SkullSpace Wiki - User contributions [en]

TPLinkPoE

2026-02-27T05:34:49Z

Markjenkinsparit: Utilization of TP Link PoE switch ports, all on same VLAN

Our TP Link POE switch is a 16 port switch with 8 ports supporting Power over Ethernet (POE).

It supports 802.1Q VLANs. Care should be taken before plugging into it to note which VLAN you are plugging in to. As documentation tends to drift with time, you should verify the expected LAN is present or not.

This switch is on the [[Networking#Access_Controls_and_Cameras_192.168.1.0.2F24|access control and camera LAN]] as 192.168.1.2 with mac address ac:15:a2:30:b6:d3 .

At this time all ports are on the same VLAN.

What's going on with each port

# Closet camera, grey cable with label
# White cable, believe to be one of the new ones to the closet
# Half of a cable split in two, orange (Or) and green (Gr) pairs, cable is white, goes to a camera, blue tape label is wrong
# Not in use
# Other half of same split cable as 3, brown (Br) and blue (Bl) pairs, goes to a camera, blue tape label is wrong
# Not in use
# Half a cable split in two, green (Gr) and orange (Or) pairs, cable is white, goes to a camera
# Other half of same split cable as 7, brown (Br) and blue (Bl) pairs
# yellow cable to Ubiquity unifi white box
# not in use
# not in use
# not in use
# white cable, suspected to be a new run to the closet
# not in use
# not in use
# Blue cable with black boot, goes to access control management workstation

Summit 400-48t

2026-02-27T02:31:16Z

Markjenkinsparit: Problems with the Summit 400-48t, documented as unplugged and not split into VLANs as per docs

A 48 port managed switch.

(gigabit?)

Everything on this page is out of date at the moment. VLANs were established, switch ports were assigned, power cycle tests were done and all seemed fine. Then a big power outage came along and reset everything, calling into question if we can rely on VLANing this switch. This switch is currently powered down.

Has passwords: Mark Jenkins, Chris Cartwright, Edwin Amsler.

Assigned to 172.30.9.2/24 on skspmgmt VLAN and 192.168.30.2/24 on the Mgmnt VLAN (back port mgmt)

Old ssh support is enabled, works best through putty.
With OpenSSH, tried
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss
Ciphers +3des-cbc
MACs +hmac-md5
in .ssh/config, which resolved some issues, but still had error
ssh_dispatch_run_fatal: ... invalid format

== VLANs ==
* Default
* skspmgmt
* accessctrlcamera -- Access control system and camera system (currently isolated on the PoESwitch)
* Mgmt -- for management vlan on back
* nowhere
* lesnetpub -- public ip address from les.net

== Ports ==

===LAN group===
#shared optical and twisted port, twisted port has green cable to Cisco internal LAN switch
#shared optical and twisted port, twisted port has blue cable to HP DL380e port 1 (numbered 1-4)
#shared optical and twisted port, unused on both
#shared optical and twisted port, unused on both

===Les.net Public===
* 35 assigned but empty
* 36 assigned but empty
* 37 assigned but empty
* 38 assigned but empty
* 39 assigned but empty
* 40 assigned but empty

===Access Control and Camera===
Not assigned

===Not assigned to anything===

*41 empty
*42 empty
*43 empty
*44 empty

===Management group===
*47 grey cable, sksp management network, connected to HP DL380e ILO
*48 grey cable, sksp management network connected to [[vmsrv]] eth3

Networking

2026-02-27T02:28:31Z

Markjenkinsparit: Link to the newly established TPLinkPoE page

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
*172.30.6.32 available
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*172.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.
*172.30.6.43 Access Control and camera management workstation
*172.30.6.44 Rasp Pi 2B for controlling Symon Netbrite
*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*172.30.9.0/24 Management network
**172.30.9.2 Extreme networks [[Summit 400-48t]] switch
**172.30.9.5 HP DL380e Gen8 iLO.
**172.30.9.30 [[vmsrv]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

===Access Controls and Cameras 192.168.1.0/24===
* 192.168.1.1 - Win7 Blue Iris station 00:13:3b:0e:21:cb
* 192.168.1.2 - [[TPLinkPoE|TPLink PoE]] switch ac:15:a2:30:b6:d3
* 192.168.1.3 - Lubuntu 22.04 virtualization host
* 192.168.1.4 - Mark test record LXD container
* 192.168.1.100 - WinXP virtual machine, Kantech access control management
* 192.168.1.101 - Camera, 00:50:1a:04:2D:B1, IQ541S
* 192.168.1.103 - Camera 00:50:1a:01:7c:c4
* 192.168.1.105 - Camera 00:50:1a:01:84:fd
* 192.168.1.250 - Access control serial port relay
* other cameras undocumented

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

TPLinkPoE

2026-02-27T02:27:24Z

Markjenkinsparit: Fixed linking, proof I haven't been documenting for awhile

TPLinkPoE

2026-02-27T02:25:05Z

Markjenkinsparit: Start a page for the TPLink PoE switch with VLANS

Networking

2025-11-05T01:47:55Z

Markjenkinsparit: rasp pi for Symon Netbrite LED sign

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
*172.30.6.32 available
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*172.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.
*172.30.6.43 Access Control and camera management workstation
*172.30.6.44 Rasp Pi 2B for controlling Symon Netbrite
*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*172.30.9.0/24 Management network
**172.30.9.2 Extreme networks [[Summit 400-48t]] switch
**172.30.9.5 HP DL380e Gen8 iLO.
**172.30.9.30 [[vmsrv]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

===Access Controls and Cameras 192.168.1.0/24===
* 192.168.1.1 - Win7 Blue Iris station 00:13:3b:0e:21:cb
* 192.168.1.2 - TPLink PoE switch ac:15:a2:30:b6:d3
* 192.168.1.3 - Lubuntu 22.04 virtualization host
* 192.168.1.4 - Mark test record LXD container
* 192.168.1.100 - WinXP virtual machine, Kantech access control management
* 192.168.1.101 - Camera, 00:50:1a:04:2D:B1, IQ541S
* 192.168.1.103 - Camera 00:50:1a:01:7c:c4
* 192.168.1.105 - Camera 00:50:1a:01:84:fd
* 192.168.1.250 - Access control serial port relay
* other cameras undocumented

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Summit 400-48t

2024-03-08T02:45:43Z

Markjenkinsparit: march 7 switch changes

A 48 port managed switch.

(gigabit?)

Has passwords: Mark Jenkins, Chris Cartwright, Edwin Amsler.

Assigned to 172.30.9.2/24 on skspmgmt VLAN and 192.168.30.2/24 on the Mgmnt VLAN (back port mgmt)

Old ssh support is enabled, works best through putty.
With OpenSSH, tried
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss
Ciphers +3des-cbc
MACs +hmac-md5
in .ssh/config, which resolved some issues, but still had error
ssh_dispatch_run_fatal: ... invalid format

== VLANs ==
* Default
* skspmgmt
* accessctrlcamera -- Access control system and camera system (currently isolated on the PoESwitch)
* Mgmt -- for management vlan on back
* nowhere
* lesnetpub -- public ip address from les.net

== Ports ==

===LAN group===
#shared optical and twisted port, twisted port has green cable to Cisco internal LAN switch
#shared optical and twisted port, twisted port has blue cable to HP DL380e port 1 (numbered 1-4)
#shared optical and twisted port, unused on both
#shared optical and twisted port, unused on both

===Les.net Public===
* 35 assigned but empty
* 36 assigned but empty
* 37 assigned but empty
* 38 assigned but empty
* 39 assigned but empty
* 40 assigned but empty

===Access Control and Camera===
Not assigned

===Not assigned to anything===

*41 empty
*42 empty
*43 empty
*44 empty

===Management group===
*47 grey cable, sksp management network, connected to HP DL380e ILO
*48 grey cable, sksp management network connected to [[vmsrv]] eth3

Networking

2023-10-18T00:27:58Z

Markjenkinsparit:

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
*172.30.6.32 available
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*172.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.
*172.30.6.43 Access Control and camera management workstation

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*172.30.9.0/24 Management network
**172.30.9.2 Extreme networks [[Summit 400-48t]] switch
**172.30.9.5 HP DL380e Gen8 iLO.
**172.30.9.30 [[vmsrv]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

===Access Controls and Cameras 192.168.1.0/24===
* 192.168.1.1 - Win7 Blue Iris station 00:13:3b:0e:21:cb
* 192.168.1.2 - TPLink PoE switch ac:15:a2:30:b6:d3
* 192.168.1.3 - Lubuntu 22.04 virtualization host
* 192.168.1.4 - Mark test record LXD container
* 192.168.1.100 - WinXP virtual machine, Kantech access control management
* 192.168.1.101 - Camera, 00:50:1a:04:2D:B1, IQ541S
* 192.168.1.103 - Camera 00:50:1a:01:7c:c4
* 192.168.1.105 - Camera 00:50:1a:01:84:fd
* 192.168.1.250 - Access control serial port relay
* other cameras undocumented

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2023-10-18T00:19:07Z

Markjenkinsparit: access control and camera 192.168.1.0/24 network

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
*172.30.6.32 available
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*172.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.
*172.30.6.43 Access Control and camera management workstation

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*172.30.9.0/24 Management network
**172.30.9.2 Extreme networks [[Summit 400-48t]] switch
**172.30.9.5 HP DL380e Gen8 iLO.
**172.30.9.30 [[vmsrv]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

===Access Controls and Cameras 192.168.1.0/24===
* 192.168.1.1 - Win7 Blue Iris station
* 192.168.1.2 - TPLink PoE switch
* 192.168.1.3 - Lubuntu 22.04 virtualization host
* 192.168.1.4 - Mark test record LXD container
* 192.168.1.100 - WinXP virtual machine, Kantech access control management
* 192.168.1.103 - Camera
* 192.168.1.105 - Camera
* 192.168.1.250 - Access control serial port relay

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Summit 400-48t

2023-10-12T20:05:06Z

Markjenkinsparit:

A 48 port managed switch.

