docs: Add comprehensive network upgrade plan

- Created NETWORK-UPGRADE-PLAN.md with full topology and VLAN design
- Hardware: 2× GiGaPlus 10G PoE ($202), 2× U7 Pro ($378) = $580 total
- 10G backhaul between server closet and basement
- VLANs: Trusted (1), Servers (10), IoT (20), Guest (30)
- OPNsense VM for routing, UniFi Controller LXC for APs
- Updated TASKS.md with implementation checklist
- Updated DECISIONS.md with architecture rationale

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/CHANGELOG.md

@@ -14,6 +14,17 @@
   - Deployed via ProxmoxVE community helper script
   - Tagged: adblock, dns
 
+### Planning
+- **Network Upgrade Plan**: Created comprehensive plan for network overhaul
+  - Replace Asus mesh with UniFi APs (U6 Enterprise existing + 2× U7 Pro)
+  - Add 10G backhaul between server closet and basement
+  - Hardware: 2× GiGaPlus 10G PoE switches (~$202), 2× U7 Pro (~$378)
+  - Total estimated cost: ~$580
+  - VLAN segmentation: Trusted (1), Servers (10), IoT (20), Guest (30)
+  - OPNsense VM on Elantris for routing/firewall
+  - UniFi Controller LXC for AP management
+  - See `docs/NETWORK-UPGRADE-PLAN.md` for full details
+
 ## 2025-12-15
 
 ### Frigate Migration & Upgrade

docs/DECISIONS.md

@@ -41,6 +41,62 @@
 
 ## Network Architecture
 
+### VLAN Strategy (Planned)
+
+**Decision**: Segment network into 4 VLANs
+**See**: [NETWORK-UPGRADE-PLAN.md](NETWORK-UPGRADE-PLAN.md)
+
+| VLAN | Name | Subnet | Purpose |
+|------|------|--------|---------|
+| 1 | Default | 10.4.2.0/24 | Management, trusted PCs, Proxmox hosts |
+| 10 | Servers | 10.4.10.0/24 | Server containers, NAS |
+| 20 | IoT | 10.4.20.0/24 | Cameras, smart home, Home Assistant |
+| 30 | Guest | 10.4.30.0/24 | Guest WiFi, isolated |
+
+**VLAN Tagging Methods**:
+- WiFi: UniFi APs (SSID → VLAN mapping)
+- Cameras: GS308EP (port-based VLAN)
+- Containers: Proxmox (bridge VLAN tag)
+- Wired PCs: Untagged (VLAN 1 via unmanaged switches)
+
+### Router/Firewall (Planned)
+
+**Decision**: OPNsense VM on Elantris
+**Reason**:
+- Free, full-featured firewall/router
+- VLAN routing and inter-VLAN firewall rules
+- IDS/IPS capability
+- Elantris has ample resources (128GB RAM)
+
+**Alternative Considered**: Ubiquiti Dream Machine
+- Rejected due to cost and ecosystem lock-in
+- OPNsense more flexible for homelab
+
+### 10G Backhaul (Planned)
+
+**Decision**: 10G RJ45 between server closet and basement
+**Hardware**: 2× GiGaPlus 6-Port 10G PoE switches ($101 each)
+**Why GiGaPlus over UniFi**:
+- Native 10G RJ45 (no SFP+ transceivers needed)
+- Includes PoE for APs
+- $202 total vs $800+ for UniFi equivalent
+- Cat6 can handle 10G at house distances (<55m)
+
+### WiFi (Planned)
+
+**Decision**: UniFi APs with mixed models
+**Hardware**:
+- 1× U6 Enterprise (existing) - server closet/upstairs
+- 2× U7 Pro ($189 each) - basement + main floor
+
+**Why UniFi**:
+- Multiple SSIDs mapped to VLANs
+- Seamless roaming between APs
+- Centralized management via controller
+- Better than Asus mesh for VLAN support
+
+**Controller**: LXC on Proxmox (free) via community helper script
+
 ### Reverse Proxy
 
