yehor 359d62df58
Add network documentation
2025-05-21 18:30:06 +03:00


---
title: Network
---

# WAN

## Port forwarding

```mermaid
---
config:
  look: handDrawn
  theme: neutral
---
flowchart LR
    W8[WAN IP *8]
    W9[WAN IP *9]
    W0[WAN IP *0]
    montgomery("`Synology NAS
    _DSM Web UI, Hyper Backup Vault, Drive Server_`")
    plex(Plex external access)
    ingress50("`ingress-50
    _Zoraxy_`")
    ingress1("`ingress-1
    _Zoraxy_`")
    WAN1 --> W8
    WAN1 --> W9
    WAN1 --> W0
    W8 --> montgomery
    W8 --> plex
    W8 --> qbt(qBittorrent)
    W9 --> gitssh(Gitea SSH)
    W9 --> ingress50 --> pub(Public services)
    W0 --> ingress1 --> per(Personal services)
```

## Firewall rules

In addition to the default rules.

| Name | Action | Source Zone | Destination Zone |
|---|---|---|---|
| Allow UniFi remote access | Allow | External | Gateway |

# Local network

## VLANs

| Name | Subnet | Description | Isolate network |
|---|---|---|---|
| Default | 192.168.1.0/24 | Default local network for laptops, family phones and tablets | No |
| Pub | 192.168.50.0/24 | An isolated VLAN for public services | No |
| Guest | 192.168.5.0/24 | An isolated VLAN for guest WiFi access | No |
| IoT | 192.168.6.0/24 | An isolated VLAN for connected home appliances | No |

- Device Isolation is disabled for all networks.

## Firewall zones

| Name | Built in | Networks / Interfaces |
|---|---|---|
| Internal | Yes | Default |
| External | Yes | Primary (WAN1), Secondary (WAN2) |
| Gateway | Yes | - |
| VPN | Yes | Hearthstone, VPS |
| Hotspot | Yes | Guest |
| DMZ | Yes | - |
| VLAN 50 | No | Pub |
| VLAN 6 | No | IoT |

## Zones access rules

Additional firewall rules that allow or block zone-to-zone or subnet-to-subnet communication.

| Source Zone | Destination Zone | Source | Destination | Action | Description |
|---|---|---|---|---|---|
| Internal | VLAN 50 | All | All | Allow with return | Allow all traffic from Default network to Pub |
| Internal | VLAN 6 | All | All | Allow with return | Allow all traffic from Default network to IoT |
| VPN | Internal | VPS subnet | All | Allow only return | Allow return traffic from VPS subnet to Default |
| VPN | Internal | VPS subnet | All | Block | Block VPS VPN clients from accessing the Default network |
| VPN | Hotspot | VPS subnet | All | Block | Block VPS VPN clients from accessing the Guest network |
| VPN | DMZ | VPS subnet | All | Block | Block VPS VPN clients from accessing the DMZ zone |
| VPN | VLAN 50 | All | Hearthstone | Allow all | Allow Hearthstone VPN clients access to Pub network |
| VPN | VLAN 6 (IoT) | All | Hearthstone | Allow all | Block Hearthstone VPN clients access to IoT network |
| VLAN 50 | VLAN 50 | All | All | Allow all | Allow Pub network clients accessing each other |
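As an added example (not part of this documentation), the following Python encodes a subset of the zone rules above as a first-match, connection-state-aware policy check, so the ordering of the two VPS-subnet rules can be verified: a new connection from the VPS subnet falls through the return-only rule to the Block rule, while a reply to a flow the Default network opened matches the first. Subnets and zone membership are taken from the tables on this page; the matching semantics, the `zone_of`/`evaluate` helpers, and the constructed sample addresses are assumptions, and the Hearthstone and DMZ rows are left out.

```python
# Added example: a first-match, state-aware model of the zone access rules.
# Subnets and zone membership come from this page; the matching semantics
# (first match wins, "Allow only return" matches established replies only,
# no explicit match -> None, meaning the default zone policy applies) are
# assumptions about how the controller evaluates the table.
import ipaddress

NETS = {  # network name -> subnet (from the VLANs and VPN sections)
    "Default": "192.168.1.0/24", "Pub": "192.168.50.0/24",
    "Guest": "192.168.5.0/24", "IoT": "192.168.6.0/24",
    "Hearthstone": "192.168.3.0/24", "VPS": "192.168.4.0/24",
}
ZONES = {  # zone -> member networks (from the Firewall zones table)
    "Internal": ["Default"], "Hotspot": ["Guest"], "VLAN 50": ["Pub"],
    "VLAN 6": ["IoT"], "VPN": ["Hearthstone", "VPS"],
}
# (source zone, destination zone, source selector, action), in table order.
# "All" matches any source; otherwise the named network must contain it.
RULES = [
    ("Internal", "VLAN 50", "All", "Allow with return"),
    ("Internal", "VLAN 6", "All", "Allow with return"),
    ("VPN", "Internal", "VPS", "Allow only return"),
    ("VPN", "Internal", "VPS", "Block"),
    ("VPN", "Hotspot", "VPS", "Block"),
    ("VLAN 50", "VLAN 50", "All", "Allow all"),
]


def zone_of(ip):
    """Map an address to the zone whose member network contains it."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(NETS[n]) for n in nets):
            return zone
    return None


def evaluate(src_ip, dst_ip, state="new"):
    """Return the action of the first matching rule, or None if none matches.

    state is "new" (a connection src initiates) or "return" (a reply to a
    connection that dst initiated towards src)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    addr = ipaddress.ip_address(src_ip)
    for sz, dz, sel, action in RULES:
        if (sz, dz) != (src_zone, dst_zone):
            continue
        if sel != "All" and addr not in ipaddress.ip_network(NETS[sel]):
            continue
        if action == "Allow only return" and state != "return":
            continue  # a new connection falls through to the next rule
        return action
    return None
```

Running `evaluate("192.168.4.10", "192.168.1.20")` yields "Block", while the same pair with `state="return"` yields "Allow only return", which is the behaviour the two VPS rows describe.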

# VPN

There are two WireGuard servers configured:

1. Hearthstone. Subnet 192.168.3.0/24. For external access to all local networks.
2. VPS. Subnet 192.168.4.0/24. For accessing VPS servers as local network devices.