(gigabit?)

Has passwords: Mark Jenkins, Chris Cartwright, Edwin Amsler.

Assigned to 172.30.9.2/24 on skspmgmt VLAN and 192.168.30.2/24 on the Mgmnt VLAN (back port mgmt)

Old ssh support is enabled, works best through putty.
With OpenSSH, tried
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss
Ciphers +3des-cbc
MACs +hmac-md5
in .ssh/config, which resolved some issues, but still had error
ssh_dispatch_run_fatal: ... invalid format

== VLANs ==
* Default
* skspmgmt
* accessctrlcamera -- Access control system and camera system 192.168.1.100 (vm), 192.168.1.3 (vm host), 192.168.1.4 (mark test lxd container), 192.168.1.250 (serial port relay)
* Mgmt -- for management vlan on back

== Ports ==

===LAN group===
#shared optical and twisted port, twisted port has green cable to Cisco internal LAN switch
#shared optical and twisted port, twisted port has blue cable to HP DL380e port 1 (numbered 1-4)
#shared optical and twisted port, unused on both
#shared optical and twisted port, unused on both

===Access Control and Camera===

*41 blue cable, black boot, goes to access control management workstation 192.168.1.100 (vm) / 192.168.1.3 (vm host)
*42 white cable, goes to access control serial protocol relay device 192.168.1.250
*43 empty
*44 empty

===Management group===
*47 grey cable, sksp management network, connected to HP DL380e ILO
*48 grey cable, sksp management network connected to [[vmsrv]] eth3

Summit 400-48t

2023-08-23T02:28:52Z

Markjenkinsparit:

A 48 port managed switch.

(gigabit?)

Has passwords: Mark Jenkins, Chris Cartwright, Edwin Amsler.

Assigned to 172.30.9.2/24 on skspmgmt VLAN and 192.168.30.2/24 on the Mgmnt VLAN (back port mgmt)

Old ssh support is enabled, works best through putty.
With OpenSSH, tried
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss
Ciphers +3des-cbc
MACs +hmac-md5
in .ssh/config, which resolved some issues, but still had error
ssh_dispatch_run_fatal: ... invalid format

== VLANs ==
* Default
* skspmgmt
* accessctrlcamera -- Access control system and camera system (192.168.1.100 (vm), 192.168.1.3 (vm host), 192.168.)
* Mgmt -- for management vlan on back

== Ports ==

===LAN group===
#shared optical and twisted port, twisted port has green cable to Cisco internal LAN switch
#shared optical and twisted port, twisted port has blue cable to HP DL380e port 1 (numbered 1-4)
#shared optical and twisted port, unused on both
#shared optical and twisted port, unused on both

===Access Control and Camera===

*41 blue cable, black boot, goes to access control management workstation 192.168.1.100 (vm) / 192.168.1.3 (vm host)
*42 white cable, goes to access control serial protocol relay device 192.168.1.250
*43 empty
*44 empty

===Management group===
*47 grey cable, sksp management network, connected to HP DL380e ILO
*48 grey cable, sksp management network connected to [[vmsrv]] eth3

Summit 400-48t

2023-08-23T01:28:53Z

Markjenkinsparit:

A 48 port managed switch.

(gigabit?)

Has passwords: Mark Jenkins (TODO more people)

Assigned to 172.30.9.2/24 on skspmgmt VLAN and 192.168.30.2/24 on the Mgmnt VLAN (back port mgmt)

== VLANs ==
* Default
* skspmgmt
* accessctrlcamera -- Access control system and camera system
* Mgmt -- for management vlan on back

== Ports ==

===LAN group===
#shared optical and twisted port, twisted port has green cable to Cisco internal LAN switch
#shared optical and twisted port, twisted port has blue cable to HP DL380e port 1 (numbered 1-4)
#shared optical and twisted port, unused on both
#shared optical and twisted port, unused on both

===Access Control and Camera===

*41
*42
*43
*44

===Management group===
*47 grey cable, sksp management network, connected to HP DL380e ILO
*48 grey cable, sksp management network connected to [[vmsrv]] eth3

Summit 400-48t

2023-08-16T01:55:19Z

Markjenkinsparit:

A 48 port managed switch.

(gigabit?)

Has passwords: Mark Jenkins (TODO more people)

Assigned to 172.30.9.2/24 on skspmgmt VLAN and 192.168.30.2/24 on the Mgmnt VLAN (back port mgmt)

== VLANs ==
* Default
* skspmgmt
* Mgmt -- for management vlan on back

== Ports ==

===LAN group===
#shared optical and twisted port, twisted port has green cable to Cisco internal LAN switch
#shared optical and twisted port, twisted port has blue cable to HP DL380e port 1 (numbered 1-4)
#shared optical and twisted port, unused on both
#shared optical and twisted port, unused on both

===Management group===
*47 grey cable, sksp management network, connected to HP DL380e ILO
*48 grey cable, sksp management network connected to [[vmsrv]] eth3

Networking

2023-08-16T01:31:21Z

Markjenkinsparit:

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
*172.30.6.32 available
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*172.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.
*172.30.6.43 Access Control and camera management workstation

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*172.30.9.0/24 Management network
**172.30.9.2 Extreme networks [[Summit 400-48t]] switch
**172.30.9.5 HP DL380e Gen8 iLO.
**172.30.9.30 [[vmsrv]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Summit 400-48t

2023-08-09T00:05:54Z

Markjenkinsparit: start documenting switch donated by Edwin

A 48 port managed switch.

(gigabit?)

Has passwords: Mark Jenkins (TODO more people)

Was believed to have been assigned a 172.30.9.0/24 ip address on the multi-port management LAN but does not show up

== Ports ==

===LAN group===
#shared optical and twisted port, twisted port has green cable to Cisco internal LAN switch
#shared optical and twisted port, twisted port has blue cable to HP DL380e port 1 (numbered 1-4)
#shared optical and twisted port, unused on both
#shared optical and twisted port, unused on both

===Management group===
*46 grey cable, management network connected to [[vmsrv]] eth3
*47 grey cable, management network, connected ti HP DL380e ILO
*48 blank, but assigned to management network

Networking

2023-08-08T23:48:04Z

Markjenkinsparit: dead link to summit 400-48t

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
*172.30.6.32 available
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*172.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.
*172.30.6.43 Access Control and camera management workstation

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*172.30.9.0/24 Management network
**172.30.9.5 HP DL380e Gen8 iLO.
**172.30.9.30 [[vmsrv]]
**172.30.9.? Extreme networks [[Summit 400-48t]] switch

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2023-08-08T23:43:57Z

Markjenkinsparit: document

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
*172.30.6.32 available
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*172.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.
*172.30.6.43 Access Control and camera management workstation

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*172.30.9.0/24 Management network
**172.30.9.5 HP DL380e Gen8 iLO.
**172.30.9.30 [[vmsrv]]
**172.30.9.? Extreme networks Summit 400-48t switch

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2023-07-05T01:02:10Z

Markjenkinsparit:

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
*172.30.6.32 available
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*172.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.
*172.30.6.43 Access Control and camera management workstation

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2023-05-24T00:31:38Z

Markjenkinsparit: Reserved Skullspace LAN IP for new VM server, HP 380e Gen8

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
*172.30.6.32 available
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*173.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2021-10-23T02:26:48Z

Markjenkinsparit: temp reserve of 208.81.6.246

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*173.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2020-08-30T21:20:21Z

Markjenkinsparit: pablodraw moved to skullspace 2.0 LAN

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*173.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Main Page

2020-08-04T23:58:33Z

Markjenkinsparit: Change of directors, after passing of Chris Johnson, uncontested by-election won by Edwin Amsler

(Back to [http://skullspace.ca Skullspace.ca])

'''''EDITING''''' - if you want to edit this wiki, you'll need an account to be created by the [[Wikigods]]

==What is [http://www.skullspace.ca SkullSpace]?==
SkullSpace is a [http://hackerspaces.org hackerspace] in Winnipeg. It is a place for hackers, builders, programmers, artists and anybody interested in how stuff works to gather in a common place and help focus and share their knowledge and creativity. Whether members are interested in individual or group projects, and whether they're tackling hardware, software, mathematical, design or any other problems, it's our goal to provide the space, tools, freedom, and education to make it happen.

