If you are experiencing audio popping or delays when playback starts or stops on your HDMI receiver, follow the steps below to disable automatic audio suspension in PipeWire.
Open the terminal. In GNOME, open the Overview, type terminal, and press Enter. In KDE, open the menu, search for Konsole, and press Enter.
Save the file and quit (in Vim, press ESC (escape key),
then : (colon), w, q and then press
Enter.
Note: I found a Reddit posting which has
node.name = "..." and that ellipsis is incorrect. Pipewire does not complain about the syntax. More on that later as I add in more information at the later time.
Then, type in the following and press Enter:
systemctl --user restart wireplumber
This should prevent your home theater receiver, your soundbar, or what-have-you from falling asleep.
Audience
The instructions are meant for Linux users who experienced the delay in sound or in some cases, those who hear
the popping when starting and stopping audio playback. There is no GUI way in a Linux desktop environment that
will allow anyone to disable the audio suspend feature, so the experience with the Linux terminal is needed.
Why Is The Instructions Needed?
I have an Onkyo TX-NZ30 home theater receiver and I'm using it to pipe sound to my home theater receiver through
my NVIDIA Geforce RTX 4070 GPU. It's not as seamless as using Behringer Wing Rack or just about any audio
interfaces such as the Behringer U-Phoria UMC1820 or just about any sound card for that matter that does not involve
either HDMI, Toslink, or optical audio connection.
Currently, managing the power state of audio nodes is a policy decision handled by the daemon configuration. While
there are excellent tools like Helvum for audio routing, a simple toggle to disable audio suspension is not yet standard
in desktop settings applications, so editing the configuration file is the reliable method for now.
Explanation of the Configuration File
The file 50-local.conf acts as a custom instruction manual for WirePlumber, the session and policy manager for
PipeWire (the modern audio backend used in Linux distributions). Because Linux protects the main system configuration
files to prevent users from accidentally breaking the OS, you generally shouldn't edit the master settings directly.
Instead, placing a file with a name like 50-local.conf inside the
.config/wireplumber/wireplumber.conf.d/ directory allows you to safely override the default behavior without
touching the system files.
Here is a breakdown of the code you are adding:
monitor.alsa.rules:
This defines a rule set for ALSA (the Linux sound driver architecture) devices.
matches = [{ node.name = "~alsa_card.*" }]:
This tells the system to identify your audio device. The ~alsa_card.* simply serves as a wildcard for all
audio devices. Previously, the ellipsis was in the configuration file but that's incorrect and has been replaced.
actions = { update-props = { ... } }:
This specifies the actions to take on the matched device.
session.suspend-timeout-seconds = 0:
This is the critical setting. By default, Linux will suspend an audio device after 5 seconds of silence to
save power. Setting this value to 0 commands the system to disable the suspend timeout entirely, keeping the
connection active and the device "awake"
For Windows Users Who Plan on Switching to Linux
For those switching from Windows, this process is the command-line equivalent of opening the Device Manager, finding
your audio device, and unchecking the box that says "Allow the computer to turn off this device to save power." While
Linux offers powerful software like PipeWire, specific power management features for audio often lack a graphical
interface (GUI) switch. Editing this configuration file is simply the direct method to tell your computer, "Do not put
my HDMI audio to sleep," which prevents the delay or popping noise when you resume audio playback.
My Thoughts About "Linux Is Not Hard" Arguments
For anything simple such as browsing the web, Linux is not hard as long as the Linux terminal is not involved. For those
who have to deal with HDMI audio which may seem simple but later on can become complex, the argument that Linux is not hard
simply does not hold water, especially for someone who wants use their computer as part of a home theater system which Windows has
been doing for decades since Windows XP Media Center Edition. So yes, I want to assert to myself by saying "Linux is hard". This is
why I want to make Linux easier for everyone. I only want to provide minimum instructions in order for people to get their sound
system working in Linux -- especially for people who came from Windows. We need something equivalent to Windows' Device Manager in
Linux, so that those who do not want to touch the terminal can disable automatic audio suspension.
Conclusion
Once the configuration is in place and the service has restarted, the audio playback over HDMI audio should be seamless.
Enjoy piping audio from your computer to your home theater receiver or your soundbar! I hope I can be of help!
Seriously, I do not understand why would Discord prevent me from using Ctrl+F to bring up
the browser's find feature! This is a very essential feature when looking for something in a
web page. Especially in Settings!
If you cannot use Ctrl+F because Discord or even Discorse (a forum software) wants to use
Ctrl+F for its own search feature, you can just work around that in
Firefox by doing Alt+E, F in quick succession! Try it!
If you use Chrome, I believe you can press the Alt key and arrow down until you
get down to the Find command and go from there.
Hope this helps!
Article published: 2024-04-26 17:00
Categories: The World of Computers, Computers, Internet
Navigate to the first character after the quote/double-quote and type the following in Vim:
di"
This is useful if you have something like the following:
{
"title": "Vim: How to Delete Text Enclosed In Quotes",
"permalink": "vim-how-to-delete-text-enclosed-in-quotes",
"published": "2023-08-12 14:00",
"categoryIDs": "5,5:0,5:1,5:5",
"description": "In Vim, 'di\"' is the one to use for deleting text in quotes.",
"thumbnail": "",
"smallimage": "",
"largeimage": ""
}
So, to navigate to the first character that starts with a double-quote, simply type /"e;
and the insertion point will highlight the double-quote. To get to the next double-quote, press the
n key again until you get to the one you want. After that, press
the l key to move to the first character and type the following:
di"
The output will be as follows:
{
"title": "",
"permalink": "vim-how-to-delete-text-enclosed-in-quotes",
"published": "2023-08-12 14:00",
"categoryIDs": "5,5:0,5:1,5:5",
"description": "In Vim, 'di\"' is the one to use for deleting text in quotes.",
"thumbnail": "",
"smallimage": "",
"largeimage": ""
}
And now, you can type whatever you want by pressing the i key on your keyboard.
Press the ESC (escape) key to get out of INSERT mode and back into
normal mode. To save changes and quit the Vim text editor, type :wq.
Bonus: If you have delimiters with quotes while writing the code such as:
"This is some \"quote\"!"
Vim will automatically delete the delimiters with quotes along with them, so performing
di" will delete everything that is in between quotes.
""
And you do not need to be inside quotes in order to delete inside the quotes! How cool is that?
*grinning face*
Oh, and you can also use the "change inside" sequence as well:
ci"
This puts you into INSERT mode so you can type text inside quotes.
Audience
This is for Linux users experienced in using the Vim text editor. Vim users should already know
the basics such as :q! for quitting the text editor without saving changes,
:wq for saving changes and quitting the text editor, i for going into
INSERT mode and use the ESC (escape) key to get back into normal
mode. All keyboard commands are beyond the scope of this short article that I wrote.
Conclusion
Hopefully this keyboard command can be of help to you. If you are a Linux user, please give
Vim a try.
This is intended for Linux users who have experience working with the command line.
You should be running any Red Hat-based distributions such as Rocky Linux, AlmaLinux,
or Oracle Linux. CentOS Stream is not a candidate for taking the RHCSA (Red Hat
Certified System Administrator) exam. A lot of people in the Linux community are not
happy about Red Hat discontinuing support for CentOS 8 and now Red Hat does not want
source code to be available for everyone, including Rocky Linux and AlmaLinux. Enough
with wordy paragraphs! We don't want anyone to scroll down too much in order to get
to the most important part! Let's get into the command line, shall we?
Oh, please pardon me for boring you with this, but I almost forgot. This article
assumes that you are logged in as a root user. This is bad security practice in the
production environment, but in the exam, it's okay to be root. If you break it, you
fix it and that will count against your time in the exam. But the important thing is
that you must come up with solutions as fast as possible. Of course, don't be in a
hurry in such a way that you will fail the exam. Okay, enough already! Let's get in
with it! *grinning face*
Type: File Contexts
The command for listing all available SELinux type contexts is:
seinfo -t
The command for listing only the type contexts that relate to the web server:
seinfo -t | grep httpd
So, you searched for anything related to httpd and you came across
httpd_sys_content_t. You need to specify a directory to host your
content other than in /var/www. To add the type context to a directory,
the command will be as follows:
semanage fcontext -a -t httpd_sys_content_t "/data/nas/www(/.*)?"
restorecon /data/nas/www
The seinfo command is the SELinux policy information tool, semanage
is a SELinux policy management tool, and restorecon is for restoring default
SELinux security contexts to files and directories. The "type" contexts is the only one to be
to be concerned about when studying for any Linux exams, such as RHCSA (Red Hat Certified
System Administrator).
As for (/.*)?, that's called a regular expression. This is for setting any
subdirectories and files with the same context as the main directory. Try to remember this in
the RHCSA exam: open parenthesis, forward slash, period, asterisk, close parenthesis, question
mark, and that's about it. The only thing to remember is to have the entire path along with
the symbols in double quotes. In the RHCSA exam, you have access to the man pages, so take
advantage of that whenever possible.
For users of NVDA screen reader (Non-Visual Desktop
Access), NVDA does not speak a question mark such as CTRL+? (control plus question mark). I
do not know if this is a bug in the screen reader or if this is intentional, but at least
it's all I can do to help out if screen readers ignore question marks. That symbol is an
important part of a regular expression, so it needs to be translated to words. Hopefully I
can be of help.
Type: Contexts for Ports
What about ports? If you modify the port number in SSH configuration file
(/etc/ssh/sshd_config) and you restart the service
(systemctl restart sshd), even if you configure the firewall to allow a different
port number (example: firewall-cmd --add-port 12345 --permanent), you won't be
able to SSH into your server because SELinux gets in the way! It's easy to disable SELinux if
you do not mind exposing your server to outside security risks, but when studying for the exam,
it's important to never disable SELinux. Instead, let's search for port-related contexts.
Let's search for any services that have a phrase "port" for any type contexts:
seinfo -t | grep port
You should get a list of services. Let's narrow it down to SSH:
seinfo -t | grep port | grep ssh
Ah ha! There it is. It's ssh_port_t. Of course, I could also type the
following:
seinfo -t | grep ssh_port
And that should give me the same output. So, let's configure SELinux to allow TCP
port 12345 so that we can SSH into our Linux server.
semanage port -a -t ssh_port_t -p tcp 12345
And there you have it! You should now login to your server using SSH.
ssh -p 12345 username@servernameoripaddress
Of course, if you want to search for other services, such as Postfix:
seinfo -t | grep postfix
Oh, wow! So many contexts to choose from! But aren't we looking for
port-related contexts?
seinfo -t | grep port | grep postfix
Hmm... There are no port-related contexts related to Postfix. Of course,
what we do want is SMTP, which is port 25 by default, so let's narrow it
down to just "port" and "SMTP" (all lowercase, of course).
seinfo -t | grep port | grep smtp
# or "seinfo -t | grep smtp_port" (without quotes)
And you should get smtp_port_t. However, configuring an SMTP
server is beyond the scope of this tutorial about viewing the list of
available contexts. Plus, configuring firewalls and enabling/starting
services in a Linux server is also beyond the scope as well.
What Packages Provides seinfo and semanage?
dnf whatprovides */seinfo
The asterisk represents a wildcard, so this would assume that we do not
know the full path to seinfo command. That dnf
command, when executed, reveals a package called setools-console.
So, so install setools-console, just use the dnf install
command as follows:
That package policycoreutils-python-utils is so wordy, isn't it?
*smile*
Don't stress over trying to remember that package name in the exam and in the
real world.
Conclusion
I hope I can be of help to anyone studying for RHCSA exam. Hopefully
you should be able to know how to set SELinux type contexts for directories
and ports. If you are not taking an exam (you should if you want to
further your career in Linux and Information Technology), I hope I can be
of help as well! Have fun administrating your Linux servers!
And yes, I could have used emojis, but screen readers come first! *smile*
Article published: 2023-08-12 13:10
Categories: The World of Computers, Computers, Information Technology, Security
This article is for experienced Linux users who are familar with environment variables such as
$HOME and $USER. These are the Linux users who are familiar with the
command line.
Problem and Solution
Here is an example not to use /home/$USER:
[gpeddie-games@epcotcenter ~]$ su - gpadmin
Password:
mkdir: cannot create directory ‘/home/gpadmin’: Permission denied
touch: cannot touch '/home/gpadmin/Templates/Text file': No such file or directory
mkdir: cannot create directory ‘/home/gpadmin’: Permission denied
-bash: /home/gpadmin/.local/share/DaVinciResolve/configs/.version: No such file or directory
Welcome. All activities monitored at all times.
Unauthorized access is strictly prohibited.
gpadmin@epcotcenter
~
$
And here's the script (/etc/profile) that illustrates an example:
# fix gnome missing 'New file' option
if [ ! -f /home/$USER/Templates/"Text file" ]
then
mkdir -p /home/$USER/Templates
touch /home/$USER/Templates/"Text file"
fi
# ...
# this is a hack to bypass the Davinci Resolve new install Welcome/Onboarding screen since it does not render properly and is not required.
if [ ! -f /home/$USER/.local/share/DaVinciResolve/configs/.version ];then
mkdir -p /home/$USER/.local/share/DaVinciResolve/configs/
echo "Onboarding.Version=10" > /home/$USER/.local/share/DaVinciResolve/configs/.version
fi
To fix this issue, simply replace all instances of /home/$USER with $HOME.
I am familiar with a text editor called Vim. It's a program that runs inside a terminal, similar to the
Command Prompt or PowerShell in Windows.
Before we proceed any further, let's create a backup copy of /etc/profile:
sudo cp /etc/profile /etc/profile.bak
If anything goes wrong, you now have a backup. You can simply use the cp (copy) command to
restore from the backup. Now let's begin.
First, open the Terminal (Konsole in KDE).
As root (or with sudo privileges), type the following command:
sudo vim /etc/profile
Type in the following command, starting with a colon:
:%s/\/home\/$USER/$HOME/g
The syntax for search and replace in Vim is as follows:
:%s/search/replace/g
Let's not concern ourselves with g at the end for now. Basically this command replaces
"search" with the next text "replace." In other words, we want to replace /home/$USER with
$HOME.
Let's have a look at the script again:
# fix gnome missing 'New file' option
if [ ! -f $HOME/Templates/"Text file" ]
then
mkdir -p $HOME/Templates
touch $HOME/Templates/"Text file"
fi
# ...
# this is a hack to bypass the Davinci Resolve new install Welcome/Onboarding screen since it does not render properly and is not required.
if [ ! -f $HOME/.local/share/DaVinciResolve/configs/.version ];then
mkdir -p $HOME/.local/share/DaVinciResolve/configs/
echo "Onboarding.Version=10" > $HOME/.local/share/DaVinciResolve/configs/.version
fi
So why would we want to replace /home/$USER with $HOME? That
/home/$USER should still work!
Let's look at the output again after we save the changes.
Save the changes to the /etc/profile file.
:wq
A : begins a command. w writes changes to the file and q
quits Vim
If you don't want to make changes to the file, then all you have to do is type :q! to
exit without saving any changes.
As I mentioned, let's look at the output again when I log into my administrator account from a user
account.
[gpeddie-games@epcotcenter ~]$ su - gpadmin
Password:
mkdir: cannot create directory ‘/home/gpadmin’: Permission denied
touch: cannot touch '/home/gpadmin/Templates/Text file': No such file or directory
mkdir: cannot create directory ‘/home/gpadmin’: Permission denied
-bash: /home/gpadmin/.local/share/DaVinciResolve/configs/.version: No such file or directory
Welcome. All activities monitored at all times.
