1.0.0 Release IaaS
63
docs/adr/002-network.md
Normal file
@@ -0,0 +1,63 @@
# ADR 002 - Network

## Date

- Feb/23/2026
- First documentation


## Status

- Accepted

## Context

- All L3 communications should be contolled by central firewall node.
- Every firewall rule should be managed by code, not clicks.
- Every edge node takes charge of L2 communication rules.
- IPv4 and IPv6 dual stack should be supported for future network environment.

## Consideration

### Firewall

- OPNSense/pfSense
- vendor lock-in
- GUI environment \(WebGUI\) can contain vulnerability
- It is hard to manage configurations by IaC
- iptables
- Previous standard of Linux
- IPv4 and IPv6 configuration is separated \(no inet\)
- nftables
- New standard of Linux
- English grammar friendly
- IPv4 and IPv6 configuration can be set on the same table \(inet\)

### Flat network structure
- LAN only
- L2 communication doesn't need to pass through gateway
- They use MAC address with ARP. Unicast communication is hard to manage.
- It is hard to manage and apply the policy centrally

## Decisions

- Categorize all nodes in 4 roles 'client', 'server', 'user', 'wg0; vpn connections'
- Implement role separation with VLAN tagging on L2 switch (systemd-networkd bridge)
- VLAN 1: client (vmm, console, nas)
- VLAN 10: server (vmm, infra, auth, app)
- VLAN 20: user (DHCP allocated devices)
- wg0: VPN connections
- Manage the rules based on roles fundamentally, furthermore manage them based on ip and ports when it is needed
- All L3 communication which needs to pass gateway should be on control of firewall \(fw\)
- All nodes including firewall uses nftables \(modern standard\) to manage the packets based on zone concept
- IPv6 has two track strategy
- Client and server, wg nodes has static ULA IP, and use NAT66 for permanency
- User nodes has GUA SLAAC IP from ISP for compatibility


## Consequences

- Firewall takes charge of L3 communications
- Each nodes takes charge of L2 communications and communication from FW
- All nodes can communicate under both IPv4 and IPv6
- All policies can be managed by Code
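Review bot: the line `VLAN 1: client (vmm, console, nas)` puts the most sensitive role (hypervisor, console, NAS) on VLAN 1, which is the default/native VLAN on most switches, so untagged frames and any port left at factory settings land in the client segment by default; consider a non-default tag for client (for example 30) and leaving VLAN 1 unused, and record that choice in the Decisions list. The Decisions also say every node uses nftables "based on zone concept" but never state the default policy of the inter-zone path (drop or accept) or which zone pairs are permitted, which is the part the Context line "Every firewall rule should be managed by code, not clicks" needs pinned down; a short allowed-flows table (client to server, user to wg0, and so on) would make the ADR reviewable and testable. The IPv6 item "use NAT66 for permanency" should say whether this means stateful NAT66 or prefix translation, since the two behave differently for inbound and for logging. Minor: "contolled" should be "controlled"; the `\(` and `\)` escapes are unnecessary in Markdown; and `'wg0; vpn connections'` contains a stray semicolon inside the role list, so the four role names read as five tokens.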