• Secondary WAN IP on Edgerouter

    3
    1 Votes
    3 Posts
    258 Views
    JaredBuschJ

    No access to the GUI from where I am right now. But here is what I have configured to handle something similar.

    In this case,
    eth0 = WAN - 107.182.76.27
    eth1 = LAN1 (10.8.25.0/24) - My network with webservers and stuff 10.8.25.100 = Nginx proxy
    eth2 = LAN2 (10.99.0.0/24) - Friend's network with his own router behind this (yes, he's double NAT'd).

    Friend uses his own DNS and thus when he tries to get to one of my webservers, he attempts to hit the public IP. The router understands this but cannot hairpin because he is on a different LAN than the port-forward rules.

    set port-forward auto-firewall enable
    set port-forward hairpin-nat enable
    set port-forward lan-interface eth1
    ...rules here...
    set port-forward wan-interface eth0

    So I had to make hairpin rules for him. Your setup would be similar.

    Rule 1 (port 443) and rule 2 (port 80) look for traffic coming in on eth2 that is destined for the WAN IP and send that traffic to the Nginx proxy instead.

    set service nat rule 1 description 'Dwarf LAN HTTPS Hairpin'
    set service nat rule 1 destination address 107.182.76.27
    set service nat rule 1 destination port 443
    set service nat rule 1 inbound-interface eth2
    set service nat rule 1 inside-address address 10.8.25.100
    set service nat rule 1 inside-address port 443
    set service nat rule 1 log disable
    set service nat rule 1 protocol tcp
    set service nat rule 1 type destination
    set service nat rule 2 description 'Dwarf LAN HTTP Hairpin'
    set service nat rule 2 destination address 107.182.76.27
    set service nat rule 2 destination port 80
    set service nat rule 2 inbound-interface eth2
    set service nat rule 2 inside-address address 10.8.25.100
    set service nat rule 2 inside-address port 80
    set service nat rule 2 log disable
    set service nat rule 2 protocol tcp
    set service nat rule 2 type destination

    I don't recall why I made masquerade rules (5001 & 5002). I am not sure these are needed. I was significantly not sober when this was implemented.

    set service nat rule 5001 description 'Dwarf LAN HTTPS Hairpin'
    set service nat rule 5001 destination address 10.8.25.100
    set service nat rule 5001 destination port 443
    set service nat rule 5001 log disable
    set service nat rule 5001 outbound-interface eth2
    set service nat rule 5001 protocol tcp
    set service nat rule 5001 source address 10.99.0.0/24
    set service nat rule 5001 type masquerade
    set service nat rule 5002 description 'Dwarf LAN HTTP Hairpin'
    set service nat rule 5002 destination address 10.8.25.100
    set service nat rule 5002 destination port 80
    set service nat rule 5002 log disable
    set service nat rule 5002 outbound-interface eth2
    set service nat rule 5002 protocol tcp
    set service nat rule 5002 source address 10.99.0.0/24
    set service nat rule 5002 type masquerade
    set service nat rule 5999 description 'masquerade for WAN'
    set service nat rule 5999 outbound-interface eth0
    set service nat rule 5999 type masquerade

    No firewall rules at this time. I still need to implement that to keep his stuff off my network except for the proxy. Maybe I'll go drink with him tonight and do that.

  • Spiceworks Custom CSS HelpDesk Theme

    6
    0 Votes
    6 Posts
    452 Views
    stacksofplatesS

    @G-I-Jones said in Spiceworks Custom CSS HelpDesk Theme:

    Anyone here using Spiceworks played with the CSSpice plugin?

    Has anyone figured out a way to change icons?

    It might be a little tedious for all of the icons, but if you want to change a main logo or something you can just base64 encode an image and use that as your CSS.

    I took a picture of the Rancher logo and did that to show you:

    [image: base64.png]

    Just do:

    some-item { background: url("data:image/png;base64,<base64 encoded string>"); }

    Don't use image/png if it's not a png, use the correct format.

  • 7 Votes
    3 Posts
    4k Views
    wrx7mW

    @jt1001001 Thanks. If you are running from PDQ deploy, you won't see anything. But, if you are doing it from PS/ISE or similar, that would be a great help.

  • Naming your Apple computer via the CLI

    2
    2 Votes
    2 Posts
    689 Views
    DustinB3403D

    I've added this to a larger script that I use, but if you only wanted to automate the naming process the above would work for you.

