Updated April 29, 2026, after OPNsense cutover. Subnet: 192.168.8.0/24.
Replaced the GL.iNet GL-MT3000 (Beryl AX) on April 29, 2026 with OPNsense 25.7.11_9 on dedicated x86 hardware. See the OPNsense page for full configuration.
| Setting | Value |
|---|---|
| Hostname | orchard.edmd.me |
| LAN IP | 192.168.8.1 |
| WAN IP | 192.168.254.65 (double-NATted behind ISP gateway) |
| DHCP server | Dnsmasq (range .150-.242) |
| LAN DNS | Unbound (port 53); forwards edmd.me to Pi-hole CT102 |
| Web UI | https://192.168.8.1 (root only, key-auth from Mac Studio) |
WAN double-NAT (ISP gateway → OPNsense WAN at 192.168.254.65) blocks IPv6 and inbound UDP 51820 forwarding to NetBird. Both are upstream limitations, not OPNsense’s.
| IP | Device | Hostname | Notes |
|---|---|---|---|
| 192.168.8.1 | OPNsense Router | orchard.edmd.me | Replaces GL.iNet GL-MT3000 (retired Apr 29 2026) |
| 192.168.8.53 | CT102 Pi-hole | pihole | DNS + ad blocking, NetBird nameserver |
| 192.168.8.54 | CT103 Caddy | caddy | Internal *.edmd.me reverse proxy |
| 192.168.8.100 | CT100 Docker | docker-host | All Docker services (Sonarr/Radarr/Plex/etc.) |
| 192.168.8.103 | CT101 Immich | immich | Photo management |
| 192.168.8.180 | Mac Studio (Ethernet) | Mac-Studio.lan | Static reservation; MAC 1C:1D:D3:E1:A1:EC (10GbE en0) |
| 192.168.8.221 | Proxmox VE (hpve) | hpve | Hypervisor; runs all CTs above |
| 192.168.8.245 | Weather Station | Orchard-Weather.lan | Local weather monitor |
DHCP range: .150-.242. Mac Studio is the only static reservation.
```text
LAN client
│
▼
OPNsense Unbound (192.168.8.1:53)
├─ edmd.me → forwards to Pi-hole (192.168.8.53)
└─ everything else → public roots (with DoT)

NetBird peer (mesh)
│
▼
NetBird magic DNS (100.123.255.254)
└─ forwards everything to Pi-hole (192.168.8.53)

Pi-hole (CT102, 192.168.8.53)
├─ ad blocking (StevenBlack list)
├─ short names (hpve, portainer, immich, etc.)
├─ *.edmd.me → 192.168.8.54 (Caddy) [via /etc/dnsmasq.d/03-edmd-wildcard.conf]
└─ everything else → Cloudflare (1.1.1.1) + Quad9
```
The OPNsense → Pi-hole forward was added to Unbound on Apr 29 2026 to handle clients that query the router directly (some Mac/iOS DNS resolvers do). Without this, those queries would fail because Unbound’s <privateaddress> filter rejects RFC1918 answers from public DNS; see the Pi-hole docs.
| Service | Port | Public URL |
|---|---|---|
| Plex | 32400 | plex.edmd.me |
| Calibre-Web | 8083 | calibre.edmd.me |
| Sonarr | 8989 | sonarr.edmd.me |
| Radarr | 7878 | radarr.edmd.me |
| Lidarr | 8686 | lidarr.edmd.me |
| Prowlarr | 9696 | prowlarr.edmd.me |
| Shelfmark | 8084 | shelfmark.edmd.me |
| Audiobookshelf | 13378 | audiobookshelf.edmd.me |
| Navidrome | 4533 | navidrome.edmd.me |
| Bookshelf | 8787 | bookshelf.edmd.me |
| FreshRSS | 8180 | freshrss.edmd.me |
| Wallabag | 8480 | wallabag.edmd.me |
| Immich | 2283 (CT101) | immich.edmd.me |
| Kiwix | 8380 | kiwix.edmd.me |
| Portainer | 9443 | portainer.edmd.me |
| Uptime Kuma | 3001 | kuma.edmd.me |
| Gotify | 8070 | gotify.edmd.me |
| N8N | 5678 | n8n.edmd.me |
| Homepage | 3000 | homepage.edmd.me |
| Prometheus | 9090 | prometheus.edmd.me |
| Grafana | 3200 | grafana.edmd.me |
| Dozzle | 9999 | dozzle.edmd.me |
| ConvertX | 3100 | convertx.edmd.me |
| FlareSolverr | 8191 | flaresolverr.edmd.me |
See Caddy for full URL aliases. See Services for the master directory.
CT100 outbound traffic exits via WireGuard tunnel to UltraCC NL (added Apr 29 2026). Public IP from CT100’s perspective is 45.86.221.26. The kill-switch firewall blocks all egress if the tunnel drops. See WireGuard tunnel for details.
| Service | Port | URL |
|---|---|---|
| SSH | 22 | ssh bee@192.168.8.180 |
| Screen Sharing | 5900 | vnc://192.168.8.180 |
| Hugo Hub | 1313 | http://192.168.8.180:1313 |
| Syncthing | 8384 | http://192.168.8.180:8384 |
| Paperless-NGX | 8100 | http://192.168.8.180:8100 |
| Life Archive API | 8900 | http://192.168.8.180:8900 |
| Life Archive MCP | 8901 | http://192.168.8.180:8901/mcp |
| LM Studio | 1234 | http://192.168.8.180:1234 |
| Embed Server | 1235 | http://localhost:1235 (local only) |
| Service | Port | URL |
|---|---|---|
| Proxmox Web UI | 8006 | https://hpve.edmd.me (alias: pve, proxmox) |
| Cockpit | 9090 | https://cockpit.edmd.me |
| SSH | 22 | ssh root@192.168.8.221 |
| SMB Share | 445 | \\192.168.8.221\shared (user: bee) |
| Syncthing | 8384 | http://192.168.8.221:8384 |
| Transmission RPC (tunneled) | 13010 | SSH tunnel → seedbox; required for *arr app download management |
NetBird daemon runs as netbird.service on hpve, advertising 192.168.8.0/24 to the mesh.
| IP | Node | Hostname |
|---|---|---|
| 192.168.8.140 | eero (main) | eero.lan |
| 192.168.8.123 | eero #2 | eero-d066.local |
| 192.168.8.203 | eero #3 | eero-3y3p.local |
| 192.168.8.212 | eero #4 | eero-f8js.local |
| 192.168.8.169 | eero #5 | eero-kchd.local |
Eeros run in bridge mode behind OPNsense; they handle WiFi only, while OPNsense handles routing/DHCP/DNS.
| IP | Device |
|---|---|
| 192.168.8.115 | Sonos Speaker |
| 192.168.8.202 | Sonos Speaker (Living Room) |
| 192.168.8.116 | YouTube TV (Google TV Streamer) |
| 192.168.8.141 | WiiM Ultra |
| 192.168.8.233 | TiVo Stream 4K |
| IP | Device |
|---|---|
| 192.168.8.224 | Homey (smart home hub) |
| 192.168.8.245 | Weather Station (Orchard-Weather) |
| IP | Device |
|---|---|
| 192.168.8.190 | Brother HL-L3280CDW (Office) |
| 192.168.8.240 | Brother HL-L2460DW |
| Setting | Value |
|---|---|
| Public IP | external (SSDNodes) |
| NetBird IP | 100.123.69.155 |
| Role | Public Caddy for troglodyteconsulting.com; NetBird mesh peer |
| Access | ssh admin@<vps-ip> (LAN/NetBird-side admin) |
Pangolin was retired Apr 19 2026 and replaced with NetBird mesh. The VPS no longer hosts a Pangolin dashboard.
Farm runs on 192.168.0.x (separate subnet from home’s 192.168.8.x). Connected via NetBird mesh: the fpve peer at 192.168.0.191 advertises the 192.168.0.0/24 subnet to the mesh.
| IP | Device | Description |
|---|---|---|
| 192.168.0.10 | Home Assistant | Smart home automation |
| 192.168.0.191 | Farm Proxmox | Hypervisor, NetBird peer (fpve) |
See Farm for the full farm inventory.