# Infrastructure Changelog

**Purpose:** Major infrastructure events only. Minor changes are in git commit messages.

---

## 2026-01

### 2026-01-25
- **[INCIDENT]** DNS outage after MikroTik restart - multiple root causes fixed:
  - NAT rules blocking AdGuard outbound DNS (added exception rules)
  - DHCP pushing wrong DNS (8.8.8.8 → 192.168.31.1)
  - NAT redirect pointing to wrong IP/port (172.17.0.5:5355 → 192.168.31.4:53)
  - Asymmetric routing (added srcnat masquerade for DNS redirect)
- **[SERVICE]** Removed MikroTik AdGuard Home container (storage/overlay errors)
- **[SERVICE]** Removed MikroTik Tailscale container (root directory missing)
- **[SERVICE]** Removed Pi-hole/Unbound leftovers from MikroTik (veth, mounts, envs)
- **[NETWORK]** Consolidated DNS architecture: MikroTik → Unraid AdGuard (192.168.31.4) only
- **[DOCS]** Created incident reports in docs/incidents/
- **[DOCS]** Restructured documentation - consolidated into 5 core docs + archive
- **[NETBOX]** Added shelf devices for rack organization (U9, U7, U3)

### 2026-01-24
- **[NETBOX]** Standardized device names to NetBox convention (HAP1, CSS1, ZX1)
- **[DOCS]** Created NETWORK-PHYSICAL-MAP.md with complete port maps

### 2026-01-23
- **[SERVICE]** Deployed Diode network discovery stack
- **[SERVICE]** Removed Slurp'it (replaced by Diode + NetDisco)
- **[SERVICE]** Consolidated NetBox Redis to shared instance
- **[SERVICE]** Removed redundant DNS services (Unbound, DoH-Server, stunnel-dot)

### 2026-01-22
- **[SERVICE]** Migrated NetBox to shared PostgreSQL 17
- **[SERVICE]** Deployed AdGuard Home on MikroTik (primary DNS)
- **[SERVICE]** Deployed AdGuard Home on Unraid (secondary DNS)
- **[SERVICE]** Removed Pi-hole (replaced by AdGuard Home)
- **[DOCS]** Created INFRASTRUCTURE-DIAGRAM.md

### 2026-01-21
- **[BACKUP]** Configured Rclone sync to Google Drive

### 2026-01-19
- **[SERVICE]** Deployed NetBox IPAM/DCIM
- **[SERVICE]** Deployed NetDisco network discovery
- **[NETWORK]** Enabled SNMP on all MikroTik devices

### 2026-01-18
- **[SERVICE]** Deployed Gitea git server
- **[SERVICE]** Deployed Woodpecker CI
- **[NETWORK]** Configured CAPsMAN on HAP1
- **[WIRELESS]** CAP added to CAPsMAN management

### 2026-01-17
- **[SERVICE]** Deployed Portainer CE

---

## Format Guide

```markdown
### YYYY-MM-DD
- **[CATEGORY]** Brief description

Categories:
- [DEVICE] - Hardware added/removed/changed
- [SERVICE] - Container/service deployed/removed
- [NETWORK] - Network topology/config changes
- [WIRELESS] - WiFi/CAPsMAN changes
- [BACKUP] - Backup configuration
- [DOCS] - Major documentation changes
- [INCIDENT] - Outages and fixes
```

---

## Previous History

For detailed history before 2026-01-17, see archived changelogs:
- `archive/06-CHANGELOG.md`
- `archive/07-CHANGELOG.md`
- `archive/00-CHANGELOG.md`

## 2026-01-25
- [PHASE DNS] MikroTik AdGuard Home container installed - COMPLETED
  - Container: adguardhome v0.107.71 on veth-adguard (172.17.0.2/24)
  - Upstreams: 192.168.31.4 (Unraid AdGuard), 8.8.8.8, 1.1.1.1
  - TLS enabled with Let's Encrypt cert for dns.xtrm-lab.org
  - DoT on port 853, DoH on port 8443 (external)
  - LAN DNS redirect updated to use MikroTik AdGuard
  - Old docker-bridge removed (routing conflict)
  - Web UI at http://192.168.31.1:3000
- [ISSUE] Container failed after restart with 'could not load config json'
  - Fix: Removed and recreated container, added mountlists, restarted
  - AdGuard config preserved (on separate mount)
  - Documented fix in 09-MIKROTIK-ADGUARD-DOT-DOH.md
- [CONTAINERS] Created container bridge (containers-br) for shared networking
  - Both AdGuard and Tailscale containers now use the same bridge
  - Added NAT masquerade for container outbound traffic
- [SERVICE] Tailscale container installed and running
  - Image: tailscale/tailscale:latest
  - IP: 172.17.0.3/24 on veth-tailscale
  - State persisted to usb1/tailscale/state
  - Userspace mode enabled

## 2026-01-25 (VLAN Implementation)
- [VLAN] Created VLAN interfaces on bridge:
  - VLAN 10: Management (192.168.10.0/24)
  - VLAN 20: Trusted (192.168.20.0/24)
  - VLAN 30: IoT (192.168.30.0/24)
  - VLAN 35: Cameras (192.168.35.0/24)
  - VLAN 40: Servers (192.168.40.0/24)
  - VLAN 50: Guest (192.168.50.0/24)
- [VLAN] DHCP servers configured for all VLANs
- [VLAN] Inter-VLAN firewall rules created
- [VLAN] WiFi SSIDs created: Home-Trusted, Home-IoT, Home-Guest
- [STATUS] VLAN filtering NOT yet enabled (Phase 1 complete)
- [NOTE] Legacy 192.168.31.0/24 still active for transition