Håvard Ose Nordstrand 3 years ago
Parent
Commit
e7cd975e4f

+ 20 - 0
config/linux-server/applications.md

@@ -88,9 +88,24 @@ Sends an emails when APT updates are available.
     - [DNSSEC Guide (BIND 9 docs)](https://bind9.readthedocs.io/en/latest/dnssec-guide.html)
     - [Tutorial: How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 16.04 (DigitalOcean)](https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-16-04)
     - [Tutorial: How To Setup DNSSEC on an Authoritative BIND DNS Server (DigitalOcean)](https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2)
+- Docker image notes:
+    - The `-g` CLI arg forces all output to stderr, which breaks logging. Use `-f` instead.
+- Example config: See my private configs.
 
 ### Usage
 
+#### Config
+
+- Show full user config: `named-checkconf -p`
+
+#### Zones
+
+- Most tools are from the `bind9utils` package.
+- Convert signed zone in raw format to text format: `named-compilezone -f raw -F text -o zone.tmp <zone> <zone-file>.signed`
+- Convert the DNSKEY records to DS records: `dnssec-dsfromkey <dnskey-file>` (use the one with digest type 2 (SHA-256))
+
+#### Validation
+
 - Valdiate config: `named-checkconf`
 - Validate DNSSEC validation:
     - `dig cloudflare.com @<server>` should give status `NOERROR` and contain the `ad` flag (for "authentic data", i.e. it passed DNSSEC validation).
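Review bot: the `dnssec-dsfromkey` bullet in the new "Zones" subsection tells the reader to pick the SHA-256 line from the output by hand; since the tool takes a digest algorithm flag, `dnssec-dsfromkey -a SHA-256 <dnskey-file>` would emit only that record and avoid accidentally publishing the SHA-1 DS. While this section is being reorganised, the unchanged "Valdiate config" line under the new "Validation" heading should read "Validate config", and the `-g`/`-f` Docker note would be clearer if it said that `-g` forces logging to stderr and so bypasses the `logging {}` channels configured in `named.conf`, which is why `-f` (foreground, normal logging) is the better choice.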
@@ -101,6 +116,11 @@ Sends an emails when APT updates are available.
     - [Verisign DNSSEC Debugger](https://dnssec-debugger.verisignlabs.com/)
     - [DNSViz](https://dnsviz.net/)
 
+#### Miscellanea
+
+- Show BIND host version: `dig chaos txt version.bind @<server>`
+- Show BIND host hostname: `dig chaos txt hostname.bind @<server>`
+
 ## bitwarden_rs
 
 A free community backend for Bitwarden.
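Review bot: the two `dig chaos txt` commands in the new "Miscellanea" subsection answer for any client that can reach the server, so they are as useful to an outsider fingerprinting the host as to the admin; the bullet should mention that the `version` and `hostname` options in the `options {}` block of `named.conf` can replace those answers with a fixed string, and that the self-check then confirms the override is in effect rather than the real version.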

+ 25 - 4
config/network/ubiquiti-unifi-aps.md

@@ -24,10 +24,31 @@ breadcrumbs:
     - The DHCP option is typically the most appropriate IMO.
 - Reset: Hold RESET button until the front light alternate between black, white and blue.
 - Default credentials (after RESET and before adoption): Username `ubnt` with password `ubnt`.
-- IPv6 management: It does not seem to support DHCPv6. I don't know about SLAAC.
-- Problematic settings:
-    - "Guest Policy": For client isolation and captive portal. Does not support IPv6. May cause communication to fail after connecting to the AP.
-    - "High Performance Devices": May cause the connection establishment to to fail.
+- IPv6 management: It does not seem to support SLAAC or DHCPv6 (**TODO** Needs re-testing.).
+- **TODO** Does it apply settings to all APs in an ESS simultaneously such that the whole ESS goes down?
+
+## Settings
+
+- 2.4GHz & 5GHz:
+    - Generally use both 2.4GHz and 5GHz with the same SSID and password.
+    - Consider disabling 2.4GHz if it may cause interference or may suffer from bad scaling due to fewer channels (e.g. at LAN parties).
+    - IoT devices typically support only 2.4GHz (which is appropriate due to low data rates and good range).
+- "Legacy Support" (802.11b): Only enable old versions if you really need to, as their low bandwidths and old protocols may clutter the same spectrum as the newer, efficient verions are also using.
+- "L2 Isolation" (client isolation): Enable if clients don't need to communicate with eachother. This may increase performance (less broadcasting/multicasting) and security (assuming the network is also firewalled from outside).
+- Roaming:
+    - Roaming (of clients between APs) requires that the APs use/provide the same SSID, password and subnet.
+    - **TODO** "Enable Fast Roaming" (802.11r)?
+- Security:
+    - WPA-2 (personal): Fine for small networks with a _secret_ password. Anyone _with the password/PSK_ can easily sniff traffic from other clients by de-authing them and sniffing the handshake, so this doesn't provide any benefits if the password is public.
+    - WPA-3 (personal): Like WPA-2 but newer and more secure (better initial key exchange and provides forward secrecy). Only newer devices support it.
+    - WPA-2/WPA-3 (personal): The most appropriate for "personal" setups, with v2 for compatibility and v3 for better security for devices supporting it. **TODO** PMF optional if transitional (WPA2+3)?
+    - WPA-2 enterprise and WPA-3 enterprise: You'll already know if you need this.
+- "WiFi AI": For automatically moving APs to less interfering channels. Probably bad, but I haven't tested it yet (**TODO**).
+- "Guest Policy": For client isolation and captive portal. Does not support IPv6. May cause communication to fail after connecting to the AP. (**TODO** This was converted into "L2 Isolation" and "Guest Hotspot" in newer versions?)
+- "High Performance Devices": Forces some clients onto the 5GHz band. May cause the connection establishment to to fail.
+- "Multicast Enhancement": **TODO** This broke my printer, I think. Needs re-testing.
+- "Airtime Fairness": Generally keep it enabled, esp. if many clients. It prevents devices (esp. those using old/slow 802.11 variants) from hogging bandwidth and starving other clients.
+- "Auto-Optimize Network": Always keep disabled to prevent it from changing your settings in bad ways.
 
 ## Wireless Uplink (Meshing)
 
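Review bot: the "High Performance Devices" bullet carries the doubled "to to fail" over from the deleted line; also "verions" in the "Legacy Support" bullet and "eachother" in the "L2 Isolation" bullet are typos. On substance, the WPA-2 (personal) bullet describes de-authing a client to capture the handshake, and the WPA-2/WPA-3 bullet leaves PMF as a TODO; these belong together, since PMF (802.11w) is the setting that authenticates management frames such as deauth, so the TODO would be better phrased as whether PMF can be required rather than optional in the transitional mode. The "L2 Isolation" bullet's "assuming the network is also firewalled from outside" is the key caveat and could be stated first.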

+ 29 - 12
config/network/ubiquiti-unifi-controllers.md

@@ -11,7 +11,28 @@ breadcrumbs:
 
 - [Ubiquiti UniFi Access Points](/config/network/ubiquiti-unifi-aps/)
 
-## Cloud Key
+## General
+
+- Relevant ports (incoming) (from [Ports Used (UniFi)](https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used)):
+    - TCP 8443: GUI/API (for admins)
+    - TCP 8880: HTTP portal (for guests)
+    - TCP 8843: HTTPS portal (for guests)
+    - TCP 6789: Mobile speedtest (for admins)
+    - TCP 8080: Device-controller communication (for devices)
+    - UDP 1900: L2 adoption (for devices, optional)
+    - UDP 3478: STUN (for devices)
+    - UDP 10001: Device discovery (for devices)
+    - UDP 5514: Syslog (for monitoring)
+
+## Setup
+
+Setup alternatives:
+
+- Cloud Key (official hardware controller)
+- Linux package (official)
+- Docker image (unofficial)
+
+### Cloud Key
 
 - A standalone device by Ubiquiti.
 - Costs money.
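Review bot: the new "Relevant ports (incoming)" list under "General" labels each port's audience (admins, guests, devices, monitoring) but does not say what that implies for the firewall; a sentence stating that only TCP 8443 needs to be reachable by admins and that the device ports (TCP 8080, UDP 3478, UDP 10001, UDP 1900) and UDP 5514 syslog should be limited to the device/management subnet would turn the list into an actual policy. UDP 5514 is new relative to the list this replaces in the Debian section; if that was deliberate, note that it is only needed when remote syslog from devices is enabled.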
@@ -19,7 +40,7 @@ breadcrumbs:
 - Doen't require setting it up yourself, which can be a little tricky/uncomfortable.
 - Supports a limited amount of devices and clients, however most small-to-mid-size deployments are unlikely to reach that limit.
 
-## Debian
+### Debian 9
 
 UniFi 5 is the latest version and does only officially support Debian 9 (Stretch) and Ubuntu Desktop/Server 16.04 for Linux. It requires Java 8 and other stuff which is an absolute pain to install on later versions of Debian. There is also the official physical Cloud Key device and multiple unofficial Docker images and installation packages for Linux servers.
 
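Review bot: renaming the heading to "Debian 9" matches the paragraph below it, but the unchanged context line "Doen't require setting it up yourself" has a typo ("Doesn't") and "does only officially support" in the Debian paragraph reads more naturally as "officially supports only"; both are worth fixing while this block is edited.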
@@ -27,16 +48,8 @@ Official installation instructions: [UniFi: How to Install & Upgrade the UniFi N
 
 1. Install Debian 9 (later versions don't have the required versions of Java etc.).
 1. Configure it: See [Debian Server](/config/linux-server/debian/) (for Debian 10).
-1. Allow the following incoming ports (see [UniFi - Ports Used](https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used)):
-    - TCP 8080: Device-controller communication (for devices)
-    - TCP 8443: GUI/API (for admins)
-    - TCP 8880: HTTP portal (for guests)
-    - TCP 8843: HTTPS portal (for guests)
-    - TCP 6789: Mobile speedtest (for admins)
-    - UDP 1900: L2 adoption (for devices, optional)
-    - UDP 3478: STUN (for devices)
-    - UDP 10001: Device discovery (for devices)
-1. (Optional) NAT port 443 to 8443 in IPTables: `iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443`
+1. Open incoming ports: See note above.
+1. (Optional) NAT port 443 to 8443 (to access it from the normal HTTPS port): `iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443`
 1. (Alternative 1) Install via repo: See [How to Install and Update via APT on Debian or Ubuntu (UniFi)](https://help.ui.com/hc/en-us/articles/220066768-UniFi-How-to-Install-and-Update-via-APT-on-Debian-or-Ubuntu).
 1. (Alternative 2) Install via downloaded package: Go to the UniFi downloads page and download for Linux/Debian.
 1. Configure:
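Review bot: "Open incoming ports: See note above." is underspecified now that the port list lives in a different section of the page; link to the "General" section explicitly so the step stays correct if the page is reordered again. The `iptables -t nat ... REDIRECT --to-ports 8443` step also deserves two caveats: the rule is not persistent across reboots unless saved (e.g. via `netfilter-persistent`), and it only covers IPv4, so an equivalent `ip6tables` rule is needed if the controller is reachable over IPv6.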
@@ -54,4 +67,8 @@ Official installation instructions: [UniFi: How to Install & Upgrade the UniFi N
     1. Delete the local files.
     1. Start UniFi.
 
+### Unofficial Docker Image
+
+See [jacobalberty/unifi-docker (GitHub)](https://github.com/jacobalberty/unifi-docker).
+
 {% include footer.md %}
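Review bot: the new "Unofficial Docker Image" subsection is only a link; given that the "Setup" list above explicitly marks this option unofficial, a sentence on pinning an image tag rather than `latest` and on which ports from the "General" list must be published to the host would make the subsection match the level of detail of the Cloud Key and Debian 9 alternatives.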