pc engine – pfsense as router / firewall

Just built a pfSense router on a PC Engines board to replace my aging 7390 FritzBox…. Very very awesome and fast!

Perfect for UFB (ultra fast broadband) here in New Zealand – FTTH has arrived :)


I’m currently running these services on it (2 x 1GHz CPU, 4GB RAM, 16GB mSATA SSD);

  • dhcpd – DHCP server
  • miniupnpd – UPnP server
  • ntpd – NTP server
  • squid – Transparent Proxy & Reverse Proxy
  • snort – IDS (Intrusion Detection System) / IPS (Intrusion Prevention System)
  • sshd – SSH server
  • unbound – DNS Server
  • ipsec – IPsec VPN (site to site VPN)
  • openvpn – Open VPN (client VPN)

Grab hardware here – http://www.pcengines.ch/apu.htm


Creating a .pem with the Private Key and Entire Trust Chain

You may find you install an SSL cert but certain browsers show the connection as unsafe (i.e. a mobile browser has issues but desktop browsers are happy).

This generally points to not having the cert chain correct. You can check your cert chain at sites like –




  1. Download your Intermediate and Primary Certificates.
  2. Open a text editor (such as notepad) and paste the entire body of each certificate into one text file in the following order:
    1. The Private Key – your_domain_name.key
    2. The Primary Certificate – your_domain_name.crt
    3. The Intermediate Certificate – gd_bundle_g2_g1.crt
    4. The Root Certificate – TrustedRoot.crt

    Make sure to include the beginning and end tags on each certificate. The result should look like this:

    (Your Private Key: your_domain_name.key)
    (Your Primary SSL certificate: your_domain_name.crt)
    (Your Intermediate certificate: DigiCertCA.crt)
    (Your Root certificate: TrustedRoot.crt)

    Save the combined file as your_domain_name.pem. The .pem file is now ready to use.
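As an added check (not from the original post), the Python below parses a combined .pem like the one above and verifies that every block carries matching BEGIN/END tags and that the order is private key first, followed by the certificates; it does no cryptographic validation, so follow it with openssl verify. The helper `_block` and the placeholder bundle contents are constructed for the example.

```python
import base64
import re

# Assumed helper that builds one PEM block; the payloads below are
# constructed placeholders, not real key or certificate bytes.
def _block(label, payload):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed bundle in the order the post gives: key, primary, intermediate, root.
SAMPLE_PEM = (_block("RSA PRIVATE KEY", b"placeholder key")
              + _block("CERTIFICATE", b"placeholder primary cert")
              + _block("CERTIFICATE", b"placeholder intermediate cert")
              + _block("CERTIFICATE", b"placeholder root cert"))
# The same bundle with the primary certificate's END tag dropped.
BROKEN_PEM = SAMPLE_PEM.replace("-----END CERTIFICATE-----\n", "", 1)

# The body may only contain base64 characters, so a block that lost its END
# tag fails to match instead of swallowing the block after it.
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n([A-Za-z0-9+/=\s]*?)\n-----END ([A-Z ]+)-----")

def check_bundle(text):
    """Check tags and block order of a key+chain .pem; no crypto validation."""
    problems, labels = [], []
    for n, (begin, body, end) in enumerate(BLOCK_RE.findall(text), 1):
        if begin != end:
            problems.append(f"block {n}: BEGIN {begin} closed by END {end}")
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {n}: body is not valid base64")
        labels.append(begin)
    if len(labels) != text.count("-----BEGIN ") or len(labels) != text.count("-----END "):
        problems.append("BEGIN/END tag count mismatch: a block is missing a tag")
    keys = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    certs = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif keys[0] != 0:
        problems.append("private key must be the first block")
    if len(certs) < 2:
        problems.append("expected the primary certificate plus at least one chain certificate")
    return {"ok": not problems, "labels": labels, "problems": problems}

if __name__ == "__main__":
    for name, pem in (("sample", SAMPLE_PEM), ("broken", BROKEN_PEM)):
        print(name, check_bundle(pem))
```

Because the combined file holds the private key, keep it readable only by the account that runs the web server and never serve it from a document root.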

unraid smart check – dead WD green drive

Errors on the unRAID GUI – sometimes it’s a loose cable, sometimes it’s an issue with the drive.

Run this command to check SMART status

smartctl -a -d ata /dev/sda
or if you are using a newer SATA controller
smartctl -a -A /dev/sda


Unfortunately in my case, it looks like the drive is pretty much dead… not too bad for a drive almost 5 years old.

It’s pretty typical of a WD Green drive in its default config to die in this type of environment, so I have no plans to replace it with a similar type of drive. You can see below the incredibly high LCC (Load Cycle Count), which indicates how many times the drive heads have parked over its life. This is probably part of the problem – there is a tool you can run (check this video, link for WDIDLE3 also in the comments – http://www.youtube.com/watch?v=J2eYyRI_F98) which disables the IntelliPark feature of the Green drive. I never disabled the park timeout before this drive died (it defaults to 8 seconds!); note: I have disabled it completely on my other Green drives.


Model Family: Western Digital Caviar Green
Device Model: WDC WD10EADS-00M2B0
Serial Number: WD-WCAV51020991
LU WWN Device Id: 5 0014ee 2588170a5
Firmware Version: 01.00A01
User Capacity: 1,000,204,886,016 bytes [1.00 TB]
Sector Size: 512 bytes logical/physical
Device is: In smartctl database [for details use: -P show]
ATA Version is: ATA8-ACS (minor revision not indicated)
SATA Version is: SATA 2.6, 3.0 Gb/s
Local Time is: Thu Oct 30 18:48:41 2014 NZDT
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

SMART overall-health self-assessment test result: FAILED!
Drive failure expected in less than 24 hours. SAVE ALL DATA.
See vendor-specific Attribute list for failed Attributes.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
1 Raw_Read_Error_Rate 0x002f 168 154 051 Pre-fail Always - 12560032
3 Spin_Up_Time 0x0027 149 105 021 Pre-fail Always - 5508
4 Start_Stop_Count 0x0032 099 099 000 Old_age Always - 1253
5 Reallocated_Sector_Ct 0x0033 119 119 140 Pre-fail Always FAILING_NOW 648
7 Seek_Error_Rate 0x002e 200 200 000 Old_age Always - 0
9 Power_On_Hours 0x0032 041 041 000 Old_age Always - 43079
10 Spin_Retry_Count 0x0032 100 100 000 Old_age Always - 0
11 Calibration_Retry_Count 0x0032 100 100 000 Old_age Always - 0
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 371
192 Power-Off_Retract_Count 0x0032 200 200 000 Old_age Always - 363
193 Load_Cycle_Count 0x0032 001 001 000 Old_age Always - 1932037
194 Temperature_Celsius 0x0022 118 076 000 Old_age Always - 29
196 Reallocated_Event_Count 0x0032 001 001 000 Old_age Always - 463
197 Current_Pending_Sector 0x0032 199 193 000 Old_age Always - 323
198 Offline_Uncorrectable 0x0030 199 190 000 Old_age Offline - 186
199 UDMA_CRC_Error_Count 0x0032 200 200 000 Old_age Always - 0
200 Multi_Zone_Error_Rate 0x0008 003 001 000 Old_age Offline - 39455

SMART Error Log Version: 1
No Errors Logged

SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Short offline Completed: read failure 90% 24914 789707146
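An added example, not part of the original post: a Python triage of the attribute table above that separates cabling symptoms (UDMA CRC errors, the loose-cable case) from media failure (reallocated/pending/uncorrectable sectors) and from IntelliPark wear (load cycles per power-on hour). The input is the page’s own smartctl rows, trimmed and single-spaced; the per-hour wear threshold is my own assumption.

```python
import re

# Constructed input: the relevant rows of the smartctl output above, single-spaced.
SMART_OUTPUT = """\
SMART overall-health self-assessment test result: FAILED!
5 Reallocated_Sector_Ct 0x0033 119 119 140 Pre-fail Always FAILING_NOW 648
9 Power_On_Hours 0x0032 041 041 000 Old_age Always - 43079
193 Load_Cycle_Count 0x0032 001 001 000 Old_age Always - 1932037
196 Reallocated_Event_Count 0x0032 001 001 000 Old_age Always - 463
197 Current_Pending_Sector 0x0032 199 193 000 Old_age Always - 323
198 Offline_Uncorrectable 0x0030 199 190 000 Old_age Offline - 186
199 UDMA_CRC_Error_Count 0x0032 200 200 000 Old_age Always - 0
"""

# ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
ATTR_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]{4}\s+(\d+)\s+(\d+)\s+(\d+)"
                     r"\s+\S+\s+\S+\s+(\S+)\s+(\d+)")
# Assumed wear threshold: more than 10 head parks per power-on hour means
# IntelliPark is firing far too often (the drive above is at about 45/hour).
LOAD_CYCLES_PER_HOUR = 10

def parse_attributes(text):
    """Map attribute name -> normalised value, threshold, WHEN_FAILED flag and raw value."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            _id, name, value, _worst, thresh, failed, raw = m.groups()
            # WordPress turns "-" into an en dash when pasted, so accept both
            attrs[name] = {"value": int(value), "thresh": int(thresh),
                           "failed": failed not in ("-", "\u2013"), "raw": int(raw)}
    return attrs

def triage(text):
    """Return findings that separate cabling, media and head-parking problems."""
    a = parse_attributes(text)
    def raw(name):
        return a.get(name, {}).get("raw", 0)
    findings = []
    if raw("UDMA_CRC_Error_Count"):
        findings.append("cable: UDMA CRC errors are a link problem, reseat or replace the SATA cable")
    media = raw("Reallocated_Sector_Ct") + raw("Current_Pending_Sector") + raw("Offline_Uncorrectable")
    if media:
        findings.append(f"media: {media} reallocated/pending/uncorrectable sectors, replace the drive")
    for name, v in a.items():
        if v["failed"] or (v["thresh"] and v["value"] <= v["thresh"]):
            findings.append(f"threshold: {name} value {v['value']} at or below thresh {v['thresh']}")
    lcc, hours = raw("Load_Cycle_Count"), raw("Power_On_Hours")
    if hours and lcc / hours > LOAD_CYCLES_PER_HOUR:
        findings.append(f"wear: {lcc} load cycles in {hours} h ({lcc / hours:.0f}/h), disable or raise the IntelliPark timeout")
    return findings
```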

Here is a good post on another forum about the issue (which also seems to hit some of the new RED drives);


I have disabled IntelliPark on the rest of my Green drives (since they are close to 5 years old and probably near failure). I have some new Red drives on which I have increased the timeout to 300 seconds (most come with a 300 sec timeout, but older firmware is at 8 seconds). From what I’ve been reading there is no physical difference between WD Red and Green drives, only the firmware differs. So if you are going to put some Green drives into a NAS / RAID or server environment ensure you run wdidle3 and either disable IntelliPark or change its timeout to 300 seconds (then it’s pretty close to a Red drive).

To check current status

wdidle3 /r

To disable IntelliPark

wdidle3 /d

To set the timeout to 300 seconds (the maximum)

wdidle3 /s300

SQL Server Setup – Error code 0x84B30002

SQL Server Setup has encountered the following error:
No feature were uninstalled during the setup execution. The requested features may not be installed. Please review the summary.txt logs for further details.
Error code 0x84B30002.

The steps below may help with the uninstall. Before following this procedure please make sure you are comfortable editing the registry.

1. Open Registry Editor
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
3. Browse the IDs one by one and identify the GUIDs for SQL Server 2008
4. Run the below command for all SQL Server 2008 Guids one by one

msiexec /x "GUID"

SQL Express – Backup Plan

SQL Express doesn’t have the luxury of SQL maintenance plans, but you can still write a SQL script to dump a database to a particular location and run it via Task Scheduler on a daily basis.

Create the SQL query and save it to a particular location… (NightlyBackup.sql)


DECLARE @pathName NVARCHAR(512)
-- Build a dated file name, e.g. D:\SQL Backup\database_20141030.bak (style 112 = yyyymmdd)
SET @pathName = 'D:\SQL Backup\database_' + CONVERT(varchar(8), GETDATE(), 112) + '.bak'
-- Replace YourDatabase with the database to dump; WITH INIT overwrites a same-day file
BACKUP DATABASE [YourDatabase] TO DISK = @pathName WITH INIT


Create a cmd / bat file and save it to a similar location to the above… (Backup DB to disk.cmd)

REM Run from the folder holding NightlyBackup.sql (set the task's "Start in" folder) or give -i a full path.
REM -U/-P leave the SQL login password in clear text in this file; -E (Windows authentication)
REM avoids that if the scheduled task runs as an account with backup rights.
sqlcmd -S servername\INSTANCENAME -U sqluser -P sqluserpassword -i "NightlyBackup.sql"

REM Delete .bak files older than 2 days (/d -2) from the folder NightlyBackup.sql writes to; use /d -7 to keep a week.
forfiles /p "D:\SQL Backup" /m *.bak /s /d -2 /c "cmd /c del @file"

Create a Windows Task Scheduler event to run the above at 5:30pm every day.

nginx – and gzip

I only have VDSL at home and host my website via it… the following graphs show when nginx started serving faster than the VDSL connection could handle (which is about 9 Mbit/s).

nginx with cache enabled, gzip enabled and set to 6


nginx with cache enabled, gzip enabled and set to 9 (maximum)


nginx with cache disabled, gzip enabled and set to 9 (maximum)



setup vmware environment

One of the scripts I use to standardise our VMware host deployments;

# Author : Darren T
# v1 : Setup vCenter parameters
# Usage ;
# Please manually connect to vCenter first with "Connect-VIServer" -- this keeps usernames and passwords out of the script.
# Modify the variables below before running.
# ------------------- VARIABLES -------------------------
# Database Retention Policy (days of task and event history to keep)
$Days_Retention = "30"
# Set SMTP Server & Sender Account
$SMTP_Server = ""
$Sender_Account = "administrator@company.co.nz"
# ------------------- CODE ONLY BELOW -------------------
# $defaultVIServer is set by Connect-VIServer; stop early if there is no session
if (-not $defaultVIServer) { throw "Not connected to vCenter - run Connect-VIServer first." }
# Database Retention Policy -- Enable limits
# To list the current values: Get-AdvancedSetting -Entity $defaultVIServer | where {$_.Name -match "^task.|^event."}
Write-Host "Setting Database Retention... " -NoNewLine
Get-AdvancedSetting -Entity $defaultVIServer -Name "event.maxAge" | Set-AdvancedSetting -Value $Days_Retention -Confirm:$false | Out-Null
Get-AdvancedSetting -Entity $defaultVIServer -Name "event.maxAgeEnabled" | Set-AdvancedSetting -Value $true -Confirm:$false | Out-Null
Get-AdvancedSetting -Entity $defaultVIServer -Name "task.maxAge" | Set-AdvancedSetting -Value $Days_Retention -Confirm:$false | Out-Null
Get-AdvancedSetting -Entity $defaultVIServer -Name "task.maxAgeEnabled" | Set-AdvancedSetting -Value $true -Confirm:$false | Out-Null
Write-Host "done"
# Set SMTP Server & Sender Account
Write-Host "Setting SMTP Server & Sender Account... " -NoNewLine
Get-AdvancedSetting -Entity $defaultVIServer -Name "mail.smtp.server" | Set-AdvancedSetting -Value $SMTP_Server -Confirm:$false | Out-Null
Get-AdvancedSetting -Entity $defaultVIServer -Name "mail.sender" | Set-AdvancedSetting -Value $Sender_Account -Confirm:$false | Out-Null
Write-Host "done"

nginx – setup as reverse proxy


Previously, to take down this WordPress site all you needed to do was hold down F5 for about 20 seconds; the site would then take about 5 minutes to recover.

There were a few factors causing this and quite a few different methods of solving the problem. WordPress itself runs on PHP / Apache, and Apache has mod_evasive, which can block certain IPs depending on the defined abusive behaviour (a typical DDoS attack). Since I like to run a few websites behind a single IP I looked at fixing the issue closer to the perimeter….

Enter nginx (engine x) as a reverse proxy: the site now typically caches all content and serves it straight out of memory. No longer does MySQL / Apache kill itself under high load on the backend…


You will need to create the nginx cache directories (/var/www/nginx_cache and /var/www/nginx_temp below) if they don’t already exist. Check /var/log/nginx/error.log (the Ubuntu default) if there are any issues starting the service.

sudo aptitude install nginx
sudo service nginx start

The following added to http {}
(located in /etc/nginx/nginx.conf)

log_format cache '***$time_local '
    '$remote_addr '
    '$upstream_cache_status '
    'Cache-Control: $upstream_http_cache_control '
    'Expires: $upstream_http_expires '
    '"$request" ($status) ';
access_log /var/log/nginx/access.log cache;
error_log /var/log/nginx/error.log;
server_names_hash_bucket_size 64;
# keys_zone names the shared-memory zone that "proxy_cache one;" in the
# location block refers to; without it nginx refuses to start
proxy_cache_path /var/www/nginx_cache levels=1:2 keys_zone=one:10m
    max_size=1g inactive=30m;
proxy_temp_path /var/www/nginx_temp;

the following added to location / {}
(located in /etc/nginx/sites-enabled/default)

# "sigtar" must be declared as an upstream {} block in http {} that lists the
# apache backend, e.g. upstream sigtar { server 127.0.0.1:8080; } (address is an example)
proxy_pass http://sigtar;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering on;
proxy_buffer_size 16k;
proxy_buffers 32 16k;
# "one" is the keys_zone declared by proxy_cache_path in http {}
proxy_cache one;
proxy_cache_valid 200 302 304 10m;
proxy_cache_valid 301 1h;
proxy_cache_valid any 1m;
client_body_buffer_size 128k;
proxy_busy_buffers_size 64k;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# The cache is shared between all visitors: nginx skips caching responses that
# carry Set-Cookie by default, but logged-in WordPress sessions still need a
# bypass rule so they are not handed the anonymous cached copy of a page
proxy_pass_header Set-Cookie;

Note if you have problems with wordpress redirect issues… check this post;


Also confirm you have this line in http {}

server_names_hash_bucket_size 64;
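An added example, not from the original post: a Python parser for the custom cache log_format above that reports the cache hit ratio, which requests still reached Apache, and the busiest client addresses, so the effect of a reload storm like the F5 test can be read straight off access.log. The log lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Matches the "cache" log_format defined above:
# ***$time_local $remote_addr $upstream_cache_status Cache-Control: ... Expires: ... "$request" ($status)
LINE_RE = re.compile(
    r'^\*\*\*(?P<time>\S+ \S+) (?P<ip>\S+) (?P<cache>\S+) '
    r'Cache-Control: (?P<cc>.*?) Expires: (?P<expires>.*?) '
    r'"(?P<request>[^"]*)" \((?P<status>\d{3})\) ?$')

# Constructed sample (documentation addresses): one client reloading the front
# page over and over, a second client browsing and then logging in.
SAMPLE_LOG = """\
***30/Oct/2014:18:48:41 +1300 203.0.113.5 MISS Cache-Control: - Expires: - "GET / HTTP/1.1" (200)
***30/Oct/2014:18:48:42 +1300 203.0.113.5 HIT Cache-Control: - Expires: - "GET / HTTP/1.1" (200)
***30/Oct/2014:18:48:42 +1300 203.0.113.5 HIT Cache-Control: - Expires: - "GET / HTTP/1.1" (200)
***30/Oct/2014:18:48:43 +1300 203.0.113.5 HIT Cache-Control: - Expires: - "GET / HTTP/1.1" (200)
***30/Oct/2014:18:48:43 +1300 203.0.113.5 HIT Cache-Control: - Expires: - "GET / HTTP/1.1" (200)
***30/Oct/2014:18:48:44 +1300 203.0.113.5 HIT Cache-Control: - Expires: - "GET / HTTP/1.1" (200)
***30/Oct/2014:18:48:50 +1300 198.51.100.7 HIT Cache-Control: - Expires: - "GET /about/ HTTP/1.1" (200)
***30/Oct/2014:18:48:55 +1300 198.51.100.7 MISS Cache-Control: no-cache, must-revalidate, max-age=0 Expires: Wed, 11 Jan 1984 05:00:00 GMT "GET /wp-login.php HTTP/1.1" (200)
this line is not in the cache format and is counted as unparsed
"""

# Statuses that mean nginx had to fetch the response from the backend
UPSTREAM = {"MISS", "EXPIRED", "BYPASS", "REVALIDATED"}

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarise(log_text, top=3):
    """Cache effectiveness, backend load and busiest clients for a log excerpt."""
    entries, unparsed = [], 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            entries.append(entry)
        elif line.strip():
            unparsed += 1
    by_status = Counter(e["cache"] for e in entries)
    return {
        "requests": len(entries),
        "unparsed": unparsed,
        "by_status": dict(by_status),
        "hit_ratio": by_status["HIT"] / len(entries) if entries else 0.0,
        # what a reload storm actually costs apache/mysql behind the proxy
        "backend_requests": [(e["ip"], e["request"]) for e in entries if e["cache"] in UPSTREAM],
        "top_clients": Counter(e["ip"] for e in entries).most_common(top),
    }
```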

Very basic load test; user load time is reasonably consistent as the user count increases.

load test

activate windows from command line – slmgr

Temporarily extend evaluation period (limited execution – see output below)…

C:\Windows\System32>cscript slmgr.vbs /rearm

C:\Windows\System32>shutdown -r -t 1

Show detailed license information…

C:\Windows\System32>cscript slmgr.vbs /dlv

License Status: Initial grace period
Time remaining: 43200 minute(s) (30 day(s))
Remaining Windows rearm count: 0

Activate windows…

C:\Windows\System32>cscript slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

C:\Windows\System32>cscript slmgr.vbs /ato

This will require access to the internet – most of the time the issues are either time sync or connectivity to the internet.

http://support.microsoft.com/kb/921471 Windows activation fails and may generate error code 0x8004FE33

To do this, configure the following list of CRLs to be unauthenticated on the proxy server: