====== Stellar WLAN Labor auf Basis von KVM ======
* Firewall / Internet-GW auf 192.168.2.254
* DHCP auf 192.168.2.1
* DNS auf 192.168.2.1
* NTP auf 192.168.2.1
* OS6450 auf 192.168.2.10 sowie in allen Client-Netzwerken auf .254
===== OS6450 Konfiguration =====
Exemplarische Konfiguration auf meinem OS6450-P10.
BennyE$ ssh admin@os6450
admin's password for keyboard-interactive method:
Welcome to the Alcatel-Lucent OmniSwitch 6450
Software Version 6.7.2.85.R01 Development, August 11, 2017.
Copyright(c), ALE USA Inc., 2017. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent Enterprise registered
in the United States Patent and Trademark Office.
OS6450-P10-> show configuration snapshot
! Stack Manager :
! Chassis :
! Output of "show configuration snapshot": "!" lines are comments, everything else
! is the running configuration of the lab switch.
system name OS6450-P10
system contact "Benny Eggerstedt"
system location "Benny's Lab"
system timezone CET
system daylight savings time enable
! Configuration:
! VLAN :
! VLAN 2     = server/management network (DHCP, DNS, NTP, OmniVista, firewall at .254).
! VLAN 10    = Stellar AP management network, untagged on the AP ports 1/1, 1/3, 1/5, 1/7
!              (1/11 and 1/12 are in it as well); the APs learn OmniVista's address
!              through DHCP option 138 in this VLAN (see dhcpd.conf).
! VLAN 11-15 = client networks; 11 and 12 reach the APs tagged (802.1Q section below),
!              14 is untagged on 1/6 and 1/9, 13 and 15 exist only on the trunk 1/10.
vlan 1 disable name "VLAN 1"
vlan 2 enable name "192.168.2.x/24 Server"
vlan 2 port default 1/8
vlan 10 enable name "192.168.10.x/24 Stellar OV"
vlan 10 port default 1/1
vlan 10 port default 1/3
vlan 10 port default 1/5
vlan 10 port default 1/7
vlan 10 port default 1/11
vlan 10 port default 1/12
vlan 11 enable name "192.168.11.x/24"
vlan 12 enable name "192.168.12.x/24"
vlan 13 enable name "192.168.13.x/24"
vlan 14 enable name "192.168.14.x/24"
vlan 14 port default 1/6
vlan 14 port default 1/9
vlan 15 enable name "192.168.15.x/24 Stellar Express"
! VLAN SL:
! IP :
! NOTE(review): "ip service all" enables every IP management service the switch has;
! on AOS 6.x that includes clear-text telnet/ftp/http next to ssh (the service list is
! not shown here). Convenient in an isolated lab; otherwise enable only the services
! in use (ssh, snmp, ntp) so the client VLANs see as little of the switch as possible.
ip service all
! The switch routes between all lab VLANs: .10 in VLAN 2 and .254 in every client VLAN.
! The KVM host and pfSense therefore need static routes for 192.168.10-15.0/24 via
! 192.168.2.10 (see the bridge and pfSense sections of this page).
ip interface "vlan-2" address 192.168.2.10 mask 255.255.255.0 vlan 2 ifindex 2
ip interface "vlan-10" address 192.168.10.254 mask 255.255.255.0 vlan 10 ifindex 3
ip interface "vlan-11" address 192.168.11.254 mask 255.255.255.0 vlan 11 ifindex 4
ip interface "vlan-12" address 192.168.12.254 mask 255.255.255.0 vlan 12 ifindex 5
ip interface "vlan-13" address 192.168.13.254 mask 255.255.255.0 vlan 13 ifindex 6
ip interface "vlan-14" address 192.168.14.254 mask 255.255.255.0 vlan 14 ifindex 7
ip interface "vlan-15" address 192.168.15.254 mask 255.255.255.0 vlan 15 ifindex 8
! IPMS :
! AAA :
! Local user database only (no RADIUS/TACACS+ server configured); the password policy
! below applies to every locally defined user.
aaa authentication default "local"
user password-size min 9
user password-policy min-uppercase 1
user password-policy min-lowercase 1
user password-policy min-digit 1
user password-policy min-nonalpha 1
! PARTM :
! 802.1x :
! QOS :
! Policy manager :
! Session manager :
! NOTE(review): 999 minutes of CLI idle time keeps a forgotten SSH or console session
! logged in for most of a day; fine for the lab, a short value is the norm elsewhere.
