Add VLAN setup documentation - complete implementation

- docs/12-VLAN-SETUP-PROGRESS.md: Progress tracking during setup - docs/13-VLAN-SETUP-PLAN-V2.md: Initial VLAN plan - docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md: Safe mode approach - docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md: Final session summary VLANs implemented: - VLAN 10: Management (192.168.10.0/24) - port-based - VLAN 20: Trusted (192.168.20.0/24) - WiFi MAC-based - VLAN 25: Kids (192.168.25.0/24) - WiFi MAC-based - VLAN 30: IoT (192.168.30.0/24) - WiFi MAC-based - VLAN 40: Catch-All (192.168.1.0/24) - default Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 10:40:58 +02:00
parent 380dc84d61
commit e9572ae166
5 changed files with 1691 additions and 2 deletions
--- a/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md
+++ b/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md
@@ -0,0 +1,332 @@
+# VLAN Setup Complete - Session Summary
+
+**Date:** 2026-01-31
+**Status:** COMPLETED
+**Backup:** `vlan-setup-complete-2026-01-31.backup` and `.rsc` on router
+
+---
+
+## Executive Summary
+
+Successfully implemented VLAN network segmentation on MikroTik hAP ax³ with:
+- Port-based VLAN assignment for wired infrastructure
+- MAC-based dynamic VLAN assignment for WiFi devices via access-list
+- CAPsMAN configured for CAP XL ac management
+
+---
+
+## Current Network Configuration
+
+### Router Access
+
+| Method | IP | Port | User | Notes |
+|--------|-----|------|------|-------|
+| WinBox | 192.168.10.1 | 8291 | xtrm | Primary management |
+| WebFig | 192.168.10.1 | 80 | xtrm | Web interface |
+| SSH | 192.168.10.1 | **2222** | xtrm | Key: ~/.ssh/mikrotik_key |
+| WinBox | 192.168.1.1 | 8291 | xtrm | Via VLAN 40 |
+| WinBox | 192.168.20.1 | 8291 | xtrm | Via VLAN 20 |
+
+**Important:** SSH is on port **2222**, not 22!
+
+### VLAN Structure (Implemented)
+
+| VLAN | Name | Subnet | Gateway | DHCP Pool | Status |
+|------|------|--------|---------|-----------|--------|
+| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | .100-.200 | ✅ Working |
+| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | .100-.200 | ✅ Working |
+| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | .100-.200 | ✅ Configured |
+| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | .100-.200 | ✅ Configured |
+| 40 | Catch-All | 192.168.1.0/24 | 192.168.1.1 | .10-.250 | ✅ Default |
+
+### Port Assignments
+
+```
+HAP ax³ Ports:
+├── ether1: WAN (ISP DHCP)
+├── ether2: CAP XL ac → VLAN 10 (PVID=10)
+├── ether3: CSS326 switch → VLAN 10 (PVID=10)
+├── ether4: Unraid eth1 → VLAN 10 (PVID=10)
+├── ether5: Unraid eth2 → VLAN 10 (PVID=10)
+├── wifi1: XTRM (5GHz) → Tagged VLANs 20,25,30,40
+└── wifi2: XTRM2 (2.4GHz) → Tagged VLANs 20,25,30,40
+```
+
+### Bridge VLAN Table
+
+```routeros
+# VLAN 10 - Management (port-based)
+vlan-ids=10 tagged=bridge untagged=ether2,ether3,ether4,ether5
+
+# VLAN 20 - Trusted (WiFi MAC-based)
+vlan-ids=20 tagged=bridge,wifi1,wifi2
+
+# VLAN 25 - Kids (WiFi MAC-based)
+vlan-ids=25 tagged=bridge,wifi1,wifi2
+
+# VLAN 30 - IoT (WiFi MAC-based)
+vlan-ids=30 tagged=bridge,wifi1,wifi2
+
+# VLAN 40 - Catch-All (WiFi default)
+vlan-ids=40 tagged=bridge untagged=wifi1,wifi2
+```
+
+---
+
+## WiFi Configuration
+
+### SSIDs
+
+| SSID | Band | Interface | Password | Security |
+|------|------|-----------|----------|----------|
+| XTRM | 5GHz | wifi1 | M0stW4nt3d@home | WPA2/WPA3 |
+| XTRM2 | 2.4GHz | wifi2 | M0stW4nt3d@IoT | WPA2 |
+
+### WiFi Datapath (Critical for VLAN)
+
+```routeros
+/interface wifi datapath
+add name=dp-vlan bridge=bridge
+
+/interface wifi configuration
+set cfg-xtrm datapath=dp-vlan
+set cfg-xtrm2 datapath=dp-vlan
+```
+
+### WiFi Access-List (MAC-based VLAN Assignment)
+
+The access-list assigns VLANs based on client MAC address:
+
+```routeros
+/interface wifi access-list
+
+# VLAN 20 - Trusted devices
+add action=accept mac-address=AA:ED:8B:2A:40:F1 vlan-id=20 comment="Samsung S25 Ultra - Kaloyan"
