Add WIP: VLAN Network Segmentation Proposal

- 5 VLANs: Management, Trusted, IoT, Servers, Guest - Complete firewall rules matrix - MikroTik implementation commands - DNS per-VLAN configuration - WiFi SSID mapping - Migration plan phases
2026-01-25 15:47:15 +02:00
parent 102fd101f3
commit c1dca8526a
1 changed files with 317 additions and 0 deletions
--- a/docs/wip/VLAN-PROPOSAL.md
+++ b/docs/wip/VLAN-PROPOSAL.md
@@ -0,0 +1,317 @@
 # WIP: VLAN Network Segmentation Proposal
 **Status:** Planning  
 **Created:** 2026-01-25  
 ---
 ## Current State
 Single flat network: `192.168.31.0/24`
 - All devices on same broadcast domain
 - No traffic isolation between IoT, guests, and trusted devices
 - Security risk: compromised IoT device can access entire network
 ---
 ## Proposed VLAN Architecture
 ```
                                    ┌─────────────────┐
                                    │   INTERNET      │
                                    └────────┬────────┘
                                             │
                                    ┌────────▼────────┐
                                    │  MikroTik hAP   │
                                    │   192.168.31.1  │
                                    │  (Router/FW)    │
                                    └────────┬────────┘
                                             │
              ┌──────────────┬───────────────┼───────────────┬──────────────┐
              │              │               │               │              │
     ┌────────▼────────┐ ┌───▼───────┐ ┌─────▼─────┐ ┌───────▼───────┐ ┌────▼────┐
     │   VLAN 10       │ │  VLAN 20  │ │  VLAN 30  │ │    VLAN 40    │ │ VLAN 50 │
     │   Management    │ │  Trusted  │ │    IoT    │ │    Servers    │ │  Guest  │
     │ 192.168.10.0/24 │ │ .20.0/24  │ │ .30.0/24  │ │  .40.0/24     │ │.50.0/24 │
     └─────────────────┘ └───────────┘ └───────────┘ └───────────────┘ └─────────┘
 ```
 ---
 ## VLAN Definitions
 | VLAN ID | Name | Subnet | Purpose | Gateway |
 |---------|------|--------|---------|---------|
 | 10 | Management | 192.168.10.0/24 | Infrastructure management | .10.1 |
 | 20 | Trusted | 192.168.20.0/24 | Personal devices | .20.1 |
 | 30 | IoT | 192.168.30.0/24 | Smart home devices | .30.1 |
 | 40 | Servers | 192.168.40.0/24 | Exposed services | .40.1 |
 | 50 | Guest | 192.168.50.0/24 | Visitor WiFi | .50.1 |
 ---
 ## VLAN 10: Management
 **Purpose:** Infrastructure administration only
 | Device | IP | Description |
 |--------|-----|-------------|
 | MikroTik | 192.168.10.1 | Router/Gateway |
 | Unraid | 192.168.10.2 | Server management |
 | Switch | 192.168.10.3 | CSS326 management |
 | AP | 192.168.10.4 | cAP ac management |
 **Access Rules:**
 - ✅ Full access to all VLANs (admin only)
 - ✅ SSH, Web UI access
 - ❌ No internet access (optional, security hardening)
 - ❌ No access FROM other VLANs
 ---
 ## VLAN 20: Trusted
 **Purpose:** Personal/family devices with full access
 | Device Type | DHCP Range | Examples |
 |-------------|------------|----------|
 | Laptops | .20.100-.150 | MacBooks, Windows PCs |
 | Phones | .20.151-.200 | iPhones, Android |
 | Tablets | .20.201-.220 | iPads |
 | Static | .20.10-.50 | Reserved |
 **Access Rules:**
 - ✅ Internet access
 - ✅ Access to Servers VLAN (Plex, services)
 - ✅ Access to IoT VLAN (control devices)
 - ❌ No access to Management VLAN
 - ❌ No access from Guest VLAN
 ---
 ## VLAN 30: IoT
 **Purpose:** Smart home devices (isolated)
 | Device Type | DHCP Range | Examples |
 |-------------|------------|----------|
 | Smart TV | .30.100-.110 | LG TV, Apple TV |
 | Speakers | .30.111-.130 | Sonos, HomePod |
 | Sensors | .30.131-.180 | Zigbee hubs, motion |
 | Cameras | .30.181-.200 | Security cameras |
 | Static | .30.10-.50 | Reserved |
 **Access Rules:**
 - ✅ Internet access (restricted destinations)
 - ✅ Access to local DNS (AdGuard)
 - ✅ mDNS/Bonjour relay from Trusted
 - ❌ No inter-device communication (optional)
 - ❌ No access to Management
 - ❌ No access to Servers (except specific ports)
 - ❌ Cannot initiate to Trusted (Trusted can initiate)
 ---
 ## VLAN 40: Servers/DMZ
 **Purpose:** Services accessible from internet
 | Service | IP | Ports | Description |
 |---------|-----|-------|-------------|
 | Traefik | 192.168.40.2 | 80,443 | Reverse proxy |
 | AdGuard | 192.168.40.4 | 53,853,443 | DNS (DoT/DoH) |
 | Gitea | 192.168.40.10 | 3000 | Git hosting |
 | Plex | 192.168.40.20 | 32400 | Media server |
 **Access Rules:**
 - ✅ Internet access
 - ✅ Inbound from WAN (via NAT)
 - ✅ Access from Trusted VLAN
 - ❌ Cannot initiate to Management
 - ❌ Cannot initiate to Trusted
 - ❌ No access from Guest
 ---
 ## VLAN 50: Guest
 **Purpose:** Visitor WiFi with internet only
 | Setting | Value |
 |---------|-------|
 | DHCP Range | 192.168.50.100-.200 |
 | Lease Time | 4 hours |
 | Bandwidth Limit | 50 Mbps |
 | Client Isolation | Yes |
 **Access Rules:**
 - ✅ Internet access only
 - ❌ No access to any internal VLAN
 - ❌ No inter-client communication
 - ❌ Captive portal (optional)
