Veeam Vanguard 2025

I have some fantastic news to share. I’ve been awarded Veeam Vanguard status for the 11th consecutive year! Yes, I made Veeam Vanguard 2025.

A decade of community bliss

I have been a proud and satisfied Veeam customer for over a decade. Throughout this journey, I have shared my experiences and insights from the field while using their products. Over the years, the IT landscape has evolved tremendously. While many advancements have made things easier and more efficient, they have also introduced a more diverse, complex, and fragmented environment that requires data protection and management.
From simple file restores to full-scale disaster recoveries across on-premises, hybrid, and cloud environments, Veeam has continuously evolved to meet these challenges with excellence. Today, Veeam offers such a powerful and versatile suite of products that it has become a benchmark in many architectural designs.
We live in an era of uncertainty, rapid change, and shifting landscapes. The need to navigate these challenges has never been more critical. More than ever, the ability to handle both minor incidents and large-scale catastrophes has become the foundation of modern IT strategies. Ransomware, cybercrime, political instability, and economic turmoil have brought data protection to the forefront of discussions with partners and colleagues. The knowledge and expertise I’ve gained by working with Veeam, alongside the brilliant minds in the Veeam 100 community, have empowered me to contribute to these conversations and develop solutions that address today’s evolving threats.

Thank you, Veeam Community

To my fellow Veeam Vanguards, legends, and MVPs, thank you for being part of this incredible journey. A special shoutout to Mike Resseler for initially bringing me into this program. I also want to express my gratitude to Rick Vanover, Nikola Pejková, Madalina Cristil, Safiya Mohamed, Michael Cade, Edwin Weijdema, and Anton Gostev for their trust and support over the years. Their dedication to making Veeam and its community a success is unparalleled.
The support from Veeam’s leadership, including Anton Gostev and many of their employees, truly makes the Veeam community the best in the industry. They not only enable but actively empower the community in every possible way.
Here’s to another year of great conversations, collaboration, innovation, and success!

See Veeam 100 Directory | Veeam Community Resource Hub for more information.

How to fix locking yourself out of OPNsense

Introduction

Eventually, we all make the mistake of locking ourselves out of our firewalls. Let’s look at how to fix locking yourself out of OPNsense.

How to fix locking yourself out of OPNsense

With OPNsense, this is mainly due to an error in the interface configuration and firewall rules. You know, when we are too “strict” and deny traffic from private networks on the interface we use for management.

Cause 1: Firewall rules are blocking you

These can be user-created rules or the rules added when you select to block private address ranges on an interface.

There is an easy solution, but it requires console access. If OPNsense runs in a virtual machine, that is relatively easy, especially in the lab or when you are the hypervisor administrator. If OPNsense is running on an appliance, you’ll probably need physical access to that device. Bring a keyboard and a monitor with whatever cable (VGA/DVI/HDMI/DisplayPort/USB-C) is required, or connect a physical console cable to the device. This can only be done remotely if the console port is available over Ethernet.

Log in with an account with sufficient rights and drop into the shell by selecting option 8.

Type:

pfctl -d

Hit “Enter”. This turns the OPNsense device into a router only by disabling the firewall. That means you now have access again via HTTPS or SSH on the interfaces you list for administration despite the error you made in the firewall rules for those interfaces.

Connect via the Web GUI and fix that mistake. When done, turn the firewall back on. To do so type:

pfctl -e

Hit “Enter”. The firewall is now enabled again.

Test whether you still have Web GUI or SSH access. If so, mission accomplished.
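
While pf is disabled, the device forwards traffic unfiltered on every interface, so the window should be short and should close on its own if the console session is lost. The script below is an added example, not part of the original post: it wraps pfctl -d and pfctl -e with a timer that turns the firewall back on. PFCTL and the function names are assumptions of this example; load it from sh rather than from the default root shell.

```sh
#!/bin/sh
# Added example, not from the original post. PFCTL and the function names
# are this example's own; PFCTL can point at a stub for a dry run.
PFCTL="${PFCTL:-pfctl}"

# True when "pfctl -s info" reports the packet filter as enabled.
pf_is_enabled() {
    "$PFCTL" -s info 2>/dev/null | grep -q '^Status: Enabled'
}

# Disable pf, and re-enable it after $1 seconds (default 600) if it is
# still disabled by then, e.g. because the console session was dropped.
pf_disable_with_timeout() {
    timeout="${1:-600}"
    "$PFCTL" -d >/dev/null 2>&1 || return 1
    (
        sleep "$timeout"
        pf_is_enabled || "$PFCTL" -e
    ) </dev/null >/dev/null 2>&1 &
    PF_TIMER_PID=$!
    echo "pf disabled; it will be re-enabled in ${timeout}s at the latest"
}

# Cancel the timer and re-enable pf right away; succeeds only if pf is
# confirmed enabled afterwards.
pf_reenable_now() {
    if [ -n "${PF_TIMER_PID:-}" ]; then
        kill "$PF_TIMER_PID" 2>/dev/null || true
    fi
    pf_is_enabled || "$PFCTL" -e >/dev/null 2>&1
    pf_is_enabled
}
```

Call pf_disable_with_timeout 600, fix the rule in the Web GUI, then call pf_reenable_now and check its exit status.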

Cause 2: You no longer have HTTPS/SSH listening on the interface you have access to

By default, you listen on all non-WAN interfaces. You might have reduced this to one or more but accidentally forgot to select the one(s) you need.

No fear, under /conf/config.xml, you can edit the administrative WebGUI and SSH settings. In the example below, I have customized those settings (via the WebGUI) to listen to the specified ports.

WebGUI

SSH

Add the missing interface(s) or allow the WebGUI and SSH to listen to all of them again by reverting the settings back to default and not specifying any interfaces, as in the example below.

WebGUI

SSH

To edit these files, you can use vi, which is available by default. If you prefer Nano or such, you can install it via the FreeBSD package manager:

pkg install nano

Voila, those are the most common ways to get out of a pickle when you have locked yourself out of OPNsense.

Proximus IPTV decoder DHCP Options Reference

Introduction

This blog serves as a Proximus IPTV decoder DHCP Options Reference. It is nothing more than an ISC DHCP .conf file to leverage in OPNsense to help tweak the configuration so that Proximus (Fiber, single VLAN 20) IPTV works on an OPNsense appliance (physical or virtual) instead of via the Internet Box. See DHCP — OPNsense documentation.

I still need to put in the lab time to try to convert my config to Kea DHCP, as ISC DHCP is getting a bit old.

Proximus IPTV decoder DHCP Options Reference

This blog post is meant to be a reference document I can return to and add to when needed. Please feel free to add to it or correct info via the comments. I am working on more elaborate documentation explaining how you can use your 3rd party OPNsense Firewall/Router with Proximus (Internet, IPTV, and VOIP) in the single VLAN 20 setup they are now rolling out. The official documentation is a bit too vague in certain areas. Also, with so many devices, Proximus has no commercial interest in supporting them. That said, OPNsense, pfSense, Unifi, OpenWRT, DD-WRT, MikroTik, and others would cover the most popular ones and do miracles to make an ISP/telco loved instead of seen as a necessary evil. With the prices they charge, they should be able to afford and fund that effort.

Later, when “complete,” I’ll also throw this on GitHub.

Custom ISC DHCP config file Proximus Decoders

You’ll need to use your own interface’s (physical or VLAN) subnet, grab the MAC address of your decoder(s), and verify your decoder(s) hardware version (sniff it or grab it from the System Info via your TV). I got the other values for the DHCP options by capturing DHCP traffic from the decoder. Hence, this blog is my Proximus IPTV decoder DHCP Options Reference.

option space ProximusDecoderV5C;
option ProximusDecoderV5C.serviceName code 4 = text;

# This decoder works with Proximus Fiber To The Home and is the one I could test with.
# Please fill out the MAC address of your decoder. The "1" means ethernet and is not part of the MAC address.
class "ProximusDecoderV5C" {
    match if (substring(hardware, 0, 7) = 1:62:de:c8:c8:ff:47 and substring(option vendor-class-identifier, 0, 19) = "IPTV.CISCO.ISB8320E");
}
# Below classes are older or newer decoders and the info I could find about them for this use case.
# You must figure it out with network captures, Wireshark, and DHCP tests.

# This is an older decoder V5 (Mini?) - Obsolete and probably does not work with Proximus Fiber To The Home
# Please fill out the MAC address of your decoder. The "1" means ethernet and is not part of the MAC address.
# I do not have access, so I could not sniff out DHCP Option 43 to find it.
class "ProximusDecoderV5" {
    match if (substring(hardware, 0, 7) = 1:62:de:c8:c8:ff:48 and substring(option vendor-class-identifier, 0, 18) = "IPTV.CISCO.IPV5001");
}

# This is decoder V6 - Obsolete and being replaced. Maybe due to it being Huawei? It might or might not work with Proximus Fiber To The Home.
# I do not have access, so I could not sniff out DHCP Option 43 to find it.
# Please fill out the MAC address of your decoder. The "1" means ethernet and is not part of the MAC address.
# The substring length must equal the length of the identifier (20 characters here), or the match never succeeds.
class "ProximusDecoderV6" {
    match if (substring(hardware, 0, 7) = 1:62:de:c8:c8:ff:49 and substring(option vendor-class-identifier, 0, 20) = "IPTV.HUAWEI.EC6109V1");
}

# This is decoder V7. I have not had one to play with, so I am unsure of the system version. CHECK IT YOURSELF! Works with Proximus Fiber To The Home.
# I do not have access, so I could not sniff out DHCP Option 43 to find it.
# Please fill out the MAC address of your decoder. The "1" means ethernet and is not part of the MAC address.
# The substring length must equal the length of the identifier (27 characters here), or the match never succeeds.
class "ProximusDecoderV7" {
    match if (substring(hardware, 0, 7) = 1:62:de:c8:c8:ff:50 and substring(option vendor-class-identifier, 0, 27) = "IPTV.TECHNICOLOR.UIW4020PXM");
}


# Anything else you might plug in, like a smart TV directly. Optionally, you can just refuse to lease it an address to block use by unknown devices.
# Alternatively, you can filter on MAC addresses.
class "NotProximusDecoder" {
    match if not (substring(option vendor-class-identifier, 0, 19) = "IPTV.CISCO.ISB8320E");
}

subnet 192.168.210.0 netmask 255.255.255.0 {
    Pool{
        allow members of "ProximusDecoderV5C";
        range 192.168.210.101 192.168.210.111;

        # Route/GW for the subnet of IPTV VLAN
        option routers 192.168.210.1;

        # Subnetmask for the subnet of IPTV VLAN
        option subnet-mask 255.255.255.0;

        # Broadcast address for the subnet of IPTV VLAN
        option broadcast-address 192.168.210.255;
        # Proximus STB/decoder V5c has this VCI (checked with DHCP client tool and Wireshark)
        option vendor-class-identifier "IPTV.CISCO.ISB8320E";
        
        # Vendor-specific option space for IPTV
        vendor-option-space ProximusDecoderV5C;
        
        # Proximus defined IPTV specific options
        option ProximusDecoderV5C.serviceName = "RS";
        
        # Bootfile name for the device
        option bootfile-name "CVT/2/239.255.1.218:64010+SA=239.255.1.218:64010+SAP/3/239.192.4.31:9875"; # Option 67
        
        # Proximus NTP servers (Option 42)
        option ntp-servers 81.244.255.82, 81.240.251.109, 81.244.255.77, 81.240.251.105;
        
        # Proximus DNS servers (Option 6)
        option domain-name-servers 195.238.2.22, 195.238.2.21;
        max-lease-time 86400;
    }
    Pool{
        allow members of "NotProximusDecoder";
        range 192.168.210.201 192.168.210.211;

        # Route/GW for the subnet of IPTV VLAN
        option routers 192.168.210.1;

        # Subnetmask for the subnet of IPTV VLAN
        option subnet-mask 255.255.255.0;

        # Broadcast address for the subnet of IPTV VLAN
        option broadcast-address 192.168.210.255;
            
        # Proximus NTP servers (Option 42)
        option ntp-servers 81.244.255.82, 81.240.251.109, 81.244.255.77, 81.240.251.105;
        
        # Proximus DNS servers (Option 6)
        option domain-name-servers 195.238.2.22, 195.238.2.21;
        max-lease-time 86400;
    }
}
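
A class match of the form substring(x, 0, N) = value can only succeed when the value is exactly N bytes long, which is easy to get wrong when adapting the classes above to another decoder. The script below is an added example, not part of the original post: it checks every such comparison in a dhcpd .conf file, for both the hardware field and the vendor-class-identifier. The function names and the sample input are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post: lint dhcpd.conf class matches.
# substring(x, 0, N) = value can only be true when value is exactly N bytes.
# Function names and the sample below are this example's own.
lint_dhcpd_substrings() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                       # ignore comments
        while (match(line, /substring\([^,]+, *0, *[0-9]+\) *= */)) {
            call = substr(line, RSTART, RLENGTH)
            rest = substr(line, RSTART + RLENGTH)
            n = call
            sub(/\) *= *$/, "", n)                 # strip the trailing ") = "
            sub(/.*, */, "", n)                    # keep the length argument
            if (rest ~ /^"/) {                     # quoted text, e.g. the VCI
                val = substr(rest, 2)
                sub(/".*/, "", val)
                want = length(val)
            } else {                               # colon-separated bytes
                val = rest
                sub(/[^0-9A-Fa-f:].*/, "", val)
                want = split(val, bytes, ":")
            }
            if (n + 0 != want) {
                printf "line %d: length %d, but %s is %d bytes\n", NR, n, val, want
                bad++
            }
            line = rest
        }
    }
    END { exit (bad > 0) }' "$1"
}

# Constructed sample: class A is consistent; class B asks for 19 bytes of a
# 20-byte identifier and for 6 bytes of a 7-byte hardware value.
write_sample_conf() {
    cat > "$1" <<'EOF'
class "A" { match if (substring(hardware, 0, 7) = 1:62:de:c8:c8:ff:47 and substring(option vendor-class-identifier, 0, 19) = "IPTV.CISCO.ISB8320E"); }
class "B" { match if (substring(hardware, 0, 6) = 1:62:de:c8:c8:ff:49 and substring(option vendor-class-identifier, 0, 19) = "IPTV.HUAWEI.EC6109V1"); }
EOF
}
```

lint_dhcpd_substrings prints one line per mismatch and returns non-zero when it finds any, so it can gate a config change before the DHCP service is restarted.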

Clear the Git commits and history from the local & remote master repository

Introduction

Why would we clear the Git commits and history from the local & remote master repository? When preparing training labs leveraging Azure DevOps and Git, I often need to do a lot of testing and experimenting to empirically get the scenarios right. That means the commit history is cluttered with irrelevant commits for the lab training I am presenting.

Ideally, I reset the history to start a training lab when the repository is at the right stage. The students are then not bothered by the commits of previous demos. But how can we clear the Git commits and history from the local & remote master repository?

Clear the Git commits and history from the local & remote master repository

Git is meant to keep the commit history, as are repositories like Azure DevOps. That means there is no way to reset the commit history in Azure DevOps. Git, being a very powerful and, to a certain extent, also a dangerous tool, can help you overcome this. But how to do it is not always obvious. That said, you can also shoot yourself in the foot with Git, so pay attention and be careful.

Step 1 to Clear the Git commits and history from the local & remote master repository

If you keep branches around things get complicated. For my needs, I don’t need them. To delete a branch via git we need three (3) deletes.

git push origin --delete marshipdev
git branch --delete marshipdev
git branch --delete --remotes origin/marshipdev

The above lines respectively delete:

  • The remote branch in Azure DevOps
  • The local branch
  • The local remote tracking branch

You can also delete remote branches in Azure DevOps via the GUI by selecting a branch and selecting “Delete branch” in the menu. Locally you’ll need to use Git commands or the Git GUI.

Step 2

Create a new orphaned branch

git checkout --orphan myresetbranch

The Git option --orphan creates a branch that is in a git init “like” state. That is why we have an alternative option: delete the .git folder in your local repository and run git init in it. That is why I normally keep a copy around of the “perfect” situation with the .git folder removed. I can copy that to create a new local master branch by running git init. I then have that track a new remote repository that still needs initializing via:

git remote add origin  https://[email protected]/workinghardinit/InfraAsCode/_git/AzureFwChildPolMarShip


git push --set-upstream origin master

But that is not what I am doing here, I am using another method.

Step 3

On your workstation in the local repository, make sure to clean and delete or edit and add all the files and folders we want to be in our master repository initial commit.

git add -A

git commit -m "Initial commit"

Note: we use -A here instead of “.” because we also want to delete any files and folders that are currently being tracked. At the same time, it adds new items to be tracked. In practice, it is like running both git add -u and git add .

Step 4

Now delete the current master branch

git branch -D master

Step 5

Rename the temporary branch to “master”

git branch -m master

We now have a master repository again locally.

Step 6

We now need to update the remote repository with the option --force or -f. That allows us to delete branches and tags as well as rewrite the history. Normally that is not allowed, so we need to temporarily allow this in Azure DevOps.

Now we can run

git push -f origin master

If we had not allowed Force push the above command would fail with an error indicating we need to allow “Force push”.
TF401027: You need the Git ‘ForcePush’ permission to perform this action.

Important: do not forget to set “Force push” back to “Not set”

Step 7 to Clear the Git commits and history from the local & remote master repository

Finally, make sure that the local master branch is set up to track origin/master.

git push --set-upstream origin master

That’s it, you now have a master repository in Azure DevOps that is ready to be cloned and used for labs with a clean commit history. Students can clone it, create branches, work on that repository, and they will only see their own changes and commits.
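
Steps 2 to 7 can be rehearsed in a throwaway sandbox before touching a real repository. The script below is an added example, not part of the original post: a local bare repository stands in for the Azure DevOps remote (so the “Force push” permission does not apply), and the function reports the commit count on the remote before and after, plus whether the stand-in remote still stores the old tip commit. All names other than the git commands from the steps are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post. A local bare repository stands
# in for the Azure DevOps remote; names other than the git commands from the
# steps are this example's own.
reset_history_demo() (
    set -e
    exec 3>&1 1>&2        # git chatter goes to stderr, the result to fd 3
    work=$(mktemp -d)
    export GIT_AUTHOR_NAME=lab GIT_AUTHOR_EMAIL=lab@example.invalid
    export GIT_COMMITTER_NAME=lab GIT_COMMITTER_EMAIL=lab@example.invalid

    # Stand-in remote plus a working repository with a cluttered history.
    git init -q --bare "$work/origin.git"
    git --git-dir="$work/origin.git" symbolic-ref HEAD refs/heads/master
    git init -q "$work/repo"
    cd "$work/repo"
    git symbolic-ref HEAD refs/heads/master
    git remote add origin "$work/origin.git"
    for i in 1 2 3; do
        echo "experiment $i" > lab.txt
        git add -A
        git commit -q -m "experiment $i"
    done
    git push -q --set-upstream origin master
    before=$(git rev-list --count origin/master)
    old_tip=$(git rev-parse origin/master)

    git checkout -q --orphan myresetbranch        # step 2
    git add -A                                    # step 3
    git commit -q -m "Initial commit"
    git branch -D master                          # step 4
    git branch -m master                          # step 5
    git push -q -f origin master                  # step 6
    git push -q --set-upstream origin master      # step 7

    after=$(git --git-dir="$work/origin.git" rev-list --count master)
    # The old tip is no longer reachable from master, but the stand-in
    # remote still stores the object until it is garbage collected.
    if git --git-dir="$work/origin.git" cat-file -e "$old_tip^{commit}" 2>/dev/null
    then old_kept=yes; else old_kept=no; fi
    cd /; rm -rf "$work"
    echo "$before $after $old_kept" >&3
)
```

Running reset_history_demo prints the three values on one line; a clean branch history does not mean the old objects are gone from the remote's storage.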

Conclusion

Resetting the Git commit history of a repository is not a recommended action on production repositories under normal situations. But in situations like training lab repositories, it gives me a clean commit history to start my demos from.