openwrt/docs/vlan-requirements.md
Dan Head 4ee41bf881 chore: initial repo setup with baseline config backup
- Pull current config from router (OpenWRT 24.10.2)
- Add backup, safe-apply, and push-all scripts
- Add CLAUDE.md with workflow rules and context
- Add network-map.md with current topology and planned VLANs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 23:37:53 +01:00


# VLAN Requirements
This document captures everything needed to implement VLANs.
---
## 1. Device Inventory
Static DHCP leases (MAC address required): servers VLAN devices, cameras, and Shield TV.
All other devices use dynamic DHCP — no MAC address needed.
### Servers VLAN (10.0.10.0/24)
Managed Linux devices. Full internet. Can reach IoT and media VLANs.
| Hostname | Current IP | MAC Address | New IP | Notes |
|-------------------|------------|-------------------|------------|--------------------------------------------|
| everlost.lan | 10.0.0.2 | 2C:CF:67:22:B0:52 | 10.0.10.2 | PiHole + Nginx reverse proxy + Letsencrypt |
| homeassistant.lan | 10.0.0.11 | 2C:CF:67:71:81:82 | 10.0.10.3 | Home Assistant + Music Assistant |
| frigate.lan | 10.0.0.12 | 2C:CF:67:71:91:F0 | 10.0.10.4 | Frigate NVR |
| jester.lan | 10.0.0.21 | 10:C3:7B:4E:B2:3F | 10.0.10.10 | NAS |
| wayfaerer.lan | 10.0.0.22 | B8:27:EB:F1:F4:FC | 10.0.10.11 | TVHeadend |
### Media VLAN (10.0.30.0/24)
Media, gaming, and speaker devices. Full internet. No access to IoT or trusted.
**Static DHCP lease (HA needs to find Shield by IP):**
| Hostname | Current IP | MAC Address | New IP | Notes |
|------------|------------|-------------------|-----------|---------------------------------------------------|
| shield.lan | 10.0.0.119 | 00:04:4B:E4:5A:1B | 10.0.30.2 | Nvidia Shield TV — Plex, Jellyfin, HA integration |
**Dynamic DHCP — no static lease needed:**
| Device | Current IP | Connection | Notes |
|----------------------|------------|---------------|---------------------------------------------------------------------------|
| Google-Nest-Mini | 10.0.0.210 | WiFi | Google speaker (Cast) |
| Google-Home-Mini.lan | 10.0.0.228 | WiFi | Google speaker (Cast) |
| Sonos Connect | 10.0.0.157 | Wired (LAN 3) | Wired Sonos bridge — wireless Sonos speakers mesh through it via SonosNet |
| Nintendo Switch | - | WiFi | Games console |
| Nintendo Switch 2 | - | WiFi | Games console |
| PS4 | - | WiFi | Games console |
### IoT VLAN (10.0.20.0/24)
Sensors, cameras, and embedded devices only.
**Firewall strategy: block all IoT → WAN by default. Explicit per-device allows for cloud-dependent devices only.**
#### Internet-blocked devices (dynamic DHCP, no static lease needed)
These devices only need to reach HA/Frigate on the servers VLAN (covered by cross-VLAN rule 5). No internet access.
| Hostname | Current IP | Notes |
|-------------------------------------|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| doorbell.lan | 10.0.0.41 | See static lease below — RTSP to Frigate only |
| esphome-web-647abc.lan | 10.0.0.238 | Bed occupancy sensor |
| esphome-web-642198.lan | 10.0.0.191 | Flexispot desk controller |
| everything-presence-lite-2c68f4.lan | 10.0.0.213 | Kitchen multisensor |
| everything-presence-lite-9232dc.lan | 10.0.0.237 | Office multisensor |
| everything-presence-lite-934e54.lan | 10.0.0.229 | Lounge multisensor |
| home-assistant-voice-0aac99.lan | 10.0.0.102 | Office voice assistant — managed via HA, no direct internet needed |
| home-assistant-voice-09e888.lan | 10.0.0.220 | Kitchen voice assistant — managed via HA, no direct internet needed |
| Brel_1968.lan | 10.0.0.113 | Blinds controller. Watchdog-resets on cloud loss but settles within ~2 mins and HA (motionblinds integration) works throughout. Blocking prevents unwanted firmware updates breaking the integration. |
#### Internet-allowed devices (static DHCP lease required)
These devices require cloud connectivity. Static leases give them predictable IPs so firewall allow rules can be written against them.
| Hostname | Current IP | MAC Address | New IP | Notes |
|------------------|------------|-------------------|-----------|---------------------------------------------|
| envoy | 10.0.0.144 | 44:EE:14:F9:3A:C3 | 10.0.20.2 | Enphase Envoy solar controller — Enlighten |
| Hypervolt.lan | 10.0.0.201 | 6C:0F:61:A9:30:90 | 10.0.20.3 | Car charger — cloud app + load balancing |
| OCTO-CADLITE.lan | 10.0.0.217 | 94:54:C5:53:EB:24 | 10.0.20.4 | Octopus Energy hub — reports usage data |
| HP83F0BD.lan | 10.0.0.164 | 38:CA:84:83:F0:BD | 10.0.20.5 | HP printer — cloud print + firmware updates |
| CLO_bc744b7ff139 | 10.0.0.118 | BC:74:4B:7F:F1:39 | 10.0.20.6 | Nintendo Alarmo — firmware updates |
#### Static DHCP lease (internet-blocked)
| Hostname | Current IP | MAC Address | New IP | Notes |
|--------------|------------|-------------------|-----------|--------------------------------------------------------|
| doorbell.lan | 10.0.0.41 | D0:76:02:1B:0E:26 | 10.0.20.1 | Doorbell IP camera — no internet, RTSP to Frigate only |
### Trusted VLAN (10.0.1.0/24)
Phones, laptops, personal devices. Full internet. Can cast to media VLAN.
Dynamic DHCP only — no static leases needed. Any device connecting to Moonshield gets a `10.0.1.x` IP automatically.
### Guest VLAN (10.0.40.0/24)
Internet only. No access to any other VLAN. DHCP pool, no static leases.
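The inventory above is the input to the router's static leases, so it is worth checking mechanically before it becomes `/etc/config/dhcp`. The script below is an added example, not one of the repo's own scripts: it carries the static-lease rows from the tables above as constructed data, rejects malformed or duplicate MACs, IPs outside their VLAN subnet and duplicate IPs, and only then renders dnsmasq `config host` stanzas. One check is an assumption the page does not state: that each VLAN interface on the router takes the first host address (`.1`, the usual OpenWrt layout), which makes the doorbell's planned `10.0.20.1` a collision worth confirming before cutover.

```python
"""Consistency check for the static-lease inventory, rendering OpenWrt
/etc/config/dhcp 'config host' stanzas once the data passes."""
import ipaddress
import re

# VLAN subnets from the section headings.
VLAN_SUBNETS = {
    "servers": ipaddress.ip_network("10.0.10.0/24"),
    "iot": ipaddress.ip_network("10.0.20.0/24"),
    "media": ipaddress.ip_network("10.0.30.0/24"),
}

# Static leases copied from the tables: (hostname, vlan, mac, new ip).
# The '.lan' suffix is dropped; dnsmasq appends the local domain itself.
STATIC_LEASES = [
    ("everlost", "servers", "2C:CF:67:22:B0:52", "10.0.10.2"),
    ("homeassistant", "servers", "2C:CF:67:71:81:82", "10.0.10.3"),
    ("frigate", "servers", "2C:CF:67:71:91:F0", "10.0.10.4"),
    ("jester", "servers", "10:C3:7B:4E:B2:3F", "10.0.10.10"),
    ("wayfaerer", "servers", "B8:27:EB:F1:F4:FC", "10.0.10.11"),
    ("shield", "media", "00:04:4B:E4:5A:1B", "10.0.30.2"),
    ("envoy", "iot", "44:EE:14:F9:3A:C3", "10.0.20.2"),
    ("Hypervolt", "iot", "6C:0F:61:A9:30:90", "10.0.20.3"),
    ("OCTO-CADLITE", "iot", "94:54:C5:53:EB:24", "10.0.20.4"),
    ("HP83F0BD", "iot", "38:CA:84:83:F0:BD", "10.0.20.5"),
    ("CLO_bc744b7ff139", "iot", "BC:74:4B:7F:F1:39", "10.0.20.6"),
    ("doorbell", "iot", "D0:76:02:1B:0E:26", "10.0.20.1"),
]

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")


def validate_leases(leases, subnets=VLAN_SUBNETS):
    """Return a list of problem strings; an empty list means the inventory is consistent."""
    problems = []
    seen_mac, seen_ip = {}, {}
    for host, vlan, mac, ip in leases:
        mac = mac.upper()
        if not MAC_RE.match(mac):
            problems.append(f"{host}: malformed MAC {mac}")
        elif mac in seen_mac:
            problems.append(f"{host}: MAC {mac} already used by {seen_mac[mac]}")
        seen_mac.setdefault(mac, host)
        net = subnets.get(vlan)
        if net is None:
            problems.append(f"{host}: unknown VLAN {vlan}")
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{host}: malformed IP {ip}")
            continue
        if addr not in net:
            problems.append(f"{host}: {ip} is outside the {vlan} subnet {net}")
        elif addr == net.network_address + 1:
            # Assumption (not stated on the page): the router's own VLAN
            # interface takes the first host address of each subnet.
            problems.append(f"{host}: {ip} is the assumed gateway address of {vlan}")
        elif ip in seen_ip:
            problems.append(f"{host}: IP {ip} already used by {seen_ip[ip]}")
        seen_ip.setdefault(ip, host)
    return problems


def render_dhcp_hosts(leases):
    """Render one 'config host' stanza per lease; refuse to render an inconsistent inventory."""
    problems = validate_leases(leases)
    if problems:
        raise ValueError("inventory rejected: " + "; ".join(problems))
    stanzas = []
    for host, _vlan, mac, ip in leases:
        stanzas.append(
            f"config host\n\toption name '{host}'\n\toption mac '{mac.upper()}'\n\toption ip '{ip}'\n"
        )
    return "\n".join(stanzas)


if __name__ == "__main__":
    for problem in validate_leases(STATIC_LEASES):
        print("PROBLEM:", problem)
```

Run as-is it reports the doorbell address under the gateway assumption and renders nothing; once the inventory is clean, `render_dhcp_hosts` output can be appended to `/etc/config/dhcp` and applied with `uci commit dhcp` and a dnsmasq restart.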
---
## 2. Cross-VLAN Access Rules
| # | Source | Destination | Protocol / Port | Reason |
|------|----------------|--------------------|---------------------------------|---------------------------------------------------------------|
| 1 | trusted | media | TCP 8008, 8009 | Phone → Google speakers + Shield (Cast) |
| 2 | trusted | media | TCP 1400, 3400, 3401 / UDP 1900 | Phone → Sonos (control + SSDP) |
| 3 | trusted | servers | TCP 22 | SSH into servers from laptop/NAS |
| 4 | trusted | servers (everlost) | TCP 80, 443 | Internal services via Nginx |
| 5a | trusted | servers (jester) | TCP 8096 | Jellyfin direct access (local only, not proxied) |
| 5 | servers | iot | allow all | HA, Frigate, Music Assistant → IoT devices |
| 6 | servers (HA) | media | allow all | HA → Shield (Android TV) + Music Assistant → speakers |
| 7 | media (Shield) | servers (NAS) | TCP 32400, 8096 | Plex and Jellyfin → NAS |
| 8 | any | servers (everlost) | TCP/UDP 53 | PiHole DNS for all VLANs |
| 9 | media (Shield) | servers (wayfaerer) | TCP 9981, 9982 | TVHeadend web UI and HTSP streaming |
| 10 | trusted | iot (printer) | TCP 9100, 631 | Raw printing and IPP from laptops/phones |
| 11 | trusted | iot (printer) | TCP 80, 443 | Printer web UI / config |
> **Guest VLAN:** internet only — no casting to speakers or Shield from guest devices.
>
> **mDNS:** `avahi-daemon` reflects mDNS across trusted, servers, media and iot.
> Speakers and Shield are discoverable from phones (trusted) and HA (servers) via mDNS reflection.
> The printer (IoT) is discoverable from phones and laptops (trusted) via mDNS reflection (AirPrint).
> No firewall rules needed for discovery — only for the data connections above.
---
## 3. Internet Access per VLAN
| VLAN | Internet | Notes |
|---------|----------|-------------------------------------------------|
| trusted | Yes | Unrestricted |
| servers | Yes | Unrestricted |
| media | Yes | Unrestricted — consoles need online gaming |
| iot | Partial | Blocked by default. Explicit allows for Hypervolt, OCTO-CADLITE, HP printer, Alarmo, Envoy |
| guest | Yes | Internet only — no access to any internal VLAN |
---
## 4. DNS
- PiHole on `everlost.lan` (10.0.10.2) handles DNS for all VLANs
- DHCP on each VLAN advertises PiHole (`10.0.10.2`) as the DNS server
- DNS hijacking enabled: all outbound DNS (TCP/UDP 53) intercepted and redirected to PiHole, preventing devices hardcoding `8.8.8.8` or similar from bypassing it
- PiHole upstream DNS: Quad9 `9.9.9.9` — filtered, DNSSEC, IPv4 only
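Sections 2, 3 and 4 together define the firewall policy: default-deny between zones, unrestricted WAN for every VLAN except IoT, per-device WAN allows on IoT, the cross-VLAN rule table, and DNS interception to PiHole. The generator below is an added example, not the repo's own config or scripts. It renders `/etc/config/firewall` stanzas in fw4 syntax from the tables as data, and assumes that the firewall zone names match the VLAN names, that each zone's network interface carries the same name, and that the 4G failover interface is called `wan2`. The DNS redirect for the servers zone excludes PiHole's own address with fw4's `!` negation so that its upstream queries to Quad9 are not looped back onto itself.

```python
"""Render OpenWrt /etc/config/firewall (fw4) stanzas from the policy tables:
per-VLAN WAN access, per-device IoT allows, cross-VLAN rules and the DNS redirect."""

PIHOLE = "10.0.10.2"  # everlost (section 4)
VLANS = ["trusted", "servers", "media", "iot", "guest"]
# Zones with unrestricted WAN access (section 3). 'iot' is deliberately absent: default deny.
WAN_FORWARD = ["trusted", "servers", "media", "guest"]
# IoT devices allowed out individually (section 1, internet-allowed table).
IOT_WAN_ALLOW = {"envoy": "10.0.20.2", "hypervolt": "10.0.20.3", "octo-cadlite": "10.0.20.4",
                 "hp-printer": "10.0.20.5", "alarmo": "10.0.20.6"}
# Cross-VLAN rules (section 2): name, src zone, src ip, dest zone, dest ip, proto, ports.
# None means "any"; host IPs are the new addresses from section 1.
CROSS_VLAN = [
    ("r1-cast", "trusted", None, "media", None, "tcp", "8008 8009"),
    ("r2-sonos", "trusted", None, "media", None, "tcp", "1400 3400 3401"),
    ("r2-ssdp", "trusted", None, "media", None, "udp", "1900"),
    ("r3-ssh", "trusted", None, "servers", None, "tcp", "22"),
    ("r4-nginx", "trusted", None, "servers", "10.0.10.2", "tcp", "80 443"),
    ("r5a-jellyfin", "trusted", None, "servers", "10.0.10.10", "tcp", "8096"),
    ("r5-servers-iot", "servers", None, "iot", None, "all", None),
    ("r6-ha-media", "servers", "10.0.10.3", "media", None, "all", None),
    ("r7-shield-nas", "media", "10.0.30.2", "servers", "10.0.10.10", "tcp", "32400 8096"),
    ("r9-shield-tvh", "media", "10.0.30.2", "servers", "10.0.10.11", "tcp", "9981 9982"),
    ("r10-print", "trusted", None, "iot", "10.0.20.5", "tcp", "9100 631"),
    ("r11-printer-ui", "trusted", None, "iot", "10.0.20.5", "tcp", "80 443"),
]


def stanza(kind, **opts):
    """One UCI section; list values become 'list' lines, None values are skipped."""
    lines = [f"config {kind}"]
    for key, val in opts.items():
        if val is None:
            continue
        keyword = "list" if isinstance(val, list) else "option"
        for item in (val if isinstance(val, list) else [val]):
            lines.append(f"\t{keyword} {key} '{item}'")
    return "\n".join(lines) + "\n\n"


def render_zones():
    # Assumed interface names: 'wan' (fibre) and 'wan2' (4G failover on LAN 1).
    out = [stanza("zone", name="wan", network=["wan", "wan2"], input="REJECT", output="ACCEPT",
                  forward="REJECT", masq="1", mtu_fix="1")]
    # Every VLAN zone forwards nowhere by default; forwardings and rules open paths explicitly.
    out += [stanza("zone", name=z, network=[z], input="ACCEPT", output="ACCEPT", forward="REJECT")
            for z in VLANS]
    out += [stanza("forwarding", src=z, dest="wan") for z in WAN_FORWARD]
    return "".join(out)


def render_iot_wan_allows():
    return "".join(stanza("rule", name=f"iot-wan-{h}", src="iot", src_ip=ip, dest="wan",
                          proto="all", target="ACCEPT") for h, ip in IOT_WAN_ALLOW.items())


def render_cross_vlan():
    return "".join(stanza("rule", name=n, src=s, src_ip=sip, dest=d, dest_ip=dip, proto=p,
                          dest_port=ports, target="ACCEPT")
                   for n, s, sip, d, dip, p, ports in CROSS_VLAN)


def render_dns():
    # Rule 8: any zone may reach PiHole on 53; then DNAT every other port-53 destination to it.
    out = [stanza("rule", name="r8-dns", src="*", dest="servers", dest_ip=PIHOLE,
                  proto="tcp udp", dest_port="53", target="ACCEPT")]
    for z in VLANS:
        # PiHole's own upstream queries (to 9.9.9.9) must not be redirected back to itself.
        exclude = f"!{PIHOLE}" if z == "servers" else None
        out.append(stanza("redirect", name=f"dns-hijack-{z}", src=z, src_ip=exclude,
                          src_dport="53", dest_ip=PIHOLE, dest_port="53", proto="tcp udp",
                          target="DNAT"))
    return "".join(out)


def render_firewall():
    return render_zones() + render_iot_wan_allows() + render_cross_vlan() + render_dns()


if __name__ == "__main__":
    print(render_firewall())
```

Two things the output makes visible that the tables only imply: IoT gets no `config forwarding` to `wan` at all, so any device not in the allow table has no internet path even if it is added to the VLAN later, and the DNS redirect sits in DNAT (prerouting), so it catches a hardcoded `8.8.8.8` before any forwarding rule is consulted. Router-side `input` policy for guest and IoT is left at `ACCEPT` here because the page does not cover it; tightening it to DHCP and DNS only is a natural follow-up.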
---
## 5. Physical Port Assignment
| Port | Device | VLAN | Notes |
|-------|-------------------------|---------|-------------------------------------------------------|
| WAN | Primary fibre | — | Unchanged |
| LAN 1 | 4G failover device | WAN2 | Repurposed as second WAN |
| LAN 2 | Servers switch | servers | Wired servers, including wayfaerer.lan (TVHeadend Pi) |
| LAN 3 | Sonos Connect (lounge) | media | Wired Sonos bridge |
| LAN 4 | Laptop (during cutover) | trusted | Reserved — ensures reliable connection during Phase 9 |
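On OpenWrt 24.10 the switch ports are DSA members of `br-lan`, so the port table above becomes `bridge-vlan` stanzas in `/etc/config/network`. The snippet below is an added example, not the repo's own config: it renders one `bridge-vlan` per VLAN with the wired ports as untagged PVID members (`lanN:u*`), plus a static interface on the matching `br-lan.<id>` sub-device. Two details are assumptions the page does not state: the 802.1Q ids reuse each subnet's third octet, and each interface takes the `.1` address of its subnet. LAN 1 is left out of the bridge because it becomes the `wan2` uplink.

```python
"""Render OpenWrt DSA bridge-vlan and interface stanzas for /etc/config/network."""
import ipaddress

# VLAN name -> (802.1Q id, subnet). Ids are assumed (subnet third octet); subnets are from section 1.
VLANS = {
    "trusted": (1, "10.0.1.0/24"),
    "servers": (10, "10.0.10.0/24"),
    "iot": (20, "10.0.20.0/24"),
    "media": (30, "10.0.30.0/24"),
    "guest": (40, "10.0.40.0/24"),
}
# Wired port assignment from section 5. lan1 is repurposed as wan2 and stays out of the bridge.
PORT_VLAN = {"lan2": "servers", "lan3": "media", "lan4": "trusted"}


def port_vlan_id(port, vlans=VLANS, ports=PORT_VLAN):
    """802.1Q id an access port lands in, or None if the port is not bridged (lan1 -> wan2)."""
    name = ports.get(port)
    return vlans[name][0] if name else None


def render_network(vlans=VLANS, ports=PORT_VLAN):
    lines = []
    for name, (vid, cidr) in vlans.items():
        members = [p for p, v in ports.items() if v == name]
        lines += ["config bridge-vlan", "\toption device 'br-lan'", f"\toption vlan '{vid}'"]
        # ':u*' = untagged member and PVID, i.e. a plain access port for that VLAN.
        lines += [f"\tlist ports '{p}:u*'" for p in members]
        lines.append("")
        net = ipaddress.ip_network(cidr)
        gateway = net.network_address + 1  # assumed: router takes the first host address
        lines += [f"config interface '{name}'", f"\toption device 'br-lan.{vid}'",
                  "\toption proto 'static'", f"\toption ipaddr '{gateway}'",
                  f"\toption netmask '{net.netmask}'", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_network())
```

The existing `config device` stanza for `br-lan` must list `lan2`, `lan3` and `lan4` only, and the `wan2` interface is defined on `lan1` directly; VLANs with no wired ports (iot, guest) still get a `bridge-vlan` so the router's own `br-lan.<id>` sub-device exists for the wireless SSIDs to attach to.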
---
## 6. Open Questions
- [x] MAC addresses: servers VLAN devices (`ip link show eth0`) + doorbell + Shield TV (LuCI DHCP leases)
- [x] Shield TV current hostname/IP on the network
- [x] Console models (for the device inventory record)
- [x] Any smart TVs to add to media VLAN? No
- [x] Sonos: how many speakers, which models? They're all connected to SonosNet via the Connect
- [x] Any other IoT/smart devices not listed? Yes, added
- [x] Any devices that should stay on the flat 10.0.0.0/24 and NOT move to a VLAN? I don't believe so; I've added all known devices and annotated whether they need internet access
- [x] Brel blinds controller: HA-initiated via UDP 32100 (servers → iot, covered by rule 5). Brel maintains a persistent cloud connection so needs internet access.
- [x] TVHeadend (wayfaerer): Shield streams via TCP 9981/9982 (media → servers); jester SSH is intra-VLAN, no rule needed
- [x] PiHole upstream DNS servers currently configured? Quad9
- [x] Which LAN port is physically convenient for the 4G device: LAN 1
- [x] 4G device model: GL.iNet XE300C6 Puli
- [x] SSID name for media VLAN: **Pinball Map**
- [x] SSID name for guest VLAN: **Passenger**