Update VLAN proposal with decisions

- Added VLAN 35 for Cameras (isolated)
- Guest WiFi: password only, no captive portal
- Keep VLAN 1 (192.168.31.0/24) for transition
- Added camera geo-blocking rules
- Updated firewall matrix with camera view-only access
- Added rollback plan
2026-01-25 15:51:01 +02:00
parent c1dca8526a
commit 2e58a3f663


@@ -2,15 +2,21 @@
**Status:** Planning **Status:** Planning
**Created:** 2026-01-25 **Created:** 2026-01-25
**Updated:** 2026-01-25
---
## Decisions Made
- ✅ Separate Camera VLAN (VLAN 35)
- ✅ Guest WiFi: Password only (no captive portal)
- ✅ Keep 192.168.31.0/24 during transition (VLAN 1)
--- ---
## Current State ## Current State
Single flat network: `192.168.31.0/24` Single flat network: `192.168.31.0/24` (will become transition VLAN)
- All devices on same broadcast domain
- No traffic isolation between IoT, guests, and trusted devices
- Security risk: compromised IoT device can access entire network
--- ---
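Review bot: the Decisions Made list records only three of the five open questions, while the body resolves the other two implicitly: the VLAN 10 rule `❌ No internet access (optional, security hardening)` is dropped later in this diff, which reads as a decision to allow it, and `mDNS relay from Trusted` appears as an IoT access rule, so Management internet access and the mDNS relay are decided without being logged here. Add them as explicit decision lines (for example `- ✅ Management VLAN: internet access allowed` and `- ✅ IoT discovery: mDNS relay from Trusted`), or keep the corresponding questions open, so the decision trail matches the configuration that follows.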
@@ -18,35 +24,51 @@ Single flat network: `192.168.31.0/24`
``` ```
┌─────────────────┐ ┌─────────────────┐
│ INTERNET INTERNET │
└────────┬────────┘ └────────┬────────┘
┌────────▼────────┐ ┌────────▼────────┐
│ MikroTik hAP │ │ MikroTik hAP │
192.168.31.1 (Router/FW)
│ (Router/FW) │
└────────┬────────┘ └────────┬────────┘
┌──────────────┬───────────────┼───────────────┬────────────── ┌───────────┬───────────┬───────────┬───┴───┬───────────┬───────────┐
│ │ │ │
┌────────────────┐ ┌──────────┐ ┌────▼────┐ ┌──────────────┐ ┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐ ┌────▼────┐ ┌▼────────┐ ┌▼────────┐ ┌────────┐
VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 40 │ │ VLAN 50 │ │ VLAN 1 VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 35 │ │ VLAN 40 │ │ VLAN 50 │
Management │ │ Trusted │ │ IoT │ │ Servers │ │ Guest │ │ Legacy Mgmt │ │ Trusted │ │ IoT │ │ Cameras │ │ Servers │ │ Guest │
│ 192.168.10.0/24 │ │ .20.0/24 │ │ .30.0/24 │ │ .40.0/24 │ │.50.0/24 │ │.31.0/24 │ │.10.0/24 │ │.20.0/24 │ │.30.0/24 .35.0/24.40.0/24 │ │.50.0/24 │
└─────────────────┘ └─────────┘ └───────────┘ └───────────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘
``` ```
--- ---
## VLAN Definitions ## VLAN Definitions
| VLAN ID | Name | Subnet | Purpose | Gateway | | VLAN ID | Name | Subnet | Gateway | Purpose |
|---------|------|--------|---------|---------| |---------|------|--------|---------|---------|
| 10 | Management | 192.168.10.0/24 | Infrastructure management | .10.1 | | 1 | Legacy/Transition | 192.168.31.0/24 | .31.1 | Current network (temporary) |
| 20 | Trusted | 192.168.20.0/24 | Personal devices | .20.1 | | 10 | Management | 192.168.10.0/24 | .10.1 | Infrastructure admin |
| 30 | IoT | 192.168.30.0/24 | Smart home devices | .30.1 | | 20 | Trusted | 192.168.20.0/24 | .20.1 | Personal devices |
| 40 | Servers | 192.168.40.0/24 | Exposed services | .40.1 | | 30 | IoT | 192.168.30.0/24 | .30.1 | Smart home devices |
| 50 | Guest | 192.168.50.0/24 | Visitor WiFi | .50.1 | | 35 | Cameras | 192.168.35.0/24 | .35.1 | Security cameras (isolated) |
| 40 | Servers | 192.168.40.0/24 | .40.1 | Exposed services |
| 50 | Guest | 192.168.50.0/24 | .50.1 | Visitor WiFi |
---
## VLAN 1: Legacy/Transition
**Purpose:** Current network - devices migrate from here
| Device | IP | Target VLAN |
|--------|-----|-------------|
| MikroTik | 192.168.31.1 | VLAN 10 |
| Unraid | 192.168.31.2 | VLAN 10 |
| AdGuard | 192.168.31.4 | VLAN 40 |
| LG TV | 192.168.31.100 | VLAN 30 |
**Note:** This VLAN will be deprecated after migration.
--- ---
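Review bot: in the VLAN 1 transition table the MikroTik row (`192.168.31.1`, Target VLAN 10) is misleading, because the router does not migrate; it must keep .31.1 for the whole transition (the rollback plan depends on exactly that) and gains .10.1 alongside the other gateway addresses. Reword the row to say "keeps .31.1 until VLAN 1 is deprecated; management address .10.1" rather than giving it a target VLAN. The table also lists only four devices while the Current State section describes a flat network with all devices on it; the Phase 1 inventory should populate this table before Phase 2 starts, since any device not listed here remains on Legacy, and the firewall matrix grants Legacy full access to every other VLAN for as long as it exists.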
@@ -58,32 +80,33 @@ Single flat network: `192.168.31.0/24`
|--------|-----|-------------| |--------|-----|-------------|
| MikroTik | 192.168.10.1 | Router/Gateway | | MikroTik | 192.168.10.1 | Router/Gateway |
| Unraid | 192.168.10.2 | Server management | | Unraid | 192.168.10.2 | Server management |
| Switch | 192.168.10.3 | CSS326 management | | CSS326 | 192.168.10.3 | Switch management |
| AP | 192.168.10.4 | cAP ac management | | cAP ac | 192.168.10.4 | AP management |
**Access Rules:** **Access Rules:**
- ✅ Full access to all VLANs (admin only) - ✅ Full access to all VLANs
- ✅ SSH, Web UI access - ✅ SSH, Web UI, API access
- ❌ No internet access (optional, security hardening) - ❌ No access FROM other VLANs (except established)
- ❌ No access FROM other VLANs
--- ---
## VLAN 20: Trusted ## VLAN 20: Trusted
**Purpose:** Personal/family devices with full access **Purpose:** Personal/family devices
| Device Type | DHCP Range | Examples | | Device Type | DHCP Range | Static Range |
|-------------|------------|----------| |-------------|------------|--------------|
| Laptops | .20.100-.150 | MacBooks, Windows PCs | | Reserved | - | .20.10-.50 |
| Phones | .20.151-.200 | iPhones, Android | | Laptops | .20.100-.130 | - |
| Tablets | .20.201-.220 | iPads | | Phones | .20.131-.160 | - |
| Static | .20.10-.50 | Reserved | | Tablets | .20.161-.180 | - |
| Other | .20.181-.220 | - |
**Access Rules:** **Access Rules:**
- ✅ Internet access - ✅ Internet access
- ✅ Access to Servers VLAN (Plex, services) - ✅ Access to Servers VLAN
- ✅ Access to IoT VLAN (control devices) - ✅ Access to IoT VLAN (control devices)
- ✅ Access to Cameras VLAN (view feeds)
- ❌ No access to Management VLAN - ❌ No access to Management VLAN
- ❌ No access from Guest VLAN - ❌ No access from Guest VLAN
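Review bot: `❌ No access FROM other VLANs (except established)` in the Management rules reads as if other VLANs may reach VLAN 10 once a connection exists; state it as return traffic only for sessions that Management initiated (accept `connection-state=established,related` in the forward chain, drop `connection-state=new` from non-Management sources towards 192.168.10.0/24), so nobody reads it as permission for servers or IoT to open connections to .10.x. In the Trusted table, the per-type DHCP ranges (.100-.130 laptops, .131-.160 phones, and so on) cannot be produced by a DHCP pool; the pool defined later in this diff is a single .100-.220 range, so the split needs static leases (MAC reservations) or the table should say the split is documentary only. The new `Access to Cameras VLAN (view feeds)` line should name the NVR as the only permitted destination if view-only is meant to be enforceable rather than aspirational.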
@@ -95,117 +118,139 @@ Single flat network: `192.168.31.0/24`
| Device Type | DHCP Range | Examples | | Device Type | DHCP Range | Examples |
|-------------|------------|----------| |-------------|------------|----------|
| Smart TV | .30.100-.110 | LG TV, Apple TV | | Smart TVs | .30.100-.110 | LG TV, Apple TV |
| Speakers | .30.111-.130 | Sonos, HomePod | | Speakers | .30.111-.130 | Sonos, HomePod |
| Sensors | .30.131-.180 | Zigbee hubs, motion | | Hubs | .30.131-.150 | Zigbee, Z-Wave |
| Cameras | .30.181-.200 | Security cameras | | Sensors | .30.151-.180 | Motion, temp |
| Static | .30.10-.50 | Reserved | | Other | .30.181-.220 | Plugs, lights |
**Access Rules:** **Access Rules:**
- ✅ Internet access (restricted destinations) - ✅ Internet access (filtered)
-Access to local DNS (AdGuard) -Local DNS (AdGuard)
- ✅ mDNS/Bonjour relay from Trusted - ✅ mDNS relay from Trusted
- ❌ No inter-device communication (optional)
- ❌ No access to Management - ❌ No access to Management
- ❌ No access to Servers (except specific ports) - ❌ No access to Cameras
-Cannot initiate to Trusted (Trusted can initiate) -No access to Servers (except specific)
- ❌ Cannot initiate to Trusted
---
## VLAN 35: Cameras
**Purpose:** Security cameras (highly isolated)
| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Indoor | .35.100-.120 | - |
| Outdoor | .35.121-.140 | - |
| NVR | .35.10 | Recording server |
**Access Rules:**
- ⚠️ Limited internet (firmware updates only)
- ✅ Access to NVR only
- ✅ Trusted can VIEW (no control)
- ❌ No access to any other VLAN
- ❌ No inter-camera communication
- ❌ Blocked: China, Russia IPs (common camera callback)
--- ---
## VLAN 40: Servers/DMZ ## VLAN 40: Servers/DMZ
**Purpose:** Services accessible from internet **Purpose:** Services accessible externally
| Service | IP | Ports | Description | | Service | IP | Ports | Description |
|---------|-----|-------|-------------| |---------|-----|-------|-------------|
| Traefik | 192.168.40.2 | 80,443 | Reverse proxy | | Traefik | 192.168.40.2 | 80,443 | Reverse proxy |
| AdGuard | 192.168.40.4 | 53,853,443 | DNS (DoT/DoH) | | AdGuard | 192.168.40.4 | 53,853,443 | DNS server |
| Gitea | 192.168.40.10 | 3000 | Git hosting | | Gitea | 192.168.40.10 | 3000 | Git hosting |
| Plex | 192.168.40.20 | 32400 | Media server | | Woodpecker | 192.168.40.11 | 8000 | CI/CD |
| Plex | 192.168.40.20 | 32400 | Media |
**Access Rules:** **Access Rules:**
- ✅ Internet access - ✅ Internet access
- ✅ Inbound from WAN (via NAT) - ✅ Inbound from WAN (via NAT)
- ✅ Access from Trusted VLAN - ✅ Access from Trusted
- ❌ Cannot initiate to Management - ❌ Cannot initiate to other VLANs
- ❌ Cannot initiate to Trusted
- ❌ No access from Guest
--- ---
## VLAN 50: Guest ## VLAN 50: Guest
**Purpose:** Visitor WiFi with internet only **Purpose:** Visitor WiFi (password protected, no captive portal)
| Setting | Value | | Setting | Value |
|---------|-------| |---------|-------|
| DHCP Range | 192.168.50.100-.200 | | DHCP Range | 192.168.50.100-.200 |
| Lease Time | 4 hours | | Lease Time | 4 hours |
| Bandwidth Limit | 50 Mbps | | Bandwidth | 50 Mbps limit |
| Client Isolation | Yes | | Client Isolation | Enabled |
**Access Rules:** **Access Rules:**
- ✅ Internet access only - ✅ Internet access only
- ❌ No access to any internal VLAN - ❌ No access to ANY internal VLAN
- ❌ No inter-client communication - ❌ No inter-client communication
- ❌ Captive portal (optional)
--- ---
## Firewall Rules Summary ## Firewall Matrix
``` ```
┌─────────────┬──────┬─────────┬─────┬─────────┬───────┐ ┌─────────────┬────────┬──────┬─────────┬─────┬─────────┬─────────┬───────
│ From \ To │ Mgmt │ Trusted │ IoT │ Servers │ Guest │ │ From \ To │ Legacy │ Mgmt │ Trusted │ IoT │ Cameras │ Servers │ Guest │
├─────────────┼──────┼─────────┼─────┼─────────┼───────┤ ├─────────────┼────────┼──────┼─────────┼─────┼─────────┼─────────┼───────
Management │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ Legacy │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │
Trusted │ ✅ │ ✅ │ ✅ │ Management │ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅
IoT │ ❌ │ ⚠️⚠️ │ ❌ │ Trusted │ ✅ │ ❌ │ 👁️ │ ✅ │ ❌ │
Servers │ ❌ │ ❌ │ │ ❌ │ IoT │ │ ❌ │ ❌ │ ⚠️ │ ❌ ⚠️ │ ❌ │
Guest │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ Cameras │ │ ❌ │ ❌ │ ❌ │ ⚠️ │ ❌ │
Internet │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │ Servers │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
└─────────────┴──────┴─────────┴─────┴─────────┴───────┘ │ Guest │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │
│ Internet │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
└─────────────┴────────┴──────┴─────────┴─────┴─────────┴─────────┴───────┘
✅ = Full access ✅ = Full access
❌ = Blocked ❌ = Blocked
⚠️ = Limited/Specific ports only ⚠️ = Limited (specific ports/IPs)
👁️ = View only (cameras: RTSP/HTTP streams)
``` ```
--- ---
## DNS Configuration ## DNS Configuration
| VLAN | DNS Server | Purpose | | VLAN | DNS Server | Filtering Level |
|------|------------|---------| |------|------------|-----------------|
| 10 Management | 192.168.10.1 | MikroTik DNS | | 1 Legacy | 192.168.31.1 | Current setup |
| 20 Trusted | 192.168.40.4 | AdGuard (full filtering) | | 10 Management | 192.168.10.1 | Minimal |
| 30 IoT | 192.168.40.4 | AdGuard (IoT blocklist) | | 20 Trusted | 192.168.40.4 | Standard |
| 40 Servers | 8.8.8.8, 1.1.1.1 | External DNS | | 30 IoT | 192.168.40.4 | IoT blocklist |
| 50 Guest | 192.168.40.4 | AdGuard (strict filtering) | | 35 Cameras | 192.168.40.4 | Strict + geo-block |
| 40 Servers | 8.8.8.8/1.1.1.1 | None (external) |
**Enforce DNS:** NAT redirect all port 53 traffic to designated DNS per VLAN. | 50 Guest | 192.168.40.4 | Strict |
--- ---
## WiFi SSID Mapping ## WiFi SSID Mapping
| SSID | VLAN | Security | Notes | | SSID | VLAN | Band | Security | Hidden |
|------|------|----------|-------| |------|------|------|----------|--------|
| Home | 20 | WPA3 | Trusted devices | | Home | 20 | 2.4+5 GHz | WPA3 | No |
| Home-IoT | 30 | WPA2 | Smart devices (2.4GHz) | | Home-IoT | 30 | 2.4 GHz | WPA2 | No |
| Home-Guest | 50 | WPA2 | Visitors | | Home-Guest | 50 | 2.4+5 GHz | WPA2 | No |
| (hidden) Admin | 10 | WPA3 | Management only | | Admin | 10 | 5 GHz | WPA3 | Yes |
--- ---
## MikroTik Implementation ## MikroTik Implementation
### 1. Create VLANs on Bridge ### 1. Create VLANs
```routeros ```routeros
/interface vlan /interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10 add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-trusted vlan-id=20 add interface=bridge name=vlan20-trusted vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30 add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan35-cameras vlan-id=35
add interface=bridge name=vlan40-servers vlan-id=40 add interface=bridge name=vlan40-servers vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50 add interface=bridge name=vlan50-guest vlan-id=50
``` ```
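Review bot: the 👁️ "view only" cell for Trusted → Cameras cannot be enforced with a port filter, because the same RTSP/HTTP ports on the cameras also carry configuration and PTZ control (ONVIF runs over HTTP); if view-only is the goal, allow Trusted only to the NVR (`dst-address=192.168.35.10` on the streaming ports) and drop Trusted → 192.168.35.0/24 otherwise, and say so in the legend. `No inter-camera communication` (and the Guest `Client Isolation` setting) is intra-VLAN traffic that the router's forward chain never sees; it needs switch port isolation on the CSS326 or client isolation on the cAP ac, and the page should note where it is enforced. `Limited internet (firmware updates only)` is better implemented as a default drop for `src-address=192.168.35.0/24` with an allowlist of vendor update hosts; that makes the CN/RU geo-block a secondary control, since a camera phoning home to a host outside those countries is otherwise still permitted. Cameras → Servers should be restricted to 192.168.40.4 on port 53 only, because AdGuard also listens on 853 and 443, and cameras with hard-coded resolvers need a dst-nat redirect of port 53 plus a drop of 853 to be forced through the filtered resolver; the DNS table promises "Strict + geo-block" but the matrix does not show how that is reached. In Step 1, `/interface vlan add interface=bridge ...` creates the router-side VLAN interfaces, but nothing in the section enables `vlan-filtering=yes` on the bridge or populates `/interface bridge vlan` with the tagged trunk ports and untagged access ports, without which the trunks to the CSS326 and cAP ac will not carry tags.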
@@ -216,102 +261,72 @@ add interface=bridge name=vlan50-guest vlan-id=50
add address=192.168.10.1/24 interface=vlan10-mgmt add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.30.1/24 interface=vlan30-iot add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.35.1/24 interface=vlan35-cameras
add address=192.168.40.1/24 interface=vlan40-servers add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest add address=192.168.50.1/24 interface=vlan50-guest
``` ```
### 3. DHCP Servers ### 3. DHCP Pools
```routeros ```routeros
/ip pool /ip pool
add name=pool-trusted ranges=192.168.20.100-192.168.20.200 add name=pool-trusted ranges=192.168.20.100-192.168.20.220
add name=pool-iot ranges=192.168.30.100-192.168.30.200 add name=pool-iot ranges=192.168.30.100-192.168.30.220
add name=pool-cameras ranges=192.168.35.100-192.168.35.140
add name=pool-servers ranges=192.168.40.100-192.168.40.150 add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.200 add name=pool-guest ranges=192.168.50.100-192.168.50.200
/ip dhcp-server
add address-pool=pool-trusted interface=vlan20-trusted name=dhcp-trusted
add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot
add address-pool=pool-servers interface=vlan40-servers name=dhcp-servers
add address-pool=pool-guest interface=vlan50-guest name=dhcp-guest
``` ```
### 4. Inter-VLAN Firewall (Example) ### 4. Camera Geo-Blocking
```routeros ```routeros
/ip firewall address-list
add list=blocked-countries address=0.0.0.0/8 comment="CN/RU blocks - add actual ranges"
/ip firewall filter /ip firewall filter
# Allow established/related add chain=forward action=drop src-address=192.168.35.0/24 dst-address-list=blocked-countries
add chain=forward action=accept connection-state=established,related
# Management can access all
add chain=forward action=accept src-address=192.168.10.0/24
# Trusted to IoT
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24
# Trusted to Servers
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.40.0/24
# Block all other inter-VLAN
add chain=forward action=drop src-address=192.168.10.0/16 dst-address=192.168.10.0/16
``` ```
--- ---
## Migration Plan ## Migration Plan
### Phase 1: Preparation ### Phase 1: Preparation (No Downtime)
- [ ] Document all current static IPs - [ ] Document all static IPs and MAC addresses
- [ ] List all devices and target VLANs - [ ] Create device inventory with target VLANs
- [ ] Configure switch for VLAN trunking - [ ] Configure VLANs on MikroTik (inactive)
- [ ] Test VLAN setup on isolated port - [ ] Configure switch trunk ports
- [ ] Test on isolated port
### Phase 2: Infrastructure ### Phase 2: Infrastructure (Brief Downtime)
- [ ] Create VLANs on MikroTik - [ ] Create VLAN interfaces and IPs
- [ ] Configure DHCP per VLAN - [ ] Configure DHCP per VLAN
- [ ] Move Unraid to VLAN 10 (management) - [ ] Move Unraid management to VLAN 10
- [ ] Move AdGuard to VLAN 40 (servers) - [ ] Move AdGuard to VLAN 40
- [ ] Update DNS redirect rules - [ ] Update container networks
### Phase 3: Devices ### Phase 3: WiFi (Rolling)
- [ ] Configure WiFi SSIDs per VLAN - [ ] Create new SSIDs per VLAN
- [ ] Move trusted devices to VLAN 20 - [ ] Move personal devices to VLAN 20
- [ ] Move IoT devices to VLAN 30 - [ ] Move IoT devices to VLAN 30
- [ ] Test inter-VLAN access rules - [ ] Test mDNS/Bonjour relay
### Phase 4: Hardening ### Phase 4: Cameras & Security
- [ ] Implement firewall rules - [ ] Move cameras to VLAN 35
- [ ] Enable DNS enforcement per VLAN - [ ] Implement geo-blocking
- [ ] Set up guest captive portal (optional) - [ ] Test camera isolation
- [ ] Verify Trusted can view feeds
### Phase 5: Cleanup
- [ ] Implement all firewall rules
- [ ] Enable DNS enforcement
- [ ] Migrate remaining devices from VLAN 1
- [ ] Document final configuration - [ ] Document final configuration
- [ ] Deprecate VLAN 1 (keep for emergency)
--- ---
## Considerations ## Rollback Plan
### Pros If issues occur:
- Security isolation between device types 1. All devices can temporarily use VLAN 1 (legacy)
- Compromised IoT cannot access trusted devices 2. MikroTik remains accessible on 192.168.31.1
- Guest cannot snoop on internal traffic 3. Keep VLAN 1 DHCP active during transition
- Granular firewall control
- Better traffic management
### Cons
- Increased complexity
- mDNS/Bonjour requires relay configuration
- Some IoT devices may have issues
- Initial migration effort
### Services Requiring Special Attention
- **Plex:** Needs access from Trusted to Servers
- **Sonos/AirPlay:** Requires mDNS relay
- **Chromecast:** Needs multicast between VLANs
- **Printers:** May need access from multiple VLANs
---
## Questions to Decide
1. Should Management VLAN have internet access?
2. IoT device discovery - enable mDNS relay or use static configs?
3. Guest WiFi - captive portal or just password?
4. Camera VLAN - separate from IoT or combined?
5. Keep legacy 192.168.31.0/24 for transition period?
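Review bot: the address list in Step 4 is `0.0.0.0/8` with the comment "add actual ranges", so as committed the geo-block drops nothing useful; either include the country lists (and note they need periodic refresh) or, since the camera rules already state `No access to any other VLAN` and `firmware updates only`, replace it with a default drop for `src-address=192.168.35.0/24` preceded by explicit accepts (NVR, AdGuard on port 53, vendor update hosts). The previous Inter-VLAN Firewall example (established/related accept, Management accept, Trusted → IoT/Servers, final inter-VLAN drop) is gone from this section, so the firewall matrix now has no RouterOS implementation anywhere on the page; keep an example, but rewrite rather than reinstate it, because the old catch-all `add chain=forward action=drop src-address=192.168.10.0/16 dst-address=192.168.10.0/16` covers all of 192.168.0.0/16 and needs an accept for every new path (Trusted → NVR, IoT and Cameras → AdGuard :53) placed before it. The `/ip dhcp-server` block has no entry binding `pool-cameras` to `vlan35-cameras`, so VLAN 35 gets a pool but no DHCP server. Finally, the Rollback Plan should start with a configuration backup before Phase 2 (`/export file=pre-vlan` and `/system backup save name=pre-vlan`) and recommend applying bridge VLAN and firewall changes in Safe Mode; relying on VLAN 1 alone does not recover from a mis-tagged trunk port that locks the admin out of the router.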