CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

20250907

Browse Source
This commit is contained in:
Petar Cubela
2025-09-07 13:07:01 +02:00
parent c83d178b77
commit 584265c22c
92 changed files with 3011 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
projects/gg/avahi_mdns-reflector/prep/20250712-avahi-mdns-planning.md Normal file
View File

@@ -0,0 +1,133 @@
### **Comprehensive Project Plan**
**Objective**: Enable Avahi (mDNS) communication across VLANs using a Sophos XGS firewall and a Linux VM hosted on ESXi with VLAN trunking.
---
### **1. Project Overview**
- **Firewall**: Sophos XGS (enforces VLAN segmentation and allows 5353/UDP traffic).
- **Avahi Server**: Linux VM on ESXi, receiving VLAN traffic via a physical trunk port.
- **Goal**: Allow mDNS traffic (5353/UDP) between specified VLANs while maintaining VLAN isolation.
---
### **2. Key Requirements**
1. **Firewall Configuration**:
- Allow **UDP 5353** traffic between specified VLANs.
- Enforce VLAN segmentation (no inter-VLAN communication by default).
2. **Network Infrastructure**:
- **Physical Trunk Port**: Switch provides tagged VLAN traffic to the ESXi host.
- **ESXi Host**: Assigns VLAN tagging to the VMs virtual NIC.
- **Linux VM**: Single interface receives trunked VLAN traffic.
3. **Avahi Server**:
- Installed on Linux VM.
- Configured to act as an mDNS relay across VLANs.
---
### **3. Network Setup**
#### **A. Physical Layer**
1. **Switch Configuration**:
- Configure a **trunk port** on the physical switch to carry all required VLANs (e.g., VLAN 10, VLAN 20).
- Ensure the trunk port is connected to the ESXi host.
#### **B. ESXi Host Configuration**
1. **Port Group Setup**:
- Create a **port group** on the ESXi host for VLAN trunking.
- Assign the VLANs (e.g., VLAN 10, VLAN 20) to the port group.
2. **VM Network Adapter**:
- Assign the VM a **virtual NIC (vNIC)** connected to the VLAN trunk port group.
- Ensure the vNIC is configured to **accept VLAN tags** (no need for VLAN sub-interfaces).
#### **C. Linux VM Configuration**
1. **Interface Configuration**:
- Assign **multiple IP addresses** to the VMs interface (e.g., `eth0` or `vmbr0`) for each VLAN.
```bash
auto eth0
iface eth0 inet static
address 192.168.20.251
netmask 255.255.255.0
address 10.56.1.251
netmask 255.255.255.0
gateway 10.56.1.254
```
- Ensure IPs are in **different subnets** (e.g., VLAN 10: `10.56.1.0/24`, VLAN 20: `192.168.20.0/26`).
2. **Routing**:
- Configure default gateway for the primary VLAN (e.g., `10.56.1.254`).
- Ensure routing tables allow traffic between VLANs.
---
### **4. Sophos XGS Firewall Configuration**
1. **VLAN Segmentation**:
- Create VLANs on the Sophos XGS (e.g., VLAN 10, VLAN 20).
- Assign interfaces to respective VLANs.
2. **Traffic Rules**:
- Allow **UDP 5353** traffic between specified VLANs.
- Example rule:
```
Source VLAN: VLAN 10
Destination VLAN: VLAN 20
Protocol: UDP
Destination Port: 5353
```
- Ensure **no other traffic** is allowed between VLANs unless explicitly permitted.
---
### **5. Avahi Server Setup**
1. **Install Avahi**:
- Install Avahi on the Linux VM:
```bash
apt update && apt install avahi-daemon libnss-mdns
```
2. **Configure Avahi**:
- Ensure Avahi is set to **broadcast mDNS packets** across VLANs.
- Adjust `/etc/avahi/avahi-daemon.conf` to allow broadcasting (if needed).
3. **Firewall Rules (Optional)**:
- If the VMs host firewall blocks traffic, add rules to allow **UDP 5353** between VLANs:
```bash
iptables -A FORWARD -s 10.56.1.0/24 -d 192.168.20.0/24 -p udp --dport 5353 -m state --state NEW,ESTABLISHED -j ACCEPT
```
4. **Verify Operation**:
- Test mDNS discovery between devices on different VLANs (e.g., ping, `avahi-browse`).
---
### **6. Testing & Validation**
1. **Ping Test**:
- Confirm connectivity between devices on different VLANs via the Avahi VM.
2. **Firewall Rule Check**:
- Ensure Sophos XGS allows **UDP 5353** traffic between VLANs.
3. **Avahi Discovery**:
- Use `avahi-browse` to verify mDNS services are visible across VLANs.
4. **Traffic Monitoring**:
- Use tools like `tcpdump` or Wireshark to confirm VLAN tagging and traffic flow.
---
### **7. Documentation & Maintenance**
1. **Document VLAN Assignments**:
- Record VLAN IDs, IP ranges, and firewall rules for reference.
2. **Backup Configurations**:
- Save ESXi port group settings, Sophos XGS rules, and Avahi configurations.
3. **Regular Updates**:
- Keep the Linux VM and Avahi software updated to avoid vulnerabilities.
---
### **8. Known Considerations**
- **Trunking Limitations**: Ensure the physical switch and ESXi host support VLAN trunking.
- **Firewall Overlap**: Avoid conflicting rules in Sophos XGS that could block mDNS traffic.
- **Performance**: Monitor network bandwidth to ensure VLAN traffic does not saturate the link.
---
### **9. Success Criteria**
- **mDNS Communication**: Devices on different VLANs can discover and communicate via Avahi.
- **Firewall Compliance**: Only allowed traffic (UDP 5353) is permitted between VLANs.
- **Network Isolation**: VLAN segmentation is enforced, and only required traffic is allowed.
---
This plan ensures a secure, scalable, and functional mDNS relay solution across VLANs using Sophos XGS and an ESXi-hosted Avahi VM.