Unauthorized access is strictly prohibited.
gpadmin@epcotcenter
~
$
Now, let's see the new output when I log back in as an administrator.
[gpeddie-games@epcotcenter ~]$ su - gpadmin
Password:
Last login: Sat Mar 18 11:13:52 EDT 2023 on pts/0
Welcome. All activities monitored at all times.
Unauthorized access is strictly prohibited.
gpadmin@epcotcenter
~
$
You have an Active Directory server running in a Windows Server virtual machine. You installed
Nobara so that you can do content creation and play games. You
wanted to join your Linux desktop to a Windows Active Directory in your home network (or a homelab, if you
want to call it). This is how you install the needed packages for Nobara 36 (that's what I am running)
so that you can join your Linux desktop to the Windows domain:
Replace yourlocaldomainname.lan with your local domain name and do the same for
youradminusername.
So when you log into your administrator account that's part of the Domain Administrators so that you can
gain sudo privileges, you might be wondering why you are getting strange output. Here it is again.
[gpeddie-games@epcotcenter ~]$ su - gpadmin
Password:
mkdir: cannot create directory ‘/home/gpadmin’: Permission denied
touch: cannot touch '/home/gpadmin/Templates/Text file': No such file or directory
mkdir: cannot create directory ‘/home/gpadmin’: Permission denied
-bash: /home/gpadmin/.local/share/DaVinciResolve/configs/.version: No such file or directory
Welcome. All activities monitored at all times.
Unauthorized access is strictly prohibited.
gpadmin@epcotcenter
~
$
If you look at the /etc/profile script that Linux executes when you log into your Linux account, you
will notice that the developer of Nobara assumed that your home directory is /home/gpadmin
and not /home/graysonpeddie.lan/gpadmin.
This is how I configure the System Security Services Daemon (SSSD, for short) which allows Linux users
to log into the Windows domain from the Linux desktop. Please note that only root can read
/etc/sssd/sssd.conf.
Let's ignore the entire file and focus in the fallback_homedir. The %d is
for the domain name that I logged into and the %u is for the username. In my case, since
I logged into my Linux desktop as gpeddie-games (that's my account designed only for
gaming), my full path is /home/graysonpeddie.lan/gpeddie-games and not
/home/gpeddie-games.
I have all my users (only me) in a separate home folder in order to prevent any kind of conflict with
local user accounts, but then I still append my local admin account with -local in order
to prevent any kind of conflicts in my Linux desktop machine.
Conclusion
This is why you should never assume that all users will be in the parent folder of the home directory.
The only use-case for using a $USER environment variable is if you need to get the name of
the user. Referring back to the /etc/profile script, here is an example:
if [ -x /usr/bin/id ]; then
if [ -z "$EUID" ]; then
# ksh workaround
EUID=`/usr/bin/id -u`
UID=`/usr/bin/id -ru`
fi
USER="`/usr/bin/id -un`"
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"
fi
After reading the script, I'm not sure why $LOGNAME and $MAIL exists in
that profile. Plus, I checked to see if I can get the name of the $USER in my VPS server
and there is already a $USER in the list of environment variables even though it's not
listed in /etc/profile. Strange...
Anyway, I hope I can be of help and use to the people within the Linux community and I am hoping that
people can learn from mistakes when getting the user's current home directory.
Article published: 2023-03-18 15:37
Categories: The World of Computers, Computers, Information Technology, Scripting and Programming
This short article is intended for Linux users who are both familiar with the command line and a terminal-based text editor called vim.
For blind users, I don't believe the ranger program is accessible for screen readers. Probably not even in VoiceOver for Mac. For file management tasks, if only the
Mac's Finder could support SSH's Secure Copy Protocol (scp for short) or SSHFS (Secure Sheel File System). Third-party applications will have to be installed.
I do have brew installed for installing homebrew applications tAhat run Linux-like applications in a Mac, but Brew does not support Mac OS 13 (pre-release). I think
the problem with ranger is that VoiceOver for Mac does not read the currently highlighted directory or file that I currently select.
Keyboard Commands for ranger:
Key: h, j, k, l
Left, down, up, and right. Basic commands similar to Vim and Vi. You can also use arrow keys if you want to! Arrow keys work in Vim as well.
Key: yy and pp
Copy and paste a file or directory.
Key: gg
Go to the beginning of the list of files or directories (typing g once instead of twice opens the list of available commands; type g again and it
should move the selector to the top of the list).
Key: G
Go to the end of the list of files or directories.
Key: Enter
Depending on the file associations, opening an HTML file opens w3m and opening a JSON file opens a text editor such as Vim.
Key: F4 (function key)
Opens a text editor for a selected file.
Key: r
Open with: (Type the name of the program you want to open with.)
Key: spacebar
Select multiple files or directories. This is useful when copying files or directories in bulk.
Key: q
Quit ranger.
Command: :search <filename>
Searches for a file. Replace <filename< with the name of the file you are looking for.
Additional details for ranger can be found by visiting the ArchWiki page.
Install ranger:
For Fedora/Red Hat-based Linux distributions:
sudo dnf install ranger
Replace dnf with yum if you are running an older version of Red Hat-based Linux distribution.
For Debian/Ubuntu-based Linux distributions:
sudo apt install ranger
For those who use Arch Linux (if you use Arch Linux, I'm going to assume you know the commands for installing and updating packages. Explaining flags for pacman is beyond
the scope of my article.):
sudo pacman -Syu ranger
Why choose ranger as a terminal-based file manager?
I need a way to copy and paste files into multiple directories. I can do it via the command line, but I can be very lazy with typing the names of directories. With a new flat-file CMS
(Content Management System), I had a new blog setup and I needed to import all of my posts from ClassicPress to my new CMS. For creating new posts, I follow the convention where the
date comes first before the permalink (yyyymmdd-hhmm-permalink). The following list shows how I break it down.
yyyy
Year: 2023
mm
Month: 02 (February)
hhmm
Hour/Minute: 11:00 (Eastern Time)
permalink
Permalink: need-filemanager-linux
The more I use ranger, the more I begin to fall in love with the program. But if I'm going to be using a screen reader with the screen turned off, this can be a problem
for me and even a problem for blind users as well. However, at least ranger saved me from having to type a lot, especially when performing file management tasks. If you
are looking for a file management program while working over a secure shell (SSH), give ranger a try. Oh, and the more I discover keyboard commands, the more I add to the
list of commands. And of course, the more I enjoy using ranger.
This is for anyone who currently host their WordPress or ClassicPress in a virtual private server such as DigitalOcean, Linode, or any other VPS providers. Any Linux user with knowledge of command line can perform backups and restoration tasks. You must be familiar with Linux and you know how to connect to your production server via SSH.
Plus, this article assumes that you have installed and configured WordPress in your VPS server. In addition, this article assumes you can perform basic database administration tasks such as adding a new database along with creating a new user for WordPress or ClassicPress. If your hosting provider provides managed WordPress or ClassicPress hosting, then this article may not apply to you. And because this article is for those who currently run a VPS server, I am going to have to assume that you have some hands-on experience with the Linux command line. This article need not apply to non-technical Linux, Mac, and Windows users. When I say non-technical Linux users, I'm talking about those who wanted to get away from Windows or Mac and simply wanted to use Linux just to browse the Internet and not deal with the command line.
Last, but not least, I am also going to assume that you know how to configure your Apache server as well. Both Apache and NGINX (pronounced Engine-X) configurations won't be covered here, including backing up and copying certificates that you get from your hosting provider.
You have your own VPS server that is running ClassicPress. Your domain name is exmaple.com and your SSH port number is (insert your TCP port number here). You have a development server for developing your own custom ClassicPress theme and you want to use your development server to backup everything from your production server.
Open the terminal and connect to your development server via SSH.
ssh yourusername@devserver -p (your port number if it's other than port 22)
From your development server, create an SSH key pair. We are going to use id_rsa.
ssh-keygen -t id_rsa
Next, enter the location and filename. Example:
/home/yourusername/.ssh/classicpress
After that, leave the passphrase blank. Press Enter a couple of times until you get back to the prompt ending with $.
Execute ssh-copy-id with the name of the public key file and specify the username and domain name.
ssh-copy-id -p (your TCP port number if not 22) -i ~/.ssh/classicpress.pub yourname@example.com
You should be able to login to your server. Give it a try.
ssh -p (your port number or remove -p) -i ~/.ssh/classicpress yourname@example.com
If all goes well, you should be able to connect to your production server without been prompted for the password or passphrase. I mentioned "without passphrase" because if a Linux user executes a single script for performing a backup and has set a passphrase for the SSH identity key, then the script will prompt a Linux user for the passphrase multiple times.
For the purpose of backing up a database, this task will take you through creating a .my.cnf file. This is a hidden file that will contain the username and password for mysqldump command. mysqldump allows a database administrator to backup the MySQL or MariaDB database.
Login to your production server from your development or backup server and perform the steps below.
Create a new file using either vim or nano called .my.cnf. This file will be saved in your home directory. mysqldump will read the file containing the username and password. For me, I use vim.
vim .my.cnf
If you are using Vim, press the i key to begin the INSERT mode and begin typing the following lines. If you are using nano, simply start typing the following.
Replace yourdatabaseusername with your database username and yourdatabasepassword with your database password. When installing either WordPress or ClassicPress on a VPS server, a Linux administrator must have created a database along with the username and set password during the installation process.
Save your changes.
For Vim users, exit out of INSERT mode by pressing the ESC key; then, type :wq to write changes to the .my.cjnf file and quit Vim. The : key begins the command for Vim, w saves the file, and q quits Vim. If you want to not write any changes and quit Vim, then the command is :q!. If the ! were omitted, then Vim will tell you that you need to save your changes before you quit Vim.
For nano users, the keyboard commands for saving the changes and quitting the text editor is CTRL+O for saving changes (press the ENTER key to confirm changes) and CTRL+X to quit the text editor.
Once done, do a database backup of your WordPress or ClassicPress database.
mysqldump ClassicPress > test.sql
This assumes that your database name is ClassicPress. Replace ClassicPress and enter the name of the database that you created when you installed WordPress or ClassicPress in your VPS server.
Your new file called test.sql should be in the same directory that you executed the command for testing. If you open that file up with your chosen editor, you should see all the database commands. Go ahead and close the file.
Log out of your production server by typing exit and press ENTER.
If your database backup is successful, congratulations! That task is done! Your may delete the test.sql file by using the rm command (be careful with that rm command; you might delete files accidentally). The benefit of having a .my.cnf file within the home directory is that you do not want to expose your database password when executing mysqldump. Let's use sleep 10 as an example as the mysqldump command can be very quick once executed.
If you have a Linux machine, open up two terminals and place them side by side.
For the first terminal, execute the following command:
watch 'ps aux | grep sleep'
The watch command will output the ps aux | grep sleep command. Here is the output of the command:
The command sleep 30 will be there for 30 seconds and will disappear from the watch output after the number of seconds have passed.
Use the CTRL+C key to exit out of the watch output. If you are using a Mac, the keyboard command is Control+C. Command+C is for copying text.
My point is, if the mysqldump command gets executed for a long period of time while dumping the entire database, mysqldump can show up in the list of processes. For example, let's say you executed a mysqldump command as follows:
This command will take about 30 seconds when dumping an entire MySQL/MariaDB database. As a result, the output will be as follows (note that this is just an example):
This can be a big problem if an attacker gains access to your server and monitors for the list of processes. That's why it's important to avoid storing passwords in a script whenever possible. That's where .my.cnf configuration file comes in. I did not know about this until I found out about adding a username and password in .my.cnf file. I learn something new almost every single day.
And if you want an example of a real process list, here it is with Apache web server running in my production server:
Okay. That's all for the remote server configuration. Let's get into some real fun part, the configuration of the development server for performing automated backups!
Development or Backup Server
Now here is the script you have all bee waiting for.
#!/bin/sh
# DIRP: Directory path
DIRP=~/cpbackup
# FILE: Partial file name
FILE=$DIRP/classicpress-$(date +%Y%m%d)
# Hostname, IP address, or domain name
HOST=example.com
# Private key for automated logging into an SSH server (no passphrase or password)
PKEY=~/.ssh/classicpress
# TCP Port number (use whatever port you assigned for an SSH server in the
# production server.)
PORT=22
# User name assigned in the remote Linux server
USER=yourusername
# Let's perform some checks. Does the directory in the $DIRP variable exist?
if [ ! -d $DIRP ]
then
echo "Directory not found: $DIRP"
exit 1
fi
# Does the SSH key pair exist?
if [ ! -f $PKEY -a ! -f $PKEY.pub ]
then
echo "SSH key pair $PKEY and $PKEY.pub does not exist. Exiting."
exit 1
fi
# Delete any backup files older than x number of days
find $DIRP -maxdepth 0 -mtime +10 -exec rm {} \;
# Backup the SQL database and store them locally for later restoration.
ssh -p $PORT $USER@$HOST -i $PKEY mysqldump ClassicPress > $FILE.sql
# Next, change directory to /var/www and compress them to standard output
# which then gets redirected to a compressed .tar.gz file.
ssh -p $PORT $USER@$HOST -i $PKEY 'cd /var/www && tar czf - *' > $FILE.tar.gz
# If there is a wp-config.php file stored outside /var/www, make a backup of
# that configuration file as well.
scp -P $PORT -i $PKEY $USER@$HOST:/var/wp-config.php $FILE-wp-config.php
# After that, backup the Apache virtual host configuration file.
scp -P $PORT -i $PKEY \
$USER@$HOST:/etc/apache2/sites-available/000-default.conf $FILE-apache.conf
# The script ran successfully.
exit 0
First, I recommend that you create a bin directory inside your home directory.
mkdir ~/bin
Then, use a text editor in the terminal of your choice (vim, nano, pico, etc.) to create a new file called cpbackup.sh. That script will be in the bin directory. In my case:
vim bin/cpbackup.sh
Copy the script that I created above. It's after the section called Development or Backup Server. The script starts with #!/bin/sh which is the start of the script. Copy it all the way down to exit 0.
Paste the script in the terminal. For Linux users who use a GNOME Terminal like I do, it's CTRL+SHIFT+V. For Mac users who use a Terminal, it's Command+V.
Make some changes to the variables, such as the host name/IP address, port number, et cetera.
Save your changes and exit the text editor.
Give the script an executable permission.
chmod +x bin/cpbackup.sh
chmod, called change mode, allows you to modify read, write, and execute permissions for a user, group, and others. This is beyond the scope of my article. Remember back in the Audience and Prerequisites section that I have to assume you are familiar with Linux. I will have to write another article if I have to get everyone up to speed on how to gain familiar with Linux.
After that, execute the following command:
bin/cpbackup.sh
And you are done! If all goes well, all of your backup files have been stored in the backup directory. And oh, be sure you test your backups by extracting all the WordPress/ClassicPress files from the archive and put it in /var/www. Restoring the database is as simple as:
mysql -u ClassicPress -p ClassicPress < classicpress.sql
Then, simply copy wp-config.php file to /var (it's a good idea to move your wp-config.php file outside of /var/www directory) and copy the Apache configuration file to /etc/apache2/sites-available/, enable the virtual host using the a2ensite command, and you are good to go.
