Difference between revisions of "Networking"

From London Hackspace Wiki
m (→‎IP's: Noted subnets and said no-more-ChaosVPN)
m
 
(37 intermediate revisions by 8 users not shown)
Line 1: Line 1:
This is the networking page for [[Ujima House]] the 2018-era planned location for London Hackspace.  [https://docs.google.com/spreadsheets/d/1yXoXvN4f0eSfvr0qpTlkhE1zDenRcv1D48XaBu3FVlc/edit?usp=sharing An active IT infrastructure planning document] is being worked on in Google Sheets.
+
This is the networking page for [[Ujima House]] the 2018-era location for London Hackspace.   
  
'''We want your help!''' Please reach out on the [https://kiwiirc.com/nextclient/#irc://irc.freenode.net/#london-hack-space-infrastructure LHS Infrastructure IRC channel] or post on the [https://groups.google.com/forum/#!forum/london-hack-space-infrastructure London Hackspace Infrastructure Google Group] if you'd like to get involved.  
+
'''We want your help!''' Please reach out on the [https://kiwiirc.com/nextclient/#irc://irc.libera.chat/#london-hack-space-infrastructure LHS Infrastructure IRC channel] or post on the [https://groups.google.com/forum/#!forum/london-hack-space-infrastructure London Hackspace Infrastructure Google Group] if you'd like to get involved.  
  
 
For historical comparison, please refer to [[447 Networking]].
 
For historical comparison, please refer to [[447 Networking]].
 +
 +
The infrastructure planning document used during the move is located here for reference but is largely out of date: [https://docs.google.com/spreadsheets/d/1yXoXvN4f0eSfvr0qpTlkhE1zDenRcv1D48XaBu3FVlc/edit?usp=sharing LHS Infrastructure Mega-Sheet infrastructure planning document]
 +
 
== Our ISP ==
 
== Our ISP ==
 +
The landlord-provided IP connectivity provider is a Gigabit fibre line from Onega -> Exponential-E -> OpenReach [https://www.exponential-e.com/business-internet-leased-lines Exponential-E] . For support and queries we need to go through [https://www.onega.net/ Onega] / Landlord. See below for IP address information. Currently the line is set to provide 500Mbps of symmetrical bandwidth upstream and downstream via IPV4 and IPV6. Others in the building share the line but are not heavy users.
  
* '''What is the broadband availability at the place? Is there fibre already?'''   
+
* '''What is the broadband availability at the place? Is there fibre already for our own dedicated connection?'''   
  
 
According to the [https://availability.samknows.com/broadband/broadband_checker SamKnows broadband checker], we can get BT Openreach FTTC and FTTP service but not cable-based broadband.  
 
According to the [https://availability.samknows.com/broadband/broadband_checker SamKnows broadband checker], we can get BT Openreach FTTC and FTTP service but not cable-based broadband.  
  
An example check with BT using the address for "Honeypot Nursery, Ujima House, 388 High Road, Wembley, HA9 6AR" we see BT Infinity 2 (76Mbit/19Mbit up) is available.  Honeypot Nursery formerly occupied the proposed LHS location and is about 350 feet from the [https://availability.samknows.com/broadband/exchange/LWWEM LWWEM Wembley Exchange] but seems to actually get service from [https://availability.samknows.com/broadband/exchange/LWNWEM LWNWEM] instead.
+
An example check with BT using the address for "Honeypot Nursery, Ujima House, 388 High Road, Wembley, HA9 6AR" we see BT Infinity 2 (76Mbit/19Mbit up) is available.  Honeypot Nursery formerly occupied the Wembley ground floor LHS space and is about 350 feet from the [https://availability.samknows.com/broadband/exchange/LWWEM LWWEM Wembley Exchange] but seems to actually get service from [https://availability.samknows.com/broadband/exchange/LWNWEM LWNWEM] instead.
  
* '''Where do the Ethernet cables pictured in photos 21 and 'ground floor cabinet' go?'''
+
== IP range ==
  
Unknown at this time - we'll need to trace where they go in our next visit.  
+
We have opted for a more flexible and expansive 10.W.X.Y IP range rather than the old [https://wiki.hamburg.ccc.de/ChaosVPN:IPRanges#Standard_Subnets ChaosVPN-compatible range] we had before.  We released our reserved block on the ChaosVPN wiki on 24 September 2018.
  
== IP's ==
+
== DNS and DHCP ==
  
We have opted for a more flexible and expansive 10.20.X.Y IP range rather than the old [https://wiki.hamburg.ccc.de/ChaosVPN:IPRanges#Standard_Subnets ChaosVPN-compatible range] we had before.
+
Currently running pfSense's DNS and DHCP implementation on [[Equipment/Norton|Norton]]
  
== DNS ==
+
== IP and VLAN documentation ==  
  
TBD -
+
IP and VLAN documentation can be found on [[Networking/VLANs|VLANs]].
 
 
== DHCP ==
 
 
 
TBD -
 
 
 
== IP Allocations ==
 
 
 
TBD -
 
  
 
== TLS ==
 
== TLS ==
  
Ideally we've migrated everything to LetsEncrypt unless we're doing internal network / infrastructure SSL trust/validation, but all TBD.
+
Ideally we've migrated everything to LetsEncrypt unless we're doing internal network / infrastructure SSL trust/validation.
  
 
There is a list of our legacy certificates here [[Networking/TLSCerts]]
 
There is a list of our legacy certificates here [[Networking/TLSCerts]]
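Review bot: the new "IP range" paragraph replaces the concrete 10.20.X.Y prefix of the previous revision with the placeholder letters "10.W.X.Y" but does not say where the real allocation is recorded; since the same hunk introduces the "IP and VLAN documentation" heading, point readers there (e.g. "current allocations are on [[Networking/VLANs|VLANs]]") so the placeholder is not read as the whole answer. The "DNS and DHCP" line ("Currently running pfSense's DNS and DHCP implementation on [[Equipment/Norton|Norton]]") also needs a full stop.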
Line 40: Line 36:
 
== WiFi ==
 
== WiFi ==
  
We have 6 Cisco 3502 access points, being provisioned for [[Ujima House]]:
+
We have a number of [https://www.cisco.com/c/en/us/support/wireless/aironet-3500i-access-point/model.html Cisco Aironet 3502i access points] setup at [[Ujima House]]:
 +
 
 +
We have 3 SSID's:
 +
* LHS Guest - network for visitors and anyone without an LDAP account
 +
* spacenet - part of the [https://spacefed.net/ SpaceFED] Federated inter-hackerspace wifi network. '''Not currently working. Radius server down and project appears dead.'''
 +
** Please setup your [[LDAP]] account to use this - this is the recommended way for members to get online, spacefed config details here: [[LDAP#Any_spacenet_config_hints.3F]]
 +
* LondonHackspace-IOT - for future plans involving sensors
  
* ap-1-kitchen
+
All networks are 2.4 and 5GHz with the access points configured to push you towards 5ghz where you will probably get a better experience due to more bandwidth being available
* ap-1-openspace
 
* ap-1-crafts
 
* ap-g-metal
 
* ap-g-wood
 
* ap-g-lobby
 
  
We have 3 SSID's:
+
All access point configuration should be backed up to the [https://github.com/londonhackspace/oxidized oxidized repository] (available to sysadmins team)
* LondonHackspace - 5ghz default network.
 
* LondonHackspace-24 - As above but 2.4ghz only
 
* spacenet - part of the [https://spacefed.net/ SpaceFED] Federated inter-hackerspace wifi network.
 
** Please setup your [[LDAP]] account to use this and accept the Hackspace SSL certificate we use.  '''Username: yourusername@hack.rs Password: •••••••••'''
 
  
 
== Layer 2 ==
 
== Layer 2 ==
 
=== Managed Building Fibre Connection ===
 
=== Managed Building Fibre Connection ===
There is a fibre provided internet connection managed by the landlord and included in our rent.  The building is being serviced by a shared 300 megabit via [https://www.onega.net/ Onega] portioned out to various tenants in the building. The actual IP connectivity provider looks to be [https://www.exponential-e.com/business-internet-leased-lines Exponential-E] but we need to go through [https://www.onega.net/ Onega] / Landlord if there are any issues/questions.
+
There is a fibre provided internet connection managed by the landlord and included in our rent.  The building is being serviced by a shared 500 megabit via [https://www.onega.net/ Onega] portioned out to various tenants in the building. The actual IP connectivity provider looks to be [https://www.exponential-e.com/business-internet-leased-lines Exponential-E] but we need to go through [https://www.onega.net/ Onega] / Landlord if there are any issues/questions.
 +
 
 +
The connectivity is set to allow everyone in the building full access to the Internet at full speed (ie if you are the only user online then you should get close to 500Mbps up and down on a speedtest site). The line is subject to fair and legal use but as long as no one abuses the connection or monopolises it then you can basically fill your boots (or SSDs). A 3.5 Gbyte Debian ISO DVD will download in approx 3 minutes. Please note that you should not download copyright materials from the web / torrent sites (movies etc.) as these are traceable by IP and it's also not a nice thing to do (unless you've paid for them legally)... more seriously that could lead to being cut off on a three strikes basis which we don't want to risk. There is no external rate shaping or packet inspection done on traffic at the ISP level unless there is any odd activity / complaints. Ben from Onega also happens to be a London Hackspace member so we should get helpful service to any reasonable requests. If / when needed the line could also be upgraded to the full Gigabit, or indeed to 10Gbps connectivity but right now the marginal cost would not be worth it given historic and current observed bandwidth levels.  
  
Our core router connecting this connection is [[Equipment/Boole|Boole]].  
+
Our core router connecting this connection is [[Equipment/Norton|Norton]] which runs pfSense CE.
  
 
{| class="wikitable"
 
{| class="wikitable"
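Review bot: the spacenet bullet is marked "Not currently working. Radius server down and project appears dead." yet the sub-bullet under it still says "this is the recommended way for members to get online"; the two statements conflict, so either drop the recommendation or say what members should use instead, because the list now offers only "LHS Guest" and "LondonHackspace-IOT" as alternatives. Minor: "SSID's" should be "SSIDs", "Radius" should be "RADIUS", and "5ghz" later in the same hunk should match the "2.4 and 5GHz" spelling used on the same line.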
Line 65: Line 60:
 
! Setting !! IP Address Value !! IPv6
 
! Setting !! IP Address Value !! IPv6
 
|-
 
|-
| IP Address || 167.98.98.227 || 2a00:1d40:1843:100::2
+
| IP Address || 167.98.98.227 || 2a00:1d40:1843:100::1
 
|-
 
|-
| Subnet || 255.255.255.248 ||  2a00:1d40:1843:100::/59
+
| Subnet || 255.255.255.248 ||  2a00:1d40:1843:100::/64 externally, 2a00:1d40:1843:180::/57 internally
 
|-
 
|-
| Gateway || 167.98.98.226 || 2a00:1d40:1843:100::
+
| Gateway || <s>167.98.98.226</s> 167.98.98.225 || 2a00:1d40:1843:100::
 
|-
 
|-
 
| DNS1 || 62.244.176.176 || 2a00:1d40:ee:176::176
 
| DNS1 || 62.244.176.176 || 2a00:1d40:ee:176::176
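Review bot: the Gateway row keeps the old address with strikethrough beside the new one ("<s>167.98.98.226</s> 167.98.98.225"), so anyone copying the row or scraping the table gets two IPv4 values in one cell; replace the cell with the current gateway only, since the revision history already preserves the old value. Likewise the Subnet row's IPv6 cell now carries two prefixes ("…100::/64 externally, …180::/57 internally"); a separate "Internal IPv6 prefix" row would keep each cell to one value.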
Line 76: Line 71:
 
|}
 
|}
  
=== VDSL2 Provider ===
+
=== Network Switches ===
There is potential to use the wiring in the 3rd floor server room for VDSL circuits. Details TBD.
 
  
=== Local Network ===
+
There are currently three managed switches serving the space:
 +
* gf-coreswitch - Cisco WS-C2960S-48FPD-L located ???
 +
* gf-woodshopsw - Cisco WS-C3560-24PS located in the woodshop
 +
* gf-replacement-workshop - Cisco WS-C3560V2-24TS located in the metal shop
  
Hopefully we'll have a consistent infrastructure - similar switches for both normal and PoE ethernet, etc.  
+
All switches are currently running old firmware and don't support modern cyphers the following ssh arg is required: <code>-oKexAlgorithms=+diffie-hellman-group1-sha1</code>
 +
 
 +
All switch configuration should be backed up to the [https://github.com/londonhackspace/oxidized oxidized repository] (available to sysadmins team)
  
 
=== ToDo ===
 
=== ToDo ===
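Review bot: the KexAlgorithms line enables diffie-hellman-group1-sha1 (a 1024-bit Diffie-Hellman group with SHA-1) and presents the command-line flag as the fix without noting the trade-off; suggest adding that the option should be confined to the three switch hostnames (for example via a Host stanza in ssh_config) rather than passed on every ssh invocation, and that the firmware upgrade which would remove the need for it belongs on the ToDo list. Minor: "cyphers" should read "ciphers", the sentence needs "so" or a comma before "the following ssh arg is required", and gf-coreswitch is still "located ???".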
Line 88: Line 87:
  
 
== Layer 1 (Physical Wiring) ==
 
== Layer 1 (Physical Wiring) ==
 +
 +
Please note that we adhere to the TIA-568B standard of wiring in the London Hackspace connectivity. This is consistent with the existing wiring as well as historic best practices of London Hackspace.  Go with (568)B, because Bees are Better.
 +
 +
The current state of the network patching is being mapped via a [https://docs.google.com/spreadsheets/d/1-rRVlC1wekyFSl9KzApw9KUawMHdcYTQh1nqou1y_b4/edit?usp=sharing Google Sheet]
  
 
=== Ground Floor ===
 
=== Ground Floor ===
Line 100: Line 103:
  
 
=== First Floor ===
 
=== First Floor ===
 +
London Hackspace formerly rented the first floor as well as the ground floor of Ujima House. The server room used to be on the 1st floor. There is now a straight-through patch above the former server room there to the ground floor. Any mention of patch panels or cabinets on the first floor are now unrelated to London Hackspace.
 +
 
[[File:1st floor network.png|thumbnail|Rough diagram showing path of network cables above the ceiling of the 1st floor.]]
 
[[File:1st floor network.png|thumbnail|Rough diagram showing path of network cables above the ceiling of the 1st floor.]]
 +
* The rack is a Dataracks 303 series variable depth cabinet.  [http://www.dataracks.com/datacentre-solutions/server-racks-frames-cabinets Accessories are available from Dataracks though this model is discontinued. ]
 
* Two new purple jacketed cat6 cables from the ground floor cabinet to the 1st floor server room, run in on 2018-07-10. They go up a riser in the north east corner and then run above the ceiling tiles into the server room, in cable tray for some of the way. See image.
 
* Two new purple jacketed cat6 cables from the ground floor cabinet to the 1st floor server room, run in on 2018-07-10. They go up a riser in the north east corner and then run above the ceiling tiles into the server room, in cable tray for some of the way. See image.
 
* Two new purple jacketed cat6 cables from the 1st floor server room to the third floor server room, run in on 2018-07-14, to replace poorly installed series of cables by building ISP.
 
* Two new purple jacketed cat6 cables from the 1st floor server room to the third floor server room, run in on 2018-07-14, to replace poorly installed series of cables by building ISP.
* There are a large number of network sockets spread around the 1st floor, many (all?) of which seem to be run back via bundles of grey cat5e (?) cable to the server room, also partially in cable trays above the false ceilings. Current status: Ports 1/001 to 1/048 have been terminated and tested on a patch panel in the comms room. Two ports tested faulty. More patching to do.
+
 
 
* A single grey jacketed Cat5e (?) uplink cable from the first to third floor server room. Deemed to be poor quality.
 
* A single grey jacketed Cat5e (?) uplink cable from the first to third floor server room. Deemed to be poor quality.
 
==== Server Room ====
 
A small room with some (?) ventilation. Area K on the floor plan.
 
  
 
==== Patch Panel ====
 
==== Patch Panel ====
* Previous tenants had removed their patch panel from the 1st floor comms room, work in progress to re-terminate all the wallports. Currently up to port 120 terminated and tested. 121 and 122 still to do. Some cables are missing, some are damaged, these are labelled on the patch panels.
+
* Previous tenants had removed their patch panel from the 1st floor comms room, All 1st floor wallports have been re-termianted. Currently up to port 122 on wallports terminated and tested. Some cables are missing, some are damaged, these are labelled on the patch panels.
 +
* Ceiling runs for WiFi access points and cameras on 1st floor are numbered 1/123 onwards. These will probably all require connecting to a PoE switch.
 
* Inter-floor links are terminated on a 1U patch panel at the top of the cabinet.
 
* Inter-floor links are terminated on a 1U patch panel at the top of the cabinet.
  
 
=== Third Floor ===
 
=== Third Floor ===
[[File:Ujima third floor server room.jpg|thumbnail|View inside the third floor server room]]
+
[[File:Ujima third floor server room.jpg|thumbnail|View inside the third floor server room showing legacy Meridian PBX parts]]
 
The third floor is not ours and we (London Hackspace) do not have easy access to it for many changes.  The server room on the third floor is the external demarcation point for the building - the building's existing internet connection is available here along with BT [https://en.wikipedia.org/wiki/British_telephone_socket NTE] (s?) and [https://en.wikipedia.org/wiki/Krone_LSA-PLUS krone] frames.
 
The third floor is not ours and we (London Hackspace) do not have easy access to it for many changes.  The server room on the third floor is the external demarcation point for the building - the building's existing internet connection is available here along with BT [https://en.wikipedia.org/wiki/British_telephone_socket NTE] (s?) and [https://en.wikipedia.org/wiki/Krone_LSA-PLUS krone] frames.
 
The uplink cable from the 1st floor appears here.
 
The uplink cable from the 1st floor appears here.
 +
 +
= Monitoring Services =
 +
 +
There are various monitoring service deployed to keep track of services:
 +
* Grafana has dashboard monitoring various services - [https://stats.london.hackspace.org.uk/d/OfmvriWnz/mqtt?orgId=1&search=open stats.london.hackspace.org.uk]
 +
* An MQTT dashboard for the AC Node / Door system [https://acnode-dash.london.hackspace.org.uk/ acnode-dash.london.hackspace.org.uk]
  
 
[[Category:Premises]]
 
[[Category:Premises]]
 
[[Category:Infrastructure]]
 
[[Category:Infrastructure]]
 +
[[Category:Update Needed]]
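Review bot: "re-termianted" in the first Patch Panel bullet should be "re-terminated", and the comma after "1st floor comms room," should be a full stop because "All 1st floor wallports…" starts a new sentence. The new "= Monitoring Services =" heading uses a single "=" level while every other top-level section on the page uses "== … =="; use "== Monitoring Services ==" so it sits at the same level. "various monitoring service deployed" should be "services".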

Latest revision as of 17:32, 31 October 2021

This is the networking page for Ujima House, the 2018-era location for London Hackspace.

We want your help! Please reach out on the LHS Infrastructure IRC channel or post on the London Hackspace Infrastructure Google Group if you'd like to get involved.

For historical comparison, please refer to 447 Networking.

The infrastructure planning document used during the move is located here for reference but is largely out of date: LHS Infrastructure Mega-Sheet infrastructure planning document

Our ISP

The landlord-provided IP connectivity is a Gigabit fibre line from Onega -> Exponential-E -> Openreach (Exponential-E). For support and queries we need to go through Onega / Landlord. See below for IP address information. Currently the line is set to provide 500Mbps of symmetrical bandwidth upstream and downstream over IPv4 and IPv6. Others in the building share the line but are not heavy users.

  • What is the broadband availability at the place? Is there fibre already for our own dedicated connection?

According to the SamKnows broadband checker, we can get BT Openreach FTTC and FTTP service but not cable-based broadband.

An example check with BT using the address "Honeypot Nursery, Ujima House, 388 High Road, Wembley, HA9 6AR" shows that BT Infinity 2 (76Mbit down / 19Mbit up) is available. Honeypot Nursery formerly occupied the Wembley ground floor LHS space and is about 350 feet from the LWWEM Wembley Exchange but seems to actually get service from LWNWEM instead.

IP range

We have opted for a more flexible and expansive 10.W.X.Y IP range rather than the old ChaosVPN-compatible range we had before. We released our reserved block on the ChaosVPN wiki on 24 September 2018.

DNS and DHCP

Currently running pfSense's DNS and DHCP implementation on Norton.

IP and VLAN documentation

IP and VLAN documentation can be found on VLANs.

TLS

Ideally we've migrated everything to LetsEncrypt unless we're doing internal network / infrastructure SSL trust/validation.

There is a list of our legacy certificates here Networking/TLSCerts

WiFi

We have a number of Cisco Aironet 3502i access points set up at Ujima House.

We have 3 SSIDs:

  • LHS Guest - network for visitors and anyone without an LDAP account
  • spacenet - part of the SpaceFED federated inter-hackerspace wifi network. Not currently working: RADIUS server down and the project appears dead.
  • LondonHackspace-IOT - for future plans involving sensors

All networks are 2.4 and 5GHz, with the access points configured to push you towards 5GHz, where you will probably get a better experience because more bandwidth is available.

All access point configuration should be backed up to the oxidized repository (available to the sysadmins team).

Layer 2

Managed Building Fibre Connection

There is a fibre-provided internet connection managed by the landlord and included in our rent. The building is served by a shared 500 megabit line via Onega, portioned out to various tenants in the building. The actual IP connectivity provider looks to be Exponential-E, but we need to go through Onega / Landlord if there are any issues or questions.

The connectivity is set to allow everyone in the building full access to the Internet at full speed (i.e. if you are the only user online then you should get close to 500Mbps up and down on a speedtest site). The line is subject to fair and legal use, but as long as no one abuses the connection or monopolises it then you can basically fill your boots (or SSDs). A 3.5 Gbyte Debian ISO DVD will download in approx 3 minutes. Please note that you should not download copyright materials from the web / torrent sites (movies etc.) as these are traceable by IP and it's also not a nice thing to do (unless you've paid for them legally)... more seriously, that could lead to being cut off on a three-strikes basis, which we don't want to risk. There is no external rate shaping or packet inspection done on traffic at the ISP level unless there is any odd activity / complaints. Ben from Onega also happens to be a London Hackspace member, so we should get helpful service for any reasonable requests. If / when needed the line could also be upgraded to the full Gigabit, or indeed to 10Gbps connectivity, but right now the marginal cost would not be worth it given historic and current observed bandwidth levels.

Our core router connecting this connection is Norton which runs pfSense CE.

Setting      IPv4                                IPv6
IP Address   167.98.98.227                       2a00:1d40:1843:100::1
Subnet       255.255.255.248                     2a00:1d40:1843:100::/64 externally, 2a00:1d40:1843:180::/57 internally
Gateway      167.98.98.225 (was 167.98.98.226)   2a00:1d40:1843:100::
DNS1         62.244.176.176                      2a00:1d40:ee:176::176
DNS2         62.244.177.177                      2a00:1d40:ee:177::177

Network Switches

There are currently three managed switches serving the space:

  • gf-coreswitch - Cisco WS-C2960S-48FPD-L located ???
  • gf-woodshopsw - Cisco WS-C3560-24PS located in the woodshop
  • gf-replacement-workshop - Cisco WS-C3560V2-24TS located in the metal shop

All switches are currently running old firmware that does not support modern ciphers, so the following ssh argument is required: -oKexAlgorithms=+diffie-hellman-group1-sha1
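Passing the legacy key-exchange flag on every ssh command line makes it easy to offer the weak 1024-bit group1 KEX to hosts that do not need it. The POSIX shell script below is an added example, not London Hackspace tooling: it writes an OpenSSH client config stanza that enables the weak KEX only for the three switch names listed on this page, and it includes a check that reports whether a given config scopes the weak KEX to named hosts or enables it globally. The output path is a constructed example, the switch names are assumed to resolve via DNS, and the HostKeyAlgorithms line is an assumption about what old IOS needs with OpenSSH 8.8 or newer (which stopped accepting ssh-rsa host keys by default).

```shell
#!/bin/sh
# Added example (not the Hackspace's own tooling): confine the legacy
# diffie-hellman-group1-sha1 key exchange to the named switches in an OpenSSH
# client config, instead of passing -oKexAlgorithms on every ssh invocation.

# The three managed switches named on this page (assumed to resolve via DNS).
LEGACY_SWITCHES="gf-coreswitch gf-woodshopsw gf-replacement-workshop"

# Emit a Host stanza that adds the weak KEX only for the listed switches.
legacy_switch_stanza() {
    printf 'Host %s\n' "$LEGACY_SWITCHES"
    printf '    # Old Cisco IOS firmware: only offers 1024-bit DH group1 with SHA-1.\n'
    printf '    KexAlgorithms +diffie-hellman-group1-sha1\n'
    printf '    # Assumption: OpenSSH 8.8+ also needs ssh-rsa host keys re-enabled for old IOS.\n'
    printf '    HostKeyAlgorithms +ssh-rsa\n'
}

# Write the stanza to a file (constructed example path: /tmp/ssh_config.switches)
# with owner-only permissions, suitable for an "Include" line in ~/.ssh/config.
write_legacy_config() {
    legacy_switch_stanza > "$1"
    chmod 600 "$1"
}

# Report how a config file scopes the weak KEX:
#   "scoped" - appears only under a named Host stanza (the intended state)
#   "global" - appears before any Host line or under "Host *" (offered to every host)
#   "absent" - not present at all
weak_kex_scope() {
    awk '
        /^[Hh]ost[ \t]/ { host = $2 }
        /diffie-hellman-group1-sha1/ {
            if (host == "" || host == "*") { global = 1; exit }
            found = 1
        }
        END { print (global ? "global" : (found ? "scoped" : "absent")) }
    ' "$1"
}

# Show the key-exchange list OpenSSH would actually offer a host, read from the
# given config file. Needs OpenSSH 6.8 or newer for -G; not exercised by the checks.
effective_kex() {
    ssh -G -F "$1" "$2" | awk '$1 == "kexalgorithms" { print $2 }'
}

# Example run with the constructed path:
# write_legacy_config /tmp/ssh_config.switches && weak_kex_scope /tmp/ssh_config.switches   # → scoped
```

After adding `Include ~/.ssh/config.d/switches` (or appending the stanza) to `~/.ssh/config`, `effective_kex ~/.ssh/config gf-coreswitch` shows the group1 exchange at the end of the list for a switch, while the same call for any other host shows only the default algorithms.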

All switch configuration should be backed up to the oxidized repository (available to the sysadmins team).

ToDo

See Networking Todo.

Layer 1 (Physical Wiring)

Please note that we adhere to the TIA-568B standard of wiring in the London Hackspace connectivity. This is consistent with the existing wiring as well as historic best practices of London Hackspace. Go with (568)B, because Bees are Better.

The current state of the network patching is being mapped via a Google Sheet

Ground Floor

In the woodworking room there's a comms cabinet with patch panels for several wallports. The CNC room - the former nursery - had almost no networking and very few power outlets. A wallport has been installed on the ceiling, having re-routed two network sockets from the kitchen area above. The remainder of the sockets in the patch panels are fair game. We will need a network switch in that cabinet, because the existing one there is probably unsuitable due to its use by Brent Council.

Two ports have been rerouted from the 1st floor kitchen, where they're unlikely to be needed, to the ceiling in the corner of the ground floor CNC room, where we require some networking.

Patch Panel

The ground floor patch panel in the woodworking room is a shared responsibility. Because one room on the ground floor is used by Brent Council, they have their own networking equipment, run from the 3rd floor comms room. Two new purple jacketed cat6 cables go to the 1st floor comms room.

First Floor

London Hackspace formerly rented the first floor as well as the ground floor of Ujima House. The server room used to be on the 1st floor. There is now a straight-through patch above the former server room there to the ground floor. Any mention of patch panels or cabinets on the first floor is now unrelated to London Hackspace.

Rough diagram showing path of network cables above the ceiling of the 1st floor.
  • The rack is a Dataracks 303 series variable depth cabinet. Accessories are available from Dataracks though this model is discontinued.
  • Two new purple jacketed cat6 cables from the ground floor cabinet to the 1st floor server room, run in on 2018-07-10. They go up a riser in the north east corner and then run above the ceiling tiles into the server room, in cable tray for some of the way. See image.
  • Two new purple jacketed cat6 cables from the 1st floor server room to the third floor server room, run in on 2018-07-14, to replace poorly installed series of cables by building ISP.
  • A single grey jacketed Cat5e (?) uplink cable from the first to third floor server room. Deemed to be poor quality.

Patch Panel

  • Previous tenants had removed their patch panel from the 1st floor comms room. All 1st floor wallports have been re-terminated; currently up to port 122 on wallports terminated and tested. Some cables are missing and some are damaged; these are labelled on the patch panels.
  • Ceiling runs for WiFi access points and cameras on 1st floor are numbered 1/123 onwards. These will probably all require connecting to a PoE switch.
  • Inter-floor links are terminated on a 1U patch panel at the top of the cabinet.

Third Floor

View inside the third floor server room showing legacy Meridian PBX parts

The third floor is not ours and we (London Hackspace) do not have easy access to it for many changes. The server room on the third floor is the external demarcation point for the building - the building's existing internet connection is available here along with BT NTE (s?) and krone frames. The uplink cable from the 1st floor appears here.

Monitoring Services

There are various monitoring services deployed to keep track of services: