jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add VLAN migration plan with Unraid transition strategy
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source
This commit is contained in:
Kaloyan Danchev
2026-01-25 20:34:15 +02:00
parent d931d607b0
commit 8757bccca0
1 changed files with 355 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

355
docs/04-VLAN-MIGRATION-PLAN.md Normal file
View File

@@ -0,0 +1,355 @@
# VLAN Migration Plan
**Created:** 2026-01-25
**Status:** Planning
**Risk Level:** High (DNS/Network critical)
---
## Overview
Migrate from flat 192.168.31.0/24 network to segmented VLANs while maintaining service continuity.
### Critical Dependencies
- **Unraid (192.168.31.2)** - Hosts 40+ Docker containers including AdGuard
- **AdGuard Unraid (192.168.31.4)** - Secondary DNS server
- **AdGuard MikroTik (172.17.0.2)** - Primary DNS server (container on router)
---
## Phase 1: Pre-Migration Setup (No Downtime)
### 1.1 Enable REST API on MikroTik
```routeros
/ip service set www-ssl disabled=no
/ip service set api-ssl disabled=no
```
### 1.2 Create VLAN Interfaces on Router
```routeros
# Create VLANs on bridge
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-trusted vlan-id=20
add interface=bridge name=vlan25-kids vlan-id=25
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan35-cameras vlan-id=35
add interface=bridge name=vlan40-servers vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50
```
### 1.3 Assign Gateway IPs to VLANs
```routeros
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.25.1/24 interface=vlan25-kids
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.35.1/24 interface=vlan35-cameras
add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest
```
### 1.4 Create DHCP Pools
```routeros
/ip pool
add name=pool-mgmt ranges=192.168.10.100-192.168.10.200
add name=pool-trusted ranges=192.168.20.100-192.168.20.200
add name=pool-kids ranges=192.168.25.100-192.168.25.200
add name=pool-iot ranges=192.168.30.100-192.168.30.200
add name=pool-cameras ranges=192.168.35.100-192.168.35.200
add name=pool-servers ranges=192.168.40.100-192.168.40.200
add name=pool-guest ranges=192.168.50.100-192.168.50.200
```
### 1.5 Create DHCP Servers
```routeros
/ip dhcp-server
add address-pool=pool-mgmt interface=vlan10-mgmt name=dhcp-mgmt
add address-pool=pool-trusted interface=vlan20-trusted name=dhcp-trusted
add address-pool=pool-kids interface=vlan25-kids name=dhcp-kids
add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot
add address-pool=pool-cameras interface=vlan35-cameras name=dhcp-cameras
add address-pool=pool-servers interface=vlan40-servers name=dhcp-servers
add address-pool=pool-guest interface=vlan50-guest name=dhcp-guest
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.10
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.10.10
add address=192.168.25.0/24 gateway=192.168.25.1 dns-server=192.168.10.10
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.10.10
add address=192.168.35.0/24 gateway=192.168.35.1 dns-server=192.168.10.10
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.10.10
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.10.10
```
---
## Phase 2: Static DHCP Leases (Pre-Migration)
Create static leases for all known devices BEFORE enabling VLANs.
### VLAN 10 - Management
```routeros
/ip dhcp-server lease
add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="XTRM-U Unraid" server=dhcp-mgmt
add address=192.168.10.10 mac-address=02:42:C0:A8:1F:04 comment="AdGuard Unraid" server=dhcp-mgmt
add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-mgmt
add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-mgmt
add address=192.168.10.4 mac-address=1C:2A:A3:1E:78:67 comment="ZX1" server=dhcp-mgmt
add address=192.168.10.11 mac-address=48:DA:35:6F:BE:50 comment="NanoKVM" server=dhcp-mgmt
```
### VLAN 20 - Trusted
```routeros
/ip dhcp-server lease
add address=192.168.20.10 mac-address=82:6D:FB:D9:E0:47 comment="Nora MacBook" server=dhcp-trusted