To automatically backup your WordPress/ClassicPress site from time to time, simply execute crontab -e and enter at the bottom of the crontab file:
0 0 * * * bin/whateveryournameofthefileis.sh
And that is done.
Summary
Hopefully you should have a backup infrastructure in place so that if anything goes wrong, you can be able to restore from a good working backup. I hope my article is helpful to anyone who needs to perform a backup of their website including the database. Stay safe and practice good security hygiene online. Oh, and backup your files in your computer to a server or a NAS if you have one. And yes, you should definitely have a home server or a NAS for backing up all your important files. Thank you for reading my article.
Article published: 2022-11-17 08:47
Categories: The World of Computers, Information Technology, Internet, Networking, Scripting and Programming
If you promoted your server to a domain controller, you won't be able to change the hostname for Windows Server Domain Controller without inputting commands in the command prompt. Basically, you need to open the command prompt, add a new alternate hostname, make the domain controller your primary hostname, reboot your server, and then remove the old hostname. This is useful if the server's hostname was not changed before the server gets promoted as a domain controller. The order of commands along with the syntax is as follows:
Adds a new hostname to the domain controller as an alternate hostname. For this example, newcomputername will be added as an alternate hostname for the domain controller.
/makeprimary
Makes a hostname a primary name for the domain controller. newcomputername will be the primary name for the domain controller and the oldcomputername will be the alternate hostname for the domain controller.
/remove
Deletes the hostname from the domain controller. In this case, the /remove flag removes the oldcomputername from the domain controller.
/enumerate
Although not shown in the order of commands above this list of commands, parameters, and flags, this will enumerate the list of hostnames assigned to the domain controller. This flag does not require a parameter, so the colon after the enumerate flag is not needed.
shutdown /r /t 0
This command reboots the server (hence, /r) immediately (/t 0. The /t 0 flag and parameter is a timer.
dcdiag
Not shown in the list of commands above. This command runs a diagnostic for the domain controller to make sure everything in the domain controller is working fine. There might be some errors and warnings, but if computers can login to the domain controller, it should be fine.
Because I did not know the commands myself, I must give credit to "The ICT Guy" (Twitter profile) for writing an article titled Correctly renaming a Domain Controller for a seamless easy migration. That article has been of great help to me since I am testing Windows Server 2016 Essentials edition as part of my virtual homelab setup. For example, I wanted to test the domain joining functionality in macOS and test an Active Directory integration in Nextcloud using an LDAP/AD integration app. LDAP stands for Lightweight Directory Access Protocol and is used for managing users and groups.
I hope I can be of help to Windows administrators.
Article published: 2022-09-25 01:15
Categories: The World of Computers, Information Technology
When creating Linux containers for the purpos of joining them to an Active Directory Domain Controller, make sure the checkbox after the "Unprivileged Container" is unchecked. The "unprivileged container" checkbox is after the "Hostname" edit box. Unprivileged Linux containers won't be able to join to an Active Directory. Essentially, I forgot to uncheck the "Unprivileged Container" and wasted hours of my time, but I consider time well spent when learning the hard way.
Proxmox has "Unprivileged Container" checked by default when creating a new Linux container. That option cannot be changed once a Linux container is created, so the Linux container will have to be deleted in order to start from scratch with "Unprivileged Container" unchecked.
Skip ahead to Long Version section for more details.
I wanted to see if I can implement Active Directory functionality without needing Windows Server operating system. A software called "Samba" lets me do just that, so I followed instructions on getting Samba's Active Directory Domain Controller (AD-DC, for short) up and running. I set this up in a privileged Linux container. The reason why Linux containers need to have privileges is because when I did a search for "setresgid failed [22][Invalid argument]" (without quotes) in StartPage, I came across a page in GitHub titled Cannot log in with Active Directory users via SSSD on Proxmox #3153. That was when I created a new Linux container and I forgot to uncheck the "Unprivileged Container" checkbox. I did a lot of troubleshooting when I looked into /var/log/sssd/sssd_graysonpeddie.lan.log and /var/log/sssd/krb5_child.log. graysonpeddie.lan is my local domain name for my home network. This web page explains how to setup a Linux client for joining to a Samba domain. From what I have learned, if I execute an id command in my Linux client:
gpeddie@ubuntu-desktop1:~$ id
uid=1451201106(gpeddie) gid=1451201104(grayson peddie) groups=1451201104(grayson peddie),1451200513(domain users)
According to the GitHub page that I linked earlier, the maximum user ID and group ID (UID and GID for short) is 65536 for an unprivileged Linux container. Within the issue page, the max UID and GID can be changed to 1000000000 or something higher. However, as this is for experienced Linux users who know the inner workings of Linux containers, the moral of the story is that "Unprivileged Container" needs to be unchecked in order for domain joining to work.
Warning
Bear in mind that privileged containers are not safe for businesses when it comes to attackers exploiting privileged Linux containers. And yes, it's all about vulnerabilities and exploits when it comes to escaping Linux containers and causing damage to the host; however, for homelab purposes, a privileged Linux container is fine for my needs. If you are concerned about the security of Linux containers, spin up virtual machines instead of Linux containers in Proxmox. Of course, depending on your security hygiene, virtual machines can be as unsafe as privileged and unprivileged Linux containers if you do not have security precautions in place. For more details, learn more about privileged and unprivileged containers.
Article published: 2022-09-22 06:27
Categories: The World of Computers, Computers, Information Technology
From your smartphone (not your desktop or laptop computer), open the Uber application.
Tap Account. The Account button is located at the bottom right of your smartphone's screen.
Tap your avatar to the right of your name.
Tap your email address to change your email address. Skip to step 6 if you do not make use of unique email addresses for every account that you signed up for.
Once you change your email address, tap Update. Go into your email account and look for an email from Uber. Enter the verification code that Uber gave you.
Tap your password. You will need to verify your password first before you generate your new password from a password manager.
And you are done! Congratulations! You have successfully changed your unique email address and password! Stay safe!
Cannot Change Email Address and Password in Uber's Website
If you are like me, you watched a video about Uber Has Been Hacked and you have a unique email address and unique password assigned to your Uber account. If you make use of a password manager such as Bitwarden or KeePassXC but do not have more than one email address, that's okay and unique passwords are important anyway. Password managers saved me from re-using passwords and I cannot remember hundreds of passwords.
So you learned about Uber that got hacked and we all know that we should change our passwords, correct? For no reason, Uber won't let me change my email address and password in their website. I have to change that in an Uber app in my smartphone. And yes, I went into my profile after I sign into Uber's website and there is no way to change both my email address and password!
The Only Way To Change Important and Sensitive Information?
That's right! Your smartphone! If you need to change your email address and password, you must open the Uber app in order to change what you need to change. And you know what? My computer is a lot more convenient than my smartphone. Why? Physical keyboard, a mouse, and a large monitor. I have to have my smartphone very close to me due to my visual impairment and the use of my smartphone can hurt my back. It would be nice if I could connect my smartphone to a dock and use my computer monitor, mouse, and keyboard to control my smartphone. That reminds me of Purism's Librem 5 smartphone. I found a video called Desktop and Phone Convergence. Purism Librem 5 is not only a smartphone, but it is more of a general-purpose computer. The smartphone runs PureOS, a Linux distribution made for Librem laptops and Librem 5 smartphone. If Android could do convergence right out of the box, I could turn off my Mac Mini that I currently have in order to save power and just use my smartphone like a computer. That way, I could pull up an Uber application using my mouse and keyboard and I can change my email address and password from there! I do not have to worry about visiting Uber's website.
Surely, we should be able to change our email address and password right from Uber's website, right? At the end of the day, I think we are living in a smartphone-first world where smartphones are all the rage these days. And all the smartphone manufacturers are all copying Apple's designs with the exception of Planet Computer Astro Slide 5G. That smartphone has a built-in physical keyboard and I would love to get my hands on one when it ships. Oh, and you can thank me for providing instructions at the very beginning of my article. Far too many blogging websites make it seem so wordy that their articles provide lots of reasons for changing the password that I would have to scroll down the article in order to view the instructions. Simply read the instructions from the beginning of this article and you can change your email address and password in no time!
For those unfamiliar with LXC and Proxmox, LXC is similar to a virtual machine that runs a guest OS (Windows, Linux, Mac, Android, etc.) but the container part of LXC excludes the core part of the OS and simply provides networking and storage inside a container. Unlike virtual machines, applications inside a container can access resources on a host system directly. Proxmox is a hypervisor for running virtual machines and Linux containers (LXC) in a server hardware.
IP Addresses and Subnetting
Do you need to have multiple IP addresses assigned to a network interface inside an LXC container? In terms of networking, a single NIC can have multiple IP addresses. This is useful if you want to run a single server with multiple websites that have their own IP address. Here's what I mean:
172.20.31.0/23
A small HTML file with a list of websites hosted by the web server.
172.20.31.1/23
A web application running Adminer, a lightweight alternative to phpMyAdmin.
172.20.31.2/23
A development version of my website that mirrors a production version. Anyone who visits my site sees my production version of my website.
Once I test the changes I made in the development website, I push the changes up to the production website.
172.20.31.3/23
A custom-built web application for taking notes. Any notes written in HTML gets shown up in the web browser.
172.20.31.4/23
A development version of the note-taking web application taken from 172.20.31.3.
A note for those new to networking: pay attention to the subnet. A slash 23 subnet can start with 172.20.30.1 and ends at 172.20.31.254. Both 172.20.30.255 and 172.20.31.0 are both valid IP addresses. 172.20.30.0 is a network address and 172.20.31.255 is a broadcast address. Cisco has an article about IP addressing and subnetting in order to help you understand how subnetting works. With that out of the way, let's get into configuring a Linux container running in a Proxmox server.
How I Initially Configure the Network Interface Inside a Linux Container?
When you create a new Linux container, you get to the Networking tab and filled in the IP address and default gateway. Once you start the container, the output of /etc/network/interfaces is as follows:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 172.20.31.0/23
gateway 172.20.30.1
Now you want to add additional IP addresses to a single network interface:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 172.20.31.0/23
gateway 172.20.30.1
iface eth0 inet static
address 172.20.31.1/23
iface eth0 inet static
address 172.20.31.2/23
iface eth0 inet static
address 172.20.31.3/23
iface eth0 inet static
address 172.20.31.4/23
You saved the file and you did a restart of networking service:
systemctl restart networking
What happens if you reboot? The output will be as follows:
If I did not check out the /etc/network/interfaces file, I would execute the ip a command that lists IP addresses for all interfaces and saw something similar to this:
gpadmin-local@webservers:~$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if111: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 7e:ef:18:b4:a4:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.20.31.0/23 brd 172.20.31.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::7cef:18ff:feb4:a4b9/64 scope link
valid_lft forever preferred_lft forever
When I restarted the networking service, I found out that the network interface (eth0) already exists. I don't know why Proxmox would change individual IP addresses to the same IP address and add redundant default gateways with the same IP address, but it seems Proxmox does not handle multiple IP addresses in a network section of the web interface for the Linux container.
Solution
Turns out I have to remove the IP address and gateway from the network configuration. With the Linux container selected (in my case: webservers), I went into Network, double-click the eth0 row containing an IP address, tab over to IPv4/CIDR edit box and removed both the IP address/subnet mask and gateway. Once I've done that, I clicked OK, made configuration changes in /etc/network/interfaces, and rebooted the container. In order to verify full networking functionality, I rebooted the Linux container, logged back into the container, and once I execute ip a command, all the IP addresses are preserved.
A screenshot of the Proxmox web interface. Everything in the sreenshot is darkened except for the two edit boxes, which is IP address/CIDR and default gateway. Both are set to blank and the IPv4/CIDR edit box shows "None." This image only shows a dialog box for network configuration. Those with eyesight can view a large image by clicking or tapping in the figure.
Oh, and I almost forgot: this network configuration can also apply to Ubuntu, AlmaLinux, Rocky Linux, OpenSUSE, and just about any other Linux distributions.
Notes For Those Who Use a Screen Reader
For anyone using a screen reader such as JAWS (Windows), NVDA (Windows), VoiceOver (Mac), or Orca (Linux), I'm not sure how anyone can access a virtual machine within a Proxmox web interface. And I'm not even sure if screen readers can read the text within the Linux container console; however, I am able to copy text from the console. The only difference is I have to highlight using a mouse, right-click in the console, and select copy. Doing Control+C sends a termination signal or displays ^C in a terminal. Doing Control+V once does nothing, but executing Control=V again shows a ^V in a console, so pasting text in a Proxmox console does nothing for those who do not want or cannot use a mouse.
Summary
The bottom line is this: in the networking section of the Proxmox web interface, leave the IP address and default gateway blank. Once you get into the console, edit the /etc.network/interfaces and add your IP addresses manually.
I watched the video about whether the ransomware can be stopped and I scrolled down through the comment section. While reading comments, some people are suggesting that we switch to Linux because Linux is more secure compared to Windows. That is true that Linux is inherently secure compared to Windows and Mac; however, what if I were to tell you that if you are running Arch Linux, Fedora, Ubuntu, Solaris, FreeBSD, OpenBSD, Haiku OS, or just about any other operating systems in our planet that you can still fall victim to phishing attacks? If we all switch to a different operating system on a basis that one is more secure compared to other operating systems, then we are forgetting about our weakest link.
Let me ask you again. Who or what is the weakest link in the cybersecurity chain? It's not Windows; we are the ones that need education so we can protect ourselves online.
No anti-malware, anti-virus, and anti-ransomware programs will protect you against ransomware attacks. And Linux and BSD operating systems won't protect you from phishing emails either. What we need is cybersecurity awareness training. Businesses should establish cybersecurity awareness training. Here's one example that shows a video about cybersecurity awareness training from Burgi Technologies. The video starts with email, which talks about safeguarding your email such as phishing, email attachments, and spam. Do note though that an email address can be spoofed, so if you receive a phishing email and the email address in the From field ends in @paypal.com and the email claims to be from PayPal, you should simply go to PayPal's website and check what is going on in your PayPal account. Plus, the security awareness training talks about passwords, malware (don't forget that malware can target Linux computers as well), public Wi-Fi, and even IoT, such as thermostats, Google Nest cameras, and even light bulbs. Even a router needs to be protected as well. And don't forget about social engineering as well.
Remember what I mentioned about PayPal? Phishing attacks is one of them. They can even call you over the phone by impersonating that someone is your employer. They might say it's urgent and they need access to the username and password so they can access the network resources so they can do harm. In other words, they can manipulate you into disclosing confidential or sensitive information.
Regarding security question and answers, it's convenient if you forget your password, but put in your correct information and once an attacker can scour the Internet tin order to look for information, they can click the "reset password" link, fill in the answers to questions, and once everything is correct, they can then reset the password so you cannot access your account any longer. This is where a password manager comes in. Your password manager of choice can remember gibberish answers to questions. For example:
Question: What is your boyfriend's name?
Answer: I would like to say thank you to my friend 68dagbbzpTmR5.
Question: What is your first car you owned?
Answer: My beautiful-looking car is my bicycle and I love jverw89.TmZr
Question: What is your mother's maiden name?
Answer: oi9574bn8tTv8rBz0qpM.,[23w489hZm
A lack of honesty can safeguard your account against information gathering so they can do harm to your account. That's why a password manager such as Bitwarden can come in handy so that a password manager can help remember your gibberish answers to security questions. And no, security questions is not a security feature. If I know so much about you and I know your email address, I can gather information about you and reset your password by answering security questions without your knowledge. I know this is scary, but don't let that scare you if you are using a password manager.
