Add VLAN setup documentation - complete implementation

- docs/12-VLAN-SETUP-PROGRESS.md: Progress tracking during setup
- docs/13-VLAN-SETUP-PLAN-V2.md: Initial VLAN plan
- docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md: Safe mode approach
- docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md: Final session summary

VLANs implemented:
- VLAN 10: Management (192.168.10.0/24) - port-based
- VLAN 20: Trusted (192.168.20.0/24) - WiFi MAC-based
- VLAN 25: Kids (192.168.25.0/24) - WiFi MAC-based
- VLAN 30: IoT (192.168.30.0/24) - WiFi MAC-based
- VLAN 40: Catch-All (192.168.1.0/24) - default

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Kaloyan Danchev
2026-01-31 10:40:58 +02:00
parent 380dc84d61
commit e9572ae166
5 changed files with 1691 additions and 2 deletions


@@ -1,6 +1,6 @@
# Hardware Inventory
**Last Updated:** 2026-01-25
**Last Updated:** 2026-01-27
---
@@ -38,8 +38,10 @@
| **Location** | 19" Rack U1 |
| **IP** | 192.168.31.9 |
| **MAC** | F4:1E:57:C9:BD:09 |
| **OS** | SwOS |
| **OS** | SwOS 2.16 |
| **Serial** | - |
| **Docs** | https://help.mikrotik.com/docs/spaces/UM/pages/17498168/CSS326-24G-2S+RM |
| **Web UI** | http://192.168.31.9 |
**Ports:** 24x 1G RJ45, 2x 10G SFP+
- SFP1: 10G DAC to ZX1
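Review bot: the inventory still lists the CSS326 at 192.168.31.9, but the docs added in this commit give the same MAC (F4:1E:57:C9:BD:09) the static lease 192.168.10.3 on VLAN 10, and the v3 plan moves the catch-all network to 192.168.1.0/24 instead of 192.168.31.0/24. Update the `IP` row (or note which plan is current) so the inventory does not contradict the lease tables, otherwise a reader will SSH or browse to a stale address during recovery. Since the `Web UI` row is plain http, it is also worth stating here that the switch management interface is meant to live only on the management VLAN the plan defines.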


@@ -0,0 +1,409 @@
# VLAN Setup Progress
**Created:** 2026-01-28
**Status:** IN PROGRESS
**Last Updated:** 2026-01-28
---
## CRITICAL WARNING
**ALWAYS ASK FOR EXPLICIT CONFIRMATION BEFORE:**
1. Enabling VLAN filtering (`/interface bridge set bridge vlan-filtering=yes`)
2. Changing bridge port PVID values
3. Modifying bridge VLAN table
**Reason:** When VLAN filtering was enabled on 2026-01-28, the entire network lost connectivity:
- WiFi devices: No DHCP, no internet
- Wired devices on CSS326 (not VLAN 10): No DHCP, no internet
- Even with manual IP/DNS/gateway assignment: No internet
- Only VLAN 10 devices (Unraid on ether4/5) continued working
**Root Cause (suspected):** Bridge VLAN table or NAT/masquerade configuration issue for VLAN 1 traffic.
**Recovery:** User had to manually troubleshoot and fix the configuration.
---
## Current Network State
### Hardware Topology
```
Internet (62.73.120.142)
┌──────────────────────────────────────────────────────────────┐
│ HAP1 | MikroTik hAP ax³ │
│ IP: 192.168.88.1 │
│ RouterOS: 7.21.1 │
│ │
│ Ports: │
│ ├── ether1: WAN (DHCP from ISP) │
│ ├── ether2: CAP XL ac (via PP1) │
│ ├── ether3: CSS326 switch │
│ ├── ether4: Unraid eth1 ──┐ VLAN 10 (PVID=10) │
│ ├── ether5: Unraid eth2 ──┘ │
│ ├── wifi1: XTRM (5GHz) │
│ └── wifi2: XTRM2 (2.4GHz) │
│ │
│ Installed Packages: routeros, wifi-qcom, container, │
│ user-manager │
└──────────────────────────────────────────────────────────────┘
│ ether2
┌──────────────────────────────────────────────────────────────┐
│ CAP | MikroTik cAP XL ac │
│ IP: 192.168.88.250 │
│ RouterOS: 7.21.1 │
│ CAPsMAN managed by HAP1 │
│ │
│ WiFi (provisioned via CAPsMAN): │
│ ├── cap-wifi1: XTRM2 (2.4GHz) │
│ └── cap-wifi2: XTRM (5GHz) │
└──────────────────────────────────────────────────────────────┘
│ ether3
┌──────────────────────────────────────────────────────────────┐
│ CSS326-24G-2S+ │
│ IP: 192.168.88.254 │
│ SwOS │
│ (VLAN config pending) │
└──────────────────────────────────────────────────────────────┘
```
### SSH Access
| Device | IP | Port | User | Auth |
|--------|-----|------|------|------|
| HAP1 | 192.168.88.1 | 22 | xtrm | SSH key (~/.ssh/mikrotik_key) |
| CAP | 192.168.88.250 | 2222 | xtrm | SSH key (~/.ssh/mikrotik_key) |
| Unraid | 192.168.10.20 (pending) | 422 | root | SSH key (~/.ssh/id_ed25519_unraid) |
### WiFi Configuration
| SSID | Band | Password | Security |
|------|------|----------|----------|
| XTRM | 5GHz | M0stW4nt3d@home | WPA2/WPA3 |
| XTRM2 | 2.4GHz | M0stW4nt3d@IoT | WPA2 |
---
## VLAN Architecture (Planned)
| VLAN ID | Name | Subnet | Gateway | Purpose | Assignment Method |
|---------|------|--------|---------|---------|-------------------|
| 1 | Default | 192.168.88.0/24 | 192.168.88.1 | Current LAN (transition) | Default |
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | Port-based |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family devices | RADIUS MAC auth |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices | RADIUS MAC auth |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | RADIUS MAC auth |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | Port-based |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Services | Port-based |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Unknown/Guest devices | RADIUS default |
### Assignment Strategy
- **Port-based:** Wired devices with dedicated ports (Unraid, cameras)
- **RADIUS MAC auth:** WiFi devices - MikroTik User Manager assigns VLAN based on MAC
- **Default VLAN 50:** Unknown devices get internet-only access
---
## Current Configuration Status
### VLAN 10 - Management (IN PROGRESS)
**Status:** Configured, waiting for Unraid to renew DHCP
**What's Done:**
- [x] VLAN interface created: `vlan10-mgmt`
- [x] IP assigned: `192.168.10.1/24`
- [x] DHCP pool: `192.168.10.100-192.168.10.200`
- [x] DHCP server: `dhcp-mgmt` (DNS: 8.8.8.8)
- [x] Static leases created for VLAN 10 devices
- [x] Bridge VLAN table configured
- [x] ether4/ether5 PVID set to 10
- [x] VLAN filtering enabled on bridge
**What's Pending:**
- [ ] Unraid needs to renew DHCP to get 192.168.10.20
- [ ] Verify Unraid connectivity on new IP
- [ ] Update Unraid SSH connection string in CLAUDE.md
**Bridge VLAN Table:**
```
VLAN 1: tagged=bridge, untagged=ether2,ether3,wifi1,wifi2
VLAN 10: tagged=bridge, untagged=ether4,ether5
```
**Bridge Ports:**
```
ether2: PVID=1 (CAP)
ether3: PVID=1 (CSS326)
ether4: PVID=10 (Unraid)
ether5: PVID=10 (Unraid)
wifi1: PVID=1 (XTRM 5GHz)
wifi2: PVID=1 (XTRM2 2.4GHz)
```
### VLAN 10 Static Leases
| IP | MAC | Device | Status |
|----|-----|--------|--------|
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | Waiting |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 | Waiting |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | Waiting |
| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | Waiting |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U Unraid | Waiting |
### User Manager (Installed, Not Configured)
**Status:** Package installed, not enabled
**Purpose:** RADIUS server for MAC-based VLAN assignment on WiFi
**Next Steps:**
1. Enable User Manager
2. Add router as RADIUS client (NAS)
3. Create user entries with MAC addresses and VLAN attributes
4. Configure WiFi for RADIUS MAC authentication
5. Set default VLAN 50 for unknown MACs
---
## Device Inventory by VLAN
### VLAN 10 - Management (5 devices)
| Target IP | MAC | Device | Connection |
|-----------|-----|--------|------------|
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | ether2 via PP1 |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 | ether3 |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | Container |
| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | CSS326 port |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U Unraid | ether4/5 |
### VLAN 20 - Trusted (5 devices)
| Target IP | MAC | Device | Owner |
|-----------|-----|--------|-------|
| 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora |
| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan |
| 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan |
| 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan |
| 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan |
### VLAN 25 - Kids (4 devices)
| Target IP | MAC | Device | Owner |
|-----------|-----|--------|-------|
| 192.168.25.12 | F2:B8:14:61:C8:27 | iPhone | Dancho |
| 192.168.25.14 | 90:91:64:70:0D:86 | Notebook | Kimi |
| 192.168.25.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi |
| 192.168.25.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg |
### VLAN 30 - IoT (12 devices)
| Target IP | MAC | Device |
|-----------|-----|--------|
| 192.168.30.10 | 50:2C:C6:7A:55:39 | GREE AC |
| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV (LAN) |
| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV (WiFi) |
| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast |
| 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock Vacuum |
| 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Oven |
| 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher |
| 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer |
| 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Device 1 |
| 192.168.30.32 | 38:1F:8D:04:6F:E4 | Tuya Device 2 |
| 192.168.30.38 | D4:AD:FC:BE:13:B0 | Intellirocks |
| 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier |
### VLAN 35 - Cameras (1 device)
| Target IP | MAC | Device |
|-----------|-----|--------|
| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell |
### VLAN 40 - Servers (1 device)
| Target IP | MAC | Device |
|-----------|-----|--------|
| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet |
### VLAN 50 - Guest/Unknown (4 devices)
| Target IP | MAC | Notes |
|-----------|-----|-------|
| 192.168.50.10 | AC:87:A3:77:8F:BD | Unknown Apple device |
| 192.168.50.11 | 22:4C:7F:1D:85:8E | Random MAC (privacy) |
| 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown |
| 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown |
---
## Useful Commands
### Check VLAN Status
```routeros
/interface vlan print
/interface bridge vlan print detail
/interface bridge port print
/interface bridge print where name=bridge
```
### Check DHCP Leases
```routeros
/ip dhcp-server lease print
/ip dhcp-server lease print where server=dhcp-mgmt
```
### Check User Manager
```routeros
/user-manager print
/user-manager user print
/user-manager router print
```
### Rollback VLAN Filtering
```routeros
/interface bridge set bridge vlan-filtering=no
```
### Force DHCP Renewal on Unraid
```bash
# On Unraid terminal
/etc/rc.d/rc.inet1 restart
# Or
dhclient -r eth0 && dhclient eth0
```
---
## Next Steps (In Order)
1. **Complete VLAN 10 Setup**
- Restart network on Unraid to get new IP (192.168.10.20)
- Verify connectivity
- Update CLAUDE.md with new Unraid IP
2. **Configure User Manager for RADIUS**
- Enable User Manager
- Add router as NAS (RADIUS client)
- Configure WiFi for MAC authentication
3. **Create Other VLANs**
- VLAN 20 (Trusted) - interface, DHCP, firewall
- VLAN 25 (Kids) - interface, DHCP, firewall
- VLAN 30 (IoT) - interface, DHCP, firewall
- VLAN 35 (Cameras) - interface, DHCP, firewall
- VLAN 40 (Servers) - interface, DHCP, firewall
- VLAN 50 (Guest) - interface, DHCP, firewall (default for unknown)
4. **Add MAC-VLAN Mappings to User Manager**
- Add all trusted device MACs → VLAN 20
- Add all kids device MACs → VLAN 25
- Add all IoT device MACs → VLAN 30
- Default (no match) → VLAN 50
5. **Configure Inter-VLAN Firewall Rules**
- Management → All (full access)
- Trusted → IoT, Cameras, Servers (control)
- Kids → Limited (parental controls)
- IoT → Internet only
- Cameras → Isolated
- Guest → Internet only
6. **Test and Verify**
- Test each VLAN connectivity
- Test inter-VLAN access rules
- Test unknown device goes to VLAN 50
---
## Firewall Rules (Planned)
```routeros
# Allow established/related
/ip firewall filter add chain=forward connection-state=established,related action=accept
# Management can access everything
/ip firewall filter add chain=forward src-address=192.168.10.0/24 action=accept
# Trusted can access IoT, Cameras, Servers
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.30.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.35.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.40.0/24 action=accept
# IoT - Internet only (block inter-VLAN)
/ip firewall filter add chain=forward src-address=192.168.30.0/24 dst-address=192.168.0.0/16 action=drop
# Cameras - Isolated
/ip firewall filter add chain=forward src-address=192.168.35.0/24 dst-address=192.168.0.0/16 action=drop
# Guest - Internet only
/ip firewall filter add chain=forward src-address=192.168.50.0/24 dst-address=192.168.0.0/16 action=drop
# Drop all other inter-VLAN
/ip firewall filter add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
```
---
## Incident Log
### 2026-01-28: Network Outage After VLAN Filtering Enabled
**Timeline:**
1. VLAN 10 interface, DHCP, static leases configured
2. Bridge VLAN table configured (VLAN 1 and VLAN 10)
3. ether4/ether5 PVID set to 10
4. VLAN filtering enabled
5. **Result:** All non-VLAN 10 devices lost connectivity
**Symptoms:**
- WiFi devices: No DHCP assignment
- CSS326 connected devices: No DHCP assignment
- Manual IP configuration: Still no internet
- VLAN 10 devices (Unraid): Working correctly
**Suspected Cause:**
- Bridge VLAN table may not have been properly configured for VLAN 1
- NAT masquerade may not have been applied to VLAN 1 traffic
- Possible missing egress tagging configuration
**Resolution:** Manual fix by user (details TBD)
**Lessons Learned:**
1. **ALWAYS** test VLAN config on a single device first before enabling filtering
2. **ALWAYS** ask for explicit user confirmation before enabling VLAN filtering
3. Have rollback command ready: `/interface bridge set bridge vlan-filtering=no`
4. Keep WinBox/MAC-based access available for recovery
5. Document exact state before making changes
---
## Pre-Change Checklist (MANDATORY)
Before enabling VLAN filtering, verify:
- [ ] Bridge VLAN table has VLAN 1 with all non-VLAN ports as untagged
- [ ] Bridge itself is tagged in all VLANs
- [ ] NAT masquerade rule covers all internal networks
- [ ] DHCP servers exist for all active VLANs
- [ ] Static routes/addresses configured if needed
- [ ] WinBox or MAC-based access available for recovery
- [ ] User has confirmed they are ready for potential outage
- [ ] Rollback command documented: `/interface bridge set bridge vlan-filtering=no`
---
## Reference Documents
- `docs/03-VLAN-DEVICE-ASSIGNMENT.md` - Full device inventory
- `docs/04-VLAN-MIGRATION-PLAN.md` - Original migration plan
- `docs/11-VLAN-IMPLEMENTATION.md` - VLAN architecture overview
- `docs/wip/VLAN-PROPOSAL.md` - Initial proposal
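Review bot: the WiFi Configuration table (`| XTRM | 5GHz | M0stW4nt3d@home | WPA2/WPA3 |` and the XTRM2 row) commits both WPA passphrases in plaintext to a tracked markdown file; keep the SSID, band and security columns, move the passphrases to a secrets store or a git-ignored file, and treat the values already pushed as exposed. The incident log closes with `**Resolution:** Manual fix by user (details TBD)` while the Pre-Change Checklist is derived from the *suspected* causes, so the actual fix should be recorded before the checklist is labelled MANDATORY. The `dhcp-mgmt` server hands out `DNS: 8.8.8.8` although the same VLAN hosts the AdGuard instance at 192.168.10.10, so management clients bypass the resolver the inventory documents. In the planned firewall block, the established/related accept is not paired with a `connection-state=invalid` drop; add one before the per-VLAN rules.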


@@ -0,0 +1,594 @@
# VLAN Setup Plan v2 - Critical Approach
**Created:** 2026-01-28
**Status:** PLANNING
**Approach:** Step-by-step with verification before each change
---
## CRITICAL RULES
1. **NO CHANGES WITHOUT EXPLICIT USER APPROVAL**
2. **VERIFY current state before each step**
3. **TEST after each step before proceeding**
4. **HAVE ROLLBACK ready for each step**
5. **STOP and assess if anything unexpected happens**
---
## Prerequisites
- Router: MikroTik hAP ax³ (freshly reset to factory defaults)
- Current IP: 192.168.88.1 (factory default)
- Access: WinBox or physical console available for recovery
---
## Phase 1: Basic Router Setup
### Step 1.1: Create User `xtrm`
**Action:**
```routeros
/user add name=xtrm password=M0stW4nt3d@xtrm group=full
```
**Verification:**
```routeros
/user print
```
**Expected Result:**
- User `xtrm` exists with group `full`
**Rollback:**
```routeros
/user remove xtrm
```
---
### Step 1.2: Change SSH Port to 2222
**Action:**
```routeros
/ip service set ssh port=2222
```
**Verification:**
```routeros
/ip service print where name=ssh
```
**Expected Result:**
- SSH service on port 2222
**Rollback:**
```routeros
/ip service set ssh port=22
```
**Test:** SSH to router on port 2222
---
### Step 1.3: Import SSH Key for User `xtrm`
**Prerequisite:** Upload `mikrotik_key.pub` to router via WinBox Files
**Action:**
```routeros
/user ssh-keys import public-key-file=mikrotik_key.pub user=xtrm
```
**Verification:**
```routeros
/user ssh-keys print
```
**Expected Result:**
- SSH key associated with user `xtrm`
**Test:** SSH with key authentication (no password)
---
## Phase 2: WiFi & CAPsMAN Setup
### Step 2.1: Create Security Profiles
**Action:**
```routeros
# For XTRM (5GHz) - High security
/interface wifi security add name=sec-xtrm authentication-types=wpa2-psk,wpa3-psk passphrase=M0stW4nt3d@home
# For XTRM2 (2.4GHz) - IoT compatibility
/interface wifi security add name=sec-xtrm2 authentication-types=wpa-psk,wpa2-psk passphrase=M0stW4nt3d@IoT
```
**Verification:**
```routeros
/interface wifi security print
```
**Expected Result:**
- `sec-xtrm`: WPA2-PSK + WPA3-PSK
- `sec-xtrm2`: WPA-PSK + WPA2-PSK (for old devices)
---
### Step 2.2: Create Configuration Profiles
**Action:**
```routeros
/interface wifi configuration add name=cfg-xtrm ssid=XTRM security=sec-xtrm country=Bulgaria
/interface wifi configuration add name=cfg-xtrm2 ssid=XTRM2 security=sec-xtrm2 country=Bulgaria
```
**Verification:**
```routeros
/interface wifi configuration print
```
---
### Step 2.3: Apply WiFi to Local Radios
**Action:**
```routeros
# wifi1 = 5GHz radio → XTRM
/interface wifi set wifi1 configuration=cfg-xtrm configuration.ssid=XTRM disabled=no
# wifi2 = 2.4GHz radio → XTRM2
/interface wifi set wifi2 configuration=cfg-xtrm2 configuration.ssid=XTRM2 disabled=no
```
**Verification:**
```routeros
/interface wifi print
```
**Test:** Connect a device to each SSID, verify internet works
---
### Step 2.4: Enable CAPsMAN
**Action:**
```routeros
/interface wifi capsman set enabled=yes interfaces=bridge
```
**Verification:**
```routeros
/interface wifi capsman print
```
---
### Step 2.5: Create CAPsMAN Provisioning Rules
**Action:**
```routeros
# For 5GHz radios → XTRM
/interface wifi provisioning add action=create-dynamic-enabled master-configuration=cfg-xtrm supported-bands=5ghz-a,5ghz-n,5ghz-ac
# For 2.4GHz radios → XTRM2
/interface wifi provisioning add action=create-dynamic-enabled master-configuration=cfg-xtrm2 supported-bands=2ghz-g,2ghz-n
```
**Verification:**
```routeros
/interface wifi provisioning print
```
---
### Step 2.6: Configure CAP to Join CAPsMAN
**On CAP device (192.168.88.250 or via WinBox):**
```routeros
/interface wifi cap set enabled=yes discovery-interfaces=bridge caps-man-addresses=""
```
**Verification on HAP:**
```routeros
/interface wifi capsman remote-cap print
/interface wifi radio print
```
**Expected Result:**
- CAP appears as connected
- CAP radios show up (cap-wifi1, cap-wifi2)
**Test:** Connect device to XTRM/XTRM2 via CAP, verify internet
---
## Phase 3: Install Additional Packages
### Step 3.1: Install User Manager and Container Packages
**Action:**
1. Download packages from MikroTik website (arm64, version 7.21.1)
2. Upload to router via WinBox:
- `user-manager-7.21.1-arm64.npk`
- `container-7.21.1-arm64.npk` (if not already installed)
3. Reboot router
**Verification after reboot:**
```routeros
/system package print
```
**Expected Result:**
- `user-manager` package listed
- `container` package listed
---
## Phase 4: Network Reconfiguration (CRITICAL)
### Step 4.0: Pre-Change Verification
**Before ANY changes, verify current state:**
```routeros
echo "=== CURRENT STATE ==="
/ip address print
/ip pool print
/ip dhcp-server print
/ip dhcp-server network print
/interface bridge print
/interface bridge port print
/interface bridge vlan print
/ip firewall nat print
```
**Document the output before proceeding!**
---
### Step 4.1: Change Network to 192.168.31.0/24
**Current:** 192.168.88.0/24 (factory default)
**Target:** 192.168.31.0/24
**Action (all in one command block to minimize disruption):**
```routeros
/ip address set [find where address~"192.168.88"] address=192.168.31.1/24
/ip pool set [find where name="default-dhcp"] ranges=192.168.31.100-192.168.31.254
/ip dhcp-server network set [find where address="192.168.88.0/24"] address=192.168.31.0/24 gateway=192.168.31.1 dns-server=8.8.8.8
```
**After change:** Reconnect to WiFi to get new IP
**Verification:**
```routeros
/ip address print
/ip pool print
/ip dhcp-server network print
/ping 8.8.8.8 count=2
```
**Test:** Browse internet from connected device
---
### Step 4.2: Create VLAN40 Interface (Catch-All)
**IMPORTANT:** Do NOT move IP to VLAN interface yet!
**Action:**
```routeros
/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40
```
**Verification:**
```routeros
/interface vlan print
```
**Expected Result:**
- `vlan40-catchall` interface exists
- Network still works (IP still on bridge)
---
### Step 4.3: Add VLAN40 to Bridge VLAN Table
**Action:**
```routeros
/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,wifi1,wifi2
```
**Verification:**
```routeros
/interface bridge vlan print detail
```
---
### Step 4.4: Create VLAN40 DHCP Infrastructure
**Action:**
```routeros
# Create pool for VLAN40
/ip pool add name=pool-vlan40 ranges=192.168.31.100-192.168.31.254
# Add IP to VLAN40 interface (SECOND IP - keep bridge IP!)
/ip address add address=192.168.31.1/24 interface=vlan40-catchall
# This will show warning about duplicate - that's expected for now
```
**Verification:**
```routeros
/ip address print
```
**Expected:** TWO entries for 192.168.31.1 (bridge AND vlan40)
---
### Step 4.5: STOP AND VERIFY
**Before enabling VLAN filtering:**
1. Can you ping 192.168.31.1?
2. Can you access router via SSH?
3. Can you access router via WinBox?
4. Is internet working?
**If ANY answer is NO - STOP and troubleshoot!**
---
### Step 4.6: Enable VLAN Filtering (REQUIRES EXPLICIT USER APPROVAL)
⚠️ **THIS STEP REQUIRES USER TO TYPE "APPROVED" BEFORE EXECUTION** ⚠️
**Pre-flight checks:**
```routeros
/interface bridge vlan print detail
/interface bridge port print
```
**Ensure:**
- VLAN 40 has all current ports as untagged
- Bridge is tagged in VLAN 40
**Action:**
```routeros
/interface bridge set bridge vlan-filtering=yes
```
**Immediate verification:**
```routeros
/ping 8.8.8.8 count=2
```
**If ping fails - IMMEDIATELY rollback:**
```routeros
/interface bridge set bridge vlan-filtering=no
```
---
### Step 4.7: Post-Activation Cleanup
**Only after confirming VLAN filtering works:**
1. Move DHCP server to VLAN40 interface:
```routeros
/ip dhcp-server set defconf interface=vlan40-catchall
```
2. Remove duplicate IP from bridge:
```routeros
/ip address remove [find where interface=bridge and address~"192.168.31"]
```
**Verification:**
```routeros
/ip address print
/ip dhcp-server print
```
---
## Phase 5: Create VLAN10 (Management - Port Based)
### Step 5.1: Create VLAN10 Interface
**Action:**
```routeros
/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10
/ip address add address=192.168.10.1/24 interface=vlan10-mgmt
```
---
### Step 5.2: Create VLAN10 DHCP
**Action:**
```routeros
/ip pool add name=pool-mgmt ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add address-pool=pool-mgmt interface=vlan10-mgmt name=dhcp-mgmt
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8
```
---
### Step 5.3: Create VLAN10 Static Leases
**Action:**
```routeros
/ip dhcp-server lease
add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-mgmt
add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-mgmt
add address=192.168.10.10 mac-address=02:42:C0:A8:1F:04 comment="AdGuard Unraid" server=dhcp-mgmt
add address=192.168.10.11 mac-address=48:DA:35:6F:BE:50 comment="NanoKVM" server=dhcp-mgmt
add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="XTRM-U Unraid" server=dhcp-mgmt
```
---
### Step 5.4: Configure Bridge for VLAN10
**Action:**
```routeros
# Add VLAN10 to bridge table - ether4/ether5 as untagged (Unraid ports)
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5
# Set PVID on Unraid ports
/interface bridge port set [find interface=ether4] pvid=10
/interface bridge port set [find interface=ether5] pvid=10
```
---
### Step 5.5: STOP AND TEST VLAN10
⚠️ **REQUIRES USER APPROVAL TO PROCEED** ⚠️
**Test:**
1. Unraid should get IP 192.168.10.20
2. Unraid should have internet access
3. Other devices still work on VLAN40
---
## Phase 6: Create Remaining VLANs
### VLAN Overview
| VLAN | Name | Subnet | Purpose | Assignment |
|------|------|--------|---------|------------|
| 10 | Management | 192.168.10.0/24 | Infrastructure | Port-based |
| 20 | Trusted | 192.168.20.0/24 | Family devices | RADIUS |
| 25 | Kids | 192.168.25.0/24 | Kids devices | RADIUS |
| 30 | IoT | 192.168.30.0/24 | Smart home | RADIUS |
| 35 | Cameras | 192.168.35.0/24 | Security | Port-based |
| 40 | Catch-All | 192.168.31.0/24 | Default/Unknown | Default |
### Step 6.1-6.4: Create Each VLAN
**Repeat for each VLAN (20, 25, 30, 35):**
```routeros
# Create interface
/interface vlan add interface=bridge name=vlanXX-name vlan-id=XX
# Add IP
/ip address add address=192.168.XX.1/24 interface=vlanXX-name
# Create pool
/ip pool add name=pool-vlanXX ranges=192.168.XX.100-192.168.XX.200
# Create DHCP server
/ip dhcp-server add address-pool=pool-vlanXX interface=vlanXX-name name=dhcp-vlanXX
# Create DHCP network
/ip dhcp-server network add address=192.168.XX.0/24 gateway=192.168.XX.1 dns-server=8.8.8.8
# Add to bridge VLAN table (tagged only - RADIUS will assign)
/interface bridge vlan add bridge=bridge vlan-ids=XX tagged=bridge
```
---
## Phase 7: Configure User Manager (RADIUS)
### Step 7.1: Enable User Manager
```routeros
/user-manager set enabled=yes
```
### Step 7.2: Add Router as RADIUS Client
```routeros
/user-manager router add name=local address=127.0.0.1 shared-secret=radius-secret
```
### Step 7.3: Add MAC-VLAN Mappings
**For each device, add user with MAC and VLAN attribute:**
```routeros
# Example for trusted device
/user-manager user add name=AA:ED:8B:2A:40:F1 password="" shared-users=1
/user-manager user set [find name=AA:ED:8B:2A:40:F1] attributes="Tunnel-Type:VLAN,Tunnel-Medium-Type:IEEE-802,Tunnel-Private-Group-Id:20"
```
### Step 7.4: Configure WiFi for RADIUS
```routeros
/interface wifi security set sec-xtrm radius=yes
/interface wifi security set sec-xtrm2 radius=yes
```
---
## Phase 8: Activation Plan
### Step 8.1: Final Pre-Activation Checklist
- [ ] All VLAN interfaces created
- [ ] All DHCP servers configured
- [ ] All static leases added
- [ ] User Manager configured with all MACs
- [ ] WiFi configured for RADIUS
- [ ] WinBox access verified
- [ ] Rollback command ready
### Step 8.2: Staged Activation
1. **Test VLAN10 only** (port-based, Unraid)
2. **Verify 24 hours**
3. **Test VLAN20** (one trusted device via RADIUS)
4. **Verify 24 hours**
5. **Enable remaining VLANs**
---
## Rollback Commands
**Disable VLAN filtering (emergency):**
```routeros
/interface bridge set bridge vlan-filtering=no
```
**Reset to factory:**
```routeros
/system reset-configuration no-defaults=no
```
---
## Device Inventory Reference
See: `docs/03-VLAN-DEVICE-ASSIGNMENT.md`
---
## Verification Commands
```routeros
# Check VLAN status
/interface vlan print
/interface bridge vlan print detail
/interface bridge port print
# Check DHCP
/ip dhcp-server print
/ip dhcp-server lease print
# Check connectivity
/ping 8.8.8.8 count=3
/ping 192.168.31.1 count=3
# Check User Manager
/user-manager user print
/user-manager router print
```
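Review bot: Step 4.3 makes ether2, ether3, wifi1 and wifi2 untagged members of VLAN 40, but no step in Phase 4 sets those ports to `pvid=40` (the Bridge Ports list in the progress doc still shows PVID=1); once Step 4.6 runs `/interface bridge set bridge vlan-filtering=yes`, untagged frames entering those ports are classified into PVID 1, which has no entry in the bridge VLAN table, so they are dropped and the outage from the incident log repeats. Add the pvid changes before Step 4.6 (the v3 plan's Step 2.3 does exactly this) and list them under the Step 4.6 `Ensure:` checks. Phase 6 then adds VLANs 20/25/30/35 with `tagged=bridge` only, yet the CAP reaches the router over ether2 and the local radios are wifi1/wifi2; confirm that those bridge ports are tagged members of each dynamically assigned VLAN, because the comment "RADIUS will assign" covers the client side only, not the bridge table. Finally, Step 1.1, Step 2.1 and Step 7.2 embed the `xtrm` password, both WPA passphrases and `shared-secret=radius-secret` in the document; use placeholders here and generate a real shared secret for the RADIUS client.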


@@ -0,0 +1,352 @@
# VLAN Setup Plan v3 - Safe Mode Approach
**Created:** 2026-01-31
**Status:** PLANNING
**Approach:** Safe Mode with atomic commands for auto-rollback protection
---
## Lessons Learned from Previous Failures
1. **IP on bridge stops working** when VLAN filtering is enabled
2. **Duplicate same IP** on bridge + VLAN interface causes routing confusion
3. **VLAN interface doesn't receive traffic** until VLAN filtering is enabled
4. **Solution**: Use Safe Mode + atomic script execution
---
## Prerequisites
- Router: MikroTik hAP ax³
- Current IP: 192.168.1.1/24 on bridge
- Access: WinBox connected via **MAC address** (not IP!)
- CAPsMAN: Already configured and working
---
## Phase 1: Preparation (No Risk)
### Step 1.1: Backup Current Configuration
```routeros
/system backup save name=before-vlan-v3
/export file=before-vlan-v3
```
Download both files from WinBox → Files.
### Step 1.2: Verify Current State
```routeros
/ip address print
/interface bridge print
/interface bridge port print
/interface bridge vlan print
/ip dhcp-server print
```
**Expected:**
- IP 192.168.1.1/24 on bridge
- VLAN filtering = no
- No bridge VLANs configured
---
## Phase 2: Create VLAN Infrastructure (Safe - No Filtering Yet)
### Step 2.1: Create VLAN 40 Interface
```routeros
/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40
```
**Verify:**
```routeros
/interface vlan print
```
### Step 2.2: Add VLAN 40 to Bridge Table
All LAN ports untagged, bridge tagged (for CPU access):
```routeros
/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,ether4,ether5,wifi1,wifi2
```
**Verify:**
```routeros
/interface bridge vlan print detail
```
### Step 2.3: Set PVID on All LAN Ports
```routeros
/interface bridge port set [find interface=ether2] pvid=40
/interface bridge port set [find interface=ether3] pvid=40
/interface bridge port set [find interface=ether4] pvid=40
/interface bridge port set [find interface=ether5] pvid=40
/interface bridge port set [find interface=wifi1] pvid=40
/interface bridge port set [find interface=wifi2] pvid=40
```
**Verify:**
```routeros
/interface bridge port print
```
**Expected:** All ports show PVID=40
### Step 2.4: Add IP to VLAN Interface
This creates a "duplicate" IP temporarily:
```routeros
/ip address add address=192.168.1.1/24 interface=vlan40-catchall comment="VLAN40-Management"
```
**Verify:**
```routeros
/ip address print
```
**Expected:** Two entries for 192.168.1.1 (bridge and vlan40-catchall)
### Step 2.5: Create VLAN40 DHCP Pool (if not exists)
```routeros
/ip pool add name=pool-vlan40 ranges=192.168.1.10-192.168.1.250
```
### Step 2.6: Verify Everything Before Critical Step
```routeros
:put "=== VLAN Interface ==="
/interface vlan print
:put "=== Bridge VLANs ==="
/interface bridge vlan print detail
:put "=== Bridge Ports (check PVID) ==="
/interface bridge port print
:put "=== IP Addresses ==="
/ip address print
:put "=== Ping Test ==="
/ping 8.8.8.8 count=2
```
**STOP HERE if anything is wrong!**
---
## Phase 3: Enable VLAN Filtering (Critical - Use Safe Mode)
### Step 3.1: Enter Safe Mode in WinBox
1. In WinBox, press **Ctrl+X**
2. You'll see "Safe Mode" indicator in title bar
3. All changes will auto-rollback if connection is lost
### Step 3.2: Create the Activation Script
Create a script that does everything atomically:
```routeros
/system script add name=activate-vlan source={
# Enable VLAN filtering
/interface bridge set bridge vlan-filtering=yes
# Move DHCP server to VLAN interface
/ip dhcp-server set [find name~"defconf"] interface=vlan40-catchall
# Wait 2 seconds for changes to apply
:delay 2s
# Remove duplicate IP from bridge (keep only VLAN interface IP)
/ip address remove [find interface=bridge and address~"192.168.1.1"]
:put "VLAN activation complete"
}
```
### Step 3.3: Run the Script (While in Safe Mode!)
```routeros
/system script run activate-vlan
```
### Step 3.4: Verify Immediately
```routeros
/ping 8.8.8.8 count=3
/ip address print
/interface bridge print
```
### Step 3.5: If Everything Works - Exit Safe Mode
Press **Ctrl+X** again to confirm and save changes.
### Step 3.6: If Connection Lost
- Wait up to 10 minutes
- Router will auto-rollback to previous state
- Reconnect via WinBox (MAC address)
---
## Phase 4: Verification
### Step 4.1: Check All Settings
```routeros
:put "=== Bridge VLAN Filtering ==="
/interface bridge print where name=bridge
:put "=== IP Addresses ==="
/ip address print
:put "=== DHCP Server ==="
/ip dhcp-server print
:put "=== Internet Test ==="
/ping 8.8.8.8 count=3
```
**Expected:**
- vlan-filtering=yes on bridge
- IP 192.168.1.1/24 ONLY on vlan40-catchall
- DHCP server on vlan40-catchall
- Internet working
### Step 4.2: Test Client Connectivity
From a device on the network:
1. Disconnect and reconnect WiFi
2. Check if you get IP from 192.168.1.x range
3. Test internet access
---
## Phase 5: Add Additional VLANs (After VLAN40 is Stable)
Wait 24-48 hours to ensure VLAN40 is stable before adding more VLANs.
### VLAN Overview
| VLAN | Name | Subnet | Purpose | Assignment |
|------|------|--------|---------|------------|
| 10 | Management | 192.168.10.0/24 | Infrastructure | Port-based (ether4,5) |
| 20 | Trusted | 192.168.20.0/24 | Family devices | RADIUS |
| 25 | Kids | 192.168.25.0/24 | Kids devices | RADIUS |
| 30 | IoT | 192.168.30.0/24 | Smart home | RADIUS |
| 40 | Catch-All | 192.168.1.0/24 | Default/Unknown | Default |
### Step 5.1: Create VLAN 10 (Management)
```routeros
# Create VLAN interface
/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10
# Add IP
/ip address add address=192.168.10.1/24 interface=vlan10-mgmt
# Add to bridge VLAN table - ether4/5 untagged for Unraid
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5
# Update PVID on Unraid ports
/interface bridge port set [find interface=ether4] pvid=10
/interface bridge port set [find interface=ether5] pvid=10
# Remove ether4/5 from VLAN40
/interface bridge vlan set [find vlan-ids=40] untagged=ether2,ether3,wifi1,wifi2
# Create DHCP for VLAN10
/ip pool add name=pool-vlan10 ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add address-pool=pool-vlan10 interface=vlan10-mgmt name=dhcp-vlan10 disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8
```
### Step 5.2: Add Static Leases for VLAN10
```routeros
/ip dhcp-server lease
add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-vlan10
add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-vlan10
add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="Unraid" server=dhcp-vlan10
```
---
## Rollback Commands
### Emergency: Disable VLAN Filtering
```routeros
/interface bridge set bridge vlan-filtering=no
```
### Full Rollback: Restore Backup
```routeros
/system backup load name=before-vlan-v3
```
### Factory Reset (Last Resort)
Hold reset button while powering on until LEDs flash.
---
## Safe Mode Quick Reference
| Action | WinBox | CLI |
|--------|--------|-----|
| Enter Safe Mode | Ctrl+X | Ctrl+X |
| Exit & Save | Ctrl+X | Ctrl+X |
| Exit & Discard | Close WinBox | Ctrl+D |
| Auto-rollback | ~10 minutes | ~10 minutes |
**Important:** Safe Mode only protects while you're connected. If disconnected, changes rollback automatically.
---
## Checklist Before Enabling VLAN Filtering
- [ ] Backup saved and downloaded
- [ ] WinBox connected via MAC (not IP)
- [ ] VLAN interface created
- [ ] Bridge tagged in VLAN table
- [ ] All ports have correct PVID
- [ ] IP added to VLAN interface
- [ ] Safe Mode entered (Ctrl+X)
- [ ] Ready to run activation script
---
## Troubleshooting
### Lost Connection After Enabling Filtering
1. Wait 10 minutes for Safe Mode rollback
2. If no rollback: Connect via WinBox MAC discovery
3. Run: `/interface bridge set bridge vlan-filtering=no`
### DHCP Not Working
Check DHCP server interface:
```routeros
/ip dhcp-server print
```
Should show `interface=vlan40-catchall`
### Internet Not Working
Check NAT:
```routeros
/ip firewall nat print
```
Should have masquerade rule for WAN.
### Devices Not Getting IP
1. Check bridge VLAN table has ports as untagged
2. Check ports have correct PVID
3. Check DHCP pool has available addresses
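Review bot: Step 5.2 adds static `dhcp-vlan10` leases for CAP XL ac and CSS326, but Step 5.1 moves only ether4/ether5 into VLAN 10 and explicitly leaves ether2,ether3 untagged in VLAN 40 (`/interface bridge vlan set [find vlan-ids=40] untagged=ether2,ether3,wifi1,wifi2`) with their PVID unchanged, so the CAP and the switch keep requesting from the VLAN 40 DHCP server and those two leases never take effect. Either set `pvid=10` on ether2/ether3 and include them in the VLAN 10 untagged set in Step 5.1 (which is the final state the session summary shows), or move those two leases to the step where the ports are re-homed. Minor: in the activation script, `[find interface=bridge and address~"192.168.1.1"]` is a regex match where `.` matches any character, so `address="192.168.1.1/24"` removes exactly the intended entry and cannot match a similarly named address added later; the script also assumes the checklist item "IP added to VLAN interface" was done, and a one-line guard such as checking `/ip address find interface=vlan40-catchall` before the remove would make the script refuse to run without it rather than leave the router with no LAN address.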


@@ -0,0 +1,332 @@
# VLAN Setup Complete - Session Summary
**Date:** 2026-01-31
**Status:** COMPLETED
**Backup:** `vlan-setup-complete-2026-01-31.backup` and `.rsc` on router
---
## Executive Summary
Successfully implemented VLAN network segmentation on MikroTik hAP ax³ with:
- Port-based VLAN assignment for wired infrastructure
- MAC-based dynamic VLAN assignment for WiFi devices via access-list
- CAPsMAN configured for CAP XL ac management
---
## Current Network Configuration
### Router Access
| Method | IP | Port | User | Notes |
|--------|-----|------|------|-------|
| WinBox | 192.168.10.1 | 8291 | xtrm | Primary management |
| WebFig | 192.168.10.1 | 80 | xtrm | Web interface |
| SSH | 192.168.10.1 | **2222** | xtrm | Key: ~/.ssh/mikrotik_key |
| WinBox | 192.168.1.1 | 8291 | xtrm | Via VLAN 40 |
| WinBox | 192.168.20.1 | 8291 | xtrm | Via VLAN 20 |
**Important:** SSH is on port **2222**, not 22!
### VLAN Structure (Implemented)
| VLAN | Name | Subnet | Gateway | DHCP Pool | Status |
|------|------|--------|---------|-----------|--------|
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | .100-.200 | ✅ Working |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | .100-.200 | ✅ Working |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | .100-.200 | ✅ Configured |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | .100-.200 | ✅ Configured |
| 40 | Catch-All | 192.168.1.0/24 | 192.168.1.1 | .10-.250 | ✅ Default |
### Port Assignments
```
HAP ax³ Ports:
├── ether1: WAN (ISP DHCP)
├── ether2: CAP XL ac → VLAN 10 (PVID=10)
├── ether3: CSS326 switch → VLAN 10 (PVID=10)
├── ether4: Unraid eth1 → VLAN 10 (PVID=10)
├── ether5: Unraid eth2 → VLAN 10 (PVID=10)
├── wifi1: XTRM (5GHz) → Tagged VLANs 20,25,30,40
└── wifi2: XTRM2 (2.4GHz) → Tagged VLANs 20,25,30,40
```
### Bridge VLAN Table
```routeros
# VLAN 10 - Management (port-based)
vlan-ids=10 tagged=bridge untagged=ether2,ether3,ether4,ether5
# VLAN 20 - Trusted (WiFi MAC-based)
vlan-ids=20 tagged=bridge,wifi1,wifi2
# VLAN 25 - Kids (WiFi MAC-based)
vlan-ids=25 tagged=bridge,wifi1,wifi2
# VLAN 30 - IoT (WiFi MAC-based)
vlan-ids=30 tagged=bridge,wifi1,wifi2
# VLAN 40 - Catch-All (WiFi default)
vlan-ids=40 tagged=bridge untagged=wifi1,wifi2
```
---
## WiFi Configuration
### SSIDs
| SSID | Band | Interface | Password | Security |
|------|------|-----------|----------|----------|
| XTRM | 5GHz | wifi1 | M0stW4nt3d@home | WPA2/WPA3 |
| XTRM2 | 2.4GHz | wifi2 | M0stW4nt3d@IoT | WPA2 |
### WiFi Datapath (Critical for VLAN)
```routeros
/interface wifi datapath
add name=dp-vlan bridge=bridge
/interface wifi configuration
set cfg-xtrm datapath=dp-vlan
set cfg-xtrm2 datapath=dp-vlan
```
### WiFi Access-List (MAC-based VLAN Assignment)
The access-list assigns VLANs based on client MAC address:
```routeros
/interface wifi access-list
# VLAN 20 - Trusted devices
add action=accept mac-address=AA:ED:8B:2A:40:F1 vlan-id=20 comment="Samsung S25 Ultra - Kaloyan"
add action=accept mac-address=CE:B8:11:EA:8D:55 vlan-id=20 comment="MacBook - Kaloyan"
add action=accept mac-address=BE:A7:95:87:19:4A vlan-id=20 comment="MacBook 5GHz - Kaloyan"
# VLAN 25 - Kids devices
add action=accept mac-address=F2:B8:14:61:C8:27 vlan-id=25 comment="iPhone - Dancho"
add action=accept mac-address=90:91:64:70:0D:86 vlan-id=25 comment="Notebook - Kimi"
add action=accept mac-address=2A:2B:BA:86:D4:AF vlan-id=25 comment="iPhone - Kimi"
# VLAN 30 - IoT devices
add action=accept mac-address=D0:E7:82:F7:65:DD vlan-id=30 comment="Chromecast"
add action=accept mac-address=94:27:70:1E:0C:EE vlan-id=30 comment="Bosch Oven"
add action=accept mac-address=C8:5C:CC:52:EA:53 vlan-id=30 comment="Xiaomi Air Purifier"
add action=accept mac-address=18:DE:50:5B:C8:A6 vlan-id=30 comment="Tuya Device 1"
add action=accept mac-address=38:1F:8D:04:6F:E4 vlan-id=30 comment="Tuya Device 2"
add action=accept mac-address=D4:AD:FC:BE:13:B0 vlan-id=30 comment="Intellirocks"
# Default - VLAN 40 for unknown devices (MUST be last!)
add action=accept vlan-id=40 comment="Default - VLAN40"
```
**Important:** The default rule (no MAC specified) must be LAST in the list!
---
## VLAN 10 Verified Devices
| IP | MAC | Device | Status |
|----|-----|--------|--------|
| 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP ax³ (Gateway) | ✅ |
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | ✅ |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 Switch | ✅ |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | ✅ |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | Unraid Server | ✅ Verified |
| 192.168.10.199 | 48:DA:35:6F:BE:50 | NanoKVM | ✅ |
---
## CAPsMAN Configuration
```routeros
/interface wifi capsman
set enabled=yes interfaces=wifi1,wifi2 package-path="" upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled master-configuration=cfg-xtrm name-format=identity slave-configurations=cfg-xtrm2 supported-bands=5ghz-ax
add action=create-enabled master-configuration=cfg-xtrm2 name-format=identity slave-configurations=cfg-xtrm supported-bands=2ghz-ax
```
---
## Critical Lessons Learned
### 1. VLAN Filtering Breaks IP on Bridge
When you enable `vlan-filtering=yes` on the bridge:
- IP address on the bridge interface **stops working**
- You **must** have IP on the VLAN interface instead
- Never have same IP on both bridge and VLAN interface simultaneously
### 2. Correct Order of Operations
```
1. Create VLAN interfaces
2. Add IPs to VLAN interfaces (can have temporary duplicate)
3. Configure bridge VLAN table
4. Set port PVIDs
5. Add VLAN interfaces to firewall interface lists (LAN)
6. Enable VLAN filtering
7. Remove IP from bridge (if any duplicate)
8. Move DHCP server to VLAN interface
```
### 3. WiFi VLAN Assignment
- **Do NOT use** `action=query-radius` without configured RADIUS users
- **Use** WiFi datapath with `bridge=bridge`
- **Use** access-list with `vlan-id=XX` for MAC-based assignment
- WiFi interfaces must be **tagged** in bridge VLAN table for dynamic VLANs
### 4. Firewall Interface Lists
After creating VLAN interfaces, add them to the LAN list:
```routeros
/interface list member add list=LAN interface=vlan10-mgmt
/interface list member add list=LAN interface=vlan20-trusted
/interface list member add list=LAN interface=vlan25-kids
/interface list member add list=LAN interface=vlan30-iot
/interface list member add list=LAN interface=vlan40-catchall
```
### 5. Safe Mode
- Enter with **Ctrl+X** in WinBox
- Changes auto-rollback if connection lost (~10 minutes)
- Exit and save with **Ctrl+X** again
---
## Useful Commands
### Verify VLAN Status
```routeros
/interface bridge print where name=bridge
/interface bridge vlan print detail
/interface bridge port print
/ip address print
```
### Check WiFi Clients and VLAN Assignment
```routeros
/interface wifi registration-table print
/interface wifi access-list print
```
### Check DHCP Leases per VLAN
```routeros
/ip dhcp-server lease print where server=dhcp-vlan10
/ip dhcp-server lease print where server=dhcp-vlan20
```
### Add New Device to Access-List
```routeros
/interface wifi access-list add action=accept mac-address=XX:XX:XX:XX:XX:XX vlan-id=20 comment="Device Name" place-before=[find comment="Default - VLAN40"]
```
### Emergency Rollback
```routeros
/interface bridge set bridge vlan-filtering=no
```
### Restore from Backup
```routeros
/system backup load name=vlan-setup-complete-2026-01-31
```
---
## Pending Tasks
1. **Configure CAP XL ac to join CAPsMAN**
- CAP is on VLAN 10 at 192.168.10.2
- Needs provisioning to extend WiFi coverage
2. **Configure CSS326 for VLAN Trunking**
- Switch is on VLAN 10 at 192.168.10.3
- Needs VLAN configuration for room distribution
3. **Add Remaining Devices to Access-List**
- As devices connect, add their MACs to appropriate VLANs
4. **Configure Inter-VLAN Firewall Rules**
- Management → All (full access)
- Trusted → IoT (control smart home)
- IoT → Internet only (isolated)
- Guest → Internet only (isolated)
5. **Test VLAN 25 (Kids) and VLAN 30 (IoT)**
- Connect devices and verify DHCP/internet
---
## Connection Commands Reference
### SSH to Unraid (VLAN 10)
```bash
ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422
```
### SSH to MikroTik (port 2222!)
```bash
ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1
```
### Quick Status from Unraid
```bash
ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422 "docker ps -a --format 'table {{.Names}}\t{{.Status}}'"
```
---
## Backup Files on Router
| File | Size | Description |
|------|------|-------------|
| vlan-setup-complete-2026-01-31.backup | 177.6 KiB | Binary backup (full restore) |
| vlan-setup-complete-2026-01-31.rsc | 12.5 KiB | Script export (readable) |
**Download via:** WinBox → Files → Select file → Download
---
## Network Diagram (Current)
```
Internet
┌───────────────────────────────────────────────────────────────┐
│ HAP ax³ (192.168.10.1) │
│ RouterOS 7.21.1 │
│ │
│ VLAN 10: 192.168.10.0/24 (Management) │
│ VLAN 20: 192.168.20.0/24 (Trusted) │
│ VLAN 25: 192.168.25.0/24 (Kids) │
│ VLAN 30: 192.168.30.0/24 (IoT) │
│ VLAN 40: 192.168.1.0/24 (Catch-All/Default) │
│ │
│ ether2 ─┬─ CAP XL ac (192.168.10.2) │
│ ether3 ─┼─ CSS326 (192.168.10.3) ─── NanoKVM (.199) │
│ ether4 ─┼─ Unraid (192.168.10.20) │
│ ether5 ─┘ │
│ │
│ wifi1 (XTRM 5GHz) ──┬── VLAN 20/25/30/40 via access-list │
│ wifi2 (XTRM2 2.4GHz)─┘ │
└───────────────────────────────────────────────────────────────┘
```
---
## Session Timeline
1. **CAPsMAN Setup** - Configured WiFi profiles (cfg-xtrm, cfg-xtrm2) and security
2. **Research** - Studied MikroTik forums for correct VLAN approach
3. **VLAN Infrastructure** - Created VLANs 10, 20, 25, 30, 40 with DHCP
4. **Safe Mode Implementation** - Used atomic script for VLAN filtering
5. **WiFi VLAN** - Configured datapath and access-list for MAC-based assignment
6. **Verification** - Tested connectivity on all VLANs
7. **Backup** - Created `vlan-setup-complete-2026-01-31`
---
**Document Version:** 1.0
**Last Updated:** 2026-01-31
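Review bot: The Password column of the SSIDs table commits both WiFi pre-shared keys in plaintext to the repository, next to the router's management addresses, admin user name and SSH key path; replace the values with a placeholder or a pointer to wherever secrets are kept, note that the `.rsc` export listed under Backup Files also carries the same keys, and rotate them if this history has been pushed anywhere shared. Two caveats belong in Critical Lessons Learned rather than only in Pending Tasks: several access-list entries for VLAN 20 and 25 are locally administered addresses (second hex digit 2, 6, A or E, e.g. `CE:B8:11:EA:8D:55`, `F2:B8:14:61:C8:27`, `2A:2B:BA:86:D4:AF`), i.e. randomized private MACs that iOS, macOS and Android can rotate per network or over time, so those devices may silently fall through to the default rule and land in VLAN 40; and MAC matching is an assignment mechanism, not authentication, while the inter-VLAN firewall is still Pending Task 4 and all five VLAN interfaces sit in the same LAN list, so an unknown client placed in VLAN 40 is not yet isolated from Management (192.168.10.0/24). Until task 4 is done, the VLAN Structure table's "Working"/"Configured" statuses should say that segmentation is addressing only, not enforcement.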