jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

VLAN: Fixed DNS/NAT issues, ready for activation
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source 
Issues fixed after first activation attempt:
- DHCP DNS now points to each VLAN gateway
- DNS redirect rules cover all VLANs
- VLAN interfaces added to LAN firewall list
- NAT masquerade for VLAN→AdGuard traffic

CSS326 switch configured via SwOS.
MikroTik backup saved.
Ready to enable VLAN filtering when convenient.
This commit is contained in:
XTRM-Unraid
2026-01-26 13:38:26 +02:00
parent a022d49c78
commit 5982e4c444
2 changed files with 111 additions and 139 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
docs/06-CHANGELOG.md
View File

@@ -1,5 +1,27 @@
# Infrastructure Changelog # Infrastructure Changelog
## 2026-01-26
### VLAN Activation Attempt & Fixes
- [VLAN] Configured CSS326 switch VLANs via SwOS web interface
- [VLAN] Enabled VLAN filtering on MikroTik - caused internet outage
- [VLAN] Rolled back VLAN filtering to restore connectivity
- [VLAN] **ROOT CAUSE IDENTIFIED:** Multiple configuration issues
### Issues Fixed
- [FIX] DHCP DNS now points to each VLAN gateway instead of legacy 192.168.31.1
- VLAN 20: 192.168.20.1, VLAN 25: 192.168.25.1, etc.
- [FIX] Added DNS redirect rules for all VLANs (src-address-list=all-vlans)
- [FIX] Added all VLAN interfaces to LAN firewall interface list
- [FIX] Added NAT masquerade rules for VLAN traffic to AdGuard container
- [BACKUP] MikroTik config saved before activation attempt
### Current Status
- MikroTik: Fully configured, fixes applied, ready for activation
- CSS326: VLANs configured, port assignments done
- VLAN Filtering: OFF (ready to enable when convenient)
- Next: Enable VLAN filtering + force DHCP renewal on devices
## 2026-01-25 (Update 3) ## 2026-01-25 (Update 3)
### VLAN Phase 1 Complete ### VLAN Phase 1 Complete

