Network Evolution Plan (VLANs and Ingress Separation)

Purpose

Define the next phases for segmentation and ingress separation so the current flat LAN can evolve without disruptive renumbering.

Phase Targets

  • Keep the existing LAN (10.0.0.0/24) stable during transition.
  • Introduce clear trust boundaries: Clients, Servers, Management, DMZ, IoT, Guest, Lab.
  • Reserve address space and VIP ranges now to simplify later MetalLB/kube-vip usage.
  • Separate public and internal ingress paths, with split-horizon DNS.

VLANs and Subnets (Proposed)

| VLAN | Name | Subnet | Purpose | Typical Residents |
|---|---|---|---|---|
| 10 | LAN | 10.0.0.0/24 | Default user network | PCs, phones, TVs |
| 20 | SERVER | 10.0.20.0/24 | App workloads, cluster nodes | Talos/K8s nodes, storage |
| 30 | MGMT | 10.0.30.0/24 | Out-of-band + admin | IPMI/BMC, switch/AP management |
| 40 | DMZ | 10.0.40.0/24 | Public-facing edge only | Public ingress VIPs / edge svc |
| 50 | IOT | 10.0.50.0/24 | Untrusted devices | Cameras, smart devices |
| 60 | GUEST | 10.0.60.0/24 | Visitor access | Guest Wi-Fi clients |
| 70 | LAB | 10.0.70.0/24 | Experiments | Test gear, ephemeral nodes |

DHCP and Gateway Plan (Examples)

Assuming router-on-a-stick (trunk to switch):

| VLAN | Gateway | DHCP Scope | Notes |
|---|---|---|---|
| 10 | 10.0.0.1 | 10.0.0.10–250 | Keep current allocations |
| 20 | 10.0.20.1 | 10.0.20.50–250 | Reserve low IPs for VIPs/statics |
| 30 | 10.0.30.1 | none or limited | Prefer static/reservations |
| 40 | 10.0.40.1 | none or limited | DMZ should be explicit |
| 50 | 10.0.50.1 | 10.0.50.50–250 | Tight egress rules |
| 60 | 10.0.60.1 | 10.0.60.50–250 | Internet only |
| 70 | 10.0.70.1 | optional | Lab isolation |

Default Inter-VLAN Policy (Allow Only What Is Needed)

  • LAN (10) → Internal ingress/services (20): allow service ports.
  • LAN (10) → MGMT (30): deny, except specific admin workstation or VPN admin group.
  • VPN/Admin → MGMT (30): allow.
  • DMZ (40) → Servers (20): allow only public ingress backends.
  • IOT (50) → anywhere: deny by default, allow minimal egress if needed.
  • GUEST (60) → internal: deny (internet only).
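The policy list above is easier to keep honest when it lives in one place that both answers "is this flow allowed?" and produces the firewall configuration. The following is an added example, not part of the plan: a small model of the default-deny inter-VLAN policy with a first-match evaluator, plus a renderer that emits the allow rules as `uci batch` input for the OpenWRT edge mentioned in the diagram. The subnets are the ones proposed on this page; the zone names, the VPN admin pool (10.0.200.0/24), the admin workstation (10.0.0.5), the LAN service ports (80/443), the DMZ backend port (8080) and the LAN-to-internet allow are constructed assumptions.

```python
# Added example: model of the "allow only what is needed" inter-VLAN policy.
# Subnets are from the plan; zone names, 10.0.200.0/24 (VPN admin pool),
# 10.0.0.5 (admin workstation), ports 80/443 and 8080 are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/24"),
    "server": ipaddress.ip_network("10.0.20.0/24"),
    "mgmt": ipaddress.ip_network("10.0.30.0/24"),
    "dmz": ipaddress.ip_network("10.0.40.0/24"),
    "iot": ipaddress.ip_network("10.0.50.0/24"),
    "guest": ipaddress.ip_network("10.0.60.0/24"),
    "lab": ipaddress.ip_network("10.0.70.0/24"),
    "vpnadmin": ipaddress.ip_network("10.0.200.0/24"),  # assumed VPN admin pool
}


@dataclass(frozen=True)
class Rule:
    src: str                      # zone name or "any"
    dst: str                      # zone name, "wan" (internet) or "any"
    ports: FrozenSet[int]         # allowed TCP destination ports; empty = all
    allow: bool = True
    src_ip: Optional[str] = None  # restrict the rule to a single source host


# First match wins; a flow that matches nothing is denied (default deny).
POLICY: List[Rule] = [
    Rule("lan", "server", frozenset({80, 443})),           # service ports (assumed)
    Rule("lan", "mgmt", frozenset(), src_ip="10.0.0.5"),   # admin workstation only
    Rule("vpnadmin", "mgmt", frozenset()),                 # VPN admin group
    Rule("dmz", "server", frozenset({8080})),              # public ingress backends
    Rule("guest", "wan", frozenset()),                     # guest: internet only
    Rule("lan", "wan", frozenset()),                       # LAN internet access (assumed)
    Rule("iot", "any", frozenset(), allow=False),          # IoT: deny by default
    Rule("guest", "any", frozenset(), allow=False),        # guest: nothing internal
]


def zone_of(address: str) -> str:
    """Map an address to its trust zone; anything outside the plan is 'wan'."""
    ip = ipaddress.ip_address(address)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"


def evaluate(src: str, dst: str, dport: int, policy: List[Rule] = POLICY) -> bool:
    """True if a TCP flow src -> dst:dport is permitted.

    Traffic inside one VLAN never crosses the router, so it is reported as
    allowed; every inter-zone flow must hit an explicit allow rule.
    """
    zsrc, zdst = zone_of(src), zone_of(dst)
    if zsrc == zdst:
        return True
    for rule in policy:
        if rule.src not in (zsrc, "any") or rule.dst not in (zdst, "any"):
            continue
        if rule.ports and dport not in rule.ports:
            continue
        if rule.src_ip is not None and rule.src_ip != src:
            continue
        return rule.allow
    return False  # default deny


def to_uci_batch(policy: List[Rule] = POLICY) -> str:
    """Render the allow rules as `uci batch` input for OpenWrt's firewall.

    Deny rules are not emitted: each zone is expected to be created with
    forward=REJECT, so anything without an explicit allow is already blocked.
    """
    lines: List[str] = []
    for r in policy:
        if not r.allow:
            continue
        dest = "*" if r.dst == "any" else r.dst
        proto = "tcp" if r.ports else "all"
        lines.append("add firewall rule")
        lines.append(f"set firewall.@rule[-1].name='fwd-{r.src}-to-{r.dst}'")
        lines.append(f"set firewall.@rule[-1].src='{r.src}'")
        lines.append(f"set firewall.@rule[-1].dest='{dest}'")
        lines.append(f"set firewall.@rule[-1].proto='{proto}'")
        if r.ports:
            ports = " ".join(str(p) for p in sorted(r.ports))
            lines.append(f"set firewall.@rule[-1].dest_port='{ports}'")
        if r.src_ip:
            lines.append(f"set firewall.@rule[-1].src_ip='{r.src_ip}'")
        lines.append("set firewall.@rule[-1].target='ACCEPT'")
    lines.append("commit firewall")
    return "\n".join(lines)


if __name__ == "__main__":
    print(evaluate("10.0.0.50", "10.0.30.5", 22))  # LAN client to MGMT: denied
    print(to_uci_batch())
```

The zone definitions themselves (`config zone` with `forward 'REJECT'`) are assumed to exist already; the emitter only adds the explicit allows, which keeps the deny-by-default property in the zone configuration rather than in a long list of deny rules.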

Ingress Separation Model

  • Public Ingress: Internet-reachable hostnames only; prefer placement in DMZ (VLAN 40) when available.
  • Internal Ingress: LAN/VPN-only hostnames; placed in SERVER (VLAN 20) or LAN (VLAN 10) during early phase.
  • Start with both ingress controllers in VLAN 20 (simpler); move Public Ingress VIPs to VLAN 40 when DMZ exists.

VIP Reservations (Examples)

  • Internal ingress VIPs: 10.0.20.10–10.0.20.19
  • Public ingress VIPs: 10.0.40.10–10.0.40.19
  • Gateways: .1, network services: .2–.9
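Reserving VIP ranges next to DHCP scopes only helps if the two never drift into each other. The following is an added example (not part of the plan) that checks the VLAN, DHCP and VIP tables above for consistency: disjoint subnets, gateways at .1, DHCP scopes inside their subnet and clear of both the reserved .1–.9 and any VIP reservation. The values are copied from the tables on this page; the broken plan used in the usage below is constructed.

```python
# Added example: consistency check over the VLAN / DHCP / VIP plan above.
# All values are from the page's tables; nothing here is the plan's own code.
import ipaddress
from typing import Dict, List, Tuple

Addr = ipaddress.IPv4Address

VLANS: Dict[int, str] = {
    10: "10.0.0.0/24", 20: "10.0.20.0/24", 30: "10.0.30.0/24", 40: "10.0.40.0/24",
    50: "10.0.50.0/24", 60: "10.0.60.0/24", 70: "10.0.70.0/24",
}
GATEWAYS: Dict[int, str] = {
    10: "10.0.0.1", 20: "10.0.20.1", 30: "10.0.30.1", 40: "10.0.40.1",
    50: "10.0.50.1", 60: "10.0.60.1", 70: "10.0.70.1",
}
# VLANs 30, 40 and 70 have no scope (static / reservations / optional).
DHCP_SCOPES: Dict[int, Tuple[str, str]] = {
    10: ("10.0.0.10", "10.0.0.250"),
    20: ("10.0.20.50", "10.0.20.250"),
    50: ("10.0.50.50", "10.0.50.250"),
    60: ("10.0.60.50", "10.0.60.250"),
}
VIP_RANGES: Dict[str, Tuple[int, str, str]] = {
    "internal-ingress": (20, "10.0.20.10", "10.0.20.19"),
    "public-ingress": (40, "10.0.40.10", "10.0.40.19"),
}
RESERVED_LOW_HOSTS = 9  # .1 gateway, .2-.9 network services, in every VLAN


def _overlap(a_lo: Addr, a_hi: Addr, b_lo: Addr, b_hi: Addr) -> bool:
    """Inclusive range overlap test."""
    return a_lo <= b_hi and b_lo <= a_hi


def validate(vlans=VLANS, gateways=GATEWAYS, dhcp=DHCP_SCOPES, vips=VIP_RANGES) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    nets = {v: ipaddress.ip_network(s) for v, s in vlans.items()}
    ids = sorted(nets)
    # 1. No two VLAN subnets may overlap.
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"VLAN {a} and VLAN {b}: subnets overlap")
    # 2. Gateways sit at .1 of their own subnet.
    for v, gw in gateways.items():
        if ipaddress.ip_address(gw) != nets[v].network_address + 1:
            findings.append(f"VLAN {v}: gateway {gw} is not .1 of {nets[v]}")
    # 3. DHCP scopes are inside the subnet and avoid reserved and VIP space.
    for v, (lo, hi) in dhcp.items():
        net = nets[v]
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a not in net or hi_a not in net or lo_a > hi_a:
            findings.append(f"VLAN {v}: DHCP scope {lo}-{hi} is not a valid range inside {net}")
            continue
        if lo_a <= net.network_address + RESERVED_LOW_HOSTS:
            findings.append(f"VLAN {v}: DHCP scope starts at {lo}, inside the reserved .1-.9")
        for name, (vv, vlo, vhi) in vips.items():
            if vv == v and _overlap(lo_a, hi_a, ipaddress.ip_address(vlo), ipaddress.ip_address(vhi)):
                findings.append(f"VLAN {v}: DHCP scope {lo}-{hi} overlaps VIP range {name} ({vlo}-{vhi})")
    # 4. VIP reservations live in the VLAN they are assigned to.
    for name, (v, vlo, vhi) in vips.items():
        if ipaddress.ip_address(vlo) not in nets[v] or ipaddress.ip_address(vhi) not in nets[v]:
            findings.append(f"VIP range {name} ({vlo}-{vhi}) is not inside VLAN {v} {nets[v]}")
    return findings


if __name__ == "__main__":
    print("plan as written:", validate() or "OK")
    # Constructed mistake: a VLAN 20 scope that starts in the reserved/VIP space.
    bad = dict(DHCP_SCOPES, **{20: ("10.0.20.5", "10.0.20.250")})
    for finding in validate(dhcp=bad):
        print("finding:", finding)
```

Running it against the tables as written produces no findings; widening the VLAN 20 scope down to .5 reports both the reserved-range conflict and the overlap with the internal ingress VIPs, which is exactly the class of mistake that later turns into a MetalLB address clash.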

DNS Expectations (Split-Horizon)

  • Use the unified namespace *.risu.tech (per Exposure Policy and Split-Horizon ADR).
  • Internal-only names resolve to internal VIPs (e.g., wiki.risu.tech → 10.0.20.10 on LAN/VPN).
  • Public names resolve externally only when intentionally exposed (e.g., status.risu.tech).
  • Internal resolvers must not return public IPs for internal-only names.
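The last expectation is the one that silently breaks when a public record is copied into the internal zone. The following is an added example (not part of the plan) that audits the internal resolver's answers for the internal-only names: any answer outside RFC 1918 space is reported as a leak, and any private answer outside the internal ingress VIP reservation (10.0.20.10–10.0.20.19 from the section above) is reported as unexpected. The answer set and the name list are constructed; the 203.0.113.0/24 addresses are documentation space standing in for public IPs.

```python
# Added example: split-horizon audit for internal-only names.
# Names and answers below are constructed; the VIP range is from the plan.
import ipaddress
import socket
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Internal ingress VIPs 10.0.20.10-10.0.20.19, expressed as CIDR blocks.
INTERNAL_VIPS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("10.0.20.10"), ipaddress.IPv4Address("10.0.20.19")))
# Constructed: names that must never resolve to a public address on LAN/VPN.
INTERNAL_ONLY = {"wiki.risu.tech", "grafana.risu.tech", "git.risu.tech"}

# Constructed sample of what the internal resolver returned for each name.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "wiki.risu.tech": ["10.0.20.10"],                 # correct: internal VIP
    "grafana.risu.tech": ["10.0.0.42"],               # private, but not an ingress VIP
    "git.risu.tech": ["10.0.20.10", "203.0.113.7"],   # public IP leaked into the internal view
    "status.risu.tech": ["203.0.113.20"],             # intentionally public, not audited
}


def audit_internal_view(answers: Dict[str, List[str]],
                        internal_only=INTERNAL_ONLY,
                        vip_ranges=INTERNAL_VIPS) -> Dict[str, List[str]]:
    """Classify each internal-only name's answers as leak / unexpected / missing."""
    report: Dict[str, List[str]] = {"leak": [], "unexpected": [], "missing": []}
    for name in sorted(internal_only):
        addrs = answers.get(name, [])
        if not addrs:
            report["missing"].append(name)
            continue
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if not any(ip in net for net in RFC1918):
                report["leak"].append(f"{name} -> {a}")        # public IP on the internal view
            elif not any(ip in net for net in vip_ranges):
                report["unexpected"].append(f"{name} -> {a}")  # private, but off the VIP range
    return report


def collect_system_answers(names) -> Dict[str, List[str]]:
    """Gather A records via the host's configured resolver (run from LAN/VPN)."""
    answers: Dict[str, List[str]] = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            answers[name] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            answers[name] = []
    return answers


if __name__ == "__main__":
    for kind, entries in audit_internal_view(SAMPLE_ANSWERS).items():
        for entry in entries:
            print(f"{kind}: {entry}")
```

`collect_system_answers` uses whatever resolver the machine is configured with, so the audit is meaningful only when run from a LAN or VPN client that points at the internal resolver; the same audit run from outside should instead find the internal-only names missing.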

Diagram (Ingress and Trust Zones)

flowchart TD
  Internet((Internet)) --> WAN[WAN]
  WAN --> Edge["Router/Firewall: OpenWRT now, dedicated later (policy gate)"]

  subgraph VLAN10[LAN 10 - 10.0.0.0/24]
    Clients[LAN Clients]
  end

  subgraph VLAN20[SERVER 20 - 10.0.20.0/24]
    Nodes[K8s/Talos Nodes]
    IntIngress[Internal Ingress VIPs]
    Services[Internal Services]
  end

  subgraph VLAN30[MGMT 30 - 10.0.30.0/24]
    IPMI[IPMI/BMC]
    NetMgmt[Switch/AP Mgmt]
  end

  subgraph VLAN40[DMZ 40 - 10.0.40.0/24]
    PubIngress[Public Ingress VIPs]
  end

  Edge --> VLAN10
  Edge --> VLAN20
  Edge --> VLAN30
  Edge --> VLAN40

  Clients --> IntIngress --> Services
  Internet -.->|Allowed 80/443 only via firewall/NAT| PubIngress --> Services

Migration Steps (Incremental)

  1. Current (flat): keep everything on 10.0.0.0/24, single DHCP (done).
  2. Add managed switch: trunk to router, keep most devices untagged on VLAN 10.
  3. Move servers to VLAN 20; keep clients on VLAN 10.
  4. Move management to VLAN 30 (static/reserved IPs).
  5. Add DMZ VLAN 40 for public ingress VIPs; expose only 80/443 as needed.