jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update VLAN proposal with decisions
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source 
- Added VLAN 35 for Cameras (isolated)
- Guest WiFi: password only, no captive portal
- Keep VLAN 1 (192.168.31.0/24) for transition
- Added camera geo-blocking rules
- Updated firewall matrix with camera view-only access
- Added rollback plan
This commit is contained in:
XTRM-Unraid
2026-01-25 15:51:01 +02:00
parent c1dca8526a
commit 2e58a3f663
1 changed files with 171 additions and 156 deletions
Download Patch File Download Diff File Expand all files Collapse all files

327
docs/wip/VLAN-PROPOSAL.md
View File

@@ -2,15 +2,21 @@
**Status:** Planning
**Created:** 2026-01-25
**Updated:** 2026-01-25
---
## Decisions Made
- ✅ Separate Camera VLAN (VLAN 35)
- ✅ Guest WiFi: Password only (no captive portal)
- ✅ Keep 192.168.31.0/24 during transition (VLAN 1)
---
## Current State
Single flat network: `192.168.31.0/24`
- All devices on same broadcast domain
- No traffic isolation between IoT, guests, and trusted devices
- Security risk: compromised IoT device can access entire network
Single flat network: `192.168.31.0/24` (will become transition VLAN)
---
@@ -18,35 +24,51 @@ Single flat network: `192.168.31.0/24`
```
┌─────────────────┐
│ INTERNET
INTERNET │
└────────┬────────┘
┌────────▼────────┐
│ MikroTik hAP │
192.168.31.1
│ (Router/FW) │
(Router/FW)
└────────┬────────┘
┌──────────────┬───────────────┼───────────────┬──────────────
┌────────────────┐ ┌──────────┐ ┌────▼────┐ ┌──────────────┐ ┌────────┐
VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 40 │ │ VLAN 50 │
Management │ │ Trusted │ │ IoT │ │ Servers │ │ Guest │
│ 192.168.10.0/24 │ │ .20.0/24 │ │ .30.0/24 │ │ .40.0/24 │ │.50.0/24 │
└─────────────────┘ └─────────┘ └───────────┘ └───────────────┘ └─────────┘
┌───────────┬───────────┬───────────┬───┴───┬───────────┬───────────┐
│ │ │ │
┌────────┐ ┌────────┐ ┌────────┐ ┌────▼────┐ ┌▼────────┐ ┌▼────────┐ ┌────────┐
│ VLAN 1 VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 35 │ │ VLAN 40 │ │ VLAN 50 │
│ Legacy Mgmt │ │ Trusted │ │ IoT │ │ Cameras │ │ Servers │ │ Guest │
│.31.0/24 │ │.10.0/24 │ │.20.0/24 │ │.30.0/24 .35.0/24.40.0/24 │ │.50.0/24 │
└─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘
```
---
## VLAN Definitions
| VLAN ID | Name | Subnet | Purpose | Gateway |
| VLAN ID | Name | Subnet | Gateway | Purpose |
|---------|------|--------|---------|---------|
| 10 | Management | 192.168.10.0/24 | Infrastructure management | .10.1 |
| 20 | Trusted | 192.168.20.0/24 | Personal devices | .20.1 |
| 30 | IoT | 192.168.30.0/24 | Smart home devices | .30.1 |
| 40 | Servers | 192.168.40.0/24 | Exposed services | .40.1 |
| 50 | Guest | 192.168.50.0/24 | Visitor WiFi | .50.1 |
| 1 | Legacy/Transition | 192.168.31.0/24 | .31.1 | Current network (temporary) |
