Difference between revisions of "Networking"

From SkullSpace Wiki
Jump to navigation Jump to search
m (Stupid-High Level Diagram)
m (VOI IP Delegation)
Line 681: Line 681:
 
|-
 
|-
 
|}
 
|}
| Ron's server
+
|  
| ron @ skullsecurity.net
+
|  
| Now
+
|
| Websites and stuff
+
|  
 
|-
 
|-
 
| 206.220.196.60
 
| 206.220.196.60

Revision as of 04:35, 15 November 2015

  • Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
  • Also see IT Policies
  • We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
  • this page is finally being updated for Sksp2, old page is at Networking/Old


High-level description

The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.

Stupid-High Level Diagram

                              +-------------------+                                                     
                              |                   |                                                     
                              |     The Tubes     |                                                     
                              |    On The Roof    |                                                     
                              |                   |                                                     
                              +--+--------------+-+                                                     
                                 |              |                                                       
                                 |              | port1                                               
             +-------------------+-+          +-+-------------------+                                   
             |     LES.net         |    port2 |       VOI           |                                   
             |                     |   +------+     CPE/Router      |                                   
             |   208.81.6.224/27   |   |      |   206.220.196.49    |                                   
             +-----------------+---+   |      +------------+--------+                                   
                               |       |                   | port3(SKSP)                                           
                               |       |                   | ether3                                     
                               | fa20  | fa24        +-----+---------------+                            
                     +---------+-------+-----+       |  Skullspace+Router  |                            
           fa1-19    |  Skullspace+External  | ether1|       RB450G        |                            
          +----------+      Cisco 2850       +-------+  206.220.196.50     |                            
          |          |      172.30.6.2 (fa23)| fa21  |  208.81.6.228       |                            
          |          +----------------------++       |  172.30.6.1         |                            
          |                                 |        +---------+-----------+                            
+---------+-----------+                     |                  |ether2                                  
|                     |                     |                  |                                         
|  Rest of External   |                     |                  |                                         
|     PUBLIC/LAN      |                     |        +---------+-------------+      +------------------+
|                     |                     +--------+  Skullspace+Internal  |      |                  |
|  206.220.196.48/28  |                              |  3+Com L2 Old Junk    +------+ Rest of Internal |
|  206.220.193.64/29  |                              |                       |      |   INTERNAL/LAN   |
|  208.61.6.224/27    |                              +---+-------+-------+---+      |   172.30.6.0/24  |
+---------------------+                                  |       |       |          |                  |
                                                +--------+       |       +--------+ +------------------+
                                                |                |                |                     
                                         +------+------+  +------+------+  +------+------+              
                                         |    WAP+A    |  |    WAP+B    |  |    WAP+C    |              
                                         | 172.30.6.10 |  | 172.30.6.11 |  | 172.30.6.12 |              
                                         |             |  |             |  |             |              
                                         +-------------+  +-------------+  +-------------+  

Built using ASCIIFlow - http://asciiflow.com/

Internet feeds

B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg)
B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).

Network hardware

  • Mikrotik Routerboard 450G as main router
  • Netgear WNDR3700 router, donated by Project Bismark. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.
  • Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss.
  • Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef.
  • Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef.
  • A 3Com 4924 (:A0) as the main switch, by default everything connects here.
  • A 3Com 4924 (:??) a spare switch.
  • 2 D-Link DWL-810+ bridges.
  • Netgear GS108T as the lounge switch.
  • D-Link DWL-7100AP AP.
  • D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
  • A Belkin F5D8236 wireless-N router as spare
  • 3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares.
  • Belkin F5D5141-5 switch.
  • Cisco 2950 switches #1 and #2.
  • Mikrotik RB750 (small white box) VOI's router
  • Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris.

Wiring

Runs A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP. C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam. E+F+G: from rack to area behind rear black desk.


