network:unifi

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

network:unifi [2026/01/23 18:12] – created nathna
network:unifi [2026/01/23 18:25] (current) nathna
Line 1: Line 1:
-📡 TorresVault UniFi Network+====== 📡 TorresVault UniFi Network ======
  
-This page documents the full UniFi network configuration that powers the entire TorresVault environment — including VLANs, WiFi, zones, firewall rulesswitch topologyand DNS structure. +This page documents the full UniFi network configuration powering the entire **TorresVault ecosystem**, including VLANs, WiFi, firewall zoningrouting, DNS, and switch topology.
-This serves as the official reference for configuration, troubleshooting, and future expansion.+
  
-===== Overview =====+This serves as the **official reference** for configuration, troubleshooting, and future expansion.
  
-The TorresVault network, managed by the UniFi UCG Max, connects:+----
  
-Proxmox cluster (PVE1 & PVE2)+===== Overview =====
  
-Proxmox Backup Server (PBS)+The TorresVault network, managed by the **UniFi UCG Max**, connects and coordinates:
  
-TrueNAS (Backup storage)+  * Proxmox cluster (PVE1 & PVE2) 
 +  * Proxmox Backup Server (PBS) 
 +  * TrueNAS (backup storage
 +  * Home Assistant + IoT ecosystem 
 +  * FPP Light Show network 
 +  * Pi-hole DNS (VIP 192.168.1.5) 
 +  * Local services   
 +    (NPM, Grafana, Prometheus, Nextcloud, Jellyfin, etc.)
  
-Home Assistant + IoT ecosystem+Routing, VLANs, firewall, DHCP, and VPN are all handled on the **UCG Max**.
  
-FPP Light Show network+----
  
-Pi-hole DNS+===== VLANs =====
  
-Local services (NPMGrafanaPrometheusNextcloudJellyfin, etc.)+^ VLAN Name            ^ VLAN ID ^ Subnet              ^ Purpose                           ^ 
 +| Default              | 1       | 192.168.1.0/24      | Main LANserversProxmox         | 
 +| stark_user           | 10      | 192.168.10.0/24     | Household WiFi                     | 
 +| stark_IOT            | 20      | 192.168.20.0/24     | Standard IoT devices               | 
 +| Guest                | 30      | 192.168.30.0/24     | Guest WiFi                         | 
 +| IOT+                 | 50      | 192.168.50.0/24     | WPA3-capable IoT devices           | 
 +| Torres Family Lights | 60      | 192.168.60.0/24     | FPP controllersmega-treematrix |
  
-Routing, VLANs, firewall, and DHCP are all handled on the UCG Max.+----
  
-===== VLANs ===== 
-VLAN Name VLAN ID Subnet Purpose 
-Default 1 192.168.1.0/24 Main user LAN, servers, Proxmox 
-stark_user 10 192.168.10.0/24 Household WiFi users 
-stark_IOT 20 192.168.20.0/24 Standard IoT devices 
-Guest 30 192.168.30.0/24 Guest WiFi 
-IOT+ 50 192.168.50.0/24 Special IoT requiring WPA3 
-Torres Family Lights 60 192.168.60.0/24 FPP show controllers, mega tree, matrix 
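Review bot: the VLAN table puts "Main LAN, servers, Proxmox" on VLAN 1, the default (untagged) network, and the Notes section says VLANs are trunked across the entire switch chain, so any switch port left on the default port profile carries the segment that hosts PVE1/PVE2, PBS and TrueNAS. Say in the Purpose column that VLAN 1 is also the management plane, and add a dedicated management VLAN (or at least the native-VLAN / port-profile policy) to the TorresVault 2.0 draft. The new overview bullet "Pi-hole DNS (VIP 192.168.1.5)" is useful; note in the VLAN table that the VIP sits on VLAN 1 so the later "IOT → Pi-hole" allow rules can be read against the right zone.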
 ===== WiFi Networks ===== ===== WiFi Networks =====
-SSID VLAN Band Clients Notes 
-stark_IOT 20 2.4/5 GHz ~97 IoT sensors & devices 
-stark_user 10 2.4/5 GHz ~9 Household WiFi 
-stark_IOT+ 50 2.4/5 GHz ~7 IoT WPA3-capable devices 
  
-All SSIDs are broadcast on all APs.+^ SSID           ^ VLAN ^ Band       ^ Clients ^ Notes                     ^ 
 +| stark_IOT      | 20   | 2.4/5 GHz  | ~97     | IoT sensors & automations | 
 +| stark_user     | 10   | 2.4/5 GHz  | ~9      | Household WiFi            | 
 +| stark_IOT+     | 50   | 2.4/5 GHz  | ~7      | WPA3 IoT devices          |
  
-===== Zones =====+_All SSIDs broadcast across all UniFi APs._
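Review bot: the WiFi table has no security-mode column, yet the only stated reason VLAN 50 / stark_IOT+ exists is WPA3 capability. Add a column with the auth mode per SSID (WPA2-PSK vs WPA3-SAE, and the PMF setting) so a reader can tell whether stark_IOT on VLAN 20 is WPA2-only and whether stark_user is WPA3 or mixed mode. The SSID is also named stark_IOT+ here but the network is named IOT+ in the VLAN table; use one label.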
  
-Zones simplify firewall rule groups:+----
  
-Zone VLANs / Networks +===== Zones =====
-Internal — +
-External WAN1, WAN2 +
-Gateway UCG Max +
-VPN WireGuard +
-Hotspot VLAN 30 +
-DMZ — +
-User VLAN 1, 10, 60 +
-IOT VLAN 20, 50 +
-===== Firewall Policy Summary =====+
  
-Below is the condensed rule layout (no screenshotsno clutter). +^ Zone     ^ VLANs / Networks                          ^ 
-This reflects your exact UniFi rulesetorganized logically.+| Internal | —                                         | 
 +| External | WAN1, WAN2                                | 
 +| Gateway  | UCG Max                                   | 
 +| VPN      | WireGuard                                 | 
 +| Hotspot  | VLAN 30                                   | 
 +| DMZ      | —                                         | 
 +| User     | VLAN 1, 1060                            | 
 +| IOT      | VLAN 2050                               |
  
-=== Home Assistant Rules ===+----
  
-Home Assistant lives on the IOT VLAN (20) and needs access across the network.+===== Firewall Policy Summary =====
  
-Allow Rules:+Below is the simplified rule layout (no screenshots), reflecting your exact rule logic as built inside UniFi.
  
-IOT → User (HA → Proxmox)+---
  
-IOT → User (HA → FPP 192.168.60.55)+==== Home Assistant Rules ====
  
-IOT → Internal (HA → Grafana 192.168.1.77)+**Home Assistant lives on the IoT VLAN (20)** and needs access across the entire network.
  
-IOT → User (HA → Pi-hole for DNS)+**Allow** 
 +  * IOT → User (HA → Proxmox) 
 +  * IOT → User (HA → FPP 192.168.60.55) 
 +  * IOT → Internal (HA → Grafana 192.168.1.77) 
 +  * IOT → User (HA → Pi-hole DNS
 +  * IOT → User (HA → Printer 192.168.10.185)
  
-IOT → User (HA → Printer 192.168.10.185)+**Return** 
 +  * HA → FPP (Return) 
 +  * HA → Pi-hole (Return) 
 +  * HA → Grafana (Return)
  
-Return Rules:+**Purpose:**   
 +Allow HA to control everything while keeping it isolated from general user devices.
  
-HA → FPP (Return)+---
  
-HA → Pi-hole (Return)+==== NGINX Proxy Manager (NPMRules ====
  
-HA → Grafana (Return)+**Allow** 
 +  * Internal → External (NPM → Nextcloud 192.168.1.150) 
 +  * IOT → User (NPM → Nextcloud_IOT) 
 +  * Internal → Internal (NPM → Pi-hole)
  
-Purpose: +**Return** 
-Let HA manage everything while remaining isolated from general user traffic.+  * NPM → Internal (Return) 
 +  * NPM → Nextcloud_IOT (Return)
  
-=== NPM (Reverse Proxy) Rules ===+**Purpose:**   
 +Expose only public services, keep all internal traffic local.
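Review bot: the zone names used in the rule descriptions do not match the Zones table. The table lists Internal and DMZ as empty ("—") and places VLAN 1 in the User zone, but "IOT → Internal (HA → Grafana 192.168.1.77)", "Internal → Internal (NPM → Pi-hole)" and "Internal → External (NPM → Nextcloud 192.168.1.150)" describe 192.168.1.x hosts as Internal, and the last one labels a LAN address as External. If Grafana, Pi-hole and Nextcloud are on VLAN 1 these are User-zone rules (or the Zones table is missing the Internal membership); fix either the labels or the table, otherwise anyone recreating the ruleset will bind the policies to the wrong zone pair. Nextcloud's address is inconsistent as well: 192.168.1.150 here, while next.torresvault.com resolves to 192.168.1.75 in the Local DNS table and 192.168.1.150 is the target of the TrueNAS and Proxmox port forwards.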
  
-Allow Rules:+---
  
-Internal → External (NPM → Nextcloud 192.168.1.150)+==== IoT Isolation Rules ====
  
-IOT → User (NPM → Nextcloud_IOT)+**Allow** 
 +  * IOT → Gateway (DHCP) 
 +  * IOT → Gateway (DNS) 
 +  * IOT → Pi-hole 
 +  * HA → Printer 
 +  * Printer → HA
  
-Internal → Internal (NPM → Pi-hole)+**Block** 
 +  * IOT → User 
 +  * IOT → IOT 
 +  * IOT → External
  
-Return Rules:+**Return** 
 +  * allow IOT → IOT (Return)
  
-NPM → Internal (Return)+**Purpose:**   
 +Strong segmentation with precise allowed paths for Home Assistant.
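Review bot: "Block IOT → IOT" followed by "allow IOT → IOT (Return)" is contradictory as written. UniFi's zone firewall is stateful and an allow policy already admits its own return traffic, while a blocked flow has no return traffic to allow. State what the block is for (isolating VLAN 20 from VLAN 50, or client isolation inside a VLAN) and drop the return entry, or, if HA on VLAN 20 must reach the WPA3 devices on VLAN 50, list that allow explicitly above the block. "Block IOT → External" also removes internet access from every IoT device unless an earlier allow matches; say whether that is intended and where the exceptions live. "HA → Printer" / "Printer → HA" duplicates the Home Assistant section, and since the printer (192.168.10.185) is on VLAN 10, "Printer → HA" is really a User → IOT rule and belongs under that zone pair.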
  
-NPM → Nextcloud IOT (Return)+---
  
-Purpose: +==== VPN Rules ====
-Expose only what needs to be public, everything else stays internal.+
  
-=== IoT Isolation Rules ===+WireGuard provides **trusted admin remote access**.
  
-IoT must be isolated from user devices.+**Allow** 
 +  * VPN → User 
 +  * VPN → IOT 
 +  * VPN → Gateway 
 +  * VPN → Any 
 +  * Allow all return traffic
  
-Allow Rules:+**Purpose:**   
 +Full-access VPN strictly for administrator use.
  
-IOT → Gateway (DHCP)+---
  
-IOT → Gateway (DNS)+===== Port Forward Rules (WAN → LAN=====
  
-IOT → Pi-hole+^ Forward Name       ^ WAN → LAN                    ^ Purpose               ^ 
 +| Nathan_Jump RDP    | 3389 → 192.168.1.189          | Remote desktop        | 
 +| SCP → Jellyfin     | 22 → 192.168.1.86             | Media server admin    | 
 +| TrueNAS            | 443 → 192.168.1.150           | Storage management    | 
 +| Proxmox            | 8006 → 192.168.1.150          | PVE dashboard         | 
 +| torresvault.com    | 80/443 → 192.168.1.99         | Main landing page     |
  
-HA → Printer+All other public services run through NPM → local services.
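Review bot: the port forward table contradicts the "minimal public exposure" intent and the WireGuard section. 3389 → 192.168.1.189 (RDP), 22 → 192.168.1.86 (SSH/SCP), 443 → 192.168.1.150 (TrueNAS) and 8006 → 192.168.1.150 (Proxmox) expose administrative interfaces on the server VLAN directly from the WAN, while the VPN rules already grant "VPN → Any" for admin use. Remove those four forwards and reach the services over WireGuard only, leaving 80/443 → 192.168.1.99 (NPM) as the single published entry point; if one must stay, document the source-IP restriction on it and whether it is active on WAN2 during failover (the Notes section says WAN2 is backup). The table also maps both 443 and 8006 to 192.168.1.150 while the NPM rules call 192.168.1.150 Nextcloud; confirm which host that address is.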
  
-Printer → HA +----
- +
-Block Rules: +
- +
-Block IOT → User +
- +
-Block IOT → IOT +
- +
-Block IOT → External +
- +
-Return Rules: +
- +
-allow IOT → IOT (Return) +
- +
-Purpose: +
-Strong segmentation with controlled exceptions. +
- +
-=== VPN Rules === +
- +
-WireGuard is part of the trusted admin plane. +
- +
-Rules: +
- +
-Allow VPN → User +
- +
-Allow VPN → IOT +
- +
-Allow VPN → Gateway +
- +
-Allow VPN → Any +
- +
-Allow Return Traffic +
- +
-Purpose: +
-Secure remote access with full trusted privileges. +
- +
-=== Port Forward Rules (WAN → LAN) === +
-Forward WAN → LAN Purpose +
-RDP Nathan_Jump 3389 → 192.168.1.189 Remote desktop +
-SCP → Jellyfin 22 → 192.168.1.86 Media server access +
-TrueNAS 443 → 192.168.1.150 Storage admin +
-Proxmox 8006 → 192.168.1.150 PVE dashboard +
-torresvault.com 80/443 → 192.168.1.99 Main landing page server +
-Purpose: +
-Minimal public exposure, everything else internal behind NPM.+
  
 ===== Switch Topology ===== ===== Switch Topology =====
  
-The UniFi switch stack includes:+The UniFi switching stack includes:
  
-UCG Max+  * **UCG Max** 
 +  * **USW-Lite-8-PoE** 
 +  * **USW Flex** 
 +  * **USW Flex 2.5G** 
 +  * **UDB Switch** 
 +  * Multiple UniFi APs
  
-USW-Lite-8-PoE 
  
-USW Flex+----
  
-USW Flex 2.5G+===== Local DNS =====
  
-UDB Switch+DNS is served by Pi-hole 1 & 2 via VIP: **192.168.1.5**
  
-Multiple APs+^ Domain                    ^ IP Address        ^ 
 +| ha.torresvault.com        | 192.168.20.149    | 
 +| hatest.torresvault.com    | 192.168.20.150    | 
 +| in.torresvault.com        | 192.168.1.27      | 
 +| jellyfin.torresvault.com  | 192.168.1.86      | 
 +| matrix.torresvault.com    | 192.168.60.56     | 
 +| megatree.torresvault.com  | 192.168.60.55     | 
 +| monitor.torresvault.com   | 192.168.1.77      | 
 +| next.torresvault.com      | 192.168.1.75      | 
 +| npm.torresvault.com       | 192.168.1.99      | 
 +| pbs.torresvault.com       | 192.168.1.252     |
  
-Network Path Summary +----
-Ting Fiber → UCG Max → (Core Switches) → APs / Servers / IoT / FPP+
  
-Core Layout (Simplified) 
-UCG Max 
- ├── Pi-hole 1 (5124) 
- ├── Pi-hole 2 (38:de) 
- ├── USW Flex → APs → Flex 2.5G → Controllers 
- ├── USW-Lite-8-POE → Hallway AP → UDB → Proxmox / TrueNAS / NPM / Jellyfin 
- └── UDB Switch → servers, FPP network, Nextcloud, etc. 
- 
- 
-All switches trunk all VLANs. 
- 
-===== Local DNS ===== 
- 
-All DNS is served by Pi-hole 1 & 2 with VIP: 192.168.1.5 
- 
-Domain IP 
-ha.torresvault.com 192.168.20.149 
-hatest.torresvault.com 192.168.20.150 
-in.torresvault.com 192.168.1.27 
-jellyfin.torresvault.com 192.168.1.86 
-matrix.torresvault.com 192.168.60.56 
-megatree.torresvault.com 192.168.60.55 
-monitor.torresvault.com 192.168.1.77 
-next.torresvault.com 192.168.1.75 
-npm.torresvault.com 192.168.1.99 
-pbs.torresvault.com 192.168.1.252 
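Review bot: this revision drops the "Network Path Summary", the Core Layout tree (UCG Max → Pi-hole 1/2, USW Flex → APs → Flex 2.5G → Controllers, USW-Lite-8-POE → Hallway AP → UDB → Proxmox / TrueNAS / NPM / Jellyfin) and the line "All switches trunk all VLANs", leaving only a flat device list. That tree was the only description of which uplinks carry which segments; keep it (even marked as draft) or replace it with a port/uplink table. In the Local DNS table, ha.torresvault.com (192.168.20.149) and hatest.torresvault.com (192.168.20.150) resolve into the IoT VLAN; with "Block IOT → User" in place, the User → IOT allow that lets household clients reach the HA UI is not listed anywhere in the firewall summary and should be documented next to the IoT isolation rules.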
 ===== Notes ===== ===== Notes =====
  
-All APs use PoE+  * All APs use PoE   
 +  * Multiple PoE switches support HA, Pi-hole, APs, FPP network   
 +  * VLANs trunked across entire switch chain   
 +  * Full IoT segmentation enforced   
 +  * WAN failover enabled (WAN1 active, WAN2 backup)  
  
-Multiple PoE switches support HA, Pi-hole, APs, and the FPP network +----
- +
-VLANs trunked everywhere +
- +
-IoT segmentation fully enforced +
- +
-WAN failover assigned (WAN1 active, WAN2 spare)+
  
 ===== Future TorresVault 2.0 (Draft) ===== ===== Future TorresVault 2.0 (Draft) =====
  
-Replace PVE1 & PVE2 with Mini-PC nodes (lower power, more performance) +  * Replace PVE1 & PVE2 with Mini-PC nodes   
- +  Run Kubernetes inside PVE VMs   
-Run Kubernetes inside PVE VMs +  Move selected VMs → K8s deployments   
- +  Expand HA integrations   
-Move select VMs → K8s deployments +  Add full UPS + NUT monitoring   
- +  * Add Loki for aggregated network logs   
-Expand HA integrations +  * Expand VLAN segmentation (per-room IoT)   
- +  * Move toward Zero Trust network model  
-Add full UPS + NUT monitoring across racks +
- +
-Grafana Loki for aggregated network logs+
  
-Expand VLAN segmentation for per-room IoT 
  
-Move toward Zero Trust network model 
  
network/unifi.1769209952.txt.gz · Last modified: by nathna