Our physical presence is 2500 sq. ft. of space on the 2nd floor of 374 Donald Street, right across from the Burton Cummings Theatre in the heart of the Exchange District.

Our legal entity is a non-profit corporation within the province of Manitoba. We have a member-elected Board of Directors who also act as Officers consisting of:

* Edwin Amsler
* Kyle Martin
* Mark Campbell
* Michael Kozakewich
* Nate Wild

All Directors can be reached by email at firstname.lastname @ skullspace.ca.
Actually, Thor can be reached without his last name, because his first is just that powerful.

In practice our membership operates as a collective, with members being as involved as much as they want to be in the decision making process. See our [[Bylaws]] for more information.

Also see our [[Press]] coverage.

If you're still unsure what SkullSpace is about, KQED has published a great [http://www.youtube.com/watch?v=wamwklXWK4M short video] on what hackerspaces offer to the community.

==Visiting SkullSpace==

We are located on the second floor of 374 Donald Street in Winnipeg. ([https://www.google.com/maps/place/374+Donald+St/@49.8960111,-97.144483,17z/data=!3m1!4b1!4m2!3m1!1s0x52ea715dcf0040b3:0x83cc84d524e1bcfb Google Maps link])

Meetings, which are open to the public, happen every Tuesday at 6pm. You can browse our previous [[Meeting notes]] archive to stay updated on what we discuss. '''Non-members are welcome to drop in'''!

We also have a variety of events during the week and weekends - see our [[Community_Events|Calendar]] for a complete listing!

==Contact us/Connect with SkullSpace==
We have lots of ways to get in touch us!

The best way to stay informed is by joining our [[Mailing List|mailing lists]]. We have two primary lists - announce@ and discuss@. All members and people interested should join announce@ - it's low traffic, with only a couple emails a week about our important events. If you're more interested in the community, join discuss@, which is high volume. Instructions are on the [[Mailing List]] wiki page.

Our primary social media outlet is our [https://twitter.com/SkullSpaceWpg/ Twitter] page. You can also find SkullSpace on [https://www.facebook.com/SkullSpaceWpg Facebook].

The other online place where you can find us is in our [irc://irc.freenode.net/#SkullSpace irc channel], #SkullSpace on irc.freenode.net. You'll find constant traffic/discussion there. Freenode also offers a webchat client [https://webchat.freenode.net/?channels=%23skullspace&uio=d4 here].

SkullSpace also has a [http://www.meetup.com/Skullspace-Winnipegs-hackerspace/ Meetup] page and a [https://secure.flickr.com/photos/skullspace Flickr] page.

==How do I join?==
Easy! First you should show some interest showing up either online or physically as discussed above. If you like what you see, browse the [[:Category:Required Reading]] category on the wiki, which is the information that every member should know.

Once you've done that, you can apply to become a member! Our membership dues are pay-what-you-can, with a minimum cost of $40/month ($20/month if you're a student). This gets you 24/7 access to the space along with everything else listed on the [[Member Benefits]] page. To apply, fill out the [[Media:Membership Agreement.doc|membership agreement]] and, if you choose, [[Media:SkullSpace PAD.pdf|pre-authorized debit form]]. Bring those forms (and a void cheque if you'd like to use pre-authorized debit) to a Tuesday meeting, if you can; otherwise, email info at skullspace.ca to make other arrangements.

Your name will be emailed to the announce@ mailing list, and if nobody objects to your membership after two weeks you'll be handed a key.

==Can I host events at your space?==
The short answer: Absolutely!

If you're hosting an event at the space, you'll need to coordinate with at least one SkullSpace member, for access. We generally don't give keys to non-members. Of course, becoming a member is easy, so you can simply become a member and have full access! See above for info!

As early as possible, the event needs to be put in the [[Community Events|calendar]] and emailed to the discuss@ mailing list (discuss at skullspace.ca). If it's open to the public, you may also advertise it on the announce@ mailing list, both when it's planned and again shortly before the event as a reminder.

We request that all events at the space be open to SkullSpace members, as the space belongs to us. We also request that you solicit donations for non-members who use our space. We currently don't charge to use our space, but if it becomes popular, and we don't make enough donations to be worth our while, we may start charging non-members.

==Important Links==
===Community===
* [http://www.skullspace.ca/blog/ Blog]
* [[Mailing List]]
* [irc://irc.freenode.net/#SkullSpace #SkullSpace on irc.freenode.net] (or visit [http://webchat.freenode.net/?channels=SkullSpace Freenode Webchat])
* [[Community_Events|Community events Calendar]]
* [[Members]]

===Social networking===
* [https://www.facebook.com/pages/SkullSpace/127670240630811 SkullSpace] (Facebook)
* [https://twitter.com/SkullSpaceWpg/ @SkullSpaceWpg] (Twitter)
* [http://vimeo.com/skullspace Videos] (Vimeo)
* [http://www.skullspace.ca/wiki/index.php/Flickr Photos] (Flickr)
* [https://github.com/skullspace Code] (GitHub)
* [http://www.meetup.com/Skullspace-Winnipegs-hackerspace/ Events Calendar] (Meetup)
* [http://www.strava.com/clubs/skullSpace Trip/Fitness Tracking] (Strava)
* [http://plug.dj/skullspace/ Web Radio] (Plug.DJ)
* [https://www.fundscrip.com/ Giftcard Fundraising] (Invitation code: SS5BMZ)
* [https://trello.com/b/YhudmLje/eventstrikeforce Event Planning and Organization] (Trello; Invite required)
* [http://steamcommunity.com/groups/skullspace Gaming] (Steam)

===Projects===
* [[Wishlist]]
* [[:category:Renovations|Renovations]] - (currently none are planned)
* [[Parts Database]]
* [[Game Collection]]
* [[:Category:Projects|More...]]

===Miscellaneous Resources===
* [[MemberAgreement|Member Agreement]]
* [[Member Benefits]]
* [[Cleaning]]
* [[Equipment]]
* [[:Category:Required Reading|Required Reading]]
* [[Networking]]
* [[Too cool for Skullspace]]
* [[IPXE boot option]]
* [[:Category:Archives|Archived Wiki Documents]]

===Pages for Members===
* [[Meeting notes]]
* [[Strikeforces]]
* [[Wiki_Tips_and_Tricks]]

== Recent Changes==

{{Special:RecentChanges}}

==Sandbox==
Want to play with wiki markup? Play in the [[sandbox]].

[[Category: Required Reading]]
[[Category: Wiki]]

Networking

2020-03-10T17:09:26Z

Markjenkinsparit: 208.81.6.238 ip allocation

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>
*<strike>192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on separate physical host from vmsrv.skullspace.ca
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2020-03-10T16:59:04Z

Markjenkinsparit: Re-purposing of IP assigned to Mark to second vm server

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>
*<strike>192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Will some TCP proxying on ports used by vmsrv host OS
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2019-05-31T23:12:12Z

Markjenkinsparit: /* Current 172.30/16 */

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>
*<strike>192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| tmpskspproxy.parit.ca
| Temporary, proxies some traffic for https://parit.ca
| Mark Jenkins <mark@markjenkins.ca>
| Ubuntu 16.04 vm hosted on [[vmsrv]]
| Will some TCP proxying on ports used by vmsrv host OS
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
|
|
|
|
|
|-
|-
| 208.81.6.249
|
|
|
|
|
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Vmsrv

2019-05-24T14:39:24Z

Markjenkinsparit: Revised equipment thanks

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 172.30.6.40
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** Unprivileged Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage. Our recommended choice if you need to run a supported GNU/Linux distribution and your use-case would work in a LXC container
** qemu-kvm managed by libvirt (full machine virtualization), for everything else

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as an unprivileged Linux Container (LXC).

The main vmsrv kernel directly runs your processes, all under your own user account (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. You have root in the container even though its not root on the host system. (achieved with process id mapping) There are performance upsides to using the host OS kernel directly and this reduces the RAM usage overall.

