infrastructure/docs/06-CHANGELOG.md
XTRM-Unraid 0c50f7088c
Update changelog: KVM switch documentation added
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 09:44:36 +02:00

Infrastructure Changelog

2026-02-01

WIP Documentation

  • [WIP] Added KVM-SWITCH-MAC-NOBARA.md - Software KVM for Mac/Nobara switching
  • DDC/CI monitor control (Dell U3821DW) + HID++ Logitech peripheral switching
  • Scripts created on Mac at ~/scripts/

2026-01-31

Docker Cleanup

  • [DOCKER] Removed 18 unused images (~4.9 GB reclaimed)
  • [DOCKER] Removed 12 dangling images (old builds, untagged)
  • [DOCKER] Removed Slurpit stack images (warehouse, portal, scanner, scraper)
  • [DOCKER] Removed unused MongoDB 8 and MariaDB 11 images
  • [DOCKER] Removed 35 orphaned volumes (~1.15 GB reclaimed)
  • [DOCKER] Removed 28 anonymous dangling volumes
  • [DOCKER] Removed 6 nextcloud_aio_* volumes (from old AIO install)
  • [DOCKER] Removed orphaned redis-data volume
  • [DOCKER] Total reclaimed: ~6 GB

Kept (Stopped Containers)

  • open-webui, ollama (AI stack - for future use)
  • pgAdmin4 (database management)
  • diode-hydra-migrate, diode-auth-bootstrap (one-time migration jobs)

2026-01-27

VLAN Filtering Rolled Back

  • [VLAN] Enabled VLAN filtering - caused connectivity issues
  • [VLAN] ZX1 switch unreachable after activation (no management IP responding)
  • [VLAN] CSS326 traffic routing through ZX1 (not direct eth3 link)
  • [VLAN] Rolled back - VLAN filtering disabled
  • [CONFIG] Added eth4 (ZX1) to all VLAN tagged lists for future use
  • [STATUS] Network back to Legacy mode (192.168.31.0/24)
  • [TODO] Need physical access to ZX1 to configure VLAN trunking

Issues Identified

  • ZX1 switch not responding on documented IP 192.168.31.22
  • ZX1 may need VLAN trunk configuration before re-enabling filtering
  • All CSS326 traffic goes via ZX1→HAP1, not direct CSS326→HAP1 link (STP?)

2026-01-26

VLAN Filtering Activated

  • [VLAN] VLAN filtering enabled on MikroTik bridge - SUCCESSFUL
  • [VLAN] Internet connectivity verified (ping 1.1.1.1, google.com)
  • [VLAN] DNS resolution working through AdGuard
  • [VLAN] All previous fixes (DHCP DNS, firewall, NAT masquerade) working correctly
  • [STATUS] Network segmentation now ACTIVE

Local AI Stack Deployed

  • [AI] Deployed Ollama container with Intel GPU passthrough
  • [AI] Deployed Open WebUI at http://192.168.31.2:3080
  • [AI] Installed qwen2.5-coder:7b base model
  • [AI] Created custom unraid-assistant model with infrastructure knowledge:
    • Network topology (all VLANs, IPs, gateways)
    • 45+ Docker containers (names, ports, purposes)
    • RouterOS 7 commands and patterns
    • Traefik labels and Authentik middleware
    • All external URLs (xtrm-lab.org)
  • [AI] Created /usr/local/bin/ai terminal helper command
  • [AI] Stopped non-critical containers for RAM: karakeep, unimus, homarr, netdisco-*

VLAN Activation Attempt & Fixes

  • [VLAN] Configured CSS326 switch VLANs via SwOS web interface
  • [VLAN] Enabled VLAN filtering on MikroTik - caused internet outage
  • [VLAN] Rolled back VLAN filtering to restore connectivity
  • [VLAN] ROOT CAUSE IDENTIFIED: Multiple configuration issues

Issues Fixed

  • [FIX] DHCP DNS now points to each VLAN gateway instead of legacy 192.168.31.1
    • VLAN 20: 192.168.20.1, VLAN 25: 192.168.25.1, etc.
  • [FIX] Added DNS redirect rules for all VLANs (src-address-list=all-vlans)
  • [FIX] Added all VLAN interfaces to LAN firewall interface list
  • [FIX] Added NAT masquerade rules for VLAN traffic to AdGuard container
  • [BACKUP] MikroTik config saved before activation attempt

