Kieran Drain

Allowing Google casting or mDNS between VLANs

9th May 2026 Kieran Drain Comments 0 Comment

If you’ve arrived here you probably just want a way to allow your devices to cast to your Chromecast and Google home devices when you have implemented VLANs and it no-longer works. This guide comes in 2 separate parts – The explanation of why mDNS doesn’t work in a multi-vlan arrangement and the how-to guide for creating a VM or container to resolve the issue. If you’re not interested in the why then skip part 1 and go to part 2.

Part 1: Why mDNS between VLANS is an issue

mDNS stands for multicast domain name system. This is a protocol used increasingly in smart home devices to resolve the ip address for a device or service on a local network. This service fails on a VLAN segregated network as the ‘on a local network’ portion is important here because each VLAN is considered to be a different local network. This can cause issues with services which rely on mDNS.

A prime example of how this can affect us is when it comes to casting from a device to a Google nest speaker or chromecast device. mDNS is used by these devices for discovery of devices to cast to and when our media devices are in one VLAN (Such as an IoT vlan) and our users are in another it can cause issues because it seemingly does not work.

A quick google shows multiple results claiming that the TTL on an IP packet for an mDNS query is set to 1. This means that at soon as the packet is received by the next hop (e.g. the default gateway when crossing the VLAN boundary) then the TTL is decremented and the packet is discarded. So lets confirm this expectation of the behavior. mDNS is defined in RFC 6762, this RFC says the following:

11.  Source Address Check

   All Multicast DNS responses (including responses sent via unicast)
   SHOULD be sent with IP TTL set to 255.  This is recommended to
   provide backwards-compatibility with older Multicast DNS queriers
   (implementing a draft version of this document, posted in February
   2004) that check the IP TTL on reception to determine whether the
   packet originated on the local link.  These older queriers discard
   all packets with TTLs other than 255.

This conflicts with a lot of online sources that say the TTL is set to 1 for mDNS packets. So lets look at how google implements the RFC. To do this I took a wireshark capture of an mDNS query from a local device attempting to cast to a google mini. Lets look at a wireshark capture for one of these mDNS query:

So the TTL is actually set to 255. This means that it is actually possible to route these packets. So what’s going on? To understand this behavior we need to go back to RFC 6762 which states:

   A host sending Multicast DNS queries to a link-local destination
   address (including the 224.0.0.251 and FF02::FB link-local multicast
   addresses) MUST only accept responses to that query that originate
   from the local link, and silently discard any other response packets.
   Without this check, it could be possible for remote rogue hosts to
   send spoof answer packets (perhaps unicast to the victim host), which
   the receiving machine could misinterpret as having originated on the
   local link.

So now we get to the actual issue – When the source of the request is in a different VLAN and the devices are RFC 6762 compliant – they will ignore all queries from the external VLAN as the TTL will be less than 255. So while the generally accepted explanation of the root cause on the internet is wrong – the effect is pretty much the same. Queries from a device in one VLAN are not serviced by a device in a second VLAN. So this tells us there isn’t a layer 3 solution to this problem as at the application level the RFC tells mDNS implementations not to accept anything from a different vlan. Therefore the only solutions have to be implemented within a layer 2 context and routing is not supported.

Part 2: Permitting mDNS across vlans using a VM or container

So now that we know that the mDNS packets will be ignored when they are sourced from a different VLAN we have only one valid solution: Implement a relaying device to relay messages between VLANs. You might think NAT could be used to spoof the IP to be that of the same subnet and it can – but the check isn’t source IP; It’s TTL.

This guide focuses on the second option. To resolve the issue we will implement an mDNS relay server. The concept is simple. We implement a Linux server which is a member on each VLAN we want to mDNS to work between.

So we need a server with an interface/ip address in each vlan where we want mDNS to propagate, we want a service which can relay the mDNS packets/requests and we also don’t want to allow anything else. We may also want to ensure that we only allow the relaying on specific VLANs and not include things like the guest vlan.

Proxmox solution

This solution is ideal when you have a proxmox server on your network to which you are trunking all of the relevant VLANs to the host. The solution involves:

Creating a container
Installing the software to relay mDNS queries
Add the container to all VLANs where relay is desired
Lock down the containers firewall to only allow mDNS

Step 1 – Plan your setup

For this service we need to decide which VLANs we want to relay mDNS between and select an IP address inside every one of those networks. If we run DHCP on those networks we should create a reservation. Create a basic plan to match your home network (example below for illustration only

VLAN ID	IP address	Purpose
500	192.168.1.250/24 2001:db8:CAFE:1::250/64	Servers*
100	192.168.2.250/24	Users
666	192.168.3.250/24	Media

NOTE: All VLANs, VLAN IDs and IP addresses are purely for demonstration and should be changed to match your internal network.

Step 2 – Create a new container

Create your container using whichever Linux distro you prefer. In this example I recommend using Debian 13 or Ubuntu 24. Give it the following resources:

1 vcpu
128 MiB Ram
512 MiB SWAP
2 GB HDD (Assuming Debian 13)

When it comes to network configure your main interface which you will use to have access to the internet from the container. IPv6 is optional but you must have a default gateway and internet access

Next navigate to your containers network settings and add in the additional networks. Note that default gateway should be left blank for these networks:

Step 3 – Install the software required

After you have secured the container to your liking install the avahi-daemon software:

apt install avahi-daemon

Configure the software by editing /etc/avahi/avahi-daemon.conf

vim /etc/avahi/avahi-daemon.conf

Under the [Server] block ensure that use-ipv4 and/or use-ipv6 are uncommented

[server]
use-ipv4=yes
use-ipv6=yes

And under the [reflector] block ensure enable-reflector is set to yet

[reflector]
enable-reflector=yes

If using UFW then permit the mDNS packets in your chosen VLANs and to/from the multicast addresses. If using the proxmox firewall mirror the same rules. Since the servers functions are basic we can completely lock it down to only relay mDNS.

ufw allow from 192.168.1.0/24 proto udp to any port 5353
ufw allow from 192.168.2.0/24 proto udp to any port 5353
ufw allow from 192.168.3.0/24 proto udp to any port 5353

ufw allow to 224.0.0.251 proto udp to any port 5353
ufw allow in 224.0.0.251 proto udp to any port 5353
ufw allow in proto udp to 224.0.0.251
ufw allow in proto udp from 224.0.0.251
ufw allow in proto udp to ff02::fb
ufw allow in proto udp from ff02::fb

Finally enable avahi-daemon and restart the service:

systemctl enable avahi-daemon
systemctl restart avahi-daemon

The server is now setup to automatically relay mDNS

What if i use a different hypervisor/bare metal server/VM?

The process is the same, Create a VM or container with an interface in each VLAN and install the software as before.

Bonus information: Google device internal DNS issue

Unrelated to mDNS – An important thing to know when troubleshooting google devices is that they will often ignore DHCP issued DNS servers and instead use Google DNS (e.g. 8.8.8.8, 8.8.4.4) instead. This can cause issues when resolving DNS internally and sometimes cause issues when using services such as TTS from Home assistant to device to fail to send. There is no way to over-ride this behaviour from the google device but NAT could be used at the network level to over-ride the DNS requests going to google.
Note: This can cause other issues and is not necessarily recommended.

Should I buy vorpX in 2026?

9th May 2026 Kieran Drain Comments 0 Comment

Short answer: No

Long answer: Probably not, but not for the reasons most people will usually state.

Ultimately everyone should make their own decisions but if you chose to purchase vorpX – Just know you were warned about the risks here. If you’re the kind of person that is happy to to take the risk and you like what you see then go for it. If you want clearly defined software with contractually guaranteed updates then walk away. Set your expectations accordingly.

The usual arguments against vorpX are technical ones. People say that UEVR – A free and open source way to add 6 DOF VR to any Unreal engine 4 or 5 game – Is a better solution and has no cost. For non unreal engine games Depth3D is often quoted as a less robust but FoSS alternative to vorpX. Others put their hopes in the upcoming open source Wiz3D project which attempts to revive AMD HD3D/NVIDIA 3D vision in order to add stereoscopic 3d support for a host of games (not necessarily just for VR).

The reality is that vorpX as a technical solution has a lot to offer. A range of games and VR headsets are supported out of the box, the developers continue to release new versions and bug fixes. It’s been around long enough to become well known in the PC VR space. So why don’t I recommend it?

Why don’t I recommend vorpX in 2026?

In a word: Licensing.

The vorpX license and software release structure is just abysmal. It’s not so much poorly designed as it is non-existent. There is no business strategy to the product release; No upgrade paths, no clear support durations and no guarantees for future support. The entire licensing support process lacks professionalism and structure. This makes the entire process feel opaque and dishonest. It does not feel like a professional software offering.

Software distribution: Unlike most software, there is no online portal for vorpX. Everything is done the forums and support email. It has a distinct one-man-band feel to the entire process and every time you want access to the software you have to manually email the vorpX team to get a time-limited link to the software. If you need to reinstall and don’t have your original installer – You send an email or complete a web form and wait for the email response.

Software upgrades: When you make the above requests you’re at the mercy of vorpX as to whether or not you’ll be granted the next release. You might be sent the software or if vorpX feel like you got your moneys worth they might refuse and tell you to ‘upgrade’.

License upgrades: So as an existing customer, you wish to ‘upgrade’ your license to entitle you to the newest versions. How do you do that? Buy the product again at the original purchase price. There is no upgrade path or separation of product license and product support as has been common with paid software solutions for decades.

Product life cycle: The product structure is bad. There is a single vorpX product which you purchase a license with no guarantees of updates. You may have an expectation of updates for an undefined period of time – At the sole discretion of vorpX with no commitments made to this effect. This means you can continue to use the software but have no guarantees for how long and if future changes in VR will be supported.

There is no transparent distinction between when one persons purchase ultimately expires versus another or if there is the decision making process is not public and entirely opaque to the end user.

