Implementing VLANs in OpenWRT: Enhancing Network Security and Efficiency

OpenWRT is a powerful open-source replacement firmware for many home “appliance” routers that brings enterprise router features to home network hardware. One key feature it offers is the ability to implement Virtual LANs (VLANs), which allow you to segment your network into distinct virtual networks. I will guide you through the process of setting up VLANs in OpenWRT, with a focus on three use cases: isolating IoT devices, creating guest networks and isolating homelab networks.

Understanding VLANs

A VLAN is a logical grouping of network devices. By using VLANs, you can create isolated networks that operate as if they were physically separate, providing enhanced security and efficiency.

A VLAN uses an identifier called a “tag” to identify a virtual network. VLAN-aware devices can associate a tag with a specific physical port or wireless network and confine traffic carrying that tag to those ports/networks.

A port can also be configured as a “trunk” port, which can pass all traffic. This is useful when you want to extend multiple VLANs across devices, for example a backbone network connecting two ethernet segments.

Steps to Implement VLANs in OpenWRT

1. Accessing OpenWRT Web Interface

  1. Connect to your router’s web interface by entering its IP address in your web browser. Typically, this is 192.168.1.1. Hopefully you’ve changed yours.  :)
  2. Log in with your admin credentials.

2. Install VLAN Support

Navigate to System > Software and click on Update lists to ensure you have the latest package information. Then, search for and install the luci-proto-relay package. This package provides the necessary tools for configuring VLANs.

3. Configure VLANs

  1. Go to Network > Switch. Here, you will see a list of your router’s switch ports.
  2. Identify the port to which your LAN devices are connected. This is often labeled as ‘CPU’ or ‘WAN’.
  3. Click Edit next to the identified port.
  4. In the “VLAN” section, create a new VLAN by clicking Add.
  5. Assign a VLAN ID (e.g., 10 for IoT devices) and choose a CPU Port. The CPU port should be the same port you identified earlier.
  6. Click Save.
  7. Repeat steps 4-6 for additional VLANs, such as a guest network (e.g., VLAN ID 20).

4. Configure Interfaces

  1. Go to Network > Interfaces.
  2. Click Add new interface.
  3. Choose a name for the interface (e.g., IoT).
  4. Select the VLAN you created for IoT devices from the dropdown menu.
  5. Click Submit.
  6. Repeat steps 2-5 for each additional VLAN you want to create.

5. Configure DHCP (Optional)

If you want each VLAN to have its own DHCP server, go to Network > DHCP and DNS. Click Add to create a new DHCP server for each VLAN interface you created.
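The GUI steps above create the VLANs and their interfaces, but what actually keeps the IoT and guest VLANs away from the LAN is the firewall zone configuration in /etc/config/firewall. As an added example (not OpenWRT’s code or the author’s), this script parses a constructed sample of that file and reports any forwarding that lets the iot or guest zone reach anything other than wan:

```python
"""Audit an OpenWrt UCI firewall config for VLAN isolation.

Added example, not OpenWrt's or the author's code: parses the text of
/etc/config/firewall and reports any forwarding that lets the 'iot' or
'guest' zone (the VLAN 10 / VLAN 20 interfaces) reach anything but wan.
"""
import re

# Constructed sample of /etc/config/firewall once the 'iot' and 'guest'
# VLAN interfaces sit in their own zones (lan and wan zones abbreviated).
GOOD_FIREWALL = """
config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'iot'
	option dest 'wan'
config forwarding
	option src 'guest'
	option dest 'wan'
"""

# Same sample plus one forwarding that lets the IoT VLAN reach the LAN.
BAD_FIREWALL = GOOD_FIREWALL + "config forwarding\n\toption src 'iot'\n\toption dest 'lan'\n"

_SECTION = re.compile(r"^config\s+(\w+)(?:\s+'?(\w+)'?)?$")
_OPTION = re.compile(r"^(option|list)\s+(\w+)\s+'?([^']*)'?$")


def parse_uci(text):
    """Return [(section_type, {key: [values]})] for each 'config' block."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), {}))
        elif (m := _OPTION.match(line)) and sections:
            sections[-1][1].setdefault(m.group(2), []).append(m.group(3))
    return sections


def isolation_findings(text, isolated=("iot", "guest"), allowed=("wan",)):
    """Return a list of problems; an empty list means the VLANs are isolated."""
    sections = parse_uci(text)
    zones = {s["name"][0] for kind, s in sections if kind == "zone" and "name" in s}
    findings = [f"zone '{z}' is missing" for z in isolated if z not in zones]
    for kind, s in sections:
        if kind != "forwarding":
            continue
        src, dest = s.get("src", [""])[0], s.get("dest", [""])[0]
        # lan -> iot is fine (you reaching your devices); iot -> lan is not.
        if src in isolated and dest not in allowed:
            findings.append(f"forwarding {src} -> {dest} breaks isolation")
    return findings
```

Run it against the real file with `isolation_findings(open("/etc/config/firewall").read())` on the router; the sample also doubles as a reference for what the zones and forwardings should look like.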

Use Cases for VLANs

1. Isolating IoT Devices

IoT devices are notorious for their security vulnerabilities. My oven and my refrigerator both connect to a phone app which is mildly helpful and frighteningly connected. By placing them on a separate VLAN, you can isolate them from your main network, minimizing the risk of an IoT security exploit affecting your home network. Mine can talk to specific hosts/networks on the internet, but not to any of my internal hosts.

2. Guest Networks

Creating a guest network on a separate VLAN allows you to provide internet access to visitors while keeping them isolated from your private network. With my guest network, I’ve set an easy password and configured “client isolation”, meaning that a client on the guest network can’t access another guest, or my home network.

3. Homelabs

I have a VLAN set up for my homelab, so I can restrict my traffic from a test Active Directory environment, a test Linux environment and several home servers in their own virtual network, separating their traffic from my home streaming traffic.

Conclusion

Implementing VLANs in OpenWRT is a powerful way to enhance network security and efficiency. By segmenting your network into distinct virtual networks, you can isolate specific groups of devices and control their access. This is particularly useful for securing IoT devices and providing a secure guest network. With OpenWRT’s flexibility, you can tailor your network to meet your specific needs.

Posted on October 30th, 2023 in blog | No Comments »

WRT54G to WRT1900ACS: Empowering Networks with OpenWRT

What’s a WRT1900ACS?

The WRT1900ACS is a capable router from several years ago that is dirt cheap on the used market and has a ton of features that I like. With an alternative OS like OpenWRT or DD-WRT, you unlock new features that compare to a proper router.

I started running home networks on a Linksys WRT54G, an ancestor of the WRT1900ACS and a pioneering router that redefined home networking. Its open-source firmware became a playground for tech enthusiasts, setting the stage for a community-driven approach to router customization. I still keep one in storage for nostalgia’s sake.

The WRT1900ACS was released in 2015 but still holds its own in 2023. It is equipped with a 1.6 GHz dual-core processor, 512MB of RAM, and four antennas. I use it as a border router on a 600 Mbit cable circuit and it keeps up with multiple traffic streams.

This router has a USB 3.0/eSATA connection, a USB 2.0 connection and gigabit ethernet. I’ve used an external USB drive to act as shared storage for my LAN, and shared movies and music using the router’s built-in DLNA server.

One thing that attracted me to the WRT1900AC series of routers is dual firmware images. The router keeps a backup firmware image at all times. If the router crashes and doesn’t come fully up 3 times in a row, it’ll switch to the failover image. I keep the Linksys image on one side and OpenWRT on the other, so I can always go back if needed. If you want to go all-in, you’ll need to upgrade the firmware twice.

Under OpenWRT, I’m able to use enterprise-class networking tools with a friendly GUI. I’ve added network traffic monitoring, a Wireguard client and server, VLANs and a reverse proxy for my network.

If I were to compare the two, I’d say DD-WRT is a little easier to pick up, OpenWRT is more flexible. I’ve been focused more on OpenWRT of late, as I’m running a homelab and use it as a sandbox for ideas to use at work.

Installing OpenWRT

OpenWRT has detailed information about the router and installation instructions at https://openwrt.org/toh/linksys/wrt1900acs, but the process is pretty straightforward. You’ll use the Linksys stock firmware, go to the firmware upgrade section of the web admin tool, and upload the “Firmware OpenWRT Install” version. Mess up and brick your router? Turn it on, wait for the lights to come on, then turn it off. Repeat two more times to return to the failover image and try again.

Once you install OpenWRT there is a multitude of extensions and applications available. Be mindful of available disk space and memory when choosing applications to install!


Posted on October 30th, 2023 in blog | No Comments »

Water Lanterns

Posted on October 16th, 2023 in android, digital | No Comments »

Rome

A street shot from my trip to Italy, 2023

Posted on October 1st, 2023 in android, photo | No Comments »

A great tiny homelab server – with multiple expansion options!

I’ve been looking for low-power, small footprint homelab servers; servethehome.com’s YouTube channel has a great comparison of “tinyminimicro” servers – ultra-small form factor (USFF) desktops that make great mini servers.

I’ve run into problems with USFF servers only supporting 16GB of memory – it’s why I paid less for a desktop form factor server that supports 64GB of memory. It’s not a problem if you run multiple USFF desktops in a cluster, but I wanted to have one system supporting all of my workloads.

ServeTheHome reviews an HP Elite Mini 600 G9 that supports 96GB of RAM, 2 NVMe drives, and 10 Gb Ethernet in a low-power, quiet USFF form factor. Too much? He also creates a mid-level configuration with 2.5 Gb Ethernet, 48 GB RAM and smaller, cheaper storage.

Posted on July 3rd, 2023 in blog | No Comments »

Outlook opens emails next to weblinks in Microsoft Edge

I noticed this support article; first, Microsoft put up ads in the Start Menu, then offered to change your default browser. If you run Microsoft Edge as your default and change the browser, you get an “Are you sure” prompt you don’t get with any other browser.

Now, for your convenience, Outlook defaults to Edge.

Microsoft is always striving to improve and streamline our product experiences—offering a new way to use the classic Microsoft Outlook app on Windows and the Microsoft Edge web browser.

If you have a Microsoft 365 Personal or Family subscription, browser links from the Outlook app will open in Microsoft Edge by default, right alongside the email they’re from in the Microsoft Edge sidebar pane. This allows you to easily access, read, and respond to the message using your matching authenticated profile. No more disruptive switching—just your email and the web content you need to reference, in a single, side-by-side view.


[via Hacker News]

Posted on June 27th, 2023 in blog | No Comments »

Microsoft 365, Outlook and Tasks

Microsoft is changing the interface of Outlook in a way that will affect people who follow David Allen’s Getting Things Done system, or people who rely heavily on tracking tasks in Outlook.

Getting Things Done is a system that lets you capture information and tasks, take action by completing quick tasks, capturing the next actions required to complete the task, saving the information for future reference, or deleting the information if it serves no purpose.

The one, always available, tried-and-true tool for me has been Microsoft Outlook. Microsoft Outlook has a capable tasks interface that lets you prioritize, categorize and delegate tasks. David Allen even has a guide to set up Outlook to leverage GTD.

Microsoft bought Wunderlist, the creators of To-Do, in 2017. They shut down To-Do in 2019 and renamed it Microsoft ToDo, including it in Microsoft 365. Microsoft has had two competing task managers since then.

I’m a Microsoft 365 customer, and when I saw the option to check out new features in Outlook, I tried them out. What I saw was an interface that looked much like the Microsoft 365 Outlook web interface (which is good…) but no tasks folder (which is bad…). There’s a link on the sidebar that opens ToDo in a web browser instead of Outlook Tasks.

Apparently Microsoft decided which way to go with regards to tasks. In retrospect, the Android Outlook client not supporting Tasks makes sense. They may have been steering people to Microsoft ToDo and the standalone app.

Tasks show up in Microsoft ToDo under a separate Tasks folder, but the GTD setup is broken – you can’t sort by category. I’ll have to see if there’s a workaround from the GTD people when the changes roll out permanently.


Posted on June 26th, 2023 in blog | No Comments »

Upgrading to Proxmox VE 8

I’ve used Proxmox for two years in a homelab that serves as a sandbox for work projects, a testbed Active Directory network, and running home automation tools. It combines the familiarity of F/OSS tools like Debian Linux, QEMU, and KVM with a graphical interface that makes managing virtual servers easy, with a community-supported free tier and paid support models.

Changes in Proxmox VE 8:

  1. Updated Kernel and Linux Base: The underlying Debian base has been updated to Debian 12 (Bookworm).
  2. Container Improvements: Proxmox VE 8 introduces numerous improvements for container deployments. It now includes full support for Cgroupsv2, which offers more fine-grained resource management and isolation. Additionally, the LXC version has been upgraded to LXC 4.0, bringing performance optimizations and improved compatibility.
  3. Ceph and Storage: The Ceph storage cluster integration has been enhanced with new features, making it easier to deploy and manage distributed storage resources. Proxmox VE 8 includes an updated version of Ceph (Octopus) with improved performance, stability, and monitoring capabilities.
  4. Networking Enhancements: Network configuration has been simplified with the addition of a new Network Configuration panel in the web interface. It provides a centralized location to manage network interfaces, bridges, VLANs, and bonds, making it easier to configure and monitor network connectivity.
  5. Improved Backup and Restore: Proxmox VE 8 introduces significant improvements to its backup and restore functionality. The new backup mechanism is faster and more efficient, allowing for reduced backup times and optimized storage usage. The restore process has also been streamlined, simplifying the recovery of VMs and containers.
  6. Security and Authentication: Proxmox VE 8 introduces support for two-factor authentication (2FA), adding an extra layer of security to the management interface. It helps protect against unauthorized access and enhances the overall security posture of the Proxmox VE environment.

More information is available at the following link: https://www.proxmox.com/en/news/press-releases/proxmox-virtual-environment-8-0

Upgrading from Proxmox VE 7 to Proxmox VE 8:

I upgraded my home lab to Proxmox VE 8 in approximately an hour, with limited downtime. Most of the time spent was moving my production workloads from one server to another while the upgrade took place. I have a 2-node cluster. Two of my VMs I wanted to keep running and ensure they weren’t affected by the upgrade, so I moved them off of Server1 to Server2, upgraded Server1, moved the VMs back to Server1 and upgraded Server2.

One wrinkle I ran into was not being able to migrate the guest VMs back to Server1: I received a host key verification failure. Running the following command on each server resolved the issue:

/usr/bin/ssh -e none -o 'HostKeyAlias=server-b-name' root@server-b-ip-address /bin/true

Run this command on the server with the host alias and IP address of the OTHER server. The HostKeyAlias option makes ssh record the other node’s host key under that node name, which is the alias Proxmox uses when it opens the ssh session for a migration, so the next migration finds a matching known host entry.

Upgrading was simple. You can run the upgrade from the command line or the GUI. As with any upgrade, you’ll want to back up copies of any configuration files on your system. Backing up /etc and /var wouldn’t hurt.

From the command line:

  1. Run the pve7to8 command, looking for any errors/warnings in the output. I had one service that was stopped that I restarted before running the upgrade.
  2. Run apt update and apt upgrade to upgrade all of your 7.x packages to the latest versions.
  3. Run apt dist-upgrade to start the upgrade process.

During the upgrade, you’ll be asked whether or not you want to automatically stop/restart processes. Since I moved my production workloads to my other server, I selected Yes. If you’ve changed any configuration files that are being replaced, you’ll be asked to review changes, accept the new version or keep the old version. I opted to accept the new versions. At the end of the upgrade, you’ll want to reboot as soon as possible to use the new kernel.

From the GUI:

  1. Update Packages: First, update the Proxmox VE 7 installation to the latest available packages. Log in to the Proxmox web interface, navigate to the “Updates” section, and click on “Update” to install any available updates.
  2. Upgrade Repository: Switch the repository to the Proxmox VE 8 repository. In the web interface, go to “Datacenter” > “Updates” > “Release Channel” and select “proxmox-ve-release-8.x”.
  3. Perform Upgrade: Once the repository has been updated, go to the “Updates” section and click on “Check” to retrieve the latest Proxmox VE 8 updates. Afterward, click on “Upgrade” to initiate the upgrade process.
  4. Follow the wizard.

By combining robust virtualization, extensive hardware support, clustering, backup and ease of use, Proxmox has made a great virtualization platform for enterprise and home use. I’m very happy with the platform and the level of improvement I see in Proxmox.

Posted on June 25th, 2023 in blog | No Comments »

Chief Hotel Court

Posted on June 4th, 2023 in journal | No Comments »

Cirque

Posted on June 4th, 2023 in journal | No Comments »

Creating a Proxmox 3-node cluster using Zima board computers – 10 watts!

After I posted about wanting to make a 3-node high-availability cluster out of commodity USFF desktop PCs, I found this video outlining a 3-node Intel CPU cluster that runs on 10 watts of power! The cluster uses a SBC called a Zima Board that looks interesting: it’s got SATA and a PCI slot, and having an Intel CPU means fewer issues with cross-compiling to ARM and being able to run the same OS and binaries in my lab environment.

Posted on May 4th, 2023 in blog | No Comments »

CEPH and Proxmox VE

I’ve wanted to add high-availability to my Proxmox cluster, but I’ve got some work to do first.

CEPH is a distributed storage system that can be used as a storage backend in Proxmox VE. CEPH provides highly available and fault-tolerant storage by distributing data across multiple storage nodes in a cluster.

In Proxmox VE, CEPH can be used as a storage backend for virtual machine disks and containers. This allows for the creation of highly available and scalable virtualized environments that can easily scale up or down as needed.

With CEPH, VMs can auto-migrate on a server failure to provide high-availability.

It looks like CEPH wants 3 storage devices minimum to create a storage array. I’m considering upgrading to 3 USFF systems (see this link for lots of information about USFF desktops as servers). 3 i5 desktops with 16 GB of RAM and NVMe drives could make a nice, inexpensive cluster.

Why not use a NUC? The second-hand market is full of off-lease Dell, HP and Lenovo USFF desktops.

Posted on May 4th, 2023 in blog | No Comments »

Proxmox VE 7.4 released

Proxmox is an open-source bare metal virtualization system I use in my homelab. Proxmox supports clustering, high availability and backup using industry standard tools running on relatively mod-free Debian Linux, QEMU and KVM. It supports any hardware supported by Debian, which makes use in a lab environment practical. After running VMware’s vSphere and Nutanix CE and dealing with stringent hardware compatibility lists, I can appreciate a hypervisor that I can throw at any hardware I have in my collection.

Proxmox VE version 7.4 has been released and, as minor releases have gone, the upgrade from 7.3 to 7.4 went flawlessly, only requiring a reboot when convenient to load a new kernel. There are the usual upgrades to the kernel (now at 5.15), QEMU, KVM, and Ceph.

Proxmox VE’s UI now lets you sort guest resources by name, which makes organizing VMs much cleaner – even in a small homelab like mine, with a handful of Linux containers, a Docker host, and a small AD test environment.

There’s also a dark mode switch in the UI now, much handier than applying a mode setting that gets reset every time you reboot.

The open-source architectures riscv32 and riscv64 can be used for LXC containers. I’m interested in trying these out to expand my homelab to architectures other than i386 and x64.

If you’re thinking of installing (or upgrading) Proxmox, I’d recommend taking a look at my earlier posts, Proxmox First Steps and Proxmox Helper Scripts, for helpful tips on setup and streamlining ongoing maintenance of your Proxmox system.

Posted on March 24th, 2023 in blog | No Comments »

gordy’s camera straps

I’ve got a couple of these sturdy hand straps from https://gordyscamerastraps.com on a couple of my cameras and love the feel, the size, and being able to match strap and camera colors is pretty neat.

Posted on February 9th, 2023 in coolpix995 | No Comments »

Books

Posted on December 20th, 2022 in android, art | No Comments »

LEGO Detail

Posted on December 18th, 2022 in android, journal | No Comments »

Proxmox VE 7.3 released

Proxmox is an open-source bare metal virtualization system I use in my homelab. Based on Debian and QEMU, it supports a wide variety of hardware.

Proxmox VE version 7.3 has been released and the upgrade from 7.2 went without a hitch using apt. I’m looking into it now: there’s support for ZFS dRAID pools, an update to Ceph, and LXC looks to be updated to 5.0. I use LXC more than any of the clustering/storage tools, so I’m looking forward to seeing what’s new.

Posted on November 23rd, 2022 in blog | No Comments »

Proxmox First Steps

TechnoTim has a great homelab how-to channel on YouTube. This video shows all the steps he’d do when creating a Proxmox server for the first time. Setting update sources, reconfiguring storage, setting up networking and VLANs, updating ISOs, preparing for clustering, and more – all the things I wish I knew after my Proxmox server install was complete and before putting the system into production.

Posted on November 17th, 2022 in blog | 1 Comment »

Cheap Home Office Fix – HDMI audio with multiple PCs

Many people are working from home exclusively or a couple of days a week as part of a hybrid work environment. With a few tweaks, a home office can do double-duty nicely.

My home office has evolved recently, as I’ve written about previously. I have a desktop PC with a 34″ ultrawide monitor and work laptop with a 14″ screen. I want to use the big monitor for everything. I plugged my laptop directly into my monitor’s second HDMI port and bought a Logitech MX keyboard and mouse that pair with up to 3 devices. Now, I can use my desktop monitor, keyboard and mouse with either system.

Audio was the next challenge. I started with a pair of headphones on my work laptop and another on my home desktop, but had to switch back and forth, and deal with 2 sets of cables.

I bought a Jabra Elite 45h wireless headset. It’s noise isolating, has great battery life, good microphone performance without a boom microphone (I felt so 2000s before!) and it can sync to 2 different devices.

I bought a pair of Creative Pebble V2 desktop speakers mostly for looks and to streamline cabling – they’re USB-powered. I had them plugged into my desktop, but realized when switching audio devices that there was a listing for my monitor HDMI connector. I did some poking around behind my monitor and found a 3.5mm headphone jack. Plugged the speakers into my monitor and now I have room audio that plays with the active HDMI connection!

My printers have always been networked, so no office changes were needed to enable me to print from my work laptop.

My only non-shared peripheral is my trusty Logitech C920 webcam, which is many years old and hasn’t failed me yet, while providing good 1080p video of my office.

My next challenge? Office lighting.


Posted on August 28th, 2022 in blog | No Comments »

Sensorio @ Paso Robles

Sensorio light art at Paso Robles

Bruce Munro’s “Sensorio” exhibit, Paso Robles, CA

Posted on August 22nd, 2022 in android, art | No Comments »