Compare commits
5 Commits
4815a70dd0
...
d999047b1c
| Author | SHA1 | Date | |
|---|---|---|---|
| d999047b1c | |||
| 9784c51ffb | |||
| 7e4ff79a11 | |||
| cc72ed8309 | |||
| c3f567f639 |
@@ -2,6 +2,23 @@
|
||||
|
||||
> **Purpose**: Historical record of all significant infrastructure changes
|
||||
|
||||
## 2025-12-22
|
||||
|
||||
### NAT Reflection & External Access Fix
|
||||
- **Root cause**: Traefik (LXC 104) had gateway set to 10.4.2.254 (Asus) instead of 10.4.2.1 (OPNsense)
|
||||
- **Symptom**: External traffic and VLAN traffic to Traefik via WAN IP failed (asymmetric routing)
|
||||
- **Fix**: Changed Traefik gateway to 10.4.2.1 in both runtime and `/etc/pve/lxc/104.conf`
|
||||
|
||||
### OPNsense NAT Configuration
|
||||
- Enabled NAT reflection (Pure NAT mode) in Firewall → Settings → Advanced
|
||||
- Enabled automatic outbound NAT for reflection
|
||||
- Port forwards for HTTPS (443) → Traefik (10.4.2.10) now work from all VLANs and external
|
||||
|
||||
### NFS Storage Issues
|
||||
- KavNas has two NICs with different IPs; primary is 10.4.2.13
|
||||
- Fixed stale NFS mounts on pm2 and pm4 by updating `/etc/pve/storage.cfg` to correct IP
|
||||
- Pi-hole (LXC 103) and other containers recovered after NFS fix
|
||||
|
||||
## 2025-12-21
|
||||
|
||||
### Traefik Updates
|
||||
|
||||
157
docs/IP-MIGRATION-PLAN.md
Normal file
157
docs/IP-MIGRATION-PLAN.md
Normal file
@@ -0,0 +1,157 @@
|
||||
# IP Address Migration Plan
|
||||
|
||||
## Status: IN PROGRESS
|
||||
|
||||
**Completed 2025-12-22:**
|
||||
- [x] All LXC gateways fixed to 10.4.2.1 (OPNsense)
|
||||
- [x] Critical containers migrated to local-lvm (Pi-hole, Traefik, Authelia, Vaultwarden, UniFi, Gitea)
|
||||
- [x] Traefik gateway fixed (was 10.4.2.254, now 10.4.2.1)
|
||||
- [x] NAT reflection enabled in OPNsense
|
||||
- [x] UniFi, Immich, Gitea set to static IPs and verified working through Traefik
|
||||
- [x] Radarr IP conflict resolved (moved from 10.4.2.16 to 10.4.2.24)
|
||||
|
||||
**Current Static IPs (verified working):**
|
||||
- UniFi (111): 10.4.2.16 - Traefik verified
|
||||
- Gitea (127): 10.4.2.31 - Traefik verified
|
||||
- Immich (126): 10.4.2.30 - Traefik verified
|
||||
- Radarr (108): 10.4.2.24 - Traefik updated
|
||||
|
||||
**Pending:**
|
||||
- [ ] Media stack IP reorganization (10.4.2.20-29)
|
||||
- [ ] Pi-hole migration (10.4.2.129 → 10.4.2.11)
|
||||
- [ ] KavNas / Elantris IP updates (deferred)
|
||||
- [ ] Update docs/INFRASTRUCTURE.md with final IPs
|
||||
|
||||
**Current IP Map (pm2 - 10.4.2.6):**
|
||||
- 104 traefik: 10.4.2.10
|
||||
- 105 sonarr: 10.4.2.15
|
||||
- 108 radarr: 10.4.2.24
|
||||
- 113 docker-pm2: 10.4.2.203
|
||||
- 114 prowlarr: 10.4.2.17
|
||||
