SL:Remote Access und SL:Topology: Unterschied zwischen den Seiten
imported>Burghardt |
imported>Burghardt (Die Seite wurde neu angelegt: „The Sensor Lab gets its own separate network. The idea is to have an isolated network with only a small chance to affect the "normal" LAN workstations while allo…“) |
||
Zeile 1: | Zeile 1: | ||
+ | The Sensor Lab gets its own separate network. |
||
− | == Single Hop == |
||
− | Repetition of some well known facts and a standard procedure: |
||
+ | The idea is to have an isolated network with only a small chance to affect the "normal" LAN workstations while allowing all necessary connections (in and out) to work in a comfortable way. |
||
− | * local computers are ''not'' reachable from the outside world as this is the definition of "local" |
||
− | * all our "normal" LANs uses subnets in several sub-ranges of <code>172.16.0.0/12</code>. E.g. Telematic uses <code>172.22.0.0/16</code> |
||
− | * the Sensor Lab's net is ''behind'' a local router <code>172.22.255.253</code>) and uses a private network <code>192.168.22.0/24</code> |
||
− | * standard protocol to access local machines from outside is [[SSH]] |
||
− | * to reach (for example) <code>tmgsim1.sl.tmg.loc</code> you need to login to a public server first and then connect to the final destination |
||
+ | == Topology == |
||
− | ''This does work only if your destination address:port is reachable from the single intermediate hop. '' |
||
+ | A <strike>small computer</strike> Virtual Machine works as a router. The allowed traffic is limited in some ways. The rules are managed by [[User:Burghardt|Udo Burghardt]]. |
||
+ | <pre>root@slgw:~# lsb_release -a; ip a | grep global |
||
+ | No LSB modules are available. |
||
+ | Distributor ID: Ubuntu |
||
+ | Description: Ubuntu 11.10 |
||
+ | Release: 11.10 |
||
+ | Codename: oneiric |
||
+ | inet 172.22.255.253/16 brd 172.22.255.255 scope global eth0 |
||
+ | inet 192.168.22.254/24 brd 192.168.22.255 scope global eth1 |
||
+ | </pre> |
||
− | === Accessing a virtual Windows Desktop from a local Windows machine === |
||
− | * <code>tmgsim4.tmg.loc</code> is running Windows 7 |
||
+ | === IP Ranges === |
||
− | Please note that this machine is ''not'' located in the Sensor Lab Network because of limitations of the available license for [[Qualnet]]. |
||
+ | We use a simple private address block of: |
||
− | ~$ host tmgsim4.tmg.loc |
||
+ | <pre> |
||
− | tmgsim4.tmg.loc has address 172.22.98.204 |
||
+ | ~# ipcalc 192.168.22.0/24 |
||
+ | Address: 192.168.22.0 11000000.10101000.00010110. 00000000 |
||
+ | Netmask: 255.255.255.0 = 24 11111111.11111111.11111111. 00000000 |
||
+ | Wildcard: 0.0.0.255 00000000.00000000.00000000. 11111111 |
||
+ | => |
||
+ | Network: 192.168.22.0/24 11000000.10101000.00010110. 00000000 |
||
+ | HostMin: 192.168.22.1 11000000.10101000.00010110. 00000001 |
||
+ | HostMax: 192.168.22.254 11000000.10101000.00010110. 11111110 |
||
+ | Broadcast: 192.168.22.255 11000000.10101000.00010110. 11111111 |
||
+ | Hosts/Net: 254 Class C, Private Internet |
||
+ | </pre> |
||
+ | === DNS === |
||
− | Use the login server (<code>login.stud.informatik.uni-goettingen.de</code>) and establish Port Forwarding of an arbitray /unused local port (e.g. 12345) to port 3389 on that target machine using [[PuTTY]]. |
||
+ | Dedicated ranges/naming convention: |
