kavren/proxmox-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: Add comprehensive network upgrade plan

Browse Source 
- Created NETWORK-UPGRADE-PLAN.md with full topology and VLAN design
- Hardware: 2× GiGaPlus 10G PoE ($202), 2× U7 Pro ($378) = $580 total
- 10G backhaul between server closet and basement
- VLANs: Trusted (1), Servers (10), IoT (20), Guest (30)
- OPNsense VM for routing, UniFi Controller LXC for APs
- Updated TASKS.md with implementation checklist
- Updated DECISIONS.md with architecture rationale

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
kavren
2025-12-18 12:32:05 -05:00
parent 6449212620
commit ef02ff5eb6
4 changed files with 324 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

245
docs/NETWORK-UPGRADE-PLAN.md Normal file
View File

@@ -0,0 +1,245 @@
# Network Upgrade Plan
> **Status**: Planning
> **Created**: 2025-12-18
> **Goal**: Replace Asus mesh with UniFi APs + 10G backhaul + VLAN segmentation
## Overview
Upgrade from consumer Asus mesh WiFi to enterprise-grade UniFi APs with proper VLAN segmentation, 10G backhaul between floors, and OPNsense for routing/firewall.
## Hardware Purchase List
| Item | Qty | Unit Price | Total |
|------|-----|------------|-------|
| GiGaPlus 6-Port 10G PoE Switch | 2 | $101 | $202 |
| UniFi U7 Pro AP | 2 | $189 | $378 |
| **Total** | | | **$580** |
### GiGaPlus Switch Specs
- 4× 2.5G Base-T PoE ports
- 2× 10G RJ45 ports
- 60Gbps switching capacity
- Unmanaged with VLAN mode
### UniFi U7 Pro Specs
- WiFi 7, tri-band + 6GHz
- 2.5G PoE uplink
- 1,500 ft² coverage
- Multiple SSIDs per VLAN
## Existing Hardware (Keep)
| Item | Location | Purpose |
|------|----------|---------|
| UniFi U6 Enterprise AP | Server closet | Upstairs WiFi |
| Netgear GS308EP | Server closet | Cameras (managed, VLAN capable) |
| Cat 6 cable (floors) | Basement ↔ Server closet | 10G backhaul |
## Physical Topology
```
AT&T Modem (Server Closet - Upstairs)
┌──────────────────────────────────────────────────────────┐
│ SERVER CLOSET - GiGaPlus 10G PoE │
│ │
│ [10G RJ45] ─────────── Cat6 to basement │
│ [10G RJ45] spare │
│ [2.5G PoE] U6 Enterprise AP (upstairs coverage) │
│ [2.5G PoE] spare │
│ [2.5G PoE] spare │
│ [2.5G PoE] spare │
│ │
│ Netgear GS308EP ◄── cameras via attic runs │
│ Unmanaged switches ◄── wired PCs │
└──────────────────────────────────────────────────────────┘
│ 10G Cat6 backhaul
┌──────────────────────────────────────────────────────────┐
│ BASEMENT - GiGaPlus 10G PoE │
│ │
│ [10G RJ45] ◄── from server closet │
│ [10G RJ45] spare (future Elantris 10G NIC) │
│ [2.5G PoE] U7 Pro AP (basement coverage) │
│ [2.5G PoE] U7 Pro AP (main floor - long run) │
│ [2.5G PoE] Elantris (Proxmox node) │
│ [2.5G PoE] KavNas (Synology) │
└──────────────────────────────────────────────────────────┘
```
## WiFi Coverage
| Floor | AP | Model |
|-------|-----|-------|
| Upstairs (3rd) | Server closet | U6 Enterprise (existing) |
| Main (2nd) | Long run from basement | U7 Pro |
| Basement (1st) | Local | U7 Pro |
## VLAN Architecture
### VLAN Assignments
| VLAN | Name | Subnet | Purpose |
|------|------|--------|---------|
| 1 | Default | 10.4.2.0/24 | Management, trusted PCs, Proxmox hosts |
| 10 | Servers | 10.4.10.0/24 | Server containers, NAS |
| 20 | IoT | 10.4.20.0/24 | Cameras, smart home, Home Assistant |
| 30 | Guest | 10.4.30.0/24 | Guest WiFi, isolated |
### WiFi SSIDs
| SSID | VLAN | Purpose |
|------|------|---------|
| KavCorp | 1 | Trusted devices (phones, laptops, PCs) |
| KavCorp-IoT | 20 | Smart home WiFi devices |
| KavCorp-Guest | 30 | Guest access (rate limited, internet only) |
### Device VLAN Assignments
| Device Type | VLAN | How Tagged |
|-------------|------|------------|
| WiFi - trusted | 1 | UniFi AP (SSID) |
| WiFi - IoT | 20 | UniFi AP (SSID) |
