Merge branch 'master' of github.com:HON95/wiki

config/linux-server/applications.md

@@ -861,19 +861,17 @@ See [Team Fortress 2 (TF2)](/config/game-servers/tf2/).
 
 ### Setup
 
-1. Install `tftpd-hpa`.
-1. Update `/etc/default/tftpd-hpa` based on the config below.
-1. Create the folder `/var/tftp` with permissions `777` and user-group pair `tftp:tftp`.
-1. Restart it.
-1. If it shouldn't automatically start, disble it.
-
-File `/etc/default/tftpd-hpa`:
-```
-TFTP_USERNAME="tftp"
-TFTP_DIRECTORY="/var/tftp"
-TFTP_ADDRESS=":69"
-TFTP_OPTIONS="--create --secure"
-```
+1. Install: `apt install tftpd-hpa` (note the `d`)
+1. (Optional) Configure it:
+    - Config file: `/etc/default/tftpd-hpa`
+    - Change dir: `TFTP_DIRECTORY="<dir>"` (e.g. `/var/tftp`)
+    - Change options: `TFTP_OPTIONS="[opt]*"` (see the most relevant options below)
+    - Option `--secure`: Change the root directory to the specified `TFTP_DIRECTORY` directory.
+    - Option `--create`: Allow clients to upload new files. Existing files may be changed regardless.
+1. Fix folder permissions:
+    - Make sure `tftp:tftp` has read access.
+    - If it needs to be TFTP writable, make sure `tftp:tftp` has write access to it.
+1. Restart it: `systemctl restart tftpd-hpa`
 
 ## Unbound
 

config/media/streaming.md

@@ -119,6 +119,8 @@ breadcrumbs:
 
 ### Examples
 
+- [steven2358's FFmpeg cheat sheet](https://gist.github.com/steven2358/ba153c642fe2bb1e47485962df07c730)
+- **TODO** Find my other FFmpeg notes.
 - Record stream to file, automatically split every X seconds, restart if the stream is unavailable:
     - Script: `while true; do ffmpeg -hide_banner -loglevel error -i http://localhost:5555/ -c copy -map 0 -f segment -segment_time $((5*60)) -segment_format mp4 -strftime 1 "%Y-%m-%d_%H-%M-%S.mp4"; sleep 5; done`
 - Record time lapse at 10x speed without audio:

config/network/juniper-junos-switches.md

@@ -25,46 +25,61 @@ breadcrumbs:
 
