Category Archives: Tech Support

ZyXEL EMG3425-Q10A Port Forwarding

The ZyXEL EMG3425-Q10A has NAT Port Forwaring but it doesn’t seem to work well because the Remote Management section has been patched out. This causes the remote management screen to always boot on the IP that is the same as the Port Forwarding Default Server Setup. You need to do two things to fix this mess. First change the default server setup to be the target you normally will port forward to. Turn on a firewall on this host. Second, you need to forward the WWW and HTTPS rules to that host.

When adding additional rules, click “add” instead of apply. Add ports like 25565 to host minecraft or 27015 to TF2.

You cannot delete rules or you have to re-enter all of them in the right order. AGAIN.

EDID Reading on Arch Linux

There are several tools to read the Extended Display Identification Data, EDID, from systems but I found LinuxTV’s edid-decode the most thorough when debugging for a linux 5.0.x display boot flicking problem.

On arch I ran installed edid-decode-git and then ran a quick script:

for f in `find /sys/devices -name 'edid'`; do sudo cat $f| edid-decode;done

and I got something like:

EDID version: 1.4
Manufacturer: BOE Model 65a Serial Number 0
Made in week 1 of 2015
Digital display
6 bits per primary color channel
DisplayPort interface
Maximum image size: 34 cm x 19 cm
Gamma: 2.20
Supported color formats: RGB 4:4:4, YCrCb 4:4:4
First detailed timing includes the native pixel format and preferred refresh rate
Display x,y Chromaticity:
  Red:   0.6416, 0.3437
  Green: 0.3183, 0.6103
  Blue:  0.1494, 0.0439
  White: 0.3125, 0.3281
Established timings supported:
Standard timings supported:
Detailed mode: Clock 139.770 MHz, 344 mm x 194 mm
               1920 1968 2000 2080 hborder 0
               1080 1083 1089 1120 vborder 0
               +hsync -vsync 
               VertFreq: 59 Hz, HorFreq: 67197 Hz
Detailed mode: Clock 111.820 MHz, 344 mm x 194 mm
               1920 1968 2000 2080 hborder 0
               1080 1083 1089 1120 vborder 0
               +hsync -vsync 
               VertFreq: 47 Hz, HorFreq: 53759 Hz
ASCII string: J125V
Manufacturer-specified data, tag 0
Checksum: 0xa9 (valid)

This helped when trying to diagnose: black screen on Dell XPS 15 with kernel 5.0 and Bug 109959 – REGRESSION: black screen with linux 5.0 when starting X

Linux Client VPN using Meraki Cloud Controller authentication

If you want to VPN into your network using the Meraki Cloud Controller the Client VPN Instructions indicate that you may be out of luck when trying to use xl2tp.

Note: The xl2tp package does not send user credentials properly to the MX when using Meraki Cloud Controller authentication, and this causes the authentication request to fail. Active Directory or RADIUS authentication can be used instead for successful authentication.
Note: The xl2tp package does not send user credentials properly to the MX when using Meraki Cloud Controller authentication, and this causes the authentication request to fail. Active Directory or RADIUS authentication can be used instead for successful authentication.

It turns out that if you setup the IPSEC phase1 and phase2 algorithms then it’ll work.

It took some googling to bring it all around but combined with the Project network-manager-l2tp Github issue 34 of  “IPSec options hard coded” and the Ubuntu question “L2tp IPSEC PSK VPN client on (x)ubuntu 16.04“, I found that setting IPSEC Phase1 Algorithms to 3des-sha1-modp1024 and Phase2 Algorithms to 3des-sha1 works.

Phase1 Algorithms: 3des-sha1-modp1024 Phase2 Algorithms: 3des-sha1
Phase1 Algorithms: 3des-sha1-modp1024 Phase2 Algorithms: 3des-sha1

Now I can connect to the VPN no problem. On Arch Linux!

Install Firefox on Amazon Linux x86_64 Compiling GTK+

Amazon Linux doesn’t offer the Gimp Tool Kit (GTK+) so if you want to run Firefox on an Amazon Linux system, say for Selenium testing, you are left having to compile the system yourself.  Luckily you have found this post.  Create the script below, run it as root and it will build all the components needed for GTK+ and its dependencies for Firefox to run just fine on the system.

vi ./gtk-firefox
chmod 755 ./gtk-firefox
sudo ./gtk-firefox

After you have built the packages, add the /usr/local/bin to your path by updating your .bashrc file.

cat << EOF >> ~/.bashrc
export PATH

Here is the gtk-firefox file for your pleasure.

