Add WIP docs for incomplete planned items
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
New WIP documents:
- FOSSORIAL-TUNNELS.md - Pangolin/Gerbil self-hosted tunnels (not deployed)
- VLAN-SEGMENTATION.md - Network segmentation plan (not implemented)
- REMOTE-GAMING.md - Sunshine/Moonlight streaming (in progress)

Changes:
- Renamed 05-CHANGELOG.md → 00-CHANGELOG.md
- Updated wip/README.md with all planned items

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
142
docs/wip/VLAN-SEGMENTATION.md
Normal file
@@ -0,0 +1,142 @@
# VLAN Network Segmentation

**Status:** 📋 PLANNED
**Priority:** Medium
**Risk:** HIGH (network disruption during implementation)

---

## Overview

Segment flat 192.168.31.0/24 network into VLANs for security isolation.

---

## Proposed VLANs

| VLAN | Name | Subnet | Gateway | Purpose |
|------|------|--------|---------|---------|
| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Infrastructure devices only |
| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers |
| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras |
| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices |
| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi |

---

## WiFi SSID Mapping

| SSID | VLAN | Purpose |
|------|------|---------|
| XTRM | 10 | Primary (trusted devices) |
| XTRM-IoT | 20 | IoT devices |
| XTRM-Kids | 30 | Kids devices |
| XTRM-Guest | 40 | Guest access |

---

## Device Assignments

### VLAN 10 - Secure
| Device | Current IP | New IP |
|--------|------------|--------|
| XTRM-U/N5 | 192.168.31.2 | 192.168.10.2 |
| Nobara PC | 192.168.31.95 | 192.168.10.10 |
| MacBook | 192.168.31.99 | 192.168.10.15 |
| S25 Ultra | 192.168.31.98 | 192.168.10.20 |

### VLAN 20 - IoT
| Device | Current IP | New IP |
|--------|------------|--------|
| Home Assistant | 192.168.31.102 | 192.168.20.2 |
| Chromecast | 192.168.31.134 | 192.168.20.10 |
| Roborock S7 | 192.168.31.104 | 192.168.20.11 |
| Reolink Doorbell | 192.168.31.68 | 192.168.20.13 |
| HP Printer | 192.168.31.19 | 192.168.20.20 |

### VLAN 30 - Kids
| Device | Current IP | New IP |
|--------|------------|--------|
| Nora MacBook | 192.168.31.79 | 192.168.30.10 |
| Kimi Notebook | 192.168.31.108 | 192.168.30.11 |
| Dancho iPhone | 192.168.31.114 | 192.168.30.13 |

---

## Cross-VLAN Access Requirements

### S25 → Chromecast (Casting)
```routeros
/ip/firewall/filter add chain=forward \
src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
dst-port=8008,8009,8443 protocol=tcp action=accept
```

### Secure → Home Assistant
```routeros
/ip/firewall/filter add chain=forward \
src-address=192.168.10.0/24 dst-address=192.168.20.2 \
dst-port=8123 protocol=tcp action=accept
```

### mDNS Reflector (Device Discovery)
```routeros
/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20
```

---

## Implementation Steps

### Phase 1: Router (HAP1)
1. Create VLAN interfaces
2. Assign IP addresses
3. Create DHCP servers per VLAN
4. Configure firewall rules

### Phase 2: Switch (CSS326)
1. Enable VLAN mode in SwOS
2. Configure trunk port (to HAP1)
3. Assign access VLANs to ports
4. Set PVIDs

### Phase 3: WiFi (CAPsMAN)
1. Create VLAN-tagged SSIDs
2. Update provisioning rules
3. Apply to CAP

---

## Risks

| Risk | Impact | Mitigation |
|------|--------|------------|
| All devices lose connectivity | HIGH | Schedule maintenance window |
| Docker br0 containers break | MEDIUM | Reconfigure macvlan |
| Static IPs need updating | LOW | Pre-configure DHCP reservations |

---

## Rollback

Disable VLAN filtering immediately:
```routeros
/interface/bridge/set bridge vlan-filtering=no
```

---

## Prerequisites

- [ ] Map CSS326 switch ports to devices
- [ ] Backup MikroTik config
- [ ] Schedule maintenance window (30-60 min)
- [ ] Decide WiFi passwords for new SSIDs
- [ ] Console/serial access to router (in case of lockout)

---

## References

- Full planning document: `archive/10-VLAN-NETWORK-SEGMENTATION.md`
- Device inventory: `archive/11-NETWORK-ASSET-INVENTORY.md`

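Review bot: the three accept rules under Cross-VLAN Access Requirements only segment anything if the forward chain also carries a preceding `connection-state=established,related` accept and a final drop for traffic between the VLAN interfaces, and neither is written down here nor spelled out in Phase 1 step 4 ("Configure firewall rules"); without that drop the router still routes freely between vlan10, vlan20, vlan30 and vlan40, so the accept rules change nothing. Please add both rules to this section (or to Phase 1) so the ordering is explicit: accepts first, inter-VLAN drop last. Two smaller points in the same hunk: the casting rule accepts 192.168.10.0/24 to the whole of 192.168.20.0/24 on 8008,8009,8443, while the Home Assistant rule next to it is scoped to the single host 192.168.20.2; scoping the casting rule to the Chromecast's planned 192.168.20.10 keeps the two consistent and avoids opening those ports toward every IoT device. And the Rollback section disables bridge `vlan-filtering`, but Phase 1 never lists enabling it or populating the bridge VLAN table, which is the step that actually produces the lockout the "Console/serial access" prerequisite guards against; listing it as an explicit step, with the note that management VLAN 1 must already be tagged for the bridge's own interface before filtering is switched on, would make the rollback match the plan.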