NOC operates a number of networks, available as tagged VLANs on the core
switches (one in each half of the hackerspace). These networks are:
-| Network | VLAN id | Extra subnets |
-|------------|---------|------------------|
-| Management | 32 | -- |
-| IoT | 33 | -- |
-| Services | 34 | -- |
-| Public | 36 | 89.106.211.64/27 |
-| Guests | 127 | -- |
-| Members | 128 | 89.106.211.32/27 |
-| `0xFF` | 255 | -- |
+| name | VLAN id | Extra subnets | Comment |
+|----------|---------|------------------|--------------------------------------|
+| mgmt | 32 | -- | Management network |
+| iot | 33 | -- | IoT devices, room infrastructure |
+| svc | 34 | -- | Services LAN, see below |
+| pub | 36 | 89.106.211.64/27 | Publicly-available services |
+| [HAMNET] | 44 | 44.0.0.0/8 | Amateur Radio Digital Communications |
+| guests | 127 | -- | Exposed through the “realraum” SSIDs |
+| members | 128 | 89.106.211.32/27 | Accessed with per-member credentials |
+| `0xFF` | 255 | -- | Funkfeuer VLAN |
+
+[HAMNET]: https://wiki.oevsv.at/index.php/Kategorie:Digitaler_Backbone
+
+
+### `svc` -- Services LAN
+
+This network is intended for services that aren't directly exposed to users
+(be they humans or machines); this includes services exposed through a frontend
+(like realraum web services) and services only meant to be consumed by another
+service (like a database server).
+
+
+### `pub` -- Publicly-available services
+
+This network is intended for services that can be consumed by non-NOC systems,
+including our HTTP(S) frontend -- `entrance`, `mqtt`, ...
+
+Services in this network can restrict availability, for instance by only
+allowing clients connecting from our LANs, or by requiring authentication.
+
+No RFC 1918 subnet is used on this network, only `89.106.211.64/27`.
### Conventions
We use a number of conventions to make things more consistent:
- The DNS zone for a given network is `NET.realraum.at`, with the exception
- of the public services network (which uses `realraum.at`) and of the Funkfeuer
- VLAN (which has no `realraum.at` zone).
+ of `pub` (which uses `realraum.at`) and of the Funkfeuer VLAN (which has no
+ `realraum.at` zone).
- Networks using RFC 1918 IP space use the 192.168.VID.0/24 subnet;
+ for instance, the `iot` network has id 33 and uses the 192.168.33.0/24 subnet.
- The gateway for a network is on the last IP for the subnet.
The switches have hostnames `sw{0,1}.mgmt.realraum.at`, and the WiFi access
points are similarly `ap{0,1}.mgmt.realraum.at`. `0` denotes the main room, and
-`1` denotes Wöhnung 2.
+`1` denotes the second appartment.
-### Wöhnung 2
+### W2
-#### Raum 1
+#### Room 1
r1w2 has two fiber connections: one to the main room, and one to the radio room.
(We use fiber to avoid creating a ground loop between the locations.)
#### realfunk
-realfunk receives the `0xFF` and LAN VLANs trunked on a single fiber;
+realfunk receives the `0xFF` and `guests` VLANs trunked on a single fiber;
the switch there, `sw2.mgmt.realraum.at`, provides untagged ports on either VLAN.
Moreover, there is a Funkfeuer node there; it *does not* advertise the realraum
projects / noc.git / blobdiff