# Networking
All network configuration for the Docker Swarm platform: VLANs, firewall rules, overlay networks, WiFi, and service discovery.
## VLAN Segmentation
| Name | VLAN ID | Subnet | SSID |
|---|---|---|---|
| Default | untagged | 192.168.1.0/24 | BaywoodLife |
| IOT | 2 | 192.168.2.0/24 | BaywoodIOT |
| Guest | 3 | 192.168.3.0/24 | -- |
| Office | 4 | 192.168.8.0/24 | BaywoodOffice |
| wm-print | 9 | 192.168.9.160/27 | WM-Print |
| apps-gateway | 50 | 192.168.50.0/24 | -- |
| apps-prod | 51 | 192.168.51.0/24 | -- |
| apps-staging | 52 | 192.168.52.0/24 | -- |
| apps-ci/cd | 53 | 192.168.53.0/24 | -- |
| apps-monitoring | 54 | 192.168.54.0/24 | -- |
- VLAN 50 (Gateway) -- External-facing. Only apps-gateway lives here. Internet traffic enters via Cloudflare -> UDM firewall -> this VLAN.
- VLAN 51 (Internal) -- All other swarm nodes. Internal cluster communication, data services, development.
## Gateway
| Property | Value |
|---|---|
| Device | UDM "Baywood" |
| MAC | e4:38:83:78:30:b5 |
| WAN IP | 47.201.166.4 (Frontier Communications) |
| Firmware | 5.0.12.30269 |
Ports in use: 3 (IOT), 4 (IOT/HDHomeRun), 7 (Office), 8 (trunk to switch), 9, 11 (SFP+ to switch)
## Switch
| Property | Value |
|---|---|
| Device | USW Pro Max 16 PoE |
| IP | 192.168.1.201 |
| MAC | 28:70:4e:32:6f:77 |
| Firmware | 7.2.123.16565 |
| Uplink | Port 17 (SFP+ 10Gbps to UDM) |
Port assignments: 1 = IOT VLAN (Zigbee coordinator SLZB-06M), 8 = Trunk (Proxmox VMs), 14 = Default VLAN
## Access Points
| AP | IP | Firmware | 2.4 GHz | 5 GHz | 6 GHz | Status |
|---|---|---|---|---|---|---|
| Family Room | 192.168.1.60 | 8.4.6 | ch 1 | ch 44 (160MHz) | ch 117 | online |
| Upstairs | 192.168.1.21 | 8.4.6 | ch 6 | ch 36 (80MHz) | ch 69 | online |
| Office | 192.168.1.8 | 8.4.6 | ch 11 | ch 149 (80MHz) | ch 37 | online |
| AC Mesh | 192.168.1.165 | 6.6.77 | ch 6 (high/20dBm) | ch 100 (auto/20dBm) | -- | online |
The AC Mesh is in the master bedroom (temporary, hanging from its power cord) and connects wirelessly via mesh to the Family Room AP on 5GHz ch 100. It provides coverage for the Apple TV (866M on 5GHz) and the backyard camera through a concrete wall.
## AP Power Settings
| AP | 2.4 GHz | 5 GHz | Min RSSI |
|---|---|---|---|
| Family Room | medium (14dBm) | auto (24dBm) | -75dBm (both radios) |
| Upstairs | medium (14dBm) | auto (26dBm) | -75dBm (both radios) |
| Office | medium (14dBm) | auto (26dBm) | -75dBm (both radios) |
| AC Mesh | high (20dBm) | auto (20dBm) | disabled |
Min RSSI on AC Mesh
Min RSSI is disabled on AC Mesh because it was kicking the Apple TV at -76dBm. AC Mesh power is set to high (20dBm) on 2.4GHz to cover the backyard camera through concrete.
WiFi Optimization Applied
2.4 GHz channels set to 1/6/11 to eliminate co-channel interference (previously all on channel 6). 802.11r enabled on BaywoodOffice for faster laptop roaming. BaywoodIOT changed to dual-band (was 2.4 only). WPA3 transition disabled on BaywoodIOT (it broke the Apple TV connection). 802.11r on BaywoodIOT still needs to be enabled through the UI (the setting does not persist when applied via the API).
## WiFi SSIDs
| SSID | Band | 802.11r | 802.11v | Notes |
|---|---|---|---|---|
| BaywoodLife | dual-band | yes | yes | Main household |
| BaywoodIOT | dual-band | no | no | IoT devices |
| BaywoodOffice | dual-band | yes | yes | Office VLAN |
| WM-Mobile | 2.4 only | no | no | Work mobile |
| WM-Print | dual-band | no | yes | Work print |
## Firewall Rules
### UDM Firewall (Edge)
- Port 80 -> 192.168.50.10:80 (Traefik HTTP)
- Port 443 -> 192.168.50.10:443 (Traefik HTTPS)
- All other ports blocked from internet
### Inter-VLAN Rules (v2 Traffic Rules)
- Block IOT to all private: IOT VLAN cannot initiate connections to Default, Office, or any apps VLANs
- Block Guest to all private: Guest VLAN cannot reach any internal network including IOT
- mDNS reflector: Enabled (mode=all) for cross-VLAN discovery (allows Chromecast, AirPlay, etc.)
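Policy-as-code model of the edge forwards and inter-VLAN rules above, added here as an example (not the UDM's configuration): it returns the verdict the firewall is expected to give for a new connection, so a connectivity probe run from each VLAN can be compared against it. Assumptions: "all private" means every site subnet in the VLAN table, flows matching no listed rule are allowed (UniFi's default), and the mDNS reflector is out of scope because it is not a routed flow.

```python
from ipaddress import ip_address, ip_network

# Site subnets, copied from the VLAN table.
VLANS = {
    "Default": "192.168.1.0/24", "IOT": "192.168.2.0/24", "Guest": "192.168.3.0/24",
    "Office": "192.168.8.0/24", "wm-print": "192.168.9.160/27",
    "apps-gateway": "192.168.50.0/24", "apps-prod": "192.168.51.0/24",
    "apps-staging": "192.168.52.0/24", "apps-ci/cd": "192.168.53.0/24",
    "apps-monitoring": "192.168.54.0/24",
}
VLANS = {name: ip_network(cidr) for name, cidr in VLANS.items()}
SITE = ip_network("192.168.0.0/16")        # anything outside is "the internet"
TRAEFIK = ip_address("192.168.50.10")      # the UDM forwards 80/443 here
EDGE_FORWARDS = {80, 443}


def vlan_of(ip):
    """VLAN name for an address; 'unmapped' for a site address outside every
    listed subnet; None for an internet address."""
    ip = ip_address(ip)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "unmapped" if ip in SITE else None


def verdict(src, dst, dport):
    """Expected (allowed, rule) for a NEW connection src -> dst:dport.
    Assumption: 'all private' in the v2 rules means every site subnet."""
    s, d = vlan_of(src), vlan_of(dst)
    if "unmapped" in (s, d):
        return False, "address not in VLAN table"
    if s is None:                            # inbound from the internet
        if ip_address(dst) == TRAEFIK and dport in EDGE_FORWARDS:
            return True, "UDM edge: forwarded to Traefik"
        return False, "UDM edge: all other ports blocked"
    if d is None:
        return True, "outbound to internet"
    if s == d:
        return True, "same VLAN (switched, not firewalled)"
    if s == "IOT":
        return False, "Block IOT to all private"
    if s == "Guest":
        return False, "Block Guest to all private"
    return True, "inter-VLAN default allow"
```

The `verdict` tuples double as the expected results for a probe matrix (one source host per VLAN, one listener per destination subnet).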
### Docker Swarm Ports (inter-node, VLAN 51)
- 2377/tcp -- Cluster management
- 7946/tcp+udp -- Node communication
- 4789/udp -- Overlay network traffic
## Docker Overlay Networks
| Network | Purpose | Connected Services |
|---|---|---|
| public_net | Traefik to frontends | Traefik, all public-facing services |
| data_net | Backend to data services | APIs, PostgreSQL, Redis, MinIO, PgBouncer, Vault |
| ingress | Swarm routing mesh | Automatic for published ports |
Services connect to public_net for external access via Traefik and data_net for database/cache access. Databases are never on public_net.
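A stack linter for the two rules above (data services never on public_net; only the ports in the Port Exposure Summary are host-published), added here as an example rather than part of the platform's tooling. It takes a compose v3 stack already parsed into a dict; the sample stack is constructed for illustration, and the assumption that public_net and data_net must be declared `external` follows from their being shared across stacks.

```python
# Data services, matched on the image name with registry and tag stripped.
DATA_IMAGES = {"postgres", "redis", "minio", "pgbouncer", "vault"}
# Shared overlays that every stack joins as pre-existing (external) networks.
SHARED_NETS = {"public_net", "data_net"}
# Host-published ports the Port Exposure Summary permits.
ALLOWED_PUBLISHED = {80, 443, 8080}


def image_name(ref):
    """'ghcr.io/acme/api:1.2' -> 'api'; 'redis@sha256:...' -> 'redis'."""
    return ref.rsplit("/", 1)[-1].split(":")[0].split("@")[0]


def published_port(entry):
    """Accept short ('5432:5432/tcp', '80') and long ({'published': 80, ...}) syntax."""
    if isinstance(entry, dict):
        return int(entry["published"])
    return int(str(entry).split(":")[0].split("/")[0])


def lint_stack(stack):
    """Return a list of findings; an empty list means the stack conforms."""
    findings = []
    declared = stack.get("networks") or {}
    for net in SHARED_NETS & set(declared):
        if not (declared[net] or {}).get("external"):
            findings.append(f"network {net}: must be declared external (shared overlay)")
    for name, svc in (stack.get("services") or {}).items():
        nets = set(svc.get("networks") or [])      # list or {name: {aliases: ...}}
        img = image_name(svc.get("image", ""))
        if img in DATA_IMAGES and "public_net" in nets:
            findings.append(f"{name}: data service '{img}' attached to public_net")
        if img in DATA_IMAGES and "data_net" not in nets:
            findings.append(f"{name}: data service '{img}' must be on data_net")
        for entry in svc.get("ports") or []:
            port = published_port(entry)
            if port not in ALLOWED_PUBLISHED:
                findings.append(f"{name}: publishes {port}; only {sorted(ALLOWED_PUBLISHED)} permitted")
    return findings


SAMPLE_STACK = {  # constructed example, not a real deployment
    "services": {
        "api": {"image": "ghcr.io/example/api:1.2", "networks": ["public_net", "data_net"]},
        "db": {"image": "postgres:16", "networks": ["public_net", "data_net"], "ports": ["5432:5432"]},
        "cache": {"image": "redis:7", "networks": {"data_net": {"aliases": ["cache"]}}},
    },
    "networks": {"public_net": {"external": True}, "data_net": {}},
}
```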
## Service Discovery
Docker Swarm provides automatic DNS resolution within overlay networks:
```bash
# Within the same network, services resolve by name
ping app-recipicity-staging_api        # resolves to the service VIP
ping tasks.app-recipicity-staging_api  # round-robin to all tasks
```
## Port Exposure Summary
| Port | Status | Access |
|---|---|---|
| 80 | Forwarded | Internet (via Cloudflare) |
| 443 | Forwarded | Internet (via Cloudflare) |
| 8080 | Published (swarm) | Traefik metrics + dashboard at traefik.apps.jlwaller.com (BasicAuth) |
| 5000 | CLOSED | Registry at registry.apps.jlwaller.com (TLS) |
| 5432 | NOT forwarded | Internal only (PostgreSQL) |
| 6379 | NOT forwarded | Internal only (Redis) |
| 9000/9001 | NOT forwarded | Internal only (MinIO) |