Tasks

  • terminate ethernet lines correctly in a panel once we're sure server room is stable
  • label networking equipment (IPs etc) and servers, update this page for the latter
  • put read-only and full-access passwords on devices

Wireless Networks

skullspace = main SSID, usual password skullspace_rear: linksys G router in the server rack, as a backup.


New IP Ranges

  • 172.30.4.x = testing/reserved for later use
  • 172.30.5.x = half Security/Management network half VPNs
  • 172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
  • 172.30.7.x = CTF Network DHCP ??? router .1

Internal IP usage

Check these

Legacy IPs

  • 192.168.1.1 Micro-tik Router
  • 192.168.1.9 noel, alex's linux container on vmsrv
  • 192.168.1.10 kyle, a linux container on vmsrv
  • 192.168.1.11 stefen, a linux container on vmsrv
  • 192.168.1.12 Samsung CLP-310N printer
  • 192.168.1.15 Cisco 2950 switch
  • 192.168.1.16 Netgear GS108T workshop switch
  • 192.168.1.17 Cisco 4924 Switch-1 (main)
  • 192.168.1.18 Cisco 4924 Switch-2
  • 192.168.1.22 DES-3224
  • 192.168.1.26 vmsrv
  • 192.168.1.27 Who took this and didn't document?
  • 192.168.1.31 not in use, but don't use
  • 192.168.1.32 Skullhost on vmsrv
  • 192.168.1.33 iscsi server on vmsrv
  • 192.168.1.34-35 Kenny servers
  • 192.168.1.36 VPN server on vmsrv - contact Jay or Alex
  • 192.168.1.37 Ben's server
  • 192.168.1.38 Driftnet laptop
  • 192.168.1.39 open for use
  • 192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.

Current 172.30/16

  • 172.30.6.1 Micro-tik Router
  • 172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
  • 172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
  • 172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
  • 172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
  • 172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
  • 172.30.6.13 intarweb.ca (Sean's server, inside interface)
  • 172.30.6.16 Netgear GS108T
  • 172.30.6.30 latest Ubuntu graphical shell service on vmsrv
  • 172.30.6.31-32 Mark's temporary project ips
  • 172.30.6.33 UniFI AP Controller (Container on vmsrv)
  • 172.30.6.34 Jay Bots (Container on vmsrv)
  • 172.30.6.40 vmsrv
  • 172.30.6.41 Mark's test router
  • 172.30.6.50-53 Chris Otto Servers
  • 172.30.6.100-240 Main router DHCP space
  • 172.30.6.241-254 VPN IPs
    • 172.30.6.245 - sean VPN IP (sean cody)
    • 172.30.6.247 - cchilds VPN IP
    • 172.30.6.248 - jordansamulaitis VPN IP
    • 172.30.6.249 - gygar VPN IP
    • 172.30.6.250 - nwild VPN IP
    • 172.30.6.251 - cstanners-router VPN IP
    • 172.30.6.252 - odin VPN IP
    • 172.30.6.254 - cstanners VPN IP
  • 172.30.7.1 Micro-tik Router (WIFI VLAN)
  • 172.30.8.0/24 Virtual Machine Server (vmsrv) LAN
    • 172.30.8.1 vmsrv
    • 172.30.8.2 Mark private ubuntu vpn
    • 172.30.8.3 Mark private project ubuntu (Container on vmsrv)
  • 10.50.31.0/24 TheLEDSign LAN
    • 10.50.31.16 The Sign
    • 10.50.31.17 The controlling container (vmsrv)
  • 10.50.32.0/30 Mark project private Point to Point link LAN

