Network infrastructure

Networks

NOC operates a number of networks, available as tagged VLANs on the core switches:

realfunk — realfunk management network

This network will be used by realfunk to communicate between the ground station and things like SDR or similar stuff mounted on the roof. For now this network does not need DNS or connection to any other network. There also won’t be any network services such as DHCP or recursive DNS. realfunk will probably run their own DHCP server.

svc — Services LAN

This network is intended for services that aren’t directly exposed to users (be they humans or machines); this includes services exposed through a frontend (like realraum web services) and services only meant to be consumed by another service (like a database server).

pub — Publicly-available services

This network is intended for services that can be consumed by non-NOC systems, including our HTTP(S) frontend — entrance, mqtt, …

Services in this network can restrict availability, for instance by only allowing clients connecting from our LANs, or by requiring authentication.

No RFC 1918 subnet is used on this network, only 89.106.211.64/27.

Conventions

• The DNS zone for a given network is NET.realraum.at, with the exception of pub (which uses realraum.at) and VLANs which have no realraum.at zone.
• When a network uses RFC 1918 IP space, it is the 192.168.VID.0/24 subnet; for instance, the iot network has id 33 and uses the 192.168.33.0/24 subnet.
• The gateway for a network is on the last IP for the subnet.

Routing and firewall rules

This network diagram represents networks, and the connection flows between them: an arrow from A to B means that a connection can be opened from network A to network B. In all cases, a subset of ICMP (ECHO, …) is allowed.

Note that any given system might have interfaces in several of these networks.

WiFi

Each location has a single AP, ap{0,1}.mgmt.realraum.at, which provides SSIDs for the IoT network (realstuff) and the LAN (realraum and realraum5); we use Ubiquity hardware running OpenWRT.

Physical locations

The switches have hostnames sw{0,1}.mgmt.realraum.at, and the WiFi access points are similarly ap{0,1}.mgmt.realraum.at. 0 denotes the main room, and 1 denotes the second appartment.

W2 — Room 1

r1w2 has two fiber connections: one to the main room, and one to the radio room. (We use fiber to avoid creating a ground loop between the locations.)

In r1w2, we have a rack hosting a number of devices:

• the patch panel and core switch (sw1.mgmt.realraum.at) for W2;
• the alfred virtualization server;
• miscelaneous devices:
  • RIPE ATLAS probe;
  • some Raspberry Pi belonging to members;
  • …

Note: members setting up devices that only need power and network access should do so in this rack (or even better, run a VM or a container on alfred).

W2 — realfunk

realfunk receives the VLANs trunked on a single fiber; the switch there, sw2, provides untagged ports on guests, 0xFF, and HAMNET, which are labelled on the device. Moreover, a single port (5) has the untagged guests LAN, along with tagged HAMNET packets, used by the desktop computer there.

Moreover, there is a Funkfeuer node there; it does not advertise the realraum SSIDs.

Main room

The main room has its patch panel and core switch (sw0.mgmt.realraum.at) in Cx. The patch panel has a fiber link to r2w1, and a copper link to an external antenna for our link to Funkfeuer.

The network shelf in Cx also houses some important devices:

• gw.realraum.at;
• smsgw.mgmt.realraum.at, plus its mobile phone;
• the PoE injectors for ap0.mgmt.realraum.at and sch24.r3.ffgraz.net;
• test.r3.ffgraz.net, which is a test Funkfeuer node.