nathan/homelab
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Releases Wiki Activity
homelab/ansible/archive/documentation/contracts/Networking.md

2.6 KiB
Raw Blame History

Point 3 Networking FINAL

Role

  • Defines how all homelab components (control, compute, storage, users) connect and communicate
  • Baseline: single-site, flat LAN for all core infra, with best-practice VLANs and segmentation as future upgrades

Baseline LAN

  • Primary LAN: 10.0.0.0/24 (gateway: 10.0.0.2)
  • DHCP range: 10.0.0.5010.0.0.150
  • Static infra: .2.10 (infra), .10.14 (Proxmox), .200+ (homelab), .249 (Synology), .250 (TerraMaster)
  • Key static IPs:
    • Watchtower: 10.0.0.200
    • Proxmox hosts: 10.0.0.10.14
    • Synology: 10.0.0.249
    • TerraMaster: 10.0.0.250
  • All core infra and homelab services live in the "main" VLAN
  • IoT is segregated; guest WiFi VLAN exists but is unused

Service exposure & remote access

  • Most services are reverse-proxied via Traefik and exposed to the internet
  • Tailscale is used for network ingress, not direct service exposure
  • Operator remote access: Omada VPN, Tailscale, VS Code Tunnel; SSH/terminal access can be added as needed
  • Management UIs (Proxmox, Watchtower, NAS) are not intentionally public, but most services are proxied

Interconnection & segmentation

  • Watchtower can reach all Proxmox hosts, Synology, and TerraMaster directly (no firewall blocks)
  • Homelab is entirely in the "main" VLAN; IoT is isolated; guest VLAN is unused
  • Segmentation exists for IoT, but not for homelab/infra yet; setup should be reviewed periodically

Future VLAN model (intent)

  • Follow best practices for small networks:
    • mgmt: hypervisors, switches, Watchtower
    • workloads: Swarm worker VMs, app traffic
    • storage: NAS traffic
    • users/guests: client devices
  • All VLANs must be isolated except via explicit firewall rules
  • Review and update segmentation as needs evolve

Operational constraints / "never do this"

  • Never bridge production and lab VLANs
  • Never expose management VLAN or core infra directly to the internet
  • Never allow IoT VLAN to reach core infra or management
  • Never mix guest and production traffic without a firewall
  • All changes to VLANs, firewall, or router config must be deliberate and documented

Further considerations

  • Exact VLAN IDs, IP ranges, DHCP/DNS, and firewall rules will live in a separate, detailed networking doc (to be referenced here)
  • Networking is single-site only; future multi-site/remote backup will require explicit design
  • Router/firewall implementation details (e.g., Omada, OPNsense, UniFi) will be documented separately; this contract is vendor-neutral
  • Review this contract and underlying network setup at least annually or after major infra changes