or lite. Right now, this is the only thing that I don't have set up for ERX yet.

    • gjacobse

      ERL and Layer Two processing

      IT Discussion erl security l2tp vpn edgerouter lite edgerouter ubnt ubiquiti
      0 Votes
      7 Posts
      2k Views
      scottalanmiller

      @coliver said:

      Do VPN connections get created/torn down with every communication? Or are they persistent until the device disconnects?

      Normally neither. They are normally persistent until a certain amount of time, then they tear down when idle. Might be hours or days. That way they don't remain absolutely forever, but normally a very long time.

    • gjacobse

      Meraki vs EdgeRouter Lite - Analytics

      IT Discussion meraki erl edgerouter lite edgerouter edgerouter poe edgerouter x analytics reports
      0 Votes
      7 Posts
      2k Views
      gjacobse

      @JaredBusch said:

      You need to upgrade your ERL to firmware 1.8 to get the full traffic analysis capabilities in the GUI.

      Which has been done.

    • gjacobse

      UBNT VPN L2TP Remote Access

      IT Discussion ubnt edgerouter
      0 Votes
      8 Posts
      2k Views
      DustinB3403

      @gjacobse said:

      @DustinB3403
      That is our plan... of course it appears that we need to take a look at the Server DHCP Scope as well.

      Of course, don't want to try and overlap.

    • A

      Ubiquiti Edgerouter X VPN Setup

      IT Discussion vpn ubiquiti edgerouter edgerouter x vyos
      3 Votes
      80 Posts
      34k Views
      scottalanmiller

      @Dashrender said:

      @scottalanmiller said:

      @Dashrender said:

      @scottalanmiller said:

      @Dashrender said:

      Hell, forget Windows. Let's look at phones! Android phones rarely ever get patched. A hardware firewall in front of them seems very smart!

      If you are concerned with security to the point that you are carrying hardware to put in front of your phone, wouldn't you more likely just get an iPhone?

      The article implied that iPhones were just as easy to force to his AP as Windows or Android devices.

      The point was that they are patched regularly. The carriers can't block it and Apple really annoys people who hold back. Apple takes security seriously in a way that Google cannot because of how they treat the ecosystem and carriers.

      Google capitulated, Apple didn't. Apple said - you want our phone, you'll do it our way.

      The carriers told Samsung, LG, HTC, etc (I'm sure Google wasn't even part of it) you want us to carry your phones, you'll do it our way, or we'll find someone who will.

      Yup, leaving Apple with a stronger security hand.

    • JaredBusch

      A little confused on OpenVPN MTU

      IT Discussion mtu openvpn edgemax edgeos 1.7 edgerouter ubiquiti pppoe
      0 Votes
      4 Posts
      3k Views
      scottalanmiller

      Everything that you are doing sounds logical and makes sense to me. I'm pretty confident you are not going to hurt anything here. Will it help dramatically? No idea there. But I think it is likely to help without much risk. Seems like a good idea.

    • J

      EdgeRouter Lite

      Solved IT Discussion vyos vyatta router networking ubiquiti edgerouter edgerouter lite edgeos edgeos 1.7 ubnt
      2 Votes
      3 Posts
      2k Views
      JaredBusch

      @Jason said:

      Nevermind. #facepalm. Forgot to go into configure mode first..

      I may or may not have done that more than once.

    • gjacobse

      EdgeRouter Lite: Ad Blocking

      IT Discussion ubnt ubiquiti edgerouter
      1 Votes
      3 Posts
      2k Views
      scottalanmiller

      If it is a very specific ad that is an issue, you might want to consider blocking it manually either via IP at the router or via DNS or something similar.
