Welcome to GeeksCove. Please register. If you're listed on a spam list you will not be authorized.

  use of BBB script to install BigBlueButton
Posted by: admin - 06-11-2020, 11:47 PM - Forum: BugBlueButton - No Replies

# bbb-install

`bbb-install.sh` is a shell script that automates the [step-by-step instructions](http://docs.bigbluebutton.org/2.2/install.html) for setting up a BigBlueButton 2.2 server.

With only a few parameters, `bbb-install.sh` can have your BigBlueButton server set up and ready for use in 30 minutes (depending on your server's internet speed to download and install packages).

For example, given an Ubuntu 16.04 64-bit server with a public IP address, to install/update to the latest build of BigBlueButton 2.2 first SSH into the server as root and run the following command:

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v xenial-22 -a
~~~

The command will pull down the latest version of `bbb-install.sh`, send it to the BASH shell interpreter, and pass the parameters `-v xenial-22`, which specifies you want to install the latest build of BigBlueButton 2.2.N, and `-a`, which specifies you want to install the API demos (this makes it easy to do a few quick tests on the server).

Note: If your server is behind a firewall -- such as behind a corporate firewall or behind an AWS Security Group -- you will need to manually configure the firewall to forward [specific internet connections](#configuring-the-firewall) to the BigBlueButton server before you can launch the client.

When `bbb-install.sh` finishes, you'll see a message that gives you a test URL to launch the BigBlueButton client and join a meeting called 'Demo Meeting'. 

~~~
# Warning: The API demos are installed and accessible from:
#
#    http://xxx.xxx.xxx.xxx
#
# and
#
#    http://xxx.xxx.xxx.xxx/demo/demo1.jsp 
#
# These API demos allow anyone to access your server without authentication
# to create/manage meetings and recordings. They are for testing purposes only.
# If you are running a production system, remove them by running:
#
#    sudo apt-get purge bbb-demo 
~~~

When you open the URL, you should see a login to join the meeting `Demo Meeting`.

![bbb-install.sh](images/html5-join.png?raw=true "HTML5 Page")

Enter your name and click Join.  The BigBlueButton client should then load in your browser and prompt you to join the audio. 

![bbb-install.sh](images/html5.png?raw=true "HTML5 Client")

Click the '[x]' to skip joining the audio.  Why?  With the above command, the BigBlueButton server is configured to only use an IP address (no security) and, as such, the browser will block access to the webcam and microphone.

For a production setup of BigBlueButton, the server needs to serve web pages using transport level security (TLS).  In other words, you can only access this server via `HTTP` (unencrypted) and not `HTTPS` (encrypted), as the server currently lacks a secure socket level (SSL) certificate configured for the server's hostname.

Without TLS/SSL support, the browser will not allow access to the user's webcam or microphone via the built-in real-time communications (WebRTC) libraries.

`bbb-install.sh` can automatically request a TLS/SSL certificate (from Let's Encrypt) and configure the BigBlueButton server to use that certificate.  The following sections show you how.


## Getting ready
Before running `bbb-install.sh`, we _strongly_ recommend that you:

  * Read through all the documentation in this page
  * Ensure that your server meets the [minimal server requirements](http://docs.bigbluebutton.org/install/in...quirements)
  * Configure a fully qualified domain name (FQDN), such as `bbb.example.com`, that resolves to the external IP address of the server.

To set up a FQDN, you need to purchase a domain name from a domain name system (DNS) provider, such as [GoDaddy](https://godaddy.com) or [Network Solutions](https://networksolutions.com).  Once purchased, you'll use the web tools provided by the DNS provider to create an `A Record` that resolves to the public IP address of your BigBlueButton server.  (Check the DNS provider's documentation for details on how to set up the `A Record`.)

With a FQDN in place, you can then pass a few additional parameters to `bbb-install.sh` to have it:

  * Request and install a 4096 bit TLS/SSL certificate from Let's Encrypt (we love Let's Encrypt), and (optionally)
  * Install and configure [Greenlight](http://docs.bigbluebutton.org/greenlight...rview.html) to provide a simple front-end for users to enable them to set up rooms, hold online sessions, and manage recordings.  (Greenlight also lets you, the administrator, manage user accounts within Greenlight).

Once the BigBlueButton server is configured with a TLS/SSL certificate, your users can use FireFox and Chrome (recommended browsers) to access and share their audio, video, and screen in a BigBlueButton session via WebRTC.

The full source code for `bbb-install.sh` is [here](https://github.com/bigbluebutton/bbb-install).  To make it easy for anyone to run the script with a single command, we host the latest version of the script at [https://ubuntu.bigbluebutton.org/bbb-ins...nstall.sh).


### Server choices

There are many hosting companies that can provide you virtual and dedicated servers to run BigBlueButton.  We list a few popular choices below.  Note: We are not making any recommendations here, just listing some of the more popular choices.

For quick setup, [Digital Ocean](https://www.digitalocean.com/) offers both virtual servers with Ubuntu 16.04 64-bit and a single public IP address (no firewall).  [Hetzner](https://hetzner.cloud/) offers dedicated servers with single IP address.

Other popular choices, such as [ScaleWay](https://www.scaleway.com/) (choose either Bare Metal or Pro servers) and [Google Compute Engine](https://cloud.google.com/compute/), offer servers that are set up behind network address translation (NAT).  That is, they have both an internal and external IP address.  When installing on these servers, the `bbb-install.sh` will detect the internal/external addresses and configure BigBlueButton accordingly. 

Another popular choice is [Amazon Elastic Compute Cloud](https://aws.amazon.com/ec2).  We recommend a `c5.xlarge` (or larger) instance.  All EC2 servers are, by default, behind a firewall (which Amazon calls a `security group`).  You will need to manually configure the security group before installing BigBlueButton on EC2 and, in a similar manner, on Azure and Google Compute Engine (GCE).  (See screen shots in next section.)

Finally, if `bbb-install.sh` is unable to configure your server behind NAT, we recommend going through the [step-by-step](http://docs.bigbluebutton.org/2.2/install.html) for installing BigBlueButton.  (Going through the steps is also a good way to understand more about how BigBlueButton works).


### Configuring the firewall

If you want to install BigBlueButton on a server behind a firewall, such as Amazon's EC2 security group, you first need to configure the firewall to forward incoming traffic on the following ports:

  * TCP/IP port 22 (for SSH)
  * TCP/IP ports 80/443 (for HTTP/HTTPS)
  * UDP ports in the range 16384 - 32768 (for FreeSWITCH/HTML5 client RTP streams)

If you are using EC2, you should also assign your server an [Elastic IP address](https://docs.aws.amazon.com/AWSEC2/lates...s-eip.html) to prevent it from getting a new IP address on reboot.

On Microsoft Azure, when you create an instance you need to add the following inbound port rules to enable incoming connections on ports 80, 443, and UDP port range 16384-32768:

![Azure Cloud ](images/azure-firewall.png?raw=true "Azure 80, 443, and UDP 16384-32768")

On Google Compute Engine, when you create an instance you need to enable traffic on port 80 and 443.

![Google Compute Engine 80-443](images/gce-80-443.png?raw=true "GCE 80 and 443")

After the instance is created, you need to add a firewall rule to allow incoming UDP traffic on the port range 16384-32768.

![Google Compute Engine Firewall](images/gce-firewall.png?raw=true "GCE Firewall")

### Installation Videos

Using Digital Ocean as an example, we put together this video to get you going quickly: [Using bbb-install.sh to set up BigBlueButton on Digital Ocean]().

Using Amazon EC2, see [Install using bbb-install.sh on EC2]().

# Command options

You can get help by passing the `-h` option.

~~~
$ wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -h
Installer script for setting up a BigBlueButton 2.2 server.

This script also supports installation of a separate coturn (TURN) server on a separate server.

USAGE:
    bbb-install.sh [OPTIONS]

OPTIONS (install BigBlueButton):

  -v <version>          Install given version of BigBlueButton (e.g. 'xenial-22') (required)

  -s <hostname>          Configure server with <hostname>
  -e <email>            Email for Let's Encrypt certbot
  -x                    Use Let's Encrypt certbot with manual dns challenges
  -a                    Install BBB API demos
  -g                    Install GreenLight

  -c <hostname>:<secret> Configure with coturn server at <hostname> using <secret>

  -p <host>              Use apt-get proxy at <host>

  -r <host>              Use alternative apt repository (such as packages-eu.bigbluebutton.org)
  -d                    Skip SSL certificates request (use provided certificates from mounted volume)

  -h                    Print help

OPTIONS (install coturn):

  -c <hostname>:<secret> Configure coturn with <hostname> and <secret> (required)
  -e <email>            Email for Let's Encrypt certbot (required)


EXAMPLES

Setup a BigBlueButton server

    ./bbb-install.sh -v xenial-22
    ./bbb-install.sh -v xenial-22 -s bbb.example.com -e info@example.com
    ./bbb-install.sh -v xenial-22 -s bbb.example.com -e info@example.com -g
    ./bbb-install.sh -v xenial-22 -s bbb.example.com -e info@example.com -g -c turn.example.com:1234324

Setup a coturn server

    ./bbb-install.sh -c turn.example.com:1234324 -e info@example.com

SUPPORT:
    Source: https://github.com/bigbluebutton/bbb-install
  Community: https://bigbluebutton.org/support

~~~

## Install and configure with an IP address only

To install BigBlueButton 2.2 (no hostname or TLS/SSL certificate):

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v xenial-22
~~~

That's it.  The installation should finish in about 15 minutes (depending on the server's internet connection) with the following message:

~~~
** Potential problems described below **

......
# Warning: The API demos are installed and accessible from:
#
#    http://xxx.xxx.xxx.xxx/demo/demo1.jsp
#
# These API demos allow anyone to access your server without authentication
# to create/manage meetings and recordings. They are for testing purposes only.
# If you are running a production system, remove them by running:
#
#    sudo apt-get purge bbb-demo
~~~

The script also installs the `bbb-demo` package so you can immediately test out the install.  If you want to remove the API demos, use the command

~~~
sudo apt-get purge bbb-demo
~~~

If you want to use this server with a third-party integration, such as Moodle, you can get the BigBlueButton server's hostname and shared secret with the command `sudo bbb-conf --secret`.

~~~
# bbb-conf --secret

      URL: http://xxx.xxx.xxx.xxx/bigbluebutton/
    Secret: yyy

      Link to the API-Mate:
      http://mconf.github.io/api-mate/#server=...Secret=yyy
~~~

Since this default use of `bbb-install.sh` does not configure a SSL/TLS certificate, while you can login to the server, you won't be able to share audio/video as WebRTC requires a SSL/TLS certificate.

## Install with SSL/TLS

Before `bbb-install.sh` can install a SSL/TLS certificate, you will need to provide two pieces of information:
  * A fully qualified domain name (FQDN), such as `bbb.example.com`, that resolves to the public IP address of your server
  * An e-mail address

When you have set up the FQDN, check that it correctly resolves to the external IP address of the server using the `dig` command.

~~~
dig bbb.example.com @8.8.8.8
~~~

Note: we're using `bbb.example.com` as an example hostname. You would substitute your real hostname for the check (and for the commands below).

With just these two pieces of information -- FQDN and e-mail address -- you can use `bbb-install.sh` to automate the configuration of the BigBlueButton server with a TLS/SSL certificate.  For example, to install BigBlueButton 2.2 with a TLS/SSL certificate from Let's Encrypt using `bbb.example.com` and `info@example.com`, enter the command

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v xenial-22 -s bbb.example.com -e info@example.com
~~~

(again, you would substitute `bbb.example.com` and `info@example.com` with your server's FQDN and your e-mail address).

The `bbb-install.sh` script will also install a cron job that automatically renews the Let's Encrypt certificate so it doesn't expire.  Cool.

### Installing in a private network

The default installation is meant to be for servers that are publicly available. This is because Let's Encrypt requires to access nginx in order to automatically validate the FQDN provided.

When installing BigBlueButton in a private network, it is possible to validate the FQDN manually, by adding the option `-x` to the command line. As in:

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v xenial-22 -s bbb.example.com -e info@example.com -x
~~~

Confirm the use of the email account.

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
```

Confirm the use of the IP address
```
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
```

A challenge will be generated and shown in the console.

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.bbb.example.com with the following value:

0bIA-3-RqbRo2EfbYTkuKk7xq2mzszUgVlr6l1OWjW8

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```

Before hitting Enter, create a TXT record in the DNS with the challenge that was generated.

```
_acme-challenge.bbb.example.com.  TXT  "0bIA-3-RqbRo2EfbYTkuKk7xq2mzszUgVlr6l1OWjW8"  60
```

The downside of this is that because Let's Encrypt SSL certificates expire after 90 days, it will be necessary to manually update the certificates. In that case an email is sent a few days before the expiration and the next command has to be executed through the console.

```
certbot --email info@example.com --agree-tos -d bbb.example.com --deploy-hook 'systemctl restart nginx' --no-bootstrap --manual-public-ip-logging-ok --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory certonly
```


## Install API Demos

You can install the API demos by adding the `-a` option.

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v xenial-22 -s bbb.example.com -e info@example.com -a
~~~

Warning: These API demos allow anyone to access your server without authentication to create/manage meetings and recordings. They are for testing purposes only.  Once you are finished testing, you can remove the API demos with `sudo apt-get purge bbb-demo`.


## Install Greenlight

[Greenlight](https://docs.bigbluebutton.org/greenligh...rview.html) is a simple front-end for BigBlueButton written in Ruby on Rails.  It lets users create accounts, have permanent rooms, and manage their recordings.  It also lets you, as the administrator, manage the user accounts (such as approve or deny users).

You can install [Greenlight](http://docs.bigbluebutton.org/install/green-light.html) by adding the `-g` option.

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v xenial-22 -s bbb.example.com -e info@example.com -g
~~~

Once Greenlight is installed, it redirects the default home page to Greenlight.  You can also configure GreenLight to use [OAuth2 authentication](http://docs.bigbluebutton.org/greenlight...omize.html).

To launch Greenlight, simply open the URL of your server, such as `https://bbb.example.com/`.  You should see the Greenlight landing page.

![bbb-install.sh](images/greenlight.png?raw=true "Greenlight")

To set up an administrator account for Greenlight (so you can approve/deny signups), enter the following commands

~~~
cd greenlight/
docker exec greenlight-v2 bundle exec rake admin:create
~~~

This command will create an admin account and set a default password.  After running this command, login using the given username/password and change the default password. Next, select 'Administrator' and choose 'Organization'.

![bbb-install.sh](images/gl-admin.png?raw=true "Organization")

You can then select 'Site Settings' on the left-hand side and change the Registration Method to 'Approve/Decline'.

![bbb-install.sh](images/gl-approve.png?raw=true "Approve/Decline")

You can now control who creates accounts on your BigBlueButton server.  For more information see [Greenlight administration](http://docs.bigbluebutton.org/greenlight/gl-admin.html).

## Linking /var/bigbluebutton to another directory

The install script allows you to pass a path which will be used to create a symbolic link with /var/bigbluebutton.

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v xenial-22 -m /mnt/test
~~~

This allows users to store the contents of /var/bigbluebutton, which can get quite large, in a separate volume.

## Doing everything with a single command

If you want to set up BigBlueButton 2.2 with a TLS/SSL certificate and GreenLight, you can do this all with a single command:

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v xenial-22 -s bbb.example.com -e info@example.com -g
~~~

Furthermore, you can re-run the same command later to update your server to the latest version of BigBlueButton 2.2.  We announce updates to BigBlueButton to the [bigbluebutton-dev](https://groups.google.com/forum/#!forum/...button-dev) mailing list.


# Install a TURN server

You can use `bbb-install.sh` to automate the steps to [set up a TURN server for BigBlueButton](http://docs.bigbluebutton.org/install/in...urn-server). 
Note: This step is optional, but recommended if your BigBlueButton server is publicly available on the internet and will be accessed by users who may be behind restrictive firewalls.

BigBlueButton normally requires a wide range of UDP ports to be available for WebRTC communication. In some network restricted sites or development environments, such as those behind NAT or a firewall that restricts outgoing UDP connections, users may be unable to make outgoing UDP connections to your BigBlueButton server. 

The TURN protocol is designed to allow UDP-based communication flows like WebRTC to bypass NAT or firewalls by having the client connect to the TURN server, and then have the TURN server connect to the destination on their behalf.

You need a separate server (not the BigBlueButton server) to set up as a TURN server. Specifically you need:

  * An Ubuntu 18.04 server with a public IP address

On the TURN server, you need to have the following ports (in addition to port 22) available for BigBlueButton to connect (port 3478 and 443) and for the coturn to connect to your BigBlueButton server (49152 - 65535).

| Ports        | Protocol      | Description |
| ------------- | ------------- | ----------- |
| 3478          | TCP/UDP      | coturn listening port |
| 443          | TCP/UDP      | TLS listening port |
| 49152-65535  | UDP          | relay ports range |


We recommend Ubuntu 18.04 as it has a later version of [coturn](https://github.com/coturn/coturn) than Ubuntu 16.04.  Also, this TURN server does not need to be very powerful as it will only relay communications from the BigBlueButton client to the BigBlueButton server when necessary.  A dual core server on Digital Ocean, for example, which offers servers with public IP addresses, is a good choice.

Next, to configure the TURN server you need:

  * A fully qualified domain name (FQDN) with a DNS entry that resolves to the external public IP address of the TURN server
  * An e-mail address for Let's Encrypt
  * A secret key (it can be an 8 to 16 character random string that you create).

With the above information, you can set up a TURN server for BigBlueButton using `bbb-install.sh` as follows

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -c <FQDN>:<SECRET> -e <EMAIL>
~~~

Note, we've omitted the `-v` option, which causes `bbb-install.sh` to just install and configure coturn.  For example, using `turn.example.com` as the FQDN, `1234abcd` as the shared secret, and `info@example.com` as the email address, you can set up a TURN server for BigBlueButton using the command

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -c turn.example.com:1234abcd -e info@example.com
~~~

`bbb-install.sh` uses Let's Encrypt to configure coturn to use a SSL certificate.  With a SSL certificate in place, coturn can relay access to your BigBlueButton server via TCP/IP on port 443.  This means if a user is behind a restrictive firewall that blocks all outgoing UDP connections, the TURN server can accept connections from the user via TCP/IP on port 443 and relay the data to your BigBlueButton server via UDP.

With the TURN server in place, you can configure your BigBlueButton server to use the TURN server by running the `bbb-install.sh` command again and adding the same `-c <FQDN>:<SECRET>`.  For example,

~~~
wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v xenial-22 -s bbb.example.com -e info@example.com -g -c turn.example.com:1234abcd
~~~

You can re-use a single TURN server for multiple BigBlueButton installations.

# Next Steps

If you intend to use this server for production you should uninstall the API demos using the command

~~~
apt-get purge bbb-demo
~~~

You can also do a number of [customizations](http://docs.bigbluebutton.org/2.2/customize.html) to your server as well.

## Troubleshooting

### Packaging server is blocked

We are currently hosting the packaging on a Digital Ocean servlet, but recently the IP range for some Digital Ocean servers has been [blocked in some countries](https://www.digitalocean.com/community/q...rom-russia).

If you're having troubles installing, try running the `bbb-install.sh` command but change the value

~~~
https://ubuntu.bigbluebutton.org/bbb-install.sh
~~~

to

~~~
https://packages-eu.bigbluebutton.org/bbb-install.sh
~~~


### Greenlight not running

If on first install Greenlight gives you a `500 error` when accessing it, you can [restart Greenlight](http://docs.bigbluebutton.org/install/gr...docker-run).

### Tomcat7 not running

If on the initial install you see

~~~
# Not running:  tomcat7 or grails LibreOffice
~~~

just run `sudo bbb-conf --check` again.  Tomcat7 may take a bit longer to start up and isn't running the first time you run `sudo bbb-conf --check`.

### Getting Help

If you have feedback on the script, or need help using it, please post to the [BigBlueButton Setup](https://bigbluebutton.org/support/community/) mailing list with details of the issue (and include related information such as steps to reproduce the error).

If you encounter an error with the script (such as it not completing or throwing an error), please open a [GitHub issue](https://github.com/bigbluebutton/bbb-install/issues) and provide steps to reproduce the issue.


# Limitations

If you are running your BigBlueButton behind a firewall, such as on EC2, this script will not configure your firewall.  You'll need to [configure the firewall](#configuring-the-firewall) manually.
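
Every install command in the post above pipes the downloaded script straight into `bash` in a root session. The following is an added example, not part of the original post or of the bbb-install project: it saves the installer to a file, pins the SHA-256 of the copy you reviewed, and only runs a copy that still matches the pin. The function names and the pin-file layout are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from bbb-install): run the installer from a saved,
# reviewed copy instead of "wget -qO- ... | bash".
# Function names and the pin file are hypothetical, chosen for this example.

INSTALLER_URL="https://ubuntu.bigbluebutton.org/bbb-install.sh"

# Download the installer to a file without executing it.
fetch_installer() {
    local dest="$1"
    wget -q -O "$dest" "$INSTALLER_URL" || return 1
    # An empty or failed download must never reach bash.
    [ -s "$dest" ]
}

# Print the SHA-256 of a file as lowercase hex.
installer_digest() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Record the digest of a copy you have read and approved.
pin_installer() {
    local script="$1" pinfile="$2"
    installer_digest "$script" > "$pinfile"
}

# Succeed only if the script parses as bash and matches the pinned digest.
verify_installer() {
    local script="$1" pinfile="$2" want got
    [ -s "$script" ] && [ -s "$pinfile" ] || return 1
    # A truncated download usually fails the syntax check.
    bash -n "$script" 2>/dev/null || return 1
    want="$(tr -d '[:space:]' < "$pinfile")"
    got="$(installer_digest "$script")"
    [ "$got" = "$want" ]
}

# Run the verified copy with the same options the one-liner would pass.
run_installer() {
    local script="$1" pinfile="$2"
    shift 2
    if ! verify_installer "$script" "$pinfile"; then
        echo "refusing to run $script: it does not match $pinfile" >&2
        return 1
    fi
    bash "$script" "$@"
}

# Typical session on the server (run as root, as the post describes):
#   fetch_installer /root/bbb-install.sh
#   less /root/bbb-install.sh                      # read it before pinning
#   pin_installer /root/bbb-install.sh /root/bbb-install.sha256
#   run_installer /root/bbb-install.sh /root/bbb-install.sha256 \
#       -v xenial-22 -s bbb.example.com -e info@example.com
```

When you fetch the script again later to update the server, `run_installer` refuses the new copy until you have reviewed it and pinned it again, which makes any change to the hosted script visible before it runs.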


  tivo premiere xl not showing apps selection
Posted by: admin - 06-11-2020, 10:43 PM - Forum: TiVo Help - No Replies

In order to switch back the Premiere XL to HD menu, please follow these steps.


1. Make sure that the TiVo is connected to the service. Settings & Messages > Settings > Network > Connect to the TiVo Service Now

2. Restart the TiVo box. Go to Settings & Messages > Help > Restart Box.

3. Once back up, go to Settings & Messages > Restart or Reset System > Choose TiVo Menus (Widescreen)

Your apps should now be working again.


  Notes on install of Mail in a Box
Posted by: admin - 01-19-2020, 07:05 AM - Forum: Mail in a Box (MnABox) - No Replies

1. The OS, at least in the case of Ubuntu, MUST be Ubuntu Server, not the workstation
2. You must install OpenSSH or the random number generator will bomb out


  Error with yarn
Posted by: admin - 01-05-2020, 06:39 PM - Forum: Mastodon help - No Replies

Attached find the error from yarn




  Bridging in ProxMox
Posted by: admin - 12-13-2019, 11:17 PM - Forum: ProxMox VM Host Server - No Replies

bridge
 
A bridge is a way to connect two Ethernet segments together in a protocol independent way. Packets are forwarded based on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.
The Linux bridge code implements a subset of the ANSI/IEEE 802.1d standard [1]. The original Linux bridging was first done in Linux 2.2, then rewritten by Lennert Buytenhek. The code for bridging has been integrated into 2.4 and 2.6 kernel series.
Bridging and Firewalling
A Linux bridge is more powerful than a pure hardware bridge because it can also filter and shape traffic. The combination of bridging and firewalling is done with the companion project ebtables.
Status
The code is updated as part of the 2.4 and 2.6 kernels available at kernel.org.
Possible future enhancements are:

  • Document STP filtering
  • Netlink interface to control bridges (prototype in 2.6.18)
  • STP should be in user space
  • Support RSTP and other 802.1d STP extensions
Downloading
Bridging is supported in the current 2.4 (and 2.6) kernels from all the major distributors. The required administration utilities are in the bridge-utils package in most distributions. Package releases are maintained on the Download page.
You can also build your own up to date version by getting the latest kernel from kernel.org and build the utilities based from the source code in bridge-utils GIT repository.
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git
$ cd bridge-utils
$ autoconf
$ ./configure
Kernel Configuration
You need to enable bridging in the kernel. Set “networking → 802.1d Ethernet Bridging” to either yes or module
Manual Configuration

Network cards
Before you start make sure both network cards are set up and working properly. Don't set the IP address, and don't let the startup scripts run DHCP on the ethernet interfaces either. The IP address needs to be set after the bridge has been configured.
The command ifconfig should show both network cards, and they should be DOWN.
Module loading
In most cases, the bridge code is built as a module. If the module is configured and installed correctly, it will get automatically loaded on the first brctl command.
If your bridge-utilities have been correctly built and your kernel and bridge-module are OK, then issuing a brctl should show a small command synopsis.
# brctl
# commands:
       addbr           <bridge>                add bridge
       delbr           <bridge>                delete bridge
       addif           <bridge> <device>       add interface to bridge
       delif           <bridge> <device>       delete interface from bridge
       setageing       <bridge> <time>         set ageing time
       setbridgeprio   <bridge> <prio>         set bridge priority
       setfd           <bridge> <time>         set bridge forward delay
       sethello        <bridge> <time>         set hello time
       setmaxage       <bridge> <time>         set max message age
       setpathcost     <bridge> <port> <cost>  set path cost
       setportprio     <bridge> <port> <prio>  set port priority
       show                                    show a list of bridges
       showmacs        <bridge>                show a list of mac addrs
       showstp         <bridge>                show bridge stp info
       stp             <bridge> <state>        turn stp on/off
Creating a bridge device
The command
brctl addbr "bridgename"
creates a logical bridge instance with the name bridgename. You will need at least one logical instance to do any bridging at all. You can interpret the logical bridge as a container for the interfaces taking part in the bridging. Each bridging instance is represented by a new network interface.
The corresponding shutdown command is:
brctl delbr bridgename
Adding devices to a bridge
The command
brctl addif bridgename device
adds the network device device to take part in the bridging of “bridgename.” All the devices contained in a bridge act as one big network. It is not possible to add a device to multiple bridges or bridge a bridge device, because it just wouldn't make any sense! The bridge will take a short amount of time when a device is added to learn the Ethernet addresses on the segment before starting to forward.
The corresponding command to take an interface out of the bridge is:
brctl delif bridgename device
Showing devices in a bridge
The brctl show command gives you a summary about the overall bridge status, and the instances running as shown below:
# brctl addbr br549
# brctl addif br549 eth0
# brctl addif br549 eth1
# brctl show
bridge name     bridge id               STP enabled     interfaces
br549           8000.00004c9f0bd2       no              eth0
                                                        eth1
Once a bridge is running the brctl showmacs will show information about network addresses of traffic being forwarded (and the bridge itself).
# brctl showmacs br549
port no mac addr                is local?       ageing timer
  1     00:00:4c:9f:0b:ae       no                17.84
  1     00:00:4c:9f:0b:d2       yes                0.00
  2     00:00:4c:9f:0b:d3       yes                0.00
  1     00:02:55:1a:35:09       no                53.84
  1     00:02:55:1a:82:87       no                11.53
 ...
The aging time is the number of seconds a MAC address will be kept in the forwarding database after having received a packet from this MAC address. The entries in the forwarding database are periodically timed out to ensure they won't stay around forever. Normally there should be no need to modify this parameter, but it can be changed with (time is in seconds).
# brctl setageing bridgename time
Setting ageing time to zero makes all entries permanent.
Spanning Tree Protocol
If you are running multiple or redundant bridges, then you need to enable the Spanning Tree Protocol (STP) to handle multiple hops and avoid cyclic routes.
# brctl stp br549 on
You can see the STP parameters with:
# brctl showstp br549
br549
 bridge id              8000.00004c9f0bd2
 designated root        0000.000480295a00
 root port                 1                    path cost                104
 max age                  20.00                 bridge max age           200.00
 hello time                2.00                 bridge hello time         20.00
 forward delay           150.00                 bridge forward delay      15.00
 ageing time             300.00                 gc interval                0.00
 hello timer               0.00                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   0.33
 flags

eth0 (1)
 port id                8001                    state                   forwarding
 designated root        0000.000480295a00       path cost                100
 designated bridge      001e.00048026b901       message age timer         17.84
 designated port        80c1                    forward delay timer        0.00
 designated cost           4                    hold timer                 0.00
 flags

eth1 (2)
 port id                8002                    state                   disabled
 designated root        8000.00004c9f0bd2       path cost                100
 designated bridge      8000.00004c9f0bd2       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags
STP tuning
There are a number of parameters related to the Spanning Tree Protocol that can be configured. The code autodetects the speed of the link and other parameters, so these usually don't need to be changed.
Bridge priority
Each bridge has a relative priority and cost. Each interface is associated with a port (number) in the STP code. Each has a priority and a cost that is used to decide which is the shortest path to forward a packet. The lowest cost path is always used unless the other path is down. If you have multiple bridges and interfaces then you may need to adjust the priorities to achieve optimum performance.
# brctl setbridgeprio bridgename priority
The bridge with the lowest priority will be elected as the root bridge. The root bridge is the “central” bridge in the spanning tree.
Path priority and cost
Each interface in a bridge could have a different speed and this value is used when deciding which link to use. Faster interfaces should have lower costs.
# brctl setpathcost bridge port cost
For multiple ports with the same cost there is also a priority
Forwarding delay
Forwarding delay time is the time spent in each of the Listening and Learning states before the Forwarding state is entered. This delay is so that when a new bridge comes onto a busy network it looks at some traffic before participating.
# brctl setfd bridgename time
Hello time
Periodically, a hello packet is sent out by the Root Bridge and the Designated Bridges. Hello packets are used to communicate information about the topology throughout the entire Bridged Local Area Network.
# brctl sethello bridgename time
Max age
If another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead. This timeout is set with:
# brctl setmaxage bridgename time
Multicast (IGMP) snooping
IGMP snooping support is not yet included in bridge-utils or iproute2, but it can be easily controlled through sysfs interface. For brN, the settings can be found under /sys/devices/virtual/net/brN/bridge.
multicast_snooping
This option allows the user to disable IGMP snooping completely. It also allows the user to reenable snooping when it has been automatically disabled due to hash collisions. If the collisions have not been resolved however the system will refuse to reenable snooping.
multicast_router
This allows the user to forcibly enable/disable ports as having multicast routers attached. A port with a multicast router will receive all multicast traffic.
The value 0 disables it completely. The default is 1 which lets the system automatically detect the presence of routers (currently this is limited to picking up queries), and 2 means that the ports will always receive all multicast traffic.
Note: this setting can be enabled/disabled on a per-port basis, also through sysfs interface (e.g. if eth0 is some bridge's active port, then you can adjust /sys/…../eth0/brport/multicast_router)
hash_{max,elasticity}
These settings allow the user to control the hash elasticity/max parameters. The elasticity setting does not take effect until the next new multicast group is added. At which point it is checked and if after rehashing it still can't be satisfied then snooping will be disabled.
The max setting on the other hand takes effect immediately. It must be a power of two and cannot be set to a value less than the current number of multicast group entries. This is the only way to shrink the multicast hash.
remaining multicast_* options
These allow the user to control various values related to IGMP snooping.
More details about the options, some discussions and rationale can be found in http://thread.gmane.org/gmane.linux.network/153338
Sample setup
The basic setup of a bridge is done like:
# ifconfig eth0 0.0.0.0
# ifconfig eth1 0.0.0.0
# brctl addbr mybridge
# brctl addif mybridge eth0
# brctl addif mybridge eth1
# ifconfig mybridge up
This will set the host up as a pure bridge, it will not have an IP address for itself, so it can not be remotely accessed (or hacked) via TCP/IP.
Optionally you can configure the virtual interface mybridge to take part in your network. It behaves like one interface (like a normal network card). Exactly that way you configure it, replacing the previous command with something like:
# ifconfig mybridge 192.168.100.5 netmask 255.255.255.0
If you want your bridge to automatically get its IP address from the ADSL modem via DHCP (or a similar configuration), do this:
# ifconfig eth0 0.0.0.0
# ifconfig eth1 0.0.0.0
# brctl addbr mybridge
# brctl addif mybridge eth0
# brctl addif mybridge eth1
# dhclient mybridge
If you do this many times, you may end up with lots of dhclient processes. Either kill them impolitely or learn about omshell(1).
Configuration with /etc/net
In /etc/net we first configure two ethernet devices port0 and port1:
# cat >> /etc/net/iftab
port0 mac 00:13:46:66:01:5e
port1 mac 00:13:46:66:01:5f
^D
# mkdir /etc/net/ifaces/port0
# cat > /etc/net/ifaces/port0/options
TYPE=eth
MODULE=via-rhine
^D
# mkdir /etc/net/ifaces/port1
# cat > /etc/net/ifaces/port1/options
TYPE=eth
MODULE=via-rhine
^D
Then we describe the bridge:
# mkdir /etc/net/ifaces/mybridge
# cat > /etc/net/ifaces/mybridge/options
TYPE=bri
HOST='port0 port1'
^D
# cat > /etc/net/ifaces/mybridge/brctl
stp AUTO on
^D
Now we can use “ifup mybridge” to bring it up. port0 and port1 will be brought up automatically.
FAQ

What does a bridge do?
A bridge transparently relays traffic between multiple network interfaces. In plain English this means that a bridge connects two or more physical Ethernets together to form one bigger (logical) Ethernet.
Is it protocol independent?
Yes. The bridge knows nothing about protocols, it only sees Ethernet frames. As such, the bridging functionality is protocol independent, and there should be no trouble relaying IPX, NetBEUI, IP, IPv6, etc.
Why is this code better than a switch?
Please note that this code wasn't written with the intent of having Linux boxes take over from dedicated networking hardware. Don't see the Linux bridging code as a replacement for switches, but rather as an extension of the Linux networking capabilities. Just as there are situations where a Linux router is better than a dedicated router (and vice versa), there are situations where a Linux bridge is better than a dedicated bridge (and vice versa).
Most of the power of the Linux bridging code lies in its flexibility. There is a whole lot of bizarre stuff you can do with Linux already (read Linux Advanced Routing and Traffic Control document to see some of the possibilities), and the bridging code adds some more filter into the mix.
One of the most significant advantages of a Linux solution over a dedicated solution that comes to mind is Linux' extensive firewalling capabilities. It is possible to use the full functionality of netfilter (iptables) in combination with bridging, which provides way more functionality than most proprietary offerings do.
Why is this code worse than a switch?
In order to act as a bridge, the network device must be placed into promiscuous mode, which means it receives all traffic on a network. On a really busy network, this can eat significant bandwidth out of the processor and memory, slowing the system down. The answer is to set up either a separate dedicated Linux box as the bridge, or use a hardware switch.
What is the performance of the bridge?
The performance is limited by the network cards used and the processor. A research paper was done by James Yu at DePaul University comparing Linux bridging with a Catalyst switch: Yu-Linux-TSM2004.pdf
My bridge does not show up in traceroute!
It's not supposed to. The operation of a bridge is (supposed to be) fully transparent to the network, the networks that a bridge connects together are actually to be viewed as one big network. That's why the bridge does not show up in traceroute; the packets do not feel like they are crossing a subnet boundary.
For more information on this, read a book about TCP/IP networking.
It doesn't work!
It says: “br_add_bridge: bad address” when I try to add a bridge!
Either your kernel is old (2.2 or earlier), or you forgot to configure Ethernet bridging into your kernel.
No traffic gets through (except ARP and STP)
Your kernel might have ethernet filtering (ebtables, bridge-nf, arptables) enabled, and traffic gets filtered. The easiest way to disable this is to go to /proc/sys/net/bridge. Check if the bridge-nf-* entries in there are set to 1; in that case, set them to zero and try again.
# cd /proc/sys/net/bridge
# ls
bridge-nf-call-arptables  bridge-nf-call-iptables
bridge-nf-call-ip6tables  bridge-nf-filter-vlan-tagged
# for f in bridge-nf-*; do echo 0 > $f; done
Does bridging work on 2.2?
The base kernel for 2.2 did not support the current bridging code. The original development was on 2.2, and there used to be patches available for it. But these patches are no longer maintained.
Are there plans for RSTP (802.1w) support?
Yes, work is being done to integrate RSTP support in a future 2.6 release. The code was done for a version of 2.4 and needs to be cleaned up, tested and updated.
What can be bridged?
Linux bridging is very flexible; the LANs can be either traditional Ethernet devices, or pseudo-devices such as PPP, VPNs or VLANs. The only restrictions are that the devices:
  • All devices share the same maximum packet size (MTU). The bridge doesn't fragment packets.
  • Devices must look like Ethernet, i.e. have 6-byte source and destination addresses.
  • Support promiscuous operation. The bridge needs to be able to receive all network traffic, not just traffic destined for its own address.
  • Allow source address spoofing. The bridge must be able to send data over network as if it came from another host.
Can I do bridging in combination with netfilter/iptables?
Yes. The code for this is available in most kernels. See ebtables project.
Does it work with Token Ring, FDDI, or Firewire?
No, the addressing and frame sizes are different.
I keep getting the message **retransmitting tcn bpdu**!
It means that your Linux bridge is retransmitting a Topology Change Notification Bridge Protocol Data Unit (so now you know what the letters are for). Seriously, there is probably another switch (or Linux bridge) nearby that isn't complying with the rules of the spanning tree protocol (which is what bridges speak).
In each bridged local area network, there is one 'master bridge', which is also called the root bridge. You can find out which bridge this is using brctl.
When the topology of a bridged local area network changes (f.e. somebody unplugs a cable between two bridges), the bridge which detects this sends a topology change notification to the root bridge. The root bridge will respond to this by setting a 'topology changed' bit in the hello packets it sends out for the next X seconds (X usually being 30). This way, all bridges will learn of the topology change, so that they can take measures like timing out learned MAC entries faster for example.
After having sent out a topology change notification, if a bridge does not find the 'topology changed' bit set in the hello packets received (which in essence serves as the 'acknowledgment' of the topology change notification), it concludes that the topology change notification was lost. So it will retransmit it. However, some bridges run lobotomized implementations of the Spanning Tree Protocol which causes them not to acknowledge topology change notifications. If you have one of those bridges as your root bridge, all of the other bridges will keep retransmitting their topology changed notifications. Which will lead to these kinds of syslog messages.
There are a number of things you can do:
  • Find out which bridge is the root bridge, find out where it is located, and what internetworking software it runs. Please report this info to the mailing list (or to me directly), so that I can keep a blacklist.
  • Force the linux bridge to be the root bridge. See what the priority of the current root bridge is, and use the brctl 'setbridgeprio' command to set the priority of the linux bridge to 1 lower. (The bridge with the lowest priority always becomes the root bridge.)
  • Disable the spanning tree protocol on your linux bridge altogether. In this case, watch out for bridging loops! If you have loops in your topology, and if no bridge in the loop is running the spanning tree protocol, mayhem will come your way, as packets will be forwarded forever. Don't Do This™.
It doesn't work with my regular Ethernet card!
Unfortunately, some network cards have buggy drivers that fail under load. The situation is improving, so having a current kernel and network driver can help. Also try swapping with another brand.
Please report all problems to the Bridge mailing list: bridge@osdl.org. If your network card doesn't work (even without bridging) then try the Linux networking mailing list linux-net@vger.kernel.org
It doesn't work with my Wireless card!
This is a known problem, and it is not caused by the bridge code. Many wireless cards don't allow spoofing of the source address. It is a firmware restriction with some chipsets. You might find some information in the bridge mailing list archives to help.
Has anyone found a way to get around Wavelan not allowing anything but its own MAC address?
(answer by Michael Renzmann (mrenzmann at compulan.de))
Well, for 99% of computer users there will never be a way to get rid of this. For this function a special firmware is needed. This firmware can be loaded into the RAM of any WaveLAN card, so it could do its job with bridging. But there is no documentation on the interface available to the public. The only way to achieve this is to have a full version of the hcf library which controls every function of the card and also allows accessing the card's RAM. To get this full version Lucent wants to know that it will be a financial win for them, also you have to sign an NDA. So be sure that you won't most probably get access to this piece of software until Lucent does not change its mind in this (which I doubt never will happen).
I still don't understand!!
Doing full bridging of wireless (802.11) requires supporting WDS. The current implementation doesn't do it.
It is possible to do limited wireless to Ethernet functionality with some wireless drivers. This requires the device to be able to support a different sender address and source address. That is what WDS provides.
There are ways to make it work, but it is not always straightforward and you probably won't get it right without a pretty solid understanding of 802.11, its modes, and the frame header format.
I get the error 'too much work in interrupt'
This is because the network card is getting lots of packets. There are a few things you can try. First, build the driver with NAPI support (if it isn't on by default). NAPI means the driver will do the receive processing at soft IRQ, not at the low level interrupt.
If the driver doesn't support NAPI, you can try to increase the amount of work a driver will attempt to do in an interrupt. For 3c59x this is done with the option max_interrupt_work (so add something like 'options 3c59x max_interrupt_work=10000' to your /etc/modules.conf file), other cards might have similar options.
Does DHCP work over/through a bridge?
The bridge will forward DHCP traffic (broadcasts) and responses. You can also use DHCP to set the local IP address of the bridge pseudo-interface.
One common mistake is that the default bridge forwarding delay setting is 30 seconds. This means that for the first 30 seconds after an interface joins a bridge, it won't send anything. This is because if the bridge is being used in a complex topology, it needs to discover other bridges and not create loops. This problem was one of the reasons for the creation of Rapid Spanning Tree Protocol (RSTP).
If the bridge is being used standalone (no other bridges nearby), then it is safe to turn the forwarding delay off (set it to zero) before adding an interface to a bridge. Then you can run the DHCP client right away.
# brctl setfd br0 0
# brctl addif br0 eth0
# dhclient eth0

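The FAQ in the post above says to find out which bridge is the root using brctl. As an added example (not part of the original post), this shell script parses `brctl showstp` output and flags a root bridge that differs from the one you expect. The function names are hypothetical, the embedded sample is constructed by trimming the post's br549 output, and the expected root ID is a value you supply from your own network baseline.

```shell
#!/bin/sh
# Added example: check the STP root bridge reported by `brctl showstp`.

# Constructed sample, trimmed from the br549 output in the post above.
sample_showstp() {
cat <<'EOF'
br549
 bridge id              8000.00004c9f0bd2
 designated root        0000.000480295a00
 root port                 1                    path cost                104

eth0 (1)
 port id                8001                    state                   forwarding
 designated root        0000.000480295a00       path cost                100

eth1 (2)
 port id                8002                    state                   disabled
 designated root        8000.00004c9f0bd2       path cost                100
EOF
}

# Reduce showstp output (stdin) to key=value lines. Bridge-level fields come
# before the first "ethX (N)" header; per-port fields come after one.
stp_summary() {
    awk '
        /^[^ \t]/ && $2 ~ /^\([0-9]+\)$/               { port = $1; next }
        port == "" && $1 == "bridge" && $2 == "id"       { print "bridge_id=" $3 }
        port == "" && $1 == "designated" && $2 == "root" { print "root_id=" $3 }
        port != "" && $1 == "port" && $2 == "id"         { print "port=" port " " $5 }
    '
}

# Print the first value stored under KEY in a summary read from stdin.
stp_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# List "<port> <state>" for every port in a showstp dump read from stdin.
stp_port_states() {
    stp_summary | sed -n 's/^port=//p'
}

# stp_check_root EXPECTED_ROOT_ID  (showstp output on stdin)
# Returns 0 if the elected root matches, 1 if it differs, 3 if unparsable.
stp_check_root() {
    expected=$1
    summary=$(stp_summary)
    bridge_id=$(printf '%s\n' "$summary" | stp_field bridge_id)
    root_id=$(printf '%s\n' "$summary" | stp_field root_id)
    if [ -z "$bridge_id" ] || [ -z "$root_id" ]; then
        echo "UNKNOWN: could not parse showstp output"
        return 3
    fi
    # The 4 hex digits before the dot are the priority; lowest wins the election.
    root_prio=$((0x${root_id%%.*}))
    if [ "$root_id" != "$expected" ]; then
        echo "ALERT: root is $root_id (priority $root_prio), expected $expected"
        return 1
    fi
    if [ "$root_id" = "$bridge_id" ]; then
        echo "OK: this bridge is the root ($root_id)"
    else
        echo "OK: root is $root_id (priority $root_prio), reached via another bridge"
    fi
}

# Demo on the constructed sample; on a live host use:
#   brctl showstp br549 | stp_check_root <expected root id>
sample_showstp | stp_check_root 0000.000480295a00
sample_showstp | stp_port_states
```

Run from cron or a monitoring agent, a non-zero exit status marks a root bridge change worth investigating alongside the "retransmitting tcn bpdu" syslog messages.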

  phpMyAdmin showing Object not found
Posted by: admin - 08-27-2018, 03:00 AM - Forum: SuSe - No Replies

After installing OpenSuse Leap 15.1 and a complete LAMP server, I installed phpMyAdmin. This worked great and accessed MySQL just fine, but once an additional host was added I got "Object Not Found". I installed a fresh copy of the server with no site added, and all is once again fine.

Any ideas?

Keith


  PostFix Directory not found
Posted by: admin - 12-29-2017, 05:05 PM - Forum: PostFix Email server - No Replies

I found this answer, which fixed my issue with this error message.

Try this in a terminal window. This is using Linux Ubuntu 16.04, Postfix ver 3.1.0 and the Webmin interface ver 1.870.
The commands will of course work regardless of whether Webmin is used or not.

possible solution:

Code:
thufir@mordor:~$
thufir@mordor:~$ sudo touch /var/mail/thufir
thufir@mordor:~$ sudo chown thufir:mail /var/mail/thufir
thufir@mordor:~$ sudo chmod o-r /var/mail/thufir
thufir@mordor:~$ sudo chmod g+rw /var/mail/thufir
thufir@mordor:~$
thufir@mordor:~$ mail
No mail for thufir
thufir@mordor:~$


  pfSense
Posted by: admin - 12-28-2017, 02:31 PM - Forum: Firewalls - No Replies

I installed and began the configuration of the firewall two weeks ago. Very nice device, a little intimidating, but I have been googling and watching YouTube. I would like to monitor all traffic origins to a particular computer and connections to any ports.