To take it a step further, I also make use of unique email addresses as aliases. I do not use plus addressing or catchall because I can create email addresses for my own domain name. I use different email addresses for different sites that I sign up for. For example, I gave pizzahut(at)example(dot)com to Pizza Hut, uber(at)example(dot)com for Uber, walmart(at)example(dot)com for Wal-Mart, bestbuy(at)example(dot)com, and so on and so forth. Not only is this good for security, unique email addresses enhances my privacy. Sure, this is not part of cybersecurity awareness training as employees may not have the luxury of having more than 1 email addresses, but I did this in order to take security into my own hands so that I won't become a weakest link in the cybersecurity chain. Even if businesses said that they took security seriously, if one of my unique email addresses have been compromised in a breach and ends up in Have I Been Pwned, not only should I change the password using my password manager, I can change my email address right away. Why? I did this in order to dodge spam and phishing emails. Because I make use of unique email addresses, I get very little to no spam each month. If I do get spam email messages that lands in my spam or inbox folder and one of my unique email addresses were listed in the To field, I can consider my email address compromised and can track who sold or give away my email address and change my email address or stop doing business with them at any time, immediately delete my compromised email address, and move on with my life.
Don't let Linux users tell you that you should switch to Linux no matter how inherently secure Linux is. At the end of the day, no matter how much we need to keep our operating systems and software up to date, we still are the weakest link in the cybersecurity chain. We still need to educate everyone in order to stay safe online. Linux is not a be-all-end-all solution to our security problems.
(For my blog post, I want to focus on the audience regarding people who use Internet every single day and knows a lot about cybersecurity. Myself included.)
Imagine a scenario: you went to get your haircut and the place you went to requires you to enter an email address before you get your haircut. Why? Even if I do have a smartphone and I use Internet every single day, why must I put in my email address? For what purpose? To send spam? For businesses, they might say "we respect your privacy and take security seriously," but in my mind, I would say that if an email gets compromised in a data breach, it's more likely that those who are not tech-savvy are more likely to receive spam and phishing emails. Not thinking about security when using the Internet can lead to ransomware and identity theft. They might stop using the computer altogether because of fear of feeling unsafe online.
So anyone who have not used the Internet before would then ask...
Okay, so what is malware? Oh, maybe I should click in the link. Oh, and what is a file?
Okay, I can imagine tech-savvy folks asking "what do you mean, 'what is a file?' Do you ever know how to use a computer before?" How can we guide people who does not use Internet every single day, let alone not knowing "what is an Internet?"
What is an operating system? Windows? Mac? Linux? What is an email address? What is a "file?" See where I'm going with? What is Android? iPhone? iOS? How do I manage files and folders in my computer? How do I check my email? I hope you get my point.
So back to the topic about email address requirement, people who have no plans to educate themselves regarding security and privacy should not have an email address and should not be using the Internet. Even a smartphone can be very complex compared to a cell phone that only make and receive phone calls and nothing else. Let alone how to send and read text messages. And yes, I'm talking about people who use cell phones with no capability for browsing the Internet. Not even Firefox, Chrome, or Safari.
Okay, so you say that your 90-year-old family member knows how to use the Internet, takes care of security themselves, and I should not overly-generalize myself. Well, that's great, but we should not force everyone to have a smartphone just so they can face dangers lingering in the Internet.. People should be educated regarding the implications regarding cyber attacks and how to protect themselves; however, as long as people out there (Demographics of Cybercrime Report) do not take their time to educate and protect themselves, businesses should not require them to have an email address when they check in. Even dentists should make email address requirement optional as well. Even though I have close to 200 email addresses at the time of writing (one email address per site with no plus addressing and no catchall for my domain), I do not want to enter my email address if I do not want to for privacy and security reasons.
Businesses say "we take security and privacy seriously," yet businesses do not take their time to harden and patch their systems over time. Of course, training employees regarding how to protect themselves against phishing emails is a very important part of having a security culture for businesses. But then again, an email address would be a requirement for businesses for getting your customers to setup an account online, but in a physical world where people simply walk in, as long as people do not use the Internet and do not plan to educate themselves, an email address should not be a requirement. At all.
Article published: 2021-10-06 12:00
Categories: The World of Computers, Computers, Security
I have been watching a couple of YouTube videos of people who want a computer in one room (such as a wiring closet) and a keyboard, video, and mouse (KVM) in a home office. To give you an idea of what I'm talking about, I want to post links to YouTube videos.
Embedding YouTube or Odysee videos will insert a tracking cookie in users' personal computers. As a citizen of the US, I need to follow GDPR if European visitors visit my website. I don't like and want to talk to lawyers to be honest. 🤣😀
As for the video from Linus Tech Tips, I would much rather have a couple of computers rather than single computer that can house a couple of virtual machines running desktop OSes such as Linux and Windows just to make it easier for me. So yeah, a virtual machine is a computer within a computer that can serve different purposes such as running Ubuntu within Windows using VirtualBox or by running Windows OS in a Linux host using KVM or Xen.
So, I have an idea of my own. When it comes to building a house, I would like to wire my future house for Ethernet and HDMI connectivity. The computer will be in a wiring and server closet and my essentials such as my mouse, keyboard, monitor, audio interface, and a couple of others will be in a recording studio/home office room. So here's what I'm thinking of buying in the future:
One concern I had with USB over Ethernet is latency from the audio interface to the computer over the Ethernet cable. However, one look at the images and answers to questions tells me that latency over Ethernet cable should not be a factor. That way, I can have my computer fans spin at max RPM in the server room (well, maybe not too loud) and still have complete silence in my studio/office with sound proofing and acoustic panels.
Oh, here something that I would like to show you (for those with eyesight). It's a home theater room made in Blender.
This is a rendering of my home theater made in Blender. It has a 200" projection screen, 7.2.4-channel speaker system, and comfy seats with cupholders in between.
My dream of a home theater will be a lot simplistic than that with flat ceilings with no light strips in between them. A home theater will be in a basement. Speaking of home theater, I could patch my home desktop over to my home theater while in the server closet if I want to watch YouTube/Odysee videos. How cool would that be if a house can have a central computer core just like in a starship such as U.S.S. Enterprise D or U.S.S. Voyager? Speaking of starships in Star Trek, do you know that a central computer core can span over several decks? Actually, a starship can contain two or more computer cores. My house might have only a single central computer core with a couple of rack-mounted desktops and servers as part of a homelab! Here is an example of a homelab shown in a YouTube video.
As for rack-mounted desktop PCs, I'm thinking of Rosewill RSV-L4500U Rackmount Server Chassis and put them inside a StarTech.com 42U Server Rack Cabinet. Oh, sure the rack-mounted enclosure costs more than an open-frame 42U rack, but to me, it will look a lot cleaner by having an enclosure. Now if only there are 5U or 6U rack-mountable computer cases so I can fit a tall heatsink such as Noctua NH-D15 or Scythe Ninja 5 heatsink. Now keep in mind. I do not care about the looks of computer components. No RGB fans, no tempered glass side panels from the likes of Lian-Li 011 Dynamic XL or even from Phanteks line of computer cases, no nothing.
Why!?
Out of sight, out of mind.
That's my mindset when it comes to computers. If you watch Star Trek, you must know that Captain James T. Kirk does not look at a central computer core every single day while he's in his quarter or in the bridge! No Starfleet officers should care about how cool computers look as long as they perform their jobs! Sorry elite gamers, but I do not like the market the computer case manufactures are targeting. Go look at how cool your computer looks while you are failing your Cisco CCNA course because hey! All that cool RGB fans and that NZXT Kraken Z73 cooler of yours are so much fun to look at! 🤣
As for me? I'm excelling in Cisco CCNA course! Why? My Silverstone FARA R1 computer case only has a plain side panel and is free of distractions. It's unfortunate that a computer case with a plain side panel is unavailable. But I have it! However, the limitation I have is I cannot take the case feet off so I can fit on top of a rack-mounted shelf.
Oh, did I meant to taunt you for having all that cool tempered glass computer case with all that RGB gizmos? Get over it! Seriously. I know you've been playing games 24/7 while you look at how cool your computer looks. Okay, okay. I'll be nice to you elite gamers! 🙂
If you want to get into the world of homelab, Lawrence Systems and Learn Linux TV has done a couple of videos for setting up different aspects of homelab such as Home Assistant, storage server, firewalls and switches, Linux, Ansible, securing your lab, and so much more. Check out the playlist on YouTube and enjoy! Any desktop PCs will be part of a homelab as well. And yes, RAID is not a backup solution. In a RAID 5 setup with 7 hard drives (6 for data and 1 for parity), if one drive fails, swap out the hard drive as soon as possible. But if two drives out of 7 fail, you lose all the data inside the hard drives.
Now here's a question. What about entertainment devices such as NVIDIA Shield TV, and PlayStation 5? These devices can sit on a rack-mountable shelf and can be patched to my home office room using an Ethernet-based USB extender. For HDMI, I can make use of Anthem MRX 740 for my home office room and use HDMI Zone 2 Out to pass HDMI audio/video signal to Anthem MRX 1140 receiver, which can go to the home theater room. What I've learned from a thread over at avforums.com is that the main receiver (MRX 740) will pass audio/video signal to another receiver and plays no part for processing A/V signals.
What that means is I can independently select a source in the second zone while the first source will remain intact in the main office room. Just tell Home Assistant to switch to NVIDIA Shield in the second zone of MRX 740 receiver, and Home Assistant will do the rest. Whatever is shown in MRX 1140 for the home theater room will reflect what was shown from MRX 740's HDMI Zone 2 output.
So yeah, centralizing desktop PCs in a wiring/server closet is my dream of the future! Centralize all the desktop computers into one 45U server rack! 🙂
Article published: 2021-08-14 17:42
Categories: Visionary Living and Exploring Tomorrow, Homes and Buildings, Home Theater, The World of Computers, Computers, Networking
This is a comparison of two lavalier microphones. Recently, I bought a Shure MX185 cardioid lavalier microphone as I want to test if a uni-directional (cardioid) microphone is right for me, especially if I want to test and hear if my AKG K702 headphone leaks sound to my microphone especially for the Zoom meeting. I bought a Movo LV8-D microphone as of late October so I can participate in Zoom meeting that began November of last year. The Zoom meeting I am participating in is Cisco Academy from National Industries for the Blind. I'm studying for Cisco Certified Network Associate certificate (CCNA, for short) and my class ends by the end of August. I asked if students and my instructor can hear any leaks coming from my K702 headphone and they said they did not hear any leaks at all, which is great. However, I have a Sony WX1000XM3 headphone and because of the shape of my headphone, I don't think my hearing aids are picking up any high frequency sounds unlike when I use my AKG open-back headphone.
I plan to ship my Shure microphone back because the uni-direction nature of a lavalier microphone is not for me, especially as I was reading from left to right as i read the script during the recording.
Do note that even though I did cut out a couple of pauses in my audio production software (Ardour), I tend to speak slow as speaking at a moderate speed for more than a minute is not my second nature. As I live in Altha, FL, a rural town in the United States, I've been very lonely a lot even when I go to restaurants with my family. Plus, I did not position the text inside the dialog in the first part of the video correctly. I do not want to waste another 45+ minutes trying to render the entire video using Blender. Although as a Linux user, I could have used KDenLive instead of Blender; however, as Blender is a very easy tool for me to use, I used it for the majority of my video editing. My familiarity with KDenLive is secondary to Blender.
When I zoom in using GNOME Magnifier (Windows key+Alt+8 to activate the magnifier and Windows key+Alt+- or Windows key+Alt+= to zoom in or out, respectively), there is a small mouse cursor shown in the screen. I think it's a bug with the compositor that draws the entire application, be it Firefox, GIMP, or Ardour). Please ignore the small mouse cursor. Thanks.
Anyway, I appreciate you checking out my video that I linked above. Here are the links to products listed for the video:
As a web developer of my website, I have implemented pagination that allows anyone to view more posts by page and be able to view blog posts by month and year. I created a custom theme from scratch so that I can personalize my website to my liking. I wanted to give the pagination system an "electronic" look.
This screenshot shows pagination implemented in my website. In my development machine, I have set the number of posts per page to 5 in order to demonstrate the effect. I blurred the surrounding image to cut the file size by half.
For those with eyesight, you can click in the image to see a full screen of my desktop that shows the pagination system in effect.
if ( 'monthly' == $r['type'] ) {
$query = "SELECT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`,"
." count(ID) as posts FROM $wpdb->posts $join $where"
." GROUP BY YEAR(post_date), MONTH(post_date) ORDER BY post_date $order $limit";
$key = md5( $query );
$key = "wp_get_archives:$key:$last_changed";
if ( ! $results = wp_cache_get( $key, 'posts' ) ) {
$results = $wpdb->get_results( $query );
wp_cache_set( $key, $results, 'posts' );
}
if ( $results ) {
$after = $r['after'];
foreach ( (array) $results as $result ) {
$url = get_month_link( $result->year, $result->month );
/* translators: 1: month name, 2: 4-digit year */
$text = sprintf( __( '%1$s %2$d' ), $wp_locale->get_month( $result->month ), $result->year );
if ( $r['show_post_count'] ) {
$r['after'] = ' (' . $result->posts . ')' . $after;
}
$output .= get_archives_link( $url, $text, $r['format'], $r['before'], $r['after'] );
}
}
}
So I looked over the code and I saw that there is a $result variable that is converted into an array. I took that code from the WordPress.org website and I modified the code to suit my needs in functions.php inside my custom theme folder.
function monthly_archive_array() {
global $wpdb;
$r['type'] = 'monthly';
$where = apply_filters( 'getarchives_where',
"WHERE post_type = 'post' AND post_status = 'publish'", $r );
$last_changed = wp_cache_get( 'last_changed', 'posts' );
if ( ! $last_changed ) {
$last_changed = microtime();
wp_cache_set( 'last_changed', $last_changed, 'posts' );
}
/**
* Filter the SQL JOIN clause for retrieving archives.
*
* @since 2.2.0
*
* @param string $sql_join Portion of SQL query containing JOIN clause.
* @param array $r An array of default arguments.
