I was going to set up PiHole for a friend. Since she has an old Netbook available, I think why not using it. This sounds logical right? It would be if most distros are not 64bit only in their latest version. Also, I am looking for something small and lightweight.
At the end, I picked Linux Lite (https://www.linuxliteos.com/). Their Series 3 is still available in 32bit and because it is based on Ubuntu LTS, it is still in support till 2021.
Linux and PiHole installation is pretty standard and straightforward.
If you have issue to access the PiHole, you may want to check the firewall setting in Linux Lite. Also, it is worth to check the power saving option too to ensure the computer won't got to sleep.
Saturday, October 12, 2019
Saturday, September 28, 2019
EdgeRouter X VLAN and Firewall Rule Sets
One of the reasons you want to use VLAN is to segregate your network and to control traffics from one network to another. This post is just about this.
One of the issue I have is the direction in a ruleset As I was trying to limit the incoming traffics to an interface, you would think the direction should be IN. Oddly, the direction is actually OUT.
In this example, I have a VLAN 100 and would like to accept traffics from VLAN 1 and 2 into this network, but to restrict the access from it to VLAN 1 and 2.
To do this, I set the default action of this rule to DROP, and then added three rulesets to grant the permitted traffics.
The first rule is a general rule which allows any traffics from this VLAN to connect to the internet.
For this, I created a ruleset, and set its action to ACCEPT, and allowed all protocols. Then, on the advanced tab, I selected the states ESTABLISHED AND RELATED.
The second rule is a specific rule allowing VLAN 1 traffics to enter into this network.
For this, I created a ruleset, and set its action to ACCEPT, and allowed all protocols. Then, on the advanced tab, I selected the states ESTABLISHED AND RELATED (you may also need NEW). One extra is required for this ruleset, and it is specifying its source! on the source tab, I picked VLAN 1 from Network Interface dropdown box (or specifying the VLAN 1 IP, e.g. 192.168.1.0/24). I applied similar steps for VLAN 2.
After all of these, VLAN 100 should be able to accept traffics from VLAN 1, and 2, and be able to talk to the WAN. However it should not be able to access network resources in VLAN 1 and 2.
Above is based on this tutorial video I found on YouTube.
One of the issue I have is the direction in a ruleset As I was trying to limit the incoming traffics to an interface, you would think the direction should be IN. Oddly, the direction is actually OUT.
In this example, I have a VLAN 100 and would like to accept traffics from VLAN 1 and 2 into this network, but to restrict the access from it to VLAN 1 and 2.
To do this, I set the default action of this rule to DROP, and then added three rulesets to grant the permitted traffics.
The first rule is a general rule which allows any traffics from this VLAN to connect to the internet.
For this, I created a ruleset, and set its action to ACCEPT, and allowed all protocols. Then, on the advanced tab, I selected the states ESTABLISHED AND RELATED.
The second rule is a specific rule allowing VLAN 1 traffics to enter into this network.
For this, I created a ruleset, and set its action to ACCEPT, and allowed all protocols. Then, on the advanced tab, I selected the states ESTABLISHED AND RELATED (you may also need NEW). One extra is required for this ruleset, and it is specifying its source! on the source tab, I picked VLAN 1 from Network Interface dropdown box (or specifying the VLAN 1 IP, e.g. 192.168.1.0/24). I applied similar steps for VLAN 2.
After all of these, VLAN 100 should be able to accept traffics from VLAN 1, and 2, and be able to talk to the WAN. However it should not be able to access network resources in VLAN 1 and 2.
Above is based on this tutorial video I found on YouTube.
Wednesday, September 25, 2019
Problem connection to Samba Server
Today I have reinstalled Linux on a machine of mine, and configured it to use Samba to share a folder to the rest of my network.
However, when I tested my setup on a Windows machine, I got connection error. I have checked my setup and everything seems to be fine. At the end, it turns out nothing wrong with my setup as I can connect to this machine using IP. The problem is with my NetBIOS resolver.
My Linux machine IP is 133, but the IP reported when I ping it on my Windows machine is 113.
However, when I tested my setup on a Windows machine, I got connection error. I have checked my setup and everything seems to be fine. At the end, it turns out nothing wrong with my setup as I can connect to this machine using IP. The problem is with my NetBIOS resolver.
My Linux machine IP is 133, but the IP reported when I ping it on my Windows machine is 113.
If you have similar issue as i did, you may want to check your NetBIOS resolver too. The problem may be in your network rather than your setting.
n.b. To clear DNS caches under Ubuntu is:
sudo systemd-resolve --flush-caches
Labels:
connection error,
DNS,
flush caches,
NetBISO,
Resolver,
Samba,
systemd-resolve
Saturday, September 14, 2019
Few Points of Setting up EdgeRuter X
Just want to share a few things I learnt while I was setting up my EdgeRouter X.
PVID is similar to UNTAGGED with other vendors, similar VID is as TAGGED.
Hence, with the example below, the router is configured as
eth1: VLAN 10
eth2: VLAN 20
eth3: VLAN 100
eth4: Truck port for VLAN10, VLAN20 and VLAN100
After setting up DHCP for each network, it needs to setup for DNS forwarding.
All fields in DHCP nees to be set. I made the mistake not filling in the Router and DHCP field. The router field is for the Gateway, and unlike other router which cannot be implied. Missing it would result Gateway detail omitted in connected clients and hence no internet access.
System wide DNS isn't set up in the System pane.
But rather using Config Tree
Personally, I prefer to use my choice of DNS provider than my Internet Provider's servers for stability and "privacy". For example, with my choice of DNS provider, NX is returned for NX for URL like below rather than Internet Provider's error page.
Last but not least, enable hardware offloading for NAT and IPSec to get the best out of the router.
PVID is similar to UNTAGGED with other vendors, similar VID is as TAGGED.
Hence, with the example below, the router is configured as
eth1: VLAN 10
eth2: VLAN 20
eth3: VLAN 100
eth4: Truck port for VLAN10, VLAN20 and VLAN100
After setting up DHCP for each network, it needs to setup for DNS forwarding.
All fields in DHCP nees to be set. I made the mistake not filling in the Router and DHCP field. The router field is for the Gateway, and unlike other router which cannot be implied. Missing it would result Gateway detail omitted in connected clients and hence no internet access.
System wide DNS isn't set up in the System pane.
But rather using Config Tree
Personally, I prefer to use my choice of DNS provider than my Internet Provider's servers for stability and "privacy". For example, with my choice of DNS provider, NX is returned for NX for URL like below rather than Internet Provider's error page.
nslookup www.jkjkjlkjlkjlkjl.com
*** UnKnown can't find www.jkjkjlkjlkjlkjl.com: Non-existent domain
Last but not least, enable hardware offloading for NAT and IPSec to get the best out of the router.
Labels:
Custom DNS,
DNS Forwarding,
ER-X,
Gateway,
switch,
Ubiquiti Networks,
VLAN
Sunday, July 14, 2019
EdgeRouter X VLAN Awared Switch Setup
After managed to setup my EdgeRouter X (ER-X) as a VLAN awared switch, I want to make a few notes on things I have learnt.
1. For the trunk port, set the VID field with VLAN IDs it handles (tagged). In my setup, eth0 is my trunk port and it allows VLAN ID 1, 10, 20 and 100 to pass-through.
2. For VLAN port (un-tagged), put the desired VLAN ID in the PVID field (see example below)
3. Last but not least, it may worthwhile to tick the "Use non-default VLAN for management" option, and set the VLAN ID to the VLAN which you would like to be used as your management network while using the wizard to setting up the ER-X. This allows you to get back to the ER-X later if you wish to change its settings later.
1. For the trunk port, set the VID field with VLAN IDs it handles (tagged). In my setup, eth0 is my trunk port and it allows VLAN ID 1, 10, 20 and 100 to pass-through.
2. For VLAN port (un-tagged), put the desired VLAN ID in the PVID field (see example below)
3. Last but not least, it may worthwhile to tick the "Use non-default VLAN for management" option, and set the VLAN ID to the VLAN which you would like to be used as your management network while using the wizard to setting up the ER-X. This allows you to get back to the ER-X later if you wish to change its settings later.
Tuesday, July 2, 2019
Mint Linux Firefox scrollbar fix
Part of the reason I have moved away from Firefox is because of its scrollbar issue in Linux.
Ever since GTK 3 (or earlier), scrollbar in Firefox goes to when you click rather than jump a page when you click on its blank area. This is very annoying when you are reading an article and you are not equipped with a mouse with a scroll wheel.
