From b79839500c80652b21f5828d938db1876bffe40f Mon Sep 17 00:00:00 2001 
From: Petar Cubela Date: Sun, 20 Jul 2025 22:29:13 +0200 Subject: [PATCH] 20250720 regular commit --- archive/.DS_Store | Bin 10244 -> 10244 bytes archive/radiochemie/.DS_Store | Bin 0 -> 6148 bytes diary/2025-07-15.md | 2 + diary/2025-07-16.md | 115 ++++++++++++ diary/2025-07-17.md | 133 ++++++++++++++ diary/2025-07-18.md | 148 ++++++++++++++++ diary/2025-07-20.md | 0 projects/.DS_Store | Bin 10244 -> 10244 bytes projects/cqse/fw-migration/20250718-main.md | 3 + .../dav/20250718-azure-migrate-linux-vms.md | 9 + .../20250716-avahi-scaling.md | 117 +++++++++++++ .../20250716-firewall-rules-bonjour.md | 52 ++++++ .../20250717-project-plan-scaling.md | 164 ++++++++++++++++++ .../avahi_mdns-reflector/20250718-overview.md | 88 ++++++++++ .../20250718-ruckus-sw-cfg.md | 101 +++++++++++ projects/proxmox/firste-steps.md | 5 + .../{ => defaults}/sbx-host-update-cycle.md | 0 projects/sbx/defaults/sbx-lab-network.md | 26 +++ projects/sbx/sbx-lab-network.md | 23 --- projects/tu/glt-mail/20250710-init.md | 2 +- projects/tu/glt-mail/20250716-thoughts.md | 23 +++ projects/tu/weekly/20250717.md | 11 ++ 22 files changed, 998 insertions(+), 24 deletions(-) create mode 100644 archive/radiochemie/.DS_Store create mode 100644 diary/2025-07-16.md create mode 100644 diary/2025-07-17.md create mode 100644 diary/2025-07-18.md create mode 100644 diary/2025-07-20.md create mode 100644 projects/cqse/fw-migration/20250718-main.md create mode 100644 projects/dav/20250718-azure-migrate-linux-vms.md create mode 100644 projects/gg/avahi_mdns-reflector/20250716-avahi-scaling.md create mode 100644 projects/gg/avahi_mdns-reflector/20250716-firewall-rules-bonjour.md create mode 100644 projects/gg/avahi_mdns-reflector/20250717-project-plan-scaling.md create mode 100644 projects/gg/avahi_mdns-reflector/20250718-overview.md create mode 100644 projects/gg/avahi_mdns-reflector/20250718-ruckus-sw-cfg.md create mode 100644 projects/proxmox/firste-steps.md rename projects/sbx/{ => 
defaults}/sbx-host-update-cycle.md (100%) create mode 100644 projects/sbx/defaults/sbx-lab-network.md delete mode 100644 projects/sbx/sbx-lab-network.md create mode 100644 projects/tu/glt-mail/20250716-thoughts.md create mode 100644 projects/tu/weekly/20250717.md diff --git a/archive/.DS_Store b/archive/.DS_Store index 9d99ee065b572e775013ba04e617118e5c26420c..2baa2a6eb59677a03c69d80c918c2f727cfac0ac 100644 GIT binary patch delta 1288 zcmd5*&ubGw6n@jhW@BoaG(T$<76cJYHCcZ}^kNl35L}EXXeI16p;^1#iMty^jcE?{ z77xmJDTsf79z=5zq3D0$$+KsL-m74p*<{nq5b)~4Fgv{Oz4^ZPz1dJV)aN&l`dcIrkHmp|kIUp$d`kp% zIndTjn%tdvBZ77~(36Brf{70z9Y*-|fG~NRXo+z~cNm{bx=I8pV1NTlfT0dG(7=XO z(0G-eieXwed0Z%qm;gWC>n6{japZjfkgusLz0au(>I7f~n&NG&>nQ4XomP%gW*WGZ z*&4;q)00ivK7cAcxja*#0=e9fr)tg1#$fU2C=<2^Cx6lhMdDN$59sJkr#={wk9yrS z95i)l`-!`hvax8fnTdrnURohE2 zDpd+uykl4u++4s7tKxXMrG7vPOW|^Cwsp02>ip@PtSCx5C$|d9xnfQ}TP(KQVJUUw zd0E&`(JnN+sl=c_9tx1>@9<0;-a)Qs zkBu{p1CWc^AL7h1JwAy1&h7|tPsz6blzz^dg$NzhqqH&ep#Eb32Wc-Jrh6gzSCD*3 ORK@E5%|o0pm;VAI$(_9b delta 118 zcmZn(XbG6$&uFnRU^hRb#pDSBI+Gg&ZcJ_v?3wH#v~RM7@T$pjBAX_E6DgS7BbvFn zP|T2VGn0fk<75|U@yS=EW=`glnK1d1jOt`-*;kXZ<<3oxl~3MSx`A~wyTUJ)$%^8- MlLf>lq3fsx07PUe_5c6? diff --git a/archive/radiochemie/.DS_Store b/archive/radiochemie/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..74f00a1983b74303db6f9b8f8b36e3bbc78d9107 GIT binary patch literal 6148 zcmeHKyGlbr5Iw6wf;O=eC2+M*z(2T#1Y%=jVX5W;2J(>HL@jUcKllrNpOv1O9W;+? zkw!#kVCL-3?#yJ*Wp}dxLSx=L1u6i_RKe0NO@YX`=$dSqXNMRxM;~Kk=%a?o+H7|? z1J1y2V?g%q5qImo?cA^ZJLWFVbmWdULmOB0v~YnY>KLJSKAdzr!%2r3} = \hat{H} \Large{|}\ - 14:30 - 15:00: [x] SSR: OPNsense Doku in IT-glue erweitern - 15:00 - 15:15: Rauchen - 15:15 - 15:30: TU: Pruefe, ob Sophos IPS bei web Anmeldungen kann. User Portal wird attakiert. +- 15:30 - 16:30: Maximilian Kugler: Proxmox auf Test Laptop installieren und qwerty vorstellen +- 16:30 - 17:00: APSA: nextcloud projekt wieder reinkommen. HEUTE: Filewave APN neu ## Timestamps (Monday 20250714) 
diff --git a/diary/2025-07-16.md b/diary/2025-07-16.md new file mode 100644 index 0000000..20df8ab --- /dev/null +++ b/diary/2025-07-16.md 
@@ -0,0 +1,115 @@ + +$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$ + +![important](files/sbx/important.png) + +### SSR offene Themen + +- [ ] Domaenen umziehen + +### TODO + +- [ ] bgsm: anleitung um neue nutzerinnen zu erstellen + +- [ ] powershell script to clean `C:\Temp` folder on Windows machines +- [ ] Nextcloud Updates +- [ ] Doku fuer OPNsense User Portal +- [ ] Ninja: Custom Field to monitor specific Services + +- [ ] TU: CRC: Nextcloud mit Phil und Chat +- [ ] TU: Tobias will extra Mail Postfach fuer GLT. Pruefe Mail Server. LRZ managed. +- [ ] TU: Neuen Physikbau IFP. Switches beschriften - Schluessel fehlt. +- [x] TU: Finde Messschacht IP des Wechselrichters -> nicht im netzwerk. + - [ ] TU: Schreibe HJZ wegen der Cental Management Softwarek fuer die Aruba und MicroSense Switches -> lieber ueber Herrn Zach +- [ ] TU: Abbild der Netzwerkinfrastruktur +- [ ] TU: IT-Glue Doku erweitern + +- [ ] KWA: Margit Bosch Outlook fragt immer wieder nach schluesselbund. +- [ ] KWA: kontakte in busycontacts bis mittwoch klaeren +- [ ] SSR: FW - Doku machen aller Aenderungen (IT-Glue) + +- [ ] GG: Avahi: Erstelle Liste aller Apple TV's +- [ ] GG: Avahi: Pruefe Skalierung, und Belastung. Ab September in Production + +#### TODAY + +- [ ] TU: Mail Server Planning +- [ ] KWA/SSR: APN renewal +- [ ] APSA: Nextcloud + +## Timestamps (Wednesday 20250715) + +- 09:00 - 09:15: Recherche zu Vectorworks Fehler bei 2023 +- 09:15 - 09:30: Rauchen +- 09:30 - 09:45: Telefonat mit SHZ Tulbeckstrasse +- 09:45 - 10:00: S2S Tunnel wieder aufbauen und logs untersuchen +- 10:15 - 10:30: Telefonat mit Marko zu dem Problem und untersuche mit Michael die Logs +- 10:30 - 10:45: Telefonat mit Marko. zu Avahi bei GG. Funktioniert. Pruefe unter Last arbeit +- 10:45 - 11:00: Gespraech mit Oli zu Avahi. SEptember in Production. Pruefe Skalierung. 
+- 11:00 - 11:15: Diskutiere mit qwerty Skalierung des Avahi Servers +- 11:15 - 12:00: Troubleshooting mit Marko. Firewall Regeln nicht klar, welche Ports genutzt werden. +- 12:00 - 12:15: Gespraech mit Volker zu KWA VW Problem +- 12:15 - 12:45: mDNS/Bonjour nachdenken. +- 12:45 - 13:30: Pause +- 13:30 - 13:45: Proxmox Clustering Projekt mit Maxi besprechen +- 13:45 - 14:00: Pause +- 14:00 - 14:30: SHZ: Checke Firewall +- 14:30 - 15:30: Mit Marko. GG. Epson Beamer ueber VLANs verbinden +- 15:30 - 15:45: Cloud Monitor setzen fuer SHZ +- 15:45 - 16:30: TU: Mail Server Projekt +- 16:30 - 17:00: Kontakt mit KWA (Falk Benz); VW24 installieren. VW23 testen. Geht jetzt ploetzlich. + +## Timestamps (Tueday 20250715) + +- 08:00 - 08:30: Lesen; Kollegen belauschen; +- 08:30 - 09:30: Ticketpflege +- 09:30 - 09:45: Rauchen +- 09:45 - 10:00: VPN Config fuer OPNsense und OpenVPN schreiben +- 10:00 - 10:30: KWA: OPNsense. Alias fuer Syn Web Ports. Ordner fuer MW ins Archiv verschieben +- 10:30 - 10:45: IT-Glue Dokumente sortieren. OPNsense, Sophos und Projekt Notizen Ordnen +- 10:45 - 11:15: [x] Kerio Connect Lizenz (Lisa.Zenz) verlaengern. Mit Unterstuetzung von Sebastian Wichtler +- 11:15 - 11:45: NeoSphere Netzwerk Problem anschauen (NetAdmin Queue) +- 11:45 - 12:00: [x] SSR: OPNsense Doku abschliessen und bloed Ticket schliessen +- 12:00 - 13:00: Pause +- 13:00 - 13:15: Lizenz Datei auf Falk Benz Rechner loeschen. Pruefe Portfreigaben zum Vectorworks Server -> Port offen +- 13:15 - 13:30: [x] SSR: OPNsense Doku erweitern +- 13:30 - 14:30: KWA: VW23 findet den Server nicht. Troubleshooting und Recherche(https://app-help.vectorworks.net/2023/eng/VW2023_Guide/SiteProtection/Vectorworks_site_protection_server_overview.htm, https://forum.vectorworks.net/index.php?/topic/122985-vectorworks-cannot-find-license-server/) +- 14:30 - 15:00: [x] SSR: OPNsense Doku in IT-glue erweitern +- 15:00 - 15:15: Rauchen +- 15:15 - 15:30: TU: Pruefe, ob Sophos IPS bei web Anmeldungen kann. 
User Portal wird attakiert. +- 15:30 - 16:30: Maximilian Kugler: Proxmox auf Test Laptop installieren und qwerty vorstellen +- 16:30 - 17:00: APSA: nextcloud projekt wieder reinkommen. + +## Timestamps (Monday 20250714) + +- 16:00 - 18:30: Falk Rechner einrichten. manuell weil filewave nicht geht + +## Timestamps (Friday 20250711) + +- 14:30 - 15:00: pruefe kwa rechner. setze susanne.knopp user. helfe patryk sein laptop neu zu installieren +- 15:00 - 15:30: TU Nextcloud Zeug (in wirklichkeit rauchen) + +- 16:00 - 16:30: bgsm pruefe firewall und alle 4 NAS, die im Betrieb sind + +## todo + +### General + +- [ ] handout fuer jeweils sophos und opnsense als vergleich + +- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung + +- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs +- [ ] kwa/ssr snmp karten fuer usv +- [ ] update filewave admin und central + +### SBX + +- [ ] backup on external drive for pve.lab.softbox.net + +- [ ] check if possible to monitor vsphere passwd expiration +- [ ] create obsidian templates (Meetings, People, ) +- [ ] sbx - opsreportcard summary for action plan + +- [ ] fuege bharchitekten zu connectsecure hinzu +- [ ] erstelle connectsecure report fuer grasslfing \ No newline at end of file diff --git a/diary/2025-07-17.md b/diary/2025-07-17.md new file mode 100644 index 0000000..c80dc29 --- /dev/null +++ b/diary/2025-07-17.md 
@@ -0,0 +1,133 @@ + +$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$ + +![important](files/sbx/important.png) + +### SSR offene Themen + +- [ ] Domaenen umziehen + +### TODO + +- [ ] bgsm: anleitung um neue nutzerinnen zu erstellen + +- [ ] powershell script to clean `C:\Temp` folder on Windows machines +- [ ] Nextcloud Updates +- [ ] Doku fuer OPNsense User Portal +- [ ] Ninja: Custom Field to monitor specific Services + +- [ ] TU: CRC: Nextcloud mit Phil und Chat +- [ ] TU: Tobias will extra Mail Postfach fuer GLT. Pruefe Mail Server. LRZ managed. +- [ ] TU: Neuen Physikbau IFP. Switches beschriften - Schluessel fehlt. +- [x] TU: Finde Messschacht IP des Wechselrichters -> nicht im netzwerk. + - [ ] TU: Schreibe HJZ wegen der Cental Management Softwarek fuer die Aruba und MicroSense Switches -> lieber ueber Herrn Zach +- [ ] TU: Abbild der Netzwerkinfrastruktur + +- [ ] KWA: Margit Bosch Outlook fragt immer wieder nach schluesselbund. +- [ ] KWA: kontakte in busycontacts bis mittwoch klaeren +- [ ] SSR: FW - Doku machen aller Aenderungen (IT-Glue) +- [ ] KWA/SSR: Installationsdateien in IT-Glue hinterlegen + +- [ ] GG: Avahi: Erstelle Liste aller Apple TV's +- [ ] GG: Avahi: Pruefe Skalierung, und Belastung. Ab September in Production + +#### TODAY + +- [ ] TU: Mail Server Planning +- [ ] KWA/SSR: APN renewal +- [ ] APSA: Nextcloud + +## Timestamps (Thursday 20250717) + +- 08:30 - 08:45: SHZ: Bessler. VPN und Cert +- 08:45 - 09:00: Kommunikation mit Kollegen. Michael Krank. Suche sein Ticket raus. +- 09:00 - 09:05: Versuche Ute Koeller zu erreichen +- 09:05 - 09:20: Telefonat Frau Koeller. OpenVPN installiert. +- 09:20 - 09:30: Fuchsgruber Telefonat +- 09:30 - 09:35: Telefonat Jan. Trudering weitergeben +- 09:35 - 10:45: Gespraech/Meeting mit Tobias Moser. +- 10:45 - 11:45: Versuchen IP Adresse von dem Wago herauszufinden +- 11:45 - 12:00: Mail an Tobias; IP gefunden. In IPAM hinterlegen. 
+- 12:00 - 13:00: Pause +- 13:00 - 13:45: telefonat mit Max Brosche. Wir sollten eine Liste haben mit allen IPs. Umbau Dezember 24 passier (neue Netze. V82_ohne_MXI64). Hinterlegen es in IPAM. IMC untersuchen -> zeigt Fehlermeldungen +- 13:45 - 14:15: Untersuche IPAM, IMC, Macmon. deb.glt.lan reparieren. nginx nutzt nur ipv6. +- 14:15 - 14:45: Sebastian rcm +- 14:45 - 15:45: Erstelle mir ein Nextcloud Acc. Suche nach WAGO/loytec Dokumenten. Allgemeine dokumente Struktur in IT-Glue anlegen. TUM branding fuer nextcloud config +- 15:45 - 16:45: Analysiere Funktion von gw.glt.tum.de und remote.glt.tum.de; Erstelle neue VM fuer alterts mail server. IPAM pflegen (remote Maschine und neuer Mail Server) + +## Timestamps (Wednesday 20250716) + +- 09:00 - 09:15: Recherche zu Vectorworks Fehler bei 2023 +- 09:15 - 09:30: Rauchen +- 09:30 - 09:45: Telefonat mit SHZ Tulbeckstrasse +- 09:45 - 10:00: S2S Tunnel wieder aufbauen und logs untersuchen +- 10:15 - 10:30: Telefonat mit Marko zu dem Problem und untersuche mit Michael die Logs +- 10:30 - 10:45: Telefonat mit Marko. zu Avahi bei GG. Funktioniert. Pruefe unter Last arbeit +- 10:45 - 11:00: Gespraech mit Oli zu Avahi. SEptember in Production. Pruefe Skalierung. +- 11:00 - 11:15: Diskutiere mit qwerty Skalierung des Avahi Servers +- 11:15 - 12:00: Troubleshooting mit Marko. Firewall Regeln nicht klar, welche Ports genutzt werden. +- 12:00 - 12:15: Gespraech mit Volker zu KWA VW Problem +- 12:15 - 12:45: mDNS/Bonjour nachdenken. +- 12:45 - 13:30: Pause +- 13:30 - 13:45: Proxmox Clustering Projekt mit Maxi besprechen +- 13:45 - 14:00: Pause +- 14:00 - 14:30: SHZ: Checke Firewall +- 14:30 - 15:30: Mit Marko. GG. Epson Beamer ueber VLANs verbinden +- 15:30 - 15:45: Cloud Monitor setzen fuer SHZ +- 15:45 - 16:30: TU: Mail Server Projekt +- 16:30 - 17:00: Kontakt mit KWA (Falk Benz); VW24 installieren. VW23 testen. Geht jetzt ploetzlich. 
+ +## Timestamps (Tueday 20250715) + +- 08:00 - 08:30: Lesen; Kollegen belauschen; +- 08:30 - 09:30: Ticketpflege +- 09:30 - 09:45: Rauchen +- 09:45 - 10:00: VPN Config fuer OPNsense und OpenVPN schreiben +- 10:00 - 10:30: KWA: OPNsense. Alias fuer Syn Web Ports. Ordner fuer MW ins Archiv verschieben +- 10:30 - 10:45: IT-Glue Dokumente sortieren. OPNsense, Sophos und Projekt Notizen Ordnen +- 10:45 - 11:15: [x] Kerio Connect Lizenz (Lisa.Zenz) verlaengern. Mit Unterstuetzung von Sebastian Wichtler +- 11:15 - 11:45: NeoSphere Netzwerk Problem anschauen (NetAdmin Queue) +- 11:45 - 12:00: [x] SSR: OPNsense Doku abschliessen und bloed Ticket schliessen +- 12:00 - 13:00: Pause +- 13:00 - 13:15: Lizenz Datei auf Falk Benz Rechner loeschen. Pruefe Portfreigaben zum Vectorworks Server -> Port offen +- 13:15 - 13:30: [x] SSR: OPNsense Doku erweitern +- 13:30 - 14:30: KWA: VW23 findet den Server nicht. Troubleshooting und Recherche(https://app-help.vectorworks.net/2023/eng/VW2023_Guide/SiteProtection/Vectorworks_site_protection_server_overview.htm, https://forum.vectorworks.net/index.php?/topic/122985-vectorworks-cannot-find-license-server/) +- 14:30 - 15:00: [x] SSR: OPNsense Doku in IT-glue erweitern +- 15:00 - 15:15: Rauchen +- 15:15 - 15:30: TU: Pruefe, ob Sophos IPS bei web Anmeldungen kann. User Portal wird attakiert. +- 15:30 - 16:30: Maximilian Kugler: Proxmox auf Test Laptop installieren und qwerty vorstellen +- 16:30 - 17:00: APSA: nextcloud projekt wieder reinkommen. + +## Timestamps (Monday 20250714) + +- 16:00 - 18:30: Falk Rechner einrichten. manuell weil filewave nicht geht + +## Timestamps (Friday 20250711) + +- 14:30 - 15:00: pruefe kwa rechner. setze susanne.knopp user. 
helfe patryk sein laptop neu zu installieren +- 15:00 - 15:30: TU Nextcloud Zeug (in wirklichkeit rauchen) + +- 16:00 - 16:30: bgsm pruefe firewall und alle 4 NAS, die im Betrieb sind + +## todo + +### General + +- [ ] handout fuer jeweils sophos und opnsense als vergleich + +- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung + +- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs +- [ ] kwa/ssr snmp karten fuer usv +- [ ] update filewave admin und central + +### SBX + +- [ ] backup on external drive for pve.lab.softbox.net + +- [ ] check if possible to monitor vsphere passwd expiration +- [ ] create obsidian templates (Meetings, People, ) +- [ ] sbx - opsreportcard summary for action plan + +- [ ] fuege bharchitekten zu connectsecure hinzu +- [ ] erstelle connectsecure report fuer grasslfing \ No newline at end of file diff --git a/diary/2025-07-18.md b/diary/2025-07-18.md new file mode 100644 index 0000000..8a13fd8 --- /dev/null +++ b/diary/2025-07-18.md 
@@ -0,0 +1,148 @@ + +$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$ + +![important](files/sbx/important.png) + +### SSR offene Themen + +- [ ] Domaenen umziehen + +### TODO + +- [ ] bgsm: anleitung um neue nutzerinnen zu erstellen + +- [ ] sbx: powershell script to clean `C:\Temp` folder on Windows machines +- [ ] sbx: Nextcloud Updates +- [ ] sbx: Doku fuer OPNsense User Portal +- [ ] sbx: Ninja: Custom Field to monitor specific Services + +- [ ] TU: CRC: Nextcloud mit Phil und Chat +- [ ] TU: Tobias will extra Mail Postfach fuer GLT. Pruefe Mail Server. LRZ managed. +- [ ] TU: Neuen Physikbau IFP. Switches beschriften - Schluessel fehlt. +- [x] TU: Finde Messschacht IP des Wechselrichters -> nicht im netzwerk. + - [ ] TU: Schreibe HJZ wegen der Cental Management Softwarek fuer die Aruba und MicroSense Switches -> lieber ueber Herrn Zach +- [ ] TU: Abbild der Netzwerkinfrastruktur + +- [ ] KWA: Margit Bosch Outlook fragt immer wieder nach schluesselbund. +- [ ] KWA: kontakte in busycontacts bis mittwoch klaeren +- [ ] KWA/SSR: Installationsdateien in IT-Glue hinterlegen + +- [ ] GG: Avahi: Erstelle Liste aller Apple TV's +- [ ] GG: Avahi: Pruefe Skalierung, und Belastung. Ab September in Production +- [ ] GG: Broadcast: Beamer. Was fuer ein. Protokoll? + +- [ ] NeoSphere: identity management server + +#### TODAY + +- [x] TU: Mail Server Planning +- [ ] KWA/SSR: APN renewal +- [ ] APSA: Nextcloud + +## Timestamps (Friday 20250718) + +- 07:45 - 08:30: MacBook Susanna: Apps Installieren. +- 08:30 - 09:00: Anfahrt KWA +- 09:00 - 09:30: Susanna Knopp Mac fertig einrichten. Telefonat mit Ottenschlaeger von SHZ. +- 09:30 - 10:00: Meeting mit Sebastian Petar und Nina Schiffel. Beratung Ext Festplatte MacMini (PP). Telefonanlage ist ein Problem. +- 10:00 - 10:30: SSR: Lucas finden. Kerio Calendar Sync mit Toril klaeren. Haken in Kerio Control nicht gesetzt. 
+- 10:30 - 11:00: Gespraech mit Sebastian zu Netzwerkanforderungen Projekt Pro. Telefonat mit SHZ Chervinski +- 11:00 - 12:00: Anfahrt Sbx Buero +- 12:00 - 13:00: Pause +- 13:00 - 13:15: DAV: Migrate Linux VM from Azure. How To? +- 13:15 - 13:30: Telefonat mit SHZ +- 13:30 - 13:45: Telefonat mit Marko zu GG -> Montag Termin +- 13:45 - 14:00: [x] Martin Beta: SNAT Regel setzn in OPNsense +- 14:00 - 14:15: RCM: Sebastian Wichtler. VPN otp fuer Regineering testen. +- 14:15 - 14:30: Ruckus 10 Gbit/s Switch und OPNsense Cluster platzieren. Aktuelle SG210 Firewall Cluster pruefen +- 14:30 - 14:45: Rauchen +- 14:45 - 15:15: Ticketpflege +- 15:15 - 17:45: Beta: Martin. Telefonat. Gast WLAN geht nicht + +## Timestamps (Thursday 20250717) + +- 08:30 - 08:45: SHZ: Bessler. VPN und Cert +- 08:45 - 09:00: Kommunikation mit Kollegen. Michael Krank. Suche sein Ticket raus. +- 09:00 - 09:05: Versuche Ute Koeller zu erreichen +- 09:05 - 09:20: Telefonat Frau Koeller. OpenVPN installiert. +- 09:20 - 09:30: Fuchsgruber Telefonat +- 09:30 - 09:35: Telefonat Jan. Trudering weitergeben +- 09:35 - 10:45: Gespraech/Meeting mit Tobias Moser. +- 10:45 - 11:45: Versuchen IP Adresse von dem Wago herauszufinden +- 11:45 - 12:00: Mail an Tobias; IP gefunden. In IPAM hinterlegen. +- 12:00 - 13:00: Pause +- 13:00 - 13:45: telefonat mit Max Brosche. Wir sollten eine Liste haben mit allen IPs. Umbau Dezember 24 passier (neue Netze. V82_ohne_MXI64). Hinterlegen es in IPAM. IMC untersuchen -> zeigt Fehlermeldungen +- 13:45 - 14:15: Untersuche IPAM, IMC, Macmon. deb.glt.lan reparieren. nginx nutzt nur ipv6. +- 14:15 - 14:45: Sebastian rcm +- 14:45 - 15:45: Erstelle mir ein Nextcloud Acc. Suche nach WAGO/loytec Dokumenten. Allgemeine dokumente Struktur in IT-Glue anlegen. TUM branding fuer nextcloud config +- 15:45 - 16:45: Analysiere Funktion von gw.glt.tum.de und remote.glt.tum.de; Erstelle neue VM fuer alterts mail server. 
IPAM pflegen (remote Maschine und neuer Mail Server) + +## Timestamps (Wednesday 20250716) + +- 09:00 - 09:15: Recherche zu Vectorworks Fehler bei 2023 +- 09:15 - 09:30: Rauchen +- 09:30 - 09:45: Telefonat mit SHZ Tulbeckstrasse +- 09:45 - 10:00: S2S Tunnel wieder aufbauen und logs untersuchen +- 10:15 - 10:30: Telefonat mit Marko zu dem Problem und untersuche mit Michael die Logs +- 10:30 - 10:45: Telefonat mit Marko. zu Avahi bei GG. Funktioniert. Pruefe unter Last arbeit +- 10:45 - 11:00: Gespraech mit Oli zu Avahi. SEptember in Production. Pruefe Skalierung. +- 11:00 - 11:15: Diskutiere mit qwerty Skalierung des Avahi Servers +- 11:15 - 12:00: Troubleshooting mit Marko. Firewall Regeln nicht klar, welche Ports genutzt werden. +- 12:00 - 12:15: Gespraech mit Volker zu KWA VW Problem +- 12:15 - 12:45: mDNS/Bonjour nachdenken. +- 12:45 - 13:30: Pause +- 13:30 - 13:45: Proxmox Clustering Projekt mit Maxi besprechen +- 13:45 - 14:00: Pause +- 14:00 - 14:30: SHZ: Checke Firewall +- 14:30 - 15:30: Mit Marko. GG. Epson Beamer ueber VLANs verbinden +- 15:30 - 15:45: Cloud Monitor setzen fuer SHZ +- 15:45 - 16:30: TU: Mail Server Projekt +- 16:30 - 17:00: Kontakt mit KWA (Falk Benz); VW24 installieren. VW23 testen. Geht jetzt ploetzlich. + +## Timestamps (Tueday 20250715) + +- 08:00 - 08:30: Lesen; Kollegen belauschen; +- 08:30 - 09:30: Ticketpflege +- 09:30 - 09:45: Rauchen +- 09:45 - 10:00: VPN Config fuer OPNsense und OpenVPN schreiben +- 10:00 - 10:30: KWA: OPNsense. Alias fuer Syn Web Ports. Ordner fuer MW ins Archiv verschieben +- 10:30 - 10:45: IT-Glue Dokumente sortieren. OPNsense, Sophos und Projekt Notizen Ordnen +- 10:45 - 11:15: [x] Kerio Connect Lizenz (Lisa.Zenz) verlaengern. Mit Unterstuetzung von Sebastian Wichtler +- 11:15 - 11:45: NeoSphere Netzwerk Problem anschauen (NetAdmin Queue) +- 11:45 - 12:00: [x] SSR: OPNsense Doku abschliessen und bloed Ticket schliessen +- 12:00 - 13:00: Pause +- 13:00 - 13:15: Lizenz Datei auf Falk Benz Rechner loeschen. 
Pruefe Portfreigaben zum Vectorworks Server -> Port offen +- 13:15 - 13:30: [x] SSR: OPNsense Doku erweitern +- 13:30 - 14:30: KWA: VW23 findet den Server nicht. Troubleshooting und Recherche(https://app-help.vectorworks.net/2023/eng/VW2023_Guide/SiteProtection/Vectorworks_site_protection_server_overview.htm, https://forum.vectorworks.net/index.php?/topic/122985-vectorworks-cannot-find-license-server/) +- 14:30 - 15:00: [x] SSR: OPNsense Doku in IT-glue erweitern +- 15:00 - 15:15: Rauchen +- 15:15 - 15:30: TU: Pruefe, ob Sophos IPS bei web Anmeldungen kann. User Portal wird attakiert. +- 15:30 - 16:30: Maximilian Kugler: Proxmox auf Test Laptop installieren und qwerty vorstellen +- 16:30 - 17:00: APSA: nextcloud projekt wieder reinkommen. + +## Timestamps (Monday 20250714) + +- 16:00 - 18:30: Falk Rechner einrichten. manuell weil filewave nicht geht + +## todo + +### General + +- [ ] handout fuer jeweils sophos und opnsense als vergleich + +- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung + +- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs +- [ ] kwa/ssr snmp karten fuer usv +- [ ] update filewave admin und central + +### SBX + +- [ ] backup on external drive for pve.lab.softbox.net + +- [ ] check if possible to monitor vsphere passwd expiration +- [ ] create obsidian templates (Meetings, People, ) +- [ ] sbx - opsreportcard summary for action plan + +- [ ] fuege bharchitekten zu connectsecure hinzu +- [ ] erstelle connectsecure report fuer grasslfing diff --git a/diary/2025-07-20.md b/diary/2025-07-20.md new file mode 100644 index 0000000..e69de29 
diff --git a/projects/.DS_Store b/projects/.DS_Store index 7be5f556fb35f4f275d93072653ac75308bb4de2..4a14d2eed55f47c8bab3fc84dfbe2695b13c7fc1 100644 GIT binary patch delta 36 scmZn(XbG6$&uF(XU^hRb-DVzvL+qP-B&yjbHtgHXu5g@va*u==0Q39}CIA2c delta 272 zcmZn(XbG6$&*;1{U^hRb^JX4_L+thJ3H+`AG~63<3-c zjIuy_-hVIvvKSc9ROh4{1}Ep|7J%g#SQ;@^Yjg8c e@G66-D#$>#PGIvX@p|^n> + + +- Spaetestens Dienstag (23.07) \ No newline at end of file diff --git a/projects/gg/avahi_mdns-reflector/20250716-avahi-scaling.md b/projects/gg/avahi_mdns-reflector/20250716-avahi-scaling.md new file mode 100644 index 0000000..2a84354 --- /dev/null +++ b/projects/gg/avahi_mdns-reflector/20250716-avahi-scaling.md 
@@ -0,0 +1,117 @@ + +To scale your **Avahi server** (used for zeroconf/Bonjour services) in a large environment with **many Apple devices** (e.g., Apple TVs, iPhones, Macs) across **VLANs**, you need to address both **network architecture** and **Avahi configuration**. Below is a structured plan to ensure scalability and performance: + +--- + +### 🧠 **Key Considerations for Scaling Avahi** + +#### 1. **Network Segmentation and VLAN Isolation** + - **Separate Avahi Services per VLAN**: + Run **dedicated Avahi servers** for each VLAN (e.g., one for "Students" and one for "Teachers"). This isolates traffic and prevents cross-VLAN multicast flooding. + - Example: + - **VLAN 10 (Students)**: Avahi server handles only student devices. + - **VLAN 20 (Teachers)**: Avahi server handles only teacher devices. + - **VLAN 30 (Apple TV VLAN)**: Dedicated Avahi server for Apple TVs. + - This reduces the load on any single Avahi instance and prevents unnecessary multicast traffic across VLANs. + + - **Use VLAN-Specific DNS-SD (mDNS)**: + Ensure Apple TVs and devices are configured to use **mDNS within their VLAN**. This avoids cross-VLAN service discovery and reduces broadcast traffic. + +--- + +#### 2. **Avahi Server Optimization** + - **Limit Service Scope**: + Use **`avahi-daemon`** configuration to restrict service broadcasting to specific VLANs. For example: + ```ini + [server] + ; Only allow services on VLAN 10 (e.g., 10.56.2.0/24) + ; This is done via network segmentation, not Avahi itself. + ``` + - **Reduce Redundant Advertisements**: + - **Limit Apple TV service types**: + Apple TVs often advertise multiple services (e.g., HTTP, DLNA, Bonjour). Use **`avahi-publish`** or `dns-sd` to restrict only necessary services (e.g., only the "Apple TV" service). + - **Use static service records**: + For critical services (e.g., Apple TV streaming), predefine static DNS-SD records instead of relying on dynamic discovery. This reduces the number of advertisements. 
+ + - **Enable Caching and Query Limiting**: + - Use **`avahi-browse`** to cache service records and reduce redundant queries. + - Limit the number of concurrent queries using `avahi-daemon` configuration (`--max-queries` or `--max-queries-per-sec`). + +--- + +#### 3. **Hardware and OS Considerations** + - **High-Performance Server**: + Run Avahi on a dedicated server with: + - **SSD storage** for faster log writes. + - **Sufficient RAM** (e.g., 8GB+ for 50+ devices). + - **Multi-core CPU** to handle multicast traffic and service resolution. + + - **Use Lightweight OS**: + Avoid heavy OS features (e.g., GUI, unnecessary services) to free up resources. Consider **Debian/Ubuntu minimal** or **Alpine Linux** for Avahi. + +--- + +#### 4. **Network Infrastructure** + - **Enable IGMP Snooping**: + Configure switches to **filter multicast traffic** (e.g., `IGMP Snooping` or `MLD Snooping` for IPv6) to prevent unnecessary flooding. + - **Use QoS for mDNS Traffic**: + Prioritize mDNS UDP packets (port 5353) to ensure low latency for service discovery. + - **Segment Traffic with VLANs**: + Ensure Apple TVs and devices are on their own VLAN to avoid cross-VLAN multicast storms. + +--- + +#### 5. **Monitoring and Failover** + - **Monitor Avahi Logs**: + Use `journalctl` or `avahi-browse` to track service advertisements and detect bottlenecks. + - **Set Up Redundant Avahi Servers**: + Run **two Avahi servers** per VLAN with **split-brain configuration** (e.g., using `avahi-daemon` with `--enable-dbus` and `--enable-dbus-interfaces`). This ensures failover if one server fails. + - **Use External DNS for Large-Scale mDNS**: + For very large environments, consider **external DNS servers** (e.g., `dnsmasq`, `mDNSResponder`) to handle mDNS queries, reducing load on Avahi. + +--- + +#### 6. **Apple-Specific Optimizations** + - **Limit Apple TV Advertisements**: + Apple TVs often broadcast multiple services (e.g., HTTP, DLNA, Bonjour). 
Use **`avahi-publish`** to restrict only the "Apple TV" service. + - **Use Static IP for Apple TVs**: + Assign static IPs to Apple TVs to avoid dynamic IP conflicts and reduce mDNS advertisement overhead. + - **Enable Bonjour Proxy**: + If Apple devices are on different subnets, use a **Bonjour proxy** (e.g., `dnsmasq` with `--enable-dns-forwarding`) to route mDNS queries efficiently. + +--- + +### πŸ“Œ **Example Configuration for Avahi (Debian/Ubuntu)** + +```bash +# /etc/avahi/avahi-daemon.conf +[server] +; Enable DNS-SD +enable-dns = yes +; Limit query rate +max-queries = 1000 +max-queries-per-sec = 100 +; Use static IP for Apple TVs (if needed) +; (Configure via DHCP or static IP assignment) +``` + +--- + +### πŸ§ͺ **Testing and Validation** +1. **Simulate Load**: + Use tools like `avahi-browse` or `dns-sd` to test service discovery under load. +2. **Monitor Network Traffic**: + Use `tcpdump` or Wireshark to check for multicast traffic and ensure it’s confined to the VLAN. +3. **Stress Test**: + Simulate 50+ Apple TVs and devices broadcasting services to verify Avahi performance. + +--- + +### βœ… **Summary** +- **Isolate VLANs** to prevent cross-traffic. +- **Run dedicated Avahi servers** per VLAN. +- **Optimize service advertisements** and enable caching. +- **Use hardware and OS resources efficiently**. +- **Monitor and scale** based on real-world usage. + +By following these steps, your Avahi server will scale effectively to handle 40–50 Apple TVs and many other devices without performance degradation. \ No newline at end of file diff --git a/projects/gg/avahi_mdns-reflector/20250716-firewall-rules-bonjour.md b/projects/gg/avahi_mdns-reflector/20250716-firewall-rules-bonjour.md new file mode 100644 index 0000000..ee68e4d --- /dev/null +++ b/projects/gg/avahi_mdns-reflector/20250716-firewall-rules-bonjour.md 
@@ -0,0 +1,52 @@ + +You're absolutely correct. **Xsan** (Apple's high-performance file system) uses a **dynamic port range** (49152–65535) for **data transfer** between clients and servers. These ports are essential for **high-throughput file access** in environments like video production, where Apple TVs or other devices may interact with Xsan servers. Below is the updated list of **critical ports** for Apple services, including **Xsan**: + +--- + +### 🚫 **Critical Ports to Open (Updated)** +| Port Range | Protocol | Purpose | Required | +|------------------|----------|----------------------------------------------|----------| +| **5353** | UDP | **mDNS/Bonjour** (service discovery) | βœ… Yes | +| **80** | TCP | **HTTP** (web services, streaming) | βœ… Yes | +| **443** | TCP | **HTTPS** (secure web services) | βœ… Yes | +| **554** | TCP/UDP | **RTSP** (media streaming) | βœ… Yes | +| **9876** | TCP | **Apple TV Remote Access** | βœ… Yes | +| **9877** | TCP | **Apple TV Media Streaming** | βœ… Yes | +| **49152–65535** | TCP | **Xsan Filesystem Access** (dynamic range) | βœ… Yes | + +--- + +### πŸ“Œ **Key Notes** +1. **Xsan (49152–65535)** + - **Purpose**: Used for **high-performance file transfers** between Xsan clients (e.g., Apple TVs, editing stations) and Xsan servers. + - **Why It Matters**: Xsan is designed for **low-latency, high-throughput** environments. The dynamic port range ensures scalability and avoids port exhaustion. + - **Security**: While these ports are required for Xsan, they are **dynamic** and should be **restricted to trusted VLANs** (e.g., Apple TV VLAN ↔ Xsan server VLAN). + +2. **Firewall Rules** + - **Direction**: Allow **bidirectional traffic** between VLANs. + - **Stateful Inspection**: Use stateful rules (e.g., in OPNsense) to automatically handle both directions. + - **VLAN Isolation**: Ensure traffic is only allowed between **Apple TV VLAN** and **Xsan server VLAN** (or Teacher/Student VLANs, if applicable). + +3. 
**Testing and Validation** + - **Simulate Load**: Use tools like `tcpdump` or `Wireshark` to capture traffic and confirm the port range is being used. + - **Monitor Traffic**: Ensure no unintended exposure by restricting access to only the necessary VLANs. + +--- + +### 🧠 **Example OPNsense Rule (Xsan Server ↔ Apple TV VLAN)** +1. **Interface**: Create VLAN interfaces (e.g., `VLAN10` for Apple TV, `VLAN20` for Xsan server). +2. **Rule**: + - **Action**: Allow + - **Source**: `VLAN10` (Apple TV VLAN) + - **Destination**: `VLAN20` (Xsan server VLAN) + - **Protocol**: TCP (49152–65535) + - **State**: Enable (for bidirectional traffic). + +--- + +### βœ… **Summary** +- **Xsan** requires the **dynamic port range 49152–65535 (TCP)** for efficient file access. +- Ensure these ports are **allowed between relevant VLANs** and **restricted to trusted devices**. +- Always **verify if Xsan is required** in your environment to avoid unnecessary exposure. + +By including these ports and configuring the firewall accordingly, Apple services (including Xsan) will function seamlessly across VLANs. \ No newline at end of file diff --git a/projects/gg/avahi_mdns-reflector/20250717-project-plan-scaling.md b/projects/gg/avahi_mdns-reflector/20250717-project-plan-scaling.md new file mode 100644 index 0000000..a5c1768 --- /dev/null +++ b/projects/gg/avahi_mdns-reflector/20250717-project-plan-scaling.md 
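Review bot: the premise of 20250716-firewall-rules-bonjour.md, that Apple TVs are Xsan clients and therefore need TCP 49152-65535 opened between the Apple TV VLAN and an Xsan server VLAN, is not supported by anything else in this commit: Xsan is the macOS SAN client/metadata-controller file system, the design in the sibling files has Apple TVs in VLAN 7 and student/teacher devices in 15/19 with no Xsan server anywhere, and 49152-65535 is the whole ephemeral port range, so the rule amounts to "any dynamic TCP port between the VLANs". The closing line "Always verify if Xsan is required" is the right instinct; act on it and take the row out of the "Required: Yes" table. Also, 9876/9877 "Apple TV Remote Access/Media Streaming" are not ports I can tie to Apple's published port reference, so cite the source before opening them, and the worked rule is written for OPNsense while every other file in this commit names the Sophos XGS4300 as the firewall; either mark the example as illustrative or rewrite it for the Sophos.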
@@ -0,0 +1,164 @@ + +### **Comprehensive Project Plan for VLAN Bridging with mDNS Proxy and Avahi Servers** + +--- + +### **1. Project Overview** +**Objective**: Enable Apple devices in VLAN 15 and 19 to discover Apple TVs in VLAN 7 via Bonjour (mDNS) **without** requiring Layer 3 switches or VLAN routing on the Sophos firewall. +**Key Requirements**: +- **VLANs**: Student (15), Teacher (19), AppleTV (7). +- **Subnets**: + - VLAN 15: `172.16.19.254/255.255.252.0` + - VLAN 19: `192.168.151.254/255.255.252.0` + - VLAN 7: `172.16.111.254/255.255.248.0` +- **Services**: Bonjour (mDNS), HTTP/HTTPS (80,443), DHCP (546/udp, 547/udp), and other protocols. +- **Tools**: + - **Sophos XGS4300**: DHCP server, firewall. + - **ESXi**: Hypervisor for VMs. + - **Debian VMs**: Avahi servers, mDNS proxy. +- **Switches**: Level 2 (no IGMP snooping). +- **VM IPs**: `.250` in each VLAN (e.g., `172.16.19.250`, `192.168.151.250`, `172.16.111.250`). + +--- + +### **2. Network Architecture Design** + +#### **A. VLAN Configuration (ESXi vSwitch)** +- **vSwitch Setup**: + - Create a **vSwitch** (e.g., `vSwitch0`) with **VLAN tags** for each VLAN (15, 19, 7). + - Assign **VMs** to this vSwitch with appropriate VLAN tags. +- **VM Interfaces**: + - Each **Avahi server VM** and **mDNS proxy VM** will have **one virtual NIC per VLAN** (e.g., VLAN 15, VLAN 19, VLAN 7). + - Ensure **untagged interfaces** for management (optional). + +#### **B. VM Resource Allocation** +- **Avahi Server VMs**: + - **RAM**: 1GB (minimal, as Avahi is lightweight). + - **CPU**: 1 core. + - **Storage**: 10GB (for OS and logs). +- **mDNS Proxy VM**: + - **RAM**: 2GB (to handle traffic forwarding). + - **CPU**: 2 cores. + - **Storage**: 20GB (for logs and configurations). + +#### **C. 
IP Addressing** +- **Avahi Servers**: + - VLAN 15: `172.16.19.250` + - VLAN 19: `192.168.151.250` + - VLAN 7: `172.16.111.250` +- **mDNS Proxy**: + - Assign a **static IP** (e.g., `172.16.111.251`) in VLAN 7 (or use a management VLAN if needed). + +--- + +### **3. Software and Configuration** + +#### **A. Avahi Servers (Per VLAN)** +- **OS**: Debian 12 (Bookworm). +- **Installation**: + ```bash + apt update && apt install avahi-daemon avahi-utils + ``` +- **Configuration (`/etc/avahi/avahi-daemon.conf`)**: + - Ensure `host-name` is set to the VM's hostname (e.g., `avahi15`). + - Set `domain-name` to the local domain (e.g., `local`). +- **Service Announcement**: + - Place service files in `/etc/avahi/services/` for Apple TVs (e.g., `apple-tv.service`). + - Example `apple-tv.service`: + ```xml + + _http._tcp + _apple-tv._sub + 80 + apple-tv.local + + ``` + +#### **B. mDNS Proxy (VM)** +- **Software**: Use **`mdnsproxy`** (not `dnsmasq`) for mDNS forwarding. +- **Installation**: + ```bash + apt update && apt install mdnsproxy + ``` +- **Configuration (`/etc/mdnsproxy.conf`)**: + - Define **forwarding rules** between VLANs: + ```ini + [forward] + 172.16.19.250 192.168.151.250 172.16.111.250 + 192.168.151.250 172.16.19.250 172.16.111.250 + 172.16.111.250 172.16.19.250 192.168.151.250 + ``` + - Ensure **UDP port 5353** is open for mDNS traffic. +- **Firewall Rules (Sophos XGS)**: + - Allow **UDP port 5353** between VLAN 15, 19, and 7. + - Allow **TCP/UDP ports 80, 443, 546, 547** for service access. + +--- + +### **4. Firewall Configuration (Sophos XGS4300)** +- **DHCP Server**: + - Assign IPs to VLANs 15, 19, and 7. + - Ensure **IP ranges** match the subnets (e.g., VLAN 15: `172.16.19.252-254`). +- **Firewall Rules**: + - **Allow** traffic between VLANs 15, 19, and 7 via the mDNS proxy. + - **Deny** direct communication between VLANs (to enforce proxy routing). + - **Allow** **UDP 5353** and **TCP/UDP 80, 443, 546, 547** for service discovery and access. 
+ +--- + +### **5. Testing and Validation** +- **Step 1**: Verify **VLAN tagging** on ESXi vSwitch. Use `ovs-ofctl dump-ports` to confirm VLAN tags. +- **Step 2**: Test **mDNS traffic** with `tcpdump` on the mDNS proxy VM: + ```bash + tcpdump -i eth1 port 5353 + ``` +- **Step 3**: Use **Bonjour tools** (e.g., `dns-sd`) to discover services: + ```bash + dns-sd -B _http._tcp local + ``` +- **Step 4**: Ensure **Apple devices** can access services via the proxy. +- **Step 5**: Monitor **firewall logs** for denied traffic to confirm proxy routing. + +--- + +### **6. Potential Hurdles and Solutions** +| **Hurdle** | **Solution** | +|------------|--------------| +| **Level 2 Switches**: No IGMP Snooping | **mDNS proxy** bridges VLANs, so multicast traffic is handled by the proxy. | +| **Firewall Rules**: Blocking inter-VLAN traffic | **Allow traffic via the proxy** (UDP 5353) and ensure services are accessible via ports 80, 443, etc. | +| **VM IP Conflicts** | Assign **static IPs** in each VLAN (e.g., `.250`) to avoid DHCP conflicts. | +| **mDNS Proxy Not Forwarding** | Verify `mdnsproxy` configuration and ensure VMs are connected to all VLANs. | +| **Service Discovery Failures** | Test with `dns-sd` and ensure Avahi servers are correctly configured. | + +--- + +### **7. Resource Recommendations** +- **ESXi Host**: + - At least 8GB RAM, 4 cores. + - Ensure **vSwitch** is configured with VLAN tags. +- **VMs**: + - **Avahi Servers**: 1GB RAM, 1 core. + - **mDNS Proxy**: 2GB RAM, 2 cores. +- **Storage**: + - Allocate 10-20GB per VM for OS, logs, and service files. + +--- + +### **8. Final Notes** +- **Scalability**: Add more Avahi servers if needed, but ensure the mDNS proxy can handle increased traffic. +- **Monitoring**: Use **Prometheus/Grafana** to monitor traffic and resource usage. +- **Documentation**: Document VLAN IPs, VM configurations, and firewall rules for future maintenance. + +--- + +### **9. 
Has Anything Been Missed?** +- **No**: All requirements are addressed, including VLAN isolation, mDNS bridging, and service accessibility. +- **Optional Enhancements**: + - Add **load balancing** for the mDNS proxy. + - Use **SNMP** to monitor switch traffic. + - Implement **failover** for critical services. + +--- + +### **10. Conclusion** +This setup is **feasible** and **robust** for your requirements. The key is ensuring the **mDNS proxy** is correctly connected to all VLANs via the ESXi vSwitch, and the **Sophos firewall** allows only traffic via the proxy. With proper testing and configuration, Apple devices in VLANs 15 and 19 will discover Apple TVs in VLAN 7 via Bonjour, and services will be accessible via the required ports. πŸš€ \ No newline at end of file diff --git a/projects/gg/avahi_mdns-reflector/20250718-overview.md b/projects/gg/avahi_mdns-reflector/20250718-overview.md new file mode 100644 index 0000000..d8890c2 --- /dev/null +++ b/projects/gg/avahi_mdns-reflector/20250718-overview.md 
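Review bot: the addressing in 20250717-project-plan-scaling.md is internally inconsistent and will not survive into the Sophos/ESXi config as written: the "Subnets" list gives host addresses (`172.16.19.254/255.255.252.0`) where networks are meant (with those masks the networks are 172.16.16.0/22, 192.168.148.0/22 and 172.16.104.0/21), and the DHCP example range `172.16.19.252-254` is three addresses that include the .254 gateway. "DHCP (546/udp, 547/udp)" is DHCPv6; IPv4 DHCP is 67/68 and, since the Sophos serves each VLAN directly, needs no inter-VLAN rule at all. On the software side: I cannot find an `mdnsproxy` package in Debian 12 and the `[forward]` stanza in `/etc/mdnsproxy.conf` does not match any mDNS reflector I know, whereas 20250718-overview.md in this same commit already settles on avahi-daemon's `[reflector]` section; pick one and make the two files agree. The `apple-tv.service` example has lost its XML tags (an Avahi service file needs `<service-group>`, `<name>` and a `<service>` with `<type>` and `<port>`) and should not exist anyway: the Apple TVs announce `_airplay._tcp`/`_raop._tcp` themselves, and a static `_http._tcp` record for `apple-tv.local` would only add a bogus entry. Finally, "Deny direct communication between VLANs (to enforce proxy routing)" defeats the goal: a reflector only copies discovery packets, after which an iPad connects by unicast to the Apple TV's VLAN 7 address on the port it advertised, so that routed traffic must be allowed, not denied. Minor: `ovs-ofctl dump-ports` is Open vSwitch, not ESXi, use `esxcli network vswitch standard portgroup list` (or the port group's VLAN ID in vSphere); and "Level 2 switches" should read "Layer 2".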
@@ -0,0 +1,88 @@ + +Here's a **structured summary** of your network requirements and design, incorporating your latest updates and clarifications: + +--- + +### **Network Overview** + +#### **1. VLANs and Subnets** +| VLAN | Subnet | Gateway IP | Avahi Server IP | mDNS Proxy IP | +|------|--------------------------------|------------------|------------------|----------------| +| 15 | 172.16.19.0/255.255.252.0 | 172.16.19.254 | 172.16.19.250 | 172.16.19.251 | +| 19 | 192.168.151.0/255.255.252.0 | 192.168.151.254 | 192.168.151.250 | 192.168.151.251 | +| 7 | 172.16.111.0/255.255.248.0 | 172.16.111.254 | 172.16.111.250 | 172.16.111.251 | + +**Note:** All VLANs are routed via the **Sophos XGS4300**, which acts as the **DHCP server** for all VLANs. + +--- + +#### **2. Avahi Server Configuration** +- **Local Avahi Servers**: + - **VLAN 15**: Runs Avahi on `172.16.19.250` for local discovery. + - **VLAN 19**: Runs Avahi on `192.168.151.250` for local discovery. + - **VLAN 7**: Runs Avahi on `172.16.111.250` for local discovery. +- **Central Avahi Server** (mDNS Proxy): + - **IPs**: `172.16.19.251`, `192.168.151.251`, `172.16.111.251` (untagged interfaces for each VLAN). + - **Configuration**: + ```ini + [reflector] + enable-reflector=yes + #reflect-ipv=no + #reflect-filters=_airplay._tcp.local,_raop._tcp.local + ``` + - **Purpose**: Acts as a **central mDNS reflector** to forward traffic between VLANs, enabling Apple devices in VLANs 15/19 to discover Apple TVs in VLAN 7. + +--- + +#### **3. mDNS Proxy VM (Central Avahi Server)** +- **OS**: Debian. +- **Network Configuration**: + - Uses **`/etc/network/interfaces`** to assign static IPs for each VLAN (ending in `.251`). + - Interfaces are **untagged** (virtual) for each VLAN. +- **Function**: + - Forwards mDNS traffic between VLANs (e.g., `_airplay._tcp.local`, `_raop._tcp.local`). + - Ensures Apple devices in VLANs 15/19 can discover Apple TVs in VLAN 7 via Bonjour. + +--- + +#### **4. 
ESXi and VLAN Management** +- **Hyper-Visor**: ESXi. +- **vSwitch Configuration**: + - Each VLAN is assigned a **virtual port group** with the corresponding subnet. + - VMs (Avahi servers, mDNS proxy, etc.) are assigned to the appropriate VLAN port group. +- **IP Assignment**: + - VMs use **static IPs** (`.250` for local Avahi servers, `.251` for central Avahi server). + +--- + +#### **5. Switch Configuration** +- **Switches**: Managed Level 2 switches. +- **IGMP Snooping**: + - **Recommendation**: **Enable IGMP snooping** on all switches. + - **Rationale**: + - While mDNS (Bonjour) uses **UDP** and not IGMP, **other multicast services** (e.g., `546/udp` for DHCPv6, `80/443` for HTTP/HTTPS) may rely on IGMP. + - IGMP snooping prevents unnecessary multicast traffic flooding, improving network efficiency. + - **Note**: If only mDNS is used, IGMP snooping is **not strictly required**, but enabling it is **beneficial for future scalability**. + +--- + +### **Key Considerations** +- **Resource Allocation for VMs**: + - **Avahi Servers (VLANs 15, 19, 7)**: Minimal resources (1 vCPU, 512MB RAM). + - **Central Avahi Server (mDNS Proxy)**: Slightly higher resources (2 vCPUs, 1GB RAM) due to traffic forwarding. +- **Firewall Rules**: + - Ensure **UDP ports 80, 443, 546/udp, 546/tcp** are open between VLANs 15/19 and VLAN 7. + - Allow **mDNS traffic (UDP 5353)** for Bonjour discovery. +- **Testing**: + - Use `avahi-browse` on Apple devices to verify Apple TV discovery. + - Test service ports (e.g., `curl http://:80`) to confirm connectivity. + +--- + +### **Summary of Design** +- **VLAN Isolation**: Each VLAN operates independently with its own subnet and Avahi server. +- **Central mDNS Proxy**: Acts as a bridge for Bonjour discovery between VLANs, enabling cross-VLAN service discovery. +- **Network Efficiency**: IGMP snooping is enabled to optimize multicast traffic handling. 
+- **Scalability**: The design supports future additions (e.g., more Apple devices, services) without overhauling the architecture. + +Let me know if you’d like a **diagram** or **Debian interface configuration examples**! πŸš€ \ No newline at end of file diff --git a/projects/gg/avahi_mdns-reflector/20250718-ruckus-sw-cfg.md b/projects/gg/avahi_mdns-reflector/20250718-ruckus-sw-cfg.md new file mode 100644 index 0000000..5501b82 --- /dev/null +++ b/projects/gg/avahi_mdns-reflector/20250718-ruckus-sw-cfg.md 
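Review bot: the IGMP snooping rationale in 20250718-overview.md is wrong in its examples: HTTP/HTTPS on 80/443 are unicast TCP, and 546/547 is DHCPv6, which uses IPv6 multicast governed by MLD, not IGMP, so none of them "rely on IGMP". The real interaction runs the other way: mDNS goes to 224.0.0.251, and a switch with IGMP snooping enabled but no querier on the VLAN may prune that group and silently break discovery, so if snooping stays on make sure the Sophos or a switch is the IGMP querier in every VLAN (or that the switch floods the 224.0.0.0/24 link-local range). Also: the subnet column lists `172.16.19.0/255.255.252.0` etc., which are not network addresses (the /22 containing 172.16.19.254 is 172.16.16.0/22; likewise 192.168.148.0/22 and 172.16.104.0/21); the firewall bullet "UDP ports 80, 443, 546/udp, 546/tcp" should be TCP 80/443 and, only if DHCPv6 relay is really intended, UDP 546/547; and in the reflector snippet consider uncommenting `reflect-filters=_airplay._tcp.local,_raop._tcp.local` (Avahi 0.8 and later) so only the AirPlay records cross VLANs instead of every mDNS record on all three networks. Lastly, with the reflector in place the per-VLAN Avahi servers at .250 publish nothing the Apple TVs do not already announce themselves; state what they are for or drop them.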
@@ -0,0 +1,101 @@ + +### **Ruckus One Switch Configuration for Your Network Setup** + +#### **1. IGMP Snooping Configuration** +Ruckus One switches support **active** and **passive** IGMP snooping. Here's what to use: + +- **IGMP Snooping Mode**: **Active** + - **Why**: Active mode actively participates in IGMP snooping, ensuring multicast traffic is forwarded only to ports where devices are listening. This is critical if your network has **other multicast traffic** (e.g., video streaming, IP multicast services). While mDNS (Bonjour) uses UDP and not IGMP, enabling active IGMP snooping ensures **compatibility with other multicast services** and prevents unnecessary flooding. + +- **Enable IGMP Snooping**: + - Navigate to **Ruckus One Dashboard > Switches > [Switch Name] > IGMP Snooping**. + - Set **Mode** to **Active**. + - Enable **IGMP Snooping** and **IGMP Snooping Fast Leave** (for faster group leave handling). + +--- + +#### **2. Key Configuration Recommendations for Ruckus One Switches** +Here’s how to configure your switches for **maximal efficiency** and **network quality**: + +##### **A. VLAN Configuration** +- **VLAN Trunking**: Ensure **trunk ports** are used between switches and the core network (e.g., Sophos XGS4300) to carry all VLANs (15, 19, 7). +- **Access Ports**: Assign **access ports** to end-user devices (Apple TVs, macOS/iOS devices) with the correct VLAN tag. +- **VLAN Prioritization**: + - Use **QoS (CoS)** to prioritize critical traffic (e.g., Bonjour, HTTP, HTTPS). + - Example: Assign **CoS 5** to VLAN 7 (AppleTV) and **CoS 4** to VLANs 15/19 (Apple devices). + +##### **B. QoS and Traffic Prioritization** +- **Priority Queuing**: + - Prioritize **UDP ports 80, 443, 546** (HTTP, HTTPS, DHCPv6) for Apple devices. + - Use **DSCP values** (e.g., DSCP 46 for EF class) to mark traffic for low-latency, high-reliability transmission. 
+- **Traffic Shaping**: + - Limit bandwidth for non-critical traffic (e.g., background updates) to ensure quality for AppleTV and student/teacher devices. + +##### **C. Link Aggregation (LACP)** +- **Enable LACP** on uplinks between switches and the core (Sophos XGS4300) to: + - Improve redundancy. + - Balance traffic across multiple links. + - Avoid single points of failure. + +##### **D. Spanning Tree Protocol (STP)** +- **Enable STP** (RSTP or MSTP) to prevent broadcast storms and loops. +- Set **root bridges** to avoid unnecessary STP convergence delays. + +##### **E. Port Security** +- **Enable Port Security** on access ports to: + - Prevent MAC address spoofing. + - Limit the number of devices per port (e.g., 1 device per port for AppleTV). +- Use **MAC-based filtering** to restrict unauthorized devices. + +##### **F. IGMP Snooping Enhancements** +- **IGMP Snooping Fast Leave**: Reduces delay when devices leave multicast groups. +- **IGMP Snooping Querier Timeout**: Adjust timeout values (e.g., 100 seconds) to balance responsiveness and resource usage. + +##### **G. Monitoring and Analytics** +- **Enable Traffic Monitoring** to track: + - Bandwidth usage per VLAN. + - Multicast traffic patterns. + - QoS policy enforcement. +- Use **Ruckus One Analytics** to identify bottlenecks or misconfigurations. + +--- + +#### **3. CSV File Configuration (Batch Setup)** +If you have a CSV list of all switches, use the **Ruckus One Dashboard** to apply configurations **across all switches**: + +1. **Export Switch Configurations**: + - Navigate to **Ruckus One Dashboard > Switches > [Switch Name] > Export Configuration**. + - Save the configuration as a `.cfg` file. + +2. **Batch Apply Configurations**: + - Use the **"Apply Configuration"** feature to push the same settings to multiple switches. + - For VLANs, QoS, and QoS policies, ensure all switches are configured identically. + +3. 
**Automate with Ruckus One API** (Optional): + - Use the **Ruckus One API** (via REST or SDK) to programmaticall configure switches in bulk. + - Example: Apply IGMP snooping settings to all switches in a group. + +--- + +#### **4. Additional Best Practices** +- **Firmware Updates**: Ensure all switches are running the **latest firmware** for security and performance improvements. +- **SNMP Monitoring**: Enable SNMP for real-time monitoring of switch metrics (e.g., CPU usage, port status). +- **Security Policies**: + - Disable **unnecessary protocols** (e.g., Telnet, FTP). + - Enable **SSH** and **HTTPS** for secure access. + - Use **802.1X authentication** for access ports to restrict unauthorized devices. + +--- + +### **Summary Table: Ruckus One Switch Configuration Summary** +| Feature | Configuration | Rationale | +|--------------------------|----------------------------------------|-----------| +| IGMP Snooping | **Active** mode, enabled | For multicast services and compatibility | +| VLAN Trunking | Enabled on uplinks | For inter-switch communication | +| QoS (CoS/DSCP) | Prioritize VLAN 7 (AppleTV) | Ensures low-latency traffic | +| Link Aggregation (LACP) | Enabled on uplinks | Redundancy and bandwidth | +| Port Security | Enabled, MAC-based filtering | Prevents unauthorized access | +| STP (RSTP/MSTP) | Enabled, root bridge set | Prevents loops | +| Monitoring | SNMP, Ruckus One Analytics | Identifies performance issues | + +By following these steps, your Ruckus One switches will be optimized for **multicast traffic handling**, **quality of service**, and **network security** in your hybrid AppleTV/education network. Let me know if you need help exporting CSV configurations or scripting API calls! πŸš€ \ No newline at end of file diff --git a/projects/proxmox/firste-steps.md b/projects/proxmox/firste-steps.md new file mode 100644 index 0000000..26fc41b --- /dev/null +++ b/projects/proxmox/firste-steps.md 
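Review bot: the QoS section in 20250718-ruckus-sw-cfg.md tells the reader to prioritise "UDP ports 80, 443, 546"; 80 and 443 are TCP, and 546 is DHCPv6, which is neither latency-sensitive nor involved in Apple TV streaming, so that classifier would match nothing useful. If anything here deserves a DSCP mark it is the AirPlay/RAOP media flows towards VLAN 7, which the "CoS 5 for VLAN 7" line already covers. On the IGMP part: "Active" snooping on Ruckus ICX switches means the switch itself originates IGMP queries, which is what you want when the Sophos is not a querier, but verify after enabling it that 224.0.0.251 is still delivered in every VLAN, otherwise the mDNS reflector design in the sibling overview file stops working. The port-security bullet "1 device per port for AppleTV" and the later "802.1X authentication for access ports" conflict for the Apple TVs unless they get a MAC-authentication bypass; say which applies. Typo in the API bullet: "programmaticall".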
@@ -0,0 +1,5 @@ + + +## Init + +- Repo anpassen \ No newline at end of file diff --git a/projects/sbx/sbx-host-update-cycle.md b/projects/sbx/defaults/sbx-host-update-cycle.md similarity index 100% rename from projects/sbx/sbx-host-update-cycle.md rename to projects/sbx/defaults/sbx-host-update-cycle.md diff --git a/projects/sbx/defaults/sbx-lab-network.md b/projects/sbx/defaults/sbx-lab-network.md new file mode 100644 index 0000000..12c4d8a --- /dev/null +++ b/projects/sbx/defaults/sbx-lab-network.md @@ -0,0 +1,26 @@ + +## network + +- Gateway/Firewall Static IP: 10.11.12.254/24 +- DHCP: 10.11.12.100 - 10.11.12.200 + +### Static IPs + +| hostname | mac | IP | comment | active | +| ------------- | ----------------- | ------------ | -------------------------- | ------ | +| gw | | 10.11.12.254 | sophos fw | true | +| dns1 | | 10.11.12.253 | bind master | true | +| dns2 | | 10.11.12.252 | bind slave | true | +| pve | | 10.11.12.1 | proxmox host | true | +| node1 | | 10.11.12.2 | opnsense cluster test | false | +| node2 | | 10.11.12.3 | opnsense cluster test | false | +| vip-wan | | 10.11.12.4 | opnsense cluster test | false | +| drawio | | 10.11.12.20 | drawio instance | false | +| pve-wazuh | | 10.11.12.40 | patryk test pve | false | +| wazuh-server | | 10.11.12.41 | patryk test wazuh server | false | +| wazuh-win-11 | | 10.11.12.42 | patryk test win11 client | false | +| wazuh-kali | | 10.11.12.50 | patryk test win11 client | false | +| pxe | BC:24:11:99:2D:8A | 10.11.12.69 | netbbot_xyz | true | +| metabase | | 10.11.12.99 | test for discopharma | false | +| pve-max | | 10.11.12.100 | test pve instance for maxi | false | +| sbx-sw-lab-00 | B0:7C:51:30:64:4E | 10.11.12.220 | central switch | true | diff --git a/projects/sbx/sbx-lab-network.md b/projects/sbx/sbx-lab-network.md deleted file mode 100644 index be4ad50..0000000 --- a/projects/sbx/sbx-lab-network.md +++ /dev/null 
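Review bot: in the new projects/sbx/defaults/sbx-lab-network.md the DHCP pool `10.11.12.100 - 10.11.12.200` overlaps the static entry `pve-max | 10.11.12.100`, so that host will collide with a lease as soon as it is switched on (it is `active: false` today, which is the only reason it has not yet). Either move pve-max out of the pool or start the pool at .101. The comment for `wazuh-kali` still reads "patryk test win11 client", copied from the line above. And the `pve` row at 10.11.12.1 is new and marked active; since this file is the reference for static assignments, its MAC column (and those of gw/dns1/dns2) is worth filling in.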
@@ -1,23 +0,0 @@ - -## network - -- Gateway/Firewall Static IP: 10.11.12.254/24 -- DHCP: 10.11.12.100 - 10.11.12.200 - -### Static IPs - -| hostname | mac | IP | comment | active | -| ------------ | ----------------- | ------------ | ------------------------ | ------ | -| gw | | 10.11.12.254 | sophos fw | true | -| dns1 | | 10.11.12.253 | bind master | true | -| dns2 | | 10.11.12.252 | bind slave | true | -| node1 | | 10.11.12.2 | opnsense cluster test | false | -| node2 | | 10.11.12.3 | opnsense cluster test | false | -| vip-wan | | 10.11.12.4 | opnsense cluster test | false | -| drawio | | 10.11.12.20 | opnsense cluster test | false | -| pve-wazuh | | 10.11.12.40 | patryk test pve | true | -| wazuh-server | | 10.11.12.41 | patryk test wazuh server | true | -| wazuh-win-11 | | 10.11.12.42 | patryk test win11 client | true | -| wazuh-kali | | 10.11.12.50 | patryk test win11 client | true | -| pxe | BC:24:11:99:2D:8A | 10.11.12.69 | netbbot_xyz | true | -| metabase | | 10.11.12.99 | test for discopharma | false | diff --git a/projects/tu/glt-mail/20250710-init.md b/projects/tu/glt-mail/20250710-init.md index 17ed519..5371dd6 100644 --- a/projects/tu/glt-mail/20250710-init.md +++ b/projects/tu/glt-mail/20250710-init.md @@ -4,7 +4,7 @@ ## Vorstellung -- GLT Meldungen dper Mail an Sammelpostfach +- GLT Meldungen per Mail an Sammelpostfach - Empfaenger adresse benoetigt - zum Beispiel Registrierung Veeam diff --git a/projects/tu/glt-mail/20250716-thoughts.md b/projects/tu/glt-mail/20250716-thoughts.md new file mode 100644 index 0000000..561896e --- /dev/null +++ b/projects/tu/glt-mail/20250716-thoughts.md 
@@ -0,0 +1,23 @@ +## Abbreviations + +- ga: Gebaeudeautomatisierung +- glt: Gebaeudeleittechnik + + +## Notes + +- Sophos SG Cluster +- Many VLANs -> Open port 25, 465, 587 for all networks to the mail server +- Which domain? @ga.tum.de probably. just mx record needed in local network +- DNS Server. Hopefully, the Sophos can do it +- For outgoing mails use the mail-gw which relays the mails to the LRZ mailservers which relays it further +- LRZ only accepts mails from a @<...>.tum.de domain, which should be given +- I could use mailcow, without all spam, netfilter and ipv6 stuff (though I love ipv6 and would activate it everywhere) +- Single mailbox needed. (mailcow provideds more) +- imap will be needed for accessing the mails +- though this mail server will be more a imap server than a smtp server +- imap for receiving all the alerts; smtp for relaying of some mails which should go outside the local network +- Do I really need SSL/TLS certs? + + +- DOMAIN: ga.tum.de \ No newline at end of file diff --git a/projects/tu/weekly/20250717.md b/projects/tu/weekly/20250717.md new file mode 100644 index 0000000..92da550 --- /dev/null +++ b/projects/tu/weekly/20250717.md @@ -0,0 +1,11 @@ +## TODO + + +- [x] wagos devices ip adressen aufschreiben und beschriften + - chemie (neu) Netz + - nextcloud passwoerter hinterlegen + +- [ ] herausfinden welche portbeleguneg an den switches am besten ist +- [ ] landing page: unterscheidung zwischen remote.glt.tum.de und gw.glt.tum.de soll klar sein. + - gw.glt.tum.de ist die Sophos FW. html5 vpn-portal verbindet sich mit rdp zu servern?? + - remote.glt.tum.de ist die Applikation TSPlus fuer remote Zugriff zu einem bestimmten Server \ No newline at end of file
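Review bot: in projects/tu/glt-mail/20250716-thoughts.md, "Open port 25, 465, 587 for all networks to the mail server" is broader than the stated use (GLT alert mails from building-automation devices into a single mailbox): only the VLANs that actually contain sending devices need 25 or 587, and exposing authenticated submission on 465/587 from every VLAN mostly adds a credential-guessing surface on a box that, as the notes themselves say, is really an IMAP server. On "Do I really need SSL/TLS certs?": without TLS the IMAP logins and any SMTP AUTH cross all those VLANs in clear text, so yes for 993/143 (STARTTLS) and 587 at least; the `@ga.tum.de` MX only needs a publicly trusted certificate if external senders are expected. Spelling: "provideds" -> "provides".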