firefrost-operations-manual/docs/tasks/frostwall-protocol/ip-hierarchy.md
Claude 2bd96ee8c7 docs: Complete Frostwall Protocol deployment documentation
Created comprehensive documentation for Frostwall Protocol rebuild:

deployment-plan.md (500+ lines):
- Complete 7-phase implementation guide
- GRE tunnel configuration for Command Center ↔ TX1/NC1
- Iron Wall UFW firewall rules
- NAT/port forwarding setup
- Self-healing tunnel monitoring with auto-recovery
- DNS configuration
- Testing and verification procedures
- Rollback plan
- Performance considerations

ip-hierarchy.md (400+ lines):
- Three-tier IP architecture explained
- Complete service mapping table (all 11 game servers)
- GRE tunnel IP addressing
- Traffic flow diagrams
- DNS configuration reference
- Security summary
- Quick command reference

troubleshooting.md (450+ lines):
- Quick diagnostics checklist
- Common problems with step-by-step solutions:
  - Tunnel won't come up
  - Can't ping tunnel IP
  - Port forwarding not working
  - Tunnel breaks after reboot
  - Self-healing monitor issues
  - High latency/packet loss
  - UFW blocking traffic
- Emergency recovery procedures
- Common error messages decoded
- Health check commands

This documentation enables rebuilding the Frostwall Protocol from scratch
with proper IP hierarchy, DDoS protection, and self-healing capabilities.

Unblocks: Mailcow deployment, AI stack, all Tier 2+ infrastructure

Task: Frostwall Protocol (Tier 1, Critical)
FFG-STD-002 compliant
2026-02-17 15:01:35 +00:00


# Frostwall Protocol - IP Hierarchy Reference

**Purpose:** Quick reference for the three-tier IP architecture

**Last Updated:** 2026-02-17

**Status:** Ready for implementation

---
## The Three-Tier IP Hierarchy

### Layer 1: Scrubbing Center IP (Public-Facing)

**What it is:** The IP address visible to the world - what players connect to

**Command Center Scrubbing IP:**

- `63.143.34.217`

**Purpose:**

- Advertised in DNS records
- Absorbs DDoS attacks
- Routes to GRE tunnels
- What players see in connection strings

**Example:**

- Player connects to `play.firefrostgaming.com` → DNS resolves to `63.143.34.217`
- Traffic enters Command Center, gets scrubbed/filtered
- Forwarded through GRE tunnel to appropriate backend server

---
### Layer 2: Backend Alias IP (Hidden Server Address)

**What it is:** The real physical IP address of the game server nodes

**TX1 Dallas Backend IPs:**

- IP Block: `38.68.14.24/29`
- Usable range: `38.68.14.25 - 38.68.14.30`
- Gateway: `38.68.14.25`
- Individual servers:
  - Reclamation: `38.68.14.27`
  - Stoneblock 4: `38.68.14.26`
  - Society Sunlit Valley: `38.68.14.28`
  - Vanilla 1.21.11: `38.68.14.29`
  - All The Mons: `38.68.14.30`
  - FoundryVTT: `38.68.14.26` (port 30000)

**NC1 Charlotte Backend IP:**

- Shared IP: `216.239.104.130`
- All servers use unique ports on this IP:
  - The Ember Project: `:25565`
  - Minecolonies Create & Conquer: `:25566`
  - All The Mods 10: `:25569`
  - EMC Subterra Tech: `:25571`
  - Homestead: `:25572`
  - Hytale: `:5520`

**Purpose:**

- Never publicly disclosed
- Protected by Iron Wall firewall
- Only accessible via GRE tunnel from Command Center
- Hidden from DDoS attackers

---
### Layer 3: Binding Truth IP (Internal Service Binding)

**What it is:** The IP address services actually bind to internally

**For all Minecraft servers:**

- Bind to: `0.0.0.0` or leave `server-ip=` blank in `server.properties`
- This allows the service to listen on all interfaces
- GRE tunnel routing handles the rest

**Purpose:**

- Internal service configuration
- Never exposed outside the server
- Allows flexibility for routing changes

---

## GRE Tunnel IP Addressing

### Command Center (Hub) Tunnel IPs

**TX1 Tunnel:**

- Interface: `gre-tx1`
- Tunnel IP: `10.0.1.1/30`
- Remote endpoint: `10.0.1.2` (TX1)

**NC1 Tunnel:**

- Interface: `gre-nc1`
- Tunnel IP: `10.0.2.1/30`
- Remote endpoint: `10.0.2.2` (NC1)

### TX1 (Spoke) Tunnel IP

- Interface: `gre-hub`
- Tunnel IP: `10.0.1.2/30`
- Remote endpoint: `10.0.1.1` (Command Center)

### NC1 (Spoke) Tunnel IP

- Interface: `gre-hub`
- Tunnel IP: `10.0.2.2/30`
- Remote endpoint: `10.0.2.1` (Command Center)

---
## Complete Service Mapping Table

| Service | Scrubbing IP (Public) | Backend IP (Hidden) | Tunnel IP | Binding IP | Node |
|---------|----------------------|---------------------|-----------|-----------|------|
| **TX1 Dallas Servers** | | | | | |
| Reclamation | 63.143.34.217:25565 | 38.68.14.27:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| Stoneblock 4 | 63.143.34.217:25566 | 38.68.14.26:25566 | 10.0.1.2:25566 | 0.0.0.0:25566 | TX1 |
| Society Sunlit Valley | 63.143.34.217:25567 | 38.68.14.28:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| Vanilla 1.21.11 | 63.143.34.217:25568 | 38.68.14.29:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| All The Mons | 63.143.34.217:25569 | 38.68.14.30:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| FoundryVTT | 63.143.34.217:30000 | 38.68.14.26:30000 | 10.0.1.2:30000 | 0.0.0.0:30000 | TX1 |
| **NC1 Charlotte Servers** | | | | | |
| The Ember Project | 63.143.34.217:25570 | 216.239.104.130:25565 | 10.0.2.2:25565 | 0.0.0.0:25565 | NC1 |
| Minecolonies Create & Conquer | 63.143.34.217:25571 | 216.239.104.130:25566 | 10.0.2.2:25566 | 0.0.0.0:25566 | NC1 |
| All The Mods 10 | 63.143.34.217:25572 | 216.239.104.130:25569 | 10.0.2.2:25569 | 0.0.0.0:25569 | NC1 |
| EMC Subterra Tech | 63.143.34.217:25573 | 216.239.104.130:25571 | 10.0.2.2:25571 | 0.0.0.0:25571 | NC1 |
| Homestead | 63.143.34.217:25574 | 216.239.104.130:25572 | 10.0.2.2:25572 | 0.0.0.0:25572 | NC1 |
| Hytale | 63.143.34.217:5520 | 216.239.104.130:5520 | 10.0.2.2:5520 | 0.0.0.0:5520 | NC1 |

**Note:** Public port assignments above are examples - adjust based on your actual port allocation strategy.

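
The tunnel addressing above and this mapping table carry invariants that are easy to break when a server is added or a port is reshuffled: each hub/spoke pair must be the two host addresses of one /30, every public port on the scrubbing IP must be unique, and every backend IP:port must be unique and sit inside that node's hidden block. The Python below is an added example, not code from this reference or from the deployment plan; it checks those invariants over rows copied from the table and, when they hold, emits the Command Center side route and NAT commands. It assumes, because the page does not say, that the hub DNATs to the backend IP:port, reaches the backend block by a static route over that node's GRE interface (the Tunnel IP column is read as the next hop, not as a NAT target), masquerades on the tunnel interface so replies return through the Command Center rather than leaving directly from the backend's own public IP, and that all listed services are TCP.

```python
"""Validate the Frostwall service mapping and emit hub-side route/NAT rules.

Added example, not part of the original reference doc.  Assumptions (the page
does not state them): DNAT to backend IP:port, static route to the backend
block over the node's GRE interface, MASQUERADE on that interface so return
traffic flows back through the hub, and TCP for every listed service.
"""
import ipaddress
from dataclasses import dataclass

SCRUBBING_IP = "63.143.34.217"

# Hub/spoke tunnel addressing from the "GRE Tunnel IP Addressing" section.
TUNNELS = {
    "TX1": {"iface": "gre-tx1", "hub": "10.0.1.1/30", "spoke": "10.0.1.2",
            "backend_block": "38.68.14.24/29"},
    "NC1": {"iface": "gre-nc1", "hub": "10.0.2.1/30", "spoke": "10.0.2.2",
            "backend_block": "216.239.104.130/32"},
}


@dataclass(frozen=True)
class Service:
    name: str
    public_port: int
    backend_ip: str
    backend_port: int
    node: str


# Rows copied from the service mapping table (a TX1 subset plus two NC1 rows).
SERVICES = [
    Service("Reclamation", 25565, "38.68.14.27", 25565, "TX1"),
    Service("Stoneblock 4", 25566, "38.68.14.26", 25566, "TX1"),
    Service("FoundryVTT", 30000, "38.68.14.26", 30000, "TX1"),
    Service("The Ember Project", 25570, "216.239.104.130", 25565, "NC1"),
    Service("Hytale", 5520, "216.239.104.130", 5520, "NC1"),
]


def tunnel_problems(tunnels=TUNNELS):
    """Each hub/spoke pair must be the two distinct host addresses of one /30."""
    problems = []
    for node, t in tunnels.items():
        hub_if = ipaddress.ip_interface(t["hub"])
        spoke = ipaddress.ip_address(t["spoke"])
        hosts = set(hub_if.network.hosts())
        if (hub_if.network.prefixlen != 30 or hub_if.ip not in hosts
                or spoke not in hosts or spoke == hub_if.ip):
            problems.append(f"{node}: {hub_if.ip} / {spoke} is not a valid /30 pair")
    return problems


def mapping_problems(services=SERVICES, tunnels=TUNNELS):
    """Public ports unique on the scrubbing IP; backend IP:port unique and
    inside the node's backend block; every node must have a tunnel."""
    problems = []
    seen_public, seen_backend = {}, {}
    for s in services:
        if s.public_port in seen_public:
            problems.append(f"{s.name}: public port {s.public_port} already used by "
                            f"{seen_public[s.public_port]}")
        seen_public.setdefault(s.public_port, s.name)
        key = (s.backend_ip, s.backend_port)
        if key in seen_backend:
            problems.append(f"{s.name}: backend {s.backend_ip}:{s.backend_port} already "
                            f"used by {seen_backend[key]}")
        seen_backend.setdefault(key, s.name)
        t = tunnels.get(s.node)
        if t is None:
            problems.append(f"{s.name}: unknown node {s.node}")
            continue
        if ipaddress.ip_address(s.backend_ip) not in ipaddress.ip_network(t["backend_block"]):
            problems.append(f"{s.name}: {s.backend_ip} is outside {s.node} block {t['backend_block']}")
    return problems


def hub_rules(services=SERVICES, tunnels=TUNNELS):
    """Return the ip/iptables commands the Command Center needs, in apply order."""
    rules = []
    for t in tunnels.values():
        # The hidden backend block is reachable only over that node's tunnel.
        rules.append(f"ip route replace {t['backend_block']} via {t['spoke']} dev {t['iface']}")
        # Masquerade on the tunnel so the backend replies to the hub, not the player.
        rules.append(f"iptables -t nat -A POSTROUTING -o {t['iface']} -j MASQUERADE")
    for s in services:
        rules.append(f"iptables -t nat -A PREROUTING -d {SCRUBBING_IP} -p tcp --dport {s.public_port} "
                     f"-j DNAT --to-destination {s.backend_ip}:{s.backend_port}")
        rules.append(f"iptables -A FORWARD -d {s.backend_ip} -p tcp --dport {s.backend_port} "
                     f"-o {tunnels[s.node]['iface']} -j ACCEPT")
    return rules


if __name__ == "__main__":
    errors = tunnel_problems() + mapping_problems()
    if errors:
        raise SystemExit("\n".join(errors))
    print("\n".join(hub_rules()))
```

Run it with the full table pasted into `SERVICES`; a non-empty problem list is a reason to stop before touching the hub, because a duplicated public port silently steers one game's players into another game's server.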
---
## Traffic Flow Diagram
```
Player connects to: play.firefrostgaming.com (Reclamation)
|
v
DNS Resolution
|
v
63.143.34.217:25565 ← Layer 1: Scrubbing Center IP (Public)
|
v
Command Center receives connection
|
v
DDoS filtering / scrubbing
|
v
NAT forwarding via GRE tunnel
|
v
10.0.1.2:25565 ← Tunnel IP (TX1 endpoint)
|
v
38.68.14.27:25565 ← Layer 2: Backend Alias IP (Hidden)
|
v
Minecraft server bound to 0.0.0.0:25565 ← Layer 3: Binding Truth
|
v
Player connected to game server
```
---
## DNS Configuration
**All game servers point to Command Center:**
```
# A Records
play.firefrostgaming.com A 63.143.34.217
reclamation.firefrostgaming.com A 63.143.34.217
stoneblock.firefrostgaming.com A 63.143.34.217
society.firefrostgaming.com A 63.143.34.217
vanilla.firefrostgaming.com A 63.143.34.217
allthemons.firefrostgaming.com A 63.143.34.217
foundry.firefrostgaming.com A 63.143.34.217
ember.firefrostgaming.com A 63.143.34.217
minecolonies.firefrostgaming.com A 63.143.34.217
atm10.firefrostgaming.com A 63.143.34.217
subterra.firefrostgaming.com A 63.143.34.217
homestead.firefrostgaming.com A 63.143.34.217
hytale.firefrostgaming.com A 63.143.34.217
# SRV Records (optional, for Minecraft auto-discovery)
# SRV target must be a hostname (RFC 2782), never a bare IP address
_minecraft._tcp.reclamation.firefrostgaming.com SRV 0 5 25565 reclamation.firefrostgaming.com.
```
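
The whole point of the DNS layout above is that every name resolves to the scrubbing IP and no record ever carries a backend address. The Python below is an added example, not part of this reference; it reads records in the page's own `name type rdata` layout from a constructed sample (which deliberately contains one leaked backend IP and one SRV target written as an IP) and reports both. The backend blocks are the ones from the Layer 2 section.

```python
"""Check a zone fragment for backend-IP leaks (added example, not from the page).

The input mirrors the page's record layout: name, type, rdata.  Assumption:
only the scrubbing IP may appear in an A record, and an SRV target must be a
hostname (RFC 2782), so any backend address in any record is a leak.
"""
import ipaddress

SCRUBBING_IP = "63.143.34.217"
BACKEND_BLOCKS = [ipaddress.ip_network("38.68.14.24/29"),
                  ipaddress.ip_network("216.239.104.130/32")]

# Constructed sample: one deliberate A-record leak and one bad SRV target.
ZONE_SAMPLE = """\
play.firefrostgaming.com A 63.143.34.217
reclamation.firefrostgaming.com A 63.143.34.217
foundry.firefrostgaming.com A 38.68.14.26
_minecraft._tcp.reclamation.firefrostgaming.com SRV 0 5 25565 reclamation.firefrostgaming.com.
_minecraft._tcp.foundry.firefrostgaming.com SRV 0 5 30000 63.143.34.217
"""


def parse_zone(text):
    """Return (name, type, rdata_tokens) for each non-comment line."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, rtype, *rdata = line.split()
        records.append((name, rtype, rdata))
    return records


def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def zone_findings(text):
    """List every record that exposes a backend or points away from the hub."""
    findings = []
    for name, rtype, rdata in parse_zone(text):
        if rtype == "A":
            addr = ipaddress.ip_address(rdata[0])
            if any(addr in block for block in BACKEND_BLOCKS):
                findings.append(f"{name}: A record exposes backend IP {addr}")
            elif str(addr) != SCRUBBING_IP:
                findings.append(f"{name}: A record points to {addr}, not the scrubbing IP")
        elif rtype == "SRV":
            target = rdata[3]  # priority weight port target
            if is_ip(target):
                findings.append(f"{name}: SRV target {target} is an IP, must be a hostname")
            elif any(is_ip(t) and ipaddress.ip_address(t) in b for t in rdata[:3]
                     for b in BACKEND_BLOCKS):
                findings.append(f"{name}: SRV record carries a backend IP")
    return findings


if __name__ == "__main__":
    for finding in zone_findings(ZONE_SAMPLE):
        print(finding)
```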
---
## Management Access

**Michael's Management IP:** `[TO BE FILLED IN]`

**SSH Access Rules:**

- Command Center: Allow from management IP only
- TX1: Allow from management IP only
- NC1: Allow from management IP only

**Emergency Access:**

- If management IP changes, access servers via console in provider's control panel
- Update UFW rules immediately
- Test new management IP before removing old one
---
## Security Summary

**What's Protected:**

- ✅ Real server IPs hidden from public
- ✅ DDoS attacks absorbed at Command Center
- ✅ Game traffic separated from email/web traffic
- ✅ Iron Wall firewall on all nodes
- ✅ Encrypted GRE tunnels

**What's Exposed:**

- ⚠️ Command Center IP (63.143.34.217) - intentionally public, DDoS hardened
- ⚠️ Management IP whitelisted for SSH

**What's Locked Down:**

- 🔒 Direct connections to TX1/NC1 game ports blocked
- 🔒 All traffic must route through Command Center
- 🔒 GRE tunnel traffic only from authorized endpoints
- 🔒 SSH only from management IP

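
The "locked down" list is only true while the Iron Wall rule set on each spoke still says so, and `ufw status verbose` is where drift shows up first. The Python below is an added example, not part of this reference; it audits a constructed `ufw status verbose` capture for a TX1 node against the four policies above: default incoming deny, SSH only from the management IP, game ports only from the hub's tunnel address, and GRE only from the Command Center. The management IP `203.0.113.10` is a documentation address standing in for the page's `[TO BE FILLED IN]` value, the sample follows the To/Action/From column layout of real ufw output, and because the exact way ufw renders a protocol-only rule can vary, GRE rules are recognised by the token `gre` anywhere in the row. One caveat on the summary itself: a plain `mode gre` tunnel (the objects the quick commands below inspect with `ip tunnel show`) carries traffic in the clear, so the "Encrypted GRE tunnels" item holds only if the deployment wraps the tunnels in something that actually encrypts.

```python
"""Audit a spoke node's `ufw status verbose` output against the Frostwall
lock-down policy.  Added example, not part of the original page.

Assumptions: the sample is constructed to follow ufw's To/Action/From column
layout; GRE rules are matched by the token "gre" anywhere in the row because
ufw's rendering of protocol-only rules is not shown on the page; the
management IP is a documentation placeholder.
"""
import re

COMMAND_CENTER_IP = "63.143.34.217"
MANAGEMENT_IP = "203.0.113.10"      # placeholder for "[TO BE FILLED IN]"
HUB_TUNNEL_IP = "10.0.1.1"          # TX1's peer on gre-hub
GAME_PORTS = {25565, 25566, 30000}  # TX1 backend ports from the mapping table

# Constructed sample: correct except that 25566/tcp is open to Anywhere.
UFW_STATUS_SAMPLE = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    203.0.113.10
25565/tcp                  ALLOW IN    10.0.1.1
30000/tcp                  ALLOW IN    10.0.1.1
25566/tcp                  ALLOW IN    Anywhere
Anywhere/gre               ALLOW IN    63.143.34.217
"""


def parse_ufw_status(text):
    """Return (default_incoming, rows); each row is a (to, action, from) tuple."""
    default_in, rows, in_table = None, [], False
    for line in text.splitlines():
        m = re.match(r"Default:\s*(\w+)\s*\(incoming\)", line)
        if m:
            default_in = m.group(1)
            continue
        if line.startswith("--"):          # the dashed header separator
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 3:
            rows.append(tuple(cols))
    return default_in, rows


def audit(text, game_ports=GAME_PORTS):
    """Return one finding per rule that contradicts the lock-down policy."""
    default_in, rows = parse_ufw_status(text)
    findings = []
    if default_in != "deny":
        findings.append(f"default incoming policy is {default_in!r}, expected 'deny'")
    for to, action, src in rows:
        if not action.startswith("ALLOW"):
            continue
        row = " ".join((to, action, src))
        port_m = re.match(r"(\d+)(?:/(tcp|udp))?", to)
        port = int(port_m.group(1)) if port_m else None
        if "gre" in row.lower():
            if src != COMMAND_CENTER_IP:
                findings.append(f"GRE accepted from {src}, only {COMMAND_CENTER_IP} may terminate the tunnel")
        elif port == 22:
            if src != MANAGEMENT_IP:
                findings.append(f"SSH reachable from {src}, expected management IP only")
        elif port in game_ports:
            if src != HUB_TUNNEL_IP:
                findings.append(f"game port {port} reachable from {src}, bypasses Command Center scrubbing")
        else:
            findings.append(f"unexpected allow rule: {row}")
    return findings


if __name__ == "__main__":
    for finding in audit(UFW_STATUS_SAMPLE):
        print(finding)
```

Feed it the real capture (`ufw status verbose > /tmp/ufw.txt`) from each spoke after any rule change; an empty result is the condition the "What's Locked Down" list describes.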
---
## Quick Commands Reference
**Check tunnel status:**
```bash
ip tunnel show
ip addr show gre-tx1
ip addr show gre-nc1
```
**Test tunnel connectivity:**
```bash
ping 10.0.1.2 # TX1
ping 10.0.2.2 # NC1
```
**View NAT rules:**
```bash
iptables -t nat -L -n -v
```
**Check UFW rules:**
```bash
ufw status verbose
```
**Monitor tunnel health:**
```bash
tail -f /var/log/frostwall-monitor.log
```
---
**Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️

---

**Document Status:** REFERENCE GUIDE

**Update When:** IP assignments change, servers added/removed, DNS records modified