Petar Cubela
2025-09-07 13:07:01 +02:00
parent c83d178b77
commit 584265c22c
92 changed files with 3011 additions and 100 deletions


@@ -0,0 +1,133 @@
### **Comprehensive Project Plan**
**Objective**: Enable Avahi (mDNS) communication across VLANs using a Sophos XGS firewall and a Linux VM hosted on ESXi with VLAN trunking.
---
### **1. Project Overview**
- **Firewall**: Sophos XGS (enforces VLAN segmentation and allows 5353/UDP traffic).
- **Avahi Server**: Linux VM on ESXi, receiving VLAN traffic via a physical trunk port.
- **Goal**: Allow mDNS traffic (5353/UDP) between specified VLANs while maintaining VLAN isolation.
---
### **2. Key Requirements**
1. **Firewall Configuration**:
- Allow **UDP 5353** traffic between specified VLANs.
- Enforce VLAN segmentation (no inter-VLAN communication by default).
2. **Network Infrastructure**:
- **Physical Trunk Port**: Switch provides tagged VLAN traffic to the ESXi host.
- **ESXi Host**: Assigns VLAN tagging to the VMs virtual NIC.
- **Linux VM**: Single interface receives trunked VLAN traffic.
3. **Avahi Server**:
- Installed on Linux VM.
- Configured to act as an mDNS relay across VLANs.
---
### **3. Network Setup**
#### **A. Physical Layer**
1. **Switch Configuration**:
- Configure a **trunk port** on the physical switch to carry all required VLANs (e.g., VLAN 10, VLAN 20).
- Ensure the trunk port is connected to the ESXi host.
#### **B. ESXi Host Configuration**
1. **Port Group Setup**:
- Create a **port group** on the ESXi host for VLAN trunking.
- Assign the VLANs (e.g., VLAN 10, VLAN 20) to the port group.
2. **VM Network Adapter**:
- Assign the VM a **virtual NIC (vNIC)** connected to the VLAN trunk port group.
- Ensure the vNIC is configured to **accept VLAN tags** (no need for VLAN sub-interfaces).
#### **C. Linux VM Configuration**
1. **Interface Configuration**:
- Assign **multiple IP addresses** to the VMs interface (e.g., `eth0` or `vmbr0`) for each VLAN.
```bash
auto eth0
iface eth0 inet static
address 192.168.20.251
netmask 255.255.255.0
address 10.56.1.251
netmask 255.255.255.0
gateway 10.56.1.254
```
- Ensure IPs are in **different subnets** (e.g., VLAN 10: `10.56.1.0/24`, VLAN 20: `192.168.20.0/26`).
2. **Routing**:
- Configure default gateway for the primary VLAN (e.g., `10.56.1.254`).
- Ensure routing tables allow traffic between VLANs.
---
### **4. Sophos XGS Firewall Configuration**
1. **VLAN Segmentation**:
- Create VLANs on the Sophos XGS (e.g., VLAN 10, VLAN 20).
- Assign interfaces to respective VLANs.
2. **Traffic Rules**:
- Allow **UDP 5353** traffic between specified VLANs.
- Example rule:
```
Source VLAN: VLAN 10
Destination VLAN: VLAN 20
Protocol: UDP
Destination Port: 5353
```
- Ensure **no other traffic** is allowed between VLANs unless explicitly permitted.
---
### **5. Avahi Server Setup**
1. **Install Avahi**:
- Install Avahi on the Linux VM:
```bash
apt update && apt install avahi-daemon libnss-mdns
```
2. **Configure Avahi**:
- Ensure Avahi is set to **broadcast mDNS packets** across VLANs.
- Adjust `/etc/avahi/avahi-daemon.conf` to allow broadcasting (if needed).
3. **Firewall Rules (Optional)**:
- If the VMs host firewall blocks traffic, add rules to allow **UDP 5353** between VLANs:
```bash
iptables -A FORWARD -s 10.56.1.0/24 -d 192.168.20.0/24 -p udp --dport 5353 -m state --state NEW,ESTABLISHED -j ACCEPT
```
4. **Verify Operation**:
- Test mDNS discovery between devices on different VLANs (e.g., ping, `avahi-browse`).
---
### **6. Testing & Validation**
1. **Ping Test**:
- Confirm connectivity between devices on different VLANs via the Avahi VM.
2. **Firewall Rule Check**:
- Ensure Sophos XGS allows **UDP 5353** traffic between VLANs.
3. **Avahi Discovery**:
- Use `avahi-browse` to verify mDNS services are visible across VLANs.
4. **Traffic Monitoring**:
- Use tools like `tcpdump` or Wireshark to confirm VLAN tagging and traffic flow.
---
### **7. Documentation & Maintenance**
1. **Document VLAN Assignments**:
- Record VLAN IDs, IP ranges, and firewall rules for reference.
2. **Backup Configurations**:
- Save ESXi port group settings, Sophos XGS rules, and Avahi configurations.
3. **Regular Updates**:
- Keep the Linux VM and Avahi software updated to avoid vulnerabilities.
---
### **8. Known Considerations**
- **Trunking Limitations**: Ensure the physical switch and ESXi host support VLAN trunking.
- **Firewall Overlap**: Avoid conflicting rules in Sophos XGS that could block mDNS traffic.
- **Performance**: Monitor network bandwidth to ensure VLAN traffic does not saturate the link.
---
### **9. Success Criteria**
- **mDNS Communication**: Devices on different VLANs can discover and communicate via Avahi.
- **Firewall Compliance**: Only allowed traffic (UDP 5353) is permitted between VLANs.
- **Network Isolation**: VLAN segmentation is enforced, and only required traffic is allowed.
---
This plan ensures a secure, scalable, and functional mDNS relay solution across VLANs using Sophos XGS and an ESXi-hosted Avahi VM.
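Review bot: the Linux VM interface configuration in section 3.C contradicts the trunking described in 3.B, and the ifupdown block is not valid as written. If the port group passes tagged VLAN 10 and VLAN 20 frames through to the guest ("Ensure the vNIC is configured to **accept VLAN tags** (no need for VLAN sub-interfaces)"), a bare `eth0` with two untagged addresses never receives them, and ifupdown does not accept two `address`/`netmask` pairs inside one `iface eth0 inet static` stanza. Either define `eth0.10` and `eth0.20` sub-interfaces (one `iface` stanza each, carrying the 10.56.1.251 and 192.168.20.251 addresses respectively) and point Avahi at them, or use two port groups with a single VLAN ID each and two vNICs; in both cases replace the vague "Adjust `/etc/avahi/avahi-daemon.conf` to allow broadcasting (if needed)" with the concrete setting, `enable-reflector=yes` under `[reflector]`. Three smaller points: the VLAN 20 prefix is stated as `192.168.20.0/26`, but the netmask is `255.255.255.0` and the iptables rule uses `192.168.20.0/24`, so pick one; the iptables rule is placed in `FORWARD`, yet a reflector terminates mDNS locally, so the relevant chain is `INPUT` (a FORWARD rule only matters if the VM also routes between the VLANs, which the plan does not intend and which would bypass the firewall's segmentation); and because mDNS is link-local multicast to 224.0.0.251 that the Sophos XGS will not forward regardless, the UDP 5353 inter-VLAN rule in section 4 is not what makes discovery work and should either be justified (for example for unicast responses) or dropped so the inter-VLAN policy stays minimal.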