This is an old revision of the document!
Table of Contents
Base Infrastructure
Overview
The space needs infrastructure to be operational.
One key basic needs of every human beeing besides a room, power, water and Mate is of cause Internet
When we had the go to move into the room there was already a Internet connectionand we are allowed to use it.
The three parties in the building should be segmented from each other.
The resulting infrastructure description should be generic and the concept usable by other Hackerspaces or even smaller companies.
Current/Old Environment
Description of the setup when we started
+------------------+
| |
| Fritzbox |
| |
+------------------+
|
|
+------------------+
| |
| QNAP |
| |
| +---------+
| | pfSense |
| | VM |
+------------------+
|
|
+------------------+
| |
| Netgear Switch |
| |
+------------------+
Fritzbox is connected to one port of a Qnap.
The Qnap hosts a pfSense VM which is dual homed on both available NICs
The internal Network is behind the pfSense.
The equipment is in the base, but shouldn't be there in the future to separate the three flats in the building
Everything was connected to the Switch somehow. There is at least one network connection to the other flats. Ther are more switches and Access Points.
New Environment
The WAN port of the Fritzbox is unusable, because it is only usable for DSL. We have FTTB
Every party will get one port on the Fritzbox.
The fritzbox must stay at the base. It will be a shared environment, but it cannot be avoided for now.
The Qnap needs to be moved to the top floor.
New highlevel layout
+------------+
| Fritzbox |
+-+----+----++
| | |
+------------------+ | +---------------------+
| | |
3rd floor | 2nd+floor| 1st+floor |
| | |
+----------+---------+ +-------+------+ +--------+-----------+
| QNAP | | WLAN Router | | Proxmox Server |
| 192.168.1.31 | | 192.168.1.20 | | 192.168.1.11 |
| +---------------+ | NAT | | +---------------+
| | 192.168.1.30 | +--------------+ | | 192.168.1.10 |
| | +------+ | | | +------+ |
| | pfSense VM | | | pfSense VM |
| | +------+ | | | +------+ |
| |192.168.30.0/24| | | |
+------------+-------+ +----+----+--+-------+
| | |
| +------------+ +---------------+
+--------+-------+ | |
| Netgear Switch | 192.168.10.0/24| |192.168.11.0/24
| | | |
+----------------+ +---------+------+ +-------+------+
| Virtual Switch | | Switch |
+-------+--+-----+ +-----+---+----+
| | | |
+----+ +----+ +-----+ +-----+
| | | |
+----------+--+ +-----+-------+ +----+-----+ +-----+----+
| auth VM | | chat VM | | AP | | Freifunk |
|192.168.10.11| |192.168.10.12| | | | |
+-------------+ +-------------+ +----------+ +----------+
House segments
Fritzbox
192.168.1.0/24
This is the shared network and it belongs to the building itself.
The Fritzbox itself is managed by trinitor
Be biggest challenge will the the fight for port forwarding.
A shared webserver in the shared network as a reverse proxy could solve the 80/443 fight.
Will be done when we have the need.
Every floor can have 10 static IPs in the shared network
1st floor = 192.168.1.10 - 19
2nd floor = 192.168.1.20 - 29
3rd floor = 192.168.1.30 - 39
There is also a DHCP range, but it is more for emergency use.
/dev/base Structure
Our /dev/base port will be connected to a Proxmox server = our virtual environment.
This port will be dedicated to a VM where we have a firewall running. In this case a pfSense.
The firewall VM will have three virtual NICs.
1. WAN = Fritzbox = Internet
2. virtual switch = Server = vSwitch with no physical NICs attached. All VMs will be connected to the vSwitch. The traffic will stay inside the host.
3. physical switch = the /dev/base internal network
The firewall will protect the /dev/base infrastructure from the Internet and the other parties in the building.
The VMs are in a segmented VLAN to have them also controlled in a better way.
IP addresses
| IP | Hostname | Comment |
|---|---|---|
| External | ||
| 192.168.1.1 | router | fritzbox |
| Firewall | ||
| 192.168.1.10 | fw01 | WAN = fritzbox connection |
| 192.168.10.1 | fw01 | virtual switch |
| 192.168.11.1 | fw01 | physical switch |
| Hardware | ||
| 192.168.11.2 | switch01 | |
| 192.168.11.3 | accesspoint01 | radius AP |
| 192.168.11.4 | accesspoint01 | freifunk AP |
| 192.168.11.10 | virt01 | proxmox server |
| Virtual Machines | ||
| 192.168.10.11 | auth01 | UCS |
| 192.168.10.12 | chat01 | rocket chat |
Virtualisation
There are some options (ESXi, XenServer, oVirt, …), but the simplest one seems to be Proxmox.
An old Dell Notebook with an additional USB NIC will be used for now.
