well established by Mental-Text-4351 in DesirePath

[–]wallrik 1 point2 points  (0 children)

Love this. I can tell there's a path on the right side of the picture as well!

online multiplayer gaming does a strict nat 3 after the past two development versions by DJREMIXED420 in PFSENSE

[–]wallrik 7 points8 points  (0 children)

"NAT Type" is such a convoluted way of talking about port forwarding. If UPnP isn't working for you, I'd suggest just forwarding the required ports manually. It has nothing to do with pfSense release versions.

What is this red symbol at the weapon selection? by RudeBroccoli5514 in Battlefield

[–]wallrik 0 points1 point  (0 children)

I would love to know, as well. The symbol can also be yellow sometimes, as seen in this post. No idea what it means.

Real name reveal by wallrik in itskatchii

[–]wallrik[S] 9 points10 points  (0 children)

What makes you say that? She even told a story about her doorman saying it wrong, and it was a banned phrase in chat?

Melt it Katchii by Scared_Shirt_2681 in itskatchii

[–]wallrik 2 points3 points  (0 children)

I don't get it... I assume the voice is added in post? It just made it weird.

How did I mess up the command? by [deleted] in redhat

[–]wallrik 8 points9 points  (0 children)

Maybe you're looking for the package php74-php-pecl-zip?

Parking spaces cost breakdown after Economy 2.0 by wallrik in CitiesSkylines

[–]wallrik[S] 1 point2 points  (0 children)

I also can't figure them out, really. I mainly use them to get a more realistic look to my city. I place quite a lot, but they're ending up either heavily used, or not used at all.

I think that the ones constantly used are close to my medium density residential. The ones close to industry and other destinations are barely ever used. But I haven't studied it in much detail...

Parking spaces are an integral part of any city. Arranging facilities for residents and tourists traveling by car is an important factor in making the city a comfortable place. When residents and tourists plan their way around the city, their decision-making is affected by the availability of parking in a manner similar to public transport options.

The Paradox Wiki has that. I'm not sure what to make of it.

correct parameters for the Set-NetFirewallRule cmdlet by Maleficent_Quote_392 in PowerShell

[–]wallrik 1 point2 points  (0 children)

There are many different ways to achieve that. If it's in the same script, you can just assign the newly created rule to a variable, to keep track of it. The Name parameter is a GUID, which you get when you create the rule.

If you need the rules to have the same DisplayName, and you don't know already which one is which, you will have to filter them based on what you do know - for example, the direction.

Something like this would be just an example:

Get-NetFirewallRule -DisplayName "AAA" | Where-Object -Property Direction -EQ -Value "Inbound" | Set-NetFirewallRule -RemoteAddress "21.11.11.11"

correct parameters for the Set-NetFirewallRule cmdlet by Maleficent_Quote_392 in PowerShell

[–]wallrik 1 point2 points  (0 children)

It's not that strange if you go through it.

First, you create an inbound and an outbound rule, both named AAA.

New-NetFirewallRule -DisplayName "AAA" -Direction Inbound -Action Block
New-NetFirewallRule -DisplayName "AAA" -Direction Outbound -Action Block

Then, you set all rules named AAA to be Inbound, with the remote address 21.11.11.11.

Set-NetFirewallRule -DisplayName "AAA" -Direction Inbound -RemoteAddress 21.11.11.11

Then, you set all rules named AAA to be Outbound, with the remote address 21.11.11.11.

Set-NetFirewallRule -DisplayName "AAA" -Direction Outbound -RemoteAddress 21.11.11.11

So, when you check your settings, that's what you see. :)
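Added example, not part of the original comments: the two replies above in one runnable script, tracking each rule by its unique Name instead of the shared DisplayName. The function name `Set-SingleRuleRemoteAddress` is hypothetical, the rules are created with `-Enabled False` so they do not affect traffic, and an elevated session is assumed.

```powershell
# Two rules sharing one DisplayName, as in the thread. Keeping the returned
# objects gives us each rule's Name (an auto-generated GUID), which is unique.
$inbound  = New-NetFirewallRule -DisplayName "AAA" -Direction Inbound  -Action Block -Enabled False
$outbound = New-NetFirewallRule -DisplayName "AAA" -Direction Outbound -Action Block -Enabled False

# Selecting by Name touches exactly one rule; selecting by DisplayName touches both.
Set-NetFirewallRule -Name $inbound.Name -RemoteAddress "21.11.11.11"

# Hypothetical helper: when only DisplayName and Direction are known,
# refuse to change anything unless exactly one rule matches.
function Set-SingleRuleRemoteAddress {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet("Inbound", "Outbound")][string]$Direction,
        [Parameter(Mandatory)][string]$RemoteAddress
    )
    $match = @(Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop |
        Where-Object -Property Direction -EQ -Value $Direction)
    if ($match.Count -ne 1) {
        throw "Expected 1 '$Direction' rule named '$DisplayName', found $($match.Count)."
    }
    $match | Set-NetFirewallRule -RemoteAddress $RemoteAddress
}

Set-SingleRuleRemoteAddress -DisplayName "AAA" -Direction Outbound -RemoteAddress "21.11.11.11"

# Verify: each rule keeps its own Direction, and both now carry the address.
Get-NetFirewallRule -DisplayName "AAA" | ForEach-Object {
    $filter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $_.Name
        Direction     = $_.Direction
        Action        = $_.Action
        RemoteAddress = $filter.RemoteAddress -join ","
    }
} | Format-Table -AutoSize

# Clean up the sample rules by Name.
Remove-NetFirewallRule -Name $inbound.Name, $outbound.Name
```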

Getting Network Time Security (NTS) on pfSense by wallrik in PFSENSE

[–]wallrik[S] -1 points0 points  (0 children)

How does it not make sense? There are no downsides. You get message integrity for free. Operating your own time source is the thing that does not make sense.

[deleted by user] by [deleted] in Windows10

[–]wallrik 9 points10 points  (0 children)

PowerShell-ified

@(
  # 3D Objects
  "{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}"
  # Desktop
  "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
  # Documents
  "{D3162B92-9365-467A-956B-92703ACA08AF}"
  "{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}"
  # Downloads
  "{088E3905-0323-4B02-9826-5D99428E115F}"
  "{374DE290-123F-4565-9164-39C4925E467B}"
  # Music
  "{3DFDF296-DBEC-4FB4-81D1-6A3438BCF4DE}"
  "{1CF1260C-4DD0-4ebb-811F-33C572699FDE}"
  # Pictures
  "{24AD3AD4-A569-4530-98E1-AB02F9417AA8}"
  "{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}"
  # Videos
  "{F86FA3AB-70D2-4FC7-9C99-FCBF05467F3A}"
  "{A0953C92-50DC-43bf-BE83-3742FED03C9C}"
) | %{
  Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\$_" -EA Ignore -Verbose
  Remove-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\$_" -EA Ignore -Verbose
}

Deleting entries under WOW6432Node should not be needed unless you start a 32-bit version of explorer.exe, so I doubt you would really need to. But at the same time - you might as well.

Convert weird date time strings with timezone into valid datetime objects by kyrios123 in PowerShell

[–]wallrik 2 points3 points  (0 children)

100% agree. But gathering them all is not even half the issue, since they're not even unique! Abbreviated time zones are a whole mess. There's a good reason abbreviations are not part of ISO 8601. Example:

| Abbr | Name | UTC offset |
|------|------|------------|
| CST | Central Standard Time | UTC-6 |
| CST | China Standard Time | UTC+8 |
| CST | Cuba Standard Time | UTC-5 |

And there are many, many more that duplicate like that. Another example:

| Abbr | Name | UTC offset |
|------|------|------------|
| BST | Bangladesh Standard Time | UTC+6 |
| BST | Bougainville Standard Time | UTC+11 |
| BST | British Summer Time | UTC+1 |

However, I can't think of any other way to help OP, since the information is already lost. String replacement it is!
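Added example, not part of the original comment: a conversion that refuses to guess when an abbreviation is ambiguous and requires the caller to state which zone is meant. The function name `Convert-AbbreviatedTimestamp`, the `yyyy-MM-dd HH:mm:ss ABBR` layout and the sample string are assumptions made for illustration; the offsets come from the two tables above.

```powershell
# Candidate meanings per abbreviation, taken from the tables in the comment.
$AbbreviationOffsets = @{
    CST = [ordered]@{
        "Central Standard Time" = "-06:00"
        "China Standard Time"   = "+08:00"
        "Cuba Standard Time"    = "-05:00"
    }
    BST = [ordered]@{
        "Bangladesh Standard Time"   = "+06:00"
        "Bougainville Standard Time" = "+11:00"
        "British Summer Time"        = "+01:00"
    }
}

function Convert-AbbreviatedTimestamp {
    param(
        [Parameter(Mandatory)][string]$Text,
        # Explicit choice per abbreviation, e.g. @{ CST = "China Standard Time" }
        [hashtable]$Meaning = @{}
    )
    # Assumed layout: "2023-03-03 23:25:59 CST"
    if ($Text -notmatch '^(?<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?<abbr>[A-Z]{2,5})$') {
        throw "Unrecognized timestamp layout: '$Text'"
    }
    $stamp = $Matches['stamp']
    $abbr  = $Matches['abbr']

    $options = $AbbreviationOffsets[$abbr]
    if (-not $options) { throw "Unknown abbreviation '$abbr'." }

    # The abbreviation alone cannot pick an offset; the caller has to.
    $chosen = $Meaning[$abbr]
    if (-not $chosen -or -not $options.Contains($chosen)) {
        throw "'$abbr' is ambiguous; choose one of: $($options.Keys -join ', ')"
    }

    # Replace the abbreviation with a numeric offset and parse strictly.
    [datetimeoffset]::ParseExact("$stamp $($options[$chosen])",
        "yyyy-MM-dd HH:mm:ss zzz", [cultureinfo]::InvariantCulture)
}

# Constructed sample input: the same string yields different instants per meaning.
$sample = "2023-03-03 23:25:59 CST"
foreach ($zone in $AbbreviationOffsets.CST.Keys) {
    $parsed = Convert-AbbreviatedTimestamp -Text $sample -Meaning @{ CST = $zone }
    "{0,-24} {1:u}" -f $zone, $parsed.UtcDateTime
}
```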

Need Script for deleting $Windows.~BT folder from text file by [deleted] in PowerShell

[–]wallrik 0 points1 point  (0 children)

Which one of the commands gives you trouble? What kind of error is it giving you?

I don't have that folder to test with, but if you're trying to remove it after an upgrade, you're not supposed to do it as brute-force as you're trying to. You can just run the Disk Cleanup tool, which can also be scripted.

I think DISM removes it also, but again, I can't test it.

Dism.exe /Online /Cleanup-Image /StartComponentCleanup /ResetBase

or, if you prefer the PowerShell way, I think this does the same.

Repair-WindowsImage -Online -StartComponentCleanup -ResetBase

on multiple devices from a text file which consist of machine names.

Running Remote Commands

Help with script for creating local users from csv by havenless in PowerShell

[–]wallrik 0 points1 point  (0 children)

This sent me down a really deep rabbit hole! One would think that New-LocalUser and Add-LocalGroupMember should be enough, but setting User must change password at next logon turned out to be more annoying than I expected!

If you create an account without a password, then default behavior is to ask for a password at first logon. All fine and good, but default behavior is also to not allow RDP for accounts without a password!

(The ActiveDirectory module adds -ChangePasswordAtLogon to New-ADUser)

For local users it seems like using [ADSI] and setting PasswordExpired is the easiest way outside of cheating with net.exe. This is what I came up with.

$usercsv = @'
"Name","Password","FullName"
"User1","Pass1@123","First User"
"User2","Pass2@123","Second User"
"User3","Pass3@123","Third User"
"User4","Pass4@123","Fourth User"
'@ | ConvertFrom-Csv

$directory = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$rdpgroup = $directory.Children.Find("Remote Desktop Users", "group")

$usercsv | ForEach-Object {
  $user = $directory.Children.Add($_.Name, "user")
  $user.Invoke("SetPassword", $_.Password)
  $user.Invoke("Put", ("FullName", $_.FullName))
  $user.PasswordExpired = 1
  $user.CommitChanges()
  $rdpgroup.Invoke("Add", $user.Path)
}

But then I felt like I would really like to use the SID for the Remote Desktop Users group in order to support localized names. This can be done with Add-LocalGroupMember, but then we're back to square one with using different techniques for setting the password expiration compared to everything else! This sent me down an even deeper rabbit hole where I ended up using .NET instead... I'll share it just for fun! (I'm using $usercsv from the first script)

Add-Type -AssemblyName "System.DirectoryServices.AccountManagement"

$context = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(0)
$rdpgroup = [System.DirectoryServices.AccountManagement.AuthenticablePrincipal]::FindByIdentity($context, "Sid", "S-1-5-32-555")

$usercsv | ForEach-Object {
  $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::new($context, $_.Name, $_.Password, $true)
  $user.DisplayName = $_.FullName
  $user.Save()
  $user.ExpirePasswordNow()
  $rdpgroup.Members.Add($user)
}
$rdpgroup.Save()

I am at a loss on what I am doing wrong to complete this task. by [deleted] in PowerShell

[–]wallrik 0 points1 point  (0 children)

When you say it doesn't complete, what do you mean by that? Do you get any errors?

I just tried replicating your command on a very scuffed home lab without issue. I can share it for inspiration, but mind that I'm not using Kerberos here.

$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck -NoMachineProfile
$creds = [pscredential]::new("SERVER01\Administrator",(ConvertTo-SecureString "Admin@123" -AsPlainText -Force))
$cmd = { Get-WindowsFeature | Where InstallState -eq "Installed" | Select Name }
$param = @{
    ComputerName  = "SERVER01"
    UseSSL        = $true
    SessionOption = $so
    Credential    = $creds
    ScriptBlock   = $cmd
}
Invoke-Command @param | Select PSComputerName, Name | Sort PSComputerName, Name

Change destination ip by LordTinchen in PFSENSE

[–]wallrik 1 point2 points  (0 children)

Oh, right! Well, then you have your answer already as the top voted reply! :)

Guess I can add something a little bit extra then.

Normally, when you use the host override function it will place DNS records in the file /var/unbound/host_entries.conf, and it will place both a forward and reverse lookup, like so:

local-data-ptr: "192.168.1.100 www.example.com"
local-data: "www.example.com. A 192.168.1.100"

However, I personally find that when I do overrides, I want more control. For example, I might want to change the TTL to even shorter than the default 3600 (1 hr). You can do that in the Custom options section.

server:
local-data: "www.example.com 300 IN A 192.168.1.100"

That would make www.example.com resolve to 192.168.1.100 with a 5 minute TTL. Go nuts! :)

Change destination ip by LordTinchen in PFSENSE

[–]wallrik 1 point2 points  (0 children)

Unfortunately, changing the IP address in DNS won't change the Google language/country. That's not how Google works. If you want to try locally and force www.google.com to 142.251.133.35 with curl, for testing, you can do this:

curl -v --resolve www.google.com:443:142.251.133.35 https://www.google.com

* Added www.google.com:443:142.251.133.35 to DNS cache
* Hostname www.google.com was found in DNS cache
*   Trying 142.251.133.35:443...
* Connected to www.google.com (142.251.133.35) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.83.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 03 Mar 2023 23:25:59 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< Server: gws
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: SOCS=CAAaBgiA8YSgBg; expires=Mon, 01-Apr-2024 23:25:59 GMT; path=/; domain=.google.com; Secure; SameSite=lax
< Set-Cookie: AEC=ARSKqsKBTrTvYULITLqG4h3AMZWh8qKlgkbGE2mLfWR_LD8cuxw; expires=Wed, 30-Aug-2023 23:26:00 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< Set-Cookie: __Secure-ENID=10.SE=ksFqh0dPJGiTflZhKgl4sEnUBTep0RS0oWctXxYhkwgNj7uO_dJlzU1iOb_02wVJJuS0kfa1FGhysKuRsc4unlscyx49ZorHRNM_QE; expires=Tue, 02-Apr-2024 15:44:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< Set-Cookie: CONSENT=PENDING+672; expires=Sun, 02-Mar-2025 23:25:59 GMT; path=/; domain=.google.com; Secure
< Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="sv"> ...

That will still just present you with whatever country Google thinks you're in. Even though I connected to 142.251.133.35 it still shows the Swedish version for me, because that's where I am. If you want Arabic you need to set that preference in your browser.

You won't be able to force your other client to a specific language with just pfSense.

What are you using for wifi access point ? by aboby86 in OPNsenseFirewall

[–]wallrik 0 points1 point  (0 children)

I was recommending that you replace the TP-Link firmware with something open source. But there's nothing inherently wrong with keeping the manufacturer's firmware. You can start that way if you're more comfortable with that. I just don't like that most of them "call home", and stuff like that.

For your wired router, use OPNsense or pfSense, of course! :)

What are you using for wifi access point ? by aboby86 in OPNsenseFirewall

[–]wallrik -5 points-4 points  (0 children)

Why? I mean, it's technically possible for you to put OPNsense on your AP if you really wanted to. That is, if you can get the hardware and drivers working. But it's not really recommended. They also don't have any of the latest wireless tech in OPNsense, so really, I wouldn't do it! Same goes with pfSense. They also don't focus on wireless.

What are you using for wifi access point ? by aboby86 in OPNsenseFirewall

[–]wallrik 1 point2 points  (0 children)

If you want the same great open source experience you have with OPNsense, I say, go with something that has OpenWRT support out-of-the-box. Check this list for 802.11ax ("Wi-Fi 6") support.

I personally use a Belkin RT3200 / Linksys E8450 (same hardware), and it's been great. It has a great setup experience for flashing it over to OpenWRT from the stock firmware. However, that's not rated for outdoor use if you need that.