Need help with subinterfaces

tamorgen
Posts: 53
Joined: Wed Jul 17, 2013 1:48 pm

Need help with subinterfaces

Postby tamorgen » Tue Jun 11, 2019 7:38 am

Good morning,
I've been trying to get my Amahi server to hand out multiple DHCP ranges, for normal LAN traffic, and for IOT traffic. I know this is possible, however, some of Amahi's self-correcting mechanisms seem to be wreaking havoc on my system. Here's the situation.

Through the Amahi control panel, my private IP address for my server is 192.168.1.72. Amahi hands out IP addresses from 192.168.1.100-192.168.1.254. I know I can adjust that range through the HDA GUI, but that's the way it currently stands.

The other day, I thought I got it to work. I added a subinterface in /etc/sysconfig/network-scripts.

[XXXXXXXXXXX@XXXXXXXX network-scripts]$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether d8:cb:8a:53:ca:2e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.72/24 brd 192.168.1.255 scope global enp2s0
valid_lft forever preferred_lft forever
inet6 fe80::13fc:be51:63e7:3acb/64 scope link
valid_lft forever preferred_lft forever
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 68:05:ca:14:b3:4a brd ff:ff:ff:ff:ff:ff

I added a subinterface to enp2s0, which made it enp2s0.20 (20 to match VLAN 20 on my UniFi USG and Ubiquiti managed switch). It covered the network scope of 192.168.2.0/25. Restarting the network.service, enp2s0.20 showed up, showed the proper range and all. A few checks, and I was able to ping both gateways (192.168.1.1 and 192.168.2.1) on my UniFi USG, and ping both server IPs (192.168.1.72 and 192.168.2.72) from my UniFi USG.

Back in /etc/dnsmasq.d/, I created a new .conf file for that DHCP range. I did not change the amahi-dhcp.conf file.

Back on my UniFi USG, I set the DHCP relay to 192.168.2.72 for VLAN 20.

So, after I did this, Amahi started handing out IP addresses for the 192.168.2.0/25 range. Great. I thought I was up and running.

Shortly after that, Amahi stopped handing out IPs for 192.168.1.0/24. I rebooted the server, and I couldn't get back in. The server IP was not responding, and I couldn't get a prompt when I hooked it up to a monitor and keyboard.

I booted into safe mode, and discovered that Amahi had changed enp2s0, as well as all the other standard IP addressing, to the 192.168.2.0/25 range. It was in the unalterable amahi-dhcp.conf, amahi-dns.conf... pretty much all over the place. I tried manually changing them, but Amahi kept changing it back. To top it all off, the Amahi.org control panel showed my server as non-responsive.

I was able to restore everything to its previous state by untarring a backup I made of the /etc folder. This stopped the overwriting behavior I was experiencing, but left me back where I began.

So, my question is, any idea why the 192.168.2.x addresses took over my previous 192.168.1.x ranges? I was under the impression that Amahi referred to the addresses via the installer code, and the only way to alter the main address space was a reinstall. This address space was a subinterface only. It should not have affected the main interface.

Am I missing something that would allow DHCP addresses to be handed out to both ranges?
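A sanity check for the layout described in this post, added here as an example and not part of the original thread or of Amahi: it parses `ip addr show` output and dnsmasq `dhcp-range` lines and reports two conditions that the reboot in this thread produced, two interfaces sitting in the same subnet and a DHCP pool that no interface can serve. The sample text, the VLAN 20 pool bounds and the enp2s0.20 `ip addr` line are constructed, since the post does not give them.

```python
import ipaddress
import re

# Constructed sample of `ip addr show` output (not from the thread verbatim),
# modelled on the working state: enp2s0 on 192.168.1.0/24 and the VLAN 20
# subinterface enp2s0.20 on 192.168.2.0/25.
IP_ADDR_OK = """\
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    inet 192.168.1.72/24 brd 192.168.1.255 scope global enp2s0
3: enp2s0.20@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.2.72/25 brd 192.168.2.127 scope global enp2s0.20
"""
# Constructed: the state the thread describes after a reboot, with the primary
# interface rewritten into the subinterface's 192.168.2.0/25 subnet.
IP_ADDR_BROKEN = IP_ADDR_OK.replace("192.168.1.72/24 brd 192.168.1.255",
                                    "192.168.2.72/25 brd 192.168.2.127")
# Constructed dnsmasq fragments: Amahi's existing pool plus a hypothetical pool
# for VLAN 20 (the thread does not give the second pool's bounds).
DNSMASQ_CONF = """\
dhcp-range=192.168.1.100,192.168.1.254,24h
dhcp-range=192.168.2.100,192.168.2.126,24h
"""

INET_RE = re.compile(r"^\s*inet (\S+/\d+) .*?(\S+)$", re.M)   # addr/prefix ... ifname
RANGE_RE = re.compile(r"^dhcp-range=([\d.]+),([\d.]+)", re.M)  # start,end

def parse_interfaces(ip_addr_output):
    """Return [(ifname, IPv4Interface)] for every IPv4 'inet' line."""
    return [(name, ipaddress.ip_interface(cidr))
            for cidr, name in INET_RE.findall(ip_addr_output)]

def check_dhcp_layout(ip_addr_output, dnsmasq_conf):
    """Return a list of problems; an empty list means the layout is consistent.

    Flags two conditions: two interfaces sharing one subnet (the thread's
    failure) and a dhcp-range with no interface in its subnet to serve it.
    """
    ifaces = parse_interfaces(ip_addr_output)
    problems, owner_of = [], {}
    for name, iface in ifaces:
        net = iface.network
        if net in owner_of:
            problems.append(f"{name} and {owner_of[net]} are both in {net}")
        else:
            owner_of[net] = name
    for start, end in RANGE_RE.findall(dnsmasq_conf):
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if not any(lo in i.network and hi in i.network for _, i in ifaces):
            problems.append(f"dhcp-range {start}-{end} is not on any interface")
    return problems

if __name__ == "__main__":
    print("working state:", check_dhcp_layout(IP_ADDR_OK, DNSMASQ_CONF))
    print("after rewrite:", check_dhcp_layout(IP_ADDR_BROKEN, DNSMASQ_CONF))
```

Running it against live output (`ip addr show` piped in, plus the files under /etc/dnsmasq.d/) before restarting network.service would have shown the rewritten primary interface as a duplicate-subnet problem rather than as a dead server after reboot.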

tamorgen
Posts: 53
Joined: Wed Jul 17, 2013 1:48 pm

Re: Need help with subinterfaces

Postby tamorgen » Tue Jun 11, 2019 2:07 pm

Update:

I rebooted the server, and it reverted again to the 192.168.2.x IP space. I again restored from my /etc-backup.tar file, restarted the network services, and it's running again on 192.168.1.x space. However, I logged into the HDA console, and it's showing 192.168.2.x reservations for the various HDA services, as well as the gateway.


calendar 192.168.2.72
cockpit 192.168.2.72
diskutil 192.168.2.72
esm 192.168.2.72
ghlog 192.168.2.72
hda 192.168.2.72
help 192.168.2.72
router 192.168.2.1
search 192.168.2.72
setup 192.168.2.72
slv 192.168.2.72

This is getting annoying. How do I stop this cycle?

tamorgen
Posts: 53
Joined: Wed Jul 17, 2013 1:48 pm

Re: Need help with subinterfaces

Postby tamorgen » Wed Jun 12, 2019 5:58 am

Anyone? I've spent the past two nights trying to get things back to status quo, but I'm honestly worried I'll lose my network services again if whatever script is running changes my network to the 192.168.2.x range again.

This subinterface issue definitely had unforeseen consequences. I really don't want to have to do a fresh install of my OS, especially since Fedora 27 is deprecated at this point.

cpg
Administrator
Posts: 2603
Joined: Wed Dec 03, 2008 7:40 am

Re: Need help with subinterfaces

Postby cpg » Thu Jun 13, 2019 3:41 am

Well, I'm not sure what we can do.

Amahi was not designed for this kind of under-the-hood hacking with VLANs, multiple interfaces and whatnot.

One thing we can do is capture *what you want to do* (at a high level) in a bug request and we can discuss there.

You list "handing out multiple DHCP ranges, for normal LAN traffic, and for IOT traffic" ... however, the actual reason for wanting that is not stated.

Is it privacy (we like that)? Other things?

Having a virtual interface does not do much for privacy -- basically a sufficiently aware device can scan the network and access anything/everything, so long as the hardware that it's directly connected to does not prevent it (and only fairly expensive hardware does that, home hardware does not usually do that, I believe), any device sufficiently "rogue" can see most things.

We can discuss here, but this was a design choice. There may be hooks we can put to do the things you want, but we need to work on it.
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1

tamorgen
Posts: 53
Joined: Wed Jul 17, 2013 1:48 pm

Re: Need help with subinterfaces

Postby tamorgen » Thu Jun 13, 2019 5:19 am

I want to be able to have a more in-depth view of all of the traffic going through my network and its DNS inquiries. I have installed Pi-hole on my server, which serves as a DNS blackhole for malware, advertisements, etc. Roughly 10% of my DNS inquiries are blackholed, and I really don't go anyplace of a malicious nature, unless you count Facebook and Google into that category. :D With my primary VLAN traffic, because the server hands out the DHCP reservations, I can see which host is making the inquiry. Right now, my IOT traffic has its DHCP reservations handed out by my router/gateway. Unfortunately, because it is handling that, all I know is that a portion of DNS traffic being blackholed comes from my router/gateway, and I can't tell which host is making the DNS call. With a subinterface, the DHCP reservations would be handed out by the server, and I would have a view into all hosts on each VLAN, and what they are doing.

Subinterfaces aren't that uncommon. In fact, you can set up subinterfaces for different VLANs when you run Anaconda during the Fedora setup. Many web administrators use them so they can have multiple web pages running on their server, and use the same port, but different IP addresses, and they don't have to use oddball, nonstandard ports. Currently I run the management software for my network (managed switch, access points, secure gateway) on my Amahi server; however, I have to run it on 8443 instead of 443, since I have my HDA console running on 443. So, when I want to access my management software, I need to hit https://hda:8443 instead of https://hda. It's an annoyance.

I know this sort of configuration is a bit beyond the normal setup for Amahi. Amahi is designed to be easy to set up for the basic user, who may not have a lot of experience with Linux. It does a great job at that. The real problem I'm having is that when I created that subinterface with the 192.168.2.x address space, Amahi decided that it wanted to use that as my primary interface instead, which, by my understanding of Amahi, it shouldn't have. I believe you use Monit to ensure users don't change certain configuration files and keep a backup of those configs somewhere undetermined, which I understand, but the fact that somehow the 192.168.2.x space overwrote the primary 192.168.1.x space is very odd to me. There should be a way for me to get back to that primary IP space, without fearing a reboot will change it back to what should have been the subinterface. All I can do now is keep a backup tarball of my /etc folder, and if a reboot occurs, go back in and untar it and restart network.service.

I'd like a better option to fix this.
