DOCSLIB.ORG

How to Configure Openvpn Shared Key Tunnels Using Pfsense and Openwrt

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
How to Configure Openvpn Shared Key Tunnels Using Pfsense and Openwrt How to configure OpenVPN shared key tunnels using pfSense and OpenWRT. Ver. 1.0 (11.1.2006) Author: Ville Leinonen Intro In this document I try to explain how to configure ssl-based site-to-site tunnels using pfSense /1/ and OpenWRT /2/. In this example I use shared key, because it’s easiest way to set up site-to-site tunnel. Bad thing for this is that I can use only one tunnel/key, but it’s enough for me. This document assume that reader have some experience how to use pfSense and OpenWRT. Enviroment Bellow is picture for this document example environment. WAN address for pfSense is picked up in my head. Picture 1. Example network environment. Home office: LAN: 10.0.0.0/24 WAN: dhcp Tun0: 10.0.8.2 pfSense: LAN: 192.168.0.0/24 WAN: 212.212.212.1 Tun0: 10.0.8.1 Generating key You must generate shared static key. Step 1. Take ssh session to your pfSense firewall. Step 2. Select 8 and press enter. pfSense console setup *********************** 0) Logout (SSH only) 1) Assign Interfaces 2) Set LAN IP address 3) Reset webConfigurator password 4) Reset to factory defaults 5) Reboot system 6) Halt system 7) Ping host 8) Shell 9) PFtop 10) Filter Logs 11) Restart webConfigurator Enter an option: 8 Step 3. Generate key # openvpn --genkey --secret /tmp/myshared.key Example key: # more /tmp/myshared.key # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- ef9b9f0bff2268eb3966d6a408398db1 f7e6f9823402c76560d1ce25b8d46be4 1c58e656d2e7633d2481e74b9e328618 3c9e6a7528a46b2474bc08838ae19a4c 7f19878bd381cf8cfb0c4dc14fa52622 7360921e50710d0af689476388df0a25 54e1e86b2c9fcc4139dba763b97861bc 36cd477c6f293e8ca07e1bffaba697bf 948b65c213c5747cf0645fb7886bac4b 893953f697640dff961b95cfd8d2c0f3 ef976540e9c004ed72494648462496be 969a70e7d53910f3415f8d829bdb192e b4aad90e91baec25cac0b260205823e9 e945938896fdd9d33a56c44b90cbd5ce 0d0373923e2cdd33192fdfb4d06399fd 9eb0321402aadb116004721c5249ce61 -----END OpenVPN Static key V1----- Step 4. Copy key into your computer. Step 5. Delete generated key file. # rm /tmp/myshared.key Step 6. Logout # exit Step 7. Choose 0 and press enter. Setup pfSense This document assumes that you have existing and working pfSense environment. Step 1. Select OpenVPN link. Step 2. Select add “new server button”. … Step 3. Create OpenVPN server. - Protocol : TCP (this is communication protocol) - Local port 1194 (server listens this port) - Address pool: 10.0.8.0/24 (client takes tun0 address from this pool) - Cryptography: BF-CBC (128-bit) (we use this cryptography cipher algorithm) - Authentication method: Share key (paste here your generated key) - LZO compression (put mark for this) - Description: OPTIONAL Insert tunnel description - Click Save. Step 4. Select Rules. Step 5. Select “Add new rule”. Step 6. Add rule to allow OpenVPN tunnel traffic. - Action: Pass (allow traffic) - Interface: WAN (select WAN interface if your client connects this interface/address) - Protocol: TCP - Log: Put mark here (Yes we want to log this traffic) - Destination port range: 1194 (allow OpenVPN tunnel connections) - Description: OPTIONAL Insert rule description - Click Save Setup OpenWRT This document assumes that you have working OpenWRT environment. This document assumes that you have update your OpenWRT packages list access to backports. Step 1. Take ssh session to your OpenWRT box. Step 2. Paste your key file /etc/openvpn directory. (OpenWRT use vi editor. vi help /3/) # vi /etc/openvpn/myshared.key - Inside vi press Esc and then i - Paste your key - Press Esc - Write :wq! and press enter Step 3. Generate configuration file to /etc/config/ directory dev tun0 # Generate/use tunnel 0 proto tcp-client # Use tcp keepalive 10 60 # Some ping like messages persist-tun # Some persist options persist-key # Some persist options ifconfig 10.0.8.2 10.0.8.1 # Tun0 ip-address route 192.168.0.0 255.255.255.0 # Route for corporate network remote 212.212.212.1 1194 # OpenVPN server address resolv-retry infinite # Some Road warrior stuff nobind # We don’t need to specific port number mute-replay-warnings # Some WLAN stuff secret /etc/openvpn/myshared.key # Where our secret file is located comp-lzo # Enable compression verb 3 # Log verbosity Example. myopenvpn.cfg file Step 4. Generate startup script for /etc/init.d directory. # Make sure that tun module is loaded insmod tun # Start OpenVPN daemon openvpn --daemon --config /etc/config/openvpn.oma --ifconfig-nowarn # Allow traffic to tunnel /4/ iptables -A INPUT -i tun+ -j ACCEPT # Allow forwarding traffic from tunnel iptables -A FORWARD -i tun+ -j ACCEPT # Allow forwarding traffic from br0 interface to tunnel iptables -A FORWARD -i br0 -o tun+ -j ACCEPT Example. S98openvpn file Step 5. Restart your OpenWRT box and watch your pfSense firewall and OpenVPN logs. There should be something like this Jan 11 12:52:47 openvpn[9494]: Initialization Sequence Completed Jan 11 12:52:46 openvpn[9494]: Peer Connection Initiated with xxx.xxx.xxx.xxx:4356 Jan 11 12:52:46 openvpn[9494]: TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:4356 Jan 11 12:52:46 openvpn[9494]: TCPv4_SERVER link local (bound): [undef]:1194 Jan 11 12:52:46 openvpn[9494]: TCP connection established with xxx.xxx.xxx.xxx:4356 Links /1/ http://www.pfsense.com /2/ http://www.openwrt.org /3/ http://unixhelp.ed.ac.uk/vi/index.html /4/ http://www.netfilter.org.
Load more

Recommended publications
  • A Letter to the FCC [PDF]
    Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC 20554 In the Matter of ) ) Amendment of Part 0, 1, 2, 15 and 18 of the ) ET Docket No. 15­170 Commission’s Rules regarding Authorization ) Of Radio frequency Equipment ) ) Request for the Allowance of Optional ) RM­11673 Electronic Labeling for Wireless Devices ) Summary The rules laid out in ET Docket No. 15­170 should not go into effect as written. They would cause more harm than good and risk a significant overreach of the Commission’s authority. Specifically, the rules would limit the ability to upgrade or replace firmware in commercial, off­the­shelf home or small­business routers. This would damage the compliance, security, reliability and functionality of home and business networks. It would also restrict innovation and research into new networking technologies. We present an alternate proposal that better meets the goals of the FCC, not only ensuring the desired operation of the RF portion of a Wi­Fi router within the mandated parameters, but also assisting in the FCC’s broader goals of increasing consumer choice, fostering competition, protecting infrastructure, and increasing resiliency to communication disruptions. If the Commission does not intend to prohibit the upgrade or replacement of firmware in Wi­Fi ​ ​ devices, the undersigned would welcome a clear statement of that intent. Introduction We recommend the FCC pursue an alternative path to ensuring Radio Frequency (RF) compliance from Wi­Fi equipment. We understand there are significant concerns regarding existing users of the Wi­Fi ​ spectrum, and a desire to avoid uncontrolled change. However, we most strenuously advise against prohibiting changes to firmware of devices containing radio components, and furthermore advise against allowing non­updatable devices into the field.
