Difference between revisions of "Hackerspace Network Planning: Bubbly Dynamics"

From sshcWiki
(thoughts, designs, I am sitting in my back yard by a fire)
(Updating IP assignment to what we actually get)
Line 38: Line 38:
 
│                            │
 
│                            │
 
│      Building Network      │
 
│      Building Network      │
      10.1.10.0/24      
+
      192.168.2.0/24      
 
│                            │
 
│                            │
 
│                            │
 
│                            │
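Review bot: The SSH:C ROUTER box still reads WAN: 10.1.10.x after the Building Network label at line 38 becomes 192.168.2.0/24, so the diagram now shows a WAN address outside the network it is drawn as connecting to. Update the router's WAN label to an address in 192.168.2.0/24 in the same edit, or add a note explaining why the two differ.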

Revision as of 19:09, 8 June 2016

Background

We're taking advantage of our building's shared internet access, which limits our network design. In particular, we will be double-NATed.

This isn't an ideal situation, but it is something we may be able to work around.

Network Layout

For now, we'll refrain from setting up network segmentation internally.

┌────────────────────────────┐
│                            │
│                            │
│                            │
│       SSH:C Network        │
│       172.16.24.0/20       │
│                            │
│                            │
│                            │
└────────────────────────────┘
               │
               │
               │
               │
      ┌─────────────────┐
      │  SSH:C ROUTER   │
      │LAN: 172.16.24.1 │
      │ WAN: 10.1.10.x  │
      │                 │
      └─────────────────┘
               │
               │
               │
               │
               │
┌────────────────────────────┐
│                            │
│                            │
│                            │
│      Building Network      │
│       192.168.2.0/24       │
│                            │
│                            │
│                            │
└────────────────────────────┘
               │
               │
               │
    ┌────────────────────┐
    │  BUILDING ROUTER   │
    └────────────────────┘
               │
               │
               │
    ┌─────────────────────┐
    │      INTERNET       │
    └─────────────────────┘
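
An addressing-plan check for the diagram above, added here as an example and not part of the original wiki page. It uses Python's standard `ipaddress` module; the `PLAN` keys, the `check_plan` function and the host number `.50` standing in for the "x" in the WAN address are assumptions made for illustration.

```python
import ipaddress

# Values copied from the diagram. The "x" in the WAN address is replaced by a
# constructed host number (50) purely so the address can be parsed.
PLAN = {
    "lan_net": "172.16.24.0/20",
    "lan_gw": "172.16.24.1",
    "wan_addr": "10.1.10.50",        # constructed from "10.1.10.x"
    "upstream_net": "192.168.2.0/24",
}

def check_plan(plan):
    """Return a list of findings for a router sitting behind another NAT."""
    findings = []
    # strict=False accepts a prefix with host bits set and normalises it,
    # which lets us report the real network instead of raising ValueError.
    lan = ipaddress.ip_network(plan["lan_net"], strict=False)
    up = ipaddress.ip_network(plan["upstream_net"], strict=False)
    gw = ipaddress.ip_address(plan["lan_gw"])
    wan = ipaddress.ip_address(plan["wan_addr"])

    for key, net in (("lan_net", lan), ("upstream_net", up)):
        if str(net) != plan[key]:
            findings.append(f"{key} {plan[key]} is not on a prefix boundary; "
                            f"it is really {net}")
    if gw not in lan:
        findings.append(f"lan_gw {gw} is outside {lan}")
    if wan not in up:
        findings.append(f"wan_addr {wan} is outside upstream_net {up}")
    if lan.overlaps(up):
        findings.append(f"{lan} overlaps {up}; routing through the NAT breaks")
    # Double NAT: the router's WAN side is itself private address space,
    # so nothing on the internet can open a connection to it directly.
    if wan.is_private and up.is_private:
        findings.append("WAN side is private address space: inbound access "
                        "needs a tunnel or a forwarded public address")
    return findings

if __name__ == "__main__":
    for line in check_plan(PLAN):
        print("-", line)
```
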

Hardware considerations

  • Booting up the old pfSense box did not seem to go well. We'll need to derack it and see what's up with it.
  • We'll need to permanently mount the switch that's at the front of the space to prevent interruption of traffic for other tenants.
    • What do we need to do to finally get rid of this design? How hard is it going to be to pull a new home-run for us and stop depending on that splice? cswingler (talk) 20:20, 6 June 2016 (CDT)
    • Can we hard-wire that switch in, both electrically and network-wise? cswingler (talk) 20:20, 6 June 2016 (CDT)
    • How do we make sure no one disturbs that switch? cswingler (talk) 20:20, 6 June 2016 (CDT)
  • We will need to run a line from the front of the space near the door to the back of the space, where the cabinet is.
    • Do we want to protect this in conduit? There's nothing that mandates that we do so, but it's an important link. cswingler (talk) 20:20, 6 June 2016 (CDT)
  • Hard network drops throughout the rest of the space should be considered.
  • We should probably get some internal monitoring stuff back online.

Network Routing Considerations

The double-NAT setup does prevent us from having a publicly-routable IP address. Ways to work around this include:

  • Set up an AWS VPC gateway that we permanently leave online (this isn't particularly cheap, but it's not that expensive).
  • Use an AWS EC2 instance with an Elastic IP and an OpenVPN point-to-point route (this is a little cheaper).
  • Ask our landlord to get some more public IP space and route one of the addresses to us (this is probably the cheapest and the most reliable).
  • Pony up for our own network link.