Network

From Hackerspace Brussels

Network structure[edit]

[Figure: HSBXL Network.jpg (network structure diagram)]

Network nodes[edit]

Network areas[edit]

Network services[edit]

Address pools[edit]

We have the following pools allocated to us:

  • IPv4:
    • 172.22.33.0/24 (dn42)
    • 172.23.187.0/24 (dn42)
    • 185.18.150.22 (gate.hsbxl.be (Wireless Antwerpen))
    • 137.74.167.169 (vps318480.hsbxl.be (OVH))
  • IPv6:
    • 2001:6f8:147f::/48 (SixXS; the PoP has disappeared, so this subnet and its tunnels are permanently gone)
    • 2001:470:7d73::/48 (TunnelBroker.net)
    • 2001:470:1f14:cc0::2 (gate.hsbxl.be (TunnelBroker.net))
    • 2001:41d0:302:2100::1d46 (vps318480.hsbxl.be (OVH))

IPv4 public address policy[edit]

The following ports/protocols will NOT be forwarded from the internet to a client inside the network. Negotiation is not possible.

  • TCP: 22, 23, 25, 53, 80, 111, 137, 138, 139, 179, 443, 389, 587, 631, 636
  • UDP: 53, 111, 137, 138, 139, 500, 631, 1337, 1812, 1813, 4500
  • Protocols: 41, 50, 51

Reasons:

  • TCP 22: Used for network device access from outside
  • TCP 23: Banned for security reasons
  • TCP 80, 443: We have a better solution than stupid port forwarding: a reverse proxy is configured to connect to your web service. You can ask for as many hosts as you like; they will be forwarded as required. You don't even need to worry about SSL: we do SSL off-loading for you.
  • TCP/UDP 53: Used for our DNS. Just ask if you need a subdomain
  • TCP/UDP 111, 137, 138, 139: Those file sharing protocols are banned for security reasons.
  • UDP 500, 4500: Used for IPsec
  • UDP 1812, 1813: RADIUS authentication
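A small validator for the policy above, as an added example (not code from the HSBXL wiki). The blocked ports, IP protocol numbers and the reasons are copied from the policy; the request format, the rule that a forward may only point at a private IPv4 host inside the network, and the sample requests are this example's own assumptions.

```python
"""Check port-forwarding requests against the HSBXL public IPv4 policy.

Added example, not code from the HSBXL wiki. The blocked ports, protocols
and reasons are copied from the policy; the request format, the private
destination requirement and the sample requests are assumptions.
"""
import ipaddress

# Never forwarded, copied from the policy.
BLOCKED_TCP = {22, 23, 25, 53, 80, 111, 137, 138, 139, 179, 389, 443, 587, 631, 636}
BLOCKED_UDP = {53, 111, 137, 138, 139, 500, 631, 1337, 1812, 1813, 4500}
BLOCKED_IP_PROTOCOLS = {41: "6in4 (IPv6 in IPv4)", 50: "ESP", 51: "AH"}

# Reasons stated on the page; anything else on the list gets a generic answer.
REASONS = {
    ("tcp", 22): "reserved for network device access from outside",
    ("tcp", 23): "banned for security reasons",
    ("tcp", 80): "use the reverse proxy (with SSL off-loading) instead",
    ("tcp", 443): "use the reverse proxy (with SSL off-loading) instead",
    ("tcp", 53): "used for our DNS; ask for a subdomain instead",
    ("udp", 53): "used for our DNS; ask for a subdomain instead",
    ("udp", 500): "used for IPsec",
    ("udp", 4500): "used for IPsec",
    ("udp", 1812): "RADIUS authentication",
    ("udp", 1813): "RADIUS authentication",
}
for _port in (111, 137, 138, 139):
    REASONS[("tcp", _port)] = "file sharing protocols are banned for security reasons"
    REASONS[("udp", _port)] = "file sharing protocols are banned for security reasons"


def check_port_forward(proto, port, internal_ip):
    """Return (allowed, reason) for forwarding proto/port to internal_ip."""
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        return False, "unknown transport protocol: %s" % proto
    if not 1 <= port <= 65535:
        return False, "port out of range"
    blocked = BLOCKED_TCP if proto == "tcp" else BLOCKED_UDP
    if port in blocked:
        return False, REASONS.get((proto, port), "on the never-forwarded list, not negotiable")
    try:
        addr = ipaddress.ip_address(internal_ip)
    except ValueError:
        return False, "invalid internal address"
    # Assumption of this example: forwards only go to private IPv4 hosts inside.
    if addr.version != 4 or not addr.is_private:
        return False, "destination must be a private IPv4 address inside the network"
    return True, "ok"


def check_ip_protocol(number):
    """Return (allowed, reason) for forwarding a raw IP protocol number."""
    if number in BLOCKED_IP_PROTOCOLS:
        return False, "%s (protocol %d) is never forwarded" % (BLOCKED_IP_PROTOCOLS[number], number)
    return True, "ok"


def plan_forwards(requests):
    """Split (proto, port, internal_ip) requests into allowed and rejected lists."""
    allowed, rejected = [], []
    for proto, port, dst in requests:
        ok, reason = check_port_forward(proto, port, dst)
        (allowed if ok else rejected).append((proto, port, dst, reason))
    return allowed, rejected


# Constructed sample requests (the hosts are not real HSBXL machines).
SAMPLE_REQUESTS = [
    ("tcp", 8080, "192.168.222.10"),  # web app on an alternate port: allowed
    ("tcp", 80, "192.168.222.10"),    # rejected: reverse proxy instead
    ("udp", 500, "192.168.222.11"),   # rejected: IPsec
    ("tcp", 2222, "192.168.11.5"),    # allowed: 2222 is not on the list
    ("tcp", 2222, "185.18.150.22"),   # rejected: the gate's own public address
]

if __name__ == "__main__":
    allowed, rejected = plan_forwards(SAMPLE_REQUESTS)
    for proto, port, dst, reason in allowed + rejected:
        print("%-4s %5d -> %-16s %s" % (proto, port, dst, reason))
```

Running the script prints one line per request with the verdict. Whoever handles forwarding requests can paste the list in and get back the reason to quote, so the "not negotiable" answer is the same every time.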

Address allocations[edit]

The subnets are broken down into smaller blocks allocated to the following zones:

  • in.hsbxl.be: 2001:470:7d73::/56
  • out.hsbxl.be: 2001:470:7d73:0100::/56
  • Proxmox BIGLAN: 2001:470:7d73:0200::/56 172.23.187.128/25
  • Interconnect LAN: 2001:470:7d73:ff00::/56

We are also using the following pools internally (only on our internal gateway). These won't be announced over OSPF.

  • IPv4
    • 192.168.222.0/24 (HSBXL internal non-routable LAN)
    • 192.168.9.0/24 (Public WiFi, non routable)
    • 192.168.10.0/24 (Ground floor, ByteNight)
    • 192.168.11.0/24 (1st floor, non routable)
    • 192.168.13.0/24 (downstairs neighbour, non routable)
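An audit of the address plan in the two lists above, using Python's ipaddress module, as an added example (not code from the HSBXL wiki). The prefixes are copied from the page; the audit rules (every zone sits inside an allocated pool, zones do not overlap, internal-only pools are private space outside the announced pools) and the free-block listing are this example's own.

```python
"""Audit the HSBXL address plan with the ipaddress module.

Added example, not from the HSBXL wiki: the prefixes are copied from the
page; the audit rules and the free-block listing are this example's own.
"""
import ipaddress

# Pools allocated to HSBXL (copied from "Address pools").
ALLOCATED_POOLS = [ipaddress.ip_network(p) for p in (
    "172.22.33.0/24", "172.23.187.0/24", "2001:470:7d73::/48",
)]

# Zone allocations (copied from "Address allocations").
ZONES = {
    "in.hsbxl.be": ["2001:470:7d73::/56"],
    "out.hsbxl.be": ["2001:470:7d73:0100::/56"],
    "Proxmox BIGLAN": ["2001:470:7d73:0200::/56", "172.23.187.128/25"],
    "Interconnect LAN": ["2001:470:7d73:ff00::/56"],
}

# Internal-only pools, never announced over OSPF (copied from the page).
INTERNAL_ONLY = [
    "192.168.222.0/24", "192.168.9.0/24", "192.168.10.0/24",
    "192.168.11.0/24", "192.168.13.0/24",
]


def parent_pool(net, pools=ALLOCATED_POOLS):
    """Return the allocated pool that contains net, or None."""
    for pool in pools:
        if net.version == pool.version and net.subnet_of(pool):
            return pool
    return None


def audit(zones=ZONES, internal=INTERNAL_ONLY, pools=ALLOCATED_POOLS):
    """Return a list of readable problems; an empty list means the plan is consistent."""
    problems = []
    assigned = []
    for zone, prefixes in zones.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if parent_pool(net, pools) is None:
                problems.append("%s: %s is outside every allocated pool" % (zone, net))
            assigned.append((zone, net))
    # Two zones sharing address space would defeat the point of zoning.
    for i, (zone_a, a) in enumerate(assigned):
        for zone_b, b in assigned[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                problems.append("%s and %s overlap (%s vs %s)" % (zone_a, zone_b, a, b))
    # Internal pools must be private space and must not collide with announced pools.
    for prefix in internal:
        net = ipaddress.ip_network(prefix)
        if not net.is_private:
            problems.append("internal pool %s is not private address space" % net)
        if parent_pool(net, pools) is not None:
            problems.append("internal pool %s sits inside an announced pool" % net)
    return problems


def free_blocks(pool, used, new_prefix):
    """List the /new_prefix blocks of pool that no network in `used` touches."""
    return [s for s in pool.subnets(new_prefix=new_prefix)
            if not any(s.overlaps(u) for u in used)]


def free_v6_56s():
    """Which /56 blocks of the TunnelBroker /48 are still unassigned to a zone."""
    pool = ipaddress.ip_network("2001:470:7d73::/48")
    used = [ipaddress.ip_network(p) for ps in ZONES.values() for p in ps if ":" in p]
    return free_blocks(pool, used, 56)


if __name__ == "__main__":
    for line in audit() or ["address plan is consistent"]:
        print(line)
    free = free_v6_56s()
    print("%d free /56 blocks, first one %s" % (len(free), free[0]))
```

The plan as written on the page passes the audit; the free-block listing is handy when a new zone needs its own /56, since it only offers blocks that no existing zone touches.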

VLANs[edit]

This is the current VLAN layout. This layout is kept across sites. The VLAN numbering is divided into several groups:

  • <10: Wireless networks and legacy allocation
  • 1x, 1xx: Floor number
  • 2x: Internet uplink(s)
  • 42: Legacy flat LAN


| VLAN ID | Description | Infos |
|---|---|---|
| 3 | Wireless Antwerpen Uplink | |
| 4 | Servers LAN | |
| 6 | IPv6 only net | Also carries the HSBXL-v6 SSID |
| 7 | SpaceFED | Not sure if it will be kept |
| 8 | WiFi WPA | HSBXL SSID |
| 9 | WiFi public | HSBXL-public SSID, open to all |
| 10 | Ground floor network | Currently unused |
| 11 | 1st floor network | In use. |
| 12 | 2nd floor network | Currently unused |
| 13 | 3rd floor network | Used by our downstairs neighbour: KOBALT |
| 42 | Our wired LAN | |
| 44 | IPv4 only network | Sparsely available. HSBXL-v4 SSID |
| 666 | Proxmox cross-site BIGLAN | One broadcast domain potentially covering several physical locations |

WiFi[edit]

  • 3 UniFi access points broadcast the HSBXL, HSBXLv6 and HSBXL-PUBLIC SSIDs, powered by the ToughSwitch.
  • One NanoStation is our Wireless Antwerpen link, powered by the ToughSwitch.

PEN/OID[edit]

We have the following PEN from IANA: 1.3.6.1.4.1.43666.

OLD AND OUTDATED: WILL BE DELETED SOON[edit]

Moving to a new place will involve rebuilding the network, nearly from scratch.

The Gate will be our core router, but it will need some small modifications and updates.

Here is how it is (or will be) laid out:


And here is how we'll divide it:

| VLAN ID | Bridge name (on Gate) | Description | Active (Y/N) | IPv4 range | IPv6 range | Infos |
|---|---|---|---|---|---|---|
| Trunk | | Trunk lines | - | | | Only for devices understanding 802.1Q |
| DN42 | | VPN links | | 172.22.33.0/27 | | Address pool used for DN42 VPNs |
| 20 | wan-0 | VDSL uplink | Y | | | |
| 21 | wan-1 | Secondary uplink (Numericable ?) | N | | | This is a project |
| 22 | wan-2 | | N | | | This is a project |
| Members | | VPN | N | 172.22.33.64/27 | | PROJECT :-) |

Why divide the network like that? Wouldn't everything in the same block be easier to manage?[edit]

Of course it would!!

But since it's a hackerspace, people are very tempted to experiment with stuff, and they should. :-)

Having 4 floors and the wifi in the same network would be a pain to debug when the network goes down or acts funny because someone put up a rogue DHCP server, announced an invalid or funky RA, made an ethernet loop, bridged two segments, used a crappy switch/hub, or is spoofing the gateway.

The worst that can happen with the divided setup is the wifi going down, or one floor misbehaving, without interfering with the others.

Divide and conquer, and let people play and experiment without any fear.
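Segmentation keeps the blast radius to one floor; spotting the culprit quickly still needs something watching each VLAN. The following is an added example (not code from the HSBXL wiki) of a per-VLAN checker for three of the troublemakers named above: a rogue DHCP server, a router advertisement from the wrong box or with a prefix outside our allocation, and a host claiming the gateway's IP. The event line format, the "known good" table for VLAN 11 and the sample feed are constructed for this example; the VLAN 11 / 192.168.11.0/24 pairing and the 2001:470:7d73::/48 allocation come from the page.

```python
"""Spot rogue DHCP, rogue RA and gateway spoofing from a per-VLAN event feed.

Added example, not from the HSBXL wiki. The line format, the known-good
table and the sample events are constructed; VLAN 11 = 192.168.11.0/24 and
the 2001:470:7d73::/48 allocation are taken from the page.
"""
import ipaddress

# Constructed allowlist: which MACs may hand out leases / send RAs on a VLAN,
# and which MAC owns the gateway IP. Real values would come from the router.
KNOWN_GOOD = {
    11: {
        "dhcp_servers": {"00:11:22:33:44:01"},
        "ra_routers": {"00:11:22:33:44:01"},
        "gateway": ("192.168.11.1", "00:11:22:33:44:01"),
        "v6_pools": [ipaddress.ip_network("2001:470:7d73::/48")],
    },
}


def parse_event(line):
    """Parse 'key=value key=value' into a dict (constructed sensor format)."""
    return dict(field.split("=", 1) for field in line.split())


def check_event(event, known=KNOWN_GOOD):
    """Return (tag, detail) for a suspicious event, or None if it looks fine."""
    vlan = int(event["vlan"])
    mac = event["mac"].lower()
    cfg = known.get(vlan)
    if cfg is None:
        return ("unknown-vlan", "traffic on VLAN %d which is not in the plan" % vlan)
    kind = event["type"]
    if kind == "DHCPOFFER" and mac not in cfg["dhcp_servers"]:
        return ("rogue-dhcp", "VLAN %d: DHCP offer from %s (%s)" % (vlan, mac, event["ip"]))
    if kind == "RA":
        if mac not in cfg["ra_routers"]:
            return ("rogue-ra", "VLAN %d: router advertisement from %s" % (vlan, mac))
        prefix = ipaddress.ip_network(event["prefix"])
        if not any(prefix.subnet_of(pool) for pool in cfg["v6_pools"]):
            return ("bad-prefix", "VLAN %d: RA announces %s outside our allocation" % (vlan, prefix))
    if kind == "ARPREPLY":
        gw_ip, gw_mac = cfg["gateway"]
        if event["ip"] == gw_ip and mac != gw_mac:
            return ("gateway-spoof", "VLAN %d: %s claims gateway %s" % (vlan, mac, gw_ip))
    return None


def scan(lines, known=KNOWN_GOOD):
    """Run every non-empty line through check_event and collect the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = check_event(parse_event(line), known)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample feed: legitimate events mixed with one bad event of each kind.
SAMPLE_EVENTS = """
vlan=11 type=DHCPOFFER mac=00:11:22:33:44:01 ip=192.168.11.1
vlan=11 type=DHCPOFFER mac=de:ad:be:ef:00:01 ip=192.168.11.254
vlan=11 type=RA mac=00:11:22:33:44:01 prefix=2001:470:7d73:100::/64
vlan=11 type=RA mac=de:ad:be:ef:00:02 prefix=2001:470:7d73:100::/64
vlan=11 type=RA mac=00:11:22:33:44:01 prefix=2001:db8:bad::/64
vlan=11 type=ARPREPLY mac=00:11:22:33:44:01 ip=192.168.11.1
vlan=11 type=ARPREPLY mac=de:ad:be:ef:00:03 ip=192.168.11.1
vlan=12 type=DHCPOFFER mac=00:11:22:33:44:01 ip=192.168.12.1
""".splitlines()

if __name__ == "__main__":
    for tag, detail in scan(SAMPLE_EVENTS):
        print("[%s] %s" % (tag, detail))
```

Because every alert carries the VLAN ID, the person on call knows which floor (or which SSID) to walk to; with one flat network the same events would only say "somewhere in the building".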


Subpages:

  • Network/FarPoint
  • Network/IPv6
  • Network/IPv6/tunnels
  • Network/Inside HSBXL
  • Network/Inside HSBXL/CoreSwitch
  • Network/Inside HSBXL/Router
  • Network/Inside HSBXL/Sidekick
  • Network/Inside HSBXL/TOUGHSwitch
  • Network/Ldap
  • Network/Mail
  • Network/Monitoring
  • Network/Outside HSBXL
  • Network/vps318480