delete protocols igmp-snooping
Category: IT
The fastest way to fix HTTP assets that fail to load in an HTTPS page (mixed content)
Add the following line to the nginx server block, then reload nginx:
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
The directive tells the browser to rewrite every http:// subresource URL (scripts, stylesheets, images, fonts, iframes) to https:// before fetching it, so the mixed-content errors disappear without editing the HTML. Two caveats: every asset must actually be reachable over HTTPS, otherwise it simply fails to load, and an add_header inside a location block replaces, rather than extends, the add_header directives inherited from the server block, so put this line at the same level as any other headers you rely on.
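As an added example (not code from the original post): a small shell helper that lists the http:// subresources of a page, which is exactly the set of URLs the directive above will upgrade. Run it against your HTML and fetch each reported URL over https:// to confirm it exists before relying on the header. The sample page is constructed here and the element list is an assumption covering the common asset tags.

```shell
#!/bin/sh
# Added example, not code from the original post: list the http:// subresources
# in an HTML file, i.e. the URLs that upgrade-insecure-requests rewrites to https://
# before fetching. The sample page below is constructed for the demo.

Q="[\"']"   # either quote character around an attribute value

# Read HTML on stdin; print each distinct http:// URL found in the src/href of a
# tag that fetches a subresource. <a href> is excluded on purpose: links are
# navigations, and the directive does not upgrade navigations to other hosts.
# One tag per line is assumed (attributes split across lines are not matched).
find_mixed_content() {
    grep -oiE '<(img|script|link|iframe|source|audio|video|object|embed)[^>]*>' \
      | grep -oiE "(src|href)=${Q}http://[^\"']+" \
      | sed -E 's/^[^=]+=.//' \
      | sort -u
}

# Number of distinct mixed-content URLs in the file $1.
mixed_content_count() {
    find_mixed_content < "$1" | wc -l | tr -d ' '
}

# Constructed sample page (not a real site): two assets still on http://, one
# already on https://, and a plain link that must not be reported.
write_sample_page() {
    cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://static.example.com/logo.png" alt="logo">
<img src='http://static.example.com/logo.png' alt="same asset, single quotes">
<a href="http://example.org/">external link</a>
</body></html>
EOF
}

# Usage: ./mixed.sh page.html
if [ $# -ge 1 ]; then
    find_mixed_content < "$1"
fi
```

The duplicate logo reference collapses to one line, and the https:// script and the external link are not reported, so the output is the checklist of assets that need an HTTPS copy.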
Build a customized iPXE firmware and deploy a chain loading environment
As the number of devices in my network has grown, so has the maintenance workload. From time to time I need a rescue system such as WinPE or a Linux live CD, and mounting its boot image usually means using the vendor's management tool or out-of-band management (IPMI or a BMC). For a bare physical machine it may even mean burning a USB boot disk.
Preboot eXecution Environment (PXE) is a mechanism for booting a computer from its NIC, so the machine does not depend on a local storage device (such as a hard disk) or a locally installed operating system.
That led me to iPXE, an open-source PXE firmware. According to the iPXE wiki, building a customized firmware is simple:
sudo apt update
sudo apt install git gcc binutils make perl liblzma-dev mtools
git clone git://git.ipxe.org/ipxe.git
cd ipxe/src
make
I need chain loading, so I pass a few extra parameters to make, like this:
make bin/nm-undionly-20211002-1a.kpxe EMBED=nmboot.ipxe
make bin-x86_64-efi/nm-ipxe-20211002-1a.efi EMBED=nmboot.ipxe
Now I have both a legacy BIOS and a UEFI PXE firmware with my own chain loading script nmboot.ipxe embedded. The script is quite simple: it just chains to the entry point on my HTTP server.
#!ipxe
dhcp
chain http://172.16.0.11/pxe/ipxe/boot.php
The advantage is that the iPXE binary the NIC's PXE ROM has to fetch over TFTP (from the Next Server handed out by DHCP) stays as small as possible; everything else is loaded over HTTP, which is far faster than TFTP. Keep in mind that this chain is unauthenticated: anyone on the LAN who can spoof the DHCP or HTTP server can hand a booting machine an arbitrary image. If that matters in your environment, iPXE can chain over HTTPS with a CA embedded at build time (the TRUST= build option) and refuse unsigned images (imgtrust/imgverify).
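As an added example (not code from the original post) that goes a little beyond the three-line nmboot.ipxe above: a shell script that generates an embed script with DHCP retries, a fallback to the iPXE shell when the HTTP entry point is unreachable, and the MAC and serial passed to boot.php so the server can pick a per-host menu, then builds the same two targets as the post. The BOOT_URL default, the date-based output names and the ./ipxe checkout location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: write a more robust version of
# the embedded nmboot.ipxe and build the two images that embed it. BOOT_URL and the
# output file names are assumptions; the iPXE source tree is expected in ./ipxe as
# cloned in the post.
set -eu

BOOT_URL="${BOOT_URL:-http://172.16.0.11/pxe/ipxe/boot.php}"
STAMP="$(date +%Y%m%d)"

# Write the script to embed at path $1. iPXE script syntax: labels are ":name",
# "cmd && goto x ||" branches on success and swallows the failure, and ${...}
# expands iPXE settings at boot time (escaped below so the shell leaves them alone).
write_embed_script() {
    cat > "$1" <<EOF
#!ipxe
set attempts:int32 0
:dhcp
dhcp && goto chain ||
inc attempts
iseq \${attempts} 5 && goto fail ||
echo DHCP attempt \${attempts} failed, retrying
sleep 2
goto dhcp
:chain
chain --replace ${BOOT_URL}?mac=\${net0/mac}&serial=\${serial} || goto fail
:fail
echo Could not chain ${BOOT_URL}, dropping to the iPXE shell
shell
EOF
}

# Build the legacy BIOS (.kpxe) and x86_64 UEFI (.efi) images with $1 embedded:
# the same targets as the post, with today's date in the name.
build_ipxe() {
    [ -d ipxe/src ] || { echo "ipxe/src not found; clone git://git.ipxe.org/ipxe.git first" >&2; return 1; }
    cp "$1" ipxe/src/nmboot.ipxe
    ( cd ipxe/src \
        && make "bin/nm-undionly-${STAMP}.kpxe" EMBED=nmboot.ipxe \
        && make "bin-x86_64-efi/nm-ipxe-${STAMP}.efi" EMBED=nmboot.ipxe )
}

# Sanity check on a generated script: iPXE requires the "#!ipxe" shebang and
# the script must actually chain somewhere.
embed_script_ok() {
    [ "$(head -n 1 "$1")" = "#!ipxe" ] && grep -q '^chain ' "$1"
}

# Usage: ./build.sh   (writes nmboot.ipxe next to this script and builds both images)
if [ "${1:-}" = "build" ]; then
    write_embed_script nmboot.ipxe
    embed_script_ok nmboot.ipxe
    build_ipxe nmboot.ipxe
fi
```

The query string lets boot.php return different menus per host; if you do that, treat mac and serial as untrusted input on the server side, since any machine on the segment can send arbitrary values.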
My home lab uses pfSense as gateway and DHCP server; the DHCP configuration is quite simple.

The next step is just to prepare the files on the HTTP server. Refer here.


It’s done!
Provision a CAP-only SKU Aruba wireless AP to VC
I recently had a problem with my newly purchased Aruba AP-305: it could not be added to the Virtual Controller (VC). The fix came out of some research.
Firstly, use the following command to show the provisioning log:
show log provision
If you see something like “ADP info: CAP-only sku. Will set it as standalone mode“, the AP lacks a CCODE (country code) in its inventory. The fix is also simple.
1. Connect a serial cable to the console port of the AP.
2. Reset the AP.
3. Hit any key to break into the apboot > prompt.
4. Program the country code:
proginv system ccode CCODE-[CC]-[SHA1]
Replace [CC] with your AP's Restricted Regulatory Domain and [SHA1] with the SHA-1 hash of the string "[CC]-[SN]", where [SN] is the AP's serial number. Valid [CC] values:
US – Restricted Regulatory Domain – US
JP – Restricted Regulatory Domain – Japan
IL – Restricted Regulatory Domain – Israel
RW or UNRST – Rest of the World (Unrestricted)
For example: CCODE-RW-de6fdb363ff04c13ee261ec04fbb01bdd482d1cd
5. invent -w
6. dhcp (the AP needs an address to reach the TFTP server in the next steps)
7. setenv serverip [TFTP_Server_IP]
8. upgrade os 0 [ArubaInstant_Firmware]
9. upgrade os 1 [ArubaInstant_Firmware] (both OS partitions get the Instant image)
10. factory_reset
11. saveenv
12. reset
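As an added example (not from the post): compute the CCODE string and emit the full apboot command sequence above, so the hash is not typed by hand. It assumes the hash covers exactly the bytes of "[CC]-[SN]" with no trailing newline, as the post describes; the serial number and firmware file name in the usage are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: derive the CCODE string that the
# apboot "proginv system ccode" command expects and print the rest of the sequence.
# Assumption: the hash is SHA-1 over exactly "<CC>-<SN>" with no trailing newline.

# SHA-1 of the exact bytes of $1 as 40 lowercase hex digits; sha1sum or openssl.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha1 | sed 's/^.*= //'
    fi
}

# Build CCODE-<CC>-<sha1("<CC>-<SN>")>; CC must be one of the domains the post lists.
aruba_ccode() {
    cc="$1"; sn="$2"
    case "$cc" in
        US|JP|IL|RW|UNRST) ;;
        *) echo "unknown regulatory domain: $cc (use US, JP, IL, RW or UNRST)" >&2; return 1 ;;
    esac
    printf 'CCODE-%s-%s\n' "$cc" "$(sha1_hex "${cc}-${sn}")"
}

# Print the apboot commands from the post, ready to paste at the "apboot >" prompt.
# $1=CC $2=serial $3=TFTP server IP $4=Instant firmware file name on the TFTP server
apboot_commands() {
    cat <<EOF
proginv system ccode $(aruba_ccode "$1" "$2")
invent -w
dhcp
setenv serverip $3
upgrade os 0 $4
upgrade os 1 $4
factory_reset
saveenv
reset
EOF
}

# Usage: ./ccode.sh RW <serial> 172.16.0.11 ArubaInstant.img   (placeholder values)
if [ $# -eq 4 ]; then
    apboot_commands "$1" "$2" "$3" "$4"
fi
```

Double-check the serial against the label on the AP before programming: the inventory write in step 5 persists whatever hash you give it.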
Now it’s done.
Solution for pfSense refusing to resolve an A record that points to an intranet address
If a domain's A record points to a private (intranet) address and the pfSense DNS Resolver (Unbound) will not return it, the cause is Unbound's DNS rebinding protection: by default it strips RFC 1918 and other private addresses from answers received from upstream servers. Whitelist the zone by adding the following to the Custom options box of the DNS Resolver settings:
server:
private-domain: "example.com"
Only list zones you control; each private-domain entry removes rebinding protection for that zone and everything under it.
Solution for ESXi being unable to wget over HTTPS
Outbound connections from the ESXi shell are blocked by the host firewall unless the matching ruleset is enabled, so the quick fix is to drop the firewall for the duration of the download:
esxcli network firewall set --enabled false
wget https://example.com/folder/file -P /vmfs/volumes/datastore/folder
esxcli network firewall set --enabled true
Be aware that this briefly exposes every inbound service on the host as well; the narrower fix is to enable only the httpClient ruleset for the download and switch it back afterwards.
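As an added example (not from the post): a function for the ESXi shell that enables only the httpClient ruleset, runs the download, and restores the ruleset to whatever state it had before, instead of turning the whole firewall off. The ruleset-id httpClient and the esxcli syntax are the standard ESXi ones; the URL and datastore path are placeholders, and the esxcli table used to exercise the parser is a constructed sample, not output captured from a host.

```shell
#!/bin/sh
# Added example, not code from the original post: fetch over HTTPS on ESXi with only
# the httpClient ruleset opened, then put the ruleset back the way it was.
# URL and datastore path are placeholders; the sample table below is constructed.
set -u

# Parse "esxcli network firewall ruleset list" on stdin; print true/false for
# ruleset $1, exit 1 if the ruleset is not in the table.
ruleset_enabled() {
    awk -v name="$1" '$1 == name { print tolower($2); found=1 } END { if (!found) exit 1 }'
}

# Download $1 into directory $2 with httpClient enabled; restore the previous state
# afterwards and return wget's exit status.
esxi_fetch() {
    url="$1"; dest="$2"
    prev="$(esxcli network firewall ruleset list | ruleset_enabled httpClient)" || prev=false
    esxcli network firewall ruleset set --ruleset-id httpClient --enabled true
    wget "$url" -P "$dest"
    rc=$?
    esxcli network firewall ruleset set --ruleset-id httpClient --enabled "$prev"
    return $rc
}

# Constructed sample of the esxcli ruleset table (not captured from a real host),
# used to show what the parser reads.
sample_ruleset_table() {
    cat <<'EOF'
Name                    Enabled
----------------------  -------
sshServer               true
httpClient              false
dhcp                    true
EOF
}

# Usage on a host: ./fetch.sh https://example.com/folder/file /vmfs/volumes/datastore/folder
if [ $# -eq 2 ]; then
    esxi_fetch "$1" "$2"
fi
```

The previous state is read before anything changes, so on a host where httpClient was already enabled the function leaves it enabled rather than blindly switching it off at the end.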
Routing local traffic to a remote outbound with pfSense Firewall and OpenVPN
The purpose of this article is to let local machine X, behind local router A running pfSense, send its traffic out through the WAN gateway of remote router B, which also runs pfSense, over an OpenVPN tunnel between the two.
The lab environment
Local machine X:
[IP_ADDR]=192.168.0.254 [Mask]=255.255.255.0 [GW]=192.168.0.1
Local router A:
[IP_ADDR]=192.168.0.1 [Mask]=255.255.255.0 [GW]=Router_A_WAN_ADDR
Remote router B:
[IP_ADDR]=192.168.11.1 [Mask]=255.255.255.0 [GW]=Router_B_WAN_ADDR
OpenVPN client on router A:
[Mode]=TUN [Interface]=OVPN_A [IPv4 Tunnel Network]=192.168.30.49/30
OpenVPN server on router B:
[Mode]=TUN [Interface]=OVPN_B [IPv4 Tunnel Network]=192.168.30.50/30
1. Establish an OpenVPN TUN tunnel between routers A and B. How to do that is not the focus of this article.
2. Add an allow-all rule on the OVPN_B interface of router B (this also gives A's LAN full access to B's LAN; narrow the destination if you only need Internet egress):
[Area]=OVPN_B
[Action]=Pass
[Interface]=OVPN_B
[Protocol]=Any
[Src]=any
[Dst]=any
3. Add an Outbound NAT rule on the WAN of router B (Firewall > NAT > Outbound; this requires Hybrid or Manual outbound NAT mode), so that traffic arriving from A's LAN leaves with B's WAN address:
[Interface]=WAN
[Protocol]=Any
[Src]=192.168.0.0/24 (or any area you want)
[Dst]=any
[Translation addr]=Interface Address
4. Add policy-routing rules on the LAN tab of router A's firewall. Setting the Gateway field to OVPN_A sends matching traffic into the tunnel instead of out A's own WAN; these rules must sit above the default LAN allow rule, because pfSense applies the first matching rule.
# Route all traffic from local machine X
[Area]=LAN
[Action]=Pass
[Interface]=LAN
[Protocol]=Any
[Src]=192.168.0.254
[Dst]=any
[Gateway]=OVPN_A
# Route traffic to a specific destination IP
[Area]=LAN
[Action]=Pass
[Interface]=LAN
[Protocol]=Any
[Src]=any
[Dst]=192.168.11.1 (example)
[Gateway]=OVPN_A
Result: (Tested on local machine X)
> tracert 192.168.11.1
Tracing route to 192.168.11.1 over a maximum of 30 hops
1 20 ms 20 ms 20 ms 192.168.30.49
2 30 ms 30 ms 30 ms 192.168.11.1
Trace complete.
Use Doxygen to generate documentation and diagrams or graphs for your source code
1. Install the required packages
$ sudo apt update
$ sudo apt install doxygen dia graphviz
2. generate the Doxyfile
$ cd [SOME_PATH]
$ doxygen -g
3. edit the Doxyfile
OUTPUT_DIRECTORY = [YOUR_OUTPUT_DIRECTORY]
INPUT = [YOUR_SOURCE_CODE]
RECURSIVE = YES
EXTRACT_ALL = YES
EXTRACT_PRIVATE = YES
EXTRACT_STATIC = YES
CLASS_DIAGRAMS = YES
DIA_PATH = /usr/bin/dia
HAVE_DOT = YES
CLASS_GRAPH = YES
COLLABORATION_GRAPH = YES
4. Run doxygen with the edited file. HAVE_DOT with CLASS_GRAPH and COLLABORATION_GRAPH is what produces the inheritance and collaboration graphs through Graphviz; recent Doxygen releases have obsoleted CLASS_DIAGRAMS in favour of CLASS_GRAPH, so if doxygen warns about that tag, delete the line.
$ doxygen [YOUR_Doxyfile]
5. Result example

Note: how to reverse proxy (forward a TCP port) with socat
socat tcp-listen:[LISTENING PORT],fork,reuseaddr tcp-connect:[TARGET ADDRESS]:[TARGET PORT]
fork spawns a child per accepted connection and reuseaddr lets the listener restart while old connections linger in TIME_WAIT. As written the listener binds every interface, so whoever can reach [LISTENING PORT] reaches the target; add bind=[LOCAL ADDRESS] (127.0.0.1 for local-only use) and, if needed, range=[CIDR] on the listen side to limit who can connect.
Note: add a swap file to Ubuntu
Check current swap
# swapon -s
Create the swap file
# dd if=/dev/zero of=/swap.img bs=1G count=8
Restrict it to root (swapon warns about insecure permissions otherwise, and swap can hold pages containing secrets)
# chmod 600 /swap.img
Check the permissions
# ls -l /swap.img
Format the swap file
# mkswap /swap.img
Activate it
# swapon /swap.img
Deactivate it
# swapoff /swap.img
Check swap
# swapon -s
# free -h
Mount it at boot (run this once only; >> appends a duplicate entry each time)
# echo "/swap.img none swap sw 0 0" >> /etc/fstab
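As an added example (not from the post) that goes a little beyond it: the same procedure as a re-runnable script using fallocate (with dd as the fallback), 0600 permissions from the moment the file is created, and an fstab entry that is appended only once. The path /swap.img and size 8G are the post's values; swapon --show is the current form of swapon -s. Only the fstab handling is exercised below, on a temporary file; creating the swap file itself needs root.

```shell
#!/bin/sh
# Added example, not code from the original post: create and enable a swap file
# idempotently. Path and size come from the post; the size is assumed to end in G.
set -eu

# Append "<file> none swap sw 0 0" to the fstab at $2 unless a swap entry for $1 exists.
ensure_fstab_entry() {
    swapfile="$1"; fstab="$2"
    if ! awk -v f="$swapfile" '$1 == f && $3 == "swap" { found=1 } END { exit !found }' "$fstab"; then
        printf '%s none swap sw 0 0\n' "$swapfile" >> "$fstab"
    fi
}

# Number of swap entries for $1 in the fstab $2 (shows the append is not repeated).
fstab_swap_entries() {
    awk -v f="$1" '$1 == f && $3 == "swap" { n++ } END { print n+0 }' "$2"
}

# Create, secure, format and activate a swap file of size $2 (e.g. 8G) at $1; needs root.
make_swapfile() {
    swapfile="$1"; size="$2"
    if [ ! -e "$swapfile" ]; then
        # umask 077 in a subshell: the file is never world-readable, even briefly.
        ( umask 077
          fallocate -l "$size" "$swapfile" 2>/dev/null \
            || dd if=/dev/zero of="$swapfile" bs=1M count="$(( ${size%G} * 1024 ))" status=none )
        chmod 600 "$swapfile"
        mkswap "$swapfile"
    fi
    swapon "$swapfile" 2>/dev/null || true   # already active is fine
    ensure_fstab_entry "$swapfile" /etc/fstab
    swapon --show
}

# Usage: sudo ./swap.sh   (creates /swap.img of 8G as in the post)
if [ "${1:-}" = "create" ]; then
    make_swapfile /swap.img 8G
fi
```

Running the script twice leaves one fstab line and one active swap file, which is the property the plain >> in the note does not give you.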