X-Git-Url: https://git.realraum.at/?a=blobdiff_plain;f=doc%2FNetwork.mdwn;h=b822a582c266e9cb759c150f7de184c34bc748de;hb=ad4589a18ab5669989f3ebb1b10898afc1e6c42b;hp=ced1937ab7e88427a907d923c656380b2a4537ad;hpb=6f38d747407e51ba8819026e2fffeba8fc259180;p=noc.git diff --git a/doc/Network.mdwn b/doc/Network.mdwn index ced1937..b822a58 100644 --- a/doc/Network.mdwn +++ b/doc/Network.mdwn @@ -1,11 +1,19 @@ # Network infrastructure -## VLANs +## Networks -NOC runs 2 core switches (one in each room), carrying a bunch of VLANs: -- 33 is the management VLAN (192.168.33.0/24); -- 127 is the LAN (192.168.127.0/24); -- 255 (`0xFF`) is our Funkfeuer VLAN. +NOC operates a number of networks, available as tagged VLANs on the core +switches (one in each half of the hackerspace). These networks are: + +| Network | VLAN id | Extra subnets | +|------------|---------|------------------| +| Management | 23 | -- | +| IoT | 33 | -- | +| Services | 34 | -- | +| Public | 36 | 89.106.211.64/27 | +| Guests | 127 | -- | +| Members | 128 | 89.106.211.32/27 | +| `0xFF` | 255 | -- | ### Conventions 
@@ -13,16 +21,27 @@ NOC runs 2 core switches (one in each room), carrying a bunch of VLANs: We use a number of conventions to make things more consistent: - The DNS zone for a given network is `NET.realraum.at`, with the exception - of the public services network (which has `realraum.at`); + of the public services network (which uses `realraum.at`) and of the Funkfeuer + VLAN (which has no `realraum.at` zone). - Networks using RFC 1918 IP space use the 192.168.VID.0/24 subnet; - The gateway for a network is on the last IP for the subnet. +### Routing and firewall rules + +This network diagram represents networks, and the connection flows between them: +an arrow from A to B means that a connection can be opened from network A to +network B. In all cases, a subset of ICMP (ECHO, ...) is allowed. + +Note that any given system might have interfaces in several of these networks. + +[[!img Network/overview.svg alt="r³ network overview"]] + ## WiFi Each location has a single AP, `ap{0,1}.mgmt.realraum.at`, which provides SSIDs -for the management VLAN (`realstuff`) and the LAN (`realraum` and `realraum5`); +for the IoT network (`realstuff`) and the LAN (`realraum` and `realraum5`); we use Ubiquity hardware running OpenWRT.
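Review bot: In the first hunk (`@@ -1,11 +1,19 @@`), the new table reuses VLAN id 33 for IoT while the removed text defined 33 as the management VLAN (192.168.33.0/24), and nothing in the doc records that management moved to 23. Any switch port, firewall rule or host config still written against the old meaning of 33 would now be granting management-level trust to IoT devices, so a short note under the table stating the renumbering would help. The same applies to 127, which changes from "the LAN" to Guests with Members added as 128. Separately, the `0xFF` row no longer carries the name Funkfeuer that the removed line gave it, yet the conventions text in the next hunk refers to "the Funkfeuer VLAN"; naming the row `0xFF` (Funkfeuer) would keep the two consistent.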
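Review bot: In the second hunk (`@@ -13,16 +21,27 @@`), the changed WiFi line still says the APs provide SSIDs for "the LAN (`realraum` and `realraum5`)", but after this change no network is called LAN: VLAN 127 is Guests and 128 is Members, and only Members has a public subnet. Please state which network each SSID lands in. The new "Routing and firewall rules" section also leaves the allowed ICMP set open-ended with "(ECHO, ...)"; since this is the only textual statement of what crosses every network boundary, list the permitted types explicitly. Finally, the conventions bullet refers to "the public services network" while the table has separate rows for Services (34) and Public (36), so the zone exception should name the row it means.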