leakung (http://www.blogger.com/profile/04829352610971906465), blog feed, last updated 2024-03-25


Pi-hole Mikrotik container (published 2024-03-25)

/system/device-mode/update container=yes

/container config
set registry-url=https://registry-1.docker.io

/interface bridge
add name=Docker

/ip address
add address=10.0.0.1/24 interface=Docker

/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 action=masquerade

/interface veth
add address=10.0.0.12/24 gateway=10.0.0.1 name=veth-pihole

/interface bridge port
add bridge=Docker interface=veth-pihole

/container envs
add key=TZ name=pihole_envs value=Asia/Bangkok
add key=WEBPASSWORD name=pihole_envs value=mypassword
add key=DNSMASQ_USER name=pihole_envs value=root

/container mounts
add dst=/etc/pihole name=pihole-etc src=/pihole/etc-pihole
add dst=/etc/dnsmasq.d name=pihole-dnsmasq src=/pihole/etc-dnsmasq.d

/container
add interface=veth-pihole remote-image=pihole/pihole:latest envlist=pihole_envs mounts=pihole-etc,pihole-dnsmasq start-on-boot=yes logging=yes


cloudflare docker (published 2024-03-22)

container_name: tomcat9-jdk8
network name: tomcat9-jdk8_default
map ports: 8980:8080

Quick Tunnels

# host network
docker run --rm --network host --name cloudflared cloudflare/cloudflared:latest tunnel --url http://127.0.0.1:8980

# container network
docker run --rm --network tomcat9-jdk8_default --name cloudflared cloudflare/cloudflared:latest tunnel --url http://tomcat9-jdk8:8080

with cloudflare account

# host network
public hostname url http://127.0.0.1:8980

docker run -d --rm --network host --name cloudflared cloudflare/cloudflared:latest tunnel --no-autoupdate run --token XXXX

# container network
public hostname url http://tomcat9-jdk8:8080

docker run -d --rm --network tomcat9-jdk8_default --name cloudflared cloudflare/cloudflared:latest tunnel --no-autoupdate run --token XXXX


acme.sh with alias challenge and cloudflare api (published 2024-03-11)

issue domain : domain.tld
alias domain : alias-domain.tld

- set CNAME
_acme-challenge.domain.tld CNAME _acme-challenge.alias-domain.tld

- cloudflare API token with DNS edit permission for the alias-domain.tld zone

acme.sh command

Issue cert
export CF_Token="xxx"
acme.sh --issue --server letsencrypt -k ec-256 --dns dns_cf --challenge-alias alias-domain.tld -d domain.tld --home /home/user/docker/nginx/acme.sh

Install cert
acme.sh --install-cert -d domain.tld --key-file /home/user/docker/nginx/etc-nginx-certs/domain.tld.key --fullchain-file /home/user/docker/nginx/etc-nginx-certs/domain.tld.crt --reloadcmd "docker exec nginx /etc/init.d/nginx reload" --home /home/user/docker/nginx/acme.sh

# renew cert
acme.sh --cron --home /home/user/docker/nginx/acme.sh

acme.sh docker

Issue cert
docker run --rm -it -e CF_Token="xxx" -v /home/user/docker/nginx/acme.sh:/acme.sh neilpang/acme.sh --issue --server letsencrypt -k ec-256 --dns dns_cf --challenge-alias alias-domain.tld -d domain.tld

Install cert
docker run --rm -it -v /home/user/docker/nginx/acme.sh:/acme.sh -v /home/user/docker/nginx/etc-nginx-certs:/etc/nginx/certs neilpang/acme.sh --install-cert -d domain.tld --key-file /etc/nginx/certs/domain.tld.key --fullchain-file /etc/nginx/certs/domain.tld.crt && docker exec -it nginx /etc/init.d/nginx restart

Renew cert
docker run --rm -it -v /home/user/docker/nginx/acme.sh:/acme.sh -v /home/user/docker/nginx/etc-nginx-certs:/etc/nginx/certs neilpang/acme.sh --cron && docker exec -it nginx /etc/init.d/nginx restart


Mikrotik persist route to wireguard server for dynamic wan (published 2024-02-18)

Persist the route to the WireGuard server on a dynamic WAN, for the case where the default route is set via WireGuard.

DHCP client script

:if ($bound=1) do={
 :ip route remove [/ip route find comment="route-wireguard-wan"]
 :ip route add distance=5 gateway=$"gateway-address" dst-address="1.2.3.4/32" scope=30 target-scope=10 comment="route-wireguard-wan"
} else={
 :ip route remove [/ip route find comment="route-wireguard-wan"]
}


Change ubuntu source list to kku mirror (published 2024-02-14)

sed -i "s/th.archive.ubuntu.com/mirror.kku.ac.th/" /etc/apt/sources.list

or

sed -i "s/archive.ubuntu.com/mirror.kku.ac.th/" /etc/apt/sources.list


Mikrotik script change wireguard listen port in case of unable to connect (published 2023-11-20)

Based on RouterOS 7.12
wireguard name : wg1
port range : 13232 - 13239

/system script
add dont-require-permissions=no name=checkWireguard owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local wgName wg1;\r\
    \n:local newPort [:rndstr length=1 from=\"23456789\"];\r\
    \n:local newPort (\"1323\".\$newPort);\r\
    \n\r\
    \n:if ([/interface wireguard get [find name=\$wgName] running] = true) do={\r\
    \n\r\
    \n :local pingResult [/ping count=1 10.10.10.1];\r\
    \n\r\
    \n :if (\$pingResult = 0) do={\r\
    \n\r\
    \n :log warning \"\$wgName connection lost. Changing listen port...\";\r\
    \n\r\
    \n /interface wireguard set [find name=\$wgName] disabled=yes\r\
    \n /interface wireguard set [find name=\$wgName] listen-port=\$newPort;\r\
    \n /interface wireguard set [find name=\$wgName] disabled=no\r\
    \n\r\
    \n :local currentPort [/interface wireguard get [find name=\$wgName] listen-port];\r\
    \n :log warning \"WireGuard \$wgName listen port changed to \$currentPort\";\r\
    \n\r\
    \n }\r\
    \n \r\
    \n}"

/system scheduler
add interval=1m name=checkWireguard on-event=checkWireguard start-time=startup


bind9 DNSSEC key with utimaco HSM (published 2023-11-08)

- ubuntu 20.04
- libssl 1.1.1f

---
apt -y install build-essential

apt -y install libssl-dev pkg-config
export PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig/

wget https://github.com/OpenSC/libp11/releases/download/libp11-0.4.12/libp11-0.4.12.tar.gz
tar -xzf libp11-0.4.12.tar.gz
cd libp11-0.4.12/
./configure --prefix=/usr/local/libp11/
make && make install
export LD_LIBRARY_PATH=/usr/local/libp11/lib/:$LD_LIBRARY_PATH

mkdir -p /opt/utimaco/bin
mkdir -p /opt/utimaco/lib
mkdir /etc/utimaco

cp csadm p11tool2 /opt/utimaco/bin/
chmod +x /opt/utimaco/bin/*
cp ADMIN.key /opt/utimaco/bin/
cp libcs_pkcs11_R3.so /opt/utimaco/lib/
cp cs_pkcs11_R3.cfg /etc/utimaco/

# openssl.conf
openssl_conf = openssl_init

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /opt/utimaco/lib/libcs_pkcs11_R3.so
init = 0

systemctl disable systemd-resolved.service
systemctl stop systemd-resolved
rm /etc/resolv.conf

cat << EOF > /etc/resolv.conf
nameserver 192.168.1.1
EOF

add-apt-repository ppa:isc/bind
apt update
apt -y install bind9

/opt/utimaco/bin/p11tool2 slot=0 Label=bind-hsm Login=ADMIN,/opt/utimaco/bin/ADMIN.key InitToken=ask
/opt/utimaco/bin/p11tool2 slot=0 LoginSO=ask InitPin=ask

/opt/utimaco/bin/p11tool2 slot=0 LoginUser=ask PubKeyAttr=CKA_LABEL="ksk" PrvKeyAttr=CKA_LABEL="ksk" GenerateKeyPair=RSA
/opt/utimaco/bin/p11tool2 slot=0 LoginUser=ask PubKeyAttr=CKA_LABEL="zsk" PrvKeyAttr=CKA_LABEL="zsk" GenerateKeyPair=RSA

/opt/utimaco/bin/p11tool2 slot=0 LoginUser=ask ListObjects

dnssec-keyfromlabel -E pkcs11 -f KSK -a RSASHA256 -l "pkcs11:token=bind-hsm;object=ksk" example.net
dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=bind-hsm;object=zsk" example.net
dnssec-signzone -E pkcs11 -S -o example.net db.example.net


build postfix docker image for mikrotik chr (published 2023-10-27)

- SMTP auth for sending mail
- no mailboxes, only forwarding to another e-mail address

---
Dockerfile
FROM alpine:latest

RUN apk update
RUN apk add bash ca-certificates cyrus-sasl cyrus-sasl-login cyrus-sasl-crammd5 iproute2 mailx postfix postfix-pcre rsyslog supervisor tzdata
RUN rm -rf /tmp/*
RUN rm -rf /var/cache/apk/*

EXPOSE 25/tcp
EXPOSE 587/tcp

COPY ./supervisord.conf /etc/supervisord.conf
COPY ./smtpd.pem /etc/postfix/certs/smtpd.pem
COPY ./docker-entrypoint.sh /docker-entrypoint.sh

RUN chmod +x /docker-entrypoint.sh

ENTRYPOINT ["/docker-entrypoint.sh"]

CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]


---
docker-entrypoint.sh
#!/bin/bash

cp -f /usr/share/zoneinfo/Asia/Bangkok /etc/localtime
echo Asia/Bangkok > /etc/timezone

mkdir -p /var/spool/rsyslog/

cat <<EOF > /etc/rsyslog.conf
module(load="imuxsock")

\$WorkDirectory /var/spool/rsyslog

*.* -/dev/stdout
EOF

mkdir -p /etc/sasl2/

cat <<EOF > /etc/sasl2/smtp.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
log_level: 7
EOF

echo "user@domain.tld forward@gmail.com" >> /etc/postfix/virtual
echo "admin@domain.tld root" >> /etc/postfix/virtual

postmap /etc/postfix/virtual

postconf -e "virtual_alias_maps = lmdb:/etc/postfix/virtual"

postconf -e "mydomain = domain.tld"
postconf -e "myhostname = mail.domain.tld"
postconf -e "mydestination = localhost, \$myhostname, \$mydomain"
postconf -e "inet_interfaces = all"
postconf -e "broken_sasl_auth_clients = yes"

postconf -e "smtp_tls_security_level=may"
postconf -e "smtp_tls_loglevel=1"

postconf -e "smtpd_helo_required = yes"
postconf -e "smtpd_sasl_auth_enable = yes"
postconf -e "smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unauthenticated_sender_login_mismatch, reject_known_sender_login_mismatch, permit_sasl_authenticated, permit"
postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination"
postconf -e "smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination"
postconf -e "smtpd_sasl_authenticated_header = yes"

postconf -e "smtpd_use_tls = yes"
postconf -e "smtpd_tls_auth_only = yes"
postconf -e "smtpd_tls_loglevel = 1"
postconf -e "smtpd_tls_cert_file=/etc/postfix/certs/smtpd.pem"
postconf -e "smtpd_tls_key_file=/etc/postfix/certs/smtpd.pem"
postconf -e "smtpd_tls_CAfile=/etc/postfix/certs/smtpd.pem"

postconf -e "smtputf8_enable = yes"

postconf -M submission/inet="submission inet n - n - - smtpd"
postconf -P "submission/inet/syslog_name=postfix/submission"
postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
postconf -P "submission/inet/smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination"
postconf -P "submission/inet/smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination"

echo password | saslpasswd2 -p -c -u domain.tld username

chown postfix /etc/sasl2/sasldb2

newaliases

exec "$@"


---
smtpd.pem
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

---
supervisord.conf
[supervisord]
nodaemon = true
user = root

[program:rsyslog]
autorestart = true
command = /usr/sbin/rsyslogd -n
priority = 100
process_name = rsyslog
redirect_stderr = true
stdout_logfile = /dev/stdout
stdout_logfile_maxbytes = 0

[program:postfix]
autorestart = true
command = /usr/libexec/postfix/master -c /etc/postfix -d
process_name = postfix
redirect_stderr = true
stdout_logfile = /dev/stdout
stdout_logfile_maxbytes = 0


---
build.sh
#!/bin/bash

docker buildx build -t postfix-alpine:latest .

docker save postfix-alpine:latest > postfix-alpine.tar


---
upload postfix-alpine.tar to chr

/container
add file=postfix-alpine.tar interface=veth-postfix hostname=mail.domain.tld dns=10.10.0.1 logging=yes


secure docker with ufw (published 2023-10-21)

Docker and ufw
Uncomplicated Firewall (ufw) is a frontend that ships with Debian and Ubuntu, and it lets you manage firewall rules. Docker and ufw use iptables in ways that make them incompatible with each other.

When you publish a container's ports using Docker, traffic to and from that container gets diverted before it goes through the ufw firewall settings. Docker routes container traffic in the nat table, which means that packets are diverted before they reach the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.

Docker installs two custom iptables chains named DOCKER-USER and DOCKER, and it ensures that incoming packets are always checked by these two chains first.
These chains are part of the FORWARD chain.


Solving UFW and Docker issues
This solution needs to modify only one UFW configuration file; all Docker configurations and options remain at their defaults.

Modify the UFW configuration file /etc/ufw/after.rules and add the following rules at the end of the file:

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN

-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP

COMMIT
# END UFW AND DOCKER

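To see what the rules above actually let through to a published container port, here is an added Python model (not part of the original post and not code from the chaifeng/ufw-docker project) that walks the DOCKER-USER chain in the same order as the after.rules block and returns the verdict for a packet. RETURN means the packet leaves DOCKER-USER and goes on to Docker's own DOCKER chain, so it is effectively allowed; DROP is the ufw-docker-logging-deny target. The route_allow parameter is an assumption standing in for `ufw route allow` entries, which ufw places in the ufw-user-forward chain; the container address 172.17.0.2 and the sample packets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 ranges used by the after.rules block (source RETURN rules and destination deny rules)
PRIVATE_NETS = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def _is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def docker_user_verdict(src, dst, proto, sport, dport, syn_only=True, route_allow=()):
    """Walk the DOCKER-USER chain top to bottom and return the terminal verdict.

    "RETURN": back to FORWARD, where the DOCKER chain accepts published ports (allowed here).
    "DROP":   ufw-docker-logging-deny (logged with prefix "[UFW DOCKER BLOCK] ", then dropped).
    "ACCEPT": a matching `ufw route allow` rule in ufw-user-forward (assumption: that chain is
              empty unless such rules were added, so it otherwise falls through).
    syn_only models --tcp-flags FIN,SYN,RST,ACK SYN: True for a new connection, False for an
    established flow (ACK set).
    """
    s, d = ip_address(src), ip_address(dst)

    # -A DOCKER-USER -j ufw-user-forward
    for net, allow_proto, allow_port in route_allow:
        if d in ip_network(net) and proto == allow_proto and dport == allow_port:
            return "ACCEPT"

    # -A DOCKER-USER -j RETURN -s 10.0.0.0/8 (and the other two private ranges)
    if _is_private(s):
        return "RETURN"

    # -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN (DNS replies)
    if proto == "udp" and sport == 53 and 1024 <= dport <= 65535:
        return "RETURN"

    # -A DOCKER-USER -j ufw-docker-logging-deny -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -d <private>
    # only new connections are matched; established flows pass to the final RETURN
    if proto == "tcp" and syn_only and _is_private(d):
        return "DROP"

    # -A DOCKER-USER -j ufw-docker-logging-deny -p udp --dport 0:32767 -d <private>
    if proto == "udp" and 0 <= dport <= 32767 and _is_private(d):
        return "DROP"

    # -A DOCKER-USER -j RETURN
    return "RETURN"


# Constructed sample packets (not from the page): a container at 172.17.0.2 publishing tcp/80 and udp/53
SAMPLE_PACKETS = {
    "external syn to container http":
        dict(src="203.0.113.5", dst="172.17.0.2", proto="tcp", sport=51000, dport=80),
    "lan syn to container http":
        dict(src="192.168.1.20", dst="172.17.0.2", proto="tcp", sport=51000, dport=80),
    "external established tcp":
        dict(src="203.0.113.5", dst="172.17.0.2", proto="tcp", sport=51000, dport=80, syn_only=False),
    "external udp query to container dns":
        dict(src="203.0.113.5", dst="172.17.0.2", proto="udp", sport=40000, dport=53),
    "dns reply from upstream resolver":
        dict(src="9.9.9.9", dst="172.17.0.2", proto="udp", sport=53, dport=40000),
    "external udp to high container port":
        dict(src="203.0.113.5", dst="172.17.0.2", proto="udp", sport=40000, dport=40000),
    "external syn, port opened with ufw route allow":
        dict(src="203.0.113.5", dst="172.17.0.2", proto="tcp", sport=51000, dport=80,
             route_allow=(("172.17.0.2/32", "tcp", 80),)),
}


def evaluate_samples():
    """Return {name: verdict} for every constructed sample packet."""
    return {name: docker_user_verdict(**pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:7s} {name}")
```

Two things the walk makes visible: a new TCP connection from a public address to a published port is dropped unless a route allow rule exists, while the same connection from a LAN address returns at the private-source rules; and the UDP deny only covers destination ports 0 to 32767, so unsolicited UDP to a high container port is not blocked by this block and the container's own listening ports decide.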
ref:
https://docs.docker.com/network/packet-filtering-firewalls/
https://github.com/chaifeng/ufw-docker


docker build bind9 (authoritative) alpine for mikrotik container (published 2023-10-21)

# create Dockerfile
FROM alpine:latest

RUN apk add --no-cache bind

RUN cp /etc/bind/named.conf.authoritative /etc/bind/named.conf

RUN sed -i "s/127.0.0.1/any/g" /etc/bind/named.conf

RUN mkdir -p /etc/bind/zone/ && chown named: /etc/bind/zone/

EXPOSE 53/tcp
EXPOSE 53/udp

CMD ["named", "-c", "/etc/bind/named.conf", "-g", "-u", "named"]

# build image
docker buildx build -t bind9-alpine:latest .

# save image
docker save bind9-alpine:latest > bind9-alpine.tar

# upload image to mikrotik
echo 'put bind9-alpine.tar' | sftp user@mikrotik


---
mikrotik

/container config
set registry-url=https://registry-1.docker.io

/interface bridge
add name=Docker

/ip address
add address=10.0.0.1/24 interface=Docker

/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 action=masquerade

/interface veth
add address=10.0.0.10/24 gateway=10.0.0.1 name=veth-bind9

/interface bridge port
add bridge=Docker interface=veth-bind9

/container mounts
add name=bind9 src=/bind9 dst=/etc/bind/

/container
add interface=veth-bind9 file=bind9-alpine.tar mounts=bind9 logging=yes

# start container (check the container number with the print command)
start 0

# shell into container number 0
shell 0

# append zone config to /etc/bind/named.conf
cat >> /etc/bind/named.conf << 'EOF'
zone "domain.tld" IN {
 type master;
 file "/etc/bind/zone/db.domain.tld";
};
EOF

# create zone file db.domain.tld
cat > /etc/bind/zone/db.domain.tld << 'EOF'
$TTL 3600
$ORIGIN domain.tld.
@ SOA ns1.domain.tld. dns.domain.tld. (
 2023102100 ; Serial
 28800 ; Refresh
 7200 ; Retry
 604800 ; Expire
 7200 ) ; Minimum

 NS ns1.domain.tld.

 MX 10 mail.thnic.co.th.

 A 10.0.0.10
www A 10.0.0.10
ns1 A 10.0.0.10
EOF

# reconfig bind
rndc reconfig


proxmox install openwrt 23.05 (published 2023-10-15)

---
proxmox shell

curl -fsSL https://downloads.openwrt.org/releases/23.05.0/targets/x86/64/openwrt-23.05.0-x86-64-generic-ext4-combined.img.gz | gunzip -c > openwrt.raw

or

wget -O - https://downloads.openwrt.org/releases/23.05.0/targets/x86/64/openwrt-23.05.0-x86-64-generic-ext4-combined.img.gz | gunzip -c > openwrt.raw

qemu-img resize -f raw openwrt.raw 512M

mkdir /var/lib/vz/images/770

qemu-img convert -f raw -O qcow2 openwrt.raw /var/lib/vz/images/770/vm-770-disk-0.qcow2

chmod 540 /var/lib/vz/images/770/vm-770-disk-0.qcow2

qm create 770 --name OpenWrt --ostype l26 --cpu host --sockets 1 --cores 1 --memory 1024 --net0 virtio,bridge=vmbr1 --net1 virtio,bridge=vmbr0 --onboot yes --virtio0 local:770/vm-770-disk-0.qcow2

qm start 770

---
OpenWrt console

passwd

ip a

uci set firewall.@zone[1].input='ACCEPT'

uci commit

service firewall reload


Mikrotik set NTP Client (published 2023-10-02)

/system ntp client servers add address=0.pool.ntp.org
/system ntp client servers add address=clock.nectec.or.th
/system ntp client servers add address=203.159.70.33

/system ntp client set enabled=yes


nginx docker with certbot docker (Let's Encrypt) (published 2023-10-02)

docker-compose.yaml
  image: nginx:latest
  container_name: nginx
  volumes:
    - ./tmp-acme_challenge:/tmp/acme_challenge
    - ./etc-letsencrypt:/etc/letsencrypt:ro
    - ./default.conf:/etc/nginx/conf.d/default.conf

default.conf

  location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /tmp/acme_challenge;
  }

  ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

# issue Let's Encrypt
docker run -it --rm -v /home/user/docker/nginx/etc-letsencrypt:/etc/letsencrypt -v /home/user/docker/nginx/tmp-acme_challenge:/tmp/acme_challenge certbot/certbot certonly --expand --webroot -w /tmp/acme_challenge --text --agree-tos --no-eff-email --email me@domain.tld --verbose --keep-until-expiring --preferred-challenges=http -d domain.tld -d www.domain.tld

# renew cert
docker run -it --rm -v /home/user/docker/nginx/etc-letsencrypt:/etc/letsencrypt -v /home/user/docker/nginx/tmp-acme_challenge:/tmp/acme_challenge certbot/certbot renew

reference
- https://eff-certbot.readthedocs.io/en/stable/install.html#running-with-docker


Greenbone Community Containers 22.4 (published 2023-09-29)

curl -fsSL get.docker.com | sh

sudo usermod -aG docker $USER

mkdir greenbone && cd greenbone

curl -fsSL https://greenbone.github.io/docs/latest/_static/docker-compose-22.4.yml -o docker-compose.yml

docker compose up -d

docker compose exec -u gvmd gvmd gvmd --user=admin --new-password=<password>

https://greenbone.github.io/docs/latest/22.4/container/index.html


nginx docker with hosted acme.sh (Let's Encrypt & ZeroSSL) (published 2023-09-26)

curl https://get.acme.sh | sh -s email=me@domain.tld

docker-compose.yaml
  image: nginx:latest
  container_name: nginx
  volumes:
    - ./etc-nginx-certs/:/etc/nginx/certs/
    - ./tmp-acme_challenge:/tmp/acme_challenge
    - ./default.conf:/etc/nginx/conf.d/default.conf

default.conf

  location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /tmp/acme_challenge;
  }

  ssl_certificate /etc/nginx/certs/domain.tld.crt;
  ssl_certificate_key /etc/nginx/certs/domain.tld.key;

# issue Let's Encrypt
acme.sh --issue --server letsencrypt -d domain.tld -d www.domain.tld -w /home/user/docker/nginx/tmp-acme_challenge --home /home/user/docker/nginx/acme.sh

# issue ZeroSSL
acme.sh --register-account -m me@domain.tld --issue -d domain.tld -d www.domain.tld -w /home/user/docker/nginx/tmp-acme_challenge --home /home/user/docker/nginx/acme.sh

# install cert
acme.sh --install-cert -d domain.tld --home /home/user/docker/nginx/acme.sh --key-file /home/user/docker/nginx/etc-nginx-certs/domain.tld.key --fullchain-file /home/user/docker/nginx/etc-nginx-certs/domain.tld.crt --reloadcmd "docker exec nginx /etc/init.d/nginx reload"

# renew cert
acme.sh --cron --home /home/user/docker/nginx/acme.sh

reference
- https://github.com/acmesh-official/acme.sh


K3S install with Rancher Helm Chart (published 2023-09-25)

---
SRV01

curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=v1.26.9+k3s1 K3S_KUBECONFIG_MODE=644 sh -

curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

kubectl create namespace cattle-system

helm repo add jetstack https://charts.jetstack.io

helm repo update

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.crds.yaml

kubectl config view --raw > ~/.kube/config

chmod 600 ~/.kube/config

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.13.0

helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=rancher.my.org \
  --set bootstrapPassword=admin

kubectl -n cattle-system rollout status deploy/rancher

kubectl -n cattle-system get deploy rancher

sudo cat /var/lib/rancher/k3s/server/token

---
SRV02

curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=v1.26.9+k3s1 K3S_URL=https://<SRV01>:6443 K3S_TOKEN=<SRV01_TOKEN> sh -


Mikrotik container + adguard home v0.107.29 (latest) (published 2023-04-28)

Mikrotik v7.8
AdGuard Home v0.107.29 (latest)

Pulling the image from https://registry-1.docker.io fails with "error response getting manifests: 404".

Import the image from a PC instead (both the PC and the CHR use amd64):

$ docker pull adguard/adguardhome:latest
$ docker save adguard/adguardhome:latest -o adguard_home_0_107_29.tar

upload adguard_home_0_107_29.tar to your CHR

Create mount volumes to keep the config and data across image upgrades:
/container mounts
add dst=/opt/adguardhome/work name=adguard-work src=/adguard/work
add dst=/opt/adguardhome/conf name=adguard-conf src=/adguard/conf

/container
add file=adguard_home_0_107_29.tar interface=veth-adguard mounts=adguard-conf,adguard-work start-on-boot=yes logging=yes


proxmox anywhere with mikrotik chr (published 2023-04-04)

Scenario
- mini pc with 1 NIC
- proxmox CE
- mikrotik CHR
- cloudflare tunnel

1. Install proxmox with a static ip on the existing network (192.168.80.20/24)

Network Device : enp1s0
Linux Bridge : vmbr0

/etc/network/interfaces
iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet static
 address 192.168.80.20/24
 gateway 192.168.80.1
 bridge-ports enp1s0
 bridge-stp off
 bridge-fd 0

2. Add vmbr1 as LAN (10.80.0.20/24) and set vmbr0 as WAN

/etc/network/interfaces
iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet static
 address 192.168.80.20/24
 gateway 192.168.80.1
 bridge-ports enp1s0
 bridge-stp off
 bridge-fd 0
#WAN

auto vmbr1
iface vmbr1 inet static
 address 10.80.0.20/24
 bridge-ports none
 bridge-stp off
 bridge-fd 0
#LAN

3. Install Mikrotik CHR

ether1 : vmbr0 (dhcp client)
ether2 : vmbr1 (10.80.0.1/24)
masquerade out-interface ether1

4. Install cloudflare tunnel via the proxmox node shell

Add public hostname with service https://10.80.0.20:8006 for proxmox
Add public hostname with service http://10.80.0.1 for mikrotik CHR

5. Change the proxmox default gateway to vmbr1

/etc/network/interfaces
iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet static
 address 192.168.80.20/24
 bridge-ports enp1s0
 bridge-stp off
 bridge-fd 0
#WAN

auto vmbr1
iface vmbr1 inet static
 address 10.80.0.20/24
 gateway 10.80.0.1
 bridge-ports none
 bridge-stp off
 bridge-fd 0
#LAN

6. Access proxmox with the public hostname

7. Install other proxmox guests on vmbr1 and access them with public hostnames


Mikrotik CHR on ReadyIDC cloud (published 2023-03-24)

ACTIONS -> OPTIONS -> Rebuild virtual server
select CentOS

ACTIONS -> POWER -> Reboot in Recovery

sudo yum install unzip

mount -t tmpfs tmpfs /tmp/

cd /tmp

wget https://download.mikrotik.com/routeros/7.8/chr-7.8.img.zip

unzip chr-7.8.img.zip

dd if=chr-7.8.img of=/dev/vda bs=4M oflag=sync

mkdir /media/vda1

mount /dev/vda1 /media/vda1

mkdir -p /media/vda1/boot/grub2/

vi /media/vda1/boot/grub2/grub.cfg

setparams 'Grub 2'
set root=(hd0,msdos1)
chainloader +1

sync

umount /dev/vda1

echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger

ACTIONS -> POWER -> Reboot Virtual Server

----- restore rsc and enable container ------

ip address add address=192.168.80.99/24 interface=ether1

ip route add gateway=192.168.80.1

system reset-configuration no-default=no skip-backup=yes keep-user=no

system backup load name=chr-back-20230323.backup

system device-mode update container=yes

ACTIONS -> POWER -> Shut Down Virtual Server
select Power OFF


Mikrotik container + adguard + uptime kuma (published 2023-02-17)

Mikrotik v7.7

AdGuard Home versions newer than this one fail with an error.

/system/device-mode/update container=yes

/container config
set registry-url=https://registry-1.docker.io

/interface bridge
add name=Docker

/ip address
add address=10.0.0.1/24 interface=Docker

/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 action=masquerade

/interface veth
add address=10.0.0.10/24 gateway=10.0.0.1 name=veth-adguard

/interface bridge port
add bridge=Docker interface=veth-adguard
/>/container<br />add interface=veth-adguard remote-image=adguard/adguardhome:v0.107.23 start-on-boot=yes logging=yes<br /><br />/interface veth<br />add address=10.0.0.11/24 gateway=10.0.0.1 name=veth-uptimekuma<br /><br />/interface bridge port<br />add bridge=Docker interface=veth-uptimekuma<br /><br />/container mounts<br />add dst=/app/data name=uptimekuma src=/kuma_data<br /><br />/container<br />add interface=veth-uptimekuma mounts=uptimekuma remote-image=louislam/uptime-kuma start-on-boot=yes logging=yes<br /><br />sftp to remove kuma_data/.type after first start</div>leakunghttp://www.blogger.com/profile/04829352610971906465noreply@blogger.comtag:blogger.com,1999:blog-3178014616907256078.post-14057298868131089872023-02-13T02:03:00.002+07:002023-02-16T21:19:15.466+07:00docker-composer :: php mysql phpmyadmin<div style="text-align: left;"> ubuntu 22.04<br /><br /></div><div style="text-align: left;">file structure</div><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><div style="text-align: left;">docker-composer.yaml</div><div style="text-align: left;">www/Dockerfile</div><div style="text-align: left;">www/html/index.php</div><div style="text-align: left;">mysql/dbdata/</div></blockquote><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;">$ sudo apt update && sudo apt -y upgrade</div><div style="text-align: left;">$ sudo apt install docker-compose docker.io -y</div><div style="text-align: left;"><br /></div><div style="text-align: left;">$ vi docker-compose.yaml</div><div style="text-align: left;"><div>version: "3.8"</div><div>services:</div><div><br /></div><div> www:</div><div> build:</div><div> context: ./www</div><div> dockerfile: Dockerfile</div><div> depends_on:</div><div> - db</div><div> volumes:</div><div> - ./www/html:/var/www/html/</div><div> ports:</div><div> - "8080:80"</div><div> networks:</div><div> - my-network</div><div><br 
/></div><div> db:</div><div> image: mysql:latest</div><div> environment:</div><div> MYSQL_ROOT_PASSWORD: xxxxxxxxx</div><div> volumes:</div><div> - ./mysql/dbdata:/var/lib/mysql/</div><div> ports:</div><div> - "3306:3306"</div><div> networks:</div><div> - my-network</div><div><br /></div><div> phpmyadmin:</div><div> image: phpmyadmin/phpmyadmin:latest</div><div> depends_on:</div><div> - db</div><div> environment:</div><div> PMA_HOST: db</div><div> ports:</div><div> - "8081:80"</div><div> networks:</div><div> - my-network</div><div><br /></div><div>networks:</div><div> my-network:</div><div><br /></div><div><br /></div><div>$ vi www/Dockerfile</div><div><div>FROM php:8.2-apache</div><div><div><br /></div><div>ENV TZ=Asia/Bangkok</div><div>RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone</div><div><br /></div><div>RUN printf '[PHP]\ndate.timezone = "Asia/Bangkok"\n' > /usr/local/etc/php/conf.d/tzone.ini</div></div><div><br /></div><div>RUN docker-php-ext-install mysqli && docker-php-ext-enable mysqli</div><div>RUN apt-get update && apt-get upgrade -y</div></div><div><br /></div><div>$ sudo docker-compose up -d</div></div><div style="text-align: left;"><br /></div>leakunghttp://www.blogger.com/profile/04829352610971906465noreply@blogger.comtag:blogger.com,1999:blog-3178014616907256078.post-43626769492658547942023-02-03T15:28:00.003+07:002023-02-03T15:33:03.556+07:00PHP Cloudflare Turnstile<div style="text-align: left;"><div>Turnstile is Cloudflare’s smart CAPTCHA alternative.</div><div><br /></div><div>https://www.cloudflare.com/products/turnstile/</div><div><br /></div></div><div style="text-align: left;"><?php</div><div style="text-align: left;"><div>if (isset($_POST["cf-turnstile-response"])) {</div><div><br /></div><div> $captcha = $_POST['cf-turnstile-response'];</div><div> $secretKey = "__Secret_Key__";</div><div> $ip = $_SERVER['REMOTE_ADDR'];</div><div> $url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';</div><div> 
$data = array('secret' => $secretKey, 'response' => $captcha, 'remoteip' => $ip);</div><div><br /></div><div> $curl = curl_init();</div><div> curl_setopt($curl, CURLOPT_URL, $url);</div><div> curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);</div><div> curl_setopt($curl, CURLOPT_TIMEOUT, 10);</div><div> curl_setopt($curl, CURLOPT_POST, true);</div><div> curl_setopt($curl, CURLOPT_POSTFIELDS, $data);</div><div> $curlData = curl_exec($curl);</div><div> curl_close($curl);</div><div> </div><div> $result = json_decode($curlData, true);</div><div> </div><div> if (intval($result["success"]) == 1) {</div><div> echo "success";</div><div> exit();</div><div> } else {</div><div> echo "error";</div><div> exit();</div><div> }</div><div>}</div><div>?></div><div><!DOCTYPE html></div><div><html lang="en"></div><div> <head></div><div> <title>Test Turnstile</title></div><div> <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script></div><div> </head></div><div> <body></div><div> <form method="POST" action=""></div><div> <div></div><div> <!-- The following line controls and configures the Turnstile widget. --></div><div> <div class="cf-turnstile" data-sitekey="__Site_Key__" data-theme="light"></div></div><div> <!-- end. 
--></div><div> </div></div><div> <button type="submit">Sign in</button></div><div> </form></div><div> </body></div><div></html></div></div>leakunghttp://www.blogger.com/profile/04829352610971906465noreply@blogger.comtag:blogger.com,1999:blog-3178014616907256078.post-90800167430668013472023-01-26T23:07:00.001+07:002023-01-26T23:07:22.012+07:00Mikrotik load balance with recursive route<div style="text-align: left;">RouterOS7</div><div style="text-align: left;"><br />ehter1 : 192.168.1.x/24<br />ether2 : 192.168.2.x/24<br />LAN : 192.168.25.1/24<br /><br /></div><div style="text-align: left;">ether1 ping check : 1.0.0.1<br />ether2 ping check : 8.8.4.4<br /><br /></div><div style="text-align: left;">/ip firewall mangle<br />add action=accept chain=prerouting dst-address=192.168.1.0/24<br />add action=accept chain=prerouting dst-address=192.168.2.0/24<br />add action=accept chain=prerouting dst-address=192.168.25.0/24<br />add action=mark-connection chain=input in-interface=ether1 new-connection-mark=wan1_input passthrough=yes<br />add action=mark-connection chain=input in-interface=ether2 new-connection-mark=wan2_input passthrough=yes<br />add action=mark-routing chain=output comment="WAN1 Input" connection-mark=wan1_input new-routing-mark=WAN1 passthrough=no<br />add action=mark-routing chain=output comment="WAN2 Input" connection-mark=wan2_input new-routing-mark=WAN2 passthrough=no<br />add action=mark-connection chain=prerouting in-interface=ether1 new-connection-mark=wan1_conn passthrough=yes<br />add action=mark-connection chain=prerouting in-interface=ether2 new-connection-mark=wan2_conn passthrough=yes<br />add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=br-lan new-routing-mark=WAN1 passthrough=no<br />add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=br-lan new-routing-mark=WAN2 passthrough=no<br />add action=mark-connection chain=prerouting comment=4/0 dst-address-type=!local in-interface=br-lan 
new-connection-mark=wan1_lb passthrough=yes per-connection-classifier=both-addresses:4/0<br />add action=mark-connection chain=prerouting comment=4/1 dst-address-type=!local in-interface=br-lan new-connection-mark=wan2_lb passthrough=yes per-connection-classifier=both-addresses:4/1<br />add action=mark-connection chain=prerouting comment=4/2 dst-address-type=!local in-interface=br-lan new-connection-mark=wan1_lb passthrough=yes per-connection-classifier=both-addresses:4/2<br />add action=mark-connection chain=prerouting comment=4/3 dst-address-type=!local in-interface=br-lan new-connection-mark=wan2_lb passthrough=yes per-connection-classifier=both-addresses:4/3<br />add action=mark-routing chain=prerouting connection-mark=wan1_lb in-interface=br-lan new-routing-mark=WAN1 passthrough=no<br />add action=mark-routing chain=prerouting connection-mark=wan2_lb in-interface=br-lan new-routing-mark=WAN2 passthrough=no<br /><br /></div><div style="text-align: left;">/queue simple<br />add dst=ether1 limit-at=1M/1M max-limit=10M/10M name=wan1 queue=pcq-upload-default/pcq-download-default target=192.168.25.0/24<br />add dst=ether2 limit-at=1M/1M max-limit=10M/10M name=wan2 queue=pcq-upload-default/pcq-download-default target=192.168.25.0/24<br /><br /></div><div style="text-align: left;">/ip route<br />add distance=1 dst-address=1.0.0.1/32 gateway=192.168.1.1 routing-table=main scope=10<br />add distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1 routing-table=main scope=10<br />add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=main target-scope=30<br />add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-table=main target-scope=30<br />add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=WAN1 target-scope=30<br />add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-table=WAN2 
target-scope=30</div>leakunghttp://www.blogger.com/profile/04829352610971906465noreply@blogger.comtag:blogger.com,1999:blog-3178014616907256078.post-44597377499958085362022-12-25T03:45:00.000+07:002022-12-25T03:45:00.503+07:00Kali Linux TP-Link TP-W772N V.4<div style="text-align: left;">Kali Linux 2022.4</div><div style="text-align: left;">rtl8188eus v5.3.9</div><div style="text-align: left;"><br /></div><div style="text-align: left;"># apt update && apt -y upgrade<br /># apt install bc<br /># apt install linux-headers-$(uname -r)<br /># apt install dkms<br /># rmmod r8188eu.ko<br /># echo "blacklist r8188eu" >> "/etc/modprobe.d/realtek.conf"<br /># reboot<br /># git clone https://github.com/aircrack-ng/rtl8188eus<br /># cd rtl8188eus<br /># sed -i 's/$(srctree)\/$(src)/$(pwd)\/$(src)/'g Makefile<br /># make<br /># make install <br /># modprobe 8188eu</div>leakunghttp://www.blogger.com/profile/04829352610971906465noreply@blogger.comtag:blogger.com,1999:blog-3178014616907256078.post-6443310116764287672022-12-20T04:40:00.004+07:002022-12-25T12:15:09.525+07:00Mikrotik script :: Add default route to wireguard for dynamic wan ip<div style="text-align: left;">RouterOS7</div><div style="text-align: left;"><br />wireguard server public ip 10.0.0.1<br />wireguard server private ip 192.168.0.1</div><div style="text-align: left;"><br />/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1 scope=10 check-gateway=ping</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Change dhcp-client "Default Route Distance" to 5 <br />#### script dhcp-client</div><div style="text-align: left;"><br />:if ($bound=1) do={<span> </span></div><div style="text-align: left;"><span> </span>/ip route remove [/ip route find comment="route-wireguard-wan"]</div><div style="text-align: left;"><span> </span>/ip route add gateway=$"gateway-address" dst-address="10.0.0.1" scope=10 comment="route-wireguard-wan"<br />} else={<br /><span> </span>/ip route remove [/ip route find 
comment="route-wireguard-wan"]<br />}</div>leakunghttp://www.blogger.com/profile/04829352610971906465noreply@blogger.com