15
projects/gg/avahi_mdns-reflector/prep/20250713-infrastructure.md Normal file
View File

@@ -0,0 +1,15 @@
## Firewall
| Name | VLAN | Network | Notes |
| ------------------- | ---- | ------------------ | ----- |
| V04_Mgmt-Netz | 1 | 192.168.5.254/24 | |
| V15_WFi_gg-lehrer | 15 | 192.168.151.254/22 | |
| V19_WFi_gg-schueler | 19 | 172.16.19.254/22 | |
| V18_WFi_Guest | 18 | 192.168.18.254/24 | |
## Networks
## ESXi

48
projects/gg/avahi_mdns-reflector/prep/20250714-apple-tv-devices.md Normal file
View File

@@ -0,0 +1,48 @@
## List
- Apple TV-2.OG.06
- Apple TV-2.OG.06
- Apple TV-2.OG.06
- Apple TV-2.OG.16
- Apple TV-2.OG.16
- Apple TV-2.OG.16
- Apple TV 3.OG.06
- Apple TV 3.OG.06
- Apple TV 3.OG.06
- Apple TV-3.OG.10
- Apple TV-3.OG.10
- Apple TV-3.OG.10
- Apple TV-3.OG.17
- Apple TV-3.OG.17
- Apple TV-3.OG.17
- Apple TV-3.OG.17
- Apple TV-3.OG.18
- Apple TV-3.OG.18
- Apple TV-3.OG.19
- Apple TV-3.OG.19
- Apple TV-4.EG.11
- Apple TV-4.EG.11
- Apple TV-4.EG.11
- Apple TV-4.EG.13
- Apple TV-4.EG.13
- Apple TV-4.EG.14
- Apple TV-4.EG.14
- Apple TV-4.OG.06
- Apple TV-4.OG.06
- Apple TV-4.OG.06
- Apple TV-4.OG.07
- Apple TV-4.OG.07
- Apple TV-4.OG.07
- Apple TV-4.OG.07
- Apple TV-4.OG.10
- Apple TV-4.OG.10
- Apple TV-4.OG.11
- Apple TV-4.OG.11
- Apple TV-4.OG.11
- Apple TV-4.OG.11
- Apple TV-4.OG.13
- Apple TV-4.OG.13
- Apple TV-4.OG.13
- Apple TV-4.OG.14
- Apple TV-4.OG.14

74
projects/gg/avahi_mdns-reflector/prep/20250714-esxi-networking.md Normal file
View File

@@ -0,0 +1,74 @@
You're absolutely correct. In **VMware ESXi**, the **"VLAN ID" field** in the **"Add Port Group"** wizard is **only for Access VLANs** (single VLAN). To configure a **trunk port group** (multiple VLANs), you need to **manually edit the port group settings** after creation. Here's the step-by-step guide to configure a **trunk port group** with multiple VLANs:
---
### **Step-by-Step: Configure Trunk Port Group in ESXi**
#### **1. Create the Port Group (Access Mode)**
1. Go to **vSphere Client** > **Networking** > **Switches** > **vSwitches**.
2. Select the **vSwitch** you want to use.
3. Click **Add Port Group**.
4. Enter a **Name** (e.g., `MGMT_VLAN`).
5. Select **VLAN Type**: **Access** (this is the default).
6. Enter the **VLAN ID** for the **management VLAN** (e.g., `10`).
7. Click **OK**.
> ⚠️ **Note**: This creates an **Access VLAN** (single VLAN). To enable **trunking**, you must **edit the port group** manually.
---
#### **2. Edit the Port Group to Enable Trunking**
1. Right-click the port group (e.g., `MGMT_VLAN`) and select **Edit Settings**.
2. Under **VLAN Settings**, change **VLAN Type** to **Trunk**.
3. In the **Tagged VLANs** field, enter the **VLAN IDs** you want to allow (e.g., `10,20,30`).
- **Important**: Separate VLAN IDs with commas (no spaces).
4. Click **OK**.
> ✅ **Example**: If your management VLAN is `10` and you need mDNS traffic on VLANs `20` and `30`, enter `10,20,30` in the **Tagged VLANs** field.
---
#### **3. Assign the VM to the Port Group**
1. Go to the **VM's settings**.
2. Under **Network Adapter**, select the port group you configured (`MGMT_VLAN`).
3. Ensure the VM is assigned to the correct VLANs (the port group will handle the tagging).
---
### **Key Notes**
- **Trunking is not available in the "Add Port Group" wizard**. You must **manually edit** the port group to enable trunking.
- **Physical Switch Configuration**: Ensure the **physical switch port** connected to the ESXi host is configured as a **trunk** with the same VLANs (e.g., `10,20,30`).
- **VM Configuration**: The VM will receive an IP address from the **untagged VLAN** (e.g., VLAN `10`) and will have access to the **tagged VLANs** (e.g., `20,30`) via the trunk port group.
---
### **Why This Works**
- **Trunking** allows the VM to communicate on **multiple VLANs** via a **single physical interface**.
- The **untagged VLAN** (e.g., `10`) is used for **management or default traffic**.
- The **tagged VLANs** (e.g., `20,30`) are used for **specific services** (like mDNS).
---
### **Alternative: Use Command Line (PowerCLI)**
If you prefer using the **command line**, you can configure trunking with PowerCLI:
```powershell
# Connect to vCenter
Connect-VIServer -Server vcenter.example.com
# Get the vSwitch and port group
$vs = Get-VirtualSwitch -Name "vSwitch0"
$pg = Get-VMHostNetworkAdapter -VMHost $vmhost -Name "MGMT_VLAN"
# Set the port group to Trunk with VLANs 10,20,30
Set-VMHostNetworkAdapter -VMHost $vmhost -NetworkAdapter $pg -VlanId 10,20,30
```
---
### **Summary**
- **Trunk port groups** in ESXi require **manual editing** after creation.
- Use the **Tagged VLANs** field to specify multiple VLANs (e.g., `10,20,30`).
- Ensure the **physical switch** is also configured as a trunk with the same VLANs.
Let me know if you need help verifying the switch configuration or troubleshooting VLAN tagging! 🛠️

102
projects/gg/avahi_mdns-reflector/prep/20250714-linux-interface-conf.md Normal file
View File

@@ -0,0 +1,102 @@
To configure VLANs with **static IP addresses** on Debian using the native `/etc/network/interfaces` file, follow this setup. This replicates your current configuration using VLANs on `eth0` and assigns static IPs to `eth0.20` and `eth0.30`.
---
### 📁 **/etc/network/interfaces Configuration**
```bash
# Define VLAN interfaces with static IPs
auto eth0
iface eth0 inet static
address 10.56.0.243/24
gateway 10.56.0.1
dns-nameservers 8.8.8.8 8.8.4.4
auto eth0.20
iface eth0.20 inet static
address 10.56.2.103/24
gateway 10.56.2.1
dns-nameservers 8.8.8.8 8.8.4.4
inet6 address 2001:db8::1/64
inet6 gateway 2001:db8::1
inet6 dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844
auto eth0.30
iface eth0.30 inet static
address 10.56.3.108/24
gateway 10.56.3.1
dns-nameservers 8.8.8.8 8.8.4.4
inet6 address 2001:db8::2/64
inet6 gateway 2001:db8::2
inet6 dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844
```
---
### 🧰 **Steps to Apply the Configuration**
1. **Install `vconfig`** (required for VLANs):
```bash
sudo apt update
sudo apt install vconfig
```
2. **Create VLAN interfaces** (if not already created):
```bash
sudo vconfig add eth0 20
sudo vconfig add eth0 30
```
3. **Update `/etc/network/interfaces`** with the above configuration.
4. **Restart networking**:
```bash
sudo systemctl restart networking
```
5. **Verify interfaces**:
```bash
ip a
```
You should see `eth0.20` and `eth0.30` with static IPs assigned.
---
### 📌 **Key Notes**
1. **VLAN Interface Creation**:
- The `vconfig` tool creates the VLAN interfaces (`eth0.20`, `eth0.30`).
- Ensure `vconfig` is installed to manage VLANs.
2. **Static IPs**:
- Use `address` for IPv4 and `inet6 address` for IPv6.
- Set `gateway` and `dns-nameservers` for routing and DNS.
3. **IPv6 Support**:
- IPv6 addresses are configured using `inet6 address` and `inet6 gateway`.
- Ensure your network supports IPv6 or adjust accordingly.
4. **Parent Interface (`eth0`)**:
- `eth0` is configured with a static IP (`10.56.0.243/24`) and a default gateway (`10.56.0.1`).
---
### 🧪 **Validation**
After applying the configuration:
- Check IP addresses:
```bash
ip a
```
- Test connectivity:
```bash
ping -c 4 8.8.8.8
ping -c 4 2001:4860:4860::8888
```
---
### 📝 Summary
This `/etc/network/interfaces` configuration sets up VLANs (`eth0.20`, `eth0.30`) with **static IPv4 and IPv6 addresses**, matching your original setup. It avoids manual `ip link` commands and ensures consistent networking behavior.

117
projects/gg/avahi_mdns-reflector/prep/20250716-avahi-scaling.md Normal file
View File

@@ -0,0 +1,117 @@
To scale your **Avahi server** (used for zeroconf/Bonjour services) in a large environment with **many Apple devices** (e.g., Apple TVs, iPhones, Macs) across **VLANs**, you need to address both **network architecture** and **Avahi configuration**. Below is a structured plan to ensure scalability and performance:
---
### 🧠 **Key Considerations for Scaling Avahi**
#### 1. **Network Segmentation and VLAN Isolation**
- **Separate Avahi Services per VLAN**:
Run **dedicated Avahi servers** for each VLAN (e.g., one for "Students" and one for "Teachers"). This isolates traffic and prevents cross-VLAN multicast flooding.
- Example:
- **VLAN 10 (Students)**: Avahi server handles only student devices.
- **VLAN 20 (Teachers)**: Avahi server handles only teacher devices.
- **VLAN 30 (Apple TV VLAN)**: Dedicated Avahi server for Apple TVs.
- This reduces the load on any single Avahi instance and prevents unnecessary multicast traffic across VLANs.
- **Use VLAN-Specific DNS-SD (mDNS)**:
Ensure Apple TVs and devices are configured to use **mDNS within their VLAN**. This avoids cross-VLAN service discovery and reduces broadcast traffic.
---
#### 2. **Avahi Server Optimization**
- **Limit Service Scope**:
Use **`avahi-daemon`** configuration to restrict service broadcasting to specific VLANs. For example:
```ini
[server]
; Only allow services on VLAN 10 (e.g., 10.56.2.0/24)
; This is done via network segmentation, not Avahi itself.
```
- **Reduce Redundant Advertisements**:
- **Limit Apple TV service types**:
Apple TVs often advertise multiple services (e.g., HTTP, DLNA, Bonjour). Use **`avahi-publish`** or `dns-sd` to restrict only necessary services (e.g., only the "Apple TV" service).
- **Use static service records**:
For critical services (e.g., Apple TV streaming), predefine static DNS-SD records instead of relying on dynamic discovery. This reduces the number of advertisements.
- **Enable Caching and Query Limiting**:
- Use **`avahi-browse`** to cache service records and reduce redundant queries.
- Limit the number of concurrent queries using `avahi-daemon` configuration (`--max-queries` or `--max-queries-per-sec`).
---
#### 3. **Hardware and OS Considerations**
- **High-Performance Server**:
Run Avahi on a dedicated server with:
- **SSD storage** for faster log writes.
- **Sufficient RAM** (e.g., 8GB+ for 50+ devices).
- **Multi-core CPU** to handle multicast traffic and service resolution.
- **Use Lightweight OS**:
Avoid heavy OS features (e.g., GUI, unnecessary services) to free up resources. Consider **Debian/Ubuntu minimal** or **Alpine Linux** for Avahi.
---
#### 4. **Network Infrastructure**
- **Enable IGMP Snooping**:
Configure switches to **filter multicast traffic** (e.g., `IGMP Snooping` or `MLD Snooping` for IPv6) to prevent unnecessary flooding.
- **Use QoS for mDNS Traffic**:
Prioritize mDNS UDP packets (port 5353) to ensure low latency for service discovery.
- **Segment Traffic with VLANs**:
Ensure Apple TVs and devices are on their own VLAN to avoid cross-VLAN multicast storms.
---
#### 5. **Monitoring and Failover**
- **Monitor Avahi Logs**:
Use `journalctl` or `avahi-browse` to track service advertisements and detect bottlenecks.
- **Set Up Redundant Avahi Servers**:
Run **two Avahi servers** per VLAN with **split-brain configuration** (e.g., using `avahi-daemon` with `--enable-dbus` and `--enable-dbus-interfaces`). This ensures failover if one server fails.
- **Use External DNS for Large-Scale mDNS**:
For very large environments, consider **external DNS servers** (e.g., `dnsmasq`, `mDNSResponder`) to handle mDNS queries, reducing load on Avahi.
---
#### 6. **Apple-Specific Optimizations**
- **Limit Apple TV Advertisements**:
Apple TVs often broadcast multiple services (e.g., HTTP, DLNA, Bonjour). Use **`avahi-publish`** to restrict only the "Apple TV" service.
- **Use Static IP for Apple TVs**:
Assign static IPs to Apple TVs to avoid dynamic IP conflicts and reduce mDNS advertisement overhead.
- **Enable Bonjour Proxy**:
If Apple devices are on different subnets, use a **Bonjour proxy** (e.g., `dnsmasq` with `--enable-dns-forwarding`) to route mDNS queries efficiently.
---
### 📌 **Example Configuration for Avahi (Debian/Ubuntu)**
```bash
# /etc/avahi/avahi-daemon.conf
[server]
; Enable DNS-SD
enable-dns = yes
; Limit query rate
max-queries = 1000
max-queries-per-sec = 100
; Use static IP for Apple TVs (if needed)
; (Configure via DHCP or static IP assignment)
```
---
### 🧪 **Testing and Validation**
1. **Simulate Load**:
Use tools like `avahi-browse` or `dns-sd` to test service discovery under load.
2. **Monitor Network Traffic**:
Use `tcpdump` or Wireshark to check for multicast traffic and ensure its confined to the VLAN.
3. **Stress Test**:
Simulate 50+ Apple TVs and devices broadcasting services to verify Avahi performance.
---
### ✅ **Summary**
- **Isolate VLANs** to prevent cross-traffic.
- **Run dedicated Avahi servers** per VLAN.
- **Optimize service advertisements** and enable caching.
- **Use hardware and OS resources efficiently**.
- **Monitor and scale** based on real-world usage.
By following these steps, your Avahi server will scale effectively to handle 4050 Apple TVs and many other devices without performance degradation.

