Edge & Traffic Policy
This document describes the design and behavior of the network edge, including WAN connectivity, routing strategy, firewall posture, and traffic shaping.
The goal is consistent latency and predictable behavior under load, not maximum aggregate throughput.
Design principles: see Lab Philosophy.
Edge Router
The network edge is implemented using a single router:
- Platform: MikroTik RB5009UG+S+
- OS: RouterOS v7.20.6
- Role: WAN termination, routing, firewalling, QoS
All VLANs are terminated on the edge router using a router-on-a-stick model. Switches operate strictly at Layer 2.
WAN Connectivity
Two independent WAN connections are in use:
Spectrum (Primary)
- Interface: ether1-WAN-Spectrum
- Medium: DOCSIS cable
- Provisioned speed: ~1 Gbps down / 40 Mbps up
- Addressing: Dynamic IPv4
AT&T (Secondary)
- Interface: ether2-WAN-ATT
- Medium: VDSL2
- Provisioned speed: ~100 Mbps down / 20 Mbps up
- Addressing: Static IPv4 (business service)
Both links are active and shaped independently.
Routing Strategy
The network primarily uses static routing.
Selective dynamic behavior is introduced via an internal control project (wanctl) that adjusts policy routing and traffic steering based on measured conditions.
This approach allows adaptive behavior without introducing a fully dynamic routing protocol or distributed control plane.
At present, wanctl is treated as an internal implementation detail and is not fully documented.
VLAN Overview
| VLAN | Name | Purpose | Network Policy Summary |
|---|---|---|---|
| 99 | Mgmt | Infrastructure management | Restricted, no WAN access |
| 110 | Trusted | Users and servers | WAN allowed, inter-VLAN controlled |
| 120 | IoT | Embedded and consumer gear | WAN allowed, no lateral access |
| 130 | Camera | Video sources | No WAN, ZoneMinder-only access |
Firewall Philosophy
The firewall is designed around explicit trust boundaries:
- Default deny on inbound traffic from WAN
- Default allow outbound traffic, with exceptions
- Inter-VLAN isolation enforced at the router
Additional restrictions apply to sensitive segments:
- Camera networks have no WAN egress.
- Camera devices are permitted to communicate only with the dedicated ZoneMinder VM on the trusted network.
- All other inter-VLAN and outbound access is explicitly denied.
- Management networks are tightly limited in scope and access.
Rules favor clarity and auditability over compactness.
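The following RouterOS v7 fragment is an added illustration of the trust boundaries listed above, written for this page and not taken from the lab's actual configuration. It uses the two WAN interface names given on this page; the VLAN interface names (vlan99-mgmt, vlan110-trusted, vlan120-iot, vlan130-camera) and the ZoneMinder address (10.110.0.50) are placeholders chosen here to match the VLAN table.

```routeros
# Added example (not the lab's own config). Interface names for VLANs and the
# ZoneMinder address are placeholders; WAN interface names come from this page.
/interface list
add name=WAN comment="both upstream circuits"
add name=LAN comment="all router-on-a-stick VLAN interfaces"
/interface list member
add list=WAN interface=ether1-WAN-Spectrum
add list=WAN interface=ether2-WAN-ATT
add list=LAN interface=vlan99-mgmt
add list=LAN interface=vlan110-trusted
add list=LAN interface=vlan120-iot
add list=LAN interface=vlan130-camera

/ip firewall address-list
add list=zoneminder address=10.110.0.50 comment="ZoneMinder VM on Trusted (placeholder address)"

# Traffic to the router itself
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep existing flows"
add chain=input action=drop connection-state=invalid
add chain=input action=drop in-interface-list=WAN comment="default deny inbound from WAN"
add chain=input action=accept in-interface=vlan99-mgmt protocol=tcp dst-port=22,8291 \
    comment="router management (ssh/winbox) only from Mgmt VLAN"
add chain=input action=drop protocol=tcp dst-port=22,8291 comment="management from any other segment"

# Traffic through the router (inter-VLAN and WAN)
add chain=forward action=accept connection-state=established,related comment="replies to permitted flows"
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN \
    comment="default deny unsolicited inbound from WAN"
# Camera VLAN: ZoneMinder is the only permitted destination, everything else is dropped
add chain=forward action=accept in-interface=vlan130-camera dst-address-list=zoneminder \
    comment="Camera -> ZoneMinder only"
add chain=forward action=drop in-interface=vlan130-camera comment="Camera: no WAN, no other VLAN"
# Mgmt VLAN: no WAN egress
add chain=forward action=drop in-interface=vlan99-mgmt out-interface-list=WAN comment="Mgmt: no WAN"
# IoT VLAN: WAN only, no lateral movement into other VLANs
add chain=forward action=drop in-interface=vlan120-iot out-interface-list=LAN comment="IoT: no lateral access"
# Everything else may leave to the WAN; inter-VLAN flows not accepted above are denied
add chain=forward action=accept out-interface-list=WAN comment="default allow outbound"
add chain=forward action=drop comment="inter-VLAN must be explicitly allowed above"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="source NAT on whichever WAN carries the flow"
```

Each segment's policy is one or two adjacent rules with a comment naming the VLAN, which is what makes a later review (as described under Design Notes) a line-by-line comparison against this document rather than a reconstruction. Any Trusted-to-IoT or Mgmt-to-VLAN exception the lab permits would be added as an explicit accept ahead of the final forward drop. No fasttrack rule is included on purpose: fasttracked packets bypass mangle and global queue trees, which would defeat the per-WAN shapers described below.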
Traffic Shaping & QoS
Traffic shaping is a first-class component of the network design.
- Algorithm: CAKE
- Mode: diffserv4
- Deployment: Dual WAN, independent shapers per link
- Shaping rate: ~90% of provisioned bandwidth per circuit
Latency-sensitive traffic such as VoIP, gaming, and video calls is prioritized to remain responsive even during sustained load or backup activity.
Shaping parameters are actively managed and adjusted by the control plane rather than remaining static.
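As an added example of the per-link CAKE deployment described above (written for this page, not the lab's own configuration), the RouterOS v7 fragment below builds one diffserv4 shaper per direction per WAN. The rates are the page's provisioned figures reduced to the stated ~90%; the queue and packet-mark names are chosen here, and the final line shows the kind of adjustment the control plane is said to make rather than any real wanctl command.

```routeros
# Added example (not the lab's own config). Rates are 90% of the provisioned
# speeds stated on this page; queue names and packet marks are placeholders.
/queue type
add name=cake-spectrum-up   kind=cake cake-diffserv=diffserv4 cake-bandwidth=36M  cake-nat=yes cake-flowmode=dual-srchost
add name=cake-spectrum-down kind=cake cake-diffserv=diffserv4 cake-bandwidth=900M cake-nat=yes cake-flowmode=dual-dsthost
add name=cake-att-up        kind=cake cake-diffserv=diffserv4 cake-bandwidth=18M  cake-nat=yes cake-flowmode=dual-srchost
add name=cake-att-down      kind=cake cake-diffserv=diffserv4 cake-bandwidth=90M  cake-nat=yes cake-flowmode=dual-dsthost

# Ingress from each WAN is marked so the download shaper can be selected per circuit
/ip firewall mangle
add chain=prerouting in-interface=ether1-WAN-Spectrum action=mark-packet new-packet-mark=spectrum-down passthrough=no
add chain=prerouting in-interface=ether2-WAN-ATT      action=mark-packet new-packet-mark=att-down      passthrough=no

# Upload shapers sit on the WAN interface egress; download shapers are global and keyed by packet mark
/queue tree
add name=spectrum-up   parent=ether1-WAN-Spectrum queue=cake-spectrum-up
add name=spectrum-down parent=global packet-mark=spectrum-down queue=cake-spectrum-down
add name=att-up        parent=ether2-WAN-ATT queue=cake-att-up
add name=att-down      parent=global packet-mark=att-down queue=cake-att-down

# What an external controller would change at runtime (illustrative, not a wanctl command):
# lower the Spectrum download ceiling when measured latency under load degrades.
/queue type set cake-spectrum-down cake-bandwidth=850M
```

Shaping to below the provisioned rate keeps the bottleneck queue on the router, where CAKE can manage it, instead of in the ISP's modem buffers. diffserv4 sorts traffic by DSCP, so VoIP or call traffic is prioritized only if it arrives marked; devices that do not mark can be classified with an additional mangle rule that sets DSCP before the queue tree sees the packet.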
Known Dependencies
The network design assumes the availability of the following services:
- ZoneMinder VM: Required for all camera network traffic. Camera devices are permitted to communicate only with this system and have no WAN access.
- DHCP: Addressing is provided centrally. Loss of DHCP impacts connectivity across multiple VLANs.
- DNS: Required for WAN-bound traffic and internal service resolution.
Failure of these services may result in partial or total loss of functionality by design.
Design Notes
- Latency consistency is favored over peak throughput
- Dynamic behavior is constrained and observable
- Failure modes are predictable and easy to reason about
- The edge remains the single point of policy enforcement
This document applies to all current and future network-connected systems unless explicitly stated otherwise.
Firewall and NAT rules are reviewed periodically to ensure documented policy and actual enforcement remain aligned.
Related Documentation
- wanctl Control Plane — Adaptive WAN routing and traffic steering
- Switching & VLAN Fabric — Layer 2/3 segmentation