*Empty MediaWiki Message*

2015-10-01 20:21:33 +00:00 · 2015-10-01 20:21:33 +00:00 · 766bab4cab
parent c3148ec864
commit 766bab4cab
1 changed files with 255 additions and 0 deletions
--- a/HQ%2FNetzwerk%2FPPPoE_failover.mw
+++ b/HQ%2FNetzwerk%2FPPPoE_failover.mw
@ -292,6 +292,261 @@ exit 0
 Sofern ich an dieser Stelle nichts nennenswertes vergessen habe zu erwähnen, sollte nach einem Container Neustart die PPPoE Einwahl und das Routing schon funktionieren

 === JAIL: dropbert2 ===
+
+„dropbert2“ Container: ucarp installieren
+<source lang=bash>
+pkg install ucarp
+</source>
+
+„dropbert2“ Container: ucarp up & down scripts
+<source lang=bash>
+vi /root/ucarp_up.sh
+ 
+#!/bin/sh
+### ### ### PLITC // ### ### ###
+#// Load variables from rc.conf
+. /etc/rc.subr
+load_rc_config ucarp
+/sbin/ifconfig $ucarp_if alias $ucarp_addr/24
+#// force arp refresh for the shared ip
+ping -S 172.22.99.4 -c 2 -q 172.22.99.7 > /dev/null
+#// delete default gateway
+route -n delete default >/dev/null 2>&1
+#// clean ppp log
+echo "" > /var/log/ppp.log
+#// dialin
+/usr/sbin/ppp -ddial telekom
+#// load firewall after being successful pppoe connection
+while true ; do
+   CHECKPPP=$(cat /var/log/ppp.log | grep -c "Pap Input: SUCCESS")
+   if [ "$CHECKPPP" -eq 1 ]
+   then
+      sleep 5
+      /etc/rc.firewall.local
+      break
+   else
+      sleep 1
+   fi
+done
+### ### ### // PLITC ### ### ###
+# EOF
+ 
+chmod 0755 /root/ucarp_up.sh
+</source>
+
+Die „while true“ Schleife ist notwendig, da ipfw mit dem laden der Regelsätze abbricht wenn ein (noch nicht) vorhandenes Device (in dem Fall: tun0) auf Firewallregeln matchen soll
+
+<source lang=bash>
+vi /root/ucarp_down.sh
+ 
+#!/bin/sh
+# Load variables from rc.conf
+. /etc/rc.subr
+load_rc_config ucarp
+/sbin/ifconfig $ucarp_if -alias $ucarp_addr
+pkill -9 ppp
+#// default gateway
+route add default 172.22.99.4
+# EOF
+ 
+chmod 0755 /root/ucarp_down.sh
+</source>
+
+„dropbert2“ Container: /etc/ppp/ppp.conf (PPPoE Config!)
+<source lang=bash>
+vi /etc/ppp/ppp.conf
+ 
+default:
+        set log Chat Command Connect Filter Phase tun Error Alert
+ 
+telekom:
+        set device PPPoE:epair1b
+        set redial 1 0
+        set reconnect 3 23
+        set mtu max 1492
+        set mru max 1492
+        set speed sync
+        set server /var/run/internet "" 0177
+        set dial
+        set login
+        set authname "000000000000000000000000#0001@t-online.de"
+        set authkey "00000000"
+        disable acfcomp protocomp
+        disable ipv6cp
+        enable mssfixup
+        enable dns
+        enable lqr
+        enable echo
+        accept lqr
+        add default HISADDR
+        set timeout 0
+        open
+</source>
+
+„dropbert2“ Container: /etc/sysctl.conf
+<source lang=bash>
+vi /etc/sysctl.conf
+ 
+# $FreeBSD: releng/9.3/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
+#
+#  This file is read when going to multi-user and its contents piped thru
+#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
+#
+ 
+# Uncomment this to prevent users from seeing information about processes that
+# are being run under another UID.
+#security.bsd.see_other_uids=0
+ 
+net.inet.ip.forwarding=1
+</source>
+
+„dropbert2“ Container: /etc/rc.conf
+<source lang=bash>
+vi /etc/rc.conf
+ 
+### ### ### /etc/rc.conf ### ### ###
+portmap_enable="NO"
+sshd_enable="NO"
+sendmail_enable="NO"
+sendmail_submit_enable="NO"
+sendmail_outbound_enable="NO"
+sendmail_msp_queue_enable="NO"
+hostname="routbert"
+devfs_enable="YES"
+devfs_system_ruleset="devfsrules_common"
+inet6_enable="YES"
+ip6addrctl_enable="YES"
