The Dreamwall appliance sits at 192.168.1.1 and handles:
- NAT for outbound internet access (selective)
- Port forwarding for external SSH access
- Inter-VLAN routing rules

| Service | External Endpoint | Internal Target |
| --- | --- | --- |
| SSH to PVE1 | 108.31.169.90:2225 | 192.168.1.90:22 |
| SSH to PVE2 | 108.31.169.90:2226 | 192.168.1.55:22 |

Management LAN:
- Subnet: 192.168.1.0/24
- Gateway: 192.168.1.1 (Dreamwall)
- Used by: PVE1, PVE2, AWX, Portal, Wiki.js, Gateway

Lab network:
- Subnet: 10.50.1.0/24
- Gateway: 10.50.1.1 (PVE1)
- Bridges: pod01net through pod20net
- Used by: DC01, DC02, student workstations

PVE1 acts as the router between the management LAN and the lab network:
- vmbr0 interface: 192.168.1.90 (management)
- pod01net interface: 10.50.1.1 (lab gateway)
- NAT/masquerade rules on PVE1 allow lab VMs to reach 10.50.x.x
- SSH (port 22) via port forwarding on Dreamwall
- WinRM (port 5985) on DC01 from PVE1 (internal only)
- HTTP/HTTPS for Wiki.js (port 80/443 on 192.168.1.50)
- Password auth should be disabled on PVE1/PVE2 SSH (key-only)
- rpcbind should be disabled on PVE1 and PVE2
- Dreamwall firewall rules need periodic review/cleanup
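
One way to verify the key-only SSH and rpcbind items above on PVE1 and PVE2, as an added example that is not part of the original page. The function names and sample lines are constructed for illustration; the checks read `sshd -T` and `ss -H -tuln` output on stdin so they can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original page): offline-testable audit helpers.
# On PVE1/PVE2 as root:  sshd -T | audit_sshd ;  ss -H -tuln | audit_rpcbind

# Reads `sshd -T` output (effective config, lowercase keys) on stdin.
# Fails closed: a missing key is reported as a failure.
audit_sshd() {
  awk '
    $1 == "passwordauthentication" { pw = $2 }
    # Older OpenSSH reports this setting as challengeresponseauthentication.
    $1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication" { kbd = $2 }
    $1 == "pubkeyauthentication" { pk = $2 }
    END {
      bad = 0
      if (pw != "no")  { print "FAIL passwordauthentication=" pw; bad = 1 }
      if (kbd != "no") { print "FAIL kbdinteractiveauthentication=" kbd; bad = 1 }
      if (pk != "yes") { print "FAIL pubkeyauthentication=" pk; bad = 1 }
      if (!bad) print "OK ssh is key-only"
      exit bad
    }'
}

# Reads `ss -H -tuln` output on stdin; field 5 is the local address:port.
# rpcbind listens on port 111 (TCP and UDP), so any such socket is a finding.
audit_rpcbind() {
  awk '
    $5 ~ /:111$/ { print "FAIL rpcbind listener " $1 " " $5; bad = 1 }
    END { if (!bad) print "OK no listener on port 111"; exit bad + 0 }'
}

# Constructed sample inputs (not captured from the real hosts).
sample_sshd_weak() {
  printf '%s\n' 'port 22' 'passwordauthentication yes' \
    'kbdinteractiveauthentication no' 'pubkeyauthentication yes'
}
sample_ss_rpcbind() {
  printf '%s\n' 'udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*' \
    'tcp LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*' \
    'tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
}

# Demo run on the constructed samples; both report failures.
sample_sshd_weak | audit_sshd || true
sample_ss_rpcbind | audit_rpcbind || true
```

Checking the effective configuration with `sshd -T` rather than grepping `sshd_config` catches overrides from included drop-in files.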