X-Git-Url: https://git.realraum.at/?a=blobdiff_plain;f=doc%2FNetwork.mdwn;h=a28f8d563427df873c2ef5fefb5495ad59f422fb;hb=cf9d81f0db44169cd388f2aba1033ebd86a0554a;hp=c60ffc70933a290e7ae86dddf2fb73359fc9f226;hpb=ac7ea37466c87e30083b2ef1fd4de6c76b325b54;p=noc.git diff --git a/doc/Network.mdwn b/doc/Network.mdwn index c60ffc7..a28f8d5 100644 --- a/doc/Network.mdwn +++ b/doc/Network.mdwn 
@@ -1,26 +1,58 @@ # Network infrastructure -## VLANs +## Networks -NOC runs 2 core switches (one in each room), carrying a bunch of VLANs: -- 33 is the management VLAN (192.168.33.0/24); -- 127 is the LAN (192.168.127.0/24); -- 255 (`0xFF`) is our Funkfeuer VLAN. +NOC operates a number of networks, available as tagged VLANs on the core +switches (one in each half of the hackerspace). These networks are: -The switches have hostnames `sw{0,1}.mgmt.realraum.at`, and the WiFi access -points are similarly `ap{0,1}.mgmt.realraum.at`. `0` denotes the main room, and -`1` denotes Wöhnung 2. +| Network | VLAN id | Extra subnets | +|------------|---------|------------------| +| Management | 32 | -- | +| IoT | 33 | -- | +| Services | 34 | -- | +| Public | 36 | 89.106.211.64/27 | +| Guests | 127 | -- | +| Members | 128 | 89.106.211.32/27 | +| `0xFF` | 255 | -- | + + +### Conventions + +We use a number of conventions to make things more consistent: + +- The DNS zone for a given network is `NET.realraum.at`, with the exception + of the public services network (which uses `realraum.at`) and of the Funkfeuer + VLAN (which has no `realraum.at` zone). +- Networks using RFC 1918 IP space use the 192.168.VID.0/24 subnet; + for instance, the IoT network has id 33 and uses the 192.168.33.0/24 subnet. +- The gateway for a network is on the last IP for the subnet. + + +### Routing and firewall rules + +This network diagram represents networks, and the connection flows between them: +an arrow from A to B means that a connection can be opened from network A to +network B. In all cases, a subset of ICMP (ECHO, ...) is allowed. + +Note that any given system might have interfaces in several of these networks. 
+ +[[!img Network/overview.svg alt="r³ network overview"]] ## WiFi Each location has a single AP, `ap{0,1}.mgmt.realraum.at`, which provides SSIDs -for the management VLAN (`realstuff`) and the LAN (`realraum` and `realraum5`); +for the IoT network (`realstuff`) and the LAN (`realraum` and `realraum5`); we use Ubiquity hardware running OpenWRT. ## Physical locations +The switches have hostnames `sw{0,1}.mgmt.realraum.at`, and the WiFi access +points are similarly `ap{0,1}.mgmt.realraum.at`. `0` denotes the main room, and +`1` denotes Wöhnung 2. + + ### Wöhnung 2 #### Raum 1 @@ -29,6 +61,7 @@ r1w2 has two fiber connections: one to the main room, and one to the radio room. (We use fiber to avoid creating a ground loop between the locations.) In r1w2, we have a rack hosting a number of devices: + - the patch panel and core switch (`sw1.mgmt.realraum.at`) for W2; - the `alfred` virtualization server; - miscelaneous devices: @@ -57,6 +90,7 @@ Cx. The patch panel has a fiber link to r2w1, and a copper link to an external antenna for our link to Funkfeuer. The network shelf in Cx also houses some important devices: + - `gw.realraum.at`; - `smsgw.mgmt.realraum.at`, plus its mobile phone; - the PoE injectors for `ap0.mgmt.realraum.at` and `sch24.r3.ffgraz.net`;
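Review bot: the new "Conventions" rule ("the DNS zone for a given network is `NET.realraum.at`") does not match the names used elsewhere in this same hunk: the Management network's hosts are `sw{0,1}.mgmt.realraum.at` and `ap{0,1}.mgmt.realraum.at`, not `management.realraum.at`, and the WiFi paragraph still says the `realraum`/`realraum5` SSIDs serve "the LAN", which is no longer a network name in the table (Guests or Members?). Suggest adding a zone column to the table (e.g. `| Management | 32 | mgmt |`) and naming the SSID network by its table name. Two smaller points: "the gateway for a network is on the last IP for the subnet" should say the last usable address (for a /24 the last address is the broadcast), and "a subset of ICMP (ECHO, ...) is allowed" should enumerate the allowed types, since the firewall policy otherwise lives only in `Network/overview.svg`, where it cannot be reviewed in a diff.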
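Review bot: the blank line inserted before "- the patch panel and core switch" in the r1w2 list is the right fix (the Markdown dialect ikiwiki uses does not start a list directly after a paragraph, so the items were rendering as part of the preceding sentence), but while this block is being touched, the unchanged context line "miscelaneous devices:" should become "miscellaneous devices:". The same paragraph-then-list pattern is fixed again in the Cx hunk; it is worth checking the rest of the file for other lists that still lack a leading blank line.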
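Review bot: same rendering fix as the r1w2 list, fine as is. One documentation suggestion for the surrounding context: the devices listed here (`gw.realraum.at`, `smsgw.mgmt.realraum.at`, the PoE-fed `ap0.mgmt.realraum.at` and `sch24.r3.ffgraz.net`) would benefit from stating which of the networks in the new table each one sits on, since the Conventions section now says a system may have interfaces in several of them and the hostname alone only hints at one.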