    Else just remove the header #!/bin/sh and add the reset to any setup scripts that you have to automate this portion of the setup.

  • Is a virtual firewall (router) more secure than a physical firewall?

    8
    0 Votes
    8 Posts
    418 Views
    FredtxF

    Thanks everyone for y'all's input, as I value the knowledge. This all makes perfect sense. I was just chatting with my colleagues about these details and they are making sense of it too.

  • Need video recording software for Fedora

    Solved
    33
    1 Votes
    33 Posts
    4k Views
    JaredBuschJ

    @DustinB3403 said in Need video recording software for Fedora:

    I assume you're going to be looking to do production quality work with this then?

    Meh, down the road, sure. Right now, I feel it is more important to get content created in order to even get an idea on how well it will work for our goal.

    Production quality can be hired if it is found to be worth that cost.

  • Cron Job - Troobleshooting

    16
    2 Votes
    16 Posts
    1k Views
    IRJI

    @Curtis said in Cron Job - Troobleshooting:

    So I just figured out that at least part of the script is running; however, rclone doesn't seem to be syncing the data to the cloud. Maybe I'll break the script into 2 parts to troubleshoot. Funny thing is, when I run it manually, it works great.

    Are you testing as root when running manually?

  • 0 Votes
    45 Posts
    7k Views
    F

    @scottalanmiller said in Microsoft Office - Licensing Questions For 3 Scenarios:

    @flaxking said in Microsoft Office - Licensing Questions For 3 Scenarios:

    I think you must be missing what's going on here. This removes the requirement to integrate more directly with MS Office, instead relying on a separate library that is provided standalone from Office and thus allows saving to Excel. We've had zero issues with using this library, which is actually pretty uncommon for us.

    The issue is flexibility. Using third-party libraries, you can integrate with Excel or with anything else. Using the Office libraries, every user, in every system, is bound by the limitations of the most problematic. It makes deployments more costly, and more complex.

    That's true; it's the kind of self-perpetuating lock-in that has served Microsoft so well. People use Excel, and they ask for saving to an Excel spreadsheet, so we create the integration specially to allow Excel and not include ODF, then we help keep the industry locked into using Excel because that's all we support unless you want to just save to CSV.

    As for the cost and complexity of deployments... that could be true, except that the installation of our main software is already so complex and costly that dealing with potentially installing this library is the easiest part. I think we probably only have one other developer who would be able to figure out how to install it. I've never heard of any client's IT that have been able to figure out how to install it (just calls from those who have tried), client services has to do literally every install.

  • deleted/corrupt partition

    7
    1 Votes
    7 Posts
    577 Views
    hobbit666H

    @PhlipElder said in deleted/corrupt partition:

    @pattonb GetDataBack by Run Time Software. Used it recently to recover data from an Apple MacBook Air SSD

    Yeah I've used GetDataBack several times with different levels of recovery.

  • Why Let’s Encrypt is a really, really, really bad idea…

    51
    0 Votes
    51 Posts
    6k Views
    scottalanmillerS

    @Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

    @scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:

    @Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

    @scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:

    @ingmarkoecher said in Why Let’s Encrypt is a really, really, really bad idea…:

    @stacksofplates Yes, but it's also about preventing imposters - so you know that who you're talking to is who they claim they are.

    This is true.... only so far as preventing a man in the middle attack. It doesn't tell you that you selected the right person in the first place, which is how people will read that.

    Not really. I can create a cert that says I'm [email protected] or an SSL cert for my server that says facebook.com. A browser may not trust it by default because it comes from my own CA, but that's beside the point.

    No one is discussing your own CA though. The CA mechanism is based on trusted roots.

    I responded to certs specifically, regardless of context.

    And you are correct, in that context. But that's not what context we were thinking of.

  • BitTorrent/P2P technology for distributed file transfer of large files?

    13
    0 Votes
    13 Posts
    454 Views
    ObsolesceO

    @notverypunny said in BitTorrent/P2P technology for distributed file transfer of large files?:

    I would add the caveat to test first...

    That always goes without saying, it's part of the development process. I take it testing things first is a new concept for you?

