From Hackerspace Brussels

Network structure

[Image: HSBXL Network.jpg]

Network nodes

Network areas

Address pools

We have the following pools allocated to us:

  • IPv4:
    • (dn42)
    • (dn42)
  • IPv6:
    • 2001:6f8:147f::/48 (SixXS) PoP has disappeared: subnet and tunnels are permanently gone
    • 2001:470:7d73::/48 (

Address allocations

The subnets are broken down into smaller blocks allocated to the following zones:

  • 2001:470:7d73::/56
  • 2001:470:7d73:0100::/56
  • Proxmox BIGLAN: 2001:470:7d73:0200::/56
  • Interconnect LAN: 2001:470:7d73:ff00::/56

We are also using the following pools internally (only on our internal gateway). These won't be announced over OSPF.

  • IPv4
    • (HSBXL internal non-routable LAN)
    • (Public WiFi, non routable)
    • (Ground floor, ByteNight)
    • (downstairs neighbour, non routable)


This is the current VLAN layout. This layout is kept across sites. The VLAN numbering is divided into several groups:

  • <10: Wireless networks and legacy allocation
  • 1x, 1xx: Floor number
  • 2x: Internet uplink(s)
  • 42: Legacy flat LAN

| VLAN ID | Description | Infos |
|---|---|---|
| 3 | Wireless Antwerpen Uplink | |
| 4 | Servers LAN | |
| 6 | IPv6 only net | Also carries the HSBXL-v6 SSID |
| 7 | SpaceFED | Not sure if it will be kept |
| 9 | WiFi public | HSBXL-public SSID, open to all |
| 10 | Ground floor network | Currently unused |
| 11 | 1st floor network | In use. |
| 12 | 2nd floor network | Currently unused |
| 13 | 3rd floor network | Used by our downstairs neighbour: KOBALT |
| 42 | Our wired LAN | |
| 44 | IPv4 only network | Sparsely available. HSBXL-v4 SSID |
| 666 | Proxmox cross-site BIGLAN | One broadcast domain potentially covering several physical locations |


We have the following PEN from IANA:

This is based on previous work by User:TQ_Hirsh

(EXPERIMENTAL)

(LDAP)

(LDAP Attribute type)

  1. x-hsbxl-pgpKey - PGP public key used for encrypted communications
  2. x-hsbxl-sponsorID - Sponsoring member
  3. x-hsbxl-membershipReason - Why you're becoming a member
  4. x-hsbxl-sshPubKey - SSH public key

The following entries might be included in the definitive user schema

  1. x-hsbxl-membershipStructuredComm - Structured communication for membership payments
  2. x-hsbxl-membershipAccountId - Internal identifier for membership account
  3. x-hsbxl-drinksStructuredcomm - Structured communication for drink account
  4. x-hsbxl-drinksAccountId - Internal identifier for fridge account
  5. x-hsbxl-RFID-id - Access control token ID

(LDAP Object class)

(SNMP)



Moving to a new place will involve rebuilding the network, nearly from scratch.

The Gate will be our core router, but it will need some small modifications and updates.

Here is how it is/will be laid out:

And here is how we'll divide it:

| VLAN ID | Bridge name (on Gate) | Description | Active (Y/N) | IPv4 range | IPv6 range | Infos |
|---|---|---|---|---|---|---|
| Trunk | | Trunk lines | - | | | Only for devices understanding 802.1Q |
| DN42 | | VPN links | | | | Address pool used for DN42 VPNs |
| 1 | br-mgmt | Management LAN | Y | | 2001:6f8:147f:222::/64 | Devices web interfaces: should be accessible only from wired LAN (VLAN 10, 11 and 12) |
| 3 | eth5.3 | Wireless Antwerpen WAN | N | | | |
| 4 | br-srv | Servers LAN | Y | | 2001:6f8:147f:4::/64 | Quiet LAN for fixed services (SIP phones, network printers, ...) |
| 5 | ???? | Emergency WAN | N | DHCP client | | In case there is no internet (broken VDSL), this is where you plug your source of interwebs to share in the space |
| 6 | br-v6 | IPv6 only LAN | Y | n/a | 2001:6f8:147f:6::/64 | IPv6 only network segment :-) |
| 7 | br-fed | SpaceFED | N | | 2001:6f8:147f:7::/64 | PROJECT :-) |
| 8 | br-wifiwpa | WiFi WPA | Y | | 2001:6f8:147f:8::/64 | One subnet for all access points (SSID: hsbxl), enables AP roaming |
| 9 | br-wifiopen | Open WiFi | Y | | 2001:6f8:147f:9::/64 | Locked down subnet open to everybody, including neighbours (SSID: hsbxl-public) |
| 10 | br-0 | Ground floor LAN | Y | | 2001:6f8:147f:10::/64 | |
| 11 | br-1 | 1st floor LAN | Y | | 2001:6f8:147f:11::/64 | |
| 12 | br-2 | 2nd floor LAN | Y | | 2001:6f8:147f:12::/64 | |
| 13 | br-3 | 3rd floor LAN | Y | | 2001:6f8:147f:13::/64 | |
| 20 | wan-0 | VDSL uplink | Y | | | |
| 21 | wan-1 | Secondary uplink (Numericable ?) | N | | | This is a project |
| 22 | wan-2 | | N | | | This is a project |
| 42 | br-lan | HSBXL old LAN config (waiting for migration to multiple VLANs) | Y | | 2001:6f8:147f:42::/64 | |
| | | Members VPN | N | | | PROJECT :-) |
| n/a | n/a | PA system wiring | Y | n/a | n/a | Although this is CAT5E cabling, those cables are used to connect the speakers to the amplifier. SOME LINES HAVE 100V ON THEM BE CAREFUL !!! |

Why divide the network like that? Would everything in the same block be easier to manage?

Of course it would!!

But since it's a hackerspace, people are very tempted to experiment with stuff, and they should. :-)

Having 4 floors and the wifi in the same network would be a pain to debug when the network goes down or acts funny because someone plugged in a rogue DHCP server, announced an invalid or funky RA, made an Ethernet loop, bridged two segments, used a crappy switch/hub, or is spoofing the gateway.

The worst that can happen with that setup is the wifi going down, or one floor misbehaving without interfering with the others.

Divide To Conquer, and let people play and experiment without any fear.
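
An added example (not part of the original wiki page): a small audit that checks observed Router Advertisements against the per-VLAN /64 plan from the table above, so a rogue RA or a bridged segment shows up as a named finding on one VLAN. The gateway link-local address `fe80::1` and the sample observations are assumptions constructed for illustration.

```python
import ipaddress

# Per-VLAN IPv6 /64s of the active VLANs, copied from the table on this page.
PLAN = {vlan: ipaddress.ip_network(p) for vlan, p in {
    1: "2001:6f8:147f:222::/64", 4: "2001:6f8:147f:4::/64",
    6: "2001:6f8:147f:6::/64", 8: "2001:6f8:147f:8::/64",
    9: "2001:6f8:147f:9::/64", 10: "2001:6f8:147f:10::/64",
    11: "2001:6f8:147f:11::/64", 12: "2001:6f8:147f:12::/64",
    13: "2001:6f8:147f:13::/64", 42: "2001:6f8:147f:42::/64",
}.items()}

# Assumption: the Gate sends its RAs from this link-local address on every bridge.
GATE_LL = ipaddress.ip_address("fe80::1")

def classify_ra(vlan, source, prefix):
    """Return a list of findings for one observed Router Advertisement."""
    findings = []
    src = ipaddress.ip_address(source)
    pfx = ipaddress.ip_network(prefix, strict=False)
    expected = PLAN.get(vlan)
    if src != GATE_LL:
        findings.append("unexpected-router")
    if expected is None:
        findings.append("ra-on-unplanned-vlan")
    elif pfx != expected:
        # A prefix that belongs to another VLAN points at bridged segments.
        owner = next((v for v, n in PLAN.items() if n.overlaps(pfx)), None)
        findings.append(f"prefix-of-vlan-{owner}" if owner is not None
                        else "foreign-prefix")
    return findings

# Constructed observations: (VLAN seen on, RA source, advertised prefix).
SAMPLE = [
    (11, "fe80::1", "2001:6f8:147f:11::/64"),      # matches the plan
    (11, "fe80::dead:beef", "2001:db8:bad::/64"),  # rogue router, funky prefix
    (10, "fe80::1", "2001:6f8:147f:8::/64"),       # WiFi prefix seen on ground floor
    (20, "fe80::1", "2001:6f8:147f:42::/64"),      # RA on the uplink VLAN
]

def audit(observations):
    """Map each suspicious observation to its findings; clean ones are omitted."""
    report = {}
    for obs in observations:
        findings = classify_ra(*obs)
        if findings:
            report[obs] = findings
    return report

if __name__ == "__main__":
    for obs, findings in audit(SAMPLE).items():
        print(obs, "->", ", ".join(findings))
```

Because each floor and each WiFi network has its own /64, a finding names the single VLAN where the problem sits instead of implicating the whole space.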


  • Four (soon five) UniFis are broadcasting the HSBXL and HSBXL-PUBLIC SSIDs (ground floor and garden), powered by the ToughSwitch.
  • One NanoStation is our Wireless Antwerpen link, powered by the ToughSwitch.

Interesting finding

The VDSL uplink must be on a dedicated network interface or we lose bandwidth (peak at 20 Mb/s). As it is, putting the VDSL modem on a dedicated VLAN on the Cisco switch is an idea to scrap. This setup must be re-tried on the ToughSwitch. It is possible the Gate is the bottleneck due to packets ping-ponging on eth0.
