====== 📡 TorresVault UniFi Network ======

This page documents the full UniFi network configuration powering the entire **TorresVault ecosystem**, including VLANs, WiFi, firewall zoning, routing, DNS, and switch topology. It serves as the **official reference** for configuration, troubleshooting, and future expansion.

----

===== Overview =====

The TorresVault network, managed by the **UniFi UCG Max**, connects and coordinates:

  * Proxmox cluster (PVE1 & PVE2)
  * Proxmox Backup Server (PBS)
  * TrueNAS (backup storage)
  * Home Assistant + IoT ecosystem
  * FPP Light Show network
  * Pi-hole DNS (VIP 192.168.1.5)
  * Local services (NPM, Grafana, Prometheus, Nextcloud, Jellyfin, etc.)

Routing, VLANs, firewall, DHCP, and VPN are all handled on the **UCG Max**.

----

===== VLANs =====

^ VLAN Name ^ VLAN ID ^ Subnet ^ Purpose ^
| Default | 1 | 192.168.1.0/24 | Main LAN, servers, Proxmox |
| stark_user | 10 | 192.168.10.0/24 | Household WiFi |
| stark_IOT | 20 | 192.168.20.0/24 | Standard IoT devices |
| Guest | 30 | 192.168.30.0/24 | Guest WiFi |
| IOT+ | 50 | 192.168.50.0/24 | WPA3-capable IoT devices |
| Torres Family Lights | 60 | 192.168.60.0/24 | FPP controllers, mega-tree, matrix |

----

===== WiFi Networks =====

^ SSID ^ VLAN ^ Band ^ Clients ^ Notes ^
| stark_IOT | 20 | 2.4/5 GHz | ~97 | IoT sensors & automations |
| stark_user | 10 | 2.4/5 GHz | ~9 | Household WiFi |
| stark_IOT+ | 50 | 2.4/5 GHz | ~7 | WPA3 IoT devices |

//All SSIDs broadcast across all UniFi APs.//

----

===== Zones =====

^ Zone ^ VLANs / Networks ^
| Internal | — |
| External | WAN1, WAN2 |
| Gateway | UCG Max |
| VPN | WireGuard |
| Hotspot | VLAN 30 |
| DMZ | — |
| User | VLAN 1, 10, 60 |
| IOT | VLAN 20, 50 |

----

===== Firewall Policy Summary =====

Below is the simplified rule layout (no screenshots), reflecting the rule logic exactly as built inside UniFi.

----

==== Home Assistant Rules ====

**Home Assistant lives on the IoT VLAN (20)** and needs access across the entire network.
**Allow**
  * IOT → User (HA → Proxmox)
  * IOT → User (HA → FPP 192.168.60.55)
  * IOT → Internal (HA → Grafana 192.168.1.77)
  * IOT → User (HA → Pi-hole DNS)
  * IOT → User (HA → Printer 192.168.10.185)

**Return**
  * HA → FPP (Return)
  * HA → Pi-hole (Return)
  * HA → Grafana (Return)

**Purpose:** Allow HA to control everything while keeping it isolated from general user devices.

----

==== NGINX Proxy Manager (NPM) Rules ====

**Allow**
  * Internal → External (NPM → Nextcloud 192.168.1.150)
  * IOT → User (NPM → Nextcloud_IOT)
  * Internal → Internal (NPM → Pi-hole)

**Return**
  * NPM → Internal (Return)
  * NPM → Nextcloud_IOT (Return)

**Purpose:** Expose only public services, keep all internal traffic local.

----

==== IoT Isolation Rules ====

**Allow**
  * IOT → Gateway (DHCP)
  * IOT → Gateway (DNS)
  * IOT → Pi-hole
  * HA → Printer
  * Printer → HA

**Block**
  * IOT → User
  * IOT → IOT
  * IOT → External

**Return**
  * allow IOT → IOT (Return)

**Purpose:** Strong segmentation with precise allowed paths for Home Assistant.

----

==== VPN Rules ====

WireGuard provides **trusted admin remote access**.

**Allow**
  * VPN → User
  * VPN → IOT
  * VPN → Gateway
  * VPN → Any
  * Allow all return traffic

**Purpose:** Full-access VPN strictly for administrator use.

----

===== Port Forward Rules (WAN → LAN) =====

^ Forward Name ^ WAN → LAN ^ Purpose ^
| Nathan_Jump RDP | 3389 → 192.168.1.189 | Remote desktop |
| SCP → Jellyfin | 22 → 192.168.1.86 | Media server admin |
| TrueNAS | 443 → 192.168.1.150 | Storage management |
| Proxmox | 8006 → 192.168.1.150 | PVE dashboard |
| torresvault.com | 80/443 → 192.168.1.99 | Main landing page |

All other public services run through NPM → local services.
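The Home Assistant and IoT Isolation sections above only make sense together: the host-specific allows must be evaluated before the broad IOT → User / IOT → IOT blocks, or HA loses its paths. The following added example (not part of this wiki page or of UniFi) models that ordering as a first-match policy over the page's own VLAN, Zone and DNS tables, so a planned change can be checked before touching the UCG Max. Assumptions: the gateway is the .1 address of each VLAN, Proxmox is the 192.168.1.150 host from the port-forward table, and 192.168.20.77 / 192.168.10.50 are constructed sample clients.

```python
import ipaddress

# VLAN subnets and zone membership copied from the VLANs and Zones tables.
VLAN_SUBNETS = {1: "192.168.1.0/24", 10: "192.168.10.0/24", 20: "192.168.20.0/24",
                30: "192.168.30.0/24", 50: "192.168.50.0/24", 60: "192.168.60.0/24"}
VLAN_ZONE = {1: "User", 10: "User", 60: "User", 20: "IOT", 50: "IOT", 30: "Hotspot"}
ZONES = set(VLAN_ZONE.values()) | {"Gateway", "External"}

HA = "192.168.20.149"      # ha.torresvault.com (Local DNS table)
PIHOLE = "192.168.1.5"     # Pi-hole VIP
PRINTER = "192.168.10.185"

def zone_of(ip):
    """Map an address to its UniFi zone via the VLAN subnet it falls in."""
    addr = ipaddress.ip_address(ip)
    for vlan, cidr in VLAN_SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net:
            # Assumption: the UCG Max answers on .1 of every VLAN.
            return "Gateway" if addr == net.network_address + 1 else VLAN_ZONE[vlan]
    return "External"

# Ordered rules (src, dst, action); a selector is a zone name, a host or a CIDR.
# Host-specific HA allows come first, then the IoT Isolation allows and blocks.
RULES = [
    (HA, "192.168.1.150", "allow"),   # HA -> Proxmox (IP from port-forward table)
    (HA, "192.168.60.55", "allow"),   # HA -> FPP
    (HA, "192.168.1.77", "allow"),    # HA -> Grafana
    (HA, PIHOLE, "allow"),            # HA -> Pi-hole DNS
    (HA, PRINTER, "allow"),           # HA -> Printer
    (PRINTER, HA, "allow"),           # Printer -> HA
    ("IOT", "Gateway", "allow"),      # DHCP / DNS to the UCG Max
    ("IOT", PIHOLE, "allow"),
    ("IOT", "User", "block"),
    ("IOT", "IOT", "block"),
    ("IOT", "External", "block"),
]

def matches(selector, ip):
    if selector in ZONES:
        return zone_of(ip) == selector
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)

def decide(src, dst):
    """First matching rule wins; flows no rule covers are reported as 'unmatched'."""
    for s, d, action in RULES:
        if matches(s, src) and matches(d, dst):
            return action
    return "unmatched"
```

Swapping the block rules ahead of the HA allows in `RULES` makes `decide(HA, "192.168.60.55")` return "block", which is the misordering this model is meant to catch.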
----

===== Switch Topology =====

The UniFi switching stack includes:

  * **UCG Max**
  * **USW-Lite-8-PoE**
  * **USW Flex**
  * **USW Flex 2.5G**
  * **UDB Switch**
  * Multiple UniFi APs

----

===== Local DNS =====

DNS is served by Pi-hole 1 & 2 via VIP: **192.168.1.5**

^ Domain ^ IP Address ^
| ha.torresvault.com | 192.168.20.149 |
| hatest.torresvault.com | 192.168.20.150 |
| in.torresvault.com | 192.168.1.27 |
| jellyfin.torresvault.com | 192.168.1.86 |
| matrix.torresvault.com | 192.168.60.56 |
| megatree.torresvault.com | 192.168.60.55 |
| monitor.torresvault.com | 192.168.1.77 |
| next.torresvault.com | 192.168.1.75 |
| npm.torresvault.com | 192.168.1.99 |
| pbs.torresvault.com | 192.168.1.252 |

----

===== Notes =====

  * All APs use PoE
  * Multiple PoE switches support HA, Pi-hole, APs, FPP network
  * VLANs trunked across entire switch chain
  * Full IoT segmentation enforced
  * WAN failover enabled (WAN1 active, WAN2 backup)

----

===== Future TorresVault 2.0 (Draft) =====

  * Replace PVE1 & PVE2 with Mini-PC nodes
  * Run Kubernetes inside PVE VMs
  * Move selected VMs → K8s deployments
  * Expand HA integrations
  * Add full UPS + NUT monitoring
  * Add Loki for aggregated network logs
  * Expand VLAN segmentation (per-room IoT)
  * Move toward Zero Trust network model