Network Topology#

VLAN Layout#

| VLAN ID | Name | Subnet | Purpose |
|---|---|---|---|
| 10 | management | 10.0.10.0/24 | Servers, NAS, infrastructure |
| 20 | workstations | 10.0.20.0/24 | Developer machines |
| 30 | iot | 10.0.30.0/24 | Smart home devices |
| 40 | guests | 10.0.40.0/24 | Guest Wi-Fi (isolated) |

DNS Configuration#

Pi-hole on hydrogen (10.0.10.10):

# /etc/dnsmasq.d/custom.conf
# Upstream resolvers for everything outside the local zone
server=1.1.1.1
server=8.8.8.8
# Never forward mrzk.io upstream; answer it from the records below only
local=/mrzk.io/
address=/hydrogen.mrzk.io/10.0.10.10
address=/helium.mrzk.io/10.0.10.20
address=/lithium.mrzk.io/10.0.10.30
# Service names used in the Traefik and UniFi sections; both run on helium
address=/traefik.mrzk.io/10.0.10.20
address=/unifi.mrzk.io/10.0.10.20

Traefik Reverse Proxy#

Docker Compose (helium):

version: '3.8'
services:
  traefik:
    image: traefik:v2.10
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only keeps Traefik from writing to the mounts; note the socket still
      # grants full Docker API access, so this container has to stay trusted
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      # Must exist before first start with mode 0600, or Traefik refuses to store certs
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mrzk.io`)"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      # If this router is meant to publish the Traefik dashboard it also needs
      # `api: {dashboard: true}` in traefik.yml and the label
      # traefik.http.routers.traefik.service=api@internal

traefik.yml:

entryPoints:
  web:
    address: ":80"
    http:
      # Everything on :80 is redirected to HTTPS
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Only containers that opt in with traefik.enable=true are published
    exposedByDefault: false

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@mrzk.io
      storage: /acme.json
      # HTTP-01 is validated from the public internet: each hostname must resolve
      # in public DNS to an address whose port 80 is forwarded to helium. Names that
      # exist only in Pi-hole's local zone need dnsChallenge with the DNS provider instead.
      httpChallenge:
        entryPoint: web

UniFi Integration#

Controller deployment (helium):

version: '3.8'
services:
  unifi-db:
    # The linuxserver image needs an external MongoDB. 127.0.0.1 inside the
    # UniFi container is its own loopback, so the database runs as a sibling
    # service that is reachable by name on the compose network.
    image: mongo:4.4   # pick a MongoDB version the UniFi release supports
    volumes:
      - ./unifi/db:/data/db
      # One-time init script that creates the unifi user with the password below;
      # its contents are given in the linuxserver/unifi-network-application README
      - ./init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro
    restart: unless-stopped
  unifi-network-application:
    image: lscr.io/linuxserver/unifi-network-application:latest
    depends_on:
      - unifi-db
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - MONGO_USER=unifi
      - MONGO_PASS=changeme   # placeholder, set a real password before deploying
      - MONGO_HOST=unifi-db
      - MONGO_PORT=27017
      - MONGO_DBNAME=unifi
    ports:
      - "8443:8443"         # web UI
      - "3478:3478/udp"     # STUN
      - "10001:10001/udp"   # device discovery
      - "8080:8080"         # device inform
      - "1900:1900/udp"     # L2 controller discovery (optional)
    volumes:
      - ./unifi/data:/config
    restart: unless-stopped

Access:

  • Web UI: https://unifi.mrzk.io:8443
  • SSH into APs/Switches via UniFi

Firewall Rules (UniFi Gateway)#

Default policy: deny inter-VLAN

Allow rules:

workstations → management: ports 22, 80, 443
workstations → internet: all
iot → internet: ports 80, 443 (no inbound)
guests → internet: ports 80, 443 (isolated)
management → internet: all
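The rule set above can be checked mechanically before it is typed into the gateway UI. The following Python is an added example (not UniFi's own configuration or API): it models the default-deny policy and the allow list from this page and evaluates a few constructed flows, assuming the listed ports are TCP.

```python
"""Policy model of the inter-VLAN rules above (an added example, not the UniFi
gateway's own configuration): default deny, plus the listed allow rules."""
import ipaddress

# VLAN table from the page; any address outside these subnets counts as "internet".
VLANS = {
    "management": ipaddress.ip_network("10.0.10.0/24"),
    "workstations": ipaddress.ip_network("10.0.20.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),
    "guests": ipaddress.ip_network("10.0.40.0/24"),
}

# (source zone, destination zone, allowed ports); None means any port.
# Assumption: the ports listed on the page are TCP.
ALLOW = [
    ("workstations", "management", {22, 80, 443}),
    ("workstations", "internet", None),
    ("iot", "internet", {80, 443}),
    ("guests", "internet", {80, 443}),
    ("management", "internet", None),
]

def zone_of(addr: str) -> str:
    """Map an IPv4 address to its VLAN name, or "internet" if it is in none."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in VLANS.items() if ip in net), "internet")

def is_allowed(src: str, dst: str, port: int) -> bool:
    """Decide whether a new flow src -> dst:port is permitted by the policy."""
    s, d = zone_of(src), zone_of(dst)
    if s == "internet":  # no rule allows inbound connections from outside
        return False
    if s == d:           # intra-VLAN traffic never crosses the gateway
        return True
    return any(rs == s and rd == d and (ports is None or port in ports)
               for rs, rd, ports in ALLOW)  # no match: default deny

def audit(flows):
    """Return the (src, dst, port) tuples whose verdict differs from expectation."""
    return [(s, d, p) for s, d, p, exp in flows if is_allowed(s, d, p) != exp]

# Constructed sample flows; 203.0.113.0/24 is a documentation range standing in for the internet.
SAMPLE_FLOWS = [
    ("10.0.20.5", "10.0.10.10", 22, True),      # workstation -> NAS over SSH
    ("10.0.20.5", "10.0.10.10", 53, False),     # no rule lets workstations query Pi-hole
    ("10.0.30.7", "10.0.10.20", 8443, False),   # IoT device -> UniFi controller
    ("10.0.30.7", "203.0.113.9", 8883, False),  # IoT -> cloud MQTT, not on the allow list
    ("10.0.40.9", "10.0.20.5", 443, False),     # guest -> developer machine
    ("203.0.113.9", "10.0.10.20", 443, False),  # inbound from the internet
]
```

As the second sample flow shows, only the management VLAN can reach Pi-hole on 10.0.10.10:53 under these rules; workstations, iot and guests need either a 53/udp allow toward hydrogen or DHCP that points them at the gateway as a DNS forwarder.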

Remote Access#

Option 1: UniFi Cloud

  • Enable UniFi Cloud Gateway
  • Access via UniFi mobile app
  • No port forwarding required

Option 2: WireGuard VPN

# docker-compose.yml
services:
  wireguard:
    image: linuxserver/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE   # only needed when the host kernel lacks a built-in wireguard module
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - SERVERURL=your-public-ip   # placeholder: public IP or DDNS name the peers connect to
      - SERVERPORT=51820
      - PEERS=3                    # generates peer1..peer3 configs and QR codes under ./wireguard
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules:ro   # lets the container load the module when SYS_MODULE is used
    ports:
      - "51820:51820/udp"   # this UDP port must be forwarded on the gateway to the host
    restart: unless-stopped

Option 3: Tailscale

# Install on all boxes
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up