Winter Shutdown and Aspirations for the Future

Discussion forum about Wimborne Model Town's Town Quiz Web Server.
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

hamishmb wrote: 17/04/2022, 9:30 That looks fine, as long as the interface names are right and haven't been swapped somehow.
They look right to me. In any case, the 0.0.0.0 is the conduit from both ends.
hamishmb wrote: 17/04/2022, 9:30 One thought: why are we using eth* names, instead of the more stable enx******** names that are guaranteed to not change between reboots or hardware changes? Using those in the future might make this easier.

My understanding is that the new-style enx******** names were the default on Raspberry Pi OS nowadays.
That's news to me. I usually start off with a brand-new download of RPi OS burnt to the SD Card and I've never seen en0 or similar.

Looking online, it seems that predictable interface names can be enabled in raspi-config.

It looks like a good idea, but a lot of work now that we have so many Pis deployed.
Terry
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Winter Shutdown and Aspirations for the Future

Post by hamishmb »

Okay, I guess I was wrong then - it's been a while since I've set a Pi up fresh.

Yes, maybe one to do at some undefined point in the future when we're doing a big OS upgrade so it's already disrupted anyway.
Hamish
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

TerryJC wrote: 16/04/2022, 12:32 I will have one last attempt to get to the bottom of this through the Linux User Group. There has been one new thing discovered; there doesn't seem to be a route between the VPN Server and the Webserver. It seems to me that would account for the behaviour I'm seeing but I can't see why the routing isn't working at the moment.
Well, after several valiant efforts I still can't get to the bottom of this.

I rather suspect that the culprit here is nodogsplash. On initial connection to the Webserver nodogsplash kicks in and directs the User's browser to the Splash page (the 'press continue to access our content' thing). It is possible that this hijacks contact from sources not on the WMT Server and thus prevents 'normal' access. Additionally, nodogsplash has some extremely complex iptables rules configured, which may be preventing access from outside connections via VPN but allowing internal access from devices on the 192.168.0.0/24 network. I can't understand them but I think it is possible.

At the end of the day, the functionality provided by the DNS server is not super critical, so we can continue to live with it I think. In the long term, I could move the DNS Server off the Webserver and onto another WMT Network device. There aren't any obvious candidates but we could use the Minster Music Pi for example. I had hoped that the NAS Box could host a DNS Server, but alas it doesn't seem to support it (my ReadyNAS has a DNS Server as an App).

As I say, I'm sure we could live with this.
Terry
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

I have just uploaded a Composite Document for the Webserver at https://wmtprojectsforum.altervista.org ... =Webserver.
Terry
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Winter Shutdown and Aspirations for the Future

Post by hamishmb »

Why are we allowing port 22 under "FirewallRuleSet: users-to-router"? I guess what I'm asking is: What is the "router" here?

I appreciate we have other security measures in place, but this doesn't seem like a great idea.
Hamish
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

I think that the 'router' in this context is the Webserver itself which acts as a router at different times.

When I first installed nodogsplash around 3-4 years ago, I was following a tutorial somewhere; I can't remember where. At the time, I think that I believed that this was necessary to allow staff who logged in to the WMT Network access to the Webserver to make changes etc. I guess it isn't really necessary, but I would be reluctant to take it out of the live system at the moment in case we lost access completely.

I can't do it right now but I could resurrect my reference kit and see what happens if I took that line out.
Terry
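
Added example, not part of the thread or the WMT Webserver's configuration: a small Python check for the question raised above, listing which management ports the users-to-router ruleset of a nodogsplash.conf allows. The sample config is constructed, and treating ports 22 and 23 as management ports is an assumption.

```python
import re

# Constructed sample in nodogsplash.conf syntax; not the WMT Webserver's real config.
SAMPLE_CONF = """\
FirewallRuleSet authenticated-users {
    FirewallRule allow all
}
FirewallRuleSet users-to-router {
    FirewallRule allow udp port 53   # DNS
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67   # DHCP
    FirewallRule allow tcp port 22   # SSH to the box running nodogsplash
    FirewallRule allow tcp port 80
}
"""

# Assumption: TCP ports treated as management access for this check.
MGMT_PORTS = {22, 23}
SET_RE = re.compile(r"FirewallRuleSet\s+([\w-]+)\s*\{")
RULE_RE = re.compile(r"FirewallRule\s+(\w+)(?:\s+(\w+))?(?:\s+port\s+(\d+))?")

def parse_rulesets(text):
    """Return {ruleset name: [(action, protocol, port or None), ...]}."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        start = SET_RE.match(line)
        if start:
            current = rulesets.setdefault(start.group(1), [])
        elif line == "}":
            current = None
        elif current is not None and (rule := RULE_RE.match(line)):
            action, proto, port = rule.groups()
            current.append((action, proto or "all", int(port) if port else None))
    return rulesets

def mgmt_ports_open(text, ruleset="users-to-router"):
    """Management ports that an 'allow' rule in the ruleset exposes to clients."""
    found = set()
    for action, proto, port in parse_rulesets(text).get(ruleset, []):
        if action != "allow" or proto == "udp":
            continue                           # SSH and telnet are TCP services
        # A rule with no port (e.g. 'allow all') covers every port.
        found |= MGMT_PORTS if port is None else MGMT_PORTS & {port}
    return sorted(found)

if __name__ == "__main__":
    print("management ports allowed to the router:", mgmt_ports_open(SAMPLE_CONF))
```

Running the same check on a reference kit before and after removing the port 22 line confirms the change took effect without touching the live system.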
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Winter Shutdown and Aspirations for the Future

Post by hamishmb »

You're probably right and it isn't an issue.

Maybe when we don't have anything that needs doing/fixing, that would be an idea.
Hamish
Penri
Posts: 1284
Joined: 18/05/2017, 21:28

Re: Winter Shutdown and Aspirations for the Future

Post by Penri »

This probably needs a new thread but let me ask the question first.

Would it be possible to add "QR code functionality" to the web-server?

We will be upgrading the signage around WMT over the coming winter and I'd like to be able to add QRs to them so that visitors can get additional information on their devices.
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

I'm sure it could be done. A QR code simply contains a number or a string. A web address is simply a string. :-)

All we need then is to pass the string to the default browser.

We'd need to update the on-screen instructions, but that's all.

Give me a day or two.
Terry
Penri
Posts: 1284
Joined: 18/05/2017, 21:28

Re: Winter Shutdown and Aspirations for the Future

Post by Penri »

That's very good news, thanks.