diff --git a/docs/wip/VLAN-PROPOSAL.md b/docs/wip/VLAN-PROPOSAL.md new file mode 100644 index 0000000..e54835b --- /dev/null +++ b/docs/wip/VLAN-PROPOSAL.md 
@@ -0,0 +1,317 @@ +# WIP: VLAN Network Segmentation Proposal + +**Status:** Planning +**Created:** 2026-01-25 + +--- + +## Current State + +Single flat network: `192.168.31.0/24` +- All devices on same broadcast domain +- No traffic isolation between IoT, guests, and trusted devices +- Security risk: compromised IoT device can access entire network + +--- + +## Proposed VLAN Architecture + +``` + ┌─────────────────┐ + │ INTERNET │ + └────────┬────────┘ + │ + ┌────────▼────────┐ + │ MikroTik hAP │ + │ 192.168.31.1 │ + │ (Router/FW) │ + └────────┬────────┘ + │ + ┌──────────────┬───────────────┼───────────────┬──────────────┐ + │ │ │ │ │ + ┌────────▼────────┐ ┌───▼───────┐ ┌─────▼─────┐ ┌───────▼───────┐ ┌────▼────┐ + │ VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 40 │ │ VLAN 50 │ + │ Management │ │ Trusted │ │ IoT │ │ Servers │ │ Guest │ + │ 192.168.10.0/24 │ │ .20.0/24 │ │ .30.0/24 │ │ .40.0/24 │ │.50.0/24 │ + └─────────────────┘ └───────────┘ └───────────┘ └───────────────┘ └─────────┘ +``` + +--- + +## VLAN Definitions + +| VLAN ID | Name | Subnet | Purpose | Gateway | +|---------|------|--------|---------|---------| +| 10 | Management | 192.168.10.0/24 | Infrastructure management | .10.1 | +| 20 | Trusted | 192.168.20.0/24 | Personal devices | .20.1 | +| 30 | IoT | 192.168.30.0/24 | Smart home devices | .30.1 | +| 40 | Servers | 192.168.40.0/24 | Exposed services | .40.1 | +| 50 | Guest | 192.168.50.0/24 | Visitor WiFi | .50.1 | + +--- + +## VLAN 10: Management + +**Purpose:** Infrastructure administration only + +| Device | IP | Description | +|--------|-----|-------------| +| MikroTik | 192.168.10.1 | Router/Gateway | +| Unraid | 192.168.10.2 | Server management | +| Switch | 192.168.10.3 | CSS326 management | +| AP | 192.168.10.4 | cAP ac management | + +**Access Rules:** +- ✅ Full access to all VLANs (admin only) +- ✅ SSH, Web UI access +- ❌ No internet access (optional, security hardening) +- ❌ No access FROM other VLANs + +--- + +## VLAN 20: Trusted + 
+**Purpose:** Personal/family devices with full access + +| Device Type | DHCP Range | Examples | +|-------------|------------|----------| +| Laptops | .20.100-.150 | MacBooks, Windows PCs | +| Phones | .20.151-.200 | iPhones, Android | +| Tablets | .20.201-.220 | iPads | +| Static | .20.10-.50 | Reserved | + +**Access Rules:** +- ✅ Internet access +- ✅ Access to Servers VLAN (Plex, services) +- ✅ Access to IoT VLAN (control devices) +- ❌ No access to Management VLAN +- ❌ No access from Guest VLAN + +--- + +## VLAN 30: IoT + +**Purpose:** Smart home devices (isolated) + +| Device Type | DHCP Range | Examples | +|-------------|------------|----------| +| Smart TV | .30.100-.110 | LG TV, Apple TV | +| Speakers | .30.111-.130 | Sonos, HomePod | +| Sensors | .30.131-.180 | Zigbee hubs, motion | +| Cameras | .30.181-.200 | Security cameras | +| Static | .30.10-.50 | Reserved | + +**Access Rules:** +- ✅ Internet access (restricted destinations) +- ✅ Access to local DNS (AdGuard) +- ✅ mDNS/Bonjour relay from Trusted +- ❌ No inter-device communication (optional) +- ❌ No access to Management +- ❌ No access to Servers (except specific ports) +- ❌ Cannot initiate to Trusted (Trusted can initiate) + +--- + +## VLAN 40: Servers/DMZ + +**Purpose:** Services accessible from internet + +| Service | IP | Ports | Description | +|---------|-----|-------|-------------| +| Traefik | 192.168.40.2 | 80,443 | Reverse proxy | +| AdGuard | 192.168.40.4 | 53,853,443 | DNS (DoT/DoH) | +| Gitea | 192.168.40.10 | 3000 | Git hosting | +| Plex | 192.168.40.20 | 32400 | Media server | + +**Access Rules:** +- ✅ Internet access +- ✅ Inbound from WAN (via NAT) +- ✅ Access from Trusted VLAN +- ❌ Cannot initiate to Management +- ❌ Cannot initiate to Trusted +- ❌ No access from Guest + +--- + +## VLAN 50: Guest + +**Purpose:** Visitor WiFi with internet only + +| Setting | Value | +|---------|-------| +| DHCP Range | 192.168.50.100-.200 | +| Lease Time | 4 hours | +| Bandwidth Limit | 50 Mbps | +| 
Client Isolation | Yes | + +**Access Rules:** +- ✅ Internet access only +- ❌ No access to any internal VLAN +- ❌ No inter-client communication +- ❌ Captive portal (optional) + +--- + +## Firewall Rules Summary + +``` +┌─────────────┬──────┬─────────┬─────┬─────────┬───────┐ +│ From \ To │ Mgmt │ Trusted │ IoT │ Servers │ Guest │ +├─────────────┼──────┼─────────┼─────┼─────────┼───────┤ +│ Management │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ +│ Trusted │ ❌ │ ✅ │ ✅ │ ✅ │ ❌ │ +│ IoT │ ❌ │ ❌ │ ⚠️ │ ⚠️ │ ❌ │ +│ Servers │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │ +│ Guest │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │ +│ Internet │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │ +└─────────────┴──────┴─────────┴─────┴─────────┴───────┘ + +✅ = Full access +❌ = Blocked +⚠️ = Limited/Specific ports only +``` + +--- + +## DNS Configuration + +| VLAN | DNS Server | Purpose | +|------|------------|---------| +| 10 Management | 192.168.10.1 | MikroTik DNS | +| 20 Trusted | 192.168.40.4 | AdGuard (full filtering) | +| 30 IoT | 192.168.40.4 | AdGuard (IoT blocklist) | +| 40 Servers | 8.8.8.8, 1.1.1.1 | External DNS | +| 50 Guest | 192.168.40.4 | AdGuard (strict filtering) | + +**Enforce DNS:** NAT redirect all port 53 traffic to designated DNS per VLAN. + +--- + +## WiFi SSID Mapping + +| SSID | VLAN | Security | Notes | +|------|------|----------|-------| +| Home | 20 | WPA3 | Trusted devices | +| Home-IoT | 30 | WPA2 | Smart devices (2.4GHz) | +| Home-Guest | 50 | WPA2 | Visitors | +| (hidden) Admin | 10 | WPA3 | Management only | + +--- + +## MikroTik Implementation + +### 1. Create VLANs on Bridge +```routeros +/interface vlan +add interface=bridge name=vlan10-mgmt vlan-id=10 +add interface=bridge name=vlan20-trusted vlan-id=20 +add interface=bridge name=vlan30-iot vlan-id=30 +add interface=bridge name=vlan40-servers vlan-id=40 +add interface=bridge name=vlan50-guest vlan-id=50 +``` + +### 2. 
IP Addresses +```routeros +/ip address +add address=192.168.10.1/24 interface=vlan10-mgmt +add address=192.168.20.1/24 interface=vlan20-trusted +add address=192.168.30.1/24 interface=vlan30-iot +add address=192.168.40.1/24 interface=vlan40-servers +add address=192.168.50.1/24 interface=vlan50-guest +``` + +### 3. DHCP Servers +```routeros +/ip pool +add name=pool-trusted ranges=192.168.20.100-192.168.20.200 +add name=pool-iot ranges=192.168.30.100-192.168.30.200 +add name=pool-servers ranges=192.168.40.100-192.168.40.150 +add name=pool-guest ranges=192.168.50.100-192.168.50.200 + +/ip dhcp-server +add address-pool=pool-trusted interface=vlan20-trusted name=dhcp-trusted +add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot +add address-pool=pool-servers interface=vlan40-servers name=dhcp-servers +add address-pool=pool-guest interface=vlan50-guest name=dhcp-guest +``` + +### 4. Inter-VLAN Firewall (Example) +```routeros +/ip firewall filter +# Allow established/related +add chain=forward action=accept connection-state=established,related + +# Management can access all +add chain=forward action=accept src-address=192.168.10.0/24 + +# Trusted to IoT +add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24 + +# Trusted to Servers +add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.40.0/24 + +# Block all other inter-VLAN +add chain=forward action=drop src-address=192.168.10.0/16 dst-address=192.168.10.0/16 +``` + +--- + +## Migration Plan + +### Phase 1: Preparation +- [ ] Document all current static IPs +- [ ] List all devices and target VLANs +- [ ] Configure switch for VLAN trunking +- [ ] Test VLAN setup on isolated port + +### Phase 2: Infrastructure +- [ ] Create VLANs on MikroTik +- [ ] Configure DHCP per VLAN +- [ ] Move Unraid to VLAN 10 (management) +- [ ] Move AdGuard to VLAN 40 (servers) +- [ ] Update DNS redirect rules + +### Phase 3: Devices +- [ ] Configure WiFi SSIDs per VLAN +- [ ] Move 
trusted devices to VLAN 20 +- [ ] Move IoT devices to VLAN 30 +- [ ] Test inter-VLAN access rules + +### Phase 4: Hardening +- [ ] Implement firewall rules +- [ ] Enable DNS enforcement per VLAN +- [ ] Set up guest captive portal (optional) +- [ ] Document final configuration + +--- + +## Considerations + +### Pros +- Security isolation between device types +- Compromised IoT cannot access trusted devices +- Guest cannot snoop on internal traffic +- Granular firewall control +- Better traffic management + +### Cons +- Increased complexity +- mDNS/Bonjour requires relay configuration +- Some IoT devices may have issues +- Initial migration effort + +### Services Requiring Special Attention +- **Plex:** Needs access from Trusted to Servers +- **Sonos/AirPlay:** Requires mDNS relay +- **Chromecast:** Needs multicast between VLANs +- **Printers:** May need access from multiple VLANs + +--- + +## Questions to Decide + +1. Should Management VLAN have internet access? +2. IoT device discovery - enable mDNS relay or use static configs? +3. Guest WiFi - captive portal or just password? +4. Camera VLAN - separate from IoT or combined? +5. Keep legacy 192.168.31.0/24 for transition period?
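Review bot: In "### 4. Inter-VLAN Firewall (Example)" the catch-all `add chain=forward action=drop src-address=192.168.10.0/16 dst-address=192.168.10.0/16` is the only rule that enforces every ❌ in the matrix, and it is written with a host address under a /16 mask; write it as `192.168.0.0/16` (which also covers the legacy 192.168.31.0/24 during transition), and prefer interface matching (`in-interface-list=LAN out-interface-list=LAN`, or `in-interface=vlan10-mgmt` on the "Management can access all" rule) over source addresses, since an address-only accept for 192.168.10.0/24 is satisfied by any client on any VLAN that sets that source. Add `connection-state=invalid action=drop` next to the established/related accept, and add the accepts the VLAN sections promise but the example lacks: IoT and Guest to AdGuard at 192.168.40.4 on tcp/udp 53 (and 853), otherwise the "Enforce DNS" redirect sends their queries to an address the catch-all then drops. On that redirect, the "DNS Configuration" table gives VLAN 40 external resolvers while "NAT redirect all port 53 traffic" applied to vlan40-servers would also capture AdGuard's own upstream queries and loop them back to itself; exempt `src-address=192.168.40.4` (or the Servers VLAN) from the dst-nat rule. Finally, "### 1. Create VLANs on Bridge" creates `/interface vlan` entries on `bridge` but there is no `/interface bridge vlan` table and no `vlan-filtering=yes` on the bridge, so the VLANs are not enforced at layer 2 and the proposal's isolation claims do not hold; add the bridge VLAN table with the bridge itself tagged on VLAN 10 (`/interface bridge vlan add bridge=bridge tagged=bridge,<trunk port> vlan-ids=10,20,30,40,50`) before setting `vlan-filtering=yes`, and note in Phase 2 that enabling filtering without the management VLAN tagged on the bridge locks the admin out, which is why the "Test VLAN setup on isolated port" step belongs before it, not after.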