Radovan Brezula

Author Archives: Radovan Brezula

ClearOS Installation on QEMU

ClearOS is an operating system based on CentOS for use in small and medium enterprises as a network gateway and network server with a web-based administration interface.

ClearOS in Gateway mode acts as a firewall, gateway and server on a local network. The tutorial provides installation and configuration steps for deployement of ClearOS on QEMU VM. We will later connect ClearOS QEMU VM into GNS3 network topology in order to test  features such as application traffic filtering and transparent proxy with user authentication.

Software Used:
Host OS: Kubuntu Linux 18.04.1 LTS with Qemu 3.0.0 installed and kvm-intel module loaded
Guest OS: ClearOS 7.5.0 x86_64

1. Preparing Host Network Infrastructure

As we are going to  install ClearOS guest QEMU VM in a gateway mode,  your host should have two network adapters available. (Picture 1). In our case, the first ClearOS guest network interface ens3 will be defined as LAN type during ClearOS installation. The second guest interface ens4 will be defined as External and used for connection to SOHO network. We will bridge the interface ens4 with the host interface enp4s0f2 using iproute utility. But first, we need to create tap interfaces tap0 and Continue reading

Cisco TRex on Ubuntu Server 18.04

TRex is stateful and stateless traffic generator that is designed to benchmark platforms using realistic application traffic. It can generate L3-7 traffic and scale up to 20Gbps. TRex implements the both client and server side. The tutorial provides exact steps that you can follow to install TRex on Ubuntu Server 18.04. Hope you find it useful.

1. Preparing Qemu Ubuntu Server VM for TRex Installation

I assume that you have installed Ubuntu Server 18.0.4 on Qemu disk. Start Qemu Ubuntu Server VM.

$ /usr/local/bin/qemu-system-x86_64 -m 4G -enable-kvm Ubuntu18.04-server-TRex2.vmdk -serial telnet:localhost:2222,server,nowait

Assign IP address from the internal Qemu DHCP server to the guest NIC of Ubuntu Server VM.

$ sudo dhclient

IP address is 10.0.2.15/25 and the default gateway is 10.0.2.2. Now you can connect to the Ubuntu Server issuing telnet from the host.

$ telnet localhost 2222

Copy my script trex-vm.sh from the host to Ubuntu Server Qemu VM. The script installs packages required by TRex. It also redirects VM machine output to serial port and configures old-style Ethernet interfaces naming.

$ scp -rv [email protected]:/home/brezular/trx-vm.sh .

Assign execute privileges to the script and run the Continue reading

Creating VyOS ISO Image

There are several ways to get an VyOS ISO image. Firstly, you can buy subscription, so you will have an access to LTS VyOS ISO images. The LTS images are also available for VyOS contributors or evangelists with perpetual 1-year access. The third option involves building ISO image itself. Building involves cloning VyOS repository with git, taking care of required dependencies and finally compiling from sources. Either you need Debian as a base and manage dependencies manually or you can compile using the docker method and Debian is not needed.

Using the Dockerfile you create your own Docker container that is used to build a VyOS ISO image or other required VyOS packages. The Dockerfile contains some of the most used packages needed to build a VyOS ISO, a qemu image, and several of the submodules.

1. Install Docker CE

We are going to install Docker CE on Ubuntu 18.04.2 LTS (bionic).

$ sudo apt-get update
$ sudo apt-get install apt-transport-https ca-certificates curl software-properties-common git
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo apt-key fingerprint 0EBFCD88

$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable"
$ sudo apt-get update
$ sudo apt-get install docker-ce
Continue reading

L2TP/IPSec Remote Access VPN on VyOS

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself. Therefore, it is often combined with IPSec that is used for encapsulation of L2TP packets between the endpoints. Securing L2TP using IPsec is standardized in RFC3193. The tutorial provides remote Access L2TP/IPsec configuration for VyOS network OS.