session timeout cli 999
session prompt default "OS6450-P10->"
! SNMP :
! Traps go to OmniVista at 192.168.2.15 (UDP 162) as SNMPv3 for the user "snmpv3";
! that user's auth/priv settings are not part of this snapshot.
snmp authentication trap enable
snmp station 192.168.2.15 162 "snmpv3" v3 enable
! RIP :
! IPv6 :
! IP multicast :
! IPRM :
! Only a default route, towards the pfSense firewall; every other lab network is a
! directly connected VLAN interface.
ip static-route 0.0.0.0/0 gateway 192.168.2.254 metric 1
! RIPng :
! Health monitor :
! Interface :
! Port aliases. The AP aliases end in the last three octets of the AP's MAC (the DNS
! name ap-d060 in db.home presumably belongs to the AP1221 "03:d0:60" on 1/1).
! 1/10 is the 802.1Q trunk to the KVM host (eno1 on the Debian side).
interfaces 1/1 alias "Stellar Wireless AP1221 03:d0:60"
interfaces 1/5 alias "Stellar Wireless AP1101 00:12:80"
interfaces 1/7 alias "Stellar Wireless AP1221 00:1b:d0"
interfaces 1/9 alias "RAP3"
interfaces 1/10 alias "Uplink zu Debian KVM"
! Udld :
! Port Mapping :
! Link Aggregate :
! VLAN AGG:
! 802.1Q :
! Tagged VLAN membership: the AP ports 1/1, 1/3, 1/5, 1/7 and port 1/8 carry VLANs 11
! and 12 tagged; the trunk 1/10 carries every lab VLAN tagged to the KVM host.
! VLANs 13-15 are not tagged on any AP port.
vlan 11 802.1q 1/1 "TAG PORT 1/1 VLAN 11"
vlan 12 802.1q 1/1 "TAG PORT 1/1 VLAN 12"
vlan 11 802.1q 1/3 "TAG PORT 1/3 VLAN 11"
vlan 12 802.1q 1/3 "TAG PORT 1/3 VLAN 12"
vlan 11 802.1q 1/5 "TAG PORT 1/5 VLAN 11"
vlan 12 802.1q 1/5 "TAG PORT 1/5 VLAN 12"
vlan 11 802.1q 1/7 "TAG PORT 1/7 VLAN 11"
vlan 12 802.1q 1/7 "TAG PORT 1/7 VLAN 12"
vlan 11 802.1q 1/8 "TAG PORT 1/8 VLAN 11"
vlan 12 802.1q 1/8 "TAG PORT 1/8 VLAN 12"
vlan 2 802.1q 1/10 "TAG PORT 1/10 VLAN 2"
vlan 10 802.1q 1/10 "TAG PORT 1/10 VLAN 10"
vlan 11 802.1q 1/10 "TAG PORT 1/10 VLAN 11"
vlan 12 802.1q 1/10 "TAG PORT 1/10 VLAN 12"
vlan 13 802.1q 1/10 "TAG PORT 1/10 VLAN 13"
vlan 14 802.1q 1/10 "TAG PORT 1/10 VLAN 14"
vlan 15 802.1q 1/10 "TAG PORT 1/10 VLAN 15"
! Spanning tree :
! 1x1 = one spanning-tree instance per VLAN (as opposed to the single "flat" instance).
bridge mode 1x1
! Bridging :
! Bridging :
! Port mirroring :
! sFlow: 1-in-128 packet sampling with 128-byte headers on all twelve ports, sent to
! OmniVista's analytics collector ("timeout 0" = the receiver entry never expires).
! The sampled headers contain client traffic from every VLAN, so the collector host
! should only be reachable from the management network.
sflow receiver 1 name ovAnalyticService address 192.168.2.15 udp-port 6343 packet-size 1400 version 5 timeout 0
sflow sampler 1 1/1 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/2 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/3 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/4 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/5 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/6 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/7 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/8 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/9 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/10 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/11 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/12 receiver 1 rate 128 sample-hdr-size 128
! UDP Relay :
! DHCP relay. "per-vlan only": only VLANs with an explicit helper address are relayed.