Network
| Interface | Comment |
|---|---|
| Network Cards | |
| eno1 | internal NIC - connected to the /dev/base switch |
| enx9410… | wireless (unused) |
| enx9ceb… | USB NIC - connected to the Fritzbox |
| Bridges (virtual switches) | |
| vmbr0 | Internal Bridge, eno1, 192.168.11.10 |
| vmbr1 | External Bridge, enx9ceb, 192.168.1.11 |
| vmbr2 | Server Bridge, no NIC connected, no IP assigned |
Other settings
vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet consoleblank=10"
grub-mkconfig -o /boot/grub/grub.cfg
Management:
https://192.168.11.10:8006
Firewall
pfsense installed inside a VM
Default settings
Network Setup
| Proxmox Bridge | Proxmox device name | Internal device name | Interface Name | IP |
|---|---|---|---|---|
| vmbr1 | net0 | em0 | WAN | 192.168.1.10/24 |
| vmbr0 | net1 | em1 | LAN | 192.168.11.1/24 |
| vmbr2 | net2 | em2 | SERVER | 192.168.10.1/24 |
DHCP
enabled for LAN and SERVER
192.168.10.100-199
192.168.11.100-199
Firewall Rules
NAT
disabled on pfsense. The House Network is routed, so we could share resources (printers?)
Static routes are configured on the fritzbox for this reason
Management:
https://192.168.10.1
https://192.168.11.1
Auth
- Univention Corporate Server (UCS) 4.2
- Create new UCS domain
- Oganization Name: devbase.org
- FQDN: auth01.devbase.org
- LDAP base: dc=devbase,dc=org
- Components
- Active Directory compatible Domain Controller (Samba)
- Radius
- Reboot
- Mode: Server only
Structure:
- Members and Guests can have accounts
- admins have two accounts, one for normal usage and and dedicated admin account (prefix “admin-”)
Groups:
- delegate
- devbase_delegate_rocketchat_access
- members: devbase_role_members, devbase_role_guest
- devbase_delegate_wiki_members
- members: devbase_role_members
- devbase_delegate_wiki_orgas
- devbase_role_orgas
- devbase_delegate_wireless_access
- members: devbase_role_members
- Radius: allow access enabled
- roles
- devbase_role_admins
- member of: Administrators, Domain Admins, Enterprise Admins, Schema Admins, DC Backup Hosts, Group Policy Creator Owners
- members: admin-trinitor
- Policy:cn=default-umc-all
- devbase_role_guests
- devbase_role_members
- members: trinitor
- devbase_role_orgas
- members: trinitor
Management:
https://192.168.10.11
Wireless
The Access Point will broadcast three SSIDs.
| /dev/base PSK | WPA2/AES Personal | fallback |
| /dev/base | WPA2/AES Enterprise | member network |
| /dev/guest | WPA2/AES Personal | guest only |
For not both share the same subnet and are not segmented.
Advantage: might be easier to change the password, implement radius
Longterm there should be a Freifunk for guests
Segmenting the guest network means we have to use VLANs in Proxmox, pfsense, switch, and access point.
Without VLANs we can just take the cable from the AP and plug it into the Fritzbox.
With VLANs we have no easy fallback in case theres an issue with the Proxmox server
Access Point Config
| SSID | /dev/base |
| Version | WPA2 |
| Encryption | AES |
| Radius Server IP | 192.168.10.11 |
| Radius Port | 1812 |
| Radius Password | xxx |
| Group Key Update Period | 0 |
UCS Config
vi /etc/freeradius/clients.conf
client 192.168.11.3 {
secret=***
shortname=ap01
}
univention-radius-check-access –username=trinitor
Chat (Rocket Chat)
- Install Ubuntu 16.04 LTS
- apt-get update ; apt-get dist-upgrade ; reboot
- snap install rocketchat-server
- systemctl enable snap.rocketchat-server.rocketchat-server.service
- systemctl status snap.rocketchat-server.rocketchat-server.service
Login:
http://192.168.10.12:3000/
Chat (Matrix)
- Install Ubuntu 16.04 LTS
- apt update && sudo apt upgrade
- add-apt-repository https://matrix.org/packages/debian/
- wget https://matrix.org/packages/debian/repo-key.asc -O key
- apt-key add - < key
- apt update
- apt install matrix-synapse python-matrix-synapse-ldap3
- Server Name: matrix.devbase.org
- cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 34 | head -1
- vi /etc/matrix-synapse/homeserver.yaml
- registration_shared_secret: your_random_string
- systemctl enable matrix-synapse.service
- systemctl start matrix-synapse.service
- register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml https://localhost:8448
- name root
- set password
- make admin = yes
Public DNS Recort for federation SRV matrix_tcp.devbase.org
VPN
nextcloud
Wiki
the wiki could also be hosted internally. No external server required, Data not stored somewhere