+add action=accept mac-address=CE:B8:11:EA:8D:55 vlan-id=20 comment="MacBook - Kaloyan"
+add action=accept mac-address=BE:A7:95:87:19:4A vlan-id=20 comment="MacBook 5GHz - Kaloyan"
+
+# VLAN 25 - Kids devices
+add action=accept mac-address=F2:B8:14:61:C8:27 vlan-id=25 comment="iPhone - Dancho"
+add action=accept mac-address=90:91:64:70:0D:86 vlan-id=25 comment="Notebook - Kimi"
+add action=accept mac-address=2A:2B:BA:86:D4:AF vlan-id=25 comment="iPhone - Kimi"
+
+# VLAN 30 - IoT devices
+add action=accept mac-address=D0:E7:82:F7:65:DD vlan-id=30 comment="Chromecast"
+add action=accept mac-address=94:27:70:1E:0C:EE vlan-id=30 comment="Bosch Oven"
+add action=accept mac-address=C8:5C:CC:52:EA:53 vlan-id=30 comment="Xiaomi Air Purifier"
+add action=accept mac-address=18:DE:50:5B:C8:A6 vlan-id=30 comment="Tuya Device 1"
+add action=accept mac-address=38:1F:8D:04:6F:E4 vlan-id=30 comment="Tuya Device 2"
+add action=accept mac-address=D4:AD:FC:BE:13:B0 vlan-id=30 comment="Intellirocks"
+
+# Default - VLAN 40 for unknown devices (MUST be last!)
+add action=accept vlan-id=40 comment="Default - VLAN40"
+```
+
+**Important:** The default rule (no MAC specified) must be LAST in the list!
+
+---
+
+## VLAN 10 Verified Devices
+
+| IP | MAC | Device | Status |
+|----|-----|--------|--------|
+| 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP ax³ (Gateway) | ✅ |
+| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | ✅ |
+| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 Switch | ✅ |
+| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | ✅ |
+| 192.168.10.20 | A8:B8:E0:02:B6:15 | Unraid Server | ✅ Verified |
+| 192.168.10.199 | 48:DA:35:6F:BE:50 | NanoKVM | ✅ |
+
+---
+
+## CAPsMAN Configuration
+
+```routeros
+/interface wifi capsman
+set enabled=yes interfaces=wifi1,wifi2 package-path="" upgrade-policy=suggest-same-version
+
+/interface wifi provisioning
+add action=create-enabled master-configuration=cfg-xtrm name-format=identity slave-configurations=cfg-xtrm2 supported-bands=5ghz-ax
+add action=create-enabled master-configuration=cfg-xtrm2 name-format=identity slave-configurations=cfg-xtrm supported-bands=2ghz-ax
+```
+
+---
+
+## Critical Lessons Learned
+
+### 1. VLAN Filtering Breaks IP on Bridge
+When you enable `vlan-filtering=yes` on the bridge:
+- IP address on the bridge interface **stops working**
+- You **must** have IP on the VLAN interface instead
+- Never have same IP on both bridge and VLAN interface simultaneously
+
+### 2. Correct Order of Operations
+```
+1. Create VLAN interfaces
+2. Add IPs to VLAN interfaces (can have temporary duplicate)
+3. Configure bridge VLAN table
+4. Set port PVIDs
+5. Add VLAN interfaces to firewall interface lists (LAN)
+6. Enable VLAN filtering
+7. Remove IP from bridge (if any duplicate)
+8. Move DHCP server to VLAN interface
+```
+
+### 3. WiFi VLAN Assignment
+- **Do NOT use** `action=query-radius` without configured RADIUS users
+- **Use** WiFi datapath with `bridge=bridge`
+- **Use** access-list with `vlan-id=XX` for MAC-based assignment
+- WiFi interfaces must be **tagged** in bridge VLAN table for dynamic VLANs
+
+### 4. Firewall Interface Lists
+After creating VLAN interfaces, add them to the LAN list:
+```routeros
+/interface list member add list=LAN interface=vlan10-mgmt
+/interface list member add list=LAN interface=vlan20-trusted
+/interface list member add list=LAN interface=vlan25-kids
+/interface list member add list=LAN interface=vlan30-iot
+/interface list member add list=LAN interface=vlan40-catchall
+```
+
+### 5. Safe Mode
+- Enter with **Ctrl+X** in WinBox
+- Changes auto-rollback if connection lost (~10 minutes)
+- Exit and save with **Ctrl+X** again
+
+---
+
+## Useful Commands
+
+### Verify VLAN Status
+```routeros
+/interface bridge print where name=bridge
+/interface bridge vlan print detail
+/interface bridge port print
+/ip address print
+```
+
+### Check WiFi Clients and VLAN Assignment
+```routeros
