dan/openwrt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2f4fa3eebb436b9a860309b298b3ce761eaa942e
openwrt/docs/vlan-requirements.md
Dan Head 2f4fa3eebb chore: initial repo setup with baseline config backup 
- Pull current config from router (OpenWRT 24.10.2)
- Add backup, safe-apply, and push-all scripts
- Add CLAUDE.md with workflow rules and context
- Add network-map.md with current topology and planned VLANs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 23:13:31 +01:00

13 KiB
Raw Blame History

VLAN Requirements

This document captures everything needed to implement VLANs.

1. Device Inventory

Static DHCP leases (MAC address required): servers VLAN devices, cameras, and Shield TV. All other devices use dynamic DHCP — no MAC address needed.

Servers VLAN (10.0.10.0/24)

Managed Linux devices. Full internet. Can reach IoT and media VLANs.

Hostname Current IP MAC Address New IP Notes
everlost.lan 10.0.0.2 2C:CF:67:22:B0:52 10.0.10.2 PiHole + Nginx reverse proxy + Letsencrypt
homeassistant.lan 10.0.0.11 2C:CF:67:71:81:82 10.0.10.3 Home Assistant + Music Assistant
frigate.lan 10.0.0.12 2C:CF:67:71:91:F0 10.0.10.4 Frigate NVR
jester.lan 10.0.0.21 10:C3:7B:4E:B2:3F 10.0.10.10 NAS
wayfaerer.lan 10.0.0.22 B8:27:EB:F1:F4:FC 10.0.10.11 TVHeadend

Media VLAN (10.0.30.0/24)

Media, gaming, and speaker devices. Full internet. No access to IoT or trusted.

Static DHCP lease (HA needs to find Shield by IP):

Hostname Current IP MAC Address New IP Notes
shield.lan 10.0.0.119 00:04:4B:E4:5A:1B 10.0.30.2 Nvidia Shield TV — Plex, Jellyfin, HA integration

Dynamic DHCP — no static lease needed:

Device Current IP Connection Notes
Google-Nest-Mini 10.0.0.210 WiFi Google speaker (Cast)
Google-Home-Mini.lan 10.0.0.228 WiFi Google speaker (Cast)
Sonos Connect 10.0.0.157 Wired (LAN 3) Wired Sonos bridge — wireless Sonos speakers mesh through it via SonosNet
Nintendo Switch - WiFi Games console
Nintendo Switch 2 - WiFi Games console
PS4 - WiFi Games console

IoT VLAN (10.0.20.0/24)

Sensors, cameras, and embedded devices only.

Firewall strategy: block all IoT → WAN by default. Explicit per-device allows for cloud-dependent devices only.

Internet-blocked devices (dynamic DHCP, no static lease needed)

These devices only need to reach HA/Frigate on the servers VLAN (covered by cross-VLAN rule 5). No internet access.

Hostname Current IP Notes
doorbell.lan 10.0.0.41 See static lease below — RTSP to Frigate only
esphome-web-647abc.lan 10.0.0.238 Bed occupancy sensor
esphome-web-642198.lan 10.0.0.191 Flexispot desk controller
everything-presence-lite-2c68f4.lan 10.0.0.213 Kitchen multisensor
everything-presence-lite-9232dc.lan 10.0.0.237 Office multisensor
everything-presence-lite-934e54.lan 10.0.0.229 Lounge multisensor
home-assistant-voice-0aac99.lan 10.0.0.102 Office voice assistant — managed via HA, no direct internet needed
home-assistant-voice-09e888.lan 10.0.0.220 Kitchen voice assistant — managed via HA, no direct internet needed
Brel_1968.lan 10.0.0.113 Blinds controller. Watchdog-resets on cloud loss but settles within ~2 mins and HA (motionblinds integration) works throughout. Blocking prevents unwanted firmware updates breaking the integration.

Internet-allowed devices (static DHCP lease required)

These devices require cloud connectivity. Static leases give them predictable IPs so firewall allow rules can be written against them.

Hostname Current IP MAC Address New IP Notes
envoy 10.0.0.144 44:EE:14:F9:3A:C3 10.0.20.2 Enphase Envoy solar controller — Enlighten
Hypervolt.lan 10.0.0.201 6C:0F:61:A9:30:90 10.0.20.3 Car charger — cloud app + load balancing
OCTO-CADLITE.lan 10.0.0.217 94:54:C5:53:EB:24 10.0.20.4 Octopus Energy hub — reports usage data
HP83F0BD.lan 10.0.0.164 38:CA:84:83:F0:BD 10.0.20.5 HP printer — cloud print + firmware updates
CLO_bc744b7ff139 10.0.0.118 BC:74:4B:7F:F1:39 10.0.20.6 Nintendo Alarmo — firmware updates

Static DHCP lease (internet-blocked)

Hostname Current IP MAC Address New IP Notes
doorbell.lan 10.0.0.41 D0:76:02:1B:0E:26 10.0.20.1 Doorbell IP camera — no internet, RTSP to Frigate only

Trusted VLAN (10.0.1.0/24)

Phones, laptops, personal devices. Full internet. Can cast to media VLAN. Dynamic DHCP only — no static leases needed. Any device connecting to Moonshield gets a 10.0.1.x IP automatically.

