From 2e58a3f663e28d0e1f3fba83267210ae94ecb527 Mon Sep 17 00:00:00 2001 From: XTRM-Unraid Date: Sun, 25 Jan 2026 15:51:01 +0200 Subject: [PATCH] Update VLAN proposal with decisions - Added VLAN 35 for Cameras (isolated) - Guest WiFi: password only, no captive portal - Keep VLAN 1 (192.168.31.0/24) for transition - Added camera geo-blocking rules - Updated firewall matrix with camera view-only access - Added rollback plan --- docs/wip/VLAN-PROPOSAL.md | 327 ++++++++++++++++++++------------------ 1 file changed, 171 insertions(+), 156 deletions(-) diff --git a/docs/wip/VLAN-PROPOSAL.md b/docs/wip/VLAN-PROPOSAL.md index e54835b..9774829 100644 --- a/docs/wip/VLAN-PROPOSAL.md +++ b/docs/wip/VLAN-PROPOSAL.md @@ -2,15 +2,21 @@ **Status:** Planning **Created:** 2026-01-25 +**Updated:** 2026-01-25 + +--- + +## Decisions Made + +- ✅ Separate Camera VLAN (VLAN 35) +- ✅ Guest WiFi: Password only (no captive portal) +- ✅ Keep 192.168.31.0/24 during transition (VLAN 1) --- ## Current State -Single flat network: `192.168.31.0/24` -- All devices on same broadcast domain -- No traffic isolation between IoT, guests, and trusted devices -- Security risk: compromised IoT device can access entire network +Single flat network: `192.168.31.0/24` (will become transition VLAN) --- 
@@ -18,35 +24,51 @@ Single flat network: `192.168.31.0/24` ``` ┌─────────────────┐ - │ INTERNET │ + │ INTERNET │ └────────┬────────┘ │ ┌────────▼────────┐ │ MikroTik hAP │ - │ 192.168.31.1 │ - │ (Router/FW) │ + │ (Router/FW) │ └────────┬────────┘ │ - ┌──────────────┬───────────────┼───────────────┬──────────────┐ - │ │ │ │ │ - ┌────────▼────────┐ ┌───▼───────┐ ┌─────▼─────┐ ┌───────▼───────┐ ┌────▼────┐ - │ VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 40 │ │ VLAN 50 │ - │ Management │ │ Trusted │ │ IoT │ │ Servers │ │ Guest │ - │ 192.168.10.0/24 │ │ .20.0/24 │ │ .30.0/24 │ │ .40.0/24 │ │.50.0/24 │ - └─────────────────┘ └───────────┘ └───────────┘ └───────────────┘ └─────────┘ + ┌───────────┬───────────┬───────────┬───┴───┬───────────┬───────────┐ + │ │ │ │ │ │ │ +┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌▼────────┐ ┌▼────────┐ ┌▼────────┐ +│ VLAN 1 │ │ VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 35 │ │ VLAN 40 │ │ VLAN 50 │ +│ Legacy │ │ Mgmt │ │ Trusted │ │ IoT │ │ Cameras │ │ Servers │ │ Guest │ +│.31.0/24 │ │.10.0/24 │ │.20.0/24 │ │.30.0/24 │ │.35.0/24 │ │.40.0/24 │ │.50.0/24 │ +└─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ ``` --- ## VLAN Definitions -| VLAN ID | Name | Subnet | Purpose | Gateway | +| VLAN ID | Name | Subnet | Gateway | Purpose | |---------|------|--------|---------|---------| -| 10 | Management | 192.168.10.0/24 | Infrastructure management | .10.1 | -| 20 | Trusted | 192.168.20.0/24 | Personal devices | .20.1 | -| 30 | IoT | 192.168.30.0/24 | Smart home devices | .30.1 | -| 40 | Servers | 192.168.40.0/24 | Exposed services | .40.1 | -| 50 | Guest | 192.168.50.0/24 | Visitor WiFi | .50.1 | +| 1 | Legacy/Transition | 192.168.31.0/24 | .31.1 | Current network (temporary) | +| 10 | Management | 192.168.10.0/24 | .10.1 | Infrastructure admin | +| 20 | Trusted | 192.168.20.0/24 | .20.1 | Personal devices | +| 30 | IoT | 192.168.30.0/24 | .30.1 | Smart home devices | +| 35 | Cameras | 192.168.35.0/24 | .35.1 | 
Security cameras (isolated) | +| 40 | Servers | 192.168.40.0/24 | .40.1 | Exposed services | +| 50 | Guest | 192.168.50.0/24 | .50.1 | Visitor WiFi | + +--- + +## VLAN 1: Legacy/Transition + +**Purpose:** Current network - devices migrate from here + +| Device | IP | Target VLAN | +|--------|-----|-------------| +| MikroTik | 192.168.31.1 | VLAN 10 | +| Unraid | 192.168.31.2 | VLAN 10 | +| AdGuard | 192.168.31.4 | VLAN 40 | +| LG TV | 192.168.31.100 | VLAN 30 | + +**Note:** This VLAN will be deprecated after migration. --- 
@@ -58,32 +80,33 @@ Single flat network: `192.168.31.0/24` |--------|-----|-------------| | MikroTik | 192.168.10.1 | Router/Gateway | | Unraid | 192.168.10.2 | Server management | -| Switch | 192.168.10.3 | CSS326 management | -| AP | 192.168.10.4 | cAP ac management | +| CSS326 | 192.168.10.3 | Switch management | +| cAP ac | 192.168.10.4 | AP management | **Access Rules:** -- ✅ Full access to all VLANs (admin only) -- ✅ SSH, Web UI access -- ❌ No internet access (optional, security hardening) -- ❌ No access FROM other VLANs +- ✅ Full access to all VLANs +- ✅ SSH, Web UI, API access +- ❌ No access FROM other VLANs (except established) --- ## VLAN 20: Trusted -**Purpose:** Personal/family devices with full access +**Purpose:** Personal/family devices -| Device Type | DHCP Range | Examples | -|-------------|------------|----------| -| Laptops | .20.100-.150 | MacBooks, Windows PCs | -| Phones | .20.151-.200 | iPhones, Android | -| Tablets | .20.201-.220 | iPads | -| Static | .20.10-.50 | Reserved | +| Device Type | DHCP Range | Static Range | +|-------------|------------|--------------| +| Reserved | - | .20.10-.50 | +| Laptops | .20.100-.130 | - | +| Phones | .20.131-.160 | - | +| Tablets | .20.161-.180 | - | +| Other | .20.181-.220 | - | **Access Rules:** - ✅ Internet access -- ✅ Access to Servers VLAN (Plex, services) +- ✅ Access to Servers VLAN - ✅ Access to IoT VLAN (control devices) +- ✅ Access to Cameras VLAN (view feeds) - ❌ No access to Management VLAN - ❌ No access from Guest VLAN 
@@ -95,117 +118,139 @@ Single flat network: `192.168.31.0/24` | Device Type | DHCP Range | Examples | |-------------|------------|----------| -| Smart TV | .30.100-.110 | LG TV, Apple TV | +| Smart TVs | .30.100-.110 | LG TV, Apple TV | | Speakers | .30.111-.130 | Sonos, HomePod | -| Sensors | .30.131-.180 | Zigbee hubs, motion | -| Cameras | .30.181-.200 | Security cameras | -| Static | .30.10-.50 | Reserved | +| Hubs | .30.131-.150 | Zigbee, Z-Wave | +| Sensors | .30.151-.180 | Motion, temp | +| Other | .30.181-.220 | Plugs, lights | **Access Rules:** -- ✅ Internet access (restricted destinations) -- ✅ Access to local DNS (AdGuard) -- ✅ mDNS/Bonjour relay from Trusted -- ❌ No inter-device communication (optional) +- ✅ Internet access (filtered) +- ✅ Local DNS (AdGuard) +- ✅ mDNS relay from Trusted - ❌ No access to Management -- ❌ No access to Servers (except specific ports) -- ❌ Cannot initiate to Trusted (Trusted can initiate) +- ❌ No access to Cameras +- ❌ No access to Servers (except specific) +- ❌ Cannot initiate to Trusted + +--- + +## VLAN 35: Cameras + +**Purpose:** Security cameras (highly isolated) + +| Device Type | DHCP Range | Examples | +|-------------|------------|----------| +| Indoor | .35.100-.120 | - | +| Outdoor | .35.121-.140 | - | +| NVR | .35.10 | Recording server | + +**Access Rules:** +- ⚠️ Limited internet (firmware updates only) +- ✅ Access to NVR only +- ✅ Trusted can VIEW (no control) +- ❌ No access to any other VLAN +- ❌ No inter-camera communication +- ❌ Blocked: China, Russia IPs (common camera callback) --- ## VLAN 40: Servers/DMZ -**Purpose:** Services accessible from internet +**Purpose:** Services accessible externally | Service | IP | Ports | Description | |---------|-----|-------|-------------| | Traefik | 192.168.40.2 | 80,443 | Reverse proxy | -| AdGuard | 192.168.40.4 | 53,853,443 | DNS (DoT/DoH) | +| AdGuard | 192.168.40.4 | 53,853,443 | DNS server | | Gitea | 192.168.40.10 | 3000 | Git hosting | -| Plex | 192.168.40.20 | 
32400 | Media server | +| Woodpecker | 192.168.40.11 | 8000 | CI/CD | +| Plex | 192.168.40.20 | 32400 | Media | **Access Rules:** - ✅ Internet access - ✅ Inbound from WAN (via NAT) -- ✅ Access from Trusted VLAN -- ❌ Cannot initiate to Management -- ❌ Cannot initiate to Trusted -- ❌ No access from Guest +- ✅ Access from Trusted +- ❌ Cannot initiate to other VLANs --- ## VLAN 50: Guest -**Purpose:** Visitor WiFi with internet only +**Purpose:** Visitor WiFi (password protected, no captive portal) | Setting | Value | |---------|-------| | DHCP Range | 192.168.50.100-.200 | | Lease Time | 4 hours | -| Bandwidth Limit | 50 Mbps | -| Client Isolation | Yes | +| Bandwidth | 50 Mbps limit | +| Client Isolation | Enabled | **Access Rules:** - ✅ Internet access only -- ❌ No access to any internal VLAN +- ❌ No access to ANY internal VLAN - ❌ No inter-client communication -- ❌ Captive portal (optional) --- -## Firewall Rules Summary +## Firewall Matrix ``` -┌─────────────┬──────┬─────────┬─────┬─────────┬───────┐ -│ From \ To │ Mgmt │ Trusted │ IoT │ Servers │ Guest │ -├─────────────┼──────┼─────────┼─────┼─────────┼───────┤ -│ Management │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ -│ Trusted │ ❌ │ ✅ │ ✅ │ ✅ │ ❌ │ -│ IoT │ ❌ │ ❌ │ ⚠️ │ ⚠️ │ ❌ │ -│ Servers │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │ -│ Guest │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │ -│ Internet │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │ -└─────────────┴──────┴─────────┴─────┴─────────┴───────┘ +┌─────────────┬────────┬──────┬─────────┬─────┬─────────┬─────────┬───────┐ +│ From \ To │ Legacy │ Mgmt │ Trusted │ IoT │ Cameras │ Servers │ Guest │ +├─────────────┼────────┼──────┼─────────┼─────┼─────────┼─────────┼───────┤ +│ Legacy │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ +│ Management │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ +│ Trusted │ ✅ │ ❌ │ ✅ │ ✅ │ 👁️ │ ✅ │ ❌ │ +│ IoT │ ❌ │ ❌ │ ❌ │ ⚠️ │ ❌ │ ⚠️ │ ❌ │ +│ Cameras │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │ ❌ │ ❌ │ +│ Servers │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │ +│ Guest │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │ +│ Internet │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │ 
+└─────────────┴────────┴──────┴─────────┴─────┴─────────┴─────────┴───────┘ ✅ = Full access -❌ = Blocked -⚠️ = Limited/Specific ports only +❌ = Blocked +⚠️ = Limited (specific ports/IPs) +👁️ = View only (cameras: RTSP/HTTP streams) ``` --- ## DNS Configuration -| VLAN | DNS Server | Purpose | -|------|------------|---------| -| 10 Management | 192.168.10.1 | MikroTik DNS | -| 20 Trusted | 192.168.40.4 | AdGuard (full filtering) | -| 30 IoT | 192.168.40.4 | AdGuard (IoT blocklist) | -| 40 Servers | 8.8.8.8, 1.1.1.1 | External DNS | -| 50 Guest | 192.168.40.4 | AdGuard (strict filtering) | - -**Enforce DNS:** NAT redirect all port 53 traffic to designated DNS per VLAN. +| VLAN | DNS Server | Filtering Level | +|------|------------|-----------------| +| 1 Legacy | 192.168.31.1 | Current setup | +| 10 Management | 192.168.10.1 | Minimal | +| 20 Trusted | 192.168.40.4 | Standard | +| 30 IoT | 192.168.40.4 | IoT blocklist | +| 35 Cameras | 192.168.40.4 | Strict + geo-block | +| 40 Servers | 8.8.8.8/1.1.1.1 | None (external) | +| 50 Guest | 192.168.40.4 | Strict | --- ## WiFi SSID Mapping -| SSID | VLAN | Security | Notes | -|------|------|----------|-------| -| Home | 20 | WPA3 | Trusted devices | -| Home-IoT | 30 | WPA2 | Smart devices (2.4GHz) | -| Home-Guest | 50 | WPA2 | Visitors | -| (hidden) Admin | 10 | WPA3 | Management only | +| SSID | VLAN | Band | Security | Hidden | +|------|------|------|----------|--------| +| Home | 20 | 2.4+5 GHz | WPA3 | No | +| Home-IoT | 30 | 2.4 GHz | WPA2 | No | +| Home-Guest | 50 | 2.4+5 GHz | WPA2 | No | +| Admin | 10 | 5 GHz | WPA3 | Yes | --- ## MikroTik Implementation -### 1. Create VLANs on Bridge +### 1. 
Create VLANs ```routeros /interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10 add interface=bridge name=vlan20-trusted vlan-id=20 add interface=bridge name=vlan30-iot vlan-id=30 +add interface=bridge name=vlan35-cameras vlan-id=35 add interface=bridge name=vlan40-servers vlan-id=40 add interface=bridge name=vlan50-guest vlan-id=50 ``` 
@@ -216,102 +261,72 @@ add interface=bridge name=vlan50-guest vlan-id=50 add address=192.168.10.1/24 interface=vlan10-mgmt add address=192.168.20.1/24 interface=vlan20-trusted add address=192.168.30.1/24 interface=vlan30-iot +add address=192.168.35.1/24 interface=vlan35-cameras add address=192.168.40.1/24 interface=vlan40-servers add address=192.168.50.1/24 interface=vlan50-guest ``` -### 3. DHCP Servers +### 3. DHCP Pools ```routeros /ip pool -add name=pool-trusted ranges=192.168.20.100-192.168.20.200 -add name=pool-iot ranges=192.168.30.100-192.168.30.200 +add name=pool-trusted ranges=192.168.20.100-192.168.20.220 +add name=pool-iot ranges=192.168.30.100-192.168.30.220 +add name=pool-cameras ranges=192.168.35.100-192.168.35.140 add name=pool-servers ranges=192.168.40.100-192.168.40.150 add name=pool-guest ranges=192.168.50.100-192.168.50.200 - -/ip dhcp-server -add address-pool=pool-trusted interface=vlan20-trusted name=dhcp-trusted -add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot -add address-pool=pool-servers interface=vlan40-servers name=dhcp-servers -add address-pool=pool-guest interface=vlan50-guest name=dhcp-guest ``` -### 4. Inter-VLAN Firewall (Example) +### 4. 
Camera Geo-Blocking ```routeros +/ip firewall address-list +add list=blocked-countries address=0.0.0.0/8 comment="CN/RU blocks - add actual ranges" + /ip firewall filter -# Allow established/related -add chain=forward action=accept connection-state=established,related - -# Management can access all -add chain=forward action=accept src-address=192.168.10.0/24 - -# Trusted to IoT -add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24 - -# Trusted to Servers -add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.40.0/24 - -# Block all other inter-VLAN -add chain=forward action=drop src-address=192.168.10.0/16 dst-address=192.168.10.0/16 +add chain=forward action=drop src-address=192.168.35.0/24 dst-address-list=blocked-countries ``` --- ## Migration Plan -### Phase 1: Preparation -- [ ] Document all current static IPs -- [ ] List all devices and target VLANs -- [ ] Configure switch for VLAN trunking -- [ ] Test VLAN setup on isolated port +### Phase 1: Preparation (No Downtime) +- [ ] Document all static IPs and MAC addresses +- [ ] Create device inventory with target VLANs +- [ ] Configure VLANs on MikroTik (inactive) +- [ ] Configure switch trunk ports +- [ ] Test on isolated port -### Phase 2: Infrastructure -- [ ] Create VLANs on MikroTik +### Phase 2: Infrastructure (Brief Downtime) +- [ ] Create VLAN interfaces and IPs - [ ] Configure DHCP per VLAN -- [ ] Move Unraid to VLAN 10 (management) -- [ ] Move AdGuard to VLAN 40 (servers) -- [ ] Update DNS redirect rules +- [ ] Move Unraid management to VLAN 10 +- [ ] Move AdGuard to VLAN 40 +- [ ] Update container networks -### Phase 3: Devices -- [ ] Configure WiFi SSIDs per VLAN -- [ ] Move trusted devices to VLAN 20 +### Phase 3: WiFi (Rolling) +- [ ] Create new SSIDs per VLAN +- [ ] Move personal devices to VLAN 20 - [ ] Move IoT devices to VLAN 30 -- [ ] Test inter-VLAN access rules +- [ ] Test mDNS/Bonjour relay -### Phase 4: Hardening -- [ ] Implement 
firewall rules -- [ ] Enable DNS enforcement per VLAN -- [ ] Set up guest captive portal (optional) +### Phase 4: Cameras & Security +- [ ] Move cameras to VLAN 35 +- [ ] Implement geo-blocking +- [ ] Test camera isolation +- [ ] Verify Trusted can view feeds + +### Phase 5: Cleanup +- [ ] Implement all firewall rules +- [ ] Enable DNS enforcement +- [ ] Migrate remaining devices from VLAN 1 - [ ] Document final configuration +- [ ] Deprecate VLAN 1 (keep for emergency) --- -## Considerations +## Rollback Plan -### Pros -- Security isolation between device types -- Compromised IoT cannot access trusted devices -- Guest cannot snoop on internal traffic -- Granular firewall control -- Better traffic management - -### Cons -- Increased complexity -- mDNS/Bonjour requires relay configuration -- Some IoT devices may have issues -- Initial migration effort - -### Services Requiring Special Attention -- **Plex:** Needs access from Trusted to Servers -- **Sonos/AirPlay:** Requires mDNS relay -- **Chromecast:** Needs multicast between VLANs -- **Printers:** May need access from multiple VLANs - ---- - -## Questions to Decide - -1. Should Management VLAN have internet access? -2. IoT device discovery - enable mDNS relay or use static configs? -3. Guest WiFi - captive portal or just password? -4. Camera VLAN - separate from IoT or combined? -5. Keep legacy 192.168.31.0/24 for transition period? +If issues occur: +1. All devices can temporarily use VLAN 1 (legacy) +2. MikroTik remains accessible on 192.168.31.1 +3. Keep VLAN 1 DHCP active during transition
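Review bot: in the first hunk (`@@ -2,15 +2,21 @@`), dropping the four "Current State" bullets removes the only statement of why the proposal exists ("Security risk: compromised IoT device can access entire network"), and that risk still applies to everything left on 192.168.31.0/24 now that VLAN 1 is kept as a transition network. Keep the bullets, or move them into the new "VLAN 1: Legacy/Transition" section as the reason the transition VLAN is temporary.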
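Review bot: in the `@@ -18,35 +24,51 @@` hunk, the VLAN 1 device table lists `| MikroTik | 192.168.31.1 | VLAN 10 |`, but the Rollback Plan added later in this same patch says "MikroTik remains accessible on 192.168.31.1" and Phase 5 keeps VLAN 1 "for emergency", so the router is not migrating off .31.1; it gains .10.1 in addition. Word that row so nobody removes the 192.168.31.1 address during Phase 2, for example "stays (adds .10.1)" in the Target VLAN column. The reordered "Gateway" and "Purpose" columns in the VLAN Definitions table are consistent with the header, no issue there.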
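Review bot: in the `@@ -58,32 +80,33 @@` hunk, removing "No internet access (optional, security hardening)" from the Management access rules without a replacement silently answers the deleted question "Should Management VLAN have internet access?" as yes, and it is not listed under "Decisions Made". Either record it there or restore the bullet, because the Management row of the firewall matrix and the DNS table entry for 10 Management (192.168.10.1, which itself needs an upstream resolver) both depend on that decision. Also, "No access FROM other VLANs (except established)" conflicts with the new matrix, which gives the Legacy row ✅ into Mgmt; one of the two should change.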
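Review bot: in the `@@ -95,117 +118,139 @@` hunk, the DNS table points Cameras, IoT and Guest at AdGuard on 192.168.40.4 in the Servers VLAN while the matrix marks Cameras→Servers ❌ and Guest→Servers ❌, and the line that reconciled this ("Enforce DNS: NAT redirect all port 53 traffic to designated DNS per VLAN") was removed. Restore that enforcement note or state that the ⚠️/❌ cells carry an explicit UDP/TCP 53 allow to .40.4. Two of the new camera rules, "Access to NVR only" and "No inter-camera communication", are intra-VLAN (the NVR is .35.10 on the same subnet), so the router's forward chain never sees that traffic; note that they require port isolation on the CSS326/cAP ac rather than firewall filter rules. Finally, the Legacy row gives VLAN 1 ✅ into Cameras and Mgmt, so cameras are "highly isolated" only from devices that have already migrated; consider ❌ or ⚠️ for Legacy→Cameras for the whole transition period.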
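Review bot: in the `@@ -216,102 +261,72 @@` hunk, the `/ip dhcp-server` block was deleted with nothing replacing it, so the implementation now defines pools (including the new pool-cameras) that are bound to no interface, while Phase 2 still says "Configure DHCP per VLAN"; restore the block and add a line for VLAN 35 in the same form as the removed ones, e.g. `add address-pool=pool-cameras interface=vlan35-cameras name=dhcp-cameras`. Likewise the removed "Inter-VLAN Firewall (Example)" leaves the camera geo-block drop as the only filter rule, so neither the firewall matrix nor "Limited internet (firmware updates only)" has any implementation; keep at least the established/related accept and a final inter-VLAN drop. The address-list entry `address=0.0.0.0/8 comment="CN/RU blocks - add actual ranges"` is a placeholder that should be marked TODO so it is not pasted into production as-is. Ordering: Phase 4 moves cameras to VLAN 35 but the firewall rules are only implemented in Phase 5, so the cameras would sit unisolated for all of Phase 4; move "Implement all firewall rules" ahead of "Move cameras to VLAN 35".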