Networking: Difference between revisions

From London Hackspace Wiki
(→‎WiFi: spacenet dead)
mNo edit summary
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
This is the networking page for [[Ujima House]] the 2018-era location for London Hackspace.   
This is the networking page for [[Ujima House]] the 2018-era location for London Hackspace.   


[https://docs.google.com/spreadsheets/d/1yXoXvN4f0eSfvr0qpTlkhE1zDenRcv1D48XaBu3FVlc/edit?usp=sharing LHS Infrastructure Mega-Sheet infrastructure planning document] is an active WIP document.
'''We want your help!''' Please reach out on the [https://kiwiirc.com/nextclient/#irc://irc.libera.chat/#london-hack-space-infrastructure LHS Infrastructure IRC channel] or post on the [https://groups.google.com/forum/#!forum/london-hack-space-infrastructure London Hackspace Infrastructure Google Group] if you'd like to get involved.  


'''We want your help!''' Please reach out on the [https://kiwiirc.com/nextclient/#irc://irc.freenode.net/#london-hack-space-infrastructure LHS Infrastructure IRC channel] or post on the [https://groups.google.com/forum/#!forum/london-hack-space-infrastructure London Hackspace Infrastructure Google Group] if you'd like to get involved.
For historical comparison, please refer to [[447 Networking]].
 
The infrastructure planning document used during the move is located here for reference but is largely out of date: [https://docs.google.com/spreadsheets/d/1yXoXvN4f0eSfvr0qpTlkhE1zDenRcv1D48XaBu3FVlc/edit?usp=sharing LHS Infrastructure Mega-Sheet infrastructure planning document]


For historical comparison, please refer to [[447 Networking]].
== Our ISP ==
== Our ISP ==
The landlord-provided IP connectivity provider is a Gigabit fibre line from Onega -> Exponential-E -> OpenReach [https://www.exponential-e.com/business-internet-leased-lines Exponential-E] . For support and queries we need to go through [https://www.onega.net/ Onega] / Landlord. See below for IP address information. Currently the line is set to provide 500Mbps of symmetrical bandwidth upstream and downstream via IPV4 and IPV6. Others in the building share the line but are not heavy users.  
The landlord-provided IP connectivity provider is a Gigabit fibre line from Onega -> Exponential-E -> OpenReach [https://www.exponential-e.com/business-internet-leased-lines Exponential-E] . For support and queries we need to go through [https://www.onega.net/ Onega] / Landlord. See below for IP address information. Currently the line is set to provide 500Mbps of symmetrical bandwidth upstream and downstream via IPV4 and IPV6. Others in the building share the line but are not heavy users.  
Line 15: Line 16:
An example check with BT using the address for "Honeypot Nursery, Ujima House, 388 High Road, Wembley, HA9 6AR" we see BT Infinity 2 (76Mbit/19Mbit up) is available.  Honeypot Nursery formerly occupied the Wembley ground floor LHS space and is about 350 feet from the [https://availability.samknows.com/broadband/exchange/LWWEM LWWEM Wembley Exchange] but seems to actually get service from [https://availability.samknows.com/broadband/exchange/LWNWEM LWNWEM] instead.
An example check with BT using the address for "Honeypot Nursery, Ujima House, 388 High Road, Wembley, HA9 6AR" we see BT Infinity 2 (76Mbit/19Mbit up) is available.  Honeypot Nursery formerly occupied the Wembley ground floor LHS space and is about 350 feet from the [https://availability.samknows.com/broadband/exchange/LWWEM LWWEM Wembley Exchange] but seems to actually get service from [https://availability.samknows.com/broadband/exchange/LWNWEM LWNWEM] instead.


