Cruise review: NCL Getaway – February 18, 2018 [Part 7 – At Sea and Return to Miami]

This post is part 7 in a series of 7 about our vacation on the NCL Getaway, from February 18-25, 2018. You can read the other parts here:

Day 7: From buffet to steak

Our last full day was at sea, involving a trip to the buffet for both breakfast and lunch. Again, there was nothing exceptional to point out at either meal, but both of us didn’t have any complaints about the food. We always seem to find quite a few things we like and the buffet has no shortage of options. It seemed like the bar stock at the Garden Cafe had deteriorated by lunchtime as there was a much more limited selection of beer available. Other bars didn’t seem to have the same issue throughout the day but it was a noticeable change upstairs, possibly indicating the impending end of the trip.

In the early afternoon we did a circuit of the Waterfront on deck 8, finding the Sugarcane Mojito Bar to be too windy, and the Sunset Bar to be less of a sunset and more of an oven-like heat and light experience. Kayla went to try and find a seat with a happy medium between the two extremes, while I milled around the Sunset Bar. Another indicator that the cruise was wrapping up was that the bartenders were actively soliciting people to fill out comment cards.

Cruise review: NCL Getaway – February 18, 2018 [Part 6 – Cozumel]

This post is part 6 in a series of 7 about our vacation on the NCL Getaway, from February 18-25, 2018. You can read the other parts here:

Day 6: Fishin’ in Cozumel

One of our more in-depth excursions this trip was to take a fishing charter while in Cozumel. We’d done some research and settled on Cozumel Charters, selecting a 4-hour bottom fishing tour on an economy-class boat good for up to 4 people. We picked the bottom fishing option over deep-sea fishing, again mainly due to online reviews claiming that there was a higher likelihood of catching something. I am pleased to report that the collective knowledge of the Internet did not disappoint and we had a great time.

After submitting our details and 30% deposit by credit card, we got a confirmation email shortly afterward, containing a list of detailed instructions including where to meet the charter, what to bring, keeping the fish (they’re yours) and where to get them cooked if you’d like to eat your catch. There was also a handy PDF acting as confirmation and an invoice. The rest of the payment is made in USD at the port when you get picked up.

Our instructions were to take a taxi to Puerto Abrigo after disembarking the ship. There’s a bit of up the stairs, dodging the shops, and down the stairs to get to the taxi pickup at the port, but the first person who asked us if we needed a cab was in fact a legitimate port representative. The 10-minute ride there cost $10 US plus tip; there is a whole conversion racket and they don’t take credit cards, so you might do better with pesos if you already have them. As of May 2018, apparently the standard rate was $15 US so I don’t feel like we did too badly.

Cruise review: NCL Getaway – February 18, 2018 [Part 5 – Harvest Caye and Roatan]

This post is part 5 in a series of 7 about our vacation on the NCL Getaway, from February 18-25, 2018. You can read the other parts here:

Day 4: Harvest Caye (vs. Great Stirrup Cay)

Awoken to the rattling of the VOIP/PoE phone across the desk, and combined with the time change of minus one hour, Kayla and I were able to rouse ourselves in enough time for a full service breakfast at Savor. She selected the Eggs Benedict, and I chose the eggs to order (over easy) with a side of link sausage. It was a fairly standard breakfast offering, but nothing to complain about.

Cruise review: NCL Getaway – February 18, 2018 [Part 4 – Costa Maya]

This post is part 4 in a series of 7 about our vacation on the NCL Getaway, from February 18-25, 2018. You can read the other parts here:

Day 3: A lovely pile of rocks in Costa Maya

The title of this section comes from a TripAdvisor review (filter by 3 star/Average) in which the reviewer is unimpressed with the Chacchoben Mayan ruins, declaring them “a pile of rocks”. I mean, points for calling it like you see it, but they’re historic rocks – what exactly were you expecting?

The docking process this morning seemed unreasonably lengthy and loud, but I’m only an amateur and any loud noises in the morning have been a subject of contention since a very early age.

Before disembarking, we went to the buffet and acquired some food. I’m not typically a breakfast person, but made a good attempt as it wasn’t clear when lunch would be offered on our tour. One noticeable omission from the morning buffet was bananas, which I’d figured would be a standard and highly available breakfast item, but none were to be seen. Of course, I didn’t actually ask anybody, so this could just be chalked up to early-morning grogginess.

Keep in mind that in general, you can’t take food off the ship into the ports lest ye incur the wrath of vessel security and foreign customs officers, so that “apple to go” better be down to the core and ready to be pitched by the time you’re on the lower decks.

Cruise review: NCL Getaway – February 18, 2018 [Part 3 – At Sea]

This post is part 3 in a series of 7 about our vacation on the NCL Getaway, from February 18-25, 2018. You can read the other parts here:

Day 2 at sea: Rock the boat

The downside of being at the extreme front end of the ship was apparent in the early hours of Monday, when we were jolted awake overnight several times with cabinets rattling and above-average movement of the ship. Both of us woke up at 5am and tried to get back to sleep, then later awoke at 9am to different kinds of noises: a high-pitched, whistling, wind sound from the front door, accompanied by low-pitched, repetitive bass from the cabin next to us.

It turns out that when your cabin is directly at the end of a long hall, the design of the passageway causes an effect not dissimilar to that of a wind tunnel. Kayla, who has less tolerance for soothing ocean sounds than I do, gave the cabin door a mighty hipcheck to silence the noise.

Unfortunately, this action only remedied half of the problem – I was still very conscious of the bass line emanating from the next cabin over. Eventually I was irritated enough to get up and on with my day, while my wife was able to ignore the low frequency and fall back asleep. Upon exiting the cabin, the stateroom beside us had its door slightly ajar, leaking the cacophony of noise into the hall as well.

I’m really not sure what to do in these circumstances – it didn’t feel worth a complaint, and I think the price difference between the rooms (Haven vs. oceanview) might make the staff more reluctant to enforce any sort of noise bylaw. In any event, I don’t recall similar morning music happening for the rest of the cruise, so the problem didn’t come up again.

I ambled up to the buffet and encumbered my plate with pork, waffles and potato products. Very shortly after I sat down, a server came over and offered coffee right at the table, which was a nice perk.

Cruise review: NCL Getaway – February 18, 2018 [Part 2 – Embarkation and Sail-Away]

This post is part 2 in a series of 7 about our vacation on the NCL Getaway, from February 18-25, 2018. You can read the other parts here:

Day 1: Embarkation

After checking out of the Residence Inn, we caught an Uber to PortMiami for $21US and went through the entrance at Terminal B, which was being used to board all the odd-numbered passenger decks (e.g. 5, 9, 11, 13 and 15) – Terminal C had the even-numbered floors.

The ride to the port was 27 minutes, and it took us about another fifteen minutes to get through security and half-way through the check-in line on the main floor – so I’d estimate we spent about half an hour total waiting before getting on the ship.

Despite our experience with NEXUS cards being the key to avoiding confusion in Port Canaveral, the port agent in Miami wanted nothing to do with them and didn’t even flip past the picture page on our passports. I guess the next approach will be to offer both passport and NEXUS, and see what the agent prefers for identification and immigration purposes.

We were issued ship keycards with the appropriate indicators for our dining and beverage packages, which I would suggest is a key thing to verify before leaving the check-in desk. Later on in the day, a few folks at the bar in front of us were missing the package codes, and were told that they’d have to go wait in line at Guest Relations to get a sticker.

Cruise review: NCL Getaway – February 18, 2018 [Part 1 – Miami]

This post is part 1 in a series of 7 about our vacation on the NCL Getaway, from February 18-25, 2018. You can read the other parts, which will be linked here as they’re published:

Thanks for joining as I discuss our long-promised, often-delayed February trip on a ship! We make it to Miami, the Western Caribbean and back again to the extremely odd weather of Southwestern Ontario.

(If this was YouTube, you might imagine the above introduction set to obnoxious dubstep and prefaced with “It’s ya boy!”)

As previously mentioned in my December 2017 NCL Epic review, we partook in the Norwegian CruiseNext Ultimate program, bought some deposits and used one of them on the February 18 sailing of the Getaway to coincide with Kayla’s week off.

To avoid burying the lede even further, of our four total cruises with Norwegian, this was probably the best experience we’ve had so far. Everything lined up very well; the Getaway offered everything we like in a ship; and we had a great time before, during, and after the cruise.

EdgeRouter 4: routing, VLANs and banging one’s head against the wall

I spent most of my Labour Day trying to accomplish two tasks with an EdgeRouter 4 and the other miscellaneous networking gear in the house: setting up a simple VLAN and getting my backup DSL connection working.

Two WANs and a LAN

With two WAN connections (one DHCP/cable, one PPPoE/DSL), I wanted to have specific local network ranges send traffic out to (and receive forwarded traffic from) a specific WAN connection. Note that this isn’t quite the load balancing feature (which I don’t want), but more so “IP range A uses cable, IP range B uses DSL”. I went through the gauntlet of EdgeRouter support articles and forum posts without much success:

I haven’t yet solved the problem, but I believe the issue is related to the PPPoE connection not injecting default routes into the main table (hence the need for policy-based routing), plus my second SNAT rule didn’t seem to match traffic. The PPPoE connection has a very volatile dynamic IP address, so source NATing based on address translation rather than masquerade wouldn’t work.

In any event, I’m sure this will be another weekend problem, but it was compounded by…

Why can’t I ping hosts on the VLAN?

Using some details from the “Router on a Stick” configuration, I wanted to split out hosts that would be on the DSL network from the cable network. I added a new VLAN (16) to eth1, stood up a DHCP server in the appropriate IP block, and configured /etc/network/interfaces on my Ubuntu 16.04 box using approximately these instructions from Debian and microHOWTO. The system got a lease in the correct range, but hosts on VLAN 1 (192.168.1.0/24) were unable to ping or access the server in VLAN 16 (192.168.16.0/24).

I went through a large number of troubleshooting steps, including:

  • Can I ping from VLAN 16 to VLAN 1?
    • Yes, but the server still had an interface on VLAN 1, so this wasn’t really a valid test.
  • Can I ping the router IP address?
    • Yes, clients from VLAN 1 could ping 192.168.16.1, which is the EdgeRouter IP on VLAN 16.
  • What does tcpdump say?
    • The Linux box on VLAN 16 was getting ping packets, but not replying to them.
  • Are there firewall rules on the EdgeRouter that might be preventing VLAN-to-VLAN traffic? 
    • The default seems to be “accept”, but adding explicit accept policies including logging only showed the inbound traffic.
  • Is the switch not permitting VLAN traffic?
    • The Cisco SG500-52P purchased as surplus gear has the most awful web interface. I tried changing the port mode from “Trunk” to “General” and back again, specifically setting the port for the server as untagged/PVID 16 and then updating the config on the Linux box to avoid tagging the VLAN – no change. I also took the opportunity to upgrade the firmware.
  • Is the EdgeRouter somehow not permitting the reply ICMP traffic at a lower level that I can’t easily see?
    • At this point I busted out the old pfSense box and hooked it into an EdgeSwitch Lite, configured VLANs and firewall settings correctly there and tried to ping the server on VLAN 16 from another system. No change.

At this point I had changed out all components in the equation except for the server, so after dinner I poked around with a few more settings in the switch and then tried a different scenario:

  • Using a “known good” Netgear GS742 switch that wasn’t connected to the rest of the network, I configured port 3 with VLAN 16, untagged/PVID
  • A Windows desktop computer was connected to port 1 with VLAN 1 untagged
  • A macOS laptop was connected to port 3
  • The pfSense box was connected to port 24 and offered DHCP on VLANs 1, 16 and 32

When all components were connected, the desktop on VLAN 1 at 192.168.1.101 was able to ping the laptop on VLAN 16 at 192.168.16.101 successfully.

The next test was to move the laptop downstairs, plug it into the Cisco SG500-52P, and assign the port VLAN membership as 16, untagged, PVID. The laptop picked up a DHCP lease from the EdgeRouter, and a system on VLAN 1 elsewhere on the network was able to ping the laptop on VLAN 16!

Investigating the server

At this point, the trouble seemed to lie with the server itself. After some Googling, I ran across an Ubuntu Forums post that talked about VLAN routing issues – the last post suggested checking the rp_filter setting with the following command:

sysctl -a | grep \.rp_filter

The setting is described in sysctl.conf as:

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks

On my IBM x3650 server with a large number of interfaces, it turns out rp_filter was enabled in the “all”, “default” and “eno2” categories:

net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.br-0fce6441466a.arp_filter = 0
net.ipv4.conf.br-0fce6441466a.rp_filter = 1
net.ipv4.conf.br-f02b395ad2f3.arp_filter = 0
net.ipv4.conf.br-f02b395ad2f3.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.docker0.arp_filter = 0
net.ipv4.conf.docker0.rp_filter = 1
net.ipv4.conf.eno1.arp_filter = 0
net.ipv4.conf.eno1.rp_filter = 1
net.ipv4.conf.eno2.arp_filter = 0
net.ipv4.conf.eno2.rp_filter = 1
...

I made the following adjustments to /etc/sysctl.conf, then ran sysctl -p:

net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

Then manually made the adjustment for the eno2 interface (note that in “sudo echo 0 > file” the redirection is performed by the calling, unprivileged shell rather than by sudo, so the write itself has to be done by a privileged process):

echo 0 | sudo tee /proc/sys/net/ipv4/conf/eno2/rp_filter

After this command was run, I was able to successfully ping the server’s IP address in VLAN 16 from a desktop in VLAN 1.
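As an added illustration (not code from the original post), this Python model of the kernel’s reverse-path check shows why a strict rp_filter on eno2 silently drops pings from VLAN 1: the server’s route back to 192.168.1.0/24 is via eno1, not the interface the packet arrived on. The routing table is constructed from the two-interface server described above; the default route via eno1 is an assumption.

```python
import ipaddress

# Constructed routing table for the two-homed Ubuntu server in the post:
# eno1 sits on VLAN 1, eno2 on VLAN 16. Interface names and subnets match
# the post; the default route leaving via eno1 is an assumption.
ROUTES = [
    # (destination prefix, outgoing interface)
    ("192.168.1.0/24", "eno1"),
    ("192.168.16.0/24", "eno2"),
    ("0.0.0.0/0", "eno1"),
]


def reverse_path_ifaces(src_ip, routes=ROUTES):
    """Interfaces the host would use to reach src_ip (longest-prefix match).

    Mirrors the FIB lookup the kernel performs with the packet's *source*
    address as the destination. A set is returned because ECMP routes can
    give several equally specific answers."""
    src = ipaddress.ip_address(src_ip)
    best_len, best = -1, set()
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if src not in net:
            continue
        if net.prefixlen > best_len:
            best_len, best = net.prefixlen, {iface}
        elif net.prefixlen == best_len:
            best.add(iface)
    return best


def rp_filter_accepts(mode, src_ip, in_iface, routes=ROUTES):
    """Decide whether rp_filter lets one inbound packet through.

    0 = no check; 1 = strict (RFC 3704: the reply must leave via the
    interface the packet arrived on); 2 = loose (any route back to the
    source is enough, so with a default route nearly everything passes)."""
    if mode == 0:
        return True
    back = reverse_path_ifaces(src_ip, routes)
    if mode == 1:
        return in_iface in back
    if mode == 2:
        return bool(back)
    raise ValueError("rp_filter mode must be 0, 1 or 2")


def effective_mode(all_value, iface_value):
    """Linux applies the higher of conf.all and conf.<iface> rp_filter, so a
    per-interface value of 1 keeps strict mode even after conf.all is 0."""
    return max(all_value, iface_value)


if __name__ == "__main__":
    # The post's failing case: a VLAN 1 client pings the server's VLAN 16 address.
    for mode in (0, 1, 2):
        verdict = rp_filter_accepts(mode, "192.168.1.101", "eno2")
        print(f"rp_filter={mode}: ping from 192.168.1.101 arriving on eno2 ->",
              "answered" if verdict else "silently dropped")
```

rp_filter=2 (loose mode) still discards packets from sources the host has no route to at all, and is the usual middle ground for multi-homed hosts rather than switching the check off entirely.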

Follow-up tasks

So that I don’t forget, here are some follow-up tasks that I’d like to finish for this project (in addition to sorting out the PPPoE routing):

  • Do some reading and better understand the rp_filter mechanism. Try firing up a VM or system with only one interface (instead of one on VLAN 1 and one on VLAN 16) to see if this affects the behaviour.
  • Reboot the server in question and see if the rp_filter setting persists on the eno2 interface based on the “conf.default” and “conf.all” settings.
  • Review switch port settings; see if some ports can be changed to “General” from “Trunk”. Consider replacing the switch with something that will cause less irritation.
  • See if merely tagging the port with VLAN 16 (and not setting it as untagged/primary) and configuring an eno2.16 interface still allows traffic to flow.
  • Apply firewall rules on the EdgeRouter (starting from a “deny all” basis) and confirm that only authorized traffic is permitted.
  • Ensure VLAN hardware offload is enabled on the EdgeRouter.
  • Add another VLAN now that the first one was figured out!

Windows file share and NTFS permissions

For future reference when I inevitably forget whether it is more appropriate to restrict folders with NTFS permissions (Security tab) or file share permissions (Sharing tab).

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v%3dws.10)

“For example, some experienced administrators prefer always to set share permissions to Full Control for Everyone, and to rely entirely on NTFS permissions to restrict access.”

Relevant table of examples (for each folder type, the recommended share permissions and NTFS permissions):

  • Public folder. A folder that can be accessed by everyone.
    • Share permissions: Grant Change permission to the Users group.
    • NTFS permissions: Grant Modify permission to the Users group.
  • Drop folder. A folder where users can drop confidential reports or homework assignments that only the group manager or instructor can read.
    • Share permissions: Grant the Change permission to the Users group. Grant the Full Control permission to the group manager.
    • NTFS permissions: Grant the Write permission for the users’ group that is applied to This Folder only. (This is an option available on the Advanced page.) If each user needs to have certain permissions to the files that he or she dropped, you can create a permission entry for the Creator Owner well-known security identifier (SID) and apply it to Subfolder and files only. For example, you can grant the Read and Write permission to the Creator Owner SID on the drop folder and apply it to all subfolders and files. This grants the user who dropped or created the file (the Creator Owner) the ability to read and write to the file. The Creator Owner can then access the file through the Run command using \\ServerName\DropFolder\FileName. Grant the Full Control permission for the group manager.
  • Application folder. A folder containing applications that can be run over the network.
    • Share permissions: Grant Read permission for the Users group.
    • NTFS permissions: Grant Read, Read and Execute, and List Folder Content permissions to the Users group.
  • Home folders. Individual folders for each user. Only the user has access to the folder.
    • Share permissions: Grant the Full Control permission to each user on their respective folder.
    • NTFS permissions: Grant the Full Control permission to each user for their respective folder.

Exchange 2016 + Outlook on iOS and Android: Message size limits and their configuration

Users with the official Microsoft Outlook client on Android or iOS kept running into ~36MB size limits when attempting to send attachments (given the megapixel sizes of most cell phone photos, this can amount to 3 to 4 pictures attached and the whole message is rejected), and none of the conventional transport/mailbox maximum size settings were the cause. I’m hoping the changes in the following articles are the fix:

The settings I specifically believe are responsible are:

  • maxAllowedContentLength in %ExchangeInstallPath%FrontEnd\HttpProxy\ews\web.config
  • maxAllowedContentLength and maxReceivedMessageSize in %ExchangeInstallPath%ClientAccess\exchweb\ews\web.config
  • maxAllowedContentLength and maxRequestLength in %ExchangeInstallPath%FrontEnd\HttpProxy\owa\web.config
  • maxAllowedContentLength, maxRequestLength and maxReceivedMessageSize in %ExchangeInstallPath%ClientAccess\Owa\web.config
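Added example (Python, not from the original post or from Exchange itself): an offline audit that pulls the three attributes listed above out of a web.config and normalises them to bytes, because maxRequestLength is expressed in kilobytes while the other two are bytes, and the lowest of the three is the one that rejects the message. The web.config fragment is constructed for the example and the element nesting around the WCF binding is simplified.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not copied from a real Exchange server):
# each knob sits where IIS, ASP.NET and WCF read it, but the element nesting
# around the WCF binding is simplified.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="35000" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="36000000" />
      </requestFiltering>
    </security>
  </system.webServer>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="EWSHttpBinding">
          <httpsTransport maxReceivedMessageSize="36000000" />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
</configuration>
"""

# Multiplier that turns each attribute into bytes: maxRequestLength is
# expressed in kilobytes, the other two in bytes.
UNIT_BYTES = {
    "maxAllowedContentLength": 1,
    "maxRequestLength": 1024,
    "maxReceivedMessageSize": 1,
}


def limits_in_bytes(xml_text):
    """Collect the three attributes wherever they occur, normalised to bytes.
    If an attribute appears more than once (e.g. on several bindings) the
    smallest value is kept, because that is the one that rejects a message."""
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter():
        for name, factor in UNIT_BYTES.items():
            if name in elem.attrib:
                value = int(elem.attrib[name]) * factor
                found[name] = min(value, found.get(name, value))
    return found


def bottleneck(xml_text):
    """Return (attribute, bytes) for the setting that bites first, or None."""
    limits = limits_in_bytes(xml_text)
    if not limits:
        return None
    name = min(limits, key=limits.get)
    return name, limits[name]
```

Point ET.parse at the four files listed above to audit a real server; Exchange Cumulative Update setup rewrites these web.config files, so re-run the check after every CU.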