https://wiki.bwcloud-os.de/api.php?action=feedcontributions&feedformat=atom&user=Admin-ulm-1bwCloud-OS - User contributions [en]2026-05-31T01:04:36ZUser contributionsMediaWiki 1.44.0https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2038Guide: Network Configuration by Region2026-04-20T08:55:01Z<p>Admin-ulm-1: /* Per Project Networks */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> network, it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 range and are not shared with other projects.<br />
* Private networks need to be connected the the internal side of a private router with the external side connected to <code>public-link</code>.<br />
* A VM in a dual-stacked private network will receive a private, NAT-ed IPv4 and a public, global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.<br />
<br />
=== Network Renumbering ===<br />
<br />
* The IPv4 range that Gen3 region Ulm starts with initially is only temporary and will be replaced with an IPv4 range that is currently still in-use in Gen2 region Ulm, once Gen2 shuts down.<br />
** During that IPv4 renumbering all IPv4 '''Floating IPs''' will be removed.<br />
** Afterwards new IPv4 '''Floating IPs''' can be allocated from <code>public-link</code>.<br />
** This affects <code>virt-shared</code> and all per project networks.<br />
** IPv6 ranges and addresses will remain unchanged.<br />
** private IPv4 ranges and addresses will remain unchanged.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2037Guide: Network Configuration by Region2026-04-20T08:50:20Z<p>Admin-ulm-1: /* Network Renumbering */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> network, it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 range and are not shared with other projects.<br />
* A VM in a dual-stacked private network will receive a private, NAT-ed IPv4 and a public, global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.<br />
<br />
=== Network Renumbering ===<br />
<br />
* The IPv4 range that Gen3 region Ulm starts with initially is only temporary and will be replaced with an IPv4 range that is currently still in-use in Gen2 region Ulm, once Gen2 shuts down.<br />
** During that IPv4 renumbering all IPv4 '''Floating IPs''' will be removed.<br />
** Afterwards new IPv4 '''Floating IPs''' can be allocated from <code>public-link</code>.<br />
** This affects <code>virt-shared</code> and all per project networks.<br />
** IPv6 ranges and addresses will remain unchanged.<br />
** private IPv4 ranges and addresses will remain unchanged.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2036Guide: Network Configuration by Region2026-04-20T08:49:52Z<p>Admin-ulm-1: /* Network Renumbering */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> network, it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 range and are not shared with other projects.<br />
* A VM in a dual-stacked private network will receive a private, NAT-ed IPv4 and a public, global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.<br />
<br />
=== Network Renumbering ===<br />
<br />
* The IPv4 range that Gen3 region Ulm starts with initially is only temporary and will be replaced with an IPv4 range that is currently still in-use in Gen2 region Ulm, once Gen2 shuts down.<br />
** During that IPv4 renumbering all IPv4 '''Floating IPs''' will be removed.<br />
** Afterwards new IPv4 '''Floating IPs''' can be allocated from <code>public-link</code>.<br />
** This affects <code>virt-shared</code> and all per project networks.<br />
** IPv6 ranges and addresses will remain unchanged.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2035Guide: Network Configuration by Region2026-04-20T08:42:42Z<p>Admin-ulm-1: /* Network Renumbering */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> network, it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 range and are not shared with other projects.<br />
* A VM in a dual-stacked private network will receive a private, NAT-ed IPv4 and a public, global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.<br />
<br />
=== Network Renumbering ===<br />
<br />
* The IPv4 range that Gen3 region Ulm starts with initially is only temporary and will be replaced with an IPv4 range that is currently still in-use in Gen2 region Ulm, once Gen2 shuts down.<br />
** During that IPv4 renumbering all IPv4 '''Floating IPs''' will be removed.<br />
** Afterwards new IPv4 '''Floating IPs''' can be allocated from <code>public-link</code>.<br />
** This affects <code>virt-shared</code> and all per project networks.<br />
** IPv6 will remain unchanged.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2034Guide: Network Configuration by Region2026-04-20T08:42:20Z<p>Admin-ulm-1: /* Network Renumbering */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> network, it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 range and are not shared with other projects.<br />
* A VM in a dual-stacked private network will receive a private, NAT-ed IPv4 and a public, global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.<br />
<br />
=== Network Renumbering ===<br />
<br />
* The IPv4 range that Gen3 region Ulm starts with initially is only temporary and will be replaced with an IPv4 range that is currently still in-use in Gen2 region Ulm once Gen2 shuts down.<br />
** During that IPv4 renumbering all IPv4 '''Floating IPs''' will be removed.<br />
** Afterwards new IPv4 '''Floating IPs''' can be allocated from <code>public-link</code>.<br />
** This affects <code>virt-shared</code> and all per project networks.<br />
** IPv6 will remain unchanged.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2033Guide: Network Configuration by Region2026-04-20T08:41:52Z<p>Admin-ulm-1: /* Ulm */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> network, it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 range and are not shared with other projects.<br />
* A VM in a dual-stacked private network will receive a private, NAT-ed IPv4 and a public, global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.<br />
<br />
=== Network Renumbering ===<br />
<br />
* The IPv4 range that Gen3 region Ulm starts with initially is only temporary and will be replaced with an IPv4 range that is currently still in-use in Gen2 region Ulm.<br />
** During that IPv4 renumbering all IPv4 '''Floating IPs''' will be removed.<br />
** Afterwards new IPv4 '''Floating IPs''' can be allocated from <code>public-link</code>.<br />
** This affects <code>virt-shared</code> and all per project networks.<br />
** IPv6 will remain unchanged.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2032Guide: Network Configuration by Region2026-04-20T08:36:38Z<p>Admin-ulm-1: /* Per Project Networks */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> network, it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 range and are not shared with other projects.<br />
* A VM in a dual-stacked private network will receive a private, NAT-ed IPv4 and a public, global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2031Guide: Network Configuration by Region2026-04-20T08:35:12Z<p>Admin-ulm-1: /* Per Project Networks */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> network, it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 and are not shared with other projects.<br />
* A VM in a dual-stacked private network receives a private, NAT-ed IPv4 and a public global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2030Guide: Network Configuration by Region2026-04-20T08:34:12Z<p>Admin-ulm-1: /* IPv4 Ingress via Floating IPs */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a '''Floating IP''' can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 and are not shared with other projects.<br />
* A VM in a dual-stacked private network receives a private, NAT-ed IPv4 and a public global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2029Guide: Network Configuration by Region2026-04-20T08:33:49Z<p>Admin-ulm-1: /* IPv4 Ingress via Floating IPs */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* Optional '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity''' for that instance.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 and are not shared with other projects.<br />
* A VM in a dual-stacked private network receives a private, NAT-ed IPv4 and a public global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2028Guide: Network Configuration by Region2026-04-20T08:32:57Z<p>Admin-ulm-1: /* Ulm */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
* The instance internally only sees its private IPv4, but through the '''Floating IP''' external requests will arrive at its private IPv4.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 and are not shared with other projects.<br />
* A VM in a dual-stacked private network receives a private, NAT-ed IPv4 and a public global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2027Guide: Network Configuration by Region2026-04-20T08:28:17Z<p>Admin-ulm-1: /* Ulm */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 and are not shared with other projects.<br />
* A VM in a dual-stacked private network receives a private, NAT-ed IPv4 and a public global IPv6 address.<br />
** A unique, private IPv4 /26 range can be allocated from the subnet pool <code>tenant-v4-16-26</code>.<br />
** A unique, public IPv6 /64 range can be allocated from the subnet pool <code>tenant-v6-48-64</code>. <br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2026Guide: Network Configuration by Region2026-04-20T08:24:27Z<p>Admin-ulm-1: /* Ulm */</p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public global IPv6 address'''<br />
** A '''private NAT-ed IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* '''IPv4 (ingress)''': Optional and possible via '''Floating IPs'''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
* Incoming requests to the '''Floating IP''' will be relayed by the router to the instance's private IPv4 and vice-versa ('''DNAT''' + '''SNAT''').<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 and are not shared with other projects.<br />
