[[Datei:Plitc_pppoe_failover.jpg|thumbnail|left|server-side PPPoE failover]]

== Switch (partitioning) with filter source-port ==

The switch "diethylether" (TOP / IP: '''.7''') carries an [http://whp-hou4.cold.extweb.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap10-Traf-Security-Filts.pdf HP ProCurve filter source-port] rule set, configured via the CLI.

This rule set serves mainly to separate the PPPoE traffic from the rest of the network.

* Ports 1-4 may only communicate with Trk2 / Trk3
** Port 1 is for the PPPoE DSL modem
** Port 2 (emergency) Ratbert (generally switched off)
** Port 3 (for debugging purposes, port mirroring)
** Port 4 (Fritzbox for VoIP to the Asterisk LXC)
* The second part of the segmentation looks like this:
** Ports 5-8 (the trunk ports of Trk2 & Trk3)
** Trk2 is the freenas/storage server
** Trk3 is the flatbert server
* (Some of) ports 9-20 and Trk1 (ports 21-24) serve the communication with the switch (BOTTOM / IP: '''.6''') that supplies the actual [[HQ]] via the patch panel (untagged as well as VLAN 100-105)

== Schema ==

* The [[Server/flatbert]] hosts the LXC container '''[[dropbert1]]''' with the IP '''.91''' (primary PPPoE dial-in/routing container).
* The [[Server/storage]] hosts the [[jail]] '''[[dropbert2]]''' with the IP '''.92''' (backup PPPoE dial-in/routing container).

* Since [[Server/flatbert]] is a [[Server]] running Linux ([[Debian]]) and [[Server/storage]] is a [[Server]] running [[FreeNAS]] ([[FreeBSD]]), [http://www.pureftpd.org/project/ucarp ucarp] is used inside the containers for the mutual "failover" negotiation.

== Functions of the containers ==

* PPPoE dial-in
** [[debian:PPPoE]]
** [[freebsd-handbook:pppoe]]
* Routing
** https://www.debian.org/doc/manuals/network-administrator/ch-tcpip.html
** [[freebsd-handbook:network-routing]]
* NAT
** [[debian:iptables]]
** [[freebsd-handbook:firewalls-ipfw]]

== Setting up the system on the host ==

=== Flatbert (Linux) ===

Keep the system up to date
<source lang=bash>
apt-get autoclean; apt-get clean; apt-get update; apt-get upgrade
</source>

Install environment/debugging tools
<source lang=bash>
apt-get install git iptables tcpdump sockstat iputils-ping
</source>

Load kernel modules
<source lang=bash>
vi /etc/modules

### pppoe routing // ###
pppoe
ip_tables
ip6_tables
ip6t_MASQUERADE
## ("pkttype" packet type match support) filter multicast
xt_pkttype
tun
### // pppoe routing ###

# -a is required to load several modules in one call; without it the
# remaining names would be passed to the first module as parameters
modprobe -a pppoe ip_tables ip6_tables ip6t_MASQUERADE xt_pkttype tun
</source>

Create the container
<source lang=bash>
lxc-fancy create
</source>

Stop the container and adjust the LXC container config (for pppoe kernel support)
<source lang=bash>
lxc-stop -n dropbert1

vi /var/lib/lxc/dropbert1/config

#// ppp/pppoe support
lxc.cgroup.devices.allow = c 108:0 rwm
lxc.mount.entry = /dev/ppp dev/ppp none bind,optional,create=file
#// lxc-to-go bridge 1
lxc.network.link=vswitch0
</source>

IMPORTANT: because of the Flatbert network scheme, vswitch1 MUST be changed to vswitch0, so that "dropbert1" is attached directly to the first bridge and not to the second bridge, which uses ProxyARP/ProxyNDP!

=== FreeNAS/Storage (FreeBSD) ===

Since we first need a build environment, we create a jail named "buildbert" via the FreeNAS web GUI.

"buildbert" container: login
<source lang=bash>
jls

   JID  IP Address      Hostname                      Path
     1  -               buildbert                     /mnt/zroot/jails/buildbert

jexec 1 /bin/sh
</source>

"buildbert" container: bring it up to date
<source lang=bash>
pkg update; pkg upgrade
</source>

"buildbert" container: build FreeNAS (9.3) yourself; for this, please follow the instructions at [https://github.com/freenas/freenas github.com/freenas/freenas]

IMPORTANT: for the NetGraph PPP/PPPoE modules to be built as well, the following lines in the config must be adjusted, see the line numbers:
<source lang=bash>
vi /mnt/zroot/jails/buildbert/buildbert/freenas/build/nano_env

159 add_nano_modules netgraph/ppp netgraph/pppoe netgraph/nat netgraph/car netgraph/echo

166 add_nano_modules netgraph/ether netgraph/socket netgraph/ppp netgraph/pppoe netgraph/nat netgraph/car netgraph/echo

339 #WITHOUT_PPP=true
</source>

Once "make release" has finished, the required kernel modules can be copied into the FreeNAS system and loaded
<source lang=bash>
cp /mnt/zroot/jails/buildbert/buildbert/freenas/objs/os-base/amd64/buildbert/freenas/FreeBSD/src/sys/FREENAS.amd64/modules/buildbert/freenas/FreeBSD/src/sys/modules/netgraph/ppp/ng_ppp.ko /boot/kernel
cp /mnt/zroot/jails/buildbert/buildbert/freenas/objs/os-base/amd64/buildbert/freenas/FreeBSD/src/sys/FREENAS.amd64/modules/buildbert/freenas/FreeBSD/src/sys/modules/netgraph/pppoe/ng_pppoe.ko /boot/kernel
cp /mnt/zroot/jails/buildbert/buildbert/freenas/objs/os-base/amd64/buildbert/freenas/FreeBSD/src/sys/FREENAS.amd64/modules/buildbert/freenas/FreeBSD/src/sys/modules/netgraph/nat/ng_nat.ko /boot/kernel
cp /mnt/zroot/jails/buildbert/buildbert/freenas/objs/os-base/amd64/buildbert/freenas/FreeBSD/src/sys/FREENAS.amd64/modules/buildbert/freenas/FreeBSD/src/sys/modules/netgraph/car/ng_car.ko /boot/kernel
cp /mnt/zroot/jails/buildbert/buildbert/freenas/objs/os-base/amd64/buildbert/freenas/FreeBSD/src/sys/FREENAS.amd64/modules/buildbert/freenas/FreeBSD/src/sys/modules/netgraph/echo/ng_echo.ko /boot/kernel
</source>

Download PLITC: [https://blog.plitc.eu/downloads/freenas/freenas_9.3_amd64_netgraph_pppoe.tar.gz freenas_9.3_amd64_netgraph_pppoe.tar.gz]*
<source lang=bash>
MD5 (freenas_9.3_amd64_netgraph_pppoe.tar.gz) = 0be216df688c0ba9257fbbfe7a910a6b
</source>

*Download without warranty

Load the NetGraph kernel modules
<source lang=bash>
kldstat
kldload ng_ppp ng_pppoe ng_socket ng_nat ng_car ng_echo
kldstat
</source>

So that the NetGraph modules are also loaded at system boot, a few tunables have to be set via the FreeNAS web GUI

'''System -> Tunables'''

[[Datei:Plitc_pppoe_failover_freenas.jpg]]

'''It is equally important to set the "pfil" entries! Otherwise the PPPoE packets are dropped on the FreeNAS bridge!'''

Explanation: FreeBSD [https://www.freebsd.org/cgi/man.cgi?if_bridge if_bridge]

Reboot FreeNAS!
<source lang=bash>
reboot
</source>

After the FreeNAS system reboot, the jail "dropbert2" can now be created and set up via the web GUI

== Container setup ==

=== LXC: dropbert1 ===

"dropbert1" container: start and log in
<source lang=bash>
lxc-start -n dropbert1
lxc-attach -n dropbert1
</source>

The container should automatically be assigned an IP address via DHCP.

"dropbert1" container: install ucarp and pppoeconf
<source lang=bash>
apt-get autoclean; apt-get clean; apt-get update; apt-get upgrade

apt-get install ucarp pppoeconf
</source>

"dropbert1" container: set up pppoe
<source lang=bash>
pppoeconf
</source>

"dropbert1" container: network interface configuration
<source lang=bash>
vi /etc/network/interfaces

auto lo
iface lo inet loopback

# eth0 carries the PPPoE session only; it gets no IP address of its own
auto eth0
iface eth0 inet manual
    pre-up ifconfig eth0 up
    post-down ifconfig eth0 down

# eth1 is the LAN side; ucarp announces the shared gateway IP (.4) on it
auto eth1
iface eth1 inet static
    address 172.22.99.91
    netmask 255.255.255.0
    gateway 172.22.99.4
    up /usr/sbin/ucarp -i eth1 -f daemon -B -p TOPSECRET -P -z -u /usr/share/ucarp/vip-up -d /usr/share/ucarp/vip-down -b 1 -k 1 -s 172.22.99.91 -a 172.22.99.4 -v 1
    # iputils ping selects the source address with -I (-S would set the socket send buffer)
    up ping -I 172.22.99.4 -c 2 -q 172.22.99.7
    down pkill ucarp

# The carp network interface, on top of eth1
iface eth1:ucarp inet static
    #/ address 172.22.99.90
    address 172.22.99.4
    netmask 255.255.255.0

auto dsl-provider
iface dsl-provider inet ppp
    pre-up /bin/ip link set eth0 up # line maintained by pppoeconf
    provider dsl-provider

# EOF
</source>

"dropbert1" container: so that, after the failover mode change (from BACKUP to MASTER), the physical switch also learns the new MAC address for the virtual (shared) IP, the ucarp up script is adjusted by simply letting it send a ping afterwards

<source lang=bash>
vi /usr/share/ucarp/vip-up

#!/bin/sh

# /sbin/ifup $1:ucarp
/sbin/ifup eth1:ucarp

# sourced from the shared IP so the switch updates its MAC table (iputils: -I = source address)
sleep 1 && ping -I 172.22.99.4 -c 2 -q 172.22.99.7
</source>

"dropbert1" container: adjust /etc/sysctl.conf & /etc/rc.local
<source lang=bash>
vi /etc/sysctl.conf

### ### ### ROUTING // ### ### ###
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.eth0.accept_ra=0
### ### ### // ROUTING ### ### ###

# EOF
</source>

<source lang=bash>
vi /etc/rc.local

#!/bin/sh
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#
### ### ### C3D2 // ### ### ###

#/ echo "stage0"
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

ip6tables -F
ip6tables -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT

#/ echo "stage1"
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
sysctl net.ipv4.conf.default.forwarding=1 > /dev/null 2>&1
sysctl net.ipv4.conf.eth0.forwarding=1 > /dev/null 2>&1

exit 0
### ### ### // C3D2 ### ### ###
# EOF
</source>

Unless I have forgotten to mention something noteworthy at this point, the PPPoE dial-in and the routing should already work after a container restart

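The rc.local above leaves the FORWARD chain at policy ACCEPT. The MASQUERADE rule only rewrites the source address of outbound traffic; it does not stop anything arriving on ppp0 from being forwarded into the LAN wherever a route exists. The following is an added example, not part of the original page or of the dropbert1 configuration: it puts the weak policy next to a stateful, default-deny variant for the same two interfaces. The interface roles (eth1 = LAN, ppp0 = WAN) are taken from the interfaces file above; the `IPTABLES` variable is an assumption of this example that lets you preview the commands instead of applying them.

```sh
#!/bin/sh
# Added example: weak vs. hardened FORWARD chain for the dropbert1 PPPoE router.
# Interface roles follow /etc/network/interfaces above:
#   LAN = eth1 (172.22.99.0/24, carries the ucarp VIP), WAN = ppp0 (PPPoE).
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-ppp0}
# Set IPTABLES="echo iptables" to print the commands instead of executing them.
IPTABLES=${IPTABLES:-iptables}

# forward_rules_open: what the rc.local above does. Every packet the kernel can
# route is forwarded, in both directions, including new connections from the WAN.
forward_rules_open() {
    $IPTABLES -P FORWARD ACCEPT
}

# forward_rules_hardened: default-deny forwarding. Hosts on the LAN may open
# connections towards the WAN; packets from the WAN are only forwarded back when
# conntrack knows them as part of such a connection. Everything else is logged
# (rate-limited) and then hits the DROP policy.
forward_rules_hardened() {
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP
    # packets conntrack cannot classify (malformed, out-of-window)
    $IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # replies to connections initiated from the LAN
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # LAN -> WAN, anything
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    # visibility into what the policy drops, without flooding the log
    $IPTABLES -A FORWARD -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# usage: sh forward.sh open|hardened   (prefix with IPTABLES="echo iptables" to preview)
case "${1:-}" in
    open)     forward_rules_open ;;
    hardened) forward_rules_hardened ;;
esac
```

The MASQUERADE rule from rc.local stays as it is; only the FORWARD chain changes. Note that ip6tables would need the same treatment, since the ucarp_up script on dropbert2 also configures an IPv6 address.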
=== JAIL: dropbert2 ===

"dropbert2" container: install ucarp
<source lang=bash>
pkg install ucarp
</source>

"dropbert2" container: ucarp up & down scripts
<source lang=bash>
vi /root/ucarp_up.sh

#!/bin/sh
### ### ### C3D2 // ### ### ###
#// Load variables from rc.conf
. /etc/rc.subr
load_rc_config ucarp
#// check weird behavior: if the primary (.91) still answers, this switch to MASTER is a false positive
ping -S 172.22.99.92 -c 4 -q 172.22.99.91 > /dev/null
if [ $? -eq 0 ]
then
    /usr/bin/logger "[WARNING] PPPoE Failover false/positive!"
    exit 1
else
    : # dummy
fi
#// starting CARP failover
/sbin/ifconfig $ucarp_if alias $ucarp_addr/24
/sbin/ifconfig $ucarp_if inet6 2001:BLA:BLA:BLA::5 prefixlen 64 alias
#// force arp refresh for the shared ip
ping -S 172.22.99.4 -c 2 -q 172.22.99.7 > /dev/null
#// delete default gateway
route -n delete default >/dev/null 2>&1
#// clean ppp log
echo "" > /var/log/ppp.log
#// dialin
/usr/sbin/ppp -ddial telekom
#// load firewall after the pppoe connection has been established successfully
while true ; do
    CHECKPPP=$(grep -c "Pap Input: SUCCESS" /var/log/ppp.log)
    if [ "$CHECKPPP" -ge 1 ]
    then
        sleep 5
        /etc/rc.firewall.local
        sleep 1
        /usr/local/etc/rc.d/sixxs-aiccu onestart
        break
    else
        sleep 1
    fi
done
### ### ### // C3D2 ### ### ###
# EOF

chmod 0755 /root/ucarp_up.sh
</source>

The "while true" loop is necessary because ipfw aborts loading the rule set when a device that does not (yet) exist (in this case: tun0) is supposed to be matched by firewall rules

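The loop above only ever looks for "Pap Input: SUCCESS". If the provider rejects the credentials, or ppp exits, it spins forever: the ipfw rules and the NAT are never loaded, and nothing in the log says why. As an added example, not part of the original ucarp_up.sh, here is a bounded wait that also recognises the failure case. The "Pap Input: SUCCESS" string is the one the page's script greps for; "Pap Input: FAILURE" is assumed here from the PAP code names ppp(8) uses, so verify it against your own /var/log/ppp.log. The sample log lines are constructed.

```sh
#!/bin/sh
# Added example: bounded wait for the PPPoE authentication result before loading ipfw.
# Meant to replace the unbounded "while true" in /root/ucarp_up.sh.
# Log strings: "Pap Input: SUCCESS" is what the page greps for; "Pap Input: FAILURE"
# is assumed for a rejected login (check against your ppp.log).

# ppp_auth_state: read a ppp.log on stdin; print success | failure | pending
ppp_auth_state() {
    awk '
        /Pap Input: SUCCESS/ { state = "success" }
        /Pap Input: FAILURE/ { if (state != "success") state = "failure" }
        END { print (state == "" ? "pending" : state) }
    '
}

# wait_for_ppp_auth LOGFILE TIMEOUT_SECONDS: poll the log once a second until a
# result is seen or the deadline passes. Exit status: 0 success, 1 failure, 2 timeout.
wait_for_ppp_auth() {
    log=$1; deadline=$2; waited=0
    while [ "$waited" -lt "$deadline" ]; do
        case "$(ppp_auth_state < "$log")" in
            success) return 0 ;;
            failure) return 1 ;;
        esac
        sleep 1
        waited=$((waited + 1))
    done
    return 2
}

# Constructed sample logs (not captured from the systems on this page).
SAMPLE_OK='Sep 30 22:21:12 dropbert2 ppp[7102]: tun0: Phase: deflink: Connected!
Sep 30 22:21:13 dropbert2 ppp[7102]: tun0: Phase: Pap Output: REQUEST
Sep 30 22:21:13 dropbert2 ppp[7102]: tun0: Phase: Pap Input: SUCCESS'
SAMPLE_FAIL='Sep 30 22:21:13 dropbert2 ppp[7102]: tun0: Phase: Pap Output: REQUEST
Sep 30 22:21:13 dropbert2 ppp[7102]: tun0: Phase: Pap Input: FAILURE'

# How ucarp_up.sh would use it, instead of the open-ended loop:
#   if wait_for_ppp_auth /var/log/ppp.log 90; then
#       sleep 5; /etc/rc.firewall.local; sleep 1; /usr/local/etc/rc.d/sixxs-aiccu onestart
#   else
#       /usr/bin/logger "[WARNING] PPPoE dial-in did not authenticate (rc=$?)"
#   fi
```

With a deadline in place the failover script terminates either way, and the logger line leaves a record of the failed dial-in next to the ucarp state messages in /var/log/messages.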
<source lang=bash>
vi /root/ucarp_down.sh

#!/bin/sh
# Load variables from rc.conf
. /etc/rc.subr
load_rc_config ucarp
/sbin/ifconfig $ucarp_if -alias $ucarp_addr
/sbin/ifconfig $ucarp_if inet6 2001:BLA:BLA:BLA::5 prefixlen 64 -alias
pkill -9 ppp
#// default gateway
route add default 172.22.99.4
/usr/local/etc/rc.d/sixxs-aiccu onestop
# EOF

chmod 0755 /root/ucarp_down.sh
</source>

"dropbert2" container: /etc/ppp/ppp.conf (PPPoE config!)
<source lang=bash>
vi /etc/ppp/ppp.conf

# labels start in column 0, commands must be indented
default:
 set log Chat Command Connect Filter Phase tun Error Alert

telekom:
 set device PPPoE:epair1b
 set redial 1 0
 set reconnect 3 23
 set mtu max 1492
 set mru max 1492
 set speed sync
 set server /var/run/internet "" 0177
 set dial
 set login
 set authname "000000000000000000000000#0001@t-online.de"
 set authkey "00000000"
 disable acfcomp protocomp
 disable ipv6cp
 enable mssfixup
 enable dns
 enable lqr
 enable echo
 accept lqr
 add default HISADDR
 set timeout 0
 open
</source>

"dropbert2" container: set up sixxs (aiccu)
<source lang=bash>
cd /usr/ports/net/sixxs-aiccu/ && make install clean

vi /usr/local/etc/aiccu.conf

### ### ### C3D2 ### ### ###
# AICCU Configuration

username GEHEIM
password GEHEIM
protocol tic
server tic.sixxs.net
# Interface names to use (default: aiccu)
# ipv6_interface is the name of the interface that will be used as a tunnel interface.
# On *BSD the ipv6_interface should be set to gifX (eg gif0) for proto-41 tunnels
# or tunX (eg tun0) for AYIYA tunnels.
ipv6_interface gif0
tunnel_id GEHEIM
verbose false
daemonize true
automatic true
requiretls false
defaultroute true
# PID File
#pidfile /var/run/aiccu.pid
# Script to run after setting up the interfaces (default: none)
#setupscript /usr/local/etc/aiccu-subnets.sh
# Make heartbeats (default true)
# In general you don't want to turn this off
# Of course only applies to AYIYA and heartbeat tunnels not to static ones
#makebeats true
# Don't configure anything (default: false)
#noconfigure true
# Behind NAT (default: false)
# Notify the user that a NAT-kind network is detected
#behindnat true
# Local IPv4 Override (default: none)
# Overrides the IPv4 parameter received from TIC
# This allows one to configure a NAT into "DMZ" mode and then
# forwarding the proto-41 packets to an internal host.
#
# This is only needed for static proto-41 tunnels!
# AYIYA and heartbeat tunnels don't require this.
#local_ipv4_override
### ### ### C3D2 ### ### ###
# EOF
</source>

"dropbert2" container: /etc/sysctl.conf
<source lang=bash>
vi /etc/sysctl.conf

# $FreeBSD: releng/9.3/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0

### ### ### C3D2 ### ### ###
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
### ### ### C3D2 ### ### ###
# EOF
</source>

"dropbert2" container: /etc/rc.conf
<source lang=bash>
vi /etc/rc.conf

### ### ### /etc/rc.conf ### ### ###
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="dropbert2"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"

ucarp_enable="YES"
ucarp_if="epair1b"
ucarp_vhid="1"
ucarp_pass="TOPSECRET"
ucarp_preempt="YES"
ucarp_facility="daemon"
ucarp_src="172.22.99.92"
ucarp_addr="172.22.99.4"
ucarp_advbase="1"
ucarp_advskew="10"
ucarp_upscript="/root/ucarp_up.sh"
ucarp_downscript="/root/ucarp_down.sh"

cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
# firewall_type="OPEN"
firewall_logging="YES"
firewall_type="/etc/firewall.rules"
firewall_script="/etc/rc.firewall.local"

ppp_enable="YES"
ppp_mode="ddial"
# ppp_nat="YES" # if you want to enable nat for your local network, otherwise NO (or nat with ipfw)
ppp_user="root"
ppp_profile="telekom"

sixxs_aiccu_enable="NO"
# EOF
</source>

"dropbert2" container: /etc/rc.local
<source lang=bash>
vi /etc/rc.local

#!/bin/sh
# the jail's epair interface number changes with the jail id, so the configs
# that name it are patched with the current name on every boot
NEWINTERFACE=$(ifconfig | grep "flags" | grep "epair" | awk '{print $1}' | sed 's/://')
find /etc -name "rc.conf" -type f -exec sed -i "" 's/epair[0-9]b/'"$NEWINTERFACE"'/g' {} \;
find /etc -name "firewall.rules" -type f -exec sed -i "" 's/epair[0-9]b/'"$NEWINTERFACE"'/g' {} \;
find /etc/ppp -name "ppp.conf" -type f -exec sed -i "" 's/epair[0-9]b/'"$NEWINTERFACE"'/g' {} \;
/usr/local/etc/rc.d/ucarp start
/sbin/ifconfig gif0 create
exit 0
# EOF

chmod 0755 /etc/rc.local
</source>

||
„dropbert2“ Container: /etc/firewall.rules
|
||
<source lang=bash>
|
||
vi /etc/firewall.rules
|
||
|
||
### ### ### etc/firewall.rules ### ### ###
|
||
|
||
### stage0 // ###
|
||
#/ add 00001 check-state
|
||
#/ add 00003 deny tcp from any to any established in via epair1b
|
||
### // statefull ###
|
||
#
|
||
add 00002 deny all from any to any frag in via epair1b
|
||
#
|
||
### // stage0 ###
|
||
|
||
### stage1 - Uplink Filter // ###
|
||
# Throw away RFC 1918 networks
|
||
#/ add 10 drop all from 10.0.0.0/8 to any in via epair1b
|
||
#/ add 11 drop all from 172.16.0.0/12 to any in via epair1b
|
||
#/ add 12 drop all from 192.168.0.0/16 to any in via epair1b
|
||
#
|
||
add 00045 count icmp from any to any via epair1b
|
||
add 00046 count ipv6-icmp from any to any via epair1b
|
||
add 00047 count icmp from any to any via tun0
|
||
add 00048 count ipv6-icmp from any to any via tun0
|
||
### // stage1 - Uplink Filter ###
|
||
|
||
### stage2 // ###
|
||
add 00098 allow ip4 from me to any
|
||
add 00099 allow ip6 from me6 to any
|
||
### // stage2 ###
|
||
|
||
### stage3 - Admin SSH // ###
|
||
### // stage3 - Admin SSH ###
|
||
|
||
### stage4 // ###
|
||
#
|
||
nat 1 config if tun0 reset
|
||
add 10001 nat 1 ip4 from any to any via tun0
|
||
#
|
||
### // stage4 ###
|
||
|
||
### stage9 // ###
|
||
add 60100 allow ip from any to any via lo0
|
||
add 60200 deny ip from any to 127.0.0.0/8
|
||
add 60300 deny ip from 127.0.0.0/8 to any
|
||
add 60400 deny ip from any to ::1
|
||
add 60500 deny ip from ::1 to any
|
||
add 60600 allow ipv6-icmp from :: to ff02::/16
|
||
add 60700 allow ipv6-icmp from fe80::/10 to fe80::/10
|
||
add 60800 allow ipv6-icmp from fe80::/10 to ff02::/16
|
||
add 60900 allow ipv6-icmp from any to any ip6 icmp6types 1
|
||
add 61000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
|
||
### // stage9 ###
|
||
|
||
### stage10 // ###
|
||
add 65001 allow ip4 from any to any
|
||
add 65002 allow ip6 from any to any
|
||
### // stage10 ###
|
||
|
||
# EOF
|
||
</source>
|
||
|
||
„dropbert2“ Container: /etc/rc.firewall.local
|
||
<source lang=bash>
|
||
vi /etc/rc.firewall.local
|
||
|
||
#!/bin/sh
|
||
### ### ### etc/rc.firewall.local // ### ### ###
|
||
/sbin/ipfw -q flush
|
||
/sbin/ipfw -q pipe flush
|
||
/sbin/ipfw -q queue flush
|
||
/sbin/ipfw -q /etc/firewall.rules
|
||
### ### ### // etc/rc.firewall.local ### ### ###
|
||
# EOF
|
||
|
||
chmod 0755 /etc/rc.firewall.local
|
||
</source>
|
||
|
||
Das sollte es gewesen sein!
|
||
|
||
Nun sollte man einmal die „dropbert2“ JAIL, per FreeNAS Web GUI, neustarten lassen
|
||
|
||
== PPPoE failover test ==

"dropbert1" container: stop
<source lang=bash>
lxc-stop -n dropbert1
</source>

After the "dropbert1" LXC has been stopped, the "dropbert2" jail should switch into master mode

Log on "dropbert2"
<source lang=bash>
cat /var/log/messages

Sep 30 22:21:05 dropbert2 ucarp[7034]: [WARNING] Switching to state: BACKUP
Sep 30 22:21:05 dropbert2 ucarp[7034]: [WARNING] Spawning [/root/ucarp_down.sh epair1b 172.22.99.4]
Sep 30 22:21:09 dropbert2 ucarp[7034]: [WARNING] Switching to state: MASTER
Sep 30 22:21:09 dropbert2 ucarp[7034]: [WARNING] Spawning [/root/ucarp_up.sh epair1b 172.22.99.4]
</source>

and begin with the PPP dial-in.

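The log excerpt above is also the signal an operator wants to watch on the backup node: every switch to MASTER means the primary stopped advertising, and a Spawning line that does not match the state just entered means a hook script was run at the wrong moment. As an added example, not part of the original page, the following helpers read /var/log/messages (here a constructed sample modelled on the excerpt) and report the current CARP state, the number of takeovers, and whether each hook ran for the right transition.

```sh
#!/bin/sh
# Added example: read ucarp state changes out of /var/log/messages on dropbert2.
# The sample is constructed after the excerpt above; on the jail run e.g.
#   ucarp_last_state < /var/log/messages

UCARP_LOG_SAMPLE='Sep 30 22:21:05 dropbert2 ucarp[7034]: [WARNING] Switching to state: BACKUP
Sep 30 22:21:05 dropbert2 ucarp[7034]: [WARNING] Spawning [/root/ucarp_down.sh epair1b 172.22.99.4]
Sep 30 22:21:09 dropbert2 ucarp[7034]: [WARNING] Switching to state: MASTER
Sep 30 22:21:09 dropbert2 ucarp[7034]: [WARNING] Spawning [/root/ucarp_up.sh epair1b 172.22.99.4]'

# ucarp_last_state: print the state ucarp is currently in (BACKUP or MASTER),
# or "none" if the log holds no ucarp state line at all
ucarp_last_state() {
    awk '/ucarp\[[0-9]+\]: .*Switching to state: / { state = $NF }
         END { print (state == "" ? "none" : state) }'
}

# ucarp_master_count: number of switches to MASTER. On the backup node each one
# is a failover event (the primary stopped advertising) and worth an alert.
ucarp_master_count() {
    grep -c 'ucarp\[[0-9]*\]: .*Switching to state: MASTER'
}

# ucarp_hook_consistency: check that every Spawning line runs the script that
# belongs to the state just entered (ucarp_up.sh after MASTER, ucarp_down.sh
# after BACKUP). Prints ok or mismatch.
ucarp_hook_consistency() {
    awk '
        /Switching to state: BACKUP/ { state = "BACKUP" }
        /Switching to state: MASTER/ { state = "MASTER" }
        /Spawning \[\/root\/ucarp_up\.sh/   { if (state != "MASTER") bad++ }
        /Spawning \[\/root\/ucarp_down\.sh/ { if (state != "BACKUP") bad++ }
        END { print (bad > 0 ? "mismatch" : "ok") }
    '
}
```

Run periodically (or from a log watcher), a rising ucarp_master_count on dropbert2 while dropbert1 is supposed to be healthy points at lost CARP advertisements on the LAN segment rather than at a real outage of the primary, which is exactly the situation the false-positive ping check in ucarp_up.sh tries to catch.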
== Quality of Service / Traffic Shaping ==

=== LXC: dropbert1 ===
<source lang=bash>
cat /root/codel.sh
#!/bin/sh

IF_WAN=ppp0
UP_RATE=900

tc qdisc del dev $IF_WAN root 2> /dev/null > /dev/null
tc qdisc add dev $IF_WAN root handle 1 hfsc default 1

tc class add dev $IF_WAN parent 1: classid 1:1 hfsc sc rate ${UP_RATE}kbit ul rate ${UP_RATE}kbit
tc qdisc add dev $IF_WAN parent 1:1 handle 11: fq_codel
#tc filter add dev $IF_WAN parent 11: handle 11 protocol all flow hash keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
tc filter add dev $IF_WAN parent 11: handle 11 protocol all flow hash keys nfct-src divisor 1024
</source>

'''Status'''

<source lang=bash>
tc -s qdisc
</source>

=== JAIL: dropbert2 ===

First load "dummynet.ko" on the FreeNAS HOST and add it as a tunable via the web GUI!

Load the dummynet kernel module
<source lang=bash>
kldload dummynet
</source>

'''System -> Tunable''': ''dummynet_load'' | ''YES'' | ''loader'' | ''DummyNet''

'''Dummynet rules are currently not set up!'''

== Addenda ==

=== 01.10.2015 ===

PPPoE timeout: CARP switches the IP after just 1-2 seconds, but until the old PPPoE session has expired and the new one can be established, roughly 120 seconds may pass.