Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- stellar-lab-kvm-pfsense-debian [2017/09/03 15:35] – angelegt benny
+++ stellar-lab-kvm-pfsense-debian [2024/06/09 10:29] (aktuell) – Externe Bearbeitung 127.0.0.1
@@ Zeile 307: / Zeile 307: @@
 ===== DHCP Konfiguration (isc-dhcp-server) =====
 Debian Stretch
+  * Wichtig ist hier die Option 138 (ovwma) für OmniVista im Stellar AP Netzwerk (Vlan 10)
+  * Der DHCP soll nur im Vlan 2 lauschen, da wir den DHCP Helper im OS6450 verwenden wollen
 <code>
@@ Zeile 451: / Zeile 454: @@
 </code>
+===== DNS Konfiguration (bind9) =====
+Debian Stretch
+  * Wichtig ist den lokalen Netzwerken zu erlauben den DNS auch nutzen zu dürfen
+<code>
+$ cat named.conf
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+acl lan {
+.0.0.1;
+.168.2.0/24;
+.168.10.0/24;
+.168.11.0/24;
+.168.12.0/24;
+.168.13.0/24;
+.168.14.0/24;
+.168.15.0/24;
+};
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
+</code>
+<code>
+$ cat named.conf.options
+options {
+	directory "/var/cache/bind";
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+	// If your ISP provided one or more IP addresses for stable
+	// nameservers, you probably want to use them as forwarders.
+	// Uncomment the following block, and insert the addresses replacing
+	// the all-0's placeholder.
+	//forwarders {
+	//	0.0.0.0;
+	//};
+	allow-query { lan; };
+	allow-query-cache { lan; };
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys.  See https://www.isc.org/bind-keys
+	//========================================================================
+	dnssec-validation auto;
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+};
+</code>
+<code>
+$ cat named.conf.local
+//
+// Do any local configuration here
+//
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+zone "home" {
+type master;
+file "/etc/bind/db.home";
+};
+zone "2.168.192.in-addr.arpa" {
+type master;
+file "/etc/bind/db.2.168.192";
+};
+zone "10.168.192.in-addr.arpa" {
+type master;
+file "/etc/bind/db.10.168.192";
+};
+zone "11.168.192.in-addr.arpa" {
+type master;
+file "/etc/bind/db.11.168.192";
+};
+zone "12.168.192.in-addr.arpa" {
+type master;
+file "/etc/bind/db.12.168.192";
+};
+zone "13.168.192.in-addr.arpa" {
+type master;
+file "/etc/bind/db.13.168.192";
+};
+zone "14.168.192.in-addr.arpa" {
+type master;
+file "/etc/bind/db.14.168.192";
+};
+zone "15.168.192.in-addr.arpa" {
+type master;
+file "/etc/bind/db.15.168.192";
+};
+</code>
+<code>
+$ cat db.home
+;
+$TTL	86400
+;@	IN	SOA	localhost. root.localhost. (
+@	IN	SOA	shiva.home. shiva.home. (
+		; Serial
+		; Refresh
+		; Retry
+			2419200		; Expire
+)	; Negative Cache TTL
+;
+@		IN	NS	shiva.home.
+		IN	A	192.168.2.1
+shiva		IN	A	192.168.2.1
+os6450		IN	A	192.168.2.10
+omnivista	IN	A	192.168.2.15
+upam		IN	A	192.168.2.16
+fwinet		IN	A	192.168.2.254
+ap-d060		IN	A	192.168.10.10
+;os6450		IN	A	192.168.10.254
+iphone		IN	A	192.168.11.100
+ipad		IN	A	192.168.11.101
+mbp		IN	A	192.168.11.102
+;os6450		IN	A	192.168.11.254
+;os6450		IN	A	192.168.12.254
+;os6450		IN	A	192.168.13.254
+rap3		IN	A	192.168.14.100
+;os6450		IN	A	192.168.14.254
+;os6450		IN	A	192.168.15.254
+</code>
+<code>
+$ cat db.2.168.192
+;
+$TTL	604800
+;@	IN	SOA	localhost. root.localhost. (
+@	IN	SOA	shiva.home. shiva.home. (
+		; Serial
+		; Refresh
+		; Retry
+			2419200		; Expire
+)	; Negative Cache TTL
+;
+@	IN	NS	shiva.home.
+;
+	IN	PTR	shiva.home.
+	IN	PTR	os6450.home.
+	IN	PTR	omnivista.home.
+	IN	PTR	upam.home.
+	IN	PTR	fwinet.home.
+</code>
+<code>
+$ cat db.10.168.192
+;
+$TTL	604800
+;@	IN	SOA	localhost. root.localhost. (
+@	IN	SOA	shiva.home. shiva.home. (
+		; Serial
+		; Refresh
+		; Retry
+			2419200		; Expire
+)	; Negative Cache TTL
+;
+@	IN	NS	shiva.home.
+;
+;1	IN	PTR	shiva.home.
+	IN	PTR	ap-d060.home.
+	IN	PTR	os6450.home.
+</code>
+===== pfSense Screenshots =====
+==== virtIO: Checksum Offloading ausschalten ====
+Bei virtIO NICs bitte Checksum Offloading ausschalten.
+{{ :pfsense:2.png?direct&600 |}}
+==== LAN Gateway einrichten ====
+Dieses brauchen wir für lokale Netze
+{{ :pfsense:fwinet_home_-_system_routing_gateways.png?direct&600 |}}
+==== Statische Routen einrichten ====
+Hierfür verwenden wir das eben eingerichtete Gateway
+{{ :pfsense:fwinet_home_-_system_routing_static_routes.png?direct&600 |}}
+==== Outbound-NAT kontrollieren ====
+{{ :pfsense:fwinet_home_-_firewall_nat_outbound.png?direct&600 |}}
+==== Firewall-Regeln ausgehend für die lokalen LAN Netze anlegen ====
+Da ich nicht weiß wie man den Alias "LAN Net" ändert, legen wir eigene Regeln an die unseren Traffic durchlassen.
+{{ :pfsense:fwinet_home_-_firewall_rules_lan.png?direct&600 |}}
+==== Ansicht des Dashboards ====
+{{ :pfsense:fwinet_home_-_status_dashboard.png?direct&600 |}}