How to show and clear DHCP bindings on the LAN Huawei VRP (Versatile routing platform) CLI

This is a quick reference guide for showing and clearing DHCP bindings on the Huawei VRP CLI.

1. display ip pool

The following command displays the DHCP bindings of a pool. How you select the pool depends on how DHCP is configured: DHCP can be configured either on an interface or globally, so the pool is addressed either by interface or by pool name.

Cisco equivalent: "sh ip dhcp binding".

display ip pool interface vlanif21 used

display ip pool name testdhcp used

[Huawei]display ip pool ?
   interface     Information of interface pool
   name          Pool name
   vpn-instance  Show IP pool bind the VPN-instance
   |             Matching output

display ip pool interface vlanif21 used  
   Pool-name      : vlanif21
   Pool-No        : 0
   Lease          : 1 Days 0 Hours 0 Minutes
   Domain-name    : -
   DNS-server0    : 8.8.8.8         
   DNS-server1    : 8.8.8.4         
   NBNS-server0   : -               
   Netbios-type   : -               
   Position       : Interface       Status           : Unlocked
   Gateway-0      : 192.168.1.254   
   Mask           : 255.255.255.0
   VPN instance   : --
 
      Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 
  192.168.1.1   192.168.1.254   253     1        252(0)         0        0
 
 Network section : 
 
 Index              IP               MAC      Lease   Status  
 
 252   192.168.1.253    5489-9877-235d      78724   Used
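As an added example (not part of the original post), the shell functions below parse the "display ip pool ... used" output above into one line per used binding, and then compare those MACs against an allow-list so that unexpected DHCP clients on the LAN stand out before you decide what to reset. The sample output is a constructed copy of the format shown above with one extra binding added; the allow-list format (one MAC per line in VRP xxxx-xxxx-xxxx notation) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post: extract used DHCP bindings from
# Huawei VRP "display ip pool ... used" output and flag MACs that are not on
# an allow-list (one MAC per line, VRP xxxx-xxxx-xxxx notation; assumed format).

# Constructed sample in the format shown above (only the lines that matter;
# the second binding row is invented for the demonstration).
vrp_sample_pool_output() {
    cat <<'EOF'
   Pool-name      : vlanif21
   Pool-No        : 0
      Start           End     Total  Used  Idle(Expired)  Conflict  Disable
  192.168.1.1   192.168.1.254   253     2        251(0)         0        0
 Network section :
 Index              IP               MAC      Lease   Status
 252   192.168.1.253    5489-9877-235d      78724   Used
 250   192.168.1.251    00e0-fc12-3456      12000   Used
EOF
}

# stdin: display output -> "IP MAC LEASE" for every entry whose Status is Used.
# Binding rows are the only lines that start with a numeric index and carry a
# dotted-quad IP plus a VRP-style MAC, so header and totals rows are skipped.
vrp_pool_bindings() {
    awk '$1 ~ /^[0-9]+$/ &&
         $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
         $3 ~ /^[0-9a-f]+-[0-9a-f]+-[0-9a-f]+$/ &&
         $5 == "Used" { print $2, $3, $4 }'
}

# $1: allow-list file; stdin: output of vrp_pool_bindings.
# Prints "IP MAC" for every binding whose MAC is not in the allow-list.
vrp_unexpected_clients() {
    awk -v allow="$1" '
        BEGIN { while ((getline line < allow) > 0) if (line != "") ok[tolower(line)] = 1 }
        !(tolower($2) in ok) { print $1, $2 }'
}

# Usage on a real device (output copied from the terminal into a file):
#   vrp_pool_bindings < vlanif21.txt | vrp_unexpected_clients known-macs.txt
```

Any line printed by vrp_unexpected_clients is a client that obtained a lease but is not in your inventory; that is the binding to look at (and, if warranted, to reset with the command in the next step) rather than clearing the whole pool.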

2. Reset ip pool

Cisco equivalent: "clear ip dhcp binding".

reset ip pool interface vlanif21 ?
   X.X.X.X   Start IP address
   all       All IP address
   conflict  Conflict IP address
   expired   Expired IP address
   used      Used IP address

Or by pool name:

reset ip pool ?
   interface  Interface pool
   name       Pool name

Thank you for reading – please feel free to leave a comment

How to install GNS3-Server on Ubuntu 20.04

This is a quick reference guide on how to install GNS3-Server on Ubuntu 20.04.

1. Install GNS3-Server

1.1 Update and add GNS3 repository

sudo apt-get update
sudo add-apt-repository ppa:gns3/ppa

1.2 Install GNS3-Server and GNS3-GUI

sudo apt-get install gns3-server gns3-gui

2. Create configuration File

Create the file gns3_server.conf in the directory /root/.config/GNS3/2.2/

cd /root/.config/GNS3/2.2/
nano gns3_server.conf

Paste the following configuration

[Server]
; IP where the server listen for connections
host = 0.0.0.0
; HTTP port for controlling the servers
port = 3080

; Option to enable SSL encryption
ssl = False
certfile=/home/gns3/.config/GNS3/ssl/server.cert
certkey=/home/gns3/.config/GNS3/ssl/server.key

; Path where devices images are stored
images_path = /home/gns3/GNS3/images

; Path where user projects are stored
projects_path = /home/gns3/GNS3/projects

; Path where user appliances are stored
appliances_path = /home/gns3/GNS3/appliances

; Path where custom device symbols are stored
symbols_path = /home/gns3/GNS3/symbols

; Option to automatically send crash reports to the GNS3 team
report_errors = True

; First console port of the range allocated to devices
console_start_port_range = 5000
; Last console port of the range allocated to devices
console_end_port_range = 10000

; First VNC console port of the range allocated to devices.
; The value MUST BE >= 5900 and <= 65535
vnc_console_start_port_range = 5900
; Last VNC console port of the range allocated to devices.
; The value MUST BE >= 5900 and <= 65535
vnc_console_end_port_range = 10000

; First port of the range allocated for inter-device communication. Two ports are allocated per link.
udp_start_port_range = 20000
; Last port of the range allocated for inter-device communication. Two ports are allocated per link
udp_end_port_range = 30000

; uBridge executable location, default: search in PATH
;ubridge_path = ubridge

; Option to enable HTTP authentication.
auth = False
; Username for HTTP authentication.
user = gns3
; Password for HTTP authentication.
password = gns3

; Only allow these interfaces to be used by GNS3, for the Cloud node for example (Linux/OSX only)
; Do not forget to allow virbr0 in order for the NAT node to work
allowed_interfaces = eth0,eth1,virbr0

; Specify the NAT interface to be used by the NAT node
; Default is virbr0 on Linux (requires libvirt) and vmnet8 for other platforms (requires VMware)
default_nat_interface = vmnet10

[VPCS]
; VPCS executable location, default: search in PATH
;vpcs_path = vpcs

[Dynamips]
; Enable auxiliary console ports on IOS routers
allocate_aux_console_ports = False
mmap_support = True
; Dynamips executable path, default: search in PATH
;dynamips_path = dynamips
sparse_memory_support = True
ghost_ios_support = True

[IOU]
; Path of your .iourc file. If not provided, the file is searched in $HOME/.iourc
iourc_path = /home/gns3/.iourc
; Validate if the iourc license file is correct. If you turn this off and your licence is invalid IOU will not start and no errors will be shown.
license_check = True

[Qemu]
; !! Remember to add the gns3 user to the KVM group, otherwise you will not have read / write permissions to /dev/kvm !! (Linux only, has priority over enable_hardware_acceleration)
enable_kvm = False
; Require KVM to be installed in order to start VMs (Linux only, has priority over require_hardware_acceleration)
require_kvm = False
; Enable hardware acceleration (all platforms)
enable_hardware_acceleration = True
; Require hardware acceleration in order to start VMs (all platforms)
require_hardware_acceleration = False
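Before starting the server it is worth noticing what the configuration above does: host = 0.0.0.0 binds every interface, auth = False turns HTTP authentication off, and the GNS3 API can start VMs and containers on the host. The shell functions below are an added example (not part of the original post or of GNS3) that read the [Server] section of a gns3_server.conf and report those exposures; the sample config they write is constructed to mirror the settings above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from GNS3: audit the [Server]
# section of a gns3_server.conf for settings that expose the server. With
# host = 0.0.0.0 and auth = False, anyone who can reach port 3080 can drive
# the API, which includes starting VMs and containers on the host.
# Usage: gns3_conf_audit /root/.config/GNS3/2.2/gns3_server.conf

# Print the value of key $2 from the [Server] section of file $1 (empty if unset).
# Lines starting with ';' are comments, as in the sample config.
gns3_conf_get() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[Server]"); next }
        insec && $0 !~ /^[ \t]*;/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Constructed sample mirroring the settings used above.
# $1 = path to write, $2 = auth value, $3 = password value.
gns3_conf_write_sample() {
    cat > "$1" <<EOF
[Server]
; IP where the server listen for connections
host = 0.0.0.0
port = 3080
ssl = False
auth = $2
user = gns3
password = $3

[Qemu]
enable_kvm = False
EOF
}

# Returns 0 when there is no exposure finding, 1 otherwise; one line per finding.
gns3_conf_audit() {
    f="$1"; rc=0
    host=$(gns3_conf_get "$f" host)
    auth=$(gns3_conf_get "$f" auth)
    pass=$(gns3_conf_get "$f" password)
    ssl=$(gns3_conf_get "$f" ssl)
    # Listening on every interface is only acceptable with authentication on.
    case "$host" in
        0.0.0.0|::)
            [ "$auth" = "True" ] || { echo "FINDING: host=$host listens on all interfaces with auth=${auth:-False}"; rc=1; } ;;
    esac
    # The sample config ships with the well-known credentials gns3/gns3.
    [ "$pass" != "gns3" ] || { echo "FINDING: password is the well-known default 'gns3'"; rc=1; }
    # Not a failure, but worth knowing: with ssl off the HTTP credentials cross the network in clear.
    [ "$ssl" = "True" ] || echo "NOTE: ssl=${ssl:-False}; HTTP credentials are sent in clear text"
    return $rc
}
```

If you only ever connect the GUI from the same machine, the simplest fix is host = 127.0.0.1; if the GUI runs elsewhere, set auth = True with a non-default password and ssl = True, and restrict port 3080 at the firewall to the client's address.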

3. Start GNS3-Server

Simply type gns3server in your home directory to run the application.

gns3server

The following example shows that GNS3 has started and is working. Make sure that the server and the client are on the same version, otherwise the client will not be able to connect to the GNS3-Server.

root@ur-buntub:~# gns3server
2021-02-11 20:06:12 INFO run.py:219 GNS3 server version 2.2.17
2021-02-11 20:06:12 INFO run.py:221 Copyright (c) 2007-2021 GNS3 Technologies Inc.
2021-02-11 20:06:12 INFO run.py:224 Config file /root/.config/GNS3/2.2/gns3_server.conf loaded
2021-02-11 20:06:12 INFO run.py:243 Running with Python 3.8.5 and has PID 8822
2021-02-11 20:06:12 INFO run.py:79 Current locale is en_US.UTF-8
2021-02-11 20:06:13 INFO web_server.py:318 Starting server on 0.0.0.0:3080
2021-02-11 20:06:13 INFO __init__.py:62 Load controller configuration file /root/.config/GNS3/2.2/gns3_controller.conf
2021-02-11 20:06:13 INFO __init__.py:66 Controller is starting
2021-02-11 20:06:13 INFO compute.py:64 Create compute local
2021-02-11 20:06:13 INFO compute.py:364 Connecting to compute 'local'
2021-02-11 20:06:13 INFO web_log.py:233 127.0.0.1 [11/Feb/2021:20:06:13 +0000] "GET /v2/compute/capabilities HTTP/1.1" 200 552 "-" "Python/3.8 aiohttp/3.6.2"
2021-02-11 20:06:13 INFO notification_handler.py:50 New client has connected to compute WebSocket
2021-02-11 20:06:13 INFO compute.py:434 Connected to compute 'local' WebSocket 'http://127.0.0.1:3080/v2/compute/notifications/ws'
^C2021-02-11 20:06:23 WARNING web_server.py:170 Server has got signal SIGINT, exiting...
2021-02-11 20:06:23 INFO web_server.py:113 Closing 1 websocket connections...
2021-02-11 20:06:23 INFO compute.py:460 Connection closed to compute 'local' WebSocket 'http://127.0.0.1:3080/v2/compute/notifications/ws'
2021-02-11 20:06:23 INFO notification_handler.py:59 Client has disconnected from compute WebSocket
2021-02-11 20:06:23 INFO __init__.py:130 Controller is stopping

4. Configure GNS3 Client

Click Edit and then Preferences

Thank you for reading – please do not hesitate to leave a comment if you have any questions.

How to configure a static IP address on Ubuntu 20.04 CLI

This is a quick reference guide on how to configure a static IP address on Ubuntu 20.04.

1. Check interfaces by typing ifconfig -a

root@VPS:~# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.0.102  netmask 255.255.255.0  broadcast 10.10.0.255
        inet6 fe80::7ff:fe59:9a16  prefixlen 64  scopeid 0x20<link>
        ether 02:00:07:59:9a:16  txqueuelen 1000  (Ethernet)
        RX packets 226  bytes 23624 (23.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 95  bytes 14736 (14.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2  bytes 78 (78.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 78 (78.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

You will need to specify the interface that you would like to statically assign an IP address to. In this scenario the interface is eth0.

2. Create a yaml file in /etc/netplan

Use nano to create and edit files; if it is not installed, run the following command.

apt-get install nano

Create a yaml file under /etc/netplan – I have used network_config.yaml as my file name.

root@VPS:~# cd /etc/netplan/
root@VPS:/etc/netplan# nano network_config.yaml

Enter the following into the network_config.yaml file using nano. Make sure you change the interface to the one from your ifconfig -a output (the interface you would like to configure the static IP on). My interface in this scenario is eth0.

You will also need to specify your default gateway and your DNS servers. These are configured under the gateway4 and nameservers keys respectively.

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 10.0.125.10/24
      gateway4: 10.0.125.254
      nameservers:
          search: [mydomain, otherdomain]
          addresses: [10.10.0.1, 1.1.1.1]

3. Apply Netplan

root@VPS:/etc/netplan# sudo netplan apply

4. Check that you have received an IP address on the interface you have specified by running ifconfig.

root@VPS:/etc/netplan# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.0.102  netmask 255.255.255.0  broadcast 10.10.0.255
        inet6 fe80::7ff:fe59:9a16  prefixlen 64  scopeid 0x20<link>
        ether 02:00:07:59:9a:16  txqueuelen 1000  (Ethernet)
        RX packets 770  bytes 77688 (77.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 271  bytes 38562 (38.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2  bytes 78 (78.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 78 (78.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Thank you for reading and please feel free to leave any feedback.

How to remove a user from 2FA Google authentication on Ubuntu 20.04

This is a quick reference guide on how to remove a user from Google 2FA authentication on Ubuntu 20.04

Simply remove the file .google_authenticator from the user's home directory:

root@VPS:~# rm /home/vpsuser/.google_authenticator

Removing root from 2FA authentication works the same way, from root's home directory:

root@VPS:~# rm .google_authenticator

Thank you for reading and please feel free to leave any feedback.

How to configure 2FA authentication using Google authenticator on Ubuntu 20.04 CLI.

This is a quick reference guide on how to configure 2FA authentication using Google authenticator on Ubuntu 20.04.

WARNING: Please be extremely cautious when configuring this as you could potentially lock yourself out of your system if mis-configured.

In this guide I will create a separate user for 2FA authentication and leave root as password authentication only.

1. Create a new user

root@testssh:/etc/ssh# adduser authtest

2. Edit /etc/ssh/sshd_config

root@testssh:/etc/ssh# nano /etc/ssh/sshd_config

Change ChallengeResponseAuthentication to yes

3. Install Google Authenticator

root@testssh:/etc/ssh# apt-get update
root@testssh:/etc/ssh# apt-get install libpam-google-authenticator

4. Change to user and run Google Authenticator

IMPORTANT: Only run this command in the user account that you would like to authenticate using 2FA Authentication.

root@testssh:/etc/ssh# su authtest
authtest@testssh:/etc/ssh$ google-authenticator

Once you have run the google-authenticator command and answered its questions about your preferences, it prints the secret information you need to set up the token that generates your OTP.

If by accident you run this command in the wrong user account, revert it by deleting the file from that user's home directory with the following command.

rm /home/authtest/.google_authenticator

To remove it from root:

root@VPS:~# rm .google_authenticator

5. Change back to root and edit /etc/pam.d/common-auth

authtest@testssh:/etc/ssh$ exit
exit
root@testssh:/etc/ssh# nano /etc/pam.d/common-auth

Add the following line to the bottom of the file:

auth required pam_google_authenticator.so nullok

6. Restart sshd

root@testssh:/etc/ssh# service sshd restart
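Because the WARNING at the top of this guide is real (a mis-ordered step locks you out of SSH), here is an added pre-flight check to run before the sshd restart. It is not part of the original post; it reads the two files the post edits and the 2FA user's home directory, all passed as arguments so the check can also be run against copies. It also makes explicit what nullok in the PAM line does: without it, every account that has no .google_authenticator file (root, in this setup) is refused once sshd restarts. The function name and argument order are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check to run BEFORE
# "service sshd restart", so a mis-ordered step does not lock you out.
# Usage: twofa_preflight SSHD_CONFIG PAM_COMMON_AUTH HOME_OF_2FA_USER
#   e.g. twofa_preflight /etc/ssh/sshd_config /etc/pam.d/common-auth /home/authtest
# Returns 0 when every check passes, 1 otherwise; prints one line per problem.

twofa_preflight() {
    sshd_cfg="$1"; pam_file="$2"; user_home="$3"; rc=0

    # sshd must accept keyboard-interactive (challenge/response) logins,
    # otherwise PAM never gets the chance to ask for the OTP.
    # Commented-out lines start with '#', so they do not match this pattern.
    if ! grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes' "$sshd_cfg"; then
        echo "FAIL: ChallengeResponseAuthentication is not 'yes' in $sshd_cfg"; rc=1
    fi
    # sshd must still use PAM, or the common-auth line is never evaluated.
    if grep -Eq '^[[:space:]]*UsePAM[[:space:]]+no' "$sshd_cfg"; then
        echo "FAIL: UsePAM is 'no' in $sshd_cfg"; rc=1
    fi
    # The module line from the post must be present (with or without nullok).
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_file"; then
        echo "FAIL: pam_google_authenticator.so line missing from $pam_file"; rc=1
    fi
    # Without nullok, every account that has no secret file (root, in this
    # setup) is refused as soon as sshd restarts.
    if ! grep -Eq 'pam_google_authenticator\.so.*nullok' "$pam_file"; then
        echo "WARN: no 'nullok': accounts without a .google_authenticator file will be refused"
    fi
    # The 2FA user needs a secret file that only they can read; the module
    # refuses a secret readable by group or others.
    secret="$user_home/.google_authenticator"
    if [ ! -f "$secret" ]; then
        echo "FAIL: $secret is missing (was google-authenticator run as that user?)"; rc=1
    else
        case "$(stat -c %a "$secret")" in
            400|600) ;;
            *) echo "FAIL: $secret must not be group/world readable (chmod 400)"; rc=1 ;;
        esac
    fi
    return $rc
}
```

Run it as root right before the restart, and keep the second session from step 7 open regardless: a failing check tells you what to fix, a passing one does not replace the live test.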

7. Test Authentication

At this point I would open a duplicate PuTTY window and test that root still has password authentication.

To test the 2FA authentication: you will be prompted for your password and then for the OTP generated by your Google Authenticator app.

Thank you for reading and please feel free to leave any feedback.

How to perform throughput testing using iPerf3 on Ubuntu 20.04 CLI

This is a detailed guide on how to perform throughput testing using iPerf3 on Linux-based operating systems.

1. Install iPerf3

You will need to have iPerf3 installed on both endpoints. iPerf3 works using a client and server model.

apt install iperf3

2. iPerf3 Server

Once installed, one endpoint needs to listen for iPerf3 traffic. By default it listens on port 5201.

2.1 iperf3 -s

This command will start the iPerf3 server.

root@FTP:/etc/conf.d# iperf3 -s
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------

2.2 iperf3 -s -p

This will specify which port to listen on. You will need to ensure that this is specified on both client and server.

root@FTP:/etc/conf.d# iperf3 -s -p 5002
-----------------------------------------------------------
Server listening on 5002
-----------------------------------------------------------

3. iPerf3 Client

Command examples:

Replace 10.0.x.x with the server IP address.

iperf3 -c 10.0.x.x -t 5 -l 1000k
iperf3 -c 10.0.x.x -t 5 -l 1000k -w 2.5m
iperf3 -c 10.0.x.x -t 5 -l 1000k -w 2.5m -P 5
iperf3 -c 10.0.x.x -t 60 -l 1000k -w 2.5m -P 5
iperf3 -c 10.0.x.x -t 60 -l 1000k -w 2.5m -P 10 
iperf3 -c 10.0.x.x -t 5 -l 1000k -R
-t, --time n        The time in seconds to transmit for. iPerf3 normally works by repeatedly sending an array of len bytes for time seconds. Default is 10 seconds.
-l, --length n[KM]  The length of buffers to read or write. iPerf3 works by writing an array of len bytes a number of times. Default is 128 KB for TCP, 8 KB for UDP.
-w, --window n[KM]  Sets the socket buffer sizes to the specified value. For TCP, this sets the TCP window size (this gets sent to the server and used on that side too).
-R, --reverse       Run in reverse mode (server sends, client receives).

4. Testing using Wondershaper (Traffic Shaper)

You can install Wondershaper to shape the bandwidth of the client's or the server's interface.

4.1 Install Wondershaper

apt install wondershaper

IMPORTANT: The following installation creates the directory where the traffic shaping configuration goes.

cd bin
git clone https://github.com/magnific0/wondershaper.git
cd wondershaper
make install

4.2 Edit /etc/conf.d/wondershaper.conf

nano /etc/conf.d/wondershaper.conf

Example configuration:

You will need to specify which interface and what the bandwidth is restricted to in kbps.

[wondershaper]
# Adapter
#
IFACE="eth0"

# Download rate in Kbps
#
DSPEED="10240"

# Upload rate in Kbps
#
USPEED="10240"

4.3 Restart Wondershaper

service wondershaper restart

5. iPerf Before and after Wondershaper.

root@FTP:~# iperf3 -c 10.0.125.14
Connecting to host 10.0.125.14, port 5201
[  4] local 10.0.125.11 port 38860 connected to 10.0.125.14 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec   115 MBytes   968 Mbits/sec    0   3.03 MBytes
[  4]   1.00-2.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   2.00-3.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   3.00-4.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   4.00-5.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   5.00-6.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   6.00-7.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   7.00-8.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   8.00-9.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   9.00-10.00  sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  1.10 GBytes   942 Mbits/sec    0             sender
[  4]   0.00-10.00  sec  1.09 GBytes   939 Mbits/sec                  receiver

iperf Done.
root@FTP:~# service wondershaper start
root@FTP:~# iperf3 -c 10.0.125.14
Connecting to host 10.0.125.14, port 5201
[  4] local 10.0.125.11 port 38864 connected to 10.0.125.14 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  1.71 MBytes  14.3 Mbits/sec    0    102 KBytes
[  4]   1.00-2.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   2.00-3.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   3.00-4.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   4.00-5.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   5.00-6.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   6.00-7.00   sec  1.06 MBytes  8.86 Mbits/sec    0    102 KBytes
[  4]   7.00-8.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   8.00-9.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   9.00-10.00  sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  11.7 MBytes  9.83 Mbits/sec    0             sender
[  4]   0.00-10.00  sec  11.1 MBytes  9.31 Mbits/sec                  receiver

iperf Done.
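To compare the before and after runs in a script rather than by eye, the following added example (not from the original post) parses the summary lines of an iperf3 client transcript into a rate in Mbits/sec and the sender-side retransmit count. The sample transcripts are constructed copies of the summary lines above, plus a constructed multi-stream (-P) run with a [SUM] line; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: pull the summary figures out of an
# iperf3 client transcript so before/after-shaping numbers can be compared in a
# script. Feed a transcript on stdin, e.g.:
#   iperf3 -c 10.0.125.14 | tee before.txt | iperf3_rate_mbps sender

# Constructed samples: the summary lines of the runs shown above.
iperf3_sample_before() {
    cat <<'EOF'
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  1.10 GBytes   942 Mbits/sec    0             sender
[  4]   0.00-10.00  sec  1.09 GBytes   939 Mbits/sec                  receiver
EOF
}
iperf3_sample_after() {
    cat <<'EOF'
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  11.7 MBytes  9.83 Mbits/sec    0             sender
[  4]   0.00-10.00  sec  11.1 MBytes  9.31 Mbits/sec                  receiver
EOF
}
# Constructed -P 2 run: per-stream summaries followed by the [SUM] lines.
iperf3_sample_parallel() {
    cat <<'EOF'
[  5]   0.00-10.00  sec   628 MBytes   527 Mbits/sec    2             sender
[  5]   0.00-10.00  sec   626 MBytes   525 Mbits/sec                  receiver
[  7]   0.00-10.00  sec   623 MBytes   523 Mbits/sec    1             sender
[  7]   0.00-10.00  sec   621 MBytes   521 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec  1.22 GBytes  1.05 Gbits/sec    3             sender
[SUM]   0.00-10.00  sec  1.22 GBytes  1.05 Gbits/sec                  receiver
EOF
}

# stdin: transcript; $1: sender|receiver. Prints the summary rate normalised to
# Mbits/sec. The last matching line wins, so on a -P run the [SUM] line is used
# rather than an individual stream. The unit field is located by name because
# the column offsets differ between "[  4]" and "[SUM]" lines.
iperf3_rate_mbps() {
    awk -v which="$1" '
        $NF == which {
            for (i = 1; i <= NF; i++) if ($i ~ /bits\/sec$/) break
            rate = $(i - 1) + 0
            if ($i ~ /^Gbits/) rate *= 1000
            else if ($i ~ /^Kbits/) rate /= 1000
            else if ($i ~ /^bits/) rate /= 1000000
            last = rate; found = 1
        }
        END { if (found) printf "%.2f\n", last }'
}

# stdin: transcript. Prints the sender-side retransmit count (Retr column),
# the first thing to look at when a shaped link performs worse than its rate.
iperf3_sender_retr() {
    awk '$NF == "sender" {
            for (i = 1; i <= NF; i++) if ($i ~ /bits\/sec$/) break
            last = $(i + 1); found = 1
         }
         END { if (found) print last }'
}

# $1: rate before shaping, $2: rate after (both Mbits/sec). Percentage left.
iperf3_throughput_left_pct() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", 100 * b / a }'
}
```

Applied to the two runs above, the sender rate drops from 942.00 to 9.83 Mbits/sec, about 1.0 % of the unshaped throughput, which is what a 10240 kbps DSPEED/USPEED cap should produce; a figure well below the cap with a non-zero Retr column would instead point at packet loss on the path.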

Thank you for reading and please feel free to leave any feedback.

How to shape traffic using Wondershaper on Ubuntu 20.04 CLI

This is a quick reference guide on how to shape traffic using Wondershaper on Linux-based operating systems.

1. Install Wondershaper

apt install wondershaper

IMPORTANT: The following installation creates the directory where the traffic shaping configuration goes.

cd bin
git clone https://github.com/magnific0/wondershaper.git
cd wondershaper
make install

2. Edit /etc/conf.d/wondershaper.conf

nano /etc/conf.d/wondershaper.conf

Example configuration:

You will need to specify which interface and what the bandwidth is restricted to in kbps.

[wondershaper]
# Adapter
#
IFACE="eth0"

# Download rate in Kbps
#
DSPEED="10240"

# Upload rate in Kbps
#
USPEED="10240"

3. Restart Wondershaper

service wondershaper restart

4. iPerf Before and after Wondershaper.

root@FTP:~# iperf3 -c 10.0.125.14
Connecting to host 10.0.125.14, port 5201
[  4] local 10.0.125.11 port 38860 connected to 10.0.125.14 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec   115 MBytes   968 Mbits/sec    0   3.03 MBytes
[  4]   1.00-2.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   2.00-3.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   3.00-4.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   4.00-5.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   5.00-6.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   6.00-7.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   7.00-8.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   8.00-9.00   sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
[  4]   9.00-10.00  sec   112 MBytes   939 Mbits/sec    0   3.03 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  1.10 GBytes   942 Mbits/sec    0             sender
[  4]   0.00-10.00  sec  1.09 GBytes   939 Mbits/sec                  receiver

iperf Done.
root@FTP:~# service wondershaper start
root@FTP:~# iperf3 -c 10.0.125.14
Connecting to host 10.0.125.14, port 5201
[  4] local 10.0.125.11 port 38864 connected to 10.0.125.14 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  1.71 MBytes  14.3 Mbits/sec    0    102 KBytes
[  4]   1.00-2.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   2.00-3.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   3.00-4.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   4.00-5.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   5.00-6.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   6.00-7.00   sec  1.06 MBytes  8.86 Mbits/sec    0    102 KBytes
[  4]   7.00-8.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   8.00-9.00   sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
[  4]   9.00-10.00  sec  1.12 MBytes  9.38 Mbits/sec    0    102 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  11.7 MBytes  9.83 Mbits/sec    0             sender
[  4]   0.00-10.00  sec  11.1 MBytes  9.31 Mbits/sec                  receiver

iperf Done.

Thank you for reading and please feel free to leave any feedback.

How to add a static route on Ubuntu 20.04 CLI

This is a quick reference guide on how to add a persistent static route on Ubuntu 20.04.

1. Edit yaml file in /etc/netplan

At this point you should already have a netplan yaml file created either for dhcp or a statically assigned interface IP address.

root@VPS2:~# cd /etc/netplan/
root@VPS2:/etc/netplan# ls
network_config.yaml
root@VPS2:/etc/netplan# nano network_config.yaml

2. Define routes in yaml file.

IMPORTANT: Indentation matters in YAML. Every key must sit in the correct column, otherwise the configuration will not take. You should be able to copy, edit and paste the configuration example below and it will place the configuration correctly in your file.

The example below shows me pointing all traffic destined for 10.1.1.0/24 to go via 192.168.1.2.

network:
    version: 2
    renderer: networkd
    ethernets:
        eth0:
            addresses:
                - 192.168.1.100/24
            gateway4: 192.168.1.1
            nameservers:
                addresses:
                - 8.8.8.8
                search:
                - mydomain.net
            routes:
                    - to: 10.1.1.0/24
                      via: 192.168.1.2
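As an added example that serves both the static address guide above and this static route guide (it is not part of either post), the shell function below generates the netplan YAML from parameters and validates every address before anything is written, since a bad address or gateway only shows up after netplan apply has already reconfigured the interface. The function names, the argument order and the DEST=NEXTHOP route syntax are conventions of this example.

```shell
#!/bin/sh
# Added example, not part of the original posts: generate a netplan YAML for a
# static address plus optional static routes, validating the inputs first.
# Usage: netplan_static IFACE ADDRESS/PREFIX GATEWAY "DNS1 DNS2" [DEST/PREFIX=NEXTHOP ...]
#   e.g. netplan_static eth0 192.168.1.100/24 192.168.1.1 8.8.8.8 10.1.1.0/24=192.168.1.2

# 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# 0 when $1 is ADDRESS/PREFIX with a prefix length of 0..32.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    p="${1#*/}"
    echo "$p" | grep -Eq '^[0-9]{1,2}$' && [ "$p" -le 32 ]
}

netplan_static() {
    iface="$1"; cidr="$2"; gw="$3"; dns="$4"; shift 4
    # Refuse to emit anything if a single value is malformed.
    is_cidr "$cidr" || { echo "bad address: $cidr" >&2; return 1; }
    is_ipv4 "$gw"   || { echo "bad gateway: $gw" >&2; return 1; }
    for d in $dns; do
        is_ipv4 "$d" || { echo "bad nameserver: $d" >&2; return 1; }
    done
    for r in "$@"; do
        is_cidr "${r%=*}" && is_ipv4 "${r#*=}" || { echo "bad route: $r" >&2; return 1; }
    done
    dnslist=$(echo $dns | sed 's/ /, /g')
    # Two-space indentation throughout, the layout the posts rely on.
    cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    $iface:
      addresses:
        - $cidr
      gateway4: $gw
      nameservers:
        addresses: [$dnslist]
EOF
    [ $# -gt 0 ] || return 0
    echo "      routes:"
    for r in "$@"; do
        echo "        - to: ${r%=*}"
        echo "          via: ${r#*=}"
    done
}
```

Write the output to /etc/netplan/network_config.yaml and, on a remote machine, prefer netplan try over netplan apply: netplan try reverts the change automatically if you do not confirm it within its timeout, so a wrong gateway does not cost you the session. Newer netplan releases deprecate gateway4 in favour of a default route (to: default, via: ...); on Ubuntu 20.04 gateway4 still works as shown in the posts.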

3. Apply Netplan

root@VPS2:/etc/netplan# netplan apply

4. Check that the route is in the routing table using "route -n"

root@VPS2:/etc/netplan# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Thank you for reading and please feel free to leave any feedback.

How to configure DHCP over IPSEC Dialup VPN using a Fortigate and Ubuntu DHCP server.

This is a detailed guide on how to configure DHCP over IPSEC Dialup VPN using a Fortigate and Ubuntu DHCP server.

1. Configure Ubuntu DHCP Server

1.1 Install ISC-DHCP

sudo apt-get install isc-dhcp-server -y

1.2 Configure DHCP Server

1.2.1 Check listening interface

Take note of the name of the interface that will be listening for DHCP requests, as well as its IP network address.

root@dhcp-server:~# ifconfig
ens18: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.60.0.1  netmask 255.255.255.0  broadcast 10.60.0.255
        inet6 fe80::7ca8:39ff:fe64:268  prefixlen 64  scopeid 0x20<link>
        ether 7e:a8:39:64:02:68  txqueuelen 1000  (Ethernet)
        RX packets 726  bytes 835486 (835.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 362  bytes 42915 (42.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

1.2.2 Assign interface to listen for DHCP requests

Add the interface to the file /etc/default/isc-dhcp-server: scroll down to INTERFACESv4="" and add your interface as in the example below.

root@dhcp-server:~# nano /etc/default/isc-dhcp-server
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid

# Additional options to start dhcpd with.
#       Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="ens18"
INTERFACESv6=""

1.2.3 Configure /etc/dhcp/dhcpd.conf

You first need to configure a DHCP scope for the subnet of the listening interface, even if you are not going to serve IP addresses to that subnet; if there is no scope for the listening interface, the DHCP service will not start. In the example below the scope covers only the existing interface IP address (range 10.60.0.1 10.60.0.1;).

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#

# option definitions common to all supported networks...

subnet 10.60.0.0 netmask 255.255.255.0 {
   authoritative;
   range 10.60.0.1 10.60.0.1;
   default-lease-time 3600;
   max-lease-time 3600;
   option subnet-mask 255.255.255.0;
   option broadcast-address 10.60.0.255;
   option routers 10.60.0.1;
   option domain-name-servers 8.8.8.8;
   option domain-name "example.com";
}

Next you configure the IPSEC DHCP range beneath the above configuration.

# Subnet of client machines
subnet 192.168.50.0 netmask 255.255.255.0 {
        range dynamic-bootp             192.168.50.10 192.168.50.100;
        option subnet-mask              255.255.255.0;
        default-lease-time              21600;
        max-lease-time                  43200;
        option domain-name-servers      8.8.8.8, 8.8.8.4;
        option routers                  192.168.50.1;
        option broadcast-address        192.168.50.255;
        filename "pxelinux.0";
        allow unknown-clients;
}
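dhcpd refuses to start on a syntax error, but it will happily hand out a broadcast address or a router that does not belong to the subnet, and the only symptom is clients that cannot reach anything. The shell functions below are an added example (not from the original post) that parse the subnet blocks of a dhcpd.conf and check that broadcast-address, routers and range agree with the subnet/netmask. The embedded sample is constructed and deliberately carries a broadcast address from the wrong network; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: lint the subnet blocks of a
# dhcpd.conf for option values that do not belong to the declared subnet.
# Usage: dhcpd_lint /etc/dhcp/dhcpd.conf   (returns 1 and prints findings)

# Dotted quad -> integer and back, using only POSIX shell arithmetic.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# 0 when address $1 lies inside subnet $2 with netmask $3.
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}

# stdin: dhcpd.conf -> one line per subnet block:
#   "subnet netmask broadcast routers range_lo range_hi" ("-" when not set)
dhcpd_subnets() {
    awk '
        $1 == "subnet" && $3 == "netmask" { s = $2; m = $4; b = r = lo = hi = "-"; next }
        s != "" && $1 == "option" && $2 == "broadcast-address" { b = $3; sub(/;$/, "", b) }
        s != "" && $1 == "option" && $2 == "routers" { r = $3; sub(/,?;?$/, "", r) }
        s != "" && $1 == "range" {
            lo = $2; hi = $3
            if (lo == "dynamic-bootp") { lo = $3; hi = $4 }
            sub(/;$/, "", hi)
        }
        s != "" && $1 == "}" { print s, m, b, r, lo, hi; s = "" }'
}

# Constructed sample in the layout used above. The broadcast address of the
# first subnet is wrong on purpose (10.0.0.255 inside 10.60.0.0/24).
dhcpd_sample_conf() {
    cat <<'EOF'
subnet 10.60.0.0 netmask 255.255.255.0 {
   authoritative;
   range 10.60.0.1 10.60.0.1;
   option subnet-mask 255.255.255.0;
   option broadcast-address 10.0.0.255;
   option routers 10.60.0.1;
}
# Subnet of client machines
subnet 192.168.50.0 netmask 255.255.255.0 {
        range dynamic-bootp             192.168.50.10 192.168.50.100;
        option domain-name-servers      8.8.8.8, 8.8.8.4;
        option routers                  192.168.50.1;
        option broadcast-address        192.168.50.255;
}
EOF
}

dhcpd_lint() {
    findings=$(dhcpd_subnets < "$1" | while read -r s m b r lo hi; do
        want=$(int2ip $(( $(ip2int "$s") | (~$(ip2int "$m") & 4294967295) )))
        [ "$b" = "-" ] || [ "$b" = "$want" ] || echo "$s/$m: broadcast-address $b should be $want"
        [ "$r" = "-" ] || in_subnet "$r" "$s" "$m" || echo "$s/$m: routers $r is outside the subnet"
        [ "$lo" = "-" ] || { in_subnet "$lo" "$s" "$m" && in_subnet "$hi" "$s" "$m"; } \
            || echo "$s/$m: range $lo-$hi is outside the subnet"
    done)
    [ -z "$findings" ] && return 0
    echo "$findings"
    return 1
}
```

Run dhcpd -t -cf /etc/dhcp/dhcpd.conf for the syntax check the daemon itself performs, then dhcpd_lint for the semantic one; neither replaces watching the first client lease in /var/lib/dhcp/dhcpd.leases.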
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)

1.2.4 Start the DHCP server

sudo service isc-dhcp-server restart
sudo service isc-dhcp-server start
sudo service isc-dhcp-server stop

2. Configure the Fortigate User and User Group

Depending on your setup you may be using remote authentication such as LDAP or Radius. In this scenario we will be using a local account.

2.1 Configure User Account

config user local
    edit "yourusername"
        set type password
        set passwd yourpasswordhere
    next
end

2.2 Configure user group and assign user

config user group
    edit "YOURVPNGROUP"
        set member "yourusername"
    next
end

3. Configure Fortigate Dialup IPSEC VPN

3.1 Configure VPN IPSEC phase 1

config vpn ipsec phase1-interface
    edit "YOURPHASE1NAME"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 5
        set xauthtype auto
        set authusrgrp "YOURVPNGROUP"
        set psksecret "YOURPSK"
        set dpd-retryinterval 60
    next
end

3.2 Configure VPN IPSEC phase 2

config vpn ipsec phase2-interface
    edit "YOURPHASE2NAME"
        set phase1name "YOURPHASE1NAME"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 5
        set dhcp-ipsec enable
    next
end

4. Configure Fortigate IPSEC interface to enable DHCP

Configure the IP address of the DHCP server (DHCP Relay IP address). You will also have to assign an IP address to the IPSEC interface so that the DHCP server can see the traffic leaving an interface of a particular network and assign the client an IP address from that respective subnet.

config system interface
    edit "YOURPHASE1NAME"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 192.168.50.1 255.255.255.255
        set type tunnel
        set snmp-index 9
        set dhcp-relay-ip "10.60.0.1"
        set dhcp-relay-type ipsec
        set interface "wan1"
    next
end

5. Configure Fortigate Firewall Policy

Please note: split tunnelling is configured on the VPN client, not on the firewall. The example below is without split tunnel, so the destination is both WAN (internet) and LAN (private network).

config firewall policy
    edit 7
        set name "IPSEC->LAN"
        set uuid b74553a4-4f47-51eb-47af-9d6c15bb5f15
        set srcintf "YOURPHASE1NAME"
        set dstintf "internal5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat disable
    next
    edit 8
        set name "VPN-WAN"
        set uuid f2837a40-4f6a-51eb-28e0-cad297096df6
        set srcintf "YOURPHASE1NAME"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end

6. Configure Forticlient

You can leave all the IPsec VPN negotiation settings at their defaults. You will need to add your connection name, Remote Gateway (public IP address of the Fortigate), Pre-Shared Key and Username. In addition, select the radio button for DHCP over IPsec. If you want internet traffic to leave locally rather than via the Fortigate, select Enable IPv4 Split Tunnel and add the networks that are to be routable over the VPN.

Thank you for reading – please do not hesitate to leave a comment if you have any questions.

Getting started with UFW (Uncomplicated Firewall) Ubuntu CLI

This is a quick reference guide about getting started with UFW (Uncomplicated Firewall) Ubuntu CLI

1. Check the status of the firewall

ufw status

root@FTP:~# ufw status
Status: inactive

IMPORTANT! Please see step 2 before enabling the firewall

root@FTP:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

ufw status verbose – gives more information about the firewall status.

root@FTP:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
2. Enabling ufw

2.1 CAUTION! Before enabling your firewall make sure that you have added a policy to allow SSH.

root@FTP:/etc/ufw# ufw  allow ssh
Rules updated
Rules updated (v6)

You can check this has been added in the following file: /etc/ufw/user.rules

nano /etc/ufw/user.rules


### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

2.2 ufw enable

ufw enable
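As an added example (not from the original post), the following wrapper refuses to run ufw enable unless user.rules already carries an ACCEPT rule for the port sshd actually listens on, which is the check behind the CAUTION in step 2.1, and catches the case where sshd has been moved off port 22 but ufw allow ssh was used. The file paths are arguments so the logic can be tested on copies, and the UFW_CMD variable lets a dry run substitute echo for ufw; both conventions are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: only run "ufw enable" when an
# ACCEPT rule for the sshd port is already present in user.rules.
# Usage: ufw_safe_enable [SSHD_CONFIG] [USER_RULES]
#   (defaults: /etc/ssh/sshd_config and /etc/ufw/user.rules)

# Port sshd listens on: first uncommented "Port N" line, default 22.
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# 0 when user.rules ($1) carries an ACCEPT rule for tcp/$2 on ufw-user-input.
# "ufw allow ssh" writes the line: -A ufw-user-input -p tcp --dport 22 -j ACCEPT
# A source-restricted rule ("-s 10.0.0.0/8 -p tcp --dport 22 ...") also matches;
# multiport rules (-m multiport --dports ...) do not, and count as "no rule".
ufw_ssh_rule_present() {
    grep -Eq "^-A ufw-user-input .*-p tcp .*--dport $2 .*-j ACCEPT" "$1"
}

ufw_safe_enable() {
    sshd_cfg="${1:-/etc/ssh/sshd_config}"; rules="${2:-/etc/ufw/user.rules}"
    port=$(sshd_port "$sshd_cfg")
    if ufw_ssh_rule_present "$rules" "$port"; then
        echo "ACCEPT rule for tcp/$port found in $rules; enabling"
        # UFW_CMD=echo gives a dry run; unset, the real ufw is called.
        ${UFW_CMD:-ufw} enable
    else
        echo "REFUSING: no ACCEPT rule for tcp/$port in $rules (run: ufw allow $port/tcp)" >&2
        return 1
    fi
}
```

Because ufw enable can prompt about disrupting existing SSH connections, keep a second session open the first time you run this on a remote host, exactly as the guide advises.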

3. Adding ufw rules

3.1 Basic ufw rule examples

The below rules will be from any source to a specific port on the local server.

root@FTP:~# ufw allow http
Rule added
Rule added (v6)
root@FTP:~# ufw allow https
Rule added
Rule added (v6)
root@FTP:~# ufw allow ftp
Rule added
Rule added (v6)
root@FTP:~# ufw allow tftp
Rule added
Rule added (v6)
root@FTP:~# ufw allow snmp
Rule added
Rule added (v6)
root@FTP:~# ufw allow sftp
Rule added
Rule added (v6)
root@FTP:~# ufw allow smtp
Rule added
Rule added (v6)
root@FTP:~# ufw allow 3389
Rule added
Rule added (v6)

3.2 Check ufw rules

root@FTP:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
69/udp                     ALLOW       Anywhere
161                        ALLOW       Anywhere
115/tcp                    ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
3389                       ALLOW       Anywhere

3.3 Source and destination specific ufw rules

root@FTP:~# ufw allow from 10.0.125.0/24 to any
Rule added
root@FTP:~# ufw allow from 10.0.130.0/24 to any  port sftp
Rule added
root@FTP:~# ufw status
Anywhere                   ALLOW       10.0.125.0/24
115/tcp                    ALLOW       10.0.130.0/24

4. Delete ufw rules

root@FTP:~# ufw delete allow https
Rule deleted
Rule deleted (v6)
root@FTP:~#

Thank you for reading and please feel free to leave any feedback.