IP Usage

LES IP Delegation

LES allocated 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
IP DNS Use Contact used by? reason for public IP and notes
208.81.6.224 TBD LES.net Network LES.net all machines required by network design
208.81.6.225 TBD LES.net Gateway LES.net all machines required by network design
208.81.6.226 TBD LES.net RESERVED LES.net all machines required by network design
208.81.6.227 TBD LES.net RESERVED LES.net all machines required by network design
208.81.6.228 TBD Skullspace Router it AT skullspace.ca Skullspace LAN
208.81.6.229 TBD ns1.skullspace.ca it AT skullspace.ca Skullspace DNS
208.81.6.230 Mark's test router
208.81.6.231
208.81.6.232
208.81.6.233
208.81.6.234
208.81.6.235
208.81.6.236
208.81.6.237
208.81.6.238
208.81.6.239
208.81.6.240
208.81.6.241
208.81.6.242
208.81.6.243
208.81.6.244
208.81.6.245
208.81.6.246
208.81.6.247
208.81.6.248
208.81.6.249
208.81.6.250
208.81.6.251
208.81.6.252
208.81.6.253 TBD intarweb.ca sean AT tinfoilhat.ca Skullspace LAN Sean Cody
208.81.6.254
208.81.6.255 TBD LES.net Broadcast LES.net all machines required by network design

VOI IP Delegation

VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

IP DNS Use Contact used by? reason for public IP and notes
206.220.193.65 TBD VOI router VOI all machines required by network design
206.220.193.66
Fwd:
Rev:
Mark temporary use
206.220.193.67
Fwd:
Rev:
206.220.193.68
Fwd:
Rev:
206.220.193.69
Fwd:
Rev:
Richard's Server rjr point work at gmail development server, potentially Starbound server
206.220.193.70
Fwd:
Rev:
Chris's Server cotto at ieee point org development server, occasionally Terraria server
206.220.196.49
Fwd: h49-skullspace.winnipeg.voinetworks.net.
Rev: h49-skullspace.winnipeg.voinetworks.net.
VOI Mikrotik RB750? router VOI Networks now required by network design
206.220.196.50
Fwd:
Rev:
Sksp Main Router it@skullspace.ca
206.220.196.51 2604:4280:1:c0de::53
Fwd: ns1.skullspace.ca (Pending)
Rev: ns1.skullspace.ca (Pending)
2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
SKSP DNS it@skullspace.ca 2014-10-08 Skullspace Primary DNS Server
206.220.196.52
Fwd: <several>
Rev: mail.nepharia.org
Vobster Nepharia Services mak@kolybabi.com and dave@ysarro.com 2012-02-17 Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
206.220.196.53
Fwd: <several>
Rev: mail.skullspace.ca
Vobster SkullSpace Services mak@kolybabi.com and dave@ysarro.com 2012-02-17 Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
206.220.196.54
Fwd: ctf.skullspace.ca
Rev: ctf.skullspace.ca
Vobster CTF Services mak@kolybabi.com and dave@ysarro.com 2013-04-09
206.220.196.55
Fwd:
Rev:
Edwin Amsler edwinguy at gmail dot calm 2015-02-23
206.220.196.56
Fwd:
Rev:
Colin / Jeremy FreeBSD server phoul@insecure-complexity.com 2013-10-01
206.220.196.57
Fwd:
Rev:
vmsrv mark@parit.ca 2012-08-27 VM server open to all members, will run an http proxy to allow this one ip to host many web servers
206.220.196.58 2604:4280:1:c0de::314
Fwd: intarweb.ca
Rev:
Sean's server. sean _at_ tinfoilhat _dot_ ca 2013-09-27 L2TP etc.
206.220.196.59
Fwd:
Rev:
206.220.196.60
Fwd:
Rev:
Colin's project server CStanners @ gmail Occasional IPv6, VPN services and testing
206.220.196.61
Fwd:
Rev:
Ben's server ben@benbergman.ca 2012-12-18 http/ssh/vpn/other
206.220.196.62
Fwd: dangerzone.skullspace.ca
Rev: dangerzone.skullspace.ca
The Danger Zone ctfadmin@ 2012-06-01 The home of the SkullSpace Teaching CTF.

Access

All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.