From 72d4f52637b6b7236e6d2847528d6af0c2599278 Mon Sep 17 00:00:00 2001 From: jazzymc Date: Sun, 18 Jan 2026 22:20:17 +0200 Subject: [PATCH] Add VLAN segmentation plan and CSS326 switch documentation - Created 10-VLAN-NETWORK-SEGMENTATION.md with full VLAN plan - Added CSS326-24G-2S+ SwOS switch to 00-CURRENT-STATE.md - Documented switch credentials and web UI access - Proposed 4 VLANs: Secure (10), IoT (20), Kids (30), Guest (40) - Included cross-VLAN solution for S25 accessing IoT devices - Added SwOS configuration steps for port VLAN assignments Co-Authored-By: Claude Opus 4.5 --- docs/00-CURRENT-STATE.md | 14 + docs/10-VLAN-NETWORK-SEGMENTATION.md | 444 +++++++++++++++++++++++++++ 2 files changed, 458 insertions(+) create mode 100644 docs/10-VLAN-NETWORK-SEGMENTATION.md diff --git a/docs/00-CURRENT-STATE.md b/docs/00-CURRENT-STATE.md index 1ec8c8b..a1cadc2 100644 --- a/docs/00-CURRENT-STATE.md +++ b/docs/00-CURRENT-STATE.md @@ -35,6 +35,20 @@ | pihole:latest | 172.17.0.2 | DNS sinkhole (Pi-hole v6) | | unbound:latest | 172.17.0.3 | Recursive DNS resolver | +### MikroTik CSS326-24G-2S+ Switch (192.168.31.9) + +| Parameter | Value | +|-----------|-------| +| Role | Managed Layer 2 Switch | +| Model | CSS326-24G-2S+ | +| Ports | 24x Gigabit + 2x SFP | +| OS | SwOS (MikroTik Switch OS) | +| Web UI | http://192.168.31.9/index.html | +| Username | admin | +| Password | M0stW4nt3d@xtrm | + +**Uplink:** Connected to hAP ax³ via eth4_CCS324_Uplink + ### MikroTik cAP ac (192.168.31.6) | Parameter | Value | diff --git a/docs/10-VLAN-NETWORK-SEGMENTATION.md b/docs/10-VLAN-NETWORK-SEGMENTATION.md new file mode 100644 index 0000000..50bf91e --- /dev/null +++ b/docs/10-VLAN-NETWORK-SEGMENTATION.md 
@@ -0,0 +1,444 @@ +# VLAN Network Segmentation Plan + +**Document Created:** 2026-01-18 +**Status:** PLANNING + +--- + +## Current Network Analysis + +### Network Devices +| Device | IP | Role | +|--------|-----|------| +| MikroTik hAP ax³ | 192.168.31.1 | Router, CAPsMAN, VLAN gateway | +| CSS326-24G-2S+ | 192.168.31.9 | Managed switch (24 port + 2 SFP) | +| cAP ac | 192.168.31.6 | Managed AP (CAPsMAN) | + +### Current Device Inventory + +**Secure Devices (should be isolated):** +| Device | IP | MAC | Notes | +|--------|-----|-----|-------| +| Unraid Server | 192.168.31.2 | - | Main server | +| Nobara PC (LAN) | 192.168.31.95 | 08:92:04:C6:07:C5 | xtrm-pc via Dell KVM | +| Nobara PC (WiFi) | 192.168.31.142 | 22:4C:7F:1D:85:8E | xtrm-pc | +| Game Machine | 192.168.31.97 | 1C:83:41:32:F3:AF | xtrm-pc | +| Kaloyan MacBook (WiFi) | 192.168.31.99 | 82:EC:EF:B5:F2:AF | Mac | +| Kaloyan S25 Ultra | 192.168.31.98 | AA:ED:8B:2A:40:F1 | S25-Ultra | +| Unraid KVM | 192.168.31.20 | 48:DA:35:6F:BE:50 | KVM access | + +**IoT Devices:** +| Device | IP | MAC | Notes | +|--------|-----|-----|-------| +| Home Assistant | 192.168.31.102 | AC:87:A3:77:8F:BD | Smart home hub | +| Chromecast | 192.168.31.134 | D0:E7:82:F7:65:DD | Streaming | +| Roborock S7 | 192.168.31.104 | B0:4A:39:3F:9A:14 | Vacuum | +| Bosch Smart Oven | 192.168.31.105 | 94:27:70:1E:0C:EE | Kitchen | +| Reolink Doorbell | 192.168.31.68 | 48:9E:9D:0E:16:F7 | Security | +| HP LaserJet | 192.168.31.19 | 64:4E:D7:D8:43:3E | Printer | +| Unknown IoT 1 | 192.168.31.109 | D0:C9:07:92:1A:8E | Tuya? | +| Unknown IoT 2 | 192.168.31.110 | D0:C9:07:8C:C9:46 | Tuya? | +| Unknown IoT 3 | 192.168.31.113 | 38:1F:8D:04:6F:E4 | Tuya? | +| Unknown IoT 4 | 192.168.31.149 | D4:AD:FC:BE:13:B0 | Smart device? 
| +| lwip0 devices | 192.168.31.100-101 | 38:A5:C9:44:7B:xx | ESP/Tuya | + +**Kids/Guest Devices:** +| Device | IP | MAC | Notes | +|--------|-----|-----|-------| +| Nora MacBook | 192.168.31.79 | 82:6D:FB:D9:E0:47 | MacBookAir | +| Kimi Notebook | 192.168.31.108 | 90:91:64:70:0D:86 | Kimi-Notebook | +| Kimi iPhone | 192.168.31.121 | 2A:2B:BA:86:D4:AF | iPhone | +| Dancho iPhone | 192.168.31.114 | F2:B8:14:61:C8:27 | iPhone | +| Compusbg iPad | 192.168.31.107 | A4:D1:D2:7B:52:BE | iPad | + +--- + +## Proposed VLAN Architecture + +### VLAN Assignments + +| VLAN ID | Name | Subnet | Gateway | Purpose | +|---------|------|--------|---------|---------| +| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Network infrastructure only | +| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers | +| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras, IoT | +| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices | +| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi | + +### WiFi SSID to VLAN Mapping + +| SSID | VLAN | Security | Purpose | +|------|------|----------|---------| +| XTRM | 10 (Secure) | WPA2/WPA3 | Main network for trusted devices | +| XTRM-IoT | 20 (IoT) | WPA2 | IoT devices | +| XTRM-Kids | 30 (Kids) | WPA2 | Kids devices | +| XTRM-Guest | 40 (Guest) | WPA2 | Guest access | + +--- + +## The S25 Challenge: Cross-VLAN Access + +### Requirements +Your S25 needs to: +1. Be in Secure VLAN (192.168.10.x) for server management +2. Discover and cast to Chromecast (IoT VLAN) +3. Control Tuya smart devices +4. 
Access Home Assistant + +### Solution Architecture + +``` +┌─────────────────────────────────────────────────────────────────────┐ +│ VLAN 10 (Secure) │ +│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ +│ │ Unraid │ │ Nobara │ │ MacBook │ │ S25 │ │ +│ │ Server │ │ PC │ │ │ │ Ultra │ │ +│ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ │ +│ │ │ │ │ │ +└───────┼────────────┼────────────┼────────────┼───────────────────────┘ + │ │ │ │ + │ │ │ │ Firewall Rules + + │ │ │ │ mDNS Reflector + │ │ │ ▼ +┌───────┼────────────┼────────────┼────────────────────────────────────┐ +│ │ │ │ VLAN 20 (IoT) │ +│ │ │ │ │ +│ ┌────▼────┐ ┌────┴────┐ ┌───┴────┐ ┌──────────┐ ┌───────────┐ │ +│ │ Home │ │ Printer │ │Chromec.│ │ Tuya │ │ Roborock │ │ +│ │Assistant│◄─┤ │ │ TV │ │ Devices │ │ S7 │ │ +│ └─────────┘ └─────────┘ └────────┘ └──────────┘ └───────────┘ │ +│ ▲ │ +│ │ Controls all IoT │ +└───────┼──────────────────────────────────────────────────────────────┘ + │ + HA manages IoT locally, + accessible from Secure VLAN +``` + +### Cross-VLAN Solutions + +#### 1. Home Assistant as IoT Bridge (Recommended) +- Home Assistant stays in **IoT VLAN** (can directly communicate with IoT devices) +- Firewall allows Secure VLAN → Home Assistant (port 8123) +- S25 controls everything through Home Assistant UI +- No direct IoT access from S25, but full control via HA + +#### 2. mDNS Reflector for Chromecast Discovery +MikroTik can reflect mDNS between VLANs: +``` +/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20 +``` +This allows S25 to discover Chromecast for casting. + +#### 3. 
Firewall Rules for Casting +Allow specific traffic from Secure → IoT: +``` +# Allow Chromecast (mDNS + casting ports) +/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \ + dst-address=192.168.20.0/24 dst-port=8008,8009,8443 protocol=tcp action=accept +/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \ + dst-address=192.168.20.0/24 dst-port=32768-61000 protocol=udp action=accept + +# Allow Home Assistant access +/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \ + dst-address=192.168.20.102 dst-port=8123 protocol=tcp action=accept +``` + +#### 4. Tuya Devices (Cloud-Based) +Tuya devices communicate via cloud, so they work from any VLAN with internet access. No special rules needed. + +--- + +## Implementation Plan + +### Phase 1: Router Configuration + +#### 1.1 Create VLAN Interfaces +``` +/interface/vlan/add name=vlan10-secure interface=bridge vlan-id=10 +/interface/vlan/add name=vlan20-iot interface=bridge vlan-id=20 +/interface/vlan/add name=vlan30-kids interface=bridge vlan-id=30 +/interface/vlan/add name=vlan40-guest interface=bridge vlan-id=40 +``` + +#### 1.2 Assign IP Addresses +``` +/ip/address/add address=192.168.10.1/24 interface=vlan10-secure +/ip/address/add address=192.168.20.1/24 interface=vlan20-iot +/ip/address/add address=192.168.30.1/24 interface=vlan30-kids +/ip/address/add address=192.168.40.1/24 interface=vlan40-guest +``` + +#### 1.3 Create DHCP Servers +``` +/ip/pool/add name=pool-secure ranges=192.168.10.100-192.168.10.200 +/ip/pool/add name=pool-iot ranges=192.168.20.100-192.168.20.200 +/ip/pool/add name=pool-kids ranges=192.168.30.100-192.168.30.200 +/ip/pool/add name=pool-guest ranges=192.168.40.100-192.168.40.200 + +/ip/dhcp-server/add name=dhcp-secure interface=vlan10-secure address-pool=pool-secure +/ip/dhcp-server/add name=dhcp-iot interface=vlan20-iot address-pool=pool-iot +/ip/dhcp-server/add name=dhcp-kids interface=vlan30-kids address-pool=pool-kids +/ip/dhcp-server/add 
name=dhcp-guest interface=vlan40-guest address-pool=pool-guest + +/ip/dhcp-server/network/add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.31.4 +/ip/dhcp-server/network/add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.31.4 +/ip/dhcp-server/network/add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.4 +/ip/dhcp-server/network/add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.31.4 +``` + +### Phase 2: Bridge VLAN Filtering + +#### 2.1 Enable VLAN Filtering +``` +/interface/bridge/set bridge vlan-filtering=yes +``` + +#### 2.2 Configure Bridge VLANs +``` +/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=10 +/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=20 +/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=30 +/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=40 +``` + +### Phase 3: Switch Configuration (CSS326-24G-2S+ SwOS) + +**Switch Access:** +- Web UI: http://192.168.31.9/index.html +- Model: CSS326-24G-2S+ (24 Gigabit ports + 2 SFP) +- OS: SwOS (MikroTik Switch OS) +- Username: `admin` +- Password: `M0stW4nt3d@xtrm` + +#### 3.1 SwOS VLAN Configuration + +Access the switch at http://192.168.31.9 and configure: + +**Step 1: Enable VLAN Mode** +- Go to **VLAN** tab +- Set VLAN Mode to **Enabled** + +**Step 2: Create VLANs** +| VLAN ID | Name | +|---------|------| +| 1 | Management | +| 10 | Secure | +| 20 | IoT | +| 30 | Kids | +| 40 | Guest | + +**Step 3: Port VLAN Assignments** + +| Port | Device | VLAN Mode | VLAN ID | Tagged VLANs | +|------|--------|-----------|---------|--------------| +| 1 | Uplink to hAP ax³ | Trunk | 1 | 10,20,30,40 | +| 2 | Unraid Server | Access | 10 | - | +| 3 | Nobara PC (LAN) | Access | 10 | - | +| 4 | Game Machine | Access | 10 | - | +| 5-8 | Reserved Secure | Access | 10 | - | +| 9-16 | IoT Devices | Access | 20 | - | +| 
17-20 | Kids Devices | Access | 30 | - | +| 21-24 | Guest/Unused | Access | 40 | - | +| SFP1 | Unused | - | - | - | +| SFP2 | Unused | - | - | - | + +**Step 4: PVID Settings** +For each access port, set PVID (Port VLAN ID) to match the access VLAN. + +**Step 5: Uplink Port Configuration** +Port 1 (uplink to router) must be configured as trunk: +- VLAN Receive: Any +- Default VLAN ID: 1 +- Tagged VLANs: 10, 20, 30, 40 +- Force VLAN ID: No + +#### 3.2 SwOS Web Interface Navigation + +``` +┌─────────────────────────────────────────────────────────┐ +│ CSS326-24G-2S+ SwOS │ +├─────────────────────────────────────────────────────────┤ +│ Tabs: Link | VLAN | VLANs | Isolation | Statistics │ +│ │ +│ VLAN Tab: │ +│ ┌─────┬──────────┬──────┬────────┬─────────┐ │ +│ │Port │VLAN Mode │ PVID │ Tagged │ Untagged│ │ +│ ├─────┼──────────┼──────┼────────┼─────────┤ │ +│ │ 1 │ Trunk │ 1 │10,20,30│ 1 │ │ +│ │ 2 │ Access │ 10 │ - │ 10 │ │ +│ │ ... │ ... │ ... │ ... │ ... │ │ +│ └─────┴──────────┴──────┴────────┴─────────┘ │ +└─────────────────────────────────────────────────────────┘ +``` + +#### 3.3 Current Port Mapping (TO BE FILLED) + +**Please identify which device is connected to which switch port:** + +| Port | Cable Color/Label | Connected Device | +|------|-------------------|------------------| +| 1 | | Uplink to hAP ax³ (eth4_CCS324_Uplink) | +| 2 | | | +| 3 | | | +| 4 | | | +| 5 | | | +| 6 | | | +| 7 | | | +| 8 | | | +| 9 | | | +| 10 | | | +| 11 | | | +| 12 | | | +| ... | | | + +> **Note:** You can identify ports by checking the **Link** tab in SwOS - it shows which ports have active links and their speed. 
+ +### Phase 4: WiFi VLAN Configuration + +#### 4.1 Create WiFi Configurations +``` +/interface/wifi/configuration/add name=cfg-secure ssid="XTRM" \ + security.authentication-types=wpa2-psk,wpa3-psk \ + security.passphrase="M0stW4nt3d@home" \ + datapath.bridge=bridge datapath.vlan-id=10 + +/interface/wifi/configuration/add name=cfg-iot ssid="XTRM-IoT" \ + security.authentication-types=wpa2-psk \ + security.passphrase="M0stW4nt3d@IoT" \ + datapath.bridge=bridge datapath.vlan-id=20 + +/interface/wifi/configuration/add name=cfg-kids ssid="XTRM-Kids" \ + security.authentication-types=wpa2-psk \ + security.passphrase="KidsPassword123" \ + datapath.bridge=bridge datapath.vlan-id=30 + +/interface/wifi/configuration/add name=cfg-guest ssid="XTRM-Guest" \ + security.authentication-types=wpa2-psk \ + security.passphrase="GuestPassword123" \ + datapath.bridge=bridge datapath.vlan-id=40 +``` + +### Phase 5: Firewall Rules + +#### 5.1 Inter-VLAN Firewall +``` +# Allow established/related +/ip/firewall/filter/add chain=forward connection-state=established,related action=accept + +# Secure VLAN can access everything (management) +/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 action=accept + +# IoT VLAN - Internet only, no inter-VLAN +/ip/firewall/filter/add chain=forward src-address=192.168.20.0/24 dst-address=!192.168.0.0/16 action=accept + +# Kids VLAN - Internet only +/ip/firewall/filter/add chain=forward src-address=192.168.30.0/24 dst-address=!192.168.0.0/16 action=accept + +# Guest VLAN - Internet only, strict isolation +/ip/firewall/filter/add chain=forward src-address=192.168.40.0/24 dst-address=!192.168.0.0/16 action=accept + +# Drop all other inter-VLAN traffic +/ip/firewall/filter/add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop +``` + +#### 5.2 Special Rules for Casting/mDNS +``` +# Allow Secure to access Chromecast +/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 \ + dst-address=192.168.20.0/24 
dst-port=8008,8009,8443 protocol=tcp action=accept \ + comment="Chromecast from Secure" + +# Allow mDNS (for device discovery) +/ip/firewall/filter/add chain=input dst-port=5353 protocol=udp action=accept comment="mDNS" +/ip/firewall/filter/add chain=forward dst-port=5353 protocol=udp action=accept comment="mDNS forward" +``` + +--- + +## Static IP Reservations (New Subnets) + +### VLAN 10 - Secure (192.168.10.0/24) +| Device | IP | MAC | +|--------|-----|-----| +| Unraid Server | 192.168.10.2 | (current MAC) | +| Pi-hole (Unraid) | 192.168.10.4 | (current MAC) | +| Unbound (Unraid) | 192.168.10.5 | (current MAC) | +| Nobara PC (LAN) | 192.168.10.10 | 08:92:04:C6:07:C5 | +| Nobara PC (WiFi) | 192.168.10.11 | 22:4C:7F:1D:85:8E | +| Game Machine | 192.168.10.12 | 1C:83:41:32:F3:AF | +| MacBook (Kaloyan) | 192.168.10.15 | 82:EC:EF:B5:F2:AF | +| S25 Ultra | 192.168.10.20 | AA:ED:8B:2A:40:F1 | + +### VLAN 20 - IoT (192.168.20.0/24) +| Device | IP | MAC | +|--------|-----|-----| +| Home Assistant | 192.168.20.2 | AC:87:A3:77:8F:BD | +| Chromecast | 192.168.20.10 | D0:E7:82:F7:65:DD | +| Roborock S7 | 192.168.20.11 | B0:4A:39:3F:9A:14 | +| Bosch Oven | 192.168.20.12 | 94:27:70:1E:0C:EE | +| Reolink Doorbell | 192.168.20.13 | 48:9E:9D:0E:16:F7 | +| HP Printer | 192.168.20.20 | 64:4E:D7:D8:43:3E | + +### VLAN 30 - Kids (192.168.30.0/24) +| Device | IP | MAC | +|--------|-----|-----| +| Nora MacBook | 192.168.30.10 | 82:6D:FB:D9:E0:47 | +| Kimi Notebook | 192.168.30.11 | 90:91:64:70:0D:86 | +| Kimi iPhone | 192.168.30.12 | 2A:2B:BA:86:D4:AF | +| Dancho iPhone | 192.168.30.13 | F2:B8:14:61:C8:27 | + +--- + +## Risks & Considerations + +### Service Interruption +- **HIGH RISK**: Enabling VLAN filtering will temporarily disrupt all devices +- **Mitigation**: Perform during maintenance window, have console access ready + +### Device Re-configuration +- All devices will get new IPs from new DHCP pools +- Static IP reservations should be configured before migration +- Some devices 
may need manual WiFi reconnection + +### Unraid Considerations +- Unraid needs to be on VLAN 10 (secure) +- Docker containers with br0 (192.168.31.x) need reconfiguration +- Pi-hole and Unbound IPs will change + +### Home Assistant +- Will be on IoT VLAN +- Integrations may need reconfiguration for new IP ranges +- Traefik routing may need adjustment + +--- + +## Rollback Plan + +If issues occur, disable VLAN filtering: +``` +/interface/bridge/set bridge vlan-filtering=no +``` + +This immediately returns to flat network mode. + +--- + +## Questions Before Implementation + +1. **WiFi passwords for new SSIDs** - What should Kids and Guest passwords be? +2. **Printer access** - Should Kids be able to print? (Requires firewall rule) +3. **Home Assistant location** - IoT VLAN (recommended) or Secure VLAN? +4. **Unraid Docker networks** - br0 containers need VLAN assignment decision +5. **Switch port mapping** - Need to know which CSS326 ports connect to which devices + +--- + +## Next Steps + +1. [ ] Confirm device categorization is correct +2. [ ] Decide on WiFi passwords for new SSIDs +3. [ ] Map CSS326 switch ports to devices +4. [ ] Schedule maintenance window for implementation +5. [ ] Backup MikroTik and switch configs before changes +6. [ ] Implement in phases with testing between each
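Review bot: In the `docs/00-CURRENT-STATE.md` hunk, the switch admin password is committed in plaintext in the `| Password | M0stW4nt3d@xtrm |` row; a credential that reaches git history should be treated as exposed, so rotate it on the switch, drop the row from the repo (keep the URL, username and a pointer to wherever secrets live), and do the same for the four Wi-Fi passphrases in section 4.1 of the second file. Two documentation inconsistencies in the same hunk: the uplink is named `eth4_CCS324_Uplink` while the table documents a CSS326-24G-2S+ (the Phase 2.2 bridge commands copy the `CCS324` spelling, so confirm the real interface name before those commands are pasted), and the Web UI row advertises `http://192.168.31.9/index.html`, i.e. the switch management plane is plain HTTP on the flat network, which is worth stating next to the plan to restrict management to VLAN 1.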
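Review bot: In the `docs/10-VLAN-NETWORK-SEGMENTATION.md` hunk, the firewall section 5.1/5.2 has an ordering and reachability problem: the 5.2 rules (`Chromecast from Secure`, `mDNS forward`) are appended after the final `src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop`, so they never match, while the earlier `src-address=192.168.10.0/24 action=accept` already lets Secure reach everything, which makes the Chromecast rule redundant and contradicts the "Secure Devices (should be isolated)" label in the inventory. In the same block, the DHCP networks in 1.3 hand `dns-server=192.168.31.4` to IoT, Kids and Guest clients, but those VLANs are only accepted to `dst-address=!192.168.0.0/16`, so their DNS is dropped; the reservation table later moves Pi-hole to `192.168.10.2`/`192.168.10.4`, so the address is inconsistent as well. Suggest placing the specific accepts (DNS to the Pi-hole address on 53/udp+tcp from each VLAN, HA 8123, Chromecast ports) before the catch-all drop, settling on one Pi-hole address, and adding `chain=input` rules, since the only input rule present is the mDNS accept and router management stays reachable from Guest, Kids and IoT. Smaller points: the 3.2 diagram shows the trunk tagged `10,20,30` while the Step 3 table says `10,20,30,40`; `dst-port=32768-61000 protocol=udp` opens a very wide UDP range from Secure to IoT; the Cross-VLAN section uses `/ip/firewall/filter add` but Phase 5 uses `/ip/firewall/filter/add`; and Phase 2.2 tags only `bridge,eth4_CCS324_Uplink`, so if the cAP ac hangs off a hAP port rather than the switch, that port also needs tagging for 10-40 or the SSID-to-VLAN mapping in Phase 4 will not carry traffic.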