Network Design

Networks, subnets, port, and corresponding access rules and rights are already complex and get more complex, the more servers and services are added. Virtual Private Network add another layer on top of all that and changes all all these already hard to grasp parts. Therefore a clear design concept is needed for reference as we go one.

Note

All IP addresses in this document have been reserved for documentation and testing in RFC 5737 and RFC 4849 or for use in private networks according to RFC 1918. They will not work in the real world.

Providers

Make a list of all providers (hosting companies, co-location data-centers, friends, family members, employers or other companies who agreed to host a device on there premises for you). Decide on a abbreviation for each to use throughout the design.

You can find out the provider by using the whois command of any public IP address:

$ whois 203.0.113.54

Or for a host name:

$ whois $(dig +short roll.urown.net)

Some examples:

Provider

Short Name

Hetzner Online AG

heztner

OVH

ovh

Digital Ocean

do

Linode

linode

Rackspace

rack

Your Home

home

Your Office

office

Mothers House

mama

Locations

Make a list of all geographical or physical remote locations that have one or more servers running. Most providers have their own naming.

Some examples:

Location

Short Name

San Francisco

SFO

New York City

NYC

Toronto

TOR

Berlin

BER

London

LON

Amsterdam

AMS

Frankfurt

FRA

Singapore

SGP

Bangalore

BLR

Public IPs and Subnets

You get these normally from your provider and they are location based. Nowadays you should get an IPv6 as well or change your provider otherwise.

In the best case you get a subnet, maybe you get additional IPs for a price.

List the subnet with their net-mask, which tells you the size and number of IPs. A single IPv4 host has a net-mask of /32. A single IPv6 address has a net-mask of /128

Some examples:

Provider

Location

IPv4 Subnet

IPv6 Subnet

hetzner

SFO

203.0.113.54/32

n/a

rack

LON

198.51.100.7/32

2001:db8:48d1::/64

roller

PHO

192.0.2.14/32

2001:db8:2d07:5b57::/128

home

FRA

dynamic

2001:db8:3414::/48

office

FRA

dynamic

dynamic

mama

BER

dynamic

n/a

Private Subnets

Some locations need a private subnet, if there are multiple hosts behind a NAT router. Define one from the range private network address spaces set by by RFC 1918.

See Private Network on Wikipedia:

Private IPv4 Addresses

Network Address

Net Mask

Prefix

10.0.0.0

255.0.0.0

10/8

172.16.0.0

255.240..0.0

172.16/12

192.168.0.0

255.255.0.0.0

192.168/16

fd00::/48

n/a

fd00::/48

First we define a global private subnet out of one of the private address spaces:

$ echo 172.$((RANDOM%16+16)).0.0/24
172.27.0.0/24

Global IPv4 Subnet

Netmask

Prefix

172.27.0.0

255.255.0.0

172.27.0.0/16

Next we define /24 subnets out of our global private subnets for locations who need that:

$ echo home 172.27.$((RANDOM%255+16)).0/24
$ echo office 172.27.$((RANDOM%255+16)).0/24
$ echo mama 172.27.$((RANDOM%255+16)).0/24

Provider

Location

Local IPv4 Subnet

Netmask

Prefix

home

FRA

172.27.88.0

255.255.255.0

172.27.88.0/24

office

FRA

172.27.126.0

255.255.255.0

172.27.126.0/24

mama

BER

172.27.74.0

255.255.255.0

172.27.74.0/24

Private IPv6 Addresses

For IPv6 subnets we can use the on-line tool IPv6 private address range generator.

It will create a random global ID and subnet IDs out of the unique local address (ULA) block fd00::/8.

Global ID

c1d89eb128

Global IPv6 Subnet

Prefix

fdc1:d89e:b128::/48

fdc1:d89e:b128::/48

Repeat for every location, by providing the same global ID to generate a /64 subnet for each.

https://www.ultratools.com/tools/rangeGeneratorResult?globalId=c1d89eb128&subnetId=

Provider

Location

Subnet ID

Local IPv6 Subnet

home

FRA

13a6

fdc1:d89e:b128:13a6::/64

office

FRA

2615

fdc1:d89e:b128:2615::/64

mama

BER

41c5

fdc1:d89e:b128:41c5::/64

The VPN Subnet

To glue all our locations subnets together we need another one. The tunnel subnet connects all the VPN hosts and gateways together.

IPv4 VPN Addresses

For IPV4 Telco’s traditionally choose something out of the private 10/8 block.

This makes it easy to distinguish the virtual space from the physical locations within the 172.16/12 space:

$ echo 10.$((RANDOM%255+16)).$((RANDOM%255+16)).0/24
10.195.171.0/24

IPv6 VPN Addresses

The IPv6 address of the tunnel subnet we define an additional subnet ID.

