New Network Configuration

over the last couple of months, there have been a few issues related
to the network, along with a few requests for additional features to
be added.

the primary issue is that our network is very flat and very open, and
a few essential services are being provided by some fairly low end
hardware.

the secondary issue is that our network is configured like a large
home network: it's flat and there is very little separation between
devices that perform different tasks. this means that one glitch
basically affects everything. this is why most large networks use
subnets.

i spent the evening making some changes that will hopefully alleviate
some of our woes.

in the past week i have identified three critical problems:

1) the wireless network (hivenet) can be unreliable, and we tend to
troubleshoot problems with it in a manner that's consistent with our home
networks: we unplug things and reset things until it works again.

2) the lab subnet (hacklab) does not play nicely with some hacking
tools that are developed and tested by targeting consumer network
hardware. the purpose of the hacklab is to keep experiments and
demonstrations off of hivenet.

3) the telephone is a pretty important method for guests of the hive
to gain entry to the space and the adapter that connects it to google
voice doesn't handle arbitrary reboots of the entire network.

tl;dr: hivenet is vulnerable to shenanigans, hacklab makes shens fail,
shens make the telephone fail.

to resolve these issues i have made the following changes:

1) i moved hivenet to a separate network from the wired LAN and
connected it directly to the internet. if there is an issue with
internet access on hivenet, you can pull the power for the access
point (the blue linksys box located above the bar) just like you do
with your router at home. if you hit the reset switch on the back, it
will also reboot the router, but it will not wipe out the
configuration. hivenet and the wired network are no longer connected
to each other, so if you are having wifi troubles, there is no reason
to reboot the black firewall box on the top of the server cabinet.

2) i swapped the hardware between hivenet and hacklab: hivenet is now
using the openWRT router with host isolation and hacklab is now
running the factory linksys firmware and 128bit WEP for folks who want
to crack it. hivenet is still using the big antenna, so the signal
strength should be the same as it ever was.

3) i tested the memory on the firewall box and installed pfsense.
pfsense has way more features than IPCop (like IPV6 support) and
hopefully i will be rolling some of them out soon. devices like the
spy camera, telephone, and door switch should not be affected by the
random rebooting of the hivenet router. the internal network is also
connected directly to the internet, and the usual remote access tools
should work.

tl;dr: hivenet is less crashy and more user-serviceable; hacklab is
your neighbors' wifi; the wired network got a major upgrade.

separating the network has created at least one issue which is how to
connect to the network printer. the solution will depend on how we
actually use the network printer.

which devices do people print from the most? do we use laptops with
wifi connections, or the linux desktops on the wired network? i can
add an encrypted access point to the wired network for people to use
their laptops, or i can plug the printer into the wireless network
instead. either way is a slight reduction in convenience, but should
make the network safer for the hive's infrastructure.

since i basically rebuilt the whole network, i am sure i missed a lot
of things. if your device has stopped working, please let me know and
i will do what i can to fix it.

Typically we use the wireless network to access several items on the wired network:

  • Other computers connected to the wired network (SSH into them to do remote work so you can sit and talk with others while working on a computer in another room)
  • The LaserJet 5si is directly connected to the wired network and whenever we need to print documents we print directly to it, usually off wireless
  • The Hivestore fileserver is connected to the wired network, since we do not have stellar internet (only 3 mb/s down) it is used as a cache for larger downloads like Linux Distro images. It is nice to be able to connect to this from your laptop.
  • Troubleshooting the webcam. When trying to figure out why the webcam is not working it is nice to be able to remote directly into the webcam and see if it is serving up images.

Is it still possible to access internal network devices from the wireless network? If not, I would strongly request that we change the network so that we CAN access these devices.

Currently we only have one or two computers on the wired network that will reliably turn on to a usable desktop environment (The laser cutter computer, and… maybe the one on the electronics bench?) Then we have two reliable computers on the wireless network (Cart computer && Glassy).

I have an extra linksys I can bring in if we want to do an encrypted wifi for members to access internal resources.

Just a small addendum to your list of computers, Paul: the computer in the makerbot/laser cutter room works and is on the wired network.

Jon

At one of the shops I work for, printing happens to a Dell 3000CN with
a jetdirect-style ethernet interface.

PC -> simple consumer firewall -> OpenWRT router acting as a wireless
CLIENT -> Industrial grade access point -> wired network -> printer.

It works perfectly, you just have to specify the IP manually.

-D

There is more setup there. We would have to start punching holes in
the firewall with reverse nat for this to work. Or use a VPN. Just
dropping a wifi for members should be an easy fix and is common in
corporate environments to have both a guest network and an internal
wifi as well. I'm down for whatever Chris feels like setting up tho.

Ya, 1-1 NAT or a port forward on a single port (9100) would do it.
Whatever Chris feels like doing.
-D

glassy's reliability is debatable. It hard crashes regularly, and the
wireless quits working fairly often.

However, at the moment, it's the only machine that can talk to the
glass block display in the bathroom, and the Ethernet ports there
aren't connected.

Fyi, I dropped off an extra wifi Linksys. It will need to be reset but could be useful for the internal network. Router is in the makerbot room.

I have another nic to put in hivestor so it can sit on both networks for file serving purposes. i haven’t done it in linux before, but i can probably also set up a print queue on hivestor to print to the printer. since you can ssh to it, this will also serve as a gateway to the internal network until i can get the encrypted wifi set up.

How difficult would it be to make the files on hivestor read only on the public network, and rw on the private?

i haven't gotten too deep into samba permissions, but i'm pretty sure
they're based on the permissions that you authenticate with, so i
think we just have to enable read only access to guests.
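
A sketch of the read-only-on-public, read-write-on-private split asked about above, as an added example that is not part of the thread or the hive's actual configuration. The share names, the path /srv/hivestor, the members group, the interface names and the 192.168.1.x wired subnet are all assumptions.

```ini
# smb.conf sketch (constructed example; addresses, paths, interface
# names and the group name are assumptions, not the hive's real values)
[global]
    # Clients that present an unknown user name are treated as guests
    map to guest = Bad User
    guest account = nobody
    # Serve only on the two NICs (assumed: eth0 = wired, eth1 = hivenet side)
    interfaces = lo eth0 eth1
    bind interfaces only = yes

# Read-only view, reachable from either network, no login required.
# The guest account still needs filesystem read permission on the path.
[hivestor-public]
    path = /srv/hivestor
    guest ok = yes
    read only = yes

# Read-write view of the same directory: authenticated members only,
# and only from the wired subnet. hosts allow takes precedence over
# hosts deny, so everything outside the listed prefixes is refused.
[hivestor]
    path = /srv/hivestor
    guest ok = no
    valid users = @members
    read only = no
    hosts allow = 192.168.1. 127.
    hosts deny = 0.0.0.0/0
```

Running `testparm` after editing reports syntax errors and prints the effective settings for each share.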

Can we move the cable modem over with the rest of the networking equipment? The cable line is run in the same hooks as the ethernet so it will be very easy to move it. If no one wants to do this then I will help.

Also, can we not destroy any more ceiling tiles in the process of moving this stuff? It would have also been nice had all of the debris that fell down from doing that actually been cleaned up off of the floor and not gotten all over the sewing equipment. Let’s at least try to keep the hive clean and respectable.

Jon

Or you could set up Apache to have a dir that is visible publicly, although I think hivestor is probably best left internal

Sorry I was responding to the samba question. But yes to Jon on both things

the ceiling tiles seem to explode if you look at them funny.

Well just don’t try and cut them apart with a knife if you’re not going to be gentle with them, they aren’t meant to be forcefully cut with pocket knives. You could have at least cleaned up all of the dust that was there. That shit was everywhere.

Jon

i didn't cut anything. the hole in the side was there from before, i
just re-used it. the tile broke in two apparently of its own accord.

i should have cleaned up the aftermath. that was my mistake.

Alright, didn’t mean to rag on you. Just getting a bit tired of the perpetual dirtiness of the hive.

If the cable modem gets unplugged for a few minutes while getting moved is anything going to need to be restarted/set back up when it is plugged back in?

Jon

is the coax cable long enough to move the modem?