||
+ | ;1... : former pool computers "wsxy" |
||
+ | ;31... : "normal" computers "pcxy" |
||
+ | ;60 : the server |
||
+ | ;61... : virtual guests on the server |
||
+ | ;240...: infrastructure |
||
+ | ==== Zone file ==== |
||
− | For reference: the unix command line looks like this: |
||
+ | This is an actual (static) excerpt from the bind zone file: |
||
− | ssh -L 12345:tmgsim4.tmg.loc:3389 username@login.stud.informatik.uni-goettingen.de |
||
+ | <pre> |
||
+ | $ORIGIN tmg.loc. |
||
+ | </pre> |
||
+ | <pre> |
||
+ | ; |
||
+ | ; ws - ehemalige Pool Computer |
||
+ | ; |
||
+ | ws1.sl IN A 192.168.22.1 |
||
+ | ws2.sl IN A 192.168.22.2 |
||
+ | ws3.sl IN A 192.168.22.3 |
||
+ | ws4.sl IN A 192.168.22.4 |
||
+ | ws5.sl IN A 192.168.22.5 |
||
+ | ws6.sl IN A 192.168.22.6 |
||
+ | ws7.sl IN A 192.168.22.7 |
||
+ | ws8.sl IN A 192.168.22.8 |
||
+ | ws9.sl IN A 192.168.22.9 |
||
+ | ws10.sl IN A 192.168.22.10 |
||
+ | ws11.sl IN A 192.168.22.11 |
||
+ | ws12.sl IN A 192.168.22.12 |
||
− | In [[PuTTY]] you need to go to Connections --> SSH --> Tunnels and fill Source Port with 12345 and Destination with <code>tmgsim4.tmg.loc:3389</code>. After pressing "Add" the result is one line in the "Forwarded Ports" list reading: |
||
− | L12345 tmgsim4.tmg.loc:3389 |
||
+ | ; |
||
− | Now you can connect with <code>rdesktop</code> (Linux) or "<code>Remote Desktop Connection</code>" (Windows) to |
||
+ | ; pc - Desktop PC |
||
+ | ; |
||
+ | pc01.sl IN A 192.168.22.31 |
||
+ | pc02.sl IN A 192.168.22.32 |
||
+ | pc03.sl IN A 192.168.22.33 |
||
+ | pc04.sl IN A 192.168.22.34 |
||
+ | |||
− | localhost:12345 |
||
+ | ; |
||
+ | ; tmg94 Host plus Virtual machines |
||
+ | ; |
||
+ | tmg94.sl IN A 192.168.22.60 |
||
+ | IN TXT "VM Host" |
||
+ | server.sl IN CNAME tmg94.sl |
||
+ | |||
+ | tmgsim1.sl IN A 192.168.22.61 |
||
+ | IN TXT "Windows 7" |
||
+ | tmgsim2.sl IN A 192.168.22.62 |
||
− | You will get a windows login screen. Log in with your credentials in the usual form, e.g. <code>UG-STUDENT\username</code> or <code>GWDG\username</code> |
||
+ | IN TXT "Debian Squeeze" |
||
+ | tmgsim3.sl IN A 192.168.22.63 |
||
− | Please note the number of licenses is small, so you might not be able to use Qualnet. |
||
− | <small>Successfully verified: Eduroam/WLAN --> login.stud --> rdesktop --> Qualnet. Udo, 05.10.2011 </small> |
||
+ | ; |
||
− | == Double Hop == |
||
+ | ; ps - power switch |
||
− | * http://sshmenu.sourceforge.net/articles/transparent-mulithop.html |
||
+ | ; |
||
− | Please read and adapt and document here :-) |
||
+ | ps1.sl IN A 192.168.22.241 |
||
+ | ps2.sl IN A 192.168.22.242 |
||
+ | ; |
||
+ | ; sw - Switch |
||
+ | ; |
||
+ | sw.sl IN A 192.168.22.244 |
||
+ | |||
+ | |||
+ | gw.sl IN A 192.168.22.254 |
||
+ | </pre> |
||
+ | |||
+ | ;Example: the gateway is known as: |
||
+ | ~# host gw.sl.tmg.loc |
||
+ | gw.sl.tmg.loc has address 192.168.22.254 |
||
+ | |||
+ | ;Reverse Zone:...is ''not'' prepared as it is not required. |
||
+ | |||
+ | <small> |
||
+ | ---- |
||
+ | ''Hint:'' This is the view from ''inside'' that network. From outside it looks this way: |
||
+ | ~$ host slgw.tmg.loc |
||
+ | slgw.tmg.loc has address 172.22.255.253 |
||
+ | </small> |
||
+ | |||
+ | == Service Availability == |
||
+ | === [[DHCP]] === |
||
