Dev Ops – Page 8 – My Point of View

A Brief Introduction to Cat6 vs Cat6a vs Cat7 vs Fiber

To put it simple, the twisted pair specifications: Cat6 (Class E), Cat6a (Class EA), and Cat7 (Class F) all support 10GBASE-T applications with differentiated performances.

Check the below chart to get a full understanding of the specifications and typical applications of Cat6 vs Cat6a vs Cat7.

ALL backward compatible – you can plug a newer twisted pair cable into a device that is designed for a slower cable.

The fastest Ethernet cable yet is Cat8, which can support data rate up to 40Gbps, four times of Cat6a cable. If you are looking for high-speed data center and server room cabling, check out Cat8 Cable for 25GBASE-T and 40GBASE-T Network.

The minimum grade of cabling to be deployed in a 10GBASE-T network should be Cat6a cable.

Fiber Cable

Multimode Fiber Patch Cables are a good choice for transmitting data and voice signals over shorter distances. They are typically used for data and audio/visual applications in local-area networks and connections within buildings. Multimode cables are generally color-coded orange or aqua;

The Aqua Fiber Patch Cables are for higher performance 10Gbps, 40Gbps, and 100Gbps Ethernet and fiber channel applications.

Singlemode Fiber Patch Cables are the best choice for transmitting data over long distances. They are usually used for connections over large areas, such as college campuses and cable television networks. They have a higher bandwidth than multimode cables to deliver up to twice the throughput. Most singlemode cabling is color-coded yellow.

Reference

https://community.fs.com/blog/should-we-use-cat6-or-cat6a-for-10gbase-t.html

UDM Pro commands

List of commands to troubleshoot UDM Pro;

The best command for packet related issues is tcpdump

tcpdump <interface> -w <filename.pcap>

Most of the commands are just Linux commands. However some are unique to the UDM/UDM-P.

Cisco/EdgeOS/VyOs Command/Best description	UDM/UDM-P SSH Command
show version	info
show system hardware and installed software	ubnt-device-info summary
show cpu tempeture	ubnt-systool cputemp
show fan speed	ubnt-fan-speed
show uptime	uptime
show ip route	netstat -rt -n
show tech-support (dump a file for tech support)	ubnt-make-support-file <file.tar.gz>
show ppp summery	pppstats
show current user	whoami
show log	cat /var/log/messages
show interface summary	ifstat
show interfaces	ifconfig
show other Ubiquiti devices on local LAN segment (ubnt-discovery)	ubnt-tools ubnt-discover
show config (wireless)	cat /mnt/data/udapi-config/unifi
show DHCP leases (to NSname)	cat /mnt/data/udapi-config/dnsmasq.lease
packet capture	tcpdump
shutdown	poweroff
reload	reboot
show ipsec sa	ipsec statusall
factory reset	factory-reset.sh
show system burnt in MAC address	ubnt-tools hwaddr
Unifi Server commands (logs files)
show unifi server logs	cat /mnt/data/unifi-os/unifi/logs/server.log
show unifi server setttings	cat /mnt/data/unifi-os/unifi-core/config/settings.yaml
show unifi server http logs	cat /mnt/data/unifi-os/unifi-core/logs/http.log
show unifi server http logs (errors)	cat /mnt/data/unifi-os/unifi-core/logs/errors.log
show unifi server discovery log	cat /mnt/data/unifi-os/unifi-core/logs/discovery.log
show unifi system logs	cat /mnt/data/unifi-os/unifi-core/logs/system.log

Tested with 1.8.3-5

To restart UDM Pro to release memory pressure without restarting, SSH and enter this;

unifi-os restart

To update udm pro software;

Start unifi shell = “unifi-os shell” and then apt update && upgrade

Resource

Click this link to see the reference.

Cloud key upgrade

Upgrading cloud key sucks but works. After upgrade log in to unifi ui. You would see blue lights back on. Disable system-d. Check if dnsmasq is working, if not try to install resloveconf package.

Enable systemd using these commands;

sudo systemctl enable systemd-resolved
sudo systemctl start systemd-resolved
sudo systemctl status systemd-resolved

DNS resolution will not work. The problem is pihole unbound resolution. Add these lines to /etc/resolveconf.conf

nameserver 8.8.8.8
nameserver 8.8.4.4

check the status of dnsmasq;

#disable systemd-resolved first
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl status dnsmasq
sudo systemctl status dnsmasq

If dnsmasq is running, proceed. don’t restart. reinstall pihole and restore from backup. Follow these after pihole installation (couldn’t find an easier solution);

#Reconfigure lighttpd port (for example 8080)
nano /etc/lighttpd/lighttpd.conf
#Restart lighttpd
/etc/init.d/lighttpd restart
#Change the pi-hole random password to your liking
pihole -a -p

Pi-hole has dnsmasq embedded in pihole-FTL, and a separate dnsmasq on the host is not required and causes problems as you have discovered.

sudo netstat -nltup | grep 'Proto\|:53 \|:5053 \|:5353 \|:5335 \|:8953 \|:67 \|:80 \|:471'

sudo service dnsmasq stop

sudo systemctl disable dnsmasq

sudo apt-get remove dnsmasq-base

sudo service pihole-FTL start

Pihole somehow keep existing configuration. Navigate to the URL and it should be up and running.

To re-purpose cloud key, follow this link.

Resources

https://stackoverflow.com/questions/24967855/curl-6-could-not-resolve-host-google-com-name-or-service-not-known

Setting Traefik on unRAID

This is a basic Traefik setup. Follow these steps to setup Traefik as reverse proxy on unRAID.

We will be using Traefik 2.x as reverse proxy on unRAID v 6.9.x. we will be setting up unRAID ui and Traefik dashboard to show traffic can be routed to any container running on unRAID.

DNS records configuration

We need to create DNS records, all pointing to unRAID box. We will be using unRAID default “local” domain running on 192.168.1.20. Since we own foo.com domain so our DNS records would be;

tower.local.foo.com -> 192.168.1.20
traefik-dashboard.local.foo.com -> 192.168.1.20

How and where to configure these depends on the DNS server, for example PI-HOLE etc.

Reconfiguring unRAID HTTP Port

unRAID web ui is using port 80 but Traefik will be listening on port 80. We need to reconfigure this port.

Go to Settings -> Management Access, and change HTTP port to 8080 from 80.

In case Traefik container is not working, we can always access unRAID server at http://192.168.1.20:8080.

Traefik configuration

In order to configure Trafik we will be using a mix of dynamic configuration (via Docker labels), and static configuration (via configuration files).

Place the following yml configuration files in your appdata share.

appdata/traefik/traefik.yml

api:
  dashboard: true
  insecure: true

entryPoints:
  http:
    address: ":80"

providers:
  docker: {}
  file:
    filename: /etc/traefik/dynamic_conf.yml
    watch: true

appdata/traefik/dynamic_conf.yml

http:
  routers:
    unraid:
      entryPoints:
      - http
      service: unraid
      rule: "Host(`tower.local.foo.com`)"
  services:
    unraid:
      loadBalancer:
        servers:
        - url: "http://192.168.1.20:8080/"

Make sure yml has two space indentation.

Setup Traefik Container

Go to the Docker tab in unRAID and ADD CONTAINER.
We need to fill in the following configuration:

Name: traefik
Repository: traefik:latest
Network Type: bridge

Add a port mapping from 80 → 80, so that Traefik can listen for incoming HTTP traffic.

Add a path where we mount our /mnt/user/appdata/traefik to /etc/traefik so that Traefik can actually read our configuration.

Add another path where we mount our Docker socket /var/run/docker.sock to /var/run/docker.sock. Read-only is sufficient here.

This is required so Traefik can listed for new containers and read their labels, which is used for the dynamic configuration part. We are using this exact mechanism to expose the Treafik dashboard now.

Add a label
• key = traefik.http.routers.api.entrypoints
• value = http

Add another label
• key = traefik.http.routers.api.service
• value = api@internal

And a final label
• key = traefik.http.routers.api.rule
• value = Host(`traefik-dashboard.local.foo.com`)

Our container configuration should look like this;

Run container, and view container log to make sure its running. You will see something like this;

The screen will scroll with new logs. Traefik is up and running.

