Status: Planned
Category: Core Infrastructure

Objective

Get the new switch in place, VLANs properly configured with firewall rules, and verify connectivity before any services move.

Entry Criteria

Phase 0 complete — all hardware racked and powered

VLAN Design

| VLAN ID | Name | Subnet | Members & Purpose |
|---|---|---|---|
| 10 | Management | 192.168.10.0/24 | Proxmox hosts, NAS management, UniFi switch, UDM-SE. Strict access — management devices only. |
| 20 | Trusted | 192.168.20.0/24 | Personal laptops, phones, trusted devices. Current v2 services live here during migration — left untouched. |
| 30 | Services | 192.168.30.0/24 | All v3 VMs and LXCs. docker-prod-01, auth-prod-01, immich-prod-01, PBS, AdGuard LXCs. |
| 40 | IoT | 192.168.40.0/24 | Smart home devices, printers, anything untrusted. Internet access only. No inter-VLAN. |

VLAN 1 Not Used: VLAN 1 (default untagged) will NOT be used as the management VLAN. A dedicated VLAN ID is assigned to management to avoid devices landing on it accidentally.

IP Address Plan

VLAN 10 — Management (192.168.10.0/24)

| Device | IP | Notes |
|---|---|---|
| UDM-SE | 192.168.10.1 | Gateway — already configured |
| Core Switch (UniFi) | 192.168.10.2 | Management interface |
| nas-prod-01 (Unraid) | 192.168.10.10 | Management/NFS interface |
| pve-prod-01 (MS-A2) | 192.168.10.11 | Proxmox management UI |
| pve-prod-02 (Optiplex) | 192.168.10.12 | Proxmox management UI |
| pi-prod-01 (Raspberry Pi) | 192.168.10.20 | QDevice + monitoring |

VLAN 30 — Services (192.168.30.0/24)

| Device | IP | Notes |
|---|---|---|
| dns-prod-01 (AdGuard LXC) | 192.168.30.10 | Primary DNS — AdGuard Home |
| docker-prod-01 (media/apps VM) | 192.168.30.11 | All media stack containers behind Traefik |
| pbs-prod-01 (PBS VM) | 192.168.30.12 | Proxmox Backup Server |
| auth-prod-01 (Authentik VM) | 192.168.30.13 | Authentik IdP — dedicated VM |
| immich-prod-01 (Immich VM) | 192.168.30.14 | Immich — isolated for resource tuning |
| dns-prod-02 (AdGuard LXC) | 192.168.30.15 | Secondary DNS — synced from dns-prod-01 |

Tasks

1. Adopt New Switch

  • Adopt new UniFi switch into UDM-SE
  • Assign static IP 192.168.10.2

2. Create VLANs

  • VLAN 10 (Management, 192.168.10.0/24)
  • VLAN 20 (Trusted, 192.168.20.0/24)
  • VLAN 30 (Services, 192.168.30.0/24)
  • VLAN 40 (IoT, 192.168.40.0/24)
  • Verify Management VLAN is NOT VLAN 1 — test and confirm in UniFi

3. Assign Static IPs

  • UDM-SE at 192.168.10.1
  • Switch at 192.168.10.2
  • NAS at 192.168.10.10
  • Proxmox nodes at 192.168.10.11 and 192.168.10.12
  • Pi at 192.168.10.20

4. Migrate IoT Devices

Migrate 7 existing IoT devices from 192.168.30.0 → VLAN 40 (192.168.40.0/24)

5. Configure VLAN Trunks

Configure VLAN trunk ports to Proxmox hosts (MS-A2 and Optiplex)

6. Configure Firewall Rules

See Inter-VLAN Firewall Rules section below

7. Validate Connectivity

  • Test: laptop on Trusted VLAN can reach Proxmox UI
  • Test: IoT device cannot ping anything on Trusted or Services
  • Test: Trusted VLAN can reach Services VLAN
  • Test: Management VLAN only reachable from Trusted on specific ports (8006, 22, 443)

Inter-VLAN Firewall Rules

Rules enforced at UDM-SE. Default policy is DENY ALL inter-VLAN. Explicit ALLOW rules only.

| Source | Destination | Port / Protocol | Action | Reason |
|---|---|---|---|---|
| Trusted (20) | Services (30) | Any | ALLOW | Users reach internal services |
| Trusted (20) | Management (10) | TCP 8006, 22, 443 | ALLOW | Admin access to Proxmox, SSH, NAS UI |
| Services (30) | Services (30) | Any | ALLOW | Inter-service communication |
| Services (30) | Trusted (20) | Any | DENY | Services cannot initiate to user devices |
| Services (30) | Management (10) | Any | DENY | Services cannot touch infra management |
| IoT (40) | Any internal | Any | DENY | IoT fully isolated from all internal VLANs |
| Any | Internet | Any | ALLOW | All VLANs can reach WAN unless blocked |

IoT Isolation: IoT VLAN has Internet access only. No inter-VLAN routing to Trusted, Services, or Management. Smart home devices cannot reach internal services.

Validation Tests

1. Test 1: Trusted → Services

From laptop on Trusted VLAN (192.168.20.x), ping future Services VLAN IPs (192.168.30.x). Should succeed.

2. Test 2: Trusted → Management

From laptop on Trusted VLAN, access Proxmox UI at https://192.168.10.11:8006. Should succeed.

3. Test 3: IoT → Trusted

From IoT device on VLAN 40, ping laptop on Trusted VLAN. Should fail (blocked by firewall).

4. Test 4: IoT → Internet

From IoT device on VLAN 40, ping 8.8.8.8. Should succeed.

5. Test 5: Services → Management

From future Services VLAN VM, attempt SSH to 192.168.10.10. Should fail (blocked by firewall).
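A policy model of the inter-VLAN rule table and the five validation tests above, added here as an example (it is not the project's own configuration or a UDM-SE export). It assumes first-match evaluation with a trailing default deny, as the rules section states, and does not model stateful return traffic, so each verdict covers only the initiating direction; the sample IPs are constructed.

```python
import ipaddress

# Constructed model of this phase's VLAN plan (added example, not the live config).
VLANS = {
    "Management": ipaddress.ip_network("192.168.10.0/24"),
    "Trusted": ipaddress.ip_network("192.168.20.0/24"),
    "Services": ipaddress.ip_network("192.168.30.0/24"),
    "IoT": ipaddress.ip_network("192.168.40.0/24"),
}

# (source, destination, protocol, ports, action), evaluated top to bottom, first match
# wins. None means "Any"; "*" matches every source; "*internal" matches every VLAN.
RULES = [
    ("Trusted", "Services", None, None, "ALLOW"),
    ("Trusted", "Management", "tcp", {8006, 22, 443}, "ALLOW"),
    ("Services", "Services", None, None, "ALLOW"),
    ("Services", "Trusted", None, None, "DENY"),
    ("Services", "Management", None, None, "DENY"),
    ("IoT", "*internal", None, None, "DENY"),
    ("*", "Internet", None, None, "ALLOW"),
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in net), "Internet")

def evaluate(src_ip, dst_ip, proto="icmp", port=None):
    """ALLOW/DENY for a new flow; no matching rule means the default DENY."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r_src, r_dst, r_proto, r_ports, action in RULES:
        src_ok = r_src in ("*", src)
        dst_ok = (dst != "Internet") if r_dst == "*internal" else (r_dst == dst)
        proto_ok = r_proto is None or r_proto == proto
        port_ok = r_ports is None or port in r_ports
        if src_ok and dst_ok and proto_ok and port_ok:
            return action
    return "DENY"  # default policy: deny all inter-VLAN traffic

def run_validation_tests():
    # The five tests from this phase plus one extra row showing the default deny
    # catching a Trusted -> Management port that no explicit rule allows.
    cases = [
        ("Test 1: Trusted -> Services", "ALLOW", evaluate("192.168.20.50", "192.168.30.11")),
        ("Test 2: Trusted -> Management", "ALLOW", evaluate("192.168.20.50", "192.168.10.11", "tcp", 8006)),
        ("Test 3: IoT -> Trusted", "DENY", evaluate("192.168.40.7", "192.168.20.50")),
        ("Test 4: IoT -> Internet", "ALLOW", evaluate("192.168.40.7", "8.8.8.8")),
        ("Test 5: Services -> Management", "DENY", evaluate("192.168.30.11", "192.168.10.10", "tcp", 22)),
        ("Extra: Trusted -> Management TCP 80", "DENY", evaluate("192.168.20.50", "192.168.10.10", "tcp", 80)),
    ]
    return [(name, expected, actual, expected == actual) for name, expected, actual in cases]
```

Run `run_validation_tests()` whenever the rule table changes; any row whose last field is False means the written policy no longer matches the exit criteria.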

Exit Criteria

  • VLAN 10, 20, 30, 40 visible in UniFi
  • Management VLAN is NOT VLAN 1
  • DHCP enabled on each VLAN with correct subnet
  • Default deny policy active
  • All explicit ALLOW rules configured
  • All 5 validation tests pass
  • IoT VLAN cannot reach any internal VLAN
  • Services VLAN cannot reach Management VLAN
  • Services VLAN cannot initiate to Trusted VLAN

Next Phase

Phase 2 — NAS Build & Storage Commissioning

Unraid installation, pool creation, and NFS exports
