diff --git a/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md b/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md index 9eeb61c8..e99ce8ca 100644 --- a/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md +++ b/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md @@ -2,6 +2,8 @@ Status: accepted (2026-07-02) +![Network topology — dCCTV segment, flows, and camera-day steps](./0017-cctv-segment-topology.svg) + The first owned camera at the Sofia/Vermont site (`vermont-garage`, HiLook IPC-T241H-C at the garage entrance) needs to be network-isolated: its cable is physically exposed outside the apartment, so anything plugged into that cable diff --git a/docs/adr/0017-cctv-segment-topology.svg b/docs/adr/0017-cctv-segment-topology.svg new file mode 100644 index 00000000..e9259141 --- /dev/null +++ b/docs/adr/0017-cctv-segment-topology.svg 
@@ -0,0 +1,196 @@ + + + + + + + + + + + + + + + + + + ADR-0017 — CCTV segment on a dedicated pfSense leg + Sofia/Vermont · as-built 2026-07-02 · dashed = camera-day · untagged on every wire + + + + + + + + DENY · camera → LAN / other segments / internet (default deny on dCCTV) + + + + GARAGE ENTRANCE + + vermont-garage + HiLook IPC-T241H-C · pure IR + 10.0.30.70 (Kea reservation) + DNS: garage-cam.viktorbarzin.lan + PoE from switch · cloud/P2P off + + + + cat6 in conduit · PoE + + + + RACK — GARAGE + + + + TL-SG105PE + shared PoE switch · mgmt 192.168.1.6 (VLAN 1, Kea) + port-based VLANs, everything untagged + + + + + P1 · VLAN 1 + home-LAN + uplink + + + P2 · VLAN 1 + 4G router + 192.168.1.7 + + + P3 · VLAN 1 + UPS mgmt + + + P4 · VLAN 30 + camera + PoE ON + + + P5 · VLAN 30 + uplink to + R730 eno2 + + backup-WAN path (pfSense 4g_router gateway) and UPS ride VLAN 1 — untouched + + + + patch + + + + existing home-LAN uplink (VLAN 1) + + + + DELL R730 — PVE HOST 192.168.1.127 (IN THE RACK) + + + + + eno1 → vmbr0 + LAN1 · vlan-aware + + + eno2 → vmbr2 + NEW · dedicated leg + + + vmbr1 + internal · tags 10/20 + + + + + pfSense (VM 101) + gateway + firewall for every segment + + + net0 · WAN 192.168.1.2 (home LAN) + + net1 · dManagementsVms 10.0.10.1 + + net2 · dKubernetes 10.0.20.1 + + net3 · dCCTV 10.0.30.1/24 · NEW + + + + + + + + + + k8s VMs · 10.0.20.0/24 + vmbr1 tag 20 · pod egress SNATs + to node IPs + + Frigate · k8s-node1 (T4) + detect sub / record main + gpumem budget 2300 MiB + + go2rtc LB 10.0.20.204 + restream → HA live view (MSE/HLS) + + + + HOME LAN 192.168.1.0/24 (VLAN 1) + + AX6000 · .1 + + route 10.0.30.0/24 → .2 + + ha-sofia · .8 + Frigate card + hikvision_next + + SW1 + clients + laptops, R730 eno1 uplink + + + CAMERA DAY: static route + 10.0.30.0/24 via 192.168.1.2 + + + + + + + + ALLOW · Frigate → camera RTSP :554 (routed k8s → dCCTV; opt1 allow-all) + + + + ALLOW · ha-sofia → camera :80 ISAPI + :554 + enters pfSense WAN · reply-to off · needs the 
AX6000 route + + + + ALLOW · camera → 10.0.30.1:123 (NTP) + + + + + home LAN / VLAN 1 + + CCTV · VLAN 30 / dCCTV 10.0.30.0/24 + + dKubernetes + + dManagementsVms + + allowed flow + + denied + + camera-day step + ADR-0017 · 2026-07-02 + +
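Review bot: the hunk in docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md drops the figure straight under the `Status:` line and makes the SVG the only place in this change that records several as-built facts (the 10.0.30.70 Kea reservation, the TL-SG105PE port map with P4/P5 untagged in VLAN 30, the camera → 10.0.30.1:123 NTP allow, the camera-day static route 10.0.30.0/24 via 192.168.1.2 on the AX6000). An SVG is not greppable or reviewable line by line, so restate those in the ADR body (decision and consequences, in the document's own list style) and treat the diagram as an illustration of them; also consider placing the image after the context paragraph it illustrates rather than between the status line and that paragraph.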
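Review bot: in docs/adr/0017-cctv-segment-topology.svg the Frigate → camera RTSP :554 flow is annotated "opt1 allow-all", so the one documented path into dCCTV from dKubernetes rides a blanket interface rule, which undercuts the "default deny on dCCTV" framing the legend and the DENY arrow give; since the same diagram notes that pod egress SNATs to node IPs, a pass rule scoped to the k8s node addresses and 10.0.30.70 tcp/554 would carry the same traffic, and the ADR should either adopt that or state explicitly that allow-all on opt1 is the accepted design and why. Secondary: the ha-sofia → camera ISAPI flow is drawn on :80 (plaintext HTTP) crossing the shared home LAN into the pfSense WAN with reply-to off; if the camera exposes ISAPI over HTTPS prefer that, otherwise record the plaintext-on-LAN exposure as an accepted risk in the ADR.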