== IP's ==
== IP range ==


We have opted for a more flexible and expansive 10.W.X.Y IP range rather than the old [https://wiki.hamburg.ccc.de/ChaosVPN:IPRanges#Standard_Subnets ChaosVPN-compatible range] we had before.  We released our reserved block on the ChaosVPN wiki on 24 September 2018.
We have opted for a more flexible and expansive 10.W.X.Y IP range rather than the old [https://wiki.hamburg.ccc.de/ChaosVPN:IPRanges#Standard_Subnets ChaosVPN-compatible range] we had before.  We released our reserved block on the ChaosVPN wiki on 24 September 2018.
Line 26: Line 27:


IP and VLAN documentation can be found on [[Networking/VLANs|VLANs]].
IP and VLAN documentation can be found on [[Networking/VLANs|VLANs]].


== TLS ==
== TLS ==


Ideally we've migrated everything to LetsEncrypt unless we're doing internal network / infrastructure SSL trust/validation, but all TBD.
Ideally we've migrated everything to LetsEncrypt unless we're doing internal network / infrastructure SSL trust/validation.


There is a list of our legacy certificates here [[Networking/TLSCerts]]
There is a list of our legacy certificates here [[Networking/TLSCerts]]
Line 36: Line 36:
== WiFi ==
== WiFi ==


We have 6 [https://www.cisco.com/c/en/us/support/wireless/aironet-3500i-access-point/model.html Cisco Aironet 3502i access points], being provisioned for [[Ujima House]]:
We have a number of [https://www.cisco.com/c/en/us/support/wireless/aironet-3500i-access-point/model.html Cisco Aironet 3502i access points] setup at [[Ujima House]]:
 
* 1f-ap1 - near the kitchen area and Tesla
* 1f-ap2 - in the desks area
* 1f-ap3 - in the classroom ceiling
 
The IOS is moderately up to date as of August 2018.


We have 3 SSID's:
We have 3 SSID's:
Line 50: Line 44:
* LondonHackspace-IOT - for future plans involving sensors
* LondonHackspace-IOT - for future plans involving sensors


All networks are 2.4 and 5GHz with the access points configured to push you towards 5ghz where you will probably get a better experience due to more bandwidth being available


All networks are 2.4 and 5GHz with the access points configured to push you towards 5ghz where you will probably get a better experience due to more bandwidth being available
All access point configuration should be backed up to the [https://github.com/londonhackspace/oxidized oxidized repository] (available to sysadmins team)


== Layer 2 ==
== Layer 2 ==
Line 59: Line 54:
The connectivity is set to allow everyone in the building full access to the Internet at full speed (ie if you are the only user online then you should get close to 500Mbps up and down on a speedtest site). The line is subject to fair and legal use but as long as no one abuses the connection or monopolises it then you can basically fill your boots (or SSDs). A 3.5 Gbyte Debian ISO DVD will download in approx 3 minutes. Please note that you should not download copyright materials from the web / torrent sites (movies etc.) as these are traceable by IP and it's also not a nice thing to do (unless you've paid for them legally)... more seriously that could lead to being cut off on a three strikes basis which we don't want to risk. There is no external rate shaping or packet inspection done on traffic at the ISP level unless there is any odd activity / complaints. Ben from Onega also happens to be a London Hackspace member so we should get helpful service to any reasonable requests. If / when needed the line could also be upgraded to the full Gigabit, or indeed to 10Gbps connectivity but right now the marginal cost would not be worth it given historic and current observed bandwidth levels.  
The connectivity is set to allow everyone in the building full access to the Internet at full speed (ie if you are the only user online then you should get close to 500Mbps up and down on a speedtest site). The line is subject to fair and legal use but as long as no one abuses the connection or monopolises it then you can basically fill your boots (or SSDs). A 3.5 Gbyte Debian ISO DVD will download in approx 3 minutes. Please note that you should not download copyright materials from the web / torrent sites (movies etc.) as these are traceable by IP and it's also not a nice thing to do (unless you've paid for them legally)... more seriously that could lead to being cut off on a three strikes basis which we don't want to risk. There is no external rate shaping or packet inspection done on traffic at the ISP level unless there is any odd activity / complaints. Ben from Onega also happens to be a London Hackspace member so we should get helpful service to any reasonable requests. If / when needed the line could also be upgraded to the full Gigabit, or indeed to 10Gbps connectivity but right now the marginal cost would not be worth it given historic and current observed bandwidth levels.  


Our core router connecting this connection is [[Equipment/Boole|Boole]].  
Our core router connecting this connection is [[Equipment/Norton|Norton]] which runs pfSense CE.


{| class="wikitable"
{| class="wikitable"
Line 76: Line 71:
|}
|}


=== VDSL2 Provider ===
=== Network Switches ===
There is potential to use the wiring in the 3rd floor server room for VDSL circuits. Details TBD.
 
=== Local Network ===


Hopefully we'll have a consistent infrastructure - similar switches for both normal and PoE ethernet, etc.
There are currently three managed switches serving the space:
* gf-coreswitch - Cisco WS-C2960S-48FPD-L located ???
* gf-woodshopsw - Cisco WS-C3560-24PS located in the woodshop
* gf-replacement-workshop - Cisco WS-C3560V2-24TS located in the metal shop


Very much '''still a work in progress'':
All switches are currently running old firmware and don't support modern cyphers the following ssh arg is required: <code>-oKexAlgorithms=+diffie-hellman-group1-sha1</code>


* GF Metal Workshop POE / 10.0.10.17
All switch configuration should be backed up to the [https://github.com/londonhackspace/oxidized oxidized repository] (available to sysadmins team)
* [[Equipment/CoreSwitch|Core Switch]]
* [[Equipment/1F-POE|1st Floor, PoE]]
* [[Equipment/1F-Floorports|1st Floor, Floor Port Switches]]


=== ToDo ===
=== ToDo ===
Line 97: Line 89:


Please note that we adhere to the TIA-568B standard of wiring in the London Hackspace connectivity. This is consistent with the existing wiring as well as historic best practices of London Hackspace.  Go with (568)B, because Bees are Better.
Please note that we adhere to the TIA-568B standard of wiring in the London Hackspace connectivity. This is consistent with the existing wiring as well as historic best practices of London Hackspace.  Go with (568)B, because Bees are Better.
The current state of the network patching is being mapped via a [https://docs.google.com/spreadsheets/d/1-rRVlC1wekyFSl9KzApw9KUawMHdcYTQh1nqou1y_b4/edit?usp=sharing Google Sheet]


=== Ground Floor ===
=== Ground Floor ===
Line 127: Line 121:
The third floor is not ours and we (London Hackspace) do not have easy access to it for many changes.  The server room on the third floor is the external demarcation point for the building - the building's existing internet connection is available here along with BT [https://en.wikipedia.org/wiki/British_telephone_socket NTE] (s?) and [https://en.wikipedia.org/wiki/Krone_LSA-PLUS krone] frames.
The third floor is not ours and we (London Hackspace) do not have easy access to it for many changes.  The server room on the third floor is the external demarcation point for the building - the building's existing internet connection is available here along with BT [https://en.wikipedia.org/wiki/British_telephone_socket NTE] (s?) and [https://en.wikipedia.org/wiki/Krone_LSA-PLUS krone] frames.
The uplink cable from the 1st floor appears here.
The uplink cable from the 1st floor appears here.
= Monitoring Services =
There are various monitoring service deployed to keep track of services:
* Grafana has dashboard monitoring various services - [https://stats.london.hackspace.org.uk/d/OfmvriWnz/mqtt?orgId=1&search=open stats.london.hackspace.org.uk]
* An MQTT dashboard for the AC Node / Door system [https://acnode-dash.london.hackspace.org.uk/ acnode-dash.london.hackspace.org.uk]


[[Category:Premises]]
[[Category:Premises]]
[[Category:Infrastructure]]
[[Category:Infrastructure]]
[[Category:Update Needed]]
[[Category:Update Needed]]

Latest revision as of 17:32, 31 October 2021

This is the networking page for Ujima House the 2018-era location for London Hackspace.

