# Frostwall Protocol - IP Hierarchy Reference

**Purpose:** Quick reference for the three-tier IP architecture
**Last Updated:** 2026-02-17
**Status:** Ready for implementation

---

## The Three-Tier IP Hierarchy

### Layer 1: Scrubbing Center IP (Public-Facing)

**What it is:** The IP address visible to the world - what players connect to

**Command Center Scrubbing IP:**
- `63.143.34.217`

**Purpose:**
- Advertised in DNS records
- Absorbs DDoS attacks
- Routes to GRE tunnels
- What players see in connection strings

**Example:**
- Player connects to `play.firefrostgaming.com` → DNS resolves to `63.143.34.217`
- Traffic enters Command Center, gets scrubbed/filtered
- Forwarded through GRE tunnel to appropriate backend server

---

### Layer 2: Backend Alias IP (Hidden Server Address)

**What it is:** The real physical IP address of the game server nodes

**TX1 Dallas Backend IPs:**
- IP Block: `38.68.14.24/29`
- Usable range: `38.68.14.25 - 38.68.14.30`
- Gateway: `38.68.14.25`
- Individual servers:
  - Reclamation: `38.68.14.27`
  - Stoneblock 4: `38.68.14.26`
  - Society Sunlit Valley: `38.68.14.28`
  - Vanilla 1.21.11: `38.68.14.29`
  - All The Mons: `38.68.14.30`
  - FoundryVTT: `38.68.14.26` (port 30000)

**NC1 Charlotte Backend IP:**
- Shared IP: `216.239.104.130`
- All servers use unique ports on this IP:
  - The Ember Project: `:25565`
  - Minecolonies Create & Conquer: `:25566`
  - All The Mods 10: `:25569`
  - EMC Subterra Tech: `:25571`
  - Homestead: `:25572`
  - Hytale: `:5520`

**Purpose:**
- Never publicly disclosed
- Protected by Iron Wall firewall
- Only accessible via GRE tunnel from Command Center
- Hidden from DDoS attackers

---

### Layer 3: Binding Truth IP (Internal Service Binding)

**What it is:** The IP address services actually bind to internally

**For all Minecraft servers:**
- Bind to: `0.0.0.0` or leave `server-ip=` blank in `server.properties`
- This allows the service to listen on all interfaces
- GRE tunnel routing handles the rest

**Purpose:**
- Internal service configuration
- Never exposed outside the server
- Allows flexibility for routing changes

---

## GRE Tunnel IP Addressing

### Command Center (Hub) Tunnel IPs

**TX1 Tunnel:**
- Interface: `gre-tx1`
- Tunnel IP: `10.0.1.1/30`
- Remote endpoint: `10.0.1.2` (TX1)

**NC1 Tunnel:**
- Interface: `gre-nc1`
- Tunnel IP: `10.0.2.1/30`
- Remote endpoint: `10.0.2.2` (NC1)

### TX1 (Spoke) Tunnel IP
- Interface: `gre-hub`
- Tunnel IP: `10.0.1.2/30`
- Remote endpoint: `10.0.1.1` (Command Center)

### NC1 (Spoke) Tunnel IP
- Interface: `gre-hub`
- Tunnel IP: `10.0.2.2/30`
- Remote endpoint: `10.0.2.1` (Command Center)

---

## Complete Service Mapping Table

| Service | Scrubbing IP (Public) | Backend IP (Hidden) | Tunnel IP | Binding IP | Node |
|---------|----------------------|---------------------|-----------|-----------|------|
| **TX1 Dallas Servers** | | | | | |
| Reclamation | 63.143.34.217:25565 | 38.68.14.27:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| Stoneblock 4 | 63.143.34.217:25566 | 38.68.14.26:25566 | 10.0.1.2:25566 | 0.0.0.0:25566 | TX1 |
| Society Sunlit Valley | 63.143.34.217:25567 | 38.68.14.28:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| Vanilla 1.21.11 | 63.143.34.217:25568 | 38.68.14.29:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| All The Mons | 63.143.34.217:25569 | 38.68.14.30:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| FoundryVTT | 63.143.34.217:30000 | 38.68.14.26:30000 | 10.0.1.2:30000 | 0.0.0.0:30000 | TX1 |
| **NC1 Charlotte Servers** | | | | | |
| The Ember Project | 63.143.34.217:25570 | 216.239.104.130:25565 | 10.0.2.2:25565 | 0.0.0.0:25565 | NC1 |
| Minecolonies Create & Conquer | 63.143.34.217:25571 | 216.239.104.130:25566 | 10.0.2.2:25566 | 0.0.0.0:25566 | NC1 |
| All The Mods 10 | 63.143.34.217:25572 | 216.239.104.130:25569 | 10.0.2.2:25569 | 0.0.0.0:25569 | NC1 |
| EMC Subterra Tech | 63.143.34.217:25573 | 216.239.104.130:25571 | 10.0.2.2:25571 | 0.0.0.0:25571 | NC1 |
| Homestead | 63.143.34.217:25574 | 216.239.104.130:25572 | 10.0.2.2:25572 | 0.0.0.0:25572 | NC1 |
| Hytale | 63.143.34.217:5520 | 216.239.104.130:5520 | 10.0.2.2:5520 | 0.0.0.0:5520 | NC1 |

**Note:** Public port assignments above are examples - adjust based on your actual port allocation strategy.

---

## Traffic Flow Diagram

```
Player connects to: play.firefrostgaming.com (Reclamation)
        |
        v
DNS Resolution
        |
        v
63.143.34.217:25565 ← Layer 1: Scrubbing Center IP (Public)
        |
        v
Command Center receives connection
        |
        v
DDoS filtering / scrubbing
        |
        v
NAT forwarding via GRE tunnel
        |
        v
10.0.1.2:25565 ← Tunnel IP (TX1 endpoint)
        |
        v
38.68.14.27:25565 ← Layer 2: Backend Alias IP (Hidden)
        |
        v
Minecraft server bound to 0.0.0.0:25565 ← Layer 3: Binding Truth
        |
        v
Player connected to game server
```

---

## DNS Configuration

**All game servers point to Command Center:**

```
# A Records
play.firefrostgaming.com          A  63.143.34.217
reclamation.firefrostgaming.com   A  63.143.34.217
stoneblock.firefrostgaming.com    A  63.143.34.217
society.firefrostgaming.com       A  63.143.34.217
vanilla.firefrostgaming.com       A  63.143.34.217
allthemons.firefrostgaming.com    A  63.143.34.217
foundry.firefrostgaming.com       A  63.143.34.217
ember.firefrostgaming.com         A  63.143.34.217
minecolonies.firefrostgaming.com  A  63.143.34.217
atm10.firefrostgaming.com         A  63.143.34.217
subterra.firefrostgaming.com      A  63.143.34.217
homestead.firefrostgaming.com     A  63.143.34.217
hytale.firefrostgaming.com        A  63.143.34.217

# SRV Records (optional, for Minecraft auto-discovery)
# The SRV target must be a hostname with an A record, not an IP literal
_minecraft._tcp.reclamation.firefrostgaming.com  SRV  0 5 25565  reclamation.firefrostgaming.com
```

---

## Management Access

**Michael's Management IP:** `[TO BE FILLED IN]`

**SSH Access Rules:**
- Command Center: Allow from management IP only
- TX1: Allow from management IP only
- NC1: Allow from management IP only

**Emergency Access:**
- If management IP changes, access servers via console in provider's control panel
- Update UFW rules immediately
- Test new management IP before removing old one

---

## Security Summary

**What's Protected:**
- ✅ Real server IPs hidden from public
- ✅ DDoS attacks absorbed at Command Center
- ✅ Game traffic separated from email/web traffic
- ✅ Iron Wall firewall on all nodes
- ✅ Encrypted GRE tunnels

**What's Exposed:**
- ⚠️ Command Center IP (63.143.34.217) - intentionally public, DDoS hardened
- ⚠️ Management IP whitelisted for SSH

**What's Locked Down:**
- 🔒 Direct connections to TX1/NC1 game ports blocked
- 🔒 All traffic must route through Command Center
- 🔒 GRE tunnel traffic only from authorized endpoints
- 🔒 SSH only from management IP

---

## Quick Commands Reference

**Check tunnel status:**
```bash
ip tunnel show
ip addr show gre-tx1
ip addr show gre-nc1
```

**Test tunnel connectivity:**
```bash
ping 10.0.1.2  # TX1
ping 10.0.2.2  # NC1
```

**View NAT rules:**
```bash
iptables -t nat -L -n -v
```

**Check UFW rules:**
```bash
ufw status verbose
```

**Monitor tunnel health:**
```bash
tail -f /var/log/frostwall-monitor.log
```

---

**Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️

---

**Document Status:** REFERENCE GUIDE
**Update When:** IP assignments change, servers added/removed, DNS records modified
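---

## Worked Example: Building the GRE Hub-and-Spoke Tunnels

The script below is an added example, not part of the Frostwall reference or its tooling. It turns the "GRE Tunnel IP Addressing" section into the `ip(8)` commands for each role (`hub`, `tx1`, `nc1`) and prints them as a dry run; `APPLY=1` executes them. The hub's outer address is the Command Center IP from this document; the spoke outer addresses (`TX1_OUTER`, `NC1_OUTER`) and the GRE key values are assumptions and must be replaced with the real ones.

```bash
#!/usr/bin/env bash
# Added example (not part of the Frostwall reference): emit the ip(8) commands
# that build the hub-and-spoke GRE tunnels from "GRE Tunnel IP Addressing".
# Dry-run by default; APPLY=1 (as root on the node in question) executes them.
set -eu

# Outer endpoints. The hub address is the Command Center IP from the reference.
# The spoke addresses are ASSUMED placeholders: substitute the address each
# node actually uses to reach the Command Center.
HUB_OUTER="63.143.34.217"
TX1_OUTER="${TX1_OUTER:-TX1_OUTER_IP_PLACEHOLDER}"
NC1_OUTER="${NC1_OUTER:-NC1_OUTER_IP_PLACEHOLDER}"

# Per-tunnel GRE keys (ASSUMED values). A key is a 32-bit tag, not a secret:
# it keeps the two tunnels apart and drops GRE packets that lack the tag,
# but it does not authenticate or encrypt anything.
KEY_TX1="${KEY_TX1:-1001}"
KEY_NC1="${KEY_NC1:-1002}"

# gre_end IFACE LOCAL_OUTER REMOTE_OUTER INNER_CIDR KEY
# Commands for one end of a tunnel: create it, address it, size it, bring it up.
# MTU 1472 = 1500 - 20 (outer IPv4 header) - 8 (GRE header with key).
gre_end() {
    echo "ip tunnel add $1 mode gre local $2 remote $3 key $5 ttl 64"
    echo "ip addr add $4 dev $1"
    echo "ip link set $1 mtu 1472"
    echo "ip link set $1 up"
}

# Command Center: one tunnel per spoke, plus IP forwarding so the NAT rules
# can hand player traffic into the tunnels.
hub_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    gre_end gre-tx1 "$HUB_OUTER" "$TX1_OUTER" 10.0.1.1/30 "$KEY_TX1"
    gre_end gre-nc1 "$HUB_OUTER" "$NC1_OUTER" 10.0.2.1/30 "$KEY_NC1"
}

# Spoke: a single gre-hub interface whose remote is the Command Center.
# The key must match the hub's key for that tunnel.
spoke_commands() {
    case "$1" in
        tx1) gre_end gre-hub "$TX1_OUTER" "$HUB_OUTER" 10.0.1.2/30 "$KEY_TX1" ;;
        nc1) gre_end gre-hub "$NC1_OUTER" "$HUB_OUTER" 10.0.2.2/30 "$KEY_NC1" ;;
        *)   echo "unknown spoke: $1" >&2; return 1 ;;
    esac
}

# Tunnel address(es) a role should be able to ping once both ends are up
# (the reference's "Test tunnel connectivity" step).
peer_tunnel_ip() {
    case "$1" in
        hub) echo "10.0.1.2 10.0.2.2" ;;
        tx1) echo "10.0.1.1" ;;
        nc1) echo "10.0.2.1" ;;
    esac
}

role="${1:-hub}"
case "$role" in
    hub)     cmds=$(hub_commands) ;;
    tx1|nc1) cmds=$(spoke_commands "$role") ;;
    *)       echo "usage: $0 hub|tx1|nc1" >&2; exit 2 ;;
esac

if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$cmds" | sh -e
else
    printf '%s\n' "$cmds"
    for ip in $(peer_tunnel_ip "$role"); do
        echo "# then verify: ping -c 3 -W 2 $ip"
    done
fi
```

Run `./gre-tunnels.sh tx1` on TX1 to see what would be configured, then `APPLY=1 ./gre-tunnels.sh tx1` to apply it. Two caveats a practitioner will want alongside this: plain GRE carries no confidentiality or integrity protection, so the "Encrypted GRE tunnels" line in the Security Summary only holds if the GRE traffic is wrapped in IPsec or a similar layer that this script does not set up; and the "GRE tunnel traffic only from authorized endpoints" lock-down comes from the node firewall (protocol 47 allowed only from the peer's outer address), not from the tunnel definition itself.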
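---

## Worked Example: NAT Forwarding Rules from the Service Mapping Table

The script below is an added example, not the project's own tooling. It encodes the "Complete Service Mapping Table" as data, validates it for the mistakes that silently break or cross-wire forwarding (a public port used twice, one backend socket claimed by two services, a backend address outside the hidden ranges from Layer 2), and only then emits the Command Center's `iptables` rules for the "NAT forwarding via GRE tunnel" step of the traffic flow. Every row is treated as TCP because the reference lists no protocols; the SNAT-to-hub-tunnel-IP approach is a design choice of this example, not something the reference specifies.

```bash
#!/usr/bin/env bash
# Added example (not the project's own tooling): turn the "Complete Service
# Mapping Table" into the Command Center's NAT rules, after checking the
# mapping for errors. Dry-run by default; APPLY=1 (as root on the Command
# Center) executes the generated rules.
set -eu

SCRUB_IP="63.143.34.217"

# Rows copied from the table: service, public port, backend ip:port,
# hub tunnel interface, hub tunnel IP. Public ports are the table's example
# allocations. All rows are tcp here because the reference lists no
# protocols; add a column if a service needs udp.
MAPPING='
reclamation  25565 38.68.14.27:25565     gre-tx1 10.0.1.1
stoneblock4  25566 38.68.14.26:25566     gre-tx1 10.0.1.1
society      25567 38.68.14.28:25565     gre-tx1 10.0.1.1
vanilla      25568 38.68.14.29:25565     gre-tx1 10.0.1.1
allthemons   25569 38.68.14.30:25565     gre-tx1 10.0.1.1
foundryvtt   30000 38.68.14.26:30000     gre-tx1 10.0.1.1
ember        25570 216.239.104.130:25565 gre-nc1 10.0.2.1
minecolonies 25571 216.239.104.130:25566 gre-nc1 10.0.2.1
atm10        25572 216.239.104.130:25569 gre-nc1 10.0.2.1
subterra     25573 216.239.104.130:25571 gre-nc1 10.0.2.1
homestead    25574 216.239.104.130:25572 gre-nc1 10.0.2.1
hytale        5520 216.239.104.130:5520  gre-nc1 10.0.2.1
'

# validate_mapping MAPPING_TEXT
# Exits 1 and names every problem: a public port used twice (the second DNAT
# rule never matches), a backend socket claimed by two services (two public
# ports land on one game), or a backend outside the hidden ranges from
# "Layer 2" (almost always a typo).
validate_mapping() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        ($2 in pub) { print "duplicate public port " $2 ": " pub[$2] " and " $1; bad = 1 }
        ($3 in be)  { print "duplicate backend socket " $3 ": " be[$3] " and " $1; bad = 1 }
        { pub[$2] = $1; be[$3] = $1; split($3, a, ":") }
        a[1] !~ /^38\.68\.14\.(2[5-9]|30)$/ && a[1] != "216.239.104.130" {
            print "backend " a[1] " for " $1 " is outside the known backend ranges"; bad = 1
        }
        END { exit bad }'
}

# gen_nat_rules MAPPING_TEXT
# Per row: DNAT the public socket to the hidden backend, accept the new flow
# into the tunnel, and SNAT it to the hub tunnel IP so backend replies come
# back through the tunnel without any routing changes on the spoke.
gen_nat_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$1" | while read -r svc pub backend iface hubtun; do
        [ -n "$svc" ] || continue
        bip=${backend%:*}
        bport=${backend#*:}
        echo "# $svc"
        echo "iptables -t nat -A PREROUTING -d $SCRUB_IP -p tcp --dport $pub -j DNAT --to-destination $backend"
        echo "iptables -A FORWARD -o $iface -d $bip -p tcp --dport $bport -m conntrack --ctstate NEW -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -o $iface -d $bip -p tcp --dport $bport -j SNAT --to-source $hubtun"
    done
}

if ! validate_mapping "$MAPPING"; then
    echo "mapping has errors; nothing generated" >&2
    exit 1
fi

if [ "${APPLY:-0}" = "1" ]; then
    gen_nat_rules "$MAPPING" | sh -e
else
    gen_nat_rules "$MAPPING"
fi
```

The SNAT step has a cost: the game server sees every player as the hub's tunnel IP (`10.0.1.1` or `10.0.2.1`), so in-game ban lists and connection logs lose the real client address. If that matters, drop the POSTROUTING rule and instead give each spoke a default route back through `gre-hub`, so replies to the player's real address are routed into the tunnel. Confirm what was installed with the reference's `iptables -t nat -L -n -v`.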
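---

## Worked Example: Checking DNS for Backend IP Leaks

The check below is an added example, not part of the reference. Layer 2's first rule is "Never publicly disclosed", and the cheapest way to break it is a stray DNS record: one A record pointing at a `38.68.14.x` or `216.239.104.130` address hands out the backend behind the scrubbing center. The function scans a zone in the same `name TYPE target` layout as the "DNS Configuration" section, flags any A record that is not the scrubbing IP (naming backend and tunnel leaks explicitly), and also catches an SRV record whose target is an IP literal, which resolvers cannot follow. The sample zone is constructed and includes two deliberate mistakes; `LIVE=1` additionally resolves the reference's hostnames through the system resolver.

```bash
#!/usr/bin/env bash
# Added example (not part of the reference): verify that DNS for
# firefrostgaming.com only ever publishes the scrubbing IP.
set -eu

SCRUB_IP="63.143.34.217"

# check_zone ZONE_TEXT
# Records are "name TYPE target" as in the reference's DNS section (SRV:
# "name SRV prio weight port target"). Prints one finding per bad record and
# returns the number of findings, so 0 means the zone is clean.
check_zone() {
    printf '%s\n' "$1" | awk -v scrub="$SCRUB_IP" '
        /^[ \t]*(;|#)/ || NF == 0 { next }
        $2 == "A" && $3 != scrub {
            kind = "non-scrubbing address"
            if ($3 ~ /^38\.68\.14\./ || $3 == "216.239.104.130") kind = "BACKEND IP LEAK"
            else if ($3 ~ /^10\.0\.[12]\./) kind = "TUNNEL IP LEAK"
            print kind ": " $1 " A " $3; n++
        }
        $2 == "SRV" && $6 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            print "SRV target must be a hostname, not an IP: " $1; n++
        }
        END { exit n }'
}

# live_check HOST...
# Resolves each name with the system resolver and reports any answer that is
# not the scrubbing IP. Returns the number of bad answers.
live_check() {
    bad=0
    for host in "$@"; do
        for addr in $(getent hosts "$host" | awk '{ print $1 }'); do
            if [ "$addr" != "$SCRUB_IP" ]; then
                echo "LEAK? $host resolves to $addr"
                bad=$((bad + 1))
            fi
        done
    done
    return "$bad"
}

# Constructed sample zone: records from the reference plus two mistakes
# this check must flag (a direct backend A record and an SRV with an IP target).
SAMPLE_ZONE='
; good records, as in the reference
play.firefrostgaming.com          A   63.143.34.217
reclamation.firefrostgaming.com   A   63.143.34.217
ember.firefrostgaming.com         A   63.143.34.217
_minecraft._tcp.reclamation.firefrostgaming.com SRV 0 5 25565 reclamation.firefrostgaming.com
; constructed mistakes
tx1-direct.firefrostgaming.com    A   38.68.14.27
_minecraft._tcp.ember.firefrostgaming.com SRV 0 5 25565 63.143.34.217
'

check_zone "$SAMPLE_ZONE" && rc=0 || rc=$?
echo "sample zone: $rc finding(s)"

if [ "${LIVE:-0}" = "1" ]; then
    live_check play.firefrostgaming.com reclamation.firefrostgaming.com \
        stoneblock.firefrostgaming.com society.firefrostgaming.com \
        vanilla.firefrostgaming.com allthemons.firefrostgaming.com \
        foundry.firefrostgaming.com ember.firefrostgaming.com \
        minecolonies.firefrostgaming.com atm10.firefrostgaming.com \
        subterra.firefrostgaming.com homestead.firefrostgaming.com \
        hytale.firefrostgaming.com && echo "live DNS: clean"
fi
```

Feed `check_zone` the real zone export before every change listed under "Update When", and run the `LIVE=1` pass from outside the provider network so it sees exactly what a player's resolver sees. A non-zero return from either function is the signal to fix DNS before the GRE or NAT configuration is touched.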