Ask Mark Jenkins <mark@parit.ca> to set your account up for this

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- as a GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, contact Mark Jenkins <mark@parit.ca>

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. To log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session

From outside the space:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (208.81.6.230 port 22 )

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[outbound commercial vpn]]
* [[whonix.skull.space]], conveniently access a Whonix gateway via ssh
* [[mail.skull.space]], an inbound mail relay to assist you in running a home email server. (please don't use for state department business)
** (currently used to inbound relay @markjenkins.ca)
* [[Mumd|MUMD]] -- Our old graphical shell account service, to be retired

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Equipment Donation Thanks==

* Stef for the first motherboard, case, power supply and hard drives (1 of these drives still in use)
* Kenny for our current (2nd) motherboard and paired power supply (which died, rest in peace)
* Whoever abandoned a rack mountable case at Skullspace (came from a closed business I think)
* Mark J and Thor for funding our first replacement hard drives
* The members of Skullspace for RAM upgrades on our first and second motherboards and current replacement power supply
* Alex for getting the project started and providing an uninterruptable power supply (UPS).

==SSH host keys==
Signed by Mark Jenkins(http://markjenkins.ca/gpg/)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5:59:ed:95:bc:b8:2c:5c:2e:12:be:2b:01:7d:ba:1a:f1 (RSA)
SHA256:srpC2U3qbLdTOwTv+VH6XjJ/QerY07BEG4mZsLbLntY (RSA)
MD5:af:e7:cc:2d:84:d9:c2:68:fd:f2:86:0e:c8:7a:a5:13 (ECDSA)
SHA256:voapDaz4aJlGMGgPa8kQNKbs2bmWEAoDcwugwL357Dc (ECDSA)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJc4/jhAAoJEKj4ZJOqTbH7hdQIAJ3akVuGxuFVNtHpoLuLA+bE
ZHnM+noI5+oqBAGYdaAj66hUrLPSvWb+LwVT82qZimOqlrekfXrUsxZc9lLQaI0s
4BLeY2q6tRngY679FfYg416fX/iwWoo56DOh63vEw+TAbZepX9b5m88r7w/jkb2R
oyzx82DwdWKWqghB1dPFUJKOXQRHoZPkqFug/rhXBLLezmPb7FyZnONaLAVm50B+
PLyY5AuN0l9E3NlA1tcZ0tEuJAG+GXJywzaphHjER988Zo1yzsGr1wMWXSGwqcJV
voyWiPF+Yn4UZDSLzcRGs+LrM5y1BPSRI/gPEfJ+COARX2SP5h04/3daNWaWwd8=
=r1fO
-----END PGP SIGNATURE-----

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-05-23T14:58:12Z

Markjenkinsparit: /* Services offered to members hosted on vmsrv */

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 172.30.6.40
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** Unprivileged Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage. Our recommended choice if you need to run a supported GNU/Linux distribution and your use-case would work in a LXC container
** qemu-kvm managed by libvirt (full machine virtualization), for everything else

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as an unprivileged Linux Container (LXC).

The main vmsrv kernel directly runs your processes, all under your own user account (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. You have root in the container even though its not root on the host system. (achieved with process id mapping) There are performance upsides to using the host OS kernel directly and this reduces the RAM usage overall.

Ask Mark Jenkins <mark@parit.ca> to set your account up for this

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- as a GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, contact Mark Jenkins <mark@parit.ca>

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. To log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session

From outside the space:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (208.81.6.230 port 22 )

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[outbound commercial vpn]]
* [[whonix.skull.space]], conveniently access a Whonix gateway via ssh
* [[mail.skull.space]], an inbound mail relay to assist you in running a home email server. (please don't use for state department business)
** (currently used to inbound relay @markjenkins.ca)
* [[Mumd|MUMD]] -- Our old graphical shell account service, to be retired

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

==SSH host keys==
Signed by Mark Jenkins(http://markjenkins.ca/gpg/)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5:59:ed:95:bc:b8:2c:5c:2e:12:be:2b:01:7d:ba:1a:f1 (RSA)
SHA256:srpC2U3qbLdTOwTv+VH6XjJ/QerY07BEG4mZsLbLntY (RSA)
MD5:af:e7:cc:2d:84:d9:c2:68:fd:f2:86:0e:c8:7a:a5:13 (ECDSA)
SHA256:voapDaz4aJlGMGgPa8kQNKbs2bmWEAoDcwugwL357Dc (ECDSA)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJc4/jhAAoJEKj4ZJOqTbH7hdQIAJ3akVuGxuFVNtHpoLuLA+bE
ZHnM+noI5+oqBAGYdaAj66hUrLPSvWb+LwVT82qZimOqlrekfXrUsxZc9lLQaI0s
4BLeY2q6tRngY679FfYg416fX/iwWoo56DOh63vEw+TAbZepX9b5m88r7w/jkb2R
oyzx82DwdWKWqghB1dPFUJKOXQRHoZPkqFug/rhXBLLezmPb7FyZnONaLAVm50B+
PLyY5AuN0l9E3NlA1tcZ0tEuJAG+GXJywzaphHjER988Zo1yzsGr1wMWXSGwqcJV
voyWiPF+Yn4UZDSLzcRGs+LrM5y1BPSRI/gPEfJ+COARX2SP5h04/3daNWaWwd8=
=r1fO
-----END PGP SIGNATURE-----

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-05-23T14:57:48Z

Markjenkinsparit: cleanup lots of out of date stuff

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 172.30.6.40
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** Unprivileged Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage. Our recommended choice if you need to run a supported GNU/Linux distribution and your use-case would work in a LXC container
** qemu-kvm managed by libvirt (full machine virtualization), for everything else

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as an unprivileged Linux Container (LXC).

The main vmsrv kernel directly runs your processes, all under your own user account (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. You have root in the container even though its not root on the host system. (achieved with process id mapping) There are performance upsides to using the host OS kernel directly and this reduces the RAM usage overall.

Ask Mark Jenkins <mark@parit.ca> to set your account up for this

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- as a GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, contact Mark Jenkins <mark@parit.ca>

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. To log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session

From outside the space:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (208.81.6.230 port 22 )

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[whonix.skull.space]], conveniently access a Whonix gateway via ssh
* [[mail.skull.space]], an inbound mail relay to assist you in running a home email server. (please don't use for state department business)
** (currently used to inbound relay @markjenkins.ca)
* [[Mumd|MUMD]] -- Our old graphical shell account service, to be retired

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

==SSH host keys==
Signed by Mark Jenkins(http://markjenkins.ca/gpg/)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5:59:ed:95:bc:b8:2c:5c:2e:12:be:2b:01:7d:ba:1a:f1 (RSA)
SHA256:srpC2U3qbLdTOwTv+VH6XjJ/QerY07BEG4mZsLbLntY (RSA)
MD5:af:e7:cc:2d:84:d9:c2:68:fd:f2:86:0e:c8:7a:a5:13 (ECDSA)
SHA256:voapDaz4aJlGMGgPa8kQNKbs2bmWEAoDcwugwL357Dc (ECDSA)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJc4/jhAAoJEKj4ZJOqTbH7hdQIAJ3akVuGxuFVNtHpoLuLA+bE
ZHnM+noI5+oqBAGYdaAj66hUrLPSvWb+LwVT82qZimOqlrekfXrUsxZc9lLQaI0s
4BLeY2q6tRngY679FfYg416fX/iwWoo56DOh63vEw+TAbZepX9b5m88r7w/jkb2R
oyzx82DwdWKWqghB1dPFUJKOXQRHoZPkqFug/rhXBLLezmPb7FyZnONaLAVm50B+
PLyY5AuN0l9E3NlA1tcZ0tEuJAG+GXJywzaphHjER988Zo1yzsGr1wMWXSGwqcJV
voyWiPF+Yn4UZDSLzcRGs+LrM5y1BPSRI/gPEfJ+COARX2SP5h04/3daNWaWwd8=
=r1fO
-----END PGP SIGNATURE-----

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Networking

2019-05-23T14:55:42Z

Markjenkinsparit:

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>
*<strike>192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 available
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| tmpskspproxy.parit.ca
| Temporary, proxies some traffic for https://parit.ca
| Mark Jenkins <mark@markjenkins.ca>
| Ubuntu 16.04 vm hosted on [[vmsrv]]
| Will some TCP proxying on ports used by vmsrv host OS
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
|
|
|
|
|
|-
|-
| 208.81.6.249
|
|
|
|
|
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Outbound commercial vpn

2019-05-23T14:54:24Z

Markjenkinsparit: connect instructions

An outbound VPN using a commercial service is provided to the space by Mark Jenkins <mark@parit.ca> . Ask for access.

Both styles of TCP port tunneling through ssh are supported:
* SOCKS proxy (-D in openssh), which many applications can be configured to use
* local port forwarding (-L in openssh)

This service is hosted on [[vmsrv]] . Because an ip address is shared with vmsrv.skullspace.ca, you have to connect your ssh client to port 6001, not port 22. A openssh command line example:
$ ssh -D SOCKSPORT -L LOCALPORT:SOMEREMOTESERVER:SOMEREMOTEPORT -p 6001 username@vpnout.skull.space
The distinct vpnout.skull.space domain name can help you avoid typing the port each time you login, just put

Host vpnout.skull.space
HostName vpnout.skull.space
Port 6001

in your ~/.ssh/config file (openssh) or equivilent profile feature in other ssh clients.