So far, I have tested L2TP/IPSec configuration on VyOS 1.2.0 with an Android phone as configured as L2TP/IPSec client. However, I have not been successful, ended with the error message below. The same L2TP/IPSec configuration works for the legacy 64-bits Vyatta 6.6, therefore, it is used in our lab, instead of VyOS.

xl2tpd[1809]: Maximum retries exceeded for tunnel

We employ Cisco vIOS-L3 in order to simulate a SOHO router. The router is connected to the Wifi router Access_Point (172.17.100.1/26) with an associated wireless client (Android phone IP 172.17.100.5/16). The L2TP/IPSec client is running on the phone. The client is configured to connect to the VPN gateway running on Vyatta (10.0.1.1/24) in order to reach the server LAN subnet (10.0.0.0/24) within L2TP/IPSec VPN tunnel Continue reading

Part2 – Monitoring Network Traffic with ntopng and nProbe

In the Part1 we have covered compilation of ntopng on Ubuntu 18.04.1 Server and installation of nProbe on Raspberry Pi 3. We have also configured Cisco Catalyst switch 3550 for traffic mirroring. The source of the traffic is the interface Fa0/3 where PC is connected and the destination port is Fa0/24 with connected Raspberry Pi 3B. This tutorial goes further and it covers configuration of the both ntopong and nProbe. First, let's have a look at the network topology.

Picture 1 - Network Topology

nProbe is running on Raspberry Pi 3B with the IP address 172.17.100.50/16. ntpong is running on Ubuntu 18.04.1 Server as the VirtualBox guest with the IP address 172.17.100.7/16. Our goal is to monitor network traffic from all devices connected to the ports of Cisco Catalyst switch 3550. In fact, we are monitoring only Windows 7 machine that is connected to Fa0/3.

Note: Without valid license, nProbe is working in demo mode and it is limited to show only 25000 flows export.

nProbe can work in two modes - poll mode and push mode. In a poll mode, ntopng dynamically subscribes to the probe via ZMQ, Continue reading

Part1 – Monitoring Network Traffic with ntopng and nProbe

Ntopng is the next generation version of the original ntop, a network traffic probe that monitors network usage. It provides a intuitive, encrypted web user interface for the exploration of realtime and historical traffic information. ntopng comes in three versions, Community, Professional (Small Business Edition) and Enterprise. The Community version is free to use and opensource. A physical NIC card of the server can be monitored by by specifying its interface name as

./ntopng -i eth0

However, we will use ntopng in flow collection mode along with nProbe which can act as probe/proxy. The communication between nProbe and ntopng takes place over ZeroMQ, a publish-subscribe protocol that allows ntopng to communicate with nProbe.

ntpong community version is installed on Ubuntu Server 18.04.1 with IP address 172.17.100.7/16. Ubuntu is running inside VirtualBox VM. The IP address of the host (Asus k55vm) is 172.17.100.2/16. The host is connected to the SOHO router that functions as gateway to the Internet gateway with the IP address 172.17.100.1/16. The network diagram is shown on the Picture 1.

nProbe is installed on Raspberry Pi 3B with the IP address 172.17.100.50/16. Windows 7 Continue reading

Juniper vSRX 15.1X49 on QEMU

Recently, I have been quite busy running into some problems with deployment of Junos 15.1X49-D15.4 on Qemu image. So, I want make your lifer easier and I share my quick installation steps with you.

1. Download vSRX VMware Appliance

Download the file media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.ova. The good news is that you do not need to enter a licence key after you download the image. The bad new is that you still need a valid contract with Juniper in order to download the file. Luckily, you can find the installation file flying somewhere on the Internet.

2. Extract Archive and OVA files

$ unrar e media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.rar
$ tar xvf media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.ova

3. Convert StreamOptimized Virtual Machine Disk to Format 

Details ale explained in my original vSRX article.

$ qemu-img convert -O qcow2 media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4-disk1.vmdk media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4-disk1.img 

4. Hack Image To Support QEMU

Unfortunately, vSRX 15.1 image boots to “Wind River Linux 6.0.0.15” prompt but it would not launch the freebsd VM within the nested KVM instance. The workaround along with the detailed explanation of the issue is originally posted here.

$ /usr/local/bin/qemu-system-x86_64 -m 4192M Continue reading

Connecting RasPBX via SIP Trunk

The previous tutorial has covered RasPBX installation on Raspberry Pi 3 board. At the end of the tutorial we have tested local calls between chan_sip extensions 1010 and 1020 that are registered to RasPBX. This time we will go further and connect RasPBX with another FreePBX VOIP system via PJSIP trunk. The FreePBX is running on VirtualBox and it is in version 14 with Asterisk 13. As the last step of the tutorial, we will test VOIP calls  between RasPBX with FreePBX that are interconnected by PJSIP trunk.