 ## Initial Setup
 
-1. Connect to the switch using serial (RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bits, no flow control).
-1. Login with username `root` and no password. You'll enter the shell.
-1. Enter the operation mode: `cli`
-1. Disable default virtual chassis ports (VCPs) if not used:
+1. Connect to the switch using serial:
+    - RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bits, no flow control.
+1. Login:
+    - Username `root` and no password.
+    - Logging in as root will always start the shell. Run `cli` to enter the operational CLI.
+1. (Optional) Disable default virtual chassis ports (VCPs) if not used:
     1. Enter op mode.
     1. Show VCPs: `show virtual-chassis vc-port`
     1. Remove VCPs: `request virtual-chassis vc-port delete pic-slot <pic-slot> port <port-number>`
     1. Show again to make sure they disappear. This may take a few seconds.
-1. Enter configuration mode: `configure`
-    - Use `exit` to return to op. mode.
-1. Set host name: `set system host-name <host-name>`
-1. Set domain name: `set system domain-name <domain-name>`
-1. Enable auto snapshotting and restoration on corruption: `set system auto-snapshot`
-1. Disable DHCP auto image upgrade: `delete chassis auto-image-upgrade`
-1. Set root password: `set system root-authentication plain-text-password` (prompts for password)
-1. Setup a non-root user: `set system login user <user> [full-name <full-name>] class super-user authentication plain-text-password` (prompts for password)
-1. Enable SSH server: `set system services ssh`
-1. Disable root login from SSH: `set system services ssh root-login deny`
+1. Enter configuration mode:
+    - Enter: `configure`
+    - Exit: `exit`
+1. Set host name:
+    - `set system host-name <host-name>`
+    - `set system domain-name <domain-name>`
+1. Enable auto snapshotting and restoration on corruption:
+    - `set system auto-snapshot`
+1. Disable DHCP auto image upgrade:
+    - `delete chassis auto-image-upgrade`
+1. Set new root password:
+    - `set system root-authentication plain-text-password` (prompts for password)
+1. Setup a non-root user:
+    - `set system login user <user> [full-name <full-name>] class super-user authentication plain-text-password` (prompts for password)
+1. Setup SSH:
+    - Enable server: `set system services ssh`
+    - Disable root login from SSH: `set system services ssh root-login deny`
 1. Set loopback addresses:
     1. `set interfaces lo0.0 family inet address 127.0.0.1/32`
     1. `set interfaces lo0.0 family inet6 address ::1/128`
-1. Set DNS servers: `set system name-server <addr>` (once for each address)
+1. Set DNS servers:
+    - `set system name-server <addr>` (once for each address)
 1. Set time:
     1. (Optional) Set time locally: `set date <YYYYMMDDhhmm.ss>`
     1. Set server to use while booting: `set system ntp boot-server <address>`
     1. Set server to use periodically: `set system ntp server <address>`
     1. Set time zone: `set system time-zone Europe/Oslo` (example)
     1. Note: After committing, use `show ntp associations` to verify NTP.
-1. Delete default interfaces configs: `wildcard range delete interface ge-0/0/[0-47]` (example, repeat for all FPCs/PICs)
-1. Disable unused interfaces: `wildcard range set interface ge-0/0/[0-47] disable` (example, repeat for all FPCs/PICs)
+1. Delete default interfaces configs:
+    - `wildcard range delete interface ge-0/0/[0-47]` (example, repeat for all FPCs/PICs)
+1. Disable unused interfaces:
+    - `wildcard range set interface ge-0/0/[0-47] disable` (example, repeat for all FPCs/PICs)
 1. Disable dedicated management port and alarm:
     1. Disable: `set int me0 disable`
     1. Delete logical interface: `delete int me0.0`
     1. Disable link-down alarm: `set chassis alarm management-ethernet link-down ignore`
 1. Disable default VLAN:
-    1. Delete logical interface: `delete vlan.0` (before disabling)
+    1. Delete logical interface (before disabling): `delete vlan.0`
     1. Disable logical interface: `set vlan.0 disable`
-1. Setup config groups: **TODO**
-1. Setup port-ranges: **TODO**
-1. Setup VLANs (not interfaces): `set vlans <name> vlan-id <VID>`
+1. Create VLANs (not interfaces):
+    - `set vlans <name> vlan-id <VID>`
+1. Setup port-ranges:
+    - Declare range: `edit interfaces interface-range <name>`
+    - Add member ports: `member-range <begin-if> to <end-if>`
+    - Configure it as a normal interface, which will be applied to all members.
 1. Setup LACP:
     1. Note: Make sure you allocate enough LACP interfaces and that the interface numbers are below 512 (empirically discovered on EX3300).
     1. Set number of available LACP interfaces: `set chassis aggregated-devices ethernet device-count <0-64>`
@@ -93,10 +108,17 @@ breadcrumbs:
 1. Setup static IP routes:
     1. IPv4 default gateway: `set routing-options rib inet.0 static route 0.0.0.0/0 next-hop <next-hop>`
     1. IPv6 default gateway: ``set routing-options rib inet6.0 static route ::0/0 next-hop <next-hop>``
-1. Enable Ethernet flow control: **TODO**
-1. Configure RSTP: **TODO**
-1. Configure SNMP (public RO): `set snmp community public authorization read-only`
-1. Setup event policies: **TODO**
+1. Enable Ethernet flow control:
+    - **TODO**
+1. Enable EEE:
+    - **TODO**
+1. Configure RSTP:
+    - RSTP is the default STP variant for Junos.
+1. Configure SNMP:
+    - Note: SNMP is extremely slow on the Juniper switches I've tested it on.
+    - Enable public RO access: `set snmp community public authorization read-only`
+1. Configure sFlow:
+    - **TODO**
 1. Commit configuration: `commit [confirmed]`
 1. Backup config to rescue config: `request system configuration rescue save`
 

config/network/switching.md

@@ -45,7 +45,7 @@ Reserved:
 
