- in.hsbxl.be - Network inside HSBXL
- out.hsbxl.be - Network segment for off-site events or migration periods
We have the following pools allocated to us:
- 172.22.33.0/24 (dn42)
- 172.23.187.0/24 (dn42)
- 188.8.131.52 (gate.hsbxl.be (Wireless Antwerpen))
- 184.108.40.206 (vps318480.hsbxl.be (OVH))
- 2001:6f8:147f::/48 (SixXS): PoP has disappeared, subnet and tunnels are permanently gone
- 2001:470:7d73::/48 (TunnelBroker.net)
- 2001:470:1f14:cc0::2 (gate.hsbxl.be (TunnelBroker.net))
- 2001:41d0:302:2100::1d46 (vps318480.hsbxl.be (OVH))
IPv4 public address policy
The following ports/protocols will NOT be forwarded from the internet to a client inside the network. Negotiation is not possible.
- TCP: 22, 23, 25, 53, 80, 111, 137, 138, 139, 179, 443, 389, 587, 631, 636
- UDP: 53, 111, 137, 138, 139, 500, 631, 1337, 1812, 1813, 4500
- Protocols: 41, 50, 51
- TCP 22: Used for network device access from outside
- TCP 23: Banned for security reasons
- TCP 80, 443: We have a better solution than stupid port forwarding: a reverse proxy is configured to connect to your web service. You can ask for as many hosts as you like, they will be forwarded as required. You don't even need to worry about SSL: we do SSL off-loading for you.
- TCP/UDP 53: Used for our DNS. Just ask if you need a subdomain.
- TCP/UDP 111, 137, 138, 139: Those file sharing protocols are banned for security reasons.
- UDP 500, 4500: Used for IPsec
- UDP 1812, 1813: RADIUS authentication
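To make the policy above checkable before someone touches the gateway, here is an added example (not HSBXL's own firewall configuration) that refuses a forward request for any port, protocol or target the policy rules out and otherwise emits the nftables DNAT rule for it. The pools, the rule that a target must sit in one of them, and the `wan-1` interface name are assumptions taken from this page.

```python
"""Checker for the HSBXL IPv4 forwarding policy (added example, not the real config)."""
import ipaddress

# Never forwarded from the internet, exactly as listed in the policy above.
BLOCKED_TCP = {22, 23, 25, 53, 80, 111, 137, 138, 139, 179, 389, 443, 587, 631, 636}
BLOCKED_UDP = {53, 111, 137, 138, 139, 500, 631, 1337, 1812, 1813, 4500}
BLOCKED_IPPROTO = {41, 50, 51}   # IP protocol numbers, not ports

# Reasons from the policy, so a refusal points at the alternative instead of a bare "no".
REASONS = {
    ("tcp", 22): "network device access from outside",
    ("tcp", 23): "banned for security reasons",
    ("tcp", 80): "use the reverse proxy instead",
    ("tcp", 443): "use the reverse proxy instead",
    ("tcp", 53): "our DNS; ask for a subdomain",
    ("udp", 53): "our DNS; ask for a subdomain",
    ("udp", 500): "IPsec", ("udp", 4500): "IPsec",
    ("udp", 1812): "RADIUS", ("udp", 1813): "RADIUS",
}
for _p in (111, 137, 138, 139):
    REASONS[("tcp", _p)] = REASONS[("udp", _p)] = "file sharing, banned for security reasons"

# Assumed rule: a forward may only point at a client inside one of the pools on this page.
INSIDE = [ipaddress.ip_network(n) for n in (
    "172.22.33.0/24", "172.23.187.0/24", "192.168.222.0/24",
    "192.168.9.0/24", "192.168.10.0/24", "192.168.11.0/24", "192.168.13.0/24")]


def check_forward(proto, number, target):
    """Return (allowed, reason). proto is 'tcp', 'udp' or 'ip' (IP protocol number)."""
    proto = proto.lower()
    blocked = {"tcp": BLOCKED_TCP, "udp": BLOCKED_UDP, "ip": BLOCKED_IPPROTO}
    if proto not in blocked:
        raise ValueError(f"unknown protocol family: {proto}")
    if number in blocked[proto]:
        return False, REASONS.get((proto, number), "listed as never forwarded")
    addr = ipaddress.ip_address(target)
    if not any(addr in net for net in INSIDE):
        return False, f"{target} is not inside a known HSBXL pool"
    return True, "ok"


def nft_dnat_rule(proto, port, target, wan_if="wan-1"):
    """nftables prerouting rule for an allowed TCP/UDP forward; None when refused."""
    allowed, _ = check_forward(proto, port, target)
    if not allowed or proto.lower() == "ip":
        return None
    return f'iifname "{wan_if}" {proto.lower()} dport {port} dnat to {target}:{port}'
```

The returned rule line belongs in a `nat` chain hooked at `prerouting`; anything the function returns `None` for should be answered with the reason string rather than a rule.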
The subnets are broken down in smaller blocks allocated to the following zones:
- in.hsbxl.be: 2001:470:7d73::/56
- out.hsbxl.be: 2001:470:7d73:0100::/56
- Proxmox BIGLAN: 2001:470:7d73:0200::/56, 172.23.187.128/25
- Interconnect LAN: 2001:470:7d73:ff00::/56
We are also using the following pools internally (only on our internal gateway). These won't be announced over OSPF:
- 192.168.222.0/24 (HSBXL internal non-routable LAN)
- 192.168.9.0/24 (Public WiFi, non routable)
- 192.168.10.0/24 (Ground floor, ByteNight)
- 192.168.11.0/24 (1st floor, non routable)
- 192.168.13.0/24 (downstairs neighbour, non routable)
This is the current VLAN layout. This layout is kept across sites. The VLAN numbering is divided in several groups:
- <10: Wireless networks and legacy allocation
- 1x, 1xx: Floor number
- 2x: Internet uplink(s)
- 42: Legacy flat LAN
| VLAN | Network | Notes |
|---|---|---|
| 3 | Wireless Antwerpen uplink | |
| 6 | IPv6-only net | Also carries the HSBXL-v6 SSID |
| 7 | SpaceFED | Not sure if it will be kept |
| 8 | WiFi WPA | HSBXL SSID |
| 9 | WiFi public | HSBXL-public SSID, open to all |
| 10 | Ground floor network | Currently unused |
| 11 | 1st floor network | In use |
| 12 | 2nd floor network | Currently unused |
| 13 | 3rd floor network | Used by our downstairs neighbour: KOBALT |
| 42 | Our wired LAN | |
| 44 | IPv4-only network | Sparsely available. HSBXL-v4 SSID |
| 666 | Proxmox cross-site BIGLAN | One broadcast domain potentially covering several physical locations |
- Three UniFi access points broadcast the HSBXL, HSBXL-v6 and HSBXL-PUBLIC SSIDs, powered by the ToughSwitch.
- One NanoStation is our Wireless Antwerpen link, powered by the ToughSwitch.
We have the following PEN from IANA: 1.3.6.1.4.1.43666.
OLD AND OUTDATED: WILL BE DELETED SOON
Moving to a new place will involve rebuilding the network, nearly from scratch.
The Gate will be our core router, but it will need some small modifications and updates.
Here is how it is/will be laid out
And here is how we'll divide it:
| VLAN ID | Bridge name (on Gate) | Description | Active (Y/N) | IPv4 range | IPv6 range | Infos |
|---|---|---|---|---|---|---|
| | | Trunk | | | | Trunk lines, only for devices understanding 802.1Q |
| | | DN42 VPN links | | 172.22.33.0/27 | | Address pool used for DN42 VPNs |
| 21 | wan-1 | Secondary uplink (Numericable ?) | N | | | This is a project |
| 22 | wan-2 | | N | | | This is a project |
| | | Members VPN | N | 172.22.33.64/27 | | PROJECT :-) |
Why divide the network like that? Wouldn't everything in the same block be easier to manage?
Of course it would!
But since it's a hackerspace, people are very tempted to experiment with stuff, and they should. :-)
Having 4 floors and the wifi in the same network would be a pain to debug when the network goes down or acts funny because someone put up a rogue DHCP server, announced an invalid or funky RA, made an ethernet loop, bridged two segments, used a crappy switch/hub, or is spoofing the gateway.
The worst that can happen with a segmented setup is the wifi going down, or one floor misbehaving, without interfering with the others.
Divide to conquer, and let people play and experiment without any fear.