nathan/homelab
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Releases Wiki Activity
homelab/ansible/archive/documentation/contracts/Networking.md

70 lines
2.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## ✅ **Point 3 Networking FINAL**
### **Role**
* Defines how all homelab components (control, compute, storage, users) connect and communicate
* Baseline: single-site, flat LAN for all core infra, with best-practice VLANs and segmentation as future upgrades
---
### **Baseline LAN**
* Primary LAN: `10.0.0.0/24` (gateway: `10.0.0.2`)
* DHCP range: `10.0.0.5010.0.0.150`
* Static infra: `.2.10` (infra), `.10.14` (Proxmox), `.200+` (homelab), `.249` (Synology), `.250` (TerraMaster)
* Key static IPs:
* Watchtower: `10.0.0.200`
* Proxmox hosts: `10.0.0.10.14`
* Synology: `10.0.0.249`
* TerraMaster: `10.0.0.250`
* All core infra and homelab services live in the "main" VLAN
* IoT is segregated; guest WiFi VLAN exists but is unused
---
### **Service exposure & remote access**
* Most services are reverse-proxied via Traefik and exposed to the internet
* Tailscale is used for network ingress, not direct service exposure
* Operator remote access: Omada VPN, Tailscale, VS Code Tunnel; SSH/terminal access can be added as needed
* Management UIs (Proxmox, Watchtower, NAS) are not intentionally public, but most services are proxied
---
### **Interconnection & segmentation**
* Watchtower can reach all Proxmox hosts, Synology, and TerraMaster directly (no firewall blocks)
* Homelab is entirely in the "main" VLAN; IoT is isolated; guest VLAN is unused
* Segmentation exists for IoT, but not for homelab/infra yet; setup should be reviewed periodically
---
### **Future VLAN model (intent)**
* Follow best practices for small networks:
* mgmt: hypervisors, switches, Watchtower
* workloads: Swarm worker VMs, app traffic
* storage: NAS traffic
* users/guests: client devices
* All VLANs must be isolated except via explicit firewall rules
* Review and update segmentation as needs evolve
---
### **Operational constraints / "never do this"**
* Never bridge production and lab VLANs
* Never expose management VLAN or core infra directly to the internet
* Never allow IoT VLAN to reach core infra or management
* Never mix guest and production traffic without a firewall
* All changes to VLANs, firewall, or router config must be deliberate and documented
---
### **Further considerations**
* Exact VLAN IDs, IP ranges, DHCP/DNS, and firewall rules will live in a separate, detailed networking doc (to be referenced here)
* Networking is single-site only; future multi-site/remote backup will require explicit design
* Router/firewall implementation details (e.g., Omada, OPNsense, UniFi) will be documented separately; this contract is vendor-neutral
* Review this contract and underlying network setup at least annually or after major infra changes
Reference in New Issue View Git Blame Copy Permalink