 (\*) Very incomplete list.
 
-### Notes
+### General
 
 - Use extended system ID for multi-VLAN switches.
 - Make sure all switches are using compatible variants and default priorities.
@@ -54,20 +54,50 @@ Reserved:
 - The bridge priority should generally be a multiple of 4096.
 - PVST and 802.1Q regions cannot interoperate directly, but can through PVST+ regions.
 
+### STP
+
+- The original.
+- Generally uses around 30 seconds after a new device is connected until it starts forwarding data (unless using Cisco's "portfast" or similar).
+- Path cost depends on link speed.
+- Uses BPDUs (bridge protocol data units) to exchange information.
+- Generates and imposes a rooted spanning tree onto the non-acyclic network, where a single switch is designated as the root.
+- Uses a single tree for all physical ports (no per-VLAN support).
+- The BPDU from the root starts with root path cost 0 and accumulates all link costs along the distribution downstream.
+- States:
+    - Listening: The initial state when a device is connected. No data is forwarded and no MAC addresses are learned. Enters the listening state afterwards.
+    - Learning: Like the listening state but with MAC address learning (no data forwarding yet). Enters the forwarding state afterwards.
+    - Forwarding: Data is forwarded.
+    - Blocking: If during the listening, learning or forwarding state a port is determined to be neither a root port (uplink) or a designated port (downlink), it's blocked.
+
+### RSTP (802.1w)
+
+- Generally backwards-compatible with STP.
+- Has much better convergence time for new connections and topology changes than STP.
+- Port roles:
+    - Root port: The uplink port toward the root switch. Every non-root switch has exactly one.
+    - Alternate port: A port which may quickly take over as the root port if the current root port becomes unavailable. (STP doesn't have this type, but e.g. Cisco's "uplinkfast" provides a similar mechanism.)
+    - Designated port: Any downlink ports toward switches downstream from the current one wrt. the tree.
+    - Backup port: Like the alternate port to the root port, it provides a backup for a designated port.
+- Port states:
+    - Discarding (aggregates the blocking, listening and disabled states from STP).
+    - Learning.
+    - Forwarding.
+
+### Special Features
+
+Note: These features are mostly vendor-defined and the specifics of each mechanism depend on the implementations.
+
+- Loop guard: Enabled on root and alternate ports (typically) to move them to the blocking state instead of the forwarding state if they were to stop receiving BPDUs (e.g. due to a unidirectional or congestion), to avoid causing a forwarding loop.
+- Root guard: Enabled on designated and backup ports (downlinks) to prevent downstream switches from taking over as the root bridge (e.g. due to misconfiguration).
+- BPDU guard: Enabled on edge ports to block it if it receives any BPDUs (e.g. due to malicious purposes).
+- BPDU filter: Enabled on edge ports to ignore all received BPDUs.
+- Portfast: Enabled on edge ports to immediately move it to the forwarding state instead of going through the discarding and learning phases first, in order to get clients online as fast as possible.
+
+### Miscellanea
+
 #### Cisco IOS
 
 - VTP can be very dangerous if not used properly and is enabled by default. It also doesn't carry MST configuration.
 - Rapid-PVST+ ignores UplinkFast and BackboneFast and supports UDLD.
 
-### Inter-Model Compatibility Examples
-
-#### Example 1
-
-**TODO** I have not actually tested this properly.
-
-- Cisco IOS (Cat 3750G): `rapid-pvst`
-- Brocade (ICX 6610): `802.1w`
-- Linksys (LGS326): `stp` (slow but works)
-- Use the same default priority, e.g. 32768.
-
 {% include footer.md %}

config/network/tplink-jetstream-switches.md

@@ -72,15 +72,18 @@ breadcrumbs:
     1. Enable server: `ip ssh server`
     1. Disable Telnet: `telnet disable`
 1. Change Switch Database Management (SDM) template:
+    1. Note: Show SDM template info: `show sdm prefer {used|default|...}`
+    1. Note: Show actual usage: `ipv6 source binding`
+    1. Note: `enterpriseV6` is required for enabling IPv6 ND inspection.
     1. Allocate more resources to IPv6: `sdm prefer enterpriseV6`
     1. **TODO** Check how many entries are actually used. The max count seems low.
 1. Setup physical interfaces (basics):
     1. Enter one or multiple interfaces: `int g 1/0/1` or `int range g 1/0/25-28`
     1. Set description: `desc <desc>`
     1. Disable (if unused): `shutdown`
-1. Setup LAGs:
+1. Setup LAGs (LACP):
     1. Set load balancing method (global): `port-channel load-balance src-dst-ip`
-    1. Enter the interface range of member interfaces.
+    1. Enter the member interfaces: `int range g 1/0/23-24` (example)
     1. Make them members of the LAG and use LACP: `channel-group <n> mode active`
     1. Enter port channel interface: `interface port-channel <n>`
     1. Configure it as an interface (applies when the LACP interface is up).
@@ -178,13 +181,21 @@ breadcrumbs:
 1. Setup MLD (IPv6) snooping: **TODO**
 1. (Optional) Setup TACACS+: **TODO**
 1. Enable SNMP: **TODO**
-1. Setup STP (802.1W/RSTP): **TODO**
+1. Setup RSTP:
+    - Set variant: `spanning-tree mode rstp`
+    - Enable globally: `spanning-tree`
+    - Enable on all ports (interface config): `spanning-tree`
+    - Enable portfast for edge ports (interface config): `spanning-tree common-config portfast enable`
+    - Enable BPDU guard for edge ports (interface config): `spanning-tree bpduguard`
+    - Enable loop guard for uplink ports (interface config): `spanning-tree guard loop`
 1. (Optional) Setup sFlow: **TODO**
 1. Set terminal idle timer: **TODO**
 1. Save the config (exec mode): `copy run start`
 
 ## Commands
 
+#### Basics
+
 - System info:
     - Systrem info: `show system-info`
     - Image info: `show image-info`
@@ -203,11 +214,35 @@ breadcrumbs:
 
 - Enter interface range: `int range <type> <full-start>-<end>` (e.g. `int range g 1/0/1-24`)
 
+### Miscellanea
+
+- Reset config and restart: `reset`
+- Restart: `reboot`
+
 ## Tasks
 
