Category Archives: Networking

Install dnsmasq in a Proxmox LXC Container running Ubuntu 16.04

dnsmasq is a very handy DHCP server for the LAN. I also use it as a DNS forwarder, so I can use hostnames for all my virtual machines under the gavowen.local domain.

I had a few little battles setting this up so thought I’d share the step by step.

Step 1 of course is to create your "CT". It doesn't need much so I just gave it the following:

root@pve01:/etc/pve/lxc# cat 100.conf
#dnsmasq DNS/DHCP server%0A%0A
arch: amd64
cpulimit: 1
cpuunits: 1024
hostname: dnsmasq
memory: 512
net0: name=eth0,bridge=vmbr1,gw=,hwaddr=00:0A:DE:01:00:10,ip=,ip6=auto,tag=10,type=veth
onboot: 1
ostype: ubuntu
rootfs: ssdmirror:subvol-100-disk-1,size=8G
searchdomain: gavowen.local
startup: order=1,up=10,down=5
swap: 512

1 core, half a gig of RAM/swap and an 8G disk is plenty. That's my standard amount for smaller containers (CTs).

A few things tripped me up. The default Ubuntu apt sources weren't optimal for me, the local timezone wasn't set, and "resolvconf" was screwing up dnsmasq.

After creating the CT, some housekeeping:

root@media:/home/hts/.hts# cat /etc/apt/sources.list
deb xenial main restricted universe multiverse
deb xenial-updates main restricted universe multiverse
deb xenial-backports main restricted universe multiverse
deb xenial partner
deb xenial-security main restricted universe multiverse

Those "au" ones are much better for Australia. You can possibly find even faster ones with this guide, although I don't know if that works with Ubuntu. It certainly works in Debian.

The timezone wasn’t set so I fixed that with:

dpkg-reconfigure tzdata

Then I went to work with apt:

apt-get update
apt-get dist-upgrade
apt-get autoremove
apt-get remove resolvconf   # otherwise resolvconf and dnsmasq fight over /etc/resolv.conf (see below)
apt-get install dnsmasq

The resolvconf fix I found here. If you don't remove resolvconf, or fix the issue another way, you get something like this:

root@dnsmasq:/etc# service dnsmasq status 
* dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/dnsmasq.service.d
           `-50-dnsmasq-$named.conf, 50-insserv.conf-$named.conf
   Active: active (running) since Sun 2016-09-18 03:24:07 UTC; 3s ago
  Process: 910 ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf (code=exited, status=0/SUCCESS)
  Process: 953 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 944 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 943 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 952 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           `-952 /usr/sbin/dnsmasq -x /var/run/dnsmasq/ -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpk

Sep 18 03:24:06 dnsmasq dnsmasq[943]: dnsmasq: syntax check OK.
Sep 18 03:24:06 dnsmasq dnsmasq[952]: started, version 2.75 cachesize 500
Sep 18 03:24:06 dnsmasq dnsmasq[952]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset au
Sep 18 03:24:06 dnsmasq dnsmasq-dhcp[952]: DHCP, IP range --, lease time 12h
Sep 18 03:24:06 dnsmasq dnsmasq[952]: using local addresses only for domain gavowen.local
Sep 18 03:24:06 dnsmasq dnsmasq[952]: no servers found in /var/run/dnsmasq/resolv.conf, will retry
Sep 18 03:24:06 dnsmasq dnsmasq[952]: read /etc/hosts - 5 addresses
Sep 18 03:24:06 dnsmasq dnsmasq[952]: read /etc/banner_add_hosts - 0 addresses
Sep 18 03:24:07 dnsmasq dnsmasq[953]: /etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolv
Sep 18 03:24:07 dnsmasq systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.

The DHCP part of dnsmasq works fine, but DNS breaks: every forwarded query comes back REFUSED, because dnsmasq has no upstream servers to send it to (note the "no servers found in /var/run/dnsmasq/resolv.conf" line in the status output above). Here it is in tcpdump:

03:38:02.900866 IP dnsmasq.gavowen.local.domain > 48699 Refused 0/0/0 (45)
03:38:03.887415 IP > dnsmasq.gavowen.local.domain: 4837+ A? (45)
03:38:03.887523 IP dnsmasq.gavowen.local.domain > 4837 Refused 0/0/0 (45)
03:38:04.076221 IP > dnsmasq.gavowen.local.domain: 59968+ A? (45)
03:38:04.076306 IP dnsmasq.gavowen.local.domain > 59968 Refused 0/0/0 (45)
03:38:05.068785 IP > dnsmasq.gavowen.local.domain: 24507+ A? (45)
03:38:05.068892 IP dnsmasq.gavowen.local.domain > 24507 Refused 0/0/0 (45)

Now for my /etc/dnsmasq.conf:

root@dnsmasq:~# cat /etc/dnsmasq.conf
# Configuration file for dnsmasq.

## SERVER ##

# listen interface and address

## DNS ##

local=/gavowen.local/  # domain(s) to search local /etc/hosts
cache-size=500 # set DNS lookup cache to 500 entries
no-negcache    # don't do negative caching
domain-needed  # never forward plain names
bogus-priv     # never forward bogus private (RFC1918) addresses

# block 'sitefinder' wildcard redirects from VeriSign and others for bogus A records

# no LDAP server for the local domain
#srv-host=_ldap._tcp.gavowen.local # no LDAP server for the local domain

# route rDNS to this server

## DHCP ##


dhcp-option=option:router, # default route
# dhcp-option=option:dns-server,,
dhcp-option=23,50 # set default IP TTL to 50

# Windows clients and Samba
dhcp-option=19,0              # option ip-forwarding off
dhcp-option=44,    # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,    # netbios datagram distribution server
dhcp-option=46,8              # netbios node type
dhcp-option=252,"\n"          # send an empty WPAD option. Windows 7 and possibly later
dhcp-option=vendor:MSFT,2,1i  # Windows release DHCP lease when it shuts down
# These are the node types for netbios options:
#   1 = B-node, 2 = P-node, 4 =M-node, 8 = H-node

# FQDN settings for DHCP

# static leases

Touch the DHCP leases file so that it exists before dnsmasq starts:

touch /var/lib/misc/dnsmasq.leases #DHCP leases file
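The config above leaves the listening scope to the lines that did not survive in this copy, and the REFUSED answers earlier came from an empty upstream list. The audit script below is an added example (mine, not from the original post or the dnsmasq project): it reads a dnsmasq.conf written in the same comment-annotated style and flags the options that decide whether the container is an open resolver, whether it will accept rebinding answers, and whether it has an upstream at all. The option names are dnsmasq's own; the wording of the findings and the sample configs in the test are constructed.

```shell
#!/bin/sh
# dnsmasq_audit CONF
# Reads a dnsmasq.conf written in the same style as the file above (trailing
# "# comment" allowed) and prints one finding per line for the settings that
# decide who the forwarder answers and where it sends queries.
# Exit status: 0 when nothing is MISSING, 1 otherwise. NOTE lines do not fail.
dnsmasq_audit() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    rc=0
    # Normalise: strip comments, leading whitespace and blank lines.
    opts=$(sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$conf")
    # has PATTERN: true when some option line starts with PATTERN.
    has() { printf '%s\n' "$opts" | grep -Eq "^$1"; }

    # 1. Listening scope. With none of these, dnsmasq answers DNS and DHCP on
    #    every interface, so a container with a routable address is an open
    #    resolver for anyone who can reach it.
    if ! has 'interface=' && ! has 'listen-address=' && ! has 'local-service'; then
        echo "MISSING interface=/listen-address=/local-service: answers on every interface"
        rc=1
    elif has 'interface=' && ! has 'bind-interfaces' && ! has 'bind-dynamic'; then
        echo "NOTE interface= without bind-interfaces: still binds the wildcard address and filters by interface"
    fi

    # 2. Forwarding hygiene (the post's config already has both).
    has 'domain-needed' || { echo "MISSING domain-needed: plain names are forwarded upstream"; rc=1; }
    has 'bogus-priv'    || { echo "MISSING bogus-priv: RFC1918 reverse lookups are forwarded upstream"; rc=1; }

    # 3. Rebinding. An upstream answer that maps a public name to a private
    #    address lets a web page reach LAN services through a browser on the LAN.
    has 'stop-dns-rebind' || { echo "MISSING stop-dns-rebind: private addresses in upstream answers are accepted"; rc=1; }

    # 4. Upstream source. With neither server= nor resolv-file=, dnsmasq reads
    #    the resolv.conf it is pointed at; when that file is empty, as in the
    #    resolvconf failure above, every forwarded query is answered REFUSED.
    if ! has 'server=' && ! has 'resolv-file='; then
        echo "NOTE no server=/resolv-file=: upstream servers come from resolv.conf; make sure it is not empty"
    fi

    # 5. Local domain and DHCP scope.
    has 'local=/'     || { echo "MISSING local=/domain/: local names may be forwarded to upstream resolvers"; rc=1; }
    has 'dhcp-range=' || { echo "MISSING dhcp-range=: DHCP service is not enabled"; rc=1; }

    return $rc
}
```

Run it as `dnsmasq_audit /etc/dnsmasq.conf` before `dnsmasq --test`, then confirm from a host that should not be served (another VLAN, or the WAN side of the router) that a query for an outside name is refused or unanswered; that end-to-end check is the one that matters for an open resolver.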

Also update /etc/hosts so you can easily ping hosts on your network:

root@dnsmasq:~# cat /etc/hosts
 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# --- BEGIN PVE ---
 dnsmasq.gavowen.local dnsmasq
# --- END PVE ---
.69.10.40 pve01.gavowen.local pve01 crashplan.gavowen.local crashplan media.gavowen.local media sarlacc.gavowen.local sarlacc

Much easier than IP addresses:

root@dnsmasq:~# ping sarlacc
PING sarlacc.gavowen.local ( 56(84) bytes of data.
64 bytes from sarlacc.gavowen.local ( icmp_seq=1 ttl=64 time=0.333 ms
64 bytes from sarlacc.gavowen.local ( icmp_seq=2 ttl=64 time=0.234 ms
64 bytes from sarlacc.gavowen.local ( icmp_seq=3 ttl=64 time=0.214 ms
--- sarlacc.gavowen.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.214/0.260/0.333/0.053 ms
root@dnsmasq:~# ping media
PING media.gavowen.local ( 56(84) bytes of data.
64 bytes from media.gavowen.local ( icmp_seq=1 ttl=64 time=0.283 ms
64 bytes from media.gavowen.local ( icmp_seq=2 ttl=64 time=0.031 ms
64 bytes from media.gavowen.local ( icmp_seq=3 ttl=64 time=0.027 ms
--- media.gavowen.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.027/0.113/0.283/0.120 ms

Last but not least, start up dnsmasq:

service dnsmasq start
service dnsmasq status

Hopefully now you are up and away with a nifty little DNS and DHCP server.

Setting up a Crashplan FreeNAS Plugin Jail


I back up about 400 gigabytes of photo RAW files and Lightroom (LR) catalogs to the cloud using CrashPlan. I used to have these files on a single hard drive inside my computer – dangerous!

I realised that I needed my photo files on a RAID array so that I don't lose everything in the case of a single disk failure. Instead of putting a RAID array inside my PC, or directly attaching one to it using USB or Thunderbolt (a "DAS", for "directly attached storage"), I realised I didn't need to spend money when I already have a perfectly good RAID box – my NAS running FreeNAS!

I had a rude shock though when it came to backing up with CrashPlan running on my PC and my work files on a mapped network drive: CrashPlan refused to touch the files on the mapped network drive! I then decided to take the plunge and move the CrashPlan engine to my NAS, and do backups from there. Brilliant!

About Running CrashPlan “Headless”

CrashPlan has two basic parts – the CrashPlan application and the CrashPlan engine. The engine runs continuously and backs up even when the client isn't running. The client just checks the engine status and is used to configure it. The client app is designed to connect to an engine on the local machine, not a remote one. Luckily it talks to the engine over a TCP port, so we can hack the configuration to make it connect to a remote (headless) machine through an SSH tunnel.

Install the CrashPlan Plugin Jail

Set up your jail configuration, if you haven't already. Mine is as follows:

jail configuration

Install the CrashPlan plugin jail by going to “Plugins > Available” and then highlighting “CrashPlan” and then clicking the “Install” button.

After it has installed, map the files you want to backup into the jail under “View Jails > Storage”. You’ll find detailed instructions on this on the FreeNAS documentation homepage.

My jail storage is as follows:

jail storage

"volume1" is my RAID array volume, and "lacie" is an external 12TB USB 3.0 drive volume. I initially decided to use CrashPlan to back up all my files (software, multimedia and music) to my external drive, but I found that too slow. Now I just have a backup set for my "RAW files" and "Catalogs", which are contained within my "/software/photography" dataset, as I didn't want to create another dataset just for those two.

It makes sense to map your source files read-only, as I have done here – no need to give CrashPlan more permissions than it needs to do its job, and it safeguards the files in case something goes drastically wrong. Mapped like this, you can only trash your backups, not the source.

Update the Plugin Jail

I usually run the following for any new jail to get it up to date:

pkg clean     # clean out the old package cache
pkg update    # fetch the latest package catalogue
pkg upgrade   # upgrade the jail's installed packages

I also like to install bash with “pkg install bash” and then log out and back into the jail under bash:

sarlacc# jls
 JID IP Address Hostname Path
 1 - crashplan_1 /mnt/volume1/jails/crashplan_1
 2 - dnsmasq /mnt/volume1/jails/dnsmasq
 3 - plexmediaserver_1 /mnt/volume1/jails/plexmediaserver_1
 4 - sabnzbd_1 /mnt/volume1/jails/sabnzbd_1
sarlacc# jexec 1 bash
[root@crashplan_1 /]#

Configure SSH in the Plugin Jail

You’ll need SSH in order to connect your PC to the CrashPlan engine running on the NAS. This is quite straightforward:

Edit "/etc/ssh/sshd_config" and uncomment/edit as follows:

PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes

For more security you can create another user with "adduser crashplan" or "adduser backupuser" etc., but I don't bother – I just use the root user and set a strong root password (in the jail) with the "passwd root" command.

Next get sshd going:

sysrc sshd_enable=YES  # allows sshd to be started as a service
service sshd keygen    # generate sshd keys
service sshd start     # start the sshd service
service sshd status    # check sshd service status - should return the process ID
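If you take the dedicated-user route mentioned above, the sshd_config fragment below is an added example (not from the post) of locking that user down so the SSH login is good for the CrashPlan tunnel and nothing else. It assumes a user named crashplan created with "adduser crashplan", the PC's public key already in that user's ~/.ssh/authorized_keys, and engine port 4243 as seen in the sockstat output later in the post. Note that sshd_config does not allow a trailing comment on a directive line (extra words become extra values), so the comments stand on their own lines.

```sshd_config
# Global: no root login, key authentication only, one permitted user.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Assumed tunnel user, created with "adduser crashplan".
AllowUsers crashplan

# For that user the session can only open a local forward to the engine port.
# PermitOpen lists both spellings because the client may ask for either.
Match User crashplan
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:4243 localhost:4243
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
    PermitTTY no
```

Check it with `sshd -t` before `service sshd restart`; the client side is then `ssh -N -L 4200:127.0.0.1:4243 crashplan@<jail-ip>`, the OpenSSH equivalent of the SecureCRT port map described below. With PermitOpen in place, a stolen key gets an attacker a socket to the CrashPlan engine and nothing else, rather than a root shell in the jail and a forwarder to anything the jail can reach.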

Update and Start CrashPlan Engine in Plugin Jail

The current problem we face is that the plugin is only version 3.6.3_1, which is way behind the existing GUI version of 4.7, and there are compatibility issues between the two. No problem – just manually update the jail:

su -                    # if not already root
cd /usr/pbi/crashplan-amd64/share/crashplan
wget --no-check-certificate   # URL omitted here; this flag skips TLS verification, so check the archive's checksum before unpacking it
tar -xf CrashPlan_4.7.0_Linux.tgz
cd crashplan-install
cpio -idv < CrashPlan_4.7.0.cpi   # unpack the engine's lib tree from the cpio archive
service crashplan stop
cd ..
rm -r lib*                        # replace the 3.6.3 libraries with the 4.7.0 ones
cp -r crashplan-install/lib* .
sysrc crashplan_enable=YES        # start the engine at jail boot

The above assumes that 4.7 is the latest version, and that the crashplan TARGETDIR is “/usr/pbi/crashplan-amd64/share/crashplan“. Check the install vars here:

root@crashplan_1:/usr/pbi/crashplan-amd64/share/crashplan # cat install.vars 

You may have to change "JAVACOMMON=/usr/pbi/crashplan-amd64/share/crashplan/jre/bin/java" to "JAVACOMMON=/usr/pbi/crashplan-amd64/bin/java" if you get an error message in /var/log/crashplan/engine_error.log complaining about ""

How I found the correct java:

[root@crashplan_1 /usr/pbi/crashplan-amd64/share/crashplan]# find / -name "java"

/usr/pbi/crashplan-amd64/linux-sun-jre1.7.0/bin/java -version   Java(TM) SE Runtime Environment (build 1.7.0_51-b13) 
/usr/pbi/crashplan-amd64/share/java -version  directory
/usr/pbi/crashplan-amd64/share/crashplan/jre/bin/java -version   - breaks with issue
/usr/pbi/crashplan-amd64/bin/java -version   (build 1.7.0_51-b13)

Go to Plugins > CrashPlan, in the left hand side tree menu in order to accept the Java licence agreement. This trips a lot of people up.

Now start CrashPlan:

 service crashplan start

You can check that CrashPlan is running with the following:

root@crashplan_1:/mnt/lacie # sockstat -4 | grep java
root java 4859 88 tcp4
root java 4859 105 tcp4 *:*
root java 4859 108 tcp4
root java 4859 119 tcp4

Line 2 is a connection to, which is Code42 Australia, where I am backing up some files to.
Line 3 is listening on the local server for new connections.
Line 4 is an SSH port map from my Windows PC where I run the GUI. We'll get to that.
Line 5 is a connection to , which is Code42 (makers of CrashPlan) in the USA. Possibly a license server.

Don't be alarmed when you see "crashplan is not running" from "service crashplan status". If Java is listening on port 4243 then it should be fine. 🙂

Configure SSH in Windows

I use a program called SecureCRT to easily setup the portmap, connecting to my jail IP of, and CrashPlan port of 4243, using local Windows port of 4200:

Crashplan port forward secure CRT with crashplan settings

It's handy to create and save a session for this, and then create a desktop shortcut to the session, so you can just double-click the icon to start it. I like to start it minimised. The target for the shortcut for me is "C:\Program Files\VanDyke Software\SecureCRT\SecureCRT.exe" /S "CrashPlan"

NB: Check that 4243 is actually your CrashPlan engine port, with the “sockstat -4 | grep java” command above.

Connecting Windows CrashPlan Client to FreeNAS CrashPlan Engine

After setting up the port map, we need to finish off by connecting the Windows client to the FreeNAS server. To do this we need to update the following file: "C:\ProgramData\CrashPlan\.ui_info", changing the port and API key.

e.g. from:




The format is <local port>,<api key>,<IP address>. Where is the API key, you might ask? Answer – in the server's .ui_info file. Run this on the FreeNAS box to check:

cat /var/lib/crashplan/.ui_info

You can double check the server’s port config there.

Once the Windows “.ui_info file” is saved, you should now be able to start the CrashPlan application on your PC and connect to the server.

The .ui_info file reverts to the previous settings on every reboot of Windows, so it is worth creating a .bat file to re-apply it at startup.

Windows Batch File

  1. Copy your newly configured “.ui_info” file to a new file called “freenas.ui_info” in the same directory.
  2. Create a file called “cpcfg.bat” (short for “crashplan configuration”) in the same directory, with the following contents:
    copy C:\ProgramData\CrashPlan\FreeNAS.ui_info C:\ProgramData\CrashPlan\.ui_info
  3. Create a shortcut to that same cpcfg.bat file in the same folder.
  4. Once the shortcut has been created, right-click the file and select Cut.
  5. Press the WindowsKey+R to get to the “Run” dialog box.
  6. Type “shell:startup” in the Run dialog box and hit “OK”.
  7. Paste your “cpcfg.bat” shortcut into that folder.
  8. Right-click on the shortcut and go to “Properties > Shortcut (tab) > Advanced, and click “Run as Administrator”, and then OK, Apply, OK, to save.

Now every time you reboot, that file will have the correct info. If that doesn't work then you'll have to run the .bat file manually.
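The .ui_info rewrite above is done by hand on Windows. The shell function below is an added example (not from the post, and not Code42's code) of producing the client line from the engine's copy on a POSIX client such as a Linux or Mac laptop, with checks so that a malformed file is never copied over the client's own. It assumes the <port>,<api key>,<address> format stated above, treats the key as an opaque token, and uses 127.0.0.1 as the address because the client talks to its own end of the SSH tunnel rather than to the jail; the key used in the test is constructed.

```shell
#!/bin/sh
# make_ui_info LOCAL_PORT SERVER_UI_INFO_FILE
# Reads the engine's .ui_info (format: <port>,<api key>,<address>) and prints
# the line the client needs: the local end of the SSH tunnel plus the same key.
# Returns 1 on any malformed input so nothing bad is ever written into place.
make_ui_info() {
    port="$1"
    src="$2"

    # The local tunnel port must be a plain number in range.
    case "$port" in
        ''|*[!0-9]*) echo "bad local port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # First line only, CR/LF stripped (the file may have travelled via Windows).
    line=$(head -n 1 "$src" | tr -d '\r\n')

    # Split on commas only; the key itself is left untouched.
    old_ifs=$IFS
    IFS=,
    set -- $line
    IFS=$old_ifs
    if [ "$#" -ne 3 ]; then
        echo "expected 3 comma-separated fields in $src, got $#" >&2
        return 1
    fi
    key=$2
    case "$key" in
        ''|*[[:space:]]*) echo "api key missing or contains whitespace" >&2; return 1 ;;
    esac

    # The client connects to its own end of the tunnel, so the address is
    # always 127.0.0.1 whatever the jail's IP is.
    printf '%s,%s,127.0.0.1\n' "$port" "$key"
}
```

Usage: copy the engine's file off the jail with scp, run `make_ui_info 4200 server.ui_info`, and redirect the output over the client's .ui_info (its location depends on the client OS). The tunnel itself is `ssh -N -L 4200:127.0.0.1:4243 <user>@<jail-ip>`, after confirming with `sockstat -4 | grep java` on the jail that 4243 really is the engine's port, as the post advises.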

Troubleshooting and Tips

I did the following when I was troubleshooting, just following tips on forums, as you do. I'm not sure whether they made my setup work or not, but if you have trouble, it doesn't hurt to try the following on the server, within the CrashPlan plugin jail:

ln -s /usr/local/bin/bash /bin/bash
/usr/bin/cpuset -l 0 /usr/local/share/crashplan/bin/CrashPlanEngine restart

In the GUI you can double-click the CrashPlan "house" logo at the top right to bring up the GUI CLI. Type "" and you should see something like this:

UI Port=4243
HTTP Port=4244

Address= and UI Port=4243 is correct if you’re mapping local port 4200 to server port 4243


Big tip here is to set the CPU usage to 100% (for user present and idle) in the FreeNAS GUI. This is because FreeNAS does CPU management for jails, and 100% within the jail means about 60% overall. The more CPU you throw at it, the better.

It does help to have a very grunty box when doing local backups at speed. I found that my speeds went up the more I ramped CPU up to 100%, so it's definitely CPU-bound. I get about 325Mbps (bits, not bytes) to my external LaCie 12TB box over USB 3.0 (5Gbps throughput). That would definitely go up with more CPU clock cycles.


There's no need to compress your files within the jail if you've already turned compression on at the dataset level; you're just wasting time and CPU otherwise. It is good to compress when going over the Internet though, to save your network bandwidth.


This draws heavily from these two links:
Using CrashPlan On A Headless Computer
FreeNAS Forums: CrashPlan 4.5 Setup


Avoid MegaBuy

Well the old adage “you get what you pay for” is true when it comes to Internet shopping. I recently ordered from because a search on showed that they were one of the cheapest, if not cheapest, and by a substantial amount. I usually order from – but for this particular item – a WD My Passport Wireless hard drive – they were out of stock.

I proceeded to order from Megabuy. So far so good but then I hit my first snag. Their website wouldn’t let me create an account failing with some code issue. Odd and very amateurish. I emailed them and then that got fixed up. OK moving on – I then proceeded to order – the WD drive, and also a 256GB SSD card.  Crazily – it said the two items would come in two separate boxes, and the combined shipping cost was just over $60! I should have stopped there and then, but the cost including shipping was still just under my preferred supplier Scorptech. I pushed ahead with the order.

Well the hard drive showed up, and you can see how terribly the hard drive was packed. This is a hard drive, for God's sake! The drive would have bounced around like a soccer ball in the bigger box, potentially damaging the components. Couriering a hard drive is something I prefer not to do regardless of how it's packed, but packed like this – it's inexcusable. That's why I've been moved to blog about it.

I paid over $30 courier charge for this:


The takeaway is – DO NOT ORDER ANYTHING FROM MEGABUY.COM.AU.  It will end up being a false economy. As always – you get what you pay for. Caveat emptor!

Updating Free VMware ESXi


VMware regularly patch their free ESXi bare-metal hypervisor. If you have the free version, you can do this from the CLI, with the help of the (also free) VMware vSphere Client.


  • Download patch file
  • Shut down VMs and put the host into Maintenance mode
  • Enable SSH Server on Host
  • Copy patch file to host
  • Run the patch
  • Reboot

Download Patch File

You need to have a free VMware account to download the patch upgrade file. This is usually a zip.

To update from 6.0.0 to 6.0.0U1, it is called “”, and you can go here to grab it:

VMware patch search

When you search, you should be able to find the file and download it. Note that these instructions should also work for future versions.

Shut down VMs and put the host into Maintenance mode

Simply shut down your VMs, then right-click on the host and select "Enter Maintenance Mode".

Enable SSH Server on Host

Click on your Host –> Configuration (tab) –> Software > Security Profile –> Properties…

VMware SSH enable

In the properties, go down to "SSH". If it is "Stopped" then click on the service property "Options" (bottom right) and start it up. I just have it set to the default "Start and stop manually", as I only go in there to patch ESXi, and so start it when I need it. I have found that after a reboot, it is stopped by default.

You should now be able to SSH to your host. If you cannot, then go to the Firewall properties (see screenshot above), and make sure that the "SSH Server" checkbox is enabled.

Copy Patch File to Host

Use the vSphere Client to copy the patch file to the host:

ESXi data store

Don't change directories – just dump it into the root of your datastore:

ESXi data store file xfer

Run the Patch

On the CLI run this:

esxcli software vib update -d /vmfs/volumes/<datastore>/<file>.zip

…where <datastore> is the name of your datastore. For me it’s datastore1, so for me it is:

esxcli software vib update -d /vmfs/volumes/datastore1/

It shouldn’t take long.


When you’re done just reboot, then take your host out of maintenance mode and start your VMs up.
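The procedure above trusts whatever zip landed on the datastore. The two shell functions below are an added example (mine, not VMware's) for the ESXi shell: they compare the bundle with the SHA-256 printed on the patch download page before running the same esxcli update, and do a dry run first so the list of VIBs about to change can be read before anything is touched. Assumptions: the expected hash is copied in by hand from the download page, the ESXi shell's BusyBox provides sha256sum (shasum and openssl are fallbacks so the check can be tried on a workstation first), and the datastore path is the one from the post.

```shell
#!/bin/sh
# verify_bundle ZIP EXPECTED_SHA256
# Compares the offline bundle on the datastore with the SHA-256 published on
# the VMware patch download page. Returns 0 on match, 1 on mismatch,
# unreadable file or malformed hash.
verify_bundle() {
    zip="$1"
    # The published hash may be upper-case; normalise before comparing.
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$zip" ] || { echo "cannot read $zip" >&2; return 1; }
    case "$want" in
        *[!0-9a-f]*|'') echo "expected hash is not hex: $2" >&2; return 1 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "expected hash is not 64 hex digits" >&2; return 1; }

    # Assumption: BusyBox sha256sum on ESXi; the others let the same function
    # run on a workstation before the zip is uploaded.
    if command -v sha256sum >/dev/null 2>&1; then
        got=$(sha256sum "$zip" | cut -d' ' -f1)
    elif command -v shasum >/dev/null 2>&1; then
        got=$(shasum -a 256 "$zip" | cut -d' ' -f1)
    else
        got=$(openssl dgst -sha256 "$zip" | sed 's/.*= *//')
    fi

    if [ "$got" != "$want" ]; then
        echo "checksum mismatch for $zip" >&2
        echo "  got:  $got" >&2
        echo "  want: $want" >&2
        return 1
    fi
    echo "checksum OK: $zip"
}

# apply_bundle ZIP EXPECTED_SHA256
# The post's esxcli update, gated on the checksum and preceded by a dry run.
# Signature checking is left at its default (no --no-sig-check): the VIB
# acceptance level is the only thing vouching for what is inside the zip.
apply_bundle() {
    zip="$1"
    verify_bundle "$zip" "$2" || return 1
    esxcli software vib update -d "$zip" --dry-run || return 1
    esxcli software vib update -d "$zip"
}
```

Usage from the ESXi shell: `apply_bundle /vmfs/volumes/datastore1/<file>.zip <sha256 from the download page>`. One caveat on the verb: `vib update` only refreshes VIBs that are already installed and never adds or removes any, whereas `vib install` can remove VIBs, so `update` is the right choice for a routine patch like the one in the post.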


HP Procurve 2524 Switch

I've been playing around with my HP ProCurve 2524 (J4813A) managed 24-port 10/100 switch today. The CLI is very functional and Cisco-like. It even supports CDP. You can do 'show run' to view your config just like in IOS. One thing I like better than Cisco IOS is that even in the configure context you still have full access to all the 'show' commands. I wish IOS did that. There is the IOS-like 'no …' at the front of a configuration line to remove/negate that particular configuration line.

The VLAN configuration is very straightforward. There are no switch-port ACLs like on a Nortel Baystack, but they aren't necessary if using full 802.1Q VLANs. Unlike the Baystacks, you can reconfigure VLANs on the fly without having to change any of the settings on the monitoring (mirror) port. The monitoring port can either monitor one VLAN, or any number of physical ports. This functionality works quite well. If you had a VLAN whose Internet access you wanted strict control over, you could have something like this:

untagged 3
tagged 23
tagged 24

For this scenario –
Port 3 has the ‘computer room 3’ switch hanging off it
Port 23 is Internet gateway/router
Port 24 is the DHCP server

You would just say:

vlan 3
no tagged 23

…and voilà – room 3 has no Internet but still has DHCP. You can verify this with 'show vlan 3'.

On the topic of DHCP, you can have a different DHCP scope for each VLAN by using Intel PROSet tools on the DHCP box. Just have a virtual interface on each VLAN and serve a scope to each one. I did that in testing today – it worked beautifully.

I set up CommTraffic today and played with it in conjunction with VLANs. It worked fine. CommTraffic has all the makings of a good program and it has accurate reporting, but it was just too inflexible in its reporting. There was no easy way to clear the totals, and it annoyed me by seemingly only computing traffic on a per-host basis. Where are the totals for each VLAN? I'd look elsewhere for a tool (possibly still Windows-based) that has better reporting, and probably a sturdier logging database. Something that dumps to a MySQL database would be nice. I think making use of SNMP functionality would be beneficial.