    [Show full text]
  • The Pfsense Book Release
    The pfSense Book Release The pfSense Team May 10, 2017 CONTENTS 1 Preface 1 1.1 Acknowledgements...........................................1 1.2 Feedback.................................................3 1.3 Typographic Conventions........................................3 1.4 Authors..................................................4 2 Foreword 7 3 Introduction 9 3.1 What does pfSense stand for/mean?...................................9 3.2 Why FreeBSD?..............................................9 3.3 Common Deployments.......................................... 10 3.4 Interface Naming Terminology..................................... 11 3.5 Finding Information and Getting Help.................................. 12 3.6 Project Inception............................................. 13 4 Networking Concepts 15 4.1 Understanding Public and Private IP Addresses............................. 15 4.2 IP Subnetting Concepts......................................... 16 4.3 IP Address, Subnet and Gateway Configuration............................. 16 4.4 Understanding CIDR Subnet Mask Notation.............................. 17 4.5 CIDR Summarization.......................................... 18 4.6 Broadcast Domains............................................ 19 4.7 IPv6.................................................... 19 4.8 Brief introduction to OSI Model Layers................................. 32 5 Hardware 33 5.1 Minimum Hardware Requirements................................... 33 5.2 Hardware Selection........................................... 33
    [Show full text]
  • PC-BSD 9 Turns a New Page
    CONTENTS Dear Readers, Here is the November issue. We are happy that we didn’t make you wait for it as long as for October one. Thanks to contributors and supporters we are back and ready to give you some usefull piece of knowledge. We hope you will Editor in Chief: Patrycja Przybyłowicz enjoy it as much as we did by creating the magazine. [email protected] The opening text will tell you What’s New in BSD world. It’s a review of PC-BSD 9 by Mark VonFange. Good reading, Contributing: especially for PC-BSD users. Next in section Get Started you Mark VonFange, Toby Richards, Kris Moore, Lars R. Noldan, will �nd a great piece for novice – A Beginner’s Guide To PF Rob Somerville, Erwin Kooi, Paul McMath, Bill Harris, Jeroen van Nieuwenhuizen by Toby Richards. In Developers Corner Kris Moore will teach you how to set up and maintain your own repository on a Proofreaders: FreeBSD system. It’s a must read for eager learners. Tristan Karstens, Barry Grumbine, Zander Hill, The How To section in this issue is for those who enjoy Christopher J. Umina experimenting. Speed Daemons by Lars R Noldan is a very good and practical text. By reading it you can learn Special Thanks: how to build a highly available web application server Denise Ebery with advanced networking mechanisms in FreeBSD. The Art Director: following article is the �nal one of our GIS series. The author Ireneusz Pogroszewski will explain how to successfully manage and commission a DTP: complex GIS project.
    [Show full text]
  • MNHO-068 DATASHEET Intel® J1900 4 LAN 1 COM Wifi 4G Firewall Router Mini Server
    MNHO-068 DATASHEET Intel® J1900 4 LAN 1 COM WiFi 4G Firewall Router Mini Server https://www.pondesk.com/product/MNHO-068 Features ● Small Security Gateway, Firewall Router, Mini Server ● Intel® Celeron® J1900 Quad Core Processor ● 4 Threads, 2M Cache, up to 2.42 GHz ● Four Intel 82574L Gigabit Ethernet ● Support Network wake-up/PXE ● RJ45-DB9 COM (Cisco Standard) ● Support WiFi, 3G/4G WWAN Networks (optional) ● Watchdog (L256, 0~255 seconds) ● Support up to 8GB DDR3L Memory ● Support Dual Storage (mSATA SSD & 2.5" SATA SSD/HDD) ● VGA Display, USB 2.0 ● Intel® HD Graphics ● Energy Efficient 10W (idle) Low Power Consumption ● Ready for IoT - Simply Connected Using 3G/4G LTE via Mini PCIe ● Support