Hetzner – Proxmox / ESX – Sophos / pfSense additional IP network config – working & solved

Got a root server at Hetzner with 1 extra public IP address (next to the one provided). Wanted to install Debian and Proxmox on it so I can have a cheap Virtual Machine host. You can also install VMware ESX, but then you need to ask them to attach a KVM-over-IP unit and I didn’t want to bother.

Networking was a bit of a pain but I got it all configured:

– Proxmox is using the first public IP address so you can manage it externally.
– The second public IP address is needed to assign it to Sophos UTM / pfSense or any firewall of your choice.

This firewall will then NAT incoming traffic to your internal VMs. In this example, is the MAIN public IP address and is the ADDITIONAL one.

Proxmox network config: 

# network interface settings
auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth0 inet6 static
 address 2b01:4g8:140:14d7::2
 netmask 64
 gateway fe80::1
auto vmbr0 ## Public IP address for Proxmox
iface vmbr0 inet static
 bridge_ports eth0
 bridge_stp off
 bridge_fd 0
auto vmbr1 ## Interface for internal LAN networking
iface vmbr1 inet static
 bridge_ports none
 bridge_stp off
 bridge_fd 0

Check if you can reach your Proxmox server on your public IP address. Now, get an additional IP address using Hetzner’s Robot control panel. Once assigned, make sure you request a separate MAC address for the new IP address !!! In this example, has a separate MAC address of 00:50:xx:00:xx:EE

In Proxmox, create a new VM and assign 2 network cards. One will be used for the LAN (vmbr1) and the other one for the WAN (vmbr0).

The MAC address of the WAN network card needs to match the MAC address you’ve requested previously using Hetzner’s Robot!

To configure your Sophos or pfSense firewall, you’ll need to create an SSH tunnel to the internal IP address of the firewall, as it won’t yet have the additional public IP address configured and you will probably need to finish the configuration using SSH or a browser. So, use this command (please adjust for your IP settings):

sudo ssh -L 4444: root@

In your browser, navigate to https://localhost:4444/ and finish configuring your firewall. Important: your WAN IP address is the additional IP address. Gateway and netmask are the same as the MAIN IP address.

Enable a DHCP server on your LAN and that’s it! Now you can install your VMs and get an internal private IP address (as long as you assign vmbr1 in Proxmox to the VM) and use your firewall to NAT outside traffic to the inside.

Synology Cloud Station and the pesky TailCharacterConflict error

At my (previous) company we’re using Synology Cloud Station with 20 users and lots of files. One user was complaining that the folder names were renamed with this nice addition:

Company Name B.V._PC_Name_UserName_Jan-27-145750-2015_TailCharacterConflict

Everything I tried didn’t help: renaming the folder, deleting it from the server, resyncing, everything. Google wasn’t a big help either. The folder kept being renamed with this very irritating TailCharacterConflict.

Until I saw the pattern.

You CAN’T let your folder name end with a trailing PERIOD. In this case, the folder name was Company Name B.V.

Changing the folder name to Company Name BV (without the periods) solved the problem. Insane, but true!

Postfix smtp relay on OS X Yosemite 10.10

I’m lazy, and for email testing this is great. Who doesn’t need an email relay at some point? As there was no off the shelf solution, here it is for Yosemite.

Define the relay host:
sudo vim /etc/postfix/main.cf
Add section after the existing ‘relayhost’ example:
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_sasl_mechanism_filter = plain

Add your account for the relay to use.
sudo vim /etc/postfix/sasl_passwd
[smtp.gmail.com]:587 name@somedomain.org:password

Make sure it starts at boot. If you don’t want this, skip this!
sudo vi /System/Library/LaunchDaemons/org.postfix.master.plist
add this:

sudo chmod 600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd

Then stop postfix:
sudo launchctl stop org.postfix.master
And start it again (so it reads the config changes):
sudo launchctl start org.postfix.master
sudo postfix start

Check it’s listening:
netstat -an | grep LISTEN | grep 25
It should output something like this:
tcp6 0 0 ::1.25 *.* LISTEN
tcp4 0 0 *.* LISTEN

You can test it like so:
df -kH | mail -s "contents" your@yourdomain.com

1) You can screw your postfix if you don’t pay attention. Be careful.
2) gmail was used as an example. I’m not endorsed, sponsored or whatever.
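
The relay settings above send a password, so it is worth checking whether TLS is actually required before authentication. The following is an added example, not part of the original post: it parses main.cf text and reports when SASL credentials could leave unencrypted, using the documented meaning of smtp_use_tls (opportunistic TLS) and smtp_tls_security_level; the function names are made up here.

```python
# Levels at which Postfix refuses to deliver without TLS (smtp_tls_security_level).
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}; the last assignment wins."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()  # continuation line
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def effective_tls_level(params):
    """Resolve the client TLS level, honouring the legacy yes/no switches."""
    level = params.get("smtp_tls_security_level", "")
    if level:
        return level
    if params.get("smtp_enforce_tls", "no").lower() == "yes":
        return "encrypt"
    if params.get("smtp_use_tls", "no").lower() == "yes":
        return "may"
    return "none"

def relay_findings(params):
    """Return findings for a relay that authenticates with SASL."""
    if params.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        return []
    findings = []
    level = effective_tls_level(params)
    sasl_opts = params.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if level not in MANDATORY_TLS and "noplaintext" not in sasl_opts:
        findings.append("TLS is not mandatory (level %r) and plaintext SASL is allowed: "
                        "the password goes out unencrypted if STARTTLS is not offered" % level)
    return findings

# The settings from this post, and the same settings with TLS made mandatory.
POST_CONFIG = """\
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_sasl_mechanism_filter = plain
"""
HARDENED_CONFIG = POST_CONFIG + "smtp_tls_security_level = encrypt\n"
```

Adding smtp_tls_security_level = encrypt to main.cf makes Postfix defer the mail instead of authenticating over a connection without TLS.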

This is based on:
Using MacOSX Lion command line mail with Gmail as SMTP
Mac OS X 10.10 Yosemite Postfix SASL authentication failed

How to setup NTPd on OS X

So if you would like to have a Mac acting as an NTP server, the steps are pretty straightforward. This works on all recent client and server versions of OS X.

1) Unload the ntp plist (most definitely needed on the server OS):
launchctl unload /System/Library/LaunchDaemons/org.ntp.ntpd.plist

2) Modify the ntp-restrict.conf
The following lines in the file:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Should become:
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer

Basically the ‘noquery’ needs to be removed.

3) Load the ntp plist.
launchctl load /System/Library/LaunchDaemons/org.ntp.ntpd.plist

That’s it! Piece of raw brownie (better than cake, trust me).
Then modify whatever box that needs an ntp server to point to your freshly modified Mac.
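
To see what the edited restrict lines leave open to any client, here is an added example (not part of the original post) that parses restrict lines and reports the access each default entry grants. It follows the flag meanings in the ntp.conf documentation, where noquery refuses ntpq/ntpdc queries and ignore/noserve refuse time requests; the function names are made up here.

```python
def parse_restrict(line):
    """Parse one ntp.conf 'restrict' line; return None for any other line."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    family = "unspecified"
    if tokens[0] in ("-4", "-6"):
        family = "ipv" + tokens.pop(0)[1]
    if not tokens:
        raise ValueError("restrict line has no address: %r" % line)
    address = tokens.pop(0)
    mask = None
    if len(tokens) >= 2 and tokens[0] == "mask":
        mask, tokens = tokens[1], tokens[2:]
    return {"family": family, "address": address, "mask": mask, "flags": set(tokens)}

def exposure(entry):
    """What a matching client may do, per the documented flag meanings."""
    flags = entry["flags"]
    dropped = "ignore" in flags  # ignore: deny packets of every kind
    queries = not dropped and "noquery" not in flags
    return {
        "time_service": not dropped and "noserve" not in flags,
        "control_queries": queries,  # ntpq / ntpdc
        "reconfiguration": queries and "nomodify" not in flags,
    }

def audit_defaults(conf_text):
    """Return (family, exposure) for every 'restrict default' entry."""
    results = []
    for line in conf_text.splitlines():
        entry = parse_restrict(line)
        if entry and entry["address"] == "default":
            results.append((entry["family"], exposure(entry)))
    return results

# The two versions of ntp-restrict.conf shown in step 2.
BEFORE = """restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery"""
AFTER = """restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for family, access in audit_defaults(conf):
            print(label, family, access)
```

With the edited lines the default entries also answer ntpq/ntpdc queries from any address, so limit who can reach UDP port 123 when the Mac is not on a trusted network.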

Get the latest BlackBerry App World update; without getting stuck in the loop.

Browse to this link with your BB to get the latest App World update; without getting stuck in the ‘You need to update App World before you can download App World using the App World app’-loop.


Solved: “[Firmware Bug] ACPI No _BQC method”, initial brightness problem when installing Linux

Tried to install OpenElec and Ubuntu on a mini-ITX Sapphire White system and every time I tried to run the installer, I got a blank screen.
So I booted OpenElec (and Ubuntu) without the ‘quiet’ option from the kernel parameters and I was able to see this error:

[Firmware Bug] ACPI No _BQC method, cannot determine initial brightness


My system is NOT a laptop so I don’t care about brightness. Searching for a solution on the internet got me nowhere; it involved recompiling kernels but that’s not very useful when I still need to install the Linux distribution.

But I found a solution! Forcing this entry into the kernel parameters while booting the installer:


… it solved my problems! So, OpenElec and Ubuntu are now installing without problems.

BUT, don’t forget to modify your installed distro to reflect the same parameter! If you use OpenElec, you’ll need to manually add the parameter when booting it, SSH into your box and remount the /flash mount as RW (mount -o remount,rw /flash), so you can edit the syslinux.cfg file and add the parameter.

Raspberry Pi (rPi) and Pi-Lite led board testing

Got this little gem: http://shop.ciseco.co.uk/pi-lite-lots-of-leds-for-the-raspberry-pi-0805-red/

And this python script to make it talk:

#!/usr/bin/env python

# Pi-Lite init part...
import serial
from time import sleep
baud = 9600
port = '/dev/ttyAMA0'
ser = serial.Serial(port, baud)
ser.timeout = 0

# And from here, the actual programming !

import sys

Use it like this:

python write.py "Hello, my name is Dick"

Cisco SG300 / SG500 switch SSH Public key authentication

Argh! I wasn’t able to paste my public SSH key into the switch’s GUI; it keeps on giving me a very annoying error:

Invalid key string.
When a Key is entered, it should contain the “BEGIN” and “END” markers.

So, let’s try the CLI. I presume you already know how to handle a Cisco from the terminal.

– Enable ssh-server on the switch

switchxxxxxx(config)# ip ssh server

– Enable public key authentication

switchxxxxxx(config)# ip ssh pubkey-auth auto-login

– Add a user:

switchxxxxxx(config)# username martijn password SecretPassword privilege 15

– Then, add user’s public key

switchxxxxxx(config)# crypto key pubkey-chain ssh
switchxxxxxx(config-pubkey-chain)# user-key martijn rsa
switchxxxxxx(config-pubkey-key)# key-string

(paste your id_rsa.pub here)

– Check if the fingerprint is correct:

switchxxxxxx# show crypto key pubkey-chain ssh

Username Fingerprint
-------- -----------------------------------------------
martijn  35:ea:60:06:fc:d7:f7:d3:3b:d1:0f:10:63:f7:0b:02

Now try to ssh to your switch; no password should be asked.
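
To compare the fingerprint on the switch with the key you meant to install, this added example (not part of the original post) computes the MD5 fingerprint of an id_rsa.pub line locally. It assumes the switch prints the classic MD5 fingerprint, which the 16 colon-separated bytes above suggest; the sample key is constructed and the function names are made up here.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(data)) + data

def md5_fingerprint(pubkey_line):
    """Return the colon-separated MD5 fingerprint of one OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    # The blob starts with its own copy of the key type; a mismatch points to
    # a truncated or mangled paste.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type inside the blob does not match the declared type")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

# Constructed sample key (toy-sized, not usable): exponent 65537, made-up modulus.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + bytes(range(1, 65))))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " martijn@example"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            print(md5_fingerprint(handle.read()))
    else:
        print(md5_fingerprint(SAMPLE_LINE))
```

Run it with the path to your id_rsa.pub and compare the result with the switch output; `ssh-keygen -l -E md5 -f id_rsa.pub` prints the same digest.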