# Network Upgrade Plan

> **Status**: Planning
> **Created**: 2025-12-18
> **Goal**: Replace Asus mesh with UniFi APs + 10G backhaul + VLAN segmentation

## Overview

Upgrade from consumer Asus mesh WiFi to enterprise-grade UniFi APs with proper VLAN segmentation, 10G backhaul between floors, and OPNsense for routing/firewall.

## Hardware Purchase List

| Item | Qty | Unit Price | Total |
|------|-----|------------|-------|
| GiGaPlus 6-Port 10G PoE Switch | 2 | $101 | $202 |
| UniFi U7 Pro AP | 2 | $189 | $378 |
| **Total** | | | **$580** |

### GiGaPlus Switch Specs

- 4× 2.5G Base-T PoE ports
- 2× 10G RJ45 ports
- 60Gbps switching capacity
- Unmanaged with VLAN mode

### UniFi U7 Pro Specs

- WiFi 7, tri-band + 6GHz
- 2.5G PoE uplink
- 1,500 ft² coverage
- Multiple SSIDs per VLAN

## Existing Hardware (Keep)

| Item | Location | Purpose |
|------|----------|---------|
| UniFi U6 Enterprise AP | Server closet | Upstairs WiFi |
| Netgear GS308EP | Server closet | Cameras (managed, VLAN capable) |
| Cat 6 cable (floors) | Basement ↔ Server closet | 10G backhaul |

## Physical Topology

```
AT&T Modem (Server Closet - Upstairs)
        │
        ▼
┌──────────────────────────────────────────────────────────┐
│  SERVER CLOSET - GiGaPlus 10G PoE                        │
│                                                          │
│  [10G RJ45] ─────────── Cat6 to basement                 │
│  [10G RJ45] spare                                        │
│  [2.5G PoE] U6 Enterprise AP (upstairs coverage)         │
│  [2.5G PoE] spare                                        │
│  [2.5G PoE] spare                                        │
│  [2.5G PoE] spare                                        │
│                                                          │
│  Netgear GS308EP ◄── cameras via attic runs              │
│  Unmanaged switches ◄── wired PCs                        │
└──────────────────────────────────────────────────────────┘
        │
        │ 10G Cat6 backhaul
        ▼
┌──────────────────────────────────────────────────────────┐
│  BASEMENT - GiGaPlus 10G PoE                             │
│                                                          │
│  [10G RJ45] ◄── from server closet                       │
│  [10G RJ45] spare (future Elantris 10G NIC)              │
│  [2.5G PoE] U7 Pro AP (basement coverage)                │
│  [2.5G PoE] U7 Pro AP (main floor - long run)            │
│  [2.5G PoE] Elantris (Proxmox node)                      │
│  [2.5G PoE] KavNas (Synology)                            │
└──────────────────────────────────────────────────────────┘
```

## WiFi Coverage

| Floor | AP Location | Model |
|-------|-------------|-------|
| Upstairs (3rd) | Server closet | U6 Enterprise (existing) |
| Main (2nd) | Long run from basement | U7 Pro |
| Basement (1st) | Local | U7 Pro |

## VLAN Architecture

### VLAN Assignments

| VLAN | Name | Subnet | Purpose |
|------|------|--------|---------|
| 1 | Default | 10.4.2.0/24 | Management, trusted PCs, Proxmox hosts |
| 10 | Servers | 10.4.10.0/24 | Server containers, NAS |
| 20 | IoT | 10.4.20.0/24 | Cameras, smart home, Home Assistant |
| 30 | Guest | 10.4.30.0/24 | Guest WiFi, isolated |

### WiFi SSIDs

| SSID | VLAN | Purpose |
|------|------|---------|
| KavCorp | 1 | Trusted devices (phones, laptops, PCs) |
| KavCorp-IoT | 20 | Smart home WiFi devices |
| KavCorp-Guest | 30 | Guest access (rate limited, internet only) |

### Device VLAN Assignments

| Device Type | VLAN | How Tagged |
|-------------|------|------------|
| WiFi - trusted | 1 | UniFi AP (SSID) |
| WiFi - IoT | 20 | UniFi AP (SSID) |
| WiFi - guest | 30 | UniFi AP (SSID) |
| Cameras | 20 | GS308EP (port-based) |
| Wired PCs | 1 | Untagged (unmanaged switches) |
| Proxmox containers | varies | Proxmox VLAN tag |

## Proxmox VLAN Configuration

### Enable VLAN-aware bridge on Elantris

```bash
# /etc/network/interfaces
auto vmbr0
iface vmbr0 inet static
    address 10.4.2.14/24
    gateway 10.4.2.254
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
```

### Container VLAN Assignments

| Container | VLAN | Subnet | Reason |
|-----------|------|--------|--------|
| OPNsense | trunk | all | Router - needs all VLANs |
| Traefik | 1 | 10.4.2.x | Reverse proxy - reaches all |
| Pi-hole | 1 | 10.4.2.x | DNS for all VLANs |
| Sonarr/Radarr/*arr | 10 | 10.4.10.x | Server VLAN |
| Jellyfin | 10 | 10.4.10.x | Server VLAN |
| Frigate | 20 | 10.4.20.x | Needs camera access |
| Home Assistant | 20 | 10.4.20.x | IoT control |
| UniFi Controller | 1 | 10.4.2.x | AP management |

### LXC VLAN Tag Example

```bash
# Per container, in the Proxmox GUI or via CLI (replace <CTID> with the container ID):
pct set <CTID> -net0 name=eth0,bridge=vmbr0,tag=10

# Or in /etc/pve/lxc/<CTID>.conf:
net0: name=eth0,bridge=vmbr0,tag=10,type=veth
```

## OPNsense VM Setup

### Location

- **Host**: Elantris (most stable, 128GB RAM)
- **Resources**: 2-4 vCPU, 4GB RAM
- **Network**: VLAN trunk (all VLANs)

### Interfaces

| Interface | VLAN | IP | Role |
|-----------|------|-----|------|
| vtnet0 | - | DHCP from AT&T | WAN |
| vtnet1.1 | 1 | 10.4.2.1 | LAN - Management |
| vtnet1.10 | 10 | 10.4.10.1 | LAN - Servers |
| vtnet1.20 | 20 | 10.4.20.1 | LAN - IoT |
| vtnet1.30 | 30 | 10.4.30.1 | LAN - Guest |

### Firewall Rules (High Level)

| From | To | Action |
|------|-----|--------|
| Trusted (1) | Any | Allow |
| Servers (10) | Internet | Allow |
| Servers (10) | Trusted (1) | Allow (for access) |
| IoT (20) | Internet | Allow |
| IoT (20) | Servers (10) | Block (except Frigate, HA) |
| IoT (20) | Trusted (1) | Block |
| Guest (30) | Internet | Allow (rate limit) |
| Guest (30) | Any internal | Block |

## UniFi Controller

### Deployment Options

1. **LXC on Proxmox** (recommended) - Free, uses existing hardware
2. **Cloud Gateway** - Extra cost, dedicated hardware

### LXC Setup (via helper script)

```bash
# On Proxmox node.
# Fetches the community-scripts helper from GitHub and runs it directly on the node.
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/unifi.sh)"
```

## Implementation Steps

### Phase 1: Hardware

- [ ] Order 2× GiGaPlus 10G PoE switches
- [ ] Order 2× UniFi U7 Pro APs
- [ ] Test Cat6 cable for 10G capability

### Phase 2: Switches

- [ ] Install GiGaPlus switch in server closet
- [ ] Install GiGaPlus switch in basement
- [ ] Connect 10G backhaul
- [ ] Verify 10G link speed

### Phase 3: OPNsense

- [ ] Create OPNsense VM on Elantris
- [ ] Configure WAN (AT&T modem)
- [ ] Configure VLAN interfaces
- [ ] Set up basic firewall rules
- [ ] Test internet connectivity

### Phase 4: UniFi

- [ ] Deploy UniFi Controller LXC
- [ ] Adopt U6 Enterprise
- [ ] Install U7 Pro APs
- [ ] Adopt U7 Pro APs
- [ ] Configure SSIDs with VLAN tags

### Phase 5: VLAN Migration

- [ ] Configure GS308EP camera ports for VLAN 20
- [ ] Update Proxmox bridge to VLAN-aware
- [ ] Migrate containers to appropriate VLANs
- [ ] Test inter-VLAN routing
- [ ] Verify firewall rules

### Phase 6: Cleanup

- [ ] Remove Asus mesh routers
- [ ] Update documentation
- [ ] Test all services

## Rollback Plan

Keep the Asus mesh routers available during migration. If issues arise:

1. Disconnect GiGaPlus switches
2. Reconnect Asus routers
3. Restore original network config

## Notes

- GiGaPlus switches are unmanaged - VLAN tagging happens at endpoints (APs, GS308EP, Proxmox)
- Wired PCs on unmanaged switches will stay on VLAN 1 (trusted)
- Pi-hole should remain accessible from all VLANs for DNS
- Consider adding 10G NIC to Elantris later for direct 10G connection
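The high-level firewall table and the Pi-hole note, worked through as a first-match policy check (an added example, not part of the plan and not an OPNsense export). The host addresses, the default deny and the rule order are assumptions; the check shows that the DNS exception and the Frigate/HA carve-outs must sit above the IoT block rules for the table and the note to hold at the same time.

```python
from ipaddress import ip_address, ip_network

# VLAN id -> subnet, from the plan's VLAN Assignments table.
VLANS = {1: ip_network("10.4.2.0/24"), 10: ip_network("10.4.10.0/24"),
         20: ip_network("10.4.20.0/24"), 30: ip_network("10.4.30.0/24")}
INTERNET = "internet"  # any address outside the four subnets
# Constructed sample hosts (the plan only says 10.4.2.x / 10.4.20.x).
PIHOLE = ip_address("10.4.2.53")                        # Pi-hole, VLAN 1
FRIGATE, HOME_ASSISTANT = ip_address("10.4.20.30"), ip_address("10.4.20.31")

def vlan_of(ip):
    """VLAN id of an address, or INTERNET if it is in none of the subnets."""
    for vid, net in VLANS.items():
        if ip in net:
            return vid
    return INTERNET

# Ordered (src, dst, proto, dport, action); src/dst are a VLAN id, INTERNET,
# a host address, or "any". First match wins; an unmatched flow is blocked
# (default deny is an assumption, the plan's table states no default).
RULES = [
    ("any", PIHOLE, "udp", 53, "allow"),  # Notes: Pi-hole serves DNS to all VLANs,
    ("any", PIHOLE, "tcp", 53, "allow"),  # so it must precede the blocks below
    (1, "any", "any", None, "allow"),              # Trusted -> Any
    (10, INTERNET, "any", None, "allow"),          # Servers -> Internet
    (10, 1, "any", None, "allow"),                 # Servers -> Trusted
    (20, INTERNET, "any", None, "allow"),          # IoT -> Internet
    (FRIGATE, 10, "any", None, "allow"),           # "except Frigate, HA" carve-outs
    (HOME_ASSISTANT, 10, "any", None, "allow"),    #   ahead of the IoT -> Servers block
    (20, 10, "any", None, "block"),                # IoT -> Servers
    (20, 1, "any", None, "block"),                 # IoT -> Trusted
    (30, INTERNET, "any", None, "allow"),          # Guest -> Internet (rate limit not modelled)
    (30, "any", "any", None, "block"),             # Guest -> any internal
]

def _matches(selector, ip):
    if selector == "any":
        return True
    if isinstance(selector, int) or selector == INTERNET:
        return vlan_of(ip) == selector
    return ip == selector  # specific host

def evaluate(src, dst, proto="tcp", dport=None):
    """Return 'allow' or 'block' for one flow by first-match over RULES."""
    src, dst = ip_address(src), ip_address(dst)
    for s, d, p, port, action in RULES:
        if (_matches(s, src) and _matches(d, dst)
                and p in ("any", proto) and port in (None, dport)):
            return action
    return "block"
```

Moving the two Pi-hole rules below the IoT/Guest block rules makes `evaluate("10.4.20.50", "10.4.2.53", "udp", 53)` return `block`, which is exactly the DNS outage the Notes section warns about.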