Because of my current internet provider which refuse to give me a public IP (providing me with only CGNAT), I can no longer access my stuff at home as I wish. This post describes my workaround for the problem.
External access server
Used to connect the tunnel from the inside to, and to connect to from the outside. I use a Oracle Free tier WM for this.
On the access server, I have set up a (normal) user account for the tunnel, then created a private key using Puttygen and added the public key to the .ssh/authorized_keys file for the user. /etc/ssh/sshd_config needs to be modified by adding the line
GatewayPorts clientspecified
Do not forget to check that you are able to login to the server using the user set up for this purpose (set private key login in Putty, or use ssh -i with that key)
Firewall on the access server
If the access server is behind other firewalls, you need to open the port(s) you want to connect to. For the Oracle VMs, this is done via the web UI:
Virtual Cloud Networks, click the VCN name, click the subnet name, click the security list (“Default security list” unless you have done it the recommended way to create separate security lists). Then (at last), “Add Ingress Rules”:
Source CIDR: 0.0.0.0/0 (unless you want to limit, but just for testing this will allow everyone to connect)
Source port: blank
Destination port: the port you want to connect to. An unprivileged user (the SSH user account) can only use ports 1025 and up.
The same port(s) also need to be opened on the access server itself.
I prefer using firewalld for this:
# firewall-cmd –zone=public –permanent –add-port={your-port-number-here}/tcp
# firewall-cmd –reload
GUI for plink (from Putty) to keep a reverse SSH tunnel open
https://myentunnel.informer.com/download/
Download the file (myentunnel_setup-3.6.1.exe), install it and then replace the included plink.exe with the current version included by the Putty installation.
Putty location: C:\Program Files\PuTTY
myEntunnel location: C:\Program Files\MyEnTunnel
Files used for the default profile: localports.txt (blank), remoteports.txt, keyfile.ppk (used for connecting to the server)
Ref: https://superuser.com/questions/235395/automatic-ssh-tunneling-from-windows
MyEntunnel configuration
Settings tab:
The obvious section, server (name or IP) and username, I suppose you know what to fill in there 🙂
No passphrase is needed, since we’re connecting with a private key only (this is also required by Oracle VMs)
As I forgot to note down the default settings, I just provide a snapshot of the settings I have in use (most are default values):
Tunnels tab:
Only the remote side needs to be filled in, syntax as the description below the input fields (per tunnel to create):
[listen-IP:]listen-port:host:port
Where listen-IP is the LOCAL ip of the access server (a private IP address if behind NAT as with the Oracle WMs, which are usually by default on the 10.x.x.x network) listen-port is the port opened in the inside and outside firewalls (the port on which you will access the inside stuff on) host is the inside host, can be localhost for the computer running MyEntunnel, or any other host reachable from that computer. port is the port on the inside host
A complete line could look like this:
10.0.0.3:18180:192.168.101.180:80
(will access port 80 on the inside host IP 192.168.101.180, when going through the access server at port 18180)
CM4-DUAL-ETH-BASE Wiki
(Very thin documentation on the CM4 baseboard used, nothing about the USB3 network port, but some info on the RTC, fan control and display and camera interfaces)
Internet of Things – a techie’s viewpoint
(I used mainly the beginning of chapter 36 for the first good enough solution I found on how to switch the interfaces so that eth0 will be used for WAN and eth1 for LAN)
Installation
Get the latest (stable) version of OpenWrt (I use “Factory (EXT4)”), write it to a MicroSD-card the usual way, insert into slot on CM4 board and boot up.
Note: Before booting the SD-card, you might want to resize the Linux partition and file system on it. Do this with another Linux-based system:
Insert the SD-card into a reader/card slot and check end of ‘dmesg’ output which device was assigned the card:
In this case (on my Synology NAS), the card readers’ slot was assigned ‘sdr’.
Resize the partition with ‘parted’:
root@DS1517:~# parted /dev/sdr
GNU Parted 3.2
Using /dev/sdr
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
p
Model: TS-RDF8 SD Transcend (scsi)
Disk /dev/sdr: 31.7GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number Start End Size Type File system Flags
1 4194kB 71.3MB 67.1MB primary boot, lba
2 75.5MB 173MB 104MB primary
(parted) resizepart 2 -1
...
(parted) q
Resize the file system with ‘resize2fs /dev/sdr2’
The default is to use eth0 for LAN, which I didn’t like (with the possibility that the other USB3-based interface might be less stable, and is using kernel drivers for the incorrect model).
To fix this I used the guide mentioned above, the beginning of chapter 36, with some modifications to fit my network.
(section 36.4 in IoT guide)
The later distributions of OpenWrt starts up as logged in as root on the console, which makes it easier to do the initial adjustments to the network settings. As the guide mentions, if your home network is on the 192.168.1.0/24 subnet, you can access the shell by SSH (root without password) to do the modifications.
Change the lan section of /etc/config/network to:
config interface 'lan'
option ifname 'eth0'
option proto 'dhcp'
Reboot the Pi, and you will get IP by DHCP (handed out by your old router). Either find that IP in the old router or just do a “ifconfig” command on the console.
Installing the kernel module for the USB3 network port
(section 36.5 in IoT guide)
To get the second network port working, you need to install the correct kernel module for the chipset it is using. In the case of the CM4 base board, the chip is rtl8153. Unfortenately there is no exact match or that chip (yet/ever ?), but rtl8152 will work fine. Use ‘opkg’ to install the module:
For further configuration, I also add a more user-friendly text editor than ‘vi’:
opkg install nano
Verify by ‘ifconfig eth1’ that the second network adapter shows up.
