Update network documentation: OPNsense router, VLANs, IoT migration, UniFi AP, firewall rules

2026-06-01 17:33:34 +12:00
parent 9eda033bc5
commit b06315c63e
1 changed files with 55 additions and 36 deletions
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ This documentation covers the complete home network setup including IP allocatio
 **Network:** 192.168.0.0/24  
 **Router:** OPNsense at 192.168.0.1  
-**Last Updated:** December 27, 2025
+**Last Updated:** June 1, 2026
 ## Network Architecture
@@ -25,14 +25,28 @@ This documentation covers the complete home network setup including IP allocatio
 192.168.0.30-49     - User Computers & Laptops
 192.168.0.50-69     - Mobile Devices & Tablets
 192.168.0.70-79     - TVs & Media Devices
-192.168.0.80-99     - Smart Home IoT
+192.168.0.80-99     - Available (IoT devices migrated to VLAN 20)
-192.168.0.100-119   - Network Infrastructure (APs, switches, extenders)
+192.168.0.100-119   - Network Infrastructure (APs, switches)
 192.168.0.120-139   - Hypervisors & Storage
 192.168.0.140-149   - Reserved for expansion
 192.168.0.150-200   - DHCP Pool (Guest devices only)
 192.168.0.201-254   - Future expansion
 ```
 ### VLAN Structure
 | Network | Subnet | VLAN | SSID | Purpose |
 |---------|--------|------|------|---------|
 | **Main LAN** | 192.168.0.0/24 | (none) | — | General devices, VMs, servers |
 | **IoT Devices** | 10.10.3.0/24 | 20 | IoTeePee | Smart home, bulbs, plugs, sensors |
 | **Security Cameras** | 10.10.2.0/24 | 30 | — | IP cameras (wired, pending migration) |
 ### Firewall Rules
 - **IoT VLAN (20):** Devices can reach the internet and Home Assistant (192.168.0.15) only. All other VLAN access is blocked.
 - **Camera VLAN (30):** Devices can reach the internet, Home Assistant (192.168.0.15), and the Frigate/FoundryVTT VM (192.168.0.16) only.
 - **Main LAN:** Unrestricted access to all VLANs and the internet.
 ## Infrastructure - Core Services (10-29)
 | Hostname | Service | IP | MAC Address | Type | Status |
@@ -42,7 +56,7 @@ This documentation covers the complete home network setup including IP allocatio
 | vaultwarden | Vaultwarden | 192.168.0.12 | BC:24:11:A8:44:A1 | LXC | ✅ Active |
 | nextcloud | Nextcloud | 192.168.0.14 | 02:99:5b:4c:b3:e6 | VM | ✅ Active |
 | homeassistant | Home Assistant | 192.168.0.15 | 02:46:0b:d8:35:7c | VM | ✅ Active |
-| foundryvtt | FoundryVTT | 192.168.0.16 | bc:24:11:ad:cb:f6 | VM | ✅ Active |
+| foundryvtt-frigate | Frigate (NVR) + FoundryVTT | 192.168.0.16 | bc:24:11:ad:cb:f6 | Pop!_OS VM | ✅ Active |
 | openmediavault | OpenMediaVault (NAS) | 192.168.0.17 | bc:24:11:2c:68:58 | VM | ✅ Active |
 | wordpress-irodori | WordPress - Irodori | 192.168.0.18 | bc:24:11:42:70:2a | VM | ✅ Active |
 | wordpress-dustin | WordPress - Dustin | 192.168.0.19 | bc:24:11:7e:fc:ff | VM | ✅ Active |
@@ -70,32 +84,37 @@ This documentation covers the complete home network setup including IP allocatio
 |----------|--------|-----|-------------|-------|
 | unknown-media | Unknown Media Device | 192.168.0.71 | a0:d0:5b:c7:13:28 | Likely TV or streaming |
-## Smart Home / IoT (80-99)
+## IoT Devices (VLAN 20 — 10.10.3.0/24)
-| Hostname | Device | IP | MAC Address | Notes |
+All smart home devices have been migrated from the main LAN (192.168.0.80-94) to the IoT network (10.10.3.0/24, VLAN 20, SSID: IoTeePee). They now receive dynamic IPs via DHCP on the IoT interface. Static IPs are no longer assigned.
