ITS NOC - Firewalling and routing application
The space is served by a pfSense (FreeBSD) router/firewall appliance. The hardware is an interim Milselectronics VPN go box owned by ITS.
Maintainers:
- tyrolyean: pfsense, apparently IPv6? whoever wants to feel responsible may as well, catchall
Technical
Hardware Specs:
- CPU: Intel(R) Core(TM) i7-4770, 4C/8T @ 3.40GHz
- RAM: 16GiB DDR3
- NICs: 8 Ethernet Ports
Access
Web Admin Access: https://sozial.asozial.it-syndikat.org
Alternative hostnames: all have public IPv6 addresses, but the IPv4 addresses differ in scope:
- sozial.asozial.it-syndikat.org. (canonical, private LAN IPv4)
- public.srv.it-syndikat.org. (DynDNS, IKB public WAN IPv4)
- sozial.it-syndikat.org. CNAME public.srv
The router may be accessed through SSH, the web interface or an RS232 interface with a root shell. ITS members with LDAP credentials in the netadmins group can log in. Local login is possible as root; the password is in vaultwarden.
DHCP and Hostnames in DNS
Sozial runs isc-dhcp (EOL) for DHCPv4/v6 service. It is configured to send DDNS updates that register the DHCP hostnames with luude, which also acts as the local recursive resolver.
Internet Access
Internet access is provided by IKB, the Innsbruck communal internet/water/energy/whatever provider, via FTTH.
IP Address plan
- 10.17.0.0/16 ITS networks
  - 10.17.4.0/24 SERVERS
  - 10.17.5.0/24 Members OpenVPN
  - 10.17.7.0/24 Wireguard to cloud servers
  - 10.17.8.0/24 Georg
  - 10.17.9.0/24 Members Wireguard
  - 10.17.42.0/24 IOT
  - 10.17.54.0/24 LAN zone
- 192.168.1.0/24 CUCO
- 2a0d:f302:e054::/48 ALWYZON allocated prefix
  - 2a0d:f302:e054:0000::/56 Space prefix
    - 2a0d:f302:e054:0004::/64 Servers
    - 2a0d:f302:e054:0009::/64 Members Wireguard
    - 2a0d:f302:e054:0042::/64 IOT
    - 2a0d:f302:e054:0050::/64 Members OpenVPN
    - 2a0d:f302:e054:0054::/64 LAN
    - 2a0d:f302:e054:0070::/64 Wireguard to cloud servers
    - 2a0d:f302:e054:001b::/64 Matrix irc bridge identd net
  - 2a0d:f302:e054:de00::/56 deneb (personal use)
  - 2a0d:f302:e054:1a00::/56 lambda (personal use)
- fd69:f943:1746:52a1::/64 Management VLAN
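The plan above is easy to get subtly wrong when a new subnet is added by hand (a /24 outside 10.17.0.0/16, a /64 that is not under the space /56, a prefix with host bits set). The following is an added example for this page, not part of the pfSense configuration or any ITS tooling: it copies the prefixes and labels from the plan, recomputes the containment relations instead of trusting the indentation, maps an address from a firewall log to its zone, and finds the next unallocated sub-prefix. The helper names and the rule that every more-specific prefix must sit inside one of the plan's aggregates are this example's own assumptions.

```python
"""Consistency checks over the IP address plan on this page.

Added example for the wiki page; not ITS or pfSense code. Prefixes and
labels are copied from the plan; helper names and the containment rule are
assumptions of this example.
"""
import ipaddress

# Prefix -> label, flattened from the nested plan. Nesting is recomputed
# below rather than taken on trust.
PLAN = {
    "10.17.0.0/16": "ITS networks",
    "10.17.4.0/24": "SERVERS",
    "10.17.5.0/24": "Members OpenVPN",
    "10.17.7.0/24": "Wireguard to cloud servers",
    "10.17.8.0/24": "Georg",
    "10.17.9.0/24": "Members Wireguard",
    "10.17.42.0/24": "IOT",
    "10.17.54.0/24": "LAN zone",
    "192.168.1.0/24": "CUCO",
    "2a0d:f302:e054::/48": "ALWYZON allocated prefix",
    "2a0d:f302:e054:0000::/56": "Space prefix",
    "2a0d:f302:e054:0004::/64": "Servers",
    "2a0d:f302:e054:0009::/64": "Members Wireguard",
    "2a0d:f302:e054:0042::/64": "IOT",
    "2a0d:f302:e054:0050::/64": "Members OpenVPN",
    "2a0d:f302:e054:0054::/64": "LAN",
    "2a0d:f302:e054:0070::/64": "Wireguard to cloud servers",
    "2a0d:f302:e054:001b::/64": "Matrix irc bridge identd net",
    "2a0d:f302:e054:de00::/56": "deneb (personal use)",
    "2a0d:f302:e054:1a00::/56": "lambda (personal use)",
    "fd69:f943:1746:52a1::/64": "Management VLAN",
}


def parse_plan(plan=PLAN):
    """Return {ip_network: label}. strict=True makes a prefix with host bits
    set (a typo such as 10.17.4.1/24) raise ValueError, which is itself a
    finding worth surfacing."""
    return {ipaddress.ip_network(prefix, strict=True): label
            for prefix, label in plan.items()}


def parents(networks):
    """Map each network to its most specific enclosing plan entry, or None
    for a top-level aggregate. CIDR blocks either nest or are disjoint, so
    'most specific supernet' is well defined."""
    result = {}
    for net in networks:
        enclosing = [other for other in networks
                     if other != net and other.version == net.version
                     and other.supernet_of(net)]
        result[net] = max(enclosing, key=lambda n: n.prefixlen) if enclosing else None
    return result


def top_level(plan=PLAN):
    """Aggregates that nothing else in the plan encloses. Anything unexpected
    here (a stray /24 outside 10.17.0.0/16, say) is a plan error."""
    return sorted(str(net) for net, parent in parents(parse_plan(plan)).items()
                  if parent is None)


def zone_of(address, plan=PLAN):
    """Label of the most specific plan entry containing `address`, or None.
    Handy when reading firewall logs: 10.17.42.17 -> 'IOT'."""
    ip = ipaddress.ip_address(address)
    nets = parse_plan(plan)
    hits = [net for net in nets if net.version == ip.version and ip in net]
    return nets[max(hits, key=lambda n: n.prefixlen)] if hits else None


def next_free(parent, new_prefixlen, plan=PLAN):
    """First sub-prefix of `parent` with length `new_prefixlen` that no
    more-specific plan entry overlaps; None if the parent is exhausted."""
    parent = ipaddress.ip_network(parent)
    allocated = [net for net in parse_plan(plan)
                 if net.version == parent.version
                 and net.prefixlen > parent.prefixlen and parent.supernet_of(net)]
    for candidate in parent.subnets(new_prefix=new_prefixlen):
        if not any(net.overlaps(candidate) for net in allocated):
            return str(candidate)
    return None


if __name__ == "__main__":
    print("top-level aggregates:", top_level())
    for net, parent in parents(parse_plan()).items():
        print(f"{str(net):32} -> {parent}")
    print("zone of 10.17.42.17:", zone_of("10.17.42.17"))
    print("next free /64 in the space prefix:",
          next_free("2a0d:f302:e054::/56", 64))
```

Running it lists exactly four top-level aggregates (the /16, the CUCO /24, the ALWYZON /48 and the management ULA /64); a fifth entry would mean a prefix was typed outside its intended parent.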
CUCO
The CUCO net is currently IPv4 only and is meant to remain so. It no longer has a separate router and uses the box itself as gateway. For legacy reasons the subnet is 192.168.1.0/24.
OpenVPN endpoint
The router provides an OpenVPN endpoint for remote access to internal services. Below is a working client config for it (it requires your LDAP credentials).
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote public.srv.it-syndikat.org 1194 udp
nobind
auth-user-pass
remote-cert-tls server
explicit-exit-notify
verify-x509-name public.srv.it-syndikat.org name
verb 4
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
d89b85ca886b2da5ba3501bdf633e21e
58cb165c393781a75dc93dc74fb983cd
6c05a6293dce5cd93779662e28a47b99
e6f7444bb97344f4e8c8a7eeef11a500
db2d051024ccb6893f364c06652be774
1d9d1947f59546fa0d4b67d5dabd11c5
8456f6b00e733c22c19014e0228643b4
c64b7fe5a795392b58e3d7722d703547
d23c983cf028d279045fe6279af44385
37f4df856275d1be2e2e1721bf6f4518
9137e1a506f23c7f296cc74ed695ac26
ed6dd9ff9236cecd95ef7c162941f601
02890b982a1d8610945a357b83eeb323
57763041d38f98c319bbddedc9e95d1b
3f15407c9797b3fddcdecd2bfe46d5fa
a50ce157f5fe82f933651a9f19187213
-----END OpenVPN Static key V1-----
</tls-crypt>
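The profile above depends on a handful of directives for its security: the tls-crypt key that authenticates control-channel packets before the TLS handshake, remote-cert-tls server plus verify-x509-name that pin the server identity, an AEAD-first data-ciphers list, and a SHA-2 HMAC. Profiles that members hand-edit or copy from older exports tend to lose one of these. The following lint is an added example for this page, not pfSense's exporter or ITS tooling; the checks it applies are this example's assumptions about what a profile for this endpoint should contain, and the two sample profiles are constructed (the directives of the first are taken from the config above, trimmed, with placeholder certificate and key bodies instead of the real ones).

```python
"""Lint an OpenVPN client profile for the hardening directives used above.

Added example for the wiki page; not pfSense or ITS code. The checks are
this example's assumptions; sample profiles are constructed.
"""
import re

# Legacy data-channel ciphers that should not appear in a modern profile.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"}

# Constructed: the page's directives, trimmed, with placeholder bodies.
GOOD_PROFILE = """\
dev tun
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA512
tls-client
client
remote public.srv.it-syndikat.org 1194 udp
auth-user-pass
remote-cert-tls server
verify-x509-name public.srv.it-syndikat.org name
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
<tls-crypt>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-KEY-BODY
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# Constructed: the kind of profile an old export or hand edit produces.
WEAK_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194 udp
ca ca.crt
cipher BF-CBC
auth SHA1
auth-user-pass
"""


def parse_profile(text):
    """Split a profile into (directives, inline_blocks).
    directives: list of (name, [args]); inline_blocks: {'ca': body, ...}."""
    directives, blocks = [], {}
    block, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                      # inside <ca> ... </ca>
            if line == f"</{block}>":
                blocks[block] = "\n".join(body)
                block, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":            # blank or comment line
            continue
        match = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if match:
            block = match.group(1)
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks


def lint_profile(text):
    """Return a list of findings; an empty list means every check passed."""
    directives, blocks = parse_profile(text)
    present = {name for name, _ in directives}
    last = {name: args for name, args in directives}   # last occurrence wins
    findings = []
    # Control channel: tls-crypt (or at least tls-auth), inline or as a file.
    if not ({"tls-crypt", "tls-auth"} & (present | set(blocks))):
        findings.append("no tls-crypt/tls-auth: control-channel packets are not "
                        "authenticated before the TLS handshake")
    # Server identity: require the server-role certificate check and a pinned name.
    if last.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': client does not require "
                        "a server-role certificate")
    if "verify-x509-name" not in present:
        findings.append("missing verify-x509-name: server certificate name is not pinned")
    if "ca" not in present and "ca" not in blocks:
        findings.append("no CA configured: server certificate cannot be validated")
    # Data channel: a negotiable cipher list with no legacy entries.
    ciphers = ":".join(last["data-ciphers"]).split(":") if "data-ciphers" in present else []
    if not ciphers:
        findings.append("no data-ciphers list: relies on the legacy 'cipher' directive "
                        "or the server default")
    for cipher in ciphers + last.get("data-ciphers-fallback", []) + last.get("cipher", []):
        if cipher in WEAK_CIPHERS:
            findings.append(f"weak cipher permitted: {cipher}")
    # HMAC for non-AEAD ciphers: OpenVPN defaults to SHA1 when 'auth' is absent.
    auth = last.get("auth", ["SHA1"])[0].upper()
    if auth not in {"SHA256", "SHA384", "SHA512"}:
        findings.append(f"auth {auth}: use a SHA-2 HMAC")
    return findings


if __name__ == "__main__":
    for label, profile in (("page-style profile", GOOD_PROFILE), ("weak profile", WEAK_PROFILE)):
        print(f"{label}: {lint_profile(profile) or 'OK'}")
```

The parser treats inline blocks the way OpenVPN does (everything between `<name>` and `</name>` is opaque body), so the comment lines inside the tls-crypt block are kept with the key rather than mistaken for directives. To lint a real profile, read the file and pass its text to lint_profile.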