## ✅ **Point 3 – Networking – FINAL**

### **Role**

* Defines how all homelab components (control, compute, storage, users) connect and communicate
* Baseline: single-site, flat LAN for all core infra, with best-practice VLANs and segmentation as future upgrades

---

### **Baseline LAN**

* Primary LAN: `10.0.0.0/24` (gateway: `10.0.0.2`)
* DHCP range: `10.0.0.50–10.0.0.150`
* Static infra: `.2–.10` (infra), `.10–.14` (Proxmox), `.200+` (homelab), `.249` (Synology), `.250` (TerraMaster)
* Key static IPs:
  * Watchtower: `10.0.0.200`
  * Proxmox hosts: `10.0.0.10–.14`
  * Synology: `10.0.0.249`
  * TerraMaster: `10.0.0.250`
* All core infra and homelab services live in the "main" VLAN
* IoT is segregated; a guest WiFi VLAN exists but is unused

---

### **Service exposure & remote access**

* Most services are reverse-proxied via Traefik and exposed to the internet
* Tailscale is used for network ingress, not for direct service exposure
* Operator remote access: Omada VPN, Tailscale, VS Code Tunnel; SSH/terminal access can be added as needed
* Management UIs (Proxmox, Watchtower, NAS) are not intentionally public, but most services are proxied

---

### **Interconnection & segmentation**

* Watchtower can reach all Proxmox hosts, Synology, and TerraMaster directly (no firewall blocks)
* Homelab is entirely in the "main" VLAN; IoT is isolated; guest VLAN is unused
* Segmentation exists for IoT, but not yet for homelab/infra; the setup should be reviewed periodically

---

### **Future VLAN model (intent)**

* Follow best practices for small networks:
  * mgmt: hypervisors, switches, Watchtower
  * workloads: Swarm worker VMs, app traffic
  * storage: NAS traffic
  * users/guests: client devices
* All VLANs must be isolated except via explicit firewall rules
* Review and update segmentation as needs evolve

---

### **Operational constraints / "never do this"**

* Never bridge production and lab VLANs
* Never expose the management VLAN or core infra directly to the internet
* Never allow the IoT VLAN to reach core infra or management
* Never mix guest and production traffic without a firewall
* All changes to VLANs, firewall, or router config must be deliberate and documented

---

### **Further considerations**

* Exact VLAN IDs, IP ranges, DHCP/DNS, and firewall rules will live in a separate, detailed networking doc (to be referenced here)
* Networking is single-site only; future multi-site/remote backup will require explicit design
* Router/firewall implementation details (e.g., Omada, OPNsense, UniFi) will be documented separately; this contract is vendor-neutral
* Review this contract and the underlying network setup at least annually or after major infra changes
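As an added consistency check (example code, not part of the contract or the homelab's own tooling), the baseline LAN plan above encoded and linted with Python's standard `ipaddress` module: static pools must not overlap each other or the DHCP range, and every reserved host must be a usable address inside a pool. It assumes `.200+` means `.200–.254` and that the Proxmox hosts occupy `.10–.14` inclusive.

```python
import ipaddress
from itertools import combinations

# Address plan copied from the contract above. Assumption: ".200+" is read as
# .200-.254 (up to the last usable host); Proxmox hosts are .10-.14 inclusive.
LAN = ipaddress.ip_network("10.0.0.0/24")
DHCP = (50, 150)
POOLS = {"infra": (2, 10), "proxmox": (10, 14), "homelab": (200, 254)}
HOSTS = {
    "gateway": 2,
    "watchtower": 200,
    **{f"pve{i}": 10 + i for i in range(5)},  # 10.0.0.10 .. 10.0.0.14
    "synology": 249,
    "terramaster": 250,
}


def addr(octet):
    """Last octet -> IPv4Address inside LAN."""
    return LAN.network_address + octet


def overlap(a, b):
    """Inclusive overlap of two (lo, hi) last-octet ranges, or None."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def lint_plan(pools=POOLS, hosts=HOSTS, dhcp=DHCP):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    # 1. Static pools must be disjoint from each other and from the DHCP range.
    ranges = list(pools.items()) + [("dhcp", dhcp)]
    for (na, ra), (nb, rb) in combinations(ranges, 2):
        hit = overlap(ra, rb)
        if hit:
            findings.append(f"{na}/{nb} overlap at {addr(hit[0])}-{addr(hit[1])}")
    # 2. Every static host must be a usable LAN address, outside DHCP, in a pool.
    for name, octet in hosts.items():
        ip = addr(octet)
        if ip not in LAN or ip in (LAN.network_address, LAN.broadcast_address):
            findings.append(f"{name} {ip} is not a usable address in {LAN}")
        elif dhcp[0] <= octet <= dhcp[1]:
            findings.append(f"{name} {ip} sits inside the DHCP range")
        elif not any(lo <= octet <= hi for lo, hi in pools.values()):
            findings.append(f"{name} {ip} is outside every static pool")
    return findings


if __name__ == "__main__":
    for line in lint_plan() or ["plan is consistent"]:
        print(line)
```

Run against the plan as written, the linter reports that the `infra` and `proxmox` pools both claim `10.0.0.10`; the same check is worth re-running whenever the detailed networking doc changes the ranges.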