Add VLAN implementation documentation and scripts

- docs/11-VLAN-IMPLEMENTATION.md: Complete VLAN setup documentation
- scripts/mikrotik-vlan-setup.rsc: Full VLAN configuration script
- scripts/mikrotik-vlan-enable.rsc: VLAN filtering activation script

VLAN configuration is prepared but NOT YET ACTIVE.
Requires CSS326 switch configuration before enabling VLAN filtering.

VLANs configured:
- VLAN 1: Legacy (192.168.31.0/24)
- VLAN 10: Management (192.168.10.0/24)
- VLAN 20: Trusted (192.168.20.0/24)
- VLAN 30: IoT (192.168.30.0/24)
- VLAN 35: Cameras (192.168.35.0/24)
- VLAN 40: Servers (192.168.40.0/24)
- VLAN 50: Guest (192.168.50.0/24)
2026-01-25 16:20:59 +02:00
parent ca0af337c3
commit 84b3952891
3 changed files with 359 additions and 0 deletions


@@ -0,0 +1,215 @@
# VLAN Network Segmentation
## Overview
Network segmentation using VLANs for security isolation between device types.
## VLAN Architecture
| VLAN ID | Name | Subnet | Purpose |
|---------|------|--------|---------|
| 1 | Legacy | 192.168.31.0/24 | Default/Legacy network (transition) |
| 10 | Management | 192.168.10.0/24 | Network infrastructure |
| 20 | Trusted | 192.168.20.0/24 | Family devices (phones, laptops) |
| 30 | IoT | 192.168.30.0/24 | Smart home devices |
| 35 | Cameras | 192.168.35.0/24 | Security cameras (isolated) |
| 40 | Servers | 192.168.40.0/24 | Unraid, services |
| 50 | Guest | 192.168.50.0/24 | Guest network (internet only) |
## Current Status: PREPARED (Not Active)
VLAN filtering is **NOT YET ENABLED** on the bridge. Configuration is ready but requires:
1. CSS326 switch VLAN configuration
2. Final activation
### What's Configured
**MikroTik hAP ax³:**
- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest)
- [x] IP addresses assigned to VLAN interfaces
- [x] DHCP servers for each VLAN
- [x] DHCP pools configured
- [x] Static DHCP leases with MAC-to-IP mappings
- [x] Bridge VLAN table entries
- [x] WiFi ports PVID=20 (Trusted)
- [x] Firewall rules for inter-VLAN isolation
- [x] Address lists for firewall rules
- [ ] VLAN filtering enabled on bridge (PENDING)
**CSS326 Switch:**
- [ ] VLAN configuration (REQUIRES MANUAL CONFIG via SwOS)
## Network Diagram
```
Internet
┌───────────────────────────────────────────────────────────┐
│ MikroTik hAP ax³ │
│ │
│ Bridge (vlan-filtering=no) │
│ ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged) │
│ ├── vlan10-mgmt 192.168.10.1/24 │
│ ├── vlan20-trusted 192.168.20.1/24 │
│ ├── vlan30-iot 192.168.30.1/24 │
│ ├── vlan35-cameras 192.168.35.1/24 │
│ ├── vlan40-servers 192.168.40.1/24 │
│ └── vlan50-guest 192.168.50.1/24 │
│ │
│ Ports: │
│ ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs) │
│ ├── hap-wifi1 → PVID=20 (untagged VLAN 20) │
│ └── hap-wifi2 → PVID=20 (untagged VLAN 20) │
└───────────────────────────────────────────────────────────┘
│ Trunk (VLANs 1,10,20,30,35,40,50)
┌───────────────────────────────────────────────────────────┐
│ CSS326-24G-2S+ │
│ 192.168.31.9 (SwOS) │
│ │
│ Requires VLAN configuration via web interface │
│ - Port 1: Uplink to MikroTik (Trunk) │
│ - Other ports: Access ports per VLAN │
└───────────────────────────────────────────────────────────┘
```
## Bridge VLAN Table
```
VLAN Tagged Untagged
---- ------ --------
1 bridge,eth3_CSS326_Uplink eth2,eth4,ether5
10 bridge,eth3_CSS326_Uplink -
20 bridge,eth3_CSS326_Uplink hap-wifi1,hap-wifi2
30 bridge,eth3_CSS326_Uplink -
35 bridge,eth3_CSS326_Uplink -
40 bridge,eth3_CSS326_Uplink -
50 bridge,eth3_CSS326_Uplink -
```
## WiFi VLAN Assignment
Since both SSIDs (XTRM/XTRM2) remain on the same bridge:
- **All WiFi clients → VLAN 20 (Trusted) by default**
- MAC-based filtering via firewall rules for additional restrictions
Note: True per-device VLAN assignment on WiFi requires Dynamic VLAN via RADIUS (not configured).
## Device Assignments (via Static DHCP Leases)
### VLAN 20 - Trusted (192.168.20.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.20.10 | 82:6D:FB:D9:E0:47 | Nora MacBookAir |
| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Kaloyan S25-Ultra |
| 192.168.20.12 | F2:B8:14:61:C8:27 | Dancho iPhone |
| 192.168.20.13 | 82:EC:EF:B5:F2:AF | Kaloyan MacBook WiFi |
| 192.168.20.14 | 90:91:64:70:0D:86 | Kimi Notebook |
| 192.168.20.15 | 2A:2B:BA:86:D4:AF | Kimi iPhone |
| 192.168.20.16 | 08:92:04:C6:07:C5 | Kaloyan MacBook LAN |
| 192.168.20.17 | 1C:83:41:32:F3:AF | Kaloyan Game PC |
| 192.168.20.18 | A4:D1:D2:7B:52:BE | Compusbg iPad |
### VLAN 30 - IoT (192.168.30.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.30.10 | B0:37:95:79:AF:9B | LG TV |
| 192.168.30.11 | D0:E7:82:F7:65:DD | Chromecast |
| 192.168.30.12 | B0:4A:39:3F:9A:14 | Roborock Vacuum |
| 192.168.30.13 | 94:27:70:1E:0C:EE | Bosch Oven |
| 192.168.30.14 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier |
| 192.168.30.15 | C8:D7:78:D6:DC:FC | Bosch Washer |
### VLAN 35 - Cameras (192.168.35.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell |
### VLAN 10 - Management (192.168.10.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.10.6 | 18:FD:74:54:3D:BC | CAP XL ac |
| 192.168.10.9 | F4:1E:57:C9:BD:09 | CSS326 Switch |
### VLAN 40 - Servers (192.168.40.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet |
## Firewall Rules (Active)
Inter-VLAN firewall rules are **ALREADY ACTIVE** even without VLAN filtering:
```
# Allow rules
- Management → All VLANs (full access)
- Legacy → All VLANs (full access during transition)
- Trusted → IoT (can control smart devices)
- Trusted → Cameras (ports 80,443,554,8080,8554 only)
- Trusted → Servers (full access)
- Trusted → Legacy (full access)
- IoT/Cameras/Guest → DNS only (192.168.31.1:53)
# Block rules
- Guest → All internal (isolated, internet only)
- Cameras → All VLANs (upload only, no lateral movement)
- IoT → Management (cannot access network devices)
- IoT → Trusted (cannot access family devices)
```
## Activation Steps
### Step 1: Configure CSS326 Switch (REQUIRED FIRST)
Access SwOS at http://192.168.31.9 and configure:
1. **VLAN settings:**
- Enable VLAN mode
- Create VLANs: 1, 10, 20, 30, 35, 40, 50
2. **Port 1 (Uplink to MikroTik):**
- VLAN Mode: Trunk
- Tagged VLANs: 1, 10, 20, 30, 35, 40, 50
3. **Port for Unraid:**
- VLAN Mode: Access
- PVID: 1 (Legacy) or 40 (Servers)
4. **Other ports:**
- Assign access VLAN based on connected device
### Step 2: Enable VLAN Filtering on MikroTik
```routeros
# CAUTION: This may cause temporary connectivity loss
# Have WinBox ready on 192.168.31.1:8291 as backup
/interface bridge set [find name=bridge] vlan-filtering=yes
```
### Step 3: Verify Connectivity
```bash
# From Unraid
ping 192.168.31.1 # MikroTik Legacy
ping 192.168.20.1 # MikroTik Trusted VLAN
ping 8.8.8.8 # Internet
```
### Rollback (If Needed)
```routeros
/interface bridge set [find name=bridge] vlan-filtering=no
```
## Scripts
- `scripts/mikrotik-vlan-setup.rsc` - Full VLAN configuration (run once)
- `scripts/mikrotik-vlan-enable.rsc` - Enable VLAN filtering (after switch config)
## Related Documents
- [VLAN-PROPOSAL.md](wip/VLAN-PROPOSAL.md) - Original planning document
- [00-CURRENT-STATE.md](00-CURRENT-STATE.md) - Network overview
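Review bot: the Step 2 rescue advice ("Have WinBox ready on 192.168.31.1:8291") and the Rollback section both assume 192.168.31.1 stays reachable after `vlan-filtering=yes`, yet the Bridge VLAN Table lists the bridge itself only as a tagged member of VLAN 1 while that address lives on the untagged bridge interface. Before relying on that address as the fallback path, state the bridge's own pvid (it must be 1 for the untagged CPU path to land in VLAN 1), add a pre-activation check that `/interface bridge vlan print` shows the bridge as an untagged member of VLAN 1, and document a WinBox connection by MAC address as the recovery route that survives a broken VLAN table, since it does not depend on IP routing. Step 3 also verifies only from Unraid, which sits on untagged VLAN 1, so it never exercises a tagged VLAN; add a check from a WiFi client (PVID 20) that it receives a 192.168.20.x lease (`/ip dhcp-server lease print`) and can reach 192.168.20.1, which is the first thing that breaks when the trunk or switch side is wrong.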


@@ -0,0 +1,14 @@
# MikroTik VLAN Filtering Enable Script
#
# PREREQUISITES:
# 1. Run mikrotik-vlan-setup.rsc first
# 2. Configure CSS326 switch for VLAN trunking
#
# WARNING: This may cause temporary connectivity loss!
# Have WinBox ready as backup access method.
# Enable VLAN filtering on bridge
/interface bridge set [find name=bridge] vlan-filtering=yes
# Verify
/interface bridge print where name=bridge
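Review bot: the script's only safeguard is the comment telling the operator to keep WinBox ready; pasting or importing it gives no automatic recovery unless the session is in Safe Mode, which the script does not mention, so a wrong VLAN table locks the operator out. Suggest a timed rollback added before the `set` line, for example a `/system scheduler` entry that runs `/interface bridge set [find name=bridge] vlan-filtering=no` a few minutes later, with a closing comment that the operator removes that scheduler once connectivity is confirmed. The `# Verify` step should print the value actually being changed, e.g. `:put [/interface bridge get [find name=bridge] vlan-filtering]`, instead of the whole bridge entry, and the PREREQUISITES could be enforced rather than assumed by checking that `/interface vlan print where name=vlan10-mgmt` returns an entry before touching the bridge.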


@@ -0,0 +1,130 @@
# MikroTik VLAN Setup Script
# Run this once to configure VLAN infrastructure
# NOTE: Does NOT enable VLAN filtering - see mikrotik-vlan-enable.rsc
# ===========================================
# VLAN Interfaces
# ===========================================
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10 comment="Management VLAN"
add interface=bridge name=vlan20-trusted vlan-id=20 comment="Trusted VLAN"
add interface=bridge name=vlan30-iot vlan-id=30 comment="IoT VLAN"
add interface=bridge name=vlan35-cameras vlan-id=35 comment="Cameras VLAN"
add interface=bridge name=vlan40-servers vlan-id=40 comment="Servers VLAN"
add interface=bridge name=vlan50-guest vlan-id=50 comment="Guest VLAN"
# ===========================================
# IP Addresses for VLANs
# ===========================================
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt comment="Management VLAN"
add address=192.168.20.1/24 interface=vlan20-trusted comment="Trusted VLAN"
add address=192.168.30.1/24 interface=vlan30-iot comment="IoT VLAN"
add address=192.168.35.1/24 interface=vlan35-cameras comment="Cameras VLAN"
add address=192.168.40.1/24 interface=vlan40-servers comment="Servers VLAN"
add address=192.168.50.1/24 interface=vlan50-guest comment="Guest VLAN"
# ===========================================
# DHCP Pools
# ===========================================
/ip pool
add name=pool-mgmt ranges=192.168.10.100-192.168.10.200
add name=pool-trusted ranges=192.168.20.100-192.168.20.220
add name=pool-iot ranges=192.168.30.100-192.168.30.220
add name=pool-cameras ranges=192.168.35.100-192.168.35.150
add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.220
# ===========================================
# DHCP Servers
# ===========================================
/ip dhcp-server
add name=dhcp-mgmt interface=vlan10-mgmt address-pool=pool-mgmt lease-time=30m
add name=dhcp-trusted interface=vlan20-trusted address-pool=pool-trusted lease-time=30m
add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot lease-time=30m
add name=dhcp-cameras interface=vlan35-cameras address-pool=pool-cameras lease-time=30m
add name=dhcp-servers interface=vlan40-servers address-pool=pool-servers lease-time=30m
add name=dhcp-guest interface=vlan50-guest address-pool=pool-guest lease-time=4h
# ===========================================
# DHCP Networks
# ===========================================
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.31.1 comment="Management VLAN"
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.31.1 comment="Trusted VLAN"
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.1 comment="IoT VLAN"
add address=192.168.35.0/24 gateway=192.168.35.1 dns-server=192.168.31.1 comment="Cameras VLAN"
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.31.1 comment="Servers VLAN"
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.31.1 comment="Guest VLAN"
# ===========================================
# Bridge VLAN Table
# ===========================================
/interface bridge vlan
add bridge=bridge vlan-ids=1 tagged=bridge,eth3_CSS326_Uplink untagged=eth2_CAPac_Uplink,eth4_ZX-SWTGW218AS_Uplink,ether5 comment="Legacy VLAN"
add bridge=bridge vlan-ids=10 tagged=bridge,eth3_CSS326_Uplink comment="Management VLAN"
add bridge=bridge vlan-ids=20 tagged=bridge,eth3_CSS326_Uplink untagged=hap-wifi1,hap-wifi2 comment="Trusted VLAN"
add bridge=bridge vlan-ids=30 tagged=bridge,eth3_CSS326_Uplink comment="IoT VLAN"
add bridge=bridge vlan-ids=35 tagged=bridge,eth3_CSS326_Uplink comment="Cameras VLAN"
add bridge=bridge vlan-ids=40 tagged=bridge,eth3_CSS326_Uplink comment="Servers VLAN"
add bridge=bridge vlan-ids=50 tagged=bridge,eth3_CSS326_Uplink comment="Guest VLAN"
# ===========================================
# Bridge Port PVIDs
# ===========================================
/interface bridge port
set [find interface=hap-wifi1] pvid=20
set [find interface=hap-wifi2] pvid=20
# ===========================================
# Firewall Address Lists
# ===========================================
/ip firewall address-list
add list=vlan-mgmt address=192.168.10.0/24
add list=vlan-trusted address=192.168.20.0/24
add list=vlan-iot address=192.168.30.0/24
add list=vlan-cameras address=192.168.35.0/24
add list=vlan-servers address=192.168.40.0/24
add list=vlan-guest address=192.168.50.0/24
add list=vlan-legacy address=192.168.31.0/24
add list=all-vlans address=192.168.10.0/24
add list=all-vlans address=192.168.20.0/24
add list=all-vlans address=192.168.30.0/24
add list=all-vlans address=192.168.35.0/24
add list=all-vlans address=192.168.40.0/24
add list=all-vlans address=192.168.50.0/24
add list=all-vlans address=192.168.31.0/24
# ===========================================
# Inter-VLAN Firewall Rules
# ===========================================
/ip firewall filter
# Allow rules
add chain=forward action=accept src-address-list=vlan-mgmt dst-address-list=all-vlans comment="VLAN: Mgmt to All"
add chain=forward action=accept src-address-list=vlan-legacy dst-address-list=all-vlans comment="VLAN: Legacy to All"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-iot comment="VLAN: Trusted to IoT"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-cameras dst-port=80,443,554,8080,8554 protocol=tcp comment="VLAN: Trusted to Cameras (view)"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-servers comment="VLAN: Trusted to Servers"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-legacy comment="VLAN: Trusted to Legacy"
# DNS access for isolated VLANs
add chain=forward action=accept src-address-list=vlan-iot dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: IoT to DNS"
add chain=forward action=accept src-address-list=vlan-iot dst-address=192.168.31.1 dst-port=53 protocol=tcp comment="VLAN: IoT to DNS TCP"
add chain=forward action=accept src-address-list=vlan-cameras dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: Cameras to DNS"
add chain=forward action=accept src-address-list=vlan-guest dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: Guest to DNS"
# Block rules
add chain=forward action=drop src-address-list=vlan-guest dst-address-list=all-vlans comment="VLAN: Block Guest to internal"
add chain=forward action=drop src-address-list=vlan-cameras dst-address-list=all-vlans comment="VLAN: Block Cameras to VLANs"
add chain=forward action=drop src-address-list=vlan-iot dst-address-list=vlan-mgmt comment="VLAN: Block IoT to Mgmt"
add chain=forward action=drop src-address-list=vlan-iot dst-address-list=vlan-trusted comment="VLAN: Block IoT to Trusted"
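Review bot: the "DNS access for isolated VLANs" accepts and the "Block IoT to Mgmt" drop are all in `chain=forward`, but traffic addressed to the router itself (192.168.31.1:53 for DNS, or 192.168.30.1 and 192.168.10.1 for the router's own WinBox/SSH/DNS services) is processed by `chain=input`, not forward, so the four DNS accept rules never match and the IoT to Management drop does not keep an IoT device away from the router's management services on its own VLAN gateway. Whether DNS works for IoT, Cameras and Guest currently depends entirely on the pre-existing input chain; add matching `chain=input` rules (accept udp/tcp 53 from vlan-iot, vlan-cameras and vlan-guest, then drop the rest from those lists) so the isolation the comments promise is real. Three smaller points: `all-vlans` includes 192.168.31.0/24, so the only routed paths IoT is denied are Mgmt and Trusted, leaving Servers, Cameras and the Legacy network (where Unraid currently sits) reachable from IoT; either state that as intended or add drops. Every rule is appended with `add`, so if the live forward chain already ends in a catch-all drop these land after it and never match; use `place-before=` or document the required position. And Cameras and Guest get only UDP 53 while IoT also gets TCP 53; responses over 512 bytes retry over TCP, so all three lists should be treated the same.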