# Home Network Infrastructure Documentation

## Overview

This documentation covers the complete home network setup including IP allocation scheme, DHCP reservations, VLANs, and device inventory for a 192.168.0.0/24 network managed by OPNsense.

**Network:** 192.168.0.0/24

**Router:** OPNsense at 192.168.0.1

**Last Updated:** June 2026

## Network Architecture

### Core Infrastructure

- **Router/Firewall:** OPNsense (192.168.0.1)
- **DNS/Ad Blocking:** AdGuard Home (192.168.0.11)
- **Reverse Proxy:** Nginx Proxy Manager (192.168.0.10)
- **VPN:** Tailscale integration

### IP Allocation Scheme

```
192.168.0.1        - OPNsense Router
192.168.0.2-9      - Reserved for future infrastructure
192.168.0.10-29    - Core Services (VMs/Containers)
192.168.0.30-49    - User Computers & Laptops
192.168.0.50-69    - Mobile Devices & Tablets
192.168.0.70-79    - TVs & Media Devices
192.168.0.80-99    - Temporary holding (pending IoT VLAN migration)
192.168.0.100-119  - Network Infrastructure (APs, switches)
192.168.0.120-139  - Hypervisors & Storage
192.168.0.140-149  - Reserved for expansion
192.168.0.150-200  - DHCP Pool (Guest devices only)
192.168.0.201-254  - Future expansion
```

### VLAN Structure

| Network | Subnet | VLAN | SSID | Purpose |
|---------|--------|------|------|---------|
| **Main LAN** | 192.168.0.0/24 | (none) | TeePee | General devices, VMs, servers |
| **IoT Devices** | 10.10.3.0/24 | 20 | IoTeePee | Smart home, bulbs, plugs, sensors |
| **Security Cameras** | 10.10.2.0/24 | 30 | Cameras | IP cameras |

### Firewall Rules

- **IoT VLAN (20):** Devices can reach the internet and Home Assistant (192.168.0.15) only. All other VLAN access is blocked.
- **Camera VLAN (30):** Devices can reach the internet, Home Assistant (192.168.0.15), and the Frigate/FoundryVTT VM (192.168.0.16) only.
- **Main LAN:** Unrestricted access to all VLANs and the internet.
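
The allocation scheme and VLAN subnets above can be checked mechanically against the reservation tables. The following is an added example, not part of this repository: the category names and the `audit` function are assumptions made for illustration, and the sample rows are copied from the inventory tables on this page (the unconfirmed u7-lite MAC is represented as an empty string).

```python
import ipaddress
from collections import defaultdict

# Category -> (first, last) address, taken from the IP Allocation Scheme
# and VLAN Structure sections. Category names are illustrative.
RANGES = {
    "core": ("192.168.0.10", "192.168.0.29"),
    "computer": ("192.168.0.30", "192.168.0.49"),
    "infra": ("192.168.0.100", "192.168.0.119"),
    "iot": ("10.10.3.1", "10.10.3.254"),
    "camera": ("10.10.2.1", "10.10.2.254"),
}
DHCP_POOL = ("192.168.0.150", "192.168.0.200")  # guest devices only

# Sample rows from this page's tables: (hostname, category, ip, mac)
INVENTORY = [
    ("adguard", "core", "192.168.0.11", "BC:24:11:47:27:43"),
    ("home-assistant", "core", "192.168.0.15", "02:46:0b:d8:35:7c"),
    ("printer", "computer", "192.168.0.34", "a8:b1:3b:01:c2:ce"),
    ("unifi-os", "infra", "192.168.0.100", "bc:24:11:8f:4d:4d"),
    ("u7-lite", "infra", "192.168.0.159", ""),  # MAC not yet confirmed
    ("tapo-hub-h100", "iot", "10.10.3.4", "a8:29:48:88:84:d6"),
    ("camera-backyard", "camera", "10.10.2.3", "a8:b1:3b:01:c2:ce"),
    ("camera-kitchen", "camera", "10.10.2.8", "54:ef:33:bd:be:e0"),
]

def in_range(ip, bounds):
    """True if ip lies between the two bounds, inclusive."""
    lo, hi = (ipaddress.ip_address(b) for b in bounds)
    return lo <= ipaddress.ip_address(ip) <= hi

def audit(inventory):
    """Return sorted (hostname, issue) pairs for rows that break the scheme."""
    findings = []
    by_mac, by_ip = defaultdict(list), defaultdict(list)
    for host, category, ip, mac in inventory:
        if not in_range(ip, RANGES[category]):
            findings.append((host, "outside-range"))
        if in_range(ip, DHCP_POOL):
            findings.append((host, "in-dhcp-pool"))  # static host in guest pool
        if mac:
            by_mac[mac.lower()].append(host)  # compare MACs case-insensitively
        else:
            findings.append((host, "missing-mac"))
        by_ip[ip].append(host)
    # A MAC or IP listed for two hosts usually means a stale or mistyped row.
    for kind, index in (("duplicate-mac", by_mac), ("duplicate-ip", by_ip)):
        for hosts in index.values():
            if len(hosts) > 1:
                findings.extend((h, kind) for h in hosts)
    return sorted(findings)
```

Calling `audit(INVENTORY)` returns the rows that need attention before the reservations are imported; an empty list means every row fits its documented range.
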
## Infrastructure - Core Services (10-29)

| Hostname | Service | IP | MAC Address | Type | Status |
|----------|---------|-----|-------------|------|--------|
| docker | Docker LXC (NPM + services) | 192.168.0.10 | BC:24:11:5b:1d:a2 | LXC | ✅ Active |
| adguard | AdGuard Home | 192.168.0.11 | BC:24:11:47:27:43 | LXC | ✅ Active |
| vaultwarden | Vaultwarden | 192.168.0.12 | BC:24:11:A8:44:A1 | LXC | ✅ Active |
| crafty-controller | Crafty Controller | 192.168.0.13 | BC:24:11:70:10:ff | LXC | ✅ Active |
| nextcloud | Nextcloud | 192.168.0.14 | 02:13:c9:35:9e:5d | VM | ✅ Active |
| home-assistant | Home Assistant | 192.168.0.15 | 02:46:0b:d8:35:7c | VM | ✅ Active |
| foundryvtt-frigate | Frigate NVR + FoundryVTT | 192.168.0.16 | bc:24:11:8a:bf:4d | Pop!_OS VM | ✅ Active |
| omv | OpenMediaVault (NAS) | 192.168.0.17 | bc:24:11:51:5a:a0 | VM | ✅ Active |
| irodori-wp | WordPress - Irodori | 192.168.0.18 | bc:24:11:42:70:2a | LXC | ✅ Active |
| dustin-wp | WordPress - Dustin | 192.168.0.19 | bc:24:11:7e:fc:ff | LXC | ✅ Active |

## User Devices - Computers (30-49)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| jamie-pc | Jamie's PC | 192.168.0.30 | 50:EB:F6:5A:71:F2 | Primary workstation |
| pop_os | Linux Gaming VM | 192.168.0.31 | bc:24:11:b2:20:b0 | |
| bambu-a1 | 3D Printer (Bambu A1) | 192.168.0.32 | 10:b4:1d:d7:02:2c | |
| harukas-laptop | Haruka's Laptop | 192.168.0.33 | a8:41:f4:8d:b9:5b | |
| printer | HP Printer | 192.168.0.34 | a8:b1:3b:01:c2:ce | |

## Mobile Devices (50-69)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| jamies-s23 | Jamie's Phone (S23) | 192.168.0.50 | 1a:de:e8:f1:a5:d3 | |
| harukas-s25 | Haruka's Phone (S25) | 192.168.0.51 | 4e:c7:f7:bc:f1:c5 | |
| tablet-a8 | Samsung Galaxy Tablet A8 | 192.168.0.52 | ee:a1:23:9f:1e:c5 | |
| lacey-ipad | Lacey's iPad | 192.168.0.53 | c6:5a:8c:6c:d6:cf | |

## TVs & Media Devices (70-79)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| livingroom-tv | Samsung TV | 192.168.0.70 | a0:d0:5b:c7:13:28 | |
| samsung-soundbar | Samsung Soundbar | 192.168.0.71 | b0:e4:5c:9e:ad:ca | Unconfirmed MAC |

## Temporary Holding — Pending IoT VLAN Migration (80-99)

These devices are on the main LAN but should be migrated to VLAN 20 (10.10.3.0/24). Parked in the 80-83 range for easy identification.

| Hostname | IP | MAC Address | Notes |
|----------|----|-------------|-------|
| tuya-unknown-a | 192.168.0.80 | c4:82:e1:b4:fd:a3 | Tuya device — identity unknown |
| tuya-unknown-b | 192.168.0.81 | 18:de:50:eb:27:30 | Tuya device — identity unknown |
| tuya-unknown-c | 192.168.0.82 | c4:82:e1:b4:f6:1d | Tuya device — identity unknown |
| tuya-unknown-d | 192.168.0.83 | b8:06:0d:96:d9:a4 | Tuya device — identity unknown |

## Network Infrastructure (100-119)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| unifi-os | UniFi OS Server | 192.168.0.100 | bc:24:11:8f:4d:4d | |
| u7-lite | UniFi U7 Lite AP | 192.168.0.159 | — | Pending static reservation |

## Hypervisors & Storage (120-139)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| proxmox-1 | Proxmox Server 1 | 192.168.0.120 | 10:ff:e0:11:46:9f | Primary hypervisor |
| proxmox-2 | Proxmox Server 2 | 192.168.0.121 | 74:d4:35:97:f4:9d | Secondary hypervisor |

## IoT Devices (VLAN 20 — 10.10.3.0/24)

All smart home devices are on the IoT network (SSID: IoTeePee). IPs are reserved via Kea DHCP on the IoT interface.

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| tapo-plug-a-p110 | Tapo P110 Smart Plug A | 10.10.3.2 | 40:ae:30:50:c8:62 | |
| tapo-bedside-l530 | Tapo Smart Bulb L530 - Bedside | 10.10.3.3 | 20:23:51:08:19:76 | |
| tapo-hub-h100 | Tapo Hub/Chime H100 | 10.10.3.4 | a8:29:48:88:84:d6 | Leak sensor connected directly to hub (no IP) |
| tapo-plug-b-p110 | Tapo P110 Smart Plug B | 10.10.3.6 | 40:ae:30:50:ce:78 | |
| tapo-porch-l530 | Tapo Smart Bulb L530 - Porch | 10.10.3.8 | 3c:64:cf:63:58:da | |
| tapo-hallway-b-l530 | Tapo Smart Bulb L530 - Hallway B | 10.10.3.9 | 40:ae:30:67:a2:46 | |
| yeelight-color4 | Yeelight Smart Bulb | 10.10.3.10 | 58:b6:23:41:e1:ff | |
| tapo-hallway-a-l530 | Tapo Smart Bulb L530 - Hallway A | 10.10.3.13 | f0:09:0d:b6:4a:8d | |
| tapo-bedroom-l530 | Tapo Smart Bulb L530 - Bedroom | 10.10.3.36 | b0:19:21:17:a7:c3 | |

**No IP — hub-connected:**

- Tapo Water Leak Sensor T300 (MAC: 20:23:51:d0:b1:7d) — wired to hub, no WiFi

## Security Cameras (VLAN 30 — 10.10.2.0/24)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| camera-garden | Tuya Camera - Garden | 10.10.2.2 | b8:fb:b3:7a:68:81 | |
| camera-backyard | Tuya Camera - Backyard | 10.10.2.3 | a8:b1:3b:01:c2:ce | |
| camera-living-room | Tuya Camera - Living Room | 10.10.2.4 | 58:04:4f:4a:d1:e1 | |
| camera-kitchen | Reolink Camera - Kitchen | 10.10.2.8 | 54:ef:33:bd:be:e0 | |
| camera-driveway | Reolink Camera - Driveway | 10.10.2.9 | e8:ca:c8:6d:b0:7f | |

## DHCP Configuration

### Current Settings

- **LAN DHCP Pool:** 192.168.0.150 - 192.168.0.200 (guest/unknown devices)
- **IoT DHCP Pool:** 10.10.3.0/24 (dynamic for non-reserved devices)
- **Camera DHCP Pool:** 10.10.2.0/24 (dynamic for non-reserved devices)

### DNS Settings

- **Primary DNS:** 192.168.0.11 (AdGuard Home)
- **Secondary DNS:** 192.168.0.1 (OPNsense fallback)

## VPN / Tailscale

| IP | MAC Address | Purpose |
|----|-------------|---------|
| 100.65.128.1 | e0:cb:19:60:87:70 | Tailscale VLAN device |
| 100.65.159.134 | bc:24:11:be:cf:af | Tailscale VLAN device (permanent) |

## Known Issues / Pending

- **u7-lite:** MAC address not yet confirmed — reservation at .159 has no MAC
- **Samsung Soundbar (.71):** MAC unconfirmed
- **Tuya devices (.80-.83):** On main LAN, need factory reset and migration to VLAN 20
- **Tapo app glitches:** Some devices may show incorrect info after VLAN migration — use OPNsense ARP table as source of truth

## Maintenance Tasks

- [ ] Identify and migrate tuya-unknown-a through -d to IoT VLAN 20
- [ ] Confirm UniFi U7 Lite MAC and update reservation
- [ ] Confirm Samsung Soundbar MAC
- [ ] Monthly: Review DHCP leases for unknown devices
- [ ] Quarterly: Audit static IP assignments and firmware

## Security Considerations

1. **Network Segmentation:** VLAN 20 (IoT) and VLAN 30 (Cameras) isolate untrusted devices
2. **Guest Network:** DHCP pool isolated from static devices
3. **Firewall Rules:** OPNsense enforces strict inter-VLAN rules
4. **DNS Filtering:** AdGuard Home with ad/tracker blocking
5. **Remote Access:** Tailscale VPN + Cloudflare Tunnel

## Backup Strategy

1. **OPNsense Configuration:** XML backup from web interface
2. **DHCP Reservations:** CSV exports (reservations_lan.csv, reservations_iot.csv, reservations_cameras.csv)
3. **Network Documentation:** This README

## Tools & Commands

```bash
# Verify subnet IDs before running import script
curl -s -u "apikey:apisecret" -k https://192.168.0.1/api/kea/dhcpv4/searchSubnet

# Scan network
nmap -sn 192.168.0.0/24
nmap -sn 10.10.3.0/24
nmap -sn 10.10.2.0/24

# Check ARP table
arp -a
```

## Configuration Files

- `reservations_lan.csv` — Main LAN (192.168.0.0/24) DHCP reservations
- `reservations_iot.csv` — IoT VLAN (10.10.3.0/24) DHCP reservations
- `reservations_cameras.csv` — Camera VLAN (10.10.2.0/24) DHCP reservations
- `import_reservations.sh` — Bulk import script for OPNsense Kea DHCP API
- `opnsense-config.xml` — OPNsense configuration backup (not in repo)

---

**Last Updated:** June 2026