ADR-007: retire VLAN-99 WireGuard for the NetBird mesh (ADR-016)
parent
ff796c64ca
commit
5a32dd46d3
1 changed files with 17 additions and 15 deletions
@ -47,7 +47,7 @@ ISP
| 30 | `lan` | `10.30.0.0/24` | Trusted home devices. DHCP. Access to selected `srv` services via OPNsense. |
| 40 | `iot` | `10.40.0.0/24` | Smart home, cameras, printers. DHCP. Internet egress only + HA exception. |
| 50 | `guest` | `10.50.0.0/24` | Guest WiFi. DHCP. Internet only, fully isolated. |
| 99 | `vpn` | `10.99.0.0/24` | WireGuard peers. `askari` (Hetzner) + road-warrior clients. |
| 99 | `vpn` | _(retired)_ | **Replaced by the NetBird mesh (ADR-016).** Remote access for `ubongo`, `askari`, and road-warrior clients rides a self-hosted NetBird overlay, not an OPNsense WireGuard subnet. `10.99.0.0/24` is freed. |
---
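Review bot: the replacement row keeps VLAN ID 99 and the `vpn` name in the allocation table while declaring `10.99.0.0/24` freed; state whether the 802.1Q VLAN itself is deleted from the switch and OPNsense or only reserved, so that a later reuse of ID 99 or `10.99.0.0/24` does not inherit leftover WireGuard interface and firewall objects. A row such as `| 99 | _(unallocated)_ | _(free)_ | Former WireGuard `vpn`; replaced by NetBird mesh (ADR-016). |`, or dropping the row in favour of a one-line note under the table, would make the intent unambiguous.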
@ -102,13 +102,14 @@ Assigned infrastructure addresses:
| `10.50.0.1` | OPNsense gateway |
| `10.50.0.100`–`.249` | DHCP pool |
### VLAN 99 — vpn (10.99.0.0/24) — WireGuard
### VLAN 99 — vpn — retired
| Address | Host |
|---|---|
| `10.99.0.1` | OPNsense (WireGuard endpoint) |
| `10.99.0.2` | `askari` (Hetzner VPS) |
| `10.99.0.10`+ | Road-warrior clients |
The OPNsense WireGuard VPN (`10.99.0.0/24`) is **replaced by the NetBird mesh**
(ADR-016). Remote access for `ubongo`, `askari`, and road-warrior clients rides a
self-hosted NetBird overlay — data plane peer-to-peer WireGuard, control plane
NetBird self-hosted on `askari`. NetBird manages its own overlay addressing
(default `100.64.0.0/10`); no boma VLAN/subnet is allocated for it, and
`10.99.0.0/24` is freed.
### Corosync ring (172.16.0.0/24) — not on managed switch
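Review bot: the `10.99.0.x` address table is removed and the new paragraph says NetBird assigns overlay addresses from `100.64.0.0/10`, but nothing now records the peer names or overlay addresses of `askari`, `ubongo` or the hosts inside `srv` and `mgmt` that the firewall and monitoring sections still refer to. Since this file is the address inventory, either keep a short table of mesh peers by NetBird name (addresses marked as assigned by NetBird) or point to where that inventory now lives. The heading also still reads "VLAN 99 — vpn — retired" although the paragraph says no VLAN or subnet is allocated; something like "### VLAN 99 — retired (was `vpn` / WireGuard)" would match the table row in the first hunk.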
@ -132,8 +133,8 @@ Assigned infrastructure addresses:
| `iot` | internet | allow egress only |
| `iot` | `srv` (HA IP only) | allow on integration ports |
| `guest` | internet | allow, isolated from all internal |
| `vpn` | `srv` (metrics ports) | allow (monitoring) |
| `vpn` | `mgmt` | allow (administration from askari) |
| mesh peers | `srv` (metrics ports) | allow (monitoring) — enforced by NetBird ACLs, not OPNsense (ADR-016) |
| mesh peers | `mgmt` | allow (administration) — enforced by NetBird ACLs (ADR-016) |
**Home Assistant ↔ IoT**: HA VM at `10.20.0.13` can reach IoT VLAN on required
ports. OPNsense Avahi (mDNS reflector) bridges `srv` ↔ `iot` for device discovery.
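Review bot: the two `mesh peers` rows widen the `mgmt` grant from "administration from askari" to all mesh peers, which per the first hunk now include road-warrior clients; if only `askari` or an admin group should reach `mgmt`, name that group in the row, e.g. `| mesh peers (admin group) | `mgmt` | allow (administration) — enforced by NetBird ACLs (ADR-016) |`. The rows also move enforcement entirely to NetBird ACLs, so the matrix should say what OPNsense still sees for mesh traffic (which VLAN or interface the peer inside `srv` or `mgmt` terminates on) and whether an OPNsense rule remains as a second layer; otherwise the table no longer describes both control points.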
@ -176,11 +177,12 @@ All other queries go upstream (e.g., `1.1.1.1`, `9.9.9.9`).
## External monitoring — askari
`askari` (Hetzner VPS) connects via WireGuard to OPNsense (`10.99.0.1`).
Its peer address is `10.99.0.2`. OPNsense routes `10.99.0.0/24` into the VPN
tunnel and allows `askari` narrow access to `srv` metrics endpoints and `mgmt`
for administration.
`askari` (Hetzner VPS) is a peer on the **NetBird mesh** (ADR-016) and also **hosts
the self-hosted NetBird coordinator** (management/signal/relay). It reaches `srv`
metrics endpoints and `mgmt` for administration over the mesh, scoped by NetBird
ACLs — no OPNsense WireGuard tunnel and no `10.99.0.0/24` routing.
`askari` is provisioned and managed independently of the Proxmox cluster — it
must be reachable even when the homelab is down (its entire purpose).
`askari` is provisioned and managed independently of the Proxmox cluster — it must
be reachable even when the homelab is down (its entire purpose), which is also why
the mesh coordinator lives here: an off-site control plane survives a homelab outage.
FQDN: `askari.baobab.band`.
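Review bot: the rewritten paragraph explains why the coordinator lives off-site but not the reverse dependency it creates: with management, signal and relay all on `askari`, an `askari` outage or compromise now affects remote access to the homelab and the ACLs that scope it, not only external monitoring. Add a line on that failure mode (what still works for already-connected peers, how `ubongo` is reached if `askari` is down) and on how the coordinator's management endpoint on the public VPS is exposed and authenticated; the removed WireGuard text at least named its endpoint (`10.99.0.1`) and peer address, and the replacement names neither.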