Network Overview
Topology Summary
Traffic flows: Internet → pfSense (WAN) → UDM-Pro → LAN segments → Hosts
```text
INTERNET
   │
   ▼
pfSense (192.168.100.2)  ← secondary firewall / VPN gateway
   │ eth8 → 192.168.11.1
   ▼
UDM-Pro (Planet-Toys-Utah-Prod-UDM-Pro)
   WAN : 192.168.11.2 (eth8)
   LAN : 192.168.5.1 (br0 / vmbr0)
   VPN : 192.168.100.3/32 (WireGuard wg0)
   │
   ├─── 192.168.5.0/24 (Main LAN — all servers)
   │    PVE2, SOC, Energonhub, Pulse, PMG, ISPConfig…
   │
   ├─── 192.168.1.0/24 (PVE1 internal — via vmbr0 on PVE1)
   │    PVE1 host, all PVE1 CTs and VMs
   │
   ├─── 192.168.127.0/24 (VLAN 127 — Cloudflare tunnel segment)
   │    CF-HQ (192.168.127.55)
   │
   └─── 192.168.100.0/24 (WireGuard / pfSense tunnel)
        pfSense internal: 192.168.100.2
        UDM-Pro WG peer:  192.168.100.3
```
Subnets
| Subnet | Gateway | Purpose |
|---|---|---|
| 192.168.5.0/24 | 192.168.5.1 (UDM-Pro) | Main LAN: PVE2 and most services |
| 192.168.1.0/24 | 192.168.1.1 | PVE1 internal: PVE1 host and all PVE1 CTs and VMs |
| 192.168.11.0/24 | 192.168.11.1 (pfSense eth8) | WAN uplink between pfSense and UDM-Pro (UDM-Pro WAN is 192.168.11.2) |
| 192.168.100.0/24 | — (point-to-point: pfSense 192.168.100.2, UDM-Pro wg0 192.168.100.3) | WireGuard VPN tunnel |
| 192.168.127.0/24 | — | VLAN 127: Cloudflare Zero Trust segment |
| 172.17.0.0/16 | — | Docker internal (master-control, optination-phase-vault) |
Key Network Devices
| Device | IP | Role |
|---|---|---|
| UDM-Pro | 192.168.5.1 / 192.168.11.2 | Primary router, firewall, DHCP |
| pfSense | 192.168.100.2 | Secondary firewall, WireGuard endpoint |
| PVE2 | 192.168.5.114 | Proxmox node 2 (hypervisor) |
| PVE1 | 192.168.1.5 | Proxmox node 1 (hypervisor) |
| Energonhub | 192.168.5.9 | Monitoring hub (Grafana, Prometheus, etc.) |
| SOC | 192.168.5.211 | Security Operations Center (Wazuh manager) |
| Pulse | 192.168.5.145 | Network pulse / monitoring agent |
| CF-HQ | 192.168.127.55 | Cloudflare Zero Trust connector |
Routing
PVE1 (192.168.1.0/24) is reachable from PVE2 via the UDM-Pro. Both Proxmox hosts bridge traffic through vmbr0.
- PVE2 → PVE1: routed via 192.168.5.1 (UDM-Pro)
- Direct SSH from PVE2 to PVE1 uses key-based auth (/root/.ssh/id_rsa on PVE2). This is a root-to-root trust: anyone with root on PVE2 also gets root on PVE1, so treat that key like any other privileged credential.
- pfSense syslog is forwarded to SOC (192.168.5.211). The source networks 192.168.100.0/24 and 192.168.11.0/24 are whitelisted in Wazuh so the manager accepts messages from pfSense's tunnel and uplink addresses.
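The tables above are easy to let drift from the real network. The following check is an added example, not part of the original overview: it transcribes the subnets, device addresses and Wazuh syslog allow-list from this page into Python and verifies that every listed address sits in a documented subnet, that each pfSense interface address would pass the Wazuh allow-list, and that every gateway the page references is owned by a listed device. The check logic and the constant names (SUBNETS, DEVICES, WAZUH_ALLOWED, REFERENCED_GATEWAYS) are mine; only the addresses come from the page.

```python
"""Consistency check for the documented Planet Toys Utah network inventory.

Added example. Address data is transcribed from the Network Overview page;
the check functions are not part of the page or of any tool it mentions.
Runs stand-alone with Python 3 (standard library only).
"""
import ipaddress

# Subnets as documented in the "Subnets" table (constructed from the page).
SUBNETS = {
    "192.168.5.0/24": "Main LAN",
    "192.168.1.0/24": "PVE1 internal",
    "192.168.11.0/24": "WAN uplink pfSense <-> UDM-Pro",
    "192.168.100.0/24": "WireGuard tunnel",
    "192.168.127.0/24": "VLAN 127 Cloudflare Zero Trust",
    "172.17.0.0/16": "Docker internal",
}

# Device addresses from the "Key Network Devices" table plus the interface
# addresses shown in the topology diagram (constructed from the page).
DEVICES = {
    "UDM-Pro": ["192.168.5.1", "192.168.11.2", "192.168.100.3"],
    "pfSense": ["192.168.100.2", "192.168.11.1"],
    "PVE2": ["192.168.5.114"],
    "PVE1": ["192.168.1.5"],
    "Energonhub": ["192.168.5.9"],
    "SOC": ["192.168.5.211"],
    "Pulse": ["192.168.5.145"],
    "CF-HQ": ["192.168.127.55"],
}

# Source networks whitelisted in Wazuh for pfSense syslog ("Routing" section).
WAZUH_ALLOWED = ["192.168.100.0/24", "192.168.11.0/24"]

# Gateways the page references elsewhere (Subnets table, DNS section).
REFERENCED_GATEWAYS = {"192.168.5.0/24": "192.168.5.1", "192.168.1.0/24": "192.168.1.1"}


def subnet_of(ip, subnets=SUBNETS):
    """Return the documented subnet containing ip, or None if there is none."""
    addr = ipaddress.ip_address(ip)
    for net in subnets:
        if addr in ipaddress.ip_network(net):
            return net
    return None


def undocumented_hosts(devices=DEVICES, subnets=SUBNETS):
    """Device addresses that fall inside no documented subnet."""
    return sorted(ip for ips in devices.values() for ip in ips
                  if subnet_of(ip, subnets) is None)


def wazuh_allowed(src_ip, allowed=WAZUH_ALLOWED):
    """True if the Wazuh syslog allow-list would accept a message from src_ip."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed)


def pfsense_sources_not_allowed(devices=DEVICES, allowed=WAZUH_ALLOWED):
    """pfSense interface addresses whose syslog Wazuh would silently drop."""
    return [ip for ip in devices["pfSense"] if not wazuh_allowed(ip, allowed)]


def unowned_gateways(devices=DEVICES, gateways=REFERENCED_GATEWAYS):
    """Referenced gateway addresses that no listed device owns."""
    owned = {ip for ips in devices.values() for ip in ips}
    return sorted(gw for gw in gateways.values() if gw not in owned)


if __name__ == "__main__":
    print("addresses outside documented subnets:", undocumented_hosts())
    print("pfSense addresses not whitelisted in Wazuh:", pfsense_sources_not_allowed())
    print("referenced gateways with no device entry:", unowned_gateways())
```

Run as written, the first two checks come back empty, which is what the page claims. The third flags 192.168.1.1: the page names it as the gateway for 192.168.1.0/24 and as the primary DNS server, but no device in the inventory owns that address, so it is worth confirming which box (PVE1's vmbr0 or something else) actually answers there.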
DNS
- Primary DNS: 192.168.1.1 (gateway for 192.168.1.0/24)
- Internal search domain: planettoysutah.com
- Public DNS fallback: 1.1.1.1 / 8.8.8.8
External Connectivity
| Service | Details |
|---|---|
| Cloudflare Zero Trust | CF-HQ connector at 192.168.127.55, VLAN127 |
| WireGuard VPN | wg0 on UDM-Pro (192.168.100.3/32) |
| Wazuh SIEM | Inbound agent connections on port 1514, agent enrollment (authd) on port 1515; pfSense syslog accepted only from the whitelisted networks listed under Routing |
| Grafana | 192.168.5.9:3000 |
| Zabbix | PVE2 VM101 |