+ | The router offers dhcp services using <code>ISC dhcpd</code>. It will deliver the usual information to the clients: address, netmask, gateway, nameservers. Event though the protocol is "dynamic" the configuration is ''static'' to be able to know exactly "who is who". Each computer will always get the same address. |
||
+ | |||
+ | The system wide configuration includes: |
||
+ | <pre> |
||
+ | subnet 192.168.22.0 netmask 255.255.255.0 { |
||
+ | # range 192.168.22.201 192.168.22.211; |
||
+ | option domain-name-servers 134.76.81.212, 134.76.81.104; |
||
+ | option domain-name "sl.tmg.loc"; |
||
+ | option routers 192.168.22.254; |
||
+ | option broadcast-address 192.168.22.255; |
||
+ | }</pre> |
||
+ | |||
+ | Additionally for ''every single'' system which should benefit from dhcp we need an entries like this: |
||
+ | |||
+ | <pre> |
||
+ | host ws1 { |
||
+ | hardware ethernet 00:13:72:8a:bc:41; |
||
+ | fixed-address ws1.sl.tmg.loc; |
||
+ | } |
||
+ | </pre> |
||
+ | |||
+ | |||
+ | You might verify the actual host definitions via |
||
+ | |||
+ | * http://gw.sl.tmg.loc/sensorlab.conf |
||
+ | |||
+ | === [[OpenAFS]] / [[Kerberos]] / [[LDAP]] === |
||
+ | Should work as expected. |
||
+ | |||
+ | === [[SSH]] === |
||
+ | * enabled in all directions (read: especially also from outside into the lab) |
||
+ | |||
+ | === [[ICMP]] === |
||
+ | * all Types enabled |
||
+ | |||
+ | === Web === |
||
+ | * Port 80 and 443 allowed |
||
== See also == |
== See also == |
||
− | * [[SL:Virtual Machines]] |
||
* [[SL:Introduction]] |
* [[SL:Introduction]] |
||
+ | * Schematic: <br /><code>/afs/informatik.uni-goettingen.de/user/s/sensorlab/documents/Documentation/sensorlab-network.dia</code> <br />bzw. "falschrum:" <br /><code>\\afs\informatik.uni-goettingen.de\user\s\sensorlab\documents\Documentation\sensorlab-network.dia</code> <br />... which is accessible only for project members |
||
== Links == |
== Links == |
||
+ | * http://gw.sl.tmg.loc/sensorlab.conf -- configuration of the Hosts |
||
− | * ... |
||
[[Category:Sensorlab]] |
[[Category:Sensorlab]] |
Version vom 23. Oktober 2012, 09:11 Uhr
The Sensor Lab gets its own separate network.
The idea is to have an isolated network with only a small chance to affect the "normal" LAN workstations while allowing all necessary connections (in and out) to work in a comfortable way.
Topology
A small computer Virtual Machine works as a router. The allowed traffic is limited in some ways. The rules are managed by Udo Burghardt.
root@slgw:~# lsb_release -a; ip a | grep global No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 11.10 Release: 11.10 Codename: oneiric inet 172.22.255.253/16 brd 172.22.255.255 scope global eth0 inet 192.168.22.254/24 brd 192.168.22.255 scope global eth1
IP Ranges
We use a simple private address block of:
~# ipcalc 192.168.22.0/24 Address: 192.168.22.0 11000000.10101000.00010110. 00000000 Netmask: 255.255.255.0 = 24 11111111.11111111.11111111. 00000000 Wildcard: 0.0.0.255 00000000.00000000.00000000. 11111111 => Network: 192.168.22.0/24 11000000.10101000.00010110. 00000000 HostMin: 192.168.22.1 11000000.10101000.00010110. 00000001 HostMax: 192.168.22.254 11000000.10101000.00010110. 11111110 Broadcast: 192.168.22.255 11000000.10101000.00010110. 11111111 Hosts/Net: 254 Class C, Private Internet
DNS
Dedicated ranges/naming convention:
- 1...
