Network documentation

This section gathers the knowledge base for our network components.

Network architecture

The network is split into several VLANs provided by the INRIA network team:

Firewalls

The firewalls are two OPNsense VMs deployed on the Proxmox cluster in a High Availability configuration.

They share a CARP virtual IP (VIP) on each VLAN, which acts as the gateway for that VLAN. Only one of the two firewalls owns all the gateway VIPs at a given time; the owner is called the PRIMARY (its VIPs show the status MASTER on the CARP status page, the other firewall's VIPs show BACKUP).

Nominal role   Name (link to the inventory)   Login page
PRIMARY        pushkin                        https://pushkin.internal.softwareheritage.org
BACKUP         glyptotek                      https://glyptotek.internal.softwareheritage.org

Configuration backup

The configuration is automatically committed to a git repository. Each firewall regularly pushes its configuration to a dedicated branch of the repository.

The configuration backups are visible on the System / Configuration / Backups page of each firewall.
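Before an upgrade it is worth checking that the last pushed configuration of each firewall is recent, so that a known-good config.xml exists to roll back to. The script below is an added example, not part of the Software Heritage documentation or of OPNsense. The page only says that each firewall pushes to a dedicated branch: the repository path, the branch names (one per firewall hostname) and the freshness limit are assumptions, and the sample repository it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the Software Heritage documentation): check that
# the configuration backup branch of each firewall carries a recent commit.
# Assumptions: the backup repository is a plain git repository reachable on
# disk, and each firewall pushes to a branch named after its hostname.

# Print the age in seconds of the last commit on <branch> in <repo>.
# Returns 2 (and prints nothing) when the branch does not exist.
config_backup_age() {
    repo=$1
    branch=$2
    last=$(git -C "$repo" log -1 --format=%ct "$branch" 2>/dev/null) || return 2
    echo $(( $(date +%s) - last ))
}

# Usage: check_config_backups <repo> <max-age-seconds> <branch>...
# Returns 0 when every branch has a commit younger than <max-age-seconds>,
# 1 otherwise (missing branch or stale backup), with the reason on stderr.
check_config_backups() {
    repo=$1
    max_age=$2
    shift 2
    rc=0
    for branch in "$@"; do
        age=$(config_backup_age "$repo" "$branch") || {
            echo "$branch: no such branch in $repo" >&2
            rc=1
            continue
        }
        if [ "$age" -gt "$max_age" ]; then
            echo "$branch: last backup is ${age}s old (limit ${max_age}s)" >&2
            rc=1
        fi
    done
    return $rc
}

# Build a throwaway repository with the assumed layout (one branch per
# firewall, each holding a config.xml) so the check can be run offline.
# The commits and their content are constructed for this example.
make_sample_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    for fw in pushkin glyptotek; do
        git -C "$repo" checkout -q --orphan "$fw"
        printf '<opnsense/>\n' > "$repo/config.xml"
        git -C "$repo" add config.xml
        git -C "$repo" -c user.name=backup -c user.email=backup@example.invalid \
            commit -q -m "$fw: config backup"
    done
    echo "$repo"
}
```

Against the real repository you would run something like `check_config_backups /path/to/backup-repo 86400 pushkin glyptotek` (path and branch names to be adapted) right before the "Preparation" steps; a non-zero exit means one firewall has not pushed for a day, which is the moment to look at its git backup settings rather than to start the upgrade.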

Upgrade procedure

Initial status

This is the nominal status of the firewalls:

Firewall    Status
pushkin     PRIMARY
glyptotek   BACKUP

Preparation
  • Connect to the PRIMARY (pushkin here)

  • Check the CARP status to ensure this firewall is the PRIMARY (it must have the status MASTER for all the VIPs)

  • Connect to the BACKUP (glyptotek here)

  • Check the CARP status to ensure this firewall is the BACKUP (it must have the status BACKUP for all the VIPs)

  • Ensure the two firewalls are in sync:

    • On the PRIMARY, go to the High Availability status page and force a synchronization

    • click on the button on the right of Synchronize config to backup

../_images/sync.png
  • Switch the PRIMARY/BACKUP roles to prepare the upgrade of the current PRIMARY (the switch is transparent from the user perspective and can be done without service interruption):

    • [1] On the PRIMARY, go to the Virtual IPs status page

    • Activate the persistent CARP maintenance mode

    ../_images/carp_maintenance.png
    • check the status of the VIPs: they must be BACKUP on pushkin and MASTER on glyptotek

  • wait a few minutes to let the monitoring detect connection issues, if any, and check the ssh connection to several servers on different VLANs (staging, admin, …)

If everything is ok, proceed to the next section.
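The procedure checks the CARP status several times (all VIPs MASTER on one node, all BACKUP on the other, before and after each role switch). The following script is an added example, not part of the Software Heritage documentation or of OPNsense: it performs that check from the `ifconfig` output of a node, which on FreeBSD (and therefore OPNsense) reports each VIP as an indented `carp: <STATE> vhid <n> ...` line under its interface. The interface names, addresses and vhids in the samples are constructed; on a firewall you would feed it the live `ifconfig` output.

```shell
#!/bin/sh
# Added example (not part of the Software Heritage documentation): verify,
# from FreeBSD/OPNsense `ifconfig` output, that every CARP virtual IP on a
# node is in the expected state (MASTER or BACKUP) before and after a role
# switch.  All interface names, addresses and vhids below are constructed.

# Print one "<interface> <vhid> <state>" line per CARP VIP found on stdin.
# ifconfig prints the state as an indented line under the interface, e.g.
#   carp: MASTER vhid 1 advbase 1 advskew 0
carp_states() {
    awk '
        /^[A-Za-z0-9_.]+:/     { iface = $1; sub(":", "", iface) }
        /^[[:space:]]*carp:/   { print iface, $4, $2 }
    '
}

# Usage: check_carp_role <MASTER|BACKUP> < ifconfig-output
# Returns 0 when at least one VIP exists and all of them are in the given
# state; 1 when some VIP is in another state (a half-done failover, or a VLAN
# where CARP advertisements do not get through); 2 when no VIP is found at
# all (wrong host, or CARP not configured).
check_carp_role() {
    expected=$1
    states=$(carp_states)
    if [ -z "$states" ]; then
        echo "no CARP VIP found" >&2
        return 2
    fi
    bad=$(printf '%s\n' "$states" | awk -v want="$expected" '$3 != want')
    if [ -n "$bad" ]; then
        printf 'VIPs not in state %s:\n%s\n' "$expected" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a node that is MASTER for its two VIPs (one per VLAN).
SAMPLE_MASTER='vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 2
        carp: MASTER vhid 2 advbase 1 advskew 0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Constructed sample: the same node with a split state, MASTER on one VLAN and
# BACKUP on the other.  This is the situation the procedure tells you to rule
# out before touching the firmware; the check must reject it.
SAMPLE_SPLIT=$(printf '%s\n' "$SAMPLE_MASTER" \
    | sed 's/carp: MASTER vhid 2 advbase 1 advskew 0/carp: BACKUP vhid 2 advbase 1 advskew 100/')

# On a firewall, set CARP_EXPECT to the expected state to check the live
# output, e.g. `CARP_EXPECT=MASTER sh carp_check.sh` on the PRIMARY.
if [ -n "${CARP_EXPECT:-}" ]; then
    ifconfig | check_carp_role "$CARP_EXPECT"
    exit $?
fi
```

Run it with `CARP_EXPECT=MASTER` on the node that should be PRIMARY and with `CARP_EXPECT=BACKUP` on the other one at each "check the status of the VIPs" step; an exit status of 1 with a list of VIPs on stderr means the roles are not consistent across VLANs and the upgrade should not proceed.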

Upgrade the first firewall

Before starting this section, the firewall statuses should be:

Firewall    Status
pushkin     BACKUP
glyptotek   PRIMARY

If not, be sure of what you are doing and adapt the names and links accordingly

  • [2] On the current BACKUP (pushkin here), go to the System / Firmware page and click on Check for upgrades

../_images/check_for_upgrade.png
  • follow the instructions shown by the interface; one or several reboots may be necessary depending on the number of upgrades to apply

../_images/proceed_update.png
  • repeat from the Check for upgrades operation until there are no more upgrades to apply

  • Switch the roles back to restore pushkin as the PRIMARY:

    • on the current BACKUP (pushkin here), go to the Virtual IPs status page

    • [3] click on Leave Persistent CARP Maintenance Mode

    ../_images/reactivate_carp.png
    • refresh the page: the role should have changed from BACKUP to MASTER for all the VIPs

    • check on the other firewall (glyptotek here) that the role is indeed BACKUP for all the VIPs

  • Wait a few moments to make sure everything works with the new version

Upgrade the second firewall

Before starting this section, the firewall statuses should be:

Firewall    Status
pushkin     PRIMARY
glyptotek   BACKUP

If not, be sure of what you are doing and adapt the names and links accordingly

  • Proceed to the upgrade of the second firewall, this time without changing the roles (the BACKUP is upgraded while the PRIMARY keeps serving):

    • perform [1] on the BACKUP (should be glyptotek here): activate the persistent CARP maintenance mode. The roles do not change in this case: glyptotek stays BACKUP and pushkin stays MASTER for all the VIPs

    • perform [2] on the BACKUP (should be glyptotek here): check for upgrades and apply them, rebooting as requested, until there are no more upgrades to apply

    • perform [3] on the BACKUP (should be glyptotek here): leave the persistent CARP maintenance mode, then check that glyptotek is BACKUP and pushkin MASTER for all the VIPs