infrastruktur:host:dobby-setup

Differences

This shows the differences between two versions of the page.

infrastruktur:host:dobby-setup [02.02.2025 12:58] – [Apt Unattended updates] Linus Lüssing
infrastruktur:host:dobby-setup [15.02.2025 01:32] (current) – [Netfilter Firewall] Linus Lüssing
Zeile 36: Zeile 36:
             * IPv6/CIDR: 2a01:170:1112::8/64             * IPv6/CIDR: 2a01:170:1112::8/64
             * Gateway: 2a01:170:1112::1             * Gateway: 2a01:170:1112::1
 +
 +===== Basic Network Settings =====
 +
 +/etc/systemd/network/lan0.network:
 +
 +<code>
 +[Match]
 +Name=eth0
 +
 +[Network]
 +DHCP=no
 +IPv6AcceptRA=no
 +Address=172.23.208.8/23
 +Address=2a01:170:1112::8/64
 +Address=fd20:bdda:5df0::8/64
 +Gateway=172.23.208.1
 +Gateway=2a01:170:1112::1
 +</code>
 +
 +<code>
 +apt-get remove ifupdown
 +systemctl enable systemd-networkd
 +systemctl enable systemd-networkd
 +reboot
 +</code>
 +
 +<code>
 +root@dobby:~# cat /etc/resolv.conf 
 +# --- BEGIN PVE ---
 +search nobreakspace.org
 +nameserver 172.23.208.1
 +nameserver 2a01:170:1112::1
 +# --- END PVE ---
 +</code>
  
 ===== Apt Unattended updates ===== ===== Apt Unattended updates =====
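Review bot: `systemctl enable systemd-networkd` appears twice in the second code block; the second copy is a duplicate and should be dropped (if a second unit such as `systemd-resolved` was meant, name it). Two smaller points in the same hunk: the unit file is called `lan0.network` but matches `Name=eth0`, so either rename the file or say why they differ, and because `apt-get remove ifupdown` is followed directly by `reboot`, a `networkctl status eth0` check after starting systemd-networkd would catch a broken `[Network]` section before the host loses its only path in. The `/etc/resolv.conf` listing shows the file is written by PVE (`--- BEGIN PVE ---`); stating that explicitly prevents someone from adding `DNS=` to the .network unit or hand-editing a file that gets overwritten.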
Zeile 49: Zeile 83:
  
 <code> <code>
-echo 'Unattended-Upgrade::Automatic-Reboot "true";' > /etc/apt/apt.conf.d/52unattended-upgrades-local +echo 'Unattended-Upgrade::Automatic-Reboot "true";' > /etc/apt/apt.conf.d/52unattended-upgrades-local 
-echo 'Unattended-Upgrade::Automatic-Reboot-Time "03:42";' >> /etc/apt/apt.conf.d/52unattended-upgrades-local+echo 'Unattended-Upgrade::Automatic-Reboot-Time "03:42";' >> /etc/apt/apt.conf.d/52unattended-upgrades-local
 </code> </code>
  
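Review bot: the only change in this hunk is trailing whitespace added after the first `echo` line; there is no functional difference, so the revision could leave the line untouched to keep the diff clean. Independently of that, `Automatic-Reboot "true"` with `Automatic-Reboot-Time "03:42"` means the dn42 BGP router reboots at 03:42 whenever an upgrade requests it, taking every peer session down with it; a sentence saying so next to the block keeps the nightly session flap from being mistaken for a fault.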
Zeile 56: Zeile 90:
 $ reboot $ reboot
 </code> </code>
 +
 ===== Netfilter Firewall ===== ===== Netfilter Firewall =====
  
Zeile 71: Zeile 106:
 nft add rule inet filter forward iifname "eth0" oifname "dn42_*" accept nft add rule inet filter forward iifname "eth0" oifname "dn42_*" accept
 nft add rule inet filter forward iifname "dn42_*" oifname "eth0" ct state established,related accept nft add rule inet filter forward iifname "dn42_*" oifname "eth0" ct state established,related accept
-nft add rule inet filter forward counter reject+nft add rule inet filter forward counter reject with icmpx type admin-prohibited
 </code> </code>
  
-Testen, dann persistent machen:+Persistent machen:
  
 <code> <code>
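Review bot: `reject with icmpx type admin-prohibited` makes the rejection explicit for both address families in the `inet` table, which is an improvement, but the text change from "Testen, dann persistent machen" to "Persistent machen" removes the test-before-persist step. Keep an `nft list ruleset` review and a quick check from the LAN side in the text before the ruleset is written out, since a wrong forward rule here cuts the LAN off from dn42 and only the `counter` on the final reject will show it.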
Zeile 87: Zeile 122:
 </code> </code>
  
 +Forwarding aktivieren:
 +
 +<code>
 +$ echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/10-ip-forward.conf
 +net.ipv4.ip_forward=1
 +$ echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/10-ip-forward.conf
 +</code>
 +
 +===== OPNSense Firewall fw01.nobreakspace.org =====
 +
 +  * [x]: announce fd20:bdda:5df0::/64 im radvd, statt fd69:2694:4eb5::
 +    * https://fw01.nobreakspace.org/ui/interfaces/vip
 +    * dort `fd69:2694:4eb5::/48` auf `fd20:bdda:5df0::1/64` geändert
 +  * [x]: dobby alias
 +    * https://fw01.nobreakspace.org/ui/firewall/alias
 +    * Firewall->Aliases, add:
 +    * Enabled: true
 +    * Name: dobby
 +    * Type: Host(s)
 +    * Categories: services
 +    * Content: 172.23.208.8, 2a01:170:1112::8
 +    * Description: dn42 BGP router
 +  * [x]: statisches DHCPv4 mapping (optional, eigentlich stat. IPs):
 +    * https://fw01.nobreakspace.org/services_dhcp.php?if=lan
 +    * MAC address: BC:24:11:0F:A6:06
 +    * IP address: 172.23.208.8
 +    * Hostname: dobby
 +  * [x]: IPv4 port forwarding:
 +    * https://fw01.nobreakspace.org/firewall_nat.php
 +    * Description: dobby dn42 tunnels
 +    * Interface: WAN
 +    * Destination: 82.139.255.241
 +    * Redirect target IP: 172.23.208.8
 +    * Protocol: UDP
 +    * Destination port range: 2300-2399
 +  * [x]: IPv6 incoming erlauben:
 +    * https://fw01.nobreakspace.org/firewall_rules.php?if=wan
 +    * Firewall->Rules->Wan, hinzufügen:
 +        * Action: Pass
 +        * Disabled: false
 +        * Quick: Apply the action immediately on match
 +        * Interface: WAN
 +        * Direction: in
 +        * TCP/IP version: IPv6
 +        * Protocol: any
 +        * Source/invert: false
 +        * Source: any
 +        * Destination/invert: false
 +        * Destination: dobby
 +        * Destination port range: from: any, to: any
 +        * Gateway: default
 +  * [x]: Variante A) statische Routen zu dobby hinzufügen
 +    * ~~Routing: General:~~
 +        * ~~Enable: yes~~
 +    * ~~Routing: STATIC -> General:~~
 +        * ~~Enable: yes~~
 +    * ~~Routing: STATIC -> Routes, Add:~~
 +        * ~~IPv6:~~
 +            * ~~Network: fd00::/8~~
 +            * ~~Gateway: fd20:bdda:5df0::8~~
 +            * ~~Interface: LAN~~
 +    * System: Gateways: Configuration, Add:
 +        * IPv6:
 +            * Name: dobby_dn42_ipv6
 +            * Description: dobby dn42 IPv6 Gateway
 +            * Interface: LAN
 +            * Address Family: IPv6
 +            * IP address: fd20:bdda:5df0::8
 +            * (Upstream Gateway: no!)
 +        * IPv4:
 +            * Name: dobby_dn42_ipv4
 +            * Description: dobby dn42 IPv4 Gateway
 +            * Interface: LAN
 +            * Address Family: IPv4
 +            * IP address: 172.23.208.8
 +            * (Upstream Gateway: no!)
 +        * System: Routes: Configuration, Add:
 +            * IPv6:
 +                * Network Address: fd00::/8
 +                * Gateway: dobby_dn42_ipv6
 +                * Description: dn42 (+Freifunk) IPv6
 +            * IPv4, dn42:
 +                * Network Address: 172.20.0.0/14
 +                * Gateway: dobby_dn42_ipv4
 +                * Description: dn42 IPv4
 +            * IPv4, ChaosVPN:
 +                * Network Address: 172.31.0.0/16
 +                * Gateway: dobby_dn42_ipv4
 +                * Description: ChaosVPN (via dn42)
 +            * IPv4, ChaosVPN, neonetwork, Freifunk:
 +                * Network Address: 10.0.0.0/8
 +                * Gateway: dobby_dn42_ipv4
 +                * Description: ChaosVPN, neonetwork, Freifunk/ICVPN (via dn42)
 +  * [ ]: Variante B) full BGP import von dobby, export Filter auf dobby (-> Routing: BGP)
 +  * [x]: DNS hinzufügen: https://dn42.dev/services/DNS
 +    * Services: Unbound DNS: Advanced:
 +      * Private Domains: add "dn42"
 +    * Services: Unbound DNS: Query Forwarding -> Custom forwarding, add:
 +      * Enabled: yes
 +      * Domain: dn42
 +      * Address: fd42:d42:d42:54::1
 +      * Description: dn42 DNS
 ===== Bird2 ===== ===== Bird2 =====
  
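Review bot: the sysctl block contains a stray `net.ipv4.ip_forward=1` line between the two `echo` commands; it is neither a command nor output of `echo ... >`, so drop it, and add `sysctl --system` after the second `echo` so forwarding is active without a reboot. On the OPNsense side the IPv4 port forward is narrowed to UDP 2300-2399, but the IPv6 WAN rule passes `Protocol: any` to `Destination: dobby` with `Destination port range: any`; either narrow it to the same UDP range or state that dobby's own nft input chain is the intended filter for v6. Note also that the static route `172.20.0.0/14` covers the LAN's own `172.23.208.0/23` (from `Address=172.23.208.8/23` above); the connected route is more specific so this works, but a remark next to the route would save the next reader the check.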
Zeile 269: Zeile 406:
  
         export filter { if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };         export filter { if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
-        import limit 1000 action block;+        import limit 9000 action block;
     };     };
  
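Review bot: raising `import limit` from 1000 to 9000 is a large jump; record in the text what the current import count is (`birdc show protocols all` shows routes imported per session) so the limit stays above the real table size yet still catches a peer leaking far more than it should. With `action block` a session that trips the limit stays up but stops importing, which is easy to miss without monitoring; `action restart`, or an alert on the blocked state, is the usual safeguard.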
Zeile 282: Zeile 419:
         };         };
         export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };         export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
-        import limit 1000 action block; +        import limit 9000 action block; 
     };     };
 } }
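Review bot: the new line carries trailing whitespace after `action block;`; otherwise this is the same 1000 to 9000 change as in the IPv4 channel, so the value is now duplicated in two places and the two should be kept in sync (or noted as intentionally different if the v6 table size differs).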
Zeile 290: Zeile 427:
 </code> </code>
  
 +==== ROA updaten ====
 +
 +<code>
 +# /etc/systemd/system/dn42-roa.service
 +[Unit]
 +Description=Update DN42 ROA
 +
 +[Service]
 +Type=oneshot
 +ExecStart=curl -sfSLR -o /etc/bird/roa_dn42.conf -z /etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf
 +ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
 +ExecStart=birdc configure
 +</code>
 +
 +<code>
 +# /etc/systemd/system/dn42-roa.timer
 +[Unit]
 +Description=Update DN42 ROA periodically
 +
 +[Timer]
 +OnBootSec=2m
 +OnUnitActiveSec=15m
 +AccuracySec=1m
 +
 +[Install]
 +WantedBy=timers.target
 +</code>
 +
 +<code>
 +$ systemctl daemon-reload
 +$ systemctl enable dn42-roa.timer
 +$ systemctl start dn42-roa.timer
 +</code>
 ==== Peer hinzufügen ==== ==== Peer hinzufügen ====
  
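Review bot: `curl -o /etc/bird/roa_dn42.conf` writes straight into the live config path, so a transfer that breaks off mid-download leaves a truncated file there; download to a temporary file and move it into place instead. The oneshot unit does stop at the first failing `ExecStart`, so `birdc configure` is not run after a failed `curl`, and bird keeps its running configuration when the new file does not parse, which limits the damage, but a note saying that is relied upon belongs in the text. `-z` on a file that does not exist yet only makes curl warn and fetch unconditionally, so the first run works; say so. Finally, the text should mention where `roa_dn42.conf` and `roa_dn42_v6.conf` are included from `bird.conf`, and that the ROA table is whatever dn42.burble.com serves over HTTPS, i.e. a third party this router trusts for route validation.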
Zeile 362: Zeile 532:
         neighbor ${PEERIP6}%dn42_${PEERNAME}_wg as ${PEERASN};         neighbor ${PEERIP6}%dn42_${PEERNAME}_wg as ${PEERASN};
 } }
 +EOF
 </code> </code>
 +
 +Oder alternativ/präferiert via multiprotocol "extended next hop" (IPv4 via v6 next hop):
 +
 +<code>
 +$ cat << EOF > /etc/bird/peers/dn42-${PEERNAME}.conf
 +protocol bgp dn42_${PEERNAME}_v6 from dnpeers {
 +        neighbor ${PEERIP6}%dn42_${PEERNAME}_wg as ${PEERASN};
 +        
 +        ipv4 {
 +                extended next hop on;
 +        };
 +}
 +EOF
 +</code>
 +
 +Dann hat man lustige Routen wie diese:
 +
 +<code>
 +$ ip -4 route show prot bird via inet6 fe80::b
 +10.26.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32 
 +10.29.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32 
 +10.37.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32 
 +10.56.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32 
 +10.60.128.0/20 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
 +...
 +</code>
 +
 +Und man benötigt keine IPv4 Adress Absprachen für den Wireguard Tunnel, für dn42-${PEERNAME}-wg.network.
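Review bot: the added `EOF` closes the heredoc that the previous revision left open, good. For the extended next hop variant two points should be in the text: the peer has to enable extended next hop as well (it is negotiated per session, RFC 8950), otherwise the `ipv4` channel will not come up; and if `dnpeers` does not already define an `ipv4` channel with its import/export filters, the `ipv4 { extended next hop on; };` block creates one with bird's channel defaults (import all), bypassing the `is_valid_network()` and ROA checks, so make sure it is the template's filtered channel that is being extended. Both variants write the same file `/etc/bird/peers/dn42-${PEERNAME}.conf`, so they replace rather than complement each other; say so where the "alternativ/präferiert" choice is introduced.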
infrastruktur/host/dobby-setup.1738501106.txt.gz · Last modified: 02.02.2025 12:58 by Linus Lüssing