Windows/Linux/Unix/MikroTik/Firewalls etc. ● Can be configured as a Firewall, LAN/WAN Router, VPN, DNS Server, DHCP Server ● Perfect for Security Gateway, Server, VPN and Firewall such as pfSense, Untangle, ● Sophos, Smoothwall, ClearOS, m0n0wall etc. Specifications Dimensions Processor Advanced Technologies Intel® Celeron® Processor J1900 Intel® Virtualization Technology (VT-x) 4 Core, 4 Threads Intel® 64 2M Cache, up to 2.42 GHz Enhanced Intel SpeedStep® Technology Memory Onboard I/O Support up to 8GB 1 x JVGA1 (2*12pin) W DDR3L SODIMM 1.35V Low Voltage 1 x SYS FAN (1*3pin) Single Sided non-ECC Memory 1 x CPU FAN (1*4pin) One Memory Slot 1 x ATX_4P +12V 1 x COM (2*5pin) Storage 1 x SATA2.0 Support 1 x mSATA SSD 1 x JLAN_LED (2*8pin) L H Support 1 x 2.5" SATA SSD/HDD 1 x Full height mini PCIe (For WiFi & 3G module) LAN 1 x mSATA (For SSD) 197mm
    [Show full text]
  • Network Devices Configuration Guide for Packetfence Version 6.5.0 Network Devices Configuration Guide by Inverse Inc
    Network Devices Configuration Guide for PacketFence version 6.5.0 Network Devices Configuration Guide by Inverse Inc. Version 6.5.0 - Jan 2017 Copyright © 2017 Inverse inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http:// scripts.sil.org/OFL Copyright © Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato". Copyright © Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata". Table of Contents About this Guide ............................................................................................................... 1 Other sources of information ..................................................................................... 1 Note on Inline enforcement support ................................................................................... 2 List of supported Network Devices ..................................................................................... 3 Switch configuration .......................................................................................................... 4 Assumptions ............................................................................................................
    [Show full text]
  • Kratka Povijest Unixa Od Unicsa Do Freebsda I Linuxa
    Kratka povijest UNIXa Od UNICSa do FreeBSDa i Linuxa 1 Autor: Hrvoje Horvat Naslov: Kratka povijest UNIXa - Od UNICSa do FreeBSDa i Linuxa Licenca i prava korištenja: Svi imaju pravo koristiti, mijenjati, kopirati i štampati (printati) knjigu, prema pravilima GNU GPL licence. Mjesto i godina izdavanja: Osijek, 2017 ISBN: 978-953-59438-0-8 (PDF-online) URL publikacije (PDF): https://www.opensource-osijek.org/knjige/Kratka povijest UNIXa - Od UNICSa do FreeBSDa i Linuxa.pdf ISBN: 978-953- 59438-1- 5 (HTML-online) DokuWiki URL (HTML): https://www.opensource-osijek.org/dokuwiki/wiki:knjige:kratka-povijest- unixa Verzija publikacije : 1.0 Nakalada : Vlastita naklada Uz pravo svakoga na vlastito štampanje (printanje), prema pravilima GNU GPL licence. Ova knjiga je napisana unutar inicijative Open Source Osijek: https://www.opensource-osijek.org Inicijativa Open Source Osijek je član udruge Osijek Software City: http://softwarecity.hr/ UNIX je registrirano i zaštićeno ime od strane tvrtke X/Open (Open Group). FreeBSD i FreeBSD logo su registrirani i zaštićeni od strane FreeBSD Foundation. Imena i logo : Apple, Mac, Macintosh, iOS i Mac OS su registrirani i zaštićeni od strane tvrtke Apple Computer. Ime i logo IBM i AIX su registrirani i zaštićeni od strane tvrtke International Business Machines Corporation. IEEE, POSIX i 802 registrirani i zaštićeni od strane instituta Institute of Electrical and Electronics Engineers. Ime Linux je registrirano i zaštićeno od strane Linusa Torvaldsa u Sjedinjenim Američkim Državama. Ime i logo : Sun, Sun Microsystems, SunOS, Solaris i Java su registrirani i zaštićeni od strane tvrtke Sun Microsystems, sada u vlasništvu tvrtke Oracle. Ime i logo Oracle su u vlasništvu tvrtke Oracle.