- 115 jellyseerr: 10.4.2.18
|
||||
- 116 authelia: 10.4.2.19
|
||||
- 117 whisparr: 10.4.2.20
|
||||
- 118 notifiarr: 10.4.2.21
|
||||
- 119 bazarr: 10.4.2.22
|
||||
- 120 kometa: 10.4.2.23
|
||||
- 122 recyclarr: 10.4.2.25
|
||||
|
||||
**Current IP Map (pm4 - 10.4.2.5):**
|
||||
- 103 pihole: 10.4.2.129
|
||||
- 110 docker-pm4: 10.4.2.204
|
||||
- 111 unifi: 10.4.2.16
|
||||
- 125 vaultwarden: 10.4.2.212
|
||||
- 126 immich: 10.4.2.30
|
||||
- 127 gitea: 10.4.2.31
|
||||
|
||||
## New IP Allocation Scheme
|
||||
|
||||
| Range | Purpose |
|
||||
|-------|---------|
|
||||
| 10.4.2.1 | OPNsense gateway |
|
||||
| 10.4.2.2-9 | Proxmox nodes |
|
||||
| 10.4.2.10-19 | **Core Infrastructure** (proxy, DNS, auth, NAS) |
|
||||
| 10.4.2.20-39 | **Services** (media stack, apps) |
|
||||
| 10.4.2.40-49 | **Game servers / AMP** |
|
||||
| 10.4.2.50-99 | **Reserved / Future** |
|
||||
| 10.4.2.100-199 | **DHCP Dynamic Pool** |
|
||||
| 10.4.2.200-239 | **Docker hosts / VMs** |
|
||||
| 10.4.2.240-249 | **IoT / Network controllers** |
|
||||
| 10.4.2.250-254 | **Network gear** |
|
||||
|
||||
## Migration Table
|
||||
|
||||
### Core Infrastructure (10.4.2.10-19)
|
||||
|
||||
| Service | VMID | Node | Current IP | New IP | Gateway Fix |
|
||||
|---------|------|------|------------|--------|-------------|
|
||||
| Traefik | 104 | pm2 | 10.4.2.10 | 10.4.2.10 | Already 10.4.2.1 |
|
||||
| Pi-hole | 103 | pm4 | 10.4.2.129 | 10.4.2.11 | Already 10.4.2.1 |
|
||||
| Authelia | 116 | pm2 | 10.4.2.19 | 10.4.2.12 | 10.4.2.254→10.4.2.1 |
|
||||
| KavNas | - | NAS | 10.4.2.13 | 10.4.2.13 | N/A (DHCP static) |
|
||||
| Gitea | 127 | pm4 | 10.4.2.7 (DHCP) | 10.4.2.14 | Set to 10.4.2.1 |
|
||||
| Vaultwarden | 125 | pm4 | 10.4.2.212 | 10.4.2.15 | 10.4.2.254→10.4.2.1 |
|
||||
| UniFi | 111 | pm4 | 10.4.2.242 (DHCP) | 10.4.2.16 | Set to 10.4.2.1 |
|
||||
|
||||
### Services - Media Stack (10.4.2.20-29)
|
||||
|
||||
| Service | VMID | Node | Current IP | New IP | Gateway Fix |
|
||||
|---------|------|------|------------|--------|-------------|
|
||||
| Sonarr | 105 | pm2 | 10.4.2.15 | 10.4.2.20 | 10.4.2.254→10.4.2.1 |
|
||||
| Radarr | 108 | pm2 | 10.4.2.24 | 10.4.2.24 | ✅ Done |
|
||||
| Prowlarr | 114 | pm2 | 10.4.2.17 | 10.4.2.22 | 10.4.2.254→10.4.2.1 |
|
||||
| Bazarr | 119 | pm2 | 10.4.2.22 | 10.4.2.23 | 10.4.2.254→10.4.2.1 |
|
||||
| Whisparr | 117 | pm2 | 10.4.2.20 | 10.4.2.24 | 10.4.2.254→10.4.2.1 |
|
||||
| Jellyseerr | 115 | pm2 | 10.4.2.18 | 10.4.2.25 | 10.4.2.254→10.4.2.1 |
|
||||
| Jellyfin | 121 | elantris | 10.4.2.21 | 10.4.2.26 | Check |
|
||||
| Kometa | 120 | pm2 | 10.4.2.23 | 10.4.2.27 | 10.4.2.254→10.4.2.1 |
|
||||
| Recyclarr | 122 | pm2 | 10.4.2.25 | 10.4.2.28 | 10.4.2.254→10.4.2.1 |
