My Wiki!

VWS Subnet

Local folder: /home/dang/data/mydirectory/mywork/dailabor/00–current/00daipjsactual/01tubcloud555GHealth/Workplan/vws_vpn

1. pfSense on APU 2 box

  • APU box
    • Hostname: vws-gw
    • Tubit DHCP dai-vws-gw.extern.tu-berlin.de - 141.23.26.226
    • WAN: near serial port: ether 00:0d:b9:44:dc:0c
    • localNet: middle ether 00:0d:b9:44:dc:0d
    • Tubit data port no. 10 (ports 7 and 9 are defective).

Subnet: 141.23.26.224

Gateway: 141.23.26.225

Netmask: 255.255.255.248
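The WAN block above is given as a network address plus a dotted netmask, and the rest of the page adds several RFC 1918 prefixes (5G core, remote site, two tunnels). The following is an added sanity check, not part of the original wiki page: it derives the /29 from the netmask, verifies that gateway and vws-gw fall inside it and are not the network or broadcast address, lists the usable addresses, and checks that none of the routed prefixes overlap (overlapping prefixes make the OpenVPN "route" lines ambiguous). The tunnel prefixes 192.168.126.0/30 and 172.17.1.0/24 are assumptions derived from the ifconfig lines further down, not values stated on the page.

```python
import ipaddress
from itertools import combinations

# WAN address plan as written on this page.
WAN_NETWORK = "141.23.26.224"
WAN_NETMASK = "255.255.255.248"
WAN_GATEWAY = "141.23.26.225"
WAN_HOST = "141.23.26.226"          # vws-gw WAN address

# Prefixes that appear elsewhere on the page; the two tunnel prefixes are
# assumptions derived from the ifconfig lines, not stated on the page.
SITE_NETWORKS = {
    "dai-5g-core": "192.168.124.0/24",
    "vws-remote": "192.168.125.0/24",
    "tunnel-dai": "192.168.126.0/30",   # assumed from ifconfig 192.168.126.2 192.168.126.1
    "tunnel-users": "172.17.1.0/24",    # assumed from ifconfig 172.17.1.1
}


def subnet_from_mask(network: str, netmask: str) -> ipaddress.IPv4Network:
    """Combine a network address and dotted netmask into a /prefix network.

    strict=True raises if the address has host bits set, i.e. if the
    'network' written on the page is not actually the start of the block."""
    return ipaddress.ip_network(f"{network}/{netmask}", strict=True)


def check_wan_assignment(network, netmask, gateway, host):
    """Return a list of problems with the gateway/host assignment (empty if sane)."""
    net = subnet_from_mask(network, netmask)
    gw = ipaddress.ip_address(gateway)
    h = ipaddress.ip_address(host)
    problems = []
    for label, addr in (("gateway", gw), ("host", h)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address of {net}")
    if gw == h:
        problems.append("gateway and host share the same address")
    return problems


def usable_hosts(network, netmask):
    """All assignable addresses of the block (network and broadcast excluded)."""
    return [str(a) for a in subnet_from_mask(network, netmask).hosts()]


def find_overlaps(networks: dict):
    """Return name pairs whose prefixes overlap."""
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    return [
        (a, b) for (a, na), (b, nb) in combinations(parsed.items(), 2)
        if na.overlaps(nb)
    ]


if __name__ == "__main__":
    print(subnet_from_mask(WAN_NETWORK, WAN_NETMASK))
    print(usable_hosts(WAN_NETWORK, WAN_NETMASK))
    print(check_wan_assignment(WAN_NETWORK, WAN_NETMASK, WAN_GATEWAY, WAN_HOST))
    print(find_overlaps({**SITE_NETWORKS, "wan": "141.23.26.224/29"}))
```

A /29 leaves six usable addresses (.225 to .230); with the gateway on .225 and vws-gw on .226, four remain for further hosts on the Tubit side.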

Tubit FW:

  • Direct access to WAN: src 130.149.232.0/24 -> vws-gw TCP 80, 443
  • VPN access to APU/pfSense: src * -> vws-gw UDP 2194
  • Connect to DAI over VPN: src 130.149.235.220 (dai router) <- vws-gw UDP 1201

Route:

1.1 Network plan

1.1.1 DAI Nemo Testbed Subnet:

  • PfSense
  • 5G Core Subnet: 192.168.124.0/24
  • dummy host 192.168.124.100

The simplest would be to configure VLAN 524 on a port on the Cisco switch and connect the PC there. Then it is in the Health 5G backend network (192.168.124.0/24) and can reach the remote network 192.168.125.0/24 directly.

Xuan-Thuy Dang  11:52 AM
That's great. I don't yet know how to configure the switch. Can you access it remotely? Otherwise I have to come by.

Thomas Geithner  11:55 AM
That can all be done remotely, either via SSH on the switch (user admin, password dBTp88is) or via the web frontend [1] (same login credentials).
[1] http://netmon.testbed.dai-lab.de/portadmin/sysname=switch-tb-tel-1410.testbed.dai-lab.de

VPN conf:

dev tun
persist-tun
persist-key
#cipher 
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
#pull
resolv-retry infinite
proto udp
remote 130.149.235.220 1201 udp4
route 192.168.124.0 255.255.255.0
ifconfig 192.168.126.2 192.168.126.1
keepalive 10 60
ping-timer-rem
<secret>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
28882710f08e217c3fff60fba68ba1b0
48a2204fd518f0d91b517d4ccd09b67b
0c3b753ebcd54d336dead08a4f1149ac
4889bf741af17bdba89d9c128a962a05
5dbba3a87e0301bbb285acacb429048b
1aae5eda46742406ae50c46c46978a6f
5af6213e0ec98b7ca4becc96db1b1546
fb18b4112f14db0fe3a4ba1bcb97e0c0
7c6b43be0d9a085a19bf81101f8978ee
1d3cda45179306319617b53ecf4f7529
d2767f71bf881420fd2849982a7804d9
56b1e37a990dd6d1f0d9bcf205078ee0
21dde89a130d52213445fd177131a4c3
4272d8834d4a5ff0e9b1deb8bff18cbd
4e9da89d1dac437d341ba9434b12d794
511aa20aff42c00d35846f997ca7d5c7
-----END OpenVPN Static key V1-----
</secret>

1.1.2 VWS Subnet

1.2.1 As client to remote site (DAI)

See client part of the above link.

1.2.2 As server to remote users

See server part of the above link.

openvpn client conf:

dang@localhost:~/.../Workplan/vws_vpn> cat router-UDP4-2194-config.ovpn 
dev tun
persist-tun
persist-key
#vpn 2.4
cipher AES-256-CBC
#vpn v2.5
#data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
#data-ciphers-fallback AES-256-CBC
auth SHA256
#pull
resolv-retry infinite
proto udp
remote 192.168.0.114 2194 udp4
route 192.168.125.0 255.255.255.0
ifconfig 172.17.1.1 172.17.1.1
keepalive 10 60
ping-timer-rem
<secret>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
7a1d0d013290ab656b51385331ee9c23
80b33b9d4ade10b394379d3a3cefc3e5
da1286bd3c18bf9e95fcb63525220f65
39e7f587608aa0afa13b257b98469943
deab2df1c34b95b22e6316f7af58e814
7c9e0f331b3dfe3d59f35ac19fd176b9
10dc1741e88ddb1275fe7e0fa78b4864
73ae9c5f96d0102a4185111d6818718e
1bbc92249ee20b63e5f5877e4cab000a
25144fd9ac62585ff9e87309754e47a2
66300d287d94c049c46be0b655ebd906
4d03c828c2824a4939a9fd2402c414bf
f2e1b4208879e14d31c95a00f6fbde72
b06d0c0b6cece6f5720040fe4acd19b0
f631cf80862efa78a7c7e6f9f612e239
83226688f45f2440ddeb225d69e707aa
-----END OpenVPN Static key V1-----
</secret>
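Both static-key configs above (the DAI site-to-site one and the client one for port 2194) have the same shape: a handful of options plus an inline <secret> block. The following is an added lint script, not part of the original wiki page, that parses such a file and reports the things worth checking before deploying it: the required options are present, the "ifconfig" line names two distinct endpoints (a point-to-point tun link cannot use the same address for both sides), the HMAC digest and cipher lists contain no weak algorithms, and the inline key really is the 2048 bits the header claims. The sample config it builds is constructed for the example: the remote 192.0.2.10 is a documentation address and the key is a sequential byte pattern, not a real secret.

```python
import re

# Constructed fake key: 256 sequential bytes = 2048 bits = 512 hex chars.
# Deliberately not a real OpenVPN key.
FAKE_KEY_HEX = "".join(f"{i:02x}" for i in range(256))


def make_sample_config(local_ip="172.17.1.1", remote_ip="172.17.1.2"):
    """Build a constructed .ovpn in the same shape as the page's configs."""
    key_lines = "\n".join(FAKE_KEY_HEX[i:i + 32] for i in range(0, len(FAKE_KEY_HEX), 32))
    return f"""dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
proto udp
remote 192.0.2.10 2194 udp4
route 192.168.125.0 255.255.255.0
ifconfig {local_ip} {remote_ip}
keepalive 10 60
<secret>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
{key_lines}
-----END OpenVPN Static key V1-----
</secret>
"""


WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}


def parse_ovpn(text):
    """Split an .ovpn into option lines and inline blocks such as <secret>."""
    options = {}   # option name -> list of argument lists (an option may repeat)
    blocks = {}    # block name -> list of non-comment lines inside it
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments also appear inside <secret>
            continue
        m = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if m:
            if m.group(1) == "":
                current = m.group(2)
                blocks[current] = []
            else:
                current = None
            continue
        if current is not None:
            blocks[current].append(line)
        else:
            name, *args = line.split()
            options.setdefault(name, []).append(args)
    return options, blocks


def static_key_bits(secret_lines):
    """Length in bits of the hex key between the BEGIN/END markers, or None if not hex."""
    hexdata = "".join(ln for ln in secret_lines if not ln.startswith("-----"))
    if not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        return None
    return len(hexdata) * 4


def lint_ovpn(text):
    """Return a list of findings; an empty list means the checks passed."""
    options, blocks = parse_ovpn(text)
    findings = []
    for req in ("dev", "proto", "remote"):
        if req not in options:
            findings.append(f"missing required option '{req}'")
    for args in options.get("ifconfig", []):
        if len(args) == 2 and args[0] == args[1]:
            findings.append(f"ifconfig local and remote endpoint are identical ({args[0]})")
    for args in options.get("auth", []):
        if args and args[0].upper() in WEAK_AUTH:
            findings.append(f"weak HMAC digest '{args[0]}'")
    for opt in ("cipher", "data-ciphers", "data-ciphers-fallback"):
        for args in options.get(opt, []):
            for c in ":".join(args).split(":"):
                if c.upper() in WEAK_CIPHERS:
                    findings.append(f"weak cipher '{c}' in {opt}")
    if "secret" in blocks:
        bits = static_key_bits(blocks["secret"])
        if bits != 2048:
            findings.append(f"inline static key is {bits} bits, expected 2048")
    else:
        findings.append("no inline <secret> static key found")
    return findings


if __name__ == "__main__":
    print(lint_ovpn(make_sample_config()))                          # []
    print(lint_ovpn(make_sample_config("172.17.1.1", "172.17.1.1")))  # identical endpoints
```

To run it against a real file, read the file into a string and pass it to lint_ovpn; the static key never leaves the machine, since the script only measures its length.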

<WRAP center round info 60%> When the VPN is connected, access the GUI using the remote tunnel IP. </WRAP>

1.3 Problem & Solution

1.3.1 DNS Rebinding

Log into pfSense via the IP address or any working domain name, go to System → Advanced → Admin Access and, under Alternate Hostnames, enter your new domain name. You can add extra domain names by separating them with spaces.

1.3.2 Inactivity timeout

1.3.3 Can't ping host

If the firewall seems to work, check whether the host has a default route set.

route add default gw 192.168.1.254 eth0

Or use the ip command (newer syntax) to route all traffic via the 192.168.1.254 gateway reachable through the eth0 network interface:

  ip route add default via 192.168.1.254 dev eth0
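Before adding a route it helps to know what the host's table already contains and which entry a given destination would actually use. The following is an added helper, not part of the original wiki page: it parses the output of "ip route show", reports the default gateway (or None if there is none), and performs the same longest-prefix lookup the kernel does for a destination address, so a "can't ping host" case can be narrowed to "no route at all" versus "wrong interface/gateway". The two route tables below are constructed samples, not captured from the page's hosts.

```python
import ipaddress

# Constructed sample output of `ip route show` on a host that has a default route
# and a VPN route to the remote 192.168.125.0/24 network.
SAMPLE_WITH_DEFAULT = """\
default via 192.168.1.254 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
192.168.125.0/24 via 172.17.1.1 dev tun0
"""

# Constructed sample for a host that only knows its own LAN.
SAMPLE_WITHOUT_DEFAULT = """\
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""


def parse_routes(text):
    """Turn `ip route show` lines into dicts with dst, via (gateway) and dev."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        entry = {"dst": fields[0], "via": None, "dev": None}
        for i, tok in enumerate(fields[1:], start=1):
            if tok == "via" and i + 1 < len(fields):
                entry["via"] = fields[i + 1]
            elif tok == "dev" and i + 1 < len(fields):
                entry["dev"] = fields[i + 1]
        routes.append(entry)
    return routes


def default_gateway(text):
    """Return (gateway, device) of the default route, or None if the host has none."""
    for r in parse_routes(text):
        if r["dst"] in ("default", "0.0.0.0/0"):
            return (r["via"], r["dev"])
    return None


def lookup(text, destination):
    """Longest-prefix match: the route entry the kernel would pick, or None."""
    addr = ipaddress.ip_address(destination)
    best = None
    for r in parse_routes(text):
        prefix = "0.0.0.0/0" if r["dst"] == "default" else r["dst"]
        net = ipaddress.ip_network(prefix, strict=False)   # bare host entries become /32
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return None if best is None else best[1]


if __name__ == "__main__":
    for table in (SAMPLE_WITH_DEFAULT, SAMPLE_WITHOUT_DEFAULT):
        print("default:", default_gateway(table))
        for dst in ("192.168.1.20", "192.168.125.7", "8.8.8.8"):
            print(f"  {dst} ->", lookup(table, dst))
```

On a live host, replace the sample string with the output of subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout; a None result for a destination means the packet would be dropped with "Network is unreachable" before the firewall is ever involved.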

1.3.4 Update bios

The 32 GB SD card seems to require a BIOS upgrade.