    [Show full text]
  • Debian \ Amber \ Arco-Debian \ Arc-Live \ Aslinux \ Beatrix
    Debian \ Amber \ Arco-Debian \ Arc-Live \ ASLinux \ BeatriX \ BlackRhino \ BlankON \ Bluewall \ BOSS \ Canaima \ Clonezilla Live \ Conducit \ Corel \ Xandros \ DeadCD \ Olive \ DeMuDi \ \ 64Studio (64 Studio) \ DoudouLinux \ DRBL \ Elive \ Epidemic \ Estrella Roja \ Euronode \ GALPon MiniNo \ Gibraltar \ GNUGuitarINUX \ gnuLiNex \ \ Lihuen \ grml \ Guadalinex \ Impi \ Inquisitor \ Linux Mint Debian \ LliureX \ K-DEMar \ kademar \ Knoppix \ \ B2D \ \ Bioknoppix \ \ Damn Small Linux \ \ \ Hikarunix \ \ \ DSL-N \ \ \ Damn Vulnerable Linux \ \ Danix \ \ Feather \ \ INSERT \ \ Joatha \ \ Kaella \ \ Kanotix \ \ \ Auditor Security Linux \ \ \ Backtrack \ \ \ Parsix \ \ Kurumin \ \ \ Dizinha \ \ \ \ NeoDizinha \ \ \ \ Patinho Faminto \ \ \ Kalango \ \ \ Poseidon \ \ MAX \ \ Medialinux \ \ Mediainlinux \ \ ArtistX \ \ Morphix \ \ \ Aquamorph \ \ \ Dreamlinux \ \ \ Hiwix \ \ \ Hiweed \ \ \ \ Deepin \ \ \ ZoneCD \ \ Musix \ \ ParallelKnoppix \ \ Quantian \ \ Shabdix \ \ Symphony OS \ \ Whoppix \ \ WHAX \ LEAF \ Libranet \ Librassoc \ Lindows \ Linspire \ \ Freespire \ Liquid Lemur \ Matriux \ MEPIS \ SimplyMEPIS \ \ antiX \ \ \ Swift \ Metamorphose \ miniwoody \ Bonzai \ MoLinux \ \ Tirwal \ NepaLinux \ Nova \ Omoikane (Arma) \ OpenMediaVault \ OS2005 \ Maemo \ Meego Harmattan \ PelicanHPC \ Progeny \ Progress \ Proxmox \ PureOS \ Red Ribbon \ Resulinux \ Rxart \ SalineOS \ Semplice \ sidux \ aptosid \ \ siduction \ Skolelinux \ Snowlinux \ srvRX live \ Storm \ Tails \ ThinClientOS \ Trisquel \ Tuquito \ Ubuntu \ \ A/V \ \ AV \ \ Airinux \ \ Arabian
    [Show full text]
  • Comparing Embedded Linux Build Systems and Distros
    Comparing embedded Linux build systems and distros Drew Moseley Solutions Architect Mender.io Session overview ● Review of embedded Linux development challenges. ● Define build system and criteria. ● Discuss a few popular options. ● Give me an opportunity to learn about some of the other tools. Goal: Help new embedded Linux developers get started About me Drew Moseley Mender.io ○ 10 years in Embedded Linux/Yocto development. ○ Over-the-air updater for Embedded Linux ○ Longer than that in general Embedded Software. ○ Open source (Apache License, v2) ○ Project Lead and Solutions Architect. ○ Dual A/B rootfs layout (client) [email protected] ○ Remote deployment management (server) https://twitter.com/drewmoseley https://www.linkedin.com/in/drewmoseley/ ○ Under active development https://twitter.com/mender_io Challenges for Embedded Linux Developers Hardware variety Storage Media Software may be maintained in forks Cross development Initial device provisioning Simple Makefiles don't cut it (anymore) Facts: ● These systems are huge ● Dependency Hell is a thing ● Builds take a long time ● Builds take a lot of resources ● Embedded applications require significant customization ● Developers need to modify from defaults Build System Defined _Is_ _Is Not_ ● Mechanism to specify and build ● An IDE ○ Define hardware/BSP ● A Distribution components ● A deployment and provisioning ○ Integrate user-space tool applications; including custom ● An out-of-the-box solution code ● Need reproducibility ● Must support multiple developers ● Allow for parallel
    [Show full text]
  • Presentación De Openwrt Por Jorge Vargas En
