Network Architecture Overview

Networks & Subnets

| Network Name | Subnet | Access | Description |
|---|---|---|---|
| public-services | Dynamic (Default) | Internet + Public | Exposed services (via Proxies). |
| internal-services | 10.150.0.0/16 | Internet | Backend services & Databases. |
| kali-network | 10.151.0.0/16 | Internet | Isolated Kali Linux environment. |

Service Connectivity Diagram

```mermaid
graph TB
    subgraph Host["Host Machine (127.0.0.1)"]
        Browser
    end

    subgraph PublicNet["public-services (Dynamic)"]
        n8nProxy["n8n-proxy"]
        OllamaProxy["ollama-proxy"]
        VulnApp["vulnerable-app"]
        PentestWeb["pentest-webapp"]
    end

    subgraph InternalNet["internal-services (10.150.0.0/16)"]
        Postgres
        Qdrant
        Minio
        Vault["credential-vault"]
        n8nInt["n8n (eth0: 10.150.0.250)"]
    end

    subgraph KaliNet["kali-network (10.151.0.0/16)"]
        Kali["kali"]
        n8nKali["n8n (eth1)"]
    end

    %% Routing & Access
    Browser -->|"HTTPS (443)"| n8nProxy

    n8nProxy --> n8nInt
    OllamaProxy --> Ollama["Ollama (CPU/GPU)"]

    %% n8n Dual Homing
    n8nInt --- n8nKali

    %% SSH Access
    n8nKali -->|"SSH (22)"| Kali

    %% Isolation Enforcement
    Kali -.->|"BLOCKED (Not Listening)"| n8nKali
    Kali -.->|"BLOCKED (FW/Binding)"| Host
    Kali -->|"Internet Access"| Internet((Internet))
```

Key Isolation Mechanics

  1. n8n Dual-Homing:

    • n8n is connected to both internal-services and kali-network.
    • Crucial Config: N8N_LISTEN_ADDRESS=10.150.0.250.
    • Result: n8n only listens for web traffic on its internal-services interface. The interface on kali-network is used outbound for SSH only.
  2. Kali Isolation:

    • kali is only on kali-network.
    • It cannot reach postgres, qdrant, or vault because they are on the disjoint internal-services network.
    • It can reach n8n's IP on kali-network, but n8n refuses connections on port 5678 on that interface.
    • It can access the internet (apt-get, git, etc.) via the Docker gateway.
  3. Host Protection:

    • Public ports (443, 8000, etc.) are bound to 127.0.0.1.
    • Kali cannot access these services by targeting the Host Gateway IP (e.g., 10.151.0.1), effectively preventing it from attacking the hosting infrastructure itself.
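
A static check of the three isolation invariants above, as an added example that is not part of the original project. The dict layout, the function names, and which service publishes port 8000 are assumptions; only short-syntax IPv4 port mappings are handled.

```python
import ipaddress

# Constructed sample of the page's topology. Names, subnets, 10.150.0.250 and the
# ports come from the page; the dict layout and the service owning 8000 are assumed.
SUBNETS = {"internal-services": "10.150.0.0/16", "kali-network": "10.151.0.0/16"}
SERVICES = {
    "n8n-proxy": {"ports": ["127.0.0.1:443:443"]},
    "vulnerable-app": {"ports": ["127.0.0.1:8000:8000"]},
    "n8n": {"networks": ["internal-services", "kali-network"],
            "environment": {"N8N_LISTEN_ADDRESS": "10.150.0.250"}},
    "kali": {"networks": ["kali-network"]},
}

def non_loopback_ports(services):
    """Host Protection: published ports whose host side is not loopback."""
    findings = []
    for name, svc in services.items():
        for mapping in svc.get("ports", []):
            parts = mapping.split("/")[0].split(":")  # drop "/tcp", split ip:host:container
            host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"  # no IP means all interfaces
            if not ipaddress.ip_address(host_ip).is_loopback:
                findings.append(f"{name}: port mapping {mapping} is not bound to loopback")
    return findings

def listen_address_findings(services, subnets):
    """n8n Dual-Homing: the listen address must sit inside internal-services."""
    addr = services["n8n"].get("environment", {}).get("N8N_LISTEN_ADDRESS")
    if addr is None:
        return ["n8n: N8N_LISTEN_ADDRESS is not set"]
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(subnets["internal-services"]):
        return [f"n8n: listen address {addr} is outside internal-services"]
    return []

def kali_network_findings(services):
    """Kali Isolation: kali may be attached to kali-network only."""
    extra = sorted(set(services["kali"].get("networks", [])) - {"kali-network"})
    return [f"kali: also attached to {net}" for net in extra]

def audit(services, subnets):
    """Run all three checks and return the combined list of findings."""
    return (non_loopback_ports(services) + listen_address_findings(services, subnets)
            + kali_network_findings(services))

if __name__ == "__main__":
    for finding in audit(SERVICES, SUBNETS) or ["all three isolation invariants hold"]:
        print(finding)
```

This checks the declared configuration only; the running containers' actual listeners and network attachments still need to be confirmed separately.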