 **Decision**: Single Traefik instance handles all external access

docs/NETWORK-UPGRADE-PLAN.md

@@ -0,0 +1,245 @@
+# Network Upgrade Plan
+
+> **Status**: Planning
+> **Created**: 2025-12-18
+> **Goal**: Replace Asus mesh with UniFi APs + 10G backhaul + VLAN segmentation
+
+## Overview
+
+Upgrade from consumer Asus mesh WiFi to enterprise-grade UniFi APs with proper VLAN segmentation, 10G backhaul between floors, and OPNsense for routing/firewall.
+
+## Hardware Purchase List
+
+| Item | Qty | Unit Price | Total |
+|------|-----|------------|-------|
+| GiGaPlus 6-Port 10G PoE Switch | 2 | $101 | $202 |
+| UniFi U7 Pro AP | 2 | $189 | $378 |
+| **Total** | | | **$580** |
+
+### GiGaPlus Switch Specs
+- 4× 2.5G Base-T PoE ports
+- 2× 10G RJ45 ports
+- 60Gbps switching capacity
+- Unmanaged with VLAN mode
+
+### UniFi U7 Pro Specs
+- WiFi 7, tri-band + 6GHz
+- 2.5G PoE uplink
+- 1,500 ft² coverage
+- Multiple SSIDs per VLAN
+
+## Existing Hardware (Keep)
+
+| Item | Location | Purpose |
+|------|----------|---------|
+| UniFi U6 Enterprise AP | Server closet | Upstairs WiFi |
+| Netgear GS308EP | Server closet | Cameras (managed, VLAN capable) |
+| Cat 6 cable (floors) | Basement ↔ Server closet | 10G backhaul |
+
+## Physical Topology
+
+```
+AT&T Modem (Server Closet - Upstairs)
+     │
+     ▼
+┌──────────────────────────────────────────────────────────┐
+│ SERVER CLOSET - GiGaPlus 10G PoE                         │
+│                                                          │
+│  [10G RJ45] ─────────── Cat6 to basement                 │
+│  [10G RJ45] spare                                        │
+│  [2.5G PoE] U6 Enterprise AP (upstairs coverage)         │
+│  [2.5G PoE] spare                                        │
+│  [2.5G PoE] spare                                        │
+│  [2.5G PoE] spare                                        │
+│                                                          │
+│  Netgear GS308EP ◄── cameras via attic runs              │
+│  Unmanaged switches ◄── wired PCs                        │
+└──────────────────────────────────────────────────────────┘
+              │
+              │ 10G Cat6 backhaul
+              ▼
+┌──────────────────────────────────────────────────────────┐
+│ BASEMENT - GiGaPlus 10G PoE                              │
+│                                                          │
+│  [10G RJ45] ◄── from server closet                       │
+│  [10G RJ45] spare (future Elantris 10G NIC)              │
+│  [2.5G PoE] U7 Pro AP (basement coverage)                │
+│  [2.5G PoE] U7 Pro AP (main floor - long run)            │
+│  [2.5G PoE] Elantris (Proxmox node)                      │
+│  [2.5G PoE] KavNas (Synology)                            │
+└──────────────────────────────────────────────────────────┘
+```
+
+## WiFi Coverage
+
+| Floor | AP | Model |
+|-------|-----|-------|
+| Upstairs (3rd) | Server closet | U6 Enterprise (existing) |
+| Main (2nd) | Long run from basement | U7 Pro |
+| Basement (1st) | Local | U7 Pro |
+
+## VLAN Architecture
+
+### VLAN Assignments
+
+| VLAN | Name | Subnet | Purpose |
+|------|------|--------|---------|
+| 1 | Default | 10.4.2.0/24 | Management, trusted PCs, Proxmox hosts |
+| 10 | Servers | 10.4.10.0/24 | Server containers, NAS |
+| 20 | IoT | 10.4.20.0/24 | Cameras, smart home, Home Assistant |
+| 30 | Guest | 10.4.30.0/24 | Guest WiFi, isolated |
+
+### WiFi SSIDs
+
+| SSID | VLAN | Purpose |
+|------|------|---------|
+| KavCorp | 1 | Trusted devices (phones, laptops, PCs) |
+| KavCorp-IoT | 20 | Smart home WiFi devices |
+| KavCorp-Guest | 30 | Guest access (rate limited, internet only) |
+
+### Device VLAN Assignments
+
+| Device Type | VLAN | How Tagged |
+|-------------|------|------------|
+| WiFi - trusted | 1 | UniFi AP (SSID) |
+| WiFi - IoT | 20 | UniFi AP (SSID) |
+| WiFi - guest | 30 | UniFi AP (SSID) |
+| Cameras | 20 | GS308EP (port-based) |
+| Wired PCs | 1 | Untagged (unmanaged switches) |
+| Proxmox containers | varies | Proxmox VLAN tag |
+
+## Proxmox VLAN Configuration
+
+### Enable VLAN-aware bridge on Elantris
+
+```bash
+# /etc/network/interfaces
+auto vmbr0
+iface vmbr0 inet static
+    address 10.4.2.14/24
+    gateway 10.4.2.254
+    bridge-ports eno1
+    bridge-stp off
