---
title: Network
---

## WAN

### Port forwarding

```mermaid
---
config:
  look: handDrawn
  theme: neutral
---
flowchart LR
    W8[WAN IP *8]
    W9[WAN IP *9]
    W0[WAN IP *0]
    montgomery("`Synology NAS _DSM Web UI, Hyper Backup Vault, Drive Server_`")
    plex(Plex external access)
    ingress50("`ingress-50 _Zoraxy_`")
    ingress1("`ingress-1 _Zoraxy_`")
    WAN1 --> W8
    WAN1 --> W9
    WAN1 --> W0
    W8 --> montgomery
    W8 --> plex
    W8 --> qbt(qBittorrent)
    W9 --> gitssh(Gitea SSH)
    W9 --> ingress50 --> pub(Public services)
    W0 --> ingress1 --> per(Personal services)
```

### Firewall rules

In addition to the default rules.

| Name                      | Action | Source Zone | Destination Zone |
| ------------------------- | ------ | ----------- | ---------------- |
| Allow UniFi remote access | Allow  | External    | Gateway          |

## Local network

### VLANs

| Name        | Subnet            | Description                                                  | Isolate network |
| ----------- | ----------------- | ------------------------------------------------------------ | --------------- |
| **Default** | _192.168.1.0/24_  | Default local network for laptops, family phones and tablets | No              |
| **Pub**     | _192.168.50.0/24_ | An isolated VLAN for public services                         | No              |
| **Guest**   | _192.168.5.0/24_  | An isolated VLAN for guest WiFi access                       | No              |
| **IoT**     | _192.168.6.0/24_  | An isolated VLAN for connected home appliances               | No              |

- Device Isolation is disabled for all networks

### Firewall zones

| Name     | Built in | Networks / Interfaces                       |
| -------- | -------- | ------------------------------------------- |
| Internal | ✅       | [`Default`](#vlans)                         |
| External | ✅       | [`Primary (WAN1)`](#wan) `Secondary (WAN2)` |
| Gateway  | ✅       | -                                           |
| VPN      | ✅       | [`Hearthstone`](#vpn) [`VPS`](#vpn)         |
| Hotspot  | ✅       | [`Guest`](#vlans)                           |
| DMZ      | ✅       | -                                           |
| VLAN 50  | ❌       | [`Pub`](#vlans)                             |
| VLAN 6   | ❌       | [`IoT`](#vlans)                             |

### Zones access rules

Additional firewall rules allowing or blocking zone-to-zone or subnet-to-subnet communications.

| Source Zone | Destination Zone | Source             | Destination         | Action            | Description                                                                      |
| ----------- | ---------------- | ------------------ | ------------------- | ----------------- | -------------------------------------------------------------------------------- |
| Internal    | VLAN 50          | All                | All                 | Allow with return | Allow all traffic from [`Default`](#vlans) network to [`Pub`](#vlans)            |
| Internal    | VLAN 6           | All                | All                 | Allow with return | Allow all traffic from [`Default`](#vlans) network to [`IoT`](#vlans)            |
| VPN         | Internal         | [VPS subnet](#vpn) | All                 | Allow only return | Allow return traffic from [`VPS`](#vpn) subnet to [`Default`](#vlans)            |
| VPN         | Internal         | [VPS subnet](#vpn) | All                 | Block             | Block [`VPS`](#vpn) VPN clients from accessing the [`Default`](#vlans) network   |
| VPN         | Hotspot          | [VPS subnet](#vpn) | All                 | Block             | Block [`VPS`](#vpn) VPN clients from accessing the [`Guest`](#vlans) network     |
| VPN         | DMZ              | [VPS subnet](#vpn) | All                 | Block             | Block [`VPS`](#vpn) VPN clients from accessing the [`DMZ`](#firewall-zones) zone |
| VPN         | VLAN 50          | All                | [Hearthstone](#vpn) | Allow all         | Allow [`Hearthstone`](#vpn) VPN clients access to [`Pub`](#vlans) network        |
| VPN         | VLAN 6 (IoT)     | All                | [Hearthstone](#vpn) | Allow all         | Block [`Hearthstone`](#vpn) VPN clients access to [`IoT`](#vlans) network        |
| VLAN 50     | VLAN 50          | All                | All                 | Allow all         | Allow [`Pub`](#vlans) network clients accessing each other                       |

## VPN

There are two WireGuard servers configured:

1. **Hearthstone**. Subnet _192.168.3.0/24_. For external access to all local networks.
2. **VPS**. Subnet _192.168.4.0/24_. For accessing VPS servers as local network devices.
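As an added consistency check (example code, not part of this network documentation or exported from the gateway), the VLAN and zone access rule tables above can be encoded as data and linted for rows whose description contradicts the configured setting; the rows are transcribed from this page's tables.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vlan:
    name: str
    subnet: str
    description: str
    isolated: bool  # the "Isolate network" column

@dataclass(frozen=True)
class ZoneRule:
    src_zone: str
    dst_zone: str
    action: str
    description: str

# Rows transcribed from the VLANs table above (constructed data, not exported config).
VLANS = [
    Vlan("Default", "192.168.1.0/24", "Default local network for laptops, family phones and tablets", False),
    Vlan("Pub", "192.168.50.0/24", "An isolated VLAN for public services", False),
    Vlan("Guest", "192.168.5.0/24", "An isolated VLAN for guest WiFi access", False),
    Vlan("IoT", "192.168.6.0/24", "An isolated VLAN for connected home appliances", False),
]

# Rows transcribed from the zone access rules table above (constructed data).
ZONE_RULES = [
    ZoneRule("Internal", "VLAN 50", "Allow with return", "Allow all traffic from Default network to Pub"),
    ZoneRule("Internal", "VLAN 6", "Allow with return", "Allow all traffic from Default network to IoT"),
    ZoneRule("VPN", "Internal", "Allow only return", "Allow return traffic from VPS subnet to Default"),
    ZoneRule("VPN", "Internal", "Block", "Block VPS VPN clients from accessing the Default network"),
    ZoneRule("VPN", "Hotspot", "Block", "Block VPS VPN clients from accessing the Guest network"),
    ZoneRule("VPN", "DMZ", "Block", "Block VPS VPN clients from accessing the DMZ zone"),
    ZoneRule("VPN", "VLAN 50", "Allow all", "Allow Hearthstone VPN clients access to Pub network"),
    ZoneRule("VPN", "VLAN 6 (IoT)", "Allow all", "Block Hearthstone VPN clients access to IoT network"),
    ZoneRule("VLAN 50", "VLAN 50", "Allow all", "Allow Pub network clients accessing each other"),
]

def lint_vlans(vlans):
    """Names of VLANs whose description says 'isolated' while the isolate flag is off."""
    return [v.name for v in vlans if "isolated" in v.description.lower() and not v.isolated]

def lint_zone_rules(rules):
    """(src, dst) pairs where the description's verb contradicts the configured action."""
    findings = []
    for r in rules:
        desc_blocks = r.description.lower().startswith("block")
        action_blocks = r.action.lower().startswith("block")
        if desc_blocks != action_blocks:
            findings.append((r.src_zone, r.dst_zone))
    return findings
```

Run against the page's own rows, the VLAN check flags Pub, Guest and IoT (described as isolated, isolate flag off) and the rule check flags the VPN to VLAN 6 (IoT) row, whose action is Allow all while its description says Block.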