    OPENWRT POR JORGE VARGAS OPENWRT Distribución de linux para dispositivos embebidos Proviene de Linksys WRT54G Empezo en el 2004 OPENWRT Los nombres de las versiones son bebidas alcoholicas: White Russian Kamikaze Backre Attitude Adjustment Barrier Breaker Chaos Calmer Designated Driver OPENWRT El espacio de usuario es ash, uClibc o musl, y busybox con muchos scripts en lua Manejador de paquetes opkg Unied Conguration Interface (UCI) Conguras todo en un solo lugar - /etc/cong Puedes usar un editor de texto, CLI o GUI Sencillo hacer backups de tu conguracion PROYECTOS SIMILARES DD-WRT Tomato LibreCMC DebianWRT CONTRAS DD-WRT: Es muy dicil realizar contribuciones. Tomato: La licencia de la interfaz de usuario es restrictiva. LibreCMC: OpenWrt sin blobs binarios. DebianWRT: Es Debian. PROFUNDIZANDO Bootloader Arquitecturas Memoria Flash BOOTLOADER En dispositivos embebidos, un "bootloader" inicializa el hardware y luego carga el kernel. Bootloader -> Kernel. Comparado con una PC, que es BIOS -> Grub -> Kernel Das U-Boot (GPL) es el bootloader mas comun BOOTLOADER Los fabricantes tienden a modicar el bootloader Limites de tamano de kernel arbitrarios Valores magicos necesitan estar presentes en el kernel Requieren un formato de rmware especial No soportan ELF Ver http://wiki.openwrt.org/doc/techref/bootloader ARQUITECTURAS La mayoria de los routers son de arquitectura MIPS Tienen una buena relacion rendimiento/costo/poder Tambien soporta ARM, PowerPC y x86 Ver https://dev.openwrt.org/wiki/platforms MEMORIA FLASH Maneja dos formatos principalmente: SquashFS JFFS2 SQUASHFS SquashFS es un sistema de archivos de solo lectura comprimido con LZMA En este tipo de imagen, OpenWrt guarda todo el sistema en una partion de SquashFS, y usa una particion JFFS2 para sobreponer cambios JFFS2 JFFS2 es de lectura/escritura y tambien esta comprimido con LZMA, pero SquashFS es 20-30% mas pequeno SQUASHFS En mi opinion, usar la imagen de SquashFS es la mejor opcion ya que utiliza ambos sistemas de archivos, lo que te permite hacer un "factory reset" COMO EMPEZAR 1.
    [Show full text]
  • Introduzione Al Mondo Freebsd Corso Avanzato
    Introduzione al mondo FreeBSD corso Avanzato •Struttura •Installazione •Configurazione •I ports •Gestione •Netstudent http://netstudent.polito.it •E.Richiardone [email protected] •Novembre 2012 •CC-by http://creativecommons.org/licenses/by/3.0/it/ The FreeBSD project - 1 • E` un progetto software open • Lo scopo e` mantenere e sviluppare il sistema operativo FreeBSD • Nasce su CDROM come FreeBSD 1.0 nel 1993 • Deriva da un patchkit per 386BSD, eredita codice da UNIX versione Berkeley 1977 • Per problemi legali subisce un rallentamento, release 2.0 nel 1995 con codice royalty-free • Dalla release 4.0 (2000) assume la struttura che ha oggi • Disponibile per x86 32 e 64bit, ia64, MIPS, ppc, sparc... • La mascotte (Beastie) nasce nel 1984 The FreeBSD project - 2 • Erede di 4.4BSD (e` la stessa gente...) • Sistema stabile; sviluppo uniforme; codice molto chiaro, ordinato e ben commentato • Documentazione ufficiale ben curata • Licenza molto permissiva, spesso attrae aziende per progetti commerciali: • saltuariamente progetti collaborano con implementazioni ex-novo (i.e. Intel, GEOM, NDISwrapper, ZFS, GNU/Linux emulation) • Semplificazione di molte caratteristiche tradizionali UNIX Di cosa si tratta Il progetto FreeBSD include: • Un sistema base • Bootloader, kernel, moduli, librerie di base, comandi e utility di base, servizi tradizionali • Sorgenti completi in /usr/src (~500MB) • E` gia` completo (i.e. ipfw, ppp, bind, ...) • Un sistema di gestione per software aggiuntivo • Ports e packages • Documentazione, canali di assistenza, strumenti
