Resources/Network: Difference between revisions

From Noisebridge
Edit summary: m (Undo revision 40259 by Finn (talk))
(210 intermediate revisions by 35 users not shown)
----
'''Current revision (as of 05:01, 25 February 2014)'''
----

[[File:AlexPeake.jpg|889px]]

== [[New Network]] ==
We are in the process of getting a new network up and running in Noisebridge.<br>
Check out the [[New Network]] page to see what has been done, and what needs to be done.

== [[Network Troubleshooting]] ==
Are you having issues with the internet or local network? Check out the [[Network Troubleshooting]] page for more information on what you can do to make things better or possibly seek help.

== Disclaimer ==
''Please note that Noisebridge does not guarantee or provide a perfectly secure experience in the space. Just like anywhere else in the world, you're held responsible for your own safety and wellbeing. This also includes content you receive, transmit or provide through any medium, such as pen and paper, sound waves or any networks, wired or wireless, functioning in the space. Noisebridge is a volunteer-run and operated space that provides you with infrastructure, which you use at your own risk.''

[[File:ShadeS.jpg|900px]]

''As much as anyone volunteering at the space could state that we (Noisebridge) can provide you with a secure web browsing experience, this view may not be reflected across all of its members and participants (which is the actual case). Please take our advice and services with a grain of salt and understand that the only surely secure network is one that you set up and operate yourself.''

''Thank you for reading; please continue now on creating interesting things.''

--[[User:Rubin110|rubin110]] 05:48, 25 December 2010 (UTC)

== Wireless networks ==
=== Free Open Unsecure Wifi ===
Noisebridge generally has two or more unencrypted open wifi access points available for your use. If you can see the "noisebridge-a" network, congratulations: you have an 802.11a-compatible card and should use this network, as it is better, faster and stronger than the others. If you cannot see noisebridge-a, either it is not working or you do not have an 802.11a card; you probably have an 802.11g card. Hopefully you can see the "noisebridge" network, which is the one you should use in that case. Like any public network, you should regard Noisebridge's as [[Visitor_advice#Hostile_network|potentially hostile]] and take appropriate precautions.

The following networks are active at 2169 now:
* '''noisebridge''' - No encryption, NATted via the Sonic.net and Monkeybrains links, 802.11bg
* '''noisebridge-a''' - No encryption, NATted via the Sonic.net and Monkeybrains links, 802.11a
* '''noisebridge-tor''' - No encryption, all traffic transparently proxied through Tor.

=== Free Encrypted Unsecure Wifi ===
There are sometimes "secure" or encrypted wireless networks running at Noisebridge for research purposes. Please do not assume that these networks are in any way safer than an open network; they are not.

Encrypted wireless only means that anything transmitted between your laptop and the wifi access point is encrypted. '''This does not guarantee security or privacy at all.''' Someone malicious could simply sit between the Internet and the wifi access point and sniff all of your traffic after the access point decrypts it, or they could work out how the encryption functions and listen in on what you're transmitting, or you may be using an encryption method that is already broken. In any case, '''using an encrypted wifi network does not provide any useful security benefits at Noisebridge.'''

:NOTE: No technology 'guarantees' security or privacy. The above statement is true, and using the encrypted wifi network at Noisebridge doesn't give you more security, since the shared secret is widely known and the space is not secure. But WPA2 is a useful technology in general, and it's not practical to brute force if the [http://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface.html key is longer than 13 random characters]. By comparison, people who use unencrypted wireless are subject to [http://www.ethicalhacker.net/content/view/182/1/ trivially easy packet sniffing over the wire].

In most cases you may encounter more problems trying to get "online" through one of the encrypted networks than using one of the open ones.

A few members of the space have gone out of their way to make the Internet run as smoothly as possible; part of that is disabling these so-called secure networks [where do we call this "secure"?] to make room for the legitimate{{fact}} open ones that work a whole lot better{{fact}}.

You may want to see the [http://news.cnet.com/8301-31921_3-57394889-281/five-ways-to-protect-yourself-from-wi-fi-honeypots/ WiFi Pineapple Mark IV] in action to see how easy it is to honeypot a Wi-Fi network.

== DNS ==
Dynamic DNS is provided by the NAT machine for DHCP clients on 172.30.0.30/22. Resolution of machines with static addresses is done by IPv4 or IPv6 mDNS and by the dynamic DNS entries that the DHCP service creates on the NAT machine.

== Development ==
* See [[Network/testing]].

==Network Devices & Services==
* [[Music]]
* [[Printers]]
* [[Infrastructure]]

= 2169 Mission =

== Uplinks ==
=== DSL Circuit ===
There is a Sonic.net Fusion ADSL2+ DSL connection in the building. The physical circuit comes in from the MPOE in the basement, runs across the roof of the basement and up the side of the building into the DJ booth (Tea Room), then over to the Wall o' Tubes. The CPE is a Motorola 2210 ADSL2+. The admin password is the serial number, written on the bottom.

The addressing configuration is a little unusual. The provider's segment is 75.101.62.0/24 and we've been allocated a /29 within that block: 75.101.62.88 - 75.101.62.95. Note that we get to use all 8 addresses; the broadcast and network addresses are those of the /24, 75.101.62.255 and 75.101.62.0 respectively. The gateway is 75.101.62.1.

The default CPE settings are not correct for our circuit configuration. From a factory reset, do the following to configure the CPE:
# Configure a computer for 192.168.1.253/24.
# Connect the computer to the DSL CPE.
# Power cycle the DSL CPE.
# Connect to 192.168.1.254 using your web browser.
# You will be prompted to set a password; use the serial number on the bottom of the DSL CPE.
# Get into expert mode.
# Under configure->connections, set the following:
## VPI: 0
## VCI: 35
## Protocol: Bridged Ethernet LLC/SNAP
## Bridging: on
# Under configure->DHCP server, set the following:
## DHCP Server Enabled: unchecked
# Save and reboot.
[http://broadband.motorola.com/consumers/products/2210-02/downloads/2210-02-10NA-UserGuide.pdf Motorola 2210 User Guide]

=== Monkeybrains Wireless Link ===
We have a point-to-point wireless link to Monkeybrains on the roof.

=== SFBroadband / City of SF / Internet Archive ===
We have a wireless point-to-point path up to Twin Peaks that connects to a city-owned and volunteer-run IP transit network. Currently, we're hitting the dish off the side and have a pretty terrible connection. For now, this network path is mostly only usable as a backup path.

There is a router in our wireless CPE hardware (st01-noisebridge-sfo) that connects to the Noisebridge network and terminates as 172.30.0.54 on the "Inside / Internal" network. Set your default route via this IP to try the other path.

== Access Control ==
Most hardware is set to use the most guessable logins and passwords possible. If you're interested in logging in, just make some guesses as to what the login can be. Use your favorite search engine. Poke around. Hack.

Experience the thrill of guessing a password that just works.

== Router ==
Bikeshed is our humble router. It is a Soekris running Vyatta (a Linux-based router distribution).

The machine currently provides:
  * dhcpd
  * DNS (dnsmasq) - .noise local TLD and recursive proxy
  * Automatic load balancing and failover between Sonic DSL and Monkeybrains

Access is via SSH with keys.

=== Salient configuration ===
* It is configured to fail over between DSL and Monkeybrains as conditions warrant.
* It is configured with traffic shaping to prevent individual users from sucking up all the tubes.

If you have questions about these particular points of configuration, email rack. Nothing is particularly complicated.

== Address Allocations ==
The reserved address allocations are:

===75.101.62.88/29 from Sonic.net===
We have a range within the encompassing /24: 75.101.62.{88..95}

* .88 - bikeshed
* .89 - pony.noisebridge.net
* .90 - stallion.noisebridge.net
* .91 - ChaosVPN la fonera eth0.1
* .92 - minotaur.noisebridge.net
* .93 - Unallocated
* .94 - Unallocated
* .95 - Mode-S Equipment (various port-NATings)

===172.30.0.0/22 ("inside" network)===
====172.30.0.0 - 127 Statically-addressed things====

''Note: This is '''not''' a /25 subnet! The netmask is a /22.''

* .2 - bikeshed, Soekris router (runs Vyatta Linux and iptables/netfilter)
* .3 - unicornpee.noise, Vyatta testing VM on stallion.noise
* .4 - minotaur - console server and network troubleshooting/monitoring box
* .5 - goat - internal network testing VM on stallion
* .6 - treechopper, [http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl07288/bpl07288.pdf HP LaserJet 5Si MX] (working, not hosed)
* .7 - OpenGear IP Power 9258 in supply closet (power1)
* .8 - switch1 - Linksys 48-port gige
* .9 - switch2 - Cisco Catalyst 2940 TWoT - DECOMMISSIONED
* .10 - stallion - VM hosting server
* .11 - ChaosVPN la fonera internal interface (br-lan)
* .12 - ap3 - [http://www.ubnt.com/powerstation Powerstation 5] 802.11a (above the supply closet)
* .13 - ap2 - Cisco Aironet 1100 series (above the supply closet) - DECOMMISSIONED
* .14 - ap4 - Cisco Aironet 1100 series (above the eastern windows) - DECOMMISSIONED
* .15 - switch3 - Juniper EX-2200-24P-4G (donated by [[User:Jof|jof]] and J-iNet Solutions)
* .16 - wlan1 - A Ruckus Wireless Zone Director 1000 - DECOMMISSIONED
* .17 - Cisco Aironet 1220B (wbr1) - DECOMMISSIONED
* .18 - Cisco Aironet 1220B (wbr2) - DECOMMISSIONED
* .19 - switch5 - Cisco Catalyst 3550-12T - DECOMMISSIONED
* .20 - D-Link DIR-615 AP (ap5, in Turing) - DECOMMISSIONED
* .21 - Reserved for Door-duino -- [[User:Jof|jof]]
* .26 - [[Bridge]] router [[User:Thex|thex]] ([[User talk:Thex|talk]]) 12:08, 31 December 2013 (UTC)
* .30 - [[Pony]], main sandbox server
* .31 - [[Touch_Panels|Touchpanel]] by the door
* .32 - [[Touch_Panels|Touchpanel]] by the bar
* .33 - [[Touch_Panels|Touchpanel]] by Turing
* .34 - Linux Study Group Linksys BBEFS41 router
* .35 - Cisco IP phone
* .36 - Red payphone (Linksys PAP2)
* .37 - sw0tch - Cisco Catalyst 2950G-48-EI [[Special:Contributions/37.221.161.234|37.221.161.234]] 17:59, 7 January 2014 (UTC)
* .41 - [[Zebra]], Rebar and jukebox, Brother print server
* .42 - [[Ass]], greeting terminal
* .43 - Cisco SIP phone
* .44 - [[Horsy]], media center
* .48 - [[s3]]
* .49 - [[s3]] BMC
* .50 - Unallocated
* .51 - Possibly unallocated (originally Noise-Bot-Server; back-end computing for Noise-Bot)
* .52 - bunny (Bullion Mode-S receiver on the roof)
* .53 - ronin (white Atom; works with bunny, lives in Susan the Rack)
* .54 - st01-noisebridge-sfo (sfwireless.org Ubiquiti Nanobridge M5 on the roof, currently aimed at Twin Peaks)
* .55 - [[HP DesignJet 650C]]
* .56 - Brother HL-2070N (by laser cutter)

====172.30.0.128/25, 172.30.1.0/24, 172.30.2.0/24, 172.30.3.0/24====
* DHCP-assigned, user-access IP space

===172.30.4.0/24 (Tor-ified network)===
Note that 172.30.4.1 transparently proxies TCP connections via privoxy to Tor.
* .1 - "torbridge" interface on pony
* .2 - "noisebridge-tor" access point
* .10 - .254 -- Tor-ified clients (served by DHCP)

===172.31.0.0/24===
This is a separate NATed network for Monkeybrains-only traffic. It's served by "bikeshed".
* .1 - wlan0.bikeshed.noise
* .100 - .199 -- DHCP pool for clients

=== 10.100.4.0/23 ChaosVPN Range ===
* Network in the ChaosVPN
** Has yet to be set up. In the future, we may join the network so that we can route to other hackerspaces.
* [http://wiki.hamburg.ccc.de/index.php/ChaosVPN#ip_ranges ChaosVPN Wiki]

=== IPv6 ===
We have IPv6 support on the DSL circuit via a tunnel provided by sonic.net. Some details on how to get the OpenBSD-based flashrd distribution on the routers to tunnel correctly can be found on the [[Flashrd]] page.

Note that using IPv6 in some situations can let other people learn what model of computer you have and your network card's hardware (MAC) address, because of the way IPv6 stateless address autoconfiguration builds the host part of the address. If this is a concern, tell your computer not to use IPv6. Ask around Noisebridge if you need help or want more details.

==== 2001:5a8:4:5630::/60 ====
This is the IPv6 subnet assigned to us by Sonic. We only use the bottom /64 of this /60 so that automatic address configuration works right; the other 15/16ths of the address space are intentionally left unused. r00ter hands out IPv6 router advertisements for this subnet directly. The addresses are directly routable, but unsolicited incoming traffic is blocked by the firewall to protect the users. This means you can't run an IPv6 server on our IPv6 subnet, but you can connect to other machines on the IPv6 Internet just fine. If you really need to run an IPv6 server for some reason, consider using Teredo.

== OOB Management ==
Everything is connected to Minotaur.

{|border="1" cellspacing="0" cellpadding="5"
!Device
!Where
!Settings
|-
|bikeshed
|ops /dev/ttyUSB1
|115200
|-
|Downstairs gate panel
|/dev/ttyS2
|
|-
|Upstairs gate panel
|/dev/ttyS1
|
|}

=== Dial Backup ===
There is a modem connected to 415 800 6786 which you can call to talk to an mgetty process on the ops machine. This may be handy if the upstream Internet connections aren't working or you locked yourself out by accident. Please don't dial out on the modem; it costs money. Inbound calls on that circuit are free.

The modem is a [http://www.usr.com/support/product-template.asp?prod=2806 US Robotics 56K Corporate Analog Modem]. If you don't have a modem in your computer, you might be able to call it using your mobile phone. Just tether your phone to your computer like you normally would, but call our modem instead of the number that starts the tethering connection.

The modem has its remote access feature enabled. Read the manual for details.

== IP PDU ==
There is an IP PDU (model "IP 9258") at 172.30.0.7 which can be used to power cycle some of the devices in Susan the Rack.

To change the state of the power ports, you'll need to telnet in and run "setpower=11000000". Each index represents a port; "1" is on and "0" is off. Port 1 sometimes doesn't turn on unless you use the web interface, and it might take a couple of requests. Just keep clicking the apply button until it looks like power has been applied.

Changing some settings on the IP 9258 in the web interface may result in the power being cycled on some of the ports. Don't change settings unless you're prepared to deal with machines spontaneously resetting.

{|border="1" cellspacing="0" cellpadding="5"
!Port
!Device
|-
|1
|s2
|-
|2
|pony
|-
|3
|Power Strip with: Stallion, Sonic.net DSL Modem, and r00ter
|-
|4
|gorilla
|}

== Machine Rack ==
The rack of machines and switches is counted in U from the bottom, starting at "1".

{|border="1" cellspacing="0" cellpadding="5"
!"U"/Unit
!Device
|-
|22-24
|small stuff shelf
|-
|19-21
|EMPTY
|-
|18
|NEW switch1 (Linksys SRW2048 - 48 port gige)
|-
|16-17
|patch panel
|-
|11-15
|EMPTY
|-
|7-10
|pony
|-
|5-6
|rack support for pony
|-
|4
|EMPTY
|-
|1-3
|APC
|}

== Switch Ports ==
=== switch1 ===
'''Linksys 48 port gige'''

This switch is all for VLAN 1 (172.30.0.0/22), but it needs some reconfiguration. Would you like to fix it?

The yellow cable is the uplink to switch2.

===Primary switch===
'''Juniper EX2200, with POE'''

VLANs:
* VLAN 1: Internal network
* VLAN 10: Monkeybrains
* VLAN 20: Sonic

Interesting ports:

{|border="1" cellspacing="0" cellpadding="5"
!Port
!Far end
|-
|ge-0/0/3 (VLAN 1)
|stallion eth0
|-
|ge-0/0/4 (VLAN 1)
|noise-ap-west +POE
|-
|ge-0/0/6 (VLAN 1)
|noise-ap-east +POE
|-
|ge-0/0/14 (VLAN 1)
|Minotaur eth1
|-
|ge-0/0/17.0 (VLAN 1)
|bikeshed eth1
|-
|ge-0/0/18 (VLAN 10)
|monkeybrains uplink
|-
|ge-0/0/19 (VLAN 10)
|bikeshed eth0
|-
|ge-0/0/20 (VLAN 20)
|Sonic DSL modem
|-
|ge-0/0/21 (VLAN 20)
|bikeshed eth2
|-
|ge-0/0/22 (VLAN 20)
|minotaur eth0
|-
|ge-0/0/23 (VLAN 20)
|stallion eth1
|}

== KVM ==
There is no KVM, but there are monitors and a keyboard dedicated to the machines in the rack. You can easily recognize it because it's covered in nail polish and you can't see the keycaps. The delete key is in the upper-right corner of the keyboard, which is handy to know if you want to get into the BIOS of the machines.

= Other uplink possibilities =
* Metro fiber
** [[User:Jof|jof]] called IPN for a rough estimate for construction of fiber to 83c. The sales representative's estimate was between 90,000USD and 100,000USD for the initial buildout.
* Sonic.net ADSL2
** We have this, woot.
* WiMax
** Currently this hasn't been very seriously researched.
* SFLan
''We may have line of sight to a node if we can bounce off of a local building. This hasn't been seriously researched. We may want to try to get roof access for antennas and should talk to our very quiet neighbors.''

''I was contacted by Matt Peterson about connecting. I would be happy to do a site survey to see if you can hit the SFLAN or City wireless deployment from the Valencia Gardens development. That could get you 40Mb/s up and down. - Tim Pozar''

----
'''Older revision (the left column of the diff, before the 210 intermediate revisions)'''
----

== Status ==
There is an external status monitor at [http://status.noisebridge.net/cgi-bin/smokeping.cgi?target=Noisebridge status.noisebridge.net]. If something is wrong with the network at 83c, you should contact [[Admins|an admin]].

== It's 2 AM And The Admins Are Asleep ==
If no admin responds within a reasonable period of time (say, an hour), take matters into your own hands and send mail to [mailto:noisebridge-discuss@lists.noisebridge.net noisebridge-discuss] with answers to the following questions:
* Who are you?
* What happened?
* When did the problem begin? (If you were able to find out.)
* When was the problem noticed?
* When did it get fixed?
* What did you do to fix it? Please err on the side of too much detail rather than not enough.

Please try to observe [[Network Policies|the guidelines]] for network maintenance, but use your Most Excellent Judgment if something there doesn't seem to apply.

== Uplinks ==
=== '''24Mb/5Mb''' currently via Comcast ===
* Comcast Cable (Internet only, no voice or TV service)
** $66.95 per month (after taxes, COD at time of install is $169.21) - $3 modem rental per month
** No contract!
** Link speed is ~24Mbit down / ~5Mbit up. More testing at different times of the day would be useful.
** Wonderful quote from the service representative when asked about network filtering: "The network is filtered. Dynamic ips. Constantly flowing. Upgrading to static is possible through the business department."
** The direct line for the person who took the order is 1-925-349-3300 x644201
** Our confirmation number for this order is: 503691

=== Speakeasy DSL ===
* Speakeasy DSL (on a dry pair - ordered for the (415) 864 area)
** Service has been delivered and installed at 83c
** Modem acts as a bridge straight into Speakeasy and comes with 1 static IP; 4 more for $20 per month.
*** Currently 66.92.8.180
*** Additional IP added on Jan 26th (requires configuration on firewall): 66.92.8.123
** $105.95 per month - ($99.00 install fee, first month free, hardware included - paid by Jake)
** Link speed: 6Mb down and 768k up
** 12 month contract (25 day trial period), $300 fee if canceled in contract but outside of stated trial period.
** 1 static IP included
** The direct line for the person (Michelle) who took the order is 1-877-240-4821
** In the future, we can upgrade the DSL to the following:
*** Kinda fast: 8Mb down and 768k up. 149.95 per month. Hardware and install waived.
*** Super fast: 10Mb down and 1Mb up. 179.95 per month. Hardware and install waived.

=== Other uplink possibilities ===
* Local wifi link (TBD - no current ETA on install)
** We need an antenna and a wifi access point that will uplink to our core switch (we need one of those too).
* Metro fiber
** [[User:Jof|jof]] called IPN for a rough estimate for construction of fiber to 83c. The sales representative's estimate was between 90,000USD and 100,000USD for the initial buildout.
* Sonic.net ADSL2
** We're on the waiting list for 18Mb/1Mb ADSL2. Sometime in the next year service will be available in San Francisco.
* WiMax
** Currently this hasn't been very seriously researched.
* SFLan
** We may have line of sight to a node if we can bounce off of a local building. This hasn't been seriously researched. We may want to try to get roof access for antennas and should talk to our very quiet neighbors.
** I was contacted by Matt Peterson about connecting. I would be happy to do a site survey to see if you can hit the SFLAN or City wireless deployment from the Valencia Gardens development. That could get you 40Mb/s up and down. - Tim Pozar

== Hardware ==
=== Ownership ===
[[User:adi|Andy]] says:

if hardware has been at NB
1. not on a shelf
2. without a sign
3. without visible use for a month
, it's fair game for repurposing.

=== Current Gear ===
* Currently [[User:Matt|Matt]] has configured a [http://www.soekris.com/net4801.htm Soekris net4801] with a flashdist OpenBSD 4.4 build; no fancy GUI exists - just simple vi and a pf.conf config file. The eventual plan is to ghetto load balance between the Comcast and Speakeasy circuits.
** Passwords to both devices are in an envelope in the closet in the fishbowl. Or, if you are known within the group, ping [[User:Jof|jof]].
** I've done load balancing like this on Linux (and in fact on a Soekris net4801); if anyone's interested I could prep a CF card to do this. [[User:Ryanc|Ryanc]] 18:34, 22 April 2009 (PDT)
* [[User:Ioerror|Jake]] has donated a FON [http://en.wikipedia.org/wiki/FON#La_Fonera_WiFi_Router La Fonera] router that has been liberated with a fresh DD-WRT install.
* A Ruckus Wireless ZoneFlex 2942 access point.
** Takes an 802.1q trunk (with POE!) over a single Cat5/6 cable, and can take up to 8 802.1q tags and broadcast an SSID for each tag. -- [[User:Jof|jof]] 00:51, 4 October 2008 (PDT)
* [[switch1]], a [http://cisco.com/en/US/products/hw/switches/ps637/tsd_products_support_eol_series_home.html Cisco 3512XL].

== Topology ==
[[Image:Noisebridge_net-2008-10-02.png|thumb|right|Older topology, does not include cisco box or ruckus AP]]
* External IP is assigned via DHCP from Comcast on the Soekris box.
* Currently, the address is 24.5.85.158.
** If modifying later, beware that Comcast will now only hand out a DHCP lease requested from 00:0A:E4:32:44:6E
** Comcast does egress filtering, so r00ter can't run asymmetric routing for the DSL IPs over the Comcast link. This manifests as being able to get out via DSL but not being able to get back in via 83c.noisebridge.net.
* Internal subnet is 172.30.0.0/24
** Soekris box is at 172.30.0.1
** [[switch1]] is at 172.30.0.3
** [[router1]] is at 172.30.0.4 (but has problems.)
** Ruckus AP (on 12th Ethernet port, PoE) 172.30.0.5
* There are some existing Ethernet segments that you can patch into. If an outlet has a number written on it in black marker, this number corresponds to the outlet on the patch panel in the fishbowl closet.

== DNS ==
Internal machines (with NAT addresses in 172.30.0.0/24) have names in the <tt>.noise</tt> pseudo-TLD. These names are managed on the Soekris in <tt>/etc/hosts</tt> (NOT in a zone file). After editing <tt>/etc/hosts</tt>, you can SIGHUP the dnsmasq process to trigger a reload.

The /etc/hosts file is persistent now (it wasn't back when we used pfSense), so it no longer needs to be maintained on the wiki; the copy on the Soekris is canonical now.

== Wireless networks ==
The following networks are active at 83c now:
* '''noisebridge''' - insecure, NAT to Speakeasy via hardware described above.
* '''noisebridge-dsl''' - insecure, NAT to Comcast via standalone WRT54G. No access to Noisebridge wired network.

The following networks are disabled in the Ruckus AP config:
* '''nbsweden''' - insecure, NAT to [https://www.relakks.com/?cid=gb Relakks]. '''not yet functional.''' vlan 21.
* '''nbgermany''' - insecure, NAT to Germany via CCC. '''not yet functional.''' vlan 31.
* '''nbipv6''' - insecure, IPv6 only. '''not yet functional.''' vlan 41.
* '''nbanonymous''' - insecure, transparent [[Tor]]. '''not yet functional.''' vlan 51.
* '''nbwpa''' - "secured" (so they say) using WPA. '''not yet functional.''' vlan 61.
* '''nblocal''' - insecure, local-only. No Internet route. '''not yet functional.''' vlan 71.

== Development ==
* See [[Network/testing]].

=== Installing Gear ===
[[User:adi|Andy]] says:

BTW, I've noticed a bunch of networking / computing gear with fans being installed in the downstairs networking closet. I would highly recommend that people not install gear with fans in that closet:

1. the wood/metal shop is very likely to cause your fans to become full of crap and stop working, and/or short out your power supplies.

2. the building floods in that corner every spring.

We installed a *lot* of spare Cat5 capacity between the upstairs and downstairs closets specifically so that there was no need to put more gear downstairs. Please just use the patch panel (label your patches or they'll be removed!) and install gear upstairs instead.

(Of course things like DOCSIS mean that we need *some* gear downstairs, but it should be

1. fanless

2. mounted on the wall or high up in the cabinet.)

=== Future Plans ===
Matt Peterson says:
  In brief my suggestion is plug in both upstreams (Speakeasy ADSL and Comcast Cable) to the soekris,
  run a trunk to the switches I donated and use the Cisco AP to beacon out 3 SSID's "noisebridge",
  "noisebridge-dsl", "noisebridge-cable". Each of these would map out to the various outbound ISP's
  (some folks may want quicker flickr uploads or faster firefox downloads or whatever), with the
  generic SSID combined both connections (shunt ssh, sip and other latency stuff over the larger
  outbound, the rest down the other connection). A shell script would monitor outages, reload pf
  rules as needed if a connection goes down. I got as far as making pf do the dual ISP network,
  however I never setup the trunk on the switches or Cisco AP (though the equipment is floating
  around the space).

==Network Devices & Services==
* [[Music]]
* [[Printers]]
* [[Infrastructure]]

----
Revision as of 05:01, 25 February 2014

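The Sonic.net /29 described under "DSL Circuit" is unusual because the network and broadcast addresses are those of the enclosing /24, so all eight addresses are usable. As an added example (not part of the wiki page), this Python snippet checks that, contrasts it with what a stand-alone /29 would give, and derives the address/mask/gateway a host on the range must be given; that hosts use the /24 mask with the .1 gateway is an assumption drawn from the page's note, and the host names are abbreviated from the allocation table.

```python
"""Sanity-check the Sonic.net /29 that lives inside a /24 segment (added example)."""
import ipaddress

# Values from the wiki page: the provider's segment, our /29 and the gateway.
SEGMENT = ipaddress.IPv4Network("75.101.62.0/24")
ALLOCATION = ipaddress.IPv4Network("75.101.62.88/29")
GATEWAY = ipaddress.IPv4Address("75.101.62.1")

# Hosts the page lists on the /29 (names abbreviated); .93 and .94 are unallocated.
LISTED = {88: "bikeshed", 89: "pony", 90: "stallion", 91: "chaosvpn-fonera",
          92: "minotaur", 95: "mode-s"}


def usable_addresses(segment, allocation):
    """Addresses of `allocation` that are usable on the L2 segment `segment`.

    Only the segment's own network and broadcast addresses are reserved, so a
    /29 carved out of the middle of a /24 yields all eight addresses, not the
    six that a stand-alone /29 would offer."""
    if not allocation.subnet_of(segment):
        raise ValueError(f"{allocation} is not inside {segment}")
    reserved = {segment.network_address, segment.broadcast_address}
    return [a for a in allocation if a not in reserved]


def standalone_host_count(allocation):
    """What a naive, stand-alone /29 configuration would give you (for comparison)."""
    return len(list(allocation.hosts()))


def interface_config(last_octet):
    """Address, mask and gateway a host on the /29 should use.

    Assumption (from the page's note that the broadcast/network addresses are
    those of the /24): the host mask is /24, not /29. With a /29 mask the host
    would treat .88 as network and .95 as broadcast, and the gateway at .1
    would be outside its subnet."""
    addr = ipaddress.IPv4Address(f"75.101.62.{last_octet}")
    if addr not in usable_addresses(SEGMENT, ALLOCATION):
        raise ValueError(f"{addr} is not in our allocation")
    return {"address": f"{addr}/{SEGMENT.prefixlen}", "gateway": str(GATEWAY)}


def unallocated():
    """Last octets in the /29 that the page does not assign to any host."""
    return [int(a) & 0xFF for a in usable_addresses(SEGMENT, ALLOCATION)
            if (int(a) & 0xFF) not in LISTED]


if __name__ == "__main__":
    print(len(usable_addresses(SEGMENT, ALLOCATION)), "usable vs",
          standalone_host_count(ALLOCATION), "for a stand-alone /29")
    print(interface_config(95), "free:", unallocated())
```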
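The IPv6 section warns that stateless address autoconfiguration can reveal the network card's hardware address. As an added example (not from the wiki), this Python snippet derives the EUI-64 address that SLAAC without privacy extensions would generate for a constructed sample MAC on the page's /64, and recovers the MAC from such an address, so a user can check whether their own address leaks it; the MAC and the privacy-style address are constructed samples.

```python
"""Check whether an IPv6 address exposes the NIC's MAC via EUI-64 (added example)."""
import ipaddress

# Our /64 from the wiki page; the MAC and addresses below are constructed samples.
PREFIX = "2001:5a8:4:5630::/64"
SAMPLE_MAC = "00:1c:c0:12:34:56"
SAMPLE_PRIVACY_ADDR = "2001:5a8:4:5630:8c1d:9e2f:4a6b:7c8d"  # RFC 4941 style random IID


def mac_to_eui64_address(prefix, mac):
    """What SLAAC without privacy extensions derives from a MAC: split the
    48-bit MAC in two, insert 0xfffe in the middle, flip the universal/local
    bit (0x02 of the first octet) and append the result to the /64 prefix."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def eui64_to_mac(addr):
    """Reverse the derivation: return the embedded MAC, or None when the
    interface identifier lacks the ff:fe marker (e.g. a privacy address).
    A false positive is possible if a random IID happens to contain ff:fe."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    o = iid.to_bytes(8, "big")
    if o[3] != 0xFF or o[4] != 0xFE:
        return None
    mac = bytes([o[0] ^ 0x02]) + o[1:3] + o[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def vendor_prefix(mac):
    """First three octets (the OUI). This is the part an observer looks up to
    guess the NIC vendor, and from that often the laptop model."""
    return mac[:8]


def privacy_report(addrs):
    """Classify each address as leaking its MAC or being private."""
    report = {}
    for a in addrs:
        mac = eui64_to_mac(a)
        report[a] = f"leaks MAC {mac}" if mac else "private"
    return report


if __name__ == "__main__":
    leaky = mac_to_eui64_address(PREFIX, SAMPLE_MAC)
    print(privacy_report([leaky, SAMPLE_PRIVACY_ADDR]))
```

Rather than switching IPv6 off entirely as the page suggests, a Linux host can keep IPv6 and stop the leak with `sysctl net.ipv6.conf.all.use_tempaddr=2`, which makes the kernel generate and prefer RFC 4941 temporary addresses.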
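The IP PDU section describes the positional "setpower=" string, where each digit is one port. As an added example (not from the wiki), this Python code parses and builds that string and reports which rack devices would change state, using the port table from the page, so an operator can see what a command will reset before sending it; the PDU's current state is supplied by the operator, and no command for reading it back is assumed.

```python
"""Build and check the IP 9258 PDU "setpower=" command (added example)."""

PORT_COUNT = 8
PREFIX = "setpower="

# Port-to-device mapping from the IP PDU table on the wiki page.
PORT_DEVICES = {
    1: "s2",
    2: "pony",
    3: "power strip (stallion, Sonic.net DSL modem, r00ter)",
    4: "gorilla",
}


def parse_setpower(cmd):
    """Turn "setpower=11000000" into {1: True, 2: True, 3: False, ...}.
    The string is positional: the i-th character from the left is port i;
    "1" is on and "0" is off."""
    if not cmd.startswith(PREFIX):
        raise ValueError("not a setpower command")
    bits = cmd[len(PREFIX):]
    if len(bits) != PORT_COUNT or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {PORT_COUNT} binary digits, got {bits!r}")
    return {i + 1: b == "1" for i, b in enumerate(bits)}


def build_setpower(states):
    """Inverse of parse_setpower. Every port 1..8 must be given a state, so
    a port is never switched off merely because it was left out."""
    missing = set(range(1, PORT_COUNT + 1)) - set(states)
    if missing:
        raise ValueError(f"no state given for ports {sorted(missing)}")
    return PREFIX + "".join("1" if states[p] else "0" for p in range(1, PORT_COUNT + 1))


def set_port(current_cmd, port, on):
    """Return a command that changes only `port`, starting from the PDU's
    current state (`current_cmd`), so every other port keeps its state."""
    states = parse_setpower(current_cmd)
    if port not in states:
        raise ValueError(f"port {port} out of range 1..{PORT_COUNT}")
    states[port] = bool(on)
    return build_setpower(states)


def affected_devices(current_cmd, new_cmd):
    """Devices whose power would change if `new_cmd` were sent while the PDU
    is in state `current_cmd`. Review this before sending: the page warns
    that machines reset when ports are cycled unintentionally."""
    before, after = parse_setpower(current_cmd), parse_setpower(new_cmd)
    return [(p, PORT_DEVICES.get(p, f"port {p} (unlisted)"), "on" if after[p] else "off")
            for p in range(1, PORT_COUNT + 1) if before[p] != after[p]]


if __name__ == "__main__":
    now = "setpower=11000000"          # operator-supplied current state
    proposed = set_port(now, 4, True)  # power up gorilla only
    print(proposed, affected_devices(now, proposed))
```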
File:AlexPeake.jpg

New Network

We are underway of getting a new network up and running in NoiseBridge
Check out the New Network to see what has been done, and what needs to be done.

Network Troubleshooting

Are you having issues with the internet or local network? Check out the Network Troubleshooting page for more information on what you can do to make things better or possibly seek help.

Disclaimer

Please note that Noisebridge does not guarantee or provide a perfect secure experience in the space. Just like anywhere else in the world you're held responsible for your own safety and wellbeing. This also includes content you receive or transmit or provide through any mediums, such as through pen and paper, sound waves or any networks wired or wireless functioning in the space. Noisebridge is a volunteer run and operated space that provides you with infrastructure, which you use at your own risk.

File:ShadeS.jpg

As much as anyone volunteering at the space could state that we (Noisebridge) can provide you with a secure web browsing experience, this view may not be reflected over all of its members and participants (which is the actual case). Please take our advice and services with a grain of salt and understand that the only sure secure network is one that you setup and operate yourself.

Thank you for reading, please continue now on creating interesting things.

--rubin110 05:48, 25 December 2010 (UTC)

Wireless networks

Free Open Unsecure Wifi

Noisebridge generally has two or more unencrypted open wifi access points available for your use. If you can see the "noisebridge-a" network, congratulations, you have an 802.11a-compatible card and should use this network as it is better faster and stronger than the others. If you cannot see noisebridge-a, either it is not working or you do not have an 802.11a card. You probably have an 802.11g card. Hopefully you can see the "noisebridge" network, which is the one you should use in that case. Like any public network, you should regard noisebridge's as potentially hostile and take appropriate precautions.

The following networks are active at 2169 now:

  • noisebridge - No encryption, NATted via the Sonic.net and Monkeybrains links, 802.11bg
  • noisebridge-a - No encryption, NATted via the Sonic.net and Monkeybrains links, 802.11a
  • noisebridge-tor - No encryption, all traffic transparently proxied through tor.

Free Encrypted Unsecure Wifi

There are sometimes "secure" or encrypted wireless networks running at Noisebridge for research purposes. Please do not assume that these networks are in any way safer than an open network is; they are not.

Encrypted wireless only means that anything transmitted between your laptop and the wifi access point is encrypted. This does not guarantee security or privacy at all. Someone malicious could simply sit in between the Internet and the wifi access point and sniff all of your traffic after the access point unencrypts it, or they can figure out how the encryption functions and sit in on what you're transmitting, or you use an encryption method that is already broken. In any case, using an encrypted wifi network does not provide any useful security benefits at Noisebridge.

NOTE: No technology 'guarantees' security or privacy. The above statement is true, and using the encrypted wifi network at Noisebridge doesn't give you more security, since the shared secret is widely known and the space is not secure. But WPA2 is a useful technology in general, and it's not practical to brute force if the key is longer than 13 random characters. By comparison, people who use unencrypted wireless are subject to trivially easy packet sniffing over the wire.

In most cases you may encounter more problems trying to get "online" through one of the encrypted networks than using one of the open ones.

A few members of the space have gone out of their way to make the Internet run as smooth as possible; part of that is disabling these so-called secure networks [where do we call this "secure"?] to give room for the legitimate[citation needed] open ones that work a whole lot better[citation needed].

You may want to see the WiFi Pineapple Mark IV in action to see how easy it is to honeypot a WIFI.

DNS

Dynamic DNS is provided by the nat machine for DHCP clients on 172.30.0.30/22. Resolution of machines with static addresses is done by ipv4 or ipv6 mDNS and dynamic DNS entries on the nat machine from the DHCP service.

Development

Network Devices & Services

2169 Mission

Uplinks

DSL Circuit

There is a Sonic.net Fusion ADSL2+ DSL connection in the building. The physical circuit comes in from the MPOE in the basement and runs across the roof of the basement and up the side of the building into the DJ booth (Tea Room), then over to the Wall o' Tubes. The CPE is a Motorola 2210 ADSL2+. The admin password is the serial number, written on the bottom.

The addressing configuration is a little unusual. It's 75.101.62.0/24 and we've been allocated a /29 within that block: 75.101.62.88 - 75.101.62.95. Note that we get to use all 8 addresses; the broadcast and network address are 75.101.62.255 and 75.101.62.0 respectively. The gateway is 75.101.62.1.

The default CPE settings are not correct for our circuit configuration. From a factory reset, do the following to configure the CPE:

  1. Configure a computer for 192.168.1.253/24.
  2. Connect the computer to the DSL CPE.
  3. Power cycle the DSL CPE.
  4. Connect to 192.168.1.254 using your web browser.
  5. You will be prompted to set a password, use the serial number on the bottom of the DSL CPE.
  6. Get into expert mode.
  7. Under configure->connections, set the following:
    1. VPI: 0
    2. VCI: 35
    3. Protocol: Bridged Ethernet LLC/SNAP
    4. Bridging: on
  8. Under configure->DHCP server, set the following:
    1. DHCP Server Enabled: unchecked
  9. Save and reboot.

Motorola 2210 User Guide

Monkeybrains Wireless Link

We have a point-to-point wireless link to Monkeybrains on the roof.

SFBroadband / City of SF / Internet Archive

We have a wireless point-to-point path up to Twin Peaks that connects up to a city-owned and volunteer-run IP transit network. Currently, we're hitting the dish off of the side and have a pretty terrible connection. For now, this network path is mostly only usable as a backup path.

There is a router in our wireless CPE hardware (st01-noisebridge-sfo) that connects up to the Noisebridge network and terminates as 172.30.0.54 on the "Inside / Internal" network. Set your default route via this IP to try the other path.

Access Control

Most hardware is set to use the most guessable logins and passwords possible. If you're interested in logging in, just make some guesses as to what the login can be. Use your favorite search engine. Poke around. Hack.

Experience the thrill of guessing a password that just works.

Router

Bikeshed is our humble router. It is a Soekris running Vyatta (a Linux-based router distribution).

The machine currently provides:

  • dhcpd
  • DNS (dnsmasq) - .noise local TLD and recursive proxy
  • Automatic load balancing and failover between Sonic DSL and Monkeybrains

Access is via SSH with keys.

Salient configuration

  • It is configured to fail over between DSL and Monkeybrains as conditions warrant.
  • It is configured with traffic shaping to prevent individual users from sucking up all the tubes.

If you have questions about these particular points of configuration, email rack. Nothing is particularly complicated.

Address Allocations

The reserved address allocations are:

75.101.62.88/29 from Sonic.net

We have a range within the encompassing /24: 75.101.62.{88..95}

  • .88 - bikeshed
  • .89 - pony.noisebridge.net
  • .90 - stallion.noisebridge.net
  • .91 - ChaosVPN la fonera eth0.1
  • .92 - minotaur.noisebridge.net
  • .93 - Unallocated
  • .94 - Unallocated
  • .95 - Mode-S Equipment (various port-NATings)

172.30.0.0/22 ("inside" network)

172.30.0.0 - 127 Statically-addressed things

Note: This is not a /25 subnet! The netmask is a /22.

  • .2 - bikeshed, soekris router (runs Vyatta Linux and iptables/netfilter)
  • .3 - unicornpee.noise, Vyatta testing VM on stallion.noise
  • .4 - minotaur - console server and network troubleshooting/monitoring box
  • .5 - goat - Internal network testing VM on stallion
  • .6 - treechopper, Laserjet 5Si MX (working, not hosed)
  • .7 - OpenGear IP Power 9258 in supply closet (power1)
  • .8 - switch1 - Linksys 48-port gige
  • .9 - switch2 - Cisco Catalyst 2940 TWoT - DECOMMISSIONED
  • .10 - stallion - VM hosting server
  • .11 - ChaosVPN la fonera internal interface (br-lan)
  • .12 - ap3 - Powerstation 5 802.11a (above the supply closet)
  • .13 - ap2 - Cisco Aironet 1100 series (above the supply closet) - DECOMMISSIONED
  • .14 - ap4 - Cisco Aironet 1100 series (above the Eastern windows) - DECOMMISSIONED
  • .15 - switch3 - Juniper EX-2200-24P-4G (donated by jof and J-iNet Solutions)
  • .16 - wlan1 - A Ruckus Wireless Zone Director 1000 - DECOMMISSIONED
  • .17 - Cisco Aironet 1220B (wbr1) - DECOMMISSIONED
  • .18 - Cisco Aironet 1220B (wbr2) - DECOMMISSIONED
  • .19 - switch5 - Cisco Catalyst 3550-12T - DECOMMISSIONED
  • .20 - D-Link DIR-615 AP (ap5, in Turing) - DECOMMISSIONED
  • .21 - Reserving for Door-duino -- jof
  • .26 - Bridge router thex (talk) 12:08, 31 December 2013 (UTC)
  • .30 - Pony, main sandbox server
  • .31 - Touchpanel by the door
  • .32 - Touchpanel by the bar
  • .33 - Touchpanel by the turing
  • .34 - Linux Study Group Linksys BBEFS41 Router
  • .35 - Cisco IP Phone
  • .36 - Red Payphone (Linksys PAP2)
  • .37 - sw0tch - Cisco Catalyst 2950G-48-EI 37.221.161.234 17:59, 7 January 2014 (UTC)
  • .41 - Zebra, Rebar and jukebox, Brother print server
  • .42 - Ass, greeting terminal
  • .43 - Cisco SIP Phone
  • .44 - Horsy. media center
  • .48 - s3
  • .49 - s3 BMC
  • .50 - Unallocated
  • .51 - Possibly Unallocated (originally Noise-Bot-Server; back-end computing for Noise-Bot)
  • .52 - bunny (Bullion Mode-S receiver on the roof)
  • .53 - ronin (white Atom works with bunny, lives in Susan the Rack)
  • .54 - st01-noisebridge-sfo (sfwireless.org Ubiquiti Nanobridge M5 on the roof. Currently aimed at Twin Peaks.)
  • .55 - HP DesignJet 650C
  • .56 - Brother HL-2070N ( by laser cutter)

172.30.0.128/25, 172.30.1.0/24, 172.30.2.0/24, 172.30.3.0/24

  • DHCP-assigned, user-access IP space

172.30.4.0/24 (Tor-ified network)

Note that 172.30.4.1 transparently proxies TCP connections via privoxy to tor.

  • .1 - "torbridge" interface on pony
  • .2 - "noisebridge-tor" access point.
  • .10 - .254 -- Tor-ified clients (served by DHCP)

172.31.0.0/24

This is a separate NAT-ed network for Monkeybrains-only traffic. It's served by "bikeshed".

  • .1 - wlan0.bikeshed.noise
  • .100 - .199 -- DHCP pool for clients.

10.100.4.0/23 ChaosVPN Range

  • Network in the ChaosVPN
    • Has yet to be set up. In the future, we may join the network so that we can route to other hackerspaces
  • ChaosVPN Wiki

IPv6

We have IPv6 support on the DSL circuit via a tunnel provided by sonic.net. Some details on how to get the OpenBSD-based flashrd distribution on the routers to tunnel correctly can be found on the Flashrd page.

Note that using IPv6 in some situations can reveal your network card's hardware (MAC) address, and therefore the card's vendor, to every host you talk to, because stateless address autoconfiguration without privacy extensions embeds the MAC address in the interface identifier (the EUI-64 scheme). If this is a concern, enable privacy extensions (RFC 4941) or tell your computer not to use IPv6. Ask around Noisebridge if you need help or want more details.
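To see what an EUI-64 address gives away, the following added example (not Noisebridge's code) builds the SLAAC address a card would get on the page's /64 and recovers the MAC address back out of it; the MAC address, the second "random-looking" address and the two-entry vendor table are constructed for illustration, with the full OUI registry published by the IEEE.

```python
import ipaddress

# Added example (not Noisebridge's code). The prefix is the page's /64; the
# MAC address and the privacy-style address in the test are constructed.

# A two-entry sample of well-known 24-bit OUIs (vendor prefixes), assumed here
# for illustration; the full registry is maintained by the IEEE.
OUI_VENDORS = {
    "00:50:56": "VMware, Inc.",
    "b8:27:eb": "Raspberry Pi Foundation",
}

PREFIX = "2001:5a8:4:5630::/64"  # the bottom /64 of the /60 described below


def eui64_address(prefix: str, mac: str) -> str:
    """What SLAAC without privacy extensions produces: the 64-bit prefix plus the
    modified EUI-64 of the MAC, i.e. the MAC with ff:fe inserted in the middle and
    the universal/local bit (0x02 of the first octet) inverted."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def mac_from_address(addr: str):
    """Undo the transformation above. Returns None when the interface identifier is not
    EUI-64 shaped, as with RFC 4941 temporary or RFC 7217 stable-privacy addresses.
    (A random identifier contains ff:fe at that position with probability 1/65536.)"""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def vendor_of(mac: str) -> str:
    """Vendor lookup on the first three octets (the OUI)."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown vendor")


def what_it_leaks(addr: str) -> str:
    """One-line assessment, handy for eyeballing `ip -6 addr` or `ifconfig` output."""
    mac = mac_from_address(addr)
    if mac is None:
        return "no hardware address embedded"
    return f"MAC {mac} ({vendor_of(mac)}); this host part follows the machine to every network"


if __name__ == "__main__":
    addr = eui64_address(PREFIX, "b8:27:eb:12:34:56")
    print(addr, "->", what_it_leaks(addr))
```

The tracking concern is the second half of what_it_leaks(): an EUI-64 identifier stays the same whatever prefix the machine connects under, so it identifies the machine across networks. On Linux, RFC 4941 temporary addresses are enabled with the sysctl net.ipv6.conf.all.use_tempaddr=2; most current desktop and phone operating systems already default to randomised or stable-privacy identifiers, which is what mac_from_address() returning None indicates.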

2001:5a8:4:5630::/60

This is the IPv6 subnet assigned to us by sonic. We only use the bottom /64 of this /60 so that stateless address autoconfiguration, which requires a 64-bit prefix, works right; the other 15 /64s are intentionally left unused. r00ter hands out IPv6 router advertisements for this subnet directly. The addresses are globally routable, but unsolicited incoming traffic is blocked by the firewall to protect the users. This means you can't run an IPv6 server on our IPv6 subnet, but you can connect to other machines on the IPv6 Internet just fine. If you really need to run an IPv6 server for some reason, consider using Teredo.

OOB Management

Everything is connected to Minotaur.

Device                  Where               Settings
bikeshed                ops /dev/ttyUSB1    115200
Downstairs gate panel   /dev/ttyS2
Upstairs gate panel     /dev/ttyS1

Dial Backup

There is a modem connected to 415 800 6786 which you can call to talk to an mgetty process on the ops machine. This may be handy if the upstream Internet connections aren't working or you locked yourself out by accident. Please don't dial out on the modem, it costs money. Inbound calls on that circuit are free.

The modem is a US Robotics 56K Corporate Analog Modem. If you don't have a modem in your computer, you might be able to call it using your mobile phone. Just tether your phone to your computer like you normally would, but call our modem instead of calling the number to start the tethering connection.

The modem has its remote access feature enabled. Read the manual for details.

IP PDU

There is an IP PDU (model "IP 9258") at 172.30.0.7 which can be used to power cycle some of the devices in Susan the Rack.

To change the state of the power ports, you'll need to telnet in and run "setpower=11000000". Each index represents a port, "1" is on and "0" is off. Port 1 sometimes doesn't turn on unless you use the web interface, and it might take a couple requests. Just keep clicking the apply button until it looks like power has been applied.

Changing some settings on the IP 9258 in the web interface may result in the power being cycled on some of the ports. Don't change settings unless you're prepared to deal with machines spontaneously resetting.

Port Device
1 s2
2 pony
3 Power Strip with: Stallion, Sonic.net DSL Modem, and r00ter
4 gorilla

Machine Rack

The rack of machines and switches is counted by U, from the bottom, starting from "1".

"U"/Unit Device
22-24 small stuff shelf
19-21 EMPTY
18 NEW switch1 (Linksys SRW2048 - 48 port gige)
16-17 patch panel
11-15 EMPTY
7-10 pony
5-6 rack support for pony
4 EMPTY
1-3 APC

Switch Ports

switch1

Linksys 48 port gige

This switch is all for vlan 1 (172.30.0.0/22), but it needs some reconfiguration. Would you like to fix it?

The yellow cable is the uplink to switch2

Primary switch

Juniper EX2200, with POE

VLANs:

  • VLAN 1: Internal network
  • VLAN 10: Monkeybrains
  • VLAN 20: Sonic

Interesting ports:

Port Far end
ge-0/0/3 (VLAN 1) stallion eth0
ge-0/0/4 (VLAN 1) noise-ap-west +POE
ge-0/0/6 (VLAN 1) noise-ap-east +POE
ge-0/0/14 (VLAN 1) Minotaur eth1
ge-0/0/17.0 (VLAN 1) bikeshed eth1
ge-0/0/18 (VLAN 10) monkeybrains uplink
ge-0/0/19 (VLAN 10) bikeshed eth0
ge-0/0/20 (VLAN 20) Sonic DSL modem
ge-0/0/21 (VLAN 20) bikeshed eth2
ge-0/0/22 (VLAN 20) minotaur eth0
ge-0/0/23 (VLAN 20) stallion eth1

KVM

There is no KVM, but there are monitors and a keyboard dedicated to the machines in the rack. You can easily recognize it because it's covered in nail polish and you can't see the keycaps. The delete key is in the upper-right corner of the keyboard, which is handy to know if you want to get into the BIOS of the machines.

Other uplink possibilities

  • Metro fiber
    • jof called IPN for a rough estimate for construction of fiber to 83c. The sales representative's estimate would be between 90,000USD - 100,000USD for the initial buildout.
  • Sonic.net ADSL2
    • We have this, woot.
  • WiMax
    • Currently this hasn't been very seriously researched
  • SFLan

We may have line of sight to a node if we can bounce off of a local building. This hasn't been seriously researched. We may want to try to get roof access for antennas and should talk to our very quiet neighbors.

I was contacted by Matt Peterson about connecting. I would be happy to do a site survey to see if you can hit the SFLAN or City wireless deployment from the Valencia Gardens development. That could get you 40Mb/s up and down. - Tim Pozar