We want your help! Please reach out on the LHS Infrastructure IRC channel or post on the London Hackspace Infrastructure Google Group if you'd like to get involved.

For historical comparison, please refer to 447 Networking.

The infrastructure planning document used during the move is located here for reference but is largely out of date: LHS Infrastructure Mega-Sheet infrastructure planning document

Our ISP

The landlord-provided IP connectivity provider is a Gigabit fibre line from Onega -> Exponential-E -> OpenReach Exponential-E . For support and queries we need to go through Onega / Landlord. See below for IP address information. Currently the line is set to provide 500Mbps of symmetrical bandwidth upstream and downstream via IPV4 and IPV6. Others in the building share the line but are not heavy users.

  • What is the broadband availability at the place? Is there fibre already for our own dedicated connection?

According to the SamKnows broadband checker, we can get BT Openreach FTTC and FTTP service but not cable-based broadband.

An example check with BT using the address for "Honeypot Nursery, Ujima House, 388 High Road, Wembley, HA9 6AR" we see BT Infinity 2 (76Mbit/19Mbit up) is available. Honeypot Nursery formerly occupied the Wembley ground floor LHS space and is about 350 feet from the LWWEM Wembley Exchange but seems to actually get service from LWNWEM instead.

IP range

We have opted for a more flexible and expansive 10.W.X.Y IP range rather than the old ChaosVPN-compatible range we had before. We released our reserved block on the ChaosVPN wiki on 24 September 2018.

DNS and DHCP

Currently running pfSense's DNS and DHCP implementation on Norton

IP and VLAN documentation

IP and VLAN documentation can be found on VLANs.

TLS

Ideally we've migrated everything to LetsEncrypt unless we're doing internal network / infrastructure SSL trust/validation.

There is a list of our legacy certificates here Networking/TLSCerts

WiFi

We have a number of Cisco Aironet 3502i access points setup at Ujima House:

We have 3 SSID's:

  • LHS Guest - network for visitors and anyone without an LDAP account
  • spacenet - part of the SpaceFED Federated inter-hackerspace wifi network. Not currently working. Radius server down and project appears dead.
  • LondonHackspace-IOT - for future plans involving sensors

All networks are 2.4 and 5GHz with the access points configured to push you towards 5ghz where you will probably get a better experience due to more bandwidth being available

All access point configuration should be backed up to the oxidized repository (available to sysadmins team)

Layer 2

Managed Building Fibre Connection

There is a fibre provided internet connection managed by the landlord and included in our rent. The building is being serviced by a shared 500 megabit via Onega portioned out to various tenants in the building. The actual IP connectivity provider looks to be Exponential-E but we need to go through Onega / Landlord if there are any issues/questions.

The connectivity is set to allow everyone in the building full access to the Internet at full speed (ie if you are the only user online then you should get close to 500Mbps up and down on a speedtest site). The line is subject to fair and legal use but as long as no one abuses the connection or monopolises it then you can basically fill your boots (or SSDs). A 3.5 Gbyte Debian ISO DVD will download in approx 3 minutes. Please note that you should not download copyright materials from the web / torrent sites (movies etc.) as these are traceable by IP and it's also not a nice thing to do (unless you've paid for them legally)... more seriously that could lead to being cut off on a three strikes basis which we don't want to risk. There is no external rate shaping or packet inspection done on traffic at the ISP level unless there is any odd activity / complaints. Ben from Onega also happens to be a London Hackspace member so we should get helpful service to any reasonable requests. If / when needed the line could also be upgraded to the full Gigabit, or indeed to 10Gbps connectivity but right now the marginal cost would not be worth it given historic and current observed bandwidth levels.

Our core router connecting this connection is Norton which runs pfSense CE.