| 10 | Management | 192.168.10.0/24 | .10.1 | Infrastructure admin |
| 20 | Trusted | 192.168.20.0/24 | .20.1 | Personal devices |
| 30 | IoT | 192.168.30.0/24 | .30.1 | Smart home devices |
| 35 | Cameras | 192.168.35.0/24 | .35.1 | Security cameras (isolated) |
| 40 | Servers | 192.168.40.0/24 | .40.1 | Exposed services |
| 50 | Guest | 192.168.50.0/24 | .50.1 | Visitor WiFi |
---
## VLAN 1: Legacy/Transition
**Purpose:** Current network - devices migrate from here
| Device | IP | Target VLAN |
|--------|-----|-------------|
| MikroTik | 192.168.31.1 | VLAN 10 |
| Unraid | 192.168.31.2 | VLAN 10 |
| AdGuard | 192.168.31.4 | VLAN 40 |
| LG TV | 192.168.31.100 | VLAN 30 |
**Note:** This VLAN will be deprecated after migration.
---
@@ -58,32 +80,33 @@ Single flat network: `192.168.31.0/24`
|--------|-----|-------------|
| MikroTik | 192.168.10.1 | Router/Gateway |
| Unraid | 192.168.10.2 | Server management |
| Switch | 192.168.10.3 | CSS326 management |
| AP | 192.168.10.4 | cAP ac management |
| CSS326 | 192.168.10.3 | Switch management |
| cAP ac | 192.168.10.4 | AP management |
**Access Rules:**
- ✅ Full access to all VLANs (admin only)
- ✅ SSH, Web UI access
- ❌ No internet access (optional, security hardening)
- ❌ No access FROM other VLANs
- ✅ Full access to all VLANs
- ✅ SSH, Web UI, API access
- ❌ No access FROM other VLANs (except established)
---
## VLAN 20: Trusted
**Purpose:** Personal/family devices with full access
**Purpose:** Personal/family devices
| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Laptops | .20.100-.150 | MacBooks, Windows PCs |
| Phones | .20.151-.200 | iPhones, Android |
| Tablets | .20.201-.220 | iPads |
| Static | .20.10-.50 | Reserved |
| Device Type | DHCP Range | Static Range |
|-------------|------------|--------------|
| Reserved | - | .20.10-.50 |
| Laptops | .20.100-.130 | - |
| Phones | .20.131-.160 | - |
| Tablets | .20.161-.180 | - |
| Other | .20.181-.220 | - |
**Access Rules:**
- ✅ Internet access
- ✅ Access to Servers VLAN (Plex, services)
- ✅ Access to Servers VLAN
- ✅ Access to IoT VLAN (control devices)
- ✅ Access to Cameras VLAN (view feeds)
- ❌ No access to Management VLAN
- ❌ No access from Guest VLAN
@@ -95,117 +118,139 @@ Single flat network: `192.168.31.0/24`
| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Smart TV | .30.100-.110 | LG TV, Apple TV |
| Smart TVs | .30.100-.110 | LG TV, Apple TV |
| Speakers | .30.111-.130 | Sonos, HomePod |
| Sensors | .30.131-.180 | Zigbee hubs, motion |
| Cameras | .30.181-.200 | Security cameras |
| Static | .30.10-.50 | Reserved |
| Hubs | .30.131-.150 | Zigbee, Z-Wave |
| Sensors | .30.151-.180 | Motion, temp |
| Other | .30.181-.220 | Plugs, lights |
**Access Rules:**
- ✅ Internet access (restricted destinations)
-Access to local DNS (AdGuard)
- ✅ mDNS/Bonjour relay from Trusted
- ❌ No inter-device communication (optional)
- ✅ Internet access (filtered)
-Local DNS (AdGuard)
- ✅ mDNS relay from Trusted
- ❌ No access to Management
- ❌ No access to Servers (except specific ports)
-Cannot initiate to Trusted (Trusted can initiate)
- ❌ No access to Cameras
-No access to Servers (except specific)
- ❌ Cannot initiate to Trusted
---
## VLAN 35: Cameras
**Purpose:** Security cameras (highly isolated)
| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Indoor | .35.100-.120 | - |
| Outdoor | .35.121-.140 | - |
| NVR | .35.10 | Recording server |
**Access Rules:**
- ⚠️ Limited internet (firmware updates only)
- ✅ Access to NVR only
- ✅ Trusted can VIEW (no control)
- ❌ No access to any other VLAN
- ❌ No inter-camera communication
- ❌ Blocked: China, Russia IPs (common camera callback)
---
## VLAN 40: Servers/DMZ
**Purpose:** Services accessible from internet
**Purpose:** Services accessible externally
| Service | IP | Ports | Description |
|---------|-----|-------|-------------|
| Traefik | 192.168.40.2 | 80,443 | Reverse proxy |
| AdGuard | 192.168.40.4 | 53,853,443 | DNS (DoT/DoH) |
| AdGuard | 192.168.40.4 | 53,853,443 | DNS server |
| Gitea | 192.168.40.10 | 3000 | Git hosting |
| Plex | 192.168.40.20 | 32400 | Media server |
| Woodpecker | 192.168.40.11 | 8000 | CI/CD |
