System/Network Overview ======================= Diagram: -------- ![Layer 1 Overview of Network](layer1_overview.png) IPAM / Device Overview: ----------------------- | Name | Location | MGMT IPv4 | MAC | Device | Notes | | ------------------- | ------------ | ------------- | ------------------- | -------------------- | ------------------------------------------------- | | `gigacube-2001` | Büro | `192.168.0.1` | `c8:ea:f8:b6:e9:50` | ZTE MF289F/Gigacube | property of Saxonia Catering/rental from Vodafone | | `gw-core01` | Büro | `10.84.1.1` | `00:1a:8c:48:b3:98` | Sophos SG125r2 | | | `sw-access01` | Büro | `10.84.1.11` | `bc:cf:4f:e3:bb:8d` | Zyxel GS1800-8HP | | | `sw-access02` | Zelt 5 | `10.84.1.12` | `bc:cf:4f:e3:ac:39` | Zyxel GS1800-8HP | | | `sw-access03` | Sozialarbeit | / | / | KTI KGS-510F | manageable but used as a dumb switch | | `hyper01` | Büro | `10.84.1.21` | `00:23:24:54:f0:fe` | Lenovo ThinkCentre ? | | | `monitoring01` | `hyper01` | `10.84.1.51` | `16:b9:13:c3:10:5e` | Proxmox Container | | | `mon-e2e-clients01` | `hyper01` | `10.84.7.30` | `ca:ac:5a:d0:b6:02` | Proxmox Container | used for end to end monitoring of the public net | | `ap-2bbf` | Zelt 4 | `10.84.1.30` | `24:de:c6:cc:2b:bf` | Aruba AP-105 | | | `ap-1a38` | Zelt 5 | `10.84.1.35` | `18:64:72:cf:1a:38` | Aruba AP-105 | | | `ap-ac7c` | Sozialarbeit | `10.84.1.31` | `24:de:c6:c3:ac:7c` | Aruba AP-105 | | | `ap-0b99` | Zelt 2 | `10.84.1.32` | `6c:f3:7f:c9:0b:99` | Aruba AP-105 | | | `ap-c5d1` | Büro | `10.84.1.33` | `ac:a3:1e:cf:c5:d1` | Aruba AP-105 | | | `ap-c495` | Zelt 3 | `10.84.1.34` | `ac:a3:1e:cf:c4:95` | Aruba AP-105 | | | `ap-8f42` | Zelt 1 | `10.84.1.36` | `d8:c7:c8:c2:8f:42` | Aruba AP-105 | | | `ap-8f39` | Zelt 5 | `10.84.1.37` | `??:??:??:??:??:??` | Aruba AP-105 | | Upstream Connectivity: ---------------------- The gigacube itself only get's an RFC1918 address from Vodafone (CGNAT - no IPv6). Our gateway (`gw-core01`) itself also nats, because there is no way to configure additional networks on the gigacube. Currently the generated traffic is directly routed into the internet - without an vpn tunnel. Therefore v4 streams get masqueraded 3 times. Cloud VMs: ---------- | VM Name | IPv4 | IPv6 | Location | Provider | Type | Description | Notes | | ---------------- | -------------- | ------------------------ | -------------------------- | -------- | ---- | ----------------------------------- | --------------------------- | | `eae-adp-jump01` | `162.55.53.85` | `2a01:4f8:c0c:1281::/64` | Germany - Nuerenberg - DC3 | Hetzner | CX11 | vpn and jump host for remote access | kvm access: `@hirnpfirsich` | Networks: --------- | Name | VLAN | v4 Space | v6 Space | Description | | ------------ | ---- | ----------------- | -------- | --------------------------------------------------------------------- | | `mgmt` | 1 | `10.84.1.0/24` | / | default network which is used for administrative and monitoring tasks | | `clients` | 2 | `10.84.4.0/22` | / | this is where the wifi clients live | | `wan` | 3 | `192.168.0.0/24` | / | created by the gigacube. wan for our gateway | | `backbone` | / | `10.84.254.0/30` | / | tunnel network between `gw-core01` and `eae-adp-jump01` | | `backoffice` | 8 | `10.84.8.0/24` | / | backoffice network for the orga | WiFi Networks: -------------- | SSID | Encryption | VLAN | Description | | ------------------------------- | ---------- | ---- | ----------- | | `GU Deutscher Platz` | / | 2 | | | `GU Deutscher Platz Backoffice` | wpa2 psk | 8 | | Remote Access / VPN: -------------------- Remote access is possible via a `eae-adp-jump01`. `gw-core01` digs a wireguard tunnel into `eae-adp-jump01` (network: `10.54.254.0/30`, wg port `51820`). This point-to-point link is used to establish an ospf adjacency between the two routers. (`gw-core01` uses `frr` as the routing daemon, `eae-adp-jump01` uses openbsds own `ospfd`). The most straight forward way to access machines inside the EAE is to use the `ProxyJump` feature of `ssh`. Take a look at the `README.md` in the root of this repo for details. In the future there maybe wg profiles for admins to directly route into the network.