Some thoughts I had based on some of the discussion on the mailing list. I thought I should write down what I had seen thus far. This is editable by anyone, so feel free to change/fix/modify however you see fit. The Google Doc at the bottom of the page has this all roughly drawn out, and can also be edited.

This was old info, please see http://wiki.lvl1.org/Network instead.

The basic logic is this:

1U server acting as the main firewall (running pfSense, since it offers flexibility with an easy-to-use web interface), with a single connection to a managed switch (this implies VLAN support is included on the switch; something like a Cisco would be perfect).

Managed switch has numerous ports, with at least one port assigned to each VLAN:

VLAN1 - Unused master VLAN, for network admin troubleshooting only (some switches give VLAN1 access to other VLANs in some fashion/certain situations, so a better structure/habit would be to not use VLAN1 if at all possible).

VLAN2 - Default LAN, unsecured WiFi, unfettered access to internet (runs DHCP with NAT). Suggest 10.2.1.x range.

VLAN10 - WAN1, attached to internet.

VLAN11 - WAN2, attached to backup internet if available.

VLAN20 - 'Bordertown', lawless unsecured network for testing security/vulnerable machines, limited access to web (runs DHCP with NAT). 10.20.1.x range.

VLAN25? - DMZ. A publicly available range of IPs (1 or 2) with full inbound services from WAN, which can be used to test publicly available servers/services on dedicated External->Internal NAT without affecting LVL1 infrastructure. Suggest 10.25.1.x range.

VLAN30 - LVL1 infrastructure, where the internal LVL1 servers and equipment will be. Secured from both LAN and Bordertown networks, and has inbound services from WAN. No DHCP serving in this range; dedicated External->Internal NAT. Suggest 192.168.1.0 range.

VLAN31 - LVL1 infrastructure, where the internal LVL1 routers/infrastructure devices will be. Secured from all other networks, and NO inbound services from ANYWHERE. No DHCP serving in this range. Suggest 172.16.0.x range. This covers the scenario where any VLAN30 server is compromised: the core networking infrastructure is isolated and cannot be compromised through it.

The port connected to the firewall has VLAN trunking enabled, so that the router can create a virtual interface for each VLAN and do its firewalling thing.

Servers can either be physically plugged into ports assigned to VLAN30, or be virtual on a single host with trunking enabled, so servers can be placed on any available network.

This will get around having to figure out how to cram 5+ NICs into a single router box, plus have 4+ separate switches (although the diagram shows a separate switch for each VLAN, this is not needed). Let the switch handle most of the traffic! Plus this will be an awesome demonstration of what VLANs can do.

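As an added example (not from the wiki page and not LVL1's own configuration), the plan above expressed as a default-deny inter-VLAN policy table plus an audit that checks the isolation requirements the text states for VLAN1, VLAN30 and VLAN31. The POLICY table is an assumed reading of the text rather than pfSense configuration, and the Bordertown-to-LAN check is inferred rather than stated.

```python
# Added example, not from the wiki page: a default-deny model of the VLAN plan
# and an audit of the isolation requirements the text states. The POLICY table
# is an assumed reading of the page, not pfSense configuration.
WAN = {"VLAN10", "VLAN11"}

# Which VLAN may initiate connections to which. Anything absent is denied, as a
# stateful firewall with no matching rule would do. VLAN30 and VLAN31 get no
# outbound entries because the page describes none for them.
POLICY = {
    "VLAN2": set(WAN),                 # default LAN: unfettered internet
    "VLAN20": set(WAN),                # Bordertown: web only, nothing internal
    "VLAN25": set(WAN),                # DMZ hosts talk back to the internet
    "VLAN10": {"VLAN25", "VLAN30"},    # inbound External->Internal NAT from WAN1
    "VLAN11": {"VLAN25", "VLAN30"},    # inbound External->Internal NAT from WAN2
    "VLAN30": set(),
    "VLAN31": set(),
}

def can_reach(policy, src, dst):
    """True if src may initiate traffic to dst under the policy (default deny)."""
    return dst in policy.get(src, set())

def audit(policy):
    """Return the stated isolation requirements that the policy violates."""
    problems = []
    vlans = set(policy) | {d for dsts in policy.values() for d in dsts}
    # VLAN1 is reserved for troubleshooting and should carry no production rules.
    if "VLAN1" in vlans:
        problems.append("VLAN1 appears in the policy; keep it unused")
    # VLAN31: NO inbound services from ANYWHERE.
    for src in sorted(vlans - {"VLAN31"}):
        if can_reach(policy, src, "VLAN31"):
            problems.append(f"{src} can reach VLAN31 (core must accept nothing)")
    # VLAN30: secured from LAN and Bordertown, but serving inbound from WAN.
    for src in ("VLAN2", "VLAN20"):
        if can_reach(policy, src, "VLAN30"):
            problems.append(f"{src} can reach VLAN30 (must be isolated from it)")
    for wan in sorted(WAN):
        for dst in ("VLAN25", "VLAN30"):
            if not can_reach(policy, wan, dst):
                problems.append(f"{wan} cannot reach {dst} (inbound services expected)")
    # Inferred, not stated: the untrusted test segment must not reach the LAN.
    if can_reach(policy, "VLAN20", "VLAN2"):
        problems.append("VLAN20 can reach VLAN2 (Bordertown is untrusted)")
    return problems

if __name__ == "__main__":
    print("violations:", audit(POLICY) or "none")
```

Re-run `audit` whenever a rule is added on the firewall; a single permissive LAN-to-VLAN30 rule is enough to undo the isolation the plan relies on.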
https://docs.google.com/drawings/edit?id=1FUTczM_kD1f7YNd-aFeV5x9kdD6ZJHOh5U72SOuVWRo&hl=en&authkey=CLn7sZIG