# VLAN Requirements

This document captures everything needed to implement VLANs.

---

## 1. Device Inventory

Static DHCP leases (MAC address required): servers VLAN devices, cameras, and Shield TV. All other devices use dynamic DHCP — no MAC address needed.

### Servers VLAN (10.0.10.0/24)

Managed Linux devices. Full internet. Can reach IoT and media VLANs.

| Hostname | Current IP | MAC Address | New IP | Notes |
|---|---|---|---|---|
| everlost.lan | 10.0.0.2 | 2C:CF:67:22:B0:52 | 10.0.10.2 | PiHole + Nginx reverse proxy + Letsencrypt |
| homeassistant.lan | 10.0.0.11 | 2C:CF:67:71:81:82 | 10.0.10.3 | Home Assistant + Music Assistant |
| frigate.lan | 10.0.0.12 | 2C:CF:67:71:91:F0 | 10.0.10.4 | Frigate NVR |
| jester.lan | 10.0.0.21 | 10:C3:7B:4E:B2:3F | 10.0.10.10 | NAS |
| wayfaerer.lan | 10.0.0.22 | B8:27:EB:F1:F4:FC | 10.0.10.11 | TVHeadend |

### Media VLAN (10.0.30.0/24)

Media, gaming, and speaker devices. Full internet. No access to IoT or trusted.
**Static DHCP lease (HA needs to find Shield by IP):**

| Hostname | Current IP | MAC Address | New IP | Notes |
|---|---|---|---|---|
| shield.lan | 10.0.0.119 | 00:04:4B:E4:5A:1B | 10.0.30.2 | Nvidia Shield TV — Plex, Jellyfin, HA integration |

**Dynamic DHCP — no static lease needed:**

| Device | Current IP | Connection | Notes |
|---|---|---|---|
| Google-Nest-Mini | 10.0.0.210 | WiFi | Google speaker (Cast) |
| Google-Home-Mini.lan | 10.0.0.228 | WiFi | Google speaker (Cast) |
| Sonos Connect | 10.0.0.157 | Wired (LAN 3) | Wired Sonos bridge — wireless Sonos speakers mesh through it via SonosNet |
| Nintendo Switch | - | WiFi | Games console |
| Nintendo Switch 2 | - | WiFi | Games console |
| PS4 | - | WiFi | Games console |

### IoT VLAN (10.0.20.0/24)

Sensors, cameras, and embedded devices only.

**Firewall strategy: block all IoT → WAN by default. Explicit per-device allows for cloud-dependent devices only.**

#### Internet-blocked devices (dynamic DHCP, no static lease needed)

These devices only need to reach HA/Frigate on the servers VLAN (covered by cross-VLAN rule 5). No internet access.
| Hostname | Current IP | Notes |
|---|---|---|
| doorbell.lan | 10.0.0.41 | See static lease below — RTSP to Frigate only |
| esphome-web-647abc.lan | 10.0.0.238 | Bed occupancy sensor |
| esphome-web-642198.lan | 10.0.0.191 | Flexispot desk controller |
| everything-presence-lite-2c68f4.lan | 10.0.0.213 | Kitchen multisensor |
| everything-presence-lite-9232dc.lan | 10.0.0.237 | Office multisensor |
| everything-presence-lite-934e54.lan | 10.0.0.229 | Lounge multisensor |
| home-assistant-voice-0aac99.lan | 10.0.0.102 | Office voice assistant — managed via HA, no direct internet needed |
| home-assistant-voice-09e888.lan | 10.0.0.220 | Kitchen voice assistant — managed via HA, no direct internet needed |
| Brel_1968.lan | 10.0.0.113 | Blinds controller. Watchdog-resets on cloud loss but settles within ~2 mins and HA (motionblinds integration) works throughout. Blocking prevents unwanted firmware updates from breaking the integration. |

#### Internet-allowed devices (static DHCP lease required)

These devices require cloud connectivity. Static leases give them predictable IPs so firewall allow rules can be written against them.
| Hostname | Current IP | MAC Address | New IP | Notes |
|---|---|---|---|---|
| envoy | 10.0.0.144 | 44:EE:14:F9:3A:C3 | 10.0.20.2 | Enphase Envoy solar controller — Enlighten |
| Hypervolt.lan | 10.0.0.201 | 6C:0F:61:A9:30:90 | 10.0.20.3 | Car charger — cloud app + load balancing |
| OCTO-CADLITE.lan | 10.0.0.217 | 94:54:C5:53:EB:24 | 10.0.20.4 | Octopus Energy hub — reports usage data |
| HP83F0BD.lan | 10.0.0.164 | 38:CA:84:83:F0:BD | 10.0.20.5 | HP printer — cloud print + firmware updates |
| CLO_bc744b7ff139 | 10.0.0.118 | BC:74:4B:7F:F1:39 | 10.0.20.6 | Nintendo Alarmo — firmware updates |

#### Static DHCP lease (internet-blocked)

| Hostname | Current IP | MAC Address | New IP | Notes |
|---|---|---|---|---|
| doorbell.lan | 10.0.0.41 | D0:76:02:1B:0E:26 | 10.0.20.1 | Doorbell IP camera — no internet, RTSP to Frigate only |

### Trusted VLAN (10.0.1.0/24)

Phones, laptops, personal devices. Full internet. Can cast to media VLAN.

Dynamic DHCP only — no static leases needed. Any device connecting to Moonshield gets a `10.0.1.x` IP automatically.

### Guest VLAN (10.0.40.0/24)

Internet only. No access to any other VLAN. DHCP pool, no static leases.

---

## 2. Cross-VLAN Access Rules

| # | Source | Destination | Protocol / Port | Reason |
|---|---|---|---|---|
| 1 | trusted | media | TCP 8008, 8009 | Phone → Google speakers + Shield (Cast) |
| 2 | trusted | media | TCP 1400, 3400, 3401 / UDP 1900 | Phone → Sonos (control + SSDP) |
| 3 | trusted | servers | TCP 22 | SSH into servers from laptop/NAS |
| 4 | trusted | servers (everlost) | TCP 80, 443 | Internal services via Nginx |
| 5a | trusted | servers (jester) | TCP 8096 | Jellyfin direct access (local only, not proxied) |
| 5 | servers | iot | allow all | HA, Frigate, Music Assistant → IoT devices |
| 6 | servers (HA) | media | allow all | HA → Shield (Android TV) + Music Assistant → speakers |
| 7 | media (Shield) | servers (NAS) | TCP 32400, 8096 | Plex and Jellyfin → NAS |
| 8 | any | servers (everlost) | TCP/UDP 53 | PiHole DNS for all VLANs |
| 9 | media (Shield) | servers (wayfaerer) | TCP 9981, 9982 | TVHeadend web UI and HTSP streaming |
| 10 | trusted | iot (printer) | TCP 9100, 631 | Raw printing and IPP from laptops/phones |
| 11 | trusted | iot (printer) | TCP 80, 443 | Printer web UI / config |

> **Guest VLAN:** internet only — no casting to speakers or Shield from guest devices.
>
> **mDNS:** `avahi-daemon` reflects mDNS across trusted, servers, media and iot.
> Speakers and Shield are discoverable from phones (trusted) and HA (servers) via mDNS reflection.
> The printer (IoT) is discoverable from phones and laptops (trusted) via mDNS reflection (AirPrint).
> No firewall rules needed for discovery — only for the data connections above.

---

## 3. Internet Access per VLAN

| VLAN | Internet | Notes |
|---|---|---|
| trusted | Yes | Unrestricted |
| servers | Yes | Unrestricted |
| media | Yes | Unrestricted — consoles need online gaming |
| iot | Partial | Blocked by default. Explicit allows for Hypervolt, OCTO-CADLITE, HP printer, Alarmo, Envoy |
| guest | Yes | Internet only — no access to any internal VLAN |

---

## 4. DNS

- PiHole on `everlost.lan` (10.0.10.2) handles DNS for all VLANs
- DHCP on each VLAN advertises PiHole (`10.0.10.2`) as the DNS server
- DNS hijacking enabled: all outbound DNS (TCP/UDP 53) is intercepted and redirected to PiHole, preventing devices that hardcode `8.8.8.8` or similar from bypassing it
- PiHole upstream DNS: Quad9 `9.9.9.9` — filtered, DNSSEC, IPv4 only

---

## 5. Physical Port Assignment

| Port | Device | VLAN | Notes |
|---|---|---|---|
| WAN | Primary fibre | — | Unchanged |
| LAN 1 | 4G failover device | WAN2 | Repurposed as second WAN |
| LAN 2 | Servers switch | servers | Wired servers, including wayfaerer.lan (TVHeadend Pi) |
| LAN 3 | Sonos Connect (lounge) | media | Wired Sonos bridge |
| LAN 4 | Laptop (during cutover) | trusted | Reserved — ensures reliable connection during Phase 9 |

---

## 6. Open Questions

- [x] MAC addresses: servers VLAN devices (`ip link show eth0`) + doorbell + Shield TV (LuCI DHCP leases)
- [x] Shield TV current hostname/IP on the network
- [x] Console models (for the device inventory record)
- [x] Any smart TVs to add to media VLAN? No
- [x] Sonos: how many speakers, which models? They're all connected to SonosNet via the Connect
- [x] Any other IoT/smart devices not listed? Yes, added
- [x] Any devices that should stay on the flat 10.0.0.0/24 and NOT move to a VLAN? I don't believe so, I've added all known devices and annotated if they need internet access
- [x] Brel blinds controller: HA-initiated via UDP 32100 (servers → iot, covered by rule 5). Brel maintains a persistent cloud connection so needs internet access.
- [x] TVHeadend (wayfaerer): Shield streams via TCP 9981/9982 (media → servers); jester SSH is intra-VLAN, no rule needed
- [x] PiHole upstream DNS servers currently configured? Quad9
- [x] Which LAN port is physically convenient for the 4G device: LAN 1
- [x] 4G device model: GL.iNet XE300C6 Puli
- [x] SSID name for media VLAN: **Pinball Map**
- [x] SSID name for guest VLAN: **Passenger**
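The IoT firewall strategy from section 1 (block IoT → WAN by default, per-device allows keyed on the static leases) and the DNS hijack from section 4 map directly onto OpenWrt's UCI firewall, which is what the LuCI references above imply the router runs. The fragment below is an added illustration, not the network's actual configuration; the interface names `iot` and `servers`, the upstream zone name `wan`, and the rule names are assumptions.

```uci
# /etc/config/firewall fragment in OpenWrt firewall4 (UCI) syntax.
# Assumed names: OpenWrt interfaces 'iot' and 'servers', upstream zone 'wan'.

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'   # only the DHCP rule below may reach the router
	option output 'ACCEPT'
	option forward 'REJECT'
# Deliberately no 'config forwarding' from iot to wan: with forward=REJECT,
# every IoT -> WAN flow is dropped unless a rule below allows it.

config rule
	option name 'iot-dhcp'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'iot-cloud-allow'
	option src 'iot'
	list src_ip '10.0.20.2'   # envoy (Enlighten)
	list src_ip '10.0.20.3'   # Hypervolt
	list src_ip '10.0.20.4'   # OCTO-CADLITE
	list src_ip '10.0.20.5'   # HP printer
	list src_ip '10.0.20.6'   # Alarmo
	option dest 'wan'
	option target 'ACCEPT'
# The doorbell and the ESPHome/presence sensors are absent on purpose: they
# fall through to the zone default and never reach the internet.

# Section 4 DNS hijack: plain DNS sent to a hardcoded resolver (8.8.8.8 etc.)
# is DNATed to PiHole. firewall4 accepts the rewritten flow itself
# ('ct status dnat accept'), so no extra iot -> servers rule is needed.
# Port-53 interception does not cover DoH/DoT (TCP 443/853).
config redirect
	option name 'dns-hijack-iot'
	option src 'iot'
	option proto 'tcp udp'
	option src_dport '53'
	option dest 'servers'
	option dest_ip '10.0.10.2'
	option dest_port '53'
	option target 'DNAT'

# Repeat per zone (trusted, media, guest). For the servers zone add
# option src_ip '!10.0.10.2': redirecting PiHole's own upstream queries to
# Quad9 back to 10.0.10.2 would loop every lookup and break DNS everywhere.
```

After editing, `fw4 check` validates the ruleset and `service firewall restart` applies it; confirm the default deny with a packet capture on the IoT VLAN before cutting devices over.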