Main Page/Network infrastructure

From LVL1
Revision as of 09:05, 9 July 2010 by Doughecka (talk | contribs)

Some thoughts I had based some of the discussion on the mailing list. I thought I should write down what I had seen thus far. This is editable by anyone, so feel free to change/fix/modify however you see fit. The Google Doc at the bottom of the page has this all roughly drawn out, and can also be edited.

The basic logic is this: a 1U server acting as the main firewall (running pfSense, since it offers flexibility with an easy-to-use web interface), with a single connection to a managed switch (this implies the switch supports VLANs; something like a Cisco would be perfect). The managed switch has numerous ports, with at least one port assigned to each VLAN:

VLAN1 - Unused master VLAN, for network admin troubleshooting only (some switches give VLAN1 access to other VLANs in some fashion or in certain situations, so a better structure/habit is to not use VLAN1 at all if possible)

VLAN2 - Default LAN, unsecured WiFi, unfettered access to the internet (runs DHCP, with NAT) - Suggest 10.2.1.x range

VLAN10 - WAN1, attached to internet

VLAN11 - WAN2, attached to backup internet if available

VLAN20 - 'Bordertown', a lawless unsecured network for testing security/vulnerable machines, with limited access to the web (runs DHCP, with NAT) - Suggest 10.20.1.x range

VLAN25? - DMZ, a publicly available range of IPs (1 or 2) with full inbound services from the WAN, which can be used to test publicly available servers/services on a dedicated External->Internal NAT without affecting the LVL1 infrastructure - Suggest 10.25.1.x range

VLAN30 - LVL1 Infrastructure, where the internal LVL1 servers and equipment will be. Secured from both the LAN and Bordertown networks, and has inbound services from the WAN - No DHCP serving in this range, dedicated External->Internal NAT - Suggest 192.168.1.0 range

VLAN31 - LVL1 Infrastructure, where the internal LVL1 routers/infrastructure devices will be. Secured from all other networks, and NO inbound services from ANYWHERE - No DHCP serving in this range - Suggest 172.16.0.x range - This means that if any VLAN30 server were compromised, the core networking infrastructure would remain isolated and could not be compromised.

The port connected to the firewall has VLAN trunking enabled, so that the router can create a virtual interface for each VLAN and do its firewalling thing.

Servers can either be physically plugged into ports assigned to VLAN30, or be virtual on a single host, with trunking enabled so servers can be placed on any available network.

This will get around having to figure out how to cram 5+ NICs into a single router box, plus having 4+ separate switches (although the diagram shows a separate switch for each VLAN, this is not needed). Let the switch handle most of the traffic! Plus this will be an awesome demonstration of what VLANs can do.
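The VLAN list and the trunk-port paragraphs above together define an inter-zone policy: which VLAN may open connections to which, and that VLAN31 accepts nothing from anywhere. The following is an added example, not part of the LVL1 page or its pfSense configuration, that writes that policy down as data, answers "is this flow allowed?" for any pair of addresses, and renders the same policy as per-VLAN sub-interfaces on the trunk plus nftables forward rules (a Linux-router rendering of the design, offered alongside the page's pfSense choice). The subnets are the page's suggested ranges; the trunk name `eth0`, the "limited web" ports for Bordertown, and the published service ports for VLAN30 are assumptions marked in the code.

```python
# Added example (not from the LVL1 page): a zone-policy model of the VLAN layout.
# Subnets are the page's suggested ranges; TRUNK and the port sets are assumptions.
import ipaddress
from dataclasses import dataclass

TRUNK = "eth0"       # assumed: the firewall's single trunked port to the switch
ANY = "0.0.0.0/0"    # the WAN zone catches anything not in an internal range


@dataclass(frozen=True)
class Zone:
    name: str
    vlan: int
    subnet: str


ZONES = [
    Zone("WAN", 10, ANY),
    Zone("LAN", 2, "10.2.1.0/24"),
    Zone("BORDERTOWN", 20, "10.20.1.0/24"),
    Zone("DMZ", 25, "10.25.1.0/24"),
    Zone("SERVERS", 30, "192.168.1.0/24"),
    Zone("CORE", 31, "172.16.0.0/24"),
]

# Allowed new TCP connections: (source zone, destination zone, ports or None = any).
# Anything not listed is dropped; that default is what isolates VLAN30 and VLAN31.
POLICY = [
    ("LAN", "WAN", None),               # unfettered internet
    ("BORDERTOWN", "WAN", {80, 443}),   # "limited access to web" modelled as HTTP/S (assumption)
    ("DMZ", "WAN", None),
    ("SERVERS", "WAN", None),           # assumed: servers may fetch updates
    ("WAN", "DMZ", None),               # full inbound services to the DMZ range
    ("WAN", "SERVERS", {80, 443}),      # only the published services (ports assumed)
    # no rule has CORE as a destination: VLAN31 accepts nothing from anywhere
]


def zone_of(ip: str) -> Zone:
    """Longest-prefix match, so the catch-all WAN zone only wins when nothing else does."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for z in ZONES:
        net = ipaddress.ip_network(z.subnet)
        if addr in net and net.prefixlen > best_len:
            best, best_len = z, net.prefixlen
    return best


def allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """True if the firewall would accept a new TCP connection src -> dst:dport."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src.name == dst.name and src.subnet != ANY:
        return True  # same VLAN: the switch forwards it, the firewall never sees it
    for s, d, ports in POLICY:
        if s == src.name and d == dst.name and (ports is None or dport in ports):
            return True
    return False


def vlan_link_commands() -> list:
    """iproute2 commands giving the firewall one 802.1Q sub-interface per VLAN on the trunk."""
    return [f"ip link add link {TRUNK} name {TRUNK}.{z.vlan} type vlan id {z.vlan}"
            for z in ZONES]


def nft_forward_rules() -> list:
    """nftables forward-chain rules equivalent to POLICY (chain policy is assumed to be drop).
    Inbound rules to SERVERS/DMZ apply after the page's External->Internal NAT (DNAT)."""
    by_name = {z.name: z for z in ZONES}
    rules = ["ct state established,related accept"]
    for s, d, ports in POLICY:
        match = f'iifname "{TRUNK}.{by_name[s].vlan}" oifname "{TRUNK}.{by_name[d].vlan}"'
        if ports:
            match += " tcp dport { " + ", ".join(str(p) for p in sorted(ports)) + " }"
        rules.append(f"{match} ct state new accept")
    return rules


if __name__ == "__main__":
    print("\n".join(vlan_link_commands()))
    print("\n".join(nft_forward_rules()))
    # a compromised VLAN30 server must not be able to reach VLAN31
    print("SERVERS -> CORE allowed?", allowed("192.168.1.10", "172.16.0.2", 22))
```

Running it prints the sub-interface commands and the rule list, then shows the key check from the VLAN31 description: a VLAN30 host cannot open anything to the 172.16.0.x range. Because the policy is a default-deny table, "secured from LAN and Bordertown" needs no explicit rule; it holds simply because no LAN or Bordertown entry names SERVERS as a destination, which is easy to verify by reading the table.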

https://docs.google.com/drawings/edit?id=1FUTczM_kD1f7YNd-aFeV5x9kdD6ZJHOh5U72SOuVWRo&hl=en&authkey=CLn7sZIG

  1. lvl1 IRC channel on Freenode: http://webchat.freenode.net?channels=lvl1&uio=MTE9MjM20f