ePMP Elevate webinar

Some highlights on the ePMP Elevate platform.

-Allows ePMP Elevate software to run on non-Cambium 802.11n subscriber modules
-ePMP Elevate subscribers function as ePMP subscribers
-Solution for WISPs who already have hardware deployed. Offers a migration plan.
-ePMP AP must be licensed for ePMP Elevate
-5 GHz only
-XW- and XM-based Ubiquiti hardware
-17 supported models
-2.4 GHz is on the roadmap. No official comment on timeframe.
-cnMaestro support is available for XW hardware
-Replaces the UBNT software with a Cambium interface. Looks pretty close to any other ePMP interface.
-If DFS is FCC-certified on the hardware, it will continue to work once that hardware is running Elevate.


1 subscriber license: $35
10 subscriber license: $315
You would buy multiple 10-subscriber licenses for more than 10 subs. Licenses are locked to the wired MAC address of the AP.


Dirty Cow is Coming – Update your *nix boxes

Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel.

This is an old vulnerability, but it appears to be exploited regularly. In other words, keep your stuff up-to-date.



Check to see if your systems are vulnerable:


Apple has abandoned us..

I have been a long-time Apple fan. I don’t think of myself as a fanboy, but a fan. My first Mac was a Performa 6200. I have been anxiously awaiting the refresh of the MacBook Pro. I am using a 15” MacBook Pro from 2008. It has been upgraded with an SSD and more RAM, but is starting to show some age.

From a stockholder perspective, I see several fails from Apple. The first, and most egregious of these, is the removal of the 3.5mm jack from the iPhone. Two years ago Apple bought Beats by Dre for 3 billion dollars. Guess what? Most of the product line uses 3.5mm plugs. Apple just killed a huge upsell to their user base by killing the 3.5mm plug. Sure, you can get wireless Beats, but those are very high end and not everyone wants wireless. So why did Apple spend 3 billion dollars on a highly popular brand which now does not work with their product line? It’s a major letdown for shareholders because it is more missed opportunities.

Now, let’s move on to what started this rant: the new MacBook Pros. My current setup is my previously mentioned 2008 model. It has dual monitors, two USB hubs, and a hardwired Ethernet connection routinely plugged in. At the very least I need dongles. The new USB-C ports on the new MacBook Pro models mean I can no longer plug my iPhone directly into my laptop for charging or syncing. Syncing is no big deal, as Wi-Fi syncing is kind of working. I am not a big cloud user, so I see definite benefits to a cable sync. However, the charging aspect of it is very handy. I spend a fair amount of time in the field. I routinely visit data centers, remote network locations, and back rooms where network equipment is shoehorned in. Most of the time power outlets are few and far between. I am lucky to have a power outlet to keep my MacBook going. This means I tend to plug my phone into the laptop to charge. I can no longer do this. #fail

Another major issue is the removal of the escape key. This is more symbolic of how Apple has abandoned the power user than a matter of function. Anyone who has worked in Linux probably uses the vi text editor. The escape key is essential to this software. I also routinely log in to network routers. One of the first things many of them present you with is “press escape to get started”. I am already having to use an old terminal program and a USB-to-serial adaptor in most cases. I worry about how an escape key on the touch bar is going to work with an older setup like this.

At this point in my thinking process I decided I needed to plan out what all I need to make a new MacBook Pro work with my current setup. I figure I need to come up with several dongles. I need one for each of my external monitors, one for Ethernet, and something to replace the connections to my two 8-port USB hubs. These hubs have hard drives, a USB headset, a USB mic, flash drives, and a card reader attached. I am fully expecting to need a home dock and some dongles to take on the road with me. I routinely use Ethernet in my day-to-day job activities. So off to the Apple store I go. This is where I run into the next fail. I pick out the MacBook I wish to purchase and there are no “Suggested accessories” like with previous models. You used to be able to add on dongles and such right from the same screen. You can no longer do this. Again, this is a major fail on the part of upselling the customer. Here I am, wanting to purchase additional dongles, and I have to go hunting for them. After many frustrating minutes of digging I found a USB-C to VGA adaptor, but not a DVI adaptor. The whole experience was frustrating. Now I have to trek into a dreaded Apple store and hope one of the folks in there understands what I am talking about. This is the second stockholder fail I see: lost revenue from a lack of upselling options.

I realize the trend tends to be leaning toward mobile and phone. There is still a huge segment of the business population which gets work done on desktops and laptops. Abandoning them is a surefire way to drive away further sales. If the I.T. decision makers at companies are not using your product, that loses direct revenue. This reaches much further, though. More and more folks are looking for integrated solutions. If they see work is buying a certain brand of computer, they tend to buy that brand. Then they tend to buy that brand for their children and integrate it into their homes. Brand awareness plays into this as well. Beats are a popular brand, and if they have to have dongles to work it creates a shoddy-looking product. Why buy a dongle when I can plug it directly into my new Google phone? Why would work buy products they have to stock an Apple version of and an everyone-else version?

Not only has Apple abandoned the power user, but they are failing the shareholders as well. Their job is to maximize the value of the company for us shareholders. Apple needs to innovate, but taking stuff away is not the way to do it. I remember the days when you had to have a special “Apple microphone” to plug into a Mac. The plug was slightly longer. This caused issues and much confusion. I know people who did not buy Mac products because of this attitude. It wasn’t about the microphone. It was the fact that everything was proprietary. Apple is an innovator, but forcing people into their way of thinking can backfire. It can pay off big on the flip side. In this case I think this will be the day the MacBook died. Unless Apple changes things, the MacBook will have a place in education, like it always has. Once folks get out into the business world, the value of a portless, escape-key-less laptop will hamper them. I hope I am wrong.


Metro Ethernet Terms

As some of you reading this dive into metro Ethernet, you should know some terminology.

• User-Network Interface (UNI): The UNI is a physical Ethernet port on the service provider side of the network, along with a predefined set of parameters, that provides data, control and management traffic exchange with the end-customer CPE device. The customer CPE device can be a Layer 2 Ethernet switch, a Layer 3 routing node, or certain LTE nodes.

• Network-to-Network Interface (NNI): The NNI is the physical Ethernet port on the service provider access node that is used to interconnect the Ethernet MANs of two different service providers. We also use E-NNI as a reference point for the interconnection of a Layer 2 MAN service with Layer 3 service nodes in the provider network, such as the provider edge router (PE), a broadband network gateway (BNG), or vertical handover (VHO).

• Ethernet Virtual Connection (EVC): The EVC is the architectural construct that associates UNI reference points for the purpose of delivering an Ethernet flow between subscriber sites across the MAN.


Simple shut-off scripting

I had a client today who is doing some things manually, as they are using QuickBooks for billing and such. One thing they kind of struggle with is turning off people for non-payment. Their current method is adding a queue and throttling someone to a low speed to make them call. Their network is a routed network using DHCP to the CPE at the customer. Everything is in router mode, and they control the addressing of the units via DHCP reservations. So how do we make this better without adding RADIUS and all kinds of stuff into the network?

First, we set up a web proxy:

/ip proxy
set enabled=yes port=8089

/ip proxy access
add dst-host=mtin.net dst-port=80
add dst-host=*.mtin.net dst-port=80
add dst-port=53
add action=deny redirect-to=www.mtin.net

The above config says that anyone coming into the proxy is only allowed to go to mtin.net (our domain, used as an example) or use port 53 (DNS); anything else gets redirected to www.mtin.net. We allowed port 53 because they are in the process of cleaning up some radios and other devices which are still pointed at other DNS servers.

Next, we set up a NAT rule:

/ip firewall nat
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address-list=\
SHUTOFF to-ports=8089

This NAT rule says that any port 80 request coming from our SHUTOFF address list gets redirected to port 8089 (the proxy port set up earlier).

Our third step is to set up our address list. This is very straightforward: just add users to this list when they are to be turned off, and remove them when they pay. The address field is left empty here; fill in the customer's reserved address.

/ip firewall address-list
add address= list=SHUTOFF

Lastly, we add a filter rule which denies the SHUTOFF folks anything except port 53 and port 80. We do this because we can’t proxy port 443 and other SSL traffic; if folks go to an HTTPS site it simply fails. This is a drawback of using a web proxy. Note that this rule matches TCP only, so UDP traffic (including DNS over UDP) is not touched by it.

/ip firewall filter
add action=drop chain=forward dst-port=!53,80 protocol=tcp src-address-list=\
SHUTOFF
If you have an SSL payment gateway, you can modify your filter rules to allow traffic to it. This is just one quick and dirty way of letting customers know they have been turned off.
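As an added example that is not part of the original post, the following RouterOS config extends the shut-off setup above with the payment-gateway exception the last paragraph mentions and wraps the address-list changes in two scripts so every shut-off is logged and dated. The gateway address 203.0.113.10, the customer address 192.0.2.55 and the account reference are constructed placeholders; the PAYMENT_GW list name and script names are my own.

```routeros
# Added example, not the original post's config. 203.0.113.10 and 192.0.2.55
# are documentation addresses standing in for the real gateway and customer.

# 1. Allowlist for the SSL payment gateway, so a shut-off customer can still
#    pay online even though the web proxy cannot handle port 443.
/ip firewall address-list
add address=203.0.113.10 list=PAYMENT_GW comment="payment gateway (placeholder address)"

# 2. Filter rules for the SHUTOFF list. Rule order matters: the accept for the
#    gateway is added first so it sits above the drop in the forward chain.
/ip firewall filter
add chain=forward src-address-list=SHUTOFF dst-address-list=PAYMENT_GW \
    protocol=tcp dst-port=443 action=accept \
    comment="shut-off customers may still reach the payment gateway"
add chain=forward src-address-list=SHUTOFF protocol=tcp dst-port=!53,80 \
    action=drop comment="shut-off: drop TCP other than DNS and HTTP"

# 3. Scripts to turn a customer off and back on. The address-list comment
#    records the account and the date, so the list doubles as an audit trail
#    of who was cut off and when; each change is also written to the log.
/system script
add name=shutoff-customer source={
    :local cust "192.0.2.55";
    :local acct "ACCT-PLACEHOLDER";
    :if ([:len [/ip firewall address-list find list=SHUTOFF address=$cust]] = 0) do={
        /ip firewall address-list add address=$cust list=SHUTOFF comment="$acct shut off $[/system clock get date]";
        :log warning "SHUTOFF: $cust ($acct) added to SHUTOFF list";
    } else={
        :log info "SHUTOFF: $cust is already on the SHUTOFF list";
    }
}
add name=restore-customer source={
    :local cust "192.0.2.55";
    /ip firewall address-list remove [find list=SHUTOFF address=$cust];
    :log warning "SHUTOFF: $cust removed from SHUTOFF list (payment received)";
}
```

Run a script with `/system script run shutoff-customer`; to reuse it for other customers, change the two `:local` values or turn them into parameters passed from the scheduler or a billing hook.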


Soft Reconfiguration Inbound

Several people have been asking what soft reconfiguration inbound is on a BGP peer.

In the dark days of BGP, you had to tear down the BGP session and do a full re-establishment in order to apply a changed inbound policy. With soft reconfiguration inbound, a copy of all routes received from the peer (this is why it is called inbound) is stored separately from the regular BGP table, before any inbound policy is applied. When a policy change is made, the new policy is applied to that stored copy of the routes, without disturbing the session.

Disadvantage? This takes up memory, because you are basically keeping two copies of the received routes.

So how is this different from route refresh, described in RFC 2918? Route refresh is a standard with an RFC, unlike soft reconfiguration inbound, which is a Cisco thing. Instead of storing a local copy, route refresh asks the peer to resend all its routes, and the new policy is applied as they arrive.


Homeland Security US-CERT e-mail on network infrastructure

A few days ago, Homeland Security's US-CERT published an e-mail alert on threats to network devices and how to secure them. Rather than cut and paste, I exported the e-mail to a PDF. There are some good best practices in here.

TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations