ISP /28 Routing BROKEN: Frontier confirmed the public subnet (74.40.140.16/28) is broken — return traffic not routed to modem WAN (74.32.185.184). Fix expected ~2026-03-09. Currently single public IP via double-NAT through modem private LAN.
Firewall Policy: MGMT has full access. HOME/WORK/SCHOOL get general internet. GUEST isolated except PROD web. Tenants fully isolated from each other — only PROD, DNS, NAS, and internet. VOIP is SIP-only outbound.
SSH/VNC: noc1, Mac Mini (SSH+VNC), Edge1 Pi5, Synology NAS, Edge2 Pi4
Web Consoles (1): Harvester Dashboard (HTTPS)
VPN & Security
OpenVPN Status: 8 servers were configured and verified but have been cleaned out pending ISP /28 fix. CA and certificates remain in pfSense config. Will re-create bound to new tenant VIPs (.17-.20) after Frontier restores /28 routing.
OpenVPN Configuration
Tenant | VIP | TUN Port | TAP Port | Tunnel (TUN)  | Tunnel (TAP)   | VLAN
ANDREW | .17 | 1194/UDP | 1195/UDP | 10.0.68.0/27  | 10.0.68.128/27 | 60
MATT   | .18 | 1194/UDP | 1195/UDP | 10.0.68.32/27 | 10.0.68.160/27 | 61
DUSTIN | .19 | 1194/UDP | 1195/UDP | 10.0.68.64/27 | 10.0.68.192/27 | 62
ERIK   | .20 | 1194/UDP | 1195/UDP | 10.0.68.96/27 | 10.0.68.224/27 | 63
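Because every tenant reuses 1194/UDP for TUN and 1195/UDP for TAP, the eight instances can only coexist if each pair is bound to a distinct VIP inside the /28 and no two tunnel subnets collide. The following consistency check is an added example, not the site's own tooling: the tenant values are copied from the table above, PUBLIC_BLOCK is the 74.40.140.16/28 stated on the page, and TUNNEL_POOL (10.0.68.0/24) is an assumed parent block for the /27s.

```python
import ipaddress
from typing import NamedTuple

PUBLIC_BLOCK = ipaddress.ip_network("74.40.140.16/28")   # from the page
TUNNEL_POOL = ipaddress.ip_network("10.0.68.0/24")       # assumed parent of the /27s


class Tenant(NamedTuple):
    name: str
    vip: str   # public VIP both instances bind to
    tun: str   # TUN subnet, served on 1194/UDP
    tap: str   # TAP subnet, served on 1195/UDP
    vlan: int


TENANTS = [
    Tenant("ANDREW", "74.40.140.17", "10.0.68.0/27", "10.0.68.128/27", 60),
    Tenant("MATT", "74.40.140.18", "10.0.68.32/27", "10.0.68.160/27", 61),
    Tenant("DUSTIN", "74.40.140.19", "10.0.68.64/27", "10.0.68.192/27", 62),
    Tenant("ERIK", "74.40.140.20", "10.0.68.96/27", "10.0.68.224/27", 63),
]


def check_plan(tenants) -> list:
    """Return a list of problems; empty means the plan is internally consistent."""
    problems, listeners, subnets = [], {}, []
    for t in tenants:
        vip = ipaddress.ip_address(t.vip)
        # The VIP must be a usable host address inside the ISP-assigned /28.
        if vip not in PUBLIC_BLOCK.hosts():
            problems.append(f"{t.name}: VIP {t.vip} is not a usable host in {PUBLIC_BLOCK}")
        for port, cidr in ((1194, t.tun), (1195, t.tap)):
            sock = (t.vip, port)
            if sock in listeners:   # two daemons cannot bind the same VIP:port/udp
                problems.append(f"{t.name} and {listeners[sock]} both listen on {t.vip}:{port}/udp")
            listeners[sock] = t.name
            net = ipaddress.ip_network(cidr)
            if not net.subnet_of(TUNNEL_POOL):
                problems.append(f"{t.name}: {cidr} lies outside {TUNNEL_POOL}")
            for owner, other in subnets:
                if net.overlaps(other):
                    problems.append(f"{t.name}: {cidr} overlaps {owner}'s {other}")
            subnets.append((t.name, net))
    return problems


def free_tunnel_blocks(tenants) -> list:
    """/27s of TUNNEL_POOL not yet assigned to any tenant's TUN or TAP network."""
    used = [ipaddress.ip_network(c) for t in tenants for c in (t.tun, t.tap)]
    return [str(n) for n in TUNNEL_POOL.subnets(new_prefix=27)
            if not any(n.overlaps(u) for u in used)]
```

Run it before re-creating the instances: with the current table the check returns no problems and the pool is fully allocated, so a fifth tenant would need either a new VIP with fresh /27s or a larger pool.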
VPN Certificate Infrastructure
Component    | Details
CA           | BlueJay VPN CA (4096-bit RSA, SHA-256, 10-year)
Server Certs | 8 (one per VPN instance, 2048-bit RSA)
Client Certs | 4 (one per tenant, 2048-bit RSA)
TLS Auth     | Shared HMAC key across all servers
Data Ciphers | AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305
IPsec Site-to-Site (Planned)
Tunnel | Local             | Remote             | Phase 1                    | Phase 2 SAs
Matt   | .29 (pfSense WAN) | Matt's public IP   | IKEv2, AES-256-GCM, DH 14+ | MATT (10.0.61.0/24) + PROD (10.0.57.0/24)
Dustin | .29 (pfSense WAN) | Dustin's public IP | IKEv2, AES-256-GCM, DH 14+ | DUSTIN (10.0.62.0/24) + PROD (10.0.57.0/24)
PKI Hierarchy
CA                            | Status      | Purpose
Root CA (IAmWorkin ACME CA)   | Operational | Trust anchor, ECDSA P-256, expires 2036
ACME CA (step-ca on noc1)     | Operational | Automated cert issuance via ACME protocol
Network CA                    | Planned     | Switch, AP, pfSense device certs
Windows AD CS CA              | Planned     | Domain-joined machine/user certs
Internal Services CA          | Planned     | K8s service mesh, inter-service mTLS
Edge Nodes
edge1 — Raspberry Pi 5 + Hailo AI
IP: 10.0.57.15 (PROD VLAN 57)
SSH: stoltz@10.0.57.15
Password: 1qaz@WSX3edc$RFV
Hardware: Pi 5 16GB + Hailo-10H 40 TOPS
OS: Debian 13 (trixie) aarch64
PCIe: Gen 3 x1 (8.0 GT/s)
Power: 27W USB-C
.NET SDK: 10.0.103
GitHub Runner: v2.332.0 (labels: pi5, hailo)
Node Exporter: :9100
Switch Port: 13
edge2 — Raspberry Pi 4 (Argon ONE)
IP: 10.0.57.16 (PROD VLAN 57)
SSH: stoltz@10.0.57.16
Password: 1qaz@WSX3edc$RFV
Hardware: Pi 4 Model B 4GB, Argon ONE case
OS: Debian 13 (trixie) aarch64
Fan Control: argononed.service
.NET SDK: 10.0.103
GitHub Runner: v2.332.0 (labels: pi4, ci-runner)
Node Exporter: :9100
Switch Port: 11
Mac Mini (Build/Test Node)
IP: 10.0.57.50 (PROD VLAN 57)
SSH: bluejay@10.0.57.50
Password: indigene-new-neptune-nuthatch
VNC Password: tacokisses
Role: Xcode builds, automated browser/app testing
WiFi Networks
Credentials: All WiFi passwords are stored in the IAmWorkin vault on 1Password. To connect a device, open the 1Password app, find the WiFi entry, and scan the QR code from there. Passwords are not stored in this page for security.
QR Code Connection: Open 1Password → search for the SSID name → tap “Show QR Code” → scan with your device camera. The QR code encodes the full WIFI:T:WPA;S:{SSID};P:{PASSWORD};;; connection string.
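The WIFI: payload described above has one detail that matters when an SSID or passphrase contains a delimiter character: backslash, semicolon, comma, colon and double quote must be escaped, or a scanner will split the string in the wrong place. The encoder and parser below are an added example (not code from this page or from 1Password); they follow the common ZXing convention of one `;` after each field plus a terminating `;`, and the SSID and password values used in the test are constructed.

```python
import re

# Delimiter characters that must be backslash-escaped inside S: and P: values.
_SPECIAL = '\\;,:"'


def _escape(value: str) -> str:
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def encode_wifi(ssid: str, password: str, auth: str = "WPA", hidden: bool = False) -> str:
    """Build the QR payload: WIFI:T:<auth>;S:<ssid>;P:<password>;[H:true;];

    auth is WPA (which also covers WPA2/WPA3-Personal), WEP or nopass.
    Each field ends with ';' and one extra ';' terminates the record.
    """
    fields = [f"T:{auth}", f"S:{_escape(ssid)}", f"P:{_escape(password)}"]
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def decode_wifi(payload: str) -> dict:
    """Parse a WIFI: payload back into its fields, honouring backslash escapes.

    Splitting on ';' naively would break on an escaped '\\;' inside the SSID
    or passphrase, so the scanner walks the string one character at a time.
    """
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    fields, buf, i = {}, [], len("WIFI:")
    while i < len(payload):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            buf.append(payload[i:i + 2])   # keep the escape pair intact for now
            i += 2
            continue
        if ch == ";":
            if buf:                        # an empty buf is the terminating ';'
                key, _, raw = "".join(buf).partition(":")
                fields[key] = _unescape(raw)
                buf = []
        else:
            buf.append(ch)
        i += 1
    return fields
```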
BlueJay-Home (HOME, VLAN 58)
SSID: BlueJay-Home
VLAN: 58 (untagged on AP)
Security: WPA2/WPA3
Password: See 1Password (scan from the 1Password app)
Purpose: Home network — personal / family use
Mode: Access Point (bridge mode), all trunk ports enabled
Bands: Wi-Fi 6E (2.4 GHz + 5 GHz + 6 GHz)
Switch Port: 3 (trunk, native VLAN 58)
Network Isolation: Each SSID maps to a separate VLAN with independent firewall rules and bandwidth limits. GUEST is fully isolated with NAT — no access to internal resources. EMPLOYEE, WORK, and SCHOOL share public IP .28 with traffic shaping.
Credentials & 1Password
1Password Connect Server
API: http://10.0.56.10:8180
Sync: http://10.0.56.10:8181
Host: noc1 (Podman containers)
Status: Online
1Password K8s Operator
Namespace: onepassword-system
Chart: 1password/connect v2.3.0
Operator: v1.11.0
Poll Interval: 600s
Status: Online
IAmWorkin Vault
Vault Name: IAmWorkin
Items: 26+ credentials
Rotation: Quarterly (Jan/Apr/Jul/Oct)
Script: /opt/scripts/rotate-credentials.sh
Timer: credential-rotation.timer
All infrastructure credentials are managed in 1Password. The IAmWorkin vault contains credentials for every service listed on this intranet. K8s workloads (Zabbix, Matrix, Guacamole, Mail, IRC, Gitea, ArgoCD) sync secrets automatically via OnePasswordItem CRDs. Credential rotation runs quarterly via systemd timer.
Split-Horizon DNS (planned): External requests to flowercore.io resolve via Cloudflare to public IP .21. Internal requests resolve via pfSense Unbound to K8s MetalLB VIP (10.0.56.200), avoiding NAT hairpin. All internal infrastructure uses iamworkin.lan zone.