From 8757bccca025be23d8304a8352df62f08089d8ad Mon Sep 17 00:00:00 2001 From: Kaloyan Danchev Date: Sun, 25 Jan 2026 20:34:15 +0200 Subject: [PATCH] Add VLAN migration plan with Unraid transition strategy --- docs/04-VLAN-MIGRATION-PLAN.md | 355 +++++++++++++++++++++++++++++++++ 1 file changed, 355 insertions(+) create mode 100644 docs/04-VLAN-MIGRATION-PLAN.md diff --git a/docs/04-VLAN-MIGRATION-PLAN.md b/docs/04-VLAN-MIGRATION-PLAN.md new file mode 100644 index 0000000..8f9c0a8 --- /dev/null +++ b/docs/04-VLAN-MIGRATION-PLAN.md 
@@ -0,0 +1,355 @@ +# VLAN Migration Plan + +**Created:** 2026-01-25 +**Status:** Planning +**Risk Level:** High (DNS/Network critical) + +--- + +## Overview + +Migrate from flat 192.168.31.0/24 network to segmented VLANs while maintaining service continuity. + +### Critical Dependencies +- **Unraid (192.168.31.2)** - Hosts 40+ Docker containers including AdGuard +- **AdGuard Unraid (192.168.31.4)** - Secondary DNS server +- **AdGuard MikroTik (172.17.0.2)** - Primary DNS server (container on router) + +--- + +## Phase 1: Pre-Migration Setup (No Downtime) + +### 1.1 Enable REST API on MikroTik +```routeros +/ip service set www-ssl disabled=no +/ip service set api-ssl disabled=no +``` + +### 1.2 Create VLAN Interfaces on Router +```routeros +# Create VLANs on bridge +/interface vlan +add interface=bridge name=vlan10-mgmt vlan-id=10 +add interface=bridge name=vlan20-trusted vlan-id=20 +add interface=bridge name=vlan25-kids vlan-id=25 +add interface=bridge name=vlan30-iot vlan-id=30 +add interface=bridge name=vlan35-cameras vlan-id=35 +add interface=bridge name=vlan40-servers vlan-id=40 +add interface=bridge name=vlan50-guest vlan-id=50 +``` + +### 1.3 Assign Gateway IPs to VLANs +```routeros +/ip address +add address=192.168.10.1/24 interface=vlan10-mgmt +add address=192.168.20.1/24 interface=vlan20-trusted +add address=192.168.25.1/24 interface=vlan25-kids +add address=192.168.30.1/24 interface=vlan30-iot +add address=192.168.35.1/24 interface=vlan35-cameras +add address=192.168.40.1/24 interface=vlan40-servers +add address=192.168.50.1/24 interface=vlan50-guest +``` + +### 1.4 Create DHCP Pools +```routeros +/ip pool +add name=pool-mgmt ranges=192.168.10.100-192.168.10.200 +add name=pool-trusted ranges=192.168.20.100-192.168.20.200 +add name=pool-kids ranges=192.168.25.100-192.168.25.200 +add name=pool-iot ranges=192.168.30.100-192.168.30.200 +add name=pool-cameras ranges=192.168.35.100-192.168.35.200 +add name=pool-servers ranges=192.168.40.100-192.168.40.200 +add 
name=pool-guest ranges=192.168.50.100-192.168.50.200 +``` + +### 1.5 Create DHCP Servers +```routeros +/ip dhcp-server +add address-pool=pool-mgmt interface=vlan10-mgmt name=dhcp-mgmt +add address-pool=pool-trusted interface=vlan20-trusted name=dhcp-trusted +add address-pool=pool-kids interface=vlan25-kids name=dhcp-kids +add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot +add address-pool=pool-cameras interface=vlan35-cameras name=dhcp-cameras +add address-pool=pool-servers interface=vlan40-servers name=dhcp-servers +add address-pool=pool-guest interface=vlan50-guest name=dhcp-guest + +/ip dhcp-server network +add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.10 +add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.10.10 +add address=192.168.25.0/24 gateway=192.168.25.1 dns-server=192.168.10.10 +add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.10.10 +add address=192.168.35.0/24 gateway=192.168.35.1 dns-server=192.168.10.10 +add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.10.10 +add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.10.10 +``` + +--- + +## Phase 2: Static DHCP Leases (Pre-Migration) + +Create static leases for all known devices BEFORE enabling VLANs. 
+ +### VLAN 10 - Management +```routeros +/ip dhcp-server lease +add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="XTRM-U Unraid" server=dhcp-mgmt +add address=192.168.10.10 mac-address=02:42:C0:A8:1F:04 comment="AdGuard Unraid" server=dhcp-mgmt +add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-mgmt +add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-mgmt +add address=192.168.10.4 mac-address=1C:2A:A3:1E:78:67 comment="ZX1" server=dhcp-mgmt +add address=192.168.10.11 mac-address=48:DA:35:6F:BE:50 comment="NanoKVM" server=dhcp-mgmt +``` + +### VLAN 20 - Trusted +```routeros +/ip dhcp-server lease +add address=192.168.20.10 mac-address=82:6D:FB:D9:E0:47 comment="Nora MacBook" server=dhcp-trusted +add address=192.168.20.11 mac-address=AA:ED:8B:2A:40:F1 comment="Kaloyan S25" server=dhcp-trusted +add address=192.168.20.13 mac-address=82:EC:EF:B5:F2:AF comment="Kaloyan MacBook WiFi" server=dhcp-trusted +add address=192.168.20.16 mac-address=08:92:04:C6:07:C5 comment="Kaloyan MacBook LAN" server=dhcp-trusted +add address=192.168.20.17 mac-address=1C:83:41:32:F3:AF comment="Kaloyan Gaming PC" server=dhcp-trusted +``` + +### VLAN 25 - Kids +```routeros +/ip dhcp-server lease +add address=192.168.25.12 mac-address=F2:B8:14:61:C8:27 comment="Dancho iPhone" server=dhcp-kids +add address=192.168.25.14 mac-address=90:91:64:70:0D:86 comment="Kimi Notebook" server=dhcp-kids +add address=192.168.25.15 mac-address=2A:2B:BA:86:D4:AF comment="Kimi iPhone" server=dhcp-kids +add address=192.168.25.18 mac-address=A4:D1:D2:7B:52:BE comment="Compusbg iPad" server=dhcp-kids +``` + +### VLAN 30 - IoT +```routeros +/ip dhcp-server lease +add address=192.168.30.10 mac-address=50:2C:C6:7A:55:39 comment="GREE AC" server=dhcp-iot +add address=192.168.30.11 mac-address=B0:37:95:79:AF:9B comment="LG TV LAN" server=dhcp-iot +add address=192.168.30.12 mac-address=DC:03:98:6B:5A:3A comment="LG TV WiFi" 
server=dhcp-iot +add address=192.168.30.13 mac-address=D0:E7:82:F7:65:DD comment="Chromecast" server=dhcp-iot +add address=192.168.30.14 mac-address=B0:4A:39:3F:9A:14 comment="Roborock Vacuum" server=dhcp-iot +add address=192.168.30.20 mac-address=94:27:70:1E:0C:EE comment="Bosch Oven" server=dhcp-iot +add address=192.168.30.21 mac-address=C8:D7:78:40:65:40 comment="Bosch Dishwasher" server=dhcp-iot +add address=192.168.30.22 mac-address=C8:D7:78:D6:DC:FC comment="Bosch Washer" server=dhcp-iot +add address=192.168.30.31 mac-address=18:DE:50:5B:C8:A6 comment="Tuya Device 1" server=dhcp-iot +add address=192.168.30.32 mac-address=38:1F:8D:04:6F:E4 comment="Tuya Device 2" server=dhcp-iot +add address=192.168.30.38 mac-address=D4:AD:FC:BE:13:B0 comment="Intellirocks" server=dhcp-iot +add address=192.168.30.39 mac-address=C8:5C:CC:52:EA:53 comment="Xiaomi Air Purifier" server=dhcp-iot +``` + +### VLAN 35 - Cameras +```routeros +/ip dhcp-server lease +add address=192.168.35.10 mac-address=48:9E:9D:0E:16:F7 comment="Reolink Doorbell" server=dhcp-cameras +``` + +### VLAN 40 - Servers +```routeros +/ip dhcp-server lease +add address=192.168.40.19 mac-address=64:4E:D7:D8:43:3E comment="HP LaserJet" server=dhcp-servers +``` + +### VLAN 50 - Guest +```routeros +/ip dhcp-server lease +add address=192.168.50.10 mac-address=AC:87:A3:77:8F:BD comment="Unknown Apple" server=dhcp-guest +add address=192.168.50.11 mac-address=22:4C:7F:1D:85:8E comment="Unknown Random MAC" server=dhcp-guest +add address=192.168.50.12 mac-address=D0:C9:07:92:1A:8E comment="Unknown Private 1" server=dhcp-guest +add address=192.168.50.13 mac-address=D0:C9:07:8C:C9:46 comment="Unknown Private 2" server=dhcp-guest +``` + +--- + +## Phase 3: Switch Configuration + +### 3.1 CSS326 VLAN Setup + +**Port Assignments:** +| Port | Device | VLAN | Mode | +|------|--------|------|------| +| 1 | Uplink to HAP1 | Trunk | Tagged (all VLANs) | +| 2-8 | Room ports | TBD | Access | +| SFP1 | ZX1 Backbone | Trunk | Tagged 
(all VLANs) | + +### 3.2 ZX1 VLAN Setup + +**Port Assignments:** +| Port | Device | VLAN | Mode | +|------|--------|------|------| +| 1 | CSS326 Backbone | Trunk | Tagged (all VLANs) | +| 2 | Unraid | 10 | Access (Mgmt) | +| 3-8 | Other servers | TBD | Access | + +--- + +## Phase 4: Unraid Migration (CRITICAL) + +### The Challenge +- Unraid has IP 192.168.31.2 (will become 192.168.10.20) +- AdGuard container has IP 192.168.31.4 (will become 192.168.10.10) +- Many services reference these IPs +- DNS must remain functional throughout + +### Migration Strategy + +#### Option A: Dual-Stack Transition (Recommended) +1. Keep 192.168.31.0/24 network active during migration +2. Add VLAN 10 IP to Unraid as secondary +3. Update DNS/services to use new IP +4. Remove old IP after validation + +#### Option B: Big Bang (Risky) +1. Pre-configure everything +2. Enable VLAN filtering on switch +3. Pray everything works + +### Recommended Steps (Option A) + +**Step 1: Add secondary IP to Unraid** +```bash +# On Unraid, temporarily add VLAN interface +ip link add link eth0 name eth0.10 type vlan id 10 +ip addr add 192.168.10.20/24 dev eth0.10 +ip link set eth0.10 up +``` + +**Step 2: Configure ZX1 port for Unraid as trunk (temporarily)** +- Allow both untagged (VLAN 1) and tagged (VLAN 10) +- Unraid can then communicate on both networks + +**Step 3: Update AdGuard container** +```bash +# Update container to bind to new IP +docker network connect --ip 192.168.10.10 vlan10 adguardhome +``` + +**Step 4: Test connectivity** +- Ping 192.168.10.20 from router +- Ping 192.168.10.10 (AdGuard) +- Test DNS resolution via 192.168.10.10 + +**Step 5: Update DNS references** +- Update MikroTik DNS settings +- Update DHCP server DNS settings +- Update any hardcoded references + +**Step 6: Switch Unraid to access mode** +- Change ZX1 port to access mode VLAN 10 +- Unraid now only on VLAN 10 + +**Step 7: Remove old IP** +```bash +ip addr del 192.168.31.2/24 dev eth0 +ip link del eth0.10 +``` + +--- + 
+## Phase 5: Inter-VLAN Routing & Firewall + +### Default Policy +- All VLANs can reach Internet +- Management (10) can reach all VLANs +- Trusted (20) can reach IoT (30), Cameras (35), Servers (40) +- Kids (25) limited access (parental controls via AdGuard) +- IoT (30) isolated - Internet only +- Cameras (35) isolated - only NVR access +- Guest (50) isolated - Internet only + +### Firewall Rules (MikroTik) +```routeros +# Allow established/related +/ip firewall filter +add chain=forward connection-state=established,related action=accept + +# Management can access everything +add chain=forward src-address=192.168.10.0/24 action=accept + +# Trusted can access IoT, Cameras, Servers +add chain=forward src-address=192.168.20.0/24 dst-address=192.168.30.0/24 action=accept +add chain=forward src-address=192.168.20.0/24 dst-address=192.168.35.0/24 action=accept +add chain=forward src-address=192.168.20.0/24 dst-address=192.168.40.0/24 action=accept + +# IoT to Internet only (drop inter-VLAN) +add chain=forward src-address=192.168.30.0/24 dst-address=192.168.0.0/16 action=drop + +# Cameras to NVR only (future: add NVR IP) +add chain=forward src-address=192.168.35.0/24 dst-address=192.168.0.0/16 action=drop + +# Guest to Internet only +add chain=forward src-address=192.168.50.0/24 dst-address=192.168.0.0/16 action=drop + +# Drop everything else between VLANs +add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop +``` + +--- + +## Rollback Plan + +If migration fails: +1. Disable VLAN filtering on CSS326/ZX1 +2. All ports return to untagged VLAN 1 +3. Network returns to flat 192.168.31.0/24 +4. 
Restore original Unraid IP if changed + +### Quick Rollback Commands +```routeros +# Disable VLAN filtering (emergency) +/interface bridge set bridge vlan-filtering=no +``` + +--- + +## Pre-Migration Checklist + +- [ ] Backup MikroTik configuration +- [ ] Backup CSS326 configuration +- [ ] Backup ZX1 configuration +- [ ] Document current Unraid network config +- [ ] Test REST API access to router +- [ ] Verify all MAC addresses in device list +- [ ] Create all VLAN interfaces (disabled) +- [ ] Create all DHCP pools (disabled) +- [ ] Create all static leases +- [ ] Plan maintenance window (low usage time) + +--- + +## Migration Order + +1. **Night 1: Router Setup** + - Create VLANs, IPs, DHCP (all disabled) + - Create static leases + - Test with single device on VLAN 10 + +2. **Night 2: Switch Setup** + - Configure CSS326 VLANs (filtering off) + - Configure ZX1 VLANs (filtering off) + - Test trunk links + +3. **Night 3: Unraid Migration** + - Add VLAN 10 interface to Unraid + - Migrate AdGuard to new IP + - Update DNS references + - Test extensively + +4. **Night 4: Enable VLAN Filtering** + - Enable on CSS326 + - Enable on ZX1 + - Monitor for issues + +5. **Day 5+: Device Migration** + - Migrate devices VLAN by VLAN + - Start with IoT (least critical) + - End with Trusted (most critical) + +--- + +## Verification Tests + +After each phase, verify: +- [ ] DNS resolution works (nslookup google.com) +- [ ] Internet access works (ping 8.8.8.8) +- [ ] Local services accessible (Unraid web UI) +- [ ] DHCP working (release/renew gets expected IP) +- [ ] Inter-VLAN routing as expected
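Review bot: In the Phase 5 firewall rules, the isolation drops for IoT, Cameras and Guest (`dst-address=192.168.0.0/16 action=drop`) and the final catch-all drop also match 192.168.10.10, yet every `/ip dhcp-server network` entry in 1.5 hands out `dns-server=192.168.10.10`, so clients on VLANs 25, 30, 35 and 50 will get a DNS server they cannot reach and name resolution will fail as soon as filtering is enabled. Add explicit accepts for DNS before the drop rules, e.g. `add chain=forward dst-address=192.168.10.10 protocol=udp dst-port=53 action=accept` and the same for `protocol=tcp`, or point those VLANs at their own gateway IP and let the router forward to AdGuard. The same `192.168.0.0/16` catch-all also covers the legacy 192.168.31.0/24 network, which Option A keeps alive during the dual-stack transition, so either scope the drops to the seven new VLAN subnets or note in Phase 4 that the firewall rules are applied only after Step 7. Two smaller points: Step 3 runs `docker network connect --ip 192.168.10.10 vlan10 adguardhome` but the plan never shows the `vlan10` Docker network being created (parent interface and subnet should be documented), and the Overview names the router-hosted AdGuard (172.17.0.2) as primary DNS while the DHCP networks only advertise the Unraid instance, so the plan should state which server is authoritative after migration and whether a second `dns-server` entry is intended.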