From e9572ae166ef14939ac9be35e1cc76cde9d2e6a5 Mon Sep 17 00:00:00 2001 From: Kaloyan Danchev Date: Sat, 31 Jan 2026 10:40:58 +0200 Subject: [PATCH] Add VLAN setup documentation - complete implementation - docs/12-VLAN-SETUP-PROGRESS.md: Progress tracking during setup - docs/13-VLAN-SETUP-PLAN-V2.md: Initial VLAN plan - docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md: Safe mode approach - docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md: Final session summary VLANs implemented: - VLAN 10: Management (192.168.10.0/24) - port-based - VLAN 20: Trusted (192.168.20.0/24) - WiFi MAC-based - VLAN 25: Kids (192.168.25.0/24) - WiFi MAC-based - VLAN 30: IoT (192.168.30.0/24) - WiFi MAC-based - VLAN 40: Catch-All (192.168.1.0/24) - default Co-Authored-By: Claude Opus 4.5 --- docs/04-HARDWARE-INVENTORY.md | 6 +- docs/12-VLAN-SETUP-PROGRESS.md | 409 +++++++++++++++ docs/13-VLAN-SETUP-PLAN-V2.md | 594 ++++++++++++++++++++++ docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md | 352 +++++++++++++ docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md | 332 ++++++++++++ 5 files changed, 1691 insertions(+), 2 deletions(-) create mode 100644 docs/12-VLAN-SETUP-PROGRESS.md create mode 100644 docs/13-VLAN-SETUP-PLAN-V2.md create mode 100644 docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md create mode 100644 docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md diff --git a/docs/04-HARDWARE-INVENTORY.md b/docs/04-HARDWARE-INVENTORY.md index 0b6ab22..083e774 100644 --- a/docs/04-HARDWARE-INVENTORY.md +++ b/docs/04-HARDWARE-INVENTORY.md @@ -1,6 +1,6 @@ # Hardware Inventory -**Last Updated:** 2026-01-25 +**Last Updated:** 2026-01-27 --- @@ -38,8 +38,10 @@ | **Location** | 19" Rack U1 | | **IP** | 192.168.31.9 | | **MAC** | F4:1E:57:C9:BD:09 | -| **OS** | SwOS | +| **OS** | SwOS 2.16 | | **Serial** | - | +| **Docs** | https://help.mikrotik.com/docs/spaces/UM/pages/17498168/CSS326-24G-2S+RM | +| **Web UI** | http://192.168.31.9 | **Ports:** 24x 1G RJ45, 2x 10G SFP+ - SFP1: 10G DAC to ZX1 
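Review bot: the `-**Last Updated:** 2026-01-25` / `+**Last Updated:** 2026-01-27` bump in the first hunk does not agree with the rest of this commit: the subject line dates the VLAN work 2026-01-31, the other added docs carry 2026-01-28 and 2026-01-31, and the inventory rows changed in the next hunk (SwOS 2.16, Docs, Web UI) land in this same 01-31 commit. Either the hunk was staged from an earlier local edit or the date should read 2026-01-31; as it stands a reader using the date to judge staleness is misled.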
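Review bot: the new `+| **Web UI** | http://192.168.31.9 |` row in the second hunk is inconsistent with the addressing the same commit documents elsewhere: `docs/12-VLAN-SETUP-PROGRESS.md` lists the CSS326 at 192.168.88.254 with a target of 192.168.10.3 on VLAN 10, and `docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md` states the LAN is 192.168.1.1/24, so at least one of the three is stale. Record which address is current and whether it is static or a DHCP lease, and because this is a plain-HTTP management URL for a device destined for the Management VLAN, add a line that the UI is to be reachable only from VLAN 10 once bridge VLAN filtering is enabled. The `SwOS 2.16` version and the help.mikrotik.com link are useful additions and should stay.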
diff --git a/docs/12-VLAN-SETUP-PROGRESS.md b/docs/12-VLAN-SETUP-PROGRESS.md new file mode 100644 index 0000000..a62007f --- /dev/null +++ b/docs/12-VLAN-SETUP-PROGRESS.md 
@@ -0,0 +1,409 @@ +# VLAN Setup Progress + +**Created:** 2026-01-28 +**Status:** IN PROGRESS +**Last Updated:** 2026-01-28 + +--- + +## CRITICAL WARNING + +**ALWAYS ASK FOR EXPLICIT CONFIRMATION BEFORE:** +1. Enabling VLAN filtering (`/interface bridge set bridge vlan-filtering=yes`) +2. Changing bridge port PVID values +3. Modifying bridge VLAN table + +**Reason:** When VLAN filtering was enabled on 2026-01-28, the entire network lost connectivity: +- WiFi devices: No DHCP, no internet +- Wired devices on CSS326 (not VLAN 10): No DHCP, no internet +- Even with manual IP/DNS/gateway assignment: No internet +- Only VLAN 10 devices (Unraid on ether4/5) continued working + +**Root Cause (suspected):** Bridge VLAN table or NAT/masquerade configuration issue for VLAN 1 traffic. + +**Recovery:** User had to manually troubleshoot and fix the configuration. + +--- + +## Current Network State + +### Hardware Topology + +``` +Internet (62.73.120.142) + │ + ▼ +┌──────────────────────────────────────────────────────────────┐ +│ HAP1 | MikroTik hAP ax³ │ +│ IP: 192.168.88.1 │ +│ RouterOS: 7.21.1 │ +│ │ +│ Ports: │ +│ ├── ether1: WAN (DHCP from ISP) │ +│ ├── ether2: CAP XL ac (via PP1) │ +│ ├── ether3: CSS326 switch │ +│ ├── ether4: Unraid eth1 ──┐ VLAN 10 (PVID=10) │ +│ ├── ether5: Unraid eth2 ──┘ │ +│ ├── wifi1: XTRM (5GHz) │ +│ └── wifi2: XTRM2 (2.4GHz) │ +│ │ +│ Installed Packages: routeros, wifi-qcom, container, │ +│ user-manager │ +└──────────────────────────────────────────────────────────────┘ + │ + │ ether2 + ▼ +┌──────────────────────────────────────────────────────────────┐ +│ CAP | MikroTik cAP XL ac │ +│ IP: 192.168.88.250 │ +│ RouterOS: 7.21.1 │ +│ CAPsMAN managed by HAP1 │ +│ │ +│ WiFi (provisioned via CAPsMAN): │ +│ ├── cap-wifi1: XTRM2 (2.4GHz) │ +│ └── cap-wifi2: XTRM (5GHz) │ +└──────────────────────────────────────────────────────────────┘ + + │ ether3 + ▼ +┌──────────────────────────────────────────────────────────────┐ +│ CSS326-24G-2S+ │ +│ IP: 
192.168.88.254 │ +│ SwOS │ +│ (VLAN config pending) │ +└──────────────────────────────────────────────────────────────┘ +``` + +### SSH Access + +| Device | IP | Port | User | Auth | +|--------|-----|------|------|------| +| HAP1 | 192.168.88.1 | 22 | xtrm | SSH key (~/.ssh/mikrotik_key) | +| CAP | 192.168.88.250 | 2222 | xtrm | SSH key (~/.ssh/mikrotik_key) | +| Unraid | 192.168.10.20 (pending) | 422 | root | SSH key (~/.ssh/id_ed25519_unraid) | + +### WiFi Configuration + +| SSID | Band | Password | Security | +|------|------|----------|----------| +| XTRM | 5GHz | M0stW4nt3d@home | WPA2/WPA3 | +| XTRM2 | 2.4GHz | M0stW4nt3d@IoT | WPA2 | + +--- + +## VLAN Architecture (Planned) + +| VLAN ID | Name | Subnet | Gateway | Purpose | Assignment Method | +|---------|------|--------|---------|---------|-------------------| +| 1 | Default | 192.168.88.0/24 | 192.168.88.1 | Current LAN (transition) | Default | +| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | Port-based | +| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family devices | RADIUS MAC auth | +| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices | RADIUS MAC auth | +| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | RADIUS MAC auth | +| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | Port-based | +| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Services | Port-based | +| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Unknown/Guest devices | RADIUS default | + +### Assignment Strategy + +- **Port-based:** Wired devices with dedicated ports (Unraid, cameras) +- **RADIUS MAC auth:** WiFi devices - MikroTik User Manager assigns VLAN based on MAC +- **Default VLAN 50:** Unknown devices get internet-only access + +--- + +## Current Configuration Status + +### VLAN 10 - Management (IN PROGRESS) + +**Status:** Configured, waiting for Unraid to renew DHCP + +**What's Done:** +- [x] VLAN interface created: `vlan10-mgmt` +- [x] IP assigned: 
`192.168.10.1/24` +- [x] DHCP pool: `192.168.10.100-192.168.10.200` +- [x] DHCP server: `dhcp-mgmt` (DNS: 8.8.8.8) +- [x] Static leases created for VLAN 10 devices +- [x] Bridge VLAN table configured +- [x] ether4/ether5 PVID set to 10 +- [x] VLAN filtering enabled on bridge + +**What's Pending:** +- [ ] Unraid needs to renew DHCP to get 192.168.10.20 +- [ ] Verify Unraid connectivity on new IP +- [ ] Update Unraid SSH connection string in CLAUDE.md + +**Bridge VLAN Table:** +``` +VLAN 1: tagged=bridge, untagged=ether2,ether3,wifi1,wifi2 +VLAN 10: tagged=bridge, untagged=ether4,ether5 +``` + +**Bridge Ports:** +``` +ether2: PVID=1 (CAP) +ether3: PVID=1 (CSS326) +ether4: PVID=10 (Unraid) +ether5: PVID=10 (Unraid) +wifi1: PVID=1 (XTRM 5GHz) +wifi2: PVID=1 (XTRM2 2.4GHz) +``` + +### VLAN 10 Static Leases + +| IP | MAC | Device | Status | +|----|-----|--------|--------| +| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | Waiting | +| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 | Waiting | +| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | Waiting | +| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | Waiting | +| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U Unraid | Waiting | + +### User Manager (Installed, Not Configured) + +**Status:** Package installed, not enabled + +**Purpose:** RADIUS server for MAC-based VLAN assignment on WiFi + +**Next Steps:** +1. Enable User Manager +2. Add router as RADIUS client (NAS) +3. Create user entries with MAC addresses and VLAN attributes +4. Configure WiFi for RADIUS MAC authentication +5. 
Set default VLAN 50 for unknown MACs + +--- + +## Device Inventory by VLAN + +### VLAN 10 - Management (5 devices) + +| Target IP | MAC | Device | Connection | +|-----------|-----|--------|------------| +| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | ether2 via PP1 | +| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 | ether3 | +| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | Container | +| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | CSS326 port | +| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U Unraid | ether4/5 | + +### VLAN 20 - Trusted (5 devices) + +| Target IP | MAC | Device | Owner | +|-----------|-----|--------|-------| +| 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | +| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | +| 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan | +| 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | +| 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | + +### VLAN 25 - Kids (4 devices) + +| Target IP | MAC | Device | Owner | +|-----------|-----|--------|-------| +| 192.168.25.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | +| 192.168.25.14 | 90:91:64:70:0D:86 | Notebook | Kimi | +| 192.168.25.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | +| 192.168.25.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | + +### VLAN 30 - IoT (12 devices) + +| Target IP | MAC | Device | +|-----------|-----|--------| +| 192.168.30.10 | 50:2C:C6:7A:55:39 | GREE AC | +| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV (LAN) | +| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV (WiFi) | +| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | +| 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock Vacuum | +| 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Oven | +| 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | +| 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | +| 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Device 1 | +| 192.168.30.32 | 38:1F:8D:04:6F:E4 | Tuya Device 2 | +| 192.168.30.38 | D4:AD:FC:BE:13:B0 | Intellirocks | +| 
192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | + +### VLAN 35 - Cameras (1 device) + +| Target IP | MAC | Device | +|-----------|-----|--------| +| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | + +### VLAN 40 - Servers (1 device) + +| Target IP | MAC | Device | +|-----------|-----|--------| +| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | + +### VLAN 50 - Guest/Unknown (4 devices) + +| Target IP | MAC | Notes | +|-----------|-----|-------| +| 192.168.50.10 | AC:87:A3:77:8F:BD | Unknown Apple device | +| 192.168.50.11 | 22:4C:7F:1D:85:8E | Random MAC (privacy) | +| 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown | +| 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown | + +--- + +## Useful Commands + +### Check VLAN Status +```routeros +/interface vlan print +/interface bridge vlan print detail +/interface bridge port print +/interface bridge print where name=bridge +``` + +### Check DHCP Leases +```routeros +/ip dhcp-server lease print +/ip dhcp-server lease print where server=dhcp-mgmt +``` + +### Check User Manager +```routeros +/user-manager print +/user-manager user print +/user-manager router print +``` + +### Rollback VLAN Filtering +```routeros +/interface bridge set bridge vlan-filtering=no +``` + +### Force DHCP Renewal on Unraid +```bash +# On Unraid terminal +/etc/rc.d/rc.inet1 restart +# Or +dhclient -r eth0 && dhclient eth0 +``` + +--- + +## Next Steps (In Order) + +1. **Complete VLAN 10 Setup** + - Restart network on Unraid to get new IP (192.168.10.20) + - Verify connectivity + - Update CLAUDE.md with new Unraid IP + +2. **Configure User Manager for RADIUS** + - Enable User Manager + - Add router as NAS (RADIUS client) + - Configure WiFi for MAC authentication + +3. 
**Create Other VLANs** + - VLAN 20 (Trusted) - interface, DHCP, firewall + - VLAN 25 (Kids) - interface, DHCP, firewall + - VLAN 30 (IoT) - interface, DHCP, firewall + - VLAN 35 (Cameras) - interface, DHCP, firewall + - VLAN 40 (Servers) - interface, DHCP, firewall + - VLAN 50 (Guest) - interface, DHCP, firewall (default for unknown) + +4. **Add MAC-VLAN Mappings to User Manager** + - Add all trusted device MACs → VLAN 20 + - Add all kids device MACs → VLAN 25 + - Add all IoT device MACs → VLAN 30 + - Default (no match) → VLAN 50 + +5. **Configure Inter-VLAN Firewall Rules** + - Management → All (full access) + - Trusted → IoT, Cameras, Servers (control) + - Kids → Limited (parental controls) + - IoT → Internet only + - Cameras → Isolated + - Guest → Internet only + +6. **Test and Verify** + - Test each VLAN connectivity + - Test inter-VLAN access rules + - Test unknown device goes to VLAN 50 + +--- + +## Firewall Rules (Planned) + +```routeros +# Allow established/related +/ip firewall filter add chain=forward connection-state=established,related action=accept + +# Management can access everything +/ip firewall filter add chain=forward src-address=192.168.10.0/24 action=accept + +# Trusted can access IoT, Cameras, Servers +/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.30.0/24 action=accept +/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.35.0/24 action=accept +/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.40.0/24 action=accept + +# IoT - Internet only (block inter-VLAN) +/ip firewall filter add chain=forward src-address=192.168.30.0/24 dst-address=192.168.0.0/16 action=drop + +# Cameras - Isolated +/ip firewall filter add chain=forward src-address=192.168.35.0/24 dst-address=192.168.0.0/16 action=drop + +# Guest - Internet only +/ip firewall filter add chain=forward src-address=192.168.50.0/24 dst-address=192.168.0.0/16 action=drop + +# Drop all 
other inter-VLAN +/ip firewall filter add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop +``` + +--- + +## Incident Log + +### 2026-01-28: Network Outage After VLAN Filtering Enabled + +**Timeline:** +1. VLAN 10 interface, DHCP, static leases configured +2. Bridge VLAN table configured (VLAN 1 and VLAN 10) +3. ether4/ether5 PVID set to 10 +4. VLAN filtering enabled +5. **Result:** All non-VLAN 10 devices lost connectivity + +**Symptoms:** +- WiFi devices: No DHCP assignment +- CSS326 connected devices: No DHCP assignment +- Manual IP configuration: Still no internet +- VLAN 10 devices (Unraid): Working correctly + +**Suspected Cause:** +- Bridge VLAN table may not have been properly configured for VLAN 1 +- NAT masquerade may not have been applied to VLAN 1 traffic +- Possible missing egress tagging configuration + +**Resolution:** Manual fix by user (details TBD) + +**Lessons Learned:** +1. **ALWAYS** test VLAN config on a single device first before enabling filtering +2. **ALWAYS** ask for explicit user confirmation before enabling VLAN filtering +3. Have rollback command ready: `/interface bridge set bridge vlan-filtering=no` +4. Keep WinBox/MAC-based access available for recovery +5. 
Document exact state before making changes + +--- + +## Pre-Change Checklist (MANDATORY) + +Before enabling VLAN filtering, verify: + +- [ ] Bridge VLAN table has VLAN 1 with all non-VLAN ports as untagged +- [ ] Bridge itself is tagged in all VLANs +- [ ] NAT masquerade rule covers all internal networks +- [ ] DHCP servers exist for all active VLANs +- [ ] Static routes/addresses configured if needed +- [ ] WinBox or MAC-based access available for recovery +- [ ] User has confirmed they are ready for potential outage +- [ ] Rollback command documented: `/interface bridge set bridge vlan-filtering=no` + +--- + +## Reference Documents + +- `docs/03-VLAN-DEVICE-ASSIGNMENT.md` - Full device inventory +- `docs/04-VLAN-MIGRATION-PLAN.md` - Original migration plan +- `docs/11-VLAN-IMPLEMENTATION.md` - VLAN architecture overview +- `docs/wip/VLAN-PROPOSAL.md` - Initial proposal diff --git a/docs/13-VLAN-SETUP-PLAN-V2.md b/docs/13-VLAN-SETUP-PLAN-V2.md new file mode 100644 index 0000000..b6a85d1 --- /dev/null +++ b/docs/13-VLAN-SETUP-PLAN-V2.md 
@@ -0,0 +1,594 @@ +# VLAN Setup Plan v2 - Critical Approach + +**Created:** 2026-01-28 +**Status:** PLANNING +**Approach:** Step-by-step with verification before each change + +--- + +## CRITICAL RULES + +1. **NO CHANGES WITHOUT EXPLICIT USER APPROVAL** +2. **VERIFY current state before each step** +3. **TEST after each step before proceeding** +4. **HAVE ROLLBACK ready for each step** +5. **STOP and assess if anything unexpected happens** + +--- + +## Prerequisites + +- Router: MikroTik hAP ax³ (freshly reset to factory defaults) +- Current IP: 192.168.88.1 (factory default) +- Access: WinBox or physical console available for recovery + +--- + +## Phase 1: Basic Router Setup + +### Step 1.1: Create User `xtrm` + +**Action:** +```routeros +/user add name=xtrm password=M0stW4nt3d@xtrm group=full +``` + +**Verification:** +```routeros +/user print +``` + +**Expected Result:** +- User `xtrm` exists with group `full` + +**Rollback:** +```routeros +/user remove xtrm +``` + +--- + +### Step 1.2: Change SSH Port to 2222 + +**Action:** +```routeros +/ip service set ssh port=2222 +``` + +**Verification:** +```routeros +/ip service print where name=ssh +``` + +**Expected Result:** +- SSH service on port 2222 + +**Rollback:** +```routeros +/ip service set ssh port=22 +``` + +**Test:** SSH to router on port 2222 + +--- + +### Step 1.3: Import SSH Key for User `xtrm` + +**Prerequisite:** Upload `mikrotik_key.pub` to router via WinBox Files + +**Action:** +```routeros +/user ssh-keys import public-key-file=mikrotik_key.pub user=xtrm +``` + +**Verification:** +```routeros +/user ssh-keys print +``` + +**Expected Result:** +- SSH key associated with user `xtrm` + +**Test:** SSH with key authentication (no password) + +--- + +## Phase 2: WiFi & CAPsMAN Setup + +### Step 2.1: Create Security Profiles + +**Action:** +```routeros +# For XTRM (5GHz) - High security +/interface wifi security add name=sec-xtrm authentication-types=wpa2-psk,wpa3-psk passphrase=M0stW4nt3d@home + +# For 
XTRM2 (2.4GHz) - IoT compatibility +/interface wifi security add name=sec-xtrm2 authentication-types=wpa-psk,wpa2-psk passphrase=M0stW4nt3d@IoT +``` + +**Verification:** +```routeros +/interface wifi security print +``` + +**Expected Result:** +- `sec-xtrm`: WPA2-PSK + WPA3-PSK +- `sec-xtrm2`: WPA-PSK + WPA2-PSK (for old devices) + +--- + +### Step 2.2: Create Configuration Profiles + +**Action:** +```routeros +/interface wifi configuration add name=cfg-xtrm ssid=XTRM security=sec-xtrm country=Bulgaria +/interface wifi configuration add name=cfg-xtrm2 ssid=XTRM2 security=sec-xtrm2 country=Bulgaria +``` + +**Verification:** +```routeros +/interface wifi configuration print +``` + +--- + +### Step 2.3: Apply WiFi to Local Radios + +**Action:** +```routeros +# wifi1 = 5GHz radio → XTRM +/interface wifi set wifi1 configuration=cfg-xtrm configuration.ssid=XTRM disabled=no + +# wifi2 = 2.4GHz radio → XTRM2 +/interface wifi set wifi2 configuration=cfg-xtrm2 configuration.ssid=XTRM2 disabled=no +``` + +**Verification:** +```routeros +/interface wifi print +``` + +**Test:** Connect a device to each SSID, verify internet works + +--- + +### Step 2.4: Enable CAPsMAN + +**Action:** +```routeros +/interface wifi capsman set enabled=yes interfaces=bridge +``` + +**Verification:** +```routeros +/interface wifi capsman print +``` + +--- + +### Step 2.5: Create CAPsMAN Provisioning Rules + +**Action:** +```routeros +# For 5GHz radios → XTRM +/interface wifi provisioning add action=create-dynamic-enabled master-configuration=cfg-xtrm supported-bands=5ghz-a,5ghz-n,5ghz-ac + +# For 2.4GHz radios → XTRM2 +/interface wifi provisioning add action=create-dynamic-enabled master-configuration=cfg-xtrm2 supported-bands=2ghz-g,2ghz-n +``` + +**Verification:** +```routeros +/interface wifi provisioning print +``` + +--- + +### Step 2.6: Configure CAP to Join CAPsMAN + +**On CAP device (192.168.88.250 or via WinBox):** +```routeros +/interface wifi cap set enabled=yes 
discovery-interfaces=bridge caps-man-addresses="" +``` + +**Verification on HAP:** +```routeros +/interface wifi capsman remote-cap print +/interface wifi radio print +``` + +**Expected Result:** +- CAP appears as connected +- CAP radios show up (cap-wifi1, cap-wifi2) + +**Test:** Connect device to XTRM/XTRM2 via CAP, verify internet + +--- + +## Phase 3: Install Additional Packages + +### Step 3.1: Install User Manager and Container Packages + +**Action:** +1. Download packages from MikroTik website (arm64, version 7.21.1) +2. Upload to router via WinBox: + - `user-manager-7.21.1-arm64.npk` + - `container-7.21.1-arm64.npk` (if not already installed) +3. Reboot router + +**Verification after reboot:** +```routeros +/system package print +``` + +**Expected Result:** +- `user-manager` package listed +- `container` package listed + +--- + +## Phase 4: Network Reconfiguration (CRITICAL) + +### Step 4.0: Pre-Change Verification + +**Before ANY changes, verify current state:** +```routeros +echo "=== CURRENT STATE ===" +/ip address print +/ip pool print +/ip dhcp-server print +/ip dhcp-server network print +/interface bridge print +/interface bridge port print +/interface bridge vlan print +/ip firewall nat print +``` + +**Document the output before proceeding!** + +--- + +### Step 4.1: Change Network to 192.168.31.0/24 + +**Current:** 192.168.88.0/24 (factory default) +**Target:** 192.168.31.0/24 + +**Action (all in one command block to minimize disruption):** +```routeros +/ip address set [find where address~"192.168.88"] address=192.168.31.1/24 +/ip pool set [find where name="default-dhcp"] ranges=192.168.31.100-192.168.31.254 +/ip dhcp-server network set [find where address="192.168.88.0/24"] address=192.168.31.0/24 gateway=192.168.31.1 dns-server=8.8.8.8 +``` + +**After change:** Reconnect to WiFi to get new IP + +**Verification:** +```routeros +/ip address print +/ip pool print +/ip dhcp-server network print +/ping 8.8.8.8 count=2 +``` + +**Test:** Browse internet 
from connected device + +--- + +### Step 4.2: Create VLAN40 Interface (Catch-All) + +**IMPORTANT:** Do NOT move IP to VLAN interface yet! + +**Action:** +```routeros +/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40 +``` + +**Verification:** +```routeros +/interface vlan print +``` + +**Expected Result:** +- `vlan40-catchall` interface exists +- Network still works (IP still on bridge) + +--- + +### Step 4.3: Add VLAN40 to Bridge VLAN Table + +**Action:** +```routeros +/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,wifi1,wifi2 +``` + +**Verification:** +```routeros +/interface bridge vlan print detail +``` + +--- + +### Step 4.4: Create VLAN40 DHCP Infrastructure + +**Action:** +```routeros +# Create pool for VLAN40 +/ip pool add name=pool-vlan40 ranges=192.168.31.100-192.168.31.254 + +# Add IP to VLAN40 interface (SECOND IP - keep bridge IP!) +/ip address add address=192.168.31.1/24 interface=vlan40-catchall + +# This will show warning about duplicate - that's expected for now +``` + +**Verification:** +```routeros +/ip address print +``` + +**Expected:** TWO entries for 192.168.31.1 (bridge AND vlan40) + +--- + +### Step 4.5: STOP AND VERIFY + +**Before enabling VLAN filtering:** + +1. Can you ping 192.168.31.1? +2. Can you access router via SSH? +3. Can you access router via WinBox? +4. Is internet working? 
+ +**If ANY answer is NO - STOP and troubleshoot!** + +--- + +### Step 4.6: Enable VLAN Filtering (REQUIRES EXPLICIT USER APPROVAL) + +⚠️ **THIS STEP REQUIRES USER TO TYPE "APPROVED" BEFORE EXECUTION** ⚠️ + +**Pre-flight checks:** +```routeros +/interface bridge vlan print detail +/interface bridge port print +``` + +**Ensure:** +- VLAN 40 has all current ports as untagged +- Bridge is tagged in VLAN 40 + +**Action:** +```routeros +/interface bridge set bridge vlan-filtering=yes +``` + +**Immediate verification:** +```routeros +/ping 8.8.8.8 count=2 +``` + +**If ping fails - IMMEDIATELY rollback:** +```routeros +/interface bridge set bridge vlan-filtering=no +``` + +--- + +### Step 4.7: Post-Activation Cleanup + +**Only after confirming VLAN filtering works:** + +1. Move DHCP server to VLAN40 interface: +```routeros +/ip dhcp-server set defconf interface=vlan40-catchall +``` + +2. Remove duplicate IP from bridge: +```routeros +/ip address remove [find where interface=bridge and address~"192.168.31"] +``` + +**Verification:** +```routeros +/ip address print +/ip dhcp-server print +``` + +--- + +## Phase 5: Create VLAN10 (Management - Port Based) + +### Step 5.1: Create VLAN10 Interface + +**Action:** +```routeros +/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10 +/ip address add address=192.168.10.1/24 interface=vlan10-mgmt +``` + +--- + +### Step 5.2: Create VLAN10 DHCP + +**Action:** +```routeros +/ip pool add name=pool-mgmt ranges=192.168.10.100-192.168.10.200 +/ip dhcp-server add address-pool=pool-mgmt interface=vlan10-mgmt name=dhcp-mgmt +/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8 +``` + +--- + +### Step 5.3: Create VLAN10 Static Leases + +**Action:** +```routeros +/ip dhcp-server lease +add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-mgmt +add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-mgmt +add address=192.168.10.10 
mac-address=02:42:C0:A8:1F:04 comment="AdGuard Unraid" server=dhcp-mgmt +add address=192.168.10.11 mac-address=48:DA:35:6F:BE:50 comment="NanoKVM" server=dhcp-mgmt +add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="XTRM-U Unraid" server=dhcp-mgmt +``` + +--- + +### Step 5.4: Configure Bridge for VLAN10 + +**Action:** +```routeros +# Add VLAN10 to bridge table - ether4/ether5 as untagged (Unraid ports) +/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5 + +# Set PVID on Unraid ports +/interface bridge port set [find interface=ether4] pvid=10 +/interface bridge port set [find interface=ether5] pvid=10 +``` + +--- + +### Step 5.5: STOP AND TEST VLAN10 + +⚠️ **REQUIRES USER APPROVAL TO PROCEED** ⚠️ + +**Test:** +1. Unraid should get IP 192.168.10.20 +2. Unraid should have internet access +3. Other devices still work on VLAN40 + +--- + +## Phase 6: Create Remaining VLANs + +### VLAN Overview + +| VLAN | Name | Subnet | Purpose | Assignment | +|------|------|--------|---------|------------| +| 10 | Management | 192.168.10.0/24 | Infrastructure | Port-based | +| 20 | Trusted | 192.168.20.0/24 | Family devices | RADIUS | +| 25 | Kids | 192.168.25.0/24 | Kids devices | RADIUS | +| 30 | IoT | 192.168.30.0/24 | Smart home | RADIUS | +| 35 | Cameras | 192.168.35.0/24 | Security | Port-based | +| 40 | Catch-All | 192.168.31.0/24 | Default/Unknown | Default | + +### Step 6.1-6.4: Create Each VLAN + +**Repeat for each VLAN (20, 25, 30, 35):** + +```routeros +# Create interface +/interface vlan add interface=bridge name=vlanXX-name vlan-id=XX + +# Add IP +/ip address add address=192.168.XX.1/24 interface=vlanXX-name + +# Create pool +/ip pool add name=pool-vlanXX ranges=192.168.XX.100-192.168.XX.200 + +# Create DHCP server +/ip dhcp-server add address-pool=pool-vlanXX interface=vlanXX-name name=dhcp-vlanXX + +# Create DHCP network +/ip dhcp-server network add address=192.168.XX.0/24 gateway=192.168.XX.1 dns-server=8.8.8.8 + +# 
Add to bridge VLAN table (tagged only - RADIUS will assign) +/interface bridge vlan add bridge=bridge vlan-ids=XX tagged=bridge +``` + +--- + +## Phase 7: Configure User Manager (RADIUS) + +### Step 7.1: Enable User Manager + +```routeros +/user-manager set enabled=yes +``` + +### Step 7.2: Add Router as RADIUS Client + +```routeros +/user-manager router add name=local address=127.0.0.1 shared-secret=radius-secret +``` + +### Step 7.3: Add MAC-VLAN Mappings + +**For each device, add user with MAC and VLAN attribute:** + +```routeros +# Example for trusted device +/user-manager user add name=AA:ED:8B:2A:40:F1 password="" shared-users=1 +/user-manager user set [find name=AA:ED:8B:2A:40:F1] attributes="Tunnel-Type:VLAN,Tunnel-Medium-Type:IEEE-802,Tunnel-Private-Group-Id:20" +``` + +### Step 7.4: Configure WiFi for RADIUS + +```routeros +/interface wifi security set sec-xtrm radius=yes +/interface wifi security set sec-xtrm2 radius=yes +``` + +--- + +## Phase 8: Activation Plan + +### Step 8.1: Final Pre-Activation Checklist + +- [ ] All VLAN interfaces created +- [ ] All DHCP servers configured +- [ ] All static leases added +- [ ] User Manager configured with all MACs +- [ ] WiFi configured for RADIUS +- [ ] WinBox access verified +- [ ] Rollback command ready + +### Step 8.2: Staged Activation + +1. **Test VLAN10 only** (port-based, Unraid) +2. **Verify 24 hours** +3. **Test VLAN20** (one trusted device via RADIUS) +4. **Verify 24 hours** +5. 
**Enable remaining VLANs** + +--- + +## Rollback Commands + +**Disable VLAN filtering (emergency):** +```routeros +/interface bridge set bridge vlan-filtering=no +``` + +**Reset to factory:** +```routeros +/system reset-configuration no-defaults=no +``` + +--- + +## Device Inventory Reference + +See: `docs/03-VLAN-DEVICE-ASSIGNMENT.md` + +--- + +## Verification Commands + +```routeros +# Check VLAN status +/interface vlan print +/interface bridge vlan print detail +/interface bridge port print + +# Check DHCP +/ip dhcp-server print +/ip dhcp-server lease print + +# Check connectivity +/ping 8.8.8.8 count=3 +/ping 192.168.31.1 count=3 + +# Check User Manager +/user-manager user print +/user-manager router print +``` diff --git a/docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md b/docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md new file mode 100644 index 0000000..90475ea --- /dev/null +++ b/docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md 
@@ -0,0 +1,352 @@ +# VLAN Setup Plan v3 - Safe Mode Approach + +**Created:** 2026-01-31 +**Status:** PLANNING +**Approach:** Safe Mode with atomic commands for auto-rollback protection + +--- + +## Lessons Learned from Previous Failures + +1. **IP on bridge stops working** when VLAN filtering is enabled +2. **Duplicate same IP** on bridge + VLAN interface causes routing confusion +3. **VLAN interface doesn't receive traffic** until VLAN filtering is enabled +4. **Solution**: Use Safe Mode + atomic script execution + +--- + +## Prerequisites + +- Router: MikroTik hAP ax³ +- Current IP: 192.168.1.1/24 on bridge +- Access: WinBox connected via **MAC address** (not IP!) +- CAPsMAN: Already configured and working + +--- + +## Phase 1: Preparation (No Risk) + +### Step 1.1: Backup Current Configuration + +```routeros +/system backup save name=before-vlan-v3 +/export file=before-vlan-v3 +``` + +Download both files from WinBox → Files. + +### Step 1.2: Verify Current State + +```routeros +/ip address print +/interface bridge print +/interface bridge port print +/interface bridge vlan print +/ip dhcp-server print +``` + +**Expected:** +- IP 192.168.1.1/24 on bridge +- VLAN filtering = no +- No bridge VLANs configured + +--- + +## Phase 2: Create VLAN Infrastructure (Safe - No Filtering Yet) + +### Step 2.1: Create VLAN 40 Interface + +```routeros +/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40 +``` + +**Verify:** +```routeros +/interface vlan print +``` + +### Step 2.2: Add VLAN 40 to Bridge Table + +All LAN ports untagged, bridge tagged (for CPU access): + +```routeros +/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,ether4,ether5,wifi1,wifi2 +``` + +**Verify:** +```routeros +/interface bridge vlan print detail +``` + +### Step 2.3: Set PVID on All LAN Ports + +```routeros +/interface bridge port set [find interface=ether2] pvid=40 +/interface bridge port set [find interface=ether3] pvid=40 +/interface bridge 
port set [find interface=ether4] pvid=40 +/interface bridge port set [find interface=ether5] pvid=40 +/interface bridge port set [find interface=wifi1] pvid=40 +/interface bridge port set [find interface=wifi2] pvid=40 +``` + +**Verify:** +```routeros +/interface bridge port print +``` + +**Expected:** All ports show PVID=40 + +### Step 2.4: Add IP to VLAN Interface + +This creates a "duplicate" IP temporarily: + +```routeros +/ip address add address=192.168.1.1/24 interface=vlan40-catchall comment="VLAN40-Management" +``` + +**Verify:** +```routeros +/ip address print +``` + +**Expected:** Two entries for 192.168.1.1 (bridge and vlan40-catchall) + +### Step 2.5: Create VLAN40 DHCP Pool (if not exists) + +```routeros +/ip pool add name=pool-vlan40 ranges=192.168.1.10-192.168.1.250 +``` + +### Step 2.6: Verify Everything Before Critical Step + +```routeros +:put "=== VLAN Interface ===" +/interface vlan print +:put "=== Bridge VLANs ===" +/interface bridge vlan print detail +:put "=== Bridge Ports (check PVID) ===" +/interface bridge port print +:put "=== IP Addresses ===" +/ip address print +:put "=== Ping Test ===" +/ping 8.8.8.8 count=2 +``` + +**STOP HERE if anything is wrong!** + +--- + +## Phase 3: Enable VLAN Filtering (Critical - Use Safe Mode) + +### Step 3.1: Enter Safe Mode in WinBox + +1. In WinBox, press **Ctrl+X** +2. You'll see "Safe Mode" indicator in title bar +3. 
All changes will auto-rollback if connection is lost + +### Step 3.2: Create the Activation Script + +Create a script that does everything atomically: + +```routeros +/system script add name=activate-vlan source={ + # Enable VLAN filtering + /interface bridge set bridge vlan-filtering=yes + + # Move DHCP server to VLAN interface + /ip dhcp-server set [find name~"defconf"] interface=vlan40-catchall + + # Wait 2 seconds for changes to apply + :delay 2s + + # Remove duplicate IP from bridge (keep only VLAN interface IP) + /ip address remove [find interface=bridge and address~"192.168.1.1"] + + :put "VLAN activation complete" +} +``` + +### Step 3.3: Run the Script (While in Safe Mode!) + +```routeros +/system script run activate-vlan +``` + +### Step 3.4: Verify Immediately + +```routeros +/ping 8.8.8.8 count=3 +/ip address print +/interface bridge print +``` + +### Step 3.5: If Everything Works - Exit Safe Mode + +Press **Ctrl+X** again to confirm and save changes. + +### Step 3.6: If Connection Lost + +- Wait up to 10 minutes +- Router will auto-rollback to previous state +- Reconnect via WinBox (MAC address) + +--- + +## Phase 4: Verification + +### Step 4.1: Check All Settings + +```routeros +:put "=== Bridge VLAN Filtering ===" +/interface bridge print where name=bridge + +:put "=== IP Addresses ===" +/ip address print + +:put "=== DHCP Server ===" +/ip dhcp-server print + +:put "=== Internet Test ===" +/ping 8.8.8.8 count=3 +``` + +**Expected:** +- vlan-filtering=yes on bridge +- IP 192.168.1.1/24 ONLY on vlan40-catchall +- DHCP server on vlan40-catchall +- Internet working + +### Step 4.2: Test Client Connectivity + +From a device on the network: +1. Disconnect and reconnect WiFi +2. Check if you get IP from 192.168.1.x range +3. Test internet access + +--- + +## Phase 5: Add Additional VLANs (After VLAN40 is Stable) + +Wait 24-48 hours to ensure VLAN40 is stable before adding more VLANs. 
+ +### VLAN Overview + +| VLAN | Name | Subnet | Purpose | Assignment | +|------|------|--------|---------|------------| +| 10 | Management | 192.168.10.0/24 | Infrastructure | Port-based (ether4,5) | +| 20 | Trusted | 192.168.20.0/24 | Family devices | RADIUS | +| 25 | Kids | 192.168.25.0/24 | Kids devices | RADIUS | +| 30 | IoT | 192.168.30.0/24 | Smart home | RADIUS | +| 40 | Catch-All | 192.168.1.0/24 | Default/Unknown | Default | + +### Step 5.1: Create VLAN 10 (Management) + +```routeros +# Create VLAN interface +/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10 + +# Add IP +/ip address add address=192.168.10.1/24 interface=vlan10-mgmt + +# Add to bridge VLAN table - ether4/5 untagged for Unraid +/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5 + +# Update PVID on Unraid ports +/interface bridge port set [find interface=ether4] pvid=10 +/interface bridge port set [find interface=ether5] pvid=10 + +# Remove ether4/5 from VLAN40 +/interface bridge vlan set [find vlan-ids=40] untagged=ether2,ether3,wifi1,wifi2 + +# Create DHCP for VLAN10 +/ip pool add name=pool-vlan10 ranges=192.168.10.100-192.168.10.200 +/ip dhcp-server add address-pool=pool-vlan10 interface=vlan10-mgmt name=dhcp-vlan10 disabled=no +/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8 +``` + +### Step 5.2: Add Static Leases for VLAN10 + +```routeros +/ip dhcp-server lease +add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-vlan10 +add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-vlan10 +add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="Unraid" server=dhcp-vlan10 +``` + +--- + +## Rollback Commands + +### Emergency: Disable VLAN Filtering + +```routeros +/interface bridge set bridge vlan-filtering=no +``` + +### Full Rollback: Restore Backup + +```routeros +/system backup load name=before-vlan-v3 +``` + +### Factory 
Reset (Last Resort) + +Hold reset button while powering on until LEDs flash. + +--- + +## Safe Mode Quick Reference + +| Action | WinBox | CLI | +|--------|--------|-----| +| Enter Safe Mode | Ctrl+X | Ctrl+X | +| Exit & Save | Ctrl+X | Ctrl+X | +| Exit & Discard | Close WinBox | Ctrl+D | +| Auto-rollback | ~10 minutes | ~10 minutes | + +**Important:** Safe Mode only protects while you're connected. If disconnected, changes rollback automatically. + +--- + +## Checklist Before Enabling VLAN Filtering + +- [ ] Backup saved and downloaded +- [ ] WinBox connected via MAC (not IP) +- [ ] VLAN interface created +- [ ] Bridge tagged in VLAN table +- [ ] All ports have correct PVID +- [ ] IP added to VLAN interface +- [ ] Safe Mode entered (Ctrl+X) +- [ ] Ready to run activation script + +--- + +## Troubleshooting + +### Lost Connection After Enabling Filtering + +1. Wait 10 minutes for Safe Mode rollback +2. If no rollback: Connect via WinBox MAC discovery +3. Run: `/interface bridge set bridge vlan-filtering=no` + +### DHCP Not Working + +Check DHCP server interface: +```routeros +/ip dhcp-server print +``` +Should show `interface=vlan40-catchall` + +### Internet Not Working + +Check NAT: +```routeros +/ip firewall nat print +``` +Should have masquerade rule for WAN. + +### Devices Not Getting IP + +1. Check bridge VLAN table has ports as untagged +2. Check ports have correct PVID +3. Check DHCP pool has available addresses diff --git a/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md b/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md new file mode 100644 index 0000000..412bbd8 --- /dev/null +++ b/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md 
@@ -0,0 +1,332 @@ +# VLAN Setup Complete - Session Summary + +**Date:** 2026-01-31 +**Status:** COMPLETED +**Backup:** `vlan-setup-complete-2026-01-31.backup` and `.rsc` on router + +--- + +## Executive Summary + +Successfully implemented VLAN network segmentation on MikroTik hAP ax³ with: +- Port-based VLAN assignment for wired infrastructure +- MAC-based dynamic VLAN assignment for WiFi devices via access-list +- CAPsMAN configured for CAP XL ac management + +--- + +## Current Network Configuration + +### Router Access + +| Method | IP | Port | User | Notes | +|--------|-----|------|------|-------| +| WinBox | 192.168.10.1 | 8291 | xtrm | Primary management | +| WebFig | 192.168.10.1 | 80 | xtrm | Web interface | +| SSH | 192.168.10.1 | **2222** | xtrm | Key: ~/.ssh/mikrotik_key | +| WinBox | 192.168.1.1 | 8291 | xtrm | Via VLAN 40 | +| WinBox | 192.168.20.1 | 8291 | xtrm | Via VLAN 20 | + +**Important:** SSH is on port **2222**, not 22! + +### VLAN Structure (Implemented) + +| VLAN | Name | Subnet | Gateway | DHCP Pool | Status | +|------|------|--------|---------|-----------|--------| +| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | .100-.200 | ✅ Working | +| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | .100-.200 | ✅ Working | +| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | .100-.200 | ✅ Configured | +| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | .100-.200 | ✅ Configured | +| 40 | Catch-All | 192.168.1.0/24 | 192.168.1.1 | .10-.250 | ✅ Default | + +### Port Assignments + +``` +HAP ax³ Ports: +├── ether1: WAN (ISP DHCP) +├── ether2: CAP XL ac → VLAN 10 (PVID=10) +├── ether3: CSS326 switch → VLAN 10 (PVID=10) +├── ether4: Unraid eth1 → VLAN 10 (PVID=10) +├── ether5: Unraid eth2 → VLAN 10 (PVID=10) +├── wifi1: XTRM (5GHz) → Tagged VLANs 20,25,30,40 +└── wifi2: XTRM2 (2.4GHz) → Tagged VLANs 20,25,30,40 +``` + +### Bridge VLAN Table + +```routeros +# VLAN 10 - Management (port-based) +vlan-ids=10 tagged=bridge untagged=ether2,ether3,ether4,ether5 + +# VLAN 
20 - Trusted (WiFi MAC-based) +vlan-ids=20 tagged=bridge,wifi1,wifi2 + +# VLAN 25 - Kids (WiFi MAC-based) +vlan-ids=25 tagged=bridge,wifi1,wifi2 + +# VLAN 30 - IoT (WiFi MAC-based) +vlan-ids=30 tagged=bridge,wifi1,wifi2 + +# VLAN 40 - Catch-All (WiFi default) +vlan-ids=40 tagged=bridge untagged=wifi1,wifi2 +``` + +--- + +## WiFi Configuration + +### SSIDs + +| SSID | Band | Interface | Password | Security | +|------|------|-----------|----------|----------| +| XTRM | 5GHz | wifi1 | M0stW4nt3d@home | WPA2/WPA3 | +| XTRM2 | 2.4GHz | wifi2 | M0stW4nt3d@IoT | WPA2 | + +### WiFi Datapath (Critical for VLAN) + +```routeros +/interface wifi datapath +add name=dp-vlan bridge=bridge + +/interface wifi configuration +set cfg-xtrm datapath=dp-vlan +set cfg-xtrm2 datapath=dp-vlan +``` + +### WiFi Access-List (MAC-based VLAN Assignment) + +The access-list assigns VLANs based on client MAC address: + +```routeros +/interface wifi access-list + +# VLAN 20 - Trusted devices +add action=accept mac-address=AA:ED:8B:2A:40:F1 vlan-id=20 comment="Samsung S25 Ultra - Kaloyan" +add action=accept mac-address=CE:B8:11:EA:8D:55 vlan-id=20 comment="MacBook - Kaloyan" +add action=accept mac-address=BE:A7:95:87:19:4A vlan-id=20 comment="MacBook 5GHz - Kaloyan" + +# VLAN 25 - Kids devices +add action=accept mac-address=F2:B8:14:61:C8:27 vlan-id=25 comment="iPhone - Dancho" +add action=accept mac-address=90:91:64:70:0D:86 vlan-id=25 comment="Notebook - Kimi" +add action=accept mac-address=2A:2B:BA:86:D4:AF vlan-id=25 comment="iPhone - Kimi" + +# VLAN 30 - IoT devices +add action=accept mac-address=D0:E7:82:F7:65:DD vlan-id=30 comment="Chromecast" +add action=accept mac-address=94:27:70:1E:0C:EE vlan-id=30 comment="Bosch Oven" +add action=accept mac-address=C8:5C:CC:52:EA:53 vlan-id=30 comment="Xiaomi Air Purifier" +add action=accept mac-address=18:DE:50:5B:C8:A6 vlan-id=30 comment="Tuya Device 1" +add action=accept mac-address=38:1F:8D:04:6F:E4 vlan-id=30 comment="Tuya Device 2" +add 
action=accept mac-address=D4:AD:FC:BE:13:B0 vlan-id=30 comment="Intellirocks" + +# Default - VLAN 40 for unknown devices (MUST be last!) +add action=accept vlan-id=40 comment="Default - VLAN40" +``` + +**Important:** The default rule (no MAC specified) must be LAST in the list! + +--- + +## VLAN 10 Verified Devices + +| IP | MAC | Device | Status | +|----|-----|--------|--------| +| 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP ax³ (Gateway) | ✅ | +| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | ✅ | +| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 Switch | ✅ | +| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | ✅ | +| 192.168.10.20 | A8:B8:E0:02:B6:15 | Unraid Server | ✅ Verified | +| 192.168.10.199 | 48:DA:35:6F:BE:50 | NanoKVM | ✅ | + +--- + +## CAPsMAN Configuration + +```routeros +/interface wifi capsman +set enabled=yes interfaces=wifi1,wifi2 package-path="" upgrade-policy=suggest-same-version + +/interface wifi provisioning +add action=create-enabled master-configuration=cfg-xtrm name-format=identity slave-configurations=cfg-xtrm2 supported-bands=5ghz-ax +add action=create-enabled master-configuration=cfg-xtrm2 name-format=identity slave-configurations=cfg-xtrm supported-bands=2ghz-ax +``` + +--- + +## Critical Lessons Learned + +### 1. VLAN Filtering Breaks IP on Bridge +When you enable `vlan-filtering=yes` on the bridge: +- IP address on the bridge interface **stops working** +- You **must** have IP on the VLAN interface instead +- Never have same IP on both bridge and VLAN interface simultaneously + +### 2. Correct Order of Operations +``` +1. Create VLAN interfaces +2. Add IPs to VLAN interfaces (can have temporary duplicate) +3. Configure bridge VLAN table +4. Set port PVIDs +5. Add VLAN interfaces to firewall interface lists (LAN) +6. Enable VLAN filtering +7. Remove IP from bridge (if any duplicate) +8. Move DHCP server to VLAN interface +``` + +### 3. 
WiFi VLAN Assignment +- **Do NOT use** `action=query-radius` without configured RADIUS users +- **Use** WiFi datapath with `bridge=bridge` +- **Use** access-list with `vlan-id=XX` for MAC-based assignment +- WiFi interfaces must be **tagged** in bridge VLAN table for dynamic VLANs + +### 4. Firewall Interface Lists +After creating VLAN interfaces, add them to the LAN list: +```routeros +/interface list member add list=LAN interface=vlan10-mgmt +/interface list member add list=LAN interface=vlan20-trusted +/interface list member add list=LAN interface=vlan25-kids +/interface list member add list=LAN interface=vlan30-iot +/interface list member add list=LAN interface=vlan40-catchall +``` + +### 5. Safe Mode +- Enter with **Ctrl+X** in WinBox +- Changes auto-rollback if connection lost (~10 minutes) +- Exit and save with **Ctrl+X** again + +--- + +## Useful Commands + +### Verify VLAN Status +```routeros +/interface bridge print where name=bridge +/interface bridge vlan print detail +/interface bridge port print +/ip address print +``` + +### Check WiFi Clients and VLAN Assignment +```routeros +/interface wifi registration-table print +/interface wifi access-list print +``` + +### Check DHCP Leases per VLAN +```routeros +/ip dhcp-server lease print where server=dhcp-vlan10 +/ip dhcp-server lease print where server=dhcp-vlan20 +``` + +### Add New Device to Access-List +```routeros +/interface wifi access-list add action=accept mac-address=XX:XX:XX:XX:XX:XX vlan-id=20 comment="Device Name" place-before=[find comment="Default - VLAN40"] +``` + +### Emergency Rollback +```routeros +/interface bridge set bridge vlan-filtering=no +``` + +### Restore from Backup +```routeros +/system backup load name=vlan-setup-complete-2026-01-31 +``` + +--- + +## Pending Tasks + +1. **Configure CAP XL ac to join CAPsMAN** + - CAP is on VLAN 10 at 192.168.10.2 + - Needs provisioning to extend WiFi coverage + +2. 
**Configure CSS326 for VLAN Trunking** + - Switch is on VLAN 10 at 192.168.10.3 + - Needs VLAN configuration for room distribution + +3. **Add Remaining Devices to Access-List** + - As devices connect, add their MACs to appropriate VLANs + +4. **Configure Inter-VLAN Firewall Rules** + - Management → All (full access) + - Trusted → IoT (control smart home) + - IoT → Internet only (isolated) + - Guest → Internet only (isolated) + +5. **Test VLAN 25 (Kids) and VLAN 30 (IoT)** + - Connect devices and verify DHCP/internet + +--- + +## Connection Commands Reference + +### SSH to Unraid (VLAN 10) +```bash +ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422 +``` + +### SSH to MikroTik (port 2222!) +```bash +ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1 +``` + +### Quick Status from Unraid +```bash +ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422 "docker ps -a --format 'table {{.Names}}\t{{.Status}}'" +``` + +--- + +## Backup Files on Router + +| File | Size | Description | +|------|------|-------------| +| vlan-setup-complete-2026-01-31.backup | 177.6 KiB | Binary backup (full restore) | +| vlan-setup-complete-2026-01-31.rsc | 12.5 KiB | Script export (readable) | + +**Download via:** WinBox → Files → Select file → Download + +--- + +## Network Diagram (Current) + +``` + Internet + │ + ▼ +┌───────────────────────────────────────────────────────────────┐ +│ HAP ax³ (192.168.10.1) │ +│ RouterOS 7.21.1 │ +│ │ +│ VLAN 10: 192.168.10.0/24 (Management) │ +│ VLAN 20: 192.168.20.0/24 (Trusted) │ +│ VLAN 25: 192.168.25.0/24 (Kids) │ +│ VLAN 30: 192.168.30.0/24 (IoT) │ +│ VLAN 40: 192.168.1.0/24 (Catch-All/Default) │ +│ │ +│ ether2 ─┬─ CAP XL ac (192.168.10.2) │ +│ ether3 ─┼─ CSS326 (192.168.10.3) ─── NanoKVM (.199) │ +│ ether4 ─┼─ Unraid (192.168.10.20) │ +│ ether5 ─┘ │ +│ │ +│ wifi1 (XTRM 5GHz) ──┬── VLAN 20/25/30/40 via access-list │ +│ wifi2 (XTRM2 2.4GHz)─┘ │ +└───────────────────────────────────────────────────────────────┘ +``` + +--- + +## Session 
Timeline + +1. **CAPsMAN Setup** - Configured WiFi profiles (cfg-xtrm, cfg-xtrm2) and security +2. **Research** - Studied MikroTik forums for correct VLAN approach +3. **VLAN Infrastructure** - Created VLANs 10, 20, 25, 30, 40 with DHCP +4. **Safe Mode Implementation** - Used atomic script for VLAN filtering +5. **WiFi VLAN** - Configured datapath and access-list for MAC-based assignment +6. **Verification** - Tested connectivity on all VLANs +7. **Backup** - Created `vlan-setup-complete-2026-01-31` + +--- + +**Document Version:** 1.0 +**Last Updated:** 2026-01-31
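Review bot: the rollback guidance in the docs/14 hunk (the "Rollback Commands" section and "Troubleshooting - Lost Connection After Enabling Filtering") does not undo what the Step 3.2 activation script does: the script removes 192.168.1.1/24 from the bridge and leaves it only on vlan40-catchall, so after `/interface bridge set bridge vlan-filtering=no` the document's own Lesson 3 ("VLAN interface doesn't receive traffic until VLAN filtering is enabled") implies clients on untagged ports still cannot reach the gateway or the DHCP server. Suggest the emergency path also re-add the bridge address (`/ip address add address=192.168.1.1/24 interface=bridge`) and move the DHCP server back to the bridge, or state plainly that only the backup restore is a complete rollback. Two smaller points in the same hunk: the removal filter `[find interface=bridge and address~"192.168.1.1"]` uses `~`, which is a regex match, so it would also match 192.168.1.10 or 192.168.1.100 style addresses if one were ever added to the bridge; an exact `address="192.168.1.1/24"` is safer. And the address comment `comment="VLAN40-Management"` contradicts the interface name vlan40-catchall and the overview table, where VLAN 10 is the management VLAN; it will mislead whoever reads `/ip address print` later.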
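Review bot: the "SSIDs" table in the docs/15 hunk commits both WPA pre-shared keys in plaintext (`M0stW4nt3d@home`, `M0stW4nt3d@IoT`) to a file that also records the router's management IP, username, SSH port and private-key path, so anyone with read access to the repository or its history can join the networks. Drop the Password column (keep SSID, band, interface and security) and, since the values are already in git history, rotate both keys after the rewrite. Separately, the "Executive Summary" line "Successfully implemented VLAN network segmentation" overstates the current state: section 4 of "Critical Lessons Learned" places every VLAN interface in the same `LAN` interface list, the access-list ends with `add action=accept vlan-id=40` for any MAC not listed, and inter-VLAN firewall rules are still pending task 4, so nothing shown in this hunk restricts routing between an unknown WiFi client on VLAN 40 and the 192.168.10.0/24 management segment. A one-line caveat under "Executive Summary" or next to the default access-list rule would keep the document accurate until the firewall rules land.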