 ### Setup Netboot
 
-**TODO**
+- See: [How to configure DHCP Auto Install to let Switch get configuration file and image file from TFTP server? (TP-Link)](https://www.tp-link.com/us/support/faq/2065/)
+- Show status (enable mode): `show boot autoinstall`
+    - When autoinstall is enabled, mode should show `Start` (not `Stop`) and state should show something like `Waiting for boot options` (not `Stopped`).
+- Configuration:
+    - Set autoinstall to begin on boot (as well as now): `boot autoinstall persistent-mode`
+    - Save the autoinstall config as the startup config: `boot autoinstall auto-save`
+    - Reboot after autoinstalling (used with `auto-save`): `boot autoinstall auto-reboot`
+    - Set the retry count: `boot autoinstall retry-count <count>` (e.g. 3)
+    - Enable autoinstall (now!): `boot autoinstall start`
+    - Note that only certain autoboot options are saved in the config.
+- Enabling autoinstall will _immediately_ change to DHCP client mode for whichever interface/VLAN has an IP address (which exactly?).
+- The config does not need to be saved before rebooting the device, since persistent mode and enablement isn't stored in it.
+- When persistent mode is enabled, it's only enabled for the next boot (not permanently, disables itself on reboot).
+- Since autoinstall can't be enabled permanently, it may be required to SSH/telnet into the device and run `boot autoinstall start` in config mode to kickstart it? (**TODO** Needs more testing.)
+- The loaded configuration file is just like any saved/exported configuration file from the switch.
+- Some things need to be set at boot time, like setting the SDM template (required for enabling IPv6 ND inspection). Since the autoinstall config is loaded _after_ boot, either the autoinstall config must be saved and the switch rebooted, or the startup config must have it already set.
+
+**TODO** IPv6?
+**TODO** NTP broken (`show system-time ntp`).
+**TODO** It seems to get merged with the existing config. Add explicit "no" statements to override startup?
 
 ### Upgrade Firmware
 

config/network/vyos.md

@@ -6,14 +6,15 @@ breadcrumbs:
 ---
 {% include header.md %}
 
-## Foreword
-
-As VyOS is Debian-based, the Linux router notes are also highly related.
-
 ## Resources
 
 - [VyOS User Guide](https://docs.vyos.io/)
 
