infra/stacks/traefik
Viktor Barzin 936e6592e0 home-lans-only: add London guest net 192.168.9.0/24 — the Portal Plus lives there
Post-rollout discovery during wrap-up: the London Portal Plus leases on the
GUEST network (Portal-75AE8F9C2A8A = 192.168.9.198), not the main LAN, so the
allowlist shipped in 8bac9914 would have 403'd it once it woke. Verified the
forwarded path end-to-end on the Flint 2 (read-only): VPN_PREROUTING_HOOK
hooks BOTH br-lan and br-guest into ROUTE_POLICY -> TUNNEL10_ROUTE_POLICY,
which marks all dst_net10 (10/8) traffic onto the WG tunnel — so the Portal
reaches 10.0.20.203 with source 192.168.9.198 once on-screen. (Side finding,
router-originated only: the firewall.user LOCAL_POLICY dst_net10 injection
from vpn.md has rotted — admin curls from the router itself don't tunnel;
clients unaffected. Not fixed here — live-device change, needs Viktor's OK.)

Middleware already applied live via targeted tg apply (20:11 UTC).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-04 20:15:31 +00:00
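The allowlist check the commit is fixing, as an added example (not code from this repo or from Traefik): a stand-alone model of how an ipAllowList-style middleware matches the client source address against its sourceRange CIDRs, run against the Portal Plus address named above. The main-LAN CIDR 192.168.1.0/24 is a hypothetical placeholder, since the commit only names the London guest net; the tunnel-routing helper mirrors the dst_net10 rule described in the message (10/8 goes via the tunnel, source address preserved), nothing more.

```python
"""Model of a Traefik-style ipAllowList (sourceRange CIDRs) evaluation.

Added example, not the infra repo's or Traefik's code. The real middleware
does this match inside the proxy; here the same logic uses the stdlib
ipaddress module so the before/after allowlists can be checked offline.
"""
import ipaddress

# Hypothetical: allowlist as it would have shipped before the guest net was
# added (main LAN only). 192.168.1.0/24 is a placeholder, not from the commit.
OLD_SOURCE_RANGE = ["192.168.1.0/24"]
# After this commit: London guest net 192.168.9.0/24 added.
NEW_SOURCE_RANGE = OLD_SOURCE_RANGE + ["192.168.9.0/24"]

PORTAL_PLUS_IP = "192.168.9.198"   # guest-net lease named in the commit
TRAEFIK_BACKEND = "10.0.20.203"    # destination the Portal reaches via the tunnel

# Destinations covered by the router's dst_net10 policy (TUNNEL10_ROUTE_POLICY).
TUNNEL_NET = ipaddress.ip_network("10.0.0.0/8")


def build_networks(source_range):
    """Parse the CIDR list once. strict=True rejects entries with host bits
    set (e.g. '192.168.9.198/24'), a common allowlist typo."""
    return [ipaddress.ip_network(cidr, strict=True) for cidr in source_range]


def routed_via_tunnel(dst_ip):
    """True when the destination falls in 10/8, i.e. the packet is marked
    onto the WG tunnel. The policy marks only; no SNAT, so the LAN source
    address is what the far end (and the allowlist) sees."""
    return ipaddress.ip_address(dst_ip) in TUNNEL_NET


def is_allowed(client_ip, source_range):
    """True if the client address is inside any sourceRange CIDR."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in build_networks(source_range))


def decide(client_ip, source_range):
    """HTTP status the middleware would yield: pass (200) or reject (403)."""
    return 200 if is_allowed(client_ip, source_range) else 403


if __name__ == "__main__":
    assert routed_via_tunnel(TRAEFIK_BACKEND)
    print("old allowlist:", decide(PORTAL_PLUS_IP, OLD_SOURCE_RANGE))  # 403
    print("new allowlist:", decide(PORTAL_PLUS_IP, NEW_SOURCE_RANGE))  # 200
```

The point of the model: because the tunnel policy only marks and does not rewrite the source, a client on the guest bridge arrives at the backend as 192.168.9.x, so an allowlist that names only the main LAN rejects it regardless of how the packet was routed.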
modules/traefik home-lans-only: add London guest net 192.168.9.0/24 — the Portal Plus lives there 2026-07-04 20:15:31 +00:00
main.tf traefik/crowdsec: delete dead Yaegi plugin + middleware CRD + captcha (PR2/2) 2026-06-21 13:35:13 +00:00
secrets fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip] 2026-06-09 08:45:33 +00:00
terragrunt.hcl traefik: non-merge apply trigger (error-pages buffer fix) 2026-06-12 20:31:24 +00:00