X-Git-Url: https://git.realraum.at/?a=blobdiff_plain;f=doc%2FNetwork.mdwn;h=2b54929e99901f3a257dc6c3fb09d70a81b26f8d;hb=e58964cf6e2891f088d8d17e175778e5984ccdf2;hp=9410317912ee087779db0094434b820ad183688e;hpb=c6d49679a2b57a6129e576c8bd32e257f2130b7b;p=noc.git diff --git a/doc/Network.mdwn b/doc/Network.mdwn index 9410317..2b54929 100644 --- a/doc/Network.mdwn +++ b/doc/Network.mdwn @@ -7,12 +7,12 @@ switches (one in each half of the hackerspace). These networks are: | Network | VLAN id | Extra subnets | |------------|---------|------------------| -| Management | 23 | -- | +| Management | 32 | -- | | IoT | 33 | -- | | Services | 34 | -- | -| Public | 36 | 89.106.211.32/27 | +| Public | 36 | 89.106.211.64/27 | | Guests | 127 | -- | -| Members | 128 | 89.106.211.64/27 | +| Members | 128 | 89.106.211.32/27 | | `0xFF` | 255 | -- | 
@@ -21,16 +21,27 @@ switches (one in each half of the hackerspace). These networks are: We use a number of conventions to make things more consistent: - The DNS zone for a given network is `NET.realraum.at`, with the exception - of the public services network (which has `realraum.at`); + of the public services network (which uses `realraum.at`) and of the Funkfeuer + VLAN (which has no `realraum.at` zone). - Networks using RFC 1918 IP space use the 192.168.VID.0/24 subnet; - The gateway for a network is on the last IP for the subnet. +### Routing and firewall rules + +This network diagram represents networks, and the connection flows between them: +an arrow from A to B means that a connection can be opened from network A to +network B. In all cases, a subset of ICMP (ECHO, ...) is allowed. + +Note that any given system might have interfaces in several of these networks. + +[[!img Network/overview.svg alt="r³ network overview"]] + ## WiFi Each location has a single AP, `ap{0,1}.mgmt.realraum.at`, which provides SSIDs -for the management VLAN (`realstuff`) and the LAN (`realraum` and `realraum5`); +for the IoT network (`realstuff`) and the LAN (`realraum` and `realraum5`); we use Ubiquity hardware running OpenWRT. @@ -49,6 +60,7 @@ r1w2 has two fiber connections: one to the main room, and one to the radio room. (We use fiber to avoid creating a ground loop between the locations.) In r1w2, we have a rack hosting a number of devices: + - the patch panel and core switch (`sw1.mgmt.realraum.at`) for W2; - the `alfred` virtualization server; - miscelaneous devices: @@ -77,6 +89,7 @@ Cx. The patch panel has a fiber link to r2w1, and a copper link to an external antenna for our link to Funkfeuer. The network shelf in Cx also houses some important devices: + - `gw.realraum.at`; - `smsgw.mgmt.realraum.at`, plus its mobile phone; - the PoE injectors for `ap0.mgmt.realraum.at` and `sch24.r3.ffgraz.net`;
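Review bot: in the first hunk (`@@ -7,12 +7,12 @@`) the Management VLAN id changes from 23 to 32 and the Public and Members `/27` subnets are swapped, but nothing states which of the two tables was wrong, so the commit message should say whether this is a correction of the documentation or an actual renumbering. Under the convention stated further down in this file (RFC 1918 networks use `192.168.VID.0/24`), moving Management to VLAN 32 also moves its subnet from `192.168.23.0/24` to `192.168.32.0/24`, so please confirm that the switch VLAN configuration, the `mgmt.realraum.at` zone and any firewall rules that reference the old id or the old Public/Members subnets were updated in the same change.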
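Review bot: in the second hunk (`@@ -21,16 +21,27 @@`) the new DNS-zone exception refers to a Funkfeuer VLAN, but no such VLAN appears in the network table at the top of this file, so the reference is undocumented; add its row or point at where it is defined. In the new "Routing and firewall rules" section, "a subset of ICMP (ECHO, ...)" should list the exact ICMP types that are allowed, since this diagram is what the firewall rules will be checked against, and the sentence "any given system might have interfaces in several of these networks" deserves a note that such multi-homed hosts are not covered by the per-network arrows in `Network/overview.svg`. The SSID correction (`realstuff` serves the IoT network, not the management VLAN) is welcome; while touching these lines, the context line "we use Ubiquity hardware" should read "Ubiquiti".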
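Review bot: the third hunk (`@@ -49,6 +60,7 @@`) only adds a blank line before the list, which is fine for the Markdown renderer; since the context line "miscelaneous devices:" sits in this hunk, it would be a good opportunity to fix the spelling to "miscellaneous".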