Internal Network: Unterschied zwischen den Versionen

Network topology

Network segments

The internal network is segmented into the following logical domains, implemented via VLANs on the switch and separate IP subnets:

Network details

Service Network (VLAN 10: "SRV")

Hosts: Internal services such as file servers, printers etc Connection: Physical link to specific VLAN port Access: Clients are granted access to services through firewall based on ruleset

flz-dns-01     10.10.10.10
flz-pos-01     10.10.10.11
flz-nas-01     10.10.10.12

Client LAN (VLAN 11: "LAN")

Hosts: Wired network clients, i.e. shared workstations, access switches etc Connection: Access switches located across the FabLab Access: Anyone with physical access to FabLab

flz-cl-xx      10.10.11.100 - 199

Wireless LAN (VLAN 12: "WLAN")

Hosts: Wireless network clients, i.e. notebooks, smartphones etc Connection: Over the air Access: Anyone with the proper WiFi key in close proximity to FabLab

flz-wl-xx    10.10.12.100 - 199

Guest WLAN (VLAN 13: "GUEST")

Hosts: External wireless network clients, i.e. visitor notebooks, smartphones Connection: Over the air Access: Anyone with the FabLab WiFi key in close proximity to FabLab Restrictions: Is only allowed to connect to the internet, but no internal services

flz-gl-xx    10.10.13.100 - 199

Ateliergemeinschaft (VLAN 69: "ATELIER")

Hosts: Ateliergemeinschaft in the former location of FabLab Connection: Physical link through wall behind the rack Access: Anyone with physical access to the Ateliergemeinschaft

tbd

Demilitarized Zone (VLAN 88: "DMZ")

Hosts: Internet services like website test and dev environments, Diaspora pods, personal internet hosts etc Connection: Physical link to specific VLAN port Access: Internet and intranet access based on firewall ruleset

tbd

Management Network (VLAN 99: "MGMT")

Hosts: Network equipment, server out-of-band management interfaces, serial console servers etc Connection: Physical link to specific VLAN port Access: Network and systems admins only

flz-fw-01     10.10.99.1
flz-fw-02     10.10.99.2
flz-sw-01     10.10.99.11
flz-sw-02     10.10.99.12
flz-ap-01     10.10.99.21

General network config

The gateway (i.e. the firewall) is always located at IP 10.10.x.1, and is currently also acting as the central DHCP, DNS and NTP server, as well as an Avahi (bonjour) proxy.

The various subnets are within the private 10/8 range defined by RFC 1918. The local supernet is 10.10/16, subnetted into various /24 networks.

The third octet of the address always corresponds to the VLAN ID of the respective network.

DHCP settings

Range: 10.10.[VLAN].100 - 199 Subnet mask: 255.255.255.0 Gateway: 10.10.[VLAN].1 DNS: 10.10.[VLAN].1 NTP: 10.10.[VLAN].1 Domain: fablab.local (in order to make DNS entries unter .fablab.local directly accessible because Windows does not seem to properly respect domain search lists provided by DHCP) DHCP service is provided on LAN, WLAN and GUEST (the latter getting assigned external nameservers)

DNS

The central DNS server, providing forward and reverse name resolution for the various internal networks is implemented using ISC bind running on the local firewall. In order to make things a bit easier, the internal domain fablab.local has DNS aliases (CNAMEs) pointing to the various servers, e.g. fablabnas.fablab.local is actually a DNS CNAME pointing to flz-nas-01.srv.fablab.local, the 'real' name of the NAS device. This way, clients can simply reach all services by using their hostnames (e.g. 'ping fablabnas')