infra/docs/adr/0017-cctv-segment-topology.svg
Viktor Barzin e11bd6e893 ADR-0017 rev 2: two switches — the PE is a dedicated CCTV island, no VLAN table anywhere
Viktor asked to verify free ports on the garage switch (192.168.1.6)
before finalizing. Logging into it showed it is NOT the TL-SG105PE from
the plan but a pre-existing non-PoE TL-SG105E with 4 of 5 ports in use
(apartment uplink, R730 LAN1, 4G router, UPS) - the single-shared-switch
port-VLAN design written earlier today was based on conflating the two
devices. Corrected: the new TL-SG105PE carries ONLY camera + eno2
uplink (mgmt 10.0.30.6 inside the segment), the old switch is untouched,
and no VLAN config exists anywhere. ADR, topology SVG and networking.md
updated to match.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 08:37:15 +00:00


<svg xmlns="http://www.w3.org/2000/svg" width="1600" height="880" viewBox="0 0 1600 880" font-family="system-ui, -apple-system, 'Segoe UI', Roboto, sans-serif">
<!-- ADR-0017 dCCTV topology (two-switch revision). Colors: reference dataviz
palette (light mode). blue #2a78d6 = home LAN · violet #4a3aa7 = dCCTV ·
aqua #1baf7a = dKubernetes · yellow #eda100 = dManagementsVms ·
green #008300 = allowed flow · red #e34948 = denied flow -->
<defs>
<marker id="arrGreen" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
<path d="M0,0 L10,5 L0,10 z" fill="#008300"/>
</marker>
<marker id="arrRed" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
<path d="M0,0 L10,5 L0,10 z" fill="#e34948"/>
</marker>
<marker id="arrGray" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="6" markerHeight="6" orient="auto-start-reverse">
<path d="M0,0 L10,5 L0,10 z" fill="#52514e"/>
</marker>
</defs>
<rect width="1600" height="880" fill="#fcfcfb"/>
<!-- title -->
<text x="40" y="42" font-size="26" font-weight="700" fill="#0b0b0b">ADR-0017 — CCTV segment on a dedicated pfSense leg</text>
<text x="40" y="66" font-size="15" fill="#52514e">Sofia/Vermont · as-built 2026-07-02 · dashed = camera-day · no VLANs anywhere — isolation is physical</text>
<!-- camera -> everything else (denied): kept above the zones, below the subtitle -->
<path d="M240,168 C520,104 900,104 1148,140" fill="none" stroke="#e34948" stroke-width="3" marker-end="url(#arrRed)"/>
<g transform="translate(560,111)">
<circle r="11" fill="#fcfcfb" stroke="#e34948" stroke-width="2.5"/>
<path d="M-5,-5 L5,5 M5,-5 L-5,5" stroke="#e34948" stroke-width="2.5"/>
</g>
<text x="588" y="100" font-size="13.5" font-weight="700" fill="#e34948">DENY · camera → LAN / other segments / internet (default deny on dCCTV)</text>
<!-- ═════════ GARAGE ENTRANCE zone ═════════ -->
<rect x="40" y="128" width="240" height="180" rx="10" fill="#4a3aa7" fill-opacity="0.06" stroke="#4a3aa7" stroke-opacity="0.35"/>
<text x="56" y="154" font-size="13" font-weight="700" fill="#52514e" letter-spacing="1">GARAGE ENTRANCE</text>
<rect x="64" y="170" width="192" height="112" rx="8" fill="#ffffff" stroke="#4a3aa7" stroke-width="2"/>
<text x="80" y="196" font-size="15" font-weight="700" fill="#0b0b0b">vermont-garage</text>
<text x="80" y="216" font-size="12.5" fill="#52514e">HiLook IPC-T241H-C · pure IR</text>
<text x="80" y="234" font-size="12.5" fill="#52514e">10.0.30.70 (Kea reservation)</text>
<text x="80" y="252" font-size="12.5" fill="#52514e">DNS: garage-cam.viktorbarzin.lan</text>
<text x="80" y="270" font-size="12.5" fill="#52514e">PoE from switch · cloud/P2P off</text>
<!-- camera cable to PE switch (camera day, dashed) -->
<path d="M160,308 L160,390" fill="none" stroke="#52514e" stroke-width="2" stroke-dasharray="6,5" marker-end="url(#arrGray)"/>
<text x="172" y="344" font-size="12" fill="#52514e">cat6 in conduit · PoE</text>
