Deprecated Network

From the Linux and Unix Users Group at Virginia Tech Wiki

Latest revision as of 19:33, 27 January 2019

IPs

DNS                   Global IPv4      Purpose
security.ece.vt.edu   128.173.88.161   Milton's IP until the luug IPs got routed behind router.ece.vt.edu
cvl05.ece.vt.edu      128.173.88.145   Snapfeed's IP, reclaimed by bmckagen
dog.ece.vt.edu        128.173.88.131   We have a Sun box labeled "dog.ece.vt.edu", but the IP appears to be in use now for VMware ESXi.

ECE Server Closet

Limitations

We are behind the ECE Whittemore NAT, which is on a single 100 Mbps CNS port. We have the following limitations:

  • All adjustments to ECE DNS must be made through Brandon Russell
  • IP addresses are difficult to claim, because they must be forwarded through the NAT
  • IPv6 is not supported behind the Whittemore NAT

Consequently, we must:

  • Use an IPv6 tunnel if we want access to IPv6 addresses
  • Keep all internal services (like NFS) on an internal network

Desired Setup

This is what I'm hoping to migrate us to:

  • OpenWrt (odhcpd has built-in NDP proxying) or pfSense router
    • Partial: pfSense provides NAT on cyberdelia
  • An internal network smaller than a /8 (room for expansion)
    • Done: 10.99.0.0/16
  • IPsec (point-to-point and road warrior for users)
    • Can be done through openWRT or pfSense
  • Each VM host has a bridged Ethernet port with a global IPv4 address and performs NAT for its VMs. Additional IPv4 addresses are assigned to VMs as needed (e.g. milton and acidburn probably need their own)
    • Done on cyberdelia
  • All internal IPv4 addresses are static leases assigned by the router or set statically and documented somewhere; hypervisors do not have their own networks unnecessarily like wood currently does.
    • Internal network on cyberdelia has static IPs or long-term leases.
    • Cyberdelia still has too many internal networks, most of which are unnecessary.
  • Each device has a global IPv6 address
    • Currently provided through tunnel


CVL setup (deprecated)

Hardware:

  • "luugtemp" or "temp88191": a Poweredge 2650 with 2 NICs configured as an Ubuntu router
  • 8-port Gigabit unmanaged switch
  • 48-port 100 Mbps managed switch (attached to sunway)

Port security evasion (the CVL switch port admitted only one MAC address at a time, and there was no IPv6 prefix delegation, so each IPv6 address had to be requested individually via NDP; hence ARP proxying or 1-to-1 NAT for IPv4 and an NDP proxy for IPv6):

  • A bash script named "Nat" which presumably does 1-to-1 NAT
  • NDP proxying via https://npd6.github.io/npd6/
    • This is broken and misconfigured: it does not properly add routes, so the router answers neighbor solicitations for an address but has no route back to the host that owns it.

IPs / networks:

  • temp88191 is 10.0.0.1/8 internally and 128.173.88.191 externally; it serves DHCP on the internal interface
  • Sunway has static IPs setup (10.0.97.10 to 10.0.97.28)
  • Rackable servers: joey (10.0.4.10) and phantomphreak (10.0.4.11)
  • cyberdelia's IPv4 is luug0.ece.vt.edu
    • Port 9001 <-> 10.0.1.3 (cerealkiller)
    • Port 9030 <-> 10.0.1.3 (cerealkiller)
  • wood's IPv4 is luug1.ece.vt.edu
  • milton's IPv4 is luug2.ece.vt.edu
  • luug3.ece.vt.edu is (in theory) used by westinghouse (sunway's head node)
  • acidburn's IPv4 is luug.ece.vt.edu
  • acidburn has iodine configured as a DNS tunnel (10.152.78.1/27)
  • Other tenants of our router: mjh.ece.vt.edu and mirror.ece.vt.edu
  • 10.99.0.2/24 appears to be statically assigned to wood's guests.

Cyberdelia VMs, dnsmasq static leases in 10.0.1.0/24 (not actually a separate subnet; it lies inside the router's 10.0.0.0/8):

  • dhcp-host=52:54:00:14:df:c2,10.0.1.1 # "mail" (not yet configured)
  • dhcp-host=52:54:00:68:81:33,10.0.1.2 # crashoverride 2.0
  • dhcp-host=52:54:00:40:9a:55,10.0.1.3 # Cerealkiller 2.0
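The router plumbing described in the Limitations, Desired Setup and CVL sections above, collected as an added example that is not the wiki's "Nat" script or any LUUG code: 1-to-1 NAT to get around switch port security, the per-port forwards for cerealkiller, an NDP proxy that also installs the host route the npd6 setup was missing, and input filtering that keeps NFS off the CNS-facing interface. The interface names eth0 (CNS side) and eth1 (internal), TCP for ports 9001/9030, cyberdelia's internal address 10.0.1.10, and the public addresses 192.0.2.10 and 2001:db8:ace::3 are assumptions, because the page gives only hostnames for them.

```shell
#!/bin/sh
# Added example, not the wiki's own "Nat" script: the router plumbing the CVL and
# Desired Setup sections describe, as functions for a Linux router (iptables + ip).
# Assumptions not on the page: eth0 is the CNS-facing port, eth1 the internal
# network, ports 9001/9030 are TCP, and the public addresses are documentation
# placeholders because the page names hosts (luug0.ece.vt.edu) without addresses.
# DRY_RUN=1 prints each command instead of executing it (no root needed).

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1-to-1 NAT. Port security admits one MAC on the CNS port, so the router owns
# the extra public address itself and maps all of its traffic to one internal host.
onetoone_nat() {
    ext_if=$1 int_if=$2 pub=$3 priv=$4
    run ip addr add "$pub/32" dev "$ext_if"
    run iptables -t nat -A PREROUTING -i "$ext_if" -d "$pub" -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -o "$ext_if" -s "$priv" -j SNAT --to-source "$pub"
    run iptables -A FORWARD -i "$ext_if" -o "$int_if" -d "$priv" -j ACCEPT
    run iptables -A FORWARD -i "$int_if" -o "$ext_if" -s "$priv" -j ACCEPT
}

# Single-port forward (the "Port 9001 <-> 10.0.1.3" entries). Must be appended
# before a 1-to-1 rule for the same public address: PREROUTING takes the first match.
port_forward() {
    ext_if=$1 pub=$2 proto=$3 port=$4 priv=$5
    run iptables -t nat -A PREROUTING -i "$ext_if" -d "$pub" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$priv:$port"
    run iptables -A FORWARD -i "$ext_if" -p "$proto" -d "$priv" --dport "$port" -j ACCEPT
}

# NDP proxy for one global IPv6 address that lives on the internal side. The proxy
# entry makes the router answer neighbor solicitations on the CNS port; the host
# route is the step the page says npd6 skipped, and without it the router accepts
# the packets and has nowhere to forward them.
ndp_proxy() {
    ext_if=$1 int_if=$2 addr6=$3
    run sysctl -w net.ipv6.conf.all.forwarding=1
    run sysctl -w "net.ipv6.conf.$ext_if.proxy_ndp=1"
    run ip -6 neigh add proxy "$addr6" dev "$ext_if"
    run ip -6 route add "$addr6/128" dev "$int_if"
}

# "Keep all internal services (like NFS) on an internal network": refuse them on
# the CNS-facing interface even if a daemon binds to 0.0.0.0.
internal_only() {
    ext_if=$1 proto=$2 port=$3
    run iptables -A INPUT -i "$ext_if" -p "$proto" --dport "$port" -j DROP
}

apply_cvl_router() {
    luug0=192.0.2.10            # placeholder for luug0.ece.vt.edu (page gives no address)
    cyberdelia_int=10.0.1.10    # assumption: the page does not list cyberdelia's internal address
    cerealkiller=10.0.1.3       # from the page's dnsmasq lease list
    v6host=2001:db8:ace::3      # placeholder global IPv6 address for a tunnelled host

    run sysctl -w net.ipv4.ip_forward=1
    port_forward eth0 "$luug0" tcp 9001 "$cerealkiller"
    port_forward eth0 "$luug0" tcp 9030 "$cerealkiller"
    onetoone_nat eth0 eth1 "$luug0" "$cyberdelia_int"
    ndp_proxy eth0 eth1 "$v6host"
    internal_only eth0 tcp 2049   # NFS
    internal_only eth0 udp 2049
    internal_only eth0 tcp 111    # rpcbind
    internal_only eth0 udp 111
}

case "${1:-}" in
    apply) apply_cvl_router ;;
    dry)   DRY_RUN=1 apply_cvl_router ;;
esac
```

Run `sh nat.sh dry` to print the rules and `sh nat.sh apply` as root to install them. The order inside apply_cvl_router is deliberate: iptables appends, and PREROUTING stops at the first match, so the two port forwards go in before the catch-all 1-to-1 DNAT for the same public address or they are never reached.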