====== Network concept for Kraftwerk1 ======

^ Version ^ Status ^ Date ^ Author ^
| 0.1 | First draft | 20.12.2023 | Felix Köppel |
| 0.2 | Revision | 09.01.2024-11.01.2024 | Felix Köppel |
| 0.3 | Addition after measurements | 12.01.2024 & 15.01.2024 | Felix Köppel |
| 0.4 | Additions | 17.01.2024 & 18.01.2024 | Felix Köppel |
| 0.5 | Small additions | 24.01.2024 & 25.01.2024 | Felix Köppel |
| 0.6 | Additions to firewall, switch and devices | 02.02.2024 | Felix Köppel |
| 0.7 | Additions and channel allocation | 06.02.2024 | Felix Köppel, Fabio Pagotto |
| 0.8 | Further additions and planning update, setting up network PVID8 | 07.03.2024 & 14.03.2024 | Felix Köppel |
| 0.81 | Status update for internet subscription | 02.05.2024 | Felix Köppel |
| 1.0 | Last finalisations and final version | PENDING | Egil Rüefli, Felix Köppel, Fabio Pagotto |

This network concept was created by the project team of Rafisa Informatik GmbH.

===== Client: Building and housing co-operative Kraftwerk1 =====

Hardturmstrasse 134 \\ 8005 Zurich

^ Name ^ Position ^ E-mail address ^ Phone number ^
| Andreas Engweiler | Managing Director | andreas.engweiler@kraftwerk1.ch | 044 446 40 66 |
| Alex Hafner | Administration & Management | alex.hafner@kraftwerk1.ch | 044 446 40 64 |
| David Müller | Client representative \\ (Müller Schnörringer Architects sia) | dm@muellerschnoerringer.ch | 044 545 10 66 |
| Andreas Knecht | CEO Electrical installation company \\ (Züri Elektro AG) | andreas.knecht@zueri-elektro.ch | 044 209 92 90 |

===== Location of the property to be equipped =====

Hardturmstrasse 269 \\ 8005 Zurich

===== Project team: Rafisa Informatik GmbH =====

Bernstrasse 88 \\ 8953 Dietikon

^ Name ^ Position ^ E-mail ^ Phone number ^
| Fabio Pagotto | Responsible for Firewall and LAN | f.pagotto@rafisa.ch | +41 76 306 71 51 |
| Felix Köppel | Responsible for LAN, Firewall and WiFi | f.koeppel@rafisa.ch | +41 78 713 43 65 |
| Egil Rüefli | Project Manager | e.rueefli@rafisa.ch | +41 78 767 84 04 |

===== VLAN and IP address concept =====

This concept specifies the VLAN IDs, VLAN names and IP addresses including the subnet mask, the DHCP lease time and the function of each VLAN. The access authorisations between the VLANs are also specified.

==== VLAN concept & DHCP configuration concept ====

This concept contains the VLAN information and the DHCP configuration. Please note that VLAN 10 cannot be used, as this VLAN may be required for the Swisscom Internet connection. VLAN 9 is reserved for the fallback Internet connection. It should also be noted that this VLAN is only designed as a "virtual cable" from the server room to the top floor and is optional.

^ PVID ^ VLAN name ^ IP subnet ^ Subnet mask ^ Lease ^ Hosts (range) ^ Function ^
| 1 | VLAN01_MGMT | 10.1.1.0 | 255.255.255.0 | 30 days | 154 (.100 - .254) | Management VLAN -> management of all devices |
| 2 | VLAN02_IOT-WR | 10.1.2.0 | 255.255.255.128 | 30 days | 30 (.30 - .60) | Network only for inverters and automatic mailbox |
| 3 | VLAN03_IOT-MOB | 10.1.3.0 | 255.255.255.0 | 1 day | 250 (.3 - .253) | For mobility (Tesla etc.), e-mobile charging station |
| 4 | VLAN04_IOT | 10.1.4.0 | 255.255.255.0 | 30 days | 250 (.3 - .253) | All IoT devices |
| 5 | VLAN05_GAST | 10.1.5.0 | 255.255.255.0 | 1 hour | 250 (.3 - .253) | For guests. Has content filter (parental control and more) |
| 6 | VLAN06_Jugend | 10.1.6.0 | 255.255.255.0 | 1 hour | 250 (.3 - .253) | For all minors. Has content filter (parental control) |
| 7 | VLAN07_ERW | 10.1.7.0 | 255.255.255.0 | 1 hour | 250 (.3 - .253) | For adults |
| 8 | VLAN08_FAIRCUS | 10.1.8.0 | 255.255.255.0 | 1 day | 250 (.3 - .253) | Fair Customer network |
| 9 | VLAN09_FALLBACK | - | - | - | - | Virtual cable from top floor to firewall for LTE/5G fallback |

==== Filter information ====

The parental control filter includes NSFW filters and other content that young people are not allowed to access.
The additional filter in the guest network only makes e-mail, social media (YouTube, Instagram, Facebook and the like), web browsing and video platforms (Netflix and the like) available.

==== Authorisation matrix of the VLANs ====

^ VLAN ^ 01 ^ 02 ^ 03 ^ 04 ^ 05 ^ 06 ^ 07 ^ 08 ^ 09 ^ WAN ^
| 01_MGMT | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✘ | ✔ |
| 02_IOT-WR | ✘ | ✔ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✔ |
| 03_IOT-MOB | ✘ | ✘ | ✔ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✔ |
| 04_IOT | ✘ | ✘ | ✘ | ✔ | ✘ | ✘ | ✘ | ✘ | ✘ | ✔ |
| 05_GAST | ✘ | ✘ | ✘ | ✘ | ✔ | ✘ | ✘ | ✘ | ✘ | ✔ |
| 06_JUGEND | ✘ | ✘ | ✘ | ✘ | ✘ | ✔ | ✘ | ✘ | ✘ | ✔ |
| 07_ERW | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✔ | ✘ | ✘ | ✔ |
| 08_FAIRCUS | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✔ | ✘ | ✔ |
| 09_FALLBACK | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✔ | ✘ |

===== Network plan TARGET =====

The two network diagrams are intended to illustrate our concept. The logical plan shows how the devices communicate with each other. The Layer 3 plan shows the structure of the proposed VLANs.

==== Logical network plan ====

Will be added after the Internet package upgrade.

==== Layer 3 network plan ====

Will be added after the Internet package upgrade.

===== Network devices =====

^ Quantity ^ Device ^ Device manufacturer ^ Model ^ Note ^
| 1 | Modem | | | Supplied by Init7 |
| 1 | Firewall | Hunsn | RS41 | |
| 1 | Controller | Ubiquiti Networks | Cloud Key Gen2 Plus | |
| 1 | Switch | Ubiquiti Networks | USW-24-PoE | |
| 1 | Switch | Ubiquiti Networks | USW-Flex | Attic |
| 1 | PoE Injector | Ubiquiti Networks | U-POE-AT | For the switch on the top floor |
| 2 | Access Point | Ubiquiti Networks | U6-Pro | Top floor / slipper bar, for ultra high density |
| 4 | Access Point | Ubiquiti Networks | U6-Plus | All remaining rooms, for low/medium density |
| 2 | Access Point | Ubiquiti Networks | UAP-AC-Lite | Garage (WiFi 5 only, for better device compatibility) |
| 1 | Access Point | Ubnt (Ubiquiti Networks) | UAP | Legacy device for server room only - reused from before the rebuild |
| 1 | PoE Passive Injector | Ubnt (Ubiquiti Networks) | 24V passive PoE | Legacy device for server room only - reused from before the rebuild |

===== Network components: connection information =====

In order to have a better overview of all devices, a table was created listing the devices, including IP address allocation and VLAN access.

^ Device name ^ Host name ^ PVID ^ PVID tagged ^ IP address ^ Connection type ^ Location ^ Notes ^
| U6-Pro | ap-kw1-dg | 1 | 3, 4, 5, 6, 7, 8 | 10.1.1.13 | LAN | Attic floor | |
| U6-Pro | ap-kw1-pb | 1 | 3, 4, 5, 6, 7, 8 | 10.1.1.12 | LAN | Slipper bar | |
| U6-Plus | ap-kw1-kr | 1 | 3, 4, 5, 6, 7, 8 | 10.1.1.11 | LAN | Creative room | |
| U6-Plus | ap-kw1-jr | 1 | 3, 4, 5, 6, 7, 8 | 10.1.1.10 | LAN | Youth room | |
| U6-Plus | ap-kw1-kd | 1 | 3, 4, 5, 6, 7, 8 | 10.1.1.9 | LAN | Consumer depot | |
| U6-Plus | ap-kw1-gz | 1 | 3, 4, 5, 6, 7, 8 | 10.1.1.8 | LAN | Guest room | |
| UAP-AC-Lite | ap-kw1-gn | 1 | 3, 4, 5, 6, 7, 8 | 10.1.1.7 | LAN | Garage (North) | WiFi 5 only |
| UAP-AC-Lite | ap-kw1-gs | 1 | 3, 4, 5, 6, 7, 8 | 10.1.1.6 | LAN | Garage (South) | WiFi 5 only |
| UAP | ap-kw1-edv | 1 | 7 | 10.1.1.5 | LAN (24V passive) | IT room | LEGACY device |
| USW-Flex | sw-kw1-02 | | 1, 2, 3, 4, 5, 6, 7, 8, 9 | 10.1.1.4 | LAN TRUNK | Top floor | |
| USW-24-PoE | sw-kw1-01 | | 1, 2, 3, 4, 5, 6, 7, 8, 9 | 10.1.1.3 | LAN TRUNK | RK-KW1-01 | |
| Cloud Key Gen2 | uck-kw1-01 | 1 | | 10.1.1.2 | LAN | RK-KW1-01 | |
| Devices Fair Customer | | 8 | | DHCP | LAN & WiFi | Office () | |
| Devices adults | | 7 | | DHCP | WiFi | | |
| Devices youth | | 6 | | DHCP | WiFi | | |
| Devices guests | | 5 | | DHCP | WiFi | | |
| IoT end devices | | 4 | | DHCP | WiFi | | |
| TV attic | | 4 | | DHCP | LAN | Top floor | |
| Mobility devices | | 3 | | DHCP | WiFi | Garage | |

===== Terminal list: connectivity =====

==== List of end devices ====

The following table contains all the device types used, with the possible connection options and the connection recommended by us (or determined in meetings).
^ Quantity ^ Brand name ^ Device name ^ Device type ^ IT functionality ^ Proposed connection ^ Location ^
| | | | Inverter | Ethernet/WiFi | Ethernet | |
| | | | E-mobile | WiFi | WiFi | Garage |

==== Terminal list: network connection ====

^ Device name/brand ^ Device type ^ Connection type ^ PVID ^ IP address assignment ^ Hostname ^
| | Inverter | LAN | 2 | DHCP | - |
| | E-mobile | LTE/WiFi | 3 | DHCP | - |

===== Switch port assignment VLAN =====

Changes possible, not final yet!

==== sw-kw1-01 ====

Switch model: USW-24-POE, Ubiquiti Networks Switch 24 PoE Standard. PoE budget: 95 watts. Used in total: 75 watts.

^ Port ^ Patch ^ PVID (native/[tagged]/{profile}) ^ Device ^ MAC address ^ Power ^ Hostname / note ^
| 1 | - | 1 | Management laptop | | | Management only |
| 2 | - | | | | | FREE |
| 3 | UG04 | | | | | |
| 4 | EC07 | | | | | |
| 5 | EC05 | | | | | |
| 6 | EC06 | | | | | |
| 7 | EC04 | | | | | |
| 8 | UG02 | | | | | |
| 9 | - | 1 - UCK | Cloud Key Gen2 Plus | 70:a7:41:f9:65:63 | 13 W | uck-kw1-01 (RK-KW1-01) |
| 10 | UG03 | 1 [3, 4, 5, 6, 7, 8] {AP-Uplink} | UAP-AC-Lite | d8:b3:70:b6:a7:b8 | 6.5 W | ap-kw1-gs / Garage South (WiFi 5 only) |
| 11 | UG01 | 1 [3, 4, 5, 6, 7, 8] {AP-Uplink} | UAP-AC-Lite | d8:b3:70:b6:a8:16 | 6.5 W | ap-kw1-gn / Garage North (WiFi 5 only) |
| 12 | EG01 | 1 [3, 4, 5, 6, 7, 8] {AP-Uplink} | U6-Plus | d8:b3:70:e9:34:3c | 9 W | ap-kw1-gz / Guest room |
| 13 | EC12 | 1 [3, 4, 5, 6, 7, 8] {AP-Uplink} | U6-Plus | d8:b3:70:e6:d9:40 | 9 W | ap-kw1-kd / Consumer depot |
| 14 | EG11 | 1 [3, 4, 5, 6, 7, 8] {AP-Uplink} | U6-Plus | d8:b3:70:e9:06:68 | 9 W | ap-kw1-jr / Youth room |
| 15 | EG02 | 1 [3, 4, 5, 6, 7, 8] {AP-Uplink} | U6-Plus | d8:b3:70:e9:4d:60 | 9 W | ap-kw1-kr / Creative room |
| 16 | EG03 | 1 [3, 4, 5, 6, 7, 8] {AP-Uplink} | U6-Pro | e4:38:83:6b:47:31 | 13 W | ap-kw1-pb / Slipper bar |
| 17 | - | 1 [7, 8] - AP-EDV | UAP | 24:a4:3c:86:6c:e4 | - | ap-kw1-edv / EDV AP, 24V passive PoE injector |
| 18 | EG09 | | | | - | FAIR CUSTOMER |
| 19 | EG08 | | | | - | PACKAGE STATION |
| 20 | EG10 | | | | - | FAIR CUSTOMER |
| 21 | DG01 | | | | - | RESERVE ATTIC |
| 22 | DG02 | TRUNK {UPLINK} | USW-Flex Port 1 | ac:8b:a9:a5:ed:0e | - | Powered by PoE+ injector, uplink to sw-kw1-02 |
| 23 | - | TRUNK {UPLINK} | Firewall LAN2 | | - | Reserved - link aggregation to the firewall! - Disabled |
| 24 | - | TRUNK {UPLINK} | Firewall LAN1 | | - | Main uplink to the firewall |

==== sw-kw1-02 ====

^ Port ^ PVID (untagged/[tagged]/{profile}) ^ Device ^ MAC address ^ Power requirement ^ Device name/note ^
| 1 | TRUNK | Switch server room | d8:b3:70:5c:fd:77 | Power input | PoE+ injector |
| 2 | 7 | Undetermined | | - | Unknown |
| 3 | 7 | Network connection (cabinet) | | - | Connection in the cabinet |
| 4 | 7 | Network connection (table) | | - | Connection at the table |
| 5 | 1 [3, 4, 5, 6, 7, 8] {AP-Uplink} | U6-Pro | e4:38:83:72:96:71 | 13 W | ap-kw1-dg |

The TRUNK profile could be set on port 4 and a USW-Flex Mini connected there, which only consumes 2.5 watts; configured according to the requirements, it would provide additional Ethernet connections.

===== WiFi SSIDs, frequency bands and VLAN assignment =====

Felix has written down the WiFi SSIDs (WiFi network names), the encryption type, the VLAN allocation and the radio frequency bands here. Felix has also written down the bandwidth limitation for each network. The information is given from the client's point of view, i.e. 20/30 (up/dn) would be 20 Mbit/s upload and 30 Mbit/s download.

Shared Key is a new feature with which one SSID has several passwords. Depending on the password a client enters, it is placed into one VLAN or another. Several passwords can be stored, and for each password the VLAN its clients are sent to is specified.
^ SSID ^ PVID ^ Frequency band ^ Encryption ^ AP group ^ Devices ^ QoS (Mbit/s) ^ Other ^
| KW1-DEBUG | 1 | 2.4 GHz & 5 GHz | WPA3-SAE | All | Admins & test devices | unlimited | Only active during debugging |
| KW1-Mobility | 3 | 2.4 GHz & 5 GHz | WPA2-PSK | GARAGE | Cars, mobility end devices | 40/40 (up/dn) | Active |
| KW1 | 1, 4, 5, 6, 7, 8 | 2.4 GHz & 5 GHz | WPA2-PSK | All | All devices | 50/50 (up/dn) | Active with shared key |
| KW1-EDV | 7 | 2.4 GHz | WPA2-PSK | EDV | Admins in the IT room | unlimited | Only active on the AP in the EDV room! |

==== Radio settings ====

^ ^ ^ 2.4 GHz frequency band ^^^ 5 GHz frequency band ^^^ ^
^ AP host name ^ AP group ^ Channel ^ Bandwidth ^ TX power ^ Channel ^ Bandwidth ^ TX power ^ More ^
| ap-kw1-edv | EDV | Auto | 20 MHz | 23 dBm | - | - | - | 2.4 GHz only |
| ap-kw1-gn | GARAGE, GN | 9 | 20 MHz | 20 dBm | 48 | 80 MHz | 20 dBm | WiFi 5 only |
| ap-kw1-gs | GARAGE, GS | 5 | 20 MHz | 20 dBm | 64 | 80 MHz | 20 dBm | WiFi 5 only |
| ap-kw1-kd | KD, All | 13 | 20 MHz | 17 dBm | 64 | 40 MHz | 23 dBm | |
| ap-kw1-gz | GZ, All | 1 | 20 MHz | 17 dBm | 136 | 40 MHz | 23 dBm | |
| ap-kw1-jr | JR, All | 5 | 20 MHz | 26 dBm | 136 | 40 MHz | 26 dBm | Relief for KR |
| ap-kw1-kr | KR, All | 1 | 20 MHz | 26 dBm | 52 | 80 MHz | 26 dBm | Relief for PB |
| ap-kw1-pb | PB, All | 5 | 20 MHz | 22 dBm | 128 | 80 MHz | 26 dBm | Outdoor mode |
| ap-kw1-dg | DG, All | 5 | 20 MHz | 22 dBm | 128 | 80 MHz | 26 dBm | Outdoor mode |

===== VPN configurations =====

Will be added later!

===== Internet connection =====

In realisation phase. Upgrade to Init7 fibre 1/1 Gbit/s with media converter and TV subscription - confirmed! The order is not yet finalised.

Currently: Swisscom fibre connection 40/40 Mbit/s with Swisscom Internet Box Standard.

==== Fallback solution ====

Mobile provider/subscription: Unknown

4G/5G modem: To be added!

To be completed!

===== IPTV =====

To be added! Existing Blue TV with sports subscription.

===== Documentation of the settings =====

https://wiki.rafisa.net/doku.php?id=de:intern:dokumentationen:log_unifi-cloud-key_access-point_konfigurieren
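The VLAN/DHCP table and the authorisation matrix above can be checked mechanically before the firewall rules are typed in. The Python script below is an added example for this page, not part of the Rafisa concept and not the configuration of the UniFi controller or the Hunsn firewall. It transcribes the VLAN table and the matrix from this page; everything else (the function names, the default-deny rule expansion and the assumption that the firewall holds .1 in every routed VLAN, which the page does not state) is an assumption of the example.

```python
"""Consistency checks for a VLAN/DHCP plan and an inter-VLAN authorisation matrix.
Added example; the VLAN table and matrix are transcribed from the network concept,
all function names and the gateway-at-.1 assumption are this example's own."""
import ipaddress

# Transcribed from "VLAN concept & DHCP configuration concept":
# (PVID, VLAN name, network, subnet mask, first DHCP host octet, last DHCP host octet)
VLANS = [
    (1, "VLAN01_MGMT",    "10.1.1.0", "255.255.255.0",   100, 254),
    (2, "VLAN02_IOT-WR",  "10.1.2.0", "255.255.255.128",  30,  60),
    (3, "VLAN03_IOT-MOB", "10.1.3.0", "255.255.255.0",     3, 253),
    (4, "VLAN04_IOT",     "10.1.4.0", "255.255.255.0",     3, 253),
    (5, "VLAN05_GAST",    "10.1.5.0", "255.255.255.0",     3, 253),
    (6, "VLAN06_Jugend",  "10.1.6.0", "255.255.255.0",     3, 253),
    (7, "VLAN07_ERW",     "10.1.7.0", "255.255.255.0",     3, 253),
    (8, "VLAN08_FAIRCUS", "10.1.8.0", "255.255.255.0",     3, 253),
]
# Stated on the page: VLAN 9 is a layer-2 "virtual cable" without IP, VLAN 10 may be
# needed by the Swisscom uplink. Neither may carry a routed subnet.
RESERVED = {9: "fallback virtual cable, no IP", 10: "may be required by the Swisscom uplink"}
GATEWAY_OCTET = 1  # assumption: the firewall holds .1 in every routed VLAN

# Transcribed from "Authorisation matrix of the VLANs": destinations (PVID or "WAN")
# that each source VLAN may initiate connections to.
ALLOW = {
    1: {1, 2, 3, 4, 5, 6, 7, 8, "WAN"},
    2: {2, "WAN"}, 3: {3, "WAN"}, 4: {4, "WAN"}, 5: {5, "WAN"},
    6: {6, "WAN"}, 7: {7, "WAN"}, 8: {8, "WAN"},
    9: {9},
}


def dhcp_pool(network, mask, first, last):
    """Return (subnet, pool start, pool end) for an octet range such as .3 - .253."""
    net = ipaddress.IPv4Network(f"{network}/{mask}")
    base = int(net.network_address)
    return net, ipaddress.IPv4Address(base + first), ipaddress.IPv4Address(base + last)


def check_addressing(vlans=VLANS, reserved=RESERVED):
    """Return a list of problems in the addressing plan; empty means it is consistent."""
    problems, seen = [], []
    for pvid, name, network, mask, first, last in vlans:
        if pvid in reserved:
            problems.append(f"{name}: PVID {pvid} is reserved ({reserved[pvid]})")
        net, start, end = dhcp_pool(network, mask, first, last)
        # The pool must lie inside the usable host range (not network/broadcast address).
        if first > last or start < net.network_address + 1 or end > net.broadcast_address - 1:
            problems.append(f"{name}: DHCP pool {start}-{end} is outside the usable range of {net}")
        # The pool must not hand out the gateway address.
        if start <= net.network_address + GATEWAY_OCTET <= end:
            problems.append(f"{name}: DHCP pool covers the gateway address .{GATEWAY_OCTET}")
        # Two VLANs sharing address space would break routing between them.
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: subnet {net} overlaps {other_name} ({other})")
        seen.append((name, net))
    return problems


def is_allowed(src, dst, allow=ALLOW):
    """True if a client in VLAN src may initiate a connection to dst (a PVID or "WAN")."""
    return dst in allow.get(src, set())


def check_matrix(allow=ALLOW, mgmt=1, fallback=9):
    """Check the segmentation intent: only MGMT crosses VLAN boundaries, every routed
    VLAN reaches the Internet, and the fallback VLAN is isolated."""
    problems = []
    for src, dsts in allow.items():
        lateral = {d for d in dsts if d not in (src, "WAN")}
        if src != mgmt and lateral:
            problems.append(f"VLAN {src}: lateral access to {sorted(lateral)}")
        if src == fallback and dsts - {src}:
            problems.append(f"VLAN {src}: fallback VLAN must stay isolated")
        elif src != fallback and "WAN" not in dsts:
            problems.append(f"VLAN {src}: no Internet access")
    return problems


def firewall_rules(allow=ALLOW, vlans=VLANS):
    """Expand the matrix into an ordered, default-deny list of
    (source subnet, destination, action) tuples, first match wins."""
    subnet = {p: str(ipaddress.IPv4Network(f"{n}/{m}")) for p, _, n, m, _, _ in vlans}
    rules = []
    for src in sorted(allow):
        if src not in subnet:          # VLAN 9 has no subnet, nothing to route
            continue
        dsts = allow[src]
        for dst in sorted(d for d in dsts if d not in (src, "WAN")):
            rules.append((subnet[src], subnet[dst], "allow"))
        if "WAN" in dsts:
            # "Internet" means everything except the other internal subnets, so deny
            # those explicitly first; a bare "allow any" would reopen lateral paths.
            for pvid in sorted(subnet):
                if pvid != src and pvid not in dsts:
                    rules.append((subnet[src], subnet[pvid], "deny"))
            rules.append((subnet[src], "any", "allow"))
    rules.append(("any", "any", "deny"))
    return rules


if __name__ == "__main__":
    for problem in check_addressing() + check_matrix():
        print("PROBLEM:", problem)
    for rule in firewall_rules():
        print(*rule)
```

The rule expansion keeps the matrix's asymmetry: MGMT may open connections into every other VLAN, but no VLAN gets a rule towards MGMT. That only works on a firewall that tracks connection state, so that replies to MGMT-initiated sessions are accepted without a reverse allow rule; on a stateless packet filter the management VLAN would be cut off from its own devices' answers.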