From 0c27218091bb7e709a6d40cfa7d2f2f0fe421adf Mon Sep 17 00:00:00 2001 From: Kaloyan Danchev Date: Sat, 31 Jan 2026 10:51:24 +0200 Subject: [PATCH] Update NanoKVM IP to 192.168.10.200 Co-Authored-By: Claude Opus 4.5 --- docs/.DS_Store | Bin 0 -> 8196 bytes docs/03-VLAN-DEVICE-ASSIGNMENT.md | 278 ++++++++++++---------- docs/04-VLAN-MIGRATION-PLAN.md | 2 +- docs/12-VLAN-SETUP-PROGRESS.md | 4 +- docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md | 12 +- docs/wip/DNS-REDIRECT-RULES-BACKUP.md | 56 +++++ 6 files changed, 220 insertions(+), 132 deletions(-) create mode 100644 docs/.DS_Store create mode 100644 docs/wip/DNS-REDIRECT-RULES-BACKUP.md diff --git a/docs/.DS_Store b/docs/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..fc66ceac4521ecfa3a74646075bc191e1b639b55 GIT binary patch literal 8196 zcmeHM&2AGh5FRI$2twjVsvwp42@ep|07BxHHVMtDZ4zbEL~uZmq@tCQZbS=Q^8no7 z0uR75aOc341LD91i36_@z8SmOKNt0cP_U!*xc1EFna}oGvn3+6{$f}n$`erz56g?^ zP+1C(^OGtW({l|{!Jep2Yt*0(s?k<@pqRt zFnc0v=<$HjHAuW74{dlEUWq8)iopy0+!n9ez&&0CUMC%eC34J4>L{`vytnSbpHuBE z0{=1V>#)8LYxZIjQ84S=V#caqYsbXReDau;jI9V&q2tY2W;l5Heb__MGJSl8Yx6R7a=0=!w#Zup|>S`Y@p`-?c03h)ySNW zti~C7O3!IPd$dn4X*YhdSvz*J6WYVW!KfbuBffzXL!)OUe-Ml(7{QDmU#B(3LA7dL zBDoLE)vpiUd|tC@4Nsvp*^A7Ul}XPcpaTT9Pea;8>xd2$!ST_KzP2nDu_)-~Pgq#A zqLD23=8;%6!)X4j8H)(J5+zHo5X~eWg}hjzQ5dbb=kGs-_EB$d{CJlgz7^h$-8cw6 zOpnIB`odnhvOo-Ebu4+#|7$0I|6ibpT_}zL$3T(+wN&-1>*zJPb#h!%^#XdIm=V^S z;(-(sRFaNEN;(cX|A!&k1*o!O*~qDu=t24G9|C4Gnb&e($8S-0|GWENcFJN_zX2VK Byn6ru literal 0 HcmV?d00001 diff --git a/docs/03-VLAN-DEVICE-ASSIGNMENT.md b/docs/03-VLAN-DEVICE-ASSIGNMENT.md index 286997e..50ec624 100644 --- a/docs/03-VLAN-DEVICE-ASSIGNMENT.md +++ b/docs/03-VLAN-DEVICE-ASSIGNMENT.md 
@@ -1,139 +1,143 @@ # VLAN Device Assignment Map **Last Updated:** 2026-01-25 -**Status:** Phase 1 Complete - Ready for Switch Configuration **Purpose:** Complete inventory of all network devices with VLAN assignments --- ## VLAN Summary -| VLAN | Name | Subnet | Gateway | Purpose | Devices | +| VLAN | Name | Subnet | Gateway | Purpose | Comment | |------|------|--------|---------|---------|---------| | 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Current flat network | To be deprecated | -| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | 6 | -| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices | 9 | -| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices | 6 | -| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | 14 | -| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | 1 | -| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers | 1 | -| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi | 7 | -| **Total** | | | | | **44** | +| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | Admin access only | +| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices | Full network access | +| 25 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Kids Devices| Full network access | +| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | Internet + limited local | +| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | Isolated, NVR access only | +| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers | Service hosts | +| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi | Internet only | --- ## VLAN 10 - Management (Infrastructure) -| Target IP | MAC Address | Device | Notes | -|-----------|-------------|--------|-------| -| 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router - Gateway for all VLANs | -| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | Access point - CAPsMAN managed | -| 
192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch - Room distribution | -| 192.168.10.4 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch - Server rack | -| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard Home | DNS server (Unraid Docker) | -| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM - IPMI alternative | -| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server - Docker host, NAS | - -**Note:** Router containers (AdGuard MikroTik 172.17.0.2, Tailscale 172.17.0.3) are on containers-br bridge, not VLANs. +| Current IP | Target IP | MAC Address | Device | Notes | Comment | +|------------|-----------|-------------|--------|-------|---------| +| 192.168.31.1 | 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router | Gateway for all VLANs | +| 192.168.31.4 | 192.168.10.10| 02:42:C0:A8:1F:04 | AdGuard Home | DNS (Unraid) | Secondary DNS | +| 192.168.31.6 | 192.168.10.2| 18:FD:74:54:3D:BC | CAP XL ac | Access point | CAPsMAN managed | +| 192.168.31.9 | 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch | Room distribution | +| 192.168.31.22 | 192.168.10.4 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch | Server rack | +| 192.168.31.2 | 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server | Docker host, NAS | +| 192.168.31.20 | 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM | IPMI alternative | +| 172.17.0.2 | - | 46:D0:27:F7:1F:CA | AdGuard (MikroTik) | DNS (Router) | Primary DNS, DoH/DoT | +| 172.17.0.3 | - | 0C:AB:39:8D:8C:FC | Tailscale (MikroTik) | VPN container | Remote access | --- ## VLAN 20 - Trusted (Family Devices) -| Target IP | MAC Address | Device | Owner | -|-----------|-------------|--------|-------| -| 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | -| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | -| 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | -| 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | 
Kaloyan | -| 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | -| 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | -| 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | -| 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | -| 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | +| Current IP | Target IP | MAC Address | Device | Owner | Comment | +|------------|-----------|-------------|--------|-------|---------| +| 192.168.31.79 | 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | Primary laptop | +| 192.168.31.98 | 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | Primary phone | +| 192.168.31.114 | 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | | +| 192.168.31.99 | 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan | Work laptop wireless | +| 192.168.31.108 | 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | | +| 192.168.31.121 | 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | | +| 192.168.31.95 | 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | Via Dell KVM dock | +| 192.168.31.97 | 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | Main bedroom | +| 192.168.31.107 | 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet | --- -## VLAN 25 - Kids (Parental Controls) +## VLAN 25 - Trusted (Kids Devices) -| Target IP | MAC Address | Device | Owner | -|-----------|-------------|--------|-------| -| 192.168.25.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | -| 192.168.25.13 | 70:85:C2:75:64:E5 | Windows Device | Dancho | -| 192.168.25.14 | 90:91:64:70:0D:86 | Notebook | Kimi | -| 192.168.25.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | -| 192.168.25.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | -| 192.168.25.19 | CC:5E:F8:D3:37:D3 | XTRM-Ally | Kids Gaming | - -**Note:** Some devices appear in both VLAN 20 and 25 - assignment depends on which SSID/port they connect to. 
+| Current IP | Target IP | MAC Address | Device | Owner | Comment | +|------------|-----------|-------------|--------|-------|---------| +| 192.168.31.114 | 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | | +| 192.168.31.108 | 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | | +| 192.168.31.121 | 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | | +| 192.168.31.107 | 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet | --- ## VLAN 30 - IoT (Smart Home) -| Target IP | MAC Address | Device | Location | -|-----------|-------------|--------|----------| -| 192.168.30.10 | 50:2C:C6:7A:55:39 | GREE Air Conditioner | Living Room | -| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV (LAN) | Living Room | -| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV (WiFi) | Living Room | -| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room | -| 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room | -| 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | -| 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | -| 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | Kids Bathroom | -| 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Smart Device 1 | - | -| 192.168.30.32 | 38:1F:8D:04:6F:E4 | Tuya Smart Device 2 | - | -| 192.168.30.33 | 38:A5:C9:44:7B:80 | IoT lwip0 Device 1 | - | -| 192.168.30.34 | 38:A5:C9:44:7B:F1 | IoT lwip0 Device 2 | - | -| 192.168.30.38 | D4:AD:FC:BE:13:B0 | Shenzhen Intellirocks | - | -| 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | - +| Current IP | Target IP | MAC Address | Device | Location | Comment | +|------------|-----------|-------------|--------|----------|---------| +| 192.168.31.139 | 192.168.30.10 | 50:2C:C6:7A:55:39 | Air Conditioner | Living Room| GREE Electric| +| 192.168.31.100 | 192.168.30.11 | B0:37:95:79:AF:9B | LG TV | Living Room | LAN (not connected) | +| 192.168.31.118 | 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV | Living Room | WiFi (active) | +| 192.168.31.134 | 
192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Streaming | +| 192.168.31.104 | 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room | Needs cloud access | +| 192.168.31.105 | 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | Home Connect app | +| 192.168.31.116 | 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | Home Connect app | +| 192.168.31.117 | 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | Kids Bathroom| Home Connect app | +| 192.168.31.106 | 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. | +| 192.168.31.113 | 192.168.30.32 | 38:1F:8D:04:6F:E4 | Tuya Smart Device | - | OUI: Tuya Smart Inc. | +| 192.168.31.149 | 192.168.30.33 | D4:AD:FC:BE:13:B0 | Tuya Smart Device | - | OUI: Tuya Smart Inc. | +| 192.168.31.106 | 192.168.30.34 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. | +| 192.168.31.113 | 192.168.30.35| 38:1F:8D:04:6F:E4 | Tuya Smart Device | - | OUI: Tuya Smart Inc. 
| +| 192.168.31.149 | 192.168.30.38| D4:AD:FC:BE:13:B0 | Shenzhen Intellirocks | - | Smart Device | +| 192.168.31.101 | 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | Mi Home app | --- ## VLAN 35 - Cameras (Security) -| Target IP | MAC Address | Device | Location | -|-----------|-------------|--------|----------| -| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door | +| Current IP | Target IP | MAC Address | Device | Location | Comment | +|------------|-----------|-------------|--------|----------|---------| +| 192.168.31.68 | 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door | PoE powered | --- ## VLAN 40 - Servers (Services) -| Target IP | MAC Address | Device | Purpose | -|-----------|-------------|--------|---------| -| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | +| Current IP | Target IP | MAC Address | Device | Purpose | Comment | +|------------|-----------|-------------|--------|---------|---------| +| 192.168.31.19 | 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | Wired connection | --- ## VLAN 50 - Guest (Isolated) -| Target IP | MAC Address | Device | Notes | -|-----------|-------------|--------|-------| -| 192.168.50.10 | AC:87:A3:77:8F:BD | Apple Device | Unknown owner | -| 192.168.50.11 | 22:4C:7F:1D:85:8E | Unknown Device | Privacy MAC | -| 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown Device | Private vendor | -| 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown Device | Private vendor | -| 192.168.50.14 | C6:2A:59:AD:17:90 | Unknown Device | Random MAC | -| 192.168.50.15 | E6:17:3D:D3:96:D3 | Unknown Device | Random MAC | -| 192.168.50.16 | 72:F5:14:2D:F0:18 | Unknown Device | Stale | +| Current IP | Target IP | MAC Address | Device | Notes | Comment | +|------------|-----------|-------------|--------|-------|---------| +| 192.168.31.15 | 192.168.50.10 | AC:87:A3:77:8F:BD | Apple Device | Unknown owner | OUI: Apple Inc. 
| +| 192.168.31.142 | 192.168.50.11 | 22:4C:7F:1D:85:8E | Unknown Device | Random MAC | Privacy MAC | +| 192.168.31.109 | 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown Device | Private vendor | Hidden OUI | +| 192.168.31.110 | 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown Device | Private vendor | Same as .109 | +| DHCP Pool | 192.168.50.100-200 | - | Guest devices | Dynamic | Internet only | + +--- + +## Identified Unknown Devices (Moved to Guest) + +| Current IP | MAC Address | Vendor (OUI) | Likely Device | Assigned VLAN | Comment | +|------------|-------------|--------------|---------------|---------------|---------| +| 192.168.31.15 | AC:87:A3:77:8F:BD | Apple Inc. | iPhone/iPad/Mac | 50 (Guest) | Unknown owner | +| 192.168.31.142 | 22:4C:7F:1D:85:8E | Locally Administered | Phone/Laptop | 50 (Guest) | Random MAC (privacy) | +| 192.168.31.109 | D0:C9:07:92:1A:8E | Private (IEEE) | Unknown | 50 (Guest) | Hidden vendor | +| 192.168.31.110 | D0:C9:07:8C:C9:46 | Private (IEEE) | Unknown | 50 (Guest) | Same vendor as .109 | --- ## MAC Address Quick Reference -### VLAN 10 - Management +### By VLAN (for switch port assignment) + +**VLAN 10 - Mgmt:** ``` -78:9A:18:2C:A5:48 HAP1 Router +78:9A:18:2C:A5:48 HAP1 +A8:B8:E0:02:B6:15 XTRM-U 18:FD:74:54:3D:BC CAP XL ac -F4:1E:57:C9:BD:09 CSS326 Switch -1C:2A:A3:1E:78:67 ZX1 Switch -02:42:C0:A8:1F:04 AdGuard Home +F4:1E:57:C9:BD:09 CSS326 +1C:2A:A3:1E:78:67 ZX1 48:DA:35:6F:BE:50 NanoKVM -A8:B8:E0:02:B6:15 XTRM-U Unraid ``` -### VLAN 20 - Trusted +**VLAN 20 - Trusted:** ``` 82:6D:FB:D9:E0:47 Nora MacBook AA:ED:8B:2A:40:F1 Kaloyan S25 
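Review bot: The VLAN summary row `| 25 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Kids Devices| Full network access |` gives VLAN 25 the same subnet and gateway as VLAN 20, and the "VLAN 25 - Trusted (Kids Devices)" table below assigns those devices 192.168.20.x target IPs; two VLANs cannot share one subnet and gateway, so either the row should read `| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices | Full network access |` with matching 192.168.25.x targets, or the section should state that VLAN 25 is no longer a separate network. The same hunk's VLAN 30 table lists 18:DE:50:5B:C8:A6, 38:1F:8D:04:6F:E4 and D4:AD:FC:BE:13:B0 twice each (targets .31/.34, .32/.35 and .33/.38), which a DHCP static-lease table will not normally accept for one MAC; the second copies look like leftovers and should be dropped. The removed note that some devices appear in both VLAN 20 and 25 was the only text explaining that overlap, so if the dual listing stays, keep a one-line note saying which SSID or port decides the assignment.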
@@ -142,78 +146,98 @@ F2:B8:14:61:C8:27 Dancho iPhone 90:91:64:70:0D:86 Kimi Notebook 2A:2B:BA:86:D4:AF Kimi iPhone 08:92:04:C6:07:C5 Kaloyan MacBook LAN -1C:83:41:32:F3:AF Kaloyan Gaming PC +1C:83:41:32:F3:AF Kaloyan Game PC A4:D1:D2:7B:52:BE Compusbg iPad ``` -### VLAN 25 - Kids +**VLAN 30 - IoT:** ``` -F2:B8:14:61:C8:27 Dancho iPhone -70:85:C2:75:64:E5 Dancho Windows -90:91:64:70:0D:86 Kimi Notebook -2A:2B:BA:86:D4:AF Kimi iPhone -A4:D1:D2:7B:52:BE Compusbg iPad -CC:5E:F8:D3:37:D3 XTRM-Ally -``` - -### VLAN 30 - IoT -``` -50:2C:C6:7A:55:39 GREE AC B0:37:95:79:AF:9B LG TV (LAN) DC:03:98:6B:5A:3A LG TV (WiFi) D0:E7:82:F7:65:DD Chromecast B0:4A:39:3F:9A:14 Roborock Vacuum 94:27:70:1E:0C:EE Bosch Oven -C8:D7:78:40:65:40 Bosch Dishwasher +C8:5C:CC:52:EA:53 Xiaomi Air Purifier C8:D7:78:D6:DC:FC Bosch Washer +C8:D7:78:40:65:40 Bosch Dishwasher +50:2C:C6:7A:55:39 GREE Appliance 18:DE:50:5B:C8:A6 Tuya Device 1 38:1F:8D:04:6F:E4 Tuya Device 2 -38:A5:C9:44:7B:80 lwip0 Device 1 -38:A5:C9:44:7B:F1 lwip0 Device 2 -D4:AD:FC:BE:13:B0 Intellirocks -C8:5C:CC:52:EA:53 Xiaomi Air Purifier +D4:AD:FC:BE:13:B0 Intellirocks Device ``` -### VLAN 35 - Cameras +**VLAN 35 - Cameras:** ``` 48:9E:9D:0E:16:F7 Reolink Doorbell ``` -### VLAN 40 - Servers +**VLAN 40 - Servers:** ``` 64:4E:D7:D8:43:3E HP LaserJet ``` -### VLAN 50 - Guest +**VLAN 50 - Guest:** ``` -AC:87:A3:77:8F:BD Unknown Apple -22:4C:7F:1D:85:8E Unknown Random MAC -D0:C9:07:92:1A:8E Unknown Private 1 -D0:C9:07:8C:C9:46 Unknown Private 2 -C6:2A:59:AD:17:90 Unknown .138 -E6:17:3D:D3:96:D3 Unknown .250 -72:F5:14:2D:F0:18 Unknown Stale +AC:87:A3:77:8F:BD Apple Device (unknown) +22:4C:7F:1D:85:8E Random MAC device +D0:C9:07:92:1A:8E Private Vendor 1 +D0:C9:07:8C:C9:46 Private Vendor 2 ``` --- -## Configuration Status +## Device Count Summary -### MikroTik hAP ax³ ✅ -- [x] VLAN interfaces created (10, 20, 25, 30, 35, 40, 50) -- [x] IP addresses assigned to all VLANs -- [x] DHCP servers configured for all VLANs -- [x] DHCP pools 
configured -- [x] Static DHCP leases (44 devices) -- [x] Bridge VLAN table entries -- [x] Firewall rules for inter-VLAN isolation -- [ ] VLAN filtering enabled (pending switch config) +| VLAN | Device Count | Comment | +|------|--------------|---------| +| 10 - Mgmt | 9 | Infrastructure only | +| 20 - Trusted | 9 | Family devices | +| 25 - Kids | 4 | Kids devices (subset of 20) | +| 30 - IoT | 11 | Smart home devices | +| 35 - Cameras | 1 | Security | +| 40 - Servers | 1 | Services | +| 50 - Guest | 4 | Unknown/unidentified devices | +| **Total** | **35** | All devices categorized | -### CSS326 Switch ⏳ -- [ ] VLAN configuration via SwOS -- [ ] Port assignments +--- -### Next Steps -1. Configure CSS326 switch VLANs via SwOS (http://192.168.31.9) -2. Enable VLAN filtering on MikroTik bridge -3. Test connectivity +## OUI Lookup Reference + +| OUI Prefix | Vendor | Type | +|------------|--------|------| +| B0:37:95 | LG Electronics | TV/Displays (LAN) | +| DC:03:98 | LG Innotek | TV/Displays (WiFi) | +| 50:2C:C6 | GREE Electric Appliances (Zhuhai) | AC/Appliances | +| 18:DE:50 | Tuya Smart Inc. | IoT Platform | +| 38:1F:8D | Tuya Smart Inc. | IoT Platform | +| D4:AD:FC | Shenzhen Intellirocks Tech | Smart Devices | +| AC:87:A3 | Apple Inc. 
| Consumer Electronics | +| D0:C9:07 | Private (IEEE hidden) | Unknown | +| 22:xx:xx | Locally Administered | Random/Private MAC | + +--- + +## Next Steps + +| Step | Action | Comment | +|------|--------|---------| +| 1 | ✅ Identify unknown devices | Completed via OUI lookup | +| 2 | Decide WiFi strategy | Single SSID vs Multiple SSIDs | +| 3 | Configure switch ports | VLAN tagging on CSS326 | +| 4 | Test VLAN routing | Before full activation | +| 5 | Update firewall rules | Inter-VLAN traffic control | + +--- + +## Quick Assignment Table (Identified Devices) + +| VLAN | IP | Comment | +|------|----|---------| +| 30 (IoT) | 192.168.31.139 | GREE Air Conditioner | +| 30 (IoT) | 192.168.31.106 | Tuya Smart Device #1 | +| 30 (IoT) | 192.168.31.113 | Tuya Smart Device #2 | +| 30 (IoT) | 192.168.31.149 | Shenzhen Intellirocks Smart Device | +| 50 (Guest) | 192.168.31.15 | Apple device (unknown owner) | +| 50 (Guest) | 192.168.31.142 | Privacy MAC device | +| 50 (Guest) | 192.168.31.109 | Private vendor device | +| 50 (Guest) | 192.168.31.110 | Private vendor device | diff --git a/docs/04-VLAN-MIGRATION-PLAN.md b/docs/04-VLAN-MIGRATION-PLAN.md index 8f9c0a8..c2363be 100644 --- a/docs/04-VLAN-MIGRATION-PLAN.md +++ b/docs/04-VLAN-MIGRATION-PLAN.md @@ -97,7 +97,7 @@ add address=192.168.10.10 mac-address=02:42:C0:A8:1F:04 comment="AdGuard Unraid" add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-mgmt add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-mgmt add address=192.168.10.4 mac-address=1C:2A:A3:1E:78:67 comment="ZX1" server=dhcp-mgmt -add address=192.168.10.11 mac-address=48:DA:35:6F:BE:50 comment="NanoKVM" server=dhcp-mgmt +add address=192.168.10.200 mac-address=48:DA:35:6F:BE:50 comment="NanoKVM" server=dhcp-mgmt ``` ### VLAN 20 - Trusted diff --git a/docs/12-VLAN-SETUP-PROGRESS.md b/docs/12-VLAN-SETUP-PROGRESS.md index a62007f..f442c00 100644 --- a/docs/12-VLAN-SETUP-PROGRESS.md 
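Review bot: The Device Count Summary added here does not agree with the tables in the first hunk of this file: VLAN 10 is counted as 9 although two of those rows (172.17.0.2 and 172.17.0.3) are router containers with no VLAN target IP, and VLAN 30 is counted as 11 while that table has 14 rows. Either correct the counts or state in the Comment column what is being counted, e.g. `| 10 - Mgmt | 7 | Infrastructure only (+2 router containers, not on a VLAN) |`. The original note that the 172.17.0.x containers sit on a container bridge rather than a VLAN was dropped in the first hunk; a short restatement next to this table would keep the count from being read as seven VLAN 10 hosts.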
+++ b/docs/12-VLAN-SETUP-PROGRESS.md @@ -156,7 +156,7 @@ wifi2: PVID=1 (XTRM2 2.4GHz) | 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | Waiting | | 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 | Waiting | | 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | Waiting | -| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | Waiting | +| 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | Waiting | | 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U Unraid | Waiting | ### User Manager (Installed, Not Configured) @@ -183,7 +183,7 @@ wifi2: PVID=1 (XTRM2 2.4GHz) | 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | ether2 via PP1 | | 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 | ether3 | | 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | Container | -| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | CSS326 port | +| 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | CSS326 port | | 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U Unraid | ether4/5 | ### VLAN 20 - Trusted (5 devices) diff --git a/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md b/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md index 412bbd8..cb65d2e 100644 --- a/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md +++ b/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md @@ -23,7 +23,8 @@ Successfully implemented VLAN network segmentation on MikroTik hAP ax³ with: |--------|-----|------|------|-------| | WinBox | 192.168.10.1 | 8291 | xtrm | Primary management | | WebFig | 192.168.10.1 | 80 | xtrm | Web interface | -| SSH | 192.168.10.1 | **2222** | xtrm | Key: ~/.ssh/mikrotik_key | +| SSH (Mac) | 192.168.10.1 | **2222** | xtrm | Key: ~/.ssh/mikrotik_key | +| SSH (Unraid) | 192.168.10.1 | **2222** | unraid | Key: ~/.ssh/id_ed25519 | | WinBox | 192.168.1.1 | 8291 | xtrm | Via VLAN 40 | | WinBox | 192.168.20.1 | 8291 | xtrm | Via VLAN 20 | 
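Review bot: The new `SSH (Unraid)` row adds a second RouterOS login (`unraid`, key ~/.ssh/id_ed25519) but does not record which user group it belongs to; presumably it is for scripted access from the server, in which case it should be in the RouterOS `read` group rather than `full`, and the Notes cell should say so, e.g. `Key: ~/.ssh/id_ed25519, group: read`. Whether the user is limited with `address=192.168.10.20` is not visible here; if it is not, adding that restriction keeps the key usable only from the Unraid host. The `From Unraid` command added in the `@@ -266` hunk of this file, `ssh -p 2222 unraid@192.168.10.1`, omits `-i`, so it relies on the default key of whichever account runs it; `ssh -i ~/.ssh/id_ed25519 -p 2222 unraid@192.168.10.1` keeps the table and the command in agreement.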
@@ -135,7 +136,7 @@ add action=accept vlan-id=40 comment="Default - VLAN40" | 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 Switch | ✅ | | 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | ✅ | | 192.168.10.20 | A8:B8:E0:02:B6:15 | Unraid Server | ✅ Verified | -| 192.168.10.199 | 48:DA:35:6F:BE:50 | NanoKVM | ✅ | +| 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | ✅ | --- @@ -266,10 +267,17 @@ ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422 ``` ### SSH to MikroTik (port 2222!) + +From Mac: ```bash ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1 ``` +From Unraid: +```bash +ssh -p 2222 unraid@192.168.10.1 +``` + ### Quick Status from Unraid ```bash ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422 "docker ps -a --format 'table {{.Names}}\t{{.Status}}'" diff --git a/docs/wip/DNS-REDIRECT-RULES-BACKUP.md b/docs/wip/DNS-REDIRECT-RULES-BACKUP.md new file mode 100644 index 0000000..0b0cd85 --- /dev/null +++ b/docs/wip/DNS-REDIRECT-RULES-BACKUP.md 
@@ -0,0 +1,56 @@ +# DNS Redirect Rules Backup + +**Date:** 2026-01-27 +**Reason:** Temporarily disabled during VLAN migration +**Status:** DISABLED - to be re-enabled after VLAN setup complete + +## NAT Rules (dstnat) + +| # | Comment | Chain | Action | Src Address | Dst Port | To Address | To Port | +|---|---------|-------|--------|-------------|----------|------------|---------| +| 3 | Allow MikroTik AdGuard outbound DNS | dstnat | accept | 172.17.0.0/24 | 53/udp | - | - | +| 25 | Allow Unraid AdGuard outbound DNS | dstnat | accept | 192.168.31.4 | 53/udp | - | - | +| 26 | Allow Unraid AdGuard outbound DNS TCP | dstnat | accept | 192.168.31.4 | 53/tcp | - | - | +| 27 | Redirect DNS to MikroTik AdGuard | dstnat | dst-nat | 192.168.31.0/24 | 53/udp | 172.17.0.2 | 53 | +| 28 | Redirect DNS to MikroTik AdGuard TCP | dstnat | dst-nat | 192.168.31.0/24 | 53/tcp | 172.17.0.2 | 53 | +| 30 | DNS over TLS (DoT) | dstnat | dst-nat | in-interface=eth1_WAN | 853/tcp | 172.17.0.2 | 853 | +| 31 | DNS over HTTPS (DoH) | dstnat | dst-nat | in-interface=eth1_WAN | 8443/tcp | 172.17.0.2 | 443 | +| 32 | Redirect VLAN DNS to AdGuard | dstnat | dst-nat | src-address-list=all-vlans | 53/udp | 172.17.0.2 | 53 | +| 33 | Redirect VLAN DNS to AdGuard TCP | dstnat | dst-nat | src-address-list=all-vlans | 53/tcp | 172.17.0.2 | 53 | + +## NAT Rules (srcnat - masquerade) + +| # | Comment | Chain | Action | Src Address | Dst Address | Dst Port | +|---|---------|-------|--------|-------------|-------------|----------| +| 8 | Masquerade DNS to MikroTik AdGuard | srcnat | masquerade | 192.168.31.0/24 | 172.17.0.2 | 53/udp | +| 9 | Masquerade DNS to MikroTik AdGuard TCP | srcnat | masquerade | 192.168.31.0/24 | 172.17.0.2 | 53/tcp | +| 34 | Masquerade VLAN DNS to AdGuard | srcnat | masquerade | src-address-list=all-vlans | 172.17.0.2 | 53/udp | +| 35 | Masquerade VLAN DNS to AdGuard TCP | srcnat | masquerade | src-address-list=all-vlans | 172.17.0.2 | 53/tcp | + +## Filter Rules (forward - allow 
DNS) + +| # | Comment | Chain | Action | Src Address List | Dst Address | Dst Port | +|---|---------|-------|--------|------------------|-------------|----------| +| 12 | VLAN: IoT to DNS | forward | accept | vlan-iot | 192.168.31.1 | 53/udp | +| 14 | VLAN: IoT to DNS TCP | forward | accept | vlan-iot | 192.168.31.1 | 53/tcp | +| 16 | VLAN: Cameras to DNS | forward | accept | vlan-cameras | 192.168.31.1 | 53/udp | +| 18 | VLAN: Guest to DNS | forward | accept | vlan-guest | 192.168.31.1 | 53/udp | +| 51 | VLAN: Kids to DNS | forward | accept | vlan-kids | 192.168.31.1 | 53/udp | + +## Re-enable Commands + +When ready to restore DNS redirect to AdGuard: + +```routeros +# Enable NAT redirect rules +/ip firewall nat enable [find comment~"Redirect DNS" or comment~"Masquerade DNS"] + +# Note: Filter rules (VLAN to DNS) should remain enabled - they just allow traffic +``` + +## Notes + +- Rules 27, 28, 32, 33 are the main redirect rules that force DNS through AdGuard +- Rules 8, 9, 34, 35 are masquerade rules needed for AdGuard container to work +- Rules 3, 25, 26 allow AdGuard containers to make outbound DNS queries +- Filter rules 12, 14, 16, 18, 51 allow VLAN devices to reach DNS - these are OK to keep
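Review bot: The re-enable command `/ip firewall nat enable [find comment~"Redirect DNS" or comment~"Masquerade DNS"]` misses four of the eight rules the Notes section says it is meant to restore: rules 32–35 are commented `Redirect VLAN DNS to AdGuard` / `Masquerade VLAN DNS to AdGuard`, and the substrings `Redirect DNS` / `Masquerade DNS` do not occur in them. Those are exactly the VLAN rules needed after the migration, so use a pattern covering both forms, e.g. `/ip firewall nat enable [find comment~"^(Redirect|Masquerade) (VLAN )?DNS"]`, and check with `/ip firewall nat print where disabled=yes` afterwards. Rules 3, 25, 26, 30 and 31 match neither pattern; the header marks the whole set DISABLED, so if they were disabled as part of the same change they stay off after this command and need their own line. Rule 31 forwards WAN 8443/tcp to the AdGuard container, so when it is restored it is worth confirming that AdGuard answers DoH only for the intended clients, otherwise it is an internet-reachable resolver.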