jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

VLAN Phase 1 Complete: Added VLAN 25, configured 44 devices
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source 
- Added VLAN 25 (Kids) infrastructure on MikroTik
- Fixed all VLAN device leases to match assignment document
- Added newly discovered devices (XTRM-Ally, Dancho Windows, lwip0 IoT)
- Updated device assignment doc with 44 total devices
- Updated implementation doc with Phase 1 complete status
- Updated changelog with all changes

VLANs configured: 10, 20, 25, 30, 35, 40, 50
Next: CSS326 switch configuration
This commit is contained in:
XTRM-Unraid
2026-01-25 21:26:41 +02:00
parent 8757bccca0
commit a022d49c78
3 changed files with 251 additions and 280 deletions
Download Patch File Download Diff File Expand all files Collapse all files

226
docs/11-VLAN-IMPLEMENTATION.md
View File

@@ -1,43 +1,49 @@
# VLAN Network Segmentation
**Last Updated:** 2026-01-25
**Status:** Phase 1 Complete - MikroTik Configured
## Overview
Network segmentation using VLANs for security isolation between device types.
## VLAN Architecture
| VLAN ID | Name | Subnet | Purpose |
|---------|------|--------|---------|
| 1 | Legacy | 192.168.31.0/24 | Default/Legacy network (transition) |
| 10 | Management | 192.168.10.0/24 | Network infrastructure |
| 20 | Trusted | 192.168.20.0/24 | Family devices (phones, laptops) |
| 30 | IoT | 192.168.30.0/24 | Smart home devices |
| 35 | Cameras | 192.168.35.0/24 | Security cameras (isolated) |
| 40 | Servers | 192.168.40.0/24 | Unraid, services |
| 50 | Guest | 192.168.50.0/24 | Guest network (internet only) |
| VLAN ID | Name | Subnet | Gateway | Purpose | Devices |
|---------|------|--------|---------|---------|---------|
| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Default/Legacy network (transition) | - |
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Network infrastructure | 6 |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family devices (phones, laptops) | 9 |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices (parental controls) | 6 |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | 14 |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras (isolated) | 1 |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Printers, services | 1 |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest network (internet only) | 7 |
| **Total** | | | | | **44** |
## Current Status: PREPARED (Not Active)
## Current Status: PHASE 1 COMPLETE
VLAN filtering is **NOT YET ENABLED** on the bridge. Configuration is ready but requires:
1. CSS326 switch VLAN configuration
2. Final activation
### MikroTik hAP ax³ Configuration ✅
### What's Configured
**MikroTik hAP ax³:**
- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest)
- [x] IP addresses assigned to VLAN interfaces
- [x] DHCP servers for each VLAN
- [x] DHCP pools configured
- [x] Static DHCP leases with MAC-to-IP mappings
- [x] Bridge VLAN table entries
**Completed:**
- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest, including vlan25-kids)
- [x] IP addresses assigned to all VLAN interfaces
- [x] DHCP servers for each VLAN (7 servers)
- [x] DHCP pools configured (7 pools)
- [x] Static DHCP leases with MAC-to-IP mappings (44 devices)
- [x] Bridge VLAN table entries for all VLANs
- [x] WiFi ports PVID=20 (Trusted)
- [x] Firewall rules for inter-VLAN isolation
- [x] Address lists for firewall rules
- [ ] VLAN filtering enabled on bridge (PENDING)
- [x] Firewall address lists for all VLANs
**CSS326 Switch:**
- [ ] VLAN configuration (REQUIRES MANUAL CONFIG via SwOS)
**Pending:**
- [ ] VLAN filtering enabled on bridge (requires switch config first)
### CSS326 Switch Configuration ⏳
**Required before VLAN activation:**
- [ ] VLAN configuration via SwOS web interface
- [ ] Port assignments per device
## Network Diagram
@@ -50,12 +56,13 @@ Internet
