CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

2025 - notes before eastern

Browse Source
This commit is contained in:
Petar Cubela
2025-04-19 00:11:51 +02:00
parent ee2da8ceb6
commit 214941710d
13 changed files with 400 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
.DS_Store vendored
View File

Binary file not shown.

14
.obsidian/workspace.json vendored
View File

@@ -37,7 +37,7 @@
"state": {
"type": "markdown",
"state": {
"file": "diary/2025-04-15.md",
"file": "diary/2025-04-17.md",
"mode": "source",
"source": true,
"backlinks": true,
@@ -52,7 +52,7 @@
}
},
"icon": "lucide-file",
"title": "2025-04-15"
"title": "2025-04-17"
}
},
{
@@ -307,11 +307,14 @@
"active": "b865e0663684cf60",
"lastOpenFiles": [
"projects/phytron/nextcloud_gitlab_after_hack.md",
"diary/2025-04-17.md",
"projects/kwa/firewall_migration/20250414-preparation.md",
"projects/neosphere/qumulus/overview-qumulo_and_comp-nodes.md",
"diary/2025-04-16.md",
"projects/ipv6/basics.md",
"diary/2025-04-15.md",
"projects/sbx/sbx-lab-network.md",
"diary/2025-04-14.md",
"projects/neosphere/qumulus/overview-qumulo_and_comp-nodes.md",
"projects/kwa/firewall_migration/20250414-preparation.md",
"projects/kwa/firewall_migration/20250318-OPNsense_Migration.md",
"projects/win10_2_win11/20250411-Meeting-JM.md",
"diary/2025-04-11.md",
@@ -331,10 +334,7 @@
"diary/2025-04-02.md",
"projects/sbx/manuals/Sophos-SG_PPPoE-data.md",
"projects/sbx/manuals",
"diary/2025-04-01.md",
"projects/ssr/202504-4architekten",
"projects/discopharma/20250311-metabase-environment.md",
"projects/discopharma/Meetings/20250310-Next_Steps.md",
"projects/sbx/firewall-std",
"projects/boschmann+feth",
"files/discopharma/discopharma-infra.drawio.png",

10
diary/2025-04-15.md
View File

@@ -15,7 +15,15 @@ $i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\
- 09:45 - 10:00: Pause
- 10:00 - 10:30: Zugang phytron nextcloud: design schon gemacht, updaten um zwei versionen
- 10.30 - 11:00: cloud.sbx.de design gestalten
- 11:00 - 12:00:
- 11:00 - 11:15: private: tmux config mac, kube_on_nix repo, shell config mac
- 11:15 - 11:45: Projekt Freigabe Postafaecher fuer KWA hinzufuegen
- 11:45 - 12:00: SSR Teams nicht mehr anwendbar duer macOS 12
- 12:00 - 13:00: Pause
- 13:00 - 13:30: Neosphere Netzwerkdiagram erstellen
- 13:30 - 14:00: Lerne was SLURM und Integration in Kubernetes
- 14:00 - 14:30: Matthias kontaktieren, Sein Mac Updaten, erstelle Liste aller Geraete welche Update brauchen.
- 14:30 - 15:00: Rauchen, ???
- 15:00 - 16:00: tga cloud erreichen
## Monday

