Networking
| Item | Detail |
|---|---|
| Router | UniFi Dream Router 7 |
| Network name | Wight Trash |
| Subnet | 192.168.1.0/24 |
| Gateway | 192.168.1.1 |
| DHCP range | 192.168.1.6 - 192.168.1.254 |
| DNS servers | 1.1.1.2 (primary), 1.0.0.2 (secondary) |
| Upstream | Virgin Media (modem mode) |
The Virgin Media router is in modem mode. The Dream Router 7 handles routing, DHCP, and DNS for the home network. No VLANs, port forwarding, or static DHCP leases are currently configured, though the Dream Router 7 supports all of these when needed.
Network devices
| Hostname | IP Address | Vendor | Description | MAC |
|---|---|---|---|---|
| truenas | 192.168.1.28 | UGREEN | TrueNAS Scale NAS - primary homelab server | 6c:1f:f7:0d:15:33 |
| 9800X3D | 192.168.1.99 | - | Main workstation and local development machine | - |
| Samsung TV | 192.168.1.63 | Samsung | Samsung smart TV running Jellyfin Tizen app | - |
Dream Router 7
The UniFi Dream Router 7 replaced the Virgin Media router as the primary network device. The Virgin router remains in the chain but operates in modem mode only - it passes a public IP directly to the DR7.
Key settings in the Wight Trash network:
| Setting | Value |
|---|---|
| Protocol | IPv4 only |
| Host address | 192.168.1.1 |
| Netmask | /24 |
| DHCP mode | DHCP Server |
| DHCP range | 192.168.1.6 - 192.168.1.254 |
| DNS server 1 | 1.1.1.2 |
| DNS server 2 | 1.0.0.2 |
| Domain name | localdomain |
| Multicast DNS | On |
| Ping conflict detection | On |
No port forwarding is configured on the DR7. External access for all services uses either the Cloudflare Tunnel (cloudflared on TrueNAS) or Pangolin (WireGuard tunnel to the Netcup VPS). Neither requires inbound ports on the home router.
DNS records
DNS is managed by Cloudflare for the wighttrash.uk domain. SSL/TLS mode is Full.
| Name | Type | Content | Proxy | Notes |
|---|---|---|---|---|
| wighttrash.uk | A | 37.27.183.241 | Proxied | - |
| api | A | 37.27.183.241 | Proxied | - |
| cp | A | 37.27.183.241 | Proxied | - |
| auth | A | 152.53.226.118 | Proxied | Keycloak |
| cloud | A | 152.53.226.118 | Proxied | OpenCloud |
| collabora | A | 152.53.226.118 | Proxied | Collabora Online (OpenCloud) |
| docs | CNAME | 2707e2392d6596dc.vercel-dns-017.com | Proxied | Wiki - hosted on Vercel |
| media | A | 152.53.226.118 | Proxied | Jellyfin |
| pangolin | A | 152.53.226.118 | Proxied | Pangolin admin dashboard |
| photos | A | 152.53.226.118 | DNS only | Immich - must remain DNS-only (upload size limit) |
| planka | A | 152.53.226.118 | Proxied | Planka kanban board |
| wopiserver | A | 152.53.226.118 | Proxied | OpenCloud WOPI server (Collabora endpoint) |
| docker | Tunnel | TrueNAS | Tunnel | Arcane via cloudflared |
| nas | Tunnel | TrueNAS | Tunnel | TrueNAS admin via cloudflared |
photos.wighttrash.uk must remain DNS-only. Proxying it through Cloudflare reintroduces the 100 MB request size limit, which blocks large Immich video uploads. This is the original reason Pangolin was set up.
media.wighttrash.uk is proxied through Cloudflare. This routes Jellyfin video streams through Cloudflare’s network. Cloudflare’s terms of service technically discourage using the proxy for large-scale video streaming - this is an accepted trade-off for a personal homelab.
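Because the proxy setting on these records carries both a functional constraint (photos must stay DNS-only) and an exposure constraint (proxied hosts should not resolve to the VPS origin IP), a small drift check is useful. The script below is an added example, not part of the original page or of any tool it describes; it encodes a subset of the table above and flags any hostname whose live resolution contradicts the documented proxy state. The resolver is injected so the logic can be exercised with constructed answers.

```python
"""Drift check for the Cloudflare proxy state of the records documented above."""
import socket
from typing import Callable, Dict, List, Tuple

# Expected state, copied from the DNS records table on this page:
# hostname -> (origin IP, proxied?). True = proxied, False = DNS only.
EXPECTED: Dict[str, Tuple[str, bool]] = {
    "photos.wighttrash.uk": ("152.53.226.118", False),
    "media.wighttrash.uk": ("152.53.226.118", True),
    "auth.wighttrash.uk": ("152.53.226.118", True),
    "pangolin.wighttrash.uk": ("152.53.226.118", True),
}

Resolver = Callable[[str], List[str]]


def live_resolver(name: str) -> List[str]:
    """Resolve a hostname to its IPv4 answers using the system resolver."""
    return sorted(set(socket.gethostbyname_ex(name)[2]))


def check_records(expected: Dict[str, Tuple[str, bool]], resolve: Resolver) -> List[str]:
    """Return one finding per hostname whose resolution contradicts the table.

    A proxied record must not answer with the origin IP (that would expose the
    VPS directly); a DNS-only record must answer with exactly that origin IP
    (otherwise it has been flipped to proxied and the 100 MB limit returns).
    """
    findings: List[str] = []
    for name, (origin, proxied) in expected.items():
        try:
            answers = resolve(name)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            findings.append(f"{name}: resolution failed ({exc})")
            continue
        exposes_origin = origin in answers
        if proxied and exposes_origin:
            findings.append(f"{name}: expected proxied but resolves to origin {origin}")
        elif not proxied and not exposes_origin:
            findings.append(f"{name}: expected DNS-only origin {origin}, got {answers}")
    return findings


if __name__ == "__main__":
    for finding in check_records(EXPECTED, live_resolver) or ["no drift detected"]:
        print(finding)
```

Run it from a machine with public DNS; an empty result means every record still matches the table.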
Cloudflare Access applications
All applications use the shared Admin Only policy (Allow, email: [email protected]).
| Application | URL | Policy | Notes |
|---|---|---|---|
| Arcane | docker.wighttrash.uk | Admin Only | - |
| Pangolin | pangolin.wighttrash.uk | Admin Only | - |
| Pangolin API Bypass | pangolin.wighttrash.uk/api/ | Bypass (Everyone) | Required for Newt token requests |
| Docs | docs.wighttrash.uk | Keycloak OIDC (wighttrash realm) | - |
| TrueNAS Admin | nas.wighttrash.uk | Admin Only | - |
The Pangolin API Bypass application is required because the Newt tunnel client makes unauthenticated API calls to /api/v1/auth/... to obtain a WireGuard token. Without the bypass, Cloudflare Access returns an HTML challenge page instead of a JSON response and Newt fails to connect.
photos.wighttrash.uk has no Access policy. The Immich mobile app cannot handle Cloudflare Access authentication flows. Immich’s own Keycloak-backed authentication is the protection layer.
External access summary
| Service | Route | Proxied | Access policy |
|---|---|---|---|
| Docs wiki | Vercel + Cloudflare | Yes | Cloudflare Access (Keycloak OIDC) |
| TrueNAS | Cloudflare Tunnel | Yes | Admin Only |
| Arcane | Cloudflare Tunnel | Yes | Admin Only |
| Pangolin admin | VPS A record | Yes | Admin Only |
| Immich | VPS A record | No | None (Keycloak via Immich) |
| Jellyfin | VPS A record | Yes | None (Keycloak via Jellyfin) |
| Keycloak | VPS A record | Yes | None (public IdP) |
Future considerations
The DR7 supports VLANs, port forwarding with source IP restrictions, static DHCP leases, and local DNS overrides. None of these are currently configured. Potential future improvements include VLAN segmentation to isolate homelab devices from general home network traffic, and local DNS to allow accessing services by hostname rather than IP.