# Proper service and network integration design help



## zader (Sep 17, 2021)

Machine configuration (can change if needed)

Nic1 – bridge card igb0/1

The motherboard also has 4 ports ix0/3

ix0 – vnet on iocage using IPs from 192.168.100.1 -> 192.168.100.10
ix1 – vnet on iocage using a separate network range 172.16.100.1 -> 172.16.100.5
ix2 – LAN interface connected to a secure network that needs access to the 172.16.100.5-10 jails
ix3 – is a single jail running openvpn, connected to the internet gateway

In short

igb0/1 - The bridge is used to bridge and filter a hostile network with pf
ix0 - There is a RabbitMQ server on 192.168.100.2 that also needs to filter this bridge for messages. When matched it should be able to send a copy to other jails in the 192.168 range. The 192.168 range has a few jails that process the RabbitMQ messages and shovel the results into a MongoDB on 192.168.100.10
ix1 - The 172.16 range is a separate network running some additional (internal) backend and the application / UI
ix2 – is plugged into the corporate network and is used only to access the UI on 172.16.100.5
ix3 – is the internet gateway that should allow it to get out for updates and ideally some way to remotely administer it, as there is no net access from the hostile bridge.

There are a few problems.

What is a good design / philosophy to accomplish this level of separation, security, and accessibility? (keep in mind this is a concept at this point, so changing things is possible)

What's the best way (or iocage LAN-type vnets?) to have these engines talk to each other (i.e. how can I allow users to make changes in the UI and have it write configuration to, say, the OS pf file that is filtering the bridge, or drill the database, or pass credentials properly between all these resources)?

What is the best way to approach the issues with ix3? A VPN could not access the host or see any of the other jails, but it would be the only port that could be enabled from the UI in the 172 network to bring the interface up and allow remote access... otherwise it would not have any internet connection.

Can a jail even use a service like RabbitMQ to filter a bridge on a totally different NIC/host?

thanks!

PS
Some of my initial thoughts would be to combine the 172/192 networks?
The minimum requirements require the actual cables, i.e. it must bridge the hostile network with no access to anything else; it must have another port that can be plugged into a separate switch; it must have a reliable remote access method on yet another network card, as it needs to be cabled to a totally different network; and the corporate connection to the UI must also have its own port that would go to yet another separate switch.

I would prefer to keep it all in 1 box, but I’m not sure how or if that can even work... or what the limitations would be etc


----------



## SirDice (Sep 20, 2021)

Do you have managed switches? I would use vlan(4) to separate the networks. Then you can bundle a number of ix ports with lagg(4) for added throughput and fault-tolerance. But this does require the use of VLANs on your switches and routers.

And create different bridges tied to different VLANs. Depending on which bridge a VM gets tied to it will be on one network or another.
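The layout SirDice describes, written out as an /etc/rc.conf fragment. This is an added example, not configuration from the thread or from any poster: the interface names (igb0/1, ix0-3) and the two jail subnets come from the original post, while the VLAN tags 100 and 200, the lagg/bridge unit numbers, the host addresses on the per-VLAN bridges (.254) and LACP on the switch side are assumptions.

```shell
# /etc/rc.conf fragment (added example). Interface names and the two jail
# subnets are from the thread; VLAN tags, unit numbers, the .254 host
# addresses and the corporate address are assumptions/placeholders.

# Create the clones in this order: the lagg before its VLAN children, the
# bridges after, so that "addm lagg0.100" below finds an existing interface.
cloned_interfaces="lagg0 bridge0 bridge100 bridge200"

# Hostile network: igb0 and igb1 are bridged with no IP address on the
# bridge or its members, so the host has no L3 presence on that segment.
# pf sees the bridged frames once net.link.bridge.pfil_bridge=1 is set in
# /etc/sysctl.conf (and pfil_member=0 to filter only at the bridge level).
ifconfig_igb0="up"
ifconfig_igb1="up"
ifconfig_bridge0="addm igb0 addm igb1 up"

# Aggregate ix0 and ix1 into one LACP lagg. The two switch ports must be
# in a matching LACP channel and carry both VLANs tagged.
ifconfig_ix0="up"
ifconfig_ix1="up"
ifconfig_lagg0="laggproto lacp laggport ix0 laggport ix1 up"

# Tagged VLANs on the lagg: lagg0.100 carries the 192.168.100.0/24 jail
# network (RabbitMQ workers, MongoDB), lagg0.200 the 172.16.100.0/24
# backend/UI network. rc.conf(5) names the children <parent>.<tag>.
vlans_lagg0="100 200"
ifconfig_lagg0_100="up"
ifconfig_lagg0_200="up"

# One bridge per VLAN. The iocage vnet jails attach to these bridges, so
# which bridge a jail is given decides which network it lands on. The host
# keeps one address on each only so local services (e.g. the UI writing
# pf rules on the host) have something to talk to; drop "inet ..." if not.
ifconfig_bridge100="addm lagg0.100 inet 192.168.100.254/24 up"
ifconfig_bridge200="addm lagg0.200 inet 172.16.100.254/24 up"

# ix2 (corporate access to the UI) stays a plain routed port; ix3 is left
# without a host address and is handed to the openvpn gateway jail.
ifconfig_ix2="inet 10.0.0.2/24"   # placeholder; corporate addressing unknown
ifconfig_ix3="up"
```

A jail is then placed on a network with iocage's `vnet` and `interfaces` properties, for example `iocage set vnet=1 interfaces="vnet0:bridge100" <jail>` for a 192.168.100.x worker (the `vnet0:bridgeN` form is iocage's own syntax; the jail name is a placeholder). Without managed switches the same fragment works with each VLAN on a dedicated untagged port instead of the lagg, but then the port count on the box becomes the limit again.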


----------



## zader (Sep 20, 2021)

It's for an appliance so the networks will vary from client to client. lagg/VLANs sounds like it would be a good option tho .. I'm assuming that a managed switch as a "requirement" would be fine.

I just need to keep all the physical ports as secure as possible because of the nature of the bridge aspect (it's directly interacting with a hostile air-gapped network that must be completely isolated).


thanks!


----------



## zader (Sep 20, 2021)

I should ask just in case ..

Do you know of a good example / KB that could serve as somewhat of a guide to actually build out something that complex?

thanks again


----------