-|----------|--------|-----|-------------|-------|
+
-| tapo-hub-h100 | Tapo Hub/Chime H100 | 192.168.0.80 | a8:29:48:88:84:d6 | Smart home hub |
+| Hostname | Device | MAC Address | Notes |
-| tapo-leak-t300 | Tapo Water Leak Sensor T300 | 192.168.0.81 | 20:23:51:d0:b1:7d | Battery powered |
+|----------|--------|-------------|-------|
-| tapo-bedside-l530 | Tapo Smart Bulb L530 - Bedside | 192.168.0.82 | 20:23:51:08:19:76 | Smart bulb |
+| tapo-hub-h100 | Tapo Hub/Chime H100 | a8:29:48:88:84:d6 | Smart home hub |
-| tapo-bedroom-l530 | Tapo Smart Bulb L530 - Bedroom | 192.168.0.83 | b0:19:21:17:a7:c3 | Smart bulb |
+| tapo-leak-t300 | Tapo Water Leak Sensor T300 | 20:23:51:d0:b1:7d | Battery powered |
-| tapo-hallway-a-l530 | Tapo Smart Bulb L530 - Hallway A | 192.168.0.84 | f0:09:0d:b6:4a:8d | Smart bulb |
+| tapo-bedside-l530 | Tapo Smart Bulb L530 - Bedside | 20:23:51:08:19:76 | Smart bulb |
-| tapo-hallway-b-l530 | Tapo Smart Bulb L530 - Hallway B | 192.168.0.85 | 40:ae:30:67:a2:46 | Smart bulb |
+| tapo-bedroom-l530 | Tapo Smart Bulb L530 - Bedroom | b0:19:21:17:a7:c3 | Smart bulb |
-| tapo-porch-l530 | Tapo Smart Bulb L530 - Porch | 192.168.0.86 | 3c:64:cf:63:58:da | Smart bulb |
+| tapo-hallway-a-l530 | Tapo Smart Bulb L530 - Hallway A | f0:09:0d:b6:4a:8d | Smart bulb |
-| tapo-plug-a-p110 | Tapo P110 Smart Plug | 192.168.0.87 | 40:ae:30:50:c8:62 | Power monitoring |
+| tapo-hallway-b-l530 | Tapo Smart Bulb L530 - Hallway B | 40:ae:30:67:a2:46 | Smart bulb |
-| tapo-plug-b-p110 | Tapo P110 Smart Plug | 192.168.0.88 | b0:19:21:17:a5:7e | Power monitoring |
+| tapo-porch-l530 | Tapo Smart Bulb L530 - Porch | 3c:64:cf:63:58:da | Smart bulb |
-| yeelight-color4 | Yeelight Smart Bulb | 192.168.0.89 | 58:b6:23:41:e1:ff | Smart bulb |
+| tapo-plug-a-p110 | Tapo P110 Smart Plug | 40:ae:30:50:c8:62 | Power monitoring |
-| reolink-kitchen | Reolink E1 Camera - Kitchen | 192.168.0.90 | 54:ef:33:bd:be:e0 | Security camera |
+| tapo-plug-b-p110 | Tapo P110 Smart Plug | b0:19:21:17:a5:7e | Power monitoring |
-| reolink-outdoor | Reolink Camera - Outdoor | 192.168.0.91 | e8:ca:c8:6d:b0:7f | Security camera |
+| yeelight-color4 | Yeelight Smart Bulb | 58:b6:23:41:e1:ff | Smart bulb |
-| TPC100 | Tuya Device - Unknown | 192.168.0.92 | a8:b1:3b:01:c2:ce | Backyard Camera |
+| reolink-kitchen | Reolink E1 Camera - Kitchen | 54:ef:33:bd:be:e0 | Security camera |
-| TPC100 | Tuya Device - Unknown | 192.168.0.93 | 58-04-4F-4A-D1-E1 | Living Room Camera |
+| reolink-outdoor | Reolink Camera - Outdoor | e8:ca:c8:6d:b0:7f | Security camera |
-| TPC120 | Tuya Device - Unknown | 192.168.0.94 | B8-FB-B3-7A-68-81 | Garden Camera |
+| TPC100 | Tuya Backyard Camera | a8:b1:3b:01:c2:ce | Backyard Camera |
 | TPC100 | Tuya Living Room Camera | 58-04-4F-4A-D1-E1 | Living Room Camera |
 | TPC120 | Tuya Garden Camera | B8-FB-B3-7A-68-81 | Garden Camera |
 ### Pending Camera Migration (VLAN 30 — 10.10.2.0/24)
 The three IP cameras (TPC100 backyard, TPC100 living room, TPC120 garden — formerly 192.168.0.92, .93, .94) will be migrated to the Camera network (10.10.2.0/24, VLAN 30) once physically reconnected. Until then, they remain on the IoT network (VLAN 20).