- former pool computers "wsxy"
- 31...
- "normal" computers "pcxy"
- 60
- the server
- 61...
- virtual guests on the server
- 240...
- infrastructure
Zone file
This is an actual (static) excerpt from the bind zone file:
$ORIGIN tmg.loc.
; ; ws - ehemalige Pool Computer ; ws1.sl IN A 192.168.22.1 ws2.sl IN A 192.168.22.2 ws3.sl IN A 192.168.22.3 ws4.sl IN A 192.168.22.4 ws5.sl IN A 192.168.22.5 ws6.sl IN A 192.168.22.6 ws7.sl IN A 192.168.22.7 ws8.sl IN A 192.168.22.8 ws9.sl IN A 192.168.22.9 ws10.sl IN A 192.168.22.10 ws11.sl IN A 192.168.22.11 ws12.sl IN A 192.168.22.12 ; ; pc - Desktop PC ; pc01.sl IN A 192.168.22.31 pc02.sl IN A 192.168.22.32 pc03.sl IN A 192.168.22.33 pc04.sl IN A 192.168.22.34 ; ; tmg94 Host plus Virtual machines ; tmg94.sl IN A 192.168.22.60 IN TXT "VM Host" server.sl IN CNAME tmg94.sl tmgsim1.sl IN A 192.168.22.61 IN TXT "Windows 7" tmgsim2.sl IN A 192.168.22.62 IN TXT "Debian Squeeze" tmgsim3.sl IN A 192.168.22.63 ; ; ps - power switch ; ps1.sl IN A 192.168.22.241 ps2.sl IN A 192.168.22.242 ; ; sw - Switch ; sw.sl IN A 192.168.22.244 gw.sl IN A 192.168.22.254
- Example
- the gateway is known as:
~# host gw.sl.tmg.loc gw.sl.tmg.loc has address 192.168.22.254
- Reverse Zone
- ...is not prepared as it is not required.
Hint: This is the view from inside that network. From outside it looks this way:
~$ host slgw.tmg.loc slgw.tmg.loc has address 172.22.255.253
Service Availability
DHCP
The router offers dhcp services using ISC dhcpd
. It will deliver the usual information to the clients: address, netmask, gateway, nameservers. Event though the protocol is "dynamic" the configuration is static to be able to know exactly "who is who". Each computer will always get the same address.
The system wide configuration includes:
subnet 192.168.22.0 netmask 255.255.255.0 { # range 192.168.22.201 192.168.22.211; option domain-name-servers 134.76.81.212, 134.76.81.104; option domain-name "sl.tmg.loc"; option routers 192.168.22.254; option broadcast-address 192.168.22.255; }
Additionally for every single system which should benefit from dhcp we need an entries like this:
host ws1 { hardware ethernet 00:13:72:8a:bc:41; fixed-address ws1.sl.tmg.loc; }
You might verify the actual host definitions via
OpenAFS / Kerberos / LDAP
Should work as expected.
SSH
- enabled in all directions (read: especially also from outside into the lab)
ICMP
- all Types enabled
Web
- Port 80 and 443 allowed
See also
- SL:Introduction
- Schematic:
/afs/informatik.uni-goettingen.de/user/s/sensorlab/documents/Documentation/sensorlab-network.dia
bzw. "falschrum:"\\afs\informatik.uni-goettingen.de\user\s\sensorlab\documents\Documentation\sensorlab-network.dia
... which is accessible only for project members
Links
- http://gw.sl.tmg.loc/sensorlab.conf -- configuration of the Hosts