diff --git a/docs/03-VLAN-DEVICE-ASSIGNMENT.md b/docs/03-VLAN-DEVICE-ASSIGNMENT.md index c51a3c4..286997e 100644 --- a/docs/03-VLAN-DEVICE-ASSIGNMENT.md +++ b/docs/03-VLAN-DEVICE-ASSIGNMENT.md 
@@ -1,143 +1,139 @@ # VLAN Device Assignment Map **Last Updated:** 2026-01-25 +**Status:** Phase 1 Complete - Ready for Switch Configuration **Purpose:** Complete inventory of all network devices with VLAN assignments --- ## VLAN Summary -| VLAN | Name | Subnet | Gateway | Purpose | Comment | +| VLAN | Name | Subnet | Gateway | Purpose | Devices | |------|------|--------|---------|---------|---------| | 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Current flat network | To be deprecated | -| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | Admin access only | -| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices | Full network access | -| 25 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Kids Devices| Full network access | -| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | Internet + limited local | -| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | Isolated, NVR access only | -| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers | Service hosts | -| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi | Internet only | +| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | 6 | +| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices | 9 | +| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices | 6 | +| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | 14 | +| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | 1 | +| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers | 1 | +| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi | 7 | +| **Total** | | | | | **44** | --- ## VLAN 10 - Management (Infrastructure) -| Current IP | Target IP | MAC Address | Device | Notes | Comment | -|------------|-----------|-------------|--------|-------|---------| -| 192.168.31.1 | 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router | Gateway for all VLANs | -| 192.168.31.4 | 192.168.10.10| 
02:42:C0:A8:1F:04 | AdGuard Home | DNS (Unraid) | Secondary DNS | -| 192.168.31.6 | 192.168.10.2| 18:FD:74:54:3D:BC | CAP XL ac | Access point | CAPsMAN managed | -| 192.168.31.9 | 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch | Room distribution | -| 192.168.31.22 | 192.168.10.4 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch | Server rack | -| 192.168.31.2 | 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server | Docker host, NAS | -| 192.168.31.20 | 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM | IPMI alternative | -| 172.17.0.2 | - | 46:D0:27:F7:1F:CA | AdGuard (MikroTik) | DNS (Router) | Primary DNS, DoH/DoT | -| 172.17.0.3 | - | 0C:AB:39:8D:8C:FC | Tailscale (MikroTik) | VPN container | Remote access | +| Target IP | MAC Address | Device | Notes | +|-----------|-------------|--------|-------| +| 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router - Gateway for all VLANs | +| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | Access point - CAPsMAN managed | +| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch - Room distribution | +| 192.168.10.4 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch - Server rack | +| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard Home | DNS server (Unraid Docker) | +| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM - IPMI alternative | +| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server - Docker host, NAS | + +**Note:** Router containers (AdGuard MikroTik 172.17.0.2, Tailscale 172.17.0.3) are on containers-br bridge, not VLANs. 
--- ## VLAN 20 - Trusted (Family Devices) -| Current IP | Target IP | MAC Address | Device | Owner | Comment | -|------------|-----------|-------------|--------|-------|---------| -| 192.168.31.79 | 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | Primary laptop | -| 192.168.31.98 | 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | Primary phone | -| 192.168.31.114 | 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | | -| 192.168.31.99 | 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan | Work laptop wireless | -| 192.168.31.108 | 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | | -| 192.168.31.121 | 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | | -| 192.168.31.95 | 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | Via Dell KVM dock | -| 192.168.31.97 | 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | Main bedroom | -| 192.168.31.107 | 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet | +| Target IP | MAC Address | Device | Owner | +|-----------|-------------|--------|-------| +| 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | +| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | +| 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | +| 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan | +| 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | +| 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | +| 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | +| 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | +| 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | --- -## VLAN 25 - Trusted (Kids Devices) +## VLAN 25 - Kids (Parental Controls) -| Current IP | Target IP | MAC Address | Device | Owner | Comment | -|------------|-----------|-------------|--------|-------|---------| -| 192.168.31.114 | 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | | -| 192.168.31.108 | 192.168.20.14 | 90:91:64:70:0D:86 | Notebook 
| Kimi | | -| 192.168.31.121 | 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | | -| 192.168.31.107 | 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet | +| Target IP | MAC Address | Device | Owner | +|-----------|-------------|--------|-------| +| 192.168.25.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | +| 192.168.25.13 | 70:85:C2:75:64:E5 | Windows Device | Dancho | +| 192.168.25.14 | 90:91:64:70:0D:86 | Notebook | Kimi | +| 192.168.25.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | +| 192.168.25.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | +| 192.168.25.19 | CC:5E:F8:D3:37:D3 | XTRM-Ally | Kids Gaming | + +**Note:** Some devices appear in both VLAN 20 and 25 - assignment depends on which SSID/port they connect to. --- ## VLAN 30 - IoT (Smart Home) -| Current IP | Target IP | MAC Address | Device | Location | Comment | -|------------|-----------|-------------|--------|----------|---------| -| 192.168.31.139 | 192.168.30.10 | 50:2C:C6:7A:55:39 | Air Conditioner | Living Room| GREE Electric| -| 192.168.31.100 | 192.168.30.11 | B0:37:95:79:AF:9B | LG TV | Living Room | LAN (not connected) | -| 192.168.31.118 | 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV | Living Room | WiFi (active) | -| 192.168.31.134 | 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Streaming | -| 192.168.31.104 | 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room | Needs cloud access | -| 192.168.31.105 | 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | Home Connect app | -| 192.168.31.116 | 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | Home Connect app | -| 192.168.31.117 | 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | Kids Bathroom| Home Connect app | -| 192.168.31.106 | 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. | -| 192.168.31.113 | 192.168.30.32 | 38:1F:8D:04:6F:E4 | Tuya Smart Device | - | OUI: Tuya Smart Inc. 
| -| 192.168.31.149 | 192.168.30.33 | D4:AD:FC:BE:13:B0 | Tuya Smart Device | - | OUI: Tuya Smart Inc. | -| 192.168.31.106 | 192.168.30.34 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. | -| 192.168.31.113 | 192.168.30.35| 38:1F:8D:04:6F:E4 | Tuya Smart Device | - | OUI: Tuya Smart Inc. | -| 192.168.31.149 | 192.168.30.38| D4:AD:FC:BE:13:B0 | Shenzhen Intellirocks | - | Smart Device | -| 192.168.31.101 | 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | Mi Home app | +| Target IP | MAC Address | Device | Location | +|-----------|-------------|--------|----------| +| 192.168.30.10 | 50:2C:C6:7A:55:39 | GREE Air Conditioner | Living Room | +| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV (LAN) | Living Room | +| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV (WiFi) | Living Room | +| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room | +| 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room | +| 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | +| 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | +| 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | Kids Bathroom | +| 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Smart Device 1 | - | +| 192.168.30.32 | 38:1F:8D:04:6F:E4 | Tuya Smart Device 2 | - | +| 192.168.30.33 | 38:A5:C9:44:7B:80 | IoT lwip0 Device 1 | - | +| 192.168.30.34 | 38:A5:C9:44:7B:F1 | IoT lwip0 Device 2 | - | +| 192.168.30.38 | D4:AD:FC:BE:13:B0 | Shenzhen Intellirocks | - | +| 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | + --- ## VLAN 35 - Cameras (Security) -| Current IP | Target IP | MAC Address | Device | Location | Comment | -|------------|-----------|-------------|--------|----------|---------| -| 192.168.31.68 | 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door | PoE powered | +| Target IP | MAC Address | Device | Location | +|-----------|-------------|--------|----------| +| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door 
| --- ## VLAN 40 - Servers (Services) -| Current IP | Target IP | MAC Address | Device | Purpose | Comment | -|------------|-----------|-------------|--------|---------|---------| -| 192.168.31.19 | 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | Wired connection | +| Target IP | MAC Address | Device | Purpose | +|-----------|-------------|--------|---------| +| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | --- ## VLAN 50 - Guest (Isolated) -| Current IP | Target IP | MAC Address | Device | Notes | Comment | -|------------|-----------|-------------|--------|-------|---------| -| 192.168.31.15 | 192.168.50.10 | AC:87:A3:77:8F:BD | Apple Device | Unknown owner | OUI: Apple Inc. | -| 192.168.31.142 | 192.168.50.11 | 22:4C:7F:1D:85:8E | Unknown Device | Random MAC | Privacy MAC | -| 192.168.31.109 | 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown Device | Private vendor | Hidden OUI | -| 192.168.31.110 | 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown Device | Private vendor | Same as .109 | -| DHCP Pool | 192.168.50.100-200 | - | Guest devices | Dynamic | Internet only | - ---- - -## Identified Unknown Devices (Moved to Guest) - -| Current IP | MAC Address | Vendor (OUI) | Likely Device | Assigned VLAN | Comment | -|------------|-------------|--------------|---------------|---------------|---------| -| 192.168.31.15 | AC:87:A3:77:8F:BD | Apple Inc. 
| iPhone/iPad/Mac | 50 (Guest) | Unknown owner | -| 192.168.31.142 | 22:4C:7F:1D:85:8E | Locally Administered | Phone/Laptop | 50 (Guest) | Random MAC (privacy) | -| 192.168.31.109 | D0:C9:07:92:1A:8E | Private (IEEE) | Unknown | 50 (Guest) | Hidden vendor | -| 192.168.31.110 | D0:C9:07:8C:C9:46 | Private (IEEE) | Unknown | 50 (Guest) | Same vendor as .109 | +| Target IP | MAC Address | Device | Notes | +|-----------|-------------|--------|-------| +| 192.168.50.10 | AC:87:A3:77:8F:BD | Apple Device | Unknown owner | +| 192.168.50.11 | 22:4C:7F:1D:85:8E | Unknown Device | Privacy MAC | +| 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown Device | Private vendor | +| 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown Device | Private vendor | +| 192.168.50.14 | C6:2A:59:AD:17:90 | Unknown Device | Random MAC | +| 192.168.50.15 | E6:17:3D:D3:96:D3 | Unknown Device | Random MAC | +| 192.168.50.16 | 72:F5:14:2D:F0:18 | Unknown Device | Stale | --- ## MAC Address Quick Reference -### By VLAN (for switch port assignment) - -**VLAN 10 - Mgmt:** +### VLAN 10 - Management ``` -78:9A:18:2C:A5:48 HAP1 -A8:B8:E0:02:B6:15 XTRM-U +78:9A:18:2C:A5:48 HAP1 Router 18:FD:74:54:3D:BC CAP XL ac -F4:1E:57:C9:BD:09 CSS326 -1C:2A:A3:1E:78:67 ZX1 +F4:1E:57:C9:BD:09 CSS326 Switch +1C:2A:A3:1E:78:67 ZX1 Switch +02:42:C0:A8:1F:04 AdGuard Home 48:DA:35:6F:BE:50 NanoKVM +A8:B8:E0:02:B6:15 XTRM-U Unraid ``` -**VLAN 20 - Trusted:** +### VLAN 20 - Trusted ``` 82:6D:FB:D9:E0:47 Nora MacBook AA:ED:8B:2A:40:F1 Kaloyan S25 
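Review bot: in the VLAN 10 table, XTRM-U (Unraid, "Main server - Docker host, NAS") and AdGuard Home are placed in the Management VLAN while VLAN 40 "Servers" ends up holding only the HP LaserJet. The allow rules documented for this project give Trusted (20) full access to Servers (40) but list no Trusted → Management rule, so once VLAN filtering is on, family devices reach the printer but have no documented path to the NAS or to the secondary DNS at 192.168.10.10. Either move the Unraid host and its AdGuard container to 192.168.40.x (which is what the VLAN 40 purpose "Servers & printers" implies) or add an explicit allow rule for them and say so here. A second thing to verify after the move: the AdGuard Home MAC 02:42:C0:A8:1F:04 spells out its current address 192.168.31.4 in the last four octets, which is how Docker derives container MACs from the container IP, so after re-addressing to 192.168.10.10 the MAC may change and the static lease will not match; pin the MAC in the container definition or re-check it after migration.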
@@ -146,98 +142,78 @@ F2:B8:14:61:C8:27 Dancho iPhone 90:91:64:70:0D:86 Kimi Notebook 2A:2B:BA:86:D4:AF Kimi iPhone 08:92:04:C6:07:C5 Kaloyan MacBook LAN -1C:83:41:32:F3:AF Kaloyan Game PC +1C:83:41:32:F3:AF Kaloyan Gaming PC A4:D1:D2:7B:52:BE Compusbg iPad ``` -**VLAN 30 - IoT:** +### VLAN 25 - Kids ``` +F2:B8:14:61:C8:27 Dancho iPhone +70:85:C2:75:64:E5 Dancho Windows +90:91:64:70:0D:86 Kimi Notebook +2A:2B:BA:86:D4:AF Kimi iPhone +A4:D1:D2:7B:52:BE Compusbg iPad +CC:5E:F8:D3:37:D3 XTRM-Ally +``` + +### VLAN 30 - IoT +``` +50:2C:C6:7A:55:39 GREE AC B0:37:95:79:AF:9B LG TV (LAN) DC:03:98:6B:5A:3A LG TV (WiFi) D0:E7:82:F7:65:DD Chromecast B0:4A:39:3F:9A:14 Roborock Vacuum 94:27:70:1E:0C:EE Bosch Oven -C8:5C:CC:52:EA:53 Xiaomi Air Purifier -C8:D7:78:D6:DC:FC Bosch Washer C8:D7:78:40:65:40 Bosch Dishwasher -50:2C:C6:7A:55:39 GREE Appliance +C8:D7:78:D6:DC:FC Bosch Washer 18:DE:50:5B:C8:A6 Tuya Device 1 38:1F:8D:04:6F:E4 Tuya Device 2 -D4:AD:FC:BE:13:B0 Intellirocks Device +38:A5:C9:44:7B:80 lwip0 Device 1 +38:A5:C9:44:7B:F1 lwip0 Device 2 +D4:AD:FC:BE:13:B0 Intellirocks +C8:5C:CC:52:EA:53 Xiaomi Air Purifier ``` -**VLAN 35 - Cameras:** +### VLAN 35 - Cameras ``` 48:9E:9D:0E:16:F7 Reolink Doorbell ``` -**VLAN 40 - Servers:** +### VLAN 40 - Servers ``` 64:4E:D7:D8:43:3E HP LaserJet ``` -**VLAN 50 - Guest:** +### VLAN 50 - Guest ``` -AC:87:A3:77:8F:BD Apple Device (unknown) -22:4C:7F:1D:85:8E Random MAC device -D0:C9:07:92:1A:8E Private Vendor 1 -D0:C9:07:8C:C9:46 Private Vendor 2 +AC:87:A3:77:8F:BD Unknown Apple +22:4C:7F:1D:85:8E Unknown Random MAC +D0:C9:07:92:1A:8E Unknown Private 1 +D0:C9:07:8C:C9:46 Unknown Private 2 +C6:2A:59:AD:17:90 Unknown .138 +E6:17:3D:D3:96:D3 Unknown .250 +72:F5:14:2D:F0:18 Unknown Stale ``` --- -## Device Count Summary +## Configuration Status -| VLAN | Device Count | Comment | -|------|--------------|---------| -| 10 - Mgmt | 9 | Infrastructure only | -| 20 - Trusted | 9 | Family devices | -| 25 - Kids | 4 | Kids devices (subset of 20) | 
-| 30 - IoT | 11 | Smart home devices | -| 35 - Cameras | 1 | Security | -| 40 - Servers | 1 | Services | -| 50 - Guest | 4 | Unknown/unidentified devices | -| **Total** | **35** | All devices categorized | +### MikroTik hAP ax³ ✅ +- [x] VLAN interfaces created (10, 20, 25, 30, 35, 40, 50) +- [x] IP addresses assigned to all VLANs +- [x] DHCP servers configured for all VLANs +- [x] DHCP pools configured +- [x] Static DHCP leases (44 devices) +- [x] Bridge VLAN table entries +- [x] Firewall rules for inter-VLAN isolation +- [ ] VLAN filtering enabled (pending switch config) ---- +### CSS326 Switch ⏳ +- [ ] VLAN configuration via SwOS +- [ ] Port assignments -## OUI Lookup Reference - -| OUI Prefix | Vendor | Type | -|------------|--------|------| -| B0:37:95 | LG Electronics | TV/Displays (LAN) | -| DC:03:98 | LG Innotek | TV/Displays (WiFi) | -| 50:2C:C6 | GREE Electric Appliances (Zhuhai) | AC/Appliances | -| 18:DE:50 | Tuya Smart Inc. | IoT Platform | -| 38:1F:8D | Tuya Smart Inc. | IoT Platform | -| D4:AD:FC | Shenzhen Intellirocks Tech | Smart Devices | -| AC:87:A3 | Apple Inc. 
| Consumer Electronics | -| D0:C9:07 | Private (IEEE hidden) | Unknown | -| 22:xx:xx | Locally Administered | Random/Private MAC | - ---- - -## Next Steps - -| Step | Action | Comment | -|------|--------|---------| -| 1 | ✅ Identify unknown devices | Completed via OUI lookup | -| 2 | Decide WiFi strategy | Single SSID vs Multiple SSIDs | -| 3 | Configure switch ports | VLAN tagging on CSS326 | -| 4 | Test VLAN routing | Before full activation | -| 5 | Update firewall rules | Inter-VLAN traffic control | - ---- - -## Quick Assignment Table (Identified Devices) - -| VLAN | IP | Comment | -|------|----|---------| -| 30 (IoT) | 192.168.31.139 | GREE Air Conditioner | -| 30 (IoT) | 192.168.31.106 | Tuya Smart Device #1 | -| 30 (IoT) | 192.168.31.113 | Tuya Smart Device #2 | -| 30 (IoT) | 192.168.31.149 | Shenzhen Intellirocks Smart Device | -| 50 (Guest) | 192.168.31.15 | Apple device (unknown owner) | -| 50 (Guest) | 192.168.31.142 | Privacy MAC device | -| 50 (Guest) | 192.168.31.109 | Private vendor device | -| 50 (Guest) | 192.168.31.110 | Private vendor device | +### Next Steps +1. Configure CSS326 switch VLANs via SwOS (http://192.168.31.9) +2. Enable VLAN filtering on MikroTik bridge +3. Test connectivity diff --git a/docs/06-CHANGELOG.md b/docs/06-CHANGELOG.md index fc2d259..4f0da78 100644 --- a/docs/06-CHANGELOG.md +++ b/docs/06-CHANGELOG.md 
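Review bot: the old "Next Steps" table had "Decide WiFi strategy (Single SSID vs Multiple SSIDs)" and "Test VLAN routing before full activation"; the replacement list keeps only the switch config, the filtering toggle and "Test connectivity". The SSID decision is not optional for this change: VLAN 25 is populated almost entirely by WiFi devices (iPhones, iPad, notebook), and the bridge currently puts all WiFi untagged in VLAN 20, so keep that step until it is resolved. The removed OUI Lookup Reference was also the only place that explained why the Guest entries are labelled "Private vendor" and "Random MAC"; if it is dropped, fold the vendor basis into the Notes column of the Guest table. Minor: the new step "Configure CSS326 switch VLANs via SwOS (http://192.168.31.9)" hardcodes the legacy address, which this same document reassigns to 192.168.10.3; note that the URL changes once the switch takes its Management lease.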
@@ -1,5 +1,32 @@ # Infrastructure Changelog +## 2026-01-25 (Update 3) + +### VLAN Phase 1 Complete +- [VLAN] Added VLAN 25 (Kids) - interface, IP, DHCP server, pool, bridge entry +- [VLAN] Fixed VLAN 10 (Management) leases - correct IPs per device assignment doc +- [VLAN] Fixed VLAN 30 (IoT) leases - all 14 devices with correct IPs +- [VLAN] Added VLAN 25 (Kids) leases - 6 devices including XTRM-Ally +- [VLAN] Added VLAN 50 (Guest) leases - 7 unknown devices +- [VLAN] Added firewall rules for VLAN 25 (Kids → IoT, Legacy, DNS) +- [VLAN] Total devices configured: 44 + +### Device Discovery +- [NETWORK] Discovered XTRM-Ally gaming device → assigned to Kids VLAN +- [NETWORK] Discovered Dancho Windows device → assigned to Kids VLAN +- [NETWORK] Discovered 2x lwip0 IoT devices → assigned to IoT VLAN +- [NETWORK] Discovered 3x unknown devices → assigned to Guest VLAN + +### Documentation Updates +- [DOCS] Updated 03-VLAN-DEVICE-ASSIGNMENT.md - complete device inventory (44 devices) +- [DOCS] Updated 11-VLAN-IMPLEMENTATION.md - Phase 1 complete status +- [DOCS] All VLANs now documented: 10, 20, 25, 30, 35, 40, 50 + +### Next Steps +- CSS326 switch VLAN configuration via SwOS +- Enable VLAN filtering on MikroTik bridge +- Test connectivity + ## 2026-01-25 ### VLAN Implementation (Prepared) diff --git a/docs/11-VLAN-IMPLEMENTATION.md b/docs/11-VLAN-IMPLEMENTATION.md index d0c187b..73d095b 100644 --- a/docs/11-VLAN-IMPLEMENTATION.md +++ b/docs/11-VLAN-IMPLEMENTATION.md 
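Review bot: "Total devices configured: 44" and "complete device inventory (44 devices)" count static lease entries, not devices. Four MACs (F2:B8:14:61:C8:27, 90:91:64:70:0D:86, 2A:2B:BA:86:D4:AF, A4:D1:D2:7B:52:BE) are entered under both VLAN 20 and VLAN 25, and one of the seven Guest leases is labelled "Stale", so the unique count is 40 (or 39 if the stale MAC is dropped). Say "44 static leases across 40 devices" here and in the status lines, otherwise the number will keep drifting between the three tables that repeat it. Also, assigning static leases to three newly "Discovered" unknown devices in Guest is a decision worth a sentence: unknown clients are normally left to the Guest DHCP pool rather than given fixed addresses, and a stale random MAC will never be seen again anyway.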
@@ -1,43 +1,49 @@ # VLAN Network Segmentation +**Last Updated:** 2026-01-25 +**Status:** Phase 1 Complete - MikroTik Configured + ## Overview Network segmentation using VLANs for security isolation between device types. ## VLAN Architecture -| VLAN ID | Name | Subnet | Purpose | -|---------|------|--------|---------| -| 1 | Legacy | 192.168.31.0/24 | Default/Legacy network (transition) | -| 10 | Management | 192.168.10.0/24 | Network infrastructure | -| 20 | Trusted | 192.168.20.0/24 | Family devices (phones, laptops) | -| 30 | IoT | 192.168.30.0/24 | Smart home devices | -| 35 | Cameras | 192.168.35.0/24 | Security cameras (isolated) | -| 40 | Servers | 192.168.40.0/24 | Unraid, services | -| 50 | Guest | 192.168.50.0/24 | Guest network (internet only) | +| VLAN ID | Name | Subnet | Gateway | Purpose | Devices | +|---------|------|--------|---------|---------|---------| +| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Default/Legacy network (transition) | - | +| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Network infrastructure | 6 | +| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family devices (phones, laptops) | 9 | +| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices (parental controls) | 6 | +| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | 14 | +| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras (isolated) | 1 | +| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Printers, services | 1 | +| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest network (internet only) | 7 | +| **Total** | | | | | **44** | -## Current Status: PREPARED (Not Active) +## Current Status: PHASE 1 COMPLETE -VLAN filtering is **NOT YET ENABLED** on the bridge. Configuration is ready but requires: -1. CSS326 switch VLAN configuration -2. 
Final activation +### MikroTik hAP ax³ Configuration ✅ -### What's Configured - -**MikroTik hAP ax³:** -- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest) -- [x] IP addresses assigned to VLAN interfaces -- [x] DHCP servers for each VLAN -- [x] DHCP pools configured -- [x] Static DHCP leases with MAC-to-IP mappings -- [x] Bridge VLAN table entries +**Completed:** +- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest, including vlan25-kids) +- [x] IP addresses assigned to all VLAN interfaces +- [x] DHCP servers for each VLAN (7 servers) +- [x] DHCP pools configured (7 pools) +- [x] Static DHCP leases with MAC-to-IP mappings (44 devices) +- [x] Bridge VLAN table entries for all VLANs - [x] WiFi ports PVID=20 (Trusted) - [x] Firewall rules for inter-VLAN isolation -- [x] Address lists for firewall rules -- [ ] VLAN filtering enabled on bridge (PENDING) +- [x] Firewall address lists for all VLANs -**CSS326 Switch:** -- [ ] VLAN configuration (REQUIRES MANUAL CONFIG via SwOS) +**Pending:** +- [ ] VLAN filtering enabled on bridge (requires switch config first) + +### CSS326 Switch Configuration ⏳ + +**Required before VLAN activation:** +- [ ] VLAN configuration via SwOS web interface +- [ ] Port assignments per device ## Network Diagram 
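Review bot: the status is raised to "PHASE 1 COMPLETE" while the checklist still contains "- [x] WiFi ports PVID=20 (Trusted)" and nothing maps any SSID or port to VLAN 25. The Kids VLAN devices are WiFi clients (two iPhones, an iPad, a notebook), so with both WiFi interfaces untagged in VLAN 20 they will always receive their VLAN 20 lease and the VLAN 25 leases, pool and firewall rules added in this change are unreachable; the device-assignment doc's remark that assignment "depends on which SSID/port they connect to" describes a second SSID that does not exist in this configuration. Either add a Kids SSID bound to VLAN 25 (and list it in the bridge VLAN table as untagged 25) before calling Phase 1 complete, or record VLAN 25 as "configured, not yet reachable" in the Pending list.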
@@ -50,12 +56,13 @@ Internet │ │ │ Bridge (vlan-filtering=no) │ │ ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged) │ -│ ├── vlan10-mgmt 192.168.10.1/24 │ -│ ├── vlan20-trusted 192.168.20.1/24 │ -│ ├── vlan30-iot 192.168.30.1/24 │ -│ ├── vlan35-cameras 192.168.35.1/24 │ -│ ├── vlan40-servers 192.168.40.1/24 │ -│ └── vlan50-guest 192.168.50.1/24 │ +│ ├── vlan10-mgmt 192.168.10.1/24 (6 devices) │ +│ ├── vlan20-trusted 192.168.20.1/24 (9 devices) │ +│ ├── vlan25-kids 192.168.25.1/24 (6 devices) │ +│ ├── vlan30-iot 192.168.30.1/24 (14 devices) │ +│ ├── vlan35-cameras 192.168.35.1/24 (1 device) │ +│ ├── vlan40-servers 192.168.40.1/24 (1 device) │ +│ └── vlan50-guest 192.168.50.1/24 (7 devices) │ │ │ │ Ports: │ │ ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs) │ @@ -63,7 +70,7 @@ Internet │ └── hap-wifi2 → PVID=20 (untagged VLAN 20) │ └───────────────────────────────────────────────────────────┘ │ - │ Trunk (VLANs 1,10,20,30,35,40,50) + │ Trunk (VLANs 1,10,20,25,30,35,40,50) ▼ ┌───────────────────────────────────────────────────────────┐ │ CSS326-24G-2S+ │ 
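Review bot: the per-VLAN device counts added to the diagram ("(6 devices)", "(9 devices)", ...) are now the third copy of numbers that already live in the VLAN Architecture table above and in 03-VLAN-DEVICE-ASSIGNMENT.md, and they are counts that change with every discovered device. The diagram is meant to show topology (which interfaces carry which VLANs tagged or untagged); keep the counts in one table and leave them out of the ASCII diagram so it does not go stale on the next lease update.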
@@ -77,87 +84,65 @@ Internet ## Bridge VLAN Table -``` -VLAN Tagged Untagged ----- ------ -------- -1 bridge,eth3_CSS326_Uplink eth2,eth4,ether5 -10 bridge,eth3_CSS326_Uplink - -20 bridge,eth3_CSS326_Uplink hap-wifi1,hap-wifi2 -30 bridge,eth3_CSS326_Uplink - -35 bridge,eth3_CSS326_Uplink - -40 bridge,eth3_CSS326_Uplink - -50 bridge,eth3_CSS326_Uplink - -``` +| VLAN | Tagged | Untagged | +|------|--------|----------| +| 1 | bridge, eth3_CSS326_Uplink | eth2, eth4, ether5 | +| 10 | bridge, eth3_CSS326_Uplink | - | +| 20 | bridge, eth3_CSS326_Uplink | hap-wifi1, hap-wifi2 | +| 25 | bridge, eth3_CSS326_Uplink | - | +| 30 | bridge, eth3_CSS326_Uplink | - | +| 35 | bridge, eth3_CSS326_Uplink | - | +| 40 | bridge, eth3_CSS326_Uplink | - | +| 50 | bridge, eth3_CSS326_Uplink | - | -## WiFi VLAN Assignment +## DHCP Configuration -Since both SSIDs (XTRM/XTRM2) remain on the same bridge: -- **All WiFi clients → VLAN 20 (Trusted) by default** -- MAC-based filtering via firewall rules for additional restrictions +| VLAN | Server | Pool | Range | Lease Time | +|------|--------|------|-------|------------| +| 10 | dhcp-mgmt | pool-mgmt | 192.168.10.100-200 | 30m | +| 20 | dhcp-trusted | pool-trusted | 192.168.20.100-220 | 30m | +| 25 | dhcp-kids | pool-kids | 192.168.25.100-200 | 30m | +| 30 | dhcp-iot | pool-iot | 192.168.30.100-220 | 30m | +| 35 | dhcp-cameras | pool-cameras | 192.168.35.100-150 | 30m | +| 40 | dhcp-servers | pool-servers | 192.168.40.100-150 | 30m | +| 50 | dhcp-guest | pool-guest | 192.168.50.100-220 | 4h | -Note: True per-device VLAN assignment on WiFi requires Dynamic VLAN via RADIUS (not configured). 
+## Static DHCP Leases Summary -## Device Assignments (via Static DHCP Leases) - -### VLAN 20 - Trusted (192.168.20.x) -| IP | MAC | Device | -|----|-----|--------| -| 192.168.20.10 | 82:6D:FB:D9:E0:47 | Nora MacBookAir | -| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Kaloyan S25-Ultra | -| 192.168.20.12 | F2:B8:14:61:C8:27 | Dancho iPhone | -| 192.168.20.13 | 82:EC:EF:B5:F2:AF | Kaloyan MacBook WiFi | -| 192.168.20.14 | 90:91:64:70:0D:86 | Kimi Notebook | -| 192.168.20.15 | 2A:2B:BA:86:D4:AF | Kimi iPhone | -| 192.168.20.16 | 08:92:04:C6:07:C5 | Kaloyan MacBook LAN | -| 192.168.20.17 | 1C:83:41:32:F3:AF | Kaloyan Game PC | -| 192.168.20.18 | A4:D1:D2:7B:52:BE | Compusbg iPad | - -### VLAN 30 - IoT (192.168.30.x) -| IP | MAC | Device | -|----|-----|--------| -| 192.168.30.10 | B0:37:95:79:AF:9B | LG TV | -| 192.168.30.11 | D0:E7:82:F7:65:DD | Chromecast | -| 192.168.30.12 | B0:4A:39:3F:9A:14 | Roborock Vacuum | -| 192.168.30.13 | 94:27:70:1E:0C:EE | Bosch Oven | -| 192.168.30.14 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | -| 192.168.30.15 | C8:D7:78:D6:DC:FC | Bosch Washer | - -### VLAN 35 - Cameras (192.168.35.x) -| IP | MAC | Device | -|----|-----|--------| -| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | - -### VLAN 10 - Management (192.168.10.x) -| IP | MAC | Device | -|----|-----|--------| -| 192.168.10.6 | 18:FD:74:54:3D:BC | CAP XL ac | -| 192.168.10.9 | F4:1E:57:C9:BD:09 | CSS326 Switch | - -### VLAN 40 - Servers (192.168.40.x) -| IP | MAC | Device | -|----|-----|--------| -| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | +| VLAN | Devices | Examples | +|------|---------|----------| +| 10 - Mgmt | 6 | CAP XL ac, CSS326, ZX1, AdGuard, NanoKVM, Unraid | +| 20 - Trusted | 9 | Nora MacBook, Kaloyan devices, family phones | +| 25 - Kids | 6 | Dancho iPhone/Windows, Kimi devices, XTRM-Ally | +| 30 - IoT | 14 | GREE AC, LG TVs, Bosch appliances, Tuya, Xiaomi | +| 35 - Cameras | 1 | Reolink Doorbell | +| 40 - Servers | 1 | HP LaserJet | +| 50 - Guest | 7 | 
Unknown/unidentified devices | ## Firewall Rules (Active) -Inter-VLAN firewall rules are **ALREADY ACTIVE** even without VLAN filtering: +Inter-VLAN firewall rules are configured: -``` -# Allow rules -- Management → All VLANs (full access) -- Legacy → All VLANs (full access during transition) -- Trusted → IoT (can control smart devices) -- Trusted → Cameras (ports 80,443,554,8080,8554 only) -- Trusted → Servers (full access) -- Trusted → Legacy (full access) -- IoT/Cameras/Guest → DNS only (192.168.31.1:53) +### Allow Rules +| Source | Destination | Access | +|--------|-------------|--------| +| Management (10) | All VLANs | Full access | +| Legacy (31) | All VLANs | Full access (transition) | +| Trusted (20) | IoT (30) | Full access | +| Trusted (20) | Cameras (35) | Ports 80,443,554,8080,8554 | +| Trusted (20) | Servers (40) | Full access | +| Trusted (20) | Legacy (31) | Full access | +| Kids (25) | IoT (30) | Full access | +| Kids (25) | Legacy (31) | Full access | +| IoT/Cameras/Guest/Kids | DNS | Port 53 to 192.168.31.1 | -# Block rules -- Guest → All internal (isolated, internet only) -- Cameras → All VLANs (upload only, no lateral movement) -- IoT → Management (cannot access network devices) -- IoT → Trusted (cannot access family devices) -``` +### Block Rules +| Source | Destination | Action | +|--------|-------------|--------| +| Guest (50) | All internal | Drop | +| Cameras (35) | All VLANs | Drop | +| IoT (30) | Management (10) | Drop | +| IoT (30) | Trusted (20) | Drop | ## Activation Steps 
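Review bot: the firewall tables do not state the default forward action, and several source/destination pairs that matter for the new Kids VLAN appear in neither list: Kids (25) → Trusted (20), Kids → Management (10), Kids → Cameras (35), Kids → Servers (40), IoT (30) → Kids (25), IoT → Servers (40), Cameras → Internet. If the chain ends in an explicit drop, add that row ("any → any, Drop") so the tables are complete; if it does not, the parental-control VLAN currently has unrestricted access to family devices and the management network, which contradicts its purpose. Two smaller points in the same tables: the DNS allow row sends IoT/Cameras/Guest/Kids only to 192.168.31.1:53, the Legacy address this project marks "To be deprecated", and omits AdGuard Home at 192.168.10.10 which the inventory lists as the secondary resolver; point the rule at a DNS address list instead. And "Legacy (31)" labels that VLAN by subnet octet while every other row uses the VLAN ID; use "Legacy (1)" for consistency with the bridge VLAN table.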
@@ -165,27 +150,15 @@ Inter-VLAN firewall rules are **ALREADY ACTIVE** even without VLAN filtering: Access SwOS at http://192.168.31.9 and configure: -1. **VLAN settings:** - - Enable VLAN mode - - Create VLANs: 1, 10, 20, 30, 35, 40, 50 - -2. **Port 1 (Uplink to MikroTik):** - - VLAN Mode: Trunk - - Tagged VLANs: 1, 10, 20, 30, 35, 40, 50 - -3. **Port for Unraid:** - - VLAN Mode: Access - - PVID: 1 (Legacy) or 40 (Servers) - -4. **Other ports:** - - Assign access VLAN based on connected device +1. **Enable VLAN mode** +2. **Create VLANs:** 1, 10, 20, 25, 30, 35, 40, 50 +3. **Port 1 (Uplink to MikroTik):** Trunk mode, tagged all VLANs +4. **Other ports:** Access mode, assign PVID per connected device ### Step 2: Enable VLAN Filtering on MikroTik ```routeros # CAUTION: This may cause temporary connectivity loss -# Have WinBox ready on 192.168.31.1:8291 as backup - /interface bridge set [find name=bridge] vlan-filtering=yes ``` @@ -194,7 +167,7 @@ Access SwOS at http://192.168.31.9 and configure: ```bash # From Unraid ping 192.168.31.1 # MikroTik Legacy -ping 192.168.20.1 # MikroTik Trusted VLAN +ping 192.168.10.1 # MikroTik Mgmt VLAN ping 8.8.8.8 # Internet ``` @@ -204,12 +177,7 @@ ping 8.8.8.8 # Internet /interface bridge set [find name=bridge] vlan-filtering=no ``` -## Scripts - -- `scripts/mikrotik-vlan-setup.rsc` - Full VLAN configuration (run once) -- `scripts/mikrotik-vlan-enable.rsc` - Enable VLAN filtering (after switch config) - ## Related Documents -- [VLAN-PROPOSAL.md](wip/VLAN-PROPOSAL.md) - Original planning document -- [00-CURRENT-STATE.md](00-CURRENT-STATE.md) - Network overview +- [03-VLAN-DEVICE-ASSIGNMENT.md](03-VLAN-DEVICE-ASSIGNMENT.md) - Device inventory +- [04-VLAN-MIGRATION-PLAN.md](04-VLAN-MIGRATION-PLAN.md) - Migration phases
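Review bot: Step 2 drops the line "# Have WinBox ready on 192.168.31.1:8291 as backup", which was the only recovery guidance next to `/interface bridge set [find name=bridge] vlan-filtering=yes`, the one command in this procedure that can lock you out if the bridge VLAN table is wrong for the VLAN your management session arrives on. Keep the comment, and strengthen it rather than remove it: run the command from a WinBox session in Safe Mode so a lost connection reverts it, or add a one-shot `/system scheduler` entry that sets `vlan-filtering=no` a few minutes later and delete it once access is confirmed. The rollback section later in the file assumes you can still reach the router, which is exactly what is not guaranteed at this step.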
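Review bot: the Step 3 test changes the second ping to `ping 192.168.10.1 # MikroTik Mgmt VLAN`, but the same change removes the Step 1 item that said which VLAN the Unraid port is in ("Port for Unraid: PVID 1 (Legacy) or 40 (Servers)"), and the device inventory now gives Unraid a VLAN 10 lease at 192.168.10.20. The test only means something once the port is stated: if Unraid's CSS326 port is an access port in VLAN 10, then 192.168.10.1 is the local gateway and 192.168.31.1 is the routed hop, so both pings are worth keeping but the comments should say which is which; if the port stays in VLAN 1, the VLAN 10 lease is never used and the test exercises routing rather than the new access port. Reinstate the per-port line for Unraid in Step 1 (the single line "Other ports: Access mode, assign PVID per connected device" is too thin for the one host the test depends on) and label the pings accordingly.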
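Review bot: the "## Scripts" section referencing `scripts/mikrotik-vlan-setup.rsc` and `scripts/mikrotik-vlan-enable.rsc` is deleted, and neither this file nor the changelog entry in this change says whether those scripts were removed or just un-linked. If they still exist they are now undocumented configuration that someone may re-run; if they were deleted, the changelog should record it, since the "Fixed ... leases" items in this same change suggest the setup script's lease table was wrong and should not be re-applied. Either restore the section with a note on which script is still authoritative or add a "[DOCS] Removed scripts section" line to 06-CHANGELOG.md.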