52
projects/gg/avahi_mdns-reflector/prep/20250716-firewall-rules-bonjour.md Normal file
View File

@@ -0,0 +1,52 @@
You're absolutely correct. **Xsan** (Apple's high-performance file system) uses a **dynamic port range** (4915265535) for **data transfer** between clients and servers. These ports are essential for **high-throughput file access** in environments like video production, where Apple TVs or other devices may interact with Xsan servers. Below is the updated list of **critical ports** for Apple services, including **Xsan**:
---
### 🚫 **Critical Ports to Open (Updated)**
| Port Range | Protocol | Purpose | Required |
|------------------|----------|----------------------------------------------|----------|
| **5353** | UDP | **mDNS/Bonjour** (service discovery) | ✅ Yes |
| **80** | TCP | **HTTP** (web services, streaming) | ✅ Yes |
| **443** | TCP | **HTTPS** (secure web services) | ✅ Yes |
| **554** | TCP/UDP | **RTSP** (media streaming) | ✅ Yes |
| **9876** | TCP | **Apple TV Remote Access** | ✅ Yes |
| **9877** | TCP | **Apple TV Media Streaming** | ✅ Yes |
| **4915265535** | TCP | **Xsan Filesystem Access** (dynamic range) | ✅ Yes |
---
### 📌 **Key Notes**
1. **Xsan (4915265535)**
- **Purpose**: Used for **high-performance file transfers** between Xsan clients (e.g., Apple TVs, editing stations) and Xsan servers.
- **Why It Matters**: Xsan is designed for **low-latency, high-throughput** environments. The dynamic port range ensures scalability and avoids port exhaustion.
- **Security**: While these ports are required for Xsan, they are **dynamic** and should be **restricted to trusted VLANs** (e.g., Apple TV VLAN ↔ Xsan server VLAN).
2. **Firewall Rules**
- **Direction**: Allow **bidirectional traffic** between VLANs.
- **Stateful Inspection**: Use stateful rules (e.g., in OPNsense) to automatically handle both directions.
- **VLAN Isolation**: Ensure traffic is only allowed between **Apple TV VLAN** and **Xsan server VLAN** (or Teacher/Student VLANs, if applicable).
3. **Testing and Validation**
- **Simulate Load**: Use tools like `tcpdump` or `Wireshark` to capture traffic and confirm the port range is being used.
- **Monitor Traffic**: Ensure no unintended exposure by restricting access to only the necessary VLANs.
---
### 🧠 **Example OPNsense Rule (Xsan Server ↔ Apple TV VLAN)**
1. **Interface**: Create VLAN interfaces (e.g., `VLAN10` for Apple TV, `VLAN20` for Xsan server).
2. **Rule**:
- **Action**: Allow
- **Source**: `VLAN10` (Apple TV VLAN)
- **Destination**: `VLAN20` (Xsan server VLAN)
- **Protocol**: TCP (4915265535)
- **State**: Enable (for bidirectional traffic).
---
### ✅ **Summary**
- **Xsan** requires the **dynamic port range 4915265535 (TCP)** for efficient file access.
- Ensure these ports are **allowed between relevant VLANs** and **restricted to trusted devices**.
- Always **verify if Xsan is required** in your environment to avoid unnecessary exposure.
By including these ports and configuring the firewall accordingly, Apple services (including Xsan) will function seamlessly across VLANs.

164
projects/gg/avahi_mdns-reflector/prep/20250717-project-plan-scaling.md Normal file
View File

