MikroTik DDNS
Dynamic DNS (DDNS) on MikroTik

If your Internet service provider (ISP) does not provide a static IP address, you can use Dynamic DNS (DDNS) to map a domain name to your dynamic IP address. MikroTik will take care of updating the DNS record when your public IP address is changed by your ISP.

Add DDNS configuration

- Open WinBox and connect to your MikroTik router
- Go to IP > Cloud
- Set DDNS Enabled to yes
- Press Apply

MikroTik will automatically generate a domain name for you in the format xxxx.mynetname.net, where xxxx is a unique identifier for your router. ...

MikroTik WireGuard
WireGuard VPN

To establish a WireGuard VPN on a MikroTik router for remote devices, you’ll need to configure a WireGuard interface, assign it an IP address, and set up peers for the remote devices. You’ll also need to configure firewall rules to allow connections to the WireGuard server and ensure proper routing for traffic between the remote devices and the MikroTik’s local network.

Prerequisites

- A MikroTik router running RouterOS v7 or later, as WireGuard is not supported in earlier versions
- Remote devices (e.g., smartphones, laptops) with WireGuard client software installed
- A basic understanding of networking concepts like IP addresses, subnets, and routing

Configure the WireGuard Interface on the MikroTik Router

- Navigate to /interface/wireguard in WinBox or the command-line interface
- Create a new WireGuard interface
- Assign a unique name to the interface (e.g. wg-ca)
- Set the MTU (Maximum Transmission Unit), e.g. 1500
- Set the listen port for incoming connections (e.g. keep the default 13231)
- Keep the private key empty and MikroTik will generate it for you
- Press Apply to create the interface

Assign an IP Address to the WireGuard Interface

- Navigate to /ip/address
- Create a new IP address entry
- Enter the IP address you want to assign to the WireGuard interface (e.g., 192.168.100.1/24)
- Select the WireGuard interface you created in the previous step (wg-ca)
- Optionally, set a comment for the address (e.g., “WireGuard VPN”)

Configure Peers (Remote Devices)

- Navigate to /interface/wireguard/peers
- Create a new peer for each remote device
- Give the peer a name (e.g., iPhone)
- Optionally add a comment to identify the peer
- Select the WireGuard interface wg-ca
- Set the private key to auto; MikroTik will generate it for you along with the public key
- Specify the allowed addresses: these are the IP addresses or subnets on the remote device’s side that the MikroTik should accept traffic from (e.g., the client’s IP address or the entire remote subnet), for example 192.168.100.2/32
- Put the same value into the Client Address field
- Set Client DNS to 192.168.100.1
- Press Apply to see the Client Config snippet and the Client QR for it

Firewall Rules

- Create a firewall rule to allow incoming connections to the WireGuard listen port on the MikroTik
- You might also need to create rules to allow traffic between the WireGuard interface and the local network (if your default firewall policy is not permissive)

Configure the WireGuard Client (on mobile device)

- Install the WireGuard client software on your remote devices (available in App Store and Google Store)
- Add a new WireGuard tunnel and choose Create from QR code, then scan the QR generated by MikroTik for the peer created before
- Give it a name, e.g. the same as the MikroTik interface, wg-ca
- A tunnel created from the QR code does not contain an Endpoint (even if you add it to the Peer config). To fix this, press Edit and set Endpoint to IP:31231, where IP is the public IP address of your MikroTik router or a DNS name.

Configure access to Kubernetes using Role-Based Access Control
Prerequisites

Single node Kubernetes cluster with RBAC authorization mode enabled.

Check that kube-apiserver has RBAC enabled

    prlctl exec scorpius "ps -aef | grep kube-apiserver | grep authorization-mode | sed 's/ --/\n--/g'"

The kube-apiserver start command in the resulting output should contain --authorization-mode=RBAC (in the output below RBAC is listed together with Node). If the authorization mode lists other modes but not RBAC, then RBAC will not work.

    root 1624 1312 3 19:37 ? 00:00:42 kube-apiserver --advertise-address=10.211.55.49 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

Configure pod view access for user Bob in his namespace

Create a dedicated namespace for Bob with the name bob-space ...

Provision Highly Available Stacked Kubernetes Cluster
A Highly Available Stacked Kubernetes cluster requires:

- 3 virtual machines to provision nodes with control plane and etcd database
- 1-3 worker nodes
- each VM requires 4 CPU cores, 4 GB RAM virtual machine with DHCP reservation

Configure Parallels Network

First reduce the DHCP IP range so that a VIP can be set without causing an IP conflict with DHCP-assigned IPs

    prlsrvctl net set Shared --ip-scope-end $(prlsrvctl net info Shared | grep DHCPv4 -A3 | tail -n 1 | awk -F ": " '{print $2}' | awk -F"." '{print $1"."$2"."$3"."199}')

Provision nodes for control plane and etcd

Create 3 control-plane VMs from k8s-vm-template. One of the ways of achieving high availability is to use keepalived in combination with the haproxy load balancer. keepalived relies on the Linux Virtual Server (IPVS) kernel module providing Layer 4 load balancing. A second virtual IP will be assigned to one of the VMs based on an election process. haproxy ...

Provision Single Node Cluster With kubeadm
Provisioning a single node cluster which you can access from your host machine requires:

- 4 CPU cores, 4 GB RAM virtual machine with DHCP reservation
- CNI plugin to enable Core DNS

Create and Configure Single Node Cluster

If you do not have k8s-vm-template, follow the steps from the Create Kubernetes VM Template in Parallels post to create it.

Create single node virtual machine scorpius

    prlctl create scorpius --ostemplate k8s-vm-template
    prlctl set scorpius --cpus=4 --memsize=4G --startup-view headless --on-window-close keep-running --sync-vm-hostname on --device-set net0 --mac 00:00:00:00:01:01
    prlctl start scorpius
    # update hostname in hosts
    prlctl exec scorpius sed -i -e 's/vm-template/scorpius/g' /etc/hosts
    # configure DHCP client to use mac address for IP assignments
    prlctl exec scorpius netplan set ethernets.enp0s5.dhcp-identifier=mac
    prlctl exec scorpius netplan apply
    prlctl exec scorpius ip a
    # pull images
    prlctl exec scorpius kubeadm config images pull

Initialize kubernetes cluster ...

Create Kubernetes VM Template in Parallels
In the end you’ll have a Parallels VM template which you can later use to create virtual machines for a single or multi node Kubernetes cluster with the high availability feature on or off. Let’s begin.

Download the Ubuntu server ISO image

    wget https://cdimage.ubuntu.com/releases/24.04/release/ubuntu-24.04.2-live-server-arm64.iso

Create, configure and start a new virtual machine vm-template using the prlctl command line tool provided by Parallels.

    prlctl create vm-template --ostype linux --distribution ubuntu
    prlctl set vm-template --device-set cdrom0 --image ~/Downloads/ubuntu-24.04.2-live-server-arm64.iso --connect
    prlctl start vm-template

Find vm-template in Parallels Control Center, double-click to connect and proceed with the installation. During installation set user cka, name vm-template, and enable ssh. You can keep the rest of the parameters as is. Reboot after the installation is finished. ...