The Lone Geek Blog

One geek in a sea of nerds.

Moving VMDK Images Between ESXI and VBox

I did a thing that works but requires a little manual work to do...

About 10 days ago, I decided to shut down my server because my room was getting uncomfortably hot halfway into the night. Before I shut it down for the time being, I copied a couple of virtual machines that I wanted to keep up over to my continuously running file server: the VM I do my webdev work on and a small FTP server for the networked printer to upload scans to.

The process is fairly straightforward: download the VMDK disk image to my file server and create a .vbox file for VirtualBox. I kept the virtual NICs' MAC addresses so they'd get the same IPs from my pfsense box, but due to the NIC driver changes between the two hypervisors, I had to adjust the network config within the VMs. No biggie.

I gave the webdev VM 2 vCPUs and the FTP server just one, kept the RAM allocation the same, and as far as the guests are concerned it's almost like nothing happened. :)

When I decide to start using the room heater / VM box again, I can simply shut down the guests, make the minor networking changes again, and copy the disk images back over to fire them up on it.

Side note

The space heater computer has got me thinking about a second, cooler-running machine to run ESXi on as well; then it'd be a simple migration to and from as needed or desired. I'm thinking maybe a single Xeon E5-something or a 2nd or 3rd gen i7 CPU with 32GB of RAM and about 1TB of disk space ought to do.

Just making a public note. :) Cheers.

Installed an Amp in My Truck

because the factory deck just wasn't loud enough. ;)

I installed an amp in my truck 🚚 because I got tired of having to crank it almost to max just to make out the words in a podcast. The stock unit did OK with music, it just lacked any decent power to jam with. Initial testing yielded pleasant results.

The install procedure is typical: radio outputs to amp, amp outputs to speakers. I grabbed power from an old unused cigarette lighter and tucked all the wires and the amp into the dash. Sounds pretty good for ~$92 on Amazon. I have four 3-way speakers in the truck that were installed a few years ago. I tuned the radio to put more power to the back and reduce the highs from the fronts.

It sounds good and has better bass now that I don't need to turn the radio up so loud to hear it. It has me thinking about a subwoofer for that extra thump, but I don't know where I'd put it exactly, maybe under the driver's seat. ;)

Cheers.

DNS Over TLS Using PFsense

and why you need it.

Before I begin, this guy talks a bit about it and does it the "old" way for systems running version 2.4.3 and older.

In version 2.4.4, pfsense was updated to offer support within the web UI. Just three check boxes and your outgoing DNS traffic is encrypted. You can do a packet capture on port 853 of your WAN interface to verify. I did a scan on my network and discovered there is still some plain DNS traffic, but I'm unsure what to make of it. Some to Microsoft and some to "akadns.org" (some sort of CDN for something). Maybe I need to do some checking at some point.


For those who run unbound on other systems (or older pfsense boxes), you can try this bit of config to see if it works for you.

forward-zone:
    name: "."
    # forward-ssl-upstream is the older spelling; newer unbound releases call it forward-tls-upstream
    forward-ssl-upstream: yes
    # Cloudflare's public resolvers on the DoT port. The IPv4 addresses are assumed
    # from the IPv6 pair; to verify the upstream certificate, also set tls-cert-bundle
    # in the server: section, otherwise the TLS session is encrypted but not authenticated.
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 2606:4700:4700::1111@853
    forward-addr: 2606:4700:4700::1001@853
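The post's verification step is a packet capture on port 853 of the WAN interface, and the "some plain DNS traffic is still there" finding is exactly what that capture should surface. The script below, added here as an example and not part of the original post, reads `tcpdump -n` style lines and splits them into DNS-over-TLS (port 853), plaintext DNS (port 53) and everything else, listing which resolvers are still being queried in the clear. The capture text is constructed for the example with documentation addresses and example domains; it is not a real trace, and the line format is assumed to be tcpdump's default `-n` output.

```python
"""Classify WAN-side tcpdump output into DNS-over-TLS (port 853) and plain
DNS (port 53) flows, so the change can be verified from a capture instead of
by eye.  The capture text is constructed for this example with RFC 5737/3849
documentation addresses and example domains; it is not a real trace."""
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i <wan>` output. 203.0.113.5 and 2001:db8::5
# stand in for the router's WAN addresses; the 853 peers are Cloudflare's DoT resolvers.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.51234 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 203.0.113.5.51235 > 1.0.0.1.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000900 IP6 2001:db8::5.51236 > 2606:4700:4700::1111.853: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 203.0.113.5.50001 > 198.51.100.7.53: 4711+ A? telemetry.example. (35)
12:00:02.500001 IP 203.0.113.5.50002 > 198.51.100.7.53: 4712+ AAAA? telemetry.example. (35)
12:00:03.000001 IP 203.0.113.5.40000 > 192.0.2.80.443: Flags [S], seq 1, win 64240, length 0
12:00:04.000001 IP 203.0.113.5.50003 > 198.51.100.9.53: 4713+ A? cdn.example. (29)
"""

# "<time> IP|IP6 <src>.<sport> > <dst>.<dport>: <rest>" -- the last dot before the
# port separates address from port, which also works for IPv6 addresses.
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): (?P<rest>.*)$"
)
QNAME_RE = re.compile(r"\b(?:A|AAAA|PTR|MX|TXT|CNAME|SRV|NS|SOA)\? (\S+)")


def parse_line(line):
    """Return a dict with src/dst addresses, ports (int) and the trailing text, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def classify_capture(text):
    """Count DoT vs plain DNS packets; record (resolver, query name) for every plaintext query."""
    summary = {"dot": 0, "plain_dns": 0, "other": 0, "leaks": []}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dport"] == 853:
            summary["dot"] += 1
        elif pkt["dport"] == 53:
            summary["plain_dns"] += 1
            q = QNAME_RE.search(pkt["rest"])
            summary["leaks"].append((pkt["dst"], q.group(1) if q else "?"))
        else:
            summary["other"] += 1
    return summary


def leaking_resolvers(summary):
    """Plain-DNS destinations ranked by query count: the list to chase down next."""
    return Counter(dst for dst, _ in summary["leaks"]).most_common()


if __name__ == "__main__":
    result = classify_capture(SAMPLE_CAPTURE)
    print(f"DoT packets: {result['dot']}, plain DNS packets: {result['plain_dns']}")
    for resolver, count in leaking_resolvers(result):
        print(f"  plaintext queries to {resolver}: {count}")
```

On a real box the input would come from something like `tcpdump -n -i <wan> port 53 or port 853`, piped into the script; a capture that shows only port 853 traffic from the router's own address means the resolver change took, while any port 53 hits reveal either a client bypassing the local resolver or a process on the router that has its own DNS settings.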

Now to encrypt what little HTTP traffic I have without triggering Amazon and Netflix’s Anti-VPN/Tunneling block…

Enjoy!

Creating a Home Based Cloud Service

A log about my home cloud adventure

Idea of sorts

For the past few weeks I've been poking around a git repository listing a bunch of self-hosted software, to get an idea of what to play with on my lab server and maybe keep around, and that's when I came across the "file sharing and synchronization" section. I found some software called Pydio.

Pydio

This one was, or is, a bit tricky IMO. I started out with a simple Ubuntu VM (4 vCPU, 4GB RAM, 8GB system disk, 20GB data disk) and got that all set up and ready for the application; no biggie.

Attempt 1

I got the application running but ran into a tiny issue fine-tuning the datastores section so that all my data would be stored on the data disk and not on the system disk. What should have been a simple change of the paths wasn't: it kept saving data in the original locations and any attempt to remedy that seemed to fail. I can't get it to cooperate. I'm probably going to wipe the install and mount the data disk at .config/pydio and not worry about changing the paths within the app itself. That seems the easier method in my mind.

Attempt 2

Mounted the bigger disk at .config/pydio and now it seems to work. :/ Technology, eh?

Derp

Tried to change the URL the application loads from, and that just flat out broke it; I can't find a way to fix it without reinstalling again. The MySQL database is useless and the config still points to the server IP (I wanted to use a local DNS name). Oh well. Time to look for another one.

Seafile

Found an alternative to Pydio after a few Google searches. I must say, it was far easier and not so complicated to set up and configure: just download and run a bash script on a minimal server install. I've got it in a VM with 4 vCPUs, 1GB RAM and a 20GB vDisk, and it seems far more responsive than Pydio. I'm not sure what to do with it for now, so I'm going to shut these two VMs down to mess with at some point in the future.

I'll probably finish the config with a reverse proxy and set it to auto-start with the OS.

Conclusion

I'm probably going to delete Pydio and not bother with it anymore. I don't even understand where it defines the URLs to its various services. I checked the database and the only config file I found, in .config/pydio.

I may use Seafile for something, not sure what. Resilio Sync and Dropbox have served me well for local and remote file synchronization respectively. I just want something I can link my parents to so they can upload things to me without bothering with archives or anything complicated.

The adventure continues!

Isolating Machines Within a LAN

Creating an isolated segment within a bigger LAN

Today, I decided to try creating a single point-to-point connection from a host on my LAN to the pfsense box while at the same time preventing it from connecting to other devices on the LAN. This is not like a VLAN, where you'd have multiple networks on the same wires, but I think it's similar to how ISPs and some businesses engineer their networks.

I did it by creating a Virtual IP alias on pfsense to serve as the gateway, with a subnet mask of /22, then assigning the second IP on the client with the virtual IP as the gateway and pointing the DNS to that virtual IP as well.

[Screenshots: Windows IPv4 settings and Windows IPv4 DNS settings]

I then created aliases to point to the right things: allow rules for the host to pfsense and to specific hosts on the larger LAN, and a general deny rule to prevent the isolated host from connecting to any private IP. Pretty basic stuff.

[Screenshot: Firewall - Isolated IPs]

The goal is to isolate a thing while giving it access to the internet and approved nodes on the LAN. This is one method I've thought of short of replacing all the switches on the network with managed ones to do VLANs to different physical devices. I don't believe this is a foolproof method, as all it'd take is some program or privileged person with the knowledge to modify the host's IP settings and bump it back onto the main LAN. It should work just fine for what I intend to use it for.

I'm curious to see what kind of security risks this poses to the main LAN should an isolated device become infected with something. Some research is required on the matter.

I think the first real-world test will be to assign a computer on the isolated IP for my niece and nephew to use for school work. Maybe I can utilize OpenDNS for content filtering :) and, of course, grant them unprivileged permissions on the computer. Microsoft has some parental tools for reporting child activity that could be useful.

That’ll be it for now. Until next time, keep geeking out!

The Pfsense Box - Part 2

An update in my adventures of being a sysadmin at home.

Time for an update. I think I've figured out how stateful firewalls work now. I have 7 networks configured on it: 4 of them leading back to virtual networks on my server, one intended for the wireless network, an OpenVPN network, and the main one, which is of course my LAN.

The Networks

  • Main LAN - Has access to everything and consists of anything that can’t be placed on a VLAN yet.
  • WLAN - For wireless traffic, but likely will be devoted to guest use. Maybe I'll set up two, each taking a /25 segment.
  • OpenVPN - Not explicitly configured but can access the LAN and LAB_NET when a client connects remotely.
  • DMZ - Intended for one machine or VM at a time. Has no access to any other local network but machines on the Main LAN can access it, mainly for RDP access. I may fine tune the level of incoming access later for just RDP.
  • LAB_NET - For any VMs I don’t want on the LAN but still want access to. VMs here can access preapproved nodes on the LAN and nothing else.
  • WINLAB - For VMs within my Windows Server AD network. Has no outgoing access to anything. It is just set up so I can RDP to the Windows VMs. I need to lock down the incoming ports.

All networks but WINLAB can access the internet to varying degrees, to be defined later. It took 13 months before I finally learned how to properly configure the firewall to allow all this to work: learning the order of operations, how a rule can influence how the next one below it works, how deny rules placed before an allow rule can block all but allow some packets to flow, or something like that.

The DMZ can ping and look up DNS on the pfsense box, is denied access to all RFC1918 addresses, and is only permitted outgoing traffic on ports 80 and 443 to the WAN.

LAB_NET has 3 deny rules to WINLAB, DMZ, and VLAN100, 3 allow rules to 3 nodes on the LAN, and one LAB_NET-to-ANY rule with the destination inverted for the LAN, blocking all outgoing access to the LAN except the nodes I allow.

WINLAB has no rules defined, so pfsense just blocks traffic originating within the network.

^ That feels redundant but w/e.
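The DMZ and LAB_NET rule sets above, and the isolated-host rules from the earlier "Isolating Machines Within a LAN" post, all depend on the same thing the author spent 13 months learning: pfsense walks the rules top-down on the interface the packet enters, the first match wins, and anything unmatched hits the implicit block. The evaluator below is an added example, not code from the post or from pfsense. The subnets, the approved LAN hosts, the pfsense interface address and the port numbers are all constructed for the example; only the shape of each rule set follows the text. It also shows the failure mode the post alludes to: moving the "LAB_NET to !LAN" pass above the three block rules silently reopens WINLAB and the DMZ.

```python
"""First-match firewall rule evaluator modelled on the pfsense rule sets the
post describes for the DMZ and LAB_NET interfaces.  The subnets, host
addresses and interface IPs are constructed for this example; the rule
shapes (allow-then-deny-RFC1918, and deny-some / allow-some / allow-!LAN)
follow the text.  Like pfsense, rules are checked top-down on the interface
the packet enters and an implicit block applies if nothing matches."""
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed lab addressing, not the author's real networks.
LAN = nets("192.168.1.0/24")
DMZ = nets("10.10.10.0/24")
LAB_NET = nets("10.10.20.0/24")
WINLAB = nets("10.10.30.0/24")
VLAN100 = nets("10.10.100.0/24")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")
PFSENSE_DMZ_IF = nets("10.10.10.1/32")  # pfsense's own address on the DMZ interface
LAN_APPROVED = nets("192.168.1.10/32", "192.168.1.20/32", "192.168.1.30/32")


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: list
    dst: list
    dst_not: bool = False            # pfsense "invert match" on the destination
    proto: str = "any"               # "any", "tcp", "udp", "icmp"
    dports: frozenset = frozenset()  # empty means any destination port

    def matches(self, src_ip, dst_ip, proto, dport):
        if not any(src_ip in n for n in self.src):
            return False
        in_dst = any(dst_ip in n for n in self.dst)
        if in_dst == self.dst_not:   # inverted: match only when dst is outside the list
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return not self.dports or dport in self.dports


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """Action of the first matching rule, or 'block' for pfsense's implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "block"


# DMZ: DNS and ping to pfsense, nothing else private, then only web ports out.
DMZ_RULES = [
    Rule("pass", DMZ, PFSENSE_DMZ_IF, proto="udp", dports=frozenset({53})),
    Rule("pass", DMZ, PFSENSE_DMZ_IF, proto="icmp"),
    Rule("block", DMZ, RFC1918),
    Rule("pass", DMZ, ANY, proto="tcp", dports=frozenset({80, 443})),
]

# LAB_NET: three blocks, three approved LAN hosts, then anything that is *not* the LAN.
LAB_NET_RULES = [
    Rule("block", LAB_NET, WINLAB),
    Rule("block", LAB_NET, DMZ),
    Rule("block", LAB_NET, VLAN100),
    *[Rule("pass", LAB_NET, [h]) for h in LAN_APPROVED],
    Rule("pass", LAB_NET, LAN, dst_not=True),
]


def misordered_lab_rules():
    """The same LAB_NET rules with the !LAN pass moved to the top: the three
    block rules below it never fire, so WINLAB and the DMZ become reachable."""
    return [LAB_NET_RULES[-1]] + LAB_NET_RULES[:-1]


if __name__ == "__main__":
    checks = [
        ("DMZ host resolves via pfsense", DMZ_RULES, "10.10.10.50", "10.10.10.1", "udp", 53),
        ("DMZ host to LAN https", DMZ_RULES, "10.10.10.50", "192.168.1.10", "tcp", 443),
        ("DMZ host to internet https", DMZ_RULES, "10.10.10.50", "203.0.113.10", "tcp", 443),
        ("LAB_NET to approved LAN node", LAB_NET_RULES, "10.10.20.5", "192.168.1.10", "tcp", 22),
        ("LAB_NET to other LAN node", LAB_NET_RULES, "10.10.20.5", "192.168.1.99", "tcp", 22),
        ("LAB_NET to WINLAB, misordered", misordered_lab_rules(), "10.10.20.5", "10.10.30.5", "tcp", 3389),
    ]
    for label, rules, *pkt in checks:
        print(f"{label:34s} -> {evaluate(rules, *pkt)}")
```

The same evaluator covers the isolated-host setup from the earlier post, since that rule set has the DMZ shape (a few specific passes, then a block to RFC1918). It models only what the firewall sees; it cannot model the caveat the author raises, that a host which rewrites its own IP settings simply stops matching the isolated source address.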

Everything is subject to change as I learn more and build on it. I am currently working on a way to grant guest access to the WLAN and looking at getting a Ubiquiti UniFi WAP to replace the two routers turned WAPs sharing the same SSIDs and passwords, and hopefully gain some much desired wireless performance to boot. Our laptops will need upgrades to their wireless cards, but that would be an easy swap.

[Screenshots: Firewall - WAN, Firewall - LAN, Firewall - WLAN, Firewall - DMZ, Firewall - LAB_NET]

Err, small update. I originally wrote this on July 20th and not long after, I managed to break the config of my pfsense box and found out that the SSD I had installed had partially failed into a read-only state. Not even formattable. So I had to resort to using a USB flash drive and recover the lost config to get what I had recently set up back up and running. I still don't have Suricata, Squid, or pfBlocker running atm, as I need to rebuild their configs and set them up so they don't write to my flash drive and kill it. In due time.

I had just configured pfBlocker and was testing and playing with it when I got this wild idea to make /tmp and /var into RAM disks, not realizing that /var held at least a gigabyte of logs from Suricata and roughly 60GB of Squid cache. Welp, the system did NOT like that and refused to boot, and had the SSD been writeable, I could easily have reverted and recovered the system. The purpose of the RAM disk? To save writes on a disk with over 5TB of writes since I deployed it and only 50GB of reads. Seems backwards, but yeah, bad config.

Now the plan is to deploy the OS on flash media and save logs and cache to a spinning hard drive. I'd probably only need to mount the hard drive at /var and /tmp to RAM manually in /etc/fstab and be set. Perhaps some work in a lab and/or googling might help with this study. :)

So um, cheers. Keep hacking the things!

Car Radio for Powered PC Speakers

A thing about my PC Radio. :)

Here's the thing I use for sound on my desktop. It's not a typical set of powered satellite speakers. No, I use a car stereo, specifically a Jensen CD6112 that someone gave me. Overall, it's a good little radio. Any of them will do, the only requirement being an auxiliary input of some kind, 3.5mm or RCA. It sits in a box dad made a long time ago for the purpose of having a home made weather radio during a severe storm. I repurposed it several years ago for my computer. It previously had a radio that could tune to the weather channels but only had a cassette player and FM/AM tuners. That worked for a while till the sound quality got annoying, so I installed the Jensen from my old truck, which I had no use for. Details I'm not going into.

Anyhow, so I've got a box with the radio in it. Power is simple: it comes from a standard 12V 5A brick that is always on. There's a couple of 40W 3-way satellite speakers for sound, wired to the front channels of the radio only. I have a simple antenna that was originally screwed into the box, just kinda draped across my door frame. It's been hanging there just fine for years.

Audio from the computer runs through a standard 3.5mm cable into a KVM and out of that to the radio's rear RCA plugs.

The interesting bit, IMO, is how I wired it to turn on. First, there is a 5V relay powered by my PC that is wired in series with a switch hanging below my secondary monitor. The purpose is that when the switch is on, the radio turns on/off with the computer, but I can still turn off the radio while the computer is on. There is a secondary switch in the box that bypasses both the switch and the relay, essentially wired in parallel, in case I want to play the radio without the computer.

And that is that. To me it's a simple setup. :)

Oh, the sound quality is still better than most pre-built setups you'd get in an electronics store, IMO. That could be just the speakers themselves, but still. They get loud and bassy without the need for any kind of sub. I set the EQ to -2 Treble, +3 Bass.

Cue All About Dat Bass song

Automating Ubuntu 18.04 Installs

Automating Ubuntu 18.04 Installs and possibly older and newer versions

Now a month has passed since my last post and Ubuntu 18.04 is almost officially released. It'll be out on April 26th, 2018. I went ahead and started building a NetBoot ISO. I found a GitHub repository that contained what I needed. The script simply pulls the NetBoot ISO from a Ubuntu mirror of my choice, extracts it, injects my SSH keys, scripts, preseed file, and whatever else I decide to add. Once the build is prepped, it packs everything up into a nice little 58MB ISO file. From there, I boot the ISO, which then promptly runs through the preseed file and automatically does everything I configured it to do. Once installed and rebooted, I log in as root with my SSH key assigned to PuTTY or any SSH client, answer a couple of questions from a script I put together from the original repository, and it does some updating and reboots again. The end result is a system ready to do whatever with, with no visible traces that such an install took place. 🙂

The only thing I have to do is answer two questions after its first reboot, for the host name and domain name, then re-login after the 2nd reboot as the user name I chose at ISO build time.

Now my ISOs and preseed files utilize a local APT proxy on my network with the domain name "fileserver.sanlan" using the APT Cacher package. You can either set one up or rebuild the ISO.

I may re-add the local proxy if I can add a trusted root to my images to access the proxy securely and have HTTPS repos work. Atm, I must disable the proxy any time a script adds its own secured repo to the install.

The other repository I linked in my other post about Server Automation for Linux produced a full-sized 839MB ISO. This one does everything I need it to do, except that it requires the Internet to work, or mainly, a connection to the APT proxy I have (had) configured on my local network with all the files preloaded.

Some fine tuning might be needed once Ubuntu 18.04 is officially released, but as of today it's functional. The only scripts I modified from the original repository were build-iso.sh and preseed.cfg, and I added init-host.sh. I deleted the files for 17.10 since I didn't need or want them. I may carry my changes for 18.04 over to 16.04 for the heck of it. I edit both files at once.

You can’t say they didn’t get credit. 😛 They made the code, I simply modified it for myself. 😊

Enjoy my fellow nerds! 🖖

Update 2018/09/29: My scripts were updated to use a password file in the repository root with a plaintext password (for now) and to use the user running the script as the user for the image.

Commented out QEMU support in the build-disk.sh script and added simple VirtualBox support. The script just creates the .vbox file, registers it with the installed VirtualBox instance, creates the disk image and ISO image, then assigns them to the .vbox file with a bridged NIC.

System Installation Automation

Over the past 8 months or so, I’ve been playing with my Dell R710. It’s a nice system to play on but it could use some SSDs. One day I shall get some. My last post described a bit about it as it currently stands. This post shall be about what I’ve done as far as creating automated system installs for both Windows and Linux.

Windows Deployment Systems (WDS) + Microsoft Deployment Toolkit (MDT)

I know some people might frown on the idea, but my deployment system resides within my primary Windows Server 2016 lab VM, which also runs AD and TCP/IP routing to an isolated virtual network of things.

It took some time but I managed to build a system that’d prepare a Windows 10 VMware VM from creation to a functional system complete with drivers and a few apps preinstalled. I intend to add more when I think about it and eventually come up with some way to update the installers.

I’m going to include some configs of what I have so far.

The MDT Config lets me set up a VM complete with a select set of apps to do my things. It has so much potential that I’ve yet to explore. In due time I suppose. At present, it just installs vmware drivers specifically for VMs hosted on my ESXi Lab Server; notepad++, 7zip, and Google Chrome can be checked at the preinstall stage for whatever template I choose.

The WDS config is pretty basic. It'll let me automatically install Windows, but that's it. It took some time to figure out how to build it, but it works now. There's not much it can do on its own; that's where MDT comes in.

I have used the WDS system to net-install Windows to a physical machine at least once. No more CDs or USB sticks. :)

Unattended Linux Install ISOs

My efforts with Linux were somewhat easier. It took some effort, but with the help of an article I found, I was able to build an ISO that installs Ubuntu Server onto a freshly created VM with OpenSSH server, nano, and htop, along with a script to change the VM hostname and domain and do other things I configure it to do, like copy my SSH keys from a remote host to the system. :)

I put all the files up on GitHub to share: Unattended Ubuntu Repository

My Lab/Production Environment

An update on my lab server.

This will serve as an update to my lab since I bought it.

The current specs:

  • Dell PowerEdge R710
  • Dual Intel Xeon L5640
  • 64GB DDR3 ECC REG RAM
  • 2x 148GB SAS HDDs in RAID-1
  • 3x 600GB SAS HDDs in RAID-5
  • 1x 500GB SATA HDD in RAID-0

The server received a fan mod, as mentioned here, in my effort to keep its noise at a tolerable level. Now if and when I get some SSDs, I can get rid of the annoying sound the HDD heads make. I may keep them for storage or scratch space, but I don't want to hit them with random I/O as much. That's the primary cause of the noise.

It still runs VMware ESXi 6.5 and currently has 30 registered VMs. This number fluctuates as I create and delete VMs.

It still has my original Windows Server VM that runs my AD-related stuff and WDS+MDT. I have a Windows Server 2012 R2 VM for a currently undetermined purpose beyond testing. A few Linux servers for web development, an FTP server for printer scans, a mail server for… reasons, GitLab and a dedicated GitLab runner VM with its own private network between the two. I've played with making an automated Ubuntu server install ISO that works wonderfully (may blog on that at some point).

There is a standalone Win10 VM I leave running for various purposes. Resource usage is super low, so meh. There is a puppetmaster VM that I've yet to explore. All of those things are constantly running, though I may kill the puppetmaster till I learn more about it.

As for what's not constantly running: a domain member server (dmsrv1), dockerlabs to play with Docker, Kali Linux, MS SQL Server, OPNsense, a pfsense lab, a PowerShell lab, a PXE server (currently unconfigured), smallwall, a Linux webserver using Webmin+Usermin for the control panel, 3x Windows 10 client VMs for automated install testing, a Win10 development VM to host dev tools, a Win10 Insider VM, a Win10 client for VB Studio (the dev VM may have the same tools, I don't remember), a Win10 Enterprise VM, a Win7 Pro VM, and finally Xubuntu.

[Screenshots: ESXi UI]