How did I get to this conclusion?

I originally purchased vorpX in 2017. With the Steam Frame around the corner I decided to request a copy of the software to I could see what the state was. When I requested this I received the following email:

The email opens quite unprofessionally and defensively telling me that they don’t owe me updates and if I want to keep using the software I need to give them more money.

I thought I was purchasing a perpetual license for a piece of software. So I went to check, What did I actually buy?

What are you actually buying? 2017 Edition

So what did I see when I purchased vorpX in 2017?

https://web.archive.org/web/20170919085507/https://shopper.mycommerce.com/checkout/product/46304-2

So the web page mentions I am ordering the vorpX software and makes no mention that this purchase is for a specific version or that it’s only for a limited time. This for all intents and purposes looks like I’m purchasing a perpetual license for a piece of software. In retrospect however there are some clear and transparent terms attached. So what are they?

https://web.archive.org/web/20160914215155/http://www.vorpx.com/terms-conditions

So the terms clarify that I am purchasing a license for all 0.x versions (Beta), The 1.0 release and all subsequent 1.x updates. So this means I am entitled to at least the latest 1.x release.

Despite it’s unprofessional nature – What the email is saying now makes a little sense and is perfectly valid – The 1.x software has been deprecated and my license is no longer valid. This would be fair because no-one expects to get software updates indefinitely. I would however expect to be notified of changes that would affect my ability to use my purchase. That said – I’m out of the loop. I haven’t used the software for a long time so lets see if I was notified.

Email from vorpX? No
News article/Blog post on their website? No
Pinned forum post? No

Back to the email – Legacy version

The e-mail claims I don’t have a license for the current release and need to purchase one or I can use the legacy release for which I am licensed. As we discovered above I am eligible for the latest 1.x releases. So what did vorpX send me:

The web updater linked in the email is marked version 21.2.0.1. It downloads the installer for the software and installs it:

The installer is for version 8.1.5.0. So how does this relate to the terms and conditions to which I am bound? Installing the software reveals this that it is version 1.8.1.5

In April 2016 (over a year before I purchased vorpX) the version numbering on the website changed to reflect the year instead of the decimal version numbering referred to in the terms and conditions. So it’s not actually clear where the cut off existed – Was there ever a 1.x release? Without access to legacy versions there’s no way for me to know.

So i raised the question to VorpX directly raising my concerns around the lack of transparency regarding the cut-off:

In response I received the following answer:

So they did actually confirm my understanding that I had a license valid for all 1.x releases and confirming that this is a perpetual license. They also confirmed they made significant bug-fixes to the April 2018 release and that this was the version I received. It was still not clear for me what the cut off was with regards to the versioning. As these were breaking issues resolved I can only assume that every version received these upgrades but that they chose to use the April 2018 version as the basis for this ‘legacy’ version meaning that from a feature perspective this is the latest ‘content’ update I would ever receive.

At this point in time I’m committed to purchasing the license again to get a supported release so I start to do a bit of due diligence and check what I am actually going to get for my €40 and if it represents good value for money. After reading a few Reddit comments of similar experiences from vorpX support (https://www.reddit.com/r/vorpx/comments/1d0ydn8/psa_the_dev_ralf_can_and_will_remove_your_vorpx/) and not finding anything official regarding these changes – I decided to document the response here to bring some clarity to the situation.

I asked support to clarify my concern around the license terms versioning and published versioning inconsistency and asked what I could expect if I re-purchased the software. At this point I was not opposed to re-purchasing the software but I wanted my decision to be informed. For transparency I indicated that I would be publishing their response.

In response vorpX ignored my request for clarification on the software versioning and instead further justified their decision to end software support. They also refused to explicitly define what purchasing an additional license would guarantee me as it’s not defined anywhere.

So to summarize – There are no guarantees for software updates when purchasing a new version but you can ‘expect’ some updates. It was at this point I decided not to purchase the license due to the massive uncertainty and the ‘trust-me-bro’ answer regarding what my €40 investment would actually get me.

What are you actually buying? 2026 Edition

So when you go to purchase vorpX today – What are you actually purchasing? The purchase link leads to lemonsqueezy.com and this is the description.

So there’s a price and a description. Like before there’s no indication on the terms of this software license does not guarantee updates in offering but unlike before – There is no link to the terms of the software. Instead we get a standard link to the Lemon Squeezy terms: https://www.lemonsqueezy.com/buyer-terms

These terms simply state that the EULA for vorpX applies. So where is the EULA for vorpX clearly displayed before purchase?

I couldn’t find it.

What I could find was more interesting. Although there are no direct links to it on the website – The updated terms and conditions are still present on the vorpX website (As of May 2026).

Terms and Conditions

And these are largely identical to those I would have committed to upon my purchase but with most of the Beta references removed. The key definition of what software updates I am entitled do remain unchanged.

So assuming these terms still apply – Brand new users don’t actually have any license entitlements compared to someone that purchased a decade ago.

So what did I actually get in 2017?