@@ -0,0 +1,164 @@
### **Comprehensive Project Plan for VLAN Bridging with mDNS Proxy and Avahi Servers**
---
### **1. Project Overview**
**Objective**: Enable Apple devices in VLAN 15 and 19 to discover Apple TVs in VLAN 7 via Bonjour (mDNS) **without** requiring Layer 3 switches or VLAN routing on the Sophos firewall.
**Key Requirements**:
- **VLANs**: Student (15), Teacher (19), AppleTV (7).
- **Subnets**:
- VLAN 15: `172.16.19.254/255.255.252.0`
- VLAN 19: `192.168.151.254/255.255.252.0`
- VLAN 7: `172.16.111.254/255.255.248.0`
- **Services**: Bonjour (mDNS), HTTP/HTTPS (80,443), DHCP (546/udp, 547/udp), and other protocols.
- **Tools**:
- **Sophos XGS4300**: DHCP server, firewall.
- **ESXi**: Hypervisor for VMs.
- **Debian VMs**: Avahi servers, mDNS proxy.
- **Switches**: Level 2 (no IGMP snooping).
- **VM IPs**: `.250` in each VLAN (e.g., `172.16.19.250`, `192.168.151.250`, `172.16.111.250`).
---
### **2. Network Architecture Design**
#### **A. VLAN Configuration (ESXi vSwitch)**
- **vSwitch Setup**:
- Create a **vSwitch** (e.g., `vSwitch0`) with **VLAN tags** for each VLAN (15, 19, 7).
- Assign **VMs** to this vSwitch with appropriate VLAN tags.
- **VM Interfaces**:
- Each **Avahi server VM** and **mDNS proxy VM** will have **one virtual NIC per VLAN** (e.g., VLAN 15, VLAN 19, VLAN 7).
- Ensure **untagged interfaces** for management (optional).
#### **B. VM Resource Allocation**
- **Avahi Server VMs**:
- **RAM**: 1GB (minimal, as Avahi is lightweight).
- **CPU**: 1 core.
- **Storage**: 10GB (for OS and logs).
- **mDNS Proxy VM**:
- **RAM**: 2GB (to handle traffic forwarding).
- **CPU**: 2 cores.
- **Storage**: 20GB (for logs and configurations).
#### **C. IP Addressing**
- **Avahi Servers**:
- VLAN 15: `172.16.19.250`
- VLAN 19: `192.168.151.250`
- VLAN 7: `172.16.111.250`
- **mDNS Proxy**:
- Assign a **static IP** (e.g., `172.16.111.251`) in VLAN 7 (or use a management VLAN if needed).
---
### **3. Software and Configuration**
#### **A. Avahi Servers (Per VLAN)**
- **OS**: Debian 12 (Bookworm).
- **Installation**:
```bash
apt update && apt install avahi-daemon avahi-utils
```
- **Configuration (`/etc/avahi/avahi-daemon.conf`)**:
- Ensure `host-name` is set to the VM's hostname (e.g., `avahi15`).
- Set `domain-name` to the local domain (e.g., `local`).
- **Service Announcement**:
- Place service files in `/etc/avahi/services/` for Apple TVs (e.g., `apple-tv.service`).
- Example `apple-tv.service`:
```xml
<service>
<type>_http._tcp</type>
<subtype>_apple-tv._sub</subtype>
<port>80</port>
<host>apple-tv.local</host>
</service>
```
#### **B. mDNS Proxy (VM)**
- **Software**: Use **`mdnsproxy`** (not `dnsmasq`) for mDNS forwarding.
- **Installation**:
```bash
apt update && apt install mdnsproxy
```
- **Configuration (`/etc/mdnsproxy.conf`)**:
- Define **forwarding rules** between VLANs:
```ini
[forward]
172.16.19.250 192.168.151.250 172.16.111.250
192.168.151.250 172.16.19.250 172.16.111.250
172.16.111.250 172.16.19.250 192.168.151.250
```
- Ensure **UDP port 5353** is open for mDNS traffic.
- **Firewall Rules (Sophos XGS)**:
- Allow **UDP port 5353** between VLAN 15, 19, and 7.
- Allow **TCP/UDP ports 80, 443, 546, 547** for service access.
---
### **4. Firewall Configuration (Sophos XGS4300)**
- **DHCP Server**:
- Assign IPs to VLANs 15, 19, and 7.
- Ensure **IP ranges** match the subnets (e.g., VLAN 15: `172.16.19.252-254`).
- **Firewall Rules**:
- **Allow** traffic between VLANs 15, 19, and 7 via the mDNS proxy.
- **Deny** direct communication between VLANs (to enforce proxy routing).
- **Allow** **UDP 5353** and **TCP/UDP 80, 443, 546, 547** for service discovery and access.
---
### **5. Testing and Validation**
- **Step 1**: Verify **VLAN tagging** on ESXi vSwitch. Use `ovs-ofctl dump-ports` to confirm VLAN tags.
- **Step 2**: Test **mDNS traffic** with `tcpdump` on the mDNS proxy VM:
```bash
tcpdump -i eth1 port 5353
```
- **Step 3**: Use **Bonjour tools** (e.g., `dns-sd`) to discover services:
```bash
dns-sd -B _http._tcp local
```
- **Step 4**: Ensure **Apple devices** can access services via the proxy.
- **Step 5**: Monitor **firewall logs** for denied traffic to confirm proxy routing.
---
### **6. Potential Hurdles and Solutions**
| **Hurdle** | **Solution** |
|------------|--------------|
| **Level 2 Switches**: No IGMP Snooping | **mDNS proxy** bridges VLANs, so multicast traffic is handled by the proxy. |
| **Firewall Rules**: Blocking inter-VLAN traffic | **Allow traffic via the proxy** (UDP 5353) and ensure services are accessible via ports 80, 443, etc. |
| **VM IP Conflicts** | Assign **static IPs** in each VLAN (e.g., `.250`) to avoid DHCP conflicts. |
| **mDNS Proxy Not Forwarding** | Verify `mdnsproxy` configuration and ensure VMs are connected to all VLANs. |
| **Service Discovery Failures** | Test with `dns-sd` and ensure Avahi servers are correctly configured. |
---
### **7. Resource Recommendations**
- **ESXi Host**:
- At least 8GB RAM, 4 cores.
- Ensure **vSwitch** is configured with VLAN tags.
- **VMs**:
- **Avahi Servers**: 1GB RAM, 1 core.
- **mDNS Proxy**: 2GB RAM, 2 cores.
- **Storage**:
- Allocate 10-20GB per VM for OS, logs, and service files.
---
### **8. Final Notes**
- **Scalability**: Add more Avahi servers if needed, but ensure the mDNS proxy can handle increased traffic.
- **Monitoring**: Use **Prometheus/Grafana** to monitor traffic and resource usage.
- **Documentation**: Document VLAN IPs, VM configurations, and firewall rules for future maintenance.
---
### **9. Has Anything Been Missed?**
- **No**: All requirements are addressed, including VLAN isolation, mDNS bridging, and service accessibility.
- **Optional Enhancements**:
- Add **load balancing** for the mDNS proxy.
- Use **SNMP** to monitor switch traffic.
- Implement **failover** for critical services.
---
### **10. Conclusion**
This setup is **feasible** and **robust** for your requirements. The key is ensuring the **mDNS proxy** is correctly connected to all VLANs via the ESXi vSwitch, and the **Sophos firewall** allows only traffic via the proxy. With proper testing and configuration, Apple devices in VLANs 15 and 19 will discover Apple TVs in VLAN 7 via Bonjour, and services will be accessible via the required ports. 🚀

