Operations

From Hack Manhattan Wiki
Jump to: navigation, search


Administrivia

Operations Contact List

Name Email Phone
Hack Manhattan Space VoIP Phone info@hackmanhattan.com +1-646-513-4503

Passwords

Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.

IRC

At the moment only guan, rmd6502, and jacolatern have AFRefiorstv mode on #hackmanhattan on Freenode. obscurite has fo but that's a really weird setup.

Out of House Infrastructure and Utilities

Verizon FiOs

The building pays for 150/150 Mbps at $200 monthly.

Digital Ocean

We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is 162.243.60.59. The typical username is hackmanhattan apparently. hackmanhattan.com points to a WordPress installation. wiki.hackmanhattan.com is a MediaWiki installation. ratpark.nyc is also another WordPress setup. wiki.ratpark.nyc is of course, MediaWiki. list.hackmanhattan is Postfix and Mailman, for mailing lists.

members.hackmanhattan.com, our in-house payment system, is a custom ?. For some reason list.hackmanhattan.com responds to requests to that hostname. Why?

Comodo

So we have SSL certs for every hostname currently involved except for ratpark.nyc, which keeps presenting hackmanhattan.com's instead. They're issued by Comodo. I would've thought we'd have had wildcard card certs for both major domains but apparently this is not the case (for *.hackmanhattan.com and *.ratpark.nyc).

Google Apps

@hackmanhattan.com (and therefore not @list.hackmanhattan.com) addresses are with Google Apps.

Network Infrastructure

Static IP allocations (incomplete - online devices as of 2018-09-12)

Sorted by IP. There is no system with regards to how these IPs are assigned, it's basically just whatever DHCP first gave these machines made permanent through OpenWRT's LuCI.

Assigned by DHCP:

Hostname IP address MAC address Device Maintainer Comment Location
rfid-access-building 192.168.42.157 64:cf:d9:fd:23:00 BeagleBone Black mz & Guan Building door, top right when you enter
buzzer-pi-shop 192.168.42.159 b8:27:eb:b4:da:cb RaspberryPi jay-ish & mz-ish By the shop buzzer, showing the dashboard
hydrocontroller 192.168.42.173 b8:27:eb:5e:c5:bc RaspberryPI jay On the roof?
137W14 192.168.42.197 e8:de:27:f9:cc:27 TP-LINK WR841N citybadger Harry Potter Closet
brother-printer 192.168.42.202 30:05:5c:f6:35:db Brother HL-L2380DW N/A Under the tool shelf
chromecast 192.168.43.18 48:d6:d5:39:28:f8 Chromecast (not 4K) mz Shows our space dashboard Attached to the TV by the desks
rfid-access-space 192.168.43.63 64:cf:d9:fd:42:00 BeagleBone Black mz & Guan Attachted to the back of the space door
wrtnode-webcam 192.168.43.125 66:51:7e:80:06:d6 WRTNode Guan-ish Attached to the top right of the network cubby
backup-terminal 192.168.43.129 d8:50:e6:92:f3:c0 ASUS RT-N66U formerly konstantin now mz-ish Attached to the tool shelf
voip-phone 192.168.43.165 00:0b:82:4d:a0:6c Grandstream GXP1400 N/A Under the network cubby
box0rs 192.168.43.189 f0:de:f1:03:00:0f Lenovo T410 mz In the network cubby
bricolage 192.168.43.191 98:90:96:d0:63:4a Dell Optiplex 9020 Beadsland & jay-ish On the table by the lazer hose

Static configurations:

Hostname IP address MAC address Device Maintainer Comment Location
3rdfloor 192.168.42.7 64:66:b3:fa:af:c4 TP-Link TL-WDR4300 v1 Guan-ish & mz-ish AP/switch for the 3rd floor 3rd floor, left from the office hallway door

Notes about subnets, routes and DHCP

Since bo.x0.rs provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can identify which device is talking to them. This also means static routes are set on the router, plus the necessary DHCP-options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.

Since the spec says to ignore the default route packet if classless static route options are seen, we include the default route in the static routes we send out.

Dynamic allocations start at 192.168.42.150.

Approximate Network Hierarchy (as of 2018-09-12)

Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.

  • Router
    • Cubby 100MBit Switch
      • cnc
      • voip-phone
      • buzzer-pi-shop
      • wrtnode-webcam
      • North Switch
        • bricolage
        • hydrocontroller
      • West Switch
        • backup-terminal Access Point & Switch
          • brother-printer
        • octoprint-main
        • Big Windows Tower
    • box0rs
    • Hallway Gigabit Switch
      • rfid-access-building
      • 137W14
        •  ?
      • 3rd floor Access Point & Switch
        • Iasmin/Joey Tower
      • Secret Loft Repeater (Disabled due to misconfiguration)
        •  ?


Outdated-content.png The content of the following article/section isn't up to date.
If you have some spare time, please consult the usual suspects and help update it!