I paid a sum of £36.99 in 2017 on and for that i got:

Feature updates for 6 months, 6 days (3rd October 2017 – 9th April 2018)
- This was from my purchase date to the 18.1.0.5 release)
Bug-fix updates for 7 years, 8 months, 4 weeks, 1 day (2nd July 2025)
- This is estimated based on the last modified date on the vorpX executables)

The feature update duration is disappointing but to give vorpX credit – They did release a substantial bug fix for major breaking changes in 2025. The bug fix is beyond my expectations but supplying that to such an old feature release is disapointing.

So what will YOU get if you purchase vorpX in 2026?

To end our email exchange I emailed vorpX for clarification and posed the question:

And their response was:

So there you have it: You can ‘expect‘ free updates for an unspecified amount of time but you actually have zero guarantees.

vorpX are under no obligation to provide anything. You might get updates, you might not. it’s up to the whims of the developer to decide.

Closing thoughts

No-one expects a product (even software) to last forever – but the product needs to be managed. When Meta unveil a new VR headset they offer continuing support. They do not offer support indefinitely. They set a clear expectation of when the product will no longer be supported and provide advance notice of the fact and the implications of that fact.

All of these issues could have been resolved with better communication and product management.

Have a proper and transparent life cycle for the product with a defined guaranteed support period which is pubically displayed at the point of purchase so there can be no confusion around what the license entitles the purchaser to and for how long.
- The license can be tied to a fixed duration, a product (e.g. a headset or windows version) or number of versions – there are plenty of ways other companies structure their product to forecast effort and ensure income exceeds the effort.
  - A subscription is possible also but indicated as not a desirable path for the developer. That said many Reddit comments support this as an option.
- If support/upgrades is not guaranteed – The purchase page must explicitly state that the purchase is for the current version and that any future upgrades are not guaranteed and delivered on a best effort basis.
- Have formal announcements of version deprecation – Make it clear when a version becomes unsupportable. If vorpX want’s to release patches after this date – Just like all of the major software vendors have done in past – They can. Doing this however leaves vorpX with all of the risk and leads to a situation where the income from sales and the effort to maintain the product do not match. This is not a sustainable way to build commercial software.
Have clear and fair communication. If the initial communication I received was clear that I purchased a license with terms that guaranteed me updates for all 1.x releases and now we are on version that exceeds this – Fine. That’s clear, logical and straight forward. When the communication begins by patronizingly trying to jump three steps ahead of me in an argument that we aren’t having – It leaves a sour taste.
- Every single email I received from vorpX was emotionally charged. Every single email felt like I was dealing with a hot-headed developer who assumed I was calling their baby ugly. This clearly isn’t the first time someone has voiced similar opinions or posed similar questions and it felt like I was being dragged into an existing argument that I didn’t start.
- None of what I have discussed has ever been pubically addressed. Despite having the means via the website, blog posts and email to users – The topic has been largely kept quiet. There are multiple Reddit users complaining but also disagreeing on how it’s handled.
- The application of the license ‘expiration’ is applied inconsistently – Rightly or wrongly leading to a feeling of inequality and injustice. If you have the installer already – In most cases you can continue to use a newer version until it’s possibly arbitrarily forcefully removed but again it’s not transparent.
Develop a better method of software distribution.
- vorpX has been going for over a decade and yet they still use the same mix of WordPress and email and it’s just clunky and outdated

Over the course of four emails I went from trying to understand what I had originally purchased. Then to actively ready to re-purchase vorpX and trying to understand what it was I was potentially purchasing and finally to completely losing faith in the company and product. I don’t think it’s unreasonable in 2026 to expect that software you purchase a license for has a guaranteed lifespan defined in some way or another.

I will not be re-purchasing vorpX for use in 2026 and this interaction was so negative that I be asking for vorpX to delete my existing granted license as I have no intention of ever using it again.

Update: SAR and erasure request

As indicated above I reached out to vorpX via a separate email to their data protection contact to make a Subject access request prior to making my erasure request. They replied back from the support email and the exchange speaks for itself:

This response concerned me as it implied that they wouldn’t action my request believing they knew better somehow. Once deleted the license is gone so this implied that the license would remain in some way. A vendor can refuse an erasure request under the GDPR but obviously only in specific circumstances – None of which applied here. I asked for clarification my erasure request:

And the response was in-line with all earlier responses so far – still trying to justify rather than address the direct concerns raised. At no point were my support request and SAR/Erasure request linked leading me to conclude it just so happened to be the same person behind the exchange – Who this is I can only speculate as it’s not transparent coming from the “vorpX team”.

So exchange just further reinforced my opinion that vorpX were not a company I wanted to deal with in the future.

Following this exchange I financially donated in excess of what vorpX costs to the following projects as being projects that further the stereoscopic gaming space in a free and open source way:

All of these projects are ones to keep an eye on in the future.

Reference: Special addresses

8th November 2021 Kieran Drain Comments 0 Comment

This page serves as a refererence guide for special addresses used in networking.

