

# Вариант 3 (etherwave.net) — всё по машинам

## Подсети

|Сеть            |Маска|Хостов|
|----------------|-----|------|
|VLAN100 (HQ-SRV)|/29  |6     |
|VLAN200 (HQ-CLI)|/27  |30    |
|BR-SRV          |/26  |62    |
|VLAN999 (Mgmt)  |/25  |126   |
|ISP→HQ-RTR      |/28  |—     |
|ISP→BR-RTR      |/28  |—     |
|GRE туннель     |/30  |—     |

-----

# ISP

```bash
# Set the FQDN, then replace the current shell so the prompt reflects the new name
hostnamectl set-hostname 'isp.etherwave.net'
exec bash
```

```bash
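# enp7s1 — uplink to the provider, address via DHCP
# (directory created explicitly, like for every other interface below; the
# write would fail if etcnet has not created it yet)
mkdir -p /etc/net/ifaces/enp7s1
cat > /etc/net/ifaces/enp7s1/options << 'EOF'
TYPE=eth
BOOTPROTO=dhcp
EOF

# enp7s2 — point-to-point link to HQ-RTR (172.16.4.0/28)
mkdir -p /etc/net/ifaces/enp7s2
cat > /etc/net/ifaces/enp7s2/options << 'EOF'
TYPE=eth
BOOTPROTO=static
EOF
echo "172.16.4.1/28" > /etc/net/ifaces/enp7s2/ipv4address
# static return routes to the HQ networks behind HQ-RTR (ISP runs no dynamic routing)
cat > /etc/net/ifaces/enp7s2/ipv4route << 'EOF'
192.168.100.0/29 via 172.16.4.2
192.168.200.0/27 via 172.16.4.2
192.168.99.0/25 via 172.16.4.2
EOF

# enp7s3 — point-to-point link to BR-RTR (172.16.5.0/28)
mkdir -p /etc/net/ifaces/enp7s3
cat > /etc/net/ifaces/enp7s3/options << 'EOF'
TYPE=eth
BOOTPROTO=static
EOF
echo "172.16.5.1/28" > /etc/net/ifaces/enp7s3/ipv4address
# static return route to the branch network behind BR-RTR
echo "192.168.30.0/26 via 172.16.5.2" > /etc/net/ifaces/enp7s3/ipv4route

systemctl restart network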
```

```bash
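# NAT for HQ and BR towards the Internet
# Enable forwarding persistently. Edit an existing ip_forward line instead of
# blindly appending, so re-running the block does not pile up duplicates.
if grep -q '^net.ipv4.ip_forward' /etc/net/sysctl.conf; then
  sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/net/sysctl.conf
else
  echo "net.ipv4.ip_forward = 1" >> /etc/net/sysctl.conf
fi
sysctl -p /etc/net/sysctl.conf
apt-get install -y iptables
# masquerade everything leaving the uplink; -C checks first so a re-run does
# not add a second identical rule
iptables -t nat -C POSTROUTING -o enp7s1 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -o enp7s1 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
systemctl enable --now iptables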
```

```bash
# Time zone (UTC+5)
timedatectl set-timezone 'Asia/Yekaterinburg'
```

**Проверка:**

```bash
# Interfaces and routing table
ip address
ip route
# both customer routers must answer over their point-to-point links:
# 172.16.4.2 — HQ-RTR, 172.16.5.2 — BR-RTR
for peer in 172.16.4.2 172.16.5.2; do
  ping -c 3 "$peer"
done
```

-----

# HQ-RTR

```bash
# Set the FQDN, then replace the current shell so the prompt reflects the new name
hostnamectl set-hostname 'hq-rtr.etherwave.net'
exec bash
```

```bash
# WAN — link to ISP (172.16.4.0/28), default route via ISP
mkdir -p /etc/net/ifaces/enp7s1
printf 'TYPE=eth\nBOOTPROTO=static\n' > /etc/net/ifaces/enp7s1/options
echo "172.16.4.2/28" > /etc/net/ifaces/enp7s1/ipv4address
echo "default via 172.16.4.1" > /etc/net/ifaces/enp7s1/ipv4route

# LAN trunk (no IP of its own): parent of the 802.1Q sub-interfaces below
mkdir -p /etc/net/ifaces/enp7s2
printf 'TYPE=eth\nBOOTPROTO=static\n' > /etc/net/ifaces/enp7s2/options

# VLAN sub-interfaces on the trunk, "VID address/prefix":
#   100 — HQ-SRV, 200 — HQ-CLI, 999 — management
for spec in '100 192.168.100.1/29' '200 192.168.200.1/27' '999 192.168.99.1/25'; do
  read -r vid addr <<< "$spec"
  dir="/etc/net/ifaces/enp7s2.${vid}"
  mkdir -p "$dir"
  printf 'TYPE=vlan\nBOOTPROTO=static\nVID=%s\nHOST=enp7s2\n' "$vid" > "$dir/options"
  echo "$addr" > "$dir/ipv4address"
done

systemctl restart network
```

```bash
# GRE tunnel to BR-RTR, carried over the ISP links; 10.0.0.0/30 inside the tunnel.
# GRE itself is not encrypted — the OSPF MD5 key configured later authenticates
# routing updates only, not the tunnelled traffic.
tun=/etc/net/ifaces/gre1
mkdir -p "$tun"
cat > "$tun/options" << 'EOF'
TYPE=iptun
TUNTYPE=gre
TUNLOCAL=172.16.4.2
TUNREMOTE=172.16.5.2
TUNOPTIONS='ttl 64'
HOST=enp7s1
BOOTPROTO=static
MULTICAST=yes
EOF
echo "10.0.0.1/30" > "$tun/ipv4address"

systemctl restart network
# bring the tunnel up explicitly (the rc.local block repeats this at boot);
# multicast is needed for the OSPF hello exchange over gre1
ip link set gre1 up
ip link set gre1 multicast on
```

```bash
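# Bring the tunnel up at boot. Guarded so that re-running the block does not
# append the same two lines again.
if ! grep -q 'ip link set gre1 up' /etc/rc.d/rc.local 2>/dev/null; then
  cat >> /etc/rc.d/rc.local << 'EOF'
ip link set gre1 up
ip link set gre1 multicast on
EOF
fi
chmod +x /etc/rc.d/rc.local
systemctl enable rc-local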
```

```bash
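# NAT for the HQ networks towards the Internet (traffic to the branch goes via
# gre1 and is therefore not translated).
# Edit an existing ip_forward line instead of appending, so a re-run does not
# leave duplicate entries in sysctl.conf.
if grep -q '^net.ipv4.ip_forward' /etc/net/sysctl.conf; then
  sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/net/sysctl.conf
else
  echo "net.ipv4.ip_forward = 1" >> /etc/net/sysctl.conf
fi
sysctl -p /etc/net/sysctl.conf
apt-get install -y iptables
# -C checks for the rule first so a re-run does not add a duplicate
iptables -t nat -C POSTROUTING -o enp7s1 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -o enp7s1 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
systemctl enable --now iptables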
```

```bash
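# OSPF (FRR): advertise the HQ networks to BR-RTR over the GRE tunnel
apt-get install -y frr
sed -i 's/ospfd=no/ospfd=yes/' /etc/frr/daemons
systemctl enable --now frr

# The same configuration as an interactive vtysh session, but non-interactive:
# after a bare `vtysh` the following lines would be executed by the shell, not
# by vtysh, if this block were pasted or run as a script. Each -c runs in the
# CLI node the previous one left, so the order matters.
# All interfaces are passive except the tunnel; the MD5 key must be identical
# on BR-RTR.
vtysh \
  -c 'configure terminal' \
  -c 'router ospf' \
  -c 'passive-interface default' \
  -c 'network 10.0.0.0/30 area 0' \
  -c 'network 192.168.100.0/29 area 0' \
  -c 'network 192.168.200.0/27 area 0' \
  -c 'network 192.168.99.0/25 area 0' \
  -c 'exit' \
  -c 'interface gre1' \
  -c 'no ip ospf passive' \
  -c 'ip ospf authentication message-digest' \
  -c 'ip ospf message-digest-key 1 md5 P@ssw0rd' \
  -c 'end' \
  -c 'write'

# confirm gre1 is active (non-passive) with message-digest authentication
vtysh -c 'show ip ospf interface gre1'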
```

```bash
# DHCP for HQ-CLI (VLAN200, 192.168.200.0/27): .1 is the router, .2-.30 the pool
apt-get install -y dhcp-server

cat > /etc/dhcp/dhcpd.conf << 'EOF'
subnet 192.168.200.0 netmask 255.255.255.224 {
  range 192.168.200.2 192.168.200.30;
  option routers 192.168.200.1;
  option domain-name-servers 192.168.100.2;
  option domain-name "etherwave.net";
}
EOF

# NOTE(review): the DNS records on HQ-SRV assume hq-cli ends up on 192.168.200.2;
# nothing here pins that address — confirm, or add a host reservation.
# serve only on the VLAN200 sub-interface
printf '%s\n' 'DHCPDARGS="enp7s2.200"' > /etc/sysconfig/dhcpd
systemctl enable --now dhcpd
```

```bash
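# User firewallwren with passwordless sudo through the wheel group
useradd firewallwren
passwd firewallwren
# Enter: P@$$word
usermod -aG wheel firewallwren
sed -i 's/^#\s*%wheel\s*ALL=(ALL:ALL)\s*NOPASSWD: ALL/%wheel ALL=(ALL:ALL) NOPASSWD: ALL/' /etc/sudoers
# A syntax error in /etc/sudoers disables sudo for everyone, so validate the
# edited file; then confirm the wheel line is really active — the sed above is
# a silent no-op if the commented template line does not match its pattern.
visudo -cf /etc/sudoers
grep -E '^%wheel.*NOPASSWD' /etc/sudoers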
```

```bash
# Time zone (UTC+5)
timedatectl set-timezone 'Asia/Yekaterinburg'
```

**Проверка:**

```bash
# Interfaces and routing table
ip address
ip route
# upstream link to ISP and the far end of the GRE tunnel (BR-RTR)
ping -c 3 172.16.4.1
ping -c 3 10.0.0.2
# BR-RTR must appear as a Full neighbour and its 192.168.30.0/26 as an OSPF route
vtysh -c "show ip ospf neighbor"
vtysh -c "show ip route ospf"
```

-----

# BR-RTR

```bash
# Set the FQDN, then replace the current shell so the prompt reflects the new name
hostnamectl set-hostname 'br-rtr.etherwave.net'
exec bash
```

```bash
# WAN — link to ISP (172.16.5.0/28), default route via ISP
wan=/etc/net/ifaces/enp7s1
mkdir -p "$wan"
printf 'TYPE=eth\nBOOTPROTO=static\n' > "$wan/options"
echo "172.16.5.2/28" > "$wan/ipv4address"
echo "default via 172.16.5.1" > "$wan/ipv4route"

# LAN — branch network 192.168.30.0/26, this router is .1
lan=/etc/net/ifaces/enp7s2
mkdir -p "$lan"
printf 'TYPE=eth\nBOOTPROTO=static\n' > "$lan/options"
echo "192.168.30.1/26" > "$lan/ipv4address"

systemctl restart network
```

```bash
# GRE tunnel to HQ-RTR, carried over the ISP links; 10.0.0.0/30 inside the tunnel.
# GRE itself is not encrypted — the OSPF MD5 key configured later authenticates
# routing updates only, not the tunnelled traffic.
tun=/etc/net/ifaces/gre1
mkdir -p "$tun"
cat > "$tun/options" << 'EOF'
TYPE=iptun
TUNTYPE=gre
TUNLOCAL=172.16.5.2
TUNREMOTE=172.16.4.2
TUNOPTIONS='ttl 64'
HOST=enp7s1
BOOTPROTO=static
MULTICAST=yes
EOF
echo "10.0.0.2/30" > "$tun/ipv4address"

systemctl restart network
# bring the tunnel up explicitly (the rc.local block repeats this at boot);
# multicast is needed for the OSPF hello exchange over gre1
ip link set gre1 up
ip link set gre1 multicast on
```

```bash
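# Bring the tunnel up at boot. Guarded so that re-running the block does not
# append the same two lines again.
if ! grep -q 'ip link set gre1 up' /etc/rc.d/rc.local 2>/dev/null; then
  cat >> /etc/rc.d/rc.local << 'EOF'
ip link set gre1 up
ip link set gre1 multicast on
EOF
fi
chmod +x /etc/rc.d/rc.local
systemctl enable rc-local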
```

```bash
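# NAT for the branch network towards the Internet (traffic to HQ goes via gre1
# and is therefore not translated).
# Edit an existing ip_forward line instead of appending, so a re-run does not
# leave duplicate entries in sysctl.conf.
if grep -q '^net.ipv4.ip_forward' /etc/net/sysctl.conf; then
  sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/net/sysctl.conf
else
  echo "net.ipv4.ip_forward = 1" >> /etc/net/sysctl.conf
fi
sysctl -p /etc/net/sysctl.conf
apt-get install -y iptables
# -C checks for the rule first so a re-run does not add a duplicate
iptables -t nat -C POSTROUTING -o enp7s1 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -o enp7s1 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
systemctl enable --now iptables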
```

```bash
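# OSPF (FRR): advertise the branch network to HQ-RTR over the GRE tunnel
apt-get install -y frr
sed -i 's/ospfd=no/ospfd=yes/' /etc/frr/daemons
systemctl enable --now frr

# The same configuration as an interactive vtysh session, but non-interactive:
# after a bare `vtysh` the following lines would be executed by the shell, not
# by vtysh, if this block were pasted or run as a script. Each -c runs in the
# CLI node the previous one left, so the order matters.
# All interfaces are passive except the tunnel; the MD5 key must be identical
# on HQ-RTR.
vtysh \
  -c 'configure terminal' \
  -c 'router ospf' \
  -c 'passive-interface default' \
  -c 'network 10.0.0.0/30 area 0' \
  -c 'network 192.168.30.0/26 area 0' \
  -c 'exit' \
  -c 'interface gre1' \
  -c 'no ip ospf passive' \
  -c 'ip ospf authentication message-digest' \
  -c 'ip ospf message-digest-key 1 md5 P@ssw0rd' \
  -c 'end' \
  -c 'write'

# confirm gre1 is active (non-passive) with message-digest authentication
vtysh -c 'show ip ospf interface gre1'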
```

```bash
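# User firewallwren with passwordless sudo through the wheel group
useradd firewallwren
passwd firewallwren
# Enter: P@$$word
usermod -aG wheel firewallwren
sed -i 's/^#\s*%wheel\s*ALL=(ALL:ALL)\s*NOPASSWD: ALL/%wheel ALL=(ALL:ALL) NOPASSWD: ALL/' /etc/sudoers
# A syntax error in /etc/sudoers disables sudo for everyone, so validate the
# edited file; then confirm the wheel line is really active — the sed above is
# a silent no-op if the commented template line does not match its pattern.
visudo -cf /etc/sudoers
grep -E '^%wheel.*NOPASSWD' /etc/sudoers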
```

```bash
# Time zone (UTC+5)
timedatectl set-timezone 'Asia/Yekaterinburg'
```

**Проверка:**

```bash
# Interfaces and routing table
ip address
ip route
# upstream link to ISP and the far end of the GRE tunnel (HQ-RTR)
ping -c 3 172.16.5.1
ping -c 3 10.0.0.1
# HQ-RTR must appear as a Full neighbour and the HQ prefixes as OSPF routes
vtysh -c "show ip ospf neighbor"
vtysh -c "show ip route ospf"
```

-----

# HQ-SRV

```bash
# Set the FQDN, then replace the current shell so the prompt reflects the new name
hostnamectl set-hostname 'hq-srv.etherwave.net'
exec bash
```

```bash
# Static address in VLAN100 (192.168.100.0/29); HQ-RTR (.1) is the gateway
iface=/etc/net/ifaces/enp7s1
mkdir -p "$iface"
printf 'TYPE=eth\nBOOTPROTO=static\n' > "$iface/options"
echo "192.168.100.2/29" > "$iface/ipv4address"
echo "default via 192.168.100.1" > "$iface/ipv4route"

systemctl restart network
```

```bash
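# User quantumduck with a fixed UID (1003, same as on BR-SRV) and passwordless
# sudo through the wheel group
useradd -u 1003 quantumduck
passwd quantumduck
# Enter: P@ssw0rd
usermod -aG wheel quantumduck
sed -i 's/^#\s*%wheel\s*ALL=(ALL:ALL)\s*NOPASSWD: ALL/%wheel ALL=(ALL:ALL) NOPASSWD: ALL/' /etc/sudoers
# A syntax error in /etc/sudoers disables sudo for everyone, so validate the
# edited file before relying on it; the grep confirms the sed actually matched
# (it is a silent no-op if the commented template line differs from the pattern).
visudo -cf /etc/sudoers
grep NOPASSWD /etc/sudoers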
```

```bash
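# SSH: non-standard port, only quantumduck may log in, banner shown before auth
cat >> /etc/openssh/sshd_config << 'EOF'

Port 2022
AllowUsers quantumduck
MaxAuthTries 2
PasswordAuthentication yes
Banner /etc/openssh/banner
EOF

echo "Authorized access only" > /etc/openssh/banner
# sshd takes the FIRST value of a keyword it sees, so a directive appended at
# the end is silently ignored if the stock config already sets it earlier:
# print the effective values, then syntax-check before restarting so a bad
# config cannot leave sshd down.
sshd -T | grep -iE '^(port|allowusers|maxauthtries|passwordauthentication|banner) '
sshd -t && systemctl restart sshd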
```

```bash
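# DNS (dnsmasq): local records for etherwave.net, everything else forwarded to 8.8.8.8
apt-get install -y dnsmasq
systemctl stop dnsmasq
# keep the distribution config as a backup exactly once; on a re-run the
# unguarded mv would overwrite that backup with our own generated file
[ -e /etc/dnsmasq.conf.bak ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak

cat > /etc/dnsmasq.conf << 'EOF'
interface=enp7s1
listen-address=192.168.100.2,127.0.0.1
domain=etherwave.net
server=8.8.8.8
no-resolv

host-record=hq-rtr.etherwave.net,192.168.100.1
host-record=hq-srv.etherwave.net,192.168.100.2
host-record=hq-cli.etherwave.net,192.168.200.2
host-record=br-rtr.etherwave.net,192.168.30.1
host-record=br-srv.etherwave.net,192.168.30.2
cname=moodle.etherwave.net,hq-rtr.etherwave.net
cname=wiki.etherwave.net,hq-rtr.etherwave.net

ptr-record=1.100.168.192.in-addr.arpa,hq-rtr.etherwave.net
ptr-record=2.100.168.192.in-addr.arpa,hq-srv.etherwave.net
ptr-record=2.200.168.192.in-addr.arpa,hq-cli.etherwave.net
EOF

# NOTE(review): hq-cli is addressed by DHCP from HQ-RTR's 192.168.200.2-30 pool;
# the A/PTR records above assume it lands on .2 — confirm or reserve the address.
# syntax check before enabling, so a typo does not leave the resolver down
dnsmasq --test
systemctl enable --now dnsmasq
systemctl status dnsmasq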
```

```bash
# Time zone (UTC+5)
timedatectl set-timezone 'Asia/Yekaterinburg'
```

**Проверка:**

```bash
# gateway (HQ-RTR, VLAN100) and Internet reachability
ping -c 3 192.168.100.1
ping -c 3 8.8.8.8
# SSH on the non-standard port, restricted to quantumduck
ssh -p 2022 quantumduck@192.168.100.2
# forward and reverse lookups answered by the local dnsmasq
host hq-srv.etherwave.net 192.168.100.2
host 192.168.100.1 192.168.100.2
```

-----

# BR-SRV

```bash
# Set the FQDN, then replace the current shell so the prompt reflects the new name
hostnamectl set-hostname 'br-srv.etherwave.net'
exec bash
```

```bash
# Static address in the branch network (192.168.30.0/26); BR-RTR (.1) is the gateway
iface=/etc/net/ifaces/enp7s1
mkdir -p "$iface"
printf 'TYPE=eth\nBOOTPROTO=static\n' > "$iface/options"
echo "192.168.30.2/26" > "$iface/ipv4address"
echo "default via 192.168.30.1" > "$iface/ipv4route"

systemctl restart network
```

```bash
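# User quantumduck with a fixed UID (1003, same as on HQ-SRV) and passwordless
# sudo through the wheel group
useradd -u 1003 quantumduck
passwd quantumduck
# Enter: P@ssw0rd
usermod -aG wheel quantumduck
sed -i 's/^#\s*%wheel\s*ALL=(ALL:ALL)\s*NOPASSWD: ALL/%wheel ALL=(ALL:ALL) NOPASSWD: ALL/' /etc/sudoers
# A syntax error in /etc/sudoers disables sudo for everyone, so validate the
# edited file before relying on it; the grep confirms the sed actually matched
# (it is a silent no-op if the commented template line differs from the pattern).
visudo -cf /etc/sudoers
grep NOPASSWD /etc/sudoers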
```

```bash
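# SSH: non-standard port, only quantumduck may log in, banner shown before auth
cat >> /etc/openssh/sshd_config << 'EOF'

Port 2022
AllowUsers quantumduck
MaxAuthTries 2
PasswordAuthentication yes
Banner /etc/openssh/banner
EOF

echo "Authorized access only" > /etc/openssh/banner
# sshd takes the FIRST value of a keyword it sees, so a directive appended at
# the end is silently ignored if the stock config already sets it earlier:
# print the effective values, then syntax-check before restarting so a bad
# config cannot leave sshd down.
sshd -T | grep -iE '^(port|allowusers|maxauthtries|passwordauthentication|banner) '
sshd -t && systemctl restart sshd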
```

```bash
# Time zone (UTC+5)
timedatectl set-timezone 'Asia/Yekaterinburg'
```

**Проверка:**

```bash
# gateway (BR-RTR), Internet, and HQ-SRV across the GRE tunnel (route learned via OSPF)
for target in 192.168.30.1 8.8.8.8 192.168.100.2; do
  ping -c 3 "$target"
done
# SSH on the non-standard port, restricted to quantumduck
ssh -p 2022 quantumduck@192.168.30.2
```

-----

# HQ-CLI

```bash
# Set the FQDN, then replace the current shell so the prompt reflects the new name
hostnamectl set-hostname 'hq-cli.etherwave.net'
exec bash
```

```bash
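# Address, gateway and DNS via DHCP from HQ-RTR (VLAN200 pool)
# (directory created explicitly, as on every other machine; the write would
# fail if etcnet has not created it yet)
mkdir -p /etc/net/ifaces/enp7s1
cat > /etc/net/ifaces/enp7s1/options << 'EOF'
TYPE=eth
BOOTPROTO=dhcp
EOF
systemctl restart network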
```

```bash
# Time zone (UTC+5)
timedatectl set-timezone 'Asia/Yekaterinburg'
```

**Проверка:**

```bash
# an address from the HQ-RTR pool 192.168.200.2-30 must be present on enp7s1
ip address
# gateway (HQ-RTR, VLAN200) and Internet reachability
ping -c 3 192.168.200.1
ping -c 3 8.8.8.8
# name resolution through the DNS server handed out by DHCP (HQ-SRV)
host hq-srv.etherwave.net
```

-----

# Proxmox — VLAN теги

|Машина|Адаптер|VLAN Tag        |
|------|-------|----------------|
|HQ-SRV|enp7s1 |100             |
|HQ-CLI|enp7s1 |200             |
|HQ-RTR|enp7s2 |без тега (trunk)|

На Linux Bridge enp7s2 HQ-RTR поставить галку **VLAN aware**.