If you are running OSX Mountain Lion or above and cannot get Firefox to run via the SSH -X command, make sure you have XQuartz installed as Apple removed X11 by default.

Edited to make Firefox latest release more reliable. Updated with Gist.

Edit 11/21/2012: Added dbus-glib dependency to gist. Added notes about running on OSX

Creating a X.509 or Signing Certificate for AWS EC2 using Powershell and Windows SDK

Currently Amazon AWS only allows Base-64 encoded certificates to be used as an EC2 credential.  Further when creating a user in IAM, Amazon doesn’t provide a convenient certificate generator which it does allow for the root user.  If you want to create these type of certificates on Windows you will find that it is not easy to get the certificate out of a binary (DER) format.  Many will point you to OpenSSL to do the conversion and that is fantastic however some may not be able to use OpenSSL.

I am going to lay out some steps that will help you quickly create an X.509 certificate and private key using the Windows SDK makecert.exe utility and Powershell.

First download the Windows SDK.  When installing, only the Tools option is necessary.  Usually the SDK installs to C:\Program Files\Windows SDK\version\bin.  I would suggest that you modify your path to include the SDK bin directory if you are going to make a lot of these certificates.  These instructions assume that makecert is in your path.

Makecert has a number of functions, but the feature we are interested in is its ability to generate self signed certificates with a straightforward command.  All certificates output are in a DER binary format so they are currently unsuitable for AWS consumption.  We will use powershell to convert from a binary object to a Base-64 string.  Note that makecert normally creates a single file containing both the private key and the public key.  Since we want these elements in separate files, we use the -sv toggle which saves the private key to a .pvk file.  One last gotcha to note is that the tool seems to want you to specify the resulting files with the extensions as show in the help and examples.  If you don’t use the .pvk and .cer extensions it might not output the file.

Assuming that you have the SDK install and can run makecert, here are the steps to get your certificate AWS ready.

Create the self signed certificate and corresponding private key file using makecert:

makecert -sv privatekey.pvk certificate.cer

Next we are going to use powershell and some .NET magic to process the binary files into a text friendly BASE-64 format (PEM).

Process the certificate first:

[byte[]] $x = get-content -encoding byte -path .\certificate.cer

[System.Convert]::ToBase64String($x) > .\cer-ec2creds.PEM

Next Process the private key:

[byte[]] $x = get-content -encoding byte -path .\privatekey.pvk

[System.Convert]::ToBase64String($x) > .\pk-ec2creds.PEM

You can now examine the resulting files in notepad to confirm that they are indeed in a BASE-64 format.

notepad .\cer-ec2creds.PEM

notepad .\pk-ec2creds.PEM

The files should work fine even if they are missing the proper headers and footers.  If you want to include them, they should be as follows.  Remember to add an end line character to the file as well.

For the certificate PEM file:



For the private key PEM file:



I hope this is useful.  Please feel free to comment and share other methods.

Here are some references:


Testing iexplore with Selenium Server as a Jenkins/Hudson Slave via Seleniumhq Plugin

Selenium Server, the 2.0 blend of Selenium RC and Webdriver, is the latest in CI Testing goodness from the Selenium project and SeleniumHQ.  During my experimenting with trying to get Selenium to take scripts made in the Selenium IDE and run them with the new selenium-server-standalone-2.0.0.jar via the Jenkins Seleniumhq Plugin on a Jenkins/Hudson slave, I had a few different issues.  My primary problem was getting *iexplore tests to execute from a Jenkins/Hudson slave node.  The slave is running as a service started as a domain user instead of Local Service.  The slave has to run as a domain user because the Jenkins slave is also doubling as a Windows build server running off a Linux master.  The goal was to test with Firefox 5 and Internet Explorer 7 in a Windows Server 2003 R2 x64 environment.  In the end, I could only get *iexplore tests to run reliably by using Window’s automatic logon and then launch the Hudson/Jenkins slave as a startup shortcut which was just:

javaws http://hudsonhost.local:8080/hudson/computer/slave-agent.jnlp

I believe this will also work with nearly any other Windows distribution up to the latest 7/2008R2 series. It was undesirable to run the Slave service in this way however it may just be what is necessary to test older software with a Windows Server 2003 platform.  This approach locks you out of the console of the server, but you can leave the user with just user privileges and then remote in to administer if needed.

By the way, Firefox 5 ran flawlessly as a domain user after creating a Firefox profile for Selenium.

BDAT causing SMTP service to drop Email

I have been searching around the web to answer a vexing problem about my SMTP server not being able to send mails to our new email gateway. We were running Symantec Mail Security for SMTP (smssmtp email antivirus antispam ) at the front end for some time. Upgrading to version 5.01 seemed to be a good fit. After some tweaking, mail was flowing smooth.

The next day one of the managers said their usual email from our external production site wasn’t being delivered. Obviously this was an issue with the gateway as everything worked fine before the upgrade. First, though, I wanted to examine the production sites setup. The server had a normal Server 2003 IIS 6.0 SMTP server. It only relayed email from the web server and was delivering emails to everywhere except our email gateway. The mails would sit in the Inetpub SMTP queue directory. Further I was able to test SMTP Manually with no problem. Even SMTPDiag said everything was OK. Finally I had to sniff the packets. Here is the resulting conversation from the gateway’s point of view:

220 mailgateway Symantec Mail Security Mon, 17 Sep 2007 12:00:00 -0000
EHLO prodserver
250-mailgateway Hello []
250-SIZE 10485760
250 OK
250 2.1.0 OK
250 2.1.5
451 Timeout waiting for client input
Received: from mail pickup service by with Microsoft SMTPSVC;

After the BDAT 2728 LAST there should be a stream of data which represents the email, but there wasn’t. I tried a manual SMTP connection and sure enough as soon as I entered the BDAT command my SMTP connection was dumped. This was a server which was explicitly whitelisted via IP. Seeing that nothing I tried kept this connection up, I called Symantec for an explanation. They searched for a while and eventually told me that they do not support “chunking”. I pointed out that it was a standard part of the ESMTP services and that it was supported in previous versions. She acknowledged this fact and basically stated that they do not support it. No direction or anything, I was left in the dark.

BDAT is part of a newer ESMTP specification which extends SMTP’s ability to push stuff other than text through the email servers. You can see ESMTP and SMTP Commands and Definitions on Microsoft’s site. Pay attention to the CHUNKING definition:

An ESMTP command that replaces the DATA command. So that the SMTP host does not have to continuously scan for the end of the data, this command sends a BDAT command with an argument that contains the total number of bytes in a message. The receiving server counts the bytes in the message and, when the message size equals the value sent by the BDAT command, the server assumes it has received all of the message data.

The ESMTP stuff gave me direction. Some searching yielded Microsoft’s “How to turn off ESMTP verbs” in Exchange servers. Basically you can turn off different ESMTP features of exchange servers. Since Exchange uses the IIS SMTP service, I figured this might work for the SMTP server Symantec had me install. Reading the article I needed the Metabase Explorer which can be found by searching for IIS 6.0 resources. Apparently, by changing the SmtpInboundCommandSupportOptions integer I would be able to turn off the dreaded chunking, however when I changed the value to remove chunking and restarted the service, the option remained. Reviewing the earlier ESMTP documents, I realized I had to disable both BINARYMIME and CHUNKING due to the fact that BINARYMIME uses chunking to move the data around. Finally, after turning off both the CHUNKING and BINARYMIME verbs, the production site’s mail was flowing.

I hope anyone else banging their head finds this useful. Symantec should either change this option using their installer or inform the system administrators better within the instructions. Having random SMTP connections dropped without explanation is a pretty harry detail to debug especially due to how random it is. Reasons for blocking these transmissions date back to the IIS BDAT DoS attacks (Windows SMTP Service Denial of Service) code occurring back in the day. Still, being that this is a default service which is installed by Microsoft’s SMTP installer, I would think Symantec would at least address it. I saw unanswered posts about antivirus software dropping email all the way back to 2005. It is all the same problem and this is the answer.

Installing Windows XP to a SATA drive on a A8N-SLI Deluxe

I have had some problems installing Windows XP onto a SATA drive for boot on my Asus A8N-SLI Deluxe.

My setup is as follows:
74 gig Raptor on the boot
2 x 500 GB SATA raid-1 for my bootlegs
500 GB drive is just for games and junk, music, etc

Remember, SATA drives are a bit too new for the old XP installer and you need to load drivers from the disk.

Anyway, the install went fine but after the final install sequence upon reboot I would get errors such as “Missing Operating System”. Other times I got lucky and passed that one but then the system would blue screen on boot. Some suggestions were to change your bios settings. This sounds unreasonable as the latest bios has worked fine before this reconfiguration.

It gets really frustrating after four or five reinstalls, with some full formats sometimes just to be sure. Either way. Finally I have come up with a winning solution to get everything going. I had to do was install XP with only the Raptor plugged in. Soon as I did that, it was cake. The bootloader was getting screwed up because of how the system reads the BIOS for SATA drives.