From 84b39528910e53ae04d1d3c7cff85cb0f309d2b4 Mon Sep 17 00:00:00 2001 From: XTRM-Unraid Date: Sun, 25 Jan 2026 16:20:59 +0200 Subject: [PATCH] Add VLAN implementation documentation and scripts - docs/11-VLAN-IMPLEMENTATION.md: Complete VLAN setup documentation - scripts/mikrotik-vlan-setup.rsc: Full VLAN configuration script - scripts/mikrotik-vlan-enable.rsc: VLAN filtering activation script VLAN configuration is prepared but NOT YET ACTIVE. Requires CSS326 switch configuration before enabling VLAN filtering. VLANs configured: - VLAN 1: Legacy (192.168.31.0/24) - VLAN 10: Management (192.168.10.0/24) - VLAN 20: Trusted (192.168.20.0/24) - VLAN 30: IoT (192.168.30.0/24) - VLAN 35: Cameras (192.168.35.0/24) - VLAN 40: Servers (192.168.40.0/24) - VLAN 50: Guest (192.168.50.0/24) --- docs/11-VLAN-IMPLEMENTATION.md | 215 +++++++++++++++++++++++++++++++ scripts/mikrotik-vlan-enable.rsc | 14 ++ scripts/mikrotik-vlan-setup.rsc | 130 +++++++++++++++++++ 3 files changed, 359 insertions(+) create mode 100644 docs/11-VLAN-IMPLEMENTATION.md create mode 100644 scripts/mikrotik-vlan-enable.rsc create mode 100644 scripts/mikrotik-vlan-setup.rsc diff --git a/docs/11-VLAN-IMPLEMENTATION.md b/docs/11-VLAN-IMPLEMENTATION.md new file mode 100644 index 0000000..d0c187b --- /dev/null +++ b/docs/11-VLAN-IMPLEMENTATION.md 
@@ -0,0 +1,215 @@ +# VLAN Network Segmentation + +## Overview + +Network segmentation using VLANs for security isolation between device types. + +## VLAN Architecture + +| VLAN ID | Name | Subnet | Purpose | +|---------|------|--------|---------| +| 1 | Legacy | 192.168.31.0/24 | Default/Legacy network (transition) | +| 10 | Management | 192.168.10.0/24 | Network infrastructure | +| 20 | Trusted | 192.168.20.0/24 | Family devices (phones, laptops) | +| 30 | IoT | 192.168.30.0/24 | Smart home devices | +| 35 | Cameras | 192.168.35.0/24 | Security cameras (isolated) | +| 40 | Servers | 192.168.40.0/24 | Unraid, services | +| 50 | Guest | 192.168.50.0/24 | Guest network (internet only) | + +## Current Status: PREPARED (Not Active) + +VLAN filtering is **NOT YET ENABLED** on the bridge. Configuration is ready but requires: +1. CSS326 switch VLAN configuration +2. Final activation + +### What's Configured + +**MikroTik hAP ax³:** +- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest) +- [x] IP addresses assigned to VLAN interfaces +- [x] DHCP servers for each VLAN +- [x] DHCP pools configured +- [x] Static DHCP leases with MAC-to-IP mappings +- [x] Bridge VLAN table entries +- [x] WiFi ports PVID=20 (Trusted) +- [x] Firewall rules for inter-VLAN isolation +- [x] Address lists for firewall rules +- [ ] VLAN filtering enabled on bridge (PENDING) + +**CSS326 Switch:** +- [ ] VLAN configuration (REQUIRES MANUAL CONFIG via SwOS) + +## Network Diagram + +``` +Internet + │ + ▼ +┌───────────────────────────────────────────────────────────┐ +│ MikroTik hAP ax³ │ +│ │ +│ Bridge (vlan-filtering=no) │ +│ ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged) │ +│ ├── vlan10-mgmt 192.168.10.1/24 │ +│ ├── vlan20-trusted 192.168.20.1/24 │ +│ ├── vlan30-iot 192.168.30.1/24 │ +│ ├── vlan35-cameras 192.168.35.1/24 │ +│ ├── vlan40-servers 192.168.40.1/24 │ +│ └── vlan50-guest 192.168.50.1/24 │ +│ │ +│ Ports: │ +│ ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs) │ +│ ├── hap-wifi1 → 
PVID=20 (untagged VLAN 20) │ +│ └── hap-wifi2 → PVID=20 (untagged VLAN 20) │ +└───────────────────────────────────────────────────────────┘ + │ + │ Trunk (VLANs 1,10,20,30,35,40,50) + ▼ +┌───────────────────────────────────────────────────────────┐ +│ CSS326-24G-2S+ │ +│ 192.168.31.9 (SwOS) │ +│ │ +│ Requires VLAN configuration via web interface │ +│ - Port 1: Uplink to MikroTik (Trunk) │ +│ - Other ports: Access ports per VLAN │ +└───────────────────────────────────────────────────────────┘ +``` + +## Bridge VLAN Table + +``` +VLAN Tagged Untagged +---- ------ -------- +1 bridge,eth3_CSS326_Uplink eth2,eth4,ether5 +10 bridge,eth3_CSS326_Uplink - +20 bridge,eth3_CSS326_Uplink hap-wifi1,hap-wifi2 +30 bridge,eth3_CSS326_Uplink - +35 bridge,eth3_CSS326_Uplink - +40 bridge,eth3_CSS326_Uplink - +50 bridge,eth3_CSS326_Uplink - +``` + +## WiFi VLAN Assignment + +Since both SSIDs (XTRM/XTRM2) remain on the same bridge: +- **All WiFi clients → VLAN 20 (Trusted) by default** +- MAC-based filtering via firewall rules for additional restrictions + +Note: True per-device VLAN assignment on WiFi requires Dynamic VLAN via RADIUS (not configured). 
+ +## Device Assignments (via Static DHCP Leases) + +### VLAN 20 - Trusted (192.168.20.x) +| IP | MAC | Device | +|----|-----|--------| +| 192.168.20.10 | 82:6D:FB:D9:E0:47 | Nora MacBookAir | +| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Kaloyan S25-Ultra | +| 192.168.20.12 | F2:B8:14:61:C8:27 | Dancho iPhone | +| 192.168.20.13 | 82:EC:EF:B5:F2:AF | Kaloyan MacBook WiFi | +| 192.168.20.14 | 90:91:64:70:0D:86 | Kimi Notebook | +| 192.168.20.15 | 2A:2B:BA:86:D4:AF | Kimi iPhone | +| 192.168.20.16 | 08:92:04:C6:07:C5 | Kaloyan MacBook LAN | +| 192.168.20.17 | 1C:83:41:32:F3:AF | Kaloyan Game PC | +| 192.168.20.18 | A4:D1:D2:7B:52:BE | Compusbg iPad | + +### VLAN 30 - IoT (192.168.30.x) +| IP | MAC | Device | +|----|-----|--------| +| 192.168.30.10 | B0:37:95:79:AF:9B | LG TV | +| 192.168.30.11 | D0:E7:82:F7:65:DD | Chromecast | +| 192.168.30.12 | B0:4A:39:3F:9A:14 | Roborock Vacuum | +| 192.168.30.13 | 94:27:70:1E:0C:EE | Bosch Oven | +| 192.168.30.14 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | +| 192.168.30.15 | C8:D7:78:D6:DC:FC | Bosch Washer | + +### VLAN 35 - Cameras (192.168.35.x) +| IP | MAC | Device | +|----|-----|--------| +| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | + +### VLAN 10 - Management (192.168.10.x) +| IP | MAC | Device | +|----|-----|--------| +| 192.168.10.6 | 18:FD:74:54:3D:BC | CAP XL ac | +| 192.168.10.9 | F4:1E:57:C9:BD:09 | CSS326 Switch | + +### VLAN 40 - Servers (192.168.40.x) +| IP | MAC | Device | +|----|-----|--------| +| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | + +## Firewall Rules (Active) + +Inter-VLAN firewall rules are **ALREADY ACTIVE** even without VLAN filtering: + +``` +# Allow rules +- Management → All VLANs (full access) +- Legacy → All VLANs (full access during transition) +- Trusted → IoT (can control smart devices) +- Trusted → Cameras (ports 80,443,554,8080,8554 only) +- Trusted → Servers (full access) +- Trusted → Legacy (full access) +- IoT/Cameras/Guest → DNS only (192.168.31.1:53) + +# Block rules +- 
Guest → All internal (isolated, internet only) +- Cameras → All VLANs (upload only, no lateral movement) +- IoT → Management (cannot access network devices) +- IoT → Trusted (cannot access family devices) +``` + +## Activation Steps + +### Step 1: Configure CSS326 Switch (REQUIRED FIRST) + +Access SwOS at http://192.168.31.9 and configure: + +1. **VLAN settings:** + - Enable VLAN mode + - Create VLANs: 1, 10, 20, 30, 35, 40, 50 + +2. **Port 1 (Uplink to MikroTik):** + - VLAN Mode: Trunk + - Tagged VLANs: 1, 10, 20, 30, 35, 40, 50 + +3. **Port for Unraid:** + - VLAN Mode: Access + - PVID: 1 (Legacy) or 40 (Servers) + +4. **Other ports:** + - Assign access VLAN based on connected device + +### Step 2: Enable VLAN Filtering on MikroTik + +```routeros +# CAUTION: This may cause temporary connectivity loss +# Have WinBox ready on 192.168.31.1:8291 as backup + +/interface bridge set [find name=bridge] vlan-filtering=yes +``` + +### Step 3: Verify Connectivity + +```bash +# From Unraid +ping 192.168.31.1 # MikroTik Legacy +ping 192.168.20.1 # MikroTik Trusted VLAN +ping 8.8.8.8 # Internet +``` + +### Rollback (If Needed) + +```routeros +/interface bridge set [find name=bridge] vlan-filtering=no +``` + +## Scripts + +- `scripts/mikrotik-vlan-setup.rsc` - Full VLAN configuration (run once) +- `scripts/mikrotik-vlan-enable.rsc` - Enable VLAN filtering (after switch config) + +## Related Documents + +- [VLAN-PROPOSAL.md](wip/VLAN-PROPOSAL.md) - Original planning document +- [00-CURRENT-STATE.md](00-CURRENT-STATE.md) - Network overview diff --git a/scripts/mikrotik-vlan-enable.rsc b/scripts/mikrotik-vlan-enable.rsc new file mode 100644 index 0000000..3b07bfc --- /dev/null +++ b/scripts/mikrotik-vlan-enable.rsc 
@@ -0,0 +1,14 @@ +# MikroTik VLAN Filtering Enable Script +# +# PREREQUISITES: +# 1. Run mikrotik-vlan-setup.rsc first +# 2. Configure CSS326 switch for VLAN trunking +# +# WARNING: This may cause temporary connectivity loss! +# Have WinBox ready as backup access method. + +# Enable VLAN filtering on bridge +/interface bridge set [find name=bridge] vlan-filtering=yes + +# Verify +/interface bridge print where name=bridge diff --git a/scripts/mikrotik-vlan-setup.rsc b/scripts/mikrotik-vlan-setup.rsc new file mode 100644 index 0000000..c6a156d --- /dev/null +++ b/scripts/mikrotik-vlan-setup.rsc 
@@ -0,0 +1,130 @@ +# MikroTik VLAN Setup Script +# Run this once to configure VLAN infrastructure +# NOTE: Does NOT enable VLAN filtering - see mikrotik-vlan-enable.rsc + +# =========================================== +# VLAN Interfaces +# =========================================== + +/interface vlan +add interface=bridge name=vlan10-mgmt vlan-id=10 comment="Management VLAN" +add interface=bridge name=vlan20-trusted vlan-id=20 comment="Trusted VLAN" +add interface=bridge name=vlan30-iot vlan-id=30 comment="IoT VLAN" +add interface=bridge name=vlan35-cameras vlan-id=35 comment="Cameras VLAN" +add interface=bridge name=vlan40-servers vlan-id=40 comment="Servers VLAN" +add interface=bridge name=vlan50-guest vlan-id=50 comment="Guest VLAN" + +# =========================================== +# IP Addresses for VLANs +# =========================================== + +/ip address +add address=192.168.10.1/24 interface=vlan10-mgmt comment="Management VLAN" +add address=192.168.20.1/24 interface=vlan20-trusted comment="Trusted VLAN" +add address=192.168.30.1/24 interface=vlan30-iot comment="IoT VLAN" +add address=192.168.35.1/24 interface=vlan35-cameras comment="Cameras VLAN" +add address=192.168.40.1/24 interface=vlan40-servers comment="Servers VLAN" +add address=192.168.50.1/24 interface=vlan50-guest comment="Guest VLAN" + +# =========================================== +# DHCP Pools +# =========================================== + +/ip pool +add name=pool-mgmt ranges=192.168.10.100-192.168.10.200 +add name=pool-trusted ranges=192.168.20.100-192.168.20.220 +add name=pool-iot ranges=192.168.30.100-192.168.30.220 +add name=pool-cameras ranges=192.168.35.100-192.168.35.150 +add name=pool-servers ranges=192.168.40.100-192.168.40.150 +add name=pool-guest ranges=192.168.50.100-192.168.50.220 + +# =========================================== +# DHCP Servers +# =========================================== + +/ip dhcp-server +add name=dhcp-mgmt interface=vlan10-mgmt 
address-pool=pool-mgmt lease-time=30m +add name=dhcp-trusted interface=vlan20-trusted address-pool=pool-trusted lease-time=30m +add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot lease-time=30m +add name=dhcp-cameras interface=vlan35-cameras address-pool=pool-cameras lease-time=30m +add name=dhcp-servers interface=vlan40-servers address-pool=pool-servers lease-time=30m +add name=dhcp-guest interface=vlan50-guest address-pool=pool-guest lease-time=4h + +# =========================================== +# DHCP Networks +# =========================================== + +/ip dhcp-server network +add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.31.1 comment="Management VLAN" +add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.31.1 comment="Trusted VLAN" +add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.1 comment="IoT VLAN" +add address=192.168.35.0/24 gateway=192.168.35.1 dns-server=192.168.31.1 comment="Cameras VLAN" +add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.31.1 comment="Servers VLAN" +add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.31.1 comment="Guest VLAN" + +# =========================================== +# Bridge VLAN Table +# =========================================== + +/interface bridge vlan +add bridge=bridge vlan-ids=1 tagged=bridge,eth3_CSS326_Uplink untagged=eth2_CAPac_Uplink,eth4_ZX-SWTGW218AS_Uplink,ether5 comment="Legacy VLAN" +add bridge=bridge vlan-ids=10 tagged=bridge,eth3_CSS326_Uplink comment="Management VLAN" +add bridge=bridge vlan-ids=20 tagged=bridge,eth3_CSS326_Uplink untagged=hap-wifi1,hap-wifi2 comment="Trusted VLAN" +add bridge=bridge vlan-ids=30 tagged=bridge,eth3_CSS326_Uplink comment="IoT VLAN" +add bridge=bridge vlan-ids=35 tagged=bridge,eth3_CSS326_Uplink comment="Cameras VLAN" +add bridge=bridge vlan-ids=40 tagged=bridge,eth3_CSS326_Uplink comment="Servers VLAN" +add bridge=bridge vlan-ids=50 tagged=bridge,eth3_CSS326_Uplink 
comment="Guest VLAN" + +# =========================================== +# Bridge Port PVIDs +# =========================================== + +/interface bridge port +set [find interface=hap-wifi1] pvid=20 +set [find interface=hap-wifi2] pvid=20 + +# =========================================== +# Firewall Address Lists +# =========================================== + +/ip firewall address-list +add list=vlan-mgmt address=192.168.10.0/24 +add list=vlan-trusted address=192.168.20.0/24 +add list=vlan-iot address=192.168.30.0/24 +add list=vlan-cameras address=192.168.35.0/24 +add list=vlan-servers address=192.168.40.0/24 +add list=vlan-guest address=192.168.50.0/24 +add list=vlan-legacy address=192.168.31.0/24 +add list=all-vlans address=192.168.10.0/24 +add list=all-vlans address=192.168.20.0/24 +add list=all-vlans address=192.168.30.0/24 +add list=all-vlans address=192.168.35.0/24 +add list=all-vlans address=192.168.40.0/24 +add list=all-vlans address=192.168.50.0/24 +add list=all-vlans address=192.168.31.0/24 + +# =========================================== +# Inter-VLAN Firewall Rules +# =========================================== + +/ip firewall filter + +# Allow rules +add chain=forward action=accept src-address-list=vlan-mgmt dst-address-list=all-vlans comment="VLAN: Mgmt to All" +add chain=forward action=accept src-address-list=vlan-legacy dst-address-list=all-vlans comment="VLAN: Legacy to All" +add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-iot comment="VLAN: Trusted to IoT" +add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-cameras dst-port=80,443,554,8080,8554 protocol=tcp comment="VLAN: Trusted to Cameras (view)" +add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-servers comment="VLAN: Trusted to Servers" +add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-legacy comment="VLAN: Trusted to Legacy" + +# DNS access for 
isolated VLANs +add chain=forward action=accept src-address-list=vlan-iot dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: IoT to DNS" +add chain=forward action=accept src-address-list=vlan-iot dst-address=192.168.31.1 dst-port=53 protocol=tcp comment="VLAN: IoT to DNS TCP" +add chain=forward action=accept src-address-list=vlan-cameras dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: Cameras to DNS" +add chain=forward action=accept src-address-list=vlan-guest dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: Guest to DNS" + +# Block rules +add chain=forward action=drop src-address-list=vlan-guest dst-address-list=all-vlans comment="VLAN: Block Guest to internal" +add chain=forward action=drop src-address-list=vlan-cameras dst-address-list=all-vlans comment="VLAN: Block Cameras to VLANs" +add chain=forward action=drop src-address-list=vlan-iot dst-address-list=vlan-mgmt comment="VLAN: Block IoT to Mgmt" +add chain=forward action=drop src-address-list=vlan-iot dst-address-list=vlan-trusted comment="VLAN: Block IoT to Trusted"
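Review bot: in `docs/11-VLAN-IMPLEMENTATION.md` the documentation disagrees with `scripts/mikrotik-vlan-setup.rsc` in several places that matter for the cutover. The "Bridge VLAN Table" section lists the VLAN 1 untagged ports as `eth2,eth4,ether5`, while the script uses `eth2_CAPac_Uplink,eth4_ZX-SWTGW218AS_Uplink,ether5`; please use the real interface names in the doc so the table can be checked against `/interface bridge vlan print`. The "Firewall Rules (Active)" section states "IoT/Cameras/Guest → DNS only (192.168.31.1:53)", but the script only opens TCP/53 for IoT, not for Cameras or Guest. The device tables put the CAP XL ac at 192.168.10.6 and the CSS326 at 192.168.10.9 (VLAN 10), yet the CAP's uplink `eth2_CAPac_Uplink` is untagged in VLAN 1 only and carries no tagged VLAN 10, and the activation steps and rollback still address the switch at 192.168.31.9; state which address each infrastructure device is expected to have after filtering is enabled, since the rollback procedure depends on it. Finally, the diagram says 192.168.31.1/24 sits on the bridge as "VLAN 1 untagged", while the VLAN 1 entry makes `bridge` a tagged member; please document the bridge's own PVID and confirm that untagged VLAN 1 still reaches the CPU, because 192.168.31.1 is also the stated WinBox backup path in Step 2.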
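Review bot: `scripts/mikrotik-vlan-enable.rsc` has no safety net for the case the WARNING comment itself describes. The only safeguard is "Have WinBox ready as backup access method", but the backup address (192.168.31.1 per the doc) lives on the same bridge whose filtering this script turns on, so it is the first thing that can disappear. Suggest running the change from a Safe Mode session (which reverts automatically if the session drops), or adding a `/system scheduler` entry that sets `vlan-filtering=no` again after a few minutes and is removed once connectivity is confirmed, and saying so in the PREREQUISITES block. The trailing `/interface bridge print where name=bridge` only shows the flag was set; a more useful verification would be `/interface bridge vlan print` to confirm no port is left with a dynamic-only membership, and a ping from a host on a tagged VLAN as the doc's Step 3 describes.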
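Review bot: in `scripts/mikrotik-vlan-setup.rsc` the IoT segment is not isolated the way the doc claims. The "Block rules" drop IoT only toward `vlan-mgmt` and `vlan-trusted`; nothing in this hunk drops IoT toward `vlan-servers`, `vlan-cameras`, `vlan-guest` or `vlan-legacy`, and the legacy range 192.168.31.0/24 is where the router's 192.168.31.1 and the switch's SwOS address sit. Unless a default drop for `forward` already exists later in the chain (not visible here), add a catch-all after the DNS accepts, mirroring what is done for Guest and Cameras, e.g. `add chain=forward action=drop src-address-list=vlan-iot dst-address-list=all-vlans comment="VLAN: Block IoT to internal"`. Related: the DNS accepts are asymmetric (IoT gets UDP and TCP on port 53, Cameras and Guest only UDP), so responses larger than 512 bytes will fail for those two VLANs; either add the TCP rule for them or note the intent. Also, every `add` here appends to the end of the filter chain, so if an earlier accept or drop for `forward` already matches this traffic, these rules are never evaluated; consider `place-before=` with a documented anchor rule, and document that `/ip firewall filter print` must be checked after the script runs. Lastly, the VLAN 1 entry lists `bridge` as tagged while the doc describes the legacy address on the bridge as untagged; confirm the bridge PVID handling before this is enabled.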