# ITS NOC - Firewalling and routing application

The space is served by a pfsense (FreeBSD) router/firewall appliance. The hardware is an interim Milselectronics VPN go owned by ITS.

Maintainers:

* tyrolyean: pfsense, apparently IPv6?
* whoever wants to feel responsible may as well: catchall

# Technical

## Hardware

Specs:

* CPU: Intel(R) Core(TM) i7-4770 CPU 4C8T@ 3.40GHz
* RAM: 16GiB DDR3
* NICs: 8 Ethernet Ports

## Access

Web Admin Access: <https://sozial.asozial.it-syndikat.org>

Alternative hostnames. All have public IPv6 addresses, but the IPv4 addresses differ in scope:

* sozial.asozial.it-syndikat.org. (canonical, private LAN IPv4)
* public.srv.it-syndikat.org. (DynDNS, Magenta public WAN IPv4)
* sozial.it-syndikat.org. CNAME public.srv

The router may be accessed through ssh, the web interface or an RS232 interface with a root shell. ITS members with LDAP credentials in the netadmins group can log in. Local login is possible via `root`; the password is in vaultwarden.

## DHCP and Hostnames in DNS

Sozial runs isc-dhcp (EOL) for DHCPv4/v6 service. We configure it to send DDNS updates registering the DHCP hostnames with luude, which also acts as the local recursive resolver.

## Internet Access

Internet access is provided by IKB, the Innsbruck communal internet/water/energy/whatever provider, via FttH.
## IP Address plan

- 10.17.0.0/16 ITS networks
- 10.17.4.0/24 SERVERS
- 10.17.5.0/24 Members OpenVPN
- 10.17.7.0/24 Wireguard to cloud servers
- 10.17.8.0/24 Georg
- 10.17.9.0/24 Members Wireguard
- 10.17.42.0/24 IOT
- 10.17.54.0/24 LAN zone
- 192.168.1.0/24 CUCO
- 2a0d:f302:e054::/48 ALWYZON allocated prefix
- 2a0d:f302:e054:0000::/56 Space prefix
- 2a0d:f302:e054:0004::/64 Servers
- 2a0d:f302:e054:0009::/64 Members Wireguard
- 2a0d:f302:e054:0042::/64 IOT
- 2a0d:f302:e054:0050::/64 Members OpenVPN
- 2a0d:f302:e054:0054::/64 LAN
- 2a0d:f302:e054:0070::/64 Wireguard to cloud servers
- 2a0d:f302:e054:001b::/64 Matrix irc bridge identd net
- 2a0d:f302:e054:de00::/56 deneb (personal use)
- 2a0d:f302:e054:1a00::/56 lambda (personal use)
- fd69:f943:1746:52a1::/64 Management VLAN

## CUCO

The cuco net is currently IPv4 only and is meant to remain as such. It no longer has a separate router and uses the box itself as gateway. The subnet is 192.168.1.0/24 for legacy reasons.

## OpenVPN endpoint

The router provides an OpenVPN endpoint to remotely access internal services. The below is a working config for it (it requires your LDAP credentials).
```
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote public.srv.it-syndikat.org 1194 udp
nobind
auth-user-pass
remote-cert-tls server
explicit-exit-notify
verify-x509-name public.srv.it-syndikat.org name
verb 4
<ca>
-----BEGIN CERTIFICATE-----
MIICoDCCAkagAwIBAgIIOXtE3LITbUUwCgYIKoZIzj0EAwQwaDEfMB0GA1UEAxMW
SVQtU3luZGlrYXQgT1BFTlZQTiBDQTELMAkGA1UEBhMCQVQxDjAMBgNVBAgTBVR5
cm9sMRIwEAYDVQQHEwlJbm5zYnJ1Y2sxFDASBgNVBAoTC0lULVN5bmRpa2F0MB4X
DTIyMDgyNTE2MzgyNVoXDTQyMDgyMDE2MzgyNVowaDEfMB0GA1UEAxMWSVQtU3lu
ZGlrYXQgT1BFTlZQTiBDQTELMAkGA1UEBhMCQVQxDjAMBgNVBAgTBVR5cm9sMRIw
EAYDVQQHEwlJbm5zYnJ1Y2sxFDASBgNVBAoTC0lULVN5bmRpa2F0MFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEV0dyBvsF0Ilgxi1IvfEt2wfCKkhnJe7/q67LqOIj
+oIhTSIH+d45wXcgdUxoccA6M64ghQjO5cXEyjBiQRGrA6OB2TCB1jAdBgNVHQ4E
FgQUK5K+s2TNfL83DntKAN4Kq7BtP0cwgZkGA1UdIwSBkTCBjoAUK5K+s2TNfL83
DntKAN4Kq7BtP0ehbKRqMGgxHzAdBgNVBAMTFklULVN5bmRpa2F0IE9QRU5WUE4g
Q0ExCzAJBgNVBAYTAkFUMQ4wDAYDVQQIEwVUeXJvbDESMBAGA1UEBxMJSW5uc2Jy
dWNrMRQwEgYDVQQKEwtJVC1TeW5kaWthdIIIOXtE3LITbUUwDAYDVR0TBAUwAwEB
/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwQDSAAwRQIhAIr38esfLQDALb4sUBYm
lkBAZlTspWBbcKz9EyJJcIR9AiBfWwNjjiPhJbXAkzAqLgNR8Is7tl2OIL+bvzVs
vaJSSQ==
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
d89b85ca886b2da5ba3501bdf633e21e
58cb165c393781a75dc93dc74fb983cd
6c05a6293dce5cd93779662e28a47b99
e6f7444bb97344f4e8c8a7eeef11a500
db2d051024ccb6893f364c06652be774
1d9d1947f59546fa0d4b67d5dabd11c5
8456f6b00e733c22c19014e0228643b4
c64b7fe5a795392b58e3d7722d703547
d23c983cf028d279045fe6279af44385
37f4df856275d1be2e2e1721bf6f4518
9137e1a506f23c7f296cc74ed695ac26
ed6dd9ff9236cecd95ef7c162941f601
02890b982a1d8610945a357b83eeb323
57763041d38f98c319bbddedc9e95d1b
3f15407c9797b3fddcdecd2bfe46d5fa
a50ce157f5fe82f933651a9f19187213
-----END OpenVPN Static key V1-----
</tls-crypt>
```
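Added example (not part of this wiki page or the pfsense setup): a small Python checker for the IP address plan above. It flags leaf subnets that overlap, maps every leaf to the aggregate it is carved from (showing that CUCO and the ULA management VLAN sit outside the blocks the space owns, and that the deneb and lambda /56s come from the ALWYZON /48 rather than the space /56), and finds the next free subnet of a given length inside an aggregate. The "v6" suffixes on the IPv6 entries are labels added here to keep names unique; everything else is transcribed from the plan.

```python
import ipaddress
from itertools import combinations

# Address plan transcribed from the "IP Address plan" section above; the
# aggregates are the blocks the leaf subnets are carved from.
AGGREGATES = {"ITS networks", "ALWYZON allocated prefix", "Space prefix"}
PLAN = [
    ("ITS networks", "10.17.0.0/16"), ("SERVERS", "10.17.4.0/24"),
    ("Members OpenVPN", "10.17.5.0/24"), ("Wireguard to cloud servers", "10.17.7.0/24"),
    ("Georg", "10.17.8.0/24"), ("Members Wireguard", "10.17.9.0/24"),
    ("IOT", "10.17.42.0/24"), ("LAN zone", "10.17.54.0/24"), ("CUCO", "192.168.1.0/24"),
    ("ALWYZON allocated prefix", "2a0d:f302:e054::/48"), ("Space prefix", "2a0d:f302:e054::/56"),
    ("Servers v6", "2a0d:f302:e054:4::/64"), ("Members Wireguard v6", "2a0d:f302:e054:9::/64"),
    ("IOT v6", "2a0d:f302:e054:42::/64"), ("Members OpenVPN v6", "2a0d:f302:e054:50::/64"),
    ("LAN v6", "2a0d:f302:e054:54::/64"), ("Wireguard to cloud servers v6", "2a0d:f302:e054:70::/64"),
    ("Matrix irc bridge identd net", "2a0d:f302:e054:1b::/64"),
    ("deneb (personal use)", "2a0d:f302:e054:de00::/56"), ("lambda (personal use)", "2a0d:f302:e054:1a00::/56"),
    ("Management VLAN", "fd69:f943:1746:52a1::/64"),
]

def parse_plan(plan=PLAN):
    # strict=True rejects a prefix with host bits set, the usual plan typo
    return [(n, ipaddress.ip_network(p, strict=True)) for n, p in plan]

def conflicts(nets, aggregates=AGGREGATES):
    # Leaf subnets that overlap each other: a duplicate or a nested entry.
    leaves = [(n, net) for n, net in nets if n not in aggregates]
    return [(a, b) for (a, x), (b, y) in combinations(leaves, 2)
            if x.version == y.version and x.overlaps(y)]

def enclosing(nets, aggregates=AGGREGATES):
    # Most specific aggregate containing each leaf; None means the subnet
    # lives outside every block the space owns (legacy CUCO, ULA management).
    aggs = sorted(((n, net) for n, net in nets if n in aggregates),
                  key=lambda t: -t[1].prefixlen)  # longest prefix first
    return {name: next((a for a, agg in aggs if agg.version == net.version
                        and net.subnet_of(agg)), None)
            for name, net in nets if name not in aggregates}

def next_free(nets, aggregate_name, new_prefix):
    # First unused subnet of the requested length inside an aggregate.
    agg = dict(nets)[aggregate_name]
    used = [net for n, net in nets if net.version == agg.version
            and net != agg and net.subnet_of(agg)]
    for cand in agg.subnets(new_prefix=new_prefix):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None
```

Run `conflicts(parse_plan(PLAN + [("new", "10.17.4.128/25")]))` before adding a subnet to the plan; it reports the clash with SERVERS instead of letting the duplicate reach the firewall rules.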