Philip Paeps edited this page Oct 24, 2025 · 6 revisions

Dim Sum Labs network notes

This page reflects reality as of late October 2025.

DNS zones

  • dimsumlabs.com

    • Registered by Philip
    • Hidden master DNS hosted by Philip (as of September 2025)
      • Philip and Hamish can push changes
    • Public DNS by he.net
      • Pulls from Philip's hidden master
  • dimsumlabs.org (unused)

    • Registered by Philip (as of September 2025)
    • Empty zone. Forwards to dimsumlabs.com
    • Same configuration as dimsumlabs.com
  • in.dimsumlabs.com

    • Internal namespace for hosts inside the space
    • Served by the ns0.in.dimsumlabs.com jail on tofu.in.dimsumlabs.com
  • certbot.dimsumlabs.com

    • Dynamic zone that receives the _acme-challenge TXT records for LetsEncrypt.org DNS-01 validation. The _acme-challenge names in dimsumlabs.com are CNAMEs into this zone, so nsupdate only ever writes here and never to dimsumlabs.com itself
    • Served by the ns0.in.dimsumlabs.com jail on tofu.in.dimsumlabs.com

Tunnel

Go via space.dimsumlabs.com, e.g.:

Network configuration

# Notes:
#  - IPv4: 172.31.0.0/20
#          172.31.X.0/24            X  = VLAN ID - 100 (a /23 takes X and X+1)
#  - IPv6: 2001:470:fbdc::/48
#          2001:470:fbdc:6XX::/64   XX = VLAN ID in hex, e.g. VLAN 100 = 0x64 -> 6064
#

IPv4 from PCCW (dynamic)
IPv6 from HE.NET (static via tunnel)

VLAN 100 "service" for furniture: 172.31.0.0/24 & 2001:470:fbdc:6064::/64
VLAN 102 "public" for WiFi: 172.31.2.0/23 & 2001:470:fbdc:6066::/64
VLAN 112 "pilates-body" for neighbour's WiFi: 172.31.12.0/23 & 2001:470:fbdc:6070::/64
VLAN 115 "netmgmt" for network management: 172.31.15.0/24 & 2001:470:fbdc:6073::/64

(The network number encodes the VLAN number.)

Infrastructure

pfSense.in.dimsumlabs.com is a Netgate 2100 appliance running pfSense Plus.

Configure it through the web interface listening on 172.31.0.1 (on the service VLAN). Philip and Nigel have access.

tofu.in.dimsumlabs.com is a single-board computer from Kettop running FreeBSD.

Configuration files:

  • /etc/rc.conf: system and network configuration
  • /etc/jail.conf: jail configuration

Jails:

  • ns0.in.dimsumlabs.com: hidden master DNS for internal zones
  • unifi.in.dimsumlabs.com: Ubiquiti UniFi controller for the Wi-Fi
  • webfront.in.dimsumlabs.com: reverse proxy for web services inside the space (e.g. door)
  • certbot.in.dimsumlabs.com: acme.sh client for issuing and renewing LetsEncrypt.org certificates

TLS certificates for internal hosts

We run acme.sh in the certbot jail on tofu.in.dimsumlabs.com.

To issue a LetsEncrypt.org certificate for an internal service (e.g. door), an RSA-4096 and an ECDSA P-256 certificate are both issued, with the DNS-01 challenge answered from the dynamic certbot.dimsumlabs.com zone:

  1. Add _acme-challenge.door CNAME _acme-challenge.certbot to the dimsumlabs.com zone on the hidden master and wait for the he.net public servers to pick it up. The CNAME is what lets acme.sh place the challenge TXT record in the certbot zone, so the nsupdate key in the jail never needs write access to dimsumlabs.com itself.
  2. Issue and deploy the certificates, as root on tofu.in.dimsumlabs.com (the first two commands give you a shell as the acme user inside the jail; --ecc selects the ECDSA certificate for the second deploy):
# jexec certbot
# su - acme
$ acme.sh --issue -k 4096 -d door.dimsumlabs.com --dns dns_nsupdate --challenge-alias certbot.dimsumlabs.com
$ acme.sh --issue -k ec-256 -d door.dimsumlabs.com --dns dns_nsupdate --challenge-alias certbot.dimsumlabs.com
$ acme.sh --deploy --deploy-hook dimsumlabs -d door.dimsumlabs.com
$ acme.sh --deploy --deploy-hook dimsumlabs -d door.dimsumlabs.com --ecc

See the notes in /var/db/acme/README in the certbot jail for more information on the acme.sh bits. See the comments in /usr/local/etc/namedb/named.conf in the ns0 jail for more information on the DNS bits.
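An added wrapper for the procedure above (example code, not one of the certbot jail's own scripts): it first checks that the _acme-challenge CNAME is really published before acme.sh tries to validate, then runs the four commands for one host. It assumes it is run as the acme user in the certbot jail, that acme.sh is on PATH with its dns_nsupdate settings (NSUPDATE_SERVER, NSUPDATE_KEY) already saved as described in /var/db/acme/README, that the dimsumlabs deploy hook exists as on this page, and that drill(1) from FreeBSD base (or dig) is available. The answer parser is exercised against a constructed answer line so the script can be checked offline.

```sh
#!/bin/sh
# Added example; not part of the Dim Sum Labs wiki and not the certbot jail's
# own tooling. Wraps the page's four acme.sh commands for one internal host
# into a script with a pre-flight check that the _acme-challenge CNAME is
# actually published before acme.sh tries to answer the DNS-01 challenge.
# Assumes: run as the acme user inside the certbot jail; acme.sh on PATH with
# its dns_nsupdate settings (NSUPDATE_SERVER, NSUPDATE_KEY) already saved as
# described in /var/db/acme/README; the "dimsumlabs" deploy hook from the
# page; drill(1) (FreeBSD base) or dig(1) available for the lookup.

ZONE=dimsumlabs.com
ALIAS=certbot.$ZONE      # dynamic zone that receives the TXT records

# acme_cname_record HOST -> the record the dimsumlabs.com zone needs, in zone-file form
acme_cname_record() {
  printf '_acme-challenge.%s CNAME _acme-challenge.%s\n' "$1" "${ALIAS%.$ZONE}"
}

# cname_ok HOST  (stdin: dig/drill-style answer lines)
# Succeeds only if _acme-challenge.HOST.dimsumlabs.com. is a CNAME into the
# certbot zone; anything else (no answer, a stale alias to another zone, a TXT
# record someone left behind) fails, so a broken delegation is caught before
# acme.sh burns a Let's Encrypt rate-limit slot on a doomed validation.
cname_ok() {
  awk -v name="_acme-challenge.$1.$ZONE." -v want="_acme-challenge.$ALIAS." \
    '$1 == name && $3 == "IN" && $4 == "CNAME" && $5 == want { found = 1 }
     END { exit !found }'
}

# check_cname HOST -> query the public DNS and validate the answer with cname_ok
check_cname() {
  if command -v drill >/dev/null 2>&1; then
    drill CNAME "_acme-challenge.$1.$ZONE" | cname_ok "$1"
  else
    dig +noall +answer CNAME "_acme-challenge.$1.$ZONE" | cname_ok "$1"
  fi
}

# issue HOST KEYTYPE -> acme.sh --issue; exit status 2 is acme.sh's "not yet
# due for renewal" skip and is treated as success so re-runs are harmless
issue() {
  acme.sh --issue -k "$2" -d "$1.$ZONE" --dns dns_nsupdate --challenge-alias "$ALIAS"
  rc=$?
  [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]
}

# issue_and_deploy HOST -> the page's procedure end to end: RSA-4096 and
# ECDSA P-256 certificates via DNS-01 in the certbot zone, then the
# dimsumlabs deploy hook for each (the ECDSA one needs --ecc)
issue_and_deploy() {
  check_cname "$1" || {
    echo "refusing: add '$(acme_cname_record "$1")' to $ZONE first" >&2
    return 1
  }
  issue "$1" 4096 &&
  issue "$1" ec-256 &&
  acme.sh --deploy --deploy-hook dimsumlabs -d "$1.$ZONE" &&
  acme.sh --deploy --deploy-hook dimsumlabs -d "$1.$ZONE" --ecc
}

# Constructed answer line (not a real query) so cname_ok can be exercised offline.
SAMPLE_ANSWER='_acme-challenge.door.dimsumlabs.com. 3600 IN CNAME _acme-challenge.certbot.dimsumlabs.com.'

# selfcheck -> 0 if the parser accepts the constructed good answer
selfcheck() {
  printf '%s\n' "$SAMPLE_ANSWER" | cname_ok door
}

if [ $# -eq 1 ]; then
  issue_and_deploy "$1"
fi
```

Run it as the acme user with the host's short name, e.g. ./issue.sh door. Without the pre-flight check, a missing or stale CNAME only shows up after acme.sh has already pushed a TXT record into certbot.dimsumlabs.com and failed validation.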
