Core Concepts
Understanding these principles is key to knowing why we're building the network this way.
The Big Picture: Why We Segment
The goal is to move from a "flat" network, where every device can talk to every other device by default, to a segmented network built on a Zero Trust philosophy. In a flat network, if a less secure device (a phone, an IoT gadget) is compromised, the attacker can reach the K3S servers directly and start probing them for a way in.
By segmenting, we assume no device is inherently trustworthy. We build digital walls between groups of devices, and traffic can't cross a wall unless a specific, explicit firewall rule allows it: the default is deny. This drastically reduces the attack surface and contains a breach to the segment it started in, which is essential when self-hosting production-grade services.
VLANs: The Digital Walls for Isolation
VLANs (Virtual LANs) are the primary tool used to build these digital walls. It's helpful to think of the CRS326 switch not as one big switch, but as a box containing four completely separate, smaller virtual switches. Each VLAN (HOME_NET, K3S_CLUSTER, etc.) is one of these virtual switches.
Devices plugged into ports assigned to VLAN 10 can talk to each other at full speed, but they are fundamentally unaware that devices on VLAN 20 even exist. This is called Layer 2 isolation. It's the most basic and powerful form of network separation, and the switch hardware (the CRS326) enforces it at wire speed. The isolation is only as good as the port configuration, though: each port should belong to exactly the VLANs it needs, access ports should not accept tagged frames, and the trunk should carry only the VLANs the router actually serves.
Router-on-a-Stick: The Guarded Gate for Control
Since the VLANs are isolated, we need a way to let some traffic pass between them in a controlled way. This is the job of the router (the Lenovo M920q). The "Router-on-a-Stick" (RoaS) model uses a single physical cable, configured as a VLAN Trunk, to connect the switch to the router.
Every frame that travels over this trunk cable carries a digital "passport stamp" called an 802.1Q tag, which tells the router which VLAN the frame came from. The router can then inspect the packet, check it against the firewall rules, and decide whether it's allowed to reach its destination VLAN. If it is, the router re-stamps it with the destination VLAN's tag and sends it back down the same cable to the switch. This gives centralized control and security inspection for all cross-VLAN communication. Two consequences follow: traffic between devices in the same VLAN never reaches the router, so the firewall cannot see or filter it, and every allowed cross-VLAN flow crosses the trunk twice (once in, once out), so the trunk link's bandwidth is shared by all inter-VLAN traffic.
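To make the VLAN isolation and the Router-on-a-Stick decision concrete, here is an added Python model of both halves of the path: the switch classifying a frame into a VLAN by port membership and only letting it out on ports that belong to that VLAN, and the router reading the 802.1Q tag off the trunk, checking an inter-VLAN rule table with a default-deny policy, and re-tagging the frame for the destination VLAN. This is illustration code written for this page, not the switch's or router's configuration; the port layout (ether1 trunk, ether2/ether3 access ports), the 192.168.10.0/24 and 192.168.20.0/24 subnets, the MAC addresses, and the single "HOME_NET to K3S_CLUSTER on TCP/443" rule are all constructed assumptions.

```python
"""Added illustration of 802.1Q tagging, switch-side Layer 2 isolation and the
router-on-a-stick policy check. The port layout, subnets and the single
inter-VLAN rule are constructed assumptions, not this network's real config."""
import struct
from ipaddress import ip_address, ip_network

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

# Assumed switch port table: access ports carry one untagged VLAN (their PVID);
# ether1 is the trunk to the router and carries every VLAN tagged.
PORTS = {
    "ether1": {"pvid": None, "tagged": {10, 20}},   # trunk to the router
    "ether2": {"pvid": 10, "tagged": set()},        # HOME_NET access port
    "ether3": {"pvid": 20, "tagged": set()},        # K3S_CLUSTER access port
}
# Assumed addressing, one /24 per VLAN, so the router can map a destination IP to a VLAN.
SUBNETS = {10: ip_network("192.168.10.0/24"), 20: ip_network("192.168.20.0/24")}
# Assumed explicit allow rules: (src VLAN, dst VLAN, IP protocol, dst port).
# Anything not listed is dropped by the router (default deny).
RULES = {(10, 20, 6, 443)}   # HOME_NET may reach the cluster ingress on TCP/443

def tag_frame(dst_mac, src_mac, vid, payload, pcp=0):
    """Insert an 802.1Q header: TPID 0x8100, then TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload

def untag_frame(dst_mac, src_mac, payload):
    """Plain Ethernet II frame carrying IPv4, as a device on an access port sends it."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_frame(frame):
    """Return (dst_mac, src_mac, vid or None for untagged, ethertype, payload)."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst_mac, src_mac, tci & 0x0FFF, ethertype, frame[18:]
    return dst_mac, src_mac, None, ethertype, frame[14:]

def ipv4_tcp(src_ip, dst_ip, dport, sport=40000):
    """Minimal IPv4 header (no options, checksum left at 0) followed by TCP ports."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                      ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return hdr + struct.pack("!HH", sport, dport)

def switch_classify(port, frame):
    """VLAN the switch assigns to a frame arriving on `port`, or None if dropped:
    untagged frames take the port PVID, tagged frames need the port to be a member."""
    vid = parse_frame(frame)[2]
    cfg = PORTS[port]
    if vid is None:
        return cfg["pvid"]
    return vid if vid in cfg["tagged"] else None

def switch_egress_ports(ingress_port, vid):
    """Ports a frame in VLAN `vid` may leave on: members of that VLAN only.
    This is the Layer 2 isolation; a VLAN 10 frame never reaches a VLAN 20 port."""
    return sorted(p for p, c in PORTS.items()
                  if p != ingress_port and (c["pvid"] == vid or vid in c["tagged"]))

def router_forward(frame):
    """Router-on-a-stick: read the source VLAN from the tag, derive the destination
    VLAN from the destination IP, consult RULES, and re-tag for the destination VLAN.
    Returns the re-tagged frame, or None when the traffic is dropped."""
    dst_mac, src_mac, vid, ethertype, payload = parse_frame(frame)
    if vid is None or ethertype != ETHERTYPE_IPV4:
        return None                      # untagged or non-IPv4 traffic on the trunk: drop
    proto = payload[9]
    dst_ip = ip_address(payload[16:20])
    dport = struct.unpack("!H", payload[22:24])[0] if proto in (6, 17) else None
    dst_vid = next((v for v, net in SUBNETS.items() if dst_ip in net), None)
    if dst_vid is None or dst_vid == vid:
        return None                      # unknown network, or not an inter-VLAN flow
    if (vid, dst_vid, proto, dport) not in RULES:
        return None                      # no explicit allow rule: default deny
    return tag_frame(dst_mac, src_mac, dst_vid, payload)

def walk(frame, ingress_port="ether2"):
    """Trace a frame from an access port, across the trunk, to the router's verdict."""
    vid = switch_classify(ingress_port, frame)
    if vid is None:
        return {"vlan": None, "egress": [], "verdict": "dropped by switch"}
    dst_mac, src_mac, _, _, payload = parse_frame(frame)
    out = router_forward(tag_frame(dst_mac, src_mac, vid, payload))  # trunk egress is tagged
    verdict = f"forwarded to VLAN {parse_frame(out)[2]}" if out else "dropped by router"
    return {"vlan": vid, "egress": switch_egress_ports(ingress_port, vid), "verdict": verdict}

# Constructed sample flows: a phone on HOME_NET talking to a cluster node.
PHONE_MAC, NODE_MAC = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
HTTPS = untag_frame(NODE_MAC, PHONE_MAC, ipv4_tcp("192.168.10.50", "192.168.20.5", 443))
SSH = untag_frame(NODE_MAC, PHONE_MAC, ipv4_tcp("192.168.10.50", "192.168.20.5", 22))

if __name__ == "__main__":
    for name, frame in (("HTTPS", HTTPS), ("SSH", SSH)):
        print(name, walk(frame))
```

Running it shows the two properties the text describes: the phone's frame can only leave the switch on the trunk, never on the K3S_CLUSTER access port, and the router lets the HTTPS flow through (re-tagged as VLAN 20) while the SSH flow, and any cluster-to-home traffic, is dropped because no rule lists it. Note that rules are directional; a reply path needs its own rule or, on a real firewall, connection tracking.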
Device Roles & Strengths
Each device is assigned a role that plays to its hardware strengths, ensuring optimal performance.