+## Info
+
+- Debian-based.
+- Forked from Vyatta.
+
 ## Installation
 
 See [Installation (VyOS)](https://docs.vyos.io/en/latest/install.html).
@@ -48,19 +49,34 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
     1. Remove default NTP servers: `delete system ntp <server>` (for each server)
     1. Add new NTP servers: `set system ntp server ntp.justervesenet.no` (example)
 1. (Optional) Enable Ctrl+Alt+Del reboot: `set system options ctrl-alt-del-action reboot` (or `ignore`)
-1. Replace default user:
-    1. Add new user with password: `set system login user <username> authentication plaintext-password "<password>"` (remember quotation marks if it contains spaces)
-    1. Commit and log into the new user.
-    1. Delete the default user: `delete system login user vyos`
 1. Set up a plain WAN-facing interface with an IP address (without LAG or VLAN):
     1. Show all Ethernet interfaces: `run show interfaces ethernet`
     1. Enter interface config: `edit interfaces ethernet <if>`
+    1. Set the MAC address for the interface to bind to if missing: `set hw-id <mac-addr>`
     1. Set description: `set description <description>`
     1. (Alternative) Set static address (IPv4 + IPv6): `set address <addr>/<prefix-length>`
     1. (Alternative) Set to get IPv4 address from DHCPv4: `set address dhcp`
     1. (Alternative) Set to get IPv6 address from DHCPv6: `set address dhcpv6`
     1. (Alternative) Set to get IPv6 address from SLAAC: `set ipv6 address autoconf`
     1. (Optional) Set firewall policies: `set firewall {local | in | out} <...>`
+1. Set default routes: `set protocols static route[6] <0.0.0.0/0|::/0> next-hop <next-hop>` (for IPv4 and IPv6)
+1. (Optional) Setup basic SSHD:
+    1. Enable server: `set service ssh`
+    1. (Optional) Commit and log in through SSH instead of the console.
+1. Replace default user:
+    1. Note: You may want to skip ahead to the SSHD step so you can paste stuff vis SSH instead of manually writing it into the console.
+    1. Enter new user: `system login user <username>`
+    1. Set password: `set authentication plaintext-password "<password>"`
+        - Remember quotation marks if the password string spaces.
+        - To generate an `encrypted-password` instead of specifying it as plaintext, run `openssl passwd -6` on a "safe" machine.
+    1. (Optional) Add your personal SSH pubkey:
+        1. Set key type: `set authentication public-keys <name> type ssh-rsa`
+        1. Set key (only the Base64-encoded part): `set authentication public-keys <name> key <key>`
+    1. Commit and log into the new user.
+    1. Delete the default user: `delete system login user vyos`
+1. Setup SSHD:
+    1. Enable server: `set service ssh`
+    1. (Optional) Disable password login (pubkeys only): `set service ssh disable-password-authentication`
 1. (Optional) Set up a LAG interface:
     1. Enter interface config: `edit interfaces bonding bond<n>`
     1. Set member interfaces: `set member interface <if>`
@@ -71,37 +87,27 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
     1. Enter the parent/physical interface config.
     1. Enter the VLAN subinterface config: `edit vif <VID>`
     1. Configure as a normal interface.
-1. Set default routes: `set protocols static route[6] <0.0.0.0/0|::/0> next-hop <next-hop>` (for IPv4 and IPv6)
 1. (Optional) Set black hole route: `set protocols static route[6] <prefix> blackhole` (for IPv4 and IPv6)
 1. Enable LLDP: `set service lldp interface all`
-1. Setup SSHD:
-    1. Enable server: `set service ssh`
-    1. (Optional) Commit and log in through SSH instead of the console.
-    1. (Optional) Add your personal pubkey by entering it:
-        1. Enter section: `edit system login user <user> authentication public-keys <some-key-id>`
-        1. Set key type: `set type ssh-rsa`
-        1. Set key (only the Base64-encoded part): `set key <key>`
-    1. (Optional) Add your personal pubkey bu downloading it: `loadkey <username> <URI>`
-    1. Disable password login (pubkeys only): `set service ssh disable-password-authentication`
 1. Enable unicast reverse path forwarding (uRPF) globally: `set firewall source-validation strict`
-1. Set firewall options:
-    1. Enter firewall section.
-    1. `set all-ping enable` (default) (still recommended to add ping rules)
-    1. `set broadcast-ping disable`
-    1. `set receive-redirects disable`
-    1. `set ipv6-receive-redirects disable`
-    1. `set ip-src-route disable`
-    1. `set ipv6-src-route disable`
-    1. `set log-martians disable`
-    1. `set send-redirects disable`
-1. Setup firewall:
+1. Set firewall:
+    1. Enter `firewall` section.
+    1. Set options:
+        1. `set all-ping enable` (default) (still recommended to add ping rules)
+        1. `set broadcast-ping disable`
+        1. `set receive-redirects disable`
+        1. `set ipv6-receive-redirects disable`
+        1. `set ip-src-route disable`
+        1. `set ipv6-src-route disable`
+        1. `set log-martians disable`
+        1. `set send-redirects disable`
     1. Set default policies:
         - `set firewall state-policy established action accept`
         - `set firewall state-policy related action accept`
         - `set firewall state-policy invalid action drop`
     1. Create IPv4 and IPv6 rule sets. Note that IPv4 and IPv6 rule sets can't share names, so you can suffix the names with `-4` and `-6` to avoid conflict.
     1. Attach rule sets to interfaces (typically "local" and "out").
-1. Tuning:
+1. (Optional) Tuning (bare metal):
     - **TODO** This can be done in the interface ethernet configs instead.
     - See the Linux router notes.
     - Enable GRO (example): `ethtool -K <if> gro on`

index.md

@@ -88,7 +88,7 @@ Random collection of config notes and miscellaneous stuff. _Technically not a wi
 - [TP-Link JetStream Switches](/config/network/tplink-jetstream-switches/)
 - [Ubiquiti UniFi Controllers](/config/network/ubiquiti-unifi-controllers/)
 - [Uniquiti UniFi Access Points](/config/network/ubiquiti-unifi-aps/)
-- [VyOS](//config/network/vyos/)
+- [VyOS](/config/network/vyos/)
 
 ### PC
 

it/network/switching.md

@@ -6,6 +6,8 @@ breadcrumbs:
 ---
 {% include header.md %}
 
+**TODO** Organize stuff better. See the config page for STP.
+
 ## Ethernet Switching Modes
 
 - Store and forward switching: