Category Archives: firewall


Upgrade Ubiquiti UniFi AP-AC-Pro to mitigate KRACK

So, if you haven’t heard, there’s a flaw in the WPA2 protocol.  Read about it if you don’t know.

Since I have a specific model of Ubiquiti UniFi WiFi AP, I figured they’d have an update quickly, which they did.  However, I didn’t anticipate trouble in updating to the latest firmware (3.9.3.7537). It took a LONG time to finally get it updated.  Essentially, the update via the controller would fail, even though it would say it was going to update to the right version.  The AP would blink happily, then reboot on the same version of the firmware, over and over.  I tried other means, including local and ssh/scp update methods.  Same result.  In the end, this and this and this helped me diagnose a very odd situation:

  • Controller and other updates failed because they used https:// URLs to download the update
  • The built-in SSL verification failed because the time on the AP had never been set (it was December 1969)
  • Time on the AP was not synced (via NTP) because my local NTP server (on my router) was not functional
  • My local NTP server was not functional because I had my DNS server pointing to non-standard (non-logging, private) DNS servers
  • Those private DNS servers were failing to resolve some things, AFAICT, including pool.ntp.org

After updating my DNS servers (now using Google again – not my first choice, since they log my queries), NTP was fixed, which allowed me to upgrade the firmware on my pfSense router (which wasn’t getting updates because of the same DNS issue), which made NTP happier yet, which allowed the WiFi AP to get the correct time, which allowed the upgrade to happen properly.

Whew.
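The dependency chain in this post (DNS, then NTP, then the system clock, then TLS verification of the https:// download) as an added diagnostic script; this is not code from the original post or from Ubiquiti. It walks the links in order and names the first one that fails. The sanity floor `CLOCK_FLOOR`, the use of pool.ntp.org as the probe host and the injected check callables are my assumptions.

```python
import socket, ssl, struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
CLOCK_FLOOR = 1_500_000_000    # assumed sanity floor (mid-2017); an AP stuck in December 1969 reads about 0

def build_sntp_request() -> bytes:
    # First byte: LI=0, VN=4, Mode=3 (client) = 0b00100011; the other 47 header bytes stay zero
    return bytes([0x23]) + bytes(47)

def parse_sntp_response(pkt: bytes) -> float:
    """Pull the Transmit Timestamp (bytes 40..47) out of a reply and convert it to Unix time."""
    if len(pkt) < 48:
        raise ValueError("short SNTP packet")
    if pkt[0] & 0x07 != 4:  # mode 4 = server reply
        raise ValueError("not a server reply")
    secs, frac = struct.unpack("!II", pkt[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def query_sntp(host: str = "pool.ntp.org", timeout: float = 3.0) -> float:
    """Ask an NTP server for the time over UDP/123 (needs working DNS and outbound UDP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_sntp_request(), (host, 123))
        data, _ = s.recvfrom(48)
    return parse_sntp_response(data)

def tls_handshake_ok(host: str, port: int = 443) -> bool:
    """Full chain verification, the same step the controller's https:// download has to pass."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=host):
            return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False

def diagnose(resolve, ntp_time, local_time, tls_ok, floor: float = CLOCK_FLOOR) -> str:
    """Walk the chain in dependency order and name the first broken link."""
    try:
        resolve("pool.ntp.org")
    except OSError:
        return "dns: cannot resolve pool.ntp.org"
    try:
        ntp_time()
    except (OSError, ValueError):
        return "ntp: no usable reply from the time server"
    if local_time() < floor:
        return "clock: system time is still near the 1970 epoch, so every certificate looks not-yet-valid"
    if not tls_ok():
        return "tls: certificate verification failed"
    return "ok"
```

A live run is `diagnose(socket.gethostbyname, query_sntp, time.time, lambda: tls_handshake_ok("example.com"))` after `import time`, with the real firmware host substituted for the example.com placeholder; the checks are passed in as callables so the ordering logic can also be exercised with canned results.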

Configure pfSense bridge over multiple NICs as LAN

In the past I’ve used “raw” pf on FreeBSD as a firewall for a variety of situations both large and small, but this week I started playing with an inexpensive, fanless, multi-NIC box as a potential firewall and router running pfSense. Interestingly, the first thing I realized is that I could not find in pfSense any completely user-friendly (read: single checkbox) option to turn all but the WAN-designated NIC into a single bridged “LAN”. This seems like a pretty basic thing someone would want to do for a home router, or simply to avoid the switching overhead of packets amongst different subnets. A quick search for other solutions didn’t turn up one that I thought was really complete, hence this guide.