openwrt/docs/network-map.md
Dan Head 1c59ca4af4 chore: initial repo setup with baseline config backup
- Pull current config from router (OpenWRT 24.10.2)
- Add backup, safe-apply, and push-all scripts
- Add CLAUDE.md with workflow rules and context
- Add network-map.md with current topology and planned VLANs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 22:22:08 +01:00


Network Map

Router

| Item | Value |
|------|-------|
| Device | TP-Link Archer AX23 v1 |
| OpenWRT | 24.10.2 |
| LAN IP | 10.0.0.1 |
| LAN Subnet | 10.0.0.0/24 (pre-VLAN) |
| WAN | Full fibre, 1 Gbps down / 100 Mbps up |
| SSH | `ssh openwrt` |

Current SSIDs

| SSID | Band | Status |
|------|------|--------|
| Moonshield | 2.4GHz + 5GHz | Main network |
| Stow on the Wireless | 2.4GHz | Unused — will become IoT SSID ("Cloud Connected") |

Planned VLAN Layout

| VLAN ID | Name | Subnet | Purpose |
|---------|------|--------|---------|
| 1 | trusted | 10.0.1.0/24 | Phones, laptops |
| 10 | servers | 10.0.10.0/24 | NAS, Pis, HA, Frigate, PiHole |
| 20 | iot | 10.0.20.0/24 | Smart devices, cameras |
| 30 | media | 10.0.30.0/24 | Shield TV, consoles, smart TVs |
| 40 | guest | 10.0.40.0/24 | Guest WiFi |

Planned SSID → VLAN Mapping

| SSID | VLAN | Notes |
|------|------|-------|
| Moonshield | trusted | Existing main SSID |
| Cloud Connected | iot | Renamed from "Stow on the Wireless" |
| Pinball Map | media | New SSID for Shield + consoles |
| Passenger | guest | New — optional |

External Access

Ports are forwarded to everlost.lan (10.0.0.2), which runs Nginx + Let's Encrypt + auth before proxying to internal services.

Port Forwards

| Name | Proto | WAN Port | Dest IP | Dest Port |
|------|-------|----------|---------|-----------|
| HTTP | TCP | 80 | 10.0.0.2 | 80 |
| HTTPS | TCP | 443 | 10.0.0.2 | 443 |
| SSH - Everlost | TCP | 22563 | 10.0.0.2 | 22563 |
| SSH - Home Assistant | TCP | 22553 | 10.0.0.11 | 22553 |
| SSH - Frigate | TCP | 22583 | 10.0.0.12 | 22583 |
| SSH - Jester | TCP | 22573 | 10.0.0.21 | 22573 |
| SSH - Wayfaerer | TCP | 22593 | 10.0.0.22 | 22593 |
| SSH - Gitea | TCP | 2222 | 10.0.0.2 | 2222 |
| Wireguard | UDP | 51820 | 10.0.0.2 | 51820 |
| Plex - Jester | TCP | 32400 | 10.0.0.21 | 32400 |
| Plex - Wayfaerer | TCP | 32450 | 10.0.0.22 | 32450 |

Planned WAN2 (Failover)

| Item | Value |
|------|-------|
| Device | GL-XE300 (Puli) |
| Firmware | GL.iNet 4.3.27 (based on OpenWRT 22.03.4) |
| LAN IP | 10.0.100.1 (change from default 192.168.8.1 before wiring in) |
| Subnet | 10.0.100.0/24 |
| WAN | 4G LTE via M.2 modem |
| SSH | `ssh openwrtwan` |

mwan3 on the main router handles automatic failover. A firewall rule on the main router allows management access from the trusted VLAN to 10.0.100.1 on ports 22/80/443.


For full device inventory, static DHCP leases, and cross-VLAN firewall requirements see: vlan-requirements.md