# Network Architecture
This document describes the lab's network topology, VLAN segmentation, and inter-VLAN firewall policy. The network diagram is auto-generated from inventory and regenerates on every push.
## Network Diagram
{% include "network-diagram.md" %}
If the include doesn't render, see network-diagram.md directly.
## VLANs
| VLAN | Name | CIDR | Gateway | Purpose |
|---|---|---|---|---|
| 1 | GenPop | 192.168.1.0/24 | 192.168.1.1 | Household devices, default LAN |
| 2 | Personal Devices | 192.168.3.0/24 | 192.168.3.1 | Personal trusted devices |
| 3 | Appliances | 192.168.5.0/24 | 192.168.5.1 | Household appliances |
| 4 | Servers | 192.168.6.0/24 | 192.168.6.1 | Proxmox, NAS, infra-services, Saltbox |
| 5 | IoT | 192.168.7.0/24 | 192.168.7.1 | IoT devices, no egress to servers |
| 6 | Security | 192.168.8.0/24 | 192.168.8.1 | Cameras and NVR, isolated |
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Infrastructure management plane |
| — | Unifi VPN | 192.168.2.0/24 | 192.168.2.1 | Legacy Unifi VPN pool |
## WiFi SSID Mapping
| SSID | Security | VLAN | Notes |
|---|---|---|---|
| The LAN Before Time | WPA2-PSK | 1 (GenPop) | Open household network |
| IsThisTheKrustyKrab | WPA2-EAP | 2 (Personal) | Trusted personal devices |
| Rebellious Amish Family | WPA2-EAP | TBD | Owner to decide: IoT or Appliances |
| HotSignalsInYourArea | WPA2-EAP | TBD | Owner to decide: IoT |
## Inter-VLAN Firewall Policy
See firewall-policy.md for the full rule set.
Summary: default-deny between VLANs, with named exceptions. The Servers VLAN is reachable from trusted VLANs; the IoT and Security VLANs are isolated; the Management VLAN has full access.
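The summary above as a policy-as-code model, added here as an example and not part of the lab's repo or of firewall-policy.md: it encodes the VLAN table, evaluates a single src -> dst flow against the summarised rules, and checks a small set of expected flows so the intent can be re-verified after a rule-set change. Which VLANs count as "trusted" (Personal Devices and Management here) and the UDP/53 exception to 192.168.6.17 that DHCP option 6 implies for every VLAN are assumptions, not statements from the page.

```python
import ipaddress

# VLAN inventory copied from the table above (Unifi VPN pool omitted).
VLANS = {
    "GenPop": "192.168.1.0/24", "Personal": "192.168.3.0/24",
    "Appliances": "192.168.5.0/24", "Servers": "192.168.6.0/24",
    "IoT": "192.168.7.0/24", "Security": "192.168.8.0/24",
    "Management": "192.168.10.0/24",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in VLANS.items()}

# Assumptions, not stated on the page: which VLANs count as "trusted", and
# that every VLAN may reach the resolver handed out via DHCP option 6.
TRUSTED = {"Personal", "Management"}
ISOLATED = {"IoT", "Security"}
DNS_EXCEPTION = ("192.168.6.17", "udp", 53)

def vlan_of(ip):
    """Name of the VLAN an address belongs to, or None if off-net."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETS.items() if addr in net), None)

def allowed(src_ip, dst_ip, proto="tcp", port=0):
    """Evaluate the summarised policy for one src -> dst flow."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False                    # off-net address: default-deny
    if src == dst:
        return True                     # intra-VLAN traffic is not firewalled
    if src == "Management":
        return True                     # Management has full access
    if (dst_ip, proto, port) == DNS_EXCEPTION:
        return True                     # every VLAN needs to resolve names
    if src in ISOLATED or dst in ISOLATED:
        return False                    # IoT and Security are isolated
    if dst == "Servers" and src in TRUSTED:
        return True                     # named exception: trusted -> Servers
    return False                        # default-deny between VLANs

EXPECTATIONS = [  # (src, dst, proto, port, expected), derived from the summary
    ("192.168.3.10", "192.168.6.243", "tcp", 443, True),   # Personal -> Saltbox
    ("192.168.7.20", "192.168.6.17", "udp", 53, True),     # IoT -> DNS only
    ("192.168.7.20", "192.168.6.17", "tcp", 443, False),   # IoT -> Servers: denied
    ("192.168.8.5", "192.168.3.10", "tcp", 22, False),     # Security -> Personal
    ("192.168.10.2", "192.168.8.5", "tcp", 443, True),     # Management -> NVR
    ("192.168.1.50", "192.168.6.243", "tcp", 443, False),  # GenPop not trusted here
]

def violations():
    """Expectations the model fails; an empty list means the summary holds."""
    return [e for e in EXPECTATIONS if allowed(*e[:4]) != e[4]]
```

Adding a row to EXPECTATIONS for each named exception in firewall-policy.md turns this into a regression check: a non-empty result from violations() names the flows whose intent the current rule set no longer honours.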
## Tailscale Overlay
The lab uses Tailscale (SaaS) for remote access and inter-site connectivity. ACLs are managed as code in infra/tailscale/acl.json and synced by a GitHub Action on every push.
| Node | Tailscale IP | Role |
|---|---|---|
| infra-services | — | Server infrastructure |
| saltierpoop | — | Media stack |
| whrrr | 100.71.93.130 | NAS |
| recordurbate | 100.85.192.18 | Customer-app host |
| ubuncap | 100.127.229.145 | Customer-app host |
| poopcastle (HAOS) | — | Exit node |
## DNS
DNS is served by AdGuard Home on infra-services (192.168.6.17:53), with Unbound as the upstream recursive resolver.

Internal service names (*.infra.realemail.app) resolve to 192.168.6.17 via UDM DNS policy table entries. AdGuard Home also serves DNS rewrites generated from inventory for direct hostname resolution.

PiHole on LXC 104 (blocktopus, 192.168.6.80) is the legacy DNS server and will be decommissioned after the AdGuard cutover is verified.
## Key Dependencies

```text
UDM-SE (192.168.1.1)
├── All VLAN routing and firewall
├── DHCP for all VLANs
└── DNS option 6 → AdGuard (192.168.6.17)

infra-services (192.168.6.17)
├── Traefik (reverse proxy)
├── Prometheus / Grafana / Alertmanager
├── AdGuard Home + Unbound (DNS)
└── Komodo, ARA, Homepage

saltierpoop (192.168.6.243)
├── Plex, Sonarr, Radarr (Saltbox)
├── Authentik (SSO)
└── Traefik (public ingress)
```