Restructure docs: archive VLAN migration, update IPs to VLAN 10
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful

Major documentation cleanup after VLAN migration completion:
- Archive 12 VLAN project docs to archive/vlan-migration/
- Archive 5 done WIP docs (VLAN proposals, AI stack, Fossorial, DNS backup)
- Create standing reference docs 08-DNS-ARCHITECTURE and 09-TAILSCALE-VPN
- Renumber docs to clean 01-09 sequence with merged CHANGELOG
- Update all active docs from stale 192.168.31.x to current VLAN 10 IPs
- Fix CSS1 (.10.9→.10.3) and ZX1 (.10.7→.10.4) IPs in hardware inventory
- Clean 06-VLAN-DEVICE-ASSIGNMENT: remove migration columns/sections, fix VLAN 25 subnet

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kaloyan Danchev
2026-02-06 12:45:16 +02:00
parent 81f2f03400
commit ec9659d0cb
34 changed files with 1145 additions and 631 deletions

@@ -1,56 +0,0 @@
# DNS Redirect Rules Backup
**Date:** 2026-01-27
**Reason:** Temporarily disabled during VLAN migration
**Status:** DISABLED - to be re-enabled after VLAN setup complete
## NAT Rules (dstnat)
| # | Comment | Chain | Action | Src Address | Dst Port | To Address | To Port |
|---|---------|-------|--------|-------------|----------|------------|---------|
| 3 | Allow MikroTik AdGuard outbound DNS | dstnat | accept | 172.17.0.0/24 | 53/udp | - | - |
| 25 | Allow Unraid AdGuard outbound DNS | dstnat | accept | 192.168.31.4 | 53/udp | - | - |
| 26 | Allow Unraid AdGuard outbound DNS TCP | dstnat | accept | 192.168.31.4 | 53/tcp | - | - |
| 27 | Redirect DNS to MikroTik AdGuard | dstnat | dst-nat | 192.168.31.0/24 | 53/udp | 172.17.0.2 | 53 |
| 28 | Redirect DNS to MikroTik AdGuard TCP | dstnat | dst-nat | 192.168.31.0/24 | 53/tcp | 172.17.0.2 | 53 |
| 30 | DNS over TLS (DoT) | dstnat | dst-nat | in-interface=eth1_WAN | 853/tcp | 172.17.0.2 | 853 |
| 31 | DNS over HTTPS (DoH) | dstnat | dst-nat | in-interface=eth1_WAN | 8443/tcp | 172.17.0.2 | 443 |
| 32 | Redirect VLAN DNS to AdGuard | dstnat | dst-nat | src-address-list=all-vlans | 53/udp | 172.17.0.2 | 53 |
| 33 | Redirect VLAN DNS to AdGuard TCP | dstnat | dst-nat | src-address-list=all-vlans | 53/tcp | 172.17.0.2 | 53 |
## NAT Rules (srcnat - masquerade)
| # | Comment | Chain | Action | Src Address | Dst Address | Dst Port |
|---|---------|-------|--------|-------------|-------------|----------|
| 8 | Masquerade DNS to MikroTik AdGuard | srcnat | masquerade | 192.168.31.0/24 | 172.17.0.2 | 53/udp |
| 9 | Masquerade DNS to MikroTik AdGuard TCP | srcnat | masquerade | 192.168.31.0/24 | 172.17.0.2 | 53/tcp |
| 34 | Masquerade VLAN DNS to AdGuard | srcnat | masquerade | src-address-list=all-vlans | 172.17.0.2 | 53/udp |
| 35 | Masquerade VLAN DNS to AdGuard TCP | srcnat | masquerade | src-address-list=all-vlans | 172.17.0.2 | 53/tcp |
## Filter Rules (forward - allow DNS)
| # | Comment | Chain | Action | Src Address List | Dst Address | Dst Port |
|---|---------|-------|--------|------------------|-------------|----------|
| 12 | VLAN: IoT to DNS | forward | accept | vlan-iot | 192.168.31.1 | 53/udp |
| 14 | VLAN: IoT to DNS TCP | forward | accept | vlan-iot | 192.168.31.1 | 53/tcp |
| 16 | VLAN: Cameras to DNS | forward | accept | vlan-cameras | 192.168.31.1 | 53/udp |
| 18 | VLAN: Guest to DNS | forward | accept | vlan-guest | 192.168.31.1 | 53/udp |
| 51 | VLAN: Kids to DNS | forward | accept | vlan-kids | 192.168.31.1 | 53/udp |
## Re-enable Commands
When ready to restore DNS redirect to AdGuard:
```routeros
# Enable NAT redirect rules
/ip firewall nat enable [find comment~"Redirect DNS" or comment~"Masquerade DNS"]
# Note: Filter rules (VLAN to DNS) should remain enabled - they just allow traffic
```
## Notes
- Rules 27, 28, 32, 33 are the main redirect rules that force DNS through AdGuard
- Rules 8, 9, 34, 35 are masquerade rules needed for AdGuard container to work
- Rules 3, 25, 26 allow AdGuard containers to make outbound DNS queries
- Filter rules 12, 14, 16, 18, 51 allow VLAN devices to reach DNS - these are OK to keep
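Review bot: the command in the Re-enable Commands block (`/ip firewall nat enable [find comment~"Redirect DNS" or comment~"Masquerade DNS"]`) will not match rules 32 to 35, because `comment~` is a regex match and their comments read "Redirect VLAN DNS to AdGuard" and "Masquerade VLAN DNS to AdGuard", neither of which contains the substring "Redirect DNS" or "Masquerade DNS". Run as written it re-enables only the legacy 192.168.31.0/24 rules (8, 9, 27, 28), which this commit is retiring, while the Notes section names 32 and 33 as the main redirect rules, so VLAN clients would stay without DNS enforcement. If the archived copy remains the runbook for restoring enforcement, change the pattern to `comment~"Redirect.*DNS" or comment~"Masquerade.*DNS"` (or list the rule comments explicitly) and record in the archive whether the rules were actually re-enabled after the migration, since this deletion removes the only place that states they are DISABLED.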

@@ -1,137 +0,0 @@
# Fossorial Tunnel Stack (Pangolin + Gerbil)
**Status:** 💡 IDEA
**Priority:** Low
**Depends On:** Hardware upgrade (XTRM-N1 for resilience)
---
## Overview
Self-hosted tunnel solution for exposing services without Cloudflare/VPS dependency.
| Component | Purpose |
|-----------|---------|
| **Pangolin** | Central controller/dashboard |
| **Gerbil** | WireGuard peer manager |
| **Newt** | Tunnel connector agent |
---
## Why Fossorial?
Current state uses Traefik + Cloudflare DNS for external access.
Fossorial would provide:
- Independent tunneling (no Cloudflare dependency)
- Self-healing WireGuard connections
- Web-based tunnel management
- Potential for MikroTik container fallback
---
## Architecture
```
Internet (62.73.120.142)
▼ UDP 51820
┌─────────────────────┐
│ Gerbil (WG Manager) │
│ :51820 WireGuard │
│ :8080 API │
└─────────┬───────────┘
┌─────────▼───────────┐
│ Pangolin (Dashboard)│
│ :3000 Web UI │
└─────────┬───────────┘
┌─────────▼───────────┐
│ Newt (Connector) │
│ Dials out to peers │
└─────────────────────┘
```
---
## Prerequisites
- [ ] Port 51820/UDP forwarded on MikroTik
- [ ] `fossorial` Docker network created
- [ ] Secret key generated
---
## Deployment Steps
### 1. Create Network
```bash
docker network create --driver bridge fossorial
```
### 2. Deploy Pangolin
```bash
docker run -d \
--name pangolin \
--network fossorial \
-p 3000:3000 \
-v /mnt/user/appdata/pangolin/data:/app/data \
-e PANGOLIN_BASE_URL=https://pangolin.xtrm-lab.org \
-e PANGOLIN_SECRET_KEY=$(openssl rand -hex 32) \
fossoriumtech/pangolin:latest
```
### 3. Deploy Gerbil
```bash
docker run -d \
--name gerbil \
--network fossorial \
--cap-add=NET_ADMIN \
-p 51820:51820/udp \
-p 8080:8080 \
-v /mnt/user/appdata/gerbil:/app/data \
-e GERBIL_PUBLIC_IP=62.73.120.142 \
-e GERBIL_PUBLIC_PORT=51820 \
fossoriumtech/gerbil:latest
```
### 4. Deploy Newt
```bash
docker run -d \
--name newt \
--network fossorial \
-v /mnt/user/appdata/newt:/app/data \
-e NEWT_PANGOLIN_URL=https://pangolin.xtrm-lab.org \
-e NEWT_ENDPOINT=62.73.120.142:51820 \
fossoriumtech/newt:latest
```
### 5. MikroTik NAT
```routeros
/ip/firewall/nat add chain=dstnat \
action=dst-nat to-addresses=192.168.31.2 to-ports=51820 \
protocol=udp dst-port=51820 \
comment="Fossorial WireGuard"
```
---
## Current WireGuard (Not Affected)
Existing back-to-home-vpn uses port **59188**, completely separate.
---
## Decision Points
1. **Is this needed?** Tailscale + Traefik already provides external access
2. **When to implement?** After XTRM-N1 survival node for fallback option
3. **Use case?** If Cloudflare/Tailscale goes down
---
## References
- Original planning: `archive/02-PHASE2-FOSSORIAL-STACK.md`
- GitHub: https://github.com/fossoriumtech
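Review bot: the Deploy Pangolin step passes `-e PANGOLIN_SECRET_KEY=$(openssl rand -hex 32)` inline in the `docker run` line, so each re-run of that command starts the container with a different key from the previous run; the archived copy should generate the key once, keep it outside the command (an env file or the appdata volume), and reference it from there. The MikroTik NAT step also still targets `to-addresses=192.168.31.2`, the pre-migration address that the rest of this commit replaces with VLAN 10 IPs, and the file is headed `Status: IDEA` with nothing in it marked as applied, so a one-line header in the archive stating that it was never deployed and that the IP is stale would stop the snippet being pasted into a live configuration.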

@@ -104,7 +104,7 @@ pipeline:
when:
path: configs/xtrm-n5/**
commands:
- ssh root@192.168.31.2 "cd /path && docker compose up -d"
- ssh root@192.168.10.20 "cd /path && docker compose up -d"
secrets: [ssh_key]
deploy-n1:
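Review bot: the deploy target moves from `192.168.31.2` to `192.168.10.20`, but the VLAN planning documents archived in this same commit place the Unraid/N5 host at `192.168.10.2` in VLAN 10, so please confirm `.10.20` is the intended host for the `configs/xtrm-n5/**` path before this pipeline runs. The SSH host key changes with the address as well: make sure the runner's known_hosts (or the client config that goes with the `ssh_key` secret) carries the entry for the new IP rather than the job being made to skip host-key checking. If `cd /path` is a literal placeholder rather than a redacted path, the step will fail on the first deploy regardless of the IP change.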

@@ -1,169 +0,0 @@
# Local AI Stack on Unraid
**Status:** ✅ Deployed
**Last Updated:** 2026-01-26
---
## Current Deployment
| Component | Status | URL/Port |
|-----------|--------|----------|
| Ollama | ✅ Running | http://192.168.31.2:11434 |
| Open WebUI | ✅ Running | http://192.168.31.2:3080 |
| Intel GPU | ✅ Enabled | /dev/dri passthrough |
### Models Installed
| Model | Size | Type |
|-------|------|------|
| qwen2.5-coder:7b | 4.7 GB | Base coding LLM |
| unraid-assistant | 4.7 GB | Custom model with infrastructure knowledge |
---
## Custom Model: unraid-assistant
A fine-tuned system prompt model that knows the xtrm-lab.org infrastructure:
### Knowledge Included
- **Network topology**: All VLANs (10,20,25,30,31,35,40,50), IPs, gateways
- **45+ Docker containers**: Names, images, ports, purposes
- **RouterOS 7**: Commands, VLAN patterns, firewall rules
- **Traefik**: Labels, routing, SSL configuration
- **Authentik**: SSO middleware, provider setup
- **External URLs**: All xtrm-lab.org services
### Usage
```bash
# Terminal (SSH to Unraid)
ai "How do I add a device to the IoT VLAN?"
ai "What port is gitea running on?"
ai "Show me Traefik labels for a new app with Authentik"
# Interactive mode
ai
```
### Rebuild Model
If infrastructure changes, update and rebuild:
```bash
# Edit the Modelfile
nano /mnt/user/appdata/ollama/Modelfile-unraid
# Rebuild
docker exec ollama ollama create unraid-assistant -f /root/.ollama/Modelfile-unraid
```
---
## Hardware
| Component | Spec |
|-----------|------|
| CPU | Intel N100 (4 cores) |
| RAM | 16GB (shared with Docker) |
| GPU | Intel UHD (iGPU via /dev/dri) |
| Storage | 1.7TB free on array |
### Performance
- ~1 token/sec with 7B models
- Responses take 30-90 seconds
- Suitable for occasional use, not real-time chat
---
## Containers Stopped for RAM
To free ~4.8GB for AI workloads:
| Container | RAM Freed | Purpose |
|-----------|-----------|---------|
| karakeep | 1.68 GB | Bookmark manager |
| unimus | 1.62 GB | Network backup |
| homarr | 686 MB | Dashboard |
| netdisco-web | 531 MB | Network discovery UI |
| netdisco-backend | 291 MB | Network discovery |
To restart if needed:
```bash
docker start karakeep unimus homarr netdisco-web netdisco-backend
```
---
## Docker Configuration
### Ollama
```bash
docker run -d \
--name ollama \
--restart unless-stopped \
--device /dev/dri \
-v /mnt/user/appdata/ollama:/root/.ollama \
-p 11434:11434 \
ollama/ollama
```
### Open WebUI
```bash
docker run -d \
--name open-webui \
--restart unless-stopped \
-p 3080:8080 \
-e OLLAMA_BASE_URL=http://192.168.31.2:11434 \
-v /mnt/user/appdata/open-webui:/app/backend/data \
ghcr.io/open-webui/open-webui:main
```
### AI Command Helper
```bash
# /usr/local/bin/ai
#\!/bin/bash
MODEL="unraid-assistant"
if [ $# -eq 0 ]; then
docker exec -it ollama ollama run $MODEL
else
docker exec ollama ollama run $MODEL "$*"
fi
```
---
## Open WebUI RAG Setup
For detailed documentation beyond system prompt:
1. Go to http://192.168.31.2:3080
2. **Workspace****Knowledge****+ Create**
3. Name: `Infrastructure`
4. Upload docs from `/mnt/user/appdata/open-webui/docs/`
Infrastructure docs are pre-copied to that location.
---
## Future: N5 Air (Ryzen AI 5 255) Upgrade
Planning to migrate AI stack to N5 Air with Ryzen AI 5 255:
| Metric | N100 (current) | Ryzen AI 5 255 |
|--------|----------------|--------------|
| Speed | ~1 tok/s | ~5-8 tok/s |
| Max model | 7B | 14B-32B |
| Response time | 30-90s | 5-15s |
Features XDNA NPU (16 TOPS) for potential AI acceleration. DDR5 + 6c/12t CPU will significantly improve inference.
---
## Files
| File | Purpose |
|------|---------|
| /mnt/user/appdata/ollama/Modelfile-unraid | Custom model definition |
| /usr/local/bin/ai | Terminal helper command |
| /mnt/user/appdata/open-webui/docs/ | RAG documents |
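Review bot: the AI Command Helper script has `#\!/bin/bash` as its second line, after the `# /usr/local/bin/ai` comment, so the interpreter line is both escaped and not on line 1; anyone reproducing the script from this archive gets a file that runs under whatever shell invokes it rather than bash. Put a plain `#!/bin/bash` on the first line. The document is also marked `Status: ✅ Deployed` while it points at `http://192.168.31.2:11434` and `:3080` and sets `OLLAMA_BASE_URL=http://192.168.31.2:11434`; since the commit message says only active docs receive the VLAN 10 IPs, a running stack documented only in the archive keeps stale addresses, so either add a stale-IP note to the archived copy or keep a short entry for the Ollama and Open WebUI endpoints in the standing docs.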

@@ -8,9 +8,9 @@ Planned changes, evaluations, and ideas not yet implemented.
| Status | Meaning |
|--------|---------|
| 📋 PLANNED | Approved, waiting for resources/time |
| 🔬 EVALUATING | Under investigation/research |
| 💡 IDEA | Concept, needs further definition |
| PLANNED | Approved, waiting for resources/time |
| EVALUATING | Under investigation/research |
| IDEA | Concept, needs further definition |
---
@@ -20,24 +20,24 @@ Planned changes, evaluations, and ideas not yet implemented.
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
| [UPGRADE-2026-HARDWARE.md](UPGRADE-2026-HARDWARE.md) | 📋 PLANNED | High | N5 Air + N100 server migration |
| [GITOPS-CONTAINERS.md](GITOPS-CONTAINERS.md) | 💡 IDEA | Medium | Container config in Git with CI/CD |
| [UPGRADE-2026-HARDWARE.md](UPGRADE-2026-HARDWARE.md) | PLANNED | High | N5 Air + N100 server migration |
| [GITOPS-CONTAINERS.md](GITOPS-CONTAINERS.md) | IDEA | Medium | Container config in Git with CI/CD |
### Network
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
| [VLAN-SEGMENTATION.md](VLAN-SEGMENTATION.md) | 📋 PLANNED | Medium | Network segmentation (Secure/IoT/Kids/Guest) |
| [FOSSORIAL-TUNNELS.md](FOSSORIAL-TUNNELS.md) | 💡 IDEA | Low | Self-hosted Pangolin/Gerbil tunnels |
| [CONSOLE-PORT-ETHER5.md](CONSOLE-PORT-ETHER5.md) | EVALUATING | Low | Console/serial port on HAP1 ether5 |
| [KVM-SWITCH-MAC-NOBARA.md](KVM-SWITCH-MAC-NOBARA.md) | EVALUATING | Medium | Software KVM for Mac/Nobara switching |
### Applications
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
| [REMOTE-GAMING.md](REMOTE-GAMING.md) | 🔬 EVALUATING | Low | Sunshine + Moonlight game streaming |
| [REMOTE-GAMING.md](REMOTE-GAMING.md) | EVALUATING | Low | Sunshine + Moonlight game streaming |
---
## Completed Items
Move to main docs or archive when done. Update `05-CHANGELOG.md` with major completions.
Move to main docs or archive when done. Update `CHANGELOG.md` with major completions.
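Review bot: removing the `VLAN-SEGMENTATION.md` and `FOSSORIAL-TUNNELS.md` rows leaves no pointer from the WIP index to where those documents went; the commit message says they are archived under `archive/vlan-migration/`, so add a line under Completed Items (which already tells readers to move finished work to the archive) naming the archived files, otherwise the index loses its record of what was planned and completed. The changed sentence now references `CHANGELOG.md`, which matches the merged changelog described in the commit message, so that part is consistent.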

@@ -1,332 +0,0 @@
# WIP: VLAN Network Segmentation Proposal
**Status:** Planning
**Created:** 2026-01-25
**Updated:** 2026-01-25
---
## Decisions Made
- ✅ Separate Camera VLAN (VLAN 35)
- ✅ Guest WiFi: Password only (no captive portal)
- ✅ Keep 192.168.31.0/24 during transition (VLAN 1)
---
## Current State
Single flat network: `192.168.31.0/24` (will become transition VLAN)
---
## Proposed VLAN Architecture
```
┌─────────────────┐
│ INTERNET │
└────────┬────────┘
┌────────▼────────┐
│ MikroTik hAP │
│ (Router/FW) │
└────────┬────────┘
┌───────────┬───────────┬───────────┬───┴───┬───────────┬───────────┐
│ │ │ │ │ │ │
┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌▼────────┐ ┌▼────────┐ ┌▼────────┐
│ VLAN 1 │ │ VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 35 │ │ VLAN 40 │ │ VLAN 50 │
│ Legacy │ │ Mgmt │ │ Trusted │ │ IoT │ │ Cameras │ │ Servers │ │ Guest │
│.31.0/24 │ │.10.0/24 │ │.20.0/24 │ │.30.0/24 │ │.35.0/24 │ │.40.0/24 │ │.50.0/24 │
└─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘
```
---
## VLAN Definitions
| VLAN ID | Name | Subnet | Gateway | Purpose |
|---------|------|--------|---------|---------|
| 1 | Legacy/Transition | 192.168.31.0/24 | .31.1 | Current network (temporary) |
| 10 | Management | 192.168.10.0/24 | .10.1 | Infrastructure admin |
| 20 | Trusted | 192.168.20.0/24 | .20.1 | Personal devices |
| 30 | IoT | 192.168.30.0/24 | .30.1 | Smart home devices |
| 35 | Cameras | 192.168.35.0/24 | .35.1 | Security cameras (isolated) |
| 40 | Servers | 192.168.40.0/24 | .40.1 | Exposed services |
| 50 | Guest | 192.168.50.0/24 | .50.1 | Visitor WiFi |
---
## VLAN 1: Legacy/Transition
**Purpose:** Current network - devices migrate from here
| Device | IP | Target VLAN |
|--------|-----|-------------|
| MikroTik | 192.168.31.1 | VLAN 10 |
| Unraid | 192.168.31.2 | VLAN 10 |
| AdGuard | 192.168.31.4 | VLAN 40 |
| LG TV | 192.168.31.100 | VLAN 30 |
**Note:** This VLAN will be deprecated after migration.
---
## VLAN 10: Management
**Purpose:** Infrastructure administration only
| Device | IP | Description |
|--------|-----|-------------|
| MikroTik | 192.168.10.1 | Router/Gateway |
| Unraid | 192.168.10.2 | Server management |
| CSS326 | 192.168.10.3 | Switch management |
| cAP ac | 192.168.10.4 | AP management |
**Access Rules:**
- ✅ Full access to all VLANs
- ✅ SSH, Web UI, API access
- ❌ No access FROM other VLANs (except established)
---
## VLAN 20: Trusted
**Purpose:** Personal/family devices
| Device Type | DHCP Range | Static Range |
|-------------|------------|--------------|
| Reserved | - | .20.10-.50 |
| Laptops | .20.100-.130 | - |
| Phones | .20.131-.160 | - |
| Tablets | .20.161-.180 | - |
| Other | .20.181-.220 | - |
**Access Rules:**
- ✅ Internet access
- ✅ Access to Servers VLAN
- ✅ Access to IoT VLAN (control devices)
- ✅ Access to Cameras VLAN (view feeds)
- ❌ No access to Management VLAN
- ❌ No access from Guest VLAN
---
## VLAN 30: IoT
**Purpose:** Smart home devices (isolated)
| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Smart TVs | .30.100-.110 | LG TV, Apple TV |
| Speakers | .30.111-.130 | Sonos, HomePod |
| Hubs | .30.131-.150 | Zigbee, Z-Wave |
| Sensors | .30.151-.180 | Motion, temp |
| Other | .30.181-.220 | Plugs, lights |
**Access Rules:**
- ✅ Internet access (filtered)
- ✅ Local DNS (AdGuard)
- ✅ mDNS relay from Trusted
- ❌ No access to Management
- ❌ No access to Cameras
- ❌ No access to Servers (except specific)
- ❌ Cannot initiate to Trusted
---
## VLAN 35: Cameras
**Purpose:** Security cameras (highly isolated)
| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Indoor | .35.100-.120 | - |
| Outdoor | .35.121-.140 | - |
| NVR | .35.10 | Recording server |
**Access Rules:**
- ⚠️ Limited internet (firmware updates only)
- ✅ Access to NVR only
- ✅ Trusted can VIEW (no control)
- ❌ No access to any other VLAN
- ❌ No inter-camera communication
- ❌ Blocked: China, Russia IPs (common camera callback)
---
## VLAN 40: Servers/DMZ
**Purpose:** Services accessible externally
| Service | IP | Ports | Description |
|---------|-----|-------|-------------|
| Traefik | 192.168.40.2 | 80,443 | Reverse proxy |
| AdGuard | 192.168.40.4 | 53,853,443 | DNS server |
| Gitea | 192.168.40.10 | 3000 | Git hosting |
| Woodpecker | 192.168.40.11 | 8000 | CI/CD |
| Plex | 192.168.40.20 | 32400 | Media |
**Access Rules:**
- ✅ Internet access
- ✅ Inbound from WAN (via NAT)
- ✅ Access from Trusted
- ❌ Cannot initiate to other VLANs
---
## VLAN 50: Guest
**Purpose:** Visitor WiFi (password protected, no captive portal)
| Setting | Value |
|---------|-------|
| DHCP Range | 192.168.50.100-.200 |
| Lease Time | 4 hours |
| Bandwidth | 50 Mbps limit |
| Client Isolation | Enabled |
**Access Rules:**
- ✅ Internet access only
- ❌ No access to ANY internal VLAN
- ❌ No inter-client communication
---
## Firewall Matrix
```
┌─────────────┬────────┬──────┬─────────┬─────┬─────────┬─────────┬───────┐
│ From \ To │ Legacy │ Mgmt │ Trusted │ IoT │ Cameras │ Servers │ Guest │
├─────────────┼────────┼──────┼─────────┼─────┼─────────┼─────────┼───────┤
│ Legacy │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │
│ Management │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │
│ Trusted │ ✅ │ ❌ │ ✅ │ ✅ │ 👁️ │ ✅ │ ❌ │
│ IoT │ ❌ │ ❌ │ ❌ │ ⚠️ │ ❌ │ ⚠️ │ ❌ │
│ Cameras │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │ ❌ │ ❌ │
│ Servers │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
│ Guest │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │
│ Internet │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
└─────────────┴────────┴──────┴─────────┴─────┴─────────┴─────────┴───────┘
✅ = Full access
❌ = Blocked
⚠️ = Limited (specific ports/IPs)
👁️ = View only (cameras: RTSP/HTTP streams)
```
---
## DNS Configuration
| VLAN | DNS Server | Filtering Level |
|------|------------|-----------------|
| 1 Legacy | 192.168.31.1 | Current setup |
| 10 Management | 192.168.10.1 | Minimal |
| 20 Trusted | 192.168.40.4 | Standard |
| 30 IoT | 192.168.40.4 | IoT blocklist |
| 35 Cameras | 192.168.40.4 | Strict + geo-block |
| 40 Servers | 8.8.8.8/1.1.1.1 | None (external) |
| 50 Guest | 192.168.40.4 | Strict |
---
## WiFi SSID Mapping
| SSID | VLAN | Band | Security | Hidden |
|------|------|------|----------|--------|
| Home | 20 | 2.4+5 GHz | WPA3 | No |
| Home-IoT | 30 | 2.4 GHz | WPA2 | No |
| Home-Guest | 50 | 2.4+5 GHz | WPA2 | No |
| Admin | 10 | 5 GHz | WPA3 | Yes |
---
## MikroTik Implementation
### 1. Create VLANs
```routeros
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-trusted vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan35-cameras vlan-id=35
add interface=bridge name=vlan40-servers vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50
```
### 2. IP Addresses
```routeros
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.35.1/24 interface=vlan35-cameras
add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest
```
### 3. DHCP Pools
```routeros
/ip pool
add name=pool-trusted ranges=192.168.20.100-192.168.20.220
add name=pool-iot ranges=192.168.30.100-192.168.30.220
add name=pool-cameras ranges=192.168.35.100-192.168.35.140
add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.200
```
### 4. Camera Geo-Blocking
```routeros
/ip firewall address-list
add list=blocked-countries address=0.0.0.0/8 comment="CN/RU blocks - add actual ranges"
/ip firewall filter
add chain=forward action=drop src-address=192.168.35.0/24 dst-address-list=blocked-countries
```
---
## Migration Plan
### Phase 1: Preparation (No Downtime)
- [ ] Document all static IPs and MAC addresses
- [ ] Create device inventory with target VLANs
- [ ] Configure VLANs on MikroTik (inactive)
- [ ] Configure switch trunk ports
- [ ] Test on isolated port
### Phase 2: Infrastructure (Brief Downtime)
- [ ] Create VLAN interfaces and IPs
- [ ] Configure DHCP per VLAN
- [ ] Move Unraid management to VLAN 10
- [ ] Move AdGuard to VLAN 40
- [ ] Update container networks
### Phase 3: WiFi (Rolling)
- [ ] Create new SSIDs per VLAN
- [ ] Move personal devices to VLAN 20
- [ ] Move IoT devices to VLAN 30
- [ ] Test mDNS/Bonjour relay
### Phase 4: Cameras & Security
- [ ] Move cameras to VLAN 35
- [ ] Implement geo-blocking
- [ ] Test camera isolation
- [ ] Verify Trusted can view feeds
### Phase 5: Cleanup
- [ ] Implement all firewall rules
- [ ] Enable DNS enforcement
- [ ] Migrate remaining devices from VLAN 1
- [ ] Document final configuration
- [ ] Deprecate VLAN 1 (keep for emergency)
---
## Rollback Plan
If issues occur:
1. All devices can temporarily use VLAN 1 (legacy)
2. MikroTik remains accessible on 192.168.31.1
3. Keep VLAN 1 DHCP active during transition
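Review bot: this proposal's VLAN plan (1 Legacy, 10 Management, 20 Trusted, 30 IoT, 35 Cameras, 40 Servers, 50 Guest) conflicts with the other proposal archived in this commit (20 IoT, 30 Kids, 40 Guest) and with the deployed list `10,20,25,30,31,35,40,50` quoted in the AI stack document, so the archived copy needs a superseded header naming the authoritative document (06-VLAN-DEVICE-ASSIGNMENT per the commit message) before anyone reads its firewall matrix or DNS table as applied policy. Two items should be flagged as never implemented as written: the Camera Geo-Blocking block adds only `0.0.0.0/8` with a comment to add the real ranges, so its drop rule matches nothing useful, and the DNS Configuration table sends the Servers VLAN to 8.8.8.8/1.1.1.1, which bypasses the AdGuard filtering that the DNS redirect rules elsewhere in this commit exist to enforce.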

@@ -1,142 +0,0 @@
# VLAN Network Segmentation
**Status:** 📋 PLANNED
**Priority:** Medium
**Risk:** HIGH (network disruption during implementation)
---
## Overview
Segment flat 192.168.31.0/24 network into VLANs for security isolation.
---
## Proposed VLANs
| VLAN | Name | Subnet | Gateway | Purpose |
|------|------|--------|---------|---------|
| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Infrastructure devices only |
| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers |
| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras |
| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices |
| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi |
---
## WiFi SSID Mapping
| SSID | VLAN | Purpose |
|------|------|---------|
| XTRM | 10 | Primary (trusted devices) |
| XTRM-IoT | 20 | IoT devices |
| XTRM-Kids | 30 | Kids devices |
| XTRM-Guest | 40 | Guest access |
---
## Device Assignments
### VLAN 10 - Secure
| Device | Current IP | New IP |
|--------|------------|--------|
| XTRM-U/N5 | 192.168.31.2 | 192.168.10.2 |
| Nobara PC | 192.168.31.95 | 192.168.10.10 |
| MacBook | 192.168.31.99 | 192.168.10.15 |
| S25 Ultra | 192.168.31.98 | 192.168.10.20 |
### VLAN 20 - IoT
| Device | Current IP | New IP |
|--------|------------|--------|
| Home Assistant | 192.168.31.102 | 192.168.20.2 |
| Chromecast | 192.168.31.134 | 192.168.20.10 |
| Roborock S7 | 192.168.31.104 | 192.168.20.11 |
| Reolink Doorbell | 192.168.31.68 | 192.168.20.13 |
| HP Printer | 192.168.31.19 | 192.168.20.20 |
### VLAN 30 - Kids
| Device | Current IP | New IP |
|--------|------------|--------|
| Nora MacBook | 192.168.31.79 | 192.168.30.10 |
| Kimi Notebook | 192.168.31.108 | 192.168.30.11 |
| Dancho iPhone | 192.168.31.114 | 192.168.30.13 |
---
## Cross-VLAN Access Requirements
### S25 → Chromecast (Casting)
```routeros
/ip/firewall/filter add chain=forward \
src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
dst-port=8008,8009,8443 protocol=tcp action=accept
```
### Secure → Home Assistant
```routeros
/ip/firewall/filter add chain=forward \
src-address=192.168.10.0/24 dst-address=192.168.20.2 \
dst-port=8123 protocol=tcp action=accept
```
### mDNS Reflector (Device Discovery)
```routeros
/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20
```
---
## Implementation Steps
### Phase 1: Router (HAP1)
1. Create VLAN interfaces
2. Assign IP addresses
3. Create DHCP servers per VLAN
4. Configure firewall rules
### Phase 2: Switch (CSS326)
1. Enable VLAN mode in SwOS
2. Configure trunk port (to HAP1)
3. Assign access VLANs to ports
4. Set PVIDs
### Phase 3: WiFi (CAPsMAN)
1. Create VLAN-tagged SSIDs
2. Update provisioning rules
3. Apply to CAP
---
## Risks
| Risk | Impact | Mitigation |
|------|--------|------------|
| All devices lose connectivity | HIGH | Schedule maintenance window |
| Docker br0 containers break | MEDIUM | Reconfigure macvlan |
| Static IPs need updating | LOW | Pre-configure DHCP reservations |
---
## Rollback
Disable VLAN filtering immediately:
```routeros
/interface/bridge/set bridge vlan-filtering=no
```
---
## Prerequisites
- [ ] Map CSS326 switch ports to devices
- [ ] Backup MikroTik config
- [ ] Schedule maintenance window (30-60 min)
- [ ] Decide WiFi passwords for new SSIDs
- [ ] Console/serial access to router (in case of lockout)
---
## References
- Full planning document: `archive/10-VLAN-NETWORK-SEGMENTATION.md`
- Device inventory: `archive/11-NETWORK-ASSET-INVENTORY.md`
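Review bot: the References section points to `archive/10-VLAN-NETWORK-SEGMENTATION.md` and `archive/11-NETWORK-ASSET-INVENTORY.md`, but this commit moves the VLAN material to `archive/vlan-migration/` and renumbers the docs to 01-09, so those relative links will dangle in the archived copy and should be updated or marked. The mDNS Reflector line `/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20` assumes interfaces named `vlan10` and `vlan20`, which this document never creates (the other archived proposal names them `vlan10-mgmt` and `vlan20-trusted`), and the Rollback block disables VLAN filtering for the whole bridge, which restores connectivity but also removes every inter-VLAN firewall boundary at once; a sentence next to it stating that rollback re-flattens the network is worth keeping in the archive.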