# Network infrastructure

NOC operates a number of networks, available as tagged VLANs on the core
switches (one in each half of the hackerspace). These networks are:

| Network    | VLAN id | Extra subnets    |
|------------|---------|------------------|
| Management | 32      | --               |
| Services   | 34      | --               |
| Public     | 36      | 89.106.211.64/27 |
| Members    | 128     | 89.106.211.32/27 |

We use a number of conventions to make things more consistent:

- The DNS zone for a given network is `NET.realraum.at`, with the exception
  of the public services network (which uses `realraum.at`) and of the Funkfeuer
  VLAN (which has no `realraum.at` zone).
- Networks using RFC 1918 IP space use the 192.168.VID.0/24 subnet;
  for instance, the IoT network has id 33 and uses the 192.168.33.0/24 subnet.
- The gateway for a network is on the last IP for the subnet.
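
The addressing conventions above lend themselves to a mechanical check of a host inventory. The following is an added example, not part of the original page or of NOC's own tooling. It assumes that "last IP" means the last usable host address, that every network in the table has its conventional /24 alongside any extra subnet, and it uses constructed hostnames and host addresses.

```python
import ipaddress

# VLAN ids and extra subnets as listed in the table on this page.
NETWORKS = {
    "Management": (32, None),
    "Services": (34, None),
    "Public": (36, "89.106.211.64/27"),
    "Members": (128, "89.106.211.32/27"),
}

def rfc1918_subnet(vid):
    """192.168.VID.0/24; the convention only works while VID fits in one octet."""
    if not 0 < vid <= 255:
        raise ValueError(f"VLAN id {vid} cannot be mapped to 192.168.VID.0/24")
    return ipaddress.ip_network(f"192.168.{vid}.0/24")

def gateway(subnet):
    """Assumption: 'last IP' is the last usable host address (broadcast - 1)."""
    return ipaddress.ip_network(str(subnet)).broadcast_address - 1

def subnets_for(name):
    """Assumption: each network has its conventional /24 plus any extra subnet."""
    vid, extra = NETWORKS[name]
    return [rfc1918_subnet(vid)] + ([ipaddress.ip_network(extra)] if extra else [])

def audit(inventory):
    """Return (host, problem) pairs for entries that break the conventions."""
    findings = []
    for host, network, addr in inventory:
        ip = ipaddress.ip_address(addr)
        net = next((n for n in subnets_for(network) if ip in n), None)
        if net is None:
            findings.append((host, f"{addr} is outside the {network} subnets"))
        elif ip == gateway(net):
            findings.append((host, f"{addr} is reserved for the {network} gateway"))
        elif ip in (net.network_address, net.broadcast_address):
            findings.append((host, f"{addr} is a network or broadcast address"))
    return findings

# Constructed inventory: hostnames and host addresses are made up for this example.
SAMPLE = [
    ("host-a", "Management", "192.168.33.7"),    # wrong VLAN subnet
    ("host-b", "Services", "192.168.34.254"),    # collides with the gateway
    ("host-c", "Members", "89.106.211.40"),      # fine, inside the extra subnet
    ("host-d", "Members", "192.168.128.255"),    # broadcast address
]

if __name__ == "__main__":
    print("\n".join(f"{h}: {p}" for h, p in audit(SAMPLE)))
```

A VLAN id above 255 is rejected rather than silently mapped, since the 192.168.VID.0/24 convention has no octet for it.
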

### Routing and firewall rules

This network diagram represents networks, and the connection flows between them:
an arrow from A to B means that a connection can be opened from network A to
network B. In all cases, a subset of ICMP (ECHO, ...) is allowed.

Note that any given system might have interfaces in several of these networks.

[[!img Network/overview.svg alt="r³ network overview"]]

Each location has a single AP, `ap{0,1}.mgmt.realraum.at`, which provides SSIDs
for the IoT network (`realstuff`) and the LAN (`realraum` and `realraum5`);
we use Ubiquiti hardware running OpenWrt.

The switches have hostnames `sw{0,1}.mgmt.realraum.at`, and the WiFi access
points are similarly `ap{0,1}.mgmt.realraum.at`. `0` denotes the main room, and
`1` denotes the second apartment.

r1w2 has two fiber connections: one to the main room, and one to the radio room.
(We use fiber to avoid creating a ground loop between the locations.)

In r1w2, we have a rack hosting a number of devices:

- the patch panel and core switch (`sw1.mgmt.realraum.at`) for W2;
- the `alfred` virtualization server;
- miscellaneous devices:
  - some Raspberry Pis belonging to members;

**Note:** members setting up devices that only need power and network access
should do so in this rack (or even better, run a VM or a container

realfunk receives the `0xFF` and LAN VLANs trunked on a single fiber;
the switch there, `sw2.mgmt.realraum.at`, provides untagged ports on either VLAN.

Moreover, there is a Funkfeuer node there; it *does not* advertise the realraum

The main room has its patch panel and core switch (`sw0.mgmt.realraum.at`) in
Cx. The patch panel has a fiber link to r2w1, and a copper link to an external
antenna for our link to Funkfeuer.

The network shelf in Cx also houses some important devices:

- `smsgw.mgmt.realraum.at`, plus its mobile phone;
- the PoE injectors for `ap0.mgmt.realraum.at` and `sch24.r3.ffgraz.net`;
- `test.r3.ffgraz.net`, which is a test Funkfeuer node.