Initial commit
olivernyc committed Aug 7, 2018
0 parents commit 279174b
Showing 88 changed files with 2,046 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .gitignore
@@ -0,0 +1,2 @@
.DS_Store
public
6 changes: 6 additions & 0 deletions archetypes/default.md
@@ -0,0 +1,6 @@
---
title: "{{ replace .Name "-" " " | title }}"
date: {{ .Date }}
draft: true
---

3 changes: 3 additions & 0 deletions config.toml
@@ -0,0 +1,3 @@
baseURL = "http://example.org/"
languageCode = "en-us"
title = "NYC Mesh Documentation"
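Review bot: `baseURL` on the first line is still the placeholder `http://example.org/`, so any absolute URL the site generator builds from it will point at example.org rather than at the documentation site. Set it to the real documentation host with an `https://` scheme before this is deployed, or override it at build time and note that in a comment here.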
7 changes: 7 additions & 0 deletions content/Hardware/_index.md
@@ -0,0 +1,7 @@
---
layout: default
title: Hardware
---

# This is a great hardware section!
* Blah
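Review bot: the body of this section index is placeholder text (`# This is a great hardware section!` and `* Blah`) and will be published as the Hardware landing page. Replace it with a one-line description of the section, or leave the body empty, so the placeholder does not ship.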
141 changes: 141 additions & 0 deletions content/Hardware/epr6.md
@@ -0,0 +1,141 @@
---
layout: default
title: Ubiquiti EdgePoint R6
category: Hardware
---

The EP-R6 is an outdoor rooftop switch/router with 6 ports ( 5 GigE, 1 SFP ).
It supports PoE, but only Ubiquiti's 24v Passive PoE style, not any of the fancier types.

It can be configured in switch mode ( just a switch, with a management console ) or routing mode ( hub node setup, BGP, etc ).

## Reset ##
To factory reset an EP-R6, press and hold the reset button, by the ethernet plugs, for about 10 seconds until the eth4 LED begins to flash, then release the button. The device will reboot and reset.

Or, reset it via the CLI by running the following commands:
```
sudo cp /opt/vyatta/etc/config.boot.default /config/config.boot
reboot
```

## Connecting ##
The EP-R6 has a Web GUI and CLI.
The initial IP address out of the box is 192.168.1.1, the Web GUI is at https://192.168.1.1
Set you computer's local IP to something similar ( 192.168.1.5 ), and connect to switch on port _eth0_.

Although there is a Web GUI, using SSH can allow for a much more rapid workflow. If possible, use that.
Here is an example of SSHing to the EdgePoint when it is in factory default mode:
```
laptop$ ssh -o StrictHostKeyChecking=no [email protected]
Welcome to EdgeOS
...
[email protected]'s password: ubnt
Linux ubnt 3.10.14-UBNT #1 SMP Wed Nov 11 14:42:04 PST 2015 mips
Welcome to EdgeOS
ubnt@ubnt:~$
```
From here you can apply commands such as the ones below.

## Device idiosyncrasies

# Hardware NAT
If using the device as a router in NAT mode ( not router on the mesh ), the default settings will yield a very slow connection.
Hardware NAT should be enabled, which was just possible as of firmware version v1.9.7.
This page at Ubnt discusses more: https://help.ubnt.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading-Explained

To enable hardware offload on this model, perform the following commands on the CLI:
```
configure
set system offload hwnat enable
commit
save
exit
```

## Wireguard VPN
coming


## Switched Mode ##
To convert the EP-R6 to switched mode, follow these steps.
This will create a switch, move all ports to it, move the management interface IP to it.
As opposed to some documentation, it is not necessary to move some ports at a time and change the IP. This can all be applied at one time.

```
configure
delete interfaces ethernet eth0 address
set interfaces switch switch0 switch-port interface eth0
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 address 192.168.1.1/24
commit
save
exit
```

## Routed Mode ( NYCMesh Hub Node - BGP ) ##
You will need to know the following to be able to continue:
BGP ASN - Autonomous System Number within the network
Gateway Node Y/N - Are we going to be a gateway exit node
Peers ASN and IP - What are our Peer ASN and IP that we will connect with
Local Subnet - What local network will we have? One? Many?

Configuration:
The following sections below may be used in-part or in-whole depending on the need:
* Route Filters / Prefix list - Allows or denies certain ranges from the network. Good for ensuring functionality
- The current filter set for NYCMesh can be found at [Filter](/network/filter)
*

Example Parameters:
ASN: 65012
Gateway: N
Peer ASN: 65010
Peer IP: 10.180.14.1
Local Subnet: 10.70.50.0/24
```
configure
## Filters ##
set policy prefix-list nycmeshprefixes rule 10 prefix 10.0.0.0/8
set policy prefix-list nycmeshprefixes rule 10 ge 22
set policy prefix-list nycmeshprefixes rule 10 le 32
set policy prefix-list nycmeshprefixes rule 10 action permit
set policy prefix-list nycmeshprefixes rule 20 prefix 172.16.0.0/12
set policy prefix-list nycmeshprefixes rule 20 ge 24
set policy prefix-list nycmeshprefixes rule 20 le 32
set policy prefix-list nycmeshprefixes rule 20 action permit
set policy prefix-list defaultroute rule 10 prefix 0.0.0.0/0
set policy prefix-list defaultroute rule 10 action permit
set policy route-map nycmeshroutes rule 10 action permit
set policy route-map nycmeshroutes rule 10 match ip address prefix-list nycmeshprefixes
# BGP Config
set protocols bgp 65012
set protocols bgp 65012 neighbor 10.180.14.1 remote-as 65010
set protocols bgp 65012 neighbor 10.180.14.1 soft-reconfiguration inbound
set protocols bgp 65012 neighbor 10.180.14.1 nexthop-self
set protocols bgp 65012 neighbor 10.180.14.1 route-map import nycmeshroutes
set protocols bgp 65012 neighbor 10.180.14.1 route-map export nycmeshroutes
# BGP Network Config
set protocols bgp 65012 network 10.70.50.0/24
set protocols static route 10.70.50.0/24 blackhole
# Save and Reset BGP
commit
save
clear ip bgp all
```







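Review bot: the SSH example under Connecting passes `-o StrictHostKeyChecking=no` and logs in with the factory `ubnt` password, and nothing on the page tells the reader to change that password before the unit goes on a roof. Add a step right after first login to set a new admin password, and a sentence saying the host-key option is only for a freshly reset device on a directly attached cable. In the routed-mode block, the `defaultroute` prefix-list is defined but no route-map references it, and the same `nycmeshroutes` map is applied to both import and export, so the page should state whether a non-gateway node (`Gateway: N` in the example) is meant to accept a default route from its peer. Smaller points: `# Hardware NAT` is a level-1 heading inside a level-2 section, the Configuration list ends in an empty `*` bullet, and the Wireguard section contains only `coming`.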
6 changes: 6 additions & 0 deletions content/Hardware/litebeamac.md
@@ -0,0 +1,6 @@
---
layout: default
title: Ubiquiti Litebeam AC
category: Hardware
---
Also a radio
7 changes: 7 additions & 0 deletions content/Hardware/mikrotikomnitik.md
@@ -0,0 +1,7 @@
---
layout: default
title: MikroTik OmniTik
category: Hardware
---

This is a potential replacement for the ubnt EP-R6 we have been using. It comes with five Gigabit Ethernet ports and an omni antenna. It would be ideal for hub nodes. There is also a model without POE for some reason. Avoid that one.
9 changes: 9 additions & 0 deletions content/Hardware/mikrotikpowerboxpro.md
@@ -0,0 +1,9 @@
---
layout: default
title: MikroTik Powerbox Pro
category: Hardware
---

The PowerBox Pro is an outdoor five gigabit ethernet port router with PoE output on four ports. Since the device has a waterproof outdoor case, you can mount it on a tower, or in other outdoor locations.

It also supports passive PoE input and passive or 802.3af/at PoE output. Ethernet ports 2-5 can power other PoE capable devices with the same voltage as applied to the unit. Less power adapters and cables to worry about! It can power 802.3at and af mode B compatible devices, if 48-57 input voltage is used.
127 changes: 127 additions & 0 deletions content/Hardware/nsm5.md
@@ -0,0 +1,127 @@
---
layout: default
title: Ubiquiti Nanostation M5
category: Hardware
---

The NanoStation M5 is a workhorse of mesh networks. There are two versions XM (pre 2016) and XW. It is 802.11n and 10/100 ethernet, so not the fastest on the block, but it has good support from OpenWRT. It also has two ethernet ports usually set up as WAN and LAN. Recent versions require downgrading AirOS before you flash.

NanoStation NSM5 installs

**Hardware**

The simplest install is to use an existing vertical pipe and the two plastic ties that are included with the router. Also a thick PVC pipe can be attached to a railing using clamps.

![roof install](/img/nsm5/roof-87.jpg)

If you need to aim the router up or down you can use a [nanobracket](https://www.streakwave.com/itemdesc.asp?ic=NBU001).

![nanobracket](/img/nsm5/nanobracket.jpg)

The [Ubiquiti window/wall mount](http://www.amazon.com/Ubiquiti-Networks-NanoStation-Window-Mount/dp/B004EHUR8U) is a versatile mount that comes with a suction cup for windows or a screw mount for walls. The parts are reversible so the NSM5 can face either way and it also has vertical and horizontal adjustment to point in almost any direction.

![window/wall install](/img/nsm5/ubiquiti-window-wall-mount.jpg)

The [Ubiquiti universal antenna mount](http://www.amazon.com/gp/product/B006J1WSGI/) can be used on rooftops or walls, where a very strong mount is needed.

![universal antenna mount](/img/nsm5/ubiquiti-universal-mount.jpg)

**Window**

Outside:
On the outside of the window it is best to use a Ubiquiti wall/window mount. The suction cup is not recommended for long-term installs.

![window outside](/img/nsm5/window-cup-outside.jpg)

Inside:
It is often more convenient to install inside the window. You will lose about 2db of signal but that is usually ok.

Velcro is the easiest way to install a NanoStation if it will be facing the same direction as the window. Use more velcro than in the picture (this install slipped down the window after six months!)

![velcro](/img/nsm5/velcro.jpg)![velcro](/img/nsm5/window-velcro-off.jpg)

![window velcro](/img/nsm5/window-velcro-on.jpg)

A Ubiquiti suction cup mount can be used if you need to point the router at an angle. The suction cup will fail eventually (usually on very hot or very cold days), so do not use this for long-term installs.

![window/wall install](/img/nsm5/window-cup-inside.jpg)

**Rooftop**

Often rooftops have an existing unused pipe or abandoned antenna pole that can be used.

![pipe](/img/nsm5/pipe.jpg)

A Ubiquiti bracket is good if you have a drillable surface such as brick or cement.

![bracket](/img/nsm5/bracket-200.jpg)

**Wall**

A simple wall mount can be made using a small, thin piece of wood and the two plastic ties that come with the router. This will not give you much choice in direction.

![window/wall install](/img/nsm5/wall.jpg)
[source](https://www.telcoantennas.com.au/site/how-extend-wifi-coverage-using-ubiquiti-nanostation)

![window/wall install](/img/nsm5/wall-201.jpg)

The Ubiquiti window/wall mount comes with both a suction cup for windows and a screw mount for walls. Use this screw mount on a wall so you can point the router in the best direction.

![window/wall install](/img/nsm5/windowwall2.jpg)![window/wall install](/img/nsm5/windowwall.jpg)

**Tree**

Sometimes a tree is the best place for your NanoStation.

![tree](/img/nsm5/tree.jpg)

**Ethernet**

Outdoor routers use "power over ethernet" (POE). A small adapter is used to add power to the ethernet. This means you only need to run one ethernet cable to the device.

The most important thing about the cable and is that it is "outdoor" cable. Otherwise the plastic will decay in the weather. We use Cat 5e. A cable run must be less than 100m (300 feet), or the signal and voltage drop will be too much.

There are two ethernet ports on the NanoStation and these are a source of confusion. Like most outdoor routers they get their power over the ethernet cable. They come with an adapter that adds 24V of power to the cable. Be careful plugging live cables into ports that are not expecting a voltage.

Here are two ways to wire your NSM5:

**Setup 1 (client)**

You are connecting to a remote gateway that is providing your internet. You plug the ethernet cable into the "main" (LAN) port of the NSM5. The cable goes to the power adapter POE. "LAN" on the POE adapter goes to the WAN of an indoor router.

(Sometimes people are close enough to the NSM5 that they don't bother with the indoor router.)

**Setup 2 (gateway)**

You are sharing your existing internet with your neighbors. You plug the ethernet into the "secondary" (WAN) port of the NSM5. The cable goes to the power adapter POE. "LAN" on the POE adapter goes to the LAN of your existing indoor router.

**Powering two from one adapter**

If you need to install two NanoStations you can simply run a cable from the spare ethernet port to the other NSM5. If the POE is plugged into the secondary port (gateway setup) then the "main" will act as passthrough to the second NSM5.

To turn on passthrough from main to secondary you need to do this [(source)](https://wiki.openwrt.org/toh/ubiquiti/nanostationm5)-

```
# older nanostation XM (pre-2015)
echo 8 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio8/direction
echo 1 > /sys/class/gpio/gpio8/value
# disable with echo 0 > /sys/class/gpio/gpio8/value
```

```
# nanostation XW (2015-)
echo 2 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio2/direction
echo 1 > /sys/class/gpio/gpio2/value
# disable with echo 0 > /sys/class/gpio/gpio2/value
```

I've found this setting doesn't stick after reboot, so you need to add it to /etc/rc.local (local startup)-
[http://admin.qmp/cgi-bin/luci/admin/system/startup](http://admin.qmp/cgi-bin/luci/admin/system/startup)

**LAN vs WAN confusion**

On the NSM5 the **"main" port is LAN** and the **secondary is "WAN"**. This is the most confusing thing about the router and mixing this up is the cause of most problems. **Always connect WAN on one router to LAN on another!**

If you connect LAN to LAN it will be unstable as each LAN port usually has a DHCP server and both ports will be trying to assign an IP address to the other. Also don't connect WAN to WAN as this makes no sense. This is by far the biggest problem with people setting up routers and it is so simple to avoid.
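Review bot: the cut-over between XM and XW hardware is dated two ways, `XM (pre 2016)` in the opening paragraph and `older nanostation XM (pre-2015)` / `nanostation XW (2015-)` in the passthrough code comments, and that date decides whether the reader exports gpio8 or gpio2. Pick one date and tell the reader how to confirm the hardware revision on the device itself rather than by purchase year. The passthrough section should also repeat the warning from the Ethernet section, because enabling passthrough puts the adapter's 24V on the other port and on whatever is plugged into it. Smaller points: the `/etc/rc.local` step only links to `http://admin.qmp/...`, which looks like a device-local hostname that will not resolve for most readers, so spell out the lines to add instead; and `100m (300 feet)` understates the conversion, since 100 m is about 328 feet.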
65 changes: 65 additions & 0 deletions content/Hardware/sxtsqg5acd.md
@@ -0,0 +1,65 @@
---
layout: default
title: Mikrotik SXTsq G-5acD
category: Hardware
---

The SXTSQ 5acD ( sxtsq ) is a small client access antenna that is 802.11 standards compliant antenna ( and also nstream mikrotik if available ).
The device was released in early 2018 and is capable of gigabit-level speeds with 80Mhz wide 802.11ac wifi connections.


# Uses
* LinkNYC Kiosk connection
* Hub node connection ( for standard 802.11ac hubs )


# Device idiosyncrasies

## License
Mikrotik software usually requires a license, though all Mikrotik devices come with an internal license, which varies with the model.
This antenna comes with a "Level 3" license which technically only allows it to function as a CPE, not an AP. Therefore this device can not be used as a base station.

## US vs International version
On the positive side, it is a great CPE and can connect to DFS channels ( international version ) and other intersting features such as EAP TTLS authentication.
As a precaution, this antenna has a US version and an International version. The US version is locked to "united states3" channels which are the non-DFS range.
The international version also has US settings, but it has two additional "united states" channel selections all for valid legal US channels. To function on LinkNYC and other DFS networks, the international version is required, but be sure to put it in "united states2" mode before using it.


# Reset
To factory reset an SXTsq, hold down the RouterBOOT reset button (located behind the front panel) during boot time until LED light starts flashing, then release the button to reset RouterOS configuration (total 5 seconds).


# Connecting
The initial IP address out of the box is 192.168.88.1, so set you computer’s local IP to something similar ( 192.168.88.5 ). The username is admin and there is no password.


# Configuration lines

## LinkNYC Kiosk connection ( encrypted )
LinkNYC kiosks have both an unencrypted and encrypted network available. They function similarly and have the same internet available.
The encrypted version is using a fancy feature which is marketed as "passpoint" ( an authentication tech that cable internet provider are trying to leverage that allows you to roam across an area with a login ).
The encrypted network is more secure because no traffic can be sniffed between the kiosk and your CPE. Additionally there is no captive portal, which is a major positive.

The bottom line of passpoint is that it's EAP ( Enterprise Authentication Protocol ) TTLS ( Tunnelled TLS ) which is fancy for saying a login and password.
To cover all these technical details, there are auto-config profiles that can be deployed to devices such as a phone. Once you login t othe unencrypted network, a captive portal prompts you to click a button, and if your device is supported, download a profile and reconnect to the encryted network.
Today, only iPhones are supported with the auto-config feature, which is no fun. However, it's technically possible to connect with any capable device if you have the connection profile.
My taking the profile from an iPhone, we can extract the pieces needed to connect a standard antenna such as the sxtsq.

After powering on an sxtsq, configure it as a CPE with routing, NAT, and DHCP on the internal port.
Then, to configure the radio, apply the following lines on the CLI:
( This can be performed graphically, but it may be faster to paste these lines. )

```
/interface wireless security-profiles
add authentication-types=wpa-eap,wpa2-eap eap-methods=eap-ttls-mschapv2 group-ciphers=tkip,aes-ccm mode=dynamic-keys mschapv2-password=5fsOpxER [email protected] name=linknyc [email protected] tls-mode=dont-verify-certificate unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country="united states2" default-authentication=no disabled=no frequency=auto security-profile=linknyc ssid="LinkNYC Private" wireless-protocol=802.11
/interface wireless connect-list
add interface=wlan1 security-profile=linknyc ssid="LinkNYC Private" wireless-protocol=802.11
```

Be sure to shutdown the antenna properly the first time to ensure the config is saved. This is not required, but Mikrotik antennas are especially sensitive to being powered off with no proper shutdown.


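Review bot: the security-profile line in the LinkNYC block commits what looks like a live `mschapv2-password` value and account name to the docs repo, and sets `tls-mode=dont-verify-certificate`, so the CPE will attempt to authenticate to any access point announcing the `LinkNYC Private` SSID without checking who it is talking to. That undercuts the paragraph above it, which says the encrypted network is more secure. Replace the credential with a placeholder, describe where the reader obtains their own, and have the profile verify the server certificate against the CA taken from the same connection profile instead of skipping the check. The same line allows `wpa-eap` and `tkip` alongside `wpa2-eap` and `aes-ccm`; drop the older options unless the kiosks require them. Smaller points: EAP stands for Extensible Authentication Protocol, not `Enterprise Authentication Protocol`; the Connecting section notes that `admin` has no password without telling the reader to set one; and there are typos to fix (`intersting`, `t othe`, `encryted`, `My taking`).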
12 changes: 12 additions & 0 deletions content/Hardware/tplink.md
@@ -0,0 +1,12 @@
---
layout: default
title: TP-Link Router
category: Hardware
---

# When setting up this router, do the following:
* Turn the guest network on.
* Set the guest SSID to exactly "-NYC Mesh Community WiFi-" (including the dashes).

Any other SSID you set up can be named whatever the new member wants (eg "nycmesh my cat's name").

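Review bot: the two setup steps turn on a guest network with a fixed SSID but do not say whether it should be open or passworded, whether guest clients should be isolated from the member's own LAN, or that the router's default admin password should be changed. Add each of those as an explicit step in the list. Also, `# When setting up this router, do the following:` is a sentence marked up as a level-1 heading; make it plain text above the list.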