
📑 TorresVault UniFi Network

This page documents the full UniFi network configuration that powers the TorresVault environment, including VLANs, WiFi, zones, firewall rules, switch topology, and DNS structure. It is the reference for configuration, troubleshooting, and future expansion.

Overview

The TorresVault network, managed by the UniFi UCG Max, connects:

Proxmox cluster (PVE1 & PVE2)

Proxmox Backup Server (PBS)

TrueNAS (Backup storage)

Home Assistant + IoT ecosystem

FPP Light Show network

Pi-hole DNS

Local services (NPM, Grafana, Prometheus, Nextcloud, Jellyfin, etc.)

Routing, VLANs, firewall, and DHCP are all handled on the UCG Max.

VLANs

^ VLAN Name ^ VLAN ID ^ Subnet ^ Purpose ^
| Default | 1 | 192.168.1.0/24 | Main user LAN, servers, Proxmox |
| stark_user | 10 | 192.168.10.0/24 | Household WiFi users |
| stark_IOT | 20 | 192.168.20.0/24 | Standard IoT devices |
| Guest | 30 | 192.168.30.0/24 | Guest WiFi |
| IOT+ | 50 | 192.168.50.0/24 | Special IoT requiring WPA3 |
| Torres Family Lights | 60 | 192.168.60.0/24 | FPP show controllers, mega tree, matrix |

WiFi Networks

^ SSID ^ VLAN ^ Band ^ Clients ^ Notes ^
| stark_IOT | 20 | 2.4/5 GHz | ~97 | IoT sensors & devices |
| stark_user | 10 | 2.4/5 GHz | ~9 | Household WiFi |
| stark_IOT+ | 50 | 2.4/5 GHz | ~7 | IoT WPA3-capable devices |

All SSIDs are broadcast on all APs.

Zones

Zones group networks so that firewall policies are written between zones rather than between individual VLANs:

^ Zone ^ VLANs / Networks ^
| Internal | none |
| External | WAN1, WAN2 |
| Gateway | UCG Max |
| VPN | WireGuard |
| Hotspot | VLAN 30 |
| DMZ | none |
| User | VLAN 1, 10, 60 |
| IOT | VLAN 20, 50 |

Firewall Policy Summary

Below is the condensed rule layout, grouped by function. It reflects the UniFi ruleset as configured on the UCG Max; policies within a zone pair are evaluated top to bottom and the first match wins.

Home Assistant Rules

Home Assistant lives on the IOT VLAN (20) and needs access across the network.

Allow Rules:

IOT → User (HA → Proxmox)

IOT → User (HA → FPP 192.168.60.55)

IOT → Internal (HA → Grafana 192.168.1.77; note that 192.168.1.77 is on VLAN 1, which the zone table places in User rather than Internal, so verify on the gateway which zone this policy actually targets)

IOT → User (HA → Pi-hole for DNS)

IOT → User (HA → Printer 192.168.10.185)

Return Rules:

HA → FPP (Return)

HA → Pi-hole (Return)

HA → Grafana (Return)

Purpose: Let HA manage everything while remaining isolated from general user traffic.

NPM (Reverse Proxy) Rules

Allow Rules:

Internal → External (NPM → Nextcloud 192.168.1.150; the port-forward table below lists 192.168.1.150 as the TrueNAS and Proxmox target and the DNS table resolves next.torresvault.com to 192.168.1.75, so confirm which host owns this address)

IOT → User (NPM → Nextcloud_IOT)

Internal → Internal (NPM → Pi-hole)

Return Rules:

NPM → Internal (Return)

NPM → Nextcloud IOT (Return)

Purpose: Expose only what needs to be public, everything else stays internal.

IoT Isolation Rules

IoT must be isolated from user devices.

Allow Rules:

IOT → Gateway (DHCP)

IOT → Gateway (DNS)

IOT → Pi-hole

HA → Printer

Printer → HA

Block Rules:

Block IOT → User

Block IOT → IOT

Block IOT → External

Return Rules:

Allow IOT → IOT (Return)

Purpose: Strong segmentation with controlled exceptions. These zone policies only see traffic that is routed through the UCG Max: two devices on the same IoT VLAN talk at layer 2 and never hit Block IOT → IOT, so isolation between clients within stark_IOT itself depends on client isolation on the SSID, not on this ruleset.

VPN Rules

WireGuard is part of the trusted admin plane.

Rules:

Allow VPN → User

Allow VPN → IOT

Allow VPN → Gateway

Allow VPN → Any (this subsumes the three rules above)

Allow Return Traffic

Purpose: Secure remote access with full trusted privileges. Because VPN → Any gives every WireGuard peer the same reach as an administrator on the LAN, a leaked peer key is equivalent to a leaked LAN credential: keep the peer list short and remove peers as soon as a device is retired.
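The rules above are easier to reason about as an offline model than as a list. The following is an added example, not configuration exported from the UCG Max: it rebuilds the VLAN table, the zone table and the Home Assistant and IoT isolation policies in Python, applies first-match evaluation, and answers "can src reach dst?" for any pair of addresses. It models only the initiating direction (return traffic is stateful on the gateway), ignores ports, treats the DHCP/DNS exceptions as a zone-wide IOT → Gateway allow, and assumes the gateway answers on .1 of every VLAN, since the page lists no gateway addresses. Run against the tables as transcribed, it also shows why the Grafana rule deserves a second look: HA → 192.168.1.77 falls through to Block IOT → User, because the allow is written against the Internal zone while VLAN 1 belongs to User.

```python
"""Offline model of the TorresVault zone-based firewall.

Added example built from the page's VLAN, zone and rule tables, not an
export from the UCG Max.  It evaluates only the initiating direction of a
flow (return traffic is stateful on the gateway) and ignores ports.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# VLAN subnets from the VLAN table.
VLANS = {
    1: ip_network("192.168.1.0/24"),
    10: ip_network("192.168.10.0/24"),
    20: ip_network("192.168.20.0/24"),
    30: ip_network("192.168.30.0/24"),
    50: ip_network("192.168.50.0/24"),
    60: ip_network("192.168.60.0/24"),
}
# Zone membership from the zone table; Internal and DMZ hold no networks.
ZONES = {"User": {1, 10, 60}, "IOT": {20, 50}, "Hotspot": {30}}
# Assumption: the UCG Max answers on .1 of every VLAN (the page lists no gateway addresses).
GATEWAY_IPS = {str(net.network_address + 1) for net in VLANS.values()}

# Hosts named in the rules and in the Local DNS table.
HA, PIHOLE, FPP, GRAFANA, PRINTER = (
    "192.168.20.149", "192.168.1.5", "192.168.60.55", "192.168.1.77", "192.168.10.185")


def vlan_of(ip: str) -> Optional[int]:
    """VLAN ID whose subnet contains ip, or None for anything off-site."""
    addr = ip_address(ip)
    return next((vid for vid, net in VLANS.items() if addr in net), None)


def zone_of(ip: str) -> str:
    """Gateway, the zone owning the address's VLAN, Internal for an unzoned VLAN, else External."""
    if str(ip_address(ip)) in GATEWAY_IPS:
        return "Gateway"
    vid = vlan_of(ip)
    if vid is None:
        return "External"
    return next((z for z, vids in ZONES.items() if vid in vids), "Internal")


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                      # "allow" or "block"
    src_host: Optional[str] = None   # None = any host in src_zone
    dst_host: Optional[str] = None   # None = any host in dst_zone

    def matches(self, src: str, dst: str) -> bool:
        return (zone_of(src) == self.src_zone and zone_of(dst) == self.dst_zone
                and self.src_host in (None, src) and self.dst_host in (None, dst))


# Policies in the order the page lists them; first match wins, as on the gateway.
RULES = [
    Rule("HA -> FPP", "IOT", "User", "allow", HA, FPP),
    Rule("HA -> Grafana", "IOT", "Internal", "allow", HA, GRAFANA),  # transcribed with dst zone Internal
    Rule("HA -> Pi-hole", "IOT", "User", "allow", HA, PIHOLE),
    Rule("HA -> Printer", "IOT", "User", "allow", HA, PRINTER),
    Rule("IOT -> Gateway (DHCP, DNS)", "IOT", "Gateway", "allow"),
    Rule("IOT -> Pi-hole", "IOT", "User", "allow", dst_host=PIHOLE),
    Rule("Printer -> HA", "User", "IOT", "allow", PRINTER, HA),
    Rule("Block IOT -> User", "IOT", "User", "block"),
    Rule("Block IOT -> IOT", "IOT", "IOT", "block"),
    Rule("Block IOT -> External", "IOT", "External", "block"),
]


def evaluate(src: str, dst: str, default: str = "allow") -> tuple[str, str]:
    """Return (verdict, reason) for a new flow from src to dst.

    The default is 'allow' because the page relies on explicit Block rules for
    the IOT zone, which only do anything if unmatched inter-zone traffic is
    otherwise permitted; pass default='block' to model a deny-by-default build.
    """
    # Same-VLAN traffic is switched at layer 2 and never reaches these policies.
    if zone_of(dst) != "Gateway" and vlan_of(src) is not None and vlan_of(src) == vlan_of(dst):
        return "l2", "same VLAN: switched locally, never reaches the gateway firewall"
    for rule in RULES:
        if rule.matches(src, dst):
            return rule.action, rule.name
    return default, "default"


if __name__ == "__main__":
    for src, dst in [(HA, PIHOLE), ("192.168.20.77", GRAFANA), (HA, GRAFANA),
                     ("192.168.20.77", "192.168.20.78"), ("192.168.20.77", "1.1.1.1")]:
        print(f"{src:>15} -> {dst:<15} {evaluate(src, dst)}")
```

Flip `default` to `"block"` to see which of the page's allow rules would still be needed under a deny-by-default policy; the User → IOT direction, which the page never blocks, is the first thing that changes.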

Port Forward Rules (WAN β†’ LAN)

^ Forward ^ WAN → LAN ^ Purpose ^
| RDP Nathan_Jump | 3389 → 192.168.1.189 | Remote desktop |
| SCP → Jellyfin | 22 → 192.168.1.86 | Media server access |
| TrueNAS | 443 → 192.168.1.150 | Storage admin |
| Proxmox | 8006 → 192.168.1.150 | PVE dashboard |
| torresvault.com | 80/443 → 192.168.1.99 | Main landing page server |

Purpose: Minimal public exposure, everything else internal behind NPM. Four of the five forwards (RDP, SSH, the TrueNAS UI and the Proxmox UI) are management interfaces, and WireGuard already reaches every zone, so the usual practice is to use them over the VPN and drop the forwards, or at least restrict each forward to known source addresses. Two entries also need verifying on the gateway: WAN port 443 is listed twice (TrueNAS and torresvault.com), and 192.168.1.150 is given as both the TrueNAS and the Proxmox target while the NPM rule above calls it Nextcloud.
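The table is small enough to audit by eye, but the same checks are worth automating so they run again after every change. The following is an added example, not output from the UniFi controller: it transcribes the forward table and the Local DNS table from this page and reports forwards that expose a management interface, WAN ports claimed by more than one forward, and target addresses the page files under more than one service. The `admin` flag on each forward is taken from the Purpose column and is this example's own classification.

```python
"""Audit of the WAN -> LAN port forwards as transcribed from the page.

Added example, not gateway output.  It cross-checks the forward table against
the Local DNS table and reports forwards that expose a management interface,
WAN ports claimed by more than one forward, and target addresses the page
files under more than one service.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    service: str
    wan_port: int
    target: str
    purpose: str
    admin: bool  # True when the Purpose column describes a management interface


# Port-forward table from the page; the 80/443 row is split into two forwards.
FORWARDS = [
    Forward("Nathan_Jump", 3389, "192.168.1.189", "Remote desktop", True),
    Forward("Jellyfin", 22, "192.168.1.86", "Media server access (SSH/SCP)", True),
    Forward("TrueNAS", 443, "192.168.1.150", "Storage admin", True),
    Forward("Proxmox", 8006, "192.168.1.150", "PVE dashboard", True),
    Forward("torresvault.com", 80, "192.168.1.99", "Main landing page server", False),
    Forward("torresvault.com", 443, "192.168.1.99", "Main landing page server", False),
]

# Local DNS table from the page.
DNS = {
    "ha.torresvault.com": "192.168.20.149",
    "hatest.torresvault.com": "192.168.20.150",
    "in.torresvault.com": "192.168.1.27",
    "jellyfin.torresvault.com": "192.168.1.86",
    "matrix.torresvault.com": "192.168.60.56",
    "megatree.torresvault.com": "192.168.60.55",
    "monitor.torresvault.com": "192.168.1.77",
    "next.torresvault.com": "192.168.1.75",
    "npm.torresvault.com": "192.168.1.99",
    "pbs.torresvault.com": "192.168.1.252",
}


def dns_names(ip: str, dns=DNS) -> list[str]:
    """Hostnames in the local zone that resolve to ip (may be empty)."""
    return sorted(h for h, a in dns.items() if a == ip)


def audit(forwards=FORWARDS, dns=DNS) -> list[tuple[str, str]]:
    """Return (kind, message) findings.

    Kinds: admin-exposed, wan-port-collision, target-ambiguous.
    """
    findings = []
    by_port = defaultdict(list)   # WAN port -> services that claim it
    by_target = defaultdict(set)  # LAN address -> services the page assigns to it
    for f in forwards:
        by_port[f.wan_port].append(f.service)
        by_target[f.target].add(f.service)
        if f.admin:
            names = ", ".join(dns_names(f.target, dns)) or "no local DNS name"
            findings.append(("admin-exposed",
                f"{f.service}: WAN {f.wan_port} -> {f.target} ({names}) is a management "
                f"interface ({f.purpose}); reach it over WireGuard instead of a forward"))
    for port, services in sorted(by_port.items()):
        if len(services) > 1:
            findings.append(("wan-port-collision",
                f"WAN port {port} is claimed by {', '.join(services)}; two forwards cannot "
                f"share a port on one WAN address, check which interface each is bound to"))
    for target, services in sorted(by_target.items()):
        if len(services) > 1:
            findings.append(("target-ambiguous",
                f"{target} is listed as {', '.join(sorted(services))}; confirm which host "
                f"owns the address before relying on either forward"))
    return findings


if __name__ == "__main__":
    for kind, message in audit():
        print(f"[{kind}] {message}")
```

Against the page's tables this reports four admin-exposed forwards, the WAN 443 collision between TrueNAS and torresvault.com, and 192.168.1.150 being claimed by both TrueNAS and Proxmox; re-run it whenever a forward is added so the list never grows silently.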

Switch Topology

The UniFi switch stack includes:

UCG Max

USW-Lite-8-PoE

USW Flex

USW Flex 2.5G

UDB Switch

Multiple APs

Network Path Summary

Ting Fiber → UCG Max → (Core Switches) → APs / Servers / IoT / FPP

Core Layout (Simplified)

UCG Max
├── Pi-hole 1 (5124)
├── Pi-hole 2 (38:de)
├── USW Flex → APs → Flex 2.5G → Controllers
├── USW-Lite-8-POE → Hallway AP → UDB → Proxmox / TrueNAS / NPM / Jellyfin
└── UDB Switch → servers, FPP network, Nextcloud, etc.

All switches trunk all VLANs. Because every VLAN is tagged on every inter-switch link, the port profile is the only thing stopping a device on an access port from tagging its own frames into another VLAN: keep access ports on a single-VLAN profile and reserve the all-VLAN profile for uplinks and APs.

Local DNS

All DNS is served by Pi-hole 1 & 2 with VIP: 192.168.1.5

^ Domain ^ IP ^
| ha.torresvault.com | 192.168.20.149 |
| hatest.torresvault.com | 192.168.20.150 |
| in.torresvault.com | 192.168.1.27 |
| jellyfin.torresvault.com | 192.168.1.86 |
| matrix.torresvault.com | 192.168.60.56 |
| megatree.torresvault.com | 192.168.60.55 |
| monitor.torresvault.com | 192.168.1.77 |
| next.torresvault.com | 192.168.1.75 |
| npm.torresvault.com | 192.168.1.99 |
| pbs.torresvault.com | 192.168.1.252 |

Notes

All APs use PoE

Multiple PoE switches support HA, Pi-hole, APs, and the FPP network

VLANs trunked everywhere

IoT segmentation fully enforced

WAN failover assigned (WAN1 active, WAN2 spare)

Future TorresVault 2.0 (Draft)

Replace PVE1 & PVE2 with Mini-PC nodes (lower power, more performance)

Run Kubernetes inside PVE VMs

Move select VMs β†’ K8s deployments

Expand HA integrations

Add full UPS + NUT monitoring across racks

Grafana Loki for aggregated network logs

Expand VLAN segmentation for per-room IoT

Move toward Zero Trust network model

torresvault/network/unifi.txt · Last modified: by nathna