! VLAN 2 has none and is served directly by the dhcpd on 192.168.2.1; requests from
! VLANs 10-15 are forwarded there, which is why dhcpd.conf declares each of those subnets.
ip helper per-vlan only
ip helper address 192.168.2.1 vlan 10
ip helper address 192.168.2.1 vlan 11
ip helper address 192.168.2.1 vlan 12
ip helper address 192.168.2.1 vlan 13
ip helper address 192.168.2.1 vlan 14
ip helper address 192.168.2.1 vlan 15
! System service :
! Name resolution through the lab bind9 on 192.168.2.1 and its "home" zone.
ip name-server 192.168.2.1
ip domain-name home
ip domain-lookup
swlog console level info
! SSH :
! VRRP :
! Web :
! AMAP :
! Lan Power :
! PoE switched off on 1/2, 1/4, 1/6 and 1/8 (no AP alias on these ports).
lanpower stop 1/2
lanpower stop 1/4
lanpower stop 1/6
lanpower stop 1/8
! NTP :
! NOTE(review): "key 0" presumably means no authentication key (confirm on this
! release), i.e. the switch trusts whatever answers at 192.168.2.1. Acceptable inside
! the lab VLAN; on a shared network configure an ntp key and reference it here.
ntp server 192.168.2.1 key 0 version 4 minpoll 6 prefer
ntp client enable
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
! EFM-OAM :
! SAA :
! Loopback-detection :
! ERP :
! TEST-OAM :
! PPPOE-IA :
! DHL :
! LLDP :
! LLDP is presumably what OmniVista uses for the wired topology of the APs. Note that
! these chassis TLVs also hand the management address, system description and VLAN
! names to any device plugged into any port.
lldp chassis tlv management port-description enable system-name enable system-description enable system-capabilities enable
lldp chassis tlv management management-address enable
lldp chassis tlv dot1 vlan-name enable port-vlan enable
lldp chassis tlv dot3 mac-phy enable
lldp chassis tlv med capability enable
! DHCP Server :
! Stack Split-Protection Helper :
! Openflow :
! DHCPv6 :
! TWAMP :
===== Konfiguration der Linux Bridges =====
Virtuelle Maschinen (KVM) können so direkt an jedes Netz angebunden werden.
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#
# KVM host ("shiva", 192.168.2.1 in the db.home zone): one Linux bridge per lab VLAN
# so that a VM can be attached to exactly one network. eno1 is the 802.1Q trunk to
# OS6450 port 1/10, eno5 faces the ISP.
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
# Interface towards ISP
# "manual": the host itself has no address on the WAN side; presumably only the
# pfSense VM's WAN interface is attached to brWAN (the VM definitions are not shown).
auto brWAN
iface brWAN inet manual
bridge_ports eno5
bridge_fd 5
bridge_hello 2
bridge_maxage 12
bridge_maxwait 0
bridge_stp off
# Interface towards internal network - eno1
# VLAN dot1q 2, 10, 11, 12, 13, 14, 15
auto eno1.2 eno1.10 eno1.11 eno1.12 eno1.13 eno1.14 eno1.15
# Ensure that there is no IP address on the interfaces
# (the eno1.x legs are only bridge members; the host's single address is on brvlan2)
#iface eno1.1 inet manual
iface eno1.2 inet manual
iface eno1.10 inet manual
iface eno1.11 inet manual
iface eno1.12 inet manual
iface eno1.13 inet manual
iface eno1.14 inet manual
iface eno1.15 inet manual
# Management bridge: the host's only IP address. The default gateway is pfSense at
# .254, NOT the switch, so the client VLANs behind the OS6450 need the explicit
# routes below.
auto brvlan2
iface brvlan2 inet static
address 192.168.2.1
network 192.168.2.0
netmask 255.255.255.0
gateway 192.168.2.254
bridge_ports eno1.2
bridge_fd 5
bridge_hello 2
bridge_maxage 12
bridge_maxwait 0
bridge_stp off
# Routing towards clients through OS6450
# up/down pairs keep the routing table clean across ifdown/ifup. "route" is the legacy
# net-tools command ("ip route add/del" would be the iproute2 equivalent).
up /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.2.10
up /sbin/route add -net 192.168.11.0 netmask 255.255.255.0 gw 192.168.2.10
up /sbin/route add -net 192.168.12.0 netmask 255.255.255.0 gw 192.168.2.10
up /sbin/route add -net 192.168.13.0 netmask 255.255.255.0 gw 192.168.2.10
up /sbin/route add -net 192.168.14.0 netmask 255.255.255.0 gw 192.168.2.10
up /sbin/route add -net 192.168.15.0 netmask 255.255.255.0 gw 192.168.2.10
down /sbin/route delete -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.2.10
down /sbin/route delete -net 192.168.11.0 netmask 255.255.255.0 gw 192.168.2.10
down /sbin/route delete -net 192.168.12.0 netmask 255.255.255.0 gw 192.168.2.10
down /sbin/route delete -net 192.168.13.0 netmask 255.255.255.0 gw 192.168.2.10
down /sbin/route delete -net 192.168.14.0 netmask 255.255.255.0 gw 192.168.2.10
down /sbin/route delete -net 192.168.15.0 netmask 255.255.255.0 gw 192.168.2.10
# Bridges for the AP and client VLANs: "manual" = no host address, they only pass VM
# traffic through to the tagged VLAN on eno1. STP is off on all of them, so loop
# protection is left entirely to the switch; never attach one VM NIC to two bridges.
auto brvlan10
iface brvlan10 inet manual
bridge_ports eno1.10
bridge_fd 5
bridge_hello 2
bridge_maxage 12
bridge_maxwait 0
bridge_stp off
auto brvlan11
iface brvlan11 inet manual
bridge_ports eno1.11
bridge_fd 5
bridge_hello 2
bridge_maxage 12
bridge_maxwait 0
bridge_stp off
auto brvlan12
iface brvlan12 inet manual
bridge_ports eno1.12
bridge_fd 5
bridge_hello 2
bridge_maxage 12
bridge_maxwait 0
bridge_stp off
auto brvlan13
iface brvlan13 inet manual
bridge_ports eno1.13
bridge_fd 5
bridge_hello 2
bridge_maxage 12
bridge_maxwait 0
bridge_stp off
auto brvlan14
iface brvlan14 inet manual
bridge_ports eno1.14
bridge_fd 5
bridge_hello 2
bridge_maxage 12
bridge_maxwait 0
bridge_stp off
auto brvlan15
iface brvlan15 inet manual
bridge_ports eno1.15
bridge_fd 5
bridge_hello 2
bridge_maxage 12
bridge_maxwait 0
bridge_stp off
===== DHCP Konfiguration (isc-dhcp-server) =====
Debian Stretch
* Wichtig ist hier die Option 138 (ovwma) für OmniVista im Stellar-AP-Netzwerk (VLAN 10)
* Der DHCP-Server soll nur im VLAN 2 lauschen, da wir für die anderen VLANs den DHCP-Helper (Relay) des OS6450 verwenden wollen
$ cat /etc/dhcp/dhcpd.conf
#
# Sample configuration file for ISC dhcpd for Debian
#
# Lab dhcpd: serves VLAN 2 directly (it listens on brvlan2 only, see
# /etc/default/isc-dhcp-server) and VLANs 10-15 through the OS6450 relay
# ("ip helper"), hence one subnet declaration per relayed network below.
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
# Domain and resolver match the bind9 "home" zone on this host.
option domain-name "home";
option domain-name-servers 192.168.2.1;
# Global lease times; every subnet below overrides them (max-lease-time 72000 there).
default-lease-time 6000;
max-lease-time 7200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
# Correct here: it is the only DHCP server in the lab, so it may NAK stale leases.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
#
# Classify Stellar AP as STELLAR
#
# Membership is decided by the client-supplied vendor-class string "HAP.", so this
# is a convenience, not authentication: any client that sends that prefix lands in
# the AP pool below and receives the OmniVista address (option 138).
class "STELLAR" {
match if substring (option vendor-class-identifier, 0, 4) = "HAP.";
}
#
# Create custom option 138
#
# Option 138 is the standard CAPWAP Access Controller address option (RFC 5417);
# Stellar APs read the OmniVista address from it. Declared as a single IPv4 address,
# the value itself is set per pool in the VLAN 10 subnet.
option ovwma code 138 = ip-address;
