Add VLAN implementation documentation and scripts

- docs/11-VLAN-IMPLEMENTATION.md: Complete VLAN setup documentation
- scripts/mikrotik-vlan-setup.rsc: Full VLAN configuration script
- scripts/mikrotik-vlan-enable.rsc: VLAN filtering activation script

VLAN configuration is prepared but NOT YET ACTIVE.
Requires CSS326 switch configuration before enabling VLAN filtering.

VLANs configured:
- VLAN 1: Legacy (192.168.31.0/24)
- VLAN 10: Management (192.168.10.0/24)
- VLAN 20: Trusted (192.168.20.0/24)
- VLAN 30: IoT (192.168.30.0/24)
- VLAN 35: Cameras (192.168.35.0/24)
- VLAN 40: Servers (192.168.40.0/24)
- VLAN 50: Guest (192.168.50.0/24)

docs/11-VLAN-IMPLEMENTATION.md

@@ -0,0 +1,215 @@
+# VLAN Network Segmentation
+
+## Overview
+
+Network segmentation using VLANs for security isolation between device types.
+
+## VLAN Architecture
+
+| VLAN ID | Name | Subnet | Purpose |
+|---------|------|--------|---------|
+| 1 | Legacy | 192.168.31.0/24 | Default/Legacy network (transition) |
+| 10 | Management | 192.168.10.0/24 | Network infrastructure |
+| 20 | Trusted | 192.168.20.0/24 | Family devices (phones, laptops) |
+| 30 | IoT | 192.168.30.0/24 | Smart home devices |
+| 35 | Cameras | 192.168.35.0/24 | Security cameras (isolated) |
+| 40 | Servers | 192.168.40.0/24 | Unraid, services |
+| 50 | Guest | 192.168.50.0/24 | Guest network (internet only) |
+
+## Current Status: PREPARED (Not Active)
+
+VLAN filtering is **NOT YET ENABLED** on the bridge. Configuration is ready but requires:
+1. CSS326 switch VLAN configuration
+2. Final activation
+
+### What's Configured
+
+**MikroTik hAP ax³:**
+- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest)
+- [x] IP addresses assigned to VLAN interfaces
+- [x] DHCP servers for each VLAN
+- [x] DHCP pools configured
+- [x] Static DHCP leases with MAC-to-IP mappings
+- [x] Bridge VLAN table entries
+- [x] WiFi ports PVID=20 (Trusted)
+- [x] Firewall rules for inter-VLAN isolation
+- [x] Address lists for firewall rules
+- [ ] VLAN filtering enabled on bridge (PENDING)
+
+**CSS326 Switch:**
+- [ ] VLAN configuration (REQUIRES MANUAL CONFIG via SwOS)
+
+## Network Diagram
+
+```
+Internet
+    │
+    ▼
+┌───────────────────────────────────────────────────────────┐
+│                   MikroTik hAP ax³                        │
+│                                                           │
+│  Bridge (vlan-filtering=no)                               │
+│  ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged)          │
+│  ├── vlan10-mgmt    192.168.10.1/24                       │
+│  ├── vlan20-trusted 192.168.20.1/24                       │
+│  ├── vlan30-iot     192.168.30.1/24                       │
+│  ├── vlan35-cameras 192.168.35.1/24                       │
+│  ├── vlan40-servers 192.168.40.1/24                       │
+│  └── vlan50-guest   192.168.50.1/24                       │
+│                                                           │
+│  Ports:                                                   │
+│  ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs)       │
+│  ├── hap-wifi1 → PVID=20 (untagged VLAN 20)              │
+│  └── hap-wifi2 → PVID=20 (untagged VLAN 20)              │
+└───────────────────────────────────────────────────────────┘
+              │
+              │ Trunk (VLANs 1,10,20,30,35,40,50)
+              ▼
+┌───────────────────────────────────────────────────────────┐
+│                   CSS326-24G-2S+                          │
+│                   192.168.31.9 (SwOS)                     │
+│                                                           │
+│  Requires VLAN configuration via web interface            │
+│  - Port 1: Uplink to MikroTik (Trunk)                    │
+│  - Other ports: Access ports per VLAN                     │
+└───────────────────────────────────────────────────────────┘
+```
+
+## Bridge VLAN Table
+
+```
+VLAN  Tagged                         Untagged
+----  ------                         --------
+1     bridge,eth3_CSS326_Uplink      eth2,eth4,ether5
+10    bridge,eth3_CSS326_Uplink      -
+20    bridge,eth3_CSS326_Uplink      hap-wifi1,hap-wifi2
