Items filtered by date: December 2015

The only difference to default is that I have restricted cpanel web services and webdisk by disabling TLSv1_1 (as pere zeros and one)

Default Ciphers for cPanel 82.0.9

• I have used my fresh server install for this.
• There might be slight differences becasue my server company might of used an old cPanel image.
• This is a references list so if things stop working I can quickly revert back to defaults
• These settings as they are score an A on SSL labs

Apache

• Home »Service Configuration »Apache Configuration »Global Configuration » SSL Cipher Suite
  • Default: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  • Custom: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  • Default and custom are the same
• Home »Service Configuration »Apache Configuration »Global Configuration » SSL/TLS Protocols
  • Default: TLSv1.2
  • Default: TLSv1.2
  • Default and custom are the same

cPanel Web Disk

• Home »Service Configuration »cPanel Web Disk Configuration»TLS/SSL Cipher Suite
  • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
• Home »Service Configuration »cPanel Web Disk Configuration»TLS/SSL Protocols
  • cPanel pre-installed: !SSLv23:!SSLv2:!SSLv3:!TLSv1

cPanel Web Services (cpanel/whm sub-domains etc..)

• Home »Service Configuration »cPanel Web Services Configuration»TLS/SSL Cipher List
  • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
• Home »Service Configuration »cPanel Web Services Configuration»TLS/SSL Protocols
  • cPanel pre-installed: SSLv23:!SSLv2:!SSLv3

Exim/Email

• Home »Service Configuration »Exim Configuration Manager »Options for OpenSSL
  • Default: +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
  • if the custom is the same as the default then the server selects default
• Home »Service Configuration »Exim Configuration Manager »SSL/TLS Cipher Suite List
  • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

FTP

• Home »Service Configuration »FTP Server Configuration »TLS Encryption Support
  • Default: Optional
  • Custom: Required (Command/Data)
• Home »Service Configuration »FTP Server Configuration »TLS Cipher Suite
  • Default: HIGH
• Home »Service Configuration »FTP Server Selection
  • Default: Pure-FTPD

Mailserver (Dovecot?)

• Home »Service Configuration »Mailserver Configuration »Allow Plaintext Authentication (from remote clients)
  • Default: Yes
• Home »Service Configuration »Mailserver Configuration »SSL Cipher List
  • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
• Home »Service Configuration »Mailserver Configuration »SSL Minimum Protocol
  • cPanel pre-installed: TLSv1.2

My Changes for a more secure server

These are the current changes I have made. The rest of the relevant cipher settings are left as default

cPanel Web Disk

• Home »Service Configuration »cPanel Web Disk Configuration»TLS/SSL Protocols
  • zerosandones.co.uk: !SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv11

cPanel Web Services (cpanel/whm sub-domains etc..)

• Home »Service Configuration »cPanel Web Services Configuration»TLS/SSL Protocols
  • Zerosandones.co.uk: SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv11

Mailserver (Dovecot?)

• Home »Service Configuration »Mailserver Configuration »Allow Plaintext Authentication (from remote clients)
  • Default: No

Notes

• cipher suites and settings are not moved when you do a cPanel server to server account transfer
• cPanel 82.0.9 only supports TLS1.2 for SSL.
• cPanel TLS1.3 support has not been added yet.
• General cipher information
  • Ciphers | OPENSSL.org
  • How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation
  • Introducing Zero Round Trip Time Resumption (0-RTT) - A new feature of TLS1.3
  • TLS Cipher String · OWASP Cheat Sheet Series
  • GitHub - OWASP/CheatSheetSeries: The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
  • TLSProtocol - ProFTPD
• 3rd party Cpanel Ciphers articles
  • SSL Labs A+ Rating - Ideal settings | cPanel Forums - some good links
  • Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd - Really strong cipher lists for the various cPanel technologies along with some good explanations.
  • Fixing Ciphers on cPanel Servers | GeekGhost Web Hosting and Domains - old
  • Getting an A+ rating on the Qualys SSL Test on all cPanel Domains - old because still has tls1.0 and tls1.1, does mention about configureing other cipher related settings on cPanel.
  • cPanel PCI Compliance - Zeros & Ones - covers all cipher areas and TLS/SSL but is out of date. I did takes some of the configurations but ignored the cipher suites. This setup is not that out of date but does need a refresh.
  • Getting an A+ rating on the Qualys SSL Test on all cPanel Domains - WebDesires - SSLLABS says there are issues with this but does give A+ for some reason, i.e. still has tls1.0 and tls1.1
• Cipher Tests
  • SSL Server Test (Powered by Qualys SSL Labs)
  • SSL Security Test | Scan Web and Email Server SSL TLS STARTTLS Encryption (ImmuniWeb)

This is a collection of resources and software I have come across to help me reset Windows 10 profile passwords. These techniques will also work on other versions of Windows but I am aiming and Windows 10 with my examples.

Software

• Lazesoft Recover My Password Home Edition
  • This by default loads the password resetter, but other than that i think it is the free Lazesoft Recovery Suite - Home Edition
  • Free to use for Non-Commercial
  • Can create a CD or USB boot media
  • Can specify what WinPE version you want. I think this is for compatability of running software within the WinPE that the user needs to run which they supply.
  • Can add WinPE Drivers
  • Can set the USB Boot disk to be either FAT32 or NTFS
  • Easy interface to use.
  • You should select Win10 x64 for the PE version. I think this effect what software you can run in the enviroment. Win8.1 64 bit PE is the default
  • This will also recover the Windows License Key, both from the Windows registry and the BIOS.
  • You can also reset Microsoft accounts. (not on free version)
  • This disk (Lazesoft PE Desktop) also has loads of other utilities on it:
    • Microsoft Tools: Command Prompt, Microsoft Restore Point, Microsoft System Image Recovery, Microsoft Recovery Enviroment
    • Map Network Drive
    • Network Configurator
    • Registry Editor
    • Load RAID/Disk Drivers
    • Lazesoft File Manager
    • Lazesoft Recover My Password
    • Lazesoft Windows Recovery - I think this is a Boot, Registry and File system repair
    • Lazesoft Disk Image Clone
    • Lazesoft Data Recovery
    • Lazesoft Recovery Suite
    • Notepad
  • This Boot DVD seems exactly the same disk as Lazesoft Recovery Suite except the password recovery utility is loaded on startup rather than the recovery suite.
  • CON:
    • You have to select the Windows version of the target PC. This might mean you are limited to only resetting the version of Windows you create the disk for. Limitation of Home version?
• PCUnlocker
  • This seems to be the preferred commercial application people use.
  • Can create a CD or USB boot media
  • This software unlockers Windows passwords of all types, local and Microsoft accounts (by converting it to a local account first)
  • Reset administrator password of virtual machine runs in VMware, Parallels, VirtualBox, Microsoft Virtual PC, Hyper-V (Gen2 & Gen1 VM).
  • CON:
    • not free
• chntpw
  • This is a linux command line utility for resetting Windows passwords directly in the hive. This allows you to reset passwords in an offline Windows installation.
  • This can be used to reset Windows 10 passwords
  • This utility is used by many live linux installations.
  • Comes pre-installed with Partition Magic and althought not free, it is very cheap and I think it is a good way of keeping the project alive.
  • CON:
    • The command line can be tricky, but there are some good tutorials (see below).
• Ophcrac
  
  • This is a password cracker to recover the used password.
  • It is available as a standalone package for many platforms or via ti's own LiveCD
  • I am sure it is pre-installed in many Linux installations.
  • CON:
    • Ophcrack can only recover passwords less than 8 characters. (Have not verified this)
    • Outdated software and doesn’t work with 64-Bit computers. (Have not verified this)
• Spotmau PowerSuite
  • This is getting dated and will not run on some modern PCs, the graphics gets corrupt and lockups can occur. This software was not specifically written for Windows 10 and does not support UEFI. I have included it for reference only.
  • Can create a CD or USB boot media

Tutorials

• How to Reset Windows Local Password with Parted Magic | chntpw - By using Parted Magic and chntpw (which is pre-installed) you can follow these easy instructions.
• How to reset a Windows password with Linux | Opensource.com - By using Fedora and chntpw. These instructions seem a little complicated and certainly indepth.
• Reset Forgotten Microsoft Account Password for Windows 10 / 8 - This tutorial shows you how to use PCUnlocker to convert your Microsoft account to a local account and remove the existing password. 
• Reset a Windows 10 password – 4sysops - This method is a Windows hack that involves swapping utilman.exe with cmd.exe, still is useful and I have done this in the past so I know it works.

Resources

• chntpw | Remove, bypass, unlock and reset forgotten Windows password - This site is the home of chntpw but it also has many tutotirals on how to use it's software and many other tutorials on different methods of resetting Windows passwords with different software and other related things.
• 7 Free Windows Password Recovery Tools (March 2019) - Windows password recovery tools are used to recover Windows log on passwords. Here are the 7 best free Windows password recovery and cracking tools.

• Updated to [OpenWrt Wiki] OpenWrt 21.02.1 - Service Release - 25 October 2021
• This is currently on for pre-DSA firmwares, but I am sure it can be adapted
• The BT Home Hub 5A WiFi driver is not capable of bridge mode so we use Client mode and this is why we have to use RelayD to perform a type of masquerading on the WiFi client IP.
• I do not know if the new DSA firmwares will allow proper bridging without RelayD

 

Disclaimer: This setup has not been tested with IPv6 or extensively tested in the wild apart from my setup here, so if you are relying on this being secure you need to test it yourself before putting it into service

The following instructions will turn your BT Home Hub 5A/Plusnet One OpenWRT router into a WIFI client which has the following features:

• NAT’d network on the Yellow LAN sockets (isolated)
• Bridged network on the Red LAN socket
• Guest network called ‘Clients’ on the 2.4GHz WIFI (isolated)
• Connect to your parent router via the 5GHz WIFI
• The NAT network is secured/isolated and cannot access you primary network, however it can access the internet.
• The Bridge network is isolated from the NAT network but can see all of your parent network and of course the internet.
• You can change the network that each Ethernet sockets belongs to by changing just the VLAN tag under the switch menu.
• The router will have 2 IP addresses
  • 192.168.0.1 - Local IP address, DHCP range 192.168.0.x, this is the NAT'd network
  • 192.168.1.2 - NAT Network IP
  • 192.168.1.3 - Bridge Network IP
• The NAT network has all traffic to private IP addresses blocked (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) No other traffic is blocked i.e. internet

Why?

On my test bench where I work with client laptops and PCs i need a secure network so infected computers do not attack my computers with virus, but I also have a netowrk laser printer that is not wifi capable. So i connect my printer to the red socket on my primary network allowing me to print whilst i can use the yellow ethernet sockets for an isolated network for working on client machines.

This configuration can be adapted for your needs, some people might only want 'Bridge Mode' and by following my instructions you can have that. I quite like the fact you can change the setup of the networks by jsut changing the VLAN tags (except for the AP, i need to check this)

Requirements

• BT Home Hub 5A / Plusnet One
  
  • Flashed with the latest version of OpenWRT (v18.06.2)
  • Reset to defaults.
  • I will refer to this as the OpenWRT router.
• Another router (OpenWRT or 3^rd party)
  • Must be connected to the internet.
  • You can use another OpenWRT router like I have, but it is not required.
  • I will refer to this as the Parent router.
• Ethernet cables
• PC with an Ethernet connection
  

PART 1 - Preparing the Routers

Here we are going to set the groundwork for this project.

