Paccoco VLAN Policy Lanes

Simplified operator view focused on VLAN identity and firewall intent as of 2026-05-23. This intentionally strips most host-by-host detail so the important story is obvious: which lanes are internal, which are untrusted, where DNS now lands, and which paths are allowed, blocked, or preserved only as narrow exceptions.
Internal zone: Management + Trusted + Servers
Untrusted zone: IoT + Camera + Old IoT
Hotspot: Guest internet-only
Restricted-lane DNS target: 10.5.30.53
Control plane and zone definitions Gateway / UDM Pro Mgmt IP 10.5.0.1 • control surface lives only in Management Internal Zone Management + Trusted + Servers can initiate where needed Untrusted Zone IoT + Camera + Old IoT get DNS help but no broad gateway reach Shared DNS Anchor Pi-hole HA VIP 10.5.30.53 advertised to restricted lanes by DHCP Internal lanes Restricted / edge lanes policy edge Management 10.5.0.0/24 control plane Lives here UDM Pro 10.5.0.1 switches, AP management Operator-only admin surface Trusted 10.5.1.0/24 • VLAN 51 people + daily drivers Purpose phones, laptops, tablets normal admin origin points Can initiate toward Servers and Untrusted Servers 10.5.30.0/24 • VLAN 30 core services Anchor services PD .6 • Serenity .5 Nomad .7 • Rocinante .112 Pi-hole VIP 10.5.30.53 Service destination for the rest of the network Internal policy summary Trusted/admin workflows can reach Servers Internal can initiate into restricted lanes when needed Servers host shared DNS target used by restricted lanes • Management remains the only rightful home of gateway administration. • Trusted is where John/admin clients live and where most deliberate control starts. • Servers is the service center, not a client junk drawer. IoT 10.5.10.0/24 • VLAN 510 appliances + smart-home gear Kept DNS -> 10.5.30.53 DHCP preserved mDNS preserved where needed No broad gateway reach Camera 10.5.20.0/24 • VLAN 520 Protect chimes + camera-adjacent gear Kept DNS -> 10.5.30.53 DHCP preserved same shield posture as IoT No broad gateway reach Old IoT / Legacy 192.168.1.0/24 • VLAN 2 shrinking-only containment lane Still tolerated DNS -> 10.5.30.53 same shield posture as other untrusted lanes no new joins if avoidable Exception-only future Guest / Hotspot 10.5.90.0/24 • VLAN 590 internet-only lane • kept separate from the internal story Firewall intent Restricted lanes get DNS service path Blocked: Untrusted -> Gateway admin / broad gateway access Only proven exceptions survive Legend trusted / operator lane servers / service core restricted edge lane management / sensitive control surface allowed path blocked path narrow preserved exception

Read this diagram as policy, not inventory

  • • Left side is where control and deliberate administration belong.
  • • Right side is where devices live when they need containment more than trust.
  • • The important service export from Servers is shared DNS at 10.5.30.53.

The two rules that matter most

  • • Internal can initiate outward when needed.
  • • Untrusted does not get broad gateway access back in, especially not UDM admin TCP.
  • • Any exception has to earn its keep with a real failing device.

What still deserves live validation

  • • Renew a DHCP lease on one client from each restricted lane.
  • • Confirm that client resolves through 10.5.30.53.
  • • Confirm gateway UI/admin ports still fail from those lanes.
Open locally with: xdg-open /home/fizzlepoof/repos/truenas-stacks/docs/architecture/network-policy-lanes-2026-05-23.html