OZM Network Architecture Plan

Overview

The OZM network is designed to be segmented, secure, and manageable. We prioritize physical and logical separation (VLANs) to enforce our "Legal FPGA" governance model. The architecture supports the local-first "Nullfeld" philosophy while allowing for controlled external access where necessary.

VLAN Topology

We propose a 5-Part VLAN structure for the primary OZM rack:

  1. VLAN 10: CORE (Management & Infrastructure)

    • Purpose: Switch management, Router interface, DNS/DHCP servers (Pi-hole/AdGuard), Critical uplinks.
    • Access: Strictly limited to Admin devices. No direct internet access for clients.
    • Devices: Managed Switches, Router (e.g., UniFi/MikroTik), NAS (Admin interface).
  2. VLAN 20: COMPUTE (AI & heavy lifting)

    • Purpose: The "Engine Room". High-bandwidth internal traffic.
    • Devices: Raspberry Pi Clusters, Jetson Orin nodes, specialized AI accelerators.
    • Access: Can talk to CORE (limited ports) and IoT. Isolated from Guest WiFi.
  3. VLAN 30: IoT / ESP (The "Nervous System")

    • Purpose: Connecting sensors, actuators, and microcontrollers.
    • Devices: ESP32s, Arduino nodes, LED controllers, Environmental sensors.
    • Security: Strictly no internet access. Local MQTT only.
  4. VLAN 40: KRÜMEL WIFI (The "Playground")

    • Purpose: User/Guest interaction.
    • Devices: Tablets, Phones, Laptops of visitors/crew.
    • Access: Internet (filtered/monitored), specific portals to COMPUTE services (e.g., Web UIs). Client Isolation enabled.
  5. VLAN 50: ADMIN / DEV

    • Purpose: Development and maintenance access.
    • Devices: Crew laptops, Dev workstations.
    • Access: Full access to all VLANs (gatekept via firewall rules).

IP Addressing Strategy

We will use the 10.10.x.x private range to avoid conflicts with common home routers (192.168.x.x).

Subnetting (Class A Private)

  • Base: 10.10.0.0/16 (Entire OZM Site)
  VLAN  Name     Subnet (CIDR)   Range                        Gateway  Note
  10    CORE     10.10.10.0/24   10.10.10.1 - 10.10.10.254    .1       Infrastructure
  20    COMPUTE  10.10.20.0/24   10.10.20.1 - 10.10.20.254    .1       AI Nodes
  30    IoT      10.10.30.0/24   10.10.30.1 - 10.10.30.254    .1       Sensors/ESPs
  40    KRÜMEL   10.10.40.0/23   10.10.40.1 - 10.10.41.254    .1       Larger range for guests (510 hosts)
  50    ADMIN    10.10.50.0/28   10.10.50.1 - 10.10.50.14     .1       Small, specific group

(Note: We use /24 generally for simplicity, but /23 for guest WiFi to accommodate many ephemeral devices. Admin is /28 to limit scope.)

Hardware Requirements

  • Router/Firewall: Must support VLAN tagging (802.1Q) and inter-VLAN routing rules.
    • Recommendation: UniFi Dream Machine Pro / SE or MikroTik RB5009.
  • Switch: Managed PoE Switch.
    • Recommendation: UniFi Switch Pro 24 PoE or similar.
  • Access Points: VLAN-aware APs.
    • Recommendation: UniFi U6 Pro / Enterprise.

Governance & Security Rules

  1. Deny by Default: Inter-VLAN traffic is blocked unless explicitly allowed.
  2. mDNS Reflector: Required for discovering services (like AirPlay/Chromecast) across VLANs, if needed at all (keep its scope as narrow as possible).
  3. Port Security: Unused physical ports on switches should be disabled or assigned to a "Dead" VLAN (e.g., 666).
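The following script is an added worked example, not part of the OZM plan or any OZM tooling. It encodes the addressing table above and checks it (every subnet inside 10.10.0.0/16, no overlaps, gateway is the first usable host, expected host counts), then models the "Deny by Default" rule from this section as an explicit allow list and evaluates sample flows against it. The concrete port numbers (53 for DNS, 1883 for MQTT, 443 for the COMPUTE web UIs) are assumptions; the plan only says "limited ports" and "Web UIs". Guest client isolation (VLAN 40) is modelled as a denied intra-VLAN flow, and any address that maps to no planned subnet (for example a host on the "Dead" VLAN) is denied.

```python
"""Validate the OZM VLAN/subnet plan and evaluate a deny-by-default
inter-VLAN policy against it. Hypothetical helper, not OZM's own code."""
import ipaddress
from itertools import combinations

SITE = ipaddress.ip_network("10.10.0.0/16")

# VLAN id -> (name, subnet), taken from the addressing table in the plan
VLANS = {
    10: ("CORE", ipaddress.ip_network("10.10.10.0/24")),
    20: ("COMPUTE", ipaddress.ip_network("10.10.20.0/24")),
    30: ("IOT", ipaddress.ip_network("10.10.30.0/24")),
    40: ("KRUEMEL", ipaddress.ip_network("10.10.40.0/23")),
    50: ("ADMIN", ipaddress.ip_network("10.10.50.0/28")),
}

WAN = "WAN"          # pseudo-destination for internet-bound traffic
ANY = None           # "all destination ports"
ISOLATED = {40}      # VLANs with client isolation (guest WiFi)

# Explicit allow list; anything not listed here is denied.
# Port numbers are assumptions, the plan does not list them.
ALLOW = {
    (20, 10): {53},      # COMPUTE -> CORE: DNS only ("limited ports")
    (20, 30): {1883},    # COMPUTE -> IoT: local MQTT
    (30, 20): {1883},    # IoT -> COMPUTE: local MQTT (never to WAN)
    (40, 20): {443},     # Guests -> COMPUTE web UIs over HTTPS
    (40, WAN): ANY,      # Guests -> filtered/monitored internet
    (50, 10): ANY, (50, 20): ANY, (50, 30): ANY,   # ADMIN: full access,
    (50, 40): ANY, (50, WAN): ANY,                 # gatekept by firewall
}
_DENY = object()


def vlan_of(ip):
    """Return the VLAN id whose subnet contains ip, or None if unplanned."""
    addr = ipaddress.ip_address(ip)
    for vid, (_, net) in VLANS.items():
        if addr in net:
            return vid
    return None


def gateway(vid):
    """First usable host of the VLAN subnet, the .1 convention in the table."""
    return str(next(VLANS[vid][1].hosts()))


def usable_hosts(vid):
    """Usable addresses excluding network and broadcast."""
    return VLANS[vid][1].num_addresses - 2


def check_plan():
    """Return a list of problems with the subnet plan (empty means OK)."""
    problems = []
    for vid, (name, net) in VLANS.items():
        if not net.subnet_of(SITE):
            problems.append(f"VLAN {vid} {name}: {net} is outside site {SITE}")
    for (a, (an, anet)), (b, (bn, bnet)) in combinations(VLANS.items(), 2):
        if anet.overlaps(bnet):
            problems.append(f"VLAN {a} {an} overlaps VLAN {b} {bn}")
    return problems


def is_allowed(src_ip, dst, port):
    """Deny-by-default decision for a flow. dst is an IP string or WAN."""
    src = vlan_of(src_ip)
    if src is None:                 # unplanned source (e.g. Dead VLAN)
        return False
    if dst == WAN:
        dst_key = WAN
    else:
        dst_key = vlan_of(dst)
        if dst_key is None:
            return False
        if dst_key == src:          # same VLAN: switched, unless isolated
            return src not in ISOLATED
    ports = ALLOW.get((src, dst_key), _DENY)
    if ports is _DENY:
        return False
    return ports is ANY or port in ports


if __name__ == "__main__":
    print("plan problems:", check_plan() or "none")
    for vid, (name, _) in VLANS.items():
        print(f"VLAN {vid:<3} {name:<8} gw {gateway(vid):<12} hosts {usable_hosts(vid)}")
    samples = [("10.10.30.7", WAN, 443), ("10.10.40.9", "10.10.40.10", 80),
               ("10.10.20.5", "10.10.10.2", 53), ("10.10.50.3", "10.10.30.7", 22)]
    for s, d, p in samples:
        print(f"{s} -> {d}:{p}  {'ALLOW' if is_allowed(s, d, p) else 'DENY'}")
```

Running the script prints the gateway and host count per VLAN and an ALLOW/DENY verdict for each sample flow; adding a new subnet or rule to the two dictionaries and re-running is a cheap way to catch an overlapping range or an accidental allow before touching the real router.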