Parent Router Configuration

• Getting Started
  • Make sure your PC is not connected to the internet (i.e. disable the wireless) and then connect it to one of the OpenWRT router’s yellow Ethernet sockets by the Ethernet cable. The PC's network card should be set to DHCP.
  • Power the router on.
  • Login to the OpenWRT router (192.168.1.1). Do not set a password yet, you will thank me for this later.
• Set the admin IP and DHCP range of the parent router
  1. If your parent router IP is not 192.168.1.1 then change it's IP to 192.168.1.1 (for the purposes of making this tutorial easier)
  2. You might not need to do this depending on your parent router.
  3. Other IP addresses and IPs will work but are outside the scope of this tutorial and must not be the same IP or range range of the parent router.
• You need 2 static IPs, and for this tutorial we will use
  • 192.168.1.2
  • 192.168.1.3

OpenWRT Router Configuration

• Change the Admin IP of the OpenWRT router before we can begin. I will be using 192.168.2.1 for reasons that will become clear later (but you could use almost any IP/Range you wanted).
  • Set (Network --> Interfaces --> LAN --> Edit --> General Settings --> IPv4 address) = 192.168.2.1
  • Click ‘Save'
  • Change the 'Save & Apply' button to 'Apply unchecked' and then click
    If you get stuck see [OpenWrt Wiki] Change LAN IP in LuCI (to an IP on a different subnet)
    
  • If you just click 'Save & Apply' wait until the error message appears and click 'Apply unchecked'
  • Wait the 90 seconds and then when a message comes up saying ‘Device unreachable!’, power cycle the OpenWRT router (turn it off, wait 10 seconds and then turn it back on again)
    
  • You might need to disable/enable your ethernet connection.
  • The OpenWRT router will now load up on the new IP range/subnet and the IP on your network card will have changed to match the new network range/subnet.
• Login to the router on the new IP (192.168.2.1)
• Change hostname and local time
  
  • Goto (System --> System --> General Settings)
    •  Hostname: officerouter
      • You can pick a name of your choosing but it is easier to keep it like this for now while doing the tutorial.
      • This prevents confusion if using other OpenWRT routers
    • Timezone: Europe/London (this is correct for me)
  • Click 'Save & Apply'
• Delete the following interfaces (Network --> Interfaces)
  
  • WAN
  • WAN6
• Delete the ATM Bridges (Network --> Interfaces --> ATM Bridges)
  
  • There should only be one
• Delete all Wireless Configurations (Network --> Wireless)
  
  • There are only 2 and are labelled as disabled
  • Click 'Remove' for each wireless configuration
• Click 'Save & Apply'
• DSL Reboot Bug (BT Home Hub 5A / Plusnet One only)
  
  • A watchdog bug was discovered which causes the hub to reboot between 24-48 hours if the hub is not connected to an active xDSL line. From Ebilan Forum
  • To Fix: disable dsl_control service. If the DSL port is not going to be used, which it isnt with this configuration.
    
    • Goto (System --> Startup)
    • Find the line with dsl_control
    • Click the 'Enabled' button (this disabled the service from the startup configuration.
    • Click the 'Stop' button (this immediately stops the service.
  • You do not need to click 'Save & Apply' for these settings to take affect.

PART 2 - Make the OpenWRT router a client of your 'Parent Router'

I am going to use the 5GHz radio because my parent router is a 5GHz router and this will give much better connection speed than the 2.4GHz.

• (Network --> Wireless --> Qualcomm Atheros A9880 802.11nac --> Scan)  (radio0 / This is the 5G wireless card)
• Click on 'Join Network' next to your parent routers Wi-Fi network (for the purposes of this tutorial openwrt_5g)
• Fill in your connection details (NB: 'Replace wireless configuration' will wipe any configurations belonging to this radio so dont do it. You can see them on the ‘Wireless Overview’ page)
  
  
  • WPA passphrase: Your 'Parent Routers' WiFi password for openwrt_5g
  • Lock to BSSID
    • If you only have 1 parent router and are not moving this router about (i.e. roaming) then this might be useful and a little extra security, but no good if you are using this image for your mates router etc.. So leave it off unless you know why you need it on.
  • 'Create / Assign firewall-zone' = unspecified
    • we will alter the Firewall rules later
    • you might see wan: (empty) if you are editing the connection and not creating a new one
• Click 'Submit'
• You have now been sent to Wireless Network: Client “openwrt_5g” (radio0.network1)
  
  
• (Interface Configuration --> Wireless Security --> Encryption) = WPA2-PSK/WPA3-SAE Mixed Mode (strong security) (or the encryption of your choice)
• Click ‘Save’
• Click ‘Save and Apply’
• Test the routers connection to the internet because it should be working now. This also assumes your 'Parent router' is on the internet.
  • Goto (Network --> Diagnostics)
  • Run a 'IPv4 Ping' test

PART 3 - Reconfigure the NAT Network (for secure clients)

We now are going to configure the OpenWRT to have a secure NAT'ed network and this will run on the yellow yellow LAN sockets. Make sure you follow each section below in order.

My parent WiFi SSID is openwrt_5g

Reconfigure the LAN and WAN Zone Firewall Zones

These rules only need a few changes because they are already geared up for NAT and all of the preconfigured Firewall rules are applied to these zones so we should keep them for the NAT WIFI Client

We will be re-using the rules that are already present to preserve all of the preconfigured rules for extra security. They might not all be needed, however if you do not want any of them, then delete the rules and just add the new zones with the settings below.

• Goto (Network --> Firewall --> Zones)
  

Edit LAN Zone

• Edit lan zone with the following settings
  
  
  • (The settings below should be the same as the default rules (i.e. just changing the name))
  • Click 'Save'
  • Click 'Save & Apply'

Edit WAN Zone

• Edit wan zone with the following settings
  
  
  • Only the MSS clamping should be different from the default rules and the name. This is to do with packet length and DSL traffic
  • Click 'Save'
  • Click 'Save & Apply'

Create new LAN Interface for Client NAT

• Goto (Network --> Interfaces)
• 'Add a new interface' called nat_lan
  
  
• Click 'Create interface'
• Fill in the following for ‘Interfaces >> NAT_LAN’ page
  
  
  • Remember the 'Parent Router' is on the range 192.168.1.1
• On the Firewall tab ‘Create /Assign firewall-zone’ = nat_lan
  
  
• Leave everything else as it is on the ‘Interfaces >> NAT_LAN’ page
• Click 'Save'
• Edit to the interface NAT_LAN
  
• Enable the DHCP server by clicking on 'Setup DHCP Server'
• Click 'Save'
• Click 'Save & Apply'
• Edit the interface (Network --> Interface --> WWAN)
• Change the protocol to Static address
  
• Click 'Switch Protocol'
• After clicking 'Switch Protocol' the WWAN page will refresh and you should fill in the following information
  
  
  • Device = wlan0 (Wireless Network: Client “openwrt_5g”nat_wwan)
    
  • IPv4 address = 192.168.1.2 (remember my parent router is on the range 192.168.1.1)
• Goto the 'Advanced Settings' Tab
• Use custom DNS servers = 192.168.1.1
  
• Do not setup a DHCP server
• Goto the Firewall tab
• ‘Create /Assign firewall-zone’ = wan (should already be set as shown below)
  
  
• Leave everything else as it is
• Click Save
• Click 'Save & Apply'

Finalise Settings

• Now logon on to the router on 192.168.0.1 (you will have to set a manual IP in your network card)
• Check Connections via the following methods so we know we can access the OpenWRT router via 2 different methods. A second PC is useful here so you can test all connection methods without connecting and reconnecting your PC to multiple Ethernet ports with different IPs. If all has been setup correctly you should have access as shown below:
  
  • Access OpenWRT router (192.168.0.1) via the yellow sockets on the OpenWRT router
  • Access the internet via the yellow sockets on the OpenWRT router
  • The Red socket on the OpenWRT router will not work at this point
  • Access OpenWRT router (192.168.1.2) from the parent router network by either using the parent router Ethernet sockets of WiFi
  • NB: Sometimes the IP will not renew on your PC so stop and start your network card to fix this.
• Backup your settings before we do anything else as a precaution
  • Goto (System --> Backup / Flash Firmware)
• Delete the interface LAN
  • Because we used 192.168.2.1 range for the old LAN interface we can easily delete it now, and just use the 192.168.0.1 range without having to go around the houses to swap the IP ranges over. 
  • Goto (Network --> Interfaces)
  • Click 'Delete' and the LAN will be marked for deletion.
  • Change the 'Save & Apply' button to 'Apply unchecked' and then click it.
  • When a message comes up saying ‘Device unreachable!’, power cycle the router
  • You might need to disable/enable your ethernet connection.
• Backup your configuration again and put it somewhere safe
  • System --> ‘Backup / Flash Firmware

You have now configured your OpenWRT router to act as a WiFi client on your parent network via NAT on the yellow ethernet sockets with the interfaces and firewall rules are clearly labelled

PART 4 - Bridge WIFI Client (Wireless Ethernet Bridge)

This allows us to extend your parent network to your OpenWRT router. This will work alongside the NAT WiFi Client network we just configured or as a standalone by just using the red socket on a separate VLAN.

• relayd does not currently support IPv6
• relayd is NOT a true bridge
  • How the 'Relay Bridge' works
    • Masquerade = NAT.
    • Not all OpenWRT devices have bridge capable drivers.
    • The 'Relay Bridge' bridges 2 networks together because OpenWRT cannot do this natively.
    • The 'Relay Bridge' masquerades the Interface IP on the donour network (i.e. WWAN)  to be able to pass and route the traffic to the target network (i.e. BRIDGE_LAN).
    • The 'Relay Bridge' allows some broadcast traffic through the networks, but it is limited to DHCP (I think).
    • The local addresses on the BRIDGE_LAN even though they are on the same subnet as the WWAN, the traffic is always masqueraded through the WWAN IP.
  • This behaviour can cause issues with routing specific IPs with kit such as pfSense being given the WWAN Ip and not the Device IP.

Background

According to OpenWRT, the open source drivers of this router they use do not support native Client Bridge so you have to use a software workaround using relayd which required the following packages to be installed:

• luci-proto-relay
• relayd

A useful video to watch, the OpenWRT version is an old version but it should help with any issues, How to set up openwrt to be a wireless receiver [Bridge] with Relayd - YouTube

Install Packages

Extra software/packages are required to bridge the networks. We will now install them.

• Goto (System --> Software)
• Click ‘Update lists’
• In filter enter luci-proto-relay
• Click ‘Download and install package’
  • When you click the button, luci-proto-relay will be installed and it will also bring down and install relayd as a dependency.
• Reboot the router.

Create the Firewall Zone (BRIDGE_LAN)

We now need to create a firewall zone for the bridge LAN network

• Goto (Network --> Firewall --> Zones)
• Add a new Firewall Zone
  
  
• Click 'Save'
• Click 'Save & Apply'

Create BRIDGE_LAN Interface

The bridge network needs interfaces creating so the router know where to talk to the network.

• Goto (Network --> Interfaces)
• Add new interface
  
• Click 'Create interface'
• There is nothing to fill in here for unmanaged.
  
• Click 'Save'
• Click 'Save & Apply'
• Edit the BRIDGE_LAN interface again
• On the firewall settings tab: `Create / Assign firewall-zone` = bridge_lan (empty)
  
  
• Click 'Save'
• Click 'Save & Apply'

Create BRIDGE_RELAY Interface

This is the invisible routing node that relayd provides but it does appear as an interface.

• Goto (Network --> Interfaces)
• Add new interface called bridge_relay
  
  
• Click 'Create interface'
• Fill in the following on the  ‘Interfaces – BRIDGE_RELAY’ page
  
  
  • Do not fill in ‘Local IPv4 address’ as this will break this configuration.
• On the firewall settings tab: `Create / Assign firewall-zone` = bridge_lan
  
  
• Click 'Save & Apply'
• Click 'Save'

Finalise Settings

• Power cycle the OpenWRT router, this will apply the settings above
• Once rebooted connect to the red port and make sure you can browse the internet
• Your Interfaces should now look like this
  
• Your Zones should now look like this
  

Cannot access router from BRIDGE_LAN

• With this configuration you cannot access the router from the BRIDGE_LAN
• If you add an IP to the BRIDGE_RELAY or BRIDGE_LAN routing will break.
• If anyone works out the solution please let me know.

(optional) Temporarily disable BRIDGE_RELAY and use Ethernet for BRIDGE_LAN

If you have spent time configuring your router and find that you need to connect BRIDGE_LAN to your 'Parent Network' via the ethernet because of a bad WiFi signal or you just need more speed then that is easy to do.

You cannot have the router sending traffic to the 'Parent Network' whilst getting the 'Parent Network' from the ethernet as this will casue a broadcast storm so we need to correct this with the minimum intervention.

• In the VLANs section below you need to make sure you have more than one ethernet socket available on the BRIDGE_LAN network
• Login to your router via the NAT_LAN network
• Goto (Network --> Interfaces --> BRIDGE_RELAY --> EDIT --> General Settings)
• Remove bridge_lan and wwan from 'Relay between networks'
• Click 'Save'
• Click 'Save & Apply'
• Reboot the router

Part 5 – Network Isolation

I will be investigating VLANs and how to apply them to my 'Primary Router' and it's WiFi so this network is further isolated.

I now need to isolate the NAT network (nat_lan) from my main network because both networks are present on the OpenWRT router, and OpenWRT will always try and figure out the best route for all traffic which is undesirable in this case.

This is different from Wireless client isolation.

Solution

The fix is simple, we need to configure the Firewall Traffic Rules by adding some additional rules.

