jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add AdGuard DNS setup with automatic failover documentation

Browse Source 
- docs/16-ADGUARD-VLAN-PLAN.md: Implementation plan for AdGuard on VLANs
- docs/17-DNS-ADGUARD-FAILOVER.md: Complete DNS architecture with:
  - Dual AdGuard setup (MikroTik primary, Unraid secondary)
  - Automatic failover via Netwatch monitoring
  - NAT redirect rules for all VLANs
  - Sync configuration between instances
- docs/wip/CONSOLE-PORT-ETHER5.md: WIP plan for dedicated console port

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Kaloyan Danchev
2026-01-31 17:22:18 +02:00
parent 70fa8c0654
commit 4b766145b4
3 changed files with 989 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
docs/wip/CONSOLE-PORT-ETHER5.md Normal file
View File

@@ -0,0 +1,110 @@
# WIP: Dedicated Console Port on ether5
**Status:** Pending consideration
**Created:** 2026-01-31
**Purpose:** Emergency management access independent of VLAN configuration
---
## Rationale
If VLAN or bridge configuration breaks, having a dedicated port with static IP provides guaranteed router access without relying on the main network setup.
---
## Current State
| Port | Current Use | PVID |
|------|-------------|------|
| ether5 | Unraid eth2 (bond member) | 10 |
---
## Proposed Configuration
### Remove ether5 from Bridge
```routeros
# Backup first
/system backup save name=pre-console-port
# Remove from bridge
/interface bridge port remove [find interface=ether5]
```
### Assign Static IP
```routeros
# Isolated subnet - not used by any VLAN
/ip address add address=192.168.99.1/24 interface=ether5 comment="Console Port - Emergency Access"
```
### Firewall Rule
```routeros
# Allow all management traffic from console port
/ip firewall filter add chain=input action=accept in-interface=ether5 \
comment="Console Port - Allow All" place-before=0
```
---
## Access Instructions
1. Connect laptop directly to **ether5** (rightmost port on hAP ax³)
2. Configure laptop with static IP:
- IP: `192.168.99.2`
- Netmask: `255.255.255.0`
- Gateway: `192.168.99.1`
3. Access router:
- **WinBox:** 192.168.99.1:8291
- **SSH:** `ssh -p 2222 xtrm@192.168.99.1`
- **WebFig:** http://192.168.99.1
---
## Impact Assessment
### Pros
- Always-available management access
- Independent of bridge/VLAN state
- Works even if filtering misconfigured
### Cons
- Loses one port from bridge (ether5)
- Unraid bonding reduced to single link (ether4 only)
- Physical security concern (anyone plugging in gets router access)
---
## Alternatives
### Option A: Use ether5 (Current Proposal)
- Simple, dedicated port
- Sacrifices Unraid bond member
### Option B: Use ether2 (CAP XL ac port)
- CAP currently on ether2
- Would need to move CAP to switch port
- More complex but preserves Unraid bond
### Option C: Separate VLAN for Management
- Keep ether5 in bridge
- Create untagged management VLAN on ether5
- More complex but keeps port in bridge
---
## Decision
- [ ] Implement Option A (ether5 dedicated)
- [ ] Implement Option B (move CAP)
- [ ] Implement Option C (management VLAN)
- [ ] Defer - not needed
---
**Notes:**
- Consider physical labeling of port if implemented
- Document in network map
- Keep emergency access instructions printed/offline