+    bridge-fd 0
+    bridge-vlan-aware yes
+```
+
+### Container VLAN Assignments
+
+| Container | VLAN | Subnet | Reason |
+|-----------|------|--------|--------|
+| OPNsense | trunk | all | Router - needs all VLANs |
+| Traefik | 1 | 10.4.2.x | Reverse proxy - reaches all |
+| Pi-hole | 1 | 10.4.2.x | DNS for all VLANs |
+| Sonarr/Radarr/*arr | 10 | 10.4.10.x | Server VLAN |
+| Jellyfin | 10 | 10.4.10.x | Server VLAN |
+| Frigate | 20 | 10.4.20.x | Needs camera access |
+| Home Assistant | 20 | 10.4.20.x | IoT control |
+| UniFi Controller | 1 | 10.4.2.x | AP management |
+
+### LXC VLAN Tag Example
+
+```bash
+# Per container in Proxmox GUI or CLI:
+pct set <vmid> -net0 name=eth0,bridge=vmbr0,tag=10
+
+# Or in /etc/pve/lxc/<vmid>.conf:
+net0: name=eth0,bridge=vmbr0,tag=10,type=veth
+```
+
+## OPNsense VM Setup
+
+### Location
+- **Host**: Elantris (most stable, 128GB RAM)
+- **Resources**: 2-4 vCPU, 4GB RAM
+- **Network**: VLAN trunk (all VLANs)
+
+### Interfaces
+
+| Interface | VLAN | IP | Role |
+|-----------|------|-----|------|
+| vtnet0 | - | DHCP from AT&T | WAN |
+| vtnet1.1 | 1 | 10.4.2.1 | LAN - Management |
+| vtnet1.10 | 10 | 10.4.10.1 | LAN - Servers |
+| vtnet1.20 | 20 | 10.4.20.1 | LAN - IoT |
+| vtnet1.30 | 30 | 10.4.30.1 | LAN - Guest |
+
+### Firewall Rules (High Level)
+
+| From | To | Action |
+|------|-----|--------|
+| Trusted (1) | Any | Allow |
+| Servers (10) | Internet | Allow |
+| Servers (10) | Trusted (1) | Allow (for access) |
+| IoT (20) | Internet | Allow |
+| IoT (20) | Servers (10) | Block (except Frigate, HA) |
+| IoT (20) | Trusted (1) | Block |
+| Guest (30) | Internet | Allow (rate limit) |
+| Guest (30) | Any internal | Block |
+
+## UniFi Controller
+
+### Deployment Options
+
+1. **LXC on Proxmox** (recommended) - Free, uses existing hardware
+2. **Cloud Gateway** - Extra cost, dedicated hardware
+
+### LXC Setup (via helper script)
+
+```bash
+# On Proxmox node:
+bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/unifi.sh)"
+```
+
+## Implementation Steps
+
+### Phase 1: Hardware
+- [ ] Order 2× GiGaPlus 10G PoE switches
+- [ ] Order 2× UniFi U7 Pro APs
+- [ ] Test Cat6 cable for 10G capability
+
+### Phase 2: Switches
+- [ ] Install GiGaPlus switch in server closet
+- [ ] Install GiGaPlus switch in basement
+- [ ] Connect 10G backhaul
+- [ ] Verify 10G link speed
+
+### Phase 3: OPNsense
+- [ ] Create OPNsense VM on Elantris
+- [ ] Configure WAN (AT&T modem)
+- [ ] Configure VLAN interfaces
+- [ ] Set up basic firewall rules
+- [ ] Test internet connectivity
+
+### Phase 4: UniFi
+- [ ] Deploy UniFi Controller LXC
+- [ ] Adopt U6 Enterprise
+- [ ] Install U7 Pro APs
+- [ ] Adopt U7 Pro APs
+- [ ] Configure SSIDs with VLAN tags
+
+### Phase 5: VLAN Migration
+- [ ] Configure GS308EP camera ports for VLAN 20
+- [ ] Update Proxmox bridge to VLAN-aware
+- [ ] Migrate containers to appropriate VLANs
+- [ ] Test inter-VLAN routing
+- [ ] Verify firewall rules
+
+### Phase 6: Cleanup
+- [ ] Remove Asus mesh routers
+- [ ] Update documentation
+- [ ] Test all services
+
+## Rollback Plan
+
+Keep Asus mesh routers available during migration. If issues arise:
+1. Disconnect GiGaPlus switches
+2. Reconnect Asus routers
+3. Restore original network config
+
+## Notes
+
+- GiGaPlus switches are unmanaged - VLAN tagging happens at endpoints (APs, GS308EP, Proxmox)
+- Wired PCs on unmanaged switches will stay on VLAN 1 (trusted)
+- Pi-hole should remain accessible from all VLANs for DNS
+- Consider adding 10G NIC to Elantris later for direct 10G connection

docs/TASKS.md

@@ -1,6 +1,6 @@
 # Current Tasks
 
-> **Last Updated**: 2025-11-17
+> **Last Updated**: 2025-12-18
 
 ## In Progress
 
@@ -8,6 +8,17 @@ None currently.
 
 ## Pending
 
+### Network Upgrade (Priority)
+See [NETWORK-UPGRADE-PLAN.md](NETWORK-UPGRADE-PLAN.md) for full details.
+
+- [ ] Order hardware (2× GiGaPlus 10G PoE, 2× U7 Pro)
+- [ ] Test Cat6 cable for 10G capability
+- [ ] Install switches and verify 10G backhaul
+- [ ] Deploy OPNsense VM on Elantris
+- [ ] Deploy UniFi Controller LXC
+- [ ] Configure VLANs and migrate services
+- [ ] Remove Asus mesh routers
+
 ### Media Organization
 - [ ] Verify Jellyfin can see all imported media
 - [ ] Clean up `.processing-loose-episodes` folder