Anyway, the fix is quite simple. You just need to add the below to ~/.config/gtk-3.0/settings.ini
[Settings]If the file doesn't exist, you just create it, i.e. touch ~/.config/gtk-3.0/settings.ini
gtk-primary-button-warps-slider=0
Tuesday, June 18, 2019
PiShrink, Move from a large SD card to a smaller SD Card
Initially my Raspberry Pi was using a 32GB SD Card for its Raspbian installation. Since the device is only using for testing, it is a bit of a waste to run the OS on a large SD card. Hence, I am looking for a solution to clone the disk to a smaller SD Card. At the end, I found this nice little script called PiShrink from this blog, https://community.octoprint.org/t/pishrink-an-sd-card-backup/1791
The steps are very simple. You first create an image file from your SD Card. You can use good old dd command or like myself use the Disks utility comes with my Mint Linux Cinnamon installation. Then you run the script against your image. Finally, you restore your image back to the smaller disk with your favorite imaging tool such as dd or Disks.
Here is an example of using PiShrink
wget https://raw.githubusercontent.com/Drewsif/PiShrink/master/pishrink.sh
chmod +x pishrink.sh
sudo ./pishrink.sh raspbian_full.img
Saturday, May 25, 2019
NEXX WT3020F OpenVPN Client Setup
Although Raspberry Pi has much more powerful hardware if it is used as a VPN Router, it's wifi support and single LAN can be a problem to many. Also I found the current OpenWRT implementation for it can be flaky at times.
There are few OpenWRT supported travel routers on the market, and NEXX WT3020F is one of them.
Although OpenWRT can work as an OpenVPN client and has the luci-app-OpenVPN package to assist the configuration, I always find it too clumsy. This seems to change in versions after 18.6.2 (if you are 18.6.x, please follow this tutorial: https://blog.cavebeat.org/2018/02/vpn-tunnel-as-a-wan-interface-on-openwrt-lede-router/)
The luci-app-OpenVPN client in recent snapshots show that you can now configure the OpenVPN client by uploading an ovpn configuration file. This makes things so much easier!
To configure your OpenWRT router for OpenVPN, you
1) Upload the ovpn configuration file
2) Go to setting edit, and put in your credential in the auth-user-pass section box provided, and put the path of this "file" (see highlighed) next to the auth-user-pass option.
3) Set up the tunnelling (see my Raspberry Pi VPN Setup for steps), and you are ready to go!
3) Set up the tunnelling (see my Raspberry Pi VPN Setup for steps), and you are ready to go!
Update:
If you are using OpenWRT 18.6.x, please follow this tutorial. This tutorial is much simpler than many I found on the Internal. It shows you how to use ovpn to setup your VPN rather than transferring it setting using the luci-app-openvpn GUI.
https://blog.cavebeat.org/2018/02/vpn-tunnel-as-a-wan-interface-on-openwrt-lede-router/
Here are steps:
Transfer the ovpn file obtained from your VPN provider to /etc/openvpn
Here are the commands I used:
touch sigavpn_ny.ovpn
vi sigavpn_nv.ovpn
The first line creates an ovpn file, and the second line opens the file for editing. I transfer the content by simple copy and paste.
After pasting the contents, look for this line
auth-user-pass
Append this line with the path to the password file, e.g. /etc/openvpn/sigavpn_ny.auth
Now create the password file with the path you previously put in the ovpn file, e.g.
# assumed you are already in /etc/openvpn
touch sigavpn_ny.auth
vi sigavpn_ny.auth
The password file should have two lines. First line is your username, and the second line is your password.
Lastly, alter the openvpn file in /etc/config to link everything up, e.g.
config openvpn 'siga_vpn'
option enabled '1'
option config "/etc/openvpn/sigavpn_ny.ovpn"
Thursday, May 9, 2019
Set Up Openwrt with VPN on Raspberry Pi
After many attempts, I have finally configured my Raspberry Pi 3B+ as a VPN Router using OpenWrt.
Here I would like to share steps that work for me.
The OpenWrt image I used is from the snapshot branch, and its version is "OpenWrt SNAPSHOT r9947-165d598"
To write to my SD Card, I used Rufus(https://rufus.ie/).
The default LAN setup of OpenWrt on Raspberry Pi is static. Hence, the first thing to do is to change it to DHCP, so can connect to the Internet. The commands are:
ref: https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi
After, I use the opkg to install LUCI, so I can configure the rest using a GUI. The commands are:
Although my Raspberry Pi 3B+ comes with in-built wifi, I found it problematic when it is being used in 802.11n mode. Hence, I use a Realtek USB dongle instead. To get it recognized, you need to install additional modules:
Once all done, reboot the Raspberry Pi.
With LUCI is installed, you should be able to log onto your Raspberry Pi Openwrt using a browser.
In Network -> Wireless, you should see a new 802.11bgn adapter.
Next I create a WAN interface. I strongly advice you to name it "wan". This is because the default OpenWrt installation comes with a set of rules defined for "wan".
This newly created WAN interface is then bound the physical "eth0" interface., and is set to be a DHCP Client.
Once the WAN setup, it is time to remove the LAN's eth0 binding, but instead bridging it to the wifi interface.
Here is the tricky part. As in this point, you are likely to lose the connect to the Pi, and this often upset the OpenWrt setup, i.e. it may not apply all the changes. Hence, for this part, you may need to configure this part on the Pi itself, and using it command line interface.
Here is the lan DHCP settings in my /etc/config/dhcp
And here is the network settings for my /etc/config/network
If everything is okay, you should be able to use the IP you given to your Pi to log back into LUCI using wifi, e.g. 10.0.5.1
Test if you can connect to the Internet with the setup. If not, check your firewall setup. It should be similar to this.
If things are still good, then it is time to setup the VPN.
With the latest version of luci-app-openvpn, setting up VPN can't be easier. You just need to upload the ovpn file provided by your provider to OpenWrt, and you are almost there.
Once the configuration file is uploaded and accepted by OpenWrt, you should see something similar to below:
Press the Edit button, and edit the configuration to tell OpenWrt where it can find the VPN login credential.
Find the line auth-user-pass, and append it with the full path name to your username and password file, e.g. /etc/openvpn/WindscribeHk.auth.
The auth-user-pass (the text box underneath the "section to add an option 'auth-user-pass') should have two lines. The first line is your username and the second line is your password.
Commit the changes.
On the Overview page, tick the "enable" option and press start. (You may need to restart the router at this point)
Now, you have all the bits and pieces setup. Time to wire them up.
Firstly, you need to setup a tunnel interface as below:
This interface is bound to "tun0" (as setup by OVPN), and with protocol Unmanaged. This new interface is assigned to the WAN firewall group.
This is it. You can test your new setup with sites such ipleak.net to see if you are now hide behind you VPN.
N.B. The stable branch 18.6.04 is working on Raspberry Pi 3B+ now. However, it lacks wifi support, and you may need to use a dongle for WiFi.
As OpenWRT is running from a SD card under ext4 file system, it would be bad to just power off the Raspberry Pi without properly shutdown the system. To shutdown the system properly, you can either ssh into the Opeenwrt and run the poweroff command. Alternative, you can shutdown the system from LUCI if you have have the "luci-app-advanced-reboot" plugin installed.
Here I would like to share steps that work for me.
The OpenWrt image I used is from the snapshot branch, and its version is "OpenWrt SNAPSHOT r9947-165d598"
To write to my SD Card, I used Rufus(https://rufus.ie/).
The default LAN setup of OpenWrt on Raspberry Pi is static. Hence, the first thing to do is to change it to DHCP, so can connect to the Internet. The commands are:
uci set network.lan.proto=dhcp uci commit /etc/init.d/network restart
ref: https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi
After, I use the opkg to install LUCI, so I can configure the rest using a GUI. The commands are:
opkg update
opkg install luci
ref: https://openwrt.org/docs/guide-user/luci/luci.essentialsAlthough my Raspberry Pi 3B+ comes with in-built wifi, I found it problematic when it is being used in 802.11n mode. Hence, I use a Realtek USB dongle instead. To get it recognized, you need to install additional modules:
opkg install kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb kmod-usb-core kmod-usb-uhci
In addition, you need OpenSSL and OpenVPN modules for VPN support:
ref: https://www.makeuseof.com/tag/raspberry-pi-vpn-travel-router/
opkg install
openvpn-openssl luci-app-openvpn
Once all done, reboot the Raspberry Pi.
With LUCI is installed, you should be able to log onto your Raspberry Pi Openwrt using a browser.
In Network -> Wireless, you should see a new 802.11bgn adapter.
Next I create a WAN interface. I strongly advice you to name it "wan". This is because the default OpenWrt installation comes with a set of rules defined for "wan".
This newly created WAN interface is then bound the physical "eth0" interface., and is set to be a DHCP Client.
Once the WAN setup, it is time to remove the LAN's eth0 binding, but instead bridging it to the wifi interface.
Here is the tricky part. As in this point, you are likely to lose the connect to the Pi, and this often upset the OpenWrt setup, i.e. it may not apply all the changes. Hence, for this part, you may need to configure this part on the Pi itself, and using it command line interface.
Here is the lan DHCP settings in my /etc/config/dhcp
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
list dhcp_option '6,9.9.9.9,8.8.8.8'
And here is the network settings for my /etc/config/network
Reboot after changes are made. (or restart the network service)config interface 'lan'
option type 'bridge'
option netmask '255.255.255.0'
option proto 'static'
option ipaddr '10.0.5.1'
If everything is okay, you should be able to use the IP you given to your Pi to log back into LUCI using wifi, e.g. 10.0.5.1
Test if you can connect to the Internet with the setup. If not, check your firewall setup. It should be similar to this.
If things are still good, then it is time to setup the VPN.
With the latest version of luci-app-openvpn, setting up VPN can't be easier. You just need to upload the ovpn file provided by your provider to OpenWrt, and you are almost there.
Once the configuration file is uploaded and accepted by OpenWrt, you should see something similar to below:
Press the Edit button, and edit the configuration to tell OpenWrt where it can find the VPN login credential.
Find the line auth-user-pass, and append it with the full path name to your username and password file, e.g. /etc/openvpn/WindscribeHk.auth.
The auth-user-pass (the text box underneath the "section to add an option 'auth-user-pass') should have two lines. The first line is your username and the second line is your password.
Commit the changes.
On the Overview page, tick the "enable" option and press start. (You may need to restart the router at this point)
Now, you have all the bits and pieces setup. Time to wire them up.
Firstly, you need to setup a tunnel interface as below:
This interface is bound to "tun0" (as setup by OVPN), and with protocol Unmanaged. This new interface is assigned to the WAN firewall group.
This is it. You can test your new setup with sites such ipleak.net to see if you are now hide behind you VPN.
N.B. The stable branch 18.6.04 is working on Raspberry Pi 3B+ now. However, it lacks wifi support, and you may need to use a dongle for WiFi.
As OpenWRT is running from a SD card under ext4 file system, it would be bad to just power off the Raspberry Pi without properly shutdown the system. To shutdown the system properly, you can either ssh into the Opeenwrt and run the poweroff command. Alternative, you can shutdown the system from LUCI if you have have the "luci-app-advanced-reboot" plugin installed.
Labels:
3B+,
ext4,
luci-app-advanced-reboot,
OpenWRT,
poweroff,
Raspberry Pi,
safe shutdown,
sdcard,
VPN
Saturday, April 20, 2019
Tighten Up OpenWRT
To my surprise, the default firewall rules using in OpenWRT is not as strict as I would wish for. The default setup fails the SheildsUp Port Scanning test.
Luckily, the steps to rectify this is very simple, and they are (as found in https://www.techrapid.uk/2017/04/hardening-openwrt-security-grc-shieldsup.html):
Step 1: Open router web interface
Step 2: Drop all WAN ping reply
Luckily, the steps to rectify this is very simple, and they are (as found in https://www.techrapid.uk/2017/04/hardening-openwrt-security-grc-shieldsup.html):
Step 1: Open router web interface
- Select tabs Network - Firewall
- Select General Settings
- In wan:wan ? DROP
- Change input to drop, forward to drop
- Press save & apply
Step 2: Drop all WAN ping reply
- In Firewall tab
- Select Traffic Rules
- In Allow ping select edit
- Select action to drop
- Press save & apply
Your router now passed from Ping Echo test.
Device Clean Up
Every time you plug in an USB drive, it leaves a footprint in your system. It is okay if you only use a drive or two. However, if you have a few, then this can get a bit ugly.
You can tidy things up by removing them in the Device Manager, but you can only do this one at a time. This is a bit too clumsy. Alternative, you can use a tool such as DeviceCleanup Tool (https://www.uwe-sieber.de/misc_tools_e.html), which allows you to select multiple devices and delete together.
You can tidy things up by removing them in the Device Manager, but you can only do this one at a time. This is a bit too clumsy. Alternative, you can use a tool such as DeviceCleanup Tool (https://www.uwe-sieber.de/misc_tools_e.html), which allows you to select multiple devices and delete together.
Subscribe to:
Posts (Atom)