diff --git a/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md b/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md index e99ce8ca..2a73bda2 100644 --- a/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md +++ b/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md @@ -15,10 +15,13 @@ untagged pfSense interface per segment. **Decision:** the CCTV segment (`dCCTV`, 10.0.30.1/24) rides a dedicated physical leg — R730 `eno2` (spare) → new bridge `vmbr2` → pfSense `net3` -(vtnet3), untagged end-to-end. The shared TL-SG105PE PoE switch in the rack -splits via port-based VLANs: {camera port, eno2 uplink} in an internal VLAN, -{home-LAN uplink, 4G router 192.168.1.7, UPS mgmt, switch mgmt 192.168.1.6} -stay in VLAN 1. Cameras are untrusted: default-deny on dCCTV with a single +(vtnet3), untagged end-to-end. The new TL-SG105PE PoE switch is a **dedicated +CCTV island**: camera in a PoE port, one port patched to eno2, no VLAN table +at all, mgmt IP inside the segment (10.0.30.6 via Kea). The existing garage +TL-SG105E (192.168.1.6 — apartment uplink, R730 LAN1, 4G router 192.168.1.7, +UPS mgmt; exactly one free port) is untouched — it has no PoE and no spare +port pair, which is also why the two roles cannot share one switch. +Cameras are untrusted: default-deny on dCCTV with a single NTP-to-gateway exception; Frigate (k8s) pulls RTSP in; ha-sofia (192.168.1.8) may reach ISAPI/RTSP directly; home-LAN clients route in via an AX6000 static route (10.0.30.0/24 via 192.168.1.2). 10.0.30.0/24 is deliberately NOT in the 
@@ -38,11 +41,17 @@ route (10.0.30.0/24 via 192.168.1.2). 10.0.30.0/24 is deliberately NOT in the ## Consequences - eno2 is consumed; eno3/eno4 remain the last spare NICs on the R730. -- The TL-SG105PE is now load-bearing shared infra: it carries pfSense's - backup-WAN path (4G router), UPS mgmt, AND the CCTV segment. Its Easy - Smart mgmt UI answers on every port regardless of VLAN — mitigated by a - strong password; residual L2 risk accepted. -- Adding a future camera = one PoE port in the CCTV VLAN + a Kea - reservation; no pfSense/PVE work. +- Two Easy Smart switches live in the rack: the OLD TL-SG105E at 192.168.1.6 + remains the load-bearing shared one (apartment uplink, R730 LAN1, pfSense's + backup-WAN path via the 4G router, UPS mgmt — one port free); the NEW + TL-SG105PE carries only CCTV. The Easy Smart mgmt-answers-on-every-port + quirk is therefore contained: the PE's mgmt UI is only L2-adjacent to + cameras, and pfSense still gates all L3. +- Adding a future camera = one free PoE port on the PE + a Kea + reservation; no pfSense/PVE/VLAN work. +- 2026-07-02 correction: an earlier revision of this ADR described ONE shared + PE switch with a port-based VLAN split — written before discovering the + live 192.168.1.6 device is a separate, older non-PoE TL-SG105E. No VLAN + table exists anywhere in the final design. - Frigate's ADR-0016 VRAM budget was bumped 2000 → 2300 MiB for the extra NVDEC stream. diff --git a/docs/adr/0017-cctv-segment-topology.svg b/docs/adr/0017-cctv-segment-topology.svg index e9259141..acba5936 100644 --- a/docs/adr/0017-cctv-segment-topology.svg +++ b/docs/adr/0017-cctv-segment-topology.svg @@ -1,6 +1,6 @@ - @@ -19,7 +19,7 @@ ADR-0017 — CCTV segment on a dedicated pfSense leg - Sofia/Vermont · as-built 2026-07-02 · dashed = camera-day · untagged on every wire + Sofia/Vermont · as-built 2026-07-02 · dashed = camera-day · no VLANs anywhere — isolation is physical 
@@ -39,55 +39,53 @@ DNS: garage-cam.viktorbarzin.lan PoE from switch · cloud/P2P off - - - cat6 in conduit · PoE + + + cat6 in conduit · PoE - - RACK — GARAGE + + RACK — GARAGE · TWO SWITCHES - - - TL-SG105PE - shared PoE switch · mgmt 192.168.1.6 (VLAN 1, Kea) - port-based VLANs, everything untagged - - + + + TL-SG105PE NEW · dedicated CCTV island · mgmt 10.0.30.6 (Kea) · no VLAN table - - P1 · VLAN 1 - home-LAN - uplink - - - P2 · VLAN 1 - 4G router - 192.168.1.7 - - - P3 · VLAN 1 - UPS mgmt - - - P4 · VLAN 30 - camera - PoE ON - - - P5 · VLAN 30 - uplink to - R730 eno2 + + camera · PoE + any of P1–P4 + + → R730 eno2 + uplink (P5) + + 3 × spare PoE + future cameras - backup-WAN path (pfSense 4g_router gateway) and UPS ride VLAN 1 — untouched - - - patch + + + TL-SG105E · 192.168.1.6 existing · no PoE · UNTOUCHED by this design + + + P1 · 1G + + P2 · 100M + + P3 · 100M + + P4 · free + + P5 · 1G + + 1G ports: apartment uplink + R730 LAN1 · 100M ports: 4G router .7 (pfSense backup-WAN) + UPS mgmt - - - existing home-LAN uplink (VLAN 1) + + + patch + + + + R730 LAN1 @@ -143,7 +141,7 @@ - HOME LAN 192.168.1.0/24 (VLAN 1) + HOME LAN 192.168.1.0/24 AX6000 · .1 + route 10.0.30.0/24 → .2 @@ -151,20 +149,21 @@ ha-sofia · .8 Frigate card + hikvision_next - SW1 + clients - laptops, R730 eno1 uplink + apartment clients + laptops, phones CAMERA DAY: static route 10.0.30.0/24 via 192.168.1.2 - + + apartment uplink · SG105E · eno1 - - ALLOW · Frigate → camera RTSP :554 (routed k8s → dCCTV; opt1 allow-all) + + ALLOW · Frigate → camera RTSP :554 (routed k8s → dCCTV; opt1 allow-all) @@ -178,19 +177,19 @@ - home LAN / VLAN 1 - - CCTV · VLAN 30 / dCCTV 10.0.30.0/24 - - dKubernetes - - dManagementsVms - - allowed flow - - denied - - camera-day step - ADR-0017 · 2026-07-02 + home LAN 192.168.1.0/24 + + CCTV island / dCCTV 10.0.30.0/24 + + dKubernetes + + dManagementsVms + + allowed flow + + denied + + camera-day step + ADR-0017 · rev 2 
diff --git a/docs/architecture/networking.md b/docs/architecture/networking.md index 53f7562e..970fc421 100644 --- a/docs/architecture/networking.md +++ b/docs/architecture/networking.md @@ -89,7 +89,7 @@ graph TB | phpIPAM | v1.7.0 | phpipam.viktorbarzin.me | IP address management, device inventory, DNS sync | | vmbr0 | Linux bridge | 192.168.1.127/24 | Physical bridge on eno1, uplink to LAN | | vmbr1 | Linux bridge (VLAN-aware) | Internal | VLAN trunk for VM isolation | -| vmbr2 | Linux bridge | Physical (eno2) | dCCTV segment leg: eno2 → TL-SG105PE (rack) → cameras; pfSense net3 is the only L3 exit (ADR-0017) | +| vmbr2 | Linux bridge | Physical (eno2) | dCCTV segment leg: eno2 → TL-SG105PE (dedicated CCTV switch in the rack) → cameras; pfSense net3 is the only L3 exit (ADR-0017) | | Technitium DNS | Container | 10.0.20.201 (LB) / 10.96.0.53 (ClusterIP) | Internal DNS (viktorbarzin.lan) + full recursive resolver | | Cloudflare DNS | SaaS | External | ~50 public domains under viktorbarzin.me | | Cloudflared | Container | K8s (3 replicas) | Tunnel ingress, replaces port forwarding | 
@@ -103,9 +103,9 @@ graph TB Isolated camera segment for owned cameras at the Sofia site (first: `vermont-garage`, HiLook IPC-T241H-C at the garage entrance). Decision + rejected alternatives: `docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md`. -**Physical path**: camera → TL-SG105PE PoE port (CCTV VLAN, port-based) → R730 `eno2` → `vmbr2` (bridge-ports eno2, not vlan-aware) → pfSense `net3`/vtnet3 = interface **dCCTV `10.0.30.1/24`**. Untagged end-to-end; the only 802.1Q is the internal port-VLAN table on the TL-SG105PE, which also keeps its home-LAN ports (uplink, 4G router `192.168.1.7`, UPS mgmt, switch mgmt `192.168.1.6`) in VLAN 1. +**Physical path**: camera → TL-SG105PE PoE port → R730 `eno2` → `vmbr2` (bridge-ports eno2, not vlan-aware) → pfSense `net3`/vtnet3 = interface **dCCTV `10.0.30.1/24`**. The TL-SG105PE is a dedicated CCTV island — camera + eno2 uplink + 3 spare PoE ports, **no VLAN table anywhere**, mgmt at `10.0.30.6` (Kea). It is a second switch: the pre-existing garage TL-SG105E (`192.168.1.6`; apartment uplink, R730 LAN1, 4G router `192.168.1.7`, UPS mgmt, one free port; no PoE) is not involved in the CCTV path at all. -**Addressing**: Kea DHCP pool `10.0.30.100-199`; devices get MAC reservations (camera `10.0.30.70`). Kea DDNS auto-registers names in Technitium; `phpipam-pfsense-import` picks up leases hourly. +**Addressing**: Kea DHCP pool `10.0.30.100-199`; devices get MAC reservations (camera `10.0.30.70`, PE switch mgmt `10.0.30.6`). Kea DDNS auto-registers names in Technitium; `phpipam-pfsense-import` picks up leases hourly. **Firewall** (all on pfSense): - dCCTV in: pass `udp OPT4-net → 10.0.30.1:123` (NTP) — everything else hits the interface's default deny. Cameras cannot reach LAN, other segments, or the internet.
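Review bot: in the ADR decision hunk (`docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md`, `@@ -15,10 +15,13`), the PE switch's management plane is moved into the camera segment (`mgmt IP inside the segment (10.0.30.6 via Kea)`) without saying who may reach it or under which rule. The only inbound paths named are `Frigate (k8s) pulls RTSP in`, `ha-sofia (192.168.1.8) may reach ISAPI/RTSP directly` and `home-LAN clients route in via an AX6000 static route`, and the topology SVG in the same change labels the k8s leg `opt1 allow-all`, so as written every pod on dKubernetes can reach 10.0.30.6 as well as the camera. Suggest an explicit pass for Frigate's egress address to the camera on :554, a block from the dKubernetes net to 10.0.30.6, and a named admin host (or hosts) for the switch UI. Also record the switch-side setting the reservation depends on: the PE's DHCP client must be enabled, and because pfSense/Kea is a VM on the same R730 it can come up after the switch, so state what address the PE sits on until a lease arrives.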
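Review bot: in the Consequences hunk (`@@ -38,11 +41,17`), the removed bullet's `mitigated by a strong password; residual L2 risk accepted` has no counterpart in the replacement, which only says the mgmt-answers-on-every-port quirk is `contained`. A camera still shares a broadcast domain with the PE's management UI, so a compromised camera can attack the switch directly; keep the accepted-risk statement and the password mitigation in the new bullet, e.g. `... only L2-adjacent to cameras; strong mgmt password, residual L2 risk accepted.` Separately, `Adding a future camera = ... no pfSense/PVE/VLAN work` sits two lines above the note that the extra NVDEC stream cost ADR-0016 VRAM budget (`2000 → 2300 MiB`), so a new camera is not free of cluster work; add `plus Frigate config and an ADR-0016 budget check`.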
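Review bot: in the SVG hunks (`docs/adr/0017-cctv-segment-topology.svg`), the new subtitle `no VLANs anywhere — isolation is physical` overstates what the diagram shows: the networking.md table in the same change still lists `vmbr1 | Linux bridge (VLAN-aware) | Internal | VLAN trunk for VM isolation`, and the CCTV leg is physical only up to pfSense `net3`; every flow to Frigate, ha-sofia and the home LAN after that is routed and gated by firewall rules, as the diagram's own `ALLOW`/`denied` legend shows. Suggest `no VLANs on the CCTV path · isolation is physical up to pfSense`. The legend also replaces `ADR-0017 · 2026-07-02` with `ADR-0017 · rev 2` while the title keeps `as-built 2026-07-02`; keep the date beside the revision marker so the two stay in step when the ADR is revised again.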
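Review bot: in the networking.md prose hunk (`@@ -103,9 +103,9`), the Addressing line now hands out the PE switch's management address as a Kea reservation (`PE switch mgmt 10.0.30.6`), which makes reachability of a physical switch depend on the pfSense VM being up and answering DHCP. For a management plane on infrastructure a static address on the switch is the safer default; if the reservation is kept, document the PE's DHCP-client fallback behaviour so an unreachable switch after a cold rack start is diagnosable. The Firewall section that follows this hunk shows the dCCTV-in NTP pass; the rules that admit traffic the other way (home LAN and dKubernetes to 10.0.30.6 and to the camera) should be listed there as well and scoped to source hosts rather than whole nets, and if the Easy Smart web UI on the PE is HTTP-only the switch password crosses the home LAN and pfSense in clear, which argues for limiting that rule to a single admin host.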