 ## Network Infrastructure (100-119)
 | Hostname | Device | IP | MAC Address | Notes |
 |----------|--------|-----|-------------|-------|
-| tplink-ax55 | TP-Link AX55 Router/AP | 192.168.0.1 | 40:ae:30:f8:27:f0 | WiFi Access Point |
+| u7-lite | UniFi U7 Lite AP | 192.168.0.159 | — | Managed by UniFi OS controller; pending static DHCP reservation |
 | tplink-re450 | TP-Link RE450 Range Extender | 192.168.0.101 | 5c:62:8b:8d:cb:d6 | WiFi Extender |
 ## Hypervisors & Storage (120-139)
@@ -109,7 +128,7 @@ This documentation covers the complete home network setup including IP allocatio
 ### Current Settings
 - **DHCP Pool:** 192.168.0.150 - 192.168.0.200 (51 addresses)
 - **Purpose:** Guest devices and temporary connections
- **Static Reservations:** 33 devices with confirmed MACs
+- **Static Reservations:** 20 devices with confirmed MACs
 ### DNS Settings
 - **Primary DNS:** 192.168.0.11 (AdGuard Home)
@@ -124,26 +143,26 @@ This documentation covers the complete home network setup including IP allocatio
 ## Network Statistics
- **Total Active Devices:** 35
+- **Total Active Devices:** 33
 - **VMs/Containers:** 10
 - **User Computers:** 5 (3 PCs + 2 printers)
 - **Mobile Devices:** 3 (2 phones + 1 tablet)
 - **TVs & Media:** 3
- **Smart Home/IoT:** 13 (9 Tapo + 1 Yeelight + 2 Reolink + 1 Tuya)
+- **Smart Home/IoT:** 15 (9 Tapo + 1 Yeelight + 2 Reolink + 3 Tuya) — all on VLAN 20
- **Network Infrastructure:** 2 (AP + Extender)
+- **Network Infrastructure:** 1 (UniFi U7 Lite AP)
 - **Hypervisors:** 2
- **Static Assignments:** 33 devices
+- **Static Assignments:** 20 devices
 - **DHCP Pool Size:** 51 addresses
 ## Known Issues
 ### Tapo App Issues
- **Bedroom light** (192.168.0.83): Showing incorrect info in app
+- Some Tapo devices may show incorrect info in app after VLAN migration
- **3D printer plug** (192.168.0.88): App showing wrong MAC, verify after print finishes
+- **3D printer plug:** App showing wrong MAC, verify after print finishes
- **Resolution:** Use ARP table MACs as source of truth
+- **Resolution:** Use OPNsense ARP table MACs as source of truth
 ### Devices Needing Attention
- Factory reset recommended for Tapo devices showing app glitches after migration
+- Factory reset recommended for Tapo devices showing app glitches after VLAN migration
 ## Maintenance Tasks
@@ -158,9 +177,9 @@ This documentation covers the complete home network setup including IP allocatio
 ## Security Considerations
-1. **Network Segmentation:** Consider VLANs for IoT devices
+1. **Network Segmentation:** VLAN 20 (IoT) and VLAN 30 (Cameras) isolate untrusted devices from the main LAN
 2. **Guest Network:** DHCP pool isolated from static devices
-3. **Firewall Rules:** OPNsense manages inter-VLAN traffic
+3. **Firewall Rules:** OPNsense enforces strict inter-VLAN rules — IoT can only reach HA; Cameras can only reach HA and Frigate/FoundryVTT
 4. **DNS Filtering:** AdGuard Home provides ad/tracker blocking
 5. **Remote Access:** Tailscale VPN for secure remote access
@@ -229,4 +248,4 @@ arp -an | grep 192.168.0
 - `Network Inventory.docx` - Human-readable network map
 - `opnsense-config.xml` - OPNsense configuration backup (not in repo)
-**Last Updated:** December 28, 2025
+**Last Updated:** June 1, 2026