Sysadmin/Routers

From FGWiki
Important: The content of this page is outdated. If you have checked or updated this page and found the content to be suitable, please remove this notice.


Overview

The router configuration provides a highly available IPv4 routing, firewall, and DHCP auto-configuration service.

Configuration

The current configuration consists of spore.shop.lan and seed.shop.lan in a master/backup configuration. A dedicated cross-over cable between the two machines is used to synchronize DHCP and Packet Filter (pf) state. CARP is used on the internal interfaces for failover, with ifstated keeping the external interface in sync with the internal interfaces. Configuration, excluding the initial install and users, is handled by Puppet and is currently kept in ~tedrek/src/archive on each machine.

Tasks

Rebuilding

Hardware

The current configuration requires at least 3 physical network interfaces, at least 2 of which should be gigabit. The current configuration uses one dual-port Intel PRO/1000MT PCI-X card for the LACP trunk and a Broadcom BCM5704C for the synchronization interface. Alternate hardware will require tweaking the configuration to account for different interface names.

Disk and CPU requirements are quite modest: 20 GiB of disk will be plenty and a single-core 2.0 GHz CPU should suffice. One gigabyte of RAM should also be plenty; of course, more hardware is usually better. The current systems have dual 3.0+ GHz CPUs with 2 GiB of RAM.

Software

Install OpenBSD; do not install any of the X sets, as the router does not require a graphical environment. Otherwise the defaults should work. Once booted, install git and ruby-puppet from the OpenBSD ports. Finally, obtain a copy of the Puppet configuration for the router and apply it. A reboot may be required, and is recommended, after the initial Puppet run.

Maintenance

Rebooting/Halting

Useful for vacuuming the server out

 # Give up active router
 # Failure to do this will cause active connections to drop
 sudo ifconfig -g carp carpdemote 50
 sudo reboot
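The demote-then-reboot step above is easy to get wrong if the backup has not actually taken over yet. The following script is an added example, not from this wiki or the routers' Puppet tree: it raises the demotion counter on the carp group as the page shows, polls `ifconfig carp` until no interface still reports MASTER, and only then reboots; if the peer never takes over it undoes the demotion instead. The carp interface names, carpdev names and the 30-second timeout are assumptions; the sample ifconfig output is constructed for illustration.

```shell
#!/bin/sh
# Added example: drain a CARP master before reboot (OpenBSD, sudo as on the page).
set -e

DEMOTE=50        # demotion value used on the page
WAIT_SECS=30     # assumption: how long to wait for the peer to become MASTER

# Number of carp interfaces reporting MASTER in a block of `ifconfig carp` output.
master_count() {
    printf '%s\n' "$1" | grep -c 'carp: MASTER' || true
}

# True when no carp interface is MASTER any more (peer has taken over).
all_backup() {
    [ "$(master_count "$1")" -eq 0 ]
}

# Demote, wait for the peer, then reboot; roll back the demotion on timeout.
drain_and_reboot() {
    sudo ifconfig -g carp carpdemote "$DEMOTE"
    i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        if all_backup "$(ifconfig carp)"; then
            sudo reboot
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "carp interfaces still MASTER after ${WAIT_SECS}s; not rebooting" >&2
    sudo ifconfig -g carp -carpdemote "$DEMOTE"
    return 1
}

# Constructed sample output (interface names assumed), used to exercise the parser.
SAMPLE_BEFORE='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vlan10 vhid 10 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vlan20 vhid 20 advbase 1 advskew 0'
SAMPLE_AFTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vlan10 vhid 10 advbase 1 advskew 100
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vlan20 vhid 20 advbase 1 advskew 100'

# Only act on the live system when explicitly asked: RUN_DRAIN=1 ./drain.sh
if [ "${RUN_DRAIN:-0}" = "1" ]; then
    drain_and_reboot
fi
```

Run it with `RUN_DRAIN=1` on the router; without that variable it only defines the functions, so it can be sourced or tested safely.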

Watching firewall traffic

Get a real-time view of traffic logged by the firewall (packets matched by pf rules that carry the log keyword):

 sudo tcpdump -n -e -ttt -i pflog0

Watching bandwidth

Identify traffic by bandwidth in real time. vlan7 is the external interface; you may also need to look at the internal interfaces to track bandwidth usage.

 sudo iftop -i vlan10 -B