
Friday, December 5, 2025

How to Configure OPNsense (Rift Raven) with du Internet

 

Switching from a standard ISP router to a dedicated firewall such as the Rift Raven (running OPNsense) gives you far more control over your network. Connecting it to a du (Nokia ONT) line, however, means dealing with MAC address locking, a private WAN address, and the NAT configuration that follows from it.

This guide walks through the successful configuration, specifically tailored for a setup requiring a large internal network (/22 subnet) and handling "Double NAT" scenarios.

Phase 1: The Hardware & Cabling

Before touching the software, the physical connections must be correct. The Rift Raven typically has 2 ports: Port 1 (WAN) and Port 2 (LAN).

The Setup

  1. The Source (du): Locate the white/black Nokia ONT on your wall. Find the active LAN port (usually LAN 1 or GE 1).

  2. The Bridge: Connect an Ethernet cable from Nokia LAN 1 directly to Rift Raven Port 1 (WAN).

  3. The Local Network: Connect Rift Raven Port 2 (LAN) to your PC (for setup) or to a Gigabit Switch.

    • Note: Since the Raven only has one LAN port, a switch is required to connect the rest of your home’s wall sockets (Patch Panel).

Critical Step: The "Handshake" Reset

du’s Nokia ONT binds the connection to the MAC address of the device plugged into it. If you simply unplug the old router and plug in the Raven, the ONT will usually keep the old binding and refuse to serve the new device. (An alternative to the power cycle below is to copy the old router’s WAN MAC into Interfaces > [WAN] > MAC address on OPNsense; that avoids the outage, but it ties the line to a spoofed address that you now have to remember whenever the hardware changes.)

The Fix:

  1. Unplug power from the Nokia ONT.

  2. Unplug power from the Rift Raven.

  3. Wait 5 full minutes. (This clears the active session at the exchange).

  4. Power on the Nokia ONT and wait for the "PON/Optical" light to turn solid green.

  5. Power on the Rift Raven.


Phase 2: OPNsense Initial Configuration

Access the OPNsense web interface from the PC on the LAN port (default: https://192.168.1.1, default login root / opnsense) and run the Wizard. Set a strong root password when the wizard asks for one; the default is public knowledge.

WAN Settings (For du)

  • Type: DHCP (du uses IPoE, not PPPoE, so no username/password is needed).

  • Block Private Networks: UNCHECK (Crucial: the ONT hands the WAN a private address, see Phase 3, Issue 1).

  • Block Bogon Networks: UNCHECK. (Caveat: the bogon list covers unallocated and reserved ranges, not the RFC 1918 private ranges, so for a 192.168.x.x WAN lease this is not the box that matters. Leaving it checked is the safer default unless you find it actually blocking something.)

LAN Settings (The Custom /22 Range)

We configured the LAN to be larger than a standard home network to avoid IP exhaustion.

  • IP Address: 192.168.0.1

  • Subnet Mask: /22 (255.255.252.0)

  • Range: 192.168.0.0/22 gives usable hosts 192.168.0.1 through 192.168.3.254 (1,022 addresses; 192.168.0.0 is the network and 192.168.3.255 the broadcast). Make sure this range does not overlap the private subnet the ONT hands to the WAN (for example 192.168.70.0/24); if it does, LAN traffic for those addresses never leaves the box.

Tip: If changing the LAN IP locks you out of the web interface, use the physical console (VGA/HDMI + Keyboard) and select Option 2 to reset the interface IP.


Phase 3: Troubleshooting "No Internet" (The Gateways)

Once connected, you might see the WAN interface turn green, but devices on the LAN cannot access the internet. This is usually due to two specific issues found in du setups.

Issue 1: The "Double NAT" Problem

The Nokia ONT often runs as a router rather than a bridge, handing the Raven a private IP (e.g., 192.168.70.x) instead of a public one. Traffic is then translated twice: OPNsense rewrites LAN addresses to its private WAN address, and the ONT rewrites that to the public IP. OPNsense has no objection to routing over a private WAN address, but the outbound NAT rule for the LAN has to exist for anything to work, and any inbound port forward needs a matching rule on the ONT as well.

The Fix: Hybrid Outbound NAT

  1. Go to Firewall > NAT > Outbound.

  2. Change Mode to Hybrid outbound NAT rule generation.

  3. Click Save and Apply.

  4. Ensure a rule exists with interface WAN, source LAN net, and translation Interface address. Hybrid mode keeps the automatically generated rules (which normally include exactly this one) and lets you add manual rules beside them; add one only if it is missing.

Issue 2: The Gateway Trap (Critical Configuration Error)

A common mistake is assigning a Gateway to the LAN interface.

  • The Error: In System > Gateways, you might see a gateway named LAN_GW pointing to 192.168.0.1.

  • The Consequence: OPNsense treats any interface with an upstream gateway as a WAN-type interface. LAN then becomes a candidate default route and gets outbound NAT generated for it, so internet-bound traffic can be steered back into the LAN port, where it goes nowhere.

The Fix:

  1. Go to System > Gateways > Configuration.

  2. Delete any Gateway associated with the LAN interface.

  3. Go to Interfaces > [LAN].

  4. Ensure IPv4 Upstream Gateway is set to None (Auto-detect picks up any gateway defined on the interface, so it is only safe once the LAN gateway is gone).


Phase 4: Validating the Connection

To confirm everything is working, perform these tests in order:

1. Test from the Firewall (Diagnostics)

Go to Interfaces > Diagnostics > Ping.

  • Ping 8.8.8.8 (Source: WAN): Success means the Raven connects to the internet.

  • Ping google.com (Source: WAN): Success means DNS resolution is working as well.

2. Test from a LAN Device (PC/Laptop)

Open a command prompt on your computer.

  • ping 8.8.8.8

  • If it fails: It is likely the outbound NAT rule or the LAN gateway (See Phase 3). If 8.8.8.8 answers but ping google.com does not, routing is fine and the problem is DNS.

  • If it works: You are online.
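Two things above are easy to get wrong by hand: what a /22 actually covers, and whether the WAN lease is a private (double-NAT) address that collides with the planned LAN. The following is an added example, not part of the original post: a few POSIX sh functions that compute the range of a CIDR block, flag RFC 1918 addresses, and check a WAN lease against a LAN range. It runs in FreeBSD sh on the OPNsense console or in any Linux shell. The sample WAN lease and its /24 mask are constructed values, not taken from a real du connection, and the interface name in the comment is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original post. POSIX sh helpers for the two
# address questions this guide raises: what a /22 LAN actually covers, and
# whether the WAN lease is an RFC 1918 address (double NAT) that collides
# with the LAN. Runs in FreeBSD sh on the OPNsense console or any Linux sh.

ALLONES=4294967295   # 0xFFFFFFFF as a decimal, for shells without hex literals

# Dotted-quad IPv4 -> 32-bit integer on stdout; returns 1 on malformed input.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # reject empty, non-numeric, leading-zero (octal-looking) and >255 octets
        case $o in ''|*[!0-9]*|0[0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# A.B.C.D/N -> "network_int broadcast_int"; returns 1 on bad input.
net_bounds() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$addr" != "$1" ] || return 1
    case $prefix in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    if [ "$prefix" -eq 0 ]; then mask=0; else mask=$(( (ALLONES << (32 - prefix)) & ALLONES )); fi
    echo "$(( ip & mask )) $(( (ip & mask) | (ALLONES - mask) ))"
}

# A.B.C.D/N -> "network broadcast first_host last_host usable_hosts"
cidr_range() {
    bounds=$(net_bounds "$1") || return 1
    net=${bounds% *}; bcast=${bounds#* }
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast") $(int_to_ip $((net + 1))) $(int_to_ip $((bcast - 1))) $((bcast - net - 1))"
}

# True (0) when two CIDR blocks share any address.
cidr_overlaps() {
    a=$(net_bounds "$1") || return 2
    b=$(net_bounds "$2") || return 2
    [ "${a% *}" -le "${b#* }" ] && [ "${b% *}" -le "${a#* }" ]
}

# True (0) when the address is in 10/8, 172.16/12 or 192.168/16, i.e. the ONT
# is routing rather than bridging and you are behind its NAT.
is_rfc1918() {
    ip=$(ip_to_int "$1") || return 2
    for blk in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        b=$(net_bounds "$blk")
        [ "$ip" -ge "${b% *}" ] && [ "$ip" -le "${b#* }" ] && return 0
    done
    return 1
}

# Verdict for a WAN lease ($1, A.B.C.D/N) and a planned LAN ($2, A.B.C.D/N).
# Returns 1 when the LAN overlaps the WAN subnet, which breaks routing.
check_wan_lan() {
    if is_rfc1918 "${1%/*}"; then
        echo "WAN $1 is RFC 1918: the ONT is routing, expect double NAT"
    else
        echo "WAN $1 is a public address: single NAT"
    fi
    if cidr_overlaps "$1" "$2"; then
        echo "FAIL: LAN $2 overlaps the WAN subnet $1; choose another LAN range"
        return 1
    fi
    echo "OK: LAN $2 does not overlap WAN $1"
}

# Constructed sample values, not taken from a real du connection. The /24 on the
# WAN side is an assumption; on the box itself, read the real lease with
#   ifconfig <wan_if> | awk '/inet /{print $2, $4}'
cidr_range 192.168.0.1/22
check_wan_lan 192.168.70.5/24 192.168.0.1/22
```

The overlap check is the one worth keeping around: the guide's 192.168.0.0/22 happens to clear a 192.168.70.0/24 lease, but a /22 swallows four /24s, so an ONT that hands out 192.168.1.x or 192.168.2.x would collide with it.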


Summary Checklist for Future Reference

If you ever reset the device, follow this "Golden Config":

  • [ ] WAN Interface: DHCP enabled, "Block Private Networks" Unchecked.

  • [ ] WAN Gateway: Monitor IP set to 8.8.8.8 (a public address, so the gateway is not marked down if the ONT’s private gateway ignores ICMP); Disable Gateway Monitoring left unchecked.

  • [ ] LAN Interface: Static IP (192.168.0.1/22), Upstream Gateway set to None.

  • [ ] NAT: Outbound NAT set to Hybrid.

  • [ ] Cabling: Nokia LAN 1 → Raven WAN; Raven LAN → Switch.

Final Note on Hardware: Because the Rift Raven has limited ports, ensure your Gigabit Switch is connected to the Raven's LAN port to distribute the connection to the rest of your home's patch panel (D-5, etc.).

Monday, October 27, 2025

Enable Hibernation in Fedora 42 (With Power Menu Integration)

Fedora 42 is a leading-edge Linux distribution, but hibernation isn’t enabled out of the box. Here’s a step-by-step guide to enable hibernation, resolve common SELinux issues, and add a Hibernate button to the GNOME power menu.

Why Hibernation?

Hibernation saves your entire session by writing RAM to disk and powering off. Next time you boot, everything resumes exactly where you left off, which makes it ideal for laptop and desktop users who want to save battery or avoid losing work during shutdowns.

Prerequisites

  1. UEFI System: Hibernation setup is simpler on UEFI, because systemd records where the image was written in the HibernateLocation EFI variable and the initramfs reads it back on the next boot. Run bootctl to confirm; if you see “Not booted with EFI,” a more manual approach (a resume= kernel argument) is needed.
  2. Adequate Disk Space: You’ll need a swap file at least as large as your RAM.
  3. SELinux Consideration: SELinux can block hibernation; check the troubleshooting below.
  4. Secure Boot: With Secure Boot on, the Fedora kernel enables lockdown, and lockdown refuses to hibernate because the image on disk could be altered while the machine is off. cat /sys/kernel/security/lockdown shows the active mode in brackets; if it is not [none], none of the steps below will help until Secure Boot is turned off.

Step 1: Create and Enable Swap

Open your terminal and enter:

# Size the swap from installed RAM: 2x below 2 GiB, 1.5x below 8 GiB, otherwise 1x (free reports KiB)
SWAPSIZE=$(free | awk '/Mem/ {x=$2/1024/1024; printf "%.0fG", (x<2 ? 2*x : x<8 ? 1.5*x : x) }')
# Dedicated subvolume, so snapshots of the root filesystem never include the swap file
sudo btrfs subvolume create /var/swap
# Disable copy-on-write on the still-empty subvolume; Btrfs refuses CoW swap files
sudo chattr +C /var/swap
sudo restorecon /var/swap
sudo mkswap --file -L SWAPFILE --size $SWAPSIZE /var/swap/swapfile
sudo bash -c 'echo /var/swap/swapfile none swap defaults 0 0 >>/etc/fstab'
sudo swapon -av

The +C attribute disables copy-on-write on the subvolume, which Btrfs requires for swap files, and giving the swap its own subvolume keeps it out of snapshots; the fstab entry makes systemd activate it on every boot.
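Before running systemctl hibernate it is worth checking the three things that make it fail most often: swap smaller than RAM, kernel lockdown (Secure Boot, see the prerequisites), and a kernel without suspend-to-disk. The following is an added example, not from the original post: the sizing rule from the SWAPSIZE one-liner above as a function, plus a pre-flight check over those three conditions. File paths are parameters so it can run against sample data; the sample /proc/meminfo, /proc/swaps, lockdown and power-state contents it builds are constructed, not from a real machine, and on a real Fedora host you pass the actual /proc and /sys files instead.

```sh
#!/bin/sh
# Added example, not from the original post: the swap sizing rule from the
# SWAPSIZE one-liner as a reusable function, plus a pre-flight check that
# catches the usual reasons "systemctl hibernate" fails before you try it:
# swap smaller than RAM, kernel lockdown (Secure Boot), and a kernel without
# suspend-to-disk. File paths are parameters so the check can run against
# sample data; on a real host pass the /proc and /sys files.

# Argument: MemTotal in KiB (column 2 of `free`, or MemTotal in /proc/meminfo).
# Prints e.g. "6G": 2x RAM below 2 GiB, 1.5x below 8 GiB, otherwise 1x.
swap_size_for_mem_kib() {
    awk -v kib="$1" 'BEGIN {
        x = kib / 1024 / 1024
        printf "%.0fG", (x < 2 ? 2 * x : x < 8 ? 1.5 * x : x)
    }'
}

# Sum of the Size column (KiB) of /proc/swaps-formatted text on stdin.
swap_total_kib() {
    awk 'NR > 1 { total += $3 } END { printf "%d", total + 0 }'
}

# MemTotal (KiB) from /proc/meminfo-formatted text on stdin.
mem_total_kib() {
    awk '/^MemTotal:/ { print $2 }'
}

# hibernate_preflight MEMINFO SWAPS LOCKDOWN POWER_STATE
# Prints one finding per line; returns 0 only when every check passes.
hibernate_preflight() {
    rc=0
    mem=$(mem_total_kib < "$1")
    swp=$(swap_total_kib < "$2")
    if [ "$swp" -ge "$mem" ]; then
        echo "ok: swap ${swp} KiB >= RAM ${mem} KiB"
    else
        echo "fail: swap ${swp} KiB < RAM ${mem} KiB; size it to $(swap_size_for_mem_kib "$mem")"
        rc=1
    fi
    # Fedora enables kernel lockdown when Secure Boot is on, and lockdown
    # refuses to hibernate. The file marks the active mode in brackets,
    # e.g. "none [integrity] confidentiality".
    if [ ! -r "$3" ]; then
        echo "ok: no lockdown file, lockdown LSM not present"
    elif grep -q '\[none\]' "$3"; then
        echo "ok: kernel lockdown is off"
    else
        echo "fail: kernel lockdown active ($(cat "$3")); hibernation is blocked until Secure Boot is off"
        rc=1
    fi
    # /sys/power/state lists the supported sleep states; "disk" is hibernation.
    if grep -qw disk "$4"; then
        echo "ok: kernel supports suspend-to-disk"
    else
        echo "fail: 'disk' is missing from $4"
        rc=1
    fi
    return $rc
}

# demo_preflight ok|short: runs the check against constructed sample files
# (not real system data) that mimic an 8 GB machine with enough or too little swap.
demo_preflight() {
    d=$(mktemp -d) || return 2
    printf 'MemTotal:        8000000 kB\nMemFree:         1000000 kB\n' > "$d/meminfo"
    if [ "$1" = short ]; then size=2097152; else size=8388608; fi
    printf 'Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n' > "$d/swaps"
    printf '/var/swap/swapfile                      file\t\t%s\t0\t\t-2\n' "$size" >> "$d/swaps"
    printf '[none] integrity confidentiality\n' > "$d/lockdown"
    printf 'freeze mem disk\n' > "$d/state"
    hibernate_preflight "$d/meminfo" "$d/swaps" "$d/lockdown" "$d/state"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Stand-alone run on the sample data. On a real Fedora host use:
#   hibernate_preflight /proc/meminfo /proc/swaps /sys/kernel/security/lockdown /sys/power/state
demo_preflight ok
```

The lockdown check is the one people miss: the SELinux fix in Step 3 cannot help when the kernel itself refuses to hibernate, and the error message looks similar.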

Step 2: Configure Dracut for Hibernation

The resume module lets the initramfs find the hibernation image and load it before the root filesystem is mounted:

echo 'add_dracutmodules+=" resume "' | sudo tee /etc/dracut.conf.d/resume.conf
sudo dracut -f

Test it with:

systemctl hibernate

When you power the machine on again, the initramfs loads the image and your session resumes where it left off.

Step 3: Fix “Access Denied” (SELinux)

If you get Call to Hibernate failed: Access denied, fix permissions:

sudo semanage fcontext -a -t swapfile_t '/var/swap(/.*)?'
sudo restorecon -RF /var/swap

If issues persist, capture the denials and build a policy module from them. setenforce 0 switches SELinux to permissive mode (denials are logged but not enforced); it does not disable SELinux, and you switch back as soon as the test is done:

sudo setenforce 0      # Permissive mode for the test only; denials are still logged
sudo systemctl hibernate
sudo setenforce 1      # Return to enforcing mode


# If hibernate works, make it permanent

sudo audit2allow -b -M systemd_hibernate   # -b: build rules from every denial logged since boot
sudo semodule -i systemd_hibernate.pp

Read systemd_hibernate.te before installing it: audit2allow turns every denial since boot into an allow rule, including ones that have nothing to do with hibernation, so remove anything the hibernate path does not need. The module then grants only that access and keeps SELinux enforcing.

Step 4: Add Hibernate Button to Power Menu (GNOME)

Fedora’s GNOME desktop doesn’t show Hibernate by default. Here’s how to add it:

Install the GNOME browser connector:

sudo dnf install gnome-browser-connector

Visit Hibernate Status Button Extension in your browser and toggle ON.


Enable the extension in the Extensions app, or via CLI:

gnome-extensions enable hibernate-status@dromi

Restart GNOME Shell: on an X11 session press Alt+F2, type r, press Enter. On a Wayland session (the Fedora default) that restart is not available; log out and back in instead.

You’ll now see Hibernate in the top-right Power menu, making it easy to hibernate from the GUI.

Step 5: Configure Power Button for Hibernate

Want the physical power button to hibernate? Either edit /etc/systemd/logind.conf and set the line below under the [Login] section (it ships commented out, so uncomment it), or put the same [Login] section and line in a file under /etc/systemd/logind.conf.d/ so a package update cannot overwrite it:

HandlePowerKey=hibernate

Restart logind to apply:

sudo systemctl restart systemd-logind

Troubleshooting

Swap too small? Use at least as much as your RAM, possibly up to 1.5x for systems under 8 GB.
Button won’t appear? Ensure systemctl hibernate works, and that the GNOME Shell extension supports your GNOME version.
SSD concerns: Hibernation writes the entire RAM to disk, great for convenience, but it means more SSD writes over time. If worried, use suspend instead.
What ends up on disk: the image is a copy of RAM, including whatever sensitive material was in memory (session tokens, decrypted files, keys). On an unencrypted disk it can be read offline, so use hibernation only on an install where the swap file lives inside an encrypted (LUKS) volume.


Tuesday, July 8, 2025

Checking Network Connections on Windows Servers

When you're managing Windows servers, being able to quickly check network connections is essential. This helps in troubleshooting issues like applications not connecting, or services not communicating. We'll look at some straightforward commands to help you diagnose these problems.


TESTING SPECIFIC CONNECTIONS (PowerShell)

The Test-NetConnection command is a powerful tool in PowerShell for checking connectivity to a specific IP address and port.

  • How to use it:

    test-netconnection IPAddress -port XXXXX

  • Replace IPAddress with the actual IP address of the server you're trying to reach.

  • Replace XXXXX with the specific port number that the service (like a license server) is listening on.

This command tells you whether a TCP connection can be established, which makes it ideal for verifying that a service is reachable on a particular port. Read the TcpTestSucceeded field of the output: PingSucceeded can be False simply because ICMP is filtered while the TCP test still succeeds, and for an application port it is the TCP result that matters.


USING TELNET FOR BASIC CONNECTIVITY

Telnet is a simple command-line tool that can test connectivity to a port. It's often used to see if a port is open and listening.

  • ENABLING TELNET CLIENT

    By default, the Telnet Client might not be installed on Windows Server. You need to enable it first.

    dism /online /Enable-Feature /FeatureName:TelnetClient

    This command uses DISM (Deployment Image Servicing and Management) to add the Telnet Client feature.

  • TESTING WITH TELNET

    Once enabled, you can use Telnet to test a connection.

    telnet IPAddress XXXXX

    Again, replace IPAddress with the target server's IP and XXXXX with the port. (The -a switch sometimes added here only tells telnet to attempt automatic logon with your Windows user name; it is not needed for a port check.) If you see a blank screen or a connection successful message, it usually means the port is open. If it fails quickly, the port might be blocked or the service isn't running.


VIEWING ACTIVE NETWORK CONNECTIONS (NETSTAT)

netstat is a command-line utility that displays active network connections, routing tables, and a number of network interface statistics. It's great for seeing what your server is connected to, and what ports it's listening on.

  • SHOW ALL CONNECTIONS AND LISTENING PORTS

    netstat -a

    This command will list all active TCP connections and the TCP and UDP ports on which the computer is listening.

  • SHOW NUMERICAL ADDRESSES AND PORT NUMBERS

    netstat -n

    This variation shows addresses and port numbers in their numerical form, which can be quicker and avoid DNS lookups.


MANAGING WINDOWS FIREWALL (NETSH ADVFIREWALL)

The Windows Firewall can often be the reason why connections aren't working. The netsh advfirewall command allows you to view and manage firewall settings.

  • SHOW ALL FIREWALL PROFILES

    netsh advfirewall show allprofiles

    This command displays the settings for all firewall profiles (Domain, Private, and Public).

  • CHECK SPECIFIC FIREWALL PROFILES

    You can check the status of individual profiles:

    netsh advfirewall show domainprofile

    netsh advfirewall show privateprofile

    netsh advfirewall show publicprofile

    These commands show the specific settings for the domain, private, or public network profiles respectively.

  • CHANGE FIREWALL PROFILE STATE

    You can enable or disable firewall profiles if needed, but treat turning a profile off as a short diagnostic step, not a fix: if the connection starts working with the firewall off, add a rule for that specific port and turn the profile back on.

    netsh advfirewall set allprofiles state [on/off]

    Replace [on/off] with on to enable or off to disable all profiles.