SL:Remote Access and SL:Topology: difference between pages

From Doc-Wiki
(Difference between pages)
Left: SL:Remote Access (imported>Burghardt)
Right: SL:Topology (imported>Burghardt; page created with the summary: "The Sensor Lab gets its own separate network. The idea is to have an isolated network with only a small chance to affect the "normal" LAN workstations while allo…")
The two pages are reproduced one after the other: SL:Remote Access first, the rendered SL:Topology revision below it.

SL:Remote Access

== Single Hop ==

Repetition of some well known facts and a standard procedure:

* local computers are ''not'' reachable from the outside world, as this is the definition of "local"
* all our "normal" LANs use subnets in several sub-ranges of <code>172.16.0.0/12</code>. E.g. Telematic uses <code>172.22.0.0/16</code>
* the Sensor Lab's net is ''behind'' a local router (<code>172.22.255.253</code>) and uses the private network <code>192.168.22.0/24</code>
* the standard protocol to access local machines from outside is [[SSH]]
* to reach (for example) <code>tmgsim1.sl.tmg.loc</code> you need to log in to a public server first and then connect to the final destination from there

''This works only if your destination address:port is reachable from the single intermediate hop.''

=== Accessing a virtual Windows Desktop from a local Windows machine ===

* <code>tmgsim4.tmg.loc</code> is running Windows 7

Please note that this machine is ''not'' located in the Sensor Lab network because of limitations of the available license for [[Qualnet]]; it sits in the Telematic LAN:

<pre>
~$ host tmgsim4.tmg.loc
tmgsim4.tmg.loc has address 172.22.98.204
</pre>

Use the login server (<code>login.stud.informatik.uni-goettingen.de</code>) and establish port forwarding of an arbitrary, unused local port (e.g. 12345) to port 3389 (RDP) on that target machine using [[PuTTY]].

For reference: the unix command line looks like this:

<pre>
ssh -L 12345:tmgsim4.tmg.loc:3389 username@login.stud.informatik.uni-goettingen.de
</pre>

In [[PuTTY]] you need to go to Connection --> SSH --> Tunnels and fill Source Port with 12345 and Destination with <code>tmgsim4.tmg.loc:3389</code>. After pressing "Add" the result is one line in the "Forwarded Ports" list reading:

<pre>
L12345 tmgsim4.tmg.loc:3389
</pre>

Now you can connect with <code>rdesktop</code> (Linux) or "<code>Remote Desktop Connection</code>" (Windows) to

<pre>
localhost:12345
</pre>

The forwarded port is bound to the loopback interface of your own machine only, and the RDP session travels inside the SSH connection up to the login server.

You will get a Windows login screen. Log in with your credentials in the usual form, e.g. <code>UG-STUDENT\username</code> or <code>GWDG\username</code>.

Please note the number of licenses is small, so you might not be able to use Qualnet.

<small>Successfully verified: Eduroam/WLAN --> login.stud --> rdesktop --> Qualnet. Udo, 05.10.2011</small>

== Double Hop ==

If the final destination is ''not'' reachable from the login server (e.g. a machine inside <code>192.168.22.0/24</code>, which only the lab router can reach), a second hop is needed:

* http://sshmenu.sourceforge.net/articles/transparent-mulithop.html

Please read and adapt and document here :-)
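The hop planning and the ssh_config chaining below are an added example, not content from this wiki page. It covers both the single-hop RDP forward above and the double hop this section asks for. The reachability table, the ProxyCommand chain, the placeholder user name and the assumption that slgw.tmg.loc accepts SSH from the login server are this example's, not the lab's documented setup.

```python
"""Added example, not from the wiki page: which SSH hops are needed to reach
a given Sensor Lab address, and an ssh_config fragment that chains them.

The reachability table is constructed from the facts on this page: the public
login server can reach the 172.16.0.0/12 LAN ranges (tmgsim4 at 172.22.98.204,
the lab router slgw at 172.22.255.253), and only the router reaches
192.168.22.0/24.  That slgw accepts SSH from the login server, the user name,
and OpenSSH's ProxyCommand/-W syntax are assumptions of this example."""
import ipaddress

LOGIN = "login.stud.informatik.uni-goettingen.de"
SLGW = "slgw.tmg.loc"   # 172.22.255.253 seen from the LAN, gw.sl.tmg.loc inside

# hop -> networks that hop can open TCP connections into (constructed table)
REACH = {
    LOGIN: [ipaddress.ip_network("172.16.0.0/12")],
    SLGW: [ipaddress.ip_network("192.168.22.0/24")],
}
CHAIN = [LOGIN, SLGW]   # order in which the hops are traversed from outside


def plan_hops(target_ip):
    """Return the jump hosts needed to reach target_ip, outermost first.

    This is the check behind "only if your destination is reachable from the
    single intermediate hop": one hop for 172.22.x.x, two for 192.168.22.x."""
    addr = ipaddress.ip_address(target_ip)
    hops = []
    for hop in CHAIN:
        hops.append(hop)
        if any(addr in net for net in REACH[hop]):
            return hops
    raise ValueError(f"{target_ip} is not reachable from any hop in {CHAIN}")


def forward_cmd(local_port, target_host, target_port, hop):
    """Single-hop local port forward, the RDP recipe on this page.

    -L binds local_port on the loopback interface only, so the forwarded
    service is exposed to nothing but processes on your own machine."""
    return f"ssh -N -L {local_port}:{target_host}:{target_port} {hop}"


def ssh_config(user):
    """ssh_config fragment for the transparent double hop.

    The most specific Host block comes first because ssh keeps the first
    value it obtains for each option.  %h in a ProxyCommand is passed to the
    proxy host unresolved, so names that only exist inside the lab
    (tmgsim1.sl.tmg.loc, gw.sl.tmg.loc) work without local DNS for them."""
    return "\n".join([
        "Host *.sl.tmg.loc",
        f"    User {user}",
        f"    ProxyCommand ssh -W %h:%p {SLGW}",
        "",
        "Host *.tmg.loc",              # slgw.tmg.loc and tmgsim4.tmg.loc
        f"    User {user}",
        f"    ProxyCommand ssh -W %h:%p {LOGIN}",
        "",
        f"Host {LOGIN}",
        f"    User {user}",
        "",
    ])


if __name__ == "__main__":
    print(plan_hops("172.22.98.204"))   # single hop via the login server
    print(plan_hops("192.168.22.61"))   # double hop: login server, then slgw
    print(forward_cmd(12345, "tmgsim4.tmg.loc", 3389, LOGIN))
    print(ssh_config("username"))
```

Put the fragment into ~/.ssh/config (or a separate file used with ssh -F) and check what ssh will actually do for a name with `ssh -G tmgsim1.sl.tmg.loc` (OpenSSH 6.8 or later), which prints the effective ProxyCommand. Each ssh in the chain still verifies the host key of its own hop, so the first connection to slgw through the login server prompts for slgw's key just like a direct one would.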
 
== See also ==
* [[SL:Virtual Machines]]
* [[SL:Introduction]]

== Links ==
* ...

[[Category:Sensorlab]]

SL:Topology

Revision as of 23 October 2012, 09:11

The Sensor Lab gets its own separate network.

The idea is to have an isolated network with only a small chance to affect the "normal" LAN workstations while allowing all necessary connections (in and out) to work in a comfortable way.

Topology

A Virtual Machine (host name slgw) works as the router between the Telematic LAN and the lab network: eth0 carries 172.22.255.253/16 on the LAN side, eth1 carries 192.168.22.254/24 on the lab side. Only selected traffic is allowed through (see Service Availability below); the rules are managed by Udo Burghardt.

root@slgw:~# lsb_release -a; ip a | grep global
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 11.10
Release:        11.10
Codename:       oneiric
    inet 172.22.255.253/16 brd 172.22.255.255 scope global eth0
    inet 192.168.22.254/24 brd 192.168.22.255 scope global eth1


IP Ranges

We use a simple private address block of:

~# ipcalc 192.168.22.0/24
Address:   192.168.22.0         11000000.10101000.00010110. 00000000
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   192.168.22.0/24      11000000.10101000.00010110. 00000000
HostMin:   192.168.22.1         11000000.10101000.00010110. 00000001
HostMax:   192.168.22.254       11000000.10101000.00010110. 11111110
Broadcast: 192.168.22.255       11000000.10101000.00010110. 11111111
Hosts/Net: 254                   Class C, Private Internet

DNS

Dedicated ranges (last octet of 192.168.22.x) / naming convention:

  • 1...    former pool computers "wsxy"
  • 31...   "normal" computers "pcxy"
  • 60      the server
  • 61...   virtual guests on the server
  • 240...  infrastructure

Zone file

This is an actual (static) excerpt from the bind zone file:

$ORIGIN tmg.loc.
;
; ws - ehemalige Pool Computer
;
ws1.sl         IN      A               192.168.22.1
ws2.sl         IN      A               192.168.22.2
ws3.sl         IN      A               192.168.22.3
ws4.sl         IN      A               192.168.22.4
ws5.sl         IN      A               192.168.22.5
ws6.sl         IN      A               192.168.22.6
ws7.sl         IN      A               192.168.22.7
ws8.sl         IN      A               192.168.22.8
ws9.sl         IN      A               192.168.22.9
ws10.sl        IN      A               192.168.22.10
ws11.sl        IN      A               192.168.22.11
ws12.sl        IN      A               192.168.22.12


;
; pc - Desktop PC
;
pc01.sl         IN      A               192.168.22.31
pc02.sl         IN      A               192.168.22.32
pc03.sl         IN      A               192.168.22.33
pc04.sl         IN      A               192.168.22.34

                
;
; tmg94 Host plus Virtual machines
;
tmg94.sl        IN      A               192.168.22.60
                IN      TXT             "VM Host"
server.sl       IN      CNAME           tmg94.sl
                
tmgsim1.sl      IN      A               192.168.22.61
                IN      TXT             "Windows 7"

tmgsim2.sl      IN      A               192.168.22.62
                IN      TXT             "Debian Squeeze"

tmgsim3.sl      IN      A               192.168.22.63


;
; ps - power switch
;
ps1.sl          IN      A               192.168.22.241
ps2.sl          IN      A               192.168.22.242

;
; sw - Switch
;
sw.sl           IN      A               192.168.22.244


gw.sl           IN      A               192.168.22.254

Example: the gateway is known as:

~# host gw.sl.tmg.loc
gw.sl.tmg.loc has address 192.168.22.254

Reverse zone: ...is not prepared as it is not required.


Hint: This is the view from inside that network. From outside it looks this way:

~$ host slgw.tmg.loc
slgw.tmg.loc has address 172.22.255.253

Service Availability

DHCP

The router offers DHCP using ISC dhcpd. It delivers the usual information to the clients: address, netmask, gateway, nameservers. Even though the protocol is "dynamic", the configuration is static so that we always know exactly "who is who": each computer is identified by its MAC address and always gets the same address (the dynamic range in the subnet block below is commented out on purpose). Keep in mind that a MAC address is trivially changed, so this mapping is an inventory aid, not an access control.

The system wide configuration includes:

subnet 192.168.22.0 netmask 255.255.255.0 {
#  range 192.168.22.201 192.168.22.211;
   option domain-name-servers 134.76.81.212, 134.76.81.104;
   option domain-name "sl.tmg.loc";
   option routers 192.168.22.254; 
   option broadcast-address 192.168.22.255;
}

Additionally, for every single system that should get a lease, we need an entry like this:

host ws1 {
        hardware ethernet 00:13:72:8a:bc:41;
        fixed-address ws1.sl.tmg.loc;
}


You can verify the actual host definitions via

  • http://gw.sl.tmg.loc/sensorlab.conf (the name gw.sl.tmg.loc resolves only inside the lab network, see the DNS section)
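The consistency check below is an added example, not code from the page or the lab. It parses zone records of the form shown in the zone file excerpt and dhcpd host blocks of the form shown here, and reports a host whose fixed-address has no A record, whose address leaves 192.168.22.0/24 or the range its name prefix should sit in, or whose MAC or address is already used by another host. The sample zone and dhcpd text are constructed for the example, and the upper bound of each naming range is an assumption.

```python
"""Added example, not from the wiki page: cross-check the static dhcpd host
entries against the bind zone, so "who is who" really holds.

The zone and dhcpd text below are constructed from the records on this page;
the duplicate MAC (ws2), the missing zone entry (pc05) and the out-of-range
address (ws9) are deliberate.  The upper bound of each naming range is this
example's reading of "1...", "31...", "61...", "240..." on the page."""
import ipaddress
import re

ORIGIN = "tmg.loc"
LAB_NET = ipaddress.ip_network("192.168.22.0/24")

# host-name prefix -> allowed last octet (naming convention from this page)
RANGES = {
    "ws": range(1, 31),         # former pool computers
    "pc": range(31, 60),        # "normal" desktop PCs
    "tmg": range(60, 61),       # the VM host
    "tmgsim": range(61, 240),   # virtual guests on the server
    "ps": range(240, 254),      # infrastructure: power switches,
    "sw": range(240, 254),      # the switch,
    "gw": range(254, 255),      # and the gateway
}

A_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)
HOST_RE = re.compile(r"host\s+(\S+)\s*\{([^}]*)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
FIXED_RE = re.compile(r"fixed-address\s+([^;\s]+)\s*;")


def parse_zone(text):
    """Map fully qualified name -> address for every A record in the zone."""
    return {f"{name}.{ORIGIN}": ipaddress.ip_address(ip)
            for name, ip in A_RE.findall(text)}


def parse_dhcpd(text):
    """List of (host, mac, fixed-address) taken from static host {} blocks."""
    hosts = []
    for name, body in HOST_RE.findall(text):
        mac, fixed = MAC_RE.search(body), FIXED_RE.search(body)
        if mac and fixed:
            hosts.append((name, mac.group(1).lower(), fixed.group(1).rstrip(".")))
    return hosts


def check(zone_text, dhcpd_text):
    """Return a list of readable problems; an empty list means consistent."""
    zone = parse_zone(zone_text)
    problems, seen_mac, seen_addr = [], {}, {}
    for host, mac, fixed in parse_dhcpd(dhcpd_text):
        if mac in seen_mac:
            problems.append(f"{host}: MAC {mac} also used by {seen_mac[mac]}")
        seen_mac.setdefault(mac, host)
        try:
            addr = ipaddress.ip_address(fixed)   # literal address
        except ValueError:
            addr = zone.get(fixed)                # a name: must have an A record
        if addr is None:
            problems.append(f"{host}: fixed-address {fixed} has no A record in the zone")
            continue
        if addr not in LAB_NET:
            problems.append(f"{host}: {addr} is outside {LAB_NET}")
            continue
        if addr in seen_addr:
            problems.append(f"{host}: address {addr} also used by {seen_addr[addr]}")
        seen_addr.setdefault(addr, host)
        prefix = re.match(r"[a-z]*", host).group(0)
        last = int(str(addr).rsplit(".", 1)[1])
        allowed = RANGES.get(prefix)
        if allowed is not None and last not in allowed:
            problems.append(f"{host}: last octet {last} outside the {prefix} "
                            f"range {allowed.start}-{allowed.stop - 1}")
    return problems


# constructed sample input (zone excerpt and dhcpd host blocks)
ZONE = """\
$ORIGIN tmg.loc.
ws1.sl          IN      A               192.168.22.1
ws2.sl          IN      A               192.168.22.2
ws9.sl          IN      A               192.168.22.40
pc01.sl         IN      A               192.168.22.31
tmg94.sl        IN      A               192.168.22.60
                IN      TXT             "VM Host"
tmgsim1.sl      IN      A               192.168.22.61
gw.sl           IN      A               192.168.22.254
"""

DHCPD = """\
host ws1 { hardware ethernet 00:13:72:8a:bc:41; fixed-address ws1.sl.tmg.loc; }
host ws2 { hardware ethernet 00:13:72:8A:BC:41; fixed-address ws2.sl.tmg.loc; }
host pc05 { hardware ethernet 00:13:72:00:00:05; fixed-address pc05.sl.tmg.loc; }
host ws9 { hardware ethernet 00:13:72:00:00:09; fixed-address ws9.sl.tmg.loc; }
host pc01 {
        hardware ethernet 00:13:72:00:00:01;
        fixed-address 192.168.22.31;
}
"""

if __name__ == "__main__":
    for problem in check(ZONE, DHCPD):
        print(problem)
```

Run it against the real zone file and the sensorlab.conf from the link above to get an empty list; anything it prints is a host that dhcpd will hand an address the DNS view does not agree with, or two machines that would fight over one lease.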
OpenAFS / Kerberos / LDAP

Should work as expected.

SSH

  • enabled in all directions (read: especially also from outside into the lab)

ICMP

  • all types enabled

Web

  • Port 80 and 443 allowed

See also

  • SL:Introduction
  • Schematic:
    /afs/informatik.uni-goettingen.de/user/s/sensorlab/documents/Documentation/sensorlab-network.dia
    bzw. "falschrum:"
    \\afs\informatik.uni-goettingen.de\user\s\sensorlab\documents\Documentation\sensorlab-network.dia
    ... which is accessible only for project members

Links

  • http://gw.sl.tmg.loc/sensorlab.conf -- configuration of the hosts