# Network Plan

## Goals
- rebuild the home network with clear segmentation
- migrate from `192.168.0.0/24` to easier-to-type `10.x.x.x` ranges
- isolate wireless IoT devices from trusted systems
- make server and management access more explicit and safer
- support Proxmox, storage, reverse proxy, Home Assistant, media, and game services cleanly

## Current known environment
- current flat subnet: `192.168.0.0/24`
- `192.168.0.1` appears to be the router/firewall
- one Proxmox node currently runs OPNsense and nginx
- one server is intended to become the main file/media/game server
- one laptop-based Proxmox node runs Home Assistant and small internal services
- UniFi AP may be able to tag multiple SSIDs for VLAN separation

## Target network model
Use multiple small `/24` networks inside `10.0.0.0/8`.

### Proposed VLANs / subnets
- **VLAN 10 — Trusted LAN**
  - subnet: `10.0.10.0/24`
  - gateway: `10.0.10.1`
  - desktops, laptops, admin devices
- **VLAN 20 — Servers**
  - subnet: `10.0.20.0/24`
  - gateway: `10.0.20.1`
  - Proxmox guests, reverse proxy, media, game, storage-facing service IPs
- **VLAN 30 — IoT**
  - subnet: `10.0.30.0/24`
  - gateway: `10.0.30.1`
  - wireless IoT devices, smart home devices, TVs, low-trust gear
- **VLAN 40 — Guest WiFi**
  - subnet: `10.0.40.0/24`
  - gateway: `10.0.40.1`
  - internet-only guest devices
- **VLAN 50 — Management**
  - subnet: `10.0.50.0/24`
  - gateway: `10.0.50.1`
  - Proxmox management, switch/AP management, OPNsense admin, IPMI/iDRAC/ILO if present

## Device placement target
### Trusted LAN
- personal desktops
- personal laptops
- admin workstation(s)
- phones/tablets you trust for administration

### Servers
- reverse proxy VM/LXC
- Nextcloud
- Vaultwarden dedicated VM (planned critical service; LAN/Tailscale-only by default)
- media services
- game services
- internal DNS helpers if separated from firewall
- file-serving guest IPs if serving over network

### IoT
- Home Assistant client devices and integrations
- smart plugs
- TVs / media sticks if desired
- cameras only if policy is carefully planned

### Management
- Proxmox web UIs
- OPNsense management
- UniFi AP/controller management
- managed switch management
- out-of-band interfaces

## Routing / firewall policy target
Default posture: **deny lateral movement unless needed**.

### Allow rules to plan for
- Trusted LAN -> all VLANs for administration
- Management -> infra management endpoints
- Servers -> internet as needed for updates
- Home Assistant -> IoT devices as needed
- reverse proxy -> backend services on Servers VLAN
- selected clients -> file shares on Servers VLAN

### Block rules to plan for
- IoT -> Trusted LAN (block by default)
- Guest -> all local VLANs (block by default)
- Servers -> Management (only allow specific admin flows if needed)
- IoT -> Management (block)
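As an added example (not part of this plan), a small policy checker that encodes the subnets above and the allow/block intents as an ordered, default-deny matrix, so the rule set can be sanity-checked before it is typed into OPNsense. The port `22` used for the "specific admin flow" from Servers to Management is an assumption for illustration.

```python
# Added example: default-deny flow evaluation for the plan's VLAN matrix.
import ipaddress

VLANS = {  # subnets exactly as listed in the plan
    "trusted": ipaddress.ip_network("10.0.10.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),
    "guest": ipaddress.ip_network("10.0.40.0/24"),
    "mgmt": ipaddress.ip_network("10.0.50.0/24"),
}

# (src_vlan, dst_vlan, dst_port or None for any, action); first match wins.
# Port 22 is an assumed example of "only allow specific admin flows".
RULES = [
    ("trusted", "*", None, "allow"),        # Trusted LAN -> all VLANs
    ("mgmt", "*", None, "allow"),           # Management -> infra endpoints
    ("servers", "internet", None, "allow"), # Servers -> internet for updates
    ("servers", "mgmt", 22, "allow"),       # one explicitly approved flow
    ("servers", "mgmt", None, "block"),     # everything else Servers -> Mgmt
    ("iot", "trusted", None, "block"),      # IoT -> Trusted LAN
    ("iot", "mgmt", None, "block"),         # IoT -> Management
    ("guest", "internet", None, "allow"),   # guest is internet-only ...
    ("guest", "*", None, "block"),          # ... so every local VLAN is blocked
]


def vlan_of(ip):
    """Map an address to its VLAN name; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip, dst_ip, dst_port=None):
    """Return 'allow' or 'block' for a flow. No matching rule means block."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    for r_src, r_dst, r_port, action in RULES:
        if r_src != src or (r_dst != "*" and r_dst != dst):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "block"  # default posture: deny lateral movement unless needed
```

Flows the plan never mentions (for example IoT -> Servers) fall through to the default block, which is the behaviour to expect on the firewall once the temporary migration exceptions are removed.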

## Wireless / UniFi assumptions
If the UniFi AP supports VLAN-tagged SSIDs, create:
- main SSID -> VLAN 10
- IoT SSID -> VLAN 30
- guest SSID -> VLAN 40

Need to verify:
- AP model
- whether switch path to AP is VLAN-aware
- whether OPNsense interfaces/trunks are already configured or need redesign

## DNS / naming goals
- keep internal names consistent and documented
- default service domain: `dropcutstud.io`
- default hostname style: simple, memorable, single-word service names, e.g. `tickets.dropcutstud.io`
- default service exposure: LAN + Tailscale only, unless the user explicitly requests public internet exposure
- separate public DNS from internal naming where useful
- decide whether public names like `amp.dropcutstud.io` should resolve internally, externally, or both
- current known issue: public DNS resolves `*.dropcutstud.io` to the external IP, while internal resolution depends on per-name OPNsense/Unbound local overrides/exceptions; this should be replaced with a better internal DNS / Tailscale-integrated design
- consider local DNS overrides in OPNsense / Unbound, split-horizon DNS, and Tailscale MagicDNS approaches
- Vaultwarden FQDN: `vw.dropcutstud.io`; user will set up a LAN Unbound override/exception to `192.168.0.238`; public DNS/provider automation is deferred
- SearxNG intended FQDN: `search.dropcutstud.io`; DNS/Tailscale/TLS are follow-up work; current verified URL is `http://192.168.0.133:8080/`

## Vaultwarden access boundary
- placement: dedicated Proxmox VM `102` on `buntbox01`, default bridge/storage path
- IP addressing: DHCP observed at `192.168.0.238`; consider DHCP reservation before production use
- reachability: LAN and Tailscale only by default
- TLS: self-signed/internal TLS is in place for bootstrap; production trust/DNS remains follow-up before critical secret migration
- public exposure: no public port forwarding or public reverse proxy exposure; user confirmed no public exposure on 2026-06-06
- firewall intent: trusted/admin clients may reach the vault; guest/IoT networks should not reach it unless explicitly approved
- Tailscale: handle separately after LAN deployment
- assistant access: user wants controlled assistant vault access; design must use a dedicated/scoped assistant identity and documented authorization/revocation before use

## Migration strategy
### Phase 1 — document and verify
- identify switch, AP, and VLAN capability
- inventory current static IPs, DHCP reservations, and important services
- identify what must remain reachable during migration

### Phase 2 — build new VLANs in parallel
- create VLAN interfaces on OPNsense
- configure DHCP scopes for `10.0.10.0/24`, `10.0.20.0/24`, `10.0.30.0/24`, `10.0.40.0/24`, `10.0.50.0/24`
- configure switch ports/trunks
- configure UniFi SSIDs

### Phase 3 — move infrastructure first
- move management interfaces
- move Proxmox hosts
- move servers and reverse proxy
- test DNS and routing

### Phase 4 — move clients and IoT
- move trusted clients to VLAN 10
- move IoT devices to VLAN 30
- tune Home Assistant access rules

### Phase 5 — cleanup
- retire `192.168.0.0/24`
- remove temporary firewall exceptions
- update docs and reservations

## Open questions
- what managed switch is in use?
- can the UniFi AP tag multiple SSIDs to VLANs?
- should Proxmox host management live only on VLAN 50?
- should storage traffic remain on Servers VLAN or get its own dedicated storage network later?
- which services must be publicly exposed versus internal-only?

## Recommended next actions
1. inventory physical network gear and models
2. inventory all current servers and important clients
3. confirm UniFi VLAN SSID capability
4. define exact service IP/reservation plan
5. implement OPNsense VLAN interfaces and DHCP scopes
