https://wiki.hackmanhattan.com/api.php?action=feedcontributions&user=Mz&feedformat=atomHack Manhattan Wiki - User contributions [en]2024-03-28T21:35:54ZUser contributionsMediaWiki 1.40.1https://wiki.hackmanhattan.com/index.php?title=Meeting_2020-03-31&diff=7497Meeting 2020-03-312020-03-27T02:36:23Z<p>Mz: Just adding a placeholder for something I know I'm proposing anyway, it's just too long to finish in one night</p>
<hr />
<div>==Consensus Agenda==<br />
<br />
=== T-shirt pricing ===<br />
<br />
T-shirts will be sold for $20, payment by PayPal only, other payment methods on case-by-case basis<br />
<br />
=== Shway and Chaz's Birthday and HM Summer Combo Party ===<br />
<br />
We will have this party on July 29th or an adjacent weekend. Possibly renting Secret Loft. Any expenses to be proposed later.<br />
<br />
=== Proposal to unschedule Thursday public nights ===<br />
As proposed in the conversation on the members' Slack channel. The idea is that reducing our public nights to once a week would alleviate some of the stress faced by the current membership in having to host/be responsible for guests.<br />
<br />
=== There should be no phone in the space ===<br />
<br />
HM or members would have to start paying for the service soon. It's not that much money, a few dollars per month. But if members don't want to receive phone calls, then its only use would be on average one outgoing call per month, and it's another physical object that takes up space and needs to be maintained (or at least someone needs to know how it works).<br />
<br />
=== Deputy treasurers ===<br />
<br />
Add Rule 12 to the rules:<br />
<br />
The board may appoint and remove one or more members as deputy treasurers, and the members may remove the same or disqualify members from such appointments. If deputy treasurers are appointed, the treasurer and deputy treasurers serve together as the Treasury Expert Group under such rules and procedures as may be prescribed by the board from time to time. The board may grant deputy treasurers signing authority over the corporation's bank accounts, and other similar powers.<br />
<br />
=== Terminating membership and banning mz from HM ===<br />
<br />
mz accused several members of racism, sexism and transphobia and subsequently lobbied for their banning. mz does not understand jokes. It led to the insinuation that he is a Maoist dictator and HR when he was still part of the board. He yelled at people if he felt members severely overstepped boundaries, even during an open house incident in which he accused a member of making racist jokes targeting a member that had previously mentioned that he was targeted by such jokes before. His board membership prevented a "diversity of thought" on the board, leading to a problematic relationship between the board and the membership. He does not accept explanations for repeated missteps. This situation needs to be resolved. mz hereby proposes the termination of mz's membership and subsequent permanent banning from the space.<br />
<br />
* being a dick by wasting meeting time trying to get himself banned --[[User:Guan|Guan]] ([[User talk:Guan|talk]]) 16:54, 3 March 2020 (UTC)<br />
<br />
=== Terminating membership of and banning Charlie from the space ===<br />
<br />
Charlie has been problematic since he joined the space. There was a prior attempt to terminate his membership, and it failed. This time, we want to illustrate that there was a pattern of, and unwillingness to change, his behavior. In one very recent incident, he used a racial epithet in a conversation. Coupled with the complaints from the prior attempt, this establishes a pattern of behavior. His past behavior is included when considering this proposal. His behavior is antithetical to the community we wish to foster, and we have thus far been unable to rein his behavior in. <br />
<br />
Additionally, on Saturday, March 7, I came into the space in the afternoon and looked outside on our porch and saw one of the foam insulation pieces laying on the ground on our porch outside the window and immediately was wondering how it got there. Later examination showed that it had a break, and that break was caused by a strong gust of wind that caused the foam to sway in the wind, eventually snapping and falling forward. The foam insulation stack was secured only at the bottom with a piece of wood propped up against an AC unit which we do not own, putting stress on the metal, but the top portion was not secured in any way. This is very unsafe. At that point, I and another member of the space brought them back into the space and I stowed them in the garbage closet in the hallway since it was the only place to put them that was not a lot of effort. He has yet to apologize for this and instead acted as if he was being harassed, which is his MO when it comes to this.<br />
<br />
Charlie has shown that he does not respect the space, its members, and will continue to be a danger to the very existence of Hack Manhattan in its current form. Given the most recent incident of him storing his project in an unsafe manner, this ban will be permanent. The board does not believe that Charlie can change at this point. Trying to claim he's being harassed when somebody is angry at him for threatening the very existence of the space is a behavior we cannot tolerate.<br />
<br />
=== Implement and adopt a CoC (Code of Conduct) ===<br />
<br />
"Be 3Xc3LL3n7 t0 3aCh 0Th3r" as a hacker "one rule"/mantra just doesn't work. It didn't work at Noisebridge, it doesn't work at maker/hacker cons. A CoC Creation Committee needs to get down and work on a CoC and reporting mechanism to be established either by this meeting or the next. A CoC Committee that handles reports and any related administrivia needs to be established, and it can be composed of the creation committee and/or the board for now.<br />
<br />
* HacDC, which we were originally modeled after, has an [https://wiki.hacdc.org/index.php?title=Anti-Harassment_Policy Anti-Harassment Policy] which is based on example policy from [https://geekfeminism.wikia.org/wiki/Conference_anti-harassment Geek Feminism]. They also have a [http://wiki.hacdc.org/index.php/NormsOfHacDC Norms document] which includes [http://wiki.hacdc.org/index.php/NormsOfHacDC#Expectations Expectations] and [http://wiki.hacdc.org/index.php/NormsOfHacDC#Disruption Disruption] sections, although it doesn't look like it was voted upon. <br />
* [https://doubleunion.org/policies/ Double Union Policies/Code of Conduct]. One thing they were mindful of was [http://www.cwsworkshop.org/PARC_site_B/dr-culture.html white supremacy culture traps].<br />
* Noisebridge still tries to operate under their One Rule (TM), but they also have [https://www.noisebridge.net/wiki/Community_Standards Community Standards] and an [https://www.noisebridge.net/wiki/Anti-Harassment_Policy anti-harassment policy]. Some sections to consider in their documentation are some bits and pieces from their General Guidelines, but especially their Requests to Leave, copied below:<br />
** '''Requests to Leave'''<br />
*** If someone is acting in a way incompatible with our community standards, '''you are empowered to ask them to leave Noisebridge immediately'''.<br />
*** (This emphasis is mine) '''You are under no obligation to ask someone to leave, and absolutely should not confront someone who you think poses a physical danger to you. Please ask for help if you feel you need or want help.'''<br />
*** If someone asks you to leave Noisebridge, you should immediately leave, whether or not you think their request was legitimate or in good faith.<br />
*** If someone asks you to leave, you should not return until the conflict has been resolved, hopefully through mediation.<br />
<br />
=== Remove Javier V. from membership, optionally also ban him from the space altogether ===<br />
<br />
mz is proposing to remove Javier V. from the Hack Manhattan membership. A detailed explanation as to why is forthcoming. Get ready to read a lot, my current draft is 1.5k words long. <br />
<br />
== New Business ==<br />
<br />
=== Formerly on Consensus Agenda ===<br />
<br />
=== Sponsored Members Induction ===<br />
For each prospective member, please confirm no later than Thursday before the meeting:<br />
<br />
* Has the member visited 3 times at the regular Tuesday and Thursday open nights?<br />
* Has the member received the briefing? When, and who was the briefer?<br />
* Has the member's bio and photo been circulated on the members list? (not just blabber)<br />
<br />
<br />
==Member Reports==<br />
=== Board Reports===<br />
====President's Report====<br />
<br />
<br />
====Treasurer's Report====<br />
<br />
====Secretary's Report====<br />
<br />
<br />
====Directors-at-Large's Report====<br />
<br />
Robby: No report.<br />
<br />
===Member and Project Reports===<br />
<br />
<br />
<br />
=== Results ===<br />
<br />
==Meeting Meta==<br />
* Called to order at<br />
* The meeting was adjourned at<br />
* Minutes taken and submitted by<br />
* Proxies: <br />
[[Category:Meetings]]</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Meeting_2020-03-31&diff=7472Meeting 2020-03-312020-03-03T03:48:16Z<p>Mz: /* Consensus Agenda */</p>
<hr />
<div>==Consensus Agenda==<br />
<br />
=== T-shirt pricing ===<br />
<br />
T-shirts will be sold for $20, payment by PayPal only, other payment methods on case-by-case basis<br />
<br />
=== Shway's Birthday and HM Summer Combo Party ===<br />
<br />
We will have this party on July 29th or an adjacent weekend. Possibly renting Secret Loft. Any expenses to be proposed later.<br />
<br />
=== Terminating membership and banning mz from HM ===<br />
<br />
mz accused several members of racism, sexism and transphobia and subsequently lobbied for their banning. mz does not understand jokes. It led to the insinuation that he is a Maoist dictator and HR when he was still part of the board. He yelled at people if he felt members severely overstepped boundaries, even during an open house incident in which he accused a member of making racist jokes targeting a member that had previously mentioned that he was targeted by such jokes before. His board membership prevented a "diversity of thought" on the board, leading to a problematic relationship between the board and the membership. He does not accept explanations for repeated missteps. This situation needs to be resolved. mz hereby proposes the termination of mz's membership and subsequent permanent banning from the space.<br />
<br />
== New Business ==<br />
<br />
=== Formerly on Consensus Agenda ===<br />
<br />
=== Sponsored Members Induction ===<br />
For each prospective member, please confirm no later than Thursday before the meeting:<br />
<br />
* Has the member visited 3 times at the regular Tuesday and Thursday open nights?<br />
* Has the member received the briefing? When, and who was the briefer?<br />
* Has the member's bio and photo been circulated on the members list? (not just blabber)<br />
<br />
<br />
==Member Reports==<br />
=== Board Reports===<br />
====President's Report====<br />
<br />
<br />
====Treasurer's Report====<br />
<br />
====Secretary's Report====<br />
<br />
<br />
====Directors-at-Large's Report====<br />
<br />
===Member and Project Reports===<br />
<br />
<br />
<br />
=== Results ===<br />
<br />
==Meeting Meta==<br />
* Called to order at<br />
* The meeting was adjourned at<br />
* Minutes taken and submitted by<br />
* Proxies: <br />
[[Category:Meetings]]</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Meeting_2020-01-07&diff=7436Meeting 2020-01-072020-01-03T18:36:04Z<p>Mz: </p>
<hr />
<div>==Consensus Agenda==<br />
<br />
* Buy a Cricut EasyPress, 9x9 inches for $129, or 12x10 inches for $179 (+ taxes and potentially shipping)<br />
<br />
== New Business ==<br />
<br />
=== Formerly on Consensus Agenda ===<br />
<br />
=== Sponsored Members Induction ===<br />
For each prospective member, please confirm no later than Thursday before the meeting:<br />
<br />
* Has the member visited 3 times at the regular Tuesday and Thursday open nights?<br />
* Has the member received the briefing? When, and who was the briefer?<br />
* Has the member's bio and photo been circulated on the members list? (not just blabber)<br />
<br />
<br />
==Member Reports==<br />
=== Board Reports===<br />
====President's Report====<br />
<br />
<br />
====Treasurer's Report====<br />
<br />
====Secretary's Report====<br />
<br />
<br />
====Directors-at-Large's Report====<br />
<br />
===Member and Project Reports===<br />
<br />
<br />
<br />
=== Results ===<br />
<br />
==Meeting Meta==<br />
* Called to order at<br />
* The meeting was adjourned at<br />
* Minutes taken and submitted by<br />
* Proxies: <br />
[[Category:Meetings]]</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=7389Network Operations2019-10-30T22:35:42Z<p>Mz: </p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOS ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists on a traditional LAMP stack (Apache, MySQL/MariaDB, PHP); the multiple websites sharing the host are fronted by Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains but apparently this is not the case (for <tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>). <br />
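The mismatch above (a host serving another hostname's certificate) is the kind of thing worth checking from a script rather than by eye. The following is an added example, not code from the wiki or from Hack Manhattan's infrastructure: it fetches the leaf certificate with SNI set and checks whether its Subject Alternative Names actually cover the hostname, with RFC 6125 wildcard semantics (a <tt>*.hackmanhattan.com</tt> entry covers <tt>wiki.hackmanhattan.com</tt> but not the bare apex, which is one reason a wildcard alone would not have been enough here). The certificate dictionaries in the block are constructed for illustration; <tt>fetch_cert</tt> is the only part that touches the network.<br />

```python
"""Check whether the certificate a host presents (via SNI) covers that hostname.

Added example, not part of the Hack Manhattan wiki page. Certificate dicts
below are constructed for illustration and mimic ssl.getpeercert() output.
"""
import socket
import ssl
from typing import Dict, List

# Constructed: what a correct cert for the main domain might look like.
HM_CERT: Dict = {
    "subject": ((("commonName", "hackmanhattan.com"),),),
    "subjectAltName": (("DNS", "hackmanhattan.com"), ("DNS", "www.hackmanhattan.com")),
}
# Constructed: a wildcard cert, to show what it does and does not cover.
WILDCARD_CERT: Dict = {"subjectAltName": (("DNS", "*.hackmanhattan.com"),)}


def san_dns_names(cert: Dict) -> List[str]:
    """DNS-type entries from the subjectAltName field (CN is ignored, as browsers do)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname; '*' covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same label count, and every label after the wildcard identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: Dict, hostname: str) -> bool:
    """True if any SAN DNS entry covers the hostname."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Fetch the leaf certificate with SNI set to hostname.

    Hostname checking is switched off so a mismatched cert is returned for
    reporting instead of raising; chain validation to a trusted root stays on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def report(hostname: str, cert: Dict) -> str:
    """One-line verdict for a hostname/certificate pair."""
    status = "OK" if cert_covers(cert, hostname) else "MISMATCH"
    return f"{hostname}: {status} (SANs: {', '.join(san_dns_names(cert)) or 'none'})"


if __name__ == "__main__":
    # Offline demonstration on the constructed certificates.
    print(report("hackmanhattan.com", HM_CERT))
    print(report("ratpark.nyc", HM_CERT))          # the mismatch described on the page
    print(report("wiki.hackmanhattan.com", WILDCARD_CERT))
    print(report("hackmanhattan.com", WILDCARD_CERT))  # wildcard does not cover the apex
    # Live check of the hostnames named on the page; skipped if offline.
    for host in ("hackmanhattan.com", "wiki.hackmanhattan.com", "ratpark.nyc", "wiki.ratpark.nyc"):
        try:
            print(report(host, fetch_cert(host)))
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: could not fetch certificate ({exc})")
```

Run it periodically (or after a renewal) against every hostname the Nginx front end serves; a MISMATCH line means the virtual host is handing out the wrong certificate for that SNI name, exactly the <tt>ratpark.nyc</tt> situation noted above.<br />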
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-04-17) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.17 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the 3D printer t<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.19 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashb<br />
|-<br />
| [https://git.bo.x0.rs/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://git.bo.x0.rs/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|-<br />
| voip-elevator || 192.168.42.31 || 00:0b:82:47:26:30 || Grandstream HT701 || [[User:Guan|Guan]] || || Elevator shaft shed on the roof<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂|| 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; whatever address DHCP first handed a machine was simply made permanent through OpenWrt's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| ap-elevator-shaft || 192.168.42.6 || 64:66:b3:c6:f1:d4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the rooftop || Inside the elevator maintenance shed <br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 64:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || || Hanging by the cubby power strip<br />
|}<br />
<br />
==== Not integrated in our normal network ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| || 192.168.88.1 || 64:d1:54:ad:12:04 || MikroTik SXTsq 5 ac || N/A (yet) || For potential LinkNYC uplink || Mounted on the satellite dish on the rooftop<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP so that clients reach those subnets without problems and the containers can identify which device is talking to them. This also means static routes are set on the router; the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (option 3, the default route) whenever the Classless Static Route option (121) is present, we include the default route in the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
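To make the option-121 wire format and the default-route rule above concrete, here is an added example (not code from the wiki or from the router's configuration) that encodes and decodes the RFC 3442 Classless Static Route option, emits the comma-separated form that dnsmasq/LuCI accept in the DHCP Options field, and runs the two checks a maintainer would want before changing that field: that a default route is included (since clients seeing option 121 drop option 3) and that every next hop is on-link for the 192.168.42.0/23 LAN. The 10.x subnets and the 192.168.42.1 and 192.168.42.100 addresses come from this page; the /24 prefix lengths are an assumption, as the page does not state them.<br />

```python
"""Encode, decode and sanity-check DHCP option 121 (RFC 3442 classless static routes).

Added example, not part of the Hack Manhattan wiki page. The /24 lengths on the
bo.x0.rs subnets are assumed; the page lists the networks without prefix lengths.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

MAIN_ROUTER = ipaddress.IPv4Address("192.168.42.1")    # space router (from the page)
BOX0RS = ipaddress.IPv4Address("192.168.42.100")       # second router (from the page)
LAN = ipaddress.IPv4Network("192.168.42.0/23")         # space LAN (from the page)

# Routes the DHCP server should hand out. Prefix lengths are assumed /24.
ROUTES: List[Route] = [
    (ipaddress.IPv4Network("10.133.7.0/24"), BOX0RS),
    (ipaddress.IPv4Network("10.8.0.0/24"), BOX0RS),
    (ipaddress.IPv4Network("10.0.59.0/24"), BOX0RS),
    (ipaddress.IPv4Network("10.0.93.0/24"), BOX0RS),
    # RFC 3442 section 3: a client that receives option 121 MUST ignore option 3,
    # so the default route has to travel inside option 121 as a 0.0.0.0/0 entry.
    (ipaddress.IPv4Network("0.0.0.0/0"), MAIN_ROUTER),
]


def encode_option_121(routes: List[Route]) -> bytes:
    """Option data only (no 121 tag / length byte). Each route is
    <prefix length><ceil(len/8) significant destination octets><4-byte router>."""
    out = bytearray()
    for net, gateway in routes:
        plen = net.prefixlen
        nsig = (plen + 7) // 8                       # 0 for the default route
        out.append(plen)
        out += net.network_address.packed[:nsig]
        out += gateway.packed
    return bytes(out)


def decode_option_121(data: bytes) -> List[Route]:
    """Parse option data back into (network, router) pairs; rejects malformed input."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        nsig = (plen + 7) // 8
        need = 1 + nsig + 4
        if i + need > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = data[i + 1:i + 1 + nsig] + bytes(4 - nsig)   # zero-fill omitted octets
        gateway = data[i + 1 + nsig:i + need]
        routes.append((ipaddress.IPv4Network((dest, plen)), ipaddress.IPv4Address(gateway)))
        i += need
    return routes


def dnsmasq_option_string(routes: List[Route]) -> str:
    """The 'tag,dest/len,router,...' form dnsmasq (and LuCI's DHCP Options field) accepts."""
    return "121," + ",".join(f"{net.with_prefixlen},{gw}" for net, gw in routes)


def check_routes(routes: List[Route], lan: ipaddress.IPv4Network = LAN) -> List[str]:
    """Problems a maintainer should fix before publishing the option. Empty list = fine."""
    problems = []
    if not any(net.prefixlen == 0 for net, _ in routes):
        problems.append("no default route: clients will ignore option 3 and lose their uplink")
    for net, gw in routes:
        if gw not in lan:
            problems.append(f"next hop {gw} for {net} is not on-link in {lan}")
    return problems


if __name__ == "__main__":
    wire = encode_option_121(ROUTES)
    print("option 121 data:", wire.hex(" "))
    print("dnsmasq form:   ", dnsmasq_option_string(ROUTES))
    print("round trip ok:  ", decode_option_121(wire) == ROUTES)
    print("checks:         ", check_routes(ROUTES) or "none")
    print("without default:", check_routes(ROUTES[:-1]))
```

The decoder is deliberately strict (it refuses prefix lengths over 32 and truncated entries) because option 121 arrives from the network and is parsed by every client; a lenient parser is how a malformed or unexpected route list ends up silently installed. The default-route check is the one that catches the exact mistake the paragraph above warns about.<br />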
<br />
=== Network Hierarchy (as of 2019-08-09) ===<br />
<br />
<nowiki>---<br />
network:<br />
- name: foo<br />
type: router<br />
children:<br />
- name: verizon<br />
type: uplink<br />
interface: em0<br />
- name: 24-port-switch<br />
type: unmanaged-switch<br />
interface: em1<br />
vlans:<br />
- name: NYC Mesh<br />
vid: 68<br />
- name: NYC Mesh Clients<br />
vid: 99<br />
children:<br />
- name: box0rs<br />
type: server<br />
- name: cnc<br />
type: device<br />
- name: rfid-access-space<br />
type: device<br />
- name: buzzer-pi-shop<br />
type: device<br />
- name: voip-space<br />
type: voip-phone<br />
- name: voip-teletron8000<br />
type: voip-ata<br />
- name: wrtnode-webcam<br />
type: device<br />
- name: north-switch<br />
type: unmanaged-switch<br />
children:<br />
- name: ap-basement<br />
type: ap-switch<br />
wireless:<br />
- ssid: hackmanhattan west<br />
wpa2: true<br />
- ssid: hackmanhattan west 5Ghz<br />
wpa2: true<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-inside<br />
vlan: 99<br />
crypto: true<br />
- name: west-switch<br />
type: unmanaged-switch<br />
children:<br />
- name: ap-west<br />
type: ap-switch<br />
wireless:<br />
- ssid: hackmanhattan<br />
crypto: false<br />
- ssid: hackmanhattan west<br />
crypto: true<br />
- ssid: hackmanhattan west 5Ghz<br />
crypto: true<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-inside<br />
vlan: 99<br />
crypto: true<br />
- name: octoprint-main<br />
type: device<br />
- name: brother-printer<br />
type: printer<br />
- name: bricolage<br />
type: server<br />
- name: hallway-switch<br />
type: unmanaged-switch<br />
children:<br />
- name: ap-south<br />
type: ap-switch<br />
wireless:<br />
- ssid: hackmanhattan<br />
crypto: false<br />
- ssid: hackmanhattan west<br />
crypto: true<br />
- ssid: hackmanhattan west 5Ghz<br />
crypto: true<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-inside<br />
vlan: 99<br />
crypto: true<br />
- name: ap-3rdfloor<br />
type: ap-switch<br />
wireless:<br />
- ssid: hackmanhattan<br />
crypto: false<br />
- ssid: hackmanhattan west<br />
crypto: true<br />
- ssid: hackmanhattan west 5Ghz<br />
crypto: true<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-inside<br />
vlan: 99<br />
crypto: true<br />
- name: rfid-access-building<br />
type: device<br />
- name: elevator-shed<br />
type: unmanaged-poe-switch<br />
poe: 48V @ 1.25A<br />
children:<br />
- name: mesh-hub<br />
type: ap-switch<br />
poe: 18W<br />
wireless:<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-back<br />
vlan: 99<br />
crypto: true<br />
- ssid: nycmesh-wds<br />
vlan: 68<br />
crypto: true<br />
- name: ap-mesh-hybrid<br />
type: ap-switch<br />
poe: 24V @ 3A - ~18W<br />
wireless:<br />
- ssid: hackmanhattan west<br />
crypto: true<br />
- ssid: hackmanhattan west 5Ghz<br />
crypto: true<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-front<br />
vlan: 99<br />
crypto: true<br />
- ssid: nycmesh-wds<br />
vlan: 68<br />
crypto: true<br />
children:<br />
- name: mesh-east<br />
type: ap<br />
poe: 10.5W<br />
wireless:<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-east<br />
vlan: 99<br />
crypto: true<br />
- ssid: nycmesh-wds<br />
vlan: 68<br />
crypto: true<br />
- name: mesh-west<br />
type: ap<br />
poe: 10.5W<br />
wireless:<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-west<br />
vlan: 99<br />
crypto: true<br />
- ssid: nycmesh-wds<br />
vlan: 68<br />
crypto: true<br />
- name: mesh-uplink<br />
type: wireless-client<br />
poe: 7W<br />
wireless:<br />
- ssid: LinkNYC Private<br />
crypto: true<br />
type: uplink<br />
- name: voip-elevator<br />
type: voip-ata<br />
- type: unused<br />
interface: em2<br />
- name: emergency<br />
type: static<br />
interface: em3</nowiki><br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a /23 carved from the 192.168.0.0/16 private (classically "Class C") range: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend on complicating our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Get one allocated. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOS<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their video appliance, whose software packages they provide free of charge, so there is no need to buy their hardware appliance; it can be deployed on a machine of our own instead.<br />
<br />
Given that the UVC and the UVC-Micro run for ~$100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone into the wrong holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our WRTnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. RESOLVED.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. RESOLVED.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User_talk:RSizykh&diff=7358User talk:RSizykh2019-10-11T02:15:16Z<p>Mz: Welcome!</p>
<hr />
<div>'''Welcome to ''Hack Manhattan Wiki''!'''<br />
We hope you will contribute much and well.<br />
You will probably want to read the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents help pages].<br />
Again, welcome and have fun! [[User:Mz|Mz]] ([[User talk:Mz|talk]]) 02:15, 11 October 2019 (UTC)</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User:RSizykh&diff=7356User:RSizykh2019-10-11T02:13:09Z<p>Mz: Creating user page for new user.</p>
<hr />
<div>Enjoy woodworking, cooking, and general messing around with mechanical instruments and tools. Would like to learn to weld, use a lathe and other machining tools and instruments, and make tools. Can teach sharpening techniques if anyone is interested. Firmly believe that a grilled cheese with ham is not a grilled cheese but a melt.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=7189Network Operations2019-08-09T16:32:19Z<p>Mz: /* Approximate Network Hierarchy (as of 2018-04-25) */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon Fios ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists on a traditional LAMP stack (Apache, MySQL/MariaDB, PHP); Nginx is what lets the multiple websites share the same host. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt>, apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup, and <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan.com</tt> runs Postfix and Mailman for the mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests for that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
We have SSL certificates from Comodo for every hostname currently involved except <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s certificate instead. (On a shared Nginx host this is usually what happens when no server block with its own certificate matches the SNI name, so the default server's certificate gets served; <tt>openssl s_client -servername ratpark.nyc -connect ratpark.nyc:443</tt> shows which certificate a client actually receives.) I would've thought we'd have wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> addresses are with Google Apps (but not <tt>@list.hackmanhattan.com</tt>, which is handled by Postfix and Mailman on the Digital Ocean machine).<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-04-17) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set up (ask [[User:mz|mz]]) you can log into all of these machines with centralised credentials (your own username and key rather than a shared password).<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.<s>17</s>19 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.<s>19</s>17 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| [https://git.bo.x0.rs/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://git.bo.x0.rs/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|-<br />
| voip-elevator || 192.168.42.31 || 00:0b:82:47:26:30 || Grandstream HT701 || [[User:Guan|Guan]] || || Elevator shaft shed on the roof<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂|| 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; it was basically whatever DHCP first gave these machines, made permanent through OpenWrt's LuCI. New devices ought to be assigned addresses below 192.168.42.150, where the dynamic pool starts.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| ap-elevator-shaft || 192.168.42.6 || 64:66:b3:c6:f1:d4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the rooftop || Inside the elevator maintenance shed <br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 64:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || || Hanging by the cubby power strip<br />
|}<br />
<br />
==== Not integrated in our normal network ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| || 192.168.88.1 || 64:d1:54:ad:12:04 || MikroTik SXTsq 5 ac || N/A (yet) || For potential LinkNYC uplink || Mounted on the satellite dish on the rooftop<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0/24, 10.8.0.0/24, 10.0.59.0/24 and 10.0.93.0/24 subnets, it essentially acts as a second router. Hence we hand out classless static routes via DHCP, so that clients reach those subnets without problems and the containers can identify which device is talking to them. Matching static routes are also set on the router itself, and the DHCP options may be found in LuCI under Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] requires a client that receives the Classless Static Route option (121) to ignore the Router option (3), the default route must be included in the static routes we send out; otherwise clients that honour the RFC end up with no default gateway at all.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
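<br />
Worked example (added here; it is neither the router's configuration nor code from this page) showing what option 121 actually carries and why the default route has to be in it. The route table below is an assumption for illustration only: 10.8.0.0/24 via the vpn container at 192.168.42.103, the other bo.x0.rs subnets via the host at 192.168.42.100, and the default route via the main router at 192.168.42.1. The real table lives in LuCI. The same list is also rendered in the <tt>dhcp-option=121,...</tt> spelling that dnsmasq (and therefore OpenWrt's <tt>list dhcp_option</tt>) accepts.<br />

```python
"""RFC 3442 Classless Static Route option (DHCP option 121): encode, decode, check.

Added example for the Hack Manhattan wiki; not the space's router config.
Route targets are assumptions chosen for illustration (see SPACE_ROUTES).
"""
import ipaddress

# Constructed route table for the example. Check LuCI for the real one.
SPACE_ROUTES = [
    ("0.0.0.0/0", "192.168.42.1"),        # default route: must be repeated here (RFC 3442)
    ("10.8.0.0/24", "192.168.42.103"),    # assumed: OpenVPN net via the vpn container
    ("10.133.7.0/24", "192.168.42.100"),  # assumed: isolated net via the box0rs host
    ("10.0.59.0/24", "192.168.42.100"),   # assumed: torified net via the box0rs host
    ("10.0.93.0/24", "192.168.42.100"),   # assumed: deprecated net via the box0rs host
]


def encode_classless_routes(routes):
    """Option-121 payload for a list of (destination, router) pairs.

    Wire format per route: one byte prefix length, then only the significant
    octets of the destination (ceil(prefix/8) of them), then the 4 router octets.
    A default route is therefore a single 0x00 followed by the gateway.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set
        gw = ipaddress.IPv4Address(router)
        width = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:width]
        out += gw.packed
    if len(out) > 255:
        raise ValueError("option 121 payload exceeds a single DHCP option (255 bytes)")
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; raises ValueError on malformed input."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError(f"bad prefix length {prefixlen}")
        width = (prefixlen + 7) // 8
        i += 1
        if i + width + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = ipaddress.IPv4Address(payload[i:i + width] + bytes(4 - width))
        i += width
        gw = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=True: a sender that set host bits inside the significant octets is rejected
        net = ipaddress.IPv4Network(f"{dest}/{prefixlen}", strict=True)
        routes.append((str(net), str(gw)))
    return routes


def is_valid_option_121(payload):
    """True if the payload parses completely as RFC 3442 routes."""
    try:
        decode_classless_routes(payload)
        return True
    except ValueError:
        return False


def has_default_route(routes):
    """The RFC 3442 check: clients ignore option 3 when 121 is present,
    so a route list without 0.0.0.0/0 leaves compliant clients gatewayless."""
    return any(ipaddress.IPv4Network(dest).prefixlen == 0 for dest, _ in routes)


def dnsmasq_option_121(routes):
    """Same list in the form dnsmasq expects (LuCI "DHCP Options" / uci list dhcp_option)."""
    return "121," + ",".join(f"{dest},{router}" for dest, router in routes)


if __name__ == "__main__":
    payload = encode_classless_routes(SPACE_ROUTES)
    print(payload.hex(" "))
    print(dnsmasq_option_121(SPACE_ROUTES))
    print("default route present:", has_default_route(SPACE_ROUTES))
```

Drop the first entry of <tt>SPACE_ROUTES</tt> and <tt>has_default_route</tt> returns false; that is exactly the configuration that leaves RFC-compliant clients without a gateway even though option 3 is still being sent. Decoding is included so a capture of the router's DHCP offer (for instance from tcpdump) can be fed back in and compared against what LuCI was supposed to hand out.<br />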
<br />
=== Network Hierarchy (as of 2019-08-09) ===<br />
<br />
<nowiki>---<br />
network:<br />
- name: foo<br />
type: router<br />
children:<br />
- name: verizon<br />
type: uplink<br />
interface: em0<br />
- name: 24-port-switch<br />
type: unmanaged-switch<br />
interface: em1<br />
vlans:<br />
- name: NYC Mesh<br />
vid: 68<br />
- name: NYC Mesh Clients<br />
vid: 99<br />
children:<br />
- name: box0rs<br />
type: server<br />
- name: cnc<br />
type: device<br />
- name: rfid-access-space<br />
type: device<br />
- name: buzzer-pi-shop<br />
type: device<br />
- name: voip-space<br />
type: voip-phone<br />
- name: voip-teletron8000<br />
type: voip-ata<br />
- name: wrtnode-webcam<br />
type: device<br />
- name: north-switch<br />
type: unmanaged-switch<br />
children:<br />
- name: ap-basement<br />
type: ap-switch<br />
wireless:<br />
- ssid: hackmanhattan west<br />
wpa2: true<br />
- ssid: hackmanhattan west 5Ghz<br />
wpa2: true<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-inside<br />
vlan: 99<br />
crypto: true<br />
- name: west-switch<br />
type: unmanaged-switch<br />
children:<br />
- name: ap-west<br />
type: ap-switch<br />
wireless:<br />
- ssid: hackmanhattan<br />
crypto: false<br />
- ssid: hackmanhattan west<br />
crypto: true<br />
- ssid: hackmanhattan west 5Ghz<br />
crypto: true<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-inside<br />
vlan: 99<br />
crypto: true<br />
- name: octoprint-main<br />
type: device<br />
- name: brother-printer<br />
type: printer<br />
- name: bricolage<br />
type: server<br />
- name: hallway-switch<br />
type: unmanaged-switch<br />
children:<br />
- name: ap-south<br />
type: ap-switch<br />
wireless:<br />
- ssid: hackmanhattan<br />
crypto: false<br />
- ssid: hackmanhattan west<br />
crypto: true<br />
- ssid: hackmanhattan west 5Ghz<br />
crypto: true<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-inside<br />
vlan: 99<br />
crypto: true<br />
- name: ap-3rdfloor<br />
type: ap-switch<br />
wireless:<br />
- ssid: hackmanhattan<br />
crypto: false<br />
- ssid: hackmanhattan west<br />
crypto: true<br />
- ssid: hackmanhattan west 5Ghz<br />
crypto: true<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-inside<br />
vlan: 99<br />
crypto: true<br />
- name: rfid-access-building<br />
type: device<br />
- name: elevator-shed<br />
type: unmanaged-poe-switch<br />
poe: 48V @ 1.25A<br />
children:<br />
- name: mesh-hub<br />
type: ap-switch<br />
poe: 18W<br />
wireless:<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-back<br />
vlan: 99<br />
crypto: true<br />
- ssid: nycmesh-wds<br />
vlan: 68<br />
crypto: true<br />
- name: ap-mesh-hybrid<br />
type: ap-switch<br />
poe: 24V @ 3A - ~18W<br />
wireless:<br />
- ssid: hackmanhattan west<br />
crypto: true<br />
- ssid: hackmanhattan west 5Ghz<br />
crypto: true<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-front<br />
vlan: 99<br />
crypto: true<br />
- ssid: nycmesh-wds<br />
vlan: 68<br />
crypto: true<br />
children:<br />
- name: mesh-east<br />
type: ap<br />
poe: 10.5W<br />
wireless:<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-east<br />
vlan: 99<br />
crypto: true<br />
- ssid: nycmesh-wds<br />
vlan: 68<br />
crypto: true<br />
- name: mesh-west<br />
type: ap<br />
poe: 10.5W<br />
wireless:<br />
- ssid: -NYC Mesh Community WiFi-<br />
vlan: 99<br />
crypto: false<br />
- ssid: nycmesh-3664-west<br />
vlan: 99<br />
crypto: true<br />
- ssid: nycmesh-wds<br />
vlan: 68<br />
crypto: true<br />
- name: mesh-uplink<br />
type: wireless-client<br />
poe: 7W<br />
wireless:<br />
- ssid: LinkNYC Private<br />
crypto: true<br />
type: uplink<br />
- name: voip-elevator<br />
type: voip-ata<br />
- type: unused<br />
interface: em2<br />
- name: emergency<br />
type: static<br />
interface: em3</nowiki><br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for the whole private <tt>10/8</tt> block. After much thought, it was decided this was unreasonable.<br />
<br />
This plan uses a <tt>/23</tt> out of the private 192.168/16 range: <tt>192.168.42.0/23</tt>, which gives us a theoretical maximum of <tt>510</tt> host addresses. The main router also handles DHCP for both wired and wireless clients, assigning leases from <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines can use static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a single <tt>/23</tt> is a reasonable thing to do. The trade-off is that everything, including the door controllers and whoever is on the open <tt>hackmanhattan</tt> SSID, shares one broadcast domain, so anything reachable there has to authenticate on its own.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and modem for Verizon Fios<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # TRENDnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
For cameras it would be in our best interests not to homebrew hardware but to use known commercial hardware. Ubiquiti comes to mind: their UniFi Video line (UVC-Micro, UVC, UVC-Dome and UVC-Pro) records to an NVR appliance, and since they provide the NVR software packages for free, it can be deployed on a machine of our own instead of their hardware appliance.<br />
<br />
Given that the UVC and the UVC-Micro run about $100 each, it would be great to cover the first floor, the space, the machine area and the roof with them. A separate webcam would remain the public space webcam, and access to the NVR would be limited to the board and trusted members of the space. For about $400 we can cover the four areas, and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone into the wrong holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our WRTnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. RESOLVED.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. RESOLVED.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User_talk:Davisallen&diff=7107User talk:Davisallen2019-07-31T22:05:36Z<p>Mz: Welcome!</p>
<hr />
<div>'''Welcome to ''Hack Manhattan Wiki''!'''<br />
We hope you will contribute much and well.<br />
You will probably want to read the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents help pages].<br />
Again, welcome and have fun! [[User:Mz|Mz]] ([[User talk:Mz|talk]]) 22:05, 31 July 2019 (UTC)</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User:Davisallen&diff=7106User:Davisallen2019-07-31T22:03:29Z<p>Mz: Creating user page for new user.</p>
<hr />
<div>I'm a game designer and programmer interested in civics and civic tech. While most of my interests at the moment fall on the software side of things, I'm an occasional tinkerer and homebrewer - I just generally enjoy making fun things with fun people. Generally speaking, as a human, I enjoy learning new things.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Bo.x0.rs&diff=7044Bo.x0.rs2019-07-08T19:43:47Z<p>Mz: </p>
<hr />
<div>[[File:Box0rs-logo.svg|right|300px]] bo.x0.rs is Hack Manhattan's in-house minimalist '''hackerspace-tinker-tolerant bullshit cloud''' running on a kindly donated ThinkPad T410, so far without backups.<br />
<br />
Why: ease communal development of space projects (ex: hmbot dev deployment), trying out Linux software, running space-related services like VPN, the [[Camera|space webcam]] proxied (for security and logs), dropboxes for members (Nextcloud?), etc. Some of the architecture decisions are inspired by [https://www.qubes-os.org/ Qubes OS].<br />
<br />
For work in progress, see the [https://ghom.niij.org/eaon/bo.x0.rs git repository].<br />
<br />
== Implementation ==<br />
<br />
Status: the management container does not exist yet, functionally speaking. Unprivileged containers and some of the planned services are operational though - kindly assembled by manual labour. No IPv6 setup yet.<br />
<br />
=== Host ===<br />
<br />
<pre>Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz<br />
MemTotal: 8028864 kB <br />
/dev/sda: 111.8 GiB (SSD)<br />
/dev/sdb: 931.5 GiB (USB HDD)<br />
Ethernet: f0:de:f1:03:00:0f (Wake-on-LAN enabled)</pre><br />
<br />
=== Host Network ===<br />
<br />
There is a bridge setup letting guest containers get DHCP addresses (IPv4 & IPv6). Additionally there are:<br />
<br />
* <code>10.8.0.0/24</code> - OpenVPN addresses, bridged and routed via <code>192.168.42.103</code>. Can reach everything in the space and vice versa.<br />
* <code>10.133.7.0/24</code> - isolated. Can be reached, but can't reach anything on the HM network itself. Exception: may use Tor via SOCKS on <code>10.133.7.1:9050</code> for system updates. For very elite projects.<br />
* <code>10.0.59.0/24</code> - torified. Transparent proxying via Tor. Can be reached, but routes all outgoing traffic via Tor. For paranoid projects that need internet.<br />
* <code>10.0.93.0/24</code> - virtual network routed via <code>192.168.42.100</code>. Deprecated.<br />
<br />
=== Current containers ===<br />
<br />
* '''web''' <code>192.168.42.104</code> & <code>2001:470:8b1c:0:216:3eff:fe10:ff03</code><br />
** Hosts [https://space.bo.x0.rs/sousveillance/ Sousveillance]<br />
** Proxies the [[Camera|camera]]<br />
** Proxies '''clickycloud''', '''minio''' and '''git''' for use from outside the space<br />
* '''vpn''' <code>192.168.42.103</code> & <code>10.8.0.1</code> & <code>2001:470:8b1c:0:216:3eff:fe10:ff02</code><br />
** OpenVPN for access to the space network (and its regular internet connection) from afar.<br />
*** Currently no automatic user-making process. Bug [[User:mz|mz]] for an account.<br />
* '''management''' <code>192.168.42.101</code> & <code>2001:470:8b1c:0:216:3eff:fe10:ff01</code><br />
** Still in development<br />
* '''hmbot''' <code>10.0.93.5</code><br />
** Defunct<br />
* '''clickycloud''' <code>192.168.42.105</code> & <code>2001:470:8b1c:0:216:3eff:fe10:ff05</code><br />
** Hosts https://cloud.bo.x0.rs/, [https://nextcloud.com/ Nextcloud] based digital storage for HM members/bo.x0.rs users.<br />
*** Meant for: personal digital storage, shared group folders (for projects, photos etc.)<br />
*** Soon: User accounts (and their passwords) are shared with the '''management''' container<br />
*** Current: if you want access, send your desired username to [[User:mz|mz]] (Slack, E-Mail, whatever you prefer)<br />
* '''minio''' <code>192.168.42.107</code> & <code>2001:470:8b1c:0:216:3eff:fe10:ff89</code><br />
** Hosts https://minio.bo.x0.rs/ a [https://github.com/minio/minio minio instance] accessible from the rest of the Internet.<br />
** Mainly used for Octoprint webcam shots that are shown on <code>#3dprint-status</code> on Slack<br />
* '''dns''' <code>192.168.42.106</code> & <code>2001:470:8b1c:0:216:3eff:fe5e:1fa9</code><br />
** A Bind9 host that provides internal name records for '''*.bo.x0.rs'''.<br />
** Hosts [https://en.wikipedia.org/wiki/Hesiod_(name_service) Hesiod] style records for convenient access to communal networked infrastructure (logging in with your own usernames and keys rather than sharing a password)<br />
* '''git''' <code>192.168.42.109</code> & <code>2001:470:8b1c:0:216:3eff:fe5e:201a</code><br />
** Hosts a [https://gitea.io/ Gitea] instance at https://git.bo.x0.rs/<br />
* '''teletron8000''' <code>192.168.42.108</code> & <code>2001:470:8b1c:0:216:3eff:fe5e:e2ee</code><br />
** Hosts Figment/Maker Faire Phone games locally!<br />
<br />
== "Specification" ==<br />
<br />
=== Management Container ===<br />
<br />
* Pull SSH keys and usernames from https://wiki.hackmanhattan.com/index.php?title=User:$username/ssh&action=raw pages on the wiki, where <code>$username</code> is filtered by a whitelist only editable on the host (kind of inspired by [https://www.noisebridge.net/wiki/Resources/Pony Noisebridge's pony] (RIP) but less permissive)<br />
** Probably TOFU: pin the keys the first time a user is seen, and require manual approval of any change pulled from the wiki afterwards, so that a compromised wiki account (or wiki) cannot swap in an attacker's key<br />
* User passwords are expired on account creation so that on first login via SSH key users are forced to set their own password<br />
* Users are allowed to create new minimal Debian stretch containers and can choose from different network setups (default: IPv6 on)<br />
** Static IPv4 allocation<br />
** NAT<br />
** Static IPv4 allocation + Tor (IPv6 outgoing off)<br />
** Tor (IPv6 outgoing off)<br />
** Isolated (incoming IPv6 on, outgoing off)<br />
* Users can remove or expire containers they put in place<br />
* The management container can reach every container on the network but does not see them in the file system, mainly to enable users to bounce into isolated containers via ssh (see ProxyCommand)<br />
* <code>$HOME</code> on management container could be a tmpfs with exceptions (<code>~/.ssh/</code> and <code>~/$(who).ovpn</code> come to mind)<br />
* Users can't give new mknod privileges to containers, host admins must intervene<br />
* Provide simple how-to via motd<br />
* When creating a new user container, tool waits for configuration dump by the host and displays access information<br />
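<br />
An added example of the pull-and-pin step above (this is not bo.x0.rs code; the management container does not exist yet): parse a raw <code>User:$username/ssh</code> page into lines that are structurally valid SSH public keys, fingerprint them the way OpenSSH does, and apply TOFU against a pinned state kept on the host. Everything here is an assumption made for illustration: the function names, the shape of the pinned state (<code>{username: set of fingerprints}</code>), and the sample key lines, which are constructed with <code>make_key_line</code> rather than fetched from the wiki.<br />

```python
"""Pull-and-pin of SSH keys from wiki pages: validation, fingerprinting, TOFU.

Added example for the bo.x0.rs page; not the project's own code. The wiki
fetch itself is left out: callers pass the raw page text in. Sample keys are
constructed with make_key_line (random-looking but fixed bytes, not real keys).
"""
import base64
import hashlib
import struct

# Key types the host is willing to install. Anything else on the page is ignored.
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_key_line(keytype, pubkey_bytes, comment=""):
    """Constructed authorized_keys line used as a fixture (assumed test data, not a real key)."""
    blob = _ssh_string(keytype.encode()) + _ssh_string(pubkey_bytes)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_keys(raw_page):
    """Valid public keys on a raw wiki page as 'type base64' strings, nothing else.

    A line counts only if its type is allowed, the blob base64-decodes cleanly,
    and the type string inside the blob matches the type in front of it. That
    is what stops a wiki editor from smuggling arbitrary text (or an
    authorized_keys option such as command= or from=) into root's key file.
    """
    keys = []
    for line in raw_page.splitlines():
        parts = line.strip().split()
        if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
            continue  # wiki markup, comments, option-prefixed lines, unknown types
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if len(blob) < 4:
            continue
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != parts[0].encode():
            continue  # type in front does not match the type inside the blob
        keys.append(f"{parts[0]} {parts[1]}")  # comment dropped: the host writes its own
    return keys


def fingerprint(key):
    """OpenSSH-style fingerprint ('SHA256:...' without base64 padding) of a key line."""
    blob = base64.b64decode(key.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def reconcile(whitelist, pinned, pages):
    """Decide which wiki keys get installed.

    whitelist: usernames host admins allow (the list only editable on the host).
    pinned:    {username: set of fingerprints already approved}, kept on the host.
    pages:     {username: raw text of User:<username>/ssh} as fetched from the wiki.
    Returns (authorized, pending, new_pinned): keys to install now, fingerprints
    that differ from the pins and need a human to approve, and the updated pins.
    A user seen for the first time is trusted on first use; later changes are not.
    """
    authorized, pending = {}, {}
    new_pinned = {user: set(fps) for user, fps in pinned.items()}
    for user, raw in pages.items():
        if user not in whitelist:
            continue  # having a wiki account does not make you a bo.x0.rs user
        keys = parse_keys(raw)
        if user not in new_pinned:  # TOFU: first sight pins whatever is on the page
            new_pinned[user] = {fingerprint(k) for k in keys}
        for key in keys:
            fp = fingerprint(key)
            if fp in new_pinned[user]:
                authorized.setdefault(user, []).append(key)
            else:
                pending.setdefault(user, []).append(fp)  # changed or added key: hold it
    return authorized, pending, new_pinned
```

With this split, a compromised wiki (or a hijacked wiki account) shows up as a <code>pending</code> entry that an admin has to look at, rather than as a new key in <code>root</code>'s <code>authorized_keys</code>; the only way a changed key gets installed is a host admin adding its fingerprint to the pins. Keys that disappear from the page simply stop being authorized on the next run. For production use, running <code>ssh-keygen -lf</code> over each accepted line is a stricter validity check than the blob-type comparison above, which only catches the common garbage.<br />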
<br />
==== Maybe ====<br />
<br />
* Container types other than Debian stable (for example OpenWRT or any VNC enabled $distro) may be provided if someone puts in the respective work<br />
* Automatically mount broken container rootfs into user <code>$HOME</code>: go fix (it) yourself - the exception to the rule of management container not seeing user files? (Problem with that though: file permissions)<br />
<br />
=== User container ===<br />
<br />
* User created containers are automatically started at boot. If a container fails to boot a certain amount of times, the autostart flag is removed and access ceases until host admins intervene.<br />
* All users with root access can expire containers, getting them automatically discarded. <code>$ date -d "next Monday" +%s > ~root/discard</code><br />
* User containers are allowed to nest containers (making it possible for people to use Docker if they really want to)<br />
<br />
==== Maybe ====<br />
<br />
* Make all containers reachable via name.bo.x0.rs?<br />
<br />
=== Host ===<br />
<br />
* Runs Debian stretch with the latest backports kernel, backports LXC and LXCFS and systemd (to make systemd based unprivileged containers work - no real root for you).<br />
* Is full disk encrypted, password is shared with the HM board<br />
* Containers are located on a zfs mount. Minimise hard disk space waste etc.<br />
* The host has an inotifywait process that checks for new configuration arrivals and puts the new unprivileged containers in place, generates new SSH host keys, adds the users' SSH keys to root@, creates a summary file in the users home on the management container<br />
* Runs a daily systemd-timer at 4am to check for expiration of containers<br />
<br />
==== Maybe ====<br />
<br />
* Have a container that acts as provider for network booting (for public terminals, raspberry pi etc.)<br />
<br />
{{DISPLAYTITLE:bo.x0.rs}}</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User_talk:Clyde1997&diff=7040User talk:Clyde19972019-07-05T22:03:39Z<p>Mz: Welcome!</p>
<hr />
<div>'''Welcome to ''Hack Manhattan Wiki''!'''<br />
We hope you will contribute much and well.<br />
You will probably want to read the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents help pages].<br />
Again, welcome and have fun! [[User:Mz|Mz]] ([[User talk:Mz|talk]]) 22:03, 5 July 2019 (UTC)</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User:Clyde1997&diff=7039User:Clyde19972019-07-05T22:01:32Z<p>Mz: Creating user page for new user.</p>
<hr />
<div>My name is Clyde. I like to work on experimental technologies and human advancements. I work as a courier and a clerk at a day job. I struggle to find something to do at night, so here I am now. I am into sustainable living, making people more aware of current living situations on earth itself, not just in their homes or their cities. I hope to bring people together to see the benefits from taking care of our world, not just our country or city or home. My ultimate goal is to help people understand that there are second chances in life, and not to be close-minded.<br />
<br />
At Hack Manhattan I would like to work on projects in electronics, textiles, fabrication, and science experiments.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=New_Member_Briefings&diff=7010New Member Briefings2019-05-09T00:15:24Z<p>Mz: /* Approved briefers */</p>
<hr />
<div>__TOC__<br />
<br />
&nbsp;<br />
<br />
= Welcome to Hack Manhattan! - Important Info, Please Read =<br />
<br />
If you are a new member, you will have just completed [[MembershipInfo|the application process]]. Welcome! This page gives a lot of useful information and directions, please read it all. This is also the content of the briefing for new members.<br />
<br />
As a new member, please familiarize yourself with the following:<br />
<br />
* The [[Bylaws]] of Hack Manhattan<br />
* The [[Rules]] of Hack Manhattan<br />
* Our [[Anti-Harassment_Policy]]<br />
* The [[MIBS_Rules|Procedures we use for Meetings]]<br />
* How to get involved with [[Recruitment|recruiting]] more members so that we can pay the rent!<br />
* Our [[Meeting 2013-03-26#Space use policy| space use policy]] if you plan to host events.<br />
* '''Use good judgment at all times.'''<br />
** Don't commit crimes at the space.<br />
<br />
== To the briefer ==<br />
<br />
* Remember to send a short bio and photo to the members list. Ideally this happens '''during the briefing'''; ask a few biographical questions and write up a bio if the prospective member does not have one ready.<br />
* Ordinarily memberships can be approved one week after the bio goes out. The member may ask on Slack about the status of the membership after one week.<br />
* Emphasize:<br />
** Do-ocracy, not fee-for-service<br />
** The safety rules<br />
** If the member wants to resign the membership, the most important thing is to notify us. Nothing else matters. No reason has to be given, no explanations are necessary, ''just tell us.'' (Practical details like keys, removal of personal effects and dues payments are not urgent and can be sorted out later.)<br />
* Despite what it says below, Slack is probably a better way to ask questions and consult members.<br />
<br />
== Organizational ==<br />
* Activities are member-driven at Hack Manhattan. We are a 'do-ocracy'. No-one will do it for you, but others may help if you encourage them! Post your ideas and get help on [https://list.hackmanhattan.com/listinfo/blabber our mailing list]<br />
* Hack Manhattan is run by and for the membership as a whole, so usually the best way to address any issue is first to ask the members for their opinion on the mailing list.<br />
* You are encouraged to attend and vote at our [[Business Meetings|monthly business meetings]], held on the last Tuesday of every month. Some things can be decided with a brief consultation on Slack, the Blabber list or the members mailing list, but bigger decisions should be approved at a business meeting.<br />
* The members are all responsible for creating the atmosphere and environment in the space. <br />
* If you would like to take a class or teach a class, or indeed have anything you'd like to contribute or ask of the community, get involved and ask on [https://list.hackmanhattan.com/listinfo/blabber our mailing list]<br />
* Events are listed at [http://www.meetup.com/hackmanhattan/ our Meetup page]. Meetup currently does not allow co-sponsoring of events, so please add your event to our Meetup calendar too, if you have your own Meetup group already.<br />
* There is a members-only mailing list for sensitive matters. Only post to it if it's something that should be kept secret, in the spirit of transparency and because membership of the members list is mandatory. Most things go on Blabber.<br />
* Post to Blabber by sending a regular email to blabber@list.hackmanhattan.com.<br />
* If you ever want to resign your membership, the most important thing is to '''tell us'''. If you inform us, we will refund membership dues accidentally paid. Don't forget to return your keys and remove your things from the space. Don't just stop paying—we reserve the right to come after you for dues until you have informed us that you are leaving.<br />
<br />
== Safety ==<br />
<br />
* If you would like to use any of the power tools in the workshop, before you do so please print and sign the liability waiver ([[File:HM_Release.pdf]]) and give it to a Board member. <br />
* If you don't know how to use a tool, please ask a knowledgeable member first so that you can be trained to safely use it. Be safe when using equipment: eye, ear, hand protection, and tie back long hair.<br />
* Only one splitter or surge protector per outlet. Do not “daisy chain” them.<br />
* In general, if you have concerns about any kind of wrongdoing at Hack Manhattan, please contact the board (at board(at)hackmanhattan.com), or any individual board member, or discuss on the members list. If you are unsure and don't want to do those things, consult with another member. Use your judgment and proceed in the manner you feel comfortable. Call 911 if you're observing a crime in progress. But we do ask you to contact us first if something is not serious or not urgent. In any situation in which you would otherwise have called 311, for example, please contact us first.<br />
* Non-members are generally allowed to visit and use the space whenever a member is present and willing to host. You can open the street door by pressing one of the 'door' buttons on the intercom either near the right window or next to the coat rack. <br />
* If you feel uncomfortable with a visitor, or you are closing up or you don't want to be alone with them, or you simply don't want the trouble, you can always ask visitors to leave. If they refuse or you feel unsafe in any way, it's always okay to just get up and leave. Try to contact the board, or another member, but don't worry about anything in the space (and if it's that bad, don't worry about your own stuff either: just go!). Remember that there are often also others in the building who may be able to help.<br />
* You are a host, not a bouncer. Your personal safety and comfort comes first.<br />
<br />
== Practical things ==<br />
<br />
* You should receive 1 RFID key-fob or card, which opens both the street level door and the East (smaller) door to the main space. The space door needs to be pulled before the electric strike plate disengages enough to allow for pushing it into the space.<br />
* Lending out your RFID token to a non-member is not acceptable, and may put your own membership at risk. (Bringing guests is of course fine)<br />
* Please make sure all doors are locked behind you (make sure the twist lock on the space door-knob is locked) if you are the last person out of the space, close the windows and turn off the lights/AC/soldering irons/computers.<br />
* Make sure you know where the light switches are.<br />
* If there is an item that you think the space should have, or it is missing, ask on an appropriate channel on Slack.<br />
* Beverages are provided on the honor system; please contribute to the donations box above the fridge if you take one. Same goes for plastic filament (has its own box).<br />
* If you use the roof, be aware that it is a communal space with other tenants in the building. Please don't put undue pressure on the roof membrane, and ask a Board member if you have a project you'd like to do up there.<br />
* We do welcome donations of equipment, but there is now very limited space to store large pieces or boxes of stuff. Please check with other members or the Board if you are thinking of making a permanent donation.<br />
<br />
== Storage and member items ==<br />
<br />
* Members may store a limited amount of project material on the shelves underneath Brain Bats. Please take a clear plastic box for your storage, label it with your name (label makers are available on the center shelves) and avoid using cardboard boxes for storage. Items on the shelving units near the window are for communal use.<br />
* If you leave a project in the space, please label it with your name. If you do not do this, it may be either cleared away, hacked, thrown out or disassembled for parts!<br />
* We cannot be held responsible for any packages sent to the hackerspace. If someone does accept a package, you will usually find it somewhere near the central shelving area.<br />
<br />
== Garbage and cleanup ==<br />
<br />
* Leave the space cleaner than you found it, we have no cleaning staff. If you can spare some time to help with housekeeping chores, it would be appreciated. Brooms and cleaning supplies can be found in the restroom.<br />
* We try to keep the center tables clear for everyone to work at. Please clear your stuff off when you leave.<br />
* Recycling (metal/glass/plastic) is collected in clear plastic bags. Please flatten any empty cardboard boxes you have and stack with any other cardboard. <br />
* Regular trash cans (white bags) should be emptied when full and collected with other white bags in a black bag for disposal on the curb on Tuesday or Thursday after 6 p.m. If you are in the space at these times, please do put out any black or clear bags of waste, to prevent the space getting stinky / overrun with rodents.<br />
** Cardboard only on Tuesdays. Plastic recycling both days.<br />
<br />
=== Resources ===<br />
* Our wiki is a great source of information for the community, and we encourage you to contribute to it. Members should [[Special:RequestAccount|sign up for a wiki account]] if you didn't already do so as part of the payment procedure. (Note: When it asks for your name, that will be your username, so it may be easier to pick something you would normally use as a username, without spaces.)<br />
<br />
= Approved briefers =<br />
<br />
* Board members<br />
* JC aka <code>jackolantern</code> on Slack<br />
* [[User:citybadger|Stephen]]<br />
* Michael Semko<br />
<br />
= Other materials =<br />
<br />
* [[Membership agreement]] (draft)</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=7006Network Operations2019-05-02T12:46:06Z<p>Mz: /* Network Infrastructure */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists, on a traditional LAMP stack (Apache, MySQL/MariaDB, PHP); multiple websites on the same host are handled with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup, and <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan.com</tt> runs Postfix and Mailman for the mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead (so browsers get a hostname mismatch there). They're issued by Comodo. I would've thought we'd have wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
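Added example, not the wiki's or Comodo's code: the RFC 6125 name-matching a TLS client performs against the certificate's DNS subjectAltName entries, which is what fails when <tt>ratpark.nyc</tt> is handed <tt>hackmanhattan.com</tt>'s certificate. The SAN lists are constructed for illustration (the actual certificates were not inspected); the quick way to see what a vhost really presents is <tt>openssl s_client -servername ratpark.nyc -connect ratpark.nyc:443</tt>. It also shows the caveat that a wildcard alone does not cover the bare apex name.<br />
<br />
```python
"""RFC 6125-style hostname matching against DNS-ID subjectAltName entries
(added example; SAN lists below are constructed, not taken from real certs)."""
from typing import Iterable, Optional


def matching_san(hostname: str, dns_sans: Iterable[str]) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None.

    Rules applied: labels compare case-insensitively and a trailing dot is
    ignored; '*' must be the entire leftmost label and matches exactly one
    label, so '*.example.com' covers 'a.example.com' but neither 'example.com'
    nor 'a.b.example.com'; a wildcard needs at least two labels after it, so
    '*.nyc' is refused; partial wildcards like 'f*o.example.com' are ignored.
    Browsers no longer fall back to the subject CN, so only SANs are consulted.
    """
    hlabels = hostname.rstrip(".").lower().split(".")
    for san in dns_sans:
        nlabels = san.rstrip(".").lower().split(".")
        if len(nlabels) != len(hlabels) or nlabels[1:] != hlabels[1:]:
            continue
        first = nlabels[0]
        if first == "*":
            if len(nlabels) >= 3:
                return san
            continue
        if "*" not in first and first == hlabels[0]:
            return san
    return None


def hostname_matches(hostname: str, dns_sans: Iterable[str]) -> bool:
    return matching_san(hostname, dns_sans) is not None


def explain(hostname: str, presented_sans: Iterable[str]) -> str:
    """One-line verdict, the shape of a monitoring check for each vhost."""
    sans = list(presented_sans)
    san = matching_san(hostname, sans)
    if san is None:
        return f"{hostname}: NOT covered by presented SANs {sans}"
    return f"{hostname}: covered by SAN {san!r}"


# Constructed stand-ins for the situation on the page: the hackmanhattan.com
# certificate being served to a client that asked for ratpark.nyc.
HM_CERT_SANS = ["hackmanhattan.com", "www.hackmanhattan.com"]
WILDCARD_SANS = ["*.hackmanhattan.com"]
```
<br />
Note that <tt>*.ratpark.nyc</tt> on its own would still not cover <tt>ratpark.nyc</tt>; a wildcard certificate for the site needs the apex listed as a second SAN.<br />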
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-04-17) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.19 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| [https://git.bo.x0.rs/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://git.bo.x0.rs/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|-<br />
| voip-elevator || 192.168.42.31 || 00:0b:82:47:26:30 || Grandstream HT701 || [[User:Guan|Guan]] || || Elevator shaft shed on the roof<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂ || 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system with regards to how these IPs are assigned; it was basically whatever DHCP first gave these machines, made permanent through OpenWRT's LuCI. New devices ought to be assigned addresses below 192.168.42.150, where the dynamic pool starts.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| ap-elevator-shaft || 192.168.42.6 || 64:66:b3:c6:f1:d4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the rooftop || Inside the elevator maintenance shed <br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 64:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || || Hanging by the cubby power strip<br />
|}<br />
<br />
==== Not integrated in our normal network ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| || 192.168.88.1 || 64:d1:54:ad:12:04 || MikroTik SXTsq 5 ac || N/A (yet) || For potential LinkNYC uplink || Mounted on the satellite dish on the rooftop<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP so that clients send traffic for those subnets to bo.x0.rs directly (rather than via the main router's static routes) and the containers can identify which device is talking to them. This also means static routes are set on the router; the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client that receives the Classless Static Route option (121) must ignore the Router option (3), we include the default route (0.0.0.0/0 via the router) in the static routes we send out.<br />
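Added example, not the router's configuration or dnsmasq code: an encoder and decoder for the RFC 3442 wire format of option 121, applied to the routes this page describes, plus the string form that goes into LuCI's DHCP Options field. The /24 prefix lengths and the next hops (box0rs at 192.168.42.100, the router at 192.168.42.1) are assumptions; the page lists the 10.x subnets without masks.<br />
<br />
```python
"""RFC 3442 Classless Static Route option (DHCP option 121) encoder/decoder
(added example; /24 masks and next hops are assumptions)."""
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (destination CIDR, next-hop IPv4)

# Assumed: box0rs (192.168.42.100) is the next hop for its container subnets,
# and the default route points at the main router (192.168.42.1).
SPACE_ROUTES: List[Route] = [
    ("10.133.7.0/24", "192.168.42.100"),
    ("10.8.0.0/24", "192.168.42.100"),
    ("10.0.59.0/24", "192.168.42.100"),
    ("10.0.93.0/24", "192.168.42.100"),
    ("0.0.0.0/0", "192.168.42.1"),
]


def encode_classless_routes(routes: List[Route], require_default: bool = True) -> bytes:
    """Per route: 1 byte prefix length, ceil(len/8) significant destination
    octets, 4 bytes next hop. A client that sees option 121 ignores option 3
    (Router), so by default refuse to build a list with no 0.0.0.0/0 in it."""
    if require_default and not any(dest == "0.0.0.0/0" for dest, _ in routes):
        raise ValueError("no default route: clients would ignore option 3 and lose their gateway")
    out = bytearray()
    for dest, via in routes:
        net = ipaddress.IPv4Network(dest)  # strict: host bits must be zero
        nsig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(via).packed
    if len(out) > 255:
        raise ValueError("option exceeds 255 bytes; split it per RFC 3396")
    return bytes(out)


def decode_classless_routes(data: bytes) -> List[Route]:
    """Inverse of the encoder; rejects bad prefix lengths and truncation."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        nsig = (plen + 7) // 8
        dest = data[i:i + nsig]
        via = data[i + nsig:i + nsig + 4]
        if len(dest) != nsig or len(via) != 4:
            raise ValueError("truncated option")
        i += nsig + 4
        net = ipaddress.IPv4Network((dest + b"\x00" * (4 - nsig), plen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(via))))
    return routes


def dnsmasq_option_string(routes: List[Route]) -> str:
    """The form for LuCI's 'DHCP Options' field (dnsmasq dhcp-option syntax)."""
    return "121," + ",".join(f"{dest},{via}" for dest, via in routes)
```
<br />
The value from <tt>dnsmasq_option_string</tt> is what goes into the LuCI field (or a <tt>dhcp-option=121,...</tt> line in dnsmasq). Older Windows clients ask for the Microsoft variant, option 249, which carries the same encoding, so send both if such clients must reach the container subnets.<br />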
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-04-25) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. Non-permanent infrastructure and WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** box0rs<br />
** '''West Switch'''<br />
*** bricolage<br />
*** brother-printer<br />
*** octoprint-main<br />
*** ''Windows Tower'' (not a hostname)<br />
*** '''West Access Point'''<br />
**** '''foo''' (Experimental router to replace our current one)<br />
***** '''ap-foo'''<br />
** '''Network Cubby 24 Port Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** rfid-access-space<br />
*** voip-teletron8000<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
*** '''North Switch'''<br />
**** '''Basement''' (NAT, not our responsibility)<br />
*** '''Hallway Switch'''<br />
**** rfid-access-building<br />
**** '''137W14''' (NAT, not our responsibility)<br />
**** '''3rdfloor Access Point & Switch'''<br />
*** '''ap-elevator-shaft Access Point & Switch'''<br />
**** MikroTik SXTsq 5 ac (WAN port)<br />
**** voip-elevator<br />
***** ''Elevator line''<br />
***** ''Rooftop elevator shaft shed line''<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use <tt>192.168.42.0/23</tt> (two adjacent /24s, not a single class C). This gives us a theoretical maximum of <tt>510</tt> usable IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend on complicating our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests not to homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind: the UniFi Video series of cameras (UVC-Micro, UVC, UVC-Dome, and UVC-Pro). They provide the recorder software packages for free, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6990Network Operations2019-04-25T22:10:01Z<p>Mz: /* Approximate Network Hierarchy (as of 2018-03-21) */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists, on a traditional LAMP stack (Apache, MySQL/MariaDB, PHP); multiple websites on the same host are handled with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup, and <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan.com</tt> runs Postfix and Mailman for the mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead (so browsers get a hostname mismatch there). They're issued by Comodo. I would've thought we'd have wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-04-17) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.19 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| [https://git.bo.x0.rs/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://git.bo.x0.rs/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|-<br />
| voip-elevator || 192.168.42.31 || 00:0b:82:47:26:30 || Grandstream HT701 || [[User:Guan|Guan]] || || Elevator shaft shed on the roof<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂|| 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; it was basically just whatever address DHCP first gave each machine, made permanent through OpenWrt's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| ap-elevator-shaft || 192.168.42.6 || 64:66:b3:c6:f1:d4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the rooftop || Inside the elevator maintenance shed <br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 64:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || || Hanging by the cubby power strip<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP so that clients know to reach those subnets via bo.x0.rs and the containers can tell which device is talking to them. This also means static routes are set on the router, and the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says that a client which receives the classless static route option must ignore the Router option (and hence the default route it would otherwise get), we include the default route in the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-04-25) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. Non-permanent infrastructure and WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** box0rs<br />
** '''West Switch'''<br />
*** bricolage<br />
*** brother-printer<br />
*** octoprint-main<br />
*** ''Windows Tower'' (not a hostname)<br />
*** '''West Access Point'''<br />
**** '''foo''' (Experimental router to replace our current one)<br />
***** '''ap-foo'''<br />
** '''Network Cubby 24 Port Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** rfid-access-space<br />
*** voip-teletron8000<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
*** '''North Switch'''<br />
**** '''Basement''' (NAT, not our responsibility)<br />
*** '''Hallway Switch'''<br />
**** rfid-access-building<br />
**** '''137W14''' (NAT, not our responsibility)<br />
**** '''3rdfloor Access Point & Switch'''<br />
*** '''ap-elevator-shaft Access Point & Switch'''<br />
**** voip-elevator<br />
***** ''Elevator line''<br />
***** ''Rooftop elevator shaft shed line''<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their management appliance software, which they make available as free packages, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>
Mz
https://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6989 Network Operations 2019-04-25T19:51:13Z
<p>Mz: /* Assigned by DHCP */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains but apparently this is not the case (for <tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>).<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-04-17) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.19 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| [https://git.bo.x0.rs/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://git.bo.x0.rs/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|-<br />
| voip-elevator || 192.168.42.31 || 00:0b:82:47:26:30 || Grandstream HT701 || [[User:Guan|Guan]] || || Elevator shaft shed on the roof<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂|| 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; it was basically just whatever address DHCP first gave each machine, made permanent through OpenWrt's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| ap-elevator-shaft || 192.168.42.6 || 64:66:b3:c6:f1:d4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the rooftop || Inside the elevator maintenance shed <br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 64:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || || Hanging by the cubby power strip<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP so that clients know to reach those subnets via bo.x0.rs and the containers can tell which device is talking to them. This also means static routes are set on the router, and the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says that a client which receives the classless static route option must ignore the Router option (and hence the default route it would otherwise get), we include the default route in the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
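The classless static route option the notes above describe (RFC 3442, DHCP option 121), worked through in code. This is an added example, not part of the wiki: the four bo.x0.rs subnets are assumed to be /24s (the page gives no masks) with box0rs at 192.168.42.100 as their next hop, and the default route points at the router at 192.168.42.1. It also shows why the default route has to be inside option 121: a compliant client ignores the Router option whenever option 121 is present.

```python
"""RFC 3442 classless static routes (DHCP option 121) for the bo.x0.rs subnets.

Constructed example: masks are assumed to be /24 (the wiki lists no masks),
box0rs is assumed to be the next hop at 192.168.42.100, and the main router at
192.168.42.1 carries the default route.
"""
import math
from ipaddress import IPv4Address, IPv4Network

BOX0RS = "192.168.42.100"   # assumed next hop for the container subnets
ROUTER = "192.168.42.1"     # main router / DHCP server

ROUTES = [
    ("10.133.7.0/24", BOX0RS),
    ("10.8.0.0/24", BOX0RS),
    ("10.0.59.0/24", BOX0RS),
    ("10.0.93.0/24", BOX0RS),
    # RFC 3442 section 3: a client that receives option 121 MUST ignore the
    # Router option (3), so the default route has to ride inside 121 as well.
    ("0.0.0.0/0", ROUTER),
]


def encode_route(dest: str, router: str) -> bytes:
    """One route: <prefix length> <significant dest octets> <router, 4 octets>."""
    net = IPv4Network(dest)
    significant = math.ceil(net.prefixlen / 8)   # /24 -> 3 octets, /0 -> none
    return (bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + IPv4Address(router).packed)


def encode_option121(routes) -> bytes:
    """Full option: code 121, length byte, concatenated route entries."""
    payload = b"".join(encode_route(d, r) for d, r in routes)
    if len(payload) > 255:
        raise ValueError("option 121 payload exceeds one option's 255-byte limit")
    return bytes([121, len(payload)]) + payload


def decode_option121(option: bytes):
    """Parse an option 121 back into (destination, router) pairs, rejecting
    malformed input (bad code or length, prefix > 32, truncated route)."""
    if len(option) < 2 or option[0] != 121 or option[1] != len(option) - 2:
        raise ValueError("not a well-formed option 121")
    data, i, routes = option[2:], 0, []
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError(f"invalid prefix length {width}")
        significant = math.ceil(width / 8)
        dest = data[i:i + significant]
        router = data[i + significant:i + significant + 4]
        i += significant + 4
        if len(dest) != significant or len(router) != 4:
            raise ValueError("truncated route entry")
        # Pad the omitted host octets back with zeros before rebuilding the prefix.
        addr = IPv4Address(dest + b"\x00" * (4 - significant))
        net = IPv4Network(f"{addr}/{width}", strict=False)
        routes.append((str(net), str(IPv4Address(router))))
    return routes


def dnsmasq_option(routes) -> str:
    """The dnsmasq-style string that OpenWrt's LuCI 'DHCP Options' field takes
    (stored in uci as a dhcp_option list entry on the lan interface)."""
    return "121," + ",".join(f"{d},{r}" for d, r in routes)


def client_route_table(router_option, option121):
    """Routes an RFC 3442 compliant client installs: with option 121 present the
    Router option is ignored entirely, so a default route only survives if it
    was carried inside option 121."""
    if option121 is not None:
        return decode_option121(option121)
    return [("0.0.0.0/0", router_option)] if router_option else []


if __name__ == "__main__":
    opt = encode_option121(ROUTES)
    print(opt.hex(" "))
    print(dnsmasq_option(ROUTES))
    # Leaving the default route out of 121 strands the client without one:
    print(client_route_table(ROUTER, encode_option121(ROUTES[:4])))
```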
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''South Cisco Switch'''<br />
**** rfid-access-space<br />
**** voip-grandstream<br />
***** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
***** ''teletron8000 line 2'' (Desk - Get Human)<br />
** '''West Access Point & Switch'''<br />
*** '''West Green Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
**** brother-printer<br />
*** octoprint-main<br />
*** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their management appliance software, which they make available as free packages, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>
Mz
https://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6988 Network Operations 2019-04-25T19:26:31Z
<p>Mz: </p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains but apparently this is not the case (for <tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>).<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-04-17) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.19 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|-<br />
| voip-elevator || 192.168.42.31 || 00:0b:82:47:26:30 || Grandstream HT701 || [[User:Guan|Guan]] || || Elevator shaft shed on the roof<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂ || 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; it was basically whatever DHCP first gave these machines, made permanent as static leases through OpenWrt's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| ap-elevator-shaft || 192.168.42.6 || 64:66:b3:c6:f1:d4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the rooftop || Inside the elevator maintenance shed <br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 64:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || || Hanging by the cubby power strip<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP so that clients reach those subnets without running into routing problems and the containers can tell which device is talking to them. This also means static routes are set on the router, and the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (the default gateway) whenever the classless static route option is present, we include the default route itself in the static routes we send out.<br />
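The following is an added example, not part of the wiki page: it encodes and decodes the RFC 3442 option 121 payload for the routes above and models the client rule the note relies on, so you can see that a default route left only in the Router option is dropped. It assumes /24 masks for the bo.x0.rs subnets and box0rs at 192.168.42.100 as their next hop, neither of which the page states.<br />

```python
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, str]  # (destination CIDR, next-hop router)

# Constructed routes for the LAN described above. Assumed, not from the page:
# the bo.x0.rs subnets are /24s and are reached via box0rs (192.168.42.100).
# The default gateway 192.168.42.1 is the main router from the allocation table.
BOX0RS = "192.168.42.100"
ROUTER = "192.168.42.1"
ROUTES: List[Route] = [
    ("10.133.7.0/24", BOX0RS),
    ("10.8.0.0/24", BOX0RS),
    ("10.0.59.0/24", BOX0RS),
    ("10.0.93.0/24", BOX0RS),
    ("0.0.0.0/0", ROUTER),  # default route, carried inside option 121 on purpose
]


def encode_option_121(routes: List[Route]) -> bytes:
    """Pack routes as the DHCP option 121 payload (RFC 3442 section 3).

    Each route is: one byte of prefix length, then only the significant
    destination octets (ceil(prefix/8) of them), then the 4 router octets.
    A default route is prefix length 0 followed directly by the router.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)  # strict: host bits must be zero
        nsig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option_121(payload: bytes) -> List[Route]:
    """Unpack an option 121 payload; reject prefixes > 32 and truncated routes."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        nsig = (plen + 7) // 8
        if i + nsig + 4 > len(payload):
            raise ValueError("truncated route descriptor")
        # Octets beyond the significant ones are implicitly zero.
        dest = payload[i:i + nsig] + b"\x00" * (4 - nsig)
        i += nsig
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((str(net), str(router)))
    return routes


def effective_routes(options: Dict[int, bytes]) -> List[Route]:
    """Model the client rule in RFC 3442: when option 121 is present the
    Router option (3) MUST be ignored, so a default route only reaches the
    client if it is inside option 121 itself."""
    if 121 in options:
        return decode_option_121(options[121])
    if 3 in options:
        return [("0.0.0.0/0", str(ipaddress.IPv4Address(options[3][:4])))]
    return []


def has_default_route(routes: List[Route]) -> bool:
    return any(dest == "0.0.0.0/0" for dest, _ in routes)


def dnsmasq_option_value(routes: List[Route]) -> str:
    """Render the routes as the number,CIDR,router,... value that dnsmasq
    (which OpenWrt runs behind LuCI's DHCP Options field) accepts."""
    return "121," + ",".join(f"{dest},{router}" for dest, router in routes)


if __name__ == "__main__":
    router_opt = ipaddress.IPv4Address(ROUTER).packed
    # Wrong: default route only in option 3, so a conforming client ends up with none.
    bad = effective_routes({3: router_opt, 121: encode_option_121(ROUTES[:-1])})
    # Right: default route inside option 121, as the note above describes.
    good = effective_routes({3: router_opt, 121: encode_option_121(ROUTES)})
    print("default route when left out of 121:", has_default_route(bad))   # False
    print("default route when included in 121:", has_default_route(good))  # True
    print(dnsmasq_option_value(ROUTES))
```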
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''South Cisco Switch'''<br />
**** rfid-access-space<br />
**** voip-grandstream<br />
***** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
***** ''teletron8000 line 2'' (Desk - Get Human)<br />
** '''West Access Point & Switch'''<br />
*** '''West Green Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
**** brother-printer<br />
*** octoprint-main<br />
*** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Get one allocated. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Trendnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests not to homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and UVC-Pro. One would run their appliance software, which they make available as free packages, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run about $100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about $400, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone into the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6987Network Operations2019-04-25T19:26:10Z<p>Mz: /* Assigned by DHCP */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-04-17) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.19 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|-<br />
| voip-elevator || 192.168.42.31 || 00:0b:82:47:26:30 || Grandstream HT701 || [[User:Guan|Guan]] || || Elevator shaft shed on the roof<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂ || 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; it was basically whatever DHCP first gave these machines, made permanent as static leases through OpenWrt's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| ap-elevator-shaft || 192.168.42.6 || 64:66:b3:c6:f1:d4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the rooftop || Inside the elevator maintenance shed <br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 64:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || || Hanging by the cubby power strip<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP so that clients reach those subnets without running into routing problems and the containers can tell which device is talking to them. This also means static routes are set on the router, and the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (the default gateway) whenever the classless static route option is present, we include the default route itself in the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''South Cisco Switch'''<br />
**** rfid-access-space<br />
**** voip-grandstream<br />
***** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
***** ''teletron8000 line 2'' (Desk - Get Human)<br />
** '''West Access Point & Switch'''<br />
*** '''West Green Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
**** brother-printer<br />
*** octoprint-main<br />
*** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Get one allocated. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Trendnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests not to homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and UVC-Pro. One would run their appliance software, which they make available as free packages, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run about $100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about $400, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone into the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Meeting_2019-04-30&diff=6986Meeting 2019-04-302019-04-25T16:14:59Z<p>Mz: /* Sponsored Members Induction */</p>
<hr />
<div>==Consensus Agenda==<br />
<br />
== New Business ==<br />
<br />
=== Formerly on Consensus Agenda ===<br />
<br />
=== Sponsored Members Induction ===<br />
For each prospective member, please confirm no later than Thursday before the meeting:<br />
<br />
* Has the member visited 3 times at the regular Tuesday and Thursday open nights?<br />
* Has the member received the briefing? When, and who was the briefer?<br />
* Has the member's bio and photo been circulated on the members list? (not just blabber)<br />
<br />
Patrick, visited a lot but always outside of open nights due to prior engagements on both Tuesday and Thursday evening, briefed by mz on 2019-04-24, bio and photo circulated<br />
<br />
==Member Reports==<br />
=== Board Reports===<br />
====President's Report====<br />
<br />
<br />
====Treasurer's Report====<br />
<br />
====Secretary's Report====<br />
No report<br />
<br />
====Directors-at-Large's Report====<br />
<br />
===Member and Project Reports===<br />
<br />
<br />
<br />
=== Results ===<br />
<br />
==Meeting Meta==<br />
* Called to order at <br />
* The meeting was adjourned at <br />
* Minutes taken and submitted by <br />
<br />
[[Category:Meetings]]</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6967Network Operations2019-04-23T21:15:57Z<p>Mz: /* Static configurations */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains but apparently this is not the case (for <tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>). <br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-04-17) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.19 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂ || 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; they were basically whatever DHCP first gave these machines, made permanent through OpenWRT's LuCI. New devices ought to be assigned addresses up to 192.168.42.150<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| ap-elevator-shaft || 192.168.42.6 || 64:66:b3:c6:f1:d4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the rooftop || Inside the elevator maintenance shed <br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 64:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || || Hanging by the cubby power strip<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP so that clients reach those subnets without problems and the containers can identify which device is talking to them. This also means static routes are set on the router; the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router (default gateway) option whenever it receives the classless static route option, we include the default route in the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
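An added example (not the router's own configuration) of the option 121 encoding described above, with the default-route check the RFC makes necessary. It assumes /24 prefixes for the bo.x0.rs subnets, 192.168.42.100 (box0rs) as their next hop, and dnsmasq's comma-separated option syntax for the LuCI field.<br />

```python
"""RFC 3442 classless static route option (DHCP option 121) encoder/decoder.

Added example, not the router's actual configuration. Assumptions: the bo.x0.rs
subnets are /24 and reachable via the box0rs host 192.168.42.100, and the
default route points at the main router, 192.168.42.1.
"""
import ipaddress

BOX0RS_GW = "192.168.42.100"   # assumed next hop for the bo.x0.rs subnets
ROUTER_GW = "192.168.42.1"     # the main router (default gateway)

# Constructed route list matching the page: bo.x0.rs subnets via box0rs, plus
# the default route, which a client would otherwise lose (it must ignore the
# Router option once it sees option 121).
ROUTES = [
    ("10.133.7.0/24", BOX0RS_GW),
    ("10.8.0.0/24", BOX0RS_GW),
    ("10.0.59.0/24", BOX0RS_GW),
    ("10.0.93.0/24", BOX0RS_GW),
    ("0.0.0.0/0", ROUTER_GW),
]


def encode_option_121(routes):
    """Return the option-121 payload: per route, 1 octet prefix length,
    ceil(prefixlen/8) significant destination octets, then the 4-octet router."""
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest)            # strict: host bits must be zero
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_option_121(payload):
    """Parse a payload back into [(destination_cidr, gateway)], rejecting
    truncated or malformed data instead of silently installing partial routes."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"bad prefix length {width} at offset {i}")
        significant = (width + 7) // 8
        i += 1
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route descriptor")
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        gateway = payload[i + significant:i + significant + 4]
        i += significant + 4
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest)}/{width}")
        routes.append((str(net), str(ipaddress.IPv4Address(gateway))))
    return routes


def has_default_route(routes):
    """The check the page's caveat calls for: once option 121 is sent, the
    default route must be inside it or clients end up without one."""
    return any(ipaddress.IPv4Network(d).prefixlen == 0 for d, _ in routes)


def dhcp_option_value(routes):
    """Comma-separated form (option code first) for the dnsmasq-backed DHCP
    Options field in LuCI; assumed syntax, verify against your dnsmasq man page."""
    return "121," + ",".join(f"{d},{g}" for d, g in routes)


def build_option(routes):
    """Full option: code 121, length octet, payload. One option instance holds
    at most 255 payload octets; longer route lists must be split across instances."""
    payload = encode_option_121(routes)
    if len(payload) > 255:
        raise ValueError("route list exceeds one option instance; split it")
    return bytes([121, len(payload)]) + payload


if __name__ == "__main__":
    wire = build_option(ROUTES)
    print(wire.hex())
    print(decode_option_121(wire[2:]))
    print("default route present:", has_default_route(ROUTES))
    print(dhcp_option_value(ROUTES))
```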
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''South Cisco Switch'''<br />
**** rfid-access-space<br />
**** voip-grandstream<br />
***** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
***** ''teletron8000 line 2'' (Desk - Get Human)<br />
** '''West Access Point & Switch'''<br />
*** '''West Green Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
**** brother-printer<br />
*** octoprint-main<br />
*** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Have one allocated. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests not to homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their controller appliance; they provide the software packages for free, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~$100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone into the wrong ports, it will not work. RESOLVED.<br />
* 2016-05-23: Since the WRTnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door one still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6946Network Operations2019-04-17T12:40:03Z<p>Mz: Accidentally swapped IPs</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). Multiple websites on the same host are handled with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains but apparently this is not the case (for <tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>). <br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-04-17) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.19 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂ || 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; they were basically whatever DHCP first gave these machines, made permanent through OpenWRT's LuCI. New devices ought to be assigned addresses up to 192.168.42.150<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 64:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || || Hanging by the cubby power strip<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP so that clients reach those subnets without problems and the containers can identify which device is talking to them. This also means static routes are set on the router; the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router (default gateway) option whenever it receives the classless static route option, we include the default route in the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''South Cisco Switch'''<br />
**** rfid-access-space<br />
**** voip-grandstream<br />
***** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
***** ''teletron8000 line 2'' (Desk - Get Human)<br />
** '''West Access Point & Switch'''<br />
*** '''West Green Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
**** brother-printer<br />
*** octoprint-main<br />
*** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Have one allocated. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests not to homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their controller appliance; they provide the software packages for free, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~$100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone into the wrong ports, it will not work. RESOLVED.<br />
* 2016-05-23: Since the WRTnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door one still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Bricodash/Extra:Calendar&diff=6913Bricodash/Extra:Calendar2019-04-08T20:50:54Z<p>Mz: </p>
<hr />
<div>''See also:'' [[Bricodash/Extra:Repos]]<br />
<br />
= What is This? =<br />
<br />
Items entered below will be parsed for inclusion in the [[Bricodash#Community_Calendar|Bricodash Community Calendar]].<br />
<br />
Event listings use the following syntax: <code>* &lt;Human-Readable Date/Time&gt; :: &lt;Event Title&gt; :: &lt;Emoji&gt;</code><br />
<br />
The final field is optional, and may either be a small number of emoji to appear at the end of the event listing, or else the relative path to an image already pre-loaded on the Bricodash server.<br />
<br />
Optionally, the first field may begin with a "#", in which case the entire event line is treated as a comment&mdash;and thus ignored. This can be used to leave reminders for recurring events that have a different date each year, such as annual conventions where dates are only announced in the lead-up to the event.<br />
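An added example parser for the line syntax described above (not the Bricodash project's own code). It assumes a third field ending in an image extension is a server-side image path that must stay under an <code>img/</code> directory, treats anything else as emoji, and drops <code>#</code>-commented lines; the sample lines are constructed.<br />

```python
"""Parser for the Bricodash extra-calendar line syntax.

Added example, not the Bricodash project's own parser. Assumptions: a third
field ending in an image extension is a server-side image path (which must
stay under img/); anything else is treated as emoji.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Optional

IMAGE_ROOT = "img"  # assumed directory of pre-loaded images on the Bricodash server
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".svg")
MONTHS = {name: n for n, name in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), start=1)}
# Matches "Apr 10 at 6:30 pm", "Mar 23 at 2 pm" or a bare "Oct 7".
DATE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2})"
    r"(?: at (?P<hour>\d{1,2})(?::(?P<minute>\d{2}))? (?P<ampm>[ap]m))?$")

# Constructed sample lines in the "* <date> :: <title> :: <emoji|path>" syntax.
SAMPLE_LINES = [
    "* Apr 10 at 6:30 pm :: Tuning in: Inclusivity in (digital) Media (NY Times)",
    "* Mar 23 at 2 pm :: Ghost in the Shell (Museum of Arts & Design) :: 📽️",
    "* #Oct 7 :: Doctor Who Series 11 Premier :: img/tardis.png",
    "* Apr 1 at 9 am :: Constructed bad entry :: img/../not-allowed.png",
]


@dataclass
class CalendarEvent:
    month: int
    day: int
    hour: Optional[int]     # 24-hour clock; None when only a date was given
    minute: Optional[int]
    title: str
    emoji: str = ""
    image: str = ""


def parse_when(text):
    """Turn the human-readable first field into (month, day, hour, minute)."""
    m = DATE_RE.match(text.strip())
    if not m or m["mon"] not in MONTHS:
        raise ValueError(f"unparseable date/time: {text!r}")
    hour = minute = None
    if m["hour"] is not None:
        hour = int(m["hour"]) % 12 + (12 if m["ampm"] == "pm" else 0)
        minute = int(m["minute"] or 0)
    return MONTHS[m["mon"]], int(m["day"]), hour, minute


def safe_image_path(path):
    """Accept only a relative path that still lies under img/ after normalisation."""
    if path.startswith("/") or "\\" in path:
        return None
    norm = posixpath.normpath(path)
    if not norm.startswith(IMAGE_ROOT + "/"):
        return None
    return norm


def parse_line(line):
    """Return a CalendarEvent, or None for non-items and '#' comment lines."""
    line = line.strip()
    if not line.startswith("* "):
        return None
    body = line[2:].lstrip()
    if body.startswith("#"):
        return None                    # commented-out reminder, ignored
    fields = [f.strip() for f in body.split(" :: ")]
    if len(fields) not in (2, 3):
        raise ValueError(f"expected 2 or 3 '::' fields: {line!r}")
    month, day, hour, minute = parse_when(fields[0])
    event = CalendarEvent(month, day, hour, minute, fields[1])
    if len(fields) == 3:
        extra = fields[2]
        if extra.lower().endswith(IMAGE_EXTS):
            image = safe_image_path(extra)
            if image is None:
                raise ValueError(f"image path escapes {IMAGE_ROOT}/: {extra!r}")
            event.image = image
        else:
            event.emoji = extra
    return event


def parse_calendar(text):
    """Parse a whole page; bad lines are reported, not allowed to break the board."""
    events, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        try:
            event = parse_line(raw)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if event is not None:
            events.append(event)
    return events, errors
```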
<br />
=Extra Community Calendar Items=<br />
<br />
* Apr 10 at 6:30 pm :: Tuning in: Inclusivity in (digital) Media (NY Times)<br />
<br />
* Mar 23 at 2 pm :: Ghost in the Shell (Museum of Arts & Design) :: 📽️<br />
* Mar 28 at 6:30 pm :: Hackers (Museum of Arts & Design) :: 📽️<br />
* Mar 30 at 2 pm :: Tetsuo II: Body Hammer (Museum of Arts & Design) :: 📽️<br />
* Apr 6 at 2 pm :: The Fifth Element (Museum of Arts & Design) :: 📽️<br />
* Apr 13 at 2 pm :: The Mind's Eye and Beyond the Mind's Eye (Museum of Arts & Design) :: 📽️<br />
* Apr 18 at 6:30 pm :: Strange Days (Museum of Arts & Design) :: 📽️<br />
* Apr 9 at 6:36 pm :: SpaceX Falcon Heavy launch (rescheduled) :: 🚀<br />
* Apr 7 at 1 pm :: Just for Fun / April Crafts Day (Penn South) :: 🎨<br />
* Apr 19 at 8 pm :: NYCResistor Interactive Show (87 Third Ave, Brooklyn) :: 🌞<br />
* Apr 12 at 12 pm :: Theorizing the Web (Museum of the Moving Image, Queens) :: 👩🏫<br />
* Apr 13 at 2 pm :: Theorizing the Web (Museum of the Moving Image, Queens) :: 👩🏫<br />
<br />
* #Oct 4 :: First Day of NY Comic Con <img class="logo" src="img/flickr_nalends_super_pop.png"> / Anime Expo (Javits Center)<br />
* #Oct 7 :: Last Day of NY Comic Con <img class="logo" src="img/flickr_nalends_super_pop.png"> / Anime Expo (Javits Center)<br />
<br />
* #Oct 7 :: Doctor Who Series 11 Premiere :: img/tardis.png<br />
<br />
* #Oct 5 at 8 am :: PyGotham (Pennsylvania Hotel)</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Bo.x0.rs&diff=6879Bo.x0.rs2019-04-04T02:14:38Z<p>Mz: /* Current containers */</p>
<hr />
<div>[[File:Box0rs-logo.svg|right|300px]] bo.x0.rs is Hack Manhattan's in-house minimalist '''hackerspace-tinker-tolerant bullshit cloud''' running on a kindly donated ThinkPad T410, so far without backups.<br />
<br />
Why: ease communal development of space projects (ex: hmbot dev deployment), trying out Linux software, run space related services like VPN, [[Camera|space webcam]] proxied (for security and logs), dropboxes for members (nextCloud?), etc. Some of the architecture decisions are inspired by [https://www.qubes-os.org/ Qubes OS].<br />
<br />
For work in progress, see the [https://ghom.niij.org/eaon/bo.x0.rs git repository].<br />
<br />
== Implementation ==<br />
<br />
Status: the management container does not exist yet, functionally speaking. Unprivileged containers and some of the planned services are operational though - kindly assembled by manual labour. No IPv6 setup yet.<br />
<br />
=== Host ===<br />
<br />
<pre>Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz<br />
MemTotal: 8028864 kB <br />
/dev/sda: 111.8 GiB (SSD)<br />
/dev/sdb: 931.5 GiB (USB HDD)<br />
Ethernet: f0:de:f1:03:00:0f (Wake-on-LAN not functional due to BIOS bug)</pre><br />
<br />
=== Host Network ===<br />
<br />
There is a bridge set up that lets guest containers get DHCP addresses (IPv4 & IPv6). Additionally there are:<br />
<br />
* <code>10.8.0.0/24</code> - OpenVPN addresses, bridged and routed via <code>192.168.42.103</code>. Can reach everything in the space and vice versa.<br />
* <code>10.133.7.0/24</code> - isolated. Can be reached, but can't reach anything on the HM network itself. Exception: may use Tor via SOCKS on <code>10.133.7.1:9050</code> for system updates. For very elite projects.<br />
* <code>10.0.59.1/24</code> - torified. Transparent proxying via Tor. Can be reached, but will route all traffic via Tor. For paranoid projects that need internet.<br />
* <code>10.0.93.0/24</code> - virtual network routed via <code>192.168.42.100</code>. Deprecated.<br />
<br />
=== Current containers ===<br />
<br />
* '''web''' <code>192.168.42.104</code><br />
** Hosts [https://space.bo.x0.rs/sousveillance/ Sousveillance]<br />
** Proxies the [[Camera|camera]]<br />
** Proxies '''clickycloud''' for use from outside the space<br />
* '''vpn''' <code>192.168.42.103</code> & <code>10.8.0.1</code><br />
** OpenVPN for access to the space network (and its regular internet connection) from afar.<br />
*** Currently no automatic user-creation process. Bug [[User:mz|mz]] for an account.<br />
* '''management''' <code>192.168.42.101</code><br />
** Still in development<br />
* '''hmbot''' <code>10.0.93.5</code><br />
** Defunct<br />
* '''clickycloud''' <code>192.168.42.105</code><br />
** Hosts https://cloud.bo.x0.rs/, [https://nextcloud.com/ Nextcloud] based digital storage for HM members/bo.x0.rs users.<br />
*** Meant for: personal digital storage, shared group folders (for projects, photos etc.)<br />
*** Soon: User accounts (and their passwords) are shared with the '''management''' container<br />
*** Current: if you want access, send your desired username to [[User:mz|mz]] (Slack, E-Mail, whatever you prefer)<br />
* '''minio''' <code>192.168.42.107</code><br />
** Hosts https://minio.bo.x0.rs/ a [https://github.com/minio/minio minio instance] accessible from the rest of the Internet.<br />
** Mainly used for Octoprint webcam shots that are shown on <code>#3dprint-status</code> on Slack<br />
* '''dns''' <code>192.168.42.106</code><br />
** A Bind9 host that provides internal name records for '''*.bo.x0.rs'''.<br />
** Hosts [https://en.wikipedia.org/wiki/Hesiod_(name_service) Hesiod] style records for convenient access to communal networked infrastructure (logging in with your own usernames and keys rather than sharing a password)<br />
* '''git''' <code>10.0.93.9</code><br />
** Not set up yet, but intended to host a [https://gitea.io/ Gitea] instance<br />
* '''teletron8000''' <code>192.168.42.108</code><br />
** Hosts Figment/Maker Faire Phone games locally!<br />
<br />
== "Specification" ==<br />
<br />
=== Management Container ===<br />
<br />
* Pull SSH keys and username from https://wiki.hackmanhattan.com/index.php?title=User:$username/ssh&action=raw pages on the wiki, where <code>$username</code> is filtered by a whitelist only editable on the host (kind of inspired by [https://www.noisebridge.net/wiki/Resources/Pony Noisebridge's pony] (RIP) but less permissive)<br />
** Probably TOFU, manually approve changes pulled from the wiki? In case the Wiki gets compromised<br />
* User passwords are expired on account creation so that on first login via SSH key users are forced to set their own password<br />
* Users are allowed to create new minimal Debian stretch containers and can choose from different network setups (default: IPv6 on)<br />
** Static IPv4 allocation<br />
** NAT<br />
** Static IPv4 allocation + Tor (IPv6 outgoing off)<br />
** Tor (IPv6 outgoing off)<br />
** Isolated (incoming IPv6 on, outgoing off)<br />
* Users can remove or expire containers they put in place<br />
* The management container can reach every container on the network but does not see them in the file system, mainly to enable users to bounce into isolated containers via ssh (see ProxyCommand)<br />
* <code>$HOME</code> on management container could be a tmpfs with exceptions (<code>~/.ssh/</code> and <code>~/$(who).ovpn</code> come to mind)<br />
* Users can't give new mknod privileges to containers, host admins must intervene<br />
* Provide simple how-to via motd<br />
* When creating a new user container, tool waits for configuration dump by the host and displays access information<br />
<br />
==== Maybe ====<br />
<br />
* Container types other than Debian stable (for example OpenWRT or any VNC enabled $distro) may be provided if someone puts in the respective work<br />
* Automatically mount broken container rootfs into user <code>$HOME</code>: go fix (it) yourself - the exception to the rule of management container not seeing user files? (Problem with that though: file permissions)<br />
<br />
=== User container ===<br />
<br />
* User created containers are automatically started at boot. If a container fails to boot a certain number of times, the autostart flag is removed and access ceases until host admins intervene.<br />
* All users with root access can expire containers, getting them automatically discarded. <code>$ date -d "next Monday" +%s > ~root/discard</code><br />
* User containers are allowed to nest containers (making it possible for people to use Docker if they really want to)<br />
<br />
==== Maybe ====<br />
<br />
* Make all containers reachable via name.bo.x0.rs?<br />
<br />
=== Host ===<br />
<br />
* Runs Debian stretch with the latest backports kernel, backports LXC and LXCFS and systemd (to make systemd based unprivileged containers work - no real root for you).<br />
* Is full disk encrypted, password is shared with the HM board<br />
* Containers are located on a zfs mount. Minimise hard disk space waste etc.<br />
* The host has an inotifywait process that checks for new configuration arrivals and puts the new unprivileged containers in place, generates new SSH host keys, adds the users' SSH keys to root@, creates a summary file in the user's home on the management container<br />
* Runs a daily systemd-timer at 4am to check for expiration of containers<br />
<br />
==== Maybe ====<br />
<br />
* Have a container that acts as provider for network booting (for public terminals, raspberry pi etc.)<br />
<br />
{{DISPLAYTITLE:bo.x0.rs}}</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Bo.x0.rs&diff=6878Bo.x0.rs2019-04-04T02:07:00Z<p>Mz: /* Host Network */</p>
<hr />
<div>[[File:Box0rs-logo.svg|right|300px]] bo.x0.rs is Hack Manhattan's in-house minimalist '''hackerspace-tinker-tolerant bullshit cloud''' running on a kindly donated ThinkPad T410, so far without backups.<br />
<br />
Why: ease communal development of space projects (ex: hmbot dev deployment), trying out Linux software, run space related services like VPN, [[Camera|space webcam]] proxied (for security and logs), dropboxes for members (nextCloud?), etc. Some of the architecture decisions are inspired by [https://www.qubes-os.org/ Qubes OS].<br />
<br />
For work in progress, see the [https://ghom.niij.org/eaon/bo.x0.rs git repository].<br />
<br />
== Implementation ==<br />
<br />
Status: the management container does not exist yet, functionally speaking. Unprivileged containers and some of the planned services are operational though - kindly assembled by manual labour. No IPv6 setup yet.<br />
<br />
=== Host ===<br />
<br />
<pre>Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz<br />
MemTotal: 8028864 kB <br />
/dev/sda: 111.8 GiB (SSD)<br />
/dev/sdb: 931.5 GiB (USB HDD)<br />
Ethernet: f0:de:f1:03:00:0f (Wake-on-LAN not functional due to BIOS bug)</pre><br />
<br />
=== Host Network ===<br />
<br />
There is a bridge set up that lets guest containers get DHCP addresses (IPv4 & IPv6). Additionally there are:<br />
<br />
* <code>10.8.0.0/24</code> - OpenVPN addresses, bridged and routed via <code>192.168.42.103</code>. Can reach everything in the space and vice versa.<br />
* <code>10.133.7.0/24</code> - isolated. Can be reached, but can't reach anything on the HM network itself. Exception: may use Tor via SOCKS on <code>10.133.7.1:9050</code> for system updates. For very elite projects.<br />
* <code>10.0.59.1/24</code> - torified. Transparent proxying via Tor. Can be reached, but will route all traffic via Tor. For paranoid projects that need internet.<br />
* <code>10.0.93.0/24</code> - virtual network routed via <code>192.168.42.100</code>. Deprecated.<br />
<br />
=== Current containers ===<br />
<br />
* '''web''' <code>10.0.93.4</code><br />
** Hosts [https://space.bo.x0.rs/sousveillance/ Sousveillance]<br />
** Proxies the [[Camera|camera]]<br />
** Proxies '''clickycloud''' for use from outside the space<br />
* '''vpn''' <code>10.0.93.3</code> & <code>10.8.0.1</code><br />
** OpenVPN for access to the space network (and its regular internet connection) from afar.<br />
*** Currently no automatic user-creation process. Bug [[User:mz|mz]] for an account.<br />
* '''management''' <code>10.0.93.2</code><br />
** Doesn't do anything yet<br />
* '''hmbot''' <code>10.0.93.5</code><br />
** Doesn't do anything yet<br />
* '''clickycloud''' <code>10.0.93.6</code><br />
** Hosts https://cloud.bo.x0.rs/, [https://nextcloud.com/ Nextcloud] based digital storage for HM members/bo.x0.rs users.<br />
*** Meant for: personal digital storage, shared group folders (for projects, photos etc.)<br />
*** Soon: User accounts (and their passwords) are shared with the '''management''' container<br />
*** Current: if you want access, send your desired username to [[User:mz|mz]] (Slack, E-Mail, whatever you prefer)<br />
* '''minio'''<br />
** Hosts https://minio.bo.x0.rs/ a [https://github.com/minio/minio minio instance] accessible from the rest of the Internet.<br />
** Mainly used for Octoprint webcam shots that are shown on <code>#3dprint-status</code> on Slack<br />
* '''dns''' <code>10.0.93.8</code><br />
** A Bind9 host that provides internal name records for '''*.bo.x0.rs'''.<br />
** Hosts [https://en.wikipedia.org/wiki/Hesiod_(name_service) Hesiod] style records for convenient access to communal networked infrastructure (logging in with your own usernames and keys rather than sharing a password)<br />
* '''git''' <code>10.0.93.9</code><br />
** Not set up yet, but intended to host a [https://gogs.io/ Gogs] instance<br />
<br />
<br />
== "Specification" ==<br />
<br />
=== Management Container ===<br />
<br />
* Pull SSH keys and username from https://wiki.hackmanhattan.com/index.php?title=User:$username/ssh&action=raw pages on the wiki, where <code>$username</code> is filtered by a whitelist only editable on the host (kind of inspired by [https://www.noisebridge.net/wiki/Resources/Pony Noisebridge's pony] (RIP) but less permissive)<br />
** Probably TOFU, manually approve changes pulled from the wiki? In case the Wiki gets compromised<br />
* User passwords are expired on account creation so that on first login via SSH key users are forced to set their own password<br />
* Users are allowed to create new minimal Debian stretch containers and can choose from different network setups (default: IPv6 on)<br />
** Static IPv4 allocation<br />
** NAT<br />
** Static IPv4 allocation + Tor (IPv6 outgoing off)<br />
** Tor (IPv6 outgoing off)<br />
** Isolated (incoming IPv6 on, outgoing off)<br />
* Users can remove or expire containers they put in place<br />
* The management container can reach every container on the network but does not see them in the file system, mainly to enable users to bounce into isolated containers via ssh (see ProxyCommand)<br />
* <code>$HOME</code> on management container could be a tmpfs with exceptions (<code>~/.ssh/</code> and <code>~/$(who).ovpn</code> come to mind)<br />
* Users can't give new mknod privileges to containers, host admins must intervene<br />
* Provide simple how-to via motd<br />
* When creating a new user container, tool waits for configuration dump by the host and displays access information<br />
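The key-pull step of the management-container spec (listed in both revisions of this page) as an added example, not bo.x0.rs code: a whitelist-gated sync that pins each user's wiki page on first use and holds any later change for manual approval, which is the "TOFU" point the spec raises against a compromised wiki. The URL pattern is the one the spec names; the fetcher, the pin store and the approval callback are assumptions so the code runs offline.

```python
import base64
import hashlib
from typing import Callable, Dict, List

# URL pattern from the spec above; {user} comes only from the host-side whitelist.
WIKI_RAW_URL = "https://wiki.hackmanhattan.com/index.php?title=User:{user}/ssh&action=raw"
KEY_TYPES = ("ssh-ed25519", "ssh-rsa",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_ssh_keys(raw: str) -> List[str]:
    """Accept only bare '<type> <base64> [comment]' lines from the wiki page."""
    keys = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            # authorized_keys options such as command= must not be settable from the wiki
            raise ValueError(f"not a bare OpenSSH public key line: {line[:40]!r}")
        blob = base64.b64decode(parts[1], validate=True)
        tlen = int.from_bytes(blob[:4], "big")
        if blob[4:4 + tlen] != parts[0].encode():      # wire-format type must match label
            raise ValueError("key blob type does not match its label")
        keys.append(f"{parts[0]} {parts[1]}")          # free-form comment dropped
    return keys


def sync_user_keys(whitelist: List[str], fetch_raw: Callable[[str], str],
                   pins: Dict[str, dict],
                   approve: Callable[[str, List[str], List[str]], bool]) -> Dict[str, List[str]]:
    """TOFU sync: a user's first page is pinned; a changed page waits for an admin's approval.

    A malformed page never removes an existing user's keys and never aborts the other users.
    """
    result: Dict[str, List[str]] = {}
    for user in whitelist:
        raw = fetch_raw(WIKI_RAW_URL.format(user=user))
        digest = hashlib.sha256(raw.encode()).hexdigest()
        pinned = pins.get(user)
        try:
            keys = parse_ssh_keys(raw)
        except ValueError:
            if pinned is not None:
                result[user] = pinned["keys"]
            continue
        if pinned is None:
            pins[user] = {"digest": digest, "keys": keys}         # trust on first use
        elif pinned["digest"] != digest:
            if not approve(user, pinned["keys"], keys):
                result[user] = pinned["keys"]                      # keep old keys until approved
                continue
            pins[user] = {"digest": digest, "keys": keys}
        result[user] = pins[user]["keys"]
    return result


def constructed_key_line(key_type: str, key_bytes: bytes, comment: str) -> str:
    """Constructed test key: valid OpenSSH wire framing around made-up key bytes."""
    blob = (len(key_type).to_bytes(4, "big") + key_type.encode()
            + len(key_bytes).to_bytes(4, "big") + key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_PAGES = {   # constructed wiki page contents, keyed by username
    "mz": constructed_key_line("ssh-ed25519", bytes(range(32)), "mz@laptop") + "\n",
    "guan": constructed_key_line("ssh-ed25519", bytes(range(32, 64)), "guan@desk") + "\n",
}


def fake_fetch(url: str) -> str:
    """Offline stand-in for an HTTP GET of the raw wiki page (constructed)."""
    user = url.split("User:", 1)[1].split("/ssh", 1)[0]
    return SAMPLE_PAGES[user]


if __name__ == "__main__":
    pins: Dict[str, dict] = {}
    print(sync_user_keys(["mz", "guan"], fake_fetch, pins, lambda u, old, new: False))
```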
<br />
==== Maybe ====<br />
<br />
* Container types other than Debian stable (for example OpenWRT or any VNC enabled $distro) may be provided if someone puts in the respective work<br />
* Automatically mount broken container rootfs into user <code>$HOME</code>: go fix (it) yourself - the exception to the rule of management container not seeing user files? (Problem with that though: file permissions)<br />
<br />
=== User container ===<br />
<br />
* User created containers are automatically started at boot. If a container fails to boot a certain number of times, the autostart flag is removed and access ceases until host admins intervene.<br />
* All users with root access can expire containers, getting them automatically discarded. <code>$ date -d "next Monday" +%s > ~root/discard</code><br />
* User containers are allowed to nest containers (making it possible for people to use Docker if they really want to)<br />
<br />
==== Maybe ====<br />
<br />
* Make all containers reachable via name.bo.x0.rs?<br />
<br />
=== Host ===<br />
<br />
* Runs Debian stretch with the latest backports kernel, backports LXC and LXCFS and systemd (to make systemd based unprivileged containers work - no real root for you).<br />
* Is full disk encrypted, password is shared with the HM board<br />
* Containers are located on a zfs mount. Minimise hard disk space waste etc.<br />
* The host has an inotifywait process that checks for new configuration arrivals and puts the new unprivileged containers in place, generates new SSH host keys, adds the users' SSH keys to root@, creates a summary file in the user's home on the management container<br />
* Runs a daily systemd-timer at 4am to check for expiration of containers<br />
<br />
==== Maybe ====<br />
<br />
* Have a container that acts as provider for network booting (for public terminals, raspberry pi etc.)<br />
<br />
{{DISPLAYTITLE:bo.x0.rs}}</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6873Network Operations2019-04-03T11:14:45Z<p>Mz: /* Static configurations */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard card certs for both major domains but apparently this is not the case (for <tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>). <br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all of these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.17 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.19 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂|| 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; they were basically whatever DHCP first gave these machines, made permanent through OpenWRT's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 64:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || || Hanging by the cubby power strip<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can identify which device is talking to them. This also means static routes are set on the router, plus the necessary DHCP-options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says to ignore the default route packet if classless static route options are seen, we include the default route in the static routes we send out.<br />
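An encoder and decoder for the RFC 3442 classless static route option (DHCP option 121) described above, added here as an example and not taken from the router's configuration. The route list is constructed from the subnets named on this page; the next hops for the isolated and torified subnets are an assumption (box0rs itself), and the check in <code>encode_option</code> enforces the default-route rule the paragraph explains.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]   # (destination CIDR, next hop)

# Constructed route list modelled on this page. The default route goes via the main router;
# the 10.133.7.0/24 and 10.0.59.0/24 next hops are assumed (the page does not state them).
SPACE_ROUTES: List[Route] = [
    ("0.0.0.0/0", "192.168.42.1"),        # default route, must be present (RFC 3442 sec. 3)
    ("10.8.0.0/24", "192.168.42.103"),    # OpenVPN clients, via the vpn container
    ("10.0.93.0/24", "192.168.42.100"),   # deprecated virtual network, via box0rs
    ("10.133.7.0/24", "192.168.42.100"),  # isolated containers (next hop assumed)
    ("10.0.59.0/24", "192.168.42.100"),   # torified containers (next hop assumed)
]

OPTION_CLASSLESS_STATIC_ROUTE = 121


def encode_classless_routes(routes: List[Route]) -> bytes:
    """Option 121 payload: per route, prefix length, significant destination octets, router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set in the prefix
        nsig = (net.prefixlen + 7) // 8                  # 0 octets for /0, 3 octets for /24
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def encode_option(routes: List[Route]) -> bytes:
    """Full TLV as it appears in the DHCP options field: code, length, payload."""
    if not any(ipaddress.IPv4Network(d).prefixlen == 0 for d, _ in routes):
        # Clients ignore option 3 once option 121 is present, so leaving the default
        # route out of option 121 would leave every client without a gateway.
        raise ValueError("classless static routes must include the default route")
    payload = encode_classless_routes(routes)
    if len(payload) > 255:
        raise ValueError("option 121 payload exceeds one option length byte")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(payload)]) + payload


def decode_classless_routes(payload: bytes) -> List[Route]:
    """Inverse of encode_classless_routes; rejects truncated or malformed entries."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        width = payload[i]
        i += 1
        if width > 32:
            raise ValueError(f"prefix length {width} out of range")
        nsig = (width + 7) // 8
        if i + nsig + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = ipaddress.IPv4Address(payload[i:i + nsig] + bytes(4 - nsig))
        i += nsig
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        net = ipaddress.IPv4Network((dest, width), strict=True)
        routes.append((str(net), str(router)))
    return routes


if __name__ == "__main__":
    option = encode_option(SPACE_ROUTES)
    print(option.hex())
    for dest, router in decode_classless_routes(option[2:]):
        print(f"{dest:>16} via {router}")
```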
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''South Cisco Switch'''<br />
**** rfid-access-space<br />
**** voip-grandstream<br />
***** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
***** ''teletron8000 line 2'' (Desk - Get Human)<br />
** '''West Access Point & Switch'''<br />
*** '''West Green Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
**** brother-printer<br />
*** octoprint-main<br />
*** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend on complicating our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the Unifi series of cameras, the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their controller appliance; they provide its software packages free of charge, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>
Mz
https://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6872 Network Operations 2019-04-03T02:52:00Z
<p>Mz: /* Assigned by DHCP */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). Multiple websites are served from the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt>, apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all of these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.17 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.19 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂|| 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs are assigned; it was basically just whatever DHCP first gave these machines, made permanent through OpenWRT's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can identify which device is talking to them. This also means static routes are set on the router; the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (the default route) when the classless static route option is present, we include the default route in the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''South Cisco Switch'''<br />
**** rfid-access-space<br />
**** voip-grandstream<br />
***** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
***** ''teletron8000 line 2'' (Desk - Get Human)<br />
** '''West Access Point & Switch'''<br />
*** '''West Green Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
**** brother-printer<br />
*** octoprint-main<br />
*** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || You will be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their appliance software, which they provide the packages for free of charge, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~$100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>
Mz
https://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6869 Network Operations 2019-04-01T23:46:52Z
<p>Mz: /* Assigned by DHCP */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). Multiple websites are served from the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt>, apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all of these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.17 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| hydrocontroller ⁂ || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.19 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂|| 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs are assigned; it was basically just whatever DHCP first gave these machines, made permanent through OpenWRT's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can identify which device is talking to them. This also means static routes are set on the router; the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (the default route) when the classless static route option is present, we include the default route in the static routes we send out.<br />
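The RFC 3442 encoding behind this note (and the identical note in the previous revision above), as an added example that is not part of the wiki page, OpenWrt or dnsmasq: it builds the option-121 payload for the bo.x0.rs subnets with the default route appended, decodes it back, and checks that a default route is present. The /24 prefix lengths, box0rs (192.168.42.100) as the next hop for those subnets, and the dnsmasq value format are assumptions.

```python
"""RFC 3442 classless static route option (DHCP option 121): encode, decode, check.

Added example for the Network Operations notes; not code from the wiki, OpenWrt
or dnsmasq. The wiki lists only network addresses, so the /24 prefix lengths and
box0rs as next hop for the container subnets are assumptions.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed sample based on the wiki's notes (prefix lengths assumed).
LAN_GATEWAY = ipaddress.IPv4Address("192.168.42.1")      # main router
BOX0RS = ipaddress.IPv4Address("192.168.42.100")         # second "router"
CONTAINER_SUBNETS = ["10.133.7.0/24", "10.8.0.0/24", "10.0.59.0/24", "10.0.93.0/24"]


def build_routes(default_gateway=LAN_GATEWAY, container_gw=BOX0RS) -> List[Route]:
    """Routes to advertise. RFC 3442 requires a client that receives option 121
    to ignore the Router option (3), so the default route must travel inside
    option 121 itself; that is why 0.0.0.0/0 is appended last."""
    routes = [(ipaddress.IPv4Network(n), container_gw) for n in CONTAINER_SUBNETS]
    routes.append((ipaddress.IPv4Network("0.0.0.0/0"), default_gateway))
    return routes


def encode_option121(routes: List[Route]) -> bytes:
    """Payload format per route: one byte prefix length, then only the
    significant destination octets (ceil(prefix/8)), then the 4-byte router."""
    out = bytearray()
    for net, router in routes:
        plen = net.prefixlen
        sig = (plen + 7) // 8
        out.append(plen)
        out += net.network_address.packed[:sig]
        out += router.packed
    return bytes(out)


def decode_option121(payload: bytes) -> List[Route]:
    """Inverse of encode_option121; rejects malformed or truncated payloads."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        sig = (plen + 7) // 8
        end = i + 1 + sig + 4
        if end > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i + 1:i + 1 + sig] + b"\x00" * (4 - sig)
        net = ipaddress.IPv4Network((dest, plen))
        router = ipaddress.IPv4Address(payload[i + 1 + sig:end])
        routes.append((net, router))
        i = end
    return routes


def has_default_route(routes: List[Route]) -> bool:
    """Sanity check for an option-121 route list: without a 0/0 entry, clients
    honouring RFC 3442 end up with no default route at all."""
    return any(net.prefixlen == 0 for net, _ in routes)


def dnsmasq_option_value(routes: List[Route]) -> str:
    """Render the routes as a comma-separated dhcp-option value for option 121
    (the shape assumed for LuCI's DHCP Options field; not taken from the wiki)."""
    parts = [f"{net.with_prefixlen},{router}" for net, router in routes]
    return "121," + ",".join(parts)


if __name__ == "__main__":
    routes = build_routes()
    payload = encode_option121(routes)
    print(payload.hex())
    print(dnsmasq_option_value(routes))
    assert decode_option121(payload) == routes
    assert has_default_route(routes)
```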
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''South Cisco Switch'''<br />
**** rfid-access-space<br />
**** voip-grandstream<br />
***** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
***** ''teletron8000 line 2'' (Desk - Get Human)<br />
** '''West Access Point & Switch'''<br />
*** '''West Green Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
**** brother-printer<br />
*** octoprint-main<br />
*** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || You will be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their appliance software, which they provide the packages for free of charge, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~$100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A volunteer was dispatched and found that the phone had simply been plugged into the wrong port; plugged into the right one, it works. RESOLVED.<br />
* 2016-05-23: Since the WRTnodes that run our camera streams operate in the 2.4 GHz band, the space stream became unreachable during the 2.4 GHz DHCP problem below (oddly, the front door stream still worked). This was rectified by having it connect as a client to a different access point. RESOLVED.<br />
* 2016-05-23: Whilst applying hotfixes for the 2016-05-23 network problem, one of our volunteers disabled the wireless interfaces on the space access point, and they are currently still down. Restart the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failing to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is odd since the 2.4 GHz and 5 GHz radios sit on the same hardware and bridge into the same VLAN. Volunteers looked at the problem, which had disappeared on its own by 2016-05-27. Unable to reproduce. RESOLVED.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6865Network Operations2019-03-30T00:34:33Z<p>Mz: /* Assigned by DHCP */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> hold the full ChanServ access flags (<tt>+AFRefiorstv</tt>) on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has only <tt>+fo</tt>, which is a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for a 150/150 Mbps connection at $200 per month.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise; it sounded like dupe or rsync, or something involving two machines). This machine runs our website, wiki, building website, building wiki and mailing lists on a traditional LAMP stack (Apache, MySQL/MariaDB, PHP); Nginx is used to serve the multiple sites from the same host. The machine's IP is <tt>162.243.60.59</tt>. The usual username is <tt>hackmanhattan</tt>, apparently. <tt>hackmanhattan.com</tt> is a WordPress installation and <tt>wiki.hackmanhattan.com</tt> a MediaWiki installation; <tt>ratpark.nyc</tt> is another WordPress setup and <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan.com</tt> runs Postfix and Mailman for the mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> also answers requests for that hostname. Why? The usual cause is that both names resolve to the same server and no virtual host is configured for <tt>members.hackmanhattan.com</tt>, so the web server's default virtual host (the list server's) answers instead; check what each name resolves to and whether a vhost for it exists.<br />
<br />
=== Comodo ===<br />
<br />
So we have TLS certificates for every hostname currently involved except <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s certificate instead (typically a sign that no TLS virtual host matches that name, so the server falls back to its default certificate). They're issued by Comodo. I would've thought we'd have wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case. Note that a wildcard covers exactly one label and not the bare domain, so <tt>*.ratpark.nyc</tt> alone would not fix <tt>ratpark.nyc</tt>; the apex name needs its own SAN entry.<br />
<br />
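Wildcard certificates would not by themselves cover the bare <tt>ratpark.nyc</tt> name, because a wildcard matches exactly one label. The following is added here as an example (not anything the space runs): it applies the hostname-matching rules TLS clients use, so one can see which names a given SAN list leaves uncovered. The SAN lists in it are constructed for illustration, not taken from the real certificates.<br />

```python
"""Hostname-vs-certificate name matching per RFC 6125 section 6.4.3.

Added example for this page; the hostnames are the ones the page names,
the SAN lists below are constructed for illustration only.
"""


def name_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate name (CN or dNSName SAN) covers host.

    Rules as enforced by modern clients:
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is only honoured as the entire left-most label
      ('*.example.com'), never partial ('*foo.example.com') or deeper;
    - the wildcard matches exactly one label, so '*.example.com' covers
      'www.example.com' but not 'example.com' or 'a.b.example.com';
    - a wildcard needs at least two labels to its right ('*.nyc' is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # wildcard allowed only as the whole first label
    if len(p_labels) < 3:
        return False  # '*.nyc' would cover every name under .nyc
    if len(h_labels) != len(p_labels):
        return False  # the wildcard spans exactly one label
    return h_labels[1:] == p_labels[1:]


def cert_covers(host: str, san_names) -> bool:
    """True if any name in the certificate's SAN list covers host."""
    return any(name_matches(n, host) for n in san_names)


def missing_san_entries(hosts, san_names):
    """Hosts the given SAN list does NOT cover: what a replacement
    certificate would still need to include."""
    return [h for h in hosts if not cert_covers(h, san_names)]


# Constructed SAN lists for illustration; the real certificates may differ.
WILDCARD_ONLY = ["*.ratpark.nyc"]
APEX_AND_WILDCARD = ["ratpark.nyc", "*.ratpark.nyc"]
RATPARK_HOSTS = ["ratpark.nyc", "wiki.ratpark.nyc"]

if __name__ == "__main__":
    print("wildcard only leaves uncovered:",
          missing_san_entries(RATPARK_HOSTS, WILDCARD_ONLY))
    print("apex + wildcard leaves uncovered:",
          missing_san_entries(RATPARK_HOSTS, APEX_AND_WILDCARD))
```

Run against the two constructed lists, the wildcard-only certificate leaves <tt>ratpark.nyc</tt> uncovered while the apex-plus-wildcard one covers both names; that is the shape a replacement certificate for each domain should take.<br />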
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> addresses are hosted with Google Apps; <tt>@list.hackmanhattan.com</tt> addresses are not, since that domain is handled by the Postfix/Mailman host.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all of these machines with centralised credentials. Keep in mind that Hesiod distributes account data (passwd/group entries) over plain DNS, which is neither authenticated nor encrypted, so anything able to spoof DNS answers on the LAN can influence which account a login maps to; the DNS server is part of the trusted base for these machines.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konsgn]], now [[User:mz|mz]]-ish || The web UI's password field has a <code>maxlength</code> attribute shorter than the actual password; remove it (e.g. in the browser's element inspector) before logging in || Attached to the tool shelf<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:38:84:a2 || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish || || By the 3D printer table<br />
|-<br />
| hydrocontroller || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| octoprint-main ⁂ || 192.168.42.19 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂ || 192.168.42.108 || 00:16:3e:5e:e2:ee || guest on [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; each machine simply kept whatever address DHCP first gave it, made permanent as a static lease in OpenWrt's LuCI. New devices should be assigned addresses below 192.168.42.150, where the dynamic pool starts.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0 and 10.0.93.0 subnets, it effectively acts as a second router. We therefore push classless static routes (DHCP option 121, RFC 3442) to clients so that none of them run into problems reaching those subnets and the containers can tell which device is talking to them. The same static routes are also configured on the main router; the DHCP options live in LuCI under Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client that receives the classless static route option must ignore the Router option (option 3), we include the default route (0.0.0.0/0 via the main router) in the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
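To make the route advertisement concrete, here is an added example (not the router's actual configuration) that encodes a route list the way RFC 3442 puts it on the wire, decodes it back, and emits the equivalent dnsmasq/OpenWrt option value. The four 10.x subnets above are taken as /24s with box0rs (192.168.42.100 in the table) as their gateway and the main router at 192.168.42.1 as the default; the prefix lengths are an assumption.<br />

```python
"""RFC 3442 classless static route option (DHCP option 121).

Added example for this page. The route list mirrors the subnets the page
names, but the /24 prefix lengths are assumed; box0rs (192.168.42.100) is
taken as their gateway and the main router (192.168.42.1) as the default.
"""
import ipaddress

ROUTES = [
    ("10.133.7.0/24", "192.168.42.100"),
    ("10.8.0.0/24", "192.168.42.100"),
    ("10.0.59.0/24", "192.168.42.100"),
    ("10.0.93.0/24", "192.168.42.100"),
    ("0.0.0.0/0", "192.168.42.1"),  # default route; clients that honour
]                                   # option 121 discard option 3 (Router)


def encode_option121(routes):
    """Serialise (cidr, router) pairs into the option 121 payload.

    Per route: one byte of prefix length, then only the *significant*
    octets of the destination (ceil(prefixlen / 8) of them), then the
    4-byte router address. A /0 destination therefore takes zero octets.
    """
    out = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr, strict=True)  # rejects host bits set
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    if len(out) > 255:
        raise ValueError("option 121 payload exceeds one DHCP option (255 bytes)")
    return bytes(out)


def decode_option121(payload):
    """Inverse of encode_option121: returns [(cidr, router), ...] as strings."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError("bad prefix length %d" % plen)
        sig = (plen + 7) // 8
        dest = payload[i:i + sig].ljust(4, b"\x00")  # pad omitted octets
        i += sig
        router = payload[i:i + 4]
        i += 4
        if len(router) != 4:
            raise ValueError("truncated route entry")
        net = ipaddress.IPv4Network("%s/%d" % (ipaddress.IPv4Address(dest), plen))
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def dnsmasq_option_line(routes, code=121):
    """Value for dnsmasq 'dhcp-option=' (also OpenWrt's 'list dhcp_option').

    dnsmasq accepts network/prefix,router pairs for codes 121 and 249;
    use code=249 for the Microsoft-specific copy Windows clients request.
    """
    fields = [code] + [f for route in routes for f in route]
    return ",".join(str(f) for f in fields)


if __name__ == "__main__":
    print(encode_option121(ROUTES).hex())
    print(dnsmasq_option_line(ROUTES))
    print(dnsmasq_option_line(ROUTES, 249))
```

Two practical points the encoder makes visible: Windows clients ask for the Microsoft-specific option 249 rather than 121, so the same list should be emitted under both codes, and because a client honouring option 121 discards the Router option, leaving out the 0.0.0.0/0 entry would strand such clients without a default gateway.<br />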
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. Wi-Fi clients are not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam<br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''South Cisco Switch'''<br />
**** rfid-access-space<br />
**** voip-grandstream<br />
***** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
***** ''teletron8000 line 2'' (Desk - Get Human)<br />
** '''West Access Point & Switch'''<br />
*** '''West Green Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
**** brother-printer<br />
*** octoprint-main<br />
*** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan uses <tt>192.168.42.0/23</tt>, i.e. two adjacent class-C-sized blocks, <tt>192.168.42.0</tt> through <tt>192.168.43.255</tt>, with a subnet mask of <tt>255.255.254.0</tt>. This gives us a theoretical maximum of <tt>510</tt> usable IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning addresses from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines can use static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range (in a /23, <tt>192.168.42.255</tt> is an ordinary host address, not a broadcast address). Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Get one allocated; typically the next free address. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and modem for Verizon FiOS<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router; also does DNS and DHCP. Wi-Fi channel 1. Remote management on a nonstandard port with a nonstandard password (the port choice only reduces scanner noise; the password is the actual control). (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where on the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for data that could not be obtained (for security or other reasons).<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # TRENDnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone (Grandstream GXP1400 per the DHCP table)<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests not to homebrew surveillance hardware and instead use known commercial hardware. Ubiquiti comes to mind: their UniFi Video line includes the UVC-Micro, UVC, UVC-Dome and UVC-Pro cameras. The recording appliance (the NVR) is also distributed as a free software package, so we can run it on a machine we own rather than buying their hardware appliance.<br />
<br />
Given that the UVC and the UVC-Micro run about $100 each, it would be great to cover the first floor, the space, the machine area and the roof with them. A separate webcam would continue to serve as the public space webcam, and access to the NVR would be limited to the board and trusted members of the space. For about $400 we can cover the four areas without being locked into a cloud-based DVR service, and the footage stays on hardware we control.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A volunteer was dispatched and found that the phone had simply been plugged into the wrong port; plugged into the right one, it works. RESOLVED.<br />
* 2016-05-23: Since the WRTnodes that run our camera streams operate in the 2.4 GHz band, the space stream became unreachable during the 2.4 GHz DHCP problem below (oddly, the front door stream still worked). This was rectified by having it connect as a client to a different access point. RESOLVED.<br />
* 2016-05-23: Whilst applying hotfixes for the 2016-05-23 network problem, one of our volunteers disabled the wireless interfaces on the space access point, and they are currently still down. Restart the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failing to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is odd since the 2.4 GHz and 5 GHz radios sit on the same hardware and bridge into the same VLAN. Volunteers looked at the problem, which had disappeared on its own by 2016-05-27. Unable to reproduce. RESOLVED.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6864Network Operations2019-03-30T00:12:54Z<p>Mz: /* Approximate Network Hierarchy (as of 2018-03-21) */</p>
<hr />
Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6863Network Operations2019-03-29T21:38:58Z<p>Mz: /* Approximate Network Hierarchy (as of 2018-03-21) */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). Multiple websites share the same host via Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt>, apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan.com</tt> runs Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s certificate instead. They're issued by Comodo. I would've thought we'd have wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konsgn]] now [[User:mz|mz]]-ish || Remove <code>maxlength</code> from the password before logging in || Attached to the tool shelf<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂ || 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; each was simply whatever address DHCP first handed the machine, made permanent as a static lease through OpenWrt's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can identify which device is talking to them. This also means static routes are set on the router; the necessary DHCP options may be found in LuCI under Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (the default route) whenever the classless static route option is present, we include the default route in the static routes we send out.<br />
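<br />
As an added example, not code from this wiki page or from the Hack Manhattan setup itself, here is how the option the note above relies on (DHCP option 121, the RFC 3442 classless static route option) is encoded and decoded, and how the default route is folded into it so that clients which ignore the Router option still get one. The second-router address (bo.x0.rs at 192.168.42.100, taken from the allocation table), the /24 prefix lengths for its subnets (the page lists only the network addresses) and the dnsmasq/LuCI option syntax are assumptions.<br />

```python
"""Encode/decode DHCP option 121 (classless static routes, RFC 3442).

Added example; the second-router address, the /24 prefix lengths and the
dnsmasq/LuCI syntax are assumptions, not taken from the wiki page.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (destination network in CIDR form, next-hop router)

# Constructed values: main router and bo.x0.rs come from the allocation
# table; the /24 lengths are an assumption (the page lists only network addresses).
MAIN_ROUTER = "192.168.42.1"
SECOND_ROUTER = "192.168.42.100"
EXTRA_SUBNETS = ["10.133.7.0/24", "10.8.0.0/24", "10.0.59.0/24", "10.0.93.0/24"]


def encode_route(network: str, router: str) -> bytes:
    """One RFC 3442 route: prefix length, only the significant destination
    octets (ceil(len/8) of them), then the 4-octet next-hop router."""
    net = ipaddress.IPv4Network(network, strict=True)
    width = net.prefixlen
    significant = (width + 7) // 8
    return (bytes([width])
            + net.network_address.packed[:significant]
            + ipaddress.IPv4Address(router).packed)


def encode_option121(routes: List[Route]) -> bytes:
    """Concatenate the routes into the raw option payload."""
    return b"".join(encode_route(net, rtr) for net, rtr in routes)


def decode_option121(data: bytes) -> List[Route]:
    """Parse a raw option 121 payload; reject truncated or malformed input
    instead of guessing, so it can double as a check on a router's output."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError(f"bad prefix length {width} at offset {i - 1}")
        significant = (width + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        # Missing low-order destination octets are zero by definition.
        dest = data[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        router = data[i:i + 4]
        i += 4
        net = ipaddress.IPv4Network((dest, width))  # strict: host bits must be 0
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def is_valid_option121(data: bytes) -> bool:
    """True when the payload decodes cleanly."""
    try:
        decode_option121(data)
        return True
    except ValueError:
        return False


def build_lan_routes(extra_subnets: List[str], second_router: str,
                     main_router: str) -> List[Route]:
    """Routes the main router should advertise: every subnet behind the
    second router, plus the default route via the main router itself.
    0.0.0.0/0 must be included because RFC 3442 requires clients to ignore
    the Router option whenever option 121 is present."""
    routes: List[Route] = [(net, second_router) for net in extra_subnets]
    routes.append(("0.0.0.0/0", main_router))
    return routes


def luci_dhcp_option(routes: List[Route]) -> str:
    """The dnsmasq 'dhcp-option' value form ("121,dest,router,...") as one
    would paste into OpenWrt's LuCI DHCP Options field (syntax assumed)."""
    return "121," + ",".join(f"{net},{rtr}" for net, rtr in routes)


if __name__ == "__main__":
    lan_routes = build_lan_routes(EXTRA_SUBNETS, SECOND_ROUTER, MAIN_ROUTER)
    payload = encode_option121(lan_routes)
    print("option 121 payload:", payload.hex())
    print("decoded:", decode_option121(payload))
    print("LuCI value:", luci_dhcp_option(lan_routes))
```

Running the block prints the raw option bytes, the decoded route list and the comma-separated value for the LuCI field. Note that the default route is encoded as a zero-length prefix (a single 0 byte followed by the router address), which is why it costs only five bytes in the payload.<br />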
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''West Access Point & Switch'''<br />
***** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
** '''South Cisco Switch'''<br />
*** rfid-access-space<br />
*** voip-grandstream<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan uses a <tt>/23</tt> in the Class C private range: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Have one allocated to you. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # TRENDnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Plain text is more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and UVC-Pro. One would use their appliance software, which they provide as free packages, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~$100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about $400, we can cover the four spaces without being locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone into the wrong ports, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which had magically gone away by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6862Network Operations2019-03-29T21:32:53Z<p>Mz: /* Static configurations */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). Multiple websites share the same host via Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt>, apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan.com</tt> runs Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s certificate instead. They're issued by Comodo. I would've thought we'd have wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konsgn]] now [[User:mz|mz]]-ish || Remove <code>maxlength</code> from the password before logging in || Attached to the tool shelf<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂ || 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; each was simply whatever address DHCP first handed the machine, made permanent as a static lease through OpenWrt's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 30:b5:c2:b2:76:3a || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can identify which device is talking to them. This also means static routes are set on the router; the necessary DHCP options may be found in LuCI under Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (the default route) whenever the classless static route option is present, we include the default route in the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
** '''South Cisco Switch'''<br />
*** rfid-access-space<br />
*** voip-grandstream<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan uses a <tt>/23</tt> in the Class C private range: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Have one allocated to you. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # TRENDnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Plain text is more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and UVC-Pro. One would use their appliance software, which they provide as free packages, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~$100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about $400, we can cover the four spaces without being locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6861Network Operations2019-03-29T21:09:27Z<p>Mz: /* Assigned by DHCP */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOS ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP); multiple websites on the same host are served through Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan</tt> runs Postfix and Mailman for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains but apparently this is not the case (for <tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>).<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konsgn]] now [[User:mz|mz]]-ish || Remove <code>maxlength</code> from the password before logging in || Attached to the tool shelf<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| teletron8000 ⁂ || 192.168.42.108 || 00:16:3e:5e:e2:ee || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; it was basically whatever DHCP first gave each machine, made permanent through OpenWRT's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 64:66:b3:fa:af:c4 || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can identify which device is talking to them. This also means static routes are set on the router, and the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (option 3) whenever the classless static route option is present, we include the default route in the static routes we send out; otherwise clients would be left with no default gateway.<br />
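The RFC 3442 behaviour described above, as an added example (not the router's own configuration or anything from LuCI): it encodes DHCP option 121 for the bo.x0.rs subnets listed in this section and applies the client-side rule that option 3 is ignored once option 121 is present, so an offer whose classless routes omit 0.0.0.0/0 leaves the client with no default gateway. The addresses are those from the tables on this page; the /24 prefix lengths for the bo.x0.rs subnets and the layout of the constructed offer are assumptions.<br />
<br />
```python
"""DHCP option 121 (RFC 3442 classless static routes) for the 192.168.42.0 LAN.

Added example for this page, not the router's own configuration. Addresses
come from the tables on the page; the /24 prefix lengths for the bo.x0.rs
subnets and the layout of the constructed DHCP offer are assumptions.
"""
import ipaddress

OPTION_ROUTER = 3             # classic "Router" option (RFC 2132)
OPTION_CLASSLESS_ROUTE = 121  # classless static route option (RFC 3442)

GATEWAY = "192.168.42.1"      # main router, space.hackmanhattan.com
BOX0RS = "192.168.42.100"     # bo.x0.rs, the second router on the LAN

# Subnets reachable via bo.x0.rs (the /24 prefix lengths are an assumption).
BOX0RS_ROUTES = [
    ("10.133.7.0/24", BOX0RS),
    ("10.8.0.0/24", BOX0RS),
    ("10.0.59.0/24", BOX0RS),
    ("10.0.93.0/24", BOX0RS),
]


def encode_classless_routes(routes):
    """Encode (destination CIDR, router) pairs as the data of option 121.

    Each entry is: one byte of prefix length, then only the significant
    octets of the destination (ceil(prefix/8) of them), then the 4-byte
    router address. A default route is prefix length 0 with no octets.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Parse option 121 data back into (IPv4Network, IPv4Address) pairs.

    Rejects prefix lengths over 32 and truncated entries rather than
    installing a partial route from malformed option data.
    """
    routes = []
    i = 0
    while i < len(data):
        prefixlen = data[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen}")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated option 121 entry")
        dest_octets = bytes(data[i:i + significant]).ljust(4, b"\x00")
        i += significant
        router = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        dest = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(dest_octets)}/{prefixlen}", strict=False)
        routes.append((dest, router))
    return routes


def build_lan_options(include_default_route):
    """Constructed sample of what the router offers: option 3 plus option 121."""
    routes = list(BOX0RS_ROUTES)
    if include_default_route:
        routes.append(("0.0.0.0/0", GATEWAY))
    return {
        OPTION_ROUTER: ipaddress.IPv4Address(GATEWAY).packed,
        OPTION_CLASSLESS_ROUTE: encode_classless_routes(routes),
    }


def select_routes(options):
    """Apply the RFC 3442 client rule: with option 121 present, option 3 is ignored."""
    if OPTION_CLASSLESS_ROUTE in options:
        return decode_classless_routes(options[OPTION_CLASSLESS_ROUTE])
    router = ipaddress.IPv4Address(options[OPTION_ROUTER][:4])
    return [(ipaddress.IPv4Network("0.0.0.0/0"), router)]


def default_gateway(routes):
    """Return the router of the 0.0.0.0/0 entry, or None if the client has none."""
    for dest, router in routes:
        if dest.prefixlen == 0:
            return str(router)
    return None


if __name__ == "__main__":
    for include in (False, True):
        routes = select_routes(build_lan_options(include))
        print(f"default route in option 121: {include} -> "
              f"client default gateway: {default_gateway(routes)}")
```
<br />
Running the block prints one line per case: with the default route left out of option 121 the client's default gateway is None, with it included the gateway is 192.168.42.1. The decoder's length checks matter on a shared LAN: a client that accepts a truncated or oversized entry would install garbage into its routing table.<br />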
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
** '''South Cisco Switch'''<br />
*** rfid-access-space<br />
*** voip-grandstream<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Have one allocated to you; typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOS<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests not to homebrew hardware and instead to use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and UVC-Pro. One would use their video appliance software, which they provide as freely downloadable packages, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run about $100 each, it'd be great to cover the first floor, the space, the machine area, and the roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6860Network Operations2019-03-29T21:07:25Z<p>Mz: /* Static configurations */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOS ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP); multiple websites on the same host are served through Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan</tt> runs Postfix and Mailman for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains but apparently this is not the case (for <tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>).<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konsgn]] now [[User:mz|mz]]-ish || Remove <code>maxlength</code> from the password before logging in || Attached to the tool shelf<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; it was basically whatever DHCP first gave each machine, made permanent through OpenWRT's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| ap-west || 192.168.42.2 || 64:66:b3:fa:af:c4 || TP-Link Archer C7 || [[User:mz|mz]]-ish || AP/switch for WPA2-PSK || mounted on the left side of the tool shelf<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can identify which device is talking to them. This also means static routes are set on the router, and the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (option 3) whenever the classless static route option is present, we include the default route in the static routes we send out; otherwise clients would be left with no default gateway.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
** '''South Cisco Switch'''<br />
*** rfid-access-space<br />
*** voip-grandstream<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Have one allocated to you; typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOS<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests not to homebrew hardware and instead to use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and UVC-Pro. One would use their video appliance software, which they provide as freely downloadable packages, so you don't need to buy their hardware appliance and can instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run about $100 each, it'd be great to cover the first floor, the space, the machine area, and the roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're on the same VLAN and the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6552Network Operations2019-03-22T23:55:52Z<p>Mz: /* Assigned by DHCP */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all of these machines with centralised credentials. Keep in mind that Hesiod distributes account information over ordinary DNS, which carries no authentication, so treat it as a directory of accounts rather than a store for secrets.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konsgn]] now [[User:mz|mz]]-ish || Remove the <code>maxlength</code> attribute from the login page's password field before logging in || Attached to the tool shelf<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller || 192.168.42.18 || b8:27:eb:5e:c5:bc || RaspberryPi || [[User:Mugenity|jay]] || || On the roof<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.21 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.42.22 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.42.100 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; it was basically whatever DHCP first handed out, made permanent as a static lease in OpenWrt's LuCI. New devices should be given addresses below 192.168.42.150, since dynamic allocations start there.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| teletron8000 ⁂|| 10.0.93.12 || || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it effectively acts as a second router. We therefore hand out classless static routes for those subnets via DHCP (option 121), so that clients reach them through box0rs directly instead of bouncing off the main router, and the containers see which client is talking to them. Matching static routes are also set on the router itself; the DHCP options live in LuCI under Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client that receives the classless static route option must ignore the Router option (option 3) in the same reply, we include the default route (0.0.0.0/0 via the main router) in the static routes we send out; leaving it out would strip the default route from every client that honours option 121.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
** '''South Cisco Switch'''<br />
*** rfid-access-space<br />
*** voip-grandstream<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for the entire private <tt>10.0.0.0/8</tt> block. After much thought, it was decided this was unreasonable.<br />
<br />
This plan instead uses <tt>192.168.42.0/23</tt>, i.e. two contiguous <tt>/24</tt> blocks rather than a single Class C network. This gives a theoretical maximum of <tt>510</tt> usable IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines can be given static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range (<tt>.42.1</tt> being the router). A statically configured host must use the <tt>/23</tt> mask (<tt>255.255.254.0</tt>) from the table below; with a <tt>/24</tt> mask it would treat the <tt>192.168.43.x</tt> DHCP clients as off-link and send traffic for them to the gateway. One could set up VLANs, but since we don't intend to complicate the setup, a <tt>/23</tt> is a reasonable choice.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Have one allocated; typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained, for security or other reasons.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests not to homebrew surveillance hardware and instead use known commercial hardware. Ubiquiti comes to mind: their UniFi Video line has the UVC-Micro, UVC, UVC-Dome and UVC-Pro cameras. The recording appliance software is a free download, so we would not need to buy their hardware appliance and could run it on a machine of our own.<br />
<br />
Given that the UVC and the UVC-Micro run about $100 each, it would be worth covering the first floor, the space, the machine area and the roof with them. A separate webcam would serve as the public space webcam, and access to the recording appliance would be limited to the board and trusted members of the space, i.e. the camera feeds stay off anything guests can reach. For about $400 we could cover the four areas without being locked into a cloud-hosted DVR service.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're on the same VLAN and the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6551Network Operations2019-03-21T20:17:33Z<p>Mz: /* Assigned by DHCP */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
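The mismatch on <tt>ratpark.nyc</tt> is the behaviour of a web server that has no virtual host, and so no certificate, configured for that name and therefore answers with its default virtual host's certificate. As an added worked example, not code from this wiki or from its servers, the following Python applies the DNS-name matching rules browsers use to a constructed set of certificates that mirrors the hostnames named in this section, reports which served hostname no certificate covers, and lists the names a per-domain wildcard certificate would have to carry (a wildcard covers one label and never the bare apex). The SAN lists are made up for illustration and are not the real Comodo certificates.<br />

```python
"""RFC 6125-style matching of a hostname against a certificate's DNS names.

Added example for this page; the SAN lists below are constructed to mirror the
hostnames mentioned on the page, not copied from the real certificates.
"""


def hostname_matches(hostname: str, dns_names) -> bool:
    """True if hostname is covered by one of the certificate's DNS-ID SANs.

    Wildcard rules as browsers apply them: the wildcard must be the entire
    leftmost label, it matches exactly one label, and it never matches the
    bare apex (so '*.ratpark.nyc' does not cover 'ratpark.nyc').
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if labels == host:
                return True
            continue
        if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
            continue  # partial or multi-level wildcards are not honoured
        if len(host) == len(labels) and host[1:] == labels[1:]:
            return True
    return False


def coverage_report(hostnames, certs):
    """Map each served hostname to the label of the first certificate whose
    SANs cover it, or None when no certificate does (a browser would show a
    name-mismatch error for that hostname)."""
    report = {}
    for host in hostnames:
        report[host] = next(
            (label for label, sans in certs.items() if hostname_matches(host, sans)),
            None,
        )
    return report


def names_to_request(hostnames):
    """Smallest set of DNS names for one wildcard certificate per domain:
    the apex plus '*.apex'. Takes the last two labels as the apex, which is
    fine for .com and .nyc but not for suffixes such as .co.uk."""
    needed = set()
    for host in hostnames:
        apex = ".".join(host.lower().split(".")[-2:])
        needed.add(apex)
        needed.add("*." + apex)
    return needed


# Constructed inputs: the hostnames the page mentions, and SAN lists that
# reproduce the symptom described (ratpark.nyc served with the wrong cert).
SERVED_HOSTNAMES = [
    "hackmanhattan.com", "wiki.hackmanhattan.com", "list.hackmanhattan.com",
    "members.hackmanhattan.com", "ratpark.nyc", "wiki.ratpark.nyc",
]
CONSTRUCTED_CERTS = {
    "hackmanhattan.com cert": ["hackmanhattan.com", "www.hackmanhattan.com"],
    "wiki.hackmanhattan.com cert": ["wiki.hackmanhattan.com"],
    "list.hackmanhattan.com cert": ["list.hackmanhattan.com", "members.hackmanhattan.com"],
    "wiki.ratpark.nyc cert": ["wiki.ratpark.nyc"],
}

if __name__ == "__main__":
    for host, cert in coverage_report(SERVED_HOSTNAMES, CONSTRUCTED_CERTS).items():
        print(f"{host:28} -> {cert or 'NO MATCHING CERT'}")
    print(sorted(names_to_request(SERVED_HOSTNAMES)))
```

Run against the constructed data, <tt>ratpark.nyc</tt> is the only hostname with no matching certificate, and the wildcard plan comes out as the two apexes plus <tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>; a wildcard alone would leave the apex with exactly the mismatch seen today.<br />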
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all of these machines with centralised credentials. Keep in mind that Hesiod distributes account information over ordinary DNS, which carries no authentication, so treat it as a directory of accounts rather than a store for secrets.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IPv4 address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| space.hackmanhattan.com || 192.168.42.1 || 64:70:02:77:ec:e0 || TP-Link TL-WDR4300 v1 || [[User:mz|mz]]-ish & [[User:Guan|Guan]]-ish & [[User:Beadsland|Beadsland]]-ish || || Network cubby<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konsgn]] now [[User:mz|mz]]-ish || Remove the <code>maxlength</code> attribute from the login page's password field before logging in || Attached to the tool shelf<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| bricolage || 192.168.42.50 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|- <br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.157 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| hydrocontroller || 192.168.42.173 || b8:27:eb:5e:c5:bc || RaspberryPI || [[User:Mugenity|jay]] || || On the roof?<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.43.125 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.43.189 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|}<br />
<br />
Note: there used to be no system for how these IPs were assigned; it was basically whatever DHCP first handed out, made permanent as a static lease in OpenWrt's LuCI. New devices should be given addresses below 192.168.42.150, since dynamic allocations start there.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| teletron8000 ⁂|| 10.0.93.12 || || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || Asterisk server hosting the phone project || <br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it effectively acts as a second router. We therefore hand out classless static routes for those subnets via DHCP (option 121), so that clients reach them through box0rs directly instead of bouncing off the main router, and the containers see which client is talking to them. Matching static routes are also set on the router itself; the DHCP options live in LuCI under Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client that receives the classless static route option must ignore the Router option (option 3) in the same reply, we include the default route (0.0.0.0/0 via the main router) in the static routes we send out; leaving it out would strip the default route from every client that honours option 121.<br />
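As an added worked example for this "Notes about subnets, routes and DHCP" section (the same section appears in each revision above), and not configuration taken from the Hack Manhattan router, the following Python encodes the routes described here as an RFC 3442 option 121 payload, decodes it back with length checks, and produces the equivalent value for the LuCI DHCP Options field in the dnsmasq form. The <tt>/24</tt> prefix lengths for the four box0rs subnets and the box0rs address <tt>192.168.42.100</tt> are assumptions taken from the tables above; the page itself gives only the network addresses.<br />

```python
"""RFC 3442 classless static routes (DHCP option 121): encode, decode, dnsmasq form.

Added example for this page; not the Hack Manhattan router's own configuration.
Assumptions: the box0rs subnets are /24s and box0rs answers on 192.168.42.100.
"""
import ipaddress
import math

BOX0RS = "192.168.42.100"      # assumed next hop for the container subnets
MAIN_ROUTER = "192.168.42.1"   # gateway from the static-IP table

# Assumed prefix lengths: the page lists network addresses only.
ROUTES = [
    ("10.133.7.0/24", BOX0RS),
    ("10.8.0.0/24", BOX0RS),
    ("10.0.59.0/24", BOX0RS),
    ("10.0.93.0/24", BOX0RS),
    # RFC 3442 section 3: a client that receives option 121 MUST ignore the
    # Router option (3), so the default route has to be carried here as well.
    ("0.0.0.0/0", MAIN_ROUTER),
]


def encode_route(dest: str, router: str) -> bytes:
    """One entry: prefix length, then only the significant destination
    octets (ceil(prefix / 8) of them), then the 4-byte router address."""
    net = ipaddress.IPv4Network(dest, strict=True)
    n_octets = math.ceil(net.prefixlen / 8)
    return (bytes([net.prefixlen])
            + net.network_address.packed[:n_octets]
            + ipaddress.IPv4Address(router).packed)


def encode_option_121(routes) -> bytes:
    """Full option: code 121, length byte, concatenated entries."""
    payload = b"".join(encode_route(d, r) for d, r in routes)
    if len(payload) > 255:
        raise ValueError("payload does not fit in a single DHCP option")
    return bytes([121, len(payload)]) + payload


def decode_option_121(option: bytes):
    """Inverse of encode_option_121; rejects truncated or malformed data
    instead of silently producing a wrong route."""
    if len(option) < 2 or option[0] != 121:
        raise ValueError("not a DHCP option 121")
    body = option[2:2 + option[1]]
    if len(body) != option[1]:
        raise ValueError("option length exceeds available bytes")
    routes, i = [], 0
    while i < len(body):
        plen = body[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n_octets = math.ceil(plen / 8)
        dest = body[i:i + n_octets]
        router = body[i + n_octets:i + n_octets + 4]
        if len(dest) != n_octets or len(router) != 4:
            raise ValueError("truncated route entry")
        i += n_octets + 4
        dest_ip = ipaddress.IPv4Address(dest + bytes(4 - n_octets))
        routes.append((f"{dest_ip}/{plen}", str(ipaddress.IPv4Address(router))))
    return routes


def dnsmasq_option(routes) -> str:
    """The same routes as a dnsmasq dhcp-option value, which is what goes into
    LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options."""
    return "121," + ",".join(f"{dest},{router}" for dest, router in routes)


if __name__ == "__main__":
    wire = encode_option_121(ROUTES)
    print(wire.hex())
    print(decode_option_121(wire))
    print(dnsmasq_option(ROUTES))
```

The default route costs five bytes (prefix length 0, no destination octets, four router octets) and each <tt>/24</tt> costs eight, so the whole set fits comfortably in one option. Some older Windows clients look for this same encoding under Microsoft's option 249 rather than 121, so networks that must support them send both codes with the same value.<br />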
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
** '''South Cisco Switch'''<br />
*** rfid-access-space<br />
*** voip-grandstream<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for the entire private <tt>10.0.0.0/8</tt> block. After much thought, it was decided this was unreasonable.<br />
<br />
This plan instead uses <tt>192.168.42.0/23</tt>, i.e. two contiguous <tt>/24</tt> blocks rather than a single Class C network. This gives a theoretical maximum of <tt>510</tt> usable IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines can be given static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range (<tt>.42.1</tt> being the router). A statically configured host must use the <tt>/23</tt> mask (<tt>255.255.254.0</tt>) from the table below; with a <tt>/24</tt> mask it would treat the <tt>192.168.43.x</tt> DHCP clients as off-link and send traffic for them to the gateway. One could set up VLANs, but since we don't intend to complicate the setup, a <tt>/23</tt> is a reasonable choice.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Have one allocated; typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained, for security or other reasons.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests not to homebrew surveillance hardware and instead use known commercial hardware. Ubiquiti comes to mind: their UniFi Video line has the UVC-Micro, UVC, UVC-Dome and UVC-Pro cameras. The recording appliance software is a free download, so we would not need to buy their hardware appliance and could run it on a machine of our own.<br />
<br />
Given that the UVC and the UVC-Micro run about $100 each, it would be worth covering the first floor, the space, the machine area and the roof with them. A separate webcam would serve as the public space webcam, and access to the recording appliance would be limited to the board and trusted members of the space, i.e. the camera feeds stay off anything guests can reach. For about $400 we could cover the four areas without being locked into a cloud-hosted DVR service.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6550Network Operations2019-03-21T18:26:48Z<p>Mz: /* Static IP allocations (incomplete - online devices as of 2019-03-20) */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>) but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (as of 2019-03-21) ===<br />
<br />
Sorted by IP.<br />
<br />
'''⁂''': [[Bo.x0.rs|Hesiod]] enabled, i.e. if you have a Hesiod DNS record set (ask [[User:mz|mz]]) you can log into all these machines with centralised credentials.<br />
<br />
==== Assigned by DHCP ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konsgn]] now [[User:mz|mz]]-ish || Remove <code>maxlength</code> from the password before logging in || Attached to the tool shelf<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop ⁂ || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] ⁂ || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || [[User:Guan|Guan]] || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || [[User:Guan|Guan]] & [[User:mz|mz]] || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] ⁂ || 192.168.42.157 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| hydrocontroller || 192.168.42.173 || b8:27:eb:5e:c5:bc || RaspberryPI || [[User:Mugenity|jay]] || || On the roof?<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.43.125 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.43.189 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|- <br />
| bricolage || 192.168.43.191 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|}<br />
<br />
Note: there used to be no system regarding how these IPs were assigned; it was basically whatever DHCP first gave these machines, made permanent through OpenWRT's LuCI. New devices ought to be assigned addresses up to 192.168.42.150.<br />
<br />
==== Static configurations ====<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| teletron8000 ⁂|| 10.0.93.12 || || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can identify which device is talking to them. This also means static routes are set on the router, plus the necessary DHCP-options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says to ignore the default route packet if classless static route options are seen, we include the default route in the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
** '''South Cisco Switch'''<br />
*** rfid-access-space<br />
*** voip-grandstream<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the Unifi series of cameras: the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would run their appliance software, the packages for which they provide free of charge, so there's no need to buy their hardware appliance; it can instead be deployed on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6549Network Operations2019-03-21T18:08:18Z<p>Mz: /* Static IP allocations (incomplete - online devices as of 2019-03-20) */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is another WordPress setup. <tt>wiki.ratpark.nyc</tt> is, of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>) but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (incomplete - online devices as of 2019-03-20) ===<br />
<br />
Sorted by IP. There is no system regarding how these IPs are assigned; it's basically just whatever DHCP first gave these machines, made permanent through OpenWRT's LuCI.<br />
<br />
Assigned by DHCP:<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konstantin]] now [[User:mz|mz]]-ish || || Attached to the tool shelf<br />
|-<br />
| 137W14 || 192.168.42.10 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.15 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.42.16 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| buzzer-pi-shop || 192.168.42.17 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| voip-phone || 192.168.42.30 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || N/A || || Under the network cubby<br />
|- <br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || N/A || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] || 192.168.42.157 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| hydrocontroller || 192.168.42.173 || b8:27:eb:5e:c5:bc || RaspberryPI || [[User:Mugenity|jay]] || || On the roof?<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.43.125 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.43.189 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|- <br />
| bricolage || 192.168.43.191 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|}<br />
<br />
Static configurations:<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| teletron8000 || 10.0.93.12 || || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can identify which device is talking to them. This also means static routes are set on the router, plus the necessary DHCP-options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says to ignore the default route packet if classless static route options are seen, we include the default route in the static routes we send out.<br />
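As an added example (not from this wiki page or the space's actual router configuration), here is how the RFC 3442 option 121 payload described above is laid out, using the four bo.x0.rs subnets from this page with assumed next hops (192.168.43.189 for box0rs, 192.168.42.1 for the router) and the default route folded in as the spec requires; the dnsmasq-style option string it emits is the form assumed for the LuCI "DHCP Options" field, and the decoder lets you check what a capture of the router's DHCP offer actually carries.<br />

```python
"""Encode and decode the DHCP Classless Static Route option (RFC 3442, option 121)."""
import ipaddress

# Constructed example. The /24 subnets come from the Network Operations page;
# the next-hop addresses are assumptions: box0rs appears in the DHCP table at
# 192.168.43.189 and the main router is 192.168.42.1.
BOX0RS = "192.168.43.189"
ROUTER = "192.168.42.1"
ROUTES = [
    ("10.133.7.0/24", BOX0RS),
    ("10.8.0.0/24", BOX0RS),
    ("10.0.59.0/24", BOX0RS),
    ("10.0.93.0/24", BOX0RS),
    # RFC 3442: a client that receives option 121 ignores option 3 (Router),
    # so the default route must be carried here too, or clients lose their gateway.
    ("0.0.0.0/0", ROUTER),
]


def encode_route(network: str, gateway: str) -> bytes:
    """One route entry: prefix length, significant destination octets, 4-byte gateway."""
    net = ipaddress.IPv4Network(network)
    significant = (net.prefixlen + 7) // 8  # /0 -> 0 octets, /24 -> 3, /32 -> 4
    return (bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + ipaddress.IPv4Address(gateway).packed)


def encode_option121(routes) -> bytes:
    """Full option as it appears in the DHCP options field: code, length, payload."""
    payload = b"".join(encode_route(n, g) for n, g in routes)
    if len(payload) > 255:
        raise ValueError("option 121 payload exceeds the single-option length limit")
    return bytes([121, len(payload)]) + payload


def decode_option121(blob: bytes):
    """Parse an option 121 TLV back into (network, gateway) string pairs.

    Length and prefix fields are validated so a truncated or malformed option
    raises instead of yielding a partial route table.
    """
    if len(blob) < 2 or blob[0] != 121:
        raise ValueError("not a classless static route option")
    length = blob[1]
    body = blob[2:2 + length]
    if len(body) != length:
        raise ValueError("option length exceeds the available bytes")
    routes = []
    i = 0
    while i < len(body):
        prefix = body[i]
        i += 1
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix}")
        significant = (prefix + 7) // 8
        dest = body[i:i + significant]
        gw = body[i + significant:i + significant + 4]
        if len(dest) != significant or len(gw) != 4:
            raise ValueError("truncated route entry")
        i += significant + 4
        dest_full = dest + b"\x00" * (4 - significant)
        routes.append((str(ipaddress.IPv4Network((dest_full, prefix))),
                       str(ipaddress.IPv4Address(gw))))
    return routes


def has_default_route(routes) -> bool:
    """The check this page's note calls for: is 0.0.0.0/0 among the advertised routes?"""
    return any(ipaddress.IPv4Network(n).prefixlen == 0 for n, _ in routes)


def dnsmasq_option_string(routes) -> str:
    """Assumed dnsmasq/LuCI form: '121,net/len,gw,net/len,gw,...'."""
    return "121," + ",".join(f"{n},{g}" for n, g in routes)


if __name__ == "__main__":
    blob = encode_option121(ROUTES)
    print(f"option 121, {blob[1]} payload bytes: {blob.hex()}")
    print("LuCI DHCP option:", dnsmasq_option_string(ROUTES))
    for net, gw in decode_option121(blob):
        print(f"  {net:>18} via {gw}")
    print("default route present:", has_default_route(decode_option121(blob)))
```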
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
** '''South Cisco Switch'''<br />
*** rfid-access-space<br />
*** voip-grandstream<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the Unifi series of cameras: the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would run their appliance software, the packages for which they provide free of charge, so there's no need to buy their hardware appliance; it can instead be deployed on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6548Network Operations2019-03-21T17:20:37Z<p>Mz: /* Approximate Network Hierarchy (definitely outdated as of 2018-03-20) */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (incomplete - online devices as of 2019-03-20) ===<br />
<br />
Sorted by IP. There is no system to how these IPs are assigned; each is just whatever DHCP first gave the machine, made permanent through OpenWRT's LuCI.<br />
<br />
Assigned by DHCP:<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konstantin]] now [[User:mz|mz]]-ish || || Attached to the tool shelf<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || N/A || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] || 192.168.42.157 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| buzzer-pi-shop || 192.168.42.159 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller || 192.168.42.173 || b8:27:eb:5e:c5:bc || RaspberryPI || [[User:Mugenity|jay]] || || On the roof?<br />
|-<br />
| 137W14 || 192.168.42.197 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.202 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.43.18 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.43.125 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| voip-phone || 192.168.43.165 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || N/A || || Under the network cubby<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.43.189 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|- <br />
| bricolage || 192.168.43.191 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|}<br />
<br />
Static configurations:<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| teletron8000 || 10.0.93.12 || || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can tell which device is talking to them. The same static routes are also set on the router itself, and the DHCP options that carry them are found in LuCI under Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (the default gateway) when classless static route options are present, we include the default route among the static routes we send out.<br />
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (as of 2018-03-21) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''South Green Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
** '''South Cisco Switch'''<br />
*** rfid-access-space<br />
*** voip-grandstream<br />
**** ''teletron8000 line 1'' (Microwave - Dungeon)<br />
**** ''teletron8000 line 2'' (Desk - Get Human)<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the Unifi series of cameras, the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their appliance, which they provide free access to the packages for so you don't need to buy their hardware appliance and instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6547Network Operations2019-03-21T17:14:09Z<p>Mz: /* Static IP allocations (incomplete - online devices as of 2019-03-21) */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests to that hostname. Why?<br />
<br />
=== Comodo ===<br />
<br />
So we have SSL certs for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s instead. They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>), but apparently this is not the case.<br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (incomplete - online devices as of 2019-03-20) ===<br />
<br />
Sorted by IP. There is no system to how these IPs are assigned; each is just whatever DHCP first gave the machine, made permanent through OpenWRT's LuCI.<br />
<br />
Assigned by DHCP:<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| backup-terminal || 192.168.42.5 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konstantin]] now [[User:mz|mz]]-ish || || Attached to the tool shelf<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] || 192.168.42.20 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || N/A || Phone gateway for teletron8000 || In the network cubby<br />
|- <br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] || 192.168.42.157 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| buzzer-pi-shop || 192.168.42.159 || b8:27:eb:b4:da:cb || RaspberryPi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller || 192.168.42.173 || b8:27:eb:5e:c5:bc || RaspberryPI || [[User:Mugenity|jay]] || || On the roof?<br />
|-<br />
| 137W14 || 192.168.42.197 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.202 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.43.18 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.43.125 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|- <br />
| voip-phone || 192.168.43.165 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || N/A || || Under the network cubby<br />
|- <br />
| [[Bo.x0.rs|box0rs]] || 192.168.43.189 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|- <br />
| bricolage || 192.168.43.191 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|}<br />
<br />
Static configurations:<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|-<br />
| teletron8000 || 10.0.93.12 || || [[Bo.x0.rs|box0rs]] || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || asterisk server hosting the phone project || <br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0, 10.8.0.0, 10.0.59.0, and 10.0.93.0 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP to make sure none of the clients run into problems and the containers can tell which device is talking to them. The same static routes are also set on the router itself, and the DHCP options that carry them are found in LuCI under Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since the [https://tools.ietf.org/html/rfc3442 spec] says a client must ignore the Router option (the default gateway) when classless static route options are present, we include the default route among the static routes we send out.<br />
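<br />
As an added illustration of that RFC 3442 rule (this is example code written for this page, not anything running on the space's network), the Python below encodes and decodes DHCP option 121 for the subnets named in the notes above, and checks that a default route is present before the option goes out. It assumes /24 prefixes for the four box0rs subnets (the page gives no prefix lengths), that clients reach box0rs at its DHCP-assigned 192.168.43.189 from the allocation table, and that the main router 192.168.42.1 carries the default route. The comma-separated string it emits for LuCI's DHCP Options field follows dnsmasq's option-121 syntax as I understand it; verify it against the dnsmasq version on the router.<br />
<br />
```python
"""Encode/decode DHCP option 121 (RFC 3442 classless static routes).

Added example, not code from the Hack Manhattan network. The sample data
below is constructed; prefix lengths and gateways are assumptions taken from
the page's allocation tables, not from a live configuration.
"""
import ipaddress
import math

OPTION_CLASSLESS_STATIC_ROUTE = 121

# Constructed sample: default route via the main router, plus the four subnets
# the page says box0rs provides (assumed /24; the page gives no prefix lengths),
# reached via box0rs's own address from the allocation table.
MAIN_ROUTER = "192.168.42.1"
BOX0RS = "192.168.43.189"
ROUTES = [
    ("0.0.0.0/0", MAIN_ROUTER),
    ("10.133.7.0/24", BOX0RS),
    ("10.8.0.0/24", BOX0RS),
    ("10.0.59.0/24", BOX0RS),
    ("10.0.93.0/24", BOX0RS),
]


def encode_route(dest: str, router: str) -> bytes:
    """One RFC 3442 route: prefix length, only the significant destination
    octets (ceil(prefixlen / 8) of them), then the 4-byte router address."""
    net = ipaddress.IPv4Network(dest, strict=True)
    significant = math.ceil(net.prefixlen / 8)
    return (bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + ipaddress.IPv4Address(router).packed)


def encode_option(routes) -> bytes:
    """Full option: code 121, one-byte length, concatenated route entries."""
    body = b"".join(encode_route(d, r) for d, r in routes)
    if len(body) > 255:
        # A single DHCP option carries at most 255 bytes; longer lists need
        # RFC 3396 long-option splitting, which this example does not do.
        raise ValueError("too many routes for one option 121 instance")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(body)]) + body


def decode_option(data: bytes):
    """Parse option 121 back into (destination, router) pairs, rejecting
    truncated or malformed input instead of guessing at it."""
    if len(data) < 2 or data[0] != OPTION_CLASSLESS_STATIC_ROUTE:
        raise ValueError("not a classless static route option")
    body = data[2:2 + data[1]]
    if len(body) != data[1]:
        raise ValueError("option length exceeds available data")
    routes, i = [], 0
    while i < len(body):
        plen = body[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        significant = math.ceil(plen / 8)
        if i + significant + 4 > len(body):
            raise ValueError("truncated route entry")
        dest = body[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        router = body[i:i + 4]
        i += 4
        routes.append((str(ipaddress.IPv4Network((dest, plen))),
                       str(ipaddress.IPv4Address(router))))
    return routes


def has_default_route(routes) -> bool:
    """RFC 3442: a client that sees option 121 must ignore option 3 (Router),
    so the route list itself has to carry 0.0.0.0/0 or clients are left
    without a default gateway."""
    return any(ipaddress.IPv4Network(d).prefixlen == 0 for d, _ in routes)


def dnsmasq_option_string(routes) -> str:
    """The comma-separated form for LuCI's DHCP Options field
    (assumed dnsmasq syntax: 121,<net>,<gw>,<net>,<gw>,...)."""
    return ",".join([str(OPTION_CLASSLESS_STATIC_ROUTE)]
                    + [item for d, r in routes for item in (d, r)])


if __name__ == "__main__":
    option = encode_option(ROUTES)
    print(option.hex())
    print(decode_option(option))
    print("default route present:", has_default_route(decode_option(option)))
    print(dnsmasq_option_string(ROUTES))
```

Run <tt>has_default_route</tt> over whatever list is about to be pasted into LuCI: if it returns False, every client that honours option 121 will drop its default gateway the moment it renews its lease, which is exactly the failure the note above guards against.<br />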
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (definitely outdated as of 2018-03-20) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''Cubby 100MBit Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan will use a Class C subnet: <tt>192.168.42.0/23</tt>. This gives us a theoretical maximum of <tt>510</tt> IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines will be able to set up static IPs in the <tt>192.168.42.1</tt> to <tt>192.168.42.255</tt> range. Sure, one could set up VLANs, but since we don't intend to complicate our setup, a <tt>/23</tt> is a reasonable thing to do.<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Be allocated one. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and Modem for Verizon FiOs<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # Treadnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the Unifi series of cameras, the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their appliance, which they provide free access to the packages for so you don't need to buy their hardware appliance and instead deploy it on your own machine.<br />
<br />
Given that the UVC and the UVC-Micro run for ~100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the appliance would be limited to the board and trusted members of the space. For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone in the inappropriate holes, it will not work. RESOLVED.<br />
* 2016-05-23: Since our wrtnodes that run our streams operate within that band, our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Network_Operations&diff=6546Network Operations2019-03-20T13:16:48Z<p>Mz: /* Network Infrastructure */</p>
<hr />
<div>[[Category:Administration]]<br />
<br />
== Administrivia ==<br />
=== Operations Contact List ===<br />
{| class="wikitable"<br />
! Name !! Email !! Phone<br />
|-<br />
| Hack Manhattan Space VoIP Phone || info@hackmanhattan.com || +1-646-513-4503<br />
|}<br />
<br />
=== Passwords ===<br />
Every board member should have access to most of the relevant passwords. Some passwords for financial accounts are only held by a couple of board members.<br />
<br />
=== IRC ===<br />
At the moment only <tt>guan</tt>, <tt>rmd6502</tt>, and <tt>jacolatern</tt> have <tt>AFRefiorstv</tt> mode on <tt>#hackmanhattan</tt> on Freenode. <tt>obscurite</tt> has <tt>fo</tt> but that's a really weird setup.<br />
<br />
== Out of House Infrastructure and Utilities ==<br />
=== Verizon FiOs ===<br />
The building pays for 150/150 Mbps at $200 monthly.<br />
<br />
=== Digital Ocean ===<br />
We have a virtual machine with Digital Ocean. Backups are done with ? (I can't hear Guan over all this noise and heard something along the lines of dupe or rsync or something with two machines). This machine runs our website, wiki, building website, building wiki, and mailing lists. This is accomplished with a traditional LAMP stack (Apache, MySQL/MariaDB, PHP). We accomplish having multiple websites on the same host with Nginx. The machine's IP is <tt>162.243.60.59</tt>. The typical username is <tt>hackmanhattan</tt> apparently. <tt>hackmanhattan.com</tt> points to a WordPress installation. <tt>wiki.hackmanhattan.com</tt> is a MediaWiki installation. <tt>ratpark.nyc</tt> is also another WordPress setup. <tt>wiki.ratpark.nyc</tt> is of course, MediaWiki. <tt>list.hackmanhattan</tt> is Postfix and Mailman, for mailing lists.<br />
<br />
<tt>members.hackmanhattan.com</tt>, our in-house payment system, is a custom ?. For some reason <tt>list.hackmanhattan.com</tt> responds to requests for that hostname. Why? (Most likely both names resolve to the same host and the web server's default virtual host answers for any name it has no explicit vhost for; worth confirming before assuming anything there is routed on purpose.)<br />
<br />
=== Comodo ===<br />
<br />
So we have TLS certificates for every hostname currently involved except for <tt>ratpark.nyc</tt>, which keeps presenting <tt>hackmanhattan.com</tt>'s certificate instead (typically a sign that no vhost carrying a <tt>ratpark.nyc</tt> certificate is bound for that SNI name, so the default vhost's certificate gets served). They're issued by Comodo. I would've thought we'd have had wildcard certs for both major domains (<tt>*.hackmanhattan.com</tt> and <tt>*.ratpark.nyc</tt>) but apparently this is not the case. <br />
<br />
=== Google Apps ===<br />
<tt>@hackmanhattan.com</tt> (and therefore not <tt>@list.hackmanhattan.com</tt>) addresses are with Google Apps.<br />
<br />
== Network Infrastructure ==<br />
<br />
=== Static IP allocations (incomplete - online devices as of 2019-03-20) ===<br />
<br />
Sorted by IP. There is no system with regards to how these IPs are assigned; it's basically whatever DHCP first gave these machines, made permanent as static leases through OpenWrt's LuCI.<br />
<br />
Assigned by DHCP (static leases keyed on MAC address):<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| voip-grandstream || 192.168.42.33 || 00:0b:82:ad:e8:21 || Grandstream HT814 || N/A || Phone gateway for teletron8000 || In the network cubby<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-building] || 192.168.42.157 || 64:cf:d9:fd:23:00 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || Also hosts the door camera || Building door, top right when you enter<br />
|-<br />
| buzzer-pi-shop || 192.168.42.159 || b8:27:eb:b4:da:cb || Raspberry Pi || [[User:Mugenity|jay]]-ish & [[User:mz|mz]]-ish & [[User:beadsland|beadsland]]-ish || || By the shop buzzer, showing the dashboard<br />
|-<br />
| hydrocontroller || 192.168.42.173 || b8:27:eb:5e:c5:bc || Raspberry Pi || [[User:Mugenity|jay]] || || On the roof?<br />
|-<br />
| 137W14 || 192.168.42.197 || e8:de:27:f9:cc:27 || TP-LINK WR841N || [[User:citybadger|citybadger]] || || Harry Potter Closet<br />
|-<br />
| brother-printer || 192.168.42.202 || 30:05:5c:f6:35:db || Brother HL-L2380DW || N/A || || Under the tool shelf<br />
|-<br />
| chromecast || 192.168.43.18 || 48:d6:d5:39:28:f8 || Chromecast (not 4K) || [[User:mz|mz]] || Shows our space dashboard || Attached to the TV by the desks<br />
|-<br />
| [https://github.com/hackmanhattan/125KHz-door rfid-access-space] || 192.168.43.82 || 64:cf:d9:fd:42:93 || BeagleBone Black || [[User:mz|mz]] & [[User:Guan|Guan]] || || Attached to the back of the space door<br />
|-<br />
| [[Camera|wrtnode-webcam]] || 192.168.43.125 || 66:51:7e:80:06:d6 || WRTNode || [[User:Guan|Guan]]-ish || || Attached to the top right of the network cubby<br />
|-<br />
| backup-terminal || 192.168.43.129 || d8:50:e6:92:f3:c0 || ASUS RT-N66U || formerly [[User:konstantin|konstantin]] now [[User:mz|mz]]-ish || || Attached to the tool shelf<br />
|-<br />
| voip-phone || 192.168.43.165 || 00:0b:82:4d:a0:6c || Grandstream GXP1400 || N/A || || Under the network cubby<br />
|-<br />
| [[Bo.x0.rs|box0rs]] || 192.168.43.189 || f0:de:f1:03:00:0f || Lenovo T410 || [[User:mz|mz]] || || In the network cubby<br />
|-<br />
| bricolage || 192.168.43.191 || 98:90:96:d0:63:4a || Dell Optiplex 9020 || [[User:Beadsland|Beadsland]] & [[User:Mugenity|jay]]-ish || || On the shelf by the window<br />
|}<br />
<br />
Static configurations:<br />
<br />
{| class="wikitable"<br />
|-<br />
! Hostname !! IP address !! MAC address !! Device !! Maintainer !! Comment !! Location<br />
|-<br />
| 3rdfloor || 192.168.42.7 || 64:66:b3:fa:af:c4 || TP-Link TL-WDR4300 v1 || [[User:Guan|Guan]]-ish & [[User:mz|mz]]-ish || AP/switch for the 3rd floor || 3rd floor, left from the office hallway door<br />
|}<br />
<br />
=== Notes about subnets, routes and DHCP ===<br />
<br />
Since [[bo.x0.rs]] provides its own 10.133.7.0/24, 10.8.0.0/24, 10.0.59.0/24, and 10.0.93.0/24 subnets, it essentially acts as a second router. Hence, we send out classless static routes via DHCP so that clients send traffic for those subnets straight to bo.x0.rs rather than bouncing it through the main router, which keeps the clients out of trouble and lets the containers identify which device is talking to them. This also means static routes are set on the router; the necessary DHCP options may be found in LuCI: Network -> Interfaces -> lan -> DHCP -> Advanced -> DHCP Options.<br />
<br />
Since [https://tools.ietf.org/html/rfc3442 RFC 3442] says a client that receives the classless static route option (121) must ignore the router option (3), we include the default route in the static routes we send out; leaving it out would give clients the 10.x routes but no default gateway. Keep in mind that option 121 is also exactly what a rogue DHCP server on the LAN would use to redirect traffic, so anything that can answer DHCP here can steer every client.<br />
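<br />
As an added worked example (not code from this page or from the router's configuration), the following Python script encodes and decodes DHCP option 121 the way RFC 3442 specifies and prints the human-readable form that dnsmasq, and therefore the LuCI DHCP Options field, accepts. The route list is built from the subnets named above; the next hop 192.168.43.189 for the 10.x subnets is an assumption taken from bo.x0.rs's entry in the allocation table, and the default route points at the main router, 192.168.42.1.<br />
<br />
```python
"""RFC 3442 (DHCP option 121) classless static routes: encode, decode, and
emit the dnsmasq/OpenWrt text form.

Added example, not the page's or the router's own code. The next hop for
the 10.x subnets (192.168.43.189, bo.x0.rs) is an assumption taken from the
allocation table; the default route goes to the main router 192.168.42.1.
"""
import ipaddress


def encode_option_121(routes):
    """routes: iterable of (destination CIDR, router IP) string pairs.

    Each route becomes: 1 byte prefix length, then only the significant
    octets of the destination (ceil(prefix / 8) of them), then the 4-byte
    router address. A default route is prefix 0 with no destination octets.
    Destinations with host bits set are refused (strict=True).
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        octets = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:octets]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option_121(data):
    """Inverse of encode_option_121. Raises ValueError on a truncated or
    malformed payload rather than silently yielding a partial route list."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("bad prefix length %d at offset %d" % (plen, i))
        octets = (plen + 7) // 8
        i += 1
        if i + octets + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = bytes(data[i:i + octets]) + bytes(4 - octets)   # pad to 4 octets
        router = bytes(data[i + octets:i + octets + 4])
        i += octets + 4
        net = ipaddress.IPv4Network((dest, plen), strict=True)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def dnsmasq_option(routes):
    """Text form for a dnsmasq dhcp-option line / LuCI 'DHCP Options' entry."""
    return "121," + ",".join("%s,%s" % r for r in routes)


# Routes from this page. The default route must be included: a client that
# sees option 121 ignores option 3 (router), per RFC 3442.
HM_ROUTES = [
    ("10.133.7.0/24", "192.168.43.189"),
    ("10.8.0.0/24", "192.168.43.189"),
    ("10.0.59.0/24", "192.168.43.189"),
    ("10.0.93.0/24", "192.168.43.189"),
    ("0.0.0.0/0", "192.168.42.1"),
]

if __name__ == "__main__":
    payload = encode_option_121(HM_ROUTES)
    print(dnsmasq_option(HM_ROUTES))
    print(payload.hex())
    for net, gw in decode_option_121(payload):
        print("%-16s via %s" % (net, gw))
```
<br />
The decoder is the part worth keeping around: feed it the option 121 bytes the router actually hands out (from a DHCP ACK in a packet capture, or from a client's lease file) and compare against what LuCI is supposed to send; a route you did not configure means something else on the LAN is answering DHCP.<br />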
<br />
'''Dynamic allocations''' start at 192.168.42.150.<br />
<br />
=== Approximate Network Hierarchy (definitely outdated as of 2018-03-20) ===<br />
<br />
Bold entries provide wired or wireless network connectivity to other physical devices. WiFi devices not listed.<br />
<br />
* '''Router'''<br />
** '''Cubby 100MBit Switch'''<br />
*** cnc<br />
*** voip-phone<br />
*** buzzer-pi-shop<br />
*** wrtnode-webcam <br />
*** '''North Switch'''<br />
**** bricolage<br />
**** hydrocontroller<br />
*** '''West Switch'''<br />
**** '''backup-terminal Access Point & Switch'''<br />
***** brother-printer<br />
**** octoprint-main<br />
**** Big Windows Tower<br />
** box0rs<br />
** '''Hallway Gigabit Switch'''<br />
*** rfid-access-building<br />
*** '''137W14'''<br />
**** ?<br />
*** '''3rd floor Access Point & Switch'''<br />
**** Iasmin/Joey Tower<br />
*** '''Secret Loft Repeater''' (Disabled due to misconfiguration)<br />
**** ?<br />
<br />
<br />
{{Template:Outdated}}<br />
<br />
=== IP and DHCP Information (Old-ish) ===<br />
<br />
The previous plan called for a private Class A block (<tt>10.0.0.0/8</tt>). After much thought, it was decided this was unreasonable.<br />
<br />
This new plan uses a /23 carved out of the RFC 1918 <tt>192.168.0.0/16</tt> range: <tt>192.168.42.0/23</tt>, i.e. two contiguous /24s under the mask <tt>255.255.254.0</tt>. This gives us a theoretical maximum of <tt>510</tt> usable IPs. The main router also handles DHCP requests for both wired and wireless clients, assigning IPs from the range <tt>192.168.43.1</tt> to <tt>192.168.43.254</tt>. Wired and wireless machines can use static IPs in the <tt>192.168.42.2</tt> to <tt>192.168.42.255</tt> range (<tt>192.168.42.1</tt> is the router). Sure, one could set up VLANs, but since we don't intend on complicating our setup, a <tt>/23</tt> is a reasonable thing to do. (The current setup described above starts dynamic allocations at <tt>192.168.42.150</tt> instead.)<br />
<br />
{| class="wikitable"<br />
|+ style="text-align: left;" | Information for statically assigned IPs.<br />
|-<br />
! Variable !! Value !! Comment<br />
|-<br />
| IP Address || <tt>n/a</tt> || Get one allocated. Typically incremental. See the allocation table.<br />
|-<br />
| Subnet Mask || 255.255.254.0 || <br />
|-<br />
| Gateway || 192.168.42.1 || <br />
|-<br />
| DNS || 192.168.42.1 || <br />
|}<br />
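<br />
The following Python check is an added example, not part of this page: it classifies an address against the plan above (mask 255.255.254.0, gateway 192.168.42.1, dynamic pool 192.168.43.1 to 192.168.43.254) and lints a list of hostname/IP/MAC rows for addresses that must never be handed out, statics that sit inside the dynamic pool, malformed MACs, and duplicate IPs or MACs. The sample rows are copied from the allocation tables on this page, plus two constructed bad rows so the script has something to flag.<br />
<br />
```python
"""Lint static IP assignments against the 192.168.42.0/23 plan.

Added example, not part of the page. The constants are the plan values
from the table above; SAMPLE_ROWS are copied from this page's allocation
tables plus two constructed rows that should be flagged.
"""
import ipaddress
import re

LAN = ipaddress.IPv4Network("192.168.42.0/23")          # mask 255.255.254.0
GATEWAY = ipaddress.IPv4Address("192.168.42.1")         # router, also DNS
DHCP_POOL = (ipaddress.IPv4Address("192.168.43.1"),
             ipaddress.IPv4Address("192.168.43.254"))
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def classify(ip):
    """Where an address falls in the plan: outside, network, broadcast,
    gateway, dhcp-pool or static."""
    addr = ipaddress.IPv4Address(ip)
    if addr not in LAN:
        return "outside"
    if addr == LAN.network_address:
        return "network"
    if addr == LAN.broadcast_address:       # 192.168.43.255 for this /23
        return "broadcast"
    if addr == GATEWAY:
        return "gateway"
    if DHCP_POOL[0] <= addr <= DHCP_POOL[1]:
        return "dhcp-pool"
    return "static"


def check_table(rows):
    """rows: iterable of (hostname, ip, mac). Returns [(hostname, problem)].

    Flags addresses that must never be assigned, entries inside the dynamic
    pool (fine as a DHCP reservation, a collision waiting to happen as a
    hand-configured static), malformed MACs, and duplicate IPs or MACs.
    """
    problems, seen_ip, seen_mac = [], {}, {}
    for host, ip, mac in rows:
        kind = classify(ip)
        if kind == "outside":
            problems.append((host, "%s is outside %s" % (ip, LAN)))
        elif kind in ("network", "broadcast", "gateway"):
            problems.append((host, "%s is the %s address" % (ip, kind)))
        elif kind == "dhcp-pool":
            problems.append((host, "%s is inside the dynamic pool" % ip))
        mac = mac.lower()                   # compare MACs case-insensitively
        if not MAC_RE.match(mac):
            problems.append((host, "malformed MAC %r" % mac))
        if ip in seen_ip:
            problems.append((host, "IP %s already used by %s" % (ip, seen_ip[ip])))
        if mac in seen_mac:
            problems.append((host, "MAC %s already used by %s" % (mac, seen_mac[mac])))
        seen_ip.setdefault(ip, host)
        seen_mac.setdefault(mac, host)
    return problems


SAMPLE_ROWS = [
    # from the allocation tables on this page
    ("3rdfloor", "192.168.42.7", "64:66:b3:fa:af:c4"),
    ("137W14", "192.168.42.197", "e8:de:27:f9:cc:27"),
    ("brother-printer", "192.168.42.202", "30:05:5c:f6:35:db"),
    ("chromecast", "192.168.43.18", "48:d6:d5:39:28:f8"),   # a DHCP reservation
    # constructed rows that should be flagged
    ("bogus-gateway", "192.168.42.1", "00:11:22:33:44:55"),
    ("dup-printer", "192.168.42.202", "30:05:5C:F6:35:DB"),
]

if __name__ == "__main__":
    for host, problem in check_table(SAMPLE_ROWS):
        print("%-16s %s" % (host, problem))
```
<br />
Paste the rows from the tables above into <tt>SAMPLE_ROWS</tt> whenever the list changes; the duplicate-MAC check is the one that catches a reservation copied to a second hostname, which DHCP would otherwise resolve to whichever lease it saw last.<br />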
<br />
=== Machine and IP Allocation Table (Old) ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! IP !! Hostname !! Device !! Maintainer !! Comment (Location)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Alcatel I-211M-K || Operations || ONT and modem for Verizon FiOS<br />
|-<br />
| 192.168.42.1 || rtr1.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Main router. Also does DNS, DHCP. Channel 1. Nonstandard port for external connections. Nonstandard password. (Hack Manhattan)<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || Netgear JGS516 || Operations || 16 Port Gigabit Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 8 Port Switch<br />
|-<br />
| <tt>n/a</tt> || <tt>n/a</tt> || ? || Operations || 4 Port Switch<br />
|-<br />
| 192.168.42.2 || rtr2.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (2nd Floor Hallway)<br />
|-<br />
| 192.168.42.3 || rtr3.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 6. (3rd Floor Hallway)<br />
|-<br />
| 192.168.42.4 || rtr4.ratpark.net || TP-Link TL-WDR4300 v1 || Operations || Channel 11. (Elevator Machine Room)<br />
|-<br />
| || surv-frontdoor.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (First Floor)<br />
|-<br />
| || surv-main.ratpark.net || WRTnode || Guan Yang || Operates wirelessly. Can we change that? (Hack Manhattan)<br />
|-<br />
| || wrtnode-hmdoor.ratpark.net || WRTnode? || Guan Yang || Controls door strike. (First Floor)<br />
|-<br />
| || octopi.ratpark.net || Raspberry Pi || || Allows for unattended (no computer needed) printing. Username <tt>hackmanhattan</tt>. Canonical password. (Hack Manhattan)<br />
|-<br />
| || boiler-wired.ratpark.net || WRTnode || Guan Yang || Boiler controller and sensor. Is it still in use? (Where in the 3rd floor is the boiler?)<br />
|-<br />
| || hackmanhattan.club || ? || Guan Yang || Is it still in use? (Where is it?)<br />
|-<br />
| || wr703n.ratpark.net || TP-Link TL-WR703N || ? || We definitely do not need this. (Hack Manhattan)<br />
|-<br />
| || quinn.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || ai-stem.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || kiosk.ratpark.net || || || What is this? (Where is it?)<br />
|-<br />
| || !?!?!? || || || The list goes on and on.<br />
|-<br />
| 192.168.43.0 || || || Operations || DHCP Allocation Block<br />
|-<br />
| 192.168.43.255 || || || Operations || Broadcast<br />
|}<br />
<br />
=== Network Diagram ===<br />
==== Current ====<br />
<nowiki><br />
parent_device<br />
|(physical port on parent_device)-(physical port on child_device)child_device<br />
<br />
null can be used where applicable (device only has 1 port, etc.)<br />
? can be used for incomplete data that could not be obtained due to security reasons or other.<br />
<br />
fiosmodem<br />
|(null)-(wan)rtr1<br />
|(1)-(1)jgs516 # Netgear JGS516<br />
|(7)-(null)big-box # Octopi, Big-Box, and Backup_Terminal<br />
|(8)-(8)teg580g # TRENDnet TEG-580g 8 port switch on Laptopia<br />
|(9)-(null)gxp400 # IP Phone<br />
|(15)-(1)rtr2<br />
|(2)-(1)rtr3 # light pink cable that gets painted over on its way up<br />
|(2)-(null)wrtnode # boiler wrtnode<br />
|(3)-(?)firstfloor # goes into box, don't want to break it open<br />
|(4)-(null)null # long blue cable that goes to nothing<br />
|(wan)-(5)tlsg1005d # TP-Link TL-SG1005D<br />
|(4)-(null)ds215j # Synology DS215j<br />
|(1)-(null)null # goes into gray cable that goes to nothing<br />
|(16)-(1)rtr4<br />
|(2)-(null)null # black cable, goes to front of building<br />
|(3)-(null)gx # grandstream telephone line modem/device, need model number<br />
|(4)-(null)null # short blue cable, goes to nothing<br />
</nowiki><br />
<br />
I'm not going to use proprietary diagramming tools or bother writing some script to graph this. Text is enough and more than sufficient for our purposes.<br />
<br />
==== Expected ====<br />
<nowiki><br />
Fiber Modem<br />
|-rtr1.ratpark.net<br />
|-Netgear JGS516<br />
|-IP Phone<br />
|-8 Port Switch On Laptopia<br />
|-Area with octopi, bigbox, and backup terminal?<br />
|-rtr2.ratpark.net<br />
|-First Floor 4 Port Switch<br />
|-rtr3.ratpark.net<br />
|-Stuff in the boiler room?<br />
|-rtr4.ratpark.net?<br />
|-Stuff in the elevator machine room?<br />
</nowiki><br />
<br />
== Security and Liability ==<br />
It would be in our best interests to not homebrew hardware and instead use known commercial hardware. Ubiquiti comes to mind. They have the UniFi series of cameras: the UVC-Micro, UVC, UVC-Dome, and the UVC-Pro. One would use their controller appliance, whose software packages they provide for free, so you don't need to buy their hardware appliance and can deploy it on your own machine instead.<br />
<br />
Given that the UVC and the UVC-Micro run for ~$100 each, it'd be great to cover the first floor, space, machine area, and roof with them. A separate webcam would be used for the public space webcam, and access to the controller would be limited to the board and trusted members of the space (and kept off the network segment guests can reach). For about 400 dollars, we can cover the four spaces and we're not locked into some crappy online "cloud"-based DVR system.<br />
<br />
== Incidents ==<br />
<br />
* 2016-05-31: The space VoIP phone was reported to have no networking. A troubleshooting monkey was dispatched, and it was found that if one plugs said phone into the wrong ports, it will not work. RESOLVED.<br />
* 2016-05-23: Since the WRTnodes that run our streams operate within the 2.4 GHz band (see the DHCP lease problem below), our space stream was no longer accessible (but the front door still was?). This has been rectified by having it connect as a client to a different access point. Resolved.<br />
* 2016-05-23: Whilst performing hotfixes to rectify the 2016-05-23 network problem, one of our volunteer monkeys disabled the wireless interfaces on our space access point, and they are currently still down. Whack the main space stream once this is fixed. UNRESOLVED.<br />
* 2016-05-23: A building community member reported failure to obtain a DHCP lease on all of our access points' 2.4 GHz networks, which is extremely odd since they're all on the same VLAN and on the same hardware as their 5 GHz radio interfaces. Regardless, volunteers attempted to look at the problem, which was magically gone by 2016-05-27. Unable to reproduce. Resolved.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User:Mz&diff=6529User:Mz2019-02-25T23:57:38Z<p>Mz: </p>
<hr />
<div>[[File:Mz.jpg|264px|right]]<br />
<br />
Founding member of [https://metalab.at/ Metalab] ([https://en.wikipedia.org/wiki/Metalab also on Wikipedia]) which sort-of-kind-of helped start the popularisation of the concept of hackerspaces in 2007. Lived in Berlin for a while and found friends at [https://berlin.ccc.de/ Chaos Computer Club Berlin]. I checked out [https://www.noisebridge.net/ Noisebridge] for a while in 2009 (and again in 2014) and also got to be "artist in residence" at NYC Resistor in 2008. In 2013/2014 I spent a lot of time at [http://fubarlabs.org/ FUBAR Labs] in New Jersey, but by now I hang out at HM quite a lot.<br />
<br />
In this whole hacker community thing I'm kind of known for also being involved in the art world. I co-founded the [http://graffitiresearchlab.com/ Graffiti Research Lab] [https://graffitiresearchlab.at/ offshoot in Vienna], and occasionally build installations for artists/designers using rapid prototyping tools, microcontrollers and/or software. I also dealt with my fair share of administrative tasks, having helped distribute city of Vienna's grant money in a self-organised fashion as part of the [https://en.wikipedia.org/wiki/Netznetz NetzNetz] coordination team and dealing with social, bureaucratic and technical (hacker)space issues as part of the Metalab board (2011/2012) or as the co-founder of a 1000m^2 art "off-space" in Vienna (2010).<br />
<br />
Oh yeah, and I initiated [https://en.wikipedia.org/wiki/CryptoParty CryptoParties] back at home.<br />
<br />
[https://niij.org/ website // contact info] (<code>$ gpg --keyserver keys.riseup.net --recv-keys AF47B827FB08B11CBC761B875DE83E90EFFCDDF9</code> although OpenPGP is the worst please don't send me encrypted email)</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=File:Mz.jpg&diff=6528File:Mz.jpg2019-02-25T23:55:54Z<p>Mz: Mz uploaded a new version of File:Mz.jpg</p>
<hr />
<div></div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User:Mz&diff=6527User:Mz2019-02-25T23:55:20Z<p>Mz: </p>
<hr />
<div>[[File:Mz.jpg|200px|right]]<br />
<br />
Founding member of [https://metalab.at/ Metalab] ([https://en.wikipedia.org/wiki/Metalab also on Wikipedia]) which sort-of-kind-of helped start the popularisation of the concept of hackerspaces in 2007. Lived in Berlin for a while and found friends at [https://berlin.ccc.de/ Chaos Computer Club Berlin]. I checked out [https://www.noisebridge.net/ Noisebridge] for a while in 2009 (and again in 2014) and also got to be "artist in residence" at NYC Resistor in 2008. In 2013/2014 I spent a lot of time at [http://fubarlabs.org/ FUBAR Labs] in New Jersey, but by now I hang out at HM quite a lot.<br />
<br />
In this whole hacker community thing I'm kind of known for also being involved in the art world. I co-founded the [http://graffitiresearchlab.com/ Graffiti Research Lab] [https://graffitiresearchlab.at/ offshoot in Vienna], and occasionally build installations for artists/designers using rapid prototyping tools, microcontrollers and/or software. I also dealt with my fair share of administrative tasks, having helped distribute city of Vienna's grant money in a self-organised fashion as part of the [https://en.wikipedia.org/wiki/Netznetz NetzNetz] coordination team and dealing with social, bureaucratic and technical (hacker)space issues as part of the Metalab board (2011/2012) or as the co-founder of a 1000m^2 art "off-space" in Vienna (2010).<br />
<br />
Oh yeah, and I initiated [https://en.wikipedia.org/wiki/CryptoParty CryptoParties] back at home.<br />
<br />
[https://niij.org/ website // contact info] (<code>$ gpg --keyserver keys.riseup.net --recv-keys AF47B827FB08B11CBC761B875DE83E90EFFCDDF9</code> although OpenPGP is the worst please don't send me encrypted email)</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Meeting_2019-02-26&diff=6520Meeting 2019-02-262019-02-25T17:57:54Z<p>Mz: /* Director At Large */</p>
<hr />
<div>==Consensus Agenda==<br />
<br />
== New Business ==<br />
<br />
=== Formerly on Consensus Agenda ===<br />
<br />
=== Sponsored Members Induction ===<br />
For each prospective member, please confirm no later than Thursday before the meeting:<br />
<br />
* Has the member visited 3 times at the regular Tuesday and Thursday open nights?<br />
* Has the member received the briefing? When, and who was the briefer?<br />
* Has the member's bio and photo been circulated on the members list? (not just blabber)<br />
<br />
<br />
==Member Reports==<br />
=== Board Reports===<br />
====President's Report====<br />
====Treasurer's Report====<br />
====Secretary's Report====<br />
<br />
====Directors-at-Large's Report====<br />
<br />
===Member and Project Reports===<br />
<br />
== Elections ==<br />
===President===<br />
<br />
===Treasurer===<br />
<br />
<br />
===Secretary===<br />
<br />
<br />
===Director At Large===<br />
* [[User:mz|mz]]<br />
<br />
=== Results ===<br />
<br />
==Meeting Meta==<br />
* Called to order at <br />
* The meeting was adjourned at <br />
* Minutes taken and submitted by <br />
<br />
[[Category:Meetings]]</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User:Mz&diff=6519User:Mz2019-02-25T17:57:41Z<p>Mz: </p>
<hr />
<div>[[File:Mz.jpg|200px|right]]<br />
<br />
Founding member of [https://metalab.at/ Metalab] ([https://en.wikipedia.org/wiki/Metalab also on Wikipedia]) which sort-of-kind-of helped start the popularisation of the concept of hackerspaces in 2007. Lived in Berlin for a while and found friends at [https://berlin.ccc.de/ Chaos Computer Club Berlin]. I checked out [https://www.noisebridge.net/ Noisebridge] for a while in 2009 (and again in 2014) and also got to be "artist in residence" at NYC Resistor in 2008. In 2013/2014 I spent a lot of time at [http://fubarlabs.org/ FUBAR Labs] in New Jersey, but by now I hang out at HM quite a lot.<br />
<br />
In this whole hacker community thing I'm kind of known for also being involved in the art world. I co-founded the [http://graffitiresearchlab.com/ Graffiti Research Lab] [http://graffitiresearchlab.at/ offshoot in Vienna], and occasionally build installations for artists/designers using rapid prototyping tools, microcontrollers and/or software. I also dealt with my fair share of administrative tasks, having helped distribute city of Vienna's grant money in a self-organised fashion as part of the [https://en.wikipedia.org/wiki/Netznetz NetzNetz] coordination team and dealing with (hacker)space drama as part of the Metalab board (2011/2012) or as the co-founder of a 1000m^2 art "off-space" in Vienna (2010).<br />
<br />
Oh yeah, and I initiated CryptoParties back at home.<br />
<br />
[https://niij.org/ website // contact info] (<code>$ gpg --keyserver keys.riseup.net --recv-keys AF47B827FB08B11CBC761B875DE83E90EFFCDDF9</code> although OpenPGP is the worst please don't send me encrypted email)</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User_talk:Fattminer&diff=6405User talk:Fattminer2018-09-24T23:04:31Z<p>Mz: Welcome!</p>
<hr />
<div>'''Welcome to ''Hack Manhattan Wiki''!'''<br />
We hope you will contribute much and well.<br />
You will probably want to read the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents help pages].<br />
Again, welcome and have fun! [[User:Mz|Mz]] ([[User talk:Mz|talk]]) 23:04, 24 September 2018 (UTC)</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User:Fattminer&diff=6404User:Fattminer2018-09-24T23:04:31Z<p>Mz: Creating user page for new user.</p>
<hr />
<div>Matthew Finer – Bio<br />
<br />
-Age: 23<br />
-Birthplace: Manhattan<br />
-Current Residence: Harrison, NY<br />
-Education: High School, 1 semester of college at Rochester Institute of Technology<br />
-Specialty: FDM 3D printing<br />
<br />
3D printing and product design are my specialties. I'm also very proficient in computer hardware diagnosis/systems design. Always trying to learn, if I can learn or help someone else to learn something new I'm happy to do so. Approachable, just come and talk to me, I'm a nervous guy but I do love to talk to people.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User_talk:Cryptogoth&diff=6403User talk:Cryptogoth2018-09-24T17:10:09Z<p>Mz: Welcome!</p>
<hr />
<div>'''Welcome to ''Hack Manhattan Wiki''!'''<br />
We hope you will contribute much and well.<br />
You will probably want to read the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents help pages].<br />
Again, welcome and have fun! [[User:Mz|Mz]] ([[User talk:Mz|talk]]) 17:10, 24 September 2018 (UTC)</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=User:Cryptogoth&diff=6402User:Cryptogoth2018-09-24T17:10:09Z<p>Mz: Creating user page for new user.</p>
<hr />
<div>Hi I'm a new member. I'm part of a hacker house / arcology in Bushwick, and I'd love to join the Hack Manhattan community.<br />
I'm interested in distributed systems like Ethereum and scuttlebutt, especially for computational living and real estate projects.<br />
I'm currently working on a decentralized resource-sharing Ethereum contract at http://github.com/invisible-college/democracy<br />
In past lives, I've worked on quantum computers, a programming competition for real-time strategy game-playing AIs, and a teaching technique called mob programming.</div>Mzhttps://wiki.hackmanhattan.com/index.php?title=Bo.x0.rs&diff=6401Bo.x0.rs2018-09-22T22:22:38Z<p>Mz: </p>
<hr />
<div>[[File:Box0rs-logo.svg|right|300px]] bo.x0.rs is Hack Manhattan's in-house minimalist '''hackerspace-tinker-tolerant bullshit cloud''' running on a kindly donated ThinkPad T410, so far without backups.<br />
<br />
Why: ease communal development of space projects (ex: hmbot dev deployment), trying out Linux software, run space related services like VPN, [[Camera|space webcam]] proxied (for security and logs), dropboxes for members (nextCloud?), etc. Some of the architecture decisions are inspired by [https://www.qubes-os.org/ Qubes OS]<br />
<br />
For work in progress, see the [https://ghom.niij.org/eaon/bo.x0.rs git repository].<br />
<br />
== Implementation ==<br />
<br />
Status: the management container does not exist yet, functionally speaking. Unprivileged containers and some of the planned services are operational though - kindly assembled by manual labour. No IPv6 setup yet.<br />
<br />
=== Host ===<br />
<br />
<pre>Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz<br />
MemTotal: 8028864 kB <br />
/dev/sda: 111.8 GiB (SSD)<br />
/dev/sdb: 931.5 GiB (USB HDD)<br />
Ethernet: f0:de:f1:03:00:0f (Wake-on-LAN not functional due to BIOS bug)</pre><br />
<br />
=== Host Network ===<br />
<br />
* <code>10.0.93.0/24</code> - bridged and normally routed. Reached by everything in the space, reaches everything in the space. "Do what thou wilt shall be the whole of the law"<br />
* <code>10.8.0.0/24</code> - OpenVPN addresses, bridged and routed. Can reach everything in the space and vice versa.<br />
* <code>10.133.7.0/24</code> - isolated. Can be reached, but can't reach anything on the HM network itself. Exception: may use Tor via SOCKS on <code>10.133.7.1:9050</code> for system updates. For very elite projects.<br />
* <code>10.0.59.0/24</code> - torified. Transparent proxying via Tor. Can be reached, but will route all traffic via Tor. For paranoid projects that need internet.<br />
<br />
=== Current containers ===<br />
<br />
* '''web''' <code>10.0.93.4</code><br />
** Hosts [https://space.bo.x0.rs/sousveillance/ Sousveillance]<br />
** Proxies the [[Camera|camera]]<br />
** Proxies '''clickycloud''' for use from outside the space<br />
* '''vpn''' <code>10.0.93.3</code> & <code>10.8.0.1</code><br />
** OpenVPN for access to the space network (and its regular internet connection) from afar.<br />
*** Currently no automatic user-making process. Bug [[User:mz|mz]] for an account.<br />
* '''management''' <code>10.0.93.2</code><br />
** Doesn't do anything yet<br />
* '''hmbot''' <code>10.0.93.5</code><br />
** Doesn't do anything yet<br />
* '''clickycloud''' <code>10.0.93.6</code><br />
** Hosts https://cloud.bo.x0.rs/, [https://nextcloud.com/ Nextcloud] based digital storage for HM members/bo.x0.rs users.<br />
*** Meant for: personal digital storage, shared group folders (for projects, photos etc.)<br />
*** Soon: User accounts (and their passwords) are shared with the '''management''' container<br />
*** Current: if you want access, send your desired username to [[User:mz|mz]] (Slack, E-Mail, whatever you prefer)<br />
* '''minio'''<br />
** Hosts https://minio.bo.x0.rs/ a [https://github.com/minio/minio minio instance] accessible from the rest of the Internet.<br />
** Mainly used for Octoprint webcam shots that are shown on <code>#3dprint-status</code> on Slack<br />
* '''dns''' <code>10.0.93.8</code><br />
** A Bind9 host that provides internal name records for '''*.bo.x0.rs'''.<br />
** Hosts [https://en.wikipedia.org/wiki/Hesiod_(name_service) Hesiod] style records for convenient access to communal networked infrastructure (logging in with your own usernames and keys rather than sharing a password)<br />
* '''git''' <code>10.0.93.9</code><br />
** Not set up yet, but intended to host a [https://gogs.io/ Gogs] instance<br />
<br />
<br />
== "Specification" ==<br />
<br />
=== Management Container ===<br />
<br />
* Pull SSH keys and username from https://wiki.hackmanhattan.com/index.php?title=User:$username/ssh&action=raw pages on the wiki, where <code>$username</code> is filtered by a whitelist only editable on the host (kind of inspired by [https://www.noisebridge.net/wiki/Resources/Pony Noisebridge's pony] (RIP) but less permissive)<br />
** Probably TOFU: trust what the wiki serves the first time a user is added, then require manual approval of any change pulled from the wiki later, in case the wiki gets compromised<br />
* User passwords are expired on account creation so that on first login via SSH key users are forced to set their own password<br />
* Users are allowed to create new minimal Debian stretch containers and can choose from different network setups (default: IPv6 on)<br />
** Static IPv4 allocation<br />
** NAT<br />
** Static IPv4 allocation + Tor (IPv6 outgoing off)<br />
** Tor (IPv6 outgoing off)<br />
** Isolated (incoming IPv6 on, outgoing off)<br />
* Users can remove or expire containers they put in place<br />
* The management container can reach every container on the network but does not see them in the file system, mainly to enable users to bounce into isolated containers via ssh (see ProxyCommand)<br />
* <code>$HOME</code> on management container could be a tmpfs with exceptions (<code>~/.ssh/</code> and <code>~/$(who).ovpn</code> come to mind)<br />
* Users can't give new mknod privileges to containers, host admins must intervene<br />
* Provide simple how-to via motd<br />
* When creating a new user container, tool waits for configuration dump by the host and displays access information<br />
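<br />
One way the key pull could work, as an added example that is not bo.x0.rs's own code: the script below takes the raw text of the <code>User:$username/ssh</code> pages, keeps only users on the whitelist, parses each line as an OpenSSH public key while refusing option prefixes like <code>command=</code> (which a compromised wiki could use to smuggle in a forced command or environment variable), checks that the key blob's embedded type matches the declared one and that RSA keys are not too short, and then applies only keys whose SHA256 fingerprint has been pinned before; new fingerprints for an already-known user go to a manual approval queue. The page texts, whitelist and pin store are constructed inline so it runs offline, and the key blobs are structurally valid but not real key material.<br />
<br />
```python
"""Pull SSH keys from wiki pages for whitelisted users, pin fingerprints,
and queue unknown keys for manual approval (TOFU with review).

Added example, not bo.x0.rs's own code. In practice the raw text would come
from https://wiki.hackmanhattan.com/index.php?title=User:$username/ssh&action=raw;
here it is constructed inline, with key blobs built from made-up bytes.
"""
import base64
import hashlib

ALLOWED_KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}
RSA_MIN_BITS = 2048


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


def b64(b):
    return base64.b64encode(b).decode()


def parse_authorized_key(line):
    """Parse one authorized_keys line from an untrusted source.

    Only '<type> <base64> [comment]' is accepted: an option prefix such as
    command= or environment= is rejected, the blob must parse cleanly, its
    embedded type must equal the declared one, and short RSA keys are
    refused. Returns (type, blob, comment).
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        raise ValueError("unsupported key type or option-prefixed line")
    ktype, comment = parts[0], parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        raise ValueError("key blob is not valid base64")
    fields, off = [], 0
    while off + 4 <= len(blob):           # walk the length-prefixed fields
        n = int.from_bytes(blob[off:off + 4], "big")
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if off != len(blob) or not fields or fields[0] != ktype.encode():
        raise ValueError("malformed blob or embedded type mismatch")
    if ktype == "ssh-rsa" and (len(fields) != 3 or
            int.from_bytes(fields[2], "big").bit_length() < RSA_MIN_BITS):
        raise ValueError("RSA key malformed or shorter than %d bits" % RSA_MIN_BITS)
    return ktype, blob, comment


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a public-key blob."""
    return "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")


def plan_updates(pages, whitelist, pins):
    """pages: {user: raw page text}; whitelist: users allowed at all;
    pins: {user: set of approved fingerprints}. Returns
    (apply, needs_approval, rejected): a user without pins is trusted on
    first sight; a pinned user gets only approved keys applied and any new
    key queued. A tampered page can at worst lock a user out."""
    apply, needs_approval, rejected = {}, {}, []
    for user, text in pages.items():
        if user not in whitelist:
            rejected.append((user, "not whitelisted"))
            continue
        parsed = []
        for line in text.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            try:
                ktype, blob, comment = parse_authorized_key(line)
            except ValueError as err:
                rejected.append((user, str(err)))
                continue
            parsed.append((fingerprint(blob), ("%s %s %s" % (ktype, b64(blob), comment)).rstrip()))
        known = pins.get(user)
        if known is None:
            apply[user] = parsed
        else:
            apply[user] = [k for k in parsed if k[0] in known]
            new = [k for k in parsed if k[0] not in known]
            if new:
                needs_approval[user] = new
    return apply, needs_approval, rejected


# Constructed sample data: structurally valid blobs, not real keys.
ED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ED_BLOB_NEW = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
RSA_SMALL = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")   # e = 65537
             + ssh_string(b"\x00\x80" + bytes(127)))                 # 1024-bit n
SAMPLE_PAGES = {
    "mz": "ssh-ed25519 %s mz@laptop\nssh-ed25519 %s mz@new-laptop\n" % (b64(ED_BLOB), b64(ED_BLOB_NEW)),
    "guan": ('command="/bin/sh" ssh-ed25519 %s forced-command\n' % b64(ED_BLOB)
             + "ssh-rsa %s too-small\n" % b64(RSA_SMALL)
             + "ssh-ed25519 %s type-mismatch\n" % b64(RSA_SMALL)),
    "notamember": "ssh-ed25519 %s whoever\n" % b64(ED_BLOB),
}
WHITELIST = {"mz", "guan"}
PINS = {"mz": {fingerprint(ED_BLOB)}}

if __name__ == "__main__":
    apply, queue, bad = plan_updates(SAMPLE_PAGES, WHITELIST, PINS)
    print("apply:", {u: [f for f, _ in v] for u, v in apply.items()})
    print("needs approval:", {u: [f for f, _ in v] for u, v in queue.items()})
    print("rejected:", bad)
```
<br />
In a real deployment the whitelist and the pin store live on the host, not in the management container, so that neither the wiki nor a container user can widen them; the entries in <code>apply</code> are what gets written to <code>~/.ssh/authorized_keys</code>, and the <code>needs_approval</code> queue is what an admin reviews before adding a fingerprint to the pins.<br />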
<br />
==== Maybe ====<br />
<br />
* Container types other than Debian stable (for example OpenWRT or any VNC enabled $distro) may be provided if someone puts in the respective work<br />
* Automatically mount broken container rootfs into user <code>$HOME</code>: go fix (it) yourself - the exception to the rule of management container not seeing user files? (Problem with that though: file permissions)<br />
<br />
=== User container ===<br />
<br />
* User created containers are automatically started at boot. If a container fails to boot a certain amount of times, the autostart flag is removed and access ceases until host admins intervene.<br />
* All users with root access can expire containers, getting them automatically discarded. <code>$ date -d "next Monday" +%s > ~root/discard</code><br />
* User containers are allowed to nest containers (making it possible for people to use Docker if they really want to)<br />
<br />
==== Maybe ====<br />
<br />
* Make all containers reachable via name.bo.x0.rs?<br />
<br />
=== Host ===<br />
<br />
* Runs Debian stretch with the latest backports kernel, backports LXC and LXCFS and systemd (to make systemd based unprivileged containers work - no real root for you).<br />
* Is full disk encrypted, password is shared with the HM board<br />
* Containers are located on a zfs mount. Minimise hard disk space waste etc.<br />
* The host has an inotifywait process that checks for new configuration arrivals and puts the new unprivileged containers in place, generates new SSH host keys, adds the users' SSH keys to root@, creates a summary file in the users home on the management container<br />
* Runs a daily systemd-timer at 4am to check for expiration of containers<br />
<br />
==== Maybe ====<br />
<br />
* Have a container that acts as provider for network booting (for public terminals, raspberry pi etc.)<br />
<br />
{{DISPLAYTITLE:bo.x0.rs}}</div>Mz