# Server/management VLAN 2 (served directly on brvlan2).
# NOTE(review): "option routers" hands out the OS6450 (.10) as default gateway while
# the host itself and the page header use pfSense at .254. It works because the switch
# has its own default route to .254, but VLAN 2 clients take an extra hop through the
# switch for Internet traffic; .254 would be the direct choice.
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.100 192.168.2.200;
option subnet-mask 255.255.255.0;
option routers 192.168.2.10;
option broadcast-address 192.168.2.255;
default-lease-time 6000;
# 72000 s (20 h) overrides the global 7200; presumably intended, it is the same in
# every subnet - confirm it is not a stray zero.
max-lease-time 72000;
}
# Stellar AP management VLAN 10 (reaches dhcpd via the OS6450 relay). No subnet-level
# range: leases come only from the two pools, the gateway is the switch's VLAN interface.
subnet 192.168.10.0 netmask 255.255.255.0 {
option routers 192.168.10.254;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.10.255;
default-lease-time 6000;
max-lease-time 72000;
# Pool for Stellar AP
# .10-.20 only for clients classified as STELLAR; these also receive option 138
# (OmniVista at 192.168.2.15). Eleven addresses - presumably enough for the lab.
pool {
allow members of "STELLAR";
range 192.168.10.10 192.168.10.20;
option ovwma 192.168.2.15;
}
# Catch-all pool: "unknown-clients" = clients without a host declaration, and there
# is none on this page, so any device in VLAN 10 gets an address here (without
# option 138). An AP that finds the STELLAR pool exhausted would presumably land
# here as well and miss the OmniVista address - confirm if that matters.
pool {
range 192.168.10.21 192.168.10.50;
allow unknown-clients;
}
}
# Client VLANs 11-15 (relayed by the OS6450); identical apart from the third octet.
# "option routers" is the switch's VLAN interface (.254), matching the "ip interface"
# lines of the switch configuration.
subnet 192.168.11.0 netmask 255.255.255.0 {
range 192.168.11.100 192.168.11.200;
option subnet-mask 255.255.255.0;
option routers 192.168.11.254;
option broadcast-address 192.168.11.255;
default-lease-time 6000;
max-lease-time 72000;
}
subnet 192.168.12.0 netmask 255.255.255.0 {
range 192.168.12.100 192.168.12.200;
option subnet-mask 255.255.255.0;
option routers 192.168.12.254;
option broadcast-address 192.168.12.255;
default-lease-time 6000;
max-lease-time 72000;
}
subnet 192.168.13.0 netmask 255.255.255.0 {
range 192.168.13.100 192.168.13.200;
option subnet-mask 255.255.255.0;
option routers 192.168.13.254;
option broadcast-address 192.168.13.255;
default-lease-time 6000;
max-lease-time 72000;
}
subnet 192.168.14.0 netmask 255.255.255.0 {
range 192.168.14.100 192.168.14.200;
option subnet-mask 255.255.255.0;
option routers 192.168.14.254;
option broadcast-address 192.168.14.255;
default-lease-time 6000;
max-lease-time 72000;
}
subnet 192.168.15.0 netmask 255.255.255.0 {
range 192.168.15.100 192.168.15.200;
option subnet-mask 255.255.255.0;
option routers 192.168.15.254;
option broadcast-address 192.168.15.255;
default-lease-time 6000;
max-lease-time 72000;
}
$ cat /etc/default/isc-dhcp-server
# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts
#
# This is a POSIX shell fragment
#
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPD_CONF=/etc/dhcp/dhcpd.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPD_PID=/var/run/dhcpd.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
# Only the VLAN 2 bridge: requests from VLANs 10-15 still arrive here, unicast from the
# OS6450 relay, so none of the other brvlanNN bridges needs to be listed. The old
# INTERFACES= variable is kept only as a comment; on Stretch the v4/v6-specific
# variable is the one the initscript reads.
#INTERFACES="brvlan2"
INTERFACESv4="brvlan2"
===== DNS Konfiguration (bind9) =====
Debian Stretch
* Wichtig ist, den lokalen Netzwerken die Nutzung des DNS auch zu erlauben
$ cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
// "lan" lists every network allowed to use this resolver; named.conf.options applies
// it to allow-query / allow-query-cache so named is not an open resolver towards the
// WAN side of pfSense.
// NOTE(review): IPv4 entries only, while named.conf.options sets listen-on-v6 { any; };
// queries arriving over IPv6 (even from ::1) are refused unless ::1 and the IPv6
// ranges in use are added here.
acl lan {
127.0.0.1;
192.168.2.0/24;
192.168.10.0/24;
192.168.11.0/24;
192.168.12.0/24;
192.168.13.0/24;
192.168.14.0/24;
192.168.15.0/24;
};
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
$ cat named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// No forwarders: named resolves iteratively from the root servers, through pfSense.
//forwarders {
// 0.0.0.0;
//};
// Only the "lan" acl (named.conf) may query and use the cache, i.e. recursion is
// available to the lab networks alone. BIND derives allow-recursion from
// allow-query-cache when it is not set explicitly - confirm for the Stretch version.
allow-query { lan; };
allow-query-cache { lan; };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
// Listens on every IPv6 address although the "lan" acl contains no IPv6 entries,
// so IPv6 clients are refused anyway.
listen-on-v6 { any; };
};
$ cat named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// Forward zone "home" (the domain-name used by the switch and by dhcpd) plus one
// reverse zone per lab /24. The zone files for 11-15 are referenced below but not
// shown on this page.