| WiFi - guest | 30 | UniFi AP (SSID) |
| Cameras | 20 | GS308EP (port-based) |
| Wired PCs | 1 | Untagged (unmanaged switches) |
| Proxmox containers | varies | Proxmox VLAN tag |
## Proxmox VLAN Configuration
### Enable VLAN-aware bridge on Elantris
```bash
# /etc/network/interfaces
auto vmbr0
iface vmbr0 inet static
address 10.4.2.14/24
gateway 10.4.2.254
bridge-ports eno1
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
```
### Container VLAN Assignments
| Container | VLAN | Subnet | Reason |
|-----------|------|--------|--------|
| OPNsense | trunk | all | Router - needs all VLANs |
| Traefik | 1 | 10.4.2.x | Reverse proxy - reaches all |
| Pi-hole | 1 | 10.4.2.x | DNS for all VLANs |
| Sonarr/Radarr/*arr | 10 | 10.4.10.x | Server VLAN |
| Jellyfin | 10 | 10.4.10.x | Server VLAN |
| Frigate | 20 | 10.4.20.x | Needs camera access |
| Home Assistant | 20 | 10.4.20.x | IoT control |
| UniFi Controller | 1 | 10.4.2.x | AP management |
### LXC VLAN Tag Example
```bash
# Per container in Proxmox GUI or CLI:
pct set <vmid> -net0 name=eth0,bridge=vmbr0,tag=10
# Or in /etc/pve/lxc/<vmid>.conf:
net0: name=eth0,bridge=vmbr0,tag=10,type=veth
```
## OPNsense VM Setup
### Location
- **Host**: Elantris (most stable, 128GB RAM)
- **Resources**: 2-4 vCPU, 4GB RAM
- **Network**: VLAN trunk (all VLANs)
### Interfaces
| Interface | VLAN | IP | Role |
|-----------|------|-----|------|
| vtnet0 | - | DHCP from AT&T | WAN |
| vtnet1.1 | 1 | 10.4.2.1 | LAN - Management |
| vtnet1.10 | 10 | 10.4.10.1 | LAN - Servers |
| vtnet1.20 | 20 | 10.4.20.1 | LAN - IoT |
| vtnet1.30 | 30 | 10.4.30.1 | LAN - Guest |
### Firewall Rules (High Level)
| From | To | Action |
|------|-----|--------|
| Trusted (1) | Any | Allow |
| Servers (10) | Internet | Allow |
| Servers (10) | Trusted (1) | Allow (for access) |
| IoT (20) | Internet | Allow |
| IoT (20) | Servers (10) | Block (except Frigate, HA) |
| IoT (20) | Trusted (1) | Block |
| Guest (30) | Internet | Allow (rate limit) |
| Guest (30) | Any internal | Block |
## UniFi Controller
### Deployment Options
1. **LXC on Proxmox** (recommended) - Free, uses existing hardware
2. **Cloud Gateway** - Extra cost, dedicated hardware
### LXC Setup (via helper script)
```bash
# On Proxmox node:
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/unifi.sh)"
```
## Implementation Steps
### Phase 1: Hardware
- [ ] Order 2× GiGaPlus 10G PoE switches
- [ ] Order 2× UniFi U7 Pro APs
- [ ] Test Cat6 cable for 10G capability
### Phase 2: Switches
- [ ] Install GiGaPlus switch in server closet
- [ ] Install GiGaPlus switch in basement
- [ ] Connect 10G backhaul
- [ ] Verify 10G link speed
### Phase 3: OPNsense
- [ ] Create OPNsense VM on Elantris
- [ ] Configure WAN (AT&T modem)
- [ ] Configure VLAN interfaces
- [ ] Set up basic firewall rules
- [ ] Test internet connectivity
### Phase 4: UniFi
- [ ] Deploy UniFi Controller LXC
- [ ] Adopt U6 Enterprise
- [ ] Install U7 Pro APs
- [ ] Adopt U7 Pro APs
- [ ] Configure SSIDs with VLAN tags
### Phase 5: VLAN Migration
- [ ] Configure GS308EP camera ports for VLAN 20
- [ ] Update Proxmox bridge to VLAN-aware
- [ ] Migrate containers to appropriate VLANs
- [ ] Test inter-VLAN routing
- [ ] Verify firewall rules
### Phase 6: Cleanup
- [ ] Remove Asus mesh routers
- [ ] Update documentation
- [ ] Test all services
## Rollback Plan
Keep Asus mesh routers available during migration. If issues arise:
1. Disconnect GiGaPlus switches
2. Reconnect Asus routers
3. Restore original network config
## Notes
- GiGaPlus switches are unmanaged - VLAN tagging happens at endpoints (APs, GS308EP, Proxmox)
- Wired PCs on unmanaged switches will stay on VLAN 1 (trusted)
- Pi-hole should remain accessible from all VLANs for DNS
- Consider adding 10G NIC to Elantris later for direct 10G connection