Difference between revisions of "Networking"

From SkullSpace Wiki
(Wireless Networks)
 
(295 intermediate revisions by 22 users not shown)
*Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
*Also see [[IT Policies]]
*We have many people working with the equipment; remember to attach or tie down anything that could get unplugged or fall. We twice lost internet: the first time the router fell and its power switch got pressed, the second time the power plug was pulled out of the main internet switch.
*This page is finally being updated for Sksp2; the old page is at [[Networking/Old]]
  
== Network status ==
 
The Skullspace internal network is fine but needs better organization and documentation; see the tasks section. The internet connection has occasional issues when the SkSp or AW routers have trouble getting an IP; this is being troubleshot.
 
  
== High-level description ==

Internet is furnished by VOI and goes to the internet switch, where multiple routers and servers connect. There is a Linksys router for the main Skullspace network; this connects to a 24-port gigabit switch which has a few sub-switches in different rooms. There are APs around Skullspace with the "skullspace" SSID, and some near the fire escape connected to dishes outside, with different SSIDs.

<strike>The main router is a RB450G, connected to the main switch (port 2), security switch (4, later), internet feed (3), and other networks later. The main internal switch is a 3Com 4924 in the server rack; it feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.</strike>

== Stupid-High Level Diagram ==
<pre>
                              +-------------------+
                              |                   |
                              |     The Tubes     |
                              |    On The Roof    |
                              |                   |
                              +---------+---------+
                                        |
                                        |
                              +---------+-----------+
                              |    LES.net          |
                              |                     |
                              |  208.81.6.224/27    |
                              +----+----------------+
                                   |
                                   |
                                   |                 +---------------------+
                     +-------------+---------+       |  Skullspace+Router  |
           ge1+19    |  Skullspace+External  | ether1|      RB450G         |
           +---------+      Cisco 2960g      +-------+                     |
           |         |      172.30.6.2 (ge24)|       |  208.81.6.228       |
           |         +----------------------++       |  172.30.6.1         |
           |                                |        +---------------------+
+----------+----------+                     |                    |ether2
|                     |                     |                    |
|  Rest of External   |                     |                    |
|    PUBLIC/LAN       |                     |          +---------+-------------+      +------------------+
|                     |                     +----------+  Skullspace+Internal  |      |                  |
|  208.81.6.224/27    |                                |    Cisco 2960g        +------+ Rest of Internal |
|                     |                                |      172.30.6.3       |      |  INTERNAL/LAN    |
+---------------------+                                +---+-------+-------+---+      |  172.30.6.0/24   |
                                                           |       |       |          |                  |
                                                  +--------+       |       +--------+ +------------------+
                                                  |                |                |
                                           +------+------+  +------+------+  +------+------+
                                           |    WAP+A    |  |    WAP+B    |  |    WAP+C    |
                                           | 172.30.6.10 |  | 172.30.6.11 |  | 172.30.6.12 |
                                           |             |  |             |  |             |
                                           +-------------+  +-------------+  +-------------+
</pre>
Built using ASCIIFlow - http://asciiflow.com/
  
 
== Internet feeds ==
Primary: Internet from VOI (wifi-based Ubiquiti NB5, tested 60mbit down 20mbit up to Speedtest.net Winnipeg, with large packets) comes from a drop in the middle of the space, connects to line #?? below the drop, goes to the server room where its PoE supply is, and then goes to the primary internet switch. We have permission to use a few IPs (currently assigned by DHCP, but that may change; that's why they have the small white Mikrotik router) and a 'reasonable' amount of bandwidth.

B: Internet from LES.net (wifi-based Ubiquiti, tested 94.83mbit down, 96.22mbit up to Speedtest.net Winnipeg)<br>
<s>B: Internet from VOI (wifi-based Ubiquiti NB5, tested 60mbit down 40mbit up to Speedtest.net Winnipeg).</s><BR>
 
== Network hardware ==
*Mikrotik Routerboard 450G as main router
*<strike>Netgear WNDR3700 router, donated by [http://projectbismark.net Project Bismark]. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.</strike>
*<strike>Linksys WRT54G2 v1.5 as spare. WAN port may sometimes have packet loss.</strike>
*<strike>Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef.</strike>
*<strike>Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef.</strike>
*<strike>A 3Com 4924 (:A0) as the main switch; by default everything connects here.</strike>
*<strike>A 3Com 4924 (:??) as a spare switch.</strike>
*<strike>2 D-Link DWL-810+ bridges.</strike>
*Netgear GS108T as the lounge switch.
*<strike>D-Link DWL-7100AP AP.</strike>
*<strike>D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").</strike>
*<strike>A Belkin F5D8236 wireless-N router as spare</strike>
*<strike>3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares.</strike>
*<strike>Belkin F5D5141-5 switch.</strike>
*Cisco 2950 switches #1 and #2.
*Mikrotik RB750 (small white box), VOI's router
*<strike>Western Multiplex Tsunami 100 5.8ghz - two links (4x IDU, 2x high ODU, 2x low ODU), unused. Panel antenna loaned from Seccuris.</strike>

=== Previous revision ===
All switches and their interconnects are gigabit (a few exceptions below), so two machines doing 100mbit of transfer won't fill any pipes on the way.
*Linksys WRT54G2 as main router. G wireless has been tested to 33mbit. Port forwarding rules are noted later in this page. Also used as a switch (100mbit only), LAN ports connected to the main switch. WAN MAC is 00:25:9c:3a:70:9e, IP is currently 206.220.194.191.
*Netgear WNDR3700 top-end router, donated by [http://projectbismark.net Project Bismark], will likely become the main internet router.
*A Cisco 4924 (:A0) as the main switch; by default everything connects here.
*A Cisco 4924 (:??) as a spare switch
*Netgear GS108T as the workshop switch
*D-Link DWL-7100AP as a testing 2ghz/5ghz wireless AP in the workshop, still unproven
*A Belkin F5D8236 wireless-N router in the lounge room is set up as an AP and switch (100mbit only), connected to the main SkSp network
*2 Cisco Aironet 1100 APs modified with pigtails to connect to outside dishes
*Belkin F5D5141-5 switch in the lounge.
*Intel 510T switch - currently unused. Old, only telnet management
*Cisco 2950 switches #1 and #2 - currently unused, will be set up as internet-side switches
*Mikrotik RB450? (small white box), VOI's router
  
 
== Wiring ==
Runs

A1+B1: from rack to wiring area on top of bathrooms, A2+B2 from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed a wifi AP.

C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.

E+F+G: from rack to area behind rear black desk.

== Tasks ==
*terminate ethernet lines correctly in a panel once we're sure server room is stable
*label networking equipment (IPs etc) and servers, update this page for the latter
*put read-only and full-access passwords on devices

== Wireless Networks ==
skullspace = main SSID, usual password

<strike>skullspace_rear: linksys G router in the server rack, as a backup.</strike>

New IP Ranges
*172.30.4.x = testing/reserved for later use
*172.30.5.x = half Security/Management network, half VPNs
*172.30.6.x = Main network; DHCP .100-.240, router .1, network gear .10-.29, printers .30-.39, VMs and servers .40-.99, VPNs .241-.254
*172.30.7.x = CTF Network; DHCP ???, router .1

== Internal IP usage ==
Check these
=== Legacy IPs ===
*192.168.1.1  Mikrotik Router
*<strike>192.168.1.9 noel, alex's linux container on [[vmsrv]]</strike>
*<strike>192.168.1.10 kyle, a linux container on [[vmsrv]]</strike>
*<strike>192.168.1.11 stefen, a linux container on [[vmsrv]]</strike>
*192.168.1.12 Samsung CLP-310N printer
*<strike>192.168.1.15 Cisco 2950 switch</strike>
*<strike>192.168.1.16 Netgear GS108T workshop switch</strike>
*<strike>192.168.1.17 Cisco 4924 Switch-1 (main)</strike>
*<strike>192.168.1.18 Cisco 4924 Switch-2</strike>
*<strike>192.168.1.22 DES-3224</strike>
*192.168.1.26 [[vmsrv]]
*<strike>192.168.1.27 Who took this and didn't document?</strike>
*<strike>192.168.1.31 not in use, but don't use</strike>
*192.168.1.32 [[Skullhost]] on [[vmsrv]]
*<strike>192.168.1.33 iscsi server on [[vmsrv]]</strike>
*<strike>192.168.1.34-35 Kenny servers</strike>
*<strike>192.168.1.36 VPN server on [[vmsrv]] - contact Jay or Alex</strike>
*192.168.1.37 Ben's server
*<strike>192.168.1.38 [[Driftnet]] laptop</strike>
*<strike>192.168.1.39 open for use</strike>

=== Current 172.30/16 ===
*172.30.6.1  Mikrotik Router
*172.30.6.2  SkullSpace-External (Cisco 2850 Switch)
*172.30.6.3  SkullSpace-Internal (Cisco 2850 Switch)
*172.30.6.10 WAP-A (UniFi AP Management IP) - MAC = 0418D64E8BDE
*172.30.6.11 WAP-B (UniFi AP Management IP) - MAC = 0418D64E8AED
*172.30.6.12 WAP-C (UniFi AP Management IP) - MAC = 0418D64E8AE4
*172.30.6.13 intarweb.ca (Sean's server, inside interface)
*172.30.6.14 (new, ask Alex W about this) UniFi AP Controller - VM on vmsrv.skullspace.ca
*172.30.6.15 esx.intarweb.ca
*172.30.6.16 ips.intarweb.ca

*172.30.6.30 [[mumd|latest Ubuntu]] old graphical shell service on [[vmsrv]] (to be retired)
*172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
*172.30.6.32 available
*172.30.6.33 UniFi AP Controller (Container on [[vmsrv]])
*172.30.6.34 Jay Bots (Container on [[vmsrv]])
*172.30.6.38 Sean's pihole
*172.30.6.39 Ben's VM on [[vmsrv]]
*172.30.6.40 [[vmsrv]]
*172.30.6.41 tftp server for [[IPXE boot option]]
*172.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.
*172.30.6.43 Access Control and camera management workstation

*172.30.6.50-53 Chris Otto Servers
*172.30.6.100-240  Main router DHCP space
*172.30.6.241-254  VPN IPs
**172.30.6.245 - sean VPN IP (sean cody)
**172.30.6.247 - cchilds VPN IP
**172.30.6.248 - jordansamulaitis VPN IP
**172.30.6.249 - gygar VPN IP
**172.30.6.250 - nwild VPN IP
**172.30.6.251 - cstanners-router VPN IP
**172.30.6.252 - odin VPN IP
**172.30.6.254 - cstanners VPN IP

*172.30.7.1  Mikrotik Router (WIFI VLAN)

*172.30.8.0/24 Virtual Machine Server ([[vmsrv]]) static LAN (no DHCP, reserve here)
**172.30.8.1 [[vmsrv]]
**172.30.8.2 available
**172.30.8.3 available
**172.30.8.4 [[whonix.skull.space]] ssh login portal for TCP forwarding (port 1887 on whonix.skull.space forwarded to 172.30.8.4:22)
**172.30.8.5 [[outbound commercial vpn]]

*172.30.9.0/24 Management network
**172.30.9.2 Extreme Networks [[Summit 400-48t]] switch
**172.30.9.5 HP DL380e Gen8 iLO.
**172.30.9.30 [[vmsrv]]

*10.2.0.0/24 [[whonix.skull.space]] gateway WAN side on [[vmsrv]]
**10.2.0.1 [[vmsrv]]
**10.2.0.15 [[whonix.skull.space]] gateway

*10.152.152.0/24 [[whonix.skull.space]] LAN side behind the Whonix gateway (isolated network virbr2 on [[vmsrv]])
**10.152.152.10 Whonix gateway, a full KVM vm on [[vmsrv]]; acts as gateway/default route and nameserver
**10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)

*10.50.31.0/24 TheLEDSign LAN
**10.50.31.16 The Sign
**10.50.31.17 The controlling container ([[vmsrv]])
*10.50.32.0/30 Mark project private point-to-point link LAN

===Access Controls and Cameras 192.168.1.0/24===
* 192.168.1.1 - Win7 Blue Iris station 00:13:3b:0e:21:cb
* 192.168.1.2 - TPLink PoE switch ac:15:a2:30:b6:d3
* 192.168.1.3 - Lubuntu 22.04 virtualization host
* 192.168.1.4 - Mark test record LXD container
* 192.168.1.100 - WinXP virtual machine, Kantech access control management
* 192.168.1.101 - Camera, 00:50:1a:04:2D:B1, IQ541S
* 192.168.1.103 - Camera 00:50:1a:01:7c:c4
* 192.168.1.105 - Camera 00:50:1a:01:84:fd
* 192.168.1.250 - Access control serial port relay
* other cameras undocumented

== IP Usage ==

=== LES IP Delegation ===
<pre>
IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
</pre>
<pre>
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1:  2605:e200:53:2::
</pre>

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.224
| TBD
| LES.net Network
| porting AT les DOT net
| all machines
| required by network design
|-
| 208.81.6.225
| TBD
| LES.net Gateway
| porting AT les DOT net
| all machines
| required by network design
|-
| 208.81.6.226
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
| 208.81.6.227
| TBD
| LES.net RESERVED
| porting AT les DOT net
| all machines
| required by network design
|-
| 208.81.6.228
| TBD
| Skullspace Router
| it AT skullspace.ca
| Skullspace LAN
|
|-
| 208.81.6.229
| TBD
| ns1.skullspace.ca
| it AT skullspace.ca
| Skullspace DNS
|
|-
| 208.81.6.230
| vmsrv.skullspace.ca
| Virtual Machine Server [[vmsrv]]
| mark AT markjenkins DOT ca
| VM server open to all members.
| Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
| 208.81.6.231
| ripe.skullspace.ca
| RIPE Probe
| colin AT insecure DASH complexity DOT ca
|
|
|-
| 208.81.6.232
| shell.skull.space
| [[shell.skull.space]]
| mark AT markjenkins DOT ca
| Shell accounts for all members.
| Being able to bind to port 22, rather than having some other port forwarded by vmsrv.skullspace.ca, will make this much easier to get users for. Plus, Mak has brought with him many users from his own system, where he used to have users with shell accounts. They're already used to port 22 and a different hostname pointing here; leaving that alone will help keep them. That old system was taking up its own IP address anyway.
|-
| 208.81.6.233
| mail.skull.space
| [[SkullMail]] email forwarding service
| mark AT markjenkins DOT ca
|
|
|-
| 208.81.6.234
| nessus.skullspace.ca
| SkullSpace Nessus scanner
| alexwebr at gmail dot com
|
| If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
| 208.81.6.235
| tmp.skullspace.ca
| Temporary address
| Open to anyone
|
| Check before use, use briefly. Example use: migration of the skullspace.ca website on [[skullhost]] when [[vmsrv]] is being serviced.
|-
| 208.81.6.236
|
|
|
|
|
|-
! IP
! DNS
! Use
! Contact
! used by?
! reason for public IP and notes
|-
| 208.81.6.237
| broot.ca
| Personal webserver, Git, DNS, mail
| Alex Weber <alexwebr@gmail.com>
| Nothing. Can be moved elsewhere if we need IP space back.
| Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
| 208.81.6.238
| (domain name pending)
| For handling migration of skullspace websites by way of DNS
| Mark Jenkins <mark@parit.ca>
| Ubuntu 18.04 vm hosted on [[sksp-virt3-1]]
| Website hosting, on a separate physical host from vmsrv.skullspace.ca
|-
| 208.81.6.239
|
|
|
|
|
|-
| 208.81.6.240
| loki.madcowlabs.com
| [[loki.madcowlabs.com]]
| cotto at ieee point org
| Chris's Server
| Experimental development project server
|-
| 208.81.6.241
|
|
|
|
|
|-
| 208.81.6.242
| library.skullspace.ca
| The Evergreen server for the (experimental) SkullSpace library
| Alex (alexwebr@gmail.com)
| SkullSpace
| Uses Websockets, and Websockets need a legitimate SSL certificate?
|-
| 208.81.6.243
|
|
|
|
|
|-
| 208.81.6.244
|
|
|
|
|
|-
| 208.81.6.245
|
|
|
|
|
|-
| 208.81.6.246
| new irc.skull.space testing
|
|
|
|
|-
| 208.81.6.247
| irc.skull.space
| IRC server - /knock #admin
| Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though)
| members & the public
| Running an ircd - not easy to proxy to a private address
|-
| 208.81.6.248
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
| 208.81.6.249
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
| 208.81.6.250
| lab.intarweb.ca
| lab.intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
| 208.81.6.251
| tmp.intarweb.ca
| tmp.intarweb.ca  Temporary rsync issues test.
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
| 208.81.6.252
| amsler.ca
| Production Appserver / Personal Webspace
| edwinguy_gmail
| Skullspace LAN
| Edwin Amsler
|-
| 208.81.6.253
| intarweb.ca
| intarweb.ca
| sean AT tinfoilhat.ca
| Sean Cody
| Sean Cody
|-
| 208.81.6.254
|
|
|
|
|
|-
| 208.81.6.255
| TBD
| LES.net Broadcast
| LES.net
| all machines
| required by network design
|}

=== Wiring drops (previous revision) ===
Please follow the standard below when labeling any new lines. LSB is closest to the RJ45. Unless otherwise noted, all wires below originate from the main rack.

{| class="wikitable"
|-
! num
! in binary R/G
! Description
! Connects to
|-
| 00
| RRR (000)
| Workshop pole
| ?
|-
| 01
| RRG (001)
| wireless APs (1of3)
| ?
|-
| 02
| RGR (010)
| Workbench south
| GS108 switch?
|-
| 03
| RGG (011)
| Workbench North
| nothing
|-
| 04
| GRR (100)
| Classroom west
| nothing
|-
| 05
| GRG (101)
| Drink machine
| nothing
|-
| 06
| GGR (110)
| Lounge north pole
| nothing
|-
| 07
| GGG (111)
| Lounge south pole
| Belkin switch, etc
|-
| 08
| GRRR (1000)
| Electrical room/Assentworks (1of2)
| AW internet?
|-
| 09
| GRRG (1001)
| Electrical room/Assentworks (2of2)
| sksp to AW link
|-
| 10
| GRGR (1010)
| War Room 1of2
| nothing
|-
| 11
| GRGG (1011)
| War Room 2of2
| nothing
|}

The above runs were conservative: in many cases only a single drop, because we were low on cat5, when it would have been preferable to put in two drops to be prepared for the future. They still total about 2000ft of cable and quite a few hours of wiring work.
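The two address plans on this page (the 172.30.6.x role ranges under "New IP Ranges" and the LES.net /27 with its gateway and reserved addresses) are easy to drift from: several entries in the "Current 172.30/16" list already sit in ranges the plan gives to other roles, and the two switches sit outside every planned range. The script below is an added example, not code from the wiki or from SkullSpace. It transcribes the plan and a sample of the documented assignments, flags every entry whose documented use does not match the range it sits in (reporting None for addresses in no planned range), and separately rejects public addresses that must never be handed to a host. The role labels on the sample entries are this example's reading of the descriptions on the page.

```python
"""Audit documented static IP assignments against the address plan on this page.

Added example, not code from the wiki or from SkullSpace. The role ranges and the
public allocation are transcribed from the "New IP Ranges" and "LES IP Delegation"
sections; the sample assignments are transcribed from "Current 172.30/16", and the
role label attached to each one is this example's reading of its description.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("172.30.6.0/24")

# Role ranges for 172.30.6.x by last octet, inclusive (from "New IP Ranges").
PLAN_172_30_6 = {
    "router": (1, 1),
    "gear": (10, 29),      # switches, APs, AP controllers
    "printer": (30, 39),
    "server": (40, 99),    # VMs and servers
    "dhcp": (100, 240),
    "vpn": (241, 254),
}

# Public allocation from "LES IP Delegation": the /27, its gateway and the two
# addresses LES.net keeps for itself.
PUBLIC_NET = ipaddress.ip_network("208.81.6.224/27")
PUBLIC_GATEWAY = ipaddress.ip_address("208.81.6.225")
PUBLIC_RESERVED = {ipaddress.ip_address(a) for a in ("208.81.6.226", "208.81.6.227")}

# (address, description, role as read from the description): a sample of the
# entries documented on this page, used as the input to audit_internal().
SAMPLE_INTERNAL = [
    ("172.30.6.1", "Mikrotik router", "router"),
    ("172.30.6.2", "SkullSpace-External switch", "gear"),
    ("172.30.6.10", "WAP-A", "gear"),
    ("172.30.6.13", "intarweb.ca, Sean's server", "server"),
    ("172.30.6.31", "vmsrv92", "server"),
    ("172.30.6.38", "Sean's pihole", "server"),
    ("172.30.6.40", "vmsrv", "server"),
    ("172.30.6.245", "sean VPN IP", "vpn"),
]


def planned_role(address):
    """Return the plan range a 172.30.6.x address falls in, or None if the
    address is outside 172.30.6.0/24 or in no documented range."""
    ip = ipaddress.ip_address(address)
    if ip not in INTERNAL_NET:
        return None
    last_octet = int(ip) & 0xFF
    for role, (low, high) in PLAN_172_30_6.items():
        if low <= last_octet <= high:
            return role
    return None


def audit_internal(assignments):
    """Return (address, description, documented_role, planned_role) for every
    entry whose documented role differs from the range it sits in; planned_role
    is None when the address is in no documented range."""
    return [
        (address, description, role, planned_role(address))
        for address, description, role in assignments
        if planned_role(address) != role
    ]


def audit_public(addresses):
    """Return (address, problem) for public addresses that must not be given to a
    host: outside the /27, the network or broadcast address, the gateway or an
    LES.net reserved address, or an address listed more than once."""
    findings = []
    seen = set()
    for address in addresses:
        ip = ipaddress.ip_address(address)
        if ip not in PUBLIC_NET:
            findings.append((address, "outside 208.81.6.224/27"))
        elif ip in (PUBLIC_NET.network_address, PUBLIC_NET.broadcast_address):
            findings.append((address, "network/broadcast address"))
        elif ip == PUBLIC_GATEWAY or ip in PUBLIC_RESERVED:
            findings.append((address, "gateway or LES.net reserved"))
        elif ip in seen:
            findings.append((address, "assigned twice"))
        seen.add(ip)
    return findings


if __name__ == "__main__":
    for address, description, role, expected in audit_internal(SAMPLE_INTERNAL):
        where = "no planned range" if expected is None else "the %s range" % expected
        print("internal: %s (%s) is documented as %s but sits in %s" % (address, description, role, where))
    # Constructed check list: one good address, one reserved, the broadcast, and a repeat.
    for address, problem in audit_public(["208.81.6.230", "208.81.6.226", "208.81.6.255", "208.81.6.230"]):
        print("public: %s: %s" % (address, problem))
```

Run against the full "Current 172.30/16" list rather than the sample, the same audit is a quick way to decide whether the plan or the assignments should change before the next device is added; the public check is worth running over the whole LES table every time a row is edited, since a duplicate or a reserved address there breaks the upstream link for everyone.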
=== VOI IP Delegation ===

<strike>
VOI gave us 206.220.196.48/28 (mask 255.255.255.240) and 206.220.193.64/29 (mask 255.255.255.248), as well as 2604:4280:1:c0de::/64; you must reserve IPs here before using them. You'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! used by? / since
! reason for public IP and notes
|-
| 206.220.193.65
| TBD
| VOI router
| VOI
| all machines
| required by network design
|-
| 206.220.193.66
| Fwd:<br>Rev:
|
|
|
|
|-
|
| Fwd:<br>Rev:
|
|
|
|
|-
| 206.220.193.68
| Fwd:<br>Rev:
|
|
|
|
|-
| 206.220.193.69
| Fwd:<br>Rev:
| Richard's Server
| rjr point work at gmail
|
| development server, potentially Starbound server
|-
| 206.220.193.70
| Fwd:<br>Rev:
|
|
|
|
|-
| 206.220.196.49
| Fwd: h49-skullspace.winnipeg.voinetworks.net.<br>Rev: h49-skullspace.winnipeg.voinetworks.net.
| VOI Mikrotik RB750? router
| VOI Networks
| now
| required by network design
|-
| 206.220.196.50
| Fwd:<br>Rev:
| Sksp Main Router
| it@skullspace.ca
|
|
|-
| [http://wiki.skullspace.ca/index.php?title=SKSP_DNS 206.220.196.51]<br>[http://wiki.skullspace.ca/index.php?title=SKSP_DNS 2604:4280:1:c0de::53]
| Fwd: ns1.skullspace.ca (Pending)<br>Rev: ns1.skullspace.ca (Pending)<br>2604:4280:1:c0de::80 - Relay/Proxy v6 to v4 for www.skullspace.ca (testing)<br>2604:4280:1:c0de::81 - Relay/Proxy v6 to v4 for wiki.skullspace.ca (testing)
| [[SKSP DNS]]
| it@skullspace.ca
| 2014-10-08
| Skullspace Primary DNS Server
|-
| 206.220.196.52
| Fwd: <several><br>Rev: mail.nepharia.org
| Vobster Nepharia Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53
| Fwd: <several><br>Rev: mail.skullspace.ca
| Vobster SkullSpace Services
| mak@kolybabi.com and dave@ysarro.com
| 2012-02-17
| Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54
| Fwd: ctf.skullspace.ca<br>Rev: ctf.skullspace.ca
| Vobster CTF Services
| mak@kolybabi.com and dave@ysarro.com
| 2013-04-09
| Runs SSH-related services, for now.
|-
| 206.220.196.55
| Fwd:<br>Rev:
| Edwin Amsler
| edwinguy at gmail dot calm
| 2015-02-23
|
|-
| 206.220.196.56
| Fwd:<br>Rev:
| Colin / Jeremy FreeBSD server
| phoul@insecure-complexity.com
| 2013-10-01
|
|-
| 206.220.196.57
| Fwd:<br>Rev:
|
|
|
|
|-
| 206.220.196.58<br>2604:4280:1:c0de::314
| Fwd: intarweb.ca<br>Rev:
| Sean's server.
| sean _at_ tinfoilhat _dot_ ca
| 2013-09-27
| L2TP etc.
|-
| 206.220.196.59
| Fwd:<br>Rev:
|
|
|
|
|-
| 206.220.196.60
| Fwd:<br>Rev:
| Colin's project server
| CStanners @ gmail
| Occasional
| IPv6, VPN services and testing
|-
| 206.220.196.61
| Fwd:<br>Rev:
| Ben's server
| ben@benbergman.ca
| 2012-12-18
| http/ssh/vpn/other
|-
| 206.220.196.62
| Fwd: dangerzone.skullspace.ca<br>Rev: dangerzone.skullspace.ca
| The Danger Zone
| ctfadmin@
| 2012-06-01
| The home of the SkullSpace Teaching CTF.
|}
</strike>

== Tasks (previous revision) ==
*discover why the routers aren't getting IPs occasionally
*finish mapping and labeling ethernet lines
*terminate lines correctly in a panel once we're sure server room is stable
*run 12? lines cleanly from networking rack to the blue racks.
*label networking equipment (IPs etc) and servers, update this page for the latter
*separate security/camera network from Skullspace network
*organize secondary internet feed, better router and switch for it
*put read-only and full-access passwords on devices

== Wireless Networks (previous revision) ==
{| class="wikitable"
|-
! SSID
! speeds
! password
! description
|-
| skullspace
| G/2.4N
| (normal)
| main network; APs in server room, lounge.
|-
| skullspace[25]ghz_test
| A/G
| (normal)
| AP in workshop, being tested
|-
| Skullspace-dish-aimedatKingsHead
| B
| (normal)
| east-pointed dish on fire escape ladder.
|-
| Skullspace-dish-aimedatSeccuris
| B
| (normal)
| south-pointed dish on fire escape ladder that no one uses
|}

== King's Head Pub AP ==
A popular meeting space in Winnipeg, 1 block away from Skullspace, which doesn't have wifi - but we can see the rear of its brick building from Skullspace. So we used a donated Cisco Aironet 1100 AP, modified it for an external antenna connection, ran some LMR400 cable out the fire escape door and up the fire escape ladder, and pointed a 19dbi dish towards the pub. SSID is SkullSpace-dish-aimedatKingsHead; ask a member for the password. It doesn't work at all in the south main-floor area, but it does have coverage in most parts of the north main-floor area. Speedtests: 1 to 4mbit down on a laptop with a good wireless card (Atheros N). We attempted to replace the Cisco 802.11B card in the AP with an 802.11G upgrade card (AIR-MP21G-A-K9), but it became almost impossible to connect - likely because Cisco was becoming involved with Broadcom at the time that G card was made, and the latter is known for the low sensitivity and receiver quality of its chipsets.

Plans to increase coverage:
*upgrade the 19dbi to a 24dbi antenna - the only issue is they're huge and a lot of windload to put on the fire escape ladder (especially if they ice up in the winter); a roof-mount pad would be preferable. We'd need to check that the narrower beamwidth of the higher-gain antenna doesn't lose coverage of the edges of the King's Head - this math would be size of King's Head building vs distance = degrees of view?
*add antenna receive diversity - again, the second antenna would be better on an additional (spaced farther apart horizontally) roof-mount pad; vertical diversity on the fire escape ladder wouldn't help as much.
*move the antenna - currently the view (all the way up the fire escape ladder) to the front of the King's Head is blocked by a concrete building. 5-10ft south on a roof mount would be ideal.
*add an amplifier or a higher-power radio. The Cisco puts out 100mw; we have a 500mw amplifier. Since this isn't an omni but a highly directional antenna, we could maybe classify it under the rule that allows 24dbi gain and 24dbm power output (500mw is 27dbm, but we're losing 3db in the 40ft of LMR cable and connections, which brings us nicely to 24dbm).
*ground the fire escape ladder - would be a good idea.
*check that the antenna and LMR cable/connections are running at full efficiency - this is old gear from a garage.

Signal in the north main-floor area is currently -82 to -87 dBm when connection is possible; with all of the above it'd be good to get it to mid-70s numbers, which should allow for pretty good coverage considering we're a block away and going through thick brick/concrete.

== Main router Port Forwarding entries ==
If ever we need to reset the main router, these will be put back in, so keep them updated.

{| class="wikitable"
|-
! Name
! Port range
! Protocol
! Dest IP
! Enabled?
! Notes
|-
| russvent
| 3784
| Both
| .99
| Y
| -
|-
| Access
| 58027
| Both
| .5
| Y
| -
|-
| mumd
| 22
| TCP
| .10
| Y
| Notes
|-
| russtot
| 993
| TCP
| .99
| Y
| Notes
|-
| webcam3
| 31338
| TCP
| .251
| Y
| Notes
|-
| webcam4
| 31339
| Both
| .252
| Y
| Notes
|-
| webcam5
| 554
| TCP
| .252
| Y
| Notes
|-
| webcam6
| 31340
| Both
| .252
| Y
| Notes
|}

== internal IP usage (previous revision) ==
*192.168.1.1  Linksys WRT54G2 router in server room
*192.168.1.2  Reserved
*192.168.1.3  Belkin F5D8236 Router in Lounge area
*192.168.1.4  Cisco 1100AP (King's Head)
*192.168.1.5  Reserved
*192.168.1.6  Intel 510T switch
*192.168.1.7  Cisco 1100AP (south)
*192.168.1.8  HP 300x? parallel print server
*192.168.1.9  [[mumd|MUMD]] host distro
*192.168.1.10  [[mumd|MUMD]] latest Ubuntu (currently natty 11.04)
*192.168.1.11 [[mumd|MUMD]] Debian 6.0 (wheezy)
*192.168.1.12 Samsung CLP-310N printer
*192.168.1.13 [[mumd|MUMD]] Debian stable, system services
*192.168.1.15 Cisco 2950 switch
*192.168.1.16 Netgear GS108T workshop switch
*192.168.1.17 Cisco 4924 Switch-1 (main)
*192.168.1.18 Cisco 4924 Switch-2
*192.168.1.20 D-link DWL-7100AP for testing
*192.168.1.42 Andrew's server - internal interface
*192.168.1.69 Ayecee's server - internal interface
*192.168.1.99  Russ' netbook
*192.168.1.100-199  Linksys DHCP space
*192.168.1.200-220  Network lab address space
*192.168.1.250  Old crappy cameras (currently offline)
*192.168.1.251  New Camera
*192.168.1.252  Cameras

== Servers ==
{| class="wikitable"
|-
! Name
! Model/setup
! IPs and MACs
! Description/contact
|-
| Russ' Netbook
| White Acer Netbook
| 192.168.1.99 / 00-23-8b-3f-f2-52
| russmilne at gmail, do not open - short in hinges
|-
| Ayecee's
| HP Proliant ML350 4U
| external: 206.220.194.196 / 00:0b:cd:4d:e3:a4 (dhcp); internal: 192.168.1.69 / 00:08:02:ed:cc:a0; LOM: 192.168.1.70 / 00:0b:cd:2f:e0:17
| ayecee AT gmail DOT com
|-
| Andrew's Prime Hunter
| Dell PowerEdge 1750 1U
| 206.220.194.144 / 00:11:43:59:f8:da
| andrew AT andreworr DOT ca. Details on its prime hunting progress here: [http://www.primegrid.com/show_host_detail.php?hostid=229945 http://www.primegrid.com/show_host_detail.php?hostid=229945]
|-
| Ben's
| White case w/ front game port
| 206.220.194.212 / 00:4f:49:0b:f7:fb
| ben@benbergman.ca
|-
| Mark's MUMD
| Ghetto case, no lights connected
| 192.168.1.9-11,13 / 00-0e-a6-7d-41-e6
| mark at parit . ca ?
|-
| Andrew's prime hunter 2
| Dell Poweredge 1600SC
| 206.220.194.187 / 00:c0:9f:24:c0:2a
| andrew AT andreworr DOT ca
|-
| Alex's shiny server
| Shiny case
| 206.220.194.204 / 00:50:8d:b4:1a:4c
| alexwebr (a) gmail.com
|-
| Alex' Dell server
| Dell Dimension 8250
| 206.220.194.166 / 00:50:5d:6c:5e:92
| alexwebr (a) gmail.com
|-
| Stef's server
| Whitebox PC?
| 206.220.194.143? / ??????
| stefan.penner asign gmail.com
|-
| Mak's server
| noobbox9001
| 206.220.194.??? / ???
| mak (a) kolybabi.com
|}
 
  
 
[[Category:Space]]
[[Category:Networking]]
[[Category:Required Reading]]
 
== Keys ==
 
The following members have keys to the server room:
 
* Ron Bowes
* Andrew Orr
* Mak Kolybabi
* Colin Stanners
 
 
If you'd like a key, and you have a reason, let me know and I'll make sure you get one! --[[User:Ron|Ron]]
 

Latest revision as of 00:27, 18 October 2023

  • Please keep an updated copy of this page printed out and posted in the server room, so there is access to documentation even if the network / internet is down
  • Also see IT Policies
  • We have many people working with the equipment, so remember to attach or tie down anything that could get unplugged, fall, etc. We have lost internet twice: the first time the router fell and its power switch got pressed; the second time the power plug was pulled out of the main internet switch.
  • This page is finally being updated for Sksp2; the old page is at Networking/Old


High-level description

The main router is an RB450G, connected to the main switch (port 2), the security switch (port 4, later), the internet feed (port 3), and other networks later. The main internal switch is a 3Com 4924 in the server rack; it feeds a GS108T at the lounge PC and a 5-port GigE switch near the meeting table. The main HP AP has SSID skullspace and is mounted on the roof in the middle of the space.

Stupid-High Level Diagram

                              +-------------------+
                              |                   |
                              |     The Tubes     |
                              |    On The Roof    |
                              |                   |
                              +---------+---------+
                                        |
                                        |
                              +---------+-----------+
                              |     LES.net         |
                              |                     |
                              |   208.81.6.224/27   |
                              +----+----------------+
                                   |
                                   |
                                   |                 +---------------------+
                     +-------------+---------+       |  Skullspace+Router  |
           ge1+19    |  Skullspace+External  | ether1|       RB450G        |
          +----------+      Cisco 2960g      +-------+                     |
          |          |      172.30.6.2 (ge24)|       |  208.81.6.228       |
          |          +----------------------++       |  172.30.6.1         |
          |                                 |        +---------------------+
+---------+-----------+                     |                  |ether2
|                     |                     |                  |
|  Rest of External   |                     |                  |
|     PUBLIC/LAN      |                     |        +---------+-------------+      +------------------+
|                     |                     +--------+  Skullspace+Internal  |      |                  |
|   208.81.6.224/27   |                              |     Cisco 2960g       +------+ Rest of Internal |
|                     |                              |      172.30.6.3       |      |   INTERNAL/LAN   |
+---------------------+                              +---+-------+-------+---+      |   172.30.6.0/24  |
                                                         |       |       |          |                  |
                                                +--------+       |       +--------+ +------------------+
                                                |                |                |
                                         +------+------+  +------+------+  +------+------+
                                         |    WAP+A    |  |    WAP+B    |  |    WAP+C    |
                                         | 172.30.6.10 |  | 172.30.6.11 |  | 172.30.6.12 |
                                         |             |  |             |  |             |
                                         +-------------+  +-------------+  +-------------+
 

Built using ASCIIFlow - http://asciiflow.com/

Internet feeds

B: Internet from LES.net (wifi-based Ubiquiti link, tested 94.83 Mbit down, 96.22 Mbit up to Speedtest.net Winnipeg)
B: Internet from VOI (wifi-based Ubiquiti NB5, tested 60 Mbit down, 40 Mbit up to Speedtest.net Winnipeg).

Network hardware

  • Mikrotik Routerboard 450G as main router
  • Netgear WNDR3700 router, donated by Project Bismark. It had a problem (routed packets fine but services like DHCP/DNS/web server didn't work) so was taken out of the network to test.
  • Linksys WRT54G2 v1.5 as spare. WAN port may sometimes have packet loss.
  • Linksys WRT350N with DD-WRT v24SP2 firmware as a spare. Lent by Stef.
  • Linksys WRT54G v2 with tomato 1.28 firmware as a spare. Lent by Stef.
  • A 3Com 4924 (:A0) as the main switch, by default everything connects here.
  • A 3Com 4924 (:??) a spare switch.
  • 2 D-Link DWL-810+ bridges.
  • Netgear GS108T as the lounge switch.
  • D-Link DWL-7100AP AP.
  • D-Link DES-3224 as a public IP switch, set to management only on port 7 (Telnet, username "D-Link").
  • A Belkin F5D8236 wireless-N router as spare
  • 3 Cisco Aironet 1100 APs with .B cards and one (:90) with a .G card as spares.
  • Belkin F5D5141-5 switch.
  • Cisco 2950 switches #1 and #2.
  • Mikrotik RB750 (small white box), VOI's router
  • Western Multiplex Tsunami 100 5.8 GHz - two links (4x IDU, 2x high ODU, 2x low ODU), unused. Panel antenna loaned from Seccuris.

Wiring

  • Runs A1+B1: from rack to wiring area on top of bathrooms; A2+B2: from wiring area on top of bathrooms to pole in front of classroom. One will be used to feed a wifi AP.
  • C+D: from rack to next to a couch in lounge area. A wire goes under the nearby door to the wiring area of the space next door and above a window for the temporary garbage-cam.
  • E+F+G: from rack to area behind rear black desk.


Tasks

  • terminate ethernet lines correctly in a panel once we're sure server room is stable
  • label networking equipment (IPs etc) and servers, update this page for the latter
  • put read-only and full-access passwords on devices

Wireless Networks

  • skullspace = main SSID, usual password
  • skullspace_rear: linksys G router in the server rack, as a backup.


New IP Ranges

  • 172.30.4.x = testing/reserved for later use
  • 172.30.5.x = half Security/Management network half VPNs
  • 172.30.6.x = Main network: router .1, network gear .10-.29, printers .30-.39, VMs and servers .40-.99, DHCP .100-.240, VPNs .241-.254
  • 172.30.7.x = CTF network: router .1, DHCP range ???

Internal IP usage

Check these

Legacy IPs

  • 192.168.1.1 Micro-tik Router
  • 192.168.1.9 noel, alex's linux container on vmsrv
  • 192.168.1.10 kyle, a linux container on vmsrv
  • 192.168.1.11 stefen, a linux container on vmsrv
  • 192.168.1.12 Samsung CLP-310N printer
  • 192.168.1.15 Cisco 2950 switch
  • 192.168.1.16 Netgear GS108T workshop switch
  • 192.168.1.17 Cisco 4924 Switch-1 (main)
  • 192.168.1.18 Cisco 4924 Switch-2
  • 192.168.1.22 DES-3224
  • 192.168.1.26 vmsrv
  • 192.168.1.27 Who took this and didn't document?
  • 192.168.1.31 not in use, but don't use
  • 192.168.1.32 Skullhost on vmsrv
  • 192.168.1.33 iscsi server on vmsrv
  • 192.168.1.34-35 Kenny servers
  • 192.168.1.36 VPN server on vmsrv - contact Jay or Alex
  • 192.168.1.37 Ben's server
  • 192.168.1.38 Driftnet laptop
  • 192.168.1.39 open for use

Current 172.30/16

  • 172.30.6.1 Micro-tik Router
  • 172.30.6.2 SkullSpace-External (Cisco 2850 Switch)
  • 172.30.6.3 SkullSpace-Internal (Cisco 2850 Switch)
  • 172.30.6.10 WAP-A (UniFI AP Management IP) - MAC = 0418D64E8BDE
  • 172.30.6.11 WAP-B (UniFI AP Management IP) - MAC = 0418D64E8AED
  • 172.30.6.12 WAP-C (UniFI AP Management IP) - MAC = 0418D64E8AE4
  • 172.30.6.13 intarweb.ca (Sean's server, inside interface)
  • 172.30.6.14 (new, ask Alex W about this) UniFI AP Controller - VM on vmsrv.skullspace.ca
  • 172.30.6.15 esx.intarweb.ca
  • 172.30.6.16 ips.intarweb.ca
  • 172.30.6.30 latest Ubuntu old graphical shell service on vmsrv (to be retired)
  • 172.30.6.31 vmsrv92, HP 380e Gen8 with 92GB of RAM, Debian 12, Mark Jenkins
  • 172.30.6.32 available
  • 172.30.6.33 UniFI AP Controller (Container on vmsrv)
  • 172.30.6.34 Jay Bots (Container on vmsrv)
  • 172.30.6.38 Sean's pihole
  • 172.30.6.39 Ben's VM on vmsrv
  • 172.30.6.40 vmsrv
  • 172.30.6.41 tftp server for IPXE boot option
  • 172.30.6.42 Pablodraw VM - http://picoe.ca/pablodraw/ for the client.
  • 172.30.6.43 Access Control and camera management workstation
  • 172.30.6.50-53 Chris Otto Servers
  • 172.30.6.100-240 Main router DHCP space
  • 172.30.6.241-254 VPN IPs
    • 172.30.6.245 - sean VPN IP (sean cody)
    • 172.30.6.247 - cchilds VPN IP
    • 172.30.6.248 - jordansamulaitis VPN IP
    • 172.30.6.249 - gygar VPN IP
    • 172.30.6.250 - nwild VPN IP
    • 172.30.6.251 - cstanners-router VPN IP
    • 172.30.6.252 - odin VPN IP
    • 172.30.6.254 - cstanners VPN IP
  • 172.30.7.1 Micro-tik Router (WIFI VLAN)
  • 172.30.8.0/24 Virtual Machine Server (vmsrv) static LAN (no DHCP, reserve here)
  • 172.30.9.0/24 Management network
    • 172.30.9.2 Extreme networks Summit 400-48t switch
    • 172.30.9.5 HP DL380e Gen8 iLO.
    • 172.30.9.30 vmsrv


  • 10.152.152.0/24 whonix.skull.space LAN side behind Whonix gateway (isolated network virbr2 on vmsrv)
    • 10.152.152.10 Whonix gateway, a full KVM vm on vmsrv, acts as gateway/default route and nameserver
    • 10.152.152.51 Whonix ssh login portal for TCP port forwarding (also present as 172.30.8.4)
  • 10.50.31.0/24 TheLEDSign LAN
    • 10.50.31.16 The Sign
    • 10.50.31.17 The controlling container (vmsrv)
  • 10.50.32.0/30 Mark project private Point to Point link LAN
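An added example (not from the wiki) that checks an address inventory against the 172.30.6.x plan from "New IP Ranges": each listed host is mapped to the role the plan gives its address, and entries whose stated role disagrees (for instance VMs sitting in the printer range, or switches at .2/.3 outside any planned range) are reported, along with any address claimed twice. The INVENTORY entries are constructed from this page's "Current 172.30/16" list.

```python
import ipaddress

# Planned host-number ranges for 172.30.6.0/24, as documented in "New IP Ranges".
PLAN = {
    "router": (1, 1),
    "network gear": (10, 29),
    "printers": (30, 39),
    "servers/VMs": (40, 99),
    "DHCP": (100, 240),
    "VPN": (241, 254),
}
MAIN_NET = ipaddress.ip_network("172.30.6.0/24")


def plan_role(ip: str) -> str:
    """Return the role the plan assigns to a 172.30.6.x host, or 'unplanned'."""
    addr = ipaddress.ip_address(ip)
    if addr not in MAIN_NET:
        raise ValueError(f"{ip} is outside {MAIN_NET}")
    host = int(addr) - int(MAIN_NET.network_address)
    for role, (lo, hi) in PLAN.items():
        if lo <= host <= hi:
            return role
    return "unplanned"


# Constructed sample inventory: (ip, role as the "Current 172.30/16" list describes it).
INVENTORY = [
    ("172.30.6.1", "router"),
    ("172.30.6.2", "network gear"),   # SkullSpace-External switch
    ("172.30.6.10", "network gear"),  # WAP-A
    ("172.30.6.31", "servers/VMs"),   # vmsrv92
    ("172.30.6.33", "servers/VMs"),   # UniFi controller container
    ("172.30.6.40", "servers/VMs"),   # vmsrv
    ("172.30.6.150", "DHCP"),         # a DHCP lease
    ("172.30.6.245", "VPN"),          # sean VPN IP
]


def audit(inventory):
    """Return (ip, declared_role, planned_role) for entries that contradict the plan."""
    findings = []
    for ip, declared in inventory:
        planned = plan_role(ip)
        if planned != declared:
            findings.append((ip, declared, planned))
    return findings


def duplicates(inventory):
    """Return addresses listed more than once (two entries claiming one IP)."""
    seen, dups = set(), []
    for ip, _ in inventory:
        if ip in seen and ip not in dups:
            dups.append(ip)
        seen.add(ip)
    return dups
```

Running `audit(INVENTORY)` on the constructed list reports .2 as unplanned and .31/.33 as VMs parked in the printer range, which are the entries to reconcile first when the page is next updated.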

Access Controls and Cameras 192.168.1.0/24

  • 192.168.1.1 - Win7 Blue Iris station 00:13:3b:0e:21:cb
  • 192.168.1.2 - TPLink PoE switch ac:15:a2:30:b6:d3
  • 192.168.1.3 - Lubuntu 22.04 virtualization host
  • 192.168.1.4 - Mark test record LXD container
  • 192.168.1.100 - WinXP virtual machine, Kantech access control management
  • 192.168.1.101 - Camera, 00:50:1a:04:2D:B1, IQ541S
  • 192.168.1.103 - Camera 00:50:1a:01:7c:c4
  • 192.168.1.105 - Camera 00:50:1a:01:84:fd
  • 192.168.1.250 - Access control serial port relay
  • other cameras undocumented

IP Usage

LES IP Delegation

IPv4
Allocation 208.81.6.224/27 (255.255.255.224).
208.81.6.225 Gateway
208.81.6.226, 208.81.6.227 RESERVED for LES.net usage.
DNS1: 208.81.7.10
DNS2: 208.81.7.14
IPv6
Allocation 2605:e200:c212::/48
2605:e200:c201:2::4 Gateway
DNS1:  2605:e200:53:2::

{| class="wikitable"
|-
! IP
! DNS
! Use
! Contact
! Used by?
! Reason for public IP and notes
|-
| 208.81.6.224 || TBD || LES.net Network || porting AT les DOT net || all machines || required by network design
|-
| 208.81.6.225 || TBD || LES.net Gateway || porting AT les DOT net || all machines || required by network design
|-
| 208.81.6.226 || TBD || LES.net RESERVED || porting AT les DOT net || all machines || required by network design
|-
| 208.81.6.227 || TBD || LES.net RESERVED || porting AT les DOT net || all machines || required by network design
|-
| 208.81.6.228 || TBD || Skullspace Router || it AT skullspace.ca || Skullspace LAN ||
|-
| 208.81.6.229 || TBD || ns1.skullspace.ca || it AT skullspace.ca || Skullspace DNS ||
|-
| 208.81.6.230 || vmsrv.skullspace.ca || Virtual Machine Server vmsrv || mark AT markjenkins DOT ca || VM server open to all members. || Running an http proxy to allow this one IP address to host many web servers, and doing TCP port forwarding to allow many different virtual servers to share this one IP address
|-
| 208.81.6.231 || ripe.skullspace.ca || RIPE Probe || colin AT insecure DASH complexity DOT ca || ||
|-
| 208.81.6.232 || shell.skull.space || shell.skull.space || mark AT markjenkins DOT ca || Shell accounts for all members. || Being able to bind to port 22 vs having some other port forwarded by vmsrv.skullspace.ca will make this much easier to get users for. Plus, Mak has brought with him many users from his own system where he used to have his own users with shell accounts. They're already used to port 22 and a different hostname pointing here. Leaving that alone will help keep them. That old system was taking up its own IP address anyway.
|-
| 208.81.6.233 || mail.skull.space || SkullMail email forwarding service || mark AT markjenkins DOT ca || ||
|-
| 208.81.6.234 || nessus.skullspace.ca || SkullSpace Nessus scanner || alexwebr at gmail dot com || || If it shared an IP with other infrastructure, tools like Fail2Ban could block more than intended
|-
| 208.81.6.235 || tmp.skullspace.ca || Temporary address || Open to anyone || || Check before use, use briefly. Example use: migration of the skullspace.ca website on skullhost when vmsrv is being serviced.
|-
| 208.81.6.236 || || || || ||
|-
| 208.81.6.237 || broot.ca || Personal webserver, Git, DNS, mail || Alex Weber <alexwebr@gmail.com> || Nothing. || Can be moved elsewhere if we need IP space back. Makes life easier if it has its own IP. If Sksp infrastructure needs an IP, this can go.
|-
| 208.81.6.238 || (domain name pending) || For handling migration of skullspace websites by way of DNS || Mark Jenkins <mark@parit.ca> || Ubuntu 18.04 vm hosted on sksp-virt3-1 || Website hosting, on a separate physical host from vmsrv.skullspace.ca
|-
| 208.81.6.239 || || || || ||
|-
| 208.81.6.240 || loki.madcowlabs.com || loki.madcowlabs.com || cotto at ieee point org || Chris's Server || Experimental development project server
|-
| 208.81.6.241 || || || || ||
|-
| 208.81.6.242 || library.skullspace.ca || The Evergreen server for the (experimental) SkullSpace library || Alex (alexwebr@gmail.com) || SkullSpace || Uses WebSockets, and WebSockets need a legitimate SSL certificate?
|-
| 208.81.6.243 || || || || ||
|-
| 208.81.6.244 || || || || ||
|-
| 208.81.6.245 || || || || ||
|-
| 208.81.6.246 || || new irc.skull.space testing || || ||
|-
| 208.81.6.247 || irc.skull.space || IRC server - /knock #admin || Abuse: alexwebr@gmail.com or mark@parit.ca (not owned by Alex/Mark though) || members & the public || Running an ircd - not easy to proxy to a private address
|-
| 208.81.6.248 || lab.intarweb.ca || lab.intarweb.ca || sean AT tinfoilhat.ca || Sean Cody || Sean Cody
|-
| 208.81.6.249 || lab.intarweb.ca || lab.intarweb.ca || sean AT tinfoilhat.ca || Sean Cody || Sean Cody
|-
| 208.81.6.250 || lab.intarweb.ca || lab.intarweb.ca || sean AT tinfoilhat.ca || Sean Cody || Sean Cody
|-
| 208.81.6.251 || tmp.intarweb.ca || tmp.intarweb.ca, temporary rsync issues test. || sean AT tinfoilhat.ca || Sean Cody || Sean Cody
|-
| 208.81.6.252 || amsler.ca || Production Appserver / Personal Webspace || edwinguy_gmail || Skullspace LAN || Edwin Amsler
|-
| 208.81.6.253 || intarweb.ca || intarweb.ca || sean AT tinfoilhat.ca || Sean Cody || Sean Cody
|-
| 208.81.6.254 || || || || ||
|-
| 208.81.6.255 || TBD || LES.net Broadcast || LES.net || all machines || required by network design
|}

VOI IP Delegation

VOI gave us 206.220.196.48/28 (mask 255.255.255.240) and 206.220.193.64/29 (mask 255.255.255.248), as well as 2604:4280:1:c0de::/64. You must reserve IPs here before using them, and you'll need to plug into the new VOI-Static switch, currently a Cisco in the 'top' rack.

{| class="wikitable"
|-
! IP
! DNS (Fwd / Rev)
! Use
! Contact
! Used by? / since
! Reason for public IP and notes
|-
| 206.220.193.65 || TBD || VOI router || VOI || all machines || required by network design
|-
| 206.220.193.66 || || || || ||
|-
| (IP not listed) || || || || ||
|-
| 206.220.193.68 || || || || ||
|-
| 206.220.193.69 || || Richard's Server || rjr point work at gmail || || development server, potentially Starbound server
|-
| 206.220.193.70 || || || || ||
|-
| 206.220.196.49 || Fwd: h49-skullspace.winnipeg.voinetworks.net. / Rev: h49-skullspace.winnipeg.voinetworks.net. || VOI Mikrotik RB750? router || VOI Networks || now || required by network design
|-
| 206.220.196.50 || || Sksp Main Router || it@skullspace.ca || ||
|-
| 206.220.196.51, 2604:4280:1:c0de::53; also 2604:4280:1:c0de::80 (relay/proxy v6 to v4 for www.skullspace.ca, testing) and 2604:4280:1:c0de::81 (relay/proxy v6 to v4 for wiki.skullspace.ca, testing) || Fwd: ns1.skullspace.ca (Pending) / Rev: ns1.skullspace.ca (Pending) || SKSP DNS || it@skullspace.ca || 2014-10-08 || Skullspace Primary DNS Server
|-
| 206.220.196.52 || Fwd: <several> / Rev: mail.nepharia.org || Vobster Nepharia Services || mak@kolybabi.com and dave@ysarro.com || 2012-02-17 || Runs DNS, SMTP/IMAP, OpenVPN, Asterisk, SSH & IRC, and HTTP for Nepharia and its associated domains.
|-
| 206.220.196.53 || Fwd: <several> / Rev: mail.skullspace.ca || Vobster SkullSpace Services || mak@kolybabi.com and dave@ysarro.com || 2012-02-17 || Runs DNS, SMTP/IMAP, SSH & IRC, and HTTP for SkullSpace.
|-
| 206.220.196.54 || Fwd: ctf.skullspace.ca / Rev: ctf.skullspace.ca || Vobster CTF Services || mak@kolybabi.com and dave@ysarro.com || 2013-04-09 ||
|-
| 206.220.196.55 || || Edwin Amsler || edwinguy at gmail dot calm || 2015-02-23 ||
|-
| 206.220.196.56 || || Colin / Jeremy FreeBSD server || phoul@insecure-complexity.com || 2013-10-01 ||
|-
| 206.220.196.57 || || || || ||
|-
| 206.220.196.58, 2604:4280:1:c0de::314 || Fwd: intarweb.ca / Rev: || Sean's server. || sean _at_ tinfoilhat _dot_ ca || 2013-09-27 || L2TP etc.
|-
| 206.220.196.59 || || || || ||
|-
| 206.220.196.60 || || Colin's project server || CStanners @ gmail || Occasional || IPv6, VPN services and testing
|-
| 206.220.196.61 || || Ben's server || ben@benbergman.ca || 2012-12-18 || http/ssh/vpn/other
|-
| 206.220.196.62 || Fwd: dangerzone.skullspace.ca / Rev: dangerzone.skullspace.ca || The Danger Zone || ctfadmin@ || 2012-06-01 || The home of the SkullSpace Teaching CTF.
|}

Access

All members currently have full access to all devices. Later it may be a good idea to use separate full-access passwords on all devices, restricted to NetOps and available on request, with the read-only password publicly known among our members.