# Network Map - xtrm-lab.org
**Last Updated:** 2026-02-14
**Domain:** xtrm-lab.org
**WAN IP:** 62.73.120.142

---
## Quick Reference
| Resource | Address |
|----------|---------|
| **Dashboard** | https://xtrm-lab.org |
| **DNS Primary** | dns.xtrm-lab.org (HAP1) |
| **DNS Secondary** | dns2.xtrm-lab.org (XTRM-U) |
| **Unraid SSH** | `ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422` |
| **MikroTik SSH** | `ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1` |
---
## Network Topology
```mermaid
flowchart TB
    subgraph Internet["Internet"]
        ISP["IGP Fiber Gateway<br/>(Vivacom)<br/>62.73.120.x"]
    end
    subgraph Rack19["19#quot; Rack (3U)"]
        HAP1["HAP1 | hAP ax³<br/>192.168.10.1"]
        PP1["PP1 | 24-port"]
        CSS1["CSS1 | CSS326-24G-2S+<br/>192.168.10.3"]
    end
    subgraph Rack10["10#quot; Rack (9U)"]
        ZX1["ZX1 | ZX-SWTGW218AS<br/>192.168.10.4"]
        PP2["PP2 | 12-port"]
        XTRMU["XTRM-U<br/>192.168.10.20"]
    end
    subgraph Wireless["WiFi"]
        CAP["CAP | cAP XL ac<br/>192.168.10.2"]
    end
    ISP -->|"ether1 WAN"| HAP1
    HAP1 -->|"ether2"| CAP
    HAP1 -->|"ether3"| CSS1
    HAP1 -->|"ether4"| XTRMU
    HAP1 -->|"ether5"| DELL["Dell Monitor<br/>192.168.10.100"]
    ZX1 <-->|"⚡ 10G SFP+ ⚡"| CSS1
    CSS1 -->|"Ports 16-24"| PP1
```
---
## Physical Infrastructure
### Rack Layout
#### 10" Rack (9U)
| U | Device | Model | IP | Notes |
|---|--------|-------|-----|-------|
| U9 | Shelf + ISP Gateway | Vivacom ONT | 62.73.120.2 | WAN |
| U8 | PP2 | 10" 12-port Cat6a | - | Patch panel |
| U7 | Shelf + ZX1 | ZX-SWTGW218AS | 192.168.10.4 | 8x2.5G + 2x10G SFP+ |
| U6 | (empty) | - | - | Reserved for XTRM-N1 |
| U1-U4 | XTRM-U | NAS Server | 192.168.10.20 | 4x 2.5GbE bond |
#### 19" Rack (3U)
| U | Device | Model | IP | Notes |
|---|--------|-------|-----|-------|
| U3 | Shelf + HAP1 | hAP ax³ | 192.168.10.1 | Router + WiFi controller |
| U2.5 | PP1 | 19" 24-port Cat6a | - | Room connections |
| U1 | CSS1 | CSS326-24G-2S+ | 192.168.10.3 | 24x1G + 2x10G SFP+ |
### HAP ax³ Port Assignments
| Port | Connected To | VLAN | Notes |
|------|--------------|------|-------|
| ether1 | ISP Gateway | WAN | Vivacom ONT |
| ether2 | CAP XL ac | 10 (trunk) | Access Point |
| ether3 | CSS326-24G-2S+ | 10 (trunk) | Distribution Switch |
| ether4 | XTRM-U (Unraid) | 10 | Main Server |
| ether5 | Dell Monitor LAN | 10 | Kaloyan workstation |
### Backbone Links
| Link | From | To | Speed | Type |
|------|------|----|-------|------|
| **Primary** | ZX1-SFP1 | CSS1-SFP1 | 10G | SFP+ DAC |
| Router→CAP | HAP1 ether2 | CAP XL ac | 1G | Cat6a |
| Router→Dist | HAP1 ether3 | CSS1-1 | 1G | Cat6a |
| Router→Server | HAP1 ether4 | XTRM-U | 1G | Cat6a |
| Router→Dell | HAP1 ether5 | Dell Monitor | 1G | Cat6a |
---
## IP Address Allocation
### VLAN Summary
| VLAN | Subnet | Gateway | Purpose |
|------|--------|---------|---------|
| 10 | 192.168.10.0/24 | 192.168.10.1 | Management |
| 20 | 192.168.20.0/24 | 192.168.20.1 | Trusted |
| 25 | 192.168.25.0/24 | 192.168.25.1 | Kids |
| 30 | 192.168.30.0/24 | 192.168.30.1 | IoT |
| 40 | 192.168.1.0/24 | 192.168.1.1 | CatchAll |
### VLAN 10 - Infrastructure Devices
| IP | Device | Type |
|----|--------|------|
| 192.168.10.1 | HAP1 \| hAP ax³ | Router |
| 192.168.10.3 | CSS1 \| CSS326-24G-2S+ | Switch |
| 192.168.10.4 | ZX1 \| ZX-SWTGW218AS | Switch |
| 192.168.10.2 | CAP \| cAP XL ac | Access Point |
| 192.168.10.10 | AdGuard Home (Unraid macvlan) | DNS Secondary |
| 192.168.10.20 | XTRM-U | Server |
| 192.168.10.103 | XTRM-Nobara | Failover Node |
| 192.168.10.200 | NanoKVM | Remote KVM |

For complete device-to-VLAN mapping, see `06-VLAN-DEVICE-ASSIGNMENT.md`.