Guest VLAN (10.0.40.0/24)

Internet only. No access to any other VLAN. DHCP pool, no static leases.

2. Cross-VLAN Access Rules

# Source Destination Protocol / Port Reason
1 trusted media TCP 8008, 8009 Phone → Google speakers + Shield (Cast)
2 trusted media TCP 1400, 3400, 3401 / UDP 1900 Phone → Sonos (control + SSDP)
3 trusted servers TCP 22 SSH into servers from laptop/NAS
4 trusted servers (everlost) TCP 80, 443 Internal services via Nginx
5a trusted servers (jester) TCP 8096 Jellyfin direct access (local only, not proxied)
5 servers iot allow all HA, Frigate, Music Assistant → IoT devices
6 servers (HA) media allow all HA → Shield (Android TV) + Music Assistant → speakers
7 media (Shield) servers (NAS) TCP 32400, 8096 Plex and Jellyfin → NAS
8 any servers (everlost) TCP/UDP 53 PiHole DNS for all VLANs
9 media (Shield) servers (wayfaerer) TCP 9981, 9982 TVHeadend web UI and HTSP streaming
10 trusted iot (printer) TCP 9100, 631 Raw printing and IPP from laptops/phones
11 trusted iot (printer) TCP 80, 443 Printer web UI / config

Guest VLAN: internet only — no casting to speakers or Shield from guest devices.

mDNS: avahi-daemon reflects mDNS across trusted, servers, media and iot. Speakers and Shield are discoverable from phones (trusted) and HA (servers) via mDNS reflection. The printer (IoT) is discoverable from phones and laptops (trusted) via mDNS reflection (AirPrint). No firewall rules needed for discovery — only for the data connections above.

3. Internet Access per VLAN

VLAN Internet Notes
trusted Yes Unrestricted
servers Yes Unrestricted
media Yes Unrestricted — consoles need online gaming
iot Partial Blocked by default. Explicit allows for Hypervolt, OCTO-CADLITE, HP printer, Alarmo, Envoy
guest Yes Internet only — no access to any internal VLAN

4. DNS

  • PiHole on everlost.lan (10.0.10.2) handles DNS for all VLANs
  • DHCP on each VLAN advertises PiHole (10.0.10.2) as the DNS server
  • DNS hijacking enabled: all outbound DNS (TCP/UDP 53) intercepted and redirected to PiHole, preventing devices hardcoding 8.8.8.8 or similar from bypassing it
  • PiHole upstream DNS: Quad9 9.9.9.9 — filtered, DNSSEC, IPv4 only

5. Physical Port Assignment

Port Device VLAN Notes
WAN Primary fibre Unchanged
LAN 1 4G failover device WAN2 Repurposed as second WAN
LAN 2 Servers switch servers Wired servers, including wayfaerer.lan (TVHeadend Pi)
LAN 3 Sonos Connect (lounge) media Wired Sonos bridge
LAN 4 Laptop (during cutover) trusted Reserved — ensures reliable connection during Phase 9

6. Open Questions

  • MAC addresses: servers VLAN devices (ip link show eth0) + doorbell + Shield TV (LuCI DHCP leases)
  • Shield TV current hostname/IP on the network
  • Console models (for the device inventory record)
  • Any smart TVs to add to media VLAN? No
  • Sonos: how many speakers, which models? They're all connected to SonosNet via the Connect
  • Any other IoT/smart devices not listed? Yes, added
  • Any devices that should stay on the flat 10.0.0.0/24 and NOT move to a VLAN? I don't believe so, I've added all known devices and annotated if they need internet access
  • Brel blinds controller: HA-initiated via UDP 32100 (servers → iot, covered by rule 5). Brel maintains a persistent cloud connection so needs internet access.
  • TVHeadend (wayfaerer): Shield streams via TCP 9981/9982 (media → servers); jester SSH is intra-VLAN, no rule needed
  • PiHole upstream DNS servers currently configured? Quad9
  • Which LAN port is physically convenient for the 4G device: LAN 1
  • 4G device model: GL.iNet XE300C6 Puli
  • SSID name for media VLAN: Pinball Map
  • SSID name for guest VLAN: Passenger
Reference in New Issue View Git Blame Copy Permalink