Commit 0addff22 authored by Simon Terzenbach

Initial commit FFKA DOCs

parent b3e51776
# NYC Mesh Docs
# FFKA Docs
## Install
baseurl = ""
relativeurls = true
languageCode = "en-us"
title = "NYC Mesh Docs"
languageCode = "de-de"
title = "VZFFNRMO Docs"
pluralizeListTitles = false
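Review bot: the new site `title = "VZFFNRMO Docs"` does not match the `# FFKA Docs` heading that replaces `# NYC Mesh Docs` in the README hunk above; settle on one project name and use it in both places (the peering pages in this commit use "VZFFNRMO", so either `title = "VZFFNRMO Docs"` with a matching README heading, or "FFKA" in both). Note also that `languageCode` is switched to "de-de" while nearly all page content added in this commit is still English; consider changing the code together with the translation.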
---
title: "Documentation"
title: "Dokumentation"
---
[Join](https://nycmesh.net/join) our community-owned network to replace your current internet connection.
[Mach mit](https://karlsruhe.freifunk.net/mitmachen/) Wir bauen ein regionales WLAN-Netzwerk in Karlsruhe und Umgebung und bieten dabei freien Internetzugang an.
Our [Slack chat](https://slack.nycmesh.net/) is a great resource to connect with our active community.
Dafür benötigen wir deine Unterstützung!
[Getting Started](/intro/gettingstarted)
[Erste Schritte](/intro/ersteschritte)
[Hardware](/hardware)
[Networking and Architecture](/networking)
[Netzwerkarchitektur](/networking)
[NYC Mesh Main Site →](https://nycmesh.net)
[Kontakt](/organisation/kontakt)
[Hauptseite →](https://karlsruhe.freifunk.net)
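Review bot: the renamed link target `/intro/ersteschritte` and the new `/organisation/kontakt` need matching content pages in this commit, otherwise the landing page ships with dead links; `Netzwerkarchitektur` keeps the English path `/networking`, so either rename that target as well or keep the English paths for all three to stay consistent. The `[Hardware](/hardware)` entry is the only list item left untranslated between the German call to action and the German links; translate it in the same change.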
---
title: "Backbone"
---
This part of the documentation gives a detailed overview of our public ASN infrastructure.
---
title: "BGP"
---
The [Border Gateway Protocol](https://tools.ietf.org/html/rfc4271) (BGP) is an inter-Autonomous System routing protocol.
---
title: "Peering"
---
### Verein zur Förderung freier Netze Region Mittlerer Oberrhein e.V. is operating **AS202329**
### Our peering policy is **Yes**
Please [contact us](mailto:noc@karlsruhe.freifunk.net) to peer with our network.
Note that this is our public ASN, not the Mesh Network itself.
This community-run public network supplies all Verein zur Förderung freier Netze Region Mittlerer Oberrhein e.V. projects with net-neutral internet connectivity to support the community. If you would like to join the Mesh Network, please visit our [Join Page](/join) to make use of this network.
**Peering Policy**
* VZFFNRMO has an open peering policy.
* We have no requirements in terms of traffic, size, support/SLA, etc.
* We operate both IPv4 and IPv6. Peering via both protocols is appreciated.
**Locations**
| Building | Address | Ports |
| -------- | ----------------------------------------- | -------- |
| - - - | Lorzenstraße/Brauerstraße, Karlsruhe, BW | 1G / 10G |
More locations coming soon.
**Peering Data**
* ASN: 202329
* IRR AS-SET: AS-VZFFNRMO
* Peering Contact: noc@karlsruhe.freifunk.net
* Recommended Max Prefix IPv4: 2
* Recommended Max Prefix IPv6: 12
* PeeringDB Page: [https://as202329.peeringdb.com](https://as202329.peeringdb.com)

As a non-profit, please consider providing as many routes as possible, including upstream or other routes.
**Peers**
We have direct peering sessions with the following networks.
Thank you to those who have peered!
| ASN | Organization | Exchange |
| ------- | ---------------------------------------- | --------- |
| AS6939 | Hurricane Electric LLC | - - - |
| AS64475 | Freifunk Frankfurt am Main e.V. | - - - |
---
title: "Peering Deutsch"
---
### Verein zur Förderung freier Netze Region Mittlerer Oberrhein e.V. is operating **AS202329**
### Our peering policy is **Yes**
Please [contact us](mailto:noc@karlsruhe.freifunk.net) to peer with our network.
Note that this is our public ASN, not the Mesh Network itself.
This community-run public network supplies all Verein zur Förderung freier Netze Region Mittlerer Oberrhein e.V. projects with net-neutral internet connectivity to support the community. If you would like to join the Mesh Network, please visit our [Join Page](https://karlsruhe.freifunk.net/mitmachen/) to make use of this network.
**Peering Policy**
* VZFFNRMO has an open peering policy.
* We have no requirements in terms of traffic, size, support/SLA, etc.
* We operate both IPv4 and IPv6. Peering via both protocols is appreciated.
**Locations**
| Building | Address | Ports |
| -------- | ----------------------------------------- | -------- |
| - - - | Lorzenstraße/Brauerstraße, Karlsruhe, BW | 1G / 10G |
More locations coming soon.
**Peering Data**
* ASN: 202329
* IRR AS-SET: AS-VZFFNRMO
* Peering Contact: noc@karlsruhe.freifunk.net
* Recommended Max Prefix IPv4: 2
* Recommended Max Prefix IPv6: 12
* PeeringDB Page: [https://as202329.peeringdb.com](https://as202329.peeringdb.com)

As a non-profit, please consider providing as many routes as possible, including upstream or other routes.
**Peers**
We have direct peering sessions with the following networks.
Thank you to those who have peered!
| ASN | Organization | Exchange |
| ------- | ---------------------------------------- | --------- |
| AS6939 | Hurricane Electric LLC | - - - |
| AS64475 | Freifunk Frankfurt am Main e.V. | - - - |
---
title: "Configs"
weight: 99
---
**List of devices we use and links to standard configs and firmware**
This doc is in progress. Please add links below to the specific config instructions.
**What is immediately needed is an [SXTsq VPN kiosk client config](#sxtVpn)**
We also need a simple way to log into a CPE through an OmniTik or EdgePoint BGP config.
## SXTsq
* [Kiosk client](#sxtKiosk)
* [Kiosk client + vpn?](#sxtVpn)
* [OmniTik client](#sxtClient)
* [Point-to-point](#sxtP2P)
## LiteBeams
* SN1 192.168.42.x orig config
* SN2 (WPA: nycmeshnet)
* Hub configs
* P2P
## LiteAC / LBE120 Sector
* SN and Hub
## OmniTik
* BGP/WDS
* Simple hub
## EdgePoint
* Switch
* BGP
## NanoStation NSM5
* Dan Grinkevich image (qMp/bmx6/tinc)
* Joachim’s image (LEDE/bmx6)
## TPLink TL-WR841N
---
### <a name="sxtKiosk"></a>SXTsq kiosk
The following works with a new SXTsq or a reset SXTsq. To reset an SXTsq, hold the reset button for 10 seconds while the unit is running.
SSH into 192.168.88.1 and paste this:
```
/interface wireless security-profiles
add authentication-types=wpa-eap,wpa2-eap eap-methods=eap-ttls-mschapv2 group-ciphers=tkip,aes-ccm mode=dynamic-keys mschapv2-password=5fsOpxER mschapv2-username=anonymous@citybridge.com name=linknyc supplicant-identity=anonymous@citybridge.com tls-mode=dont-verify-certificate unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country="united states2" default-authentication=no disabled=no frequency=auto security-profile=linknyc ssid="LinkNYC Private" wireless-protocol=802.11
/interface wireless connect-list
add interface=wlan1 security-profile=linknyc ssid="LinkNYC Private" wireless-protocol=802.11
```
This script automatically connects the SXTsq to the private LinkNYC Kiosk channel. No login is required.
### <a name="sxtVpn"></a>SXTsq VPN
Lots of requests for this!
### <a name="sxtClient"></a>SXTsq Client
Assign a static IP to the computer you connect from:
- IP address: 192.168.88.5
- Subnet mask: 255.255.255.0
**Reset**
Press the reset button WHILE powering on the unit by plugging in the PoE cable.
Once one of the LEDs begins to flash white/blue (about 5 seconds), release the reset button while it is flashing. After one minute the device will be ready.
**Connect to GUI**
Open your browser and connect to http://192.168.88.1/
- Default username: admin
- Default password: (leave empty)
**Name the device**
WebFig (top right button)
System > Identity
- Set the identity to `nycmesh-nnn`, where nnn is the node id
**Set a password**
System > Password
**Firewall**
IP > Firewall
- Edit rule 4, the one commented `;;; defconf: drop all not coming from LAN`:
- Remove "In. Interface List" by clicking the up-facing arrow
- Set "In. Interface" to 'wlan1'
**Bridge**
Bridge
- Add new
- Set Protocol Mode to "none"
- Hit Apply and OK
IP > DHCP Server
- Disable it by clicking the small [D] button
IP > DHCP Client
- Change Interface to bridge1
- Hit Apply and OK
**Wireless**
Wireless > Security Profiles (tab)
- Add new
- Name: nycmeshnet
- Uncheck WPA PSK
- Leave WPA2 PSK checked
- Enter nycmeshnet in the WPA2 Pre-Shared Key field
- Apply and OK
Wireless > wlan1
- Set Mode to station-bridge
- Set SSID to the hub you want to connect to, e.g. nycmesh-xxx
- Set Channel Width to 20/40/80MHz XXXX
- Set Frequency to auto
- Set Security Profile to nycmeshnet
- (Only if you have the SXT international version) Click the Advanced Mode button at the top, scroll down and set the Country drop-down to united states
When all settings are correct and the station connects, the status should change from "searching for network" to "connected to ess".
Bridge > Ports
- Add new, set Interface to ether1, set Bridge to bridge1
- Add new, set Interface to wlan1, set Bridge to bridge1
IP > Addresses
- Delete the entry 192.168.88.1/24
- Add new, set Address to 192.168.88.1/24, set Interface to bridge1
- Refresh the page and log in again.
**Lookup routable address for device**
IP > Addresses
- You should see an address marked D for dynamic; this can be used to access your radio even from behind your home router.
**Update (2 step process)**
1. System > Packages
   - Enable ipv6
   - Update / reboot
2. System > RouterBOARD > Update
### <a name="sxtP2P"></a>SXTsq Point-to-Point
?
---
title: "Ubiquiti EdgePoint R6"
---
The EP-R6 is an outdoor rooftop switch/router with 6 ports (5 GigE, 1 SFP). It supports PoE, but only Ubiquiti's 24V passive PoE style, not any of the fancier types.
It can be configured in switch mode (just a switch, with a management console) or routing mode (hub node setup, BGP, etc.).
![Ubiquiti EdgePoint R6 Front View](/img/hardware/ubiquity_edgepointr6_front.png)
![Ubiquiti EdgePoint R6 Ports](/img/hardware/ubiquity_edgepointr6_ports.png)
Device specs are available at [store.ubnt.com](https://store.ubnt.com/products/edgepoint-r6).
## Reset ##
To factory reset an EP-R6, press and hold the reset button, next to the Ethernet ports, for about 10 seconds until the eth4 LED begins to flash, then release the button. The device will reboot and reset.
Alternatively, reset it via the CLI by running the following commands:
```
sudo cp /opt/vyatta/etc/config.boot.default /config/config.boot
reboot
```
## Connecting ##
The EP-R6 has a Web GUI and CLI.
The initial IP address out of the box is 192.168.1.1; the Web GUI is at https://192.168.1.1.
Set your computer's local IP to something in the same range (e.g. 192.168.1.5) and connect to the switch on port _eth0_.
Although there is a Web GUI, using SSH allows a much more rapid workflow. If possible, use that.
Here is an example of SSHing to the EdgePoint when it is in factory default mode:
```
laptop$ ssh -o StrictHostKeyChecking=no ubnt@192.168.1.1
Welcome to EdgeOS
...
ubnt@192.168.1.1's password: ubnt
Linux ubnt 3.10.14-UBNT #1 SMP Wed Nov 11 14:42:04 PST 2015 mips
Welcome to EdgeOS
ubnt@ubnt:~$
```
From here you can apply commands such as the ones below.
## Device idiosyncrasies
### Hardware NAT
If you use the device as a router in NAT mode (not as a router on the mesh), the default settings yield a very slow connection.
Hardware NAT should be enabled, which became possible as of firmware version v1.9.7.
This Ubiquiti help page discusses it in more detail: https://help.ubnt.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading-Explained
To enable hardware offload on this model, run the following commands in the CLI:
```
configure
set system offload hwnat enable
commit
save
exit
```
## WireGuard VPN
Coming soon.
## Switched Mode ##
To convert the EP-R6 to switched mode, follow these steps.
This creates a switch, moves all ports to it, and moves the management interface IP to it.
Contrary to some documentation, it is not necessary to move a few ports at a time and change the IP in between; this can all be applied at once.
```
configure
delete interfaces ethernet eth0 address
set interfaces switch switch0 switch-port interface eth0
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 address 192.168.1.1/24
commit
save
exit
```
## Routed Mode ( NYCMesh Hub Node - BGP ) ##
You will need to know the following to continue:
* BGP ASN - Autonomous System Number within the network
* Gateway Node Y/N - Will this node be a gateway (exit) node?
* Peer ASN and IP - The ASN and IP of the peer we will connect to
* Local Subnet - What local network(s) will we have? One? Many?
Configuration:
The following sections may be used in part or in whole depending on the need:
* Route Filters / Prefix list - Allows or denies certain ranges from the network. Good for ensuring functionality
  - The current filter set for NYCMesh can be found at [Filter](/network/filter)
Example Parameters:
* ASN: 65012
* Gateway: N
* Peer ASN: 65010
* Peer IP: 10.180.14.1
* Local Subnet: 10.70.50.0/24
```
configure
## Filters ##
set policy prefix-list nycmeshprefixes rule 10 prefix 10.0.0.0/8
set policy prefix-list nycmeshprefixes rule 10 ge 22
set policy prefix-list nycmeshprefixes rule 10 le 32
set policy prefix-list nycmeshprefixes rule 10 action permit
set policy prefix-list nycmeshprefixes rule 20 prefix 172.16.0.0/12
set policy prefix-list nycmeshprefixes rule 20 ge 24
set policy prefix-list nycmeshprefixes rule 20 le 32
set policy prefix-list nycmeshprefixes rule 20 action permit
set policy prefix-list defaultroute rule 10 prefix 0.0.0.0/0
set policy prefix-list defaultroute rule 10 action permit
set policy route-map nycmeshroutes rule 10 action permit
set policy route-map nycmeshroutes rule 10 match ip address prefix-list nycmeshprefixes
# BGP Config
set protocols bgp 65012
set protocols bgp 65012 neighbor 10.180.14.1 remote-as 65010
set protocols bgp 65012 neighbor 10.180.14.1 soft-reconfiguration inbound
set protocols bgp 65012 neighbor 10.180.14.1 nexthop-self
set protocols bgp 65012 neighbor 10.180.14.1 route-map import nycmeshroutes
set protocols bgp 65012 neighbor 10.180.14.1 route-map export nycmeshroutes
# BGP Network Config
set protocols bgp 65012 network 10.70.50.0/24
set protocols static route 10.70.50.0/24 blackhole
# Save and Reset BGP
commit
save
clear ip bgp all
```
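To see what the filter set above actually lets through, here is an added Python model (not part of the original docs and not EdgeOS code) of the `nycmeshprefixes`, `defaultroute` and `nycmeshroutes` policies, following Quagga/Vyatta prefix-list semantics. It also shows that, because `defaultroute` is never referenced by `nycmeshroutes`, a 0.0.0.0/0 route hits the implicit deny of that route-map; the candidate prefixes fed in at the bottom are constructed test input.

```python
"""Model of the EdgeOS prefix-list / route-map filter from the example above.

Added example, not from the original docs: re-implements Quagga/Vyatta
prefix-list semantics (first matching rule wins, implicit deny, ge/le bound
the accepted prefix length). List names and rules are copied from the config;
the candidate prefixes at the bottom are constructed test input.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PrefixRule:
    """One `set policy prefix-list <name> rule <n> ...` entry."""
    prefix: str
    action: str = "permit"
    ge: Optional[int] = None  # minimum accepted prefix length, inclusive
    le: Optional[int] = None  # maximum accepted prefix length, inclusive

    def matches(self, cand) -> bool:
        net = ipaddress.ip_network(self.prefix)
        if cand.version != net.version or not cand.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            return cand.prefixlen == net.prefixlen  # exact match only
        lo = self.ge if self.ge is not None else net.prefixlen
        hi = self.le if self.le is not None else cand.max_prefixlen
        return lo <= cand.prefixlen <= hi

# The two prefix-lists from the config, keyed by name: (rule number, rule).
PREFIX_LISTS = {
    "nycmeshprefixes": [
        (10, PrefixRule("10.0.0.0/8", ge=22, le=32)),
        (20, PrefixRule("172.16.0.0/12", ge=24, le=32)),
    ],
    "defaultroute": [(10, PrefixRule("0.0.0.0/0"))],
}

# route-map nycmeshroutes rule 10 permits whatever nycmeshprefixes permits.
# "defaultroute" is defined in the config but not referenced by any route-map
# rule, so 0.0.0.0/0 falls through to the implicit deny in both directions.
ROUTE_MAPS = {"nycmeshroutes": [(10, "permit", "nycmeshprefixes")]}

def prefix_list_permits(list_name: str, prefix: str) -> bool:
    """First matching rule decides; an unmatched prefix is denied."""
    cand = ipaddress.ip_network(prefix)
    for _, rule in sorted(PREFIX_LISTS[list_name], key=lambda r: r[0]):
        if rule.matches(cand):
            return rule.action == "permit"
    return False

def route_map_permits(map_name: str, prefix: str) -> bool:
    """Rules are tried in order; a rule whose prefix-list matches decides."""
    for _, action, list_name in sorted(ROUTE_MAPS[map_name], key=lambda r: r[0]):
        if prefix_list_permits(list_name, prefix):
            return action == "permit"
    return False  # implicit deny at the end of the route-map

if __name__ == "__main__":
    # Constructed announcements a peer might send; not taken from the docs.
    for p in ["10.70.50.0/24", "10.0.0.0/8", "172.16.5.0/24", "172.16.0.0/23",
              "192.168.1.0/24", "0.0.0.0/0", "2001:db8::/32"]:
        print(f"{p:16} {'permit' if route_map_permits('nycmeshroutes', p) else 'deny'}")
```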
---
title: "Ethernet"
---
There are two wiring standards for Ethernet cables. We use T-568B (oO-gB-bG-brBR, i.e. white-orange, orange, white-green, blue, white-blue, green, white-brown, brown).
![T-568B wiring](/img/ethernet/T-568B.gif)
[source](https://www.siongboon.com/projects/2006-03-06_serial_communication/)
A straight cable will work as long as both ends use the same configuration, but to avoid confusion we stick to the standard T-568B, which is the most common one in this country.
In 100Base-T (100Mbps, most Ethernet), orange is data transmit (pins 1 & 2) and green is receive (pins 3 & 6); pins 4, 5, 7 and 8 are not used for data.
In 1000Base-T (gigabit Ethernet) all pins are used for data. If pins 4, 5, 7 & 8 are not connected, the speed falls back to 100Mbps.
Pins 4, 5, 7 and 8 are used for power over Ethernet (PoE). Pins 4 & 5 are negative and 7 & 8 are positive.
If you plug PoE into the "secondary" WAN port of a NanoStation, the main port will carry live PoE! This PoE passthrough is great if you want to power a second NanoStation, but if you plug a live PoE cable into an adapter or some device that does not expect PoE, it can break. We also turn on PoE passthrough for both ports in some [installs](../nsm5-install/).
On a roof it is tempting to plug from a powered Ethernet port into your laptop to configure the router. Usually the cheaper devices survive this accident because they don't use the PoE pins. Apple's $30 Thunderbolt Ethernet adapters and other gigabit adapters will blow up. $9 USB 100Base-T adapters are a safer bet if you think you will make this mistake. If you have a test cable with pins 4, 5, 7 and 8 disconnected you will be safe.
Ubiquiti PoE is 24V DC, **half the voltage of standard 48V DC PoE.** If you use standard PoE you need a [Ubiquiti 8023af adapter](https://www.ubnt.com/accessories/instant-8023af-adapters/).
Ethernet cables need to be shorter than 100m (300'). Beyond that you will have data loss and the PoE voltage will drop too low.
---
title: "Ubiquiti LiteAP Sector"
---
The confusingly named LiteAP (LAP-120) is a very good, cheap 120° sector antenna. 120° means you need three to cover a full 360°. It used to be called a LiteBeam 5AC AP LBE-5AC-16-120, and is still named that on parts of their website.
We use it as a sector antenna for most hub and supernode installs. As with all Ubiquiti gear you need to flash it with the latest firmware first.
The AC in the name is not 802.11ac; it is Ubiquiti's own protocol. These devices can only connect to other Ubiquiti "AC" devices like the LiteBeam we mount on everyone's roof.
![Ubiquiti LiteAP](/img/hardware/ubiquity_liteap.png)
Device specs are available at [store.ubnt.com](https://store.ubnt.com/collections/wireless/products/litebeam-5ac-ap).
The default IP is https://192.168.1.20/ with username ubnt and password ubnt.
---
title: "Ubiquiti LiteBeam AC"
---
The LiteBeam AC is a very good, cheap directional router. We use it for most rooftop installs. As with all Ubiquiti gear you need to flash it with the latest firmware first. They often ship with old beta firmware, and the latest firmware usually gets you faster speeds.
The AC in the name is not 802.11ac; it is Ubiquiti's own protocol. These devices can only connect to other Ubiquiti "AC" devices.
![Ubiquiti LiteBeam 5AC Gen2](/img/hardware/ubiquity_litebeam5acgen2.png)
Device specs are available at [store.ubnt.com](https://store.ubnt.com/collections/all/products/litebeam-5ac-gen2).
There are two versions: gen1 and gen2. By default they use two different sets of channels, which causes much confusion. The gen1 cannot use the DFS channels unless you unlock it with a code on the System tab. Once you unlock a gen1 it has the same channels as the gen2. We have the unlock code for "NYCMesh". Ask us if you need to connect a gen1 to one of our hubs or supernodes.
Gen2 comes with a sturdier mount (though less range) and also a 2.4GHz management radio. The new mount has no movement clockwise, so the only way to get the level bubble in the middle is with a straight mount! The management radio is very handy as you don't need to know the IP of the device. The management radio is on a timer, so it turns off after about 5 minutes.
LiteBeams are very directional, so use the built-in alignment tool to get the strongest signal. We like to get better than -65dB. Very close to the supernodes you can get -45dB.
The default IP is https://192.168.1.20/ with username ubnt and password ubnt.
For Supernode1 we assign IP addresses in the 192.168.42.xxx range.
[Install instructions are in these docs](../../installs/cpe)
---
title: "MikroTik OmniTik 5ac"
---
The OmniTik 5ac is an outdoor switch/router with a built-in 5GHz 802.11ac access point, omnidirectional antenna, and 5 gigabit Ethernet ports.
_Please be sure to see [MikroTik Specifics](/hardware/mikrotikspecifics) for extra info about Mikrotik devices, how to connect, etc._
![MikroTik OmniTik PoE 5ac Front View](/img/hardware/mikrotik_omnitik5poeac_front.jpg)
The PoE version accepts 12-57V passive PoE on port 1 and can be configured to provide PoE out to ports 2-5.
![MikroTik OmniTik PoE 5ac Ports](/img/hardware/mikrotik_omnitik5poeac_ports.jpg)
Device specs are available at [mikrotik.com](https://mikrotik.com/product/rbomnitikpg_5hacd).
## Uses
* Hub node routing or AP (for standard 802.11ac hubs)
* Rooftop installations for multi-tenant houses
* Providing public access via the omnidirectional antenna
## Configurations
### Omnitik config v3.2
As discussed in the [MikroTik Specifics](/hardware/mikrotikspecifics) page, these devices need a script to be generated and loaded onto the device rather than a saved config file.
The below is a template script which needs some variables filled in.
This script _only_ works on the OmniTik 5ac PoE model.
<details>
<summary>Expand for `nycmesh-omnitik-v3.2.rsc` example</summary>
Version 3.2 Changelog:
* Separation of Public vs Tenant subnet
* Fixed BGP sync missed config parameter
* Startup delay (ref. MikroTik forums)
* Tada sound effect
* Better firewall rules
```
:global nodenumber 1111
:global bgpasn 61111
:global ipprefix "10.70.111"
:global iptenantsrange 10.70.111.5-10.70.111.119
:global iptenantsgw 10.70.111.1
:global ippublicrange 10.70.111.130-10.70.111.180
:global ippublicgw 10.70.111.129
:global dns 10.10.10.10,1.1.1.1
/delay 15
:for j from=1 to=4 step=1 do={
:for i from=2000 to=50 step=-400 do={
:beep frequency=$i length=11ms;
:delay 11ms;
}
:for i from=800 to=2000 step=400 do={
:beep frequency=$i length=11ms;
:delay 11ms;
}
}
:foreach x in=[/interface wireless find] do={ /interface wireless reset-configuration $x }
:for t from=1200 to=350 step=-50 do={
:beep frequency=$t length=33ms;
:delay 33ms;
}
:beep frequency=500 length=100ms
/ip address add address=192.168.88.1/24 interface=ether3 network=192.168.88.0
:beep frequency=600 length=100ms
/interface ethernet
set [ find default-name=ether5 ] poe-out=forced-on
:beep frequency=700 length=100ms
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
dynamic-keys name=nycmeshnet supplicant-identity=nycmesh \
wpa-pre-shared-key=nycmeshnet wpa2-pre-shared-key=nycmeshnet
:beep frequency=800 length=100ms
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=nycmeshnet ssid=("nycmesh-" . $nodenumber . "-omni") wireless-protocol=802.11 wps-mode=disabled
add disabled=no master-interface=wlan1 name=wlan2 ssid="-NYC Mesh Community WiFi-" wps-mode=disabled
:beep frequency=900 length=100ms
/interface bridge
add auto-mac=yes name=publicaccess
add auto-mac=yes name=tenants
:beep frequency=1000 length=100ms
/ip address
add address=($ipprefix . ".1/25") interface=tenants network=($ipprefix . ".0")
add address=($ipprefix . ".129/26") interface=publicaccess network=($ipprefix . ".128")