Project Overview
- Institution: CINEL — Centro de Formação Profissional da Indústria Electrónica, Energia, Telecomunicações e Tecnologias da Informação (Lisbon)
- Program: CET — Técnico Especialista de Gestão de Redes e Sistemas Informáticos (EQF Level 5)
- Date: January 2020 · Two-person team
The Assignment
Build a complete, working two-site corporate network: 8 servers, 5 firewalls and 6 virtual routers, virtualized to run on a single classroom PC, connected to physical Cisco and Huawei routers shared with 15 other teams over a common training-center WAN.
There was no partial credit for slideware: 15 of the 20 points came from live functionality, verified in a 1–1.5 hour defense where every requirement was exercised against the running VMs — no time to rebuild anything that didn’t work.
Architecture
Training-center WAN (10.2.0.0/16)
│
┌──────────────┴──────────────┐
│ Cisco (IOS) Huawei (VRP)│ Physical edge routers in
│ └── VRRP virtual IP ──│ active/backup failover
└──────────────┬──────────────┘
│ OSPF backbone ── Kronix (project-wide
┌──────────────┴──────────────┐ DNS + NTP)
West OSPF area East OSPF area
3 × VyOS routers 3 × VyOS routers
│ │
Firewalls Tijolo · Calhau Firewalls Brick · Brack · Stone
├─ Green: Samba 4 AD DC, ├─ Green: Windows Server PDC
│ Windows Server Core RODC │ (AD DS/DNS/DHCP/Exchange),
├─ Orange DMZ: Nginx/Apache │ FreeNAS iSCSI storage
│ web tier + Moodle └─ Green: Bareos backups +
└─ Blue: VoIP server Zabbix monitoring
Network & Routing
- Dual-vendor WAN edge: a physical Cisco router (IOS) and Huawei router (VRP) configured as a single virtual gateway via VRRP — on master failure, the backup takes over existing connections between the internal network and the center’s WAN
- Six VyOS routers (Debian-based) forming two internal areas, with OSPF across 3 areas spanning both the virtual and physical routers
- Egress policy enforced at the edge: only a defined subset of host addresses in the team’s range could reach the center network and Internet
Security & Segmentation
- Five open-source firewall appliances segmenting each site into Green (trusted), Orange (DMZ) and Blue (VoIP) zones, with SSH administration restricted to public-key authentication only
- Enforced DNS resolution chains — clients could only resolve through the Windows DC, which forwarded through the firewalls to the project DNS and out to the WAN; direct resolution was blocked
- Identity-, group- and time-based content policies: social media limited to specific departments and time windows, remote-access tools allowed only for IT during working hours, webmail blocked for selected groups, category and TLD blocking on the DMZ firewall
- VPN mesh: IPsec site-to-site links between the firewalls, plus OpenVPN road-warrior access from the WAN authenticated against Active Directory through RADIUS — restricted to the IT group within defined hours, with all client traffic forced through the firewall’s egress rules
Windows Infrastructure (East site)
- Windows Server 2012/2016 Primary Domain Controller running AD DS, primary DNS, DHCP and Exchange 2013/2016, with webmail (OWA) reachable over HTTPS from outside
- Country- and department-based OU structure with ~25 Group Policy Objects: folder redirection to network storage, mapped drives with per-user quotas, printer deployment at logon, assigned software installation, per-department enforced wallpapers, command-line lockdown with IT exemptions, and browser policies
- Read-Only Domain Controller on Windows Server Core simulating a branch office in the other site: slave DNS, DHCP, NTP sync, authentication scoped to a single OU, and nightly AD schema/SYSVOL backups
- FreeNAS storage server: ZFS RAID 5 pool exposed over iSCSI and mounted by the domain controller to host Exchange mail stores and redirected home folders
Linux Infrastructure (West site)
- Samba 4 Active Directory domain controller (Windows 2008 R2 forest level) managing Windows clients with GPOs — drive mappings, hidden shares with group ACLs, per-department policies and software deployment
- Samba shares on Linux software RAID 5 with per-user quotas and usage warnings; CUPS print services for domain clients
- Postfix/Dovecot mail hosting multiple domains with cross-domain and external routing, RoundCube webmail reachable from the WAN, and Rspamd + ClamAV spam/antivirus filtering
- SSH hardened to key-pair authentication and restricted to defined time windows
DMZ Web Tier
- Nginx reverse proxy in round-robin over two Apache virtual hosts — plain HTTP in on one port, SSL/TLS out on another
- Additional basic-auth and TLS-protected sites served by both Apache and Nginx, and a Moodle CMS behind TLS
- All services published through the project’s “external” DNS and validated from a test client on the WAN
Backup, Monitoring & Core Services
- Bareos backup server on RAID 6 with a hot spare, running per-system full/incremental/differential schedules: AD database and SYSVOL, Exchange stores and home folders, Samba/Postfix/Dovecot configuration and logs, web server logs and virtual hosts, VoIP call records
- Zabbix monitoring of every server, firewall and router — physical and virtual — via agents and SNMP: CPU, memory and swap paging, interface bandwidth, OSPF LSA exchange between neighbors, VRRP state transitions, and hardware temperature on the physical routers
- Central project DNS/NTP server providing name resolution and time sync for the entire network
- VoIP server in the Blue zone supporting softphone calls between users in different zones — including calls to another team’s network across the shared WAN
Why It Still Matters
This was my first end-to-end build of an enterprise-shaped environment: routing, segmentation, identity, mail, storage, backup and monitoring all had to interoperate — and survive a live demonstration. What carried into my professional work wasn’t the specific stack — outside of Zabbix in my first roles, I haven’t worked with network equipment or open-source firewalls professionally — but the foundations underneath it: understanding how these systems fit together, and the troubleshooting discipline the project demanded: reading documentation, hunting error messages in logs, forming hypotheses, gathering evidence, and thinking critically about failure modes.
Built as a two-person team from a brief authored by CINEL’s instructors; every specification above was validated during the final defense.