Blog

Swapping out a UCG-Max for a UDM Base

I’ve had a Ubiquiti UniFi Dream Machine for almost five years powering an NBN Fibre Gigabit service. Knowing that the probability of electronics that run 24/7 going bang goes up every year, it was time to swap it out for something more current and keep the UDM as a backup router/gateway.

Ubiquiti has released a lot of new equipment this year, and one that ticks a lot of boxes and has received good reviews is the UniFi Cloud Gateway Max, aka UCG-Max. This is essentially an upgraded UDM without a built-in Wi-Fi access point. The UCG runs not only the Network app that delivers the routing, VLANs and firewall, but several other applications in the Ubiquiti universe, like Protect, which is used to manage cameras. The other main feature is that it has 2.5Gbps ports and can route traffic at 1.5Gbps with the packet-inspection firewall turned on.

Migrating from the UDM to the UCG is incredibly straightforward: back up the system and restore the backup to the new device, then unplug the UDM and replace it with the UCG. The following video shows how it’s done.

The book that inspired me to love design

When Apple created the Macintosh, Steve Jobs also created the LaserWriter. It was Steve’s interest in “typography, graphic layout, and font design” that led to the Apple LaserWriter and the birth of what was then known as desktop publishing. Consumers had, for the first time, access to beautiful proportionally spaced type and fonts without having to go to a specialist offset printer. Apple made a little booklet called The Basic Elements of Design, and it’s a wonderful introduction to typography, page layout and text-based graphic design. To this day, it’s the book that inspired me to love text-based design. While the booklet is out of print, you can download a PDF of it here.

Use Cloudflare to Block Brute Force Login Attacks


The excellent Limit Login Attempts wordpress plugin will detect failed logins and put up its armoury of defences. Nothing showed its usefulness than seeing the number of attempts it detected. However, the plugin still requires WordPress to handle the failed attempt and only login attempts via http and https are handled. XML-RPC attacks and Bot-related attacks need another solution.

For my setup, I only need admin login to WordPress from one IP address. This is where Cloudflare’s content distribution network and its Web Application Firewall can provide excellent protection.

The WAF is extremely easy to set up: all you need to do is add the IP addresses you want to allow to a rule that blocks access from every address except the ones you have specified (see screenshot).

This will block not only brute force login attempts but also XML-RPC and related attacks from even reaching the WordPress server.
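As an added example (not the rule from the post), here is the allowlist rule written out in Cloudflare’s WAF expression language, together with a small Python mirror of its logic run over constructed sample requests so you can see which traffic it stops before it reaches WordPress. The allowlisted addresses and the sample client IPs are placeholders.

```python
import ipaddress

# Constructed placeholder allowlist: replace with the address(es) you administer from.
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/24")]

# The same allowlist as a Cloudflare WAF custom rule (action: Block). ip.src is the
# client address as seen by Cloudflare, so a forged X-Forwarded-For header does not
# influence it. /wp-admin/ could be added as well, but admin-ajax.php lives there and
# is often called by public-facing themes, so it is deliberately left out here.
CLOUDFLARE_RULE = (
    '(http.request.uri.path contains "/wp-login.php" '
    'or http.request.uri.path contains "/xmlrpc.php") '
    'and not ip.src in {203.0.113.10 198.51.100.0/24}'
)

PROTECTED_PATHS = ("/wp-login.php", "/xmlrpc.php")


def is_blocked(path: str, client_ip: str) -> bool:
    """Mirror of CLOUDFLARE_RULE: block the login and XML-RPC endpoints unless the
    client address is in ADMIN_ALLOWLIST. Any other path is untouched by this rule."""
    if not any(p in path for p in PROTECTED_PATHS):
        return False
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in net for net in ADMIN_ALLOWLIST)


def evaluate(requests):
    """Return {(path, client_ip): blocked} for a batch of (path, client_ip) pairs."""
    return {(path, ip): is_blocked(path, ip) for path, ip in requests}


# Constructed sample traffic: the admin from the allowlisted address, a brute-force
# bot hitting wp-login.php, an XML-RPC probe, and an ordinary visitor reading a post.
SAMPLE_REQUESTS = [
    ("/wp-login.php", "203.0.113.10"),
    ("/wp-login.php", "192.0.2.77"),
    ("/xmlrpc.php", "192.0.2.78"),
    ("/2024/05/some-post/", "192.0.2.79"),
]

if __name__ == "__main__":
    for (path, ip), blocked in evaluate(SAMPLE_REQUESTS).items():
        print(f"{'BLOCK' if blocked else 'allow':5} {ip:>14} {path}")
```

The rule only protects traffic that actually passes through Cloudflare, so the origin server should accept connections solely from Cloudflare’s published IP ranges; traffic that reaches the origin address directly never sees the WAF.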

Lightroom Tip: Review and Select Photos in Library and NOT Develop mode

I’ve been using Lightroom from the very first version and I’ve only just realised I’ve been reviewing and selecting my images in the wrong mode. Like many, I thought that if I created Standard and 1:1 Previews it would speed up Lightroom when scrolling from image to image. But LR was still excruciatingly slow in some situations, e.g. when an image has lots of complex adjustments, scrolling from or to that image would bog LR down to a crawl, especially if there was a sequence of images with heavy adjustments.

It turns out that for simply scrolling and selecting images, you should make sure you’re in the Library module and NOT the Develop module. In Library, LR uses the image’s standard preview and scrolling is lightning fast. You can make sure you’re in that mode with the keyboard shortcut “E”. It’s an extra keystroke, but the difference is night and day. So after editing an image in the Develop module, hit the E key before scrolling to the next image if all you want to do is review.

Fix for iOS and iPadOS apps bypassing AdGuard Home using DoH

When Apple allowed apps to specify their own encrypted DNS server, it gave apps a convenient way to avoid ad-blocking DNS servers. I got tired of the Gmail app on iOS and iPadOS bypassing my AdGuard Home DNS server, just as it can bypass similar blocking services like Pi-hole. Another example is Safari on iPadOS and iOS in Private Browsing mode, which bypasses your DNS servers and uses an Apple-specified DNS over HTTPS server. If you use a standard (i.e. unencrypted) DNS server, it will be bypassed.

It turns out it’s relatively easy to stop this from happening.

You need to specify a DNS over HTTPS (DoH) server via a configuration profile, as this overrides any DoH server an app has configured for itself. Since AdGuard Home can serve as a DoH server, all you have to do is turn on this feature and install a configuration profile that points to it.

The steps are:

  1. Turn on Encryption settings in AdGuard Home (see screenshot above)
  2. Use your preferred method of getting an SSL/TLS certificate for your AdGuard Home server. Let’s Encrypt is the most common method
  3. You’ll probably want to add a rewrite rule to point the name of your DoH server to an internal IP address
  4. Download iMazing, the excellent and free Configuration Profile tool
  5. Make a profile with a DNS Settings payload (see screenshot below)
  6. Save and install the profile on your i-Device

No more AdGuard bypass by apps!
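For anyone who prefers to generate the profile from step 5 rather than click it together in iMazing, here is an added example (not from the original post) that builds the .mobileconfig with Python’s standard plistlib. The host name and internal address are constructed placeholders: use the name on your AdGuard Home certificate and the internal IP your rewrite rule from step 3 maps it to.

```python
import plistlib
import uuid

# Constructed placeholders: the DoH host name on your certificate and the internal
# address your AdGuard Home rewrite rule resolves it to.
DOH_HOST = "adguard.home.example"
DOH_ADDRESSES = ["192.168.1.2"]


def build_doh_profile(host: str, addresses: list, display_name: str = "AdGuard Home DoH") -> bytes:
    """Build an Apple configuration profile (.mobileconfig) whose DNS Settings
    payload forces all DNS over HTTPS to AdGuard Home, which serves DoH at
    /dns-query. Returns the XML plist bytes ready to save and install."""
    dns_payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{host}.dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "DNSSettings": {
            "DNSProtocol": "HTTPS",
            "ServerURL": f"https://{host}/dns-query",
            # Listing the resolver's IP lets the device reach the DoH server without
            # first having to resolve its name through some other DNS server.
            "ServerAddresses": list(addresses),
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{host}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [dns_payload],
    }
    return plistlib.dumps(profile)


def doh_settings(profile_bytes: bytes) -> dict:
    """Parse a profile back and return its DNSSettings dict, handy for checking a
    file before installing it on the device."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] == "com.apple.dnsSettings.managed":
            return payload["DNSSettings"]
    raise ValueError("no DNS Settings payload found")


if __name__ == "__main__":
    with open("adguard-doh.mobileconfig", "wb") as f:
        f.write(build_doh_profile(DOH_HOST, DOH_ADDRESSES))
```

The resulting file can be AirDropped or emailed to the device and installed from Settings like any other profile.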