Difference between revisions of "Projects:Network"

From 57North Hacklab

(Component Overview)
(Networks)
 
(27 intermediate revisions by 3 users not shown)
Latest revision as of 21:58, 30 July 2019

Network
Description: The 57North Hacklab Network
People: User:Irl
Theme: Infrastructure
Website: (none)
Status: Active

The 57North Hacklab Network will provide all the necessary components to connect our hackers to the public Internet using both IPv4 and IPv6 and also to the ChaosVPN, dn42 and Freifunk networks.

Component Overview

                             _ __            
                          __( =  =- _        
             ----------  (-       -  )__- -_ 
            /          (_-= _(    =-    _=-  
           /              -=__(__  _-)-      
          |                     -=-          
          |                                  
          |                                  /`(HE Tunnel Endpoint)
          |           +--------------------+
          |           | bennachie.57n.dn42 |----(Various dn42 peerings)
     +-----------+    +---|0|--|1|---|2|---+
     | HG612     |________/     |          
     +-----------+              |            
                      +--------|xx|--|xx|---+
                      |  Core Switch        |
     +-----------+    +-|xx|-----------|xx|-+
     | OpenWRT   |______/
     +-----------+

bennachie.57n.dn42 is an apu3c4 board (https://pcengines.ch/apu3c4.htm) running OpenBSD. It terminates the PPPoE tunnel from Converged (https://www.converged.co.uk/) and has a 2G LACP trunk into the core switch in the same rack. This trunk uses 802.1Q encapsulation to carry multiple VLANs, as detailed below.

In the event of a failure, the configuration for this box is backed up to an SD card. This card appears as `/dev/sd1i` and is normally mounted at `/sdcard`. It is FAT formatted, not FFS, so it can be plugged into just about any machine to read the contents. On this SD card you'll find a readme and a tar file containing the contents of /etc. Note that a full copy of /etc includes master.passwd and the PPPoE credentials from the hostname.if(5) files, so treat the card as holding the router's secrets and store it accordingly.

Step 1: Network interfaces
--------------------------

  em0- Links to the VDSL modem

  em1\
      > LACP trunk with vlans to the switch
  em2/

 There are then a bunch of VLANs and tunnels. The descriptions
 for these in the hostname.if(5) files will tell you what they
 are, those files are the source of truth.

Step 2: Services
----------------

Look in /etc/rc.conf.local (or its backup) and you'll find the
services that are/were enabled. You'll find their config files and
do the right thing with them.

Step 3: Packages
----------------

Other than the base system, some packages are configured:

* MRTG

Packages are not critical to the operation of the router. As far
as possible we should use only the base system to make it easier
to keep track of things. Similarly, files in /var are considered
temporary. The only state really is in /etc. This means we don't
backup DHCP leases but we do backup the static assignments, for
example.
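As an added example (not part of the wiki page or the hacklab's own tooling), the following Python script walks the /etc tar from the SD card and pulls out what Steps 1 and 2 tell you to look for: interface descriptions from the hostname.if(5) files, the services enabled in rc.conf.local, and the files that carry credentials. The embedded sample /etc is constructed from the page's description (em0 for PPPoE, em1 and em2 in an LACP trunk, VLAN 120 as the LAN); the aggr0 interface name, the 172.23.152.1 gateway address, the credentials and the password hash are placeholders, not the router's real configuration.

```python
# Added example (not from the wiki): inventory bennachie's /etc backup tar per Steps 1-3.
import io
import re
import tarfile

SAMPLE_ETC = {  # constructed /etc modelled on the page; names and values are not real
    "etc/hostname.pppoe0": "pppoedev em0 authproto chap authname 'EXAMPLE' "
                           "authkey 'EXAMPLE-SECRET'\ninet 0.0.0.0 255.255.255.255 NONE\n",
    "etc/hostname.aggr0": "description 'LACP trunk to core switch'\n"
                          "trunkport em1\ntrunkport em2\nup\n",
    "etc/hostname.vlan120": "description 'LAN'\nvlan 120 parent aggr0\n"
                            "inet 172.23.152.1 255.255.255.0\n",
    "etc/rc.conf.local": 'sshd_flags=""\ndhcpd_flags="vlan120"\nntpd_flags=NO\n'
                         'pkg_scripts="mrtg"\n',
    "etc/master.passwd": "root:EXAMPLE-HASH:0:0:daemon:0:0:Charlie &:/root:/bin/ksh\n",
}
SECRET_KEYS = re.compile(r"\b(authkey|wpakey)\b")  # credentials in hostname.if(5)

def build_sample_tar() -> bytes:
    """Pack SAMPLE_ETC into an in-memory tar like the one on the SD card."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in SAMPLE_ETC.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def inventory(tar_bytes: bytes) -> dict:
    """Step 1: interfaces and their hostname.if(5) descriptions; Step 2: services enabled
    in rc.conf.local (*_flags not NO, plus pkg_scripts); plus files carrying credentials."""
    result = {"interfaces": {}, "services": set(), "secrets": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar.getmembers():
            text = tar.extractfile(member).read().decode()
            if member.name == "etc/master.passwd" or SECRET_KEYS.search(text):
                result["secrets"].append(member.name)  # what the plain-FAT card exposes
            if member.name.startswith("etc/hostname."):
                m = re.search(r"^description\s+['\"]?([^'\"\n]*)", text, re.M)
                result["interfaces"][member.name[13:]] = m.group(1) if m else "(no description)"
            elif member.name == "etc/rc.conf.local":
                for key, val in re.findall(r"^(\w+)=(.*)$", text, re.M):
                    val = val.strip("\"'")
                    if key == "pkg_scripts":
                        result["services"].update(val.split())
                    elif key.endswith("_flags") and val != "NO":
                        result["services"].add(key[:-6])
    result["services"] = sorted(result["services"])
    return result
```

Point `inventory()` at the bytes of the real tar from `/sdcard` to get the same three lists for the actual box; the files it reports under "secrets" are the ones to rotate if the card is ever lost.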

Networks

When considering new IP ranges, it is necessary to consider which ranges would already be in use in ChaosVPN, dn42 and Freifunk. The range 192.168.0.0/16 is available for local use and not routed outside the hackerspace. For IPv6, the hackerspace has a global scope address block (2001:470:510b::/48), from Hurricane Electric, and this surfaces in Germany (who has the account for this?).

Some blocks in this table have been marked as legacy. This is because the addressing they use came from ChaosVPN, and we are now instead looking at dn42 for inter-hackerspace peering. ChaosVPN and dn42 co-ordinate on address space and also peer with each other, so we should not lose any connectivity.

Our dn42 autonomous system number is AS4242421057 (https://registry.dn42.us/registry/aut-num/AS4242421057).

VLAN  Description  Address Range    IPv6
120   LAN          172.23.152.0/24  ?

IP addressing is documented at projects:Network/WiredLan; even though the page is named WiredLan, everything is on one /24 now.

IPX support is planned, but will need to happen later due to time constraints. Ideas include just routing IPX over our wired/wireless VLANs but then also between hackerspaces over ChaosVPN.

Network Rack

The network rack is the top, wall-mounted rack.

It floats, as if by magic.

Rack Layout

U (from top)  Hardware
1             Patch Panel
2             Mesh Blank Panel
3             Cable Tidy
4             Switch
5             Cable Tidy
6-7           NMS Panel


Patch Panel

The Patch Panel in the top rack is currently

Patch Panel Port  Outlet
1                 Back Desk, Left
2                 Back Desk, Right
3                 Back Desk, Right -1
4                 Back Desk, Left -1
5                 Component Desk
6                 Toolbench, Left
7                 Printer Desk, Left
8                 IP Phone, Right
9                 Toolbench, Right
10                Printer Desk, Right
11                IP Phone, Left
22                PPPoE Converged
23                Emergency Telephone (NOT TO BE PLUGGED INTO SWITCH)
24                WAN Port

ChaosVPN

ChaosVPN (http://wiki.hamburg.ccc.de/ChaosVPN) is a VPN that connects hackers and hackerspaces. The wired and wireless LANs are connected to ChaosVPN and, via ChaosVPN, to the dn42 and Freifunk networks.