# Network Map

## Router

| Item       | Value                               |
|------------|-------------------------------------|
| Device     | TP-Link Archer AX23 v1              |
| OpenWRT    | 24.10.2                             |
| LAN IP     | 10.0.0.1                            |
| LAN Subnet | 10.0.0.0/24 (pre-VLAN)              |
| WAN        | Full fibre, 1gbps down / 100mbps up |
| SSH        | `ssh openwrt`                       |

## Current SSIDs

| SSID                 | Band          | Status                                            |
|----------------------|---------------|---------------------------------------------------|
| Moonshield           | 2.4GHz + 5GHz | Main network                                      |
| Stow on the Wireless | 2.4GHz        | Unused — will become IoT SSID ("Cloud Connected") |

## Planned VLAN Layout

| VLAN ID | Name    | Subnet       | Purpose                        |
|---------|---------|--------------|--------------------------------|
| 1       | trusted | 10.0.1.0/24  | Phones, laptops                |
| 10      | servers | 10.0.10.0/24 | NAS, Pis, HA, Frigate, PiHole  |
| 20      | iot     | 10.0.20.0/24 | Smart devices, cameras         |
| 30      | media   | 10.0.30.0/24 | Shield TV, consoles, smart TVs |
| 40      | guest   | 10.0.40.0/24 | Guest WiFi                     |

## Planned SSID → VLAN Mapping

| SSID            | VLAN    | Notes                               |
|-----------------|---------|-------------------------------------|
| Moonshield      | trusted | Existing main SSID                  |
| Cloud Connected | iot     | Renamed from "Stow on the Wireless" |
| Pinball Map     | media   | New SSID for Shield + consoles      |
| Passenger       | guest   | New — optional                      |

## External Access

Ports forwarded to `everlost.lan` (10.0.0.2), which runs Nginx + Letsencrypt + auth before proxying to internal services.

### Port Forwards

| Name                 | Proto | WAN Port | Dest IP   | Dest Port |
|----------------------|-------|----------|-----------|-----------|
| HTTP                 | TCP   | 80       | 10.0.0.2  | 80        |
| HTTPS                | TCP   | 443      | 10.0.0.2  | 443       |
| SSH - Everlost       | TCP   | 22563    | 10.0.0.2  | 22563     |
| SSH - Home Assistant | TCP   | 22553    | 10.0.0.11 | 22553     |
| SSH - Frigate        | TCP   | 22583    | 10.0.0.12 | 22583     |
| SSH - Jester         | TCP   | 22573    | 10.0.0.21 | 22573     |
| SSH - Wayfaerer      | TCP   | 22593    | 10.0.0.22 | 22593     |
| SSH - Gitea          | TCP   | 2222     | 10.0.0.2  | 2222      |
| Wireguard            | UDP   | 51820    | 10.0.0.2  | 51820     |
| Plex - Jester        | TCP   | 32400    | 10.0.0.21 | 32400     |
| Plex - Wayfaerer     | TCP   | 32450    | 10.0.0.22 | 32450     |

## Planned WAN2 (Failover)

| Item     | Value                                                         |
|----------|---------------------------------------------------------------|
| Device   | GL-XE300 (Puli)                                               |
| Firmware | GL.iNet 4.3.27 (based on OpenWRT 22.03.4)                     |
| LAN IP   | 10.0.100.1 (change from default 192.168.8.1 before wiring in) |
| Subnet   | 10.0.100.0/24                                                 |
| WAN      | 4G LTE via M.2 modem                                          |
| SSH      | `ssh openwrtwan`                                              |

`mwan3` on the main router handles automatic failover. A firewall rule on the main router allows management access from the trusted VLAN to `10.0.100.1` on ports 22/80/443.

---

> For full device inventory, static DHCP leases, and cross-VLAN firewall requirements see:
> [`vlan-requirements.md`](vlan-requirements.md)
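
An added example, not part of the original network map: a small audit of the Port Forwards table that lists forwards terminating on hosts other than the proxy host `everlost.lan`, any WAN listener defined twice, and destination addresses that still sit in the pre-VLAN range outside every planned VLAN subnet. The table rows and subnets are copied from this page; the function names and report keys are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Rows copied from the Port Forwards table on this page.
PORT_FORWARDS = """
| HTTP                 | TCP | 80    | 10.0.0.2  | 80    |
| HTTPS                | TCP | 443   | 10.0.0.2  | 443   |
| SSH - Everlost       | TCP | 22563 | 10.0.0.2  | 22563 |
| SSH - Home Assistant | TCP | 22553 | 10.0.0.11 | 22553 |
| SSH - Frigate        | TCP | 22583 | 10.0.0.12 | 22583 |
| SSH - Jester         | TCP | 22573 | 10.0.0.21 | 22573 |
| SSH - Wayfaerer      | TCP | 22593 | 10.0.0.22 | 22593 |
| SSH - Gitea          | TCP | 2222  | 10.0.0.2  | 2222  |
| Wireguard            | UDP | 51820 | 10.0.0.2  | 51820 |
| Plex - Jester        | TCP | 32400 | 10.0.0.21 | 32400 |
| Plex - Wayfaerer     | TCP | 32450 | 10.0.0.22 | 32450 |
"""
PROXY_HOST = ipaddress.ip_address("10.0.0.2")  # everlost.lan
# Subnets copied from the Planned VLAN Layout table.
PLANNED_VLANS = {
    "trusted": "10.0.1.0/24", "servers": "10.0.10.0/24", "iot": "10.0.20.0/24",
    "media": "10.0.30.0/24", "guest": "10.0.40.0/24",
}

def parse_forwards(table):
    """Parse markdown table rows into dicts; header and separator rows are skipped."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or not cells[2].isdigit():
            continue
        name, proto, wan_port, dest_ip, dest_port = cells
        rows.append({"name": name, "proto": proto, "wan_port": int(wan_port),
                     "dest": ipaddress.ip_address(dest_ip), "dest_port": int(dest_port)})
    return rows

def audit(rows):
    """Report forwards to non-proxy hosts, WAN port clashes, and unplanned targets."""
    nets = [ipaddress.ip_network(n) for n in PLANNED_VLANS.values()]
    listeners = Counter((r["proto"], r["wan_port"]) for r in rows)
    return {
        "direct": [r["name"] for r in rows if r["dest"] != PROXY_HOST],
        "clashes": sorted(k for k, n in listeners.items() if n > 1),
        "outside_plan": sorted({str(r["dest"]) for r in rows
                                if not any(r["dest"] in n for n in nets)},
                               key=ipaddress.ip_address),
    }

if __name__ == "__main__":
    for key, value in audit(parse_forwards(PORT_FORWARDS)).items():
        print(f"{key}: {value}")
```

Every address under `outside_plan` is a forward target that needs a new destination IP once the VLAN layout replaces 10.0.0.0/24.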