yehor 359d62df58
Add network documentation
2025-05-21 18:30:06 +03:00


---
title: Network
---
## WAN
### Port forwarding
```mermaid
---
config:
  look: handDrawn
  theme: neutral
---
flowchart LR
W8[WAN IP *8]
W9[WAN IP *9]
W0[WAN IP *0]
montgomery("`Synology NAS
_DSM Web UI, Hyper Backup Vault, Drive Server_`")
plex(Plex external access)
ingress50("`ingress-50
_Zoraxy_`")
ingress1("`ingress-1
_Zoraxy_`")
WAN1 --> W8
WAN1 --> W9
WAN1 --> W0
W8 --> montgomery
W8 --> plex
W8 --> qbt(qBittorrent)
W9 --> gitssh(Gitea SSH)
W9 --> ingress50 --> pub(Public services)
W0 --> ingress1 --> per(Personal services)
```
### Firewall rules
In addition to the default rules:
| Name | Action | Source Zone | Destination Zone |
|-------------------------- | ------ | ------------- | ---------------- |
| Allow UniFi remote access | Allow | External | Gateway |
## Local network
### VLANs
| Name | Subnet | Description | Isolate network |
|------------ | ----------------- | ------------------------------------------------------------- | --------------- |
| **Default** | _192.168.1.0/24_ | Default local network for laptops, family phones and tablets | No |
| **Pub** | _192.168.50.0/24_ | An isolated VLAN for public services | No |
| **Guest** | _192.168.5.0/24_ | An isolated VLAN for guest WiFi access | No |
| **IoT**     | _192.168.6.0/24_  | An isolated VLAN for connected home appliances                | No              |
- Device Isolation (client-to-client isolation within a network) is disabled for all networks, and the per-network Isolate Network toggle is off. Separation between the VLANs is enforced by the firewall zones and zone access rules below, so a change to those rules directly changes what `Pub`, `Guest` and `IoT` can reach.
### Firewall zones
| Name | Built in | Networks / Interfaces |
|---------------- | -------- | ------------------------------------------- |
| Internal | ✅ | [`Default`](#vlans) |
| External | ✅ | [`Primary (WAN1)`](#wan) `Secondary (WAN2)` |
| Gateway | ✅ | - |
| VPN | ✅ | [`Hearthstone`](#vpn) [`VPS`](#vpn) |
| Hotspot | ✅ | [`Guest`](#vlans) |
| DMZ | ✅ | - |
| VLAN 50 | ❌ | [`Pub`](#vlans) |
| VLAN 6 | ❌ | [`IoT`](#vlans) |
### Zones access rules
Additional firewall rules that allow or block zone-to-zone or subnet-to-subnet traffic, evaluated in the order listed.
| Source Zone | Destination Zone | Source | Destination | Action | Description |
|-------------- | ---------------- | --------------------- | --------------------------- | ------------------ | ---------------------------------------------------------------------------------- |
| Internal | VLAN 50 | All | All | Allow with return | Allow all traffic from [`Default`](#vlans) network to [`Pub`](#vlans) |
| Internal | VLAN 6 | All | All | Allow with return | Allow all traffic from [`Default`](#vlans) network to [`IoT`](#vlans) |
| VPN | Internal | [VPS subnet](#vpn) | All | Allow only return | Allow return traffic from [`VPS`](#vpn) subnet to [`Default`](#vlans) |
| VPN | Internal | [VPS subnet](#vpn) | All | Block | Block [`VPS`](#vpn) VPN clients from accessing the [`Default`](#vlans) network |
| VPN | Hotspot | [VPS subnet](#vpn) | All | Block | Block [`VPS`](#vpn) VPN clients from accessing the [`Guest`](#vlans) network |
| VPN | DMZ | [VPS subnet](#vpn) | All | Block | Block [`VPS`](#vpn) VPN clients from accessing the [`DMZ`](#firewall-zones) zone |
| VPN           | VLAN 50          | [Hearthstone](#vpn)   | All                         | Allow all          | Allow [`Hearthstone`](#vpn) VPN clients access to [`Pub`](#vlans) network         |
| VPN           | VLAN 6           | [Hearthstone](#vpn)   | All                         | Allow all          | Allow [`Hearthstone`](#vpn) VPN clients access to [`IoT`](#vlans) network         |
| VLAN 50 | VLAN 50 | All | All | Allow all | Allow [`Pub`](#vlans) network clients accessing each other |
## VPN
There are two WireGuard servers configured:
1. **Hearthstone**. Subnet _192.168.3.0/24_. For external access to all local networks.
1. **VPS**. Subnet _192.168.4.0/24_. For accessing VPS servers as if they were local network devices; the VPS side only gets return traffic into the local networks (see [zone access rules](#zones-access-rules)).
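The zone access rules and the two VPN subnets can be checked offline before touching the gateway. The Python model below is an added example, not the gateway's configuration or an export of it: it transcribes the subnets, zones and rules from the tables on this page, lints every rule so that a named network really is a member of the zone it is listed under (the transcription mistake of putting a VPN subnet in the Destination column of a VLAN 50 rule is caught this way), and answers whether a new connection between two hosts is permitted. First-match evaluation in table order and a block default for zone pairs with no rule are assumptions, since the page does not state the gateway's default zone-to-zone policy; the sample hosts are constructed.

```python
"""Offline model of the zone-based firewall policy documented on this page.

Added example; it is not the gateway's own configuration or an export of it.
Subnets, zones and rules are transcribed from the tables above. Assumptions:
rules match first-match in table order, and a zone pair with no matching
rule is blocked.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Subnets from the VLANs and VPN sections.
NETWORKS = {
    "Default": ip_network("192.168.1.0/24"),
    "Pub": ip_network("192.168.50.0/24"),
    "Guest": ip_network("192.168.5.0/24"),
    "IoT": ip_network("192.168.6.0/24"),
    "Hearthstone": ip_network("192.168.3.0/24"),
    "VPS": ip_network("192.168.4.0/24"),
}

# Firewall zones and their member networks (External, Gateway and DMZ have none).
ZONES = {
    "Internal": ["Default"],
    "Hotspot": ["Guest"],
    "VPN": ["Hearthstone", "VPS"],
    "VLAN 50": ["Pub"],
    "VLAN 6": ["IoT"],
    "DMZ": [],
}

ALLOW, ALLOW_RETURN, ONLY_RETURN, BLOCK = "allow", "allow_with_return", "allow_only_return", "block"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: Optional[str]  # network name; None means "All"
    dst: Optional[str]
    action: str


# The "Zones access rules" table, in order.
RULES = [
    Rule("Internal", "VLAN 50", None, None, ALLOW_RETURN),
    Rule("Internal", "VLAN 6", None, None, ALLOW_RETURN),
    Rule("VPN", "Internal", "VPS", None, ONLY_RETURN),
    Rule("VPN", "Internal", "VPS", None, BLOCK),
    Rule("VPN", "Hotspot", "VPS", None, BLOCK),
    Rule("VPN", "DMZ", "VPS", None, BLOCK),
    Rule("VPN", "VLAN 50", "Hearthstone", None, ALLOW),
    Rule("VPN", "VLAN 6", "Hearthstone", None, ALLOW),
    Rule("VLAN 50", "VLAN 50", None, None, ALLOW),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to the zone whose member network contains it."""
    addr = ip_address(ip)
    for zone, members in ZONES.items():
        if any(addr in NETWORKS[name] for name in members):
            return zone
    return None


def lint(rules) -> list:
    """Flag rules that name a network outside the zone it is placed under.

    A VPN subnet can never be a destination inside VLAN 50, so a rule that
    lists Hearthstone in the Destination column is a transcription error.
    """
    problems = []
    for i, r in enumerate(rules, 1):
        for column, zone, net in (("Source", r.src_zone, r.src), ("Destination", r.dst_zone, r.dst)):
            if net is not None and net not in ZONES.get(zone, []):
                problems.append(f"rule {i}: {column} network {net} is not a member of zone {zone}")
    return problems


def new_connection(src_ip: str, dst_ip: str, rules=RULES):
    """Decide whether src_ip may open a NEW connection to dst_ip.

    Returns (decision, rule_number); rule_number is None when the assumed
    default applied. 'Allow only return' never permits new connections, so
    it falls through to the next rule (the Block directly below it).
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for i, r in enumerate(rules, 1):
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.src is not None and src not in NETWORKS[r.src]:
            continue
        if r.dst is not None and dst not in NETWORKS[r.dst]:
            continue
        if r.action in (ALLOW, ALLOW_RETURN):
            return "allow", i
        if r.action == BLOCK:
            return "block", i
        # ONLY_RETURN: keep looking for a rule that decides new connections
    return "block", None  # assumption: unlisted zone pairs are blocked


if __name__ == "__main__":
    for problem in lint(RULES):
        print("LINT:", problem)
    # Constructed sample hosts, one per network, to print the reachability matrix.
    hosts = {name: str(net[10]) for name, net in NETWORKS.items()}
    for a in hosts:
        for b in hosts:
            if a != b:
                decision, rule = new_connection(hosts[a], hosts[b])
                print(f"{a:>11} -> {b:<11} {decision:5} (rule {rule})")
```

Running the file prints any lint findings followed by the per-network reachability matrix; pairs decided by `rule None` are the ones the table does not cover and therefore depend on the gateway's default policy, which is the set to verify against the real device when the rules are changed.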