Viktor asked to verify free ports on the garage switch (192.168.1.6) before finalizing. Logging into it showed it is NOT the TL-SG105PE from the plan but a pre-existing non-PoE TL-SG105E with 4 of 5 ports in use (apartment uplink, R730 LAN1, 4G router, UPS) - the single-shared-switch port-VLAN design written earlier today was based on conflating the two devices. Corrected: the new TL-SG105PE carries ONLY camera + eno2 uplink (mgmt 10.0.30.6 inside the segment), the old switch is untouched, and no VLAN config exists anywhere. ADR, topology SVG and networking.md updated to match. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
<svg xmlns="http://www.w3.org/2000/svg" width="1600" height="880" viewBox="0 0 1600 880" font-family="system-ui, -apple-system, 'Segoe UI', Roboto, sans-serif">
|
||
<!-- ADR-0017 dCCTV topology (two-switch revision). Colors: reference dataviz
|
||
palette (light mode). blue #2a78d6 = home LAN · violet #4a3aa7 = dCCTV ·
|
||
aqua #1baf7a = dKubernetes · yellow #eda100 = dManagementsVms ·
|
||
green #008300 = allowed flow · red #e34948 = denied flow -->
|
||
<defs>
|
||
<marker id="arrGreen" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
|
||
<path d="M0,0 L10,5 L0,10 z" fill="#008300"/>
|
||
</marker>
|
||
<marker id="arrRed" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
|
||
<path d="M0,0 L10,5 L0,10 z" fill="#e34948"/>
|
||
</marker>
|
||
<marker id="arrGray" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="6" markerHeight="6" orient="auto-start-reverse">
|
||
<path d="M0,0 L10,5 L0,10 z" fill="#52514e"/>
|
||
</marker>
|
||
</defs>
|
||
|
||
<rect width="1600" height="880" fill="#fcfcfb"/>
|
||
|
||
<!-- title -->
|
||
<text x="40" y="42" font-size="26" font-weight="700" fill="#0b0b0b">ADR-0017 — CCTV segment on a dedicated pfSense leg</text>
|
||
<text x="40" y="66" font-size="15" fill="#52514e">Sofia/Vermont · as-built 2026-07-02 · dashed = camera-day · no VLANs anywhere — isolation is physical</text>
|
||
|
||
<!-- camera -> everything else (denied): kept above the zones, below the subtitle -->
|
||
<path d="M240,168 C520,104 900,104 1148,140" fill="none" stroke="#e34948" stroke-width="3" marker-end="url(#arrRed)"/>
|
||
<g transform="translate(560,111)">
|
||
<circle r="11" fill="#fcfcfb" stroke="#e34948" stroke-width="2.5"/>
|
||
<path d="M-5,-5 L5,5 M5,-5 L-5,5" stroke="#e34948" stroke-width="2.5"/>
|
||
</g>
|
||
<text x="588" y="100" font-size="13.5" font-weight="700" fill="#e34948">DENY · camera → LAN / other segments / internet (default deny on dCCTV)</text>
|
||
|
||
<!-- ═════════ GARAGE ENTRANCE zone ═════════ -->
|
||
<rect x="40" y="128" width="240" height="180" rx="10" fill="#4a3aa7" fill-opacity="0.06" stroke="#4a3aa7" stroke-opacity="0.35"/>
|
||
<text x="56" y="154" font-size="13" font-weight="700" fill="#52514e" letter-spacing="1">GARAGE ENTRANCE</text>
|
||
<rect x="64" y="170" width="192" height="112" rx="8" fill="#ffffff" stroke="#4a3aa7" stroke-width="2"/>
|
||
<text x="80" y="196" font-size="15" font-weight="700" fill="#0b0b0b">vermont-garage</text>
|
||
<text x="80" y="216" font-size="12.5" fill="#52514e">HiLook IPC-T241H-C · pure IR</text>
|
||
<text x="80" y="234" font-size="12.5" fill="#52514e">10.0.30.70 (Kea reservation)</text>
|
||
<text x="80" y="252" font-size="12.5" fill="#52514e">DNS: garage-cam.viktorbarzin.lan</text>
|
||
<text x="80" y="270" font-size="12.5" fill="#52514e">PoE from switch · cloud/P2P off</text>
|
||
|
||
<!-- camera cable to PE switch (camera day, dashed) -->
|
||
<path d="M160,308 L160,390" fill="none" stroke="#52514e" stroke-width="2" stroke-dasharray="6,5" marker-end="url(#arrGray)"/>
|
||
<text x="172" y="344" font-size="12" fill="#52514e">cat6 in conduit · PoE</text>
|
||
|
||
<!-- ═════════ RACK zone ═════════ -->
|
||
<rect x="40" y="360" width="560" height="265" rx="10" fill="#0b0b0b" fill-opacity="0.03" stroke="#b9b8b2"/>
|
||
<text x="56" y="384" font-size="13" font-weight="700" fill="#52514e" letter-spacing="1">RACK — GARAGE · TWO SWITCHES</text>
|
||
|
||
<!-- TL-SG105PE: NEW, dedicated CCTV island -->
|
||
<rect x="64" y="396" width="512" height="88" rx="8" fill="#4a3aa7" fill-opacity="0.05" stroke="#4a3aa7" stroke-width="2"/>
|
||
<text x="80" y="420" font-size="15" font-weight="700" fill="#0b0b0b">TL-SG105PE <tspan font-size="12.5" font-weight="400" fill="#52514e">NEW · dedicated CCTV island · mgmt 10.0.30.6 (Kea) · no VLAN table</tspan></text>
|
||
<g font-size="11.5" text-anchor="middle">
|
||
<rect x="80" y="432" width="120" height="40" rx="6" fill="#4a3aa7" fill-opacity="0.12" stroke="#4a3aa7"/>
|
||
<text x="140" y="449" font-weight="700" fill="#0b0b0b">camera · PoE</text>
|
||
<text x="140" y="465" fill="#52514e">any of P1–P4</text>
|
||
<rect x="212" y="432" width="120" height="40" rx="6" fill="#4a3aa7" fill-opacity="0.12" stroke="#4a3aa7"/>
|
||
<text x="272" y="449" font-weight="700" fill="#0b0b0b">→ R730 eno2</text>
|
||
<text x="272" y="465" fill="#52514e">uplink (P5)</text>
|
||
<rect x="344" y="432" width="120" height="40" rx="6" fill="#ffffff" stroke="#8a8984" stroke-dasharray="4,3"/>
|
||
<text x="404" y="449" fill="#52514e">3 × spare PoE</text>
|
||
<text x="404" y="465" fill="#52514e">future cameras</text>
|
||
</g>
|
||
|
||
<!-- TL-SG105E: existing garage switch, untouched -->
|
||
<rect x="64" y="496" width="512" height="116" rx="8" fill="#ffffff" stroke="#8a8984"/>
|
||
<text x="80" y="520" font-size="15" font-weight="700" fill="#0b0b0b">TL-SG105E · 192.168.1.6 <tspan font-size="12.5" font-weight="400" fill="#52514e">existing · no PoE · UNTOUCHED by this design</tspan></text>
|
||
<g font-size="11.5" text-anchor="middle">
|
||
<rect x="80" y="532" width="88" height="34" rx="6" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
|
||
<text x="124" y="553" fill="#0b0b0b">P1 · 1G</text>
|
||
<rect x="178" y="532" width="88" height="34" rx="6" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
|
||
<text x="222" y="553" fill="#0b0b0b">P2 · 100M</text>
|
||
<rect x="276" y="532" width="88" height="34" rx="6" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
|
||
<text x="320" y="553" fill="#0b0b0b">P3 · 100M</text>
|
||
<rect x="374" y="532" width="88" height="34" rx="6" fill="#ffffff" stroke="#8a8984" stroke-dasharray="4,3"/>
|
||
<text x="418" y="553" fill="#52514e">P4 · free</text>
|
||
<rect x="472" y="532" width="88" height="34" rx="6" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
|
||
<text x="516" y="553" fill="#0b0b0b">P5 · 1G</text>
|
||
</g>
|
||
<text x="80" y="590" font-size="12" fill="#52514e">1G ports: apartment uplink + R730 LAN1 · 100M ports: 4G router .7 (pfSense backup-WAN) + UPS mgmt</text>
|
||
|
||
<!-- PE -> eno2 patch (camera day, dashed) -->
|
||
<path d="M576,452 C630,452 640,478 676,490" fill="none" stroke="#52514e" stroke-width="2" stroke-dasharray="6,5" marker-end="url(#arrGray)"/>
|
||
<text x="592" y="440" font-size="12" fill="#52514e">patch</text>
|
||
|
||
<!-- E -> eno1 (existing R730 LAN1) -->
|
||
<path d="M576,522 C630,522 650,470 696,432" fill="none" stroke="#2a78d6" stroke-width="2" opacity="0.6"/>
|
||
<text x="604" y="516" font-size="12" fill="#2a78d6">R730 LAN1</text>
|
||
|
||
<!-- ═════════ R730 / PVE zone ═════════ -->
|
||
<rect x="680" y="330" width="880" height="440" rx="10" fill="#0b0b0b" fill-opacity="0.03" stroke="#b9b8b2"/>
|
||
<text x="696" y="356" font-size="13" font-weight="700" fill="#52514e" letter-spacing="1">DELL R730 — PVE HOST 192.168.1.127 (IN THE RACK)</text>
|
||
|
||
<!-- NIC/bridge chips on left edge -->
|
||
<g font-size="12">
|
||
<rect x="700" y="400" width="150" height="46" rx="6" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
|
||
<text x="712" y="419" font-weight="700" fill="#0b0b0b">eno1 → vmbr0</text>
|
||
<text x="712" y="436" fill="#52514e">LAN1 · vlan-aware</text>
|
||
|
||
<rect x="700" y="471" width="150" height="46" rx="6" fill="#4a3aa7" fill-opacity="0.12" stroke="#4a3aa7" stroke-width="2"/>
|
||
<text x="712" y="490" font-weight="700" fill="#0b0b0b">eno2 → vmbr2</text>
|
||
<text x="712" y="507" fill="#52514e">NEW · dedicated leg</text>
|
||
|
||
<rect x="700" y="542" width="150" height="46" rx="6" fill="#0b0b0b" fill-opacity="0.04" stroke="#8a8984"/>
|
||
<text x="712" y="561" font-weight="700" fill="#0b0b0b">vmbr1</text>
|
||
<text x="712" y="578" fill="#52514e">internal · tags 10/20</text>
|
||
</g>
|
||
|
||
<!-- pfSense VM -->
|
||
<rect x="890" y="388" width="300" height="230" rx="8" fill="#ffffff" stroke="#8a8984"/>
|
||
<text x="906" y="414" font-size="15" font-weight="700" fill="#0b0b0b">pfSense (VM 101)</text>
|
||
<text x="906" y="432" font-size="12" fill="#52514e">gateway + firewall for every segment</text>
|
||
<g font-size="12">
|
||
<rect x="906" y="444" width="268" height="34" rx="5" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
|
||
<text x="916" y="465" fill="#0b0b0b">net0 · WAN <tspan fill="#52514e">192.168.1.2 (home LAN)</tspan></text>
|
||
<rect x="906" y="484" width="268" height="34" rx="5" fill="#eda100" fill-opacity="0.14" stroke="#eda100"/>
|
||
<text x="916" y="505" fill="#0b0b0b">net1 · dManagementsVms <tspan fill="#52514e">10.0.10.1</tspan></text>
|
||
<rect x="906" y="524" width="268" height="34" rx="5" fill="#1baf7a" fill-opacity="0.12" stroke="#1baf7a"/>
|
||
<text x="916" y="545" fill="#0b0b0b">net2 · dKubernetes <tspan fill="#52514e">10.0.20.1</tspan></text>
|
||
<rect x="906" y="564" width="268" height="34" rx="5" fill="#4a3aa7" fill-opacity="0.12" stroke="#4a3aa7" stroke-width="2"/>
|
||
<text x="916" y="585" fill="#0b0b0b">net3 · dCCTV <tspan fill="#52514e">10.0.30.1/24 · NEW</tspan></text>
|
||
</g>
|
||
<!-- bridge attachments -->
|
||
<path d="M850,423 L890,458" fill="none" stroke="#2a78d6" stroke-width="1.6" opacity="0.6"/>
|
||
<path d="M850,494 L890,581" fill="none" stroke="#4a3aa7" stroke-width="2"/>
|
||
<path d="M850,565 L890,501" fill="none" stroke="#8a8984" stroke-width="1.6" opacity="0.6"/>
|
||
<path d="M850,565 L890,541" fill="none" stroke="#8a8984" stroke-width="1.6" opacity="0.6"/>
|
||
|
||
<!-- k8s VMs -->
|
||
<rect x="1240" y="388" width="290" height="230" rx="8" fill="#1baf7a" fill-opacity="0.07" stroke="#1baf7a"/>
|
||
<text x="1256" y="414" font-size="15" font-weight="700" fill="#0b0b0b">k8s VMs · 10.0.20.0/24</text>
|
||
<text x="1256" y="434" font-size="12.5" fill="#52514e">vmbr1 tag 20 · pod egress SNATs</text>
|
||
<text x="1256" y="450" font-size="12.5" fill="#52514e">to node IPs</text>
|
||
<rect x="1256" y="464" width="258" height="66" rx="6" fill="#ffffff" stroke="#1baf7a"/>
|
||
<text x="1268" y="486" font-size="13.5" font-weight="700" fill="#0b0b0b">Frigate · k8s-node1 (T4)</text>
|
||
<text x="1268" y="504" font-size="12" fill="#52514e">detect sub / record main</text>
|
||
<text x="1268" y="520" font-size="12" fill="#52514e">gpumem budget 2300 MiB</text>
|
||
<rect x="1256" y="540" width="258" height="52" rx="6" fill="#ffffff" stroke="#1baf7a"/>
|
||
<text x="1268" y="562" font-size="13.5" font-weight="700" fill="#0b0b0b">go2rtc LB 10.0.20.204</text>
|
||
<text x="1268" y="580" font-size="12" fill="#52514e">restream → HA live view (MSE/HLS)</text>
|
||
|
||
<!-- ═════════ HOME LAN zone ═════════ -->
|
||
<rect x="1148" y="128" width="412" height="180" rx="10" fill="#2a78d6" fill-opacity="0.06" stroke="#2a78d6" stroke-opacity="0.4"/>
|
||
<text x="1164" y="154" font-size="13" font-weight="700" fill="#52514e" letter-spacing="1">HOME LAN 192.168.1.0/24</text>
|
||
<rect x="1164" y="168" width="180" height="56" rx="6" fill="#ffffff" stroke="#2a78d6"/>
|
||
<text x="1176" y="190" font-size="13.5" font-weight="700" fill="#0b0b0b">AX6000 · .1</text>
|
||
<text x="1176" y="208" font-size="11.5" fill="#52514e">+ route 10.0.30.0/24 → .2</text>
|
||
<rect x="1164" y="236" width="180" height="52" rx="6" fill="#ffffff" stroke="#2a78d6"/>
|
||
<text x="1176" y="258" font-size="13.5" font-weight="700" fill="#0b0b0b">ha-sofia · .8</text>
|
||
<text x="1176" y="275" font-size="11.5" fill="#52514e">Frigate card + hikvision_next</text>
|
||
<rect x="1360" y="168" width="184" height="56" rx="6" fill="#ffffff" stroke="#2a78d6"/>
|
||
<text x="1372" y="190" font-size="13.5" font-weight="700" fill="#0b0b0b">apartment clients</text>
|
||
<text x="1372" y="208" font-size="11.5" fill="#52514e">laptops, phones</text>
|
||
<!-- AX6000 route badge (camera day) -->
|
||
<rect x="1360" y="236" width="184" height="52" rx="6" fill="#ffffff" stroke="#52514e" stroke-dasharray="5,4"/>
|
||
<text x="1372" y="256" font-size="11.5" font-weight="700" fill="#52514e">CAMERA DAY: static route</text>
|
||
<text x="1372" y="272" font-size="11.5" fill="#52514e">10.0.30.0/24 via 192.168.1.2</text>
|
||
|
||
<!-- home LAN -> pfSense WAN (via apartment uplink path) -->
|
||
<path d="M1254,308 C1150,352 950,372 790,400" fill="none" stroke="#2a78d6" stroke-width="2" opacity="0.6"/>
|
||
<text x="1010" y="374" font-size="12" fill="#2a78d6">apartment uplink · SG105E · eno1</text>
|
||
|
||
<!-- ═════════ FLOWS ═════════ -->
|
||
<!-- Frigate -> camera RTSP (allowed): sweeps under the rack, terminates at the camera box -->
|
||
<path d="M1256,497 C1010,690 330,730 120,650 C40,618 40,380 96,286" fill="none" stroke="#008300" stroke-width="3" marker-end="url(#arrGreen)"/>
|
||
<text x="620" y="700" font-size="13.5" font-weight="700" fill="#008300">ALLOW · Frigate → camera RTSP :554 (routed k8s → dCCTV; opt1 allow-all)</text>
|
||
|
||
<!-- HA -> camera (allowed, via AX6000 route + WAN rules): labels above, arc dips below them -->
|
||
<path d="M1164,262 C820,282 470,268 302,176 C286,167 278,166 270,172" fill="none" stroke="#008300" stroke-width="3" marker-end="url(#arrGreen)"/>
|
||
<text x="484" y="216" font-size="13.5" font-weight="700" fill="#008300">ALLOW · ha-sofia → camera :80 ISAPI + :554</text>
|
||
<text x="484" y="234" font-size="12" fill="#52514e">enters pfSense WAN · reply-to off · needs the AX6000 route</text>
|
||
|
||
<!-- camera -> NTP (allowed) -->
|
||
<path d="M280,232 C660,200 860,320 936,386" fill="none" stroke="#008300" stroke-width="2" opacity="0.85" marker-end="url(#arrGreen)"/>
|
||
<text x="740" y="322" font-size="12.5" font-weight="700" fill="#008300">ALLOW · camera → 10.0.30.1:123 (NTP)</text>
|
||
|
||
<!-- ═════════ LEGEND ═════════ -->
|
||
<g transform="translate(40,800)" font-size="12.5">
|
||
<rect x="0" y="0" width="18" height="18" rx="4" fill="#2a78d6" fill-opacity="0.12" stroke="#2a78d6"/>
|
||
<text x="26" y="14" fill="#0b0b0b">home LAN 192.168.1.0/24</text>
|
||
<rect x="230" y="0" width="18" height="18" rx="4" fill="#4a3aa7" fill-opacity="0.12" stroke="#4a3aa7" stroke-width="2"/>
|
||
<text x="256" y="14" fill="#0b0b0b">CCTV island / dCCTV 10.0.30.0/24</text>
|
||
<rect x="510" y="0" width="18" height="18" rx="4" fill="#1baf7a" fill-opacity="0.12" stroke="#1baf7a"/>
|
||
<text x="536" y="14" fill="#0b0b0b">dKubernetes</text>
|
||
<rect x="650" y="0" width="18" height="18" rx="4" fill="#eda100" fill-opacity="0.14" stroke="#eda100"/>
|
||
<text x="676" y="14" fill="#0b0b0b">dManagementsVms</text>
|
||
<line x1="830" y1="9" x2="870" y2="9" stroke="#008300" stroke-width="3" marker-end="url(#arrGreen)"/>
|
||
<text x="880" y="14" fill="#0b0b0b">allowed flow</text>
|
||
<line x1="990" y1="9" x2="1030" y2="9" stroke="#e34948" stroke-width="3" marker-end="url(#arrRed)"/>
|
||
<text x="1040" y="14" fill="#0b0b0b">denied</text>
|
||
<line x1="1110" y1="9" x2="1150" y2="9" stroke="#52514e" stroke-width="2" stroke-dasharray="6,5"/>
|
||
<text x="1160" y="14" fill="#0b0b0b">camera-day step</text>
|
||
<text x="1330" y="14" fill="#52514e">ADR-0017 · rev 2</text>
|
||
</g>
|
||
</svg>
|
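Review bot: The TL-SG105PE label puts its management address "mgmt 10.0.30.6 (Kea)" inside the same 10.0.30.0/24 broadcast domain as the camera "10.0.30.70 (Kea reservation)", so the "DENY · camera → LAN / other segments / internet (default deny on dCCTV)" arrow does not cover camera → switch management: that traffic stays on the switch's own L2 and never reaches the pfSense net3 rules the diagram describes. The diagram should say so where the switch is labelled, e.g. a second `<tspan>` reading `switch mgmt shares the camera L2 — not filtered by pfSense`, and the ADR should record whether this is closed on the switch itself (if the model offers any management-access restriction) or accepted as residual risk. Separately, the subtitle "no VLANs anywhere — isolation is physical" is contradicted within the same drawing by "eno1 → vmbr0 / LAN1 · vlan-aware" and "vmbr1 / internal · tags 10/20"; scoping it to the CCTV path, e.g. `no VLANs on the CCTV path — its isolation is physical`, keeps the claim consistent with the rest of the diagram and with the commit message's "no VLAN config" statement about the switches.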