Adding a Firewall Rule

• Goto (Network --> Firewall -->Traffic Rules)
• Click 'Add'
• Fill in the details for each rule (see below)
• Click 'Save'
• When they are all don, click 'Save & Apply'
• Reboot the router

The Firewall Traffic Rules

• A copy and paste list is at the bottom for those of you more familiar with OpenWrt
• Add each following rules, in order, into LuCi.
• The following rules need to be added at the top of the 'Firewall - Traffic Rules' List (LuCi)
• When you re-order rules in LuCi you need to click 'Save & Apply'

Block 'Parent Network' IPs

Currently if you ping an IP address on the 'Parent Network' from the NAT_LAN network you will get a response because the device on the 'Parent Network' will only see the IP address of the officerouter (192.168.1.2) and will not know the difference (IP Masquerading). Not only can you ping devices,  you can make connections for such things as file sharing and in these modern times if an encryption malware can see a share, it will encrypt it.

• Block - WAN - Class A IPs
  
  • Name: Block - WAN - Class A IPs
  • Protocol: Any
  • Source zone: nat_lan
  • Destination zone: wan
  • Destination address: 10.0.0.0/8
  • Action: reject
  • All the other options should be left as is
• Block - WAN - Class B IPs
  
  • Name: Block - WAN - Class B IPs
  • Protocol: Any
  • Source zone: nat_lan
  • Destination zone: wan
  • Destination address: 172.16.0.0/12
  • Action: reject
  • All the other options should be left as is
• Block - WAN - Class C IPs
  
  • Name: Block Parent Network - C Range
  • Protocol: Any
  • Source zone: nat_lan
  • Destination zone: wan
  • Destination address: 192.168.0.0/16
  • Action: reject
  • All the other options should be left as is

Allow LuCI from the WAN

These rules just allow access to the officerouter's LuCI from the 'Parent Network' via the WAN route on 192.168.1.2

• Allow - WAN - LuCI (HTTP)
  
  • Name: Allow - WAN - LuCI (HTTP) 
  • Protocol: TCP
  • Source zone: wan
  • Destination zone = Device (input)
  • Destination address: 192.168.1.2
  • Destination port: 80
  • Action: accept
  • All the other options should be left as is
• Allow LuCI (HTTPS) - NAT Network IP
  
  • Name: Allow LuCI - NAT Network IP
  • Protocol: TCP
  • Source zone: wan
  • Destination zone: Device (input)
  • Destination address: 192.168.1.2
  • Destination port: 443
  • Action: accept
  • All the other options should be left as is
• Allow SSH - NAT Network IP
  
  • Name: Allow SSH - NAT Network IP
  • Protocol: TCP
  • Source zone: wan
  • Destination zone: Device (input)
  • Destination address: 192.168.1.2
  • Destination port: 22
  • Action: accept
  • All the other options should be left as is

Firewall Rules (Copy and Paste)

This a copy on the whole file (/etc/config/firewall) to make things easier and quicker.

Once you have updated your firewall config reboot your router.

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'nat_lan'
	list network 'nat_lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wwan'

config forwarding
	option dest 'wan'
	option src 'nat_lan'

config rule
	option src 'nat_lan'
	option target 'REJECT'
	option dest 'wan'
	list dest_ip '10.0.0.0/8'
	option name 'Block - WAN - Class A IPs'
	list proto 'all'

config rule
	option src 'nat_lan'
	option target 'REJECT'
	option dest 'wan'
	list dest_ip '172.16.0.0/12'
	option name 'Block - WAN - Class B IPs'
	list proto 'all'

config rule
	option target 'REJECT'
	option src 'nat_lan'
	option dest 'wan'
	list dest_ip '192.168.0.0/16'
	option name 'Block - WAN - Class C IPs'
	list proto 'all'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '80'
	option src 'wan'
	list dest_ip '10.0.0.3'
	option name 'Allow - WAN - LuCI (HTTP) '

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '443'
	option src 'wan'
	list dest_ip '10.0.0.3'
	option name 'Allow - WAN - LuCI (HTTPS)'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	list dest_ip '10.0.0.3'
	option name 'Allow - WAN - SSH'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'nat_lan'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'nat_lan'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'bridge_lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'bridge_lan'
	list network 'bridge_relay'

config forwarding
	option src 'bridge_lan'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'bridge_lan'

PART 6 – Guest WiFi called 'clients'

To get the most out of this tweaked OpenWRT router I am now going to add a guest WiFi network called 'Clients' which will be attached to the NAT network affording it all of the same isolation as that network.

We need to create a an AP on the 2.4GHz kit and bridge it to the NAT network

• Goto (Network --> Wireless --> Wireless Overview --> Atheros AR9287 802.11bgn (This is the 2.4GHz WiFi card / radio1 / wlan1) --> Add
• Configure as follows:
  
  • (Interface Configuration --> General Setup)
    
    
    • Mode = Access Point
    • ESSID = clients
    • Network = nat_lan
    • WMM Mode: ticked
  • (Interface Configuration --> Wireless Security)
    • Encryption = WPA-PSK/WPA2-PSK Mixed Mode (medium security)  (Good for Legacy devices)
      • Or the encryption of your choice
    • Cipher = auto
    • key = Your password you want for the client network
    • Don't use the password on the router because this password will be given out to the public and will be changed often.
  • (Interface Configuration-->Advanced Settings-->Isolate Clients) = Ticked
• Click 'Save'
• Click 'Save & Apply'
• You are now returned to the 'Wireless Overview' page, enable the Clients network by clicking on the 'Enable' button for that network. (if not already enabled)
• You will notice you can connect to the WiFi but not get an IP address. Follow Part 7 below to fix this.

Part 7 - Bridge a WiFi node to a LAN network

Background to this issue

In pre OpenWrt 20.00/pre-DSA we were able to join the eth0.1 and wlan1 networks directly with in the nat_lan interface but this now not currently possible because it requires extra coding to be implemented in OpenWrt 20.00+ by the OpenWrt team, if ever.

These settings were located at (Network-->Interfaces-->NAT_LAN (br-nat_lan)-->Edit -->Common Configuration-->Physical Settings)

It should be noted when you try and setup a bridge device (Network-->Interfaces-->Devices) you are told that you cannot bridge WiFi and ethernet as you once did. Look at the 'Bridge ports' dropdown.

To resolve the missing bridge functionality we have to change the nat_lan device from eth0.1 to br-lan which also sort of follows the rule above. You cannot connect the WiFI to the following devices and have any routing happen. I also thinky the device must be a 'Bridge Device'.

• br-lan.1
• br-lan.2
• eth0 - Not tried this
• eth0.1
• eth0.2

Solution 1 (Easy)

• Goto (Network-->Interfaces)
• Edit the NAT_LAN
• Change the Device from eth0.1 to br-lan
  
• Click 'Save'
• Click 'Save & Apply'

• Traffic will now flow from the wireless on wlan0. My understanding that this traffic by default  on br-lan should be on vlan1 so should still be isolated from eth0.2
• Rebooting the Router several times can sometimes help. It possible it to do with assigning new MAC addresses (my guess)

Solution 2 (Manual)

We are going to create a new 'Bridged device' (Virtualised Interface) that we can use to sit the WiFi and LAN on.

• There is currently a bug where if I delete br-lan and use br-nat_lan (or other name) to connect to eth0.1 then routing on the ethernet stops. This could well be to do with the migration to DSA and that br-lan is hardcoded somewhere to talk to eth0.1 so only use the method below for other VLANs and leave br-lan as is. Maybe a MAC addresses issue.
• You cannot have 2 'Bridge devices' on the same 'Bridge port(s)' as it breaks routing.
• You cannot have a 'Client mode' and an 'AP point' defined on the same Wireless interface, this breaks routing.

• Goto (Network --> Interfaces --> Devices)
  
• Click 'Add device configuration'
  • Device type: Bridge device
  • Device name: br-nat_lan
  • Bridge ports: eth0.1
  • Click 'Save'
• Goto (Network --> Interfaces -->Interfaces)
  • Edit NAT_LAN
  • Change the Device to br-nat_lan
    
  • Click Save
• Goto (Network --> Interfaces --> Devices)
  • Click on the 'Reset' button for the br-lan device
    • This will effectively remove the device
    • You cannot have 2 'Bridge devices' on the same physical interface.
• Goto (Network --> Wireless --> your 'clients' network --> Edit --> Interface Configuration --> General Setup --> Network)
  • change the network to br-nat_lan
• Click 'Save'
• Click 'Save & Apply'
• Reboot

Notes

• You can create multiple interfaces with different names such as br-bridge_lan and put these on other interfaces such as eth0.2
• You can use this method to add WiFi on the the BRIDGE_LAN network. In fact I have add both 24.GHz and a 5GHz Wifi AP point onto my router.

PART 8 - VLAN Assignments (Optional)

Name the VLANs for easy management

• Goto (Network --> Switch --> VLANs on "switch0" (Lantiq XRX200 Switch))

By changing the VLANs to which the ethernet socket belongs to you can change their network assignment.

There are 2 options to select from and just depends on what configuration your want

Option 1

All of the yellow sockets are on your secure 'clients' network and the red socket is on your private network.

• Goto (Network --> Switch --> VLANs on "switch0" (Lantiq XRX200 Switch))
• Fill in the description fields in as follows and you do not need to change the Port assignments.
  

Option 2

All of the yellow sockets are on your 'Private' network and the red socket ins on the 'clients network

• Goto (Network --> Switch --> VLANs on "switch0" (Lantiq XRX200 Switch))
• Fill in the description fields and also change the port assignments to match below.
  

PART 9 – Final configuration

If all is working set your admin password

• Set your admin password
  • Goto (System --> Administration --> Router Password)
  • This is very important now the unit is Configured.
  • I prefer to use the Admin password on the card that (BT Homehub 5A / Plusnet One) router comes with. It makes things a lot easier.
  • Don’t forget to click 'Save & Apply'
• Set the Wireless country code to your region
  • In each of the wireless configurations do the following to set your region.
  • Goto (Network-->Wireless-->SSID: whatever-->Edit-->Device Configuration-->Advanced Settings-->Country Code)
  • Set your Country code to your region
• see Install OpenWrt on a BT Home Hub 5 / Plusnet One Router | QuantumWarp
  • (Optional) WPS on the clients network
  • (Optional) Force HTTPS (the browsers might stat upgrading if you use a domain name rather than IP)
  • (Optional) Add SFTP server to make things much easier
  • (Optional) LEDs (System --> LED Configuration)
    
    • Edit wifi LED
      • Name: NAT_LAN Activity
      • LED Name: blue:wireless
      • Trigger Network device activity (kernel: netdev)
      • Device eth0.1 (Switch VLAN: "eth0.1" (nat_lan)) - This seems flacky. If I save and resave the this LED setting then monitoring will occur, other wise nothing. There might be a fault with the trigger.
        • -- Trying br-lan
        • Device br-lan (Bridge: "br-lan" (nat_lan)) while I cannot access eth0.1 directly.
      • Trigger Mode: Transmit, Receive
    • Edit dsl LED
      
      • Name: BRIDGE_LAN Activity
      • LED Name: red:broadband  (matches the red socket)
      • Trigger Network device activity (kernel: netdev)
      • Device eth0.2 (Switch VLAN: "eth0.2" (bridge_lan)
      • Trigger Mode: Transmit, Receive
    • Edit dimmed
      • Name: dimmed
      • LED Name: dimmed
      • Trigger: Always on (kernel: default-on)
      • Default state: unticked
  • (Optional) installed_packages.txt
    • Add /etc/backup/installed_packages.txt to config backup
    • make sure you run sysupgrade -k -u -b to get an update package with the installed_packages.txt so you can keep it as a full reference archive

PART 10 – Verify Security

I advise you to run through the following test to make sure that the different networks are blocked from each other as they should be before trusting this setup.

• On the default setup you can access the OpenWRT via the following methods
  • 192.168.0.1 - From the yellow ethernet sockets and the 'Clients' WiFi
  • 192.168.1.2 - From the parent network
  • 192.168.1.3 - From the parent network
  • 192.168.1.2 and 192.168.1.3 are unavailable via the red socket

Notes

RelayD LuCI Workaround Notes??

This are notes for a workaround for BT Home Hub 5A / Plusnet One to be able to access the LuCI admin and SSH services on the OpenWRT router on the bridged network.

