# Public-Private Network Architecture

## Core Concept

"The internet is public, but we have our own router and it becomes private at our network."

This fundamental concept explains how the RAT network infrastructure transitions from the public internet to a private network that we control.

## How Public/Private Boundary Works

### Public Internet Side (WAN)

**Entry Point: FTMA Building**

```
[ISP] → [Cisco Internet Switches in FTMA] → [Fiber to IDF Room]
```

- **ISP Connection:** Internet Service Provider delivers public internet
- **Public IP addresses:** Assigned by ISP, routable on the internet
- **No control:** This traffic is on the public internet until it reaches our router. Under the hypothesis below, the Cisco Internet Switches only pass the ISP hand-off through to the IDF Room; nothing is translated or filtered before the Ubiquiti Router.

### The Boundary: Ubiquiti Router in IDF Room

**Hypothesis:** The Ubiquiti Router is where public becomes private

```
[Public WAN] → [Ubiquiti Router] → [Private LAN]
                       ↓
                 NAT/Firewall
          (Translation happens here)
```

**What happens at the router:**

1. **NAT (Network Address Translation):** Rewrites the private source address of outbound traffic to the router's public WAN address and maps the replies back to the originating private host. An inbound connection reaches a private host only through an explicit port forward.
2. **Firewall rules:** Control what traffic may enter or leave the private network. The stateful firewall, not NAT, is the security control: its default-deny policy on the WAN interface is what keeps unsolicited internet traffic out, and every port forward is a deliberate hole in it.
3. **DHCP server:** Assigns private IP addresses from RFC 1918 space (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16)
4. **Routing decisions:** Determines how to reach different network segments

### Private Network Side (LAN)

**Everything downstream from the Ubiquiti Router is private:**

```
[Ubiquiti Router]
       ↓
       ├─→ [Cisco 3850 Switches] → IDF Room equipment
       ├─→ [Dante Network] → Audio endpoints
       └─→ [10G Fiber to Machine Room] → NAS, computers, SSL console
```

- **Private IP address space:** Not routable on the public internet
- **Full control:** We configure switches, VLANs, routing, firewall rules
- **Internal routing:** Traffic between IDF Room and Machine Room stays private
- **Security:** External access requires VPN or explicit firewall rules. "Private" means unreachable from the internet, not trusted: a compromised workstation sits behind the same firewall as the NAS and the switch management interfaces, which is why the segments below matter.

## Network Segments (Hypothesis)

Based on equipment and typical network design:

### Segment 1: WAN (Public)

- **IP Range:** Single public IP or small subnet from ISP
- **Location:** Cisco Internet Switches in FTMA Building
- **Access:** Public internet

### Segment 2: Management Network (Private)

- **IP Range:** 192.168.1.0/24 (example - needs verification)
- **Location:** Switch management interfaces across all locations
- **Purpose:** Administer switches, router, network equipment
- **Access:** Restricted to IT staff; should not be reachable from the general segment

### Segment 3: General Infrastructure (Private)

- **IP Range:** 192.168.10.0/24 (example - needs verification)
- **Location:** IDF Room and Machine Room
- **Devices:** Computers, NAS, general workstations
- **Access:** All authenticated users

### Segment 4: Dante Audio Network (Private, Isolated)

- **IP Range:** 169.254.x.x (Dante default: link-local, self-assigned when no DHCP server answers) or custom subnet
- **Location:** Dedicated Ubiquiti Dante switch
- **Purpose:** Low-latency audio routing
- **Access:** Audio endpoints only (not routed to general network). Link-local addresses are never routed, so this isolates the segment at layer 3 by default; at layer 2 it is only isolated if the Dante switch is on its own VLAN or has no uplink, since any host on the same VLAN can self-assign a 169.254 address.

### Segment 5: High-Speed Production (Private)

- **IP Range:** 10.0.0.0/24 (example - needs verification)
- **Location:** Machine Room 10G equipment
- **Devices:** NAS, high-speed workstations, video equipment
- **Purpose:** High-bandwidth media production workflows
- **Access:** Production staff

## Why This Matters

### Security

- **Public side:** Exposed to internet threats
- **Private side:** Protected by the firewall, not directly accessible from the internet
- **VPN required:** Remote access needs a secure VPN connection through the router

### Connectivity

"We can connect anywhere we want to in our IDF room" - because it's all on our private network

- IDF Room equipment can reach Machine Room equipment
- Private routing between locations
- No internet bandwidth limits for internal traffic

### Control

- **IP addressing:** We assign IP addresses as needed
- **VLANs:** Can create isolated networks for different purposes
- **QoS:** Prioritize Dante audio traffic, video production traffic, etc.
- **Firewall rules:** Control what services are accessible from outside

## Questions to Answer

### 1. Where EXACTLY is the boundary?

**Current hypothesis:** Ubiquiti Router in IDF Room

**Need to verify:**

- Router configuration - review WAN and LAN interface settings
- IP address assignments - document public IP vs private IP schemes
- Firewall rules - what's allowed in/out?
- NAT configuration - how is translation happening?

**Verification steps:**

```bash
# On the Ubiquiti router, if it is an EdgeRouter (EdgeOS CLI). A UniFi gateway
# exposes a Linux shell instead: ip addr, ip route, iptables -t nat -L -n
show interfaces          # WAN vs LAN interfaces and their addresses
show ip route            # default route should leave via the WAN interface
show nat rules           # source NAT (masquerade) on the WAN interface
show firewall            # rule sets applied to WAN in/local
show configuration       # full configuration

# On a Cisco 3850 (IOS-XE, SSH/console)
show ip interface brief  # SVIs with addresses mean the switch routes between VLANs
show ip route            # a default route here points at the Ubiquiti router

# From any internal device (Linux)
ip addr show             # assigned private IP
ip route show            # default gateway: the router, or a 3850 SVI if the switch routes VLANs
traceroute 8.8.8.8       # the last hop with a private address is the NAT boundary
```

Note that the router is hop 1 of the traceroute only if the device sits directly on the router's LAN; if a Cisco 3850 does the inter-VLAN routing, the switch SVI appears first and the router is hop 2.

### 2. Are there multiple WAN connections?

- Single ISP or redundant connections?
- Load balancing or failover?
- Different ISPs for different purposes?

### 3. What VLANs exist?

- Are network segments implemented as VLANs on Cisco switches?
- How do VLANs map to physical locations?
- Inter-VLAN routing handled by Cisco switches or Ubiquiti Router?

### 4. Is Dante network completely isolated?

- Does Dante switch connect to any other switches?
- Can devices on general network access Dante endpoints?
- Or is it air-gapped for maximum audio reliability?

## Documentation Needed

- [ ] Router configuration export
- [ ] IP address assignment table for all segments
- [ ] VLAN configuration on all Cisco switches
- [ ] Firewall rules documentation
- [ ] Network diagram with IP ranges labeled
- [ ] Routing table from router
- [ ] Dante network isolation verification

## Real-World Analogy

Think of it like a house:

- **Public street (Internet):** Anyone can drive by, see your address
- **Property line (Router/Firewall):** Boundary of your control
- **Private driveway/yard (Private network):** Your space, your rules
- **Rooms in house (Network segments):** Different purposes, controlled access
- **Locked doors (VLANs/Firewalls):** Not everyone can access every room

The ISP delivers internet to your "property line" (router). Everything behind that is yours to configure and control. The router is the gatekeeper - it decides what traffic comes in and goes out.

## Next Steps

1. **Access Ubiquiti Router:**
   - Document where the login credentials are kept (the location, never the credentials themselves)
   - Export full configuration
   - Review WAN/LAN interface settings
2. **Verify IP Address Schemes:**
   - Check DHCP ranges on router
   - Document static IP assignments
   - Create network map with IP ranges
3. **Review Cisco Switch Configs:**
   - VLAN configuration on all three Cisco 3850 switches
   - Inter-switch links (trunks)
   - Inter-VLAN routing settings
4. **Test Connectivity:**
   - Trace route from various network segments
   - Verify isolation between networks (if intended)
   - Test firewall rules (inbound/outbound access)
5. **Document Dante Network:**
   - Confirm isolation or integration with main network
   - Document Dante IP addressing
   - Verify audio-specific QoS settings
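Worked example for Next Steps 4 (trace route from each segment) and Question 1. This is an added Python script, not part of these notes or of any RAT tooling: it parses Linux `traceroute` output, classifies every hop, and reports the last hop that still carries a private address, which is where NAT happens. All addresses in the sample are constructed; `192.168.10.1` (a 3850 SVI), `192.168.1.1` (the router's LAN side) and `203.0.113.17` (a documentation-range address standing in for the ISP hop) are assumptions matching the hypothesised ranges above, not verified assignments. It also flags a first outside hop in `100.64.0.0/10`, which would mean the ISP is doing carrier-grade NAT and the real public boundary is theirs, not ours.

```python
"""Locate the public/private boundary from a traceroute.

Added example, not from the original notes or the RAT network's own tooling.
The last hop that still carries a private address is the NAT boundary. Hop 1
is the Ubiquiti router only if the tracing host sits directly on its LAN;
when a Cisco 3850 SVI routes between VLANs, the SVI shows up first.
"""
import ipaddress
import re

# Address classes that matter when looking for the boundary.
_CLASSES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),  # Dante default
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),       # ISP carrier-grade NAT
]

_INSIDE = ("rfc1918", "link-local", "loopback")


def classify(addr: str) -> str:
    """Return 'loopback', 'link-local', 'rfc1918', 'cgnat' or 'public'."""
    ip = ipaddress.ip_address(addr)
    for name, net in _CLASSES:
        if ip in net:
            return name
    return "public"


# One hop line: "<n>  <host> (<addr>)  <rtt> ms ..." (host may be the address itself)
_HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\()?(\d+\.\d+\.\d+\.\d+)\)?")


def parse_traceroute(text: str) -> list:
    """Parse Linux IPv4 traceroute output into [(hop_number, address_or_None), ...]."""
    hops = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
        elif re.match(r"^\s*\d+\s+\*", line):
            hops.append((int(line.split()[0]), None))  # hop did not answer
    return hops


def find_boundary(hops: list) -> dict:
    """Return the last private hop before the first hop outside our address space.

    isp_cgnat is True when that first outside hop is in 100.64.0.0/10: our
    router then translates into an ISP-private range and the ISP's NAT is the
    real public boundary.
    """
    last_private = None
    for n, addr in hops:
        if addr is None:
            continue
        kind = classify(addr)
        if kind in _INSIDE:
            last_private = (n, addr)
        else:
            return {"boundary": last_private, "first_outside": (n, addr),
                    "isp_cgnat": kind == "cgnat"}
    return {"boundary": last_private, "first_outside": None, "isp_cgnat": False}


# Constructed traceroute from a workstation on the hypothesised 192.168.10.0/24
# segment: hop 1 is a 3850 SVI, hop 2 the Ubiquiti router's LAN address, hop 3
# the ISP (203.0.113.0/24 is a documentation range standing in for a real hop).
SAMPLE_TRACEROUTE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.10.1 (192.168.10.1)  0.412 ms  0.388 ms  0.371 ms
 2  192.168.1.1 (192.168.1.1)  0.901 ms  0.884 ms  0.870 ms
 3  203.0.113.17 (203.0.113.17)  4.221 ms  4.205 ms  4.190 ms
 4  * * *
 5  8.8.8.8 (8.8.8.8)  9.103 ms  9.090 ms  9.077 ms
"""

if __name__ == "__main__":
    result = find_boundary(parse_traceroute(SAMPLE_TRACEROUTE))
    print("NAT boundary (last private hop):", result["boundary"])
    print("first hop outside our network:  ", result["first_outside"])
    if result["isp_cgnat"]:
        print("first outside hop is in 100.64.0.0/10: ISP is doing CGNAT")
```

Run it once from a host in each segment (paste the real `traceroute 8.8.8.8` output in place of the sample) and the reported boundary should be the same router address every time; a different answer from one segment means that segment exits through a different path.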
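Worked example for Next Steps 4 (verify isolation between networks) and Question 4. This is an added Python script, not from these notes or from any RAT tooling. The segment ranges are the hypothesised ones from the Network Segments section (still marked "needs verification" there), the reachability policy is an assumption derived from each segment's "Access" line, and the sample flows are constructed. Feed it real source/destination pairs from a firewall log, a NetFlow export, or a ping/port sweep run from one host in each segment, and it lists the paths that contradict the intended design.

```python
"""Check observed traffic against the intended segment policy.

Added example, not from the original notes or the RAT network's own tooling.
Segment ranges are the hypothesised ones from the notes; the policy and the
sample flows are constructed for the example.
"""
import ipaddress

# Hypothesised segments from the notes. Replace with verified ranges.
SEGMENTS = {
    "management": ipaddress.ip_network("192.168.1.0/24"),
    "general":    ipaddress.ip_network("192.168.10.0/24"),
    "dante":      ipaddress.ip_network("169.254.0.0/16"),
    "production": ipaddress.ip_network("10.0.0.0/24"),
}

# Intended reachability (assumed for the example): source segment -> segments it
# may initiate traffic to. Management reaches everything (IT administers all
# equipment); general and production share the NAS but never touch management
# or Dante; Dante endpoints talk only to each other.
POLICY = {
    "management": {"management", "general", "production", "dante"},
    "general":    {"general", "production"},
    "production": {"production", "general"},
    "dante":      {"dante"},
}


def segment_of(addr: str):
    """Return the segment containing addr, or None if it is outside all of them."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def check_flow(src: str, dst: str) -> dict:
    """Classify one observed src->dst flow as allowed, violation or unknown."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        verdict = "unknown"      # an address outside the documented segments
    elif d in POLICY[s]:
        verdict = "allowed"
    else:
        verdict = "violation"
    return {"src": src, "dst": dst, "src_seg": s, "dst_seg": d, "verdict": verdict}


def audit(flows) -> list:
    """Return only the flows that contradict the policy or involve unmapped addresses."""
    return [f for f in (check_flow(s, d) for s, d in flows) if f["verdict"] != "allowed"]


def expected_matrix() -> dict:
    """Expected result of a probe (ping or TCP connect) from each segment to each other.

    Run the probes from one host per segment and compare: any 'blocked' pair
    that answers is a gap in the isolation."""
    return {(s, d): ("reachable" if d in POLICY[s] else "blocked")
            for s in SEGMENTS for d in SEGMENTS}


# Constructed sample flows, as they might come from a firewall log or a sweep.
SAMPLE_FLOWS = [
    ("192.168.10.25", "10.0.0.10"),     # workstation -> NAS: intended
    ("192.168.1.50",  "192.168.10.1"),  # IT host -> switch SVI: intended
    ("192.168.10.25", "192.168.1.2"),   # workstation -> switch management: violation
    ("10.0.0.40",     "169.254.7.9"),   # production host -> Dante endpoint: Dante not isolated
    ("192.168.10.77", "172.16.5.5"),    # destination in no documented segment: investigate
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['verdict']:9} {f['src']:15} ({f['src_seg']}) -> {f['dst']:15} ({f['dst_seg']})")
    for (s, d), outcome in sorted(expected_matrix().items()):
        print(f"probe {s:10} -> {d:10} expected {outcome}")
```

An "unknown" verdict is worth as much attention as a violation: an address that belongs to no documented segment is either a range missing from the table or a device that should not be on the network.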