====== 📡 TorresVault UniFi Network ======

This page documents the full UniFi network configuration that powers the entire TorresVault environment, including VLANs, WiFi, zones, firewall rules, switch topology, and DNS structure. It serves as the official reference for configuration, troubleshooting, and future expansion.

===== Overview =====

The TorresVault network, managed by the UniFi UCG Max, connects:

  * Proxmox cluster (PVE1 & PVE2)
  * Proxmox Backup Server (PBS)
  * TrueNAS (backup storage)
  * Home Assistant + IoT ecosystem
  * FPP light show network
  * Pi-hole DNS
  * Local services (NPM, Grafana, Prometheus, Nextcloud, Jellyfin, etc.)

Routing, VLANs, firewall, and DHCP are all handled on the UCG Max.

===== VLANs =====

^ VLAN Name ^ VLAN ID ^ Subnet ^ Purpose ^
| Default | 1 | 192.168.1.0/24 | Main user LAN, servers, Proxmox |
| stark_user | 10 | 192.168.10.0/24 | Household WiFi users |
| stark_IOT | 20 | 192.168.20.0/24 | Standard IoT devices |
| Guest | 30 | 192.168.30.0/24 | Guest WiFi |
| IOT+ | 50 | 192.168.50.0/24 | Special IoT requiring WPA3 |
| Torres Family Lights | 60 | 192.168.60.0/24 | FPP show controllers, mega tree, matrix |

===== WiFi Networks =====

^ SSID ^ VLAN ^ Band ^ Clients ^ Notes ^
| stark_IOT | 20 | 2.4/5 GHz | ~97 | IoT sensors & devices |
| stark_user | 10 | 2.4/5 GHz | ~9 | Household WiFi |
| stark_IOT+ | 50 | 2.4/5 GHz | ~7 | IoT WPA3-capable devices |

All SSIDs are broadcast on all APs.

===== Zones =====

Zones group VLANs and networks so that firewall rules can be written once per zone pair instead of once per VLAN:

^ Zone ^ VLANs / Networks ^
| Internal | — |
| External | WAN1, WAN2 |
| Gateway | UCG Max |
| VPN | WireGuard |
| Hotspot | VLAN 30 |
| DMZ | — |
| User | VLAN 1, 10, 60 |
| IOT | VLAN 20, 50 |

===== Firewall Policy Summary =====

Below is the condensed rule layout (no screenshots, no clutter). It reflects the exact UniFi ruleset, organized logically.

=== Home Assistant Rules ===

Home Assistant lives on the IOT VLAN (20) and needs access across the network.
Allow Rules:

  * IOT → User (HA → Proxmox)
  * IOT → User (HA → FPP 192.168.60.55)
  * IOT → Internal (HA → Grafana 192.168.1.77)
  * IOT → User (HA → Pi-hole for DNS)
  * IOT → User (HA → Printer 192.168.10.185)

Return Rules:

  * HA → FPP (Return)
  * HA → Pi-hole (Return)
  * HA → Grafana (Return)

Purpose: Let HA manage everything while remaining isolated from general user traffic.

=== NPM (Reverse Proxy) Rules ===

Allow Rules:

  * Internal → External (NPM → Nextcloud 192.168.1.150)
  * IOT → User (NPM → Nextcloud_IOT)
  * Internal → Internal (NPM → Pi-hole)

Return Rules:

  * NPM → Internal (Return)
  * NPM → Nextcloud IOT (Return)

Purpose: Expose only what needs to be public; everything else stays internal.

=== IoT Isolation Rules ===

IoT must be isolated from user devices.

Allow Rules:

  * IOT → Gateway (DHCP)
  * IOT → Gateway (DNS)
  * IOT → Pi-hole
  * HA → Printer
  * Printer → HA

Block Rules:

  * Block IOT → User
  * Block IOT → IOT
  * Block IOT → External

Return Rules:

  * Allow IOT → IOT (Return)

Purpose: Strong segmentation with controlled exceptions.

=== VPN Rules ===

WireGuard is part of the trusted admin plane.

Rules:

  * Allow VPN → User
  * Allow VPN → IOT
  * Allow VPN → Gateway
  * Allow VPN → Any
  * Allow Return Traffic

Purpose: Secure remote access with full trusted privileges.

=== Port Forward Rules (WAN → LAN) ===

^ Forward ^ WAN → LAN ^ Purpose ^
| RDP Nathan_Jump | 3389 → 192.168.1.189 | Remote desktop |
| SCP → Jellyfin | 22 → 192.168.1.86 | Media server access |
| TrueNAS | 443 → 192.168.1.150 | Storage admin |
| Proxmox | 8006 → 192.168.1.150 | PVE dashboard |
| torresvault.com | 80/443 → 192.168.1.99 | Main landing page server |

Purpose: Minimal public exposure; everything else stays internal behind NPM.
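The Home Assistant, IoT Isolation and VPN rules above are first-match rules between zones, with the HA-specific allows placed ahead of the blanket IOT blocks. The following script is an added example (not part of this page and not UniFi's own evaluation engine) that transcribes those rules into a simplified first-match model so the segmentation intent can be checked against sample flows before touching the controller. The VLAN subnets, zone membership and host addresses come from the tables above; the WireGuard tunnel range ''10.255.0.0/24'', the UCG Max answering on ''.1'' of every VLAN, the ports on the HA rules, and a deny-by-default policy for unmatched flows are assumptions because the page does not state them.

```python
"""Simplified first-match model of the TorresVault zone-based firewall.

Added example, not UniFi's evaluation engine: the rule list is transcribed
from the Home Assistant, IoT Isolation and VPN sections of the page, and the
model is used to check that segmentation intent holds for sample flows.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# VLAN subnets from the VLANs table.
VLANS = {
    1: ip_network("192.168.1.0/24"),
    10: ip_network("192.168.10.0/24"),
    20: ip_network("192.168.20.0/24"),
    30: ip_network("192.168.30.0/24"),
    50: ip_network("192.168.50.0/24"),
    60: ip_network("192.168.60.0/24"),
}
# Zone membership from the Zones table.
ZONE_VLANS = {"User": (1, 10, 60), "IOT": (20, 50), "Hotspot": (30,)}
# Assumptions not stated on the page: the WireGuard tunnel range, and that
# the UCG Max is the .1 address on every VLAN.
VPN_NET = ip_network("10.255.0.0/24")
GATEWAY_IPS = {net[1] for net in VLANS.values()}

# Hosts named in the rules, port-forward table and DNS table.
HA = "192.168.20.149"
PIHOLE = "192.168.1.5"
GRAFANA = "192.168.1.77"
FPP = "192.168.60.55"
PRINTER = "192.168.10.185"
PROXMOX = "192.168.1.150"


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the VLANs is External."""
    addr = ip_address(ip)
    if addr in GATEWAY_IPS:
        return "Gateway"
    if addr in VPN_NET:
        return "VPN"
    for zone, vlan_ids in ZONE_VLANS.items():
        if any(addr in VLANS[v] for v in vlan_ids):
            return zone
    return "External"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                     # zone name, "Any", or a single host address
    dst: str
    action: str                  # "allow" or "block"
    port: Optional[int] = None   # None matches every destination port


ZONE_NAMES = set(ZONE_VLANS) | {"Gateway", "VPN", "External"}


def _selector_matches(selector: str, ip: str) -> bool:
    if selector == "Any":
        return True
    if selector in ZONE_NAMES:
        return zone_of(ip) == selector
    return ip_address(selector) == ip_address(ip)


# Ordered as on the page: specific allows first, then the IoT blocks, then VPN.
# Ports on the HA rules are assumptions (8006 from the port-forward table).
RULES = [
    Rule("HA -> Proxmox", HA, PROXMOX, "allow", 8006),
    Rule("HA -> FPP", HA, FPP, "allow"),
    Rule("HA -> Grafana", HA, GRAFANA, "allow"),
    Rule("HA -> Pi-hole DNS", HA, PIHOLE, "allow", 53),
    Rule("HA -> Printer", HA, PRINTER, "allow"),
    Rule("IOT -> Gateway DHCP", "IOT", "Gateway", "allow", 67),
    Rule("IOT -> Gateway DNS", "IOT", "Gateway", "allow", 53),
    Rule("IOT -> Pi-hole", "IOT", PIHOLE, "allow", 53),
    Rule("Printer -> HA", PRINTER, HA, "allow"),
    Rule("Block IOT -> User", "IOT", "User", "block"),
    Rule("Block IOT -> IOT", "IOT", "IOT", "block"),
    Rule("Block IOT -> External", "IOT", "External", "block"),
    Rule("VPN -> Any", "VPN", "Any", "allow"),
]


def evaluate(src: str, dst: str, port: int, default: str = "block") -> Tuple[str, str]:
    """Return (action, rule name) for the first rule matching the initiating flow.

    The page's "Return" rules are the stateful reply path and are implied by a
    matching allow here. The default for unmatched flows is an assumption.
    """
    for rule in RULES:
        if (_selector_matches(rule.src, src)
                and _selector_matches(rule.dst, dst)
                and rule.port in (None, port)):
            return rule.action, rule.name
    return default, "default policy"


if __name__ == "__main__":
    samples = [(HA, FPP, 80), (HA, PRINTER, 9100), ("192.168.20.50", PRINTER, 9100),
               ("192.168.20.50", "192.168.20.1", 53), ("192.168.20.50", "8.8.8.8", 443),
               ("10.255.0.2", PROXMOX, 8006)]
    for s, d, p in samples:
        action, name = evaluate(s, d, p)
        print(f"{s:>15} -> {d:<15}:{p:<5} {action:<5} ({name})")
```

Running it shows the two flows the page singles out: HA reaching the printer is allowed by the named exception, while any other IoT host sending to the same printer falls through to ''Block IOT → User''. Re-ordering ''RULES'' so a block precedes the HA allows makes those flows fail, which is the ordering mistake the model is meant to catch.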
===== Switch Topology =====

The UniFi switch stack includes:

  * UCG Max
  * USW-Lite-8-PoE
  * USW Flex
  * USW Flex 2.5G
  * UDB Switch
  * Multiple APs

=== Network Path Summary ===

Ting Fiber → UCG Max → (Core Switches) → APs / Servers / IoT / FPP

=== Core Layout (Simplified) ===

<code>
UCG Max
├── Pi-hole 1 (5124)
├── Pi-hole 2 (38:de)
├── USW Flex → APs → Flex 2.5G → Controllers
├── USW-Lite-8-POE → Hallway AP → UDB → Proxmox / TrueNAS / NPM / Jellyfin
└── UDB Switch → servers, FPP network, Nextcloud, etc.
</code>

All switches trunk all VLANs.

===== Local DNS =====

All DNS is served by Pi-hole 1 & 2 behind the VIP 192.168.1.5:

^ Domain ^ IP ^
| ha.torresvault.com | 192.168.20.149 |
| hatest.torresvault.com | 192.168.20.150 |
| in.torresvault.com | 192.168.1.27 |
| jellyfin.torresvault.com | 192.168.1.86 |
| matrix.torresvault.com | 192.168.60.56 |
| megatree.torresvault.com | 192.168.60.55 |
| monitor.torresvault.com | 192.168.1.77 |
| next.torresvault.com | 192.168.1.75 |
| npm.torresvault.com | 192.168.1.99 |
| pbs.torresvault.com | 192.168.1.252 |

===== Notes =====

  * All APs use PoE
  * Multiple PoE switches support HA, Pi-hole, APs, and the FPP network
  * VLANs trunked everywhere
  * IoT segmentation fully enforced
  * WAN failover assigned (WAN1 active, WAN2 spare)

===== Future TorresVault 2.0 (Draft) =====

  * Replace PVE1 & PVE2 with Mini-PC nodes (lower power, more performance)
  * Run Kubernetes inside PVE VMs
  * Move select VMs → K8s deployments
  * Expand HA integrations
  * Add full UPS + NUT monitoring across racks
  * Grafana Loki for aggregated network logs
  * Expand VLAN segmentation for per-room IoT
  * Move toward Zero Trust network model
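The Local DNS table is the one place that ties service names to VLANs, so a record that drifts onto an undeclared subnet (after a re-address, or a copy-paste typo) is easy to miss until a firewall rule written against the VLAN stops matching. The script below is an added example, not part of this page or of Pi-hole itself: it takes the DNS records and VLAN subnets from the tables above, groups names by the VLAN they resolve into, flags any record outside a declared VLAN, and renders the records in the ''IP hostname'' line format Pi-hole v5 reads from ''/etc/pihole/custom.list''. The ''stale.torresvault.com'' record used to show a mismatch is constructed and not on the page.

```python
"""Cross-check the Local DNS table against the VLAN table and emit Pi-hole records.

Added example, not part of the original page or of Pi-hole. Records and subnets
are transcribed from the page's Local DNS and VLANs tables.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# VLAN ID -> (name, subnet) from the VLANs table.
VLANS = {
    1: ("Default", ip_network("192.168.1.0/24")),
    10: ("stark_user", ip_network("192.168.10.0/24")),
    20: ("stark_IOT", ip_network("192.168.20.0/24")),
    30: ("Guest", ip_network("192.168.30.0/24")),
    50: ("IOT+", ip_network("192.168.50.0/24")),
    60: ("Torres Family Lights", ip_network("192.168.60.0/24")),
}

# Local DNS table from the page, served by the Pi-hole VIP 192.168.1.5.
DNS_RECORDS = {
    "ha.torresvault.com": "192.168.20.149",
    "hatest.torresvault.com": "192.168.20.150",
    "in.torresvault.com": "192.168.1.27",
    "jellyfin.torresvault.com": "192.168.1.86",
    "matrix.torresvault.com": "192.168.60.56",
    "megatree.torresvault.com": "192.168.60.55",
    "monitor.torresvault.com": "192.168.1.77",
    "next.torresvault.com": "192.168.1.75",
    "npm.torresvault.com": "192.168.1.99",
    "pbs.torresvault.com": "192.168.1.252",
}


def vlan_for(ip: str) -> Optional[int]:
    """VLAN ID whose subnet contains ip, or None if no declared VLAN does."""
    addr = ip_address(ip)
    for vlan_id, (_, net) in VLANS.items():
        if addr in net:
            return vlan_id
    return None


def audit(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Split records into those inside a declared VLAN and those outside any."""
    result: Dict[str, List[str]] = {"ok": [], "unknown_subnet": []}
    for name, ip in sorted(records.items()):
        if vlan_for(ip) is None:
            result["unknown_subnet"].append(f"{name} -> {ip}")
        else:
            result["ok"].append(name)
    return result


def hosts_per_vlan(records: Dict[str, str]) -> Dict[int, List[str]]:
    """Group record names by the VLAN their address falls in (sorted by name)."""
    grouped: Dict[int, List[str]] = {}
    for name, ip in sorted(records.items()):
        vlan_id = vlan_for(ip)
        if vlan_id is not None:
            grouped.setdefault(vlan_id, []).append(name)
    return grouped


def pihole_custom_list(records: Dict[str, str]) -> str:
    """Render records in Pi-hole v5's /etc/pihole/custom.list format: 'IP hostname'."""
    return "".join(f"{ip} {name}\n" for name, ip in sorted(records.items()))


if __name__ == "__main__":
    # Constructed stale record (not on the page) to show a mismatch being caught.
    records = dict(DNS_RECORDS, **{"stale.torresvault.com": "192.168.40.10"})
    report = audit(records)
    for vlan_id, names in sorted(hosts_per_vlan(records).items()):
        print(f"VLAN {vlan_id:>2} ({VLANS[vlan_id][0]}): {', '.join(names)}")
    for entry in report["unknown_subnet"]:
        print(f"NOT IN ANY DECLARED VLAN: {entry}")
    print(pihole_custom_list(DNS_RECORDS), end="")
```

The per-VLAN grouping doubles as a sanity check on the firewall sections: both Home Assistant names land in VLAN 20, which is what the ''Home Assistant lives on the IOT VLAN (20)'' statement and the HA allow rules depend on.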