From: Christian Pointner
Date: Sat, 7 Jul 2018 20:03:33 +0000 (+0200)
Subject: Merge pull request #25 from realraum/vlans
X-Git-Url: https://git.realraum.at/?a=commitdiff_plain;h=e620b221b7faf3f35442ff2f9fcc025f78489650;hp=7d0320a01a3be8ebb0b88649deff58a52486a006;p=noc.git

Merge pull request #25 from realraum/vlans

Document the new network plan
---

diff --git a/doc/Makefile b/doc/Makefile
index e91e3c6..4927b59 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -1,6 +1,6 @@
-.PHONY: default clean serve
+.PHONY: default clean serve diagram
 
-default: favicon.ico
+default: diagram favicon.ico
 ikiwiki --refresh --setup ikiwiki.setup
 
 clean:
@@ -9,6 +9,9 @@ clean:
 serve: default
 @cd dest; python -m SimpleHTTPServer
 
+diagram:
+ $(MAKE) -C Network/
+
 favicon.ico:
 convert assets/logo.png -define icon:auto-resize=64,48,32,16 \
 -fill 'rgb(118,20,7)' -opaque white \
diff --git a/doc/Network.mdwn b/doc/Network.mdwn
index 24255eb..65640e1 100644
--- a/doc/Network.mdwn
+++ b/doc/Network.mdwn
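Review bot: The new `diagram` prerequisite of `default` runs `$(MAKE) -C Network/`, and the recipe it reaches (the doc/Network/Makefile hunk further down) calls `circo`, so on a checkout without graphviz `make` now fails before ikiwiki is even invoked, and neither Makefile names that requirement; add `# needs graphviz (circo), see Network/Makefile` above the `diagram:` target. Because `diagram` is listed in `.PHONY`, every `make` re-enters the sub-make, which is harmless only as long as its pattern rule stays incremental on the `.dot` sources, so that is worth a one-line comment too. The same point applies to the doc/Network/Makefile hunk, where the `%.svg %.png: %.dot` rule is served by one recipe that regenerates both formats whenever it fires.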
@@ -1,37 +1,88 @@
 # Network infrastructure
 
-## VLANs
+## Networks
 
-NOC runs 2 core switches (one in each room), carrying a bunch of VLANs:
-- 33 is the management VLAN (192.168.33.0/24);
-- 127 is the LAN (192.168.127.0/24);
-- 255 (`0xFF`) is our Funkfeuer VLAN.
+NOC operates a number of networks, available as tagged VLANs on the core
+switches (one in each half of the hackerspace). These networks are:
 
-The switches have hostnames `sw{0,1}.mgmt.realraum.at`, and the WiFi access
-points are similarly `ap{0,1}.mgmt.realraum.at`. `0` denotes the main room, and
-`1` denotes Wöhnung 2.
+| name | VLAN id | DNS | CIDR | Comment |
+|----------|---------|-----|------------------------------------|--------------------------------------|
+| mgmt | 32 | y | 192.168.32.0/24 | Management network |
+| iot | 33 | y | 192.168.33.0/24 | IoT devices, room infrastructure |
+| svc | 34 | y | 192.168.34.0/24 | Services LAN, see below |
+| pub | 36 | y | 89.106.211.64/27 | Publicly-available services |
+| [HAMNET] | 44 | n | 44.0.0.0/8 | Amateur Radio Digital Communications |
+| guests | 127 | y | 192.168.127.0/24 | Exposed through the “realraum” SSIDs |
+| members | 128 | y | 89.106.211.32/27, 192.168.128.0/24 | Accessed with per-member credentials |
+| `0xFF` | 255 | n | 10.12.240.240/28 | Funkfeuer VLAN |
+
+[HAMNET]: https://wiki.oevsv.at/index.php/Kategorie:Digitaler_Backbone
+
+
+### `svc` -- Services LAN
+
+This network is intended for services that aren't directly exposed to users
+(be they humans or machines); this includes services exposed through a frontend
+(like realraum web services) and services only meant to be consumed by another
+service (like a database server).
+
+
+### `pub` -- Publicly-available services
+
+This network is intended for services that can be consumed by non-NOC systems,
+including our HTTP(S) frontend -- `entrance`, `mqtt`, ...
+
+Services in this network can restrict availability, for instance by only
+allowing clients connecting from our LANs, or by requiring authentication.
+
+No RFC 1918 subnet is used on this network, only `89.106.211.64/27`.
+
+
+### Conventions
+
+We use a number of conventions to make things more consistent:
+
+- The DNS zone for a given network is `NET.realraum.at`, with the exception of
+ `pub` (which uses `realraum.at`) and VLANs which have no `realraum.at` zone.
+- When a network uses RFC 1918 IP space, it is the 192.168.VID.0/24 subnet;
+ for instance, the `iot` network has id 33 and uses the 192.168.33.0/24 subnet.
+- The gateway for a network is on the last IP for the subnet.
+
+
+### Routing and firewall rules
+
+This network diagram represents networks, and the connection flows between them:
+an arrow from A to B means that a connection can be opened from network A to
+network B. In all cases, a subset of ICMP (ECHO, ...) is allowed.
+
+Note that any given system might have interfaces in several of these networks.
+
+[[!img Network/overview.svg alt="r³ network overview"]]
 
 
 ## WiFi
 
 Each location has a single AP, `ap{0,1}.mgmt.realraum.at`, which provides SSIDs
-for the management VLAN (`realstuff`) and the LAN (`realraum` and `realraum5`);
+for the IoT network (`realstuff`) and the LAN (`realraum` and `realraum5`);
 we use Ubiquity hardware running OpenWRT.
 
-Moreover, realfunk has an Archer C7 acting as a VLAN-capable switch
-and as a Funkfeuer node; it does **not** provide the realraum SSIDs.
-
 
 ## Physical locations
 
-### Wöhnung 2
+The switches have hostnames `sw{0,1}.mgmt.realraum.at`, and the WiFi access
+points are similarly `ap{0,1}.mgmt.realraum.at`. `0` denotes the main room, and
+`1` denotes the second appartment.
+
 
-#### Raum 1
+### W2
+
+#### Room 1
 
 r1w2 has two fiber connections: one to the main room, and one to the radio room.
 (We use fiber to avoid creating a ground loop between the locations.)
 
 In r1w2, we have a rack hosting a number of devices:
+
 - the patch panel and core switch (`sw1.mgmt.realraum.at`) for W2;
 - the `alfred` virtualization server;
 - miscelaneous devices:
@@ -42,13 +93,16 @@ In r1w2, we have a rack hosting a number of devices:
 
 **Note:** members setting up devices that only need power and network access
 should do so in this rack (or even better, run a VM or a container on `alfred`).
-
+
 #### realfunk
 
-realfunk receives the `0xFF` and LAN VLANs trunked on a single fiber;
+realfunk receives the `0xFF` and `guests` VLANs trunked on a single fiber;
 the switch there, `sw2.mgmt.realraum.at`, provides untagged ports on either
 VLAN.
 
+Moreover, there is a Funkfeuer node there; it *does not* advertise the realraum
+SSIDs.
+
 
 ### Main room
 
@@ -57,6 +111,7 @@ Cx. The patch panel has a fiber link to r2w1, and a copper link to an external
 antenna for our link to Funkfeuer.
 
 The network shelf in Cx also houses some important devices:
+
 - `gw.realraum.at`;
 - `smsgw.mgmt.realraum.at`, plus its mobile phone;
 - the PoE injectors for `ap0.mgmt.realraum.at` and `sch24.r3.ffgraz.net`;
diff --git a/doc/Network/.gitignore b/doc/Network/.gitignore
new file mode 100644
index 0000000..664db10
--- /dev/null
+++ b/doc/Network/.gitignore
@@ -0,0 +1,2 @@
+*.png
+*.svg
diff --git a/doc/Network/Makefile b/doc/Network/Makefile
new file mode 100644
index 0000000..fd0d37c
--- /dev/null
+++ b/doc/Network/Makefile
@@ -0,0 +1,8 @@
+DIAGRAMS:=overview
+FORMATS:=svg png
+
+.PHONY: default
+default: $(foreach diagram,$(DIAGRAMS),$(foreach ext,$(FORMATS),$(diagram).$(ext)))
+
+$(foreach ext,$(FORMATS),%.$(ext)): %.dot
+ $(foreach ext,$(FORMATS),circo -T$(ext) $^ -o $*.$(ext);)
diff --git a/doc/Network/overview.dot b/doc/Network/overview.dot
new file mode 100644
index 0000000..b090dd8
--- /dev/null
+++ b/doc/Network/overview.dot
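Review bot: The new *Routing and firewall rules* paragraph defines only what an arrow means, not what its absence means, so a reader cannot tell whether `mgmt` and `iot` having no inbound arrow in the diagram is a deliberate default-deny or an omission; if the diagram is exhaustive, add a sentence such as `Flows not drawn are denied: the diagram is the complete allow-list.` after the ICMP sentence. The same diagram (the overview.dot hunk below) has no `pub -> svc` edge, although the new `svc` section says its services are reached through a frontend like the realraum web services, which the `pub` section places in `pub`; either the edge is missing or the text should say how frontends reach backends. The `pub` section also suggests restricting services to "clients connecting from our LANs" while the diagram gives `guests` the same path to `pub` as `members`, so say whether the unauthenticated `guests` network counts as one of those LANs.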
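Review bot: The realfunk paragraph now names only the `0xFF` and `guests` VLANs as trunked over that fiber, yet the switch there is `sw2.mgmt.realraum.at`, which under the *Conventions* section's `NET.realraum.at` naming implies an address in `mgmt` (VLAN 32); either `mgmt` is trunked there too and the sentence should list it, or the switch is managed another way and that should be stated, since it decides whether the management network extends to an off-site location. Suggested wording if the former holds: `realfunk receives the 0xFF, guests and mgmt VLANs trunked on a single fiber;` (with the names in code spans as in the surrounding text). The new sentence on the Funkfeuer node says only that it does not advertise the realraum SSIDs; naming the VLAN it sits on (presumably `0xFF`) would complete the picture.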
@@ -0,0 +1,24 @@
+digraph network {
+ label="r³ network overview";
+ graph [ bgcolor="#ff000000" fontname="Liberation Sans" fontcolor="#c0c0c0" ];
+ node [ shape=none fontname="Liberation Sans" fontcolor="#c0c0c0" ];
+ edge [fontname="Liberation Sans"
+ fontcolor="#c0c0c0" color="#c0c0c0"
+ ];
+
+ public [ label="Public (36)\n89.106.211.64/27" ]
+ inet [ label="Internet" ]
+ guests [ label="Guests (127)" ]
+ members [ label="Members (128)\n89.106.211.32/27" ]
+ mgmt [ label="Management (32)" ]
+ iot [ label="IoT (33)" ]
+ svc [ label="Services (34)" ]
+
+ public -> inet [ dir=both ];
+
+ guests -> inet [ label="NAT, tc" ];
+ members -> inet [ dir=both label="NAT || firewall" ];
+ guests -> members [ dir=both label="firewall" ];
+
+ {svc mgmt iot guests members} -> public;
+}
diff --git a/doc/ikiwiki.setup b/doc/ikiwiki.setup
index 77340ec..ffdf475 100644
--- a/doc/ikiwiki.setup
+++ b/doc/ikiwiki.setup
@@ -1,3 +1,4 @@
+# -*- mode: yaml -*-
 # IkiWiki::Setup::Yaml - YAML formatted setup file
 #
 # Setup file for ikiwiki.
@@ -32,6 +33,7 @@ add_plugins:
 - map
 - pagetemplate
 - sidebar
+- typography
 
 # plugins to disable
 disable_plugins:
@@ -71,4 +73,4 @@ hardlink: '0'
 usedirs: '0'
 
 # Do not try to compile dest/
-exclude: ^dest
\ No newline at end of file
+exclude: ^dest
diff --git a/doc/local.css b/doc/local.css
index e5d32bf..d1d9764 100644
--- a/doc/local.css
+++ b/doc/local.css
@@ -257,10 +257,9 @@ p>code, dd>code, li>code {
 }
 
 #content table th {
- background: #fafafa;
 padding: 0.1em 0.5em;
 border-bottom: solid 1px #aaaaaa;
- color: #555555;
+ color: #d33682;
 }
 
 #content table td {
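Review bot: The edge `guests -> members [ dir=both label="firewall" ]` states that connections may be opened from the unauthenticated guest network into `members`, but the label gives no hint of what the firewall lets through, which is the one fact a reader of a firewall-rules diagram needs; a comment next to the edge, `// guests and members: the firewall passes only (TODO: list the allowed services)`, or an edge label naming them, would make the rule reviewable. The `members -> inet` label `NAT || firewall` is similarly ambiguous: if it means the RFC 1918 members subnet is NATed outbound only while 89.106.211.32/27 is routed and filtered, say so per subnet, e.g. `label="192.168.128.0/24: NAT\n89.106.211.32/27: firewall"`. `dir=both` on that edge also asserts that Internet hosts can open connections into the members network, which deserves a comment if intended, since the Network.mdwn table only describes `members` as "Accessed with per-member credentials".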