The Lone Geek Blog

One geek in a sea of nerds.


The Pfsense Box - Part 2

| Comments

The Pfsense box - Part 2

Time for an update. I think I’ve figured out how statefull firewalls work now. I have 7 networks configured on it, 4 of them leading back to virtual networks on my server, one of them intended for the wireless network, a OpenVPN network, and the main one is of course my LAN.

The Networks

  • Main LAN - Has access to everything and consists of anything that can’t be placed on a VLAN yet.
  • WLAN - For wireless traffic but likely will be devoted to guest use. Maybe I’ll setup two, each taking a /25 segment.
  • OpenVPN - Not explicitly configured but can access the LAN and LAB_NET when a client connects remotely.
  • DMZ - Intended for one machine or VM at a time. Has no access to any other local network but machines on the Main LAN can access it, mainly for RDP access. I may fine tune the level of incoming access later for just RDP.
  • LAB_NET - For any VMs I don’t want on the LAN but still want access to. VMs here can access preapproved nodes on the LAN and nothing else.
  • WINLAB - For VMs within my Windows Server AD network. Has no outgoing access to anything. It is just setup so I can RDP to the windows VMs. I need to lock down the incoming ports.

All networks but the WINLAB can access the internet at varying degrees to later be defined. It took 13 months before I finally learned how to properly configure the firewall to allow all this to work. Learning the order of operations, how rules can influence how next one below it works, how deny rules placed before an allow rule can block all but allow some packets to flow or something like that.

The DMZ can ping and lookup dns on the pfsense box, is denied access to all RFC1918 addresses, and is only permitted outgoing traffic for ports 80 and 443 to the WAN.

The LAB_NET has 3 deny rules to WINLAB, DMZ, and VLAN100, 3 allow rules to 3 nodes on the LAN and one LAB_NET to ANY with the destination inverted for the LAN. Blocking all outgoing access to the LAN but the ones I allow.

The WINLAB has no rules defined so pfsense just blocks traffic originating within the network.

^ That feels redundant but w/e.

Everything is subject to change as I learn more and build on it. I am currently working on a way to grant guest access to the WLAN and looking at getting a Ubiquity Unifi WAP to replace the two routers turned WAPs and sharing the same SSIDs and passwords and hopefully gain some much desired wireless performance to boot. Our laptops will need a upgrades to their wireless cards but that would be an easy swap.

Firewall - WAN Firewall - LAN Firewall - WLAN Firewall - DMZ Firewall - LAB_NET

Err, small update. I originally wrote this on July 20th and not long after, I managed to break the config of my pfsense box and find out that the SSD I had installed had partially failed to a read-only state. Not even formattable. So I have to resort to using a usb flash drive and recover the lost config to get what I had recently setup back up and running. I still don’t have Suricata, Squid, or pfBlocker running atm as I need to rebuild the configs for them and setup so that they don’t write to my flash drive and kill it. In due time.

I had just configured pfBlocker and was testing and playing with it when I get this wild idea to make /tmp and /var into ramdisks. Not realizing that /var had at least a gigabyte of logs from Suricata and roughly 60gb of Squid Cache. Welp, the system did NOT like that and refused to boot and had the SSD been writeable, I could have easily reverted and recovered the system. The purpose of the ramdisk? To save writes to a disk with over 5TB of writes since I deployed it and only 50GB of reads. Seems backwards but yeah, bad config.

Now the plan is to either deploy the OS on flash media and save logs and cache to a spinning hard drive. I’d probably only need to just mount the hard drive to /var and /tmp to ram manually in the /etc/fstab file and be set. Perhaps some work in a lab and/or googling might help with this study. :)

So um, cheers. Keep hacking the things!

Car Radio for Powered PC Speakers

| Comments

Car Radio for Powered PC Speakers

Here’s a thing I use for sound for my desktop. It’s not a typical set of powered satellite speakers. No, I use a car stereo. Specifically, a Jensen CD6112 the someone gave me. Overall, it’s a good little radio. Any of them will do with the only requirement is a auxiliary input of some kind. 3.5mm or RCA. It sits in a box dad made a long time ago for the purpose of having a home made weather radio during the event of a severe storm. I re-purposed it several years ago for my computer. It had a previously had a radio that could tune to the weather channels but only had a cassette player and FM/AM tuners. That worked for a while till the sound quality got annoying so I installed the Jensen from my old truck that I had no use for. Details I’m not going into.

Anyhow, so I got a box with the radio in it. Now, power is simple. Power comes from a standard 12v 5A brick that is always on. There’s a couple 40w 3-way satalite speakers for sound and wired to the front channels only of the radio. I have a simple antenna that was originally screwed into the box just kinda draped across my door frame. It’s been hanging just fine for years.

Audio from the computer runs thru a 3.5mm standard cable into a kvm and out that to the radio’s rear RCA plugs.

The interesting bit, imo, is how I wired it to turn on. First, there is a 5v relay being powered by my PC that is wired in series of a switch hanging below my secondary monitor. The purpose being is when the switch is on, the radio turns on/off with the computer but I can still turn off the radio when the computer is still on. There is a secondary switch in the box that bypasses both switch+relay, essentially wired in parallel, in case I wanted to play the radio without the computer.

And that is that. To me it’s simple setup. :)

Oh, the sound quality is still better than most pre-built setups you’d get in a electronics store imo. That could be just the speakers themselves but still. They get loud and bassy without the need of any kind of sub. I set the EQ to -2 Treble, +3 Bass.

Cue All About Dat Bass song

Automating Ubuntu 18.04 Installs

| Updated on | Comments

Now a month has passed since my last post and Ubuntu 18.04 is almost officially released. It’ll be out on April 26th, 2018. I went ahead and and started building a NetBoot ISO. I found a GitHub repository that contained what I needed. The script simply pulls the NetBoot ISO from a Ubuntu mirror of my choice, extracts it, injects my SSH keys, scripts, preseed file, and whatever else I decide to add. Once the build is prepped, it packs everything up into a nice little 58MB ISO file. From there, I boot the ISO which then promptly runs thru the preseed file and automatically does everything I configured it to do. Once installed and rebooted, I then log in as root with my SSH key assigned to putty or any SSH client, answer a couple questions from a script I put together from the original repository, it does some updating and reboots again. The end result is a system ready to do some whatever with no visible traces that such an install took place. 🙂

The only thing I have to do is answer two questions after it’s first reboot for the host name and domain name then re-login after the 2nd reboot as my chosen user name configured at ISO build time.

Now my ISOs and preseed files utilize a local APT Proxy on my network with the domain name “fileserver.sanlan” using the APT Cacher package. You can either set one up or rebuild the iso.

The other repository I linked in my other post about Server Automation for Linux produced full sized 839MB ISO. This one does everything I need it to do except it requires the Internet to work or mainly, a connection to the APT Proxy I have configured on my local network with all the files preloaded.

Some fine tuning might be needed once Ubuntu 18.04 is officially released but as of today, it’s functional. The only scripts I modified from the original repository was build-iso.sh, preseed.cfg, and added init-host.sh. I deleted the files for 17.10 since I didn’t need or want them. I may carry my changes for 18.04 over to 16.04 for the heck of it.

You can’t say they didn’t get credit. 😛 They made the code, I simply modified it for myself. 😊

Enjoy my fellow nerds! 🖖

System Installation Automation

| Comments

Over the past 8 months or so, I’ve been playing with my Dell R710. It’s a nice system to play on but it could use some SSDs. One day I shall get some. My last post described a bit about it as it currently stands. This post shall be about what I’ve done as far as creating automated system installs for both Windows and Linux.

Windows Deployment Systems (WDS) + Microsoft Deployment Toolkit (MDT)

I know some people might frown on the idea but my deployment system resides within my primary Windows Server 2016 Lab VM also running AD and TCP/IP Routing to a isolated virtual network of things.

It took some time but I managed to build a system that’d prepare a Windows 10 VMware VM from creation to a functional system complete with drivers and a few apps preinstalled. I intend to add more when I think about it and eventually come up with some way to update the installers.

I’m going to include some configs of what I have so far.

The MDT Config lets me set up a VM complete with a select set of apps to do my things. It has so much potential that I’ve yet to explore. In due time I suppose. At present, it just installs vmware drivers specifically for VMs hosted on my ESXi Lab Server; notepad++, 7zip, and Google Chrome can be checked at the preinstall stage for whatever template I choose.

The WDS Config is pretty basic. It’ll let me automatically install windows but that’s it. It took some time to figure out how to build it but it works now. There’s not much it can do on it’s own, that’s where MDT comes in.

I have used the WDS system to netinstall windows to a physical machine at least once. No more CDs or USB sticks. :)

Unattended Linux Install ISOs

Now for my efforts with Linux was somewhat easier. It took some effort and with the help of an article I found, I was able to build an ISO that would install Ubuntu Server onto a freshly created VM with OpenSSH Server, nano, and htop along with a script to change the VM hostname and domain and do other things I configure it to do like copy my ssh keys from a remote host to the system. :)

I put all the files up on github to share. Unattended Ubuntu Repository

My Lab/Production Environment

| Comments

This will serve as an update to my lab since I bought it.

The current specs:

  • Dell PowerEdge R710
  • Dual Intel Xeon L5640
  • 2x 148GB SAS HDDs in RAID-1
  • 3x 600GB SAS HDDs in RAID-5
  • 1x 500GB SATA HDD in RAID-0

The Server received a fan mod as mentioned here in my effort to keep it’s noise at a tolerable level. Now if and when I get some SSDs, I can get rid of the annoying sound the HDD heads make. I make keep them for storage or for scratch space but I don’t want to be hitting them with random I/O as much. That’s the primary cause for the noise.

It still runs Vmware ESXI 6.5 and currently has 30 registered VMs. This number fluctuates as I create and delete VMs.

It still has my original Windows Server VM that runs my AD related stuff and WDS+MDT. I have a Windows Server 2012 R2 VM for a currently undetermined purpose beyond testing. A few linux servers for web development, ftp server for printer scans, mail server for… reasons, gitlab and a dedicated gitlab runner vm with it’s own private network between the two. I’ve played with making an automated ubuntu server install iso that works wonderfully (may blog on that at some point).

There is a standalone Win10 VM I leave running for various purposes. Resource useage is super low so meh. There is a puppetmaster vm that I’ve yet to explore. All of those things are constantly running though I may kill the puppetmaster till I learn more about it.

For what’s not constantly running. A domain member server (dmsrv1), dockerlabs to play with docker, Kali Linux, MS-SQL Server, Opnsense, pfsense lab, powershell lab, pxe server (currently unconfigured), smallwall, a linux webserver using webmin+usermin for the control panel, 3x Windows 10 Client VMs for automated install testing, Win10 Development VM to host Dev tools, Win10 Insider VM, Win10 Client for VB Studio (the dev vm and it may have the same tools, I don’t remember), Win10 Enterprise VM, Win7Pro VM, and finally Xubuntu.





My Pfsense Box

| Comments

Image of pfsense box

This is my pfsense box, the dell optiplex 790 computer there. I use it in place of a consumer router since the ones I’ve used in the past would quickly approach their limits. They just couldn’t handle the growing collection of internet connected devices. I have a Netgear WNDR3700v3 and TP-Link W8980v1 serving as Wi-Fi Access Points that used to serve as the home router until they started crashing or dropping connections.

I’ve been using Pfsense for about 8 months now. It can be tricky to use at times but I mainly take advantage of it’s unbound service and bandwidth tracking features. I like knowing about how much traffic goes in and out of my network. :) Unbound just lets me use custom domain names for local services instead of messing around with port numbers or host files. VLAN support can be useful once I learn how to use the firewall to shuffle traffic where I want. When I configure it to pass traffic to/from somewhere, it doesn’t always work. Probably just user error.

The pfsense box has a i5-2400 with 8GB of RAM, a Quad Intel Gigabit PCI-E Slim Card, and a Sandisk 120GB SSD. Plenty of resources to do what I want and hopefully last a long time. The SSD doesn’t see very many writes besides periodic logging and squid caching. Though the SSD somehow saw about 2.367TiB of writes but 26GiB of reads as of this writing. That could have been from me playing with squid several months ago and collecting but never using the cache it saved and ended up deleting. Oh well, it should have plenty of life. Not like I store a whole lot on it.

pfsense UI

Pfsense UI

PSA: Don't Pull on the Wires!

| Comments


Don’t do this. This is bad. Stop pulling on the flexy bits, take your hands and grasp the hard part and gently remove the cable from your device.

Cables are cheap, yes, but avoiding expensive fires from shorting the wires out and melting things is a whole lot better. Just. Stop it. K?

Migrating From Virtualbox to Hyper-V and Back

| Comments

Today, I decided to try and migrate a few VMs I have on Virtualbox to Hyper-V and it didn’t go so well. It’d probably had worked out kinda ok if I just did fresh installs but I went the disk conversion route.

So I converted the virtual disks twice, VDI (Virtualbox’s Default) > VHD (A more universal disk) > VHDX (For Hyper-V). That was fun.

Only to find out that 1) Windows 7 must have been installed wrong on Virtualbox with a SATA controller so I couldn’t get it to boot on Hyper-V no matter what I tried. It kept blue-screening with the error 0x0000007B. I googled it and tried some registry “hacks” to start the IDE service (I think) but it kept failing. To edit the registry, I had to mount the VHD to my windows host and open the system hive in the local registry editor.

That was pointless

That quickly got annoying so I turned my attention to Windows XP. That worked out a little better as it was installed on Virtualbox with a IDE Controller. Got it running under Hyper-V… annnnd hello 800x600 32bit resolution that maxed at 1024x768 with the generic drivers Hyper-V (I assume) gave it. It was missing the video drivers and two unknown devices. I got networking up with the Hyper-V Legacy Network Controller but Windows XP still couldn’t find any drivers.

At that point, I tried to find some sort of driver pack iso for Hyper-V like Virtualbox has and no joy. That instantly turned me off on Hyper-V and I deleted everything associated with it and removed the feature from the windows host. I’d expect this kind of trouble from Linux VMs but they worked better than the 8+ year old operating systems. Imagine that. Oh well, can’t say I didn’t try. Maybe I’ll try again with Hyper-V on a independent server and not migrate anything older than Windows 8 or Server 2012.

I would have kept Hyper-V itself installed if it didn’t pull virtualization support from the host for Virtualbox to run right. Given the way Hyper-V integrates itself and runs right on the bare metal, below the host OS, I can understand why but still. I would have thought there’d be some sort of VT-X passthru, if that’s technically possible though.

The only thing it had going for it was VLAN support on a per VM or per physical NIC bases and auto start/stop of the vms with the host. Maybe some other time in the future.

I did this on my Dell Precision T3610 Workstation with an Intel Xeon E5-1650 v2, 16GB DDR3 ECC RAM, a secondary Toshiba 128GB SSD with a Samsung EVO 840 128GB SSD primary.


Finishing the Fan Mod on the R710

| Comments

So I finished the fan controller mod on my R710. Now all you see is a nob sticking out where a tape drive might be installed. :)


The controller is based on an Arduino Nano with a 10k Potentiometer for control. Positive and Negative from the power supply for the Arduino and outside posts of the Potentiometer. Center post goes to A0. D3 of the Arduino goes directly to the PWN pins of the fans. There is a 1uF capacitor on the reset and ground pins to force the Arduino to reset upon power up so the program doesn’t freeze and let the fans go full throttle.

I used 2 pin connectors for power to the Arduino from the HDD Backplane Power Cable and a 3 pin connector from the Arduino to the Pot. Another 3 pin connector to connect the fans to the Arduino. This is so everything can be removed in pieces as needed. As an added feature, I also brought out power to a USB 3 Card in the rear of the Server. Just 5V is needed for everything.

The code:

int pwm = 3; // assigns pin 12 to variable pwm
int pot = A0; // assigns analog input A0 to variable pot
int t1 = 0;   // declares variable t1
int t2 = 0;   // declares variable t2
void setup()  // setup loop
  pinMode(pwm, OUTPUT); // declares pin 12 as output
  pinMode(pot, INPUT);  // declares pin A0 as input
void loop()
  t2= analogRead(pot); // reads the voltage at A0 and saves in t2
  t1= 1000-t2;         // subtracts t2 from 1000 ans saves the result in t1
  digitalWrite(pwm, HIGH); // sets pin 12 HIGH
  delayMicroseconds(t1);   // waits for t1 uS (high time)
  digitalWrite(pwm, LOW);  // sets pin 12 LOW
  delayMicroseconds(t2);   // waits for t2 uS (low time)

And the USB 3 Card.


Keeping Things Cool

| Comments

hmm, running my server at night with the door closed still might not be the best decision. :/ in just a few hours, like 4 or 5 hours, it elevated my room to uncomfortable levels and disrupted my sleep while I was practically naked over the covers (just undies). I’m naturally hot so not good. I don’t have to do anything to sweat, it just happens. anyway, I need a better solution.

  1. Continue to shutdown the server at night while the door is closed to give the AC a break.
  2. Leave the door open and let the AC run more often than dad likes, potentially freezing them at the other end of the house because of our weird vent layout. (how rooms get colder the farther away than the ones closest to the unit, is beyond me)
  3. Install a vent above the door to allow air to circulate without having to keep the door open all the time.
  4. Replace the server with something more efficient for 24/7 runtime and either keep or sell the R710 (preferably keep and just upgrade it for ram hungry tasks during the day if I wanted). I do have a “small” OptiPlex running as a server but it doesn’t have a hdd setup or enough ram or cpu power to run a handful of windows servers and whatnot. I just use it for plex and a few small Linux VMs.
  5. Consider single room AC units. I like the wall mounted bar shaped ones. They are expensive but silent. That could easily keep a small rack of servers cool if I ever build up a collection of them.

I’d probably end up doing #4 anyway. I was considering that simply for the noise levels of the R710 but after my “quick” fan mod, it’s quiet enough to run 24/7 if I wanted to and still coexist in the same room all day. It’s just, as it turns out, I ran into a cooling issue. lol. I’ll likely alternate between #1 and #2 until I find another powerful but cheap used computer that’ll run ESXI.

The temperature issue kinda sucks. I really like my R710. Even better with the fan mod. Speaking of, I need to mod it into the chassis somehow. There’s a little bay below the DVD Drive that I’m guessing was for a tape drive years ago, it only measures like 4 inches with my handy ruler. Too narrow for a 3.5” HDD and way too narrow for a 5.25” ODD or panel. So I thought of poking a hole in the grill and mount the potentiometer and secure the Arduino somehow or pick up a Chinese PWM generator and mount that in that space. I will also need to source 5v power for either solution but I have a couple ideas on that for a future post.

I think that’s it for now, cheers my fellow nerds!