add address=192.168.20.11 mac-address=AA:ED:8B:2A:40:F1 comment="Kaloyan S25" server=dhcp-trusted
add address=192.168.20.13 mac-address=82:EC:EF:B5:F2:AF comment="Kaloyan MacBook WiFi" server=dhcp-trusted
add address=192.168.20.16 mac-address=08:92:04:C6:07:C5 comment="Kaloyan MacBook LAN" server=dhcp-trusted
add address=192.168.20.17 mac-address=1C:83:41:32:F3:AF comment="Kaloyan Gaming PC" server=dhcp-trusted
```
### VLAN 25 - Kids
```routeros
/ip dhcp-server lease
add address=192.168.25.12 mac-address=F2:B8:14:61:C8:27 comment="Dancho iPhone" server=dhcp-kids
add address=192.168.25.14 mac-address=90:91:64:70:0D:86 comment="Kimi Notebook" server=dhcp-kids
add address=192.168.25.15 mac-address=2A:2B:BA:86:D4:AF comment="Kimi iPhone" server=dhcp-kids
add address=192.168.25.18 mac-address=A4:D1:D2:7B:52:BE comment="Compusbg iPad" server=dhcp-kids
```
### VLAN 30 - IoT
```routeros
/ip dhcp-server lease
add address=192.168.30.10 mac-address=50:2C:C6:7A:55:39 comment="GREE AC" server=dhcp-iot
add address=192.168.30.11 mac-address=B0:37:95:79:AF:9B comment="LG TV LAN" server=dhcp-iot
add address=192.168.30.12 mac-address=DC:03:98:6B:5A:3A comment="LG TV WiFi" server=dhcp-iot
add address=192.168.30.13 mac-address=D0:E7:82:F7:65:DD comment="Chromecast" server=dhcp-iot
add address=192.168.30.14 mac-address=B0:4A:39:3F:9A:14 comment="Roborock Vacuum" server=dhcp-iot
add address=192.168.30.20 mac-address=94:27:70:1E:0C:EE comment="Bosch Oven" server=dhcp-iot
add address=192.168.30.21 mac-address=C8:D7:78:40:65:40 comment="Bosch Dishwasher" server=dhcp-iot
add address=192.168.30.22 mac-address=C8:D7:78:D6:DC:FC comment="Bosch Washer" server=dhcp-iot
add address=192.168.30.31 mac-address=18:DE:50:5B:C8:A6 comment="Tuya Device 1" server=dhcp-iot
add address=192.168.30.32 mac-address=38:1F:8D:04:6F:E4 comment="Tuya Device 2" server=dhcp-iot
add address=192.168.30.38 mac-address=D4:AD:FC:BE:13:B0 comment="Intellirocks" server=dhcp-iot
add address=192.168.30.39 mac-address=C8:5C:CC:52:EA:53 comment="Xiaomi Air Purifier" server=dhcp-iot
```
### VLAN 35 - Cameras
```routeros
/ip dhcp-server lease
add address=192.168.35.10 mac-address=48:9E:9D:0E:16:F7 comment="Reolink Doorbell" server=dhcp-cameras
```
### VLAN 40 - Servers
```routeros
/ip dhcp-server lease
add address=192.168.40.19 mac-address=64:4E:D7:D8:43:3E comment="HP LaserJet" server=dhcp-servers
```
### VLAN 50 - Guest
```routeros
/ip dhcp-server lease
add address=192.168.50.10 mac-address=AC:87:A3:77:8F:BD comment="Unknown Apple" server=dhcp-guest
add address=192.168.50.11 mac-address=22:4C:7F:1D:85:8E comment="Unknown Random MAC" server=dhcp-guest
add address=192.168.50.12 mac-address=D0:C9:07:92:1A:8E comment="Unknown Private 1" server=dhcp-guest
add address=192.168.50.13 mac-address=D0:C9:07:8C:C9:46 comment="Unknown Private 2" server=dhcp-guest
```
---
## Phase 3: Switch Configuration
### 3.1 CSS326 VLAN Setup
**Port Assignments:**
| Port | Device | VLAN | Mode |
|------|--------|------|------|
| 1 | Uplink to HAP1 | Trunk | Tagged (all VLANs) |
| 2-8 | Room ports | TBD | Access |
| SFP1 | ZX1 Backbone | Trunk | Tagged (all VLANs) |
### 3.2 ZX1 VLAN Setup
**Port Assignments:**
| Port | Device | VLAN | Mode |
|------|--------|------|------|
| 1 | CSS326 Backbone | Trunk | Tagged (all VLANs) |
| 2 | Unraid | 10 | Access (Mgmt) |
| 3-8 | Other servers | TBD | Access |
---
## Phase 4: Unraid Migration (CRITICAL)
### The Challenge
- Unraid has IP 192.168.31.2 (will become 192.168.10.20)
- AdGuard container has IP 192.168.31.4 (will become 192.168.10.10)
- Many services reference these IPs
- DNS must remain functional throughout
### Migration Strategy
#### Option A: Dual-Stack Transition (Recommended)
1. Keep 192.168.31.0/24 network active during migration
2. Add VLAN 10 IP to Unraid as secondary
3. Update DNS/services to use new IP
4. Remove old IP after validation
#### Option B: Big Bang (Risky)
1. Pre-configure everything
2. Enable VLAN filtering on switch
3. Pray everything works
### Recommended Steps (Option A)
**Step 1: Add secondary IP to Unraid**
```bash
