Created comprehensive documentation for Frostwall Protocol rebuild:

deployment-plan.md (500+ lines):
- Complete 7-phase implementation guide
- GRE tunnel configuration for Command Center ↔ TX1/NC1
- Iron Wall UFW firewall rules
- NAT/port forwarding setup
- Self-healing tunnel monitoring with auto-recovery
- DNS configuration
- Testing and verification procedures
- Rollback plan
- Performance considerations

ip-hierarchy.md (400+ lines):
- Three-tier IP architecture explained
- Complete service mapping table (all 11 game servers)
- GRE tunnel IP addressing
- Traffic flow diagrams
- DNS configuration reference
- Security summary
- Quick command reference

troubleshooting.md (450+ lines):
- Quick diagnostics checklist
- Common problems with step-by-step solutions:
  - Tunnel won't come up
  - Can't ping tunnel IP
  - Port forwarding not working
  - Tunnel breaks after reboot
  - Self-healing monitor issues
  - High latency/packet loss
  - UFW blocking traffic
- Emergency recovery procedures
- Common error messages decoded
- Health check commands

This documentation enables rebuilding the Frostwall Protocol from scratch with proper IP hierarchy, DDoS protection, and self-healing capabilities.

Unblocks: Mailcow deployment, AI stack, all Tier 2+ infrastructure
Task: Frostwall Protocol (Tier 1, Critical)
FFG-STD-002 compliant
Frostwall Protocol - IP Hierarchy Reference
Purpose: Quick reference for the three-tier IP architecture
Last Updated: 2026-02-17
Status: Ready for implementation
The Three-Tier IP Hierarchy
Layer 1: Scrubbing Center IP (Public-Facing)
What it is: The IP address visible to the world - what players connect to
Command Center Scrubbing IP:
63.143.34.217
Purpose:
- Advertised in DNS records
- Absorbs DDoS attacks
- Routes to GRE tunnels
- What players see in connection strings
Example:
- Player connects to play.firefrostgaming.com → DNS resolves to 63.143.34.217
- Traffic enters Command Center, gets scrubbed/filtered
- Forwarded through GRE tunnel to appropriate backend server
Layer 2: Backend Alias IP (Hidden Server Address)
What it is: The real physical IP address of the game server nodes
TX1 Dallas Backend IPs:
- IP Block: 38.68.14.24/29
- Usable range: 38.68.14.25 - 38.68.14.30
- Gateway: 38.68.14.25
- Individual servers:
  - Reclamation: 38.68.14.27
  - Stoneblock 4: 38.68.14.26
  - Society Sunlit Valley: 38.68.14.28
  - Vanilla 1.21.11: 38.68.14.29
  - All The Mons: 38.68.14.30
  - FoundryVTT: 38.68.14.26 (port 30000)
NC1 Charlotte Backend IP:
- Shared IP: 216.239.104.130
- All servers use unique ports on this IP:
  - The Ember Project: :25565
  - Minecolonies Create & Conquer: :25566
  - All The Mods 10: :25569
  - EMC Subterra Tech: :25571
  - Homestead: :25572
  - Hytale: :5520
Purpose:
- Never publicly disclosed
- Protected by Iron Wall firewall
- Only accessible via GRE tunnel from Command Center
- Hidden from DDoS attackers
Layer 3: Binding Truth IP (Internal Service Binding)
What it is: The IP address services actually bind to internally
For all Minecraft servers:
- Bind to: 0.0.0.0, or leave server-ip= blank in server.properties
- This allows the service to listen on all interfaces
- GRE tunnel routing handles the rest
Purpose:
- Internal service configuration
- Never exposed outside the server
- Allows flexibility for routing changes
GRE Tunnel IP Addressing
Command Center (Hub) Tunnel IPs
TX1 Tunnel:
- Interface: gre-tx1
- Tunnel IP: 10.0.1.1/30
- Remote endpoint: 10.0.1.2 (TX1)
NC1 Tunnel:
- Interface: gre-nc1
- Tunnel IP: 10.0.2.1/30
- Remote endpoint: 10.0.2.2 (NC1)
TX1 (Spoke) Tunnel IP
- Interface: gre-hub
- Tunnel IP: 10.0.1.2/30
- Remote endpoint: 10.0.1.1 (Command Center)
NC1 (Spoke) Tunnel IP
- Interface: gre-hub
- Tunnel IP: 10.0.2.2/30
- Remote endpoint: 10.0.2.1 (Command Center)
Complete Service Mapping Table
| Service | Scrubbing IP (Public) | Backend IP (Hidden) | Tunnel IP | Binding IP | Node |
|---|---|---|---|---|---|
| TX1 Dallas Servers | |||||
| Reclamation | 63.143.34.217:25565 | 38.68.14.27:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| Stoneblock 4 | 63.143.34.217:25566 | 38.68.14.26:25566 | 10.0.1.2:25566 | 0.0.0.0:25566 | TX1 |
| Society Sunlit Valley | 63.143.34.217:25567 | 38.68.14.28:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| Vanilla 1.21.11 | 63.143.34.217:25568 | 38.68.14.29:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| All The Mons | 63.143.34.217:25569 | 38.68.14.30:25565 | 10.0.1.2:25565 | 0.0.0.0:25565 | TX1 |
| FoundryVTT | 63.143.34.217:30000 | 38.68.14.26:30000 | 10.0.1.2:30000 | 0.0.0.0:30000 | TX1 |
| NC1 Charlotte Servers | |||||
| The Ember Project | 63.143.34.217:25570 | 216.239.104.130:25565 | 10.0.2.2:25565 | 0.0.0.0:25565 | NC1 |
| Minecolonies Create & Conquer | 63.143.34.217:25571 | 216.239.104.130:25566 | 10.0.2.2:25566 | 0.0.0.0:25566 | NC1 |
| All The Mods 10 | 63.143.34.217:25572 | 216.239.104.130:25569 | 10.0.2.2:25569 | 0.0.0.0:25569 | NC1 |
| EMC Subterra Tech | 63.143.34.217:25573 | 216.239.104.130:25571 | 10.0.2.2:25571 | 0.0.0.0:25571 | NC1 |
| Homestead | 63.143.34.217:25574 | 216.239.104.130:25572 | 10.0.2.2:25572 | 0.0.0.0:25572 | NC1 |
| Hytale | 63.143.34.217:5520 | 216.239.104.130:5520 | 10.0.2.2:5520 | 0.0.0.0:5520 | NC1 |
Note: Public port assignments above are examples - adjust based on your actual port allocation strategy.
Traffic Flow Diagram
```text
Player connects to: play.firefrostgaming.com (Reclamation)
        |
        v
DNS Resolution
        |
        v
63.143.34.217:25565        <- Layer 1: Scrubbing Center IP (Public)
        |
        v
Command Center receives connection
        |
        v
DDoS filtering / scrubbing
        |
        v
NAT forwarding via GRE tunnel
        |
        v
10.0.1.2:25565             <- Tunnel IP (TX1 endpoint)
        |
        v
38.68.14.27:25565          <- Layer 2: Backend Alias IP (Hidden)
        |
        v
Minecraft server bound to 0.0.0.0:25565   <- Layer 3: Binding Truth
        |
        v
Player connected to game server
```
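As an added example (not code from the Frostwall docs), the script below encodes the service mapping table and the NAT hop shown in the traffic flow diagram: it checks the table for public-port and backend endpoint collisions before anything is deployed, then emits the Command Center iptables rules that carry a connection from the Scrubbing IP to the Backend Alias IP out of the GRE interface. The WAN interface name `eth0`, the TCP-only rules, the MASQUERADE return path, and the presence of routes to the backend IPs via the GRE interfaces are assumptions, not from this page.

```python
# Added example, not from the Frostwall docs. Validates the three-tier service
# mapping and emits the Command Center NAT rules that the traffic flow implies.
from collections import Counter

SCRUBBING_IP = "63.143.34.217"  # Layer 1: the only address players ever see

# (service, public port, backend alias IP, backend port, GRE interface) from the mapping table
SERVICES = [
    ("Reclamation",                   25565, "38.68.14.27",     25565, "gre-tx1"),
    ("Stoneblock 4",                  25566, "38.68.14.26",     25566, "gre-tx1"),
    ("Society Sunlit Valley",         25567, "38.68.14.28",     25565, "gre-tx1"),
    ("Vanilla 1.21.11",               25568, "38.68.14.29",     25565, "gre-tx1"),
    ("All The Mons",                  25569, "38.68.14.30",     25565, "gre-tx1"),
    ("FoundryVTT",                    30000, "38.68.14.26",     30000, "gre-tx1"),
    ("The Ember Project",             25570, "216.239.104.130", 25565, "gre-nc1"),
    ("Minecolonies Create & Conquer", 25571, "216.239.104.130", 25566, "gre-nc1"),
    ("All The Mods 10",               25572, "216.239.104.130", 25569, "gre-nc1"),
    ("EMC Subterra Tech",             25573, "216.239.104.130", 25571, "gre-nc1"),
    ("Homestead",                     25574, "216.239.104.130", 25572, "gre-nc1"),
    ("Hytale",                        5520,  "216.239.104.130", 5520,  "gre-nc1"),
]

def validate(services):
    """Return mapping errors; an empty list means every DNAT target is unambiguous."""
    errors = []
    public = Counter(s[1] for s in services)
    errors += [f"public port {p} used {n} times" for p, n in public.items() if n > 1]
    backend = Counter((s[2], s[3]) for s in services)
    errors += [f"backend {ip}:{port} used {n} times" for (ip, port), n in backend.items() if n > 1]
    return errors

def nat_rules(services, scrubbing_ip=SCRUBBING_IP, wan="eth0"):
    """Command Center rules: DNAT on the scrubbing IP, forward out the GRE interface,
    MASQUERADE so the backend replies via the tunnel rather than its own default route
    (this hides player IPs from the game server; a policy route on the spoke avoids that).
    wan="eth0" and TCP-only (Minecraft Java is TCP) are assumptions; add UDP rules per game."""
    rules = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for name, pub_port, b_ip, b_port, gre in services:
        rules.append(f"iptables -t nat -A PREROUTING -i {wan} -d {scrubbing_ip} -p tcp "
                     f"--dport {pub_port} -j DNAT --to-destination {b_ip}:{b_port}  # {name}")
        rules.append(f"iptables -A FORWARD -i {wan} -o {gre} -d {b_ip} -p tcp "
                     f"--dport {b_port} -m conntrack --ctstate NEW -j ACCEPT")
        rules.append(f"iptables -t nat -A POSTROUTING -o {gre} -d {b_ip} -p tcp "
                     f"--dport {b_port} -j MASQUERADE")
    return rules

if __name__ == "__main__":
    problems = validate(SERVICES)   # refuse to print rules for an ambiguous table
    print("\n".join(problems or nat_rules(SERVICES)))
```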
DNS Configuration
All game servers point to Command Center:
```text
# A Records
play.firefrostgaming.com          A  63.143.34.217
reclamation.firefrostgaming.com   A  63.143.34.217
stoneblock.firefrostgaming.com    A  63.143.34.217
society.firefrostgaming.com       A  63.143.34.217
vanilla.firefrostgaming.com       A  63.143.34.217
allthemons.firefrostgaming.com    A  63.143.34.217
foundry.firefrostgaming.com       A  63.143.34.217
ember.firefrostgaming.com         A  63.143.34.217
minecolonies.firefrostgaming.com  A  63.143.34.217
atm10.firefrostgaming.com         A  63.143.34.217
subterra.firefrostgaming.com      A  63.143.34.217
homestead.firefrostgaming.com     A  63.143.34.217
hytale.firefrostgaming.com        A  63.143.34.217

# SRV Records (optional, for Minecraft auto-discovery)
_minecraft._tcp.reclamation.firefrostgaming.com  SRV  0 5 25565 63.143.34.217
```
Management Access
Michael's Management IP: [TO BE FILLED IN]
SSH Access Rules:
- Command Center: Allow from management IP only
- TX1: Allow from management IP only
- NC1: Allow from management IP only
Emergency Access:
- If management IP changes, access servers via console in provider's control panel
- Update UFW rules immediately
- Test new management IP before removing old one
Security Summary
What's Protected:
- ✅ Real server IPs hidden from public
- ✅ DDoS attacks absorbed at Command Center
- ✅ Game traffic separated from email/web traffic
- ✅ Iron Wall firewall on all nodes
- ✅ Encrypted GRE tunnels

What's Exposed:
- ⚠️ Command Center IP (63.143.34.217) - intentionally public, DDoS hardened
- ⚠️ Management IP whitelisted for SSH

What's Locked Down:
- 🔒 Direct connections to TX1/NC1 game ports blocked
- 🔒 All traffic must route through Command Center
- 🔒 GRE tunnel traffic only from authorized endpoints
- 🔒 SSH only from management IP
Quick Commands Reference
Check tunnel status:
```bash
ip tunnel show
ip addr show gre-tx1
ip addr show gre-nc1
```

Test tunnel connectivity:
```bash
ping 10.0.1.2   # TX1
ping 10.0.2.2   # NC1
```

View NAT rules:
```bash
iptables -t nat -L -n -v
```

Check UFW rules:
```bash
ufw status verbose
```

Monitor tunnel health:
```bash
tail -f /var/log/frostwall-monitor.log
```
Fire + Frost + Foundation = Where Love Builds Legacy 💙🔥❄️
Document Status: REFERENCE GUIDE
Update When: IP assignments change, servers added/removed, DNS records modified