IP and DHCP Information (Old-ish)

The previous plan called for a private Class A block (10/8). After much thought, it was decided this was unreasonable.

This new plan will use a Class C subnet: 192.168.42.0/23. This gives us a theoretical maximum of 510 IPs. The main router also handle DHCP requests for both wired and wireless clients, assigning IPs from the range 192.168.43.1 to 192.168.43.254. Wired and wireless machines will be able to set up static IPs in the 192.168.42.1 to 192.168.42.255 range. Sure, one could set up VLANs, but since we don't intend on complicating our setup, a /23 is a reasonable thing to do.

Information for statically assigned IPs.
Variable Value Comment
IP Address n/a Be allocated one. Typically incremental. See the allocation table.
Subnet Mask 255.255.254.0
Gateway 192.168.42.1
DNS 192.168.42.1

Machine and IP Allocation Table (Old)

IP Hostname Device Maintainer Comment (Location)
n/a n/a Alcatel I-211M-K Operations ONT and Modem for Verizon FiOs
192.168.42.1 rtr1.ratpark.net TP-Link TL-WDR4300 v1 Operations Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)
n/a n/a Netgear JGS516 Operations 16 Port Gigabit Switch
n/a n/a  ? Operations 8 Port Switch
n/a n/a  ? Operations 4 Port Switch
192.168.42.2 rtr2.ratpark.net TP-Link TL-WDR4300 v1 Operations Channel 11. (2rd Floor Hallway)
192.168.42.3 rtr3.ratpark.net TP-Link TL-WDR4300 v1 Operations Channel 6. (3rd Floor Hallway)
192.168.42.4 rtr4.ratpark.net TP-Link TL-WDR4300 v1 Operations Channel 11. (Elevator Machine Room)
surv-frontdoor.ratpark.net WRTnode Guan Yang Operates wirelessly. Can we change that? (First Floor)
surv-main.ratpark.net WRTnode Guan Yang Operates wirelessly. Can we change that? (Hack Manhattan)
wrtnode-hmdoor.ratpark.net WRTnode? Guan Yang Controls door strike. (First Floor)
octopi.ratpark.net Raspberry Pi Allows for unattended (no computer needed) printing. Username hackmanhattan. Canonical password. (Hack Manhattan)
boiler-wired.ratpark.net WRTnode Guan Yang Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)
hackmanhattan.club  ? Guan Yang Is it still in use? (Where is it?)
wr703n.ratpark.net TP-Link TL-WR703N  ? We definitely do not need this. (Hack Manhattan)
quinn.ratpark.net What is this? (Where is it?)
ai-stem.ratpark.net What is this? (Where is it?)
kiosk.ratpark.net What is this? (Where is it?)
 !?!?!? The list goes on and on.
192.168.43.0 Operations DHCP Allocation Block
192.168.43.255 Operations Broadcast

Network Diagram

Current

parent_device
|(physical port on parent_device)-(physical port on child_device)child_device

null can be used where applicable (device only has 1 port, etc.)
? can be used for incomplete data that could not be obtained due to security reasons or other.

fiosmodem
|(null)-(wan)rtr1
             |(1)-(1)jgs516 # Netgear JGS516
                     |(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal
                     |(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia
                     |(9)-(null)gxp400 # IP Phone
                     |(15)-(1)rtr2
                              |(2)-(1)rtr3 # light pink cable that gets painted over on it's way up
                                      |(2)-(null)wrtnode # boiler wrtnode
                              |(3)-(?)firstfloor # goes into box, don't want to break it open
                              |(4)-(null)null # long blue cable that goes to nothing
                              |(wan)-(5)tlsg1005d # TP-Link TL-SG1005D
                                        |(4)-(null)ds215j # Synology DS215j
                                        |(1)-(null)null # goes into gray cable that goes to nothing
                     |(16)-(1)rtr4
                              |(2)-(null)null # black cable, goes to front of building
                              |(3)-(null)gx # grandstream telephone line modem/device, need model number
                              |(4)-(null)null # short blue cable, goes to nothing

I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.

Expected

Fiber Modem
|-rtr1.ratpark.net
  |-Netgear JGS516
    |-IP Phone
    |-8 Port Switch On Laptopia
    |-Area with octopi, bigbox, and backup terminal?
  |-rtr2.ratpark.net
    |-First Floor 4 Port Switch
  |-rtr3.ratpark.net
    |-Stuff in the boiler room?
  |-rtr4.ratpark.net?
    |-Stuff in the elevator machine room?

Security and Liability

It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the Unifi series of cameras, the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their appliance, which they provide free access to the packages for so you don't need to buy their hardware appliance and instead deploy it on your own machine.

Given that the UVC and the UVC-Micro run for ~100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.

Incidents

  • 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.
  • 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.
  • 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.
  • 2016-05-23: A building community member reported failure to obtain a DHCP lease on all over our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.