HP5500 Fun
With my 16 port UniFi PoE switch dying I needed something cheap. While browsing eBay I found an HP 5500 and was able to make an offer of $90 shipped.
Reading all the docs I figured it was a ProCurve, which has a Cisco-like CLI, but man, I was way wrong. Thankfully I was able to find a manual HERE. It took some time to learn, but it just works for my needs.
Simple router using Debian and Firewall-cmd as a base
Here is a quick rundown on how to make a simple Debian box into a router.
Remove un-needed items:
apt purge iptables
Install required items:
apt install bridge-utils firewalld dnsmasq
Enable IP forwarding:
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
Find NICs. Run ip a to find the NICs:
ip a
Now we create the bridge. This assumes your device has three NICs and you want two for LAN and one for WAN:
nano /etc/network/interfaces
OPNSense as wireguard client and route LAN split tunnel
Install and configure WireGuard. I use the WireGuard install script to create the config we import into WireGuard on OPNsense. That script is located HERE.
Generate your first WireGuard config. After running the script above it will ask you for a client name; I would name it something relating to OPNsense.
Install WireGuard on OPNsense | System -> Firmware -> Plug-ins -> select and install ‘os-wireguard’
Get to the WireGuard config | Refresh the page, then go to VPN -> WireGuard
XCP-NG Quick Notes
I learned about XCP-NG not too long ago and love it. It’s great and easy to use. My only issue is, I guess on newer versions of Windows 10/Server 2019 they were having freezing issues. I had the issue with Windows 10. I just went with Windows 7 VMs for what I needed until they get the problem worked out. XCP-NG works great with Linux. Here are some useful commands I’ve found.
NextCloud with Apache behind NGINX reverse proxy on CentOS
This is probably useful to figure out how to reverse proxy Apache behind NGINX, but I was finally able to get NextCloud working behind NGINX with no problem. I like to use NGINX as my web server because that’s what I’ve always worked with. I’ve tried a couple of times to get NGINX to work with NextCloud, but it would always end up not letting me log in. I did some Googling and I guess it has something to do with how the cache is handled in NGINX.
Static IP KVM Guest
Copied from Here
If you don’t want to do any configuration inside the guest, then the only option is a DHCP server that hands out static IP addresses. If you use bridge mode, that will probably be some external DHCP server. Consult its manual to find out how to serve static leases.
But at least in forward modes nat or route, you could use libvirt’s built-in dnsmasqd (more recent versions of libvirtd support dnsmasq’s “dhcp-hostsfile” option).
Disable SuperMicro IPMI ADMIN user
Disable ADMIN user. Before doing this bit you may wish to check that the new user you added works for everything you need it to. Those things might include:
ssh to [email protected]
Log in on the web interface at https://192.168.1.22/
Various ipmitool commands, like querying power status:
$ ipmitool -I lanplus -H 192.168.1.22 -U somename -a power status
Password:
Chassis power is on
If all of that is okay then you can disable ADMIN:
Voice VLAN non-Cisco Phone
This is not my article; I copied and pasted it from the below. The only reason it’s on here is because it took me a while to find, so I figured I would put it here since it’s useful to me.
Enable voice VLAN on Cisco switches for non-Cisco phones
by lunarg on February 20th 2017, at 14:53
When provisioning non-Cisco phones on a Cisco-switched network, you may notice that the configured voice VLAN is not correctly provisioned to the phone.
CloudFlare with nginx and plex
Add the following to the http block in /etc/nginx/nginx.conf. This tells nginx which proxy addresses to trust, so the logged client IP is the actual client IP instead of showing as Cloudflare.
# CF set real ip
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
# use either of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
This is the reverse proxy file /etc/nginx/sites-available/plex.
IPTables Fun
I found these scripts years ago and decided to use them. I might as well share them.
First, ipset and iptables need to be installed:
apt install iptables ipset
Now we need to create the ipset lists:
ipset create drop hash:net
ipset create allowHTTPS hash:net
ipset create allowSSH hash:net
ipset create directHTTPS hash:net
ipset create google hash:net
Script to update files and countries. If you go to the ipdeny site you can find which countries you can add.
How to enable vlans on Debian 9
I just did this on Debian 9; it might work on older versions and more than likely on Ubuntu.
Do everything as root: sudo su -
Install vlan package: apt-get install vlan
Load 8021q module: modprobe 8021q
Add 8021q module at bootup: echo 8021q | sudo tee -a /etc/modules
Make sure it is in the file: cat /etc/modules
Now we need to edit the interfaces file: nano /etc/network/interfaces
There will probably be something like the below:
Add Linux Mint to Active Directory
First we are going to become root:
sudo su
Next we are going to join the realm. This should install everything needed after you run the command below:
realm join domain.com --user domainadmin
Permit all users to log in:
realm permit --all
Add the user group as root:
nano /etc/sudoers
Paste into the above file:
%groupname@domain ALL=(ALL:ALL) ALL
Allow sssd to create the user directory:
nano /etc/pam.d/common-session
Paste into the above file:
session optional pam_mkhomedir.so
Cisco Cheat Sheet
Enter enable mode:
en
Enter Global Config (use this mode for 99% of the configuration, must be in enable mode):
conf t
Set a port back to default:
default int G0/4
Encrypts all passwords on the device:
service password-encryption
Configure enable password (or secret in this case):
enable secret ________
Create user with highest privilege:
username _____ priv 15 password ______
Generate RSA key for SSH (needed if you plan to use SSH):
pfSense/VMWare/Cisco 3560/Server 2016
Over the past couple of days I’ve been trying to get a Cisco 3560 with VLANs to work. Finally I was able to get it working. This is my first blog post, FYI, so it’s not the most detailed. It’s just info on what I’ve learned. This is not the best post to read if you have no technical knowledge. If you have some, you should be able to work your way through my horrible instructions.