Here is a quick rundown on how to make a simple Debian box into a router.
Remove unneeded items: apt purge iptables
Install required items: apt install bridge-utils firewalld dnsmasq
Enable IP forwarding: sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
Find the NICs: ip a
Now we create the bridge. This assumes your device has three NICs and you want two for LAN and one for WAN: nano /etc/network/interfaces
Install and configure WireGuard. I use the WireGuard install script to create the config we import into WireGuard. That is located HERE.
Generate your first WireGuard config. After running the script above it will ask you for a client name; I would name it something relating to OPNsense.
Install WireGuard on OPNsense | System -> Firmware -> Plug-ins -> select and install 'os-wireguard'
Get to the WireGuard config | Refresh the page, then go to VPN -> WireGuard
I learned about XCP-NG not too long ago and love it. It's great and easy to use. My only issue is that, I guess on newer versions of Windows 10/Server 2019, they were having freezing issues. I had the issue with Windows 10. I just went with Windows 7 VMs for what I needed until they get the problem worked out. XCP-NG works great with Linux. Here are some useful commands I've found.
This is probably useful if you want to figure out how to reverse proxy Apache behind NGINX, but I was finally able to get NextCloud working on NGINX with no problem. I like to use NGINX as my web server because that's what I've always worked with. I've tried a couple of times to get NGINX to work with NextCloud, but each time it ended up not letting me log in. I did some Googling, and I guess it has something to do with how the cache is handled in NGINX.
Copied from Here. If you don't want to do any configuration inside the guest, then the only option is a DHCP server that hands out static IP addresses. If you use bridge mode, that will probably be some external DHCP server; consult its manual to find out how to serve static leases. But at least in the forward modes nat or route, you could use libvirt's built-in dnsmasq (more recent versions of libvirtd support dnsmasq's "dhcp-hostsfile" option).
Disable ADMIN user
Before doing this bit you may wish to check that the new user you added works for everything you need it to. Those things might include:
ssh to [email protected]
Log in on the web interface at https://192.168.1.22/
Various ipmitool commands, like querying power status:
$ ipmitool -I lanplus -H 192.168.1.22 -U somename -a power status
Password:
Chassis power is on
If all of that is okay then you can disable ADMIN:
This is not my article; I copied and pasted it from the source below. The only reason it's on here is that it took me a while to find, so I figured I would put it here since it's useful to me.
Enable voice VLAN on Cisco switches for non-Cisco phones
by lunarg on February 20th 2017, at 14:53
When provisioning non-Cisco phones on a Cisco-switched network, you may notice that the configured voice VLAN is not correctly provisioned to the phone.
Add the following to the http block in /etc/nginx/nginx.conf. This tells nginx where the actual client IP is coming from instead of showing every request as coming from Cloudflare. nginx only honours the real-IP header for requests arriving from the listed ranges, so keep this list in sync with Cloudflare's published IP ranges.
# CF set real ip
set_real_ip_from 22.214.171.124/22;
set_real_ip_from 126.96.36.199/22;
set_real_ip_from 188.8.131.52/22;
set_real_ip_from 184.108.40.206/12;
set_real_ip_from 220.127.116.11/18;
set_real_ip_from 18.104.22.168/22;
set_real_ip_from 22.214.171.124/18;
set_real_ip_from 126.96.36.199/15;
set_real_ip_from 188.8.131.52/13;
set_real_ip_from 184.108.40.206/20;
set_real_ip_from 220.127.116.11/20;
set_real_ip_from 18.104.22.168/20;
set_real_ip_from 22.214.171.124/22;
set_real_ip_from 126.96.36.199/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
# use either one of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
This is the reverse proxy file /etc/nginx/sites-available/plex.
I found these scripts years ago and decided to use them. I might as well share them.
First, ipset and iptables need to be installed: apt install iptables ipset
Now we need to create the ipset lists:
ipset create drop hash:net
ipset create allowHTTPS hash:net
ipset create allowSSH hash:net
ipset create directHTTPS hash:net
ipset create google hash:net
Script to update files and countries. If you go to the ipdeny site you can find which countries you can add.
I just did this on Debian 9; it might work on older versions and more than likely on Ubuntu.
Do everything as root: sudo su -
Install the vlan package: apt-get install vlan
Load the 8021q module: modprobe 8021q
Add the 8021q module at bootup: echo 8021q | sudo tee -a /etc/modules
Make sure it is in the file: cat /etc/modules
Now we need to edit the interfaces file: nano /etc/network/interfaces
There will probably be something like below
First we are going to become root: sudo su
Next we are going to join the realm. This should install everything needed after you run the command below: realm join domain.com --user domainadmin
Permit all users to log in: realm permit --all
Add the user group as root: nano /etc/sudoers
Paste into the above file: %[email protected] ALL=(ALL:ALL) ALL
Allow sssd to create user directories: nano /etc/pam.d/common-session
Paste into the above file: session optional pam_mkhomedir.
Enter enable mode: en
Enter global config (use this mode for 99% of the configuration; you must be in enable mode): conf t
Set a port back to default: default int G0/4
Encrypt all passwords on the device (this is the reversible type 7 encoding, so it hides passwords from a shoulder-surfer but does not protect them; use enable secret for the enable password): service password-encryption
Configure the enable password (or secret in this case): enable secret ________
Create a user with the highest privilege: username _____ priv 15 password ______
Generate an RSA key for SSH (needed if you plan to use SSH):
Over the past couple of days I've been trying to get a Cisco 3560 with VLANs to work. Finally I was able to get it working. This is my first blog post, FYI, and it's not the most detailed. It's just info on what I've learned. This is not the best post to read if you have no technical knowledge. If you have some, you should be able to work your way through my horrible instructions.