101
diary/2025-04-16.md Normal file
View File

@@ -0,0 +1,101 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Do-It
- handout: Sophos und OPNsense
- qumulo - zeichne endlich
- phytron - nextcloud abschliessen
## Timestamps
- 08:15 - 08:30: Lesen, Kaffee kochen
- 08:30 - 09:00: ipv6 lernen
- 09:00 - 09:30: rauchen
- 09:30 - 09:45: FileMaker Update bei Matthias Wittmann
- 09:45 - 10:15: MicroShit Support schreiben
- 10:15 - 11:00: Pause, ipv6 lernen
- 11:00 - 12:30: ipv6 lernen
- 12:30 - 13:30: Pause
- 13:30 - 14:00: Toril schreiben. Recherche: kann man 2 apple id's mit selber nummer haben?
- 14:00 - 14:30: tga firewall - es geht obwohl es das sollte. Nehme an, dass es an der public IP liegt
- 14:30 - 17:30: NeoSphere Netzwerkstruktur um neuen Qumulo
## Tuesday
- 09:00 - 09:30: Ankunft, Ticketpflege
- 09:30 - 09:45: neosphere - ilo-ubt03 lizenz key suchen
- 09:45 - 10:00: Pause
- 10:00 - 10:30: Zugang phytron nextcloud: design schon gemacht, updaten um zwei versionen
- 10.30 - 11:00: cloud.sbx.de design gestalten
- 11:00 - 11:15: private: tmux config mac, kube_on_nix repo, shell config mac
- 11:15 - 11:45: Projekt Freigabe Postafaecher fuer KWA hinzufuegen
- 11:45 - 12:00: SSR Teams nicht mehr anwendbar duer macOS 12
- 12:00 - 13:00: Pause
- 13:00 - 13:30: Neosphere Netzwerkdiagram erstellen
- 13:30 - 14:00: Lerne was SLURM und Integration in Kubernetes
- 14:00 - 14:30: Matthias kontaktieren, Sein Mac Updaten, erstelle Liste aller Geraete welche Update brauchen.
- 14:30 - 15:00: Rauchen, ???
- 15:00 - 16:00: tga cloud erreichen
## Monday
- 08:30 - 09:00: mails beantworten
- 09:00 - 09:30: Pause
- 09:30 - 10:00: Ticketpflege
- 10:15 - 10:45: Ticketpflege
- 10:45 - 11:30: privaten vpn einrichten
- 11:30 - 11:45: SSR Mac/Mitarbeiterin Eintrichtungs Doku anpassen
- 11:45 - 12:00: ssh key exchange for pc.de
- 12:00 - 13:00: Pause
- 13:00 - 14:00: Discopharma Gespraech wegen pymysql and certificates
- 14:00 - 15:00: kwa zertifikate bestellen lassen und einpflegen
- 15:00 - 15:30: Mailstore authentifizerungs problem
- 15:30 - 16:00: Mit Marko OPNsense bei cqse besprechen und standard hardware raussuchen fuer den build
- 16:00 - 16:30: TestCluster aufbauen und anschalten
- 16:30 - 17:00: OPNsense auf XG installieren fuer KWA und entsprechend Notizen machen
## todo
### General
- [ ] handout fuer jeweils sophos und opnsense als vergleich
- [ ] aufgaben fuer wartung rausschreiben
- [ ] detailiert feature liste fuer opnsense (fuer internen nutzen und grobe baseline)
- [ ] neosphere - ueberblick anleitung zum qumulo und dem computing cluster
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] kube cluster on pve.lab.softbox.net
- [ ] backup on external drive for pve.lab.softbox.net
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] sbx - opsreportcard summary for action plan
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