| Plex | 192.168.40.20 | 32400 | Media |
**Access Rules:**
- ✅ Internet access
- ✅ Inbound from WAN (via NAT)
- ✅ Access from Trusted VLAN
- ❌ Cannot initiate to Management
- ❌ Cannot initiate to Trusted
- ❌ No access from Guest
- ✅ Access from Trusted
- ❌ Cannot initiate to other VLANs
---
## VLAN 50: Guest
**Purpose:** Visitor WiFi with internet only
**Purpose:** Visitor WiFi (password protected, no captive portal)
| Setting | Value |
|---------|-------|
| DHCP Range | 192.168.50.100-.200 |
| Lease Time | 4 hours |
| Bandwidth Limit | 50 Mbps |
| Client Isolation | Yes |
| Bandwidth | 50 Mbps limit |
| Client Isolation | Enabled |
**Access Rules:**
- ✅ Internet access only
- ❌ No access to any internal VLAN
- ❌ No access to ANY internal VLAN
- ❌ No inter-client communication
- ❌ Captive portal (optional)
---
## Firewall Rules Summary
## Firewall Matrix
```
┌─────────────┬──────┬─────────┬─────┬─────────┬───────┐
│ From \ To │ Mgmt │ Trusted │ IoT │ Servers │ Guest │
├─────────────┼──────┼─────────┼─────┼─────────┼───────┤
Management │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │
Trusted │ ✅ │ ✅ │ ✅ │
IoT │ ❌ │ ⚠️⚠️ │ ❌ │
Servers │ ❌ │ ❌ │ │ ❌ │
Guest │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️
Internet │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
└─────────────┴──────┴─────────┴─────┴─────────┴───────┘
┌─────────────┬────────┬──────┬─────────┬─────┬─────────┬─────────┬───────
│ From \ To │ Legacy │ Mgmt │ Trusted │ IoT │ Cameras │ Servers │ Guest │
├─────────────┼────────┼──────┼─────────┼─────┼─────────┼─────────┼───────
Legacy │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │
Management │ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅
Trusted │ ✅ │ ❌ │ 👁️ │ ✅ │ ❌ │
IoT │ │ ❌ │ ❌ │ ⚠️ │ ❌ ⚠️ │ ❌ │
Cameras │ │ ❌ │ ❌ │ ❌ │ ⚠️ │ ❌ │
Servers │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
│ Guest │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │
│ Internet │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
└─────────────┴────────┴──────┴─────────┴─────┴─────────┴─────────┴───────┘
✅ = Full access
❌ = Blocked
⚠️ = Limited/Specific ports only
❌ = Blocked
⚠️ = Limited (specific ports/IPs)
👁️ = View only (cameras: RTSP/HTTP streams)
```
---
## DNS Configuration
| VLAN | DNS Server | Purpose |
|------|------------|---------|
| 10 Management | 192.168.10.1 | MikroTik DNS |
| 20 Trusted | 192.168.40.4 | AdGuard (full filtering) |
| 30 IoT | 192.168.40.4 | AdGuard (IoT blocklist) |
| 40 Servers | 8.8.8.8, 1.1.1.1 | External DNS |
| 50 Guest | 192.168.40.4 | AdGuard (strict filtering) |
**Enforce DNS:** NAT redirect all port 53 traffic to designated DNS per VLAN.
| VLAN | DNS Server | Filtering Level |
|------|------------|-----------------|
| 1 Legacy | 192.168.31.1 | Current setup |
| 10 Management | 192.168.10.1 | Minimal |
| 20 Trusted | 192.168.40.4 | Standard |
| 30 IoT | 192.168.40.4 | IoT blocklist |
| 35 Cameras | 192.168.40.4 | Strict + geo-block |
| 40 Servers | 8.8.8.8/1.1.1.1 | None (external) |
| 50 Guest | 192.168.40.4 | Strict |
---
## WiFi SSID Mapping
| SSID | VLAN | Security | Notes |
|------|------|----------|-------|
| Home | 20 | WPA3 | Trusted devices |
| Home-IoT | 30 | WPA2 | Smart devices (2.4GHz) |
| Home-Guest | 50 | WPA2 | Visitors |
| (hidden) Admin | 10 | WPA3 | Management only |
| SSID | VLAN | Band | Security | Hidden |
|------|------|------|----------|--------|
| Home | 20 | 2.4+5 GHz | WPA3 | No |
| Home-IoT | 30 | 2.4 GHz | WPA2 | No |
| Home-Guest | 50 | 2.4+5 GHz | WPA2 | No |
| Admin | 10 | 5 GHz | WPA3 | Yes |
---
## MikroTik Implementation
### 1. Create VLANs on Bridge
### 1. Create VLANs
```routeros
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-trusted vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan35-cameras vlan-id=35
add interface=bridge name=vlan40-servers vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50
```
@@ -216,102 +261,72 @@ add interface=bridge name=vlan50-guest vlan-id=50
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.35.1/24 interface=vlan35-cameras
add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest
```
