After the disastrous ISP schism

Stage 1: very safe
- Close all ports
- Nuke (or stop) all old VMs (exclude OPNSense)
- Make DMZ
- Make new basic VMs (cloning deb12 template)
- Open basic ports

Stage 2: new services
- IONOS VPS for mail
- Some new very safe services
- HE IPv6 tunnel
- Own authoritative nameservers for domain zone

Stage 3*: finally
- Another VPS in unknown provider for:
  - Tor
  - Reverse-proxying the media library
- PHP on main site with more web services from scratch, hopefully secure
- More new services
arf20.com
Registrar: namecheap
Nameserver | Name | IP |
---|---|---|
NS1 | ns1.arf20.com | 2.59.235.35 2001:470:1f21:125::13 |
NS2 | ns2.arf20.com | 5.250.186.185 2001:ba0:210:d600::1 |
```
                             WAP
                              |
       +-----+   +--------------------------+     +----------------+
ISP ===| ONT |---|       DELL switch        |-----| TP-Link switch |
       +-----+   +--------------------------+     +----------------+
                   |        |         |                   |
                   |        |         |                   |
                +---------------+  Rest of devices  Living room devices
                | eno1     eno2 |
                | server router |
                +---------------+

- 1000BASE-T
= GPON fiber
```
Port assignments
port | endpoint | options |
---|---|---|
g2 | ONT | VLAN access 2 |
g4 | server eno2 WAN | VLAN access 2 |
g6 | test2 | VLAN access 2 |
g3 | WAP | VLAN access 5 |
g5 | PC | VLAN access 4 |
g7 | Living R. | VLAN access 5 |
g9 | server eno1 DMZ+LAN | VLAN trunk 4, 5 |
g15 | test4 | VLAN access 4 |
g17 | test1 | VLAN access 1 |
g19 | test5 | VLAN access 5 |
g21 | iDRAC | VLAN access 4 |
g23 | printer | VLAN access 4 |
Management

name | VLAN | net | desc |
---|---|---|---|
WAN | 2 | | |
DMZ | 4 | 192.168.4.0/24 2001:470:1f21:125::/64 | Services |
LAN | 5 | 192.168.5.0/24 | Clients |
VPN | | 10.5.0.0/24 | Wireguard clients |
Service | Customer | IPProto | Ext Port | Host | Re Port |
---|---|---|---|---|---|
OpenVPN | | TCP | 1195 | router | |
WireGuard | | UDP | 51820 | router | |
DNS NS1 | | TCP/UDP | 53 | misc | |
iperf3 | | TCP | 5201 | misc | |
NNTP | | TCP | 119 | misc | |
Web | | TCP | 80,443 | web | |
Git | | TCP | 9418 | web | |
bittorrent | | TCP/UDP | 8999 | nas | |
rsync | | TCP/UDP | 873 | nas | |
IRC | | TCP | 6667 | comm | |
IRCS | | TCP | 6697 | comm | |
XMPP c2s | | TCP | 5222 | comm | |
XMPP s2s | | TCP | 5269 | comm | |
TURN STUN | | TCP/UDP | 3478 | comm | |
TURN | | TCP/UDP | 5349 | comm | |
TURN UDP relay | | TCP/UDP | 49152-50176 | comm | |
mc-waterfall-proxy | | TCP | 25565 | game | 25567 |
exo-ssh | exo | TCP | 4041 | exovps | 22 |
exo-extra | exo | TCP | 4040 | exovps | 4040 |
yero-ssh | yero | TCP | 1511 | yerovps | 22 |
yero-sql | yero | TCP | 1512 | yerovps | 3306 |
FiveM SuperioresRP | yero | TCP | 30120,40120 | yerovps | |
Service | Customer | IPProto | Host | Port |
---|---|---|---|---|
DNS NS1 | | TCP/UDP | misc | 53 |
Web | | TCP | web | 80,443 |
server runs Proxmox PVE.
All VMs are Debian 12 (templated) with wazuh agent
RAID attached here (with the grey stuff) (local only)
- SSH
- NFS
- Samba SMB
- MiniDLNA
- FTP
- qBittorrent-nox
- jellyfin
vhost | webroot/proxy | Comment |
---|---|---|
default | <return 418 im a teapot> | |
default:8080 | <return nstub_status> | |
arf20.com | /var/www/arf20.com/html/ | |
www.arf20.com | <301 redirect arf20.com> | |
matrix.arf20.com | http://comm.lan:8008/_matrix | |
webmail.arf20.com | /var/www/webmail.arf20.com/html/ | SquirrelMail |
nextcloud.arf20.com | /var/www/nextcloud.arf20.com/html/ | |
grafana.arf20.com | http://localhost:3000 | |
jellyfin.arf20.com | http://nas.lan:8096 | |
git.arf20.com | /srv/git/ | |
cgit.arf20.com | fastcgi:/usr/lib/cgit/cgit.cgi | |
blog.arf20.com | /var/www/blog.arf20.com/_site/ | |
forum.arf20.com | /var/www/forum.arf20.com/html/ | |
deb.arf20.com | /d/FTPServer/software/debian/ | |
memes.arf20.com | /var/www/memes.arf20.com/, /d/FTPserver/{dcimg, dcmemes, explosionsandfire} | |
status.yero.dev | http://yerovps.lan:3001 | |
- SSH
- iperf3
- bind9: master authoritative nameserver for the arf20.com zone (NS1)
- OpenLDAP LDAP*
- Discord servers
### proxy (ARFNET-HOSTMENOW VPS) *
*TODO
DMZ IPv4 addresses (192.168.4.N); the IPv6 addresses end the same way (e.g. DMZ.13 is 2001:470:1f21:125::13).

Addr | Name | Alias |
---|---|---|
DMZ.1 | router.lan | |
DMZ.2 | switch.lan | |
DMZ.3 | wap.lan | |
DMZ.4 | proxmox.lan | |
DMZ.5 | idrac.lan | |
DMZ.6 | nas.lan | |
DMZ.7 | printer.lan | |
DMZ.8 | desktop.lan | |
DMZ.9 | web.lan | |
DMZ.10 | wazuh.lan | |
DMZ.11 | game.lan | |
DMZ.12 | comm.lan | |
DMZ.13 | misc.lan | |
DMZ.192 | yerovps | yero.lan |
DMZ.195 | exovps | exo.lan |
Name | Type | Content | Comment |
---|---|---|---|
arf20.com | NS | ns1.arf20.com | |
arf20.com | NS | ns2.arf20.com | |
ns1 | A | 2.59.235.35 | |
ns1 | AAAA | 2001:470:1f21:125::13 | |
ns2 | A | 5.250.186.185 | |
ns2 | AAAA | 2001:ba0:210:d600::1 | |
arf20.com | A | 2.59.235.35 | |
arf20.com | AAAA | 2001:470:1f21:125::9 | |
arf20.com | MX | mail.arf20.com | |
mail | A | 5.250.186.185 | MX target |
mail | AAAA | 2001:ba0:210:d600::1 | MX target |
selector._domainkey | TXT | (DKIM) | DKIM for selector 'selector' |
_dmarc | TXT | (DMARC) | |
arf20.com | TXT | (SPF) | |
irc | CNAME | arf20.com | |
jellyfin | CNAME | arf20.com | |
matrix | CNAME | arf20.com | |
nextcloud | CNAME | arf20.com | |
turn | CNAME | arf20.com | |
webmail | CNAME | arf20.com | |
www | CNAME | arf20.com | |
xmpp | CNAME | arf20.com | |
xmppconf | CNAME | arf20.com | |
grafana | CNAME | arf20.com | |
git | CNAME | arf20.com | |
cgit | CNAME | arf20.com | |
blog | CNAME | arf20.com | |
forum | CNAME | arf20.com | |
deb | CNAME | arf20.com | |
zabbix | CNAME | arf20.com | |
memes | CNAME | arf20.com | |
news | CNAME | arf20.com | |
_acme-challenge.jellyfin | CNAME | (challenge) | |
_acme-challenge.irc | CNAME | (challenge) | |
_acme-challenge.matrix | CNAME | (challenge) | |
_acme-challenge.mail | CNAME | (challenge) | |
_acme-challenge.xmpp | CNAME | (challenge) | |
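The zone above is hand-maintained, so a small consistency check is worth running before every reload. The following is an added example, not part of the original notes or of the bind9 setup described here: it transcribes the zone records as constructed data and flags the mistakes that most often break a self-hosted zone of this shape (an in-zone NS without glue, an MX pointing at a CNAME or at a name with no addresses, a CNAME sharing its name with other records or sitting at the apex, a missing SPF/DMARC/DKIM set, and an `_acme-challenge` delegation for a name that does not exist). The TXT payloads and ACME CNAME targets are constructed placeholders, since the page shows them only as `(SPF)`, `(DKIM)`, `(DMARC)` and `(challenge)`, and the `mail` owner name on the A/AAAA pair is assumed from the MX and PTR records.

```python
"""Added example: lint the arf20.com zone records listed above.

Not the page's own tooling. Records are transcribed from the zone table;
TXT contents and ACME targets are constructed placeholders, and the "mail"
name on the A/AAAA pair is assumed from the MX and PTR records.
"""
from collections import defaultdict

ORIGIN = "arf20.com"

# (owner, type, content); relative owners are under ORIGIN, like a zone file.
ZONE = [
    ("arf20.com", "NS", "ns1.arf20.com"),
    ("arf20.com", "NS", "ns2.arf20.com"),
    ("ns1", "A", "2.59.235.35"),
    ("ns1", "AAAA", "2001:470:1f21:125::13"),
    ("ns2", "A", "5.250.186.185"),
    ("ns2", "AAAA", "2001:ba0:210:d600::1"),
    ("arf20.com", "A", "2.59.235.35"),
    ("arf20.com", "AAAA", "2001:470:1f21:125::9"),
    ("arf20.com", "MX", "mail.arf20.com"),
    ("mail", "A", "5.250.186.185"),            # owner name assumed
    ("mail", "AAAA", "2001:ba0:210:d600::1"),  # owner name assumed
    ("selector._domainkey", "TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER"),  # constructed
    ("_dmarc", "TXT", "v=DMARC1; p=quarantine"),                       # constructed
    ("arf20.com", "TXT", "v=spf1 mx -all"),                             # constructed
    ("www", "CNAME", "arf20.com"),
    ("matrix", "CNAME", "arf20.com"),
    ("jellyfin", "CNAME", "arf20.com"),
    ("_acme-challenge.matrix", "CNAME", "matrix.acme-dns.example"),  # constructed
    ("_acme-challenge.mail", "CNAME", "mail.acme-dns.example"),      # constructed
]


def fqdn(name, origin=ORIGIN):
    """Qualify a relative owner name under the zone origin."""
    if name == origin or name.endswith("." + origin):
        return name
    return f"{name}.{origin}"


def index_zone(zone, origin=ORIGIN):
    """Build {owner: {rtype: [content, ...]}} for fast lookups."""
    idx = defaultdict(lambda: defaultdict(list))
    for name, rtype, content in zone:
        idx[fqdn(name, origin)][rtype].append(content)
    return {owner: dict(rrs) for owner, rrs in idx.items()}


def lint_zone(zone, origin=ORIGIN):
    """Return a list of human-readable problems; empty means the zone is consistent."""
    idx = index_zone(zone, origin)
    apex = idx.get(origin, {})
    problems = []

    # In-zone NS targets need glue A/AAAA, or resolvers can never reach them.
    for ns in apex.get("NS", []):
        rrs = idx.get(ns, {})
        if ns.endswith(origin) and not (rrs.get("A") or rrs.get("AAAA")):
            problems.append(f"NS {ns}: no glue A/AAAA record")

    # An MX must name a host with address records, never a CNAME (RFC 2181 s10.3).
    for mx in apex.get("MX", []):
        rrs = idx.get(mx, {})
        if "CNAME" in rrs:
            problems.append(f"MX {mx}: target is a CNAME")
        elif not (rrs.get("A") or rrs.get("AAAA")):
            problems.append(f"MX {mx}: no A/AAAA record")

    # A CNAME must be the only record at its owner and cannot live at the apex.
    for owner, rrs in idx.items():
        if "CNAME" in rrs:
            if owner == origin:
                problems.append("CNAME at zone apex")
            if len(rrs) > 1 or len(rrs["CNAME"]) > 1:
                problems.append(f"{owner}: CNAME coexists with other records")

    # Mail authentication: SPF at the apex, a DMARC policy, at least one DKIM selector.
    if not any(t.startswith("v=spf1") for t in apex.get("TXT", [])):
        problems.append("no SPF record at apex")
    dmarc = idx.get(f"_dmarc.{origin}", {}).get("TXT", [])
    if not any(t.startswith("v=DMARC1") for t in dmarc):
        problems.append("no _dmarc TXT record")
    if not any(o.endswith(f"._domainkey.{origin}") and "TXT" in r for o, r in idx.items()):
        problems.append("no DKIM selector published")

    # An _acme-challenge delegation only makes sense for a name that exists.
    prefix = "_acme-challenge."
    for owner in idx:
        if owner.startswith(prefix) and owner[len(prefix):] not in idx:
            problems.append(f"{owner}: delegation for a name with no records")

    return problems


if __name__ == "__main__":
    for line in lint_zone(ZONE) or ["zone looks consistent"]:
        print(line)
```

Run it after editing the zone and before `rndc reload`; a non-empty list is a reason not to reload. The DKIM and DMARC checks only test presence, not the policy values, which is deliberate: the point here is catching a forgotten record, not grading the policy.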
Name | Type | Content | Comment |
---|---|---|---|
2001:470:1f21:125::13 | PTR | ns1.arf20.com | |
2001:470:1f21:125::9 | PTR | arf20.com | |
Name | Type | Content | Comment |
---|---|---|---|
5.250.186.185 | PTR | mail.arf20.com | |