# VLAN Scheme
VLANs represent security zones. Every VM is placed in exactly one zone based on its trust level. Firewall rules are written per-zone pair, so adding a new VM to an existing zone requires no firewall changes.
| VLAN | Name | Subnet | Trust | Purpose |
|---|---|---|---|---|
| VLAN 1 | Native | 10.42.1.0/24 | — | Untagged bootstrap only. Nothing permanent lives here. |
| VLAN 10 | Management | 10.42.10.0/24 | Highest | Proxmox host management interfaces, OpenWrt LAN. Proxmox UI accessible here. |
| VLAN 20 | Internal | 10.42.20.0/24 | High | FastAPI backend, Redis job queue, MinIO object storage, Dokploy. |
| VLAN 30 | Workload | 10.42.30.0/24 | Medium | CEA simulation worker VMs. Each server can host one or more workers. |
| VLAN 40 | DMZ | 10.42.40.0/24 | Low | Netbird LXC container, public-facing services. |
| VLAN 100 | Backhaul | 10.42.100.0/24 | Isolated | 10G inter-node only. Not routed through OpenWrt. MinIO replication, k3s etcd. |
## Firewall rules (OpenWrt)
Traffic is permitted downward only (from a higher-trust zone to a lower-trust one), apart from the explicit exceptions listed in the table. Workers can reach Internal for storage and queuing, but cannot initiate connections to Management or DMZ.
| Source | Destination | Ports | Action |
|---|---|---|---|
| Internet | DMZ | 443 (HTTPS) | ACCEPT |
| DMZ | Internal | 8000 (FastAPI) | ACCEPT |
| Internal | Workload | 6379 (Redis) | ACCEPT |
| Workload | Internal | 9000 (MinIO), 6379 (Redis) | ACCEPT |
| Workload | DMZ | any | DROP |
| Workload | Management | any | DROP |
| any | Management | any | DROP |
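As an added example (not part of this page's configuration), the checker below encodes the two tables above as data and resolves any (source IP, destination IP, port) flow to a verdict by looking up each address's zone from its subnet; it assumes first-match evaluation in table order and a default DROP for anything not listed. Because zones are derived from subnets, a new VM in an existing subnet is covered without adding a rule, which is the property the VLAN scheme is built on.

```python
# Added example: zone-pair policy checker modelled on the VLAN and firewall
# tables on this page. Assumptions (not stated on the page): first-match
# evaluation in table order, and an implicit default DROP after the table.
import ipaddress

# Zone name -> subnet, copied from the VLAN table. Native and Backhaul are
# included so their addresses resolve to a zone and fall to the default DROP.
ZONES = {
    "Native":     ipaddress.ip_network("10.42.1.0/24"),
    "Management": ipaddress.ip_network("10.42.10.0/24"),
    "Internal":   ipaddress.ip_network("10.42.20.0/24"),
    "Workload":   ipaddress.ip_network("10.42.30.0/24"),
    "DMZ":        ipaddress.ip_network("10.42.40.0/24"),
    "Backhaul":   ipaddress.ip_network("10.42.100.0/24"),
}

# (source zone, destination zone, ports, action) in the order of the rule
# table; "any" matches every zone or every port respectively.
RULES = [
    ("Internet", "DMZ",        {443},        "ACCEPT"),
    ("DMZ",      "Internal",   {8000},       "ACCEPT"),
    ("Internal", "Workload",   {6379},       "ACCEPT"),
    ("Workload", "Internal",   {9000, 6379}, "ACCEPT"),
    ("Workload", "DMZ",        "any",        "DROP"),
    ("Workload", "Management", "any",        "DROP"),
    ("any",      "Management", "any",        "DROP"),
]


def zone_of(ip):
    """Map an address to its zone; anything outside the VLAN table is 'Internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"


def verdict(src_ip, dst_ip, port):
    """Return ACCEPT or DROP for a new connection from src_ip to dst_ip:port."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, ports, action in RULES:
        if rule_src not in (src, "any"):
            continue
        if rule_dst not in (dst, "any"):
            continue
        if ports != "any" and port not in ports:
            continue
        return action  # first matching zone-pair rule wins
    return "DROP"  # assumed default policy for flows no rule describes
```

A quick way to review a proposed change is to list the flows each zone legitimately needs and assert their verdicts; a newly added worker such as 10.42.30.200 gets the same answers as every other Workload address with no rule edits.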