### 3. DHCP Servers
### 3. DHCP Pools
```routeros
/ip pool
add name=pool-trusted ranges=192.168.20.100-192.168.20.200
add name=pool-iot ranges=192.168.30.100-192.168.30.200
add name=pool-trusted ranges=192.168.20.100-192.168.20.220
add name=pool-iot ranges=192.168.30.100-192.168.30.220
add name=pool-cameras ranges=192.168.35.100-192.168.35.140
add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.200
/ip dhcp-server
add address-pool=pool-trusted interface=vlan20-trusted name=dhcp-trusted
add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot
add address-pool=pool-servers interface=vlan40-servers name=dhcp-servers
add address-pool=pool-guest interface=vlan50-guest name=dhcp-guest
```
### 4. Inter-VLAN Firewall (Example)
### 4. Camera Geo-Blocking
```routeros
/ip firewall address-list
add list=blocked-countries address=0.0.0.0/8 comment="CN/RU blocks - add actual ranges"
/ip firewall filter
# Allow established/related
add chain=forward action=accept connection-state=established,related
# Management can access all
add chain=forward action=accept src-address=192.168.10.0/24
# Trusted to IoT
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24
# Trusted to Servers
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.40.0/24
# Block all other inter-VLAN
add chain=forward action=drop src-address=192.168.10.0/16 dst-address=192.168.10.0/16
add chain=forward action=drop src-address=192.168.35.0/24 dst-address-list=blocked-countries
```
---
## Migration Plan
### Phase 1: Preparation
- [ ] Document all current static IPs
- [ ] List all devices and target VLANs
- [ ] Configure switch for VLAN trunking
- [ ] Test VLAN setup on isolated port
### Phase 1: Preparation (No Downtime)
- [ ] Document all static IPs and MAC addresses
- [ ] Create device inventory with target VLANs
- [ ] Configure VLANs on MikroTik (inactive)
- [ ] Configure switch trunk ports
- [ ] Test on isolated port
### Phase 2: Infrastructure
- [ ] Create VLANs on MikroTik
### Phase 2: Infrastructure (Brief Downtime)
- [ ] Create VLAN interfaces and IPs
- [ ] Configure DHCP per VLAN
- [ ] Move Unraid to VLAN 10 (management)
- [ ] Move AdGuard to VLAN 40 (servers)
- [ ] Update DNS redirect rules
- [ ] Move Unraid management to VLAN 10
- [ ] Move AdGuard to VLAN 40
- [ ] Update container networks
### Phase 3: Devices
- [ ] Configure WiFi SSIDs per VLAN
- [ ] Move trusted devices to VLAN 20
### Phase 3: WiFi (Rolling)
- [ ] Create new SSIDs per VLAN
- [ ] Move personal devices to VLAN 20
- [ ] Move IoT devices to VLAN 30
- [ ] Test inter-VLAN access rules
- [ ] Test mDNS/Bonjour relay
### Phase 4: Hardening
- [ ] Implement firewall rules
- [ ] Enable DNS enforcement per VLAN
- [ ] Set up guest captive portal (optional)
### Phase 4: Cameras & Security
- [ ] Move cameras to VLAN 35
- [ ] Implement geo-blocking
- [ ] Test camera isolation
- [ ] Verify Trusted can view feeds
### Phase 5: Cleanup
- [ ] Implement all firewall rules
- [ ] Enable DNS enforcement
- [ ] Migrate remaining devices from VLAN 1
- [ ] Document final configuration
- [ ] Deprecate VLAN 1 (keep for emergency)
---
## Considerations
## Rollback Plan
### Pros
- Security isolation between device types
- Compromised IoT cannot access trusted devices
- Guest cannot snoop on internal traffic
- Granular firewall control
- Better traffic management
### Cons
- Increased complexity
- mDNS/Bonjour requires relay configuration
- Some IoT devices may have issues
- Initial migration effort
### Services Requiring Special Attention
- **Plex:** Needs access from Trusted to Servers
- **Sonos/AirPlay:** Requires mDNS relay
- **Chromecast:** Needs multicast between VLANs
- **Printers:** May need access from multiple VLANs
---
## Questions to Decide
1. Should Management VLAN have internet access?
2. IoT device discovery - enable mDNS relay or use static configs?
3. Guest WiFi - captive portal or just password?
4. Camera VLAN - separate from IoT or combined?
5. Keep legacy 192.168.31.0/24 for transition period?
If issues occur:
1. All devices can temporarily use VLAN 1 (legacy)
2. MikroTik remains accessible on 192.168.31.1
3. Keep VLAN 1 DHCP active during transition