Meeting (to be) held on 2007/08/14 at 19:00 in Faculty Board Room
- Update on main servers and any new services installed/updated.
- Progress with ISS to get authentication against their servers?
It was found that the ecs radius servers have a network port in the dmz and thus firewall rules are no longer required to allow us to authenticate our users with the ecs radius servers. jay-dmz is now authorized for use by both vpn and auth while wren-dmz still only responds to vpn due to the key not being updated on it to allow a connection from auth. John Winn has been contacted about this issue.
VPN also no longer works since the change which is an issue Dave Tarrant is attempting to sort out.
Since this update however auth now has a splash screen page which can authenticate both sown users (stored in a shadow file with unix encryption on auth) and ecs users (radius) successfully :) Sown users are firstname.lastname@example.org (or just username) and ecs users are email@example.com.
- Update on progress with Campus nodes
A copy of dhcp3 was compiled to fit on the campus nodes and was successfully installed onto the 128mb flash card of sown-zepler, hence the nice event-based scripts can be run when users connect. See sown[at]home for why this turned out to be a waste of time.
- Flash news
- An experimental Fon
- Joining the nodes
Whilst fiddling around with the dhcp3-server it was decided to see if we could get it working on a Fon node running the openWRT image we are attempting to get on the rest of the nodes. The simple answer was NO, too many dependencies. However we did find that dnsmasq, the sort-of makeshift but working dhcp server which comes with openWRT (and debian for that matter), also has an event handler, and there are plenty of binaries for this which include it. We also managed to get bash onto the Fon node, and the script which works on sown-zepler/bluesocket can now be adapted to run on the sown[at]home nodes with dnsmasq. dnsmasq will now also be used on the main nodes to keep down the level of complication for future updates.
Trials have also been going on to find out how to connect the nodes' 10.13.X.0/24 ip ranges, and it was found that pptp over ssh works better than expected, see pptp-ssh. There are however still trials which need to be done on how to get the nodes to re-establish the connection if it is lost. It was also decided at the meeting that xxxx.sown.org.uk should be used as the pptp server, as ROOT access to the server is required by the nodes to set the tunnels up. Dave Tarrant will email the relevant parties to get port 22 allowed to this server from external.
Newer trials today revealed that OpenVPN does work rather nicely and doesn't require root login by the nodes on auth.sown.org.uk, which is much preferred. OpenVPN will also re-establish connections. To make routing easier and firewall configs easy, only a single tap/tun interface will be created on auth.sown.org.uk, which has been assigned 10.13.128.0/20; thus all the nodes which connect to the vpn should get a low-end ip (128.1 - 129.255) and we can start assigning the nodes /26s from within this /20. This means the routes are all neatly aggregated for RIP and the entire network is nicely connected.
IP Address Allocation
- How do we split the network up
- What about IPv6
Nick suspects that we no longer have a physical link to the ipv6 router so it needs to go onto our VLAN.
IPv4:
- Core Network + VPN Clients: 10.13.0.0/24
- Core Nodes Subnets: 10.13.1.0 - 10.13.127.0
- sown[at]home connections: 10.13.128.0 - 10.13.129.254
- sown[at]home subnets: 10.13.130.0 - 10.13.254.0, all as /26s (4 per /24)
IPv6:
- Uplink: 2001:630:d0:f001::X to ECS
- Core Network: 2001:630:d0:fa00::X
- Core Network VPN Clients: 2001:630:d0:fa00::/64
- Core Nodes subnets: 2001:630:d0:faXX::/64 (255)
- sown[at]home connections: 2001:630:d0:fb00::X
- sown[at]home subnets: 2001:630:d0:fbXX::/64 (255)
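The plan above can be checked before any firewall rules or RIP config are written from it. The script below is an added example (not SOWN's own tooling); the networks are constructed from the figures in these minutes, and it enumerates the sown[at]home /26s, checks that no two IPv4 allocations overlap, aggregates the sown[at]home ranges into the fewest prefixes to advertise, and counts how many of those /26s fall inside the /20 assigned to the tun interface on auth.

```python
import ipaddress

# Allocation plan as recorded in the minutes; these objects are constructed
# from that text for illustration and are not taken from any SOWN config.
CORE_NET = ipaddress.ip_network("10.13.0.0/24")            # core network + VPN clients
CORE_NODE_NETS = [ipaddress.ip_network(f"10.13.{n}.0/24") for n in range(1, 128)]
HOME_CONNECTIONS = ipaddress.ip_network("10.13.128.0/23")  # 10.13.128.0 - 10.13.129.254
OPENVPN_TUN_NET = ipaddress.ip_network("10.13.128.0/20")   # the /20 put on auth's tap/tun

def home_subnets():
    """All sown[at]home /26s: four per /24, from 10.13.130.0 through 10.13.254.0."""
    nets = []
    for third in range(130, 255):
        nets.extend(ipaddress.ip_network(f"10.13.{third}.0/24").subnets(new_prefix=26))
    return nets

def home_subnet(index):
    """The index-th /26 (0-based) to hand out to a sown[at]home node."""
    return home_subnets()[index]

def core_node_v6(xx):
    """IPv6 /64 for core node number xx, following the 2001:630:d0:faXX::/64 scheme."""
    if not 0 <= xx <= 0xFF:
        raise ValueError("XX must fit in one byte")
    return ipaddress.ip_network(f"2001:630:d0:fa{xx:02x}::/64")

def plan_is_consistent():
    """True if no two IPv4 allocations overlap and all sit inside 10.13.0.0/16."""
    site = ipaddress.ip_network("10.13.0.0/16")
    nets = sorted([CORE_NET, HOME_CONNECTIONS] + CORE_NODE_NETS + home_subnets(),
                  key=lambda n: n.network_address)
    if not all(n.subnet_of(site) for n in nets):
        return False
    # Sorted by start address, so comparing neighbours is enough to rule out overlap.
    return all(a.broadcast_address < b.network_address for a, b in zip(nets, nets[1:]))

def home_routes_for_rip():
    """Aggregate the sown[at]home ranges into the fewest prefixes to advertise."""
    return list(ipaddress.collapse_addresses([HOME_CONNECTIONS] + home_subnets()))

def home_subnets_inside_tun_net():
    """The assigned /26s that lie within the /20 configured on auth's tun interface."""
    return [n for n in home_subnets() if n.subnet_of(OPENVPN_TUN_NET)]

if __name__ == "__main__":
    print("consistent:", plan_is_consistent())
    for route in home_routes_for_rip():
        print("advertise", route)
    print(len(home_subnets_inside_tun_net()), "of", len(home_subnets()), "/26s inside the /20")
```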
- Next meeting 21/08/2007 B32 Demo Room 7pm Meeting_-_21/08/2007