115
diary/2025-04-17.md Normal file
View File

@@ -0,0 +1,115 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Do-It
- handout: Sophos und OPNsense
- qumulo - zeichne endlich
- phytron - nextcloud abschliessen
## Timestamps
- 08:45 - 09:00: Ueber MicroShit Support mail aergern
- 09:00 - 09:45: aldi milch einkauf, quatchen
- 09:45 - 10:00: Sammeln, kaffee
- 10:00 - 10:30: DAV: Linux Netwerkeinstellungen - Ticket Nummer für die Rechnung bitte [BGS-13360](https://hilfe.dav360.de/browse/BGS-13360 "https://hilfe.dav360.de/browse/bgs-13360") nutzen
- 10:30 - 10:45: TeamViewer auf Mac Instalileren und konfigurieren
- 10:45 - 11:00: Rauchen
- 11:00 - 11:30: Telefonat mit Toril: apple id kann nicht angelegt werden, da Nummer schon vergeben, Notizen App fehlen Funktionen
- 11:30 - 12:00: FIrewall aufbauen fuer opnsense firewall migration bei kwa
- 12:00 - 13:30: Pause
- 13:30 - 15:00: neospehere netzwerkdiagram zeichnen
- 15:00 - 16:30: OPNsense Einrichtung bei KWA. Lizenz in IT-Glue Eintragen, Passwoerter in IT-Glue eintragen
## Wednesday
- 08:15 - 08:30: Lesen, Kaffee kochen
- 08:30 - 09:00: ipv6 lernen
- 09:00 - 09:30: rauchen
- 09:30 - 09:45: FileMaker Update bei Matthias Wittmann
- 09:45 - 10:15: MicroShit Support schreiben
- 10:15 - 11:00: Pause, ipv6 lernen
- 11:00 - 12:30: ipv6 lernen
- 12:30 - 13:30: Pause
- 13:30 - 14:00: Toril schreiben. Recherche: kann man 2 apple id's mit selber nummer haben?
- 14:00 - 14:30: tga firewall - es geht obwohl es das sollte. Nehme an, dass es an der public IP liegt
- 14:30 - 17:30: NeoSphere Netzwerkstruktur um neuen Qumulo
## Tuesday
- 09:00 - 09:30: Ankunft, Ticketpflege
- 09:30 - 09:45: neosphere - ilo-ubt03 lizenz key suchen
- 09:45 - 10:00: Pause
- 10:00 - 10:30: Zugang phytron nextcloud: design schon gemacht, updaten um zwei versionen
- 10.30 - 11:00: cloud.sbx.de design gestalten
- 11:00 - 11:15: private: tmux config mac, kube_on_nix repo, shell config mac
- 11:15 - 11:45: Projekt Freigabe Postafaecher fuer KWA hinzufuegen
- 11:45 - 12:00: SSR Teams nicht mehr anwendbar duer macOS 12
- 12:00 - 13:00: Pause
- 13:00 - 13:30: Neosphere Netzwerkdiagram erstellen
- 13:30 - 14:00: Lerne was SLURM und Integration in Kubernetes
- 14:00 - 14:30: Matthias kontaktieren, Sein Mac Updaten, erstelle Liste aller Geraete welche Update brauchen.
- 14:30 - 15:00: Rauchen, ???
- 15:00 - 16:00: tga cloud erreichen
## Monday
- 08:30 - 09:00: mails beantworten
- 09:00 - 09:30: Pause
- 09:30 - 10:00: Ticketpflege
- 10:15 - 10:45: Ticketpflege
- 10:45 - 11:30: privaten vpn einrichten
- 11:30 - 11:45: SSR Mac/Mitarbeiterin Eintrichtungs Doku anpassen
- 11:45 - 12:00: ssh key exchange for pc.de
- 12:00 - 13:00: Pause
- 13:00 - 14:00: Discopharma Gespraech wegen pymysql and certificates
- 14:00 - 15:00: kwa zertifikate bestellen lassen und einpflegen
- 15:00 - 15:30: Mailstore authentifizerungs problem
- 15:30 - 16:00: Mit Marko OPNsense bei cqse besprechen und standard hardware raussuchen fuer den build
- 16:00 - 16:30: TestCluster aufbauen und anschalten
- 16:30 - 17:00: OPNsense auf XG installieren fuer KWA und entsprechend Notizen machen
## todo
### General
- [ ] handout fuer jeweils sophos und opnsense als vergleich
- [ ] aufgaben fuer wartung rausschreiben
- [ ] detailiert feature liste fuer opnsense (fuer internen nutzen und grobe baseline)
- [ ] neosphere - ueberblick anleitung zum qumulo und dem computing cluster
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] kube cluster on pve.lab.softbox.net
- [ ] backup on external drive for pve.lab.softbox.net
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] sbx - opsreportcard summary for action plan
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

BIN
files/.DS_Store vendored
View File

Binary file not shown.

BIN
files/ssr/.DS_Store vendored Normal file
View File

Binary file not shown.

BIN
projects/.DS_Store vendored Normal file
View File

Binary file not shown.

