With my 16-port UniFi PoE switch dying I needed something cheap. While browsing eBay I found an HP 5500 and was able to make an offer of $90 shipped.
Reading all the docs I figured it was a ProCurve, which has a Cisco-like CLI, but man, I was way wrong. Thankfully I was able to find a manual HERE. It took some time to learn, but it just works for my needs.
Here is a quick rundown on how to make a simple Debian box into a router.
Remove unneeded items:
apt purge iptables
Install required items:
apt install bridge-utils firewalld dnsmasq
Enable IP forwarding:
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
Find NICs:
Run ip a to find the NICs.
Now we create the bridge. This assumes your device has three NICs and you want two for LAN and one for WAN:
nano /etc/network/interfaces
Install and configure WireGuard
I use the WireGuard install script to create the config we import into WireGuard. That is located HERE.
Generate your first WireGuard config. After running the script above it will ask you for a client name; I would name it something relating to OPNsense.
Install WireGuard on OPNsense | System -> Firmware -> Plug-ins -> select and install 'os-wireguard'
Get to the WireGuard config | Refresh the page, then go to VPN -> WireGuard
This works if you're having Pi-hole hand out DHCP on your network.
nano /etc/dnsmasq.d/05-no-pihole-dhcp.conf
Now we need to add the following to the file. You can change 1.1.1.1 to any DNS server you want.
# Assign alternate DNS for select hosts
# Set specific clients to be affected (one dhcp-mac line per device)
# Device 1
dhcp-mac=set:altdns,00:00:00:00:00:00
# Device 2
dhcp-mac=set:altdns,00:00:00:00:00:00
# Set alternate DNS for everything tagged altdns
dhcp-option=tag:altdns,option:dns-server,1.1.1.1
How to use SSH tunneling (local port forwarding) on WSL and reach the forwarded port from the local Windows machine. This is super useful when needing to VNC into a SmartOS KVM VM. Note that binding to 0.0.0.0 makes the forwarded port reachable from any host that can reach the WSL interface, not just the Windows side, so keep the host firewall in mind.
ssh -L 0.0.0.0:PORT:REMOTE_IP:PORT [email protected]
I learned about XCP-ng not too long ago and love it. It's great and easy to use. My only issue is, I guess, on newer versions of Windows 10/Server 2019 they were having freezing issues. I had the issue with Windows 10. I just went with Windows 7 VMs for what I needed until they get the problem worked out. XCP-ng works great with Linux. Here are some useful commands I've found.
This is probably useful to figure out how to reverse proxy Apache behind NGINX, but I was finally able to get Nextcloud working on NGINX with no problem. I like to use NGINX as my web server because that's what I've always worked with. I've tried a couple of times to get NGINX to work with Nextcloud, but it would also end up not letting me log in. I did some Googling and I guess it has something to do with how the cache is handled in NGINX.
Copied from Here
If you don’t want to do any configuration inside the guest, then the only option is a DHCP server that hands out static IP addresses. If you use bridge mode, that will probably be some external DHCP server. Consult its manual to find out how to serve static leases.
But at least in forward modes nat or route, you could use libvirt’s built-in dnsmasqd (More recent versions of libvirtd support the dnsmasq’s “dhcp-hostsfile” option).
I noticed that when trying to mount NFS upon boot it wasn’t working. After it was booted up I could run “mount -a” and everything would come up. After some googling I learned you can add “_netdev” to the mount options in /etc/fstab and it works great.
I’ve tested this on Debian and CentOS
Disable ADMIN user
Before doing this bit you may wish to check that the new user you added works for everything you need it to. Those things might include:
- ssh to [email protected]
- Log in on the web interface at https://192.168.1.22/
- Various ipmitool commands, like querying power status:
$ ipmitool -I lanplus -H 192.168.1.22 -U somename -a power status
Password:
Chassis power is on
If all of that is okay then you can disable ADMIN:
This is not my article; I copied and pasted it from the below. The only reason it's on here is because it took me a while to find, so I figured I would put it here since it's useful to me.
Enable voice VLAN on Cisco switches for non-Cisco phones
by lunarg on February 20th 2017, at 14:53
When provisioning non-Cisco phones on a Cisco-switched network, you may notice that the configured voice VLAN is not correctly provisioned to the phone.
Add the following to the http block in /etc/nginx/nginx.conf. This tells nginx where the actual client IP is coming from instead of showing Cloudflare's address.
# CF set real ip
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
# use one of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
This is the reverse proxy file /etc/nginx/sites-available/plex.
I found these scripts years ago and decided to use them. I might as well share them.
First, ipset and iptables need to be installed:
apt install iptables ipset
Now we need to create the ipset lists:
ipset create drop hash:net
ipset create allowHTTPS hash:net
ipset create allowSSH hash:net
ipset create directHTTPS hash:net
ipset create google hash:net
Script to update files and countries. If you go to the ipdeny site you can find which countries you can add.
I just did this on Debian 9, it might work on older versions and more than likely Ubuntu
Do everything as root: sudo su -
Install vlan package: apt-get install vlan
Load 8021q module: modprobe 8021q
Add 8021q module at bootup: echo 8021q | sudo tee -a /etc/modules
Make sure it is in the file: cat /etc/modules
Now we need to edit the interfaces file: nano /etc/network/interfaces
There will probably be something like below
Open up CMD with admin privileges, then type the following (these are PowerShell cmdlets, so from the elevated prompt start powershell first, or open PowerShell as Administrator directly):
Enable RDP connections:
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0
Make firewall rule:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
First we are going to become root:
sudo su
Next we are going to join the realm. This should install everything needed after you run the command below:
realm join domain.com --user domainadmin
Permit all users to log in:
realm permit --all
Add the user group as root:
nano /etc/sudoers (visudo is the safer choice here, since it syntax-checks the file before saving)
Paste into the above file:
%groupname@domain ALL=(ALL:ALL) ALL
Allow sssd to create the user home directory:
nano /etc/pam.d/common-session
Paste into the above file:
session optional pam_mkhomedir.
Enter enable mode:
en
Enter Global Config (use this mode for 99% of the configuration, must be in enable mode):
conf t
Set a port back to default:
default int G0/4
Encrypts all passwords on the device:
service password-encryption
Configure enable password (or secret in this case):
enable secret ________
Create user with highest privilege:
username _____ priv 15 password ______
Generate RSA key for SSH (needed if you plan to use SSH):
Over the past couple of days I've been trying to get a Cisco 3560 with VLANs to work. Finally I was able to get it working. This is my first blog post; FYI, it's not the most detailed. It's just info on what I've learned. This is not the best post to read if you have no technical knowledge. If you have some, you should be able to work your way through my horrible instructions.