Vijfpas network implementation (implementation track)

This document captures the current implemented network baseline as it exists in UniFi, Terraform, and the live VM stack.

Keep the future environment/tier architecture in concepts.md and architecture.md. Keep only current implementation facts here.

1. Current naming split

The current implementation is partly on the target environment/tier naming model.

Implemented baseline:

  • UniFi and Terraform network objects use canonical <environment>-<tier> names
  • active workbench, backuprepo, and intca VMs use the target machine-name model
  • active service FQDNs are factual current-live names; the shared-platform service estate now uses canonical pfm service names and the older shared *.infra-* forward aliases are retired

Remaining naming gaps:

  • the shared-platform network tiers now use the controller names pfm-svc, pfm-core, pfm-egress, and pfm-bck
  • the old internal forward aliases postgresql-platform.*, keycloak-platform.*, shared rabbitmq-platform.infra-core, pgbackrest.infra-bck, k8s-platform.infra-svc, and traefik-platform.infra-svc are retired; the retired placeholder k8s-platform.pfm-svc and traefik-platform.pfm-svc names were also removed when the unused K3s cluster was cleared
  • the offline root CA VM is now rootca-offline

Use controller names for VLAN/subnet objects. Use guest/DNS names only when referring to actual live FQDNs.

2. Current configured network segments

| Controller name | Current role in implementation | VLAN ID | Subnet | Gateway | DHCP | Status |
|---|---|---|---|---|---|---|
| nfr-ilom | hardware management only | 10 | 10.0.10.0/24 | 10.0.10.1 | off | live |
| nfr-mgmt | substrate and infra management only | 20 | 10.0.20.0/24 | 10.0.20.1 | on | live |
| nfr-corosync | Proxmox Corosync/knet traffic | 21 | 10.0.21.0/24 | 10.0.21.1 | off | live |
| prd-admin | production admin-source network; guest FQDNs use admin-prd.vijfpas.be | 22 | 10.0.22.0/24 | 10.0.22.1 | on | live |
| dev-admin | development/admin-source network; active guest FQDNs use dev-admin.vijfpas.be | 23 | 10.0.23.0/24 | 10.0.23.1 | on | live |
| acc-admin | acceptance admin-source network | 24 | 10.0.24.0/24 | 10.0.24.1 | on | live; no current VM attached |
| acc-dmz | acceptance public ingress segment | 25 | 10.0.25.0/24 | 10.0.25.1 | on | live; no current VM attached |
| acc-svc | acceptance service/API segment | 26 | 10.0.26.0/24 | 10.0.26.1 | on | live; no current VM attached |
| acc-core | acceptance internal workload and backend segment | 27 | 10.0.27.0/24 | 10.0.27.1 | on | live; no current VM attached |
| acc-egress | acceptance outbound-exception segment | 28 | 10.0.28.0/24 | 10.0.28.1 | on | live; no current VM attached |
| acc-bck | acceptance backup-repository segment | 48 | 10.0.48.0/24 | 10.0.48.1 | off | live in UniFi; no current VM attached |
| prd-dmz | current public-facing workload segment | 30 | 10.0.30.0/24 | 10.0.30.1 | on | live |
| prd-svc | current service/API segment | 31 | 10.0.31.0/24 | 10.0.31.1 | on | live |
| dev-core | current internal workload and backend segment | 32 | 10.0.32.0/24 | 10.0.32.1 | on | live |
| dev-egress | current outbound-exception service segment | 33 | 10.0.33.0/24 | 10.0.33.1 | on | live |
| prd-egress | production outbound-exception segment | 34 | 10.0.34.0/24 | 10.0.34.1 | on | live; no current VM attached |
| prd-core | production internal workload and backend segment | 35 | 10.0.35.0/24 | 10.0.35.1 | on | live and now used by postgresql-prim-prd-core and postgresql-sec-prd-core |
| dev-dmz | development public ingress segment | 36 | 10.0.36.0/24 | 10.0.36.1 | on | live; no current VM attached |
| dev-svc | development service/API segment | 37 | 10.0.37.0/24 | 10.0.37.1 | on | live and now used by gitlab-dev-svc |
| dev-bck | development backup-repository segment | 47 | 10.0.47.0/24 | 10.0.47.1 | off | live and now used by backuprepo-dev-bck |
| nfr-cephpub | Ceph public/client traffic | 40 | 10.0.40.0/24 | 10.0.40.1 | off | live |
| nfr-cephclu | Ceph cluster/replication traffic | 41 | 10.0.41.0/24 | 10.0.41.1 | off | live |
| infra-admin | trusted infra operator-source tier | 42 | 10.0.42.0/24 | 10.0.42.1 | on | live in UniFi and now used by the substrate and trust workbenches |
| pfm-svc | live shared-platform control/API tier | 43 | 10.0.43.0/24 | 10.0.43.1 | off | live and now used by gitlab-pfm-svc, keycloak.pfm-svc, and the live k8s-pfm cluster |
| pfm-core | live shared-platform backend/data tier | 44 | 10.0.44.0/24 | 10.0.44.1 | off | live and now used by postgresql-prim-pfm-core, postgresql-sec-pfm-core, gitaly-pfm-core, and rabbitmq.pfm-core |
| pfm-egress | live shared-platform mirror/proxy/scanner tier | 45 | 10.0.45.0/24 | 10.0.45.1 | off | live and now used by nexus-pfm-egress |
| pfm-bck | live shared-platform backup-repository segment | 46 | 10.0.46.0/24 | 10.0.46.1 | off | live and now used by backuprepo-pfm-bck |

3. Current VM and service placement

| VM / service | Current network placement | Notes |
|---|---|---|
| workbench-substrate-nfr-admin | infra-admin (10.0.42.167) | active substrate workbench/admin source; preferred SSH alias workbench-substrate.nfr-admin.vijfpas.be |
| workbench-trust-nfr-admin | infra-admin (10.0.42.168) | active trust workbench/admin source; preferred SSH alias workbench-trust.nfr-admin.vijfpas.be |
| workbench-delivery-dev-admin | dev-admin (10.0.23.170) | active delivery-plane dev workbench; preferred SSH alias workbench-delivery.dev-admin.vijfpas.be |
| workbench-runtime-dev-admin | dev-admin (10.0.23.171) | active runtime-plane dev workbench; preferred SSH alias workbench-runtime.dev-admin.vijfpas.be |
| workbench-data-dev-admin | dev-admin (10.0.23.172) | active data-plane dev workbench; preferred SSH alias workbench-data.dev-admin.vijfpas.be |
| postgresql-prim-dev-core | dev-core (10.0.32.130) | workload-only NIC; canonical node alias postgresql-prim.dev-core.vijfpas.be |
| postgresql-sec-dev-core | dev-core (10.0.32.133) | workload-only NIC; live replacement secondary on proxmox-e; canonical node alias postgresql-sec.dev-core.vijfpas.be |
| postgresql-prim-pfm-core | pfm-core (10.0.44.130) | workload-only NIC; canonical node alias postgresql-prim.pfm-core.vijfpas.be |
| postgresql-sec-pfm-core | pfm-core (10.0.44.131) | workload-only NIC; canonical node alias postgresql-sec.pfm-core.vijfpas.be |
| postgresql-prim-prd-core | prd-core (10.0.35.130) | workload-only NIC; canonical node alias postgresql-prim.prd-core.vijfpas.be |
| postgresql-sec-prd-core | prd-core (10.0.35.131) | workload-only NIC; canonical node alias postgresql-sec.prd-core.vijfpas.be |
| backuprepo-dev-bck | dev-bck (10.0.47.156) | generic backup-repository host; PostgreSQL service alias pgbackrest.dev-bck.vijfpas.be |
| backuprepo-pfm-bck | pfm-bck (10.0.46.156) | generic backup-repository host; canonical host FQDN backuprepo.pfm-bck.vijfpas.be; active PostgreSQL repo-service alias pgbackrest.pfm-bck.vijfpas.be |
| backuprepo-prd-bck | prd-bck (10.0.49.156) | generic backup-repository host; canonical host FQDN backuprepo.prd-bck.vijfpas.be; PostgreSQL service alias pgbackrest.prd-bck.vijfpas.be |
| nexus-pfm-egress | pfm-egress (10.0.45.132) | single service/egress NIC |
| gitlab-dev-svc | dev-svc (10.0.37.146) | single service/workload NIC; canonical service alias gitlab.dev-svc.vijfpas.be |
| gitlab-pfm-svc | pfm-svc (10.0.43.146) | single service/workload NIC; canonical service alias gitlab.pfm-svc.vijfpas.be |
| homeassistant-prd-svc | prd-svc (10.0.31.146) | dedicated internal Home Assistant VM with internal TLS on homeassistant.prd-svc.vijfpas.be |
| rancher-server01-pfm-svc | pfm-svc (10.0.43.176) | dedicated Rancher local-cluster control-plane node; current bootstrap server |
| rancher-server02-pfm-svc | pfm-svc (10.0.43.177) | dedicated Rancher local-cluster control-plane node |
| rancher-server03-pfm-svc | pfm-svc (10.0.43.178) | dedicated Rancher local-cluster control-plane node |
| rancher-k8s.pfm-svc.vijfpas.be | pfm-svc (10.0.43.179) | dedicated Rancher local-cluster API VIP |
| rancher.pfm-svc.vijfpas.be | pfm-svc (10.0.43.180) | current live Rancher UI/API alias on the dedicated Rancher ingress VIP; traefik-rancher.pfm-svc.vijfpas.be points at the same ingress address |
| taiga.pfm-svc.vijfpas.be | pfm-svc (10.0.43.160) | current live internal Taiga ingress alias on the shared Traefik VIP |
| gitaly-dev-core | dev-core (10.0.32.147) | single workload NIC + local repo disk; canonical RPC alias gitaly.dev-core.vijfpas.be |
| gitaly-pfm-core | pfm-core (10.0.44.147) | single workload NIC + local repo disk; canonical RPC alias gitaly.pfm-core.vijfpas.be |
| intca-nfr-admin | infra-admin (10.0.42.134) | guest search domain nfr-admin.vijfpas.be; admin-only exception |
| rootca-offline | no network | isolated root CA VM; metadata-only naming is converged |

4. Current Proxmox host network baseline

Current host-side bridge model used by the VM stack:

  • vmbr0 carries the control-plane and admin-source VLANs:
      • 20 (nfr-mgmt, native/untagged guest attachment)
      • 21 (nfr-corosync)
      • 22 (prd-admin)
      • 23 (dev-admin)
      • 24 (acc-admin)
  • vmbr1 carries the workload VLANs on active nodes proxmox-a, proxmox-b, proxmox-c, proxmox-d, and proxmox-e:
      • 25 (acc-dmz)
      • 26 (acc-svc)
      • 27 (acc-core)
      • 28 (acc-egress)
      • 30 (prd-dmz)
      • 31 (prd-svc)
      • 32 (dev-core)
      • 33 (dev-egress)
      • 34 (prd-egress)
      • 35 (prd-core)
      • 36 (dev-dmz)
      • 37 (dev-svc)
      • 43 (pfm-svc)
      • 44 (pfm-core)
      • 45 (pfm-egress)
      • 46 (pfm-bck)
      • 47 (dev-bck)
      • 48 (acc-bck)
      • 49 (prd-bck)
  • proxmox-d is back in the active bridge baseline and now carries the same vmbr0 and vmbr1 VLAN allow-lists as the other active nodes.
  • infra-admin / VLAN 42 is now carried on vmbr0 on active nodes proxmox-a, proxmox-b, proxmox-c, proxmox-d, and proxmox-e.
  • pfm-svc, pfm-core, and pfm-egress / VLANs 43, 44, and 45 are now carried on vmbr1 on active nodes proxmox-a, proxmox-b, proxmox-c, proxmox-d, and proxmox-e.
  • pfm-bck / VLAN 46 and dev-bck / VLAN 47 are now carried on the adopted backup-host nodes and their matching workload trunks.
  • acc-bck / VLAN 48 and prd-bck / VLAN 49 are now also carried on the active workload trunks so later backup-tier VMs do not strand on a missing VLAN allow-list.
  • infra-admin is now represented in the live VM stack by the substrate and trust workbenches.
  • pfm-svc, pfm-core, and pfm-egress are now represented in the live VM stack by the shared-platform estates gitlab-pfm-svc, the shared PostgreSQL pair, gitaly-pfm-core, nexus-pfm-egress, rabbitmq.pfm-core, and keycloak.pfm-svc.
  • after moving the substrate workbench to infra-admin, UniFi must still allow infra-admin -> nfr-mgmt tcp/8006 so Terraform and direct Proxmox API access keep working from workbench-substrate.nfr-admin.vijfpas.be

Current UniFi Proxmox uplink port-profile baseline:

  • pve-admin-trunk
      • native / untagged: 20 (nfr-mgmt)
      • tagged: 21, 22, 23, 24, 42
  • pve-workload-trunk
      • tagged: 25, 26, 27, 28, 30, 31, 32, 33, 34, 35, 36, 37, 43, 44, 45, 46, 47, 48, 49

Operational reminder:

  • when a new VM VLAN is added to vmbr0 or vmbr1, update both the Proxmox bridge allow-list and the matching UniFi port profile; otherwise the guest can be configured correctly and still be unreachable end to end
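The two allow-lists drift independently, so a check that compares them is worth scripting. The following is an added example, not a script from the Vijfpas repo: it reads the bridge-vids line of a constructed /etc/network/interfaces stanza (a real run would feed the node's own file) and compares it with a constructed export of the pve-workload-trunk tagged list, in which VLAN 49 is deliberately missing.

```shell
#!/usr/bin/env bash
# Added example, not part of the Vijfpas implementation repo: cross-check a
# Proxmox bridge allow-list (bridge-vids in /etc/network/interfaces) against
# the tagged VLAN list of the matching UniFi port profile, so a VLAN added on
# one side only is caught before a guest is attached to it.

# Constructed sample of a node's /etc/network/interfaces vmbr1 stanza.
SAMPLE_INTERFACES='auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp2s0f1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 25-28 30-37 43-49
'

# Constructed sample of the pve-workload-trunk tagged list as exported from
# UniFi; VLAN 49 (prd-bck) is deliberately left out to show the drift report.
SAMPLE_UNIFI_WORKLOAD_TRUNK='25 26 27 28 30 31 32 33 34 35 36 37 43 44 45 46 47 48'

# Print the bridge-vids value for one bridge from an interfaces(5) file body.
bridge_vids() {  # $1 = file content, $2 = bridge name
  printf '%s\n' "$1" | awk -v br="$2" '
    $1 == "iface" && $2 == br { inb = 1; next }
    $1 == "iface"             { inb = 0 }
    inb && $1 == "bridge-vids" { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Expand ids and ranges ("25-28 42") to one id per line so both sides compare
# the same way regardless of whether they were written as ranges or lists.
expand_vids() {
  for tok in $1; do
    case "$tok" in
      *-*) seq "${tok%-*}" "${tok#*-}" ;;
      *)   printf '%s\n' "$tok" ;;
    esac
  done | sort -n | uniq
}

# Report VLANs present on only one side. Returns 0 when the lists agree and 1
# (with one "<vlan> missing from ..." line per gap) when they drift.
compare_vids() {  # $1 = Proxmox bridge-vids, $2 = UniFi tagged list
  drift=$(
    { expand_vids "$1" | sed 's/^/pve /'
      expand_vids "$2" | sed 's/^/unifi /'; } |
    awk '{ side[$2] = side[$2] $1 " " }
         END {
           for (v in side) {
             if (side[v] !~ /pve/) print v, "missing from Proxmox bridge-vids"
             else if (side[v] !~ /unifi/) print v, "missing from UniFi port profile"
           }
         }' | sort -n
  )
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}

# Run the constructed check; on a real node pass "$(cat /etc/network/interfaces)".
compare_vids "$(bridge_vids "$SAMPLE_INTERFACES" vmbr1)" "$SAMPLE_UNIFI_WORKLOAD_TRUNK" ||
  echo "drift found: fix the UniFi port profile before attaching a VM to that VLAN"
```

Run it once per active node and once per bridge (vmbr0 against pve-admin-trunk, vmbr1 against pve-workload-trunk); the constructed run above reports 49 as missing from the UniFi side.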

Current VM stack behavior:

  • managed service VMs default to workload/service NICs only
  • routine SSH for PostgreSQL, Nexus, GitLab, and Gitaly lands on their workload/service IPs
  • intca-nfr-admin remains the current documented single-NIC admin exception
  • nfr-mgmt guests on vmbr0 should attach untagged because VLAN 20 is native there
  • infra-admin guests on vmbr0 should attach with explicit guest tag 42
  • PTRs for 10.0.42.167/168 and 10.0.23.170-172 now point to the short per-node workbench FQDNs

5. Current DNS baseline

Current service and admin records actively referenced by the VM stack:

| Name | Type | Target | Notes |
|---|---|---|---|
| workbench-substrate.nfr-admin.vijfpas.be | A | 10.0.42.167 | canonical substrate SSH/admin FQDN |
| workbench-trust.nfr-admin.vijfpas.be | A | 10.0.42.168 | canonical trust SSH/admin FQDN |
| workbench-delivery.dev-admin.vijfpas.be | A | 10.0.23.170 | canonical delivery SSH/admin FQDN |
| workbench-runtime.dev-admin.vijfpas.be | A | 10.0.23.171 | canonical runtime SSH/admin FQDN |
| workbench-data.dev-admin.vijfpas.be | A | 10.0.23.172 | canonical data SSH/admin FQDN |
| postgresql.dev-core.vijfpas.be | A | 10.0.32.130 | current live canonical dev PostgreSQL writer alias |
| postgresql-prim.dev-core.vijfpas.be | A | 10.0.32.130 | current live canonical per-node primary PostgreSQL FQDN for dev |
| postgresql-sec.dev-core.vijfpas.be | A | 10.0.32.133 | current live canonical per-node secondary PostgreSQL FQDN for dev |
| postgresql.pfm-core.vijfpas.be | A | 10.0.44.130 | current live canonical shared-platform PostgreSQL writer alias |
| postgresql-prim.pfm-core.vijfpas.be | A | 10.0.44.130 | current live canonical per-node primary PostgreSQL FQDN for the shared-platform estate |
| postgresql-sec.pfm-core.vijfpas.be | A | 10.0.44.131 | current live canonical per-node secondary PostgreSQL FQDN for the shared-platform estate |
| postgresql.prd-core.vijfpas.be | A | 10.0.35.130 | current live canonical production PostgreSQL writer alias |
| postgresql-prim.prd-core.vijfpas.be | A | 10.0.35.130 | current live canonical per-node primary PostgreSQL FQDN for prd |
| postgresql-sec.prd-core.vijfpas.be | A | 10.0.35.131 | current live canonical per-node secondary PostgreSQL FQDN for prd |
| valkey.prd-core.vijfpas.be | A | 10.0.35.143 | current live canonical production Valkey client VIP |
| valkey-n01.prd-core.vijfpas.be | A | 10.0.35.140 | current live canonical production Valkey node alias for n01 |
| valkey-n02.prd-core.vijfpas.be | A | 10.0.35.141 | current live canonical production Valkey node alias for n02 |
| valkey-n03.prd-core.vijfpas.be | A | 10.0.35.142 | current live canonical production Valkey node alias for n03 |
| cephrgw.prd-core.vijfpas.be | A | 10.0.35.146 | current live canonical production object-storage service alias |
| cephrgw01.prd-core.vijfpas.be | A | 10.0.35.144 | current live canonical production object-storage node alias for n01 |
| cephrgw02.prd-core.vijfpas.be | A | 10.0.35.145 | current live canonical production object-storage node alias for n02 |
| intca.nfr-admin.vijfpas.be | A | 10.0.42.134 | canonical admin FQDN for intermediate CA |
| gitlab.dev-svc.vijfpas.be | A | 10.0.37.146 | canonical GitLab-dev service name |
| gitlab.pfm-svc.vijfpas.be | A | 10.0.43.146 | active canonical shared-platform GitLab service alias |
| gitaly.dev-core.vijfpas.be | A | 10.0.32.147 | canonical Gitaly endpoint |
| gitaly.pfm-core.vijfpas.be | A | 10.0.44.147 | active canonical shared-platform Gitaly alias |
| nexus.pfm-egress.vijfpas.be | A | 10.0.45.132 | active canonical shared-platform Nexus service alias |
| rabbitmq.dev-core.vijfpas.be | A | 10.0.32.148 | canonical dev RabbitMQ alias |
| rabbitmq-n01.dev-core.vijfpas.be | A | 10.0.32.148 | canonical RabbitMQ node alias for n01 |
| rabbitmq-n02.dev-core.vijfpas.be | A | 10.0.32.149 | canonical RabbitMQ node alias for n02 |
| rabbitmq-n03.dev-core.vijfpas.be | A | 10.0.32.150 | canonical RabbitMQ node alias for n03 |
| backuprepo.dev-bck.vijfpas.be | A | 10.0.47.156 | canonical backup-repository host FQDN |
| backuprepo.pfm-bck.vijfpas.be | A | 10.0.46.156 | active canonical shared-platform backup/export alias |
| backuprepo.prd-bck.vijfpas.be | A | 10.0.49.156 | canonical production backup-repository host FQDN |
| pgbackrest.dev-bck.vijfpas.be | A | 10.0.47.156 | PostgreSQL repo-host service alias |
| pgbackrest.pfm-bck.vijfpas.be | A | 10.0.46.156 | current live canonical shared-platform PostgreSQL repo-host service alias |
| pgbackrest.prd-bck.vijfpas.be | A | 10.0.49.156 | current live canonical production PostgreSQL repo-host service alias |
| openbao-n01.nfr-mgmt.vijfpas.be | A | 10.0.20.140 | live OpenBao node alias |
| openbao-n02.nfr-mgmt.vijfpas.be | A | 10.0.20.141 | live OpenBao node alias |
| openbao-n03.nfr-mgmt.vijfpas.be | A | 10.0.20.142 | live OpenBao node alias |
| openbao.nfr-mgmt.vijfpas.be | A | 10.0.20.143 | live OpenBao service alias on the current VIP |
| ingress01.prd-dmz.vijfpas.be | A | 10.0.30.140 | current live production ingress-edge node alias |
| ingress02.prd-dmz.vijfpas.be | A | 10.0.30.141 | current live production ingress-edge node alias |
| ingress.prd-dmz.vijfpas.be | A | 10.0.30.142 | current live production ingress-edge VIP |
| pki.prd-dmz.vijfpas.be | A | 10.0.30.142 | current live HTTP publication endpoint for CA certificates and CRLs on the production ingress-edge VIP |
| nextcloud.prd-dmz.vijfpas.be | A | 10.0.30.142 | current live public Nextcloud hostname on the production ingress-edge VIP |
| nextcloud.vijfpas.com | CNAME | datix.synology.me | current live external Nextcloud hostname; public tcp/443 lands on the prd-dmz ingress VIP |
| docs.vijfpas.com | CNAME | datix.synology.me | current live external docs hostname; public tcp/80 and tcp/443 land on the prd-dmz ingress VIP |
| homeassistant.vijfpas.com | CNAME | datix.synology.me | current live external Home Assistant hostname; public tcp/80 and tcp/443 land on the prd-dmz ingress VIP |
| sso.vijfpas.com | CNAME | datix.synology.me | current live external Keycloak/OIDC hostname; public tcp/443 lands on the prd-dmz ingress VIP |
| homeassistant.prd-svc.vijfpas.be | A | 10.0.31.146 | current live internal Home Assistant hostname on the dedicated prd-svc VM |
| k8s-server01.prd-svc.vijfpas.be | A | 10.0.31.150 | current live production K3s control-plane node alias |
| k8s-server02.prd-svc.vijfpas.be | A | 10.0.31.151 | current live production K3s control-plane node alias |
| k8s-server03.prd-svc.vijfpas.be | A | 10.0.31.152 | current live production K3s control-plane node alias |
| k8s-worker01.prd-svc.vijfpas.be | A | 10.0.31.153 | current live production K3s worker node alias |
| k8s-worker02.prd-svc.vijfpas.be | A | 10.0.31.154 | current live production K3s worker node alias |
| k8s.prd-svc.vijfpas.be | A | 10.0.31.155 | current live production K3s API VIP |
| traefik.prd-svc.vijfpas.be | A | 10.0.31.160 | current live internal production Traefik ingress alias |
| rancher-server01.pfm-svc.vijfpas.be | A | 10.0.43.176 | current live Rancher local-cluster control-plane node alias |
| rancher-server02.pfm-svc.vijfpas.be | A | 10.0.43.177 | current live Rancher local-cluster control-plane node alias |
| rancher-server03.pfm-svc.vijfpas.be | A | 10.0.43.178 | current live Rancher local-cluster control-plane node alias |
| rancher-k8s.pfm-svc.vijfpas.be | A | 10.0.43.179 | current live Rancher local-cluster API VIP |
| traefik-rancher.pfm-svc.vijfpas.be | A | 10.0.43.180 | current live dedicated Rancher ingress alias |
| rancher.pfm-svc.vijfpas.be | A | 10.0.43.180 | current live Rancher UI/API alias on the dedicated Rancher ingress VIP |
| taiga.pfm-svc.vijfpas.be | A | 10.0.43.160 | current live internal Taiga hostname on the shared pfm Traefik VIP |
| keycloak.pfm-svc.vijfpas.be | A | 10.0.43.145 | canonical shared-platform Keycloak service alias |
| keycloak-n01.pfm-svc.vijfpas.be | A | 10.0.43.143 | canonical Keycloak node alias for n01 |
| keycloak-n02.pfm-svc.vijfpas.be | A | 10.0.43.144 | canonical Keycloak node alias for n02 |
| keycloak.prd-svc.vijfpas.be | A | 10.0.31.145 | current live production Keycloak service alias |
| wiki.pfm-svc.vijfpas.be | A | 10.0.43.160 | current live internal Wiki.js ingress alias on the shared-platform Traefik VIP |
| vaultwarden.pfm-svc.vijfpas.be | A | 10.0.43.160 | current live internal Vaultwarden ingress alias on the shared-platform Traefik VIP |
| rabbitmq.pfm-core.vijfpas.be | A | 10.0.44.148 | canonical shared-platform RabbitMQ alias |
| rabbitmq-n01.pfm-core.vijfpas.be | A | 10.0.44.148 | canonical RabbitMQ node alias for n01 |
| rabbitmq-n02.pfm-core.vijfpas.be | A | 10.0.44.149 | canonical RabbitMQ node alias for n02 |
| rabbitmq-n03.pfm-core.vijfpas.be | A | 10.0.44.150 | canonical RabbitMQ node alias for n03 |

The older platform-postgresql.dev-core.vijfpas.be, platform-postgresql.core.vijfpas.be, postgresql.<environment>-core, postgresql-prim/sec.<environment>-core, nexus.core-egress.vijfpas.be, platform-gitlab.*, and platform-gitaly.* local DNS aliases were removed after the current cutovers. The old internal forward aliases postgresql-platform.*, keycloak-platform.*, shared rabbitmq-platform.infra-core, pgbackrest.infra-bck, k8s-platform.infra-svc, and traefik-platform.infra-svc are now also retired. The retired placeholder k8s-platform.pfm-svc and traefik-platform.pfm-svc records were deleted on March 30, 2026 when the unused first K3s cluster was cleared. PTRs for the plain PostgreSQL and RabbitMQ node aliases are now aligned to the canonical per-node FQDNs.
The legacy platform-dev-prd.admin-prd.vijfpas.be and platform-dev-nonprd.admin-nonprd.vijfpas.be admin records are not part of the current admin-source baseline and should not be reintroduced.
backuprepo.dev-bck.vijfpas.be and backuprepo.pfm-bck.vijfpas.be are the current host-level repo FQDNs. pgbackrest.<environment>-bck.vijfpas.be remains published as the PostgreSQL-facing service alias on the same hosts. The local /etc/hosts mappings remain only as a bootstrap overlap.
Current UniFi local DNS management is confirmed on the default site static-DNS API path. Use infra-live/unifi-platform/scripts/manage_unifi_dns.sh for read-safe list, create/no-op upsert, and exact-match delete-exact; do not use blind delete/recreate by name.
Those managed UniFi DNS and firewall export scripts now read controller credentials from OpenBao by default through /srv/repos/vijfpas/scripts/load-openbao-controller-env.py; keep --env-file only as an explicit break-glass fallback.
The public vijfpas.com records above are managed outside UniFi local DNS; current public resolution lands on the edge by CNAME to datix.synology.me, then public NAT forwards tcp/443 to the prd-dmz ingress VIP.
homeassistant.vijfpas.com and docs.vijfpas.com now follow the same model; public NAT forwards both tcp/80 and tcp/443 to the prd-dmz ingress VIP so cert-manager can complete http-01 validation.
The additive pfm overlap aliases above were published live on March 29, 2026 and are now retired. The remaining DNS follow-on is only broader service-node PTR normalization where shared aliases are still intentionally used.

6. Current firewall and routing baseline

Current implemented guardrails:

  • the intended platform policy is still deny-by-default for protected east-west and controlled egress, but the latest live controller snapshot should be treated as authoritative over older assumptions about which baseline block rules are currently enabled
  • nfr-mgmt is substrate-only
  • infra-admin, prd-admin, and dev-admin are the current admin-source networks in active use
  • service VMs are reached on workload/service IPs from approved admin-source hosts
  • postgresql-* uses dev-core
  • the current shared PostgreSQL pair uses pfm-core
  • gitlab-dev-svc uses dev-svc and gitaly-dev-core uses dev-core
  • gitlab-pfm-svc uses pfm-svc and gitaly-pfm-core uses pfm-core
  • nexus-pfm-egress uses pfm-egress
  • backuprepo-dev-bck uses dev-bck, backuprepo-pfm-bck uses pfm-bck, and backuprepo-prd-bck uses prd-bck
  • explicit dev-core -> dev-bck tcp/8432, pfm-core -> pfm-bck tcp/8432, and prd-core -> prd-bck tcp/8432 rules are now required for PostgreSQL backup/archive traffic
  • current live east-west rule authoring is mostly NETWORK -> NETWORK inside the Internal zone with source ports left at ANY
  • allow-infra-admin-to-dev-admin-ssh is now the active nfr-admin -> dev-admin tcp/22 rule for workbench bootstrap and maintenance
  • current live multi-port service flows use UniFi port-groups:
      • ssh-https-proxmox: 22, 443, 8006
      • http-https: 80, 443
      • dns_ntp: 53, 123
      • pgbackrest-ssh: 8432, 22
      • postgresql-gitaly: 5432, 8075
      • openbao-api-cluster: 8200, 8201
      • ceph-rbd-client: 3300, 6789, 6800-7300
  • current live exceptions to the network-object pattern are:
      • the two approved admin PCs in allow-mgmt-from-MyPCs / allow-mgmt-return-to-MyPCs
      • explicit gateway and public NTP IP allow-lists
      • the disabled broad IP-based guardrails block-10net-egress-default-v2 and block-dmz-egress-default
      • some current custom rule object names still say infra-* even when their attached networks are already pfm-*
  • the live OpenBao backup export path is now an explicit internal exception:
      • nfr-mgmt -> pfm-bck tcp/22 for encrypted raft snapshot export to backuprepo.pfm-bck

Current named UniFi rules that are part of this baseline:

| Rule name | Purpose | Status |
|---|---|---|
| allow-ntp-egress-from-mgmt | allow approved NTP egress from the current internal management/admin-source networks to the explicit external NTP allow-list | enabled |
| allow-mgmt-bootstrap-package-web | temporary bootstrap package egress from nfr-mgmt only | enabled only when needed |
| block-10net-egress-default-v2 | older broad 10.0.0.0/8 IP-based default egress deny | currently disabled |
| allow-mgmt-from-MyPCs | admin access from approved source IPs to nfr-mgmt, prd-admin, dev-admin | enabled |
| allow-mgmt-return-to-MyPCs | respond-only return-path allow from management/admin networks back to the two approved PCs | enabled |
| block-mgmt-corosync-from-internal | block broad internal access to nfr-mgmt, prd-admin, dev-admin, nfr-corosync | enabled |
| block-mgmt-corosync-from-vpn | block broad VPN access to nfr-mgmt, prd-admin, dev-admin, nfr-corosync | enabled |
| allow-nfr-admin-to-pfm-svc-admin | shared platform admin path from nfr-admin to pfm-svc for 22, 443, and 6443 | enabled |
| allow-nfr-admin-to-pfm-core-ssh | shared platform SSH admin path from nfr-admin to pfm-core for 22 | enabled |
| allow-nfr-admin-to-pfm-egress-admin | shared platform admin path from nfr-admin to pfm-egress for 22 and 443 | enabled |
| allow-nfr-admin-to-pfm-bck-ssh | shared platform backup-host SSH path from nfr-admin to pfm-bck for 22 | enabled |
| allow-nfr-mgmt-to-pfm-bck-ssh | OpenBao encrypted backup export path from nfr-mgmt to pfm-bck for 22 | enabled |
| allow-nfr-admin-to-dev-svc-admin | cross-environment admin path from nfr-admin to dev-svc for 22 and 443 | enabled |
| allow-nfr-admin-to-dev-svc-k8s-api | substrate admin path from nfr-admin to the k8s.dev-svc.vijfpas.be API on 6443 | enabled |
| allow-nfr-admin-to-dev-core-ssh | cross-environment SSH admin path from nfr-admin to dev-core for 22 | enabled |
| allow-nfr-admin-to-dev-egress-admin | cross-environment admin path from nfr-admin to dev-egress for 22 and 443 | enabled |
| allow-nfr-admin-to-dev-bck-ssh | cross-environment backup-host SSH path from nfr-admin to dev-bck for 22 | enabled |
| allow-dev-admin-to-pfm-egress-https | shared Nexus/package path from dev-admin to pfm-egress for 443 | enabled |
| allow-dev-svc-to-pfm-egress-https | shared Nexus/package path from dev-svc to pfm-egress for 443 | enabled |
| allow-dev-core-to-pfm-egress-https | shared Nexus/package path from dev-core to pfm-egress for 443 | enabled |
| allow-pfm-svc-to-cephpub | Ceph client access rule for the first ceph-csi RBD wave from the live pfm-svc tier | enabled |
| allow-dev-svc-to-cephpub | development K3s storage path from dev-svc to nfr-cephpub for 3300, 6789, and 6800-7300 via the ceph-rbd-client port-group | enabled |
| allow-nfr-admin-to-prd-dmz-ssh | substrate admin SSH path from nfr-admin to the future prd-dmz ingress-edge nodes for 22 | enabled |
| allow-prd-dmz-to-pfm-egress-https | future prd-dmz ingress-edge Nexus/package path to pfm-egress for 443 | enabled |
| allow-prd-dmz-to-prd-svc-web | future prd-dmz reverse-proxy path to internal prd-svc Traefik for 80 and 443 via the http-https port-group | enabled |
| allow-prd-dmz-ntp-egress | future prd-dmz ingress-edge NTP egress path to the approved external NTP allow-list for udp/123 | enabled |
| allow-default-to-prd-dmz-http | allow the UniFi Default network to reach the published prd-dmz PKI endpoint on 80 | enabled |
| allow-default-to-prd-dmz-https | allow the UniFi Default network to reach published prd-dmz services on 443 | enabled |
| allow-default-to-pfm-svc-https | allow the UniFi Default network to reach internal shared-platform HTTPS services on pfm-svc, including the live Wiki.js and Vaultwarden baselines on the Traefik VIP | enabled |
| allow-pfm-svc-to-pfm-core-rabbitmq | shared-platform workload path from pfm-svc to pfm-core for RabbitMQ on 5672; currently required by the live Taiga deployment | enabled |
| allow-default-to-dev-dmz-https | allow the UniFi Default network to reach published dev-dmz services on 443 | enabled |
| allow-default-to-acc-dmz-https | allow the UniFi Default network to reach published acc-dmz services on 443 | enabled |
| allow-default-to-prd-svc-https | allow the UniFi Default network to reach the internal Home Assistant HTTPS baseline on prd-svc | enabled |
| allow-nfr-admin-to-prd-core-ssh | substrate admin SSH path from nfr-admin to prd-core for 22 | enabled |
| allow-prd-core-to-pfm-egress-https | production package/bootstrap path from prd-core to pfm-egress for 443 | enabled |
| allow-nfr-admin-to-prd-bck-ssh | substrate admin SSH path from nfr-admin to prd-bck for 22 | enabled |
| allow-prd-core-to-prd-bck-pgbackrest | production PostgreSQL backup/archive path from prd-core to prd-bck for 8432 | enabled |
| allow-prd-bck-to-pfm-egress-https | production backup-host Nexus/package path from prd-bck to pfm-egress for 443 | enabled |
| allow-nfr-admin-to-prd-svc-admin | substrate admin path from nfr-admin to prd-svc for 22, 443, and 6443 | enabled |
| allow-prd-svc-to-pfm-egress-https | production K3s bootstrap/package path from prd-svc to pfm-egress for 443 | enabled |
| allow-prd-svc-to-prd-bck-ssh | production Home Assistant backup-export path from prd-svc to prd-bck for 22 | enabled |
| allow-prd-svc-to-prd-core-postgresql | production workload path from prd-svc to prd-core for PostgreSQL on 5432 | enabled |
| allow-prd-svc-to-prd-core-valkey | production workload path from prd-svc to prd-core for Valkey on 6379 | enabled |
| allow-prd-core-to-cephpub | production object-storage path from prd-core to nfr-cephpub for 3300, 6789, and 6800-7300 via the ceph-rbd-client port-group | enabled |
| allow-prd-svc-to-prd-core-cephrgw-https | production workload path from prd-svc to prd-core for RGW HTTPS on 443 | enabled |
| allow-prd-svc-to-cephpub | production K3s storage path from prd-svc to nfr-cephpub for 3300, 6789, and 6800-7300 via the ceph-rbd-client port-group | enabled |
| allow-nfr-admin-to-nfr-mgmt-openbao-api | substrate admin path from nfr-admin to the live OpenBao API on nfr-mgmt for 8200 | enabled |
| allow-nfr-mgmt-to-pfm-egress-https | live OpenBao package/bootstrap path from nfr-mgmt to pfm-egress for 443 | enabled |
| allow-nfr-mgmt-to-pfm-svc-https | live OpenBao OIDC discovery path from nfr-mgmt to keycloak.pfm-svc.vijfpas.be on 443 | enabled |
| allow-nfr-mgmt-to-dev-svc-https | live OpenBao GitLab JWT discovery path from nfr-mgmt to gitlab.dev-svc.vijfpas.be on 443 | enabled |
| allow-nfr-mgmt-to-dev-svc-k8s-api | live OpenBao Kubernetes auth path from nfr-mgmt to the k8s.dev-svc.vijfpas.be API on 6443 | enabled |
| allow-nfr-mgmt-to-pfm-svc-k8s-api | live OpenBao Kubernetes auth path from nfr-mgmt to the k8s.pfm-svc.vijfpas.be API on 6443 | enabled |
| allow-nfr-mgmt-to-prd-svc-k8s-api | live OpenBao Kubernetes auth path from nfr-mgmt to the k8s.prd-svc.vijfpas.be API on 6443 | enabled |
| allow-pfm-svc-to-dev-svc-k8s-api | live Rancher downstream import path from the dedicated pfm management cluster to the k8s.dev-svc.vijfpas.be API on 6443 | enabled |
| allow-pfm-svc-to-prd-svc-k8s-api | live Rancher downstream import path from the dedicated pfm management cluster to the k8s.prd-svc.vijfpas.be API on 6443 | enabled |
| allow-dev-svc-to-pfm-svc-https | live Rancher downstream agent path from dev-svc back to rancher.pfm-svc.vijfpas.be on 443 | enabled |
| allow-prd-svc-to-pfm-svc-https | live Rancher downstream agent path from prd-svc back to rancher.pfm-svc.vijfpas.be on 443 | enabled |
| allow-dev-core-to-dev-svc-https | live Gitaly callback path from dev-core to gitlab.dev-svc.vijfpas.be on 443; required for repository pre-receive authorization and hook execution | enabled |
| allow-dev-admin-to-nfr-mgmt-openbao-api | live dev-admin human/controller access path to openbao.nfr-mgmt.vijfpas.be on 8200 | enabled |
| allow-nfr-mgmt-to-nfr-mgmt-openbao-cluster | live intra-cluster OpenBao API and Raft path on nfr-mgmt for 8200 and 8201 via the openbao-api-cluster port-group | enabled |

Operational note:

  • current SSH from the active workbenches to PostgreSQL, Nexus, GitLab, and other shared platform nodes now depends on the enabled nfr-admin -> pfm-* and nfr-admin -> dev-* admin allow rules
  • wiki.pfm-svc.vijfpas.be is now published internally on the shared Traefik VIP 10.0.43.160; the current client allow path is Default -> pfm-svc tcp/443
  • vaultwarden.pfm-svc.vijfpas.be is now published internally on the shared Traefik VIP 10.0.43.160; the current client allow path is Default -> pfm-svc tcp/443
  • taiga.pfm-svc.vijfpas.be is now published internally on the shared Traefik VIP 10.0.43.160; the current client and dependency paths are:
      • Default -> pfm-svc tcp/443
      • pfm-svc -> pfm-core tcp/5672
  • homeassistant.prd-svc.vijfpas.be is now published internally on the dedicated prd-svc VM 10.0.31.146; the current client and backup paths are:
      • Default -> prd-svc tcp/443
      • prd-svc -> prd-bck tcp/22
  • dev-admin -> pfm-egress tcp/443, dev-svc -> pfm-egress tcp/443, and dev-core -> pfm-egress tcp/443 are now enabled so gitlab-dev-svc, gitaly-dev-core, and rabbitmq-dev can consume the shared nexus.pfm-egress path
  • dev-core -> dev-svc tcp/443 is now enabled so gitaly-dev-core can complete GitLab internal API callbacks for pre-receive authorization and hook execution on tenant repositories such as tenants/vijfpas/shop-webshop
  • the pfm-svc -> cephpub path is kept in place for the upcoming clean K3s redeploy and its first ceph-csi RBD wave
  • the prd-dmz ingress paths are now in place for the live Nextcloud edge pair and public app hostname:
      • nfr-admin -> prd-dmz tcp/22
      • prd-dmz -> pfm-egress tcp/443
      • prd-dmz -> prd-svc tcp/80,443
      • prd-dmz -> approved external NTP udp/123
  • the UniFi Default network now has explicit additive publication paths to the current prd-dmz PKI endpoint and all current *-dmz HTTPS services:
      • Default -> prd-dmz tcp/80
      • Default -> prd-dmz tcp/443
      • Default -> dev-dmz tcp/443
      • Default -> acc-dmz tcp/443
  • prd-dmz -> dns tcp/53,udp/53 is currently satisfied by UniFi's built-in Dmz -> Gateway Allow DNS rule; no custom duplicate rule was added
  • pki.prd-dmz.vijfpas.be is now live on the ingress VIP and publishes the root/intermediate CA certs plus CRLs over HTTP for revocation-aware clients such as Windows Schannel
  • the prd-bck bootstrap paths are now in place for the live production pgBackRest repo host:
      • nfr-admin -> prd-bck tcp/22
      • prd-bck -> pfm-egress tcp/443
      • prd-core -> prd-bck tcp/8432
  • the production PostgreSQL prerequisite paths are now in place for the live prd pair:
      • nfr-admin -> prd-core tcp/22
      • prd-core -> pfm-egress tcp/443
  • the production prd-svc service-dependency paths are now in place for the live prd Keycloak and current Nextcloud/application stack:
      • prd-svc -> prd-core tcp/5432
      • prd-svc -> prd-core tcp/6379
      • prd-svc -> prd-core tcp/443
      • prd-core -> prd-bck tcp/8432
  • the current Rancher downstream-management paths are now in place for the live dev, pfm, and prd imports:
      • pfm-svc -> dev-svc tcp/6443
      • pfm-svc -> prd-svc tcp/6443
      • dev-svc -> pfm-svc tcp/443
      • prd-svc -> pfm-svc tcp/443
  • the production RGW service paths are now in place for the live cephrgw.prd-core pair:
      • prd-core -> nfr-cephpub tcp/3300,6789,6800-7300
      • prd-core -> pfm-egress tcp/443
  • the production K3s prerequisite paths are now in place for the live prd cluster:
      • nfr-admin -> prd-svc tcp/22,443,6443
      • prd-svc -> pfm-egress tcp/443
      • prd-svc -> prd-core tcp/6379
      • prd-svc -> nfr-cephpub tcp/3300,6789,6800-7300
  • the OpenBao cluster paths are now in place for the live nfr-mgmt cluster:
      • nfr-admin -> nfr-mgmt tcp/8200
      • nfr-mgmt -> pfm-egress tcp/443
      • nfr-mgmt -> pfm-svc tcp/443
      • nfr-mgmt -> dev-svc tcp/443
      • nfr-mgmt -> dev-svc tcp/6443
      • nfr-mgmt -> pfm-svc tcp/6443
      • nfr-mgmt -> prd-svc tcp/6443
      • nfr-mgmt -> nfr-mgmt tcp/8200,8201
  • the retired shared-platform *.infra-* DNS aliases no longer need firewall or client-path consideration

7. Current bootstrap package path

Current package/bootstrap model:

  • Nexus is the current internal package and artifact broker
  • PostgreSQL, GitLab, Gitaly, and planned K3s bootstrap should use Nexus-served Debian packages and artifacts
  • current live dev package consumers gitlab-dev-svc, gitaly-dev-core, and rabbitmq-dev now use the shared nexus.pfm-egress.vijfpas.be path
  • temporary direct egress is still documented only for controlled bootstrap windows from nfr-mgmt

Use real protocol checks with timeouts when validating this path:

  • SSH: ssh -o BatchMode=yes -o ConnectTimeout=8 <user>@<ip> true
  • HTTPS/API: curl --max-time 8 https://<target>:<port>/...
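The two probes above are easiest to keep consistent when a small runner builds them from a target list and gates on the result. The following is an added example, not a script from the Vijfpas repo: the target list is constructed from the documented dev package path, the admin user name is a placeholder, and live probing only happens when RUN_PROBES=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not part of the Vijfpas repo: run the documented timeout-bound
# SSH and HTTPS probes over a list of bootstrap-path targets and summarise
# pass/fail per target, so a validation run cannot hang on a blocked path.

# Build the exact probe command for one target. Kinds mirror the documented
# checks: "ssh" takes user@host, "https" takes host:port/path.
probe_cmd() {  # $1 = kind, $2 = target
  case "$1" in
    ssh)   printf 'ssh -o BatchMode=yes -o ConnectTimeout=8 %s true' "$2" ;;
    https) printf 'curl --max-time 8 -sS -o /dev/null https://%s' "$2" ;;
    *)     return 2 ;;
  esac
}

# Run one probe; the exit status is the probe's own (2 for an unknown kind).
# Only transport failures (refused, filtered, TLS, timeout) count as failures,
# which is what a firewall-path check needs; HTTP status codes are not judged.
run_probe() {  # $1 = kind, $2 = target
  cmd=$(probe_cmd "$1" "$2") || return 2
  sh -c "$cmd" >/dev/null 2>&1
}

# Read "kind target" lines from stdin (blank and '#' lines ignored), print one
# result line per target, and return 1 if any probe failed so the caller can
# gate a bootstrap step on the whole list.
run_probes() {
  failed=0
  while read -r kind target; do
    [ -z "$kind" ] && continue
    case "$kind" in '#'*) continue ;; esac
    if run_probe "$kind" "$target"; then
      printf 'ok    %-5s %s\n' "$kind" "$target"
    else
      printf 'FAIL  %-5s %s\n' "$kind" "$target"
      failed=1
    fi
  done
  return "$failed"
}

# Constructed target list for the documented dev package path as probed from
# a dev workbench; "admin" is a placeholder user name.
SAMPLE_TARGETS='# kind  target
https nexus.pfm-egress.vijfpas.be:443/
ssh   admin@gitlab.dev-svc.vijfpas.be
ssh   admin@gitaly.dev-core.vijfpas.be
https gitlab.dev-svc.vijfpas.be:443/users/sign_in
'

# Only probe live names when explicitly asked, e.g. RUN_PROBES=1 ./check-path.sh
if [ "${RUN_PROBES:-0}" = 1 ]; then
  printf '%s\n' "$SAMPLE_TARGETS" | run_probes
fi
```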