diff --git a/docs/06-CHANGELOG.md b/docs/06-CHANGELOG.md index 4f0da78..1950c6e 100644 --- a/docs/06-CHANGELOG.md +++ b/docs/06-CHANGELOG.md @@ -1,5 +1,27 @@ # Infrastructure Changelog +## 2026-01-26 + +### VLAN Activation Attempt & Fixes +- [VLAN] Configured CSS326 switch VLANs via SwOS web interface +- [VLAN] Enabled VLAN filtering on MikroTik - caused internet outage +- [VLAN] Rolled back VLAN filtering to restore connectivity +- [VLAN] **ROOT CAUSE IDENTIFIED:** Multiple configuration issues + +### Issues Fixed +- [FIX] DHCP DNS now points to each VLAN gateway instead of legacy 192.168.31.1 + - VLAN 20: 192.168.20.1, VLAN 25: 192.168.25.1, etc. +- [FIX] Added DNS redirect rules for all VLANs (src-address-list=all-vlans) +- [FIX] Added all VLAN interfaces to LAN firewall interface list +- [FIX] Added NAT masquerade rules for VLAN traffic to AdGuard container +- [BACKUP] MikroTik config saved before activation attempt + +### Current Status +- MikroTik: Fully configured, fixes applied, ready for activation +- CSS326: VLANs configured, port assignments done +- VLAN Filtering: OFF (ready to enable when convenient) +- Next: Enable VLAN filtering + force DHCP renewal on devices + ## 2026-01-25 (Update 3) ### VLAN Phase 1 Complete diff --git a/docs/11-VLAN-IMPLEMENTATION.md b/docs/11-VLAN-IMPLEMENTATION.md index 73d095b..81bbe4b 100644 --- a/docs/11-VLAN-IMPLEMENTATION.md +++ b/docs/11-VLAN-IMPLEMENTATION.md @@ -1,7 +1,7 @@ # VLAN Network Segmentation -**Last Updated:** 2026-01-25 -**Status:** Phase 1 Complete - MikroTik Configured +**Last Updated:** 2026-01-26 +**Status:** Phase 1 Complete, Phase 2 Partial - CSS326 Configured, Awaiting Activation ## Overview 
@@ -21,163 +21,113 @@ Network segmentation using VLANs for security isolation between device types. | 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest network (internet only) | 7 | | **Total** | | | | | **44** | -## Current Status: PHASE 1 COMPLETE +## Current Status -### MikroTik hAP ax³ Configuration ✅ - -**Completed:** -- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest, including vlan25-kids) -- [x] IP addresses assigned to all VLAN interfaces -- [x] DHCP servers for each VLAN (7 servers) -- [x] DHCP pools configured (7 pools) -- [x] Static DHCP leases with MAC-to-IP mappings (44 devices) -- [x] Bridge VLAN table entries for all VLANs -- [x] WiFi ports PVID=20 (Trusted) +### MikroTik hAP ax³ ✅ READY +- [x] VLAN interfaces created (10, 20, 25, 30, 35, 40, 50) +- [x] IP addresses assigned to all VLANs +- [x] DHCP servers for each VLAN +- [x] DHCP pools configured +- [x] Static DHCP leases (44 devices) +- [x] Bridge VLAN table entries +- [x] **DHCP DNS set to each VLAN gateway** (fixed 2026-01-26) +- [x] **VLAN interfaces added to LAN list** (fixed 2026-01-26) +- [x] **DNS redirect rules for all VLANs** (fixed 2026-01-26) +- [x] **NAT masquerade for VLAN→AdGuard** (fixed 2026-01-26) - [x] Firewall rules for inter-VLAN isolation -- [x] Firewall address lists for all VLANs +- [ ] VLAN filtering enabled (PENDING - ready to activate) -**Pending:** -- [ ] VLAN filtering enabled on bridge (requires switch config first) +### CSS326 Switch ✅ CONFIGURED +- [x] VLAN mode enabled +- [x] VLANs created (1, 10, 20, 25, 30, 35, 40, 50) +- [x] Port 1 - Trunk to router (tagged all VLANs) +- [x] Port 2 - Access VLAN 10 (NanoKVM) +- [x] Port 17-18 - Access VLAN 25 (Kids rooms) +- [x] Port 19-21 - Access VLAN 20 (Main bedroom) +- [x] Port 22-24 - Access VLAN 30 (Living room) +- [x] SFP1 - Trunk to ZX1 (tagged all VLANs) -### CSS326 Switch Configuration ⏳ - -**Required before VLAN activation:** -- [ ] VLAN configuration via SwOS web interface -- [ ] Port assignments 
per device - -## Network Diagram - -``` -Internet - │ - ▼ -┌───────────────────────────────────────────────────────────┐ -│ MikroTik hAP ax³ │ -│ │ -│ Bridge (vlan-filtering=no) │ -│ ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged) │ -│ ├── vlan10-mgmt 192.168.10.1/24 (6 devices) │ -│ ├── vlan20-trusted 192.168.20.1/24 (9 devices) │ -│ ├── vlan25-kids 192.168.25.1/24 (6 devices) │ -│ ├── vlan30-iot 192.168.30.1/24 (14 devices) │ -│ ├── vlan35-cameras 192.168.35.1/24 (1 device) │ -│ ├── vlan40-servers 192.168.40.1/24 (1 device) │ -│ └── vlan50-guest 192.168.50.1/24 (7 devices) │ -│ │ -│ Ports: │ -│ ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs) │ -│ ├── hap-wifi1 → PVID=20 (untagged VLAN 20) │ -│ └── hap-wifi2 → PVID=20 (untagged VLAN 20) │ -└───────────────────────────────────────────────────────────┘ - │ - │ Trunk (VLANs 1,10,20,25,30,35,40,50) - ▼ -┌───────────────────────────────────────────────────────────┐ -│ CSS326-24G-2S+ │ -│ 192.168.31.9 (SwOS) │ -│ │ -│ Requires VLAN configuration via web interface │ -│ - Port 1: Uplink to MikroTik (Trunk) │ -│ - Other ports: Access ports per VLAN │ -└───────────────────────────────────────────────────────────┘ -``` - -## Bridge VLAN Table - -| VLAN | Tagged | Untagged | -|------|--------|----------| -| 1 | bridge, eth3_CSS326_Uplink | eth2, eth4, ether5 | -| 10 | bridge, eth3_CSS326_Uplink | - | -| 20 | bridge, eth3_CSS326_Uplink | hap-wifi1, hap-wifi2 | -| 25 | bridge, eth3_CSS326_Uplink | - | -| 30 | bridge, eth3_CSS326_Uplink | - | -| 35 | bridge, eth3_CSS326_Uplink | - | -| 40 | bridge, eth3_CSS326_Uplink | - | -| 50 | bridge, eth3_CSS326_Uplink | - | +### Backup Created ✅ +- MikroTik backup: `/mnt/user/appdata/backups/mikrotik/backup-before-vlan-filtering-20260125-213635.rsc` ## DHCP Configuration -| VLAN | Server | Pool | Range | Lease Time | -|------|--------|------|-------|------------| -| 10 | dhcp-mgmt | pool-mgmt | 192.168.10.100-200 | 30m | -| 20 | dhcp-trusted | pool-trusted | 192.168.20.100-220 | 30m | -| 
25 | dhcp-kids | pool-kids | 192.168.25.100-200 | 30m | -| 30 | dhcp-iot | pool-iot | 192.168.30.100-220 | 30m | -| 35 | dhcp-cameras | pool-cameras | 192.168.35.100-150 | 30m | -| 40 | dhcp-servers | pool-servers | 192.168.40.100-150 | 30m | -| 50 | dhcp-guest | pool-guest | 192.168.50.100-220 | 4h | +| VLAN | Server | Pool | DNS Server | Lease | +|------|--------|------|------------|-------| +| 10 | dhcp-mgmt | 192.168.10.100-200 | 192.168.10.1 | 30m | +| 20 | dhcp-trusted | 192.168.20.100-220 | 192.168.20.1 | 30m | +| 25 | dhcp-kids | 192.168.25.100-200 | 192.168.25.1 | 30m | +| 30 | dhcp-iot | 192.168.30.100-220 | 192.168.30.1 | 30m | +| 35 | dhcp-cameras | 192.168.35.100-150 | 192.168.35.1 | 30m | +| 40 | dhcp-servers | 192.168.40.100-150 | 192.168.40.1 | 30m | +| 50 | dhcp-guest | 192.168.50.100-220 | 192.168.50.1 | 4h | -## Static DHCP Leases Summary +**DNS Flow:** Device → VLAN Gateway → NAT Redirect → AdGuard (172.17.0.2) → Internet -| VLAN | Devices | Examples | -|------|---------|----------| -| 10 - Mgmt | 6 | CAP XL ac, CSS326, ZX1, AdGuard, NanoKVM, Unraid | -| 20 - Trusted | 9 | Nora MacBook, Kaloyan devices, family phones | -| 25 - Kids | 6 | Dancho iPhone/Windows, Kimi devices, XTRM-Ally | -| 30 - IoT | 14 | GREE AC, LG TVs, Bosch appliances, Tuya, Xiaomi | -| 35 - Cameras | 1 | Reolink Doorbell | -| 40 - Servers | 1 | HP LaserJet | -| 50 - Guest | 7 | Unknown/unidentified devices | +## Issues Fixed (2026-01-26) -## Firewall Rules (Active) - -Inter-VLAN firewall rules are configured: - -### Allow Rules -| Source | Destination | Access | -|--------|-------------|--------| -| Management (10) | All VLANs | Full access | -| Legacy (31) | All VLANs | Full access (transition) | -| Trusted (20) | IoT (30) | Full access | -| Trusted (20) | Cameras (35) | Ports 80,443,554,8080,8554 | -| Trusted (20) | Servers (40) | Full access | -| Trusted (20) | Legacy (31) | Full access | -| Kids (25) | IoT (30) | Full access | -| Kids (25) | Legacy (31) | Full access | 
-| IoT/Cameras/Guest/Kids | DNS | Port 53 to 192.168.31.1 | - -### Block Rules -| Source | Destination | Action | -|--------|-------------|--------| -| Guest (50) | All internal | Drop | -| Cameras (35) | All VLANs | Drop | -| IoT (30) | Management (10) | Drop | -| IoT (30) | Trusted (20) | Drop | - -## Activation Steps - -### Step 1: Configure CSS326 Switch (REQUIRED FIRST) - -Access SwOS at http://192.168.31.9 and configure: - -1. **Enable VLAN mode** -2. **Create VLANs:** 1, 10, 20, 25, 30, 35, 40, 50 -3. **Port 1 (Uplink to MikroTik):** Trunk mode, tagged all VLANs -4. **Other ports:** Access mode, assign PVID per connected device - -### Step 2: Enable VLAN Filtering on MikroTik +### Problem: Internet broke when VLAN filtering enabled +**Root Causes:** +1. DHCP DNS pointed to 192.168.31.1 (legacy) - unreachable from VLANs +2. DNS redirect rules only covered 192.168.31.0/24 +3. VLAN interfaces not in LAN firewall list +4. No NAT masquerade for VLAN→AdGuard traffic +**Fixes Applied:** ```routeros -# CAUTION: This may cause temporary connectivity loss -/interface bridge set [find name=bridge] vlan-filtering=yes +# 1. DHCP DNS now points to each VLAN gateway +/ip dhcp-server network set [find address=192.168.20.0/24] dns-server=192.168.20.1 +# ... repeated for all VLANs + +# 2. DNS redirect for all VLANs +/ip firewall nat add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address-list=all-vlans dst-port=53 + +# 3. VLAN interfaces in LAN list +/interface list member add list=LAN interface=vlan20-trusted +# ... repeated for all VLANs + +# 4. 
NAT masquerade for VLAN DNS +/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address-list=all-vlans dst-address=172.17.0.2 dst-port=53 ``` -### Step 3: Verify Connectivity +## Activation Steps (When Ready) -```bash -# From Unraid -ping 192.168.31.1 # MikroTik Legacy -ping 192.168.10.1 # MikroTik Mgmt VLAN -ping 8.8.8.8 # Internet +### Step 1: Enable VLAN Filtering +```routeros +/interface bridge set bridge vlan-filtering=yes ``` +### Step 2: Force DHCP Renewal on Devices +Devices need new IP from their VLAN DHCP: +- **Windows:** `ipconfig /release && ipconfig /renew` +- **Mac:** System Preferences → Network → Renew DHCP +- **Linux:** `sudo dhclient -r && sudo dhclient` +- **Phones/IoT:** Toggle WiFi off/on + ### Rollback (If Needed) - ```routeros -/interface bridge set [find name=bridge] vlan-filtering=no +/interface bridge set bridge vlan-filtering=no ``` +## CSS326 Port Assignment + +| Port | Connection | VLAN | Mode | +|------|------------|------|------| +| 1 | HAP1 Router | All | Trunk | +| 2 | NanoKVM | 10 | Access | +| 3-16 | Unused | - | - | +| 17 | Boys Room B2 | 25 | Access | +| 18 | Boys Room B1 | 25 | Access | +| 19 | Main Bedroom M1 | 20 | Access | +| 20 | Main Bedroom M2 | 20 | Access | +| 21 | Main Bedroom M3 | 20 | Access | +| 22 | Living Room L1 | 30 | Access | +| 23 | Living Room L2 | 30 | Access | +| 24 | Living Room L3 | 30 | Access | +| SFP1 | ZX1 10G | All | Trunk | +| SFP2 | Unused | - | - | + ## Related Documents -- [03-VLAN-DEVICE-ASSIGNMENT.md](03-VLAN-DEVICE-ASSIGNMENT.md) - Device inventory -- [04-VLAN-MIGRATION-PLAN.md](04-VLAN-MIGRATION-PLAN.md) - Migration phases +- [03-VLAN-DEVICE-ASSIGNMENT.md](03-VLAN-DEVICE-ASSIGNMENT.md) - Device inventory (44 devices) +- [04-VLAN-MIGRATION-PLAN.md](04-VLAN-MIGRATION-PLAN.md) - Original migration plan
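Review bot: the `[BACKUP] MikroTik config saved before activation attempt` entry in the 2026-01-26 block does not match the only backup named elsewhere in this diff, `backup-before-vlan-filtering-20260125-213635.rsc`, which is stamped 2026-01-25 21:36. If that is the file meant here, it predates the four fixes listed under "Issues Fixed", so restoring it would silently drop them; either move the entry into the 2026-01-25 block or take a fresh `/export` after the fixes and name that file here. The line "Rolled back VLAN filtering to restore connectivity" should also record how the router was reached during the outage (serial console, MAC-level WinBox, NanoKVM), because that is the recovery path the next activation attempt depends on.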
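Review bot: the new `**Status:**` line reads "Awaiting Activation" but gives no hint that activation was already attempted on 2026-01-26 and rolled back, which is the one fact a reader of this file most needs before trying again; add a short qualifier such as "(first attempt 2026-01-26 rolled back, see Issues Fixed)" to the status line.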
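Review bot: the hunk deletes the Allow Rules, Block Rules and Bridge VLAN tables without replacing them, and those tables are exactly what the new DNS design changes. With `/ip firewall nat add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 ...` in place, a client's query to its VLAN gateway is rewritten before the filter chains run, so it traverses `forward` toward 172.17.0.2, not `input`; the removed allow row "IoT/Cameras/Guest/Kids | DNS | Port 53 to 192.168.31.1" is therefore obsolete, and the forward chain must accept udp and tcp 53 from every VLAN to 172.17.0.2 ahead of the removed "Guest (50) | All internal | Drop" and "Cameras (35) | All VLANs | Drop" rules, or DNS will still fail for those VLANs after activation. Restore the tables with the updated rows rather than dropping them. Smaller points in the same hunk: (a) `src-address-list=all-vlans` is used by both new NAT rules, but the list's members appear in neither document and the old "[x] Firewall address lists for all VLANs" checkbox was removed; list the subnets it contains (and whether 192.168.31.0/24 is among them) so the redirect scope can be reviewed. (b) Both NAT rules match `protocol=udp` only, so DNS over TCP from a VLAN client (truncated or large responses) is not redirected to AdGuard and either bypasses its filtering or is dropped; add matching `protocol=tcp` rules for dstnat and srcnat. (c) `action=masquerade` toward 172.17.0.2 makes every query arrive at AdGuard with the router's address as source, so AdGuard's per-client query log and per-client rules can no longer distinguish VLANs; a sentence on the "DNS Flow" line would stop that from being diagnosed as a bug later. (d) In the DHCP table the "Pool" column now holds address ranges, not pool names; rename it "Range" or put `pool-mgmt` etc. back. (e) Step 1 enables filtering with a bare `/interface bridge set bridge vlan-filtering=yes`; since the last attempt caused an outage, run it from Safe Mode (Ctrl+X in the RouterOS terminal) or add a `/system scheduler` entry that sets `vlan-filtering=no` a few minutes later and remove it once management access is confirmed, keeping the NanoKVM on port 2 / VLAN 10 as the out-of-band path.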