homelab/network-map.md
weston e768ccb902 Corrected Foxtrot location in network topology
- Foxtrot now correctly shown in office connected to mesh node
- Office: Mesh node, Foxtrot, Laptop, Pi-hole
- Server room: Unraid, PiKVM (direct), Code-Server VM
2025-11-01 00:31:43 +01:00


🌐 Network Map & Topology

Last Updated: October 31, 2025
Network Range: 192.168.68.0/22
Maintained By: Weston


📊 Quick Reference

| Device | IP Address | Purpose |
|---|---|---|
| TP-Link Router | 192.168.68.1 | Gateway, DHCP, Mesh Primary |
| Foxtrot (Gaming PC) | 192.168.68.50 | Workstation |
| Unraid Server (Tower) | 192.168.68.51 | Main infrastructure |
| PiKVM | 192.168.68.53 | Server out-of-band management |
| Pi-hole (Pi Zero 2W) | 192.168.68.61 | DNS + Ad-blocking + Unbound |
| Code-Server VM | 192.168.68.70 | Ubuntu headless + VS Code |
| TP-Link Mesh Node | 192.168.71.250 | Office WiFi extender |

🗺️ Physical Network Topology

                         Internet
                            │
                            │ (WAN)
                            │
                    ┌───────┴────────┐
                    │  TP-Link Router│
                    │  192.168.68.1  │
                    │ (Mesh Primary) │
                    └───────┬────────┘
                            │ (LAN - Mesh Network)
                            │
             ┌──────────────┼──────────────┐
             │              │              │
        ┌────┴─────┐   ┌────┴─────┐  ┌────┴─────┐
        │TP-Link   │   │  Unraid  │  │Pi Zero   │
        │Mesh Node │   │  Server  │  │Pi-hole   │
        │ .71.250  │   │  Tower   │  │Unbound   │
        │ (Office) │   │  .68.51  │  │ .68.61   │
        └────┬─────┘   └────┬─────┘  └──────────┘
             │              │
         ┌────┴───┐        ┌─┴───────┐
         │        │        │         │
     ┌───┴───┐ ┌──┴───┐ ┌──┴───┐ ┌───┴───┐
     │Foxtrot│ │Laptop│ │PiKVM │ │VM:    │
     │Gaming │ │(WiFi)│ │.68.53│ │Code   │
     │PC     │ │DHCP  │ │direct│ │Server │
     │.68.50 │ │      │ │to Svr│ │.68.70 │
     └───────┘ └──────┘ └──────┘ └───────┘
                                 (Server VMs)

🖥️ Unraid Server Virtual Network

```
Physical: eth0 (2.5GbE) → bond0 → br0 (192.168.68.51)
                                    │
               ┌────────────────────┼────────────────────┐
               │                    │                    │
          ┌────┴─────┐        ┌─────┴──────┐      ┌──────┴────┐
          │   VMs    │        │  Docker    │      │ Tailscale │
          │          │        │            │      │    VPN    │
          └────┬─────┘        └─────┬──────┘      └───────────┘
               │                    │           100.122.220.126
          ┌────┴─────┐        ┌─────┴───────┐
          │Code-Srvr │        │   docker0   │
          │ .68.70   │        │ 172.17.0.1  │
          │ (Ubuntu) │        └─────┬───────┘
          └──────────┘              │
                      ┌─────────┬───┴─────┬─────────┐
                      │         │         │         │
                  ┌───┴───┐ ┌───┴───┐ ┌───┴───┐ ┌───┴───┐
                  │open-  │ │ NPM   │ │ Gitea │ │ Guac  │
                  │webui  │ │  .4   │ │  .3   │ │  .2   │
                  │  .5   │ └───────┘ └───────┘ └───────┘
                  └───────┘
```

📍 Complete IP Address Table

Infrastructure & Services

| Device/Service | IP Address | MAC | Type | Notes |
|---|---|---|---|---|
| TP-Link Router | 192.168.68.1 | - | Physical | Gateway, DHCP, primary mesh |
| Foxtrot (Gaming PC) | 192.168.68.50 | - | Physical | Workstation, static IP |
| Unraid Server | 192.168.68.51 | 58:47:ca:7b:97:b0 | Physical | Main server, static IP |
| PiKVM | 192.168.68.53 | - | Physical | Direct to server, management |
| Pi-hole (Pi Zero 2W) | 192.168.68.61 | - | Physical | DNS/ad-block/Unbound, static |
| Code-Server VM | 192.168.68.70 | - | Virtual | Ubuntu + VS Code, KVM/QEMU |
| Laptop | DHCP | - | Physical | Mobile device, WiFi |
| TP-Link Mesh Node | 192.168.71.250 | - | Physical | Office WiFi extender |

Docker Containers (172.17.0.0/16)

| Container | Docker IP | Host Port | Purpose |
|---|---|---|---|
| ApacheGuacamole | 172.17.0.2 | 4000 | Remote desktop gateway |
| Gitea | 172.17.0.3 | 3002, 22 | Git server |
| NginxProxyManager | 172.17.0.4 | 1880, 7818, 18443 | Reverse proxy |
| open-webui | 172.17.0.5 | 3000 | LLM interface |
| Cloudflared | 172.17.0.6 | 46495 | Cloudflare tunnel |
| Vaultwarden | 172.17.0.7 | 4743 | Password manager |

VPN

| Service | IP | Network | Purpose |
|---|---|---|---|
| Tailscale | 100.122.220.126 | 100.64.0.0/10 | Secure remote access |

🌐 Network Details

Subnet: 192.168.68.0/22
Netmask: 255.255.252.0
Usable Range: 192.168.68.1 - 192.168.71.254 (1022 hosts)
Gateway: 192.168.68.1
Primary DNS: 192.168.68.61 (Pi-hole)
Secondary DNS: 9.9.9.9 (Quad9)
Broadcast: 192.168.71.255


🔌 Port Reference Guide

Unraid Server Ports

| Service | Port | Protocol | URL |
|---|---|---|---|
| Unraid WebUI | 80 | HTTP | http://192.168.68.51 |
| Unraid SSL | 443 | HTTPS | https://192.168.68.51 |
| SMB | 445 | TCP | `\\192.168.68.51` |
| SSH | 22 | TCP | `ssh root@192.168.68.51` |

Container Access

| Service | URL | Port | Notes |
|---|---|---|---|
| open-webui | http://192.168.68.51:3000 | 3000 | LLM chat interface |
| Gitea | http://192.168.68.51:3002 | 3002 | Git web UI |
| Gitea (domain) | https://gitea.segelschiff.app | 443 | Via Cloudflare |
| NPM Web | http://192.168.68.51:1880 | 1880 | Proxy frontend |
| NPM Admin | http://192.168.68.51:7818 | 7818 | Management UI |
| Guacamole | http://192.168.68.51:4000 | 4000 | Remote desktop |
| Vaultwarden | http://192.168.68.51:4743 | 4743 | Password vault |

Infrastructure Access

| Service | URL | Default Port |
|---|---|---|
| PiKVM | https://192.168.68.53 | 443 |
| Pi-hole Admin | http://192.168.68.61/admin | 80 |
| Code-Server | http://192.168.68.70:8080 | 8080 (typical) |
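The script below is an added example and not part of the original network map. It transcribes the addresses and host ports from the tables above into Python and checks them with the standard library: it recomputes the values listed under Network Details from the /22 alone, confirms every documented address sits inside 192.168.68.0/22 and is assigned only once (the DHCP laptop is left out), and lists any host port that more than one service on the Unraid host claims. On the tables as written, the only finding is the port 22 overlap between Unraid SSH and the Gitea container that the Recommendations section already calls out.

```python
"""Consistency checks for the homelab inventory documented in network-map.md.

Added example, not part of the original page. The two tables below are
transcribed from the page; only the check logic is new.
"""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.68.0/22")

# From the "Complete IP Address Table"; the laptop is DHCP and therefore omitted.
LAN_HOSTS = {
    "TP-Link Router": "192.168.68.1",
    "Foxtrot (Gaming PC)": "192.168.68.50",
    "Unraid Server": "192.168.68.51",
    "PiKVM": "192.168.68.53",
    "Pi-hole (Pi Zero 2W)": "192.168.68.61",
    "Code-Server VM": "192.168.68.70",
    "TP-Link Mesh Node": "192.168.71.250",
}

# Everything that listens on the Unraid host (192.168.68.51): native services
# from "Unraid Server Ports" plus the published ports from the container table.
UNRAID_HOST_PORTS = {
    "Unraid WebUI": [80],
    "Unraid SSL": [443],
    "SMB": [445],
    "SSH": [22],
    "ApacheGuacamole": [4000],
    "Gitea": [3002, 22],
    "NginxProxyManager": [1880, 7818, 18443],
    "open-webui": [3000],
    "Cloudflared": [46495],
    "Vaultwarden": [4743],
}


def subnet_facts(network: ipaddress.IPv4Network) -> dict:
    """Recompute the 'Network Details' values from the CIDR prefix alone."""
    return {
        "netmask": str(network.netmask),
        "first_usable": str(network.network_address + 1),
        "last_usable": str(network.broadcast_address - 1),
        "broadcast": str(network.broadcast_address),
        # network and broadcast addresses are not assignable to hosts
        "usable_hosts": network.num_addresses - 2,
    }


def check_addresses(hosts: dict, network: ipaddress.IPv4Network) -> list[str]:
    """One finding per address outside the subnet or assigned to two devices."""
    findings = []
    seen = defaultdict(list)
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in network:
            findings.append(f"{name}: {addr} is outside {network}")
        seen[ip].append(name)
    for ip, names in seen.items():
        if len(names) > 1:
            findings.append(f"{ip} assigned to more than one device: {', '.join(names)}")
    return findings


def port_collisions(host_ports: dict) -> dict[int, list[str]]:
    """Map every host port claimed by more than one service to its claimants."""
    claims = defaultdict(list)
    for service, ports in host_ports.items():
        for port in ports:
            claims[port].append(service)
    return {port: names for port, names in sorted(claims.items()) if len(names) > 1}


if __name__ == "__main__":
    for key, value in subnet_facts(LAN).items():
        print(f"{key:>13}: {value}")
    for finding in check_addresses(LAN_HOSTS, LAN):
        print("address:", finding)
    for port, names in port_collisions(UNRAID_HOST_PORTS).items():
        print(f"port {port} claimed by: {', '.join(names)}")
```

Re-run it whenever a row is added to either table: a typo in the third octet that lands an address outside the /22, a duplicated static IP, or a second container published on an already used host port shows up before it turns into an outage.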

🛡️ DNS Configuration

Primary: Pi-hole (192.168.68.61)

  • Ad-blocking
  • Local DNS records
  • Query logging
  • DHCP relay

Upstream: Unbound (same device)

  • Recursive DNS resolver
  • No forwarding to ISP
  • Privacy-focused
  • DNSSEC validation

Resolution Flow:

Client → Pi-hole (192.168.68.61) → Unbound → Root Servers

Fallback: 9.9.9.9 (Quad9) - Privacy-respecting public DNS
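The page states two properties of the Unbound upstream: it recurses from the root servers with no forwarding to the ISP, and it validates DNSSEC. The following added example (not the Pi-hole's actual configuration) reads an Unbound config in its `section:` / indented `key: value` layout and reports anything that contradicts either claim. Both config texts are constructed samples; listening on 127.0.0.1 port 5335 is the common Pi-hole pairing and is an assumption here, and the 203.0.113.53 forwarder in the counter-example is a documentation-range address standing in for an ISP resolver.

```python
"""Audit an Unbound config against 'no forwarding' and 'DNSSEC validation'.

Added example, not part of the original page. The config texts are constructed
samples, not the running configuration of the Pi-hole at 192.168.68.61.
"""

# Constructed sample that matches what the page describes: a recursive,
# validating resolver that Pi-hole reaches on localhost (5335 is an assumption).
RECURSIVE_CONF = """\
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # recursion starts from the root hints, not from an ISP resolver
    root-hints: "/var/lib/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    prefetch: yes
"""

# Constructed counter-example: forwards everything upstream and cannot validate.
FORWARDING_CONF = """\
server:
    interface: 127.0.0.1
    port: 5335
    harden-dnssec-stripped: no

forward-zone:
    name: "."
    forward-addr: 203.0.113.53   # documentation-range address, stands in for an ISP resolver
"""


def parse_unbound(text: str) -> list[tuple[str, dict[str, list[str]]]]:
    """Parse Unbound's section/option layout, dropping '#' comments.

    Sections are returned in file order; an option may repeat inside a section.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = (line[:-1], {})
            sections.append(current)
            continue
        if current is None:
            raise ValueError(f"option outside any section: {line!r}")
        key, _, value = line.strip().partition(":")
        current[1].setdefault(key.strip(), []).append(value.strip().strip('"'))
    return sections


def audit(text: str) -> list[str]:
    """Findings where the config contradicts the resolver properties documented above."""
    findings = []
    server = {}
    for name, options in parse_unbound(text):
        if name == "server":
            server.update(options)
        elif name == "forward-zone" and "." in options.get("name", []):
            targets = ", ".join(options.get("forward-addr", []) + options.get("forward-host", []))
            findings.append(f"root zone is forwarded to {targets}; resolver is not recursing itself")
    # Without a trust anchor Unbound has nothing to validate signatures against.
    if "auto-trust-anchor-file" not in server and "trust-anchor-file" not in server:
        findings.append("no trust anchor configured, so DNSSEC validation is off")
    # Last occurrence wins when an option is repeated; Unbound's defaults are 'no' and 'yes'.
    if server.get("val-permissive-mode", ["no"])[-1] == "yes":
        findings.append("val-permissive-mode is on, so validation failures are not enforced")
    if server.get("harden-dnssec-stripped", ["yes"])[-1] != "yes":
        findings.append("harden-dnssec-stripped is off; answers with stripped DNSSEC data are accepted")
    return findings


if __name__ == "__main__":
    for label, conf in (("recursive", RECURSIVE_CONF), ("forwarding", FORWARDING_CONF)):
        print(label, "->", audit(conf) or ["matches the documented resolver properties"])
```

Pointing `audit()` at the real `unbound.conf` (and any files it includes) is the quickest way to confirm that the Resolution Flow drawn above is what the device actually does rather than what the notes remember.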


🌐 Remote Access

Cloudflare Tunnel

Internet → Cloudflare Edge → Tunnel → NPM → Services
  • Domain: *.segelschiff.app
  • Services Exposed: Gitea (and others via NPM)
  • Benefits: No open ports, DDoS protection, SSL
  • Container: Cloudflared (172.17.0.6)

Tailscale VPN

Remote Device → Encrypted Tunnel → Unraid (100.122.220.126)
  • Network: 100.64.0.0/10 (CGNAT)
  • Protocol: WireGuard
  • Benefits: Zero-trust, peer-to-peer, NAT traversal
  • Access: Full homelab as if local

📊 Network Performance

| Link | Capacity | Usage | Status |
|---|---|---|---|
| Unraid NIC | 2.5 Gbps | <1% | Underutilized |
| Mesh Backhaul | Unknown | Unknown | Check model specs |
| Internet WAN | Unknown | Unknown | ISP dependent |

Observed (eth0): ~2 Mbps average = 0.08% of 2.5G capacity


🔧 Troubleshooting Commands

Connectivity Tests

```bash
# Test key infrastructure
ping 192.168.68.1    # Router
ping 192.168.68.51   # Unraid
ping 192.168.68.61   # Pi-hole
ping 192.168.68.70   # Code-Server VM
ping 8.8.8.8         # Internet

# DNS tests
nslookup google.com 192.168.68.61  # Test Pi-hole
dig @192.168.68.61 example.com     # Detailed DNS query
```

Network Status (from Unraid)

```bash
# Interfaces
ip addr show
ip link show

# Routes
ip route show

# Active connections
ss -tulpn

# Docker networks
docker network ls
docker network inspect bridge
```
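`ss -tulpn` shows what the Unraid host is really listening on; comparing that against the Port Reference Guide catches services that were added without a table row. The script below is an added example, not part of the original page: it parses the `ss` columns, collapses the IPv4 and IPv6 sockets of one daemon into a single entry, and prints every listener whose port is not documented. The `ss` output embedded in it is a constructed sample in the format the command prints when run as root (so the Process column is filled), not a capture from the server; the VNC and Tailscale listeners in it are there to show what a finding looks like.

```python
"""Find listeners on the Unraid host that the network map does not document.

Added example, not part of the original page. SS_SAMPLE is a constructed
sample of `ss -tulpn` output, not a capture from 192.168.68.51.
"""
import re

# Host ports documented for 192.168.68.51 in the Port Reference Guide and the
# Docker container table.
DOCUMENTED_PORTS = {22, 80, 443, 445, 3000, 3002, 1880, 7818, 18443, 4000, 4743, 46495}

# Constructed sample; docker-proxy is how Docker publishes container ports on the host.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1201,fd=3))
tcp   LISTEN 0      4096         0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1340,fd=6))
tcp   LISTEN 0      4096         0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1340,fd=7))
tcp   LISTEN 0      50           0.0.0.0:445       0.0.0.0:*     users:(("smbd",pid=1410,fd=36))
tcp   LISTEN 0      4096         0.0.0.0:3000      0.0.0.0:*     users:(("docker-proxy",pid=2210,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:3002      0.0.0.0:*     users:(("docker-proxy",pid=2233,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:5900      0.0.0.0:*     users:(("qemu-system-x86",pid=3120,fd=19))
tcp   LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=1201,fd=4))
udp   UNCONN 0      0            0.0.0.0:41641     0.0.0.0:*     users:(("tailscaled",pid=1502,fd=13))
"""

# First quoted name inside users:(("name",pid=...,fd=...))
PROCESS_RE = re.compile(r'"([^"]+)"')


def parse_ss(output: str) -> list[tuple[str, int, str]]:
    """Turn `ss -tulpn` text into (protocol, port, process) tuples, one per socket."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Netid":
            continue  # blank or header line
        proto, local = fields[0], fields[4]
        # Local address is host:port; rsplit keeps IPv6 literals like [::]:22 intact.
        port = int(local.rsplit(":", 1)[1])
        # The Process column is absent when ss is run without privileges.
        match = PROCESS_RE.search(fields[6]) if len(fields) > 6 else None
        sockets.append((proto, port, match.group(1) if match else "?"))
    return sockets


def undocumented_listeners(output: str, documented: set[int]) -> list[tuple[int, str, str]]:
    """Listeners whose port is not in the documented set, deduplicated and sorted by port."""
    found = {(port, proto, proc) for proto, port, proc in parse_ss(output) if port not in documented}
    return sorted(found)


if __name__ == "__main__":
    for port, proto, proc in undocumented_listeners(SS_SAMPLE, DOCUMENTED_PORTS):
        print(f"{port}/{proto} ({proc}) is listening but not in the network map")
```

On the real host, pipe `ss -tulpn` into the script instead of using the sample; a listener that is genuinely wanted gets a table row, anything else is a candidate for the firewall rules recommended at the end of this document.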

VM Network (Code-Server)

```bash
# List VMs
virsh list --all

# Get VM IP
virsh domifaddr <vm-name>

# VM network info
virsh net-info default
```

📝 Recommendations

Security

  1. ⚠️ Separate Gitea SSH port - Currently conflicts with Unraid SSH (both port 22)
  2. ⚠️ Implement VLANs - Segment management/services/workstations
  3. ⚠️ Firewall hardening - Move from ACCEPT-all to explicit rules

Performance

  1. Monitor mesh performance between nodes
  2. Document ISP speeds and plan accordingly
  3. Consider 10GbE upgrade path (future)

Documentation

  1. Document Code-Server VM configuration
  2. Record TP-Link mesh model and capabilities
  3. Map exact ISP speeds and plan

Last Updated: October 31, 2025
Next Review: When network topology changes
Quick Access: See README.md for service URLs