Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- raspberry-pi-aufsetzen [2016/08/19 22:19] – benny
+++ raspberry-pi-aufsetzen [2024/06/09 10:29] (aktuell) – Externe Bearbeitung 127.0.0.1
@@ Zeile 206: / Zeile 206: @@
 Optional
 (smcroute)
+===== IPv6 deaktivieren (wahlweise) =====
+<code bash>
+echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
+</code>
+bzw. in der sysctl.conf
+<code bash>
+net.ipv6.conf.all.disable_ipv6 = 1
+</code>
+===== iptables für NAT zwischen wlan0 und eth0 =====
+<code bash>
+sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
+sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
+# In /etc/network/interfaces o.ae. irgendwo unten
+up iptables-restore < /etc/iptables.ipv4.nat
+</code>
 ===== Multicast am OmniSwitch 6450 (6.7.1.86.R03) + Raspberry Pi =====
@@ Zeile 344: / Zeile 366: @@
 pi@pi2:~ $ sudo smcroute -j eth0 239.0.10.1
 </code>
+> Startet den Prozess als Daemon (Superuser Rechte sind Muss!)
+>> sudo smcroute -d
+> Sendet einen "IGMP-Join" über die angegebene Schnittstelle und registriert dies lokal auch im Kernel
+>> sudo smcroute -j eth0 239.0.10.1
+> Sendet einen IGMP-Leave" über die angegebene Schnittstele
+>> sudo smcroute -l eth0 239.0.10.1
+> Beendet den Prozess
+>> sudo smcroute -k
+Alternativ kann man das Paket "socat" verwenden (mir gefällt smcroute derzeit besser):
+> Registriert die Adresse 239.0.10.1 auf der Schnittstelle eth0
+>> pi@pi2:~ $ socat STDIO UDP4-RECV:1234,ip-add-membership=239.0.10.1:eth0
 **Pi2 SSH Session 2**
@@ Zeile 415: / Zeile 450: @@
 </code>
+Es fällt auf dass der Eintrag der 239er Multicast Gruppe immer wieder "vergessen" wird vom Switch. Dies liegt daran dass der smcroute Daemon nicht selbstständig die Registrierung aktiv hält, sondern darum gebeten werden muss.
+**Wir aktivieren dafür "ip multicast querying" auf dem OmniSwitch 6450**
+<code>
+-> show ip multicast
+Status                                          = enabled,
+Querying                                        = disabled,
+Proxying                                        = disabled,
+Spoofing                                        = disabled,
+Zapping                                         = disabled,
+Querier Forwarding                              = disabled,
+Flood Unknown                                   = disabled,
+Dynamic control drop-all status                 = disabled,
+Version                                         = 2,
+Robustness                                      = 2,
+Query Interval (seconds)                        = 125,
+Query Response Interval (tenths of seconds)     = 100,
+Last Member Query Interval (tenths of seconds)  = 10,
+Unsolicited Report Interval (seconds)           = 1,
+Router Timeout (seconds)                        = 90,
+Source Timeout (seconds)                        = 30,
+Max-group                                       = 0,
+Max-group action                                = none
+-> ip multicast querying enable
+-> show ip multicast
+Status                                          = enabled,
+Querying                                        = enabled,
+Proxying                                        = disabled,
+Spoofing                                        = disabled,
+Zapping                                         = disabled,
+Querier Forwarding                              = disabled,
+Flood Unknown                                   = disabled,
+Dynamic control drop-all status                 = disabled,
+Version                                         = 2,
+Robustness                                      = 2,
+Query Interval (seconds)                        = 125,
+Query Response Interval (tenths of seconds)     = 100,
+Last Member Query Interval (tenths of seconds)  = 10,
+Unsolicited Report Interval (seconds)           = 1,
+Router Timeout (seconds)                        = 90,
+Source Timeout (seconds)                        = 30,
+Max-group                                       = 0,
+Max-group action                                = none
+-> show ip multicast querier
+Total 1 Queriers
+Host Address    VLAN  Port  Static  Count  Life
+---------------+-----+-----+-------+------+-----
+.168.5.104    1    CPU   no      0      24
+</code>
+Diese Konfiguration sorgt dafür dass der Switch regelmäßig fragt wer für welche Gruppen registriert ist und darauf reagiert der smcroute Daemon dann auch und der Eintrag wird aktiv gehalten.
+<code>
+-> show ip multicast group
+Total 1 Groups
+Group Address   Source Address  VLAN  Port  Mode     Static  Count  Life  RVLAN
+---------------+---------------+-----+-----+--------+-------+------+-----+------
+.0.10.1      0.0.0.0          1    1/3   exclude  no      5      257   -
+-> show ip multicast group
+Total 1 Groups
+Group Address   Source Address  VLAN  Port  Mode     Static  Count  Life  RVLAN
+---------------+---------------+-----+-----+--------+-------+------+-----+------
+.0.10.1      0.0.0.0          1    1/3   exclude  no      7      173   -
+-> show ip multicast group
+Total 1 Groups
+Group Address   Source Address  VLAN  Port  Mode     Static  Count  Life  RVLAN
+---------------+---------------+-----+-----+--------+-------+------+-----+------
+.0.10.1      0.0.0.0          1    1/3   exclude  no      5      259   -
+->
+->
+</code>
+**So sieht dies auf Seite des Pi2 aus**
+<code>
+pi@pi2:~ $ sudo tshark -i eth0 -Y igmp
+tshark: Lua: Error during loading:
+ [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
+Running as user "root" and group "root". This could be dangerous.
+Capturing on 'eth0'
+  16.914403 192.168.5.156 -> 239.0.10.1   IGMPv2 46 Membership Report group 239.0.10.1
+  24.554366 192.168.5.156 -> 239.0.10.1   IGMPv2 46 Membership Report group 239.0.10.1
+  30.954357 192.168.5.156 -> 239.0.10.1   IGMPv2 46 Membership Report group 239.0.10.1
+  41.338705 192.168.5.104 -> 224.0.0.1    IGMPv2 60 Membership Query, general             <---------
+  48.614361 192.168.5.156 -> 224.0.0.251  IGMPv2 46 Membership Report group 224.0.0.251
+  50.834353 192.168.5.156 -> 239.0.10.1   IGMPv2 46 Membership Report group 239.0.10.1    <- !!!!
+^C6 packets captured
+</code>
+Nun fällt auf dass der Pi2 nicht auf den ICMP Echo Request antwortet, obwohl er ihn erhält (geht ja an eine Multicast Adresse).
+**Dies aktivieren wir für diesen Test wie folgt:**
+<code>
+pi@pi2:~ $ cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+pi@pi2:~ $ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts=0
+net.ipv4.icmp_echo_ignore_broadcasts = 0
+</code>
+**Hier nun das finale Ergebnis (Multicast Echo Request, Unicast Echo Response)**
+<code>
+pi@pi2:~ $ sudo tshark -i eth0 -Y "igmp or ip.dst==239.0.10.1 or ip.dst == 192.168.5.155"
+tshark: Lua: Error during loading:
+ [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
+Running as user "root" and group "root". This could be dangerous.
+Capturing on 'eth0'
+   4.793110 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=2/512, ttl=1
+   4.793220 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=2/512, ttl=64
+   5.793032 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=3/768, ttl=1
+   5.793124 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=3/768, ttl=64
+   6.793028 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=4/1024, ttl=1
+   6.793128 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=4/1024, ttl=64
+   7.793004 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=5/1280, ttl=1
+   7.793078 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=5/1280, ttl=64
+   8.793011 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=6/1536, ttl=1
+   8.793096 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=6/1536, ttl=64
+   9.793004 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=7/1792, ttl=1
+   9.793076 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=7/1792, ttl=64
+  10.793052 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=8/2048, ttl=1
+  10.793149 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=8/2048, ttl=64
+  11.793021 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=9/2304, ttl=1
+  11.793093 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=9/2304, ttl=64
+  12.793017 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=10/2560, ttl=1
+  12.793100 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=10/2560, ttl=64
+  13.149535 192.168.5.104 -> 224.0.0.1    IGMPv2 60 Membership Query, general
+  13.793005 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=11/2816, ttl=1
+  13.793076 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=11/2816, ttl=64
+  14.793031 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=12/3072, ttl=1
+  14.793119 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=12/3072, ttl=64
+  15.793022 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=13/3328, ttl=1
+  15.793091 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=13/3328, ttl=64
+  16.793035 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=14/3584, ttl=1
+  16.793121 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=14/3584, ttl=64
+  17.135066 192.168.5.156 -> 239.0.10.1   IGMPv2 46 Membership Report group 239.0.10.1
+  17.793027 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=15/3840, ttl=1
+  17.793098 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=15/3840, ttl=64
+  18.793047 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=16/4096, ttl=1
+  18.793144 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=16/4096, ttl=64
+  19.793026 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=17/4352, ttl=1
+  19.793099 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=17/4352, ttl=64
+  20.793037 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=18/4608, ttl=1
+  20.793124 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=18/4608, ttl=64
+  21.793024 192.168.5.155 -> 239.0.10.1   ICMP 98 Echo (ping) request  id=0x0699, seq=19/4864, ttl=1
+  21.793100 192.168.5.156 -> 192.168.5.155 ICMP 98 Echo (ping) reply    id=0x0699, seq=19/4864, ttl=64
+  22.765096 192.168.5.156 -> 224.0.0.251  IGMPv2 46 Membership Report group 224.0.0.251
+^C39 packets captured
+</code>
+Nun wurde mir seitens eines geschätzten Business Partners berichtet dass es eine Herausforderung gibt, wenn der Client der den Multicast erhalten soll per "User-Network-Profile" (UNP) angebunden und per non-supplicant Authentifizierung ist. (Dann sollte kein Eintrag in der Ausgabe von "ip multicast group" auftauchen)
+**Authentifizierung auf dem OmniSwitch einrichten**
+<code>
+-> aaa radius-server rad01 host 192.168.5.1 key verysecret
+->
+-> aaa test-radius-server rad01 type authentication user alcatel password alcatel method pap
+Testing Radius Server <192.168.5.1/rad01>
+Access-Accept from 192.168.5.1 Port 1812 Time: 2 ms
+Returned Attributes
+-> vlan port mobile 1/3
+-> vlan port 1/3 802.1x enable
+-> ! Durch folgendes Kommando halten wir uns nicht mit 802.1x auf sondern machen direkt "non-supplicant"
+-> 802.1x 1/3 supp-polling retry 0
+->
+-> 802.1x 1/3 non-supplicant policy authentication pass default-vlan fail block
+->
+-> aaa authentication mac rad01
+->
+-> ! Der häufigste Fehler ist die folgende Zeile nicht zu haben, also daher los!
