John Galea's Blog

My blog on Gadgets and the like

Ryze DJI Tello drone review

DO NOT BUY THIS DRONE without reading this review, and DO NOT BUY A DRONE FROM HENRY’S. Ok now we have that out of the way we can get on with the review, assuming you're bothering to continue reading 🙂 It absolutely shocks me how bad this drone is. I watched and read a lot of reviews before bellying up with the cash, and not one of them pointed out some of the significant and obvious issues/limitations/design flaws with this drone. I have to wonder if these other reviewers are on the take … Of course the only person upset about corruption is the one that got left out 🙂

Oh and while we are at it, I bought it from Henry’s fully aware that they have NO RETURNs. I thought, it’s a DJI, how bad could it be? Man was I wrong …

So to level set, the drones I have played with to date are a Syma X5WSW, a Syma X5HW, a Syma X8, and a Cellstar CX10D nano drone. All of these are at best toys, so you would think my expectations are not set all that high … In the box there’s the copter, one spare set of props, a tool to remove the props, a teeny tiny print manual in the oddest size ever (fortunately you can download the manual and read it on a reasonable screen) and that’s it. The copter charges the battery by a micro USB cable, but does not include one. The battery can only be charged in the copter. Now if you're an iPhone person and don’t have any micro USB cables … Oddly the first little pigtail cable I tried wouldn’t charge it, and the unit kept turning on. After a couple of hours I figured nothing was happening so I changed to a different cable/charger, and lo and behold it started charging. There is no way to tell how charged the battery is in progress other than to unplug it, turn it on, connect to it, start the app and look at the teeny tiny battery icon inside the app … The drone draws just shy of 1A, so be sure to use a charger that can deliver enough current to charge it.

Speaking of connecting, I got a little ahead of myself: you download an app called Tello from the Apple or Android store, and you can not operate this copter without an Android or iOS phone/tablet. This should be obvious but it’s worth stating … The copter, once turned on, sets up a WIFI hotspot which you connect to. Then start the app. If you leave it on default there’s no password for the WIFI (so anyone in range can join it) and iOS will not automatically connect to it. Fortunately you can add a password and make connecting to the Tello a little easier. If you don’t connect after a couple of minutes and start flying, the drone powers off and you're starting the process again. A nice, and not nice, feature. I tried both the iOS and Android versions of the app and didn’t notice any differences, good or bad.

Once installed, connected, and charged you're ready to go. And I then bumped into the first major limitation. It is absolutely IMPOSSIBLE to fly this at night. They stupidly did not include any lights on the copter. WTF? Are you for real? They warn you in the app when the lighting is low, so I guess there is that.

Without lights, or even a piece of colored tape (which will be something I add) it is super hard to identify your orientation with the copter, whether in light or dark lighting. And without orientation flying this thing is REALLY challenging. Of all the flaws with this copter this is by far the biggest omission.

And now comes my next big gripe … the people working at Ryze must have the best optical coverage on the planet because absolutely everything from the would be useful telemetry data (speed/height), to the battery charge level, to the messages, to the super small print in the manual are all so damn small as to be difficult to see/read even with my glasses.

Now inside the app you can change all kinds of settings, from turning on VR support for use with Google (a nice add but with the lag over WIFI completely impractical), to changing the quality level of the photos etc. And every single one of them changes back to defaults the next time you're in the app. You're kidding me? I had read this in one of the reviews, but just assumed they would have got around to fixing this glaring error … NOPE. Sigh … Not that this is a big deal, but there is no app for the Apple Watch for the Tello.

The video is sent back to the phone rather than being recorded on the drone. There is no micro SD card slot. This results in choppy video and is laggy when you're trying to fly the drone by watching the screen. In fact, fly the drone by watching the screen and you're likely to end up crashing the drone even more frequently. The video on this is so bad that, for me, it’s useless. Now admittedly, I knew this. Here’s a sample video to show you just how bad it is. Look at the jumpiness even given this super low motion, gentle video.

The lens is not movable, not from the drone, not from the app, Nada, totally fixed. So getting your picture or video properly framed is challenging. Why they didn’t allow you to at least manually move it is beyond me.

Pictures and videos are stored in the Tello app. From the app you can then save them to the normal iPhone photos/videos. From there you can finally share them, email them etc. It’s clumsy to say the least. Why they didn’t add a share from the Tello app like everyone else is beyond me. And once you’ve got them over into your default photos/videos, you now have to delete them in two places when you're done. And Android was the same by the way …

This drone is by default controlled by onscreen joysticks. These are not the easiest to use without looking at them; in fact I would go so far as to say clumsy. You can buy an optional bluetooth controller and that may help. With this the controller talks to the Tello app which in turn relays the commands to the drone. This may help some in flying the drone, but you are out another $40. Sheesh. The one everyone seems to recommend, even Ryze, is the GameSir T1D. They have not added gyro like controls that would allow you to tilt the phone to control the drone. And they have not added any kind of vibrate to tell you when your fingers have drifted off the controls. So in the end I gave in and bought the controller. In for a penny … So the controller actually works quite well, and is solidly built. It has a rechargeable battery. Technically the GameSir is NOT iOS certified but the Tello app sees the remote and you can enable it within the settings. Once enabled the onscreen joysticks disappear but the menus for doing tricks, setting up stuff and the like all stay, which is perfect. Once the remote is working the lag between the phone and the Tello is noticeable and you need to take it into account when trying to maneuver. Don’t bother trying to pair the remote; an iPhone will ignore it. In Android however the GameSir is paired/connected normally. Having to buy the GameSir is at best a bandaid on a problem, the problem being Ryze should have included a remote, even if it was a super cheap one like the one with the nano drone I mentioned above.

Flight time is rated at 13 mins (which is about what I get), and it took 1.5 hrs to recharge it from dead. It drew a steady just under 1A for the whole time. You can buy spare batteries relatively inexpensively, but if you do, be sure and buy an external charger for them, because otherwise they can ONLY be charged in the drone. You can not turn the drone on while it’s plugged in.

Ok so I have been pointing out some of the bad things about the drone. Now let’s talk about some of the good. This is by far one of the best hovering drones out there. Its optical sensors on the bottom really do an incredible job of hovering in place. Because of this, it’s one of the best indoor drones I’ve flown so far (minus the usability of the onscreen controls). And the camera is actually quite good and turns out some reasonable pictures, if you can manage to frame what you want as I mentioned above. The pictures are 2592×1936 and were about 1.2M in high quality and about 661K in low, or about half. Sadly the default pic is low quality (and the app ALWAYS defaults back to low each and every time).

This drone does auto take off, toss to launch, palm land and auto land, all of which work VERY well.

In it’s bag of tricks the drone can do a 360 circle about itself, as well as a circle 7 ft in front of it (not configurable), and an up and away all the while automatically starting a video while doing the maneuver (assuming you can live with the jerkyness).

The drone can do flips in 8 directions, but cuts this feature off as soon as the battery is below 50%, so if you wanna do flips, do them early or be disappointed. None of the other drones I have played with had this level of restriction.

Once the battery hits a critical low level the drone does an auto land. It will also do an auto land should WIFI get out of range.

It’s worth mentioning you do get warned as WIFI signal strength is getting low (i.e. the drone is too far from you or there are strong WIFI signals near). In fact I actually had this happen when the drone was not all that far from me, like across the street. I guess just too many WIFI signals near my home. I’ve noticed a lot of people on vlogs discussing using a WIFI range extender like the Anbee Tellow WIFI extender to get better coverage. In all honesty, given how difficult it is to fly this when you can’t see it, I’m not sure how useful this is. And reports seem to say it still does nothing to improve the jerky video, but admittedly I have not tried it.

The drone has two speeds of control the default is slow, which is useful indoors and in low wind, and fast (which is changed in the settings screen) which would be better outdoors or in the wind.

Speaking of wind, I had it out in conditions no previous drone could have flown in, and in spite of complaining it handled exceptionally well and even still held its position exceptionally well. By the way, it looks like height is capped at 10M.

There is an API that allows controlling the Tello from a third party app. This results in a super neat programming tool you can use to create a program for the Tello to follow, for example DroneBlocks on iOS.

By the way, one of the reasons I bought this small drone instead of say the DJI Spark is the current laws regarding drones. At time of writing anything above 250g (and don’t be surprised if that changes) has restrictions on when, and where they can be legally flown. At 80g this drone is exempt.


July 20, 2018 | Uncategorized

PiHole ad blocking (mini review)

I’ve had a colleague talk to me about PiHole for a while now … In my Pfsense post I had talked about implementing ad blocking using PfblockerNG, a package for Pfsense. It works, and works pretty well, which is one of the reasons why I was reluctant to check out PiHole. In fact both use the same block list sources, so functionally they do the same job, so why bother? Setting up Pfblocker was challenging, and not simple by any means (not onerous either). Or so I thought.

After some prodding I loaded up PiHole in a bare Ubuntu VM. I gave it 2 cores, 1G of memory and 30G of disk, which was plenty. As a VM I can always bump it up if need be, and since Ubuntu uses a logical volume manager even adding space is pretty simple. Heading over to the PiHole web site you discover installing PiHole takes one command, which fetches the install script and runs it (read the script before you pipe anything into a shell). They have automated the process pretty well. There are a bunch of questions to answer to get the install done, and your machine should be on a static IP, but it was a super smooth install.

Once up, integrating it into my environment was super simple. I went to my DHCP settings and added PiHole as the first DNS server and Pfsense as the second, so if PiHole is down my clients are not. I chose to leave DHCP with Pfsense, and with this setup all of the local names just work. I also updated my incoming VPN settings to add PiHole, which means ad blocking gets extended out to my external devices too, i.e. phones, tablets and the like.

So what are the advantages? Well … First up is some lovely metrics on the PiHole dashboard:

You also get Top clients (ie most active), Top domains, and top blocked domains. From the list on top blocked domains you can very simply and easily add the domain to the white list allowing this domain.

You can also simply and easily add domains to your own whitelist and blacklist:


All in all this is much simpler and cleaner than on PfblockerNG.

You can also add or delete your whitelists:

You can also shutdown PiHole for a period of time if it’s causing issues:

In the extensive logs you can see where each client has been going, so if you want to see what your thermostat, or media player are doing, it’s pretty easy.

And if you happen to hit a domain that is completely blacklisted you get a really nice web page telling you it’s blocked; if you click technical data you can see which list blocked it, and last but not least you can simply and easily whitelist it.

Using DNSBench I was able to test out the performance and it compared fine with Pfsense/PfblockerNG.

I have to say, I am shocked at just how well this is done. So much so I went back and disabled PfblockerNG on Pfsense 🙂

What’s missing?
1) You can only have one password for admin of PiHole, no user IDs, and anyone can browse the main dashboard
2) You can not set up a specific IP or MAC to pass through PiHole
3) You can only block an entire domain, nothing more granular
4) I also don’t see a way to use PiHole to do parental controls. I did find a good article on how to ensure your family are using restricted (non adult) Google, Bing and YouTube.

July 17, 2018 | Uncategorized

Windows server 2016 docker containers quick start

Ok let’s start with what containers are. They are basically a lightweight way to compartmentalize applications. Instead of replicating the whole OS the way VMs do, over and over again, containers share the host's kernel (in the default process isolation mode on Windows Server) and call into it for whatever needs to get done, so they are super light weight. Windows Server 2016 added containers and it’s a simple add of a feature:

Then you install Docker for Windows. There are two editions, Community and Enterprise (CE/EE). At install time for CE you need to choose between running Windows or Linux containers; you can switch any time you like from the Docker icon in the system tray. EE can run both. The way Linux containers work is that inside Hyper-V a VM called MobyLinuxVM is created and the Linux containers then run under that.
Once installed you're ready to get started. There’s a list of all readily available images on Docker Hub.

You can also install a series of PowerShell container commands by running the PowerShell command:
Install-PackageProvider ContainerImage -Force
Then you get PowerShell commands like:
Find-ContainerImage
Install-ContainerImage <ImageName>

So let’s get started with a simple Windows Nano Server container. The simple command:
docker run -it --network=nat microsoft/nanoserver
will get you off to the races. You probably want to use the --name option to give the container a name that makes sense, and you're also probably going to want to use --hostname to give the machine a more memorable name inside the container. Everything is managed through the docker command. Docker for Windows differs from Docker on Linux, so when googling be careful that you're looking at Docker for Windows material. There’s no pretty GUI for docker, so get ready to pretend you're on Unix 🙂 Docker will download (the first time) an image that is then shared by anything Nano based. This gives you a Windows command prompt inside the container.

By the way, this can also be done on Windows 10.

It’s worth noting the docker run command takes an image, creates a container and starts it. If you keep doing docker runs you're going to end up with a bunch of containers lying around. The command below will show you a list of all containers:
docker ps -a
The command below will show the list of all images that have currently been downloaded:
docker image ls
The command below will start a container and connect to it (the -i); the gibberish numbers are the container IDs, which you get from the docker ps -a command:
docker start -i e710b8182d2b
The command below will show you all currently running containers:
docker ps
The command below will connect to a running container:
docker attach 785ceca8c01d
When you exit from the command prompt in Nano Server this shuts down the container. If you attach to the same container more than once, the commands are echoed, i.e. they are not separate sessions.
The command below (run from cmd.exe) removes all containers you may have inadvertently created by running instead of starting:
FOR /f "tokens=*" %i IN ('docker ps -a -q') DO docker rm %i

Ok woohoo, first container. So let’s look at networking. Out of the box Windows creates a NAT network called nat. A NAT network is a private internal network behind the host: containers on it can reach the host and the internet, but nothing outside can reach them unless you publish a port. Addresses on it are handed out by Docker itself, DHCP-style. So next up would be to get a container on the real network, not NAT. Bear in mind that a container on a transparent network is directly reachable by everything on that segment, so it needs hardening like any other host there. This article tells you all about the different kinds of networks available to containers. This YouTube video I found helpful to fix an issue with my docker network stack. I wanted a transparent network, so I created a new network inside docker that containers can then use. The command below took care of this for me.
docker network create -d transparent TNET
Magically, transparent networks were also created on each of my adapters, which as luck would have it is what I wanted. Once the network is created you can now start a new container on that network using the command below, where WAN is the name of my transparent network on the WAN side:
docker run -it --network=WAN microsoft/nanoserver
We are getting closer to being useful. I had some issues with the MAC address changing each time I started the container, meaning the IP kept changing. So I used the command below to fix this. I found a MAC I could use by noting one it had created before (using ipconfig /all) and then kept it. With a fixed MAC the container gets the same lease from DHCP on your network each time.
docker run -it --network=WAN --mac-address=enteramacaddresshere microsoft/nanoserver

So in all, with all my learning, the command becomes:
docker run -it --network=WAN --hostname=iis-nano-wan --name=iis-nano-wan --mac-address=addyourmacaddress nanoserver/iis
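Rather than copy a MAC that Docker generated on an earlier run, you can derive one from the container name. The snippet below is an added example, not Docker's code or anything from this post: it hashes the name into six bytes and forces the result into the locally administered, unicast range, so the address is the same on every restart and can never land inside a vendor's OUI space. The `docker-mac:` prefix and the argument assembly at the end are my own assumptions.

```python
import hashlib

# Added example, not Docker's or the post's code.  The prefix is an assumption
# so that other tools hashing the same word don't produce the same bytes.
NAMESPACE = "docker-mac:"


def container_mac(name: str) -> str:
    """Derive a stable, locally administered unicast MAC from a container name.

    Same name in, same MAC out, so the DHCP server (pfSense in these posts)
    keeps handing the container the same lease across restarts.  The first
    octet is adjusted so the address is unicast (bit 0 clear) and locally
    administered (bit 1 set), i.e. never inside a vendor's OUI range.
    """
    if not name:
        raise ValueError("container name must not be empty")
    digest = hashlib.sha256((NAMESPACE + name).encode("utf-8")).digest()[:6]
    first = (digest[0] & 0xFE) | 0x02
    return ":".join(f"{b:02x}" for b in (first,) + tuple(digest[1:]))


def is_locally_administered_unicast(mac: str) -> bool:
    """Check the two bits that make a MAC safe to assign yourself."""
    first = int(mac.split(":")[0], 16)
    return (first & 0x01) == 0 and (first & 0x02) == 0x02


def run_args(name: str, network: str, image: str) -> list:
    """Assemble the docker run arguments the post builds up, with the derived MAC."""
    return ["docker", "run", "-it", f"--network={network}", f"--hostname={name}",
            f"--name={name}", f"--mac-address={container_mac(name)}", image]


if __name__ == "__main__":
    print(" ".join(run_args("iis-nano-wan", "WAN", "nanoserver/iis")))
```

Run it once to get the command line, and put the same MAC into the pfSense static DHCP mapping for the container so the firewall rules that key on that address keep working.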

To copy files from the host to the container you can use:
docker cp wwwroot.zip iis-nano-wan:c:\wwwroot.zip

Once in the container you can use the Expand-Archive PowerShell command to extract it!

On Windows you can run Windows containers or Linux containers, but with CE not both at the same time; the Docker tray icon switches between the two modes, as mentioned above.

Lots more to learn but this is a good quick start.

June 14, 2018 | Uncategorized

Using a DSLR camera in a Kayak

Rather than do the same post twice, I thought I’d put a link to my blog post about Using a DSLR camera in a kayak.

June 12, 2018 | Uncategorized

Workoutdoors app mini review

I recently discovered a new app for my Apple Watch Series 1, WorkOutDoors. This app brings full vector maps to exercise tracking. You can pan and zoom around the map as well as see breadcrumbs of where you’ve been during the exercise.

At the end of the exercise you get a terrific summary of the workout. In my case it was a hike and I got a summary of distance, number of steps, heart rate etc. Even apps like Strava don’t give you a map like this! The app on a Series 1 (which does not have a GPS) uses the GPS on the phone. Quite impressive.

Comparing the distance with another exercise app called RunGPS, it is 8.3 vs 8.13 km, within 2% of each other, which is quite good. Here is the RunGPS track of the same exercise.

Once complete you can export the exercise as a GPX, that can be then imported into Garmin connect or Strava. I tried Garmin and it came through ok, but the walk got interpreted as uncategorized. Here’s the workout on Garmin connect.

When Garmin in turn linked in with Strava it came over as a ride.

Imported directly into Strava the app gives you the opportunity to change it from a ride.

All in all the app works well, but the exciting thing about this app is what is coming. I spoke with the author of the app and he tells me he is adding waypoint and navigation support. This would be game changing and it would be the only app on an Apple watch capable of that. He also said direct export to something like Strava is also on the todo list.

May 3, 2018 | Uncategorized

PFSense open source Firewall

Ok, I will warn you straight off, this is going to be a tekkie post, sure to bore many. But if you're one of the few that eats bits for breakfast … enjoy! I have to admit, even as an IT guy with pretty good network knowledge this project challenged me.

Routers sit out there on the internet, exposed. The result is that they get hacked. Manufacturers stop updating firmware and plugging vulnerabilities because in the end there is no motivation for them to spend the effort/$$s; instead they want you to buy a new router every so many years, and the cycle goes on. And the firewall on routers is not always impervious … If you don’t believe this, after you’ve set up Pfsense see how many probes get through your existing router!

This product attempts to fix this issue by putting another layer between your precious laptops, phones, gadgets etc and your likely leaking router. Or so the story goes. Frankly when a colleague of mine, Jeff, started talking about this topic I had to admit the fascination of it was eluding me, all the while he was enthusiastic and embracing of Pfsense. Now given I think Jeff is a bright fellow, I decided to dive in and see what I could see … And frankly, it’s the winter, I’m not snowboarding, my gf is out of town, and I’m bored, so I decided to burn some cycles. And burn some cycles this will … Setting up Pfsense is no small feat. So let’s jump in. We will take this in small steps, enabling functionality as we go. I’ve written, updated and rewritten this article a number of times as I’ve learned more and more. In all I’ve been at this almost a month, but don’t fret, you can start small and add features until you get the functionality set you want.

Introduction

So what is Pfsense you ask? It is a FreeBSD based, open source, extensible, highly configurable firewall. By default it does not have some advanced features (like intrusion detection, anti virus etc), but these can be added through a fairly extensive list of package add ons. Pfsense can run on super small appliances, or it can be loaded on just about any old PC you have lying around. I chose to load it as a Hyper-V VM at first so that it costs me nothing, and I can assign it as much or as little resources as I want to … In the end the hardware resources for this firewall are quite low. I gave it 2G memory, 4 vCPUs and 20G of disk and that was more than enough. In reality you really only need a couple of G of drive space for it to run off. As a VM I can also move around the networking that Pfsense has quickly and easily, allowing me to implement it as I go!

I downloaded an ISO (which stupidly was gzipped) and installed it from there. Installation was quick and painless. Once up you simply tell Pfsense which network has your internet (the WAN) and which has your internal network (the LAN). You will need (and want) two network cards for Pfsense. IPs for these networks are super simple to set up. It’s worth noting that Pfsense becomes your gateway out to the internet, so if it’s down … so’s most of your internal network. I did notice that they have dropped the 32 bit build of Pfsense after 2.3.5; going forward you will need a 64 bit x86 processor. Pfsense could have, but does not, allow you to have the two subnets on the same NIC, which would have been convenient but a compromise from a security point of view. Pfsense can also do DSL PPPoE authentication, allowing you to put your modem in what’s called bridge mode. I’ve not done this, so that I can fall back quickly by turning the Bell modem, a SmartRG SR505, back on at any time and abandoning Pfsense.

Getting started

Step one of getting it up and able to act as a firewall is pretty easy. My router will remain on the perimeter with an IP in the 192.168.1.x range. I chose to set up the LAN as 192.168.2.x. I can slowly migrate clients from the 192.168.1.x exposed side to the 192.168.2.x behind-the-firewall side. Pfsense is set up initially to be pretty lenient and allow pretty much everything outbound. This makes setup and admin much easier. You can choose whether this is how you want to leave it, or start adding rules blocking outbound stuff. I’ve seen other firewalls that take the opposite approach and deny all, but this becomes a headache pretty quickly. If you're going to have anything that is serving in the home (a web server for example) you will need to assign a static IP to the WAN (192.168.1.x) side of Pfsense. If Pfsense is going to be on DHCP duty then the LAN side (192.168.2.x) will also end up with a static IP. By allowing Pfsense to do DHCP (instead of your router) DNS inside your home can be comprehensive, something that never quite worked right on my previous setup.

Configuring inbound NATs (and static IPs)

Next step is setting up your inbound rules. For me I have inbound RDP, as well as a web server. So first off you have to create static IPs (DHCP reservations) for any hosts that are going to serve. This is easily done from Status > DHCP Leases by clicking the + sign to add a static mapping, or you can add them yourself under Services > DHCP Server, down at the bottom. The static IPs are based on the MAC addresses of the network cards. Next you have to go to your router and repoint any incoming rules to the IP address on the WAN side of Pfsense. Within Pfsense you then add a Firewall > NAT entry for each server you want to host. I had some difficulty in that a VPN running on the one host blocked the incoming NAT. This cost a NUMBER of hours to sort out, but in debugging I poked around a lot. I found Canyouseeme very valuable in testing externally inbound ports.

Outbound VPN

Ok now your ready for the next feature … outbound VPN. If you do any form of P2P you want a VPN if for no other reason than to avoid nagging from your provider. I found a great guide for setting up PureVPN for Pfsense. The VPN setup is done using OpenVPN. The setup was not at all straight forward and honestly took a while to get working. The one thing missing in this doc was the compression setting which was LZO Compression Legacy.

Now with this setup ALL traffic will go through the VPN. This isn’t what I want. What I really want is for only the traffic from the one host I run P2P on to go through the VPN. So to take care of that I added an additional interface for the VPN: Interfaces > Assignments, add. This adds something it calls OPT1. Then in System > Routing you now see a gateway for the VPN. Lastly you can now create a firewall rule that matches requests from that host and sends them to the VPN gateway instead of the default gateway.

You can use tools like IP Chicken, or What's My IP Address, to help debug whether you're connected through the VPN or not.

Status > system logs can show you any errors VPN might be having. The status of the VPN connection can be seen at Status > OpenVPN.

The default for the OpenVPN client is to have all communications go out the VPN once set up (as I mentioned above). In the client configuration you can turn this off and then route just the traffic you want through the VPN using rules.

I had one MAJOR issue with the VPN on Pfsense. I want what is called an internet kill switch. Ie if the VPN is down, then I want no traffic outbound outside of the VPN. At this point I’ve been unsuccessful in getting this working. What ought to be simple rules, just don’t seem to be working.
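To see what a kill switch has to do, it helps to walk the rules the way the firewall does. The script below is an added example, not pfSense code: a first-match evaluator over a constructed rule set (pass the P2P host to the VPN gateway, otherwise block that host, pass everyone else) with a constructed gateway name, PUREVPN_GW. It models the two behaviours pfSense documents for a rule whose gateway is down: by default the rule is loaded without its gateway, so the traffic takes the default route; with the System > Advanced option "Skip rules when gateway is down" enabled the rule is omitted entirely, so the block rule underneath it gets its turn.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not pfSense code.  Host, LAN, gateway name and rules are constructed.
P2P_HOST = "192.168.2.50"
LAN = "192.168.2.0/24"
VPN_GW = "PUREVPN_GW"   # assumed name; pfSense names the gateway when you assign the interface


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    source: str                    # source network in CIDR form
    gateway: Optional[str] = None  # policy-route matches via this gateway, else default route


def evaluate(rules, src_ip, gateways_up, skip_rules_when_gw_down=False):
    """First-match evaluation of LAN rules for a new outbound flow from src_ip.

    Returns ("pass", gateway) or ("block", None).  gateways_up is the set of
    gateways that gateway monitoring currently considers up.  A rule whose
    gateway is down is either loaded without its gateway (the default: the
    traffic takes the default route) or, with "Skip rules when gateway is
    down" enabled, not loaded at all, so the rules below it decide.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        gw = rule.gateway
        if gw is not None and gw not in gateways_up:
            if skip_rules_when_gw_down:
                continue          # rule omitted entirely; keep walking
            gw = None             # rule loaded without its gateway: default route
        if src not in ipaddress.ip_network(rule.source, strict=False):
            continue
        if rule.action == "block":
            return ("block", None)
        return ("pass", gw or "default")
    return ("block", None)        # implicit default deny at the end of the rule set


# In order: P2P host out via the VPN, P2P host otherwise blocked, rest of the LAN as normal.
KILL_SWITCH_RULES = [
    Rule("pass", f"{P2P_HOST}/32", gateway=VPN_GW),
    Rule("block", f"{P2P_HOST}/32"),
    Rule("pass", LAN),
]


if __name__ == "__main__":
    for up, skip in [({VPN_GW}, False), (set(), False), (set(), True)]:
        state = "up" if up else "down"
        print(f"VPN {state}, skip rules when gateway down={skip}:",
              evaluate(KILL_SWITCH_RULES, P2P_HOST, up, skip))
```

The order matters: pfSense evaluates interface rules top down and the first match wins, so the block has to sit directly under the pass-to-VPN rule. Note that the model only comes into play once gateway monitoring has actually marked the VPN gateway down; while the gateway still shows as up the pass rule applies regardless of the option.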

It’s worth mentioning that if you create a VPN on the PC then that PC is directly exposed to all other members of the same VPN. So it’s important to ensure you're running a firewall at the very least. By moving the VPN onto Pfsense it removes this exposure. It is important that you turn Snort on (more on this later) on the VPN interface.

Dynamic DNS

Next up I added Pfsense updating dyndns, which was super trivial. This allows Pfsense to update dyndns instead of my client. This becomes important if ALL internal traffic is going through the VPN, because a client inside would otherwise update dyndns with your VPN exit IP, since that is the only public address your internal network can see.

Ad/Malware/Ransomware blocking

With a fully functioning firewall we can now look into some additional functionality. I had read a bit about PiHole, an ad/malware blocking DNS server that can be set up in a separate VM. Well it turns out you can do the same thing in Pfsense using PfblockerNG. There are two sides to PfBlockerNG. The first, which I come back to below, blocks traffic to and from lists of known bad IP addresses. The second needs the DNS Resolver (Unbound) in place of the DNS Forwarder that normally handles internal DNS requests. The resolver can be fed lists of domains, and any query for a listed domain is answered with an internal sinkhole address instead of the real one, so the client never connects; this is called DNSBL. There are lists of “bad” sites that can be obtained from PiHole. These are manually added as feeds into DNSBL and Pfblocker goes out and updates them daily. This gives you PiHole like functionality for free! To test if this is working go into one of the lists that you added as feeds and find a domain. Then simply ping that domain. If you get 10.10.10.1 (the default for DNSBL) back as the IP address for it, DNSBL is working perfectly! I had a major issue in that I had DNSSEC turned on, which requires a DNSSEC capable upstream DNS server. As it turns out the DNS servers I use are not compatible with DNSSEC, so outbound lookups were being blocked. Turning DNSSEC off fixed the issue. I originally turned on another function of Pfblocker called DNSBL EasyList, but I found that blocked too many things to be useful so turned it back off. Even Google Calendar stopped working. I also had issues in that most clients cache DNS answers. So to flush this on Windows you have to enter:
ipconfig /flushdns (as an admin)
I ran into one oddity: if you stop Pfblocker and then enable it again, I had to manually tell Pfblocker to back out and resync the DNSBL feeds to get it working.

Tuning DNSBL

Once you have turned on ad/malware blocking you may see sites being blocked that you don’t want blocked. These can be easily tuned to allow those domains. By going into Pfblocker, then Alerts, you can see what is being blocked as well as which list it was on. These domains can then be clicked on to add to a whitelist, which allows them through. Or you can manually add them to the Pfblocker, DNSBL, custom domain whitelist. You can add domains, and optionally include their subdomains, to allow. Once they are on the whitelist you will need to force a reload for them to take effect, via Pfblocker, Update, Force. Then you can test to see that the site is no longer blocked. Using this method you can fine tune what you do and don't want to allow.
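Both PiHole (the earlier post) and pfBlockerNG DNSBL come down to the same decision for every query: is the name, or a parent of it, on a feed, and has it been whitelisted? The code below is an added example of that decision, not code from either project. The two feeds (one in hosts-file format, one plain domains) and the whitelist entries are constructed; 10.10.10.1 is the DNSBL default from this post and 0.0.0.0 the address PiHole style hosts lists use. It takes the wildcard behaviour where a listed domain also covers its subdomains, and shows whitelisting both as an exact entry and with subdomains included, as in the Pfblocker whitelist described above.

```python
import ipaddress

# Added example, not Pi-hole or pfBlockerNG code.  Feed contents, the
# whitelist entries and the query names are constructed for the illustration.
FEED_HOSTS = """\
# constructed hosts-format feed
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
127.0.0.1 localhost
"""

FEED_DOMAINS = """\
# constructed plain-domain feed
telemetry.example.org
calendar.example.com
"""

# Names hosts files carry for their own purposes; never block targets.
HOSTS_FILLER = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
                "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}


def normalise(name):
    """Lower-case and strip the trailing dot so lookups are case/FQDN insensitive."""
    return name.strip().rstrip(".").lower()


def _is_address(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_feed(text):
    """Return the set of domains a feed blocks; accepts hosts and plain formats."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        # hosts format: "<addr> <name> [<name>...]"; plain format: "<name>"
        names = tokens[1:] if _is_address(tokens[0]) else tokens
        for name in names:
            name = normalise(name)
            if name and name not in HOSTS_FILLER:
                blocked.add(name)
    return blocked


def _ancestors(name):
    """name itself, then each parent: a.b.example.com, b.example.com, example.com, com"""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class Sinkhole:
    """Decide whether a query is answered with the sinkhole address or forwarded upstream."""

    def __init__(self, sinkhole_ip, feeds, whitelist=(), whitelist_with_subdomains=()):
        self.sinkhole_ip = sinkhole_ip
        self.blocked = set()
        for feed in feeds:
            self.blocked |= parse_feed(feed)
        self.whitelist = {normalise(d) for d in whitelist}
        self.whitelist_with_subdomains = {normalise(d) for d in whitelist_with_subdomains}

    def resolve(self, qname):
        """Return the sinkhole address for a blocked name, None if it should go upstream."""
        name = normalise(qname)
        chain = _ancestors(name)
        # Whitelist wins: an exact entry, or a parent listed with subdomains included.
        if name in self.whitelist or any(p in self.whitelist_with_subdomains for p in chain):
            return None
        # Blocked if the name, or any parent domain, appears on a feed.
        if any(p in self.blocked for p in chain):
            return self.sinkhole_ip
        return None


if __name__ == "__main__":
    dnsbl = Sinkhole("10.10.10.1", [FEED_HOSTS, FEED_DOMAINS], whitelist=["calendar.example.com"])
    for q in ["ads.example.com", "cdn.ads.example.com", "calendar.example.com", "www.example.com"]:
        print(q, "->", dnsbl.resolve(q) or "forward upstream")
```

The `resolve()` result is exactly what the ping test above observes: a listed domain comes back as 10.10.10.1, a whitelisted one gets a real answer. Note that an exact whitelist entry for calendar.example.com does not rescue api.calendar.example.com; that needs the include-subdomains form.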

Blocking hackers/web robots

Now that the more important DNSBL is set up and running we can look at blocking known incoming attacking sites. There are lists for this just like there are for DNSBL. These are configured in PfBlocker on the IPv4 tab.

This in turn creates an incoming firewall rule to block these IPs.

To test this I added my own external IP address to the block list and then attempted a connect. Sure enough it was blocked and shows in the alerts as being blocked.

This web site had a couple of lists of bad guys to add to PfBlocker! Now this is entirely based on source IPs. As you can imagine bad guys can change their IPs, so this is somewhat like chasing your tail. This is not to be confused with something like Snort, which inspects the content of the traffic rather than just where it came from. This would also not detect anything like a port scan of your host. You can also use this feature to block web robots/spiders/crawlers from indexing your web site and adding it to search engines. Well behaved spiders can also be controlled using robots.txt on your web site.

In the end I don’t see much point to this part of Pfblocker.

Snort

It is quite common for attackers to probe networks to see if they can get in and poke around, using everything from known exploits to scanning tools. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) use known patterns (signatures) to identify these probes and, in the prevention case, block them. Snort is one of these. Setting up Snort on pfSense is a multi step process.

Step 1 install Snort

First install it from the packages list. It will consume additional memory, processor and disk space, but it ended up being less than I thought …

Step 2 tell Snort what interface to listen on

Once installed you need to tell Snort what interfaces you want it to listen on. At the very least I recommend your VPN and WAN (internet connection). Remember that the outbound VPN is its own connection, and people doing bad things may also be using a VPN, so it’s not a bad place to keep an eye on as well. And the VPN drills a hole directly through your router/firewall, so this is a place Snort is actually extremely helpful. Lastly Snort can watch for bad things coming out of your internal network, like viruses and the like. In fact the packet inspection and pattern recognition in Snort can very much be compared to anti virus, and the positive thing is these are blocked at the perimeter of your network. When defining your interface (especially your external one) be sure to check Block Offenders; what’s the point in seeing an intrusion and doing nothing? Don’t forget to press Save.

Step 3 tell Snort what to look for

Once the interface is defined you need to go into its Categories tab (WAN Categories for the WAN) and tell it which rule categories to look for. I just turned them all on, and annoyingly there is no enable all button. Be aware that enabling everything is also the noisiest choice; the false positives discussed under Tuning Snort below are the price of it.

Step 4 Global settings

This defines what Snort does on all interfaces. I also created an account on Snort.org, which allows the registered rule set to be downloaded from Snort itself using the Oinkcode from that account. Be sure to set an update interval for the rules to ensure you have the most current; I chose daily. I again just turned on all of the available rule sources for known threats. I can always revisit this if it becomes too slow/burdensome.

Step 5 go get updates

By going into Updates next you can download all of the rules so Snort knows what to look for. This would happen on the update schedule you set above, but this lets you kick it off now.

Step 6 start it

At this point Snort is ready to go, but you have to manually start it. Go back to interfaces and start Snort. I hadn’t noticed this at first, and was wondering why it seemed to be doing nothing 🙂 DOH. Snort can take a few minutes to get started so be patient.

Once started it will look like this and is good to go:

Test it

Ok so it’s installed and configured, but is it doing anything? I read lots of articles about how to test Snort. There were many way too complicated answers to this stupidly simple question. It’s actually pretty easy to test: just use a port scanner, pscan, nmap, whatever. Run it from a host on the far side of the interface you enabled Snort on (from the internet for the WAN, from a VPN client for the VPN interface) so the traffic actually crosses that interface, point the scan at it and let it rip. In short order Snort will jump into action. You can see this under Snort, Alerts.

From this interface you can click the red x next to the source IP to remove the block (assuming you enabled blocking), or click the red x next to the SID to disable that rule if you decide it was blocking something you didn’t want blocked. You can see the IP the offender was using along with the rule that triggered the alert. Under the Blocked tab you can see all IPs that Snort has triggered on and subsequently blocked; again you can click the red x to remove the block. Now it’s worth noting that if you were doing this by RDP you have now just lost contact with the host you were testing from 🙂 Don’t forget to unblock your test machine. And with that you’ve tested Snort …

Tuning Snort

Because Snort actively blocks sites it’s important to keep an eye, at least at first, on what it is alerting on. I found it was alerting on, and then blocking, my VPN provider, which in turn broke my VPN. It had false positive triggered. So I had to go into the alerts, disable the rule that was causing the false positive and then unblock my VPN provider. I also had issues with Snort triggering on P2P, which in a corporate environment is bad but at home is fine, so I simply told it to ignore those.

You can create pass lists for IPs you never want blocked, but setting this up is WAY less than obvious. It takes 4 steps. 1) Create a firewall alias with all the IPs you want to allow for a given interface. 2) Under Snort, Pass Lists, create a pass list that references the alias you just created. 3) Edit the Snort interface and select that pass list in its settings. 4) Restart Snort on that interface. Pass-listed addresses are never blocked, though Snort will still alert on them, so the pass list is the right tool for your VPN provider or your own management hosts; disabling a rule is the right tool for a signature that is wrong everywhere.
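As an added example (my own code, not from the pfSense Snort package or the original post) that ties the Test it and Tuning Snort steps together, the following Python parses a handful of constructed Snort alerts in the alert_fast layout (what snort -A fast writes; pfSense’s GUI reads its own alert file layout, so the regex is an assumption you would adapt), counts which rules and which sources fire most, and drafts suppress entries in the threshold.conf syntax that the pfSense Suppress List accepts. The point is the scoping: suppressing a SID for one source IP keeps the rule live for everyone else, which is gentler than the red x that disables it outright.

```python
"""Triage Snort alerts and draft suppress-list entries.

Added example, not the pfSense Snort package's code. Assumes Snort's alert_fast
line layout; adjust ALERT_RE if your alert file differs.
"""
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts using RFC 5737 documentation addresses and one
# private LAN host; not taken from a real sensor.
SAMPLE_ALERTS = """\
03/29-10:15:42.101010  [**] [1:2100469:4] GPL SCAN PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 198.51.100.1
03/29-10:15:43.202020  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.1
03/29-10:16:01.303030  [**] [1:2013028:5] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:51234 -> 198.51.100.9:443
03/29-10:16:05.404040  [**] [1:2013028:5] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:51240 -> 198.51.100.9:443
this line is not an alert and must be skipped, not crash the parser
"""


def parse_alert(line):
    """Return a dict of alert fields, or None when the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        a[key] = int(a[key])
    for key in ("sport", "dport"):  # ICMP and portscan alerts carry no ports
        a[key] = int(a[key]) if a[key] else None
    return a


def parse_alerts(text):
    """Parse every non-empty line; return (alerts, number_of_unparseable_lines)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            skipped += 1
        else:
            alerts.append(a)
    return alerts, skipped


def top_rules(alerts):
    """Hit count per (gid, sid, msg): the rules to look at first when tuning."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def top_sources(alerts):
    """Hit count per source IP: a real scanner shows up here across many SIDs."""
    return Counter(a["src"] for a in alerts)


def suppress_entry(gid, sid, ip=None, track="by_src"):
    """One line in Snort threshold.conf 'suppress' syntax (what the pfSense Suppress List takes).

    Without ip the SID is silenced everywhere; with ip it is silenced only for that
    address, which is the safer shape for a false positive from a known host.
    """
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    entry = f"suppress gen_id {gid}, sig_id {sid}"
    if ip:
        entry += f", track {track}, ip {ip}"
    return entry


def draft_suppressions(alerts, min_hits=2):
    """Candidate scoped suppressions: a SID that fired repeatedly from the same source."""
    hits = Counter((a["gid"], a["sid"], a["src"]) for a in alerts)
    return [suppress_entry(gid, sid, ip)
            for (gid, sid, ip), n in sorted(hits.items()) if n >= min_hits]


if __name__ == "__main__":
    alerts, skipped = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} alerts parsed, {skipped} line(s) skipped")
    for (gid, sid, msg), n in top_rules(alerts).most_common():
        print(f"{n:3d}  [{gid}:{sid}] {msg}")
    for ip, n in top_sources(alerts).most_common():
        print(f"{n:3d}  {ip}")
    print("\n".join(draft_suppressions(alerts)))
```

With the sample data the external scanner (203.0.113.7) tops the source list, which is the behaviour you want Snort to keep blocking, while the repeated policy alert from the LAN host yields a suppress line scoped to 192.168.1.20 only. That line is what you would paste into the Suppress List instead of disabling the SID for the whole interface.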

It’s worth noting the obvious: anything that Snort detects as an attack is something that already got through your router (in my current setup where pfSense is behind my router, i.e. double NAT’d).

If you find anything not working, a web site, an app, whatever, start by disabling Snort and see if it is the culprit. Then you can look at tuning it. One area of Snort that is ENTIRELY problematic is the http_inspect preprocessor rules, and likewise the OpenAppID application detection. I highly recommend you just disable these. So many web sites will false positive trigger and then be blocked by them.

Inbound VPN using OpenVPN

Next up I thought I would look at OpenVPN to set up a VPN from outside into my network. I started with the official guide to get going. It recommends using the wizard within OpenVPN; I didn’t at first and had no end of issues. Then I discovered (it’s in the guide but I missed it) that you need to add the Client Export package to pfSense, which lets you export your OpenVPN connection. This allows you to create simple install files to test out OpenVPN. I found tweaking and making changes to the OpenVPN server was easiest dealt with by downloading the install files and running them; if all that had changed was the config, then that’s all it installed. It ought to be possible to just export the configuration but I had no luck with that on Windows. Then I had issues with the DNS Resolver not working. These were fixed by creating an Access List in the DNS Resolver for the subnet of the VPN clients, in my case 192.168.3.x, since the resolver only answers networks it has been told about. With this fixed and working I was able to get at my internal network remotely. This also means ad blocking now works for my VPN clients, and I can refer to my internal machines by name rather than by IP. The last thing not working was internet traffic through the VPN tunnel, i.e. all remote internet traffic going out through my internet connection. This I had issues with and could not find the solution, until I found this article that pointed out I needed an outbound NAT rule on the WAN for the VPN tunnel network. And like that … le voila it was done!
It’s worth noting that I tried to set up IPsec/L2TP but could not find a group of settings that Windows would live with, and gave up. I had no end of performance issues with OpenVPN, and in the end got the best results by dialing down from SSL/TLS to Remote Access (User Auth). This still used TLS for authentication, making it harder to hack into my VPN. I also dialed down the encryption. The greyed out one was too slow, in spite of trying a number of different hardware solutions.

It’s worth noting that if you decide to pass all of your remote traffic through your home you will be limited by the slowest part of your service. In my case I was roughly 24Mb/s down and 7Mb/s up. But remember, for a remote client this gets reversed: everything it downloads has to leave your house over your upload, so the fastest you could possibly dream of is 7Mb/s. Not great. So my decision was simply to leave remote clients using their own internet connection for external communications. Internal traffic would still go through the VPN, and ad blocking etc. would still work. Of course you lose the protection of Snort for their internet traffic. To tell the remote client to use its own external connection, turn off the Redirect Gateway option in the OpenVPN server settings (it is what pushes the redirect-gateway option to the client):

To be able to use internal DNS names as well as ad blocking for remote hosts, be sure to turn on Block Outside DNS. This pushes OpenVPN’s block-outside-dns option, which only Windows clients act on; without it a Windows client keeps querying its local DNS servers alongside the one pfSense hands out, so some lookups bypass the DNSBL.

Connecting to OpenVPN with an iPhone/iPad

There is a Client Export package that can be installed on pfSense that makes setting up clients super easy. Once this is done you go to VPN, OpenVPN, Client Export and select OpenVPN Connect. This will save an .ovpn file that has everything you need. On your iPhone/iPad install the OpenVPN Connect app. Now email yourself the .ovpn file you previously downloaded, go into the default iOS Mail app, tap the attachment and choose Copy to OpenVPN. Treat that file as a credential: besides the server’s CA certificate it can carry the TLS auth key, so delete the email once it is imported.

Then import it into OpenVPN. Now you’re ready to test. I found one odd anomaly, which is that you can not log on twice with the same VPN user. It hands out the same IP address, thus kicking the other device off. The simple solution is to have separate accounts per device. (pfSense does have a Duplicate Connection option on the server, but separate accounts are the cleaner choice since each one can be revoked on its own.)

Traffic shaping

Traffic shaping is something I’ve had in the past and liked. The theory is to prioritize the things that are important, like web browsing, and de-prioritize unimportant things like torrents. I played with this a LOT and got nowhere. In fact, I had it cause MAJOR performance issues. For now, I’ve turned this off.

Clustering

Since pfSense now becomes essential in the home I decided to look into clustering pfSense. To do this you start out with two fully functioning, fully set up pfSense boxes. The easiest way to get there is to set one up, do a base install on the second, install all the same packages, and then back up from the primary and restore to the backup. Test both to make sure they are working. Once confirmed you’re ready to start.

The first step is System, High Availability Sync. This keeps the settings etc. in sync between the two boxes. On the primary, tell it what interface to sync on; I recommend the LAN. Some people talk about needing a dedicated sync interface, and yes that would be nice, but it is not necessary in a home environment. Enter the backup’s LAN IP as the pfsync peer, and enter it again as the Synchronize Config to IP target; the first carries the firewall state table, the second is the XMLRPC configuration sync, which is why the same address goes in twice. Give it the remote system username/password, the same you would use to log on to the web interface. On the backup box enter only the sync peer, never a config sync target pointing back at the primary. You can see sync working or not in Status, System Logs.

You’re now ready for the next phase, adding VIPs. To make a seamless fail over you’re going to need a WAN VIP (if you care about incoming) and a LAN VIP. These are CARP VIPs. I had Hyper-V issues, but solved them (MAC address spoofing has to be enabled on the virtual NIC), and I also had issues with my USB ethernet adapter not working with CARP.

Once I had CARP up I wanted to do some testing to ensure it was actually working. I found I had to make a few adjustments to my settings. All incoming NATs had to be moved from the WAN address to the WAN VIP. DHCP had to be modified so the default gateway and DNS server it hands out are the LAN VIP rather than the server’s own IP address, otherwise clients keep pointing at whichever box gave them their lease. The DHCP changes have to be made manually on both servers; this does NOT replicate.

It’s worth noting that the way this works is a master/slave relationship. The master, or primary if you prefer, is the dominant server and will always take over when it’s available. The slave just sits there waiting to take over. Fail over and fail back happen pretty quickly. Any changes made on the slave in areas like firewall rules will be completely overridden when the master comes back online. Hard failures, like a server completely dying, are picked up perfectly. Softer fails are hit and miss from my experience.

Site to site VPN using OpenVPN

Ok so just when you think you’re done … a bud wanted to play with site to site VPN. Why the heck not. This allows you to virtually join networks across the internet, so machines in his home can see mine and vice versa. Now the biggest limitation of this is going to be (as before) your internet speeds. Nonetheless, on we go. First you set up one pfSense as the server (the other will be the client), in Peer to Peer (Shared Key) mode. The tunnel network it hands out must be a unique subnet; it can NOT share the subnet your other VPNs are using. It will also have to listen on a unique port (it can’t share a port with your remote access OpenVPN server). You will need to ensure there are no overlapping subnets (that you want to share) between the two homes. On each end you list your own subnets as local and the other side’s as remote networks. Then configure the client with the same parameters as the server, paste in the shared key the server generated, and point the client at the IP or name of the other side. You will need to open the firewall on the server side to allow the incoming port. You can see the status of the tunnel under Status, OpenVPN; errors can be seen in the System Logs. Once done you can first ping the gateway on the other side of the tunnel, and then an IP in the other location. If you want to get fancy you can add DNS to each side so that names resolve as well. And with that, the homes are digitally connected. The tunnel will stay relatively connected, but I have noticed delays when it has been used for a bit while it reconnects.

Hardware testing

If you’re like me you have a number of older physical boxes in your pile doing little to nothing. Seemed like a great place to play with pfSense. Again this BURNED A LOT of time!

I dug out an old Asus ASROCK media player I have. It’s based on a dual core Atom 330 processor. I got lucky and this one is 64 bit. I decided to put pfSense on an 8G USB stick. The media player only has one NIC so I used a USB ethernet adapter I had lying around. I also wanted to play with WIFI but ran into an issue with my Realtek RTL8188: I couldn’t get it going on the 64 bit version of pfSense, the driver ignored it. Migrating from my VM to the physical box was super simple. You simply back up your old configuration, making sure you choose backup all. On the new box do a vanilla install. Be sure to add any packages on the new box that you had on the old one. Then use the restore function. If the NICs are different it will simply re-ask which NICs are which. I had to manually redownload the pfBlockerNG/Snort rules but that would have been done on the schedule anyway …

Now that you have a functioning pfSense box you may want to benchmark it. To do this I popped one of my machines in front of pfSense, attached to the router, and ran Speedtest to get a baseline of my internet. I then ran the same test behind pfSense. My performance was awful: 24.85/7.33 Mb/s (down/up) on the router, and behind my physical pfSense box I only got 9.57/4.81. So I looked at the dashboard and saw that processor and memory seemed to be fine. This left the hard drive as the likely culprit. I ran:
geom disk list
To get a list of disks and then ran:
diskinfo -c -t da0
to benchmark the drive (-c measures the per-command overhead, -t runs the transfer rate test that produces the MB/s figures). I discovered the USB key I was using, and how it was connected, was resulting in REALLY bad performance, like 2.5MB/s vs what ought to be 40MB/s or so. So I moved it back to a hard drive. With this resolved the performance improved a bit. At first I’d given up on Atom, but eventually discovered it was traffic shaping causing the poor performance and simply disabled it; I’m not convinced it was doing anything anyway.

By the way I used DSL reports to benchmark my internet speeds but you could also use Source Forge’s too.

Going back to my VM I ran the same test on the VM which was configured as 2 virtual CPUs running on a i7 860, and 3G memory. This time the performance over my 25Mb/s DSL connection was much better and showed little to no slow down.

Performance testing

So now I got curious as to how hard this could be pushed, so I went back to my VM. I set up a web server on one machine and a web browser on another. I used an ImDisk RAM drive to host the content so the hard drive was removed as a possible bottleneck. Using H2testw I measured the RAM drive at 389/293 MB/s (write/read). So on with the test. Locally the content was served up at 166MB/s. Remotely, not through pfSense, this got 150MB/s. It’s worth noting that the second machine is a VM on the same box so the connection is a virtual 10Gb/s adapter. So with 150MB/s as the bar I was curious to see how multi threaded the firewall is; using a VM allowed me to change the number of CPUs. With 2/4/6/8 vCPUs I got 104/106/120/118 MB/s. So as you can see it scaled relatively well right up to 6 vCPUs. What this tells you is the firewall is well multi threaded and able to take advantage of multi core processors!

In running some of this I found a few tools worth pointing out. First there is a tool you can install that runs a speed test from pfSense itself. It removes the router and anything downstream, so it tells you basically your line speed in. From a pfSense command line you need to install the tool (this was the package name on the 2.4 releases; later releases moved to Python 3 packages, so the name will differ):
pkg install py27-speedtest-cli
and then you can run the test anytime by running:
speedtest-cli

Second there’s a network bandwidth tool called iperf that you can use to test speeds between computers without other bottlenecks like hard drives in the way. iperf can be downloaded for Windows amongst others. To add iperf to pfSense install it from the web based package manager. To use iperf you start it on the receiving end by running:
iperf -s
then run it on the other end (host is the receiving end’s address; the port must match on both ends and defaults to 5001 if -p is left off):
iperf -c host -p port

You will get back the bandwidth between the two.

On Red Hat/CentOS 7 iperf comes from EPEL:
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install iperf

Selecting hardware

I saw a guy on a forum ask a simple question … what’s the best hardware to run pfSense on? The smart ass answer that came back is the one you already have 🙂 That said, it’s quite true. The ones I played with were for exactly that reason, I already had the box available.

A VM is a great choice and allows you the max flexibility in network configuration as well as resource changes (memory/processor). But I have to say I have had issues with VMs. I could not for the life of me get pfSense clustering to work, the VIPs refused to come online externally, until … I finally read an article on best practices for FreeBSD on Hyper-V which directly addressed CARP and solved the problem (MAC address spoofing had to be enabled). And CPU utilization just seems bizarre to me. I have more experience with VMware and the way they allocate vCPUs makes a whole lot more sense to me. I would see pfSense showing the CPUs pretty busy but the physical CPUs still being inactive. Temperature on the VMs never showed on the dashboard of pfSense.

I tried for a LONG time to get pfSense to run on an older dual core Pentium 4, a P4D. I could get the older 32 bit version of pfSense running, but the 32 bit version is end of life. And there is no support for taking configurations backed up on the 64 bit version and restoring them on the 32 bit (I tried and it restored but had bizarre issues). The 64 bit version would oddly install but just not boot. So this was out, although the performance on the P4D on the 32 bit version was quite adequate. Using Windows Server 2018R2 and Hyper-V I was able to get pfSense running on the P4D. Performance was adequate but just barely. The processor lived at higher than 50% for a lot of the time and sometimes even peaked around 90+. This in turn generated a LOT of heat which caused the fans to scream. So in the end this became a neat but useless experiment. More time successfully killed!

I had an old Xeon Dell PowerEdge. This box seemed like it would have all the horsepower. Interestingly enough, the performance on this box was not night and day better and certainly didn’t justify the cost of running this HUGE box for nothing.

I also had a quad core atom box and this ran fine as long as I had traffic shaping turned off (as discussed above) and dialed down the VPN requirements.

Going forward Netgate stated that pfSense 2.5 and above would require a CPU with the AES-NI instruction set, so if you’re buying hardware be sure to look for that. (Netgate later walked that requirement back before 2.5.0 shipped, but AES-NI still makes a large difference to VPN throughput, so it remains a good thing to insist on.)

Buying hardware

As I come to the end of the journey I love the functionality that pfSense gives, so it’s time to make it permanent and give it a home of its own. There are lots of dedicated boxes that make perfect pfSense machines, like the Qotom Q3554.

But this is more money than I want to spend. So I looked for and found a refurb desktop with a Core i5 processor that has AES-NI support, so it’s good going forward, from Laptopsforless for $149. And if I bore of pfSense it has many uses in the home. I bought an HP Elite 8200 with an i5-2400 3.1GHz. With 4 memory slots, a max memory of 32G, and lots of PCI slots there’s lots of room for growth for future uses!

Costs

PCs that run 24×7 can start to become expensive if you aren’t paying attention, so I thought I’d take a look at what my HP Elite 8200 might be consuming. So I bought a Kuman 15A/1800W plug power meter from Amazon. Over a period of almost 2 days I got an average of 44W, which is quite low for a desktop. By comparison my Dell PowerEdge SC1430 that I was originally thinking of using consumed a whopping 160W. Translating this into $$s using an average cost of hydro of 8.9 cents/kWh we get an annual cost to keep pfSense running on this hardware of ~$35 per year. The Dell would up this to $125, or in other words by buying the new system I saved $90 a year, so the system was paid for in 1.9 years!

Power management

I played with power management enabling PowerD from within System/Advanced/Misc and put it on min performance (max power saving) and set the drive time out to the min, but didn’t see any decrease in power consumed. So for my system this did not seem to help.

Automated backup

I found a great tool that you can run from a Windows box that you can use to automatically backup and download your pfsense settings. Given the amount of time I have into this … yay!

I read an interesting post from Netgate that explained how to install Pfsense in a minimal environment and one of their comments was “In order to limit microSD card wear, we recommend enabling RAM disks. Navigate to System > Advanced > Miscellaneous and select Use RAM Disks.” They chose to build their Pfsense box on a Dual ethernet, quad core Minnowboard, or Dual core dual ethernet

March 29, 2018 Posted by | Uncategorized | Leave a comment

Advanced elements Firefly AE 1020 mini review

My gf was looking to get an inflatable kayak for the spring and one of these popped up on Kijiji and thus we have this post. At this point I own an Advanced Frame AE1012 and tried out an AE 1009 Expedition, so this makes the third of the company’s product offerings I’ve touched. At this point I haven’t had the Firefly in the water so can’t comment on handling yet. But let’s have a quick look at it and I’ll update the post when I get it in the water. Compared to mine this one is quite a bit shorter, and lighter.


The difference once inflated is quite significant. There’s a whole lot less of the boat behind you. The one we got according to the hull ID is a 2014 and did not come with a seat. (The Hull Id # is located on the kayak and begins with XZE. The last two digits are the ones that will tell us what year it was made in.) I spoke with Advanced elements and they told me “The firefly seat was added in 2016, so your year does not have the seat option. It also does not have a seat buckle to add a seat unfortunately.” I’ve found the company to quite responsive and helpful, excellent customer service.

There’s a lot less to inflate than my boat, 2 chambers (+ floor) vs 6 (+ floor). There’s no coaming that you could possibly attach a skirt to, or to deflect water out of the cockpit. There’s no dry storage area (same thing on mine). It does however have velcro straps on the deck to hold the oar while you are carrying/launching the boat. Mine doesn’t. Overall the material used seems similar to mine and should be reasonably durable. The inflation chambers use a clever valve that makes it easy to inflate and deflate the boat (same as on mine). Overall the boat is super fast to inflate/deflate.

The lack of a seat may be a limiting factor, I guess we will see. Not sure why Advanced elements didn’t think of that. Overall this looks like an excellent beginner boat. Super light, easy to setup. We’ll see how it handles. I can’t wait for the warmer weather to get back on the water!!
Entire manual for the boat is available for download.

Update 5/28/2018
I finally got a chance to get this in the water this past weekend. It is as described super light and super quick to inflate. Once in the water you can easily see the boat is also much lower in the water. Handling wise is where you pay the price of this boat. The rudder they used seems to be about the same size as my boat’s, but because it is so short in the back, when you paddle the boat swings significantly. And then you paddle the other side and it swings back. A lot of energy is wasted as you zig zag, all the while looking like a drunken soldier. It’s shocking the amount of energy this boat takes to move. This boat absolutely does NOT track well, and does not in any way feel like a real kayak. Rough water would be a big challenge in this boat given the low profile in the water. I have to admit to being thoroughly disappointed in its design. A larger rudder on the bottom might help, who knows. I would have to say, I do not recommend this boat.

March 6, 2018 Posted by | Uncategorized

Amazon dot review

A friend of mine bought an Amazon dot … the first question I asked was why? Then he said do you want to play with it first? Um, sure I thought. So let’s start with what it is. Well first of all it’s a voice activated digital assistant. Think Siri. You can ask it things like what’s today’s weather. From this point of view, given I have an iPhone, I don’t see a value. But frankly at $69 it’s cheap enough there doesn’t need to be a lot of value to have one. Setup is pretty easy but be aware it’s impossible from what I can see to set one of these up without an Apple phone/tablet or Android phone/tablet. And even using it without these is not going to be all that rich an experience. Now for someone tech savvy enough to want one of these that’s not a huge barrier, but they could have provided a web interface to interact with it, and they didn’t. And seeing what the dot is playing is done entirely on your phone/tablet since there is no screen on the dot.

Taking a step back let’s look at the physicals. What you have is a round device a little thicker and larger than a hockey puck. Jack wise there is a micro USB plug which goes into a 5.2V 1.8A 9W adapter. In general I saw it drawing around .5A, so around 2.5W. So not a whole lot of power. It also has a 3.5mm audio plug you can plug into a stereo. On the top of the device is a mute, volume up/down, and an activation button that calls up Alexa if you don’t want to use voice commands. There are lights that go around the outside of the device that have a bunch of meanings. These can be disabled using the device’s do not disturb mode. And if this is in the bedroom I HIGHLY recommend you look at this before it inevitably wakes you.

So give me some examples of what you can ask it? Well the list is long but as mentioned above, the weather. If you link your calendar you can ask it your calendar. You can get Alexa to add items to a shopping list that you can see on the phone and share with family members. You can add timers, alarms etc. There is no way that I can see to get emails or text messages from your phone. You can use Alexa to make voice calls to other Alexa enabled devices. You can also make phone calls using your contacts from your phone.

You can ask it other things and it will go out and try and find answers for you. I do find Siri more conversational than Alexa (which is what the assistant is called). The mic in the dot is really quite good and picks up your voice from quite a distance. Miles better than the mic on the iPhone, which was never meant to be used from across the room. By the way, Apple has a similar device that rocks a whopping $349 price tag. Pass, even if it is an amazing speaker, I’ll still be using my home stereo.

The dot can connect via bluetooth to a home stereo. This opens a few new possibilities for the device. You can use it to play music from Amazon Music, find radio stations on TuneIn and the like. I couldn’t get the Radio Player Canada skill to work for whatever reason. Paired with the home stereo the sound worked very well. TuneIn sadly did not identify the song playing, a HUGE miss for me. I long for a music player with something other than basics, like lyrics, who the band is, what the song is, what their discography is etc. Not here. Now if your stereo is smart enough to have bluetooth, it probably already has an internet radio player built in. So this is largely a wash. But it does sound fine. The Amazon Music player does identify the song playing. The dot switched seamlessly back to the internal speaker when the bluetooth disconnected. Well done.

There’s supposed to be a way to pair the dot and my amazon fire TV but I couldn’t get this working. Nor do I see it all that useful.

My Radio WIFI thermostat was not supported so that functionality was out.

The dot can add new “skills” that can add additional functionality you can call on. I like that the device is extensible.

So in the end, it is a neat device, but I’m not sure there is enough room in my digital world for it. And what I don’t need is another gadget that I don’t use. So I won’t be grabbing one … for now. Now if something in a similar price range that used siri and fit into the Apple eco system existed, that I would buy.

March 3, 2018 Posted by | Uncategorized

PNY 3000 battery pack

I last blogged about a Mocreo 2500 mAh battery pack. It worked well … so well my daughter took it 😦 On to find another one. The worst feature of the Mocreo was that it was a micro USB cable with a converter to Lightning. The converter and the cable were a little precarious, although 6 months later it was still working well. So this time I wanted a battery pack that had a native Lightning cable. This particular battery pack is quite well designed. A little more pudgy than the Mocreo, but all in all not that bad in size at all. You can have it in your pocket and for the most part not notice it’s there. They have designed it well in that it has a cable on the one side that is micro USB and on the other a Lightning. Both cables are well designed and rigid enough to feel durable. If there is a complaint it’s that they did nothing to label which is micro USB and which is Lightning, but this is a nit pick. They also included lights to show the level of charge of the pack, a welcome addition.

So let’s look at specs. They are pretty clear that the pack can put out 5V 1A from either cable. This pack once plugged in requires you to press a button to get the charging started. 1A is fine for older iPhones and is the same amount of current the stock charger delivers, even the one that comes with the iPhone 8. So what you get is a charge speed comparable to being plugged in. Almost all newer Android phones and even the iPhone 8 can use higher current to give you a quick charge. So this battery pack will not do that (nor do they suggest it will). The pack lives precisely up to what it says and delivers a solid 1A. On a deep discharge cycle an iPhone 8 went from 9 to 70% in an hour. The iPhone slows charging down beyond that. Overall the pack can charge the iPhone 8 from dead once. This comes out to an efficiency of around 60%.

From a recharge point of view again the specs are pretty clear that this can only take 1A in, so you’re looking at a slow recharge. These battery packs do not seem to have caught up to the phones’ quick charge improvements. Recharge time from dead was well over 3 hours.

For the price on Amazon ~$20 this is a very good battery pack. Well designed, well executed, cheap price, fast ship.

March 1, 2018 Posted by | Uncategorized

Tracking ski/board on the Fenix 3

I took a little hiatus from snowboarding but wanted to get back into it. Fortunately I checked ahead and found the ski/board app was missing from my Fenix. I searched and searched and could not find how to add it back. It turns out you can not do it from the phone, from what I can see. On the watch select Settings, Apps, scroll down and select Add, then select Alpine Ski. This adds the ski/board app onto the Fenix. Once there this app works very well. It can easily tell going downhill vs being on the lift. It tracks the number of runs you got in and then the stats for each and every run. You do get a map of the run as well. The runs are visible in the Splits on Garmin Connect. And at the end of your day you get moving time, elevation, and speed. The stats that come out of it are very good. If there is anything missing it’s that you don’t get the run names, or at least I didn’t, but I was at a small private hill. Here’s some examples of the data you get. The whole data set is here for you. Of course temperature being on your wrist and under a jacket is bogus.

I did find it super easy to interrupt your recording, jacket cuffs, glove cuffs can all push on the buttons. I found it necessary to lock the Garmin which you can do by pressing and holding the power button and then selecting lock. Unlocking is done by pushing and holding the power button.

All in all it works well, and I was impressed.

February 6, 2018 Posted by | Uncategorized