
Current Network — Live Snapshot

Baseline capture: 2026-06-03 (read-only UniFi API scan of UDM SE)

Last doc update: 2026-06-19 (DNS cutover progress — see §3)

DNS cutover in progress

AdGuard is deployed on 192.168.6.17 and resolving. UDM WAN1 DNS and the per-VLAN DHCP DNS still need owner confirmation that they point at 192.168.6.17. PiHole (192.168.6.80) stays in parallel until the soak completes. See the AdGuard service page and Phase 7 §8.

Source (baseline): uv run python -m scripts.labctl unifi dump

Controller: UDM SE — UniFi Network 10.4.57 (just updated from 10.4.46; gateway uptime was ~6 minutes at capture, i.e. a reboot had just occurred)

This document is the as-built picture of the network at capture time. It is hand-authored from a live scan, not generated from inventory, so where inventory or the older device-VLAN mapping disagree, this document reflects reality. For the intended/design view see network.md; for firewall posture see firewall-live.md.

Regenerate the underlying data anytime with uv run python -m scripts.labctl unifi dump > snapshot.json. The zones, firewall-policies, networks, clients, and devices subcommands pull individual slices.


1. Physical topology

How the wired backbone and access points are actually cabled, from the UniFi device table (uplink MAC + port).

graph TD
    ISP["ISP — Cable"]
    MODEM["Cable Modem (UCI)<br/>192.168.100.1<br/>d0:21:f9:05:8f:21"]
    UDM["UDM SE (Gateway)<br/>WAN1 98.167.204.33 / eth8<br/>60:22:32:26:2f:89"]
    WAN2["WAN2 / eth9<br/>(enabled, link DOWN — failover)"]
    SW["USW Pro Max 16 PoE<br/>192.168.1.58<br/>28:70:4e:32:67:6d"]
    FLEX["USW Flex Mini<br/>192.168.1.95"]
    APH["Hallway AP — U7 Pro<br/>192.168.1.110 · 20 clients"]
    APD["Dining AP — AC Pro<br/>192.168.1.34 · 7 clients"]
    WIRED["Wired endpoints<br/>(servers, cameras, IoT, printers)"]
    WIFI["Wi-Fi clients<br/>(4 SSIDs → VLANs)"]

    ISP --> MODEM --> UDM
    WAN2 -.-> UDM
    UDM -->|port 11| SW
    SW -->|port 2| FLEX
    SW -->|port 13| APH
    SW -->|port 14| APD
    SW --> WIRED
    FLEX --> WIRED
    APH --> WIFI
    APD --> WIFI

| Device | Model | Mgmt IP | Uplink | Clients |
|---|---|---|---|---|
| UDM SE | UDMPROSE | 98.167.204.33 (WAN) | Cable modem (port 1 / eth8) | 41 |
| USW Pro Max 16 PoE | USPM16P | 192.168.1.58 | UDM port 11 | 20 |
| USW Flex Mini | USMINI | 192.168.1.95 | Pro Max port 2 | 1 |
| Hallway AP (U7 Pro) | U7PRO | 192.168.1.110 | Pro Max port 13 | 20 |
| Dining AP (AC Pro) | U7PG2 | 192.168.1.34 | Pro Max port 14 | 7 |
| Cable Modem | UCI | 192.168.100.1 | — (WAN) | 1 |

Dual-WAN: WAN1 (eth8, weighted) is up; WAN2 (eth9, failover-only) is enabled but the link is down — expected if no second ISP is connected.


2. Layer-3 / VLAN topology

Every routed network on the UDM SE and the firewall zone it belongs to (zones drive the inter-VLAN policy — see firewall-live.md).

graph TD
    UDM["UDM SE<br/>inter-VLAN router + DHCP"]

    subgraph EXTERNAL["Zone: External"]
        W1["WAN1 / Internet 1<br/>98.167.204.33"]
        W2["WAN2 / Internet 2 (down)"]
    end

    subgraph INTERNAL["Zone: Internal (trusted)"]
        V1["VLAN 1 · GenPop<br/>192.168.1.0/24"]
        V2["VLAN 2 · Personal<br/>192.168.3.0/24"]
        V4["VLAN 4 · Servers<br/>192.168.6.0/24"]
        V10["VLAN 10 · Management<br/>192.168.10.0/24"]
    end

    subgraph IOTZ["Zone: IoT (untrusted)"]
        V5["VLAN 5 · IoT<br/>192.168.7.0/24"]
        V3["VLAN 3 · Appliances<br/>192.168.5.0/24"]
    end

    subgraph SECZ["Zone: Security"]
        V6["VLAN 6 · Security/Cameras<br/>192.168.8.0/24"]
    end

    subgraph VPNZ["Zone: Vpn"]
        VPN["VPN Server pool<br/>192.168.2.0/24"]
    end

    UDM --- W1
    UDM -.- W2
    UDM --- V1 & V2 & V4 & V10
    UDM --- V5 & V3
    UDM --- V6
    UDM --- VPN

| VLAN | Name | Subnet | Gateway | DHCP pool | Zone | DHCP-handed DNS |
|---|---|---|---|---|---|---|
| 1 | GenPop | 192.168.1.0/24 | .1 | .6–.254 | Internal | gateway (dhcpd_dns off) |
| 2 | Personal | 192.168.3.0/24 | .1 | .6–.254 | Internal | gateway |
| 3 | Appliances | 192.168.5.0/24 | .1 | .6–.254 | IoT | gateway |
| 4 | Servers | 192.168.6.0/24 | .1 | .6–.254 | Internal | gateway |
| 5 | IoT | 192.168.7.0/24 | .1 | .6–.254 | IoT | gateway |
| 6 | Security | 192.168.8.0/24 | .1 | .6–.254 | Security | gateway |
| 10 | Management | 192.168.10.0/24 | .1 | .10–.100 | Internal | gateway |
| — | VPN Server | 192.168.2.0/24 | .1 | — | Vpn | — |

Note: Appliances (VLAN 3) is grouped into the IoT firewall zone, not the Internal zone — so appliances are treated as untrusted for inter-VLAN purposes.

Wi-Fi SSID → VLAN (live)

| SSID | Security | Network → VLAN |
|---|---|---|
| The LAN Before Time | WPA2-PSK | GenPop → 1 |
| IsThisTheKrustyKrab | WPA2-EAP | Personal → 2 |
| Rebellious Amish Family | WPA2-EAP | Appliances → 3 |
| HotSignalsInYourArea | WPA2-EAP | IoT → 5 |

3. DNS resolution path

3a. Baseline at capture (2026-06-03)

This was the actual resolver chain at the June scan. It differed from the design in network.md.

graph LR
    C["Any client<br/>(all VLANs)"]
    GW["VLAN gateway<br/>192.168.x.1 (UDM)"]
    PIHOLE["Blocktopus / PiHole<br/>192.168.6.80<br/>(WAN1 manual DNS)"]
    UP["Upstream / Internet"]
    ADG["AdGuard Home<br/>192.168.6.17<br/>(NOT in DHCP/DNS path)"]

    C -->|"DHCP hands out gateway as DNS"| GW
    GW -->|"forwards to WAN DNS"| PIHOLE
    PIHOLE --> UP
    ADG -.->|"documented target,<br/>not used at scan time"| C
  • Per-VLAN DHCP DNS was disabled (dhcpd_dns_enabled: false) on every network — clients received the UDM gateway as DNS.
  • WAN1 manual DNS was 192.168.6.80 (Blocktopus / legacy PiHole). IPv6 DNS also pointed at Blocktopus.
  • AdGuard on 192.168.6.17 was deployed in repo but not in the path. See observation O1.

3b. Target and current cutover (2026-06-19)

Target: all VLANs (and UDM WAN upstream) use AdGuard at 192.168.6.17.

graph LR
    C["Clients (all VLANs)"]
    ADG["AdGuard + Unbound<br/>192.168.6.17:53<br/>infra-services"]
    UB["Root DNS"]
    RW["Rewrites<br/>*.lab.local<br/>*.infra.realemail.app"]

    C -->|"DHCP DNS or direct query"| ADG
    ADG --> RW
    ADG --> UB

| Item | Status (2026-06-19) |
|---|---|
| AdGuard + Unbound running | Yes |
| Rewrites + infra wildcard | Yes |
| UFW LAN → :53 on infra-services | Yes |
| Tailscale prefer-main (Servers VLAN) | Yes — same-L2 DNS to .17 works |
| UDM WAN1 DNS → .17 | Owner action — confirm in UI |
| Per-VLAN DHCP DNS → .17 | Owner action — most VLANs; Servers may use .17 or gateway |
| IPv6 DNS on UDM | Not configured (AdGuard IPv4 only) |
| PiHole decom (LXC 104) | After 48h parallel soak |

Servers VLAN note: infra-services advertises 192.168.6.0/24 on Tailscale. Without prefer-main routing, replies to same-subnet clients go out tailscale0 and DNS times out. Fix is in the Ansible tailscale role — see AdGuard — Servers VLAN caveat.

Verify from any VLAN:

dig @192.168.6.17 google.com +short

Verify from Servers VLAN (e.g. saltierpoop): same command must succeed before PiHole is turned off.
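The dig command above checks one name against one resolver. The script below is an added example (not part of this page or the lab's labctl tooling) that runs the soak comparison properly: it queries the same names against both PiHole (192.168.6.80) and AdGuard (192.168.6.17) and reports, per resolver, an answer, an NXDOMAIN, or a timeout. A timeout from a same-subnet client is exactly the symptom of the Tailscale caveat described above, so it is kept distinct from an error. The script speaks the DNS wire format directly and needs only the standard library. The two hostnames under the rewrite zones and the 2-second timeout are assumptions.

```python
"""
Soak check for the §3b cutover: query each name against the legacy PiHole and
AdGuard and show whether each resolver answered, returned NXDOMAIN, or timed out.

Added example, not the lab's code. Uses only the standard library by building
and parsing DNS packets itself (RFC 1035 §4.1). Resolver IPs come from the page;
the lab hostnames and the timeout are assumptions.
"""
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Standard recursive query (RD=1) for `name` with the given transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def skip_name(data: bytes, offset: int) -> int:
    """Offset just past the name at `offset`; a 2-byte compression pointer ends a name."""
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length


def parse_response(data: bytes, txid: int) -> tuple:
    """Return (rcode name, [A records]); raise ValueError if the packet is not our answer."""
    if len(data) < 12:
        raise ValueError("short packet")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = RCODE_NAMES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:  # only A records matter for this check
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, answers


def query(server: str, name: str, timeout: float = 2.0) -> dict:
    """One UDP query; status is 'ok', 'timeout' (no reply at all) or 'error'."""
    txid = random.randrange(0x10000)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, txid), (server, 53))
            data, _ = sock.recvfrom(4096)
        rcode, answers = parse_response(data, txid)
        return {"status": "ok", "rcode": rcode, "answers": answers}
    except socket.timeout:
        return {"status": "timeout", "rcode": None, "answers": []}
    except (OSError, ValueError) as exc:
        return {"status": "error", "rcode": str(exc), "answers": []}


def soak_report(resolvers: dict, names: list) -> list:
    """Rows of (name, resolver label, status, rcode, answers) for every pair."""
    rows = []
    for name in names:
        for label, server in resolvers.items():
            r = query(server, name)
            rows.append((name, label, r["status"], r["rcode"], r["answers"]))
    return rows


if __name__ == "__main__":
    RESOLVERS = {"pihole": "192.168.6.80", "adguard": "192.168.6.17"}
    # google.com is the page's own check; the two lab names are assumed hostnames
    # under the rewrite zones, so AdGuard should answer them and PiHole need not.
    NAMES = ["google.com", "infra-services.lab.local", "adguard.infra.realemail.app"]
    for name, label, status, rcode, answers in soak_report(RESOLVERS, NAMES):
        print(f"{name:32} {label:8} {status:8} {str(rcode or '-'):10} {' '.join(answers)}")
```

Run it once from a GenPop or Personal host and once from saltierpoop; the Servers VLAN run is the one that exposes the tailscale0 reply-routing problem, because only same-subnet replies are affected.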


4. Live device inventory (by VLAN)

48 clients were associated at capture. Entries marked (no lease) were associated at L2 but had no IPv4 in stat/sta at scan time.

VLAN 4 — Servers (192.168.6.0/24)

| IP | Name | Conn |
|---|---|---|
| 192.168.6.17 | infra-services | wired |
| 192.168.6.71 | Proxbox (prox) | wired |
| 192.168.6.80 | Blocktopus (PiHole) | wired |
| 192.168.6.98 | Whrrr — Recordurbate VM | wired |
| 192.168.6.100 | Whrrr — Ubuncap VM | wired |
| 192.168.6.199 | Proxbox — pulse | wired |
| 192.168.6.214 | Whrrr — LAN2 | wired |
| 192.168.6.215 | Whrrr — LAN1 (primary) | wired |
| 192.168.6.222 | octoprint | wired |
| 192.168.6.227 | Proxbox — HAOS (poopcastle) | wired |
| 192.168.6.243 | saltierpoop | wired |
| (no lease) | harbor-registry | wired |
| (no lease) | Whrrr — LAN3 | wired |
| (no lease) | Proxbox — influxdb | wired |

VLAN 2 — Personal (192.168.3.0/24)

| IP | Name | Conn |
|---|---|---|
| 192.168.3.17 | CaptainKangapoo (PC) | wired |
| 192.168.3.37 | Apple MBP M4 (Ben) | Wi-Fi (KrustyKrab) |
| 192.168.3.60 | OnePlus 8 Pro | Wi-Fi (KrustyKrab) |
| 192.168.3.85 | Samsung | Wi-Fi (LAN Before Time) |
| 192.168.3.107 | LM-L06YF9KDC1 (MacBook) | Wi-Fi (LAN Before Time) |
| 192.168.3.169 | iPhone | Wi-Fi (KrustyKrab) |
| 192.168.3.240 | LM-L06YF9KDC1 (wired NIC) | wired |
| (no lease) | Fiio R7 | Wi-Fi |

VLAN 5 — IoT (192.168.7.0/24)

| IP | Name | Conn |
|---|---|---|
| 192.168.7.22 | Xiaomi H3 Air Purifier | Wi-Fi |
| 192.168.7.93 | Govee Lamp (Bedside) | Wi-Fi |
| 192.168.7.106 | Apple TV 4K (Bedroom) | wired |
| 192.168.7.107 | Aqara Doorbell G4 | Wi-Fi |
| 192.168.7.124 | Apple HomePod (Kitchen) | Wi-Fi |
| 192.168.7.145 | Petlibro Cat Feeder #2 | Wi-Fi |
| 192.168.7.156 | Neakasa M1 Litter Box | Wi-Fi |
| 192.168.7.159 | Blueair DustMagnet 5415i | Wi-Fi |
| 192.168.7.168 | Google Nest Mini (Living Room) | Wi-Fi |
| 192.168.7.169 | Molly & Cody Smart Feeder (Tuya) | Wi-Fi |
| 192.168.7.184 | Yale Lock (Front Door) | Wi-Fi |
| 192.168.7.212 | roborock-vacuum-a288 | Wi-Fi |
| 192.168.7.241 | ecobee (BooBEE) | Wi-Fi |
| (no lease) | SLZB-06M Zigbee coordinator | wired |
| (no lease) | ChargePoint Charger | Wi-Fi |

VLAN 3 — Appliances (192.168.5.0/24)

| IP | Name | Conn |
|---|---|---|
| 192.168.5.39 | Fellow Aiden (coffee brewer) | Wi-Fi |
| 192.168.5.59 | Prusa LayerSlut (3D printer) | Wi-Fi |
| 192.168.5.71 | Rheem EcoNet (water heater) | Wi-Fi |
| 192.168.5.187 | Rollo Label Printer | Wi-Fi |
| 192.168.5.239 | GE Appliance (GEMODULE) | Wi-Fi |
| 192.168.5.247 | Bosch Dishwasher | Wi-Fi |

VLAN 6 — Security (192.168.8.0/24)

| IP | Name | Conn |
|---|---|---|
| 192.168.8.11 | G5 Flex (rack monitor) | wired |
| 192.168.8.76 | G4 Pro | wired |
| 192.168.8.173 | G4 Pro | wired |

VLAN 1 — GenPop (192.168.1.0/24)

| IP | Name | Conn |
|---|---|---|
| 192.168.1.34 | Dining AP (infra) | wired |
| 192.168.1.58 | USW Pro Max 16 (infra) | wired |
| 192.168.1.95 | USW Flex Mini (infra) | wired |
| 192.168.1.110 | Hallway AP (infra) | wired |
| 192.168.1.82 | Aqara Hub M2 (drift — should be IoT) | Wi-Fi |
| (no lease) | SamsungPrinter (pending move) | Wi-Fi |

VLAN 10 — Management (192.168.10.0/24)

No clients — reserved for admin / out-of-band.


5. WAN exposure (port forwards)

| Service | WAN port | → Internal target |
|---|---|---|
| HTTP | 80 | 192.168.6.243:80 (saltierpoop) |
| HTTP_Too | 8080 | 192.168.6.243:8080 |
| HTTPS | 443 | 192.168.6.243:443 |

No SMB/445 forward is present (consistent with the Phase 0 hotfix).


6. Drift & anomalies

A reboot/firmware-update had just occurred at capture, and several items differ from inventory/design. These are catalogued — with evidence and suggested checks — in Network Observations (2026-06-03).
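The status table in §3b, the drift flags in §4 and the "no 445 forward" check in §5 are all questions a snapshot from `labctl unifi dump` can answer mechanically. The script below is an added example, not part of labctl or this page, that audits such a snapshot: the resolver each VLAN's DHCP clients actually end up using (DHCP-handed DNS, or the gateway and then WAN1 DNS when dhcpd_dns_enabled is false), whether WAN1 DNS points at AdGuard, any enabled WAN forward outside 80/443/8080, and known devices on the wrong VLAN. The snapshot layout (top-level "networks", "clients" and "portforwards" lists) is an assumption; the field names inside those objects are the UniFi Network API's. The embedded sample is constructed to mirror the June baseline and deliberately includes a 445 forward so the check is seen firing; the live snapshot has none (§5).

```python
"""
Audit a `labctl unifi dump` snapshot for the drift this page tracks.

Added example, not the lab's labctl code. ASSUMED snapshot shape: a JSON object
with "networks" (UniFi networkconf objects), "clients" (stat/sta objects) and
"portforwards" (portforward objects). SNAPSHOT below is constructed test data
mirroring the 2026-06-03 baseline, plus a 445 forward to exercise that check.
"""
import json

TARGET_DNS = "192.168.6.17"
ALLOWED_FORWARD_PORTS = {"80", "443", "8080"}          # §5 as-built forwards
EXPECTED_NETWORK = {                                   # §4 drift entries
    "Aqara Hub M2": "IoT",
    "SamsungPrinter": "Appliances",
}

SNAPSHOT = json.loads("""{
 "networks": [
  {"name": "WAN", "purpose": "wan", "wan_networkgroup": "WAN",
   "wan_dns_preference": "manual", "wan_dns1": "192.168.6.80"},
  {"name": "GenPop", "purpose": "corporate", "vlan": 1,
   "ip_subnet": "192.168.1.1/24", "dhcpd_dns_enabled": false},
  {"name": "Servers", "purpose": "corporate", "vlan": 4,
   "ip_subnet": "192.168.6.1/24", "dhcpd_dns_enabled": true, "dhcpd_dns_1": "192.168.6.17"},
  {"name": "IoT", "purpose": "corporate", "vlan": 5,
   "ip_subnet": "192.168.7.1/24", "dhcpd_dns_enabled": false}
 ],
 "clients": [
  {"name": "Aqara Hub M2", "ip": "192.168.1.82", "network": "GenPop", "is_wired": false},
  {"name": "saltierpoop", "ip": "192.168.6.243", "network": "Servers", "is_wired": true}
 ],
 "portforwards": [
  {"name": "HTTPS", "enabled": true, "proto": "tcp", "dst_port": "443",
   "fwd": "192.168.6.243", "fwd_port": "443"},
  {"name": "SMB", "enabled": true, "proto": "tcp", "dst_port": "445",
   "fwd": "192.168.6.243", "fwd_port": "445"}
 ]
}""")


def wan_dns(snapshot: dict):
    """Resolver the gateway itself forwards to: manual WAN1 DNS, or the ISP when auto."""
    for net in snapshot.get("networks", []):
        if net.get("purpose") == "wan" and net.get("wan_networkgroup") == "WAN":
            if net.get("wan_dns_preference") == "manual":
                return net.get("wan_dns1")
            return "isp (auto)"
    return None


def resolver_chain(net: dict, gateway_upstream) -> list:
    """Resolvers a DHCP client on `net` asks, in order."""
    if net.get("dhcpd_dns_enabled") and net.get("dhcpd_dns_1"):
        return [net["dhcpd_dns_1"]]
    gateway = net["ip_subnet"].split("/")[0]   # networkconf stores the gateway address here
    return [gateway, gateway_upstream]         # UDM dnsmasq forwards to the WAN DNS


def audit(snapshot: dict) -> list:
    """Findings as strings; an empty list means the snapshot matches the target state."""
    findings = []
    upstream = wan_dns(snapshot)
    if upstream != TARGET_DNS:
        findings.append(f"wan: WAN1 DNS is {upstream}, target {TARGET_DNS}")
    for net in snapshot.get("networks", []):
        if net.get("purpose") != "corporate":
            continue
        chain = resolver_chain(net, upstream)
        if TARGET_DNS not in chain:
            findings.append(f"dns: VLAN {net['vlan']} {net['name']} resolves via {' -> '.join(chain)}")
    for pf in snapshot.get("portforwards", []):
        if pf.get("enabled") and str(pf["dst_port"]) not in ALLOWED_FORWARD_PORTS:
            findings.append(f"wan: forward {pf['name']} {pf['proto']}/{pf['dst_port']} -> {pf['fwd']}:{pf['fwd_port']}")
    for c in snapshot.get("clients", []):
        want = EXPECTED_NETWORK.get(c.get("name"))
        if want and c.get("network") != want:
            findings.append(f"drift: {c['name']} on {c['network']} ({c.get('ip', 'no lease')}), expected {want}")
    return findings


if __name__ == "__main__":
    import sys
    snap = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SNAPSHOT
    for line in audit(snap) or ["clean: snapshot matches target state"]:
        print(line)
```

Point it at a fresh dump (`uv run python -m scripts.labctl unifi dump > snapshot.json`, then `python audit.py snapshot.json`) after each owner action in the §3b table; a VLAN whose DHCP still hands out the gateway stops being reported as soon as WAN1 DNS is moved to .17, which is why the Servers row there can stay on the gateway.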