MAC Addresses

Pattern	Purpose	Usage
00:00:0C:07:AC:[XX]	HSRP v1 IPv4	Last two nibbles are the HSRP group
00:00:0C:9F:F[X:XX]	HSRP v2 IPv4	Last three nibbles are the HSRP Group
00:05:73:A0:0[X:XX]	HSRP v2 IPv6	Last three nibbles are the HSRP Group
00:00:5E:00:01:[XX]	VRRP IPv4	Last two nibbles are the Virtual Router ID
00:00:5E:00:02:[XX]	VRRP IPv6	Last two nibbles are the Virtual Router ID
00:07:B4:00:[XX]:[YY]	GLBP	Last octet is GLBP group [XX] followed by the AVF number [YY]
00:23:04:EE:BE:[XX]	VPC System-mac	Last two nibbles is the VPC Domain ID
01:80:C2:00:00:00	STP BPDU	Destination MAC for BPDUs
01:00:0C:CC:CC:CD	Cisco PVSTP BPDU	Destination MAC for BPDUs
01:80:C2:00:00:02	IEEE Std 802.3 Slow Protocols multicast address	Used for LACP etc
01:00:0C:CC:CC:CC	Multicast MAC for Cisco services	Used for PAgP/CDP/VTP

Fault: Unresponsive UI when putting EVE-NG behind an NGINX reverse proxy

5th July 2020 Kieran Drain Comments 7 Comments

For the purposes of this article I’m making an assumption that the reader has already completed all of the steps required to place EVE-NG behind an NGINX reverse proxy. Using the default settings this can cause the EVE-NG HTML5 GUI to act in an unpredictable manner and at times appear to act like there is extreme latency and jitter on the connection.

This same effect can often be seen on other reverse proxy-like applications and can affect other web applications that rely on real-time or near real time communications. Most notibly Cisco Anyconnects Web SSL VPN appears to suffer from this effect however it can be observed to come and go. There is no resolution for Cisco Anyconnect as the configuration options to resolve the root cause are not available to us.

Root cause: The cause of this behaviour is that NGINX will buffer the traffic to the EVE-NG server and therfore to the Apache Guacamole in behind EVE-NG. While this makes for an efficent proxy; It will prevent connections being made correctly for Apache Guacamole correctly and cause sessions to time out. This eventually will exchaust all available sessions and prevent users from connecting.

Resolution: Disable proxy buffering in your proxy.conf on the NGINX server.

This solution may be suitable for other reverse proxies and SSL Web VPNs if the options are configurable. This is the required configuration to be added to the location section of the config file:

proxy_buffering off;

The below is the full required config for the location section of the reverse proxy configuration should it be required for reference:

location / {
proxy_set_header x-real-IP $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded__for;
proxy_set_header host $host;
proxy_pass https://INTERNALIP:443;
proxy_buffering off;
}

Guide: How to get experience of Palo Alto without physical kit

5th July 2020 Kieran Drain Comments 2 Comments

When studying for the Palo Alto PCSNA exam I had formal training and experience with the PA firewalls themselves. That said; Not all of the PA firewalls I supported used all of the features required for the exam and so self study was essential. Now that I’m beginning my studies for PCSNE I’ve discovered that this not only requires experience of PanOS on the firewalls but also experience of Panorama.

This guide will discuss the options available to someone studying for PCSNA or PCSNE to get some hands on training before sitting the exams.

Palo Alto Learning Centre

Palo alto have an education page explaining the certification process and explaining what resources are available to help you study. The most useful of this is the Learning center. The learning centre provides access to some training courses and training materials however what you get access to is dependent on you or your companies relationship with Palo Alto. Palo Alto partners also get additional learning resouces and courses such as EDU-110. As part of these training courses there are virtual labs available that give access to the physical kit however these courses won’t be available for everyone

Virtual Appliance / EVE-NG

The Palo Alto firewall can be deployed as a virtual appliance in most hypervisors. Even in production these virtual appliances can be utilised. The VM Series appliances can be deployed without being licensed or registered in an ‘evaluation’ type state. This allows us to configure and get used to the GUI/CLI but comes with some major drawbacks. The ‘secret sauce’ of Palo Alto firewalls heavily relies on it’s cloud connected features. These features require licenses. Another drawback is that without the base/throughput license on a Palo Alto firewall we don’t get the monitor logs which makes troubleshooting much more difficult. That said for PCSNA/PCSNE this is a fantastic way to get hands on a real device without any physical hardware. I particularly recommened using EVE-NG to run the PA virtual images in.

EVE-NG is a clientless multi-vendor network emulation platform. Similar to GNS3, It allows us to virtualise a variety of network devices including but not limited to Cisco switches/routers/firewalls and Palo Alto firewalls. This can run on bare metal or on any hypervisor as a VM. It also provides a full HTML5 GUI for interaction meaning that only a web browser is required to use it. It’s very easy to set up and build custom topologies. There exists and free and a professional edition.

