# **Network Architecture & Firewall Diagram (LCBP3-DMS)**

This diagram shows the network segmentation (VLANs) and the firewall rules (ACLs) for TP-Link Omada (ER7206/OC200) that protect the QNAP NAS and the Docker services running on it.

## **1. Connection Flow Diagram**

```mermaid
graph TD
    subgraph Flow1 ["External connection (Public WAN)"]
        User["External user (Internet)"]
    end

    subgraph Router ["Router (ER7206) - Gateway"]
        User -- "Port 80/443 (HTTP/HTTPS)" --> ER7206
        ER7206("Port Forwarding<br/>TCP 80 -> 192.168.10.100:80<br/>TCP 443 -> 192.168.10.100:443")
    end

    subgraph VLANs ["Internal network (VLANs & Firewall Rules)"]
        direction LR
        subgraph VLAN10 ["VLAN 10: Servers (DMZ)<br/>192.168.10.x"]
            QNAP["QNAP NAS (192.168.10.100)"]
        end
        subgraph VLAN20 ["VLAN 20: Office<br/>192.168.20.x"]
            OfficePC["Staff PCs / Wi-Fi"]
        end
        subgraph VLAN30 ["VLAN 30: Guests<br/>192.168.30.x"]
            GuestPC["Guest Wi-Fi"]
        end
        subgraph Firewall ["Firewall ACLs (controlled by OC200)"]
            direction TB
            rule1("Rule 1: DENY<br/>Guest (VLAN 30) -> All VLANs")
            rule2("Rule 2: DENY<br/>Server (VLAN 10) -> Office (VLAN 20)")
            rule3("Rule 3: ALLOW<br/>Office (VLAN 20) -> QNAP (192.168.10.100)<br/>Ports: 443, 80, 81, 2222")
        end
        %% --- Effect of the firewall rules ---
        GuestPC -.-x|rule1| QNAP
        QNAP -.-x|rule2| OfficePC
        OfficePC -->|"rule3: https://lcbp3.np-dms.work"| QNAP
    end

    %% --- Router to QNAP ---
    ER7206 --> QNAP

    subgraph Docker ["Docker network 'lcbp3' (inside the QNAP)"]
        direction TB
        subgraph PublicServices ["Services exposed externally through NPM"]
            direction LR
            NPM["NPM (Nginx Proxy Manager)<br/>receives traffic from the QNAP"]
            Frontend(frontend:3000)
            Backend(backend:3000)
            Gitea(gitea:3000)
            PMA(pma:80)
            N8N(n8n:5678)
        end
        subgraph InternalServices ["Internal services (reachable from Backend only)"]
            direction LR
            DB(mariadb:3306)
            Cache(cache:6379)
            Search(search:9200)
        end
        %% --- Connections inside Docker ---
        NPM -- "lcbp3.np-dms.work" --> Frontend
        NPM -- "backend.np-dms.work" --> Backend
        NPM -- "git.np-dms.work" --> Gitea
        NPM -- "pma.np-dms.work" --> PMA
        NPM -- "n8n.np-dms.work" --> N8N
        Backend -- "lcbp3 network" --> DB
        Backend -- "lcbp3 network" --> Cache
        Backend -- "lcbp3 network" --> Search
    end

    %% --- QNAP to Docker ---
    QNAP --> NPM

    %% --- Styling ---
    classDef default fill:#f9f9f9,stroke:#333,stroke-width:2px;
    classDef router fill:#e6f7ff,stroke:#0056b3,stroke-width:2px;
    classDef vlan fill:#fffbe6,stroke:#d46b08,stroke-width:2px;
    classDef docker fill:#e6ffed,stroke:#096dd9,stroke-width:2px;
    classDef internal fill:#f0f0f0,stroke:#595959,stroke-width:2px,stroke-dasharray: 5 5;
    classDef fw fill:#fff0f0,stroke:#d9363e,stroke-width:2px,stroke-dasharray: 3 3;
    class Router,ER7206 router;
    class VLANs,VLAN10,VLAN20,VLAN30 vlan;
    class Docker,PublicServices,InternalServices docker;
    class DB,Cache,Search internal;
    class Firewall,rule1,rule2,rule3 fw;
```

## **2. Firewall ACL Configuration Summary (for Omada OC200)**

These are the rules you need to create under Settings > Network Security > ACL (listed in order from top to bottom):

| No. | Name | Policy | Source | Destination | Ports |
| :---- | :---- | :---- | :---- | :---- | :---- |
| **1** | Isolate-Guests | **Deny** | Network -> VLAN 30 (Guests) | Network -> VLAN 1, 10, 20 | All |
| **2** | Isolate-Servers | **Deny** | Network -> VLAN 10 (Servers) | Network -> VLAN 20 (Office) | All |
| **3** | Block-Office-to-Mgmt | **Deny** | Network -> VLAN 20 (Office) | Network -> VLAN 1 (Mgmt) | All |
| **4** | Allow-Office-to-Services | **Allow** | Network -> VLAN 20 (Office) | IP Group -> QNAP_Services (192.168.10.100) | Port Group -> Web_Services (443, 80, 81, 2222) |
| **5** | (Default) | Allow | Any | Any | All |

Rules are matched from the top down and the first match wins. Two consequences of this table are worth checking: because rule 5 allows everything that no earlier rule denies, rule 4 does not by itself restrict Office clients to the four listed ports, so they can still reach 192.168.10.100 on any other port until the default is changed to Deny. Rule 2 also denies all traffic from VLAN 10 to VLAN 20, so replies from the QNAP to Office clients are only permitted where the ACL is applied as a stateful Gateway ACL; a stateless Switch ACL would drop them.

## **3. Port Forwarding Configuration Summary (for Omada ER7206)**

These are the rules you need to create under Settings > Transmission > Port Forwarding:

| Name | External Port | Internal IP | Internal Port | Protocol |
| :---- | :---- | :---- | :---- | :---- |
| Allow-NPM-HTTPS | 443 | 192.168.10.100 | 443 | TCP |
| Allow-NPM-HTTP | 80 | 192.168.10.100 | 80 | TCP |
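To check what the ACL table in section 2 actually permits before committing it to the OC200, the following added example (not part of this document) models the five rules with first-match semantics and evaluates a few constructed flows. The VLAN 1 (Mgmt) subnet 192.168.1.0/24 is an assumption; the page does not state it.

```python
import ipaddress

# Constructed model of the OC200 ACL table from section 2; first match wins.
# VLAN 10/20/30 subnets follow the diagram; VLAN 1 (Mgmt) is assumed to be
# 192.168.1.0/24, which the page does not state.
VLANS = {
    1: ipaddress.ip_network("192.168.1.0/24"),    # Mgmt (assumed subnet)
    10: ipaddress.ip_network("192.168.10.0/24"),  # Servers (DMZ)
    20: ipaddress.ip_network("192.168.20.0/24"),  # Office
    30: ipaddress.ip_network("192.168.30.0/24"),  # Guests
}
QNAP_SERVICES = ipaddress.ip_network("192.168.10.100/32")  # IP group
WEB_SERVICES = {443, 80, 81, 2222}                          # Port group

# (name, policy, source nets, destination nets, ports); None means "Any"/"All"
ACL = [
    ("Isolate-Guests", "Deny", [VLANS[30]], [VLANS[1], VLANS[10], VLANS[20]], None),
    ("Isolate-Servers", "Deny", [VLANS[10]], [VLANS[20]], None),
    ("Block-Office-to-Mgmt", "Deny", [VLANS[20]], [VLANS[1]], None),
    ("Allow-Office-to-Services", "Allow", [VLANS[20]], [QNAP_SERVICES], WEB_SERVICES),
    ("(Default)", "Allow", None, None, None),
]


def _matches(addr, nets):
    """True when the rule field is Any (None) or the address is in a listed network."""
    return nets is None or any(addr in net for net in nets)


def evaluate(src, dst, port):
    """Return (policy, rule name) of the first ACL entry matching a src->dst:port flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, policy, srcs, dsts, ports in ACL:
        if _matches(s, srcs) and _matches(d, dsts) and (ports is None or port in ports):
            return policy, name
    raise RuntimeError("no rule matched; the table must end with a default rule")


if __name__ == "__main__":
    for flow in [("192.168.30.5", "192.168.10.100", 443),   # guest -> QNAP
                 ("192.168.10.100", "192.168.20.7", 445),   # server -> office
                 ("192.168.20.7", "192.168.10.100", 443),   # office -> QNAP web
                 ("192.168.20.7", "192.168.10.100", 3306)]: # office -> QNAP, unlisted port
        print(flow, "->", evaluate(*flow))
```

The last flow shows the effect of the default rule: an Office client reaching the QNAP on a port outside Web_Services is still allowed by rule 5, not denied.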