Global ID

c1d89eb128

Subnet ID

6a04

Combined IPv4 and IPv6 together it may look like the following:

Provider

Location

IPv4 Subnet

IPv6 Subnet

n/a

Global

172.27.0.0/16

fdc1:d89e:b128::/48

home

FRA

172.27.88.0/24

fdc1:d89e:b128:13a6::/64

office

FRA

172.27.126.0/24

fdc1:d89e:b128:2615::/64

mama

BER

172.27.74.0/24

fdc1:d89e:b128:41c5::/64

VPN

Virtual

10.195.171.0/24

fdc1:d89e:b128:6a04::/64

Register a Domain

Register a domain for where all your networks and hosts reside in.

It doesn’t matter if it is the same domain where our public services are hosted or a different one. The important thing is, that all subnets, sub- domains and host-names reside under one domain-name which we fully control.

That way we can establish trust between all entities based on DNS information secured by DNSSEC. This will simplify things in many areas (e.g. trusting SSH servers keys).

Domain

Registrar

example.net

name.com

Sub-Domains for Sub-Nets

Locations with multiple hosts and IP subnets, get their own sub-domain. Standalone rented servers in data-centers don’t need sub-domains.

Subdomain

Location

IPv4 Subnet

IPv6 Subnet

.

Global

172.27.0.0/16

fdc1:d89e:b128::/48

home

FRA

172.27.88.0/24

fdc1:d89e:b128:13a6::/64

office

FRA

172.27.126.0/24

fdc1:d89e:b128:2615::/64

mama

BER

172.27.74.0/24

fdc1:d89e:b128:41c5::/64

VPN Sub-domain

The VPN sub-domain allows us to make sure, that a connection is authenticated and encrypted at a glance, without memorizing IP addresses. Since the VPN stretches throughout the planet, only is needed.

Let’s call this vpn.

Subdomain

Location

IPv4 Subnet

IPv6 Subnet

vpn

Virtual

10.195.171.0/24

fdc1:d89e:b128:6a04::/64

Host Names

Over time you will iterate trough many physical and virtual devices, providing similar services and devices changing their roles and locations, its best to avoid service names, role names, company names, real peoples (e.g. owners) names or household names for devices.

Just take a list, any list, of names or words, preferably a long one and iterate over it.

Here is a good starting point.

I leave it up to you, the reader, to guess from which list the following host names are coming from …

Host

Location

Provider

Role

dolores

SFO

hetzner

Server

maeve

LON

rack

Server

bernard

PHO

roller

Server

arnold

FRA

home

Router

hector

FRA

home

NAS

kiki

FRA

home

Wi-Fi

charlotte

FRA

home

Server

teddy

FRA

office

Router

logan

FRA

office

NAS

armistice

BER

mama

Router

DNS Records

We now have all the information needed to document our network design in DNS under the example.net domain.

Top-Level Domain

E.g. example.net (public hosts):

Here we only register the hosts who need to be accessible from the global public Internet (read: from the outside) for some reason, like servers routers and VPN gateways.

Some of these won’t get a fixed IP address, due to the providers policy. For these we need a DynDNS solution not discussed here.

Domain Name

IPv4 Address

IPv6 Address

dolores.example.net

203.0.113.54

N/A

maeve.example.net

198.51.100.7

2001:db8:48d1::1

bernard.example.net

192.0.2.14

2001:db8:2d07:5b57::0

arnold.example.net

dynamic

2001:db8:3414:6b1d::1

charlotte.example.net

dynamic

2001:db8:3414:6b1d::10

teddy.example.net

dynamic

dynamic

VPN Sub-Domain

vpn.example.net:

Domain Name

IPv4 Address

IPv6 Address

dolores.vpn.example.net

10.195.171.142

fdc1:d89e:b128:6a04::7de4

maeve.vpn.example.net

10.195.171.47

fdc1:d89e:b128:6a04::961

bernard.vpn.example.net

10.195.171.174

fdc1:d89e:b128:6a04::3354

charlotte.vpn.example.net

10.195.171.241

fdc1:d89e:b128:6a04::29ab

Location Sub-Domains

home.example.net:

Domain Name

IPv4 Address

IPv6 Address

arnold.home.example.net

172.27.88.1

fdc1:d89e:b128:13a6::1

charlotte.home.example.net

172.27.88.10

fdc1:d89e:b128:13a6::10

kiki.home.example.net

172.27.88.3

fdc1:d89e:b128:13a6::3

Sub-domain office.example.net:

Domain Name

IPv4 Address

IPv6 Address

teddy.office.example.net

172.27.126.1

fdc1:d89e:b128:2615::1

logan.office.example.net

172.27.126.10

fdc1:d89e:b128:2615::10

Sub-domain mama.example.net:

Domain Name

IPv4 Address

IPv6 Address

armistice.mama.example.net

172.27.74.1

fdc1:d89e:b128:41c5::1