• Why you cannot access admin IP on a network using relayd
  • By default on OpenWRT all interface IP are bound to the routers services i.e. LuCI on port 80, SSH on port 22.
  • When you use relayd, the interfaces that you bridge between have this direct access removed and traffic is piped through the relay instead so the OpenWRT services are not bound to the IP
  • This means if you try and access OpenWRT admin (or other services) through 192.168.1.3 either through the Red Ethernet socket or from the parent network you will not be able to connect because it is relayd doing the routing and not the OpenWRT core so effectively you cannot see these services and the traffic is just lost/dropped as it has no destination to go to, the services do not exist on the IP 192.168.1.3
  • Zones are also ignored for routing (even thought all the bridge interfaces need to be in the same zone for the bridge to work)
• Solution
  • The wan interface sits on the same physical hardware (wlan0) so we can use the wan zone to allow the traffic through to the IP 192.168.1.3
  • So if you examine the rules above the only real difference is the source_zone
  • I am not sure if this is a good thing or causes any issues and is why I say it is optional.
  • You can always access the OpenWRT admin via 192.168.1.2 along with all other services.
  • 192.168.1.2 and 192.168.1.3 are still unavailable via the red socket
• Solution 2
  • Access through the clients WiFi?

General

• All device names can be found in (System-->Realtime Graphs-->Traffic)

Tutorials

• OpenWRT - WiFi Bridge (LAN to LAN WiFi repeater/extender) - YouTube (Van Tech Corner) In this video, we are going to setup WiFi bridge to extend the LAN network wirelessly on OpenWRT LuCI with relayd package. This is also know as Wi-Fi extender / repeater / bridge configuration. As a result, you will have another extended network via WiFi that has the same LAN IP range/subnet with the primary router.
• Setup LAN/WLAN Bridge with OpenWrt (LuCI) (updated) - Nerd Quickies - A tutorial using relayd as a base.
• OpenWrt: Set up a Basic Network Including WiFi Bridge, IP Address, DHCP | linuxscrew - This article will show you how to configure a basic network with WiFi Bridging, DHCP on a fresh install of OpenWrt – with explanations and screenshots.

Firewall

• Start reading here for firewall information
  • OpenWrt Project: Firewall Configuration -- /etc/config/firewall
  • Firewall configuration [Old OpenWrt Wiki]
• Masquerade is the most common form of SNAT, changing the source of traffic to WAN to the router's public IP. SNAT can also be done manually.
  • https://openwrt.org/docs/guide-user/firewall/firewall_configuration?s[]=masquerading
• OpenWRT firewall process the rules and then stops when it finds a matching rule (from top down)
  
  • https://oldwiki.archive.openwrt.org/doc/uci/firewall (This is where you need to read to understand Firewall Rules)
  • "The UCI Firewall provides a configuration interface that abstracts from the iptables system to provide a simplified configuration model"
  • "The first rule that matches is executed, often leading to another rule-chain until a packet hits either ACCEPT or DROP/REJECT"
• Rule Process Order (openwrt firewall process the rules and then stops when it finds a matching rule) (double check order below!!!)
  • openwrt selects the firewall zone
  • then processes the firewall rules (Top to Bottom)
  • then process the zone default rule set
• When browsing the internet the domain is the destination not the parent router gateway address. So it is the final destination that is key, not the route the packet takes so dont get mixed up thinking the gateway is the destination.
• The firewall configurator in openwrt (UCI Firewall) is just a 'GUI' to configure the firewall rules
• CIDR Format
  • 192.168.1.1/24 = CIDR format
  • IPv4 Private Address Space and Filtering - American Registry for Internet Numbers
  • What does the IP "192.168.1.1/24" indicate? - Server Fault
  • networking - CIDR for Dummies - Server Fault
    CIDR    Dotted Quad
    /8      255.0.0.0
    /16     255.255.0.0
    /24     255.255.255.0
    /32     255.255.255.255
  • Why this private IP only range 172.16.0.0 - 172.31.255.255 ? - 64727 - The Cisco Learning Network - This has CIDR examples
  • What does 0.0.0.0/0 mean? : Reddit
  • 192.168.1.1/32 usually refers to asingle IP address
  • ​IP Filtering in Canvas -  This is a noce easy read on IP address and CIDR format.
• openwrt can only route between zones, can only apply rules between zones i.e. when routing
• Cannot apply Firewall rules on bridge network because traffic does not change zones, it is all on the same network/zone 192.168.1.x , relay is between bridge_lan and bridge_wwan. this is a bridge between 'network interfaces' and not 'physical devices'
• OpenWRT firewall rules will only work when traffic is transitioning between zones
• You can apparently control traffic on the same zone using netfilter but this seems complicated and I have not done this.
• Firewall needs an interface to have an IP to be able to route traffic
• DROP vs REJECT
  
  • Drop = Request timed out (with this option you get no positive feedback)
  • Reject = Destination host unreachable (If you use this method you can easily see if the firewall is blocking the traffic.)
  • I am using REJECT in this setup - With a REJECT I can see instantly that the firewall has blocked the traffic and if I get a 'Request Timed Out' that means the target does not exist on the router and or cannot be routed to but if I get 'Destination port unreachable' then I know the firewall is actively blocking the traffic.
  • Drop versus Reject (This helped me decide)
  • linux - REJECT vs DROP when using iptables - Server Fault
• Always reboot after making firewall changes because they 'do not always get applied correctly' / 'IPTABLES need to be flushed'. If you think a rule should be working but it is not this is will likely fix it. I think it is because routes are cached. You can also use the command line to clear the cache.
• If a rule was blocking traffic and then you remove the rule traffic will start flowing, however if trafic was allowed and then blocked you will find the traffic still flows because of rule caching (i am guessing about this being the cause)'
• Firewall rules only work between zones so cannot be used on the same zone.
• You can use Netfilter/iptables to specify network rules but I am not sure how to do this (see link)
• A firewall rule controls what happens when a packet transitions from one device to another which crosses a zone boundary. Or to put it another way when a packet transitions from one zone to another. I.e. this is why Nat is enabled on the firewall zone because this is the point you want to NAT IP address between the interfaces and not in them because routing should be invisible to the interfaces.
• Adding Luci access from parent network
  • Enabling remote SSH access on OpenWRT 12.09 - Real simple instructions on adding the required firewall rule
  • networking - Can't connect via LuCI or SSH from WAN side network to Raspberry Pi 1B running OpenWRT 14.07 - Super User - Don’t forget to make sure the changes are applied
• Zone Controls:
  • Zone / Name = The rule’s name
  • Forwardings =
    • aka Inter-Zone Forwarding which is also covered at the bottom of this list
    • the icons explained in the Zones list because they are confusing
      • 1^st / left = this is the networks in the zone (Covered Networks). Hover over the icon to see them. You will notice that all of these first icons all have the same name as the Zone.
      • 2^nd / right = Allow forwarding to these destination zones
    • Input = default policy for traffic entering this zone
    • Output = default policy for traffic leaving this zone
    • Forward = describes the policy for forwarded traffic between different networks within the zone. I think this stops the zones talking to each other (isolates them)
    • Masquerading = also known as - NAT (network-address-translation)
      • This is why it is required for my network to work. It bridges the networks by the rule and also does NAT on them at the same time
    • MSS Clamping =
      • “A workaround used by some routers is to change the maximum segment size (MSS) of all TCP connections passing through links with MTU lower than the Ethernet default of 1500. This is known as MSS clamping.”
      • https://en.wikipedia.org/wiki/Path_MTU_Discovery#Problems_with_PMTUD
      • Translates DSL type packets to Ethernet sized packets to prevent errors occurring. So I would guess it is only needed on Ethernet ó DSL
    • Covered Networks = those networks that have this rule applied
    • Inter-Zone Forwarding = The options below control the forwarding policies between this zone and other zones. Basically what zones is this zone allowed to talk to and you can also control the traffic directions.
• My WWAN zone has the following rules + explanation
  • Input – reject = blocks requests originating from outside
  • Output = accept – allows communication started from inside to go out the network and consequent have a conversation with that endpoint
  • Forward – reject = prevents any other networks on this zone
  • Masquerading = on – to NAT the connection and allow routing
  • MSS Clamping – not needed because the WWAN is an Ethernet type interface and not a DSL where the MTU size could be less than 1500
  • Covered networks – just itself because this is the only zone that will need NAT’ing and is the main in/out route
  • Allow forward to destination zones: = none
  • Allow forward from source zones: = lan + redlan – these are my 2 ethernet networks
• The Beginner’s Guide to iptables, the Linux Firewall

Distributed Switch Archeitecture (DSA)

This is replacing swconfig which uses the LuCI item (Network --> Switch)

• There is no migration path for targets that switched from swconfig to DSA. In that case, sysupgrade will refuse to proceed with an appropriate error message.
• [OpenWrt Wiki] DSA Mini-Tutorial - This DSA Mini-Tutorial explains how DSA works with OpenWrt.
• [OpenWrt Wiki] Converting to DSA - Some OpenWrt 21.02 (and newer) devices use DSA for configuring network interfaces. If you are upgrading your router to a firmware version that uses DSA, you should read this page. 
• Mini tutorial for DSA network config - Network and Wireless Configuration - OpenWrt Forum - This is more a tutorial but is well explained and has pictures.
• VLANs in OpenWrt 21 | YouTube | OneMarcFifty
  • The VLAN Configuration has changed in OpenWrt 21.02 - Bridge VLAN Filtering and Distributed Switch Architecture (DSA) change the way we configure the network segmentation in a Guest, IOT and LAN Network.
  • A very informative video
  • Assigning the WiFi to the right network is done
    • https://www.youtube.com/watch?v=qeuZqRqH-ug&t=1250s
    • Network --> Wireless --> [WiFi Network] --> Edit --> Interface Configuration --> General Setup --> Network
• [OpenWrt Wiki] Wireless Access Point / Dumb Access Point - Doesnt really cover 20.00+ at the minute.
• Any chance of updated "dumb" access point guide? - #3 by jaromanda - Network and Wireless Configuration - OpenWrt Forum
• Mini tutorial for DSA network config - Network and Wireless Configuration - OpenWrt Forum
• Bridging networks is not currently possbly like it was pre-DSA
  • Wireless Bridge "different" than Wired - For Developers - OpenWrt Forum
  • Any chance of updated "dumb" access point guide? - #7 by jow - Network and Wireless Configuration - OpenWrt Forum

    Specifies the wired ports to attach to this bridge. In order to attach wireless networks, choose the associated interface as network in the wireless settings.

  • Trying to create a bridge with two legs - Network and Wireless Configuration - OpenWrt Forum
  • Is there a way of using VLANs to do this?
  • You could use relayd to bridge the networks like I did for the bridge network.
• Install OpenWRT 21.02 & DSA VLAN Configuration for WAN Interface - YouTube (Van tech Corner) This video shows you how to configure DSA on your router (if present) and how to identify it it has DSA.
• HH5a snapshot with DSA - enabling red WAN port
  • If anyone wishes to enable the red WAN port on HH5a using latest openwrt snapshot which does use DSA, here are the details
  • This might be the only change needed when upgrading your HH5a to a firmware that supports DSA.

  • The vlan settings back in the days (eth0.1, eth0.2 and so on) where the
    only way to separate the ports of the switch. With DSA the vlan hack
    isn't required any longer. The whole idea of DSA is to expose each
    switch port as a network device.
    
    Mathias

Network

• You do not need an IP on the LAN interfaces; I have just left one on the NAT_LAN so I can access the router from its ‘internal’ network if there are issues upstream. If you convert this to ‘unmanaged’ everything will still work you just won’t be able to access the OpenWRT admin from the local network
• You can add VLAN tags by using the notation eth0 --> eth0.0 : eth0 --> eth0.1 etc... I am not sure if all interfaces support this. Certainly the Ethernet and DSL connections do. I.e. dsl.101 to allow BT and Plusnet to work
• The router needs an IP address to be able to route between networks. This is probably obvious.
• When routing between networks they must be in a different IP range to allow routing.
• I think by default interfaces are routed to VLAN.1 – not 100% about this but it seems the case. Could be me not doing things right.
• Interfaces are software endpoints that can sit on a physical interface to interact with it or simple be a bridge. These endpoints are exposed to the OpenWRT core/kernel. The interfaces are not representations of the hardware. Hardware is eth0, wlan0, etc..

Bridge Tutorials

• [OpenWrt Wiki] Wi-Fi extender / repeater / bridge configuration - An old article I think i used as reference
• Setup LAN/WLAN Bridge with OpenWrt (LuCI) (updated) - Nerd Quickies - A tutorial on setting up relayd.
• How to set up IPV6 with relay bridge - Network and Wireless Configuration - OpenWrt Forum - A tutorial on making a bridge using relayd and a BT Home Hub 5a.

