20250720 regular commit

This commit is contained in:
Petar Cubela
2025-07-20 22:29:13 +02:00
parent 252a91dbcc
commit b79839500c
22 changed files with 998 additions and 24 deletions

BIN
archive/.DS_Store vendored

Binary file not shown.

BIN
archive/radiochemie/.DS_Store vendored Normal file

Binary file not shown.


@@ -44,6 +44,8 @@ $i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\
- 14:30 - 15:00: [x] SSR: OPNsense Doku in IT-glue erweitern
- 15:00 - 15:15: Rauchen
- 15:15 - 15:30: TU: Pruefe, ob Sophos IPS bei web Anmeldungen kann. User Portal wird attakiert.
- 15:30 - 16:30: Maximilian Kugler: Proxmox auf Test Laptop installieren und qwerty vorstellen
- 16:30 - 17:00: APSA: nextcloud projekt wieder reinkommen.
HEUTE: Filewave APN neu
## Timestamps (Monday 20250714)
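Review bot: `HEUTE: Filewave APN neu` is appended to the bottom of the Tuesday timestamp list, directly before the `## Timestamps (Monday 20250714)` heading, and has no `- [ ]` checkbox, so it sits outside both the timestamps and the `#### TODAY` checklist the other diary files use; move it under TODAY as a checkbox item. If APN here means the FileWave APNs push certificate (an assumption based on the `KWA/SSR: APN renewal` item in the later files), give it a due date: once the push certificate expires MDM push to every enrolled Mac stops, and replacing it instead of renewing it forces re-enrollment of all devices.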

diary/2025-07-16.md Normal file

@@ -0,0 +1,115 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
### SSR offene Themen
- [ ] Domaenen umziehen
### TODO
- [ ] bgsm: anleitung um neue nutzerinnen zu erstellen
- [ ] powershell script to clean `C:\Temp` folder on Windows machines
- [ ] Nextcloud Updates
- [ ] Doku fuer OPNsense User Portal
- [ ] Ninja: Custom Field to monitor specific Services
- [ ] TU: CRC: Nextcloud mit Phil und Chat
- [ ] TU: Tobias will extra Mail Postfach fuer GLT. Pruefe Mail Server. LRZ managed.
- [ ] TU: Neuen Physikbau IFP. Switches beschriften - Schluessel fehlt.
- [x] TU: Finde Messschacht IP des Wechselrichters -> nicht im netzwerk.
- [ ] TU: Schreibe HJZ wegen der Cental Management Softwarek fuer die Aruba und MicroSense Switches -> lieber ueber Herrn Zach
- [ ] TU: Abbild der Netzwerkinfrastruktur
- [ ] TU: IT-Glue Doku erweitern
- [ ] KWA: Margit Bosch Outlook fragt immer wieder nach schluesselbund.
- [ ] KWA: kontakte in busycontacts bis mittwoch klaeren
- [ ] SSR: FW - Doku machen aller Aenderungen (IT-Glue)
- [ ] GG: Avahi: Erstelle Liste aller Apple TV's
- [ ] GG: Avahi: Pruefe Skalierung, und Belastung. Ab September in Production
#### TODAY
- [ ] TU: Mail Server Planning
- [ ] KWA/SSR: APN renewal
- [ ] APSA: Nextcloud
## Timestamps (Wednesday 20250715)
- 09:00 - 09:15: Recherche zu Vectorworks Fehler bei 2023
- 09:15 - 09:30: Rauchen
- 09:30 - 09:45: Telefonat mit SHZ Tulbeckstrasse
- 09:45 - 10:00: S2S Tunnel wieder aufbauen und logs untersuchen
- 10:15 - 10:30: Telefonat mit Marko zu dem Problem und untersuche mit Michael die Logs
- 10:30 - 10:45: Telefonat mit Marko. zu Avahi bei GG. Funktioniert. Pruefe unter Last arbeit
- 10:45 - 11:00: Gespraech mit Oli zu Avahi. SEptember in Production. Pruefe Skalierung.
- 11:00 - 11:15: Diskutiere mit qwerty Skalierung des Avahi Servers
- 11:15 - 12:00: Troubleshooting mit Marko. Firewall Regeln nicht klar, welche Ports genutzt werden.
- 12:00 - 12:15: Gespraech mit Volker zu KWA VW Problem
- 12:15 - 12:45: mDNS/Bonjour nachdenken.
- 12:45 - 13:30: Pause
- 13:30 - 13:45: Proxmox Clustering Projekt mit Maxi besprechen
- 13:45 - 14:00: Pause
- 14:00 - 14:30: SHZ: Checke Firewall
- 14:30 - 15:30: Mit Marko. GG. Epson Beamer ueber VLANs verbinden
- 15:30 - 15:45: Cloud Monitor setzen fuer SHZ
- 15:45 - 16:30: TU: Mail Server Projekt
- 16:30 - 17:00: Kontakt mit KWA (Falk Benz); VW24 installieren. VW23 testen. Geht jetzt ploetzlich.
## Timestamps (Tueday 20250715)
- 08:00 - 08:30: Lesen; Kollegen belauschen;
- 08:30 - 09:30: Ticketpflege
- 09:30 - 09:45: Rauchen
- 09:45 - 10:00: VPN Config fuer OPNsense und OpenVPN schreiben
- 10:00 - 10:30: KWA: OPNsense. Alias fuer Syn Web Ports. Ordner fuer MW ins Archiv verschieben
- 10:30 - 10:45: IT-Glue Dokumente sortieren. OPNsense, Sophos und Projekt Notizen Ordnen
- 10:45 - 11:15: [x] Kerio Connect Lizenz (Lisa.Zenz) verlaengern. Mit Unterstuetzung von Sebastian Wichtler
- 11:15 - 11:45: NeoSphere Netzwerk Problem anschauen (NetAdmin Queue)
- 11:45 - 12:00: [x] SSR: OPNsense Doku abschliessen und bloed Ticket schliessen
- 12:00 - 13:00: Pause
- 13:00 - 13:15: Lizenz Datei auf Falk Benz Rechner loeschen. Pruefe Portfreigaben zum Vectorworks Server -> Port offen
- 13:15 - 13:30: [x] SSR: OPNsense Doku erweitern
- 13:30 - 14:30: KWA: VW23 findet den Server nicht. Troubleshooting und Recherche(https://app-help.vectorworks.net/2023/eng/VW2023_Guide/SiteProtection/Vectorworks_site_protection_server_overview.htm, https://forum.vectorworks.net/index.php?/topic/122985-vectorworks-cannot-find-license-server/)
- 14:30 - 15:00: [x] SSR: OPNsense Doku in IT-glue erweitern
- 15:00 - 15:15: Rauchen
- 15:15 - 15:30: TU: Pruefe, ob Sophos IPS bei web Anmeldungen kann. User Portal wird attakiert.
- 15:30 - 16:30: Maximilian Kugler: Proxmox auf Test Laptop installieren und qwerty vorstellen
- 16:30 - 17:00: APSA: nextcloud projekt wieder reinkommen.
## Timestamps (Monday 20250714)
- 16:00 - 18:30: Falk Rechner einrichten. manuell weil filewave nicht geht
## Timestamps (Friday 20250711)
- 14:30 - 15:00: pruefe kwa rechner. setze susanne.knopp user. helfe patryk sein laptop neu zu installieren
- 15:00 - 15:30: TU Nextcloud Zeug (in wirklichkeit rauchen)
- 16:00 - 16:30: bgsm pruefe firewall und alle 4 NAS, die im Betrieb sind
## todo
### General
- [ ] handout fuer jeweils sophos und opnsense als vergleich
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] backup on external drive for pve.lab.softbox.net
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] sbx - opsreportcard summary for action plan
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
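Review bot: the date headers are inconsistent: `## Timestamps (Wednesday 20250715)` and `## Timestamps (Tueday 20250715)` both carry the 15th, yet this file is 2025-07-16.md and the Wednesday block (09:00 to 17:00) is the 16th; `Tueday` should also read `Tuesday`. The rest of the file is a verbatim copy of the previous day's diary, so carried-forward items never age out: `verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01` has been open for six months and should be closed or re-dated. The one item I would expand is `TU: Pruefe, ob Sophos IPS bei web Anmeldungen kann. User Portal wird attakiert.`: a 15-minute slot with no recorded finding. Note whether the Sophos user portal is reachable from the WAN, what the IPS and login-lockout settings were found to be, and which ticket tracks it, so the follow-up does not depend on memory.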

diary/2025-07-17.md Normal file

@@ -0,0 +1,133 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
### SSR offene Themen
- [ ] Domaenen umziehen
### TODO
- [ ] bgsm: anleitung um neue nutzerinnen zu erstellen
- [ ] powershell script to clean `C:\Temp` folder on Windows machines
- [ ] Nextcloud Updates
- [ ] Doku fuer OPNsense User Portal
- [ ] Ninja: Custom Field to monitor specific Services
- [ ] TU: CRC: Nextcloud mit Phil und Chat
- [ ] TU: Tobias will extra Mail Postfach fuer GLT. Pruefe Mail Server. LRZ managed.
- [ ] TU: Neuen Physikbau IFP. Switches beschriften - Schluessel fehlt.
- [x] TU: Finde Messschacht IP des Wechselrichters -> nicht im netzwerk.
- [ ] TU: Schreibe HJZ wegen der Cental Management Softwarek fuer die Aruba und MicroSense Switches -> lieber ueber Herrn Zach
- [ ] TU: Abbild der Netzwerkinfrastruktur
- [ ] KWA: Margit Bosch Outlook fragt immer wieder nach schluesselbund.
- [ ] KWA: kontakte in busycontacts bis mittwoch klaeren
- [ ] SSR: FW - Doku machen aller Aenderungen (IT-Glue)
- [ ] KWA/SSR: Installationsdateien in IT-Glue hinterlegen
- [ ] GG: Avahi: Erstelle Liste aller Apple TV's
- [ ] GG: Avahi: Pruefe Skalierung, und Belastung. Ab September in Production
#### TODAY
- [ ] TU: Mail Server Planning
- [ ] KWA/SSR: APN renewal
- [ ] APSA: Nextcloud
## Timestamps (Thursday 20250717)
- 08:30 - 08:45: SHZ: Bessler. VPN und Cert
- 08:45 - 09:00: Kommunikation mit Kollegen. Michael Krank. Suche sein Ticket raus.
- 09:00 - 09:05: Versuche Ute Koeller zu erreichen
- 09:05 - 09:20: Telefonat Frau Koeller. OpenVPN installiert.
- 09:20 - 09:30: Fuchsgruber Telefonat
- 09:30 - 09:35: Telefonat Jan. Trudering weitergeben
- 09:35 - 10:45: Gespraech/Meeting mit Tobias Moser.
- 10:45 - 11:45: Versuchen IP Adresse von dem Wago herauszufinden
- 11:45 - 12:00: Mail an Tobias; IP gefunden. In IPAM hinterlegen.
- 12:00 - 13:00: Pause
- 13:00 - 13:45: telefonat mit Max Brosche. Wir sollten eine Liste haben mit allen IPs. Umbau Dezember 24 passier (neue Netze. V82_ohne_MXI64). Hinterlegen es in IPAM. IMC untersuchen -> zeigt Fehlermeldungen
- 13:45 - 14:15: Untersuche IPAM, IMC, Macmon. deb.glt.lan reparieren. nginx nutzt nur ipv6.
- 14:15 - 14:45: Sebastian rcm
- 14:45 - 15:45: Erstelle mir ein Nextcloud Acc. Suche nach WAGO/loytec Dokumenten. Allgemeine dokumente Struktur in IT-Glue anlegen. TUM branding fuer nextcloud config
- 15:45 - 16:45: Analysiere Funktion von gw.glt.tum.de und remote.glt.tum.de; Erstelle neue VM fuer alterts mail server. IPAM pflegen (remote Maschine und neuer Mail Server)
## Timestamps (Wednesday 20250716)
- 09:00 - 09:15: Recherche zu Vectorworks Fehler bei 2023
- 09:15 - 09:30: Rauchen
- 09:30 - 09:45: Telefonat mit SHZ Tulbeckstrasse
- 09:45 - 10:00: S2S Tunnel wieder aufbauen und logs untersuchen
- 10:15 - 10:30: Telefonat mit Marko zu dem Problem und untersuche mit Michael die Logs
- 10:30 - 10:45: Telefonat mit Marko. zu Avahi bei GG. Funktioniert. Pruefe unter Last arbeit
- 10:45 - 11:00: Gespraech mit Oli zu Avahi. SEptember in Production. Pruefe Skalierung.
- 11:00 - 11:15: Diskutiere mit qwerty Skalierung des Avahi Servers
- 11:15 - 12:00: Troubleshooting mit Marko. Firewall Regeln nicht klar, welche Ports genutzt werden.
- 12:00 - 12:15: Gespraech mit Volker zu KWA VW Problem
- 12:15 - 12:45: mDNS/Bonjour nachdenken.
- 12:45 - 13:30: Pause
- 13:30 - 13:45: Proxmox Clustering Projekt mit Maxi besprechen
- 13:45 - 14:00: Pause
- 14:00 - 14:30: SHZ: Checke Firewall
- 14:30 - 15:30: Mit Marko. GG. Epson Beamer ueber VLANs verbinden
- 15:30 - 15:45: Cloud Monitor setzen fuer SHZ
- 15:45 - 16:30: TU: Mail Server Projekt
- 16:30 - 17:00: Kontakt mit KWA (Falk Benz); VW24 installieren. VW23 testen. Geht jetzt ploetzlich.
## Timestamps (Tueday 20250715)
- 08:00 - 08:30: Lesen; Kollegen belauschen;
- 08:30 - 09:30: Ticketpflege
- 09:30 - 09:45: Rauchen
- 09:45 - 10:00: VPN Config fuer OPNsense und OpenVPN schreiben
- 10:00 - 10:30: KWA: OPNsense. Alias fuer Syn Web Ports. Ordner fuer MW ins Archiv verschieben
- 10:30 - 10:45: IT-Glue Dokumente sortieren. OPNsense, Sophos und Projekt Notizen Ordnen
- 10:45 - 11:15: [x] Kerio Connect Lizenz (Lisa.Zenz) verlaengern. Mit Unterstuetzung von Sebastian Wichtler
- 11:15 - 11:45: NeoSphere Netzwerk Problem anschauen (NetAdmin Queue)
- 11:45 - 12:00: [x] SSR: OPNsense Doku abschliessen und bloed Ticket schliessen
- 12:00 - 13:00: Pause
- 13:00 - 13:15: Lizenz Datei auf Falk Benz Rechner loeschen. Pruefe Portfreigaben zum Vectorworks Server -> Port offen
- 13:15 - 13:30: [x] SSR: OPNsense Doku erweitern
- 13:30 - 14:30: KWA: VW23 findet den Server nicht. Troubleshooting und Recherche(https://app-help.vectorworks.net/2023/eng/VW2023_Guide/SiteProtection/Vectorworks_site_protection_server_overview.htm, https://forum.vectorworks.net/index.php?/topic/122985-vectorworks-cannot-find-license-server/)
- 14:30 - 15:00: [x] SSR: OPNsense Doku in IT-glue erweitern
- 15:00 - 15:15: Rauchen
- 15:15 - 15:30: TU: Pruefe, ob Sophos IPS bei web Anmeldungen kann. User Portal wird attakiert.
- 15:30 - 16:30: Maximilian Kugler: Proxmox auf Test Laptop installieren und qwerty vorstellen
- 16:30 - 17:00: APSA: nextcloud projekt wieder reinkommen.
## Timestamps (Monday 20250714)
- 16:00 - 18:30: Falk Rechner einrichten. manuell weil filewave nicht geht
## Timestamps (Friday 20250711)
- 14:30 - 15:00: pruefe kwa rechner. setze susanne.knopp user. helfe patryk sein laptop neu zu installieren
- 15:00 - 15:30: TU Nextcloud Zeug (in wirklichkeit rauchen)
- 16:00 - 16:30: bgsm pruefe firewall und alle 4 NAS, die im Betrieb sind
## todo
### General
- [ ] handout fuer jeweils sophos und opnsense als vergleich
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] backup on external drive for pve.lab.softbox.net
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] sbx - opsreportcard summary for action plan
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
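Review bot: this diary commits internal naming and topology of the TU GLT network (`deb.glt.lan`, `gw.glt.tum.de`, `remote.glt.tum.de`, the `V82_ohne_MXI64` network rename, the observation that nginx listens on IPv6 only, plus IPAM/IMC/macmon details) next to customer contact names. If this repository is ever shared or mirrored outside the team, that is a ready-made reconnaissance map sitting in git history; the same entry names IT-Glue as the documentation system, so keep the specifics there and leave the diary at the level of "IPAM updated". Smaller points: `## Timestamps (Tueday 20250715)` is still misspelled, and the Wednesday and Tuesday blocks are repeated unchanged from 2025-07-16.md.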

diary/2025-07-18.md Normal file

@@ -0,0 +1,148 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
### SSR offene Themen
- [ ] Domaenen umziehen
### TODO
- [ ] bgsm: anleitung um neue nutzerinnen zu erstellen
- [ ] sbx: powershell script to clean `C:\Temp` folder on Windows machines
- [ ] sbx: Nextcloud Updates
- [ ] sbx: Doku fuer OPNsense User Portal
- [ ] sbx: Ninja: Custom Field to monitor specific Services
- [ ] TU: CRC: Nextcloud mit Phil und Chat
- [ ] TU: Tobias will extra Mail Postfach fuer GLT. Pruefe Mail Server. LRZ managed.
- [ ] TU: Neuen Physikbau IFP. Switches beschriften - Schluessel fehlt.
- [x] TU: Finde Messschacht IP des Wechselrichters -> nicht im netzwerk.
- [ ] TU: Schreibe HJZ wegen der Cental Management Softwarek fuer die Aruba und MicroSense Switches -> lieber ueber Herrn Zach
- [ ] TU: Abbild der Netzwerkinfrastruktur
- [ ] KWA: Margit Bosch Outlook fragt immer wieder nach schluesselbund.
- [ ] KWA: kontakte in busycontacts bis mittwoch klaeren
- [ ] KWA/SSR: Installationsdateien in IT-Glue hinterlegen
- [ ] GG: Avahi: Erstelle Liste aller Apple TV's
- [ ] GG: Avahi: Pruefe Skalierung, und Belastung. Ab September in Production
- [ ] GG: Broadcast: Beamer. Was fuer ein. Protokoll?
- [ ] NeoSphere: identity management server
#### TODAY
- [x] TU: Mail Server Planning
- [ ] KWA/SSR: APN renewal
- [ ] APSA: Nextcloud
## Timestamps (Friday 20250718)
- 07:45 - 08:30: MacBook Susanna: Apps Installieren.
- 08:30 - 09:00: Anfahrt KWA
- 09:00 - 09:30: Susanna Knopp Mac fertig einrichten. Telefonat mit Ottenschlaeger von SHZ.
- 09:30 - 10:00: Meeting mit Sebastian Petar und Nina Schiffel. Beratung Ext Festplatte MacMini (PP). Telefonanlage ist ein Problem.
- 10:00 - 10:30: SSR: Lucas finden. Kerio Calendar Sync mit Toril klaeren. Haken in Kerio Control nicht gesetzt.
- 10:30 - 11:00: Gespraech mit Sebastian zu Netzwerkanforderungen Projekt Pro. Telefonat mit SHZ Chervinski
- 11:00 - 12:00: Anfahrt Sbx Buero
- 12:00 - 13:00: Pause
- 13:00 - 13:15: DAV: Migrate Linux VM from Azure. How To?
- 13:15 - 13:30: Telefonat mit SHZ
- 13:30 - 13:45: Telefonat mit Marko zu GG -> Montag Termin
- 13:45 - 14:00: [x] Martin Beta: SNAT Regel setzn in OPNsense
- 14:00 - 14:15: RCM: Sebastian Wichtler. VPN otp fuer Regineering testen.
- 14:15 - 14:30: Ruckus 10 Gbit/s Switch und OPNsense Cluster platzieren. Aktuelle SG210 Firewall Cluster pruefen
- 14:30 - 14:45: Rauchen
- 14:45 - 15:15: Ticketpflege
- 15:15 - 17:45: Beta: Martin. Telefonat. Gast WLAN geht nicht
## Timestamps (Thursday 20250717)
- 08:30 - 08:45: SHZ: Bessler. VPN und Cert
- 08:45 - 09:00: Kommunikation mit Kollegen. Michael Krank. Suche sein Ticket raus.
- 09:00 - 09:05: Versuche Ute Koeller zu erreichen
- 09:05 - 09:20: Telefonat Frau Koeller. OpenVPN installiert.
- 09:20 - 09:30: Fuchsgruber Telefonat
- 09:30 - 09:35: Telefonat Jan. Trudering weitergeben
- 09:35 - 10:45: Gespraech/Meeting mit Tobias Moser.
- 10:45 - 11:45: Versuchen IP Adresse von dem Wago herauszufinden
- 11:45 - 12:00: Mail an Tobias; IP gefunden. In IPAM hinterlegen.
- 12:00 - 13:00: Pause
- 13:00 - 13:45: telefonat mit Max Brosche. Wir sollten eine Liste haben mit allen IPs. Umbau Dezember 24 passier (neue Netze. V82_ohne_MXI64). Hinterlegen es in IPAM. IMC untersuchen -> zeigt Fehlermeldungen
- 13:45 - 14:15: Untersuche IPAM, IMC, Macmon. deb.glt.lan reparieren. nginx nutzt nur ipv6.
- 14:15 - 14:45: Sebastian rcm
- 14:45 - 15:45: Erstelle mir ein Nextcloud Acc. Suche nach WAGO/loytec Dokumenten. Allgemeine dokumente Struktur in IT-Glue anlegen. TUM branding fuer nextcloud config
- 15:45 - 16:45: Analysiere Funktion von gw.glt.tum.de und remote.glt.tum.de; Erstelle neue VM fuer alterts mail server. IPAM pflegen (remote Maschine und neuer Mail Server)
## Timestamps (Wednesday 20250716)
- 09:00 - 09:15: Recherche zu Vectorworks Fehler bei 2023
- 09:15 - 09:30: Rauchen
- 09:30 - 09:45: Telefonat mit SHZ Tulbeckstrasse
- 09:45 - 10:00: S2S Tunnel wieder aufbauen und logs untersuchen
- 10:15 - 10:30: Telefonat mit Marko zu dem Problem und untersuche mit Michael die Logs
- 10:30 - 10:45: Telefonat mit Marko. zu Avahi bei GG. Funktioniert. Pruefe unter Last arbeit
- 10:45 - 11:00: Gespraech mit Oli zu Avahi. SEptember in Production. Pruefe Skalierung.
- 11:00 - 11:15: Diskutiere mit qwerty Skalierung des Avahi Servers
- 11:15 - 12:00: Troubleshooting mit Marko. Firewall Regeln nicht klar, welche Ports genutzt werden.
- 12:00 - 12:15: Gespraech mit Volker zu KWA VW Problem
- 12:15 - 12:45: mDNS/Bonjour nachdenken.
- 12:45 - 13:30: Pause
- 13:30 - 13:45: Proxmox Clustering Projekt mit Maxi besprechen
- 13:45 - 14:00: Pause
- 14:00 - 14:30: SHZ: Checke Firewall
- 14:30 - 15:30: Mit Marko. GG. Epson Beamer ueber VLANs verbinden
- 15:30 - 15:45: Cloud Monitor setzen fuer SHZ
- 15:45 - 16:30: TU: Mail Server Projekt
- 16:30 - 17:00: Kontakt mit KWA (Falk Benz); VW24 installieren. VW23 testen. Geht jetzt ploetzlich.
## Timestamps (Tueday 20250715)
- 08:00 - 08:30: Lesen; Kollegen belauschen;
- 08:30 - 09:30: Ticketpflege
- 09:30 - 09:45: Rauchen
- 09:45 - 10:00: VPN Config fuer OPNsense und OpenVPN schreiben
- 10:00 - 10:30: KWA: OPNsense. Alias fuer Syn Web Ports. Ordner fuer MW ins Archiv verschieben
- 10:30 - 10:45: IT-Glue Dokumente sortieren. OPNsense, Sophos und Projekt Notizen Ordnen
- 10:45 - 11:15: [x] Kerio Connect Lizenz (Lisa.Zenz) verlaengern. Mit Unterstuetzung von Sebastian Wichtler
- 11:15 - 11:45: NeoSphere Netzwerk Problem anschauen (NetAdmin Queue)
- 11:45 - 12:00: [x] SSR: OPNsense Doku abschliessen und bloed Ticket schliessen
- 12:00 - 13:00: Pause
- 13:00 - 13:15: Lizenz Datei auf Falk Benz Rechner loeschen. Pruefe Portfreigaben zum Vectorworks Server -> Port offen
- 13:15 - 13:30: [x] SSR: OPNsense Doku erweitern
- 13:30 - 14:30: KWA: VW23 findet den Server nicht. Troubleshooting und Recherche(https://app-help.vectorworks.net/2023/eng/VW2023_Guide/SiteProtection/Vectorworks_site_protection_server_overview.htm, https://forum.vectorworks.net/index.php?/topic/122985-vectorworks-cannot-find-license-server/)
- 14:30 - 15:00: [x] SSR: OPNsense Doku in IT-glue erweitern
- 15:00 - 15:15: Rauchen
- 15:15 - 15:30: TU: Pruefe, ob Sophos IPS bei web Anmeldungen kann. User Portal wird attakiert.
- 15:30 - 16:30: Maximilian Kugler: Proxmox auf Test Laptop installieren und qwerty vorstellen
- 16:30 - 17:00: APSA: nextcloud projekt wieder reinkommen.
## Timestamps (Monday 20250714)
- 16:00 - 18:30: Falk Rechner einrichten. manuell weil filewave nicht geht
## todo
### General
- [ ] handout fuer jeweils sophos und opnsense als vergleich
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] backup on external drive for pve.lab.softbox.net
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] sbx - opsreportcard summary for action plan
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
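Review bot: two items disappear compared with 2025-07-17.md without being closed: `SSR: FW - Doku machen aller Aenderungen (IT-Glue)` and the whole `## Timestamps (Friday 20250711)` block. If the first was done, mark it `[x]` in the previous file rather than deleting it, because the same day records `[x] Martin Beta: SNAT Regel setzn in OPNsense` with no rule details (interface, source, translation target, ticket), which is exactly the kind of change that documentation item exists for; `setzn` should read `setzen`. The 2.5-hour `Beta: Martin. Telefonat. Gast WLAN geht nicht` entry likewise ends without a cause or outcome.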

diary/2025-07-20.md Normal file (empty, 0 lines)

BIN
projects/.DS_Store vendored

Binary file not shown.


@@ -0,0 +1,3 @@
## General


@@ -0,0 +1,9 @@
- Azure Migrate Appliance Configuration Manager
- from hyper-v to azure.
- it scans the network, finds the vms, connects to them and uses all required information to migrate it
- Runs from a Windows Server via Software
- <https://learn.microsoft.com/en-us/azure/migrate/how-to-set-up-appliance-physical?view=migrate-classic>
- Spaetestens Dienstag (23.07)
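Review bot: the migration direction is contradictory: this note says `from hyper-v to azure`, but the diary entry it belongs to reads `DAV: Migrate Linux VM from Azure. How To?`, i.e. out of Azure, and Azure Migrate only moves workloads into Azure; settle which is meant before the deadline. The linked page (`how-to-set-up-appliance-physical`) describes the appliance for physical servers, not the Hyper-V one. `Spaetestens Dienstag (23.07)` also does not add up: with Friday = 20250718 in the diary, 22.07 is the Tuesday and 23.07 is a Wednesday. Finally, the appliance discovers and inspects the VMs with server credentials that it stores on that Windows Server; record where that server sits and who can log on to it, since those credentials are worth as much as the VMs themselves.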


@@ -0,0 +1,117 @@
To scale your **Avahi server** (used for zeroconf/Bonjour services) in a large environment with **many Apple devices** (e.g., Apple TVs, iPhones, Macs) across **VLANs**, you need to address both **network architecture** and **Avahi configuration**. Below is a structured plan to ensure scalability and performance:
---
### 🧠 **Key Considerations for Scaling Avahi**
#### 1. **Network Segmentation and VLAN Isolation**
- **Separate Avahi Services per VLAN**:
Run **dedicated Avahi servers** for each VLAN (e.g., one for "Students" and one for "Teachers"). This isolates traffic and prevents cross-VLAN multicast flooding.
- Example:
- **VLAN 10 (Students)**: Avahi server handles only student devices.
- **VLAN 20 (Teachers)**: Avahi server handles only teacher devices.
- **VLAN 30 (Apple TV VLAN)**: Dedicated Avahi server for Apple TVs.
- This reduces the load on any single Avahi instance and prevents unnecessary multicast traffic across VLANs.
- **Use VLAN-Specific DNS-SD (mDNS)**:
Ensure Apple TVs and devices are configured to use **mDNS within their VLAN**. This avoids cross-VLAN service discovery and reduces broadcast traffic.
---
#### 2. **Avahi Server Optimization**
- **Limit Service Scope**:
Use **`avahi-daemon`** configuration to restrict service broadcasting to specific VLANs. For example:
```ini
[server]
; Only allow services on VLAN 10 (e.g., 10.56.2.0/24)
; This is done via network segmentation, not Avahi itself.
```
- **Reduce Redundant Advertisements**:
- **Limit Apple TV service types**:
Apple TVs often advertise multiple services (e.g., HTTP, DLNA, Bonjour). Use **`avahi-publish`** or `dns-sd` to restrict only necessary services (e.g., only the "Apple TV" service).
- **Use static service records**:
For critical services (e.g., Apple TV streaming), predefine static DNS-SD records instead of relying on dynamic discovery. This reduces the number of advertisements.
- **Enable Caching and Query Limiting**:
- Use **`avahi-browse`** to cache service records and reduce redundant queries.
- Limit the number of concurrent queries using `avahi-daemon` configuration (`--max-queries` or `--max-queries-per-sec`).
---
#### 3. **Hardware and OS Considerations**
- **High-Performance Server**:
Run Avahi on a dedicated server with:
- **SSD storage** for faster log writes.
- **Sufficient RAM** (e.g., 8GB+ for 50+ devices).
- **Multi-core CPU** to handle multicast traffic and service resolution.
- **Use Lightweight OS**:
Avoid heavy OS features (e.g., GUI, unnecessary services) to free up resources. Consider **Debian/Ubuntu minimal** or **Alpine Linux** for Avahi.
---
#### 4. **Network Infrastructure**
- **Enable IGMP Snooping**:
Configure switches to **filter multicast traffic** (e.g., `IGMP Snooping` or `MLD Snooping` for IPv6) to prevent unnecessary flooding.
- **Use QoS for mDNS Traffic**:
Prioritize mDNS UDP packets (port 5353) to ensure low latency for service discovery.
- **Segment Traffic with VLANs**:
Ensure Apple TVs and devices are on their own VLAN to avoid cross-VLAN multicast storms.
---
#### 5. **Monitoring and Failover**
- **Monitor Avahi Logs**:
Use `journalctl` or `avahi-browse` to track service advertisements and detect bottlenecks.
- **Set Up Redundant Avahi Servers**:
Run **two Avahi servers** per VLAN with **split-brain configuration** (e.g., using `avahi-daemon` with `--enable-dbus` and `--enable-dbus-interfaces`). This ensures failover if one server fails.
- **Use External DNS for Large-Scale mDNS**:
For very large environments, consider **external DNS servers** (e.g., `dnsmasq`, `mDNSResponder`) to handle mDNS queries, reducing load on Avahi.
---
#### 6. **Apple-Specific Optimizations**
- **Limit Apple TV Advertisements**:
Apple TVs often broadcast multiple services (e.g., HTTP, DLNA, Bonjour). Use **`avahi-publish`** to restrict only the "Apple TV" service.
- **Use Static IP for Apple TVs**:
Assign static IPs to Apple TVs to avoid dynamic IP conflicts and reduce mDNS advertisement overhead.
- **Enable Bonjour Proxy**:
If Apple devices are on different subnets, use a **Bonjour proxy** (e.g., `dnsmasq` with `--enable-dns-forwarding`) to route mDNS queries efficiently.
---
### 📌 **Example Configuration for Avahi (Debian/Ubuntu)**
```bash
# /etc/avahi/avahi-daemon.conf
[server]
; Enable DNS-SD
enable-dns = yes
; Limit query rate
max-queries = 1000
max-queries-per-sec = 100
; Use static IP for Apple TVs (if needed)
; (Configure via DHCP or static IP assignment)
```
---
### 🧪 **Testing and Validation**
1. **Simulate Load**:
Use tools like `avahi-browse` or `dns-sd` to test service discovery under load.
2. **Monitor Network Traffic**:
Use `tcpdump` or Wireshark to check for multicast traffic and ensure its confined to the VLAN.
3. **Stress Test**:
Simulate 50+ Apple TVs and devices broadcasting services to verify Avahi performance.
---
### ✅ **Summary**
- **Isolate VLANs** to prevent cross-traffic.
- **Run dedicated Avahi servers** per VLAN.
- **Optimize service advertisements** and enable caching.
- **Use hardware and OS resources efficiently**.
- **Monitor and scale** based on real-world usage.
By following these steps, your Avahi server will scale effectively to handle 4050 Apple TVs and many other devices without performance degradation.
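Review bot: the avahi-daemon.conf example under "Example Configuration" will not start the daemon: `enable-dns`, `max-queries` and `max-queries-per-sec` are not avahi-daemon.conf keys, and avahi-daemon exits on an unknown key instead of ignoring it; likewise `--enable-dbus-interfaces` in the "Set Up Redundant Avahi Servers" bullet is not a command-line option, and Avahi has no split-brain or failover mode. The limits that do exist in the `[server]` section are `ratelimit-interval-usec` and `ratelimit-burst` for response rate limiting, plus `cache-entries-max` (default 4096), `clients-max` and `objects-per-client-max`. More fundamentally, the plan recommends an isolated Avahi instance per VLAN, which is the opposite of the goal in the VLAN bridging plan (devices in VLAN 15/19 discovering Apple TVs in VLAN 7); the Avahi feature for that is `[reflector] enable-reflector=yes` on a host with an interface in each VLAN, with `reflect-filters` restricting which service types cross so that only the AirPlay/RAOP types are exposed between VLANs instead of everything. Other unsupported items: `dnsmasq` has no `--enable-dns-forwarding` option and does not proxy mDNS; mDNSResponder is Apple's own Bonjour responder daemon, not an external DNS server; `avahi-browse` is a query tool, not a cache; and SSD plus 8 GB RAM for 50 devices is not a requirement for a small single-process daemon. `4050 Apple TVs` in the summary lost its range separator (40-50).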


@@ -0,0 +1,52 @@
You're absolutely correct. **Xsan** (Apple's high-performance file system) uses a **dynamic port range** (4915265535) for **data transfer** between clients and servers. These ports are essential for **high-throughput file access** in environments like video production, where Apple TVs or other devices may interact with Xsan servers. Below is the updated list of **critical ports** for Apple services, including **Xsan**:
---
### 🚫 **Critical Ports to Open (Updated)**
| Port Range | Protocol | Purpose | Required |
|------------------|----------|----------------------------------------------|----------|
| **5353** | UDP | **mDNS/Bonjour** (service discovery) | ✅ Yes |
| **80** | TCP | **HTTP** (web services, streaming) | ✅ Yes |
| **443** | TCP | **HTTPS** (secure web services) | ✅ Yes |
| **554** | TCP/UDP | **RTSP** (media streaming) | ✅ Yes |
| **9876** | TCP | **Apple TV Remote Access** | ✅ Yes |
| **9877** | TCP | **Apple TV Media Streaming** | ✅ Yes |
| **4915265535** | TCP | **Xsan Filesystem Access** (dynamic range) | ✅ Yes |
---
### 📌 **Key Notes**
1. **Xsan (4915265535)**
- **Purpose**: Used for **high-performance file transfers** between Xsan clients (e.g., Apple TVs, editing stations) and Xsan servers.
- **Why It Matters**: Xsan is designed for **low-latency, high-throughput** environments. The dynamic port range ensures scalability and avoids port exhaustion.
- **Security**: While these ports are required for Xsan, they are **dynamic** and should be **restricted to trusted VLANs** (e.g., Apple TV VLAN ↔ Xsan server VLAN).
2. **Firewall Rules**
- **Direction**: Allow **bidirectional traffic** between VLANs.
- **Stateful Inspection**: Use stateful rules (e.g., in OPNsense) to automatically handle both directions.
- **VLAN Isolation**: Ensure traffic is only allowed between **Apple TV VLAN** and **Xsan server VLAN** (or Teacher/Student VLANs, if applicable).
3. **Testing and Validation**
- **Simulate Load**: Use tools like `tcpdump` or `Wireshark` to capture traffic and confirm the port range is being used.
- **Monitor Traffic**: Ensure no unintended exposure by restricting access to only the necessary VLANs.
---
### 🧠 **Example OPNsense Rule (Xsan Server ↔ Apple TV VLAN)**
1. **Interface**: Create VLAN interfaces (e.g., `VLAN10` for Apple TV, `VLAN20` for Xsan server).
2. **Rule**:
- **Action**: Allow
- **Source**: `VLAN10` (Apple TV VLAN)
- **Destination**: `VLAN20` (Xsan server VLAN)
- **Protocol**: TCP (4915265535)
- **State**: Enable (for bidirectional traffic).
---
### ✅ **Summary**
- **Xsan** requires the **dynamic port range 4915265535 (TCP)** for efficient file access.
- Ensure these ports are **allowed between relevant VLANs** and **restricted to trusted devices**.
- Always **verify if Xsan is required** in your environment to avoid unnecessary exposure.
By including these ports and configuring the firewall accordingly, Apple services (including Xsan) will function seamlessly across VLANs.
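Review bot: the port range is garbled throughout: `4915265535` in the table, the notes, the OPNsense rule and the summary is 49152-65535 with the separator dropped, and as written it is not a port number. Substantively, Xsan is Apple's SAN filesystem for Macs with block access to shared storage; Apple TVs are not Xsan clients, so the `Xsan Server ↔ Apple TV VLAN` rule has no use case and the sentence about Apple TVs interacting with Xsan servers should go. If a Mac VLAN genuinely needs Xsan, the rule as sketched (`Source: VLAN10`, `Destination: VLAN20`, TCP 49152-65535, plus "bidirectional") opens the entire ephemeral range in both directions between two VLANs; limit it to an alias of the Xsan metadata controller and client hosts and to one direction, since stateful inspection already admits the replies. The 9876/9877 "Apple TV Remote Access/Media Streaming" rows cite no source; check them against Apple's published list of ports used by Apple software before opening them. The `🚫` icon on a heading titled "Critical Ports to Open" sends the wrong signal.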


@@ -0,0 +1,164 @@
### **Comprehensive Project Plan for VLAN Bridging with mDNS Proxy and Avahi Servers**
---
### **1. Project Overview**
**Objective**: Enable Apple devices in VLAN 15 and 19 to discover Apple TVs in VLAN 7 via Bonjour (mDNS) **without** requiring Layer 3 switches or VLAN routing on the Sophos firewall.
**Key Requirements**:
- **VLANs**: Student (15), Teacher (19), AppleTV (7).
- **Subnets**:
- VLAN 15: `172.16.19.254/255.255.252.0`
- VLAN 19: `192.168.151.254/255.255.252.0`
- VLAN 7: `172.16.111.254/255.255.248.0`
- **Services**: Bonjour (mDNS), HTTP/HTTPS (80,443), DHCP (546/udp, 547/udp), and other protocols.
- **Tools**:
- **Sophos XGS4300**: DHCP server, firewall.
- **ESXi**: Hypervisor for VMs.
- **Debian VMs**: Avahi servers, mDNS proxy.
- **Switches**: Level 2 (no IGMP snooping).
- **VM IPs**: `.250` in each VLAN (e.g., `172.16.19.250`, `192.168.151.250`, `172.16.111.250`).
---
### **2. Network Architecture Design**
#### **A. VLAN Configuration (ESXi vSwitch)**
- **vSwitch Setup**:
- Create a **vSwitch** (e.g., `vSwitch0`) with **VLAN tags** for each VLAN (15, 19, 7).
- Assign **VMs** to this vSwitch with appropriate VLAN tags.
- **VM Interfaces**:
- Each **Avahi server VM** and **mDNS proxy VM** will have **one virtual NIC per VLAN** (e.g., VLAN 15, VLAN 19, VLAN 7).
- Ensure **untagged interfaces** for management (optional).
#### **B. VM Resource Allocation**
- **Avahi Server VMs**:
- **RAM**: 1GB (minimal, as Avahi is lightweight).
- **CPU**: 1 core.
- **Storage**: 10GB (for OS and logs).
- **mDNS Proxy VM**:
- **RAM**: 2GB (to handle traffic forwarding).
- **CPU**: 2 cores.
- **Storage**: 20GB (for logs and configurations).
#### **C. IP Addressing**
- **Avahi Servers**:
- VLAN 15: `172.16.19.250`
- VLAN 19: `192.168.151.250`
- VLAN 7: `172.16.111.250`
- **mDNS Proxy**:
- Assign a **static IP** (e.g., `172.16.111.251`) in VLAN 7 (or use a management VLAN if needed).
---
### **3. Software and Configuration**
#### **A. Avahi Servers (Per VLAN)**
- **OS**: Debian 12 (Bookworm).
- **Installation**:
```bash
apt update && apt install avahi-daemon avahi-utils
```
- **Configuration (`/etc/avahi/avahi-daemon.conf`)**:
- Ensure `host-name` is set to the VM's hostname (e.g., `avahi15`).
- Set `domain-name` to the local domain (e.g., `local`).
- **Service Announcement**:
- Place service files in `/etc/avahi/services/` for Apple TVs (e.g., `apple-tv.service`).
- Example `apple-tv.service`:
```xml
<service>
<type>_http._tcp</type>
<subtype>_apple-tv._sub</subtype>
<port>80</port>
<host>apple-tv.local</host>
</service>
```
#### **B. mDNS Proxy (VM)**
- **Software**: Use **`mdnsproxy`** (not `dnsmasq`) for mDNS forwarding.
- **Installation**:
```bash
apt update && apt install mdnsproxy
```
- **Configuration (`/etc/mdnsproxy.conf`)**:
- Define **forwarding rules** between VLANs:
```ini
[forward]
172.16.19.250 192.168.151.250 172.16.111.250
192.168.151.250 172.16.19.250 172.16.111.250
172.16.111.250 172.16.19.250 192.168.151.250
```
- Ensure **UDP port 5353** is open for mDNS traffic.
- **Firewall Rules (Sophos XGS)**:
- Allow **UDP port 5353** between VLAN 15, 19, and 7.
- Allow **TCP/UDP ports 80, 443, 546, 547** for service access.
---
### **4. Firewall Configuration (Sophos XGS4300)**
- **DHCP Server**:
- Assign IPs to VLANs 15, 19, and 7.
- Ensure **IP ranges** match the subnets (e.g., VLAN 15: `172.16.19.252-254`).
- **Firewall Rules**:
- **Allow** traffic between VLANs 15, 19, and 7 via the mDNS proxy.
- **Deny** direct communication between VLANs (to enforce proxy routing).
- **Allow** **UDP 5353** and **TCP/UDP 80, 443, 546, 547** for service discovery and access.
---
### **5. Testing and Validation**
- **Step 1**: Verify **VLAN tagging** on ESXi vSwitch. Use `ovs-ofctl dump-ports` to confirm VLAN tags.
- **Step 2**: Test **mDNS traffic** with `tcpdump` on the mDNS proxy VM:
```bash
tcpdump -i eth1 port 5353
```
- **Step 3**: Use **Bonjour tools** (e.g., `dns-sd`) to discover services:
```bash
dns-sd -B _http._tcp local
```
- **Step 4**: Ensure **Apple devices** can access services via the proxy.
- **Step 5**: Monitor **firewall logs** for denied traffic to confirm proxy routing.
---
### **6. Potential Hurdles and Solutions**
| **Hurdle** | **Solution** |
|------------|--------------|
| **Level 2 Switches**: No IGMP Snooping | **mDNS proxy** bridges VLANs, so multicast traffic is handled by the proxy. |
| **Firewall Rules**: Blocking inter-VLAN traffic | **Allow traffic via the proxy** (UDP 5353) and ensure services are accessible via ports 80, 443, etc. |
| **VM IP Conflicts** | Assign **static IPs** in each VLAN (e.g., `.250`) to avoid DHCP conflicts. |
| **mDNS Proxy Not Forwarding** | Verify `mdnsproxy` configuration and ensure VMs are connected to all VLANs. |
| **Service Discovery Failures** | Test with `dns-sd` and ensure Avahi servers are correctly configured. |
---
### **7. Resource Recommendations**
- **ESXi Host**:
- At least 8GB RAM, 4 cores.
- Ensure **vSwitch** is configured with VLAN tags.
- **VMs**:
- **Avahi Servers**: 1GB RAM, 1 core.
- **mDNS Proxy**: 2GB RAM, 2 cores.
- **Storage**:
- Allocate 10-20GB per VM for OS, logs, and service files.
---
### **8. Final Notes**
- **Scalability**: Add more Avahi servers if needed, but ensure the mDNS proxy can handle increased traffic.
- **Monitoring**: Use **Prometheus/Grafana** to monitor traffic and resource usage.
- **Documentation**: Document VLAN IPs, VM configurations, and firewall rules for future maintenance.
---
### **9. Has Anything Been Missed?**
- **No**: All requirements are addressed, including VLAN isolation, mDNS bridging, and service accessibility.
- **Optional Enhancements**:
- Add **load balancing** for the mDNS proxy.
- Use **SNMP** to monitor switch traffic.
- Implement **failover** for critical services.
---
### **10. Conclusion**
This setup is **feasible** and **robust** for your requirements. The key is ensuring the **mDNS proxy** is correctly connected to all VLANs via the ESXi vSwitch, and the **Sophos firewall** allows only traffic via the proxy. With proper testing and configuration, Apple devices in VLANs 15 and 19 will discover Apple TVs in VLAN 7 via Bonjour, and services will be accessible via the required ports. 🚀
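Review bot: the forwarding component in section 3.B contradicts the rest of the design and would not work as written. `apt install mdnsproxy` plus a `[forward]` table of unicast IPs in `/etc/mdnsproxy.conf` names a package and config format I cannot find in Debian 12, while the next file in this commit already assigns this exact role to `avahi-daemon` with `enable-reflector=yes`; keep one mechanism and document it once. Further problems in the same hunk: the `apple-tv.service` example is not a valid Avahi service file (it needs a `<service-group>` wrapper with a `<name>`, and the element is `<host-name>`, not `<host>`), and it advertises `_http._tcp` although the services the clients need are `_airplay._tcp` and `_raop._tcp`, as the next file in this commit states; ports 546/547 are DHCPv6 (this commit itself labels 546 as DHCPv6 elsewhere) and do not belong in a "service access" rule; "Deny direct communication between VLANs" in section 4 conflicts with "Allow UDP 5353 and TCP/UDP 80, 443, 546, 547" right below it, because a reflector only relays discovery and the actual AirPlay session is unicast between the client VLAN and VLAN 7; an inter-VLAN UDP 5353 rule on the Sophos is dead, since mDNS is link-local multicast and never transits the firewall when the proxy has an interface in every VLAN; the DHCP example `172.16.19.252-254` includes the gateway at `.254`; and `ovs-ofctl dump-ports` is an Open vSwitch command that does not exist on ESXi, so step 1 of the test plan cannot be run there.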

@@ -0,0 +1,88 @@
Here's a **structured summary** of your network requirements and design, incorporating your latest updates and clarifications:
---
### **Network Overview**
#### **1. VLANs and Subnets**
| VLAN | Subnet | Gateway IP | Avahi Server IP | mDNS Proxy IP |
|------|--------------------------------|------------------|------------------|----------------|
| 15 | 172.16.19.0/255.255.252.0 | 172.16.19.254 | 172.16.19.250 | 172.16.19.251 |
| 19 | 192.168.151.0/255.255.252.0 | 192.168.151.254 | 192.168.151.250 | 192.168.151.251 |
| 7 | 172.16.111.0/255.255.248.0 | 172.16.111.254 | 172.16.111.250 | 172.16.111.251 |
**Note:** All VLANs are routed via the **Sophos XGS4300**, which acts as the **DHCP server** for all VLANs.
---
#### **2. Avahi Server Configuration**
- **Local Avahi Servers**:
- **VLAN 15**: Runs Avahi on `172.16.19.250` for local discovery.
- **VLAN 19**: Runs Avahi on `192.168.151.250` for local discovery.
- **VLAN 7**: Runs Avahi on `172.16.111.250` for local discovery.
- **Central Avahi Server** (mDNS Proxy):
- **IPs**: `172.16.19.251`, `192.168.151.251`, `172.16.111.251` (untagged interfaces for each VLAN).
- **Configuration**:
```ini
[reflector]
enable-reflector=yes
#reflect-ipv=no
#reflect-filters=_airplay._tcp.local,_raop._tcp.local
```
- **Purpose**: Acts as a **central mDNS reflector** to forward traffic between VLANs, enabling Apple devices in VLANs 15/19 to discover Apple TVs in VLAN 7.
---
#### **3. mDNS Proxy VM (Central Avahi Server)**
- **OS**: Debian.
- **Network Configuration**:
- Uses **`/etc/network/interfaces`** to assign static IPs for each VLAN (ending in `.251`).
- Interfaces are **untagged** (virtual) for each VLAN.
- **Function**:
- Forwards mDNS traffic between VLANs (e.g., `_airplay._tcp.local`, `_raop._tcp.local`).
- Ensures Apple devices in VLANs 15/19 can discover Apple TVs in VLAN 7 via Bonjour.
---
#### **4. ESXi and VLAN Management**
- **Hyper-Visor**: ESXi.
- **vSwitch Configuration**:
- Each VLAN is assigned a **virtual port group** with the corresponding subnet.
- VMs (Avahi servers, mDNS proxy, etc.) are assigned to the appropriate VLAN port group.
- **IP Assignment**:
- VMs use **static IPs** (`.250` for local Avahi servers, `.251` for central Avahi server).
---
#### **5. Switch Configuration**
- **Switches**: Managed Level 2 switches.
- **IGMP Snooping**:
- **Recommendation**: **Enable IGMP snooping** on all switches.
- **Rationale**:
- While mDNS (Bonjour) uses **UDP** and not IGMP, **other multicast services** (e.g., `546/udp` for DHCPv6, `80/443` for HTTP/HTTPS) may rely on IGMP.
- IGMP snooping prevents unnecessary multicast traffic flooding, improving network efficiency.
- **Note**: If only mDNS is used, IGMP snooping is **not strictly required**, but enabling it is **beneficial for future scalability**.
---
### **Key Considerations**
- **Resource Allocation for VMs**:
- **Avahi Servers (VLANs 15, 19, 7)**: Minimal resources (1 vCPU, 512MB RAM).
- **Central Avahi Server (mDNS Proxy)**: Slightly higher resources (2 vCPUs, 1GB RAM) due to traffic forwarding.
- **Firewall Rules**:
- Ensure **UDP ports 80, 443, 546/udp, 546/tcp** are open between VLANs 15/19 and VLAN 7.
- Allow **mDNS traffic (UDP 5353)** for Bonjour discovery.
- **Testing**:
- Use `avahi-browse` on Apple devices to verify Apple TV discovery.
- Test service ports (e.g., `curl http://<AppleTV-IP>:80`) to confirm connectivity.
---
### **Summary of Design**
- **VLAN Isolation**: Each VLAN operates independently with its own subnet and Avahi server.
- **Central mDNS Proxy**: Acts as a bridge for Bonjour discovery between VLANs, enabling cross-VLAN service discovery.
- **Network Efficiency**: IGMP snooping is enabled to optimize multicast traffic handling.
- **Scalability**: The design supports future additions (e.g., more Apple devices, services) without overhauling the architecture.
Let me know if youd like a **diagram** or **Debian interface configuration examples**! 🚀
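Review bot: the IGMP snooping rationale in section 5 is wrong, and the port list under Key Considerations repeats the same confusion. HTTP/HTTPS on 80/443 are unicast TCP and have nothing to do with IGMP, and DHCPv6 on 546/547 is IPv6, where the counterpart of IGMP is MLD; the only multicast in this design is mDNS on UDP 5353, which the central Avahi server reflects without any firewall rule because it has an untagged interface in every VLAN (section 3). `Ensure UDP ports 80, 443, 546/udp, 546/tcp are open` should become a rule for the unicast ports the Apple TV services actually use, with the correct protocol. Two smaller points: `avahi-browse` is not available on Apple devices, use `dns-sd` as the other file in this commit does; and because the reflector bridges every interface it sees, add `allow-interfaces=` under `[server]` in `avahi-daemon.conf` so only the three VLAN interfaces are reflected, and consider uncommenting `reflect-filters=_airplay._tcp.local,_raop._tcp.local` so only those record types cross VLAN boundaries.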

@@ -0,0 +1,101 @@
### **Ruckus One Switch Configuration for Your Network Setup**
#### **1. IGMP Snooping Configuration**
Ruckus One switches support **active** and **passive** IGMP snooping. Here's what to use:
- **IGMP Snooping Mode**: **Active**
- **Why**: Active mode actively participates in IGMP snooping, ensuring multicast traffic is forwarded only to ports where devices are listening. This is critical if your network has **other multicast traffic** (e.g., video streaming, IP multicast services). While mDNS (Bonjour) uses UDP and not IGMP, enabling active IGMP snooping ensures **compatibility with other multicast services** and prevents unnecessary flooding.
- **Enable IGMP Snooping**:
- Navigate to **Ruckus One Dashboard > Switches > [Switch Name] > IGMP Snooping**.
- Set **Mode** to **Active**.
- Enable **IGMP Snooping** and **IGMP Snooping Fast Leave** (for faster group leave handling).
---
#### **2. Key Configuration Recommendations for Ruckus One Switches**
Heres how to configure your switches for **maximal efficiency** and **network quality**:
##### **A. VLAN Configuration**
- **VLAN Trunking**: Ensure **trunk ports** are used between switches and the core network (e.g., Sophos XGS4300) to carry all VLANs (15, 19, 7).
- **Access Ports**: Assign **access ports** to end-user devices (Apple TVs, macOS/iOS devices) with the correct VLAN tag.
- **VLAN Prioritization**:
- Use **QoS (CoS)** to prioritize critical traffic (e.g., Bonjour, HTTP, HTTPS).
- Example: Assign **CoS 5** to VLAN 7 (AppleTV) and **CoS 4** to VLANs 15/19 (Apple devices).
##### **B. QoS and Traffic Prioritization**
- **Priority Queuing**:
- Prioritize **UDP ports 80, 443, 546** (HTTP, HTTPS, DHCPv6) for Apple devices.
- Use **DSCP values** (e.g., DSCP 46 for EF class) to mark traffic for low-latency, high-reliability transmission.
- **Traffic Shaping**:
- Limit bandwidth for non-critical traffic (e.g., background updates) to ensure quality for AppleTV and student/teacher devices.
##### **C. Link Aggregation (LACP)**
- **Enable LACP** on uplinks between switches and the core (Sophos XGS4300) to:
- Improve redundancy.
- Balance traffic across multiple links.
- Avoid single points of failure.
##### **D. Spanning Tree Protocol (STP)**
- **Enable STP** (RSTP or MSTP) to prevent broadcast storms and loops.
- Set **root bridges** to avoid unnecessary STP convergence delays.
##### **E. Port Security**
- **Enable Port Security** on access ports to:
- Prevent MAC address spoofing.
- Limit the number of devices per port (e.g., 1 device per port for AppleTV).
- Use **MAC-based filtering** to restrict unauthorized devices.
##### **F. IGMP Snooping Enhancements**
- **IGMP Snooping Fast Leave**: Reduces delay when devices leave multicast groups.
- **IGMP Snooping Querier Timeout**: Adjust timeout values (e.g., 100 seconds) to balance responsiveness and resource usage.
##### **G. Monitoring and Analytics**
- **Enable Traffic Monitoring** to track:
- Bandwidth usage per VLAN.
- Multicast traffic patterns.
- QoS policy enforcement.
- Use **Ruckus One Analytics** to identify bottlenecks or misconfigurations.
---
#### **3. CSV File Configuration (Batch Setup)**
If you have a CSV list of all switches, use the **Ruckus One Dashboard** to apply configurations **across all switches**:
1. **Export Switch Configurations**:
- Navigate to **Ruckus One Dashboard > Switches > [Switch Name] > Export Configuration**.
- Save the configuration as a `.cfg` file.
2. **Batch Apply Configurations**:
- Use the **"Apply Configuration"** feature to push the same settings to multiple switches.
- For VLANs, QoS, and QoS policies, ensure all switches are configured identically.
3. **Automate with Ruckus One API** (Optional):
- Use the **Ruckus One API** (via REST or SDK) to programmaticall configure switches in bulk.
- Example: Apply IGMP snooping settings to all switches in a group.
---
#### **4. Additional Best Practices**
- **Firmware Updates**: Ensure all switches are running the **latest firmware** for security and performance improvements.
- **SNMP Monitoring**: Enable SNMP for real-time monitoring of switch metrics (e.g., CPU usage, port status).
- **Security Policies**:
- Disable **unnecessary protocols** (e.g., Telnet, FTP).
- Enable **SSH** and **HTTPS** for secure access.
- Use **802.1X authentication** for access ports to restrict unauthorized devices.
---
### **Summary Table: Ruckus One Switch Configuration Summary**
| Feature | Configuration | Rationale |
|--------------------------|----------------------------------------|-----------|
| IGMP Snooping | **Active** mode, enabled | For multicast services and compatibility |
| VLAN Trunking | Enabled on uplinks | For inter-switch communication |
| QoS (CoS/DSCP) | Prioritize VLAN 7 (AppleTV) | Ensures low-latency traffic |
| Link Aggregation (LACP) | Enabled on uplinks | Redundancy and bandwidth |
| Port Security | Enabled, MAC-based filtering | Prevents unauthorized access |
| STP (RSTP/MSTP) | Enabled, root bridge set | Prevents loops |
| Monitoring | SNMP, Ruckus One Analytics | Identifies performance issues |
By following these steps, your Ruckus One switches will be optimized for **multicast traffic handling**, **quality of service**, and **network security** in your hybrid AppleTV/education network. Let me know if you need help exporting CSV configurations or scripting API calls! 🚀
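Review bot: section 2.B prioritizes `UDP ports 80, 443, 546 (HTTP, HTTPS, DHCPv6)`, but HTTP and HTTPS are TCP and DHCPv6 lease traffic is not what needs low latency for AirPlay, so the DSCP 46 marking never matches the traffic it is meant for; write the QoS match for the AirPlay/RAOP service ports with the right protocol. Section 1 gives "mDNS uses UDP and not IGMP" as the reason to enable active snooping, yet mDNS is the one multicast stream this network carries; state whether these switches flood 224.0.0.251 regardless of snooping state, because if they do not, snooping without a querier is the first thing to check when discovery stops working. Also: step 2 in section 3 lists "VLANs, QoS, and QoS policies" (duplicate), and "programmaticall" in step 3 should be "programmatically".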

@@ -0,0 +1,5 @@
## Init
- Repo anpassen

@@ -0,0 +1,26 @@
## network
- Gateway/Firewall Static IP: 10.11.12.254/24
- DHCP: 10.11.12.100 - 10.11.12.200
### Static IPs
| hostname | mac | IP | comment | active |
| ------------- | ----------------- | ------------ | -------------------------- | ------ |
| gw | | 10.11.12.254 | sophos fw | true |
| dns1 | | 10.11.12.253 | bind master | true |
| dns2 | | 10.11.12.252 | bind slave | true |
| pve | | 10.11.12.1 | proxmox host | true |
| node1 | | 10.11.12.2 | opnsense cluster test | false |
| node2 | | 10.11.12.3 | opnsense cluster test | false |
| vip-wan | | 10.11.12.4 | opnsense cluster test | false |
| drawio | | 10.11.12.20 | drawio instance | false |
| pve-wazuh | | 10.11.12.40 | patryk test pve | false |
| wazuh-server | | 10.11.12.41 | patryk test wazuh server | false |
| wazuh-win-11 | | 10.11.12.42 | patryk test win11 client | false |
| wazuh-kali | | 10.11.12.50 | patryk test win11 client | false |
| pxe | BC:24:11:99:2D:8A | 10.11.12.69 | netbbot_xyz | true |
| metabase | | 10.11.12.99 | test for discopharma | false |
| pve-max | | 10.11.12.100 | test pve instance for maxi | false |
| sbx-sw-lab-00 | B0:7C:51:30:64:4E | 10.11.12.220 | central switch | true |
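Review bot: the DHCP pool `10.11.12.100 - 10.11.12.200` overlaps the static entry `pve-max 10.11.12.100`, so move that host out of the pool or add a reservation for it, and the `wazuh-kali` row still carries the copy-pasted comment `patryk test win11 client`. Most rows also leave the mac column empty; for the hosts marked active, filling it in makes the table usable for DHCP reservations and for spotting an unknown device on the lab segment.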

@@ -1,23 +0,0 @@
## network
- Gateway/Firewall Static IP: 10.11.12.254/24
- DHCP: 10.11.12.100 - 10.11.12.200
### Static IPs
| hostname | mac | IP | comment | active |
| ------------ | ----------------- | ------------ | ------------------------ | ------ |
| gw | | 10.11.12.254 | sophos fw | true |
| dns1 | | 10.11.12.253 | bind master | true |
| dns2 | | 10.11.12.252 | bind slave | true |
| node1 | | 10.11.12.2 | opnsense cluster test | false |
| node2 | | 10.11.12.3 | opnsense cluster test | false |
| vip-wan | | 10.11.12.4 | opnsense cluster test | false |
| drawio | | 10.11.12.20 | opnsense cluster test | false |
| pve-wazuh | | 10.11.12.40 | patryk test pve | true |
| wazuh-server | | 10.11.12.41 | patryk test wazuh server | true |
| wazuh-win-11 | | 10.11.12.42 | patryk test win11 client | true |
| wazuh-kali | | 10.11.12.50 | patryk test win11 client | true |
| pxe | BC:24:11:99:2D:8A | 10.11.12.69 | netbbot_xyz | true |
| metabase | | 10.11.12.99 | test for discopharma | false |
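Review bot: this deletion together with the new table above is a rename with content changes folded in: `pve-wazuh`, `wazuh-server`, `wazuh-win-11` and `wazuh-kali` flip from `active: true` to `false`, the `drawio` comment is corrected, and `pve`, `pve-max` and `sbx-sw-lab-00` are added. Splitting the rename from the data changes keeps the active-flag change reviewable on its own.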

@@ -4,7 +4,7 @@
## Vorstellung
- GLT Meldungen dper Mail an Sammelpostfach
- GLT Meldungen per Mail an Sammelpostfach
- Empfaenger adresse benoetigt
- zum Beispiel Registrierung Veeam

@@ -0,0 +1,23 @@
## Abbreviations
- ga: Gebaeudeautomatisierung
- glt: Gebaeudeleittechnik
## Notes
- Sophos SG Cluster
- Many VLANs -> Open port 25, 465, 587 for all networks to the mail server
- Which domain? @ga.tum.de probably. just mx record needed in local network
- DNS Server. Hopefully, the Sophos can do it
- For outgoing mails use the mail-gw which relays the mails to the LRZ mailservers which relays it further
- LRZ only accepts mails from a @<...>.tum.de domain, which should be given
- I could use mailcow, without all spam, netfilter and ipv6 stuff (though I love ipv6 and would activate it everywhere)
- Single mailbox needed. (mailcow provideds more)
- imap will be needed for accessing the mails
- though this mail server will be more a imap server than a smtp server
- imap for receiving all the alerts; smtp for relaying of some mails which should go outside the local network
- Do I really need SSL/TLS certs?
- DOMAIN: ga.tum.de
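Review bot: `Open port 25, 465, 587 for all networks to the mail server` allows submission from every VLAN, while these notes say the only senders are the GLT alert sources and the only outbound path is the mail-gw relay; scope the rule to those sources and require authentication on 465/587, otherwise any compromised host in one of the many VLANs can use the box as a relay. On `Do I really need SSL/TLS certs?`: yes, because IMAP logins (which the notes say will carry all the alerts) and SMTP AUTH transmit credentials, and without TLS they cross the VLANs in clear text. Typo: "provideds".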

@@ -0,0 +1,11 @@
## TODO
- [x] wagos devices ip adressen aufschreiben und beschriften
- chemie (neu) Netz
- nextcloud passwoerter hinterlegen
- [ ] herausfinden welche portbeleguneg an den switches am besten ist
- [ ] landing page: unterscheidung zwischen remote.glt.tum.de und gw.glt.tum.de soll klar sein.
- gw.glt.tum.de ist die Sophos FW. html5 vpn-portal verbindet sich mit rdp zu servern??
- remote.glt.tum.de ist die Applikation TSPlus fuer remote Zugriff zu einem bestimmten Server