You can choose a wiki page from the left sidebar or go to the blog for the blog archives.

Here are the latest 10 posts with pagination:

Dirty notes on setting up MikroTik with VLANs, a trunk port and switch1-cpu

Blah

  • ether1 : trunk to Edge-Router-X
  • ether2 to ether16 : Vlan LAN
  • ether18,ether20,ether22,ether24 : Vlan Guest
  • ether17,ether19,ether21,ether23 : Vlan IOT
post-v6.41 bridge hw-offload configuration
/interface bridge
add name=bridge1 igmp-snooping=no  protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
...
Add initial VLAN assignments (PVID) to VLAN access ports
/interface ethernet switch ingress-vlan-translation
add ports=ether2 customer-vid=0 new-customer-vid=110 sa-learning=yes
... to ...
add ports=ether16 customer-vid=0 new-customer-vid=110 sa-learning=yes
...
add ports=ether18 customer-vid=0 new-customer-vid=120 sa-learning=yes
add ports=ether20 customer-vid=0 new-customer-vid=120 sa-learning=yes
add ports=ether22 customer-vid=0 new-customer-vid=120 sa-learning=yes
add ports=ether24 customer-vid=0 new-customer-vid=120 sa-learning=yes
...
add ports=ether17 customer-vid=0 new-customer-vid=130 sa-learning=yes
add ports=ether19 customer-vid=0 new-customer-vid=130 sa-learning=yes
add ports=ether21 customer-vid=0 new-customer-vid=130 sa-learning=yes
add ports=ether23 customer-vid=0 new-customer-vid=130 sa-learning=yes
  • Add VLAN 110, 120 and 130 tagging on ether1 to make it the VLAN trunk port. An egress-vlan-tag entry is mandatory for every VLAN, otherwise the VLAN access ports will not work. If no trunk port has been chosen yet, the egress-vlan-tag entry still has to be added, with tagged-ports="".
We only want switch1-cpu (the port towards the RouterOS management plane) to be reachable through VLAN 110 (LAN), so it is tagged on that VLAN only; guest and IoT traffic never reaches the CPU.
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,switch1-cpu vlan-id=110
add tagged-ports=ether1 vlan-id=120
add tagged-ports=ether1 vlan-id=130
  • VLAN membership definitions in the VLAN table are required for proper isolation. Adding entries with VLAN id and ports makes that VLAN traffic valid on those ports.
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,...,ether16 vlan-id=110 learn=yes
add ports=ether1,ether18,ether20,ether22,ether24 vlan-id=120 learn=yes
add ports=ether1,ether17,ether19,ether21,ether23 vlan-id=130 learn=yes
  • After the VLAN configuration is valid, forwarding of unknown or invalid VLANs can be disabled in the global switch settings. The check only applies to the ports listed, so the list must name every port that carries VLAN traffic, trunk included (ether1 to ether24 for the layout above); the four ports below cover only part of that layout and leave the other ports unchecked.
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether6,ether7,ether8
  • Define the IP address on the switch1-cpu side. switch1-cpu is already tagged on VLAN 110 in the egress-vlan-tag table above, so that entry is not repeated here; the VLAN interface sits on the bridge:
/interface vlan
add name=VlanLan interface=bridge1 vlan-id=110
/ip address
add address=192.168.10.9/24 interface=VlanLan
/ip dns
set servers=192.168.10.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1
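A consistency check over the three switch-chip tables, as an added example in Python (it is not part of the original notes and not RouterOS code): it models the ingress-vlan-translation, egress-vlan-tag and vlan tables as dicts and checks the properties the isolation above relies on. Port names and VLAN ids are the ones from the notes; `page_config()` reproduces them, four-port drop list included, so the checker's first run reports exactly that gap.

```python
from dataclasses import dataclass


@dataclass
class SwitchVlanConfig:
    """The three switch-chip tables plus the global drop list, as Python data."""
    trunk: str           # port carrying every VLAN tagged (ether1 in the notes)
    pvid: dict           # access port -> PVID, from ingress-vlan-translation
    egress_tagged: dict  # vlan-id -> ports sending that VLAN tagged, from egress-vlan-tag
    members: dict        # vlan-id -> member ports, from the vlan table
    drop_ports: set      # drop-if-invalid-or-src-port-not-member-of-vlan-on-ports
    cpu_port: str = "switch1-cpu"


def check_isolation(cfg, management_vlan):
    """Return human-readable problems; an empty list means the tables agree."""
    problems = []

    # 1. An access port must be a member of the VLAN its PVID assigns, and must
    #    not also send that VLAN tagged (the host would receive tagged frames).
    for port, vid in cfg.pvid.items():
        if port not in cfg.members.get(vid, set()):
            problems.append(f"{port}: PVID {vid} but not a member of VLAN {vid}")
        if port in cfg.egress_tagged.get(vid, set()):
            problems.append(f"{port}: access port for VLAN {vid} but also tagged for it")

    for vid, ports in cfg.members.items():
        # 2. Every VLAN needs an egress-vlan-tag entry and must ride the trunk tagged.
        tagged = cfg.egress_tagged.get(vid)
        if tagged is None:
            problems.append(f"VLAN {vid}: no egress-vlan-tag entry")
        elif cfg.trunk not in tagged:
            problems.append(f"VLAN {vid}: trunk {cfg.trunk} is not tagged")
        if cfg.trunk not in ports:
            problems.append(f"VLAN {vid}: trunk {cfg.trunk} is not a member")
        # 3. An access port that is an untagged member of a second VLAN leaks it to its host.
        for port in ports:
            if port in cfg.pvid and cfg.pvid[port] != vid and port not in (tagged or set()):
                problems.append(f"{port}: untagged member of VLAN {vid} but PVID is {cfg.pvid[port]}")
        # 4. The CPU port may only be a member of the management VLAN.
        if cfg.cpu_port in ports and vid != management_vlan:
            problems.append(f"VLAN {vid}: {cfg.cpu_port} is a member, management reachable from it")

    for vid, tagged in cfg.egress_tagged.items():
        if cfg.cpu_port in tagged and vid != management_vlan:
            problems.append(f"VLAN {vid}: {cfg.cpu_port} is tagged, management reachable from it")

    # 5. The ingress check only runs on listed ports, so every port must be listed.
    missing = sorted((set(cfg.pvid) | {cfg.trunk}) - cfg.drop_ports)
    if missing:
        problems.append("drop-if-invalid-or-src-port-not-member-of-vlan-on-ports misses: "
                        + ", ".join(missing))
    return problems


def page_config():
    """The tables exactly as written in the notes, four-port drop list included."""
    lan = [f"ether{n}" for n in range(2, 17)]
    guest = ["ether18", "ether20", "ether22", "ether24"]
    iot = ["ether17", "ether19", "ether21", "ether23"]
    pvid = {p: 110 for p in lan}
    pvid.update({p: 120 for p in guest})
    pvid.update({p: 130 for p in iot})
    return SwitchVlanConfig(
        trunk="ether1",
        pvid=pvid,
        egress_tagged={110: {"ether1", "switch1-cpu"}, 120: {"ether1"}, 130: {"ether1"}},
        members={110: {"ether1", *lan}, 120: {"ether1", *guest}, 130: {"ether1", *iot}},
        drop_ports={"ether2", "ether6", "ether7", "ether8"},
    )


if __name__ == "__main__":
    cfg = page_config()
    for problem in check_isolation(cfg, 110):
        print("PROBLEM:", problem)
    cfg.drop_ports = set(cfg.pvid) | {cfg.trunk}   # the fix: list every switch port
    print("after widening the drop list:", check_isolation(cfg, 110))
```

Run as is, it reports the drop-list gap and nothing else; widening the list to every port clears it. Feeding it a real switch means turning the `print` output of the three tables into the same dicts, which is left out here.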
2018/11/05 00:00 · dashie

Network on Amiga using PPP

I am using the non-free Roadshow TCP/IP stack since it has built-in PPP support.

I tried AmiTCP, both the latest stable and unstable versions, plus a third-party PPP, and couldn't get anything working properly.

Buy and install Roadshow and configure:

In this file, change these two lines to:

DEVS:NetInterfaces/PPP
device=ppp-serial.device
requiresinitdelay=no

Create this file with:

S:PPP-Configurations/ppp-serial
interface=ppp
device=serial.device
baud=19200
rtscts=no
checkcarrier=no
nullmodem=yes

Notes:

  • 192.168.210.30: the IP the ppp0 interface gets on the Linux side
  • 192.168.210.251: the IP the Amiga gets
  • 192.168.10.1: my Linux-side router
  • enp0s25: my laptop's Ethernet connection to the LAN
  • You can skip the whole iptables part if you don't need to reach the LAN and the internet from the Amiga; it will then only be able to reach the Linux side's IP
  • forwarding between ppp0 and enp0s25 also needs net.ipv4.ip_forward=1 on the Linux side; the iptables rules alone are not enough
  • beware that the first two iptables commands flush the filter and nat tables: they DELETE ANY EXISTING RULES, including a host firewall you may already have
  • debug makes pppd log verbosely
  • nodetach runs pppd in the foreground
amiga-ppp.sh
#!/usr/bin/env bash
 
# Flushes the filter and nat tables: any existing rules are gone after this.
sudo iptables -F
sudo iptables -t nat -F
 
# Without forwarding enabled the kernel drops packets between ppp0 and enp0s25.
sudo sysctl -w net.ipv4.ip_forward=1
 
# NAT the Amiga behind the laptop's LAN address and allow both forwarding
# directions (LAN -> Amiga only for replies to connections the Amiga opened).
sudo iptables -t nat -A POSTROUTING -o enp0s25 -j MASQUERADE
sudo iptables -A FORWARD -i enp0s25 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i ppp0 -o enp0s25 -j ACCEPT
 
sudo pppd file /etc/ppp/peers/amiga
/etc/ppp/peers/amiga
# /etc/ppp/peers/amiga
#
# Created for the RPi/Amiga by Roger North-Row <amiga-ppp@north-row.com>
#
# To quickly see what options are active in this file, use this command:
#   egrep -v '#|^ *$' /etc/ppp/peers/amiga
 
debug
 
nodetach
 
# Serial device
/dev/ttyUSB0
 
# Speed of the serial line, this is probably maximum unless you have a serial
# board
19200
 
# DNS server handed to the peer (the Amiga) through IPCP; "ms-dns" is just
# the option name, it is not specific to Windows clients
ms-dns 192.168.10.1
 
# WINS server handed to the peer; of no use to the Amiga, can be dropped
ms-wins 192.168.10.1
 
# Do not require the peer to authenticate itself: the link is a null-modem
# cable to the Amiga and no credentials are configured on either side.
noauth
 
# Don't use the modem control lines.
local
 
# Local and remote IP addresses
192.168.210.30:192.168.210.251
 
# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
netmask 255.255.255.0
 
# Enables the "passive" option in the LCP.  With this option, pppd will
# attempt to initiate a connection; if no reply is received from the
# peer, pppd will then just wait passively for a valid LCP packet from
# the peer (instead of exiting, as it does without this option).
passive
 
# With this option, pppd will not transmit LCP packets to initiate a
# connection until a valid LCP packet is received from the peer (as for
# the "passive" option with old versions of pppd).
silent
 
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.
proxyarp
 
# Do not exit after a connection is terminated; instead try to reopen
# the connection.
persist
 
# ---<End of File>---

Check that the following exists in:

S:user-startup
;BEGIN Roadshow
if EXISTS S:Network-Startup
  Execute S:Network-Startup
EndIf
;END Roadshow

Launch “amiga-ppp.sh” on the linux side.

Reset your Amiga, open a new shell and execute:

ppp_dialer s:PPP-Configurations/ppp-serial

And you can leave that window aside and enjoy slow internet.

2018/10/21 00:00 · dashie

Debian diskless using PXE and root on NFS.

I wanted a Debian bootable over PXE with full persistence, so I opted for root on NFS.

It uses Debian stretch for both the server and the target.

The pxelinux config defaults to booting from the local drive, so I can set my workstation to boot from PXE by default and still boot the Debian when I want, without having to go into the BIOS to select PXE.

Conventions I used at this time

  • PXE/tftp server IP: 192.168.10.11
  • TFTP root dir: /mnt/zfs/deadpool0/public/TFTP
  • NFS root dir: /nfsroot
  • OS on PXE/tftp server: debian stretch, same for the target nfs root
  • Kernel for target (if your debian/version have a newer, use the latest): 4.9.0-4-amd64
  • My NFS root is shared from ZFS using these parameters:
    rw=@192.168.10.0/24,no_root_squash,async,insecure
    • You should be able to use the same parameters in
      /etc/exports
    • Note that rw plus no_root_squash for the whole /24 lets any host on that subnet write to the target's root filesystem as root (NFSv3 without Kerberos only checks the client's source address), and insecure accepts mounts from unprivileged source ports, so any unprivileged user on such a host can do it too; restrict the export to the diskless client's address if you can

EdgeRouter

To be able to PXE boot, I needed to add the following to my DHCP “vlan_lan” service:

bootfile-server 192.168.10.11
bootfile-name /pxelinux.0

Prerequisite

apt install tftpd-hpa syslinux initramfs-tools pxelinux debootstrap

Configuring TFTP server

I use tftpd-hpa, so I changed its config file to the following. Note that --create lets any TFTP client create new files in the TFTP root (without it only existing, world-writable files can be overwritten); TFTP has no authentication, so drop it unless you really upload through TFTP:

/etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/mnt/zfs/deadpool0/public/TFTP"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure --create"

Configure pxelinux

cd /mnt/zfs/deadpool0/public/TFTP
cp /usr/lib/PXELINUX/pxelinux.0 .
mkdir -p pxelinux.cfg boot/isolinux/
cp -r /usr/lib/syslinux/modules/bios/* boot/isolinux/
# pxelinux.cfg/default below references the kernel and the initrd by name, so copy both
cp /boot/vmlinuz-4.9.0-4-amd64 /boot/initrd.img-4.9.0-4-amd64 .
pxelinux.cfg/default
DEFAULT menu.c32
 
PROMPT 0
TIMEOUT 300
ONTIMEOUT local
 
LABEL reboot
        MENU LABEL reboot computer
        COM32 reboot.c32
 
LABEL local
        MENU LABEL boot local drive
        LOCALBOOT 0
 
LABEL linux
        MENU LABEL Linux Debian 4.9.0-4-amd64
        KERNEL vmlinuz-4.9.0-4-amd64
        APPEND root=/dev/nfs initrd=initrd.img-4.9.0-4-amd64 nfsroot=192.168.10.11:/nfsroot ip=dhcp rw

Install target nfs root

# create /nfsroot if not exists, don't forget the NFS export
debootstrap stretch /nfsroot
# Then after finish:
cp /etc/network/interfaces /nfsroot/etc/network/interfaces
cp /etc/hosts /nfsroot/etc/
cp /etc/fstab /nfsroot/etc/

Now edit the last two files to look like this:

/nfsroot/etc/hosts
127.0.0.1       localhost
127.0.1.1       pxeboot
 
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/nfsroot/etc/fstab
# /etc/fstab: static file system information.
#
# The root filesystem is already mounted by the initramfs from the nfsroot=
# kernel parameter; the entry below only documents it (pass 0: never fsck an
# NFS root). proc and tmpfs are never fsck'ed either, so their pass is 0 too.
#
# <file system>           <mount point>   <type>  <options>   <dump>  <pass>
192.168.10.11:/nfsroot    /               nfs     defaults    0       0
proc                      /proc           proc    defaults    0       0
tmpfs                     /tmp            tmpfs   defaults    0       0

Then chroot to the target and edit some more things:

mount -t proc proc /nfsroot/proc   # some package scripts need /proc inside the chroot
chroot /nfsroot
echo pxeboot > /etc/hostname
apt update
# debootstrap installs no kernel: install the same version as the vmlinuz/initrd
# copied to the TFTP root, so that /lib/modules matches the running kernel
apt install linux-image-4.9.0-4-amd64
# If you want more stuff and a GUI like MATE:
apt install task-mate-desktop openssh-server screen tmux sudo htop vim
# Don't forget a root password
passwd root
# And a user with the right groups (and a real login shell)!
useradd -m -s /bin/bash -G adm,dialout,cdrom,sudo,dip,plugdev,users dashie
passwd dashie
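The boot chain above has two things worth checking mechanically: that every kernel and initrd named in pxelinux.cfg/default was actually copied into the TFTP root, and what the NFS export behind nfsroot= grants to whom. The following Python script is an added example, not part of the original notes: it parses the page's pxelinux.cfg/default (embedded as a string), a constructed /etc/exports line that is the assumed equivalent of the ZFS sharenfs parameters above, and a temporary directory standing in for the TFTP root.

```python
import ipaddress
import os
import re
import tempfile

# The menu entries from the page's pxelinux.cfg/default.
PXELINUX_DEFAULT = """\
DEFAULT menu.c32
ONTIMEOUT local

LABEL local
        MENU LABEL boot local drive
        LOCALBOOT 0

LABEL linux
        MENU LABEL Linux Debian 4.9.0-4-amd64
        KERNEL vmlinuz-4.9.0-4-amd64
        APPEND root=/dev/nfs initrd=initrd.img-4.9.0-4-amd64 nfsroot=192.168.10.11:/nfsroot ip=dhcp rw
"""

# Assumed /etc/exports rendering of rw=@192.168.10.0/24,no_root_squash,async,insecure.
EXPORTS = "/nfsroot 192.168.10.0/24(rw,no_root_squash,async,insecure)\n"


def parse_labels(text):
    """One dict per LABEL block, holding its KERNEL / APPEND / LOCALBOOT / COM32 lines."""
    entries, cur = [], None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts:
            continue
        key, value = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "LABEL":
            cur = {"label": value}
            entries.append(cur)
        elif cur is not None and key in ("KERNEL", "APPEND", "LOCALBOOT", "COM32"):
            cur[key.lower()] = value
    return entries


def missing_assets(config_text, tftp_root):
    """(label, file) pairs the menu references but the TFTP root does not contain."""
    missing = []
    for entry in parse_labels(config_text):
        wanted = [entry["kernel"]] if "kernel" in entry else []
        m = re.search(r"\binitrd=(\S+)", entry.get("append", ""))
        if m:
            wanted.append(m.group(1))
        missing += [(entry["label"], f) for f in wanted
                    if not os.path.isfile(os.path.join(tftp_root, f))]
    return missing


def parse_exports(text):
    """Map export path -> [(client, {options})] from /etc/exports syntax."""
    exports = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        clients = []
        for spec in fields[1:]:
            m = re.fullmatch(r"([^(]+)(?:\((.*)\))?", spec)
            if m:
                clients.append((m.group(1), set(filter(None, (m.group(2) or "").split(",")))))
        exports[fields[0]] = clients
    return exports


def nfsroot_findings(config_text, exports_text):
    """Security findings for the export behind each nfsroot= in the menu."""
    findings, exports = [], parse_exports(exports_text)
    for entry in parse_labels(config_text):
        m = re.search(r"\bnfsroot=(?:[^:\s,]+:)?([^\s,]+)", entry.get("append", ""))
        if not m:
            continue
        path, label = m.group(1), entry["label"]
        if path not in exports:
            findings.append(f"{label}: {path} is not exported")
            continue
        for client, opts in exports[path]:
            if {"rw", "no_root_squash"} <= opts:
                findings.append(f"{label}: {client} can write {path} as root (rw,no_root_squash)")
            if "insecure" in opts:
                findings.append(f"{label}: {client} may mount {path} from unprivileged ports (insecure)")
            try:  # a /24 means every host on the LAN, not just the diskless client
                if ipaddress.ip_network(client, strict=False).num_addresses > 1:
                    findings.append(f"{label}: {path} is exported to the whole network {client}")
            except ValueError:
                pass  # hostname, netgroup or wildcard: not an IP network
    return findings


def demo():
    """Rebuild the TFTP root the way the original cp line left it: initrd only, no kernel."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "initrd.img-4.9.0-4-amd64"), "w").close()
        before = missing_assets(PXELINUX_DEFAULT, root)
        open(os.path.join(root, "vmlinuz-4.9.0-4-amd64"), "w").close()
        after = missing_assets(PXELINUX_DEFAULT, root)
    return before, after, nfsroot_findings(PXELINUX_DEFAULT, EXPORTS)


if __name__ == "__main__":
    before, after, findings = demo()
    print("missing before copying the kernel:", before, "after:", after)
    for finding in findings:
        print("FINDING:", finding)
```

The first run reports the missing vmlinuz and three findings on the export; exporting to the single client address with root_squash clears all three.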

Now you can boot any computer on PXE and it should get a full diskless debian!

2018/03/07 00:00 · dashie

Elka Concorde 405 - project state.

I've just got an Elka Concorde 405 and this will be one of the two major projects for 2018.

I've been looking for one for years and I finally got one, really cheap, for parts, with a huge delivery price.

Fortunately, as usual, the delivery carrier dropped the thing on the ground, because, hey, why take care when you pay 70€ for delivery? (yes, that was the delivery price)

So here are the current issues:

  • the whole bracket with connectors (pedal, power, headphones) and the transformer are ripped from the case
  • the PCB for the connectors is broken into four parts (I may need to make a whole new PCB for it)
  • some PSU cables are partially snapped because of the transformer drop
  • one speaker magnet was ripped off and was stuck to the transformer
  • the same speaker has its whole cone without any edge foam (the thing that attaches the cone to the frame)
  • some boards are in a V shape, which is strange since they are attached on top with spacers…
  • some LEDs (most) don't work
  • some buttons may or may not work, I don't know since no LEDs are working
  • the reverb tank has lost one spring and I can't find it in the case; the other one was detached and stuck to another speaker magnet…
  • the bass speaker (I think) seems to have some issues and vibrations
  • the flycase has various issues: broken handle, snapped corners, a hinge that does not work as a hinge anymore

But apart from that, it does produce sound; only four or five keys don't work.

So well, lots of work, but still 4 to 7 times cheaper than a “second hand” one that would work perfectly.

The first things I will do, not in order:

  • reseat all cards and clean all contacts
  • dump some EPROMs for preservation
  • look at the PCB issue (it does not cause problems for the moment)
  • look at how to get a schematic (free or paid)
  • check PSU voltages
  • replace some leaky capacitors
  • check and clean all switches
  • check and clean all keys

For the reverb tank it will probably be hard to find the right spring, so I may end up replacing the whole tank.

And now, some pictures:


2017/12/26 00:00 · dashie

How to work-around firefox lack of respect for the CSP specification for CSP reports to Sentry

As stated in https://bugzilla.mozilla.org/show_bug.cgi?id=1192684#c8, Firefox does not follow the specification: its CSP reports lack the effective-directive and status-code fields.

Sentry expects them and rejects the reports because of that.

To work around the issue, I used the nginx Lua module to rewrite the JSON body before it is sent to Sentry's uwsgi backend.

Note: use it at your own risk.

The CSP should contain:

Content-Security-Policy: whatever-you; want;... report-uri https://sentry.sigpipe.me/api/the_project_id/csp-report/?sentry_key=your_key&sentry_version=5

Make sure the module is enabled; on Debian it is something like:

# cat /etc/nginx/modules-enabled/00-mod-http-ndk.conf
load_module modules/ndk_http_module.so;
# cat /etc/nginx/modules-enabled/50-mod-http-lua.conf
load_module modules/ngx_http_lua_module.so;
 
# Makes sure there is:
include /etc/nginx/modules-enabled/*.conf;
# before the http {} directive in /etc/nginx/nginx.conf

I also needed this in /etc/nginx/nginx.conf because the default paths seem wrong:

http {
...
	lua_package_path "/usr/share/lua/5.1/?.lua;;";
	lua_package_cpath '/usr/lib/x86_64-linux-gnu/lua/5.1/?.so;;';
...

Packages needed are:

nginx-extras libnginx-mod-http-lua libnginx-mod-http-ndk lua-cjson

Add the Lua call to the virtual host of your Sentry:

...
	location ~ ^/api/(?<projet>[0-9]+)/csp-report/ {
		access_by_lua_file /etc/nginx/proxy_csp.lua;
		include uwsgi_params;
		uwsgi_pass 127.0.0.1:9000;
	}

	location / {
		include uwsgi_params;
		uwsgi_pass 127.0.0.1:9000;
	}
...

And the most useful file:

/etc/nginx/proxy_csp.lua
-- Sentry rejects CSP reports without effective-directive and status-code,
-- which Firefox leaves out; add them here before the body reaches uwsgi.
if ngx.req.get_method() ~= "POST" then
    return
end

local cjson = require "cjson"

-- Read the body. get_body_data() is nil for an empty body or when nginx spooled
-- it to a temp file (raise client_body_buffer_size if reports get that large).
ngx.req.read_body()
local body = ngx.req.get_body_data()
if not body then
    return
end
--ngx.log(ngx.STDERR, body)

-- Decode defensively: the endpoint is public, and a malformed body must give
-- a 400 rather than a Lua error (which nginx turns into a 500).
local ok, json = pcall(cjson.decode, body)
if not ok or type(json) ~= "table" or type(json["csp-report"]) ~= "table" then
    return ngx.exit(ngx.HTTP_BAD_REQUEST)
end
local report = json["csp-report"]

-- effective-directive: the violated directive's name, i.e. the first token of
-- violated-directive ("script-src 'self'" -> "script-src").
if not report["effective-directive"] then
    local vd = report["violated-directive"]
    local name = type(vd) == "string" and vd:match("^%s*([%w%-]+)") or nil
    report["effective-directive"] = name or "Unknown violation wrong format string"
end

-- status-code: HTTP status of the protected resource; unknown here, assume 200.
if not report["status-code"] then
    report["status-code"] = 200
end

-- Re-encode and replace the request body (nginx updates Content-Length).
ngx.req.set_body_data(cjson.encode(json))
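The same normalisation in Python, as an added example (it is not the page's Lua and not Sentry's own code) that can be run and tested without nginx. The three sample bodies are constructed here: a Firefox-style report missing both fields, a complete report of the kind Chrome sends, and a malformed body, which must yield a 400 rather than a crash. The URLs inside the samples are placeholders.

```python
import json

# Constructed sample reports (not captured from real browsers).
FIREFOX_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "https://cdn.example/x.js",
    "document-uri": "https://sentry.sigpipe.me/",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /api/1/csp-report/",
    "referrer": "",
    "violated-directive": "script-src 'self'",
}}).encode()

CHROME_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "https://cdn.example/x.js",
    "document-uri": "https://sentry.sigpipe.me/",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /api/1/csp-report/",
    "referrer": "",
    "status-code": 200,
    "violated-directive": "script-src 'self'",
}}).encode()

MALFORMED = b'{"csp-report": "not an object"'        # truncated, and the wrong type
FALLBACK = "Unknown violation wrong format string"   # same placeholder as the Lua script


def effective_directive(violated):
    """The directive name is the first token of violated-directive ('script-src')."""
    if isinstance(violated, str):
        tokens = violated.split()
        if tokens:
            return tokens[0]
    return None


def normalize_csp_report(body):
    """Return (status, body_to_forward). A 400 status means: do not forward to Sentry."""
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return 400, None
    if not isinstance(doc, dict) or not isinstance(doc.get("csp-report"), dict):
        return 400, None
    report = doc["csp-report"]
    changed = False
    if "effective-directive" not in report:
        report["effective-directive"] = effective_directive(report.get("violated-directive")) or FALLBACK
        changed = True
    if "status-code" not in report:
        report["status-code"] = 200   # status of the protected resource; unknown, so assume 200
        changed = True
    # Leave a complete report byte-for-byte untouched; only rewrite what Firefox sent.
    return 200, (json.dumps(doc).encode() if changed else body)


def normalized_fields(body):
    """The csp-report object after normalization, or None if the body was rejected."""
    status, out = normalize_csp_report(body)
    return json.loads(out)["csp-report"] if status == 200 else None


if __name__ == "__main__":
    for name, sample in (("firefox", FIREFOX_REPORT), ("chrome", CHROME_REPORT), ("bad", MALFORMED)):
        print(name, normalize_csp_report(sample)[0], normalized_fields(sample))
```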
2017/04/19 00:00 · dashie


start.txt · Last modified: 2016/12/28 23:02 by dashie