WiFi/Wireless

• WMM Mode
  • On the wireless interface WMM allows the use of faster speeds without it connections are crippled for some reason. Maybe it allows the use of faster frequencies 20/40/80 MHz….
  • Is WMM a type of QoS?
  • WMM (WiFi Multimedia) | Answer | NETGEAR Support
• You can add an ‘access point’ to your 5ghz range to add an AP on to the 5ghz Wi-Fi alongside the Client Bridge + NAT
• WiFi is not working
  • network --> interfaces --> Wireless Overview --> {our new 5Ghz configuration) --> Edit
  • If you see 'Wireless is not associated' this could be the username or protocol for the wireless connection is wrong.
  • Or it could be a configuration issue, for me it was because I added an extra interface on under physical settings. It should only have wwan in it.
  • Or you have unchecked wwan
  • Rebooting the router always helps just in case the router has got mixed up
• Different Wireless Modes Explained
  • General Setup--> Mode: ?? 
  • Access Point: This is the normal mode for a router where you connect to the Wi-Fi to get internet and is the default setting.
  • Client: This will have the wireless card in the router behave like a wireless card in a PC by having it connect to a network and getting an IP rather than the other way around
  • Ad-Hoc:
  • 802.11s:
  • Pseudo Ad-Hoc (ahdemo):
  • Monitor:
  • Access Point (WDS):
  • Client (WDS):
• When you change the wireless network that your router is a client of, you must change the ESSID (normal SSID). BSSID (mac address) and the password (optional).
  • To get the BSSID
    • Goto Network --> Wireless --> Qualcomm Atheros QCA9880 802.11nac --> Scan
    • Hightlight the relevant BSSID and copy it. Do NOT click 'Join Network', this will destroy the setup.
    • Goto Network --> Wireless --> Qualcomm Atheros QCA9880 802.11nac --> Edit --> Interface Configuration
    • Under 'General Setup' change the ESSID and BSSID to match the new details.
    • Change the password under 'Wireless Security' to match the new password (optional)
    • Click 'Save & Apply'.
• Device is not active / Wireless is not associated
  
  • This can be caused by the following
    • You have upgraded your router and the pacakges are no compatible either the binaries or the sytax in the config files
    • The relevant packages are not installed. Most likely you have upgraded your router, applied your config but not re-installed the required packages.
    • In my case I think it was because I had enabled WPS via (hostpapd/wpad-wolfssd) but had not re-installed this and this setting in the config file was causing my 2.4Ghz wireless to fail.
  • FS#2737 : Radio0 Device is not active - wireless configuration issue
  • Archer C7 V5 - Wireless Device is not active - Installing and Using OpenWrt - OpenWrt Forum - could be a package issue
• VLAN
  • You should really not uses these VLAN numbers
    • 0 = untagged
    • 1 = control plane so do use for networks

Still got questions, then hopefully they should be answered here. This is basically the research I used to make this series of articles.

Common

General Alias Articles

• How Do I Create an Email Alias? – Wodify

Profile Images

• 2017 Social Media Image Sizes: A User's Guide | vieodesign.com - As designers, we've all been there: you create a beautiful new Facebook or Twitter cover photo, only to have the platform change its social media image sizes the next day. (Editor's Note: We update this post as we become aware of changes to social media image sizes and requirements.)
• Image Sizes and Image Dimensions for each Social Network | postcron.com - Image Sizes And Dimensions For Facebook, Instagram, Twitter, Youtube, Google+, Pinterest and More (Includes Sizes for Profile Pictures, Banners, Shared Images and Much More for All the Social Network)
• Google+ Profile Picture and Cover Photo Size Guide | havecamerawilltravel.com - If you're adding photos to your Google+ profile page, here are the image sizes that are displayed.
• Your Google My Business Profile Image - The Most Important Image? - Local University - There probably isn't an image of your business that gets seen more by potential customers and searchers than your Google My Business profile image. There isn't a single image that has more impact on searcher's behaviors. And there isn't an image in the online world that is harder to "get right."

Google

Delete a Gmail profile picture

• How to view the full size and remove old Google Profile pictures - Web Applications Stack Exchange
• How to Delete Gmail Profile Picture - This is via Google+

Forwarding Gmail email

• How to Forward Gmail to Another Email Address Automatically | lifewire
• Automatically forward Gmail messages to another account - Gmail Help

Migrate my Android phone to new Gmail account

• How to migrate contacts to a different Google account on your Android device - TechRepublic
• Google Play
  • Can you transfer your Google Play purchases to another account? - Quora - It’s actually somewhat possible now with a bit of a workaround! The trick is to use Google Play’s new Family Library.
  • Google Play Family Library: Share what you love with the ones you love | Google - This explains the Family Library, a way for up to six family members to share purchases on Google Play.
  • You can install multiple accounts onto an adroid phone and this will give you the benefits of both. For instance the purchased apps from the old account.
  • There is no way to directly move purchases from Google account to another.
  • Newly purchased apps, if eligible for the Family Library will allow you to share these apps to another Google account.
• Download your data - Google Account Help
• Note: if you're adding a new Gmail address to your Google Account, you can't choose an existing Gmail username (even if you delete the other account with Gmail, you can't reuse the Gmail username.)
• the://simpso.net: How to migrate your Google Play Music to a new Google account
• How to Migrate Your Entire Google Account to a New One | lifehacker
• How to Migrate Email from One Gmail Account to Another | lifehacker

Delete an Android Calendar.

• Calendar Cleanup - Apps on Google Play - This did not work for me, but it would of been easier.
• How do I clear the calendar storage? – Business Calendar Customer Support
• How to Delete Calendar on Android with Free Risk

Google Play - You Don't Have Any Devices

• You Don't Have Any Devices - Android Forums at AndroidCentral.com
• This is how to fix "You don't have any devices" in Google Play Store and Android Device Manager | SVARTLING
• How to fix You don't have any devices error on google play store - YouTube

Wipe contacts on my android phone but not from my Google account

• Delete "all" phone contacts - not google contacts - HTC Desire | Android Forums

Android Samsung Notes / S-Memo

• Backing up S-Memo | Samsung Galaxy Note GT-N7000 - Has information on how to backup and restore S-Memo manually using Titanium backup.
• If you create a samsung account it will automatically sync them to Samsungs Cloud.
• Backup and Restore SNotes - Android Forums at AndroidCentral.com - alternative sync options.
• Recovering S-Memo Files after Flashing a ROM | AT&T Samsung Galaxy Note I717 - your old memos can be found on below Loc. even after flashing Application\SMemo\cache
• S Memo/S Note Recovery | How to Recover Notes Files on Samsung Memo App | EaseUS - This is a reputable US company and as a last resort you can try this recovery software.

How to Sync Google Calendar with Outlook

• How to Sync Google Calendar with Outlook - Tech Advisor - Here's how to sync Google and Outlook calendars so that events and all their details are in both calendars.
• How to Sync Microsoft Outlook With Google Calendar - Keep both Outlook Calendar and Google Calendar synchronized with your events, tasks, and appointments. These useful third-party tools fill the gap left behind by Google Calendar Sync.
• See your Google Calendar in Outlook - Outlook
• Import Google Calendar to Outlook - Office Support

Google Play how to see my purchased apps

• How to see all the purchased apps in google play store - Android Enthusiasts Stack Exchange

Gmail Aliases

• How to instantly create a unique Gmail alias without registering | Expert Reviews - If you need a unique email address quickly without registering again, here's a few handy tips you might not know about. Uses the period (.) method for aliases.
• How to Set Up Gmail With Aliases and Import Other Inboxes | WIRED - Uses the + method for aliases.

Moving Google Services to another account

• I have multiple Google Accounts. Can I merge them? - AdWords Help - How to move Google analytics and Adwords.
• How to transfer Google AdWords account ownership | hockseng.net
• How to transfer a google analytics account - Scoop Design - Have you ever needed to transfer a google analytics account to another user profile or email address? This has pictures.
• Transfer Google Webmaster Tools data to another account - Webmasters Stack Exchange

Moving Google Analytics Property

• Easily Move Any Google Analytics Property to a New Account - Google recently made possible moving properties between Analytics accounts. Learn what are the benefits, requirements and how to do it in just a few clicks.
• How to Move a Google Analytics Property From One Google Account to Another - YouTube - In this 90 second video, Scott Hendison shows how to use Google's new "move property" feature inside of Google Analytics, to move a property from one account to another.

YouTube Channel

• How To Make A YouTube Channel! (2018 Beginners Guide) - YouTube - This is a tutorial on how to make a youtube channel for beginners 2018. In this video, i'll guide you through the process of creating an account and even show you how to upload a video along with channel art.
• Manage your Brand Account - Google Account Help - You can set up and manage a special kind of account for your business or brand, called a Brand Account. You can use certain Google services, like Google+ and YouTube, with this account to create an online presence.
• Create a new channel - YouTube Help - With a Google Account, you can watch and like videos and subscribe to channels. However, without a YouTube channel, you have no public presence on YouTube. Even if you have a Google Account, you need to create a YouTube channel to upload videos, comment or make playlists. You can use a computer or the YouTube mobile site to create a new channel.

Google Maps vs Google Places

• Google Maps vs. Google Places: Making Sense of It All - A company can reign supreme on Google Places, but they aren.t #1 on Google Maps. Greta Rose Agency delves into why and how these two differ.
• Google Places vs. Google Local vs. Google Plus • Bixa Media - Befuddled over the difference between Google+, Google Places, and Google+ Local? Bixa Media explains the difference & tells you where your company belongs.

Feedburner

• Learn how to setup Feedburner for Podcasting and Blogging - YouTube - In this video, TeacherCast University will show you how to create a user account for Google Feedburner. Learn how to take an existing feed from Lybsin, WordPress or your favorite source and submit it to iTunes Podcasting Directory.
• Set Up Feedburner RSS Feed for Your Blog in Less than 2 Minutes - YouTube - This video will show you how to set up your Feedburner RSS feed for your blog in less than 2 minutes.

Microsoft

Moving an xbox profile

• Move your Xbox Live profile to another Microsoft account on Xbox 360 - This page explains how to move your Xbox Live profile—including gamertag, achievements, content, etc.—to another Microsoft account by using your Xbox 360 console.
• Switch Your Xbox Live Gamertag to Another Microsoft Account - VisiHow - This article will take you through moving your gamertag onto your main Microsoft account so that all of your achievements and purchases are kept in one place.

Move an email alias between Microsoft accounts

There is an element in risk because the aliases become available immediately after release or up to 30 days. Read these articles to decide.

• Moving email alias to another outlook account - Microsoft Community
• transfer alias to another outlook.com account - Microsoft Community

Microsoft/Outlook.com aliases

• Manage aliases on your Microsoft account | Microsoft
• Add or remove an email alias in Outlook.com - Outlook | office.com

Change Xbox Gamertag

• How to Change Your Xbox Gamertag | xbox.com
• How to Change Microsoft Account Email Address | xbox.com
• https://account.xbox.com/en-US/changegamertag - This is the link to change your gamertag.
• Error 0x8015402d | Microsoft Account Error | Xbox 360 Error
• How do I remove spaces in my gamertag ? | xbox.com - Spaces are ignored when deciding if a gamertag is available.

Xbox Gamerpics

• Change Your Xbox One Gamerpic | xbox.com
• How to create a custom gamerpic for your Xbox Live profile | Windows Central
• Xbox One: How To Upload Custom Gamerpics | Avatar Guide | Walkthroughs | The Escapist
• Xbox One | This new feature is now being tested by Alpha Preview Ring Members | IT Pro

Installing Skype (not from the store)

I do not want to install skpe from the store because I do not want to login into windows with my Microsoft account.

• Fix Can’t Install Skype on Windows 10 – Please install Skype from the Windows Store…

Delete a Skype account

Things have changed now. If you have an old skype account you have to link it to a Microsoft account and then delete the Microsoft account which will delete both.

• How do I close my Skype account? | Skype Support
• How to close your Microsoft account | Microsoft

Change a Skype Username

The answer is you cannot. It is tied into your Microsoft account. I do not know if changing your primary alias will change your skype username.