<!-- ═════════ RACK zone ═════════ -->
<rect x="40" y="360" width="560" height="265" rx="10" fill="#0b0b0b" fill-opacity="0.03" stroke="#b9b8b2"/>
<text x="56" y="384" font-size="13" font-weight="700" fill="#52514e" letter-spacing="1">RACK — GARAGE · TWO SWITCHES</text>
<!-- TL-SG105PE: NEW, dedicated CCTV island -->
<rect x="64" y="396" width="512" height="88" rx="8" fill="#4a3aa7" fill-opacity="0.05" stroke="#4a3aa7" stroke-width="2"/>
<text x="80" y="420" font-size="15" font-weight="700" fill="#0b0b0b">TL-SG105PE <tspan font-size="12.5" font-weight="400" fill="#52514e">NEW · dedicated CCTV island · mgmt 10.0.30.6 (Kea) · no VLAN table</tspan></text>
<g font-size="11.5" text-anchor="middle">
<rect x="80" y="432" width="120" height="40" rx="6" fill="#4a3aa7" fill-opacity="0.12" stroke="#4a3aa7"/>
<text x="140" y="449" font-weight="700" fill="#0b0b0b">camera · PoE</text>
<text x="140" y="465" fill="#52514e">any of P1–P4</text>
<rect x="212" y="432" width="120" height="40" rx="6" fill="#4a3aa7" fill-opacity="0.12" stroke="#4a3aa7"/>
<text x="272" y="449" font-weight="700" fill="#0b0b0b">→ R730 eno2</text>
<text x="272" y="465" fill="#52514e">uplink (P5)</text>
<rect x="344" y="432" width="120" height="40" rx="6" fill="#ffffff" stroke="#8a8984" stroke-dasharray="4,3"/>
<text x="404" y="449" fill="#52514e">3 × spare PoE</text>
<text x="404" y="465" fill="#52514e">future cameras</text>
</g>
<!-- TL-SG105E: existing garage switch, untouched -->
<rect x="64" y="496" width="512" height="116" rx="8" fill="#ffffff" stroke="#8a8984"/>
<text x="80" y="520" font-size="15" font-weight="700" fill="#0b0b0b">TL-SG105E · 192.168.1.6 <tspan font-size="12.5" font-weight="400" fill="#52514e">existing · no PoE · UNTOUCHED by this design</tspan></text>
<g font-size="11.5" text-anchor="middle">
<rect x="80" y="532" width="88" height="34" rx="6" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
<text x="124" y="553" fill="#0b0b0b">P1 · 1G</text>
<rect x="178" y="532" width="88" height="34" rx="6" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
<text x="222" y="553" fill="#0b0b0b">P2 · 100M</text>
<rect x="276" y="532" width="88" height="34" rx="6" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
<text x="320" y="553" fill="#0b0b0b">P3 · 100M</text>
<rect x="374" y="532" width="88" height="34" rx="6" fill="#ffffff" stroke="#8a8984" stroke-dasharray="4,3"/>
<text x="418" y="553" fill="#52514e">P4 · free</text>
<rect x="472" y="532" width="88" height="34" rx="6" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
<text x="516" y="553" fill="#0b0b0b">P5 · 1G</text>
</g>
<text x="80" y="590" font-size="12" fill="#52514e">1G ports: apartment uplink + R730 LAN1 · 100M ports: 4G router .7 (pfSense backup-WAN) + UPS mgmt</text>
<!-- PE -> eno2 patch (camera day, dashed) -->
<path d="M576,452 C630,452 640,478 676,490" fill="none" stroke="#52514e" stroke-width="2" stroke-dasharray="6,5" marker-end="url(#arrGray)"/>
<text x="592" y="440" font-size="12" fill="#52514e">patch</text>
<!-- E -> eno1 (existing R730 LAN1) -->
<path d="M576,522 C630,522 650,470 696,432" fill="none" stroke="#2a78d6" stroke-width="2" opacity="0.6"/>
<text x="604" y="516" font-size="12" fill="#2a78d6">R730 LAN1</text>
<!-- ═════════ R730 / PVE zone ═════════ -->
<rect x="680" y="330" width="880" height="440" rx="10" fill="#0b0b0b" fill-opacity="0.03" stroke="#b9b8b2"/>
<text x="696" y="356" font-size="13" font-weight="700" fill="#52514e" letter-spacing="1">DELL R730 — PVE HOST 192.168.1.127 (IN THE RACK)</text>
<!-- NIC/bridge chips on left edge -->
<g font-size="12">
<rect x="700" y="400" width="150" height="46" rx="6" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
<text x="712" y="419" font-weight="700" fill="#0b0b0b">eno1 → vmbr0</text>
