Difference between revisions of "Hackerspace Network Planning: Bubbly Dynamics"
Edit summaries: "Updating IP assignment to what we actually get"; m "Bot: Cosmetic changes".
Revision as of 22:18, 27 February 2017
Background
We're taking advantage of our building's shared internet access, which puts a limit on our network design. In particular, we will be double-NATed.
This isn't an ideal situation, but it is something we can work around.
Network Layout
For now, we'll refrain from setting up network segmentation internally.
┌────────────────────────────┐
│                            │
│       SSH:C Network        │
│       172.16.24.0/20       │
│                            │
└────────────────────────────┘
              │
              │
      ┌─────────────────┐
      │  SSH:C ROUTER   │
      │LAN: 172.16.24.1 │
      │ WAN: 10.1.10.x  │
      └─────────────────┘
              │
              │
┌────────────────────────────┐
│                            │
│     Building Network       │
│      192.168.2.0/24        │
│                            │
└────────────────────────────┘
              │
              │
     ┌────────────────────┐
     │  BUILDING ROUTER   │
     └────────────────────┘
              │
              │
     ┌─────────────────────┐
     │      INTERNET       │
     └─────────────────────┘
Hardware considerations
- Booting up the old pfSense box did not go well. We'll need to derack it and see what's wrong with it.
- We'll need to permanently mount the switch that's at the front of the space to prevent interruption of traffic for other tenants.
  - What do we need to do to finally get rid of this design? How hard is it going to be to pull a new home-run for us and stop depending on that splice? cswingler (talk) 20:20, 6 June 2016 (CDT)
  - Can we hard-wire that switch in, both electrically and network-wise? cswingler (talk) 20:20, 6 June 2016 (CDT)
  - How do we make sure no one disturbs that switch? cswingler (talk) 20:20, 6 June 2016 (CDT)
- We will need to run a line from the front of the space near the door to the back of the space, where the cabinet is.
  - Do we want to protect this in conduit? There's nothing that mandates that we do so, but it's an important link. cswingler (talk) 20:20, 6 June 2016 (CDT)
- Hard network drops throughout the rest of the space should be considered.
- We should probably get some internal monitoring stuff back online.
Network Routing Considerations
The double-NAT setup prevents us from having a publicly-routable IP address. Ways to work around this include:
- Setting up an AWS VPC gateway that we permanently leave online (this isn't particularly cheap, but it's not that expensive)
- Using an AWS EC2 instance with an Elastic IP and an OpenVPN point-to-point route (this is a little cheaper)
- Asking our landlord to get some more public IP space and route one of them to us (this is probably the cheapest and the most reliable)
- Ponying up for our own network link.
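To sanity-check the layout diagram above and make the double-NAT point concrete, here is an added Python example (not part of the wiki page) that walks the router chain from the inside out, flags prefix and addressing inconsistencies, and counts NAT layers. The host 10.1.10.5 stands in for the page's "10.1.10.x", and the building router's WAN address is assumed unknown.

```python
import ipaddress

# Constructed from the layout diagram on this page: each hop, listed from the
# inside out, is (router name, LAN prefix, WAN address). The host 10.1.10.5
# stands in for the page's "10.1.10.x", and the building router's WAN address
# is not documented on the page, so it is left as None.
TOPOLOGY = [
    ("SSH:C ROUTER", "172.16.24.0/20", "10.1.10.5"),
    ("BUILDING ROUTER", "192.168.2.0/24", None),
]


def check_topology(topology):
    """Validate a chain of routers and return (nat_layers, warnings).

    Checks: each LAN prefix starts on its mask boundary, LANs do not overlap,
    and an inner router's WAN address lies inside the next router's LAN.
    """
    warnings = []
    lans = []  # (router name, validated LAN network) seen so far
    for i, (name, lan, wan) in enumerate(topology):
        try:
            lan_net = ipaddress.ip_network(lan)  # strict: host bits must be zero
        except ValueError:
            lan_net = ipaddress.ip_network(lan, strict=False)
            warnings.append(f"{name}: LAN {lan} has host bits set; "
                            f"the aligned network is {lan_net}")
        for other_name, other_net in lans:
            if lan_net.overlaps(other_net):
                warnings.append(f"{name}: LAN {lan_net} overlaps "
                                f"{other_name} LAN {other_net}")
        lans.append((name, lan_net))
        if wan is not None and i + 1 < len(topology):
            outer_name, outer_lan, _ = topology[i + 1]
            outer_net = ipaddress.ip_network(outer_lan, strict=False)
            if ipaddress.ip_address(wan) not in outer_net:
                warnings.append(f"{name}: WAN {wan} is not inside "
                                f"{outer_name} LAN {outer_net}")
    # Every router whose LAN is RFC 1918 space translates addresses once, so
    # two private LANs in the chain is the double NAT the page describes.
    nat_layers = sum(1 for _, net in lans if net.is_private)
    return nat_layers, warnings


if __name__ == "__main__":
    layers, problems = check_topology(TOPOLOGY)
    print(f"NAT layers between the space and the internet: {layers}")
    for problem in problems:
        print("WARNING:", problem)
```

Run against the page's own numbers it reports two NAT layers and two warnings: 172.16.24.0/20 does not start on a /20 boundary (the aligned network is 172.16.16.0/20), and the SSH:C router's 10.1.10.x WAN address does not fall inside the 192.168.2.0/24 building network the diagram shows it plugged into.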