157
projects/ipv6/basics.md Normal file
View File

@@ -0,0 +1,157 @@
# IPv6 Cheat Sheet
This cheat sheet goes together with videos that I have made:
1. [IPv6 from Scratch - Introduction to IPv6](https://youtu.be/oItwDXraK1M)
2. [IPv6 Explained - SLAAC and DHCPv6 (IPv6 from Scratch Part 2)](https://youtu.be/jlG_nrCOmJc)
3. [IPv6 with OpenWrt](https://youtu.be/LJPXz8eA3b8)
## Address Length and Format
The IPv6 address is **128 bits** (i.e. 16 bytes) long and is written in **8 groups of 2 bytes** in hexadecimal numbers, separated by colons:
fddd:f00d:cafe:0000:0000:0000:0000:0001
Leading zeros of each block can be omitted, the above address can be written like this:
fddd:f00d:cafe:0:0:0:0:1
We can abbreviate whole blocks of zeros with `::` and write:
fddd:f00d:cafe::1
However, this can only be done _once_ per address in order to void ambiguity:
ff:0:0:0:1:0:0:1 (correct)
ff::1:0:0:1 (correct)
ff::1::1 (ambiguous, wrong)
According to RFC 5952 `ff:0:0:0:1::1` is not correct either because the longest group of concurrent zeroes must be shortened.
## Protocols
| Number | Protocol | Purpose |
| ------ | --------- | ------------------------------------------------------------------------------------------------------- |
| 6 | TCP | Stateful - Confirms if packets have arrived. Important for use cases with validation. |
| 17 | UDP | Stateless - Does not confirm if packets have arrived. Good for streaming applications, VoIP calls, etc. |
| 58 | IPv6-ICMP | Information, Error reporting, diagnostics based use cases. |
## Methods to Assign IPv6 Addresses
**Static** - Fixed Address,
**SLAAC** - Stateless Address Auto-Configuration (Address generated by Host),
**DHCPv6** - Dynamic Host Configuration Protocol (Address assigned by a central DHCP server).
## Scopes and Special Addresses
When working in the world of IPv6, our addresses can vary depending on our scope (i.e. what part of a network):
**GLOBAL** - Everything (i.e. the whole internet),
**UNIQUE LOCAL** - Everything in our LAN (behind the internet gateway),
**LINK LOCAL** - Everything within the same collision domain that will not be routed (i.e. attached to the same switch).
| Range | Purpose |
| --------- | -------------------------------- |
| ::1/128 | Loopback Address (localhost) |
| ::/128 | Unspecified Address |
| 2000::/3 | GLOBAL Unicast (Internet) |
| fc00::/7 | Unique-Local (LAN) |
| fe80::/10 | Link-Local Unicast (Same switch) |
You should always use the smallest possible scope for communication.
A host can have **multiple** addresses in different scopes, even on the same interface.
## Subnetting
<img src=address_format.png width=600>
As in IPv4, IPv6 includes support for network segmentation via Subnetting. In the image below, the first 64 bits are designated as the `Network` portion, while the last 64 bits are for `Host` identification. Within the network portion, the first 48 bits are the `Routing Prefix` - aka the Network Address. The next and final 16 bits of the network notion is the `Subnet ID` or subnet address.
**Network+Subnet = Prefix**
The following address:
`2003:1000:1000:1600:1234::1` formatted fully as `2003:1000:1000:1600:1234:0000:0000:0001`, consists of the following segments:
- `2003:1000:1000:1600` - Prefix (Combined of Routing Prefix and Subnet ID)
- `2003:1000:1000` - Routing Prefix / Network Address
- `1600` - Subnet ID / Subnet
If my ISP provider **delegated** a portion of the prefix to me (e.g. `2003:1000:1000:1600/56`), then I could use the subnets `1600` through to `16FF` for my own purposes (Which would give me 256 available subnets).
## IPv6 Addresses in URIs/URLs
Because IPv6 address notation uses colons to isolate hextets, it is necessary to encase the address in square brackets in URIs. For example `http://[2a00:1450:4001:82a::2004]`. If you wish to specify a port, you can do so as normal using a colon following the closing square bracket: `http://[2a00:1450:4001:82a::2004]:80`.
## Multicast
Communication from one node to another is called **Unicast**. Communication from one node to many is called **Multicast**.
The following IPv6 multicast addresses may be used in in the link-local scope:
| Range | Purpose |
| --------- | -------------------------------------- |
| ff02::1 | All Nodes within the network segment |
| ff02::2 | All Routers within the network segment |
| ff02::fb | mDNSv6 |
| ff02::1:2 | All DHCP Servers and Agents |
| ff02::101 | All NTP Servers |
A full list is maintained by [IANA](https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml)
You can actually ping these addresses, e.g. `ping ff02::1`
## ICMP Message Types
ICMP does not use ports in order to communicate, but rather **types**. Critical/important types have numbers ranging from 1-127, while informational types have the numbers 128 and above. Each **type** can have subtypes or rather **codes** that can be used for further specifications.
Here are some frequently used IPv6 ICMP types:
| Type | Code | Purpose |
| ---- | ---- | ------------------------------ |
| 0 | | Reserved |
| 1 | | Destination Unreachable |
| 1 | 0 | No Route to Destination |
| 1 | 2 | Beyond Scope of Source Address |
| 3 | | Time Exceeded |
| 3 | 0 | Hop Limit Exceeded in Transit |
| Type | Code | Purpose |
| ---- | ---- | ------------------------- |
| 128 | 0 | Echo Request ("ping") |
| 129 | 0 | Echo Reply |
| 133 | 0 | Router Solicitation |
| 134 | 0 | Router Advertisement |
| 135 | 0 | Neighbo(u)r Solicitation |
| 136 | 0 | Neighbo(u)r Advertisement |
A full list is maintained by [IANA](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml)
## DHCPv6
IPv6 addresses can be distributed using the IPv6 version of the **Dynamic Host Configuration Protocol (DHCPv6)**. If a host wishes to obtain an IPv6 address via DHCPv6, it sends out a **DHCP Solicitation** from UDP port 546 to port 547 on the DHCP multicast address `ff02::1:2`. The DHCP server then replies to the client (from UDP port 547 to UDP port 546) with **DHCP Advertisement**. This handshake can be completed by the client sending out a **DHCP Request** and the server responding with a **DHCP Reply**
The DHCPv6 protocol is explained in more detail in this [Wikipedia Article](https://en.wikipedia.org/wiki/DHCPv6)
## DHCPv6 vs. SLAAC
Depending on how the router and the client are set up, the client can (and will) use both mechanisms (i.e. SLAAC and DHCP) to acquire IPv6 address allocations. The following table highlights the possible configuration combinations:
<img src=dhcp_slaac.jpg>
## Using WireShark
To gain a greater understanding of IPv6's functionality, you can use the packet sniffing tool WireShark to trace the message flow. Here are some WS filters for IPv6 ICMP, DHCPv6 and Router Solicitation and Advertisements:
Show ping and ping reply: `icmpv6 and (icmpv6.type==128) or (icmpv6.type==129)` <br>
Router solicit and advertise: `icmpv6 and (icmpv6.type==133) or (icmpv6.type==134)` <br>
Show DHCPv6 traffic: `dhcpv6` <br>
Router Solicit/Advertise and DHCPv6: `dhcpv6 or (icmpv6 and (icmpv6.type==134) or (icmpv6.type==133))` <br>
### Unicast vs. Multicast vs. Broadcast vs. Anycast
Within IPv6, there are a range of message options. All of these message types have a single host transmitting the message and all delivery is handled by the switch or router:
- **Unicast** is a message sent from a host to one receiver (One to One),
- **Broadcast** is a message sent from a host to all other hosts on the same broadcast domain (One to All),
- **Multicast** is a message sent from a host to all subscribers of a Multicast group (One to Specific),
- **Anycast** is a message sent from a host to the fastest / nearest subscriber of a specific address (One to Specific - Fastest Receiver / Nearest Node will receive).