Current Status

  • MikroTik: Fully configured, fixes applied, ready for activation
  • CSS326: VLANs configured, port assignments done
  • VLAN Filtering: OFF (ready to enable when convenient)
  • Next: Enable VLAN filtering + force DHCP renewal on devices

2026-01-25 (Update 3)

VLAN Phase 1 Complete

  • [VLAN] Added VLAN 25 (Kids) - interface, IP, DHCP server, pool, bridge entry
  • [VLAN] Fixed VLAN 10 (Management) leases - correct IPs per device assignment doc
  • [VLAN] Fixed VLAN 30 (IoT) leases - all 14 devices with correct IPs
  • [VLAN] Added VLAN 25 (Kids) leases - 6 devices including XTRM-Ally
  • [VLAN] Added VLAN 50 (Guest) leases - 7 unknown devices
  • [VLAN] Added firewall rules for VLAN 25 (Kids → IoT, Legacy, DNS)
  • [VLAN] Total devices configured: 44

Device Discovery

  • [NETWORK] Discovered XTRM-Ally gaming device → assigned to Kids VLAN
  • [NETWORK] Discovered Dancho Windows device → assigned to Kids VLAN
  • [NETWORK] Discovered 2x lwip0 IoT devices → assigned to IoT VLAN
  • [NETWORK] Discovered 3x unknown devices → assigned to Guest VLAN

Documentation Updates

  • [DOCS] Updated 03-VLAN-DEVICE-ASSIGNMENT.md - complete device inventory (44 devices)
  • [DOCS] Updated 11-VLAN-IMPLEMENTATION.md - Phase 1 complete status
  • [DOCS] All VLANs now documented: 10, 20, 25, 30, 35, 40, 50

Next Steps

  • CSS326 switch VLAN configuration via SwOS
  • Enable VLAN filtering on MikroTik bridge
  • Test connectivity

2026-01-25

VLAN Implementation (Prepared)

  • [VLAN] Created 6 VLANs on MikroTik bridge (10, 20, 30, 35, 40, 50)
  • [VLAN] Configured IP addresses for all VLAN interfaces
  • [VLAN] Created DHCP servers and pools for each VLAN
  • [VLAN] Added static DHCP leases mapping MACs to VLAN IPs
  • [VLAN] Configured bridge VLAN table with tagged/untagged ports
  • [VLAN] Set WiFi ports PVID=20 (Trusted VLAN default)
  • [VLAN] Added inter-VLAN firewall rules (active)
  • [VLAN] VLAN filtering NOT YET ENABLED (pending CSS326 switch config)
  • [DOCS] Added docs/11-VLAN-IMPLEMENTATION.md
  • [SCRIPTS] Added scripts/mikrotik-vlan-setup.rsc
  • [SCRIPTS] Added scripts/mikrotik-vlan-enable.rsc

MikroTik Containers

  • [CONTAINER] AdGuard Home container running on MikroTik
  • [CONTAINER] Tailscale container configured (inactive)
  • [CONTAINER] Container bridge (containers-br) with NAT

DNS Configuration

  • [DNS] AdGuard Home as primary DNS (172.17.0.2)
  • [DNS] DNS redirect rules for all clients
  • [DNS] DoT/DoH upstream configured in AdGuard

Previous Changes

See git history for earlier changes.

2026-01-25 (Update 2)

DNS Configuration

Containers

  • [CONTAINER] Fixed Tailscale container authentication
  • [CONTAINER] Tailscale DNS changed from 8.8.8.8 to 172.17.0.1,1.1.1.1 (fallback)
  • [CONTAINER] Tailscale route fixed: 100.64.0.0/10 → 172.17.0.3

Documentation

  • [DOCS] Created 02-PORT-UTILIZATION.md with ASCII port diagrams
  • [DOCS] Updated 09-MIKROTIK-ADGUARD-DOT-DOH.md with Quad9 DoH config

Network

  • [NETWORK] Enabled CSS326 SFP1 port - 10G backbone link to ZX1 now active

Documentation Fix

  • [DOCS] Fixed ZX1 switch IP: 192.168.31.22 (was incorrectly documented as .7)