stellar-lab-kvm-pfsense-debian

Stellar WLAN lab based on KVM

  • Firewall / Internet gateway on 192.168.2.254
  • DHCP on 192.168.2.1
  • DNS on 192.168.2.1
  • NTP on 192.168.2.1
  • OS6450 on 192.168.2.10, and on .254 in every client network

OS6450 configuration

Example configuration on my OS6450-P10.

BennyE$ ssh admin@os6450
admin's password for keyboard-interactive method: 
  
Welcome to the Alcatel-Lucent OmniSwitch 6450
Software Version 6.7.2.85.R01 Development, August 11, 2017. 

Copyright(c), ALE USA Inc., 2017. All Rights reserved.

OmniSwitch(TM) is a trademark of Alcatel-Lucent Enterprise registered
in the United States Patent and Trademark Office.
  
OS6450-P10-> show configuration snapshot 
! Stack Manager :
! Chassis :
system name OS6450-P10
system contact "Benny Eggerstedt"
system location "Benny's Lab"
system timezone CET
system daylight savings time enable
! Configuration:
! VLAN :
vlan 1 disable name "VLAN 1"
vlan 2 enable name "192.168.2.x/24 Server"
vlan 2 port default 1/8
vlan 10 enable name "192.168.10.x/24 Stellar OV"
vlan 10 port default 1/1
vlan 10 port default 1/3
vlan 10 port default 1/5
vlan 10 port default 1/7
vlan 10 port default 1/11
vlan 10 port default 1/12
vlan 11 enable name "192.168.11.x/24"
vlan 12 enable name "192.168.12.x/24"
vlan 13 enable name "192.168.13.x/24"
vlan 14 enable name "192.168.14.x/24"
vlan 14 port default 1/6
vlan 14 port default 1/9
vlan 15 enable name "192.168.15.x/24 Stellar Express"
! VLAN SL:
! IP :
ip service all
ip interface "vlan-2" address 192.168.2.10 mask 255.255.255.0 vlan 2 ifindex 2
ip interface "vlan-10" address 192.168.10.254 mask 255.255.255.0 vlan 10 ifindex 3
ip interface "vlan-11" address 192.168.11.254 mask 255.255.255.0 vlan 11 ifindex 4
ip interface "vlan-12" address 192.168.12.254 mask 255.255.255.0 vlan 12 ifindex 5
ip interface "vlan-13" address 192.168.13.254 mask 255.255.255.0 vlan 13 ifindex 6
ip interface "vlan-14" address 192.168.14.254 mask 255.255.255.0 vlan 14 ifindex 7
ip interface "vlan-15" address 192.168.15.254 mask 255.255.255.0 vlan 15 ifindex 8
! IPMS :
! AAA :
aaa authentication default "local" 
user password-size min 9
user password-policy min-uppercase 1
user password-policy min-lowercase 1
user password-policy min-digit 1
user password-policy min-nonalpha 1
! PARTM :
! 802.1x :
! QOS :
! Policy manager :
! Session manager :
session timeout cli 999
session prompt default "OS6450-P10->"
! SNMP :
snmp authentication trap enable
snmp station 192.168.2.15 162 "snmpv3" v3 enable
! RIP :
! IPv6 :
! IP multicast :
! IPRM :
ip static-route 0.0.0.0/0 gateway 192.168.2.254 metric 1
! RIPng :
! Health monitor :
! Interface :
interfaces 1/1 alias "Stellar Wireless AP1221 03:d0:60"
interfaces 1/5 alias "Stellar Wireless AP1101 00:12:80"
interfaces 1/7 alias "Stellar Wireless AP1221 00:1b:d0"
interfaces 1/9 alias "RAP3"
interfaces 1/10 alias "Uplink zu Debian KVM"
! Udld :
! Port Mapping :
! Link Aggregate :
! VLAN AGG:
! 802.1Q :
vlan 11 802.1q 1/1 "TAG PORT 1/1 VLAN 11"
vlan 12 802.1q 1/1 "TAG PORT 1/1 VLAN 12"
vlan 11 802.1q 1/3 "TAG PORT 1/3 VLAN 11"
vlan 12 802.1q 1/3 "TAG PORT 1/3 VLAN 12"
vlan 11 802.1q 1/5 "TAG PORT 1/5 VLAN 11"
vlan 12 802.1q 1/5 "TAG PORT 1/5 VLAN 12"
vlan 11 802.1q 1/7 "TAG PORT 1/7 VLAN 11"
vlan 12 802.1q 1/7 "TAG PORT 1/7 VLAN 12"
vlan 11 802.1q 1/8 "TAG PORT 1/8 VLAN 11"
vlan 12 802.1q 1/8 "TAG PORT 1/8 VLAN 12"
vlan 2 802.1q 1/10 "TAG PORT 1/10 VLAN 2"
vlan 10 802.1q 1/10 "TAG PORT 1/10 VLAN 10"
vlan 11 802.1q 1/10 "TAG PORT 1/10 VLAN 11"
vlan 12 802.1q 1/10 "TAG PORT 1/10 VLAN 12"
vlan 13 802.1q 1/10 "TAG PORT 1/10 VLAN 13"
vlan 14 802.1q 1/10 "TAG PORT 1/10 VLAN 14"
vlan 15 802.1q 1/10 "TAG PORT 1/10 VLAN 15"
! Spanning tree :
bridge mode 1x1 
! Bridging :
! Bridging :
! Port mirroring :
sflow receiver 1 name ovAnalyticService address 192.168.2.15 udp-port 6343 packet-size 1400 version 5 timeout 0
sflow sampler 1 1/1 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/2 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/3 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/4 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/5 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/6 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/7 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/8 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/9 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/10 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/11 receiver 1 rate 128 sample-hdr-size 128
sflow sampler 1 1/12 receiver 1 rate 128 sample-hdr-size 128
! UDP Relay :
ip helper per-vlan only  
ip helper address 192.168.2.1 vlan 10 
ip helper address 192.168.2.1 vlan 11 
ip helper address 192.168.2.1 vlan 12 
ip helper address 192.168.2.1 vlan 13 
ip helper address 192.168.2.1 vlan 14 
ip helper address 192.168.2.1 vlan 15 
! System service :
ip name-server 192.168.2.1
ip domain-name home
ip domain-lookup
swlog console level info
! SSH :
! VRRP :
! Web :
! AMAP :
! Lan  Power :
lanpower stop 1/2
lanpower stop 1/4
lanpower stop 1/6
lanpower stop 1/8
! NTP :
ntp server 192.168.2.1 key 0 version 4 minpoll 6 prefer
ntp client enable
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
! EFM-OAM :
! SAA :
! Loopback-detection :
! ERP :
! TEST-OAM :
! PPPOE-IA :
! DHL :
! LLDP :
lldp chassis tlv management  port-description enable system-name enable system-description enable system-capabilities enable
lldp chassis tlv management  management-address enable
lldp chassis tlv dot1 vlan-name enable port-vlan enable
lldp chassis tlv dot3  mac-phy enable
lldp chassis tlv med  capability enable
! DHCP Server :
! Stack Split-Protection Helper :
! Openflow :
! DHCPv6 :
! TWAMP :

Configuration of the Linux bridges

Virtual machines can thus be attached directly to any of the networks (KVM).

$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp

# Interface towards ISP

auto brWAN
iface brWAN inet manual
	bridge_ports eno5
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off

# Interface towards internal network - eno1

# VLAN dot1q 2, 10, 11, 12, 13, 14, 15
auto eno1.2 eno1.10 eno1.11 eno1.12 eno1.13 eno1.14 eno1.15

# Ensure that there is no IP address on the interfaces
#iface eno1.1 inet manual
iface eno1.2 inet manual
iface eno1.10 inet manual
iface eno1.11 inet manual
iface eno1.12 inet manual
iface eno1.13 inet manual
iface eno1.14 inet manual
iface eno1.15 inet manual

auto brvlan2
iface brvlan2 inet static
	address 192.168.2.1
	network 192.168.2.0
	netmask 255.255.255.0
	gateway 192.168.2.254
	bridge_ports eno1.2
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off
	# Routing towards clients through OS6450
	up /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.2.10
	up /sbin/route add -net 192.168.11.0 netmask 255.255.255.0 gw 192.168.2.10
	up /sbin/route add -net 192.168.12.0 netmask 255.255.255.0 gw 192.168.2.10
	up /sbin/route add -net 192.168.13.0 netmask 255.255.255.0 gw 192.168.2.10
	up /sbin/route add -net 192.168.14.0 netmask 255.255.255.0 gw 192.168.2.10
	up /sbin/route add -net 192.168.15.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.11.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.12.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.13.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.14.0 netmask 255.255.255.0 gw 192.168.2.10
	down /sbin/route delete -net 192.168.15.0 netmask 255.255.255.0 gw 192.168.2.10

auto brvlan10
iface brvlan10 inet manual
	bridge_ports eno1.10
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off

auto brvlan11
iface brvlan11 inet manual
	bridge_ports eno1.11
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off


auto brvlan12
iface brvlan12 inet manual
	bridge_ports eno1.12
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off


auto brvlan13
iface brvlan13 inet manual
	bridge_ports eno1.13
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off

auto brvlan14
iface brvlan14 inet manual
	bridge_ports eno1.14
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off

auto brvlan15
iface brvlan15 inet manual
	bridge_ports eno1.15
	bridge_fd 5
	bridge_hello 2
	bridge_maxage 12
	bridge_maxwait 0
	bridge_stp off
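The switch tags VLANs 2 and 10 to 15 on port 1/10 ("Uplink zu Debian KVM"), and the host side has to carry exactly the same set of sub-interfaces and bridges, with no IP address on the VLAN sub-interfaces themselves. A VLAN that is tagged on the switch but has no bridge on the host silently drops that client network; a sub-interface with an address bypasses the bridge and the firewall. The following script is an added example (not part of this wiki page's own setup) that reads both files and reports the differences. The switch excerpt and the ifupdown file it contains are constructed from the listings above, with VLAN 13 left out and an address put on eno1.15 on purpose so that the checks have something to find.

```python
import re

# Constructed sample: the 802.1Q section of the OS6450 snapshot shown above
SWITCH_SNAPSHOT = """\
! 802.1Q :
vlan 11 802.1q 1/1 "TAG PORT 1/1 VLAN 11"
vlan 12 802.1q 1/1 "TAG PORT 1/1 VLAN 12"
vlan 2 802.1q 1/10 "TAG PORT 1/10 VLAN 2"
vlan 10 802.1q 1/10 "TAG PORT 1/10 VLAN 10"
vlan 11 802.1q 1/10 "TAG PORT 1/10 VLAN 11"
vlan 12 802.1q 1/10 "TAG PORT 1/10 VLAN 12"
vlan 13 802.1q 1/10 "TAG PORT 1/10 VLAN 13"
vlan 14 802.1q 1/10 "TAG PORT 1/10 VLAN 14"
vlan 15 802.1q 1/10 "TAG PORT 1/10 VLAN 15"
"""

# Constructed sample of /etc/network/interfaces with two deliberate mistakes:
# VLAN 13 has no bridge, and eno1.15 carries an address it must not have.
INTERFACES = """\
auto eno1.2 eno1.10 eno1.11 eno1.12 eno1.14 eno1.15
iface eno1.2 inet manual
iface eno1.10 inet manual
iface eno1.11 inet manual
iface eno1.12 inet manual
iface eno1.14 inet manual
iface eno1.15 inet static
    address 192.168.15.2
    netmask 255.255.255.0

auto brvlan2
iface brvlan2 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    gateway 192.168.2.254
    bridge_ports eno1.2
    bridge_stp off
    up /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.2.10

auto brvlan10
iface brvlan10 inet manual
    bridge_ports eno1.10
    bridge_stp off
auto brvlan11
iface brvlan11 inet manual
    bridge_ports eno1.11
auto brvlan12
iface brvlan12 inet manual
    bridge_ports eno1.12
auto brvlan14
iface brvlan14 inet manual
    bridge_ports eno1.14
auto brvlan15
iface brvlan15 inet manual
    bridge_ports eno1.15
"""

TAG_RE = re.compile(r'^vlan (\d+) 802\.1q (\d+/\d+)')
IFACE_RE = re.compile(r'^iface (\S+) inet (\S+)')


def tagged_vlans(snapshot, port):
    """VLAN ids the switch tags (802.1q) on the given port, e.g. "1/10"."""
    return {int(m.group(1)) for m in map(TAG_RE.match, snapshot.splitlines())
            if m and m.group(2) == port}


def parse_interfaces(text):
    """Return {iface: {"method": ..., option: [values...]}} from an ifupdown file."""
    stanzas, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = {"method": m.group(2)}
        elif current and line[:1].isspace() and line.strip():
            key, _, value = line.strip().partition(" ")
            stanzas[current].setdefault(key, []).append(value)
        else:
            current = None  # an "auto ..." line or a blank line ends the stanza
    return stanzas


def host_bridges(stanzas, parent):
    """Map VLAN id -> bridge whose member port is <parent>.<id>."""
    bridges = {}
    for name, st in stanzas.items():
        for value in st.get("bridge_ports", []):
            for port in value.split():
                if port.startswith(parent + "."):
                    bridges[int(port.split(".", 1)[1])] = name
    return bridges


def addressed_subinterfaces(stanzas, parent):
    """VLAN sub-interfaces that carry IP configuration; all should be 'inet manual'."""
    return sorted(name for name, st in stanzas.items()
                  if name.startswith(parent + ".")
                  and (st["method"] != "manual" or "address" in st))


def compare(snapshot, port, interfaces_text, parent):
    """Cross-check the switch's tagged VLANs on the uplink port against the host."""
    switch = tagged_vlans(snapshot, port)
    stanzas = parse_interfaces(interfaces_text)
    host = set(host_bridges(stanzas, parent))
    return {
        "ok": sorted(switch & host),
        "missing_on_host": sorted(switch - host),
        "missing_on_switch": sorted(host - switch),
        "subinterfaces_with_ip": addressed_subinterfaces(stanzas, parent),
    }


if __name__ == "__main__":
    for key, value in compare(SWITCH_SNAPSHOT, "1/10", INTERFACES, "eno1").items():
        print(f"{key}: {value}")
```

Run against the real files with `show configuration snapshot` output saved to a file and `/etc/network/interfaces` read from the host; the uplink port ("1/10") and the parent interface ("eno1") are the two values to adapt.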

DHCP configuration (isc-dhcp-server)

Debian Stretch

  • Important here is option 138 (ovwma) for OmniVista in the Stellar AP network (VLAN 10)
  • The DHCP server should only listen on VLAN 2, because we want to use the DHCP helper (relay) in the OS6450

$ cat /etc/dhcp/dhcpd.conf

#
# Sample configuration file for ISC dhcpd for Debian
#
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "home";
option domain-name-servers 192.168.2.1;

default-lease-time 6000;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

#
# Classify Stellar AP as STELLAR
#

class "STELLAR" {
	match if substring (option vendor-class-identifier, 0, 4) = "HAP.";
}

#
# Create custom option 138
#

option ovwma code 138 = ip-address;


subnet 192.168.2.0 netmask 255.255.255.0 {
	range 192.168.2.100 192.168.2.200;
	option subnet-mask 255.255.255.0;
	option routers 192.168.2.10;
	option broadcast-address 192.168.2.255;
	default-lease-time 6000;
	max-lease-time 72000;
}

subnet 192.168.10.0 netmask 255.255.255.0 {
	option routers 192.168.10.254;
	option subnet-mask 255.255.255.0;
	option broadcast-address 192.168.10.255;
	default-lease-time 6000;
	max-lease-time 72000;
	# Pool for Stellar AP
	pool {
		allow members of "STELLAR";
		range 192.168.10.10 192.168.10.20;
		option ovwma 192.168.2.15;
	}
	pool {
		range 192.168.10.21 192.168.10.50;
		allow unknown-clients;
	}
}

subnet 192.168.11.0 netmask 255.255.255.0 {
	range 192.168.11.100 192.168.11.200;
	option subnet-mask 255.255.255.0;
	option routers 192.168.11.254;
	option broadcast-address 192.168.11.255;
	default-lease-time 6000;
	max-lease-time 72000;
}

subnet 192.168.12.0 netmask 255.255.255.0 {
	range 192.168.12.100 192.168.12.200;
	option subnet-mask 255.255.255.0;
	option routers 192.168.12.254;
	option broadcast-address 192.168.12.255;
	default-lease-time 6000;
	max-lease-time 72000;
}

subnet 192.168.13.0 netmask 255.255.255.0 {
	range 192.168.13.100 192.168.13.200;
	option subnet-mask 255.255.255.0;
	option routers 192.168.13.254;
	option broadcast-address 192.168.13.255;
	default-lease-time 6000;
	max-lease-time 72000;
}

subnet 192.168.14.0 netmask 255.255.255.0 {
	range 192.168.14.100 192.168.14.200;
	option subnet-mask 255.255.255.0;
	option routers 192.168.14.254;
	option broadcast-address 192.168.14.255;
	default-lease-time 6000;
	max-lease-time 72000;
}

subnet 192.168.15.0 netmask 255.255.255.0 {
	range 192.168.15.100 192.168.15.200;
	option subnet-mask 255.255.255.0;
	option routers 192.168.15.254;
	option broadcast-address 192.168.15.255;
	default-lease-time 6000;
	max-lease-time 72000;
}
$ cat /etc/default/isc-dhcp-server 
# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPD_CONF=/etc/dhcp/dhcpd.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPD_PID=/var/run/dhcpd.pid

# Additional options to start dhcpd with.
#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
#INTERFACES="brvlan2"
INTERFACESv4="brvlan2"
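Two things in the config above are easy to get wrong and worth being able to reason about: the server only listens on brvlan2, so every request from VLAN 10 to 15 arrives via the `ip helper` on the OS6450 with giaddr set to the switch's VLAN interface, and it is that giaddr (not the receiving interface) that selects the `subnet` block; inside VLAN 10 the `STELLAR` class then decides which pool answers and whether option 138 is included. The script below is an added example (not part of this page's own setup or of ISC dhcpd) that models that decision for this dhcpd.conf and shows the wire encoding of the custom option. It assumes, as a simplification, that dhcpd takes the first pool in declaration order that permits the client. The vendor-class-identifier is asserted by the client, so the class is a sorting rule, not an authentication of the AP.

```python
import ipaddress
import socket

# Constructed model of the relevant parts of the dhcpd.conf shown above.
CLASSES = {
    # class "STELLAR" { match if substring (option vendor-class-identifier, 0, 4) = "HAP."; }
    "STELLAR": lambda vci: vci[:4] == "HAP.",
}

SUBNETS = [
    {"net": "192.168.2.0/24", "routers": "192.168.2.10",
     "pools": [{"range": ("192.168.2.100", "192.168.2.200")}]},
    {"net": "192.168.10.0/24", "routers": "192.168.10.254",
     "pools": [
         # allow members of "STELLAR": only APs get this pool and option 138 (ovwma)
         {"allow_class": "STELLAR", "range": ("192.168.10.10", "192.168.10.20"),
          "ovwma": "192.168.2.15"},
         # allow unknown-clients: everything else in VLAN 10
         {"allow_unknown": True, "range": ("192.168.10.21", "192.168.10.50")},
     ]},
    {"net": "192.168.11.0/24", "routers": "192.168.11.254",
     "pools": [{"range": ("192.168.11.100", "192.168.11.200")}]},
]


def giaddr_of(packet):
    """Relay agent address: bytes 24..27 of the BOOTP/DHCP header."""
    return socket.inet_ntoa(bytes(packet[24:28]))


def client_classes(vci):
    """Names of the dhcpd classes whose match expression accepts this vendor class."""
    return {name for name, match in CLASSES.items() if match(vci)}


def select_subnet(giaddr, listen_addr="192.168.2.1"):
    """A relayed request is matched against giaddr (the OS6450 VLAN interface that
    ran 'ip helper'); a request received directly on brvlan2 has giaddr 0.0.0.0 and
    is matched against the address of the listening interface."""
    key = ipaddress.ip_address(listen_addr if giaddr == "0.0.0.0" else giaddr)
    for subnet in SUBNETS:
        if key in ipaddress.ip_network(subnet["net"]):
            return subnet
    raise LookupError(f"no subnet declaration covers {key}")


def pool_permits(pool, classes, known_client=False):
    """Evaluate the pool's allow statements (a pool without any permits everyone)."""
    if "allow_class" in pool:
        return pool["allow_class"] in classes
    if pool.get("allow_unknown"):
        return not known_client      # unknown = no matching host declaration
    return True


def encode_option_138(ip):
    """Wire form of 'option ovwma code 138 = ip-address': code, length 4, address."""
    return bytes([138, 4]) + ipaddress.IPv4Address(ip).packed


def build_offer(giaddr, vci, known_client=False):
    """Pick subnet and pool for a request. Assumption: the first pool in
    declaration order that permits the client is the one that answers."""
    subnet = select_subnet(giaddr)
    for pool in subnet["pools"]:
        if pool_permits(pool, client_classes(vci), known_client):
            offer = {"range": pool["range"], "routers": subnet["routers"]}
            if "ovwma" in pool:
                offer["option138"] = encode_option_138(pool["ovwma"])
            return offer
    raise LookupError("no pool in this subnet permits the client")


if __name__ == "__main__":
    # Constructed request relayed by the OS6450 from VLAN 10 on behalf of a Stellar AP
    pkt = bytearray(240)
    pkt[24:28] = ipaddress.IPv4Address("192.168.10.254").packed
    print(build_offer(giaddr_of(pkt), "HAP.AP1221"))
    print(build_offer(giaddr_of(pkt), "MSFT 5.0"))
```

If a relayed request ever arrives with a giaddr that no `subnet` block covers (a VLAN added on the switch but not in dhcpd.conf), dhcpd logs it and stays silent; the `LookupError` in `select_subnet` is the same situation in this model.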

DNS configuration (bind9)

Debian Stretch

  • It is important to allow the local networks to use the DNS server as well (the lan ACL below)

$ cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local


acl lan {
	127.0.0.1;
	192.168.2.0/24;
	192.168.10.0/24;
	192.168.11.0/24;
	192.168.12.0/24;
	192.168.13.0/24;
	192.168.14.0/24;
	192.168.15.0/24;
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
$ cat named.conf.options 
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	//forwarders {
	//	0.0.0.0;
	//};

	allow-query { lan; };
	allow-query-cache { lan; };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
};
$ cat named.conf.local 
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "home" {
type master;
file "/etc/bind/db.home";
};

zone "2.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.2.168.192";
};

zone "10.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.10.168.192";
};

zone "11.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.11.168.192";
};

zone "12.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.12.168.192";
};

zone "13.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.13.168.192";
};

zone "14.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.14.168.192";
};

zone "15.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.15.168.192";
};
$ cat db.home 
;
$TTL	86400
;@	IN	SOA	localhost. root.localhost. (
@	IN	SOA	shiva.home. shiva.home. (
			      7		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			  86400 )	; Negative Cache TTL
;
@		IN	NS	shiva.home.
		IN	A	192.168.2.1

shiva		IN	A	192.168.2.1
os6450		IN	A	192.168.2.10
omnivista	IN	A	192.168.2.15
upam		IN	A	192.168.2.16
fwinet		IN	A	192.168.2.254

ap-d060		IN	A	192.168.10.10
;os6450		IN	A	192.168.10.254
iphone		IN	A	192.168.11.100
ipad		IN	A	192.168.11.101
mbp		IN	A	192.168.11.102

;os6450		IN	A	192.168.11.254
;os6450		IN	A	192.168.12.254
;os6450		IN	A	192.168.13.254
rap3		IN	A	192.168.14.100
;os6450		IN	A	192.168.14.254
;os6450		IN	A	192.168.15.254
$ cat db.2.168.192 
;
$TTL	604800
;@	IN	SOA	localhost. root.localhost. (
@	IN	SOA	shiva.home. shiva.home. (
			      4		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@	IN	NS	shiva.home.
;
1	IN	PTR	shiva.home.
10	IN	PTR	os6450.home.
15	IN	PTR	omnivista.home.
16	IN	PTR	upam.home.
254	IN	PTR	fwinet.home.
$ cat db.10.168.192 
;
$TTL	604800
;@	IN	SOA	localhost. root.localhost. (
@	IN	SOA	shiva.home. shiva.home. (
			      5		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@	IN	NS	shiva.home.
;
;1	IN	PTR	shiva.home.
10	IN	PTR	ap-d060.home.
254	IN	PTR	os6450.home.
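With one forward zone and a reverse zone per VLAN, the two sides drift apart easily: the forward file above comments out the os6450 entries for the client VLANs while db.10.168.192 still points 254 back at os6450.home. The script below is an added example (not part of this page or of BIND) that parses the zone files as shown, builds the forward and reverse maps and reports A records without a PTR, PTRs that disagree with the A record, and PTRs whose name has no matching A record. Only the two reverse files listed on the page are fed in, so addresses in VLANs 11 to 15 are left alone rather than reported as missing. The zone text is constructed from the listings above.

```python
# Constructed sample: db.home as shown above (commented-out lines included)
DB_HOME = """\
$TTL    86400
;@      IN      SOA     localhost. root.localhost. (
@       IN      SOA     shiva.home. shiva.home. (
                              7         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
@               IN      NS      shiva.home.
                IN      A       192.168.2.1
shiva           IN      A       192.168.2.1
os6450          IN      A       192.168.2.10
omnivista       IN      A       192.168.2.15
upam            IN      A       192.168.2.16
fwinet          IN      A       192.168.2.254
ap-d060         IN      A       192.168.10.10
;os6450         IN      A       192.168.10.254
iphone          IN      A       192.168.11.100
rap3            IN      A       192.168.14.100
"""

# Constructed samples of the two reverse zones shown above (SOA shortened to one line)
DB_2 = """\
$TTL    604800
@       IN      SOA     shiva.home. shiva.home. ( 4 604800 86400 2419200 604800 )
@       IN      NS      shiva.home.
1       IN      PTR     shiva.home.
10      IN      PTR     os6450.home.
15      IN      PTR     omnivista.home.
16      IN      PTR     upam.home.
254     IN      PTR     fwinet.home.
"""
DB_10 = """\
$TTL    604800
@       IN      SOA     shiva.home. shiva.home. ( 5 604800 86400 2419200 604800 )
@       IN      NS      shiva.home.
10      IN      PTR     ap-d060.home.
254     IN      PTR     os6450.home.
"""


def _records(text):
    """Yield (owner, type, rdata) for the resource records of a zone file.
    Handles ';' comments, $-directives, owner inheritance for lines that start
    with whitespace, and the parenthesised multi-line SOA (which is skipped)."""
    owner, depth = None, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth:                                   # still inside '( ... )'
            depth = max(0, depth - line.count(")"))
            continue
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not line[0].isspace():                   # explicit owner name
            owner = fields.pop(0)
        elif owner is None:
            continue
        if fields and fields[0].isdigit():          # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":    # optional class
            fields.pop(0)
        if not fields:
            continue
        if "(" in line:                             # SOA: skip its whole span
            depth = line.count("(") - line.count(")")
            continue
        yield owner, fields[0].upper(), " ".join(fields[1:])


def fqdn(owner, origin):
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"


def parse_forward(text, origin):
    """{fqdn: set of IPv4 strings} for the A records of a forward zone."""
    a = {}
    for owner, rtype, rdata in _records(text):
        if rtype == "A":
            a.setdefault(fqdn(owner, origin), set()).add(rdata)
    return a


def parse_reverse(text, zone):
    """({ip: fqdn} for the PTR records, '/24 prefix') of an in-addr.arpa zone."""
    zone = zone.rstrip(".")
    octets = zone.removesuffix(".in-addr.arpa").split(".")[::-1]
    prefix = ".".join(octets) + "."
    ptr = {prefix + owner: fqdn(rdata, zone + ".")
           for owner, rtype, rdata in _records(text) if rtype == "PTR"}
    return ptr, prefix


def check(forward, reverse, covered):
    """Sorted findings (kind, name, ip); addresses outside 'covered' are ignored."""
    findings = set()
    for name, ips in forward.items():
        for ip in ips:
            if not any(ip.startswith(p) for p in covered):
                continue
            if ip not in reverse:
                findings.add(("no_ptr", name, ip))
            elif reverse[ip] != name:
                findings.add(("ptr_mismatch", name, ip))
    for ip, name in reverse.items():
        if ip not in forward.get(name, set()):
            findings.add(("ptr_without_a", name, ip))
    return sorted(findings)


def audit(forward_text, origin, reverse_zones):
    forward = parse_forward(forward_text, origin)
    reverse, covered = {}, set()
    for zone, text in reverse_zones.items():
        ptr, prefix = parse_reverse(text, zone)
        reverse.update(ptr)
        covered.add(prefix)
    return check(forward, reverse, covered)


if __name__ == "__main__":
    zones = {"2.168.192.in-addr.arpa": DB_2, "10.168.192.in-addr.arpa": DB_10}
    for finding in audit(DB_HOME, "home.", zones):
        print(*finding)
```

The apex record (`@ IN A 192.168.2.1`) shows up as a `ptr_mismatch` because 192.168.2.1 can only point back to one name; that one is expected and can be whitelisted, while `ptr_without_a` for 192.168.10.254 is the real inconsistency between db.home and db.10.168.192.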

pfSense Screenshots

virtIO: disable checksum offloading

With virtIO NICs, please disable checksum offloading.

Set up the LAN gateway

We need this for the local networks.

Set up static routes

For these we use the gateway we just set up.

Check outbound NAT

Create outbound firewall rules for the local LAN networks

Since I don't know how to change the alias "LAN Net", we create our own rules that let our traffic through.

Dashboard view

stellar-lab-kvm-pfsense-debian.txt · Last modified: 2024/06/09 10:29 by 127.0.0.1
