diff --git a/CLAUDE.md b/CLAUDE.md
index 40c6961..a942e99 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -49,12 +49,16 @@ infrastructure/
└── docs/
├── 01-NETWORK-MAP.md # Network topology
├── 02-SERVICES-CRITICAL.md # P0/P1 services (DNS, Auth, Proxy)
- ├── 02-PORT-UTILIZATION.md # Device port assignments
├── 03-SERVICES-OTHER.md # Non-critical services
- ├── 03-VLAN-DEVICE-ASSIGNMENT.md # VLAN device mapping
├── 04-HARDWARE-INVENTORY.md # Hardware list
- ├── 06-CHANGELOG.md # Change history
- ├── archive/ # Completed phase docs
+ ├── 05-PORT-UTILIZATION.md # Device port assignments
+ ├── 06-VLAN-DEVICE-ASSIGNMENT.md # VLAN device mapping
+ ├── 07-WIFI-CAPSMAN-CONFIG.md # WiFi and CAPsMAN settings
+ ├── 08-DNS-ARCHITECTURE.md # DNS failover architecture
+ ├── 09-TAILSCALE-VPN.md # Tailscale VPN setup
+ ├── CHANGELOG.md # Change history
+ ├── archive/ # Completed/legacy docs
+ │ └── vlan-migration/ # VLAN migration project artifacts
├── incidents/ # Incident reports
└── wip/ # Work in progress
```
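Review bot: the new tree entries `06-VLAN-DEVICE-ASSIGNMENT.md`, `07-WIFI-CAPSMAN-CONFIG.md`, `08-DNS-ARCHITECTURE.md` and `09-TAILSCALE-VPN.md` have no matching file addition anywhere in this patch, and `docs/03-VLAN-DEVICE-ASSIGNMENT.md` is removed as a plain deletion rather than a rename (compare `02-PORT-UTILIZATION.md`, which git does detect as a rename to `05-PORT-UTILIZATION.md`). Either the new files are missing from the commit or they were rewritten heavily enough to defeat rename detection; please confirm they exist in the tree so the pointers in `README.md` and `01-NETWORK-MAP.md` do not dangle.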
@@ -93,7 +97,7 @@ cd /tmp && \
git push
```
-### Changelog Format (docs/06-CHANGELOG.md)
+### Changelog Format (docs/CHANGELOG.md)
```markdown
## YYYY-MM-DD
- [PHASE X] Task description - COMPLETED/FIXED/ISSUE
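Review bot: the changelog format documented here (`## YYYY-MM-DD`, `[PHASE X] Task description - COMPLETED/FIXED/ISSUE`) differs from the Format Guide in the `00-CHANGELOG.md` deleted later in this same patch (`### YYYY-MM-DD`, `**[CATEGORY]** Brief description` with a fixed category list). Since both changelogs are now being folded into one `CHANGELOG.md`, pick one convention here and state it, otherwise the merged file will keep carrying two entry styles.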
diff --git a/README.md b/README.md
index 0c0ab29..bd79984 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# XTRM Home Lab Infrastructure
-**Domain:** xtrm-lab.org
+**Domain:** xtrm-lab.org
**Repository:** https://git.xtrm-lab.org/jazzymc/infrastructure
---
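Review bot: the `-`/`+` pair for `**Domain:** xtrm-lab.org` is textually identical, so this hunk is a whitespace or line-ending change only. If that was not intended, drop it to keep the diff to the addressing changes; if it was (for example trailing-whitespace cleanup), a one-line mention in the commit message saves the next reader from hunting for a difference.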
@@ -22,15 +22,20 @@
```
docs/
-├── 01-NETWORK-MAP.md # Network topology, IPs, Docker networks
-├── 02-SERVICES-CRITICAL.md # DNS, Auth, Routing - must stay up
-├── 03-SERVICES-OTHER.md # All other services
-├── 04-HARDWARE-INVENTORY.md # Physical devices, specs, serials
-├── 00-CHANGELOG.md # Major events only
-├── wip/ # Planned changes & ideas
-│ ├── UPGRADE-2026-HARDWARE.md
-│ └── GITOPS-CONTAINERS.md
-└── archive/ # Legacy docs (read-only)
+├── 01-NETWORK-MAP.md # Network topology, IPs, Docker networks
+├── 02-SERVICES-CRITICAL.md # DNS, Auth, Routing - must stay up
+├── 03-SERVICES-OTHER.md # All other services
+├── 04-HARDWARE-INVENTORY.md # Physical devices, specs, serials
+├── 05-PORT-UTILIZATION.md # Device port assignments
+├── 06-VLAN-DEVICE-ASSIGNMENT.md # VLAN device mapping
+├── 07-WIFI-CAPSMAN-CONFIG.md # WiFi and CAPsMAN settings
+├── 08-DNS-ARCHITECTURE.md # DNS failover architecture
+├── 09-TAILSCALE-VPN.md # Tailscale VPN setup
+├── CHANGELOG.md # Change history
+├── archive/ # Completed/legacy docs
+│ └── vlan-migration/ # VLAN migration project artifacts
+├── incidents/ # Incident reports
+└── wip/ # Work in progress
```
---
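Review bot: the `wip/` listing loses its two named documents (`UPGRADE-2026-HARDWARE.md`, `GITOPS-CONTAINERS.md`), and `00-CHANGELOG.md # Major events only` becomes `CHANGELOG.md # Change history`, while the Change Management section further down in this file still says major changes go in the changelog and minor changes stay in commit messages. Keep the description consistent with that policy (e.g. `# Major events only`), and if the two WIP docs still exist, consider keeping them listed so the README remains the index it claims to be.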
@@ -39,11 +44,11 @@ docs/
| Device | IP | Role |
|--------|-----|------|
-| HAP1 | 192.168.31.1 | Router, DNS, WiFi Controller |
-| XTRM-U | 192.168.31.2 | Production Server (Unraid) |
-| CSS1 | 192.168.31.9 | Distribution Switch |
-| ZX1 | 192.168.31.7 | Core Switch (2.5G) |
-| CAP | 192.168.31.6 | Wireless Access Point |
+| HAP1 | 192.168.10.1 | Router, DNS, WiFi Controller |
+| XTRM-U | 192.168.10.20 | Production Server (Unraid) |
+| CSS1 | 192.168.10.3 | Distribution Switch |
+| ZX1 | 192.168.10.4 | Core Switch (2.5G) |
+| CAP | 192.168.10.6 | Wireless Access Point |
---
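Review bot: the device table now agrees with the VLAN 10 table in `01-NETWORK-MAP.md` (HAP1 .1, CSS1 .3, ZX1 .4, CAP .6, XTRM-U .20), but the Emergency Recovery section below sends the reader to 192.168.10.10 for secondary DNS, and that host is not in this table. A row for the AdGuard Home macvlan (192.168.10.10, DNS Secondary) would let the quick-reference table stand on its own during an outage.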
@@ -51,26 +56,26 @@ docs/
```bash
# Unraid
-ssh -i ~/.ssh/id_ed25519_unraid root@192.168.31.2 -p 422
+ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422
# MikroTik Router
-ssh -i ~/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
+ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1
```
---
## Emergency Recovery
-1. **DNS down?** → Clients fallback to 192.168.31.4 (secondary)
-2. **Internet down?** → Check HAP1 at 192.168.31.1
-3. **Services down?** → Check Unraid at 192.168.31.2
+1. **DNS down?** → Automatic failover to 192.168.10.10 (secondary), see `08-DNS-ARCHITECTURE.md`
+2. **Internet down?** → Check HAP1 at 192.168.10.1
+3. **Services down?** → Check Unraid at 192.168.10.20
4. **Full outage?** → See `02-SERVICES-CRITICAL.md` startup order
---
## Change Management
-- **Major changes:** Document in `00-CHANGELOG.md`
+- **Major changes:** Document in `CHANGELOG.md`
- **Minor changes:** Git commit messages only
- **Planned work:** Create doc in `wip/` folder
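Review bot: the MikroTik SSH line changes the login user from `unraid@` to `xtrm@` in addition to the IP; that is an access change rather than re-addressing and should be recorded somewhere, but this patch deletes both changelogs without a visible replacement, so right now nothing records when or why the user changed. Also, the `DNS down?` step now describes failover as `Automatic` and points at `08-DNS-ARCHITECTURE.md`, which is not added by this patch; please confirm that file is in the tree before the README relies on it during an incident.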
diff --git a/docs/00-CHANGELOG.md b/docs/00-CHANGELOG.md
deleted file mode 100644
index 9e48ed5..0000000
--- a/docs/00-CHANGELOG.md
+++ /dev/null
@@ -1,118 +0,0 @@
-# Infrastructure Changelog
-
-**Purpose:** Major infrastructure events only. Minor changes are in git commit messages.
-
----
-
-## 2026-01
-
-### 2026-01-25
-- **[INCIDENT]** DNS outage after MikroTik restart - multiple root causes fixed:
- - NAT rules blocking AdGuard outbound DNS (added exception rules)
- - DHCP pushing wrong DNS (8.8.8.8 → 192.168.31.1)
- - NAT redirect pointing to wrong IP/port (172.17.0.5:5355 → 192.168.31.4:53)
- - Asymmetric routing (added srcnat masquerade for DNS redirect)
-- **[SERVICE]** Removed MikroTik AdGuard Home container (storage/overlay errors)
-- **[SERVICE]** Removed MikroTik Tailscale container (root directory missing)
-- **[SERVICE]** Removed Pi-hole/Unbound leftovers from MikroTik (veth, mounts, envs)
-- **[NETWORK]** Consolidated DNS architecture: MikroTik → Unraid AdGuard (192.168.31.4) only
-- **[DOCS]** Created incident reports in docs/incidents/
-- **[DOCS]** Restructured documentation - consolidated into 5 core docs + archive
-- **[NETBOX]** Added shelf devices for rack organization (U9, U7, U3)
-
-### 2026-01-24
-- **[NETBOX]** Standardized device names to NetBox convention (HAP1, CSS1, ZX1)
-- **[DOCS]** Created NETWORK-PHYSICAL-MAP.md with complete port maps
-
-### 2026-01-23
-- **[SERVICE]** Deployed Diode network discovery stack
-- **[SERVICE]** Removed Slurp'it (replaced by Diode + NetDisco)
-- **[SERVICE]** Consolidated NetBox Redis to shared instance
-- **[SERVICE]** Removed redundant DNS services (Unbound, DoH-Server, stunnel-dot)
-
-### 2026-01-22
-- **[SERVICE]** Migrated NetBox to shared PostgreSQL 17
-- **[SERVICE]** Deployed AdGuard Home on MikroTik (primary DNS)
-- **[SERVICE]** Deployed AdGuard Home on Unraid (secondary DNS)
-- **[SERVICE]** Removed Pi-hole (replaced by AdGuard Home)
-- **[DOCS]** Created INFRASTRUCTURE-DIAGRAM.md
-
-### 2026-01-21
-- **[BACKUP]** Configured Rclone sync to Google Drive
-
-### 2026-01-19
-- **[SERVICE]** Deployed NetBox IPAM/DCIM
-- **[SERVICE]** Deployed NetDisco network discovery
-- **[NETWORK]** Enabled SNMP on all MikroTik devices
-
-### 2026-01-18
-- **[SERVICE]** Deployed Gitea git server
-- **[SERVICE]** Deployed Woodpecker CI
-- **[NETWORK]** Configured CAPsMAN on HAP1
-- **[WIRELESS]** CAP added to CAPsMAN management
-
-### 2026-01-17
-- **[SERVICE]** Deployed Portainer CE
-
----
-
-## Format Guide
-
-```markdown
-### YYYY-MM-DD
-- **[CATEGORY]** Brief description
-
-Categories:
-- [DEVICE] - Hardware added/removed/changed
-- [SERVICE] - Container/service deployed/removed
-- [NETWORK] - Network topology/config changes
-- [WIRELESS] - WiFi/CAPsMAN changes
-- [BACKUP] - Backup configuration
-- [DOCS] - Major documentation changes
-- [INCIDENT] - Outages and fixes
-```
-
----
-
-## Previous History
-
-For detailed history before 2026-01-17, see archived changelogs:
-- `archive/06-CHANGELOG.md`
-- `archive/07-CHANGELOG.md`
-- `archive/00-CHANGELOG.md`
-
-## 2026-01-25
-- [PHASE DNS] MikroTik AdGuard Home container installed - COMPLETED
- - Container: adguardhome v0.107.71 on veth-adguard (172.17.0.2/24)
- - Upstreams: 192.168.31.4 (Unraid AdGuard), 8.8.8.8, 1.1.1.1
- - TLS enabled with Let's Encrypt cert for dns.xtrm-lab.org
- - DoT on port 853, DoH on port 8443 (external)
- - LAN DNS redirect updated to use MikroTik AdGuard
- - Old docker-bridge removed (routing conflict)
- - Web UI at http://192.168.31.1:3000
-- [ISSUE] Container failed after restart with 'could not load config json'
- - Fix: Removed and recreated container, added mountlists, restarted
- - AdGuard config preserved (on separate mount)
- - Documented fix in 09-MIKROTIK-ADGUARD-DOT-DOH.md
-- [CONTAINERS] Created container bridge (containers-br) for shared networking
- - Both AdGuard and Tailscale containers now use the same bridge
- - Added NAT masquerade for container outbound traffic
-- [SERVICE] Tailscale container installed and running
- - Image: tailscale/tailscale:latest
- - IP: 172.17.0.3/24 on veth-tailscale
- - State persisted to usb1/tailscale/state
- - Userspace mode enabled
-
-## 2026-01-25 (VLAN Implementation)
-- [VLAN] Created VLAN interfaces on bridge:
- - VLAN 10: Management (192.168.10.0/24)
- - VLAN 20: Trusted (192.168.20.0/24)
- - VLAN 30: IoT (192.168.30.0/24)
- - VLAN 35: Cameras (192.168.35.0/24)
- - VLAN 40: Servers (192.168.40.0/24)
- - VLAN 50: Guest (192.168.50.0/24)
-- [VLAN] DHCP servers configured for all VLANs
-- [VLAN] Inter-VLAN firewall rules created
-- [VLAN] WiFi SSIDs created: Home-Trusted, Home-IoT, Home-Guest
-- [STATUS] VLAN filtering NOT yet enabled (Phase 1 complete)
-- [NOTE] Legacy 192.168.31.0/24 still active for transition
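Review bot: this deletes `docs/00-CHANGELOG.md` outright, and no `docs/CHANGELOG.md` addition appears in the patch, so the 2026-01-17 through 2026-01-25 history (including the 2026-01-25 DNS outage and its four root causes) would vanish from the tree unless it was carried over in a commit not shown here. When migrating, note that the file already mixed two conventions: the Format Guide's `### YYYY-MM-DD` / `**[CATEGORY]**` entries, and the `## 2026-01-25` / `[PHASE DNS]` blocks appended after the `Previous History` pointer. One thing worth preserving: these entries record the MikroTik AdGuard container at 172.17.0.2 and Tailscale at 172.17.0.3, which is exactly the correction applied to `01-NETWORK-MAP.md` later in this patch, so the changelog was the accurate source and the map was stale.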
diff --git a/docs/01-NETWORK-MAP.md b/docs/01-NETWORK-MAP.md
index 59bf465..4f94bbc 100644
--- a/docs/01-NETWORK-MAP.md
+++ b/docs/01-NETWORK-MAP.md
@@ -1,6 +1,6 @@
# Network Map - xtrm-lab.org
-**Last Updated:** 2026-02-02
+**Last Updated:** 2026-02-06
**Domain:** xtrm-lab.org
**WAN IP:** 62.73.120.142
@@ -27,19 +27,19 @@ flowchart TB
end
subgraph Rack19["19" Rack (3U)"]
- HAP1["HAP1 | hAP ax³
192.168.31.1"]
+ HAP1["HAP1 | hAP ax³
192.168.10.1"]
PP1["PP1 | 24-port"]
- CSS1["CSS1 | CSS326-24G-2S+
192.168.31.9"]
+ CSS1["CSS1 | CSS326-24G-2S+
192.168.10.3"]
end
subgraph Rack10["10" Rack (9U)"]
- ZX1["ZX1 | ZX-SWTGW218AS
192.168.31.22"]
+ ZX1["ZX1 | ZX-SWTGW218AS
192.168.10.4"]
PP2["PP2 | 12-port"]
- XTRMU["XTRM-U
192.168.31.2"]
+ XTRMU["XTRM-U
192.168.10.20"]
end
subgraph Wireless["WiFi"]
- CAP["CAP | cAP XL ac
192.168.31.6"]
+ CAP["CAP | cAP XL ac
192.168.10.6"]
end
ISP -->|"ether1 WAN"| HAP1
@@ -63,17 +63,17 @@ flowchart TB
|---|--------|-------|-----|-------|
| U9 | Shelf + ISP Gateway | Vivacom ONT | 62.73.120.2 | WAN |
| U8 | PP2 | 10" 12-port Cat6a | - | Patch panel |
-| U7 | Shelf + ZX1 | ZX-SWTGW218AS | 192.168.31.22 | 8x2.5G + 2x10G SFP+ |
+| U7 | Shelf + ZX1 | ZX-SWTGW218AS | 192.168.10.4 | 8x2.5G + 2x10G SFP+ |
| U6 | (empty) | - | - | Reserved for XTRM-N1 |
-| U1-U4 | XTRM-U | NAS Server | 192.168.31.2 | 4x 2.5GbE bond |
+| U1-U4 | XTRM-U | NAS Server | 192.168.10.20 | 4x 2.5GbE bond |
#### 19" Rack (3U)
| U | Device | Model | IP | Notes |
|---|--------|-------|-----|-------|
-| U3 | Shelf + HAP1 | hAP ax³ | 192.168.31.1 | Router + WiFi controller |
+| U3 | Shelf + HAP1 | hAP ax³ | 192.168.10.1 | Router + WiFi controller |
| U2.5 | PP1 | 19" 24-port Cat6a | - | Room connections |
-| U1 | CSS1 | CSS326-24G-2S+ | 192.168.31.9 | 24x1G + 2x10G SFP+ |
+| U1 | CSS1 | CSS326-24G-2S+ | 192.168.10.3 | 24x1G + 2x10G SFP+ |
### HAP ax³ Port Assignments
@@ -99,33 +99,29 @@ flowchart TB
## IP Address Allocation
-### Network: 192.168.31.0/24
+### VLAN Summary
-#### Infrastructure Devices
+| VLAN | Subnet | Gateway | Purpose |
+|------|--------|---------|---------|
+| 10 | 192.168.10.0/24 | 192.168.10.1 | Management |
+| 20 | 192.168.20.0/24 | 192.168.20.1 | Trusted |
+| 25 | 192.168.25.0/24 | 192.168.25.1 | Kids |
+| 30 | 192.168.30.0/24 | 192.168.30.1 | IoT |
+| 40 | 192.168.1.0/24 | 192.168.1.1 | CatchAll |
-| IP | Device | Type | MAC |
-|----|--------|------|-----|
-| 192.168.31.1 | HAP1 \| hAP ax³ | Router | 78:9A:18:2C:A5:48 |
-| 192.168.31.2 | XTRM-U | Server | A8:B8:E0:02:B6:15 |
-| 192.168.31.6 | CAP \| cAP XL ac | Access Point | 18:FD:74:54:3D:BC |
-| 192.168.31.22 | ZX1 \| ZX-SWTGW218AS | Switch | 1C:2A:A3:1E:78:67 |
-| 192.168.31.9 | CSS1 \| CSS326-24G-2S+ | Switch | F4:1E:57:C9:BD:09 |
+### VLAN 10 - Infrastructure Devices
-#### Containers (br0 Macvlan)
+| IP | Device | Type |
+|----|--------|------|
+| 192.168.10.1 | HAP1 \| hAP ax³ | Router |
+| 192.168.10.3 | CSS1 \| CSS326-24G-2S+ | Switch |
+| 192.168.10.4 | ZX1 \| ZX-SWTGW218AS | Switch |
+| 192.168.10.6 | CAP \| cAP XL ac | Access Point |
+| 192.168.10.10 | AdGuard Home (Unraid macvlan) | DNS Secondary |
+| 192.168.10.20 | XTRM-U | Server |
+| 192.168.10.200 | NanoKVM | Remote KVM |
-| IP | Container | Purpose |
-|----|-----------|---------|
-| 192.168.31.4 | AdGuard Home | DNS Secondary |
-| 192.168.31.5 | Unbound | Recursive DNS (stopped) |
-| 192.168.31.12 | TimeMachine | macOS backups |
-
-#### DHCP Ranges
-
-| Range | Purpose |
-|-------|---------|
-| 192.168.31.10-99 | Reserved (static) |
-| 192.168.31.100-200 | DHCP Pool |
-| 192.168.31.201-254 | Reserved |
+For complete device-to-VLAN mapping, see `06-VLAN-DEVICE-ASSIGNMENT.md`.
---
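Review bot: the new VLAN Summary lists VLAN 40 as `192.168.1.0/24` / gateway `192.168.1.1` / `CatchAll`, which contradicts every other reference to VLAN 40 in this patch (`VLAN 40: Servers (192.168.40.0/24)` in the deleted `00-CHANGELOG.md`, and the `VLAN 40 - Servers` table with `192.168.40.0/24` in the deleted `03-VLAN-DEVICE-ASSIGNMENT.md`), and VLANs 35 (Cameras) and 50 (Guest) disappear from the summary without comment. If 35 and 50 were dropped and 40 repurposed, say so in the commit message; if not, this table is wrong. The hunk also removes the DHCP range table (`Reserved (static)` / `DHCP Pool` / `Reserved`) and defers to `06-VLAN-DEVICE-ASSIGNMENT.md`, which this patch does not add, so confirm that document actually carries the per-VLAN pools.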
@@ -133,12 +129,12 @@ flowchart TB
### HAP1 (MikroTik Router)
-**Network:** 172.17.0.0/16 (bridge)
+**Network:** 172.17.0.0/24 (veth)
| Container | IP | Purpose |
|-----------|-----|---------|
-| AdGuard Home | 172.17.0.5 | DNS Primary (DoH/DoT/DoQ) |
-| Tailscale | 172.17.0.4 | VPN mesh |
+| AdGuard Home | 172.17.0.2 | DNS Primary (DoH/DoT/DoQ) |
+| Tailscale | 172.17.0.3 | VPN mesh |
### XTRM-U (Unraid Server)
@@ -264,8 +260,8 @@ flowchart TB
| External Port | Destination | Service |
|---------------|-------------|---------|
-| 853 | 172.17.0.5:853 | AdGuard DoT |
-| 8853 | 172.17.0.5:8853 | AdGuard DoQ |
+| 853 | 172.17.0.2:853 | AdGuard DoT |
+| 8853 | 172.17.0.2:8853 | AdGuard DoQ |
---
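Review bot: changing the destination column to `172.17.0.2:853` / `172.17.0.2:8853` documents the new container address, but the router's dst-nat rules are what actually carry the port forwards, and the deleted `00-CHANGELOG.md` records an earlier outage caused by exactly this kind of drift (`NAT redirect pointing to wrong IP/port (172.17.0.5:5355 → 192.168.31.4:53)`). Please confirm in the commit message that the HAP1 NAT rules for 853 and 8853 were checked against the running config, not just the doc table.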
@@ -279,11 +275,11 @@ flowchart TB
end
subgraph HAP1["HAP1 (Primary)"]
- AGH1["AdGuard Home
172.17.0.5"]
+ AGH1["AdGuard Home
172.17.0.2"]
end
subgraph XTRMU["XTRM-U (Secondary)"]
- AGH2["AdGuard Home
192.168.31.4"]
+ AGH2["AdGuard Home
192.168.10.10"]
end
subgraph Sync["Sync"]
diff --git a/docs/03-SERVICES-OTHER.md b/docs/03-SERVICES-OTHER.md
index 7345917..e1ca755 100644
--- a/docs/03-SERVICES-OTHER.md
+++ b/docs/03-SERVICES-OTHER.md
@@ -64,7 +64,7 @@ Non-critical services that enhance functionality but don't affect core network o
| diode-auth | 172.18.0.74 | Token service |
| diode-agent | host | Network scanner |
-**Discovery:** 192.168.31.0/24 every 30 minutes
+**Discovery:** 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 every 30 minutes
### Unimus
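Review bot: the Diode discovery scope is widened to `192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24`, but the VLAN Summary added to `01-NETWORK-MAP.md` in this patch also defines VLAN 25 (`192.168.25.0/24`) and VLAN 40, neither of which is scanned. If the omission is deliberate (for example the kids VLAN is intentionally not inventoried), a short note here prevents someone "fixing" it later; otherwise add the subnets so the inventory matches the VLAN plan.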
@@ -182,7 +182,7 @@ Non-critical services that enhance functionality but don't affect core network o
| Network | IP |
|---------|-----|
-| br0 macvlan | 192.168.31.12 |
+| br0 macvlan | 192.168.10.12 |
**Purpose:** macOS Time Machine backup target
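Review bot: moving the Time Machine macvlan to `192.168.10.12` places a backup target for family laptops in VLAN 10, which `01-NETWORK-MAP.md` in this same patch defines as Management alongside the router and switches. Clients on the Trusted VLAN (20) then need an inter-VLAN allow into the management segment to reach it, which widens the rules protecting the infrastructure devices. If there is no reason for it to live there, VLAN 20 or a services VLAN would keep the management segment limited to administration.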
@@ -219,7 +219,7 @@ Non-critical services that enhance functionality but don't affect core network o
| Host | IP |
|------|-----|
-| HAP1 | 172.17.0.4 |
+| HAP1 | 172.17.0.3 |
**Purpose:** Mesh VPN for remote access
diff --git a/docs/03-VLAN-DEVICE-ASSIGNMENT.md b/docs/03-VLAN-DEVICE-ASSIGNMENT.md
deleted file mode 100644
index 7909713..0000000
--- a/docs/03-VLAN-DEVICE-ASSIGNMENT.md
+++ /dev/null
@@ -1,248 +0,0 @@
-# VLAN Device Assignment Map
-
-**Last Updated:** 2026-02-01
-**Purpose:** Complete inventory of all network devices with VLAN assignments
-
----
-
-## VLAN Summary
-
-| VLAN | Name | Subnet | Gateway | Purpose | Comment |
-|------|------|--------|---------|---------|---------|
-| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Current flat network | To be deprecated |
-| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | Admin access only |
-| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices | Full network access |
-| 25 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Kids Devices| Full network access |
-| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | Internet + limited local |
-| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | Isolated, NVR access only |
-| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers | Service hosts |
-| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi | Internet only |
-
----
-
-## VLAN 10 - Management (Infrastructure)
-
-| Current IP | Target IP | MAC Address | Device | Notes | Comment |
-|------------|-----------|-------------|--------|-------|---------|
-| 192.168.31.1 | 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router | Gateway for all VLANs |
-| 192.168.31.4 | 192.168.10.10| 02:42:C0:A8:1F:04 | AdGuard Home | DNS (Unraid) | Secondary DNS |
-| 192.168.31.6 | 192.168.10.2| 18:FD:74:54:3D:BC | CAP XL ac | Access point | CAPsMAN managed |
-| 192.168.31.9 | 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch | Room distribution |
-| 192.168.31.22 | 192.168.10.4 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch | Server rack |
-| 192.168.31.2 | 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server | Docker host, NAS |
-| 192.168.31.20 | 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM | IPMI alternative |
-| 172.17.0.2 | - | 46:D0:27:F7:1F:CA | AdGuard (MikroTik) | DNS (Router) | Primary DNS, DoH/DoT |
-| 172.17.0.3 | - | 0C:AB:39:8D:8C:FC | Tailscale (MikroTik) | VPN container | Remote access |
-
----
-
-## VLAN 20 - Trusted (Family Devices)
-
-| Current IP | Target IP | MAC Address | Device | Owner | Comment |
-|------------|-----------|-------------|--------|-------|---------|
-| 192.168.31.79 | 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | Primary laptop |
-| 192.168.31.98 | 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | Primary phone |
-| 192.168.31.114 | 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | |
-| 192.168.31.99 | 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan | Work laptop wireless |
-| 192.168.31.108 | 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | |
-| 192.168.31.121 | 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | |
-| 192.168.31.95 | 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | Via Dell KVM dock |
-| 192.168.31.97 | 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | Main bedroom |
-| 192.168.31.107 | 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet |
-
----
-
-## VLAN 25 - Trusted (Kids Devices)
-
-| Current IP | Target IP | MAC Address | Device | Owner | Comment |
-|------------|-----------|-------------|--------|-------|---------|
-| 192.168.31.114 | 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | |
-| 192.168.31.108 | 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | |
-| 192.168.31.121 | 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | |
-| 192.168.31.107 | 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet |
-
----
-
-## VLAN 30 - IoT (Smart Home)
-
-| Current IP | Target IP | MAC Address | Device | Location | Comment |
-|------------|-----------|-------------|--------|----------|---------|
-| 192.168.31.139 | 192.168.30.10 | 50:2C:C6:7A:55:39 | Air Conditioner | Living Room| GREE Electric|
-| 192.168.31.100 | 192.168.30.11 | B0:37:95:79:AF:9B | LG TV | Living Room | LAN (not connected) |
-| 192.168.31.118 | 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV | Living Room | WiFi (active) |
-| 192.168.31.134 | 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Streaming |
-| 192.168.31.104 | 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room | Needs cloud access |
-| 192.168.31.105 | 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | Home Connect app |
-| 192.168.31.116 | 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | Home Connect app |
-| 192.168.31.117 | 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | Kids Bathroom| Home Connect app |
-| 192.168.31.106 | 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
-| 192.168.31.113 | 192.168.30.5 | 38:1F:8D:04:6F:E4 | Tuya Smart Gateway (JMWZG1) | - | Requires WPA+TKIP |
-| 192.168.31.149 | 192.168.30.33 | D4:AD:FC:BE:13:B0 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
-| 192.168.31.106 | 192.168.30.34 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
-| 192.168.31.113 | 192.168.30.5 | 38:1F:8D:04:6F:E4 | Tuya Smart Gateway (JMWZG1) | - | Requires WPA+TKIP |
-| 192.168.31.149 | 192.168.30.38| D4:AD:FC:BE:13:B0 | Shenzhen Intellirocks | - | Smart Device |
-| 192.168.31.101 | 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | Mi Home app |
-| - | 192.168.30.50 | FC:D5:D9:EB:6A:82 | Settop Box (LAN) | Living Room | CSS326 Port 23 |
-| - | 192.168.30.51 | 08:FB:EA:61:9D:3A | Settop Box (WiFi) | Living Room | XTRM2 2.4GHz |
-
----
-
-## VLAN 35 - Cameras (Security)
-
-| Current IP | Target IP | MAC Address | Device | Location | Comment |
-|------------|-----------|-------------|--------|----------|---------|
-| 192.168.31.68 | 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door | PoE powered |
-
----
-
-## VLAN 40 - Servers (Services)
-
-| Current IP | Target IP | MAC Address | Device | Purpose | Comment |
-|------------|-----------|-------------|--------|---------|---------|
-| 192.168.31.19 | 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | Wired connection |
-
----
-
-## VLAN 50 - Guest (Isolated)
-
-| Current IP | Target IP | MAC Address | Device | Notes | Comment |
-|------------|-----------|-------------|--------|-------|---------|
-| 192.168.31.15 | 192.168.50.10 | AC:87:A3:77:8F:BD | Apple Device | Unknown owner | OUI: Apple Inc. |
-| 192.168.31.142 | 192.168.50.11 | 22:4C:7F:1D:85:8E | Unknown Device | Random MAC | Privacy MAC |
-| 192.168.31.109 | 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown Device | Private vendor | Hidden OUI |
-| 192.168.31.110 | 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown Device | Private vendor | Same as .109 |
-| DHCP Pool | 192.168.50.100-200 | - | Guest devices | Dynamic | Internet only |
-
----
-
-## Identified Unknown Devices (Moved to Guest)
-
-| Current IP | MAC Address | Vendor (OUI) | Likely Device | Assigned VLAN | Comment |
-|------------|-------------|--------------|---------------|---------------|---------|
-| 192.168.31.15 | AC:87:A3:77:8F:BD | Apple Inc. | iPhone/iPad/Mac | 50 (Guest) | Unknown owner |
-| 192.168.31.142 | 22:4C:7F:1D:85:8E | Locally Administered | Phone/Laptop | 50 (Guest) | Random MAC (privacy) |
-| 192.168.31.109 | D0:C9:07:92:1A:8E | Private (IEEE) | Unknown | 50 (Guest) | Hidden vendor |
-| 192.168.31.110 | D0:C9:07:8C:C9:46 | Private (IEEE) | Unknown | 50 (Guest) | Same vendor as .109 |
-
----
-
-## MAC Address Quick Reference
-
-### By VLAN (for switch port assignment)
-
-**VLAN 10 - Mgmt:**
-```
-78:9A:18:2C:A5:48 HAP1
-A8:B8:E0:02:B6:15 XTRM-U
-18:FD:74:54:3D:BC CAP XL ac
-F4:1E:57:C9:BD:09 CSS326
-1C:2A:A3:1E:78:67 ZX1
-48:DA:35:6F:BE:50 NanoKVM
-```
-
-**VLAN 20 - Trusted:**
-```
-82:6D:FB:D9:E0:47 Nora MacBook
-AA:ED:8B:2A:40:F1 Kaloyan S25
-F2:B8:14:61:C8:27 Dancho iPhone
-82:EC:EF:B5:F2:AF Kaloyan MacBook WiFi
-90:91:64:70:0D:86 Kimi Notebook
-2A:2B:BA:86:D4:AF Kimi iPhone
-08:92:04:C6:07:C5 Kaloyan MacBook LAN
-1C:83:41:32:F3:AF Kaloyan Game PC
-A4:D1:D2:7B:52:BE Compusbg iPad
-```
-
-**VLAN 30 - IoT:**
-```
-B0:37:95:79:AF:9B LG TV (LAN)
-DC:03:98:6B:5A:3A LG TV (WiFi)
-D0:E7:82:F7:65:DD Chromecast
-B0:4A:39:3F:9A:14 Roborock Vacuum
-94:27:70:1E:0C:EE Bosch Oven
-C8:5C:CC:52:EA:53 Xiaomi Air Purifier
-C8:D7:78:D6:DC:FC Bosch Washer
-C8:D7:78:40:65:40 Bosch Dishwasher
-50:2C:C6:7A:55:39 GREE Appliance
-18:DE:50:5B:C8:A6 Tuya Device 1
-38:1F:8D:04:6F:E4 Tuya Smart Gateway (JMWZG1)
-D4:AD:FC:BE:13:B0 Intellirocks Device
-FC:D5:D9:EB:6A:82 Settop Box (LAN)
-08:FB:EA:61:9D:3A Settop Box (WiFi)
-```
-
-**VLAN 35 - Cameras:**
-```
-48:9E:9D:0E:16:F7 Reolink Doorbell
-```
-
-**VLAN 40 - Servers:**
-```
-64:4E:D7:D8:43:3E HP LaserJet
-```
-
-**VLAN 50 - Guest:**
-```
-AC:87:A3:77:8F:BD Apple Device (unknown)
-22:4C:7F:1D:85:8E Random MAC device
-D0:C9:07:92:1A:8E Private Vendor 1
-D0:C9:07:8C:C9:46 Private Vendor 2
-```
-
----
-
-## Device Count Summary
-
-| VLAN | Device Count | Comment |
-|------|--------------|---------|
-| 10 - Mgmt | 9 | Infrastructure only |
-| 20 - Trusted | 9 | Family devices |
-| 25 - Kids | 4 | Kids devices (subset of 20) |
-| 30 - IoT | 11 | Smart home devices |
-| 35 - Cameras | 1 | Security |
-| 40 - Servers | 1 | Services |
-| 50 - Guest | 4 | Unknown/unidentified devices |
-| **Total** | **35** | All devices categorized |
-
----
-
-## OUI Lookup Reference
-
-| OUI Prefix | Vendor | Type |
-|------------|--------|------|
-| B0:37:95 | LG Electronics | TV/Displays (LAN) |
-| DC:03:98 | LG Innotek | TV/Displays (WiFi) |
-| 50:2C:C6 | GREE Electric Appliances (Zhuhai) | AC/Appliances |
-| 18:DE:50 | Tuya Smart Inc. | IoT Platform |
-| 38:1F:8D | Xiaomi | Smart Home Devices |
-| D4:AD:FC | Shenzhen Intellirocks Tech | Smart Devices |
-| AC:87:A3 | Apple Inc. | Consumer Electronics |
-| D0:C9:07 | Private (IEEE hidden) | Unknown |
-| 22:xx:xx | Locally Administered | Random/Private MAC |
-
----
-
-## Next Steps
-
-| Step | Action | Comment |
-|------|--------|---------|
-| 1 | ✅ Identify unknown devices | Completed via OUI lookup |
-| 2 | Decide WiFi strategy | Single SSID vs Multiple SSIDs |
-| 3 | Configure switch ports | VLAN tagging on CSS326 |
-| 4 | Test VLAN routing | Before full activation |
-| 5 | Update firewall rules | Inter-VLAN traffic control |
-
----
-
-## Quick Assignment Table (Identified Devices)
-
-| VLAN | IP | Comment |
-|------|----|---------|
-| 30 (IoT) | 192.168.31.139 | GREE Air Conditioner |
-| 30 (IoT) | 192.168.31.106 | Tuya Smart Device #1 |
-| 30 (IoT) | 192.168.31.113 | Tuya Smart Gateway (JMWZG1) |
-| 30 (IoT) | 192.168.31.149 | Shenzhen Intellirocks Smart Device |
-| 50 (Guest) | 192.168.31.15 | Apple device (unknown owner) |
-| 50 (Guest) | 192.168.31.142 | Privacy MAC device |
-| 50 (Guest) | 192.168.31.109 | Private vendor device |
-| 50 (Guest) | 192.168.31.110 | Private vendor device |
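Review bot: this is a full deletion of the only device-to-VLAN inventory, and nothing in the patch adds the `06-VLAN-DEVICE-ASSIGNMENT.md` that `01-NETWORK-MAP.md`, `README.md` and `CLAUDE.md` now point to, so the MAC-to-VLAN mappings behind the static DHCP leases and switch port assignments would be lost from the repository. If the content moves to the new file, a few defects in this version are worth fixing on the way: the VLAN 25 summary row reuses VLAN 20's subnet and gateway (`192.168.20.0/24`, `192.168.20.1`) while the `VLAN Summary` added to `01-NETWORK-MAP.md` gives VLAN 25 `192.168.25.0/24`, and the VLAN 25 device rows likewise carry `192.168.20.x` target IPs; the VLAN 30 table repeats the rows for `192.168.31.106`, `.113` and `.149`, with `.106` and `.149` given two different target IPs each; and the Device Count Summary (VLAN 30 = 11, total 35) no longer matches the tables.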
diff --git a/docs/04-HARDWARE-INVENTORY.md b/docs/04-HARDWARE-INVENTORY.md
index 257baaf..22cb18a 100644
--- a/docs/04-HARDWARE-INVENTORY.md
+++ b/docs/04-HARDWARE-INVENTORY.md
@@ -36,12 +36,12 @@
|----------|-------|
| **Role** | Distribution Switch |
| **Location** | 19" Rack U1 |
-| **IP** | 192.168.10.9 |
+| **IP** | 192.168.10.3 |
| **MAC** | F4:1E:57:C9:BD:09 |
| **OS** | SwOS 2.16 |
| **Serial** | - |
| **Docs** | https://help.mikrotik.com/docs/spaces/UM/pages/17498168/CSS326-24G-2S+RM |
-| **Web UI** | http://192.168.10.9 |
+| **Web UI** | http://192.168.10.3 |
**Ports:** 24x 1G RJ45, 2x 10G SFP+
- SFP1: 10G DAC to ZX1
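Review bot: before this hunk the inventory had CSS1 at `192.168.10.9` (and ZX1 at `192.168.10.7` in the next hunk), `README.md` had them at `192.168.31.9` / `192.168.31.7`, and `01-NETWORK-MAP.md` at `192.168.31.9` / `192.168.31.22`: three documents, three answers. Converging everything on `.3` / `.4` is the right fix, but the `Web UI` row is the one place an operator looks for the switch login during an incident, so please confirm the switch's own static IP in SwOS was actually set to `192.168.10.3` and that no NetBox record still carries `.9`.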
@@ -55,7 +55,7 @@
|----------|-------|
| **Role** | Core Switch (2.5GbE) |
| **Location** | 10" Rack U7 (on shelf) |
-| **IP** | 192.168.10.7 |
+| **IP** | 192.168.10.4 |
| **MAC** | 1C:2A:A3:1E:78:67 |
| **Serial** | - |
diff --git a/docs/02-PORT-UTILIZATION.md b/docs/05-PORT-UTILIZATION.md
similarity index 98%
rename from docs/02-PORT-UTILIZATION.md
rename to docs/05-PORT-UTILIZATION.md
index f41029d..14f55f4 100644
--- a/docs/02-PORT-UTILIZATION.md
+++ b/docs/05-PORT-UTILIZATION.md
@@ -1,11 +1,11 @@
# Device Port Utilization
-**Last Updated:** 2026-01-25
+**Last Updated:** 2026-02-06
**Legend:** 🟢 Connected | ⚪ Enabled/No Link | 🔘 Disabled | 🩷 High Speed (≥2.5G)
---
-## HAP1 | MikroTik hAP ax³ (192.168.31.1)
+## HAP1 | MikroTik hAP ax³ (192.168.10.1)
```
┌─────────────────────────────────────────────────────────┐
@@ -29,7 +29,7 @@ Connections:
---
-## CSS1 | MikroTik CSS326-24G-2S+ (192.168.31.9)
+## CSS1 | MikroTik CSS326-24G-2S+ (192.168.10.3)
```
┌───────────────────────────────────────────────────────────────────────────┐
@@ -68,7 +68,7 @@ Port Details:
---
-## ZX1 | ZX-SWTGW218AS (192.168.31.22)
+## ZX1 | ZX-SWTGW218AS (192.168.10.4)
```
┌─────────────────────────────────────────────────────────┐
diff --git a/docs/06-CHANGELOG.md b/docs/06-CHANGELOG.md
deleted file mode 100644
index 4cff1df..0000000
--- a/docs/06-CHANGELOG.md
+++ /dev/null
@@ -1,175 +0,0 @@
-# Infrastructure Changelog
-
-## 2026-02-01
-
-### WIP Documentation
-- [WIP] Added KVM-SWITCH-MAC-NOBARA.md - Software KVM for Mac/Nobara switching
-- DDC/CI monitor control (Dell U3821DW) + HID++ Logitech peripheral switching
-- Scripts created on Mac at ~/scripts/
-
-
-## 2026-01-31
-
-### Docker Cleanup
-- [DOCKER] Removed 18 unused images (~4.9 GB reclaimed)
-- [DOCKER] Removed 12 dangling images (old builds, untagged)
-- [DOCKER] Removed Slurpit stack images (warehouse, portal, scanner, scraper)
-- [DOCKER] Removed unused MongoDB 8 and MariaDB 11 images
-- [DOCKER] Removed 35 orphaned volumes (~1.15 GB reclaimed)
-- [DOCKER] Removed 28 anonymous dangling volumes
-- [DOCKER] Removed 6 nextcloud_aio_* volumes (from old AIO install)
-- [DOCKER] Removed orphaned redis-data volume
-- [DOCKER] **Total reclaimed: ~6 GB**
-
-### Kept (Stopped Containers)
-- open-webui, ollama (AI stack - for future use)
-- pgAdmin4 (database management)
-- diode-hydra-migrate, diode-auth-bootstrap (one-time migration jobs)
-
-## 2026-01-27
-
-### VLAN Filtering Rolled Back
-- [VLAN] Enabled VLAN filtering - caused connectivity issues
-- [VLAN] ZX1 switch unreachable after activation (no management IP responding)
-- [VLAN] CSS326 traffic routing through ZX1 (not direct eth3 link)
-- [VLAN] **Rolled back** - VLAN filtering disabled
-- [CONFIG] Added eth4 (ZX1) to all VLAN tagged lists for future use
-- [STATUS] Network back to Legacy mode (192.168.31.0/24)
-- [TODO] Need physical access to ZX1 to configure VLAN trunking
-
-### Issues Identified
-- ZX1 switch not responding on documented IP 192.168.31.22
-- ZX1 may need VLAN trunk configuration before re-enabling filtering
-- All CSS326 traffic goes via ZX1→HAP1, not direct CSS326→HAP1 link (STP?)
-
-# Infrastructure Changelog
-
-## 2026-02-01
-
-### WIP Documentation
-- [WIP] Added KVM-SWITCH-MAC-NOBARA.md - Software KVM for Mac/Nobara switching
-- DDC/CI monitor control (Dell U3821DW) + HID++ Logitech peripheral switching
-- Scripts created on Mac at ~/scripts/
-
-
-## 2026-01-26
-
-### VLAN Filtering Activated ✅
-- [VLAN] **VLAN filtering enabled on MikroTik bridge - SUCCESSFUL**
-- [VLAN] Internet connectivity verified (ping 1.1.1.1, google.com)
-- [VLAN] DNS resolution working through AdGuard
-- [VLAN] All previous fixes (DHCP DNS, firewall, NAT masquerade) working correctly
-- [STATUS] Network segmentation now ACTIVE
-
-### Local AI Stack Deployed
-- [AI] Deployed Ollama container with Intel GPU passthrough
-- [AI] Deployed Open WebUI at http://192.168.31.2:3080
-- [AI] Installed qwen2.5-coder:7b base model
-- [AI] Created custom `unraid-assistant` model with infrastructure knowledge:
- - Network topology (all VLANs, IPs, gateways)
- - 45+ Docker containers (names, ports, purposes)
- - RouterOS 7 commands and patterns
- - Traefik labels and Authentik middleware
- - All external URLs (xtrm-lab.org)
-- [AI] Created `/usr/local/bin/ai` terminal helper command
-- [AI] Stopped non-critical containers for RAM: karakeep, unimus, homarr, netdisco-*
-
-
-### VLAN Activation Attempt & Fixes
-- [VLAN] Configured CSS326 switch VLANs via SwOS web interface
-- [VLAN] Enabled VLAN filtering on MikroTik - caused internet outage
-- [VLAN] Rolled back VLAN filtering to restore connectivity
-- [VLAN] **ROOT CAUSE IDENTIFIED:** Multiple configuration issues
-
-### Issues Fixed
-- [FIX] DHCP DNS now points to each VLAN gateway instead of legacy 192.168.31.1
- - VLAN 20: 192.168.20.1, VLAN 25: 192.168.25.1, etc.
-- [FIX] Added DNS redirect rules for all VLANs (src-address-list=all-vlans)
-- [FIX] Added all VLAN interfaces to LAN firewall interface list
-- [FIX] Added NAT masquerade rules for VLAN traffic to AdGuard container
-- [BACKUP] MikroTik config saved before activation attempt
-
-### Current Status
-- MikroTik: Fully configured, fixes applied, ready for activation
-- CSS326: VLANs configured, port assignments done
-- VLAN Filtering: OFF (ready to enable when convenient)
-- Next: Enable VLAN filtering + force DHCP renewal on devices
-
-## 2026-01-25 (Update 3)
-
-### VLAN Phase 1 Complete
-- [VLAN] Added VLAN 25 (Kids) - interface, IP, DHCP server, pool, bridge entry
-- [VLAN] Fixed VLAN 10 (Management) leases - correct IPs per device assignment doc
-- [VLAN] Fixed VLAN 30 (IoT) leases - all 14 devices with correct IPs
-- [VLAN] Added VLAN 25 (Kids) leases - 6 devices including XTRM-Ally
-- [VLAN] Added VLAN 50 (Guest) leases - 7 unknown devices
-- [VLAN] Added firewall rules for VLAN 25 (Kids → IoT, Legacy, DNS)
-- [VLAN] Total devices configured: 44
-
-### Device Discovery
-- [NETWORK] Discovered XTRM-Ally gaming device → assigned to Kids VLAN
-- [NETWORK] Discovered Dancho Windows device → assigned to Kids VLAN
-- [NETWORK] Discovered 2x lwip0 IoT devices → assigned to IoT VLAN
-- [NETWORK] Discovered 3x unknown devices → assigned to Guest VLAN
-
-### Documentation Updates
-- [DOCS] Updated 03-VLAN-DEVICE-ASSIGNMENT.md - complete device inventory (44 devices)
-- [DOCS] Updated 11-VLAN-IMPLEMENTATION.md - Phase 1 complete status
-- [DOCS] All VLANs now documented: 10, 20, 25, 30, 35, 40, 50
-
-### Next Steps
-- CSS326 switch VLAN configuration via SwOS
-- Enable VLAN filtering on MikroTik bridge
-- Test connectivity
-
-## 2026-01-25
-
-### VLAN Implementation (Prepared)
-- [VLAN] Created 6 VLANs on MikroTik bridge (10, 20, 30, 35, 40, 50)
-- [VLAN] Configured IP addresses for all VLAN interfaces
-- [VLAN] Created DHCP servers and pools for each VLAN
-- [VLAN] Added static DHCP leases mapping MACs to VLAN IPs
-- [VLAN] Configured bridge VLAN table with tagged/untagged ports
-- [VLAN] Set WiFi ports PVID=20 (Trusted VLAN default)
-- [VLAN] Added inter-VLAN firewall rules (active)
-- [VLAN] VLAN filtering NOT YET ENABLED (pending CSS326 switch config)
-- [DOCS] Added docs/11-VLAN-IMPLEMENTATION.md
-- [SCRIPTS] Added scripts/mikrotik-vlan-setup.rsc
-- [SCRIPTS] Added scripts/mikrotik-vlan-enable.rsc
-
-### MikroTik Containers
-- [CONTAINER] AdGuard Home container running on MikroTik
-- [CONTAINER] Tailscale container configured (inactive)
-- [CONTAINER] Container bridge (containers-br) with NAT
-
-### DNS Configuration
-- [DNS] AdGuard Home as primary DNS (172.17.0.2)
-- [DNS] DNS redirect rules for all clients
-- [DNS] DoT/DoH upstream configured in AdGuard
-
-## Previous Changes
-
-See git history for earlier changes.
-
-## 2026-01-25 (Update 2)
-
-### DNS Configuration
-- [DNS] Updated both AdGuard instances to use Quad9 DoH
-- [DNS] MikroTik AdGuard: upstream=https://dns.quad9.net/dns-query
-- [DNS] Unraid AdGuard: upstream=https://dns.quad9.net/dns-query
-- [DNS] Bootstrap DNS: 9.9.9.9, 149.112.112.112
-
-### Containers
-- [CONTAINER] Fixed Tailscale container authentication
-- [CONTAINER] Tailscale DNS changed from 8.8.8.8 to 172.17.0.1,1.1.1.1 (fallback)
-- [CONTAINER] Tailscale route fixed: 100.64.0.0/10 → 172.17.0.3
-
-### Documentation
-- [DOCS] Created 02-PORT-UTILIZATION.md with ASCII port diagrams
-- [DOCS] Updated 09-MIKROTIK-ADGUARD-DOT-DOH.md with Quad9 DoH config
-
-### Network
-- [NETWORK] Enabled CSS326 SFP1 port - 10G backbone link to ZX1 now active
-
-### Documentation Fix
-- [DOCS] Fixed ZX1 switch IP: 192.168.31.22 (was incorrectly documented as .7)
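Review bot: Confirm that the entries removed here actually survive in the merged docs/CHANGELOG.md, since the merge is the stated reason for deleting this file. The portion of the new changelog included in this commit keeps the `unraid-assistant` line but not its five sub-bullets (network topology, 45+ containers, RouterOS 7 commands, Traefik/Authentik labels, external URLs), and nothing from the "2026-01-25 (Update 2)" block (Quad9 DoH upstreams with 9.9.9.9/149.112.112.112 bootstrap, Tailscale DNS changed from 8.8.8.8 to 172.17.0.1,1.1.1.1, CSS326 SFP1 10G link to ZX1, ZX1 IP corrected to .22) appears in the part of the new file shown. Dropping "Current Status" and "Next Steps" is fine for a changelog, but the Tailscale DNS entry matters: the new docs/09-TAILSCALE-VPN.md in this same commit still documents the container with `dns=8.8.8.8`, so one of the two is stale.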
diff --git a/docs/06-VLAN-DEVICE-ASSIGNMENT.md b/docs/06-VLAN-DEVICE-ASSIGNMENT.md
new file mode 100644
index 0000000..f16589f
--- /dev/null
+++ b/docs/06-VLAN-DEVICE-ASSIGNMENT.md
@@ -0,0 +1,206 @@
+# VLAN Device Assignment Map
+
+**Last Updated:** 2026-02-06
+**Purpose:** Complete inventory of all network devices with VLAN assignments
+
+---
+
+## VLAN Summary
+
+| VLAN | Name | Subnet | Gateway | Purpose |
+|------|------|--------|---------|---------|
+| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices |
+| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices |
+| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices |
+| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices |
+| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras |
+| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers |
+| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi |
+
+---
+
+## VLAN 10 - Management (Infrastructure)
+
+| IP | MAC Address | Device | Notes | Comment |
+|----|-------------|--------|-------|---------|
+| 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router | Gateway for all VLANs |
+| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard Home | DNS (Unraid) | Secondary DNS |
+| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | Access point | CAPsMAN managed |
+| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch | Room distribution |
+| 192.168.10.4 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch | Server rack |
+| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server | Docker host, NAS |
+| 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM | IPMI alternative |
+| 172.17.0.2 | 46:D0:27:F7:1F:CA | AdGuard (MikroTik) | DNS (Router) | Primary DNS, DoH/DoT |
+| 172.17.0.3 | 0C:AB:39:8D:8C:FC | Tailscale (MikroTik) | VPN container | Remote access |
+
+---
+
+## VLAN 20 - Trusted (Family Devices)
+
+| IP | MAC Address | Device | Owner | Comment |
+|----|-------------|--------|-------|---------|
+| 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | Primary laptop |
+| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | Primary phone |
+| 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | |
+| 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan | Work laptop wireless |
+| 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | |
+| 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | |
+| 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | Via Dell KVM dock |
+| 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | Main bedroom |
+| 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet |
+
+---
+
+## VLAN 25 - Kids (Kids Devices)
+
+| IP | MAC Address | Device | Owner | Comment |
+|----|-------------|--------|-------|---------|
+| 192.168.25.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | |
+| 192.168.25.14 | 90:91:64:70:0D:86 | Notebook | Kimi | |
+| 192.168.25.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | |
+| 192.168.25.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet |
+
+---
+
+## VLAN 30 - IoT (Smart Home)
+
+| IP | MAC Address | Device | Location | Comment |
+|----|-------------|--------|----------|---------|
+| 192.168.30.10 | 50:2C:C6:7A:55:39 | Air Conditioner | Living Room | GREE Electric |
+| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV | Living Room | LAN (not connected) |
+| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV | Living Room | WiFi (active) |
+| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Streaming |
+| 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room | Needs cloud access |
+| 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | Home Connect app |
+| 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | Home Connect app |
+| 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | Kids Bathroom | Home Connect app |
+| 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
+| 192.168.30.5 | 38:1F:8D:04:6F:E4 | Tuya Smart Gateway (JMWZG1) | - | Requires WPA+TKIP |
+| 192.168.30.33 | D4:AD:FC:BE:13:B0 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
+| 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | Mi Home app |
+| 192.168.30.50 | FC:D5:D9:EB:6A:82 | Settop Box (LAN) | Living Room | CSS326 Port 23 |
+| 192.168.30.51 | 08:FB:EA:61:9D:3A | Settop Box (WiFi) | Living Room | XTRM2 2.4GHz |
+
+---
+
+## VLAN 35 - Cameras (Security)
+
+| IP | MAC Address | Device | Location | Comment |
+|----|-------------|--------|----------|---------|
+| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door | PoE powered |
+
+---
+
+## VLAN 40 - Servers (Services)
+
+| IP | MAC Address | Device | Purpose | Comment |
+|----|-------------|--------|---------|---------|
+| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | Wired connection |
+
+---
+
+## VLAN 50 - Guest (Isolated)
+
+| IP | MAC Address | Device | Notes | Comment |
+|----|-------------|--------|-------|---------|
+| 192.168.50.10 | AC:87:A3:77:8F:BD | Apple Device | Unknown owner | OUI: Apple Inc. |
+| 192.168.50.11 | 22:4C:7F:1D:85:8E | Unknown Device | Random MAC | Privacy MAC |
+| 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown Device | Private vendor | Hidden OUI |
+| 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown Device | Private vendor | Same as .12 |
+| 192.168.50.100-200 | - | Guest devices | Dynamic | Internet only |
+
+---
+
+## MAC Address Quick Reference
+
+### By VLAN (for switch port assignment)
+
+**VLAN 10 - Mgmt:**
+```
+78:9A:18:2C:A5:48 HAP1
+A8:B8:E0:02:B6:15 XTRM-U
+18:FD:74:54:3D:BC CAP XL ac
+F4:1E:57:C9:BD:09 CSS326
+1C:2A:A3:1E:78:67 ZX1
+48:DA:35:6F:BE:50 NanoKVM
+```
+
+**VLAN 20 - Trusted:**
+```
+82:6D:FB:D9:E0:47 Nora MacBook
+AA:ED:8B:2A:40:F1 Kaloyan S25
+F2:B8:14:61:C8:27 Dancho iPhone
+82:EC:EF:B5:F2:AF Kaloyan MacBook WiFi
+90:91:64:70:0D:86 Kimi Notebook
+2A:2B:BA:86:D4:AF Kimi iPhone
+08:92:04:C6:07:C5 Kaloyan MacBook LAN
+1C:83:41:32:F3:AF Kaloyan Game PC
+A4:D1:D2:7B:52:BE Compusbg iPad
+```
+
+**VLAN 30 - IoT:**
+```
+B0:37:95:79:AF:9B LG TV (LAN)
+DC:03:98:6B:5A:3A LG TV (WiFi)
+D0:E7:82:F7:65:DD Chromecast
+B0:4A:39:3F:9A:14 Roborock Vacuum
+94:27:70:1E:0C:EE Bosch Oven
+C8:5C:CC:52:EA:53 Xiaomi Air Purifier
+C8:D7:78:D6:DC:FC Bosch Washer
+C8:D7:78:40:65:40 Bosch Dishwasher
+50:2C:C6:7A:55:39 GREE Appliance
+18:DE:50:5B:C8:A6 Tuya Device 1
+38:1F:8D:04:6F:E4 Tuya Smart Gateway (JMWZG1)
+D4:AD:FC:BE:13:B0 Intellirocks Device
+FC:D5:D9:EB:6A:82 Settop Box (LAN)
+08:FB:EA:61:9D:3A Settop Box (WiFi)
+```
+
+**VLAN 35 - Cameras:**
+```
+48:9E:9D:0E:16:F7 Reolink Doorbell
+```
+
+**VLAN 40 - Servers:**
+```
+64:4E:D7:D8:43:3E HP LaserJet
+```
+
+**VLAN 50 - Guest:**
+```
+AC:87:A3:77:8F:BD Apple Device (unknown)
+22:4C:7F:1D:85:8E Random MAC device
+D0:C9:07:92:1A:8E Private Vendor 1
+D0:C9:07:8C:C9:46 Private Vendor 2
+```
+
+---
+
+## Device Count Summary
+
+| VLAN | Device Count | Comment |
+|------|--------------|---------|
+| 10 - Mgmt | 9 | Infrastructure only |
+| 20 - Trusted | 9 | Family devices |
+| 25 - Kids | 4 | Kids devices (subset of 20) |
+| 30 - IoT | 14 | Smart home devices |
+| 35 - Cameras | 1 | Security |
+| 40 - Servers | 1 | Services |
+| 50 - Guest | 4 | Unknown/unidentified devices |
+| **Total** | **38** | All devices categorized |
+
+---
+
+## OUI Lookup Reference
+
+| OUI Prefix | Vendor | Type |
+|------------|--------|------|
+| B0:37:95 | LG Electronics | TV/Displays (LAN) |
+| DC:03:98 | LG Innotek | TV/Displays (WiFi) |
+| 50:2C:C6 | GREE Electric Appliances (Zhuhai) | AC/Appliances |
+| 18:DE:50 | Tuya Smart Inc. | IoT Platform |
+| 38:1F:8D | Xiaomi | Smart Home Devices |
+| D4:AD:FC | Shenzhen Intellirocks Tech | Smart Devices |
+| AC:87:A3 | Apple Inc. | Consumer Electronics |
+| D0:C9:07 | Private (IEEE hidden) | Unknown |
+| 22:xx:xx | Locally Administered | Random/Private MAC |
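Review bot: Several MACs given static leases in the VLAN 20, 25 and 50 tables are locally administered (randomized) addresses, not just the one flagged as "Random MAC": any first octet of x2, x6, xA or xE has the local bit set, which covers 82:6D:FB, AA:ED:8B, F2:B8:14, 82:EC:EF and 2A:2B:BA as well as 22:4C:7F. Phones and laptops that rotate per-SSID MACs will not keep these leases, so the "Unknown Device" rows in VLAN 50 may well be family devices that rotated; the OUI table's last row should say "x2/x6/xA/xE" rather than "22:xx:xx", and the device tables should note which leases are keyed to a randomized MAC. Related consistency points in the same hunk: the four devices in the VLAN 25 table (F2:B8:14:61:C8:27, 90:91:64:70:0D:86, 2A:2B:BA:86:D4:AF, A4:D1:D2:7B:52:BE) also appear in VLAN 20 with the same MACs, and a MAC can only land in one VLAN per port or SSID, so say which assignment wins; the Device Count Summary's total of 38 does not match the column sum of 42 unless the VLAN 25 duplicates are excluded, which the table should state; D4:AD:FC:BE:13:B0 is "Tuya Smart Device / OUI: Tuya Smart Inc." in the VLAN 30 table but "Intellirocks Device" in the quick reference and "Shenzhen Intellirocks Tech" in the OUI table, and 38:1F:8D is a Tuya gateway in the table but "Xiaomi" in the OUI table. Finally, 02:42:C0:A8:1F:04 for the Unraid AdGuard encodes 192.168.31.4 in Docker's IP-derived MAC scheme; check it still matches now that the container is documented at 192.168.10.10.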
diff --git a/docs/19-WIFI-CAPSMAN-CONFIG.md b/docs/07-WIFI-CAPSMAN-CONFIG.md
similarity index 100%
rename from docs/19-WIFI-CAPSMAN-CONFIG.md
rename to docs/07-WIFI-CAPSMAN-CONFIG.md
diff --git a/docs/08-DNS-ARCHITECTURE.md b/docs/08-DNS-ARCHITECTURE.md
new file mode 100644
index 0000000..eefd219
--- /dev/null
+++ b/docs/08-DNS-ARCHITECTURE.md
@@ -0,0 +1,387 @@
+# DNS Architecture with AdGuard Failover
+
+**Last Updated:** 2026-02-06
+
+---
+
+## Overview
+
+Dual AdGuard DNS setup with automatic failover. All DNS queries are filtered through AdGuard for ad-blocking, and if the primary (MikroTik) fails, traffic automatically switches to secondary (Unraid).
+
+---
+
+## Architecture
+
+```
+ ┌─────────────────────────────────────┐
+ │ INTERNET │
+ │ │
+ │ External clients (DoT/DoH) │
+ │ dns.xtrm-lab.org:853 (DoT) │
+ │ dns.xtrm-lab.org:8443 (DoH) │
+ └──────────────┬──────────────────────┘
+ │
+ ▼
+┌──────────────────────────────────────────────────────────────────────────────┐
+│ MikroTik hAP ax³ (192.168.10.1) │
+│ │
+│ ┌────────────────────────────────────────────────────────────────────────┐ │
+│ │ AdGuard Home (PRIMARY) │ │
+│ │ Container: 172.17.0.2 │ │
+│ │ Web UI: http://192.168.10.1:3000 │ │
+│ │ │ │
+│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
+│ │ │ Filters │ │ Blocklists │ │ Clients │ │ │
+│ │ │ (synced) │ │ 143K rules │ │ (synced) │ │ │
+│ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │
+│ └────────────────────────────────────────────────────────────────────────┘ │
+│ │ │
+│ Netwatch monitors every 10s │
+│ │ │
+│ ┌─────────┴─────────┐ │
+│ │ │ │
+│ Container UP Container DOWN │
+│ │ │ │
+│ ▼ ▼ │
+│ NAT → 172.17.0.2 NAT → 192.168.10.10 │
+│ (MikroTik) (Unraid Failover) │
+└──────────────────────────────────────────────────────────────────────────────┘
+ ▲ ▲ ▲
+ │ │ │
+ NAT Redirect NAT Redirect NAT Redirect
+ │ │ │
+┌───────┴───────┐ ┌────────┴────────┐ ┌────────┴────────┐
+│ VLAN 10 │ │ VLAN 20/25 │ │ VLAN 30/40 │
+│ Management │ │ Trusted/Kids │ │ IoT/CatchAll │
+│ 192.168.10.x │ │ 192.168.20.x │ │ 192.168.30.x │
+│ │ │ 192.168.25.x │ │ 192.168.1.x │
+└───────────────┘ └─────────────────┘ └─────────────────┘
+```
+
+---
+
+## AdGuard Instances
+
+| Instance | Role | IP | Port | Web UI |
+|----------|------|-----|------|--------|
+| MikroTik | Primary | 172.17.0.2 | 53 | http://192.168.10.1:3000 |
+| Unraid | Secondary/Failover | 192.168.10.10 | 3000 | http://192.168.10.10:3000 |
+
+### Credentials (Same for Both)
+
+| Username | Password |
+|----------|----------|
+| jazzymc | 7RqWElENNbZnPW |
+
+---
+
+## DNS Redirect Rules
+
+All DNS queries (port 53) from any VLAN are intercepted and redirected:
+
+| VLAN | Subnet | Redirected To |
+|------|--------|---------------|
+| 10 | 192.168.10.0/24 | 172.17.0.2:53 |
+| 20 | 192.168.20.0/24 | 172.17.0.2:53 |
+| 25 | 192.168.25.0/24 | 172.17.0.2:53 |
+| 30 | 192.168.30.0/24 | 172.17.0.2:53 |
+| 40 | 192.168.1.0/24 | 172.17.0.2:53 |
+
+**Note:** Clients don't need any DNS configuration - even if they use 8.8.8.8, traffic is intercepted by NAT.
+
+### NAT Rules on MikroTik
+
+```routeros
+# Exception rules (prevent loops) - MUST BE FIRST
+/ip firewall nat
+add chain=dstnat action=accept protocol=udp src-address=172.17.0.0/24 dst-port=53 comment="[DNS] Allow MikroTik AdGuard outbound"
+add chain=dstnat action=accept protocol=udp src-address=192.168.10.10 dst-port=53 comment="[DNS] Allow Unraid AdGuard outbound"
+
+# VLAN redirect rules
+add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.10.0/24 dst-port=53 comment="[DNS] VLAN10 Mgmt redirect"
+add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.20.0/24 dst-port=53 comment="[DNS] VLAN20 Trusted redirect"
+add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.25.0/24 dst-port=53 comment="[DNS] VLAN25 Kids redirect"
+add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.30.0/24 dst-port=53 comment="[DNS] VLAN30 IoT redirect"
+add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.1.0/24 dst-port=53 comment="[DNS] VLAN40 CatchAll redirect"
+
+# Masquerade for return traffic
+add chain=srcnat action=masquerade protocol=udp src-address=192.168.10.0/24 dst-address=172.17.0.2 dst-port=53 comment="[DNS] VLAN10 masquerade"
+# ... (similar for other VLANs)
+```
+
+---
+
+## Automatic Failover
+
+### How It Works (Dual Health Check)
+
+Two independent Netwatch monitors trigger failover:
+
+| Monitor | Type | What It Checks | Interval | Timeout |
+|---------|------|----------------|----------|---------|
+| Ping | simple | Container reachable | 10s | 3s |
+| DNS | dns | DNS queries work | 30s | 10s |
+
+**Either monitor failing triggers failover to Unraid.**
+
+### Failure Scenarios Covered
+
+| Scenario | Ping Check | DNS Check | Failover? |
+|----------|------------|-----------|-----------|
+| Container crashed | Fail | Fail | Yes |
+| Container stopped | Fail | Fail | Yes |
+| Network/routing issue | Fail | Fail | Yes |
+| Upstream DNS unreachable | Pass | Fail | Yes |
+| AdGuard overloaded | Pass | Fail | Yes |
+| Everything working | Pass | Pass | No |
+
+### Failover Timeline
+
+| Event | Detection Time | Total Switchover |
+|-------|----------------|------------------|
+| Container crash (ping) | ~10-13 seconds | ~13-16 seconds |
+| DNS failure (resolution) | ~30-40 seconds | ~33-43 seconds |
+| Recovery | ~10-30 seconds | Automatic |
+
+### Failover Scripts
+
+```routeros
+# dns-failover-down (runs when either check fails)
+/system script add name=dns-failover-down dont-require-permissions=yes source={
+ :log warning "DNS Failover: Switching to Unraid"
+ /ip firewall nat set [find where comment~"VLAN" and comment~"redirect"] to-addresses=192.168.10.10 to-ports=3000
+}
+
+# dns-failover-up (runs when check recovers)
+/system script add name=dns-failover-up dont-require-permissions=yes source={
+ :log info "DNS Failover: Switching back to MikroTik"
+ /ip firewall nat set [find where comment~"VLAN" and comment~"redirect"] to-addresses=172.17.0.2 to-ports=53
+}
+```
+
+### Netwatch Configuration
+
+```routeros
+# Monitor 1: Ping check (fast crash detection)
+/tool netwatch add type=simple host=172.17.0.2 interval=10s timeout=3s \
+ up-script=dns-failover-up down-script=dns-failover-down \
+ comment="AdGuard failover monitor"
+
+# Monitor 2: DNS resolution check (functional verification)
+/tool netwatch add type=dns host=google.com interval=30s timeout=10s \
+ up-script=dns-failover-up down-script=dns-failover-down \
+ comment="AdGuard DNS resolution check"
+```
+
+---
+
+## Sync Configuration
+
+Settings are synced from Unraid (source of truth) to MikroTik every 30 minutes.
+
+### What Syncs
+
+| Feature | Synced |
+|---------|--------|
+| Filter lists (blocklists) | Yes |
+| User rules (custom blocks/allows) | Yes |
+| Client settings (per-device rules) | Yes |
+| Services (blocked services) | Yes |
+| Rewrites (custom DNS entries) | Yes |
+| DNS server config | No |
+| DHCP settings | No |
+| Query logs/stats | No |
+
+### Sync Container
+
+```yaml
+# /mnt/user/appdata/adguard-sync/adguardhome-sync.yaml
+cron: "*/30 * * * *"
+runOnStart: true
+
+origin:
+ url: http://192.168.10.10:3000
+ username: jazzymc
+ password: 7RqWElENNbZnPW
+
+replicas:
+ - url: http://192.168.10.1:3000
+ username: jazzymc
+ password: 7RqWElENNbZnPW
+
+features:
+ dns:
+ serverConfig: false
+ accessLists: true
+ rewrites: true
+ filters: true
+ clientSettings: true
+ services: true
+```
+
+**Note:** The sync container must be connected to both `dockerproxy` and `br0` networks to reach both AdGuard instances.
+
+---
+
+## Container Configuration (MikroTik)
+
+### Container Details
+
+| Setting | Value |
+|---------|-------|
+| Image | adguard/adguardhome:latest |
+| Interface | veth-adguard |
+| IP | 172.17.0.2/24 |
+| Gateway | 172.17.0.1 |
+| Root dir | usb1/adguard/root |
+| Config mount | usb1/adguard/conf → /opt/adguardhome/conf |
+| Work mount | usb1/adguard/work → /opt/adguardhome/work |
+| Start on boot | Yes |
+
+### Container Commands
+
+```routeros
+# Check status
+/container print
+
+# Start container
+/container start 0
+
+# Stop container
+/container stop 0
+
+# View logs
+/log print where topics~"container"
+```
+
+---
+
+## Upstream DNS
+
+Both AdGuard instances use the same upstream:
+
+| Upstream | Type |
+|----------|------|
+| https://dns.quad9.net/dns-query | Primary (DoH) |
+| 9.9.9.9 | Bootstrap |
+| 149.112.112.112 | Bootstrap secondary |
+
+---
+
+## Management
+
+| Task | Where to Do It |
+|------|----------------|
+| Change blocklists | Unraid AdGuard (syncs to MikroTik) |
+| Add custom rules | Unraid AdGuard |
+| Add client settings | Unraid AdGuard |
+| View query logs | MikroTik AdGuard (real-time) |
+| Check failover status | MikroTik `/tool netwatch print` |
+
+---
+
+## Troubleshooting
+
+### Check Failover Status
+
+```routeros
+/tool netwatch print
+# Both monitors should show STATUS=up normally
+# Monitor 0: Ping check
+# Monitor 1: DNS resolution check
+```
+
+### Check Current DNS Target
+
+```routeros
+/ip firewall nat print where comment~"VLAN10 Mgmt redirect"
+# to-addresses should be 172.17.0.2 (normal) or 192.168.10.10 (failover)
+```
+
+### View Failover Logs
+
+```routeros
+/log print where message~"Failover"
+```
+
+### Manual Failover Test
+
+```routeros
+# Stop container (triggers failover)
+/container stop 0
+
+# Wait 15 seconds, check NAT rules switched to 192.168.10.10
+
+# Start container (triggers recovery)
+/container start 0
+
+# Wait 15 seconds, check NAT rules switched back to 172.17.0.2
+```
+
+### DNS Not Working
+
+1. Check container is running: `/container print`
+2. Check netwatch status: `/tool netwatch print`
+3. Test DNS directly: `:resolve google.com server=172.17.0.2`
+4. Check NAT rules: `/ip firewall nat print where comment~"DNS"`
+5. **Check /32 routes exist:** `/ip route print where dst-address~"172.17.0.[23]"`
+6. **Ping container:** `/ping 172.17.0.2 count=3`
+
+### Container Reachable but DNS Fails
+
+If ping works but DNS queries timeout:
+
+1. Check container can reach upstream: Look for timeout errors in logs
+2. Verify /32 routes: Missing routes cause ECMP issues
+3. Check NAT masquerade: `/ip firewall nat print where comment~"Container"`
+4. Verify routes:
+```routeros
+/ip route print where dst-address~"172.17"
+# Should show /32 routes for each container IP
+```
+
+### Sync Not Working
+
+```bash
+# On Unraid
+docker logs adguardhome-sync --tail 20
+
+# Check connectivity
+docker exec adguardhome-sync ping -c 2 192.168.10.10
+docker exec adguardhome-sync ping -c 2 192.168.10.1
+```
+
+---
+
+## Container Network Routing
+
+### Important: /32 Host Routes Required
+
+When running multiple containers on the same subnet (172.17.0.0/24), specific host routes are required to prevent ECMP routing issues:
+
+```routeros
+# Without these routes, return traffic may go to wrong container
+/ip route add dst-address=172.17.0.2/32 gateway=veth-adguard comment="AdGuard container - specific route"
+/ip route add dst-address=172.17.0.3/32 gateway=veth-tailscale comment="Tailscale container - specific route"
+```
+
+**Why this matters:** Each veth interface creates a /24 route. With multiple veth interfaces on the same subnet, RouterOS enables ECMP load balancing, sending return traffic to random interfaces.
+
+---
+
+## Quick Reference
+
+### Normal Operation
+- DNS queries → MikroTik AdGuard (172.17.0.2)
+- Ad blocking active
+- ~143,000 filter rules
+
+### During Failover
+- DNS queries → Unraid AdGuard (192.168.10.10)
+- Ad blocking still active (same rules synced)
+- Automatic, no manual intervention needed
+
+### Recovery
+- Automatic when container comes back up
+- NAT rules switch back to MikroTik
+- No DNS interruption for clients
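Review bot: This file commits the AdGuard admin password in clear text, twice (the "Credentials (Same for Both)" table and the adguardhome-sync.yaml block), to a repository that CLAUDE.md pushes to git.xtrm-lab.org; the credential should be rotated now that it is in history, the table should drop the password column, and the sync config should reference a secret (environment variable or a file outside the repo) rather than embed it. Logic points in the failover design: the dst-nat rules match `protocol=udp` only, so TCP/53 queries (large responses, DNSSEC, some resolvers' retries) bypass AdGuard entirely, and the `to-ports=3000` rewrite in `dns-failover-down` needs a matching TCP rule if one is added; both Netwatch monitors run the same `dns-failover-up`, so after a container restart the 10s ping check flips NAT back to 172.17.0.2 before the 30s DNS check has confirmed resolution, which contradicts "Either monitor failing triggers failover" for the recovery direction (consider gating the up-script on both monitors being up); the DNS monitor `host=google.com` does not state which resolver it queries, and if it uses the router's own /ip dns servers rather than 172.17.0.2 it does not exercise the container at all; `dont-require-permissions=yes` on both scripts should be justified or dropped. Consistency: VLAN 40 is 192.168.40.0/24 in 06-VLAN-DEVICE-ASSIGNMENT.md but 192.168.1.0/24 ("CatchAll") in the redirect table, the NAT rule and the diagram here, and the troubleshooting step `comment~"Container"` does not match any masquerade comment shown in this file (they are tagged "[DNS] ... masquerade").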
diff --git a/docs/09-TAILSCALE-VPN.md b/docs/09-TAILSCALE-VPN.md
new file mode 100644
index 0000000..9d78fae
--- /dev/null
+++ b/docs/09-TAILSCALE-VPN.md
@@ -0,0 +1,208 @@
+# MikroTik Tailscale Container Setup
+
+**Last Updated:** 2026-02-06
+
+---
+
+## Overview
+
+Tailscale VPN running as a container on MikroTik hAP ax³, providing remote access to the home network via the Tailscale mesh network.
+
+---
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────────┐
+│ MikroTik hAP ax³ (192.168.10.1) │
+│ │
+│ ┌─────────────────────────────────────────────────────────────┐ │
+│ │ Container Network (172.17.0.0/24) │ │
+│ │ │ │
+│ │ ┌─────────────────────┐ ┌─────────────────────────┐ │ │
+│ │ │ AdGuard Home │ │ Tailscale │ │ │
+│ │ │ 172.17.0.2 │ │ 172.17.0.3 │ │ │
+│ │ │ veth-adguard │ │ veth-tailscale │ │ │
+│ │ └─────────────────────┘ └─────────────────────────┘ │ │
+│ │ │ │ │ │
+│ │ └───────────┬───────────────┘ │ │
+│ │ │ │ │
+│ │ Gateway: 172.17.0.1 │ │
+│ └─────────────────────────────────────────────────────────────┘ │
+│ │ │
+│ NAT Masquerade │
+│ │ │
+│ WAN (ether1) │
+└──────────────────────────────┬──────────────────────────────────────┘
+ │
+ ▼
+ ┌─────────────────────┐
+ │ Tailscale Network │
+ │ 100.x.x.x mesh │
+ │ │
+ │ Home Router IP: │
+ │ 100.74.219.35 │
+ └─────────────────────┘
+```
+
+---
+
+## Container Details
+
+| Setting | Value |
+|---------|-------|
+| Image | tailscale/tailscale:latest |
+| Interface | veth-tailscale |
+| Container IP | 172.17.0.3/24 |
+| Gateway | 172.17.0.1 |
+| Tailscale IP | 100.74.219.35 |
+| Root dir | usb1/tailscale/root |
+| State mount | usb1/tailscale → /var/lib/tailscale |
+| DNS | 8.8.8.8 |
+| Start on boot | Yes |
+| Networking mode | Userspace (TS_USERSPACE=true) |
+
+---
+
+## Environment Variables
+
+| Variable | Value | Purpose |
+|----------|-------|---------|
+| TS_AUTHKEY | tskey-auth-... | One-time auth key (used during setup) |
+| TS_STATE_DIR | /var/lib/tailscale | Persistent state directory |
+| TS_USERSPACE | true | Required for MikroTik containers (no /dev/net/tun) |
+
+---
+
+## Network Configuration
+
+### veth Interface
+
+```routeros
+/interface veth add address=172.17.0.3/24 gateway=172.17.0.1 name=veth-tailscale
+```
+
+### Gateway IP on Interface
+
+```routeros
+/ip address add address=172.17.0.1/24 interface=veth-tailscale comment="Tailscale container gateway"
+```
+
+### NAT Masquerade for Internet Access
+
+```routeros
+/ip firewall nat add chain=srcnat action=masquerade src-address=172.17.0.0/24 out-interface-list=WAN comment="Container network NAT"
+```
+
+### Firewall Forward Rules
+
+```routeros
+/ip firewall filter add chain=forward action=accept dst-address=172.17.0.0/24 comment="[Container] Forward to container network"
+/ip firewall filter add chain=forward action=accept src-address=172.17.0.0/24 comment="[Container] Forward from container network"
+```
+
+---
+
+## Container Setup Commands
+
+### Create Mounts
+
+```routeros
+/container mounts add list=ts-state src=usb1/tailscale dst=/var/lib/tailscale
+```
+
+### Create Environment Variables
+
+```routeros
+/container envs add list=ts-env key=TS_STATE_DIR value=/var/lib/tailscale
+/container envs add list=ts-env key=TS_USERSPACE value=true
+/container envs add list=ts-env key=TS_AUTHKEY value=
+```
+
+### Create Container
+
+```routeros
+/container add remote-image=tailscale/tailscale:latest interface=veth-tailscale \
+ root-dir=usb1/tailscale/root mountlists=ts-state envlists=ts-env \
+ dns=8.8.8.8 start-on-boot=yes logging=yes
+```
+
+---
+
+## Management
+
+### Check Container Status
+
+```routeros
+/container print
+```
+
+### View Logs
+
+```routeros
+/log print where topics~"container" and message~"tailscale"
+```
+
+### Start/Stop Container
+
+```routeros
+/container start [find name~"tailscale"]
+/container stop [find name~"tailscale"]
+```
+
+---
+
+## Troubleshooting
+
+### Container Won't Start (Exit Status 1)
+
+**Cause:** Missing /dev/net/tun device (default for Tailscale)
+
+**Solution:** Enable userspace networking mode:
+```routeros
+/container envs add list=ts-env key=TS_USERSPACE value=true
+```
+
+### Can't Reach Internet from Container
+
+**Cause:** Missing NAT masquerade or gateway IP
+
+**Solution:**
+1. Verify gateway IP on veth interface:
+```routeros
+/ip address print where interface=veth-tailscale
+```
+
+2. Verify NAT masquerade rule:
+```routeros
+/ip firewall nat print where src-address=172.17.0.0/24
+```
+
+### Container Not Connecting to Tailscale
+
+1. Check DNS resolution works (logs should show no timeout)
+2. Verify auth key is valid and not expired
+3. Check firewall isn't blocking outbound HTTPS
+
+---
+
+## Tailscale Network Devices
+
+| Tailscale IP | Device | Status |
+|--------------|--------|--------|
+| 100.74.219.35 | MikroTik hAP ax³ (container) | Online |
+| 100.100.208.70 | xtrm-unraid | Online |
+| 100.112.103.7 | hapax3 (old native install) | Offline |
+| 100.75.93.123 | mikrotik-tailscale (previous container) | Offline |
+
+---
+
+## Important Notes
+
+1. **Userspace Networking Required:** MikroTik containers don't have /dev/net/tun access, so TS_USERSPACE=true is mandatory
+
+2. **Auth Key:** After initial authentication, the key is no longer needed - state is persisted in the mount
+
+3. **Container Network:** Both AdGuard and Tailscale share the 172.17.0.0/24 network but have separate veth interfaces
+
+4. **Accept Routes:** If subnet routing is needed, add TS_EXTRA_ARGS="--accept-routes" to environment
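Review bot: The two forward rules under "Firewall Forward Rules" accept all traffic to and from 172.17.0.0/24 with no interface or destination restriction, so anything that arrives via the Tailscale container (any node on the tailnet) can reach every VLAN, including Management and Cameras; scope them to the container veth and the VLANs remote access actually needs, and record the tailnet ACL that applies to 100.74.219.35 so the two policies can be reviewed together. On "Important Notes" item 4: `--accept-routes` makes this node accept subnet routes advertised by other tailnet nodes; exposing the home VLANs to the tailnet requires `--advertise-routes` (the container image also reads TS_ROUTES for this) plus approval in the admin console, so the note as written would not give remote access to the LAN. Two more items: the container's `dns=8.8.8.8` contradicts the deleted changelog entry in this same commit that moved it to 172.17.0.1,1.1.1.1, and also means the VPN node resolves outside AdGuard; and the two "Offline" nodes in the device table (hapax3, mikrotik-tailscale) still hold node keys and should be removed from the tailnet rather than left documented as stale.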
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
new file mode 100644
index 0000000..18f9479
--- /dev/null
+++ b/docs/CHANGELOG.md
@@ -0,0 +1,228 @@
+# Infrastructure Changelog
+
+**Purpose:** Major infrastructure events only. Minor changes are in git commit messages.
+
+---
+
+## 2026-02-06
+
+### Documentation Restructure
+- **[DOCS]** Restructured docs/ from 23 files to clean 9-doc structure
+- **[DOCS]** Archived 12 completed VLAN migration project docs to archive/vlan-migration/
+- **[DOCS]** Archived 5 done/superseded WIP docs (VLAN proposals, AI stack, Fossorial, DNS backup)
+- **[DOCS]** Created standing reference docs: 08-DNS-ARCHITECTURE.md, 09-TAILSCALE-VPN.md
+- **[DOCS]** Renamed docs to clean numbering (05-PORT-UTILIZATION, 06-VLAN-DEVICE-ASSIGNMENT, 07-WIFI-CAPSMAN-CONFIG)
+- **[DOCS]** Merged 00-CHANGELOG.md + 06-CHANGELOG.md → CHANGELOG.md
+- **[DOCS]** Updated all core docs with current VLAN IPs (192.168.31.x → 192.168.10.x)
+- **[DOCS]** Fixed CSS1 IP: 192.168.10.9 → 192.168.10.3, ZX1 IP: 192.168.10.7 → 192.168.10.4
+- **[DOCS]** Cleaned 06-VLAN-DEVICE-ASSIGNMENT.md: removed migration-era columns and sections, fixed VLAN 25 subnet
+- **[DOCS]** Updated README.md, CLAUDE.md, archive/README.md, wip/README.md
+
+---
+
+## 2026-02-01
+
+### WIP Documentation
+- **[DOCS]** Added KVM-SWITCH-MAC-NOBARA.md - Software KVM for Mac/Nobara switching
+- DDC/CI monitor control (Dell U3821DW) + HID++ Logitech peripheral switching
+- Scripts created on Mac at ~/scripts/
+
+---
+
+## 2026-01-31
+
+### Docker Cleanup
+- **[DOCKER]** Removed 18 unused images (~4.9 GB reclaimed)
+- **[DOCKER]** Removed 12 dangling images (old builds, untagged)
+- **[DOCKER]** Removed Slurpit stack images (warehouse, portal, scanner, scraper)
+- **[DOCKER]** Removed unused MongoDB 8 and MariaDB 11 images
+- **[DOCKER]** Removed 35 orphaned volumes (~1.15 GB reclaimed)
+- **[DOCKER]** Removed 28 anonymous dangling volumes
+- **[DOCKER]** Removed 6 nextcloud_aio_* volumes (from old AIO install)
+- **[DOCKER]** Removed orphaned redis-data volume
+- **[DOCKER]** **Total reclaimed: ~6 GB**
+
+### Kept (Stopped Containers)
+- open-webui, ollama (AI stack - for future use)
+- pgAdmin4 (database management)
+- diode-hydra-migrate, diode-auth-bootstrap (one-time migration jobs)
+
+---
+
+## 2026-01-27
+
+### VLAN Filtering Rolled Back
+- **[VLAN]** Enabled VLAN filtering - caused connectivity issues
+- **[VLAN]** ZX1 switch unreachable after activation (no management IP responding)
+- **[VLAN]** CSS326 traffic routing through ZX1 (not direct eth3 link)
+- **[VLAN]** **Rolled back** - VLAN filtering disabled
+- **[CONFIG]** Added eth4 (ZX1) to all VLAN tagged lists for future use
+- **[STATUS]** Network back to Legacy mode (192.168.31.0/24)
+- **[TODO]** Need physical access to ZX1 to configure VLAN trunking
+
+### Issues Identified
+- ZX1 switch not responding on documented IP 192.168.31.22
+- ZX1 may need VLAN trunk configuration before re-enabling filtering
+- All CSS326 traffic goes via ZX1→HAP1, not direct CSS326→HAP1 link (STP?)
+
+---
+
+## 2026-01-26
+
+### VLAN Filtering Activated
+- **[VLAN]** VLAN filtering enabled on MikroTik bridge - SUCCESSFUL
+- **[VLAN]** Internet connectivity verified (ping 1.1.1.1, google.com)
+- **[VLAN]** DNS resolution working through AdGuard
+- **[VLAN]** All previous fixes (DHCP DNS, firewall, NAT masquerade) working correctly
+- **[STATUS]** Network segmentation now ACTIVE
+
+### Local AI Stack Deployed
+- **[AI]** Deployed Ollama container with Intel GPU passthrough
+- **[AI]** Deployed Open WebUI at http://192.168.31.2:3080
+- **[AI]** Installed qwen2.5-coder:7b base model
+- **[AI]** Created custom `unraid-assistant` model with infrastructure knowledge
+- **[AI]** Created `/usr/local/bin/ai` terminal helper command
+- **[AI]** Stopped non-critical containers for RAM: karakeep, unimus, homarr, netdisco-*
+
+### VLAN Activation Attempt & Fixes
+- **[VLAN]** Configured CSS326 switch VLANs via SwOS web interface
+- **[VLAN]** Enabled VLAN filtering on MikroTik - caused internet outage
+- **[VLAN]** Rolled back VLAN filtering to restore connectivity
+- **[VLAN]** **ROOT CAUSE IDENTIFIED:** Multiple configuration issues
+
+### Issues Fixed
+- **[FIX]** DHCP DNS now points to each VLAN gateway instead of legacy 192.168.31.1
+- **[FIX]** Added DNS redirect rules for all VLANs (src-address-list=all-vlans)
+- **[FIX]** Added all VLAN interfaces to LAN firewall interface list
+- **[FIX]** Added NAT masquerade rules for VLAN traffic to AdGuard container
+- **[BACKUP]** MikroTik config saved before activation attempt
+
+---
+
+## 2026-01-25
+
+### VLAN Phase 1 Complete
+- **[VLAN]** Added VLAN 25 (Kids) - interface, IP, DHCP server, pool, bridge entry
+- **[VLAN]** Fixed VLAN 10 (Management) leases - correct IPs per device assignment doc
+- **[VLAN]** Fixed VLAN 30 (IoT) leases - all 14 devices with correct IPs
+- **[VLAN]** Added VLAN 25 (Kids) leases - 6 devices including XTRM-Ally
+- **[VLAN]** Added VLAN 50 (Guest) leases - 7 unknown devices
+- **[VLAN]** Added firewall rules for VLAN 25 (Kids → IoT, Legacy, DNS)
+- **[VLAN]** Total devices configured: 44
+
+### VLAN Implementation (Prepared)
+- **[VLAN]** Created 6 VLANs on MikroTik bridge (10, 20, 30, 35, 40, 50)
+- **[VLAN]** Configured IP addresses for all VLAN interfaces
+- **[VLAN]** Created DHCP servers and pools for each VLAN
+- **[VLAN]** Added static DHCP leases mapping MACs to VLAN IPs
+- **[VLAN]** Configured bridge VLAN table with tagged/untagged ports
+- **[VLAN]** Set WiFi ports PVID=20 (Trusted VLAN default)
+- **[VLAN]** Added inter-VLAN firewall rules (active)
+- **[VLAN]** VLAN filtering NOT YET ENABLED (pending CSS326 switch config)
+- **[DOCS]** Added docs/11-VLAN-IMPLEMENTATION.md
+- **[SCRIPTS]** Added scripts/mikrotik-vlan-setup.rsc and mikrotik-vlan-enable.rsc
+
+### DNS Configuration
+- **[DNS]** Updated both AdGuard instances to use Quad9 DoH
+- **[DNS]** Bootstrap DNS: 9.9.9.9, 149.112.112.112
+
+### MikroTik Containers
+- **[CONTAINER]** AdGuard Home container running on MikroTik (172.17.0.2)
+- **[CONTAINER]** Tailscale container configured (172.17.0.3)
+- **[CONTAINER]** Fixed Tailscale container authentication
+- **[CONTAINER]** Container bridge (containers-br) with NAT
+
+### Network
+- **[NETWORK]** Enabled CSS326 SFP1 port - 10G backbone link to ZX1 now active
+
+### Documentation
+- **[DOCS]** Created 02-PORT-UTILIZATION.md with ASCII port diagrams
+- **[DOCS]** Fixed ZX1 switch IP: 192.168.31.22 (was incorrectly documented as .7)
+
+### Incident
+- **[INCIDENT]** DNS outage after MikroTik restart - multiple root causes fixed:
+ - NAT rules blocking AdGuard outbound DNS (added exception rules)
+ - DHCP pushing wrong DNS (8.8.8.8 → 192.168.31.1)
+ - NAT redirect pointing to wrong IP/port (172.17.0.5:5355 → 192.168.31.4:53)
+ - Asymmetric routing (added srcnat masquerade for DNS redirect)
+- **[SERVICE]** Removed MikroTik AdGuard Home container (storage/overlay errors)
+- **[SERVICE]** Removed MikroTik Tailscale container (root directory missing)
+- **[SERVICE]** Removed Pi-hole/Unbound leftovers from MikroTik (veth, mounts, envs)
+- **[NETWORK]** Consolidated DNS architecture: MikroTik → Unraid AdGuard (192.168.31.4) only
+- **[DOCS]** Created incident reports in docs/incidents/
+- **[DOCS]** Restructured documentation - consolidated into 5 core docs + archive
+- **[NETBOX]** Added shelf devices for rack organization (U9, U7, U3)
+
+---
+
+## 2026-01-24
+- **[NETBOX]** Standardized device names to NetBox convention (HAP1, CSS1, ZX1)
+- **[DOCS]** Created NETWORK-PHYSICAL-MAP.md with complete port maps
+
+---
+
+## 2026-01-23
+- **[SERVICE]** Deployed Diode network discovery stack
+- **[SERVICE]** Removed Slurp'it (replaced by Diode + NetDisco)
+- **[SERVICE]** Consolidated NetBox Redis to shared instance
+- **[SERVICE]** Removed redundant DNS services (Unbound, DoH-Server, stunnel-dot)
+
+---
+
+## 2026-01-22
+- **[SERVICE]** Migrated NetBox to shared PostgreSQL 17
+- **[SERVICE]** Deployed AdGuard Home on MikroTik (primary DNS)
+- **[SERVICE]** Deployed AdGuard Home on Unraid (secondary DNS)
+- **[SERVICE]** Removed Pi-hole (replaced by AdGuard Home)
+- **[DOCS]** Created INFRASTRUCTURE-DIAGRAM.md
+
+---
+
+## 2026-01-21
+- **[BACKUP]** Configured Rclone sync to Google Drive
+
+---
+
+## 2026-01-19
+- **[SERVICE]** Deployed NetBox IPAM/DCIM
+- **[SERVICE]** Deployed NetDisco network discovery
+- **[NETWORK]** Enabled SNMP on all MikroTik devices
+
+---
+
+## 2026-01-18
+- **[SERVICE]** Deployed Gitea git server
+- **[SERVICE]** Deployed Woodpecker CI
+- **[NETWORK]** Configured CAPsMAN on HAP1
+- **[WIRELESS]** CAP added to CAPsMAN management
+
+---
+
+## 2026-01-17
+- **[SERVICE]** Deployed Portainer CE
+
+---
+
+## Previous History
+
+For detailed history before 2026-01-17, see archived changelogs in `archive/`.
+
+---
+
+## Format Guide
+
+```markdown
+### YYYY-MM-DD
+- **[CATEGORY]** Brief description
+
+Categories:
+- [DEVICE] - Hardware added/removed/changed
+- [SERVICE] - Container/service deployed/removed
+- [NETWORK] - Network topology/config changes
+- [WIRELESS] - WiFi/CAPsMAN changes
+- [BACKUP] - Backup configuration
+- [DOCS] - Major documentation changes
+- [INCIDENT] - Outages and fixes
+- [VLAN] - VLAN configuration changes
+- [DOCKER] - Docker maintenance
+```
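Review bot: the Format Guide at the end of this hunk does not match the entries above it. The guide prescribes `### YYYY-MM-DD`, but every dated section in the file uses `## YYYY-MM-DD` (with `###` reserved for sub-topics such as "VLAN Filtering Rolled Back"), and the category list omits tags the entries actually use: [CONFIG], [STATUS], [TODO], [AI], [FIX], [CONTAINER], [DNS], [NETBOX], [SCRIPTS]. Either trim the entries to the documented set or extend the guide so a reader can rely on it. A second point on the same hunk: within a single day the sections are not in chronological order, so the final state is ambiguous. 2026-01-26 reports "VLAN filtering enabled on MikroTik bridge - SUCCESSFUL" and, further down, "Enabled VLAN filtering on MikroTik - caused internet outage" followed by a rollback; 2026-01-25 lists "AdGuard Home container running on MikroTik (172.17.0.2)" and then "Removed MikroTik AdGuard Home container". Ordering the sub-sections oldest-first (or adding a time to each) would resolve this for someone reading the log during an incident.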
diff --git a/docs/wip/FOSSORIAL-TUNNELS.md b/docs/archive/FOSSORIAL-TUNNELS.md
similarity index 100%
rename from docs/wip/FOSSORIAL-TUNNELS.md
rename to docs/archive/FOSSORIAL-TUNNELS.md
diff --git a/docs/wip/LOCAL-AI-STACK.md b/docs/archive/LOCAL-AI-STACK.md
similarity index 100%
rename from docs/wip/LOCAL-AI-STACK.md
rename to docs/archive/LOCAL-AI-STACK.md
diff --git a/docs/archive/README.md b/docs/archive/README.md
index 0130faf..8223374 100644
--- a/docs/archive/README.md
+++ b/docs/archive/README.md
@@ -1,8 +1,8 @@
# Archived Documentation
-> ⚠️ **OBSOLETE - DO NOT UPDATE**
+> **OBSOLETE - DO NOT UPDATE**
-These documents are from the legacy documentation structure (pre-2026-01-25).
+These documents are from completed projects and legacy documentation.
They are kept for historical reference only.
**For current documentation, see the parent `docs/` folder:**
@@ -10,7 +10,28 @@ They are kept for historical reference only.
- `02-SERVICES-CRITICAL.md` - Essential services
- `03-SERVICES-OTHER.md` - Non-critical services
- `04-HARDWARE-INVENTORY.md` - Hardware details
-- `05-CHANGELOG.md` - Major events
+- `05-PORT-UTILIZATION.md` - Device port assignments
+- `06-VLAN-DEVICE-ASSIGNMENT.md` - VLAN device mapping
+- `07-WIFI-CAPSMAN-CONFIG.md` - WiFi and CAPsMAN settings
+- `08-DNS-ARCHITECTURE.md` - DNS failover architecture
+- `09-TAILSCALE-VPN.md` - Tailscale VPN setup
+- `CHANGELOG.md` - Change history
+
+## Subfolders
+
+### vlan-migration/
+
+12 documents from the VLAN migration project (completed 2026-01-31):
+- Migration plans (v1, v2, v3)
+- Implementation status trackers
+- Setup progress logs
+- DNS/AdGuard/Tailscale project docs (superseded by standing docs 08- and 09-)
+- Device migration worksheet
+
+### Legacy Docs (root archive/)
+
+- Pre-2026-01-25 documentation structure
+- Completed WIP items (VLAN proposals, AI stack, Fossorial tunnels)
+- Historical changelogs
**Do not reference these archived documents for current state.**
-All relevant information has been migrated to the new structure.
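Review bot: the "12 documents from the VLAN migration project" count in the vlan-migration/ subsection does not match the renames in this patch, which move 13 files into `docs/archive/vlan-migration/` (04, 09, 10, 11, 12, 13, 14, 15, 16, 17, 18, 20 and DNS-REDIRECT-RULES-BACKUP.md). Either correct the number or drop it, since a hard-coded count goes stale on the next move. Also, the deleted closing line "All relevant information has been migrated to the new structure." was the only statement that nothing in the archive is still authoritative; with "DNS/AdGuard/Tailscale project docs (superseded by standing docs 08- and 09-)" now the only supersession note, consider keeping one sentence that says which current doc replaces each archived area, so nobody applies the archived DNS redirect rules or Tailscale config from `vlan-migration/` to the live router.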
diff --git a/docs/wip/VLAN-PROPOSAL.md b/docs/archive/VLAN-PROPOSAL.md
similarity index 100%
rename from docs/wip/VLAN-PROPOSAL.md
rename to docs/archive/VLAN-PROPOSAL.md
diff --git a/docs/wip/VLAN-SEGMENTATION.md b/docs/archive/VLAN-SEGMENTATION.md
similarity index 100%
rename from docs/wip/VLAN-SEGMENTATION.md
rename to docs/archive/VLAN-SEGMENTATION.md
diff --git a/docs/04-VLAN-MIGRATION-PLAN.md b/docs/archive/vlan-migration/04-VLAN-MIGRATION-PLAN.md
similarity index 100%
rename from docs/04-VLAN-MIGRATION-PLAN.md
rename to docs/archive/vlan-migration/04-VLAN-MIGRATION-PLAN.md
diff --git a/docs/09-MIKROTIK-ADGUARD-DOT-DOH.md b/docs/archive/vlan-migration/09-MIKROTIK-ADGUARD-DOT-DOH.md
similarity index 100%
rename from docs/09-MIKROTIK-ADGUARD-DOT-DOH.md
rename to docs/archive/vlan-migration/09-MIKROTIK-ADGUARD-DOT-DOH.md
diff --git a/docs/10-MIKROTIK-TAILSCALE.md b/docs/archive/vlan-migration/10-MIKROTIK-TAILSCALE.md
similarity index 100%
rename from docs/10-MIKROTIK-TAILSCALE.md
rename to docs/archive/vlan-migration/10-MIKROTIK-TAILSCALE.md
diff --git a/docs/11-VLAN-IMPLEMENTATION.md b/docs/archive/vlan-migration/11-VLAN-IMPLEMENTATION.md
similarity index 100%
rename from docs/11-VLAN-IMPLEMENTATION.md
rename to docs/archive/vlan-migration/11-VLAN-IMPLEMENTATION.md
diff --git a/docs/12-VLAN-SETUP-PROGRESS.md b/docs/archive/vlan-migration/12-VLAN-SETUP-PROGRESS.md
similarity index 100%
rename from docs/12-VLAN-SETUP-PROGRESS.md
rename to docs/archive/vlan-migration/12-VLAN-SETUP-PROGRESS.md
diff --git a/docs/13-VLAN-SETUP-PLAN-V2.md b/docs/archive/vlan-migration/13-VLAN-SETUP-PLAN-V2.md
similarity index 100%
rename from docs/13-VLAN-SETUP-PLAN-V2.md
rename to docs/archive/vlan-migration/13-VLAN-SETUP-PLAN-V2.md
diff --git a/docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md b/docs/archive/vlan-migration/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md
similarity index 100%
rename from docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md
rename to docs/archive/vlan-migration/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md
diff --git a/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md b/docs/archive/vlan-migration/15-VLAN-SETUP-COMPLETE-2026-01-31.md
similarity index 100%
rename from docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md
rename to docs/archive/vlan-migration/15-VLAN-SETUP-COMPLETE-2026-01-31.md
diff --git a/docs/16-ADGUARD-VLAN-PLAN.md b/docs/archive/vlan-migration/16-ADGUARD-VLAN-PLAN.md
similarity index 100%
rename from docs/16-ADGUARD-VLAN-PLAN.md
rename to docs/archive/vlan-migration/16-ADGUARD-VLAN-PLAN.md
diff --git a/docs/17-DNS-ADGUARD-FAILOVER.md b/docs/archive/vlan-migration/17-DNS-ADGUARD-FAILOVER.md
similarity index 100%
rename from docs/17-DNS-ADGUARD-FAILOVER.md
rename to docs/archive/vlan-migration/17-DNS-ADGUARD-FAILOVER.md
diff --git a/docs/18-MIKROTIK-TAILSCALE.md b/docs/archive/vlan-migration/18-MIKROTIK-TAILSCALE.md
similarity index 100%
rename from docs/18-MIKROTIK-TAILSCALE.md
rename to docs/archive/vlan-migration/18-MIKROTIK-TAILSCALE.md
diff --git a/docs/20-DEVICE-MIGRATION-WORKSHEET.md b/docs/archive/vlan-migration/20-DEVICE-MIGRATION-WORKSHEET.md
similarity index 100%
rename from docs/20-DEVICE-MIGRATION-WORKSHEET.md
rename to docs/archive/vlan-migration/20-DEVICE-MIGRATION-WORKSHEET.md
diff --git a/docs/wip/DNS-REDIRECT-RULES-BACKUP.md b/docs/archive/vlan-migration/DNS-REDIRECT-RULES-BACKUP.md
similarity index 100%
rename from docs/wip/DNS-REDIRECT-RULES-BACKUP.md
rename to docs/archive/vlan-migration/DNS-REDIRECT-RULES-BACKUP.md
diff --git a/docs/wip/GITOPS-CONTAINERS.md b/docs/wip/GITOPS-CONTAINERS.md
index 768bfde..b7e8c0e 100644
--- a/docs/wip/GITOPS-CONTAINERS.md
+++ b/docs/wip/GITOPS-CONTAINERS.md
@@ -104,7 +104,7 @@ pipeline:
when:
path: configs/xtrm-n5/**
commands:
- - ssh root@192.168.31.2 "cd /path && docker compose up -d"
+ - ssh root@192.168.10.20 "cd /path && docker compose up -d"
secrets: [ssh_key]
deploy-n1:
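Review bot: the deploy step still runs `ssh root@... "cd /path && docker compose up -d"`, so the CI `ssh_key` secret is a root credential for the Docker host; the IP change to 192.168.10.20 does not alter that. Suggest a dedicated deploy user whose authorized_keys entry is restricted with a forced command (`command="cd /srv/compose && docker compose up -d",no-port-forwarding,no-pty`) so a leaked CI key can only trigger the deploy, and pin the host key (a known_hosts file in the repo or the CI image) rather than accepting it on first connect. The `/path` placeholder should also become the real compose directory, or be marked as a placeholder, before this moves out of wip/.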
diff --git a/docs/wip/README.md b/docs/wip/README.md
index 75a63f8..7641d38 100644
--- a/docs/wip/README.md
+++ b/docs/wip/README.md
@@ -8,9 +8,9 @@ Planned changes, evaluations, and ideas not yet implemented.
| Status | Meaning |
|--------|---------|
-| 📋 PLANNED | Approved, waiting for resources/time |
-| 🔬 EVALUATING | Under investigation/research |
-| 💡 IDEA | Concept, needs further definition |
+| PLANNED | Approved, waiting for resources/time |
+| EVALUATING | Under investigation/research |
+| IDEA | Concept, needs further definition |
---
@@ -20,24 +20,24 @@ Planned changes, evaluations, and ideas not yet implemented.
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
-| [UPGRADE-2026-HARDWARE.md](UPGRADE-2026-HARDWARE.md) | 📋 PLANNED | High | N5 Air + N100 server migration |
-| [GITOPS-CONTAINERS.md](GITOPS-CONTAINERS.md) | 💡 IDEA | Medium | Container config in Git with CI/CD |
+| [UPGRADE-2026-HARDWARE.md](UPGRADE-2026-HARDWARE.md) | PLANNED | High | N5 Air + N100 server migration |
+| [GITOPS-CONTAINERS.md](GITOPS-CONTAINERS.md) | IDEA | Medium | Container config in Git with CI/CD |
### Network
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
-| [VLAN-SEGMENTATION.md](VLAN-SEGMENTATION.md) | 📋 PLANNED | Medium | Network segmentation (Secure/IoT/Kids/Guest) |
-| [FOSSORIAL-TUNNELS.md](FOSSORIAL-TUNNELS.md) | 💡 IDEA | Low | Self-hosted Pangolin/Gerbil tunnels |
+| [CONSOLE-PORT-ETHER5.md](CONSOLE-PORT-ETHER5.md) | EVALUATING | Low | Console/serial port on HAP1 ether5 |
+| [KVM-SWITCH-MAC-NOBARA.md](KVM-SWITCH-MAC-NOBARA.md) | EVALUATING | Medium | Software KVM for Mac/Nobara switching |
### Applications
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
-| [REMOTE-GAMING.md](REMOTE-GAMING.md) | 🔬 EVALUATING | Low | Sunshine + Moonlight game streaming |
+| [REMOTE-GAMING.md](REMOTE-GAMING.md) | EVALUATING | Low | Sunshine + Moonlight game streaming |
---
## Completed Items
-Move to main docs or archive when done. Update `05-CHANGELOG.md` with major completions.
+Move to main docs or archive when done. Update `CHANGELOG.md` with major completions.
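Review bot: the Network table now links `CONSOLE-PORT-ETHER5.md` and `KVM-SWITCH-MAC-NOBARA.md`, but none of the diff visible here adds those files to `docs/wip/`; confirm they exist in the tree or the two links dangle. The removals in the same table (VLAN-SEGMENTATION.md, FOSSORIAL-TUNNELS.md) are consistent with the renames into `docs/archive/` earlier in this patch, and LOCAL-AI-STACK.md, also archived here, was never listed, so no further table edits are needed for it.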