+/interface wifi registration-table print
+/interface wifi access-list print
+```
+
+### Check DHCP Leases per VLAN
+```routeros
+/ip dhcp-server lease print where server=dhcp-vlan10
+/ip dhcp-server lease print where server=dhcp-vlan20
+```
+
+### Add New Device to Access-List
+```routeros
+/interface wifi access-list add action=accept mac-address=XX:XX:XX:XX:XX:XX vlan-id=20 comment="Device Name" place-before=[find comment="Default - VLAN40"]
+```
+
+### Emergency Rollback
+```routeros
+/interface bridge set bridge vlan-filtering=no
+```
+
+### Restore from Backup
+```routeros
+/system backup load name=vlan-setup-complete-2026-01-31
+```
+
+---
+
+## Pending Tasks
+
+1. **Configure CAP XL ac to join CAPsMAN**
+   - CAP is on VLAN 10 at 192.168.10.2
+   - Needs provisioning to extend WiFi coverage
+
+2. **Configure CSS326 for VLAN Trunking**
+   - Switch is on VLAN 10 at 192.168.10.3
+   - Needs VLAN configuration for room distribution
+
+3. **Add Remaining Devices to Access-List**
+   - As devices connect, add their MACs to appropriate VLANs
+
+4. **Configure Inter-VLAN Firewall Rules**
+   - Management → All (full access)
+   - Trusted → IoT (control smart home)
+   - IoT → Internet only (isolated)
+   - Guest → Internet only (isolated)
+
+5. **Test VLAN 25 (Kids) and VLAN 30 (IoT)**
+   - Connect devices and verify DHCP/internet
+
+---
+
+## Connection Commands Reference
+
+### SSH to Unraid (VLAN 10)
+```bash
+ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422
+```
+
+### SSH to MikroTik (port 2222!)
+```bash
+ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1
+```
+
+### Quick Status from Unraid
+```bash
+ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422 "docker ps -a --format 'table {{.Names}}\t{{.Status}}'"
+```
+
+---
+
+## Backup Files on Router
+
+| File | Size | Description |
+|------|------|-------------|
+| vlan-setup-complete-2026-01-31.backup | 177.6 KiB | Binary backup (full restore) |
+| vlan-setup-complete-2026-01-31.rsc | 12.5 KiB | Script export (readable) |
+
+**Download via:** WinBox → Files → Select file → Download
+
+---
+
+## Network Diagram (Current)
+
+```
+                    Internet
+                        │
+                        ▼
+┌───────────────────────────────────────────────────────────────┐
+│                 HAP ax³ (192.168.10.1)                        │
+│                 RouterOS 7.21.1                               │
+│                                                               │
+│  VLAN 10: 192.168.10.0/24 (Management)                       │
+│  VLAN 20: 192.168.20.0/24 (Trusted)                          │
+│  VLAN 25: 192.168.25.0/24 (Kids)                             │
+│  VLAN 30: 192.168.30.0/24 (IoT)                              │
+│  VLAN 40: 192.168.1.0/24  (Catch-All/Default)                │
+│                                                               │
+│  ether2 ─┬─ CAP XL ac (192.168.10.2)                         │
+│  ether3 ─┼─ CSS326 (192.168.10.3) ─── NanoKVM (.199)         │
+│  ether4 ─┼─ Unraid (192.168.10.20)                           │
+│  ether5 ─┘                                                    │
+│                                                               │
+│  wifi1 (XTRM 5GHz)  ──┬── VLAN 20/25/30/40 via access-list  │
+│  wifi2 (XTRM2 2.4GHz)─┘                                      │
+└───────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Session Timeline
+
+1. **CAPsMAN Setup** - Configured WiFi profiles (cfg-xtrm, cfg-xtrm2) and security
+2. **Research** - Studied MikroTik forums for correct VLAN approach
+3. **VLAN Infrastructure** - Created VLANs 10, 20, 25, 30, 40 with DHCP
+4. **Safe Mode Implementation** - Used atomic script for VLAN filtering
+5. **WiFi VLAN** - Configured datapath and access-list for MAC-based assignment
+6. **Verification** - Tested connectivity on all VLANs
+7. **Backup** - Created `vlan-setup-complete-2026-01-31`
+
+---
+
+**Document Version:** 1.0
+**Last Updated:** 2026-01-31