📡 TorresVault UniFi Network

This page documents the full UniFi network configuration powering the entire TorresVault ecosystem, including VLANs, WiFi, firewall zoning, routing, DNS, and switch topology.

This serves as the official reference for configuration, troubleshooting, and future expansion.

The TorresVault network, managed by the UniFi UCG Max, connects and coordinates:

• Proxmox cluster (PVE1 & PVE2)
• Proxmox Backup Server (PBS)
• TrueNAS (backup storage)
• Home Assistant + IoT ecosystem
• FPP Light Show network
• Pi-hole DNS (VIP 192.168.1.5)
• Local services

(NPM, Grafana, Prometheus, Nextcloud, Jellyfin, etc.)

Routing, VLANs, firewall, DHCP, and VPN are all handled on the UCG Max.

_All SSIDs broadcast across all UniFi APs._

Below is the simplified rule layout (no screenshots), reflecting your exact rule logic as built inside UniFi.

—

Home Assistant lives on the IoT VLAN (20) and needs access across the entire network.

Allow

• IOT → User (HA → Proxmox)
• IOT → User (HA → FPP 192.168.60.55)
• IOT → Internal (HA → Grafana 192.168.1.77)
• IOT → User (HA → Pi-hole DNS)
• IOT → User (HA → Printer 192.168.10.185)

Return

• HA → FPP (Return)
• HA → Pi-hole (Return)
• HA → Grafana (Return)

Purpose: Allow HA to control everything while keeping it isolated from general user devices.

—

Allow

• Internal → External (NPM → Nextcloud 192.168.1.150)
• IOT → User (NPM → Nextcloud_IOT)
• Internal → Internal (NPM → Pi-hole)

Return

• NPM → Internal (Return)
• NPM → Nextcloud_IOT (Return)

Purpose: Expose only public services, keep all internal traffic local.

—

Allow

• IOT → Gateway (DHCP)
• IOT → Gateway (DNS)
• IOT → Pi-hole
• HA → Printer
• Printer → HA

Block

• IOT → User
• IOT → IOT
• IOT → External

Return

• allow IOT → IOT (Return)

Purpose: Strong segmentation with precise allowed paths for Home Assistant.

—

WireGuard provides trusted admin remote access.

Allow

• VPN → User
• VPN → IOT
• VPN → Gateway
• VPN → Any
• Allow all return traffic

Purpose: Full-access VPN strictly for administrator use.

—

All other public services run through NPM → local services.

The UniFi switching stack includes:

• UCG Max
• USW-Lite-8-PoE
• USW Flex
• USW Flex 2.5G
• UDB Switch
• Multiple UniFi APs

DNS is served by Pi-hole 1 & 2 via VIP: 192.168.1.5

• All APs use PoE
• Multiple PoE switches support HA, Pi-hole, APs, FPP network
• VLANs trunked across entire switch chain
• Full IoT segmentation enforced
• WAN failover enabled (WAN1 active, WAN2 backup)

• Replace PVE1 & PVE2 with Mini-PC nodes
• Run Kubernetes inside PVE VMs
• Move selected VMs → K8s deployments
• Expand HA integrations
• Add full UPS + NUT monitoring
• Add Loki for aggregated network logs
• Expand VLAN segmentation (per-room IoT)
• Move toward Zero Trust network model