# Network Map - xtrm-lab.org
**Last Updated:** 2026-01-25

**Domain:** xtrm-lab.org

**WAN IP:** 62.73.120.142

---
## Quick Reference
| Resource | Address |
|----------|---------|
| **Dashboard** | https://xtrm-lab.org |
| **DNS Primary** | dns.xtrm-lab.org (HAP1) |
| **DNS Secondary** | dns2.xtrm-lab.org (XTRM-U) |
| **Unraid SSH** | `ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422` |
| **MikroTik SSH** | `ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1` |
---
## Network Topology
```mermaid
flowchart TB
    subgraph Internet["Internet"]
        ISP["IGP Fiber Gateway<br/>(Vivacom)<br/>62.73.120.x"]
    end
    subgraph Rack19["19#quot; Rack (3U)"]
        HAP1["HAP1 | hAP ax³<br/>192.168.31.1"]
        PP1["PP1 | 24-port"]
        CSS1["CSS1 | CSS326-24G-2S+<br/>192.168.31.9"]
    end
    subgraph Rack10["10#quot; Rack (9U)"]
        ZX1["ZX1 | ZX-SWTGW218AS<br/>192.168.31.22"]
        PP2["PP2 | 12-port"]
        XTRMU["XTRM-U<br/>192.168.31.2"]
    end
    subgraph Wireless["WiFi"]
        CAP["CAP | cAP XL ac<br/>192.168.31.6"]
    end
    ISP -->|"H-1 WAN"| HAP1
    HAP1 -->|"H-4 → ZX1-1"| ZX1
    HAP1 -->|"H-3 → CSS1-1"| CSS1
    ZX1 <-->|"⚡ 10G SFP+ ⚡"| CSS1
    ZX1 -->|"ZX1-2/3 via PP2"| XTRMU
    HAP1 -->|"H-2 via PP1"| CAP
    CSS1 -->|"Ports 16-24"| PP1
```
---
## Physical Infrastructure
### Rack Layout
#### 10" Rack (9U)
| U | Device | Model | IP | Notes |
|---|--------|-------|-----|-------|
| U9 | Shelf + ISP Gateway | Vivacom ONT | 62.73.120.2 | WAN |
| U8 | PP2 | 10" 12-port Cat6a | - | Patch panel |
| U7 | Shelf + ZX1 | ZX-SWTGW218AS | 192.168.31.22 | 8x2.5G + 2x10G SFP+ |
| U6 | (empty) | - | - | Reserved for XTRM-N1 |
| U1-U4 | XTRM-U | NAS Server | 192.168.31.2 | 4x 2.5GbE bond |
#### 19" Rack (3U)
| U | Device | Model | IP | Notes |
|---|--------|-------|-----|-------|
| U3 | Shelf + HAP1 | hAP ax³ | 192.168.31.1 | Router + WiFi controller |
| U2.5 | PP1 | 19" 24-port Cat6a | - | Room connections |
| U1 | CSS1 | CSS326-24G-2S+ | 192.168.31.9 | 24x1G + 2x10G SFP+ |
### Backbone Links
| Link | From | To | Speed | Type |
|------|------|----|-------|------|
| **Primary** | ZX1-SFP1 | CSS1-SFP1 | 10G | SFP+ DAC |
| Router→Core | HAP1 H-4 | ZX1-1 | 2.5G | Cat6a |
| Router→Dist | HAP1 H-3 | CSS1-1 | 1G | Cat6a |
| Server Bond | ZX1-2/3 | XTRM-U via PP2 | 2x 2.5G | Cat6a |
---
## IP Address Allocation
### Network: 192.168.31.0/24
#### Infrastructure Devices
| IP | Device | Type | MAC |
|----|--------|------|-----|
| 192.168.31.1 | HAP1 \| hAP ax³ | Router | 78:9A:18:2C:A5:48 |
| 192.168.31.2 | XTRM-U | Server | A8:B8:E0:02:B6:15 |
| 192.168.31.6 | CAP \| cAP XL ac | Access Point | 18:FD:74:54:3D:BC |
| 192.168.31.22 | ZX1 \| ZX-SWTGW218AS | Switch | 1C:2A:A3:1E:78:67 |
| 192.168.31.9 | CSS1 \| CSS326-24G-2S+ | Switch | F4:1E:57:C9:BD:09 |
#### Containers (br0 Macvlan)
| IP | Container | Purpose |
|----|-----------|---------|
| 192.168.31.4 | AdGuard Home | DNS Secondary |
| 192.168.31.5 | Unbound | Recursive DNS (stopped) |
| 192.168.31.12 | TimeMachine | macOS backups |
#### DHCP Ranges
| Range | Purpose |
|-------|---------|
| 192.168.31.10-99 | Reserved (static) |
| 192.168.31.100-200 | DHCP Pool |
| 192.168.31.201-254 | Reserved |
---
## Docker Networks
### HAP1 (MikroTik Router)
**Network:** 172.17.0.0/16 (bridge)