BIN
projects/kwa/.DS_Store vendored Normal file
View File

Binary file not shown.

16
projects/kwa/firewall_migration/20250414-preparation.md
View File

@@ -12,11 +12,11 @@
### Network
| Name | Interface | Network | Note |
| ---------- | --------- | -------------- | -------------- |
| WAN | WAN | 10.0.70.2/32 | FritzBox PPPoE |
| MGMT | LAN | 10.70.0.254/24 | |
| SERVER | LAN | | |
| CLIENT | LAN | | |
| WLAN | LAN | | |
| WLAN_GUEST | LAN | | |
| Name | Interface | Network | Note |
| ---------- | --------- | ----------------- | -------------- |
| WAN | WAN | 10.0.70.2/32 | FritzBox PPPoE |
| MGMT | LAN | 192.168.50.254/24 | |
| SERVER | LAN | 192.168.70.254/24 | |
| CLIENT | LAN | 192.168.20.254/24 | |
| WLAN | LAN | 192.168.30.254/24 | |
| WLAN_GUEST | LAN | 192.168.40.254/24 | |

6
projects/phytron/nextcloud_gitlab_after_hack.md
View File

@@ -1,6 +1,6 @@
## General
- [x] Change Admin Passwords to: General Domain Administrator Password
- [x] Change Admin Passwords [to](): General Domain Administrator Password
- [ ] setup send-only mailbox
## Nextcloud
@@ -18,8 +18,8 @@ Domain: https://cloud.phytron.de
### Design
- [ ] Integrate Phytron CI
- [ ] Primary Gray/ Secondary Red (Related to Homepage)
- [x] Integrate Phytron CI - 20250415 hat sich von selbst erledigt
- [x] Primary Gray/ Secondary Red (Related to Homepage)
### Folder

BIN
projects/ssr/.DS_Store vendored Normal file
View File

Binary file not shown.