==ssh host key hashes==
signed by mark@markjenkins.ca

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5:03:12:87:3f:4a:7d:e0:28:1e:c0:fd:89:10:90:f9:e1 (RSA)
SHA256:VWrigNiYjqCMbbGxREHNvZfUYaj8W8xCiD2wmLlHBC8 (RSA)
MD5:6f:37:2b:c9:bd:7c:bb:ff:f3:eb:73:a5:3d:76:50:1d (ECDSA)
SHA256:2s7PWA9IBj4DAV0eEbeibTFyk5860Yg+XLX5EodXK+8 (ECDSA)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJc5q6VAAoJEKj4ZJOqTbH7Mn4IAINHEXigTjKPL3d77h161IsA
U9Iflef13zZ4klalbe65hzxo1ncjI8AT/r28nKbLATaQxpszn8vUQZfhKL3StANC
ylptUPFzIPlVMFYP8mQ1fhwwylZgGPJ7G7mb3AxQ7iJL5cTmPqEP0ZFzTOESZvhf
73XlKUehhkakppcV+Mjt388em7XQSzpw7pq7PfUgCRdkNCGtb3qv1fHErhgN0KvM
N18D5/SFZdScuuddyVpLXelBvksMtd0VBRqNbz8b8K6wfkrrJf0Qf8TdPGCNExq9
Ozh6AOwnutC5oI+IEJpUWlrFkqyakAj8GHWU5Kh29SYUg3qJBu5ixVJI/qoHmMs=
=Dpw/
-----END PGP SIGNATURE-----

Outbound commercial vpn

2019-05-23T14:31:55Z

Markjenkinsparit: established article

An outbound commercial VPN service is provided to the space by Mark Jenkins <mark@parit.ca> . Ask for access.

==ssh host key hashes==
signed by mark@markjenkins.ca

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5:03:12:87:3f:4a:7d:e0:28:1e:c0:fd:89:10:90:f9:e1 (RSA)
SHA256:VWrigNiYjqCMbbGxREHNvZfUYaj8W8xCiD2wmLlHBC8 (RSA)
MD5:6f:37:2b:c9:bd:7c:bb:ff:f3:eb:73:a5:3d:76:50:1d (ECDSA)
SHA256:2s7PWA9IBj4DAV0eEbeibTFyk5860Yg+XLX5EodXK+8 (ECDSA)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJc5q6VAAoJEKj4ZJOqTbH7Mn4IAINHEXigTjKPL3d77h161IsA
U9Iflef13zZ4klalbe65hzxo1ncjI8AT/r28nKbLATaQxpszn8vUQZfhKL3StANC
ylptUPFzIPlVMFYP8mQ1fhwwylZgGPJ7G7mb3AxQ7iJL5cTmPqEP0ZFzTOESZvhf
73XlKUehhkakppcV+Mjt388em7XQSzpw7pq7PfUgCRdkNCGtb3qv1fHErhgN0KvM
N18D5/SFZdScuuddyVpLXelBvksMtd0VBRqNbz8b8K6wfkrrJf0Qf8TdPGCNExq9
Ozh6AOwnutC5oI+IEJpUWlrFkqyakAj8GHWU5Kh29SYUg3qJBu5ixVJI/qoHmMs=
=Dpw/
-----END PGP SIGNATURE-----

Networking

2019-05-23T14:14:57Z

Markjenkinsparit: /* 172.30.8.5 outbound vpn commercial */

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>
*<strike>192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 available
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]] (more documentation to come, ask Mark Jenkins <mark@parit.ca>)

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| tmpskspproxy.parit.ca
| Temporary, proxies some traffic for https://parit.ca
| Mark Jenkins <mark@markjenkins.ca>
| Ubuntu 16.04 vm hosted on [[vmsrv]]
| Will some TCP proxying on ports used by vmsrv host OS
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
|
|
|
|
|
|-
|-
| 208.81.6.249
|
|
|
|
|
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Vmsrv

2019-05-21T13:12:29Z

Markjenkinsparit: vmsrv host keys

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 172.30.6.40
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** Unprivileged Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage. Our recommended choice if you need to run a supported GNU/Linux distribution and your use-case would work in a LXC container
** qemu-kvm managed by libvirt (full machine virtualization), for everything else

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as an unprivileged Linux Container (LXC).

The main vmsrv kernel directly runs your processes, all under your own user account (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. You have root in the container even though its not root on the host system. (achieved with process id mapping) There are performance upsides to using the host OS kernel directly and this reduces the RAM usage overall.

Ask Mark Jenkins <mark@parit.ca> to set your account up for this

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[whonix.skull.space]], conveniently access a Whonix gateway via ssh
* [[mail.skull.space]], an inbound mail relay to assist you in running a home email server. (please don't use for state department business)
** (currently used to inbound relay @markjenkins.ca)
* [[Mumd|MUMD]] -- Our old graphical shell account service, to be retired

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

==SSH host keys==
Signed by Mark Jenkins(http://markjenkins.ca/gpg/)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5:59:ed:95:bc:b8:2c:5c:2e:12:be:2b:01:7d:ba:1a:f1 (RSA)
SHA256:srpC2U3qbLdTOwTv+VH6XjJ/QerY07BEG4mZsLbLntY (RSA)
MD5:af:e7:cc:2d:84:d9:c2:68:fd:f2:86:0e:c8:7a:a5:13 (ECDSA)
SHA256:voapDaz4aJlGMGgPa8kQNKbs2bmWEAoDcwugwL357Dc (ECDSA)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJc4/jhAAoJEKj4ZJOqTbH7hdQIAJ3akVuGxuFVNtHpoLuLA+bE
ZHnM+noI5+oqBAGYdaAj66hUrLPSvWb+LwVT82qZimOqlrekfXrUsxZc9lLQaI0s
4BLeY2q6tRngY679FfYg416fX/iwWoo56DOh63vEw+TAbZepX9b5m88r7w/jkb2R
oyzx82DwdWKWqghB1dPFUJKOXQRHoZPkqFug/rhXBLLezmPb7FyZnONaLAVm50B+
PLyY5AuN0l9E3NlA1tcZ0tEuJAG+GXJywzaphHjER988Zo1yzsGr1wMWXSGwqcJV
voyWiPF+Yn4UZDSLzcRGs+LrM5y1BPSRI/gPEfJ+COARX2SP5h04/3daNWaWwd8=
=r1fO
-----END PGP SIGNATURE-----

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Whonix.skull.space

2019-05-21T04:29:15Z

Markjenkinsparit: signed host keys by Mark Jenkins

whonix.skull.space provides a means to access a Skullspace hosted Whonix gateway over ssh.

To obtain an account, contact Mark Jenkins <mark@parit.ca> .

Both styles of TCP port tunneling through ssh are supported:
* SOCKS proxy (-D in openssh), which many applications can be configured to use
* local port forwarding (-L in openssh)

This service is hosted on [[vmsrv]] . Because an ip address is shared with vmsrv.skullspace.ca, you have to connect your ssh client to port 1887, not port 22. A openssh command line example:
$ ssh -D SOCKSPORT -L LOCALPORT:SOMEREMOTESERVER:SOMEREMOTEPORT -p 1887 username@whonix.skull.space
The distinct whonix.skull.space domain name can help you avoid typing the port each time you login, just put

Host whonix.skull.space
HostName whonix.skull.space
Port 1887

in your ~/.ssh/config file (openssh) or equivilent profile feature in other ssh clients.

==Implementation details==

The whonix.skull.space setup consists of two parts:
* a KVM virtual machine using only 256 megabytes of RAM running the whonix cli gateway stack on Debian 9 (10.0.2.15 / 10.152.152.10)
* an unprivileged linux container running Debian 9 and openssh-server locked down to only allow port forwarding. (172.30.8.4 / 10.152.152.51). Uses the whonix gateway (above) as a default route and dns server. Port 1887 is forwarded with a source NAT and destination NAT rule from the vm server host OS so as to come from 172.30.8.1. This node is sort of a subtitute for the Whonix workstation.

==Privacy/Security caution==

Security and convenience are trade-offs, this setup provides the convenience of only requiring ssh and your client applications to use a forwarded port or SOCKS proxy. Using Whonix in the way it was designed, or alternatively the Tor Browser Bundle or Tails is going to be more solid.

Another alternative that still allows you to use whatever choice of operating system and applications on your usual workstation is to run a Whonix gateway yourself on another computer of your own. An old PC with two network cards could be suitable for this. If there's interest, Mark could show people how to build Whonix boxes someday.

Some possible issue to consider when using the Skullspace hosted Whonix gateway:
(This section TODO)

==ssh host key hashes==
These are signed by Mark Jenkins <mark@markjenkins.ca> (http://markjenkins.ca/gpg/)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA256:8RJrSbdshRleYx8hzOuTP+VCfFG1x6aowUqwaw4Fo4A (RSA)
MD5:f6:a1:f9:95:bf:f8:e1:13:21:72:d1:cb:52:dd:b1:55 (RSA)
SHA256:ZPiteHCt00McOADVQl/C1lUBA7dGqh2oalKSZVJKTOc (ECDSA)
MD5:e1:10:b1:80:35:86:fe:82:2d:bf:c3:8a:0d:f4:8b:bc (ECDSA)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJc433FAAoJEKj4ZJOqTbH7JR4H/3HANDBHyBe5e7E6iKxBp+gi
6klCVdkmLDWr3vgWi1WGZ0eMnaQ8T5BE5cx3bntUlKWG5dGLj2iAyRSKYI+JXpnv
aXc6GlWsWZ89Cpmak5Ac9LbFSDYpo/5PcTpoUiX8DnXXyEGAQJuhGsaFixjdzKYl
vdH1YxtcIpbULMgW2I+trGaIXvbqMPrfP3n3nbUfMmydu+UfJzJ3fedTcPFnmV1y
23xqWWL06NmCH5h2ZDwyRPbXPj+QDGA98hNclFaifNtMB9KETMoQ2G7XZVyawsbU
ifMDdH+vPUINkTI3G2Ng1lUbTYJfVrdGwn8fxTn/buv/l2HEZl5ZNizQw8v3/Cs=
=FCYW
-----END PGP SIGNATURE-----

Networking

2019-05-21T03:38:07Z

Markjenkinsparit: whonix LAN side

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>
*<strike>192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 available
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind Whonix gateway (isolated network virbr2 on [[vmsrv]]
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]], acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| tmpskspproxy.parit.ca
| Temporary, proxies some traffic for https://parit.ca
| Mark Jenkins <mark@markjenkins.ca>
| Ubuntu 16.04 vm hosted on [[vmsrv]]
| Will some TCP proxying on ports used by vmsrv host OS
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
|
|
|
|
|
|-
|-
| 208.81.6.249
|
|
|
|
|
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2019-05-21T03:32:18Z

Markjenkinsparit: whonix gateway WAN side

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>
*<strike>192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 available
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| tmpskspproxy.parit.ca
| Temporary, proxies some traffic for https://parit.ca
| Mark Jenkins <mark@markjenkins.ca>
| Ubuntu 16.04 vm hosted on [[vmsrv]]
| Will some TCP proxying on ports used by vmsrv host OS
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
|
|
|
|
|
|-
|-
| 208.81.6.249
|
|
|
|
|
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2019-05-21T03:22:03Z

Markjenkinsparit: note whonix ssh portal port forward rule

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>
*<strike>192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 available
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| tmpskspproxy.parit.ca
| Temporary, proxies some traffic for https://parit.ca
| Mark Jenkins <mark@markjenkins.ca>
| Ubuntu 16.04 vm hosted on [[vmsrv]]
| Will some TCP proxying on ports used by vmsrv host OS
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
|
|
|
|
|
|-
|-
| 208.81.6.249
|
|
|
|
|
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2019-05-21T03:20:37Z

Markjenkinsparit: whonix.skull.space reservation on vm server static ip LAN

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>
*<strike>192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 available
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| tmpskspproxy.parit.ca
| Temporary, proxies some traffic for https://parit.ca
| Mark Jenkins <mark@markjenkins.ca>
| Ubuntu 16.04 vm hosted on [[vmsrv]]
| Will some TCP proxying on ports used by vmsrv host OS
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
|
|
|
|
|
|-
|-
| 208.81.6.249
|
|
|
|
|
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Networking

2019-05-21T03:17:34Z

Markjenkinsparit: free up ip adddress and mumd planned retirement noted

*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment, remember to attach or tie down anything that could get unplugged/fall/etc. We twice lost internet - first time the router fell and power switch got pressed, second time the power plug was pulled out of main internet switch.
*this page is finally being updated for Sksp2, old page is at [[Networking/Old]]

== High-level description ==
<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. Main internal switch is a 3Com4924 in the server rack, feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
+-------------------+
| |
| The Tubes |
| On The Roof |
| |
+-- ------+---------+
|
|
+-- ------+-----------+
| LES.net |
| |
| 208.81.6.224/27 |
+----+----------------+
|
|
| +---------------------+
+-------------+---------+ | Skullspace+Router |
ge1+19 | Skullspace+External | ether1| RB450G |
+----------+ Cisco 2960g +-------+ |
| | 172.30.6.2 (ge24)| | 208.81.6.228 |
| +----------------------++ | 172.30.6.1 |
| | +---------------------+
+---------+-----------+ | |ether2
| | | |
| Rest of External | | |
| PUBLIC/LAN | | +---------+-------------+ +------------------+
| | +--------+ Skullspace+Internal | | |
| 208.81.6.224/27 | | Cisco 2960g +------+ Rest of Internal |
| | | 172.30.6.3 | | INTERNAL/LAN |
+---------------------+ +---+-------+-------+---+ | 172.30.6.0/24 |
| | | | |
+--------+ | +--------+ +------------------+
| | |
+------+------+ +------+------+ +------+------+
| WAP+A | | WAP+B | | WAP+C |
| 172.30.6.10 | | 172.30.6.11 | | 172.30.6.12 |
| | | | | |
+-------------+ +-------------+ +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/

== Internet feeds ==
B: Internet from LES.net (wifi-based Ubiquity, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg) 
<s>B: Internet from VOI (wifi-based Ubiquity NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s> 

== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometime have packet loss. </strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef. </strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef. </strike>
*<strike>A 3Com 4924 (:A0) as the main switch, by default everything connects here. </strike>
*<strike>A 3Com 4924 (:??) a spare switch. </strike>
*<strike>2 D-Link DWL-810+ bridges. </strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP. </strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
*<strike>A Belkin F5D8236 wireless-N router as spare </strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares. </strike>
*<strike>Belkin F5D5141-5 switch. </strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box) VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU) unused. Panel antenna loaned from Seccuris. </strike>

== Wiring ==
Runs
A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed wifi AP.
C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password
<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network half VPNs
*172.30.6.x = Main network DHCP .100-.240 router .1 network gear .10-.29 printers .30-.39 VMs, servers .40-.99 VPNs .241-254
*172.30.7.x = CTF Network DHCP ??? router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1 Micro-tik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>
*<strike>192.168.1.40 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.</strike>

=== Current 172.30/16 ===
*172.30.6.1 Micro-tik Router
*172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 [[sksp-virt3|sksp-virt3-mgr]]
*172.30.6.32 [[sksp-virt3|sksp-virt3-1]]
*172.30.6.33 UniFI AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 available
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240 Main router DHCP space
*172.30.6.241-254 VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1 Micro-tik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) LAN
**172.30.8.1 [[vmsrv]]
**172.30.8.2 Mark private ubuntu vpn
**172.30.8.3 Mark private project ubuntu (Container on [[vmsrv]])

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private Point to Point link LAN

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1: 2605:e200:53:2::

</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him a many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up it's own IP address anyway.
|-
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use, migration of skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
|-
| 208.81.6.238
| tmpskspproxy.parit.ca
| Temporary, proxies some traffic for https://parit.ca
| Mark Jenkins <mark@markjenkins.ca>
| Ubuntu 16.04 vm hosted on [[vmsrv]]
| Will some TCP proxying on ports used by vmsrv host OS
|-
|-
| 208.81.6.239
|
|
|
|
|
|-
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
|-
| 208.81.6.241
|
|
|
|
|
|-
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
|-
| 208.81.6.243
|
|
|
|
|
|-
|-
| 208.81.6.244
|
|
|
|
|
|-
|-
| 208.81.6.245
|
|
|
|
|
|-
|-
| 208.81.6.246
|
|
|
|
|
|-
|-
| 208.81.6.247
| irc.skull.space (not set up yet)
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
|-
| 208.81.6.248
|
|
|
|
|
|-
|-
| 208.81.6.249
|
|
|
|
|
|-
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|
|
|
|
|-
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
|-
| 208.81.6.254
|
|
|
|
|
|-
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|-
|}

=== VOI IP Delegation ===
<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240), 206.220.193.64/29 (mask 255.255.255.248) as well as 2604:4280:1:c0de::/64, you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
|
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.68
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.193.69
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.49
|
{|
|-
| Fwd: h49-skullspace.winnipeg.voinetworks.net.
|-
| Rev: h49-skullspace.winnipeg.voinetworks.net.
|-
|}
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Sksp Main Router
| it@skullspace.ca
|
|
|-
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]
|[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
{|
|-
| Fwd: ns1.skullspace.ca (Pending)
|-
| Rev: ns1.skullspace.ca (Pending)
|-
| 2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)
|-
| 2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
|}
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.nepharia.org
|-
|}
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
|
{|
|-
| Fwd: <several>
|-
| Rev: mail.skullspace.ca
|-
|}
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
|
{|
|-
| Fwd: ctf.skullspace.ca
|-
| Rev: ctf.skullspace.ca
|-
|}
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.|
|-
| 206.220.196.55
||
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.58
| 2604:4280:1:c0de::314
{|
|-
| Fwd: intarweb.ca
|-
| Rev:
|-
|}
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
|
|
|
|
|-
| 206.220.196.60
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
|
{|
|-
| Fwd:
|-
| Rev:
|-
|}
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
|
{|
|-
| Fwd: dangerzone.skullspace.ca
|-
| Rev: dangerzone.skullspace.ca
|-
|}
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|-
|}
</strike>

== Access ==
All members currently have full access to all devices. Later it may be a good idea to have different full-access passwords for all devices restricted to NetOps and by request, and the read-only password being publically known among our members.