*/
$join = apply_filters( 'getarchives_join', '', $r );
$query = "SELECT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`, count(ID) as posts FROM $wpdb->posts $join $where GROUP BY YEAR(post_date), MONTH(post_date) ORDER BY post_date ASC";
$key = md5( $query );
$key = "wp_get_archives:$key:$last_changed";
if ( ! $results = wp_cache_get( $key, 'posts' ) ) {
$results = $wpdb->get_results( $query );
wp_cache_set( $key, $results, 'posts' );
}
if ( $results ) {
return (array)$results;
}
}
$archiveMonthlyList = monthly_archive_array();
function get_monthly_archive_array() {
global $archiveMonthlyList;
return $archiveMonthlyList;
}
Note that in the last 6 lines of code, I decided to have a function (get_monthly_archive_array()) get the result from a variable ($archiveMonthlyList). When I go to my website, ClassicPress executes a functions.php file in my custom theme folder so that I don't get the data from the database twice. Yet I actually do have wp_get_archives() in my sidebar, so I did have my website execute the same SQL statement twice. Well, one is in descending order from the newest to the oldest in the sidebar and I wanted to get the month and year of all the published posts from oldest to newest. If I replace the built-in function in my sidebar with my own function which exposes an array, I should be able to improve performance for my website, although probably not by much.
function constructLinkFromYearMonth($array, $index, $nextMonth) {
$offset = ($nextMonth === true) ? 1 : -1;
$spanlsaquote = ($offset === -1) ? "<span class='visualonly'>‹ </span>" : "";
$spanrsaquote = ($offset === 1) ? "<span class='visualonly'> ›</span>" : "";
$prevNextMonth = ($offset === -1) ? "Previous" : "Next";
echo "<a href='".get_month_link($array[$index + $offset]->year,$array[$index + $offset]->month )
."'>".$spanlsaquote."<span class='screenreader'>".$prevNextMonth." month: </span><span class='narrow-screen'>"
.showMonthYearLocale(
[$array[$index + $offset]->year,$array[$index + $offset]->month])."</span>".$spanrsaquote."</a>";
}
function show_pagination() {
global $paged;
if(empty($paged)) $paged = 1;
global $wp_query;
$pages = $wp_query->max_num_pages;
if(!$pages)
{
$pages = 1;
}
echo "<div class='pagination'>";
echo "<h3>View More Posts By Month or Page</h3>";
echo "<div class='pagination_area'>";
echo "<div class='pagination_top'>";
// Get the list of months and years from the archive in an array.
$monthlyArchive = get_monthly_archive_array();
// If there is year/month in URL, get it and trim the leading and
// trailing slashes. Example: 2021/04
$currentMonthYear = trim($_SERVER['REQUEST_URI'],'/');
// array[0] = year, array[1] = month
// Example: array[0] = "2021", array[1] = "04"
$curMonthYearArray = explode('/',$currentMonthYear);
if(preg_match("/^[0-9]{4}\/(0[1-9]|1[0-2])$/",$curMonthYearArray[0].'/'.$curMonthYearArray[1])) {
// array[0] = year, array[1] = month
// Example: array[0] = "2021", array[1] = "04"
$curMonthYearArray = explode('/',$currentMonthYear);
// Initialize a blank array for integers.
$intCurMonthYearArray = Array();
// Convert strings to integers in an array in a new variable.
foreach($curMonthYearArray as $curMonthYear)
$intCurMonthYearArray[] = (int)$curMonthYear;
// Initialize the integer for the index.
$indexOfMonthYearArray = 0;
foreach ($monthlyArchive as $key => $val) {
if ((int)$val->year === $intCurMonthYearArray[0] &&
(int)$val->month === $intCurMonthYearArray[1]) {
$indexOfMonthYearArray = $key;
}
}
echo "<ul class='pagination_month'>";
echo "<li class='month_current'>";
echo "<span>".showMonthYearLocale($curMonthYearArray)."</span>";
echo "</li>";
if($indexOfMonthYearArray > 0) {
echo "<li class='month_prev'>";
constructLinkFromYearMonth($monthlyArchive, $indexOfMonthYearArray, false);
echo "</li>";
} else echo "<li class='month_prev smallfontsize'><a class='screenreader'>Beginning of current month</a></li>";
if($indexOfMonthYearArray + 1 < count($monthlyArchive)) {
echo "<li class='month_next'>";
constructLinkFromYearMonth($monthlyArchive, $indexOfMonthYearArray, true);
echo "</li>";
} else echo "<li class='month_next smallfontsize'><a class='screenreader'>End of current month</a></li>";
echo "</ul>";
} else {
$latest = $monthlyArchive[count($monthlyArchive) - 1];
echo "<div class='pagination_month msg'><span>View latest posts since "
."<a class='date-narrow' href='".get_month_link($latest->year,$latest->month )
."'>".showMonthYearLocale([$latest->year,$latest->month])."</a>.</span></div>";
}
echo "</div>";
if(1 != $pages)
{
echo "<div class='pagination_bottom'>";
echo "<div class='pagination_prevbtns'>";
if($paged > 2)
echo "<a href='".get_pagenum_link($paged - 2)."'>«</a>";
else echo "<a class='visualonly pagination_disbtn'>«</a>";
if($paged > 1)
echo "<a class='pageprev' href='".get_pagenum_link($paged - 1)."'>‹</a>";
else echo "<a class='pageprev visualonly pagination_disbtn'>‹</a>";
echo "</div>";
echo "<ul class='pagination_slot'>";
for ($i=1; $i <= $pages; $i++)
{
echo "<li>";
echo ($paged == $i)? "<a class='pagination_number current'><span class='screenreader'>Current Page: </span>".$i."</a>":"<a href='".get_pagenum_link($i)."' class='pagination_number' >".$i."</a>";
echo "</li>";
}
echo "</ul>";
echo "<div class='pagination_nextbtns'>";
if ($paged < $pages)
echo "<a class='pagenext' href='".get_pagenum_link($paged + 1)."'>›</a>";
else echo "<a class='pagenext visualonly pagination_disbtn'>›</a>";
if ($paged < $pages-1)
echo "<a href='".get_pagenum_link($paged + 2)."'>»</a>";
else echo "<a class='visualonly pagination_disbtn'>»</a>";
echo "</div></div></div></div>\n";
} else {
echo "<div class='pagination_bottom'>";
echo "<div class='pagination_prevbtns'>";
echo "<a class='visualonly pagination_disbtn'>«</a>";
echo "<a class='pageprev visualonly pagination_disbtn'>‹</a>";
echo "</div>";
echo "<div class='pagination_slot msg'><span class='nopages'>Only 1 page shown.</span></div>";
echo "<div class='pagination_nextbtns'>";
echo "<a class='pagenext visualonly pagination_disbtn'>›</a>";
echo "<a class='visualonly pagination_disbtn'>»</a>";
echo "</div></div></div></div>\n";
}
}
function monthly_archive_array() {
global $wpdb;
$r['type'] = 'monthly';
$where = apply_filters( 'getarchives_where',
"WHERE post_type = 'post' AND post_status = 'publish'", $r );
$last_changed = wp_cache_get( 'last_changed', 'posts' );
if ( ! $last_changed ) {
$last_changed = microtime();
wp_cache_set( 'last_changed', $last_changed, 'posts' );
}
/**
* Filter the SQL JOIN clause for retrieving archives.
*
* @since 2.2.0
*
* @param string $sql_join Portion of SQL query containing JOIN clause.
* @param array $r An array of default arguments.
*/
$join = apply_filters( 'getarchives_join', '', $r );
$query = "SELECT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`, count(ID) as posts FROM $wpdb->posts $join $where GROUP BY YEAR(post_date), MONTH(post_date) ORDER BY post_date ASC";
$key = md5( $query );
$key = "wp_get_archives:$key:$last_changed";
if ( ! $results = wp_cache_get( $key, 'posts' ) ) {
$results = $wpdb->get_results( $query );
wp_cache_set( $key, $results, 'posts' );
}
if ( $results ) {
return (array)$results;
}
}
$archiveMonthlyList = monthly_archive_array();
function get_monthly_archive_array() {
global $archiveMonthlyList;
return $archiveMonthlyList;
}
The reason why I decided to remove the range variable is so I want viewers in mobile devices to be able to scroll through pages horizontally (left/right). Of course, for desktop users I could add some JavaScript code that allows me to add/remove numbers based on the current page number and based on the width of the web browser. However, I am a heavy proponent of not using JavaScript whenever possible. I want everyone without JavaScript or for those such as me who use NoScript to enjoy the full potential of my website.
Web development is hard work, but at the end of the day, I enjoyed it a lot. Thanks for reading and enjoy visiting my site!
And note to self: I need to encode HTML code even if it's inside a <pre> tag before I break my website when publishing my post. Don't forget to do the same if you are a web developer as well. Use < for < and > for >. You can also use " for " as well. View the source code for my post to see what I did. In Firefox, open the context menu and choose "View Page Source." Same goes for Google Chrome.
Updated as of July 3, 2021 at 12:44 AM: Added <wbr /> tag to a long function in order to break the function into two lines. This is useful for mobile devices. All today's mobile devices should support HTML5 by now.
Article published: 2021-05-01 08:57
Categories: The World of Computers, Scripting and Programming
When you setup your new router, it's always a good idea to create a new user other than admin for pfSense and vyos for VyOS in order to reduce the chance that bots and miscreants will gain access to your router.
VyOS
Here's the completed configuration of my VyOS router and I will show you the commands.
Configuration
service {
# ...
ssh {
access-control {
allow {
user <username>
user vyos
}
}
listen-address 10.249.0.1
}
}
system {
# ...
login {
banner {
pre-login "Unauthorized access is strictly prohibited."
}
user <username> {
authentication {
encrypted-password ****************
plaintext-password ****************
}
full-name "First and last name goes here."
home-directory /home/<username>
}
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
}
}
# ...
}
Commands
ssh vyos@10.249.0.1
configure
edit system login user <username>
set authentication plaintext-password <your-password-goes-here>
set full-name "First and last name goes here."
set home-directory /home/<username>
exit
edit service ssh access-control
set allow user <username>
set allow user vyos
commit
save
You want to allow vyos access using SSH to make sure it works. Also, there is encrypted-password in VyOS but VyOS gave me an error telling me that the encrypted password is invalid. I did try to discard, but VyOS told me there are not changes to be discarded, so I saved, started a new terminal window, and once I SSH into my VyOS router for 10.249.1.1, everything works fine.
Now don't exit out of VyOS session just yet. You want to make sure SSH is working properly for a user you want to log into. Because otherwise editing and viewing the configuration will have to be done either through the use of a console cable or a monitor and keyboard hooked up to a monitor. SSH using your new username and password you've created. If you can successfully login to VyOS with a different username, you can simply remove the vyos user from the access control list in configuration mode.
delete service ssh access-control allow user vyos
Again, stay logged in to VyOS and use a different terminal to test and make sure you can log into VyOS through SSH. If everything is working as intended, you can safely log out of VyOS from all the terminals you've opened.
Also, you can configure a banner. Examine the configuration above and see if you can add a login banner. The pre-login is for when a user attempts to access the VyOS router using SSH. This will print out a banner before a user gets prompted for a password. After a user logs into VyOS, if the post-login is set, VyOS will print out the banner once the user logs in. This concludes the commands used for securing VyOS.
pfSense
The same can be done for pfSense. Open the web browser, point your browser to pfSense (in my case, http://10.249.2.1), and login to your pfSense web interface. Once you get to the main interface, follow instructions as follows.
In the System menu, open the User Manager.
Click in the + Add button below the list of users.
Enter the Username, Password, and Full Name. No spaces in the username.
In the Group Membership area, select admins and click in Move to "member of" list. This will move the admins group to the "member of" list.
Save the changes, log out, and log back in as the new admin user you have created in step 4.
In the user manager, click in the pencil icon (Edit) to edit the admin user.
Check the checkbox for Disabled. An admin user cannot login once the checkbox is selected.
When done, Save the changes.
Try to login as admin. If successful, you should not be able to log in as an admin user but instead log in as a new user. This concludes the step-by-step instructions for pfSense.
Conclusion
Preventing a root or admin user from logging into a router is one of the security's best practices. You can help ensure that bots and miscreants won't be able to gain access to your router without the correct username and password. Even when bots are performing a brute-force attack. Still, it's important to restrict access to the router through the use of a management subnet and if using pfSense, setup a root and server certificate in the Cert. Manager within the System menu and add a root certificate to your web browser of your choice. Use a management subnet for any devices that have SSH access or a web interface and do not allow managers, sales, web developers, or any other non-IT departments access to the critical network infrastructure.
Update: I just hit "c" twice in my keyboard (ccode instead of code) even though I only typed "c" just once. Ugh... Maybe I just need a different keyboard that prevents double-types regardless of the operating system I'm using... (And yes, I'm using Arch Linux.)
In part 1 of the article, I have covered how to create and configure virtual machines and install both VyOS and pfSense. In part 2 of this article, I'm going to cover how to configure pfSense with OSPF networking. Let's get going, shall we?
You must have created and configured virtual machines, installed VyOS and pfSense, and setup VyOS with OSPF. This article is for the intended audience who have knowledge and good experience with installing operating systems, working with Linux command line, basic networking, and virtual machines. This article is for those who have good computer networking skills such as configure networks and how to segregate networks from each other. Also, it's important to know how subnetting in IPv4 works.
I'm going to spin up a new virtual machine in my desktop computer. The virtual machine will have a network bridge set to ethbr0_2402. This is what the image looks like as shown below.
There are four terminals that shows how I configure all the interfaces.
For those who have eyesight, in the upper-right hand corner of the screen, you can see a list of bridges I have created. Each bridge has its own VLAN ID. So in my case, ethbr0_2402 has a VLAN ID of 2402. The traffic between the desktop and my server is as follows:
From desktop...
Signal coming out of virtual machine in my desktop...
...goes to ethbr0_2402, a bridge interface, which goes to...
...to ethbr0.2402, a VLAN interface that assigns a VLAN ID tag of 2402, which goes to...
...ethbr0, another bridge interface, which carries tagged VLAN traffic to...
...enp5s0, a physical network interface that carries tagged VLAN traffic to...
...an RJ-45 Ethernet cable which carries bits of ones and zeros of VLAN traffic to...
...my server, which gets picked up by enp7s0, which sends tagged VLAN traffic to...
...ethbr10, a bridge interface which sends tagged VLAN traffic to...
...vlan2402, a VLAN interface which links to ethbr10. vlan2402 removes the VLAN tag from the signal and then goes to...
...ethbr10_2402, a bridged interface which now sends traffic to pfSense VM in my server.
I hope I don't lose everyone. That's why it's important to have a lot of experience in Linux and networking. In order to send traffic back to a desktop VM running in my desktop, you simply reverse the process. Here, let me put it this way:
Desktop } Desktop VM <-> ethbr0_2402 (Bridge) <-> ethbr0.2402 (VLAN) <-> ethbr0 (bridge) <-> enp5s0 (Physical NIC in Desktop) <-> Ethernet Cable <-> enp7s0 (Physical NIC in Server) <-> ethbr10 (Bridge) <-> vlan2402 (VLAN Interface) <-> ethbr10_2402 (Bridge) <-> pfSense VM { Server
If VLANs did not exist, I would have to have 10+ network interface cards or adapters for my desktop and server (that makes 20 total or 2 times the number of network interfaces cards or adapters) and 10+ network cables and that would be a lot of mess to deal with.
And yes, do refer to the scenario and netplan configuration for my server in my first article.
Let's Configure pfSense
A Note About The Quality of Images
Please excuse the quality of images. When I took screenshots using a virtual machine (From the menu: Virtual Machine -> Take screenshot), the images were saved as PNG format (Portable Network Graphics). The PNG format is larger in file size than JPG (jpeg) format and I wanted to do a batch conversion of PNG to JPG all at once. In Linux, that's where mogrify comes in and is included in a package called imagemagick that can be downloaded from the distro repository such as Ubuntu, Debian, Fedora, Arch, OpenSUSE, and many others. I'm not completely sure how to preserve the image quality at 80% while keeping the file size low. Plus, I also used mogrify to batch resize images and store it in a different folder so that files would not be overwritten. I do have GIMP but because I have about 39 images, it can take a lot of time to do repetitive tasks.
For the first tab, I do Ctrl+Shift+E and change from .png to .jpg.
Resize the image (Alt+I, S).
