# TorresVault UniFi Network
This page documents the full UniFi network configuration powering the entire TorresVault ecosystem, including VLANs, WiFi, firewall zoning, routing, DNS, and switch topology.
This serves as the official reference for configuration, troubleshooting, and future expansion.
## Overview
The TorresVault network, managed by the UniFi UCG Max, connects and coordinates:
- Proxmox cluster (PVE1 & PVE2)
- Proxmox Backup Server (PBS)
- TrueNAS (backup storage)
- Home Assistant + IoT ecosystem
- FPP Light Show network
- Pi-hole DNS (VIP 192.168.1.5)
- Local services (NPM, Grafana, Prometheus, Nextcloud, Jellyfin, etc.)
Routing, VLANs, firewall, DHCP, and VPN are all handled on the UCG Max.
## VLANs
| VLAN Name | VLAN ID | Subnet | Purpose |
|---|---|---|---|
| Default | 1 | 192.168.1.0/24 | Main LAN, servers, Proxmox |
| stark_user | 10 | 192.168.10.0/24 | Household WiFi |
| stark_IOT | 20 | 192.168.20.0/24 | Standard IoT devices |
| Guest | 30 | 192.168.30.0/24 | Guest WiFi |
| IOT+ | 50 | 192.168.50.0/24 | WPA3-capable IoT devices |
| Torres Family Lights | 60 | 192.168.60.0/24 | FPP controllers, mega-tree, matrix |
## WiFi Networks
| SSID | VLAN | Band | Clients | Notes |
|---|---|---|---|---|
| stark_IOT | 20 | 2.4/5 GHz | ~97 | IoT sensors & automations |
| stark_user | 10 | 2.4/5 GHz | ~9 | Household WiFi |
| stark_IOT+ | 50 | 2.4/5 GHz | ~7 | WPA3 IoT devices |
_All SSIDs broadcast across all UniFi APs._
## Zones
| Zone | VLANs / Networks |
|---|---|
| Internal | none |
| External | WAN1, WAN2 |
| Gateway | UCG Max |
| VPN | WireGuard |
| Hotspot | VLAN 30 |
| DMZ | none |
| User | VLAN 1, 10, 60 |
| IOT | VLAN 20, 50 |
## Firewall Policy Summary
Below is the simplified rule layout (no screenshots), reflecting the exact rule logic as built inside UniFi.

---

### Home Assistant Rules
Home Assistant lives on the IoT VLAN (20) and needs access across the entire network.

**Allow**
- IOT → User (HA → Proxmox)
- IOT → User (HA → FPP 192.168.60.55)
- IOT → Internal (HA → Grafana 192.168.1.77)
- IOT → User (HA → Pi-hole DNS)
- IOT → User (HA → Printer 192.168.10.185)

**Return**
- HA → FPP (Return)
- HA → Pi-hole (Return)
- HA → Grafana (Return)

Purpose: Allow HA to control everything while keeping it isolated from general user devices.
---

### NGINX Proxy Manager (NPM) Rules

**Allow**
- Internal → External (NPM → Nextcloud 192.168.1.150)
- IOT → User (NPM → Nextcloud_IOT)
- Internal → Internal (NPM → Pi-hole)

**Return**
- NPM → Internal (Return)
- NPM → Nextcloud_IOT (Return)

Purpose: Expose only public services, keep all internal traffic local.
---

### IoT Isolation Rules

**Allow**
- IOT → Gateway (DHCP)
- IOT → Gateway (DNS)
- IOT → Pi-hole
- HA → Printer
- Printer → HA

**Block**
- IOT → User
- IOT → IOT
- IOT → External

**Return**
- Allow IOT → IOT (Return)

Purpose: Strong segmentation with precise allowed paths for Home Assistant.
---

### VPN Rules
WireGuard provides trusted admin remote access.

**Allow**
- VPN → User
- VPN → IOT
- VPN → Gateway
- VPN → Any
- Allow all return traffic

Purpose: Full-access VPN strictly for administrator use.
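The rule sections above only make sense as an ordered list: the Home Assistant allows must sit in front of the IoT block rules, or HA loses its paths to the FPP controllers and Pi-hole. The script below is an added example, not part of this page or of the UniFi controller; it models the HA, IoT isolation and VPN sections as a first-match policy list over the VLAN and zone tables and replays the intent stated in each "Purpose" line, so a rule reorder can be caught before it is pushed to the UCG Max. Host addresses come from the DNS and port-forward tables on this page; the WireGuard client subnet (10.8.0.0/24), the gateway holding .1 on every VLAN, and the default deny for unmatched flows are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# VLAN subnets from the VLAN table, grouped by the zones in the Zones table.
# The WireGuard client subnet is not on the page; 10.8.0.0/24 is an assumed placeholder.
ZONES = {
    "User": ["192.168.1.0/24", "192.168.10.0/24", "192.168.60.0/24"],
    "IOT": ["192.168.20.0/24", "192.168.50.0/24"],
    "Hotspot": ["192.168.30.0/24"],
    "VPN": ["10.8.0.0/24"],
}
NETWORKS = [(ipaddress.ip_network(n), z) for z, nets in ZONES.items() for n in nets]

# Hosts named in the rules; addresses taken from the DNS and port-forward tables.
HA, FPP, GRAFANA, PIHOLE, PRINTER, PROXMOX = (
    "192.168.20.149", "192.168.60.55", "192.168.1.77",
    "192.168.1.5", "192.168.10.185", "192.168.1.150")


def zone_of(ip: str) -> str:
    """Map an address to its UniFi zone. The UCG Max is assumed to hold .1 on
    every VLAN (Gateway zone); anything outside the listed subnets is External."""
    addr = ipaddress.ip_address(ip)
    for net, zone in NETWORKS:
        if addr in net:
            return "Gateway" if addr == net.network_address + 1 else zone
    return "External"


@dataclass
class Rule:
    action: str                     # "allow" or "block"
    src_zone: str
    dst_zone: str                   # "Any" matches every zone
    src_ip: Optional[str] = None    # None = any host in the source zone
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None  # None = any port
    name: str = ""

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src_zone in ("Any", zone_of(src))
                and self.dst_zone in ("Any", zone_of(dst))
                and self.src_ip in (None, src)
                and self.dst_ip in (None, dst)
                and self.dst_port in (None, port))


# Policies in the order the page lists them: Home Assistant allows first, then the
# IoT isolation rules, then VPN. Return rules are implicit (stateful reply traffic).
RULES = [
    Rule("allow", "IOT", "User", HA, PROXMOX, name="HA -> Proxmox"),
    Rule("allow", "IOT", "User", HA, FPP, name="HA -> FPP"),
    # The page files Grafana under Internal; by the Zones table VLAN 1 is User.
    Rule("allow", "IOT", "User", HA, GRAFANA, name="HA -> Grafana"),
    Rule("allow", "IOT", "User", HA, PIHOLE, 53, name="HA -> Pi-hole DNS"),
    Rule("allow", "IOT", "User", HA, PRINTER, name="HA -> Printer"),
    Rule("allow", "IOT", "Gateway", dst_port=67, name="IOT -> Gateway DHCP"),
    Rule("allow", "IOT", "Gateway", dst_port=53, name="IOT -> Gateway DNS"),
    Rule("allow", "IOT", "User", dst_ip=PIHOLE, name="IOT -> Pi-hole"),
    Rule("allow", "User", "IOT", PRINTER, HA, name="Printer -> HA"),
    Rule("block", "IOT", "User", name="IOT -> User"),
    Rule("block", "IOT", "IOT", name="IOT -> IOT"),
    Rule("block", "IOT", "External", name="IOT -> External"),
    Rule("allow", "VPN", "Any", name="VPN -> Any"),
]


def evaluate(src: str, dst: str, port: int) -> tuple:
    """First matching policy wins; unmatched flows fall to a default deny (assumed)."""
    for rule in RULES:
        if rule.matches(src, dst, port):
            return rule.action, rule.name
    return "block", "default deny"


# Intent matrix derived from each section's "Purpose" line. 192.168.20.50 stands in
# for an arbitrary IoT sensor and 10.8.0.2 for a WireGuard client (both constructed).
INTENT = [
    (HA, FPP, 80, "allow"),                          # HA controls the light show
    (HA, PIHOLE, 53, "allow"),
    ("192.168.20.50", PIHOLE, 53, "allow"),          # any IoT device may resolve DNS
    ("192.168.20.50", "192.168.20.1", 67, "allow"),  # ... and get a DHCP lease
    ("192.168.20.50", "192.168.10.20", 80, "block"), # but not reach household devices
    ("192.168.20.50", HA, 8123, "block"),            # nor other IoT hosts
    ("192.168.20.50", "8.8.8.8", 443, "block"),      # nor the internet directly
    (PRINTER, HA, 80, "allow"),
    ("10.8.0.2", PROXMOX, 8006, "allow"),            # admin over WireGuard
]


def check_intent() -> list:
    """Return (src, dst, port, expected, got, rule) for every flow that deviates."""
    mismatches = []
    for src, dst, port, expected in INTENT:
        got, rule = evaluate(src, dst, port)
        if got != expected:
            mismatches.append((src, dst, port, expected, got, rule))
    return mismatches


if __name__ == "__main__":
    for src, dst, port, expected in INTENT:
        print(f"{src:>15} -> {dst:<15}:{port:<5} {evaluate(src, dst, port)}")
    print("intent mismatches:", check_intent())
```

Moving the `IOT -> User` block above the HA allows in `RULES` makes `check_intent()` report the HA to FPP and HA to Pi-hole flows, which is exactly the failure a misordered policy produces on the controller.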
---

## Port Forward Rules (WAN → LAN)
| Forward Name | WAN → LAN | Purpose |
|---|---|---|
| Nathan_Jump RDP | 3389 → 192.168.1.189 | Remote desktop |
| SCP → Jellyfin | 22 → 192.168.1.86 | Media server admin |
| TrueNAS | 443 → 192.168.1.150 | Storage management |
| Proxmox | 8006 → 192.168.1.150 | PVE dashboard |
| torresvault.com | 80/443 → 192.168.1.99 | Main landing page |

All other public services run through NPM → local services.
## Switch Topology
The UniFi switching stack includes:
- UCG Max
- USW-Lite-8-PoE
- USW Flex
- USW Flex 2.5G
- UDB Switch
- Multiple UniFi APs
## Local DNS
DNS is served by Pi-hole 1 & 2 via the VIP 192.168.1.5.
| Domain | IP Address |
|---|---|
| ha.torresvault.com | 192.168.20.149 |
| hatest.torresvault.com | 192.168.20.150 |
| in.torresvault.com | 192.168.1.27 |
| jellyfin.torresvault.com | 192.168.1.86 |
| matrix.torresvault.com | 192.168.60.56 |
| megatree.torresvault.com | 192.168.60.55 |
| monitor.torresvault.com | 192.168.1.77 |
| next.torresvault.com | 192.168.1.75 |
| npm.torresvault.com | 192.168.1.99 |
| pbs.torresvault.com | 192.168.1.252 |
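Three tables on this page (VLANs, port forwards, local DNS) describe the same hosts from different angles, and they drift apart easily. The script below is an added example, not part of this page; it loads those tables as data and cross-checks them: every DNS record is placed in its VLAN and zone, records pointing outside any documented subnet are listed, hosts that carry more than one forward are grouped, and forwards that publish an administrative service on the WAN are flagged, since the VPN section already gives administrators a `VPN → Any` path to those same services. The set of management ports and the purpose keywords used for flagging are assumptions.

```python
import ipaddress

# VLAN table from the page: (name, id, subnet, zone per the Zones table).
VLANS = [
    ("Default", 1, "192.168.1.0/24", "User"),
    ("stark_user", 10, "192.168.10.0/24", "User"),
    ("stark_IOT", 20, "192.168.20.0/24", "IOT"),
    ("Guest", 30, "192.168.30.0/24", "Hotspot"),
    ("IOT+", 50, "192.168.50.0/24", "IOT"),
    ("Torres Family Lights", 60, "192.168.60.0/24", "User"),
]

# Local DNS records served by the Pi-hole VIP, as listed on the page.
DNS = {
    "ha.torresvault.com": "192.168.20.149",
    "hatest.torresvault.com": "192.168.20.150",
    "in.torresvault.com": "192.168.1.27",
    "jellyfin.torresvault.com": "192.168.1.86",
    "matrix.torresvault.com": "192.168.60.56",
    "megatree.torresvault.com": "192.168.60.55",
    "monitor.torresvault.com": "192.168.1.77",
    "next.torresvault.com": "192.168.1.75",
    "npm.torresvault.com": "192.168.1.99",
    "pbs.torresvault.com": "192.168.1.252",
}

# Port forwards from the page: (name, wan_port, lan_ip, purpose).
FORWARDS = [
    ("Nathan_Jump RDP", 3389, "192.168.1.189", "Remote desktop"),
    ("SCP -> Jellyfin", 22, "192.168.1.86", "Media server admin"),
    ("TrueNAS", 443, "192.168.1.150", "Storage management"),
    ("Proxmox", 8006, "192.168.1.150", "PVE dashboard"),
    ("torresvault.com", 80, "192.168.1.99", "Main landing page"),
    ("torresvault.com", 443, "192.168.1.99", "Main landing page"),
]

# Assumed: ports that exist only for administration, plus purpose keywords that mark
# a forward as management even on a generic port (TrueNAS on 443).
MGMT_PORTS = {22, 3389, 8006}
MGMT_WORDS = ("admin", "management", "dashboard", "remote desktop")


def locate(ip):
    """Return (vlan_name, vlan_id, zone) for an address, or None if no VLAN contains it."""
    addr = ipaddress.ip_address(ip)
    for name, vid, subnet, zone in VLANS:
        if addr in ipaddress.ip_network(subnet):
            return name, vid, zone
    return None


def dns_by_vlan():
    """Group DNS names by the VLAN their address lives in; unknown subnets go under None."""
    groups = {}
    for host, ip in DNS.items():
        loc = locate(ip)
        groups.setdefault(loc[0] if loc else None, []).append(host)
    return groups


def dns_outside_vlans():
    """Records whose address is in no documented VLAN: usually a typo or a stale entry."""
    return [h for h, ip in DNS.items() if locate(ip) is None]


def exposed_mgmt_forwards():
    """Port forwards that publish an administrative service directly on the WAN."""
    flagged = []
    for name, port, ip, purpose in FORWARDS:
        if port in MGMT_PORTS or any(w in purpose.lower() for w in MGMT_WORDS):
            flagged.append((name, port, ip))
    return flagged


def duplicate_hosts():
    """LAN hosts that appear under more than one forward name (several services on one IP)."""
    seen = {}
    for name, _, ip, _ in FORWARDS:
        seen.setdefault(ip, set()).add(name)
    return {ip: names for ip, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for vlan, hosts in sorted(dns_by_vlan().items(), key=lambda kv: str(kv[0])):
        print(f"{vlan}: {', '.join(hosts)}")
    print("outside documented VLANs:", dns_outside_vlans())
    print("management services forwarded from WAN:", exposed_mgmt_forwards())
    print("IPs with several forwards:", duplicate_hosts())
```

On the tables as written, `exposed_mgmt_forwards()` returns the RDP, SCP, TrueNAS and Proxmox entries, and `duplicate_hosts()` shows 192.168.1.150 serving both the TrueNAS and Proxmox forwards; both are worth a second look when the next change to the forward list is made.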
## Notes
- All APs use PoE
- Multiple PoE switches support HA, Pi-hole, APs, FPP network
- VLANs trunked across entire switch chain
- Full IoT segmentation enforced
- WAN failover enabled (WAN1 active, WAN2 backup)
## Future TorresVault 2.0 (Draft)
- Replace PVE1 & PVE2 with Mini-PC nodes
- Run Kubernetes inside PVE VMs
- Move selected VMs → K8s deployments
- Expand HA integrations
- Add full UPS + NUT monitoring
- Add Loki for aggregated network logs
- Expand VLAN segmentation (per-room IoT)
- Move toward Zero Trust network model
