diff --git a/network-map.md b/network-map.md new file mode 100644 index 0000000..2833a3e --- /dev/null +++ b/network-map.md 
@@ -0,0 +1,292 @@ +# 🌐 Network Map & Topology + +**Last Updated:** October 31, 2025 +**Network Range:** 192.168.68.0/22 +**Maintained By:** Weston + +--- + +## πŸ“Š Quick Reference + +| Device | IP Address | Purpose | +|--------|-----------|---------| +| **TP-Link Router** | 192.168.68.1 | Gateway, DHCP, Mesh Primary | +| **Foxtrot (Gaming PC)** | 192.168.68.50 | Workstation | +| **Unraid Server (Tower)** | 192.168.68.51 | Main infrastructure | +| **PiKVM** | 192.168.68.53 | Server out-of-band management | +| **Pi-hole (Pi Zero 2W)** | 192.168.68.61 | DNS + Ad-blocking + Unbound | +| **Code-Server VM** | 192.168.68.70 | Ubuntu headless + VS Code | +| **TP-Link Mesh Node** | 192.168.71.250 | Office WiFi extender | + +--- + +## πŸ—ΊοΈ Physical Network Topology + +``` + Internet + β”‚ + β”‚ (WAN) + β”‚ + β”Œβ”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β” + β”‚ TP-Link Routerβ”‚ + β”‚ 192.168.68.1 β”‚ + β”‚ (Mesh Primary) β”‚ + β””β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + β”‚ (LAN - Mesh Network) + β”‚ + β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” + β”‚ β”‚ β”‚ + β”Œβ”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β” + β”‚TP-Link β”‚ β”‚ Unraid β”‚ β”‚Pi Zero β”‚ + β”‚Mesh Node β”‚ β”‚ Server β”‚ β”‚Pi-hole β”‚ + β”‚ .71.250 β”‚ β”‚ Tower β”‚ β”‚Unbound β”‚ + β”‚ (Office) β”‚ β”‚ .68.51 β”‚ β”‚ .68.61 β”‚ + β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + β”‚ β”‚ + β”Œβ”€β”€β”€β”€β”Όβ”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β” + β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ + β”Œβ”€β”€β”€β”€β”΄β” β”Œβ”€β”΄β”€β”€β”€β”€β” β”Œβ”€β”΄β”€β”€β” β”‚ β”Œβ”€β”€β”΄β”€β”€β”€β”€β” + β”‚Foxtrotβ”‚Laptopβ”‚ β”‚PiKVMβ”‚ β”‚ β”‚VM: β”‚ + β”‚Gamingβ”‚(WiFi)β”‚ β”‚.68.53β”‚ β”‚ β”‚Code β”‚ + β”‚ PC β”‚ β”‚ β”‚(Directβ”‚ β”‚ β”‚Server β”‚ + β”‚.68.50β”‚ β”‚ β”‚to Svr)β”‚ β”‚ β”‚.68.70 β”‚ + β””β”€β”€β”€β”€β”€β”€β”˜ 
β””β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”˜ + β”‚ + (Server VMs) +``` + +--- + +## πŸ–₯️ Unraid Server Virtual Network + +``` +Physical: eth0 (2.5GbE) β†’ bond0 β†’ br0 (192.168.68.51) + β”‚ + β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” + β”‚ β”‚ β”‚ + β”Œβ”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β” + β”‚ VMs β”‚ β”‚ Docker β”‚ β”‚ Tailscale β”‚ + β”‚ β”‚ β”‚ β”‚ β”‚ VPN β”‚ + β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + β”‚ β”‚ 100.122.220.126 + β”‚ β”Œβ”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β” + β”Œβ”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β” β”‚ docker0 β”‚ + β”‚Code-Srvr β”‚ β”‚172.17.0.1β”‚ + β”‚ .68.70 β”‚ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ + β”‚ (Ubuntu) β”‚ β”‚ + β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”Œβ”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β” + β”‚ β”‚ β”‚ β”‚ + β”Œβ”€β”€β”€β”€β”΄β” β”Œβ”€β”΄β”€β”€β” β”Œβ”€β”€β”€β”΄β”€β”€β” β”Œβ”€β”΄β”€β”€β”€β” + β”‚open-β”‚ β”‚NPM β”‚ β”‚Gitea β”‚ β”‚Guac β”‚ + β”‚webuiβ”‚ β”‚ .4 β”‚ β”‚ .3 β”‚ β”‚ .2 β”‚ + β”‚ .5 β”‚ β””β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”˜ + β””β”€β”€β”€β”€β”€β”˜ +``` + +--- + +## πŸ“ Complete IP Address Table + +### Infrastructure & Services + +| Device/Service | IP Address | MAC | Type | Notes | +|---------------|-----------|-----|------|-------| +| **TP-Link Router** | 192.168.68.1 | - | Physical | Gateway, DHCP, primary mesh | +| **Foxtrot (Gaming PC)** | 192.168.68.50 | - | Physical | Workstation, static IP | +| **Unraid Server** | 192.168.68.51 | 58:47:ca:7b:97:b0 | Physical | Main server, static IP | +| **PiKVM** | 192.168.68.53 | - | Physical | Direct to server, management | +| **Pi-hole (Pi Zero 2W)** | 192.168.68.61 | - | Physical | DNS/ad-block/Unbound, static | +| **Code-Server VM** | 
192.168.68.70 | - | Virtual | Ubuntu + VS Code, KVM/QEMU | +| **Laptop** | DHCP | - | Physical | Mobile device, WiFi | +| **TP-Link Mesh Node** | 192.168.71.250 | - | Physical | Office WiFi extender | + +### Docker Containers (172.17.0.0/16) + +| Container | Docker IP | Host Port | Purpose | +|-----------|-----------|-----------|---------| +| **ApacheGuacamole** | 172.17.0.2 | 4000 | Remote desktop gateway | +| **Gitea** | 172.17.0.3 | 3002, 22 | Git server | +| **NginxProxyManager** | 172.17.0.4 | 1880, 7818, 18443 | Reverse proxy | +| **open-webui** | 172.17.0.5 | 3000 | LLM interface | +| **Cloudflared** | 172.17.0.6 | 46495 | Cloudflare tunnel | +| **Vaultwarden** | 172.17.0.7 | 4743 | Password manager | + +### VPN + +| Service | IP | Network | Purpose | +|---------|----|---------| --------| +| **Tailscale** | 100.122.220.126 | 100.64.0.0/10 | Secure remote access | + +--- + +## 🌐 Network Details + +**Subnet:** 192.168.68.0/22 +**Netmask:** 255.255.252.0 +**Usable Range:** 192.168.68.1 - 192.168.71.254 (1022 hosts) +**Gateway:** 192.168.68.1 +**Primary DNS:** 192.168.68.61 (Pi-hole) +**Secondary DNS:** 9.9.9.9 (Quad9) +**Broadcast:** 192.168.71.255 + +--- + +## πŸ”Œ Port Reference Guide + +### Unraid Server Ports + +| Service | Port | Protocol | URL | +|---------|------|----------|-----| +| **Unraid WebUI** | 80 | HTTP | http://192.168.68.51 | +| **Unraid SSL** | 443 | HTTPS | https://192.168.68.51 | +| **SMB** | 445 | TCP | \\\\192.168.68.51 | +| **SSH** | 22 | TCP | ssh root@192.168.68.51 | + +### Container Access + +| Service | URL | Port | Notes | +|---------|-----|------|-------| +| **open-webui** | http://192.168.68.51:3000 | 3000 | LLM chat interface | +| **Gitea** | http://192.168.68.51:3002 | 3002 | Git web UI | +| **Gitea (domain)** | https://gitea.segelschiff.app | 443 | Via Cloudflare | +| **NPM Web** | http://192.168.68.51:1880 | 1880 | Proxy frontend | +| **NPM Admin** | http://192.168.68.51:7818 | 7818 | Management UI | +| **Guacamole** | 
http://192.168.68.51:4000 | 4000 | Remote desktop | +| **Vaultwarden** | http://192.168.68.51:4743 | 4743 | Password vault | + +### Infrastructure Access + +| Service | URL | Default Port | +|---------|-----|--------------| +| **PiKVM** | https://192.168.68.53 | 443 | +| **Pi-hole Admin** | http://192.168.68.61/admin | 80 | +| **Code-Server** | http://192.168.68.70:8080 | 8080 (typical) | + +--- + +## πŸ›‘οΈ DNS Configuration + +**Primary:** Pi-hole (192.168.68.61) +- Ad-blocking +- Local DNS records +- Query logging +- DHCP relay + +**Upstream:** Unbound (same device) +- Recursive DNS resolver +- No forwarding to ISP +- Privacy-focused +- DNSSEC validation + +**Resolution Flow:** +``` +Client β†’ Pi-hole (192.168.68.61) β†’ Unbound β†’ Root Servers +``` + +**Fallback:** 9.9.9.9 (Quad9) - Privacy-respecting public DNS + +--- + +## 🌐 Remote Access + +### Cloudflare Tunnel +``` +Internet β†’ Cloudflare Edge β†’ Tunnel β†’ NPM β†’ Services +``` +- **Domain:** *.segelschiff.app +- **Services Exposed:** Gitea (and others via NPM) +- **Benefits:** No open ports, DDoS protection, SSL +- **Container:** Cloudflared (172.17.0.6) + +### Tailscale VPN +``` +Remote Device β†’ Encrypted Tunnel β†’ Unraid (100.122.220.126) +``` +- **Network:** 100.64.0.0/10 (CGNAT) +- **Protocol:** WireGuard +- **Benefits:** Zero-trust, peer-to-peer, NAT traversal +- **Access:** Full homelab as if local + +--- + +## πŸ“Š Network Performance + +| Link | Capacity | Usage | Status | +|------|----------|-------|--------| +| **Unraid NIC** | 2.5 Gbps | <1% | Underutilized | +| **Mesh Backhaul** | Unknown | Unknown | Check model specs | +| **Internet WAN** | Unknown | Unknown | ISP dependent | + +**Observed (eth0):** ~2 Mbps average = 0.08% of 2.5G capacity + +--- + +## πŸ”§ Troubleshooting Commands + +### Connectivity Tests +```bash +# Test key infrastructure +ping 192.168.68.1 # Router +ping 192.168.68.51 # Unraid +ping 192.168.68.61 # Pi-hole +ping 192.168.68.70 # Code-Server VM +ping 8.8.8.8 # 
Internet + +# DNS tests +nslookup google.com 192.168.68.61 # Test Pi-hole +dig @192.168.68.61 example.com # Detailed DNS query +``` + +### Network Status (from Unraid) +```bash +# Interfaces +ip addr show +ip link show + +# Routes +ip route show + +# Active connections +ss -tulpn + +# Docker networks +docker network ls +docker network inspect bridge +``` + +### VM Network (Code-Server) +```bash +# List VMs +virsh list --all + +# Get VM IP +virsh domifaddr + +# VM network info +virsh net-info default +``` + +--- + +## πŸ“ Recommendations + +### Security +1. ⚠️ **Separate Gitea SSH port** - Currently conflicts with Unraid SSH (both port 22) +2. ⚠️ **Implement VLANs** - Segment management/services/workstations +3. ⚠️ **Firewall hardening** - Move from ACCEPT-all to explicit rules + +### Performance +1. Monitor mesh performance between nodes +2. Document ISP speeds and plan accordingly +3. Consider 10GbE upgrade path (future) + +### Documentation +1. βœ… Document Code-Server VM configuration +2. βœ… Record TP-Link mesh model and capabilities +3. βœ… Map exact ISP speeds and plan + +--- + +**Last Updated:** October 31, 2025 +**Next Review:** When network topology changes +**Quick Access:** See README.md for service URLs
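Review bot: the port tables contradict each other on port 22. The Gitea row lists host ports `3002, 22` and the Unraid SSH row lists `ssh root@192.168.68.51` on 22, but Unraid's sshd and a Docker port mapping cannot both bind 22 on br0, so one of the two entries is wrong rather than a live "conflict" to resolve later as the Recommendations section suggests; confirm the real mapping with `docker port Gitea` and record the actual host port. In the same section, the addresses on the default `docker0` bridge (172.17.0.2 through .7) are assigned in container start order and change after a restart, so either label them as observed at the time of writing or move the containers to a user-defined network with fixed addresses before treating them as reference data. In the VM troubleshooting block, `virsh domifaddr` requires a domain name argument (the VM name) and errors as written. In Network Details, handing clients 9.9.9.9 as secondary DNS means any client that round-robins or fails over will query Quad9 directly, bypassing Pi-hole blocking and the "No forwarding to ISP" claim in the DNS section; drop the secondary or point it at a second Pi-hole instead. Finally, Vaultwarden is listed only as `http://192.168.68.51:4743`; the web vault requires an HTTPS origin for its client-side crypto, so document the NPM or tunnel HTTPS path that is actually used to reach it, and the Code-Server port should be verified rather than left as "8080 (typical)" given the Documentation item marks the VM configuration as done.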