Network Topology
Last updated: 2026-06-22
Source notes:
- unifi/HANDOFF.md
- unifi/topology/README.md
- unifi/security/PORT_FORWARDS.md
- pihole/HANDOFF.md
- synology/HANDOFF.md
- google-cloud-dns/README.md
Current Best Understanding
```mermaid
flowchart TB
Internet["Internet"]
Frontier["Frontier Fiber\n5GbE symmetric service reported"]
DNSPublic["Google Cloud DNS\nravick5.com"]
UDM["UDM SE / Dream Machine Special Edition\nLAN gateway: 10.0.0.1\nWAN observed: 47.204.57.28"]
Switch["USW Pro 48\n10.0.0.99"]
subgraph LAN["Primary LAN: 10.0.0.0/24"]
Synology["Synology NAS\n10.0.0.119\nVick-NAS"]
Desktop["Gaming/Desktop PC\n5GbE reported\nP: -> \\\\10.0.0.119\\data"]
Pi4["PiHolePi4\n10.0.0.195\nRaspberry Pi 4\nPrimary/peer DNS"]
Pi4B["PiHole4B\n10.0.0.132\nRaspberry Pi 4\nSecondary/peer DNS"]
APDesk["Desk Side U7-Pro\n10.0.0.159"]
APDining["Dining Room U7-Pro\n10.0.0.242"]
Grafana["Grafana / Prometheus\n10.0.0.119:3000 / :9090\ninternal only"]
Clients["LAN/Wi-Fi Clients\ntracked by weekly UniFi inventory\nlatest report 2026-06-21"]
end
Internet --> Frontier --> UDM --> Switch
Switch --> Synology
Switch --> Desktop
Switch --> Pi4
Switch --> Pi4B
Switch --> APDesk
Switch --> APDining
Synology --> Grafana
APDesk -. Wi-Fi .-> Clients
APDining -. Wi-Fi .-> Clients
Clients --> Pi4
Clients --> Pi4B
DNSPublic -->|"ravick5.com / internal.ravick5.com\nrequest-app aliases"| UDM
UDM -->|"80/443 -> 8088/8443\nCaddy reverse proxy"| Synology
UDM -->|"32400 Plex\n80/443 Caddy reverse proxy\nPlex Test/Minecraft removal approved; verify live state"| Synology
```
Public Port Forwards Observed
```mermaid
flowchart LR
Internet["Internet"]
UDM["UDM SE\nPort forwarding"]
NAS["Synology\n10.0.0.119"]
Caddy["Caddy reverse proxy\nhost ports 8088/8443"]
Seerr["Seerr\ncontainer port 5055"]
Plex["Plex\n32400"]
MC["Minecraft Bedrock\n19131/19132"]
Internet --> UDM
UDM -->|"80 -> 8088\n443 -> 8443\nrequest app HTTPS"| Caddy
Caddy --> Seerr
UDM -->|"32400 -> 32400\nPlex"| Plex
UDM -.-|"remove: 32401 -> 32400\nPlex Test"| Plex
UDM -.-|"disabled: 80 -> 5055\nOverseerr direct exposure"| NAS
UDM -.-|"disabled: 443 -> 5055\nNamed HTTPS Routing"| NAS
UDM -.-|"disabled: 5055 -> 5055\nOverseerr direct exposure"| NAS
UDM -.-|"disabled: 6881 -> 6881\nqBittorrent relic"| NAS
UDM -.-|"disable: 19131 / 19132\nMinecraft servers"| MC
UDM -.-|"disabled: 19191\nMinecraft Oneblock"| NAS
```
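
As an added example (not part of the original notes or of any UniFi tooling), the check below compares a list of port-forward rules with the forwards the diagram above marks as active and reports every other enabled forward, plus any expected forward that is missing. The rule dictionary layout, the rule names and the Minecraft target address are constructed for illustration and are not the UniFi export schema.

```python
NAS = "10.0.0.119"
# Forwards the diagram shows as active: (WAN port, LAN IP, LAN port).
ALLOWED = {(80, NAS, 8088), (443, NAS, 8443), (32400, NAS, 32400)}

def expand_ports(spec):
    """Expand '443', '19131-19132' or '80,443' into a sorted list of ints."""
    ports = set()
    for part in str(spec).split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port spec: {spec!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def audit(rules):
    """Return (unexpected, missing): enabled forwards not on the allowlist,
    and allowlisted forwards that no enabled rule provides."""
    live = {}
    for r in rules:
        if not r["enabled"]:
            continue  # a disabled rule exposes nothing
        wan, lan = expand_ports(r["wan"]), expand_ports(r["lan"])
        if len(lan) == 1:
            lan = lan * len(wan)  # several WAN ports mapped onto one LAN port
        if len(lan) != len(wan):
            raise ValueError(f"port count mismatch in {r['name']!r}")
        for w, l in zip(wan, lan):
            live[(w, r["ip"], l)] = r["name"]
    unexpected = sorted((k, n) for k, n in live.items() if k not in ALLOWED)
    missing = sorted(ALLOWED - set(live))
    return unexpected, missing

# Constructed sample: the state before the approved cleanup is applied.
SAMPLE = [
    {"name": "request app HTTP", "wan": "80", "ip": NAS, "lan": "8088", "enabled": True},
    {"name": "request app HTTPS", "wan": "443", "ip": NAS, "lan": "8443", "enabled": True},
    {"name": "Plex", "wan": "32400", "ip": NAS, "lan": "32400", "enabled": True},
    {"name": "Plex Test", "wan": "32401", "ip": NAS, "lan": "32400", "enabled": True},
    {"name": "Minecraft servers", "wan": "19131-19132", "ip": NAS, "lan": "19131-19132", "enabled": True},
    {"name": "qBittorrent relic", "wan": "6881", "ip": NAS, "lan": "6881", "enabled": False},
]

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE)
    for key, name in unexpected:
        print("UNEXPECTED", key, name)
    for key in missing:
        print("MISSING", key)
```
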
Client DNS Flow
```mermaid
flowchart LR
DHCP["UDM SE DHCP\nDefault LAN"]
Client["LAN/Wi-Fi client"]
Pi4["PiHolePi4\n10.0.0.195"]
Pi4B["PiHole4B\n10.0.0.132"]
Upstream["Current public upstream resolver set\nQuad9 helper prepared but live state needs verification"]
Internet["Internet DNS"]
DHCP -. "advertises DNS 1/2" .-> Client
Client -->|"DNS queries"| Pi4
Client -->|"fallback/secondary DNS"| Pi4B
Pi4 --> Upstream --> Internet
Pi4B --> Upstream --> Internet
```
Notes And Assumptions
- UniFi inventory captures these infrastructure devices: UDM SE, USW Pro 48,
  two U7-Pro APs, Synology, desktop/client devices, and Pi-holes. Latest
  weekly report bundle is reports/weekly-maintenance/20260621-073001.
- Exact physical switch ports, UDM-to-switch uplink speed, Synology link layout,
  and desktop negotiated speed still need confirmation.
- UniFi Default LAN DHCP is documented as handing out both Pi-hole IPs.
- Public DNS has explicit records; broad wildcard DNS was removed.
- Direct Overseerr/Seerr app-port public forwards are disabled. The active
  request-app path is through Caddy on Synology host ports 8088 and 8443.
- Grafana/Prometheus is internal only and should not be exposed publicly until
  a hardened identity-aware path is designed.
- Homepage, Audiobookshelf, and Kavita/Mylar3 are currently internal-only LAN
  services. Bazarr was retired from the active stack on 2026-06-14.

Open Follow-Ups
- Confirm WAN and LAN negotiated speeds.
- Confirm switch port map.
- Verify whether approved UniFi changes have removed
  Plex Test and disabled Minecraft public forwards. Keep qBittorrent public forward disabled.
- Add deeper UniFi WAN/AP/client counters to observability if a supported API
  exposes them cleanly.