I have two 4G LTE modems connected by Ethernet to a Raspberry Pi (let's say eth0 & eth1).
What I would like to do is use this Raspberry Pi to forward TCP traffic to a specific interface:
Open 127.0.0.1:3100 and use the eth0 interface
Open 127.0.0.1:3200 and use the eth1 interface
An application using a proxy through 127.0.0.1:3100 will have a different IP from the one using the proxy at 127.0.0.1:3200.
Can it be done? I tried with Squid & Dante, opening a SOCKS5 or HTTP proxy, but I couldn't successfully use one or the other connection, always the default.
I'm running a Pi4 with Raspbian for my home automation, and it's connected on both of its network interfaces: eth0 (ethernet) and wlan0 (wifi).
The wlan0 is connected to the network 10.10.10.0/24, which is the VLAN for management. This VLAN is configured on the Unifi EdgeRouter X and UAP-AC-Lite access point. If only wlan0 is active (i.e. I only use the wifi on the Pi), the Pi should be able to see devices on the other VLANs, for example 10.10.50.0/24 for IoT devices.
However, as the Pi is running the Unifi controller, I also need to connect it to the edge router's physical network 192.168.10.0/24 so I can manage the access point. This means eth0 is active, which somehow makes VLAN 10.10.50.0/24 inaccessible. If I disconnect the ethernet cable, 10.10.50.0/24 is accessible again.
My best guess is that if both interfaces are enabled, only one of them (eth0 in this case) will be used for the default routing. Is it possible to make both routes accessible, depending on the destination networks?
Never mind, I have found the answer: simply change the priority of the wifi network routing by adding metric 100 to the wlan0 section in dhcpcd.conf.
This setup should be based on Proxmox, sitting behind an OPNsense VM hosted on the Proxmox itself, which will protect Proxmox, offer a firewall, a private LAN and DHCP/DNS to the VMs, and offer an IPsec connection into the LAN to access all VMs/Proxmox which are not NATed.
The server is the typical Hetzner server, so only one NIC but multiple IPs and/or subnets on this NIC.
Proxmox server with 1 NIC (eth0)
3 public IPs; IP2/IP3 are routed by MAC in the datacenter (to eth0)
eth0 is PCI-passthroughed to the OPNsense KVM
A private network on vmbr30, 10.1.7.0/24
An IPsec mobile client connection (172.16.0.0/24) to the LAN
To better outline the setup, I created this [drawing][1] (not sure it's perfect, tell me what to improve):
Questions:
How to set up such a scenario using PCI passthrough instead of bridged mode?
Follow-ups
I) Why can I not access PROXMOX.2 but can access VMEXT.11 (ARP?)
II) Why do I need a from * to * IPSEC chain rule to get IPsec running? That is most probably a very much OPNsense-related question.
III) I tried to handle the 2 additional external IPs by adding virtual IPs in OPNsense, adding a 1:1 NAT to the internal LAN IP and opening the firewall for the ports needed (for each private LAN IP) - but I could not get it running yet. The question is, should each private IP have a separate MAC or not? What is specifically needed to get a multi-IP setup on WAN?
General high level perspective
Adding the pci-passthrough
A bit out of scope, but what you will need is
a serial console/LARA to the proxmox host.
a working LAN connection from opnsense (in my case vmbr30) to proxmox private (10.1.7.2) and vice versa. You will need this when you only have the tty console and need to reconfigure the opnsense interfaces to add em0 as the new WAN device.
You might have a working IPsec connection beforehand or open WAN ssh/gui for further configuration of opnsense after the passthrough.
In general it's this guide - in short:
vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on"
update-grub
vi /etc/modules
vfio
vfio_iommu_type1
vfio_pci
vfio_virqfd
Then reboot and ensure you have an IOMMU table:
find /sys/kernel/iommu_groups/ -type l
/sys/kernel/iommu_groups/0/devices/0000:00:00.0
/sys/kernel/iommu_groups/1/devices/0000:00:01.0
Now find your network card
lspci -nn
in my case
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection (2) I219-LM [8086:15b7] (rev 31)
After this command, you detach eth0 from proxmox and lose the network connection. Ensure you have a tty! Please replace "8086 15b7" and 00:1f.6 with your PCI ID and slot (see above).
echo "8086 15b7" > /sys/bus/pci/drivers/pci-stub/new_id && echo 0000:00:1f.6 > /sys/bus/pci/devices/0000:00:1f.6/driver/unbind && echo 0000:00:1f.6 > /sys/bus/pci/drivers/pci-stub/bind
Now edit your VM and add the PCI network card:
vim /etc/pve/qemu-server/100.conf
and add (replace 00:1f.6):
machine: q35
hostpci0: 00:1f.6
Boot opnsense, connect using ssh root@10.1.7.1 from your tty on the proxmox host, edit the interfaces, add em0 as your WAN interface and set it to DHCP - reboot your opnsense instance and it should be up again.
Add a serial console to your opnsense
In case you need a fast disaster recovery or your opnsense instance is borked, a CLI-based serial console is very handy, especially if you connect using LARA/iLO or whatever.
To get this done, edit
vim /etc/pve/qemu-server/100.conf
and add
serial0: socket
Now in your opnsense instance
vim /conf/config.xml
and add / change this
<secondaryconsole>serial</secondaryconsole>
<serialspeed>9600</serialspeed>
Be sure you replace the current serialspeed with 9600. Now reboot your opnsense VM and then
qm terminal 100
Press Enter again and you should see the login prompt
Hint: you can also set your primaryconsole to serial; it helps you get into boot prompts and more and debug that.
more on this under https://pve.proxmox.com/wiki/Serial_Terminal
Network interfaces on Proxmox
auto vmbr30
iface vmbr30 inet static
    # proxmox host side of the private LAN; 10.1.7.1 belongs to the OPNsense LAN interface
    address 10.1.7.2
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    pre-up sleep 2
    metric 1
OPNsense
WAN is External-IP1, attached em0 (eth0 pci-passthrough), DHCP
LAN is 10.1.7.1, attached to vmbr30
Multi IP Setup
Yet I only cover the extra-IP part, not the extra-subnet part. To be able to use the extra IPs, you have to disable separate MACs for each IP in the Robot, so all extra IPs have the same MAC (IP1, IP2, IP3).
Then, in OPN, for each external IP you add a Virtual IP in Firewall-VirtualIPs (for every extra IP, not the main IP you bound WAN to). Give each Virtual IP a good description, since it will be in the select box later.
Now you can go to Firewall->NAT->Forward and, for each port:
Destination: the ExtIP you want to forward from (IP2/IP3)
Dest port range: your ports to forward, like ssh
Redirect target IP: your LAN VM/IP to map on, like 10.1.7.52
Set the redirect port, like ssh
Now you have two options; the first one is considered better, but could be more maintenance.
For every domain you access the IP2/IP3 services with, you should define local DNS "overrides" mapping to the actual private IP. This will ensure that you can communicate from the inside to your services and avoids the issues you would have since you used NATing before.
Otherwise you need to care about NAT reflection - without it your LAN boxes will not be able to access the external IP2/IP3, which can lead to issues in web applications at least. Do this setup and activate outbound rules and NAT reflection:
What is working:
OPN can route/access the internet and has the right IP on WAN
OPN can access any client in the LAN (VMPRIV.151 and VMEXT.11 and PROXMOX.2)
I can connect with an IPsec mobile client to OPNsense, offering access to the LAN (10.1.7.0/24) from a virtual IP range 172.16.0.0/24
I can access 10.1.7.1 (opnsense) while connected with IPsec
I can access VMEXT using the IPsec client
I can forward ports or 1:1 NAT from the extra IP2/IP3 to specific private VMs
Bottom Line
This setup works out a lot better than the alternative with the bridged mode I described. There is no more async routing, there is no need for a shorewall on proxmox, no need for a complex bridge setup on proxmox, and it performs a lot better since we can use checksum offloading again.
Downsides
Disaster recovery
For disaster recovery, you need some more skills and tools. You need a LARA/iLO serial console to the proxmox HV (since you have no internet connection) and you will need to configure your opnsense instance to allow serial consoles as mentioned here, so you can access opnsense while you have no VNC connection at all and no SSH connection either (even from the local LAN, since the network could be broken). It works fairly well, but it needs to be trained once to be as fast as the alternatives.
Cluster
As far as I can see, this setup cannot be used in a Proxmox cluster environment. You can set up a cluster initially; I did so by using a tinc-switch setup locally on the proxmox HV using a separate cluster network. Setting up the first node is easy, no interruption. The second join needs to already be done in LARA/iLO mode, since you need to shut down and remove the VMs for the join (so the gateway will be down). You can do so by temporarily using the eth0 NIC for internet. But after you have joined and moved your VMs in again, you will not be able to start the VMs (and thus the gateway will not be started). You cannot start the VMs, since you have no quorum - and you have no quorum since you have no internet to join the cluster. So finally a chicken-and-egg issue I cannot see being overcome. If that should be handled, only by a KVM not being part of the proxmox VMs but rather standalone qemu - not desired by me right now.
I'm trying to connect my Raspberry Pi 3 model B to two different LAN networks at the same time. One is connected directly to the Raspberry and the other is connected to a USB-ethernet adapter.
Both work by themselves correctly; I can access e.g. Google through both of them. But when I attach both of them I cannot access the network connected to the adapter.
I found some instructions online on how to connect to two wifi networks, but these didn't really help.
In my network config file I have
auto eth0
iface eth0 inet manual
auto eth1
iface eth1 inet manual
Is there some setting to allow connections through both of them at the same time?
I need the secondary network (through the adapter) only for pinging this network. The other is used to ping another network and for other things.
EDIT:
To clarify the situation, I don't need internet access through either of them, but I do need to have access to two separate local networks. Both networks run with static IP addresses.
All I had to do was remove the default gateway for the other network. Having two default gateways caused the default gateway to be set to the default gateway of eth1.
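What that fix looks like in /etc/network/interfaces, added here as an example (not the poster's file; the addresses are made up): eth0 keeps the only gateway line, and eth1 gets a static address plus an explicit route to just the network it is used for, so the default route can only ever point out of eth0.

```conf
# eth0: the interface that owns the single default route
auto eth0
iface eth0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1        # the only "gateway" line in the file

# eth1: USB-ethernet adapter, reaches only its own subnet
auto eth1
iface eth1 inet static
    address 192.168.2.10
    netmask 255.255.255.0
    # no "gateway" here: a second one would compete for the default route.
    # the on-link route 192.168.2.0/24 is added automatically; if a further
    # subnet (made-up 192.168.3.0/24) sits behind 192.168.2.1, add it explicitly:
    post-up ip route add 192.168.3.0/24 via 192.168.2.1 dev eth1
    pre-down ip route del 192.168.3.0/24 via 192.168.2.1 dev eth1
```

After `ifup eth1`, `ip route` should show exactly one `default via ... dev eth0` line; a second default entry means a gateway line is still present for eth1.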
Folks,
I have an Ubuntu machine connected to the Internet through wireless (wlan0), and I am sharing this connection to my Ethernet port (eth1). Then I have this Ethernet port connected to a switch, and two Windows machines connected to the same switch. So the two Windows machines have a static IP on the LAN created by the route from wlan0 to eth1, and I can communicate with all 3 computers at the same time (this works, since I can ssh and remote access all 3 computers).
My problem is that when I run my LCM program (with TTL = 1) on my Windows PC, I cannot receive the messages on my Ubuntu machine (meaning that the message should pass through the Ethernet). How can I make sure the UDP messages can be routed back into my Ubuntu machine from the Windows machines while the wireless network is running?
This was my solution to the problem (right there on the LCM website):
sudo ifconfig eth1 multicast
sudo route add -net 224.0.0.0 netmask 240.0.0.0 dev eth1
Now all my UDP packets are routed only through eth1. And my shared network (from wlan0) is still intact after this. So all computers have internet at the same time. So great!
Currently, I'm successfully running a mosquitto broker, subscribing to topics and publishing messages with clients in a local network.
How can I communicate with another local network which is located at a different IP address?
Should I set up 2 mosquitto brokers, one for each local network?
The PC in the other local network needs to be accessible from the Internet, so if it is behind a firewall, you need to set a port forwarding rule in your router. The rule needs to forward the traffic from the public IP address to the internal LAN private IP address of your broker.
Remember that MQTT uses ports 1883 and 8883 (for SSL).
Because MQTT uses TCP connections, there is also a safe way to do this as follows:
A: private broker A behind a firewall.
B: private broker B behind another firewall.
C: cloud broker C on the internet.
Setup the bridge A to C in both directions. This must be configured on A. The safe tcp link to the internet will be created by A.
Setup the bridge B to C in both directions. This must be configured on B. The safe tcp link to the internet will be created by B.
This will create a much safer bridge and can be done even if you do not have control over the router or firewall.
This all depends on how your system needs to work, but you could use multiple brokers (one in each network) then create what is known as a bridge between the brokers.
This has the benefit that each network can continue to work independently of the others should there be a network outage.
Bridges also allow you to control which messages are shared between sites. Details of how to create a bridge are in the mosquitto.conf man page:
http://mosquitto.org/man/mosquitto-conf-5.html
But as Paolo says, you will need to set up port forwarding for port 1883/8883 on your router to expose the brokers to the internet.
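A mosquitto.conf sketch of the bridged layout the two answers above describe (private broker A dialling out to cloud broker C over TLS, with C refusing anonymous clients and keeping plain 1883 off the internet), added here as an example; it is not from either answer, and the hostname, certificate paths and credentials are placeholders.

```conf
# ---- site A: /etc/mosquitto/conf.d/bridge.conf (site B is the same with its own name) ----
# The bridge is an outbound TCP connection from A, so no inbound port is opened at A.
connection site-a-to-cloud
address broker-c.example.net:8883          # placeholder hostname of cloud broker C
bridge_cafile /etc/mosquitto/certs/ca.crt  # CA that signed C's server certificate
bridge_insecure false                      # verify C's hostname against its certificate
remote_clientid site-a
remote_username site-a
remote_password CHANGE-ME                  # placeholder; bridge_certfile/bridge_keyfile is the stronger option
cleansession false                         # keep subscriptions across reconnects
try_private true
start_type automatic
notifications true                         # publishes bridge up/down state to $SYS/broker/connection/...
# share only the chosen topics, prefixed per site so A and B never collide on C
topic sensors/# out 1 "" site-a/           # local sensors/x  -> remote site-a/sensors/x
topic commands/# in 1 "" site-a/           # remote site-a/commands/x -> local commands/x

# ---- cloud broker C: /etc/mosquitto/conf.d/listener.conf ----
# Plain MQTT stays on localhost; only the TLS listener is reachable from the internet.
listener 1883 127.0.0.1
listener 8883 0.0.0.0
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker-c.crt
keyfile /etc/mosquitto/certs/broker-c.key
allow_anonymous false
password_file /etc/mosquitto/passwd        # created with mosquitto_passwd, one entry per site
```

With both brokers restarted, C's log shows the bridge arriving as client site-a, and a subscriber on A to commands/# receives whatever C publishes under site-a/commands/.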
Here are the steps to allow public connections to MQTT server within private space (home)
allow port forwarding on your router
public port 1883 should be forwarded to private port 1883
IP Address to forward requests on this port should be of the IP address of MQTT server/PC in your home/private network
Update Mosquitto configuration to allow public listeners
add line listener 1883 0.0.0.0 under #listener port-number [ip address/host name]
This will allow requests from any source on 1883 port to be handled by your MQTT
Restart MQTT
I could successfully open up my MQTT server to public/internet traffic by following the above steps, after much trial and error with many different configuration changes.