Radovan Brezula

Author Archives: Radovan Brezula

Part1 – Monitoring Network Traffic with ntopng and nProbe

Ntopng is the next generation version of the original ntop, a network traffic probe that monitors network usage. It provides an intuitive, encrypted web user interface for the exploration of realtime and historical traffic information. ntopng comes in three versions: Community, Professional (Small Business Edition) and Enterprise. The Community version is free to use and open source. A physical NIC of the server can be monitored by specifying its interface name as

./ntopng -i eth0

However, we will use ntopng in flow collection mode along with nProbe which can act as probe/proxy. The communication between nProbe and ntopng takes place over ZeroMQ, a publish-subscribe protocol that allows ntopng to communicate with nProbe.

The ntopng Community version is installed on Ubuntu Server 18.04.1 with IP address 172.17.100.7/16. Ubuntu is running inside a VirtualBox VM. The IP address of the host (Asus k55vm) is 172.17.100.2/16. The host is connected to the SOHO router that functions as the gateway to the Internet, with the IP address 172.17.100.1/16. The network diagram is shown in Picture 1.

nProbe is installed on Raspberry Pi 3B with the IP address 172.17.100.50/16. Windows 7 Continue reading

Juniper vSRX 15.1X49 on QEMU

Recently, I have been quite busy running into some problems with deployment of Junos 15.1X49-D15.4 on a Qemu image. So, I want to make your life easier and share my quick installation steps with you.

1. Download vSRX VMware Appliance

Download the file media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.ova. The good news is that you do not need to enter a licence key after you download the image. The bad news is that you still need a valid contract with Juniper in order to download the file. Luckily, you can find the installation file flying somewhere on the Internet.

2. Extract Archive and OVA files

$ unrar e media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.rar
$ tar xvf media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.ova

3. Convert StreamOptimized Virtual Machine Disk to qcow2 Format

Details are explained in my original vSRX article.

$ qemu-img convert -O qcow2 media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4-disk1.vmdk media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4-disk1.img 

4. Hack Image To Support QEMU

Unfortunately, the vSRX 15.1 image boots to the “Wind River Linux 6.0.0.15” prompt but it would not launch the FreeBSD VM within the nested KVM instance. The workaround along with the detailed explanation of the issue is originally posted here.

$ /usr/local/bin/qemu-system-x86_64 -m 4192M Continue reading

Connecting RasPBX via SIP Trunk

The previous tutorial covered RasPBX installation on a Raspberry Pi 3 board. At the end of that tutorial we tested local calls between chan_sip extensions 1010 and 1020 that are registered to RasPBX. This time we will go further and connect RasPBX with another FreePBX VOIP system via a PJSIP trunk. The FreePBX is running on VirtualBox and it is in version 14 with Asterisk 13. As the last step of the tutorial, we will test VOIP calls between RasPBX and FreePBX that are interconnected by the PJSIP trunk.

As we have mentioned, a complete RasPBX and Zoiper softphones installation and configuration is covered in a previous tutorial (except the SIP trunk). Also, the tutorial does not cover installation of FreePBX on a VirtualBox VM. So far, our inventory contains RasPBX and FreePBX with the following components.

RasPBX - Asterisk on Raspberry PI board:
- Asterisk 13.22.0
- FreePBX 14.0.3.13
- Zoiper softphone on Ubuntu 18.0.4, IP 172.17.100.2/16, ext. 1010
- Zoiper softphone on Android 5.1, IP 172.17.100.5/16, ext. 1020

FreePBX - Installed on VirtualBox VM
- Asterisk 13.19.1
- FreePBX 14.0.3.13
Continue reading

Check Point GAiA as Personal Firewall on Linux – Part2

This is the second part of the tutorial that aims to deploy Check Point Gaia as a personal firewall under Linux. Let's assume that we have created the underlying network infrastructure with the scripts create_taps.sh and bridge_interfaces.sh in Part 1. This part goes further and explains Gaia installation on a QEMU virtual machine (VM). We will use the same network topology depicted in Picture 1.1 of Part 1. Let's start with point 2.

Picture 1.1 Network Topology

2. Checkpoint Gaia Installation

First, we need to create an empty qcow2 VM disk with the qemu-img utility, as we want to install Gaia into this image.

$ /usr/local/bin/qemu-img create -f qcow2 checkpoint.img 100G

As we downloaded the Gaia ISO image in Part 1 of the tutorial, we can start the Check Point Gaia VM with the ISO attached to the QEMU CD-ROM.

$ sudo /usr/local/bin/qemu-system-x86_64 -m 4096M -enable-kvm -smp 2 \
-boot d -cdrom Check_Point_R80.10_T462_Gaia.iso checkpoint.img  \
-netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
-device e1000,netdev=net0,mac=00:11:22:33:44:00 \
-netdev tap,id=net1,ifname=tap1,script=no,downscript=no \
-device e1000,netdev=net1,mac=00:11:22:33:44:01 \
-netdev tap,id=net2,ifname=tap2,script=no,downscript=no \
-device e1000,netdev=net2,mac=00:11:22:33:44:02

Below are the configuration options.

Select:
- Install Gaia on this system
- Proceed with the installation
- Keyboard - US
- Partition Continue reading

Ubuntu 18.04 Overheating

Since the upgrade from Ubuntu 16.04 LTS to Ubuntu 18.04, my laptop (ASUS k55VM) is overheating and goes to critical temperature shutdown. The temperature varies between 70 and 85°C when doing nothing and then goes up to 95 when watching YouTube videos before shutdown. I have tried to clean the fans of dust and blacklisted the nouveau driver, but nothing helped. Finally, I have been successful in finding a workaround that is working for me. The issue here is the intel_pstate scaling driver, which does not reduce the processor speed when the temperature increases.

The driver is not modular and it is built into the kernel, so we cannot unload it. However, we can disable it at boot by editing the grub configuration. Firstly, check if your system is using the intel_pstate frequency scaling driver. If not, overheating is not caused by the intel_pstate driver and you need to figure out the cause by yourself.

$ cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_driver

intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate

Solution 1 - Disabling intel_pstate at Boot by Editing Grub Configuration

Open /etc/default/grub with an editor and locate the line that begins with:

GRUB_CMDLINE_LINUX_DEFAULT

Add intel_pstate=disable at the end of that string as below.

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash intel_pstate=disable"

Now, execute:

Update Continue reading

Check Point GAiA as Personal Firewall on Linux – Part1

Check Point GAiA is the next generation Secure Operating System for all Check Point appliances, open servers and virtualized gateways. In this tutorial we will create a network infrastructure which supports usage of a Gaia Qemu VM as a personal firewall on Ubuntu Linux. We will also go through the entire installation of Gaia on the Qemu VM. This firewall appliance can be used for up to 15 days, the period covered by a free trial Gaia license (no registration needed).

Hardware: Asus K55VM laptop:
- Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
- RAM - 2 x Kingston DDR3 8192MB,
- HDD - ST1000LM024 HN-M101MBB 1000GB

Hardware requirements:
- Gaia QEMU VM: RAM - 4096MB, HDD - 15GB
- Windows 7 QEMU VM: RAM 2048MB, HDD - 15 GB

Software:
Host - Kubuntu Linux 18.04.1 LTS with installed QEMU emulator version 3.0.0 and KVM module
Guest 1 - Checkpoint GAiA R80.10, OS build 462, OS kernel version 2.6.18-92cpx86_64
Guest 2 - Windows 7 Home Premium, x86 with installed Smart Console R80.10 Build 991140073

Credentials - username/password:
- Gaia web portal: admin/check123point
- Gaia expert mode: check123point
- Windows 7: no password Continue reading

VyOS 1.2.0 Epa2 Released

Finally, the VyOS 1.2 epa2 ISO live image is released to subscribers. VyOS is a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality.

Free subscription is available for contributors, nonprofits and educational and research institutions, and both long-time contributors. Everyone who contributed before the release model change gets a perpetual subscription; the amount of contributions doesn’t matter. After that, contributing within a given year will give us a yearly subscription. If you are not a subscriber you can still download the VyOS rolling release or build the ISO image from the source code.

You can use my Bash and Expect scripts to automate VyOS 1.2.0 installation to a VMware disk image. The scripts are available in the Script (1.1) section. Firstly, run the script deploy_vyos-1.2.0.sh and after the ISO image boots up, you can run the second script install_vyos-1.2.0.sh. You can run the image using a GNS3 project and test open-source routing.

Asterisk on Raspberry Pi

RasPBX is a project which brings the free and open source Asterisk and FreePBX to the Raspberry Pi board. RasPBX turns the Pi into a communications server which can be used by small businesses with up to 12 extensions. FreePBX is a web-based open source GUI that controls and manages Asterisk. Our goal is to show installation of the latest RasPBX on a Raspberry Pi 3 Model B Rev 1.2.