* A VM in a dual-stacked private network receives a private, NAT-ed IPv4 and a public global IPv6 address.<br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Guide:_Network_Configuration_by_Region&diff=2025Guide: Network Configuration by Region2026-04-20T08:18:31Z<p>Admin-ulm-1: </p>
<hr />
<div><br />
This guide provides details of the VM networks in each '''[[Registration#Regions|bwCloud-OS region]]'''. It describes which networks are available by default, which can be requested, and how IPv4 and IPv6 connectivity is provided. <br />
<br />
While core networking concepts are consistent across regions, available networks, IP address ranges, and access methods may differ. Please refer to the section for your specific region.<br />
<br />
<br />
__TOC__<br />
<br />
== Freiburg ==<br />
*Information for this region will be provided soon.*<br />
<br />
== Karlsruhe ==<br />
The Karlsruhe region provides a '''default routed network''', as well as additional networks that can be assigned to projects upon request.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>default-network</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network.<br />
<br />
* IPv6: Direct public connectivity<br />
* IPv4 (egress): Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
* This Network is shared between all projects<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider-network</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned, a Floating IP can be associated with an instance to provide IPv4 ingress connectivity.<br />
<br />
=== Seperated Networks ===<br />
If you require a seperated Broadcast Domain you can request one via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
The network will:<br />
<br />
* receive a separate private IPv4 Subnet<br />
* receive a separate public IPv6 Subnet<br />
* have a separated Broadcast Domain only accessible by authorized projects<br />
* always use up at least one public IPv4 used for the virtual Router<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Karlsruhe region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
<br />
After the transition period:<br />
<br />
* All IP addresses (Routers and Floating IPs) from <code>provider-network</code> will be migrated to a new IPv4 Subnet. <br />
* This migration will be performed by administrators; no user action is required.<br />
* During the Migration all Floating IPs will be redistributed and some minor connection interruptions will happen.<br />
<br />
<br />
== Mannheim ==<br />
<br />
The Mannheim region provides a '''default routed network''', as well as '''additional networks''' that can be assigned to projects '''upon request'''. Both IPv6 and IPv4 connectivity options are available, depending on the selected network.<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>routed_default_net</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
📌 '''Note:''' This network extends the legacy IPv6-only network in the Mannheim region, which did not provide IPv4 connectivity. ''Before requesting an IPv4 address via a support ticket, please ensure that the combined connectivity is not already sufficient for your use case.''<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' are allocated from the external network <code>provider_default_net</code>.<br />
* They can be assigned to projects upon request via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are also flat external networks available, such as <code>provider_interim_net</code> .<br />
* They can be assigned to projects via a '''[https://bw-support.scc.kit.edu/ support ticket]'''.<br />
<br />
Instances connected directly to this type of network receive:<br />
<br />
* A '''public IPv4 address'''<br />
* A '''public IPv6 address'''<br />
<br />
This enables dual-stack public connectivity (IPv4 and IPv6) without the need for Floating IPs.<br />
<br />
=== Migration from Gen2 to Gen3 ===<br />
<br />
The Mannheim region is currently operating two environments in parallel:<br />
<br />
* Gen2 (legacy cloud)<br />
* Gen3 (current bwCloud-OS environment)<br />
<br />
This setup allows users to migrate their instances and data from Gen2 to Gen3.<br />
<br />
* The coexistence period will last until 31. August 2026.<br />
* During this period, <code>provider_interim_net</code> is used as the flat external network.<br />
<br />
After the transition period:<br />
<br />
* All dual-stack IP addresses from <code>provider_interim_net</code> will be migrated to <code>provider_default_net</code>. This migration will be performed by administrators; no user action is required.<br />
* Projects requiring a flat external network will be assigned <code>provider_default_net</code>.<br />
<br />
📌 '''Note:''' We do not recommend allocating Floating IPs from the <code>provider_interim_net</code>, because they will be lost after the transition period. Instead, request and associate them from <code>provider_default_net</code>.<br />
<br />
<br />
== Ulm ==<br />
<br />
=== Default Network ===<br />
<br />
* All projects have access to the default network <code>virt-shared</code>.<br />
* Instances connected to this network receive:<br />
** A '''public IPv6 address'''<br />
** A '''private IPv4 address'''<br />
<br />
This is a '''routed network''' using an OpenStack router connected to an external provider network:<br />
<br />
* '''IPv6''': Direct public connectivity<br />
* '''IPv4 (egress)''': Provided via '''SNAT''' through the router<br />
* IPv4 (ingress): Not available by default (see [[Guide: Network Configuration by Region#IPv4 Ingress via Floating IPs|'''IPv4 Ingress via Floating IPs''']])<br />
<br />
=== IPv4 Ingress via Floating IPs ===<br />
<br />
* '''Floating IPs''' can allocated from the external network <code>public-link</code> quota permitting.<br />
* Once assigned to a project, a Floating IP can be associated with an instance to provide '''IPv4 ingress connectivity'''.<br />
<br />
=== Flat External Networks ===<br />
<br />
* There are no flat networks available to users in region Ulm.<br />
<br />
=== Per Project Networks ===<br />
<br />
* If a project with multiple VMs wishes to use a separate network instead of relying on the <code>virt-shared</code> it is possible to allocate a private network.<br />
* Private networks have the same properties and limitations as the shared <code>virt-shared</code> network, but receive a smaller private IPv4 and are not shared with other projects.<br />
* A VM in a dual-stacked private network receives a private, NAT-ed IPv4 and a public global IPv6 address.<br />
* Optional '''Floating IPs''' from <code>public-link</code> can be used for IPv4 ingress, just like with the default <code>virt-shared</code> network.<br />
* The only meaningful advantage of a per project network is that is not shared with VMs from other projects.</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Blocked_and_Allowed_Ports&diff=2019Blocked and Allowed Ports2026-03-31T12:36:02Z<p>Admin-ulm-1: /* Region Ulm */</p>
<hr />
<div>== General ==<br />
The '''data centers of the universities''' of the bwCloud-OS operating sites '''block''' certain ports within their respective networks for security reasons. The bwCloud-OS regions are also affected, because the bwCloud-OS hardware is connected to the '''central network infrastructure'''.<br />
<br />
Some of the '''public IP ranges''' of the bwCloud-OS regions are part of the '''BelWü address space'''. These addresses are logically '''outside''' the network ranges of the hosting universities (the locations of bwCloud). The addresses are treated as external by the firewalls of the respective institutions.<br />
<br />
== Effects of the Packet Firewall for Users ==<br />
The most important effect for users is that the '''network runs more reliably and securely'''. Many hacker attacks are already blocked at the packet firewall and do not reach the campus or the end systems. The importance of this protection is evident from the fact that attacks now occur almost daily.<br />
<br />
However, there are a number of '''limitations''' to consider: if services other than the generally allowed ones listed here should be accessible from outside, this must be '''reported to the university IT'''. The corresponding service will then be enabled on the packet firewall.<br />
<br />
It may also happen that seemingly outbound connections from the instance to certain services do not work. This occurs whenever the external server providing the service tries to establish a return connection to the instance, which is often difficult for the user to verify.<br />
<br />
== Region Freiburg ==<br />
TODO: add<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
|-<br />
<br />
== Region Mannheim ==<br />
To provide basic network protection at the University of Mannheim, certain applications have been blocked at the boundaries of the university network to BelWü since October 1999. This is not intended to represent a central firewall of the university, but rather to filter out the most obvious threats at the outer boundaries of the Mannheim campus according to the "onion layer" principle.<br />
<br />
In the "well-known" ports range (i.e., ports below 1024), the following ports are open in server networks:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP (open) || 22 || ssh || SSH Server || in/outbound<br />
|-<br />
| TCP (open) || 80 || http || Web Server || in/outbound<br />
|-<br />
| UDP,TCP (open) || 443 || https || Web Server over SSL || in/outbound<br />
|-<br />
| TCP (open) || 465 || smtps || SMTP over SSL || in/outbound<br />
|-<br />
| TCP (open) || 587 || submission || Message Submission || in/outbound<br />
|-<br />
| TCP (open) || 990 || FTPs || FTP protocol, control, over TLS/SSL || in/outbound<br />
|-<br />
| TCP (open) || 993 || IMAPs || IMAP Mail over SSL || in/outbound<br />
|-<br />
| TCP (open) || 995 || POPs || POP Mail over SSL || in/outbound<br />
|}<br />
<br />
<br />
The following ports are blocked in the range above 1023:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP || 1433,1434 || MS-SQL || MS Office || inbound<br />
|-<br />
| TCP || 1501 || TSM || Backup || inbound<br />
|-<br />
| TCP || 1900 || SSDP || Service Discovery || inbound<br />
|-<br />
| UDP,TCP || 2049 || NFS || Filesystem || inbound<br />
|-<br />
| TCP || 2967 || Symantec || Symantec || inbound<br />
|-<br />
| UDP || 3283 || Apple || Apple Remote Desktop || inbound<br />
|-<br />
| TCP || 3306 || mysql || MySQL || inbound<br />
|-<br />
| UDP,TCP || 3389 || RDP || Remote Desktop || inbound<br />
|-<br />
| UDP || 3702 || Printer || WS-Discovery || inbound<br />
|-<br />
| UDP,TCP || 4045 || lockd || Filesystem || inbound<br />
|-<br />
| TCP || 4369 || EPMD || PortMapper || inbound<br />
|-<br />
| TCP || 5000 || UPnP || Universal Plug and Play || inbound<br />
|-<br />
| UDP || 5353 || mdns || Multicast DNS || inbound<br />
|-<br />
| TCP || 5432 || PostgreSQL || PostgreSQL || inbound<br />
|-<br />
| TCP || 5985 || WinRM || WinRM || inbound<br />
|-<br />
| TCP || 8333 || Bitcoin || Bitcoin Full Node || inbound<br />
|-<br />
| TCP || 8080 || www-alt || Alternative WWW Port || inbound<br />
|-<br />
| TCP || 9075 || nx-os || Cisco Nexus || inbound<br />
|-<br />
| UDP || 11211 || memcached || Memcached || inbound<br />
|-<br />
| TCP || 27017 || MongoDB || MongoDB || inbound<br />
|-<br />
| UDP || 32100 || IoT || IoT || outbound<br />
|-<br />
| UDP || 32414 || open-SSDP || Plex Media Servers || inbound<br />
|}<br />
<br />
== Region Karlsruhe ==<br />
In the bwCloud-OS Karlsruhe network, the following ports are blocked:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| UDP, TCP || 111 || RPC Portmapper || Portmapper Security || inbound/outbound<br />
|}<br />
== Region Ulm ==<br />
In the bwCloud-OS Region Ulm the following ports are blocked by the Uni border firewall:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port Range !! Description / Reason<br />
|-<br />
| TCP, UDP || 0 - 19 || lower protocols, like chargen, etc. used for DDoS<br />
|-<br />
| TCP, UDP || 23 || telnet<br />
|-<br />
| TCP, UDP || 42 || WINS<br />
|-<br />
| TCP, UDP || 67 - 69 || DHCP, tftp<br />
|-<br />
| TCP, UDP || 111 || rpc<br />
|-<br />
| TCP, UDP || 119 || nntp<br />
|-<br />
| TCP, UDP || 135 || loc-srv<br />
|-<br />
| TCP, UDP || 137 - 139 || SMB<br />
|-<br />
| TCP, UDP || 143 || IMAP, with explicit allow list<br />
|-<br />
| TCP, UDP || 161 - 162 || SNMP<br />
|-<br />
| TCP, UDP || 427 || SLP, Service Location Protocol<br />
|-<br />
| TCP, UDP || 445 || ms-ds<br />
|-<br />
| TCP, UDP || 512 - 515 || exec, login, who, syslog, shell, printer<br />
|-<br />
| TCP, UDP || 520 - 521 || rip, ripng<br />
|-<br />
| TCP, UDP || 548 || AFP, Apple File Protocol<br />
|-<br />
| TCP, UDP || 623 || IPMI<br />
|-<br />
| TCP, UDP || 631 || cups<br />
|-<br />
| TCP, UDP || 993 || IMAP, with explicit allow list<br />
|-<br />
| TCP, UDP || 1900 || SSDP<br />
|-<br />
| TCP, UDP || 2049 || nfsd<br />
|-<br />
| TCP, UDP || 3306 || MySQL<br />
|-<br />
| TCP, UDP || 3389 || RDP<br />
|-<br />
| TCP, UDP || 4045 || nfs lockd<br />
|-<br />
| TCP, UDP || 4369 || Erlang Port Mapper Daemon (EPMD)<br />
|-<br />
| TCP, UDP || 5432 || Postgres<br />
|-<br />
| TCP, UDP || 6443 || Kubernetes<br />
|-<br />
| TCP, UDP || 9000 - 10999 || 3CX RTP, with explicit allow list<br />
|-<br />
| TCP, UDP || 9100 || raw printer queues<br />
|-<br />
| TCP, UDP || 49152 || MS-RPC, allow incoming only established<br />
|-<br />
| TCP, UDP || 49664 - 49670 || MS-RPC, allow incoming only established<br />
|-<br />
|-<br />
| TCP || 25 || SMTP, with explicit allow list<br />
|-<br />
| TCP || 110 || POP<br />
|-<br />
| TCP || 389 || LDAP, with explicit allow list<br />
|-<br />
| TCP || 873 || rsync - maybe make a Server ACL like FTP<br />
|-<br />
| TCP || 995 || POPS<br />
|-<br />
| TCP || 1801 || Microsoft Message Queuing Service, CVE-2023-21554<br />
|-<br />
| TCP || 5800 || VNC<br />
|-<br />
| TCP || 5900 || VNC<br />
|-<br />
| TCP || 5901 || VNC, sic may be more...<br />
|-<br />
| TCP || 6000 || X-Server<br />
|-<br />
| TCP || 6379 || REDIS<br />
|-<br />
| TCP || 9401 || Veeam Backup, CVE-2023-27532<br />
|-<br />
| TCP || 27017 || MongoDB<br />
|-<br />
|-<br />
| UDP || 53 || DNS, with explicit allow list<br />
|-<br />
| UDP || 123 || NTP, with explicit allow list<br />
|-<br />
| UDP || 177 || XDMCP, X Display Manager ...<br />
|-<br />
| UDP || 389 || LDAP, UDP-based Amplification Attacks<br />
|-<br />
| UDP || 1434 || MS-SQL<br />
|-<br />
| UDP || 3283 || Apple Remote Desktop<br />
|-<br />
| UDP || 3478 || STUN, with explicit allow list<br />
|-<br />
| UDP || 3702 || WS-Discovery<br />
|-<br />
| UDP || 5093 || SPSS License Server<br />
|-<br />
| UDP || 5353 || mDNS, UDP-based Amplification Attacks<br />
|-<br />
|}</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Blocked_and_Allowed_Ports&diff=2018Blocked and Allowed Ports2026-03-31T12:35:27Z<p>Admin-ulm-1: /* Region Ulm */</p>
<hr />
<div>== General ==<br />
The '''data centers of the universities''' of the bwCloud-OS operating sites '''block''' certain ports within their respective networks for security reasons. The bwCloud-OS regions are also affected, because the bwCloud-OS hardware is connected to the '''central network infrastructure'''.<br />
<br />
Some of the '''public IP ranges''' of the bwCloud-OS regions are part of the '''BelWü address space'''. These addresses are logically '''outside''' the network ranges of the hosting universities (the locations of bwCloud). The addresses are treated as external by the firewalls of the respective institutions.<br />
<br />
== Effects of the Packet Firewall for Users ==<br />
The most important effect for users is that the '''network runs more reliably and securely'''. Many hacker attacks are already blocked at the packet firewall and do not reach the campus or the end systems. The importance of this protection is evident from the fact that attacks now occur almost daily.<br />
<br />
However, there are a number of '''limitations''' to consider: if services other than the generally allowed ones listed here should be accessible from outside, this must be '''reported to the university IT'''. The corresponding service will then be enabled on the packet firewall.<br />
<br />
It may also happen that seemingly outbound connections from the instance to certain services do not work. This occurs whenever the external server providing the service tries to establish a return connection to the instance, which is often difficult for the user to verify.<br />
<br />
== Region Freiburg ==<br />
TODO: add<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
|-<br />
<br />
== Region Mannheim ==<br />
To provide basic network protection at the University of Mannheim, certain applications have been blocked at the boundaries of the university network to BelWü since October 1999. This is not intended to represent a central firewall of the university, but rather to filter out the most obvious threats at the outer boundaries of the Mannheim campus according to the "onion layer" principle.<br />
<br />
In the "well-known" ports range (i.e., ports below 1024), the following ports are open in server networks:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP (open) || 22 || ssh || SSH Server || in/outbound<br />
|-<br />
| TCP (open) || 80 || http || Web Server || in/outbound<br />
|-<br />
| UDP,TCP (open) || 443 || https || Web Server over SSL || in/outbound<br />
|-<br />
| TCP (open) || 465 || smtps || SMTP over SSL || in/outbound<br />
|-<br />
| TCP (open) || 587 || submission || Message Submission || in/outbound<br />
|-<br />
| TCP (open) || 990 || FTPs || FTP protocol, control, over TLS/SSL || in/outbound<br />
|-<br />
| TCP (open) || 993 || IMAPs || IMAP Mail over SSL || in/outbound<br />
|-<br />
| TCP (open) || 995 || POPs || POP Mail over SSL || in/outbound<br />
|}<br />
<br />
<br />
The following ports are blocked in the range above 1023:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP || 1433,1434 || MS-SQL || MS Office || inbound<br />
|-<br />
| TCP || 1501 || TSM || Backup || inbound<br />
|-<br />
| TCP || 1900 || SSDP || Service Discovery || inbound<br />
|-<br />
| UDP,TCP || 2049 || NFS || Filesystem || inbound<br />
|-<br />
| TCP || 2967 || Symantec || Symantec || inbound<br />
|-<br />
| UDP || 3283 || Apple || Apple Remote Desktop || inbound<br />
|-<br />
| TCP || 3306 || mysql || MySQL || inbound<br />
|-<br />
| UDP,TCP || 3389 || RDP || Remote Desktop || inbound<br />
|-<br />
| UDP || 3702 || Printer || WS-Discovery || inbound<br />
|-<br />
| UDP,TCP || 4045 || lockd || Filesystem || inbound<br />
|-<br />
| TCP || 4369 || EPMD || PortMapper || inbound<br />
|-<br />
| TCP || 5000 || UPnP || Universal Plug and Play || inbound<br />
|-<br />
| UDP || 5353 || mdns || Multicast DNS || inbound<br />
|-<br />
| TCP || 5432 || PostgreSQL || PostgreSQL || inbound<br />
|-<br />
| TCP || 5985 || WinRM || WinRM || inbound<br />
|-<br />
| TCP || 8333 || Bitcoin || Bitcoin Full Node || inbound<br />
|-<br />
| TCP || 8080 || www-alt || Alternative WWW Port || inbound<br />
|-<br />
| TCP || 9075 || nx-os || Cisco Nexus || inbound<br />
|-<br />
| UDP || 11211 || memcached || Memcached || inbound<br />
|-<br />
| TCP || 27017 || MongoDB || MongoDB || inbound<br />
|-<br />
| UDP || 32100 || IoT || IoT || outbound<br />
|-<br />
| UDP || 32414 || open-SSDP || Plex Media Servers || inbound<br />
|}<br />
<br />
== Region Karlsruhe ==<br />
In the bwCloud-OS Karlsruhe network, the following ports are blocked:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| UDP, TCP || 111 || RPC Portmapper || Portmapper Security || inbound/outbound<br />
|}<br />
== Region Ulm ==<br />
In the bwCloud-OS Region Ulm the following ports are blocked by the Uni border firewall:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port Range !! Description / Reason<br />
|-<br />
| TCP, UDP || 0 - 19 || lower protocols, like chargen, etc. used for DDoS<br />
|-<br />
| TCP, UDP || 23 || telnet<br />
|-<br />
| TCP, UDP || 42 || WINS<br />
|-<br />
| TCP, UDP || 67 - 69 || DHCP, tftp<br />
|-<br />
| TCP, UDP || 111 || rpc<br />
|-<br />
| TCP, UDP || 119 || nntp<br />
|-<br />
| TCP, UDP || 135 || loc-srv<br />
|-<br />
| TCP, UDP || 137 - 139 || SMB<br />
|-<br />
| TCP, UDP || 143 || IMAP, with explicit allow list<br />
|-<br />
| TCP, UDP || 161 - 162 || SNMP<br />
|-<br />
| TCP, UDP || 427 || SLP, Service Location Protocol<br />
|-<br />
| TCP, UDP || 445 || ms-ds<br />
|-<br />
| TCP, UDP || 512 - 515 || exec, login, who, syslog, shell, printer<br />
|-<br />
| TCP, UDP || 520 - 521 || rip, ripng<br />
|-<br />
| TCP, UDP || 548 || AFP, Apple File Protocol<br />
|-<br />
| TCP, UDP || 623 || IPMI<br />
|-<br />
| TCP, UDP || 631 || cups<br />
|-<br />
| TCP, UDP || 993 || IMAP, with explicit allow list<br />
|-<br />
| TCP, UDP || 1900 || SSDP<br />
|-<br />
| TCP, UDP || 2049 || nfsd<br />
|-<br />
| TCP, UDP || 3306 || MySQL<br />
|-<br />
| TCP, UDP || 3389 || RDP<br />
|-<br />
| TCP, UDP || 4045 || nfs lockd<br />
|-<br />
| TCP, UDP || 4369 || Erlang Port Mapper Daemon (EPMD)<br />
|-<br />
| TCP, UDP || 5432 || Postgres<br />
|-<br />
| TCP, UDP || 6443 || Kubernetes<br />
|-<br />
| TCP, UDP || 9000 - 10999 || 3CX RTP, with explicit allow list<br />
|-<br />
| TCP, UDP || 9100 || raw printer queues<br />
|-<br />
| TCP, UDP || 49152 || MS-RPC, allow incoming only established<br />
|-<br />
| TCP, UDP || 49664 - 49670 || MS-RPC, allow incoming only established<br />
|-<br />
|-<br />
| TCP || 53 || SMTP, with explicit allow list<br />
|-<br />
| TCP || 110 || POP<br />
|-<br />
| TCP || 389 || LDAP, with explicit allow list<br />
|-<br />
| TCP || 873 || rsync - maybe make a Server ACL like FTP<br />
|-<br />
| TCP || 995 || POPS<br />
|-<br />
| TCP || 1801 || Microsoft Message Queuing Service, CVE-2023-21554<br />
|-<br />
| TCP || 5800 || VNC<br />
|-<br />
| TCP || 5900 || VNC<br />
|-<br />
| TCP || 5901 || VNC, sic may be more...<br />
|-<br />
| TCP || 6000 || X-Server<br />
|-<br />
| TCP || 6379 || REDIS<br />
|-<br />
| TCP || 9401 || Veeam Backup, CVE-2023-27532<br />
|-<br />
| TCP || 27017 || MongoDB<br />
|-<br />
|-<br />
| UDP || 53 || DNS, with explicit allow list<br />
|-<br />
| UDP || 123 || NTP, with explicit allow list<br />
|-<br />
| UDP || 177 || XDMCP, X Display Manager ...<br />
|-<br />
| UDP || 389 || LDAP, UDP-based Amplification Attacks<br />
|-<br />
| UDP || 1434 || MS-SQL<br />
|-<br />
| UDP || 3283 || Apple Remote Desktop<br />
|-<br />
| UDP || 3478 || STUN, with explicit allow list<br />
|-<br />
| UDP || 3702 || WS-Discovery<br />
|-<br />
| UDP || 5093 || SPSS License Server<br />
|-<br />
| UDP || 5353 || mDNS, UDP-based Amplification Attacks<br />
|-<br />
|}</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Blocked_and_Allowed_Ports&diff=2017Blocked and Allowed Ports2026-03-31T12:22:27Z<p>Admin-ulm-1: /* Region Ulm */</p>
<hr />
<div>== General ==<br />
The '''data centers of the universities''' of the bwCloud-OS operating sites '''block''' certain ports within their respective networks for security reasons. The bwCloud-OS regions are also affected, because the bwCloud-OS hardware is connected to the '''central network infrastructure'''.<br />
<br />
Some of the '''public IP ranges''' of the bwCloud-OS regions are part of the '''BelWü address space'''. These addresses are logically '''outside''' the network ranges of the hosting universities (the locations of bwCloud). The addresses are treated as external by the firewalls of the respective institutions.<br />
<br />
== Effects of the Packet Firewall for Users ==<br />
The most important effect for users is that the '''network runs more reliably and securely'''. Many hacker attacks are already blocked at the packet firewall and do not reach the campus or the end systems. The importance of this protection is evident from the fact that attacks now occur almost daily.<br />
<br />
However, there are a number of '''limitations''' to consider: if services other than the generally allowed ones listed here should be accessible from outside, this must be '''reported to the university IT'''. The corresponding service will then be enabled on the packet firewall.<br />
<br />
It may also happen that seemingly outbound connections from the instance to certain services do not work. This occurs whenever the external server providing the service tries to establish a return connection to the instance, which is often difficult for the user to verify.<br />
<br />
== Region Freiburg ==<br />
TODO: add<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
|-<br />
<br />
== Region Mannheim ==<br />
To provide basic network protection at the University of Mannheim, certain applications have been blocked at the boundaries of the university network to BelWü since October 1999. This is not intended to represent a central firewall of the university, but rather to filter out the most obvious threats at the outer boundaries of the Mannheim campus according to the "onion layer" principle.<br />
<br />
In the "well-known" ports range (i.e., ports below 1024), the following ports are open in server networks:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP (open) || 22 || ssh || SSH Server || in/outbound<br />
|-<br />
| TCP (open) || 80 || http || Web Server || in/outbound<br />
|-<br />
| UDP,TCP (open) || 443 || https || Web Server over SSL || in/outbound<br />
|-<br />
| TCP (open) || 465 || smtps || SMTP over SSL || in/outbound<br />
|-<br />
| TCP (open) || 587 || submission || Message Submission || in/outbound<br />
|-<br />
| TCP (open) || 990 || FTPs || FTP protocol, control, over TLS/SSL || in/outbound<br />
|-<br />
| TCP (open) || 993 || IMAPs || IMAP Mail over SSL || in/outbound<br />
|-<br />
| TCP (open) || 995 || POPs || POP Mail over SSL || in/outbound<br />
|}<br />
<br />
<br />
The following ports are blocked in the range above 1023:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP || 1433,1434 || MS-SQL || MS Office || inbound<br />
|-<br />
| TCP || 1501 || TSM || Backup || inbound<br />
|-<br />
| TCP || 1900 || SSDP || Service Discovery || inbound<br />
|-<br />
| UDP,TCP || 2049 || NFS || Filesystem || inbound<br />
|-<br />
| TCP || 2967 || Symantec || Symantec || inbound<br />
|-<br />
| UDP || 3283 || Apple || Apple Remote Desktop || inbound<br />
|-<br />
| TCP || 3306 || mysql || MySQL || inbound<br />
|-<br />
| UDP,TCP || 3389 || RDP || Remote Desktop || inbound<br />
|-<br />
| UDP || 3702 || Printer || WS-Discovery || inbound<br />
|-<br />
| UDP,TCP || 4045 || lockd || Filesystem || inbound<br />
|-<br />
| TCP || 4369 || EPMD || PortMapper || inbound<br />
|-<br />
| TCP || 5000 || UPnP || Universal Plug and Play || inbound<br />
|-<br />
| UDP || 5353 || mdns || Multicast DNS || inbound<br />
|-<br />
| TCP || 5432 || PostgreSQL || PostgreSQL || inbound<br />
|-<br />
| TCP || 5985 || WinRM || WinRM || inbound<br />
|-<br />
| TCP || 8333 || Bitcoin || Bitcoin Full Node || inbound<br />
|-<br />
| TCP || 8080 || www-alt || Alternative WWW Port || inbound<br />
|-<br />
| TCP || 9075 || nx-os || Cisco Nexus || inbound<br />
|-<br />
| UDP || 11211 || memcached || Memcached || inbound<br />
|-<br />
| TCP || 27017 || MongoDB || MongoDB || inbound<br />
|-<br />
| UDP || 32100 || IoT || IoT || outbound<br />
|-<br />
| UDP || 32414 || open-SSDP || Plex Media Servers || inbound<br />
|}<br />
<br />
== Region Karlsruhe ==<br />
In the bwCloud-OS Karlsruhe network, the following ports are blocked:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| UDP, TCP || 111 || RPC Portmapper || Portmapper Security || inbound/outbound<br />
|}<br />
== Region Ulm ==<br />
In the bwCloud-OS Region Ulm the following ports are blocked by the Uni border firewall:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port Range !! Description / Reason<br />
|-<br />
| TCP, UDP || 0 - 19 || lower protocols, like chargen, etc. used for DDoS<br />
|-<br />
| TCP, UDP || 23 || telnet<br />
|-<br />
| TCP, UDP || 42 || WINS<br />
|-<br />
| TCP, UDP || 67 - 69 || DHCP, tftp<br />
|-<br />
| TCP, UDP || 111 || rpc<br />
|-<br />
| TCP, UDP || 119 || nntp<br />
|-<br />
| TCP, UDP || 135 || loc-srv<br />
|-<br />
| TCP, UDP || 137 - 139 || SMB<br />
|-<br />
| TCP, UDP || 143 || IMAP, with explicit allow list<br />
|-<br />
| TCP, UDP || 161 - 162 || SNMP<br />
|-<br />
| TCP, UDP || 427 || SLP, Service Location Protocol<br />
|-<br />
| TCP, UDP || 445 || ms-ds<br />
|-<br />
| TCP, UDP || 512 - 515 || exec, login, who, syslog, shell, printer<br />
|-<br />
| TCP, UDP || 520 - 521 || rip, ripng<br />
|-<br />
| TCP, UDP || 548 || AFP, Apple File Protocol<br />
|-<br />
| TCP, UDP || 623 || IPMI<br />
|-<br />
| TCP, UDP || 631 || cups<br />
|-<br />
| TCP, UDP || 993 || IMAP, with explicit allow list<br />
|-<br />
| TCP, UDP || 1900 || SSDP<br />
|-<br />
| TCP, UDP || 2049 || nfsd<br />
|-<br />
| TCP, UDP || 3306 || MySQL<br />
|-<br />
| TCP, UDP || 3389 || RDP<br />
|-<br />
| TCP, UDP || 4045 || nfs lockd<br />
|-<br />
| TCP, UDP || 4369 || Erlang Port Mapper Daemon (EPMD)<br />
|-<br />
| TCP, UDP || 5432 || Postgres<br />
|-<br />
| TCP, UDP || 6443 || Kubernetes<br />
|-<br />
| TCP, UDP || 9000 - 10999 || 3CX RTP, with explicit allow list<br />
|-<br />
| TCP, UDP || 9100 || raw printer queues<br />
|-<br />
| TCP, UDP || 49152 || MS-RPC, allow incoming only established<br />
|-<br />
| TCP, UDP || 49664 - 49670 || MS-RPC, allow incoming only established<br />
|-<br />
|-<br />
| TCP || 110 || POP<br />
|-<br />
| TCP || 873 || rsync - maybe make a Server ACL like FTP<br />
|-<br />
| TCP || 995 || POPS<br />
|-<br />
| TCP || 1801 || Microsoft Message Queuing Service, CVE-2023-21554<br />
|-<br />
| TCP || 5800 || VNC<br />
|-<br />
| TCP || 5900 || VNC<br />
|-<br />
| TCP || 5901 || VNC, sic may be more...<br />
|-<br />
| TCP || 6000 || X-Server<br />
|-<br />
| TCP || 6379 || REDIS<br />
|-<br />
| TCP || 9401 || Veeam Backup, CVE-2023-27532<br />
|-<br />
| TCP || 27017 || MongoDB<br />
|-<br />
|-<br />
| UDP || 177 || XDMCP, X Display Manager ...<br />
|-<br />
| UDP || 389 || LDAP, UDP-based Amplification Attacks<br />
|-<br />
| UDP || 1434 || MS-SQL<br />
|-<br />
| UDP || 3283 || Apple Remote Desktop<br />
|-<br />
| UDP || 3702 || WS-Discovery<br />
|-<br />
| UDP || 5093 || SPSS License Server<br />
|-<br />
| UDP || 5353 || mDNS, UDP-based Amplification Attacks<br />
|-<br />
|}</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Blocked_and_Allowed_Ports&diff=2016Blocked and Allowed Ports2026-03-31T12:17:40Z<p>Admin-ulm-1: /* Region Ulm */</p>
<hr />
<div>== General ==<br />
The '''data centers of the universities''' of the bwCloud-OS operating sites '''block''' certain ports within their respective networks for security reasons. The bwCloud-OS regions are also affected, because the bwCloud-OS hardware is connected to the '''central network infrastructure'''.<br />
<br />
Some of the '''public IP ranges''' of the bwCloud-OS regions are part of the '''BelWü address space'''. These addresses are logically '''outside''' the network ranges of the hosting universities (the locations of bwCloud). The addresses are treated as external by the firewalls of the respective institutions.<br />
<br />
== Effects of the Packet Firewall for Users ==<br />
The most important effect for users is that the '''network runs more reliably and securely'''. Many hacker attacks are already blocked at the packet firewall and do not reach the campus or the end systems. The importance of this protection is evident from the fact that attacks now occur almost daily.<br />
<br />
However, there are a number of '''limitations''' to consider: if services other than the generally allowed ones listed here should be accessible from outside, this must be '''reported to the university IT'''. The corresponding service will then be enabled on the packet firewall.<br />
<br />
It may also happen that seemingly outbound connections from the instance to certain services do not work. This occurs whenever the external server providing the service tries to establish a return connection to the instance, which is often difficult for the user to verify.<br />
<br />
== Region Freiburg ==<br />
TODO: add<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
|-<br />
<br />
== Region Mannheim ==<br />
To provide basic network protection at the University of Mannheim, certain applications have been blocked at the boundaries of the university network to BelWü since October 1999. This is not intended to represent a central firewall of the university, but rather to filter out the most obvious threats at the outer boundaries of the Mannheim campus according to the "onion layer" principle.<br />
<br />
In the "well-known" ports range (i.e., ports below 1024), the following ports are open in server networks:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP (open) || 22 || ssh || SSH Server || in/outbound<br />
|-<br />
| TCP (open) || 80 || http || Web Server || in/outbound<br />
|-<br />
| UDP,TCP (open) || 443 || https || Web Server over SSL || in/outbound<br />
|-<br />
| TCP (open) || 465 || smtps || SMTP over SSL || in/outbound<br />
|-<br />
| TCP (open) || 587 || submission || Message Submission || in/outbound<br />
|-<br />
| TCP (open) || 990 || FTPs || FTP protocol, control, over TLS/SSL || in/outbound<br />
|-<br />
| TCP (open) || 993 || IMAPs || IMAP Mail over SSL || in/outbound<br />
|-<br />
| TCP (open) || 995 || POPs || POP Mail over SSL || in/outbound<br />
|}<br />
<br />
<br />
The following ports are blocked in the range above 1023:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP || 1433,1434 || MS-SQL || MS Office || inbound<br />
|-<br />
| TCP || 1501 || TSM || Backup || inbound<br />
|-<br />
| TCP || 1900 || SSDP || Service Discovery || inbound<br />
|-<br />
| UDP,TCP || 2049 || NFS || Filesystem || inbound<br />
|-<br />
| TCP || 2967 || Symantec || Symantec || inbound<br />
|-<br />
| UDP || 3283 || Apple || Apple Remote Desktop || inbound<br />
|-<br />
| TCP || 3306 || mysql || MySQL || inbound<br />
|-<br />
| UDP,TCP || 3389 || RDP || Remote Desktop || inbound<br />
|-<br />
| UDP || 3702 || Printer || WS-Discovery || inbound<br />
|-<br />
| UDP,TCP || 4045 || lockd || Filesystem || inbound<br />
|-<br />
| TCP || 4369 || EPMD || PortMapper || inbound<br />
|-<br />
| TCP || 5000 || UPnP || Universal Plug and Play || inbound<br />
|-<br />
| UDP || 5353 || mdns || Multicast DNS || inbound<br />
|-<br />
| TCP || 5432 || PostgreSQL || PostgreSQL || inbound<br />
|-<br />
| TCP || 5985 || WinRM || WinRM || inbound<br />
|-<br />
| TCP || 8333 || Bitcoin || Bitcoin Full Node || inbound<br />
|-<br />
| TCP || 8080 || www-alt || Alternative WWW Port || inbound<br />
|-<br />
| TCP || 9075 || nx-os || Cisco Nexus || inbound<br />
|-<br />
| UDP || 11211 || memcached || Memcached || inbound<br />
|-<br />
| TCP || 27017 || MongoDB || MongoDB || inbound<br />
|-<br />
| UDP || 32100 || IoT || IoT || outbound<br />
|-<br />
| UDP || 32414 || open-SSDP || Plex Media Servers || inbound<br />
|}<br />
<br />
== Region Karlsruhe ==<br />
In the bwCloud-OS Karlsruhe network, the following ports are blocked:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| UDP, TCP || 111 || RPC Portmapper || Portmapper Security || inbound/outbound<br />
|}<br />
== Region Ulm ==<br />
In the bwCloud-OS Region Ulm the following ports are blocked by the Uni border firewall:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port Range !! Description / Reason<br />
|-<br />
| TCP, UDP || 0 - 19 || lower protocols, like chargen, etc. used for DDoS<br />
|-<br />
| TCP, UDP || 23 || telnet<br />
|-<br />
| TCP, UDP || 42 || WINS<br />
|-<br />
| TCP, UDP || 67 - 69 || DHCP, tftp<br />
|-<br />
| TCP, UDP || 111 || rpc<br />
|-<br />
| TCP, UDP || 119 || nntp<br />
|-<br />
| TCP, UDP || 135 || loc-srv<br />
|-<br />
| TCP, UDP || 137 - 139 || SMB<br />
|-<br />
| TCP, UDP || 143 || IMAP, with allow list<br />
|-<br />
| TCP, UDP || 161 - 162 || SNMP<br />
|-<br />
| TCP, UDP || 427 || SLP, Service Location Protocol<br />
|-<br />
| TCP, UDP || 445 || ms-ds<br />
|-<br />
| TCP, UDP || 512 - 515 || exec, login, who, syslog, shell, printer<br />
|-<br />
| TCP, UDP || 520 - 521 || rip, ripng<br />
|-<br />
| TCP, UDP || 548 || AFP, Apple File Protocol<br />
|-<br />
| TCP, UDP || 623 || IPMI<br />
|-<br />
| TCP, UDP || 631 || cups<br />
|-<br />
| TCP, UDP || 993 || IMAP, with allow list<br />
|-<br />
| TCP, UDP || 1900 || SSDP<br />
|-<br />
| TCP, UDP || 2049 || nfsd<br />
|-<br />
| TCP, UDP || 3306 || MySQL<br />
|-<br />
| TCP, UDP || 3389 || RDP<br />
|-<br />
| TCP, UDP || 4045 || nfs lockd<br />
|-<br />
| TCP, UDP || 4369 || Erlang Port Mapper Daemon (EPMD)<br />
|-<br />
| TCP, UDP || 5432 || Postgres<br />
|-<br />
| TCP, UDP || 6443 || Kubernetes<br />
|-<br />
| TCP, UDP || 9100 || raw printer queues<br />
|-<br />
| TCP, UDP || 49152 || MS-RPC, allow incoming only established<br />
|-<br />
| TCP, UDP || 49664 - 49670 || MS-RPC, allow incoming only established<br />
|-<br />
|-<br />
| TCP || 110 || POP<br />
|-<br />
| TCP || 873 || rsync - maybe make a Server ACL like FTP<br />
|-<br />
| TCP || 995 || POPS<br />
|-<br />
| TCP || 1801 || Microsoft Message Queuing Service, CVE-2023-21554<br />
|-<br />
| TCP || 5800 || VNC<br />
|-<br />
| TCP || 5900 || VNC<br />
|-<br />
| TCP || 5901 || VNC, sic may be more...<br />
|-<br />
| TCP || 6000 || X-Server<br />
|-<br />
| TCP || 6379 || REDIS<br />
|-<br />
| TCP || 9401 || Veeam Backup, CVE-2023-27532<br />
|-<br />
| TCP || 27017 || MongoDB<br />
|-<br />
|-<br />
| UDP || 177 || XDMCP, X Display Manager ...<br />
|-<br />
| UDP || 389 || LDAP, UDP-based Amplification Attacks<br />
|-<br />
| UDP || 1434 || MS-SQL<br />
|-<br />
| UDP || 3283 || Apple Remote Desktop<br />
|-<br />
| UDP || 3702 || WS-Discovery<br />
|-<br />
| UDP || 5093 || SPSS License Server<br />
|-<br />
| UDP || 5353 || mDNS, UDP-based Amplification Attacks<br />
|-<br />
|}</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Blocked_and_Allowed_Ports&diff=2015Blocked and Allowed Ports2026-03-31T12:13:54Z<p>Admin-ulm-1: </p>
<hr />
<div>== General ==<br />
The '''data centers of the universities''' of the bwCloud-OS operating sites '''block''' certain ports within their respective networks for security reasons. The bwCloud-OS regions are also affected, because the bwCloud-OS hardware is connected to the '''central network infrastructure'''.<br />