+-> aaa authentication 802.1x rad01
+->
+-> ! Gleich mal probieren, Pi2 abgezogen und aufgesteckt ...
+-> show 802.1x non-supplicant
+Slot  MAC               MAC Authent      Classification      Vlan
+Port  Address           Status           Policy              Learned
+-----+-----------------+----------------+-------------------+--------
+/03 b8:27:eb:61:78:ec Authenticated    Basic-Dft VLAN      1
+-> ! Aber es ging ja um das UNP, daher ..
+-> aaa user-network-profile name "mcasttest" vlan 1
+-> show 802.1x non-supplicant
+Slot  MAC               MAC Authent      Classification      Vlan
+Port  Address           Status           Policy              Learned
+-----+-----------------+----------------+-------------------+--------
+/03 b8:27:eb:61:78:ec Authenticated    Basic-UNP-Auth Svr  1
+-> show 802.1x non-supplicant unp
+Slot  MAC               Vlan  HIC             Dynamic
+Port  Address                 Status          UNP
+-----+-----------------+-----+---------------+-----------------
+/03 b8:27:eb:61:78:ec     1 Not Started     mcasttest
+-> show ip multicast group
+Total 1 Groups
+Group Address   Source Address  VLAN  Port  Mode     Static  Count  Life  RVLAN
+---------------+---------------+-----+-----+--------+-------+------+-----+------
+.0.10.1      0.0.0.0          1    1/3   exclude  no      2      155   -
+</code>
+Der Ping läuft auch wie zuvor. Da scheint der Aufbau beim Partner doch irgendwie anders zu sein. :(
+**Das sagt der Freeradius (v2)**
+<code>
+rad_recv: Access-Request packet from host 192.168.5.104 port 1030, id=4, length=98
+	User-Name = "B827EB6178EC"
+	User-Password = "B827EB6178EC"
+	NAS-IP-Address = 192.168.5.104
+	NAS-Port = 77
+	NAS-Port-Type = Ethernet
+	Calling-Station-Id = "b827eb6178ec"
+	Service-Type = Call-Check
+# Executing section authorize from file /etc/freeradius/sites-enabled/default
++group authorize {
+++[preprocess] = ok
+++[chap] = noop
+++[mschap] = noop
+++[digest] = noop
+[suffix] No '@' in User-Name = "B827EB6178EC", looking up realm NULL
+[suffix] No such realm "NULL"
+++[suffix] = noop
+[eap] No EAP-Message, not doing EAP
+++[eap] = noop
+[files] users: Matched entry B827EB6178EC at line 98
+++[files] = ok
+++[expiration] = noop
+++[logintime] = noop
+++[pap] = updated
++} # group authorize = updated
+Found Auth-Type = PAP
+# Executing group from file /etc/freeradius/sites-enabled/default
++group PAP {
+[pap] login attempt with password "B827EB6178EC"
+[pap] Using clear text password "B827EB6178EC"
+[pap] User authenticated successfully
+++[pap] = ok
++} # group PAP = ok
+# Executing section post-auth from file /etc/freeradius/sites-enabled/default
++group post-auth {
+++[exec] = noop
++} # group post-auth = noop
+Sending Access-Accept of id 4 to 192.168.5.104 port 1030
+	Framed-Filter-Id = "mcasttest"
+Finished request 0.
+Going to the next request
+Waking up in 4.9 seconds.
+Cleaning up request 0 ID 4 with timestamp +23
+</code>