IPv4 Top 1/4 move
Objective
Moving TRIUMF Visitor WiFi and TRIUMF House WiFi to Private IP Addresses
Motivation
Free the top ¼ of the TRIUMF public IPv4 address block 142.90/16 so that the block 142.90.192.0/18 can be released for sale. Estimated value: $300k USD.
Present State
The top ¼ of the TRIUMF public IPv4 space, 142.90.192.0/18, is used by three subnets:
| Vlan | IP | Description |
|---|---|---|
| 46 | 142.90.255.0/24 | TRIUMF Visitor WiFi |
| 49 | 142.90.254.0/24 | TRIUMF House WiFi |
| 52 | 142.90.253.0/24 | VPN Service Accounts |
Plan
- Decommission vlan-52 (only used a few times, Telus and CAEN)
- Move vlan-46 Visitor WiFi from 142.90.255.0/24 to 192.168.75.0/24
- Move vlan-49 THouse WiFi from 142.90.254.0/24 to 192.168.74.0/24
The new private ranges were chosen somewhat arbitrarily. They can, and probably will, be changed once the network re-architecture project with Charter has progressed.
Procedure
The following configuration changes are required:
- DNS
  - triumfvisitor.net
  - create reverse lookups for 192.168.[74-75]; use the existing private.rev for now, until IPAM is more clearly defined
- DHCP
- Firewall gateway IP address designation
- Firewall NAT
DNS
In servers/tgate/named/triumfvisitor.net:
- change 142.90.254 -> 192.168.74
- change 142.90.255 -> 192.168.75
triumfvisitor.net
; triumfvisitor.net -*-zone-*-
; $Id: triumfvisitor.net 21807 2019-04-14 17:22:45Z kray $
; This file should belong to root
$ORIGIN .
$TTL 14400 ; 4 hours
triumfvisitor.net IN SOA tgate.triumf.ca. system.triumf.ca. (
2019041400 ; serial
21600 ; refresh (6 hours)
300 ; retry (5 minutes)
604800 ; expire (1 week)
43200 ; minimum (12 hours)
)
NS tgate.triumf.ca.
NS trserv.triumf.ca.
MX 10 trmail.triumf.ca.
$ORIGIN triumfvisitor.net.
;
www CNAME ccnweb.dmz.triumf.ca.
qr CNAME qr.triumf.ca.
;
$GENERATE 8-254 $ A 142.90.93.$
;
;----------------------------
; Aruba vlan-id 46 start here
; Need to reserve some static addresses, later
$GENERATE 1-250 wlan-$ A 192.168.75.$
gw-wlan A 192.168.75.254
;
;----------------------------
; Aruba vlan-id 49 start here
; Need to reserve some static addresses, later
$GENERATE 1-253 wlan-thouse$ A 192.168.74.$
gw-wlan-thouse A 192.168.74.254
private.rev
; $Id: private.rev 19599 2017-11-08 20:43:44Z advax $
; Reverse Zone file for 192.168.4/24 "private" zone
; A.Daviel Jan 2007
$ORIGIN .
$TTL 14400 ; 4 hours
168.192.in-addr.arpa IN SOA tgate.triumf.ca. system.triumf.ca. (
2017110800 ; serial (must be incremented when the new subnets are added, or secondaries will not transfer the change)
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
3600000 ; expire (5 weeks 6 days 16 hours)
86400 ; minimum (1 day)
)
NS tgate.triumf.ca.
NS trserv.triumf.ca.
$ORIGIN 4.168.192.in-addr.arpa.
; Elmo Digital Presenters
9 PTR sx.private.
10 PTR ag.private.
11 PTR sx1.private.
12 PTR sx2.private.
13 PTR trweb.private.
; Dell projectors in ISAC2 223
20 PTR ag223.private.
21 PTR proj223l.private.
22 PTR proj223m.private.
23 PTR proj223r.private.
; trnetmon for monitoring purposes
24 PTR trnetmon.private.
25 PTR andrew2.private.
; DO NOT CREATE ADDRESSES BEYOND 192.168.4.39
; 192.168.4.40 and up are used by a DHCP pool for VOIP phones
; Addresses used internally on nexapp1
; These are just in this DNS zone for convenience and the interfaces
; are not reachable from anything external to nexapp1
161 PTR nexapp1a.private.
162 PTR nexapp1b.private.
;
; Aruba TRIUMF House Guest wlan subnet
$ORIGIN 74.168.192.in-addr.arpa.
$GENERATE 1-253 $ PTR wlan-thouse$.triumfvisitor.net.
254 IN PTR gw-wlan-thouse.triumfvisitor.net.
;
; Aruba TRIUMF Visitor wlan subnet
$ORIGIN 75.168.192.in-addr.arpa.
$GENERATE 1-250 $ PTR wlan-$.triumfvisitor.net.
254 IN PTR gw-wlan.triumfvisitor.net.
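As a pre-deployment check (example code added here, not part of the page's configuration), the script below expands the $GENERATE directives of constructed copies of the forward and reverse fragments above, verifies that every PTR has a matching A record, flags a reverse $ORIGIN that is not under in-addr.arpa., and reports any A record still pointing into 142.90.192.0/18. The zone text is sample data modelled on the fragments above, not the live files.

```python
import ipaddress
# Constructed zone fragments mirroring the page's $GENERATE directives (sample data, not the live files).
FORWARD_ZONE = """$ORIGIN triumfvisitor.net.
$GENERATE 1-250 wlan-$ A 192.168.75.$
gw-wlan A 192.168.75.254
$GENERATE 1-253 wlan-thouse$ A 192.168.74.$
gw-wlan-thouse A 192.168.74.254
"""
REVERSE_ZONE = """$ORIGIN 74.168.192.in-addr.arpa.
$GENERATE 1-253 $ PTR wlan-thouse$.triumfvisitor.net.
254 IN PTR gw-wlan-thouse.triumfvisitor.net.
$ORIGIN 75.168.192.in-addr.arpa.
$GENERATE 1-250 $ PTR wlan-$.triumfvisitor.net.
254 IN PTR gw-wlan.triumfvisitor.net.
"""
RELEASED_BLOCK = ipaddress.ip_network("142.90.192.0/18")  # the block being freed for sale
def qualify(name, origin):
    return name if name.endswith(".") else f"{name}.{origin}"
def expand_zone(text):
    """Yield (owner, type, rdata) tuples with $ORIGIN applied and $GENERATE expanded."""
    origin = "."
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()  # drop comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif line.startswith("$GENERATE"):
            _, span, lhs, rtype, rhs = line.split()
            lo, hi = (int(x) for x in span.split("-"))
            for i in range(lo, hi + 1):
                yield qualify(lhs.replace("$", str(i)), origin), rtype, rhs.replace("$", str(i))
        elif line:
            owner, rtype, rdata = [f for f in line.split() if f != "IN"][:3]
            yield qualify(owner, origin), rtype, rdata

def check_zones(forward, reverse):
    """Return (mismatches, leftovers): PTRs without a matching A, and A records still in RELEASED_BLOCK."""
    a_map = {ipaddress.ip_address(r): o for o, t, r in expand_zone(forward) if t == "A"}
    mismatches = []
    for owner, rtype, rdata in expand_zone(reverse):
        if rtype != "PTR":
            continue
        if not owner.endswith(".in-addr.arpa."):  # catches e.g. a mistyped "in-addr.arp."
            mismatches.append((owner, "bad reverse origin"))
            continue
        ip = ipaddress.ip_address(".".join(reversed(owner.rstrip(".").split(".")[:-2])))
        if a_map.get(ip) != rdata:
            mismatches.append((owner, rdata))
    leftovers = [(str(ip), o) for ip, o in a_map.items() if ip in RELEASED_BLOCK]
    return mismatches, leftovers
```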
DHCP Changes
# TRIUMF House WiFi VLAN: triumfhouse.net
subnet 192.168.74.0 netmask 255.255.255.0 {
option domain-name "triumfvisitor.net";
option domain-name-servers tgate, misdns, trserv;
option ntp-servers time1, time2, time3;
option routers 192.168.74.254;
option subnet-mask 255.255.255.0;
option time-offset -28800;
use-host-decl-names on;
default-lease-time 28800;
range 192.168.74.10 192.168.74.250;
}
# TRIUMF visitor VLAN: triumfvisitor.net
subnet 192.168.75.0 netmask 255.255.255.0 {
option domain-name "triumfvisitor.net";
option domain-name-servers tgate, misdns, trserv;
option ntp-servers time1, time2, time3;
option routers 192.168.75.254;
option subnet-mask 255.255.255.0;
option time-offset -28800;
use-host-decl-names on;
default-lease-time 28800;
range 192.168.75.10 192.168.75.250;
}
set interfaces reth0 unit 49 description "TRIUMF House Visitor Wi-Fi"
set interfaces reth0 unit 49 vlan-id 49
set interfaces reth0 unit 49 family inet mtu 1500
set interfaces reth0 unit 49 family inet address 142.90.254.254/24
set interfaces reth0 unit 49 family inet address 192.168.74.254/24 primary
Marking the new address as primary should allow both IP subnets to keep working at the same time, which should make for a smoother transition until the DHCP leases are renewed. The DHCP lease time is currently 8 hours (28800 seconds).
set interfaces reth0 unit 46 description "Vistor wlan"
set interfaces reth0 unit 46 vlan-id 46
set interfaces reth0 unit 46 family inet mtu 1500
set interfaces reth0 unit 46 family inet address 142.90.255.254/24
set interfaces reth0 unit 46 family inet address 192.168.75.254/24 primary
NAT Changes on Firewall
In the future (when implementing the network re-architecture) it is probably worth NATing the Visitor WiFi to a dedicated source address so its traffic can be identified more clearly. The proposed configuration below instead uses the egress interface IP on the firewall, which will be one of 142.90.1.2 (ORAN), 142.90.1.6 (Westgrid), 142.90.1.10 (Commodity) or 142.90.1.14 (IX).
A dedicated source address could then be associated with the domain name triumfvisitor.net.
show security nat source rule-set BCNET-NAT rule TriumfVisitorWiFi
match {
source-address 192.168.75.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
set security nat source rule-set BCNET-NAT rule TriumfVisitorWiFi match source-address 192.168.75.0/24
set security nat source rule-set BCNET-NAT rule TriumfVisitorWiFi match destination-address 0.0.0.0/0
set security nat source rule-set BCNET-NAT rule TriumfVisitorWiFi then source-nat interface
show security nat source rule-set BCNET-NAT rule THouseVisitorWiFi
match {
source-address 192.168.74.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
set security nat source rule-set BCNET-NAT rule THouseVisitorWiFi match source-address 192.168.74.0/24
set security nat source rule-set BCNET-NAT rule THouseVisitorWiFi match destination-address 0.0.0.0/0
set security nat source rule-set BCNET-NAT rule THouseVisitorWiFi then source-nat interface
Switching Visitor WiFi from the internal firewall and the VisWiFi zone to the wan-fw VRF and the BCNET zone:
delete interfaces reth0 unit 46 family inet address 142.90.255.254/24
deactivate security nat source rule-set BCNET-NAT rule TriumfVisitorWiFi
activate security nat source rule-set BCNET-BCNET rule TriumfVisitorWiFi
deactivate routing-instances internal-fw interface reth0.46
activate routing-instances wan-fw interface reth0.46
deactivate security zones security-zone FW-VisWiFi interfaces reth0.46
activate security zones security-zone BCNET interfaces reth0.46
------------------
delete interfaces reth0 unit 49 family inet address 142.90.254.254/24
deactivate security nat source rule-set BCNET-NAT rule THouseVisitorWiFi
activate security nat source rule-set BCNET-BCNET rule THouseVisitorWiFi
deactivate routing-instances internal-fw interface reth0.49
activate routing-instances wan-fw interface reth0.49
deactivate security zones security-zone FW-VisWiFi interfaces reth0.49
activate security zones security-zone BCNET interfaces reth0.49
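To confirm the intended end state before committing (example code added here, not part of the page's procedure), the script below replays the interface address set/delete lines from the gateway and cutover steps above and audits each reth0 unit for any address still inside 142.90.192.0/18, or for no private address being left at all. The command text is a constructed excerpt of the lines above, not the live firewall configuration.

```python
import ipaddress

RELEASED_BLOCK = ipaddress.ip_network("142.90.192.0/18")  # the block being freed for sale

# Constructed excerpt of the set/delete lines above for reth0 units 46 and 49 (sample, not the live config).
CUTOVER_CMDS = """\
set interfaces reth0 unit 49 family inet address 142.90.254.254/24
set interfaces reth0 unit 49 family inet address 192.168.74.254/24 primary
set interfaces reth0 unit 46 family inet address 142.90.255.254/24
set interfaces reth0 unit 46 family inet address 192.168.75.254/24 primary
delete interfaces reth0 unit 46 family inet address 142.90.255.254/24
delete interfaces reth0 unit 49 family inet address 142.90.254.254/24
"""

def apply_commands(cmds):
    """Replay 'set'/'delete ... family inet address' lines into {unit: {address: is_primary}}."""
    units = {}
    for line in cmds.splitlines():
        f = line.split()
        if len(f) < 9 or f[1] != "interfaces" or f[6:8] != ["inet", "address"]:
            continue  # description, vlan-id, mtu, NAT and zone lines carry no address
        unit, addr = int(f[4]), f[8]
        if f[0] == "set":
            units.setdefault(unit, {})[addr] = "primary" in f[9:]
        elif f[0] == "delete":
            units.get(unit, {}).pop(addr, None)
    return units

def audit(units):
    """Return {unit: [problems]} for units that still carry an address in RELEASED_BLOCK
    or that have no private (RFC 1918) address left at all."""
    problems = {}
    for unit, addrs in units.items():
        ips = {a: ipaddress.ip_interface(a).ip for a in addrs}
        found = [f"{a} still in {RELEASED_BLOCK}" for a, ip in ips.items() if ip in RELEASED_BLOCK]
        if not any(ip.is_private for ip in ips.values()):
            found.append("no private address configured")
        if found:
            problems[unit] = found
    return problems
```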