Ok, so 2 separate networks. WiFi as mgt and wired for the VM is what you really want.
What they described is sort of what I was talking about with more than one MAC on WiFi blowing things up. Not being a network expert, while I see what they suggested would work for outgoing, I don't understand how it's going to route back inside and keep your interface off the public at the same time. It 'seems' like a simple NAT, and exposing your host to the outside directly. But it seems simple enough, so you have zero to lose by trying it.
Is there any way to get to your outside via wireless? My thought was you have a Pi, you could do an Ethernet-to-WiFi bridge (internal) and the host would never know. Then give your VM control of the internal WiFi to connect outside (as you can install any driver you want..). Of course, if you *have* to be hardwired for the guest, that's a no-go.
What I do here with only 1 IP: I have nothing in the DMZ, and do port forwards from the outside into my internal network to VMs that might need it. Since it's all on my 'internal' network I figure that is safer than exposing an entire device, and it makes it simple to maintain. At one point I had a reverse proxy (tiny proxy) parsing URL requests so I could run 3 on a single port, but that was temporary during some testing to see if I could get it to work. This works for me as I only have 2 ports exposed (one for VPN and one for Guacamole). Everything else I do is via VPN into my network from the outside, or guac...
On a customer site, it's the same deal, it's all via VPN unless they want a public website; then it's a port forward to that VM.
Yes, I do have the issue that if they break into the exposed VM and get root they have access to my internal network. But that is a really low risk since I'm only exposing a single app. PVE does have a built-in firewall you could wrap around a VM. Lock all ports from any traffic in or out but the one you are exposing. Do all mgt from the console (I have not used their FW yet.. I just know it's there). It's on my list of things to look into for a couple of the VMs.
At the office we don't put anything outside on the DMZ either. It's all via reverse proxy..
A thought. Could you run the VPN to your IP provider on a VM? Do you need it to be on the router?
That would open up some options too.
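Added example, not from any post in this thread: what "wrapping the PVE firewall around a VM" looks like in the files the Proxmox VE GUI edits. VM ID 100, the exposed TCP port 443, the MAC address and an internal network of 192.168.10.0/24 are assumptions; substitute your own. Two things that are easy to miss: the per-VM rules do nothing until the datacenter-level firewall is enabled, and they only attach to a guest NIC that has `firewall=1` set on it.

```text
# /etc/pve/firewall/cluster.fw  (datacenter level: nothing else takes
# effect until this is enabled)
[OPTIONS]
enable: 1

# /etc/pve/qemu-server/100.conf  (VM ID and MAC are assumptions): the
# firewall=1 flag is what attaches the per-VM rules to this NIC
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,firewall=1

# /etc/pve/firewall/100.fw  (per-VM rules; first match wins, top to bottom)
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: DROP
log_level_in: info

[RULES]
# the single service being exposed (443 is an assumption)
IN ACCEPT -p tcp -dport 443
# a root compromise of this guest must not turn into a foothold on the
# internal network, so refuse that before any outbound ACCEPT below
OUT DROP -dest 192.168.10.0/24 -log warning
# what the guest still needs to initiate itself: DNS, NTP, package updates
OUT ACCEPT -p udp -dport 53
OUT ACCEPT -p udp -dport 123
OUT ACCEPT -p tcp -dport 80
OUT ACCEPT -p tcp -dport 443
```

The firewall is stateful, so replies to the accepted inbound connection are not affected by `policy_out: DROP`; the OUT rules only govern connections the guest opens on its own. The noVNC/serial console goes through the host's port 8006, not the guest's NIC, so "do all mgt from the console" keeps working with the guest locked down this tightly.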
Sat Nov 28 2020 10:12:18 EST from Nurb432 @ Uncensored
Ok, so 2 separate networks. WiFi as mgt and wired for the VM is what you really want.
What they described is sort of what I was talking about with more than one MAC on WiFi blowing things up. Not being a network expert, while I see what they suggested would work for outgoing, I don't understand how it's going to route back inside and keep your interface off the public at the same time. It 'seems' like a simple NAT, and exposing your host to the outside directly. But it seems simple enough, so you have zero to lose by trying it.
Is there any way to get to your outside via wireless? My thought was you have a Pi, you could do an Ethernet-to-WiFi bridge (internal) and the host would never know. Then give your VM control of the internal WiFi to connect outside (as you can install any driver you want..). Of course, if you *have* to be hardwired for the guest, that's a no-go.
What I do here with only 1 IP: I have nothing in the DMZ, and do port forwards from the outside into my internal network to VMs that might need it. Since it's all on my 'internal' network I figure that is safer than exposing an entire device, and it makes it simple to maintain. At one point I had a reverse proxy (tiny proxy) parsing URL requests so I could run 3 on a single port, but that was temporary during some testing to see if I could get it to work. This works for me as I only have 2 ports exposed (one for VPN and one for Guacamole). Everything else I do is via VPN into my network from the outside, or guac...
On a customer site, it's the same deal, it's all via VPN unless they want a public website; then it's a port forward to that VM.
Yes, I do have the issue that if they break into the exposed VM and get root they have access to my internal network. But that is a really low risk since I'm only exposing a single app. PVE does have a built-in firewall you could wrap around a VM. Lock all ports from any traffic in or out but the one you are exposing. Do all mgt from the console (I have not used their FW yet.. I just know it's there). It's on my list of things to look into for a couple of the VMs.
At the office we don't put anything outside on the DMZ either. It's all via reverse proxy..
A thought. Could you run the VPN to your IP provider on a VM? Do you need it to be on the router?
That would open up some options too.
Yeah. 2 separate networks. But, I was thinking, it gets more complicated than that with the bridged interface. So... I think what happens is I give the bridged interface that holds the wired Ethernet as a slave the current public IP address that resides on the wired NIC on the Pi. We'll call it 72.x.x.x for now. Then I give the VM running Citadel whatever I want. It bridges through the real 72.x.x.x subnet on the physical, wired NIC.
That is all good. But I agree, I think that there is no way to turn off the MANAGEMENT of Proxmox on that NIC. You just have to block 8006 with the firewall built into Proxmox if you want to prevent the management console from being accessible over the public network.
But if you want a management NIC on a different, internal, non-routable subnet... we'll call that 192.x.x.x... I can't find any instructions on how to set that up. I *think* you might just set up another virtual bridge, assign that virtual bridge to the internal network, then attach the second NIC to the second bridge as a slave of that virtual bridge.
But I am suspicious that this doesn't work with WiFi NICs that can't be put into promiscuous mode. I'm not sure why you can't just open the management console, which is running on the bare metal, on any attached network connection. I guess because of the way the management console allows you to take console on VMs.
So, I think I understand the problem here, and that it might be part of the design that there is no way around it, which makes Proxmox potentially unsuitable for my needs. I can still always go with a bare-metal install of Linux on the machine and skip the VM altogether. That would work; it would be basically physically the same as my Pi, and that works fine. I have Acronis, so I can do live backups of the server as well. The idea of running a VM was real attractive, though.
But I can't even get the Easy Install to run on Debian, nor can I figure out how to upgrade Citadel on the Pi so that I can migrate from the Pi to the i5. So there are a lot of hurdles to jump before I get to worrying about VM vs. bare metal at this point.
Is there a preferred distro for Citadel? It certainly ain't anything Debian-derived. I'm a big fan of Debian and its variants, but as this is going to be just a server, I'm not really afraid of CentOS or other Red Hat distros. A little more headache upfront for me... but once it is running, I don't plan on doing much with it but letting it run.
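Added example, not from any post in this thread, of the two-bridge layout being described (public bridge holding the wired NIC, second bridge for management on the internal network) together with the host-side firewall that keeps 8006 off the public bridge. Interface names, addresses (203.0.113.0/29 stands in for the 72.x.x.x subnet, 192.168.10.0/24 for the internal one) and the node name are assumptions. Two caveats a practitioner will want first: pveproxy listens on every address of the host by default, so it is the host firewall, not the bridge layout, that keeps the console off the public side (releases that support `LISTEN_IP` in /etc/default/pveproxy can additionally bind it to the management address; check your version's documentation); and a WiFi interface in client mode cannot normally be a bridge port, because the access point only accepts frames from the MAC that associated, so for WiFi management put the address directly on wlan0 with no bridge, or use a second wired adapter as shown here.

```text
# /etc/network/interfaces on the Proxmox host
# (names and addresses are assumptions; 203.0.113.0/29 stands in for the
# real 72.x.x.x subnet the VPN router hands out)
auto lo
iface lo inet loopback

# wired NIC to the VPN router: no address of its own, it is only a bridge port
iface enp1s0 inet manual

# second wired NIC (built-in or USB) to the household LAN, for management
iface enp2s0 inet manual

# public bridge: the Citadel VM attaches here and gets its own 203.0.113.x
auto vmbr0
iface vmbr0 inet static
        address 203.0.113.2/29
        gateway 203.0.113.1
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0

# management bridge on the internal, non-routable network
# (no gateway here: the one default route goes via vmbr0; if management
# clients sit on other internal subnets, add static routes via 192.168.10.1)
auto vmbr1
iface vmbr1 inet static
        address 192.168.10.5/24
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0

# /etc/pve/firewall/cluster.fw
[OPTIONS]
enable: 1

[ALIASES]
# pve-firewall auto-allows its management ports from "local_network", which
# it derives from the host's own addresses; pin it to the internal side so
# the public /29 on vmbr0 never counts as local (verify: pve-firewall localnet)
local_network 192.168.10.0/24

# /etc/pve/nodes/<nodename>/host.fw  (host-level rules; replace <nodename>)
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
# GUI/API and SSH only from the internal network, i.e. only via vmbr1
IN ACCEPT -source 192.168.10.0/24 -p tcp -dport 8006
IN SSH(ACCEPT) -source 192.168.10.0/24
# policy_in already drops these from the public side; a logged rule makes
# probes against the management port visible in the firewall log
IN DROP -i vmbr0 -p tcp -dport 8006 -log warning
```

Host rules only govern traffic addressed to the host itself; bridged traffic to and from the VM on vmbr0 is unaffected by `policy_in: DROP`. Enable this from a session on the internal side and keep a local console (keyboard or IPMI) open while doing it: getting the source network wrong locks you out of 8006, and `pve-firewall stop` from that console is the way back in.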
Sat Nov 28 2020 01:00:48 EST from ParanoidDelusions @ Uncensored
Would this work better if I just didn't use the WiFi and instead plugged in a USB Ethernet adapter, hooked that up wired to the regular household ISP provider's router, and plugged the built-in Ethernet into the Cisco?
Also, I've been feeling teh $TuP1dZ the last few days. I haven't been able to verbalize very professionally what I've been running into. Just kind of bouncing off walls and not making a lot of sense describing my issues. I feel like I'm finally getting a handle on explaining it so I don't sound like a complete noob here. I'm not a pro in this area of the enterprise, but I know enough to have a fairly intelligent conversation, even though some of my recent posts might lead people to believe otherwise. :)
Sat Nov 28 2020 10:22:35 EST from Nurb432 @ Uncensored
A thought. Could you run the VPN to your IP provider on a VM? Do you need it to be on the router?
That would open up some options too.
Didn't answer this. Yeah, they use Cisco routers that are preconfigured and locked down to open the VPN connection to their end. If I were Ig, I could probably get around this, but I'm not, unfortunately, so that router has to be there.
Same service Ig uses for Uncensored. It works awesome and acts basically like an appliance. You plug it in, you plug your device into it, give your device their public IP address, and you're on the Internet.
Ya, that would work too. I was just thinking from the wireless angle. But ya, a USB/wired adapter works too (just gotta watch drivers there too).
And I don't think you were sounding stupid; none of us are experts :)
Sat Nov 28 2020 16:23:40 EST from ParanoidDelusions @ Uncensored
Sat Nov 28 2020 01:00:48 EST from ParanoidDelusions @ Uncensored
Would this work better if I just didn't use the WiFi and instead plugged in a USB Ethernet adapter, hooked that up wired to the regular household ISP provider's router, and plugged the built-in Ethernet into the Cisco?
Also, I've been feeling teh $TuP1dZ the last few days. I haven't been able to verbalize very professionally what I've been running into. Just kind of bouncing off walls and not making a lot of sense describing my issues. I feel like I'm finally getting a handle on explaining it so I don't sound like a complete noob here. I'm not a pro in this area of the enterprise, but I know enough to have a fairly intelligent conversation, even though some of my recent posts might lead people to believe otherwise. :)
Dunno about preferred, but I have had zero issues installing it on x86 Debian using Easy Install. (Worked on arm64 Armbian for me too, but I only did that once.)
Sat Nov 28 2020 16:21:14 EST from ParanoidDelusions @ Uncensored
Is there a preferred distro for Citadel? It certainly ain't anything Debian-derived. I'm a big fan of Debian and its variants, but as this is going to be just a server, I'm not really afraid of CentOS or other Red Hat distros. A little more headache upfront for me... but once it is running, I don't plan on doing much with it but letting it run.
Didn't answer this. Yeah, they use Cisco routers that are preconfigured and locked down to open the VPN connection to their end. If I were Ig, I could probably get around this, but I'm not, unfortunately, so that router has to be there.
Right ... as previously mentioned, I did a password recovery on my router, and I moved the VPN-tunneled network off the router's LAN port and onto a separate VLAN of the WAN port. So on my server machine, the untagged VLAN is on the "regular" network while the Internet-facing servers are on a VLAN-tagged network.
If you are brave enough to attempt a password recovery on your router, I can supply the configuration changes you need for the rest.
Nurb432 -- I wanted to do exactly what you're suggesting, and move the router to a VM running on the host machine. They said it's too difficult to support, but I assured them that I would not ask for support so they gave me the tunnel credentials. They believe that the reason their configuration is difficult to support with software is because they use separate credentials for the L2TP and PPP layers. I was able to get that taken care of no problem, the tunnel came up and I was able to ping the far-end interface ... but for some reason it doesn't send any traffic. I feel like I am soooooooooooo close! But I promised I wouldn't ask for support so I'm stuck until I can figure it out.
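Added example, not from any post in this thread, of the single-NIC layout just described: the untagged side of one bridge is the regular LAN, where the host and its management address live, and the Internet-facing VM sits on a tagged VLAN on the same wire. Interface name, VLAN ID 100, the VM ID, MAC and addresses are assumptions, and the router port feeding this NIC has to be a trunk that carries that VLAN tagged alongside the untagged LAN.

```text
# /etc/network/interfaces on the Proxmox host: one physical NIC, VLAN-aware
# bridge (interface name, VLAN ID and addresses are assumptions)
auto lo
iface lo inet loopback

iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet static
        # host/management address on the untagged "regular" LAN
        address 192.168.1.20/24
        gateway 192.168.1.1
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        # narrow from the installer default of 2-4094 to the VLAN(s) in use;
        # VLAN 1, untagged, stays as the PVID for the host's own traffic
        bridge-vids 100

# /etc/pve/qemu-server/101.conf  (VM ID and MAC are assumptions):
# tag=100 puts the VM's port on VLAN 100 only. The bridge strips the tag
# towards the guest and adds it towards the NIC, so the guest sees plain
# Ethernet on the VPN-tunnelled public network and has no port on the
# untagged LAN at all.
net0: virtio=BC:24:11:00:00:02,bridge=vmbr0,tag=100,firewall=1
```

The separation here is at layer 2: the guest and the host's management address are never on the same segment, so a root compromise of the guest cannot reach 8006 or the LAN through the bridge. Whether VLAN 100 can reach the LAN at all is then decided by the router that carries both, which is the one place the policy has to be checked.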
Sat Nov 28 2020 16:38:29 EST from Nurb432 @ Uncensored
Dunno about preferred, but I have had zero issues installing it on x86 Debian using Easy Install. (Worked on arm64 Armbian for me too, but I only did that once.)
Sat Nov 28 2020 16:21:14 EST from ParanoidDelusions @ Uncensored
Is there a preferred distro for Citadel? It certainly ain't anything Debian-derived. I'm a big fan of Debian and its variants, but as this is going to be just a server, I'm not really afraid of CentOS or other Red Hat distros. A little more headache upfront for me... but once it is running, I don't plan on doing much with it but letting it run.
Did you do the Easy Install? Which version? Buster or Stretch?
Give details. :)
Sat Nov 28 2020 17:49:19 EST from IGnatius T Foobar @ Uncensored
Didn't answer this. Yeah, they use Cisco routers that are preconfigured and locked down to open the VPN connection to their end. If I were Ig, I could probably get around this, but I'm not, unfortunately, so that router has to be there.
Right ... as previously mentioned, I did a password recovery on my router, and I moved the VPN-tunneled network off the router's LAN port and onto a separate VLAN of the WAN port. So on my server machine, the untagged VLAN is on the "regular" network while the Internet-facing servers are on a VLAN-tagged network.
If you are brave enough to attempt a password recovery on your router, I can supply the configuration changes you need for the rest.
Nurb432 -- I wanted to do exactly what you're suggesting, and move the router to a VM running on the host machine. They said it's too difficult to support, but I assured them that I would not ask for support so they gave me the tunnel credentials. They believe that the reason their configuration is difficult to support with software is because they use separate credentials for the L2TP and PPP layers. I was able to get that taken care of no problem, the tunnel came up and I was able to ping the far-end interface ... but for some reason it doesn't send any traffic. I feel like I am soooooooooooo close! But I promised I wouldn't ask for support so I'm stuck until I can figure it out.
I feel like I could probably handle cracking the Cisco... I've done my fair share of this kind of thing generally - unsupported Android ROMs, jailbreaking iPhones, Hackintosh systems - and before it was *easy*... and back in the 80s, phreaking and cable black boxes. But I don't know that I want to get that deep into this, compared to, "I'm going to put this on a spare Pi and throw it on my home ISP with DDNS and it is what it is..." which is how I started out. I've already gone way beyond that point simply by signing up for the Ace VPN IP service - and then the OptiPlex Tiny was another $125, plus $25 for an SSD.
I'd like to get that up and running, because I think it will solve some of the problems I've got with my Pi and Raspbian, in particular file attachments and uploads - but... it is proving to need more mental cycles than I want to invest right now. The resource cost to get it all migrated to an Intel box is more expensive than I had foreseen.
Maybe I'll play around with Proxmox and VMs on these NUCs for a while and get myself back up to speed with being comfortable with Linux first.
I mean, a month or two ago, I was investing a ton of time in learning how to get AmigaOS working with a Parallel to Ethernet adapter and using CF and SD cards as emulated SCSI drives - and really getting back up to speed with THAT OS. By the end of it, I was feeling quite the Amiga expert. Now after a month away, I sat down and couldn't remember which drawer my web browser was in. It takes just a little time NOT using a platform as your daily driver before you forget the tricks that it is capable of. But, that was 25 years since I last used it - and I was feeling pretty competent after a month of using it every day. It isn't quite like riding a bike, but you still pick it up faster the second or third time around.
Networking is something I just never had a lot of professional training in; my career path was always focused more on systems support. I mean, as SANs got popular, systems guys had to learn more about mesh configurations, and VMs also required a little more understanding at the systems level, but I never put much into advanced networking concepts. I read about a VLAN and I get the general idea, but the application is a little abstract.
Easy Install, and I never tried using packages since they always lag behind.
For x86, it looks like it's Buster for the latest install I just did (to bring back an install I thought I had saved, but apparently didn't. Always back up before you blow away VMs, and never assume :) ). But the install I lost was on Stretch. On arm64, I suspect it was Stretch, as Buster was still sid at that point.
I did a bare OS install, only base tools and SSH server, so I had to add wget first, but other than that, Easy Install just 'worked'...
Sat Nov 28 2020 18:37:53 EST from ParanoidDelusions @ Uncensored
Did you do the Easy Install? Which version? Buster or Stretch?
Give details. :)
Yeah, I'm an idiot. I was going to say in my last post that I had been drinking, so I was done effing around with Linux tonight. Then I logged off, drank some more, and effed around with Linux some more. Uninstalled the package and ran the Easy Install script again. Wondered why I was getting those weird messages, and looked at the "install" file that the Easy Install downloads. Everything looked right, and not at ALL like the error message I was getting...
So I thought, "maybe I need to run this install as a script." I had tried before... and I seem to remember scripts needed to be in the format ./script to run, or something like that... traditionally. That wasn't working. So I looked at the install repositories, and I have BASH installed, so it wasn't that I was trying to run a script for a shell I didn't have installed.
"Am I running the script wrong?"
"Google, how do I run a BASH script?"
"Bash script.sh"
Hmmmm...
bash install <enter>
Duh...
There is a good chance that everything I bitch about over the next week or so will be operator error.
Sat Nov 28 2020 19:35:35 EST from Nurb432 @ Uncensored
Easy Install, and I never tried using packages since they always lag behind.
For x86, it looks like it's Buster for the latest install I just did (to bring back an install I thought I had saved, but apparently didn't. Always back up before you blow away VMs, and never assume :) ). But the install I lost was on Stretch. On arm64, I suspect it was Stretch, as Buster was still sid at that point.
I did a bare OS install, only base tools and SSH server, so I had to add wget first, but other than that, Easy Install just 'worked'...
Sat Nov 28 2020 18:37:53 EST from ParanoidDelusions @ Uncensored
Did you do the Easy Install? Which version? Buster or Stretch?
Give details. :)
Is this how it is supposed to work, and it is just inferred that you know it? That you download easy-install and then run "bash install", or is it supposed to be that you just download easy-install and it auto-executes the script and you answer some questions?
Because the current document isn't totally clear about that if you're not familiar with Linux.
Now if I can just figure out how to export my current Citadel to this install - I'm in business. Well, I'm at least setting up for business.
yay
Sat Nov 28 2020 20:06:58 EST from ParanoidDelusions @ Uncensored
There is a good chance that everything I bitch about over the next week or so will be operator error.
Sat Nov 28 2020 19:35:35 EST from Nurb432 @ Uncensored
Easy Install, and I never tried using packages since they always lag behind.
For x86, it looks like it's Buster for the latest install I just did (to bring back an install I thought I had saved, but apparently didn't. Always back up before you blow away VMs, and never assume :) ). But the install I lost was on Stretch. On arm64, I suspect it was Stretch, as Buster was still sid at that point.
I did a bare OS install, only base tools and SSH server, so I had to add wget first, but other than that, Easy Install just 'worked'...
Sat Nov 28 2020 18:37:53 EST from ParanoidDelusions @ Uncensored
Did you do the Easy Install? Which version? Buster or Stretch?
Give details. :)
I did something unusual (for me) today. I passed a certification exam.
People around my workplace were saying things like "no surprise, he's really good at this stuff" but I actually have a *really* hard time with certification programs. The tests are optimized for people with photographic memories.
I can't remember every command for every program. That's why user interfaces have tab completion. I'm a thinker not a memorizer.
Nevertheless, I passed the "Professional VMware NSX-T Data Center" exam.
This conveys the VCP-NV certification. Yay me.
Me too. I lost a job once because the guy doing the interview expected me to be able to snap answers off the top of my head in these abstract scenarios. I find that I'm actually far more successful at resolving issues than my peers who are encyclopedic in their knowledge of what works. They tend to do it by the book, and when that doesn't work, they do the next thing in the book, until they run out of book and ideas.
Meanwhile, I'm over here *thinking* about the issue and trying to understand what is going wrong - and it might be a messier process - but in the long run, I often figure out what the problem is - often by breaking the rules and doing things you're "not supposed to do." Then the encyclopedia guys look at what I did and how I did it and go, "Oh! That shouldn't work. You're not supposed to be able to do THAT! That must mean THIS is broken..." and fix the actual problem, and then the "by the book," way works and they go, "I *fixed* it! Good thing, because that other guy was really BREAKING things trying to solve the issue!"
Mon Dec 07 2020 18:07:28 EST from IGnatius T Foobar @ Uncensored
I'm a thinker not a memorizer.
Yeah - guys like you are why I have a career in IT. I actually picked up a job at a Linux consultancy in Ohio after I left management for the Windows hosting healthcare company.
Everyone there was dubious about the boss's decision. Within about 6 weeks, they were like, "you're gonna end up the manager here." One thing that I aced that everyone else was afraid of was Samba setup.
But, I've always run into skeptics in my professional career. My thrashing about in the Citadel Support room makes it clear why. :)
Tue Dec 08 2020 13:37:19 EST from IGnatius T Foobar @ Uncensored
I've turned down a lot of job applicants who can't think outside the book.
Yeah - guys like you are why I have a career in IT. I actually picked
Well you'll be disappointed to hear that I am not a hiring manager anymore.
I left management to become a senior engineer and eventually an architect.
It's a great gig. Lots of brainy stuff and very little grunt work.
I am winning bigly right now. But if it ever comes to an end for whatever reason, the same person who originally hired me nearly 20 years ago would be eager to hire me again. (He's reading this but I'll leave names out so no one starts pestering him for a job.)