EVE-NG Basic topology of 2 x Palo Alto VMs, 1 Layer 3 switch and a docker client of Firefox

The professional edition costs about £108/$112 per year (at time of writing) for individuals and is definetely worth it if you’re studying for Cisco or Palo Alto certifications. The professional edition provides ‘docker’ based images for things like Web Browsers and Wireshark with makes connecting to the GUI on the Palo Alto firewalls much easier and it also allows for interfaces to be connected/disconnected while the devices are switched on.

Example of the EVE-NG Docket firefox node and CLI via the HTML5 GUI

AWS / Amazon Web Services

As I illuded to earlier; The secret sauce for Palo Alto comes from it’s cloud based features such as Wildfire/PanDB URL lookups and APP-ID services. These all require licenses to function and so for study the cost of a dedicated device (even with NFR/LAB licenses) may be too high for an individual. Another issue is the requirement for PCSNE candidates to have experience of Panorama as this also requires licensing for the Firewall.

This is where Amazon Web Services comes in. AWS allows us to spin up virtual Palo Alto firewalls or Panorama in an EC2 instance and to pay by the hour for the use of the devices. As well as the EC2 compute/S3 Storage cost for these we also pay a small fee which covers the licensing and subscriptions for the various advanced features. As we only want this for non-production purposes we can lower the EC2 instances resources to the lowest possible to reduce the cost of running.

AWS has in it’s market place the following options for Palo Alto:

VM-Series Next-Generation Firewall Bundle 1 – From $0.87 per hour

Palo Alto VM Series firewall
Threat Prevention (IDS/IPS) subscription
Premium Support
Panorama subscription

VM-Series Next-Generation Firewall Bundle 2 – From $1.14 per hour

Palo Alto VM Series firewall
Threat Prevention (IDS/IPS) subscription
PanDB URL filtering subscription
Wildfire
Global Protect & DNS filtering subscriptions
Premium Support
Panorama subscription

Palo Alto Networks Panorama – From $0.19 per hour

The Panorama server is slightly different in that the license is applied to the firewall so there is only compute costs.

Other virtual machines can also be spun up in AWS and integrated into your topologies for testing. While this method isn’t free it provides a low cost alternative to an NFR (Not for resale) or Lab licensed device. This allows an individual to have access to the full range of Palo Alto capabilities for a small fee. If this were for a team or company I’d suggest getting the NFR or Lab licensed physical kit as this would be cheaper and more effective in the long run.

I intend to put together a guide on building a PCSNE study environment in AWS at a later date.

Fault: Why does my DNS lookup return my own internal IP Address?

5th July 2020 Kieran Drain Comments 1 Comment

If you’re doing a NSLOOKUP for a DNS Name that resolves to your routers public IPv4 address you may find that the result returned from any external DNS server will resolve to your clients internal IP address. If you have an internal DNS server that is forwarding queries to an external DNS server then you may see the DNS servers IP address when querying.

Scenario: You have a server internally which you’re NATing from your outside interface on your Cisco router to an internal IP address. You run a dynamic DNS client to map WWW.YOURDOMAIN.COM to your public IP. Your clients on the LAN also use this router to get internet access using PAT/NAT Overload. You want to verify that the DNS entry has propagated to Google DNS so you perform an NSLOOKUP to 8.8.8.8 or 8.8.4.4

nslookup WWW.YOURDOMAIN.COM 8.8.8.8
Snslookup WWW.YOURDOMAIN.COM 8.8.8.8
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
Name: WWW.YOURDOMAIN.COM
Address: 192.168.0.10

But if you try an online DNS check tool like MX Toolbox it will return the correct result or if you get someone else to try for you to the same External DNS server they get the correct result.

Investigation: Lets confirm what we appear to be seeing. To do this we will capture the DNS queries for an external website (www.google.com) and one to an entry mapped to my external IP (testdns.kierandrain.com).

Query from 10.100.5.22 to 8.8.8.8 requesting the ip for www.google.com

So we can see the reply to our query here and it has resolved www.google.com to 172.214.169.36 correctly. Next we’ll test for testdns.kierandrain.com which is currently mapped to the public IP of my Cisco router.

Query from 10.100.5.22 to 8.8.8.8 requesting the ip for dnstest.kierandrain.com

So we can see this time that 8.8.8.8 appears to have returned the IP address of the querying host. So why did 8.8.8.8 return the incorrect result and how did google know what the local IP address was to return that in the query? As far as 8.8.8.8 was concerned the request came from my public IP and my client was using NAT to contact 8.8.8.8.

Problem Statement: In short any internal queries where the results IP matches the routers outside interface are somehow modified to return the querying hosts IP address. The same issue doesn’t affect IPv6 traffic.

Root cause: You might suspect that this behavior of the external IP being mapped to an internal one looks supiciously like a NAT issue but since NAT only affects the Layer 3 and Layer 4 information on the packets and we see application layer changes then surely this couldn’t be the case. Could it?