+30    bridge,eth3_CSS326_Uplink      -
+35    bridge,eth3_CSS326_Uplink      -
+40    bridge,eth3_CSS326_Uplink      -
+50    bridge,eth3_CSS326_Uplink      -
+```
+
+## WiFi VLAN Assignment
+
+Since both SSIDs (XTRM/XTRM2) remain on the same bridge:
+- **All WiFi clients → VLAN 20 (Trusted) by default**
+- MAC-based filtering via firewall rules for additional restrictions
+
+Note: True per-device VLAN assignment on WiFi requires Dynamic VLAN via RADIUS (not configured).
+
+## Device Assignments (via Static DHCP Leases)
+
+### VLAN 20 - Trusted (192.168.20.x)
+| IP | MAC | Device |
+|----|-----|--------|
+| 192.168.20.10 | 82:6D:FB:D9:E0:47 | Nora MacBookAir |
+| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Kaloyan S25-Ultra |
+| 192.168.20.12 | F2:B8:14:61:C8:27 | Dancho iPhone |
+| 192.168.20.13 | 82:EC:EF:B5:F2:AF | Kaloyan MacBook WiFi |
+| 192.168.20.14 | 90:91:64:70:0D:86 | Kimi Notebook |
+| 192.168.20.15 | 2A:2B:BA:86:D4:AF | Kimi iPhone |
+| 192.168.20.16 | 08:92:04:C6:07:C5 | Kaloyan MacBook LAN |
+| 192.168.20.17 | 1C:83:41:32:F3:AF | Kaloyan Game PC |
+| 192.168.20.18 | A4:D1:D2:7B:52:BE | Compusbg iPad |
+
+### VLAN 30 - IoT (192.168.30.x)
+| IP | MAC | Device |
+|----|-----|--------|
+| 192.168.30.10 | B0:37:95:79:AF:9B | LG TV |
+| 192.168.30.11 | D0:E7:82:F7:65:DD | Chromecast |
+| 192.168.30.12 | B0:4A:39:3F:9A:14 | Roborock Vacuum |
+| 192.168.30.13 | 94:27:70:1E:0C:EE | Bosch Oven |
+| 192.168.30.14 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier |
+| 192.168.30.15 | C8:D7:78:D6:DC:FC | Bosch Washer |
+
+### VLAN 35 - Cameras (192.168.35.x)
+| IP | MAC | Device |
+|----|-----|--------|
+| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell |
+
+### VLAN 10 - Management (192.168.10.x)
+| IP | MAC | Device |
+|----|-----|--------|
+| 192.168.10.6 | 18:FD:74:54:3D:BC | CAP XL ac |
+| 192.168.10.9 | F4:1E:57:C9:BD:09 | CSS326 Switch |
+
+### VLAN 40 - Servers (192.168.40.x)
+| IP | MAC | Device |
+|----|-----|--------|
+| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet |
+
+## Firewall Rules (Active)
+
+Inter-VLAN firewall rules are **ALREADY ACTIVE** even without VLAN filtering:
+
+```
+# Allow rules
+- Management → All VLANs (full access)
+- Legacy → All VLANs (full access during transition)
+- Trusted → IoT (can control smart devices)
+- Trusted → Cameras (ports 80,443,554,8080,8554 only)
+- Trusted → Servers (full access)
+- Trusted → Legacy (full access)
+- IoT/Cameras/Guest → DNS only (192.168.31.1:53)
+
+# Block rules
+- Guest → All internal (isolated, internet only)
+- Cameras → All VLANs (upload only, no lateral movement)
+- IoT → Management (cannot access network devices)
+- IoT → Trusted (cannot access family devices)
+```
+
+## Activation Steps
+
+### Step 1: Configure CSS326 Switch (REQUIRED FIRST)
+
+Access SwOS at http://192.168.31.9 and configure:
+
+1. **VLAN settings:**
+   - Enable VLAN mode
+   - Create VLANs: 1, 10, 20, 30, 35, 40, 50
+   
+2. **Port 1 (Uplink to MikroTik):**
+   - VLAN Mode: Trunk
+   - Tagged VLANs: 1, 10, 20, 30, 35, 40, 50
+   
+3. **Port for Unraid:**
+   - VLAN Mode: Access
+   - PVID: 1 (Legacy) or 40 (Servers)
+   
+4. **Other ports:**
+   - Assign access VLAN based on connected device
+
+### Step 2: Enable VLAN Filtering on MikroTik
+
+```routeros
+# CAUTION: This may cause temporary connectivity loss
+# Have WinBox ready on 192.168.31.1:8291 as backup
+
+/interface bridge set [find name=bridge] vlan-filtering=yes
+```
+
+### Step 3: Verify Connectivity
+
+```bash
+# From Unraid
+ping 192.168.31.1  # MikroTik Legacy
+ping 192.168.20.1  # MikroTik Trusted VLAN
+ping 8.8.8.8       # Internet
+```
+
+### Rollback (If Needed)
+
+```routeros
+/interface bridge set [find name=bridge] vlan-filtering=no
+```
+
+## Scripts
+
+- `scripts/mikrotik-vlan-setup.rsc` - Full VLAN configuration (run once)
+- `scripts/mikrotik-vlan-enable.rsc` - Enable VLAN filtering (after switch config)
+
+## Related Documents
+
+- [VLAN-PROPOSAL.md](wip/VLAN-PROPOSAL.md) - Original planning document
+- [00-CURRENT-STATE.md](00-CURRENT-STATE.md) - Network overview