 ---
 ## Firewall Rules Summary
 ```
 ┌─────────────┬──────┬─────────┬─────┬─────────┬───────┐
 │ From \ To   │ Mgmt │ Trusted │ IoT │ Servers │ Guest │
 ├─────────────┼──────┼─────────┼─────┼─────────┼───────┤
 │ Management  │  ✅  │   ✅    │ ✅  │   ✅    │  ✅   │
 │ Trusted     │  ❌  │   ✅    │ ✅  │   ✅    │  ❌   │
 │ IoT         │  ❌  │   ❌    │ ⚠️  │   ⚠️    │  ❌   │
 │ Servers     │  ❌  │   ❌    │ ❌  │   ✅    │  ❌   │
 │ Guest       │  ❌  │   ❌    │ ❌  │   ❌    │  ⚠️   │
 │ Internet    │  ❌  │   ❌    │ ❌  │   ✅    │  ❌   │
 └─────────────┴──────┴─────────┴─────┴─────────┴───────┘
 ✅ = Full access
 ❌ = Blocked
 ⚠️ = Limited/Specific ports only
 ```
 ---
 ## DNS Configuration
 | VLAN | DNS Server | Purpose |
 |------|------------|---------|
 | 10 Management | 192.168.10.1 | MikroTik DNS |
 | 20 Trusted | 192.168.40.4 | AdGuard (full filtering) |
 | 30 IoT | 192.168.40.4 | AdGuard (IoT blocklist) |
 | 40 Servers | 8.8.8.8, 1.1.1.1 | External DNS |
 | 50 Guest | 192.168.40.4 | AdGuard (strict filtering) |
 **Enforce DNS:** NAT redirect all port 53 traffic to designated DNS per VLAN.
 ---
 ## WiFi SSID Mapping
 | SSID | VLAN | Security | Notes |
 |------|------|----------|-------|
 | Home | 20 | WPA3 | Trusted devices |
 | Home-IoT | 30 | WPA2 | Smart devices (2.4GHz) |
 | Home-Guest | 50 | WPA2 | Visitors |
 | (hidden) Admin | 10 | WPA3 | Management only |
 ---
 ## MikroTik Implementation
 ### 1. Create VLANs on Bridge
 ```routeros
 /interface vlan
 add interface=bridge name=vlan10-mgmt vlan-id=10
 add interface=bridge name=vlan20-trusted vlan-id=20
 add interface=bridge name=vlan30-iot vlan-id=30
 add interface=bridge name=vlan40-servers vlan-id=40
 add interface=bridge name=vlan50-guest vlan-id=50
 ```
 ### 2. IP Addresses
 ```routeros
 /ip address
 add address=192.168.10.1/24 interface=vlan10-mgmt
 add address=192.168.20.1/24 interface=vlan20-trusted
 add address=192.168.30.1/24 interface=vlan30-iot
 add address=192.168.40.1/24 interface=vlan40-servers
 add address=192.168.50.1/24 interface=vlan50-guest
 ```
 ### 3. DHCP Servers
 ```routeros
 /ip pool
 add name=pool-trusted ranges=192.168.20.100-192.168.20.200
 add name=pool-iot ranges=192.168.30.100-192.168.30.200
 add name=pool-servers ranges=192.168.40.100-192.168.40.150
 add name=pool-guest ranges=192.168.50.100-192.168.50.200
 /ip dhcp-server
 add address-pool=pool-trusted interface=vlan20-trusted name=dhcp-trusted
 add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot
 add address-pool=pool-servers interface=vlan40-servers name=dhcp-servers
 add address-pool=pool-guest interface=vlan50-guest name=dhcp-guest
 ```
 ### 4. Inter-VLAN Firewall (Example)
 ```routeros
 /ip firewall filter
 # Allow established/related
 add chain=forward action=accept connection-state=established,related
 # Management can access all
 add chain=forward action=accept src-address=192.168.10.0/24
 # Trusted to IoT
 add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24
 # Trusted to Servers
 add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.40.0/24
 # Block all other inter-VLAN
 add chain=forward action=drop src-address=192.168.10.0/16 dst-address=192.168.10.0/16
 ```
 ---
 ## Migration Plan
 ### Phase 1: Preparation
 - [ ] Document all current static IPs
 - [ ] List all devices and target VLANs
 - [ ] Configure switch for VLAN trunking
 - [ ] Test VLAN setup on isolated port
 ### Phase 2: Infrastructure
 - [ ] Create VLANs on MikroTik
 - [ ] Configure DHCP per VLAN
 - [ ] Move Unraid to VLAN 10 (management)
 - [ ] Move AdGuard to VLAN 40 (servers)
 - [ ] Update DNS redirect rules
 ### Phase 3: Devices
 - [ ] Configure WiFi SSIDs per VLAN
 - [ ] Move trusted devices to VLAN 20
 - [ ] Move IoT devices to VLAN 30
 - [ ] Test inter-VLAN access rules
 ### Phase 4: Hardening
 - [ ] Implement firewall rules
 - [ ] Enable DNS enforcement per VLAN
 - [ ] Set up guest captive portal (optional)
 - [ ] Document final configuration
 ---
 ## Considerations
 ### Pros
 - Security isolation between device types
 - Compromised IoT cannot access trusted devices
 - Guest cannot snoop on internal traffic
 - Granular firewall control
 - Better traffic management
 ### Cons
 - Increased complexity
 - mDNS/Bonjour requires relay configuration
 - Some IoT devices may have issues
 - Initial migration effort
 ### Services Requiring Special Attention
 - **Plex:** Needs access from Trusted to Servers
 - **Sonos/AirPlay:** Requires mDNS relay
 - **Chromecast:** Needs multicast between VLANs
 - **Printers:** May need access from multiple VLANs
 ---
 ## Questions to Decide
 1. Should Management VLAN have internet access?
 2. IoT device discovery - enable mDNS relay or use static configs?
 3. Guest WiFi - captive portal or just password?
 4. Camera VLAN - separate from IoT or combined?
 5. Keep legacy 192.168.31.0/24 for transition period?