# Home Network Infrastructure Documentation

## Overview

This documentation covers the complete home network setup including IP allocation scheme, DHCP reservations, VLANs, and device inventory for a 192.168.0.0/24 network managed by OPNsense.

**Network:** 192.168.0.0/24

**Router:** OPNsense at 192.168.0.1

**Last Updated:** June 1, 2026

## Network Architecture

### Core Infrastructure

- **Router/Firewall:** OPNsense (192.168.0.1)
- **DNS/Ad Blocking:** AdGuard Home (192.168.0.11)
- **Reverse Proxy:** Nginx Proxy Manager (192.168.0.10)
- **VPN:** Tailscale integration

### IP Allocation Scheme

```
192.168.0.1       - OPNsense Router
192.168.0.2-9     - Reserved for future infrastructure
192.168.0.10-29   - Core Services (VMs/Containers)
192.168.0.30-49   - User Computers & Laptops
192.168.0.50-69   - Mobile Devices & Tablets
192.168.0.70-79   - TVs & Media Devices
192.168.0.80-99   - Available (IoT devices migrated to VLAN 20)
192.168.0.100-119 - Network Infrastructure (APs, switches)
192.168.0.120-139 - Hypervisors & Storage
192.168.0.140-149 - Reserved for expansion
192.168.0.150-200 - DHCP Pool (Guest devices only)
192.168.0.201-254 - Future expansion
```

### VLAN Structure

| Network | Subnet | VLAN | SSID | Purpose |
|---------|--------|------|------|---------|
| **Main LAN** | 192.168.0.0/24 | (none) | TeePee | General devices, VMs, servers |
| **IoT Devices** | 10.10.3.0/24 | 20 | IoTeePee | Smart home, bulbs, plugs, sensors |
| **Security Cameras** | 10.10.2.0/24 | 30 | Cameras | IP cameras (wired, pending migration) |

### Firewall Rules

- **IoT VLAN (20):** Devices can reach the internet and Home Assistant (192.168.0.15) only. All other VLAN access is blocked.
- **Camera VLAN (30):** Devices can reach the internet, Home Assistant (192.168.0.15), and the Frigate/FoundryVTT VM (192.168.0.16) only.
- **Main LAN:** Unrestricted access to all VLANs and the internet.
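The inter-VLAN policy above can be written down as a small model and checked against a table of flows, which gives a regression list to replay after any rule change. This is an added example, not part of the OPNsense configuration; the sample client addresses and the reading of "the internet" as globally routable addresses only are assumptions.

```python
import ipaddress

# Networks and hosts as documented on this page.
MAIN_LAN = ipaddress.ip_network("192.168.0.0/24")
IOT = ipaddress.ip_network("10.10.3.0/24")        # VLAN 20
CAMERAS = ipaddress.ip_network("10.10.2.0/24")    # VLAN 30
HA = ipaddress.ip_address("192.168.0.15")         # Home Assistant
FRIGATE = ipaddress.ip_address("192.168.0.16")    # Frigate/FoundryVTT VM

# Internal hosts each restricted VLAN may reach; all other internal targets are blocked.
ALLOWED_INTERNAL = {IOT: {HA}, CAMERAS: {HA, FRIGATE}}

def evaluate(src, dst):
    """Verdict for a new connection: 'pass', 'block', or 'local' (never routed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in MAIN_LAN:
        return "local" if d in MAIN_LAN else "pass"   # Main LAN is unrestricted
    for net, allowed in ALLOWED_INTERNAL.items():
        if s in net:
            if d in net:
                return "local"    # same subnet: switched, the firewall never sees it
            if d in allowed:
                return "pass"
            # Assumption: "the internet" means globally routable addresses only.
            return "pass" if d.is_global else "block"
    return "block"                # unknown source network: default deny

# Constructed flows with the verdict the documented policy implies.
EXPECTED = [
    ("10.10.3.25", "192.168.0.15", "pass"),     # IoT -> Home Assistant
    ("10.10.3.25", "192.168.0.16", "block"),    # IoT -> Frigate VM
    ("10.10.3.25", "192.168.0.11", "block"),    # IoT -> AdGuard on the main LAN
    ("10.10.3.25", "10.10.2.40", "block"),      # IoT -> camera VLAN
    ("10.10.3.25", "1.1.1.1", "pass"),          # IoT -> internet
    ("10.10.2.40", "192.168.0.16", "pass"),     # camera -> Frigate VM
    ("10.10.2.40", "192.168.0.17", "block"),    # camera -> NAS
    ("10.10.2.40", "100.65.159.134", "block"),  # camera -> Tailscale address
    ("192.168.0.30", "10.10.3.25", "pass"),     # main LAN -> IoT
]

def mismatches(flows=EXPECTED):
    """Flows where the model disagrees with the expected verdict."""
    return [(s, d, want, evaluate(s, d)) for s, d, want in flows
            if evaluate(s, d) != want]

if __name__ == "__main__":
    for s, d, _ in EXPECTED:
        print(f"{s:>13} -> {d:<15} {evaluate(s, d)}")
    print("mismatches:", mismatches())
```

Under the rules as written, an IoT or camera client cannot reach AdGuard Home at 192.168.0.11, so those VLANs need a resolver they are allowed to reach.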
## Infrastructure - Core Services (10-29)

| Hostname | Service | IP | MAC Address | Type | Status |
|----------|---------|-----|-------------|------|--------|
| npm | Nginx Proxy Manager | 192.168.0.10 | bc:24:11:5b:1d:a2 | Docker | ✅ Active |
| adguard | AdGuard Home | 192.168.0.11 | BC:24:11:47:27:43 | LXC | ✅ Active |
| vaultwarden | Vaultwarden | 192.168.0.12 | BC:24:11:A8:44:A1 | LXC | ✅ Active |
| nextcloud | Nextcloud | 192.168.0.14 | 02:99:5b:4c:b3:e6 | VM | ✅ Active |
| homeassistant | Home Assistant | 192.168.0.15 | 02:46:0b:d8:35:7c | VM | ✅ Active |
| foundryvtt-frigate | Frigate (NVR) + FoundryVTT | 192.168.0.16 | bc:24:11:ad:cb:f6 | Pop!_OS VM | ✅ Active |
| openmediavault | OpenMediaVault (NAS) | 192.168.0.17 | bc:24:11:2c:68:58 | VM | ✅ Active |
| wordpress-irodori | WordPress - Irodori | 192.168.0.18 | bc:24:11:42:70:2a | VM | ✅ Active |
| wordpress-dustin | WordPress - Dustin | 192.168.0.19 | bc:24:11:7e:fc:ff | VM | ✅ Active |

## User Devices - Computers (30-49)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| jamiepc | Jamie's PC | 192.168.0.30 | 50:eb:f6:5a:71:f2 | Primary workstation |
| 3d-printer | 3D Printer (Bambu A1) | 192.168.0.32 | 10:b4:1d:d7:02:2c | Network printer |
| haruka-laptop | Haruka's Laptop | 192.168.0.33 | a8:41:f4:8d:b9:5b | Laptop |
| hp-printer | HP Printer | 192.168.0.34 | a8:b1:3b:01:c2:ce | Network printer |

## Mobile Devices (50-69)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| jamie-phone | Jamie's Mobile (S23) | 192.168.0.50 | 1a:de:e8:f1:a5:d3 | Samsung Galaxy S23 |
| haruka-phone | Haruka's Mobile (S25) | 192.168.0.51 | 4e:c7:f7:bc:f1:c5 | Samsung Galaxy S25 |
| samsung-tablet | Samsung Galaxy Tablet | 192.168.0.52 | ee:a1:23:9f:1e:c5 | Tablet |

## TVs & Media Devices (70-79)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| unknown-media | Unknown Media Device | 192.168.0.71 | a0:d0:5b:c7:13:28 | Likely TV or streaming |

## IoT Devices (VLAN 20 — 10.10.3.0/24)

All smart home devices have been migrated from the main LAN (192.168.0.80-94) to the IoT network (10.10.3.0/24, VLAN 20, SSID: IoTeePee). They now receive dynamic IPs via DHCP on the IoT interface. Static IPs are no longer assigned.

| Hostname | Device | MAC Address | Notes |
|----------|--------|-------------|-------|
| tapo-hub-h100 | Tapo Hub/Chime H100 | a8:29:48:88:84:d6 | Smart home hub |
| tapo-leak-t300 | Tapo Water Leak Sensor T300 | 20:23:51:d0:b1:7d | Battery powered |
| tapo-bedside-l530 | Tapo Smart Bulb L530 - Bedside | 20:23:51:08:19:76 | Smart bulb |
| tapo-bedroom-l530 | Tapo Smart Bulb L530 - Bedroom | b0:19:21:17:a7:c3 | Smart bulb |
| tapo-hallway-a-l530 | Tapo Smart Bulb L530 - Hallway A | f0:09:0d:b6:4a:8d | Smart bulb |
| tapo-hallway-b-l530 | Tapo Smart Bulb L530 - Hallway B | 40:ae:30:67:a2:46 | Smart bulb |
| tapo-porch-l530 | Tapo Smart Bulb L530 - Porch | 3c:64:cf:63:58:da | Smart bulb |
| tapo-plug-a-p110 | Tapo P110 Smart Plug | 40:ae:30:50:c8:62 | Power monitoring |
| tapo-plug-b-p110 | Tapo P110 Smart Plug | b0:19:21:17:a5:7e | Power monitoring |
| yeelight-color4 | Yeelight Smart Bulb | 58:b6:23:41:e1:ff | Smart bulb |
| reolink-kitchen | Reolink E1 Camera - Kitchen | 54:ef:33:bd:be:e0 | Security camera |
| reolink-outdoor | Reolink Camera - Outdoor | e8:ca:c8:6d:b0:7f | Security camera |
| TPC100 | Tuya Backyard Camera | a8:b1:3b:01:c2:ce | Backyard Camera |
| TPC100 | Tuya Living Room Camera | 58-04-4F-4A-D1-E1 | Living Room Camera |
| TPC120 | Tuya Garden Camera | B8-FB-B3-7A-68-81 | Garden Camera |

### Pending Camera Migration (VLAN 30 — 10.10.2.0/24)

The three IP cameras (TPC100 backyard, TPC100 living room, TPC120 garden — formerly 192.168.0.92, .93, .94) will be migrated to the Camera network (10.10.2.0/24, VLAN 30) once physically reconnected. Until then, they remain on the IoT network (VLAN 20).
## Network Infrastructure (100-119)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| u7-lite | UniFi U7 Lite AP | 192.168.0.159 | — | Managed by UniFi OS controller; pending static DHCP reservation |

## Hypervisors & Storage (120-139)

| Hostname | Device | IP | MAC Address | Notes |
|----------|--------|-----|-------------|-------|
| proxmox-1 | Proxmox Server 1 | 192.168.0.120 | 10:ff:e0:11:46:9f | Primary hypervisor |
| proxmox-2 | Proxmox Server 2 | 192.168.0.121 | 74:d4:35:97:f4:9d | Secondary hypervisor |

## DHCP Configuration

### Current Settings

- **DHCP Pool:** 192.168.0.150 - 192.168.0.200 (51 addresses)
- **Purpose:** Guest devices and temporary connections
- **Static Reservations:** 20 devices with confirmed MACs

### DNS Settings

- **Primary DNS:** 192.168.0.11 (AdGuard Home)
- **Secondary DNS:** 192.168.0.1 (OPNsense fallback)

## VPN / Tailscale

| IP | MAC Address | Purpose |
|----|-------------|---------|
| 100.65.128.1 | e0:cb:19:60:87:70 | Tailscale VLAN device |
| 100.65.159.134 | bc:24:11:be:cf:af | Tailscale VLAN device (permanent) |

## Network Statistics

- **Total Active Devices:** 33
- **VMs/Containers:** 10
- **User Computers:** 5 (3 PCs + 2 printers)
- **Mobile Devices:** 3 (2 phones + 1 tablet)
- **TVs & Media:** 3
- **Smart Home/IoT:** 15 (9 Tapo + 1 Yeelight + 2 Reolink + 3 Tuya) — all on VLAN 20
- **Network Infrastructure:** 1 (UniFi U7 Lite AP)
- **Hypervisors:** 2
- **Static Assignments:** 20 devices
- **DHCP Pool Size:** 51 addresses

## Known Issues

### Tapo App Issues

- Some Tapo devices may show incorrect info in app after VLAN migration
- **3D printer plug:** App showing wrong MAC, verify after print finishes
- **Resolution:** Use OPNsense ARP table MACs as source of truth

### Devices Needing Attention

- Factory reset recommended for Tapo devices showing app glitches after VLAN migration

## Maintenance Tasks

### Regular Tasks

- [ ] Monthly: Review DHCP leases for new unknown devices
- [ ] Quarterly: Audit static IP assignments
- [ ] Quarterly: Update device firmware (routers, APs, cameras)
- [ ] Yearly: Review and optimize IP allocation scheme

### Pending Tasks

- [ ] Factory reset Tapo devices with app issues

## Security Considerations

1. **Network Segmentation:** VLAN 20 (IoT) and VLAN 30 (Cameras) isolate untrusted devices from the main LAN
2. **Guest Network:** DHCP pool isolated from static devices
3. **Firewall Rules:** OPNsense enforces strict inter-VLAN rules — IoT can only reach HA; Cameras can only reach HA and Frigate/FoundryVTT
4. **DNS Filtering:** AdGuard Home provides ad/tracker blocking
5. **Remote Access:** Tailscale VPN for secure remote access

## Backup Strategy

### What to Backup

1. **OPNsense Configuration:** XML backup from web interface
2. **DHCP Reservations:** CSV export (included in this repo)
3. **Network Documentation:** This README and related files
4. **AdGuard Home Config:** Settings and filter lists

## Migration Notes

## Troubleshooting

### Device Not Getting Reserved IP

1. Check MAC address in router's ARP table
2. Verify DHCP reservation exists
3. Release/renew DHCP lease on device
4. Check for MAC address conflicts

### Cannot Access Device

1. Verify device is online (ping IP)
2. Check if device changed MAC (WiFi vs Ethernet)
3. Review firewall rules in OPNsense
4. Check DNS resolution in AdGuard Home

### IoT Device Issues

1. Tapo devices: Check app vs ARP table for correct MAC
2. Battery devices (water sensor): Won't always appear in ARP
3. For offline devices: Power cycle or factory reset

## Tools & Commands

### Identify Device by MAC

```bash
# Online MAC lookup
curl -s "https://api.macvendors.com/5c:62:8b:8d:cb:d6"

# Or use OUI lookup
# First 6 characters (3 octets) identify manufacturer
```

### Scan Network

```bash
# Using nmap
nmap -sn 192.168.0.0/24

# Using arp-scan (more reliable)
sudo arp-scan --interface=eth0 192.168.0.0/24
```

### Check Current IP/MAC

```bash
# View ARP table
arp -a

# Or on OPNsense
arp -an | grep 192.168.0
```

---

**Configuration Files:**

- `dhcp-reservations.csv` - DHCP static assignments export
- `Network Inventory.docx` - Human-readable network map
- `opnsense-config.xml` - OPNsense configuration backup (not in repo)

**Last Updated:** June 1, 2026
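For the quarterly audit of static assignments and the "Check for MAC address conflicts" troubleshooting step, the inventory can be checked mechanically. This is an added example, not a script from this repo: the rows are copied from the tables above, but the column layout of `dhcp-reservations.csv` and the group names are assumptions.

```python
import csv
import io
from collections import defaultdict

# Last-octet ranges from the IP Allocation Scheme above (inclusive).
RANGES = {"core": (10, 29), "computers": (30, 49), "mobile": (50, 69),
          "media": (70, 79), "infrastructure": (100, 119), "hypervisors": (120, 139)}

# Rows copied from this page's tables; the CSV column layout is an assumption.
SAMPLE_CSV = """hostname,ip,mac,group
adguard,192.168.0.11,BC:24:11:47:27:43,core
nextcloud,192.168.0.14,02:99:5b:4c:b3:e6,core
hp-printer,192.168.0.34,a8:b1:3b:01:c2:ce,computers
jamie-phone,192.168.0.50,1a:de:e8:f1:a5:d3,mobile
u7-lite,192.168.0.159,,infrastructure
TPC100,,a8:b1:3b:01:c2:ce,iot
TPC120,,B8-FB-B3-7A-68-81,iot
"""

def normalize_mac(mac):
    """Lower-case, colon-separated form; '' if the value is not a 48-bit MAC."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return ""
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(csv_text):
    """Return (host, finding) tuples for entries that need a second look."""
    findings, by_mac = [], defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, mac = row["hostname"], normalize_mac(row["mac"])
        if not mac:
            findings.append((host, "missing or malformed MAC"))
        else:
            by_mac[mac].append(host)
            if int(mac[:2], 16) & 0x02:  # not a vendor OUI: VM or private Wi-Fi MAC
                findings.append((host, "locally administered MAC"))
        if row["ip"] and row["group"] in RANGES:
            lo, hi = RANGES[row["group"]]
            if not lo <= int(row["ip"].rsplit(".", 1)[1]) <= hi:
                findings.append((host, f"IP outside {row['group']} range .{lo}-.{hi}"))
    for mac, hosts in by_mac.items():
        if len(hosts) > 1:
            findings.append(("/".join(hosts), f"duplicate MAC {mac}"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_CSV):
        print(f"{host}: {finding}")
```

On these rows it reports the MAC shared by `hp-printer` and the Tuya backyard camera, and `u7-lite` sitting in the guest DHCP pool rather than the 100-119 block. A reservation keyed to a locally administered MAC stops matching if the device or hypervisor regenerates that address.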