Syed Jahanzaib Personal Blog to Share Knowledge !

August 27, 2021

NAT types for console | a horror tale for gamers behind NAT

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 4:55 PM

First of all, **What is NAT?**

Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses, before packets are forwarded to another network.

As part of this capability, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments.

Basically, NAT allows a single device, such as a router, to act as an agent between the Internet (or public network) and a local network (or private network), which means that only a single unique IP address is required to represent an entire group of computers to anything outside their network.

Moving on, the 3 NAT types, when concerning gaming consoles/PCs, PS3/PS4, or the Xbox 360/Xbox One, are

  1. Open (Type 1)
  2. Moderate (Type 2) &
  3. Strict NAT (Type 3)

NAT1 is a direct connection to the internet; all ports are accessible, with no port forwarding rules required. Ultimately, an Open/Type 1 NAT will provide the best connection quality whereas Moderate and Strict NAT restrict the connections between a gaming console or PC. If your internet connection has a public IP address (non-RFC1918, non-RFC6598) on the exterior interface of your home router, you should be able to have your PS4 run in NAT2 mode. If you control the port forwarding on your home router, you should be able to get the PS4 to run in NAT1 mode, even on an internal RFC1918 address.

NAT2 is a single layer of public-to-private conversion, and requires assisted port forwarding to achieve inbound connections to the PS4. The Moderate, Type 2 NAT, as well as Strict, Type 3 NAT, limits the connections that can be created between your gaming console or PC and someone else’s gaming consoles or PCs. Users with Moderate NAT, or type 2 NAT, are only able to connect with other users also having a Moderate NAT type, type 2, or an Open NAT Type, type 1.

NAT3 is two layers of conversion, and usually involves a carrier-grade NAT device at the ISP, as well as a NAT device at the home, making it nearly impossible to achieve direct inbound connections to the PS4; in NAT3 mode, only server-assisted connections are possible, with each PS4 establishing an outbound connection through the two layers of NAT devices, with centralized servers mediating the PS4-to-PS4 communication. Users with Strict/Type 3 NATs can only connect with other users using an Open/Type 1 NAT. Furthermore, at a smarter NAT 3 setup, if you see an address in on the outside interface of your home router, you’re out of luck; you’re in NAT3 territory, may GOD have mercy on your gameplay 🙂
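The NAT type you can reach depends on what kind of address sits on the outside interface of the home router. The following script is an added example, not part of the original post: it classifies an IPv4 address as RFC1918, RFC6598 or neither and prints the NAT outlook described above. The function names and sample addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original post.
# Classifies the IPv4 address seen on a router's outside (WAN) interface.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; returns 1 if malformed.
ip_to_int() {
    local o old_ifs
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            0?*|????*) return 1 ;;   # no leading zeros, at most 3 digits
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK PREFIXLEN -> exit status 0 when IP is inside NETWORK/PREFIXLEN.
in_cidr() {
    local ip net mask
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "$2") || return 1
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify_wan IP -> rfc6598 | rfc1918 | public | invalid
# "public" here means what the post means: neither RFC1918 nor RFC6598.
classify_wan() {
    ip_to_int "$1" >/dev/null || { echo "invalid"; return 1; }
    if in_cidr "$1" 100.64.0.0 10; then
        echo "rfc6598"
    elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; then
        echo "rfc1918"
    else
        echo "public"
    fi
}

# nat_outlook IP -> one-line reading of the result, following the NAT1/2/3 description.
nat_outlook() {
    local kind
    kind=$(classify_wan "$1") || true
    case $kind in
        public)  echo "$1: public WAN address, one NAT layer: NAT2, or NAT1 with port forwarding" ;;
        rfc1918) echo "$1: RFC1918 WAN address, a second NAT layer sits upstream: expect NAT3" ;;
        rfc6598) echo "$1: RFC6598 WAN address, carrier-grade NAT at the ISP: expect NAT3" ;;
        *)       echo "$1: not a valid IPv4 address" ;;
    esac
}

# Constructed sample addresses (documentation and private ranges only).
for addr in 203.0.113.7 192.168.1.10 100.72.14.3 10.0.0.1 300.1.1.1; do
    nat_outlook "$addr"
done
```

Feed it the address shown on the router's WAN status page, not the address of the console itself.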


More to come from the Mikrotik Side …

July 29, 2021

MySQL: DROP tables older than X Period using BASH Script

Notes for Self:

The following script can delete one or more tables older than X time from a MySQL DB. It was pretty useful for the DMASOFTLAB RADIUS MANAGER CONNTRACK table or a customized SYSLOG-NG logging system, where a table is created automagically in the database every day, named after the current date in YYYY_MM_DD format (the dates use underscores). There are other solutions as well, like creating a procedure, but since this was an older MySQL version, I took this route.


DMASOFTLAB Radius Manager has its own connection tracking module, which stores its data in date-wise tables (YYYY-M-DD format for table). Deleting these from a bash script with a bare table name is not possible because older versions give a syntax error, therefore we had to wrap the table name in BACKQUOTEs.

Also, most importantly: DMA creates a table called tabxid to hold the conntrack details, and if we delete tables older than X period it will eventually match the date criteria and be deleted too. Therefore I EXEMPTED it in the MySQL statement so that it remains safe, else the conntrack table will not work.

mkdir /temp
touch /temp/
chmod +x /temp/
nano /temp/

Now paste following data, and modify accordingly

#!/usr/bin/env bash
#set -x
# Script to delete TABLES OLDER THEN X period from particular DB
# Made for syslog-ng to save disk space
# Created on: 2019
# Last Modified: 10-SEP-2021
# Syed Jahanzaib / aacable at hotmail dot com /
# CHANGE these (placeholder values, the originals are not shown in the post)
SQLUSER="CHANGE_ME"
DB="CHANGE_ME"
DAYS="CHANGE_ME MONTH"
TMPFILE="/tmp/tables_to_delete.txt"
DATE=`date +'%Y-%m-%d'`
# You can change the months to days also by
#DAYS="30 DAY" (MySQL interval units are singular: DAY, MONTH)
# Don't modify below
# Keep the MySQL password in ~/.my.cnf (mode 600) rather than passing -p on the command line
CMD="mysql -u$SQLUSER --skip-column-names -s -e"
logger "$DB Trimmer Script started $DATE , IT WILL DELETE tables from $DB older then $DAYS"
echo "syslog_ng script started $DATE , IT WILL DELETE tables from $DB older then $DAYS"
# This is one time step.
echo " Script Started @ $DATE "
# --- Now Delete old tables from $DB ...
# create_time comes back as 'YYYY-MM-DD HH:MM:SS'; awk keeps only the date part,
# which is the name of the date-wise table created on that day
$CMD "SELECT create_time FROM INFORMATION_SCHEMA.TABLES WHERE table_schema = '$DB' AND table_name NOT LIKE '%tabidx%' AND create_time < NOW() - INTERVAL $DAYS;" | awk '{print $1}' > "$TMPFILE"
# Apply Count Loop Formula
cat "$TMPFILE" | while read tables
do
TABLE_TO_DELETE=`echo $tables`
# In below CMD , I wrapped the backquote, it took an hour to sort this issue that DASH - sign is not supported in DB/table for older mysql version)
$CMD "use $DB; DROP TABLE \`$TABLE_TO_DELETE\`;"
DATE=`date +'%Y-%m-%d'`
echo "$DB TRIMMING script deleted TABLE $TABLE_TO_DELETE FROM $DB , confirm it Please. Jz"
logger "$DB TRIMMING script ENDED $DATE , $TABLE_TO_DELETE got deleted $DB , confirm it plz"
done
echo "$DB TRIMMING script ended $DATE "

You can now schedule it to run daily in night at 00:00 hours by editing CRONTAB

crontab -e

& add following entry


Save & Exit.

2# FOR SYSLOG-NG, to delete SINGLE table created 30 days before – JUNK TEST CODE

Syslog-NG generally creates tables with underscore _ sign, therefore I modified the script as per below

mkdir /temp
touch /temp/
chmod +x /temp/
nano /temp/

Now paste following data, and modify accordingly

#!/usr/bin/env bash
#set -x
# Script to delete XX days older single table from particular DB
# Made for syslog-ng to save disk space
# Syed Jahanzaib / aacable at hotmail dot com /

# CHANGE these (placeholder values, the originals are not shown in the post)
SQLUSER="CHANGE_ME"
DB="CHANGE_ME"
DAYS="30"
# Don't modify below
CMD="mysql -u$SQLUSER --skip-column-names -s -e"
DATE=`date +'%Y-%m-%d'`
DEL_TABLE=`date +'%Y_%m_%d' -d "$DAYS day ago"`
logger "syslog_ng script started $DATE , IT WILL DELETE $DEL_TABLE TABLE FROM $DB"
# This is one time step.
echo " Script Started @ $DATE "
# --- Now Delete $DEL_TABLE TABLE from $DB table ...
$CMD "use $DB; DROP TABLE \`$DEL_TABLE\`;"
DATE=`date +'%Y-%m-%d'`
logger "TABLE_TRIMMING script ENDED $DATE , $DEL_TABLE TABLE FROM $DB deleted, confirm it plz"
echo "TABLE_TRIMMING  script ENDED at $DATE , $DEL_TABLE TABLE FROM $DB deleted, confirm it Please. Jz"
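Both scripts above build a `DROP TABLE` statement from a name that is expected to be a date. The following is an added example, not the author's code: it takes a list of table names, keeps only names that are real dates in either the YYYY-MM-DD or YYYY_MM_DD form, and emits backquoted DROP statements for the ones older than the cutoff. It assumes GNU date; the function names and the sample table list are constructed.

```sh
#!/bin/sh
# Added example, not the author's script. Assumes GNU date (for -d).

# expired_tables DAYS [TODAY]
# Reads table names on stdin; prints the ones named YYYY-MM-DD or YYYY_MM_DD
# whose date is more than DAYS days before TODAY (default: current UTC date).
# Every other name (tabidx, malformed or hostile strings) is ignored.
expired_tables() {
    local days today cutoff name norm key
    days=$1
    today=${2:-$(date -u +%F)}
    case $days in
        ''|*[!0-9]*) echo "DAYS must be a whole number" >&2; return 2 ;;
    esac
    cutoff=$(date -u -d "$today $days days ago" +%Y%m%d) || return 2
    while IFS= read -r name; do
        # Allowlist: the whole name must be digits in one of the two date layouts.
        case $name in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            [0-9][0-9][0-9][0-9]_[0-9][0-9]_[0-9][0-9]) ;;
            *) continue ;;
        esac
        norm=$(printf '%s' "$name" | tr '_' '-')
        # Reject impossible dates such as 2021-02-30.
        [ "$(date -u -d "$norm" +%F 2>/dev/null)" = "$norm" ] || continue
        key=$(printf '%s' "$norm" | tr -d '-')
        if [ "$key" -lt "$cutoff" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# drop_statements: turns validated names on stdin into backquoted DROP statements.
drop_statements() {
    local t
    while IFS= read -r t; do
        printf 'DROP TABLE `%s`;\n' "$t"
    done
}

# Constructed table list, as the information_schema query might return it.
SAMPLE_TABLES='2021-07-01
2021-08-10
2021-08-11
2021-09-09
2021_06_15
tabidx
2021-02-30
2021-09-01`;--'

# With TODAY fixed at 2021-09-10 and a 30 day retention, three tables qualify.
printf '%s\n' "$SAMPLE_TABLES" | expired_tables 30 2021-09-10 | drop_statements
```

Review the printed statements before piping them into `mysql`; nothing in this example touches a database.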


July 2, 2021

Radius | Disconnect users after service change / user disable

Filed under: Mikrotik Related, Radius Manager — Syed Jahanzaib / Pinochio~:) @ 8:50 AM

Note for self

In older versions of radius manager, when the OP disables any user account or changes a user's service package, those changes don't take effect until the user disconnects/reconnects. Sometimes the user remains connected for days. Back in those days, we made a workaround by creating a mysql trigger and script combination.

Assuming you have fully functional radius working, along with root access to DB. Save this trigger.sql and import it in mysql radius DB.

Example: mysql -uroot -pMYPASS radius < trigger.sql

The following trigger watches the rm_users table, and if it finds a change in a user's disable/enable state or srvid, it adds an entry to the rm_kickuser table. Our scheduled script will pick the data from there and act accordingly …

MYSQL > kickuser_trigger

-- Host: localhost Database: radius
-- Server version 5.5.54-0ubuntu0.12.04.1
/*!40103 SET TIME_ZONE='+00:00' */;
/*!50003 SET @saved_cs_client = @@character_set_client */ ;
/*!50003 SET @saved_cs_results = @@character_set_results */ ;
/*!50003 SET @saved_col_connection = @@collation_connection */ ;
/*!50003 SET character_set_client = utf8 */ ;
/*!50003 SET character_set_results = utf8 */ ;
/*!50003 SET collation_connection = utf8_general_ci */ ;
/*!50003 SET @saved_sql_mode = @@sql_mode */ ;
/*!50003 SET sql_mode = '' */ ;
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=`root`@`localhost`*/ /*!50003 TRIGGER kickuser_trigger BEFORE UPDATE ON rm_users
FOR EACH ROW BEGIN
-- account enabled/disabled by the operator
IF NEW.enableuser <> OLD.enableuser THEN
INSERT INTO rm_kickuser (datetime, username, msg) VALUES (NOW(), new.username, new.enableuser);
END IF;
-- service package changed
IF NEW.srvid <> OLD.srvid THEN
INSERT INTO rm_kickuser (datetime, username, msg) VALUES (NOW(), new.username, new.srvid);
END IF;
END */;;
DELIMITER ;
/*!50003 SET sql_mode = @saved_sql_mode */ ;
/*!50003 SET character_set_client = @saved_cs_client */ ;
/*!50003 SET character_set_results = @saved_cs_results */ ;
/*!50003 SET collation_connection = @saved_col_connection */ ;
-- Dumping routines for database 'radius'
-- Dump completed on 2021-07-02 8:24:05

rm_kickuser TABLE

Save following & import it in radius db 

Example: mysql -uroot -pMYPASS radius < rm_kickuser_SQL_DB_Creation.sql

root@radius-zaib:/temp# cat rm_kickuser_SQL_DB_Creation.sql

-- phpMyAdmin SQL Dump
-- version
-- Host: localhost
-- Generation Time: Jun 13, 2016 at 10:32 AM
-- Server version: 5.5.46
-- PHP Version: 5.3.10-1ubuntu3.21
SET time_zone = "+00:00";
/*!40101 SET NAMES utf8 */;
-- Database: `radius`
-- --------------------------------------------------------
-- Table structure for table `rm_kickuser`
CREATE TABLE IF NOT EXISTS `rm_kickuser` (
`datetime` datetime NOT NULL,
`username` varchar(64) NOT NULL,
`msg` varchar(32) NOT NULL
);
-- Dumping data for table `rm_kickuser`


the Script !

Now create the script & schedule it to run every minute

#!/usr/bin/env bash
#set -x
# Following script is made specifically for Dmasoftlab radius manager 4.1.x
# When OP disables any user or change service, it will kick the user so that either disconnects, or his package changes on reconnect
# it requires custom trigger on rm_users table, this script will be schedule to run every minute
# Created: 25-MARCH-2019
# Tested on Ubuntu OS Only
# CHANGE these (placeholder values, the originals are not shown in the post)
SQLID="CHANGE_ME"
DB="radius"
#Table which contain main users information
USR_TABLE="rm_kickuser"
# look-back window in minutes, matches the every-minute cron schedule
MNT="1"
TEMP="/temp"
TMPUSRINFO="$TEMP/kickuser_users.txt"
KICKUSER_LIST_FILE="$TEMP/kickuser_list.log"
# Address of the Mikrotik NAS for the SSH method (placeholder, elided in the post)
MT_HOST="CHANGE_ME"
NAS_COA_PORT="3799"
currenttime=$(date +%H:%M:%S)
# Add Script start execution entry in the /var/log/syslog to see if the script got executed or not
logger "Kick Disabled/Enabled & Service Change - User poller script Started @ $currenttime by the CRON scheduler ... Powered by SYED.JAHANZAIB"
echo "- Script Start Time - $currenttime"
echo "- Checking Disabled/Enabled Users in $USR_TABLE table ..."
CMD="mysql -u$SQLID --skip-column-names -s -e"

# Checking if /temp folder is previously present or not . . .
if [ ! -d "$TEMP" ]; then
echo "- INFO: $TEMP folder not found, Creating it now to store logs ..."
mkdir $TEMP
else
echo -e "- INFO: $TEMP folder is already present to store logs."
fi

# Check if table exists
if [ $($CMD \
"select count(*) from information_schema.tables where \
table_schema='$DB' and table_name='$USR_TABLE';") -eq 1 ]; then
echo "- INFO: $USR_TABLE Table exists ..."
else
echo "- WARNING: $USR_TABLE Table does not exists ..."
exit 1
fi
# pull user record
$CMD "use $DB; select username from $USR_TABLE WHERE datetime >= NOW() - INTERVAL $MNT MINUTE;" > $TMPUSRINFO
if [ ! -s $TMPUSRINFO ]
then
endtime=$(date +%H:%M:%S)

echo "
- INFO: No User to KICK found in DMA RADIUS MANAGER TABLE '$USR_TABLE' , Sending EXIT signals ...

- Script Ends Here...
- EXITING peacefully...
- Script End Time - $endtime
"
exit 1
fi
# Apply Count Loop Formula while deleting first line which have junk text
cat $TMPUSRINFO | while read users
do
username=`echo $users | awk '{print $1}'`
# the kick table holds only the username, so the session IP is read from radacct
USER_IP=`$CMD "use $DB; select framedipaddress from radacct where username ='$username' AND acctstoptime is NULL;"`
ACCTSESID=`$CMD "use $DB; select acctsessionid from radacct where username ='$username' AND acctstoptime is NULL;"`
NAS_IP=`$CMD "use $DB; select nasipaddress from radacct where username ='$username' AND acctstoptime is NULL;"`
NAS_SECRET=`$CMD "use $DB; select secret from nas where nasname = '$NAS_IP' ;"`
if [ -z "$ACCTSESID" ]; then
echo "User Found to KICK: USER: $username , BUT USER IS NOT ONLINE, no action is required ..."
else
# Print Info on screen
echo " User Found to KICK: USER: $username , IP: $USER_IP, ID: $ACCTSESID, NAS: $NAS_IP @ $currenttime ... KICKING him now ..."
logger " User Found to KICK: USER: $username , IP: $USER_IP, ID: $ACCTSESID, NAS: $NAS_IP @ $currenttime ... KICKING him now ..."
echo " User Found to KICK: USER: $username , IP: $USER_IP, ID: $ACCTSESID, NAS: $NAS_IP @ $currenttime ... KICKING him now ..." >> $KICKUSER_LIST_FILE
#in below cmd, I am using SSH base method to kick the user because there were some issues in routing & NAS was not accepting radclient packets, you may use the radclient method which is better approach
# -n keeps ssh from reading stdin, otherwise it swallows the remaining usernames of the while loop
ssh -n -p 22 admin@$MT_HOST "/ppp active remove [find name=$username]"
#for pppoe , use below
#echo user-name=$username | radclient -x $NAS_IP:$NAS_COA_PORT disconnect $NAS_SECRET
#for hotspot, enable following line
#echo Framed-IP-Address=$USER_IP | radclient -x -c 1 $NAS_IP:$NAS_COA_PORT disconnect $NAS_SECRET
fi
done
# once done, we should delete the tmp files to clear the garbage
rm -f $TMPUSRINFO


*** Schedule the script to run every minute

crontab -e

*/1 * * * * /temp/ > /dev/null 2>&1


root@radius-zaib:/temp# ./

- Script Start Time - 08:43:58
- Checking Disabled/Enabled Users in rm_kickuser table ...
- INFO: /temp folder is already present to store logs.
- INFO: rm_kickuser Table exists ...
- INFO: No User to KICK found in DMA RADIUS MANAGER TABLE 'rm_kickuser' , Sending EXIT signals ...

- Script Ends Here...
- EXITING peacefully...
- Script End Time - 08:43:58
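The poller interpolates each username read from rm_kickuser into SQL text and into the RouterOS command sent over SSH, so a name containing quotes or brackets changes what those statements mean. The following is an added example, not the author's code, of an allowlist check applied before either string is built; the permitted character set is an assumption, and the function names and sample usernames are constructed.

```sh
#!/bin/sh
# Added example, not the author's script.

# valid_username NAME -> status 0 when NAME is 1..64 characters from A-Z a-z 0-9 . _ @ -
# 64 matches the varchar(64) username column of rm_kickuser; the character
# allowlist is an assumption, widen it only for characters you really issue.
valid_username() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# session_query NAME -> SQL text for the open-session lookup, only for valid names.
session_query() {
    valid_username "$1" || return 1
    printf "select acctsessionid from radacct where username ='%s' AND acctstoptime is NULL;\n" "$1"
}

# routeros_kick NAME -> RouterOS command, meant to be passed to ssh as ONE quoted argument.
routeros_kick() {
    valid_username "$1" || return 1
    printf '/ppp active remove [find name="%s"]\n' "$1"
}

# plan_kicks: reads usernames on stdin and prints one decision per line,
# "KICK <routeros command>" or "SKIP ..." for names that fail the check.
plan_kicks() {
    local u cmd
    while IFS= read -r u; do
        if cmd=$(routeros_kick "$u"); then
            printf 'KICK %s\n' "$cmd"
        else
            # Log the length only, never echo the rejected value into a log line.
            printf 'SKIP rejected username (%s characters)\n' "${#u}"
        fi
    done
}

# Constructed rows, as they might come back from rm_kickuser.
printf '%s\n' 'zaib' 'user.one@isp' "o'hara" 'bad"]name' | plan_kicks
```

In the poller, the check belongs at the top of the `while read` loop, before the first `$CMD` lookup for that user.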


Syed Jahanzaib

March 22, 2021

Modifying Expiration Time in Dmasoftlab Radius Manager

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 8:38 AM

This post is published as a personal reference. It describes a method by which you can modify the default user account expiration time of 00:00:00 to some other time, so that midnight disconnection can be avoided and the user gets some time in official hours to recharge their account. With traditional FREERADIUS we can modify the disconnection in the RADCHECK table, but DMA doesn’t define the expiration there and uses its own authentication module, which checks for the user expiration date in the RM_USERS table, therefore we have to make a little modification to facilitate this option.

Another option is to create TRIGGERS, so that whenever a new user is created the time is modified instantly, or the user name is added to a separate table and a predefined bash script monitors that table and acts accordingly. Lots of options can be opted.

As asked by a few network OPs who use Dmasoftlab radius manager as their billing system and perform manual recharges after collecting payment from users door to door, one of the most annoying issues is the time at which users get disconnected when their expiration limit is reached. By default, when a user is created, the time is entered in the following format

2021-03-20 00:00:00

As a result, as soon as the date changes at 00:00:00 hours, the user is disconnected from the system, which means in the middle of the night. Users start calling the OP help desk, and most of the time it is difficult to recharge accounts at midnight.

Therefore it is better to move the expiration time into official working hours, so that both user & OP have some time to recharge the accounts within office hours.

To automate this process, create a bash script & schedule it to run at 11:50 pm daily. This script will change all users expiration HOURS to your modified time.


Create TEMP folder / script file along with executable permission

mkdir /temp
touch /temp/
chmod +x /temp/
nano /temp/

& paste following contents, make sure to change MYSQL user/password & required expiration hours

#!/usr/bin/env bash
# set -x
# BASH base script to change EXPIRATION hours in DMA RADIUS Manager RM_USERS table
# to modify users expiration disconnection time so that middle night disconnection can be avoided
# You can schedule this script to run every XX minutes/hours
# example : in cron use below line , means run at 11:50pm
# 50 23 * * * /temp/
# By Syed Jahanzaib / aacable at hotmail dot com
# CREATED on : 20th-March-2021

# CHANGE these (placeholder values, the originals are not shown in the post)
SQLUSER="CHANGE_ME"
DB="radius"
CMD="mysql -u$SQLUSER --skip-column-names -s -e"
# DMA related, below is 8pm. change timings as per your requirements
NEW_EXP_TIME="20:00:00"
# R.M Table which contain users expiration information (in freeradius, we use Expiration attribute in radcheck,
# But DMA uses its own authentication module to validate users details from the rm_users table
TABLE="rm_users"
COLUMN_NAME="expiration"
# Date Related
TODAY=$(date +"%Y-%m-%d")
DATE=$(date +"%Y-%m-%d %H:%M:%S")

# Start execution
# Modify the 00:00:00 hours to suite yours local time, I have used 8pm timings as an example
# The date part of every expiration value is kept, only the time part is replaced
$CMD "use $DB; UPDATE $TABLE SET $COLUMN_NAME = DATE_FORMAT($COLUMN_NAME, '%Y-%m-%d $NEW_EXP_TIME');"

# or you can use single line code here in mysql directly or by $CMD
#UPDATE rm_users SET expiration = DATE_FORMAT(expiration, '%Y-%m-%d $NEW_EXP_TIME');"

# ECHO on screen and also LOG in /var/log/syslog (for ubuntu)
echo "DMASOFTLAB RADIUS MANAGER - User expiration HOURS now changed from $COLUMN_NAME to $NEW_EXP_TIME - Script executed successfully @ $DATE"
logger "DMASOFTLAB RADIUS MANAGER - User expiration HOURS now changed from $COLUMN_NAME to $NEW_EXP_TIME - Script executed successfully @ $DATE"
#Script Ends here

CRON Scheduler:

You can schedule it to run at 23:50 hours daily (this is the default time when the DMA expire-accounts program runs, so we set the cron schedule to modify the expiration time just before the DMA program runs) …

50 23 * * * /temp/

Syed Jahanzaib

March 5, 2021

Ubuntu Default 200GB Partition & it’s extension

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 8:53 AM

Thanks Mr. GerardBeekmans for detailed guidance.


I have created one VM guest (on esxi) & a 900GB disk is assigned to it. Ubuntu 16 server is installed with default installation options. But when I see the disk report, it shows only 200 GB of disk space

as shown below …

root@XXX-log:/temp# df -h
Filesystem Size Used Avail Use% Mounted on
udev 7.8G 0 7.8G 0% /dev
tmpfs 1.6G 900K 1.6G 1% /run
/dev/mapper/ubuntu--vg-ubuntu--lv 196G 92G 94G 50% /
tmpfs 7.9G 8.0K 7.9G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 7.9G 0 7.9G 0% /sys/fs/cgroup
/dev/sda2 976M 146M 764M 16% /boot
tmpfs 1.6G 0 1.6G 0% /run/user/0

But when I run FDISK or other tools, it shows below

root@XXX-log:/temp# fdisk -l
Disk /dev/sda: 920 GiB, 987842478080 bytes, 1929379840 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 2C824CE0-94E5-4515-B28D-8FA40983CFF5

Device Start End Sectors Size Type
/dev/sda1 2048 4095 2048 1M BIOS boot
/dev/sda2 4096 2101247 2097152 1G Linux filesystem
/dev/sda3 2101248 1929377791 1927276544 919G Linux filesystem

Disk /dev/mapper/ubuntu--vg-ubuntu--lv: 200 GiB, 214748364800 bytes, 419430400 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Ubuntu DEFAULT regular installer does it by default. It’ll provision about a 200 GB LVM based Logical Volume (LV) for use. The rest of the space is not used until you decide what to do with it (assign to the existing root and extend it, or create additional volumes later).

If you use the alternative installer you get more advanced abilities regarding partitioning and can configure this right at the start vs. making changes after installation.

It looks like your /dev/sda3 is your LVM’s physical volume. Some commands to run to check for size details:


The first command will show you the physical partition details and the volume group (vg) that is attached to it. The second command will show you the volume group details. Check for “VG Size” and “Free PE / Size”.

If the VG itself already spans the entire LVM (i.e. around that 900 GB size of your actual disk) then you can simply expand the Logical Volume named /dev/mapper/ubuntu--vg-ubuntu--lv and afterwards expand the filesystem on top of it.

If you simply want that single LV to take up the entire volume group’s space without needing to create more volumes for now, this should get the trick done:

lvresize -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv
resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv

& afterwards DF showed correct space.

root@bbi-log:~# df -h
Filesystem Size Used Avail Use% Mounted on
udev 7.8G 0 7.8G 0% /dev
tmpfs 1.6G 900K 1.6G 1% /run
/dev/mapper/ubuntu--vg-ubuntu--lv 904G 94G 771G 11% /
tmpfs 7.9G 8.0K 7.9G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 7.9G 0 7.9G 0% /sys/fs/cgroup
/dev/sda2 976M 146M 764M 16% /boot
tmpfs 1.6G 0 1.6G 0% /run/user/0

Thanks Mr. GerardBeekmans for detailed guidance.

These steps were based on default Ubuntu behaviour but your setup may be different.

Syed Jahanzaib

March 2, 2021

Bash Script for General Customizable Report via Email

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 12:37 PM

Note for MySelf:

This post contains a sample bash script which, when executed, can query various system components & send the report via email. Useful to monitor a remote server. Further functions can be added, or existing ones customized, according to the requirements. I opted for LOOP Formula to show mysql DB sizes in MB/GB using IF ELSE statements & some other fun stuff for myself as well.

The script is a bit messy & scrambled in terms of properly organized display, but it works fine. You may customize or trim it as per your taste

Feel free to use as you like …

Syed Jahanzaib

#!/usr/bin/env bash
#set -x
# Version 1.1 / 10th January, 2014
# Last Modified / 5th-MARCH-2021
# Syed Jahanzaib / Web: / Email: aacabl AT hotmail DOT com
# This script generalized & customized DISK reports and email to admin
# Adjust below DATA fields accordingly. remove / add desired tasks.
# Settings various VARIABLES for the script
# (values marked CHANGE_ME and the /tmp file names are placeholders, the originals are not shown in the post)
SQLUSER="CHANGE_ME"
EMAILMSG="/tmp/general_report.log"
ALL_DB_TEMP_LIST="/tmp/all_db_list.txt"
DB_HOLDER="/tmp/db_sizes.txt"
# Colors Config ... [[ JZ ... ]]
CREDITS="Powered by Syed Jahanzaib / 0333.3021.909 / aacable at hotmail dot com / https:// aacable . wordpress .com"
CMD="mysql -u$SQLUSER --skip-column-names -s -e"
INT_IP1=`hostname -I`
INT_IP2=`ip route get 1 | awk '{print $NF;exit}'`
# set the name and resolver to query here, the dig arguments are not shown in the post
EXT_IP=`dig +short`
DNS=$(cat /etc/resolv.conf | sed '1 d' | awk '{print $2}')
# Check OS Type
os=$(uname -o)
# Check OS Release Version and Name
OS=`uname -s`
REV=`uname -r`
MACH=`uname -m`
# helper kept inside a function: called with a release file as $1
GetVersionFromFile()
{
VERSION=`cat $1 | tr "\n" ' ' | sed s/.*VERSION.*=\ // `
}
if [ "${OS}" = "SunOS" ] ; then
ARCH=`uname -p`
OSSTR="${OS} ${REV}(${ARCH} `uname -v`)"
elif [ "${OS}" = "AIX" ] ; then
OSSTR="${OS} `oslevel` (`oslevel -r`)"
elif [ "${OS}" = "Linux" ] ; then
KERNEL=`uname -r`
if [ -f /etc/redhat-release ] ; then
PSUEDONAME=`cat /etc/redhat-release | sed s/.*\(// | sed s/\)//`
REV=`cat /etc/redhat-release | sed s/.*release\ // | sed s/\ .*//`
elif [ -f /etc/SuSE-release ] ; then
DIST=`cat /etc/SuSE-release | tr "\n" ' '| sed s/VERSION.*//`
REV=`cat /etc/SuSE-release | tr "\n" ' ' | sed s/.*=\ //`
elif [ -f /etc/mandrake-release ] ; then
PSUEDONAME=`cat /etc/mandrake-release | sed s/.*\(// | sed s/\)//`
REV=`cat /etc/mandrake-release | sed s/.*release\ // | sed s/\ .*//`
elif [ -f /etc/os-release ]; then
DIST=`awk -F "PRETTY_NAME=" '{print $2}' /etc/os-release | tr -d '\n"'`
elif [ -f /etc/debian_version ] ; then
DIST="Debian `cat /etc/debian_version`"
fi
if [ -f /etc/UnitedLinux-release ] ; then
DIST="${DIST}[`cat /etc/UnitedLinux-release | tr "\n" ' ' | sed s/VERSION.*//`]"
fi
OSSTR="${OS} ${DIST} ${REV}(${PSUEDONAME} ${KERNEL} ${MACH})"
fi
# Check Architecture
architecture=$(uname -m)
# Check Kernel Release
kernelrelease=$(uname -r)
set $(date)
time=`date |awk '{print $4}'`
DT=`date +%d.%b.%Y_time_%H.%M`
DATE=$(date +%Y-%m-%d)
DT_HMS=$(date +'%H:%M:%S')
TODAY=$(date +"%Y-%m-%d")
TODAYYMD=`date +"%d-%b-%Y"`
#Get ip which have default route
logger "General report has been started @ $DATE / $DT_HMS"
# Check FREERADIUS online sessions
#SESSIONS=`$CMD "use radius; SELECT username FROM $SQL_ACCOUNTING_TABLE WHERE acctstoptime IS NULL;" |wc -l`
# Adding OS level Details in email message
# modify below disk name we want to monitor, make sure to change this
DISK="/"
DISKTOT=`df -h $DISK |awk '{print $2}'| sed -n 2p`
DISKUSED=`df -h $DISK |awk '{print $3}'| sed -n 2p`
DISKAVA=`df -h $DISK |awk '{print $4}'| sed -n 2p`
DISKUSEPER=`df -h $DISK |awk '{print $5}'| sed -n 2p`
MEMTOT=`free -m |awk '{print $2}'| sed -n 2p`
MEMUSED=`free -m |awk '{print $3}'| sed -n 2p`
MEMAVA=`free -m |awk '{print $4}'| sed -n 2p`
MEMUSEDPER=`free -m | grep Mem | awk '{print $3/$2 * 100.0}'`
MEMAVAPER=`free -m | grep Mem | awk '{print $4/$2 * 100.0}'`
#GMAIL Details
SMTP="smtp.gmail.com:587"
TO1="CHANGE_ME"
GMAILID="CHANGE_ME"
GMAILPASS="CHANGE_ME"
#Collect all data in file
echo "
General Report for $HOSTNAME - $INT_IP1 - $EXT_IP


Operating System Type $os
Architecture : $architecture
Kernel Release : $kernelrelease
" > $EMAILMSG

# Fetch ALL DB's & calculate there sizes and convert sizes in MB/GB
$CMD "show databases;" > $ALL_DB_TEMP_LIST
# start with an empty holder file on every run
> $DB_HOLDER
cat $ALL_DB_TEMP_LIST | while read database
do
DB=`echo $database | awk '{print $1}'`
MYSQLDBSIZE=`$CMD "SELECT table_schema '$DB', sum(data_length + index_length)/1024/1024 FROM information_schema.TABLES WHERE table_schema='$DB' GROUP BY table_schema;" | cut -f1 -d"." | sed 's/[^0-9]*//g'`
# a database without tables returns nothing, treat it as 0 MB
MYSQLDBSIZE=${MYSQLDBSIZE:-0}
if [ "$MYSQLDBSIZE" -ge 1024 ]; then
MYSQLDBSIZE_FINAL=`echo "scale=2; $MYSQLDBSIZE/1024" |bc -l`
echo "$DB / $MYSQLDBSIZE_FINAL GB" | column -t >> $DB_HOLDER
else
MYSQLDBSIZE_FINAL=`echo "scale=2; $MYSQLDBSIZE" |bc -l`
echo "$DB / $MYSQLDBSIZE_FINAL MB" | column -t >> $DB_HOLDER
fi
done
cat $DB_HOLDER | column -t >> $EMAILMSG
echo "
Disk Details:
" >> $EMAILMSG
df -h |grep sda2 | column -t >> $EMAILMSG
echo "

Total_RAM_Used = $MEMUSED MB
Total_RAM_Available = $MEMAVA MB
Total_RAM_Used_Percent = $MEMUSEDPER %
Total_RAM_Available_Percent = $MEMAVAPER %
" > /tmp/temp_memory_report.log

cat /tmp/temp_memory_report.log | column -t >> $EMAILMSG

echo "
$CREDITS
" >> $EMAILMSG
# Print Fetched Information on Screen , for info to see
cat $EMAILMSG
# EMAIL SECTION ##############
# Make sure you install sendEMAIL tool and test it properly before using email section.
#SEND EMAIL Alert As well using sendEMAIL tool using GMAIL ADDRESS.
# If you want to send email , use below ...
echo " - Sending SMS/EMAIL info ..."
#curl "http://$KHOST/cgi-bin/sendsms?username=$KID&password=$KPASS&to=$CELL2+$CELL3+$CELL4" -G --data-urlencode text@$SMSMSG
# -xp puts the password on the command line, where it is visible in the process list while sendemail runs
sendemail -u "$HOSTNAME - $EXT_IP - General Report- $DATE " -o tls=yes -s $SMTP -t $TO1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$EMAILMSG -o message-content-type=text
# log entry in /var/log/syslog
logger "General Report have been end @ $DATE / $DT_HMS"

Make sure to install BC to calculate size

apt-get -y install bc

Sample snapshot for Email Reporting !

Howto install ‘sendemail’ tool to send email via Gmail ID.

Tested and working very well on UBUNTU 12.x, may work on other Ubuntu versions too

Quick copy paste …

apt-get -y install libio-socket-ssl-perl libnet-ssleay-perl perl
apt-get -y install sendemail


February 28, 2021

netElastic vBNG

Pending Post …

For Mikrotik base ISP’s

As most small scale ISP’s are using mikrotik, which itself is very user friendly & easy to manage even for a beginner admin, it also provides a greater level of control/visibility/tracing. But it maxes out on 2000-3000 users (CCR series). Probably Mikrotik is not aimed at the enterprise/large level market in terms of features & scalability. I have read that BNG is written from scratch, therefore its scalability is far better. Maybe in coming time the principal will add good visibility in upcoming BNG versions, because visibility & controlling is not very good at vBNG. So far, as per customer reviews, BNG has outclassed mikrotik routers in terms of scalability/CPU resource control. In general, Mikrotik routers can support 2000-3000 ppp sessions with hurdles, whereas vBNG can support up to 128k sessions (depends on the model & hardware/clustering). Best part of BNG is user modular base pricing.

VBNG is costlier than Mikrotik but cheaper than other big name brands! It’s worth trying …

What is vBNG

(vBNG) is a high-performance (3rd party proprietary) software (or hardware appliance) router that can run on any server system from any x86 vendor. vBNG supports all common features such as PPPoE and IPoE, subscriber traffic policing and shaping, and CG-NAT. Full routing protocol support includes MPLS, OSPF, BGP, and others.

netElastic vBNG has two main components, the Control Plane (CP) and the Data Plane (DP).
The Data Plane moves packets in and out, applying QoS and other policies along the way. Its sizing is based on how much bandwidth is needed and uses CPU Cores, network interfaces, and RAM.
The Control Plane communicates with management tools, manages policies, establishes and updates routing tables for the Data Plane, handles AAA and most other functions that aren’t involved with actual packet forwarding. The Control Plane sizing is generally based on the complexity of the use case and number of subscribers expected on the vBNG.

Deployment Options

vBNG can be deployed in several different manners described below.

Host Mode on Bare Metal – Entire vBNG running directly on a server. This is the most common option and uses the least amount of resources, avoiding virtualization layer overhead.
Host Mode in a Virtual Machine – Entire vBNG running in one VM. This is a good option for smaller vBNGs going into environments with existing virtualization capabilities and eliminates the need for a dedicated server


Click on following document link for further elaboration

VBNG Server and VM Sizing for vBNG

vBNG Single Box Test Results:

Server Hardware specs:

  • Dell R730
    64 GB RAM
    12 Cores processor x 2 @ approx 2.4 GHz
    500 GB x 2 HDD (Raid 1)
    2 ports x 2 Ten Gigabit Fibre Network Cards (Bonding 2 Port WAN, 2 Port LAN)

Server Software specs:

  • Centos 7.x on bare metal
    On TOP of centos, virtual machine is created for vBNG

On 2500+ active pppoe users , CPU utilization ratio was under 5%.




vBNG Models/Packages:

Look for following URL to see the feature comparison,

BNG Packages

Case Study:

Harbour Isp Case Study:

Click to access Harbour-ISP-Case-Study.pdf

Adding vBNG DICTIONARY in Freeradius

To add additional/3rd party dictionaries in freeradius, first copy the dictionary file into the /usr/share/freeradius folder.

Then edit the main dictionary file, /usr/share/freeradius/dictionary

nano /usr/share/freeradius/dictionary

& add the dictionary file location in the end of this file

Example File:

#### ZAIB #### 15-FEB-2021
#### Add VBNG NETELASTIC support in Freeradius as well
$INCLUDE dictionary.netelastic-2019q3

Save the file & exit the editor. Now Reload the freeradius service

service freeradius reload
service freeradius restart

Freeradius Attributes for vBNG

You can use the following attribute to assign a profile on vBNG. The profile, for example 1Mbprofile, must be configured on the vBNG first.

FR3 attribute:

Attribute: NetElastic-Qos-Profile-Name  | Op := | Value 1Mbprofile

Disconnect user on vBNG via Freeradius RADCLIENT

# Send DISCONNECT REQUEST TO NAS FOR SPECIFIC USERS, Modify the parameters as per your local config
echo user-name=USERNAME | radclient -x disconnect SECRET

& in return you should get

Received Disconnect-ACK Id 168 from 192.168.x.x:3799 to 192.168.x.x:43014 length 20

vBNG manuals

vBNG manuals / info & dictionary files are available at my gdrive, @ following link


SALES Inquiries …

For Global:

For Pakistan region, following reseller can be contacted @ [you may refer this blog]





Syed Jahanzaib

January 21, 2021

Possibilities: Mikrotik PPP Disconnection/Yellow Sign Problems

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 9:58 AM

Disclaimer! This is important!

Every network is different, so one solution cannot fit/be applied to all. Therefore try to understand the logic & create/modify the solution as per your network scenario. Do not follow copy paste blindly.

My humble request is that you kindly do not consider me an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read, research & try stuff all of the time. So I am not speaking/posting about stuff I am formally trained in, I pretty much go with experience and what I have learned on my own. And, if I don’t know something then I read & learn all about it.

So, please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to share tips that worked for me.

Tips posted here are based on personal experiences which I faced/sorted at various networks locally/internationally. It is requested to kindly contribute your valuable experience & any tips to help others.
Sharing is Caring …

Syed Jahanzaib~

PPP Common Problems

For some time we have been getting the following complaints from a few ISPs:

  • A few websites (like banking) not opening if the user is connected via PPPoE only
  • User PPPoE dial stuck, not able to reach the Mikrotik PPPoE server
  • User PPPoE connectivity frequently/intermittently disconnecting/terminating
  • User PPPoE dialer is connected but there is a yellow mark at the user device/workstation, no internet


Try to diagnose the issue step by step using the tips below

  1. If a few websites are not working for PPPoE clients only, try adding the following rule & test
    /ip firewall mangle
    add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
  2. Mikrotik RouterOS firmware versions play a very important role in stability in various segments. Try the LONG-TERM release. Sometimes upgrading/downgrading rectifies issues without modifying any configuration. Read the Mikrotik forums to see if other users are having similar issues on a particular version.
  3. Cheap WiFi routers at the client end, for example TPLINK/TENDA, are a headache to manage. Most of the older models have bugs affecting security & stability. Always make sure that you don't use buggy router brands, and always upgrade the firmware to the latest. This mostly rectifies many issues.
  4. On a busy network, always use your local DNS (it must be reachable with or without the PPPoE dialer as well, via inter-VLAN routing). Uncheck "allow remote requests" on the Mikrotik. In the PPPoE profile, use the local DNS as primary and Google DNS as secondary. In a few networks this sorted the YELLOW ICON sign.
  5. Pay attention to the Mikrotik CPU. If you have a high number of users on a single Tik, OR if you have CONNTRACK/NATTING enabled, then disconnection of PPPoE users can cause CPU spikes, resulting in the Tik freezing for a minute, or it can cause other users to disconnect due to the CPU not responding in time, resulting in looping as well. Use a separate router for NATting. If you have a high number of PPP users along with some NAT rules, stop using masquerade on the same router that has a lot of dynamic interfaces. DO NOT use NAT on any router that has a high number of connecting/disconnecting interfaces, like PPPoE/VPN. Place an additional router connected to your PPPoE NAS, and route NAT traffic there. Make sure to disable CONNECTION TRACKING on the PPPoE NAS router. As a rule of thumb, to divide load (& as a failover), if you are using a ccr1036, add another ccr1036 after every 1200-1500 users.
  6. Adding your local DNS & assigning it to the user profile as the primary DNS sorted the yellow sign problems on some users' WiFi routers.
  7. PPP is sensitive to high delays and network timeouts. Make sure you don't have layer 2 level broadcasts/delays.
  8. If you have a Cisco switch with VLANs, set STP/RSTP to none on the switch TRUNK [*** This sorted the PPP disconnection at a few networks]
  9. If you have Cisco switches with VLANs, do not allow all VLANs on TRUNK ports; allow only limited/designated VLANs on the TRUNK port [*** This sorted dialup stuck issues at a few networks]
  10. Changing the MTU [sometimes it sorts issues related to websites & a few apps, for example WhatsApp, Telegram, etc.]
  11. Try to disable Encryption/Compression on the PPPoE profile, choosing only (pap) for the PPPoE server [This sorts some old freeradius related issues]
  12. Disable RSTP on all ports/VLANs [Test with caution, on a temporary basis only, just to confirm if it is the related issue]
  13. Disable LOOP protection in the Mikrotik port settings [Test with caution, on a temporary basis only]
  14. Do not disable ICMP. Some user-end routers check ICMP reachability to detect internet access. It is quite bad when operators think that ICMP is dangerous and has to be blocked. Make sure you are not blocking all ICMP traffic; fine-tune it to allow at least certain types of ICMP packets. However, when someone further upstream blocks it, you will still have problems.
  15. Do not disable the NTP protocol [it is used by many devices, like Android devices, Android TVs, gaming devices, etc.]

Part 3/4 Annexure Example: [Test it with caution or preferably in LAB tests]

no spanning-tree vlan 1-1014
interface GigabitEthernet2/0/1
description Trunk-LAN-2-Mikrotik
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-16,99
switchport mode trunk
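
For tip 14 above, an added RouterOS example (not from the original post) of allowing the ICMP types that client routers and path-MTU discovery depend on while dropping the rest. The chain name icmp-allow and the selection of types are assumptions to adapt to your network; the commented-out rule is the blanket drop the tip warns against.

```routeros
# Added example, not part of the original post. "icmp-allow" is an arbitrary chain name.
# The blanket rule tip 14 warns against (breaks CPE reachability checks and PMTUD):
#   /ip firewall filter add chain=forward protocol=icmp action=drop

/ip firewall filter
# Route all forwarded and router-bound ICMP through one dedicated chain.
# Rules are appended to the end of the filter table, so move the two jump rules
# above any existing rule that already drops ICMP.
add chain=forward protocol=icmp action=jump jump-target=icmp-allow comment="ICMP policy (forward)"
add chain=input protocol=icmp action=jump jump-target=icmp-allow comment="ICMP policy (input)"

# Reachability checks used by user-end routers to detect internet access
add chain=icmp-allow protocol=icmp icmp-options=8:0 action=accept comment="echo request"
add chain=icmp-allow protocol=icmp icmp-options=0:0 action=accept comment="echo reply"

# Error signalling that hosts need to recover from path problems
add chain=icmp-allow protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp-allow protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp-allow protocol=icmp icmp-options=3:3 action=accept comment="port unreachable"
# Type 3 code 4 carries path-MTU discovery; the change-mss rule in tip 1 only covers TCP
add chain=icmp-allow protocol=icmp icmp-options=3:4 action=accept comment="fragmentation needed (PMTUD)"
add chain=icmp-allow protocol=icmp icmp-options=11:0 action=accept comment="TTL exceeded (traceroute)"
add chain=icmp-allow protocol=icmp icmp-options=12:0 action=accept comment="parameter problem"

# Everything else (redirects, timestamp, address-mask, ...) is dropped
add chain=icmp-allow action=drop comment="drop all other ICMP types"
```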

Personal Opinion!

Well TBH, Mikrotik is a cheap/affordable solution & overall Mikrotik is excellent for core routing too, BUT it's not made for large-scale PPP NATting. Mikrotik is not an enterprise-grade solution with reference to a PPPoE concentrator. It has its architectural limitations. As a rule of thumb/in general, we suggest that after crossing 1200-1400 PPP users (& max 2Gb of traffic), just add another Mikrotik (ccr1036 or likewise) & so on. I know a few ISPs locally who used Mikrotik routers just to start up their journey in the SP business but later moved to more mature products like Cisco/Juniper/vBNG. One ISP in particular is using 10-12 Mikrotiks to cater for a 15k user load (in routing mode only, no NATting). With NATting the situation gets worse when PPP users disconnect in large quantity, resulting in CPU hiking/freezing and creating nightmares for admins.

If you have thousands of users, then you are in serious business; go with *Huawei/Juniper/Cisco* (which are much more mature but comparatively costly products) & as an alternative, you may look at *VBNG*, which has pay-as-you-go modules.

Syed Jahanzaib

January 19, 2021

January 11, 2021

Cisco 10G Switch & Lenovo SFP Module Compatibility issue

Filed under: Cisco Related — Tags: , , , , — Syed Jahanzaib / Pinochio~:) @ 11:46 AM

Recently we acquired a Cisco 10G SFP+ switch to be added to an existing stack. We tried to connect a Lenovo ThinkSystem SR650 (P.No: 7X06CTO1WW) server, using Lenovo-provided SFP+ modules (P.No 46C3447), to the 10G Cisco switch (WS-C3850-24XS-S) via MM fiber cable. Upon SFP+ module insertion at both ends (server to switch), the port gets shut down as err-disabled, with the following error in the switch logs:

010834: Jan 4 09:43:44: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port Te1/0/7 has bad crc
010836: Jan 4 09:43:44: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/0/7, putting Te1/0/7 in err-disable state

and on VMware ESXi, it showed *DISCONNECTED*.

Following were the technical details:


  • ThinkSystem SR650 (P.No: 7X06CTO1WW )
  • 10g NIC: Emulex VFA5.2 2×10 GbE SFP+ PCIe Adapter (P.No: AT7S )
  • 10g SFP+ Module: Lenovo SFP 10gbase-sr Fiber Optic Transceiver Module (P.No 46C3447 / )


  • Switch model: Cisco 10G SFP+ switch (P.No: WS-C3850-24XS-S)
  • Cisco switch 10GBASE fiber optic SFP 10G transceiver module: Cisco SFP-10G-SR (Part No: 10-2415-03)
  • Vivanco optical fiber patch cord: LC-LC MM DUPLEX OM3 10M


After searching here & there, I found that we have to disable the SFP compatibility check on the switch using the commands below.

Add these two commands to the switch:

Switch(config)# service unsupported-transceiver
— you will get a warning message here—
Switch(config)# no errdisable detect cause gbic-invalid

Afterwards, shut/no shut the switch interface, then plug the Lenovo cable back in, & the connectivity got OK. (Make sure to WRITE the config on the switch so that it stays permanent.)

Note: Any time non-Cisco optics are going to be plugged in to a Cisco switch it’s worth adding these commands.

Syed Jahanzaib