88
projects/gg/avahi_mdns-reflector/prep/20250718-overview.md Normal file
View File

@@ -0,0 +1,88 @@
Here's a **structured summary** of your network requirements and design, incorporating your latest updates and clarifications:
---
### **Network Overview**
#### **1. VLANs and Subnets**
| VLAN | Subnet | Gateway IP | Avahi Server IP | mDNS Proxy IP |
|------|--------------------------------|------------------|------------------|----------------|
| 15 | 172.16.19.0/255.255.252.0 | 172.16.19.254 | 172.16.19.250 | 172.16.19.251 |
| 19 | 192.168.151.0/255.255.252.0 | 192.168.151.254 | 192.168.151.250 | 192.168.151.251 |
| 7 | 172.16.111.0/255.255.248.0 | 172.16.111.254 | 172.16.111.250 | 172.16.111.251 |
**Note:** All VLANs are routed via the **Sophos XGS4300**, which acts as the **DHCP server** for all VLANs.
---
#### **2. Avahi Server Configuration**
- **Local Avahi Servers**:
- **VLAN 15**: Runs Avahi on `172.16.19.250` for local discovery.
- **VLAN 19**: Runs Avahi on `192.168.151.250` for local discovery.
- **VLAN 7**: Runs Avahi on `172.16.111.250` for local discovery.
- **Central Avahi Server** (mDNS Proxy):
- **IPs**: `172.16.19.251`, `192.168.151.251`, `172.16.111.251` (untagged interfaces for each VLAN).
- **Configuration**:
```ini
[reflector]
enable-reflector=yes
#reflect-ipv=no
#reflect-filters=_airplay._tcp.local,_raop._tcp.local
```
- **Purpose**: Acts as a **central mDNS reflector** to forward traffic between VLANs, enabling Apple devices in VLANs 15/19 to discover Apple TVs in VLAN 7.
---
#### **3. mDNS Proxy VM (Central Avahi Server)**
- **OS**: Debian.
- **Network Configuration**:
- Uses **`/etc/network/interfaces`** to assign static IPs for each VLAN (ending in `.251`).
- Interfaces are **untagged** (virtual) for each VLAN.
- **Function**:
- Forwards mDNS traffic between VLANs (e.g., `_airplay._tcp.local`, `_raop._tcp.local`).
- Ensures Apple devices in VLANs 15/19 can discover Apple TVs in VLAN 7 via Bonjour.
---
#### **4. ESXi and VLAN Management**
- **Hyper-Visor**: ESXi.
- **vSwitch Configuration**:
- Each VLAN is assigned a **virtual port group** with the corresponding subnet.
- VMs (Avahi servers, mDNS proxy, etc.) are assigned to the appropriate VLAN port group.
- **IP Assignment**:
- VMs use **static IPs** (`.250` for local Avahi servers, `.251` for central Avahi server).
---
#### **5. Switch Configuration**
- **Switches**: Managed Level 2 switches.
- **IGMP Snooping**:
- **Recommendation**: **Enable IGMP snooping** on all switches.
- **Rationale**:
- While mDNS (Bonjour) uses **UDP** and not IGMP, **other multicast services** (e.g., `546/udp` for DHCPv6, `80/443` for HTTP/HTTPS) may rely on IGMP.
- IGMP snooping prevents unnecessary multicast traffic flooding, improving network efficiency.
- **Note**: If only mDNS is used, IGMP snooping is **not strictly required**, but enabling it is **beneficial for future scalability**.
---
### **Key Considerations**
- **Resource Allocation for VMs**:
- **Avahi Servers (VLANs 15, 19, 7)**: Minimal resources (1 vCPU, 512MB RAM).
- **Central Avahi Server (mDNS Proxy)**: Slightly higher resources (2 vCPUs, 1GB RAM) due to traffic forwarding.
- **Firewall Rules**:
- Ensure **UDP ports 80, 443, 546/udp, 546/tcp** are open between VLANs 15/19 and VLAN 7.
- Allow **mDNS traffic (UDP 5353)** for Bonjour discovery.
- **Testing**:
- Use `avahi-browse` on Apple devices to verify Apple TV discovery.
- Test service ports (e.g., `curl http://<AppleTV-IP>:80`) to confirm connectivity.
---
### **Summary of Design**
- **VLAN Isolation**: Each VLAN operates independently with its own subnet and Avahi server.
- **Central mDNS Proxy**: Acts as a bridge for Bonjour discovery between VLANs, enabling cross-VLAN service discovery.
- **Network Efficiency**: IGMP snooping is enabled to optimize multicast traffic handling.
- **Scalability**: The design supports future additions (e.g., more Apple devices, services) without overhauling the architecture.
Let me know if youd like a **diagram** or **Debian interface configuration examples**! 🚀

101
projects/gg/avahi_mdns-reflector/prep/20250718-ruckus-sw-cfg.md Normal file
View File

