Saturday, December 8, 2018

Freedom Mobile and Choice of Phones

Freedom Mobile in Canada has a very useful plan for $15 per month, called Home 250. It includes 100 minutes of outgoing airtime, unlimited incoming calls, unlimited text messages and 256 MB of full-speed (30 Mbps) data. Once the 256 MB of full-speed data is used up there is no overage charge; the speed is simply throttled to 256 Kbps, which is still good enough for voice calls over the Internet, such as Hangouts Dialer calls, not to mention messaging apps such as WhatsApp and WeChat. So the $15 covers most people's smartphone needs except video, which would use up a bigger data plan quickly anyway.

Having found and tested this plan, the next step was finding the right phone. The choice is limited if you want to find a cheap and good one yourself, because of the network requirements. Unlike the big carriers such as Rogers and Bell, Freedom Mobile's network requirements are rather special.

Check this out:
https://www.reddit.com/r/freedommobile/comments/8ao4tu/a_guide_to_freedom_mobiles_network/

So we need:
  1. Must support UMTS 1700/2100 (Band 4). This band is used for voice calls. Without both 1700 and 2100 in Band 4, calls will fail even when the phone has a data connection: it will dial, but the receiving end never rings. Data also falls back to this band when no other band is available. Note the misconception that a phone listing only UMTS 2100 will work with Freedom Mobile. It won't; UMTS 1700 is the more important of the two.
  2. Should support LTE 1700/2100 (Band 4). This band carries the high-speed data network for a better data connection.
  3. Better still, support LTE 1700/2100 (Band 66). This is the newer high-speed data band, with much more capacity to avoid congestion. Not many phones support it.
  4. Nice to have: LTE 700 (Band 13), LTE 2600 (Band 7) and LTE 2600 (Band 41). Freedom Mobile uses these bands in congested areas such as shopping malls.
Update, from the Freedom Mobile website in January 2024:

Our LTE network primarily supports Band 66, Band 13, Band 4, Band 71 and Band 7 in select locations. Band 66 provides access to our fastest LTE speeds, while Band 13 is our Extended Range LTE that may be able to reach farther and penetrate walls for better coverage in buildings, basements, and elevators.

I found that phonedb.net has the most accurate and readable specification data on phones. GSMArena.com is confusing or occasionally incorrect.

There are a few good choices of phones supporting Freedom Mobile currently available. They all support UMTS Band 4, LTE Band 4 and LTE Band 66:

  • OnePlus 5/5T
  • Sony Xperia XA2
  • Essential Phone PH-1
  • Xiaomi Mi A2
  • LG G6 H873

Sunday, September 23, 2018

Configuring AWS VPN with Cisco ASA

Recently I configured an Amazon AWS VPN connection with a Cisco ASA 5500 series firewall. The documentation provided by Amazon is correct, and the downloadable ASA configuration is also good. However, the troubleshooting information from Amazon is useless: it only states the general rules that experienced network admins already know.

Below are the catches that had me stumped for some time.
  • Neither side produces useful logs by default (on the ASA, debug crypto ikev1 and debug crypto ipsec are the only real source), which makes the whole thing hard to troubleshoot when the tunnel does not come up.
  • The local subnets on both the AWS VPC and the office network must be fully operational, including routing and firewall rules, before the VPN connection will come up.
  • The VPN must see a round-trip packet initiated from the office internal subnet behind the ASA (or from the ASA's inside interface) and SUCCESSFULLY returned from the VPC subnet before the connection is truly up.
  • Pinging from the ASA itself without specifying a source interface toward the VPC has no effect, and pinging from the VPC toward the office network has no effect either. The ASA configuration file Amazon provides contains an SLA monitor that pings the VPC every 5 seconds to keep the tunnel up. When troubleshooting, it is better to ping a live OS instance in the VPC from a machine on the office internal network. AWS's VPC router x.x.0.1 and DNS resolver x.x.0.2 do not respond to pings from remote subnets, so do not use them to bring up the VPN.
  • On a Windows instance in the VPC, disable the Public network profile of Windows Firewall (or, better, allow only ICMP echo requests) so it responds to pings.
  • Check the connection status on the ASA with show crypto isakmp sa and show crypto ipsec sa. They show no SAs while the VPN is down, even when the configuration is entirely correct; it just needs a ping. The Connection Status on the AWS VPN Connection page lags by several minutes before showing the correct state.
  • Use show access-list to see the hit counts on both the crypto map access list and the vpn-filter access list; this helps determine how far the packets have got.
  • Don't forget to add the route outside entry for the VPC subnet and the NAT exemption (no-NAT) rule for traffic between the office and VPC subnets.
  • Access control for VPN traffic should be done with the group policy vpn-filter access list, not by narrowing the crypto map access list.
  • The syntax of the vpn-filter access list differs from a regular access list: the remote subnet is always written as the source. For example, to allow the local subnet to SSH to the remote subnet, the command is access-list acl_amzn-vpn-filter extended permit tcp [remote_subnet] [remote_mask] eq ssh [local_subnet] [local_mask]. The rule for inbound traffic (remote to local) reads like a regular command: access-list acl_amzn-vpn-filter extended permit tcp [remote_subnet] [remote_mask] [local_subnet] [local_mask] eq ssh. Some documentation says the outbound direction is implicitly allowed when inbound is permitted. That was not the case for me.
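As an added example (not the AWS-generated file and not the configuration from the setup described above), here is a minimal ASA fragment that puts the points above together: NAT exemption, the outside route, a broad crypto map ACL, and a vpn-filter that allows SSH in both directions plus ICMP for the troubleshooting pings. The subnets (10.10.0.0/16 office, 172.31.0.0/16 VPC), the peer address 203.0.113.10, the next hop 203.0.113.1 and the object and ACL names are placeholders; in real use they come from the configuration file AWS generates for the VPN connection.

```cisco
! Added example with placeholder values: office LAN 10.10.0.0/16 behind the
! inside interface, VPC 172.31.0.0/16, AWS tunnel endpoint 203.0.113.10.
object network obj-office-lan
 subnet 10.10.0.0 255.255.0.0
object network obj-aws-vpc
 subnet 172.31.0.0 255.255.0.0

! NAT exemption: VPN traffic must leave with its real source address
nat (inside,outside) source static obj-office-lan obj-office-lan destination static obj-aws-vpc obj-aws-vpc no-proxy-arp route-lookup

! Route the VPC subnet out the outside interface so it reaches the crypto map
route outside 172.31.0.0 255.255.0.0 203.0.113.1 1

! Crypto map ACL: defines the interesting traffic; keep it broad and do the
! per-port access control in the vpn-filter instead
access-list acl-amzn extended permit ip 10.10.0.0 255.255.0.0 172.31.0.0 255.255.0.0

! vpn-filter ACL: the REMOTE side is always the source, so
!   office -> VPC SSH: remote port 22 is the source port
!   VPC -> office SSH: remote is the source, local port 22 is the destination
access-list acl-amzn-vpn-filter extended permit tcp 172.31.0.0 255.255.0.0 eq ssh 10.10.0.0 255.255.0.0
access-list acl-amzn-vpn-filter extended permit tcp 172.31.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq ssh
! ICMP both ways, so the troubleshooting pings described above can pass
access-list acl-amzn-vpn-filter extended permit icmp 172.31.0.0 255.255.0.0 10.10.0.0 255.255.0.0

group-policy gp-amzn internal
group-policy gp-amzn attributes
 vpn-filter value acl-amzn-vpn-filter
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy gp-amzn

! Verification (the SA commands show nothing until interesting traffic has flowed)
! show crypto isakmp sa
! show crypto ipsec sa peer 203.0.113.10
! show access-list acl-amzn-vpn-filter
```

The vpn-filter ACL is evaluated for both directions with the addresses flipped for outbound packets, which is why every entry is written from the VPC's point of view; anything not matched by it is dropped even though the crypto map ACL permits all IP traffic.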

Wednesday, April 11, 2018

Convert Apache SSL certificates into Tomcat keystore

Found a quick way on an online forum to convert PEM-format SSL certificates into a Java keystore for Tomcat's connector.

In Linux, concatenate the PEM files (server certificate first, followed by the intermediate CA certificate) into one file, say all.pem. Then create a keystore in PKCS12 format from the private key plus all.pem:

openssl pkcs12 -export -inkey private.key -in all.pem -name test -out test.p12

Then on Windows, use the keytool that ships with Java to convert the p12 into a JKS keystore:

keytool -importkeystore -srckeystore test.p12 -srcstoretype pkcs12 -destkeystore test.jks -deststoretype jks

Tomcat 8.5 and later can also load the .p12 directly (keystoreType="PKCS12" on the connector), which skips the keytool step entirely.
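The following added script (not from the forum post or the original text) runs the same conversion end to end and then checks the two things that usually go wrong: that the keystore contains the whole chain, and that the certificate bound to the private key is the server (leaf) certificate rather than the intermediate. The throwaway CA and server certificate it generates are constructed for the demo; substitute your real private.key, cert and intermediate PEM files. The keytool step runs only if a JDK is on the PATH.

```shell
#!/bin/sh
# Added example: build the PKCS12 keystore as described above, then verify
# that the chain inside it is complete and in the right order. The CA and
# server certificate are throwaway ones generated for the demo.
set -e

# Create a demo key pair, a toy CA and a server cert signed by it (constructed input).
make_demo_pems() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/interca.pem" -subj "/CN=Demo CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/private.key" -out "$dir/server.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/interca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/cert.pem" >/dev/null 2>&1
}

# Concatenate leaf first, then the CA chain, and export to PKCS12.
build_p12() {
    dir="$1"; pass="$2"
    cat "$dir/cert.pem" "$dir/interca.pem" > "$dir/all.pem"
    openssl pkcs12 -export -inkey "$dir/private.key" -in "$dir/all.pem" \
        -name test -passout "pass:$pass" -out "$dir/test.p12"
}

# Print the CN of the first PEM certificate read from stdin.
cert_cn() {
    openssl x509 -noout -subject | grep -o 'CN *= *[^,/]*' | sed 's/CN *= *//'
}

# CN of the first certificate in a PEM bundle (must be the leaf).
pem_first_cert_cn() { cert_cn < "$1"; }

# Number of certificates stored in the keystore (expect leaf + chain).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# CN of the certificate that carries the private key (must also be the leaf).
p12_key_cert_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | cert_cn
}

# Convert to JKS only when keytool is available (Tomcat 8.5+ can load the .p12 as is).
p12_to_jks() {
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$3" \
        -destkeystore "$2" -deststoretype jks -deststorepass "$3" -noprompt
}

WORK=$(mktemp -d)
make_demo_pems "$WORK"
build_p12 "$WORK" changeit
p12_to_jks "$WORK/test.p12" "$WORK/test.jks" changeit
echo "certs in keystore: $(p12_cert_count "$WORK/test.p12" changeit), key bound to: $(p12_key_cert_cn "$WORK/test.p12" changeit)"
```

If the count comes back as 1 the intermediate was left out, and if the key is bound to the CA's CN the files were concatenated in the wrong order; both produce a keystore that Tomcat accepts but browsers reject.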

BitBucket Environment Variable Change

Bitbucket Server runs on Tomcat, but from version 5.6 onward its environment, including the Java Virtual Machine location, is configured in a new way rather than by running tomcat.exe.
The JAVA_HOME variable is easy to configure: System Properties - Advanced system settings - Environment Variables - System variables - JAVA_HOME. This variable is used by the Bitbucket installer. However, if Bitbucket is already installed, the existing Bitbucket services will not pick it up automatically.

Their Java Virtual Machine location has to be specified manually.

Start with AtlassianBitbucketElasticsearch.
  1. Copy the text in "Path to executable" from the Services console. It is "C:\path\elasticsearch-service-x64.exe //RS//AtlassianBitbucketElasticsearch".
  2. Paste it into a Command Prompt window and edit it to: C:\path\elasticsearch-service-mgr.exe //ES//AtlassianBitbucketElasticsearch. Execute it.
  3. In the configuration window, go to the Java tab and set the Java Virtual Machine box to the correct path to jvm.dll, for example c:\program files\java\jdk1.8.0_71\bin\server\jvm.dll
  4. Apply and OK. You can start the service now.

Second, configure AtlassianBitbucket.

  1. Copy the text in "Path to executable" from the Services console. It is "C:\path\bserv64.exe //RS//AtlassianBitbucket".
  2. Paste it into a Command Prompt window and edit it to: C:\path\bservmgr.exe //ES//AtlassianBitbucket. Execute it.
  3. In the configuration window, go to the Java tab and set the Java Virtual Machine box to the correct path to jvm.dll, for example c:\program files\java\jdk1.8.0_71\bin\server\jvm.dll
  4. Apply and OK. You can start the service now.
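The same change can be scripted. The PowerShell below is an added example, not something Atlassian ships: it reads each service's registered executable from the service database, so the C:\path part never has to be copied by hand, and tries the non-interactive procrun update switch before falling back to the manager GUI from the steps above. It assumes that bserv64.exe and elasticsearch-service-x64.exe are renamed Apache Commons Daemon procrun binaries (their //RS// switch suggests so), and the jvm.dll path is a placeholder to adjust for your JDK.

```powershell
# Added example (not from Atlassian): point both Bitbucket services at a new
# jvm.dll without the GUI. Assumes the service executables are procrun
# binaries that accept //US// (update service) with --Jvm; run as Administrator.
param(
    [string]$JvmDll = 'C:\Program Files\Java\jdk1.8.0_71\bin\server\jvm.dll'  # placeholder
)

if (-not (Test-Path -LiteralPath $JvmDll)) {
    throw "jvm.dll not found at $JvmDll"
}

# Service name -> its manager executable (lives in the same folder as the service exe)
$managers = @{
    'AtlassianBitbucketElasticsearch' = 'elasticsearch-service-mgr.exe'
    'AtlassianBitbucket'              = 'bservmgr.exe'
}

# Elasticsearch first, then Bitbucket, same order as the manual steps
foreach ($name in 'AtlassianBitbucketElasticsearch', 'AtlassianBitbucket') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "service $name is not installed"; continue }

    # PathName looks like: "C:\path\bserv64.exe" //RS//AtlassianBitbucket
    $exe = ($svc.PathName -split ' //RS//')[0].Trim('"')
    $dir = Split-Path -Parent $exe

    # Silent update of the JVM path stored in the service configuration
    & $exe "//US//$name" "--Jvm=$JvmDll"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "silent update of $name failed, opening the manager GUI instead"
        & (Join-Path $dir $managers[$name]) "//ES//$name"
        continue
    }

    Restart-Service -Name $name
    Write-Host "$name now uses $JvmDll"
}
```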

Monday, March 26, 2018

Use iptables on Linux to port forward

iptables on Linux can replace a web reverse proxy in some cases by redirecting ports. Below is how to do it on Ubuntu.

Enter the command below in an SSH session to redirect port 80 to port 8080. Port 8080 keeps working as before. Note that a PREROUTING rule only affects traffic arriving on eth0; connections the host makes to itself (for example curl http://localhost/) are not redirected.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
Verify that it is working. Then make sure the configuration is loaded every time Linux starts.

sudo iptables-save | sudo tee /etc/iptables.conf
to save your current iptables rules to /etc/iptables.conf, and then insert these lines in /etc/rc.local, before its final exit 0 (on current Ubuntu releases the iptables-persistent package does the same job from /etc/iptables/rules.v4 and is the cleaner option):
# Load iptables rules from this file
iptables-restore < /etc/iptables.conf
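Re-running the append command above stacks a second identical rule each time, and rc.local runs on every boot. The added script below (not part of the original post) applies the same redirect idempotently with iptables -C, adds the OUTPUT rule that makes the redirect also apply to the host's own connections, and saves the ruleset to whichever persistence mechanism is present. The interface and ports are arguments; eth0, 80 and 8080 are only the defaults.

```shell
#!/bin/sh
# Added example: the port-80-to-8080 redirect from the post, applied
# idempotently and restricted to one interface. Run as root with
# "./redirect.sh eth0 80 8080"; sourcing the file only defines the functions.
set -e

# Rule spec for traffic arriving on interface $1, TCP port $2, sent to port $3.
redirect_rule() {
    echo "PREROUTING -i $1 -p tcp --dport $2 -j REDIRECT --to-ports $3"
}

# Same for connections the host makes to itself (PREROUTING never sees them).
local_redirect_rule() {
    echo "OUTPUT -o lo -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# Append a nat rule only if it is not already present, so re-running this
# script (or rc.local at boot) does not accumulate duplicate rules.
ensure_nat_rule() {
    # $1 is intentionally unquoted: the rule spec must split into words
    if ! iptables -t nat -C $1 2>/dev/null; then
        iptables -t nat -A $1
    fi
}

# Persist the running ruleset. With iptables-persistent installed, Ubuntu
# restores /etc/iptables/rules.v4 at boot; otherwise fall back to the
# /etc/iptables.conf + rc.local approach described above.
persist_rules() {
    if [ -d /etc/iptables ]; then
        iptables-save > /etc/iptables/rules.v4
    else
        iptables-save > /etc/iptables.conf
    fi
}

main() {
    iface="${1:-eth0}"; from="${2:-80}"; to="${3:-8080}"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    ensure_nat_rule "$(redirect_rule "$iface" "$from" "$to")"
    ensure_nat_rule "$(local_redirect_rule "$from" "$to")"
    persist_rules
    iptables -t nat -L PREROUTING -n --line-numbers
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Binding the rule to one interface matters: a redirect without -i also catches traffic from any other interface (for example a management VLAN) and silently exposes the backend port there.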

Sunday, March 25, 2018

Cisco UCS Blade Server Setup Hints

The online information for Cisco UCS mainly covers concepts but is lacking on specifics, like cabling and admin access issues. Here are my notes.

Java Compatibility

The Cisco UCS admin console is only compatible with Java 7, not Java 8.

The KVM console also requires Flash, so Firefox with Flash has the best compatibility. Chrome does not work with the KVM console.

Cabling 

Plug two, four or eight ports of the first I/O module on the chassis into Fabric Interconnect A, starting from the left. If the Fabric Interconnects are configured in cluster mode, plug two, four or eight ports of the second I/O module into Fabric Interconnect B.

In the UCS admin console, configure these Fabric Interconnect ports as Server Ports. Once that is done, the chassis will show up.

In the UCS admin console, configure some Fabric Interconnect ports as Uplink Ports for the connection into the company network. Set the speed to 1Gb if the company network is 1Gb, otherwise the link will not come up.

Use a copper Ethernet SFP+ transceiver to connect the Fabric Interconnect quickly into a copper network.

Network Setup

Use LAN Pin Groups to pin server vNICs to specific uplink ports, i.e. to assign them to a network.


Small Cron Job Tricks

While troubleshooting a Linux script that failed to run from cron, I learned the following three things about cron jobs:
  1. Check the system log at /var/log/cron (on Debian and Ubuntu, grep CRON /var/log/syslog or journalctl -u cron) to see whether the job ran on time.
  2. The last cron command in a file, say a file in /etc/cron.d, must be terminated by a newline; following it with an empty line is the safe way to guarantee this. Otherwise the last cron command will not be executed.
  3. Append >/dev/null 2>&1 to the cron command to stop cron mailing its output. 2>&1 on its own only merges stderr into stdout, which cron still mails. By default root receives the mail, or the address specified by MAILTO=user@somehost.tld.
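Both of the silent failures above (a missing trailing newline, and a cron.d line without the user field) can be caught before the file is installed. The script below is an added example, not part of the original post: it lints a /etc/cron.d fragment (the format with a user field; a user's own crontab has no user column and would need NF < 6 instead) and exercises itself on three constructed sample files.

```shell
#!/bin/sh
# Added example: lint a /etc/cron.d fragment before installing it, catching
# the mistakes described above instead of discovering them in the log.
set -e

# Return 0 if the file is a usable cron.d fragment, 1 (with a reason on stderr) otherwise.
crond_file_ok() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "$f: empty or missing" >&2; return 1
    fi
    # $(...) strips trailing newlines, so the result is empty only when the
    # last byte is a newline; cron silently drops the final line otherwise.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: last line has no trailing newline, cron will ignore it" >&2; return 1
    fi
    # cron.d job lines are 5 time fields + user + command (7+ fields), or
    # @reboot/@daily style + user + command (3+ fields).
    if ! awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }    # MAILTO=, PATH=, SHELL=
        $1 ~ /^@/ { if (NF < 3) bad++; next }        # @reboot user command
        NF < 7 { bad++ }
        END { exit (bad > 0) }
    ' "$f"; then
        echo "$f: a job line is missing the user field or the command" >&2; return 1
    fi
    return 0
}

# Constructed sample fragments for the demo: one good, two broken.
good=$(mktemp); bad_newline=$(mktemp); bad_fields=$(mktemp)
printf 'MAILTO=ops@example.test\n30 2 * * * root /usr/local/bin/backup.sh >>/var/log/backup.log 2>&1\n' > "$good"
printf '30 2 * * * root /usr/local/bin/backup.sh >>/var/log/backup.log 2>&1' > "$bad_newline"
printf '30 2 * * * /usr/local/bin/backup.sh\n' > "$bad_fields"   # user field missing

for f in "$good" "$bad_newline" "$bad_fields"; do
    if crond_file_ok "$f"; then echo "ok: $f"; fi
done
```

The good sample also shows the MAILTO and redirect conventions from point 3: output goes to a log file, and only a job that writes nothing to stdout/stderr (or has its output redirected) stays out of root's mailbox.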

Chinese Wireless Router LB-Link

Recently I bought a couple of cheap LB-Link BL-600N wireless routers in China during my trip there. I bought them because I found people discussing on a Chinese router forum that it is the cheapest router (less than CAD$10) with a very high spec (dual-band 600M, gigabit LAN and USB) and supports Tomato firmware. Although people say it runs super hot and suffers from wireless dropouts, I bought it anyway because I have always been pretty lucky buying cheap routers and configuring them with third-party firmware to run stably. I believed I could attach a heatsink to solve the heat problem, and the wireless dropout issue seemed to be heat related.

After a month of effort, I admit my confidence is defeated.

First is the temperature. One guy on the forum used a laser thermometer to test the running temperature. Without a heatsink mod, the inner metal shield runs at 90 degrees Celsius. With a heatsink covering the entire metal shield, the temperature drops to 70 degrees Celsius. I do not have a thermometer, but by touch I can attest to the claim. Without the heatsink mod, in other words with the stock setup, the router started to restart itself randomly after two weeks, obviously due to the high temperature, and it kept restarting every few hours as long as the temperature was not lowered. With the heatsink mod, it does not restart itself anymore.

Second, after the restarting problem was solved, I came to notice the Wi-Fi dropouts. They happen with and without the heatsink mod, and on both of my routers. The heatsink I used is from an old Nvidia fanless video card and is almost as big as the router itself. It does not run too hot to touch. So either the Wi-Fi part of the router is defective or the temperature should be even lower, which I will try if I come across a giant heatsink in future, LOL.

Edit after a year.

I have now been running this LB-Link BL-600N for a year without rebooting. I ended up sticking a big heatsink onto the metal shield of the router, with the plastic case removed of course. Wi-Fi is also disabled because it is not stable with or without the heatsink. I plugged in a dual-band Lenovo Newfi router configured as an AP for the wireless signal. This setup has been rock solid ever since.

The firmware running on the LB-Link BL-600N is Tomato by Shibby, the build for the Tenda N60.