Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

--- infrastruktur:host:dobby-setup [02.02.2025 12:58] – [Apt Unattended updates] Linus Lüssing
+++ infrastruktur:host:dobby-setup [29.11.2025 04:57] (aktuell) – [Bird2] Linus Lüssing
@@ Zeile 36: / Zeile 36: @@
             * IPv6/CIDR: 2a01:170:1112::8/64
             * Gateway: 2a01:170:1112::1
+===== Basic Network Settings =====
+/etc/systemd/network/lan0.network:
+<code>
+[Match]
+Name=eth0
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=172.23.208.8/23
+Address=2a01:170:1112::8/64
+Address=fd20:bdda:5df0::8/64
+Gateway=172.23.208.1
+Gateway=2a01:170:1112::1
+</code>
+<code>
+apt-get remove ifupdown
+systemctl enable systemd-networkd
+systemctl enable systemd-networkd
+reboot
+</code>
+<code>
+root@dobby:~# cat /etc/resolv.conf
+# --- BEGIN PVE ---
+search nobreakspace.org
+nameserver 172.23.208.1
+nameserver 2a01:170:1112::1
+# --- END PVE ---
+</code>
 ===== Apt Unattended updates =====
@@ Zeile 56: / Zeile 90: @@
 $ reboot
 </code>
 ===== Netfilter Firewall =====
@@ Zeile 71: / Zeile 106: @@
 nft add rule inet filter forward iifname "eth0" oifname "dn42_*" accept
 nft add rule inet filter forward iifname "dn42_*" oifname "eth0" ct state established,related accept
-nft add rule inet filter forward counter reject
+nft add rule inet filter forward counter reject with icmpx type admin-prohibited
 </code>
-Testen, dann persistent machen:
+Persistent machen:
 <code>
@@ Zeile 87: / Zeile 122: @@
 </code>
+Forwarding aktivieren:
+<code>
+$ echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/10-ip-forward.conf
+net.ipv4.ip_forward=1
+$ echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/10-ip-forward.conf
+</code>
+===== OPNSense Firewall fw01.nobreakspace.org =====
+  * [x]: announce fd20:bdda:5df0::/64 im radvd, statt fd69:2694:4eb5::
+    * https://fw01.nobreakspace.org/ui/interfaces/vip
+    * dort `fd69:2694:4eb5::/48` auf `fd20:bdda:5df0::1/64` geändert
+  * [x]: dobby alias
+    * https://fw01.nobreakspace.org/ui/firewall/alias
+    * Firewall->Aliases, add:
+    * Enabled: true
+    * Name: dobby
+    * Type: Host(s)
+    * Categories: services
+    * Content: 172.23.208.8, 2a01:170:1112::8
+    * Description: dn42 BGP router
+  * [x]: statisches DHCPv4 mapping (optional, eigentlich stat. IPs):
+    * https://fw01.nobreakspace.org/services_dhcp.php?if=lan
+    * MAC address: BC:24:11:0F:A6:06
+    * IP address: 172.23.208.8
+    * Hostname: dobby
+  * [x]: IPv4 port forwarding:
+    * https://fw01.nobreakspace.org/firewall_nat.php
+    * Description: dobby dn42 tunnels
+    * Interface: WAN
+    * Destination: 82.139.255.241
+    * Redirect target IP: 172.23.208.8
+    * Protocol: UDP
+    * Destination port range: 2300-2399
+  * [x]: IPv6 incoming erlauben:
+    * https://fw01.nobreakspace.org/firewall_rules.php?if=wan
+    * Firewall->Rules->Wan, hinzufügen:
+        * Action: Pass
+        * Disabled: false
+        * Quick: Apply the action immediately on match
+        * Interface: WAN
+        * Direction: in
+        * TCP/IP version: IPv6
+        * Protocol: any
+        * Source/invert: false
+        * Source: any
+        * Destination/invert: false
+        * Destination: dobby
+        * Destination port range: from: any, to: any
+        * Gateway: default
+  * [x]: Variante A) statische Routen zu dobby hinzufügen
+    * ~~Routing: General:~~
+        * ~~Enable: yes~~
+    * ~~Routing: STATIC -> General:~~
+        * ~~Enable: yes~~
+    * ~~Routing: STATIC -> Routes, Add:~~
+        * ~~IPv6:~~
+            * ~~Network: fd00::/8~~
+            * ~~Gateway: fd20:bdda:5df0::8~~
+            * ~~Interface: LAN~~
+    * System: Gateways: Configuration, Add:
+        * IPv6:
+            * Name: dobby_dn42_ipv6
+            * Description: dobby dn42 IPv6 Gateway
+            * Interface: LAN
+            * Address Family: IPv6
+            * IP address: fd20:bdda:5df0::8