│ │
│ Bridge (vlan-filtering=no) │
│ ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged) │
│ ├── vlan10-mgmt 192.168.10.1/24
│ ├── vlan20-trusted 192.168.20.1/24
│ ├── vlan30-iot 192.168.30.1/24
│ ├── vlan35-cameras 192.168.35.1/24
│ ├── vlan40-servers 192.168.40.1/24
── vlan50-guest 192.168.50.1/24
│ ├── vlan10-mgmt 192.168.10.1/24 (6 devices)
│ ├── vlan20-trusted 192.168.20.1/24 (9 devices)
│ ├── vlan25-kids 192.168.25.1/24 (6 devices)
│ ├── vlan30-iot 192.168.30.1/24 (14 devices)
│ ├── vlan35-cameras 192.168.35.1/24 (1 device)
── vlan40-servers 192.168.40.1/24 (1 device)
│ └── vlan50-guest 192.168.50.1/24 (7 devices) │
│ │
│ Ports: │
│ ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs) │
@@ -63,7 +70,7 @@ Internet
│ └── hap-wifi2 → PVID=20 (untagged VLAN 20) │
└───────────────────────────────────────────────────────────┘
│ Trunk (VLANs 1,10,20,30,35,40,50)
│ Trunk (VLANs 1,10,20,25,30,35,40,50)
┌───────────────────────────────────────────────────────────┐
│ CSS326-24G-2S+ │
@@ -77,87 +84,65 @@ Internet
## Bridge VLAN Table
```
VLAN Tagged Untagged
---- ------ --------
1 bridge,eth3_CSS326_Uplink eth2,eth4,ether5
10 bridge,eth3_CSS326_Uplink -
20 bridge,eth3_CSS326_Uplink hap-wifi1,hap-wifi2
30 bridge,eth3_CSS326_Uplink -
35 bridge,eth3_CSS326_Uplink -
40 bridge,eth3_CSS326_Uplink -
50 bridge,eth3_CSS326_Uplink -
```
| VLAN | Tagged | Untagged |
|------|--------|----------|
| 1 | bridge, eth3_CSS326_Uplink | eth2, eth4, ether5 |
| 10 | bridge, eth3_CSS326_Uplink | - |
| 20 | bridge, eth3_CSS326_Uplink | hap-wifi1, hap-wifi2 |
| 25 | bridge, eth3_CSS326_Uplink | - |
| 30 | bridge, eth3_CSS326_Uplink | - |
| 35 | bridge, eth3_CSS326_Uplink | - |
| 40 | bridge, eth3_CSS326_Uplink | - |
| 50 | bridge, eth3_CSS326_Uplink | - |
## WiFi VLAN Assignment
## DHCP Configuration
Since both SSIDs (XTRM/XTRM2) remain on the same bridge:
- **All WiFi clients → VLAN 20 (Trusted) by default**
- MAC-based filtering via firewall rules for additional restrictions
| VLAN | Server | Pool | Range | Lease Time |
|------|--------|------|-------|------------|
| 10 | dhcp-mgmt | pool-mgmt | 192.168.10.100-200 | 30m |
| 20 | dhcp-trusted | pool-trusted | 192.168.20.100-220 | 30m |
| 25 | dhcp-kids | pool-kids | 192.168.25.100-200 | 30m |
| 30 | dhcp-iot | pool-iot | 192.168.30.100-220 | 30m |
| 35 | dhcp-cameras | pool-cameras | 192.168.35.100-150 | 30m |
| 40 | dhcp-servers | pool-servers | 192.168.40.100-150 | 30m |
| 50 | dhcp-guest | pool-guest | 192.168.50.100-220 | 4h |
Note: True per-device VLAN assignment on WiFi requires Dynamic VLAN via RADIUS (not configured).
## Static DHCP Leases Summary
## Device Assignments (via Static DHCP Leases)
### VLAN 20 - Trusted (192.168.20.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.20.10 | 82:6D:FB:D9:E0:47 | Nora MacBookAir |
| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Kaloyan S25-Ultra |
| 192.168.20.12 | F2:B8:14:61:C8:27 | Dancho iPhone |
| 192.168.20.13 | 82:EC:EF:B5:F2:AF | Kaloyan MacBook WiFi |
| 192.168.20.14 | 90:91:64:70:0D:86 | Kimi Notebook |
| 192.168.20.15 | 2A:2B:BA:86:D4:AF | Kimi iPhone |
| 192.168.20.16 | 08:92:04:C6:07:C5 | Kaloyan MacBook LAN |
| 192.168.20.17 | 1C:83:41:32:F3:AF | Kaloyan Game PC |
| 192.168.20.18 | A4:D1:D2:7B:52:BE | Compusbg iPad |
### VLAN 30 - IoT (192.168.30.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.30.10 | B0:37:95:79:AF:9B | LG TV |
| 192.168.30.11 | D0:E7:82:F7:65:DD | Chromecast |
| 192.168.30.12 | B0:4A:39:3F:9A:14 | Roborock Vacuum |
| 192.168.30.13 | 94:27:70:1E:0C:EE | Bosch Oven |
| 192.168.30.14 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier |
| 192.168.30.15 | C8:D7:78:D6:DC:FC | Bosch Washer |
### VLAN 35 - Cameras (192.168.35.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell |
### VLAN 10 - Management (192.168.10.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.10.6 | 18:FD:74:54:3D:BC | CAP XL ac |
| 192.168.10.9 | F4:1E:57:C9:BD:09 | CSS326 Switch |
### VLAN 40 - Servers (192.168.40.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet |
| VLAN | Devices | Examples |
|------|---------|----------|
| 10 - Mgmt | 6 | CAP XL ac, CSS326, ZX1, AdGuard, NanoKVM, Unraid |
| 20 - Trusted | 9 | Nora MacBook, Kaloyan devices, family phones |
| 25 - Kids | 6 | Dancho iPhone/Windows, Kimi devices, XTRM-Ally |
| 30 - IoT | 14 | GREE AC, LG TVs, Bosch appliances, Tuya, Xiaomi |
| 35 - Cameras | 1 | Reolink Doorbell |
| 40 - Servers | 1 | HP LaserJet |
| 50 - Guest | 7 | Unknown/unidentified devices |
## Firewall Rules (Active)
Inter-VLAN firewall rules are **ALREADY ACTIVE** even without VLAN filtering:
Inter-VLAN firewall rules are configured:
```
# Allow rules
- Management → All VLANs (full access)
- Legacy → All VLANs (full access during transition)
- Trusted → IoT (can control smart devices)
- Trusted → Cameras (ports 80,443,554,8080,8554 only)
- Trusted → Servers (full access)
- Trusted → Legacy (full access)
- IoT/Cameras/Guest → DNS only (192.168.31.1:53)
### Allow Rules
| Source | Destination | Access |
|--------|-------------|--------|
| Management (10) | All VLANs | Full access |
| Legacy (31) | All VLANs | Full access (transition) |
| Trusted (20) | IoT (30) | Full access |
| Trusted (20) | Cameras (35) | Ports 80,443,554,8080,8554 |
| Trusted (20) | Servers (40) | Full access |
| Trusted (20) | Legacy (31) | Full access |
| Kids (25) | IoT (30) | Full access |
| Kids (25) | Legacy (31) | Full access |
| IoT/Cameras/Guest/Kids | DNS | Port 53 to 192.168.31.1 |
# Block rules
- Guest → All internal (isolated, internet only)
- Cameras → All VLANs (upload only, no lateral movement)
- IoT → Management (cannot access network devices)
- IoT → Trusted (cannot access family devices)
```
### Block Rules
| Source | Destination | Action |
|--------|-------------|--------|
| Guest (50) | All internal | Drop |
| Cameras (35) | All VLANs | Drop |
| IoT (30) | Management (10) | Drop |
| IoT (30) | Trusted (20) | Drop |
## Activation Steps
@@ -165,27 +150,15 @@ Inter-VLAN firewall rules are **ALREADY ACTIVE** even without VLAN filtering:
Access SwOS at http://192.168.31.9 and configure:
1. **VLAN settings:**
- Enable VLAN mode
- Create VLANs: 1, 10, 20, 30, 35, 40, 50
2. **Port 1 (Uplink to MikroTik):**
- VLAN Mode: Trunk
- Tagged VLANs: 1, 10, 20, 30, 35, 40, 50
3. **Port for Unraid:**
- VLAN Mode: Access
- PVID: 1 (Legacy) or 40 (Servers)
4. **Other ports:**
- Assign access VLAN based on connected device
1. **Enable VLAN mode**
2. **Create VLANs:** 1, 10, 20, 25, 30, 35, 40, 50
3. **Port 1 (Uplink to MikroTik):** Trunk mode, tagged all VLANs
4. **Other ports:** Access mode, assign PVID per connected device
### Step 2: Enable VLAN Filtering on MikroTik
```routeros
# CAUTION: This may cause temporary connectivity loss
# Have WinBox ready on 192.168.31.1:8291 as backup
/interface bridge set [find name=bridge] vlan-filtering=yes
```
@@ -194,7 +167,7 @@ Access SwOS at http://192.168.31.9 and configure:
```bash
# From Unraid
ping 192.168.31.1 # MikroTik Legacy
ping 192.168.20.1 # MikroTik Trusted VLAN
ping 192.168.10.1 # MikroTik Mgmt VLAN
ping 8.8.8.8 # Internet
```
@@ -204,12 +177,7 @@ ping 8.8.8.8 # Internet
/interface bridge set [find name=bridge] vlan-filtering=no
```
## Scripts
- `scripts/mikrotik-vlan-setup.rsc` - Full VLAN configuration (run once)
- `scripts/mikrotik-vlan-enable.rsc` - Enable VLAN filtering (after switch config)
## Related Documents
- [VLAN-PROPOSAL.md](wip/VLAN-PROPOSAL.md) - Original planning document
- [00-CURRENT-STATE.md](00-CURRENT-STATE.md) - Network overview
- [03-VLAN-DEVICE-ASSIGNMENT.md](03-VLAN-DEVICE-ASSIGNMENT.md) - Device inventory
- [04-VLAN-MIGRATION-PLAN.md](04-VLAN-MIGRATION-PLAN.md) - Migration phases