The culprit here is a feature known as ALG – Application Layer Gateway. This isn’t specific to Cisco however it does come enabled on all Cisco routers. ALG is intended to support traffic flows where NAT is being performed by changing application layer data on a packet to reflect the changes performed by NAT. This can however cause problems like the scenario above and particularly for SIP and VoIP traffic where the changes can actually cause the packets to become malformed.

As there’s nothing in our router configuration to tell us this is enabled you will need to use the all command when tryting to view the configuration.

Router#show run all | i ip nat service
ip nat service all-algs

As you can see all ALG services are currently enabled by default. To get a detailed view of the ALG subservices we can run the following command.

router(config)#ip nat service ?
H225              H323-H225 protocol
all-algs          Enable all NAT ALGs
dns               DNS protocol
dns-reset-tl      Reset dns cname ttl value
dns-v6            dns v6 packet processing
ftp               ftp protocol
fullrange         allocate all available port of 1024 to 65535
gatekeeper        Gatekeeper protocol
ipsec-esp         ipsec esp packet processing options
ldap              LDAP protocol
list              Specify access list describing global addresses
modify-in-progress Packet processing options when config is being modified and/or cleared
msrpc             MS-RPC protocol
netbios-dgm       NetBios datagram protocol
netbios-ns        NetBios name protocol
netbios-ssn       NetBios session protocol
pptp              PPTP protocol
ras               H323-RAS protocol
rcmd              RCMD protocol
rtsp              RTSP protocol
sip               SIP protocol
skinny            skinny protocol
sunrpc            SUNRPC protocol
tftp              TFTP protocol

Resolution: To resolve this issue we simply disable the NAT ALG service for DNS by issuing the No command for the service. Note we must do this for tcp and udp separately.

! Most modern IOS/IOSXE will disable the service using these commands
!
Router(config)#no ip nat service dns tcp
Router(config)#no ip nat service dns udp

! Some older IOS devices use the following format
!
Router(config)#no ip nat service alg udp dns
Router(config)#no ip nat service alg tcp dns

Now that this service is disabled the DNS lookups data will not be inspected/changed and so they will return the correct IP address for a client behind NAT.

Tip: Force Cisco device to sync to NTP server

2nd July 2020 Kieran Drain Comments 1 Comment

If NTP is unable to synchronise on a Cisco switch or router you may resolve the root cause and the device will still not be synchronised when we check. This is because the device will wait until the next polling interval to try again. Normally we can wait however in instances where we need to update a number of devices this process can be time consuming.

Device# Show ntp associations
address ref clock st when poll reach delay offset disp
~195.219.205.9 .INIT. 16 - 64 0 0.000 0.000 15937.
sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

To force the sync simply remove the NTP configuration for that peer and re-add it. On the addition of the peer the initial sync is immediate.

Device#conf t
Device(config)#no ntp server 195.219.205.9
Device(config)#ntp server 195.219.205.9

And now when we check it will have immediately been synchronised.

address ref clock st when poll reach delay offset disp
+~195.219.205.9 195.219.14.21 2 31 64 1 15.958 3.940 188.52

Reference: Higher or lower preferred?

16th October 2019 Kieran Drain Comments 0 Comment

This will be a dynamic document to document all the scenarios where it’s not clear which is better; A higher value or a lower value?

I have noticed that as a general rule; For layer 2 technologies a lower value is preferred and for layer 3 a higher value is prefered. The purpose of this post is to keep a list so I can see if this rule holds out or is proven wrong on some occasions.

Cisco

Value	Default Value	Preferred value
HSRP Priority	100	Higher
BGP Local-preference	100	Higher
BGP Weight (Cisco)	0	Higher
BGP MED	0	Lower
Spanning-tree bridge ID	32768	Lower
Router ID auto selection	IP Address¹	Higher

¹The highest active configured IP on a loopback is preferred. If there are no lookbacks then the highest IP address on an active interface is chosen next.

Palo Alto

Value	Default Value	Preferred value
HA Device Priority	100	Lower²

²The palo alto documentation covers this is a very confusing manner. It states that the device with the highest device priority is chosen as the active. It goes on to say that a lower integer value means the device has a higher priority.

Reference: Networking Mnemonics

10th August 2019 Kieran Drain Comments 2 Comments

The following is a list of networking Mnemonics which I have either created, been told about or read about as a method of remembering various aspects of networking as part of my study. This list will be updated as time goes on:

The OSI Model

OSI Layer	Mnemonic	OSI Layer description
1	People	Physical
2	Don’t	Data-link
3	Need	Network
4	Those	Transport
5	Stupid	Session
6	Packets	Presentation
7	Anyway	Application

The OSI Model (Alternative)
Please Do Not Take Sales Peoples Advice

EIGRP K Values

K Value	Mnemonic	K Value Description
K1	Big	Bandwidth
K2	Latencies	Load
K3	Don’t	Delay
K4	Really	Reliability
K5	Matter	MTU

Bear in mind that the Cisco format for entering the metric is as follows

metric [Bandwidth] [Delay] [Reliability] [Load] [MTU]
Metric 100 0 255 1 1500

Always remember that delay is in units of 10 micro seconds and so a value of 10 is actually equal to 100 micro seconds of delay.

