====== Stellar WLAN lab based on KVM ======

  * Firewall / Internet gateway at 192.168.2.254
  * DHCP at 192.168.2.1
  * DNS at 192.168.2.1
  * NTP at 192.168.2.1
  * OS6450 at 192.168.2.10, and at .254 in every client network

===== OS6450 configuration =====

Example configuration from my OS6450-P10.

<code>
BennyE$ ssh admin@os6450
admin's password for keyboard-interactive method:
Welcome to the Alcatel-Lucent OmniSwitch 6450
Software Version 6.7.2.85.R01 Development, August 11, 2017.

Copyright(c), ALE USA Inc., 2017. All Rights reserved.

OmniSwitch(TM) is a trademark of Alcatel-Lucent Enterprise registered
in the United States Patent and Trademark Office.

OS6450-P10-> show configuration snapshot
! Stack Manager :
! Chassis :
system name OS6450-P10
system contact "Benny Eggerstedt"
system location "Benny's Lab"
system timezone CET
system daylight savings time enable
! Configuration:
! VLAN :
vlan 1 disable name "VLAN 1"
vlan 2 enable name "192.168.2.x/24 Server"
vlan 2 port default 1/8
vlan 10 enable name "192.168.10.x/24 Stellar OV"
vlan 10 port default 1/1
vlan 10 port default 1/3
vlan 10 port default 1/5
vlan 10 port default 1/7
vlan 10 port default 1/11
vlan 10 port default 1/12
vlan 11 enable name "192.168.11.x/24"
vlan 12 enable name "192.168.12.x/24"
vlan 13 enable name "192.168.13.x/24"
vlan 14 enable name "192.168.14.x/24"
vlan 14 port default 1/6
vlan 14 port default 1/9
vlan 15 enable name "192.168.15.x/24 Stellar Express"
! VLAN SL:
! IP :
ip service all
ip interface "vlan-2" address 192.168.2.10 mask 255.255.255.0 vlan 2 ifindex 2
ip interface "vlan-10" address 192.168.10.254 mask 255.255.255.0 vlan 10 ifindex 3
ip interface "vlan-11" address 192.168.11.254 mask 255.255.255.0 vlan 11 ifindex 4
ip interface "vlan-12" address 192.168.12.254 mask 255.255.255.0 vlan 12 ifindex 5
ip interface "vlan-13" address 192.168.13.254 mask 255.255.255.0 vlan 13 ifindex 6
ip interface "vlan-14" address 192.168.14.254 mask 255.255.255.0 vlan 14 ifindex 7
ip interface "vlan-15" address 192.168.15.254 mask 255.255.255.0 vlan 15 ifindex 8
! IPMS :
! AAA :
aaa authentication default "local"
user password-size min 9
user password-policy min-uppercase 1
user password-policy min-lowercase 1
user password-policy min-digit 1
user password-policy min-nonalpha 1
! PARTM :
! 802.1x :
! QOS :
! Policy manager :
! Session manager :
session timeout cli 999
session prompt default "OS6450-P10->"
! SNMP :
snmp authentication trap enable
snmp station 192.168.2.15 162 "snmpv3" v3 enable
! RIP :
! IPv6 :
! IP multicast :
! IPRM :
ip static-route 0.0.0.0/0 gateway 192.168.2.254 metric 1
! RIPng :
! Health monitor :
! Interface :
interfaces 1/1 alias "Stellar Wireless AP1221 03:d0:60"
interfaces 1/5 alias "Stellar Wireless AP1101 00:12:80"
interfaces 1/7 alias "Stellar Wireless AP1221 00:1b:d0"
interfaces 1/9 alias "RAP3"
interfaces 1/10 alias "Uplink zu Debian KVM"
! Udld :
! Port Mapping :
! Link Aggregate :
! VLAN AGG:
! 802.1Q :
vlan 11 802.1q 1/1 "TAG PORT 1/1 VLAN 11"
vlan 12 802.1q 1/1 "TAG PORT 1/1 VLAN 12"
vlan 11 802.1q 1/3 "TAG PORT 1/3 VLAN 11"
vlan 12 802.1q 1/3 "TAG PORT 1/3 VLAN 12"
vlan 11 802.1q 1/5 "TAG PORT 1/5 VLAN 11"
vlan 12 802.1q 1/5 "TAG PORT 1/5 VLAN 12"
vlan 11 802.1q 1/7 "TAG PORT 1/7 VLAN 11"
vlan 12 802.1q 1/7 "TAG PORT 1/7 VLAN 12"
vlan 11 802.1q 1/8 "TAG PORT 1/8 VLAN 11"
vlan 12 802.1q 1/8 "TAG PORT 1/8 VLAN 12"
vlan 2 802.1q 1/10 "TAG PORT 1/10 VLAN 2"
vlan 10 802.1q 1/10 "TAG PORT 1/10 VLAN 10"
vlan 11 802.1q 1/10 "TAG PORT 1/10 VLAN 11"
vlan 12 802.1q 1/10 "TAG PORT 1/10 VLAN 12"
vlan 13 802.1q 1/10 "TAG PORT 1/10 VLAN 13"
vlan 14 802.1q 1/10 "TAG PORT 1/10 VLAN 14"
vlan 15 802.1q 1/10 "TAG PORT 1/10 VLAN 15"
! Spanning tree :
bridge mode 1x1
! Bridging :
! Bridging :
! Port mirroring :
sflow receiver 1 name ovAnalyticService address 192.168.2.15 udp-port 6343 packet-size 1400 version 5 timeout 0
sflow sampler 1 1/1 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/2 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/3 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/4 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/5 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/6 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/7 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/8 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/9 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/10 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/11 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/12 receiver 1 rate 128 sample-hdr-size 128
! UDP Relay :
ip helper per-vlan only
ip helper address 192.168.2.1 vlan 10
ip helper address 192.168.2.1 vlan 11
ip helper address 192.168.2.1 vlan 12
ip helper address 192.168.2.1 vlan 13
ip helper address 192.168.2.1 vlan 14
ip helper address 192.168.2.1 vlan 15
! System service :
ip name-server 192.168.2.1
ip domain-name home
ip domain-lookup
swlog console level info
! SSH :
! VRRP :
! Web :
! AMAP :
! Lan Power :
lanpower stop 1/2
lanpower stop 1/4
lanpower stop 1/6
lanpower stop 1/8
! NTP :
ntp server 192.168.2.1 key 0 version 4 minpoll 6 prefer
ntp client enable
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
! EFM-OAM :
! SAA :
! Loopback-detection :
! ERP :
! TEST-OAM :
! PPPOE-IA :
! DHL :
! LLDP :
lldp chassis tlv management port-description enable system-name enable system-description enable system-capabilities enable
lldp chassis tlv management management-address enable
lldp chassis tlv dot1 vlan-name enable port-vlan enable
lldp chassis tlv dot3 mac-phy enable
lldp chassis tlv med capability enable
! DHCP Server :
! Stack Split-Protection Helper :
! Openflow :
! DHCPv6 :
! TWAMP :
</code>

===== Linux bridge configuration =====

This lets virtual machines (KVM) attach directly to any of the networks.

<code>
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp

# Interface towards ISP
auto brWAN
iface brWAN inet manual
	bridge_ports eno5
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off

# Interface towards internal network - eno1
# VLAN dot1q 2, 10, 11, 12, 13, 14, 15
auto eno1.2 eno1.10 eno1.11 eno1.12 eno1.13 eno1.14 eno1.15
# Ensure that there is no IP address on the interfaces
#iface eno1.1 inet manual
iface eno1.2 inet manual
iface eno1.10 inet manual
iface eno1.11 inet manual
iface eno1.12 inet manual
iface eno1.13 inet manual
iface eno1.14 inet manual
iface eno1.15 inet manual

auto brvlan2
iface brvlan2 inet static
	address 192.168.2.1
	network 192.168.2.0
	netmask 255.255.255.0
	gateway 192.168.2.254
	bridge_ports eno1.2
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off
	# Routing towards clients through OS6450
	up /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.2.10
	up /sbin/route add -net 192.168.11.0 netmask 255.255.255.0 gw 192.168.2.10
	up /sbin/route add -net 192.168.12.0 netmask 255.255.255.0 gw 192.168.2.10
	up /sbin/route add -net 192.168.13.0 netmask 255.255.255.0 gw 192.168.2.10
	up /sbin/route add -net 192.168.14.0 netmask 255.255.255.0 gw 192.168.2.10
	up /sbin/route add -net 192.168.15.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.11.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.12.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.13.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.14.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.15.0 netmask 255.255.255.0 gw 192.168.2.10

auto brvlan10
iface brvlan10 inet manual
	bridge_ports eno1.10
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off

auto brvlan11
iface brvlan11 inet manual
	bridge_ports eno1.11
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off

auto brvlan12
iface brvlan12 inet manual
	bridge_ports eno1.12
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off

auto brvlan13
iface brvlan13 inet manual
	bridge_ports eno1.13
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off

auto brvlan14
iface brvlan14 inet manual
	bridge_ports eno1.14
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off

auto brvlan15
iface brvlan15 inet manual
	bridge_ports eno1.15
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off
</code>

===== DHCP configuration (isc-dhcp-server) =====

Debian Stretch

  * The important part is option 138 (ovwma), which points the Stellar APs in VLAN 10 to OmniVista
  * The DHCP server should only listen in VLAN 2, because we want to use the DHCP helper (relay) on the OS6450

<code>
$ cat /etc/dhcp/dhcpd.conf
#
# Sample configuration file for ISC dhcpd for Debian
#
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "home";
option domain-name-servers 192.168.2.1;

default-lease-time 6000;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

#
# Classify Stellar AP as STELLAR
#
class "STELLAR" {
  match if substring (option vendor-class-identifier, 0, 4) = "HAP.";
}

#
# Create custom option 138
#
option ovwma code 138 = ip-address;

subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.100 192.168.2.200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.2.10;
  option broadcast-address 192.168.2.255;
  default-lease-time 6000;
  max-lease-time 72000;
}

subnet 192.168.10.0 netmask 255.255.255.0 {
  option routers 192.168.10.254;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.10.255;
  default-lease-time 6000;
  max-lease-time 72000;
  # Pool for Stellar AP
  pool {
    allow members of "STELLAR";
    range 192.168.10.10 192.168.10.20;
    option ovwma 192.168.2.15;
  }
  pool {
    range 192.168.10.21 192.168.10.50;
    allow unknown-clients;
  }
}

subnet 192.168.11.0 netmask 255.255.255.0 {
  range 192.168.11.100 192.168.11.200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.11.254;
  option broadcast-address 192.168.11.255;
  default-lease-time 6000;
  max-lease-time 72000;
}

subnet 192.168.12.0 netmask 255.255.255.0 {
  range 192.168.12.100 192.168.12.200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.12.254;
  option broadcast-address 192.168.12.255;
  default-lease-time 6000;
  max-lease-time 72000;
}

subnet 192.168.13.0 netmask 255.255.255.0 {
  range 192.168.13.100 192.168.13.200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.13.254;
  option broadcast-address 192.168.13.255;
  default-lease-time 6000;
  max-lease-time 72000;
}

subnet 192.168.14.0 netmask 255.255.255.0 {
  range 192.168.14.100 192.168.14.200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.14.254;
  option broadcast-address 192.168.14.255;
  default-lease-time 6000;
  max-lease-time 72000;
}

subnet 192.168.15.0 netmask 255.255.255.0 {
  range 192.168.15.100 192.168.15.200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.15.254;
  option broadcast-address 192.168.15.255;
  default-lease-time 6000;
  max-lease-time 72000;
}
</code>

<code>
$ cat /etc/default/isc-dhcp-server
# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPD_CONF=/etc/dhcp/dhcpd.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPD_PID=/var/run/dhcpd.pid

# Additional options to start dhcpd with.
#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
#INTERFACES="brvlan2"
INTERFACESv4="brvlan2"
</code>

===== DNS configuration (bind9) =====

Debian Stretch

  * The important part is to allow the local networks to actually use the DNS server

<code>
$ cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

acl lan {
	127.0.0.1;
	192.168.2.0/24;
	192.168.10.0/24;
	192.168.11.0/24;
	192.168.12.0/24;
	192.168.13.0/24;
	192.168.14.0/24;
	192.168.15.0/24;
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
</code>

<code>
$ cat named.conf.options
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk. See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	//forwarders {
	//	0.0.0.0;
	//};

	allow-query { lan; };
	allow-query-cache { lan; };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys. See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
};
</code>

<code>
$ cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "home" {
	type master;
	file "/etc/bind/db.home";
};

zone "2.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.2.168.192";
};

zone "10.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.10.168.192";
};

zone "11.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.11.168.192";
};

zone "12.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.12.168.192";
};

zone "13.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.13.168.192";
};

zone "14.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.14.168.192";
};

zone "15.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.15.168.192";
};
</code>

<code>
$ cat db.home
;
$TTL	86400
;@	IN	SOA	localhost. root.localhost. (
@	IN	SOA	shiva.home. shiva.home. (
			      7		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			  86400 )	; Negative Cache TTL
;
@		IN	NS	shiva.home.
		IN	A	192.168.2.1
shiva		IN	A	192.168.2.1
os6450		IN	A	192.168.2.10
omnivista	IN	A	192.168.2.15
upam		IN	A	192.168.2.16
fwinet		IN	A	192.168.2.254
ap-d060		IN	A	192.168.10.10
;os6450		IN	A	192.168.10.254
iphone		IN	A	192.168.11.100
ipad		IN	A	192.168.11.101
mbp		IN	A	192.168.11.102
;os6450		IN	A	192.168.11.254
;os6450		IN	A	192.168.12.254
;os6450		IN	A	192.168.13.254
rap3		IN	A	192.168.14.100
;os6450		IN	A	192.168.14.254
;os6450		IN	A	192.168.15.254
</code>

<code>
$ cat db.2.168.192
;
$TTL	604800
;@	IN	SOA	localhost. root.localhost. (
@	IN	SOA	shiva.home. shiva.home. (
			      4		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@	IN	NS	shiva.home.
;
1	IN	PTR	shiva.home.
10	IN	PTR	os6450.home.
15	IN	PTR	omnivista.home.
16	IN	PTR	upam.home.
254	IN	PTR	fwinet.home.
</code>

<code>
$ cat db.10.168.192
;
$TTL	604800
;@	IN	SOA	localhost. root.localhost. (
@	IN	SOA	shiva.home. shiva.home. (
			      5		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@	IN	NS	shiva.home.
;
;1	IN	PTR	shiva.home.
10	IN	PTR	ap-d060.home.
254	IN	PTR	os6450.home.
</code>

===== pfSense screenshots =====

==== virtIO: disable checksum offloading ====

With virtIO NICs, disable checksum offloading.

{{ :pfsense:2.png?direct&600 |}}

==== Set up the LAN gateway ====

We need this for the local networks.

{{ :pfsense:fwinet_home_-_system_routing_gateways.png?direct&600 |}}

==== Set up static routes ====

These use the gateway we just set up.

{{ :pfsense:fwinet_home_-_system_routing_static_routes.png?direct&600 |}}

==== Check outbound NAT ====

{{ :pfsense:fwinet_home_-_firewall_nat_outbound.png?direct&600 |}}

==== Create outbound firewall rules for the local LAN networks ====

Since I don't know how to change the "LAN net" alias, we create our own rules that pass our traffic.

{{ :pfsense:fwinet_home_-_firewall_rules_lan.png?direct&600 |}}

==== Dashboard view ====

{{ :pfsense:fwinet_home_-_status_dashboard.png?direct&600 |}}
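For the OS6450 and Linux bridge sections above, an added check that is not part of the page: it compares the VLANs tagged on the uplink port 1/10 in the switch snapshot with the eno1.N sub-interfaces and bridges in /etc/network/interfaces, so drift between the two (a VLAN that reaches the host but has no bridge, or a bridge whose VLAN the switch never tags) shows up before a VM gets attached to the wrong segment. The two excerpts in the block are constructed and deliberately inconsistent; the line formats are those of the configs shown above.

```python
import re

TAG_RE = re.compile(r'^vlan (\d+) 802\.1q (\d+/\d+)\b')   # OS6450 snapshot line
SUBIF_RE = re.compile(r'^iface eno1\.(\d+) inet manual$')  # /etc/network/interfaces
BRIDGE_RE = re.compile(r'^bridge_ports eno1\.(\d+)$')


def trunk_vlans(snapshot, port):
    """VLAN ids tagged on `port` in 'show configuration snapshot' output."""
    return {int(m.group(1)) for line in snapshot.splitlines()
            if (m := TAG_RE.match(line.strip())) and m.group(2) == port}


def host_vlans(interfaces):
    """(declared eno1.N sub-interfaces, sub-interfaces enslaved to a bridge)."""
    subifs, bridged = set(), set()
    for line in interfaces.splitlines():
        line = line.strip()
        if m := SUBIF_RE.match(line):
            subifs.add(int(m.group(1)))
        elif m := BRIDGE_RE.match(line):
            bridged.add(int(m.group(1)))
    return subifs, bridged


def check_trunk(snapshot, interfaces, port="1/10"):
    """Three kinds of drift between the switch trunk and the KVM host."""
    tagged = trunk_vlans(snapshot, port)
    subifs, bridged = host_vlans(interfaces)
    return {
        "tagged_without_bridge": sorted(tagged - bridged),  # frames arrive, no VM can attach
        "bridged_without_tag": sorted(bridged - tagged),    # bridge is a dead end
        "subif_not_bridged": sorted(subifs - bridged),      # declared but unused
    }


# Constructed excerpts (not the page's full configs): VLAN 13 is tagged on 1/10
# but has no bridge on the host, and brvlan16 exists without a tag on the trunk.
SWITCH = """\
vlan 11 802.1q 1/1 "TAG PORT 1/1 VLAN 11"
vlan 2 802.1q 1/10 "TAG PORT 1/10 VLAN 2"
vlan 13 802.1q 1/10 "TAG PORT 1/10 VLAN 13"
"""
HOST = """\
auto eno1.2 eno1.13 eno1.16
iface eno1.2 inet manual
iface eno1.13 inet manual
iface eno1.16 inet manual
iface brvlan2 inet static
	bridge_ports eno1.2
iface brvlan16 inet manual
	bridge_ports eno1.16
"""
```

Run against the real snapshot and interfaces file the same way; all three lists should come back empty for the configuration on this page.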
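For the DHCP section above, an added example that is not part of the original page: it decodes the options field of a DHCPDISCOVER, applies the same test as the STELLAR class (vendor-class-identifier starting with "HAP."), and builds the option 138 TLV that the Stellar pool hands out. The vendor class strings and pool labels are constructed; only the "HAP." prefix, the option code and the OmniVista address come from the page.

```python
import ipaddress

VENDOR_CLASS = 60   # option vendor-class-identifier
OVWMA = 138         # option ovwma code 138 = ip-address;
OMNIVISTA = "192.168.2.15"


def parse_options(raw):
    """Decode an RFC 2132 options field into {code: value}; pad (0) is skipped,
    end (255) stops parsing, and a length that overruns the buffer is rejected."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError(f"truncated option {code}")
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def is_stellar(opts):
    """dhcpd: match if substring (option vendor-class-identifier, 0, 4) = "HAP.";"""
    return opts.get(VENDOR_CLASS, b"")[:4] == b"HAP."


def ovwma_option(addr=OMNIVISTA):
    """Option 138 TLV carrying the OmniVista IPv4 address (code, length 4, address)."""
    packed = ipaddress.IPv4Address(addr).packed
    return bytes([OVWMA, len(packed)]) + packed


def select_pool(opts):
    """Pool choice for subnet 192.168.10.0/24 and the extra option the client gets."""
    if is_stellar(opts):
        return "192.168.10.10-192.168.10.20", ovwma_option()
    return "192.168.10.21-192.168.10.50", b""


# Constructed DISCOVER option fields (the AP model suffix is made up; only the
# "HAP." prefix is what the class on this page matches on).
AP_DISCOVER = b"\x35\x01\x01" + b"\x3c\x0aHAP.AP1221" + b"\xff"
LAPTOP_DISCOVER = b"\x35\x01\x01" + b"\x3c\x08MSFT 5.0" + b"\x00\xff"
```

The vendor class is supplied by the client, so class membership only steers addressing and the option 138 value; it is not an authentication of the AP.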