Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

--- infrastruktur:host:dobby-setup [03.02.2025 23:53] – [ROA updaten] Linus Lüssing
+++ infrastruktur:host:dobby-setup [15.02.2025 01:32] (aktuell) – [Netfilter Firewall] Linus Lüssing
@@ Zeile 106: / Zeile 106: @@
 nft add rule inet filter forward iifname "eth0" oifname "dn42_*" accept
 nft add rule inet filter forward iifname "dn42_*" oifname "eth0" ct state established,related accept
-nft add rule inet filter forward counter reject
+nft add rule inet filter forward counter reject with icmpx type admin-prohibited
 </code>
@@ Zeile 132: / Zeile 132: @@
 ===== OPNSense Firewall fw01.nobreakspace.org =====
-* [x]: announce fd20:bdda:5df0::/64 im radvd, statt fd69:2694:4eb5::
+  * [x]: announce fd20:bdda:5df0::/64 im radvd, statt fd69:2694:4eb5::
     * https://fw01.nobreakspace.org/ui/interfaces/vip
     * dort `fd69:2694:4eb5::/48` auf `fd20:bdda:5df0::1/64` geändert
-* [x]: dobby alias
+  * [x]: dobby alias
     * https://fw01.nobreakspace.org/ui/firewall/alias
     * Firewall->Aliases, add:
@@ Zeile 144: / Zeile 144: @@
     * Content: 172.23.208.8, 2a01:170:1112::8
     * Description: dn42 BGP router
-* [x]: statisches DHCPv4 mapping (optional, eigentlich stat. IPs):
+  * [x]: statisches DHCPv4 mapping (optional, eigentlich stat. IPs):
     * https://fw01.nobreakspace.org/services_dhcp.php?if=lan
     * MAC address: BC:24:11:0F:A6:06
     * IP address: 172.23.208.8
     * Hostname: dobby
-* [x]: IPv4 port forwarding:
+  * [x]: IPv4 port forwarding:
     * https://fw01.nobreakspace.org/firewall_nat.php
     * Description: dobby dn42 tunnels
@@ Zeile 157: / Zeile 157: @@
     * Protocol: UDP
     * Destination port range: 2300-2399
-* [x]: IPv6 incoming erlauben:
+  * [x]: IPv6 incoming erlauben:
     * https://fw01.nobreakspace.org/firewall_rules.php?if=wan
     * Firewall->Rules->Wan, hinzufügen:
@@ Zeile 173: / Zeile 173: @@
         * Destination port range: from: any, to: any
         * Gateway: default
-* [x]: Variante A) statische Routen zu dobby hinzufügen
+  * [x]: Variante A) statische Routen zu dobby hinzufügen
     * ~~Routing: General:~~
         * ~~Enable: yes~~
@@ Zeile 215: / Zeile 215: @@
                 * Gateway: dobby_dn42_ipv4
                 * Description: ChaosVPN, neonetwork, Freifunk/ICVPN (via dn42)
-* [ ]: Variante B) full BGP import von dobby, export Filter auf dobby (-> Routing: BGP)
+  * [ ]: Variante B) full BGP import von dobby, export Filter auf dobby (-> Routing: BGP)
+  * [x]: DNS hinzufügen: https://dn42.dev/services/DNS
+    * Services: Unbound DNS: Advanced:
+      * Private Domains: add "dn42"
+    * Services: Unbound DNS: Query Forwarding -> Custom forwarding, add:
+      * Enabled: yes
+      * Domain: dn42
+      * Address: fd42:d42:d42:54::1
+      * Description: dn42 DNS
 ===== Bird2 =====
@@ Zeile 400: / Zeile 406: @@
         export filter { if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
-        import limit 1000 action block;
+        import limit 9000 action block;
     };
@@ Zeile 413: / Zeile 419: @@
         };
         export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
-        import limit 1000 action block;
+        import limit 9000 action block;
     };
 }
@@ Zeile 526: / Zeile 532: @@
         neighbor ${PEERIP6}%dn42_${PEERNAME}_wg as ${PEERASN};
 }
+EOF
 </code>
+Oder alternativ/präferiert via multiprotocol "extended next hop" (IPv4 via v6 next hop):
+<code>
+$ cat << EOF > /etc/bird/peers/dn42-${PEERNAME}.conf
+protocol bgp dn42_${PEERNAME}_v6 from dnpeers {
+        neighbor ${PEERIP6}%dn42_${PEERNAME}_wg as ${PEERASN};
+        ipv4 {
+                extended next hop on;
+        };
+}
+EOF
+</code>
+Dann hat man lustige Routen wie diese:
+<code>
+$ ip -4 route show prot bird via inet6 fe80::b
+.26.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
+.29.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
+.37.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
+.56.0.0/16 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
+.60.128.0/20 via inet6 fe80::b dev dn42_ffda_wg src 172.23.208.8 metric 32
+...
+</code>
+Und man benötigt keine IPv4 Adress Absprachen für den Wireguard Tunnel, für dn42-${PEERNAME}-wg.network.

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Unterschiede

Seiten-Werkzeuge