Openwrt network config (WIP)

This is just for reminder on how to configure my home network.

The OpenWrt router that I use is a WNDR3800 from the ~2015 era. Great value with a 680 MHz MIPS CPU, 128 MB RAM and 16 MB flash. I actually have a few of them :) I think it runs at around 5W-7W from memory. This makes it a perfect device to run a few important jobs.

Before getting started

I don’t like having to build custom images, but this is the easiest path to a fully configured, sysupgrade-capable image. The objective is to generate the image such that I can flash a new device and get it up and running without any modification on the device itself.

More than one way to get it done !

  1. You can build the whole kernel and applications yourself.
  2. You can use the image builder to make it quicker and still use opkg for additional packages during the same day.
  3. Have a minimal image and use a USB drive as overlay to install all the applications before restoring a configuration backup. Writing a 4 MB image instead of a 10 MB image could save some flash wear ?

I found that enabling CONFIG_TARGET_INITRAMFS_COMPRESSION_XZ=y and generating an xz squashfs saved me 0.8 MB on a 10 MB file for the effort of building it myself. Worth the wait for the build process ?

I also only mess with the router once every 6-18 months. Writing an image a few times and testing a bit should keep the device alive for at least another 10-15 years, right ?

Secret sauce

In both cases, you can supply a /files folder that holds all your configuration and customization.
You could decompress a backup archive there, and when you reset your router it returns to this configuration if you ever mess it up :)

Services to be handled by the router

dhcpd
firewall-wan
duckdns.org ip update
freenom automatic domain renewal
unbound
wireless-ap
wireguard

Network topology

I want to have my VMs on a different IP subnet than the rest of my network. This can be achieved with VLANs. I will use VLAN 20+ for VMs and create a vmbr20 Linux bridge interface that will tag traffic on that VLAN in Proxmox.

Description                                    VLAN     IP range
ISP -> openwrt -> switch -> 1u_switch -> PCs   vlan1    192.168.1.1/16
  -> Servers & VMs                             vlan20+  10.x.x.1/16
  -> Infrastructure                            vlan7    172.16.0.1/16
  -> wifi -> wifi_0 -> daily_usage             wlan1    192.168.1.1/16
          -> wifi_1 -> adblock                 wlan2    192.168.2.1/16
          -> wifi_2 -> iot                     wlan3    192.168.3.1/16
          -> wifi_3 -> iot_nonet               wlan4    192.168.4.1/16

Routing

It’s all done in the firewall, no hard route to create and maintain !

Allow vlan1->vlan4->vlan1
Allow vlan1->vlan20-50
Allow vlan1->vlan10
Allow vlan10->vlan3,vlan4
Block vlan3->vlan1,vlan20-50,vlan10
Block vlan4->vlan1
Block vlan5->vlan1-4,vlan6-50
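
As an added example (mine, not the page's own config), the rule list above modelled as default-deny zone forwarding for /etc/config/firewall: only the Allow lines become `config forwarding` sections, and the Block lines are checked against them instead of being configured, since an OpenWrt zone with forward REJECT drops anything not explicitly allowed. Using the VLAN names as zone names and reading "Allow vlan1->vlan4->vlan1" as vlan1 initiating with vlan4 only replying through conntrack are my assumptions.

```python
from itertools import product

# The page's "Allow" lines, one (src, dst) per forwarding direction.  I read
# "Allow vlan1->vlan4->vlan1" as vlan1 initiating and vlan4 replying through
# conntrack, so only vlan1->vlan4 is configured (the page also has
# "Block vlan4->vlan1").  Zone names = VLAN names: an assumption.
ALLOW = [
    ("vlan1", "vlan4"),
    ("vlan1", "vlan20-50"),
    ("vlan1", "vlan10"),
    ("vlan10", "vlan3,vlan4"),
]

# The page's "Block" lines, used only to check the policy; with the zone
# 'forward' default set to REJECT they need no config of their own.
BLOCK = [
    ("vlan3", "vlan1,vlan20-50,vlan10"),
    ("vlan4", "vlan1"),
    ("vlan5", "vlan1-4,vlan6-50"),
]


def expand(spec):
    """'vlan3,vlan20-50' -> ['vlan3', 'vlan20', ..., 'vlan50']."""
    names = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            base = lo.rstrip("0123456789")
            names += [f"{base}{n}" for n in range(int(lo[len(base):]), int(hi) + 1)]
        else:
            names.append(part)
    return names


def pairs(rules):
    """Every concrete (src, dst) zone pair a rule list covers."""
    return {(s, d) for src, dst in rules for s, d in product(expand(src), expand(dst))}


def is_forwarded(src, dst, rules=ALLOW):
    """Default deny: only explicitly allowed pairs are forwarded."""
    return (src, dst) in pairs(rules)


def violations(allow=ALLOW, block=BLOCK):
    """Block lines that an Allow line would override (empty = consistent)."""
    return pairs(allow) & pairs(block)


def uci_forwardings(rules=ALLOW):
    """One 'config forwarding' section per allowed pair for /etc/config/firewall.
    Each zone section is assumed to carry option forward 'REJECT'."""
    out = []
    for s, d in sorted(pairs(rules)):
        out += ["config forwarding", f"\toption src '{s}'", f"\toption dest '{d}'", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print("conflicts:", violations() or "none")
    print(uci_forwardings())
```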

Build environment

Set up build environment

I was able to build the images inside a toolbox container after installing a few things. This is for Fedora !

sudo dnf install --skip-broken bash-completion bzip2 gcc gcc-c++ git make ncurses-devel patch perl-Data-Dumper perl-Thread-Queue python2 python3 rsync tar unzip wget perl-base perl-File-Compare perl-File-Copy perl-FindBin diffutils which python flex git-core gettext openssl-devel subversion zlib-devel gawk python3-distutils-extra

There are a few important things to understand for building custom images of OpenWrt.

  1. If you use the latest version, you may not be able to download packages with opkg.
  2. Bundle all your needed applications inside the system image if you use a snapshot.
  3. Build all packages just in case and put them on a USB disk on the router.
    • Once your image builds and produces no error, uncomment CONFIG_ALL_KMODS=y
  4. Put all configuration files in folder ./files/ so they can be baked into the image.
  5. Build and upload your image to the device. Configure any last bit, export the configuration and update your files.
  6. Rebake a new image and test that all works well.
  7. Use an external USB drive if you want persistent data like logs.

Get source code

Get the code and all feeds (checkout has to happen inside the cloned tree)
git clone https://github.com/openwrt/openwrt.git
cd openwrt
git checkout v19.07.6
./scripts/feeds update -a
./scripts/feeds install -a

I did run a snapshot, but the router crashed once and would not route at all. Not the best if you want to use it as your main router. Just stick to a tested release.

Get .config
  1. You can get my own
  2. You can get hnyman’s config and patch
  3. You can make your own
  4. You can download the official openwrt version
curl -s https://downloads.openwrt.org/releases/19.07.6/targets/ar71xx/generic/config.buildinfo > .config

Using the .config file

cp .config.wndr3800 .config; make defconfig
make menuconfig

Fixing the damn thing :

Once you ran make defconfig, compilation may break at 2 things; here’s how I fixed it :

# comment out any still-uncommented .config line mentioning wolfssl or openvswitch
sed -i '/^[^#]/ s/\(^.*wolf.*$\)/#\ \1/' .config
sed -i '/^[^#]/ s/\(^.*openvswitch.*$\)/#\ \1/' .config

Put all your customization in files/

It’s important that you get things running right before attempting to do this, because if you press the reset button the device defaults to this configuration. Really useful !

1. Create folders

mkdir -p files/etc/config files/etc/cron.d files/etc/dropbear files/etc/opkg files/etc/uci-defaults files/usr/local/bin

2. Add your ssh key

tee -a files/etc/dropbear/authorized_keys < ~/.ssh/id_ed25519.pub

3. Your own repository with /etc/opkg/distfeeds.conf

I plug a USB key in the modem that will have 2 partitions:
sda1 8 GB for the overlay, to install additional packages
sda2 ~56 GB for permanent storage, including my own package repository

src/gz local file:///mnt/sda2/openwrt

4. Specify special folders to keep between upgrades

Write them to /etc/sysupgrade.conf

5. Get things cleaned to change version

rm -rf tmp build_dir && make clean &&  ./scripts/feeds update -a -i && ./scripts/feeds install -a -f

It’s all about DNS

  1. DNS query to the internet must be secured with DNSSEC
  2. Requests must be cached
  3. Block any unwanted domains
  4. Custom blocking per device/group possible
  5. Serve name resolution for local devices

dnsmasq->adblock->unbound
->piholeVM->

Quick commands

# Create backup with installed package list
sysupgrade -k -b /tmp/backup-$(date +%Y-%m-%d_%H-%M-%S).tar.gz
# Restore backup
sysupgrade -r /tmp/backup-TIMESTAMP.tar.gz


Making a schema/diagram of network and wiring for home(lab)

I want to rewire my house and home lab. That requires some planning as it will be expanded a bit. Having looked around, I found a few solutions, but none that really satisfy me fully. I wanted something free & open source other than LibreOffice (by the way, there’s a set of network icons for it !). It has to be scriptable so I can update it automatically. Other applications include MS Visio and Dia.

First, let’s look at the diagrams online.

(diagram) Brocade from routexp

(diagram) From Rate my network diagram (site down ?)

drawthe.net : Online drawing, quick, uses Cisco icons. Based on or similar to graphviz ? A bit limited; there’s a docker image on github.

tikz : Was inspired by graphviz, but greatly enhanced. Used with TeX to generate book/professional graphics. I would like to use it, but the learning curve is a bit harder and I don’t have the time for it now. The good thing is that it can import graphviz files and add custom procedures afterwards. Definitely the best control/look !

Graphviz : The original graph visualization tool. My current pick. There’s a Python engine, but I just use the dot files for now. The drawback is that you don’t have fine control over the rendering (or I’m not well experienced).

There’s also netgraph, but I wanted to stick to the original graphviz.

Getting started with Graphviz

I only found one online example. Thanks to this example, I got to try graphviz !

That’s why I wanted to document this and share it back with the community, especially /r/homelab.

My first try didn’t go really well. I used nodes for the ports on my switch. I restarted using HTML tables: it’s quick and you don’t get node (port) misplacement. Also, changing the drawing orientation from top-bottom to left-right doesn’t screw up the graphic !

topo2.dot
Using nodes for ports, look at the space between ports 1-2

topo4.dot
Using html tables

topo4.dot
Left-right orientation (rankdir=LR)

I am also working on my network. I have the unfinished current state and what I ultimately want it to look like.

computer.dot
Work in progress

computer.idea.svg
Additions I want to add

Coding the dot file

There are a few must-have open tabs to get started ! First is the GraphViz reference page and second is Google, as you can find quite a few questions on Stack Overflow and elsewhere ! See references at bottom. Awesome-graphviz is also a great resource !

The dot language

It’s quite simple and is not a scripting language, just a descriptive language. For a diagram, we use the digraph declaration and a few nodes. Also, check this online quick visualizer ! Let’s start with its example :

digraph G {
"Welcome" -> "To"
"To" -> "Web"
"To" -> "GraphViz!"
}

Simple right ?

digraph G {

First
Second
Third
Fourth

First->Second
Second->Third
Third->Fourth
}

This is what you would expect

digraph G {

First
Second
Third
Fourth

First->Second
Second->Third
Third->Fourth
Third->Back->To->First
}

Oh no, this is not what I expected !

To fix it, use rank=same or prevent arrows from affecting the rank.

digraph G {

First
Second
Third
Fourth

First->Second
Second->Third
Third->Fourth
Third->Back->To->First
{rank=same Third Back}
{rank=same Second To}
}

This is what I expected

digraph G {

First
Second
Third
Fourth

First->Second
Second->Third
Third->Fourth
Third->Back->To->First [constraint=false]
}

Might work with "constraint=false", but the ordering is not quite as good as the rank=same example

That’s the basics of it. I won’t go into an in-depth tutorial as I am not that proficient with it (been playing with it a few hours at best). Let’s go to HTML code and work on my wiring.

Simple wall plate for Ethernet cabling

(photo) Wall plate with 6 connectors

There are many ways to translate this into the dot language. The first would be creating a cluster of six nodes as :

digraph P {
rankdir=LR;
subgraph cluster_0 {
label="Living room plate";

c_lr_r1 [label="iptv"];
c_lr_r2 [label="xbox"];
c_lr_r3 [label="wifi"];
c_lr_r4 [label="2e"];
c_lr_r5 [label="spare1"];
c_lr_r6 [label="spare2"];

c_lr_r1->c_lr_r2[style=invis];
c_lr_r3->c_lr_r4[style=invis];
c_lr_r5->c_lr_r6[style=invis];

}
}

This is what you would expect

But now refer to the previous image. That’s not the way I chose to do it. Let’s get to HTML tables :

wallplate_office [
shape=plaintext
color=blue
fontsize="10"
label=<
<table border="1" cellborder="1" cellspacing="0" align="center" cellpadding="0">
<!-- Fix the width with this row and name the plate -->
<tr>
<td colspan="2" border="1" align="center" valign="middle" height="20" width="100" fixedsize="true"><font point-size="12"><b>Office</b></font></td>
</tr>
<tr>
<td border="2" port="port1"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port2"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
</tr>
<tr>
<td border="2" port="port3"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port4"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
</tr>
<tr>
<td border="2" port="port5"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port6"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
</tr>
</table>
>];

Images must be in the same folder for it to work. I also found that it’s best to resize them to the desired size first and not try to get graphviz to work it out.

Great, let’s make a switch :

switch_aruba_a[
shape=plaintext
color=blue
fontsize="10"
label=<
<table border="1" cellborder="1" cellspacing="0" align="center" cellpadding="0">
<!-- Fix the width with this row and name the switch -->
<tr>
<td colspan="28" border="1" align="center" valign="middle" height="20" width="100" fixedsize="true"><font point-size="12"><b>Switch Aruba</b></font></td>
</tr>
<tr>
<td border="2" port="port1"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port2"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port3"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port4"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port5"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port6"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port7"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port8"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port9"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port10"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port11"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port12"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port13"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port14"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port15"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port16"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port17"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port18"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port19"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port20"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port21"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port22"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port23"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port24"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" colspan="4"></td>
</tr>
<tr>
<td border="2" port="port25"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port26"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port27"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port28"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port29"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port30"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port31"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port32"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port33"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port34"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port35"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port36"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port37"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port38"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port39"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port40"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port41"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port42"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port43"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port44"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port45"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port46"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port47"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port48"><img src="clipart-rj-45-female-ed05.png" scale="true" /></td>
<td border="2" port="port_sfp1"><img src="sfp128.png" scale="true" /></td>
<td border="2" port="port_sfp2"><img src="sfp128.png" scale="true" /></td>
<td border="2" port="port_sfp3"><img src="sfp128.png" scale="true" /></td>
<td border="2" port="port_sfp4"><img src="sfp128.png" scale="true" /></td>
</tr>
</table>
>];

Now we can link a port on the wall plate to the panel and add some extra information:

wallplate_office:port1->switch_aruba_a:port1:n [constraint=false, penwidth=5, color=gray, headlabel="", taillabel="", label=<<font size="18"><b> 30ft</b></font>>, labeldistance=5, fontsize=18];

You can address a port with :portX when it was declared in the td cell, and add a compass direction for where the arrow should come from or go to: :n for north, :s for south.

That should get you working
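
The page wants the drawing to be scriptable, so as an added example (mine, not the page's dot files) here is a Python generator for the two HTML-table nodes and the port-to-port edge above; the node names, image file names and port naming follow the page, while the function names and the row/column layout parameters are my assumptions.

```python
RJ45_IMG = "clipart-rj-45-female-ed05.png"  # port image used on the page
SFP_IMG = "sfp128.png"                      # SFP cage image used on the page

HEADER = ('<table border="1" cellborder="1" cellspacing="0" '
          'align="center" cellpadding="0">')


def port_cell(port, img):
    """One <td> with a named port, addressable later as node:port."""
    return f'<td border="2" port="{port}"><img src="{img}" scale="true" /></td>'


def table_node(name, title, rows, cols):
    """Emit a plaintext node whose label is an HTML table: a title row
    spanning `cols` columns, then one <tr> per row of (port, image) pairs.
    Short rows get one empty cell so every row spans `cols` columns."""
    out = [f"{name} [", "shape=plaintext", "color=blue", 'fontsize="10"',
           "label=<", HEADER, "<tr>",
           f'<td colspan="{cols}" border="1" align="center" valign="middle" '
           f'height="20" width="100" fixedsize="true">'
           f'<font point-size="12"><b>{title}</b></font></td>',
           "</tr>"]
    for row in rows:
        out.append("<tr>")
        out.extend(port_cell(p, img) for p, img in row)
        if len(row) < cols:
            out.append(f'<td border="2" colspan="{cols - len(row)}"></td>')
        out.append("</tr>")
    out += ["</table>", ">];"]
    return "\n".join(out)


def wallplate_node(name, title, ports=6, per_row=2):
    """Wall plate: `ports` RJ45 jacks, `per_row` per table row."""
    cells = [(f"port{i}", RJ45_IMG) for i in range(1, ports + 1)]
    rows = [cells[i:i + per_row] for i in range(0, ports, per_row)]
    return table_node(name, title, rows, per_row)


def switch_node(name, title, copper=48, sfp=4, per_row=24):
    """Switch: copper ports in rows of `per_row`, SFP cages appended to
    the last row, title spanning per_row + sfp columns (as on the page)."""
    cells = [(f"port{i}", RJ45_IMG) for i in range(1, copper + 1)]
    rows = [cells[i:i + per_row] for i in range(0, copper, per_row)]
    rows[-1] = rows[-1] + [(f"port_sfp{i}", SFP_IMG) for i in range(1, sfp + 1)]
    return table_node(name, title, rows, per_row + sfp)


def cable(src, src_port, dst, dst_port, length_ft, compass="n"):
    """Edge from one table port to another; constraint=false keeps the
    cable from influencing the layout rank, as in the page's edge."""
    return (f"{src}:{src_port}->{dst}:{dst_port}:{compass} "
            f"[constraint=false, penwidth=5, color=gray, "
            f'label=<<font size="18"><b> {length_ft}ft</b></font>>, '
            "labeldistance=5, fontsize=18];")


def wiring_diagram():
    """Office plate port 1 patched to Aruba port 1 with a 30 ft run."""
    return "\n".join([
        "digraph wiring {", "rankdir=LR;",
        wallplate_node("wallplate_office", "Office"),
        switch_node("switch_aruba_a", "Switch Aruba"),
        cable("wallplate_office", "port1", "switch_aruba_a", "port1", 30),
        "}"])


if __name__ == "__main__":
    print(wiring_diagram())  # pipe into: dot -Tsvg -o wiring.svg
```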

Adding computers

There are also multiple ways to add computers. You can do simple nodes, HTML tables or just a record.

digraph structs {
node [shape=record, border=0];
rankdir=LR

struct6 [width="5",label="<name>TOP6 |{ {<icon> SERVER ICO} | {<eth0>eth0:|<eth1>eth1:|<eth2>eth2:} |{<ip1>192.168.2.1|<ip2>192.172.0.1|<ip3>10.0.0.1}}| CFG | {Location:|<location>RK} "];
struct1 [label=”<f0> top|<f1> middle|<f2> right”];

struct6->struct1[style=invis];
struct1:f1 -> struct6:eth0;
struct1:f2 -> struct6:ip2;
struct1:f0 -> struct6:name:n;
}

But I went for HTML tags again :)

Todo :

  • Make it more pretty : add gradient box around clusters.

References :

Net:

Stackoverflow:

Fedora-fu time to upgrade (again)

I decided that the next upgrade will be a complete reinstall. My main 1TB NVMe is 95% full, so I think it’s time to optimize how I configure my storage.

Fedora 33 :

Root   450Mb
/home  248Gb ->
    5.2G    godot
    5.7G    LinuxVR
    14G     VirtualBox VMs
    22G     Music
    26G     github
    29G     Videos
    106G    Downloads
/var   239Gb -> mostly libvirt
/steam 321Gb

1TB for rootfs and home

rootfs "/" : I will go with btrfs, as snapshots can help identify changes to /etc
/home will also be btrfs, but on its own subvolume
It’s best to keep them on the same media and encrypted.
Leave lots of space, because if you use containers like podman/toolbox it will fill up !

/boot       ext4 2Gb
/           btrfs @ 200Gb
/home       btrfs @home 800Gb

Additional storage

/steam will be xfs for storing large game data on a separate storage 1-2TB

Customising the shell experience

My current prompt is :

(screenshot of the prompt)

And I wish to work on it.

Time:
Date & time : always useful.

System :
CPU : ok
Jobs : Not really used, having a screen count would be better.
Net : Open connections from /proc/net/tcp
Users : from who

Filesystem :
Root used/Root total : keep track of free space !

Local folder : information that is not so needed. Will add it to a ls alias instead…

Return value : Add the return value of the last run cmd.
Time : time all cmds for real/sys time

PIA with port forwarding and auto firewall rules

This is a work in progress – opnsense doesn’t provide CLI access, or I haven’t found the way to do it. Perhaps calling those PHP files from bash and passing args to them ??

Original pfSense script.
Help to configure openvpn on pfSense, for reference.

This is my work log for configuring Opnsense with PIA and enabling port forwarding.

Necessity :
ssh access to opnsense

Install packages :

pkg install xmlstarlet bash curl

“There is one other requirement, which is that you must have already configured a port forward that points at your internal target system. You do this under Firewall -> NAT -> Port forward.” From Bagpuss

Current script :

#!/usr/local/bin/bash
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin"

# OpenVPN passes the tunnel device name as the first argument (ovpnc1, ovpnc2...)
VPN_IF="$1"
PIA_API="209.222.18.222"

if [ -z "$VPN_IF" ]; then
    logger -i -t openvpn "PIA : No interface specified, aborting."
    exit 0
else
    logger -i -t openvpn "PIA : Interface UP for openvpn device $VPN_IF"
fi

###############################################################################
# Get port forwarding from PIA
###############################################################################
# Tunnel peer address: "inet <local> --> <peer> netmask ..." on FreeBSD
PIA_GW=$(ifconfig "$VPN_IF" | grep "inet " | awk '{print $4}')

route add -host $PIA_API "$PIA_GW"
logger -i -t openvpn "PIA : Route to $PIA_API set to $PIA_GW"

client_id=$(head -n 100 /dev/urandom | sha256 | tr -d " -")
json=$(curl "http://$PIA_API:2000/?client_id=$client_id" 2>/dev/null)

# The host route is only needed for that one request
logger -i -t openvpn "PIA : Route to $PIA_API will be removed."
route del -host $PIA_API "$PIA_GW"
logger -i -t openvpn "PIA : Route to $PIA_API removed."

if [ -z "$json" ]; then
    logger -i -t openvpn "PIA : Port forwarding couldn't be initialised."
    exit 0
fi

# First run of digits in the reply; a valid port is 1-65535, anything else
# means PIA answered with an error object
PORTNUM=$(echo "$json" | grep -o '[0-9]\+' | head -n 1)
if [ -z "$PORTNUM" ] || [ "$PORTNUM" -lt 1 ] || [ "$PORTNUM" -gt 65535 ]; then
    logger -i -t openvpn "PIA : Got invalid port from PIA $PORTNUM"
    exit 0
fi
logger -i -t openvpn "PIA : Port forwarding is set to $PORTNUM"

# Put this on a webpage to update destination host if needed.
echo "$PORTNUM" > /usr/local/www/pia_${VPN_IF}_forward.txt

###############################################################################
# Configuring the firewall
###############################################################################
# Must have a NAT rule created before ! Go Firewall->NAT->Port Forward
# Description must be "ovpnc1 port forward rule"
# Create a rule for every openvpn client (ovpnc2...)

# Get current local forwarded port from the saved config
CUR_PORTNUM=$(xml sel -t -v '//rule[descr="'"$VPN_IF"' port forward rule"]/destination/port' /conf/config.xml)

# Check if firewall rule was created
if [ -z "$CUR_PORTNUM" ]; then
    logger -i -t openvpn "PIA : Firewall rule doesn't exist, aborting."
    exit 0
fi

if [ "$CUR_PORTNUM" != "$PORTNUM" ]; then
    # Update
    # TODO - FIXME !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    # Run ssh cmd ?
    logger -i -t openvpn "PIA : Firewall rule must be updated to new port $PORTNUM (not done yet)"
else
    logger -i -t openvpn "PIA : Firewall rule was already in place."
fi

logger -i -t openvpn "PIA : Finished configuration"
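
The script takes a port from an API reply and compares it with a rule in config.xml, so the two checks deserve to be strict. As an added example (mine, not the script above), the same steps in Python: parse the reply as JSON instead of grepping digits, enforce the 1-65535 range, and read the current port the way the xmlstarlet query does. The `{"port": N}` reply shape and the config.xml snippet are assumptions; the rule description and the XPath follow the page.

```python
import json
import secrets
import xml.etree.ElementTree as ET


def new_client_id():
    """64 hex chars, like `head /dev/urandom | sha256` in the script."""
    return secrets.token_hex(32)


def parse_pia_port(body):
    """Return the forwarded port, or None if the reply is missing, malformed,
    an error object, or outside 1-65535.  A five-digit length check
    (the script's `len -gt 5`) would accept 70000; this does not.
    Assumes the legacy PIA API reply shape {"port": N}."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    port = data.get("port") if isinstance(data, dict) else None
    if isinstance(port, bool) or not isinstance(port, int):
        return None
    return port if 1 <= port <= 65535 else None


def current_forward_port(config_xml, vpn_if):
    """Equivalent of the xmlstarlet query in the script:
    //rule[descr="<if> port forward rule"]/destination/port"""
    root = ET.fromstring(config_xml)
    for rule in root.iter("rule"):
        if rule.findtext("descr") == f"{vpn_if} port forward rule":
            port = rule.findtext("destination/port")
            return int(port) if port and port.isdigit() else None
    return None


def decide(body, config_xml, vpn_if):
    """What the up-script should do: ('invalid' | 'missing-rule' |
    'update' | 'unchanged', port)."""
    port = parse_pia_port(body)
    if port is None:
        return "invalid", None
    cur = current_forward_port(config_xml, vpn_if)
    if cur is None:
        return "missing-rule", port
    return ("unchanged" if cur == port else "update"), port


# Constructed sample data: neither a real PIA reply nor a real config.xml.
SAMPLE_REPLY = '{"port": 48211}'
SAMPLE_CONFIG = """<opnsense><nat>
  <rule><descr>ovpnc1 port forward rule</descr>
    <destination><port>31337</port></destination></rule>
</nat></opnsense>"""

if __name__ == "__main__":
    print(new_client_id())
    print(decide(SAMPLE_REPLY, SAMPLE_CONFIG, "ovpnc1"))
```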

 

Syslog for multi-hosts

Monitoring logs and security

Configuring a Debian container to act as a logging server to centralize all logging. It will only run this, in the hope of minimizing the attack surface. It will be in a container so it can be moved easily to other machines if needed. Following this guide. After that will come a log analyser and an email setup for emergencies.

Security

apt update
apt dist-upgrade -y
apt install ufw vim

#Firewall
#systemctl enable ufw
ufw allow 514/udp
ufw allow 514/tcp
ufw allow 22/tcp
ufw enable
ufw reload

Disable password login for ssh

/etc/rsyslog.conf for receiver system

$ModLoad imuxsock
$ModLoad imklog

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#$AllowedSender TCP, 127.0.0.1, 10.110.50.0/24, *.yourdomain.com

#Rules for processing logs
template(name="FileFormat" type="list") {
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on" )
    property(name="msg" droplastlf="on" )
    constant(value="\n")
    }

#template (name="DynFile" type="string" string="/var/log/system-%HOSTNAME%.log")
$template Messages,"/var/log/clients/%fromhost%/%programname%.log"
*.* ?Messages

# Another way to do it
# Log each remote host into its own directory and then discard remote server logs.
# The if/discard lines belong to this alternative: enable all three together,
# otherwise ?RemoteHost refers to a template that does not exist.
#$template RemoteHost,"/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log"

#Discard remote server logs
#if ($hostname != '<ServerName>') then ?RemoteHost
#& ~

###########################
#### GLOBAL DIRECTIVES ####
###########################
#

# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022


#
# Where to place spool and state files
# I think this is only for local logs, as remote logs were flushed

$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#

$IncludeConfig /etc/rsyslog.d/*.conf

#
# First some standard log files.  Log by facility.
#

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
cron.*                          /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err


# Some "catch-all" log files.
#
#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

#Special catchall
*.emerg         /var/log/emerg.log
*.alert         /var/log/alert.log
*.crit          /var/log/crit.log


#IPTABLES logging of --log-level 7
*.*;auth,authpriv,kern.none   /var/log/syslog
kern.*                        /var/log/kern.log
kern.debug                    stop
*.=debug;\
  auth,authpriv.none;\
  news.none;mail.none         /var/log/debug
#
# Emergencies are sent to everybody logged in.
#
#*.emerg                                :omusrmsg:*
#
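
As an added example (mine, not part of the config above), a small Python model of where the receiver puts an incoming line: the `Messages` template's per-client file (`%fromhost%` is the sending peer, `%programname%` the tag without PID), and the "log by facility" lines. The sample lines are constructed RFC 3164 messages; the facility and severity numbering is the standard syslog one.

```python
import re

# Facility/severity names as rsyslog uses them (syslog.h numbering).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 line as the receiver sees it: <PRI>TIMESTAMP HOST TAG[PID]: MSG
LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                  r"(?P<host>\S+) (?P<tag>[^ :\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$")


def parse(line):
    """Split a line into the properties the templates use, or None."""
    m = LINE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": FACILITIES.get(pri >> 3, f"facility{pri >> 3}"),
            "severity": SEVERITIES[pri & 7], "hostname": m["host"],
            "programname": m["tag"], "msg": m["msg"]}


def client_file(rec, fromhost):
    """Path from '$template Messages,"/var/log/clients/%fromhost%/%programname%.log"'.
    %fromhost% is the peer the message arrived from, not the HOSTNAME field,
    so a client cannot steer its lines into another host's directory by
    lying in the message body.  programname is still chosen by the client,
    so '/' is replaced the way rsyslog's secpath-replace option does it."""
    prog = rec["programname"].replace("/", "_")
    return f"/var/log/clients/{fromhost}/{prog}.log"


PER_FACILITY = {"cron", "daemon", "kern", "lpr", "mail", "user"}


def facility_files(rec):
    """Files the 'log by facility' block of the receiver config writes to."""
    fac, sev = rec["facility"], rec["severity"]
    files = []
    if fac in ("auth", "authpriv"):
        files.append("/var/log/auth.log")       # auth,authpriv.*
    else:
        files.append("/var/log/syslog")         # *.*;auth,authpriv.none
    if fac in PER_FACILITY:
        files.append(f"/var/log/{fac}.log")     # cron.* daemon.* kern.* ...
    if sev in ("emerg", "alert", "crit"):
        files.append(f"/var/log/{sev}.log")     # the "special catchall" lines
    return files


# Constructed sample lines (not real logs): (peer address, raw line).
SAMPLES = [
    ("10.0.0.5", "<86>Jan 12 10:01:02 web1 sshd[1234]: Accepted publickey for ops from 10.0.0.9"),
    ("10.0.0.7", "<6>Jan 12 10:01:03 gw kernel: [UFW BLOCK] IN=eth0 SRC=203.0.113.4"),
    ("10.0.0.7", "<10>Jan 12 10:01:04 gw smartd[77]: Device: /dev/ada0, FAILED SMART self-check"),
]


def route_all(samples=SAMPLES):
    """(fromhost, per-client file, facility files) for every parsable sample."""
    out = []
    for fromhost, line in samples:
        rec = parse(line)
        if rec:
            out.append((fromhost, client_file(rec, fromhost), facility_files(rec)))
    return out


if __name__ == "__main__":
    for entry in route_all():
        print(entry)
```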