scripts/mikrotik-vlan-enable.rsc

@@ -0,0 +1,14 @@
+# MikroTik VLAN Filtering Enable Script
+# 
+# PREREQUISITES:
+# 1. Run mikrotik-vlan-setup.rsc first
+# 2. Configure CSS326 switch for VLAN trunking
+#
+# WARNING: This may cause temporary connectivity loss!
+# Have WinBox ready as backup access method.
+
+# Enable VLAN filtering on bridge
+/interface bridge set [find name=bridge] vlan-filtering=yes
+
+# Verify
+/interface bridge print where name=bridge

scripts/mikrotik-vlan-setup.rsc

@@ -0,0 +1,130 @@
+# MikroTik VLAN Setup Script
+# Run this once to configure VLAN infrastructure
+# NOTE: Does NOT enable VLAN filtering - see mikrotik-vlan-enable.rsc
+
+# ===========================================
+# VLAN Interfaces
+# ===========================================
+
+/interface vlan
+add interface=bridge name=vlan10-mgmt vlan-id=10 comment="Management VLAN"
+add interface=bridge name=vlan20-trusted vlan-id=20 comment="Trusted VLAN"
+add interface=bridge name=vlan30-iot vlan-id=30 comment="IoT VLAN"
+add interface=bridge name=vlan35-cameras vlan-id=35 comment="Cameras VLAN"
+add interface=bridge name=vlan40-servers vlan-id=40 comment="Servers VLAN"
+add interface=bridge name=vlan50-guest vlan-id=50 comment="Guest VLAN"
+
+# ===========================================
+# IP Addresses for VLANs
+# ===========================================
+
+/ip address
+add address=192.168.10.1/24 interface=vlan10-mgmt comment="Management VLAN"
+add address=192.168.20.1/24 interface=vlan20-trusted comment="Trusted VLAN"
+add address=192.168.30.1/24 interface=vlan30-iot comment="IoT VLAN"
+add address=192.168.35.1/24 interface=vlan35-cameras comment="Cameras VLAN"
+add address=192.168.40.1/24 interface=vlan40-servers comment="Servers VLAN"
+add address=192.168.50.1/24 interface=vlan50-guest comment="Guest VLAN"
+
+# ===========================================
+# DHCP Pools
+# ===========================================
+
+/ip pool
+add name=pool-mgmt ranges=192.168.10.100-192.168.10.200
+add name=pool-trusted ranges=192.168.20.100-192.168.20.220
+add name=pool-iot ranges=192.168.30.100-192.168.30.220
+add name=pool-cameras ranges=192.168.35.100-192.168.35.150
+add name=pool-servers ranges=192.168.40.100-192.168.40.150
+add name=pool-guest ranges=192.168.50.100-192.168.50.220
+
+# ===========================================
+# DHCP Servers
+# ===========================================
+
+/ip dhcp-server
+add name=dhcp-mgmt interface=vlan10-mgmt address-pool=pool-mgmt lease-time=30m
+add name=dhcp-trusted interface=vlan20-trusted address-pool=pool-trusted lease-time=30m
+add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot lease-time=30m
+add name=dhcp-cameras interface=vlan35-cameras address-pool=pool-cameras lease-time=30m
+add name=dhcp-servers interface=vlan40-servers address-pool=pool-servers lease-time=30m
+add name=dhcp-guest interface=vlan50-guest address-pool=pool-guest lease-time=4h
+
+# ===========================================
+# DHCP Networks
+# ===========================================
+
+/ip dhcp-server network
+add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.31.1 comment="Management VLAN"
+add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.31.1 comment="Trusted VLAN"
+add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.1 comment="IoT VLAN"
+add address=192.168.35.0/24 gateway=192.168.35.1 dns-server=192.168.31.1 comment="Cameras VLAN"
+add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.31.1 comment="Servers VLAN"
+add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.31.1 comment="Guest VLAN"
+
+# ===========================================
+# Bridge VLAN Table