• Windows Report - Windows 10 and Microsoft News, How-to TipsHow do I change my Skype account name?
• Change Skype ID - Microsoft Community

What is my Skype ID

• What is my Skype Account ID/Name? – italki Help and Support
• How to find out my Skype ID - Quora

Multi Skype

• How to Sign Into Two or More Skype Accounts at Once
• How can I run multiple Skype accounts at the same time? | Skype Support

outlook.com emails going into spam

• A series of articles from a Microsoft Developer explaining this issue and what you can do about it
  1. Why does my email from Facebook, that I forward from my outlook.com account, get rejected? – Terry Zink: Security Talk
  2. An update on the forwarding email problem in Office 365 – Terry Zink: Security Talk
  3. A second update to the problem of email forwarding in Office 365 – Terry Zink: Security Talk

Where to view my Microsoft/Xbox support requests ?

• https://support.microsoft.com/oas/viewincident
• https://support.microsoft.com/en-mt/my/supportrequests?wa=wsignin1.0

Yahoo

Close a Yahoo Account

• How to Delete Your Yahoo Mail Account | lifewire
• Close your Yahoo Account | Yahoo Help - SLN2044
• How to Delete a Flickr Account (with Pictures) - wikiHow

Delete a Flickr Account

You can delete a Flickr account without deleting your Yahoo account and then create a new Flickr account if you want.

• Delete your Flickr account | Yahoo Help - SLN7276
• How to Close a Flickr Account | Chron.com

Forward Yahoo email

• How to Forward Yahoo Mail to Another Email Address | lifewire
• Automatic email forwarding in Yahoo Mail | Yahoo Help - SLN22028
• Yahoo: How to set up automatic forwarding from one account to another account – Support Center | SaneBox

Switch between Classic and Basic Yahoo Mail

• How to Switch to Yahoo Mail Classic | lifewire
• Yahoo Small Business Community
• Don’t Like the New Look of Yahoo Mail? Switch it Back
• Switch back to the previous version of Yahoo Mail | Yahoo Help - SLN15936
• Overview of Basic Mail | Yahoo Help - SLN15090

Yahoo Aliases

• Can I change my Yahoo ID and email address? | Account Help - SLN2059 - You can't change your Yahoo ID or email address, but you can create an additional Yahoo ID or set up an extra email address (alias) for your existing one.
• Create, use, and delete an extra email address | Account Help - SLN15953 - How to add a single alias to your Yahoo account. There are limits on the number of times you can change this within a 12month period.
• How to Change Your Yahoo Email Address | oeupdates.com - Is your current Yahoo email address no longer appropriate? Do you want to change it?

Flickr General

• Geek to Live: Flickr Advanced User Guide | lifehacker
• Create your own personalized Flickr URL | Flickr Help - SLN7320 - Once set, there is no way to change your personalized URL. Your only option is to start over with another account and re-upload your images there

Change Flickr Screen Name / Real Name

• www.flickr.com/account/prefs/screenname/?from=personal - You can change your screen name here. It should be pointed out that your screen name cannot be one currently used by any active or closed account.
• www.flickr.com/profile_edit.gne?from=personal - Change your real name here.
• www.flickr.com/iconbuilder/?from=personal - On Flickr, your profile picture is called a 'buddy icon', you change it here.

Facebook

Facebook app namespace is “Already used by some other app”

When I followed the instructions from EasyBlog I got this error. It is caused by the namespace easyblogapp is already used and you need to add your website.

1. Go to your App.
2. Select Settings option from the left sidebar.
3. then add a namespace.

Facebook app namespace is "Already used by some other app" - Stack Overflow

and

1. Click Apps and then select your app.
2. Click the Settings button on the left side of the screen.
3. In the Basic settings, click the Add Platform button below the settings configuration.
4. Select Website in the platform dialog.
5. Enter your URL (localhost works here).
6. In the App Domains text input, add your domain that matches the one in the URL.
7. Save your settings.

why I am unable to add apps domain to my app ? | Facebook Help Community | Facebook

Create a Facebook Page

• How To Create a Facebook Page - YouTube - How To Create a Facebook Page- Derral demonstrates and explains how to create a Facebook page for business, public figure, charity or cause, any reason that you may need to create a Facebook page.
• How to Create a Facebook Fan Page for Your Blog - A step-by-step tutorial on creating a Facebook fan page for your blog or website. I choose 'Brand or Product' and then 'Website' for my blog.

Delete posts from Facebook

• How do I hide or delete posts I've shared from my Page? | Facebook Help Centre | Facebook

Facebook Instant Articles

• How to Get Started With Facebook Instant Articles - Facebook have opened up Instant Articles to publishers of all sizes. In this post, we'll guide you through how to get started with Instant Articles. 
• How to Setup Facebook Instant Articles for WordPress | wpbeginner.com - Want to add Facebook Instant Articles to your WordPress site? See our step by step instructions on how to to setup Facebook Instant Articles for WordPress.
• Instant Articles - Documentation - Facebook for Developers - Official devloper documentation from Facebook. This includes FAQ and a Quickstart Guide along with information on using Instant Articles in your Facebook account.
• Facebook Page not showing to add Instant Articles
  • page not showing while instant article sign up | Facebook Help Community | Facebook
  • My facebook page is not showing for instant article sign up | Facebook Help Community | Facebook

Twitter

General

• How to change your username | twitter
  • Your username can be up to 15 characters long.
  • Your display name can be up to 50 characters long.
• How to change your Twitter username and display name | Digital Trends
• Security and seconf Factor
  • How to use login verification | twitter - This requires a mobile phone and you can only attach this to one account.
  • About account security | twitter - Any time the email address associated with your Twitter account is changed, we will send an email notification to the previously-used email address on your account. In the event your account is compromised, these alerts will help you take steps to regain control of your account.
  • How to reset a lost or forgotten password | twitter - If you frequently receive password reset messages that you did not request, you can require additional information be entered in order to initiate a password reset.

Wordpress

Username

• Change Your Username — Support — WordPress.com
  • Videos on how to change your username.
  • Once you change your username you will not be able to change it back and the old name will not be available for you or anyone to use. If you just want to show your name differently please only change your Display Name.

Gravatar

• What's Gravatar, Why and How Should You Be Using It | Solvid
• How to Set Up a Gravatar with WordPress - WordPress Theme Detector
• Manage Multiple Identities with One Gravatar Account « Gravatar Blog

Other

Change a GitHub username

• Pitfalls when Renaming your GitHub Account | Thomas Hunter II
• Change GitHub Account username - Stack Overflow
• What happens when I change my username? - User Documentation

Disqus

• Updating your Disqus Settings · Disqus - This explains the different aspects of the profile

OneSignal

• Web Push notifications in Firefox | Firefox Help - this give a great overview into 'Web Push' notfications work. They differer from browser to browser but this explanation will in general be the same for all of them.
• temp my post at stackideas - Update EasyBlog OneSignal documentation (and komento)
• temp - Onesignal Push Notification - Configuration - EasyBlog Documentation 

What Now!!!

So your blog is now all setup, you have you Online Social Identities at the ready, autoposting and other integrations are all done and the question you are asking is: What now?

I will outline some of my thoughts on what is next but you have to appreciate that I have only just got to this stage myself and I have used the process of building my own blog to create these instructions to help me and othersas I go.

What not to do

This is important to get a well liked blog by both Google and the general internet public:

• Popups - People hate these
• Too many adverts - It is ok to have adverts (if you want them) but dont over do it.
• Keyword adverts - not sure what this is.
• Blackhat SEO - This will get your blog penalised.

Don’t be scared to changes things

• If you change categories, slug format or other stuff that might affect Google rankings, don’t be scared to make the changes as Google will sort itself out. You most likely will only make major changes at the beginning anyway.
• I would advise not to make these changes lightly or all of the time. It is true things will sort themselves out but you should only do this when absolutely necessary.

Social Marketing / SEM

Now you have your site up and running your need to advertise it or push it, 'just because you build it, does not mean they will come’. It will take a while for Google to find/index your new site/blog and this is especially true for new domains.

• Create a site map and submit it to Yahoo/Bing/Google
• Google Analytics (does help despite what people say because Google knows you site exists and is run by a human)
• Make sure Facebook, Twitter, LinkedIn and other social media are linked correctly.

Newsletters

• Having a newsletter can be good thing if you dont send them out all of the time.
• A newsletter when you are a blog is most likely just going to be a list of recent articles, so you will might not need a seperate newsletter in this case. The 'newsletter subscription' could just be a wrapper for the blogging system article updates.

Monetise

General Advertising methods will be discussed in another tutorial.

• Disqus with advertising.
• Google/Bing/Yahoo advertising
• Affiliate Links
• Links to your own products
• RSS feeds with adverts via Feedburner
• Newsletters (with stuff in them)
• Cloaked links (where you see an ad before going to the link) – not a fan of these
• Direct advertising banners
• Sell your own advertising

Running your Blog

Just some general ideas that need a mention. I might add to this as I go.

Writing Articles

long articles: pagination / long page / separate articles

when you have to split an article into many parts, it is acceptable to use 1 folder as you might reference the same image through the article, imagine an article like 1 large word document.

• www.myblog.com/carrots-part1
• www.myblog.com/carrots-part2
• www.myblog.com/carrots-part3

All images and media will be stored in

• www.myblog.com/images/blog/2014/carrots/

Blog Attribution

This is a worked example of blog attribution ssing this orginal source Article - Repair a Broken Ethernet Plug: 10 Steps (with Pictures) | instructables

• Search on google for articles 'Ethernet cable plug repair clips'
• And you will see the primary article from instructables heavily copied but everyone has a link back to the original article. Usually it is the article title hyperlinks or the websites domain name.
• Example Articles that uses the instructables article in some way.
  • Repair a Broken Ethernet Plug with Zip Ties | Lifehacker - This uses an image from the instructables article but with some of its own text. The article is short and its main aim is to point you tot he instructables article.
  • How do You Repair an Ethernet Cable with a Broken Locking Clip? | HowToGeek -This is separate article but in the comments it uses images and text from the instructables article but does give links back to that article.

I will not descibe how to config every feature in EasyBlog and Komento, however below is a list of the main interaction features I would setup.

These features tend to focus on user interaction and social integration and just because you set all of these features up does not mean you have to use them but makes life easier to turn them on at a later date.

EasyBlog (System)

• Google Maps (Settings-->General-->Location)
  • Location Services Settings - Configuration - EasyBlog Documentation
• Feedburner (Settings-->General-->RSS)
   
• Akismet (Inbuilt Comments) (Settings-->Comments-->Anti Spam)
• reCAPTCHA (Inbuilt Comments) (Settings-->Comments-->Anti Spam)
• Enable Comments (Komento/Inbuilt Comments) (Settings-->Comments-->Integrations)
  • EasyBlog - Comments Documentation
  • Integrating With Komento - Comments - EasyBlog Documentation
  • Enable your prefered system
     
• Google Adsense (Settings-->Integrations-->Adsense)
  • Integrating With Google Adsense - Integrations - EasyBlog Documentation
• Mailchimp (Settings-->Integrations-->Newsletters)
  • Integrating With Mailchimp - Integrations - EasyBlog Documentation
• Pingomatic (Settings-->Integrations-->Pingomatic)
  
  • Integrating With Pingomatic - Integrations - EasyBlog Documentation
     
• Mailbox Publishing (Settings-->Mailbox Publishing)
  • Email Publishing - Remote Publishing - EasyBlog Documentation
  • EasyBlog - Remote Publishing Documentation - How to remote publish posts.
  • Automatic publishing of posts via and an email account and cron.
     
• Flickr (Settings-->Media-->Flickr)
  • Integrating With Flickr - Integrations - EasyBlog Documentation
  • This allows users to use their Flickr photos via your API that you set up here.
  • By enabling Flickr integrations, user's can access their Flickr images via the media manager (and your Flickr App/API). You will first need to create an application with Flickr and copy the Api key and Secret Key from Flickr. (optional)
     
• OneSignal (Settings-->Notifications-->Push Notification)
  • Onesignal Push Notification - Configuration - EasyBlog Documentation
  • OneSignal - Multi-platform Push Notification Service
  • Push messages to Android, iOS and Web Push for desktops etc..
  • OneSignal provides free web push notifications service.
     
• Social Buttons (Settings-->Social Integrations-->General)
  • Social Integrations - Configuration - EasyBlog Documentation
  • On this guide, you will be able to configure the social buttons that appears on the blog listings. You can determine the size of the social buttons that would appear on the site.
• Facebook (Settings-->Social Integrations-->Facebook)
  • Social Integrations - Configuration - EasyBlog Documentation
  • This covers:
    • Facebook General Options - This guide will help you to configure the behavior of the Facebook button on the site.
    • Facebook Social Analytics - This section will help you setup Google Analytics Social Interactions for social buttons.
    • Facebook Button Styles - This section will help you configure the styling of Facebook button on your site.
    • Facebook Instant Article - This section will help you to configure Facebook instant article. Please visit our documentation on how you may Facebook Instant Article configuration.
• Twitter (Settings-->Social Integrations-->Twitter)
  • Social Integrations - Configuration - EasyBlog Documentation
  • This covers:
    
    • Twitter General Options - This section will help you to configure the Twitter button and Twitter cards.
    • Twitter Social Analytics - This section will help you setup Google Analytics Social Interactions for social buttons.
    • Twitter Remote Tweets - This section will help you to configure fetching remote tweets and convert them as a post.
       
