220 lines
6.8 KiB
Markdown
220 lines
6.8 KiB
Markdown
# Home Network Redesign Plan
|
|
|
|
> For Doris: this is the target architecture and migration plan that the interactive site visualizes.
|
|
|
|
Goal: redesign John's home network and homelab into a simpler, future-proof VLAN model that supports camera growth, cleaner firewall policy, better Wi-Fi placement, and easier operations.
|
|
|
|
Architecture summary:
|
|
- Collapse historical clutter into six intentional VLANs.
|
|
- Separate user devices, servers, infrastructure, IoT, guests, and cameras/security.
|
|
- Move all non-infrastructure devices off Management.
|
|
- Retire Old IoT after staged migration.
|
|
- Add the downstairs U6 LR back into service if coverage or roaming needs it.
|
|
|
|
## Target VLANs
|
|
|
|
1. Infrastructure / Management
|
|
- VLAN 10
|
|
- Subnet: 10.5.10.0/24
|
|
- Contains: UDM, switches, APs, management IPs, controller-facing infra, OOB/admin surfaces
|
|
- Policy: only Trusted admin devices and designated server tooling may initiate into this VLAN
|
|
|
|
2. Trusted Clients
|
|
- VLAN 20
|
|
- Subnet: 10.5.20.0/24
|
|
- Contains: phones, tablets, laptops, handhelds, Steam Deck, personal endpoints
|
|
- Policy: can reach Servers and selected admin surfaces; not a dumping ground for random smart devices
|
|
|
|
3. Servers / Core Services
|
|
- VLAN 30
|
|
- Subnet: 10.5.30.0/24
|
|
- Contains: PlausibleDeniability, Serenity, Nomad, Rocinante, FlyingDutchman if it is a real service host
|
|
- Policy: tightly controlled east-west; explicit service exposure to IoT/Camera where needed
|
|
|
|
4. IoT / Smart Home
|
|
- VLAN 40
|
|
- Subnet: 10.5.40.0/24
|
|
- Contains: ecobees, appliances, MyQ, Google Home-class devices, legacy smart junk worth keeping
|
|
- Policy: default deny to internal networks except DNS, NTP, specific server services, and carefully allowed discovery flows
|
|
|
|
5. Guest
|
|
- VLAN 50
|
|
- Subnet: 10.5.50.0/24
|
|
- Contains: visitor and untrusted BYOD devices
|
|
- Policy: internet only, client isolation on Wi-Fi
|
|
|
|
6. Cameras / Security
|
|
- VLAN 60
|
|
- Subnet: 10.5.60.0/24
|
|
- Contains: doorbell, Protect chimes, future cameras, NVR-adjacent accessories, security-specific Wi-Fi endpoints
|
|
- Policy: no broad access to LAN; only specific flows to Protect/NVR services and operator/admin clients
|
|
|
|
Current live exception:
|
|
- this is still the target design, not the currently proven-safe lane for every Protect accessory
|
|
- a 2026-05-22 client-override attempt put the Wi-Fi chimes on the Camera lane, but they later had to be returned to Management/default `UniFi Wireless` because Protect health failed there
|
|
- future camera/security-lane work must preserve this documented exception until Protect connectivity is explicitly re-validated
|
|
|
|
## SSID Plan
|
|
|
|
Preferred steady-state SSIDs:
|
|
- Trusted: one main trusted SSID
|
|
- Trusted-Compat: optional temporary fallback for stubborn devices only
|
|
- IoT: one dedicated smart-home SSID
|
|
- Guest: one guest SSID
|
|
- Security: one dedicated SSID for Wi-Fi doorbells/chimes/cameras if needed
|
|
|
|
Mapping recommendation:
|
|
- Trusted SSID -> VLAN 20
|
|
- Trusted-Compat SSID -> VLAN 20 (temporary or policy-reduced fallback)
|
|
- IoT SSID -> VLAN 40
|
|
- Guest SSID -> VLAN 50
|
|
- Security SSID -> VLAN 60
|
|
|
|
Current-name migration suggestion:
|
|
- Yer a Wifi Harry -> Trusted
|
|
- Whiskey Neat Fuck Ice -> temporary Trusted-Compat or retire later
|
|
- CIA Via -> repoint to IoT during migration, then decide whether to keep or rename
|
|
- UNEF's Playhouse -> Security / Cameras
|
|
|
|
## Device Placement Recommendations
|
|
|
|
Infrastructure / Management:
|
|
- UDM Pro
|
|
- USW Pro HD 24
|
|
- USW-24-PoE
|
|
- U7 Pro
|
|
- U6 LR
|
|
- other management-only appliance interfaces
|
|
|
|
Servers / Core Services:
|
|
- PlausibleDeniability
|
|
- Serenity
|
|
- Nomad
|
|
- Rocinante
|
|
- FlyingDutchman if used as a real service host
|
|
|
|
Trusted Clients:
|
|
- phones
|
|
- tablets
|
|
- handhelds
|
|
- laptops/desktops
|
|
- Steam Deck
|
|
|
|
IoT / Smart Home:
|
|
- Main-Floor ecobee
|
|
- Upstairs ecobee
|
|
- MyQ
|
|
- Samsung FamilyHub
|
|
- LG dryer
|
|
- Google Home Mini
|
|
- Google / Chromecast-class devices
|
|
- retained legacy smart devices
|
|
|
|
Cameras / Security:
|
|
- front-doorbell
|
|
- Protect chimes (target design; current live exception keeps the Wi-Fi chimes on Management/default `UniFi Wireless` until Protect validation exists on the security lane)
|
|
- future wired/PoE cameras
|
|
- future Wi-Fi security accessories
|
|
|
|
## Wi-Fi and AP Placement
|
|
|
|
Primary AP design:
|
|
- U7 Pro remains active as the main upstairs AP.
