Internal Network
Network topology
todo: create network topology diagram
Network segments
Overview
For performance and security reasons, the internal network is segmented into the logical domains listed below.
| VLAN | Name | Network | Subdomain |
|---|---|---|---|
| 10 | SRV | 10.10.10.0/24 | srv.fablab.local |
| 11 | LAN | 10.10.11.0/24 | lan.fablab.local |
| 13 | GUEST | 10.10.13.0/24 | guest.fablab.local |
| - | VPN | 10.10.23.0/24 | vpn.fablab.local |
| 69 | ATELIER | 10.10.69.0/24 | atelier.fablab.local |
| 88 | DMZ | 10.10.88.0/24 | dmz.fablab.local |
| 99 | MGMT | 10.10.99.0/24 | mgmt.fablab.local |
Network segmentation is implemented via VLANs on the switch (layer 2: separation of collision domains) and separate IP subnets (layer 3: separation of broadcast domains).
Service Network (VLAN 10: "SRV")
| Hosts: | Internal services such as file servers, printers, etc. |
| Connection: | Physical link to specific VLAN port |
| Access: | Clients (from the LAN & WLAN segment) are granted access to services through the firewall, based on its ruleset |

| Host | Address |
|---|---|
| flz-dns-01 | 10.10.10.10 |
| flz-pos-01 | 10.10.10.11 |
| flz-nas-01 | 10.10.10.12 |
| flz-rpi-01 | 10.10.10.13 |
| flz-pr-01 | 10.10.10.14 |
Client LAN (VLAN 11: "LAN")
| Hosts: | Wired and wireless network clients, i.e. shared workstations, access switches, notebooks, etc. |
| Connection: | Access switches located across the FabLab, or wireless connection to SSID "FabLab" |
| Access: | Anyone with physical access to the FabLab and/or the wireless key |

| Host | Address |
|---|---|
| flz-cl-xx | 10.10.11.100 - 10.10.11.199 |
Guest WLAN (VLAN 13: "GUEST")
| Hosts: | External wireless network clients, i.e. visitor notebooks, smartphones |
| Connection: | Over the air: 2.4 and 5 GHz |
| Access: | Anyone in close proximity to the FabLab |
| Restrictions: | Only allowed to connect to the internet, no access to internal services |

| Host | Address |
|---|---|
| flz-gl-xx | 10.10.13.100 - 10.10.13.199 |
VPN (VLAN -)
| Hosts: | Admin access to FabLab network infrastructure |
| Connection: | OpenVPN connection to the firewall |
| Access: | Anyone with an OpenVPN profile and password |
| Restrictions: | Network and systems admins only |
Ateliergemeinschaft (VLAN 69: "ATELIER")
| Hosts: | Ateliergemeinschaft in the former location of the FabLab |
| Connection: | Physical link through the wall behind the rack |
| Access: | Anyone with physical access to the Ateliergemeinschaft |
| Status: | Not yet implemented |
tbd
Demilitarized Zone (VLAN 88: "DMZ")
| Hosts: | Internet-facing services like website test and dev environments, Diaspora pods, personal internet hosts, etc. |
| Connection: | Physical link to specific VLAN port |
| Access: | Internet and intranet access based on the firewall ruleset |

| Host | Address |
|---|---|
| flz-lqf-01 | 10.10.88.10 |
Management Network (VLAN 99: "MGMT")
| Hosts: | Network equipment, server out-of-band management interfaces, serial console servers, etc. |
| Connection: | Physical link to specific VLAN port |
| Access: | Network and systems admins only |

| Host | Address |
|---|---|
| flz-fw-01 | 10.10.99.1 |
| flz-fw-02 | 10.10.99.2 |
| flz-sw-01 | 10.10.99.11 |
| flz-sw-02 | 10.10.99.12 |
| flz-ap-01 | 10.10.99.21 |
General network config
The gateway (i.e. the firewall) is always located at 10.10.x.1 and currently also acts as the central DHCP, DNS and NTP server, as well as an Avahi (Bonjour) proxy.
The various subnets lie within the private 10.0.0.0/8 range defined by RFC 1918. The local supernet is 10.10.0.0/16, subnetted into various /24 networks.
The third octet of the address always corresponds to the VLAN ID of the respective network.
DHCP settings
| Range: | 10.10.[VLAN].100 - 199 |
| Subnet mask: | 255.255.255.0 |
| Gateway: | 10.10.[VLAN].1 |
| DNS: | 10.10.[VLAN].1 |
| NTP: | 10.10.[VLAN].1 |
| Domain: | fablab.local (so that DNS entries under .fablab.local are directly reachable, because Windows does not seem to properly respect domain search lists provided by DHCP) |

DHCP service is provided on LAN, WLAN and GUEST (the latter is assigned external nameservers).
DNS
The central DNS server, providing forward and reverse name resolution for the various internal networks, is implemented using ISC BIND running on the local firewall. To make things a bit easier, the internal domain fablab.local has DNS aliases (CNAMEs) pointing to the various servers: fablabnas.fablab.local, for example, is a CNAME pointing to flz-nas-01.srv.fablab.local, the 'real' name of the NAS device. This way clients can reach all services simply by using their short hostnames (e.g. 'ping fablabnas'), because the DHCP-supplied domain fablab.local is appended to the query.
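The addressing convention from "General network config" and "DHCP settings" (third octet equals the VLAN ID, gateway and DNS at .1, DHCP pool at .100-.199) and the alias scheme from this DNS section are easy to get out of sync when a host is added by hand. The following script is an added example, not part of the wiki page or the FabLab's own tooling: it models the plan, checks each static host against it, derives the DHCP scope of any segment, and generates the A, PTR and CNAME records that the page describes, resolving an alias the way a client would. Host names and addresses are the ones listed on the page; the `ALIASES` table contains only the page's `fablabnas` example, and the record format is a simplified (owner, type, rdata) triple rather than real BIND zone syntax.

```python
"""Addressing-plan and DNS-alias checks for the VLAN-per-/24 design (added example)."""
import ipaddress

SUPERNET = ipaddress.ip_network("10.10.0.0/16")   # local supernet from the page
DHCP_FIRST, DHCP_LAST = 100, 199                   # DHCP pool .100 - .199
DOMAIN = "fablab.local"

# Subnet number (third octet) -> subdomain label. The VPN segment has no VLAN
# but still uses subnet number 23, so it is keyed by that number here.
SEGMENTS = {10: "srv", 11: "lan", 13: "guest", 23: "vpn",
            69: "atelier", 88: "dmz", 99: "mgmt"}

# Static hosts as listed on the page (segment is implied by the third octet).
HOSTS = {
    "flz-dns-01": "10.10.10.10", "flz-pos-01": "10.10.10.11",
    "flz-nas-01": "10.10.10.12", "flz-rpi-01": "10.10.10.13",
    "flz-pr-01": "10.10.10.14", "flz-lqf-01": "10.10.88.10",
    "flz-fw-01": "10.10.99.1", "flz-fw-02": "10.10.99.2",
    "flz-sw-01": "10.10.99.11", "flz-sw-02": "10.10.99.12",
    "flz-ap-01": "10.10.99.21",
}

# User-facing alias -> real host; only the page's own example is listed.
ALIASES = {"fablabnas": "flz-nas-01"}


def subnet_id(addr):
    """Third octet of the address, which by convention equals the VLAN ID."""
    return ipaddress.ip_address(addr).packed[2]


def check_host(name, addr):
    """Return a list of convention violations for one static host entry."""
    ip = ipaddress.ip_address(addr)
    problems = []
    if ip not in SUPERNET:
        problems.append(f"{name}: {addr} is outside the local supernet {SUPERNET}")
        return problems
    if subnet_id(addr) not in SEGMENTS:
        problems.append(f"{name}: third octet {subnet_id(addr)} matches no documented segment")
    if DHCP_FIRST <= ip.packed[3] <= DHCP_LAST:
        problems.append(f"{name}: {addr} collides with the DHCP pool .{DHCP_FIRST}-.{DHCP_LAST}")
    return problems


def dhcp_scope(vlan):
    """DHCP parameters of a segment, derived from the page's 10.10.[VLAN] rules."""
    net = ipaddress.ip_network(f"10.10.{vlan}.0/24")
    gateway = str(net.network_address + 1)
    return {
        "range": (str(net.network_address + DHCP_FIRST), str(net.network_address + DHCP_LAST)),
        "mask": str(net.netmask), "gateway": gateway,
        "dns": gateway, "ntp": gateway, "domain": DOMAIN,
    }


def fqdn(name, addr):
    """'Real' name of a host: <host>.<segment>.fablab.local."""
    return f"{name}.{SEGMENTS[subnet_id(addr)]}.{DOMAIN}"


def zone_records():
    """Forward A records, reverse PTRs and user-facing CNAMEs as (owner, type, rdata)."""
    records = []
    for name, addr in HOSTS.items():
        records.append((fqdn(name, addr), "A", addr))
        records.append((ipaddress.ip_address(addr).reverse_pointer, "PTR", fqdn(name, addr)))
    for alias, target in ALIASES.items():
        records.append((f"{alias}.{DOMAIN}", "CNAME", fqdn(target, HOSTS[target])))
    return records


def resolve(qname, records=None, max_hops=8):
    """Follow the CNAME chain like a resolver; None if unknown or looping."""
    records = zone_records() if records is None else records
    for _ in range(max_hops):
        rrs = [(rtype, rdata) for owner, rtype, rdata in records if owner == qname]
        for rtype, rdata in rrs:
            if rtype == "A":
                return rdata
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return None
        qname = cnames[0]
    return None  # hop limit hit: a CNAME loop


if __name__ == "__main__":
    for host, ip in HOSTS.items():
        for problem in check_host(host, ip):
            print("WARNING", problem)
    print(dhcp_scope(11))
    print("fablabnas.fablab.local ->", resolve("fablabnas.fablab.local"))
```

Running the script prints no warnings for the page's inventory; adding a static host inside the .100-.199 pool or in a subnet whose third octet has no segment produces one, and `resolve()` shows why `ping fablabnas` works once the client appends the DHCP domain: the CNAME leads to the A record of the real name in the srv subdomain.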