ThatGuyJack/networking-layout
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

First Push

Browse Source
This commit is contained in:
Jack 2023-08-31 19:27:52 +01:00
commit 4f93deea55
8 changed files with 462 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
Monitoring VPS/docker-compose.yml Normal file
View File

@ -0,0 +1,58 @@
version: '3'
networks:
default:
enable_ipv6: true
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "true"
ipam:
driver: default
config:
- subnet: fd00:0:0:1:3::/64
gateway: fd00:0:0:1:3::1
- subnet: 172.18.0.0/16
gateway: 172.18.0.1
services:
ipv6nat:
container_name: ipv6nat
restart: unless-stopped
image: robbertkl/ipv6nat
privileged: true
network_mode: host
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /lib/modules:/lib/modules:ro
nginx-proxy-manager:
image: 'jc21/nginx-proxy-manager:latest'
restart: unless-stopped
container_name: mainstack-nginxproxymanager
ports:
- '80:80'
- '443:443'
volumes:
- ./nginx-proxy-manager/data:/data
- ./nginx-proxy-manager/letsencrypt:/etc/letsencrypt
networks:
default:
ipv6_address: "fd00:0:0:1:3::2"
depends_on:
- uptime-kuma
- boris-uptime-koom
uptime-kuma:
image: louislam/uptime-kuma:latest
container_name: uptime-kuma
restart: unless-stopped
volumes:
- ./uptime-kuma:/app/data
networks:
default:
ipv6_address: "fd00:0:0:1:3::3"
telegraf:
restart: unless-stopped
image: telegraf:latest
container_name: telegraf
volumes:
- ./telegraf.conf:/etc/telegraf/telegraf.conf

10
Monitoring VPS/homeaccesswg.conf Normal file
View File

@ -0,0 +1,10 @@
[Interface]
PrivateKey =
Address = 172.16.16.6/32
#DNS = 172.16.16.1
[Peer]
PublicKey =
AllowedIPs = 172.16.16.0/24, 192.168.5.0/24, 192.168.6.0/24, 192.168.11.0/30, 192.168.10.0/30
PersistentKeepalive = 25
Endpoint = router.internal.tgj.services:51830

3
Monitoring VPS/readme.md Normal file
View File

@ -0,0 +1,3 @@
* Configs from vps.tgj.services runs uptime kuma (https://status.tgj.services)[https://status.tgj.services] and telegraf to collect ping data (https://tgj.services/graph/goto/hnhB7DkIR?orgId=1)[https://tgj.services/graph/goto/hnhB7DkIR?orgId=1]
** Server is a small one core system provided by a friend who runs a hosting provider Gets IPV6 from a huricane electric runnel, Also contains a wireguard tunnel to my house for internal service monitoring

30
Monitoring VPS/telegraf.conf Normal file
View File

@ -0,0 +1,30 @@
# Configuration for telegraf agent
[agent]
interval = "10s"
round_interval = true
metric_batch_size = 1000
metric_buffer_limit = 10000
collection_jitter = "0s"
flush_interval = "10s"
flush_jitter = "0s"
precision = ""
hostname = "TGJ-UK"
omit_hostname = false
[[outputs.influxdb_v2]]
urls = ["https://influx.db.tgj.services"]
token = "<mytoken>"
organization = "TGJ "
bucket = "pings"
[[inputs.ping]]
interval = '5s'
# urls = ['router.internal.tgj.services','thatguyjack.co.uk','google.com','mail.uk.tgj.services','borishub.co.uk','luke.tgj.services','1.1.1.1','router.internal.borishub.co.uk','router.internal.swittcorp.net','router.internal.iwouldntdownloadacar.co.uk','2a12:bec0:210::1','2a12:bec0:212::1','2a12:bec0:213::1','2a12:bec0:214::1','2a12:bec0:215::1','2a12:bec0:216::1','2a12:bec0:21d::1','2a12:bec0:219::1','2a12:bec0:218::1','2a12:bec0:210:2::2', '2a12:bec0:210:3::2', '2a12:bec0:210:5::2', '2a12:bec0:210:4::2','149.18.80.30','149.18.80.31','149.18.80.32','149.18.80.33','149.18.80.35','149.18.80.36','149.18.80.37','149.18.80.38','149.18.80.39']
urls = ['router.internal.tgj.services','thatguyjack.co.uk','google.com','mail.uk.tgj.services','borishub.co.uk','luke.tgj.services','1.1.1.1','router.internal.borishub.co.uk','router.internal.swittcorp.net','router.internal.iwouldntdownloadacar.co.uk','2a12:bec0:210::1','2a12:bec0:212::1','2a12:bec0:213::1','2a12:bec0:214::1','2a12:bec0:215::1','2a12:bec0:216::1','2a12:bec0:21d::1','2a12:bec0:219::1','2a12:bec0:218::1','2a12:bec0:210:2::2', '2a12:bec0:210:3::2', '2a12:bec0:210:5::2', '2a12:bec0:210:4::2','149.18.80.30','149.18.80.31','149.18.80.32','149.18.80.33','149.18.80.35','149.18.80.36','149.18.80.37','149.18.80.38','149.18.80.39','45.61.173.144','45.61.173.145','45.61.173.146','45.61.173.147','45.61.173.148','45.61.173.149','45.61.173.150','45.61.173.151','45.61.173.152','45.61.173.153']
count = 1
ping_interval = 1.0
timeout = 3.0
deadline = 3

310
VDS/bird.conf Normal file
View File

@ -0,0 +1,310 @@
router id 45.61.173.144;
log syslog all;
log "/var/log/bird/bird.log" { debug, trace, info, remote, warning, error, auth, fatal, bug };
protocol kernel {
ipv6;
scan time 15;
# learn;
}
protocol kernel {
ipv4;
scan time 15;
# learn;
}
protocol device {
scan time 10;
}
protocol static announcev6 {
ipv6;
description "Static v6 Routes";
route 2a12:bec0:210::/44 blackhole; #default Blackhole for subnet
route 2a12:bec0:210:4::/64 via 2a12:bec0:210:4::1; #Pete-tunnel
route 2a12:bec0:218::/48 via 2a12:bec0:210:4::2; #Pete-range
route 2a12:bec0:210:2::/64 via 2a12:bec0:210:2::1; #TGJ-tunnel
route 2a12:bec0:214::/48 via 2a12:bec0:210:2::2; #TGJ-range
route 2a12:bec0:210:5::/64 via 2a12:bec0:210:5::1; #Hugo-tunnel
route 2a12:bec0:21d::/48 via 2a12:bec0:210:5::2; #Hugo-range
route 2a12:bec0:210:3::/64 via 2a12:bec0:210:3::1; #Boris-tunnel
route 2a12:bec0:219::/48 via 2a12:bec0:210:3::2; #Boris-Range
route 2a12:bec0:210:6::/64 via 2a12:bec0:210:6::1; #Khem
route 2a12:bec0:213::/48 via 2a12:bec0:210:6::2; #Khem-Range
route 2a12:bec0:210:8::/64 via 2a12:bec0:210:8::1; #Jake
route 2a12:bec0:215::/48 via 2a12:bec0:210:8::2; #Jake-Range
# route 2a12:bec0:210:7::/64 via 2a12:bec0:210:7::1; #Khempi
# route 2a12:bec0:212::/48 via 2a12:bec0:210:7::2; #Khempi-Range
}
protocol static announcev4 {
ipv4;
description "Static v4 Routes";
# route 2a12:bec0:215::/48 blackhole; #default Blackhole for subnet
}
protocol static {
ipv6;
}
protocol static {
ipv4;
}
define BOGON_ASNS = [
0, # RFC 7607
23456, # RFC 4893 AS_TRANS
64496..64511, # RFC 5398 and documentation/example ASNs
64512..65534, # RFC 6996 Private ASNs
65535, # RFC 7300 Last 16 bit ASN
65536..65551, # RFC 5398 and documentation/example ASNs
65552..131071, # RFC IANA reserved ASNs
4200000000..4294967294, # RFC 6996 Private ASNs
4294967295 # RFC 7300 Last 32 bit ASN
];
define V6_BOGON_PREFIXES = [
#v6 bogon
::/8+, # RFC 4291 IPv4-compatible, loopback, et al
0100::/64+, # RFC 6666 Discard-Only
2001:2::/48+, # RFC 5180 BMWG
2001:10::/28+, # RFC 4843 ORCHID
2001:db8::/32+, # RFC 3849 documentation
2002::/16+, # RFC 7526 6to4 anycast relay
3ffe::/16+, # RFC 3701 old 6bone
fc00::/7+, # RFC 4193 unique local unicast
fe80::/10+, # RFC 4291 link local unicast
fec0::/10+, # RFC 3879 old site local unicast
ff00::/8+ # RFC 4291 multicast
];
define V4_BOGON_PREFIXES = [
#v4 bogon
0.0.0.0/8+, # RFC 1122 'this' network
10.0.0.0/8+, # RFC 1918 private space
100.64.0.0/10+, # RFC 6598 Carrier grade nat space
127.0.0.0/8+, # RFC 1122 localhost
169.254.0.0/16+, # RFC 3927 link local
172.16.0.0/12+, # RFC 1918 private space
192.0.2.0/24+, # RFC 5737 TEST-NET-1
192.88.99.0/24+, # RFC 7526 6to4 anycast relay
192.168.0.0/16+, # RFC 1918 private space
198.18.0.0/15+, # RFC 2544 benchmarking
198.51.100.0/24+, # RFC 5737 TEST-NET-2
203.0.113.0/24+, # RFC 5737 TEST-NET-3
224.0.0.0/4+, # multicast
240.0.0.0/4+ # reserved
];
function reject_bogon_asns() {
if (bgp_path ~ BOGON_ASNS) then
{
print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
reject;
}
}
function reject_v4_bogon_prefixes() {
if (net ~ V4_BOGON_PREFIXES) then
{
print "Reject: Bogon prefix: ", net, " ", bgp_path;
reject;
}
}
function reject_v6_bogon_prefixes() {
if (net ~ V6_BOGON_PREFIXES) then
{
print "Reject: Bogon prefix: ", net, " ", bgp_path;
reject;
}
}
function reject_smallv6_prefixes() {
if (net.len > 64) then
{
print "Reject: Too small prefix: ", net, " ", bgp_path;
reject;
}
}
function reject_smallv4_prefixes() {
if (net.len > 24) then
{
print "Reject: Too small prefix: ", net, " ", bgp_path;
reject;
}
}
function reject_long_aspaths() {
if (bgp_path.len > 100) then
{
print "Reject: Too long AS path: ", net, " ", bgp_path;
reject;
}
}
filter rt_import {
reject_bogon_asns();
reject_v4_bogon_prefixes();
reject_v6_bogon_prefixes();
reject_smallv6_prefixes();
reject_smallv4_prefixes();
reject_long_aspaths();
accept;
}
filter rt_export {
if (proto = "announcev4") then
accept;
if (proto = "announcev6") then
accept;
reject;
}
#EBGP upstream sessions
protocol bgp scaleblade {
local 2a12:bec0:7000:1:149:18:80:30 as 199519;
# local 2a12:bec1:b00b:b00b:b00b:b00b:b00b:b00b as 199519;
neighbor 2a12:bec0:7000::1 as 52041;
multihop 255;
ipv6 {
export limit 20;
import filter rt_import;
export filter rt_export;
graceful restart on;
};
}
#protocol bgp R64 {
# local 2a0f:5707:abf8:134::2 as 199519;
# neighbor 2a0f:5707:abf8:134::1 as 212895;
# ipv6 {
# import none;
# export filter rt_export;
# };
#}
#IBGP sessions
protocol bgp TGJHOME {
local 2a12:bec0:210:2::1 as 199519;
neighbor 2a12:bec0:210:2::2 as 199519;
multihop 255;
ipv6 {
import limit 20;
import filter rt_import;
export filter rt_export;
};
}
protocol bgp hugo {
local 2a12:bec0:210:5::1 as 199519;
neighbor 2a12:bec0:210:5::2 as 199519;
multihop 255;
ipv6 {
import limit 10;
import filter rt_import;
export filter rt_export;
};
}
protocol bgp pete {
local 2a12:bec0:210:4::1 as 199519;
neighbor 2a12:bec0:210:4::2 as 199519;
multihop 255;
ipv6 {
import limit 10;
import filter rt_import;
export filter rt_export;
};
}
protocol bgp boris {
local 2a12:bec0:210:3::1 as 199519;
neighbor 2a12:bec0:210:3::2 as 199519;
multihop 255;
ipv6 {
import limit 10;
import filter rt_import;
export filter rt_export;
};
}
protocol bgp khem {
local 2a12:bec0:210:6::1 as 199519;
neighbor 2a12:bec0:210:6::2 as 199519;
multihop 255;
ipv6 {
import limit 20;
import filter rt_import;
export filter rt_export;
};
}
protocol bgp luke {
local 2a12:bec0:210:7::1 as 199519;
neighbor 2a12:bec0:210:7::2 as 199519;
multihop 255;
ipv6 {
import limit 20;
import filter rt_import;
export filter rt_export;
};
}
#iBGP Customers
#protocol bgp mrcool {
# local 2a12:bec0:210:10::1 as 199519;
# neighbor 2a12:bec0:210:10::2 as 199187;
# multihop 255;
# ipv6 {
# import limit 10;
# import filter rt_import;
# export filter rt_export;
# };
#}
protocol bgp jake {
local 2a12:bec0:210:8::1 as 199519;
neighbor 2a12:bec0:210:8::2 as 199519;
multihop 255;
ipv6 {
import limit 10;
import filter rt_import;
export filter rt_export;
};
}
#Monitoring
protocol bgp QRT {
local 45.61.173.144 as 199519;
neighbor 178.248.237.29 as 197068;
multihop 255;
ipv6 {
import filter rt_import;
export filter rt_export;
};
}
# off till full table
#protocol bgp bgptools {
# local 2a12:bec0:7000:1:149:18:80:30 as 199519;
# neighbor 2a0c:2f07:9459::b6 as 212232;
# multihop 255;
# ipv6 {
# import all;
# export all;
# };
#}

1
VDS/readme.md Normal file
View File

@ -0,0 +1 @@
* Configs from vds.tgj.services

6
VDS/tayga.conf Normal file
View File

@ -0,0 +1,6 @@
tun-device nat64 #Virtual Device name
ipv4-addr 192.168.255.1 #Nat64 v4 address range
ipv6-addr 2a12:bec0:210:65::1 #ipv6 address for external access
prefix 2a12:bec0:210:64::/96 #ipv6 subnet for DNS64'd requests
dynamic-pool 192.168.255.0/24 #Dynamic pool for v4 Clients
data-dir /var/spool/tayga

44
VDS/wireguard-example.conf Normal file
View File

@ -0,0 +1,44 @@
#ipv6 ibgp wireguard
#Server PrivateKey
#Server Publickey
[Interface]
PrivateKey =
Address = 2a12:bec0:210:2::1/64,172.23.10.1/30 #Local Interface addresses
ListenPort = 51819
MTU = 1430 #MTU supported on a standard GPON network
PreUp = iptables -t nat -A PREROUTING -d <ExternalIP> -p tcp --dport 1:65000 -j DNAT --to-destination 172.23.10.2 #Forward all TCP ports on external IP to Peers Address
PreUp = iptables -t nat -A PREROUTING -d <ExternalIP> -p udp --dport 1:65000 -j DNAT --to-destination 172.23.10.2 #Forward all UDP ports on external IP to Peers Address
PreUp = iptables -t nat -A POSTROUTING -s 172.23.10.2/30 -j SNAT --to-source <ExternalIP> #Add SNAT (source NAT) rule for outgoing traffic
PreUp = ip6tables -A FORWARD -i ens18 -o wg1 -j ACCEPT #allow BGP'd traffic between interfaces
PreUp = ip6tables -A FORWARD -i wg1 -o ens18 -j ACCEPT
PreUp = ip6tables -A FORWARD -i wg1 -o wg2 -j ACCEPT
PreUp = ip6tables -A FORWARD -i wg1 -o wg3 -j ACCEPT
PreUp = ip6tables -A FORWARD -i wg1 -o wg4 -j ACCEPT
PreUp = ip6tables -A FORWARD -i wg1 -o wg5 -j ACCEPT
PreUp = ip6tables -A FORWARD -i wg1 -o wg9 -j ACCEPT
PreUp = ip6tables -A FORWARD -i wg1 -o wg10 -j ACCEPT
PreUp = ip6tables -A FORWARD -i wg1 -o nat64 -j ACCEPT
PreUp = ip6tables -A FORWARD -i nat64 -o wg1 -j ACCEPT
#Same as above but removing rules
PostDown = ip6tables -D FORWARD -i nat64 -o wg1 -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg1 -o nat64 -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg1 -o wg2 -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg1 -o wg3 -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg1 -o wg4 -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg1 -o wg5 -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg1 -o wg9 -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg1 -o wg10 -j ACCEPT
PostDown = ip6tables -D FORWARD -i ens18 -o wg1 -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg1 -o ens18 -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -d <ExternalIP> -p tcp --dport 1:65000 -j DNAT --to-destination 172.23.10.2
PostDown = iptables -t nat -D PREROUTING -d <ExternalIP> -p udp --dport 1:65000 -j DNAT --to-destination 172.23.10.2
PostDown = iptables -t nat -D POSTROUTING -s 172.23.10.2/30 -j SNAT --to-source <ExternalIP>
[Peer]
#PublicKey =
PublicKey =
AllowedIPs = 2a12:bec0:210:2::2/64,2a12:bec0:214::/48,172.23.10.2/30