Device-to-VLAN Mapping
Date: 2026-05-15 (validated via UniFi API scan)
Source: Live UniFi client scan (47 devices)
Purpose: Assign every device on the network to its correct VLAN.
Servers — VLAN 4 (192.168.6.0/24)
Infrastructure hosts, hypervisors, NAS, VMs, and LXCs.
| IP | Name | Connection | VLAN | Status |
|---|---|---|---|---|
| 192.168.6.71 | Proxbox (prox) | wired | Servers | Verified |
| 192.168.6.17 | infra-services | wired | Servers | Verified |
| 192.168.6.243 | saltierpoop | wired | Servers | Verified |
| 192.168.6.215 | Whrrr LAN1 (Primary) | wired | Servers | Verified |
| 192.168.6.214 | Whrrr LAN2 | wired | Servers | Verified |
| 192.168.6.216 | Whrrr LAN3 | wired | Servers | Verified |
| 192.168.6.100 | Ubuncap (VM on Whrrr) | wired | Servers | Verified |
| 192.168.6.98 | Recordurbate (VM on Whrrr) | wired | Servers | Verified |
| 192.168.6.227 | HAOS (poopcastle) | wired | Servers | Verified |
| 192.168.6.199 | Proxbox - pulse | wired | Servers | Verified |
| 192.168.6.132 | InfluxDB (LXC 111) | wired | Servers | Verified — pending future consolidation |
| 192.168.6.80 | Blocktopus (PiHole) | wired | Servers | Verified — decom after AdGuard cutover |
| 192.168.6.222 | OctoPrint (Proxmox LXC) | wired | Servers | Verified |
| 192.168.6.107 | nfs-monitoring (Proxmox LXC) | wired | Servers | New — add to inventory |
Security — VLAN 6 (192.168.8.0/24)
Cameras only. All correct.
| IP | Name | Connection | VLAN | Status |
|---|---|---|---|---|
| 192.168.8.10 | G5 Flex (rack cam) | wired | Security | Verified |
| 192.168.8.76 | G4 Pro (front door) | wired | Security | Verified |
| 192.168.8.173 | G4 Pro (carport) | wired | Security | Verified |
Personal Devices — VLAN 2 (192.168.3.0/24)
Trusted personal devices.
| IP | Name | Connection | VLAN | Status |
|---|---|---|---|---|
| 192.168.3.37 | Apple MBP M4 (Ben) | IsThisTheKrustyKrab | Personal | Verified |
| 192.168.3.169 | iPhone | IsThisTheKrustyKrab | Personal | Verified |
| 192.168.3.60 | OnePlus 8 Pro | IsThisTheKrustyKrab | Personal | Moved — verified |
| 192.168.3.16 | CaptainKangapoo (PC) | wired | Personal | Moved — verified |
| 192.168.3.107 | MacBook (LM-L06YF9KDC1) WiFi | The LAN Before Time | Personal | Moved — verified |
| 192.168.3.240 | MacBook (LM-L06YF9KDC1) wired | wired | Personal | Moved — verified (second NIC) |
| 192.168.3.44 | Fiio R7 (DAC/streamer) | The LAN Before Time | Personal | Verified — see Fiio override section below |
| 192.168.3.85 | Samsung Odyssey Arc 2 | The LAN Before Time | Personal | Moved — verified |
Fiio R7 — UDM client override
The Fiio connects to The LAN Before Time (SSID default network: GenPop,
192.168.1.0/24) but is not on GenPop for routing or firewall purposes.
| Field | Value |
|---|---|
| MAC | 40:ed:98:11:16:d5 |
| SSID | The LAN Before Time |
| Effective network | Personal Devices (VLAN 2) — UDM per-client network override |
| Fixed IP | 192.168.3.44 — UDM DHCP reservation / override |
Why: Keeps the Fiio on a stable Personal IP for AirPlay while using the LAN
Before Time SSID (owner preference). Live UniFi stat/sta shows network: Personal
Devices, vlan: 2.
Do not remove the network override or fixed IP without planning. Without the
override, the Fiio falls back to GenPop (192.168.1.x) and loses same-VLAN
reachability from KrustyKrab clients unless a Personal → GenPop firewall rule is added.
AirPlay (2026-06-18): The Fiio is on the same VLAN as the KrustyKrab phones, so this is not a zone-based firewall (ZBF) issue. If discovery fails, check the iOS Local Network permission for Music and the multicast settings on KrustyKrab. Fiio AirPlay remains open and low priority relative to Phase 7R core work.
IoT — VLAN 5 (192.168.7.0/24)
Note: If IoT DHCP DNS points at AdGuard (192.168.6.17) without an
IoT → 192.168.6.17:53 allow, cloud-only gadgets (e.g. Roborock) go offline.
See Roborock / IoT runbook.
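A pre-change check for the DNS dependency in the note above, as an added example that is not part of the original runbook. It assumes cross-VLAN traffic is blocked unless an allow rule exists; the rule and network records are a simplified, constructed model (not the UniFi API schema), and only the IoT subnet and the AdGuard address come from this page.

```python
import ipaddress

def dns_gaps(networks, allow_rules):
    """Return names of networks whose DHCP-advertised resolver is unreachable.

    networks:    {name: {"subnet": cidr, "dns": resolver_ip}}
    allow_rules: [{"src": network name, "dst": cidr, "port": int or None}]
                 where port None means any port. The model ignores protocol,
                 so a real rule should cover both UDP and TCP 53.
    """
    gaps = []
    for name, net in networks.items():
        resolver = ipaddress.ip_address(net["dns"])
        # Resolver inside the client's own subnet: the query never crosses
        # the firewall, so no allow rule is needed.
        if resolver in ipaddress.ip_network(net["subnet"]):
            continue
        allowed = any(
            rule["src"] == name
            and resolver in ipaddress.ip_network(rule["dst"])
            and rule["port"] in (None, 53)
            for rule in allow_rules
        )
        if not allowed:
            gaps.append(name)
    return gaps

# Constructed sample data (hypothetical DHCP settings and rules).
NETWORKS = {
    "IoT": {"subnet": "192.168.7.0/24", "dns": "192.168.6.17"},
    "Servers": {"subnet": "192.168.6.0/24", "dns": "192.168.6.17"},
}
# An allow to the same host on another port does not make DNS reachable.
RULES_BEFORE = [{"src": "IoT", "dst": "192.168.6.17/32", "port": 443}]
RULES_AFTER = RULES_BEFORE + [{"src": "IoT", "dst": "192.168.6.17/32", "port": 53}]

if __name__ == "__main__":
    print("before:", dns_gaps(NETWORKS, RULES_BEFORE))
    print("after: ", dns_gaps(NETWORKS, RULES_AFTER))
```

Run it before pointing a VLAN's DHCP DNS at AdGuard; any network it names needs its port 53 allow in place first.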
| IP | Name | Connection | VLAN | Status |
|---|---|---|---|---|
| 192.168.7.132 | SLZB-06M Zigbee coordinator | wired | IoT | Verified |
| 192.168.7.93 | Govee Lamp (Bedside) | The LAN Before Time | IoT | Verified |
| 192.168.7.106 | Apple TV 4K (Bedroom) | wired | IoT | Verified — mDNS proxy enabled for AirPlay |
| 192.168.7.107 | Aqara Doorbell G4 | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.81 | Aqara Hub M2 | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.145 | Petlibro Cat Feeder #2 | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.167 | Molly & Cody Smart Feeder (Tuya) | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.156 | Neakasa M1 Litter Box | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.184 | Yale Lock (Front Door) | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.212 | Roborock Vacuum (24:9e:7d:7c:51:ea) | The LAN Before Time | IoT | Moved — verified — connectivity runbook |
| 192.168.7.22 | Xiaomi H3 Air Purifier | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.159 | Blueair DustMagnet 5415i | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.241 | ecobee Thermostat (BooBEE) | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.217 | ChargePoint Charger | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.168 | Google Nest Mini (Living Room) | The LAN Before Time | IoT | Moved — verified |
| 192.168.7.124 | Apple HomePod (Kitchen) | The LAN Before Time | IoT | Verified — AirPlay stream still broken (2026-06-18); needs Personal → IoT Allow |
Offline — not seen in scan
| Device | Last Known IP | Target VLAN | Notes |
|---|---|---|---|
| Fellow Aiden (coffee brewer) | 192.168.1.40 | IoT | Likely powered off. Assign to IoT when reconnected. |
Appliances — VLAN 3 (192.168.5.0/24)
Major household appliances and printers.
| IP | Name | Connection | VLAN | Status |
|---|---|---|---|---|
| 192.168.5.247 | Bosch Dishwasher | The LAN Before Time | Appliances | Moved — verified |
| 192.168.5.239 | GE Appliance (GEMODULE) | The LAN Before Time | Appliances | Moved — verified |
| 192.168.5.71 | Rheem EcoNet (water heater) | The LAN Before Time | Appliances | Moved — verified |
| 192.168.5.59 | Prusa LayerSlut (3D printer) | The LAN Before Time | Appliances | Moved — verified |
| 192.168.5.187 | Rollo Label Printer | The LAN Before Time | Appliances | Moved — verified |
Still needs move
| IP | Name | MAC | Connection | Current VLAN | Target VLAN |
|---|---|---|---|---|---|
| 192.168.1.35 | Samsung Printer | 30:cd:a7:19:c0:cf | The LAN Before Time | GenPop | Appliances |
GenPop — VLAN 1 (192.168.1.0/24)
After all validated moves, GenPop contains only the Samsung Printer (pending move) and transient guest devices. Once the Samsung Printer is moved, GenPop is guests-only as intended.
Management — VLAN 10 (192.168.10.0/24)
No clients. Reserved for admin workstations and out-of-band management.
Summary
| Metric | Count |
|---|---|
| Devices verified on correct VLAN | 45 |
| Still needs move | 1 (Samsung Printer) |
| Offline / not seen | 1 (Fellow Aiden) |
| New device (add to inventory) | 1 (nfs-monitoring) |
Post-Move Requirements
Firewall policy additions
Personal → Appliances (Internal → IoT) — applied as ZBF policy. Source Zone: Internal, Source: Network Personal, Dest Zone: IoT, Dest: Network Appliances, Action: Allow. Status: Applied and verified in UDM.
mDNS reflector
HomePod and Apple TV are on IoT (VLAN 5) but need AirPlay/HomeKit discovery from Personal (VLAN 2). Status: UDM Gateway mDNS Proxy enabled.
WiFi SSID mapping
SSID-to-VLAN mapping verified via API (2026-05-15):
| SSID | Security | Network | VLAN | Status |
|---|---|---|---|---|
| The LAN Before Time | WPA2-PSK | GenPop | 1 | Correct |
| IsThisTheKrustyKrab | WPA2-EAP | Personal Devices | 2 | Correct |
| HotSignalsInYourArea | WPA2-EAP | IoT | 5 | Correct |
| Rebellious Amish Family | WPA2-EAP | Appliances | 3 | Correct |
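One way to re-run this page's validation against a fresh client scan, as an added example that is not part of the original documentation. The subnets and SSID defaults are copied from this page; the record fields (`name`, `ip`, `vlan`, `ssid`, `target_vlan`) are a simplified, hypothetical shape rather than the raw UniFi API schema, and the sample records are constructed.

```python
import ipaddress

# VLAN id -> subnet, from this page's section headings.
VLAN_SUBNETS = {1: "192.168.1.0/24", 2: "192.168.3.0/24", 3: "192.168.5.0/24",
                4: "192.168.6.0/24", 5: "192.168.7.0/24", 6: "192.168.8.0/24",
                10: "192.168.10.0/24"}
# SSID -> default VLAN, from the WiFi SSID mapping table.
SSID_DEFAULT_VLAN = {"The LAN Before Time": 1, "IsThisTheKrustyKrab": 2,
                     "HotSignalsInYourArea": 5, "Rebellious Amish Family": 3}

def audit_client(client):
    """Return finding codes for one simplified client record (empty = clean)."""
    vlan, findings = client["vlan"], []
    subnet = VLAN_SUBNETS.get(vlan)
    if subnet is None:
        return ["UNKNOWN_VLAN"]
    # The address must sit inside the subnet of the VLAN the controller reports.
    if ipaddress.ip_address(client["ip"]) not in ipaddress.ip_network(subnet):
        findings.append("SUBNET_MISMATCH")
    # The reported VLAN must match the VLAN this inventory assigns.
    if vlan != client["target_vlan"]:
        findings.append("WRONG_VLAN")
    # A wireless client on a VLAN other than its SSID's default depends on a
    # per-client network override; removing it drops the client to the default.
    ssid = client.get("ssid")  # None means wired
    if ssid is not None:
        default = SSID_DEFAULT_VLAN.get(ssid)
        if default is None:
            findings.append("UNKNOWN_SSID")
        elif default != vlan:
            findings.append("OVERRIDE_DEPENDENT")
    return findings

def audit(clients):
    """Map device name -> findings for every device with at least one finding."""
    return {c["name"]: f for c in clients if (f := audit_client(c))}

# Constructed sample records using names, IPs and VLANs from the tables above.
SAMPLE = [
    {"name": "G5 Flex (rack cam)", "ip": "192.168.8.10", "vlan": 6, "ssid": None, "target_vlan": 6},
    {"name": "Fiio R7", "ip": "192.168.3.44", "vlan": 2, "ssid": "The LAN Before Time", "target_vlan": 2},
    {"name": "Samsung Printer", "ip": "192.168.1.35", "vlan": 1, "ssid": "The LAN Before Time", "target_vlan": 3},
    # Constructed failure case: reported on IoT but still holding a GenPop address.
    {"name": "Fellow Aiden", "ip": "192.168.1.40", "vlan": 5, "ssid": "The LAN Before Time", "target_vlan": 5},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```

`OVERRIDE_DEPENDENT` is informational rather than an error: it lists the clients that would fall back to their SSID's default network if a per-client override were removed.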
ZBF cleanup
Auto-migrated firewall rules (IDs 30000+) have a lock icon in the UDM UI, indicating they are built-in or system-managed policies that cannot be deleted through the normal policy editor. These include redundant "return" rules and catch-all policies from the pre-ZBF migration. The lock means UniFi considers them part of the base ZBF configuration.
Status: These locked rules are functionally harmless — the custom ZBF policies (IDs 10000+) take precedence. No further action needed unless UniFi provides a way to clean them up in a future firmware update.