Open browser, we are able to access unRAID at http://tower.local.foo.com, and the Traefik dashboard at http://traefik-dashboard.local.foo.com.

Proxying any Container

In order to add another container to our Traefik configuration we simply need to add a single label to it.

Assuming we have a Portainer container running we can add a label with

key = traefik.http.routers.portainer.rule
value = Host(`portainer.local.foo.com`)

If our container is only exposing a single port, Traefik is smart enough to pick it up, and no other configuration is required.

If Portainer container would expose multiple ports, but the webUI is accessible on port 3900 we would need to add an additional label with

key = traefik.http.services.portainer.loadbalancer.server.port
value = 8080

For external hosts to take advantage of terafik, point their DNS entry to traefik host. Obviously we have to define router and services in traefik dynamic file.

Resources

https://datosh.github.io/post/unraid_reverse_traefik/

Reddit reference

Move Pi-Hole databases and list to different location

Create a new folder in new location, for example pihole-db.

mkdir pihole-db
# make sure folder has this permission
chmod 775 pihole-db
# change user/group to pihole on this folder
chown pihole:pihole pihole-db

We will be creating symlink (symbolic link) by copying database to pihole-db.

https://unix.stackexchange.com/questions/218557/how-to-change-ownership-of-symbolic-links

# Pihole-FTL.db
# stop Pihole service
sudo service pihole-FTL stop
cp /etc/pihole/pihole-FTL.db /srv/pihole-data
chown pihole:pihole pihole-FTL.db
# rm /etc/pihole/pihole-FTL.db
# create link in /etc/pihole
ln -s /srv/pihole-db/pihole-FTL.db pihole-FTL.db
# change owner/group of symlinks
sudo chown -h pihole:pihole pihole-FTL.db

# start the service
sudo service pihole-FTL start
# check service status
# systemctl status pihole-FTL

Open browser, navigate to a site and see if pihole-FTL works.

Pihole-FTL started working. Let’s move others;

# gravity.db
sudo service pihole-FTL stop
cp /etc/pihole/gravity.db /srv/pihole-db
ls -l /srv/pihole-db
chown pihole:pihole /srv/pihole-db/gravity.db
rm /etc/pihole/gravity.db
# create symlink in /etc/pihole
ln -s /srv/pihole-db/gravity.db gravity.db
# change owner/group of symlinks
sudo chown -h pihole:pihole gravity.db

# verify
sudo service pihole-FTL start

# macvendor.db
sudo service pihole-FTL stop
cp /etc/pihole/macvendor.db /srv/pihole-db
ls -l /srv/pihole-db

chown pihole:pihole /srv/pihole-db/macvendor.db
rm /etc/pihole/macvendor.db
# create symlink in /etc/pihole
ln -s /srv/pihole-db/macvendor.db macvendor.db
sudo chown -h pihole:pihole macvendor.db
# verify
sudo service pihole-FTL start

# list.1.raw.githubusercontent.com.domains
sudo service pihole-FTL stop
cp /etc/pihole/list.1.raw.githubusercontent.com.domains /srv/pihole-db
ls -l /srv/pihole-db

rm /etc/pihole/list.1.raw.githubusercontent.com.domains
# create symlink in /etc/pihole
ln -s /srv/pihole-db/list.1.raw.githubusercontent.com.domains list.1.raw.githubusercontent.com.domains
# verify
sudo service pihole-FTL start

Make sure you have changed owner and group of sym(Symbolic) links of these databases.

https://www.freecodecamp.org/news/symlink-tutorial-in-linux-how-to-create-and-remove-a-symbolic-link/

sudo chown -h pihole:pihole pihole-FTL.db
sudo chown -h pihole:pihole macvendor.db
sudo chown -h pihole:pihole gravity.db

Make sure you can see these permissions;

To reset, run this command;

chmod 664 gravity.db

Here is your modified file system;

To rebuild gravity database, run this and see the time stamp;

pihole -g

https://discourse.pi-hole.net/t/gravity-database/46182

For macvendor database refer to this;

Resources

https://www.cyberciti.biz/faq/linux-log-files-location-and-how-do-i-view-logs-files/