IT – NyaMoe – いつ空

Build a customized iPXE firmware and deploy a chain loading environment

As the number of devices in my network has increased, so has the workload of performing maintenance on these systems. From time to time I need to use some rescue systems, such as WinPE and Linux LiveCD. Mounting boot images for them often requires the use of a corresponding management tool or out-of-band management, such as IPMI or BMC manager. The physical machine even needs to burn a USB boot disk.

Preboot eXecution Environment, the abbreviation is PXE, provides a mechanism for booting a computer using the NIC. This mechanism allows the computer to boot without relying on a local data storage device (such as a hard disk) or a locally installed operating system.

So I noticed that there is an open-source PXE firmware called iPXE. Building a customized iPXE firmware is simple according to the wiki page of iPXE.

sudo apt update
sudo apt install git gcc binutils make perl liblzma-dev mtools
git clone git://git.ipxe.org/ipxe.git
cd ipxe/src
make

I need the chain loading function, so I need to add some parameters during the building process like this.

make bin/nm-undionly-20211002-1a.kpxe EMBED=nmboot.ipxe
make bin-x86_64-efi/nm-ipxe-20211002-1a.efi EMBED=nmboot.ipxe

Now I get both legacy BIOS and UEFI PXE firmware embedded my own chain loading script nmboot.ipxe. The script is quiet simple, just chaining the entry point from my HTTP server.

#!ipxe
   
dhcp
chain http://172.16.0.11/pxe/ipxe/boot.php

The advantage of this is that it minimizes the size of iPXE firmware for the NIC PXE to be downloaded from the TFTP Server, i.e., the Next Server that has been given by DHCP server. Because of the slow loading speed over TFTP.

My home lab use pfSense as my gateway and DHCP server, the DHCP server config is quite simple.

The next step is just to prepare the file on the http server. Refer here.

It’s done!

Reference:

https://ipxe.org/

https://gist.github.com/robinsmidsrod/2234639

https://fogproject.org/

Provision a CAP-only SKU Aruba wireless AP to VC

I recently had a problem with my newly purchased Aruba AP-305 not being able to be added to the VC. The solution was discovered through research.

Firstly, use the following command to show the provisioning log:

show log provision

If you got something like “ADP info: CAP-only sku. Will set it as standalone mode“. This is due to the lack of CCODE (i.e. Country-Code) in this AP. The solution is also simple.

Connect the serial cable to the console port of Aruba AP
Reset the AP
Hit any key to break into apboot >

proginv system ccode CCODE-[CC]-[SHA1]

(replace [SHA1] with the SHA-1 hash of “[CC]-[SN]” ([CC] is your AP’s Restricted Regulatory Domain, like RW, US, JP and IL), and [SN] is the serial number)

US – Restricted Regulatory Domain – US
JP – Restricted Regulatory Domain – Japan
IL – Restricted Regulatory Domain – Israel
RW or UNRST – Rest of the World (Unrestricted)

For example CCODE-RW-de6fdb363ff04c13ee261ec04fbb01bdd482d1cd

invent -w

dhcp

setenv serverip [TFTP_Server_IP]

upgrade os 0 [ArubaInstant_Firmware]

upgrade os 1 [ArubaInstant_Firmware]

10.

factory_reset

11.

saveenv

12.

reset

Now it’s done.

Solution for unable resolving an A record with an intranet address when using pfSense

If you are having trouble resolving a domain name with an A record as an intranet address when using pfSense, add the following field to the Custom options of your DNS Resolver settings.

server:
private-domain: "example.com"

继续阅读

Solution of ESXi cannot wget over HTTPS

esxcli network firewall set --enabled false

wget https://example.com/folder/file -P /vmfs/volumes/datastore/folder

esxcli network firewall set --enabled true

Routing local traffic to a remote outbound with pfSense Firewall and OpenVPN

The purpose of this article is to realize the local machine X can communicate over local router A running pfSense through the WAN gateway of the remote router B also with pfSense.

The lab environment

Local machine X:
[IP_ADDR]=192.168.0.254 [Mask]=255.255.255.0 [GW]=192.168.0.1

Local router A:
[IP_ADDR]=192.168.0.1 [Mask]=255.255.255.0 [GW]=Router_A_WAN_ADDR

Remote router B:
[IP_ADDR]=192.168.11.1 [Mask]=255.255.255.0 [GW]=Router_B_WAN_ADDR

OpenVPN client on router A:
[Mode]=TUN [Interface]=OVPN_A  [IPv4 Tunnel Network]=192.168.30.49/30

OpenVPN server on router B:
[Mode]=TUN [Interface]=OVPN_B [IPv4 Tunnel Network]=192.168.30.50/30