The latest image available for download includes Asterisk 13.20.0 and FreePBX 14.0.2.10.

1. Download, Extract and Copy RasPBX Image to SD Card

$ wget http://download.raspberry-asterisk.org/raspbx-04-04-2018.zip
$ unzip raspbx-04-04-2018.zip
$ sudo dd bs=4M if=raspbx-04-04-2018.img of=/dev/mmcblk0 status=progress conv=fsync

2. Utilize all space on your SD card

By default the image utilizes only 4GB of your SD card space. Log in to the console with username root and password raspberry and issue the command below.

# raspi-config

Navigate to Advanced Options -> A1 Expand Filesystem, which ensures that all of the SD card storage is available to the OS. The filesystem will be enlarged upon the next reboot.

3. Configure Static IP Address

Set static IP address for interface eth0.

# echo "interface eth0" >> /etc/dhcpcd.conf
# echo Continue reading

IPFire on Raspberry Pi 3B

IPFire is a modular open source firewall distribution with a primary objective of security. IPFire employs a Stateful Packet Inspection (SPI) firewall, which is built on top of netfilter (the Linux packet filtering framework). The modular design allows basic functionality to be extended by installing add-ons that can be easily deployed with the IPFire package management system, pakfire. Updates are digitally signed and encrypted.

During the installation of IPFire, the network is configured into different, separate segments (zones). These different segments may be enabled separately, depending on your requirements. Each segment represents a group of computers that share a common security level.

Green represents a "safe" area. This is where all regular clients will reside. It is usually comprised of a wired, local network. Clients on Green can access all other network segments without restriction. Red indicates "danger" or the connection to the Internet. Nothing from Red is permitted to pass through the firewall unless specifically configured by the administrator. Blue represents the "wireless" part of the local network. Since the wireless network has the potential for abuse, it is uniquely identified and specific rules govern clients on it. Clients on this network segment must be explicitly allowed Continue reading

LEDE on Raspberry PI

In December 2017, I created a home router based on Linux piCore installed on Raspberry PI3. I use this router in everyday life in order to provide Internet connection for my home devices. So far I have not noticed any issues. However, the router offers only basic functionality. The number of packages that extend the router's functionality is limited by the number of available PiCore extensions in the repository. Therefore, it is better to load the Raspberry with an advanced network distribution that provides a better customization of embedded network devices with many available packages.

The article discusses the installation and configuration of Linux Embedded Development Environment (LEDE) on Raspberry PI3. LEDE is an open source project that was created in 2016 as a fork of OpenWrt, a Linux OS for embedded devices. In 2018, the LEDE and OpenWrt projects remerged and announced their unification under the OpenWrt name.

1. LEDE Installation

Part 1 discusses installation of LEDE on Raspberry Pi3 and resizing the LEDE image. After copying LEDE to the SD card, we need to resize the file system in order to use the full capacity of the SD card.

1.1 Downloading and Extracting LEDE for Raspberry PI3

$ wget https://downloads.lede-project.org/releases/17.01.4/targets/brcm2708/bcm2710/lede-17.01.4-brcm2708-bcm2710-rpi-3-ext4-sdcard.img.gz

$ Continue reading

EIGRP Support in FRRouting 5.0.1

Recently, I have created a Linux Core 9.0 x86-64 VMware Disk (VMDK) and installed the FRRouting suite 5.0.1 on top of it in order to test current EIGRP support in Linux (RFC 7868).

The last time I tested EIGRP with FRR 3.1-dev installed on Linux Core, FRR suffered from many bugs. In fact, they were so serious that EIGRP was not ready for use. Unfortunately, they are also present in FRR version 5.0.1. Therefore, I advise you to use other IGP routing daemons such as OSPF or IS-IS available in FRR until the issues are resolved.

Anyway, you can use my Core Linux VMDK disk with installed FRRouting 5.0.1 to practice routing in Linux. Thanks to using minimalistic Core Linux distribution, the size of image is only about 86 MB. The Core kernel is compiled with enabled option MULTIPATH so you can test equal cost multipath routing with OSPF. The image is available in Linux Core Router/Switch appliances.

