Initial commit: homelab infrastructure wiki

- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
Hermes Agent
2026-05-24 16:08:40 -07:00
parent d132442429
commit e4d91aadf9
285 changed files with 30018 additions and 0 deletions


@@ -0,0 +1,162 @@
---
title: Device Placement Policy
created: 2026-05-10
updated: 2026-05-10
type: concept
tags: [iot, smart-home, concept, vlan, security, policy]
confidence: high
sources: [network-device-census, UniFi controller configuration]
---
# Device Placement Policy
> Defines which device classes belong on which VLAN, firewall rules required for cross-VLAN access, and the rationale for each placement decision.
## VLAN Architecture
```
┌─────────────────────────────────────────────────────────┐
│ UniFi Dream Machine │
│ 192.168.50.1 (Controller) │
├──────────┬──────────┬───────────┬──────────┬─────────────┤
│ VLAN 10 │ VLAN 20 │ VLAN 30 │ VLAN 50 │ Default │
│ Family │ Guest │ IoT │ Prod │ Mgmt │
│ .10.x │ .20.x │ .30.x │ .50.x │ .1.x │
└──────────┴──────────┴───────────┴──────────┴─────────────┘
```
## Device Class → VLAN Assignment
### VLAN 10 — "Family of D." (Personal Devices)
**Policy**: Trusted personal devices with full internal access. Phones, tablets, laptops, watches. No IoT devices unless they require direct phone access without firewall rules.
| Device Class | Examples | Rationale |
|-------------|----------|-----------|
| Phones | TophPhone14 (×3) | Need access to everything |
| Tablets | iPad | Personal use |
| Laptops | MacBook | Personal use |
| Watches | Apple Watch | Companion to phone |
| Baby monitors | Eufy cameras (×3) | **Exception**: Require constant phone access; avoid firewall complexity |
| RPi (personal) | Ice (.10.178 WiFi) | Personal use connection |
### VLAN 30 — "Will of D. IoT" (Smart Home + Infrastructure)
**Policy**: All IoT devices, smart home hardware, and infrastructure hosts that need inter-device communication. This is where [[panda]] and all smart home controllers live.
| Device Class | Examples | Rationale |
|-------------|----------|-----------|
| HA controller | [[panda]] (.30.196) | Central hub — needs access to all IoT |
| Zigbee/Thread hubs | [[home-assistant-connect-zbt-2]], [[aqara-hub-m3]] (.30.59) | Must reach Zigbee devices + HA |
| Voice assistants | Echo Dots (×4) | Matter controllers, need HA access |
| Media players | Apple TV (.30.234), LG TV (.30.79) | Controlled by HA + phones |
| Smart lighting | Shelly (×2), Govee (×5), TP-Link (×4) | WiFi actuators, HA-controlled |
| Climate | Nest Thermostat (.30.179) | HA + Google ecosystem |
| Air purifiers | Levoit Vital 200S (.30.21), AMWAY (.30.161) | WiFi appliances |
| Sensors/Locks | Aqara Zigbee devices (via hubs) | Non-IP, behind Zigbee coordinators |
| Cameras | Aqara Doorbell (.30.118), Camera Hub G3 (.30.113) | Aqara ecosystem, HA-managed |
| Robot vacuum | Eufy Omni C20 (.30.50) | WiFi appliance |
| Voice PE | HA Voice PE (.30.25) | ESPHome voice assistant |
| Sleep mat | Withings Rest (.30.177) | Health device |
| Infrastructure | Grizzley (.30.84), Ubuntu (.30.61), Ice (.30.197) | Also have .50.x on Production |
| NAS | TrueNAS (.30.11) | Also .50.12 on Production |
### VLAN 50 — "Production" (Server Infrastructure)
**Policy**: Server-to-server communication only. Infrastructure hosts carry dual NICs — .50.x for production traffic, .30.x for HA/IoT management.
| Device Class | Examples | Rationale |
|-------------|----------|-----------|
| Docker hosts | Ubuntu (.50.61), Grizzley (.50.84) | Production services |
| NAS | TrueNAS (.50.12) | Storage backend |
| Control plane | Ice (.50.197) | Gateway + monitoring |
| Proxmox | PVE (.50.11) | Hypervisor |
### VLAN 20 — "Will of D. (Guest)" (Guest Access)
**Policy**: Internet-only access, no internal device communication.
| Device Class | Examples | Rationale |
|-------------|----------|-----------|
| Guest phones | Any | Internet only |
| Solar monitor | SunPower (.20.190) | Internet-only reporting? ⚠️ Verify |
### Default — No VLAN (Management)
**Policy**: Network infrastructure management. Switches, wired-only devices without VLAN tagging.
| Device Class | Examples | Rationale |
|-------------|----------|-----------|
| Managed switch | TP-Link SG108PE (.1.92) | Switch management |
| Unknown wired | HYTERevolt (.1.143), VectorPro (.1.77) | Unidentified — investigate |
## Cross-VLAN Firewall Rules
Current state and recommended rules:
### Required (Missing)
| Source | Destination | Ports | Purpose | Priority |
|--------|------------|-------|---------|----------|
| VLAN 10 | VLAN 30:8123 | TCP 8123 | Phone → HA dashboard | High |
| VLAN 10 | VLAN 30:443 | TCP 443 | Phone → Traefik ingress to HA | High |
| VLAN 10 | VLAN 30 (Eufy) | Eufy app ports | Phone → Baby cameras | Medium |
| VLAN 50 | VLAN 30 | All | Server ↔ IoT management | Medium |
| VLAN 30 | VLAN 50 | All | IoT → Storage (NFS, S3) | Medium |
### Already Working (Same VLAN)
| Source → Dest | VLAN | Why it works |
|--------------|------|-------------|
| Phone → Eufy cameras | 10 → 10 | Same VLAN, no firewall needed |
| HA → All IoT devices | 30 → 30 | Same VLAN, no firewall needed |
| Echo → Alexa cloud | 30 → Internet | Outbound allowed by default |
| Nest → Google cloud | 30 → Internet | Outbound allowed by default |
## Placement Decision Tree
```
New device arrives
├── Is it a personal phone/tablet/laptop/watch?
│ └── YES → VLAN 10
├── Is it a server or infrastructure host?
│ ├── YES → Dual: VLAN 50 (production) + VLAN 30 (management)
│ └── NO ↓
├── Is it an IoT device managed by HA?
│ ├── YES → VLAN 30
│ └── NO ↓
├── Does it need direct phone access WITHOUT HA?
│ ├── YES → VLAN 10 (with note: add to HA if possible)
│ └── NO ↓
├── Is it a guest device?
│ ├── YES → VLAN 20
│ └── NO ↓
└── Unknown → VLAN 30 (IoT) + investigate
```
## Exceptions & Rationale
| Device | Expected VLAN | Actual VLAN | Reason |
|--------|-------------|-------------|--------|
| Eufy Baby Cameras (×3) | 30 | 10 | Phone accessibility without firewall rules |
| SunPower Solar Monitor | 30 or 10 | 20 | Possibly internet-only reporting; verify |
| HYTERevolt | 10 or 50 | Default | Unknown device — needs identification |
| VectorPro | 50 | Default | Unknown device — needs identification |
## Migration Checklist
If moving Eufy cameras to VLAN 30 for better segmentation:
1. Reserve IPs on VLAN 30 for 3 Eufy cameras
2. Add UniFi firewall rule: VLAN 10 → VLAN 30, allow Eufy app ports (TCP 8006, 8080, 9000 — verify with Eufy docs)
3. Add UniFi firewall rule: VLAN 10 → VLAN 30, allow mDNS (UDP 5353) for device discovery
4. Reconnect cameras to IoT SSID
5. Test phone app access from VLAN 10
6. Update [[network-device-census]] with new IPs
## Related Pages
- [[network-device-census]] — Full device classification
- [[iot-device-inventory]] — IoT devices by room
- [[matter-multi-fabric]] — Matter ecosystem architecture
- [[smart-home-handbook]] — Operational handbook
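Review bot: the two "All" rows in the Required (Missing) table (VLAN 50 → VLAN 30 and VLAN 30 → VLAN 50) cancel the VLAN 30/50 split the rest of the page argues for, and the dual-NIC hosts listed under VLAN 50 (Ubuntu, Grizzley, Ice, TrueNAS) already bridge the two segments at the host, so an IoT device that compromises any one of them reaches Production no matter what the firewall says. Suggest replacing the two wildcard rows with per-service rules (the page itself names the needs: NFS and S3 for IoT → Storage, TCP 8123/443 toward HA in the other direction) and adding a sentence to the VLAN 50 policy stating which services may listen on the .30.x interface of those hosts, since "HA/IoT management" is the only justification given for that second NIC. Two smaller points: the decision tree ends with "Unknown → VLAN 30 (IoT) + investigate", yet the Exceptions table leaves HYTERevolt and VectorPro on the untagged management segment beside the managed switch, so the tree and the actual placement disagree and the two unidentified devices sit in the most sensitive position on the network; and migration step 3 ("allow mDNS (UDP 5353)") will not by itself give the phone app discovery of cameras on VLAN 30, because mDNS is link-local multicast that a unicast allow rule does not forward between VLANs, so the step should call for the UniFi controller's mDNS reflection setting (or rely on the app's direct-IP/cloud path) rather than a port rule.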