<text x="712" y="436" fill="#52514e">LAN1 · vlan-aware</text>
<rect x="700" y="471" width="150" height="46" rx="6" fill="#4a3aa7" fill-opacity="0.12" stroke="#4a3aa7" stroke-width="2"/>
<text x="712" y="490" font-weight="700" fill="#0b0b0b">eno2 → vmbr2</text>
<text x="712" y="507" fill="#52514e">NEW · dedicated leg</text>
<rect x="700" y="542" width="150" height="46" rx="6" fill="#0b0b0b" fill-opacity="0.04" stroke="#8a8984"/>
<text x="712" y="561" font-weight="700" fill="#0b0b0b">vmbr1</text>
<text x="712" y="578" fill="#52514e">internal · tags 10/20</text>
</g>
<!-- pfSense VM -->
<rect x="890" y="388" width="300" height="230" rx="8" fill="#ffffff" stroke="#8a8984"/>
<text x="906" y="414" font-size="15" font-weight="700" fill="#0b0b0b">pfSense (VM 101)</text>
<text x="906" y="432" font-size="12" fill="#52514e">gateway + firewall for every segment</text>
<g font-size="12">
<rect x="906" y="444" width="268" height="34" rx="5" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
<text x="916" y="465" fill="#0b0b0b">net0 · WAN <tspan fill="#52514e">192.168.1.2 (home LAN)</tspan></text>
<rect x="906" y="484" width="268" height="34" rx="5" fill="#eda100" fill-opacity="0.14" stroke="#eda100"/>
<text x="916" y="505" fill="#0b0b0b">net1 · dManagementsVms <tspan fill="#52514e">10.0.10.1</tspan></text>
<rect x="906" y="524" width="268" height="34" rx="5" fill="#1baf7a" fill-opacity="0.12" stroke="#1baf7a"/>
<text x="916" y="545" fill="#0b0b0b">net2 · dKubernetes <tspan fill="#52514e">10.0.20.1</tspan></text>
<rect x="906" y="564" width="268" height="34" rx="5" fill="#4a3aa7" fill-opacity="0.12" stroke="#4a3aa7" stroke-width="2"/>
<text x="916" y="585" fill="#0b0b0b">net3 · dCCTV <tspan fill="#52514e">10.0.30.1/24 · NEW</tspan></text>
</g>
<!-- bridge attachments -->
<path d="M850,423 L890,458" fill="none" stroke="#2a78d6" stroke-width="1.6" opacity="0.6"/>
<path d="M850,494 L890,581" fill="none" stroke="#4a3aa7" stroke-width="2"/>
<path d="M850,565 L890,501" fill="none" stroke="#8a8984" stroke-width="1.6" opacity="0.6"/>
<path d="M850,565 L890,541" fill="none" stroke="#8a8984" stroke-width="1.6" opacity="0.6"/>
<!-- k8s VMs -->
<rect x="1240" y="388" width="290" height="230" rx="8" fill="#1baf7a" fill-opacity="0.07" stroke="#1baf7a"/>
<text x="1256" y="414" font-size="15" font-weight="700" fill="#0b0b0b">k8s VMs · 10.0.20.0/24</text>
<text x="1256" y="434" font-size="12.5" fill="#52514e">vmbr1 tag 20 · pod egress SNATs</text>
<text x="1256" y="450" font-size="12.5" fill="#52514e">to node IPs</text>
<rect x="1256" y="464" width="258" height="66" rx="6" fill="#ffffff" stroke="#1baf7a"/>
<text x="1268" y="486" font-size="13.5" font-weight="700" fill="#0b0b0b">Frigate · k8s-node1 (T4)</text>
<text x="1268" y="504" font-size="12" fill="#52514e">detect sub / record main</text>
<text x="1268" y="520" font-size="12" fill="#52514e">gpumem budget 2300 MiB</text>
<rect x="1256" y="540" width="258" height="52" rx="6" fill="#ffffff" stroke="#1baf7a"/>
<text x="1268" y="562" font-size="13.5" font-weight="700" fill="#0b0b0b">go2rtc LB 10.0.20.204</text>
<text x="1268" y="580" font-size="12" fill="#52514e">restream → HA live view (MSE/HLS)</text>
<!-- ═════════ HOME LAN zone ═════════ -->
<rect x="1148" y="128" width="412" height="180" rx="10" fill="#2a78d6" fill-opacity="0.06" stroke="#2a78d6" stroke-opacity="0.4"/>
<text x="1164" y="154" font-size="13" font-weight="700" fill="#52514e" letter-spacing="1">HOME LAN 192.168.1.0/24</text>
<rect x="1164" y="168" width="180" height="56" rx="6" fill="#ffffff" stroke="#2a78d6"/>
<text x="1176" y="190" font-size="13.5" font-weight="700" fill="#0b0b0b">AX6000 · .1</text>
