Age | Commit message | Author

Before:
- enp1s0: wan
- enp2s0: lan (with VLANs)
- enp3s0: mgt

Changes in this patch:
- wan is moved to VLAN id 5
- bond0 is created, replacing lan as lower device for VLANs
- mgt config is removed (could be reconfigured as a VLAN, and
  made available on a switch port)
- all 3 ports are enslaved in bond0

From the switch towards the space server the load-balance algorithm
src-dst-ip* is used.
From the space server towards the switch L3+L4 is used.
Therefore a single IP pair will always use the same 1G
from the switch to the space server; a client therefore
needs to multiplex over multiple IPs in order to

*) The src-dst-ip algorithm on the switch hasn't been
tested with IPv6 yet. Hopefully we can find a better
switch at some point, so we can include the L4 ports in
the hashing on the switch.

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>

Move the Tor exit nodes to their own VLAN, and
their own address space.

Background for move
-------------------
For the first Tor exit node, we were able to
create inet6num object 2a01:4262:1ab:20::71/128.
So we could assign a specific Tor abuse contact.
When we added the second node it was no longer
possible to create /128 inet6num objects, but
only up to /64. We therefore need to move our
Tor exit nodes to a dedicated address space.

Connection tracking
-------------------
Connection tracking is quite expensive, so
it's better to only do it for Tor traffic,
when we actually need it, which is only when
internal clients need to access the servers.
In the future conntrack could also be disabled
for labicolo in general.

Current stats
~~~~~~~~~~~~~
[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack |
grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071
[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack

Currently 4071 out of 39138 connections are not Tor related.
Also reading /proc/net/nf_conntrack is quite slow atm.:
[root@space ~]# time cat /proc/net/nf_conntrack > /dev/null
real 0m35.097s
user 0m0.010s
sys 0m28.114s

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>

time.cloudflare.com has much lower ping than any of the
default N.fedora.pool.ntp.org servers.

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>

Fixes: 78688483 space_server: add Asbjorn's colo addresses and net

..rather radvd

..rather than overriding ExecStart to call
networkd-wait-online with --ignore

..to avoid overlapping /32 announced by DKUUG.

..to default routes

The trick to overwriting the ExecStart option is to clear
it first with ExecStart=

..on lan interfaces with IPv6