- 1 Administrivia
- 2 Out of House Infrastructure and Utilities
- 3 Network Infrastructure
- 4 Security and Liability
- 5 Incidents
Operations Contact List
|Hack Manhattan Space VoIP Phonefirstname.lastname@example.org||+1-646-513-4503|
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.
At the moment only guan, rmd6502, and jacolatern have AFRefiorstv mode on #hackmanhattan on Freenode. obscurite has fo but that's a really weird setup.
Out of House Infrastructure and Utilities
The building pays for 150/150 Mbps at $200 monthly.
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is 220.127.116.11. The typical username is hackmanhattan apparently. hackmanhattan.com points to a WordPress installation. wiki.hackmanhattan.com is a MediaWiki installation. ratpark.nyc is also another WordPress setup. wiki.ratpark.nyc is of course, MediaWiki. list.hackmanhattan is Postfix and Mailman, for mailing lists.
members.hackmanhattan.com, our in-house payment system, is a custom ?. For some reason list.hackmanhattan.com responds to requests to that hostname. Why?
So we have SSL certs for every hostname currently involved except for ratpark.nyc, which keeps presenting hackmanhattan.com's instead. They're issued by Comodo. I would've thought we'd have had wildcard card certs for both major domains but apparently this is not the case (for *.hackmanhattan.com and *.ratpark.nyc).
@hackmanhattan.com (and therefore not @list.hackmanhattan.com) addresses are with Google Apps.
IP and DHCP Information
The previous plan called for a private Class A block (10/8). After much thought, it was decided this was unreasonable.
This new plan will use a Class C subnet: 192.168.42.0/23. This gives us a theoretical maximum of 510 IPs. The main router also handle DHCP requests for both wired and wireless clients, assigning IPs from the range 192.168.43.1 to 192.168.43.254. Wired and wireless machines will be able to set up static IPs in the 192.168.42.1 to 192.168.42.255 range. Sure, one could set up VLANs, but since we don't intend on complicating our setup, a /23 is a reasonable thing to do.
|IP Address||n/a||Be allocated one. Typically incremental. See the allocation table.|
Machine and IP Allocation Table
|n/a||n/a||Alcatel I-211M-K||Operations||ONT and Modem for Verizon FiOs|
|192.168.42.1||rtr1.ratpark.net||TP-Link TL-WDR4300 v1||Operations||Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)|
|n/a||n/a||Netgear JGS516||Operations||16 Port Gigabit Switch|
|n/a||n/a||?||Operations||8 Port Switch|
|n/a||n/a||?||Operations||4 Port Switch|
|192.168.42.2||rtr2.ratpark.net||TP-Link TL-WDR4300 v1||Operations||Channel 11. (2rd Floor Hallway)|
|192.168.42.3||rtr3.ratpark.net||TP-Link TL-WDR4300 v1||Operations||Channel 6. (3rd Floor Hallway)|
|192.168.42.4||rtr4.ratpark.net||TP-Link TL-WDR4300 v1||Operations||Channel 11. (Elevator Machine Room)|
|surv-frontdoor.ratpark.net||WRTnode||Guan Yang||Operates wirelessly. Can we change that? (First Floor)|
|surv-main.ratpark.net||WRTnode||Guan Yang||Operates wirelessly. Can we change that? (Hack Manhattan)|
|wrtnode-hmdoor.ratpark.net||WRTnode?||Guan Yang||Controls door strike. (First Floor)|
|octopi.ratpark.net||Raspberry Pi||Allows for unattended (no computer needed) printing. Username hackmanhattan. Canonical password. (Hack Manhattan)|
|boiler-wired.ratpark.net||WRTnode||Guan Yang||Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)|
|hackmanhattan.club||?||Guan Yang||Is it still in use? (Where is it?)|
|wr703n.ratpark.net||TP-Link TL-WR703N||?||We definitely do not need this. (Hack Manhattan)|
|quinn.ratpark.net||What is this? (Where is it?)|
|ai-stem.ratpark.net||What is this? (Where is it?)|
|kiosk.ratpark.net||What is this? (Where is it?)|
|!?!?!?||The list goes on and on.|
|192.168.43.0||Operations||DHCP Allocation Block|
parent_device |(physical port on parent_device)-(physical port on child_device)child_device null can be used where applicable (device only has 1 port, etc.) ? can be used for incomplete data that could not be obtained due to security reasons or other. fiosmodem |(null)-(wan)rtr1 |(1)-(1)jgs516 # Netgear JGS516 |(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal |(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia |(9)-(null)gxp400 # IP Phone |(15)-(1)rtr2 |(2)-(1)rtr3 # light pink cable that gets painted over on it's way up |(2)-(null)wrtnode # boiler wrtnode |(3)-(?)firstfloor # goes into box, don't want to break it open |(4)-(null)null # long blue cable that goes to nothing |(wan)-(5)tlsg1005d # TP-Link TL-SG1005D |(4)-(null)ds215j # Synology DS215j |(1)-(null)null # goes into gray cable that goes to nothing |(16)-(1)rtr4 |(2)-(null)null # black cable, goes to front of building |(3)-(null)gx # grandstream telephone line modem/device, need model number |(4)-(null)null # short blue cable, goes to nothing
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.
Fiber Modem |-rtr1.ratpark.net |-Netgear JGS516 |-IP Phone |-8 Port Switch On Laptopia |-Area with octopi, bigbox, and backup terminal? |-rtr2.ratpark.net |-First Floor 4 Port Switch |-rtr3.ratpark.net |-Stuff in the boiler room? |-rtr4.ratpark.net? |-Stuff in the elevator machine room?
Security and Liability
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the Unifi series of cameras, the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their appliance, which they provide free access to the packages for so you don't need to buy their hardware appliance and instead deploy it on your own machine.
Given that the UVC and the UVC-Micro run for ~100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.
- 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.
- 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.
- 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.
- 2016-05-23: A building community member reported failure to obtain a DHCP lease on all over our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.