[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]

Whonix.skull.space

2019-05-21T03:14:29Z

Markjenkinsparit: start of article, lots of text

Vmsrv

2019-05-21T03:05:27Z

Markjenkinsparit: whonix.skull.space is now offered

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 172.30.6.40
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** Unprivileged Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage. Our recommended choice if you need to run a supported GNU/Linux distribution and your use-case would work in a LXC container
** qemu-kvm managed by libvirt (full machine virtualization), for everything else

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as an unprivileged Linux Container (LXC).

The main vmsrv kernel directly runs your processes, all under your own user account (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. You have root in the container even though its not root on the host system. (achieved with process id mapping) There are performance upsides to using the host OS kernel directly and this reduces the RAM usage overall.

Ask Mark Jenkins <mark@parit.ca> to set your account up for this

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[whonix.skull.space]], conveniently access a Whonix gateway via ssh
* [[mail.skull.space]], an inbound mail relay to assist you in running a home email server. (please don't use for state department business)
** (currently used to inbound relay @markjenkins.ca)
* [[Mumd|MUMD]] -- Our old graphical shell account service, to be retired

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-05-21T03:03:29Z

Markjenkinsparit: clarify existing vmsrv services

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 172.30.6.40
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** Unprivileged Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage. Our recommended choice if you need to run a supported GNU/Linux distribution and your use-case would work in a LXC container
** qemu-kvm managed by libvirt (full machine virtualization), for everything else

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as an unprivileged Linux Container (LXC).

The main vmsrv kernel directly runs your processes, all under your own user account (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. You have root in the container even though its not root on the host system. (achieved with process id mapping) There are performance upsides to using the host OS kernel directly and this reduces the RAM usage overall.

Ask Mark Jenkins <mark@parit.ca> to set your account up for this

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[mail.skull.space]], an inbound mail relay to assist you in running a home email server. (please don't use for state department business)
** (currently used to inbound relay @markjenkins.ca)
* [[Mumd|MUMD]] -- Our old graphical shell account service, to be retired

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-05-21T03:00:16Z

Markjenkinsparit: /* Linux Containers (LXC) ask mark */

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 172.30.6.40
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** Unprivileged Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage. Our recommended choice if you need to run a supported GNU/Linux distribution and your use-case would work in a LXC container
** qemu-kvm managed by libvirt (full machine virtualization), for everything else

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as an unprivileged Linux Container (LXC).

The main vmsrv kernel directly runs your processes, all under your own user account (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. You have root in the container even though its not root on the host system. (achieved with process id mapping) There are performance upsides to using the host OS kernel directly and this reduces the RAM usage overall.

Ask Mark Jenkins <mark@parit.ca> to set your account up for this

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Mumd|MUMD]] -- Our old shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[skullmail]], mail relay to assist you in running a home email server, messages are not stored here

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-05-21T02:59:36Z

Markjenkinsparit: More rollout for unprivileged Linux Containers (LXC)

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 172.30.6.40
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** Unprivileged Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage. Our recommended choice if you need to run a supported GNU/Linux distribution and your use-case would work in a LXC container
** qemu-kvm managed by libvirt (full machine virtualization), for everything else

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as an unprivileged Linux Container (LXC).

The main vmsrv kernel directly runs your processes, all under your own user account (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. You have root in the container even though its not root on the host system. (achieved with process id mapping) There are performance upsides to using the host OS kernel directly and this reduces the RAM usage overall.

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Mumd|MUMD]] -- Our old shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[skullmail]], mail relay to assist you in running a home email server, messages are not stored here

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-05-21T02:56:50Z

Markjenkinsparit: skullspace 2.0 lan address long ago replaced skullspace 1.0 address

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 172.30.6.40
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** Unprivileged Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage. Our recommended choice if you need to run a supported GNU/Linux distribution and your use-case would work in a LXC container
** qemu-kvm managed by libvirt (full machine virtualization), for everything else

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as a Linux Container (LXC).

The main vmsrv kernel (version 2.6.32) directly runs your processes (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. There are performance upsides to using the host OS kernel directly.

There are also downsides, see the [[Vmsrv_lxc_containers]] page for more info. You probably want to use our primary virtualization offering, qemu-kvm (see next section)

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Mumd|MUMD]] -- Our old shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[skullmail]], mail relay to assist you in running a home email server, messages are not stored here

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-05-21T02:54:56Z

Markjenkinsparit: unprivileged lxc containers now available, preferred

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 192.168.1.26
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** Unprivileged Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage. Our recommended choice if you need to run a supported GNU/Linux distribution and your use-case would work in a LXC container
** qemu-kvm managed by libvirt (full machine virtualization), for everything else

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as a Linux Container (LXC).

The main vmsrv kernel (version 2.6.32) directly runs your processes (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. There are performance upsides to using the host OS kernel directly.

There are also downsides, see the [[Vmsrv_lxc_containers]] page for more info. You probably want to use our primary virtualization offering, qemu-kvm (see next section)

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Mumd|MUMD]] -- Our old shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[skullmail]], mail relay to assist you in running a home email server, messages are not stored here

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-05-21T02:51:55Z

Markjenkinsparit: lxc container save ram

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 192.168.1.26
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** qemu-kvm managed by libvirt (full machine virtualization), our recommend choice for most users
** Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation and reducing the RAM usage

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as a Linux Container (LXC).

The main vmsrv kernel (version 2.6.32) directly runs your processes (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. There are performance upsides to using the host OS kernel directly.

There are also downsides, see the [[Vmsrv_lxc_containers]] page for more info. You probably want to use our primary virtualization offering, qemu-kvm (see next section)

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Mumd|MUMD]] -- Our old shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[skullmail]], mail relay to assist you in running a home email server, messages are not stored here

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-05-21T02:51:10Z

Markjenkinsparit: debian 9, not 8

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 9 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 192.168.1.26
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** qemu-kvm managed by libvirt (full machine virtualization), our recommend choice for most users
** Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as a Linux Container (LXC).

The main vmsrv kernel (version 2.6.32) directly runs your processes (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. There are performance upsides to using the host OS kernel directly.

There are also downsides, see the [[Vmsrv_lxc_containers]] page for more info. You probably want to use our primary virtualization offering, qemu-kvm (see next section)

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Mumd|MUMD]] -- Our old shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[skullmail]], mail relay to assist you in running a home email server, messages are not stored here

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-05-21T02:50:30Z

Markjenkinsparit: note now running Debian 9

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 8 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 192.168.1.26
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** qemu-kvm managed by libvirt (full machine virtualization), our recommend choice for most users
** Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as a Linux Container (LXC).

The main vmsrv kernel (version 2.6.32) directly runs your processes (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. There are performance upsides to using the host OS kernel directly.

There are also downsides, see the [[Vmsrv_lxc_containers]] page for more info. You probably want to use our primary virtualization offering, qemu-kvm (see next section)

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Mumd|MUMD]] -- Our old shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[skullmail]], mail relay to assist you in running a home email server, messages are not stored here

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>

Vmsrv

2019-04-14T23:50:22Z

Markjenkinsparit: update mobo link

==Philosophy==
The Skullspace virtual machine service (vmsrv) is offered to members as a means to share the benefits of best-available hardware.
<blockquote>
"Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total."
</blockquote>
We focus our virtual machine service on two styles of computing
* Interactive computing -- temporary bursts of high resource use (IO/CPU/memory) by a single user for the purpose of "figuring stuff out", "getting stuff done", "hacking", etc. with the ethic of ensuring resources are freed when not in use. "Always yield to the Hands-On Imperative!"
* General service computing -- always up and running services with reasonable IO, CPU, and memory use that doesn't impair the above. See our section in intense resource usage.

