Restructure docs: archive VLAN migration, update IPs to VLAN 10
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful

Major documentation cleanup after VLAN migration completion:
- Archive 12 VLAN project docs to archive/vlan-migration/
- Archive 5 done WIP docs (VLAN proposals, AI stack, Fossorial, DNS backup)
- Create standing reference docs 08-DNS-ARCHITECTURE and 09-TAILSCALE-VPN
- Renumber docs to clean 01-09 sequence with merged CHANGELOG
- Update all active docs from stale 192.168.31.x to current VLAN 10 IPs
- Fix CSS1 (.10.9→.10.3) and ZX1 (.10.7→.10.4) IPs in hardware inventory
- Clean 06-VLAN-DEVICE-ASSIGNMENT: remove migration columns/sections, fix VLAN 25 subnet

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kaloyan Danchev
2026-02-06 12:45:16 +02:00
parent 81f2f03400
commit ec9659d0cb
34 changed files with 1145 additions and 631 deletions


@@ -49,12 +49,16 @@ infrastructure/
└── docs/
├── 01-NETWORK-MAP.md # Network topology
├── 02-SERVICES-CRITICAL.md # P0/P1 services (DNS, Auth, Proxy)
├── 02-PORT-UTILIZATION.md # Device port assignments
├── 03-SERVICES-OTHER.md # Non-critical services
├── 03-VLAN-DEVICE-ASSIGNMENT.md # VLAN device mapping
├── 04-HARDWARE-INVENTORY.md # Hardware list
├── 06-CHANGELOG.md # Change history
├── archive/ # Completed phase docs
├── 05-PORT-UTILIZATION.md # Device port assignments
├── 06-VLAN-DEVICE-ASSIGNMENT.md # VLAN device mapping
├── 07-WIFI-CAPSMAN-CONFIG.md # WiFi and CAPsMAN settings
├── 08-DNS-ARCHITECTURE.md # DNS failover architecture
├── 09-TAILSCALE-VPN.md # Tailscale VPN setup
├── CHANGELOG.md # Change history
├── archive/ # Completed/legacy docs
│ └── vlan-migration/ # VLAN migration project artifacts
├── incidents/ # Incident reports
└── wip/ # Work in progress
```
@@ -93,7 +97,7 @@ cd /tmp && \
git push
```
### Changelog Format (docs/06-CHANGELOG.md)
### Changelog Format (docs/CHANGELOG.md)
```markdown
## YYYY-MM-DD
- [PHASE X] Task description - COMPLETED/FIXED/ISSUE
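Review bot: the example under `### Changelog Format (docs/CHANGELOG.md)` still shows the `## YYYY-MM-DD` / `- [PHASE X] Task description - COMPLETED/FIXED/ISSUE` shape, which does not match the `### YYYY-MM-DD` / `- **[CATEGORY]** Brief description` format guide in the changelog this same commit deletes. Since the commit merges the changelogs into one file, pick one format and update this README example to it.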


@@ -1,6 +1,6 @@
# XTRM Home Lab Infrastructure
**Domain:** xtrm-lab.org
**Domain:** xtrm-lab.org
**Repository:** https://git.xtrm-lab.org/jazzymc/infrastructure
---
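Review bot: the `**Domain:** xtrm-lab.org` line is removed and re-added with no visible difference, so this hunk is a whitespace-only change (trailing space or line ending). Harmless, but it adds noise to the diff; normalising whitespace in the editor settings avoids re-committing it.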
@@ -22,15 +22,20 @@
```
docs/
├── 01-NETWORK-MAP.md # Network topology, IPs, Docker networks
├── 02-SERVICES-CRITICAL.md # DNS, Auth, Routing - must stay up
├── 03-SERVICES-OTHER.md # All other services
├── 04-HARDWARE-INVENTORY.md # Physical devices, specs, serials
├── 00-CHANGELOG.md # Major events only
├── wip/ # Planned changes & ideas
│ ├── UPGRADE-2026-HARDWARE.md
│ └── GITOPS-CONTAINERS.md
── archive/ # Legacy docs (read-only)
├── 01-NETWORK-MAP.md # Network topology, IPs, Docker networks
├── 02-SERVICES-CRITICAL.md # DNS, Auth, Routing - must stay up
├── 03-SERVICES-OTHER.md # All other services
├── 04-HARDWARE-INVENTORY.md # Physical devices, specs, serials
├── 05-PORT-UTILIZATION.md # Device port assignments
├── 06-VLAN-DEVICE-ASSIGNMENT.md # VLAN device mapping
├── 07-WIFI-CAPSMAN-CONFIG.md # WiFi and CAPsMAN settings
├── 08-DNS-ARCHITECTURE.md # DNS failover architecture
── 09-TAILSCALE-VPN.md # Tailscale VPN setup
├── CHANGELOG.md # Change history
├── archive/ # Completed/legacy docs
│ └── vlan-migration/ # VLAN migration project artifacts
├── incidents/ # Incident reports
└── wip/ # Work in progress
```
---
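Review bot: the added `── 09-TAILSCALE-VPN.md` line is missing its `├` tree connector, while every sibling above it uses `├──` and only the final `wip/` entry uses `└──`; add the connector so the tree renders consistently. Otherwise the tree matches the README tree updated earlier in this commit.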
@@ -39,11 +44,11 @@ docs/
| Device | IP | Role |
|--------|-----|------|
| HAP1 | 192.168.31.1 | Router, DNS, WiFi Controller |
| XTRM-U | 192.168.31.2 | Production Server (Unraid) |
| CSS1 | 192.168.31.9 | Distribution Switch |
| ZX1 | 192.168.31.7 | Core Switch (2.5G) |
| CAP | 192.168.31.6 | Wireless Access Point |
| HAP1 | 192.168.10.1 | Router, DNS, WiFi Controller |
| XTRM-U | 192.168.10.20 | Production Server (Unraid) |
| CSS1 | 192.168.10.3 | Distribution Switch |
| ZX1 | 192.168.10.4 | Core Switch (2.5G) |
| CAP | 192.168.10.6 | Wireless Access Point |
---
@@ -51,26 +56,26 @@ docs/
```bash
# Unraid
ssh -i ~/.ssh/id_ed25519_unraid root@192.168.31.2 -p 422
ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422
# MikroTik Router
ssh -i ~/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1
```
---
## Emergency Recovery
1. **DNS down?**Clients fallback to 192.168.31.4 (secondary)
2. **Internet down?** → Check HAP1 at 192.168.31.1
3. **Services down?** → Check Unraid at 192.168.31.2
1. **DNS down?**Automatic failover to 192.168.10.10 (secondary), see `08-DNS-ARCHITECTURE.md`
2. **Internet down?** → Check HAP1 at 192.168.10.1
3. **Services down?** → Check Unraid at 192.168.10.20
4. **Full outage?** → See `02-SERVICES-CRITICAL.md` startup order
---
## Change Management
- **Major changes:** Document in `00-CHANGELOG.md`
- **Major changes:** Document in `CHANGELOG.md`
- **Minor changes:** Git commit messages only
- **Planned work:** Create doc in `wip/` folder
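Review bot: item 1 of Emergency Recovery lacks the ` → ` separator that items 2-4 use (`**DNS down?**Automatic failover to 192.168.10.10 ...`); the slip was already in the old line, but since it is rewritten here anyway, add the arrow. The MikroTik SSH example also changes the login from `unraid@192.168.10.1` to `xtrm@192.168.10.1`; confirm that the old `unraid` account is removed or disabled on the router so the doc and the device's user list agree, and record it in the changelog if this was an account change rather than a typo fix.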


@@ -1,118 +0,0 @@
# Infrastructure Changelog
**Purpose:** Major infrastructure events only. Minor changes are in git commit messages.
---
## 2026-01
### 2026-01-25
- **[INCIDENT]** DNS outage after MikroTik restart - multiple root causes fixed:
- NAT rules blocking AdGuard outbound DNS (added exception rules)
- DHCP pushing wrong DNS (8.8.8.8 → 192.168.31.1)
- NAT redirect pointing to wrong IP/port (172.17.0.5:5355 → 192.168.31.4:53)
- Asymmetric routing (added srcnat masquerade for DNS redirect)
- **[SERVICE]** Removed MikroTik AdGuard Home container (storage/overlay errors)
- **[SERVICE]** Removed MikroTik Tailscale container (root directory missing)
- **[SERVICE]** Removed Pi-hole/Unbound leftovers from MikroTik (veth, mounts, envs)
- **[NETWORK]** Consolidated DNS architecture: MikroTik → Unraid AdGuard (192.168.31.4) only
- **[DOCS]** Created incident reports in docs/incidents/
- **[DOCS]** Restructured documentation - consolidated into 5 core docs + archive
- **[NETBOX]** Added shelf devices for rack organization (U9, U7, U3)
### 2026-01-24
- **[NETBOX]** Standardized device names to NetBox convention (HAP1, CSS1, ZX1)
- **[DOCS]** Created NETWORK-PHYSICAL-MAP.md with complete port maps
### 2026-01-23
- **[SERVICE]** Deployed Diode network discovery stack
- **[SERVICE]** Removed Slurp'it (replaced by Diode + NetDisco)
- **[SERVICE]** Consolidated NetBox Redis to shared instance
- **[SERVICE]** Removed redundant DNS services (Unbound, DoH-Server, stunnel-dot)
### 2026-01-22
- **[SERVICE]** Migrated NetBox to shared PostgreSQL 17
- **[SERVICE]** Deployed AdGuard Home on MikroTik (primary DNS)
- **[SERVICE]** Deployed AdGuard Home on Unraid (secondary DNS)
- **[SERVICE]** Removed Pi-hole (replaced by AdGuard Home)
- **[DOCS]** Created INFRASTRUCTURE-DIAGRAM.md
### 2026-01-21
- **[BACKUP]** Configured Rclone sync to Google Drive
### 2026-01-19
- **[SERVICE]** Deployed NetBox IPAM/DCIM
- **[SERVICE]** Deployed NetDisco network discovery
- **[NETWORK]** Enabled SNMP on all MikroTik devices
### 2026-01-18
- **[SERVICE]** Deployed Gitea git server
- **[SERVICE]** Deployed Woodpecker CI
- **[NETWORK]** Configured CAPsMAN on HAP1
- **[WIRELESS]** CAP added to CAPsMAN management
### 2026-01-17
- **[SERVICE]** Deployed Portainer CE
---
## Format Guide
```markdown
### YYYY-MM-DD
- **[CATEGORY]** Brief description
Categories:
- [DEVICE] - Hardware added/removed/changed
- [SERVICE] - Container/service deployed/removed
- [NETWORK] - Network topology/config changes
- [WIRELESS] - WiFi/CAPsMAN changes
- [BACKUP] - Backup configuration
- [DOCS] - Major documentation changes
- [INCIDENT] - Outages and fixes
```
---
## Previous History
For detailed history before 2026-01-17, see archived changelogs:
- `archive/06-CHANGELOG.md`
- `archive/07-CHANGELOG.md`
- `archive/00-CHANGELOG.md`
## 2026-01-25
- [PHASE DNS] MikroTik AdGuard Home container installed - COMPLETED
- Container: adguardhome v0.107.71 on veth-adguard (172.17.0.2/24)
- Upstreams: 192.168.31.4 (Unraid AdGuard), 8.8.8.8, 1.1.1.1
- TLS enabled with Let's Encrypt cert for dns.xtrm-lab.org
- DoT on port 853, DoH on port 8443 (external)
- LAN DNS redirect updated to use MikroTik AdGuard
- Old docker-bridge removed (routing conflict)
- Web UI at http://192.168.31.1:3000
- [ISSUE] Container failed after restart with 'could not load config json'
- Fix: Removed and recreated container, added mountlists, restarted
- AdGuard config preserved (on separate mount)
- Documented fix in 09-MIKROTIK-ADGUARD-DOT-DOH.md
- [CONTAINERS] Created container bridge (containers-br) for shared networking
- Both AdGuard and Tailscale containers now use the same bridge
- Added NAT masquerade for container outbound traffic
- [SERVICE] Tailscale container installed and running
- Image: tailscale/tailscale:latest
- IP: 172.17.0.3/24 on veth-tailscale
- State persisted to usb1/tailscale/state
- Userspace mode enabled
## 2026-01-25 (VLAN Implementation)
- [VLAN] Created VLAN interfaces on bridge:
- VLAN 10: Management (192.168.10.0/24)
- VLAN 20: Trusted (192.168.20.0/24)
- VLAN 30: IoT (192.168.30.0/24)
- VLAN 35: Cameras (192.168.35.0/24)
- VLAN 40: Servers (192.168.40.0/24)
- VLAN 50: Guest (192.168.50.0/24)
- [VLAN] DHCP servers configured for all VLANs
- [VLAN] Inter-VLAN firewall rules created
- [VLAN] WiFi SSIDs created: Home-Trusted, Home-IoT, Home-Guest
- [STATUS] VLAN filtering NOT yet enabled (Phase 1 complete)
- [NOTE] Legacy 192.168.31.0/24 still active for transition
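Review bot: this deletes the whole old changelog (118 lines), but the merged CHANGELOG.md is not shown on this page, so it cannot be confirmed here that the 2026-01-17 to 2026-01-25 entries, the Format Guide, and the two trailing 2026-01-25 blocks (MikroTik AdGuard/Tailscale containers, VLAN implementation) were all carried over rather than dropped; please confirm. The `Previous History` section also points at `archive/06-CHANGELOG.md`, `archive/07-CHANGELOG.md` and `archive/00-CHANGELOG.md`; make sure those paths still exist after the renumbering and archive move, or update them in the merged file.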


@@ -1,6 +1,6 @@
# Network Map - xtrm-lab.org
**Last Updated:** 2026-02-02
**Last Updated:** 2026-02-06
**Domain:** xtrm-lab.org
**WAN IP:** 62.73.120.142
@@ -27,19 +27,19 @@ flowchart TB
end
subgraph Rack19["19&quot; Rack (3U)"]
HAP1["HAP1 | hAP ax³<br/>192.168.31.1"]
HAP1["HAP1 | hAP ax³<br/>192.168.10.1"]
PP1["PP1 | 24-port"]
CSS1["CSS1 | CSS326-24G-2S+<br/>192.168.31.9"]
CSS1["CSS1 | CSS326-24G-2S+<br/>192.168.10.3"]
end
subgraph Rack10["10&quot; Rack (9U)"]
ZX1["ZX1 | ZX-SWTGW218AS<br/>192.168.31.22"]
ZX1["ZX1 | ZX-SWTGW218AS<br/>192.168.10.4"]
PP2["PP2 | 12-port"]
XTRMU["XTRM-U<br/>192.168.31.2"]
XTRMU["XTRM-U<br/>192.168.10.20"]
end
subgraph Wireless["WiFi"]
CAP["CAP | cAP XL ac<br/>192.168.31.6"]
CAP["CAP | cAP XL ac<br/>192.168.10.6"]
end
ISP -->|"ether1 WAN"| HAP1
@@ -63,17 +63,17 @@ flowchart TB
|---|--------|-------|-----|-------|
| U9 | Shelf + ISP Gateway | Vivacom ONT | 62.73.120.2 | WAN |
| U8 | PP2 | 10" 12-port Cat6a | - | Patch panel |
| U7 | Shelf + ZX1 | ZX-SWTGW218AS | 192.168.31.22 | 8x2.5G + 2x10G SFP+ |
| U7 | Shelf + ZX1 | ZX-SWTGW218AS | 192.168.10.4 | 8x2.5G + 2x10G SFP+ |
| U6 | (empty) | - | - | Reserved for XTRM-N1 |
| U1-U4 | XTRM-U | NAS Server | 192.168.31.2 | 4x 2.5GbE bond |
| U1-U4 | XTRM-U | NAS Server | 192.168.10.20 | 4x 2.5GbE bond |
#### 19" Rack (3U)
| U | Device | Model | IP | Notes |
|---|--------|-------|-----|-------|
| U3 | Shelf + HAP1 | hAP ax³ | 192.168.31.1 | Router + WiFi controller |
| U3 | Shelf + HAP1 | hAP ax³ | 192.168.10.1 | Router + WiFi controller |
| U2.5 | PP1 | 19" 24-port Cat6a | - | Room connections |
| U1 | CSS1 | CSS326-24G-2S+ | 192.168.31.9 | 24x1G + 2x10G SFP+ |
| U1 | CSS1 | CSS326-24G-2S+ | 192.168.10.3 | 24x1G + 2x10G SFP+ |
### HAP ax³ Port Assignments
@@ -99,33 +99,29 @@ flowchart TB
## IP Address Allocation
### Network: 192.168.31.0/24
### VLAN Summary
#### Infrastructure Devices
| VLAN | Subnet | Gateway | Purpose |
|------|--------|---------|---------|
| 10 | 192.168.10.0/24 | 192.168.10.1 | Management |
| 20 | 192.168.20.0/24 | 192.168.20.1 | Trusted |
| 25 | 192.168.25.0/24 | 192.168.25.1 | Kids |
| 30 | 192.168.30.0/24 | 192.168.30.1 | IoT |
| 40 | 192.168.1.0/24 | 192.168.1.1 | CatchAll |
| IP | Device | Type | MAC |
|----|--------|------|-----|
| 192.168.31.1 | HAP1 \| hAP ax³ | Router | 78:9A:18:2C:A5:48 |
| 192.168.31.2 | XTRM-U | Server | A8:B8:E0:02:B6:15 |
| 192.168.31.6 | CAP \| cAP XL ac | Access Point | 18:FD:74:54:3D:BC |
| 192.168.31.22 | ZX1 \| ZX-SWTGW218AS | Switch | 1C:2A:A3:1E:78:67 |
| 192.168.31.9 | CSS1 \| CSS326-24G-2S+ | Switch | F4:1E:57:C9:BD:09 |
### VLAN 10 - Infrastructure Devices
#### Containers (br0 Macvlan)
| IP | Device | Type |
|----|--------|------|
| 192.168.10.1 | HAP1 \| hAP ax³ | Router |
| 192.168.10.3 | CSS1 \| CSS326-24G-2S+ | Switch |
| 192.168.10.4 | ZX1 \| ZX-SWTGW218AS | Switch |
| 192.168.10.6 | CAP \| cAP XL ac | Access Point |
| 192.168.10.10 | AdGuard Home (Unraid macvlan) | DNS Secondary |
| 192.168.10.20 | XTRM-U | Server |
| 192.168.10.200 | NanoKVM | Remote KVM |
| IP | Container | Purpose |
|----|-----------|---------|
| 192.168.31.4 | AdGuard Home | DNS Secondary |
| 192.168.31.5 | Unbound | Recursive DNS (stopped) |
| 192.168.31.12 | TimeMachine | macOS backups |
#### DHCP Ranges
| Range | Purpose |
|-------|---------|
| 192.168.31.10-99 | Reserved (static) |
| 192.168.31.100-200 | DHCP Pool |
| 192.168.31.201-254 | Reserved |
For complete device-to-VLAN mapping, see `06-VLAN-DEVICE-ASSIGNMENT.md`.
---
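Review bot: the new VLAN Summary lists VLAN 40 as `192.168.1.0/24` with gateway `192.168.1.1` and purpose `CatchAll`, but the VLAN Device Assignment doc deleted in this same commit and the changelog entry `VLAN 40: Servers (192.168.40.0/24)` both define VLAN 40 as the Servers network on 192.168.40.0/24; confirm which is current and align the three places. The summary also omits VLAN 35 (Cameras) and VLAN 50 (Guest), which the deleted docs define; if those VLANs still exist, add them, and if they were dropped, say so in the table's surrounding text.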
@@ -133,12 +129,12 @@ flowchart TB
### HAP1 (MikroTik Router)
**Network:** 172.17.0.0/16 (bridge)
**Network:** 172.17.0.0/24 (veth)
| Container | IP | Purpose |
|-----------|-----|---------|
| AdGuard Home | 172.17.0.5 | DNS Primary (DoH/DoT/DoQ) |
| Tailscale | 172.17.0.4 | VPN mesh |
| AdGuard Home | 172.17.0.2 | DNS Primary (DoH/DoT/DoQ) |
| Tailscale | 172.17.0.3 | VPN mesh |
### XTRM-U (Unraid Server)
@@ -264,8 +260,8 @@ flowchart TB
| External Port | Destination | Service |
|---------------|-------------|---------|
| 853 | 172.17.0.5:853 | AdGuard DoT |
| 8853 | 172.17.0.5:8853 | AdGuard DoQ |
| 853 | 172.17.0.2:853 | AdGuard DoT |
| 8853 | 172.17.0.2:8853 | AdGuard DoQ |
---
@@ -279,11 +275,11 @@ flowchart TB
end
subgraph HAP1["HAP1 (Primary)"]
AGH1["AdGuard Home<br/>172.17.0.5"]
AGH1["AdGuard Home<br/>172.17.0.2"]
end
subgraph XTRMU["XTRM-U (Secondary)"]
AGH2["AdGuard Home<br/>192.168.31.4"]
AGH2["AdGuard Home<br/>192.168.10.10"]
end
subgraph Sync["Sync"]


@@ -64,7 +64,7 @@ Non-critical services that enhance functionality but don't affect core network o
| diode-auth | 172.18.0.74 | Token service |
| diode-agent | host | Network scanner |
**Discovery:** 192.168.31.0/24 every 30 minutes
**Discovery:** 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 every 30 minutes
### Unimus
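Review bot: the Diode discovery scope now covers 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 but not 192.168.25.0/24 (VLAN 25, Kids), which the VLAN Summary added in this commit lists as a live subnet. If kids' devices are deliberately excluded from inventory scanning, note that here; otherwise add the range so the inventory stays complete.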
@@ -182,7 +182,7 @@ Non-critical services that enhance functionality but don't affect core network o
| Network | IP |
|---------|-----|
| br0 macvlan | 192.168.31.12 |
| br0 macvlan | 192.168.10.12 |
**Purpose:** macOS Time Machine backup target
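Review bot: TimeMachine moves to `192.168.10.12` on the br0 macvlan here, but the new `VLAN 10 - Infrastructure Devices` table in 01-NETWORK-MAP.md (same commit) lists only 192.168.10.1, .3, .4, .6, .10, .20 and .200; add a .12 entry there (the old Containers table did list TimeMachine at 192.168.31.12) so the address map stays complete.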
@@ -219,7 +219,7 @@ Non-critical services that enhance functionality but don't affect core network o
| Host | IP |
|------|-----|
| HAP1 | 172.17.0.4 |
| HAP1 | 172.17.0.3 |
**Purpose:** Mesh VPN for remote access


@@ -1,248 +0,0 @@
# VLAN Device Assignment Map
**Last Updated:** 2026-02-01
**Purpose:** Complete inventory of all network devices with VLAN assignments
---
## VLAN Summary
| VLAN | Name | Subnet | Gateway | Purpose | Comment |
|------|------|--------|---------|---------|---------|
| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Current flat network | To be deprecated |
| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | Admin access only |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices | Full network access |
| 25 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Kids Devices| Full network access |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | Internet + limited local |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | Isolated, NVR access only |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers | Service hosts |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi | Internet only |
---
## VLAN 10 - Management (Infrastructure)
| Current IP | Target IP | MAC Address | Device | Notes | Comment |
|------------|-----------|-------------|--------|-------|---------|
| 192.168.31.1 | 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router | Gateway for all VLANs |
| 192.168.31.4 | 192.168.10.10| 02:42:C0:A8:1F:04 | AdGuard Home | DNS (Unraid) | Secondary DNS |
| 192.168.31.6 | 192.168.10.2| 18:FD:74:54:3D:BC | CAP XL ac | Access point | CAPsMAN managed |
| 192.168.31.9 | 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch | Room distribution |
| 192.168.31.22 | 192.168.10.4 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch | Server rack |
| 192.168.31.2 | 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server | Docker host, NAS |
| 192.168.31.20 | 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM | IPMI alternative |
| 172.17.0.2 | - | 46:D0:27:F7:1F:CA | AdGuard (MikroTik) | DNS (Router) | Primary DNS, DoH/DoT |
| 172.17.0.3 | - | 0C:AB:39:8D:8C:FC | Tailscale (MikroTik) | VPN container | Remote access |
---
## VLAN 20 - Trusted (Family Devices)
| Current IP | Target IP | MAC Address | Device | Owner | Comment |
|------------|-----------|-------------|--------|-------|---------|
| 192.168.31.79 | 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | Primary laptop |
| 192.168.31.98 | 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | Primary phone |
| 192.168.31.114 | 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | |
| 192.168.31.99 | 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan | Work laptop wireless |
| 192.168.31.108 | 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | |
| 192.168.31.121 | 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | |
| 192.168.31.95 | 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | Via Dell KVM dock |
| 192.168.31.97 | 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | Main bedroom |
| 192.168.31.107 | 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet |
---
## VLAN 25 - Trusted (Kids Devices)
| Current IP | Target IP | MAC Address | Device | Owner | Comment |
|------------|-----------|-------------|--------|-------|---------|
| 192.168.31.114 | 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | |
| 192.168.31.108 | 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | |
| 192.168.31.121 | 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | |
| 192.168.31.107 | 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet |
---
## VLAN 30 - IoT (Smart Home)
| Current IP | Target IP | MAC Address | Device | Location | Comment |
|------------|-----------|-------------|--------|----------|---------|
| 192.168.31.139 | 192.168.30.10 | 50:2C:C6:7A:55:39 | Air Conditioner | Living Room| GREE Electric|
| 192.168.31.100 | 192.168.30.11 | B0:37:95:79:AF:9B | LG TV | Living Room | LAN (not connected) |
| 192.168.31.118 | 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV | Living Room | WiFi (active) |
| 192.168.31.134 | 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Streaming |
| 192.168.31.104 | 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room | Needs cloud access |
| 192.168.31.105 | 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | Home Connect app |
| 192.168.31.116 | 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | Home Connect app |
| 192.168.31.117 | 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | Kids Bathroom| Home Connect app |
| 192.168.31.106 | 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
| 192.168.31.113 | 192.168.30.5 | 38:1F:8D:04:6F:E4 | Tuya Smart Gateway (JMWZG1) | - | Requires WPA+TKIP |
| 192.168.31.149 | 192.168.30.33 | D4:AD:FC:BE:13:B0 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
| 192.168.31.106 | 192.168.30.34 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
| 192.168.31.113 | 192.168.30.5 | 38:1F:8D:04:6F:E4 | Tuya Smart Gateway (JMWZG1) | - | Requires WPA+TKIP |
| 192.168.31.149 | 192.168.30.38| D4:AD:FC:BE:13:B0 | Shenzhen Intellirocks | - | Smart Device |
| 192.168.31.101 | 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | Mi Home app |
| - | 192.168.30.50 | FC:D5:D9:EB:6A:82 | Settop Box (LAN) | Living Room | CSS326 Port 23 |
| - | 192.168.30.51 | 08:FB:EA:61:9D:3A | Settop Box (WiFi) | Living Room | XTRM2 2.4GHz |
---
## VLAN 35 - Cameras (Security)
| Current IP | Target IP | MAC Address | Device | Location | Comment |
|------------|-----------|-------------|--------|----------|---------|
| 192.168.31.68 | 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door | PoE powered |
---
## VLAN 40 - Servers (Services)
| Current IP | Target IP | MAC Address | Device | Purpose | Comment |
|------------|-----------|-------------|--------|---------|---------|
| 192.168.31.19 | 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | Wired connection |
---
## VLAN 50 - Guest (Isolated)
| Current IP | Target IP | MAC Address | Device | Notes | Comment |
|------------|-----------|-------------|--------|-------|---------|
| 192.168.31.15 | 192.168.50.10 | AC:87:A3:77:8F:BD | Apple Device | Unknown owner | OUI: Apple Inc. |
| 192.168.31.142 | 192.168.50.11 | 22:4C:7F:1D:85:8E | Unknown Device | Random MAC | Privacy MAC |
| 192.168.31.109 | 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown Device | Private vendor | Hidden OUI |
| 192.168.31.110 | 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown Device | Private vendor | Same as .109 |
| DHCP Pool | 192.168.50.100-200 | - | Guest devices | Dynamic | Internet only |
---
## Identified Unknown Devices (Moved to Guest)
| Current IP | MAC Address | Vendor (OUI) | Likely Device | Assigned VLAN | Comment |
|------------|-------------|--------------|---------------|---------------|---------|
| 192.168.31.15 | AC:87:A3:77:8F:BD | Apple Inc. | iPhone/iPad/Mac | 50 (Guest) | Unknown owner |
| 192.168.31.142 | 22:4C:7F:1D:85:8E | Locally Administered | Phone/Laptop | 50 (Guest) | Random MAC (privacy) |
| 192.168.31.109 | D0:C9:07:92:1A:8E | Private (IEEE) | Unknown | 50 (Guest) | Hidden vendor |
| 192.168.31.110 | D0:C9:07:8C:C9:46 | Private (IEEE) | Unknown | 50 (Guest) | Same vendor as .109 |
---
## MAC Address Quick Reference
### By VLAN (for switch port assignment)
**VLAN 10 - Mgmt:**
```
78:9A:18:2C:A5:48 HAP1
A8:B8:E0:02:B6:15 XTRM-U
18:FD:74:54:3D:BC CAP XL ac
F4:1E:57:C9:BD:09 CSS326
1C:2A:A3:1E:78:67 ZX1
48:DA:35:6F:BE:50 NanoKVM
```
**VLAN 20 - Trusted:**
```
82:6D:FB:D9:E0:47 Nora MacBook
AA:ED:8B:2A:40:F1 Kaloyan S25
F2:B8:14:61:C8:27 Dancho iPhone
82:EC:EF:B5:F2:AF Kaloyan MacBook WiFi
90:91:64:70:0D:86 Kimi Notebook
2A:2B:BA:86:D4:AF Kimi iPhone
08:92:04:C6:07:C5 Kaloyan MacBook LAN
1C:83:41:32:F3:AF Kaloyan Game PC
A4:D1:D2:7B:52:BE Compusbg iPad
```
**VLAN 30 - IoT:**
```
B0:37:95:79:AF:9B LG TV (LAN)
DC:03:98:6B:5A:3A LG TV (WiFi)
D0:E7:82:F7:65:DD Chromecast
B0:4A:39:3F:9A:14 Roborock Vacuum
94:27:70:1E:0C:EE Bosch Oven
C8:5C:CC:52:EA:53 Xiaomi Air Purifier
C8:D7:78:D6:DC:FC Bosch Washer
C8:D7:78:40:65:40 Bosch Dishwasher
50:2C:C6:7A:55:39 GREE Appliance
18:DE:50:5B:C8:A6 Tuya Device 1
38:1F:8D:04:6F:E4 Tuya Smart Gateway (JMWZG1)
D4:AD:FC:BE:13:B0 Intellirocks Device
FC:D5:D9:EB:6A:82 Settop Box (LAN)
08:FB:EA:61:9D:3A Settop Box (WiFi)
```
**VLAN 35 - Cameras:**
```
48:9E:9D:0E:16:F7 Reolink Doorbell
```
**VLAN 40 - Servers:**
```
64:4E:D7:D8:43:3E HP LaserJet
```
**VLAN 50 - Guest:**
```
AC:87:A3:77:8F:BD Apple Device (unknown)
22:4C:7F:1D:85:8E Random MAC device
D0:C9:07:92:1A:8E Private Vendor 1
D0:C9:07:8C:C9:46 Private Vendor 2
```
---
## Device Count Summary
| VLAN | Device Count | Comment |
|------|--------------|---------|
| 10 - Mgmt | 9 | Infrastructure only |
| 20 - Trusted | 9 | Family devices |
| 25 - Kids | 4 | Kids devices (subset of 20) |
| 30 - IoT | 11 | Smart home devices |
| 35 - Cameras | 1 | Security |
| 40 - Servers | 1 | Services |
| 50 - Guest | 4 | Unknown/unidentified devices |
| **Total** | **35** | All devices categorized |
---
## OUI Lookup Reference
| OUI Prefix | Vendor | Type |
|------------|--------|------|
| B0:37:95 | LG Electronics | TV/Displays (LAN) |
| DC:03:98 | LG Innotek | TV/Displays (WiFi) |
| 50:2C:C6 | GREE Electric Appliances (Zhuhai) | AC/Appliances |
| 18:DE:50 | Tuya Smart Inc. | IoT Platform |
| 38:1F:8D | Xiaomi | Smart Home Devices |
| D4:AD:FC | Shenzhen Intellirocks Tech | Smart Devices |
| AC:87:A3 | Apple Inc. | Consumer Electronics |
| D0:C9:07 | Private (IEEE hidden) | Unknown |
| 22:xx:xx | Locally Administered | Random/Private MAC |
---
## Next Steps
| Step | Action | Comment |
|------|--------|---------|
| 1 | ✅ Identify unknown devices | Completed via OUI lookup |
| 2 | Decide WiFi strategy | Single SSID vs Multiple SSIDs |
| 3 | Configure switch ports | VLAN tagging on CSS326 |
| 4 | Test VLAN routing | Before full activation |
| 5 | Update firewall rules | Inter-VLAN traffic control |
---
## Quick Assignment Table (Identified Devices)
| VLAN | IP | Comment |
|------|----|---------|
| 30 (IoT) | 192.168.31.139 | GREE Air Conditioner |
| 30 (IoT) | 192.168.31.106 | Tuya Smart Device #1 |
| 30 (IoT) | 192.168.31.113 | Tuya Smart Gateway (JMWZG1) |
| 30 (IoT) | 192.168.31.149 | Shenzhen Intellirocks Smart Device |
| 50 (Guest) | 192.168.31.15 | Apple device (unknown owner) |
| 50 (Guest) | 192.168.31.142 | Privacy MAC device |
| 50 (Guest) | 192.168.31.109 | Private vendor device |
| 50 (Guest) | 192.168.31.110 | Private vendor device |
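Review bot: if the replacement VLAN Device Assignment doc carries these tables forward, de-duplicate the IoT rows first: `38:1F:8D:04:6F:E4` (Tuya Smart Gateway) appears twice with target 192.168.30.5, `18:DE:50:5B:C8:A6` appears with both 192.168.30.31 and 192.168.30.34, and `D4:AD:FC:BE:13:B0` with both 192.168.30.33 and 192.168.30.38, so static DHCP leases built from this table would be ambiguous for two devices. The four devices under VLAN 25 are also listed under VLAN 20 with the same 192.168.20.x targets, so each should be assigned to one VLAN only. The VLAN 25 row (`192.168.20.0/24` / `192.168.20.1` for the Kids VLAN) is the subnet error the commit message says it fixes; the new file shown at the end of this page is cut off before that row, so the fix cannot be verified here.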


@@ -36,12 +36,12 @@
|----------|-------|
| **Role** | Distribution Switch |
| **Location** | 19" Rack U1 |
| **IP** | 192.168.10.9 |
| **IP** | 192.168.10.3 |
| **MAC** | F4:1E:57:C9:BD:09 |
| **OS** | SwOS 2.16 |
| **Serial** | - |
| **Docs** | https://help.mikrotik.com/docs/spaces/UM/pages/17498168/CSS326-24G-2S+RM |
| **Web UI** | http://192.168.10.9 |
| **Web UI** | http://192.168.10.3 |
**Ports:** 24x 1G RJ45, 2x 10G SFP+
- SFP1: 10G DAC to ZX1
@@ -55,7 +55,7 @@
|----------|-------|
| **Role** | Core Switch (2.5GbE) |
| **Location** | 10" Rack U7 (on shelf) |
| **IP** | 192.168.10.7 |
| **IP** | 192.168.10.4 |
| **MAC** | 1C:2A:A3:1E:78:67 |
| **Serial** | - |


@@ -1,11 +1,11 @@
# Device Port Utilization
**Last Updated:** 2026-01-25
**Last Updated:** 2026-02-06
**Legend:** 🟢 Connected | ⚪ Enabled/No Link | 🔘 Disabled | 🩷 High Speed (≥2.5G)
---
## HAP1 | MikroTik hAP ax³ (192.168.31.1)
## HAP1 | MikroTik hAP ax³ (192.168.10.1)
```
┌─────────────────────────────────────────────────────────┐
@@ -29,7 +29,7 @@ Connections:
---
## CSS1 | MikroTik CSS326-24G-2S+ (192.168.31.9)
## CSS1 | MikroTik CSS326-24G-2S+ (192.168.10.3)
```
┌───────────────────────────────────────────────────────────────────────────┐
@@ -68,7 +68,7 @@ Port Details:
---
## ZX1 | ZX-SWTGW218AS (192.168.31.22)
## ZX1 | ZX-SWTGW218AS (192.168.10.4)
```
┌─────────────────────────────────────────────────────────┐


@@ -1,175 +0,0 @@
# Infrastructure Changelog
## 2026-02-01
### WIP Documentation
- [WIP] Added KVM-SWITCH-MAC-NOBARA.md - Software KVM for Mac/Nobara switching
- DDC/CI monitor control (Dell U3821DW) + HID++ Logitech peripheral switching
- Scripts created on Mac at ~/scripts/
## 2026-01-31
### Docker Cleanup
- [DOCKER] Removed 18 unused images (~4.9 GB reclaimed)
- [DOCKER] Removed 12 dangling images (old builds, untagged)
- [DOCKER] Removed Slurpit stack images (warehouse, portal, scanner, scraper)
- [DOCKER] Removed unused MongoDB 8 and MariaDB 11 images
- [DOCKER] Removed 35 orphaned volumes (~1.15 GB reclaimed)
- [DOCKER] Removed 28 anonymous dangling volumes
- [DOCKER] Removed 6 nextcloud_aio_* volumes (from old AIO install)
- [DOCKER] Removed orphaned redis-data volume
- [DOCKER] **Total reclaimed: ~6 GB**
### Kept (Stopped Containers)
- open-webui, ollama (AI stack - for future use)
- pgAdmin4 (database management)
- diode-hydra-migrate, diode-auth-bootstrap (one-time migration jobs)
## 2026-01-27
### VLAN Filtering Rolled Back
- [VLAN] Enabled VLAN filtering - caused connectivity issues
- [VLAN] ZX1 switch unreachable after activation (no management IP responding)
- [VLAN] CSS326 traffic routing through ZX1 (not direct eth3 link)
- [VLAN] **Rolled back** - VLAN filtering disabled
- [CONFIG] Added eth4 (ZX1) to all VLAN tagged lists for future use
- [STATUS] Network back to Legacy mode (192.168.31.0/24)
- [TODO] Need physical access to ZX1 to configure VLAN trunking
### Issues Identified
- ZX1 switch not responding on documented IP 192.168.31.22
- ZX1 may need VLAN trunk configuration before re-enabling filtering
- All CSS326 traffic goes via ZX1→HAP1, not direct CSS326→HAP1 link (STP?)
# Infrastructure Changelog
## 2026-02-01
### WIP Documentation
- [WIP] Added KVM-SWITCH-MAC-NOBARA.md - Software KVM for Mac/Nobara switching
- DDC/CI monitor control (Dell U3821DW) + HID++ Logitech peripheral switching
- Scripts created on Mac at ~/scripts/
## 2026-01-26
### VLAN Filtering Activated ✅
- [VLAN] **VLAN filtering enabled on MikroTik bridge - SUCCESSFUL**
- [VLAN] Internet connectivity verified (ping 1.1.1.1, google.com)
- [VLAN] DNS resolution working through AdGuard
- [VLAN] All previous fixes (DHCP DNS, firewall, NAT masquerade) working correctly
- [STATUS] Network segmentation now ACTIVE
### Local AI Stack Deployed
- [AI] Deployed Ollama container with Intel GPU passthrough
- [AI] Deployed Open WebUI at http://192.168.31.2:3080
- [AI] Installed qwen2.5-coder:7b base model
- [AI] Created custom `unraid-assistant` model with infrastructure knowledge:
- Network topology (all VLANs, IPs, gateways)
- 45+ Docker containers (names, ports, purposes)
- RouterOS 7 commands and patterns
- Traefik labels and Authentik middleware
- All external URLs (xtrm-lab.org)
- [AI] Created `/usr/local/bin/ai` terminal helper command
- [AI] Stopped non-critical containers for RAM: karakeep, unimus, homarr, netdisco-*
### VLAN Activation Attempt & Fixes
- [VLAN] Configured CSS326 switch VLANs via SwOS web interface
- [VLAN] Enabled VLAN filtering on MikroTik - caused internet outage
- [VLAN] Rolled back VLAN filtering to restore connectivity
- [VLAN] **ROOT CAUSE IDENTIFIED:** Multiple configuration issues
### Issues Fixed
- [FIX] DHCP DNS now points to each VLAN gateway instead of legacy 192.168.31.1
- VLAN 20: 192.168.20.1, VLAN 25: 192.168.25.1, etc.
- [FIX] Added DNS redirect rules for all VLANs (src-address-list=all-vlans)
- [FIX] Added all VLAN interfaces to LAN firewall interface list
- [FIX] Added NAT masquerade rules for VLAN traffic to AdGuard container
- [BACKUP] MikroTik config saved before activation attempt
### Current Status
- MikroTik: Fully configured, fixes applied, ready for activation
- CSS326: VLANs configured, port assignments done
- VLAN Filtering: OFF (ready to enable when convenient)
- Next: Enable VLAN filtering + force DHCP renewal on devices
## 2026-01-25 (Update 3)
### VLAN Phase 1 Complete
- [VLAN] Added VLAN 25 (Kids) - interface, IP, DHCP server, pool, bridge entry
- [VLAN] Fixed VLAN 10 (Management) leases - correct IPs per device assignment doc
- [VLAN] Fixed VLAN 30 (IoT) leases - all 14 devices with correct IPs
- [VLAN] Added VLAN 25 (Kids) leases - 6 devices including XTRM-Ally
- [VLAN] Added VLAN 50 (Guest) leases - 7 unknown devices
- [VLAN] Added firewall rules for VLAN 25 (Kids → IoT, Legacy, DNS)
- [VLAN] Total devices configured: 44
### Device Discovery
- [NETWORK] Discovered XTRM-Ally gaming device → assigned to Kids VLAN
- [NETWORK] Discovered Dancho Windows device → assigned to Kids VLAN
- [NETWORK] Discovered 2x lwip0 IoT devices → assigned to IoT VLAN
- [NETWORK] Discovered 3x unknown devices → assigned to Guest VLAN
### Documentation Updates
- [DOCS] Updated 03-VLAN-DEVICE-ASSIGNMENT.md - complete device inventory (44 devices)
- [DOCS] Updated 11-VLAN-IMPLEMENTATION.md - Phase 1 complete status
- [DOCS] All VLANs now documented: 10, 20, 25, 30, 35, 40, 50
### Next Steps
- CSS326 switch VLAN configuration via SwOS
- Enable VLAN filtering on MikroTik bridge
- Test connectivity
## 2026-01-25
### VLAN Implementation (Prepared)
- [VLAN] Created 6 VLANs on MikroTik bridge (10, 20, 30, 35, 40, 50)
- [VLAN] Configured IP addresses for all VLAN interfaces
- [VLAN] Created DHCP servers and pools for each VLAN
- [VLAN] Added static DHCP leases mapping MACs to VLAN IPs
- [VLAN] Configured bridge VLAN table with tagged/untagged ports
- [VLAN] Set WiFi ports PVID=20 (Trusted VLAN default)
- [VLAN] Added inter-VLAN firewall rules (active)
- [VLAN] VLAN filtering NOT YET ENABLED (pending CSS326 switch config)
- [DOCS] Added docs/11-VLAN-IMPLEMENTATION.md
- [SCRIPTS] Added scripts/mikrotik-vlan-setup.rsc
- [SCRIPTS] Added scripts/mikrotik-vlan-enable.rsc
### MikroTik Containers
- [CONTAINER] AdGuard Home container running on MikroTik
- [CONTAINER] Tailscale container configured (inactive)
- [CONTAINER] Container bridge (containers-br) with NAT
### DNS Configuration
- [DNS] AdGuard Home as primary DNS (172.17.0.2)
- [DNS] DNS redirect rules for all clients
- [DNS] DoT/DoH upstream configured in AdGuard
## Previous Changes
See git history for earlier changes.
## 2026-01-25 (Update 2)
### DNS Configuration
- [DNS] Updated both AdGuard instances to use Quad9 DoH
- [DNS] MikroTik AdGuard: upstream=https://dns.quad9.net/dns-query
- [DNS] Unraid AdGuard: upstream=https://dns.quad9.net/dns-query
- [DNS] Bootstrap DNS: 9.9.9.9, 149.112.112.112
### Containers
- [CONTAINER] Fixed Tailscale container authentication
- [CONTAINER] Tailscale DNS changed from 8.8.8.8 to 172.17.0.1,1.1.1.1 (fallback)
- [CONTAINER] Tailscale route fixed: 100.64.0.0/10 → 172.17.0.3
### Documentation
- [DOCS] Created 02-PORT-UTILIZATION.md with ASCII port diagrams
- [DOCS] Updated 09-MIKROTIK-ADGUARD-DOT-DOH.md with Quad9 DoH config
### Network
- [NETWORK] Enabled CSS326 SFP1 port - 10G backbone link to ZX1 now active
### Documentation Fix
- [DOCS] Fixed ZX1 switch IP: 192.168.31.22 (was incorrectly documented as .7)
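Review bot: the "## Previous Changes / See git history for earlier changes." stub sits between "2026-01-25 (Update 3)" and "2026-01-25 (Update 2)", so the Update 2 block reads as an orphan below the file's footer and the day's sub-entries are out of order. If this file is being retired by the merge into CHANGELOG.md, carry the Update 2 items over before archiving: the Tailscale container DNS change ("8.8.8.8 to 172.17.0.1,1.1.1.1") and the "100.64.0.0/10 → 172.17.0.3" route fix are recorded only here and do not appear in the merged changelog added by this commit.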


@@ -0,0 +1,206 @@
# VLAN Device Assignment Map
**Last Updated:** 2026-02-06
**Purpose:** Complete inventory of all network devices with VLAN assignments
---
## VLAN Summary
| VLAN | Name | Subnet | Gateway | Purpose |
|------|------|--------|---------|---------|
| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi |
---
## VLAN 10 - Management (Infrastructure)
| IP | MAC Address | Device | Notes | Comment |
|----|-------------|--------|-------|---------|
| 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router | Gateway for all VLANs |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard Home | DNS (Unraid) | Secondary DNS |
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | Access point | CAPsMAN managed |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch | Room distribution |
| 192.168.10.4 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch | Server rack |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server | Docker host, NAS |
| 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM | IPMI alternative |
| 172.17.0.2 | 46:D0:27:F7:1F:CA | AdGuard (MikroTik) | DNS (Router) | Primary DNS, DoH/DoT |
| 172.17.0.3 | 0C:AB:39:8D:8C:FC | Tailscale (MikroTik) | VPN container | Remote access |
---
## VLAN 20 - Trusted (Family Devices)
| IP | MAC Address | Device | Owner | Comment |
|----|-------------|--------|-------|---------|
| 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | Primary laptop |
| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | Primary phone |
| 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | |
| 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan | Work laptop wireless |
| 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | |
| 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | |
| 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | Via Dell KVM dock |
| 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | Main bedroom |
| 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet |
---
## VLAN 25 - Kids (Kids Devices)
| IP | MAC Address | Device | Owner | Comment |
|----|-------------|--------|-------|---------|
| 192.168.25.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | |
| 192.168.25.14 | 90:91:64:70:0D:86 | Notebook | Kimi | |
| 192.168.25.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | |
| 192.168.25.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet |
---
## VLAN 30 - IoT (Smart Home)
| IP | MAC Address | Device | Location | Comment |
|----|-------------|--------|----------|---------|
| 192.168.30.10 | 50:2C:C6:7A:55:39 | Air Conditioner | Living Room | GREE Electric |
| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV | Living Room | LAN (not connected) |
| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV | Living Room | WiFi (active) |
| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Streaming |
| 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room | Needs cloud access |
| 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | Home Connect app |
| 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | Home Connect app |
| 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | Kids Bathroom | Home Connect app |
| 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
| 192.168.30.5 | 38:1F:8D:04:6F:E4 | Tuya Smart Gateway (JMWZG1) | - | Requires WPA+TKIP |
| 192.168.30.33 | D4:AD:FC:BE:13:B0 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
| 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | Mi Home app |
| 192.168.30.50 | FC:D5:D9:EB:6A:82 | Settop Box (LAN) | Living Room | CSS326 Port 23 |
| 192.168.30.51 | 08:FB:EA:61:9D:3A | Settop Box (WiFi) | Living Room | XTRM2 2.4GHz |
---
## VLAN 35 - Cameras (Security)
| IP | MAC Address | Device | Location | Comment |
|----|-------------|--------|----------|---------|
| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door | PoE powered |
---
## VLAN 40 - Servers (Services)
| IP | MAC Address | Device | Purpose | Comment |
|----|-------------|--------|---------|---------|
| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | Wired connection |
---
## VLAN 50 - Guest (Isolated)
| IP | MAC Address | Device | Notes | Comment |
|----|-------------|--------|-------|---------|
| 192.168.50.10 | AC:87:A3:77:8F:BD | Apple Device | Unknown owner | OUI: Apple Inc. |
| 192.168.50.11 | 22:4C:7F:1D:85:8E | Unknown Device | Random MAC | Privacy MAC |
| 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown Device | Private vendor | Hidden OUI |
| 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown Device | Private vendor | Same as .12 |
| 192.168.50.100-200 | - | Guest devices | Dynamic | Internet only |
---
## MAC Address Quick Reference
### By VLAN (for switch port assignment)
**VLAN 10 - Mgmt:**
```
78:9A:18:2C:A5:48 HAP1
A8:B8:E0:02:B6:15 XTRM-U
18:FD:74:54:3D:BC CAP XL ac
F4:1E:57:C9:BD:09 CSS326
1C:2A:A3:1E:78:67 ZX1
48:DA:35:6F:BE:50 NanoKVM
```
**VLAN 20 - Trusted:**
```
82:6D:FB:D9:E0:47 Nora MacBook
AA:ED:8B:2A:40:F1 Kaloyan S25
F2:B8:14:61:C8:27 Dancho iPhone
82:EC:EF:B5:F2:AF Kaloyan MacBook WiFi
90:91:64:70:0D:86 Kimi Notebook
2A:2B:BA:86:D4:AF Kimi iPhone
08:92:04:C6:07:C5 Kaloyan MacBook LAN
1C:83:41:32:F3:AF Kaloyan Game PC
A4:D1:D2:7B:52:BE Compusbg iPad
```
**VLAN 30 - IoT:**
```
B0:37:95:79:AF:9B LG TV (LAN)
DC:03:98:6B:5A:3A LG TV (WiFi)
D0:E7:82:F7:65:DD Chromecast
B0:4A:39:3F:9A:14 Roborock Vacuum
94:27:70:1E:0C:EE Bosch Oven
C8:5C:CC:52:EA:53 Xiaomi Air Purifier
C8:D7:78:D6:DC:FC Bosch Washer
C8:D7:78:40:65:40 Bosch Dishwasher
50:2C:C6:7A:55:39 GREE Appliance
18:DE:50:5B:C8:A6 Tuya Device 1
38:1F:8D:04:6F:E4 Tuya Smart Gateway (JMWZG1)
D4:AD:FC:BE:13:B0 Intellirocks Device
FC:D5:D9:EB:6A:82 Settop Box (LAN)
08:FB:EA:61:9D:3A Settop Box (WiFi)
```
**VLAN 35 - Cameras:**
```
48:9E:9D:0E:16:F7 Reolink Doorbell
```
**VLAN 40 - Servers:**
```
64:4E:D7:D8:43:3E HP LaserJet
```
**VLAN 50 - Guest:**
```
AC:87:A3:77:8F:BD Apple Device (unknown)
22:4C:7F:1D:85:8E Random MAC device
D0:C9:07:92:1A:8E Private Vendor 1
D0:C9:07:8C:C9:46 Private Vendor 2
```
---
## Device Count Summary
| VLAN | Device Count | Comment |
|------|--------------|---------|
| 10 - Mgmt | 9 | Infrastructure only |
| 20 - Trusted | 9 | Family devices |
| 25 - Kids | 4 | Kids devices (subset of 20) |
| 30 - IoT | 14 | Smart home devices |
| 35 - Cameras | 1 | Security |
| 40 - Servers | 1 | Services |
| 50 - Guest | 4 | Unknown/unidentified devices |
| **Total** | **38** | All devices categorized |
---
## OUI Lookup Reference
| OUI Prefix | Vendor | Type |
|------------|--------|------|
| B0:37:95 | LG Electronics | TV/Displays (LAN) |
| DC:03:98 | LG Innotek | TV/Displays (WiFi) |
| 50:2C:C6 | GREE Electric Appliances (Zhuhai) | AC/Appliances |
| 18:DE:50 | Tuya Smart Inc. | IoT Platform |
| 38:1F:8D | Xiaomi | Smart Home Devices |
| D4:AD:FC | Shenzhen Intellirocks Tech | Smart Devices |
| AC:87:A3 | Apple Inc. | Consumer Electronics |
| D0:C9:07 | Private (IEEE hidden) | Unknown |
| 22:xx:xx | Locally Administered | Random/Private MAC |
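Review bot: the Device Count Summary does not add up: the per-VLAN counts 9+9+4+14+1+1+4 give 42, not the 38 shown as total, and the changelog in this same commit still says "Total devices configured: 44"; pick one source of truth and make the three agree. Related, the four Kids devices (F2:B8:14:61:C8:27, 90:91:64:70:0D:86, 2A:2B:BA:86:D4:AF, A4:D1:D2:7B:52:BE) are listed with static IPs under both VLAN 20 and VLAN 25 but only under VLAN 20 in the MAC quick reference, so a reader cannot tell which DHCP server actually holds the lease or which SSID/port lands them in which VLAN; state the authoritative VLAN and drop the duplicate rows. Two vendor labels also contradict each other: 38:1F:8D:04:6F:E4 is "Tuya Smart Gateway (JMWZG1)" in the VLAN 30 table while the OUI table maps 38:1F:8D to Xiaomi, and D4:AD:FC:BE:13:B0 is "Tuya Smart Device" in the table but "Intellirocks Device" in the quick reference. One entry to re-verify: the Unraid AdGuard row carries MAC 02:42:C0:A8:1F:04, which is Docker's generated pattern (02:42 followed by the container's IPv4) for 192.168.31.4, the pre-migration address; if that container's MAC is still derived from its IP, the instance now on 192.168.10.10 will no longer match this static lease, so check the live MAC after the move. Finally, "Requires WPA+TKIP" on the Tuya gateway should say which SSID is left TKIP-capable, since that SSID has to be confined to VLAN 30 and never shared with Trusted or Management.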

docs/08-DNS-ARCHITECTURE.md Normal file

@@ -0,0 +1,387 @@
# DNS Architecture with AdGuard Failover
**Last Updated:** 2026-02-06
---
## Overview
Dual AdGuard DNS setup with automatic failover. All DNS queries are filtered through AdGuard for ad-blocking, and if the primary (MikroTik) fails, traffic automatically switches to secondary (Unraid).
---
## Architecture
```
┌─────────────────────────────────────┐
│ INTERNET │
│ │
│ External clients (DoT/DoH) │
│ dns.xtrm-lab.org:853 (DoT) │
│ dns.xtrm-lab.org:8443 (DoH) │
└──────────────┬──────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ MikroTik hAP ax³ (192.168.10.1) │
│ │
│ ┌────────────────────────────────────────────────────────────────────────┐ │
│ │ AdGuard Home (PRIMARY) │ │
│ │ Container: 172.17.0.2 │ │
│ │ Web UI: http://192.168.10.1:3000 │ │
│ │ │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ Filters │ │ Blocklists │ │ Clients │ │ │
│ │ │ (synced) │ │ 143K rules │ │ (synced) │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │
│ └────────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ Netwatch monitors every 10s │
│ │ │
│ ┌─────────┴─────────┐ │
│ │ │ │
│ Container UP Container DOWN │
│ │ │ │
│ ▼ ▼ │
│ NAT → 172.17.0.2 NAT → 192.168.10.10 │
│ (MikroTik) (Unraid Failover) │
└──────────────────────────────────────────────────────────────────────────────┘
▲ ▲ ▲
│ │ │
NAT Redirect NAT Redirect NAT Redirect
│ │ │
┌───────┴───────┐ ┌────────┴────────┐ ┌────────┴────────┐
│ VLAN 10 │ │ VLAN 20/25 │ │ VLAN 30/40 │
│ Management │ │ Trusted/Kids │ │ IoT/CatchAll │
│ 192.168.10.x │ │ 192.168.20.x │ │ 192.168.30.x │
│ │ │ 192.168.25.x │ │ 192.168.1.x │
└───────────────┘ └─────────────────┘ └─────────────────┘
```
---
## AdGuard Instances
| Instance | Role | IP | Port | Web UI |
|----------|------|-----|------|--------|
| MikroTik | Primary | 172.17.0.2 | 53 | http://192.168.10.1:3000 |
| Unraid | Secondary/Failover | 192.168.10.10 | 3000 | http://192.168.10.10:3000 |
### Credentials (Same for Both)
| Username | Password |
|----------|----------|
| jazzymc | 7RqWElENNbZnPW |
---
## DNS Redirect Rules
All DNS queries (port 53) from any VLAN are intercepted and redirected:
| VLAN | Subnet | Redirected To |
|------|--------|---------------|
| 10 | 192.168.10.0/24 | 172.17.0.2:53 |
| 20 | 192.168.20.0/24 | 172.17.0.2:53 |
| 25 | 192.168.25.0/24 | 172.17.0.2:53 |
| 30 | 192.168.30.0/24 | 172.17.0.2:53 |
| 40 | 192.168.1.0/24 | 172.17.0.2:53 |
**Note:** Clients don't need any DNS configuration - even if they use 8.8.8.8, traffic is intercepted by NAT.
### NAT Rules on MikroTik
```routeros
# Exception rules (prevent loops) - MUST BE FIRST
/ip firewall nat
add chain=dstnat action=accept protocol=udp src-address=172.17.0.0/24 dst-port=53 comment="[DNS] Allow MikroTik AdGuard outbound"
add chain=dstnat action=accept protocol=udp src-address=192.168.10.10 dst-port=53 comment="[DNS] Allow Unraid AdGuard outbound"
# VLAN redirect rules
add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.10.0/24 dst-port=53 comment="[DNS] VLAN10 Mgmt redirect"
add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.20.0/24 dst-port=53 comment="[DNS] VLAN20 Trusted redirect"
add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.25.0/24 dst-port=53 comment="[DNS] VLAN25 Kids redirect"
add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.30.0/24 dst-port=53 comment="[DNS] VLAN30 IoT redirect"
add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.1.0/24 dst-port=53 comment="[DNS] VLAN40 CatchAll redirect"
# Masquerade for return traffic
add chain=srcnat action=masquerade protocol=udp src-address=192.168.10.0/24 dst-address=172.17.0.2 dst-port=53 comment="[DNS] VLAN10 masquerade"
# ... (similar for other VLANs)
```
---
## Automatic Failover
### How It Works (Dual Health Check)
Two independent Netwatch monitors trigger failover:
| Monitor | Type | What It Checks | Interval | Timeout |
|---------|------|----------------|----------|---------|
| Ping | simple | Container reachable | 10s | 3s |
| DNS | dns | DNS queries work | 30s | 10s |
**Either monitor failing triggers failover to Unraid.**
### Failure Scenarios Covered
| Scenario | Ping Check | DNS Check | Failover? |
|----------|------------|-----------|-----------|
| Container crashed | Fail | Fail | Yes |
| Container stopped | Fail | Fail | Yes |
| Network/routing issue | Fail | Fail | Yes |
| Upstream DNS unreachable | Pass | Fail | Yes |
| AdGuard overloaded | Pass | Fail | Yes |
| Everything working | Pass | Pass | No |
### Failover Timeline
| Event | Detection Time | Total Switchover |
|-------|----------------|------------------|
| Container crash (ping) | ~10-13 seconds | ~13-16 seconds |
| DNS failure (resolution) | ~30-40 seconds | ~33-43 seconds |
| Recovery | ~10-30 seconds | Automatic |
### Failover Scripts
```routeros
# dns-failover-down (runs when either check fails)
/system script add name=dns-failover-down dont-require-permissions=yes source={
:log warning "DNS Failover: Switching to Unraid"
/ip firewall nat set [find where comment~"VLAN" and comment~"redirect"] to-addresses=192.168.10.10 to-ports=3000
}
# dns-failover-up (runs when check recovers)
/system script add name=dns-failover-up dont-require-permissions=yes source={
:log info "DNS Failover: Switching back to MikroTik"
/ip firewall nat set [find where comment~"VLAN" and comment~"redirect"] to-addresses=172.17.0.2 to-ports=53
}
```
### Netwatch Configuration
```routeros
# Monitor 1: Ping check (fast crash detection)
/tool netwatch add type=simple host=172.17.0.2 interval=10s timeout=3s \
up-script=dns-failover-up down-script=dns-failover-down \
comment="AdGuard failover monitor"
# Monitor 2: DNS resolution check (functional verification)
/tool netwatch add type=dns host=google.com interval=30s timeout=10s \
up-script=dns-failover-up down-script=dns-failover-down \
comment="AdGuard DNS resolution check"
```
---
## Sync Configuration
Settings are synced from Unraid (source of truth) to MikroTik every 30 minutes.
### What Syncs
| Feature | Synced |
|---------|--------|
| Filter lists (blocklists) | Yes |
| User rules (custom blocks/allows) | Yes |
| Client settings (per-device rules) | Yes |
| Services (blocked services) | Yes |
| Rewrites (custom DNS entries) | Yes |
| DNS server config | No |
| DHCP settings | No |
| Query logs/stats | No |
### Sync Container
```yaml
# /mnt/user/appdata/adguard-sync/adguardhome-sync.yaml
cron: "*/30 * * * *"
runOnStart: true
origin:
url: http://192.168.10.10:3000
username: jazzymc
password: 7RqWElENNbZnPW
replicas:
- url: http://192.168.10.1:3000
username: jazzymc
password: 7RqWElENNbZnPW
features:
dns:
serverConfig: false
accessLists: true
rewrites: true
filters: true
clientSettings: true
services: true
```
**Note:** The sync container must be connected to both `dockerproxy` and `br0` networks to reach both AdGuard instances.
---
## Container Configuration (MikroTik)
### Container Details
| Setting | Value |
|---------|-------|
| Image | adguard/adguardhome:latest |
| Interface | veth-adguard |
| IP | 172.17.0.2/24 |
| Gateway | 172.17.0.1 |
| Root dir | usb1/adguard/root |
| Config mount | usb1/adguard/conf → /opt/adguardhome/conf |
| Work mount | usb1/adguard/work → /opt/adguardhome/work |
| Start on boot | Yes |
### Container Commands
```routeros
# Check status
/container print
# Start container
/container start 0
# Stop container
/container stop 0
# View logs
/log print where topics~"container"
```
---
## Upstream DNS
Both AdGuard instances use the same upstream:
| Upstream | Type |
|----------|------|
| https://dns.quad9.net/dns-query | Primary (DoH) |
| 9.9.9.9 | Bootstrap |
| 149.112.112.112 | Bootstrap secondary |
---
## Management
| Task | Where to Do It |
|------|----------------|
| Change blocklists | Unraid AdGuard (syncs to MikroTik) |
| Add custom rules | Unraid AdGuard |
| Add client settings | Unraid AdGuard |
| View query logs | MikroTik AdGuard (real-time) |
| Check failover status | MikroTik `/tool netwatch print` |
---
## Troubleshooting
### Check Failover Status
```routeros
/tool netwatch print
# Both monitors should show STATUS=up normally
# Monitor 0: Ping check
# Monitor 1: DNS resolution check
```
### Check Current DNS Target
```routeros
/ip firewall nat print where comment~"VLAN10 Mgmt redirect"
# to-addresses should be 172.17.0.2 (normal) or 192.168.10.10 (failover)
```
### View Failover Logs
```routeros
/log print where message~"Failover"
```
### Manual Failover Test
```routeros
# Stop container (triggers failover)
/container stop 0
# Wait 15 seconds, check NAT rules switched to 192.168.10.10
# Start container (triggers recovery)
/container start 0
# Wait 15 seconds, check NAT rules switched back to 172.17.0.2
```
### DNS Not Working
1. Check container is running: `/container print`
2. Check netwatch status: `/tool netwatch print`
3. Test DNS directly: `:resolve google.com server=172.17.0.2`
4. Check NAT rules: `/ip firewall nat print where comment~"DNS"`
5. **Check /32 routes exist:** `/ip route print where dst-address~"172.17.0.[23]"`
6. **Ping container:** `/ping 172.17.0.2 count=3`
### Container Reachable but DNS Fails
If ping works but DNS queries timeout:
1. Check container can reach upstream: Look for timeout errors in logs
2. Verify /32 routes: Missing routes cause ECMP issues
3. Check NAT masquerade: `/ip firewall nat print where comment~"Container"`
4. Verify routes:
```routeros
/ip route print where dst-address~"172.17"
# Should show /32 routes for each container IP
```
### Sync Not Working
```bash
# On Unraid
docker logs adguardhome-sync --tail 20
# Check connectivity
docker exec adguardhome-sync ping -c 2 192.168.10.10
docker exec adguardhome-sync ping -c 2 192.168.10.1
```
---
## Container Network Routing
### Important: /32 Host Routes Required
When running multiple containers on the same subnet (172.17.0.0/24), specific host routes are required to prevent ECMP routing issues:
```routeros
# Without these routes, return traffic may go to wrong container
/ip route add dst-address=172.17.0.2/32 gateway=veth-adguard comment="AdGuard container - specific route"
/ip route add dst-address=172.17.0.3/32 gateway=veth-tailscale comment="Tailscale container - specific route"
```
**Why this matters:** Each veth interface creates a /24 route. With multiple veth interfaces on the same subnet, RouterOS enables ECMP load balancing, sending return traffic to random interfaces.
---
## Quick Reference
### Normal Operation
- DNS queries → MikroTik AdGuard (172.17.0.2)
- Ad blocking active
- ~143,000 filter rules
### During Failover
- DNS queries → Unraid AdGuard (192.168.10.10)
- Ad blocking still active (same rules synced)
- Automatic, no manual intervention needed
### Recovery
- Automatic when container comes back up
- NAT rules switch back to MikroTik
- No DNS interruption for clients
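Review bot: the failover scripts only rewrite the dstnat rules; the srcnat masquerade rules are matched on `dst-address=172.17.0.2 dst-port=53`, so once `dns-failover-down` repoints the redirects to 192.168.10.10:3000 nothing masquerades the redirected queries, and a VLAN 10 client (same subnet as 192.168.10.10) will receive the reply directly from the Unraid host with an un-NATed source and discard it. Have the scripts update the masquerade rules as well, or write the masquerade to match the failover target too. Also confirm the failover port: the instances table gives the Unraid instance port 3000 and its Web UI as http://192.168.10.10:3000, and `to-ports=3000` sends UDP/53 there; AdGuard's DNS listener defaults to 53 and 3000 is its web/setup port, so unless the Unraid instance really serves DNS on 3000 every query goes to the web UI during failover. The two Netwatch monitors share one pair of scripts, so after a container crash the ping monitor recovers in ~10 s and runs `dns-failover-up` while the DNS monitor may still be down (next probe up to 30 s away), flipping traffic back to an instance that is not yet resolving; gate the up-script on both monitors being up, and point the DNS probe explicitly at 172.17.0.2, since otherwise it exercises whatever resolver the router itself is configured with rather than AdGuard. The redirect table covers VLANs 10/20/25/30 plus a "VLAN40 CatchAll" on 192.168.1.0/24 that contradicts the VLAN 40 = 192.168.40.0/24 summary in 06-VLAN-DEVICE-ASSIGNMENT.md, while VLAN 35 Cameras and VLAN 50 Guest have no redirect at all and only UDP is matched; the claim that clients "don't need any DNS configuration" therefore holds only for plaintext UDP/53, and camera, guest, TCP/53 and DoH clients bypass AdGuard. Add rules for 35 and 50 (or the `src-address-list=all-vlans` rule the changelog mentions), include `protocol=tcp`, and consider blocking outbound 853 from IoT/Guest. Last, the "Credentials (Same for Both)" table and the sync YAML commit the AdGuard admin password in plaintext to a repo with a CI pipeline attached; rotate it now that it is in history and replace it in both places with a placeholder fed from the sync container's environment or a secrets file.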

docs/09-TAILSCALE-VPN.md Normal file

@@ -0,0 +1,208 @@
# MikroTik Tailscale Container Setup
**Last Updated:** 2026-02-06
---
## Overview
Tailscale VPN running as a container on MikroTik hAP ax³, providing remote access to the home network via the Tailscale mesh network.
---
## Architecture
```
┌─────────────────────────────────────────────────────────────────────┐
│ MikroTik hAP ax³ (192.168.10.1) │
│ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ Container Network (172.17.0.0/24) │ │
│ │ │ │
│ │ ┌─────────────────────┐ ┌─────────────────────────┐ │ │
│ │ │ AdGuard Home │ │ Tailscale │ │ │
│ │ │ 172.17.0.2 │ │ 172.17.0.3 │ │ │
│ │ │ veth-adguard │ │ veth-tailscale │ │ │
│ │ └─────────────────────┘ └─────────────────────────┘ │ │
│ │ │ │ │ │
│ │ └───────────┬───────────────┘ │ │
│ │ │ │ │
│ │ Gateway: 172.17.0.1 │ │
│ └─────────────────────────────────────────────────────────────┘ │
│ │ │
│ NAT Masquerade │
│ │ │
│ WAN (ether1) │
└──────────────────────────────┬──────────────────────────────────────┘
┌─────────────────────┐
│ Tailscale Network │
│ 100.x.x.x mesh │
│ │
│ Home Router IP: │
│ 100.74.219.35 │
└─────────────────────┘
```
---
## Container Details
| Setting | Value |
|---------|-------|
| Image | tailscale/tailscale:latest |
| Interface | veth-tailscale |
| Container IP | 172.17.0.3/24 |
| Gateway | 172.17.0.1 |
| Tailscale IP | 100.74.219.35 |
| Root dir | usb1/tailscale/root |
| State mount | usb1/tailscale → /var/lib/tailscale |
| DNS | 8.8.8.8 |
| Start on boot | Yes |
| Networking mode | Userspace (TS_USERSPACE=true) |
---
## Environment Variables
| Variable | Value | Purpose |
|----------|-------|---------|
| TS_AUTHKEY | tskey-auth-... | One-time auth key (used during setup) |
| TS_STATE_DIR | /var/lib/tailscale | Persistent state directory |
| TS_USERSPACE | true | Required for MikroTik containers (no /dev/net/tun) |
---
## Network Configuration
### veth Interface
```routeros
/interface veth add address=172.17.0.3/24 gateway=172.17.0.1 name=veth-tailscale
```
### Gateway IP on Interface
```routeros
/ip address add address=172.17.0.1/24 interface=veth-tailscale comment="Tailscale container gateway"
```
### NAT Masquerade for Internet Access
```routeros
/ip firewall nat add chain=srcnat action=masquerade src-address=172.17.0.0/24 out-interface-list=WAN comment="Container network NAT"
```
### Firewall Forward Rules
```routeros
/ip firewall filter add chain=forward action=accept dst-address=172.17.0.0/24 comment="[Container] Forward to container network"
/ip firewall filter add chain=forward action=accept src-address=172.17.0.0/24 comment="[Container] Forward from container network"
```
---
## Container Setup Commands
### Create Mounts
```routeros
/container mounts add list=ts-state src=usb1/tailscale dst=/var/lib/tailscale
```
### Create Environment Variables
```routeros
/container envs add list=ts-env key=TS_STATE_DIR value=/var/lib/tailscale
/container envs add list=ts-env key=TS_USERSPACE value=true
/container envs add list=ts-env key=TS_AUTHKEY value=<your-auth-key>
```
### Create Container
```routeros
/container add remote-image=tailscale/tailscale:latest interface=veth-tailscale \
root-dir=usb1/tailscale/root mountlists=ts-state envlists=ts-env \
dns=8.8.8.8 start-on-boot=yes logging=yes
```
---
## Management
### Check Container Status
```routeros
/container print
```
### View Logs
```routeros
/log print where topics~"container" and message~"tailscale"
```
### Start/Stop Container
```routeros
/container start [find name~"tailscale"]
/container stop [find name~"tailscale"]
```
---
## Troubleshooting
### Container Won't Start (Exit Status 1)
**Cause:** Missing /dev/net/tun device (default for Tailscale)
**Solution:** Enable userspace networking mode:
```routeros
/container envs add list=ts-env key=TS_USERSPACE value=true
```
### Can't Reach Internet from Container
**Cause:** Missing NAT masquerade or gateway IP
**Solution:**
1. Verify gateway IP on veth interface:
```routeros
/ip address print where interface=veth-tailscale
```
2. Verify NAT masquerade rule:
```routeros
/ip firewall nat print where src-address=172.17.0.0/24
```
### Container Not Connecting to Tailscale
1. Check DNS resolution works (logs should show no timeout)
2. Verify auth key is valid and not expired
3. Check firewall isn't blocking outbound HTTPS
---
## Tailscale Network Devices
| Tailscale IP | Device | Status |
|--------------|--------|--------|
| 100.74.219.35 | MikroTik hAP ax³ (container) | Online |
| 100.100.208.70 | xtrm-unraid | Online |
| 100.112.103.7 | hapax3 (old native install) | Offline |
| 100.75.93.123 | mikrotik-tailscale (previous container) | Offline |
---
## Important Notes
1. **Userspace Networking Required:** MikroTik containers don't have /dev/net/tun access, so TS_USERSPACE=true is mandatory
2. **Auth Key:** After initial authentication, the key is no longer needed - state is persisted in the mount
3. **Container Network:** Both AdGuard and Tailscale share the 172.17.0.0/24 network but have separate veth interfaces
4. **Accept Routes:** If subnet routing is needed, add TS_EXTRA_ARGS="--accept-routes" to environment
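Review bot: Important Notes item 4 has the flag backwards: `--accept-routes` makes this node accept routes advertised by other tailnet nodes; to expose the home VLANs through this container the routes have to be advertised from it (`--advertise-routes=192.168.10.0/24,...` via TS_EXTRA_ARGS, or the image's TS_ROUTES variable) and approved in the admin console. As written, the overview's "remote access to the home network" reaches only the container itself. The forward rules accept any traffic to or from 172.17.0.0/24 with no interface or VLAN restriction, so IoT and Guest devices can reach the container network and, once routes are advertised, every tailnet peer can reach every VLAN including Management; scope them with in-interface-list/out-interface-list or per-VLAN dst-address so the VPN does not undo the segmentation. The container is still documented with `dns=8.8.8.8` (details table and `/container add`) although the archived changelog in this same commit records the Tailscale DNS being changed to 172.17.0.1,1.1.1.1; keep the two in agreement. And TS_AUTHKEY remains in the ts-env list after enrollment, readable to anyone who can run `/container envs print`, even though note 2 says it is no longer needed: remove the entry once state is persisted, and enroll with a single-use, tagged key.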

docs/CHANGELOG.md Normal file

@@ -0,0 +1,228 @@
# Infrastructure Changelog
**Purpose:** Major infrastructure events only. Minor changes are in git commit messages.
---
## 2026-02-06
### Documentation Restructure
- **[DOCS]** Restructured docs/ from 23 files to clean 9-doc structure
- **[DOCS]** Archived 12 completed VLAN migration project docs to archive/vlan-migration/
- **[DOCS]** Archived 5 done/superseded WIP docs (VLAN proposals, AI stack, Fossorial, DNS backup)
- **[DOCS]** Created standing reference docs: 08-DNS-ARCHITECTURE.md, 09-TAILSCALE-VPN.md
- **[DOCS]** Renamed docs to clean numbering (05-PORT-UTILIZATION, 06-VLAN-DEVICE-ASSIGNMENT, 07-WIFI-CAPSMAN-CONFIG)
- **[DOCS]** Merged 00-CHANGELOG.md + 06-CHANGELOG.md → CHANGELOG.md
- **[DOCS]** Updated all core docs with current VLAN IPs (192.168.31.x → 192.168.10.x)
- **[DOCS]** Fixed CSS1 IP: 192.168.10.9 → 192.168.10.3, ZX1 IP: 192.168.10.7 → 192.168.10.4
- **[DOCS]** Cleaned 06-VLAN-DEVICE-ASSIGNMENT.md: removed migration-era columns and sections, fixed VLAN 25 subnet
- **[DOCS]** Updated README.md, CLAUDE.md, archive/README.md, wip/README.md
---
## 2026-02-01
### WIP Documentation
- **[DOCS]** Added KVM-SWITCH-MAC-NOBARA.md - Software KVM for Mac/Nobara switching
- DDC/CI monitor control (Dell U3821DW) + HID++ Logitech peripheral switching
- Scripts created on Mac at ~/scripts/
---
## 2026-01-31
### Docker Cleanup
- **[DOCKER]** Removed 18 unused images (~4.9 GB reclaimed)
- **[DOCKER]** Removed 12 dangling images (old builds, untagged)
- **[DOCKER]** Removed Slurpit stack images (warehouse, portal, scanner, scraper)
- **[DOCKER]** Removed unused MongoDB 8 and MariaDB 11 images
- **[DOCKER]** Removed 35 orphaned volumes (~1.15 GB reclaimed)
- **[DOCKER]** Removed 28 anonymous dangling volumes
- **[DOCKER]** Removed 6 nextcloud_aio_* volumes (from old AIO install)
- **[DOCKER]** Removed orphaned redis-data volume
- **[DOCKER]** **Total reclaimed: ~6 GB**
### Kept (Stopped Containers)
- open-webui, ollama (AI stack - for future use)
- pgAdmin4 (database management)
- diode-hydra-migrate, diode-auth-bootstrap (one-time migration jobs)
---
## 2026-01-27
### VLAN Filtering Rolled Back
- **[VLAN]** Enabled VLAN filtering - caused connectivity issues
- **[VLAN]** ZX1 switch unreachable after activation (no management IP responding)
- **[VLAN]** CSS326 traffic routing through ZX1 (not direct eth3 link)
- **[VLAN]** **Rolled back** - VLAN filtering disabled
- **[CONFIG]** Added eth4 (ZX1) to all VLAN tagged lists for future use
- **[STATUS]** Network back to Legacy mode (192.168.31.0/24)
- **[TODO]** Need physical access to ZX1 to configure VLAN trunking
### Issues Identified
- ZX1 switch not responding on documented IP 192.168.31.22
- ZX1 may need VLAN trunk configuration before re-enabling filtering
- All CSS326 traffic goes via ZX1→HAP1, not direct CSS326→HAP1 link (STP?)
---
## 2026-01-26
### VLAN Filtering Activated
- **[VLAN]** VLAN filtering enabled on MikroTik bridge - SUCCESSFUL
- **[VLAN]** Internet connectivity verified (ping 1.1.1.1, google.com)
- **[VLAN]** DNS resolution working through AdGuard
- **[VLAN]** All previous fixes (DHCP DNS, firewall, NAT masquerade) working correctly
- **[STATUS]** Network segmentation now ACTIVE
### Local AI Stack Deployed
- **[AI]** Deployed Ollama container with Intel GPU passthrough
- **[AI]** Deployed Open WebUI at http://192.168.31.2:3080
- **[AI]** Installed qwen2.5-coder:7b base model
- **[AI]** Created custom `unraid-assistant` model with infrastructure knowledge
- **[AI]** Created `/usr/local/bin/ai` terminal helper command
- **[AI]** Stopped non-critical containers for RAM: karakeep, unimus, homarr, netdisco-*
### VLAN Activation Attempt & Fixes
- **[VLAN]** Configured CSS326 switch VLANs via SwOS web interface
- **[VLAN]** Enabled VLAN filtering on MikroTik - caused internet outage
- **[VLAN]** Rolled back VLAN filtering to restore connectivity
- **[VLAN]** **ROOT CAUSE IDENTIFIED:** Multiple configuration issues
### Issues Fixed
- **[FIX]** DHCP DNS now points to each VLAN gateway instead of legacy 192.168.31.1
- **[FIX]** Added DNS redirect rules for all VLANs (src-address-list=all-vlans)
- **[FIX]** Added all VLAN interfaces to LAN firewall interface list
- **[FIX]** Added NAT masquerade rules for VLAN traffic to AdGuard container
- **[BACKUP]** MikroTik config saved before activation attempt
---
## 2026-01-25
### VLAN Phase 1 Complete
- **[VLAN]** Added VLAN 25 (Kids) - interface, IP, DHCP server, pool, bridge entry
- **[VLAN]** Fixed VLAN 10 (Management) leases - correct IPs per device assignment doc
- **[VLAN]** Fixed VLAN 30 (IoT) leases - all 14 devices with correct IPs
- **[VLAN]** Added VLAN 25 (Kids) leases - 6 devices including XTRM-Ally
- **[VLAN]** Added VLAN 50 (Guest) leases - 7 unknown devices
- **[VLAN]** Added firewall rules for VLAN 25 (Kids → IoT, Legacy, DNS)
- **[VLAN]** Total devices configured: 44
### VLAN Implementation (Prepared)
- **[VLAN]** Created 6 VLANs on MikroTik bridge (10, 20, 30, 35, 40, 50)
- **[VLAN]** Configured IP addresses for all VLAN interfaces
- **[VLAN]** Created DHCP servers and pools for each VLAN
- **[VLAN]** Added static DHCP leases mapping MACs to VLAN IPs
- **[VLAN]** Configured bridge VLAN table with tagged/untagged ports
- **[VLAN]** Set WiFi ports PVID=20 (Trusted VLAN default)
- **[VLAN]** Added inter-VLAN firewall rules (active)
- **[VLAN]** VLAN filtering NOT YET ENABLED (pending CSS326 switch config)
- **[DOCS]** Added docs/11-VLAN-IMPLEMENTATION.md
- **[SCRIPTS]** Added scripts/mikrotik-vlan-setup.rsc and mikrotik-vlan-enable.rsc
### DNS Configuration
- **[DNS]** Updated both AdGuard instances to use Quad9 DoH
- **[DNS]** Bootstrap DNS: 9.9.9.9, 149.112.112.112
### MikroTik Containers
- **[CONTAINER]** AdGuard Home container running on MikroTik (172.17.0.2)
- **[CONTAINER]** Tailscale container configured (172.17.0.3)
- **[CONTAINER]** Fixed Tailscale container authentication
- **[CONTAINER]** Container bridge (containers-br) with NAT
### Network
- **[NETWORK]** Enabled CSS326 SFP1 port - 10G backbone link to ZX1 now active
### Documentation
- **[DOCS]** Created 02-PORT-UTILIZATION.md with ASCII port diagrams
- **[DOCS]** Fixed ZX1 switch IP: 192.168.31.22 (was incorrectly documented as .7)
### Incident
- **[INCIDENT]** DNS outage after MikroTik restart - multiple root causes fixed:
- NAT rules blocking AdGuard outbound DNS (added exception rules)
- DHCP pushing wrong DNS (8.8.8.8 → 192.168.31.1)
- NAT redirect pointing to wrong IP/port (172.17.0.5:5355 → 192.168.31.4:53)
- Asymmetric routing (added srcnat masquerade for DNS redirect)
- **[SERVICE]** Removed MikroTik AdGuard Home container (storage/overlay errors)
- **[SERVICE]** Removed MikroTik Tailscale container (root directory missing)
- **[SERVICE]** Removed Pi-hole/Unbound leftovers from MikroTik (veth, mounts, envs)
- **[NETWORK]** Consolidated DNS architecture: MikroTik → Unraid AdGuard (192.168.31.4) only
- **[DOCS]** Created incident reports in docs/incidents/
- **[DOCS]** Restructured documentation - consolidated into 5 core docs + archive
- **[NETBOX]** Added shelf devices for rack organization (U9, U7, U3)
---
## 2026-01-24
- **[NETBOX]** Standardized device names to NetBox convention (HAP1, CSS1, ZX1)
- **[DOCS]** Created NETWORK-PHYSICAL-MAP.md with complete port maps
---
## 2026-01-23
- **[SERVICE]** Deployed Diode network discovery stack
- **[SERVICE]** Removed Slurp'it (replaced by Diode + NetDisco)
- **[SERVICE]** Consolidated NetBox Redis to shared instance
- **[SERVICE]** Removed redundant DNS services (Unbound, DoH-Server, stunnel-dot)
---
## 2026-01-22
- **[SERVICE]** Migrated NetBox to shared PostgreSQL 17
- **[SERVICE]** Deployed AdGuard Home on MikroTik (primary DNS)
- **[SERVICE]** Deployed AdGuard Home on Unraid (secondary DNS)
- **[SERVICE]** Removed Pi-hole (replaced by AdGuard Home)
- **[DOCS]** Created INFRASTRUCTURE-DIAGRAM.md
---
## 2026-01-21
- **[BACKUP]** Configured Rclone sync to Google Drive
---
## 2026-01-19
- **[SERVICE]** Deployed NetBox IPAM/DCIM
- **[SERVICE]** Deployed NetDisco network discovery
- **[NETWORK]** Enabled SNMP on all MikroTik devices
---
## 2026-01-18
- **[SERVICE]** Deployed Gitea git server
- **[SERVICE]** Deployed Woodpecker CI
- **[NETWORK]** Configured CAPsMAN on HAP1
- **[WIRELESS]** CAP added to CAPsMAN management
---
## 2026-01-17
- **[SERVICE]** Deployed Portainer CE
---
## Previous History
For detailed history before 2026-01-17, see archived changelogs in `archive/`.
---
## Format Guide
```markdown
### YYYY-MM-DD
- **[CATEGORY]** Brief description
Categories:
- [DEVICE] - Hardware added/removed/changed
- [SERVICE] - Container/service deployed/removed
- [NETWORK] - Network topology/config changes
- [WIRELESS] - WiFi/CAPsMAN changes
- [BACKUP] - Backup configuration
- [DOCS] - Major documentation changes
- [INCIDENT] - Outages and fixes
- [VLAN] - VLAN configuration changes
- [DOCKER] - Docker maintenance
```
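Review bot: the Format Guide prescribes `### YYYY-MM-DD` as the date heading, but every dated entry in this file uses an H2 (`## 2026-01-24`, `## 2026-01-23`, ...), so either change the guide line to `## YYYY-MM-DD` or the entries to H3 before the next merge, otherwise future entries will drift between the two. A second, smaller point on the older entries: `[DOCS] Added docs/11-VLAN-IMPLEMENTATION.md` and `Created 02-PORT-UTILIZATION.md` now point at names that this very commit renumbers or archives; keeping the historical wording is right, but a short "(now archived)" / "(now 05-PORT-UTILIZATION.md)" annotation would stop a reader from hunting for files that no longer exist under those names. The `192.168.31.x` addresses in the DNS incident bullets are likewise historical and should stay, but that is worth saying once near the top of the file so nobody "fixes" them later.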

View File

@@ -1,8 +1,8 @@
# Archived Documentation
> ⚠️ **OBSOLETE - DO NOT UPDATE**
> **OBSOLETE - DO NOT UPDATE**
These documents are from the legacy documentation structure (pre-2026-01-25).
These documents are from completed projects and legacy documentation.
They are kept for historical reference only.
**For current documentation, see the parent `docs/` folder:**
@@ -10,7 +10,28 @@ They are kept for historical reference only.
- `02-SERVICES-CRITICAL.md` - Essential services
- `03-SERVICES-OTHER.md` - Non-critical services
- `04-HARDWARE-INVENTORY.md` - Hardware details
- `05-CHANGELOG.md` - Major events
- `05-PORT-UTILIZATION.md` - Device port assignments
- `06-VLAN-DEVICE-ASSIGNMENT.md` - VLAN device mapping
- `07-WIFI-CAPSMAN-CONFIG.md` - WiFi and CAPsMAN settings
- `08-DNS-ARCHITECTURE.md` - DNS failover architecture
- `09-TAILSCALE-VPN.md` - Tailscale VPN setup
- `CHANGELOG.md` - Change history
## Subfolders
### vlan-migration/
12 documents from the VLAN migration project (completed 2026-01-31):
- Migration plans (v1, v2, v3)
- Implementation status trackers
- Setup progress logs
- DNS/AdGuard/Tailscale project docs (superseded by standing docs 08- and 09-)
- Device migration worksheet
### Legacy Docs (root archive/)
- Pre-2026-01-25 documentation structure
- Completed WIP items (VLAN proposals, AI stack, Fossorial tunnels)
- Historical changelogs
**Do not reference these archived documents for current state.**
All relevant information has been migrated to the new structure.
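Review bot: the `vlan-migration/` section describes the 12 archived documents by category ("Migration plans (v1, v2, v3)", "Implementation status trackers") rather than by filename, so a reader cannot check that the set is complete or find a specific plan; listing the actual filenames under each bullet would make the archive navigable. Because those documents capture pre-cutover state (old addressing, VLAN filtering still pending), the "Do not reference these archived documents for current state" warning should also live inside `vlan-migration/` itself, e.g. as a one-line README there, since someone opening a plan directly from a search result will never see this top-level notice.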

View File

@@ -104,7 +104,7 @@ pipeline:
when:
path: configs/xtrm-n5/**
commands:
- ssh root@192.168.31.2 "cd /path && docker compose up -d"
- ssh root@192.168.10.20 "cd /path && docker compose up -d"
secrets: [ssh_key]
deploy-n1:
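Review bot: changing the deploy target from `root@192.168.31.2` to `root@192.168.10.20` has operational prerequisites that the hunk does not mention: the Woodpecker runner's `known_hosts` needs the host key for the new address (and the pipeline should not work around a mismatch by disabling host-key checking), the `ssh_key` secret must be authorized on that host, and the runner needs a firewall path into VLAN 10 (Management) from wherever it runs. Two smaller points: `cd /path` reads as a placeholder, so either put the real compose directory here or mark it clearly as one, and since this step only needs `docker compose up -d`, a dedicated deploy user rather than `root` would limit what the CI secret can do if it leaks.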

View File

@@ -8,9 +8,9 @@ Planned changes, evaluations, and ideas not yet implemented.
| Status | Meaning |
|--------|---------|
| 📋 PLANNED | Approved, waiting for resources/time |
| 🔬 EVALUATING | Under investigation/research |
| 💡 IDEA | Concept, needs further definition |
| PLANNED | Approved, waiting for resources/time |
| EVALUATING | Under investigation/research |
| IDEA | Concept, needs further definition |
---
@@ -20,24 +20,24 @@ Planned changes, evaluations, and ideas not yet implemented.
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
| [UPGRADE-2026-HARDWARE.md](UPGRADE-2026-HARDWARE.md) | 📋 PLANNED | High | N5 Air + N100 server migration |
| [GITOPS-CONTAINERS.md](GITOPS-CONTAINERS.md) | 💡 IDEA | Medium | Container config in Git with CI/CD |
| [UPGRADE-2026-HARDWARE.md](UPGRADE-2026-HARDWARE.md) | PLANNED | High | N5 Air + N100 server migration |
| [GITOPS-CONTAINERS.md](GITOPS-CONTAINERS.md) | IDEA | Medium | Container config in Git with CI/CD |
### Network
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
| [VLAN-SEGMENTATION.md](VLAN-SEGMENTATION.md) | 📋 PLANNED | Medium | Network segmentation (Secure/IoT/Kids/Guest) |
| [FOSSORIAL-TUNNELS.md](FOSSORIAL-TUNNELS.md) | 💡 IDEA | Low | Self-hosted Pangolin/Gerbil tunnels |
| [CONSOLE-PORT-ETHER5.md](CONSOLE-PORT-ETHER5.md) | EVALUATING | Low | Console/serial port on HAP1 ether5 |
| [KVM-SWITCH-MAC-NOBARA.md](KVM-SWITCH-MAC-NOBARA.md) | EVALUATING | Medium | Software KVM for Mac/Nobara switching |
### Applications
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
| [REMOTE-GAMING.md](REMOTE-GAMING.md) | 🔬 EVALUATING | Low | Sunshine + Moonlight game streaming |
| [REMOTE-GAMING.md](REMOTE-GAMING.md) | EVALUATING | Low | Sunshine + Moonlight game streaming |
---
## Completed Items
Move to main docs or archive when done. Update `05-CHANGELOG.md` with major completions.
Move to main docs or archive when done. Update `CHANGELOG.md` with major completions.
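Review bot: the rows for `VLAN-SEGMENTATION.md` and `FOSSORIAL-TUNNELS.md` are dropped from the Network table without replacement, which is correct only if the files were moved out of `wip/` in the same commit; otherwise they remain present but unindexed. The updated "Completed Items" line could also name the destination explicitly (`archive/` for proposals, `archive/vlan-migration/` for VLAN artifacts) so the next completed item lands in the same place these did.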