Differences

This shows you the differences between two versions of the page.

--- torresvault:network:unifi [2026/01/23 13:37] – created nathna
+++ torresvault:network:unifi [2026/01/23 14:53] (current) – nathna
@@ Line 1: / Line 1: @@
-===== UniFi Network =====
+📡 TorresVault UniFi Network
-Full documentation for VLANs, APs, switches, UCG Max, firewall rules, and client layout.
+This page documents the full UniFi network configuration that powers the entire TorresVault environment — including VLANs, WiFi, zones, firewall rules, switch topology, and DNS structure.
+This serves as the official reference for configuration, troubleshooting, and future expansion.
+===== Overview =====
+The TorresVault network, managed by the UniFi UCG Max, connects:
+Proxmox cluster (PVE1 & PVE2)
+Proxmox Backup Server (PBS)
+TrueNAS (Backup storage)
+Home Assistant + IoT ecosystem
+FPP Light Show network
+Pi-hole DNS
+Local services (NPM, Grafana, Prometheus, Nextcloud, Jellyfin, etc.)
+Routing, VLANs, firewall, and DHCP are all handled on the UCG Max.
+===== VLANs =====
+VLAN Name	VLAN ID	Subnet	Purpose
+Default	1	192.168.1.0/24	Main user LAN, servers, Proxmox
+stark_user	10	192.168.10.0/24	Household WiFi users
+stark_IOT	20	192.168.20.0/24	Standard IoT devices
+Guest	30	192.168.30.0/24	Guest WiFi
+IOT+	50	192.168.50.0/24	Special IoT requiring WPA3
+Torres Family Lights	60	192.168.60.0/24	FPP show controllers, mega tree, matrix
+===== WiFi Networks =====
+SSID	VLAN	Band	Clients	Notes
+stark_IOT	20	2.4/5 GHz	~97	IoT sensors & devices
+stark_user	10	2.4/5 GHz	~9	Household WiFi
+stark_IOT+	50	2.4/5 GHz	~7	IoT WPA3-capable devices
+All SSIDs are broadcast on all APs.
+===== Zones =====
+Zones simplify firewall rule groups:
+Zone	VLANs / Networks
+Internal	—
+External	WAN1, WAN2
+Gateway	UCG Max
+VPN	WireGuard
+Hotspot	VLAN 30
+DMZ	—
+User	VLAN 1, 10, 60
+IOT	VLAN 20, 50
+===== Firewall Policy Summary =====
+Below is the condensed rule layout (no screenshots, no clutter).
+This reflects your exact UniFi ruleset, organized logically.
+=== Home Assistant Rules ===
+Home Assistant lives on the IOT VLAN (20) and needs access across the network.
+Allow Rules:
+IOT → User (HA → Proxmox)
+IOT → User (HA → FPP 192.168.60.55)
+IOT → Internal (HA → Grafana 192.168.1.77)
+IOT → User (HA → Pi-hole for DNS)
+IOT → User (HA → Printer 192.168.10.185)
+Return Rules:
+HA → FPP (Return)
+HA → Pi-hole (Return)
+HA → Grafana (Return)
+Purpose:
+Let HA manage everything while remaining isolated from general user traffic.
+=== NPM (Reverse Proxy) Rules ===
+Allow Rules:
+Internal → External (NPM → Nextcloud 192.168.1.150)
+IOT → User (NPM → Nextcloud_IOT)
+Internal → Internal (NPM → Pi-hole)
+Return Rules:
+NPM → Internal (Return)
+NPM → Nextcloud IOT (Return)
+Purpose:
+Expose only what needs to be public, everything else stays internal.
+=== IoT Isolation Rules ===
+IoT must be isolated from user devices.
+Allow Rules:
+IOT → Gateway (DHCP)
+IOT → Gateway (DNS)
+IOT → Pi-hole
+HA → Printer
+Printer → HA
+Block Rules:
+Block IOT → User
+Block IOT → IOT
+Block IOT → External
+Return Rules:
+allow IOT → IOT (Return)
+Purpose:
+Strong segmentation with controlled exceptions.
+=== VPN Rules ===
+WireGuard is part of the trusted admin plane.
+Rules:
+Allow VPN → User
+Allow VPN → IOT
+Allow VPN → Gateway
+Allow VPN → Any
+Allow Return Traffic
+Purpose:
+Secure remote access with full trusted privileges.
+=== Port Forward Rules (WAN → LAN) ===
+Forward	WAN → LAN	Purpose
+RDP Nathan_Jump	3389 → 192.168.1.189	Remote desktop
+SCP → Jellyfin	22 → 192.168.1.86	Media server access
+TrueNAS	443 → 192.168.1.150	Storage admin
+Proxmox	8006 → 192.168.1.150	PVE dashboard
+torresvault.com	80/443 → 192.168.1.99	Main landing page server
+Purpose:
+Minimal public exposure, everything else internal behind NPM.
+===== Switch Topology =====
+The UniFi switch stack includes:
+UCG Max
+USW-Lite-8-PoE
+USW Flex
+USW Flex 2.5G
+UDB Switch
+Multiple APs
+Network Path Summary
+Ting Fiber → UCG Max → (Core Switches) → APs / Servers / IoT / FPP
+Core Layout (Simplified)
+UCG Max
+ ├── Pi-hole 1 (5124)
+ ├── Pi-hole 2 (38:de)
+ ├── USW Flex → APs → Flex 2.5G → Controllers
+ ├── USW-Lite-8-POE → Hallway AP → UDB → Proxmox / TrueNAS / NPM / Jellyfin
+ └── UDB Switch → servers, FPP network, Nextcloud, etc.
+All switches trunk all VLANs.
+===== Local DNS =====
+All DNS is served by Pi-hole 1 & 2 with VIP: 192.168.1.5
+Domain	IP
+ha.torresvault.com	192.168.20.149
+hatest.torresvault.com	192.168.20.150
+in.torresvault.com	192.168.1.27
+jellyfin.torresvault.com	192.168.1.86
+matrix.torresvault.com	192.168.60.56
+megatree.torresvault.com	192.168.60.55
+monitor.torresvault.com	192.168.1.77
+next.torresvault.com	192.168.1.75
+npm.torresvault.com	192.168.1.99
+pbs.torresvault.com	192.168.1.252
+===== Notes =====
+All APs use PoE
+Multiple PoE switches support HA, Pi-hole, APs, and the FPP network
+VLANs trunked everywhere
+IoT segmentation fully enforced
+WAN failover assigned (WAN1 active, WAN2 spare)
+===== Future TorresVault 2.0 (Draft) =====
+Replace PVE1 & PVE2 with Mini-PC nodes (lower power, more performance)
+Run Kubernetes inside PVE VMs
+Move select VMs → K8s deployments
+Expand HA integrations
+Add full UPS + NUT monitoring across racks
+Grafana Loki for aggregated network logs
+Expand VLAN segmentation for per-room IoT
+Move toward Zero Trust network model