Syed Jahanzaib Personal Blog to Share Knowledge !

May 12, 2019

Facilitate CDN traffic with Mikrotik

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 12:49 PM


Control / Facilitate CDN traffic with

~ Mikrotik Router ~

First some DRY theory !

CDNs replicate content in multiple places. There’s a better chance of content being closer to the user, with fewer hops, and content will run over a more friendly network. The general idea of a CDN is to deliver content as fast as possible to the user without compromising the user’s experience. Usually, a CDN has servers in locations around the globe, called Points of Presence (PoPs). These PoPs store data as cache. When a user requests a website, the nearest PoP handles the request using its stored cache.

The BIG players such as Google, in order to enhance user experience, have tried to get as close to the user as possible by peering directly with regional service providers and delivering content through CDN (Content Delivery Network) providers. Google has its own CDN, branded as a service called Google Global Cache (GGC).

Nowadays all the major ISPs have a CDN facility, which tremendously helps them reduce the burden on their internet feed. Without a CDN, the cost of real internet bandwidth would be a heavy burden for any OP. With a CDN, users get a better video streaming experience.

I know a few ISPs here in Karachi (& one in particular that originated from the Gulshan area) which rely totally on CDN (more than 50-60% of their internet data is routed via CDN). I have used one of them; their real internet speed is pathetic, but if you browse YT/FB they work excellently.


Our upstream ISP has a CDN server installed in their data center & traffic going to the CDN has no limit. But we want to control the traffic as follows:

Bandwidth break-up for 1 Mb package users …

  • 1mb internet bandwidth
  • 1mb CDN bandwidth

So if a user is surfing the internet he will get the full 1mb internet speed, & if he uses traffic going to the YOUTUBE CDN, he will get another 1mb (additional).
Virtually he will get 2mb in total.

Using Mikrotik, we can achieve this task with Firewall Mangle & Queue Tree. The same can be done with Mangle & PCQ-based simple queues too. It’s a debatable topic which one to use, & depending on the selection the mangle marking method changes as well.

Every network is different, so one configuration cannot fit all. The number of users & the traffic volume play a vital role in selecting the marking / queue type to use.

Choose the marking/queue type wisely to save your Mikrotik CPU from becoming Mr. SPIKY 🙂 YKWIM 😀

Disclaimer: This is just an example for sharing purposes ONLY & yes there are many other methods and tuning techniques you can adopt to make this process much more efficient.

Script !

# CDN PACKET MARKING SCRIPT using Mangle/Queue.Tree
# By Syed.Jahanzaib
# Email: aacableAThotmailDOTcom
# https://aacableDOTwordpressDOTcom
# March 2019
# Address list name which is created dynamically by radius or you can go with manual method too
# This is important ... it can be done by varieties of ways, select one that matches your network design

#Create Address List which will contain CDN server's IP addresses
/ip firewall address-list
add address= list=cdn_list
add address= list=cdn_list

# Copy paste following rules & make sure to move these MANGLE rules to TOP position,
# so that they can be applied before any other rule, (for cdn)

/ip firewall mangle
add action=mark-packet chain=postrouting dst-address-list=cdn_list new-packet-mark=cdn_1mb_up passthrough=no src-address-list=1Mb
add action=mark-packet chain=postrouting dst-address-list=1Mb new-packet-mark=cdn_1mb_down passthrough=no src-address-list=cdn_list

add action=mark-packet chain=postrouting dst-address-list=cdn_list new-packet-mark=cdn_2mb_up passthrough=no src-address-list=2Mb
add action=mark-packet chain=postrouting dst-address-list=2Mb new-packet-mark=cdn_2mb_down passthrough=no src-address-list=cdn_list

# Define Queue Type & limitation that we want to provide to each package
/queue type
add kind=pcq name=1mb-cdn-download pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64 pcq-total-limit=1024KiB
add kind=pcq name=1mb-cdn-upload pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64 pcq-total-limit=1024KiB

add kind=pcq name=2mb-cdn-download pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=2048k pcq-src-address6-mask=64 pcq-total-limit=2048KiB
add kind=pcq name=2mb-cdn-upload pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=2048k pcq-src-address6-mask=64 pcq-total-limit=2048KiB

# Add Queue/Speed Limitation using above Queue Types to firewall mangled/marked packets

/queue tree
add name="CDN - 1mb - upload" packet-mark=cdn_1mb_up parent=global priority=1 queue=1mb-cdn-upload
add name="CDN - 1mb - download" packet-mark=cdn_1mb_down parent=global priority=1 queue=1mb-cdn-download

add name="CDN - 2mb - upload" packet-mark=cdn_2mb_up parent=global priority=1 queue=2mb-cdn-upload
add name="CDN - 2mb - download" packet-mark=cdn_2mb_down parent=global priority=1 queue=2mb-cdn-download

# Script Ends Here.

1mb users CDN usage Graph.


As shown in the above example image, 1mb users are using 227 mb of CDN (YT) bandwidth (it was off-peak time with fewer users; at peak, traffic reaches into Gb’s) & the real internet bandwidth is free or available for other tasks/users, thus providing relief to the real internet bandwidth pipe.

Syed Jahanzaib


April 22, 2019

MySql Database Recovery from Raw Files

Filed under: Linux Related, Radius Manager — Syed Jahanzaib / Pinochio~:) @ 2:31 PM

Disclaimer: This worked in one particular case. It may or may not work for everyone.


OS: Ubuntu 12.4 Server Edition / x86

MYSQL: Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (i686) using readline 6.2

The OP was running radius for AAA. The disk became faulty for unknown reasons and the system could not boot from it. There was no database backup [real example of bad practice], so restoring from a mysqldump to a new system was not an option!


We need to restore the database using the mysql raw files. Luckily the faulty disk could be attached to another system & we were able to copy the core /var/lib/mysql/ folder (along with all sub folders in it).

Quick & Dirty Restoration Steps !

[Requires a good level of Linux / DB knowledge]

  • Set up a test SANDBOX: install the same level of OS along with MYSQL on a new system/disk. Create databases / tables as required. Verify all is working by logging in to mysql
  • Stop the MYSQL service.
  • Copy the folder /var/lib/mysql [copied from the faulty disk] to this new box under /var/lib/mysql/
  • Set the permissions on the newly copied files/folders
    chown mysql -R /var/lib/mysql/

After this point, try to start the MYSQL service. IF it starts successfully & you can see your DATA, then skip the steps below, ELSE continue through them …

  • Edit /etc/mysql/my.cnf & add the following line under the [mysqld] section
    innodb_force_recovery = 6
  • Start the MYSQL service & it will start in Safe Mode with limited working support. Verify that you are able to log in to the MYSQL service with
    mysql -uroot -pPASS
  • If the above step works, export the database backup using the mysqldump cmd, e.g.:
    mysqldump -uroot -pSQLPASS   radius  >  radius_db_dump_.sql
  • Once done, open the file in nano or any other text editor & verify that it contains the required data.

Now copy radius_db_dump_.sql to a safe location & you know what to do next 🙂

  • Import this mysqldump file into your working radius system !
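An export taken from a damaged data directory can stop part-way, so the dump is worth checking mechanically as well as by eye before it is imported. The script below is an added example, not part of the original post: the function names, the table list and the sample dump are constructed for illustration, and it assumes mysqldump ran with its default comments enabled.

```shell
#!/bin/sh
# Added example: sanity-check a mysqldump file before trusting it as the
# recovered copy of the radius database. Names here are illustrative.

# check_dump FILE TABLE...
# Prints one line per finding; returns 0 only if no check fails.
check_dump() {
    dump=$1; shift
    rc=0
    if [ ! -s "$dump" ]; then
        echo "FAIL: $dump is missing or empty"
        return 1
    fi
    # mysqldump writes this trailer only after the last table was exported.
    if tail -n 5 "$dump" | grep -q '^-- Dump completed'; then
        echo "OK: completion trailer present"
    else
        echo "FAIL: no '-- Dump completed' trailer (export was cut short)"
        rc=1
    fi
    for t in "$@"; do
        if ! grep -q "^CREATE TABLE \`$t\`" "$dump"; then
            echo "FAIL: table $t has no CREATE TABLE statement"
            rc=1
        elif ! grep -q "^INSERT INTO \`$t\`" "$dump"; then
            # An empty table can be legitimate, so this is only a warning.
            echo "WARN: table $t has no rows in the dump"
        else
            n=$(grep -c "^INSERT INTO \`$t\`" "$dump")
            echo "OK: table $t, $n INSERT statement(s)"
        fi
    done
    return $rc
}

# Constructed sample data: a tiny file in mysqldump's layout. With mode
# "truncated" it stops inside radacct, as after an export that died early.
write_sample_dump() {
    {
        printf '%s\n' '-- constructed sample, not a real dump'
        printf '%s\n' 'CREATE TABLE `radcheck` ('
        printf '%s\n' '  `id` int(11) NOT NULL'
        printf '%s\n' ');'
        printf '%s\n' "INSERT INTO \`radcheck\` VALUES (1,'zaib','Cleartext-Password',':=','zaib');"
        printf '%s\n' 'CREATE TABLE `radacct` ('
        printf '%s\n' '  `radacctid` bigint(21) NOT NULL'
        printf '%s\n' ');'
        if [ "$2" != truncated ]; then
            printf '%s\n' "INSERT INTO \`radacct\` VALUES (1,'81d00057','zaib');"
            printf '%s\n' '-- Dump completed on 2019-04-22 14:31:00'
        fi
    } > "$1"
}

# Demo run on the constructed files.
tmp=$(mktemp -d)
write_sample_dump "$tmp/good.sql" complete
write_sample_dump "$tmp/cut.sql" truncated
check_dump "$tmp/good.sql" radcheck radacct
check_dump "$tmp/cut.sql" radcheck radacct || echo "=> do not import cut.sql"
rm -rf "$tmp"
```

On the real file, pass the tables you expect to find, for example check_dump radius_db_dump_.sql radcheck radacct.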



Make sure you have a multistage backup strategy in place for any mission critical server.

For example, for a mysql database you can do the following

  • If your server is a VM, then VEEAM B&R will be your best friend & guardian, go for it
  • 1st Stage Backup: [Highly recommended for live replication]
    Ideally, you should have at least 2 replica servers & configure either Master-Master or Master-Slave replication
  • 2nd Stage backup:
    Create bash scripts to export a DB backup to a local folder on a daily basis [or hourly basis if required]
  • 3rd Stage backup:
    Attach an external USB disk to the server, and in your backup script add this usb disk as an additional backup repository
  • 4th Stage backup:
    Configure DROPBOX and add it as an additional backup repository
  • 5th Stage backup:
    The admin should manually copy the backup folders to his desktop, so that if all other backups fail, this copy comes in handy.

Syed Jahanzaib




April 11, 2019

Vcenter 6.5: Cannot complete operation due to concurrent modification by another operation

Filed under: VMware Related — Syed Jahanzaib / Pinochio~:) @ 9:39 AM


We have a few ESXI machines managed by Vcenter (all on the same 6.5 version). Today when we tried to upgrade compatibility on one VM guest using Vcenter, it gave the following error.

Cannot complete operation due to concurrent modification by another operation

After some troubleshooting, it came to my knowledge that there was a pending snapshot made by the Veeam B&R software that was causing the issue. After removal of this snapshot, the compatibility upgrade worked fine, & later we moved this VM from one esxi to another due to resource strains.


Vcenter error and snapshot removal solved it


In another encounter, whenever we tried to edit the guest VM settings, it gave the error “Invalid configuration for device ‘1’.” For this particular case we simply removed the affected guest VM from the inventory & re-added it, and the problem got solved.

April 5, 2019

Mikrotik with Freeradius/mySQL # Part-22 – Create Dynamic Address List using Mikrotik-Address-List Attribute

Filed under: freeradius, Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 12:28 PM


Disclaimer! This is important!

Every network is different, so one solution cannot be applied to all. Therefore try to understand the logic & create your own solution as per your network scenario. Don’t just copy-paste.

If anybody here thinks I am an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read, research & try stuff all of the time. So I am not speaking/posting about stuff I am formally trained in, I pretty much go with experience and what I have learned on my own. And, if I don’t know something then I read & learn all about it.

So, please don’t hold me/my postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and always try to help others.

Syed Jahanzaib~


  • We have FREERADIUS installed as an AAA system on an Ubuntu 16.04 server
  • Mikrotik version 6.44 is acting as PPPoE NAS connected with radius for AAA


When any user connects to our NAS, he should be added to a mikrotik dynamic address list under IP > firewall > address list, so that we can use this address list for different tasks, for example to mark connections/packets/routing and use the marks in the Queues / Routes sections, or to perform different sorts of filtering as required.

In this particular task we dynamically add the user to a particular address list using radius attributes. Packets are then marked based on this address list, and in Queues we use these marked packets for different bandwidth policies. For example, for normal internet we will limit 1mb per user, and for CDN traffic we will add an additional 2mb for YT & FB [and vice versa for different packages accordingly].



We will use the Mikrotik-Address-List attribute in the radgroupreply section, as shown here.

1# Adding User entry in RADCHECK table so user can authenticate …

mysql> select * from radcheck;
| id | username | attribute | op | value |
| 1 | zaib | Cleartext-Password | := | zaib |
1 rows in set (0.01 sec)

2# Adding a Radius Group Reply for the 1mb group. For example, users of the 1mb group will get a 1mb dynamic queue, plus they will be added dynamically to the address list named 1mb

mysql> select * from radgroupreply;
| id | groupname | attribute | op | value |
| 21 | 1mb | Mikrotik-Rate-Limit | == | 1024k/1024k |
| 22 | 1mb | Mikrotik-Address-List | := | 1mb |
2 rows in set (0.00 sec)

3# Adding username ZAIB to the Radius user group & assigning him the 1mb group.


mysql> select * from radusergroup;
| id | username | groupname | priority |
| 5 | zaib | 1mb | 1 |
1 row in set (0.00 sec)


Now we will test user via RADTEST cmd …

radtest zaib zaib localhost 1812 testing123


Sending Access-Request of id 130 to port 1812
User-Name = "zaib"
User-Password = "zaib"
NAS-IP-Address =
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host port 1812, id=130, length=50

Mikrotik-Rate-Limit = "1024k/1024k"
Mikrotik-Address-List = "1mb"

Freeradius Debug Result:

Sending Access-Accept of id 156 to port 34563
Mikrotik-Rate-Limit == "1024k/1024k"
Mikrotik-Address-List := "1mb"
Finished request 32.

Now try to connect from your user device; upon connection you will see a new address list entry for this user’s IP ..

& its 1mb queue has been created as well

# Mikrotik Mangling & Queueing Section !

Now we will move on to the Mikrotik configuration for mangling & queueing. In the steps above we added a DYNAMIC queue for test purposes; as we will be using simple queues, we need to remove the dynamic queue. Do so, then we will move further …

  • Marking upload & download separately for 1mb user address list …

/ip firewall mangle
add action=mark-packet chain=forward comment="1mb users UPLOAD" new-packet-mark=1mb_users_up src-address-list=1mb passthrough=no
add action=mark-packet chain=forward comment="1mb users DOWNLOAD" dst-address-list=1mb new-packet-mark=1mb_users_down passthrough=no

  • Creating PCQ-based 1mb download/upload queue types …

/queue type
add kind=pcq name=download-1mb pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64
add kind=pcq name=upload-1mb pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64

  • Creating PCQ-based simple queues to actually limit each user to 1mb download/upload …

/queue simple
# both simple queues use the 1mb PCQ queue types created above
add name="1mb user DOWN - PCQ" packet-marks=1mb_users_down queue=upload-1mb/download-1mb target=""
add name="1mb user UP - PCQ" packet-marks=1mb_users_up queue=upload-1mb/download-1mb target=""



1st- user - 1mb user test


2nd pc 128K 1mb


How to remove all dynamic queues [can be used in the login script section]

/queue simple remove [find where dynamic]


As we can see, the address list has been created successfully. Now we can use it for our different tasks, using marked packets with customized PCQ-based queues for policy-based queueing.

I will write more on it later if I manage to get some spare time.


Syed Jahanzaib


March 29, 2019

March 25, 2019

Mikrotik with Freeradius/mySQL # Part-21 – Weird Trigger for Duplicate Users

Filed under: Mikrotik Related, Radius Manager — Syed Jahanzaib / Pinochio~:) @ 11:13 AM




  • We have DMASOFTLAB radius manager installed as a billing system in Ubuntu 12.04 server
  • Mikrotik version 6.4x.x is acting as Hotspot NAS and connected with radius for AAA

Requirement: [A Weird one really]

As operator demanded

“We are running Hotspot on mikrotik, & the client logs in to hotspot using his mobile/laptop. If a logged-in client leaves his primary location without logging out, & moves to another location, & if he tries to log in from another device, his request will get DENIED because of the single user limit. We increased it to 2 by using the SIM-USE=2 directive in user properties. It allows a second session to log in, but both sessions can use the bandwidth; therefore we want that once the second session is established, the old first live session should get kicked. If it was a single Hotspot we could have used a script on LOGIN, but there are several NAS spread across various locations using a single radius.”

If the user uses the same device, then we could have used

if (User-Name){
if("%{sql:UPDATE radacct set AcctStopTime=ADDDATE(AcctStartTime,INTERVAL AcctSessionTime SECOND), AcctTerminateCause='Clear-Stale Session' WHERE UserName='%{User-Name}' and CallingStationId='%{Calling-Station-Id}' and AcctStopTime is NULL}"){
}
}

But things are different in hotspot, as I have observed: if the devices are different it will give us an already-logged-in error; if we use sim-use=2 then the second device can log in, but the old session will also stay alive and both IDs will suck the bandwidth at the same time.

Also, using idle-timeout or keep-alive timeout is the simplest way to achieve this, but for some weird reasons, and to avoid long arguments due to accent issues, I made one customized solution for the operator.


Login to mysql with root

mysql -uroot -pXXXX

and switch to radius database

use radius;

Now create a new table that will hold the duplicate user records

MYSQL Table to hold duplicate users list

-- Table structure for table `rm_dupusers`

DROP TABLE IF EXISTS `rm_dupusers`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `rm_dupusers` (
-- `dupid` and `datetime` are used by the trigger and the script below, but their
-- definition lines are missing from this copy of the dump; the types here are assumed
`dupid` int(11) NOT NULL AUTO_INCREMENT,
`datetime` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`username` varchar(64) NOT NULL,
`ip` varchar(16) NOT NULL,
`nas` varchar(16) NOT NULL,
`comments` varchar(64) DEFAULT NULL,
KEY `dupid` (`dupid`)
);
/*!40101 SET character_set_client = @saved_cs_client */;

-- Dumping data for table `rm_dupusers`

MYSQL TRIGGER to check duplicate users sessions

Now we will create a new trigger that is executed whenever a record is inserted into radacct. It checks for an existing open session of the same user and, if it finds one, adds an entry for it to the rm_dupusers table.

DROP TRIGGER IF EXISTS chk_dup_user;
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=`root`@`localhost`*/ /*!50003 TRIGGER `chk_dup_user` BEFORE INSERT ON `radacct` FOR EACH ROW BEGIN
SET @dupuserchk = (SELECT count(*) from radacct where username=New.username and acctstoptime is NULL);
IF (@dupuserchk = 1) THEN
SET @dupusername = (SELECT username from radacct where username=New.username and acctstoptime is NULL);
SET @dupuserip = (SELECT framedipaddress from radacct where username=New.username and acctstoptime is NULL);
SET @dupusernas = (SELECT nasipaddress from radacct where username=New.username and acctstoptime is NULL);
INSERT into rm_dupusers (dupid,username,ip,nas,comments) values ('',@dupusername,@dupuserip,@dupusernas,'Duplicate User');
END IF;
END */;;
DELIMITER ;

Mysql Part is Done.

Now we will create a BASH script that will be scheduled to run every minute.

BASH script !

Create bash script in desired folder, in this example I am using /temp folder as default

mkdir /temp
touch /temp/
chmod +x /temp/
nano /temp/

& paste following, make sure to modify credentials

#!/bin/bash
#set -x
# Following script is made specifically for Dmasoftlab radius manager 4.1.x
# When any new user logs in, it checks whether an existing session of the same user is found, and if so kicks the previous session
# It requires the custom trigger on the radacct table; this script is scheduled to run every minute
# Created: 25-MARCH-2019
# Tested on Ubuntu OS Only
# CHANGE these
# (The variable definitions are missing from this copy of the script. The names are the ones used below;
# values are taken from the test output further down where it shows them, the rest are placeholders.)
SQLID="SQLID"                       # placeholder: mysql login id
DB="radius"
DUP_TABLE="rm_dupusers"
SRV="mysql"
TEMP="/temp"
NAS_COA_PORT="1700"
INT="1"                             # assumed: look-back window in minutes, matching the every-minute cron job
TMPUSRINFO="$TEMP/dupusers.txt"     # placeholder file name
DUP_LIST_FILE="$TEMP/dupusers.log"  # placeholder file name
currenttime=$(date +%H:%M:%S)
# Add Script start execution entry in the /var/log/syslog to see if the script got executed or not
logger "Duplicate User poller script Started @ $currenttime by the CRON scheduler ... Powered by SYED.JAHANZAIB"
echo "- Script Start Time - $currenttime"
echo "- Checking Duplicate Users in $DUP_TABLE table ..."
CMD="mysql -u$SQLID --skip-column-names -s -e"
#Table which contain main users information

# Checking if /temp folder is previously present or not . . .
if [ ! -d "$TEMP" ]; then
echo "- INFO: $TEMP folder not found, Creating it now to store logs ..."
mkdir "$TEMP"
else
echo -e "- INFO: $TEMP folder is already present to store logs."
fi

IPADD=`ip route get 1 | awk '{print $NF;exit}'`
SRVSTATUS=`service $SRV status |grep running |wc -l`
if [ "$SRVSTATUS" -ne 1 ];
then
#if [ -z "$SRVSTATUS" ];
echo "- ALERT:

- $SRV not responding ***
- $currenttime

Exiting ..."
exit 1
else
echo "- INFO: $SRV service is accessible. Proceeding further ... OK"
fi

# Check if table exists
if [ "$($CMD \
"select count(*) from information_schema.tables where \
table_schema='$DB' and table_name='$DUP_TABLE';")" -eq 1 ]; then
echo "- INFO: $DUP_TABLE Table exists ..."
else
echo "- WARNING: $DUP_TABLE Table does not exists ..."
fi
# Enable following line so that it will update all users simultaneous-use to '2' so that two sessions can be established
# $CMD "use $DB; UPDATE  radius.radcheck SET value = '2' where Attribute = 'Simultaneous-Use';"
# pull user record (overwrite the temp file so records from an earlier run are not processed again)
$CMD "use $DB; select username,ip,nas from $DUP_TABLE WHERE datetime >= NOW() - INTERVAL $INT MINUTE;" > "$TMPUSRINFO"
if [ ! -s "$TMPUSRINFO" ]
then
endtime=$(date +%H:%M:%S)

echo "
- INFO: No Duplicate User found in DMA RADIUS MANAGER TABLE '$DUP_TABLE' , Sending EXIT signals ...

- Script Ends Here...
- EXITING peacefully...
- Script End Time - $endtime
"
exit 1
fi

# Loop over every duplicate user record, one per line
cat "$TMPUSRINFO" | while read users
do
username=`echo $users | awk '{print $1}'`
USER_IP=`echo $users | awk '{print $2}'`
ACCTSESID=`$CMD "use $DB; select acctsessionid from radacct where framedipaddress ='$USER_IP' AND acctstoptime is NULL;"`
NAS_IP=`echo $users | awk '{print $3}'`
NAS_SECRET=`$CMD "use $DB; select secret from nas where nasname = '$NAS_IP' ;"`

# Print Info on screen
echo "Duplicate User Found: USER: $username , IP: $USER_IP, ID: $ACCTSESID, NAS: $NAS_IP @ $currenttime ... KICKING him now ..."
echo "Duplicate User Found: USER: $username , IP: $USER_IP, ID: $ACCTSESID, NAS: $NAS_IP @ $currenttime ... KICKING him now ..." >> "$DUP_LIST_FILE"
#echo User-Name=$USERNAME,Acct-Session-Id=$ACCTSESID,Framed-IP-Address=$USER_IP,Mikrotik-Rate-Limit=\"$DN_BWPKG\" | $RADCLIENT -q -c 1 $NAS_IP:$NAS_COA_PORT coa $NAS_SECRET
#for hotspot, enable following line
echo "Framed-IP-Address=$USER_IP" | radclient -x -c 1 "$NAS_IP:$NAS_COA_PORT" disconnect "$NAS_SECRET"
done
# once done, we should delete the tmp files to clear the garbage
rm -f "$TMPUSRINFO"

CRON scheduler to run the above script every minute. Edit crontab by

crontab -e

& add following entry

* * * * * /temp/ >/dev/null 2>&1

Testing …

Using same credentials, Login to first device, and then on second ,

& run this script,

root@radius:/temp# /temp/
- Script Start Time - 10:52:03
- Checking Duplicate Users in rm_dupusers table ...
- INFO: /temp folder is already present to store logs.
- INFO: mysql service is accessible. Proceeding further ... OK
- INFO: rm_dupusers Table exists ...
Duplicate User Found: USER: test , IP:, ID: 81d00057, : +IP @ 10:52:03 ... KICKING him now ...
Sending Disconnect-Request of id 58 to port 1700
Framed-IP-Address =
rad_recv: Disconnect-ACK packet from host port 1700, id=58, length=32
NAS-Identifier = "ZAIB_CCR_GW"

The older session will be removed.

Weirdo …. but it’s fun to learn !


Command to view duplicate users session in freeradius using CLI

mysql -uroot -pMYPASS --skip-column-names -e 'use radius; SELECT username FROM radacct WHERE acctstoptime IS NULL;' > 1.txt && sort 1.txt | uniq -cd
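The command above only counts open sessions per user. As an added example (not the author's script), the function below goes a step further and picks which sessions to disconnect: for every user with more than one open session it keeps the most recent login and lists all older ones, which also covers a user with three or more sessions. It assumes tab-separated rows of username, acctsessionid, framedipaddress, nasipaddress, acctstarttime, as printed by mysql -s --skip-column-names; the sample rows are constructed.

```shell
#!/bin/sh
# Added example: choose the stale sessions among the open radacct rows.
# Input query this is meant for (columns as used elsewhere in this post):
#   SELECT username, acctsessionid, framedipaddress, nasipaddress, acctstarttime
#   FROM radacct WHERE acctstoptime IS NULL;

# stale_sessions: reads the rows on stdin, prints
#   username<TAB>acctsessionid<TAB>framedipaddress<TAB>nasipaddress
# for every open session that is older than the same user's newest session.
stale_sessions() {
    awk -F '\t' '
        NF < 5 { next }                  # skip malformed rows
        {
            n++
            user[n] = $1; sid[n] = $2; ip[n] = $3; nas[n] = $4; start[n] = $5
            # YYYY-MM-DD HH:MM:SS timestamps sort correctly as plain strings
            if (!($1 in newest) || ($5 "") > (start[newest[$1]] ""))
                newest[$1] = n
        }
        END {
            for (i = 1; i <= n; i++) {
                if (newest[user[i]] == i) continue       # keep the latest login
                # only hand well-formed IPv4 addresses on to radclient
                if (ip[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
                printf "%s\t%s\t%s\t%s\n", user[i], sid[i], ip[i], nas[i]
            }
        }'
}

# Constructed sample rows (documentation IP ranges): user "test" is logged in
# three times, user "zaib" once.
sample_rows() {
    printf 'test\t81d00057\t192.0.2.10\t198.51.100.1\t2019-03-25 10:40:11\n'
    printf 'zaib\t81d00058\t192.0.2.11\t198.51.100.1\t2019-03-25 10:45:00\n'
    printf 'test\t81d00059\t192.0.2.12\t198.51.100.2\t2019-03-25 10:51:30\n'
    printf 'test\t81d0005a\t192.0.2.13\t198.51.100.2\t2019-03-25 10:47:02\n'
}

# Demo: prints the two older sessions of user "test".
sample_rows | stale_sessions
```

Each output line carries the Framed-IP-Address and NAS address that the radclient disconnect line in the script above needs.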

Syed Jahanzaib

February 14, 2019

Barracuda Email Security Gateway – Short Notes

Filed under: Emails - Antispam — Syed Jahanzaib / Pinochio~:) @ 12:58 PM


We are running our own email server hosted locally using IBM Lotus Domino Server. Last year we acquired a Barracuda Email Security Gateway hardware device (BSFI300a) to filter spam/junk emails. It came along with 1 Year Total Protection Plus & 1 Year IR (instant replacement). Hardware quality is enterprise grade & we haven’t encountered any failure so far.


Barracuda usage in our organization ~

For some reasons, we are using this device to filter incoming emails only. Outgoing emails are delivered to the recipient/destination email server directly from our Domino server via the main gateway router (bypassing barracuda for outgoing emails). This was done for better tracking of outgoing/sent emails, as domino provides a more detailed log compared to barracuda. But IMO it’s better to use the antispam device/app as a centralized gateway to filter/control both incoming/outgoing email transactions.


Barracuda effectiveness in filtering Spam ~

If we talk on a percentage basis, it is effectively blocking up to 96-97 % of spam. We regularly review its message logs and report uncaught spam to Barracuda central spam & we never receive such email from that host again, so their monitoring team is reviewing the submissions actively, I suppose. The biggest advantage is that it has a variety of filtering options; we enabled Reverse DNS entry check / SPF and a few other rules, and our biggest headache of SPOOFED emails got solved.


Past experience with Symantec SMSDOM ~

Before this we were using the Symantec Mail Security for Domino based application for about 10 years, but it got discontinued & declared EOL. SMSDOM filtering was not very effective & was a constant headache for us; on average it was blocking just 80%. Spoofed emails were the biggest issue, and it was not able to scan files inside archives, plus the famous issue of PDF archive.

Barracuda Hardware Specs for 300 Model

barracuda 300 user support

barracuda 300 user other specst

Some Snapshots …

barracuda 300 - dashboard part 1

barracuda 300 - dashboard part 2




Tips & Common Usage

Following are few short notes for reference purposes. First Login to Barracuda with admin account,

Device Web Management Port

  • 8000

View email messages LOG

Goto Basic > Message Log

SMTP Banner / Attachment Size Limit / SPF,Helo, Ehlo settings

Goto  ADVANCED > Email Protocol

TIP: Enabling SPF really helps ! but make sure you have proper SPF record on your domain dns server


Ping/Dig/Telnet Test / View LIVE Mail process Log

Goto  ADVANCED > Troubleshooting

Firmware Update

Goto ADVANCED > Firmware Update

IP + DNS configuration / Destination Mail Server / Barracuda Hostname Page

Goto Basic > IP Configuration

Password Change / Log Management / System Management like reset logs,restart,shutdown

Goto Basic > IP Configuration > Administration

Allow/Block Domain

Goto Basic > BASIC > BLOCK/ACCEPT > Sender Filters

Blocking Marketing & Tagged emails

block mkt emails


Block specific extensions

Goto BASIC > BLOCK/ACCEPT > Attachment Filters


Blocking particular emails using Content filter,

For example, if you want to block emails that have a particular word in the subject, header or body

content filter

Check Queued emails

Goto Advanced > Queue Management

Device Backup/Restore/Scheduled

Goto Advanced > Backups

NTP configuration

Goto Advanced >Advanced Networking

* Block SPOOFED messages *


under `Current Domain Count` , click on `MANAGE Domain`

then goto `ADVANCED` > `Email Protocols`

& select `YES` under `Reject messages from my domain`


Also read this regarding SPOOFED bypass check.

Will keep adding more information as explored or requested.

General Tips for better email acceptance at remote email servers on internet

Following are general tips every email administrator must follow to avoid their email being rejected at different internet hosts.

  • Make sure your ISP has an IP PTR record against your email server name; for example, if you have acquired a public IP from the ISP, ask them to create a reverse DNS / PTR record for this IP against your MAIL server public ip
    Example IP should resolve to >
  • Set up an A record in the web site DNS for the Server Name to resolve to the IP
    example  should resolve ip to >
  • Add your SPF record with the correct details (add all SMTP relays to it if you are using the SMTP relay of your ISP)
  • SMTP welcome banner should be your email server FQDN
  • Make sure you have a valid SPF record to avoid spammers spoofing your domain name; Gmail highly recommends it as well.
  • Adding DKIM/DMARC for your domain name is a good addition.
  • Try using your ISP SMTP as relay as first line,
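A quick way to catch the usual mistakes in an SPF record before publishing it is to lint the record text offline. The function below is an added example, not from the original post: it checks a record string against the rules of RFC 7208 (version tag, known terms, the limit of 10 DNS-lookup terms, a permissive all) without making any DNS query, so lookups hidden inside included records are not counted. The domains and addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example: offline lint of an SPF TXT record string (RFC 7208).

# spf_lint "RECORD": prints findings; returns 0 when nothing is fatal.
spf_lint() {
    rec=$(printf '%s' "$1" | tr 'A-Z' 'a-z')    # SPF terms are case-insensitive
    rc=0; lookups=0; seen_all=0; after_all=0; has_redirect=0
    case $rec in
        v=spf1|"v=spf1 "*) ;;
        *) echo "FAIL: record does not start with v=spf1"; return 1 ;;
    esac
    set -f      # "?all" is a valid term but also a glob pattern
    for term in $rec; do
        if [ "$term" = v=spf1 ]; then continue; fi
        # split an optional qualifier (+ - ~ ?) from the term itself
        case $term in
            [-~?+]*) q=${term%"${term#?}"}; body=${term#?} ;;
            *)       q=+; body=$term ;;
        esac
        name=${body%%[:/=]*}
        if [ "$seen_all" -eq 1 ] && [ "$name" != exp ]; then after_all=1; fi
        case $name in
            include|a|mx|exists) lookups=$((lookups + 1)) ;;
            redirect) lookups=$((lookups + 1)); has_redirect=1 ;;
            ptr) lookups=$((lookups + 1))
                 echo "WARN: ptr is discouraged by RFC 7208" ;;
            ip4|ip6|exp) ;;
            all) seen_all=1
                 if [ "$q" = + ]; then
                     echo "FAIL: +all authorises every host on the internet"
                     rc=1
                 fi ;;
            *) echo "FAIL: unknown term '$term'"; rc=1 ;;
        esac
    done
    set +f
    echo "INFO: $lookups term(s) need a DNS lookup (limit 10)"
    if [ "$lookups" -gt 10 ]; then
        echo "FAIL: more than 10 DNS lookups gives permerror at the receiver"
        rc=1
    fi
    if [ "$after_all" -eq 1 ]; then
        echo "WARN: terms after all are never evaluated"
    fi
    if [ "$seen_all" -eq 0 ] && [ "$has_redirect" -eq 0 ]; then
        echo "WARN: no all or redirect, unlisted senders get a neutral result"
    fi
    return $rc
}

# Demo on constructed records: own MX, one fixed relay IP, the ISP relay
# via include, everything else rejected; then a record that protects nothing.
spf_lint "v=spf1 mx ip4:192.0.2.25 include:_spf.example.net -all"
spf_lint "v=spf1 +all" || echo "=> fix before publishing"
```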

Some online tools to check for email server

The most effective way to check your domain and email server health is to visit following URL

A good looking record should be something like this

Domain name MX Record Test


Domain Name SPF Record Test



PROBLEMS & Their workarounds/solutions !

This is the second time that barracuda SMTP transaction responses were getting very slow, & inbound emails were arriving with 3-5 minutes of delay. For example, if we test it from outside (mxtools):

“SMTP Transaction Time 18.341 seconds – Not good! on Transaction Time”

It starts to work fine after a reboot & the smtp transaction time drops to 2-3 seconds only. Also, if we bypass barracuda (routing rules) it works fine.

Other Details: our Internet connectivity: very good
Firmware Latest : v8.1.0.003 [as of march 2019]
Performance Statistics
In/Out Queue Size: 0/0
Average Latency: 88 seconds
Last Message: 1 minute ago
Unique Recipients: 276
System Load: 2%
CPU 1 Fan Speed: 4143 RPM
System Fan 1 Speed: 8333 RPM
CPU 1 Temperature: 28.0°C
System Temperature 2: 23.0°C
Temperature 1: 27.8°C
Temperature 2: 29.8°C
Firmware Storage: 62%
Mail/Log Storage: 18%

Yesterday we contacted barracuda support, and they did some tune-up late at night via tunnel support & replied “they have allocated more resources to the appliance to give it more to work with, which will help the device process emails”

From this morning we are seeing normal response in smtp transaction time. We will keep monitoring & update.

March 2019 Updates: It seems that the tuning done by the barracuda support team has solved the issue. There are no more extra delays in INBOUND smtp transactions.

Configuring ATP , Advanced Threat protection along with CPL [cloud protection layer]

WE acquired the barracuda device along with Total Protection Plus that included ATP also. initially we thought that ATP is built in feature in this device that is enabled by the Total threat protection bundle package , but after 10 months of usage, it came to our knowledge that you need to enable ATP viac configuring CPL option in the device , for this you need account and device registration at

in Barracuda ESG ,

  • Goto Advance
  • Cloud Control
  • & select YES for Connect to Barracuda Cloud Control

Enter account details and press SAVE, and shortly it will connect with the barracuda Cloud.

You can then see your appliance “”

barracuda cloud control cp;.PNG

Some points to be noted.

  • In your website domain panel, make sure you modify MX entries, so that all inbound emails should first arrive on barracuda data center (depends on what region data center you selected) , then in CPL , DOMAINS, add your domain and email server there,

we selected US Region when setting up CPL online, and used following in our web site domain dns MX records.

  • Primary:
  • Backup:

This way all inbound mail will arrive at the Barracuda cloud, which filters/scans it and forwards it to your mail server IP, where the Barracuda appliance must be in front, which then forwards it to your local server.

  • Under your Barracuda ESG device, make sure to exempt traffic coming from the Barracuda cloud IP range list under Rate Control.

IP range can be found here.

Now we have enabled the barracuda cloud control and in our web site public dns, we have changed MX record from to use barracuda cloud x.x.x.x, so all of our inbound emails are now first arriving on barracuda cloud which then filter and send it to our which filter and forward it to ESG (via our firewall router)

  • To further secure the SMTP port on the firewall router, we have now altered the SMTP forward rule to accept SMTP traffic only from the Barracuda cloud IP ranges. This way we got rid of many authentication / hacking / knocking requests on the SMTP port.


Syed Jahanzaib


February 6, 2019

Unable to access Windows 2003 shared folder from Windows 10

Filed under: Microsoft Related — Syed Jahanzaib / Pinochio~:) @ 1:04 PM


We have some folders shared on an old Windows 2003 box; while trying to access them from a Windows 10 workstation, we are seeing the following error …


In Windows 10 Fall Creators Update and Windows Server, version 1709 (RS3) and later versions, the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default. To enable it ,

Start PowerShell in privileged (administrator) mode on your Windows 10 workstation:

Open CMD in privileged mode, and start powershell


Now get the status of SMB1Protocol

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

It will probably be in the Disabled state; change it to Enabled using the following command,

Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Afterwards, it may ask you to reboot the machine. Do restart so that the changes can take effect.

Status after enabling SMB1Protocol

PS C:\> Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

FeatureName : SMB1Protocol
DisplayName : SMB 1.0/CIFS File Sharing Support
Description : Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol.
RestartRequired : Possible
State : Enabled
CustomProperties :
ServerComponent\Description : Support for the SMB 1.0/CIFS file sharing protocol, and the Computer
Browser protocol.
ServerComponent\DisplayName : SMB 1.0/CIFS File Sharing Support
ServerComponent\Id : 487
ServerComponent\Type : Feature
ServerComponent\UniqueName : FS-SMB1
ServerComponent\Deploys\Update\Name : SMB1Protocol

Now try to access windows 2003 sharing folder & hopefully it will work fine.

Syed Jahanzaib

February 1, 2019

Forced routing of selective emails to ISP SMTP via Mikrotik Routing

Filed under: IBM Related, Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 10:06 AM



We have a LAN environment with our own email server [IBM Lotus Domino] hosted locally. Mikrotik router is acting as our gateway router with /29 public pool & port forwarding from mikrotik public ip to email server is configured. Barracuda Antispam gateway is in place as well.

Problem & Challenges :

Sometimes a few email servers on the internet do not accept our emails; they either bounce them back or silently drop them, even though our public IP is not listed in any blacklist on the internet. [It happens commonly with Microsoft-hosted email servers, as they silently drop our emails without giving any reason.] If we use our ISP SMTP as relay in the DOMINO configuration, then the emails are delivered to those particular servers without problem. But we cannot use the ISP SMTP for routing/relaying all emails, as it has a per-day sending limit and we do not get proper reports for delivered or held emails.

Another BIG problem is that sometimes the ISP’s SMTP server IP gets banned/added in Spamhaus or a similar SPAM blacklist database, & when this happens 80-90% of emails bounce back.

So we needed a solution where we do not use the ISP SMTP relay all the time; only mails for particular destination email servers should be routed to the ISP SMTP, & it should all be controlled by our Mikrotik RouterOS dynamically/centrally.


First create an address list which should contain the IP addresses of the remote email servers [that do not accept our emails directly]

/ip firewall address-list
# x.x.x.x is a placeholder, put the remote mail server IP here
add address=x.x.x.x comment="remote company mail server X IP" list=few_mails_routing_2_primary_ISP_smtp

Now using a NAT rule, all emails [port 25 traffic] going to the above address list will be forcefully routed to the ISP SMTP, with the rule below …

# x.x.x.x (placeholder) is the ISP SMTP IP

/ip firewall nat
add action=dst-nat chain=dstnat comment="Few Mails Routing 2 primary ISP smtp" dst-address-list=few_mails_routing_2_primary_ISP_smtp dst-port=25 protocol=tcp to-addresses=x.x.x.x to-ports=25

It’s done.

BUT the next challenge is to overcome the issue when the ISP changes its SMTP IP address for whatsoever reason, so we need to schedule a script that keeps checking the ISP SMTP IP by resolving it via Google DNS and updates the ISP SMTP IP in the NAT rule. [As per my knowledge we cannot put a DNS name in the TO-ADDRESS field, this is why putting an IP is necessary, & updating it dynamically is also essential to avoid bouncing email due to blacklisting of the ISP's old SMTP IP]

the Script !

or workaround I suggest for very particular problem?

# Mikrotik RouterOS script to resolve ISP SMTP, and add it to variables & in NAT rules
# Useful in scenario where ISP changes its SMTP IP frequently (to avoid SMTP Blacklisting)
# Script by Syed Jahanzaib / aacable at hotmail dot com / https : // aacable . wordpress . com
# 31-January-2019
# Find rule with following comment (it must match the comment of the NAT rule exactly)
:local COMMENT "Few Mails Routing 2 primary ISP smtp";
# DNS Name of SMTP for resolving (set it to the host name of your ISP SMTP)
:local ISP1SMTPDNSNAME "";
# Which DNS server to be used for resolving
:local DNSSERVER "";
# Below is Default IP of SMTP Server, so that if resolving cannot be done for whatsoever reason, set this IP as DEFAULT SMTP
:local DEFAULTSMTP "";
# Destination port that need to be redirected
:local DSTPORT "25";
# Date time variables
:local i 0;
:local F 0;
:local date;
:local time;
:local sub1 ([/system identity get name])
:local sub2 ([/system clock get time])
:local sub3 ([/system clock get date])
:set date [/system clock get date];
:set time [/system clock get time];
# Set script last execution date time
:global SMTPLastCheckTime;
:set SMTPLastCheckTime ($time . " " . $date);

# Set global variable to store the resolved ISP SMTP IP
:global ISP1ACTIVEIP4SMTP;
# List of names to resolve
:local RESOLVELIST {"$ISP1SMTPDNSNAME"};

# Check if resolving is doable, then act accordingly
:foreach addr in=$RESOLVELIST do={
:do {
# If resolving is ok then set resolved address as SMTP ip in the NAT rule
:set ISP1ACTIVEIP4SMTP [:resolve server=$DNSSERVER $addr];
:log warning "$ISP1SMTPDNSNAME resolved result: SUCCESS @ $date $time !";
/ip firewall nat set to-addresses=$ISP1ACTIVEIP4SMTP to-ports=$DSTPORT [find comment="$COMMENT"]
} on-error={
# If resolving failed, fall back to the default SMTP ip
:log error "$ISP1SMTPDNSNAME resolved result: FAILED @ $date $time !";
/ip firewall nat set to-addresses=$DEFAULTSMTP to-ports=$DSTPORT [find comment="$COMMENT"]
}}

We can add dynamic names in the ISP SMTP address list.





January 16, 2019

BASH script to monitor Cisco Switch Port Status

Filed under: Cisco Related, Linux Related — Syed Jahanzaib / Pinochio~:) @ 10:55 AM


Following script was designed for an OP who wanted to monitor his Cisco switch port status via a Linux-based bash script.

  • Created: February, 2016
  • Revision: January, 2019


OP Requirements:

  • We need a bash script that can acquire ports status of Cisco switch using SNMP query & act accordingly based on the results, example send sms/email etc,
  • The script should first check target device network connectivity by ping, if PING NOT responding, Exit,
  • If ping OK, then check SNMP status, if SNMP NOT responding, then error report, & Exit,
  • If Ping / SNMP responds OK, then check the port status, if port status is NOT UP , then send email/sms alert 1 time until next status change.

Hardware / Software Used in this post:

  • Cisco 3750 24 Gigabit Ports Switch
  • Ubuntu 12.4 Server Edition
  • Bash Script
  • SNMP support enabled on Cisco switch to query port status using MIB names


I made following script which checks PING/SNMP status, and then Port Status of Cisco 3750 Switch. This is just an example. You can use your own techniques to acquire the same result. This is fully tested and working script. There are many other ways to do the same like using any NMS app like Nagios, or DUDE which have good GUI control so no need to do coding in the dark : )

Surely this contains too much junk or some unwanted sections, so you may want to trim it according to your taste and requirements.

Syed Jahanzaib

  1. Install SNMP MIBS

First we need to make sure that the MIBs are installed. Do so by

sudo apt-get install -y snmp
sudo apt-get install -y snmp-mibs-downloader
sudo download-mibs

After this , Add SNMP Mibs entry in


by adding this line

mibs +ALL

Save & Exit

Now query your switch by following command to see if snmpwalk is working …

root@Radius:/temp# snmpwalk -v1 -c wl IF-MIB::ifOperStatus

& you should see something like below if SNMP is working …

IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.17 = INTEGER: up(1)
IF-MIB::ifOperStatus.5182 = INTEGER: down(2)
IF-MIB::ifOperStatus.5183 = INTEGER: down(2)
IF-MIB::ifOperStatus.5184 = INTEGER: down(2)
IF-MIB::ifOperStatus.10601 = INTEGER: up(1)
IF-MIB::ifOperStatus.10602 = INTEGER: down(2)
IF-MIB::ifOperStatus.10603 = INTEGER: down(2)
IF-MIB::ifOperStatus.10604 = INTEGER: down(2)
IF-MIB::ifOperStatus.10605 = INTEGER: up(1)
IF-MIB::ifOperStatus.10606 = INTEGER: up(1)
IF-MIB::ifOperStatus.10607 = INTEGER: up(1)
IF-MIB::ifOperStatus.10608 = INTEGER: up(1)
IF-MIB::ifOperStatus.10609 = INTEGER: up(1)
IF-MIB::ifOperStatus.10610 = INTEGER: up(1)
IF-MIB::ifOperStatus.10611 = INTEGER: up(1)
IF-MIB::ifOperStatus.10612 = INTEGER: up(1)
IF-MIB::ifOperStatus.10613 = INTEGER: up(1)
IF-MIB::ifOperStatus.10614 = INTEGER: up(1)
IF-MIB::ifOperStatus.10615 = INTEGER: up(1)
IF-MIB::ifOperStatus.10616 = INTEGER: up(1)
IF-MIB::ifOperStatus.10617 = INTEGER: up(1)
IF-MIB::ifOperStatus.10618 = INTEGER: up(1)
IF-MIB::ifOperStatus.10619 = INTEGER: up(1)
IF-MIB::ifOperStatus.10620 = INTEGER: up(1)
IF-MIB::ifOperStatus.10621 = INTEGER: up(1)
IF-MIB::ifOperStatus.10622 = INTEGER: up(1)
IF-MIB::ifOperStatus.10623 = INTEGER: up(1)
IF-MIB::ifOperStatus.10624 = INTEGER: up(1)
IF-MIB::ifOperStatus.10625 = INTEGER: down(2)
IF-MIB::ifOperStatus.10626 = INTEGER: down(2)
IF-MIB::ifOperStatus.10627 = INTEGER: down(2)
IF-MIB::ifOperStatus.10628 = INTEGER: down(2)
IF-MIB::ifOperStatus.14501 = INTEGER: up(1)

OR getting UP/DOWN result for particular port (port 10)

snmpwalk -v1 -c wl IF-MIB::ifOperStatus.10610 -Oqv

Output Result:




the Script!

  • mkdir /temp
  • cd /temp
  • touch
  • chmod +x
  • nano

and paste following, make sure to edit all info accordingly…

#!/bin/bash
#set -x
# Script to check Cisco Switch Port Status and send alert accordingly
# It will first check PING, then SNMP Status, then PORT status & act accordingly
# Email: aacable at hotmail dot com / http : // aacable . wordpress . com
# 15-Jan-2019
# Usage: <this script> <switch IP> <port index>
HOST="$1"
PORT="$2"
# Device name and SNMP community as used in the examples in this post
DEVNAME="WL_Main_Switch"
SNMP="wl"
# The values below are placeholders, edit them for your setup
PING_ATTEMPTS="3"
TEMP="temp"
HOST_PORT_STATUS="/$TEMP/$HOST.$PORT.port.status.txt"
PORT_DOWN_MSG_HOLDER="/$TEMP/$HOST.$PORT.down.msg.txt"
PORT_UP_MSG_HOLDER="/$TEMP/$HOST.$PORT.up.msg.txt"
# Email Info (placeholders)
SENDMAIL="sendEmail"
SMTPSERVER="<smtp server:port>"
ADMINMAIL1="<admin email>"
GMAILID="<gmail id>"
GMAILPASS="<gmail password>"
# KANNEL SMS Gateway Info (placeholders)
KANNELURL="<kannel ip:port>"
KANNELID="<kannel user>"
KANNELPASS="<kannel password>"
CELL1="<cell number>"
# If ip parameters are missing, then inform & exit
if [ -z "$HOST" ]; then
echo "Error: IP missing, Please use this,
$0 <switch IP> 10601"
exit 1
fi
# If port parameters are missing, then inform & exit
if [ -z "$PORT" ]; then
echo "Error: PORT number missing, Please use this,
$0 <switch IP> 10601"
exit 1
fi
# Test PING to device (an empty count, e.g. unknown host, is treated as 0 replies)
count=$(ping -c $PING_ATTEMPTS $HOST | awk -F, '/received/{print $2*1}')
if [ "${count:-0}" -eq 0 ]; then
echo "$HOST $DEVNAME is not responding to PING Attempts, cannot continue without it [or disable ping check] !"
exit 1
fi
echo "- PING Result : OK"
# Test SNMP Result of device (the redirect always creates the file, so test that it is not empty)
snmpwalk -v1 -c $SNMP $HOST SNMPv2-MIB::sysDescr.0 > /tmp/$HOST.$PORT.snmp.status.txt
if [ ! -s "/tmp/$HOST.$PORT.snmp.status.txt" ]; then
echo "- ALERT: ..... $HOST $DEVNAME is not responding to SNMP Request, Cannot continue without it ... Exit"
exit 1
fi
echo "- SNMP Result : OK"
# If all OK, then pull Port Description
PORT_DERSCRIPTION=`snmpwalk -v1 -c $SNMP $HOST IF-MIB::ifDescr.$PORT -Oqv`
# Check if folder exists, if not create one and continue
if [ ! -d "/$TEMP" ]; then
echo "/$TEMP folder not found, Creating it so all ping results should be saved there . . ."
mkdir /$TEMP
fi
CHKPORT=`snmpwalk -v1 -c $SNMP $HOST IF-MIB::ifOperStatus.$PORT -Oqv`
# If Port number does not exists, then inform and exit
if [ -z "$CHKPORT" ]; then
echo "ALERT: .... Port number $PORT NOT found on $HOST $DEVNAME , Please check Port Number, Exiting ..."
exit 1
fi
# SMS/EMAIL Messages for PORT UP / DOWN (text follows the sample output shown in this post)
HOST_PORT_DOWN_ALERTONSCREEN="ALERT: .... $HOST $DEVNAME port number $PORT $PORT_DERSCRIPTION is DOWN @ $(date)"
HOST_PORT_UP_ALERTONSCREEN="INFO: .... $HOST $DEVNAME port number $PORT $PORT_DERSCRIPTION is OK @ $(date)"
# Temporary file holder for PORT DOWN/UP storing sms/email
echo "$HOST_PORT_DOWN_ALERTONSCREEN" > "$PORT_DOWN_MSG_HOLDER"
echo "$HOST_PORT_UP_ALERTONSCREEN" > "$PORT_UP_MSG_HOLDER"
# Status file holds the host while a DOWN alert is open
touch "$HOST_PORT_STATUS"

# Check if port is UP
if [ "$CHKPORT" = "up" ]; then
echo "$HOST_PORT_UP_ALERTONSCREEN"
# Check if port is UP and its previous state was DOWN, then send UP sms/email
if [ $(grep -c "$HOST" "$HOST_PORT_STATUS") -eq 1 ]; then
echo "INFO: This port was previously DOWN, and now its UP ,Sending UP SMS 1 time only"
$SENDMAIL -u "$HOST_PORT_UP_ALERTONSCREEN" -o tls=yes -s $SMTPSERVER -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$PORT_UP_MSG_HOLDER -o message-content-type=text
# Sending PORT UP ALERT via SMS using KANNEL SMS Gateway
cat $PORT_UP_MSG_HOLDER | curl "http://$KANNELURL/cgi-bin/sendsms?username=$KANNELID&password=$KANNELPASS&to=$CELL1" -G --data-urlencode text@-
sed -i "/$HOST/d" "$HOST_PORT_STATUS"
fi
fi
if [ "$CHKPORT" = "down" ]; then
echo "$HOST_PORT_DOWN_ALERTONSCREEN"
# Check if port status was already DOWN (alert already sent), then only report it
if [ $(grep -c "$HOST" "$HOST_PORT_STATUS") -eq 1 ]; then
echo "ALERT: ..... $HOST $DEVNAME port $PORT $PORT_DERSCRIPTION is DOWN. SMS have already been sent."
else
echo "SMS Sent FOR $HOST $DEVNAME port $PORT $PORT_DERSCRIPTION DOWN have been sent only 1 time until next status change ..."
$SENDMAIL -u "$HOST_PORT_DOWN_ALERTONSCREEN" -o tls=yes -s $SMTPSERVER -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$PORT_DOWN_MSG_HOLDER -o message-content-type=text
# Sending PORT DOWN ALERT via SMS using KANNEL SMS Gateway
cat $PORT_DOWN_MSG_HOLDER | curl "http://$KANNELURL/cgi-bin/sendsms?username=$KANNELID&password=$KANNELPASS&to=$CELL1" -G --data-urlencode text@-
# Remember that the DOWN alert was sent, so it is not repeated until the port comes UP
echo "$HOST" > "$HOST_PORT_STATUS"
fi
fi


change the IP and port number.

  • /temp/ 10610

You can add entry in cron like this

# Check for Service remote host port status
*/5 * * * * /temp/ 10610



# Monitoring Port # 10 , when port is DOWN ...

root@Radius:/temp# ./ 10610
- PING Result : OK
- SNMP Result : OK
ALERT: .... WL_Main_Switch port nummber 10610 GigabitEthernet2/0/10 is DOWN @ Tue Jan 15 12:44:45 PKT 2019
ALERT: ..... WL_Main_Switch port 10610 GigabitEthernet2/0/10 is DOWN. SMS have already been sent.

root@Radius:/temp# ./ 10610
- PING Result : OK
- SNMP Result : OK
ALERT: .... WL_Main_Switch port nummber 10610 GigabitEthernet2/0/10 is DOWN @ Tue Jan 15 12:44:51 PKT 2019
ALERT: ..... WL_Main_Switch port 10610 GigabitEthernet2/0/10 is DOWN. SMS have already been sent.

# Monitoring Port # 10 , when port is UP now ...
root@Radius:/temp# ./ 10610
- PING Result : OK
- SNMP Result : OK
INFO: .... WL_Main_Switch port nummber 10610 GigabitEthernet2/0/10 is OK @ Tue Jan 15 12:45:01 PKT 2019
INFO: This port was previosuly DOWN, and now its UP ,Sending UP SMS 1 time only
Jan 15 12:45:11 radius sendEmail[18700]: Email was sent successfully!
0: Accepted for delivery

# Monitoring Port # 10 , when port is working UP ...
root@Radius:/temp# ./ 10610
- PING Result : OK
- SNMP Result : OK
INFO: .... WL_Main_Switch port nummber 10610 GigabitEthernet2/0/10 is OK @ Tue Jan 15 12:45:12 PKT 2019
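
The "alert 1 time until next status change" requirement above comes down to a small state machine per host and port. The block below is an added example, not part of the original script: the function names, STATE_DIR and the 192.0.2.1 address are assumptions, and the readings are constructed rather than captured from a switch. It keeps the state in a file named exactly after host and port instead of a grep on the host string, so one address cannot match inside another.

```shell
#!/bin/sh
# Added example: alert-once tracking of a switch port from ifOperStatus readings.
# STATE_DIR and both function names are assumptions, not from the original script.
# A temporary directory is used here; a real deployment would use a fixed one.
STATE_DIR=$(mktemp -d)

# parse_status READING -> prints up, down or other.
# Accepts a full snmpwalk line or the bare value that -Oqv prints.
parse_status() {
    case "$1" in
        *"up(1)"|up)     echo up ;;
        *"down(2)"|down) echo down ;;
        *)               echo other ;;   # empty, testing(3), notPresent(6), ...
    esac
}

# check_port HOST PORT READING -> prints the action for this poll:
#   ALERT_DOWN  first poll that sees the port down: send the SMS/email now
#   STILL_DOWN  down alert already sent: stay quiet
#   ALERT_UP    port is back after a down alert: send the recovery notice
#   OK          port up, nothing pending
#   ERROR       bad arguments or a reading that is neither up nor down
check_port() {
    host=$1
    port=$2
    # HOST and PORT become part of a file name, so accept only safe characters
    case "$host" in ''|*[!0-9A-Za-z.:-]*) echo ERROR; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo ERROR; return 1 ;; esac
    flag="$STATE_DIR/$host.$port.down"   # exists only while a down alert is open
    case "$(parse_status "$3")" in
        down)
            if [ -e "$flag" ]; then echo STILL_DOWN
            else : > "$flag"; echo ALERT_DOWN; fi ;;
        up)
            if [ -e "$flag" ]; then rm -f "$flag"; echo ALERT_UP
            else echo OK; fi ;;
        *)
            echo ERROR; return 1 ;;
    esac
}

# Constructed readings for one port over four polls (192.0.2.1 is a documentation address)
for reading in "down(2)" "down(2)" "up(1)" "up(1)"; do
    line="IF-MIB::ifOperStatus.10610 = INTEGER: $reading"
    printf '%s -> %s\n' "$line" "$(check_port 192.0.2.1 10610 "$line")"
done
```

In a cron job, only ALERT_DOWN and ALERT_UP would trigger the sendEmail and Kannel calls; the other results are logged or ignored.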