Switching the eth0 / eth1 interfaces to have eth0 for WAN
Now that we have both interfaces visible, we can switch their usage as described in the IoT guide. For my network (LAN side) I use a network mask of /16, so I cannot be on that same IP range for the network on the inside of the CM4 router.
For the inside, I choose (from the private IP-series) 172.16.3.0/24, and will give my CM4 router the IP address 172.16.3.1.
Change the old ‘lan’ section to ‘wan’ and add a new “lan” section in /etc/config/network:
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
config interface 'lan'
option proto 'static'
option ifname 'eth1'
option ipaddr '172.16.3.254'
option netmask '255.255.255.0'
option gateway '192.168.1.254'
option type 'bridge'
(I don’t think the “gateway” config is needed in ‘lan’, but have to check that)
Configure DHCP on the LAN interface
Add a “dhcp” section for eth1 in /etc/config/dhcp:
Reboot the CM4 router, connect your uplink cable to eth0 and a computer to eth1. When the CM4 router has started, and if everything works well, and the computer should get an IP address on the 172.16.3 network (in the range from .100 to .250).
LuCI confusion by manual configuration
Access the web interface on http://172.16.3.254, set a password for the web interface.
When you first access the web interface for your manually configured CM4 router, LuCI will ask to update the configuration to the new format (for using ‘br-lan’ instead of “option type ‘bridge'”) and using the ‘br-lan’ device instead of the manually entered ‘ifname’ in the lan section. Allow these changes, and the GUI is ready for use.
Configuration
The first step is to go to System/Software in the menu and click the “Update lists” button to refresh/create the list of available plugins for OpenWrt. Then use the many OpenWrt guides online for additional configuration ideas.
If you during setup have your CM4 router behind another router on the local network, change the firewall setting for WAN to allow inbound access (unless you’re happy with accessing it from a computer on that routers’ LAN interface).
You find that setting under “Network/Firewall”:
You can after this change access the web interface and SSH over the WAN side IP. Do not forget to change back if this router is put on a public network!
That’s it for the basics and getting started with OpenWrt on a Pi4 with dual ethernet interfaces (either with the used CM4 baseboard or a separate USB3 dongle). I have probably missed some of my steps as this guide was written some time after I completed the setup.
Statistics
Add and configure (accept default settings) the package named ‘luci-app-statistics’ to get graphs for CPU usage and network traffic.
Add the module ‘collectd-mod-thermal’ to get graph for CPU temperature.
Ivacy VPN settings
Get the OpenVPN-Configs.zip file from here:
https://support.ivacy.com/setup_guide/how-to-setup-openvpn-on-pf-sense/ or (any of the non-Mac and non-Windows files) here:
https://support.ivacy.com/vpnusecases/openvpn-files-windows-routers-ios-linux-and-mac/
Follow the guide
https://support.ivacy.com/setup_guide/how-to-configure-and-install-openvpn-on-your-openwrt-router/
Ivacy-VPN related content in /etc/config/openvpn (as created by LuCI)
For easier configuration, skip the steps in the guide which explains how to configure the VPN connection using LuCI, just add the connection and then hit “Save & Apply” on the basic settings page, then edit the /etc/config/openvpn file directly:
I recently did the same installation on the carrier board from Seeed Studio, with a 8GB/8GB eMMC CM4 on it.
At the time I wrote this guide, the official CM4/Pi4 OpenWrt image did not contain the needed driver for the network adapter on the USB-bus, which lead me into using the bloated image from Seeed Studio.
For the new installation attempt, I found out which driver was used, and was prepared to install it manually.
The driver needed for this board is ‘kmod-usb-net-lan78xx’, but as it’s now included in the official image, no additional steps (except for configuring) eth1 is needed.
Resizing the OpenWrt root partition is done the same way as described above, except the extra steps needed if using a CM4 with eMMC (as described in the “Getting Started” above (follow the instructions for Mac/Linux for installing “usbboot”).
Seeed Studio CM4 Router Board
Another board from Seeed Studio. This one uses a real NIC controller chip (RTL8111E) for the second port to provide better stability and speed: CM4 Router Board product page
När det inte går spara konfigurationen (full flashdisk):
Om det finns nÃ¥gon gammal version av ASA eller ASDM, sÃ¥ gÃ¥r den plocka bort med “delete”-kommandot show disk
delete disk0:/asa-gammal-fil.bin
Byta version på adsm eller asa som laddas: enable
conf t
asdm image disk0:/asdm-792-152.bin
boot system disk0:/asa924-33-k8.bin
write memory
reload
Laga trasig ASDM-inloggning
https://www.grandmetric.com/knowledge-base/design_and_configure/cisco-asa-enable-asdm-access-asa/
To enable ASDM on Cisco ASA, the HTTPS server needs to be enabled, and allow HTTPS connections to the ASA.
To configure ASDM (HTTP) access to Cisco ASA on particular interfaces, where core and management are the nameifs use following commands:
ASA(config)#aaa authentication http console LOCAL
ASA(config)#http server enable
ASA(config)#http 0.0.0.0 0.0.0.0 inside
Remember to create username, password to be able to authenticate to asdm:
ASA(config)#username admin password secretpassword