    [Show full text]
  • Μvirt: Virtualization on Openwrt
    μVirt: Virtualization on OpenWrt Mathew McBride <[email protected]> @mcbridematt Why virtualize? ● “Universal CPE” concept ○ Telco point of view: Standardized (“whitebox”) CPE, (Truck)roll once, deploy many ○ Often as a method of extending private cloud to customer “edge” https://www.sdxcentral.com/articles/contributed/understanding-use-universal-cpe/2017/07/ Image from article (ADVA Optical Networking / SDxcentral) Goals ● Demonstrator for small virtualization on ARM64 ● Particular emphasis on “Universal CPE” use case ○ Customer sites with “appliance” spec boxes (typical 4-16GB RAM, <=256GB SSD) ○ Typical setup: Firewall, VoIP, IDS/IPS, SD-WAN VM’s ● Easy to use - works standalone ○ vs OpenStack, Industry (MANO) or commercial NFV stacks. ● Playground for end-to-end solutions ○ Working towards a demonstrator involving central management, SD-WAN/VPN, remote IPMI and full life cycle provisioning via LTE ● Would like to make advanced acceleration techniques available while still integrating with existing OpenWrt config structures Other use cases ● Deploying value add applications to existing fleet ○ E.g Home automation / Smart Home, media servers for residential CPE ○ Some carriers’ residential CPE are in the “micro” uCPE class already ● Multi-tenant virtualized router for MDUs ● Home router and server in a box ○ e.g OpenWrt + NextCloud ● Run software too complex for OpenWrt ● Isolation via VMs Why on OpenWrt? ● Small footprint ○ Fitting inside unmanaged flash (NOR/NAND) provides BOM savings ■ 128MB,1G,64GB,> 128GB price/technology barriers
    [Show full text]
  • Network Devices Configuration Guide
    Network Devices Configuration Guide PacketFence v11.0.0 Version 11.0.0 - September 2021 Table of Contents 1. About this Guide . 2 1.1. Other sources of information . 2 2. Note on Inline enforcement support. 3 3. Note on RADIUS accounting . 4 4. List of supported Network Devices. 5 5. Switch configuration . 6 5.1. Assumptions . 6 5.2. 3COM . 6 5.3. Alcatel . 12 5.4. AlliedTelesis . 16 5.5. Amer . 21 5.6. Aruba. 22 5.7. Avaya. 24 5.8. Brocade. 25 5.9. Cisco . 28 5.10. Cisco Small Business (SMB) . 61 5.11. D-Link. 63 5.12. Dell . 65 5.13. Edge core . 70 5.14. Enterasys . 71 5.15. Extreme Networks. 74 5.16. Foundry . 78 5.17. H3C . 80 5.18. HP . 83 5.19. HP ProCurve . 84 5.20. Huawei . 94 5.21. IBM . 97 5.22. Intel. 98 5.23. Juniper . 98 5.24. LG-Ericsson . 104 5.25. Linksys . 105 5.26. Netgear . 106 5.27. Nortel . 108 5.28. Pica8. 110 5.29. SMC . 111 5.30. Ubiquiti. 112 6. Wireless Controllers and Access Point Configuration . 116 6.1. Assumptions. 116 6.2. Unsupported Equipment . 116 6.3. Aerohive Networks . 117 6.4. Anyfi Networks . 135 6.5. Avaya . 138 6.6. Aruba . 138 6.7. Belair Networks (now Ericsson) . 158 6.8. Bluesocket . 158 6.9. Brocade . 159 6.10. Cambium . 159 6.11. Cisco. 163 6.12. CoovaChilli. 204 6.13. D-Link. 206 6.14. Extricom . 206 6.15. Fortinet FortiGate . 207 6.16. Hostapd .
    [Show full text]