---
## Docker Networks
### HAP1 (MikroTik Router)
**Network:** 172.17.0.0/24 (veth)

| Container | IP | Purpose |
|-----------|-----|---------|
| AdGuard Home | 172.17.0.2 | DNS Primary (DoH/DoT/DoQ) |
| Tailscale | 172.17.0.3 | VPN mesh |
### XTRM-U (Unraid Server)
#### dockerproxy (172.18.0.0/16)
**Static IP Assignments:**

| Range | Purpose |
|-------|---------|
| 172.18.0.2-10 | Core Infrastructure |
| 172.18.0.11-15 | Security |
| 172.18.0.16-30 | Productivity |
| 172.18.0.31-40 | DevOps |
| 172.18.0.41-50 | NetDisco |
| 172.18.0.61-69 | NetBox |
| 172.18.0.70-79 | Diode Discovery |

**Core Infrastructure (172.18.0.2-10)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.2 | dockersocket | Docker socket proxy |
| 172.18.0.3 | traefik | Reverse proxy |
| 172.18.0.4 | homarr | Dashboard |

**Security (172.18.0.11-15)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.11 | authentik | Identity provider |
| 172.18.0.12 | authentik-worker | Background tasks |
| 172.18.0.13 | postgresql17 | Shared database |
| 172.18.0.14 | Redis | Shared cache/queue |
| 172.18.0.15 | vaultwarden | Password manager |

**Productivity (172.18.0.16-30)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.16 | actual-budget | Budget tracking |
| 172.18.0.17 | n8n | Workflow automation |
| 172.18.0.18 | Uptime-Kuma-API | Monitoring API |
| 172.18.0.19 | AutoKuma | Auto-monitor |
| 172.18.0.20 | UptimeKuma | Uptime monitoring |
| 172.18.0.21 | speedtest-tracker | Speed tests |
| 172.18.0.23 | Libation | Audiobooks |
| 172.18.0.24 | Nextcloud | Cloud storage |
| 172.18.0.25 | karakeep | Bookmarks |
| 172.18.0.26 | transmission | Torrent |
| 172.18.0.27 | adguardhome-sync | DNS sync |

**DevOps (172.18.0.31-40)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.31 | gitea | Git server |
| 172.18.0.32 | woodpecker-server | CI/CD server |
| 172.18.0.33 | woodpecker-agent | CI/CD agent |

**NetDisco (172.18.0.41-50)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.41 | netdisco-web | Web UI |
| 172.18.0.42 | netdisco-backend | SNMP poller |

**NetBox (172.18.0.61-69)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.61 | netbox | Web UI (DCIM/IPAM) |
| 172.18.0.62 | netbox-worker | Background tasks |
| 172.18.0.64 | netbox-redis-cache | Query cache |

**Diode Discovery (172.18.0.70-79)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.70 | diode-ingress | API Gateway |
| 172.18.0.71 | diode-ingester | Data ingestion |
| 172.18.0.72 | diode-reconciler | NetBox sync |
| 172.18.0.73 | diode-hydra | OAuth2 |
| 172.18.0.74 | diode-auth | Token service |
#### Host Network Containers
| Container | Purpose |
|-----------|---------|
| plex | Media server (:32400) |
| unimus | Network config backup |
| UrBackup | Backup server |
| NetAlertX | Network scanner |
| HomeAssistant | Home automation |
#### Bridge Network (172.17.0.0/16)
| Container | Purpose |
|-----------|---------|
| portainer | Container management |
| rustdesk-hbbs | RustDesk signaling |
| rustdesk-hbbr | RustDesk relay |
---
## Port Forwarding (NAT)
| External Port | Destination | Service |
|---------------|-------------|---------|
| 80 | 192.168.10.20:8001 | Traefik HTTP |
| 443 | 192.168.10.20:44301 | Traefik HTTPS |
| 32400 | 192.168.10.20:32400 | Plex |
| 51413 | 192.168.10.20:51413 | Transmission |
| 21115-21119 | 192.168.10.20 | RustDesk |
### Hairpin NAT (internal access to WAN IP)
| Destination | To | Service |
|-------------|-----|---------|
| 62.73.120.142:80 | 192.168.10.20:8001 | Traefik HTTP |
| 62.73.120.142:443 | 192.168.10.20:44301 | Traefik HTTPS |
### AdGuard DNS (pending - not configured yet)
| External Port | Destination | Service |
|---------------|-------------|---------|
| 853 | 172.17.0.2:853 | AdGuard DoT |
| 8853 | 172.17.0.2:8853 | AdGuard DoQ |
---
## DNS Architecture
```mermaid
flowchart TB
    subgraph External["External Access"]
        DOH["DoH: dns.xtrm-lab.org"]
        DOT["DoT: dns.xtrm-lab.org:853"]
    end
    subgraph HAP1["HAP1 (Primary)"]
        AGH1["AdGuard Home<br/>172.17.0.2"]
    end
    subgraph XTRMU["XTRM-U (Secondary)"]
        AGH2["AdGuard Home<br/>192.168.10.10"]
    end
    subgraph Sync["Sync"]
        SYNC["adguardhome-sync<br/>Every 30 min"]
    end
    DOH --> AGH1
    DOT --> AGH1
    AGH1 <-.->|sync| SYNC
    SYNC <-.->|sync| AGH2
    AGH1 --> Q9["Quad9 DoH"]
    AGH2 --> Q9
```
---
## WiFi Networks
| SSID | Band | Security | Purpose |
|------|------|----------|---------|
| XTRM | 5GHz | WPA2/WPA3 | Primary devices |
| XTRM2 | 2.4GHz | WPA/WPA2 | IoT devices |

