forked from IT-Syndikat/its-network
143 lines
4.5 KiB
Markdown
143 lines
4.5 KiB
Markdown
# ITS NOC - Firewalling and routing application
|
|
|
|
The space is served by a pfsense (FreeBSD) router/firewall
|
|
appliance. The hardware is an interim Milselectronics VPN go owned by ITS.
|
|
|
|
Maintainers:
|
|
|
|
* tyrolyean: pfsense, apparently IPv6? whoever wants to feel responsible may
|
|
as well, catchall
|
|
|
|
# Technical
|
|
|
|
## Hardware Specs:
|
|
|
|
* CPU: Intel(R) Core(TM) i7-4770 CPU 4C8T@ 3.40GHz
|
|
* RAM: 16GiB DDR3
|
|
* NICs: 8 Ethernet Ports
|
|
|
|
## Access
|
|
|
|
Web Admin Access: <https://sozial.asozial.it-syndikat.org>
|
|
|
|
Alternative hostnames. All have public IPv6 addresses but IPv4 addressess
|
|
differ in scope:
|
|
|
|
* sozial.asozial.it-syndikat.org. (canonical, private LAN IPv4)
|
|
* public.srv.it-syndikat.org. (DynDNS, Magenta public WAN IPv4)
|
|
* sozial.it-syndikat.org. CNAME public.srv
|
|
|
|
The router may be accessed through ssh, the web interface or a RS232
|
|
interface with a root shell. ITS members with LDAP credentials in the
|
|
netadmins group can log-in. Local login is possible via `root`; password is
|
|
in vaultwarden.
|
|
|
|
## DHCP and Hostnames in DNS
|
|
|
|
Sozial runs isc-dhcp (EOL) for DHCPv4/v6 service. We configure it to send
|
|
DDNS updates registering the DHCP hostnames with luude, which also acts as
|
|
the local recursive resolver.
|
|
|
|
## Internet Access
|
|
|
|
Internet access is provided by IKB, the innsbruck communal
|
|
internet/water/energy/whatever provider via FttH.
|
|
|
|
|
|
## IP Address plan
|
|
|
|
- 10.17.0.0/16 ITS networks
|
|
- 10.17.4.0/24 SERVERS
|
|
- 10.17.5.0/24 Members OpenVPN
|
|
- 10.17.7.0/24 Wireguard to cloud servers
|
|
- 10.17.8.0/24 Georg
|
|
- 10.17.9.0/24 Members Wireguard
|
|
- 10.17.42.0/24 IOT
|
|
- 10.17.54.0/24 LAN zone
|
|
- 192.168.1.0/24 CUCO
|
|
|
|
- 2a0d:f302:e054::/48 ALWYZON Allocated prefix
|
|
- 2a0d:f302:e054:0000::/56 Space prefix
|
|
- 2a0d:f302:e054:0004::/64 Servers
|
|
- 2a0d:f302:e054:0009::/64 Members Wireguard
|
|
- 2a0d:f302:e054:0042::/64 IOT
|
|
- 2a0d:f302:e054:0050::/64 Members OpenVPN
|
|
- 2a0d:f302:e054:0054::/64 LAN
|
|
- 2a0d:f302:e054:0070::/64 Wireguard to cloud servers
|
|
- 2a0d:f302:e054:001b::/64 Matrix irc bridge identd net
|
|
- 2a0d:f302:e054:de00::/56 deneb (personal use)
|
|
- 2a0d:f302:e054:1a00::/56 lambda (personal use)
|
|
- fd69:f943:1746:52a1::/64 Management VLAN
|
|
|
|
## CUCO
|
|
|
|
The cuco net is currently IPv4 only and is meant to remain as such. It no longer
|
|
has a separate router and uses the box itself as gateway. The subnet is for
|
|
legacy reasons 192.168.1.0/24.
|
|
|
|
## OpenVPN endpoint
|
|
|
|
The router provides an openvpn endpoint to remotely access internal services.
|
|
The below is a working config for it (it requires your ldap credentials).
|
|
|
|
```
|
|
dev tun
|
|
persist-tun
|
|
persist-key
|
|
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
|
|
data-ciphers-fallback AES-256-CBC
|
|
auth SHA512
|
|
tls-client
|
|
client
|
|
resolv-retry infinite
|
|
remote public.srv.it-syndikat.org 1194 udp
|
|
nobind
|
|
auth-user-pass
|
|
remote-cert-tls server
|
|
explicit-exit-notify
|
|
verify-x509-name public.srv.it-syndikat.org name
|
|
verb 4
|
|
<ca>
|
|
-----BEGIN CERTIFICATE-----
|
|
MIICoDCCAkagAwIBAgIIOXtE3LITbUUwCgYIKoZIzj0EAwQwaDEfMB0GA1UEAxMW
|
|
SVQtU3luZGlrYXQgT1BFTlZQTiBDQTELMAkGA1UEBhMCQVQxDjAMBgNVBAgTBVR5
|
|
cm9sMRIwEAYDVQQHEwlJbm5zYnJ1Y2sxFDASBgNVBAoTC0lULVN5bmRpa2F0MB4X
|
|
DTIyMDgyNTE2MzgyNVoXDTQyMDgyMDE2MzgyNVowaDEfMB0GA1UEAxMWSVQtU3lu
|
|
ZGlrYXQgT1BFTlZQTiBDQTELMAkGA1UEBhMCQVQxDjAMBgNVBAgTBVR5cm9sMRIw
|
|
EAYDVQQHEwlJbm5zYnJ1Y2sxFDASBgNVBAoTC0lULVN5bmRpa2F0MFkwEwYHKoZI
|
|
zj0CAQYIKoZIzj0DAQcDQgAEV0dyBvsF0Ilgxi1IvfEt2wfCKkhnJe7/q67LqOIj
|
|
+oIhTSIH+d45wXcgdUxoccA6M64ghQjO5cXEyjBiQRGrA6OB2TCB1jAdBgNVHQ4E
|
|
FgQUK5K+s2TNfL83DntKAN4Kq7BtP0cwgZkGA1UdIwSBkTCBjoAUK5K+s2TNfL83
|
|
DntKAN4Kq7BtP0ehbKRqMGgxHzAdBgNVBAMTFklULVN5bmRpa2F0IE9QRU5WUE4g
|
|
Q0ExCzAJBgNVBAYTAkFUMQ4wDAYDVQQIEwVUeXJvbDESMBAGA1UEBxMJSW5uc2Jy
|
|
dWNrMRQwEgYDVQQKEwtJVC1TeW5kaWthdIIIOXtE3LITbUUwDAYDVR0TBAUwAwEB
|
|
/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwQDSAAwRQIhAIr38esfLQDALb4sUBYm
|
|
lkBAZlTspWBbcKz9EyJJcIR9AiBfWwNjjiPhJbXAkzAqLgNR8Is7tl2OIL+bvzVs
|
|
vaJSSQ==
|
|
-----END CERTIFICATE-----
|
|
</ca>
|
|
setenv CLIENT_CERT 0
|
|
<tls-crypt>
|
|
#
|
|
# 2048 bit OpenVPN static key
|
|
#
|
|
-----BEGIN OpenVPN Static key V1-----
|
|
d89b85ca886b2da5ba3501bdf633e21e
|
|
58cb165c393781a75dc93dc74fb983cd
|
|
6c05a6293dce5cd93779662e28a47b99
|
|
e6f7444bb97344f4e8c8a7eeef11a500
|
|
db2d051024ccb6893f364c06652be774
|
|
1d9d1947f59546fa0d4b67d5dabd11c5
|
|
8456f6b00e733c22c19014e0228643b4
|
|
c64b7fe5a795392b58e3d7722d703547
|
|
d23c983cf028d279045fe6279af44385
|
|
37f4df856275d1be2e2e1721bf6f4518
|
|
9137e1a506f23c7f296cc74ed695ac26
|
|
ed6dd9ff9236cecd95ef7c162941f601
|
|
02890b982a1d8610945a357b83eeb323
|
|
57763041d38f98c319bbddedc9e95d1b
|
|
3f15407c9797b3fddcdecd2bfe46d5fa
|
|
a50ce157f5fe82f933651a9f19187213
|
|
-----END OpenVPN Static key V1-----
|
|
</tls-crypt>
|
|
```
|