• Facebook Autoposting (Auto Posting-->Facebook)
  • Facebook Autoposting - Autoposting - EasyBlog Documentation
• Twitter Autoposting (Auto Posting-->Twitter)
  • Twitter Autoposting - Autoposting - EasyBlog Documentation
• LinkedIn Autoposting (Auto Posting-->LinkedIn)
  • Linkedin Autoposting - Autoposting - EasyBlog Documentation

EasyBlog (Author/User)

• Facebook Autoposting (Authors-->{User}-->Blog Settings)
  • Facebook Autoposting For Author - Autoposting - EasyBlog Documentation
• Twitter Autoposting (Authors-->{User}-->Blog Settings)
  • Twitter Autoposting For Author - Autoposting - EasyBlog Documentation
• LinkedIn Autoposting (Authors-->{User}-->Blog Settings)
  • Linkedin Autoposting For Author - Autoposting - EasyBlog Documentation
• Feedburner (Authors-->{User}-->Integrations)

Komento

• Akismet (Settings-->Antispam-->Akismet)
• reCaptcha (Settings-->Antispam-->Captcha)
  • How To Setting Up Recaptcha - How Tos - Komento Documentation
• Cleantalk (Settings-->Antispam-->Cleantalk)
  • Anti-spam applications for websites by CleanTalk
  • Anti-Spam Features. CleanTalk protects your website from spam bots and spam.
     
• Google Maps (Settings-->General-->Location)
  • How To Enable Comment Location - How Tos - Komento Documentation
• Social Sharing Buttons (Settings-->General-->Social Sharing)
   
• Enable all required software integrations (Settings-->Integrations)
  • Komento - Integrations Documentation
  • EasyBlog - Integrations - Komento Documentation
  • Enable the integration of Komento for all required Joomla components.
     
• OneSignal (Settings-->Notifications-->Push Notifications)
  • Onesignal Push Notification Configuration - How Tos - Komento Documentation
  • OneSignal - Multi-platform Push Notification Service
  • Push messages to Android, iOS and Web Push for desktops etc..
  • OneSignal provides free web push notifications service.

Sort these

I think one of these will belong to facebook ssytem and one to facbook author

• Obtaining Facebook Profile Id - Autoposting - EasyBlog Documentation
• Obtaining Facebook Page Id - Autoposting - EasyBlog Documentation
• Do the facebook,twitter.linkedin, system API configurations allow the use of these services by the authors or are they seperate. Find out + make notres in this article

Step 19 - Bringing it altogether, what should I use?

Now you have read all my research let’s just review what has been said and then read the final conclusions.

Blogging System

Unless you want to use WordPress as a dedicated blogging system there is only one system you should use for Joomla, Easyblog. Easyblog has additional features such as remote blogging, inbuilt commenting, automatic Twitter and Facebook posting, Team Blogging, configurable URLs and much more rather than just dealing with the content. The beauty is you do not need to start finding additional plugins to do all the basics as you would with Joomla (only) or K2. There are other blogging systems for Joomla but they are paid and even so Easyblog seems to get the most votes and support. I can highly recommend the support, second to none.

My choice: Easyblog

Reasons: Lots of social integrations, configurable URLs and excellent support. Best blogging system for Joomla by far.

Commenting System

Local

If I were going to use a local commenting system I would choose, kommento. I would choose this over Jcomments. Komento it is well supported and has extra features such as automatic comment moderations, technology borrowed from WordPress. It is also made by Stakideas, the same producer as Easyblog. There would be no lag in displaying comments as they are stored in my database.

Remote

There is only one kid on the block for this, Disqus. It is everywhere and you can control comments from multiple sites in one control panel. The downside is the comments are not stored on your website. The comments  are Ajax driven and Google has only really just started indexing them.

My choice: Komento

Reasons: Well designed, allows my to control comments from different areas on my website and the comments are stored locally.

 www or non-www

This is a simple one to answer because I am runing a website with more than a blog on it and it is 2018. but for completeness there is another option if you are runngin a company website giving 2 options

• http://mydemosite.com/ - This should be used for personal websites or blog websites, but if you prefer www you can still use it.
• http://www.mydemosite.com/ - If running a company website you should always include the www as it seems to be the accepted standard.

My choice: non-www

Reasons: It is 2018 and QuantumWarp is more personal than corporate.

http or https

Again because it is 2018 and security and privacy is an issue an easy one to answer for all types of website.

My choice: https

Reasons: This is required for good ranking and security.

News or Blog

One thing to consider is whether your blog is a dedicated blog, personal blog, company websitee witha blog.

1. If you are running a dedicated blog you should have your articles running from the root
   • https://www.mydemosite.com/2014/01/31/{article_title}
   • https://www.mydemosite.com/{article_title}
2. If you are running a website with more than a blog I would run it from a subfolder/menu item called ‘blog’
   • https://www.mydemosite.com/blog/2014/01/31/{article_title}
   • https://www.mydemosite.com/blog/{article_title}
3. If you are running a company website I would run it from a subfolder/menu item called  ‘news’
   • https://www.mydemosite.com/news/2014/01/31/{article_title}
   • https://www.mydemosite.com/news/{article_title}

My Choice: /blog/

Reasons: QuantumWarp is more personal than corporate and I have other stuff on my website.

URL Slug

The only options I would consider are the following basic structures

1. Date Based
   • https://www.mydemosite.com/2014/01/31/{article_title}
   • https://www.mydemosite.com/2014/01/{article_title}
   • https://www.mydemosite.com/2014/{article_title}
2. Article Tiltle Only
   • https://www.mydemosite.com/{article_title}

Date Based: If you do 5 articles a year why would you need to divide your articles up in too months and days? The answer is you wouldn’t and just using the year would probably be ok. For medium article volume sites using the year and the month seems enough this also seems quite popular online. See my notes from earlier on deciding the segmentation based on article post frequency for more information.

If you move your articles from category to category its URL will not get affected and therefore any link juice pointing to that page or indeed incoming links will not be affected. However if you change the article title it would be.

Article Tiltle Only: This URL structure is the simplest and a few large online blogs use it. Again like option 1 changing of an articles category will not affect it and so this is quite resilient. The articles are not arranged by a date in the slug but search engines do not really need this information in the slug anymore.

Not having category information in the URL does not seem to cause many online blogs issues.

My choice: https://www.mydemosite.com/{article_title}

Reasons: This slug is resistant to category change and is a popular method.

Asset storage

NB: This is only required if your bloggin system does not have an inbuilt method of handling assets.

Now this might sounds a really stupid thing to consider but when you are creating your blog articles you want to know where to put the images because of rules rather than having a guess each time or randomly creating a folder or worse, just dumping files anywhere. At first these methods will save you time but the longer you do it the harder it will be to find images, what to call folders and so on... until you wished you started doing things properly in the first place. After research I have came up with an excellent method for storing your images. It is expandable and prevents folders from becoming infinitely full (which can be a pain when enumerating folders with an FTP software) See my notes from earlier about deciding the segmentation level based on article post frequency where you should of already decided what level you requrie.

• images/blog/{year}/{month}/{day}/{article_title}    (For large sites)
• images/blog/{year}/{month}/{article_title}                (For medium sites)
• images/blog/{year}/{article_title}                                  (For small sites)

Again like URLs they can be slightly tweaked to match your needs. The above URLs use Joomla’s image folder as their root as do most content driven stuff in Joomla. I have denoted the blog content with its own folder. These URLs are to be used irrespective of how you actually set you SEF URLs, but that does not mean you cannot match them i.e. if you use in both /{year}/{month}/{day}/{article_title}/.

If you start off with just using the year you can always add in a month folder later if you find you are writing to much content for 1 folder. At the very least you can run with just the year, for one year and then after that start adding in month folders to accommodate your extra writings.

As for the article title, once you have finished tweaking the article you are not likely to ever want to change this, and in the unlikely event you need to alter the article and altering its links will not be the end of the world.

My choice: images/blog/{year}/{article title}

Reasons: My website will only a have a small posting frequency of high quality articles.

Step 20 - Copy and Paste This!!!

This is an overview of what I have chosen and will act as a checklist for my future blog developements.

My Choices

• Blogging System: Easyblog
• Commenting System: Komento
• Domain Prefix: non-www
• Protocol: https
• Location: /blog/
• Slug: /{article_title}
• Asset Storage: images/blog/{year}/{month}/{article_title}
• Full URL: https://mydemosite.com/blog/{article_title}

Commenting is very important for a blog it allows your audience to engage with you and your content. One other advantage is sometime other people can help you improve your content by spotting mistakes or giving you enhancements. I would always want comment system on my blogs.

16- Types of Blogging Systems Research

There are basically 2 types of commenting systems, Local and Remote which i will now go into more depth below:

Local

This is where the software and the comments are made, stored and maintained on your website.  Some blogging systems come with commenting inbuilt and these enough for most people. Then there are the more complex commenting systems you can use to upgrade or replace default one or just install because you don't have one. Some of these systems can have some online services for auto moderating comments integrated to reduce spam, remove bad words and other such things but they do not store any data in the cloud but just the processing power of these services and then store the comments locally on your server after processing.

Remote

This is a new and growing trend in the social internet. I will just list the main pros and cons of using one of these services:

17 - Commenting Systems for Joomla Research

Apart form Disqus all of these commenting systems are for Joomla only.

K2 (inbuilt)

K2 has its own internal commenting system

Easyblog (Internal)

Easyblog comes with its own in-built commenting system. It is similiar to Komento but i dont think it has all of the same functionality.

Komento

This is a paid for extension from Stackideas, the makers of Easyblog and is constantly maintained.

• Komento, by stackideas - Joomla Extension Directory
• Komento - Joomla Comment Extension - StackIdeas

JComments

This is the orginal commenting system for Joomla and is free. It does not seem to be actively maintained anymore but still works.

• JComments, by smart - Joomla Extension Directory
• JComments - comment extension for Joomla

Disqus

This is a cloud based commenting system that is free to use and offers the possibility of advertising revenue. However on large traffic sites you do have topay to use the service. End users never have to pay it is just for the website owners taht the costs can creep in. You need to take this into account if your website is going to scale up. For small websites using this service is an option.

Step 18 - Choose a Commenting System

After reading all of this information, answers to the following questions will allow you to choose the commenting system you want to use:

Do I want local or remote comments?

Followed by:

Which blogging system am I going to use?

Step 12 - Research of Live Blog Sites

Visit loads of online and large blogs and examine their URLS to see how everyone else does it and then consider which is the best format for your blog. URL research online, is a great way to work out what URL you want to use

Below is my research of various blog sites and how they setup their URLs and asset storage.

