# VLAN Setup Plan v2 - Critical Approach

**Created:** 2026-01-28
**Status:** PLANNING
**Approach:** Step-by-step with verification before each change

---

## CRITICAL RULES

1. **NO CHANGES WITHOUT EXPLICIT USER APPROVAL**
2. **VERIFY current state before each step**
3. **TEST after each step before proceeding**
4. **HAVE ROLLBACK ready for each step**
5. **STOP and assess if anything unexpected happens**

---

## Prerequisites

- Router: MikroTik hAP ax³ (freshly reset to factory defaults)
- Current IP: 192.168.88.1 (factory default)
- Access: WinBox or physical console available for recovery

---

## Phase 1: Basic Router Setup

### Step 1.1: Create User `xtrm`

**Action:**

```routeros
/user add name=xtrm password=M0stW4nt3d@xtrm group=full
```

**Verification:**

```routeros
/user print
```

**Expected Result:**

- User `xtrm` exists with group `full`

**Rollback:**

```routeros
/user remove xtrm
```

---

### Step 1.2: Change SSH Port to 2222

**Action:**

```routeros
/ip service set ssh port=2222
```

**Verification:**

```routeros
/ip service print where name=ssh
```

**Expected Result:**

- SSH service on port 2222

**Rollback:**

```routeros
/ip service set ssh port=22
```

**Test:** SSH to router on port 2222

---

### Step 1.3: Import SSH Key for User `xtrm`

**Prerequisite:** Upload `mikrotik_key.pub` to router via WinBox Files

**Action:**

```routeros
/user ssh-keys import public-key-file=mikrotik_key.pub user=xtrm
```

**Verification:**

```routeros
/user ssh-keys print
```

**Expected Result:**

- SSH key associated with user `xtrm`

**Test:** SSH with key authentication (no password)

---

## Phase 2: WiFi & CAPsMAN Setup

### Step 2.1: Create Security Profiles

**Action:**

```routeros
# For XTRM (5GHz) - High security
/interface wifi security add name=sec-xtrm authentication-types=wpa2-psk,wpa3-psk passphrase=M0stW4nt3d@home

# For XTRM2 (2.4GHz) - IoT compatibility
/interface wifi security add name=sec-xtrm2 authentication-types=wpa-psk,wpa2-psk passphrase=M0stW4nt3d@IoT
```
**Verification:**

```routeros
/interface wifi security print
```

**Expected Result:**

- `sec-xtrm`: WPA2-PSK + WPA3-PSK
- `sec-xtrm2`: WPA-PSK + WPA2-PSK (for old devices)

---

### Step 2.2: Create Configuration Profiles

**Action:**

```routeros
/interface wifi configuration add name=cfg-xtrm ssid=XTRM security=sec-xtrm country=Bulgaria
/interface wifi configuration add name=cfg-xtrm2 ssid=XTRM2 security=sec-xtrm2 country=Bulgaria
```

**Verification:**

```routeros
/interface wifi configuration print
```

---

### Step 2.3: Apply WiFi to Local Radios

**Action:**

```routeros
# wifi1 = 5GHz radio -> XTRM
/interface wifi set wifi1 configuration=cfg-xtrm configuration.ssid=XTRM disabled=no

# wifi2 = 2.4GHz radio -> XTRM2
/interface wifi set wifi2 configuration=cfg-xtrm2 configuration.ssid=XTRM2 disabled=no
```

**Verification:**

```routeros
/interface wifi print
```

**Test:** Connect a device to each SSID, verify internet works

---

### Step 2.4: Enable CAPsMAN

**Action:**

```routeros
/interface wifi capsman set enabled=yes interfaces=bridge
```

**Verification:**

```routeros
/interface wifi capsman print
```

---

### Step 2.5: Create CAPsMAN Provisioning Rules

**Action:**

```routeros
# For 5GHz radios -> XTRM
/interface wifi provisioning add action=create-dynamic-enabled master-configuration=cfg-xtrm supported-bands=5ghz-a,5ghz-n,5ghz-ac

# For 2.4GHz radios -> XTRM2
/interface wifi provisioning add action=create-dynamic-enabled master-configuration=cfg-xtrm2 supported-bands=2ghz-g,2ghz-n
```

**Verification:**

```routeros
/interface wifi provisioning print
```

---

### Step 2.6: Configure CAP to Join CAPsMAN

**On CAP device (192.168.88.250 or via WinBox):**

```routeros
/interface wifi cap set enabled=yes discovery-interfaces=bridge caps-man-addresses=""
```

**Verification on hAP:**

```routeros
/interface wifi capsman remote-cap print
/interface wifi radio print
```

**Expected Result:**

- CAP appears as connected
- CAP radios show up (cap-wifi1, cap-wifi2)

**Test:** Connect a device to XTRM/XTRM2 via the CAP, verify internet works

---

## Phase 3: Install Additional Packages

### Step 3.1: Install User Manager and Container Packages

**Action:**

1. Download packages from the MikroTik website (arm64, version 7.21.1)
2. Upload to router via WinBox:
   - `user-manager-7.21.1-arm64.npk`
   - `container-7.21.1-arm64.npk` (if not already installed)
3. Reboot router

**Verification after reboot:**

```routeros
/system package print
```

**Expected Result:**

- `user-manager` package listed
- `container` package listed

---

## Phase 4: Network Reconfiguration (CRITICAL)

### Step 4.0: Pre-Change Verification

**Before ANY changes, verify current state:**

```routeros
# RouterOS prints text with :put (there is no echo command)
:put "=== CURRENT STATE ==="
/ip address print
/ip pool print
/ip dhcp-server print
/ip dhcp-server network print
/interface bridge print
/interface bridge port print
/interface bridge vlan print
/ip firewall nat print
```

**Document the output before proceeding!**

---

### Step 4.1: Change Network to 192.168.31.0/24

**Current:** 192.168.88.0/24 (factory default)
**Target:** 192.168.31.0/24

**Action (all in one command block to minimize disruption):**

```routeros
/ip address set [find where address~"192.168.88"] address=192.168.31.1/24
/ip pool set [find where name="default-dhcp"] ranges=192.168.31.100-192.168.31.254
/ip dhcp-server network set [find where address="192.168.88.0/24"] address=192.168.31.0/24 gateway=192.168.31.1 dns-server=8.8.8.8
```

**After change:** Reconnect to WiFi to get a new IP (the old 192.168.88.x lease is no longer valid)

**Verification:**

```routeros
/ip address print
/ip pool print
/ip dhcp-server network print
/ping 8.8.8.8 count=2
```

**Test:** Browse the internet from a connected device

---

### Step 4.2: Create VLAN40 Interface (Catch-All)

**IMPORTANT:** Do NOT move the IP to the VLAN interface yet!
**Action:**

```routeros
/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40
```

**Verification:**

```routeros
/interface vlan print
```

**Expected Result:**

- `vlan40-catchall` interface exists
- Network still works (IP still on bridge)

---

### Step 4.3: Add VLAN40 to Bridge VLAN Table

**Action:**

```routeros
/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,wifi1,wifi2

# Untagged ingress frames are assigned the port's pvid. The ports are still on
# the default pvid=1, which has no VLAN table entry, so without this they are
# cut off the moment VLAN filtering is enabled in Step 4.6.
/interface bridge port set [find interface=ether2] pvid=40
/interface bridge port set [find interface=ether3] pvid=40
/interface bridge port set [find interface=wifi1] pvid=40
/interface bridge port set [find interface=wifi2] pvid=40
```

**Verification:**

```routeros
/interface bridge vlan print detail
/interface bridge port print
```

---

### Step 4.4: Create VLAN40 DHCP Infrastructure

**Action:**

```routeros
# Create pool for VLAN40
/ip pool add name=pool-vlan40 ranges=192.168.31.100-192.168.31.254

# Add IP to VLAN40 interface (SECOND IP - keep the bridge IP!)
/ip address add address=192.168.31.1/24 interface=vlan40-catchall
# This will show a warning about a duplicate address - that is expected for now
```

**Verification:**

```routeros
/ip address print
```

**Expected:** TWO entries for 192.168.31.1 (bridge AND vlan40)

---

### Step 4.5: STOP AND VERIFY

**Before enabling VLAN filtering:**

1. Can you ping 192.168.31.1?
2. Can you access the router via SSH?
3. Can you access the router via WinBox?
4. Is the internet working?

**If ANY answer is NO - STOP and troubleshoot!**

---

### Step 4.6: Enable VLAN Filtering (REQUIRES EXPLICIT USER APPROVAL)

⚠️ **THIS STEP REQUIRES USER TO TYPE "APPROVED" BEFORE EXECUTION** ⚠️

**Pre-flight checks:**

```routeros
/interface bridge vlan print detail
/interface bridge port print
```

**Ensure:**

- VLAN 40 has all current ports as untagged
- Each of those ports has `pvid=40` (otherwise its untagged traffic lands in VLAN 1, which has no table entry)
- Bridge is tagged in VLAN 40
- Any bridge port that is NOT in VLAN 40 (ether4 and ether5 until Step 5.4) loses connectivity the moment filtering is enabled; make sure nothing you depend on is plugged into those ports

**Action:**

```routeros
/interface bridge set bridge vlan-filtering=yes
```

**Immediate verification:**

```routeros
/ping 8.8.8.8 count=2
```

**If ping fails - IMMEDIATELY rollback:**

```routeros
/interface bridge set bridge vlan-filtering=no
```

---

### Step 4.7: Post-Activation Cleanup

**Only after confirming VLAN filtering works:**

1. Move the DHCP server to the VLAN40 interface:

   ```routeros
   /ip dhcp-server set defconf interface=vlan40-catchall
   ```

2. Remove the duplicate IP from the bridge:

   ```routeros
   /ip address remove [find where interface=bridge and address~"192.168.31"]
   ```

**Verification:**

```routeros
/ip address print
/ip dhcp-server print
```

---

## Phase 5: Create VLAN10 (Management - Port Based)

### Step 5.1: Create VLAN10 Interface

**Action:**

```routeros
/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10
/ip address add address=192.168.10.1/24 interface=vlan10-mgmt
```

---

### Step 5.2: Create VLAN10 DHCP

**Action:**

```routeros
/ip pool add name=pool-mgmt ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add address-pool=pool-mgmt interface=vlan10-mgmt name=dhcp-mgmt
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8
```

---

### Step 5.3: Create VLAN10 Static Leases

**Action:**

```routeros
/ip dhcp-server lease
add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-mgmt
add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-mgmt
add address=192.168.10.10 mac-address=02:42:C0:A8:1F:04 comment="AdGuard Unraid" server=dhcp-mgmt
add address=192.168.10.11 mac-address=48:DA:35:6F:BE:50 comment="NanoKVM" server=dhcp-mgmt
add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="XTRM-U Unraid" server=dhcp-mgmt
```

---

### Step 5.4: Configure Bridge for VLAN10

**Action:**

```routeros
# Add VLAN10 to bridge table - ether4/ether5 as untagged (Unraid ports)
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5

# Set PVID on Unraid ports
/interface bridge port set [find interface=ether4] pvid=10
/interface bridge port set [find interface=ether5] pvid=10
```

---

### Step 5.5: STOP AND TEST VLAN10

⚠️ **REQUIRES USER APPROVAL TO PROCEED** ⚠️

**Test:**

1. Unraid should get IP 192.168.10.20
2. Unraid should have internet access
3. Other devices still work on VLAN40

---

## Phase 6: Create Remaining VLANs

### VLAN Overview

| VLAN | Name | Subnet | Purpose | Assignment |
|------|------|--------|---------|------------|
| 10 | Management | 192.168.10.0/24 | Infrastructure | Port-based |
| 20 | Trusted | 192.168.20.0/24 | Family devices | RADIUS |
| 25 | Kids | 192.168.25.0/24 | Kids devices | RADIUS |
| 30 | IoT | 192.168.30.0/24 | Smart home | RADIUS |
| 35 | Cameras | 192.168.35.0/24 | Security | Port-based |
| 40 | Catch-All | 192.168.31.0/24 | Default/Unknown | Default |

### Step 6.1-6.4: Create Each VLAN

**Repeat for each VLAN (20, 25, 30, 35), replacing `XX` with the VLAN ID and `name` with the VLAN name:**

```routeros
# Create interface
/interface vlan add interface=bridge name=vlanXX-name vlan-id=XX

# Add IP
/ip address add address=192.168.XX.1/24 interface=vlanXX-name

# Create pool
/ip pool add name=pool-vlanXX ranges=192.168.XX.100-192.168.XX.200

# Create DHCP server
/ip dhcp-server add address-pool=pool-vlanXX interface=vlanXX-name name=dhcp-vlanXX

# Create DHCP network
/ip dhcp-server network add address=192.168.XX.0/24 gateway=192.168.XX.1 dns-server=8.8.8.8

# Add to bridge VLAN table (tagged only - RADIUS will assign)
/interface bridge vlan add bridge=bridge vlan-ids=XX tagged=bridge
```

---

## Phase 7: Configure User Manager (RADIUS)

### Step 7.1: Enable User Manager

```routeros
/user-manager set enabled=yes
```

### Step 7.2: Add Router as RADIUS Client

```routeros
/user-manager router add name=local address=127.0.0.1 shared-secret=radius-secret
```

### Step 7.3: Add MAC-VLAN Mappings

**For each device, add a user with the MAC as name and the VLAN as a RADIUS attribute:**

```routeros
# Example for trusted device
/user-manager user add name=AA:ED:8B:2A:40:F1 password="" shared-users=1
/user-manager user set [find name=AA:ED:8B:2A:40:F1] attributes="Tunnel-Type:VLAN,Tunnel-Medium-Type:IEEE-802,Tunnel-Private-Group-Id:20"
```

### Step 7.4: Configure WiFi for RADIUS

```routeros
/interface wifi security set sec-xtrm radius=yes
/interface wifi security set sec-xtrm2 radius=yes
```

---

## Phase 8: Activation Plan

### Step 8.1: Final Pre-Activation Checklist

- [ ] All VLAN interfaces created
- [ ] All DHCP servers configured
- [ ] All static leases added
- [ ] User Manager configured with all MACs
- [ ] WiFi configured for RADIUS
- [ ] WinBox access verified
- [ ] Rollback command ready

### Step 8.2: Staged Activation

1. **Test VLAN10 only** (port-based, Unraid)
2. **Verify 24 hours**
3. **Test VLAN20** (one trusted device via RADIUS)
4. **Verify 24 hours**
5. **Enable remaining VLANs**

---

## Rollback Commands

**Disable VLAN filtering (emergency):**

```routeros
/interface bridge set bridge vlan-filtering=no
```

**Reset to factory:**

```routeros
/system reset-configuration no-defaults=no
```

---

## Device Inventory Reference

See: `docs/03-VLAN-DEVICE-ASSIGNMENT.md`

---

## Verification Commands

```routeros
# Check VLAN status
/interface vlan print
/interface bridge vlan print detail
/interface bridge port print

# Check DHCP
/ip dhcp-server print
/ip dhcp-server lease print

# Check connectivity
/ping 8.8.8.8 count=3
/ping 192.168.31.1 count=3

# Check User Manager
/user-manager user print
/user-manager router print
```
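## Offline Pre-Flight Check for Step 4.6

Step 4.6 is the one change in this plan that can lock you out of the router, and its "Ensure" list is checked by eye. The script below is an added helper (not part of the plan and not a MikroTik tool) that does the same check mechanically: paste the output of `/interface bridge port print terse` and `/interface bridge vlan print terse` from the hAP into the two strings and it lists every port that would be cut off once `vlan-filtering=yes` is set. The snapshots embedded in it are constructed to look like terse output for the state after Step 4.3, once without the `pvid=40` changes and once with them; the bridge name `bridge` and the target VLAN `40` are taken from the plan.

```python
"""Offline pre-flight check for Step 4.6 (enabling bridge VLAN filtering).

Added helper, not part of the plan. Feed it captured `print terse` output
from the router; an empty result means no port loses connectivity.
"""

TARGET_VLAN = 40   # catch-all VLAN from the plan: every port must stay reachable
BRIDGE = "bridge"  # bridge interface name used throughout the plan

# Constructed snapshots in the shape of `print terse` output (one item per
# line, key=value tokens). BEFORE: Step 4.3 applied without pvid changes.
PORTS_BEFORE = """\
 0 H interface=ether2 bridge=bridge pvid=1 hw=yes
 1 H interface=ether3 bridge=bridge pvid=1 hw=yes
 2 H interface=ether4 bridge=bridge pvid=1 hw=yes
 3 H interface=ether5 bridge=bridge pvid=1 hw=yes
 4   interface=wifi1 bridge=bridge pvid=1
 5   interface=wifi2 bridge=bridge pvid=1
"""
VLANS_BEFORE = """\
 0   bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,wifi1,wifi2
"""
# AFTER: pvid=40 set on every port and ether4/ether5 also untagged in VLAN 40.
PORTS_AFTER = """\
 0 H interface=ether2 bridge=bridge pvid=40 hw=yes
 1 H interface=ether3 bridge=bridge pvid=40 hw=yes
 2 H interface=ether4 bridge=bridge pvid=40 hw=yes
 3 H interface=ether5 bridge=bridge pvid=40 hw=yes
 4   interface=wifi1 bridge=bridge pvid=40
 5   interface=wifi2 bridge=bridge pvid=40
"""
VLANS_AFTER = """\
 0   bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,ether4,ether5,wifi1,wifi2
"""


def parse_terse(output: str) -> list[dict[str, str]]:
    """One dict per line; item numbers and flag letters have no '=' and are skipped."""
    rows = []
    for line in output.splitlines():
        row = {}
        for token in line.split():
            if "=" in token:
                key, _, value = token.partition("=")
                row[key] = value
        if row:
            rows.append(row)
    return rows


def expand_vlan_ids(spec: str) -> set[int]:
    """'40' or '20,25,30-32' -> set of ints; RouterOS accepts ranges in vlan-ids."""
    ids: set[int] = set()
    for part in spec.split(","):
        if part:
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def split_list(value: str) -> set[str]:
    return {name for name in value.split(",") if name}


def preflight(ports_text: str, vlans_text: str,
              target_vlan: int = TARGET_VLAN, bridge: str = BRIDGE) -> list[str]:
    """Return findings; an empty list means Step 4.6 is safe to run."""
    tagged: dict[int, set[str]] = {}
    untagged: dict[int, set[str]] = {}
    for row in parse_terse(vlans_text):
        if row.get("bridge", bridge) != bridge:
            continue
        for vid in expand_vlan_ids(row.get("vlan-ids", "")):
            tagged.setdefault(vid, set()).update(split_list(row.get("tagged", "")))
            untagged.setdefault(vid, set()).update(split_list(row.get("untagged", "")))

    findings = []
    if bridge not in tagged.get(target_vlan, set()):
        findings.append(f"VLAN {target_vlan}: '{bridge}' is not a tagged member, so the "
                        f"vlan{target_vlan} interface on the router would carry no traffic")

    for row in parse_terse(ports_text):
        port = row.get("interface")
        if port is None or row.get("bridge", bridge) != bridge:
            continue
        pvid = int(row.get("pvid", "1"))  # RouterOS default pvid is 1
        is_trunk = any(port in members for members in tagged.values())
        if not is_trunk and port not in untagged.get(target_vlan, set()):
            findings.append(f"{port}: not an untagged member of VLAN {target_vlan}; "
                            "it will be cut off once filtering is enabled")
        if port not in untagged.get(pvid, set()):
            findings.append(f"{port}: pvid={pvid} but the VLAN table has no untagged "
                            f"entry for it on VLAN {pvid}; untagged ingress will be dropped")
    return findings


if __name__ == "__main__":
    for label, ports, vlans in (("before pvid fix", PORTS_BEFORE, VLANS_BEFORE),
                                ("after pvid fix", PORTS_AFTER, VLANS_AFTER)):
        problems = preflight(ports, vlans)
        print(f"{label}: {'SAFE' if not problems else f'{len(problems)} finding(s)'}")
        for problem in problems:
            print("  -", problem)
```

Run it after Step 4.5 and before typing "APPROVED"; treat any finding as a NO in the Step 4.5 checklist. The `before` snapshot reports every port, because none of them has a `pvid` that matches a VLAN table entry, and reports ether4/ether5 a second time because they are not in VLAN 40 at all.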
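## Plan Consistency Check and Command Generator for Phases 6 and 7

The Step 6.1 template is applied four times by hand with `XX` substituted, and Step 7.3 is repeated once per device MAC; both are easy to typo in a way that only shows up as a client with no address. The following added script (not part of the plan, not a MikroTik tool) holds the VLAN table and the MAC-to-VLAN list as data, checks them before anything is typed into the router (no overlapping subnets, DHCP pool inside its subnet and not covering the gateway, well-formed and unique MACs, every device assigned to a VLAN that exists), and then prints the exact Step 6.1 and Step 7.3 commands. The interface names (`vlan20-trusted` and so on) are an assumption following the plan's `vlanXX-name` pattern; the `02:...` MACs are constructed placeholders, the first MAC is the plan's own example.

```python
"""Consistency check and command generator for Phases 6 and 7 of the plan.

Added helper, not part of the plan. Validates the VLAN/DHCP layout and the
MAC-to-VLAN assignments, then renders the RouterOS commands of Steps 6.1 and 7.3.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str              # suffix of the interface name, e.g. vlan20-trusted (assumed)
    subnet: str            # e.g. "192.168.20.0/24"; the gateway is the first host
    pool: tuple[str, str]  # first and last address handed out by DHCP


# VLANs that already exist when Phase 6 starts (built in Phases 4 and 5).
EXISTING_VLANS = [
    Vlan(10, "mgmt", "192.168.10.0/24", ("192.168.10.100", "192.168.10.200")),
    Vlan(40, "catchall", "192.168.31.0/24", ("192.168.31.100", "192.168.31.254")),
]
# VLANs the Step 6.1 template is repeated for.
NEW_VLANS = [
    Vlan(20, "trusted", "192.168.20.0/24", ("192.168.20.100", "192.168.20.200")),
    Vlan(25, "kids", "192.168.25.0/24", ("192.168.25.100", "192.168.25.200")),
    Vlan(30, "iot", "192.168.30.0/24", ("192.168.30.100", "192.168.30.200")),
    Vlan(35, "cameras", "192.168.35.0/24", ("192.168.35.100", "192.168.35.200")),
]
# (MAC, VLAN) pairs for Step 7.3; the 02:... entries are constructed placeholders.
DEVICES = [
    ("AA:ED:8B:2A:40:F1", 20),
    ("02:00:00:00:00:01", 25),
    ("02:00:00:00:00:02", 30),
]

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def validate_plan(vlans: list[Vlan], devices: list[tuple[str, int]]) -> list[str]:
    """Return human-readable errors; an empty list means the plan is consistent."""
    errors: list[str] = []
    nets: dict[int, ipaddress.IPv4Network] = {}
    for v in vlans:
        try:
            net = ipaddress.ip_network(v.subnet, strict=True)
        except ValueError as exc:
            errors.append(f"VLAN {v.vid}: bad subnet {v.subnet!r} ({exc})")
            continue
        for other_vid, other in nets.items():
            if net.overlaps(other):
                errors.append(f"VLAN {v.vid}: subnet {net} overlaps VLAN {other_vid} ({other})")
        nets[v.vid] = net
        first, last = (ipaddress.ip_address(a) for a in v.pool)
        gateway = net.network_address + 1
        if first not in net or last not in net or first > last:
            errors.append(f"VLAN {v.vid}: DHCP pool {v.pool[0]}-{v.pool[1]} is not inside {net}")
        elif first <= gateway <= last:
            errors.append(f"VLAN {v.vid}: gateway {gateway} lies inside the DHCP pool")
    seen: set[str] = set()
    for mac, vid in devices:
        if not MAC_RE.match(mac):
            errors.append(f"device {mac!r}: not a valid MAC address")
        if vid not in nets:
            errors.append(f"device {mac}: assigned to unknown VLAN {vid}")
        if mac.upper() in seen:
            errors.append(f"device {mac}: listed twice")
        seen.add(mac.upper())
    return errors


def render_vlan_commands(v: Vlan) -> list[str]:
    """The Step 6.1 template with XX and name filled in."""
    net = ipaddress.ip_network(v.subnet)
    gateway = net.network_address + 1
    iface = f"vlan{v.vid}-{v.name}"
    return [
        f"/interface vlan add interface=bridge name={iface} vlan-id={v.vid}",
        f"/ip address add address={gateway}/{net.prefixlen} interface={iface}",
        f"/ip pool add name=pool-vlan{v.vid} ranges={v.pool[0]}-{v.pool[1]}",
        f"/ip dhcp-server add address-pool=pool-vlan{v.vid} interface={iface} name=dhcp-vlan{v.vid}",
        f"/ip dhcp-server network add address={net} gateway={gateway} dns-server=8.8.8.8",
        f"/interface bridge vlan add bridge=bridge vlan-ids={v.vid} tagged=bridge",
    ]


def render_radius_user(mac: str, vid: int) -> list[str]:
    """The Step 7.3 pair of commands for one device."""
    return [
        f'/user-manager user add name={mac} password="" shared-users=1',
        f'/user-manager user set [find name={mac}] attributes='
        f'"Tunnel-Type:VLAN,Tunnel-Medium-Type:IEEE-802,Tunnel-Private-Group-Id:{vid}"',
    ]


def render_plan(new_vlans: list[Vlan], devices: list[tuple[str, int]]) -> list[str]:
    lines: list[str] = []
    for v in new_vlans:
        lines.append(f"# VLAN {v.vid} ({v.name})")
        lines.extend(render_vlan_commands(v))
    for mac, vid in devices:
        lines.extend(render_radius_user(mac, vid))
    return lines


if __name__ == "__main__":
    problems = validate_plan(EXISTING_VLANS + NEW_VLANS, DEVICES)
    if problems:
        raise SystemExit("plan is inconsistent:\n  " + "\n  ".join(problems))
    print("\n".join(render_plan(NEW_VLANS, DEVICES)))
```

Paste the printed commands into the terminal one phase at a time, still following the approval rule; the point of the script is that the table in Phase 6 and the device list are the single source of truth, so a mistake is caught by `validate_plan` rather than by a device that stops getting DHCP.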