| Container | IP | Purpose |
|-----------|-----|---------|
| AdGuard Home | 172.17.0.5 | DNS Primary (DoH/DoT/DoQ) |
| Tailscale | 172.17.0.4 | VPN mesh |
### XTRM-U (Unraid Server)
#### dockerproxy (172.18.0.0/16)
**Static IP Assignments:**

| Range | Purpose |
|-------|---------|
| 172.18.0.2-10 | Core Infrastructure |
| 172.18.0.11-15 | Security |
| 172.18.0.16-30 | Productivity |
| 172.18.0.31-40 | DevOps |
| 172.18.0.41-50 | NetDisco |
| 172.18.0.61-69 | NetBox |
| 172.18.0.70-79 | Diode Discovery |

**Core Infrastructure (172.18.0.2-10)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.2 | dockersocket | Docker socket proxy |
| 172.18.0.3 | traefik | Reverse proxy |
| 172.18.0.4 | homarr | Dashboard |

**Security (172.18.0.11-15)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.11 | authentik | Identity provider |
| 172.18.0.12 | authentik-worker | Background tasks |
| 172.18.0.13 | postgresql17 | Shared database |
| 172.18.0.14 | Redis | Shared cache/queue |
| 172.18.0.15 | vaultwarden | Password manager |

**Productivity (172.18.0.16-30)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.16 | actual-budget | Budget tracking |
| 172.18.0.17 | n8n | Workflow automation |
| 172.18.0.18 | Uptime-Kuma-API | Monitoring API |
| 172.18.0.19 | AutoKuma | Auto-monitor |
| 172.18.0.20 | UptimeKuma | Uptime monitoring |
| 172.18.0.21 | speedtest-tracker | Speed tests |
| 172.18.0.23 | Libation | Audiobooks |
| 172.18.0.24 | Nextcloud | Cloud storage |
| 172.18.0.25 | karakeep | Bookmarks |
| 172.18.0.26 | transmission | Torrent |
| 172.18.0.27 | adguardhome-sync | DNS sync |

**DevOps (172.18.0.31-40)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.31 | gitea | Git server |
| 172.18.0.32 | woodpecker-server | CI/CD server |
| 172.18.0.33 | woodpecker-agent | CI/CD agent |

**NetDisco (172.18.0.41-50)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.41 | netdisco-web | Web UI |
| 172.18.0.42 | netdisco-backend | SNMP poller |

**NetBox (172.18.0.61-69)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.61 | netbox | Web UI (DCIM/IPAM) |
| 172.18.0.62 | netbox-worker | Background tasks |
| 172.18.0.64 | netbox-redis-cache | Query cache |

**Diode Discovery (172.18.0.70-79)**

| IP | Container | Purpose |
|----|-----------|---------|
| 172.18.0.70 | diode-ingress | API Gateway |
| 172.18.0.71 | diode-ingester | Data ingestion |
| 172.18.0.72 | diode-reconciler | NetBox sync |
| 172.18.0.73 | diode-hydra | OAuth2 |
| 172.18.0.74 | diode-auth | Token service |
#### Host Network Containers
| Container | Purpose |
|-----------|---------|
| plex | Media server (:32400) |
| unimus | Network config backup |
| UrBackup | Backup server |
| NetAlertX | Network scanner |
| HomeAssistant | Home automation |
#### Bridge Network (172.17.0.0/16)
| Container | Purpose |
|-----------|---------|
| portainer | Container management |
| rustdesk-hbbs | RustDesk signaling |
| rustdesk-hbbr | RustDesk relay |
---
## Port Forwarding (NAT)
| External Port | Destination | Service |
|---------------|-------------|---------|
| 80 | 192.168.10.20:8001 | Traefik HTTP |
| 443 | 192.168.10.20:44301 | Traefik HTTPS |
| 32400 | 192.168.10.20:32400 | Plex |
| 51413 | 192.168.10.20:51413 | Transmission |
| 21115-21119 | 192.168.10.20 | RustDesk |
### Hairpin NAT (internal access to WAN IP)
| Destination | To | Service |
|-------------|-----|---------|
| 62.73.120.142:80 | 192.168.10.20:8001 | Traefik HTTP |
| 62.73.120.142:443 | 192.168.10.20:44301 | Traefik HTTPS |
### AdGuard DNS (pending - not configured yet)
| External Port | Destination | Service |
|---------------|-------------|---------|
| 853 | 172.17.0.5:853 | AdGuard DoT |
| 8853 | 172.17.0.5:8853 | AdGuard DoQ |
---
## DNS Architecture
```mermaid
flowchart TB
    subgraph External["External Access"]
        DOH["DoH: dns.xtrm-lab.org"]
        DOT["DoT: dns.xtrm-lab.org:853"]
    end
    subgraph HAP1["HAP1 (Primary)"]
        AGH1["AdGuard Home<br/>172.17.0.5"]
    end
    subgraph XTRMU["XTRM-U (Secondary)"]
        AGH2["AdGuard Home<br/>192.168.31.4"]
    end
    subgraph Sync["Sync"]
        SYNC["adguardhome-sync<br/>Every 30 min"]
    end
    DOH --> AGH1
    DOT --> AGH1
    AGH1 <-.->|sync| SYNC
    SYNC <-.->|sync| AGH2
    AGH1 --> Q9["Quad9 DoH"]
    AGH2 --> Q9
```
---
## WiFi Networks
| SSID | Band | Security | Purpose |
|------|------|----------|---------|
| XTRM | 5GHz | WPA2/WPA3 | Primary devices |
| XTRM | 2.4GHz | WPA/WPA2 | Legacy support |
| XTRM2 | 2.4GHz | WPA/WPA2 | IoT devices |

**CAPsMAN:** HAP1 manages CAP access point

---
## External URLs
| Service | URL |
|---------|-----|
| Dashboard | https://xtrm-lab.org |
| Auth | https://auth.xtrm-lab.org |
| Git | https://git.xtrm-lab.org |
| CI/CD | https://ci.xtrm-lab.org |
| NetBox | https://netbox.xtrm-lab.org |
| Uptime | https://uptime.xtrm-lab.org |
| Plex | https://plex.xtrm-lab.org |
| Nextcloud | https://cloud.xtrm-lab.org |
| Vault | https://vault.xtrm-lab.org |
| NetDisco | https://netdisco.xtrm-lab.org |
---
## Room Outlets
| Room | Outlets | Switch Ports | Status |
|------|---------|--------------|--------|
| Living Room | L1, L2, L3 | CSS1-22/23/24 | Active |
| Main Bedroom | M1, M2, M3 | CSS1-19/20/21 | Active |
| Boys Room | B1, B2 | CSS1-17/18 | Active |
| Girls Room | G1 | CSS1-16 | Unused |
| Corridor | C1 (CAP) | HAP1 H-2 | Active |
---
## Shared Databases
### PostgreSQL 17 (172.18.0.13)
| Database | User | Consumer |
|----------|------|----------|
| authentik_db | authentik_user | Authentik |
| netbox | netbox_user | NetBox |
| gitea | gitea_user | Gitea |
| netdisco_db | netdisco_user | NetDisco |
| diode | diode_user | Diode Reconciler |
| hydra | hydra_user | Diode Hydra |
### Redis (172.18.0.14)
| Consumer | Purpose |
|----------|---------|
| Authentik | Session cache |
| NetBox Worker | Task queue |
| Diode | Ingestion queue |