228
docs/11-VLAN-IMPLEMENTATION.md
View File

@@ -1,7 +1,7 @@
# VLAN Network Segmentation # VLAN Network Segmentation
**Last Updated:** 2026-01-25 **Last Updated:** 2026-01-26
**Status:** Phase 1 Complete - MikroTik Configured **Status:** Phase 1 Complete, Phase 2 Partial - CSS326 Configured, Awaiting Activation
## Overview ## Overview
@@ -21,163 +21,113 @@ Network segmentation using VLANs for security isolation between device types.
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest network (internet only) | 7 | | 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest network (internet only) | 7 |
| **Total** | | | | | **44** | | **Total** | | | | | **44** |
## Current Status: PHASE 1 COMPLETE ## Current Status
### MikroTik hAP ax³ Configuration ✅ ### MikroTik hAP ax³ ✅ READY
- [x] VLAN interfaces created (10, 20, 25, 30, 35, 40, 50)
**Completed:** - [x] IP addresses assigned to all VLANs
- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest, including vlan25-kids) - [x] DHCP servers for each VLAN
- [x] IP addresses assigned to all VLAN interfaces - [x] DHCP pools configured
- [x] DHCP servers for each VLAN (7 servers) - [x] Static DHCP leases (44 devices)
- [x] DHCP pools configured (7 pools) - [x] Bridge VLAN table entries
- [x] Static DHCP leases with MAC-to-IP mappings (44 devices) - [x] **DHCP DNS set to each VLAN gateway** (fixed 2026-01-26)
- [x] Bridge VLAN table entries for all VLANs - [x] **VLAN interfaces added to LAN list** (fixed 2026-01-26)
- [x] WiFi ports PVID=20 (Trusted) - [x] **DNS redirect rules for all VLANs** (fixed 2026-01-26)
- [x] **NAT masquerade for VLAN→AdGuard** (fixed 2026-01-26)
- [x] Firewall rules for inter-VLAN isolation - [x] Firewall rules for inter-VLAN isolation
- [x] Firewall address lists for all VLANs - [ ] VLAN filtering enabled (PENDING - ready to activate)
**Pending:** ### CSS326 Switch ✅ CONFIGURED
- [ ] VLAN filtering enabled on bridge (requires switch config first) - [x] VLAN mode enabled
- [x] VLANs created (1, 10, 20, 25, 30, 35, 40, 50)
- [x] Port 1 - Trunk to router (tagged all VLANs)
- [x] Port 2 - Access VLAN 10 (NanoKVM)
- [x] Port 17-18 - Access VLAN 25 (Kids rooms)
- [x] Port 19-21 - Access VLAN 20 (Main bedroom)
- [x] Port 22-24 - Access VLAN 30 (Living room)
- [x] SFP1 - Trunk to ZX1 (tagged all VLANs)
### CSS326 Switch Configuration ⏳ ### Backup Created ✅
- MikroTik backup: `/mnt/user/appdata/backups/mikrotik/backup-before-vlan-filtering-20260125-213635.rsc`
**Required before VLAN activation:**
- [ ] VLAN configuration via SwOS web interface
- [ ] Port assignments per device
## Network Diagram
```
Internet
┌───────────────────────────────────────────────────────────┐
│ MikroTik hAP ax³ │
│ │
│ Bridge (vlan-filtering=no) │
│ ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged) │
│ ├── vlan10-mgmt 192.168.10.1/24 (6 devices) │
│ ├── vlan20-trusted 192.168.20.1/24 (9 devices) │
│ ├── vlan25-kids 192.168.25.1/24 (6 devices) │
│ ├── vlan30-iot 192.168.30.1/24 (14 devices) │
│ ├── vlan35-cameras 192.168.35.1/24 (1 device) │
│ ├── vlan40-servers 192.168.40.1/24 (1 device) │
│ └── vlan50-guest 192.168.50.1/24 (7 devices) │
│ │
│ Ports: │
│ ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs) │
│ ├── hap-wifi1 → PVID=20 (untagged VLAN 20) │
│ └── hap-wifi2 → PVID=20 (untagged VLAN 20) │
└───────────────────────────────────────────────────────────┘
│ Trunk (VLANs 1,10,20,25,30,35,40,50)
┌───────────────────────────────────────────────────────────┐
│ CSS326-24G-2S+ │
│ 192.168.31.9 (SwOS) │
│ │
│ Requires VLAN configuration via web interface │
│ - Port 1: Uplink to MikroTik (Trunk) │
│ - Other ports: Access ports per VLAN │
└───────────────────────────────────────────────────────────┘
```
## Bridge VLAN Table
| VLAN | Tagged | Untagged |
|------|--------|----------|
| 1 | bridge, eth3_CSS326_Uplink | eth2, eth4, ether5 |
| 10 | bridge, eth3_CSS326_Uplink | - |
| 20 | bridge, eth3_CSS326_Uplink | hap-wifi1, hap-wifi2 |
| 25 | bridge, eth3_CSS326_Uplink | - |
| 30 | bridge, eth3_CSS326_Uplink | - |
| 35 | bridge, eth3_CSS326_Uplink | - |
| 40 | bridge, eth3_CSS326_Uplink | - |
| 50 | bridge, eth3_CSS326_Uplink | - |
## DHCP Configuration ## DHCP Configuration
| VLAN | Server | Pool | Range | Lease Time | | VLAN | Server | Pool | DNS Server | Lease |
|------|--------|------|-------|------------| |------|--------|------|------------|-------|
| 10 | dhcp-mgmt | pool-mgmt | 192.168.10.100-200 | 30m | | 10 | dhcp-mgmt | 192.168.10.100-200 | 192.168.10.1 | 30m |
| 20 | dhcp-trusted | pool-trusted | 192.168.20.100-220 | 30m | | 20 | dhcp-trusted | 192.168.20.100-220 | 192.168.20.1 | 30m |
| 25 | dhcp-kids | pool-kids | 192.168.25.100-200 | 30m | | 25 | dhcp-kids | 192.168.25.100-200 | 192.168.25.1 | 30m |
| 30 | dhcp-iot | pool-iot | 192.168.30.100-220 | 30m | | 30 | dhcp-iot | 192.168.30.100-220 | 192.168.30.1 | 30m |
