User:John/FreedomBox/Network architecture
Some notes about fbx network architecture.
Examples
In the following examples these configuration settings are used:
| Setting | Value |
|---|---|
| User's internet router LAN IP | 192.168.0.1 |
| User's LAN subnet mask | 255.255.255.0 |
| User's LAN config web client IP | 192.168.0.37 |
| User's fbx LAN DHCP IP | 192.168.0.123 |
| User's fbx LAN static IP | 192.168.0.2 |
| User's domain name | example.com |
| User's FreedomBox name | fbx.example.com |
| User's public IP address | 139.218.130.78 |
| User's internet DNS resolver | 1.1.1.1 |
Use case
User wants to register their fbx on their existing domain name on their static home IP address
Prerequisites:
- user has a domain name registered (example.com)
- user has DNS hosting and nameservers configured
- user has access to do web-based configuration of their DNS settings
  - note: in future we might be able to do this for them via API from DNS hosting services
  - we could enumerate a list of supported providers (possibility for paid placement)
Out of scope:
- no IPv6 configuration yet (we can add later)
Process:
- tell user to access http://freedombox.local/ (*not* https://freedombox.local/) after plugging in power and network, then booting
  - if not accessible via mDNS at freedombox.local, go through nmap discovery or DHCP server status to find the host IP, such as http://192.168.0.123 or http://10.1.1.123 etc.
  - note that there is no HTTP redirection from either http://freedombox.local/ or e.g. http://192.168.0.123/; those URLs answer with the web-based configuration service directly, regardless of which form is used
  - actually, redirecting from http://freedombox.local/ to e.g. http://192.168.0.123/ would be possible and unproblematic (the other way around would be a problem if mDNS were unreliable)
- get the user to pick an IP address, subnet mask, and gateway for their fbx on their LAN
  - they currently have a DHCP-allocated address, but as we can't ensure that IP will be constant/reserved (it probably isn't) we want a static IP instead
- reconfigure fbx with the nominated static IP address (192.168.0.2), netmask (255.255.255.0) and gateway (192.168.0.1)
  - don't release the DHCP address (192.168.0.123); the server will have two IP addresses during this process
- when the static IP address settings are valid/successful (we could do an HTTP redirect dance to confirm):
  - add a firewall rule to block port 8080 access from all addresses other than the current client IP address (the rest of the configuration will need to be completed from the same client)
    - this could be relaxed to blocking only the gateway/router
  - HTTP redirect over to the static IP address on port 8080 at e.g. http://192.168.0.2:8080/
- get the user to pick a DNS resolver service:
  - their broadband router probably proxies to their ISP's DNS resolvers, so we could default to that, e.g. 192.168.0.1
  - 1.1.1.1 and 1.0.0.1 as fallback
  - 8.8.8.8 also an option
  - DNS resolver is another possibility for paid placement
- ask the user to tell us their domain name, e.g. 'example.com'
- ask the user to pick a hostname at their domain; we recommend 'fbx'
  - note that what we want is one single, global, unambiguous, well-branded hostname for this fbx, and something in the form 'fbx.example.com' is ideal
  - note that support for other domain aliases such as 'www.example.com' or 'blog.example.com' etc. can be added later at the user's option
- tell the user to add an A record for 'fbx' pointing at their public IP address
  - we could offer to auto-detect the public IP address
- configure our local Bind9 service:
  - with the DNS resolver nominated above
  - with an A record for 'fbx.example.com' pointing to 192.168.0.2
- configure our Bind9 resolver on the LAN:
  - tell user to configure the broadband router's DHCP server with DNS server 192.168.0.2
  - tell user to configure non-DHCP hosts with DNS server 192.168.0.2
  - tell user to add an /etc/hosts (or equivalent) entry `192.168.0.2 fbx.example.com` for any LAN hosts not using our Bind9 resolver (ideally there are no such hosts)
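The static-IP, firewall and LAN-DNS steps above leave a few things to check before they are applied: the chosen address has to sit inside the LAN, must not collide with the gateway or the network/broadcast address, and the configuring client must itself be on the LAN or the port 8080 rule locks it out. The following is an added example (not FreedomBox's own code) that validates such a plan and emits the LAN-side artefacts the process calls for; the nftables table/chain names and the zone file path are assumptions, and the zone is deliberately scoped to the single name fbx.example.com so that other names under example.com still go to the forwarders.

```python
"""Validate the static-IP plan from the process above and emit the LAN-side
artefacts (hosts line, port 8080 rule, Bind9 zone). Added example; not
FreedomBox code. nftables table/chain names and the zone path are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LanPlan:
    static_ip: str   # address the fbx will keep (192.168.0.2 in the table)
    netmask: str     # 255.255.255.0
    gateway: str     # the internet router, 192.168.0.1
    client_ip: str   # the browser doing the configuration, 192.168.0.37
    domain: str      # example.com
    hostname: str = "fbx"

    @property
    def fqdn(self) -> str:
        return f"{self.hostname}.{self.domain}"


def validate(plan: LanPlan) -> list:
    """Problems with the plan; an empty list means it can be applied."""
    try:
        net = ipaddress.IPv4Network(f"{plan.gateway}/{plan.netmask}", strict=False)
        ip = ipaddress.IPv4Address(plan.static_ip)
        client = ipaddress.IPv4Address(plan.client_ip)
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    problems = []
    if ip not in net:
        problems.append(f"{ip} is outside the LAN {net}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if str(ip) == plan.gateway:
        problems.append("the static IP must differ from the gateway")
    if client not in net:
        # the rule below only admits this client; an off-LAN client would be locked out
        problems.append(f"config client {client} is not on {net}")
    return problems


def port8080_rule(plan: LanPlan) -> str:
    """nftables rule admitting port 8080 only from the configuring client
    (assumes a table `inet filter` with an `input` chain already exists)."""
    return (f"nft add rule inet filter input tcp dport 8080 "
            f"ip saddr != {plan.client_ip} drop")


def hosts_line(plan: LanPlan) -> str:
    """/etc/hosts entry for LAN hosts that do not use the fbx resolver."""
    return f"{plan.static_ip} {plan.fqdn}"


def lan_zone(plan: LanPlan, serial: int) -> str:
    """Bind9 zone for the single name fbx.example.com: LAN clients get the LAN
    address while the public A record keeps the public IP (split horizon)."""
    return "\n".join([
        f"$ORIGIN {plan.fqdn}.",
        "$TTL 300",
        f"@  IN  SOA  {plan.fqdn}. hostmaster.{plan.domain}. ({serial} 3600 900 604800 300)",
        f"@  IN  NS   {plan.fqdn}.",
        f"@  IN  A    {plan.static_ip}",
        "",
    ])


def named_zone_stanza(plan: LanPlan, path: str = "/etc/bind/db.fbx.lan") -> str:
    """named.conf fragment loading the zone above (path is an assumption)."""
    return f'zone "{plan.fqdn}" {{ type master; file "{path}"; }};'


if __name__ == "__main__":
    plan = LanPlan("192.168.0.2", "255.255.255.0", "192.168.0.1",
                   "192.168.0.37", "example.com")
    print(validate(plan) or "plan ok")
    print(port8080_rule(plan))
    print(hosts_line(plan))
    print(named_zone_stanza(plan))
    print(lan_zone(plan, 2024010101))
```

Run it with the table's values and `validate` returns an empty list; swap in 192.168.0.1 or 192.168.0.255 as the static address and it names the conflict instead of letting the reconfiguration proceed.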
User wants to register their fbx on a new domain name on their static home IP address
User wants to register their fbx on their existing domain name on their dynamic home IP address
User wants to register their fbx on a new domain name on their dynamic home IP address
We might use the default RDNS name as the hostname of our mail server and the hostname for our MX records.
Processes
nmap discovery
Help user discover their fbx IPv4 address using an nmap command such as:
nmap -p 80 --open -sV 192.168.0.0/24
DHCP server status
Help user discover their fbx IPv4 address by reviewing the status of their DHCP server (often in the commodity internet router) and looking for 'freedombox' in the hostname or otherwise just trying allocated IP addresses to "see if they work".
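Both discovery methods above end with the same question: which host on the LAN answers on port 80 and looks like the fbx? The added example below (not FreedomBox's own code) parses nmap's grepable output, which you get by appending `-oG -` to the command shown, and ranks the hosts with port 80 open so that anything whose name mentions 'freedombox' comes first, which is the same hostname heuristic the DHCP-status method relies on. The scan output embedded in it is constructed, not captured from a real network.

```python
"""Pick fbx candidates out of nmap grepable output. Added example, not
FreedomBox code; assumes `nmap -p 80 --open -sV -oG - 192.168.0.0/24`."""
import re

# constructed sample output; hostnames are what the router's reverse DNS gave back
SAMPLE = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p 80 --open -sV -oG - 192.168.0.0/24
Host: 192.168.0.1 (router.lan)\tStatus: Up
Host: 192.168.0.1 (router.lan)\tPorts: 80/open/tcp//http//Boa HTTPd/\tIgnored State: closed (0)
Host: 192.168.0.123 (freedombox.lan)\tStatus: Up
Host: 192.168.0.123 (freedombox.lan)\tPorts: 80/open/tcp//http//Apache httpd 2.4.57 ((Debian))/
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_grepable(text: str) -> dict:
    """Return {ip: {"name": reverse-DNS name, "ports": {port: (state, service, version)}}}.

    Grepable lines are tab-separated fields; the Ports field lists entries as
    port/state/proto/owner/service/rpc/version/ (nmap writes '/' in versions as '|').
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else
        ip, name = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "ports": {}})
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                port, state, _proto, _owner, service, _rpc, version = item.split("/")[:7]
                entry["ports"][int(port)] = (state, service, version)
    return hosts


def candidates(hosts: dict, port: int = 80, hint: str = "freedombox") -> list:
    """(ip, name) pairs with `port` open, names containing `hint` first."""
    found = [(ip, h["name"]) for ip, h in hosts.items()
             if h["ports"].get(port, ("",))[0] == "open"]
    return sorted(found, key=lambda pair: (hint not in pair[1].lower(), pair[0]))


if __name__ == "__main__":
    for ip, name in candidates(parse_grepable(SAMPLE)):
        print(f"try http://{ip}/  ({name})")
```

The ranking only orders the guesses; a router with its own admin page on port 80 (as in the sample) still shows up, so the user is told to try the top entry first rather than told it is the fbx.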
Picking a DNS resolver
So we could go one of two ways when configuring our DNS resolvers:
- fbx -> router -> internet
- router -> fbx -> internet
The 'internet' resolvers could be one of:
- user's ISP DNS servers
- 1.1.1.1 and 1.0.0.1
- 8.8.8.8
- something else
Then we could either:
- make our fbx the DNS server on the LAN, which will defer to the router.
- make our router the DNS server on the LAN, which will defer to the fbx.
If we make the fbx the DNS server, then we need to update the DHCP settings on the router to point the DNS server to our fbx.
If we make the router the DNS server, then we need to update the DNS server settings on the router to point to our fbx.
Since it's six of one and half a dozen of the other, the way we will recommend is having the router be the primary LAN DNS server and the fbx as the DNS proxy to the internet. That means we need to configure the DNS server on the router to be our fbx IP address (192.168.0.2 in our example). Because our fbx will defer to the actual DNS server, we can offer choices (potentially paid placement) such as those listed as 'internet' DNS servers above.
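The recommended arrangement (LAN clients -> router -> fbx -> internet) has one trap worth making explicit: the earlier step that defaults the fbx's resolver to the router (192.168.0.1) is only valid in the other arrangement, because once the router forwards to the fbx, the fbx forwarding back to the router is a loop. The added example below (not FreedomBox's own code) picks the Bind9 forwarders for either topology, refuses the looping combination, generates the named.conf.options fragment, and walks the resulting chain for a LAN client's query so the loop is visible rather than silent; the router-side setting names are assumptions.

```python
"""Resolver topology from 'Picking a DNS resolver' and the Bind9 forwarder
settings it implies. Added example; not FreedomBox code."""

ROUTER_IP = "192.168.0.1"    # the internet router from the table
FBX_IP = "192.168.0.2"       # the fbx static address
INTERNET_RESOLVERS = {       # the 'internet' options listed on the page
    "cloudflare": ["1.1.1.1", "1.0.0.1"],
    "google": ["8.8.8.8"],
}


def forwarders_for(topology: str, upstream: list) -> list:
    """What Bind9 on the fbx should forward to.

    'router-first' (recommended): client -> router -> fbx -> internet. The fbx
        must forward to real internet resolvers; forwarding to the router would
        send the query straight back to the fbx.
    'fbx-first': client -> fbx -> router -> internet. The router is the fbx's
        upstream and proxies the ISP resolvers.
    """
    if topology == "fbx-first":
        return [ROUTER_IP]
    if topology == "router-first":
        if not upstream or any(a in (ROUTER_IP, FBX_IP) for a in upstream):
            raise ValueError(f"upstream {upstream} would loop through the LAN")
        return list(upstream)
    raise ValueError(f"unknown topology {topology!r}")


def router_setting(topology: str) -> tuple:
    """The one router setting the user has to change (setting names assumed)."""
    if topology == "router-first":
        return ("router's upstream DNS server", FBX_IP)
    return ("DNS server handed out by the router's DHCP", FBX_IP)


def named_options(forwarders: list, lan: str = "192.168.0.0/24") -> str:
    """named.conf.options fragment: answer only the LAN, forward everything."""
    fwd = " ".join(f"{a};" for a in forwarders)
    return "\n".join([
        "options {",
        '    directory "/var/cache/bind";',
        "    recursion yes;",
        f"    allow-query {{ localhost; {lan}; }};",   # not an open resolver
        f"    forwarders {{ {fwd} }};",
        "    forward only;",
        "    dnssec-validation auto;",
        "};",
    ])


def build_chain(topology: str, fbx_forwarder: str, isp: str = "isp-resolver") -> dict:
    """Next-hop map for a LAN client's query under the chosen topology."""
    if topology == "router-first":
        return {"client": ROUTER_IP, ROUTER_IP: FBX_IP, FBX_IP: fbx_forwarder}
    return {"client": FBX_IP, FBX_IP: fbx_forwarder, fbx_forwarder: isp}


def trace(chain: dict, start: str) -> list:
    """Walk the chain from `start`; raise if a hop repeats (forwarding loop)."""
    path, node = [start], start
    while node in chain:
        node = chain[node]
        if node in path:
            raise ValueError("forwarding loop: " + " -> ".join(path + [node]))
        path.append(node)
    return path


if __name__ == "__main__":
    fwd = forwarders_for("router-first", INTERNET_RESOLVERS["cloudflare"])
    print(router_setting("router-first"))
    print(named_options(fwd))
    print(" -> ".join(trace(build_chain("router-first", fwd[0]), "client")))
```

`allow-query` is restricted to the LAN on purpose: the fbx is about to be the forwarding resolver for the whole LAN, and without that line a Bind9 instance reachable from outside would answer recursive queries for anyone.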
HTTP redirect dance
- GET http://192.168.0.123/check
- 307 http://192.168.0.2/valid
- 307 http://192.168.0.123/valid # if we reach here our static IP is working and we can disable port 80
- 307 http://192.168.0.2:8080/
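The dance above works because step three can only be reached by a client that actually got an answer from the static address in step two. The added example below (not FreedomBox's own code) models the setup server's routing for the four URLs and a client that follows the redirects, treating an address it cannot reach as a failed connection, so both outcomes can be seen: a working static IP ends on port 8080 with port 80 disabled, and a broken one leaves port 80 open and the static IP unconfirmed. The nonce in the query string is an assumption added here so that a plain GET of /valid on the DHCP address cannot mark the static IP as confirmed without having passed through it.

```python
"""Simulated HTTP redirect dance for validating the static address. Added
example, not FreedomBox code; the query-string nonce is an assumption."""
import secrets
from urllib.parse import urlsplit, parse_qs

DHCP_IP = "192.168.0.123"   # address the fbx got from the router's DHCP
STATIC_IP = "192.168.0.2"   # static address being validated


class SetupServer:
    """Routing for the four URLs of the dance, with the state it needs."""

    def __init__(self):
        self.pending = {}              # nonce -> stage reached so far
        self.static_confirmed = False
        self.port80_open = True        # closed once the static address is proven

    def handle(self, url: str):
        """Return (status, Location) for a GET of `url`."""
        u = urlsplit(url)
        key = (u.hostname, u.port or 80, u.path)
        nonce = parse_qs(u.query).get("t", [None])[0]
        if key[1] == 80 and not self.port80_open:
            return 503, None
        if key == (DHCP_IP, 80, "/check"):
            nonce = secrets.token_urlsafe(16)
            self.pending[nonce] = "check"
            return 307, f"http://{STATIC_IP}/valid?t={nonce}"
        if key == (STATIC_IP, 80, "/valid") and self.pending.get(nonce) == "check":
            # answering here proves the static address is reachable from the client
            self.pending[nonce] = "static-seen"
            return 307, f"http://{DHCP_IP}/valid?t={nonce}"
        if key == (DHCP_IP, 80, "/valid") and self.pending.get(nonce) == "static-seen":
            # the client came back from the static address, so it works:
            # port 80 can be disabled and the client sent on to 8080
            del self.pending[nonce]
            self.static_confirmed = True
            self.port80_open = False
            return 307, f"http://{STATIC_IP}:8080/"
        if key == (STATIC_IP, 8080, "/"):
            return 200, None
        return 404, None


def follow(server: SetupServer, url: str, reachable: set, max_hops: int = 6):
    """Client side: follow redirects, treating hosts not in `reachable` as a
    failed connection (e.g. the static address was misconfigured).
    Returns (last URL, how the chain ended)."""
    for _ in range(max_hops):
        if urlsplit(url).hostname not in reachable:
            return url, "unreachable"
        status, location = server.handle(url)
        if status != 307:
            return url, f"status {status}"
        url = location
    return url, "too many redirects"


if __name__ == "__main__":
    good = SetupServer()
    print(follow(good, f"http://{DHCP_IP}/check", {DHCP_IP, STATIC_IP}),
          good.static_confirmed, good.port80_open)
    bad = SetupServer()
    print(follow(bad, f"http://{DHCP_IP}/check", {DHCP_IP}),
          bad.static_confirmed, bad.port80_open)
```

In the failing case the client is left looking at an unreachable static address, but the DHCP address still answers on port 80, so the user can go back to it and choose different settings; that is exactly why the process keeps the DHCP address during the switch.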