+ 
+ucarp_enable="YES"
+ucarp_if="epair1b"
+ucarp_vhid="1"
+ucarp_pass="TOPSECRET"
+ucarp_preempt="YES"
+ucarp_facility="daemon"
+ucarp_src="172.22.99.92"
+ucarp_addr="172.22.99.4"
+ucarp_advbase="1"
+ucarp_advskew="10"
+ucarp_upscript="/root/ucarp_up.sh"
+ucarp_downscript="/root/ucarp_down.sh"
+ 
+cloned_interfaces="tun"
+gateway_enable="YES"
+firewall_enable="YES"
+# firewall_type="OPEN"
+firewall_logging="YES"
+firewall_type="/etc/firewall.rules"
+firewall_script="/etc/rc.firewall.local"
+ 
+ppp_enable="YES"
+ppp_mode="ddial"
+# ppp_nat="YES" # if you want to enable nat for your local network, otherwise NO (or nat with ipfw)
+ppp_user="root"
+ppp_profile="telekom"
+# EOF
+</source>
+
+„dropbert2“ Container: /etc/rc.local
+<source lang=bash>
+vi /etc/rc.local
+ 
+#!/bin/sh
+NEWINTERFACE=$(ifconfig | grep "flags" | grep "epair" | awk '{print $1}' | sed 's/://')
+find /etc -name "rc.conf" -type f -exec sed -i "" 's/epair[0-9]b/'"$NEWINTERFACE"'/g' {} \;
+find /etc -name "firewall.rules" -type f -exec sed -i "" 's/epair[0-9]b/'"$NEWINTERFACE"'/g' {} \;
+find /etc/ppp -name "ppp.conf" -type f -exec sed -i "" 's/epair[0-9]b/'"$NEWINTERFACE"'/g' {} \;
+/usr/local/etc/rc.d/ucarp start
+exit 0
+# EOF
+ 
+chmod 0755 /etc/rc.local
+</source>
+
+„dropbert2“ Container: /etc/firewall.rules
+<source lang=bash>
+vi /etc/firewall.rules
+ 
+### ### ### etc/firewall.rules ### ### ###
+ 
+### stage0 // ###
+#/ add 00001 check-state
+#/ add 00003 deny tcp from any to any established in via epair1b
+### // statefull ###
+#
+add 00002 deny all from any to any frag in via epair1b
+#
+### // stage0 ###
+ 
+### stage1 - Uplink Filter // ###
+# Throw away RFC 1918 networks
+#/ add 10 drop all from 10.0.0.0/8 to any in via epair1b
+#/ add 11 drop all from 172.16.0.0/12 to any in via epair1b
+#/ add 12 drop all from 192.168.0.0/16 to any in via epair1b
+#
+add 00045 count icmp from any to any via epair1b
+add 00046 count ipv6-icmp from any to any via epair1b
+add 00047 count icmp from any to any via tun0
+add 00048 count ipv6-icmp from any to any via tun0
+### // stage1 - Uplink Filter ###
+ 
+### stage2 // ###
+add 00098 allow ip4 from me to any
+add 00099 allow ip6 from me6 to any
+### // stage2 ###
+ 
+### stage3 - Admin SSH // ###
+### // stage3 - Admin SSH ###
+ 
+### stage4 // ###
+#
+nat 1 config if tun0 reset
+add 10001 nat 1 ip4 from any to any via tun0
+#
+### // stage4 ###
+ 
+### stage9 // ###
+add 60100 allow ip from any to any via lo0
+add 60200 deny ip from any to 127.0.0.0/8
+add 60300 deny ip from 127.0.0.0/8 to any
+add 60400 deny ip from any to ::1
+add 60500 deny ip from ::1 to any
+add 60600 allow ipv6-icmp from :: to ff02::/16
+add 60700 allow ipv6-icmp from fe80::/10 to fe80::/10
+add 60800 allow ipv6-icmp from fe80::/10 to ff02::/16
+add 60900 allow ipv6-icmp from any to any ip6 icmp6types 1
+add 61000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
+### // stage9 ###
+ 
+### stage10 // ###
+add 65001 allow ip4 from any to any
+add 65002 allow ip6 from any to any
+### // stage10 ###
+ 
+# EOF
+</source>
+
+„dropbert2“ Container: /etc/rc.firewall.local
+<source lang=bash>
+vi /etc/rc.firewall.local
+ 
+#!/bin/sh
+### ### ### etc/rc.firewall.local // ### ### ###
+/sbin/ipfw -q flush
+/sbin/ipfw -q pipe flush
+/sbin/ipfw -q queue flush
+/sbin/ipfw -q /etc/firewall.rules
+### ### ### // etc/rc.firewall.local ### ### ###
+# EOF
+ 
+chmod 0755 /etc/rc.firewall.local
+</source>
+
+Das sollte es gewesen sein!
+
+Nun sollte man einmal die „routbert“ JAIL, per FreeNAS Web GUI, neustarten lassen
+
+
+
 <source lang=bash>

 </source>