**CAPsMAN:** HAP1 manages CAP XL ac (192.168.10.2) - both 2.4GHz and 5GHz radios active

---
## External URLs
| Service | URL |
|---------|-----|
| Dashboard | https://xtrm-lab.org |
| Auth | https://auth.xtrm-lab.org |
| Git | https://git.xtrm-lab.org |
| CI/CD | https://ci.xtrm-lab.org |
| NetBox | https://netbox.xtrm-lab.org |
| Uptime | https://uptime.xtrm-lab.org |
| Plex | https://plex.xtrm-lab.org |
| Nextcloud | https://cloud.xtrm-lab.org |
| Vault | https://vault.xtrm-lab.org |
| NetDisco | https://netdisco.xtrm-lab.org |
---
## CSS326 Port Assignments (Configured 2026-02-02)
| Port | Label | Device/Room | VLAN | Notes |
|------|-------|-------------|------|-------|
| 1 | HAP-Trunk | HAP Uplink | Trunk | 10,20,25,30 tagged |
| 2 | KVM-V10 | NanoKVM | 10 | Management |
| 3-15 | - | - | 1 | Available |
| 16 | Kids-B1 | Boys Room | 25 | Family VLAN |
| 17 | Kids-B2 | Boys Room | 25 | Family VLAN |
| 18 | Kids-G1 | Girls Room | 25 | Family VLAN |
| 19 | Main-M1 | Main Bedroom | 20 | Trusted VLAN |
| 20 | Main-M2 | Main Bedroom | 20 | Trusted VLAN |
| 21 | Main-M3 | Main Bedroom | 20 | Trusted VLAN |
| 22 | LR-L1 | Living Room | 30 | IoT VLAN |
| 23 | LR-L2 | Living Room | 30 | IoT VLAN (Settop box) |
| 24 | LR-L3 | Living Room | 30 | IoT VLAN |
| SFP1 | ZX1-10G | ZX1 Switch | Trunk | 10G Backbone |
| SFP2 | - | - | 1 | Available |
## Room Outlets
| Room | Outlets | Switch Ports | VLAN | Status |
|------|---------|--------------|------|--------|
| Living Room | L1, L2, L3 | CSS1-22/23/24 | 30 | Active |
| Main Bedroom | M1, M2, M3 | CSS1-19/20/21 | 20 | Active |
| Boys Room | B1, B2 | CSS1-17/18 | 25 | Active |
| Girls Room | G1 | CSS1-16 | 25 | Active |
| Corridor | C1 (CAP) | HAP1 ether2 | 10 | Active |
---
## SMB Shares
| Share | Path | Size | Access | Consumers |
|-------|------|------|--------|-----------|
| roms | /mnt/user/roms | 2.3 TB | Guest (read-only) | Nobara (/mnt/roms), Recalbox (network mount) |
---
## Shared Databases
### PostgreSQL 17 (172.18.0.13)
| Database | User | Consumer |
|----------|------|----------|
| authentik_db | authentik_user | Authentik |
| netbox | netbox_user | NetBox |
| gitea | gitea_user | Gitea |
| netdisco_db | netdisco_user | NetDisco |
| diode | diode_user | Diode Reconciler |
| hydra | hydra_user | Diode Hydra |
### Redis (172.18.0.14)
| Consumer | Purpose |
|----------|---------|
| Authentik | Session cache |
| NetBox Worker | Task queue |
| Diode | Ingestion queue |