Sysadmin Mega Thread

Yeah I didn’t even check if it was available or not it just seemed like such an obvious feature. Apparently it’s been requested by Meraki for a while and they have been working on it.

1 Like

Had to juggle around some nonstandard ports, since each site needed its own, but nbd. Although I suppose if you’re Cisco, decisions like that need to be well considered if they’re not left up to the user.

This week has made me not want to ever be a network engineer

My dumbass thought networking would be fun when I first got into IT

3 Likes

You always enjoy networking until it crashes and randomly does not work and then you want to burn it all in a fire.

We had a 100G switch die in our lab a few weeks ago it was painful for a while

1 Like

Did this today…

Does anyone know how to get Dnsmasq to use the DHCP domain for resolving hosts instead of the system domain? It works that way in EdgeOS and I’d like to get it working like that here as well.

Example is:

Public domain is company.tld. Gateway is configured as whatever.company.tld.

I have DHCP running on VLAN3, with domain admin.company.tld.

computer1 gets a lease. I want host computer1.admin.company.tld to be the fqdn for computer1, but instead, dnsmasq is using the system domain, so it’s computer1.company.tld without the subdomain.

I know it’s a setting somewhere but I forget what it is and it’s difficult to Google.

Is it difficult to open the man page and search for keywords?

What keyword would I search?

I mean, yeah I’ll look at the man page later, but just wondering if anyone knew off the top of their head.

DHCP, domain, search

This relevant?

If the address range is given as ip-address/network-size, then an
additional flag “local” may be supplied which has the effect of
adding --local declarations for forward and reverse DNS queries.
Eg. --domain=thekelleys.org.uk,192.168.0.0/24,local is
identical to --domain=thekelleys.org.uk,192.168.0.0/24
--local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/ The
network size must be 8, 16 or 24 for this to be legal.

-S, --local,
--server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<source-ip>|<interface>[#<port>]]
Specify IP address of upstream servers directly. Setting this
flag does not suppress reading of /etc/resolv.conf, use --no-
resolv to do that. If one or more optional domains are given,

Also permitted is a -S flag which gives a domain but no IP
address; this tells dnsmasq that a domain is local and it may
answer queries from /etc/hosts or DHCP but should never forward
queries on that domain to any upstream servers. --local is a
synonym for --server to make configuration files clearer in this
case.

Tons of useful info, I should probably study this document again myself :smiley:

1 Like

It might be expand-hosts without setting domain= explicitly.

So the issue is that only static reservations behave the way I want. Transient leases expand according to the system’s domain and not the domain delivered by DHCP.

So the DHCP server is telling hosts they are in the company.tld instead of the admin.company.tld domain? Does setting --domain=admin.company.tld accomplish what you’re after?

The resolver doesn’t tell hosts what requests to make, so the hosts must be making the wrong requests in the first place. And that would be based on the configuration they are given by the DHCP server.

1 Like

I think it has to do with this:

--host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]
    Add A, AAAA and PTR records to the DNS. This adds one or more names to the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may appear in more than one --host-record and therefore be assigned more than one address. Only the first address creates a PTR record linking the address to the name. This is the same rule as is used reading hosts-files. --host-record options are considered to be read before host-files, so a name appearing there inhibits PTR-record creation if it appears in hosts-file also. Unlike hosts-files, names are not expanded, even when --expand-hosts is in effect

Relevant part:

Unlike hosts-files, names are not expanded, even when --expand-hosts is in effect

Unfortunately, OPNsense does not appear to provide any direct access to the dnsmasq server. There is a dnsmasq.conf in /usr/local/etc but it’s just a copy of the sample file with every option commented out. There is a text field to add additional options, but it says that it will be deprecated…

Anyway, I have set the domain for each vlan, and that is what works with the static reservations. I can set the domain in the general config, but then all vlans would have the same domain which is not what I want. Each vlan has its own subdomain.

I was incorrect earlier when I mentioned that EdgeOS behaves differently. My memory was just of static reservations. I think this is an issue with dnsmasq. It just appears to handle resolving leases differently from static reservations for whatever reason.

The command line flags correspond to the config file options iirc.
I would check what queries are actually being sent over the wire because it seems most likely to me that it has nothing to do with the DNS server, rather the DHCP server being misconfigured and handing out the wrong domains to hosts. If you need to configure different domains for different vlans, then you can specify domain=admin.company.tld,10.0.0.0/24 to apply this to the address range on a specific vlan

The hosts are picking up the correct domains. Querying the expanded fqdn from another system is where the issue is. Static reservations expand as intended, but pool leases do not. I believe this is by design as described under --host-record.

It’s just unfortunate as I’d prefer to let certain things have dynamic IP assignments while being able to access them via fqdn based on their subnet.
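For reference, here is what the per-VLAN setup discussed above looks like in a plain dnsmasq.conf, written against the options quoted from the man page (domain with an address range and the local flag, expand-hosts, dhcp-host versus host-record). This is an added example, not config from any poster or from OPNsense; the VLAN subnets, MAC address, hostnames and lease times are assumptions. Per the man page, the domain given for a range is also the only domain a DHCP client in that range is allowed to claim in its hostname, and the local flag keeps queries for those names, forward and reverse, from ever being forwarded upstream:

```conf
# Added example (not from the thread): one subdomain per VLAN in dnsmasq.
# 10.0.3.0/24 = admin VLAN, 10.0.4.0/24 = guest VLAN, names are assumptions.

# System (default) domain, used for anything not matched by a range below.
domain=company.tld

# Per-range domains. "local" expands to --local=/admin.company.tld/ and
# --local=/3.0.10.in-addr.arpa/, so these names are answered only from
# leases and hosts files and never leak to upstream resolvers.
# The network size must be 8, 16 or 24 for "local" to be accepted.
domain=admin.company.tld,10.0.3.0/24,local
domain=guest.company.tld,10.0.4.0/24,local

# One pool per VLAN, each tagged so DHCP options can differ per pool.
dhcp-range=set:admin,10.0.3.100,10.0.3.199,255.255.255.0,12h
dhcp-range=set:guest,10.0.4.100,10.0.4.199,255.255.255.0,2h

# Give each pool its own domain-name (option 15) and search list (option 119),
# so clients build and query the right FQDN themselves.
dhcp-option=tag:admin,option:domain-name,admin.company.tld
dhcp-option=tag:admin,option:domain-search,admin.company.tld
dhcp-option=tag:guest,option:domain-name,guest.company.tld
dhcp-option=tag:guest,option:domain-search,guest.company.tld

# Static reservation in the admin range: this is the case the thread reports
# as resolving correctly, i.e. as computer1.admin.company.tld.
dhcp-host=aa:bb:cc:dd:ee:01,10.0.3.10,computer1

# host-record names are inserted verbatim and are never expanded, even with
# expand-hosts, so they must be written fully qualified.
host-record=nas.admin.company.tld,10.0.3.20

# Append the domain to simple (dot-less) names read from /etc/hosts.
expand-hosts

# Insert only fully qualified DHCP names into DNS. This requires a domain for
# every range; short names such as plain "computer1" then stop resolving,
# which also avoids the same short name being ambiguous across VLANs.
dhcp-fqdn
```

The intent of the per-range domain lines is exactly the one the thread is after: the DHCP server hands each VLAN its own subdomain, and the local flag makes dnsmasq authoritative for that subdomain and its reverse zone. Check the result from another host with the fully qualified name (for example computer1.admin.company.tld) and, for a pool lease, compare against what the lease file records before concluding it is resolver behaviour rather than the client claiming a different name.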

when you see it

4 Likes

I have several extra.

Cleaned the pool today

xeon-freebsd ➜  ~ zpool list -v
NAME                             SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
system                           168G  11.2G   157G        -         -     3%     6%  1.00x  ONLINE  -
  mirror                         168G  11.2G   157G        -         -     3%     6%
    gpt/system-S21NNSBFC33884B      -      -      -        -         -      -      -
    gpt/system-S21NNSAG106810R      -      -      -        -         -      -      -
tank                            21.8T  9.35T  12.4T        -         -    12%    42%  1.00x  ONLINE  -
  mirror                        2.72T  1.79T   947G        -         -    18%    65%
    gpt/red-2659                    -      -      -        -         -      -      -
    gpt/red-0D0U                    -      -      -        -         -      -      -
  mirror                        2.72T  1.81T   926G        -         -    20%    66%
    gpt/red-7230                    -      -      -        -         -      -      -
    gpt/red-7VJN                    -      -      -        -         -      -      -
  mirror                        2.72T  1.83T   911G        -         -    21%    67%
    gpt/red-2405                    -      -      -        -         -      -      -
    gpt/red-8459                    -      -      -        -         -      -      -
  mirror                        2.72T  1.31T  1.41T        -         -    15%    48%
    gpt/red-TEK2                    -      -      -        -         -      -      -
    gpt/red-7F2N                    -      -      -        -         -      -      -
  mirror                        2.72T  1.24T  1.48T        -         -    14%    45%
    gpt/red-023L                    -      -      -        -         -      -      -
    gpt/red-WPAU                    -      -      -        -         -      -      -
  mirror                        2.72T  1.23T  1.49T        -         -    12%    45%
    gpt/red-SUF9                    -      -      -        -         -      -      -
    gpt/red-633N                    -      -      -        -         -      -      -
  mirror                        2.72T  68.4G  2.65T        -         -     0%     2%
    gpt/red-SCUT                    -      -      -        -         -      -      -
    gpt/red-C78K                    -      -      -        -         -      -      -
  mirror                        2.72T  67.4G  2.65T        -         -     0%     2%
    gpt/red-1T8J                    -      -      -        -         -      -      -
    gpt/red-5AYR                    -      -      -        -         -      -      -
spare                               -      -      -         -      -      -
  gpt/red-9PEN                      -      -      -        -         -      -      -
  gpt/red-P782                      -      -      -        -         -      -      -

I still have some system datasets on tank that need to move to a recursive boot environment on the system pool, then I can finally export tank and reimport it with the correct name, “storage”

I’ve taken to naming the system pool “system” and the storage pool “storage” rather than the conventional zroot and tank. Call me a rebel…

Success

xeon-freebsd ➜  ~ zpool list
NAME      SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
storage  21.8T  9.32T  12.4T        -         -    11%    42%  1.00x  ONLINE  -
system    168G  47.0G   121G        -         -     3%    27%  1.00x  ONLINE  -
1 Like

I still have some ‘tank’s that need to turn into ‘pool1’

Solid journalism :joy: