Networkยถ
Firewallsยถ
Office firewallยถ
Weโre using an UniFi Security Gateway in our office infrastructure. This means you can configure the firewall rules via the UniFi controller.
Datacenter firewallsยถ
Thereโs no dedicated / central firewall for the servers in the datacenter.
Each server will have several iptables rules in place.
Please have a look at the Ansible firewall rule for more informations.
VPN connectivityยถ
Weโve remote user VPNโs configured on the UniFi controller. Please use the following settings to connect to our VPN:
Type |
L2TP over IPSec |
|---|---|
Server |
|
IPSec PSK |
Stored in the Enpass |
Account |
Defined in the UniFi controller under Settings > Services > RADIUS > Users |
Important
If youโre using OS X then you should have a look at the service order of the interfaces, because the DNS resolver depends on it. You might want to lookup an internal hostname to check if everything works properly.
Domainsยถ
Weโve several managed domains on our DNS severs.
These are our main domains:
Domain |
Usage |
Registrar |
|---|---|---|
confirm.ch |
Main DNS zone |
Metanet |
confirm.swiss |
Main swiss DNS zone |
Metanet |
confirm.ninja |
Main ninja DNS zone |
Namecheap |
Project domains:
Domain |
Project |
Registrar |
|---|---|---|
freaks.io |
FreaksIO |
Namecheap |
pkg.ninja |
PackageNinja |
Namecheap |
Personal domains:
Domain |
Usage |
Registrar |
|---|---|---|
barton-online.ch |
Domiโs DNS zone (for mail) |
Metanet |
thebartons.ch |
Domiโs DNS zone |
Metanet |
Main DNS zonesยถ
As mentioned before, confirm.ch is our main DNS zone and we use it for all of our DNS records.
Zone |
Description |
|---|---|
confirm.ch |
Main DNS zone, contains CNAMEโs to records in the server zones. |
pvt.confirm.ch |
Contains IP records of all private server addresses. |
pub.confirm.ch |
Contains IP records of all public server addresses. |
Private IP subnetsยถ
The private subnet design scheme is as follows:
10.U.LL.XXX
^ ^ ^
| | |
| | +-- 254 available IP's in each subnet
| +----- Location (e.g. 0=Office, 1=Datacenter)
+-------- Usage (e.g. 1=Client, 2=Server)
Client subnetsยถ
All client subnets are in 10.1.0.0/16 within the VLANโs 1 (i.e. native VLAN).
Subnet |
VLAN |
Location |
Description |
|---|---|---|---|
10.1.0.0/24 |
1 |
Office |
Client VLAN |
10.1.10.0/24 |
Domi |
Domiโs subnet |
|
10.1.254.0/24 |
VPN clients |
Server Subnetsยถ
All server subnets are in 10.2.0.0/16 within the VLANโs 2.
Subnet |
VLAN |
Location |
Description |
|---|---|---|---|
10.2.0.0/24 |
2 |
Office |
Server VLAN |
10.2.1.0/24 |
Datacenter |
Datacenter servers |
Other subnetsยถ
Subnet |
VLAN |
Location |
Description |
|---|---|---|---|
10.3.0.0/24 |
3 |
Lab |
Lab In A Box |
10.4.0.0/24 |
4 |
Streaming |
Streaming equipment, e.g. PTZ cameras |
10.8.0.0/24 |
free, e.g. for local VM & Docker subnets |
||
10.9.0.0/24 |
9 |
Office |
Guest VLAN |
217.71.252.24 |
99 |
Office / Public |
Public office IP subnetยถ
ISPยถ
The internet in the office is provided by iWay.
Our connectivity speed is
1000/1000Our customer number is
373676The OTO ID (number of the fibre connector) is
B.102.027.151.5[.1]For support have a look at the iWay customer portal and the iWay support site
Hint
DNS PTR records can be changed via iWay customer portal (Products > Edit > Reverse DNS).
Routed subnetยถ
Important
Because weโve a routed subnet, the gateway WAN port is configured with DHCP and assigns an IP address outside of this subnet:
84.254.96.223 aka gw1.pub.confirm.ch
All inbound local WAN traffic and all outbound LAN traffic is routed via this IP address. Thus VPN connectivity and such relies on this IP address.
Routed subnet:
217.71.252.24/29Configured on VLAN ID:
99
IPv4 address |
Usage |
DNS |
|---|---|---|
217.71.252.24/29 |
n/a: network ID |
|
217.71.252.25/29 |
Gateway |
|
217.71.252.26/29 |
Proxmox |
proxmox1.pub.confirm.ch |
217.71.252.27/29 |
Nameserver |
ns2.pub.confirm.ch |
217.71.252.28/29 |
Web Server |
web4.pub.confirm.ch |
217.71.252.29/29 |
FreaksIO |
freaks.io |
217.71.252.30/29 |
Development Server |
dev1.pub.confirm.ch |
217.71.252.31/29 |
n/a: broadcast |
|
Public datacenter IP addressesยถ
IPv4 address |
IPv6 address |
Usage |
DNS |
|---|---|---|---|
80.74.129.106/24 |
2A00:1128:1:1::129:106/64 |
Proxmox Server |
proxmox2.pub.confirm.ch |
80.74.129.107/24 |
2A00:1128:1:1::129:107/64 |
Proxmox Management Interface |
proxmox2-mgmt.pub.confirm.ch |
80.74.137.78/24 |
2A00:1128:1:1::137:78/64 |
Mail Server |
mail1.pub.confirm.ch |
80.74.137.80/24 |
2A00:1128:1:1::137:80/64 |
Web Server (Public Services) |
web1.pub.confirm.ch |
80.74.137.143/24 |
2A00:1128:1:1::137:143/64 |
Web Server (Private Services) |
web2.pub.confirm.ch |
80.74.137.154/24 |
2A00:1128:1:1::137:154/64 |
Web Server (Customer Services) |
web3.pub.confirm.ch |
80.74.137.161/24 |
2A00:1128:1:1::137:161/64 |
Gateway |
gw2.pub.confirm.ch |
94.126.18.242/24 |
2A00:1128:1:1::18:242/64 |
Name Server |
ns1.pub.confirm.ch |
94.126.19.225/24 |
2A00:1128:1:1::19:225/64 |
GitLab Server |
git1.pub.confirm.ch |
94.126.19.226/24 |
2A00:1128:1:1::19:226/64 |
Thaddeus |
zambellis.ch |
94.126.23.165/24 |
2A00:1128:1:1::23:165/64 |
||
94.126.23.166/24 |
2A00:1128:1:1::23:166/64 |
Calendar Server |
calendar1.pub.confirm.ch |
Hint
The IPv4 gateways are always on
.1The IPv6 gateway is always
fe80::1