Openswitch OPX 3.0.0 Installation On Ubuntu 18.04.1 LTS

I have covered installation of Openswitch OPX 2.3.2 on Linux Ubuntu 16.04 in a previous article. I will go further this time and cover installation of Openswitch 3.0.0 on Ubuntu 18.04 (upgrade from 16.04). Firstly, it is worth adding that I haven't been successful with installation of any OPX version on Ubuntu 18.0.4.1. I have done several tests with different Oracle VirtualBox versions (5.1, 5.2) but I have always got the error message VBoxManage: error: Code NS_ERROR_FACTORY_NOT_REGISTERED (0x80040154) - Class not registered (extended info not available). According to the developers, installation of OPX 3.0.0 has been tested with Ubuntu 16.04 and Oracle VirtualBox 5.2.

1. Openswitch OPX 3.0.0 Installation on Ubuntu 18.04.1 Using Nested Virtualization

As I do not possess any spare hardware I decided to do a little workaround with the help of nested virtualization. Nested virtualization refers to virtualization that runs inside an already virtualized environment. In other words, it is the ability to run a hypervisor inside of a virtual machine (VM), which itself runs on a hypervisor. I installed Openswitch OPX 3.0.0 Continue reading

Openswitch OPX in GNS3

The previous article discusses an installation of Openswitch OPX on VirtualBox using lvm tool. We have extracted the Openswitch OPX VDI disk from the VirtualBox VM and run the disk with Qemu. The image has been subsequently customized using the after install script in order to run it inside GNS3. Finally, we have tested the image within a simple GNS3 lab that proves its functionality. This article goes further and we are going to test VLAN bridging using Linux native commands.

Picture 1 - Network Topology

The lab consists of three Openswitch OPX 2.3.2 instances powered by the Qemu hypervisor. The device OPX-Distrib1 is a multilayer switch that is responsible for routing between VLANs 10, 20, 30, 40 and 50. VLANs 10-40 are end-user VLANs and VLAN50 is used for management. The switches OPX-Access1 and OPX-Access2 are L2 switches with the port e101-001-0 configured as the trunk port. End users are connected to the access ports e101-002-0 and e101-003-0 on both access switches.

Note: Customized Openswitch OPX 2.3.3 vdi disk can be downloaded in Download section. Login name is opxUser and the password is not set.

1. End User Computers and Management PC Configuration

In order to save memory of host, Continue reading

Crypto Energy Consumption Overtakes

I am more than happy to publish the new infographic "Crypto Energy Consumption Overtakes" with the help of my friends from btxchange.io. As we know, cryptocurrency mining is very popular nowadays but it comes with a huge drawback in the form of huge electricity consumption. The infographic finds out the most surprising numbers for crypto energy volumes. Enjoy reading.

Openswitch OPX Installation on Linux

We have recently covered installation of Openswitch OPS on Linux. Since version 2.0, Openswitch OPS has transformed into a completely new project, called Openswitch OPX Base. Similar to its predecessor, the OpenSwitch OPX Base system also provides an abstraction of hardware devices of network switch platforms in a Linux OS environment. However, the original Yocto OS has been replaced by an unmodified Linux kernel based on the Debian Jessie distribution.

We can install OPX Base on a virtual machine, similar to installing OpenSwitch on hardware platforms. A virtual machine (VM) uses the same software binaries as those executed on S6000-ON devices. The main difference is that the low-level device drivers for the SAI and SDI libraries are replaced with the packages that support hardware simulation, and interact with the hardware simulation infrastructure.

A host machine running Openswitch OPX VM might be Windows, or Mac OS X with at least 8GB of RAM and 100GB available disk space, and Virtual Box installed. The virtual machine needs to have one network interface configured for the Management interface (eth0). The network adapter eth0 corresponds to the first adapter attached to the VM, e101-001-0 to the second adapter and so on, and e101-00N-1 to Continue reading

Openswitch OPX Appliances

OpenSwitch OPX Base is an innovative operating system for network systems. It uses an unmodified Linux kernel and standard distribution to take advantage of a rich ecosystem, and also provides flexibility in customizing your system according to your network needs.

Note: Openswitch OPX images are customized with my after install script and they are ready for use in GNS3.

Openswitch OPX 2.3.2
https://drive.google.com/file/d/1Vdpjoz53R7Rx1HYi8KcEuRuNvQnMMn0f/view?usp=sharing
https://sourceforge.net/projects/gns-3/files/VirtualBox%20Appliances/OpenswitchOPX-2.3.2.zip
https://www.4shared.com/s/fQu2DUd9dca