Do Ctrl+Shift+E again to export the new image inside the thumbnail folder.
Because I cannot do Ctrl+Tab to get to the next tab, I had to click in the second tab while magnified, because in a 4K screen (3840x2160), the tabs are very small. That's because GIMP is not HIDPI-aware in Linux.
I then would repeat the same process 38 times until I have gotten all the images converted and resized, making sure that the image quality is at 80%, not 90% by default in GIMP.
I don't know why I cannot do Ctrl+Tab and Ctrl+Shift+Tab for switching between images without using my mouse. This is why I would rather want to do automation using a command line utility whenever possible and that's the reason why I couldn't figure out how to set the quality of images using the mogrify command. So, with a note about image quality out of the way, let's get into configuring pfSense for networking, shall we?
Images for Configuring pfSense
Figure 1-0: Login to pfSense. Username is "admin" and password is "pfsense." All lower case.Figure 1-1: IntroductionFigure 1-2: Configure hostname, local domain name, and DNS server.Figure 1-3: Set your time zone. Leave the NTP server as default unless you want to use your own.Figure 1-4: Leave the WAN configuration unless you want to change the IPv4 address. Scroll down to the bottom of the page...Figure 1-5: ...and clear the ckeckbox for bogon and RFC 1918 networks. This is only if you are behind another router.Figure 1-6: Leave the LAN configuratin as it is.Figure 1-7: Choose your password.Figure 1-8: Reload configurationFigure 1-9: Done!
Instructions for Configuring pfSense
Open the web browser for the virtual machine, type the pfSense's internal IP address, and hit Enter.
The virtual machine should have the same VLAN ID as the pfSense's virtual machine for the internal network. in my case, the IP address for the pfSense gateway is 10.249.2.1 and the VLAN ID is 2402. Note that you do not choose a VLAN interface when configuring virtual machines, but bridges. The network bridge is what allows virtual machines to share one or more interfaces.
The default username is admin and the password is pfsense. Login to pfSense. (Figure 1-0)
The setup wizard begins. Continue to the next step. (Figure 1-1)
Enter the hostname for pfSense, your domain name (optional; I've chosen lab.graysonpeddie.lan because this is my "virtual homelab"), primary/secondary DNS server (I suggest 1.1.1.1 and 1.0.0.1, but you can pick one such as 8.8.8.8 or 9.9.9.9), and I suggest you uncheck the checkbox for Override DNS. (Figure 1-2)
Leave the NTP (Network Time Protocol) Server as it is, and choose a timezone if you want. (Figure 1-3)
For the next step, leave everything as is, scroll down to the bottom of the page and uncheck the two check boxes for blocking private and bogon networks. These two need to be unchecked for Internet connection to work correctly. Continue to the next step. (Figure 1-4, Figure 1-5)
Note: If you are configuring pfSense and you have a public IP address assigned by your Internet service provider, leave both of them checked.
This step is for configuring a private IP address. Leave it as it is and continue to the next step. (Figure 1-6)
Choose your own password. Make sure you can remember your password as you'll need it when you log into pfSense. (Figure 1-7)
Click Reload to reload the configuration and click Finish to finish the setup wizard.
Things to Do Before Configuring OSPF in pfSense
Images for Post-Installation Steps and Verifying Internet Connection
Figure 1-1: Hover over System menu and go to Advanced.Figure 1-2: Go to Networking section.Figure 1-3: Disable hardware offloading and click Save.Figure 1-4: If all goes well, you should have connectivity to the Internet.
Let's Take Care of Things Before Vefifying Internet Connectivity
Skip the steps below if you are configuring pfSense in a real hardware. These steps are for those working in virtual machines.
Open the System menu and click in Advanced. (Figure 1-1)
Go to the Networking section and scroll down to the bottom. (Figure 1-2)
At the bottom of Networking section, check the checkbox to disable hardware checksum offloading. (Figure 1-3)
Verify that the Internet is working in the internal network. (Figure 1-4)
Install FRR Package in pfSense
Images for Installing FRR Package in pfSense
Figure 1-1: Available Packages.Figure 1-2: Click Install next to FRR.Figure 1-3: Click Confirm to install FRR.Figure 1-4: The installation of FRR should be successful.
How to Installing FRR Package in pfSense
Go to the Package Manager that is inside the System menu.
In the Available Packages section, scroll down to frr and click Install. (Figure 1-1, Figure 1-2)
Confirm the installation of FRR package and the installation should be successful. (Figure 1-3, Figure 1-4)
pfSense Firewall
pfSense must allow OSPF traffic from two VyOS routers. It's important to limit OSPF traffic between pfSense and VyOS routers. Let's configure the firewall before we configure OSPF using FRR.
Images for Firewall Configuration
Figure 1-1: Firewall Rules for WANFigure 1-2: Allow OSPF traffic.Figure 1-3: New firewall rule for OSPF added in WAN.
How to Allow OSPF Traffic Through the WAN Firewall
Open Rules in the Firewall menu. You should be in Firewall / Rules / WAN. The WAN tab is selected by default. (Figure 1-1)
Click in the Add button (either one) to create a new rule. (Figure 1-1)
For a new rule, the action is set to Pass by default. Set the Protocol to Any, set the source IP address and subnet mask (remember to limit the subnet for OSPF traffic to pass through), and click Save at the bottom of the page. In my case, I changed the source drop down menu to Network and set the address to 172.24.19.0/28. (Figure 1-2)
The firewall rule configuration is done. (Figure 1-3)
Now Let's Configure OSPF
Images for OSPF Configuration
Figure 1-0: The FRR-related menu items can be found in the Services menu.Figure 1-1: Enable FRR in order for OSPF to work.Figure 1-2: Enable OSPF and set the Router ID.Figure 1-3: Set the default area to 0. Note that I have added IP addresses for networks, but because that section has been marked depricated, I've decided to remove the IPv4 addresses from the list of networks.Figure 1-4: It's time to add a new interface.Figure 1-5: Add a WAN interface and set the interface to "broadcast."Figure 1-6: Add a LAN interface and set the interface to "non-broadcast."Figure 1-7: OSPF configuration is complete.
Instructions for OSPF Configuration
Under the Services menu, click in FRR Global/Zebra. This will take you to the global configuration page for FRR. (Figure 1-0)
Check the checkbox for Enable FRR and click Save at the bottom of the page. (Figure 1-1)
Next, go to the OSPF section and enable OSPF. Specify the Router ID. (Figure 1-2)
Scroll down until you get to specify an area. The area should be the same as configured in VyOS routers. Save changes when done. (Figure 1-3)
Note that there is no need to specify the networks which is marked deprecated. Interfaces need to be specified instead.
Go to the Interfaces tab and click Add. (Figure 1-4)
Set the Interface to WAN, Network Type to Broadcast, and save changes. (Figure 1-5)
Add another interface for LAN, with Network Type set to Non-Broadcast and save. (Figure 1-6)
You should have both the WAN and LAN interfaces configured for OSPF. (Figure 1-7)
Can Hosts Behind pfSense Ping Other Hosts in Different Networks?
Now, if you go ahead and start up two hosts from two VyOS networks (one host per network), you should be able to ping a host behind pfSense (In my case, 10.249.2.100). But before we do that, let's check the neighbors.
Let's start with vyos_2400. I'm going to connect to the VyOS router via SSH, issue sh ip ospf neigh, and get the list of neighbors from there.
grayson@v2400-host1:~$ ssh vyos@10.249.0.1
Welcome to VyOS
vyos@10.249.0.1's password:
Last login: Sun Feb 21 21:42:53 2021 from 10.249.0.100
vyos@v2400-vyos:~$ sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
10.249.1.1 1 Full/DR 34.369s 172.24.19.3 eth0:172.24.19.2 0 0 0
10.249.2.1 1 Full/DROther 34.372s 172.24.19.4 eth0:172.24.19.2 0 0 0
vyos@v2400-vyos:~$ exit
logout
Connection to 10.249.0.1 closed.
grayson@v2400-host1:~$
So, my vyos_2400 router can see pfSense's "public" IP address. Can I ping a host behind pfSense's network?
grayson@v2400-host1:~$ ping 10.249.2.100
PING 10.249.2.100 (10.249.2.100) 56(84) bytes of data.
64 bytes from 10.249.2.100: icmp_seq=1 ttl=62 time=1.22 ms
64 bytes from 10.249.2.100: icmp_seq=2 ttl=62 time=2.09 ms
64 bytes from 10.249.2.100: icmp_seq=3 ttl=62 time=1.20 ms
64 bytes from 10.249.2.100: icmp_seq=4 ttl=62 time=1.90 ms
^C
...
Yes I can! The ^C is for Ctrl+C which terminates the process. What about a host behind vyos_2401? What do the neighbors look like?
grayson@pop-os:~$ ssh vyos@10.249.1.1
Welcome to VyOS
vyos@10.249.1.1's password:
Last login: Wed Feb 10 21:57:29 2021 from 10.249.1.100
vyos@v2401-vyos:~$ sh ip ospf n
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
10.249.0.1 1 Full/Backup 37.358s 172.24.19.2 eth0:172.24.19.3 0 0 0
10.249.2.1 1 Full/DROther 32.289s 172.24.19.4 eth0:172.24.19.3 0 0 0
vyos@v2401-vyos:~$ exit
logout
Connection to 10.249.1.1 closed.
grayson@pop-os:~$
Well, I don't see a need for ping as it should work with no problems. But it should work nonetheless.
Okay, so what about a host behind pfSense? Can I ping one of the hosts behind VyOS routers from a host that is behind pfSense? I tried and the answer to that is "no." The reason for that is NAT needs to be configured so that pfSense knows how to return the traffic back to the original host. pfSense needs to translate the original source address (such as 10.249.0.100) back to 10.249.2.0/24, which is the translation address and subnet mask. This is where outbound NAT comes in. Note that hosts behind pfSense can reach the Internet and pfSense will translate the packets back to the WAN interface address, but for private networks via OSPF, this is where the outbound rule needs to be filled in.
Network Address Translation (NAT)
NAT can be found in the Firewall menu. Instead of giving you images, I can provide step-by-step along with the list of settings that need to be configured.
Here are the list of settings that need to be configured.
Advanced Outbound NAT Entry
Interface: WAN
Address Family: IPv4
Protocol: Any
Source: Network; 10.249.2.0/24
Destination: Network; 10.249.0.0/16
Translation
Address: Other Subnet (Enter Below)
Other Subnet:10.249.2.0/24
Note that your IP addresses may be different depending on how you configure your routers and networks. Adjust accordingly.
Now here's step-by-step instruction on how to configure NAT.
Once you get to the NAT page that is found under the Firewall, go to the Outbound section.
In the Mode area, click in Hybrid Outbound and click Save.
Below the Mappings section, click in the Add button. You will be adding a single rule for OSPF so either buttons do not matter. The order of rules do matter for both firewall and NAT rules.
Enter the settings I have provided above. If you are using a screen reader, jump to the previous heading level 4 titled Network Address Translation, and jump down to the first list.
Once you are done configuring the rule from the settings I've provided, save your changes and click Apply at the top of the screen. pfSense will apply the changes.
As I understand it, the "source" field in the NAT rule is for hosts originating behind pfSense and the destination field is for hosts that is behind the two VyOS routers. And the translation address is where pfSense will send the return packets back to the originating hosts behind pfSense. Maybe I could configure the same thing in one of my VyOS routers? Why would I do that while I could simply use masquerade as a translation address? Why is there no such thing as masquerade in pfSense? That's the question I'm going to find out for myself.
So Now Can Hosts Behind pfSense Ping Other Hosts in Different Networks?
With all the settings I have applied for my NAT rule, the host behind pfSense can now ping hosts that are behind VyOS routers. To verify, I have deleted the rule with a translation address of 10.249.2.0/24, and tried pinging hosts behind the VyOS routers. The echo replies did not get sent back to the originating host behind pfSense. I re-added the rule again with the settings from above and pings from other 10.249.0.0/16 networks are now working.
Conclusion
That is all for part 2 out of 2 for this article! The hosts between pfSense and VyOS routers can ping each other once OSPF has been configured! If you enjoyed my article, can you please share your feedback with me in Twitter and LinkedIn? I will provide links so you can comment in my article. Thank you for reading my article. I've been writing an article since February 10th and stopped since the 14th as I've been busy with my studies during the last two weeks and until the 21st of this month. Happy networking! Have fun!
Revisions
Version 1.00:Initial Publish
Version 1.01:Updated the figures for the pfSense's setup wizard and OSPF configuration.
If you understand computer networking and know how IPv4 subnetting works, here's a zip file which contains a self-contained HTML file. Double-click in the HTML file and you can begin practicing.
This is part 1 of 2 of configuring multiple networks that can communicate with each other through OSPF.
Introduction
How much do you know computer networking? Do you know how subnetting works? What about IP addresses? Do you know how routers and switches work? Do you have a homelab and do you know what a homelab is? If you answer yes to all of the questions and you want to expand your knowledge of networking, this article is for you. Yes, I'm targeting audience that have a good knowledge in networking. This is even for those with lack of certificates such as CompTIA A+, Network+, and Security+, and even for those without a degree! Well, why don't we delve right into it, shall we? If you are Network+ certified, you must know that OSPF is a dynamic link-state protocol that allows the two or more private networks to talk to each other. If you have a consumer router such as Netgear or Linksys, this article is only for the pros!
Also, my article covers the use of virtual machines and networking bridging, so I'm going to assume you know how to set them up. I'm using Ubuntu Server 20.10 as my Linux home server that runs KVM (Kernel-based Virtual Machine). Virtual machines are what enables a computer to run inside a computer and network bridging behaves similar to a network switch. And because of that, I'm also going to assume you are familiar with the Linux command line.
Now buckle your seatbelt because this article is going to be a very long one.
Internet Protocol version 4; a 32-bit addressing scheme in a form of a.b.c.d (0 to 255 for each octet)
OSPF
Open Shortest Path First is a dynamic link-state protocol.
NAT
Network Address Translation: used to provide public-to-private IP address translation when an ISP can only assign a single public IP address. IPv6 (128-bit addressing scheme does away with NAT because each device can be assigned a public IPv6 address).
KVM
Kernel-based Virtual Machine for running virtual machines in a home server or desktop. A virtual machine is akin to putting a computer inside a computer each running its own operating system.
Router
A router connects one or more networks together and even connects the network to the Internet. A router can act as a default gateway if an IP address falls outside the list of network the router is connected to.
Switch
A network forms a star topology by connecting more than one host (a computer, printer, home theater receiver, etc.) to a central switch. If an IP address falls outside the subnet, a switch can forward a packet to a router.
You can learn a lot about computer networking by going through the tutorial. Basic networking is beyond the scope of my article.
You work at a company called "GalaxyTech" that specializes in building PCs and servers. Your company has three buildings. The two buildings connect to a central building through fiber. The central building has a fiber connection to the Internet Service Provider. Each of the three buildings have a purpose:
Central building: Office rooms, IT department, web development, sales department, and accounting.
Manufacturing facility: for building computers and servers, has rooms for office spaces, and IT department.
Warehouse building: warehouse, shipping, office rooms, and IT department.
