# Network Architecture
This document describes the lab's intended network topology, VLAN segmentation, and inter-VLAN firewall policy. The network diagram is auto-generated from inventory and regenerates on every push.
Looking for the current, as-built state?
For a live, scanned snapshot of what is actually on the wire — physical topology, device inventory, DNS path, and the enforced firewall matrix — see Current Network (live) and Firewall (live posture), plus the 2026-06-03 observations.
## Network Diagram
{% include "network-diagram.md" %}
If the include doesn't render, see network-diagram.md directly.
## VLANs
| VLAN | Name | CIDR | Gateway | Purpose |
|---|---|---|---|---|
| 1 | GenPop | 192.168.1.0/24 | 192.168.1.1 | Household devices, default LAN |
| 2 | Personal Devices | 192.168.3.0/24 | 192.168.3.1 | Personal trusted devices |
| 3 | Appliances | 192.168.5.0/24 | 192.168.5.1 | Household appliances |
| 4 | Servers | 192.168.6.0/24 | 192.168.6.1 | Proxmox, NAS, infra-services, Saltbox |
| 5 | IoT | 192.168.7.0/24 | 192.168.7.1 | IoT devices, no egress to servers |
| 6 | Security | 192.168.8.0/24 | 192.168.8.1 | Cameras and NVR, isolated |
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Infrastructure management plane |
| — | Unifi VPN | 192.168.2.0/24 | 192.168.2.1 | Legacy Unifi VPN pool |
## WiFi SSID Mapping
| SSID | Security | VLAN | Purpose |
|---|---|---|---|
| The LAN Before Time | WPA2-PSK | 1 (GenPop) | Guests only |
| IsThisTheKrustyKrab | WPA2-EAP | 2 (Personal) | Personal trusted devices |
| HotSignalsInYourArea | WPA2-EAP | 5 (IoT) | IoT devices |
| Rebellious Amish Family | WPA2-EAP | 3 (Appliances) | Appliances and printers |
## Inter-VLAN Firewall Policy
See firewall-policy.md for the full rule set.
Summary: default-deny between VLANs, with named exceptions. The Servers VLAN is reachable from trusted VLANs; the IoT and Security VLANs are isolated; the Management VLAN has full access to every other VLAN.
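The intended policy above, expressed as code so it can be diffed against the live posture. This is an added example, not the lab's firewall-policy.md or the UDM rule set; it assumes that "trusted VLANs" means GenPop and Personal (adjust to match firewall-policy.md) and that Management may reach every VLAN. The sample observations are constructed, not scan data.

```python
"""Intended inter-VLAN policy as code (added example, not the lab's own rules).

Encodes the summary rules of this page at VLAN granularity and checks observed
flows against them, so the intended matrix can be compared with the enforced one.
Assumption: the VLANs allowed to reach Servers are GenPop and Personal.
"""
from __future__ import annotations

import ipaddress

# VLAN CIDRs from this page's VLAN table.
VLANS = {
    "GenPop": "192.168.1.0/24",
    "Personal": "192.168.3.0/24",
    "Appliances": "192.168.5.0/24",
    "Servers": "192.168.6.0/24",
    "IoT": "192.168.7.0/24",
    "Security": "192.168.8.0/24",
    "Management": "192.168.10.0/24",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in VLANS.items()}

# Named exceptions to default-deny: src VLAN -> set of reachable dst VLANs.
TRUSTED = {"GenPop", "Personal"}          # assumption: which VLANs are "trusted"
ALLOW = {src: {"Servers"} for src in TRUSTED}
ALLOW["Management"] = set(VLANS)          # full access
# IoT and Security are isolated: no entry, so default-deny applies.


def vlan_of(ip: str) -> str | None:
    """Map an address to its VLAN name, or None if it is outside every VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str) -> bool:
    """Intended verdict for an inter-VLAN flow (ports are out of scope here)."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False             # unknown addresses fall under default-deny
    if src == dst:
        return True              # intra-VLAN traffic is not subject to the matrix
    return dst in ALLOW.get(src, set())


def matrix() -> dict[tuple[str, str], bool]:
    """Full intended src->dst matrix, suitable for diffing against a live export."""
    return {(s, d): (s == d or d in ALLOW.get(s, set())) for s in VLANS for d in VLANS}


def check_flows(flows):
    """flows: iterable of (src_ip, dst_ip, observed_allowed).

    Returns (src, dst, observed, intended) for every flow whose observed
    verdict differs from the intended policy.
    """
    return [(s, d, obs, is_allowed(s, d)) for s, d, obs in flows if obs != is_allowed(s, d)]


# Constructed sample observations (not real scan output).
SAMPLE = [
    ("192.168.3.25", "192.168.6.17", True),    # Personal -> Servers: intended allow
    ("192.168.7.40", "192.168.6.243", True),   # IoT -> Servers seen open: violates isolation
    ("192.168.10.5", "192.168.8.10", True),    # Management -> Security: intended allow
    ("192.168.8.10", "192.168.1.50", False),   # Security -> GenPop: intended deny
]

if __name__ == "__main__":
    for s, d, obs, intended in check_flows(SAMPLE):
        print(f"MISMATCH {s} -> {d}: observed {'allow' if obs else 'deny'}, "
              f"intended {'allow' if intended else 'deny'}")
```

The check works at VLAN granularity only. Port-level exceptions such as every VLAN reaching the AdGuard resolver on 192.168.6.17:53 (implied by the DHCP option 6 setting in Key Dependencies) are not modelled here and must come from firewall-policy.md.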
## Tailscale Overlay
The lab uses Tailscale SaaS for remote access and inter-site connectivity. ACLs are managed as code in `infra/tailscale/acl.json` and synced by a GitHub Action on push.
| Node | Tailscale IP | Role |
|---|---|---|
| infra-services | — | Server infrastructure |
| saltierpoop | — | Media stack |
| whrrr | 100.71.93.130 | NAS |
| recordurbate | 100.85.192.18 | Customer-app metrics host (Ansible-managed VM) |
| ubuncap | 100.127.229.145 | Ansible-managed VM; customer-app containers |
| poopcastle (HAOS) | — | Exit node |
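Because the ACL file is applied automatically on push, a lint step before the sync catches over-broad rules before they reach the tailnet. The following is an added example, not the lab's `infra/tailscale/acl.json` or its workflow; it assumes the standard Tailscale policy-file shape (an `"acls"` list of `action`/`src`/`dst` rules with `dst` entries written as `target:port`), and the tag names and sample policy are constructed placeholders.

```python
"""Pre-sync sanity check for a Tailscale ACL policy file (added example).

Not the lab's acl.json. Assumes the documented Tailscale policy-file layout:
"acls" is a list of rules, each with "action" (only "accept" exists; deny is
implicit), "src" (list of users/groups/tags) and "dst" (list of "target:port").
Tag names such as tag:servers are hypothetical.
"""
import json

# Constructed sample policy (plain JSON so the stdlib parser can read it).
SAMPLE_ACL = """
{
  "tagOwners": {"tag:servers": ["autogroup:admin"], "tag:exit": ["autogroup:admin"]},
  "acls": [
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:servers:22", "tag:servers:443"]},
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:exit:*"]}
  ]
}
"""


def lint_acl(policy: dict) -> list[str]:
    """Return a finding per rule that is broader than this lab's default-deny intent."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        srcs, dsts = rule.get("src", []), rule.get("dst", [])
        if rule.get("action") != "accept":
            findings.append(f"rule {i}: action must be 'accept' (deny is implicit)")
        # Any-source to any-destination on any port grants the whole tailnet.
        if "*" in srcs and any(d.endswith(":*") for d in dsts):
            findings.append(f"rule {i}: wildcard src with wildcard dst {dsts} grants everything")
        for d in dsts:
            target, _, port = d.rpartition(":")   # rpartition keeps IPv6 targets intact
            # Hypothetical tag: server nodes should list explicit ports.
            if port == "*" and target.startswith("tag:servers"):
                findings.append(f"rule {i}: {d} exposes all ports on tagged servers; name the ports")
    return findings


def lint_acl_text(text: str) -> list[str]:
    """Parse a policy document and lint it; exit code 1 from CI when findings exist."""
    return lint_acl(json.loads(text))


if __name__ == "__main__":
    import sys
    problems = lint_acl_text(SAMPLE_ACL)
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Tailscale policy files may contain comments and trailing commas (HuJSON); if the lab's acl.json uses them, swap `json.loads` for a HuJSON-capable parser, or run the lint on the output of `tailscale` tooling that normalises the file.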
## DNS
Live design: DNS is served by AdGuard Home on infra-services (192.168.6.17:53), with Unbound as the upstream recursive resolver. Internal service names (`*.infra.realemail.app`) resolve via AdGuard rewrites; inventory `*.lab.local` names are imported from dns-rewrites.yaml.
**Authoritative DNS (2026-06-19):** AdGuard on 192.168.6.17 is the lab resolver. UDM WAN and all VLAN DHCP point here. PiHole LXC 104 (blocktopus) is retired; AdGuard is the live path. See AdGuard.
Historical baseline (2026-06-03 scan): clients used the UDM gateway as resolver; WAN1 DNS pointed at 192.168.6.80 (PiHole), not AdGuard. That snapshot is preserved in network-live §3a.
PiHole on LXC 104 (blocktopus, 192.168.6.80) is historical. Do not add new DNS rewrites there; update inventory and render AdGuard rewrites instead.
## Key Dependencies
```text
UDM-SE (192.168.1.1)
├── All VLAN routing and firewall
├── DHCP for all VLANs
└── DNS option 6 → AdGuard (192.168.6.17)

infra-services (192.168.6.17)
├── Traefik (reverse proxy)
├── Prometheus / Grafana / Alertmanager
├── AdGuard Home + Unbound (DNS)
└── Komodo, ARA, Homepage

saltierpoop (192.168.6.243)
├── Plex, Sonarr, Radarr (Saltbox)
├── Authentik server (SSO)
└── Traefik (public ingress)
```