OSPF LSA Types

LSA Type	Mnemonic	LSA Description
Type 1	Right	Router LSA
Type 2	Now	Network LSA
Type 3	Some	Summary LSA
Type 4	Argue	ASBR Summary LSA
Type 5	As¹	ASBR External LSA
Type 6	Good	Group Membership LSA
Type 7	Network	NSSA LSA
Type 8	Engineers	External Attributes
Type 9	Look	Link Scope Opaque
Type 10	Always	Area Scope Opaque
Type 11	Aside	AS Scope Opaque

¹ Think of As path to remember external

Cisco BGP Attributes (NB: Not yet completed)

BGP Metric	Mneumonic	Preference	Significance	Requirement
Weight	–	Highest	Local	–
Local Preference	–	Highest	Local AS	–
Local originated	–	Local originated	Local	–
AS Path	–	Shortest	Global	–
MED	–	Lower	Global	–
External	–	eBGP > iBGP	–	–
IGP cost	–	Lowest	–	–
eBGP Peerin	–	Oldest	–	–
Router ID	–	Lowest	–	–

BGP attributes are evaluated from the top down. Preference is which value is better than another value and significance is whether that property carries to other AS, Is local to the AS or is local to the device. Compatibility is whether something is vendor proprietarty.

Syslog Severity levels

Syslog level	Mneumonic	Syslog Level description
0	Everyone	Emergency
1	Always	Alert
2	Complains	Critical
3	Even	Error
4	When	Warning
5	Nothing	Notification
6	Is	Informational
7	Different	Debugging

Guide: Using KeePass – The Basics

10th August 2019 Kieran Drain Comments 0 Comment

What is KeePass?

KeePass is a free and open-source password manager. The application allows for usernames, passwords and other information such as strings and files to be stored in a secure database. Where KeePass differs from many commercial solutions for password management is that it stores these in a single encrypted file rather than utilising anything storage in the cloud.This credential database is secured using a master password.

Why use KeePass?

It is best practice to use a unique username and/or password for each service we create credentials for. This practice prevents a scenario whereby if one service is compromised (e.g. Email) that the same credentials are compromised by virtue of being used for other services (e.g. Online banking). It is also good practice to pick a strong password which would be infeasible for a computer to crack. The problem is that doing this gives an unreasonable amount of credentials to memorise. KeePass allows for the storage of credentials and creation of cryptographically secure passwords meaning that we need only remember the master password. It is also free and open source and so open to scrutiny and comes at zero cost.

I personally use KeePass because I’m too forgetful to remember all of these usernames and passwords and too lazy to manually type them in.

Getting started with KeePass

As stated before KeePass stores the passwords in a database file. If you have multiple devices you may need access to this file from multiple locations. To achieve this you can store the KeePass file on cloud storage such as Google Drive, OneDrive, Dropbox or iCloud.

KeePass Clients

As KeePass is free and open-source there are multiple clients across the different platforms. These are the clients I have used and can personally recommend. Simply install the applications to get started.

KeePass official Client
- Available for Windows, Linux, MacOS etc here
- This is the official application for KeePass. Be sure to download version 2.X as this has much more features
- If you use this application I’d recommend donating something to keeping the project alive.

Keepass2Android
- Available from the android app store
- Created by Philipp Crocoll. There are no advertisements with the exception of an annual prompt asking for kind donations.
- Supports a number of cloud locations for the database, autofill integration and fingerprint login.
- If you use this application I’d recommend supporting the project by buying the developer a beer.

Creating the KeePass database

Inside the application choose to create a new database. You’ll then be prompted for the login credentials.

Ensure that you set a strong password as this will protect all of your other passwords. You can also use a key file to provide additional security. Another option is to use your computers login account in place of the authentication. I do not recommend this approach due to the extra risks involved.

In addition to the default settings I recommend making the KeePass database stronger by using the key transformation options. This makes checking the password more computationally difficult and therefore take longer. Before this is enabled we can see how long a guess would take:

This means a computer could guess 500 passwords per second if it were to try to brute force the password. By selecting 1 second delay it will modify the key transformation such that it takes much longer.

This now means a computer could guess less than 1 password per second and is therefore more resistant to brute forcing. The rest of the default settings are good enough.

There are a number of options in the settings to change how KeePass operates; Things like whether or not it opens on startup, minimizes to the tray or the start menu or default usernames for entries. These are largely personal preference however I’d recommend setting the following options.

Enable “Enter Master key on secure desktop”. This option uses the secure desktop (like when UAC dims the screen when asking for an admin prompt) when entering your password thereby preventing applications from intercepting the key strokes. The other option I recommend changing is the autotype features.

I personally recommend using F4 for Global Autotype and Control + Alt + P for the Autotype selected entry. The auto type feature is something I’ll explore in a later blog post.

Once the KeePass file is created and saved it’s just a matter of pointing whatever client you use to the file wherever the file is and enter the master password.