kavren/proxmox-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e0a64b1b9233d6718012511eacf492ce7b740365
proxmox-infra/docs/TASKS.md
kavren e0a64b1b92 docs: Add DHCP-based network isolation strategy 
- Document OPNsense WAN configuration (pm4 vmbr1 with USB NIC)
- Add DHCP-based isolation workaround for unmanaged Gigabyte switches
- Plan subnet scheme: LAN (10.4.2.0/24), IoT (10.4.10.0/24), Guest (10.4.20.0/24)
- Document planned OPNsense firewall rules for isolation
- Update tasks with OPNsense migration and isolation steps
- Fix Claude Code hooks settings (remove matcher from Stop hook)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 19:20:07 -05:00

2.4 KiB
Raw Blame History

Current Tasks

Last Updated: 2025-12-21

In Progress

None currently.

Pending

OPNsense Migration (Priority)

OPNsense VM 130 deployed on pm4 with vmbr1 (USB NIC) for WAN.

Pending:

  • Connect USB NIC to AT&T modem (WAN cutover)
  • Configure OPNsense WAN interface (DHCP or PPPoE from AT&T)
  • Configure OPNsense as DHCP server for LAN (10.4.2.0/24)
  • Test internet connectivity through OPNsense
  • Update gateway on all devices from 10.4.2.254 → 10.4.2.1

Network Isolation (DHCP Workaround)

Using DHCP-based isolation due to unmanaged Gigabyte switches. See DECISIONS.md.

Pending:

  • Configure OPNsense DHCP scope for IoT (10.4.10.0/24)
  • Configure OPNsense DHCP scope for Guest (10.4.20.0/24)
  • Configure UniFi to assign IoT/Guest clients to correct subnets (via DHCP options or UniFi DHCP)
  • Create OPNsense firewall rules:
    • Block IoT → LAN
    • Block Guest → LAN
    • Block Guest → IoT
    • Allow Smart Home VMs → IoT
  • Test isolation (IoT device cannot ping LAN device)
  • Test Smart Home access (Home Assistant can reach IoT)

Future Network Upgrades

  • Order hardware (2× GiGaPlus 10G PoE, 2× U7 Pro) for 10G backhaul
  • Consider managed 2.5G PoE switches for proper VLAN support
  • Consider OPNsense HA (CARP) with second USB NIC on another node

Media Organization

  • Verify Jellyfin can see all imported media
  • Clean up .processing-loose-episodes folder
  • Review and potentially restore TV shows from processing folder

Configuration

  • Consider custom format to prefer English audio releases
  • Review Sonarr language profiles for non-English releases

Infrastructure

  • Define backup strategy and schedule
  • Set up monitoring/alerting system
  • Document disaster recovery procedures

Completed (Recent)

  • Configured pm4 vmbr1 bridge with USB 2.5G NIC for OPNsense WAN
  • Added net1 (vmbr1) to OPNsense VM 130
  • Documented DHCP-based network isolation strategy
  • Deployed UniFi Controller LXC 111 on pm4
  • Fixed SSH access between cluster nodes (pm2 can access all nodes)
  • Fixed NZBGet permissions (UMask=0000 for 777 files)
  • Fixed Sonarr permissions (chmod 777 on imports)
  • Fixed Jellyfin LXC mounts (restarted LXC)
  • Fixed Jellyseerr IP in Traefik config
  • Consolidated documentation structure
  • Created documentation index

Blocked

None currently.

Reference in New Issue View Git Blame Copy Permalink