Your job is to travel to three buildings and get networking setup. An ISP has provided a set of IP addresses within a subnet, which is 172.24.19.0/29. For the purposes of the article, I'm using 172.24.19.0/29 as a private subnet. 172.16.0.0/12 is part of RFC 1918 private addressing scheme. Plus, the three networks are going to be as follows:
Central building: 10.249.0.0/24
Manufacturing facility: 10.249.1.0/24
Warehouse building: 10.249.2.0/24
The three networks should be able to talk to each other. Note, however, this is going to be a very simple scenario. In the production environment, it is important to split a single subnet into a smaller subnet and segment them into different networks. Plus, different networks should not talk to each other and pinging should not be allowed for security reasons. But in this article, I am keeping it simple.
My computer and server both have 2.5Gbit Ethernet adapters installed. There is no switch involved as I cannot afford a managed 8-port switch that supports VLANs at the time of writing, so I simply have a straight cable that connects from my computer to my server. And because I'm running Ubuntu Server 20.10 in my home server, I want to share how my home network is configured (/etc/netplan/00-installer-config.yaml).
# This is the network config written by 'subiquity'
network:
version: 2
ethernets:
enp3s0f1:
dhcp4: no
enp4s0f0:
dhcp4: no
enp4s0f1:
dhcp4: no
enp7s0:
dhcp4: no
bridges:
...
ethbr10: # Computers, Smartphones, etc.
interfaces:
- enp7s0
- enp4s0f0
- vlan10
dhcp4: no
addresses:
- 172.20.1.1/26
ethbr10_2400:
interfaces:
- vlan2400
dhcp4: no
ethbr10_2401:
interfaces:
- vlan2401
dhcp4: no
ethbr10_2402:
interfaces:
- vlan2402
dhcp4: no
...
ethbr10_2409:
interfaces:
- vlan2409
dhcp4: no
ethbr10_2419:
interfaces:
- vlan2419
dhcp4: no
ethbr10_2429:
interfaces:
- vlan2429
dhcp4: no
ethbr20: # Home Automation, Wired
interfaces:
- enp4s0f1
dhcp4: no
addresses:
- 172.20.5.1/24
...
vlans:
vlan10:
id: 10
link: enp3s0f1
dhcp4: no
...
vlan2400:
id: 2400
link: ethbr10
dhcp4: no
vlan2401:
id: 2401
link: ethbr10
dhcp4: no
vlan2402:
id: 2402
link: ethbr10
dhcp4: no
...
vlan2408:
id: 2408
link: ethbr10
dhcp4: no
vlan2409:
id: 2409
link: ethbr10
dhcp4: no
vlan2419:
id: 2419
link: ethbr10
dhcp4: no
vlan2429:
id: 2429
link: ethbr10
dhcp4: no
My home server is equipped with a 4-port Gigabit networking card, a built-in NIC in my motherboard, and a 2.5Gbit networking adapter. The motherboard's built-in NIC is not in use. My computer's IP address is 172.20.1.8, which is part of a /26 subnet. I do have a couple of VLANs setup in my desktop computer as well. But instead of Ubuntu, I'm running Arch Linux, which is for experienced Linux users such as myself. So back to the Netplan config file, Netplan seems to be exclusive to ubuntu and is not available in other Linux distributions such as CentOS and Debian. All of the interfaces have DHCP set to no so this is more like a router that connects multiple networks together and pfSense is a router distribution that runs in a virtual machine. pfSense has an IP address of 172.20.0.2 and resides in ethbr0 bridge interface which is not shown here in order to keep it short. My computer, laptop, and smartphone resides in ethbr10. Each VLAN has an ID and is linked to a specific bridge interface, which in this case, ethbr10. Then, each bridge is specifically bridged to each VLAN. So, the way it works is this: ethbr10_2400 is linked to vlan2400 with a VLAN ID of 2400, vlan2400 is linked to ethbr10, and ethbr10 is bridged to multiple interfaces including a VLAN interface with an ID of 10. Sure, my networking is very complex, but that is part of the homelab!
As for my desktop computer, I use Network Manager for networking. Here's what it looks like:
There are four terminals that shows how I configure all the interfaces.
In order to create virtual machines, I wanted to do so as a user instead of root. To do that, I added a user called kvmguests and added libvirt as a group.
The acl package provides the setfacl and getfacl. For those who do not know, ACL stands for "Access Control List" which grants or denies read/write/execute permissions for files and directories. /vm/kvm contains two directories: iso and img. The iso directory is for holding installation images and img directory is for holding virtual machine disk images.
This image shows the list of storage pools for the virtual machines shown in the right. To the left shows how to open the "Details" window.
So, to get to the list of storage pools, right-click where it says "QEMU/KVM," click Details, and in the Connection Details dialog box, click Storage. You can add whatever storage pool you need. I suggest keeping the installation images separate from disk images. This helps keeps it organized.
For VyOS, you'll want the rolling release as the LTS release requires a purchase of a subscription.
Ready to Configure Virtual Machines for OSPF?
Okay, so you got your virtual machine environment and your network all setup and ready to go, so it's time to get your virtual machines up and running. For those who have eyesight, you can click in the checkbox to show the list of images. For blind users, I do not know how this is going to work for you when it comes to exiting out of the virtual machine window using your keyboard. You could make use of serial connection by deleting the video display when you customize the installation before starting a virtual machine. However, I've ran into problems when trying to get the pfSense installer image up and running. Please accept my apologies for not being of much help if you rely on your screen reader. Anyway, let's get going.
Images for Installing and Configuring Virtual Machines
Figure 1-0: The prerequisite for installing a virtual machine. Connect to a remote server via SSH.Figure 1-1: The first step of installing a virtual machine. Choose local install by default.Figure 1-2: The second and third step of installing a virtual machine. Choose an install image.Figure 1-3: The fourth and fifth step of installing a virtual machine. Choose Debian 10 for VyOS or FreeBSD 11.4 for pfSense 2.4. 1 Gig of RAM and 2 virtual CPUs are fine for testing.Figure 1-4: The sixth and seventh step of installing a virtual machine. Create a disk image.Figure 1-5: The eighth step of installing a virtual machine. Make sure to name, select "Customize configuration before install," and select a network bridge.Figure 1-6: The ninth step of installing a virtual machine. Add a network interface.Figure 1-6: The tenth step of installing a virtual machine. Let the installation begin!
Prerequisite
First, enable virtualization extensions in your computer's BIOS. This will depend on what motherboard/PC/laptop you use. If you can't see the screen, ask someone to help you navigate around the menus in the BIOS screen.
If you do not have virt-manager installed in your desktop, use your package manager to install virt-manager.
Debian and Ubuntu:apt update && apt install virt-manager
Arch Linux:pacman -Sy virt-manager ("S" stands for "sync" and "y" stands for "update repositories.")
If you have not done so, create a private/public key pair with a blank passphrase so that you can login to a remote server without a password. A Virtual Machine Manager will prompt you for a password indefinitely. Also, make sure your user is part of the libvirt group. Because otherwise connecting to a remote server using virt-manager is not possible.
Open the terminal and type the following command.
ssh-keygen -t rsa
Accept the defaults and leave the passphrase blank.
Then enter the following command with your username and hostname/IP address:
You will be prompted to enter the password in order to copy a public key to your remote server. Never share your sensitive private and public key with everyone.
Try to login to your remote server.
ssh kvmguests@vmserver
If you can login without a password, you are good to go.
Open virt-manager and connect to your remote server (figure 1-0). With a public key, you should not be prompted for a password.
Go to File, then Add Connection... to open the Add Connection window.
Check the checkbox for Connect to remote host over SSH.
Enter the Username and Hostname.
Then click Connect.
Okay, so you are able to login to the remote server using virt-manager, right? Let's get into the fun part, which is creating a new virtual machine!
With the remote server highlighted, click in the Create a new virtual machine button. A tooltip will come up if you hover over a monitor with a play button in the toolbar. (Figure 1-1)
The Local install media is selected. Click Forward to go to the next screen. (Figure 1-1)
To the right of Choose ISO or CDROM install media, click the Browse button to the right of the edit box. (Figure 1-2)
In the list of storage pools, choose a pool that contains all hte ISOs you've downloaded. In my case, it's ISOs. (Figure 1-2)
In the list of ISO files, look for vyos-rolling-latest.iso. Then click Choose Volume to confirm your selection. (Figure 1-2)
In the Choose the operating system you are installing edit box, type Debian 1 and use the up and down arrow keys to select Debian 10. VyOS is based on Debian. Then click Forward. (Figure 1-3)
Accept the Memory and CPUs settings and click Forward. (Figure 1-3)
Select or create custom storage and click Browse. (Figure 1-4)
Select a storage pool where the disk images will be in (in my case, Images) and click the plus button next to Volumes to Create New Volume. Hover the mouse pointer over the plus sign for the tooltip to show up. (Figure 1-4)
Give the storage unit a name. Here is the convention and example name that I use. (Figure 1-4)
(VLAN ID for external network)_(VLAN ID for internal network)_(Operating System Name)
v2419_v2400_vyos
v stands for VLAN. VLAN 2419 will be the bridge that connects to pfSense (my edge router, a gateway to the Internet). VLAN ID 2400 is for an internal bridged network that VyOS VM will use.
Leave the rest as is and click Finish. Make sure you have plenty of disk space in your server! (Figure 1-4)
Once you are back in the New VM, click the Forward button to continue to the last step for the wizard. (Figure 1-4)
Give your virtual machine the same Name as you created in Step 10. Keep the convention the same. (Figure 1-5)
Check the checkbox for Customize the configuration before install. (Figure 1-5) A virtual machine will have two NICs (Network Interface Controllers).
Expand the Network selection, choose Bridge Device... from the dropdown menu, and in the Device name: edit box, assign the bridge to the first NIC. In my case, it's ethbr10_2419. (Figure 1-5)
Remember that VLAN 2419 is for the external network that connects to pfSense (172.24.19.1). The VM will have an IP address of 172.24.19.2/24. That will be for the central building of GalaxyTech. Read the scenario above if you need to.
Be sure you have Customize the configuration before install checked and click Finish. We're not done yet. (Figure 1-5)
Click in the Add Hardware at the bottom left-hand corner of the VM window. (Figure 1-6)
In the list of hardware components, select Network. This is where a second NIC can be added. (Figure 1-6)
Next to the Network source:, open the dropdown menu, choose Network bridge, and enter the name of the bridge in Device name. I chose a bridge for an internal network, which in my case it's ethbr10_2400. 2400 is my VLAN ID. (Figure 1-6)
When done, click Finish to return to the VM window. (Figure 1-6)
Notice that you have two NICs in the list of hardware components installed for the VM. (Figure 1-7)
Now, it's time to Begin Installation. Click in that button in the upper-left corner and on we go!!!
Figure 1-0: Booting up the installation of VyOS: Press Enter to accept the default.Figure 1-1: Installing VyOS: The username and password is vyos. Begin the installation of VyOS.Figure 1-2: Installing VyOS: Type ? to see the list of commands. Accept the defaults for partitioning the disk.Figure 1-3: Installing VyOS: Accept defaults and create a password for the user vyos.Figure 1-4: Installing VyOS: For VM, type vda to install the bootloader into the disk. When done, reboot.Figure 1-5: Booted up VyOS for the first time! Login and you're in.
Install VyOS Into The First Instance of VM
When the bootloader shows up, leave the Live (amd64-vyos) as selected and press Enter. (Figure 1-0)
When you get a login prompt, the username and password is vyos. (Figure 1-1)
Type the following command to begin the installation of VyOS. (Figure 1-1 and 1-2)
install image
Then press Enter. Note that you can type ? to see the list of commands and parameters. (Figure 1-2)
The installer has found a disk to partition in callsed vda. Go ahead and accept the defaults (auto and vda). (Figure 1-2)
Input Yes to continue the installation as the disk is empty. (Figure 1-3)
You can leave everything as default until you get to create a password. Note that I should have left the image name as-is. An image is an image similar to Cisco IOS; however, I did enter v2419_v2400_vyos. Just leave the image name as default. (Figure 1-3)
Enter the password that you can easily remember. (Figure 1-3)
Once you are done creating a password, leave the rest as defaults and reboot. (Figure 1-4)
Once rebooted, login with the user vyos along with your newly-created password and you're in!
Congratulations! You've just created yourself a first virtual machine and installed VyOS! Before you continue configuring the network, let's create another virtual machine and install VyOS.
I have already provided instructions for creating a virtual machine and installing VyOS into the VM. In Step 10 and Step 13, give your new disk and VM the new name while still following the convention.
(VLAN ID for external network)_(VLAN ID for internal network)_(Operating System Name)
v2419_v2401_vyos
Your VM will use a different internal bridge name for the second VLAN, which has an ID of 2401. So, in Step 19 (third from the last step), you would enter ethbr10_2401 for the second NIC. So, here's how I have it setup:
VM Name
External NIC
Internal NIC
v2419_v2400_vyos
ethbr10_2419
ethbr10_2400
v2419_v2401_vyos
ethbr10_2419
ethbr10_2401
v2419_v2402_pfSense
ethbr10_2419
ethbr10_2402
And the IP addresses and subnet prefixes are going to be:
VM Name
Public IP
Private IP
v2419_v2400_vyos
172.24.19.2/24
10.249.0.1/24
v2419_v2401_vyos
172.24.19.3/24
10.249.1.1/24
v2419_v2402_pfSense
172.24.19.4/24
10.249.2.1/24
Note that I simply wanted to pretend that anything in 172.24.19.x/24 is part of the public IP addressing scheme. 172.24.19.x/24 is still part of 172.16.x.x/12 private subnet (RFC 1918). Only for this article, I'm going to pretend that anything in 172.24.19.x/24 will have a public IP address assigned to each of the three virtual machines. A fake one, if you will.
Images for the installation of pfSense into the third VM
Figure 1-1: Installing pfSense: Accept copyright notice.Figure 1-2: Installing pfSense: Accept choices made by the installer.Figure 1-3: Configure pfSense: Configure connection to the Internet.Figure 1-4: Configure pfSense: Setup the internal network and ping 1.1.1.1 to confirm the Internet is working.
Create a Third VM and Install pfSense In a VM
I am very sure you can create a new VM named v2419_v2402_pfSense with an internal network bridge named ethbr10_2402. If not, look over the steps on how to create a new VM. Be sure to keep ethbr10_2419 as the device name for the first NIC in the New VM dialog.
Now the steps for installing and configuring pfSense is as follows:
Go ahead and press the Enter key throughout the installation process. The installer will insteall pfSense into the virtual disk and prompt you to reboot the system. (Figure 1-1 and 1-2)
Set vtnet0 as WAN and vtnet1 as LAN. (Figure 1-3)
pfSense will attempt to discover an IP address if a DHCP server is configured. If not, wait for pfSense to time out. (Figure 1-3)
When you get to the menu, type to select 2 and press Enter. (Figure 1-3)
Enter 1 for vtnet0. Type n as DHCP server was not configured. (Figure 1-3)
Enter the IP address for external network. In my case, it's 172.24.19.4/24. If I omit /24 from the IP address, I will be asked to input a subnet bit (or a prefix number). 24 is what I would enter. (Figure 1-3)
If you have no need for IPv6, simply type n, hit Enter, and hit Enter again to leave the next line blank.
Now here's something I screwed up on. Not shown in Figure 1-3 is it asks if you want to revert back to HTTP instead of keeping in HTTPS. Idealy, for a production environment you always want HTTPS for protection against on-path attacks, which is also known as man-in-the-middle (MiTM) attack. Because this is a homelab and I have kept the networks segregated from each other, HTTP is fine.