+            * (Upstream Gateway: no!)
+        * IPv4:
+            * Name: dobby_dn42_ipv4
+            * Description: dobby dn42 IPv4 Gateway
+            * Interface: LAN
+            * Address Family: IPv4
+            * IP address: 172.23.208.8
+            * (Upstream Gateway: no!)
+        * System: Routes: Configuration, Add:
+            * IPv6:
+                * Network Address: fd00::/8
+                * Gateway: dobby_dn42_ipv6
+                * Description: dn42 (+Freifunk) IPv6
+            * IPv4, dn42:
+                * Network Address: 172.20.0.0/14
+                * Gateway: dobby_dn42_ipv4
+                * Description: dn42 IPv4
+            * IPv4, ChaosVPN:
+                * Network Address: 172.31.0.0/16
+                * Gateway: dobby_dn42_ipv4
+                * Description: ChaosVPN (via dn42)
+            * IPv4, ChaosVPN, neonetwork, Freifunk:
+                * Network Address: 10.0.0.0/8
+                * Gateway: dobby_dn42_ipv4
+                * Description: ChaosVPN, neonetwork, Freifunk/ICVPN (via dn42)
+  * [ ]: Variante B) full BGP import von dobby, export Filter auf dobby (-> Routing: BGP)
+  * [x]: DNS hinzufügen: https://dn42.dev/services/DNS
+    * Services: Unbound DNS: Advanced:
+      * Private Domains: add "dn42"
+    * Services: Unbound DNS: Query Forwarding -> Custom forwarding, add:
+      * Enabled: yes
+      * Domain: dn42
+      * Address: fd42:d42:d42:54::1
+      * Description: dn42 DNS
 ===== Bird2 =====
@@ Zeile 216: / Zeile 353: @@
 {
   local as OWNAS;
-  neighbor fd42:4242:2601:ac12::1 as 4242422602;
+  #neighbor fd42:4242:2601:ac12::1 as 4242422602;
+  neighbor fd42:d42:d42:179::1 as 4242422602;
   # enable multihop as the collector is not locally connected
@@ Zeile 269: / Zeile 407: @@
         export filter { if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
-        import limit 1000 action block;
+        import limit 9000 action block;
     };
@@ Zeile 282: / Zeile 420: @@
         };
         export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
-        import limit 1000 action block;
+        import limit 9000 action block;
     };
 }
@@ Zeile 290: / Zeile 428: @@
 </code>
+==== ROA updaten ====
+<code>
+# /etc/systemd/system/dn42-roa.service
+[Unit]
+Description=Update DN42 ROA
+[Service]
+Type=oneshot
+ExecStart=curl -sfSLR -o /etc/bird/roa_dn42.conf -z /etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf
+ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
+ExecStart=birdc configure
+</code>
+<code>
+# /etc/systemd/system/dn42-roa.timer
+[Unit]
+Description=Update DN42 ROA periodically
+[Timer]
+OnBootSec=2m
+OnUnitActiveSec=15m
+AccuracySec=1m
+[Install]
+WantedBy=timers.target
+</code>
+<code>
+$ systemctl daemon-reload
+$ systemctl enable dn42-roa.timer
+$ systemctl start dn42-roa.timer
+</code>
 ==== Peer hinzufügen ====
@@ Zeile 362: / Zeile 533: @@
         neighbor ${PEERIP6}%dn42_${PEERNAME}_wg as ${PEERASN};
 }
+EOF
 </code>
+Oder alternativ/präferiert via multiprotocol "extended next hop" (IPv4 via v6 next hop):
+<code>
+$ cat << EOF > /etc/bird/peers/dn42-${PEERNAME}.conf
+protocol bgp dn42_${PEERNAME}_v6 from dnpeers {
+        neighbor ${PEERIP6}%dn42_${PEERNAME}_wg as ${PEERASN};
+        ipv4 {
+                extended next hop on;
+        };
+}
+EOF
+</code>
+Dann hat man lustige Routen wie diese:
+<code>
+$ ip -4 route show prot bird via inet6 fe80::b
+.26.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
+.29.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
+.37.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
+.56.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
+.60.128.0/20 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
+...
+</code>
+Und man benötigt keine IPv4 Adress Absprachen für den Wireguard Tunnel, für dn42-${PEERNAME}-wg.network.

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Unterschiede

Seiten-Werkzeuge