// NOTE(review): no allow-transfer is set; BIND's default allows zone transfers to
// any client that may query, i.e. every lab network can read the complete host list.
// "allow-transfer { none; };" in options closes that if the lab is ever shared.
zone "home" {
type master;
file "/etc/bind/db.home";
};
zone "2.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.2.168.192";
};
zone "10.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.10.168.192";
};
zone "11.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.11.168.192";
};
zone "12.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.12.168.192";
};
zone "13.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.13.168.192";
};
zone "14.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.14.168.192";
};
zone "15.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.15.168.192";
};
$ cat db.home
;
; Forward zone "home": every lab host by name. shiva is the KVM host (192.168.2.1),
; which is also the only name server of the zone.
$TTL 86400
;@ IN SOA localhost. root.localhost. (
; MNAME is shiva.home.; the second field (RNAME) is a mailbox, so "shiva.home." reads
; as shiva@home - "root.shiva.home." would be the conventional form. The serial is a
; plain counter: increase it with every edit.
@ IN SOA shiva.home. shiva.home. (
7 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS shiva.home.
; Apex A record (home. itself): the line carries no owner name and inherits "@" from
; the NS record - in the real file it must begin with whitespace for that to work.
IN A 192.168.2.1
shiva IN A 192.168.2.1
os6450 IN A 192.168.2.10
omnivista IN A 192.168.2.15
upam IN A 192.168.2.16
fwinet IN A 192.168.2.254
; Stellar AP, named after the last octets of its MAC; lives in the AP pool of VLAN 10.
ap-d060 IN A 192.168.10.10
; The switch's per-VLAN .254 addresses are kept as commented reminders only, so
; os6450 resolves to the VLAN 2 address.
;os6450 IN A 192.168.10.254
iphone IN A 192.168.11.100
ipad IN A 192.168.11.101
mbp IN A 192.168.11.102
;os6450 IN A 192.168.11.254
;os6450 IN A 192.168.12.254
;os6450 IN A 192.168.13.254
rap3 IN A 192.168.14.100
;os6450 IN A 192.168.14.254
;os6450 IN A 192.168.15.254
$ cat db.2.168.192
;
; Reverse zone for 192.168.2.0/24 (VLAN 2); each PTR should mirror an A record in
; db.home. $TTL here is one week while db.home uses one day - presumably
; unintentional, harmless either way.
$TTL 604800
;@ IN SOA localhost. root.localhost. (
@ IN SOA shiva.home. shiva.home. (
4 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS shiva.home.
;
1 IN PTR shiva.home.
10 IN PTR os6450.home.
15 IN PTR omnivista.home.
16 IN PTR upam.home.
254 IN PTR fwinet.home.
$ cat db.10.168.192
;
; Reverse zone for 192.168.10.0/24 (Stellar AP VLAN). .1 is unused here (the switch
; is .254 in this VLAN), hence the commented-out entry; .10 is the AP from the
; STELLAR DHCP pool.
$TTL 604800
;@ IN SOA localhost. root.localhost. (
@ IN SOA shiva.home. shiva.home. (
5 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS shiva.home.
;
;1 IN PTR shiva.home.
10 IN PTR ap-d060.home.
254 IN PTR os6450.home.
===== pfSense Screenshots =====
==== virtIO: Checksum Offloading ausschalten ====
Bei virtIO NICs bitte Checksum Offloading ausschalten.
{{ :pfsense:2.png?direct&600 |}}
==== LAN Gateway einrichten ====
Dieses Gateway brauchen wir für die lokalen Netze.
{{ :pfsense:fwinet_home_-_system_routing_gateways.png?direct&600 |}}
==== Statische Routen einrichten ====
Hierfür verwenden wir das eben eingerichtete Gateway.
{{ :pfsense:fwinet_home_-_system_routing_static_routes.png?direct&600 |}}
==== Outbound-NAT kontrollieren ====
{{ :pfsense:fwinet_home_-_firewall_nat_outbound.png?direct&600 |}}
==== Firewall-Regeln ausgehend für die lokalen LAN Netze anlegen ====
Da ich nicht weiß, wie man den Alias "LAN Net" ändert, legen wir eigene Regeln an, die unseren Traffic durchlassen.
{{ :pfsense:fwinet_home_-_firewall_rules_lan.png?direct&600 |}}
==== Ansicht des Dashboards ====
{{ :pfsense:fwinet_home_-_status_dashboard.png?direct&600 |}}