2025 network revamp
The plan
```mermaid
---
title: Future high level core network architecture
---
graph
    blix[Blix]
    er-1[Edge-router 1]
    er-2[Edge-router 2]
    udm[Unifi Dream Machine]
    sw-core["Core switch (layer 2 only)"]
    net-haus("Hausmania network (routing, NAT)")
    net-hack("Hackeriet network (routing, NAT)")
    srv1(Server)
    srv2(Server)
    srv3(Server)
    sw1(Switch)
    sw2(Switch)
    sw3(Switch)
    blix-- VRRP --> er-1
    blix-- VRRP --> er-2
    er-1-->udm
    er-2-.->udm
    er-1--->sw-core
    er-2-..->sw-core
    udm-->net-haus
    udm-->net-hack
    udm<-- "All VLANs but DMZ" -->sw-core
    sw-core-->srv1
    sw-core-->srv2
    sw-core-->srv3
    sw-core-->sw1
    sw-core-->sw2
    sw-core-->sw3
```
Projects
Edgerouter for DMZ routing
Pad: https://pad.hackeriet.no/p/2025-network-dmz
Main points
- Set up 2x Edgerouters behind the Blix gateway
- Bind Hackeriet's linknet IP to one of the two ERs
- Use VRRP with a dedicated internal keepalive network to move the VIP between them
- Connect the downstream core (pit-sw, or UDM+sw-core, depending on the other project) to the ERs with separate physical links
  - Use (R)STP to keep only one downstream link active at a time
- Only route the DMZ network
- Will not touch internal networks
- Separate link to each ER for the switch management network
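An added example (not from the pad or from Hackeriet's actual configuration) of how the VRRP and DMZ-only routing points above could map onto EdgeOS configuration on ER-1; the interface roles, group numbers and RFC 5737 addresses are assumed placeholders, and ER-2 would carry the same configuration with a lower priority (e.g. 100).

```edgeos
# ER-1 (assumed roles: eth0 = linknet towards Blix, eth1 = DMZ downstream)
# All addresses are RFC 5737 documentation placeholders, not Hackeriet's real ranges.

# Per-router address on the linknet; the shared linknet IP is the VRRP VIP below
set interfaces ethernet eth0 description "Linknet to Blix"
set interfaces ethernet eth0 address 192.0.2.11/24

# Hackeriet's linknet IP as a VRRP virtual address: only the current MASTER answers for it
set interfaces ethernet eth0 vrrp vrrp-group 10 virtual-address 192.0.2.10/24
set interfaces ethernet eth0 vrrp vrrp-group 10 priority 200
set interfaces ethernet eth0 vrrp vrrp-group 10 preempt true
set interfaces ethernet eth0 vrrp vrrp-group 10 preempt-delay 30
set interfaces ethernet eth0 vrrp vrrp-group 10 sync-group DMZ

# DMZ side, same pattern: the DMZ default gateway moves together with the linknet VIP
# because both groups share the sync-group (avoids one ER owning the uplink and the other the DMZ)
set interfaces ethernet eth1 description "DMZ downstream"
set interfaces ethernet eth1 address 198.51.100.2/24
set interfaces ethernet eth1 vrrp vrrp-group 20 virtual-address 198.51.100.1/24
set interfaces ethernet eth1 vrrp vrrp-group 20 priority 200
set interfaces ethernet eth1 vrrp vrrp-group 20 preempt true
set interfaces ethernet eth1 vrrp vrrp-group 20 sync-group DMZ

# "Only route DMZ network": traffic arriving from upstream that is not destined for the
# DMZ prefix is dropped, so the ERs never forward towards internal ranges
set firewall name LINKNET_IN default-action drop
set firewall name LINKNET_IN rule 10 action accept
set firewall name LINKNET_IN rule 10 state established enable
set firewall name LINKNET_IN rule 10 state related enable
set firewall name LINKNET_IN rule 20 action accept
set firewall name LINKNET_IN rule 20 destination address 198.51.100.0/24
set interfaces ethernet eth0 firewall in name LINKNET_IN

# The DMZ is a connected route; everything else goes back to Blix (placeholder next-hop)
set protocols static route 0.0.0.0/0 next-hop 192.0.2.1
```

Note that VRRP advertisements here travel on the linknet and DMZ interfaces themselves; the dedicated internal keepalive network from the plan is not modelled in this fragment.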
Unifi Dream Machine for NAT and internal routing
Pad: https://pad.hackeriet.no/p/2025-network-internal
Main points
- Put up a Unifi Dream Machine and a dedicated L2 core switch
- Upstream WAN address in the DMZ
- Take over all NAT responsibilities from m00n
  - Bind separate NAT egress addresses in the DMZ network
- Trunk all networks but the DMZ to sw-core
- Serve as wifi controller
- Handle inter-network routing and firewalling (e.g. DMZ→hackeriet or hackeriet→haus)