ilnmors-homelab/docs/adr/002-network.md
2026-03-15 04:41:02 +09:00

ADR 002 - Network

Date

  • Feb/23/2026
    • First documentation

Status

  • Accepted

Context

  • All L3 communication should be controlled by a central firewall node.
  • Every firewall rule should be managed by code, not clicks.
  • Every edge node takes charge of its own L2 communication rules.
  • IPv4 and IPv6 dual stack should be supported for future network environments.

Consideration

Firewall

  • OPNSense/pfSense
    • vendor lock-in
    • GUI environment (WebGUI) can contain vulnerabilities
    • It is hard to manage configurations via IaC
  • iptables
    • Previous standard of Linux
    • IPv4 and IPv6 configuration is separated (iptables/ip6tables, no inet family)
  • nftables
    • New standard of Linux
    • Rule syntax reads like English
    • IPv4 and IPv6 configuration can be set in the same table (inet family)

Flat network structure

  • LAN only
    • L2 communication doesn't need to pass through the gateway
    • Hosts address each other by MAC via ARP, so unicast traffic is hard to control
    • It is hard to manage and apply policy centrally

Decisions

  • Categorize all nodes into 4 roles: 'client', 'server', 'user', and 'wg0' (VPN connections)
  • Implement role separation with VLAN tagging on the L2 switch (systemd-networkd bridge)
    • VLAN 1: client (vmm, console, nas)
    • VLAN 10: server (vmm, infra, auth, app)
    • VLAN 20: user (DHCP allocated devices)
    • wg0: VPN connections
  • Manage rules primarily by role; add IP- and port-based rules only where needed
  • All L3 communication that has to pass the gateway is under control of the firewall (fw)
  • All nodes, including the firewall, use nftables (the modern standard) and manage packets with a zone concept
  • IPv6 uses a two-track strategy
    • Client, server and wg nodes have static ULA addresses and use NAT66 for permanence
    • User nodes get GUA SLAAC addresses from the ISP for compatibility
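The ruleset below is an added example written for this ADR; it is not the ilnmors-homelab firewall configuration. It shows what the decisions above look like in nftables: one inet table so each role rule covers IPv4 and IPv6 at once (the "inet" point from Consideration), zones derived from the VLAN interfaces, role rules first and narrower ip/port exceptions after, and NAT66 for the ULA-addressed roles only. Interface names (wan0, br0.1, br0.10, br0.20), the 10.0.0.0/8 IPv4 range, the WireGuard port and the allowed service ports are all assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not the ilnmors-homelab ruleset): zone-based dual-stack
# firewall for the roles in ADR 002. All names and ranges are assumptions.
flush ruleset

define WAN    = "wan0"        # assumed uplink to the ISP
define CLIENT = "br0.1"       # VLAN 1 on the bridge: client role
define SERVER = "br0.10"      # VLAN 10: server role
define USER   = "br0.20"      # VLAN 20: user role
define VPN    = "wg0"         # WireGuard peers
define ULA    = fd00::/8      # ULA space used by client/server/wg nodes
define LAN4   = 10.0.0.0/8    # assumed private IPv4 space behind the fw

table inet fw {
    # A zone is simply a set of ingress interfaces; because the table is
    # inet, one rule matches both IPv4 and IPv6 traffic from that zone.
    set zone_trusted { type ifname; elements = { $CLIENT, $SERVER, $VPN } }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # ICMP/ICMPv6 must pass for PMTU discovery, NDP and SLAAC to work
        meta l4proto { icmp, ipv6-icmp } accept
        # Trusted zones may reach the firewall's own services (ssh, dns, dhcp)
        iifname @zone_trusted tcp dport { 22, 53 } accept
        iifname @zone_trusted udp dport { 53, 67, 547 } accept
        # The user zone only gets DNS and DHCP from the firewall
        iifname $USER tcp dport 53 accept
        iifname $USER udp dport { 53, 67, 547 } accept
        # WireGuard handshakes arrive from the internet
        iifname $WAN udp dport 51820 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept

        # Role-based policy first: which zone may initiate to which
        iifname $CLIENT oifname { $SERVER, $USER, $WAN } accept
        iifname $VPN    oifname { $SERVER, $CLIENT } accept
        iifname $USER   oifname $WAN accept

        # Narrower ip/port exceptions only where a role rule would be too wide
        iifname $USER   oifname $SERVER tcp dport { 80, 443 } accept
        iifname $SERVER oifname $WAN    tcp dport { 80, 443 } accept
        iifname $SERVER oifname $WAN    udp dport 123 accept

        # Everything else (e.g. server -> client initiations) is logged and dropped
        log prefix "fw-forward-drop: " drop
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # IPv4: private LANs share the single public address
        oifname $WAN ip saddr $LAN4 masquerade
        # NAT66: ULA-addressed roles keep a permanent internal address even
        # when the ISP-delegated prefix changes. The user VLAN uses GUA via
        # SLAAC and is deliberately not translated.
        oifname $WAN ip6 saddr $ULA masquerade
    }
}
```

Loading it with `nft -c -f` first only parses and checks the file without touching the live ruleset, which is the step an IaC pipeline would run before applying. The forward chain ends in an explicit logged drop so that a role that is missing a rule shows up in the journal rather than failing silently.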

Consequences

  • The firewall takes charge of L3 communication
  • Each node takes charge of its own L2 communication and of traffic coming from the FW
  • All nodes can communicate over both IPv4 and IPv6
  • All policies can be managed as code