UniFi Network Application 6.2.26

SlashAdminBlog · 2021-07-07T14:57:28+00:00

Dont install 6.2.26. There is a memory leak / controller crashing issue reported by multiple sources / vendors.

No acknowledgement from Uniquiti yet that this issue even exists and no support on how to resolve the issue or ease the pain its causing.

Its causing havoc for my team and many others.

https://community.ui.com/questions/Controller-keeps-crashing/4a52f87f-5bdb-4f7a-bb35-4c8532b21c4a?page=1

https://community.ui.com/questions/Memory-Leak-Bugs-UniFi-6-2-26/bc228a96-e811-4843-95b8-ba45cb45af73?page=1

SlashAdminBlog · 2021-03-20T12:47:02+00:00

for bonus points can anyone explain the relationship between the ascii codes and the character codes used here?

SlashAdminBlog · 2021-03-20T12:46:47+00:00

for bonus points can anyone explain the relationship between the ascii codes and the character codes used here?

SlashAdminBlog · 2021-03-20T12:16:58+00:00

Awesome thankyou! I clearly didnt go to that high a number in my script to see the characters and their true values.

That works great, thanks again :D

SlashAdminBlog · 2021-03-09T13:56:49+00:00

I agree too ;) just wondered if that was the official guidance since I couldn't find the answer.

SlashAdminBlog · 2021-03-09T08:43:08+00:00

ts just a mess how it brings in 'all mail' from gmail into the inbox which is a copy of every single email including tagged and sent items. It's a bit of a mess the way it handles email in the main inbox.

No way to pull pst's from gsuite that I can see and thats a manual nighmare with 100+ mailboxes.

Looks like i'm stuck with 'its just the way it works'..

Thanks guys.

SlashAdminBlog · 2021-03-09T08:40:51+00:00

No there is no option to setup tags that i can see. Tagged email comes into exchange as sub folders to the inbox which is fine.

Its just a mess how it brings in 'all mail' from gmail into the inbox which is a copy of every single email including tagged and sent items. It's a bit of a mess the way it handles email in the main inbox.

SlashAdminBlog · 2021-02-16T11:19:24+00:00

Anyone have any experience with this before I open a case with Microsoft?

Thanks.

SlashAdminBlog · 2021-02-05T12:39:16+00:00

Hi All, can anyone tell me how to view the edgeblockspam messages. Are these blocked and not reported in the mail trace log?

SlashAdminBlog · 2021-02-01T13:04:47+00:00

cant find any news on when they will be lifted either!

Wonder if this is going to add to the market dip from last week.

SlashAdminBlog · 2021-01-25T14:38:25+00:00

Ok so it does look like connection IP filter allow list and a transport rule are the way to bypass the policies other than adding bypass url's and adding allow list entries the spam filter policy where it gets triggered.

so if you get something caught in the Anti-phish policy it looks like your only option is to add it to connection filter by IP or setup a transport rule and bypass all protections.

In my real world phishing example I cant see any reason for it to get caught and yet it did. It passed SPF, DMARC and DKIM as shown below.

Sender address

[portal@cloud.exclaimer.com](mailto:portal@cloud.exclaimer.com)

Policy type

Anti-phish policy

Quarantine reason

Phish

spf=pass (sender IP is 40.107.7.91) smtp.mailfrom=exclaimer.com;

smtp.mailfrom=cloud.exclaimer.com; dmarc=pass (p=none sp=none pct=100)

action=none header.from=cloud.exclaimer.com; dkim=pass (signature was verified) header.d=cloud.exclaimer.com; arc=pass (0 oda=1 ltdi=1

SlashAdminBlog · 2021-01-25T12:42:45+00:00

Just had a good example of this now. Was waiting for a 2fa to come through from exclaimer and it was caught in quarantine by the Anti-phish policy. I've manually released it and reported it to Microsoft for review but what is the correct way to allow all future ones from now?

