ติดตั้ง Graylog บน Debian12 เพื่อเก็บ Log การใช้งาน Internet

1. อัปเดตระบบ
ก่อนอื่น อัปเดตระบบให้เป็นเวอร์ชันล่าสุด:
root@serv:/home/teee# apt update && sudo apt upgrade -y
root@serv:~# dpkg-reconfigure tzdata
เลือก zone เวลาประเทศไทย Bangkok/Thailand

2. ติดตั้ง Java
Graylog ต้องการ Java 11 หรือสูงกว่า ติดตั้ง OpenJDK 11:
root@serv:/home/teee# sudo apt install openjdk-11-jre-headless -y
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
Package openjdk-11-jre-headless is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package ‘openjdk-11-jre-headless’ has no installation candidate

ถ้าขึ้น Error แบบนี้แสดงว่า ไม่มีแพคเกจนี้ใน repository ให้ลองทำการค้นหาดูก่อน
root@serv:/home/teee# apt-get install aptitude -y
root@serv:/home/teee# aptitude search openjdk
Warning: Invalid locale (please review locale settings, this might lead to problems later):
locale::facet::_S_create_c_locale name not valid

i openjdk-17-jdk-headless – OpenJDK Development Kit (JDK) (headless)

root@serv:/home/teee# apt-get install openjdk-17-jdk-headless -y

ตรวจสอบเวอร์ชัน Java:
root@serv:/home/teee# java -version
openjdk version “17.0.13” 2024-10-15
OpenJDK Runtime Environment (build 17.0.13+11-Debian-2deb12u1)
OpenJDK 64-Bit Server VM (build 17.0.13+11-Debian-2deb12u1, mixed mode, sharing)

3. ติดตั้ง Elasticsearch
Graylog ไม่รองรับ Elasticsearch เวอร์ชัน 8.17.1 เนื่องจาก Graylog รองรับเพียง Elasticsearch เวอร์ชัน 7.x เท่านั้น (ณ เวอร์ชันที่คุณใช้อยู่ 6.1.5) รวมถึง OpenSearch 1.x หรือ 2.x

ถ้ามี version ใหม่กว่าให้ลบออกแล้วลงเวอร์ชัน 7.x

sudo systemctl stop elasticsearch
sudo apt remove --purge elasticsearch -y
sudo apt autoremove -y
sudo rm -rf /etc/elasticsearch /var/lib/elasticsearch

root@serv:~# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

root@serv:~# apt update
root@serv:~# apt install elasticsearch=7.17.10 -y
root@serv:/home/teee# nano /etc/elasticsearch/elasticsearch.yml
#TEEE
cluster.name: graylog
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 127.0.0.1
http.port: 9200
transport.port: 9300
cluster.initial_master_nodes: ["127.0.0.1"]

AddNewUser
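root@serv:/home/teee# /usr/share/elasticsearch/bin/elasticsearch-users useradd teee -p (MyPassword) -r superuser
(หมายเหตุ: การใส่รหัสผ่านหลัง -p จะทำให้รหัสผ่านค้างอยู่ใน shell history หากไม่ระบุ -p คำสั่งจะถามรหัสผ่านให้พิมพ์แทน)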
root@serv:/home/teee# cat /etc/elasticsearch/users
teee:$2a$10$239MhoPHF5SOYhzs4/x92uFJnvEDpzCpeB9LE6pLCQaxCHE.wYX4m

ทดสอบการล็อกอินหลังเพิ่มผู้ใช้งานใหม่แล้ว ให้ทดสอบการล็อกอินด้วย curl:
root@serv:/etc/graylog/server# curl -u teee:MyPassword -X GET http://127.0.0.1:9200
{
“name” : “node-1”,
“cluster_name” : “graylog”,
“cluster_uuid” : “EqZOdYvFQ1ehJazh-Olfiw”,
“version” : {
“number” : “7.17.10”,
“build_flavor” : “default”,
“build_type” : “deb”,
“build_hash” : “fecd68e3150eda0c307ab9a9d7557f5d5fd71349”,
“build_date” : “2023-04-23T05:33:18.138275597Z”,
“build_snapshot” : false,
“lucene_version” : “8.11.1”,
“minimum_wire_compatibility_version” : “6.8.0”,
“minimum_index_compatibility_version” : “6.0.0-beta1”
},
“tagline” : “You Know, for Search”
}

root@serv:/home/teee# systemctl daemon-reload
root@serv:/home/teee# systemctl enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.
root@serv:/home/teee# systemctl start elasticsearch
root@serv:/home/teee# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 502/mongod
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 517/sshd: /usr/sbin
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 2069/java <–ElasticSearch
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 2069/java <–ElasticSearch
tcp6 0 0 :::22 :::* LISTEN 517/sshd: /usr/sbin

4. ติดตั้ง MongoDB
Graylog ใช้ MongoDB เป็นฐานข้อมูล ติดตั้ง MongoDB:
Ref >> https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-debian/
Install MongoDB Community Edition

root@serv:/home/teee# apt-get install gnupg curl
root@serv:/home/teee# curl -fsSL https://www.mongodb.org/static/pgp/server-8.0.asc | \
sudo gpg -o /usr/share/keyrings/mongodb-server-8.0.gpg \
--dearmor

root@serv:/home/teee# echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-8.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/8.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-8.0.list

root@serv:/home/teee# sudo apt-get update
root@serv:/home/teee# sudo apt-get install -y mongodb-org
root@serv:/home/teee# systemctl start mongod
root@serv:/home/teee# systemctl daemon-reload
root@serv:/home/teee# systemctl status mongod
● mongod.service – MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; disabled; preset: enabled)
Active: active (running) since Thu 2025-01-30 02:29:30 EST; 21s ago
Docs: https://docs.mongodb.org/manual
Main PID: 4198 (mongod)
Memory: 99.4M
CPU: 795ms
CGroup: /system.slice/mongod.service
└─4198 /usr/bin/mongod –config /etc/mongod.conf

root@serv:/home/teee# systemctl enable mongod
Created symlink /etc/systemd/system/multi-user.target.wants/mongod.service → /lib/systemd/system/mongod.service.

5. ติดตั้ง Graylog
ดาวน์โหลดและติดตั้ง Graylog:
Ref >> https://packages.graylog2.org/debian/dists/stable
Ref >> https://go2docs.graylog.org/current/downloading_and_installing_graylog/installing_graylog.html#operating-system-packages

root@serv:/home/teee# wget https://packages.graylog2.org/repo/packages/graylog-6.1-repository_latest.deb
root@serv:/home/teee# sudo dpkg -i graylog-6.1-repository_latest.deb
root@serv:/home/teee# sudo apt-get update
root@serv:/home/teee# apt-get install graylog-server -y

สร้างรหัสผ่านสำหรับ password_secret และ root_password_sha2:
root@serv:/home/teee# apt-get install pwgen
root@serv:/home/teee# pwgen -N 1 -s 96
sCRa5Fkln0DIcesA92N3YRBFuPANWTh7XZbe1qMLe0jxqWqAUnujrpN23Eje66VjwiknOb8n2aWqffqFc1vHe89vPrQWNrL1

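echo -n "รหัสผ่านของคุณ" | sha256sum
(ตัวอย่างถัดไปใช้รหัสผ่าน admin เพื่อสาธิตเท่านั้น เมื่อใช้งานจริงควรตั้งรหัสผ่านที่คาดเดายาก และสร้างค่า password_secret ขึ้นใหม่เอง ไม่นำค่าในบทความนี้ไปใช้)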

root@serv:/home/teee# echo -n admin | sha256sum
8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

แก้ไขไฟล์คอนฟิก Graylog:

เพิ่มหรือแก้ไขบรรทัดต่อไปนี้:
password_secret = <รหัสที่สร้างจาก pwgen> sCRa5Fkln0DIcesA92N3YRBFuPANWTh7XZbe1qMLe0jxqWqAUnujrpN23Eje66VjwiknOb8n2aWqffqFc1vHe89vPrQWNrL1
root_password_sha2 = <รหัสที่สร้างจาก sha256sum> 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = http://127.0.0.1:9200
mongodb_uri = mongodb://localhost/graylog
elasticsearch_hosts = http://127.0.0.1:9200
elasticsearch_username = teee
elasticsearch_password = MyPassword

root@serv:/home/teee# nano /etc/graylog/server/server.conf
root@serv:/home/teee# systemctl status graylog-server
● graylog-server.service – Graylog server
Loaded: loaded (/lib/systemd/system/graylog-server.service; enabled; preset: enabled)
Active: active (running) since Thu 2025-01-30 03:16:20 EST; 1min 23s ago
Docs: http://docs.graylog.org/
Main PID: 5466 (graylog-server)
Tasks: 31 (limit: 4643)
Memory: 324.2M
CPU: 7.262s
CGroup: /system.slice/graylog-server.service
├─5466 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─5467 /usr/share/graylog-server/jvm/bin/java -Xms1g -Xmx1g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknow>

ตรวจสอบ Log ของ Graylog:
root@serv:~# tail -f /var/log/graylog-server/server.log
======================================================================================

It seems you are starting Graylog for the first time. To set up a fresh install, a setup interface has
been started. You must log in to it to perform the initial configuration and continue.

Initial configuration is accessible at 0.0.0.0:9000, with username ‘admin’ and password ‘SuTAuVqwmF’.
Try clicking on http://admin:SuTAuVqwmF@0.0.0.0:9000

======================================================================================

http://(IP Address):9000

Wi-Fi Web Authentication Project

Wifi Project

1. Debian 12.8.0
2. MariaDB 10.11.6
3. Apache 2.4.62
4. Php 8.2.26
5. phpMyAdmin 5.2.1
6. FreeRadius 3.2.1
7. daloradius 2.2 beta

 

root@san:/home/teee# apt-get install sudo net-tools -y
root@san:/home/teee# sudo locale-gen

== MariaDB ==

root@san:/home/teee# apt-get install mariadb-server mariadb-client
root@san:/home/teee# mysql_secure_installation
Enter current password for root (enter for none):
Switch to unix_socket authentication [Y/n] y
Change the root password? [Y/n] y
New password: SecurePass
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
… Success!

Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

== apache2 ==
root@san:/home/teee# apt-get install apache2 apache2-doc

== PHP ==
root@san:/home/teee# apt-get install php libapache2-mod-php php-mysql php-common php-gd php-mbstring php-curl php-xml

root@san:/home/teee# nano /etc/apache2/mods-available/dir.conf
#DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
DirectoryIndex index.php index.html index.cgi index.pl index.php index.$

root@san:/home/teee# systemctl restart apache2

== Perl ==
root@san:/home/teee# apt-get install perl libapache2-mod-perl2

== Python ==
root@san:/home/teee# apt-get install python3 libapache2-mod-python

==Test PHP ==
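root@san:/home/teee# nano /var/www/html/test.php

<?php phpinfo(); ?>
(เมื่อทดสอบเสร็จแล้วควรลบไฟล์ test.php ทิ้ง เพราะ phpinfo() แสดงรายละเอียดการตั้งค่าของเซิร์ฟเวอร์ให้ทุกคนที่เปิดหน้านี้ได้เห็น)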

== phpMyAdmin ==
root@san:/home/teee# apt-get install phpmyadmin

root@san:~# nano /etc/apache2/sites-available/phpmyadmin.conf

<VirtualHost *:8081>
ServerAdmin webmaster@localhost
DocumentRoot /usr/share/phpmyadmin

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

root@san:~# nano /etc/apache2/ports.conf
Listen 8081

Enabling site phpmyadmin.
To activate the new configuration, you need to run:
systemctl reload apache2

root@san:~# systemctl reload apache2

http://192.168.64.17:8081

== Install FreeRADIUS on Debian ==
root@san:/home/teee# apt-get install -y freeradius freeradius-utils freeradius-mysql
root@san:/home/teee# systemctl enable freeradius

root@san:/home/teee# systemctl stop freeradius

Next, run FreeRADIUS in debug mode:

root@san:/home/teee# freeradius -X
If everything’s working OK, the output should be something like this:

listen {
type = “acct”
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 39265
Listening on proxy address :: port 40985
Ready to process requests

Log into the MySQL console as root:

root@san:/home/teee# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 68
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

MariaDB [(none)]>

Create a database and user for RADIUS:

MariaDB [(none)]> create database radius;
Query OK, 1 row affected (0.018 sec)

MariaDB [(none)]> grant all privileges on radius.* to radius@localhost identified by 'SecurePass';
Query OK, 0 rows affected (0.024 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.020 sec)

MariaDB [(none)]> quit
Bye

Next, import the FreeRADIUS database schema that shipped with FreeRADIUS

root@san:/home/teee# cd /etc/freeradius/3.0/mods-config/sql/main/mysql/
root@san:/etc/freeradius/3.0/mods-config/sql/main/mysql# ls
extras process-radacct.sql queries.conf schema.sql setup.sql
root@san:/etc/freeradius/3.0/mods-config/sql/main/mysql# mysql -u root -p radius < schema.sql
Enter password:

Enable the FreeRADIUS SQL module by creating a symbolic link to the sql module from /etc/freeradius/3.0/mods-available/ to mods-enabled:
root@san:/etc/freeradius/3.0/mods-config/sql/main/mysql# cd
root@san:~# ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Open /etc/freeradius/3.0/mods-available/sql

root@san:~# nano /etc/freeradius/3.0/mods-available/sql
dialect = "mysql"
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "radius"
password = "SecurePass"
radius_db = "radius"
read_clients = yes

Disable MySQL SSL connection.
# If any of the files below are set, TLS encryption is enabled
# tls {
# ca_file = “/etc/ssl/certs/my_ca.crt”
# ca_path = “/etc/ssl/certs/”
# certificate_file = “/etc/ssl/certs/private/client.crt”
# private_key_file = “/etc/ssl/certs/private/client.key”
# cipher = “DHE-RSA-AES256-SHA:AES128-SHA”
#
# tls_required = yes
# tls_check_cert = no
# tls_check_cert_cn = no
# }

root@san:~# chown -h freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
root@san:~# ls -l /etc/freeradius/3.0/mods-enabled/sql
lrwxrwxrwx 1 freerad freerad 38 Jan 7 21:01 /etc/freeradius/3.0/mods-enabled/sql -> /etc/freeradius/3.0/mods-available/sql
root@san:~# systemctl restart freeradius

วิธีทดสอบว่า freeradius ใช้ฐานข้อมูล mysql แล้ว
1. เช็ค Status ของ Service Freeradius ว่ายังสามารถรันได้ปกติ
# netstat -lntup
# systemctl status freeradius

2. ลองเพิ่ม User ใน MySQL แล้วเทส Authen
เข้า mysql
MariaDB [(none)]> USE radius;
INSERT INTO radcheck (username, attribute, op, value) VALUES ('testuser', 'Cleartext-Password', ':=', 'testpass');
MariaDB [radius]> quit

ลองรันเทสดู
root@npx:/home/teee# radtest testuser testpass localhost 0 testing123
Sent Access-Request Id 182 from 0.0.0.0:52750 to 127.0.0.1:1812 length 78
User-Name = “testuser”
User-Password = “testpass”
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = “testpass”
Received Access-Accept Id 182 from 127.0.0.1:1812 to 127.0.0.1:52750 length 20

ถ้าเทสผ่านแล้ว เพื่อความปลอดภัยควรลบผู้ใช้ทดสอบ testuser ออกจากตาราง radcheck และอย่าลืมไปแก้ไข
#nano /etc/freeradius/3.0/clients.conf
มองหาบล็อกประมาณนี้:
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
}

secret = testing123 <–ค่า testing123 เป็นค่าเริ่มต้นที่รู้กันทั่วไป ควรเปลี่ยนเป็นค่าที่ยาวและคาดเดายาก
root@san:~#systemctl restart freeradius

== Install daloRADIUS on Debian ==
root@san:~# apt-get install php-mail php-mail-mime php-pear
root@san:~# pear install DB
WARNING: channel “pear.php.net” has updated its protocols, use “pear channel-update pear.php.net” to update
downloading DB-1.12.2.tgz …
Starting to download DB-1.12.2.tgz (137,662 bytes)
………………………..done: 137,662 bytes
install ok: channel://pear.php.net/DB-1.12.2

root@san:~# pear install MDB2
WARNING: channel “pear.php.net” has updated its protocols, use “pear channel-update pear.php.net” to update
downloading MDB2-2.4.1.tgz …
Starting to download MDB2-2.4.1.tgz (121,557 bytes)
……………………..done: 121,557 bytes
install ok: channel://pear.php.net/MDB2-2.4.1
MDB2: Optional feature fbsql available (Frontbase SQL driver for MDB2)
MDB2: Optional feature ibase available (Interbase/Firebird driver for MDB2)
MDB2: Optional feature mysql available (MySQL driver for MDB2)
MDB2: Optional feature mysqli available (MySQLi driver for MDB2)
MDB2: Optional feature mssql available (MS SQL Server driver for MDB2)
MDB2: Optional feature oci8 available (Oracle driver for MDB2)
MDB2: Optional feature pgsql available (PostgreSQL driver for MDB2)
MDB2: Optional feature querysim available (Querysim driver for MDB2)
MDB2: Optional feature sqlite available (SQLite2 driver for MDB2)
MDB2: To install optional features use “pear install pear/MDB2#featurename”

https://sourceforge.net/projects/daloradius/files/
root@san:~# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
root@san:~# tar xvf daloradius-0.9-9.tar.gz

root@san:~# apt -y install unzip
root@san:~# wget https://github.com/lirantal/daloradius/archive/master.zip
root@san:~# unzip master.zip
root@san:~# mv daloradius-master daloradius
root@san:~# cd daloradius/
root@san:~/daloradius/contrib/db# sudo mysql -u root -p radius < fr3-mariadb-freeradius.sql
root@san:~/daloradius/contrib/db# sudo mysql -u root -p radius < mariadb-daloradius.sql

root@san:~# mkdir /var/www/html/raddb
root@san:/home/teee/daloradius# cp -R app /var/www/html/raddb/
root@san:/home/teee/daloradius# chown -R www-data:www-data /var/www/html/raddb/

root@san:/home/teee# cp -R daloradius/ /var/www/
root@san:~# cd /var/www/daloradius/
root@san:/var/www/daloradius# mkdir -p var/{log,backup}
root@san:/var/www/daloradius# chown -R www-data:www-data var

sudo tee /etc/apache2/ports.conf<<EOF
Listen 88
Listen 8000

<IfModule ssl_module>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>
EOF
======================

root@san:/etc/apache2# sudo tee /etc/apache2/sites-available/operators.conf<<EOF
<VirtualHost *:8000>
ServerAdmin operators@localhost
DocumentRoot /var/www/daloradius/app/operators

<Directory /var/www/daloradius/app/operators>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/daloradius>
Require all denied
</Directory>

ErrorLog \${APACHE_LOG_DIR}/daloradius/operators/error.log
CustomLog \${APACHE_LOG_DIR}/daloradius/operators/access.log combined
</VirtualHost>
EOF

==================

root@san:/etc/apache2# sudo tee /etc/apache2/sites-available/users.conf<<EOF
<VirtualHost *:88>
ServerAdmin users@localhost
DocumentRoot /var/www/daloradius/app/users

<Directory /var/www/daloradius/app/users>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/daloradius>
Require all denied
</Directory>

ErrorLog \${APACHE_LOG_DIR}/daloradius/users/error.log
CustomLog \${APACHE_LOG_DIR}/daloradius/users/access.log combined
</VirtualHost>
EOF

=======================
root@san:/etc/apache2# sudo a2ensite users.conf operators.conf
Enabling site users.
Enabling site operators.
To activate the new configuration, you need to run:
systemctl reload apache2

root@san:/etc/apache2# mkdir -p /var/log/apache2/daloradius/{operators,users}
root@san:/etc/apache2# sudo a2dissite 000-default.conf
Site 000-default disabled.
To activate the new configuration, you need to run:
systemctl reload apache2

root@san:/etc/apache2# systemctl restart apache2 freeradius
root@san:/etc/apache2# systemctl status apache2 freeradius
● apache2.service – The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; preset: enabled)
Active: active (running) since Wed 2025-01-08 01:03:12 +07; 41s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 758 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 762 (/usr/sbin/apach)
Tasks: 6 (limit: 4649)
Memory: 20.9M
CPU: 520ms
CGroup: /system.slice/apache2.service
├─762 /usr/sbin/apache2 -k start
├─763 /usr/sbin/apache2 -k start
├─764 /usr/sbin/apache2 -k start
├─765 /usr/sbin/apache2 -k start
├─766 /usr/sbin/apache2 -k start
└─767 /usr/sbin/apache2 -k start

Jan 08 01:03:11 san systemd[1]: Starting apache2.service – The Apache HTTP Server…
Jan 08 01:03:12 san systemd[1]: Started apache2.service – The Apache HTTP Server.

● freeradius.service – FreeRADIUS multi-protocol policy server
Loaded: loaded (/lib/systemd/system/freeradius.service; enabled; preset: enabled)
Active: active (running) since Wed 2025-01-08 01:03:13 +07; 40s ago
Docs: man:radiusd(8)
man:radiusd.conf(5)
http://wiki.freeradius.org/
http://networkradius.com/doc/
Process: 755 ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout (code=exited, status=0/SUCCESS)
Main PID: 769 (freeradius)
Status: “Processing requests”
Tasks: 6 (limit: 4649)
Memory: 78.6M (limit: 2.0G)
CPU: 1.487s
CGroup: /system.slice/freeradius.service
└─769 /usr/sbin/freeradius -f

Jan 08 01:03:12 san freeradius[755]: Compiling Auth-Type PAP for attr Auth-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Auth-Type CHAP for attr Auth-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Auth-Type MS-CHAP for attr Auth-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Autz-Type New-TLS-Connection for attr Autz-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type

root@san:/etc/apache2# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 517/mariadbd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 441/sshd: /usr/sbin
tcp6 0 0 :::8000 :::* LISTEN 762/apache2
tcp6 0 0 :::88 :::* LISTEN 762/apache2
tcp6 0 0 :::22 :::* LISTEN 441/sshd: /usr/sbin
udp 0 0 0.0.0.0:68 0.0.0.0:* 363/dhclient
udp 0 0 0.0.0.0:54050 0.0.0.0:* 769/freeradius
udp 0 0 127.0.0.1:18120 0.0.0.0:* 769/freeradius
udp 0 0 0.0.0.0:1812 0.0.0.0:* 769/freeradius
udp 0 0 0.0.0.0:1813 0.0.0.0:* 769/freeradius
udp6 0 0 :::57992 :::* 769/freeradius
udp6 0 0 :::1812 :::* 769/freeradius
udp6 0 0 :::1813 :::* 769/freeradius

http://192.168.64.17:88/login.php
http://192.168.64.17:8000/login.php

Window11 ติดตั้งเครื่องใหม่ข้ามขั้นตอนการ Sign In Microsoft Account

วิธีการข้ามขั้นตอนการ Sign In Microsoft Account หลังจากที่ติดตั้งเครื่องใหม่ของ Windows11

1. เมื่อถึงหน้าให้ต่อ internet กดปุ่ม Shift + F10 เพื่อเปิดหน้าต่าง command prompt ขึ้นมา
2. พิมพ์คำสั่ง oobe\bypassnro กด Enter

3. เลือก i don’t have internet ที่หน้าติดตั้ง windows และทำตามขั้นตอนไปเรื่อยๆจนกว่าจะเสร็จ

สร้าง Hyper-V Virtual Switch

หลังจากที่ได้ติดตั้ง Hyper-V เสร็จเรียบร้อยแล้วและต้องการให้เครื่องใน Hyper-V เชื่อมต่อกับวงเน็ตเวิร์คของเครื่อง Host ที่ใช้งานอยู่
ให้ทำตามขั้นตอนดังต่อไปนี้ :-
1. เลือกไปที่ Virtual Switch Manager

2. จากนั้นเลือก New Virtual Network Switch > External > Create Virtual Switch

3. ตั้งชื่อ และเลือก Network Interface Card ที่ต้องการจะให้ออกเน็ท และ Apply > OK หลังจากเลือก OK เสร็จจะหลุดออกจากระบบแป๊บนึงเพื่อให้เครื่องสร้าง Network Interface ขึ้นมาใหม่

4. ไปดูที่การเชื่อมต่อ Network & Internet จะเห็นว่ามี Interface เพิ่มเติมที่เราได้สร้างขึ้นมาใหม่

5. สุดท้ายที่การเลือกใช้งาน Interface ของ Hyper-V Virtual Machine ที่ตรง Network Interface ก็ให้มาเลือกเปลี่ยนจาก Default ให้เป็นตัวใหม่ที่เราสร้างขึ้นมาเองด้วย

Debian locale

root@voip:/home/tee# sudo nano /etc/locale.gen
root@voip:/home/teee# sudo locale-gen
root@voip:/home/teee# sudo update-locale LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8

Install FreePBX 17 on Debian 12 with Asterisk 21

Install FreePBX 17 on Debian 12 with Asterisk 21
Ref : https://sangomakb.atlassian.net/wiki/spaces/FP/pages/10682545/How+to+Install+FreePBX+17+on+Debian+12+with+Asterisk+21

โปรแกรมที่เกี่ยวข้อง

1.FreePBX17
2.Asterisk21
3.PHP 8.2
4.Maria DB (v10.11)
5.Node JS (v18.16)
6.64-bit Intel/AMD (x86_64) platform
7.Linux Debian12 6.1.112-1 (2024-09-30)

1.Prerequisite recommended OS update
root@fs:/home/tee# apt-get update
root@fs:/home/tee# apt-get upgrade
root@fs:/home/tee# apt -y install build-essential git curl wget libnewt-dev libssl-dev libncurses5-dev subversion libsqlite3-dev libjansson-dev libxml2-dev uuid-dev default-libmysqlclient-dev htop sngrep lame ffmpeg mpg123
root@fs:/home/tee# apt-get install -y locales
root@fs:/home/tee# sed -i 's/^# *\(en_US.UTF-8\)/\1/' /etc/locale.gen
root@fs:/home/tee# locale-gen
Generating locales (this might take a while)…
en_US.UTF-8… done
Generation complete.
root@fs:/home/tee# echo "export LC_ALL=en_US.UTF-8" >> ~/.bashrc
root@fs:/home/tee# echo "export LANG=en_US.UTF-8" >> ~/.bashrc
root@fs:/home/tee# echo "export LANGUAGE=en_US.UTF-8" >> ~/.bashrc
root@fs:/home/tee# locale -a
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8): No such file or directory
root@fs:/home/tee# nano /etc/default/locale
LANG=C.UTF-8
LC_CTYPE=en_US.UTF-8
LC_ALL=en_US.UTF-8
root@fs:/home/tee# locale -a

root@fs:/home/tee# apt -y install git vim curl wget libnewt-dev libssl-dev libncurses5-dev subversion libsqlite3-dev build-essential libjansson-dev libxml2-dev uuid-dev expect

2.PHP 8.2 Installation
root@fs:/home/tee# apt-get install -y build-essential linux-headers-`uname -r` openssh-server apache2 mariadb-server mariadb-client bison flex php8.2 php8.2-curl php8.2-cli php8.2-common php8.2-mysql php8.2-gd php8.2-mbstring php8.2-intl php8.2-xml php-pear curl sox libncurses5-dev libssl-dev mpg123 libxml2-dev libnewt-dev sqlite3 libsqlite3-dev pkg-config automake libtool autoconf git unixodbc-dev uuid uuid-dev libasound2-dev libogg-dev libvorbis-dev libicu-dev libcurl4-openssl-dev odbc-mariadb libical-dev libneon27-dev libsrtp2-dev libspandsp-dev sudo subversion libtool-bin python-dev-is-python3 unixodbc vim wget libjansson-dev software-properties-common nodejs npm ipset iptables fail2ban php-soap

root@fs:/home/tee# php -v
PHP 8.2.26 (cli) (built: Nov 25 2024 17:21:51) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.26, Copyright (c) Zend Technologies
with Zend OPcache v8.2.26, Copyright (c), by Zend Technologies

3.Asterisk Installation
root@fs:/home/tee# cd /usr/src
root@fs:/usr/src# wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-21-current.tar.gz
root@fs:/usr/src# tar xvf asterisk-21-current.tar.gz
root@fs:/usr/src# cd asterisk-21*/
root@fs:/usr/src/asterisk-21.6.0#
root@fs:/usr/src/asterisk-21.6.0# contrib/scripts/get_mp3_source.sh
A addons/mp3
A addons/mp3/layer3.c
A addons/mp3/interface.c
A addons/mp3/MPGLIB_TODO
A addons/mp3/mpg123.h
A addons/mp3/mpglib.h
A addons/mp3/decode_ntom.c
A addons/mp3/MPGLIB_README
A addons/mp3/common.c
A addons/mp3/huffman.h
A addons/mp3/tabinit.c
A addons/mp3/Makefile
A addons/mp3/README
A addons/mp3/decode_i386.c
A addons/mp3/dct64_i386.c
Exported revision 204.

root@fs:/usr/src/asterisk-21.6.0# contrib/scripts/install_prereq install
root@fs:/usr/src/asterisk-21.6.0# ./configure --libdir=/usr/lib64 --with-pjproject-bundled --with-jansson-bundled

root@fs:/usr/src/asterisk-21.6.0# make menuselect
root@fs:/usr/src/asterisk-21.6.0# make
root@fs:/usr/src/asterisk-21.6.0# make install
root@fs:/usr/src/asterisk-21.6.0# make samples
root@fs:/usr/src/asterisk-21.6.0# make config
root@fs:/usr/src/asterisk-21.6.0# ldconfig

Create asterisk user and give permission

root@fs:/usr/src/asterisk-21.6.0# groupadd asterisk
root@fs:/usr/src/asterisk-21.6.0# useradd -r -d /var/lib/asterisk -g asterisk asterisk
root@fs:/usr/src/asterisk-21.6.0# usermod -aG audio,dialout asterisk
root@fs:/usr/src/asterisk-21.6.0# chown -R asterisk:asterisk /etc/asterisk
root@fs:/usr/src/asterisk-21.6.0# chown -R asterisk:asterisk /var/{lib,log,spool}/asterisk
root@fs:/usr/src/asterisk-21.6.0# chown -R asterisk:asterisk /usr/lib64/asterisk
root@fs:/usr/src/asterisk-21.6.0# sed -i 's|#AST_USER|AST_USER|' /etc/default/asterisk
root@fs:/usr/src/asterisk-21.6.0# sed -i 's|#AST_GROUP|AST_GROUP|' /etc/default/asterisk
root@fs:/usr/src/asterisk-21.6.0# sed -i 's|;runuser|runuser|' /etc/asterisk/asterisk.conf
root@fs:/usr/src/asterisk-21.6.0# sed -i 's|;rungroup|rungroup|' /etc/asterisk/asterisk.conf
root@fs:/usr/src/asterisk-21.6.0# echo "/usr/lib64" >> /etc/ld.so.conf.d/x86_64-linux-gnu.conf
root@fs:/usr/src/asterisk-21.6.0# ldconfig

4.Configure Apache web server

root@fs:/usr/src/asterisk-21.6.0# sed -i 's/\(^upload_max_filesize = \).*/\120M/' /etc/php/8.2/apache2/php.ini
root@fs:/usr/src/asterisk-21.6.0# sed -i 's/\(^memory_limit = \).*/\1256M/' /etc/php/8.2/apache2/php.ini
root@fs:/usr/src/asterisk-21.6.0# sed -i 's/^\(User\|Group\).*/\1 asterisk/' /etc/apache2/apache2.conf
root@fs:/usr/src/asterisk-21.6.0# sed -i 's/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf
root@fs:/usr/src/asterisk-21.6.0# a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
systemctl restart apache2
root@fs:/usr/src/asterisk-21.6.0# systemctl restart apache2
root@fs:/usr/src/asterisk-21.6.0# rm /var/www/html/index.html

5.Configure ODBC
root@fs:/usr/src/asterisk-21.6.0# cat <<EOF > /etc/odbcinst.ini
[MySQL]
Description = ODBC for MySQL (MariaDB)
Driver = /usr/lib/x86_64-linux-gnu/odbc/libmaodbc.so
FileUsage = 1
EOF
root@fs:/usr/src/asterisk-21.6.0# cat /etc/odbcinst.ini
[MySQL]
Description = ODBC for MySQL (MariaDB)
Driver = /usr/lib/x86_64-linux-gnu/odbc/libmaodbc.so
FileUsage = 1

root@fs:/usr/src/asterisk-21.6.0# cat <<EOF > /etc/odbc.ini
[MySQL-asteriskcdrdb]
Description = MySQL connection to ‘asteriskcdrdb’ database
Driver = MySQL
Server = localhost
Database = asteriskcdrdb
Port = 3306
Socket = /var/run/mysqld/mysqld.sock
Option = 3
EOF

6.Install FreePBX
root@fs:/usr/src/asterisk-21.6.0# cd /usr/local/src
root@fs:/usr/local/src# wget http://mirror.freepbx.org/modules/packages/freepbx/freepbx-17.0-latest-EDGE.tgz
root@fs:/usr/local/src# tar zxvf freepbx-17.0-latest-EDGE.tgz
root@fs:/usr/local/src# cd /usr/local/src/freepbx/
root@fs:/usr/local/src/freepbx# ./start_asterisk start
STARTING ASTERISK
Asterisk Started

root@fs:/usr/local/src/freepbx# ./install -n
Generating default configurations…
Finished generating default configurations
You have successfully installed FreePBX

7.Get the rest of the modules
root@fs:/usr/local/src/freepbx# fwconsole ma installall
root@fs:/usr/local/src/freepbx# fwconsole reload
Reload Started
Reload Complete
root@fs:/usr/local/src/freepbx# fwconsole restart
Running FreePBX shutdown…

Running Asterisk pre from Core module
Stopping Call Transfer Monitoring Service
Core FastAGI Server is not running
Running Asterisk pre from Ucp module
Stopping UCP Node Server
[->————————–] 1 sec
Stopped UCP Node Server
Shutting down Asterisk Gracefully. Will forcefully kill after 30 seconds.
Press C to Cancel
Press N to shut down NOW
[============================] < 1 sec Running FreePBX startup… Starting Asterisk… [============================] 2 secs Asterisk Started Running Asterisk post from Core module Starting Call Transfer Monitoring Service Stopping Call Transfer Monitoring Service Restarting Call Transfer Monitoring Service Starting Core FastAGI Server…

[->————————–] 1 sec
Started Core FastAGI Server. PID is 95704
Running Asterisk post from Ucp module
Starting UCP Node Server…
[->————————–] < 1 sec
Started UCP Node Server. PID is 95803

 

8.Set up systemd (startup script)
root@fs:/usr/local/src/freepbx# cat <<EOF > /etc/systemd/system/freepbx.service
[Unit]
Description=FreePBX VoIP Server
After=mariadb.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/fwconsole start -q
ExecStop=/usr/sbin/fwconsole stop -q
[Install]
WantedBy=multi-user.target
EOF

root@fs:/usr/local/src/freepbx# cat /etc/systemd/system/freepbx.service
[Unit]
Description=FreePBX VoIP Server
After=mariadb.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/fwconsole start -q
ExecStop=/usr/sbin/fwconsole stop -q
[Install]
WantedBy=multi-user.target

root@fs:/usr/local/src/freepbx# systemctl daemon-reload
root@fs:/usr/local/src/freepbx# systemctl enable freepbx
Created symlink /etc/systemd/system/multi-user.target.wants/freepbx.service → /etc/systemd/system/freepbx.service.

9.Goto URL Web Management
Username >
Password >
Email >
System name >

[Submit]

Firewall to Our IPPBX Server

root@fs:/usr/local/src/freepbx# iptables --version
iptables v1.8.9 (nf_tables)
root@fs:/usr/local/src/freepbx# iptables -A INPUT -p tcp --dport 8088 -j ACCEPT # HTTP
root@fs:/usr/local/src/freepbx# iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
root@fs:/usr/local/src/freepbx# iptables -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS
root@fs:/usr/local/src/freepbx# iptables -A INPUT -p udp --dport 5060 -j ACCEPT # SIP
root@fs:/usr/local/src/freepbx# iptables -A INPUT -p udp --dport 5061 -j ACCEPT # PJSIP
root@fs:/usr/local/src/freepbx# iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT # RTP
root@fs:/usr/local/src/freepbx# iptables -A INPUT -p udp --dport 5038 -j ACCEPT # AMI
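root@fs:/usr/local/src/freepbx# iptables -A INPUT -j DROP

หมายเหตุ: กฎ DROP ข้อสุดท้ายนี้จะทิ้งทุกแพ็กเก็ตที่ไม่ตรงกับกฎ ACCEPT ด้านบน รวมถึงแพ็กเก็ตตอบกลับของการเชื่อมต่อขาออก (เช่น DNS, apt) และทราฟฟิกบน loopback จึงควรเพิ่มกฎสองข้อนี้ไว้ก่อนกฎ DROP:
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
กฎชุดนี้มีผลกับ IPv4 เท่านั้น หากเครื่องมี IPv6 ต้องตั้งกฎด้วย ip6tables แยกต่างหาก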

root@fs:/usr/local/src/freepbx# mkdir /etc/iptables/
root@fs:/usr/local/src/freepbx# iptables-save > /etc/iptables/rules.v4

root@fs:/etc/iptables# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
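4 220 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
29 2012 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9696
0 0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
892 531K ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
892 531K ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5061
0 0 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5038
2 104 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

หมายเหตุ: ผลลัพธ์นี้ไม่ตรงกับคำสั่งด้านบน (คำสั่งเปิด tcp 8088, tcp 22 และ udp 5038 แต่ผลลัพธ์แสดง tcp 80, tcp 9696 และ tcp 5038) ให้ตรวจสอบว่าพอร์ตที่เปิดจริงตรงกับพอร์ตที่บริการใช้งานอยู่ (jail [sshd] ด้านล่างใช้พอร์ต 9696) ส่วน AMI (5038) ทำงานบน TCP และไม่ควรเปิดให้ 0.0.0.0/0 ควรจำกัดต้นทางด้วย -s ให้เหลือเฉพาะเครื่องที่ต้องจัดการระบบ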

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 906 packets, 482K bytes)
pkts bytes target prot opt in out source destination

บันทึกกฎ iptables:

เพื่อให้กฎยังคงอยู่หลังรีบูตระบบ คุณต้องบันทึกกฎ:

root@fs:/etc/fail2ban# apt-get install iptables-persistent -y
root@fs:/etc/iptables# sudo netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
root@fs:/etc/iptables# sudo netfilter-persistent reload
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start

 

ติดตั้ง Fail2Ban เพื่อเพิ่มความปลอดภัย

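Fail2Ban เป็นเครื่องมือช่วยป้องกันการโจมตี Brute Force และ DDoS ผ่านการบล็อก IP ที่ไม่ปลอดภัยอัตโนมัติ โดยเฉพาะกับการโจมตี SIP ทั้งนี้ Fail2Ban ทำงานโดยอ่าน log แล้วแบน IP ที่ยืนยันตัวตนล้มเหลวเกิน maxretry ครั้งภายในช่วง findtime จึงช่วยลดการเดารหัสผ่านได้ แต่ไม่สามารถรับมือ DDoS ที่เป็นการส่งทราฟฟิกปริมาณมากได้ ซึ่งต้องป้องกันที่ระดับเครือข่ายหรือผู้ให้บริการ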

root@fs:/etc/fail2ban# sudo nano /etc/fail2ban/jail.local

[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port = 9696
logpath = /var/log/auth.log
maxretry = 3

[asterisk]
enabled = true
port = 5060,5061
protocol = udp
logpath = /var/log/asterisk/full
maxretry = 5

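root@fs:/etc/iptables# systemctl status fail2ban

หมายเหตุ: หลังแก้ไข jail.local ต้องสั่ง systemctl restart fail2ban แล้วตรวจว่า jail ทำงานจริงด้วย fail2ban-client status sshd และ fail2ban-client status asterisk หากเป็น Debian 12 ที่ไม่ได้ติดตั้ง rsyslog จะไม่มีไฟล์ /var/log/auth.log ทำให้ jail [sshd] เริ่มทำงานไม่ได้ ให้ติดตั้ง rsyslog หรือกำหนด backend = systemd ใน jail นั้น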

Update Timezone Debian

root@fs:/# dpkg-reconfigure tzdata
เลือก zone เวลาประเทศไทย Bangkok/Thailand

กรณีใช้ ssh connection ด้วย private key ต้องการที่จะอนุญาตให้ใช้ password ได้ด้วย

[admin@Teee-MKT] > ip ssh/ print
forwarding-enabled: no
always-allow-password-login: no
strong-crypto: no
allow-none-crypto: no
host-key-size: 2048
host-key-type: rsa

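[admin@Teee-MKT] > ip ssh set always-allow-password-login=yes

หมายเหตุ: เมื่อตั้ง always-allow-password-login=yes บัญชีที่มี SSH key จะล็อกอินด้วยรหัสผ่านได้ด้วย จึงกลับมาเสี่ยงต่อการเดารหัสผ่าน ควรจำกัด IP ต้นทางของบริการ SSH (ip service set ssh address=<management-subnet>) และพิจารณาตั้ง strong-crypto=yes ซึ่งในผลลัพธ์ด้านบนยังเป็น no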

LAB-เชื่อมต่อ Internet ด้วย Fortigate Firewall และ Cisco Switch แยก Vlan

1. Fortigate
Port WAN1 —DHCP Gateway 192.168.1.1
MGMT — 172.16.1.1/24

2. Static Route > 0.0.0.0 gateway 192.168.1.1

3. Interface 1
VLAN 10 192.168.10.1/24 DHCP 192.168.10.10-200
VLAN 20 192.168.20.1/24 DHCP 192.168.20.10-200
VLAN 30 192.168.30.1/24 DHCP 192.168.30.10-200
VLAN 100 192.168.100.1/24 DHCP 192.168.100.10-200

4. กำหนดค่าที่ Firewall

Allow Physical Port

Allow VLAN(10,20,30,100) ออกอินเทอร์เน็ต

หน้าไฟร์วอลล์ทั้งหมดที่สร้าง

จากนั้นไปกำหนดค่าที่ Cisco Switch

Switch(config)#no logging console
Switch(config)#hostname C3850

C3850(config)#vlan 10
C3850(config-vlan)#exit
C3850(config)#vlan 20
C3850(config-vlan)#exit
C3850(config)#vlan 30
C3850(config-vlan)#exit
C3850(config)#vlan 100
C3850(config-vlan)#exit

C3850(config)#interface vlan 10
C3850(config-if)#ip address 192.168.10.254 255.255.255.0
C3850(config-if)#no shut
C3850(config-if)#exit

C3850(config)#interface vlan 20
C3850(config-if)#ip address 192.168.20.254 255.255.255.0
C3850(config-if)#no shut
C3850(config-if)#exit

C3850(config)#interface vlan 30
C3850(config-if)#ip address 192.168.30.254 255.255.255.0
C3850(config-if)#no shut
C3850(config-if)#exit

C3850(config)#interface vlan 100
C3850(config-if)#ip address 192.168.100.254 255.255.255.0
C3850(config-if)#no shut
C3850(config-if)#exit

C3850(config)#interface range gigabitEthernet 1/0/1-5
C3850(config-if-range)#switchport mode access
C3850(config-if-range)#switchport access vlan 10
C3850(config-if-range)#no shut
C3850(config-if-range)#exit

C3850(config)#interface range gigabitEthernet 1/0/6-10
C3850(config-if-range)#switchport mode access
C3850(config-if-range)#switchport access vlan 20
C3850(config-if-range)#no shut
C3850(config-if-range)#exit

C3850(config)#interface range gigabitEthernet 1/0/11-15
C3850(config-if-range)#switchport mode access
C3850(config-if-range)#switchport access vlan 30
C3850(config-if-range)#no shut
C3850(config-if-range)#exit

C3850(config)#interface range gigabitEthernet 1/0/16-20
C3850(config-if-range)#switchport mode access
C3850(config-if-range)#switchport access vlan 100
C3850(config-if-range)#no shut
C3850(config-if-range)#exit

C3850(config)#interface gigabitEthernet 1/0/23
C3850(config-if)#switchport mode trunk
C3850(config-if)#switchport trunk allowed vlan 10,20,30,100
C3850(config-if)#no shut
C3850(config-if)#exit

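C3850(config)#ip routing
C3850(config)#ip default-gateway 192.168.100.1
C3850(config)#ip route 0.0.0.0 0.0.0.0 192.168.100.1
C3850(config)#ip name-server 8.8.8.8 1.1.1.1
C3850(config)#ntp server time.navy.mi.th

หมายเหตุ: เมื่อเปิด ip routing แล้ว คำสั่ง ip default-gateway จะไม่ถูกใช้งาน (มีผลเฉพาะตอนปิด ip routing) เส้นทางเริ่มต้นจะมาจาก ip route 0.0.0.0 0.0.0.0 แทน และเนื่องจาก Switch มี SVI อยู่ในทุก VLAN พร้อมเปิด ip routing เครื่องลูกข่ายที่ตั้ง gateway เป็น 192.168.x.254 จะสื่อสารข้าม VLAN ผ่าน Switch ได้โดยไม่ผ่าน policy ของ Fortigate หากต้องการให้ Fortigate ควบคุมทราฟฟิกระหว่าง VLAN ไม่ควรเปิด ip routing หรือไม่ควรกำหนด IP ให้ SVI ของ VLAN ผู้ใช้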

C3850(config-if)#do wr

LAB เชื่อมต่อ Internet ด้วย Cisco Router และ Switch – แบบที่ 2

(ISP 192.168.1.1)——dhcp—— 192.168.1.x(C1800)===vlan(10,20,30)==(C-SW3850)===vlan(10,20,30)

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname cisco1800

cisco1800(config)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 unassigned YES unset administratively down down
Serial0/0/1 unassigned YES unset administratively down down

cisco1800(config)#interface fastEthernet 0/0
cisco1800(config-if)#ip address dhcp
cisco1800(config-if)#no shut
cisco1800(config-if)#exit

cisco1800(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
cisco1800(config)#do show ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C 192.168.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.1.1

cisco1800(config-if)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.181 YES DHCP up up
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 unassigned YES unset administratively down down
Serial0/0/1 unassigned YES unset administratively down down

cisco1800(config)#interface fastEthernet 0/1
cisco1800(config-if)#no shut
cisco1800(config-subif)#exit

cisco1800(config)#interface fastEthernet 0/1.10
cisco1800(config-subif)#encapsulation dot1Q 10
cisco1800(config-subif)#ip address 10.10.10.1 255.255.255.0
cisco1800(config-subif)#no shut
cisco1800(config-subif)#exit

cisco1800(config)#interface fastEthernet 0/1.20
cisco1800(config-subif)#encapsulation dot1Q 20
cisco1800(config-subif)#ip address 10.10.20.1 255.255.255.0
cisco1800(config-subif)#no shut
cisco1800(config-subif)#exit

cisco1800(config)#interface fastEthernet 0/1.30
cisco1800(config-subif)#encapsulation dot1Q 30
cisco1800(config-subif)#ip address 10.10.30.1 255.255.255.0
cisco1800(config-subif)#no shut
cisco1800(config-subif)#exit

cisco1800(config)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.181 YES DHCP up up
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet0/1.10 10.10.10.1 YES manual administratively down down
FastEthernet0/1.20 10.10.20.1 YES manual administratively down down
FastEthernet0/1.30 10.10.30.1 YES manual administratively down down
Serial0/0/0 unassigned YES unset administratively down down
Serial0/0/1 unassigned YES unset administratively down down

cisco1800(config)#ip dhcp pool 10
cisco1800(dhcp-config)#network 10.10.10.0 /24
cisco1800(dhcp-config)#default-router 10.10.10.1
cisco1800(dhcp-config)#dns-server 8.8.8.8 1.1.1.1
cisco1800(dhcp-config)#exit

cisco1800(config)#ip dhcp pool 20
cisco1800(dhcp-config)#network 10.10.20.0 /24
cisco1800(dhcp-config)#default-router 10.10.20.1
cisco1800(dhcp-config)#dns-server 8.8.8.8 1.1.1.1
cisco1800(dhcp-config)#exit

cisco1800(config)#ip dhcp pool 30
cisco1800(dhcp-config)#network 10.10.30.0 /24
cisco1800(dhcp-config)#default-router 10.10.30.1
cisco1800(dhcp-config)#dns-server 8.8.8.8 1.1.1.1
cisco1800(dhcp-config)#exit

cisco1800(config)#interface fastEthernet 0/0
cisco1800(config-if)#ip nat outside
cisco1800(config-if)#exit

cisco1800(config)#interface fastEthernet 0/1.10
cisco1800(config-subif)#ip nat inside
cisco1800(config-subif)#exit

cisco1800(config)#interface fastEthernet 0/1.20
cisco1800(config-subif)#ip nat inside
cisco1800(config-subif)#exit

cisco1800(config)#interface fastEthernet 0/1.30
cisco1800(config-subif)#ip nat inside
cisco1800(config-subif)#exit

cisco1800(config)#ip access-list standard Local
cisco1800(config-std-nacl)#permit 10.10.10.0 0.0.0.255
cisco1800(config-std-nacl)#permit 10.10.20.0 0.0.0.255
cisco1800(config-std-nacl)#permit 10.10.30.0 0.0.0.255
cisco1800(config-std-nacl)#exit

cisco1800(config)# ip nat inside source list Local interface FastEthernet 0/0 overload
cisco1800(config)#exit
cisco1800(config)#wr

SWITCH Cisco Catalyst 3850 24 port

Switch#conf t
Switch(config)#no logging console
Switch(config)#interface GigabitEthernet 1/0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#no shutdown
Switch(config-if)#exit

Switch(config)#vlan 10
Switch(config-vlan)#name IT
Switch(config-vlan)#no shut
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name WIFI
Switch(config-vlan)#no shut
Switch(config-vlan)#exit
Switch(config)#vlan 30
Switch(config-vlan)#name SUPPORT
Switch(config-vlan)#no shut
Switch(config-vlan)#exit

Switch(config)#interface range GigabitEthernet 1/0/1-5
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit

Switch(config)#interface range GigabitEthernet 1/0/6-10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit

Switch(config)#interface range GigabitEthernet 1/0/11-15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 30
Switch(config-if-range)#exit

Switch#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/16, Gi1/0/17, Gi1/0/18
Gi1/0/19, Gi1/0/20, Gi1/0/21
Gi1/0/22, Gi1/0/23, Gi1/0/24
Gi1/1/1, Gi1/1/2, Gi1/1/3
Gi1/1/4
10 IT active Gi1/0/1, Gi1/0/2, Gi1/0/3
Gi1/0/4, Gi1/0/5
20 WIFI active Gi1/0/6, Gi1/0/7, Gi1/0/8
Gi1/0/9, Gi1/0/10
30 SUPPORT active Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

Switch#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi1/0/24 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi1/0/24 1-4094

Port Vlans allowed and active in management domain
Gi1/0/24 1,10,20,30

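Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/24 1,10,20,30

หมายเหตุ: Trunk Gi1/0/24 อนุญาตทุก VLAN (1-4094) และใช้ native VLAN 1 ตามค่าเริ่มต้น ควรจำกัดให้เหลือเฉพาะ VLAN ที่ใช้งานด้วย switchport trunk allowed vlan 10,20,30 เช่นเดียวกับที่กำหนด allowed vlan ไว้ใน LAB แรก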