Networking/README.md
2026-06-22 06:39:42 +00:00

Home Network Infrastructure Documentation

Overview

This documentation covers the complete home network setup including IP allocation scheme, DHCP reservations, VLANs, and device inventory for a 192.168.0.0/24 network managed by OPNsense.

Network: 192.168.0.0/24
Router: OPNsense at 192.168.0.1
Last Updated: June 2026

Network Architecture

Core Infrastructure

  • Router/Firewall: OPNsense (192.168.0.1)
  • DNS/Ad Blocking: AdGuard Home (192.168.0.11)
  • Reverse Proxy: Nginx Proxy Manager (192.168.0.10)
  • VPN: Tailscale integration

IP Allocation Scheme

192.168.0.1         - OPNsense Router
192.168.0.2-9       - Reserved for future infrastructure
192.168.0.10-29     - Core Services (VMs/Containers)
192.168.0.30-49     - User Computers & Laptops
192.168.0.50-69     - Mobile Devices & Tablets
192.168.0.70-79     - TVs & Media Devices
192.168.0.80-99     - Temporary holding (pending IoT VLAN migration)
192.168.0.100-119   - Network Infrastructure (APs, switches)
192.168.0.120-139   - Hypervisors & Storage
192.168.0.140-149   - Reserved for expansion
192.168.0.150-200   - DHCP Pool (Guest devices only)
192.168.0.201-254   - Future expansion

VLAN Structure

| Network | Subnet | VLAN | SSID | Purpose |
|---|---|---|---|---|
| Main LAN | 192.168.0.0/24 | (none) | TeePee | General devices, VMs, servers |
| IoT Devices | 10.10.3.0/24 | 20 | IoTeePee | Smart home, bulbs, plugs, sensors |
| Security Cameras | 10.10.2.0/24 | 30 | Cameras | IP cameras |

Firewall Rules

  • IoT VLAN (20): Devices can reach the internet and Home Assistant (192.168.0.15) only. All other VLAN access is blocked.
  • Camera VLAN (30): Devices can reach the internet, Home Assistant (192.168.0.15), and the Frigate/FoundryVTT VM (192.168.0.16) only.
  • Main LAN: Unrestricted access to all VLANs and the internet.

Infrastructure - Core Services (10-29)

| Hostname | Service | IP | MAC Address | Type | Status |
|---|---|---|---|---|---|
| docker | Docker LXC (NPM + services) | 192.168.0.10 | BC:24:11:5b:1d:a2 | LXC | Active |
| adguard | AdGuard Home | 192.168.0.11 | BC:24:11:47:27:43 | LXC | Active |
| vaultwarden | Vaultwarden | 192.168.0.12 | BC:24:11:A8:44:A1 | LXC | Active |
| crafty-controller | Crafty Controller | 192.168.0.13 | BC:24:11:70:10:ff | LXC | Active |
| nextcloud | Nextcloud | 192.168.0.14 | 02:13:c9:35:9e:5d | VM | Active |
| home-assistant | Home Assistant | 192.168.0.15 | 02:46:0b:d8:35:7c | VM | Active |
| foundryvtt-frigate | Frigate NVR + FoundryVTT | 192.168.0.16 | bc:24:11:8a:bf:4d | Pop!_OS VM | Active |
| omv | OpenMediaVault (NAS) | 192.168.0.17 | bc:24:11:51:5a:a0 | VM | Active |
| irodori-wp | WordPress - Irodori | 192.168.0.18 | bc:24:11:42:70:2a | LXC | Active |
| dustin-wp | WordPress - Dustin | 192.168.0.19 | bc:24:11:7e:fc:ff | LXC | Active |

User Devices - Computers (30-49)

| Hostname | Device | IP | MAC Address | Notes |
|---|---|---|---|---|
| jamie-pc | Jamie's PC | 192.168.0.30 | 50:EB:F6:5A:71:F2 | Primary workstation |
| pop_os | Linux Gaming VM | 192.168.0.31 | bc:24:11:b2:20:b0 | |
| bambu-a1 | 3D Printer (Bambu A1) | 192.168.0.32 | 10:b4:1d:d7:02:2c | |
| harukas-laptop | Haruka's Laptop | 192.168.0.33 | a8:41:f4:8d:b9:5b | |
| printer | HP Printer | 192.168.0.34 | a8:b1:3b:01:c2:ce | |

Mobile Devices (50-69)

| Hostname | Device | IP | MAC Address | Notes |
|---|---|---|---|---|
| jamies-s23 | Jamie's Phone (S23) | 192.168.0.50 | 1a:de:e8:f1:a5:d3 | |
| harukas-s25 | Haruka's Phone (S25) | 192.168.0.51 | 4e:c7:f7:bc:f1:c5 | |
| tablet-a8 | Samsung Galaxy Tablet A8 | 192.168.0.52 | ee:a1:23:9f:1e:c5 | |
| lacey-ipad | Lacey's iPad | 192.168.0.53 | c6:5a:8c:6c:d6:cf | |

TVs & Media Devices (70-79)

| Hostname | Device | IP | MAC Address | Notes |
|---|---|---|---|---|
| livingroom-tv | Samsung TV | 192.168.0.70 | a0:d0:5b:c7:13:28 | |
| samsung-soundbar | Samsung Soundbar | 192.168.0.71 | b0:e4:5c:9e:ad:ca | Unconfirmed MAC |

Temporary Holding — Pending IoT VLAN Migration (80-99)

These devices are on the main LAN but should be migrated to VLAN 20 (10.10.3.0/24). Parked in the 80-83 range for easy identification.

| Hostname | IP | MAC Address | Notes |
|---|---|---|---|
| tuya-unknown-a | 192.168.0.80 | c4:82:e1:b4:fd:a3 | Tuya device — identity unknown |
| tuya-unknown-b | 192.168.0.81 | 18:de:50:eb:27:30 | Tuya device — identity unknown |
| tuya-unknown-c | 192.168.0.82 | c4:82:e1:b4:f6:1d | Tuya device — identity unknown |
| tuya-unknown-d | 192.168.0.83 | b8:06:0d:96:d9:a4 | Tuya device — identity unknown |

Network Infrastructure (100-119)

| Hostname | Device | IP | MAC Address | Notes |
|---|---|---|---|---|
| unifi-os | UniFi OS Server | 192.168.0.100 | bc:24:11:8f:4d:4d | |
| u7-lite | UniFi U7 Lite AP | 192.168.0.159 | | Pending static reservation |

Hypervisors & Storage (120-139)

| Hostname | Device | IP | MAC Address | Notes |
|---|---|---|---|---|
| proxmox-1 | Proxmox Server 1 | 192.168.0.120 | 10:ff:e0:11:46:9f | Primary hypervisor |
| proxmox-2 | Proxmox Server 2 | 192.168.0.121 | 74:d4:35:97:f4:9d | Secondary hypervisor |

IoT Devices (VLAN 20 — 10.10.3.0/24)

All smart home devices are on the IoT network (SSID: IoTeePee). IPs are reserved via Kea DHCP on the IoT interface.

| Hostname | Device | IP | MAC Address | Notes |
|---|---|---|---|---|
| tapo-plug-a-p110 | Tapo P110 Smart Plug A | 10.10.3.2 | 40:ae:30:50:c8:62 | |
| tapo-bedside-l530 | Tapo Smart Bulb L530 - Bedside | 10.10.3.3 | 20:23:51:08:19:76 | |
| tapo-hub-h100 | Tapo Hub/Chime H100 | 10.10.3.4 | a8:29:48:88:84:d6 | Leak sensor connected directly to hub (no IP) |
| tapo-plug-b-p110 | Tapo P110 Smart Plug B | 10.10.3.6 | 40:ae:30:50:ce:78 | |
| tapo-porch-l530 | Tapo Smart Bulb L530 - Porch | 10.10.3.8 | 3c:64:cf:63:58:da | |
| tapo-hallway-b-l530 | Tapo Smart Bulb L530 - Hallway B | 10.10.3.9 | 40:ae:30:67:a2:46 | |
| yeelight-color4 | Yeelight Smart Bulb | 10.10.3.10 | 58:b6:23:41:e1:ff | |
| tapo-hallway-a-l530 | Tapo Smart Bulb L530 - Hallway A | 10.10.3.13 | f0:09:0d:b6:4a:8d | |
| tapo-bedroom-l530 | Tapo Smart Bulb L530 - Bedroom | 10.10.3.36 | b0:19:21:17:a7:c3 | |

No IP — hub-connected:

  • Tapo Water Leak Sensor T300 (MAC: 20:23:51:d0:b1:7d) — wired to hub, no WiFi

Security Cameras (VLAN 30 — 10.10.2.0/24)

| Hostname | Device | IP | MAC Address | Notes |
|---|---|---|---|---|
| camera-garden | Tuya Camera - Garden | 10.10.2.2 | b8:fb:b3:7a:68:81 | |
| camera-backyard | Tuya Camera - Backyard | 10.10.2.3 | a8:b1:3b:01:c2:ce | |
| camera-living-room | Tuya Camera - Living Room | 10.10.2.4 | 58:04:4f:4a:d1:e1 | |
| camera-kitchen | Reolink Camera - Kitchen | 10.10.2.8 | 54:ef:33:bd:be:e0 | |
| camera-driveway | Reolink Camera - Driveway | 10.10.2.9 | e8:ca:c8:6d:b0:7f | |

DHCP Configuration

Current Settings

  • LAN DHCP Pool: 192.168.0.150 - 192.168.0.200 (guest/unknown devices)
  • IoT DHCP Pool: 10.10.3.0/24 (dynamic for non-reserved devices)
  • Camera DHCP Pool: 10.10.2.0/24 (dynamic for non-reserved devices)

DNS Settings

  • Primary DNS: 192.168.0.11 (AdGuard Home)
  • Secondary DNS: 192.168.0.1 (OPNsense fallback)

VPN / Tailscale

| IP | MAC Address | Purpose |
|---|---|---|
| 100.65.128.1 | e0:cb:19:60:87:70 | Tailscale VLAN device |
| 100.65.159.134 | bc:24:11:be:cf:af | Tailscale VLAN device (permanent) |

Known Issues / Pending

  • u7-lite: MAC address not yet confirmed — reservation at .159 has no MAC
  • Samsung Soundbar (.71): MAC unconfirmed
  • Tuya devices (.80-.83): On main LAN, need factory reset and migration to VLAN 20
  • Tapo app glitches: Some devices may show incorrect info after VLAN migration — use OPNsense ARP table as source of truth

Maintenance Tasks

  • Identify and migrate tuya-unknown-a through -d to IoT VLAN 20
  • Confirm UniFi U7 Lite MAC and update reservation
  • Confirm Samsung Soundbar MAC
  • Monthly: Review DHCP leases for unknown devices
  • Quarterly: Audit static IP assignments and firmware
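
One way to run the quarterly static-assignment audit against the allocation scheme above (an added example, not part of this repository). The rows are copied from this README's tables; the tuple layout and the range labels are assumptions, since the CSV column format is not shown here.

```python
import ipaddress
from collections import defaultdict

# Allocation scheme from this README: label -> (first, last) final octet.
RANGES = {
    "core": (10, 29), "computers": (30, 49), "mobile": (50, 69),
    "media": (70, 79), "holding": (80, 99), "infra": (100, 119),
    "hypervisors": (120, 139),
}
LAN = ipaddress.ip_network("192.168.0.0/24")
DHCP_POOL = (150, 200)  # guest-only dynamic pool

# Sample rows copied from the tables in this README, as
# (hostname, ip, mac, expected range label). Empty MAC = unconfirmed.
SAMPLE = [
    ("adguard", "192.168.0.11", "BC:24:11:47:27:43", "core"),
    ("printer", "192.168.0.34", "a8:b1:3b:01:c2:ce", "computers"),
    ("u7-lite", "192.168.0.159", "", "infra"),
    ("proxmox-1", "192.168.0.120", "10:ff:e0:11:46:9f", "hypervisors"),
    ("camera-backyard", "10.10.2.3", "a8:b1:3b:01:c2:ce", None),
]

def audit(rows):
    """Return a sorted list of (hostname, finding) tuples."""
    findings, by_mac, by_ip = [], defaultdict(list), defaultdict(list)
    for host, ip, mac, label in rows:
        addr = ipaddress.ip_address(ip)
        by_ip[addr].append(host)
        if mac:
            by_mac[mac.lower()].append(host)  # MACs compare case-insensitively
        else:
            findings.append((host, "no MAC on reservation"))
        if addr not in LAN or label is None:
            continue  # range checks apply to the main LAN only
        octet = int(addr) & 0xFF
        if DHCP_POOL[0] <= octet <= DHCP_POOL[1]:
            findings.append((host, "static address inside DHCP pool"))
        lo, hi = RANGES[label]
        if not lo <= octet <= hi:
            findings.append((host, f"outside {label} range .{lo}-.{hi}"))
    for seen, what in ((by_mac, "MAC"), (by_ip, "IP")):
        for key, hosts in seen.items():
            if len(hosts) > 1:
                findings += [(h, f"duplicate {what} {key}") for h in hosts]
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in audit(SAMPLE):
        print(f"{host}: {finding}")
```

On these rows it reports u7-lite (no MAC, address inside the guest pool and outside .100-.119) and the MAC listed for both printer and camera-backyard.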

Security Considerations

  1. Network Segmentation: VLAN 20 (IoT) and VLAN 30 (Cameras) isolate untrusted devices
  2. Guest Network: DHCP pool isolated from static devices
  3. Firewall Rules: OPNsense enforces strict inter-VLAN rules
  4. DNS Filtering: AdGuard Home with ad/tracker blocking
  5. Remote Access: Tailscale VPN + Cloudflare Tunnel

Backup Strategy

  1. OPNsense Configuration: XML backup from web interface
  2. DHCP Reservations: CSV exports (reservations_lan.csv, reservations_iot.csv, reservations_cameras.csv)
  3. Network Documentation: This README

Tools & Commands

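```bash
# Verify subnet IDs before running import script.
# "apikey:apisecret" is a placeholder for the OPNsense API key pair;
# -k skips TLS certificate verification for the router's certificate.
curl -s -u "apikey:apisecret" -k https://192.168.0.1/api/kea/dhcpv4/searchSubnet

# Scan network (ping sweep of each subnet, no port scan)
nmap -sn 192.168.0.0/24
nmap -sn 10.10.3.0/24
nmap -sn 10.10.2.0/24

# Check ARP table
arp -a
```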

Configuration Files

  • reservations_lan.csv — Main LAN (192.168.0.0/24) DHCP reservations
  • reservations_iot.csv — IoT VLAN (10.10.3.0/24) DHCP reservations
  • reservations_cameras.csv — Camera VLAN (10.10.2.0/24) DHCP reservations
  • import_reservations.sh — Bulk import script for OPNsense Kea DHCP API
  • opnsense-config.xml — OPNsense configuration backup (not in repo)