<br />
Some of the '''public IP ranges''' of the bwCloud-OS regions are part of the '''BelWü address space'''. These addresses are logically '''outside''' the network ranges of the hosting universities (the locations of bwCloud). The addresses are treated as external by the firewalls of the respective institutions.<br />
<br />
== Effects of the Packet Firewall for Users ==<br />
The most important effect for users is that the '''network runs more reliably and securely'''. Many hacker attacks are already blocked at the packet firewall and do not reach the campus or the end systems. The importance of this protection is evident from the fact that attacks now occur almost daily.<br />
<br />
However, there are a number of '''limitations''' to consider: if services other than the generally allowed ones listed here should be accessible from outside, this must be '''reported to the university IT'''. The corresponding service will then be enabled on the packet firewall.<br />
<br />
It may also happen that seemingly outbound connections from the instance to certain services do not work. This occurs whenever the external server providing the service tries to establish a return connection to the instance, which is often difficult for the user to verify.<br />
<br />
== Region Freiburg ==<br />
TODO: add<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
|-<br />
<br />
== Region Mannheim ==<br />
To provide basic network protection at the University of Mannheim, certain applications have been blocked at the boundaries of the university network to BelWü since October 1999. This is not intended to represent a central firewall of the university, but rather to filter out the most obvious threats at the outer boundaries of the Mannheim campus according to the "onion layer" principle.<br />
<br />
In the "well-known" ports range (i.e., ports below 1024), the following ports are open in server networks:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP (open) || 22 || ssh || SSH Server || in/outbound<br />
|-<br />
| TCP (open) || 80 || http || Web Server || in/outbound<br />
|-<br />
| UDP,TCP (open) || 443 || https || Web Server over SSL || in/outbound<br />
|-<br />
| TCP (open) || 465 || smtps || SMTP over SSL || in/outbound<br />
|-<br />
| TCP (open) || 587 || submission || Message Submission || in/outbound<br />
|-<br />
| TCP (open) || 990 || FTPs || FTP protocol, control, over TLS/SSL || in/outbound<br />
|-<br />
| TCP (open) || 993 || IMAPs || IMAP Mail over SSL || in/outbound<br />
|-<br />
| TCP (open) || 995 || POPs || POP Mail over SSL || in/outbound<br />
|}<br />
<br />
<br />
The following ports are blocked in the range above 1023:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP || 1433,1434 || MS-SQL || MS Office || inbound<br />
|-<br />
| TCP || 1501 || TSM || Backup || inbound<br />
|-<br />
| TCP || 1900 || SSDP || Service Discovery || inbound<br />
|-<br />
| UDP,TCP || 2049 || NFS || Filesystem || inbound<br />
|-<br />
| TCP || 2967 || Symantec || Symantec || inbound<br />
|-<br />
| UDP || 3283 || Apple || Apple Remote Desktop || inbound<br />
|-<br />
| TCP || 3306 || mysql || MySQL || inbound<br />
|-<br />
| UDP,TCP || 3389 || RDP || Remote Desktop || inbound<br />
|-<br />
| UDP || 3702 || Printer || WS-Discovery || inbound<br />
|-<br />
| UDP,TCP || 4045 || lockd || Filesystem || inbound<br />
|-<br />
| TCP || 4369 || EPMD || PortMapper || inbound<br />
|-<br />
| TCP || 5000 || UPnP || Universal Plug and Play || inbound<br />
|-<br />
| UDP || 5353 || mdns || Multicast DNS || inbound<br />
|-<br />
| TCP || 5432 || PostgreSQL || PostgreSQL || inbound<br />
|-<br />
| TCP || 5985 || WinRM || WinRM || inbound<br />
|-<br />
| TCP || 8333 || Bitcoin || Bitcoin Full Node || inbound<br />
|-<br />
| TCP || 8080 || www-alt || Alternative WWW Port || inbound<br />
|-<br />
| TCP || 9075 || nx-os || Cisco Nexus || inbound<br />
|-<br />
| UDP || 11211 || memcached || Memcached || inbound<br />
|-<br />
| TCP || 27017 || MongoDB || MongoDB || inbound<br />
|-<br />
| UDP || 32100 || IoT || IoT || outbound<br />
|-<br />
| UDP || 32414 || open-SSDP || Plex Media Servers || inbound<br />
|}<br />
<br />
== Region Karlsruhe ==<br />
In the bwCloud-OS Karlsruhe network, the following ports are blocked:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| UDP, TCP || 111 || RPC Portmapper || Portmapper Security || inbound/outbound<br />
|}<br />
== Region Ulm ==<br />
In the bwCloud-OS Region Ulm the following ports are blocked by the Uni border firewall:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port Range !! Description / Reason<br />
|-<br />
| TCP, UDP || 0 - 19 || lower protocols, like chargen, etc. used for DDoS<br />
|-<br />
| TCP, UDP || 23 || telnet<br />
|-<br />
| TCP, UDP || 42 || WINS<br />
|-<br />
| TCP, UDP || 67 - 69 || DHCP, tftp<br />
|-<br />
| TCP, UDP || 111 || rpc<br />
|-<br />
| TCP, UDP || 119 || nntp<br />
|-<br />
| TCP, UDP || 135 || loc-srv<br />
|-<br />
| TCP, UDP || 137 - 139 || SMB<br />
|-<br />
| TCP, UDP || 161 - 162 || SNMP<br />
|-<br />
| TCP, UDP || 427 || SLP, Service Location Protocol<br />
|-<br />
| TCP, UDP || 445 || ms-ds<br />
|-<br />
| TCP, UDP || 512 - 515 || exec, login, who, syslog, shell, printer<br />
|-<br />
| TCP, UDP || 520 - 521 || rip, ripng<br />
|-<br />
| TCP, UDP || 548 || AFP, Apple File Protocol<br />
|-<br />
| TCP, UDP || 623 || IPMI<br />
|-<br />
| TCP, UDP || 631 || cups<br />
|-<br />
| TCP, UDP || 1900 || SSDP<br />
|-<br />
| TCP, UDP || 2049 || nfsd<br />
|-<br />
| TCP, UDP || 3306 || MySQL<br />
|-<br />
| TCP, UDP || 3389 || RDP<br />
|-<br />
| TCP, UDP || 4045 || nfs lockd<br />
|-<br />
| TCP, UDP || 4369 || Erlang Port Mapper Daemon (EPMD)<br />
|-<br />
| TCP, UDP || 5432 || Postgres<br />
|-<br />
| TCP, UDP || 6443 || Kubernetes<br />
|-<br />
| TCP, UDP || 9100 || raw printer queues<br />
|-<br />
| TCP, UDP || 49152 || MS-RPC, allow incoming only established<br />
|-<br />
| TCP, UDP || 49664 - 49670 || MS-RPC, allow incoming only established<br />
|-<br />
|-<br />
| TCP || 110 || POP<br />
|-<br />
| TCP || 873 || rsync - maybe make a Server ACL like FTP<br />
|-<br />
| TCP || 995 || POPS<br />
|-<br />
| TCP || 1801 || Microsoft Message Queuing Service, CVE-2023-21554<br />
|-<br />
| TCP || 5800 || VNC<br />
|-<br />
| TCP || 5900 || VNC<br />
|-<br />
| TCP || 5901 || VNC, sic may be more...<br />
|-<br />
| TCP || 6000 || X-Server<br />
|-<br />
| TCP || 6379 || REDIS<br />
|-<br />
| TCP || 9401 || Veeam Backup, CVE-2023-27532<br />
|-<br />
| TCP || 27017 || MongoDB<br />
|-<br />
|-<br />
| UDP || 177 || XDMCP, X Display Manager ...<br />
|-<br />
| UDP || 389 || LDAP, UDP-based Amplification Attacks<br />
|-<br />
| UDP || 1434 || MS-SQL<br />
|-<br />
| UDP || 3283 || Apple Remote Desktop<br />
|-<br />
| UDP || 3702 || WS-Discovery<br />
|-<br />
| UDP || 5093 || SPSS License Server<br />
|-<br />
| UDP || 5353 || mDNS, UDP-based Amplification Attacks<br />
|-<br />
|}</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Blocked_and_Allowed_Ports&diff=2014Blocked and Allowed Ports2026-03-31T12:08:13Z<p>Admin-ulm-1: /* Region Ulm */</p>
<hr />
<div>== General ==<br />
The '''data centers of the universities''' of the bwCloud-OS operating sites '''block''' certain ports within their respective networks for security reasons. The bwCloud-OS regions are also affected, because the bwCloud-OS hardware is connected to the '''central network infrastructure'''.<br />
<br />
Some of the '''public IP ranges''' of the bwCloud-OS regions are part of the '''BelWü address space'''. These addresses are logically '''outside''' the network ranges of the hosting universities (the locations of bwCloud). The addresses are treated as external by the firewalls of the respective institutions.<br />
<br />
== Effects of the Packet Firewall for Users ==<br />
The most important effect for users is that the '''network runs more reliably and securely'''. Many hacker attacks are already blocked at the packet firewall and do not reach the campus or the end systems. The importance of this protection is evident from the fact that attacks now occur almost daily.<br />
<br />
However, there are a number of '''limitations''' to consider: if services other than the generally allowed ones listed here should be accessible from outside, this must be '''reported to the university IT'''. The corresponding service will then be enabled on the packet firewall.<br />
<br />
It may also happen that seemingly outbound connections from the instance to certain services do not work. This occurs whenever the external server providing the service tries to establish a return connection to the instance, which is often difficult for the user to verify.<br />
<br />
== Region Mannheim ==<br />
To provide basic network protection at the University of Mannheim, certain applications have been blocked at the boundaries of the university network to BelWü since October 1999. This is not intended to represent a central firewall of the university, but rather to filter out the most obvious threats at the outer boundaries of the Mannheim campus according to the "onion layer" principle.<br />
<br />
In the "well-known" ports range (i.e., ports below 1024), the following ports are open in server networks:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP (open) || 22 || ssh || SSH Server || in/outbound<br />
|-<br />
| TCP (open) || 80 || http || Web Server || in/outbound<br />
|-<br />
| UDP,TCP (open) || 443 || https || Web Server over SSL || in/outbound<br />
|-<br />
| TCP (open) || 465 || smtps || SMTP over SSL || in/outbound<br />