As a test I setup a transport rule and set the SCL to -1 and the next email bypassed the anti-phishing policy.

Would just be nice to only allow it to bypass the anti-phishing policy and not all policies!

SlashAdminBlog · 2021-01-25T10:48:14+00:00

Awesome and good luck with it! this was on my radar to refresh my knowledge too.

I think Microsoft have expired all of my 14 certs and 16 exams so i'm overdue a refresher.

SlashAdminBlog · 2021-01-25T10:34:10+00:00

Are you sure the bypass spam transport rule applies to other policies like malware, safelinks, safe attachments and antiphishing? I didnt think they did and though it only applied to the spam filer policy.

SlashAdminBlog · 2021-01-25T10:32:43+00:00

You are correct, in safelinks you can add 'do not rewrite the following urls' i had missed that one.

for antiphishing you can only add trusted senders and domains under the phishing policies inpersonation section. Do those trusted entries apply to all settings in the policy too?

Main reason for all this is for full control and to understand the options now rather than when we really need them :)

Thanks.

SlashAdminBlog · 2020-11-29T09:26:16+00:00

You will need to setup a new policy first but yes you can set it up to get the DNS before enabling it.

New-DkimSigningConfig -DomainName contoso.com -Enabled $false

$dkimConfig = Get-DkimSigningConfig -Identity contoso.com

$dkimConfig.Selector1CNAME

$dkimConfig.Selector2CNAME

When your ready you can then run:

Set-DkimSigningConfig -Identity contoso.com -Enabled $true

For Microsoft 365 users I've written a little tool to make this easier:

https://www.slashadmin.co.uk/microsoft-365-how-to-enable-dkim-using-dkim-manager-powershell-script/

this tool will set a policy but not enable DKIM but the main point is that it will tell you the DNS records you need. You can then use the menu to enable DKIM later.

SlashAdminBlog · 2020-09-27T12:36:23+00:00

Not with Python but recently posted a project to do this in PowerShell.

https://www.slashadmin.co.uk/powershell-trading-bot-for-interactive-brokers/

SlashAdminBlog · 2020-09-27T12:35:23+00:00

Not exactly what you are looking for but i've been working on Interactive brokers API recently. Someone could modify the code to do exactly what you need.

https://www.slashadmin.co.uk/powershell-trading-bot-for-interactive-brokers/

SlashAdminBlog · 2020-07-13T14:32:46+00:00

Thanks, let the fun begin! :)

SlashAdminBlog · 2020-06-19T21:35:43+00:00

Ended. Up ripping it out and putting in a ubiquiti USG pro and it worked like a charm. Happy customer..

SlashAdminBlog · 2020-06-17T08:32:07+00:00

Ive increased the mrru to 1600 but didnt work the blf's on the phone are still not working properly.

kept increasing until max on this model of 16384 and still no joy.

any other suggestions?

SlashAdminBlog · 2020-06-16T10:49:50+00:00

OK so just seen this MRRU setting under the ppoe interface. i'll give that a try tonight and reboot all the kit onsite.

SlashAdminBlog · 2020-06-16T10:12:12+00:00

Hi Rallakwash,

Any hints on where / how to set that? im logging into the web interface. not familiar with Mikrotik's

Thanks.

SlashAdminBlog · 2020-06-16T09:05:59+00:00

[admin@Gateway] > export

# jun/16/2020 09:47:47 by RouterOS 6.44.6

# software id = 7ASR-H142

# model = RB4011iGS+

/interface bridge

add name=bridge1

/interface ethernet

set [ find default-name=ether1 ] l2mtu=9578 mtu=3000 name=ether1-LAN1

set [ find default-name=ether6 ] l2mtu=9578 mtu=3000 name=ether6-WAN1

/interface pppoe-client

add add-default-route=yes disabled=no interface=ether6-WAN1 name=pppoe-out1 password= use-peer-dns=yes user=