+# ===========================================
+
+/interface bridge vlan
+add bridge=bridge vlan-ids=1 tagged=bridge,eth3_CSS326_Uplink untagged=eth2_CAPac_Uplink,eth4_ZX-SWTGW218AS_Uplink,ether5 comment="Legacy VLAN"
+add bridge=bridge vlan-ids=10 tagged=bridge,eth3_CSS326_Uplink comment="Management VLAN"
+add bridge=bridge vlan-ids=20 tagged=bridge,eth3_CSS326_Uplink untagged=hap-wifi1,hap-wifi2 comment="Trusted VLAN"
+add bridge=bridge vlan-ids=30 tagged=bridge,eth3_CSS326_Uplink comment="IoT VLAN"
+add bridge=bridge vlan-ids=35 tagged=bridge,eth3_CSS326_Uplink comment="Cameras VLAN"
+add bridge=bridge vlan-ids=40 tagged=bridge,eth3_CSS326_Uplink comment="Servers VLAN"
+add bridge=bridge vlan-ids=50 tagged=bridge,eth3_CSS326_Uplink comment="Guest VLAN"
+
+# ===========================================
+# Bridge Port PVIDs
+# ===========================================
+
+/interface bridge port
+set [find interface=hap-wifi1] pvid=20
+set [find interface=hap-wifi2] pvid=20
+
+# ===========================================
+# Firewall Address Lists
+# ===========================================
+
+/ip firewall address-list
+add list=vlan-mgmt address=192.168.10.0/24
+add list=vlan-trusted address=192.168.20.0/24
+add list=vlan-iot address=192.168.30.0/24
+add list=vlan-cameras address=192.168.35.0/24
+add list=vlan-servers address=192.168.40.0/24
+add list=vlan-guest address=192.168.50.0/24
+add list=vlan-legacy address=192.168.31.0/24
+add list=all-vlans address=192.168.10.0/24
+add list=all-vlans address=192.168.20.0/24
+add list=all-vlans address=192.168.30.0/24
+add list=all-vlans address=192.168.35.0/24
+add list=all-vlans address=192.168.40.0/24
+add list=all-vlans address=192.168.50.0/24
+add list=all-vlans address=192.168.31.0/24
+
+# ===========================================
+# Inter-VLAN Firewall Rules
+# ===========================================
+
+/ip firewall filter
+
+# Allow rules
+add chain=forward action=accept src-address-list=vlan-mgmt dst-address-list=all-vlans comment="VLAN: Mgmt to All"
+add chain=forward action=accept src-address-list=vlan-legacy dst-address-list=all-vlans comment="VLAN: Legacy to All"
+add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-iot comment="VLAN: Trusted to IoT"
+add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-cameras dst-port=80,443,554,8080,8554 protocol=tcp comment="VLAN: Trusted to Cameras (view)"
+add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-servers comment="VLAN: Trusted to Servers"
+add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-legacy comment="VLAN: Trusted to Legacy"
+
+# DNS access for isolated VLANs
+add chain=forward action=accept src-address-list=vlan-iot dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: IoT to DNS"
+add chain=forward action=accept src-address-list=vlan-iot dst-address=192.168.31.1 dst-port=53 protocol=tcp comment="VLAN: IoT to DNS TCP"
+add chain=forward action=accept src-address-list=vlan-cameras dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: Cameras to DNS"
+add chain=forward action=accept src-address-list=vlan-guest dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: Guest to DNS"
+
+# Block rules
+add chain=forward action=drop src-address-list=vlan-guest dst-address-list=all-vlans comment="VLAN: Block Guest to internal"
+add chain=forward action=drop src-address-list=vlan-cameras dst-address-list=all-vlans comment="VLAN: Block Cameras to VLANs"
+add chain=forward action=drop src-address-list=vlan-iot dst-address-list=vlan-mgmt comment="VLAN: Block IoT to Mgmt"
+add chain=forward action=drop src-address-list=vlan-iot dst-address-list=vlan-trusted comment="VLAN: Block IoT to Trusted"