Tuesday, December 9, 2025

Changing the Gateway IP in Rocky Linux

 

Step 1: Find the Real Connection Name

Before you change anything, ask NetworkManager what the connection is actually called. Do not guess.

Run this command:

Bash
nmcli connection show

What to look for:

Focus on the NAME column on the far left.

NAME                UUID         TYPE      DEVICE
enp1s0              5fb06bd0...  ethernet  enp1s0
Wired connection 1  2ad18c...    ethernet  enp1s0
  • In the first row, the connection name matches the device name (enp1s0).

  • In the second row, the connection is named Wired connection 1.

Copy the text from the NAME column exactly.

Step 2: Set the New Gateway

Now that you have the correct name, use nmcli to modify the configuration.

Syntax:

sudo nmcli connection modify "<CONNECTION_NAME>" ipv4.gateway <NEW_IP>

Example (If your name is "enp1s0"):

Bash
sudo nmcli connection modify "enp1s0" ipv4.gateway 192.168.0.70

Example (If your name is "Wired connection 1"):

Bash
sudo nmcli connection modify "Wired connection 1" ipv4.gateway 192.168.0.70

Step 3: Apply the Changes

Modifying the connection only updates the config file on the disk. To make it live, you must reload the interface.

Bash
sudo nmcli connection up "enp1s0"

(Replace enp1s0 with your actual connection name found in Step 1).

Step 4: Verify

Check the kernel routing table to confirm the default route has updated.

Bash
ip route show

You are looking for the line starting with default:

default via 192.168.0.70 dev enp1s0 proto static metric 100


Common Gotcha: DHCP Overrides

If you followed the steps above but ip route still shows the old gateway, your server is likely getting its IP via DHCP.

By default, DHCP provides an IP address and a gateway. The DHCP gateway will override your manual setting every time the interface comes up.

The Fix:

You need to tell NetworkManager to keep the DHCP IP address but ignore the DHCP gateway.

Bash
# 1. Ignore the automatic gateway from DHCP
sudo nmcli connection modify "enp1s0" ipv4.ignore-auto-routes yes

# 2. Enforce your manual gateway
sudo nmcli connection modify "enp1s0" ipv4.gateway 192.168.0.70

# 3. Apply changes
sudo nmcli connection up "enp1s0"
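The four steps above, plus the DHCP fix, as one added script (not from the original post). It reads the terse form `nmcli -t -f NAME,DEVICE connection show`, which prints one `NAME:DEVICE` pair per line, so the real connection name is looked up from the device rather than guessed, and it only reports success once `ip route show` actually lists the new gateway. It assumes nmcli and iproute2 are installed and that it is run as root; the constructed sample strings at the bottom only exercise the two parsers.

```shell
#!/bin/sh
# Added example, not from the post: look up the real NetworkManager connection
# name for a device, apply the gateway change, and verify the default route.
# Assumes nmcli and iproute2 (ip) are present and the caller is root.

# Print the connection name bound to device $1. Reads the terse output of
# `nmcli -t -f NAME,DEVICE connection show` on stdin ("NAME:DEVICE" per line).
# Names with spaces such as "Wired connection 1" are handled; names containing
# a literal colon (escaped by nmcli as "\:") are not.
conn_for_device() {
    awk -F: -v dev="$1" '$NF == dev { sub(":" dev "$", ""); print; exit }'
}

# Print the gateway of the default route from `ip route show` output on stdin.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Change the gateway of the connection on device $1 to $2 and confirm it took
# effect. With $3 = "dhcp" the DHCP-supplied routes are ignored first (the fix
# from the "Common Gotcha" section). Returns non-zero if the route did not change.
set_gateway() {
    dev=$1; gw=$2; mode=${3:-static}
    conn=$(nmcli -t -f NAME,DEVICE connection show | conn_for_device "$dev")
    if [ -z "$conn" ]; then
        echo "no NetworkManager connection is bound to $dev" >&2
        return 1
    fi
    echo "using connection: $conn"
    if [ "$mode" = dhcp ]; then
        nmcli connection modify "$conn" ipv4.ignore-auto-routes yes || return 1
    fi
    nmcli connection modify "$conn" ipv4.gateway "$gw" || return 1
    nmcli connection up "$conn" || return 1
    live=$(ip route show | default_gateway)
    if [ "$live" != "$gw" ]; then
        echo "default route still points at ${live:-nothing}, expected $gw" >&2
        return 1
    fi
    echo "default route now via $live"
}

# Constructed sample output (not captured from a real host) for testing the
# parsers offline. An inactive connection shows "--" in the DEVICE column.
SAMPLE_NMCLI='enp1s0:enp1s0
Wired connection 1:--
lo:lo'
SAMPLE_ROUTE='default via 192.168.0.70 dev enp1s0 proto static metric 100
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.10 metric 100'

# Run as: sh set-gateway.sh enp1s0 192.168.0.70 [dhcp]
if [ $# -ge 2 ]; then
    set_gateway "$@"
fi
```

Because `-t` separates fields with a colon instead of padded columns, a name like "Wired connection 1" survives intact, which is exactly the case the post warns about.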

Summary

  • Don't assume the connection name is "System enp1s0".

  • Always check nmcli connection show first.

  • Remember to reload with nmcli connection up after making changes.

Fix "Failed to Mount /sysroot" on Rocky Linux

There are few things more heart-stopping for a System Administrator than watching a server boot, only to see it hang and drop into the dreaded Dracut Emergency Shell.

If you are seeing the error Failed to mount /sysroot followed by a prompt that looks like dracut:/#, your system has failed to load the root filesystem. On Rocky Linux (and RHEL/AlmaLinux), this is almost always caused by XFS filesystem corruption following a hard shutdown, power loss, or hypervisor crash.


Prerequisite: Understand the Environment

You are currently in the initramfs environment. This is a small, temporary filesystem loaded into memory before the real disk is mounted. Because the real disk is corrupted, the OS cannot transition to it.

Note: Rocky Linux uses XFS as its default filesystem. Unlike EXT4 (which uses fsck), XFS has its own set of tools, specifically xfs_repair.


Step 1: Identify Your Root Partition

First, you need to find the specific device name of your root partition. Since you are in a limited shell, standard commands like lsblk might not show what you expect.

Run the block ID command:

Bash
blkid

You are looking for a device labeled root or an LVM path.

  • Standard Partition: /dev/sda2 or /dev/nvme0n1p2

  • LVM (Most Common): /dev/mapper/rl-root or /dev/mapper/rocky-root

Can't see the /dev/mapper entries? If you use LVM (Logical Volume Manager) and don't see your volumes, they are likely inactive. Activate them manually:

Bash
lvm vgchange -ay

Run blkid again. You should now see your root volume.


Step 2: The Repair Process

Crucial Rule: Never run a filesystem repair on a mounted partition. Since the boot failed, your partition is likely unmounted, which is exactly what we want.

Attempt 1: Standard Repair

Run the repair command against your specific root device (replace the path below with the one you found in Step 1):

Bash
xfs_repair /dev/mapper/rl-root

Scenario A: Success. If the command runs, prints a flurry of text, and ends with done, you are safe. Proceed to Step 3.

Scenario B: "Filesystem has a dirty log". If xfs_repair fails and reports that the log is dirty, there is pending metadata in the journal. It will suggest that you mount and unmount the filesystem to replay the log.

Try to mount it manually to let the journal replay:

  1. mount /dev/mapper/rl-root /sysroot

  2. umount /sysroot

  3. Run xfs_repair /dev/mapper/rl-root again.

Attempt 2: Force Log Zeroing (The "Nuclear" Option)

If the mount fails, or if xfs_repair refuses to run because the log is too corrupt, you must use the -L flag.

Warning: The -L flag forces the filesystem to zero out the log. This means you may lose the metadata for the most recent file operations that were occurring exactly when the server crashed. However, this is often the only way to make the disk mountable again.

Bash
xfs_repair -L /dev/mapper/rl-root

You should see output indicating that the log is being destroyed and the filesystem is being rebuilt.


Step 3: Verify and Reboot

Once the repair returns cleanly, verify that the filesystem is mountable.

  1. Test Mount:

    Bash
    mount /dev/mapper/rl-root /sysroot
    

    If this command returns no output, it worked.

  2. Reboot: You can now exit the Dracut shell. The system will detect the exit and attempt to resume the boot process.

    Bash
    exit
    

    (Alternatively, type reboot to restart the machine entirely).


Troubleshooting: "It still won't boot!"

If xfs_repair says the disk is clean but you still get boot errors, the issue might be in your /etc/fstab file (e.g., a secondary drive is failing, and the OS refuses to boot without it).

To check this from the Dracut shell:

  1. Mount the system: mount /dev/mapper/rl-root /sysroot

  2. Change root: chroot /sysroot

  3. Edit fstab: vi /etc/fstab

Comment out any non-essential drives (like data drives or swap) to see if the system will boot with just the root drive.
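The whole sequence (Steps 1 to 3 plus the fstab check) as one added script for the Dracut shell; it is not part of the original post. The order is the same as above: activate LVM, pick the root device from blkid, run xfs_repair, replay the log by mounting and unmounting if asked to, and retry once. It deliberately stops short of -L and leaves that decision to the operator. Assumptions: blkid, lvm, xfs_repair and mount exist in the initramfs, and the "needs to be replayed" wording is the one xfs_repair prints for a dirty log; the sample blkid, xfs_repair and fstab texts at the bottom are constructed for testing the parsers.

```shell
#!/bin/sh
# Added example, not from the post: a guarded script for the dracut emergency
# shell that follows the repair order above (blkid -> vgchange -> xfs_repair ->
# replay log -> xfs_repair again) and never runs xfs_repair -L on its own.
# Assumes the initramfs provides blkid, lvm, xfs_repair and mount.

# Pick the root device from `blkid` output on stdin: prefer an LVM mapper device
# named *-root, otherwise a partition labelled "root". Prints nothing if neither exists.
pick_root_device() {
    awk -F: '
        /^\/dev\/mapper\/[^:]*-root:/ { print $1; found = 1; exit }
        /LABEL="root"/ && cand == ""  { cand = $1 }
        END { if (!found && cand != "") print cand }'
}

# True when xfs_repair output asks for a log replay (Scenario B above).
# The wording matched here is assumed, not taken from the post.
needs_log_replay() {
    grep -qiE 'needs to be replayed|dirty log'
}

# List fstab entries other than the root and boot filesystems, i.e. the
# candidates to comment out in the Troubleshooting step. Reads fstab on stdin.
nonessential_fstab_entries() {
    awk '!/^[[:space:]]*(#|$)/ && $2 != "/" && $2 != "/boot" && $2 != "/boot/efi"'
}

# Repair device $1. Returns 0 on a clean repair, 2 when only the -L option is
# left, which is handed back to a human because it discards the journal.
repair_root() {
    dev=$1
    out=$(xfs_repair "$dev" 2>&1) && return 0
    if printf '%s\n' "$out" | needs_log_replay; then
        echo "log is dirty; mounting and unmounting to replay it"
        if mount "$dev" /sysroot && umount /sysroot; then
            xfs_repair "$dev" && return 0
        fi
    fi
    echo "xfs_repair did not finish cleanly. Last resort, by hand: xfs_repair -L $dev" >&2
    return 2
}

# Full flow; only meaningful inside the initramfs shell.
main() {
    lvm vgchange -ay >/dev/null 2>&1   # harmless when there is no LVM
    dev=$(blkid | pick_root_device)
    [ -n "$dev" ] || { echo "could not identify the root device from blkid" >&2; return 1; }
    echo "root device: $dev"
    repair_root "$dev" || return $?
    mount "$dev" /sysroot || return 1
    echo "test mount succeeded; remaining fstab entries to review:"
    nonessential_fstab_entries < /sysroot/etc/fstab
    echo "type exit to continue booting"
}

# Constructed sample inputs (not from a real system) for exercising the parsers.
SAMPLE_BLKID='/dev/sda1: UUID="11111111-aaaa" BLOCK_SIZE="512" TYPE="xfs" PARTUUID="0001"
/dev/sda2: UUID="22222222-bbbb" TYPE="LVM2_member" PARTUUID="0002"
/dev/mapper/rl-root: UUID="33333333-cccc" BLOCK_SIZE="512" TYPE="xfs"
/dev/mapper/rl-swap: UUID="44444444-dddd" TYPE="swap"'
SAMPLE_DIRTY='ERROR: The filesystem has valuable metadata changes in a log which needs to be replayed.  Mount the filesystem to replay the log, and unmount it before re-running xfs_repair.'
SAMPLE_FSTAB='/dev/mapper/rl-root  /      xfs   defaults  0 0
UUID=11111111-aaaa   /boot  xfs   defaults  0 0
/dev/sdb1            /data  xfs   defaults  0 0
/dev/mapper/rl-swap  none   swap  defaults  0 0'

# Run as: sh repair-root.sh run   (inside the dracut shell)
if [ "${1:-}" = "run" ]; then
    main
fi
```

Keeping -L out of the automated path is the point: zeroing the log is the one step here that destroys data, so the script prints the exact command and exits instead of running it.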


Summary

The "Failed to mount /sysroot" error is intimidating, but xfs_repair is a robust tool.

  1. Use blkid to find your device.

  2. Use lvm vgchange -ay if using LVM.

  3. Run xfs_repair /dev/device-name.

  4. Use -L only if absolutely necessary.

Friday, December 5, 2025

How to Configure OPNsense (Rift Raven) with du Internet

 

Switching from a standard ISP router to a dedicated firewall like the Rift Raven gives you enterprise-grade control over your network. However, connecting it to a du (Nokia ONT) connection involves navigating MAC address locking, private WAN IPs, and NAT configurations.

This guide walks through the successful configuration, specifically tailored for a setup requiring a large internal network (/22 subnet) and handling "Double NAT" scenarios.

Phase 1: The Hardware & Cabling

Before touching the software, the physical connections must be correct. The Rift Raven typically has 2 ports: Port 1 (WAN) and Port 2 (LAN).

The Setup

  1. The Source (du): Locate the white/black Nokia ONT on your wall. Find the active LAN port (usually LAN 1 or GE 1).

  2. The Bridge: Connect an Ethernet cable from Nokia LAN 1 directly to Rift Raven Port 1 (WAN).

  3. The Local Network: Connect Rift Raven Port 2 (LAN) to your PC (for setup) or to a Gigabit Switch.

    • Note: Since the Raven only has one LAN port, a switch is required to connect the rest of your home’s wall sockets (Patch Panel).

Critical Step: The "Handshake" Reset

du’s Nokia ONT locks onto the MAC address of the device connected to it. If you simply unplug your old router and plug in the Raven, it will likely block the connection.

The Fix:

  1. Unplug power from the Nokia ONT.

  2. Unplug power from the Rift Raven.

  3. Wait 5 full minutes. (This clears the active session at the exchange).

  4. Power on the Nokia ONT and wait for the "PON/Optical" light to turn solid green.

  5. Power on the Rift Raven.


Phase 2: OPNsense Initial Configuration

Access the OPNsense interface (default: https://192.168.1.1) and run the Wizard.

WAN Settings (For du)

  • Type: DHCP (du uses IPoE, not PPPoE, so no username/password is needed).

  • Block Private Networks: UNCHECK (Crucial: See Phase 4).

  • Block Bogon Networks: UNCHECK.

LAN Settings (The Custom /22 Range)

We configured the LAN to be larger than a standard home network to avoid IP exhaustion.

  • IP Address: 192.168.0.1

  • Subnet Mask: /22 (255.255.252.0)

  • Range: This provides IPs from 192.168.0.1 to 192.168.3.254.

Tip: If changing the LAN IP locks you out of the web interface, use the physical console (VGA/HDMI + Keyboard) and select Option 2 to reset the interface IP.


Phase 3: Troubleshooting "No Internet" (The Gateways)

Once connected, you might see the WAN interface turn green, but devices on the LAN cannot access the internet. This is usually due to two specific issues found in du setups.

Issue 1: The "Double NAT" Problem

The Nokia ONT often acts as a router, assigning the Raven a private IP (e.g., 192.168.70.x) instead of a public one. OPNsense sees this "Private" WAN IP and assumes it shouldn't route traffic out to it.

The Fix: Hybrid Outbound NAT

  1. Go to Firewall > NAT > Outbound.

  2. Change Mode to Hybrid outbound NAT rule generation.

  3. Click Save and Apply.

  4. Ensure a rule exists mapping LAN net to WAN interface.

Issue 2: The Gateway Trap (Critical Configuration Error)

A common mistake is assigning a Gateway to the LAN interface.

  • The Error: In System > Gateways, you might see a gateway named LAN_GW pointing to 192.168.0.1.

  • The Consequence: This creates a routing loop. OPNsense tries to send internet traffic back into the LAN port.

The Fix:

  1. Go to System > Gateways > Configuration.

  2. Delete any Gateway associated with the LAN interface.

  3. Go to Interfaces > [LAN].

  4. Ensure IPv4 Upstream Gateway is set to Auto-detect or None.


Phase 4: Validating the Connection

To confirm everything is working, perform these tests in order:

1. Test from the Firewall (Diagnostics)

Go to Interfaces > Diagnostics > Ping.

  • Ping 8.8.8.8 (Source: WAN): Success means the Raven connects to the internet.

  • Ping google.com (Source: WAN): Success means DNS is working.

2. Test from a LAN Device (PC/Laptop)

Open a command prompt on your computer.

  • ping 8.8.8.8

  • If it fails: It is likely a NAT issue (See Phase 3, Issue 1).

  • If it works: You are online.
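An added script, not part of the original guide, covering Issue 1 of Phase 3 and the LAN-side test of Phase 4: it classifies the address the ONT handed to the WAN interface as RFC 1918 private or public, which is the quickest way to tell that you are behind Double NAT (and why "Block private networks" has to stay unchecked), and it runs the Phase 4 checks from a LAN device in an order that points at the failing layer. Assumptions: the LAN is 192.168.0.0/22 with the firewall at 192.168.0.1 as configured above, and ping and nslookup exist on the LAN device.

```shell
#!/bin/sh
# Added example, not from the guide: recognise the Double NAT situation from the
# WAN address, and run the Phase 4 checks from a LAN device.
# Assumes LAN 192.168.0.0/22 with OPNsense at 192.168.0.1, ping and nslookup present.

# Return 0 if $1 is an RFC 1918 private IPv4 address, 1 if public, 2 if malformed.
is_private_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 2
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 2 ;; esac
        [ "$octet" -le 255 ] || return 2
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# Describe the WAN situation from the address OPNsense received via DHCP:
# "double-nat" means the ONT is routing, so keep "Block private networks"
# unchecked and use Hybrid outbound NAT (Phase 3, Issue 1).
wan_verdict() {
    is_private_ipv4 "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "double-nat" ;;
        1) echo "public" ;;
        *) echo "invalid" ;;
    esac
}

# Return 0 if $1 falls inside the LAN range 192.168.0.0/22 used in this guide
# (192.168.0.0 to 192.168.3.255), so a client address can be sanity-checked.
in_lan_22() {
    is_private_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && [ "$3" -le 3 ]
}

# The Phase 4 sequence from a LAN device, one step at a time so that the first
# failure names the layer to look at. $1 = firewall LAN address.
lan_checks() {
    fw=${1:-192.168.0.1}
    if ping -c 1 -W 2 "$fw" >/dev/null 2>&1; then
        echo "LAN -> firewall: ok"
    else
        echo "LAN -> firewall: FAIL (cabling or LAN IP)"; return 1
    fi
    if ping -c 1 -W 2 8.8.8.8 >/dev/null 2>&1; then
        echo "LAN -> internet: ok"
    else
        echo "LAN -> internet: FAIL (outbound NAT, see Phase 3 Issue 1)"; return 1
    fi
    if nslookup google.com >/dev/null 2>&1; then
        echo "DNS: ok"
    else
        echo "DNS: FAIL (resolver or forwarder)"; return 1
    fi
}

# Run as: sh lan-check.sh <wan-address>   e.g. sh lan-check.sh 192.168.70.23
if [ $# -ge 1 ]; then
    echo "WAN address $1: $(wan_verdict "$1")"
    lan_checks
fi
```

The 192.168.70.x address mentioned in Issue 1 lands in the "double-nat" case; a public address on the WAN would mean the ONT is bridging and the NAT rule is not the thing to chase.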


Summary Checklist for Future Reference

If you ever reset the device, follow this "Golden Config":

  • [ ] WAN Interface: DHCP enabled, "Block Private Networks" Unchecked.

  • [ ] WAN Gateway: Monitor IP set to 8.8.8.8 (Disable Gateway Monitoring unchecked).

  • [ ] LAN Interface: Static IP (192.168.0.1/22), Upstream Gateway set to None.

  • [ ] NAT: Outbound NAT set to Hybrid.

  • [ ] Cabling: Nokia LAN 1 → Raven WAN. Raven LAN → Switch.

Final Note on Hardware: Because the Rift Raven has limited ports, ensure your Gigabit Switch is connected to the Raven's LAN port to distribute the connection to the rest of your home's patch panel (D-5, etc.).

Monday, October 27, 2025

Enable Hibernation in Fedora 42 (With Power Menu Integration)

Fedora 42 is a leading-edge Linux distribution, but hibernation isn’t enabled out of the box. Here’s a step-by-step guide to enable hibernation, resolve common SELinux issues, and add a Hibernate button to the GNOME power menu.

Why Hibernation?

Hibernation saves your entire session by writing RAM to disk and powering off. Next time you boot, everything resumes exactly where you left off: perfect for laptops and desktop users who want to save battery or avoid losing work during shutdowns.

Prerequisites

  1. UEFI System: Hibernation setup is simpler on UEFI. Run bootctl to confirm; if you see “Not booted with EFI,” a more manual approach is needed.
  2. Adequate Disk Space: You’ll need a swap file at least as large as your RAM.
  3. SELinux Consideration: SELinux can block hibernation; check the troubleshooting below.

Step 1: Create and Enable Swap

Open your terminal and enter:

SWAPSIZE=$(free | awk '/Mem/ {x=$2/1024/1024; printf "%.0fG", (x<2 ? 2*x : x<8 ? 1.5*x : x) }')
sudo btrfs subvolume create /var/swap
sudo chattr +C /var/swap
sudo restorecon /var/swap
sudo mkswap --file -L SWAPFILE --size $SWAPSIZE /var/swap/swapfile
sudo bash -c 'echo /var/swap/swapfile none swap defaults 0 0 >>/etc/fstab'
sudo swapon -av

This ensures a reliable swap setup compatible with Btrfs and systemd.

Step 2: Configure Dracut for Hibernation

To make systemd aware of your new swap location:

echo 'add_dracutmodules+=" resume "' | sudo tee /etc/dracut.conf.d/resume.conf
sudo dracut -f

Test it with:

systemctl hibernate

After reboot, your session should restore automatically.

Step 3: Fix “Access Denied” (SELinux)

If you get Call to Hibernate failed: Access denied, fix permissions:

sudo semanage fcontext -a -t swapfile_t '/var/swap(/.*)?'
sudo restorecon -RF /var/swap

If issues persist, generate and install a SELinux policy:

sudo setenforce 0      # Temporarily disable enforcement for testing
sudo systemctl hibernate
sudo setenforce 1      # Return to enforcing mode

# If hibernate works, make it permanent
sudo audit2allow -b -M systemd_hibernate
sudo semodule -i systemd_hibernate.pp

This sets the required access permissions for hibernation and keeps SELinux enabled for security.

Step 4: Add Hibernate Button to Power Menu (GNOME)

Fedora’s GNOME desktop doesn’t show Hibernate by default. Here’s how to add it:

Install the GNOME browser connector:

sudo dnf install gnome-browser-connector

Visit Hibernate Status Button Extension in your browser and toggle ON.


Enable the extension in the Extensions app, or via CLI:

gnome-extensions enable hibernate-status@dromi

Restart GNOME Shell (Alt+F2, type r, press Enter).

You’ll now see Hibernate in the top-right Power menu, making it easy to hibernate from the GUI.

Step 5: Configure Power Button for Hibernate

Want the physical power button to hibernate? Edit /etc/systemd/logind.conf:

HandlePowerKey=hibernate

Restart logind to apply:

sudo systemctl restart systemd-logind

Troubleshooting

Swap too small? Use at least as much as your RAM, possibly up to 1.5x for systems under 8 GB.
Button won’t appear? Ensure systemctl hibernate works, and that the GNOME Shell extension is compatible.
SSD concerns: Hibernation writes the entire RAM to disk, which is convenient but means more SSD writes over time. If worried, use suspend instead.


Tuesday, July 8, 2025

Checking Network Connections on Windows Servers

When you're managing Windows servers, being able to quickly check network connections is essential. This helps in troubleshooting issues like applications not connecting, or services not communicating. We'll look at some straightforward commands to help you diagnose these problems.


TESTING SPECIFIC CONNECTIONS (PowerShell)

The Test-NetConnection command is a powerful tool in PowerShell for checking connectivity to a specific IP address and port.

  • How to use it:

    test-netconnection IPAddress -port XXXXX

  • Replace IPAddress with the actual IP address of the server you're trying to reach.

  • Replace XXXXX with the specific port number that the service (like a license server) is listening on.

This command will tell you if a connection can be established, making it great for verifying if a service is reachable on a particular port.


USING TELNET FOR BASIC CONNECTIVITY

Telnet is a simple command-line tool that can test connectivity to a port. It's often used to see if a port is open and listening.

  • ENABLING TELNET CLIENT

    By default, the Telnet Client might not be installed on Windows Server. You need to enable it first.

    dism /online /Enable-Feature /FeatureName:TelnetClient

    This command uses DISM (Deployment Image Servicing and Management) to add the Telnet Client feature.

  • TESTING WITH TELNET

    Once enabled, you can use Telnet to test a connection.

    telnet -a IPAddress XXXXX

    Again, replace IPAddress with the target server's IP and XXXXX with the port. If you see a blank screen or a connection successful message, it usually means the port is open. If it fails quickly, the port might be blocked or the service isn't running.


VIEWING ACTIVE NETWORK CONNECTIONS (NETSTAT)

netstat is a command-line utility that displays active network connections, routing tables, and a number of network interface statistics. It's great for seeing what your server is connected to, and what ports it's listening on.

  • SHOW ALL CONNECTIONS AND LISTENING PORTS

    netstat -a

    This command will list all active TCP connections and the TCP and UDP ports on which the computer is listening.

  • SHOW NUMERICAL ADDRESSES AND PORT NUMBERS

    netstat -n

    This variation shows addresses and port numbers in their numerical form, which can be quicker and avoid DNS lookups.


MANAGING WINDOWS FIREWALL (NETSH ADVFIREWALL)

The Windows Firewall can often be the reason why connections aren't working. The netsh advfirewall command allows you to view and manage firewall settings.

  • SHOW ALL FIREWALL PROFILES

    netsh advfirewall show allprofiles

    This command displays the settings for all firewall profiles (Domain, Private, and Public).

  • CHECK SPECIFIC FIREWALL PROFILES

    You can check the status of individual profiles:

    netsh advfirewall show domainprofile

    netsh advfirewall show privateprofile

    netsh advfirewall show publicprofile

    These commands show the specific settings for the domain, private, or public network profiles respectively.

  • CHANGE FIREWALL PROFILE STATE

    You can enable or disable firewall profiles if needed, though this should be done with caution.

    netsh advfirewall set allprofiles state [on/off]

    Replace [on/off] with on to enable or off to disable all profiles.