Commit 279174b8 authored by olivernyc

Initial commit

---
title: "{{ replace .Name "-" " " | title }}"
date: {{ .Date }}
draft: true
---
baseURL = "http://example.org/"
languageCode = "en-us"
title = "NYC Mesh Documentation"
---
layout: default
title: Hardware
---
# This is a great hardware section!
* Blah
---
layout: default
title: Ubiquiti EdgePoint R6
category: Hardware
---
The EP-R6 is an outdoor rooftop switch/router with 6 ports ( 5 GigE, 1 SFP ).
It supports PoE, but only Ubiquiti's 24v Passive PoE style, not any of the fancier types.
It can be configured in switch mode ( just a switch, with a management console ) or routing mode ( hub node setup, BGP, etc ).
## Reset ##
To factory reset an EP-R6, press and hold the reset button, by the ethernet plugs, for about 10 seconds until the eth4 LED begins to flash, then release the button. The device will reboot and reset.
Or, reset it via the CLI by running the following commands:
```
sudo cp /opt/vyatta/etc/config.boot.default /config/config.boot
reboot
```
## Connecting ##
The EP-R6 has a Web GUI and CLI.
The initial IP address out of the box is 192.168.1.1, and the Web GUI is at https://192.168.1.1.
Set your computer's local IP to something similar ( 192.168.1.5 ), and connect to the switch on port _eth0_.
Although there is a Web GUI, using SSH can allow for a much more rapid workflow. If possible, use that.
Here is an example of SSHing to the EdgePoint when it is in factory default mode:
```
laptop$ ssh -o StrictHostKeyChecking=no ubnt@192.168.1.1
Welcome to EdgeOS
...
ubnt@192.168.1.1's password: ubnt
Linux ubnt 3.10.14-UBNT #1 SMP Wed Nov 11 14:42:04 PST 2015 mips
Welcome to EdgeOS
ubnt@ubnt:~$
```
From here you can apply commands such as the ones below.
## Device idiosyncrasies
### Hardware NAT
If using the device as a NAT router ( rather than as a router on the mesh ), the default settings will yield a very slow connection.
Hardware NAT should be enabled; this became possible as of firmware version v1.9.7.
This Ubnt page discusses it in more detail: https://help.ubnt.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading-Explained
To enable hardware offload on this model, perform the following commands on the CLI:
```
configure
set system offload hwnat enable
commit
save
exit
```
## Wireguard VPN
coming
## Switched Mode ##
To convert the EP-R6 to switched mode, follow these steps.
This will create a switch, move all ports to it, move the management interface IP to it.
Unlike what some documentation says, it is not necessary to move a few ports at a time and change the IP in between; all of this can be applied at once.
```
configure
delete interfaces ethernet eth0 address
set interfaces switch switch0 switch-port interface eth0
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 address 192.168.1.1/24
commit
save
exit
```
## Routed Mode ( NYCMesh Hub Node - BGP ) ##
You will need to know the following to be able to continue:
* BGP ASN - Autonomous System Number within the network
* Gateway Node Y/N - Are we going to be a gateway exit node
* Peer ASN and IP - What are our Peer ASN and IP that we will connect with
* Local Subnet - What local network will we have? One? Many?
Configuration:
The following sections may be used in part or in whole depending on the need:
* Route Filters / Prefix list - Allows or denies certain ranges from the network. Good for ensuring functionality
  - The current filter set for NYCMesh can be found at [Filter](/network/filter)
Example Parameters:
ASN: 65012
Gateway: N
Peer ASN: 65010
Peer IP: 10.180.14.1
Local Subnet: 10.70.50.0/24
```
configure
## Filters ##
set policy prefix-list nycmeshprefixes rule 10 prefix 10.0.0.0/8
set policy prefix-list nycmeshprefixes rule 10 ge 22
set policy prefix-list nycmeshprefixes rule 10 le 32
set policy prefix-list nycmeshprefixes rule 10 action permit
set policy prefix-list nycmeshprefixes rule 20 prefix 172.16.0.0/12
set policy prefix-list nycmeshprefixes rule 20 ge 24
set policy prefix-list nycmeshprefixes rule 20 le 32
set policy prefix-list nycmeshprefixes rule 20 action permit
set policy prefix-list defaultroute rule 10 prefix 0.0.0.0/0
set policy prefix-list defaultroute rule 10 action permit
set policy route-map nycmeshroutes rule 10 action permit
set policy route-map nycmeshroutes rule 10 match ip address prefix-list nycmeshprefixes
# BGP Config
set protocols bgp 65012
set protocols bgp 65012 neighbor 10.180.14.1 remote-as 65010
set protocols bgp 65012 neighbor 10.180.14.1 soft-reconfiguration inbound
set protocols bgp 65012 neighbor 10.180.14.1 nexthop-self
set protocols bgp 65012 neighbor 10.180.14.1 route-map import nycmeshroutes
set protocols bgp 65012 neighbor 10.180.14.1 route-map export nycmeshroutes
# BGP Network Config
set protocols bgp 65012 network 10.70.50.0/24
set protocols static route 10.70.50.0/24 blackhole
# Save and Reset BGP
commit
save
clear ip bgp all
```
---
layout: default
title: Ubiquiti Litebeam AC
category: Hardware
---
Also a radio
---
layout: default
title: MikroTik OmniTik
category: Hardware
---
This is a potential replacement for the ubnt EP-R6 we have been using. It comes with five Gigabit Ethernet ports and an omni antenna. It would be ideal for hub nodes. There is also a model without POE for some reason. Avoid that one.
---
layout: default
title: MikroTik Powerbox Pro
category: Hardware
---
The PowerBox Pro is an outdoor router with five gigabit ethernet ports and PoE output on four of them. Since the device has a waterproof outdoor case, you can mount it on a tower or in other outdoor locations.
It also supports passive PoE input and passive or 802.3af/at PoE output. Ethernet ports 2-5 can power other PoE capable devices with the same voltage as applied to the unit. Fewer power adapters and cables to worry about! It can power 802.3at and af mode B compatible devices if a 48-57 V input voltage is used.
---
layout: default
title: Ubiquiti Nanostation M5
category: Hardware
---
The NanoStation M5 is a workhorse of mesh networks. There are two versions: XM (pre-2016) and XW. It is 802.11n with 10/100 ethernet, so not the fastest on the block, but it has good support from OpenWRT. It also has two ethernet ports, usually set up as WAN and LAN. Recent versions require downgrading AirOS before you flash.
NanoStation NSM5 installs
**Hardware**
The simplest install is to use an existing vertical pipe and the two plastic ties that are included with the router. Also a thick PVC pipe can be attached to a railing using clamps.
![roof install](/img/nsm5/roof-87.jpg)
If you need to aim the router up or down you can use a [nanobracket](https://www.streakwave.com/itemdesc.asp?ic=NBU001).
![nanobracket](/img/nsm5/nanobracket.jpg)
The [Ubiquiti window/wall mount](http://www.amazon.com/Ubiquiti-Networks-NanoStation-Window-Mount/dp/B004EHUR8U) is a versatile mount that comes with a suction cup for windows or a screw mount for walls. The parts are reversible so the NSM5 can face either way and it also has vertical and horizontal adjustment to point in almost any direction.
![window/wall install](/img/nsm5/ubiquiti-window-wall-mount.jpg)
The [Ubiquiti universal antenna mount](http://www.amazon.com/gp/product/B006J1WSGI/) can be used on rooftops or walls, where a very strong mount is needed.
![universal antenna mount](/img/nsm5/ubiquiti-universal-mount.jpg)
**Window**
Outside:
On the outside of the window it is best to use a Ubiquiti wall/window mount. The suction cup is not recommended for long-term installs.
![window outside](/img/nsm5/window-cup-outside.jpg)
Inside:
It is often more convenient to install inside the window. You will lose about 2 dB of signal, but that is usually ok.
Velcro is the easiest way to install a NanoStation if it will be facing the same direction as the window. Use more velcro than in the picture (this install slipped down the window after six months!)
![velcro](/img/nsm5/velcro.jpg)![velcro](/img/nsm5/window-velcro-off.jpg)
![window velcro](/img/nsm5/window-velcro-on.jpg)
A Ubiquiti suction cup mount can be used if you need to point the router at an angle. The suction cup will fail eventually (usually on very hot or very cold days), so do not use this for long-term installs.
![window/wall install](/img/nsm5/window-cup-inside.jpg)
**Rooftop**
Often rooftops have an existing unused pipe or abandoned antenna pole that can be used.
![pipe](/img/nsm5/pipe.jpg)
A Ubiquiti bracket is good if you have a drillable surface such as brick or cement.
![bracket](/img/nsm5/bracket-200.jpg)
**Wall**
A simple wall mount can be made using a small, thin piece of wood and the two plastic ties that come with the router. This will not give you much choice in direction.
![window/wall install](/img/nsm5/wall.jpg)
[source](https://www.telcoantennas.com.au/site/how-extend-wifi-coverage-using-ubiquiti-nanostation)
![window/wall install](/img/nsm5/wall-201.jpg)
The Ubiquiti window/wall mount comes with both a suction cup for windows and a screw mount for walls. Use this screw mount on a wall so you can point the router in the best direction.
![window/wall install](/img/nsm5/windowwall2.jpg)![window/wall install](/img/nsm5/windowwall.jpg)
**Tree**
Sometimes a tree is the best place for your NanoStation.
![tree](/img/nsm5/tree.jpg)
**Ethernet**
Outdoor routers use "power over ethernet" (POE). A small adapter is used to add power to the ethernet. This means you only need to run one ethernet cable to the device.
The most important thing about the cable is that it is "outdoor" cable; otherwise the plastic will decay in the weather. We use Cat 5e. A cable run must be less than 100m (300 feet), or the signal and voltage drop will be too much.
There are two ethernet ports on the NanoStation and these are a source of confusion. Like most outdoor routers they get their power over the ethernet cable. They come with an adapter that adds 24V of power to the cable. Be careful plugging live cables into ports that are not expecting a voltage.
Here are two ways to wire your NSM5:
**Setup 1 (client)**
You are connecting to a remote gateway that is providing your internet. You plug the ethernet cable into the "main" (LAN) port of the NSM5. The cable goes to the power adapter POE. "LAN" on the POE adapter goes to the WAN of an indoor router.
(Sometimes people are close enough to the NSM5 that they don't bother with the indoor router.)
**Setup 2 (gateway)**
You are sharing your existing internet with your neighbors. You plug the ethernet into the "secondary" (WAN) port of the NSM5. The cable goes to the power adapter POE. "LAN" on the POE adapter goes to the LAN of your existing indoor router.
**Powering two from one adapter**
If you need to install two NanoStations you can simply run a cable from the spare ethernet port to the other NSM5. If the POE is plugged into the secondary port (gateway setup) then the "main" will act as passthrough to the second NSM5.
To turn on passthrough from main to secondary you need to do this [(source)](https://wiki.openwrt.org/toh/ubiquiti/nanostationm5):
```
# older nanostation XM (pre-2015)
echo 8 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio8/direction
echo 1 > /sys/class/gpio/gpio8/value
# disable with echo 0 > /sys/class/gpio/gpio8/value
```
```
# nanostation XW (2015-)
echo 2 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio2/direction
echo 1 > /sys/class/gpio/gpio2/value
# disable with echo 0 > /sys/class/gpio/gpio2/value
```
I've found this setting doesn't stick after reboot, so you need to add it to /etc/rc.local (local startup):
[http://admin.qmp/cgi-bin/luci/admin/system/startup](http://admin.qmp/cgi-bin/luci/admin/system/startup)
**LAN vs WAN confusion**
On the NSM5 the **"main" port is LAN** and the **secondary is "WAN"**. This is the most confusing thing about the router and mixing this up is the cause of most problems. **Always connect WAN on one router to LAN on another!**
If you connect LAN to LAN it will be unstable as each LAN port usually has a DHCP server and both ports will be trying to assign an IP address to the other. Also don't connect WAN to WAN as this makes no sense. This is by far the biggest problem with people setting up routers and it is so simple to avoid.
---
layout: default
title: Mikrotik SXTsq G-5acD
category: Hardware
---
The SXTsq 5acD ( sxtsq ) is a small client antenna that is 802.11 standards compliant ( and also supports MikroTik's Nstreme, if available ).
The device was released in early 2018 and is capable of gigabit-level speeds with 80 MHz wide 802.11ac wifi connections.
# Uses
* LinkNYC Kiosk connection
* Hub node connection ( for standard 802.11ac hubs )
# Device idiosyncrasies
## License
Mikrotik software usually requires a license; all Mikrotik devices come with an internal license, whose level varies with the model.
This antenna comes with a "Level 3" license which technically only allows it to function as a CPE, not an AP. Therefore this device can not be used as a base station.
## US vs International version
On the positive side, it is a great CPE: it can connect to DFS channels ( international version ) and has other interesting features such as EAP TTLS authentication.
Be aware that this antenna comes in a US version and an International version. The US version is locked to "united states3" channels, which are the non-DFS range.
The international version also has US settings, but it has two additional "united states" channel selections, all of which are valid legal US channels. To function on LinkNYC and other DFS networks, the international version is required, but be sure to put it in "united states2" mode before using it.
# Reset
To factory reset an SXTsq, hold down the RouterBOOT reset button (located behind the front panel) during boot until the LED starts flashing, then release the button to reset the RouterOS configuration (about 5 seconds in total).
# Connecting
The initial IP address out of the box is 192.168.88.1, so set your computer's local IP to something similar ( 192.168.88.5 ). The username is admin and there is no password.
# Configuration lines
## LinkNYC Kiosk connection ( encrypted )
LinkNYC kiosks have both an unencrypted and encrypted network available. They function similarly and have the same internet available.
The encrypted version uses a fancy feature marketed as "passpoint" ( an authentication tech that cable internet providers are trying to leverage, which allows you to roam across an area with a single login ).
The encrypted network is more secure because no traffic can be sniffed between the kiosk and your CPE. Additionally there is no captive portal, which is a major positive.
The bottom line of passpoint is that it's EAP ( Extensible Authentication Protocol ) TTLS ( Tunnelled TLS ), which is a fancy way of saying a login and password.
To cover all these technical details, there are auto-config profiles that can be deployed to devices such as a phone. Once you log in to the unencrypted network, a captive portal prompts you to click a button and, if your device is supported, download a profile and reconnect to the encrypted network.
Today, only iPhones are supported with the auto-config feature, which is no fun. However, it's technically possible to connect with any capable device if you have the connection profile.
By taking the profile from an iPhone, we can extract the pieces needed to connect a standard antenna such as the sxtsq.
After powering on an sxtsq, configure it as a CPE with routing, NAT, and DHCP on the internal port.
Then, to configure the radio, apply the following lines on the CLI:
( This can be performed graphically, but it may be faster to paste these lines. )
```
/interface wireless security-profiles
add authentication-types=wpa-eap,wpa2-eap eap-methods=eap-ttls-mschapv2 group-ciphers=tkip,aes-ccm mode=dynamic-keys mschapv2-password=5fsOpxER mschapv2-username=anonymous@citybridge.com name=linknyc supplicant-identity=anonymous@citybridge.com tls-mode=dont-verify-certificate unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country="united states2" default-authentication=no disabled=no frequency=auto security-profile=linknyc ssid="LinkNYC Private" wireless-protocol=802.11
/interface wireless connect-list
add interface=wlan1 security-profile=linknyc ssid="LinkNYC Private" wireless-protocol=802.11
```
Be sure to shut down the antenna properly the first time to ensure the config is saved. This is not strictly required, but Mikrotik antennas are especially sensitive to being powered off without a proper shutdown.
---
layout: default
title: TP-Link Router
category: Hardware
---
# When setting up this router, do the following:
* Turn the guest network on.
* Set the guest SSID to exactly "-NYC Mesh Community WiFi-" (including the dashes).
Any other SSID you set up can be named whatever the new member wants (eg "nycmesh my cat's name").
---
title: Installer Overview
layout: default
category: Installers
wip: true
---
Installers are people who help new users join our mesh, typically by installing wireless equipment on their roof.
### Installer Resources
- Slack chat: [#install](https://nycmesh.slack.com/app_redirect?channel=install) - [Join our Slack](http://slack.nycmesh.net/)
- [Training Presentation](https://drive.google.com/open?id=1tIi4QSxitKx6un9pPfzCNJnribGZKAK1y9t8FtPl0gg) - Primary resource
- [Installer Shopping List](https://nycmesh.slack.com/archives/G0FS2EVSQ/p1522292807000071)
- [How to Import NYC Mesh Node Data to Google Earth](https://nycmesh.slack.com/files/U51M5UP6F/F5VEK2UCR/nycmesh-google-earth-kml-howto.m4v)
- [Install Calendar](https://goo.gl/1tGsjZ)
- [CPE Install Guide](https://nycmesh.net/cpe)
- [Site Survey Form](https://goo.gl/forms/nq1UXX3UHPaGAZLy1)
---
layout: default
title: Networking
---
The NYC Mesh network is following a newe arc
---
layout: default
title: ARP
category: Networking
wip: true
---
### ARP
Arp is a fun tool
Learn more about
```
arp -a
```
Hah.
[Basics](/networking/basics)
---
layout: default
title: Basics
category: Networking
wip: true
---
This is a section on the basics of networking
# Basic Stuff
run these commands
```
$ stop services
$ start services
```
Ya..
---
layout: default
title: BGP
category: Networking
---
The [Border Gateway Protocol](https://tools.ietf.org/html/rfc4271) (BGP) is an inter-Autonomous System routing protocol.
## Use within NYC Mesh
BGP is used externally at internet exchange points to connect with other networks, and internally to peer between members (using private ASNs). BGP is a popular dynamic routing protocol as it is relatively simple to configure, scales well and enjoys support across multiple hardware and software vendors.
## How it works
An Autonomous System (AS) is any entity, usually a network with some opaque internal topology, that is in possession of a unique identifier called an Autonomous System Number (ASN). The process of connecting two Autonomous Systems is called peering, and it requires BGP speakers from each AS to know the ASN and IP address of their neighbors in advance (how this information is exchanged is not specified by the protocol).
Once the relevant identifying information is known, two neighboring Autonomous Systems can establish a session during which they exchange information about which IP subnets (prefixes) they know how to reach. A message between BGP speakers about reachability (or withdrawal thereof) is called an advertisement and can describe prefixes originating from an AS itself or from some other AS.
As reachability information about a prefix propagates through a network of interconnected Autonomous Systems, each appends its ASN to an attribute list called the "AS path". The AS path can then be used by each BGP speaker to prevent routing loops from forming and to determine the shortest path to the destination prefix in the event that more than one is known.
## Filters
BGP implementations include powerful tools for modifying imported and exported routes. Filters are commonly used within the mesh to do things like setting a route's local preference, tagging or interpreting communities, or preventing the accidental announcement of bogus routes.
## Local preference
If two routes to a particular destination prefix are known, a decision must be made about which route to select. BGP's [tie breaking algorithm](https://tools.ietf.org/html/rfc4271#section-9.1.2.2) usually bases the decision on an AS path length comparison, however it is possible to override this behavior by changing the route's local preference attribute. Its value (a 32-bit unsigned integer) should be increased from the default (100) to indicate that a particular route is preferred regardless of its relative AS path length.
## Communities
[BGP communities](https://tools.ietf.org/html/rfc1997) can be used to classify routes that are imported or exported by an AS. Some definitions generally agreed upon by BGP speakers within the mesh are listed below. They are primarily used for interpreting the "quality" of various routes to the internet.
|Community|Meaning|Suggested interpretation|
|---|---|---|
|65000:1001|Internet connected by NYC Mesh|Set local preference to 130|
|65000:1005|Internet connected by a fast, neutral 3rd party|Set local preference to 110|
|65000:1002|Internet connected by a fast, non-neutral 3rd party|Set local preference to 100|
|65000:1003|Internet connected by a slow, non-neutral 3rd party|Set local preference to 90|
|65000:1004|Internet connected by a slow, NATed or possibly compromised 3rd party|Set local preference to 80|
## Prefix lists
IPv4 and IPv6 prefix lists that BGP speakers within the mesh commonly filter on (for import and export) are listed below:
### IPv4
|Prefix (Bird notation)|Action|
|---|---|
|199.167.59.0/24{24,32}|Allow|
|10.0.0.0/8{22,32}|Allow|
|0.0.0.0/0|Allow|
|All others|Deny|
### IPv6
|Prefix (Bird notation)|Action|
|---|---|
|2620:12d:400d::/48{48,64}|Allow|
|fdff:1508:6410::/48{64,128}|Allow|
|::/0|Allow|
|All others|Deny|
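The prefix-list semantics shared by the EdgeOS `ge`/`le` rules in the EP-R6 routed-mode config and the Bird `{lo,hi}` notation in the tables above, together with the community-to-local-preference mapping from the communities table, as an added Python example (not NYC Mesh's own code; the `Route` class, the sample routes, and the highest-preference-wins rule for a route carrying several communities are this example's assumptions):

```python
import ipaddress
import re
from dataclasses import dataclass

# Prefix lists in Bird notation, as listed on this page. "10.0.0.0/8{22,32}" means the
# announced net lies inside 10.0.0.0/8 and its length is between 22 and 32 inclusive;
# the EdgeOS form "prefix 10.0.0.0/8 ge 22 le 32" expresses the same rule. A bare
# prefix such as 0.0.0.0/0 matches only itself.
MESH_PREFIXES_V4 = ["199.167.59.0/24{24,32}", "10.0.0.0/8{22,32}", "0.0.0.0/0"]
MESH_PREFIXES_V6 = ["2620:12d:400d::/48{48,64}", "fdff:1508:6410::/48{64,128}", "::/0"]

# Community -> local preference, exactly as in the communities table on this page.
COMMUNITY_LOCAL_PREF = {
    (65000, 1001): 130,  # internet connected by NYC Mesh
    (65000, 1005): 110,  # fast, neutral 3rd party
    (65000, 1002): 100,  # fast, non-neutral 3rd party
    (65000, 1003): 90,   # slow, non-neutral 3rd party
    (65000, 1004): 80,   # slow, NATed or possibly compromised 3rd party
}

_BIRD_ENTRY = re.compile(r"^(?P<net>[^{]+?)(?:\{(?P<lo>\d+),(?P<hi>\d+)\})?$")


def parse_bird_prefix(entry):
    """Return (network, lo, hi) for one Bird-notation prefix-list entry."""
    m = _BIRD_ENTRY.match(entry.strip())
    if not m:
        raise ValueError(f"bad prefix entry: {entry!r}")
    net = ipaddress.ip_network(m.group("net"))
    lo = int(m.group("lo")) if m.group("lo") else net.prefixlen
    hi = int(m.group("hi")) if m.group("hi") else net.prefixlen
    if not net.prefixlen <= lo <= hi <= net.max_prefixlen:
        raise ValueError(f"bad length range in {entry!r}")
    return net, lo, hi


def is_mesh_prefix(prefix, prefix_list):
    """True if any entry of prefix_list permits the net (Bird's `net ~ [...]`)."""
    net = ipaddress.ip_network(prefix)
    for entry in prefix_list:
        allowed, lo, hi = parse_bird_prefix(entry)
        if allowed.version != net.version:
            continue
        if net.subnet_of(allowed) and lo <= net.prefixlen <= hi:
            return True
    return False


@dataclass
class Route:
    """Hypothetical minimal BGP route: only the attributes the page's filters look at."""
    prefix: str
    as_path: tuple                      # ASNs, nearest neighbour first
    communities: frozenset = frozenset()
    local_pref: int = 100               # BGP default local preference


def mesh_import(route):
    """Mirror of the mesh import filters: drop non-mesh prefixes, else set local pref."""
    v6 = ipaddress.ip_network(route.prefix).version == 6
    if not is_mesh_prefix(route.prefix, MESH_PREFIXES_V6 if v6 else MESH_PREFIXES_V4):
        return None
    prefs = [p for c, p in COMMUNITY_LOCAL_PREF.items() if c in route.communities]
    if prefs:
        route.local_pref = max(prefs)   # this example's choice when several communities are set
    return route


def best_route(candidates):
    """Simplified decision process: highest local pref wins, then shortest AS path."""
    accepted = [r for r in map(mesh_import, candidates) if r is not None]
    if not accepted:
        return None
    return max(accepted, key=lambda r: (r.local_pref, -len(r.as_path)))
```

Note that a bare `0.0.0.0/0` entry admits only the default route itself, so a stray `8.0.0.0/8` announcement is rejected even though it lies inside `0.0.0.0/0`.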
## How to get an ASN or IP allocation
Currently the mesh uses a spreadsheet to keep track of allocated resources. The process will be automated soon, but in the meantime please contact an existing member via [Slack](https://slack.nycmesh.net) or [email](mailto:contact@nycmesh.net) to have them help you acquire an ASN and IPv4 and/or IPv6 resources.
## Examples
Some configuration examples for BGP implementations known to be in use within NYC Mesh today are listed below in no particular order.
### [Bird](http://bird.network.cz)
Bird is an open source routing daemon with support for a number of different routing protocols including BGP.
```
log stderr all;
router id 10.70.x.1;

# Prefix lists from the tables above: a mesh peer may only announce or accept these
function is_mesh_prefix_v4 () {
  return net ~ [
    199.167.59.0/24{24,32},
    10.0.0.0/8{22,32},
    0.0.0.0/0
  ];
}

function is_mesh_prefix_v6 () {
  return net ~ [
    2620:12d:400d::/48{48,64},
    fdff:1508:6410::/48{64,128},
    ::/0
  ];
}

# Local preference per community, following the communities table above
function set_local_pref () {
  if (65000,1001) ~ bgp_community then bgp_local_pref = 130;
  if (65000,1005) ~ bgp_community then bgp_local_pref = 110;
  if (65000,1002) ~ bgp_community then bgp_local_pref = 100;
  if (65000,1003) ~ bgp_community then bgp_local_pref = 90;
  if (65000,1004) ~ bgp_community then bgp_local_pref = 80;
}

# Do not push directly connected routes back into the kernel table
filter is_not_deviceroute {
  if source = RTS_DEVICE then reject;
  accept;
}

filter mesh_import_v4 {
  if ! is_mesh_prefix_v4() then reject;
  set_local_pref();
  accept;
}

# Routes via eth0 are exported with 65000:1005 (fast, neutral 3rd party per the table above)
filter mesh_export_v4 {
  if ! is_mesh_prefix_v4() then reject;
  if ifname = "eth0" then bgp_community.add((65000,1005));
  accept;
}

filter mesh_import_v6 {
  if ! is_mesh_prefix_v6() then reject;
  set_local_pref();
  accept;
}

filter mesh_export_v6 {
  if ! is_mesh_prefix_v6() then reject;
  if ifname = "eth0" then bgp_community.add((65000,1005));
  accept;
}

protocol device {
  scan time 10;
}

protocol direct {
  ipv4;
  interface "br0", "eth0";
}

protocol kernel {
  scan time 10;
  ipv4 {
    export filter is_not_deviceroute;
  };
}

protocol kernel {
  scan time 10;
  ipv6 {
    export filter is_not_deviceroute;
  };
}

# Shared settings for every mesh peer; x/y and 65xxx/65yyy are site-specific placeholders
template bgp meshpeer {
  local 10.70.x.1 as 65xxx;
  hold time 15;
  keepalive time 5;
  ipv4 {
    next hop self;
    import filter mesh_import_v4;
    export filter mesh_export_v4;
  };
  ipv6 {
    next hop self;
    import filter mesh_import_v6;
    export filter mesh_export_v6;
  };
}

protocol bgp n1234 from meshpeer {
  neighbor 10.70.x.y as 65yyy;
}
```
### [UBNT/EdgeOS](https://www.ubnt.com/products/#edgemax)
UBNT's EdgeOS was forked from Vyatta, which in turn borrows from [Quagga](https://www.nongnu.org/quagga/).
```
protocols {
bgp 65xxx {
neighbor 10.70.x.y {
description n1234
nexthop-self