Routing local traffic to a remote outbound with pfSense Firewall and OpenVPN

The purpose of this article is to realize the local machine X can communicate over local router A running pfSense through the WAN gateway of the remote router B also with pfSense.


The lab environment

Local machine X:
[IP_ADDR]=192.168.0.254 [Mask]=255.255.255.0 [GW]=192.168.0.1

Local router A:
[IP_ADDR]=192.168.0.1 [Mask]=255.255.255.0 [GW]=Router_A_WAN_ADDR

Remote router B:
[IP_ADDR]=192.168.11.1 [Mask]=255.255.255.0 [GW]=Router_B_WAN_ADDR

OpenVPN client on router A:
[Mode]=TUN [Interface]=OVPN_A  [IPv4 Tunnel Network]=192.168.30.49/30

OpenVPN server on router B:
[Mode]=TUN [Interface]=OVPN_B [IPv4 Tunnel Network]=192.168.30.50/30


1. Establish an OpenVPN TUN tunnel between router A and B anyway. This is not the focus of this article.

2. Set a allow all rule for OVPN_B on router B

[Area]=OVPN_B
[Action]=Pass
[Interface]=OVPN_B
[Protocol]=Any
[Src]=any
[Dst]=any

3. Set an Outbound NAT on the firewall of router B

[Interface]=WAN
[Protocol]=Any
[Src]=192.168.0.0/24 (or any area you want)
[Dst]=any
[Translation addr]=Interface Address

4. Set a rule for routing traffic to OVPN_A on the LAN firewall table of router A

# Route all traffic of local machine X
[Area]=LAN
[Action]=Pass
[Interface]=LAN
[Protocol]=Any
[Src]=192.168.0.254
[Dst]=any
[Gateway]=OVPN_A

# Route specific destnation IP traffic
[Area]=LAN
[Action]=Pass
[Interface]=LAN
[Protocol]=Any
[Src]=any
[Dst]=192.168.11.1 (example)
[Gateway]=OVPN_A


Result: (Tested on local machine X)
> tracert 192.168.11.1

Tracing route to 192.168.11.1 over a maximum of 30 hops

1 20 ms 20 ms 20 ms 192.168.30.49
2 30 ms 30 ms 30 ms 192.168.11.1

Trace complete.

Use Doxygen to generate documents and diagrams or graphs for your source code

1. apt install required paackages

$ sudo apt update
$ sudo apt install doxygen dia graphviz

2. generate the Doxyfile

$ cd [SOME_PATH]
$ doxygen -g

3. edit the Doxyfile

OUTPUT_DIRECTORY = [YOUR_OUTPUT_DIRECTORY]
INPUT = [YOUR_SOURCE_CODE]
RECURSIVE = YES
EXTRACT_ALL = YES
EXTRACT_PRIVATE = YES
EXTRACT_STATIC = YES
CLASS_DIAGRAMS = YES
DIA_PATH = /usr/bin/dia
HAVE_DOT = YES
CLASS_GRAPH = YES
COLLABORATION_GRAPH = YES

4. run doxygen

$ doxygen [YOUR_Doxyfile]

5. result examlple

继续阅读Use Doxygen to generate documents and diagrams or graphs for your source code

Note: Setup collectd and collectd-web on Ubuntu/Debian

# apt install collectd

# nano /etc/collectd/collectd.conf

# service collectd start

# apt-get install git
# apt-get install python
# apt-get install librrds-perl libjson-perl libhtml-parser-perl libcgi-session-perl

# cd ~
# git clone https://github.com/httpdss/collectd-web.git
# cd collectd-web
# chmod +x cgi-bin/graphdefs.cgi

# nano runserver.py

Change listen IP address to 0.0.0.0

# ./runserver.py &

# killall python

Note: Add swap file to ubuntu

Check swap file

# swapon -s

Create swap file

# dd if=/dev/zero of=/swap.img bs=1G count=8

Set swap file right

chmod 600 /swap.img

Check swap file right

# ll /swap.img

Format swap file

# mkswap /swap.img

Activate swap file

# swapon /swap.img

Deactivate swap file

# swapoff /swap.img

Check swap

# swapon -s
# free -h

Auto mount swap fs

# echo "/swap.img none swap sw 0 0" >> /etc/fstab

Note: How to reverse proxy a Minecraft server with Nginx

Check your kernel version >= 4.9

uname -a

Enable BBR

sysctl -w net.core.default_qdisc=fq
sysctl -w net.ipv4.tcp_congestion_control=bbr
sysctl -w net.ipv4.tcp_notsent_lowat=16384
sysctl -p

Add stream config to /etc/nginx/nginx.conf

stream {
include /etc/nginx/tcp.d/*.conf;
}

Create a new config for Minecraft server

upstream [YOUR_MINECRAFT_SERVER] {
server [YOUR_MINECRAFT_SERVER]:[PORT];
}
server {
listen [PORT];
proxy_pass [YOUR_MINECRAFT_SERVER];

}

Test Nginx config

nginx -t

Reload Nginx

nginx -s reload

Optional: Add DNS SRV record

Name     _minecraft._tcp.[YOUR_MINECRAFT_SERVER].tld
Priority [0-65535]
Weight   [0-65535]
Port     [PORT]
Value    [YOUR_MINECRAFT_SERVER]

Note: How to use rsync without SSH

Server config: /etc/rsyncd.conf

uid = www-data
gid = www-data
max connections = 4
use chroot = no
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
#hosts allow = 0.0.0.0
#hosts deny = 192.168.100.0/24

[rsync]
path = /var/www/html
comment = rsync
auth users = rsync
ignore errors
read only = yes
list = yes
auth users = rsync
secrets file = /etc/rsyncd.pwd

 

Secret: /etc/rsyncd.pwd

rsync:rsync

 

Server run:

$ rsync --daemon --config=/etc/rsyncd.conf

 

Client connect:

$ rsync --list-only -rsh=rsh --port=873 [email protected]_TARGET_ADDRESS::rsync

 

How to boot BPI-M2U/M2B up from SATA device

BPI-M2 Ultra is a powerful Quad-Core ARMv7 based SBC (Single Board Computer) with a powerful Allwinner R40 SoC and 2 GiB DDR3 RAM. BPI-M2 Berry is a Raspberry Pi compatible version of M2U with V40 SoC, an automotive version of R40, and fewer RAM (1 GiB). They are software compatible.

For some reason we want to boot M2U from SATA device for better IO performance. The following photo shown how to connect a SATA HDD to M2U.

M2U_SATA

From design of Allwinner, the default boot devices sequence has been cured in the BOOT ROM of SoC. The priorities of boot devices from high to low are SD card > NAND > eMMC > NOR SPI Flash.

There is no SATA device right? NP, we can load and boot bootloader and U-Boot form a SD card. By setting the kernel cmdline in the uEnv of U-Boot, it will take over the right from SD card to the SATA device at the second boot stage.

So let’s start.

 

First prepare a bootable SD card from official released image, like this.

Then open the 256MiB FAT partition called BPI-BOOT.

Open and edit /bananapi/bpi-m2u/linux/720p/uEnv.txt. Attention: which file you need to edit depend on which bootloader you select with bpi-bootsel, the default bootloader will load the environment configuration from 720P.

Find this part of this file.

root=/dev/mmcblk0p2 rootfstype=ext4 rw rootwait bootmenutimeout=10 datadev=mmcblk0p2
console=earlyprintk=sunxi-uart,0x01c28000 console=tty1 console=ttyS0,115200n8 no_console_suspend consoleblank=0
bootopts=enforcing=1 initcall_debug=0 loglevel=4 init=/init cma=256M panic=10
volumioarg=imgpart=/dev/mmcblk0p2 imgfile=/volumio_current.sqsh rw rootwait

Change the three MMC block device to /dev/sda2, like that.

root=/dev/sda2 rootfstype=ext4 rw rootwait bootmenutimeout=10 datadev=sda2
console=earlyprintk=sunxi-uart,0x01c28000 console=tty1 console=ttyS0,115200n8 no_console_suspend consoleblank=0
bootopts=enforcing=1 initcall_debug=0 loglevel=4 init=/init cma=256M panic=10
volumioarg=imgpart=/dev/sda2 imgfile=/volumio_current.sqsh rw rootwait

Now we have a SD card to boot root file system on  the SATA device.

 

It’s easier to prepare the root filesystem on HDD. Just need to dd the original official released image to the HDD like a SD card. Then expand or resize the root fs like normal. Then power it up.

Now enjoy.