| 35 | dhcp-cameras | pool-cameras | 192.168.35.100-150 | 30m | | 35 | dhcp-cameras | 192.168.35.100-150 | 192.168.35.1 | 30m |
| 40 | dhcp-servers | pool-servers | 192.168.40.100-150 | 30m | | 40 | dhcp-servers | 192.168.40.100-150 | 192.168.40.1 | 30m |
| 50 | dhcp-guest | pool-guest | 192.168.50.100-220 | 4h | | 50 | dhcp-guest | 192.168.50.100-220 | 192.168.50.1 | 4h |
## Static DHCP Leases Summary **DNS Flow:** Device → VLAN Gateway → NAT Redirect → AdGuard (172.17.0.2) → Internet
| VLAN | Devices | Examples | ## Issues Fixed (2026-01-26)
|------|---------|----------|
| 10 - Mgmt | 6 | CAP XL ac, CSS326, ZX1, AdGuard, NanoKVM, Unraid |
| 20 - Trusted | 9 | Nora MacBook, Kaloyan devices, family phones |
| 25 - Kids | 6 | Dancho iPhone/Windows, Kimi devices, XTRM-Ally |
| 30 - IoT | 14 | GREE AC, LG TVs, Bosch appliances, Tuya, Xiaomi |
| 35 - Cameras | 1 | Reolink Doorbell |
| 40 - Servers | 1 | HP LaserJet |
| 50 - Guest | 7 | Unknown/unidentified devices |
## Firewall Rules (Active) ### Problem: Internet broke when VLAN filtering enabled
**Root Causes:**
Inter-VLAN firewall rules are configured: 1. DHCP DNS pointed to 192.168.31.1 (legacy) - unreachable from VLANs
2. DNS redirect rules only covered 192.168.31.0/24
### Allow Rules 3. VLAN interfaces not in LAN firewall list
| Source | Destination | Access | 4. No NAT masquerade for VLAN→AdGuard traffic
|--------|-------------|--------|
| Management (10) | All VLANs | Full access |
| Legacy (31) | All VLANs | Full access (transition) |
| Trusted (20) | IoT (30) | Full access |
| Trusted (20) | Cameras (35) | Ports 80,443,554,8080,8554 |
| Trusted (20) | Servers (40) | Full access |
| Trusted (20) | Legacy (31) | Full access |
| Kids (25) | IoT (30) | Full access |
| Kids (25) | Legacy (31) | Full access |
| IoT/Cameras/Guest/Kids | DNS | Port 53 to 192.168.31.1 |
### Block Rules
| Source | Destination | Action |
|--------|-------------|--------|
| Guest (50) | All internal | Drop |
| Cameras (35) | All VLANs | Drop |
| IoT (30) | Management (10) | Drop |
| IoT (30) | Trusted (20) | Drop |
## Activation Steps
### Step 1: Configure CSS326 Switch (REQUIRED FIRST)
Access SwOS at http://192.168.31.9 and configure:
1. **Enable VLAN mode**
2. **Create VLANs:** 1, 10, 20, 25, 30, 35, 40, 50
3. **Port 1 (Uplink to MikroTik):** Trunk mode, tagged all VLANs
4. **Other ports:** Access mode, assign PVID per connected device
### Step 2: Enable VLAN Filtering on MikroTik
**Fixes Applied:**
```routeros ```routeros
# CAUTION: This may cause temporary connectivity loss # 1. DHCP DNS now points to each VLAN gateway
/interface bridge set [find name=bridge] vlan-filtering=yes /ip dhcp-server network set [find address=192.168.20.0/24] dns-server=192.168.20.1
# ... repeated for all VLANs
# 2. DNS redirect for all VLANs
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address-list=all-vlans dst-port=53
# 3. VLAN interfaces in LAN list
/interface list member add list=LAN interface=vlan20-trusted
# ... repeated for all VLANs
# 4. NAT masquerade for VLAN DNS
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address-list=all-vlans dst-address=172.17.0.2 dst-port=53
``` ```
### Step 3: Verify Connectivity ## Activation Steps (When Ready)
```bash ### Step 1: Enable VLAN Filtering
# From Unraid ```routeros
ping 192.168.31.1 # MikroTik Legacy /interface bridge set bridge vlan-filtering=yes
ping 192.168.10.1 # MikroTik Mgmt VLAN
ping 8.8.8.8 # Internet
``` ```
### Step 2: Force DHCP Renewal on Devices
Devices need new IP from their VLAN DHCP:
- **Windows:** `ipconfig /release && ipconfig /renew`
- **Mac:** System Preferences → Network → Renew DHCP
- **Linux:** `sudo dhclient -r && sudo dhclient`
- **Phones/IoT:** Toggle WiFi off/on
### Rollback (If Needed) ### Rollback (If Needed)
```routeros ```routeros
/interface bridge set [find name=bridge] vlan-filtering=no /interface bridge set bridge vlan-filtering=no
``` ```
## CSS326 Port Assignment
| Port | Connection | VLAN | Mode |
|------|------------|------|------|
| 1 | HAP1 Router | All | Trunk |
| 2 | NanoKVM | 10 | Access |
| 3-16 | Unused | - | - |
| 17 | Boys Room B2 | 25 | Access |
| 18 | Boys Room B1 | 25 | Access |
| 19 | Main Bedroom M1 | 20 | Access |
| 20 | Main Bedroom M2 | 20 | Access |
| 21 | Main Bedroom M3 | 20 | Access |
| 22 | Living Room L1 | 30 | Access |
| 23 | Living Room L2 | 30 | Access |
| 24 | Living Room L3 | 30 | Access |
| SFP1 | ZX1 10G | All | Trunk |
| SFP2 | Unused | - | - |
## Related Documents ## Related Documents
- [03-VLAN-DEVICE-ASSIGNMENT.md](03-VLAN-DEVICE-ASSIGNMENT.md) - Device inventory - [03-VLAN-DEVICE-ASSIGNMENT.md](03-VLAN-DEVICE-ASSIGNMENT.md) - Device inventory (44 devices)
- [04-VLAN-MIGRATION-PLAN.md](04-VLAN-MIGRATION-PLAN.md) - Migration phases - [04-VLAN-MIGRATION-PLAN.md](04-VLAN-MIGRATION-PLAN.md) - Original migration plan