<text x="1176" y="208" font-size="11.5" fill="#52514e">+ route 10.0.30.0/24 → .2</text>
<rect x="1164" y="236" width="180" height="52" rx="6" fill="#ffffff" stroke="#2a78d6"/>
<text x="1176" y="258" font-size="13.5" font-weight="700" fill="#0b0b0b">ha-sofia · .8</text>
<text x="1176" y="275" font-size="11.5" fill="#52514e">Frigate card + hikvision_next</text>
<rect x="1360" y="168" width="184" height="56" rx="6" fill="#ffffff" stroke="#2a78d6"/>
<text x="1372" y="190" font-size="13.5" font-weight="700" fill="#0b0b0b">apartment clients</text>
<text x="1372" y="208" font-size="11.5" fill="#52514e">laptops, phones</text>
<!-- AX6000 route badge (camera day) -->
<rect x="1360" y="236" width="184" height="52" rx="6" fill="#ffffff" stroke="#52514e" stroke-dasharray="5,4"/>
<text x="1372" y="256" font-size="11.5" font-weight="700" fill="#52514e">CAMERA DAY: static route</text>
<text x="1372" y="272" font-size="11.5" fill="#52514e">10.0.30.0/24 via 192.168.1.2</text>
<!-- home LAN -> pfSense WAN (via apartment uplink path) -->
<path d="M1254,308 C1150,352 950,372 790,400" fill="none" stroke="#2a78d6" stroke-width="2" opacity="0.6"/>
<text x="1010" y="374" font-size="12" fill="#2a78d6">apartment uplink · SG105E · eno1</text>
<!-- ═════════ FLOWS ═════════ -->
<!-- Frigate -> camera RTSP (allowed): sweeps under the rack, terminates at the camera box -->
<path d="M1256,497 C1010,690 330,730 120,650 C40,618 40,380 96,286" fill="none" stroke="#008300" stroke-width="3" marker-end="url(#arrGreen)"/>
<text x="620" y="700" font-size="13.5" font-weight="700" fill="#008300">ALLOW · Frigate → camera RTSP :554 (routed k8s → dCCTV; opt1 allow-all)</text>
<!-- HA -> camera (allowed, via AX6000 route + WAN rules): labels above, arc dips below them -->
<path d="M1164,262 C820,282 470,268 302,176 C286,167 278,166 270,172" fill="none" stroke="#008300" stroke-width="3" marker-end="url(#arrGreen)"/>
<text x="484" y="216" font-size="13.5" font-weight="700" fill="#008300">ALLOW · ha-sofia → camera :80 ISAPI + :554</text>
<text x="484" y="234" font-size="12" fill="#52514e">enters pfSense WAN · reply-to off · needs the AX6000 route</text>
<!-- camera -> NTP (allowed) -->
<path d="M280,232 C660,200 860,320 936,386" fill="none" stroke="#008300" stroke-width="2" opacity="0.85" marker-end="url(#arrGreen)"/>
<text x="740" y="322" font-size="12.5" font-weight="700" fill="#008300">ALLOW · camera → 10.0.30.1:123 (NTP)</text>
<!-- ═════════ LEGEND ═════════ -->
<g transform="translate(40,800)" font-size="12.5">
<rect x="0" y="0" width="18" height="18" rx="4" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
<text x="26" y="14" fill="#0b0b0b">home LAN 192.168.1.0/24</text>
<rect x="230" y="0" width="18" height="18" rx="4" fill="#4a3aa7" fill-opacity="0.12" stroke="#4a3aa7" stroke-width="2"/>
<text x="256" y="14" fill="#0b0b0b">CCTV island / dCCTV 10.0.30.0/24</text>
<rect x="510" y="0" width="18" height="18" rx="4" fill="#1baf7a" fill-opacity="0.12" stroke="#1baf7a"/>
<text x="536" y="14" fill="#0b0b0b">dKubernetes</text>
<rect x="650" y="0" width="18" height="18" rx="4" fill="#eda100" fill-opacity="0.14" stroke="#eda100"/>
<text x="676" y="14" fill="#0b0b0b">dManagementsVms</text>
<line x1="830" y1="9" x2="870" y2="9" stroke="#008300" stroke-width="3" marker-end="url(#arrGreen)"/>
<text x="880" y="14" fill="#0b0b0b">allowed flow</text>
<line x1="990" y1="9" x2="1030" y2="9" stroke="#e34948" stroke-width="3" marker-end="url(#arrRed)"/>
<text x="1040" y="14" fill="#0b0b0b">denied</text>
<line x1="1110" y1="9" x2="1150" y2="9" stroke="#52514e" stroke-width="2" stroke-dasharray="6,5"/>
<text x="1160" y="14" fill="#0b0b0b">camera-day step</text>
<text x="1330" y="14" fill="#52514e">ADR-0017 · rev 2</text>
</g>
</svg>