1. Establish an OpenVPN TUN tunnel between router A and B anyway. This is not the focus of this article.

2. Set a allow all rule for OVPN_B on router B

[Area]=OVPN_B
[Action]=Pass
[Interface]=OVPN_B
[Protocol]=Any
[Src]=any
[Dst]=any

3. Set an Outbound NAT on the firewall of router B

[Interface]=WAN
[Protocol]=Any
[Src]=192.168.0.0/24 (or any area you want)
[Dst]=any
[Translation addr]=Interface Address

4. Set a rule for routing traffic to OVPN_A on the LAN firewall table of router A

# Route all traffic of local machine X
[Area]=LAN
[Action]=Pass
[Interface]=LAN
[Protocol]=Any
[Src]=192.168.0.254
[Dst]=any
[Gateway]=OVPN_A
# Route specific destnation IP traffic
[Area]=LAN
[Action]=Pass
[Interface]=LAN
[Protocol]=Any
[Src]=any
[Dst]=192.168.11.1 (example)
[Gateway]=OVPN_A

Result: (Tested on local machine X)

> tracert 192.168.11.1

Tracing route to 192.168.11.1 over a maximum of 30 hops

1 20 ms 20 ms 20 ms 192.168.30.49
2 30 ms 30 ms 30 ms 192.168.11.1

Trace complete.

Use Doxygen to generate documents and diagrams or graphs for your source code

1. apt install required paackages

$ sudo apt update
$ sudo apt install doxygen dia graphviz

2. generate the Doxyfile

$ cd [SOME_PATH]
$ doxygen -g

3. edit the Doxyfile

OUTPUT_DIRECTORY = [YOUR_OUTPUT_DIRECTORY]
INPUT = [YOUR_SOURCE_CODE]
RECURSIVE = YES
EXTRACT_ALL = YES
EXTRACT_PRIVATE = YES
EXTRACT_STATIC = YES
CLASS_DIAGRAMS = YES
DIA_PATH = /usr/bin/dia
HAVE_DOT = YES
CLASS_GRAPH = YES
COLLABORATION_GRAPH = YES

4. run doxygen

$ doxygen [YOUR_Doxyfile]

5. result examlple

Note: How to reverse proxy with socat

socat tcp-listen:[LISTENING PORT],fork,reuseaddr tcp-connect:[TARGET ADDRESS]:[TARGET PORT]

Note: Add swap file to ubuntu

Check swap file

# swapon -s

Create swap file

# dd if=/dev/zero of=/swap.img bs=1G count=8

Set swap file right

chmod 600 /swap.img

Check swap file right

# ll /swap.img

Format swap file

# mkswap /swap.img

Activate swap file

# swapon /swap.img

Deactivate swap file

# swapoff /swap.img

Check swap

# swapon -s
# free -h

Auto mount swap fs

# echo "/swap.img none swap sw 0 0" >> /etc/fstab

Note: How to use rsync without SSH

Server config: /etc/rsyncd.conf

uid = www-data
gid = www-data
max connections = 4
use chroot = no
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
#hosts allow = 0.0.0.0
#hosts deny = 192.168.100.0/24
 
[rsync]
path = /var/www/html
comment = rsync
auth users = rsync
ignore errors
read only = yes
list = yes
auth users = rsync
secrets file = /etc/rsyncd.pwd

Secret: /etc/rsyncd.pwd

rsync:rsync

Server run:

$ rsync --daemon --config=/etc/rsyncd.conf

Client connect:

$ rsync --list-only -rsh=rsh --port=873 [email protected]_TARGET_ADDRESS::rsync

Note: How to reverse proxy a Minecraft server with Nginx

Check your kernel version >= 4.9

uname -a

Enable BBR

sysctl -w net.core.default_qdisc=fq
sysctl -w net.ipv4.tcp_congestion_control=bbr
sysctl -w net.ipv4.tcp_notsent_lowat=16384
sysctl -p

Add stream config to /etc/nginx/nginx.conf

stream {
include /etc/nginx/tcp.d/*.conf;
}

Create a new config for Minecraft server

upstream [YOUR_MINECRAFT_SERVER] {
server [YOUR_MINECRAFT_SERVER]:[PORT];
}
server {
listen [PORT];
proxy_pass [YOUR_MINECRAFT_SERVER];
 
}

Test Nginx config

nginx -t

Reload Nginx

nginx -s reload

Optional: Add DNS SRV record

Name     _minecraft._tcp.[YOUR_MINECRAFT_SERVER].tld
Priority [0-65535]
Weight   [0-65535]
Port     [PORT]
Value    [YOUR_MINECRAFT_SERVER]