Best posts made by EddieJennings

This weekend I failed to deploy my ERLs, because of a traffic issue occurring with one of the two.

ERL1 = local office ERL. I was able to test the configuration and found it to function with no problems. Traffic passed fine to the devices with 1-to-1 NAT

ERL2 = data center ERL. Due to [reasons] it was not possible to test this prior to the deployment attempt; thus, I mimicked the configuration of the known, working ERL1 as much as I could, obviously changing IP addresses as necessary. Traffic for hosts that weren't involved with 1-to-1 NAT worked fine. Traffic for hosts that had 1-to-1 NAT failed, which makes me think the issue is with how I've configured NAT.

Configuration caveats:

• Security through obscurity: I've altered the IP addresses of the hosts and interfaces, but they should be valid for the /24 and /28 networks involved.
• The old Cisco ASA had two interfaces in the outside-VLAN with one address assigned to them. eth1 will eventually be that second interface.
• I was so focused on just getting Internet connectivity to all of the hosts, I did not test the success of the site-to-site VPN.
• All configurations (except the obscuring of the IP addresses) were done using the GUI.

This is the configuration of the ERL2 as it was Saturday night.

Here's the current question: Do you folks see a problem with the NAT configuration? There should be 1-to-1 NAT for the IIS server and PostFix server. All other hosts (SQL server, etc.) use NAT-overload as its destination NAT.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action drop
            description "Deny traffic from 74.6.168.184"
            log disable
            protocol all
            source {
                address 74.6.168.184
            }
        }
        rule 20 {
            action drop
            description "Deny traffic from 23.253.40.182"
            log disable
            protocol all
            source {
                address 23.253.40.182
            }
        }
        rule 30 {
            action drop
            description "Deny traffic from 72.30.14.0/24"
            log disable
            protocol all
            source {
                address 72.30.14.0/24
            }
        }
        rule 40 {
            action accept
            description "Allow HTTP to IIS"
            destination {
                address 172.16.254.12
                port 80
            }
            log disable
            protocol tcp
        }
        rule 50 {
            action accept
            description "Allow HTTPS to IIS"
            destination {
                address 172.16.254.12
                port 443
            }
            log disable
            protocol tcp
        }
        rule 60 {
            action accept
            description "Allow FTP to IIS"
            destination {
                address 172.16.254.12
                port 21
            }
            log disable
            protocol tcp
        }
        rule 70 {
            action accept
            description "Allow SMTP to PostFix"
            destination {
                address 172.16.254.14
                port 25
            }
            log disable
            protocol tcp
        }
        rule 80 {
            action accept
            description "Allow SMTP-SSL to PostFix"
            destination {
                address 172.16.254.14
                port 465
            }
            log disable
            protocol tcp
        }
        rule 90 {
            action accept
            description "Allow SMTP-MSA to PostFix"
            destination {
                address 172.16.254.14
                port 587
            }
            log disable
            protocol tcp
        }
        rule 100 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 65.254.219.164/28
        address 65.254.219.165/28
        address 65.254.219.166/28
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 172.16.100.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 172.16.254.1/24
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "Outside to IIS"
            destination {
                address 65.254.219.165
            }
            inbound-interface eth0
            inside-address {
                address 172.16.254.12
            }
            log disable
            protocol all
            type destination
        }
        rule 2 {
            description "Outside to PostFix"
            destination {
                address 65.254.219.166
            }
            inbound-interface eth0
            inside-address {
                address 172.16.254.14
            }
            log disable
            type destination
        }
        rule 5000 {
            description "IIS to Outside"
            log disable
            outbound-interface eth0
            outside-address {
                address 65.254.219.165
            }
            protocol all
            source {
                address 172.16.254.12
            }
            type source
        }
        rule 5001 {
            description "PostFix to Outside"
            log disable
            outbound-interface eth0
            outside-address {
                address 65.254.219.166
            }
            protocol all
            source {
                address 172.16.254.14
            }
            type source
        }
        rule 5002 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    gateway-address 65.254.219.161
    host-name erl-peak10
    login {
        user SomeUser {
            authentication {
                encrypted-password GIBBERISH.
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer 50.241.10.49 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret GIBBERISH
                }
                connection-type initiate
                description Office
                ike-group FOO0
                ikev2-reauth inherit
                local-address 172.16.254.1
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 172.16.254.0/24
                    }
                    remote {
                        prefix 172.16.253.0/24
                    }
                }
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.7+hotfix.4.5024004.171005.0403 */

@scottalanmiller Seems less inflammatory than me admitting I doubled-checked a number before making a post.

@mike-davis I'm finally getting around to updating my own site. I just re-added my private saxophone lesson rates tonight.

@scottalanmiller said in What Are You Doing Right Now:

@EddieJennings said in What Are You Doing Right Now:

Trying to fix a broken install of Yosemite Server Backup.

Veeam has a patch for that.

Youtube Video

I'm finally getting to the point where I'm planning how all of this will work. This is the end goal for the server hardware.

Hyper-V Host 1 (former physical Server 2 - SQL Server)

• Will be running the new production VMs
• Six S3500 SSDs configured in RAID 5. Two SSDs will be taken from former Server 1, and two SSDs taken from former Server 3.