==System==
* [http://www.amd.com/us/products/desktop/processors/phenom-ii/Pages/phenom-ii-model-number-comparison.aspx AMD Phenom II X6 1055T], which has 6 core, 512k L2 cache per core, a shared 6M L3 cache, and AMD's virtualization extensions
* [https://www.asus.com/ca-en/Motherboards/M5A88V_EVO/specifications/ Asus M5A88-V EVO] motherboard
* 4x4G (16G total) of DDR3 RAM in unganged mode, 1333.33 MT/s configuration,
* 2X1TB SATA hard drives in RAID 1 configuration, [[wikipedia:Logical_Volume_Manager_%28Linux%29LVM|LVM]] block layer
* Debian GNU/Linux 6.0 amd64 host operating system
* 1GBit internal NIC on SkullSpace lan (on host Linux bridge skspprivbr), 192.168.1.26
* 100Mbit PCI NIC on VOI public IP switch (on host Linux bridge skspvoipubbr), 206.220.196.57
* power backed by UPS
* Two types of virtualization:
** qemu-kvm managed by libvirt (full machine virtualization), our recommend choice for most users
** Linux Containers (LXC) ([[wikipedia:Operating_system-level_virtualization|OS-level virtualization]]), offered some performance advantages for users running linux guests over full-machine virtualation

==Ask for Help! Free migrations available==
Don't be afraid to ask for help, email Mark Jenkins <mark@parit.ca> and catch me in person on Tuesdays, hackathons (third Saturdays), special events, and by appointment.

Some free (but not unlimited) migration consulting and assistance is also available.

==Linux Containers (LXC)==
If you want to run a Linux-based x86_64 or x86 based guest, you should consider the benefits of running it as a Linux Container (LXC).

The main vmsrv kernel (version 2.6.32) directly runs your processes (starting with /sbin/init!) in an independent process space and gives you your own network stack (interfaces, routing tables, iptables) to work with. There are performance upsides to using the host OS kernel directly.

There are also downsides, see the [[Vmsrv_lxc_containers]] page for more info. You probably want to use our primary virtualization offering, qemu-kvm (see next section)

==qemu-kvm with libvirt==
Users with accounts on the vmsrv machine are able to run qemu-[http://www.linux-kvm.org/page/Main_Page kvm] based virtual machines that are managed by [http://libvirt.org/ libvirt]. We use [http://virt-manager.org/ virt-manager] as a libvirt front-end.

Because a fully featured x86/x86_64 machine is emulated and virtualized, a large variety of [http://www.linux-kvm.org/page/Guest_Support_Status#UNIX_Family:_BSD guest OSs] are supported.

virt-manager exposes a large number of features of libvirt and qemu-kvm -- asa GUI app this makes it largely self-documenting. Experiment!

We welcome improvements to this documentation as well.

===Accounts===
To get an account, visit the account claiming page, [http://claimid.vmsrv.skullspace.ca http://claimid.vmsrv.skullspace.ca] from the Skullspace LAN (not available from the outside). At that page, there are two options:
* Claiming a regular vmsrv account, which will work right away.
* Claim an account on [[mumd]], which thanks to LDAP can also be used to log into vmsrv. But, such an account has to be manually added to the libvirt group, so you'll have to contact Mark Jenkins <mark@parit.ca>.

Accounts are for Skullspace members only.

===How to login and start virt-manager===
The host vm machine is 172.30.6.40 on the skullspace LAN. Two ways to log in the from the Skullspace network:
* A [[wikipedia:Secure_Shell| SSH]] client (port 22), for graphics use -X or port forward a vnc session
* [[wikipedia:RDP | RDP]] client (port 3389)

From outside the space, there are two options:
* [[wikipedia:Secure_Shell|SSH]] to vmsrv.skullspace.ca (206.220.196.57 port 22 )
* [[wikipedia:RDP | RDP]] client to vmsrv.skullspace.ca (206.220.196.57 port 3389)

The default desktop environment is [[wikipedia:LXDE | LXDE]] which is fairly lightweight, but still least has a menu in the corner and a task bar. virt-manager can be found in the applications menu (bottom left corner) in the System Tools menu, the menu entry says "Virtual Machine Manager".

There's a button on the top, left hand side of virt-manager for creating a new virtual machine.

===Memory settings===
Your choice of memory setting is very important. Feel free to be more on the greedy side (3 gigabyte) if you're just starting your vm, doing your thing, and shutting it down when you're done (interactive use).

If you're planning on running all the time, than you should use 1G at most except by special request to the vm server administrator Mark Jenkins <mark@parit.ca> .

Keep us in the loop as to how often you're using the VM service and what kind of RAM requirements you're hitting -- this will help us justify eventual for an even higher capacity machine.

===Network settings===
Join the skspprivbr bridge for the skullspace network and the skspvoipubbr bridge if you have a VOI public ip addresses allocated to you [[Networking |on the networking page]].

===Remote Access===
We recommend installing guest operating systems with remote access features that are either built in or installable and enabling these features shortly after completing your install.

This will allow you to go for direct logins to your virtual machine.

If your guest operating system lacks a proper remote access facility or if your going to end up spending a lot of time doing console access for other reasons, you should look into the feature where a graphic card can be emulated as a vnc server you can directly connect to and also consider the remote access features built-in to the qemu-kvm serial port emulation which can be used as a console on some OSs as well.

===virtio===
To improve performance, qemu-kvm emulates traditional PC hardware and supports the [http://wiki.libvirt.org/page/Virtio virtio] standard. If you're running a Linux or Windows based guest, we recommend installing the virtio network and disk drivers and uses these options for network and disk in the virt-manager hardware manager so that we can all have better performance.

===Always running VMs===
VMs created in virt-manager by default will come up on system start-up. There's a checkbox you can check to ensure your VM does come up if required. Please keep the vmsrv administrator (Mark Jenkins <mark@parit.ca>) in the loop as to which VMs you intend to keep up all the time.

===Courtesy===
If you virtual machine is for experimental/casaual/interactive use and does not need to be on 24/7, please take care to turn it off when you're done. If you notice that allocated RAM is running short, let the server administrator know -- its rude to just shut off someone elses virtual machine -- you can't tell just from looking if its being used or not, especially given the use of remote access.

==Services offered to members hosted on vmsrv==
The following services being offered to members are hosted on vmsrv:
* [[shell.skull.space]] -- Newer shell account service
* [[Mumd|MUMD]] -- Our old shell account service
* [[Skullhost]], a shared web hosting service. (not everyone needs to run their own dedicated web server!)
* [[skullmail]], mail relay to assist you in running a home email server, messages are not stored here

==Intense resource usage==
As described by in our philosphy section, our priority for the vm server is support members' hacking and not ongoing, high volume "serrious business". The activities of hackers are generally high intensity bursts that are monitored and terminated upon completion, or ongoing low resource services that have minimal impact.

Please respect our sugested memory limits for qemu-kvm/libvirt dedicated VMs. For temporary higher memory use that exceeds these guidelines, we would prefer that you run your processes directly on the host operating system, under your own linux container, or under one of our linux container hosted services (MUMD, Skullhost) as memory effectively allocated (and swapped out) by the host OS kernel for these, whereas dedicated VMs hog whatever memory they're set to use.

You can also get better access to the CPU by running processes on the host OS, your own linux container, or one of our linux container hosted services (MUMD, Skullhost) -- in fact, you're welcome to use all 6 cores. But, you should also be "nice" and use the nice command on your intensive processes:
* "nice -n 1" if your intensive processes is highly interactive (such as raster editor running a filter) and could use your near immediate feedback
* "nice -n 2" if your're looking for your process to finish ASAP, but its the kind of thing where you sit back or take a break while it runs, e.g. http://xkcd.com/303/
* "nice -n 15" if it's the kind of thing that runs so long you're end up working on other things until it's done

As an exception to our focus on "short run intensive, long run unintensive", we do permit our users to operate longer runing processes that are only CPU intensive (not memory or disk access) as long as they're run on the host OS or linux containers, as the kernel can effectively schedule these to be out of the way of everything else with minimal task switching costs. Thanks to modern CPU design, these kinds of processes do raise our electrical bills, so we ask that the number of cores be limited if run times are expected to be longer than one day. Our nice level and number of cores expectation is
* "nice -n 16" and limited to 6 cores if run time less than 2 days
* "nice -n 17" and limited to 3 cores if run time less than 5 days
* "nice -n 18" and limited to 1 core if run time expected is less than 30 days
* "nice -n 19" and limited to 1 core if run time expected to exceed 30 days

Many intensive multi-core programs come with options to control the number of cores in use. If this isn't available, you can use the taskset command, e.g.
* "taskset -c 0 nice -n 19 intensive_monster.py" runs on CPU 0 with nice 19
* "tasket -c 0,1,2 nice -n 17" runs on CPUs 0, 1, and 2 with nice 17

==Administrators==
* Mark Jenkins <mark@parit.ca>
* Alex Weber <alexwebr@gmail.com> (I'm new still)

==Thanks==

To Kenny for our current 2nd generation equipment, Stef for the first generation equipment, the members of Skullspace for funding the RAM upgrades to the first and second generation servers, and Alex for getting the project started and providing an uninterrupted power supply (UPS).

[[Category:Projects]]
<nowiki>Insert non-formatted text here</nowiki>