infrastructure/docs/01-NETWORK-MAP.md
Commit 5b8c8b72ec by Kaloyan Danchev:
Add CSS326 port assignments with VLAN mapping
- Port 1: HAP Uplink (Trunk)
- Port 2: KVM (VLAN 10)
- Ports 16-18: Kids Rooms (VLAN 25)
- Ports 19-21: Main Bedroom (VLAN 20)
- Ports 22-24: Living Room (VLAN 30, includes settop box)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 12:14:36 +02:00


Network Map - xtrm-lab.org

Last Updated: 2026-01-25
Domain: xtrm-lab.org
WAN IP: 62.73.120.142


Quick Reference

| Resource | Address |
|---|---|
| Dashboard | https://xtrm-lab.org |
| DNS Primary | dns.xtrm-lab.org (HAP1) |
| DNS Secondary | dns2.xtrm-lab.org (XTRM-U) |
| Unraid SSH | `ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422` |
| MikroTik SSH | `ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1` |

Network Topology

```mermaid
flowchart TB
    subgraph Internet["Internet"]
        ISP["IGP Fiber Gateway<br/>(Vivacom)<br/>62.73.120.x"]
    end

    subgraph Rack19["19&quot; Rack (3U)"]
        HAP1["HAP1 | hAP ax³<br/>192.168.31.1"]
        PP1["PP1 | 24-port"]
        CSS1["CSS1 | CSS326-24G-2S+<br/>192.168.31.9"]
    end

    subgraph Rack10["10&quot; Rack (9U)"]
        ZX1["ZX1 | ZX-SWTGW218AS<br/>192.168.31.22"]
        PP2["PP2 | 12-port"]
        XTRMU["XTRM-U<br/>192.168.31.2"]
    end

    subgraph Wireless["WiFi"]
        CAP["CAP | cAP XL ac<br/>192.168.31.6"]
    end

    ISP -->|"ether1 WAN"| HAP1
    HAP1 -->|"ether2"| CAP
    HAP1 -->|"ether3"| CSS1
    HAP1 -->|"ether4"| XTRMU
    HAP1 -->|"ether5"| DELL["Dell Monitor<br/>192.168.10.100"]
    ZX1 <-->|"⚡ 10G SFP+ ⚡"| CSS1
    CSS1 -->|"Ports 16-24"| PP1
```

Physical Infrastructure

Rack Layout

10" Rack (9U)

| U | Device | Model | IP | Notes |
|---|---|---|---|---|
| U9 | Shelf + ISP Gateway | Vivacom ONT | 62.73.120.2 | WAN |
| U8 | PP2 | 10" 12-port Cat6a | - | Patch panel |
| U7 | Shelf + ZX1 | ZX-SWTGW218AS | 192.168.31.22 | 8x2.5G + 2x10G SFP+ |
| U6 | (empty) | - | - | Reserved for XTRM-N1 |
| U1-U4 | XTRM-U | NAS Server | 192.168.31.2 | 4x 2.5GbE bond |

19" Rack (3U)

| U | Device | Model | IP | Notes |
|---|---|---|---|---|
| U3 | Shelf + HAP1 | hAP ax³ | 192.168.31.1 | Router + WiFi controller |
| U2.5 | PP1 | 19" 24-port Cat6a | - | Room connections |
| U1 | CSS1 | CSS326-24G-2S+ | 192.168.31.9 | 24x1G + 2x10G SFP+ |

HAP ax³ Port Assignments

| Port | Connected To | VLAN | Notes |
|---|---|---|---|
| ether1 | ISP Gateway | WAN | Vivacom ONT |
| ether2 | CAP XL ac | 10 (trunk) | Access Point |
| ether3 | CSS326-24G-2S+ | 10 (trunk) | Distribution Switch |
| ether4 | XTRM-U (Unraid) | 10 | Main Server |
| ether5 | Dell Monitor LAN | 10 | Kaloyan workstation |

| Link | From | To | Speed | Type |
|---|---|---|---|---|
| Primary | ZX1-SFP1 | CSS1-SFP1 | 10G | SFP+ DAC |
| Router→CAP | HAP1 ether2 | CAP XL ac | 1G | Cat6a |
| Router→Dist | HAP1 ether3 | CSS1-1 | 1G | Cat6a |
| Router→Server | HAP1 ether4 | XTRM-U | 1G | Cat6a |
| Router→Dell | HAP1 ether5 | Dell Monitor | 1G | Cat6a |

IP Address Allocation

Network: 192.168.31.0/24

Note: the Quick Reference, the topology diagram (Dell Monitor) and the NAT tables address the same hosts in 192.168.10.0/24 (VLAN 10), e.g. XTRM-U as 192.168.10.20 and HAP1 as 192.168.10.1, while the tables below still list them in 192.168.31.x. The two schemes are not reconciled in this document, so confirm which address a device actually answers on before relying on either.

Infrastructure Devices

| IP | Device | Type | MAC |
|---|---|---|---|
| 192.168.31.1 | HAP1 \| hAP ax³ | Router | 78:9A:18:2C:A5:48 |
| 192.168.31.2 | XTRM-U | Server | A8:B8:E0:02:B6:15 |
| 192.168.31.6 | CAP \| cAP XL ac | Access Point | 18:FD:74:54:3D:BC |
| 192.168.31.9 | CSS1 \| CSS326-24G-2S+ | Switch | F4:1E:57:C9:BD:09 |
| 192.168.31.22 | ZX1 \| ZX-SWTGW218AS | Switch | 1C:2A:A3:1E:78:67 |

Containers (br0 Macvlan)

| IP | Container | Purpose |
|---|---|---|
| 192.168.31.4 | AdGuard Home | DNS Secondary |
| 192.168.31.5 | Unbound | Recursive DNS (stopped) |
| 192.168.31.12 | TimeMachine | macOS backups |

DHCP Ranges

| Range | Purpose |
|---|---|
| 192.168.31.10-99 | Reserved (static) |
| 192.168.31.100-200 | DHCP Pool |
| 192.168.31.201-254 | Reserved |

Docker Networks

HAP1 (MikroTik Router)

Network: 172.17.0.0/16 (bridge)

| Container | IP | Purpose |
|---|---|---|
| AdGuard Home | 172.17.0.5 | DNS Primary (DoH/DoT/DoQ) |
| Tailscale | 172.17.0.4 | VPN mesh |

XTRM-U (Unraid Server)

dockerproxy (172.18.0.0/16)

Static IP Assignments:

| Range | Purpose |
|---|---|
| 172.18.0.2-10 | Core Infrastructure |
| 172.18.0.11-15 | Security |
| 172.18.0.16-30 | Productivity |
| 172.18.0.31-40 | DevOps |
| 172.18.0.41-50 | NetDisco |
| 172.18.0.61-69 | NetBox |
| 172.18.0.70-79 | Diode Discovery |

Core Infrastructure (172.18.0.2-10)

| IP | Container | Purpose |
|---|---|---|
| 172.18.0.2 | dockersocket | Docker socket proxy |
| 172.18.0.3 | traefik | Reverse proxy |
| 172.18.0.4 | homarr | Dashboard |

Security (172.18.0.11-15)

| IP | Container | Purpose |
|---|---|---|
| 172.18.0.11 | authentik | Identity provider |
| 172.18.0.12 | authentik-worker | Background tasks |
| 172.18.0.13 | postgresql17 | Shared database |
| 172.18.0.14 | Redis | Shared cache/queue |
| 172.18.0.15 | vaultwarden | Password manager |

Productivity (172.18.0.16-30)

| IP | Container | Purpose |
|---|---|---|
| 172.18.0.16 | actual-budget | Budget tracking |
| 172.18.0.17 | n8n | Workflow automation |
| 172.18.0.18 | Uptime-Kuma-API | Monitoring API |
| 172.18.0.19 | AutoKuma | Auto-monitor |
| 172.18.0.20 | UptimeKuma | Uptime monitoring |
| 172.18.0.21 | speedtest-tracker | Speed tests |
| 172.18.0.23 | Libation | Audiobooks |
| 172.18.0.24 | Nextcloud | Cloud storage |
| 172.18.0.25 | karakeep | Bookmarks |
| 172.18.0.26 | transmission | Torrent |
| 172.18.0.27 | adguardhome-sync | DNS sync |

DevOps (172.18.0.31-40)

| IP | Container | Purpose |
|---|---|---|
| 172.18.0.31 | gitea | Git server |
| 172.18.0.32 | woodpecker-server | CI/CD server |
| 172.18.0.33 | woodpecker-agent | CI/CD agent |

NetDisco (172.18.0.41-50)

| IP | Container | Purpose |
|---|---|---|
| 172.18.0.41 | netdisco-web | Web UI |
| 172.18.0.42 | netdisco-backend | SNMP poller |

NetBox (172.18.0.61-69)

| IP | Container | Purpose |
|---|---|---|
| 172.18.0.61 | netbox | Web UI (DCIM/IPAM) |
| 172.18.0.62 | netbox-worker | Background tasks |
| 172.18.0.64 | netbox-redis-cache | Query cache |

Diode Discovery (172.18.0.70-79)

| IP | Container | Purpose |
|---|---|---|
| 172.18.0.70 | diode-ingress | API Gateway |
| 172.18.0.71 | diode-ingester | Data ingestion |
| 172.18.0.72 | diode-reconciler | NetBox sync |
| 172.18.0.73 | diode-hydra | OAuth2 |
| 172.18.0.74 | diode-auth | Token service |

Host Network Containers

| Container | Purpose |
|---|---|
| plex | Media server (:32400) |
| unimus | Network config backup |
| UrBackup | Backup server |
| NetAlertX | Network scanner |
| HomeAssistant | Home automation |

Bridge Network (172.17.0.0/16)

| Container | Purpose |
|---|---|
| portainer | Container management |
| rustdesk-hbbs | RustDesk signaling |
| rustdesk-hbbr | RustDesk relay |
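An added check over the allocation tables above (example code written for this page, not from the repository): it verifies that every LAN host listed sits inside the declared 192.168.31.0/24, is not inside the DHCP pool, and is not assigned twice, and that each dockerproxy container falls inside the static range its category claims. The input is constructed from this page's Infrastructure Devices, Containers (br0 Macvlan) and docker tables, plus the Unraid address the Port Forwarding table uses for the same server, so running it reports that address as outside the declared network.

```python
"""Consistency checks over the allocation tables (added example, not repo code)."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.31.0/24")
DHCP_POOL = (ip_address("192.168.31.100"), ip_address("192.168.31.200"))

# Constructed from the Infrastructure Devices and Containers (br0 Macvlan) tables,
# plus the Unraid address the Port Forwarding table uses for the same server.
LAN_HOSTS = {
    "HAP1": "192.168.31.1",
    "XTRM-U": "192.168.31.2",
    "AdGuard Home (macvlan)": "192.168.31.4",
    "Unbound": "192.168.31.5",
    "CAP": "192.168.31.6",
    "CSS1": "192.168.31.9",
    "TimeMachine": "192.168.31.12",
    "ZX1": "192.168.31.22",
    "XTRM-U (NAT target)": "192.168.10.20",
}

# dockerproxy static ranges (last octet of 172.18.0.x) and a sample of containers.
DOCKER_RANGES = {
    "Core": (2, 10), "Security": (11, 15), "Productivity": (16, 30),
    "DevOps": (31, 40), "NetDisco": (41, 50), "NetBox": (61, 69), "Diode": (70, 79),
}
DOCKER_HOSTS = {
    "traefik": ("Core", 3), "authentik": ("Security", 11),
    "vaultwarden": ("Security", 15), "adguardhome-sync": ("Productivity", 27),
    "gitea": ("DevOps", 31), "netbox": ("NetBox", 61), "diode-auth": ("Diode", 74),
}


def lan_findings(hosts, net=LAN, pool=DHCP_POOL):
    """Hosts outside the declared network, static hosts inside the DHCP pool,
    and addresses assigned to more than one host."""
    findings, owner = [], {}
    for name, addr in hosts.items():
        ip = ip_address(addr)
        if ip not in net:
            findings.append(f"{name}: {ip} is outside {net}")
        elif pool[0] <= ip <= pool[1]:
            findings.append(f"{name}: {ip} lies inside the DHCP pool")
        if ip in owner:
            findings.append(f"{name}: {ip} duplicates {owner[ip]}")
        owner.setdefault(ip, name)
    return findings


def docker_findings(hosts, ranges=DOCKER_RANGES):
    """Containers whose address is not inside the static range their category claims."""
    findings = []
    for name, (category, octet) in hosts.items():
        lo, hi = ranges[category]
        if not lo <= octet <= hi:
            findings.append(f"{name}: 172.18.0.{octet} is outside {category} ({lo}-{hi})")
    return findings


if __name__ == "__main__":
    for line in lan_findings(LAN_HOSTS) + docker_findings(DOCKER_HOSTS):
        print(line)
```

Feeding the same dictionaries from the NetBox export instead of hand-typed literals turns this into a CI step for the repository: a new static address that lands in the DHCP pool or outside its category range fails the pipeline before it is deployed.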

Port Forwarding (NAT)

| External Port | Destination | Service |
|---|---|---|
| 80 | 192.168.10.20:8001 | Traefik HTTP |
| 443 | 192.168.10.20:44301 | Traefik HTTPS |
| 32400 | 192.168.10.20:32400 | Plex |
| 51413 | 192.168.10.20:51413 | Transmission |
| 21115-21119 | 192.168.10.20 | RustDesk |

Hairpin NAT (internal access to WAN IP)

| Destination | To | Service |
|---|---|---|
| 62.73.120.142:80 | 192.168.10.20:8001 | Traefik HTTP |
| 62.73.120.142:443 | 192.168.10.20:44301 | Traefik HTTPS |

AdGuard DNS (pending - not configured yet)

| External Port | Destination | Service |
|---|---|---|
| 853 | 172.17.0.5:853 | AdGuard DoT |
| 8853 | 172.17.0.5:8853 | AdGuard DoQ |

DoT is TCP and DoQ runs over QUIC, i.e. UDP, so these two forwards need separate protocol matches (tcp/853 and udp/8853); a TCP-only rule for 8853 leaves DoQ unreachable without any error on the client side.
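As an added example (written for this page, not the repository's own RouterOS export), the following Python turns the three NAT tables above into `/ip firewall nat` rules. It emits the hairpin pair (a second dst-nat keyed on the WAN address, plus a masquerade so the server's reply returns through the router) only for the two services the Hairpin table lists, and it refuses a table in which two entries claim the same external protocol/port. Assumptions, also marked in the code: ether1 is the WAN interface (per the HAP ax³ port table), the WAN address is static, the LAN is 192.168.10.0/24 as the NAT tables address it, RustDesk is forwarded for both TCP and UDP, and the pending AdGuard entries are tcp/853 for DoT and udp/8853 for DoQ.

```python
"""Port-forwarding table -> RouterOS /ip firewall nat rules (added example, not repo code)."""
from dataclasses import dataclass
from ipaddress import ip_network

WAN_IF = "ether1"                        # HAP ax3 port table
WAN_IP = "62.73.120.142"                 # assumed static; hairpin rules match on it
LAN_NET = ip_network("192.168.10.0/24")  # VLAN 10, as the NAT tables address it


@dataclass(frozen=True)
class Forward:
    proto: str          # "tcp" or "udp"
    ext_port: str       # "443" or a range "21115-21119"
    to_addr: str
    to_port: str
    comment: str
    hairpin: bool = False   # also reachable from the LAN via the WAN address


# Constructed from the three NAT tables on this page. Protocol choices for
# RustDesk (both) and for DoT (tcp) / DoQ (udp) are assumptions, not table data.
FORWARDS = [
    Forward("tcp", "80", "192.168.10.20", "8001", "Traefik HTTP", hairpin=True),
    Forward("tcp", "443", "192.168.10.20", "44301", "Traefik HTTPS", hairpin=True),
    Forward("tcp", "32400", "192.168.10.20", "32400", "Plex"),
    Forward("tcp", "51413", "192.168.10.20", "51413", "Transmission"),
    Forward("tcp", "21115-21119", "192.168.10.20", "21115-21119", "RustDesk"),
    Forward("udp", "21115-21119", "192.168.10.20", "21115-21119", "RustDesk"),
    Forward("tcp", "853", "172.17.0.5", "853", "AdGuard DoT (pending)"),
    Forward("udp", "8853", "172.17.0.5", "8853", "AdGuard DoQ (pending)"),
]


def port_range(spec):
    """'443' -> range(443, 444); '21115-21119' -> range(21115, 21120)."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return range(lo, hi + 1)


def check_forwards(forwards):
    """Refuse a table where two entries claim the same external proto/port; the
    router would silently apply only the first matching rule."""
    owner = {}
    for f in forwards:
        if f.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {f.proto!r}")
        for port in port_range(f.ext_port):
            key = (f.proto, port)
            if key in owner:
                raise ValueError(f"{f.proto}/{port} claimed by {owner[key]!r} and {f.comment!r}")
            owner[key] = f.comment
    return len(owner)


def render_nat(forwards):
    check_forwards(forwards)
    rules = ["/ip firewall nat"]
    for f in forwards:
        action = (f"protocol={f.proto} dst-port={f.ext_port} action=dst-nat "
                  f"to-addresses={f.to_addr} to-ports={f.to_port}")
        rules.append(f'add chain=dstnat in-interface={WAN_IF} {action} comment="{f.comment}"')
        if f.hairpin:
            # LAN client -> WAN IP: rewrite the destination, then masquerade so the
            # server's reply goes back through the router instead of straight to the client.
            rules.append(f'add chain=dstnat src-address={LAN_NET} dst-address={WAN_IP} '
                         f'{action} comment="{f.comment} hairpin"')
            rules.append(f'add chain=srcnat src-address={LAN_NET} dst-address={f.to_addr} '
                         f'protocol={f.proto} dst-port={f.to_port} action=masquerade '
                         f'comment="{f.comment} hairpin"')
    return "\n".join(rules)


if __name__ == "__main__":
    print(render_nat(FORWARDS))
```

The hairpin srcnat rule must sit above the router's general WAN masquerade rule, and the `in-interface=ether1` match on the external rules means a LAN host can only reach a forward by the WAN address when a matching hairpin entry exists, which keeps the exposure list and the hairpin list in step.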

DNS Architecture

```mermaid
flowchart TB
    subgraph External["External Access"]
        DOH["DoH: dns.xtrm-lab.org"]
        DOT["DoT: dns.xtrm-lab.org:853"]
    end

    subgraph HAP1["HAP1 (Primary)"]
        AGH1["AdGuard Home<br/>172.17.0.5"]
    end

    subgraph XTRMU["XTRM-U (Secondary)"]
        AGH2["AdGuard Home<br/>192.168.31.4"]
    end

    subgraph Sync["Sync"]
        SYNC["adguardhome-sync<br/>Every 30 min"]
    end

    DOH --> AGH1
    DOT --> AGH1
    AGH1 <-.->|sync| SYNC
    SYNC <-.->|sync| AGH2
    AGH1 --> Q9["Quad9 DoH"]
    AGH2 --> Q9
```

WiFi Networks

| SSID | Band | Security | Purpose |
|---|---|---|---|
| XTRM | 5GHz | WPA2/WPA3 | Primary devices |
| XTRM | 2.4GHz | WPA/WPA2 | Legacy support |
| XTRM2 | 2.4GHz | WPA/WPA2 | IoT devices |

The WPA fallback on the two 2.4GHz networks enables TKIP, which is deprecated and has known attacks; keep those SSIDs on WPA2-only (AES/CCMP) unless a specific legacy client is confirmed to need WPA.

CAPsMAN: HAP1 manages CAP access point


External URLs

| Service | URL |
|---|---|
| Dashboard | https://xtrm-lab.org |
| Auth | https://auth.xtrm-lab.org |
| Git | https://git.xtrm-lab.org |
| CI/CD | https://ci.xtrm-lab.org |
| NetBox | https://netbox.xtrm-lab.org |
| Uptime | https://uptime.xtrm-lab.org |
| Plex | https://plex.xtrm-lab.org |
| Nextcloud | https://cloud.xtrm-lab.org |
| Vault | https://vault.xtrm-lab.org |
| NetDisco | https://netdisco.xtrm-lab.org |

CSS326 Port Assignments

| Port | Device/Room | VLAN | Notes |
|---|---|---|---|
| 1 | HAP Uplink | Trunk | 10,20,25,30,35,40 |
| 2 | KVM | 10 | Management |
| 3-15 | - | - | Available |
| 16-18 | Kids Rooms | 25 | Family VLAN |
| 19-21 | Main Bedroom | 20 | Trusted VLAN |
| 22-24 | Living Room | 30 | IoT VLAN (Settop box on 23) |
| SFP1 | ZX1 | Trunk | 10G backbone |

Room Outlets

| Room | Outlets | Switch Ports | VLAN | Status |
|---|---|---|---|---|
| Living Room | L1, L2, L3 | CSS1-22/23/24 | 30 | Active |
| Main Bedroom | M1, M2, M3 | CSS1-19/20/21 | 20 | Active |
| Boys Room | B1, B2 | CSS1-17/18 | 25 | Active |
| Girls Room | G1 | CSS1-16 | 25 | Active |
| Corridor | C1 (CAP) | HAP1 ether2 | 10 | Active |
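The CSS326 and Room Outlets tables above, like the HAP ax³ port table earlier, record a port→VLAN mapping; what a bridge actually needs is the inverse, VLAN→(tagged ports, untagged ports), plus a check that the uplink trunk carries every VLAN some downstream port uses. The Python below is an added example, not part of this repository: it derives that inverse for HAP1 and renders the matching RouterOS bridge-VLAN-filtering commands, and runs the trunk check against the CSS326 table (SwOS is configured in its web UI, so CSS1 is modelled for the check only). Assumptions, marked in the code: "10 (trunk)" is read as native VLAN 10 untagged plus the room VLANs tagged, the ether2 (CAP) tagged set mirrors ether3, port 1 of the CSS326 is native on VLAN 10, and the bridge is named `bridge`.

```python
"""VLAN plan -> bridge VLAN table and trunk check (added example, not repo code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                          # native (untagged) VLAN
    tagged: frozenset = frozenset()    # VLANs carried tagged; empty = access port

    def carries(self) -> set:
        return {self.pvid} | set(self.tagged)


ROOM_VLANS = frozenset({20, 25, 30, 35, 40})   # trunk list from the CSS326 table

# HAP1 (hAP ax3) from the "HAP ax³ Port Assignments" table. "10 (trunk)" is read
# as native VLAN 10 plus the room VLANs tagged; the ether2 (CAP) tagged set is an
# assumption, the page only says "10 (trunk)" for it. ether1 is WAN, not bridged.
HAP1_PORTS = [
    Port("ether2", 10, ROOM_VLANS),
    Port("ether3", 10, ROOM_VLANS),
    Port("ether4", 10),
    Port("ether5", 10),
]

# CSS326 from the "CSS326 Port Assignments" table, for the trunk check only
# (SwOS is configured in its web UI). Native VLAN 10 on port 1 is an assumption.
CSS1_PORTS = (
    [Port("1", 10, ROOM_VLANS), Port("2", 10), Port("sfp1", 10, ROOM_VLANS)]
    + [Port(str(p), 25) for p in (16, 17, 18)]
    + [Port(str(p), 20) for p in (19, 20, 21)]
    + [Port(str(p), 30) for p in (22, 23, 24)]
)


def bridge_vlans(ports, bridge="bridge"):
    """Invert port->VLAN into VLAN->(tagged, untagged). The bridge interface is a
    tagged member of every VLAN so the router can address it via /interface vlan."""
    table = {}
    for p in ports:
        table.setdefault(p.pvid, ({bridge}, set()))[1].add(p.name)
        for vid in p.tagged:
            table.setdefault(vid, ({bridge}, set()))[0].add(p.name)
    return dict(sorted(table.items()))


def render_routeros(ports, bridge="bridge"):
    """RouterOS bridge-VLAN-filtering commands; vlan-filtering is enabled last."""
    lines = [f"/interface bridge add name={bridge} vlan-filtering=no"]
    for p in ports:
        lines.append(f"/interface bridge port add bridge={bridge} interface={p.name} pvid={p.pvid}")
    for vid, (tagged, untagged) in bridge_vlans(ports, bridge).items():
        rule = f"/interface bridge vlan add bridge={bridge} vlan-ids={vid} tagged={','.join(sorted(tagged))}"
        if untagged:
            rule += f" untagged={','.join(sorted(untagged))}"
        lines.append(rule)
        lines.append(f"/interface vlan add name=vlan{vid} interface={bridge} vlan-id={vid}")
    lines.append(f"/interface bridge set {bridge} vlan-filtering=yes")
    return "\n".join(lines)


def vlans_missing_on_uplink(ports, uplink):
    """VLANs used on any non-uplink port that the uplink does not carry: frames on
    them are dropped at the trunk, which is the usual silent failure."""
    up = next(p for p in ports if p.name == uplink)
    used = set().union(*(p.carries() for p in ports if p.name != uplink))
    return used - up.carries()


if __name__ == "__main__":
    print(render_routeros(HAP1_PORTS))
    print("missing on CSS1 uplink:", vlans_missing_on_uplink(CSS1_PORTS, "1") or "none")
```

The commands are meant to be applied in the printed order: `vlan-filtering=yes` comes last so that an incomplete VLAN table cannot cut off the management VLAN while the bridge is still being populated, and every VLAN in the table gets an `/interface vlan` so HAP1 can hold an address, run DHCP and apply inter-VLAN firewall rules on it.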

Shared Databases

PostgreSQL 17 (172.18.0.13)

| Database | User | Consumer |
|---|---|---|
| authentik_db | authentik_user | Authentik |
| netbox | netbox_user | NetBox |
| gitea | gitea_user | Gitea |
| netdisco_db | netdisco_user | NetDisco |
| diode | diode_user | Diode Reconciler |
| hydra | hydra_user | Diode Hydra |

Redis (172.18.0.14)

| Consumer | Purpose |
|---|---|
| Authentik | Session cache |
| NetBox Worker | Task queue |
| Diode | Ingestion queue |