Petar Cubela
2025-07-15 15:36:24 +02:00
parent f6398bf45c
commit 252a91dbcc
162 changed files with 4584 additions and 54 deletions


@@ -0,0 +1,133 @@
### **Comprehensive Project Plan**
**Objective**: Enable Avahi (mDNS) communication across VLANs using a Sophos XGS firewall and a Linux VM hosted on ESXi with VLAN trunking.
---
### **1. Project Overview**
- **Firewall**: Sophos XGS (enforces VLAN segmentation and allows 5353/UDP traffic).
- **Avahi Server**: Linux VM on ESXi, receiving VLAN traffic via a physical trunk port.
- **Goal**: Allow mDNS traffic (5353/UDP) between specified VLANs while maintaining VLAN isolation.
---
### **2. Key Requirements**
1. **Firewall Configuration**:
- Allow **UDP 5353** traffic between specified VLANs.
- Enforce VLAN segmentation (no inter-VLAN communication by default).
2. **Network Infrastructure**:
- **Physical Trunk Port**: Switch provides tagged VLAN traffic to the ESXi host.
- **ESXi Host**: Assigns VLAN tagging to the VMs virtual NIC.
- **Linux VM**: Single interface receives trunked VLAN traffic.
3. **Avahi Server**:
- Installed on Linux VM.
- Configured to act as an mDNS relay across VLANs.
---
### **3. Network Setup**
#### **A. Physical Layer**
1. **Switch Configuration**:
- Configure a **trunk port** on the physical switch to carry all required VLANs (e.g., VLAN 10, VLAN 20).
- Ensure the trunk port is connected to the ESXi host.
#### **B. ESXi Host Configuration**
1. **Port Group Setup**:
- Create a **port group** on the ESXi host for VLAN trunking.
- Assign the VLANs (e.g., VLAN 10, VLAN 20) to the port group.
2. **VM Network Adapter**:
- Assign the VM a **virtual NIC (vNIC)** connected to the VLAN trunk port group.
- Ensure the vNIC is configured to **accept VLAN tags** (no need for VLAN sub-interfaces).
#### **C. Linux VM Configuration**
1. **Interface Configuration**:
- Assign **multiple IP addresses** to the VMs interface (e.g., `eth0` or `vmbr0`) for each VLAN.
```bash
auto eth0
iface eth0 inet static
address 192.168.20.251
netmask 255.255.255.0
address 10.56.1.251
netmask 255.255.255.0
gateway 10.56.1.254
```
- Ensure IPs are in **different subnets** (e.g., VLAN 10: `10.56.1.0/24`, VLAN 20: `192.168.20.0/26`).
2. **Routing**:
- Configure default gateway for the primary VLAN (e.g., `10.56.1.254`).
- Ensure routing tables allow traffic between VLANs.
---
### **4. Sophos XGS Firewall Configuration**
1. **VLAN Segmentation**:
- Create VLANs on the Sophos XGS (e.g., VLAN 10, VLAN 20).
- Assign interfaces to respective VLANs.
2. **Traffic Rules**:
- Allow **UDP 5353** traffic between specified VLANs.
- Example rule:
```
Source VLAN: VLAN 10
Destination VLAN: VLAN 20
Protocol: UDP
Destination Port: 5353
```
- Ensure **no other traffic** is allowed between VLANs unless explicitly permitted.
---
### **5. Avahi Server Setup**
1. **Install Avahi**:
- Install Avahi on the Linux VM:
```bash
apt update && apt install avahi-daemon libnss-mdns
```
2. **Configure Avahi**:
- Ensure Avahi is set to **broadcast mDNS packets** across VLANs.
- Adjust `/etc/avahi/avahi-daemon.conf` to allow broadcasting (if needed).
3. **Firewall Rules (Optional)**:
- If the VMs host firewall blocks traffic, add rules to allow **UDP 5353** between VLANs:
```bash
iptables -A FORWARD -s 10.56.1.0/24 -d 192.168.20.0/24 -p udp --dport 5353 -m state --state NEW,ESTABLISHED -j ACCEPT
```
4. **Verify Operation**:
- Test mDNS discovery between devices on different VLANs (e.g., ping, `avahi-browse`).
---
### **6. Testing & Validation**
1. **Ping Test**:
- Confirm connectivity between devices on different VLANs via the Avahi VM.
2. **Firewall Rule Check**:
- Ensure Sophos XGS allows **UDP 5353** traffic between VLANs.
3. **Avahi Discovery**:
- Use `avahi-browse` to verify mDNS services are visible across VLANs.
4. **Traffic Monitoring**:
- Use tools like `tcpdump` or Wireshark to confirm VLAN tagging and traffic flow.
---
### **7. Documentation & Maintenance**
1. **Document VLAN Assignments**:
- Record VLAN IDs, IP ranges, and firewall rules for reference.
2. **Backup Configurations**:
- Save ESXi port group settings, Sophos XGS rules, and Avahi configurations.
3. **Regular Updates**:
- Keep the Linux VM and Avahi software updated to avoid vulnerabilities.
---
### **8. Known Considerations**
- **Trunking Limitations**: Ensure the physical switch and ESXi host support VLAN trunking.
- **Firewall Overlap**: Avoid conflicting rules in Sophos XGS that could block mDNS traffic.
- **Performance**: Monitor network bandwidth to ensure VLAN traffic does not saturate the link.
---
### **9. Success Criteria**
- **mDNS Communication**: Devices on different VLANs can discover and communicate via Avahi.
- **Firewall Compliance**: Only allowed traffic (UDP 5353) is permitted between VLANs.
- **Network Isolation**: VLAN segmentation is enforced, and only required traffic is allowed.
---
This plan ensures a secure, scalable, and functional mDNS relay solution across VLANs using Sophos XGS and an ESXi-hosted Avahi VM.
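Review bot: The Linux VM interface configuration in section 3.C will not receive the VLAN traffic the plan depends on. A trunk delivers 802.1Q-tagged frames, and a single `eth0` stanza with two address lines (`address 192.168.20.251` followed by `address 10.56.1.251`) neither untags them nor survives ifupdown, which takes one address per stanza. Suggest one 8021q sub-interface per VLAN (`auto eth0.10` / `iface eth0.10 inet static`, and likewise `eth0.20`) with a single address each and one default gateway, and dropping the "no need for VLAN sub-interfaces" line in 3.B. Two further points in sections 4 and 5: mDNS is link-local multicast to 224.0.0.251, so the Sophos rule permitting UDP 5353 between VLANs is not what carries it across; the crossing is done by the reflector, so step 5.2 should name the concrete setting, `enable-reflector=yes` in the `[reflector]` section of `/etc/avahi/avahi-daemon.conf`, together with `allow-interfaces=` in `[server]` limited to the sub-interfaces that should be bridged, because reflecting into every VLAN (a guest VLAN included) defeats the segmentation goal in section 1. The `iptables -A FORWARD ...` rule in 5.3 is the wrong chain for a host that reflects rather than routes; an INPUT rule accepting UDP 5353 on the chosen sub-interfaces is what matters, and the subnet mismatch between `192.168.20.0/26` (3.C) and `192.168.20.0/24` (the iptables line and the 255.255.255.0 netmask) should be resolved to one value. Finally, the ping test in 6.1 contradicts the stated default-deny between VLANs; validation should run `avahi-browse -a` from a client in each VLAN and expect ICMP between VLANs to be blocked.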


@@ -0,0 +1,15 @@
## Firewall
| Name | VLAN | Network | Notes |
| ------------------- | ---- | ------------------ | ----- |
| V04_Mgmt-Netz | 1 | 192.168.5.254/24 | |
| V15_WFi_gg-lehrer | 15 | 192.168.151.254/22 | |
| V19_WFi_gg-schueler | 19 | 172.16.19.254/22 | |
| V18_WFi_Guest | 18 | 192.168.18.254/24 | |
## Networks
## ESXi
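Review bot: The `Network` column in the Firewall table holds the firewall's interface address rather than the network (`192.168.5.254/24` is a host; the network is `192.168.5.0/24`). Either rename the column to `Gateway` or list the prefix and put the gateway in its own column; otherwise the /22 entries (`192.168.151.254/22`, `172.16.19.254/22`) are easy to misread, since their networks are `192.168.148.0/22` and `172.16.16.0/22`. Management on VLAN `1` also deserves a remark in the Notes column: it is the default/native VLAN on most switches, so untagged frames on any trunk port land there, and a dedicated management VLAN is the usual recommendation. The VLAN IDs here (1, 15, 18, 19) do not match the examples used in the project plan (10, 20), and the `## Networks` and `## ESXi` headings are empty; either fill them in or leave them out until there is content.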


@@ -0,0 +1,48 @@
## List
- Apple TV-2.OG.06
- Apple TV-2.OG.06
- Apple TV-2.OG.06
- Apple TV-2.OG.16
- Apple TV-2.OG.16
- Apple TV-2.OG.16
- Apple TV 3.OG.06
- Apple TV 3.OG.06
- Apple TV 3.OG.06
- Apple TV-3.OG.10
- Apple TV-3.OG.10
- Apple TV-3.OG.10
- Apple TV-3.OG.17
- Apple TV-3.OG.17
- Apple TV-3.OG.17
- Apple TV-3.OG.17
- Apple TV-3.OG.18
- Apple TV-3.OG.18
- Apple TV-3.OG.19
- Apple TV-3.OG.19
- Apple TV-4.EG.11
- Apple TV-4.EG.11
- Apple TV-4.EG.11
- Apple TV-4.EG.13
- Apple TV-4.EG.13
- Apple TV-4.EG.14
- Apple TV-4.EG.14
- Apple TV-4.OG.06
- Apple TV-4.OG.06
- Apple TV-4.OG.06
- Apple TV-4.OG.07
- Apple TV-4.OG.07
- Apple TV-4.OG.07
- Apple TV-4.OG.07
- Apple TV-4.OG.10
- Apple TV-4.OG.10
- Apple TV-4.OG.11
- Apple TV-4.OG.11
- Apple TV-4.OG.11
- Apple TV-4.OG.11
- Apple TV-4.OG.13
- Apple TV-4.OG.13
- Apple TV-4.OG.13
- Apple TV-4.OG.14
- Apple TV-4.OG.14
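Review bot: Every entry in the list is repeated two to four times with nothing to tell the copies apart (`Apple TV-2.OG.06` appears three times), so the file cannot be used to map a device to a VLAN or an address. Suggest one row per physical device in a table with hostname, VLAN, IP and MAC, which is the data section 7.1 of the project plan says should be recorded, and consistent naming: `Apple TV 3.OG.06` uses a space where every other entry uses a hyphen, which breaks any script that matches on the `Apple TV-` prefix.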


@@ -0,0 +1,74 @@
You're absolutely correct. In **VMware ESXi**, the **"VLAN ID" field** in the **"Add Port Group"** wizard is **only for Access VLANs** (single VLAN). To configure a **trunk port group** (multiple VLANs), you need to **manually edit the port group settings** after creation. Here's the step-by-step guide to configure a **trunk port group** with multiple VLANs:
---
### **Step-by-Step: Configure Trunk Port Group in ESXi**
#### **1. Create the Port Group (Access Mode)**
1. Go to **vSphere Client** > **Networking** > **Switches** > **vSwitches**.
2. Select the **vSwitch** you want to use.
3. Click **Add Port Group**.
4. Enter a **Name** (e.g., `MGMT_VLAN`).
5. Select **VLAN Type**: **Access** (this is the default).
6. Enter the **VLAN ID** for the **management VLAN** (e.g., `10`).
7. Click **OK**.
> ⚠️ **Note**: This creates an **Access VLAN** (single VLAN). To enable **trunking**, you must **edit the port group** manually.
---
#### **2. Edit the Port Group to Enable Trunking**
1. Right-click the port group (e.g., `MGMT_VLAN`) and select **Edit Settings**.
2. Under **VLAN Settings**, change **VLAN Type** to **Trunk**.
3. In the **Tagged VLANs** field, enter the **VLAN IDs** you want to allow (e.g., `10,20,30`).
- **Important**: Separate VLAN IDs with commas (no spaces).
4. Click **OK**.
> ✅ **Example**: If your management VLAN is `10` and you need mDNS traffic on VLANs `20` and `30`, enter `10,20,30` in the **Tagged VLANs** field.
---
#### **3. Assign the VM to the Port Group**
1. Go to the **VM's settings**.
2. Under **Network Adapter**, select the port group you configured (`MGMT_VLAN`).
3. Ensure the VM is assigned to the correct VLANs (the port group will handle the tagging).
---
### **Key Notes**
- **Trunking is not available in the "Add Port Group" wizard**. You must **manually edit** the port group to enable trunking.
- **Physical Switch Configuration**: Ensure the **physical switch port** connected to the ESXi host is configured as a **trunk** with the same VLANs (e.g., `10,20,30`).
- **VM Configuration**: The VM will receive an IP address from the **untagged VLAN** (e.g., VLAN `10`) and will have access to the **tagged VLANs** (e.g., `20,30`) via the trunk port group.
---
### **Why This Works**
- **Trunking** allows the VM to communicate on **multiple VLANs** via a **single physical interface**.
- The **untagged VLAN** (e.g., `10`) is used for **management or default traffic**.
- The **tagged VLANs** (e.g., `20,30`) are used for **specific services** (like mDNS).
---
### **Alternative: Use Command Line (PowerCLI)**
If you prefer using the **command line**, you can configure trunking with PowerCLI:
```powershell
# Connect to vCenter
Connect-VIServer -Server vcenter.example.com
# Get the vSwitch and port group
$vs = Get-VirtualSwitch -Name "vSwitch0"
$pg = Get-VMHostNetworkAdapter -VMHost $vmhost -Name "MGMT_VLAN"
# Set the port group to Trunk with VLANs 10,20,30
Set-VMHostNetworkAdapter -VMHost $vmhost -NetworkAdapter $pg -VlanId 10,20,30
```
---
### **Summary**
- **Trunk port groups** in ESXi require **manual editing** after creation.
- Use the **Tagged VLANs** field to specify multiple VLANs (e.g., `10,20,30`).
- Ensure the **physical switch** is also configured as a trunk with the same VLANs.
Let me know if you need help verifying the switch configuration or troubleshooting VLAN tagging! 🛠️
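Review bot: The PowerCLI block under "Alternative" does not run as written: `$vmhost` is never assigned, `Get-VMHostNetworkAdapter` returns physical and VMkernel NICs rather than port groups, and `Set-VMHostNetworkAdapter` has no `-VlanId` parameter that accepts a list. For a standard vSwitch port group the trunk equivalent is VLAN ID `4095` (virtual guest tagging), set with `Get-VirtualPortGroup -VMHost $vmhost -Name "MGMT_VLAN" | Set-VirtualPortGroup -VLanId 4095`. The "VLAN Type: Trunk" and "Tagged VLANs" fields described in step 2 exist on distributed switch port groups (VLAN trunking with a range), not on a standard vSwitch, where the only field is the single VLAN ID. The "Key Notes" claim that the VM gets an address from an untagged VLAN `10` plus tagged `20,30` also does not hold with guest tagging: every VLAN arrives tagged and the guest needs an 802.1Q sub-interface per VLAN. From a segmentation standpoint, `4095` exposes every VLAN carried on the uplink to the guest, so the allowed VLAN list on the physical switch port (and a distributed switch trunk range where available) should be restricted to exactly `10,20,30`.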


@@ -0,0 +1,102 @@
To configure VLANs with **static IP addresses** on Debian using the native `/etc/network/interfaces` file, follow this setup. This replicates your current configuration using VLANs on `eth0` and assigns static IPs to `eth0.20` and `eth0.30`.
---
### 📁 **/etc/network/interfaces Configuration**
```bash
# Define VLAN interfaces with static IPs
auto eth0
iface eth0 inet static
address 10.56.0.243/24
gateway 10.56.0.1
dns-nameservers 8.8.8.8 8.8.4.4
auto eth0.20
iface eth0.20 inet static
address 10.56.2.103/24
gateway 10.56.2.1
dns-nameservers 8.8.8.8 8.8.4.4
inet6 address 2001:db8::1/64
inet6 gateway 2001:db8::1
inet6 dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844
auto eth0.30
iface eth0.30 inet static
address 10.56.3.108/24
gateway 10.56.3.1
dns-nameservers 8.8.8.8 8.8.4.4
inet6 address 2001:db8::2/64
inet6 gateway 2001:db8::2
inet6 dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844
```
---
### 🧰 **Steps to Apply the Configuration**
1. **Install `vconfig`** (required for VLANs):
```bash
sudo apt update
sudo apt install vconfig
```
2. **Create VLAN interfaces** (if not already created):
```bash
sudo vconfig add eth0 20
sudo vconfig add eth0 30
```
3. **Update `/etc/network/interfaces`** with the above configuration.
4. **Restart networking**:
```bash
sudo systemctl restart networking
```
5. **Verify interfaces**:
```bash
ip a
```
You should see `eth0.20` and `eth0.30` with static IPs assigned.
---
### 📌 **Key Notes**
1. **VLAN Interface Creation**:
- The `vconfig` tool creates the VLAN interfaces (`eth0.20`, `eth0.30`).
- Ensure `vconfig` is installed to manage VLANs.
2. **Static IPs**:
- Use `address` for IPv4 and `inet6 address` for IPv6.
- Set `gateway` and `dns-nameservers` for routing and DNS.
3. **IPv6 Support**:
- IPv6 addresses are configured using `inet6 address` and `inet6 gateway`.
- Ensure your network supports IPv6 or adjust accordingly.
4. **Parent Interface (`eth0`)**:
- `eth0` is configured with a static IP (`10.56.0.243/24`) and a default gateway (`10.56.0.1`).
---
### 🧪 **Validation**
After applying the configuration:
- Check IP addresses:
```bash
ip a
```
- Test connectivity:
```bash
ping -c 4 8.8.8.8
ping -c 4 2001:4860:4860::8888
```
---
### 📝 Summary
This `/etc/network/interfaces` configuration sets up VLANs (`eth0.20`, `eth0.30`) with **static IPv4 and IPv6 addresses**, matching your original setup. It avoids manual `ip link` commands and ensures consistent networking behavior.
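Review bot: The interfaces file will fail to apply for several reasons. `inet6 address`, `inet6 gateway` and `inet6 dns-nameservers` are not ifupdown options; IPv6 needs its own `iface eth0.20 inet6 static` stanza with plain `address` and `gateway` lines, and the IPv6 gateway given for each VLAN (`2001:db8::1`, `2001:db8::2`) is the interface's own address, so no usable route would result (`2001:db8::/32` is also the documentation prefix). Three `gateway` lines (`10.56.0.1`, `10.56.2.1`, `10.56.3.1`) each request a default route and the second one fails because a default route already exists; keep a single default gateway, normally on `eth0`, and add any per-VLAN routes with `post-up ip route add`. In the steps, `apt install vconfig` will not resolve: the package is `vlan`, and its ifupdown hooks create `eth0.20`/`eth0.30` from the stanza names, so the manual `vconfig add` step (a deprecated tool; the current command is `ip link add link eth0 name eth0.20 type vlan id 20`) is unnecessary. `dns-nameservers` only takes effect with `resolvconf` installed; mention that or drop those lines.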