# On Unraid, temporarily add VLAN interface
ip link add link eth0 name eth0.10 type vlan id 10
ip addr add 192.168.10.20/24 dev eth0.10
ip link set eth0.10 up
```
**Step 2: Configure ZX1 port for Unraid as trunk (temporarily)**
- Allow both untagged (VLAN 1) and tagged (VLAN 10)
- Unraid can then communicate on both networks
**Step 3: Update AdGuard container**
```bash
# Update container to bind to new IP
docker network connect --ip 192.168.10.10 vlan10 adguardhome
```
**Step 4: Test connectivity**
- Ping 192.168.10.20 from router
- Ping 192.168.10.10 (AdGuard)
- Test DNS resolution via 192.168.10.10
**Step 5: Update DNS references**
- Update MikroTik DNS settings
- Update DHCP server DNS settings
- Update any hardcoded references
**Step 6: Switch Unraid to access mode**
- Change ZX1 port to access mode VLAN 10
- Unraid now only on VLAN 10
**Step 7: Remove old IP**
```bash
ip addr del 192.168.31.2/24 dev eth0
ip link del eth0.10
```
---
## Phase 5: Inter-VLAN Routing & Firewall
### Default Policy
- All VLANs can reach Internet
- Management (10) can reach all VLANs
- Trusted (20) can reach IoT (30), Cameras (35), Servers (40)
- Kids (25) limited access (parental controls via AdGuard)
- IoT (30) isolated - Internet only
- Cameras (35) isolated - only NVR access
- Guest (50) isolated - Internet only
### Firewall Rules (MikroTik)
```routeros
# Allow established/related
/ip firewall filter
add chain=forward connection-state=established,related action=accept
# Management can access everything
add chain=forward src-address=192.168.10.0/24 action=accept
# Trusted can access IoT, Cameras, Servers
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.30.0/24 action=accept
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.35.0/24 action=accept
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.40.0/24 action=accept
# IoT to Internet only (drop inter-VLAN)
add chain=forward src-address=192.168.30.0/24 dst-address=192.168.0.0/16 action=drop
# Cameras to NVR only (future: add NVR IP)
add chain=forward src-address=192.168.35.0/24 dst-address=192.168.0.0/16 action=drop
# Guest to Internet only
add chain=forward src-address=192.168.50.0/24 dst-address=192.168.0.0/16 action=drop
# Drop everything else between VLANs
add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
```
---
## Rollback Plan
If migration fails:
1. Disable VLAN filtering on CSS326/ZX1
2. All ports return to untagged VLAN 1
3. Network returns to flat 192.168.31.0/24
4. Restore original Unraid IP if changed
### Quick Rollback Commands
```routeros
# Disable VLAN filtering (emergency)
/interface bridge set bridge vlan-filtering=no
```
---
## Pre-Migration Checklist
- [ ] Backup MikroTik configuration
- [ ] Backup CSS326 configuration
- [ ] Backup ZX1 configuration
- [ ] Document current Unraid network config
- [ ] Test REST API access to router
- [ ] Verify all MAC addresses in device list
- [ ] Create all VLAN interfaces (disabled)
- [ ] Create all DHCP pools (disabled)
- [ ] Create all static leases
- [ ] Plan maintenance window (low usage time)
---
## Migration Order
1. **Night 1: Router Setup**
- Create VLANs, IPs, DHCP (all disabled)
- Create static leases
- Test with single device on VLAN 10
2. **Night 2: Switch Setup**
- Configure CSS326 VLANs (filtering off)
- Configure ZX1 VLANs (filtering off)
- Test trunk links
3. **Night 3: Unraid Migration**
- Add VLAN 10 interface to Unraid
- Migrate AdGuard to new IP
- Update DNS references
- Test extensively
4. **Night 4: Enable VLAN Filtering**
- Enable on CSS326
- Enable on ZX1
- Monitor for issues
5. **Day 5+: Device Migration**
- Migrate devices VLAN by VLAN
- Start with IoT (least critical)
- End with Trusted (most critical)
---
## Verification Tests
After each phase, verify:
- [ ] DNS resolution works (nslookup google.com)
- [ ] Internet access works (ping 8.8.8.8)
- [ ] Local services accessible (Unraid web UI)
- [ ] DHCP working (release/renew gets expected IP)
- [ ] Inter-VLAN routing as expected