# 🗺️ Network Architecture & Container Services Diagram (LCBP3-DMS)
This diagram shows the network segmentation (VLANs), the firewall connectivity (ACLs), and the roles of the two servers (QNAP: Application, ASUSTOR: Infrastructure).
---
## 1. Overview of Server Role Division
```
┌──────────────────────────────────────────────────────────────────────────────┐
│                           LCBP3-DMS INFRASTRUCTURE                           │
├────────────────────────────────┬─────────────────────────────────────────────┤
│ QNAP TS-473A                   │ ASUSTOR AS5403T                             │
│ (Application & Database)       │ (Infrastructure & Backup)                   │
├────────────────────────────────┼─────────────────────────────────────────────┤
│ ✓ Application Runtime          │ ✓ File Storage (NFS/SMB)                    │
│ ✓ API / Web (NestJS, Next.js)  │ ✓ Backup Target (Restic/Borg)               │
│ ✓ Database (MariaDB Primary)   │ ✓ Docker Infra (Registry, Portainer)        │
│ ✓ High CPU / RAM usage         │ ✓ Monitoring (Prometheus, Grafana)          │
│ ✓ Worker / Queue (Redis)       │ ✓ Log Aggregation (Loki)                    │
│ ✓ API Gateway (NPM)            │ ✓ Uptime Monitoring (Uptime Kuma)           │
│ ✗ Not a long-term backup       │ ✗ No heavy app logic                        │
├────────────────────────────────┼─────────────────────────────────────────────┤
│ Container: Container Station   │ Container: Portainer                        │
│ IP: 192.168.10.8               │ IP: 192.168.10.9                            │
│ Storage: 4TB×4 RAID5 + 1TB SSD │ Storage: 6TB×3 RAID5 + 1TB SSD              │
└────────────────────────────────┴─────────────────────────────────────────────┘
```
---
## 2. Data Flow Diagram
```mermaid
flowchart TB
subgraph Internet["🌐 Internet"]
User[("👤 User")]
end
subgraph QNAP["💾 QNAP TS-473A (App Server)"]
NPM["🌲 NPM<br/>(Reverse Proxy)"]
Frontend["📱 Next.js<br/>(Frontend)"]
Backend["⚙️ NestJS<br/>(Backend API)"]
DB["🗄️ MariaDB"]
Redis["📦 Redis"]
ES["Elasticsearch"]
end
subgraph ASUSTOR["💾 ASUSTOR AS5403T (Infra Server)"]
Portainer["🐳 Portainer"]
Registry["📦 Registry"]
Prometheus["Prometheus"]
Grafana["Grafana"]
Uptime["⏱️ Uptime Kuma"]
Backup["💾 Restic/Borg"]
NFS["NFS Storage"]
end
User -->|HTTPS 443| NPM
NPM --> Frontend
NPM --> Backend
Frontend --> Backend
Backend --> DB
Backend --> Redis
Backend --> ES
DB -.->|Scheduled Backup| Backup
Backup --> NFS
Portainer -.->|Manage| QNAP
Prometheus -.->|Collect Metrics| Backend
Prometheus -.->|Collect Metrics| DB
Uptime -.->|Health Check| NPM
```
---
## 3. Docker Management View
```mermaid
flowchart TB
subgraph Portainer["🐳 Portainer (ASUSTOR - Central Management)"]
direction TB
subgraph LocalStack["📦 Local Infra Stack"]
Registry["Docker Registry"]
Prometheus["Prometheus"]
Grafana["Grafana"]
Uptime["Uptime Kuma"]
Backup["Restic/Borg"]
Loki["Loki (Logs)"]
ClamAV["ClamAV"]
end
subgraph RemoteStack["Remote: QNAP App Stack"]
Frontend["Next.js"]
Backend["NestJS"]
MariaDB["MariaDB"]
Redis["Redis"]
ES["Elasticsearch"]
NPM["NPM"]
Gitea["Gitea"]
N8N["n8n"]
PMA["phpMyAdmin"]
end
end
```
---
## 4. Security Zones Diagram
```mermaid
flowchart TB
subgraph PublicZone["PUBLIC ZONE"]
direction LR
NPM["NPM (Reverse Proxy)"]
SSL["SSL/TLS Termination"]
end
subgraph AppZone["📱 APPLICATION ZONE (QNAP)"]
direction LR
Frontend["Next.js"]
Backend["NestJS"]
N8N["n8n"]
Gitea["Gitea"]
end
subgraph DataZone["💾 DATA ZONE (QNAP - Internal Only)"]
direction LR
MariaDB["MariaDB"]
Redis["Redis"]
ES["Elasticsearch"]
end
subgraph InfraZone["🛠️ INFRASTRUCTURE ZONE (ASUSTOR)"]
direction LR
Backup["Backup Services"]
Registry["Docker Registry"]
Monitoring["Prometheus + Grafana"]
Logs["Loki / Syslog"]
end
PublicZone -->|HTTPS Only| AppZone
AppZone -->|Internal API| DataZone
DataZone -.->|Backup| InfraZone
AppZone -.->|Metrics| InfraZone
```
---
## 5. Network Connection Diagram (Network Flow)
```mermaid
graph TD
direction TB
subgraph Flow1["External Connection (Public WAN)"]
User["External User (Internet)"]
end
subgraph Router["Router (ER7206) - Gateway"]
User -- "Port 80/443 (HTTPS/HTTP)" --> ER7206
ER7206["Port Forwarding<br/>TCP 80 → 192.168.10.8:80<br/>TCP 443 → 192.168.10.8:443"]
end
subgraph VLANs["Internal Network (VLANs & Firewall Rules)"]
direction LR
subgraph VLAN10["VLAN 10: Servers<br/>192.168.10.x"]
QNAP["QNAP NAS<br/>(192.168.10.8)"]
ASUSTOR["ASUSTOR NAS<br/>(192.168.10.9)"]
end
subgraph VLAN20["VLAN 20: MGMT<br/>192.168.20.x"]
AdminPC["Admin PC / Switches"]
end
subgraph VLAN30["VLAN 30: USER<br/>192.168.30.x"]
OfficePC["Employee PC / Wi-Fi"]
end
subgraph VLAN70["VLAN 70: GUEST<br/>192.168.70.x"]
GuestPC["Guest Wi-Fi"]
end
subgraph Firewall["Firewall ACLs (OC200/ER7206)"]
direction TB
rule1["Rule 1: DENY<br/>Guest (VLAN 70) → All VLANs"]
rule2["Rule 2: DENY<br/>Server (VLAN 10) → User (VLAN 30)"]
rule3["Rule 3: ALLOW<br/>User (VLAN 30) → QNAP<br/>Ports: 443, 80"]
rule4["Rule 4: ALLOW<br/>MGMT (VLAN 20) → All"]
end
GuestPC -.-x|rule1| QNAP
QNAP -.-x|rule2| OfficePC
OfficePC -->|"rule3: https://lcbp3.np-dms.work"| QNAP
AdminPC -->|rule4| QNAP
AdminPC -->|rule4| ASUSTOR
end
ER7206 --> QNAP
subgraph DockerQNAP["Docker 'lcbp3' (QNAP - Applications)"]
direction TB
subgraph PublicServices["Services exposed externally by NPM"]
direction LR
NPM["NPM (Nginx Proxy Manager)"]
FrontendC["frontend:3000"]
BackendC["backend:3000"]
GiteaC["gitea:3000"]
PMAC["pma:80"]
N8NC["n8n:5678"]
end
subgraph InternalServices["Internal Services (Backend Only)"]
direction LR
DBC["mariadb:3306"]
CacheC["cache:6379"]
SearchC["search:9200"]
end
NPM -- "lcbp3.np-dms.work" --> FrontendC
NPM -- "backend.np-dms.work" --> BackendC
NPM -- "git.np-dms.work" --> GiteaC
NPM -- "pma.np-dms.work" --> PMAC
NPM -- "n8n.np-dms.work" --> N8NC
BackendC -- "lcbp3 Network" --> DBC
BackendC -- "lcbp3 Network" --> CacheC
BackendC -- "lcbp3 Network" --> SearchC
end
subgraph DockerASUSTOR["Docker 'lcbp3' (ASUSTOR - Infrastructure)"]
direction TB
subgraph InfraServices["Infrastructure Services"]
direction LR
PortainerC["portainer:9443"]
RegistryC["registry:5000"]
PrometheusC["prometheus:9090"]
GrafanaC["grafana:3000"]
UptimeC["uptime-kuma:3001"]
end
subgraph BackupServices["Backup & Storage"]
direction LR
ResticC["restic/borg"]
NFSC["NFS Share"]
end
PortainerC -.->|"Remote Endpoint"| NPM
PrometheusC -.->|"Scrape Metrics"| BackendC
ResticC --> NFSC
end
QNAP --> NPM
ASUSTOR --> PortainerC
DBC -.->|"Scheduled Backup"| ResticC
```
---
## 6. Firewall ACL Configuration Summary (for Omada OC200)
These are the rules you need to create under **Settings > Network Security > ACL** (ordered top to bottom):
| No. | Name | Policy | Source | Destination | Ports |
| :---- | :--------------------- | :-------- | :---------------- | :------------------------ | :----------------------------------- |
| **1** | Isolate-Guests | **Deny** | Network → VLAN 70 | Network → VLAN 10, 20, 30 | All |
| **2** | Isolate-Servers | **Deny** | Network → VLAN 10 | Network → VLAN 30 (USER) | All |
| **3** | Block-User-to-Mgmt | **Deny** | Network → VLAN 30 | Network → VLAN 20 (MGMT) | All |
| **4** | Allow-User-to-Services | **Allow** | Network → VLAN 30 | IP → QNAP (192.168.10.8) | Port Group → Web (443, 80, 81, 2222) |
| **5** | Allow-MGMT-to-All | **Allow** | Network → VLAN 20 | Any | All |
| **6** | Allow-Server-Internal | **Allow** | IP → 192.168.10.8 | IP → 192.168.10.9 | All (QNAP → ASUSTOR) |
| **7** | (Default) | Deny | Any | Any | All |
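As an added example (not part of the original document or the Omada product), the ACL table above encoded as a first-match evaluator, so the intended effect of the rule order can be checked against sample flows before the rules go onto the controller. It assumes /24 subnets for each VLAN (the page only gives 192.168.x.x) and that the gateway evaluates the list top-down with the first match winning; the sample flows are constructed.

```python
from ipaddress import ip_address, ip_network

# VLAN subnets from the page; the /24 masks are an assumption.
VLANS = {
    10: ip_network("192.168.10.0/24"),  # Servers
    20: ip_network("192.168.20.0/24"),  # MGMT
    30: ip_network("192.168.30.0/24"),  # USER
    70: ip_network("192.168.70.0/24"),  # GUEST
}
QNAP = ip_address("192.168.10.8")
ASUSTOR = ip_address("192.168.10.9")
WEB_PORTS = {443, 80, 81, 2222}  # Port Group "Web" referenced by rule 4


def in_vlan(*ids):
    """Matcher: the address belongs to one of the given VLANs."""
    return lambda ip: any(ip in VLANS[i] for i in ids)


def is_host(addr):
    """Matcher: the address equals one specific host."""
    return lambda ip: ip == addr


def any_addr(ip):
    return True

# (name, policy, source matcher, destination matcher, ports or None for "All"),
# in the order the rules are created on the OC200 (top to bottom).
ACL = [
    ("Isolate-Guests",         "Deny",  in_vlan(70),   in_vlan(10, 20, 30), None),
    ("Isolate-Servers",        "Deny",  in_vlan(10),   in_vlan(30),         None),
    ("Block-User-to-Mgmt",     "Deny",  in_vlan(30),   in_vlan(20),         None),
    ("Allow-User-to-Services", "Allow", in_vlan(30),   is_host(QNAP),       WEB_PORTS),
    ("Allow-MGMT-to-All",      "Allow", in_vlan(20),   any_addr,            None),
    ("Allow-Server-Internal",  "Allow", is_host(QNAP), is_host(ASUSTOR),    None),
    ("(Default)",              "Deny",  any_addr,      any_addr,            None),
]


def evaluate(src, dst, port):
    """Return (policy, rule name) of the first rule matching the flow.
    Assumes top-down, first-match evaluation on the gateway."""
    s, d = ip_address(src), ip_address(dst)
    for name, policy, src_ok, dst_ok, ports in ACL:
        if src_ok(s) and dst_ok(d) and (ports is None or port in ports):
            return policy, name
    raise RuntimeError("unreachable: the default rule matches every flow")


if __name__ == "__main__":  # constructed sample flows
    for flow in [("192.168.30.5", "192.168.10.8", 443), ("192.168.10.9", "192.168.10.8", 9100)]:
        print(flow, evaluate(*flow))
```

Running the ASUSTOR → QNAP direction (the Prometheus scrape and Portainer remote endpoint drawn in section 5) through the evaluator shows it falling to the default deny, since rule 6 only allows QNAP → ASUSTOR; whether that matters depends on whether traffic inside VLAN 10 actually traverses this ACL, which is worth confirming on the controller.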
---
## 7. Port Forwarding Configuration Summary (for Omada ER7206)
These are the rules you need to create under **Settings > Transmission > Port Forwarding**:
| Name | External Port | Internal IP | Internal Port | Protocol |
| :-------------- | :------------ | :----------- | :------------ | :------- |
| Allow-NPM-HTTPS | 443 | 192.168.10.8 | 443 | TCP |
| Allow-NPM-HTTP | 80 | 192.168.10.8 | 80 | TCP |
> **Note**: Port forwarding goes to QNAP (NPM) only; ASUSTOR should not accept traffic from outside.
---
## 8. Container Service Distribution
### QNAP (192.168.10.8) - Application Services
| Container | Port | Domain | Network |
| :------------ | :--- | :------------------ | :------ |
| npm | 81 | npm.np-dms.work | lcbp3 |
| frontend | 3000 | lcbp3.np-dms.work | lcbp3 |
| backend | 3000 | backend.np-dms.work | lcbp3 |
| mariadb | 3306 | (internal) | lcbp3 |
| cache (redis) | 6379 | (internal) | lcbp3 |
| search (es) | 9200 | (internal) | lcbp3 |
| gitea | 3000 | git.np-dms.work | lcbp3 |
| n8n | 5678 | n8n.np-dms.work | lcbp3 |
| pma | 80 | pma.np-dms.work | lcbp3 |
### ASUSTOR (192.168.10.9) - Infrastructure Services
| Container | Port | Domain | Network |
| :------------ | :--- | :--------------------- | :------ |
| portainer | 9443 | portainer.np-dms.work | lcbp3 |
| prometheus | 9090 | prometheus.np-dms.work | lcbp3 |
| grafana | 3000 | grafana.np-dms.work | lcbp3 |
| uptime-kuma | 3001 | uptime.np-dms.work | lcbp3 |
| registry | 5000 | registry.np-dms.work | lcbp3 |
| node-exporter | 9100 | (internal) | lcbp3 |
| cadvisor | 8080 | (internal) | lcbp3 |
| loki | 3100 | (internal) | lcbp3 |
| restic/borg | N/A | (scheduled job) | host |
---
## 9. Backup Flow
```
┌────────────────────────────────────────────────────────────────────────┐
│                            BACKUP STRATEGY                             │
├────────────────────────────────────────────────────────────────────────┤
│                                                                        │
│   QNAP (Source)                          ASUSTOR (Target)              │
│   ┌──────────────┐                       ┌──────────────────────┐      │
│   │   MariaDB    │ ──── Daily 2AM ─────▶ │ /volume1/backup/db/  │      │
│   │ (mysqldump)  │                       │ (Restic Repository)  │      │
│   └──────────────┘                       └──────────────────────┘      │
│                                                                        │
│   ┌──────────────┐                       ┌──────────────────────┐      │
│   │  Redis RDB   │ ──── Daily 3AM ─────▶ │ /volume1/backup/     │      │
│   │    + AOF     │                       │   redis/             │      │
│   └──────────────┘                       └──────────────────────┘      │
│                                                                        │
│   ┌──────────────┐                       ┌──────────────────────┐      │
│   │  App Config  │ ──── Weekly ────────▶ │ /volume1/backup/     │      │
│   │  + Volumes   │      Sunday 4AM       │   config/            │      │
│   └──────────────┘                       └──────────────────────┘      │
│                                                                        │
│   Retention Policy:                                                    │
│   • Daily: 7 days                                                      │
│   • Weekly: 4 weeks                                                    │
│   • Monthly: 6 months                                                  │
│                                                                        │
└────────────────────────────────────────────────────────────────────────┘
```
---
> **Note**: This document is based on Architecture Document **v1.8.0** - Last updated: 2026-01-28