labitat-ansible/documentation, branch 3x1g-bond Unnamed repository; edit this file 'description' to name the repository. space_server: add dedicated VLAN for Tor exit nodes 2021-09-06T19:06:02+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2021-09-06T18:13:20+00:00 6856b82bdcd61ea25cac8bc64a9114d908e6ea9e Move the Tor exit nodes to their own VLAN, and their own address space. Background for move ------------------- For the first Tor exit node, we where able to create inet6num object 2a01:4262:1ab:20::71/128. So we could assign a specific Tor abuse contact. When we added the second node it was no longer possible to create /128 inet6num objects, but only up to /64. We therefore need to move our Tor exit nodes to a dedicated address space. Connection tracking ------------------- Connection tracking is quite expensive, so it's better to only do it for Tor traffic, when we actually need it, which is only when internal clients need to access the servers. In the future conntrack could also be disabled for labicolo in general. Current stats ~~~~~~~~~~~~~ [root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack | grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l 4071 [root@space ~]# wc -l /proc/net/nf_conntrack 39138 /proc/net/nf_conntrack Currently 4071 out of 39138 connections are not Tor related. Also reading /proc/net/nf_conntrack is quite slow atm.: [root@space ~]# time cat /proc/net/nf_conntrack > /dev/null real 0m35.097s user 0m0.010s sys 0m28.114s Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> 
Move the Tor exit nodes to their own VLAN, and
their own address space.

Background for move
-------------------

For the first Tor exit node, we where able to
create inet6num object 2a01:4262:1ab:20::71/128.
So we could assign a specific Tor abuse contact.

When we added the second node it was no longer
possible to create /128 inet6num objects, but
only up to /64. We therefore need to move our
Tor exit nodes to a dedicated address space.

Connection tracking
-------------------

Connection tracking is quite expensive, so
it's better to only do it for Tor traffic,
when we actually need it, which is only when
internal clients need to access the servers.

In the future conntrack could also be disabled
for labicolo in general.

Current stats
~~~~~~~~~~~~~

[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack |
	grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071

[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack

Currently 4071 out of 39138 connections are not Tor related.

Also reading /proc/net/nf_conntrack is quite slow atm.:

[root@space ~]# time cat /proc/net/nf_conntrack > /dev/null

real    0m35.097s
user    0m0.010s
sys     0m28.114s

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
space_server: add labicolo ipv6 range for Esmil 2020-08-13T15:39:06+00:00 Emil Renner Berthing esmil@labitat.dk 2020-08-13T15:36:33+00:00 a5ccc4b5ee50f5fd1efeb967579fa975f769428d 






documentation: update addressplan.txt to match wiki
2020-03-11T06:13:06+00:00

Jesper Hess Nielsen
jesper@graffen.dk

2020-03-11T06:01:38+00:00

b0a2abadbfe406e38d40f557c1339cbd41b0203b












documentation: allocate colo addresses for Graffen
2020-03-07T16:26:27+00:00

Emil Renner Berthing
esmil@labitat.dk

2020-03-07T16:26:16+00:00

f9f0c4a801a5d861f7d61919a22658652be3c4c0












space_server: renumber Fiberby link
2019-05-02T18:00:55+00:00

Asbjørn Sloth Tønnesen
asbjorn@labitat.dk

2019-05-02T17:39:07+00:00

9cb5a0af7f609b7195b1743e4c42613fc30d183f

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>





Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>







space_server: enable NAT64/DNS64 network
2018-12-05T18:21:39+00:00

Emil Renner Berthing
esmil@labitat.dk

2018-12-05T18:07:35+00:00

c624e52a8357da8db022831b86f2c85bb7bfed2f












documentation: addressplan: add Deni's addresses
2018-11-28T20:16:46+00:00

Asbjørn Sloth Tønnesen
asbjorn@labitat.dk

2018-11-26T23:26:18+00:00

f74e8bb74c698a586499568ed578b8966c49bfc5












space_server: add Asbjorn's colo addresses and net
2018-11-28T20:16:46+00:00

Asbjørn Sloth Tønnesen
asbjorn@labitat.dk

2018-11-26T23:26:17+00:00

786884832acd667376cc92d5d7d858dcf545371e












documentation: update and fix addressplan
2018-11-28T20:13:48+00:00

Emil Renner Berthing
esmil@labitat.dk

2018-11-28T19:33:41+00:00

ed9133359abca62f2be8414dca767401565ddb15

- Align addresses
- Prefix ipv4 addresses by network bits + 1 *s
- Prefix ipv6 addresses by network nibbles + 1 *s
- Fix labitat prefix
- Add spacewand and spacebrain addresses





- Align addresses
- Prefix ipv4 addresses by network bits + 1 *s
- Prefix ipv6 addresses by network nibbles + 1 *s
- Fix labitat prefix
- Add spacewand and spacebrain addresses







documentation: add initial addressplan
2018-11-24T19:02:52+00:00

Asbjørn Sloth Tønnesen
asbjorn@labitat.dk

2018-11-23T20:51:20+00:00

ffda72edc80b4719476b095cb35209ff809abf5c