• Ars Technica - (WordPress)
  • URL - http://arstechnica.com/information-technology/2014/02/video-ars-rolls-in-with-a-telepresence-robot/
  • Image - http://cdn.arstechnica.net/wp-content/uploads/2014/01/DSC_1314-640x425.jpg
  • URL - http://arstechnica.com/security/2014/02/what-a-fake-antivirus-attack-on-a-trusted-website-looks-like/
  • Image - http://cdn.arstechnica.net/wp-content/uploads/2014/01/fake-av-attack-640x344.jpg
  • Ignore the CDN locations, imagine they were local
• LiferHacker – (not sure what they use)
  • URL - http://lifehacker.com/do-you-use-a-shredder-1517659663
  • Image - http://img.gawkerassets.com/img/19evqdigl4sitjpg/ku-xlarge.jpg
  • URL - http://lifehacker.com/how-we-work-2014-tessa-millers-gear-and-productivity-1513968211
  • Image - http://img.gawkerassets.com/img/19edjn960d41hjpg/ku-xlarge.jpg
• TechCrunch – (WordPress)
  • URL - http://techcrunch.com/2014/02/06/opentable-ness/
  • Image - http://tctechcrunch2011.files.wordpress.com/2013/04/ness-launchscreen.png?w=400
  • URL - http://techcrunch.com/2014/02/06/apple-sapphire-display-manufacturing-components/
  • Image - http://tctechcrunch2011.files.wordpress.com/2013/09/iphone5c-front-apps-low-angle.png?w=738
• How To Geek – (WordPress)
  • URL - http://www.howtogeek.com/181866/how-do-you-repair-an-ethernet-cable-with-a-broken-locking-clip/
  • Image - http://cdn.howtogeek.com/wp-content/uploads/2014/02/howdoyourepairanethernetcablewithabrokenlockingclip00.jpg
• Paul Thurrott’s Super Site for Windows
  • URL - http://winsupersite.com/windows-8/windows-81-update-1-modernmix
  • Image - http://winsupersite.com/site-files/winsupersite.com/files/imagecache/large_img/uploads/2014/02/modernmix-w81u1-hero.jpg
  • URL - http://winsupersite.com/xbox/xbox-one-february-2014-system-update-set-next-week
  • Image - http://winsupersite.com/site-files/winsupersite.com/files/imagecache/large_img/uploads/2014/02/xbox-feb11-hero.jpg
• Gizmodo
  • URL - http://www.gizmodo.co.uk/2014/02/fighter-pilots-couldnt-ask-for-a-better-wingman-than-the-little-buddy/
  • Image - http://media.gizmodo.co.uk/wp-content/uploads/2014/02/19erqwn83x5lajpg.jpg
  • Image - http://img.gawkerassets.com/img/19erqwn7zct7yjpg/ku-xlarge.jpg
  • URL - http://www.gizmodo.co.uk/2014/02/the-worlds-most-powerful-laser-is-headed-for-a-czech-research-lab/
  • Image - http://media.gizmodo.co.uk/wp-content/uploads/2014/02/19evpt6g21e3cjpg.jpg
    
• mashable.com
  • URL - http://mashable.com/2014/02/07/mark-zuckerberg-facebook-stake/
  • Image - http://rack.1.mshcdn.com/media/ZgkyMDE0LzAyLzA3LzJhL3p1Y2tlcmJlcmc0LjRiZDMyLmpwZwpwCXRodW1iCTk1MHg1MzQjCmUJanBn/3c4719f7/bf2/zuckerberg4.jpg
  • URL - http://mashable.com/2014/02/07/olympics-scandals-map/
  • Image - http://rack.3.mshcdn.com/media/ZgkyMDE0LzAyLzA3LzM1L0FQMzU5ODQ2OTk5LjBiYTNhLmpwZwpwCXRodW1iCTk1MHg1MzQjCmUJanBn/2e60e334/3ec/AP359846999234.jpg
• techtricksworld.com - (WordPress)
  • URL - http://www.techtricksworld.com/2014/02/satya-nadella-microsoft-ceo.html
  • Image - http://www.techtricksworld.com/wp-content/uploads/2014/02/satya-nadella-.jpg
  • URL - http://www.techtricksworld.com/2014/02/nexus-6-the-concept-phone.html
  • Image - http://www.techtricksworld.com/wp-content/uploads/2014/02/nexus_6-1024x576.jpg
• seobook.com
  • URL - http://www.seobook.com/measure-business-benefit
  • Image - http://www.seobook.com/images/mattcuttsguest.png
  • URL - http://www.seobook.com/divide-and-conquer-algorithm
  • Image - http://www.seobook.com/images/kool-aid-man.jpg
• seoroundtable.com
  • URL - http://www.seroundtable.com/google-german-link-penalty-18075.html
  • Image - http://images.seroundtable.com/german-agency-1391738363.png
  • URL - http://www.seroundtable.com/google-url-removal-tool-bug-18079.html
  • Image - http://images.seroundtable.com/t-google-404-1303660172.jpg
• Prestashop Blog
  • URL - http://www.prestashop.com/blog/en/omni-channel-the-future-of-commerce/
  • Image - http://www.prestashop.com/blog/en/files/2014/02/ebay-logo.jpg
  • URL - http://www.prestashop.com/blog/en/prestashop-world-tour-stepworks-shares-hong-kong-ecommerce-trends/
  • Image - http://www.prestashop.com/blog/en/files/2014/02/Hong-kong.jpeg

Step 13 - Blogging System URLs

I will list here the various CMS systems and their URLs. This will help to see what other people use and why.

Joomla

URLs are purely controlled by the following things. This allows a lot manual control but can be time consuming.

• Menu item/Menu Alias
• Category/Category Alias
• Article Alias

K2

URLs are purely controlled by the following things (same as Joomla). This allows a lot manual control but can be time consuming.

• Menu item/Menu Alias
• Category/Category Alias
• Article Alias

Easyblog

Below is the list of Easyblog URL options and I will go through each one.

• Enable Unicode aliases - If enabled, EasyBlog will insert an id of your content as part of your permalink. E.g. 24-your-blog-title. This will support any Unicode characters such as Hebrew, Russian or Polish languages in your permalinks.
• Enable language translations for URL - Enable or disable language translations on EasyBlog URLs. If you choose to enable this option, your language file for EasyBlog must be able to support this feature.
• URL Format for your entry - see table below
  

Easyblog URL Pros and Cons

Overview Pros and Cons of Easyblog URLs

This will give an overview of the Easyblog URL setup because it has so many different internal options

WordPress

Now we will look at the WordPress URL options and list them here. WordPress calls SEF links Permalinks.

Primary URL Option

Wordpress Optional URL Settings

If you like, you may enter custom structures for your category and tag URLs here. For example, using topics as your category base would make your category links like http://www.yoursite.com/topics/uncategorised/. If you leave these blank the defaults will be used.

• Category Base
• Tag Base

Conclusion

As you can see, WordPress allows very specific configuration of its URL structure. This is by far the most configurable URL system. Most people running blogs use only the primary URL option as it suits most needs.

All of the URLs above (before adding ‘Category Base’ and ‘Tag Base)

Step 14 - Category and Article URLs

Planning your URLs is very important, it is how search engines access and index your website. You cannot change an established link without consequences but it can be done if needed. How often have you added a link to your bookmarks only to come back to it later to find the page is no longer there. I am trying to avoid this situation by having good planning.

Using the information from the research above I made the following notes and my Joomla Blog Software research

• All articles should not have category routes on them? (SEOrountable.com uses this method). This allows you to move an article to another category without affecting its UR and therefore SEO ranking
• All large dedicated blog sites use the root for their blog
• News sites and non-dedicated blogging websites tend to put their blog in a sub-folder/menu such as ‘news’ or 'blog'
• Seoroundtable, seobook and lifehacker all use the URL format - http://www.mydemosite.com/{article_title}
• Best to only put your article in 1 category and use tags
• it is the URL that is important and cannot be changed without hurting SEO, whereas not so important for the images and assets as these can be moved without hurting SEO (not much if any) and they primary location is decided by organisational considerations i.e. /2014/ , /2014/12/
• You need to use SEF URLs at all times not those ugly ones with ?/= in them
• Do not use .html at the end of your link. It is the old way of doing things.
• If an article title or category have an ID in the URL this is ok because google understands them. These can also prevent duplicate URL/content because the item Id are always unique.

I recommend to use one of the following, no date or category in the url. However if you choose to use wordpress I would read the 'How many articles will you write?' section.

• http://www.mydemosite.com/{article_title}
• http://www.mydemosite.com/news/{article_title}
• http://www.mydemosite.com/blog/{article_title}

Step 15 - Image/Asset storage location for articles

We now have addressed what URLs to use for the articles and blog but the articles will most likely have images or assets that need to go somewhere. The rules to where you store your article assets are separate to the URL format however they could match depending on your setup.

Blogging systems with in-built asset handling:

• Wordpress
  • Will store all assets in a folder based on date e.g. wp-content/uploads/2017/12/profile-cropped-300.jpg so there is no real manual intervention you can do or need to do. The date structure is based on what Permalink Common Settings you select in the Wordpress admin options. I have not verify the different possibilities but this is an educated guess from my live blog research above.
• EasyBlog
  • By default Easyblog uses /images/Easyblog and possibly needs changing
  • Easyblog has team blogging and a user’s files will be stored in a folder such as /images/Easyblog/user_files/789/{assets here} . A user’s image folder is separate to everyone else’s images,  /images/Easyblog/user_files/789/ is their root folder.
  • When using Easyblog a particular users image files will be in a different root folder and will have the users ID added as a folder to its root, this being said you should follow the same rules you pick for the rest of the site but applied to individual users if you want all of their files separate.
  • You can use my rules below in EasyBlog but you should stick with the in-built system.

Blogging systems without in-built assets handling:

This is my attempt to create a generic system for storing your files and will reflect the frequency of new articles created in your blog and these rules really come into their own when the system you are using does not have an automatic system for handling assets. Using these rule will require you to manually place those assets according according to the rules unless you can configure the system you are using to follow these rules. These rules can be applied to systems that are not blogs.

The reason for these rules are:

• Make writing articles easier to write because the author knows where to place the assets.
• Single folders will not hold 1000s of assets. This can cause enumeration issues aswell as making it difficult to identify what assets belong to which article.
• Make it easier to manage assets already on the server.

How many articles will you write?

Before making your selection you should figure out how many articles are likely to be created on your blog. You can use any of these levels for any amount of articles but there is no point in overcomplicating things so these guidelines below will help you determine what the level of folder structure that is required to keep your files organised and prevent a single folder becoming bloated.

• 1 article every 5 days = 73 articles a year
• Use /2014/{article_title}

• 1 article every 3 days = 121.667 articles a year
• This is on the limit of /2014/{article_title} you should use /2014/12/{article_title}

• 1 article every 1 day = 365 articles a year
• Use /2014/12/{article_title}

• 1+ article every 1 day (or team blogging) = 365+ articles a year
• Use /2014/12/31/{article_title}

Once you have picked a level, you need to stick with it for a year. Come the next year you can then choose upgrade/downgrade/same depending on the amount of articles you have done or have not done. Doing this keeps all your files in order and maintains the 'year' container so the rules are not swapped mid-stream causing issue about which rules to follow.

You now need to check over the information and select which option is best for you:

Table Notes

• {article_title} is the SEF URL slug generated for the article.
• {article_id} is the article ID of the article.
• Because I am using the Joomla, the base folder for all user assets is /images/and therefore is the one I am using. If you do not use Joomla you might want to select a different base folder.
• All assets for the blog should be within a /blog/ folder and then that folder should be within the base folder you choose e.g. /images/blog/.
• All Joomla blog images should be in /images/blog/ as the blogs image root.
• All of these assume the article title will not change.
• Size of the site referers to new article creation frequency.

Step 10 - Research Software

Because I use Joomla I need to look at all of the different blogging systems available along with commenting systems. I will assess them to see shich is the best setup.

Joomla Only

Using Joomla as is can be an option for some.

Conclusion

Too basic and not enough control over URLs. This might be ok for a news section of a website.

K2

This is a Joomla CCK with lots of content features but has blogging abilities. It does not have things like autoposting to social media built in.

Pros

Conclusion

Has more than standard Joomla such as image auto resizing and an inbuilt commenting system but is still too basic without plugins for a dedicated blog. Too basic and not enough control over URLs. This might be all right for a news section of a website.

Easyblog

Easyblog seems to be a blogging system with all the tools built in.

Conclusion

Easyblog is basically trying to be a clone of WordPress running as a native component in Joomla. It has all the features of a dedicated blogging system and allows the use of Joomla content plugins. One of the selling factors of Easyblog is that you can, like WordPress, configure the URLs separate to articles and categories. Easyblog also has a lot of social integration making it an ideal choise. This is a must as you won’t lose SEO ranking or traffic because you have a reorganise.

Links

• Blogging With Joomla: EasyBlog from StackIdeas | OSTraining

WordPress for Joomla

There are 2 WordPress integrations for Joomla. Both of which have slightly different reviews.  There are some bridges and post copier extensions but I would not count these as use for this project.

WordPress is the go to standalone blogging platform but I am looking at this whilst using Joomla as I want all the benefits of Joomla with a Blog. You could in theory run WordPress and Joomla side-by-side with the same themes but this is extra work and would take more configurations.

Conclusion

WordPress is without doubt an excellent blogging system but that is all it is. It is similar to Joomla in that you can use plugins to extend the platform but when you start doing this it is much easier to use Joomla. WordPress for Joomla does not allow you to use Joomla plugins for the content in WordPress and not all WordPress plugins will work. So basically if you want to use WordPress, use it but without the Joomla wrapper anything else seems pointless

Joomla Integration Plugins

• WordPress Blog for Joomla!
• WP4J

Step 11 - Choose Software

Now you have read my research you can either can look at some of the other platforms on the internet or pick one and move to the next step.