|-<br />
| TCP (open) || 587 || submission || Message Submission || in/outbound<br />
|-<br />
| TCP (open) || 990 || FTPs || FTP protocol, control, over TLS/SSL || in/outbound<br />
|-<br />
| TCP (open) || 993 || IMAPs || IMAP Mail over SSL || in/outbound<br />
|-<br />
| TCP (open) || 995 || POPs || POP Mail over SSL || in/outbound<br />
|}<br />
<br />
<br />
The following ports are blocked in the range above 1023:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP || 1433,1434 || MS-SQL || MS Office || inbound<br />
|-<br />
| TCP || 1501 || TSM || Backup || inbound<br />
|-<br />
| TCP || 1900 || SSDP || Service Discovery || inbound<br />
|-<br />
| UDP,TCP || 2049 || NFS || Filesystem || inbound<br />
|-<br />
| TCP || 2967 || Symantec || Symantec || inbound<br />
|-<br />
| UDP || 3283 || Apple || Apple Remote Desktop || inbound<br />
|-<br />
| TCP || 3306 || mysql || MySQL || inbound<br />
|-<br />
| UDP,TCP || 3389 || RDP || Remote Desktop || inbound<br />
|-<br />
| UDP || 3702 || Printer || WS-Discovery || inbound<br />
|-<br />
| UDP,TCP || 4045 || lockd || Filesystem || inbound<br />
|-<br />
| TCP || 4369 || EPMD || PortMapper || inbound<br />
|-<br />
| TCP || 5000 || UPnP || Universal Plug and Play || inbound<br />
|-<br />
| UDP || 5353 || mdns || Multicast DNS || inbound<br />
|-<br />
| TCP || 5432 || PostgreSQL || PostgreSQL || inbound<br />
|-<br />
| TCP || 5985 || WinRM || WinRM || inbound<br />
|-<br />
| TCP || 8333 || Bitcoin || Bitcoin Full Node || inbound<br />
|-<br />
| TCP || 8080 || www-alt || Alternative WWW Port || inbound<br />
|-<br />
| TCP || 9075 || nx-os || Cisco Nexus || inbound<br />
|-<br />
| UDP || 11211 || memcached || Memcached || inbound<br />
|-<br />
| TCP || 27017 || MongoDB || MongoDB || inbound<br />
|-<br />
| UDP || 32100 || IoT || IoT || outbound<br />
|-<br />
| UDP || 32414 || open-SSDP || Plex Media Servers || inbound<br />
|}<br />
<br />
== Region Karlsruhe ==<br />
In the bwCloud-OS Karlsruhe network, the following ports are blocked:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| UDP, TCP || 111 || RPC Portmapper || Portmapper Security || inbound/outbound<br />
|}<br />
== Region Ulm ==<br />
In the bwCloud-OS Region Ulm the following ports are blocked by the Uni border firewall:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port Range !! Description / Reason<br />
|-<br />
| TCP, UDP || 0 - 19 || lower protocols, like chargen, etc. used for DDoS<br />
|-<br />
| TCP, UDP || 23 || telnet<br />
|-<br />
| TCP, UDP || 42 || WINS<br />
|-<br />
| TCP, UDP || 67 - 69 || DHCP, tftp<br />
|-<br />
| TCP, UDP || 111 || rpc<br />
|-<br />
| TCP, UDP || 119 || nntp<br />
|-<br />
| TCP, UDP || 135 || loc-srv<br />
|-<br />
| TCP, UDP || 137 - 139 || SMB<br />
|-<br />
| TCP, UDP || 161 - 162 || SNMP<br />
|-<br />
| TCP, UDP || 427 || SLP, Service Location Protocol<br />
|-<br />
| TCP, UDP || 445 || ms-ds<br />
|-<br />
| TCP, UDP || 512 - 515 || exec, login, who, syslog, shell, printer<br />
|-<br />
| TCP, UDP || 520 - 521 || rip, ripng<br />
|-<br />
| TCP, UDP || 548 || AFP, Apple File Protocol<br />
|-<br />
| TCP, UDP || 623 || IPMI<br />
|-<br />
| TCP, UDP || 631 || cups<br />
|-<br />
| TCP, UDP || 1900 || SSDP<br />
|-<br />
| TCP, UDP || 2049 || nfsd<br />
|-<br />
| TCP, UDP || 3306 || MySQL<br />
|-<br />
| TCP, UDP || 3389 || RDP<br />
|-<br />
| TCP, UDP || 4045 || nfs lockd<br />
|-<br />
| TCP, UDP || 4369 || Erlang Port Mapper Daemon (EPMD)<br />
|-<br />
| TCP, UDP || 5432 || Postgres<br />
|-<br />
| TCP, UDP || 6443 || Kubernetes<br />
|-<br />
| TCP, UDP || 9100 || raw printer queues<br />
|-<br />
| TCP, UDP || 49152 || MS-RPC, allow incoming only established<br />
|-<br />
| TCP, UDP || 49664 - 49670 || MS-RPC, allow incoming only established<br />
|-<br />
|-<br />
| TCP || 110 || POP<br />
|-<br />
| TCP || 873 || rsync - maybe make a Server ACL like FTP<br />
|-<br />
| TCP || 995 || POPS<br />
|-<br />
| TCP || 1801 || Microsoft Message Queuing Service, CVE-2023-21554<br />
|-<br />
| TCP || 5800 || VNC<br />
|-<br />
| TCP || 5900 || VNC<br />
|-<br />
| TCP || 5901 || VNC, sic may be more...<br />
|-<br />
| TCP || 6000 || X-Server<br />
|-<br />
| TCP || 6379 || REDIS<br />
|-<br />
| TCP || 9401 || Veeam Backup, CVE-2023-27532<br />
|-<br />
| TCP || 27017 || MongoDB<br />
|-<br />
|-<br />
| UDP || 177 || XDMCP, X Display Manager ...<br />
|-<br />
| UDP || 389 || LDAP, UDP-based Amplification Attacks<br />
|-<br />
| UDP || 1434 || MS-SQL<br />
|-<br />
| UDP || 3283 || Apple Remote Desktop<br />
|-<br />
| UDP || 3702 || WS-Discovery<br />
|-<br />
| UDP || 5093 || SPSS License Server<br />
|-<br />
| UDP || 5353 || mDNS, UDP-based Amplification Attacks<br />
|-<br />
|}</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Blocked_and_Allowed_Ports&diff=2013Blocked and Allowed Ports2026-03-31T12:06:42Z<p>Admin-ulm-1: /* Region Ulm */</p>
<hr />
<div>== General ==<br />
The '''data centers of the universities''' of the bwCloud-OS operating sites '''block''' certain ports within their respective networks for security reasons. The bwCloud-OS regions are also affected, because the bwCloud-OS hardware is connected to the '''central network infrastructure'''.<br />
<br />
Some of the '''public IP ranges''' of the bwCloud-OS regions are part of the '''BelWü address space'''. These addresses are logically '''outside''' the network ranges of the hosting universities (the locations of bwCloud). The addresses are treated as external by the firewalls of the respective institutions.<br />
<br />
== Effects of the Packet Firewall for Users ==<br />
The most important effect for users is that the '''network runs more reliably and securely'''. Many hacker attacks are already blocked at the packet firewall and do not reach the campus or the end systems. The importance of this protection is evident from the fact that attacks now occur almost daily.<br />
<br />
However, there are a number of '''limitations''' to consider: if services other than the generally allowed ones listed here should be accessible from outside, this must be '''reported to the university IT'''. The corresponding service will then be enabled on the packet firewall.<br />
<br />
It may also happen that seemingly outbound connections from the instance to certain services do not work. This occurs whenever the external server providing the service tries to establish a return connection to the instance, which is often difficult for the user to verify.<br />
<br />
== Region Mannheim ==<br />
To provide basic network protection at the University of Mannheim, certain applications have been blocked at the boundaries of the university network to BelWü since October 1999. This is not intended to represent a central firewall of the university, but rather to filter out the most obvious threats at the outer boundaries of the Mannheim campus according to the "onion layer" principle.<br />
<br />
In the "well-known" ports range (i.e., ports below 1024), the following ports are open in server networks:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP (open) || 22 || ssh || SSH Server || in/outbound<br />
|-<br />
| TCP (open) || 80 || http || Web Server || in/outbound<br />
|-<br />
| UDP,TCP (open) || 443 || https || Web Server over SSL || in/outbound<br />
|-<br />
| TCP (open) || 465 || smtps || SMTP over SSL || in/outbound<br />
|-<br />
| TCP (open) || 587 || submission || Message Submission || in/outbound<br />
|-<br />
| TCP (open) || 990 || FTPs || FTP protocol, control, over TLS/SSL || in/outbound<br />
|-<br />
| TCP (open) || 993 || IMAPs || IMAP Mail over SSL || in/outbound<br />
|-<br />
| TCP (open) || 995 || POPs || POP Mail over SSL || in/outbound<br />
|}<br />
<br />
<br />
The following ports are blocked in the range above 1023:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP || 1433,1434 || MS-SQL || MS Office || inbound<br />
|-<br />
| TCP || 1501 || TSM || Backup || inbound<br />
|-<br />
| TCP || 1900 || SSDP || Service Discovery || inbound<br />
|-<br />
| UDP,TCP || 2049 || NFS || Filesystem || inbound<br />
|-<br />
| TCP || 2967 || Symantec || Symantec || inbound<br />
|-<br />
| UDP || 3283 || Apple || Apple Remote Desktop || inbound<br />
|-<br />
| TCP || 3306 || mysql || MySQL || inbound<br />
|-<br />
| UDP,TCP || 3389 || RDP || Remote Desktop || inbound<br />
|-<br />
| UDP || 3702 || Printer || WS-Discovery || inbound<br />
|-<br />
| UDP,TCP || 4045 || lockd || Filesystem || inbound<br />
|-<br />
| TCP || 4369 || EPMD || PortMapper || inbound<br />
|-<br />
| TCP || 5000 || UPnP || Universal Plug and Play || inbound<br />
|-<br />
| UDP || 5353 || mdns || Multicast DNS || inbound<br />
|-<br />
| TCP || 5432 || PostgreSQL || PostgreSQL || inbound<br />
|-<br />
| TCP || 5985 || WinRM || WinRM || inbound<br />
|-<br />
| TCP || 8333 || Bitcoin || Bitcoin Full Node || inbound<br />
|-<br />
| TCP || 8080 || www-alt || Alternative WWW Port || inbound<br />
|-<br />
| TCP || 9075 || nx-os || Cisco Nexus || inbound<br />
|-<br />
| UDP || 11211 || memcached || Memcached || inbound<br />
|-<br />
| TCP || 27017 || MongoDB || MongoDB || inbound<br />
|-<br />
| UDP || 32100 || IoT || IoT || outbound<br />
|-<br />
| UDP || 32414 || open-SSDP || Plex Media Servers || inbound<br />
|}<br />
<br />
== Region Karlsruhe ==<br />
In the bwCloud-OS Karlsruhe network, the following ports are blocked:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| UDP, TCP || 111 || RPC Portmapper || Portmapper Security || inbound/outbound<br />
|}<br />
== Region Ulm ==<br />
In the bwCloud-OS Region Ulm, the following ports are blocked by the Uni border firewall:<br />
{| class="wikitable"<br />
! Transport !! Port Range !! Description / Reason<br />
|-<br />
| TCP, UDP || 0 - 19 || lower protocols, like chargen, etc. used for DDoS<br />
|-<br />
| TCP, UDP || 23 || telnet<br />
|-<br />
| TCP, UDP || 42 || WINS<br />
|-<br />
| TCP, UDP || 67 - 69 || DHCP, tftp<br />
|-<br />
| TCP, UDP || 111 || rpc<br />
|-<br />
| TCP, UDP || 119 || nntp<br />
|-<br />
| TCP, UDP || 135 || loc-srv<br />
|-<br />
| TCP, UDP || 137 - 139 || SMB<br />
|-<br />
| TCP, UDP || 161 - 162 || SNMP<br />
|-<br />
| TCP, UDP || 427 || SLP, Service Location Protocol<br />
|-<br />
| TCP, UDP || 445 || ms-ds<br />
|-<br />
| TCP, UDP || 512 - 515 || exec, login, who, syslog, shell, printer<br />
|-<br />
| TCP, UDP || 520 - 521 || rip, ripng<br />
|-<br />
| TCP, UDP || 548 || AFP, Apple File Protocol<br />
|-<br />
| TCP, UDP || 623 || IPMI<br />
|-<br />
| TCP, UDP || 631 || cups<br />
|-<br />
| TCP, UDP || 1900 || SSDP<br />
|-<br />
| TCP, UDP || 2049 || nfsd<br />
|-<br />
| TCP, UDP || 3306 || MySQL<br />
|-<br />
| TCP, UDP || 3389 || RDP<br />
|-<br />
| TCP, UDP || 4045 || nfs lockd<br />
|-<br />
| TCP, UDP || 4369 || Erlang Port Mapper Daemon (EPMD)<br />
|-<br />
| TCP, UDP || 5432 || Postgres<br />
|-<br />
| TCP, UDP || 6443 || Kubernetes<br />
|-<br />
| TCP, UDP || 9100 || raw printer queues<br />
|-<br />
| TCP, UDP || 49152 || MS-RPC, allow incoming only established<br />
|-<br />
| TCP, UDP || 49664 - 49670 || MS-RPC, allow incoming only established<br />
|-<br />
|-<br />
| TCP || 110 || POP<br />
|-<br />
| TCP || 873 || rsync - maybe make a Server ACL like FTP<br />
|-<br />
| TCP || 995 || POPS<br />
|-<br />
| TCP || 1801 || Microsoft Message Queuing Service, CVE-2023-21554<br />
|-<br />
| TCP || 5800 || VNC<br />
|-<br />
| TCP || 5900 || VNC<br />
|-<br />
| TCP || 5901 || VNC, sic may be more...<br />
|-<br />
| TCP || 6000 || X-Server<br />
|-<br />
| TCP || 6379 || REDIS<br />
|-<br />
| TCP || 9401 || Veeam Backup, CVE-2023-27532<br />
|-<br />
| TCP || 27017 || MongoDB<br />
|-<br />
|-<br />
| UDP || 177 || XDMCP, X Display Manager ...<br />
|-<br />
| UDP || 389 || LDAP, UDP-based Amplification Attacks<br />
|-<br />
| UDP || 1434 || MS-SQL<br />
|-<br />
| UDP || 3283 || Apple Remote Desktop<br />
|-<br />
| UDP || 3702 || WS-Discovery<br />
|-<br />
| UDP || 5093 || SPSS License Server<br />
|-<br />
| UDP || 5353 || mDNS, UDP-based Amplification Attacks<br />
|-<br />
|}</div>Admin-ulm-1https://wiki.bwcloud-os.de/index.php?title=Blocked_and_Allowed_Ports&diff=2012Blocked and Allowed Ports2026-03-31T12:04:06Z<p>Admin-ulm-1: </p>
<hr />
<div>== General ==<br />
The '''data centers of the universities''' of the bwCloud-OS operating sites '''block''' certain ports within their respective networks for security reasons. The bwCloud-OS regions are also affected, because the bwCloud-OS hardware is connected to the '''central network infrastructure'''.<br />
<br />
Some of the '''public IP ranges''' of the bwCloud-OS regions are part of the '''BelWü address space'''. These addresses are logically '''outside''' the network ranges of the hosting universities (the locations of bwCloud). The addresses are treated as external by the firewalls of the respective institutions.<br />
<br />
== Effects of the Packet Firewall for Users ==<br />
The most important effect for users is that the '''network runs more reliably and securely'''. Many hacker attacks are already blocked at the packet firewall and do not reach the campus or the end systems. The importance of this protection is evident from the fact that attacks now occur almost daily.<br />
<br />
However, there are a number of '''limitations''' to consider: if services other than the generally allowed ones listed here should be accessible from outside, this must be '''reported to the university IT'''. The corresponding service will then be enabled on the packet firewall.<br />
<br />
It may also happen that seemingly outbound connections from the instance to certain services do not work. This occurs whenever the external server providing the service tries to establish a return connection to the instance, which is often difficult for the user to verify.<br />
<br />
== Region Mannheim ==<br />
To provide basic network protection at the University of Mannheim, certain applications have been blocked at the boundaries of the university network to BelWü since October 1999. This is not intended to represent a central firewall of the university, but rather to filter out the most obvious threats at the outer boundaries of the Mannheim campus according to the "onion layer" principle.<br />
<br />
In the "well-known" ports range (i.e., ports below 1024), the following ports are open in server networks:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP (open) || 22 || ssh || SSH Server || in/outbound<br />
|-<br />
| TCP (open) || 80 || http || Web Server || in/outbound<br />
|-<br />
| UDP,TCP (open) || 443 || https || Web Server over SSL || in/outbound<br />
|-<br />
| TCP (open) || 465 || smtps || SMTP over SSL || in/outbound<br />
|-<br />
| TCP (open) || 587 || submission || Message Submission || in/outbound<br />
|-<br />
| TCP (open) || 990 || FTPs || FTP protocol, control, over TLS/SSL || in/outbound<br />
|-<br />
| TCP (open) || 993 || IMAPs || IMAP Mail over SSL || in/outbound<br />
|-<br />
| TCP (open) || 995 || POPs || POP Mail over SSL || in/outbound<br />
|}<br />
<br />
<br />
The following ports are blocked in the range above 1023:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| TCP || 1433,1434 || MS-SQL || MS Office || inbound<br />
|-<br />
| TCP || 1501 || TSM || Backup || inbound<br />
|-<br />
| TCP || 1900 || SSDP || Service Discovery || inbound<br />
|-<br />
| UDP,TCP || 2049 || NFS || Filesystem || inbound<br />
|-<br />
| TCP || 2967 || Symantec || Symantec || inbound<br />
|-<br />
| UDP || 3283 || Apple || Apple Remote Desktop || inbound<br />
|-<br />
| TCP || 3306 || mysql || MySQL || inbound<br />
|-<br />
| UDP,TCP || 3389 || RDP || Remote Desktop || inbound<br />
|-<br />
| UDP || 3702 || Printer || WS-Discovery || inbound<br />
|-<br />
| UDP,TCP || 4045 || lockd || Filesystem || inbound<br />
|-<br />
| TCP || 4369 || EPMD || PortMapper || inbound<br />
|-<br />
| TCP || 5000 || UPnP || Universal Plug and Play || inbound<br />
|-<br />
| UDP || 5353 || mdns || Multicast DNS || inbound<br />
|-<br />
| TCP || 5432 || PostgreSQL || PostgreSQL || inbound<br />
|-<br />
| TCP || 5985 || WinRM || WinRM || inbound<br />
|-<br />
| TCP || 8333 || Bitcoin || Bitcoin Full Node || inbound<br />
|-<br />
| TCP || 8080 || www-alt || Alternative WWW Port || inbound<br />
|-<br />
| TCP || 9075 || nx-os || Cisco Nexus || inbound<br />
|-<br />
| UDP || 11211 || memcached || Memcached || inbound<br />
|-<br />
| TCP || 27017 || MongoDB || MongoDB || inbound<br />
|-<br />
| UDP || 32100 || IoT || IoT || outbound<br />
|-<br />
| UDP || 32414 || open-SSDP || Plex Media Servers || inbound<br />
|}<br />
<br />
== Region Karlsruhe ==<br />
In the bwCloud-OS Karlsruhe network, the following ports are blocked:<br />
<br />
{| class="wikitable"<br />
! Transport !! Port !! Protocol !! Description !! Blocking<br />
|-<br />
| UDP, TCP || 111 || RPC Portmapper || Portmapper Security || inbound/outbound<br />
|}<br />
== Region Ulm ==<br />
In the bwCloud-OS Region Ulm, the following ports are blocked by the Uni border firewall:<br />
{| class="wikitable"<br />
! Transport !! Port Range !! Description / Reason<br />
|-<br />
| TCP, UDP || 0 - 19 || lower protocols, like chargen, etc. used for DDoS<br />
|-<br />
| TCP, UDP || 23 || telnet<br />
|-<br />
| TCP, UDP || 42 || WINS<br />
|-<br />
| TCP, UDP || 67 - 69 || DHCP, tftp<br />
|-<br />
| TCP, UDP || 111 || rpc<br />
|-<br />
| TCP, UDP || 119 || nntp<br />
|-<br />
| TCP, UDP || 135 || loc-srv<br />
|-<br />
| TCP, UDP || 137 - 139 || SMB<br />
|-<br />
| TCP, UDP || 161 - 162 || SNMP<br />
|-<br />
| TCP, UDP || 427 || SLP, Service Location Protocol<br />
|-<br />
| TCP, UDP || 445 || ms-ds<br />
|-<br />
| TCP, UDP || 512 - 515 || exec, login, who, syslog, shell, printer<br />
|-<br />
| TCP, UDP || 520 - 521 || rip, ripng<br />
|-<br />
| TCP, UDP || 548 || AFP, Apple File Protocol<br />
|-<br />
| TCP, UDP || 623 || IPMI<br />
|-<br />
| TCP, UDP || 631 || cups<br />
|-<br />
| TCP, UDP || 1900 || SSDP<br />
|-<br />
| TCP, UDP || 2049 || nfsd<br />
|-<br />
| TCP, UDP || 3306 || MySQL<br />
|-<br />
| TCP, UDP || 3389 || RDP<br />
|-<br />
| TCP, UDP || 4045 || nfs lockd<br />
|-<br />
| TCP, UDP || 4369 || Erlang Port Mapper Daemon (EPMD)<br />
|-<br />
| TCP, UDP || 5432 || Postgres<br />
|-<br />
| TCP, UDP || 6443 || Kubernetes<br />
|-<br />
| TCP, UDP || 9100 || raw printer queues<br />
|-<br />
|-<br />
| TCP || 110 || POP<br />
|-<br />
| TCP || 873 || rsync - maybe make a Server ACL like FTP<br />
|-<br />
| TCP || 995 || POPS<br />
|-<br />
| TCP || 1801 || Microsoft Message Queuing Service, CVE-2023-21554<br />
|-<br />
| TCP || 5800 || VNC<br />
|-<br />
| TCP || 5900 || VNC<br />
|-<br />
| TCP || 5901 || VNC, sic may be more...<br />
|-<br />
| TCP || 6000 || X-Server<br />
|-<br />
| TCP || 6379 || REDIS<br />
|-<br />
| TCP || 9401 || Veeam Backup, CVE-2023-27532<br />
|-<br />
| TCP || 27017 || MongoDB<br />
|-<br />
|-<br />
| UDP || 177 || XDMCP, X Display Manager ...<br />
|-<br />
| UDP || 389 || LDAP, UDP-based Amplification Attacks<br />
|-<br />
| UDP || 1434 || MS-SQL<br />
|-<br />
| UDP || 3283 || Apple Remote Desktop<br />
|-<br />
| UDP || 3702 || WS-Discovery<br />
|-<br />
| UDP || 5093 || SPSS License Server<br />
|-<br />
| UDP || 5353 || mDNS, UDP-based Amplification Attacks<br />
|-<br />
|}</div>Admin-ulm-1