Press the Enter key and you should be back on the menu. (Figure 1-4)
Press 2 again and press Enter to get into the interface configuration. You'll want to configure the LAN address which is number 2.
If you only want IPv4, simply enter the IP address and subnet mask (in my case, 10.249.2.1/24) and leave the rest set to default. Press Enter at the last step to get back to the menu.
To make sure everything is working, press 7, hit Enter, and ping (don't type ping) 1.1.1.1. If it's working, you are good to go.
Congratulations on installing and setting up pfSense. But it's not over yet. You will need to setup another virtual machine to configure pfSense. But let's get the network up and running in two VyOS instances first.
If you are familiar with Cisco's IOS, then the commands will be a lot different. First, and foremost, there's no such thing as privileged EXEC mode. The $ sign means you are in user mode. If you type sudo -i or configure, VyOS will put you in "#" mode. Please note the following output below:
vyos@vyos:~$ sudo -i
root@vyos:~# exit
logout
vyos@vyos:~$ configure
[edit]
vyos@vyos# hostname v2400-vyos
hostname: you must be root to change the hostname
[edit]
vyos@vyos# set hostn?
Configuration path: [hostn] is not valid.
[edit]
vyos@vyos#
VyOS is a full Linux distribution. Every VyOS command begins with "set" once you are in VyOS configuration mode. Even though VyOS is a Linux distribution that is focused in routing, please do not edit the /etc/hostname file as root. Instead, perform the following commands:
vyos@vyos:~$ configure
[edit]
vyos@vyos# set system host-name v2400-vyos
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...
[edit]
vyos@vyos# exit
exit
vyos@vyos:~$ reboot
Are you sure you want to reboot this system? [y/N] y
Reboot the system and you should be back in VyOS with a new hostname. Set the hostname for the second VyOS instance (different VM) to v2401-vyos and reboot the VM. The commit command commits changes to memory and save saves changes to the disk as /config/config.boot. VyOS will complain that changes made to /etc/hostname and then executing the two set commands above will cause VyOS to error out saying "temporary failure in name resolution" or something like that. So yea, unlike Cisco IOS's hostname v2400-cisco in global configuration mode, changes in VyOS do not take effect even once the changes have been commited to memory and saved to disk. However, just about all the networking commands you'll be doing will take effect once you call commit in configuration mode.
See what happens if you configure a domain name for your VyOS router. You can name whatever domain name you want. I suggest you keep the TLD set to lan so you won't cause confusion with a .com domain.
configure
set system domain-name lab.graysonpeddie.lan
commit
discard
save
set system domain-name lab2.graysonpeddie.lan
discard
The first command gets you into configuration mode. I then configure the domain name for the router. I commited the changes to memory but decided to discard the changes. Because the change has been stored in RAM, I get an error message saying No changes have been discarded. Then, I changed the domain name to lab2.graysonpeddie.lan but decided to discard the changes. So even if I make changes to network configuration, the changes won't take effect until I commit to RAM and then save changes to disk.
Now, let's get into networking, shall we? First, we must configure the interfaces for v2419-v2400-vyos. Make sure you are in configuration mode. There should be no :~ between hostname and number sign. Remember, sudo -i takes you into root mode just like all other Linux distributions do.
set interfaces ethernet eth0 address 172.24.19.2/24
set interfaces ethernet eth1 address 10.249.0.1/24
set protocols static route 0.0.0.0/0 next-hop 172.24.19.1
commit
save
And for v2419-v2401-vyos VM:
set interfaces ethernet eth0 address 172.24.19.3/24
set interfaces ethernet eth1 address 10.249.1.1/24
set protocols static route 0.0.0.0/0 next-hop 172.24.19.1
commit
save
Once you exit the configuration mode for both of them, can you ping 1.1.1.1 in both VMs? If yes, you are in good shape! 0.0.0.0/0 means a default gateway of last resort. 1.1.1.1 is not in the routing table, so the router has to go through 172.24.19.1 in order to reach out to 192.168.1.254, which is my mom's router, and 192.168.2.254, which is the Comtrend router for Consolidated Communications. Because I do not have a way of getting traceroute information from a virtual machine, I can do that from my desktop PC. Note that I cannot ping 172.20.0.2, which is the edge router for pfSense that reaches out to the Internet. I don't want my internal hosts to ping my edge gateway for security and obscurity reasons.
[grayson@grayson-epcotcenter Storage]$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 _gateway (172.20.1.1) 0.191 ms 0.143 ms 0.136 ms
2 * * *
3 192.168.2.254 (192.168.2.254) 4.231 ms 4.246 ms 4.267 ms
4 sdsl-blt-216-227-16-10.gtcom.net (216.227.16.10) 14.952 ms 14.960 ms 14.976 ms
5 rblt-aa.gtcom.net (216.227.16.1) 15.049 ms 15.080 ms 15.023 ms
6 atl-b22-link.telia.net (62.115.9.130) 24.028 ms atl-b22-link.telia.net (80.239.192.68) 23.200 ms 23.194 ms
7 cloudflare-ic-309901-atl-bb1.ip.twelve99-cust.net (213.248.83.18) 53.332 ms cloudflare-ic-301665-atl-bb1.c.telia.net (62.115.32.222) 43.354 ms 43.360 ms
8 one.one.one.one (1.1.1.1) 32.600 ms 24.107 ms 21.845 ms
[grayson@grayson-epcotcenter Storage]$ ping 172.20.0.2
PING 172.20.0.2 (172.20.0.2) 56(84) bytes of data.
^C
--- 172.20.0.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3055ms
[grayson@grayson-epcotcenter Storage]$
For learning experience, let's configure DHCP server for both VyOS routers. I'm going to start with v2419-v2400-vyos VM in configuration mode.
edit service dhcp-server shared-network-name InternalNetwork2400 subnet 10.249.0.0/24
set range P1 start 10.249.0.100
set range P1 stop 10.249.0.199
set default-router 10.249.0.1
set name-server 1.1.1.1
commit
save
Here's another way without the use of edit:
set service dhcp-server shared-network-name InternalNetwork2400 subnet 10.249.0.0/24 range P1 start 10.249.0.100
set service dhcp-server shared-network-name InternalNetwork2400 subnet 10.249.0.0/24 range P1 stop 10.249.0.199
set service dhcp-server shared-network-name InternalNetwork2400 subnet 10.249.0.0/24 default-router 10.249.0.1
set service dhcp-server shared-network-name InternalNetwork2400 subnet 10.249.0.0/24 name-server 1.1.1.1
commit
save
I'll let you figure out why I use the edit command as a shortcut.
And for v2419-v2401-vyos VM in configuration mode:
edit service dhcp-server shared-network-name InternalNetwork2401 subnet 10.249.1.0/24
set range P1 start 10.249.1.100
set range P1 stop 10.249.1.199
set default-router 10.249.1.1
set name-server 1.1.1.1
commit
save
P1 is just a text field for the range. Think of it as a pool of IP addresses. This allows VMs to acquire an IP address from the router that connects to it.
NAT
Endpoint devices using private IP addresses need to communicate over the Internet over a public IP address. Configure NAT in both VyOS virtual machines. Remember, this can only be done in configuration mode.
set nat source rule 1 translation address masquerade
set nat source rule 1 outbound-interface eth0
commit
save
Setting a translation address to masquerade allows endpoint devices to act as though it has its own public IP address.
Now this is where OSPF comes into play. But first, I will create two virtual machines--one of which connect to their own network behind VyOS routers. In order to do that, though, I will have to set up my virtual machine environment in my desktop machine.
[grayson@grayson-epcotcenter ~]$ sudo usermod -a -G libvirt grayson
[sudo] password for grayson:
[grayson@grayson-epcotcenter ~]$ sudo systemctl enable libvirtd
Created symlink /etc/systemd/system/multi-user.target.wants/libvirtd.service → /usr/lib/systemd/system/libvirtd.service.
Created symlink /etc/systemd/system/sockets.target.wants/virtlockd.socket → /usr/lib/systemd/system/virtlockd.socket.
Created symlink /etc/systemd/system/sockets.target.wants/virtlogd.socket → /usr/lib/systemd/system/virtlogd.socket.
Created symlink /etc/systemd/system/sockets.target.wants/libvirtd.socket → /usr/lib/systemd/system/libvirtd.socket.
Created symlink /etc/systemd/system/sockets.target.wants/libvirtd-ro.socket → /usr/lib/systemd/system/libvirtd-ro.socket.
For changes to take into effect, I have to log out and back in for the libvirt group to take effect for my user grayson. But instead of logging out and back in, I'm going to restart my machine. I could even execute a start command for libvirtd if I want. libvirtd daemon (similar to a "service" in Windows) is what allows me to run virtual machines in my desktop without root privileges.
Once I restart my desktop machine, I am able to spin up 3 virtual machines, install Pop!_OS, and ping the router's IP addresses. My desktop had 32GB of RAM and my server has 48GB of RAM. For my desktop, I can give the three virtual machines each having 4GB of RAM. Of course, I cannot ping each other's internal endpoints because each router (be it VyOS or pfSense) does not know how to reach their own network that came from a different router.
While we can set static routes for each VyOS router as we did for setting a default gateway, we are going to make use of OSPF. More information about OSPF can be found in this web page. Actually, the web page I linked can show you how to configure Cisco routers using OSPF, but I am only focusing in VyOS and pfSense for now.
Let's learn how we can configure OSPF in two of the VyOS instances. Let's start with v2419-v2400-vyos and then configure v2419-v2401-vyos.
vyos@v2400-vyos# edit protocols ospf
vyos@v2400-vyos# area 0 network 10.249.0.0/24
vyos@v2400-vyos# area 0 network 172.24.19.0/28
vyos@v2400-vyos# parameters router-id 10.249.0.1
vyos@v2400-vyos# commit
vyos@v2400-vyos# save
vyos@v2401-vyos# edit protocols ospf
vyos@v2401-vyos# area 0 network 10.249.1.0/24
vyos@v2401-vyos# area 0 network 172.24.19.0/28
vyos@v2401-vyos# parameters router-id 10.249.1.1
vyos@v2401-vyos# commit
vyos@v2401-vyos# save
Each router has two networks in the same area and the router ID is the neighbor ID. Let's exit the configuration mode and have a look at the neighbors.
vyos@v2400-vyos# exit
exit
vyos@v2400-vyos:~$ sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
10.249.1.1 1 Full/Backup 37.035s 172.24.19.3 eth0:172.24.19.2 0 0 0
vyos@v2401-vyos# exit
exit
vyos@v2401-vyos:~$ sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
10.249.0.1 1 Full/DR 33.747s 172.24.19.2 eth0:172.24.19.3 0 0 0
Pay no attention to the last three columns including the dead time (actually, you can read more about dead time that I linked here). The two VyOS routers can see each other. Each router has an outbound interface which is eth0 and has its IP address assigned. From 10.249.0.0/24, to get to 10.249.1.0/24, the router goes out from 172.24.19.2 to 172.24.19.3 in order to reach the 10.249.1.0/24 subnet. So, from my virtual machine running Pop!_OS that connects to v2400-vyos, my VM's IP address is 10.249.0.100 and when I ping 10.249.1.100 the ping is successful.
I then ping from another virtual machine that is connected to v2401-vyos VM. Its IP address is 10.249.1.100. I ping 10.249.0.100 and if you look at the neighbor for v2401-vyos, the ping is successful.
So everything is successful between two VyOS instances, right? Let's configure the firewall next.Update as of October 24, 2021
Oh, and here is something I forgot to mention. It's about setting passive interfaces. None of the hosts inside the private network should know anything about OSPF traffic. That's where the next command comes in.
set protocols ospf passive-interface eth1
That way, VyOS will not broadcast OSPF into the internal network. What if you have 5 networks? Let's say there are 4 LAN networks and 1 network that connects to other OSPF-enabled routers such as pfSense and Cisco ISR routers. You can use the set of commands instead as shown below.
set protocols ospf passive-interface default
set protocols ospf passive-interface-excluse eth0
All the interfaces are set to passive by default except the one that connects to the OSPF network and out to the Internet.
Why is firewall important? It's to keep the bad guys out and control which traffic can go in and out. Let's configure the firewall for both VyOS VMs.
First, I will show you the configuration.
vyos@v2400-vyos# show firewall
name WANIn {
default-action drop
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action accept
source {
address 172.24.19.0/28
}
}
rule 3 {
action accept
source {
address 10.249.0.0/16
}
}
}
name WANLocal {
default-action accept
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action accept
protocol ospf
}
}
[edit]
vyos@v2400-vyos#
vyos@v2401-vyos# sh firewall
name WANIn {
default-action drop
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action accept
source {
address 172.24.19.0/28
}
}
rule 3 {
action accept
source {
address 10.249.0.0/16
}
}
}
name WANLocal {
default-action drop
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action accept
protocol ospf
}
- rule 3 {
- action accept
- destination {
- port 22
- }
- protocol tcp
- }
}
[edit]
vyos@v2401-vyos#
I will start with the commands for v2400-vyos and you can go from there.
edit firewall name WANIn
default action drop
...
But before you enter the commands above and figure out the rest, let me ask you this. What does a dash indicate?
If you guess "the changes will be deleted before it's commited to RAM," you are correct. This is how to delete the firewall rule:
delete firewall name WANLocal rule 2
Now go ahead and perform the rest of the commands. Follow the hierarchy!
Did you complete all the commands? Okay! More questions for you! How do you assign the two sets of firewall chains to the outbound interface?
Do you know how you configured IP addresses for your interfaces? Use the ? and TAB key to help you out.
set interfaces ethernet eth0 firewall in name WANIn
set interfaces ethernet eth0 firewall local WANLocal
What does WANIn and WANLocal do?
The firewall controls the flow of traffic coming into the router (WANLocal) or into the network (WANIn). However, the firewall chain for out has not been configured. This is fine for what we need to setup OSPF.
Can you ping each other's public IP addresses (172.24.19.x)? If no, what do you need to do in order to allow the public IP addresses to ping each other? I'll give you a hint...
We have installed VyOS into virtual machines, set our passwords, configured Ethernet interfaces, NAT, OSPF, and firewall. In my two desktop virtual machines, I can ping each other's IP addresses in different networks.
I have to end it here because the article got so long and it took me a few days to write this article. In Part 2, I'm going to finish off by configuring pfSense that will allow internal network to communicate with other networks behind VyOS routers. Stay tuned!
I Welcome Your Feedback!
Instead of enabling comments in my blog, I encource you to give feedback in one of the following links below.
Version 1.01:Added info to the prerequisite section for those who are blind.
Version 1.02:I need to add an internal network (10.249.0.0/16) as a source in the WANIn chain for both VyOS routers. Without it, even though I am able to ping each other's endpoints from different networks, I cannot ping the two VyOS internal networks from a host behind pfSense. However, once I add the third rule to a WANIn chain, I'm able to ping hosts behind the two VyOS routers. I also added the feedback heading and revisions to the table of content.
Version 1.03:I have added a PNG image that shows a multiple routers that are connected to the central router and the central router connects to the "cloud."
Version 2.00:(October 24, 2021) The developers of VyOS must have changed from dns-server to name-server when it cones to configuring a DHCP pool. The changes should work now. Plus, I've added information about passive interfaces, which is important for keeping the OSPF traffic from broadcasting into the private network.
