networking for schools - markmac99/ukmon-pitools GitHub Wiki

Connecting via a Proxy or Firewall

Name Resolution

The system needs to be able to resolve the following DNS entries:

  • gmn.uwo.ca
  • github.com
  • *.raspberrypi.org

UKMON contributors also need to be able to resolve *.amazonaws.com

Additional name resolution may be required, depending on the remote-access solution chosen.

Hardware Clock Synchronisation

The Linux operating system uses NTP on port 123 to synchronise the clock. Clock synchronisation is vital for reliable meteor detection.

RMS

RMS has no inbound connection requirements. All requests originate in the RMS software running on the Pi. The following connections are made:

  • SFTP connection every 30 minutes on port 22 to gmn.uwo.ca, a server at the University of Western Ontario, Canada.
  • HTTPS connection to github.com after each reboot, to update the RMS software.

UWO CIDRs

The university owns the 129.100.0.0/16 range.

Raspberry Pi Operating system

For security and stability, the operating system must be kept up to date by running

sudo apt-get update && sudo apt-get upgrade -y

at least monthly. This process requires access to Raspberry Pi's public APT repositories over HTTPS. It may also require access to other Debian repositories, but all connections are via HTTPS.

  • raspbian.raspberrypi.org
  • archive.raspberrypi.org

and also to the teamviewer repository if you have it installed

  • linux.teamviewer.com

UKMON tools

There are no inbound connection requirements. All connections are outbound and originate from the toolset. The following connections are made:

  • SFTP connection on port 22 to our server hosted in Amazon Web Services (AWS). The server's address is currently 3.11.55.160.
  • HTTPS connection to github.com to update the software.
  • HTTPS connection to AWS S3 storage to upload the data.

AWS uses a wide range of CIDRs for its S3 storage. The current list is shown below, but I think in practice you will need to whitelist *.s3.eu-west-1.amazonaws.com and *.s3.eu-west-2.amazonaws.com.

AWS S3 CIDRs

52.95.150.0/24 16.12.15.0/24 16.12.16.0/23 52.95.148.0/23 52.219.219.0/24 52.95.144.0/24 52.95.142.0/23 52.95.191.0/24 3.5.244.0/22 18.168.37.160/28 18.168.37.176/28 3.5.72.0/23 52.218.0.0/17 3.5.64.0/21 52.92.0.0/17 3.251.110.208/28 3.251.110.224/28
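The following script is an added example (not part of the ukmon-pitools wiki or code) that a school's network technician can run on the Pi to confirm the outbound requirements above are met: it resolves each required name, attempts the TCP connections that RMS, the UKMON tools and APT make, and cross-checks the addresses DNS returns against the 129.100.0.0/16 range and the S3 CIDR list, so a stale allowlist or an interception proxy answering DNS shows up immediately. The two s3.eu-west-N.amazonaws.com hosts are assumed representative endpoints for the wildcard names; NTP (UDP/123) is not exercised.

```python
import ipaddress
import socket
# Outbound TCP endpoints listed on this page: (host, port, purpose).
REQUIRED_TCP = [
    ("gmn.uwo.ca", 22, "RMS SFTP upload"),
    ("github.com", 443, "RMS / UKMON software updates"),
    ("3.11.55.160", 22, "UKMON SFTP server"),
    ("raspbian.raspberrypi.org", 443, "APT repository"),
    ("archive.raspberrypi.org", 443, "APT repository"),
]
# UWO owns 129.100.0.0/16; the S3 ranges are copied from the section above.
UWO_CIDRS = ["129.100.0.0/16"]
S3_CIDRS = ("52.95.150.0/24 16.12.15.0/24 16.12.16.0/23 52.95.148.0/23 "
            "52.219.219.0/24 52.95.144.0/24 52.95.142.0/23 52.95.191.0/24 "
            "3.5.244.0/22 18.168.37.160/28 18.168.37.176/28 3.5.72.0/23 "
            "52.218.0.0/17 3.5.64.0/21 52.92.0.0/17 3.251.110.208/28 "
            "3.251.110.224/28").split()

def outside_ranges(addresses, cidrs):
    """Addresses in none of the CIDRs: non-empty means DNS returned something
    the allowlist does not cover (stale list, or an interception proxy)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]

def resolve(host):
    """IPv4 addresses for a name; empty list if it cannot be resolved."""
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def tcp_reachable(host, port, timeout=5.0):
    """True if a TCP handshake completes (NTP on UDP/123 is not covered)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run_checks():
    for host, port, purpose in REQUIRED_TCP:
        state = "ok" if tcp_reachable(host, port) else "BLOCKED"
        print(f"{host}:{port} ({purpose}): {resolve(host) or 'NO DNS'}, connect {state}")
    print("gmn.uwo.ca outside UWO range:", outside_ranges(resolve("gmn.uwo.ca"), UWO_CIDRS))
    for host in ("s3.eu-west-1.amazonaws.com", "s3.eu-west-2.amazonaws.com"):  # assumed hosts
        print(host, "outside S3 list:", outside_ranges(resolve(host), S3_CIDRS))

if __name__ == "__main__":
    run_checks()
```

Any line reporting BLOCKED, NO DNS, or a non-empty "outside" list points at the firewall rule or DNS setting that still needs attention.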

Remote Access

The system is normally run in "headless" mode without a display or keyboard attached. You can connect using SSH for many tasks, such as performing operating system updates, but the RMS image also comes with AnyDesk, VNC, NoMachine and TeamViewer preinstalled to provide access to the Pi's desktop environment.

We recommend using AnyDesk as it is simple, requires nothing more than HTTPS and does not require any inbound ports to be opened. Be sure to reset the AnyDesk ID as explained at the link below.

VNC support can be disabled using the raspi-config tool. The other remote-access products can be removed if not required.

See here for more information.