|
||||
| Notifiarr | 118 | pm2 | 10.4.2.21 | 10.4.2.29 | 10.4.2.254→10.4.2.1 |
|
||||
| Immich | 126 | pm4 | DHCP | 10.4.2.30 | Set to 10.4.2.1 |
|
||||
|
||||
### Services - Other (10.4.2.30-39)
|
||||
|
||||
| Service | VMID | Node | Current IP | New IP | Gateway Fix |
|
||||
|---------|------|------|------------|--------|-------------|
|
||||
| Immich | 126 | pm4 | DHCP | 10.4.2.30 | Set to 10.4.2.1 |
|
||||
| Frigate | 128 | pm3 | 10.4.2.8 | 10.4.2.31 | Check |
|
||||
| Foundry VTT | 112 | pm3 | 10.4.2.37 | 10.4.2.32 | Check |
|
||||
| Home Assistant | 100 | pm1 | 10.4.2.62 | 10.4.2.33 | Check |
|
||||
| llama.cpp | 123 | elantris | 10.4.2.224 | 10.4.2.34 | Check |
|
||||
|
||||
### Game Servers (10.4.2.40-49)
|
||||
|
||||
| Service | VMID | Node | Current IP | New IP | Gateway Fix |
|
||||
|---------|------|------|------------|--------|-------------|
|
||||
| AMP | 124 | elantris | 10.4.2.26 | 10.4.2.40 | Check |
|
||||
|
||||
### Docker Hosts (10.4.2.200-209)
|
||||
|
||||
| Service | VMID | Node | Current IP | New IP | Gateway Fix |
|
||||
|---------|------|------|------------|--------|-------------|
|
||||
| docker-pm2 | 113 | pm2 | 10.4.2.203 | 10.4.2.200 | 10.4.2.254→10.4.2.1 |
|
||||
| docker-pm4 | 110 | pm4 | 10.4.2.204 | 10.4.2.201 | 10.4.2.254→10.4.2.1 |
|
||||
| docker-pm3 | 109 | pm3 | ? | 10.4.2.202 | Check |
|
||||
| dockge | 107 | pm3 | ? | 10.4.2.203 | Check |
|
||||
|
||||
## Migration Order
|
||||
|
||||
**Phase 1: Fix gateways only (no IP changes)**
|
||||
- Restart not required, just config update
|
||||
|
||||
**Phase 2: Migrate non-critical services**
|
||||
1. Media stack (Sonarr, Radarr, etc.) - low impact
|
||||
2. Docker hosts
|
||||
3. Game servers
|
||||
|
||||
**Phase 3: Migrate core services (brief downtime)**
|
||||
1. Authelia
|
||||
2. Vaultwarden
|
||||
3. UniFi
|
||||
4. Gitea
|
||||
|
||||
**Phase 4: Migrate DNS (coordinate carefully)**
|
||||
1. Update all DHCP clients to use new Pi-hole IP FIRST
|
||||
2. Then migrate Pi-hole
|
||||
|
||||
**Phase 5: Update Traefik configs**
|
||||
- Update all backend IPs in Traefik route configs
|
||||
|
||||
## Post-Migration
|
||||
|
||||
1. Update OPNsense DHCP static mappings
|
||||
2. Update docs/INFRASTRUCTURE.md
|
||||
3. Update Traefik configs
|
||||
4. Test all services
|
||||
5. Delete this migration plan file
|
||||
|
||||
## Commands Reference
|
||||
|
||||
**Change LXC IP and gateway:**
|
||||
```bash
|
||||
pct set <vmid> --net0 name=eth0,bridge=vmbr0,gw=10.4.2.1,ip=<NEW_IP>/24,type=veth
|
||||
pct reboot <vmid>
|
||||
```
|
||||
|
||||
**Add DHCP static mapping in OPNsense:**
|
||||
Via UI: Services → DHCPv4 → [LAN] → Static Mappings
|
||||
Reference in New Issue
Block a user