  • Another Cron issue - reboot

    5
    1 Votes
    5 Posts
    215 Views
    scottalanmillerS

    @hobbit666 said in Another Cron issue - reboot:

    @IRJ @DustinB3403 will give that a try tomorrow if I get a chance otherwise Sunday

    Don't do it as a user, as IRJ says. This is because Cron does not use sudo. That would not make sense, if you dig into it.

    Here is why....

    The reason you put a cron job under a user is to act as that user. If cron tried to sudo, you'd lose the ability for users with sudo access to act as themselves, compromising security and limiting functionality.

    Any user with sudo access to root can put the cron job that they want directly under root itself, so #1 doesn't limit their functionality in any way, it only gives them more functionality.

    If it used sudo, tracking down where root level things were happening would become enormously difficult, instead of being centralized.

  • SAS Drives RPMs

    15
    0 Votes
    15 Posts
    645 Views
    scottalanmillerS

    @Markferron said in SAS Drives RPMs:

    @scottalanmiller Thanks, figured as much.

    Things like fragmentation are real, and will slow the "storage subsystem" in most cases. But that's not the same as the drive slowing. The drive itself works at a predictable speed that only varies when a block cannot be read and the drive has to try again. But even that speed is predictable. So the mechanical speed of the drive never varies (over time), but the throughput of data pulled from the drive can vary based on the rate of magnetic failure. But once that has any real effect, the drive is toast anyway.

  • Fail Fast, Not Twice

    3
    4 Votes
    3 Posts
    225 Views
    wrx7mW

    Bookmarking site. Thanks @IRJ!

  • Wget - Download a Web Dashboard For Local Viewing?

    8
    0 Votes
    8 Posts
    1k Views
    wrx7mW

    @Pete-S said in Wget - Download a Web Dashboard For Local Viewing?:

    Here is Firefox headless mode:
    Firefox uses the same browser, just run with the headless switch. Works from version 57 and newer.
    https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Headless_mode

    Thanks. I won't be able to use this with brightsign, but it might work if I have to run windows for a site that I can't view a public dashboard.

  • Onlyoffice vs Collabora in Nextcloud

    70
    0 Votes
    70 Posts
    14k Views
    brandon220B

    Update:
    I was able to get it working with a self-signed certificate and the functionality is great. I had NC connected to the OO server with https://localip. That worked fine, but once I left my LAN, from the web it tried to resolve the local IP. That of course will not work, and it does zero good to only work while you are on the LAN. I was unsuccessful at getting the self-signed cert to work behind the nginx reverse proxy.
    Is it possible to just have nginx forward http to the OO server and:

    - Allow Letsencrypt to verify and issue the certs
    - Actually function behind the proxy if the actual cert is on the OO server directly

    I cannot find any good documentation of OO working properly behind the reverse proxy in the normal sense.

  • Melanox vs FS

    4
    0 Votes
    4 Posts
    442 Views
    scottalanmillerS

    Mellanox definitely has the name and reputation in this case, if that means anything. But saving money is saving money 🙂

  • Which Hosted PBX Provider?

    21
    0 Votes
    21 Posts
    2k Views
    J

    @JaredBusch said in Which Hosted PBX Provider?:

    @JasGot said in Which Hosted PBX Provider?:

    I am an Intermedia Reseller and I can't stand their system. Plus as a partner, the end user cannot call Intermedia for support. This is no fun.

    Are you looking for a reseller/partner solution? Then I would look at 3CX They have the business model.

    Yes. I want to interact with the end user for config of features only (OS and app maintenance handled by anyone other than me) and I want revenue from the sale of hardware and setup, and I want recurring revenue from monthly fees. The recurring revenue must be charged to me so I can bill the customer at my rates.

  • Subnet Migration problems

    12
    0 Votes
    12 Posts
    480 Views
    notverypunnyN

    @Dashrender
    Yeah, further troubleshooting shows that DMZ1 can't initiate communication to anything that's on the other side of the FG. Will be testing against stuff in the management subnet tomorrow. Also going to try enabling asymmetric routing as a short-term test. Otherwise it's going to have to be an all-at-once move, which we were hoping to avoid.

    Thanks to all for the suggestions and just for a place to get this out of my head and somewhat organised.

  • Raspberry Pi 4

    14
    3 Votes
    14 Posts
    2k Views
    J

    @JaredBusch said in Raspberry Pi 4:

    I look forward to getting one of these and seeing if it can now run Netflix/Crunchyroll better. The Pi3 could not do it well.

    Please post after your test.