From 936e6592e043f0e48f809415c9019b97fc853c86 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 4 Jul 2026 20:15:31 +0000
Subject: [PATCH] =?UTF-8?q?home-lans-only:=20add=20London=20guest=20net=20?=
 =?UTF-8?q?192.168.9.0/24=20=E2=80=94=20the=20Portal=20Plus=20lives=20ther?=
 =?UTF-8?q?e?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Post-rollout discovery during wrap-up: the London Portal Plus leases on the GUEST network (Portal-75AE8F9C2A8A = 192.168.9.198), not the main LAN, so the allowlist shipped in 8bac9914 would have 403'd it once it woke.

Verified the forwarded path end-to-end on the Flint 2 (read-only): VPN_PREROUTING_HOOK hooks BOTH br-lan and br-guest into ROUTE_POLICY -> TUNNEL10_ROUTE_POLICY, which marks all dst_net10 (10/8) traffic onto the WG tunnel — so the Portal reaches 10.0.20.203 with source 192.168.9.198 once on-screen.

(Side finding, router-originated only: the firewall.user LOCAL_POLICY dst_net10 injection from vpn.md has rotted — admin curls from the router itself don't tunnel; clients unaffected. Not fixed here — live-device change, needs Viktor's OK.)

Middleware already applied live via targeted tg apply (20:11 UTC).

Co-Authored-By: Claude Fable 5
---
 docs/plans/2026-07-04-immich-frame-lan-only-design.md | 6 ++++--
 stacks/traefik/modules/traefik/middleware.tf          | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/plans/2026-07-04-immich-frame-lan-only-design.md b/docs/plans/2026-07-04-immich-frame-lan-only-design.md
index 63298216..199316cf 100644
--- a/docs/plans/2026-07-04-immich-frame-lan-only-design.md
+++ b/docs/plans/2026-07-04-immich-frame-lan-only-design.md
@@ -21,7 +21,9 @@ Two cooperating pieces — the gate and the reachability pointer: 1. **The gate — `home-lans-only` Traefik middleware** (traefik stack, next to `local-only`): `ipAllowList` of `192.168.1.0/24` (Sofia LAN), `10.0.0.0/8` (VLANs, K8s pods `10.10.0.0/16`, services `10.96.0.0/12`, WG tunnel - `10.3.2.0/24`), `192.168.8.0/24` (London LAN), `192.168.0.0/24` + `10.3.2.0/24`), `192.168.8.0/24` (London LAN), `192.168.9.0/24` (London + GUEST net — post-rollout discovery: the Portal Plus actually leases here, + `Portal-75AE8F9C2A8A` = `192.168.9.198`, added same day), `192.168.0.0/24` (Valchedrym LAN), `fc00::/7`, `fe80::/10`. Attached to both frame ingresses via `extra_middlewares`. Everyone else gets a Traefik 403 — including direct-to-WAN-IP requests carrying the right SNI, which DNS @@ -55,7 +57,7 @@ convention comment now names the ipAllowList as the gate. | Client | Path | Result | |---|---|---| | Emo's Portal Mini (Sofia LAN) | Technitium CNAME → `.203` direct (unchanged) | allowed (`192.168.1.x`) | -| Viktor's Portal Plus (London LAN) | public A → `10.0.20.203` → WG tunnel | allowed (`192.168.8.x`) | +| Viktor's Portal Plus (London GUEST net) | public A → `10.0.20.203` → WG tunnel | allowed (`192.168.9.x`) | | Household browsers (any of the 3 LANs) | same as above | allowed | | In-cluster checks (`homelab browser`, blackbox) | CoreDNS → Technitium → `.203` | allowed (pod IP in 10/8) | | Stranger, resolves hostname | gets `10.0.20.203` | unroutable | diff --git a/stacks/traefik/modules/traefik/middleware.tf b/stacks/traefik/modules/traefik/middleware.tf index f81b14fc..07283b70 100644 --- a/stacks/traefik/modules/traefik/middleware.tf +++ b/stacks/traefik/modules/traefik/middleware.tf 
@@ -142,6 +142,7 @@ resource "kubernetes_manifest" "middleware_home_lans_only" { "192.168.1.0/24", # Sofia LAN (hub site) "10.0.0.0/8", # VLANs, K8s pod/svc CIDRs, WG tunnel subnet "192.168.8.0/24", # London LAN (via WG tunnel) + "192.168.9.0/24", # London GUEST net — the Portal Plus actually leases here (Portal-75AE8F9C2A8A = 192.168.9.198) "192.168.0.0/24", # Valchedrym LAN (via WG tunnel) "fc00::/7", "fe80::/10",
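Review bot: in the first design-doc hunk (`@@ -21,7 +21,9 @@`) the gate is still named `home-lans-only` and described as a list of home LANs, yet the entry being added is a guest segment and the whole `192.168.9.0/24` is admitted, so every device that joins the London guest Wi-Fi passes the gate, not only `Portal-75AE8F9C2A8A`. The design text should say outright that this widening is accepted, or record the narrower alternatives (a /32 for the Portal's address, which needs a DHCP reservation rather than the lease the note describes, or moving the Portal onto the main LAN). One more thing the doc should state, since the hunk relies on the Portal arriving "with source 192.168.9.198" over the WG tunnel: which address the `ipAllowList` compares (the connection's remote address, or a forwarded header). Without that, the claim in the same paragraph that direct-to-WAN-IP requests with the right SNI get a 403 cannot be checked from the text.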
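Review bot: in the table hunk (`@@ -55,7 +57,7 @@`) the unchanged row "Household browsers (any of the 3 LANs)" is now stale: with the guest net added there are four allowed RFC 1918 segments (Sofia LAN, London LAN, London guest, Valchedrym LAN). The table also has no row for a visitor on the London guest net, who resolves the hostname to `10.0.20.203`, is tunnelled exactly as the Portal row describes, and is allowed as `192.168.9.x`; the "Stranger, resolves hostname" row's "unroutable" result only holds off-site. Suggest correcting the count and adding a row such as `| Visitor on London GUEST net | public A → 10.0.20.203 → WG tunnel | allowed (192.168.9.x) |` so the widened trust is visible where the gate's outcomes are enumerated.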
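Review bot: in the `middleware.tf` hunk the new entry trusts the entire guest segment while the comment only justifies one device; if the intent is the Portal alone, `"192.168.9.198/32"` is the tighter form, but it is only safe once the router holds a reservation for `Portal-75AE8F9C2A8A`, since the commit message calls the current address a lease. Whichever is chosen, the comment should say so. A smaller consistency point: the neighbouring lines read `# London LAN (via WG tunnel)` and `# Valchedrym LAN (via WG tunnel)`, and the commit message confirms br-guest is routed through the same tunnel, so the new comment should carry "(via WG tunnel)" too, e.g. `# London GUEST net (via WG tunnel) — Portal-75AE8F9C2A8A = 192.168.9.198`.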