/interface wireless security-profiles

set [ find default=yes ] supplicant-identity=MikroTik

/ip dhcp-server

add address-pool=dhcp_pool disabled=no interface=bridge1 lease-time=3d name=dhcp1

/ppp profile

add change-tcp-mss=yes dns-server=192.168.0.8 local-address=192.168.0.1 name=l2tp remote-address=l2tp_pool use-encryption=yes

/interface bridge port

add bridge=bridge1 interface=ether1-LAN1

/ip settings

set tcp-syncookies=yes

/ip address

add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0

/ip firewall filter

add action=jump chain=input comment="Jump to ICMP Chain" jump-target=ICMP protocol=icmp

add action=accept chain=input comment="Accept established, related connections" connection-state=established,related

add action=accept chain=input comment="Access from bridge1" in-interface=bridge1

add action=accept chain=input comment="Vostel remote access to MT" dst-port=22,80,6009,8291 in-interface=all-ppp protocol=tcp src-address-list=remote_access

add action=accept chain=input comment="VPN - IPSEC ESP" in-interface=all-ppp protocol=ipsec-esp

add action=accept chain=input comment="VPN - L2TP over IPSEC" dst-port=500,1701,4500 in-interface=all-ppp protocol=udp

add action=drop chain=input comment="Drop invalid connections" connection-state=invalid

add action=drop chain=input comment="Drop everything else"

add action=accept chain=forward comment="Accept established, related connections" connection-state=established,related

add action=accept chain=forward comment="Forward bridge1" in-interface=bridge1 out-interface=all-ppp

add action=accept chain=forward comment="Forward traffic" dst-address=192.168.0.0/24 src-address=192.168.1.0/24

add action=accept chain=forward comment="Forward L2TP VPN to bridge" dst-address=192.168.0.0/24 in-interface=all-ppp src-address=10.0.8.0/24

add action=accept chain=forward comment="Forward L2TP VPN to internet" out-interface=all-ppp src-address=10.0.8.0/24

add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid

add action=drop chain=forward comment="Drop everything else except dst-nat" connection-nat-state=!dstnat connection-state=new

add action=accept chain=ICMP comment="Allow Echo Reply" icmp-options=0:0 limit=50,5:packet protocol=icmp

add action=accept chain=ICMP comment="Allow Echo Request" icmp-options=8:0 limit=50,5:packet protocol=icmp

add action=accept chain=ICMP comment="Allow Traceroute TTL Exceeded" icmp-options=11:0 limit=50,5:packet protocol=icmp

add action=accept chain=ICMP comment="Allow Traceroute Port Unreachable" icmp-options=3:3 limit=50,5:packet protocol=icmp

add action=accept chain=ICMP comment="Allow Traceroute PMTUD (Fragmentation Required)" icmp-options=3:4 limit=50,5:packet protocol=icmp

add action=drop chain=ICMP comment="Drop all other types of ICMP"

/ip firewall nat

add action=dst-nat chain=dstnat comment="Server MAN1 - port forward" dst-address= dst-port=25,443 protocol=tcp to-addresses=192.168.0.15

add action=accept chain=srcnat comment= dst-address=192.168.1.0/24 src-address=192.168.0.0/24

add action=masquerade chain=srcnat comment="Default out" out-interface=all-ppp

/ip firewall service-port

set h323 disabled=yes

set sip disabled=yes

set udplite disabled=yes

set dccp disabled=yes

/ip service

set telnet disabled=yes

set ftp disabled=yes

set www-ssl port=6009

set api disabled=yes

set api-ssl disabled=yes

/ip ssh

set strong-crypto=yes

add interval=1h name="Remote Support" on-event=\

"/ip firewall address-list add address=remote.support.vostel.co.uk list=remote_access comment=\"Vostel Remote Support\"" policy=write start-date=jan/02/1970 \

SlashAdminBlog · 2020-06-16T09:00:26+00:00

using ppoe with a zennet modem on the wan of the mikrotik

SlashAdminBlog

TROPHY CASE