Resources/Network: Difference between revisions

From Noisebridge
(230 intermediate revisions by 43 users not shown)

Older revision:

== Status ==

There is an external status monitor at [http://status.noisebridge.net/cgi-bin/smokeping.cgi?target=Noisebridge status.noisebridge.net]. If something is wrong with the network at 83c, you should contact [[Admins|an admin]].


== It's 2 AM And The Admins Are Asleep ==

If no admin responds within a reasonable period of time (say, an hour), take matters into your own hands and send mail to [mailto:noisebridge-discuss@lists.noisebridge.net noisebridge-discuss] with answers to the following questions:

* Who are you?
* What happened?
* When did the problem begin? (If you were able to find out.)
* When was the problem noticed?
* When did it get fixed?
* What did you do to fix it? Please err on the side of too much detail rather than not enough.

Please try to observe [[Network Policies|the guidelines]] for network maintenance, but use your Most Excellent Judgment if something there doesn't seem to apply.


== Uplinks ==

=== '''24Mb/5Mb''' currently via Comcast ===
* Comcast Cable (Internet only, no voice or TV service)
** $66.95 per month (after taxes, COD at time of install is $169.21) - $3 modem rental per month
** No contract!
** Link speed is ~24Mbit down / ~5Mbit up. More testing at different times of the day would be useful.
** Wonderful quote from the service representative when asked about network filtering: "The network is filtered. Dynamic IPs. ''Constantly flowing.'' Upgrading to static is possible through the business department."
** The direct line for the person who took the order is 1-925-349-3300 x644201
** Our confirmation number for this order is: 503691


=== Speakeasy DSL ===
* Speakeasy DSL (on a dry pair - ordered for the (415) 864 area)
** Service has been delivered and installed at 83c
** Modem acts as a bridge straight into Speakeasy and comes with 1 static IP; 4 more are $20 per month.
*** Currently 66.92.8.180
*** Additional IP added on Jan 26th (requires configuration on the firewall): 66.92.8.123
** $105.95 per month ($99.00 install fee, first month free, hardware included - paid by Jake)
** Link speed: 6Mb down and 768k up
** 12 month contract (25 day trial period), $300 fee if canceled within the contract but outside of the stated trial period.
** 1 static IP included
** The direct line for the person (Michelle) who took the order is 1-877-240-4821
** In the future, we can upgrade the DSL to the following:
*** Kinda fast: 8Mb down and 768k up. 149.95 per month. Hardware and install waived.
*** Super fast: 10Mb down and 1Mb up. 179.95 per month. Hardware and install waived.


=== Other uplink possibilities ===
* Local wifi link (TBD - no current ETA on install)
** We need an antenna and a wifi access point that will uplink to our core switch (we need one of those too)
* Metro fiber
** [[User:Jof|jof]] called IPN for a rough estimate for construction of fiber to 83c. The sales representative's estimate would be between 90,000USD - 100,000USD for the initial buildout.
* Sonic.net ADSL2
** We're on the waiting list for 18Mb/1Mb ADSL2. Sometime in the next year service will be available in San Francisco.
* WiMax
** Currently this hasn't been very seriously researched
* SFLan
** We may have line of sight to a node if we can bounce off of a local building. This hasn't been seriously researched. We may want to try to get roof access for antennas and should talk to our very quiet neighbors.

I was contacted by Matt Peterson about connecting. I would be happy to do a site survey to see if you can hit the SFLAN or City wireless deployment from the Valencia Gardens development. That could get you 40Mb/s up and down. - Tim Pozar
 
== Hardware ==

=== Ownership ===

[[User:adi|Andy]] says:

if hardware has been at NB

1. not on a shelf
2. without a sign
3. without visible use for a month

, it's fair game for repurposing.

=== Current Gear ===

* Currently [[User:Matt|Matt]] has configured a [http://www.soekris.com/net4801.htm Soekris net4801] with a flashdist OpenBSD 4.4 build; no fancy GUI exists, just vi and a pf.conf config file. The eventual plan is to ghetto load balance between the Comcast and Speakeasy circuits.
** Passwords to both devices are in an envelope in the closet in the fishbowl. Or if you are known within the group, ping [[User:Jof|jof]]
** I've done load balancing like this on Linux (and in fact on a Soekris net4801); if anyone's interested I could prep a CF card to do this. [[User:Ryanc|Ryanc]] 18:34, 22 April 2009 (PDT)
* [[User:Ioerror|Jake]] has donated a FON [http://en.wikipedia.org/wiki/FON#La_Fonera_WiFi_Router La Fonera] router that has been liberated with a fresh DD-WRT install.
* A Ruckus Wireless ZoneFlex 2942 access point.
** Takes an 802.1q trunk (with PoE!) over a single Cat5/6 cable, and can take up to 8 802.1q tags and broadcast an SSID for each tag. -- [[User:Jof|jof]] 00:51, 4 October 2008 (PDT)
* [[switch1]], a [http://www.cisco.com/en/US/products/hw/switches/ps5213/tsd_products_support_series_home.html Cisco 2940-8TF].
* [[switch2]], a [http://cisco.com/en/US/products/hw/switches/ps637/tsd_products_support_eol_series_home.html Cisco 3512XL].
== Topology ==

[[Image:Noisebridge_net-2008-10-02.png|thumb|right|Older topology, does not include cisco box or ruckus AP]]

* External IP is assigned via DHCP from Comcast on the Soekris box.
* Currently, the address is 24.5.85.158.
** If modifying later, beware that Comcast will now only hand out a DHCP lease requested from 00:0A:E4:32:44:6E
** Comcast does egress filtering, so r00ter can't run asymmetric routing for the DSL IPs over the Comcast link. This manifests as being able to get out via DSL but not being able to get back in via 83c.noisebridge.net.
* Internal subnet is 172.30.0.0/24
** Soekris box is at 172.30.0.1
** [[switch1]] is at 172.30.0.3
** [[router1]] is at 172.30.0.4 (but has problems.)
** Ruckus AP (on the 12th Ethernet port, PoE) is at 172.30.0.5
* There are some existing Ethernet segments that you can patch into. If it has a number written in black marker on the outlet, this number corresponds to the outlet on the patch panel in the fishbowl closet.

== DNS ==

Internal machines (with NAT addresses in 172.30.0.0/24) have names in the <tt>.noise</tt> pseudo-TLD. These names are managed on the Soekris in <tt>/etc/hosts</tt> (NOT in a zone file). After editing <tt>/etc/hosts</tt>, you can SIGHUP the dnsmasq process to trigger a reload.
The /etc/hosts file is persistent now (it wasn't back when we used pfSense) so it no longer needs to be maintained on the wiki; the copy on the Soekris is canonical now.

== Wireless networks ==

The following networks are active at 83c now:
* '''noisebridge''' - insecure, NAT to Speakeasy via the hardware described above.
* '''noisebridge-dsl''' - insecure, NAT to Comcast via a standalone WRT54G. No access to the Noisebridge wired network.

The following networks are disabled in the Ruckus AP config:
* '''nbsweden''' - insecure, NAT to [https://www.relakks.com/?cid=gb Relakks]. '''not yet functional.''' vlan 21.
* '''nbgermany''' - insecure, NAT to Germany via CCC. '''not yet functional.''' vlan 31.
* '''nbipv6''' - insecure, IPv6 only. '''not yet functional.''' vlan 41.
* '''nbanonymous''' - insecure, transparent [[Tor]]. '''not yet functional.''' vlan 51.
* '''nbwpa''' - "secured" (so they say) using WPA. '''not yet functional.''' vlan 61.
* '''nblocal''' - insecure, local-only. No Internet route. '''not yet functional.''' vlan 71.


== Development ==
* See [[Network/testing]].

=== Installing Gear ===

[[User:adi|Andy]] says:

BTW, I've noticed a bunch of networking / computing gear with fans being installed in the downstairs networking closet. I would highly recommend that people not install gear with fans in that closet:

1. the wood/metal shop is very likely to cause your fans to become full of crap and stop working, and/or short out your power supplies.

2. the building floods in that corner every spring.


We installed a *lot* of spare Cat5 capacity between the upstairs and downstairs closets specifically so that there was no need to put more gear downstairs. Please just use the patch panel (label your patches or they'll be removed!) and install gear upstairs instead.

(Of course things like DOCSIS mean that we need *some* gear downstairs, but it should be

1. fanless

2. mounted on the wall or high up in the cabinet.)

=== Future Plans ===

Matt Peterson says:

In brief my suggestion is plug in both upstreams (Speakeasy ADSL and Comcast Cable) to the soekris, run a trunk to the switches I donated and use the Cisco AP to beacon out 3 SSIDs "noisebridge", "noisebridge-dsl", "noisebridge-cable". Each of these would map out to the various outbound ISPs (some folks may want quicker flickr uploads or faster firefox downloads or whatever), with the generic SSID combining both connections (shunt ssh, sip and other latency stuff over the larger outbound, the rest down the other connection). A shell script would monitor outages, reload pf rules as needed if a connection goes down. I got as far as making pf do the dual ISP network, however I never set up the trunk on the switches or Cisco AP (though the equipment is floating around the space).

==Network Devices & Services==
* [[Music]]
* [[Printers]]
* [[Infrastructure]]

Revision as of 01:40, 8 June 2015

Network Troubleshooting

Are you having issues with the internet or local network? Check out the Network Troubleshooting page for more information on what you can do to make things better or possibly seek help.

Disclaimer

Please note that Noisebridge does not guarantee or provide a perfect secure experience in the space. Just like anywhere else in the world you're held responsible for your own safety and wellbeing. This also includes content you receive or transmit or provide through any mediums, such as through pen and paper, sound waves or any networks wired or wireless functioning in the space. Noisebridge is a volunteer run and operated space that provides you with infrastructure, which you use at your own risk.

Free Public Wireless Networks

Noisebridge has two open wifi networks available for your use. In most cases if you connect to the network Noisebridge your laptop/phone/device will have the best luck getting crystal clear wifi and roam between radio channels according to which provides the most reliable and fastest connection.

The wifi and internet provided is for public use. Like any public network, you should regard Noisebridge's as potentially hostile and take appropriate precautions. In order to not give the impression of providing false security, Noisebridge does not run any encrypted wifi networks.

The following networks are active:

  • Noisebridge
    • No password
    • Uplink through Sonic.net and Monkeybrains
    • 802.11gn 2.4 GHz and 802.11an 5 GHz; your wifi device decides which network is the best for it and roams accordingly
  • Noisebridge 5g
    • No password
    • Uplink through Sonic.net and Monkeybrains
    • 802.11an 5 GHz only

Wired network

There are drops throughout the space. They are labeled with the corresponding number on the patch panel. Please don't destroy them (lol).

DNS

Dynamic DNS is provided by the NAT machine for DHCP clients on 172.30.0.30/22. Machines with static addresses are resolved by IPv4 or IPv6 mDNS and by the dynamic DNS entries the NAT machine creates from the DHCP service.

Development

  • See Network/testing.

Network Devices & Services

  • Music
  • Printers
  • Infrastructure

2169 Mission

Uplinks

DSL Circuit

There is a Sonic.net Fusion ADSL2+ DSL connection in the building. The physical circuit comes in from the MPOE in the basement and runs across the roof of the basement and up the side of the building into the DJ booth (Tea Room), then over to the Wall o' Tubes. The CPE is a Motorola 2210 ADSL2+. The admin password is the serial number, written on the bottom.

The addressing configuration is a little unusual. It's 75.101.62.0/24 and we've been allocated a /29 within that block: 75.101.62.88 - 75.101.62.95. Note that we get to use all 8 addresses; the broadcast and network address are 75.101.62.255 and 75.101.62.0 respectively. The gateway is 75.101.62.1.

The default CPE settings are not correct for our circuit configuration. From a factory reset, do the following to configure the CPE:

  1. Configure a computer for 192.168.1.253/24.
  2. Connect the computer to the DSL CPE.
  3. Power cycle the DSL CPE.
  4. Connect to 192.168.1.254 using your web browser.
  5. You will be prompted to set a password, use the serial number on the bottom of the DSL CPE.
  6. Get into expert mode.
  7. Under configure->connections, set the following:
    1. VPI: 0
    2. VCI: 35
    3. Protocol: Bridged Ethernet LLC/SNAP
    4. Bridging: on
  8. Under configure->DHCP server, set the following:
    1. DHCP Server Enabled: unchecked
  9. Save and reboot.

Motorola 2210 User Guide

Monkeybrains Wireless Link

We have a point-to-point wireless link to Monkeybrains on the roof. It comes down through the Dirty Shop skylight and runs into the server closet.

SFBroadband / City of SF / Internet Archive

We have a wireless point-to-point path up to Twin Peaks that connects up to a city-owned and volunteer-run IP transit network. Currently, we're hitting the dish off of the side and have a pretty terrible connection. For now, this network path is mostly only usable as a backup path.

There is a router in our wireless CPE hardware (st01-noisebridge-sfo) that connects up to the Noisebridge network and terminates as 172.30.0.54 on the "Inside / Internal" network. Set your default route via this IP to try the other path.

Access Control

Most hardware is set to use the most guessable logins and passwords possible. If you're interested in logging in, just make some guesses as to what the login can be. Use your favorite search engine. Poke around. Hack.

Experience the thrill of guessing a password that just works.

Router

Bikeshed is our humble router. It is a Soekris running Vyatta (a Linux-based router distribution).

The machine currently provides:

  • dhcpd
  • DNS (dnsmasq) - .noise local TLD and recursive proxy
  • Automatic load balancing and failover between Sonic DSL and Monkeybrains

Access is via SSH with keys.

Salient configuration

  • It is configured to fail over between DSL and Monkeybrains as conditions warrant.
  • It is configured with traffic shaping to prevent individual users from sucking up all the tubes.

If you have questions about these particular points of configuration, email rack. Nothing is particularly complicated.

Address Allocations

The reserved address allocations are:

75.101.62.88/29 from Sonic.net

We have a range within the encompassing /24: 75.101.62.{88..95}

  • .88 - biketrailer
  • .89 - pony.noisebridge.net
  • .90 - stallion.noisebridge.net
  • .91 - ChaosVPN la fonera eth0.1
  • .92 - minotaur.noisebridge.net
  • .93 - Unallocated
  • .94 - Unallocated
  • .95 - Mode-S Equipment (various port-NATings)

10.20.0.0/22 ("inside" network)

10.20.0.0 - 100 Statically-addressed things

Note: This is not a /24 subnet! The netmask is a /23.

  • .0.2 - biketrailer
  • .0.3 - pony
  • .0.4 - minotaur - console server and network troubleshooting/monitoring box
  • .0.5 - roof switch
  • .0.8 - Primary switch - Netgear GS724Tv2
  • .0.11 - West AP, DHCP mapped
  • .0.12 - Crutch AP, DHCP mapped
  • .0.22 - Pegasus
  • .0.52 - bunny (Bullion Mode-S receiver on the roof)
  • .0.53 - ronin (white Atom works with bunny, lives in Susan the Rack)
  • .0.54 - st01-noisebridge-sfo (sfwireless.org Ubiquiti Nanobridge M5 on the roof. Currently aimed at Twin Peaks.)

10.20.0.101 - 1.254

  • DHCP-assigned, user-access IP space

IPv6

Note: This is not currently implemented. The addresses are correct, though. Someday...

We have IPv6 support on the DSL circuit via a tunnel provided by sonic.net. The tunnel address is 2001:05a8:0:1::0ac6/127, if it needs to be reconfigured.

2001:5a8:4:5630::/60

This is the IPv6 subnet assigned to us by sonic. We configure the first /64 in this /60 so that autoconfiguration works. biketrailer hands out IPv6 router advertisements for this subnet directly, and your machine will SLAAC its way to ipv6 goodness. They're directly routable, but unsolicited incoming traffic is blocked by the firewall to protect the users. This means you can't run an IPv6 server on our IPv6 subnet, but you can connect to other machines on the IPv6 Internet just fine.
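One way to audit the address plan above (the Sonic.net /29, the inside static/DHCP split and the IPv6 delegation) before it is pushed to a router, as an added example that is not code from the Noisebridge wiki or its router configuration; the allocation tables are transcribed from this page, and the check logic is an assumption about what is worth verifying.

```python
import ipaddress

# Transcribed from the page: Sonic.net's /24 and the /29 we hold inside it.
SONIC_PARENT = ipaddress.ip_network("75.101.62.0/24")
SONIC_BLOCK = ipaddress.ip_network("75.101.62.88/29")
SONIC_HOSTS = [  # (address, owner) pairs from the allocation list
    ("75.101.62.88", "biketrailer"),
    ("75.101.62.89", "pony.noisebridge.net"),
    ("75.101.62.90", "stallion.noisebridge.net"),
    ("75.101.62.91", "ChaosVPN la fonera eth0.1"),
    ("75.101.62.92", "minotaur.noisebridge.net"),
    ("75.101.62.95", "Mode-S equipment"),
]

# Transcribed from the page: the "inside" network and its static/DHCP split.
# (The page calls it a /22 in one place and a /23 in another; the documented
# ranges fit inside either, so the check uses the /22 from the heading.)
INSIDE = ipaddress.ip_network("10.20.0.0/22")
STATIC_RANGE = (ipaddress.ip_address("10.20.0.0"), ipaddress.ip_address("10.20.0.100"))
DHCP_RANGE = (ipaddress.ip_address("10.20.0.101"), ipaddress.ip_address("10.20.1.254"))
INSIDE_HOSTS = [
    ("10.20.0.2", "biketrailer"), ("10.20.0.3", "pony"), ("10.20.0.4", "minotaur"),
    ("10.20.0.5", "roof switch"), ("10.20.0.8", "primary switch"),
    ("10.20.0.11", "West AP"), ("10.20.0.12", "Crutch AP"), ("10.20.0.22", "Pegasus"),
    ("10.20.0.52", "bunny"), ("10.20.0.53", "ronin"), ("10.20.0.54", "st01-noisebridge-sfo"),
]

IPV6_DELEGATION = ipaddress.ip_network("2001:5a8:4:5630::/60")


def usable_addresses(block, parent):
    """Addresses in `block` a host may use when `block` is carved out of `parent`.

    Only the network and broadcast addresses of the network the hosts actually
    sit on (the parent /24) are reserved, so a /29 that touches neither end of
    the /24 yields all 8 addresses, exactly as the page says.
    """
    if not block.subnet_of(parent):
        raise ValueError(f"{block} is not inside {parent}")
    reserved = {parent.network_address, parent.broadcast_address}
    return [a for a in block if a not in reserved]


def check_hosts(hosts, block, static_range=None):
    """Return a list of problems found in an allocation list.

    Flags addresses outside `block`, addresses outside the static range when
    one is given (a static host inside the DHCP pool collides with leases),
    and addresses assigned to two names.
    """
    problems, seen = [], set()
    for addr_s, name in hosts:
        addr = ipaddress.ip_address(addr_s)
        if addr not in block:
            problems.append(f"{name}: {addr} is outside {block}")
        elif static_range and not (static_range[0] <= addr <= static_range[1]):
            problems.append(f"{name}: {addr} is outside the static range")
        if addr in seen:
            problems.append(f"{addr} is assigned to more than one device")
        seen.add(addr)
    return problems


def ranges_overlap(a, b):
    """True if two inclusive (low, high) address ranges share any address."""
    return a[0] <= b[1] and b[0] <= a[1]


def slaac_prefix(delegation):
    """The first /64 of the delegated prefix, the one biketrailer advertises."""
    return next(delegation.subnets(new_prefix=64))


if __name__ == "__main__":
    print(len(usable_addresses(SONIC_BLOCK, SONIC_PARENT)), "usable Sonic addresses")
    print(check_hosts(SONIC_HOSTS, SONIC_BLOCK) or "Sonic allocations OK")
    print(check_hosts(INSIDE_HOSTS, INSIDE, STATIC_RANGE) or "inside allocations OK")
    print("static/DHCP overlap:", ranges_overlap(STATIC_RANGE, DHCP_RANGE))
    print("SLAAC prefix:", slaac_prefix(IPV6_DELEGATION))
```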

Machine Rack

The rack of machines and switches is counted by U, from the top, starting from "1".

"U"/Unit   Device
1-2        patch panel
3          Netgear G724Tv2 switch
5          Shelf with Bikeshed and POE injectors
7          Minotaur
Bottom     APC UPS