As we have mentioned, a complete RasPBX and Zoiper softphones installation and configuration is covered in a previous tutorial (except the SIP trunk).  Also, the tutorial does not cover installation of FreePBX on VirtualBox VM. So far, our inventory contains RasPBX and FreePBX with the following components.

RasPBX - Asterisk on Raspberry PI board:
- Asterisk 13.22.0
- FreeBPX 14.0.3.13
- Zoiper softphone on Ubuntu 18.0.4, IP 172.17.100.2/16, ext. 1010
- Zoiper softphone on Android 5.1, IP 172.17.100.5/16, ext. 1020

FreePBX - Installed  on VirtualBox VM
- Asterisk 13.19.1
- FreeBPX 14.0.3.13
Continue reading

Check Point GAiA as Personal Firewall on Linux – Part2

This is the second part of the tutorial that aims to deploy Check Point Gaia as a personal firewall under Linux. Let' assume that we have created underlying network infrastructure with the scripts create_taps.sh and bridge_interfaces.sh in Part1. This part goes further and explains Gaia installation on QEMU virtual machine (VM).  We will use the same network topology depicted on the Picture 1.1 of the part 1. Let's start with the point 2.

Picture 1.1 Network Topology

2. Checkpoint Gaia Installation

First, we need to create an empty qcow VM disk with qemu-img utility as we want to install Gaia into this image.

$ /usr/local/bin/qemu-img create -f qcow2 checkpoint.img 100G

As we downloaded Gaia ISO image in the part1 of the tutorial, we can start Checkpoint Gaia VM machine with the ISO attached  to Qemu cdrom.

$ sudo /usr/local/bin/qemu-system-x86_64 -m 4096M -enable-kvm -smp 2 \
-boot d -cdrom Check_Point_R80.10_T462_Gaia.iso checkpoint.img  \
-netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
-device e1000,netdev=net0,mac=00:11:22:33:44:00 \
-netdev tap,id=net1,ifname=tap1,script=no,downscript=no \
-device e1000,netdev=net1,mac=00:11:22:33:44:01 \
-netdev tap,id=net2,ifname=tap2,script=no,downscript=no \
-device e1000,netdev=net2,mac=00:11:22:33:44:02

Below are the configuration options.

Select:
- Install Gaia on this system
- Proceed with the installation
- Keyboard - US
- Partition Continue reading

Ubuntu 18.04 Overheating

Since the upgrade from Ubuntu 16.04 LTS to Ubuntu 18.04, my laptop ASUS k55VM) is overheating and goes to critical temperature shutdown. The temperature varies between 70 and 85°C with doing nothing and then goes up to 95 with watching YouTube videos before shutdown. I have tried to clean fans from dust, blacklisted noveau driver but nothing helped. Finally, I have been successful with searching for workaround that is working for me. The issue here is intel_pstate scaling driver which does not reduce the processor speed when temperature increases.

The driver is not modular and it is built-in with kernel so we cannot unload it. However, we can disable it at boot by editing grub configuration. Firstly, check if your system is using the intel_pstate frequency scaling driver. If not, overheating is not caused by the intel_pstate driver and you need to figure out the cause by yourself.

$ cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_driver

intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate

Solution 1 - Disabling intel_pstate at Boot by Editing Grub Configuration

Open /etc/default/grub with editor and locate the line that begins with:

GRUB_CMDLINE_LINUX_DEFAULT

Add intel_pstate=disable at the end of that string as below.

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash intel_pstate=disable"

Now, execute:

Update Continue reading

Check Point GAiA as Personal Firewall on Linux – Part1

Check Point GAiA is the next generation Secure Operating System for all Check Point appliances, open servers and virtualized gateways. In this tutorial we will create a network infrastructure which supports usage of Gaia Qemu VM as a personal firewall on Ubuntu Linux. We will also go through the entire installation of Gaia on Qemu VM. This firewall appliance can be used up to 15 days period covered by a free trial Gaia license (no registration needed).

Hardware:  Asus K55VM laptop:
- Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
- RAM - 2 x Kingston DDR3 8192MB,
- HDD - ST1000LM024 HN-M101MBB 1000GB

Hardware requirements:
- Gaia QEMU VM: RAM - 4096MB, HDD - 15GB
- Windows 7 QEMU VM: RAM 2048MB, HDD - 15 GB

Software:
Host - Kubuntu Linux 18.04.1 LTS with installed QEMU emulator version 3.0.0 and KVM module
Guest 1 - Checkpoint GAiA R80.10, OS build 462, OS kernel version 2.6.18-92cpx86_64
Guest 2 - Windows 7 Home Premium, x86 with installed Smart Console R80.10 Build 991140073

Credentials - username/password:
- Gaia web portal: admin/check123point
- Gaia expert mode: check123point
- Windows 7: no password Continue reading

VyOS 1.2.0 Epa2 Realased

Finally, VyOS 1.2 epa2 ISO live image is released to subscribers. VyOS is a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality.

Free subscription is available for contributors, nonprofits and educational and research institutions, and both long-time contributors. Everyone who contributed before the release model change gets a perpetual subscription, the amount of contributions doesn’t matter. After that, contributing within a given year will give us a yearly subscription. If you are not a subscriber you can still download VyOS rolling release or built the ISO image from the source code.

You can use my Bash and Expect scripts to automatize VyOS 1.2.0 installation to VMware disk image. The scripts are available in the Script (1.1) section. Firstly, run the script  deploy_vyos-1.2.0.sh and after the ISO images boots up, you can run the second script  install_vyos-1.2.0.sh. You can run the image using GNS3 project and test open-source routing.

Asterisk on Raspberry Pi

RaspPBX is a project which brings the free and open source Asterisk and FreePBX into Raspberry Pi board. RaspPBX turns Pi into a communications server which can be used by small businesses with up to 12 extensions. FreePBX is a web-based open source GUI  that controls and manages Asterisk. Our goal is to show installation of the latest RaspPBX into Raspberry Pi 3 Model B Rev 1.2.

The latest image available for download includes Asterisk 13.20.0 and FreePBX 14.0.2.10.

1. Download, Extract and Copy RaspPBX Image to SD Card

$ wget http://download.raspberry-asterisk.org/raspbx-04-04-2018.zip
$ sudo dd bs=4M if=raspbx-04-04-2018.img of=/dev/mmcblk0 status=progress conv=fsync
$ unzip raspbx-04-04-2018.zip

2. Utilize all space on your SD card

By default the image utilizes only 4GB of your SD card space. Login to the console with username root and password raspberry and issue the command below.

# raspi-config

Navigate to Advanced Options-> A1 Expand Filesystem Ensures that all of the SD card storage is available to the OS. The filesystem will be enlarged upon the next reboot.

3. Configure Static IP Address

Set static IP address for interface eth0.

# echo "interface eth0" >> /etc/dhcpcd.conf
# echo Continue reading

IPFire on Raspberry Pi 3B

IPFire is a modular opensource firewall distribution with a primary objective of security. IPFire employs a Stateful Packet Inspection (SPI) firewall, which is built on top of netfilter (the Linux packet filtering framework). The modular designs allows to extend basic functionality by installation of add-ons that can be easily deployed with the IPFire package management system - pakfire. Updates are digitally signed and encrypted.

During the installation of IPFire, the network is configured into different, separate segments (zones). These different segments may be enabled separately, depending on your requirements. Each segment represents a group of computers who share a common security level.

Green represents a "safe" area. This is where all regular clients will reside. It is usually comprised of a wired, local network. Clients on Green can access all other network segments without restriction. Red indicates "danger" or the connection to the Internet. Nothing from Red is permitted to pass through the firewall unless specifically configured by the administrator. Blue represents the "wireless" part of the local network. Since the wireless network has the potential for abuse, it is uniquely identified and specific rules govern clients on it. Clients on this network segment must be explicitly allowed Continue reading

LEDE on Raspberry PI

In December 2017, I created a home router based Linux piCore installed on Raspberry PI3. I use this router in everyday life in order to provide Internet connection for my home devices. So far I have not noticed any issues. However, the router offers only basic functionality. The number of packages that extends router's functionality is limited by the number of available PiCore extensions in repository. Therefore, it is better to load Raspberry with a advanced network distribution that provides a better customization of embedded netwrok devices with many available packages.

The article discusses an installation and configuration of Linux Embedded Development Environment (LEDE) on Raspberry PI3. LEDE is an opensource project that was created in 2016 as a fork of OpenWrt - Linux OS for embedded devices. In 2018, LEDE and OpenWrt projects reemerged and they announced their unification  under OpenWrt name .

1.  LEDE Installation

The part 1 discusses installation of LEDE on Raspberry Pi3 and resizing LEDE image. After copying LEDE to SD card, we need to resize file system in order to use full capacity of SD card.

1.1 Downloading and Extracting LEDE for Raspberry PI3

$ wget https://downloads.lede-project.org/releases/17.01.4/targets/brcm2708/bcm2710/lede-17.01.4-brcm2708-bcm2710-rpi-3-ext4-sdcard.img.gz

$ Continue reading

EIGRP Support in FRRouting 5.0.1

Recently, I have created Linux Core 9.0 x86-64 VMware Disk (VMDK) and installed FRRrouting suite 5.0.1 on the top of it in order to test current EIGRP support in Linux (RFC 7868).

The last time I tested EIGRP with FRR 3.1-dev installed on Linux Core, FRR suffered from many bugs. In fact, they were so serious so EIGRP was not ready for use. Unfortunately, they are also presented in FRR version 5.0.1. Therefore, I advise you to use another IGP routing daemons such as OSPF or IS-IS available in FRR until the issues are resolved.

Anyway, you can use my Core Linux VMDK disk with installed FRRouting 5.0.1 to practice routing in Linux. Thanks to using minimalistic Core Linux distribution, the size of image is only about 86 MB. The Core kernel is compiled with enabled option MULTIPATH so you can test equal cost multipath routing with OSPF. The image is available in Linux Core Router/Switch appliances.

Openswitch OPX 3.0.0 Installation On Ubuntu 18.04.1 LTS

I have covered installation of Openswitch OPX 2.3.2 on Linux Ubuntu 16.04 in a previous article. I will go further with this time and cover installation of Openswitch 3.0.0 on Ubuntu 18.04 (upgrade from 16.04). Firstly, it is worth to add that I haven't been successful with installation of any OPX version on Ubuntu 18.0.4.1. I have done several test with different Oracle VirtualBox versions (5.1, 5,2) but I have always got the error message VBoxManage: error: Code NS_ERROR_FACTORY_NOT_REGISTERED (0x80040154) - Class not registered (extended info not available). According to the words of developers installation of OPX 3.0.0 has been tested with Ubuntu 16.04 and Oracle VirtualBox 5.2.

1. Openswitch OPX 3.0.0 Installationon Ubuntu 18.04.1 Using Nested Virtualization

As I do not posses any spare hardware I decided to do a little workaround with the help of nested virtualization. Nested virtualization refers to virtualization that runs inside an already virtualized environment. In other words, it is the ability to run a hypervisor inside of a virtual machine (VM), which itself runs on a hypervisor. I installed Openswitch OPX 3.0.0 Continue reading

Openswitch OPX in GNS3

The previous article discusses an installation of Openswitch OPX on VirtualBox using lvm tool. We have extracted Openswitch OPX VDI disk from VirtualBoxVM and run the disk with Qemu. The image has been subsequently customized using the after install script in order to run it inside GNS3. Finally, we have tested the image within a simple GNS3 lab that proves its functionality. This article goes further and we are going to test VLANs bridging using Linux native commands.

Picture 1 - Network Topology

The lab consists of three Openswitch OPX 2.3.2 instances powered by Qemu hypervisor. The device OPX-Distrib1 is multilayer switch that is responsible for routing between VLANs 10,20,30,40 and 50. The VLANs 10-40 are end-users VLANs and the VLAN50 is used for management. The switches OPX-Access1 and OPX-Access2 are L2 switches with the port e101-001-0 configured as the trunk ports. End users are connected to the access ports e101-002-0 and e101-003-0 on both access switches.

Note: Customized Openswitch OPX 2.3.3 vdi disk can be downloaded in Download section. Login name is opxUser and the password is not set.

1. End User Computers and Management PC Configuration

In order to save memory of host, Continue reading

1 3 4 5 6 7 9