Simplified operator view focused on VLAN identity and firewall intent as of 2026-05-23. This intentionally strips most host-by-host detail so the important story is obvious: which lanes are internal, which are untrusted, where DNS now lands, and which paths are allowed, blocked, or preserved only as narrow exceptions.
Internal zone: Management + Trusted + Servers
Untrusted zone: IoT + Camera + Old IoT
Hotspot: Guest internet-only
Restricted-lane DNS target: 10.5.30.53
Read this diagram as policy, not inventory
• Left side is where control and deliberate administration belong.
• Right side is where devices live when they need containment more than trust.
• The important service export from Servers is shared DNS at 10.5.30.53.
The two rules that matter most
• Internal can initiate outward when needed.
• Untrusted does not get broad gateway access back in, especially not UDM admin TCP.
• Any exception has to earn its keep with a real failing device.
What still deserves live validation
• Renew a DHCP lease on one client from each restricted lane.
• Confirm that client resolves through 10.5.30.53.
• Confirm gateway UI/admin ports still fail from those lanes.
Open locally with: xdg-open /home/fizzlepoof/repos/truenas-stacks/docs/architecture/network-policy-lanes-2026-05-23.html