@@ -0,0 +1,101 @@
### **Ruckus One Switch Configuration for Your Network Setup**
#### **1. IGMP Snooping Configuration**
Ruckus One switches support **active** and **passive** IGMP snooping. Here's what to use:
- **IGMP Snooping Mode**: **Active**
- **Why**: Active mode actively participates in IGMP snooping, ensuring multicast traffic is forwarded only to ports where devices are listening. This is critical if your network has **other multicast traffic** (e.g., video streaming, IP multicast services). While mDNS (Bonjour) uses UDP and not IGMP, enabling active IGMP snooping ensures **compatibility with other multicast services** and prevents unnecessary flooding.
- **Enable IGMP Snooping**:
- Navigate to **Ruckus One Dashboard > Switches > [Switch Name] > IGMP Snooping**.
- Set **Mode** to **Active**.
- Enable **IGMP Snooping** and **IGMP Snooping Fast Leave** (for faster group leave handling).
---
#### **2. Key Configuration Recommendations for Ruckus One Switches**
Heres how to configure your switches for **maximal efficiency** and **network quality**:
##### **A. VLAN Configuration**
- **VLAN Trunking**: Ensure **trunk ports** are used between switches and the core network (e.g., Sophos XGS4300) to carry all VLANs (15, 19, 7).
- **Access Ports**: Assign **access ports** to end-user devices (Apple TVs, macOS/iOS devices) with the correct VLAN tag.
- **VLAN Prioritization**:
- Use **QoS (CoS)** to prioritize critical traffic (e.g., Bonjour, HTTP, HTTPS).
- Example: Assign **CoS 5** to VLAN 7 (AppleTV) and **CoS 4** to VLANs 15/19 (Apple devices).
##### **B. QoS and Traffic Prioritization**
- **Priority Queuing**:
- Prioritize **UDP ports 80, 443, 546** (HTTP, HTTPS, DHCPv6) for Apple devices.
- Use **DSCP values** (e.g., DSCP 46 for EF class) to mark traffic for low-latency, high-reliability transmission.
- **Traffic Shaping**:
- Limit bandwidth for non-critical traffic (e.g., background updates) to ensure quality for AppleTV and student/teacher devices.
##### **C. Link Aggregation (LACP)**
- **Enable LACP** on uplinks between switches and the core (Sophos XGS4300) to:
- Improve redundancy.
- Balance traffic across multiple links.
- Avoid single points of failure.
##### **D. Spanning Tree Protocol (STP)**
- **Enable STP** (RSTP or MSTP) to prevent broadcast storms and loops.
- Set **root bridges** to avoid unnecessary STP convergence delays.
##### **E. Port Security**
- **Enable Port Security** on access ports to:
- Prevent MAC address spoofing.
- Limit the number of devices per port (e.g., 1 device per port for AppleTV).
- Use **MAC-based filtering** to restrict unauthorized devices.
##### **F. IGMP Snooping Enhancements**
- **IGMP Snooping Fast Leave**: Reduces delay when devices leave multicast groups.
- **IGMP Snooping Querier Timeout**: Adjust timeout values (e.g., 100 seconds) to balance responsiveness and resource usage.
##### **G. Monitoring and Analytics**
- **Enable Traffic Monitoring** to track:
- Bandwidth usage per VLAN.
- Multicast traffic patterns.
- QoS policy enforcement.
- Use **Ruckus One Analytics** to identify bottlenecks or misconfigurations.
---
#### **3. CSV File Configuration (Batch Setup)**
If you have a CSV list of all switches, use the **Ruckus One Dashboard** to apply configurations **across all switches**:
1. **Export Switch Configurations**:
- Navigate to **Ruckus One Dashboard > Switches > [Switch Name] > Export Configuration**.
- Save the configuration as a `.cfg` file.
2. **Batch Apply Configurations**:
- Use the **"Apply Configuration"** feature to push the same settings to multiple switches.
- For VLANs, QoS, and QoS policies, ensure all switches are configured identically.
3. **Automate with Ruckus One API** (Optional):
- Use the **Ruckus One API** (via REST or SDK) to programmaticall configure switches in bulk.
- Example: Apply IGMP snooping settings to all switches in a group.
---
#### **4. Additional Best Practices**
- **Firmware Updates**: Ensure all switches are running the **latest firmware** for security and performance improvements.
- **SNMP Monitoring**: Enable SNMP for real-time monitoring of switch metrics (e.g., CPU usage, port status).
- **Security Policies**:
- Disable **unnecessary protocols** (e.g., Telnet, FTP).
- Enable **SSH** and **HTTPS** for secure access.
- Use **802.1X authentication** for access ports to restrict unauthorized devices.
---
### **Summary Table: Ruckus One Switch Configuration Summary**
| Feature | Configuration | Rationale |
|--------------------------|----------------------------------------|-----------|
| IGMP Snooping | **Active** mode, enabled | For multicast services and compatibility |
| VLAN Trunking | Enabled on uplinks | For inter-switch communication |
| QoS (CoS/DSCP) | Prioritize VLAN 7 (AppleTV) | Ensures low-latency traffic |
| Link Aggregation (LACP) | Enabled on uplinks | Redundancy and bandwidth |
| Port Security | Enabled, MAC-based filtering | Prevents unauthorized access |
| STP (RSTP/MSTP) | Enabled, root bridge set | Prevents loops |
| Monitoring | SNMP, Ruckus One Analytics | Identifies performance issues |
By following these steps, your Ruckus One switches will be optimized for **multicast traffic handling**, **quality of service**, and **network security** in your hybrid AppleTV/education network. Let me know if you need help exporting CSV configurations or scripting API calls! 🚀