|
|
- Reinstall the U6 LR downstairs if downstairs coverage, roaming, or camera/IoT RSSI is weak.
|
|
- Prefer wired backhaul for both APs.
|
|
|
|
Operational stance:
|
|
- Do not overcomplicate RF tuning on day one.
|
|
- First restore dual-AP coverage, then evaluate channels, transmit power, and minimum RSSI with real client behavior.
|
|
- For growing cameras/security footprint, bias toward wired PoE cameras on the Cameras VLAN when practical.
|
|
|
|
## Firewall Intent
|
|
|
|
Trusted -> Management
|
|
- allow only designated admin devices/services
|
|
|
|
Trusted -> Servers
|
|
- allow
|
|
|
|
Trusted -> IoT
|
|
- limited allow for control/discovery as needed
|
|
|
|
Trusted -> Cameras
|
|
- allow operator/admin access
|
|
|
|
Servers -> IoT
|
|
- allow only explicitly needed services
|
|
|
|
Servers -> Cameras
|
|
- allow Protect/NVR-related flows only
|
|
|
|
IoT -> internal networks
|
|
- default deny
|
|
- explicit allow to DNS, NTP, specific server services, and required discovery helpers only
|
|
|
|
Cameras -> internal networks
|
|
- default deny
|
|
- explicit allow to Protect/NVR, time, DNS, and update paths only
|
|
|
|
Guest -> internal networks
|
|
- deny
|
|
|
|
Management -> internet
|
|
- only what infrastructure actually needs
|
|
|
|
## Migration Order
|
|
|
|
Phase 0: groundwork
|
|
- create target VLANs and port profiles
|
|
- stage firewall rules
|
|
- stage target SSIDs
|
|
- document rollback points
|
|
|
|
Phase 1: infrastructure cleanup
|
|
- move all infra to Management VLAN 10
|
|
- remove non-infra clients from management
|
|
- verify switch/AP/gateway management reachability
|
|
|
|
Phase 2: servers
|
|
- move core hosts to Servers VLAN 30
|
|
- confirm service reachability from Trusted
|
|
- update DNS/static mappings/firewall rules
|
|
|
|
Phase 3: cameras/security
|
|
- move doorbell and chimes to VLAN 60 only after explicit Protect-path validation proves that the Wi-Fi chimes stay healthy there
|
|
- prepare room for future camera growth
|
|
|
|
Phase 4: IoT migration
|
|
- move active smart-home devices from Old IoT into VLAN 40 in batches
|
|
- start with easiest cloud-managed devices, then thermostats, then Google ecosystem devices
|
|
|
|
Phase 5: SSID simplification
|
|
- retire Old IoT SSID after validation
|
|
- collapse or retire temporary Trusted-Compat if not needed
|
|
|
|
Phase 6: cleanup
|
|
- remove Old IoT VLAN 2
|
|
- remove stale port profiles
|
|
- remove stale firewall rules and historical exceptions
|
|
|
|
## Port Profile Set
|
|
|
|
Maintain only intentional profiles:
|
|
- trunk-uplink
|
|
- access-management
|
|
- access-trusted
|
|
- access-servers
|
|
- access-iot
|
|
- access-guest
|
|
- access-cameras
|
|
|
|
## Success Criteria
|
|
|
|
- Management contains infrastructure only
|
|
- Old IoT is retired
|
|
- Cameras/Security has room to grow now, not later
|
|
- VLAN purpose is obvious at a glance
|
|
- Wi-Fi SSIDs reflect policy, not historical accidents
|
|
- Firewall rules match intent and are explainable
|
|
- A tired operator can still understand the network at 2 AM
|