Setting IP Address Value IPv6
IP Address 167.98.98.227 2a00:1d40:1843:100::1
Subnet 255.255.255.248 2a00:1d40:1843:100::/64 externally, 2a00:1d40:1843:180::/57 internally
Gateway 167.98.98.226 167.98.98.225 2a00:1d40:1843:100::
DNS1 62.244.176.176 2a00:1d40:ee:176::176
DNS2 62.244.177.177 2a00:1d40:ee:177::177

Network Switches

There are currently three managed switches serving the space:

  • gf-coreswitch - Cisco WS-C2960S-48FPD-L located ???
  • gf-woodshopsw - Cisco WS-C3560-24PS located in the woodshop
  • gf-replacement-workshop - Cisco WS-C3560V2-24TS located in the metal shop

All switches are currently running old firmware and don't support modern cyphers the following ssh arg is required: -oKexAlgorithms=+diffie-hellman-group1-sha1

All switch configuration should be backed up to the oxidized repository (available to sysadmins team)

ToDo

See Networking Todo.

Layer 1 (Physical Wiring)

Please note that we adhere to the TIA-568B standard of wiring in the London Hackspace connectivity. This is consistent with the existing wiring as well as historic best practices of London Hackspace. Go with (568)B, because Bees are Better.

The current state of the network patching is being mapped via a Google Sheet

Ground Floor

In the woodworking room, there's a comms cabinet with patch panels for several wallports. The CNC room - former nursery - had almost no networking, and very few power outlets. A wallport has been installed on the ceiling, having re-routed two network sockets from the kitchen area above. The remainder of the sockets in the patch panels are fair game. We will need a network switch in that cabinet, because the existing one there is probably unsuitable due to it's use by Brent Council.

Two ports have been rerouted from the 1st floor kitchen where they're unlikely to be needed, to the ceiling in the corner of the ground floor CNC room - where we require some networking.

Patch Panel

The Ground floor patch panel in the woodworking room is shared responsibility. Due to one room on the ground floor being used by Brent Council - they have their own networking equipment and run from the 3rd floor comms room. Two new purple jacketed cat6 cables to 1st floor comms room.

First Floor

London Hackspace formerly rented the first floor as well as the ground floor of Ujima House. The server room used to be on the 1st floor. There is now a straight-through patch above the former server room there to the ground floor. Any mention of patch panels or cabinets on the first floor are now unrelated to London Hackspace.

Rough diagram showing path of network cables above the ceiling of the 1st floor.
  • The rack is a Dataracks 303 series variable depth cabinet. Accessories are available from Dataracks though this model is discontinued.
  • Two new purple jacketed cat6 cables from the ground floor cabinet to the 1st floor server room, run in on 2018-07-10. They go up a riser in the north east corner and then run above the ceiling tiles into the server room, in cable tray for some of the way. See image.
  • Two new purple jacketed cat6 cables from the 1st floor server room to the third floor server room, run in on 2018-07-14, to replace poorly installed series of cables by building ISP.
  • A single grey jacketed Cat5e (?) uplink cable from the first to third floor server room. Deemed to be poor quality.

Patch Panel

  • Previous tenants had removed their patch panel from the 1st floor comms room, All 1st floor wallports have been re-termianted. Currently up to port 122 on wallports terminated and tested. Some cables are missing, some are damaged, these are labelled on the patch panels.
  • Ceiling runs for WiFi access points and cameras on 1st floor are numbered 1/123 onwards. These will probably all require connecting to a PoE switch.
  • Inter-floor links are terminated on a 1U patch panel at the top of the cabinet.

Third Floor

View inside the third floor server room showing legacy Meridian PBX parts

The third floor is not ours and we (London Hackspace) do not have easy access to it for many changes. The server room on the third floor is the external demarcation point for the building - the building's existing internet connection is available here along with BT NTE (s?) and krone frames. The uplink cable from the 1st floor appears here.

Monitoring Services

There are various monitoring service deployed to keep track of services: