LTE Failover using pfSense

I was out of town this past week on travel to IT Nation for work when the worst wind storm of our two-years in Maine rolled through knocking down at least a dozen trees on our property; two very narrowly missing our back shed!

Seeing as we lose power (and internet) when a moose-fly farts, the lines didn’t stand a chance against the 50-60mph gusts that battered last Thursday and Friday. While we do have a Generac automatic standby generator, that only handles power. Telling our 2-year old that Blippi and Cocomelon won’t work is quite possibly the most assured method to muster Beelzebub himself; so it became necessary to ensure we stay online, too!

The process for setting up Gateway Failover, as it’s properly called, in pfSense is pretty straightforward. The setup is only really complicated when you chase your tail for 3 days looking for an issue only to find your LTE carrier has disallowed modems and tethering.

Interface Setup

Nothing special to note here. I am using a Netgear LB1121 and have the ethernet cable plugged into OPT1 of my SG-3100. The LB1121 is set to Bridge Mode. Once the ethernet cable is plugged into OPT1, the interface will become available. Add it to pfSense and give it a descriptive name.

System>Routing>Gateways> Add or edit the new LTE gateway, as needed.

System>Routing>Gateway Groups>Add

I have had success by enabling “flush states” when the gateway changes from System> Advanced> Miscellaneous> Gateway Monitoring.

Then it’s just a matter of editing the default firewall rule to append the new Gateway_Group. Edit> Advanced>Gateway.

Running APCUPSD and pfSense

APCUPSD has been my preferred UPS monitoring and controller software for many years. I’ve run it on everything from dedicated Raspberry Pi’s to VMs to on my desktop and now baked directly in pfSense.

Seeing as pfSense is plugged into my “backbone” UPS which also provides redundancy and filtering for my surveillance system and PoE switch, it only makes sense to have apcupsd, by way of pfSense, handle power-outage control. I have my UPS SMT1500RM2U plugged via USB-A cable into my Netgate SG-3100 USB-B running pfSense.

Install apcupsd

If you’re here looking for instructions on how to install a package in pfSense, you’re at the wrong spot on the internet.

Install apcupsd.

Configure apcupsd


Ubuntu 18.04 in Azure – Pt. 5: WordPress

The piece de resistance of this series has arrived! With all of the prerequisites met for WordPress and my own tinfoiled-hat nature, it’s time to let our hair down, throw caution to the wind, and install the most exploited (yet allegedly secure) blogging platform on the planet!

Based on my research, it’s largely older and unpatched instances that are exploited or ones heavily laden with every plugin available both helpful and unnecessary. Also, having unique credentials created for each and every login will help in the event that one of the few plugins I do use is hacked and those credentials pilfered.

…on a somewhat related note, isn’t pilfered a great word!?

mysql -u root -p
Provide the root password created during MySQL install previously.
mysql> CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
mysql> GRANT ALL ON wordpress.* TO ‘<uniquewordpressusername>’@’localhost’ IDENTIFIED BY ‘<uniqueWPpassword>’;
mysql> EXIT;

Install PHP extensions needed by WordPress
sudo apt install php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip
sudo systemctl restart apache2

sudo nano /etc/apache2/sites-available/<yourdomain>.conf
Add in the following lines:
<Directory /var/www/<yourdomain>/>
AllowOverride All

sudo a2enmod rewrite
sudo systemctl restart apache2

Ok…so I lied before! Now it’s time to install WordPress!

cd /tmp
curl -O
tar xzvf latest.tar.gz
touch /tmp/wordpress/.htaccess
cp /tmp/wordpress/wp-config-sample.php /tmp/wordpress/wp-config.php
mkdir /tmp/wordpress/wp-content/upgrade
sudo cp -a /tmp/wordpress/. /var/www/<yourdomain>
sudo chown -R www-data:www-data /var/www/<yourdomain>
sudo find /var/www/<yourdomain>/ -type d -exec chmod 750 {} \;
sudo find /var/www/<yourdomain> -type f exec chmod 640 {} \;

curl -s
Make a note of the provided unique values. They are one-time use and should not be shared. If you do not make a note of the values, re-run the command and be sure to copy the values somewhere safely for transcribing next.

sudo nano /var/www/<yourdomain>/wp-config.php
Find the section that contains the dummy values for the unique values provided previously and replace them accordingly.
While in the same wp-config.php file, replace the database connection settings as appropriate.

Now, with everything configured, it is time to complete the install from the WebUI.
Navigate to https://<yourdomain> and the installer wizard will proceed automatically.

This concludes the setup “instructions” for the Azure instance currently running this blog. Total cider count in writing all segments in one sitting: 3. Currently enjoying Downeast Cider. Between the Original Unfiltered, Double Filtered, and the seasonal White I am definitely enjoying myself!

Ubuntu 18.04 in Azure – Pt. 4: SSL & Let’s Encrypt

Create an A record with <yourdomain> pointing to your server’s public IP address.
Create an A record with www.<yourdomain> pointing to your server’s public IP address.
Depending on the speed of your provider, replication of these changes to the global DNS roots may take some time to complete.

sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-apache

DNS replication from above must be complete and verified before progressing. I recommend running a simple ping <yourdomain> to see if it returns the public IP of your server. Once it does, continue.
sudo certbot –apache -d <your domain> -d www.<yourdomain>
Fill out the field as prompted through the wizard. If everything is set properly, the HTTPS certificate will be created.
I recommend redirecting HTTP to HTTPS because, why not?

Verify automated certificate renewal is working:
sudo certbot renew –dry-run

If everything completes without errors, we’re done and the certificate is in-place!

Ubuntu 18.04 in Azure – Pt. 3: Virtual Hosts

Create a new directory.
sudo mkdir /var/www/<yourdomain>
sudo chown -R $USER:$USER /var/www/<yourdomain>

Make a placeholder webpage in HTML.
sudo nano /var/www/<yourdomain>/index.html
<title>Welcome to Your_Domain!</title>
<h1> Success! The your_domain server block is working!</h1>

Make a new Apache configuration file.
sudo nano /etc/apache2/sites-available/<yourdomain>.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName <yourdomain>
ServerAlias www.<yourdomain>
DocumentRoot /var/www/<yourdomain>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

sudo a2ensite <yourdomain>.conf
sudo a2dissite 000-default.conf
sudo systemctl restart apache2

Ubuntu 18.04 in Azure – Pt. 2: LAMP

Now that we’re sufficiently protected from all the bad h4x0r5 in the world, it’s time to install Apache, MySQL, and PHP for our upcoming (and obviously already completed) WordPress install.

sudo apt install apache2 -y
sudo ufw allow in “Apache Full”

Be sure, at this point, to create a firewall rule in Azure> Networking to enable inbound communication on 80 and 443.

Once Apache is installed and allowed to communicate, it is time to install MySQL.

sudo apt install mysql-server -y
sudo mysql_secure_installation
Create applicable password as prompted.
Press Y and <enter> for remaining prompts.
sudo mysql
mysql> ALTER user ‘root’@’localhost’ IDENTIFIED WITH mysql_native_password BY ‘<new very secure password>’
mysql> exit

Last but not least, time to install PHP.

sudo apt install php libapache2-mod-php php-mysql
Move index.php to the first position after DirectoryIndex within /etc/apache2/mods-enabled/dir.conf
<IfModule mod_dir.c>
index.php index.html index.cgi index.xhtml index.htm

sudo systemctl restart apache2

FIN. I love LAMP.

Image result for I love LAMP

Ubuntu 18.04 in Azure – Pt. 1: Setup and A/V

Getting this server running this blog I’m typing on now was the culmination of a few different blogs scattered around the good ol’ interwebz. This will be my combination of the steps to achieve where I am today.

Step 1 – Create Azure VM

Not going to spoonfeed creating a virtual machine in Azure. There are plenty of other blogs around for that.

This VM is using the default recommendation of 2vCPU, 8GB of RAM with 30GB HDD. I did select HDD to help reduce costs for the VM seeing as it is just a blog, largely static.

I selected Ubuntu 18.04 as the OS to install and allowed SSH, 22, inbound from everywhere initially using the Setup Wizard.

Rather than mess with IP-based access rules, since I am on a dynamic IP, I choose to just disable SSH whenever I am not actively using it. This also helps to completely eliminate brute-force risks.

As another tinfoil-hat-esque security measure, create a custom non-root username that is equally difficult to guess as its password; assuming you’re not using certificate-based SSH.

Step 2 – Update Ubuntu 18.04

In true Microsoft fashion, like Windows 10 telling you “looking for updates…installing updates” then greeting you with a Feature Update on first boot, a new Ubuntu 18.04 server still requires updates. Run the obligatory sudo apt update && upgrade -y command and let it run. Go grab a coffee…or a cider!

Downeast Original Blend Cider

Step 3 – Install A/V

Seeing as I do work for ESET, and they are the ones footing the bill for this Azure instance, I would be remiss if I did not install our newest release for testing. That way I can say these resource I’m hogging for my new, top-of-the-charts blog are “for research purposes”. #GameTheSystemKids

chmod +x ./
sudo ./ \
–skip-license \
–hostname=<ESMC FQDN Here> or <ESMC IP Here>
–port=2222 (default, change accordingly) \
–webconsole-user=Username \
–webconsole-password=Password \
–webconsole-port=2223 (default, change accordingly)

If all values are correct, confirm the server-provided certificate and complete the install of the management agent.

Since ESET File Security for Linux 7.x is not yet released to the installation repository, we must install it manually.
chmod +x ./efs.x86_64.bin
sudo ./efs.x86_64.bin

Complete the install as prompted. Make note of the provided Username:Password combination at completion of install. Due to a known issue, the password cannot be changed by policy so definitely make a note of it. The password can be changed locally within the WebUI after install but you need that initial password for first-time login.

That’s it for Part 1.

It’s not talking to yourself if it’s a BLOG!

In an effort to organize, categorize, and get a general handle on the litany of notepad, notepad++, and cherrytree documents floating around my computer, hard drives, and cloud storage.

Any homelabber will know the woes of those drunken Friday night experiments that go largely undocumented or, if documented, don’t make a damn lick of sense.

This platform will serve more to publicize those drunken ramblings rather than make them clearer. So if you’re hoping to use this as a resource, I recommend taking an evening drink (or two) and then see if it makes more sense!

Enjoy! And cheers!