Infrastructure:New Network

From Reverse Space Wiki

Core Network

A core network segment of 10.100.10.0/23 was taken from the ChaosVPN network segments, to permit access to/from Reverse Space and other hackerspaces on the ChaosVPN network.

The 10.100.10.0/23 network was then further subnetted into four /25 networks:

  • 10.100.10.0/25 (Guest)
  • 10.100.10.128/25 (Member)
  • 10.100.11.0/25 (Cyber Warfare)
  • 10.100.11.128/25 (DMZ)

To Do List

  • Get ChaosVPN (tinc) up and running to link Reverse Space to other hackerspaces.
    • Configure FW rules to restrict access to/from ChaosVPN
  • Configure switches in racks 3 and 4 to be part of the VLAN domain ("CORE")
  • Set up self-service certificate portal on RS-Guest network
    • Move all wifi networks except RS-Guest to WPA2 using certificates
  • Set up a captive portal for the RS-Guest network
  • Set up a splash page for all other networks that shows the Reverse Space ToS/AUP
  • HW mod wireless access point for external antennas
    • Kit received 20110308; just need someone with a drill to punch holes in the plastic case of the AP.
  • Get WiFi AP management interface on VLAN 9 through WLAN trunk port
  • Install PoE adapter for WiFi AP
    • PoE injector/splitter shipped 20110308; waiting for it to arrive.
  • Mount WiFi AP in ceiling (zip ties?)

Core switching

Four Cisco 2948G switches are linked together via 2x100 Mbit LACP port-channel VLAN trunks, so 200 Mbit of traffic can flow from switch to switch. Switch 2 is the "core" switch that feeds switches 1, 3 and 4, and has a 2x100 Mbit LACP trunk to the Cobalt router.

VLANs and VLAN trunking were used to separate networks logically by VLAN, and to add the flexibility to bring up a new network by enabling a new VLAN tag on the switches and a matching VLAN interface on the router.

VLAN-tagged trunks are designed to be visible only to the core switching equipment in the server room. If an end user had access to a VLAN-tagged network port, they could place themselves on any network they desired, completely bypassing the core router and firewall ACLs.

Network Segmentation

There are seven(!) separate networks at the space.

  • Guest (VLAN 10; restricted outbound guest wireless/wired network)
  • Member (VLAN 11; somewhat less restricted outbound wireless/wired network)
  • Cyber-Warfare (VLAN 12; no outbound access at all)
  • DMZ (VLAN 13; servers and space services, very restricted outbound access)
  • Management (VLAN 9)
  • Legacy 172.16.0.0/16 (VLAN 16; member) network
  • Legacy 172.17.0.0/16 (VLAN 17; dmz) network

Virtual LANs

  • VLAN 9
    • VLAN 9 is the management network, where switches, routers, access points, etc. reside for management.
    • 192.168.1.0/24 gw 192.168.1.10
  • VLAN 10
    • VLAN 10 is the guest network.
    • 10.100.10.0/25 gw 10.100.10.1
  • VLAN 11
    • VLAN 11 is the membership network.
    • 10.100.10.128/25 gw 10.100.10.129
  • VLAN 12
    • VLAN 12 is the cyber warfare network.
    • 10.100.11.0/25 gw 10.100.11.1
  • VLAN 13
    • VLAN 13 is the DMZ network.
    • 10.100.11.128/25 gw 10.100.11.129
  • VLAN 16
    • VLAN 16 is the legacy 172.16.0.0/16 network.
  • VLAN 17
    • VLAN 17 is the legacy 172.17.0.0/16 network.

Switches

Rack 1

Port 01: VLAN 17 (connection to coronos)
Port 02: VLAN 16 (connection to coronos, not yet)
Ports 03-12: VLAN 13 (DMZ)
Ports 13-24: VLAN 13 (DMZ)
Ports 25-36: VLAN 13 (DMZ)
Ports 37-45: VLAN 13 (DMZ)
Ports 47-48: Switch Trunk to Switch 2

Rack 2

Ports 01-12: VLAN 10 (Guest)
Ports 13-24: VLAN 11 (Member)
Ports 25-29: VLAN 12 (Cyber-Warfare)
Ports 30-33: VLAN 8 (InternetTrunk)
Port 37: WiFi Trunk
Port 38: WiFi Management (temporary until management interface is on VLAN9)
Ports 39-40: Spare Trunk
Ports 41-42: LACP Trunk to Switch 2 (rack 2)
Ports 43-44: LACP Trunk to Switch 1 (rack 1)
Ports 45-46: LACP Trunk to Switch 3 (rack 3)
Ports 47-48: LACP Trunk to cobalt router

Rack 3

Ports 01-12: VLAN x
Ports 13-24: VLAN x
Ports 25-36: VLAN x
Ports 37-48: VLAN x

Rack 4

Ports 01-12: VLAN x
Ports 13-24: VLAN x
Ports 25-36: VLAN x
Ports 37-48: VLAN x

Front Switch

Ports 01-12: VLAN x
Ports 13-24: VLAN x
Ports 25-36: VLAN x
Ports 37-48: VLAN x

Wireless Connectivity

A Linksys E2000 running DD-WRT with four virtual access points exposes VLANs 10 through 13 wirelessly.

Currently all four wireless networks are WPA2-Personal; this is temporary.

Future plans

  • Captive portal on all four networks, with a ToS/AUP splash page.
  • Self-service SSL certificate generation on the RS-Guest network for members, which will grant access to the RS-Member, RS-Warfare and RS-DMZ networks. All wireless networks except RS-Guest will require a certificate.
  • Gigabit Power-over-Ethernet injector/splitter to permit the AP to be mounted in the ceiling of the space.
  • Configure the management interface of the AP to be on VLAN 9 (management VLAN).
  • Hardware modification for a +7 dB external antenna.

Wireless SSIDs

  • RS-Guest (VLAN 10)
  • RS-Member (VLAN 11)
  • RS-Warfare (VLAN 12)
  • RS-DMZ (VLAN 13)

Low-level Wireless Configuration

Wireless Interface Virtual Access Points

The wl0 interface is split into four pieces:

  • wl/wl0 - RS-Guest
  • wl0.1 - RS-Member
  • wl0.2 - RS-Warfare
  • wl0.3 - RS-DMZ

Internal Bridges

Each wireless interface is bridged inside the WAP to a VLAN.

  • br10: eth1 (wl/wl0) <--> vlan10
  • br11: wl0.1 <--> vlan11
  • br12: wl0.2 <--> vlan12
  • br13: wl0.3 <--> vlan13

NVRAM Settings

Each VLAN is configured via NVRAM settings in the WAP to trunk the VLANs (pass the traffic out an interface with the VLAN tags still on the packets) out the WAN port. The WAN port has been reconfigured to be part of the 5-port switch built into the WAP.

The end result is that when someone connects to one of the SSIDs listed above, their traffic is packaged up inside a VLAN tag inside the WAP and exits the WAN port still tagged. The switch then passes the tagged traffic to its destination (a port with the same VLAN tag, or the router's VLAN interface).

vlanXports

These settings set which VLANs are exposed on which switch ports, and whether they are (t)agged. The * character marks the default port for a packet that doesn't belong anywhere else.

  • Port 0 = WAN port
  • Ports 1-4 = switch ports
  • Port 8 = internal CPU port
  • vlan12ports="0t 8"
  • vlan2ports="0 8"
  • vlan10ports="0t 8"
  • vlan13ports="0t 8"
  • vlan11ports="0t 8"
  • vlan1ports="4 3 2 1 8*"

portXvlans
  • port5vlans=1 10 11 12 13 16 # <<< port 5 == port 8 above, this is the CPU port.
  • port3vlans=1 10 11 13 14 16 # <<< bug here, this should be 1,11,12,13,14,16
  • port1vlans=1
  • port4vlans=1
  • port2vlans=1
  • port0vlans=1 10 11 12 13 # <<< this is the WAN port
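
As an added example (not the wiki's own tooling), the following Python script parses the vlanXports and portXvlans values above and cross-checks them: both families describe the same internal switch, so they should agree, and any LAN port (1-4) carrying a tagged VLAN would be exactly the user-reachable trunk port the Core switching section warns about. The CPU-port alias (port5 == port 8) is taken from the note above; the mismatches it reports for ports 0, 3 and 8 are what the values as listed produce.

```python
import re

# NVRAM values copied from the page.  portXvlans numbers the CPU port 5
# where vlanXports numbers it 8 (the page notes port5 == port 8).
NVRAM = """
vlan12ports="0t 8"
vlan2ports="0 8"
vlan10ports="0t 8"
vlan13ports="0t 8"
vlan11ports="0t 8"
vlan1ports="4 3 2 1 8*"
port5vlans=1 10 11 12 13 16
port3vlans=1 10 11 13 14 16
port1vlans=1
port4vlans=1
port2vlans=1
port0vlans=1 10 11 12 13
"""
CPU_PORT_ALIAS = {5: 8}   # portXvlans number -> vlanXports number
LAN_PORTS = {1, 2, 3, 4}  # user-facing switch ports on the WAP


def parse_nvram(text):
    """Return ({port: {vlan: tagged}}, {port: set(vlans)})."""
    from_vlans, from_ports = {}, {}
    for line in text.strip().splitlines():
        key, _, val = line.partition("=")
        val = val.strip().strip('"')
        if m := re.fullmatch(r"vlan(\d+)ports", key):
            for tok in val.split():            # tokens like "0t", "8*", "4"
                port = int(tok.rstrip("t*"))
                from_vlans.setdefault(port, {})[int(m[1])] = "t" in tok
        elif m := re.fullmatch(r"port(\d+)vlans", key):
            port = CPU_PORT_ALIAS.get(int(m[1]), int(m[1]))
            from_ports[port] = {int(v) for v in val.split()}
    return from_vlans, from_ports


def audit(text):
    """Return ({port: (missing_in_portXvlans, extra_in_portXvlans)},
    {LAN ports that carry a tagged VLAN}); empty results mean consistent."""
    from_vlans, from_ports = parse_nvram(text)
    mismatches = {}
    for port in sorted(set(from_vlans) | set(from_ports)):
        a, b = set(from_vlans.get(port, {})), from_ports.get(port, set())
        if a != b:
            mismatches[port] = (a - b, b - a)
    tagged_lan = {p for p in LAN_PORTS if any(from_vlans.get(p, {}).values())}
    return mismatches, tagged_lan
```

Running audit(NVRAM) reports port 3 carrying five VLANs in portXvlans that vlanXports never assigns it, and VLAN 2 missing from the portXvlans side on ports 0 and 8; no LAN port carries a tagged VLAN.
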

vlanXhwname

These settings dictate which physical interface is to have VLAN tags bolted onto it. et0 is the wireless interface.

  • vlan13hwname=et0
  • vlan2hwname=et0
  • vlan12hwname=et0
  • vlan1hwname=et0
  • vlan11hwname=et0
  • vlan10hwname=et0

Current Issues

  • Management interface (VLAN1; 192.168.1.1) is not currently trunking over the WAN port.
    • A second WAP has been purchased to create a development environment for getting the management interface trunked on VLAN 9 out the WAN port.
    • The management interface is currently plugged into Switch 2, port 36, where it gets VLAN-tagged into VLAN 9.

Core Router

The core router is a Cobalt RaQ 4 running a modified version of Fedora Core 4 (yes, the hardware is just that old) with four interfaces.

  • eth0: internet uplink to a cable modem
  • eth1: (unused)
  • eth2/eth3: LACP (Linux bonding) port-channel VLAN trunk to the 2948G switch in Rack 2, connected to ports 2/47 and 2/48 on Switch 2.

Core Router VLAN interfaces

  • VLAN 9: 192.168.1.10/24
  • VLAN 10: 10.100.10.1/25
  • VLAN 11: 10.100.10.129/25
  • VLAN 12: 10.100.11.1/25
  • VLAN 13: 10.100.11.129/25
  • VLAN 16: <none>
  • VLAN 17: 172.17.0.10/16

Core Routes

New Net <--> Legacy 172.16.0.0/16

  • 10.100.10.0/23 --> 172.16.0.0/16
  • 172.16.0.0/16 --> 10.100.10.0/23

New Net <--> Legacy 172.17.0.0/16

  • 10.100.10.0/23 --> 172.17.0.0/16
  • 172.17.0.0/16 --> 10.100.10.0/23

Member -> DMZ

  • 10.100.10.128/25 -> 10.100.11.128/25

Guest -> Internet

  • 10.100.10.0/25 -> internet (bulk data ports, e.g. http)
  • 10.100.10.0/25 -> internet (shell services)

Member -> Internet

  • 10.100.10.128/25 -> internet (ipv6)
  • 10.100.10.128/25 -> internet (shell services)
  • 10.100.10.128/25 -> internet (bulk data ports, e.g. http)
  • 10.100.10.128/25 -> internet (mail)
  • 10.100.10.128/25 -> internet (chat)

DMZ -> internet

  • laika -> internet (sip udp)
  • laika -> internet (sip tcp)

TBD: Member -> Cyber Warfare
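
The Core Network subnetting and the Core Routes list above lend themselves to a small consistency model. This Python snippet is an added example, not code from the Reverse Space router: it checks that the four /25s tile 10.100.10.0/23 exactly and that each gateway sits in its own subnet, then answers flow questions with a default-deny lookup over the flows listed, so Guest -> Member or anything outbound from Cyber-Warfare comes back denied. Service names are the page's labels (no port numbers are given), and the address used for the DMZ host laika is an assumed placeholder.

```python
import ipaddress as ipa
CORE = ipa.ip_network("10.100.10.0/23")
SEGMENTS = {  # VLAN name: (subnet, gateway), copied from the page
    "Guest":         ("10.100.10.0/25",   "10.100.10.1"),
    "Member":        ("10.100.10.128/25", "10.100.10.129"),
    "Cyber-Warfare": ("10.100.11.0/25",   "10.100.11.1"),
    "DMZ":           ("10.100.11.128/25", "10.100.11.129"),
}
ANY = "*"
# (src, dst or "internet", services) transcribed from Core Routes; service
# names are the page's labels (no port numbers are given).  laika's address
# is NOT on the page: 10.100.11.130 is an assumed placeholder.
RAW_POLICY = [
    ("10.100.10.0/23", "172.16.0.0/16", ANY), ("172.16.0.0/16", "10.100.10.0/23", ANY),
    ("10.100.10.0/23", "172.17.0.0/16", ANY), ("172.17.0.0/16", "10.100.10.0/23", ANY),
    ("10.100.10.128/25", "10.100.11.128/25", ANY),              # Member -> DMZ
    ("10.100.10.0/25", "internet", {"bulk data", "shell"}),     # Guest -> internet
    ("10.100.10.128/25", "internet",
     {"ipv6", "shell", "bulk data", "mail", "chat"}),           # Member -> internet
    ("10.100.11.130/32", "internet", {"sip udp", "sip tcp"}),   # laika -> internet
]
POLICY = [(ipa.ip_network(s), d if d == "internet" else ipa.ip_network(d), v)
          for s, d, v in RAW_POLICY]

def segment_of(ip):
    """Name of the VLAN segment an address belongs to, or None."""
    a = ipa.ip_address(ip)
    return next((name for name, (net, _) in SEGMENTS.items()
                 if a in ipa.ip_network(net)), None)

def addressing_is_consistent():
    """Four /25s must tile the /23 exactly and each gateway sit in its subnet."""
    nets = {ipa.ip_network(net) for net, _ in SEGMENTS.values()}
    tiles = nets == set(CORE.subnets(new_prefix=25))
    gws_ok = all(ipa.ip_address(gw) in ipa.ip_network(net)
                 for net, gw in SEGMENTS.values())
    return tiles and gws_ok

def allowed(src, dst, service):
    """Default-deny: True only if Core Routes lists src -> dst for service."""
    s = ipa.ip_address(src)
    d = None if dst == "internet" else ipa.ip_address(dst)  # None = internet
    for src_net, dst_net, services in POLICY:
        if (s not in src_net or (dst_net == "internet") != (d is None)
                or (d is not None and d not in dst_net)):
            continue
        if services == ANY or service in services:
            return True
    return False
```
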

Core Router Services

  • DHCP (VLANs 10-13)
  • DNS (with dynamic DNS updates to forward and reverse DNS via DHCP for VLANs 10-13)
  • NTP
  • Firewall logs
  • PXEBoot CentOS 5.5/x86 and CentOS 5.5/x64 install
  • PXEBoot memtest86+ memory testing system
  • ChaosVPN endpoint (not active yet)

Core Forwarded Services

  • commons.reversespace.com
    • Reverse Space members-only forums website, used for leading projects, internal discussions, etc.
    • Lead: Chris
  • cassini.reversespace.com
    • HP ProLiant DL380 G4 running CentOS 5.6 x64, providing VirtualBox and TBD core services.
    • Asterisk PBX system and Sun Ray services are in progress.
    • Lead: Alex
  • endeavour.reversespace.com
    • Sun Fire V240 running Solaris 11 Express.
    • Currently hosting a CentOS mirror (internal only) for network installs of CentOS 5.6 i386 and x64 and Scientific Linux 6.0 x86 and x64; Ubuntu and Debian coming soon.
    • Lead: Alex
  • cronos.reversespace.com
    • Legacy firewall.
    • Currently on the legacy 172.16.0.0/15 network; needs to be migrated to the DMZ network to provide LDAP/RADIUS services to the new 10.100.10.0/23 networks.
    • Current RADIUS and LDAP services.
    • Lead: Derek