Hyper-V Host 2 (former physical Server 1 - IIS server)

• Will be running most likely Veeam VM and storing backups
• Four Seagate Enterprise 4 TB HDDs in RAID 10. -- currently reviewing storage needs for backups, so this could change

Hyper-V Host 3 (former physical Server 3 - the Yosemite backup server, Redis, and host for PostFix VM)

• Purpose to be determined
  *Four S3700 SSDs configured in Raid 5. These SSDs will be taken from former Server 2.

Since I'll be swapping hard drives between servers, there's going to be downtime, so I'm thinking through how I can reduce how much downtime there will be. The below plan isn't set in stone, but rather just ideas.

I would start by copying the data used by the IIS virtual folders to an external device. Once that initial copy is done, I would take the production systems offline. I would take a backup of SQL server and copy it to the external device, as well as copy whatever files are new and have changed with the IIS virtual folders (I love robocopy.)

Next, I would do all of the disk swapping from above, install and patch Hyper-V on each of the systems, and configure networking. Then I would create the production VMs, configure the servers and patch, copy the data from the external storage, and restore the SQL server backup.

There are probably better ways of doing this. Articulating the above helps my thought process. I had a text document with another plan, which I subsequently deleted, for as I was writing and thinking, I realized how flawed it was.

@dafyre Ha! Just realized I misread the question. It's taken a few years, but I'm getting "this person starts tomorrow" far less now.

@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@dashrender said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

Thanks to @Dashrender for the assist.  It looks like the problem was authentication.  I authenticated to the VPN using domain\username rather than using the User Principal Name.  Doing the latter allowed me to reach DFS shares.

Woops, that's crazy but definitely there is an issue with DNS

huh?

If the user cannot login with UPN there is an issue with DNS.... As you should be able to use domain.com.

User can login with UPN. They were using the old domain\username method rather than UPN, which apparently caused problems with accessing stuff via the DFS namespace.

@NerdyDad http://www.project1999.com/

I'm thinking through what I can reasonably do with this lab machine. My plan is to put it in colocation. Yes, I know I could do all of this cheaper with [insert service here] and [insert VPS provider here], but the point of the exercise to gain some experience managing something in colo.

Current hardware: Dell R310, 32 GB RAM, Xeon X430 quad core 2.4 ghz, two 2 TB SATA drives in RAID 1 running KVM (Fedora)

"Permanent" VMs

Fedora VM (firewall)
1 GB RAM
1 vcpu
20 GB disk

FreePBX
1 GB RAM
1 vcpu
25 GB disk

NextCloud
2 GB RAM
2 vcpu
500 GB disk

Zimbra
8 GB RAM
2 vcpu
50 GB disk

VM for backups (which would replicate data to something like Backblaze)
2-4 GB RAM
1-2 vcpus
1200 GB disk

Remaining RAM: ~16 GB
Remaining Disk: ~200 GB

Potential other VMs

3-5 Windows VMs for various learning objectives, each with 2 GB RAM, 1 vcpu, and 30 GB disk space

If 5 additional VMs are deployed. . .
Remaining RAM: ~6 GB
Remaining Disk: ~50 GB

Disk space isn't a great concern, since for about $290 I can get two more 2 TB drives, put them in a RAID 10 and have 4 TB of usable space. I'm more concerned with RAM. The "potential other VM" will be setup and destroyed as needed, so I can function with the hardware I have; however, I'm sure eventually I'll have projects which will become permanent VMs. This makes me consider contributing that $290 to an overall beefier server.

@DustinB3403 Steam this time around.

This looks like it worked. I added this line to the appropriate network using virsh net-edit:

<route address='0.0.0.0' prefix='0' gateway='192.168.100.1'/> (yes, the final subnet decision was to use 192.168.100.0/24).

That created a default route, which shows up with ip route show. If I can get DNS resolution, then I'm all set .

Is it just me, or does it seem silly that I have to download and install a separate module in order to do Windows updates via PowerShell for my Hyper-V 2016 host?

It seems like such functionality should be built in (think yum update). Perhaps I'm missing something that's already there.

@scottalanmiller said in Fedora 27 and Outgoing Email:

@aaronstuder said in Fedora 27 and Outgoing Email:

@scottalanmiller so do I even need postfix?

Yes, mailx is only a client, it's telling Postfix to send it. if you wanted to send through Postfix by hand, you could.

Fun = telnet to postfix and send E-mail that way

System76 laptop arrives tomorrow

I've found roaming profiles to be the source of headaches and frustration. Your mileage may vary though, and it's entirely possible I did a less-than-stellar job implementing roaming profiles (was a few years ago). I found folder redirection (with DFS namespace) without roaming profiles achieved most of what I wanted and was more reliable.

@hobbit666 I discovered windirstat 3 years ago. My life was forever changed.

So about that nginx reverse proxy...

:face_with_stuck-out_tongue:

And so the adventure begins. FreePBX instance on Vultr is installing and voip.ms account has been created

I've found a far better thread for discussing the merits of text editors. Enjoy

With the exception of the last 10 minutes doing guild tasks on Project 1999, I've spent all evening messing with vultr, voip.ms, freepbx, and my Cisco ASA -- at least I'm loving my System76 laptop.