# VLAN Network Segmentation Plan

**Document Created:** 2026-01-18

**Status:** PLANNING

---

## Current Network Analysis

### Network Devices

| Device | IP | Role |
|--------|-----|------|
| MikroTik hAP ax³ | 192.168.31.1 | Router, CAPsMAN, VLAN gateway |
| CSS326-24G-2S+ | 192.168.31.9 | Managed switch (24 port + 2 SFP) |
| cAP ac | 192.168.31.6 | Managed AP (CAPsMAN) |

### Current Device Inventory

**Secure Devices (should be isolated):**

| Device | IP | MAC | Notes |
|--------|-----|-----|-------|
| Unraid Server | 192.168.31.2 | - | Main server |
| Nobara PC (LAN) | 192.168.31.95 | 08:92:04:C6:07:C5 | xtrm-pc via Dell KVM |
| Nobara PC (WiFi) | 192.168.31.142 | 22:4C:7F:1D:85:8E | xtrm-pc |
| Game Machine | 192.168.31.97 | 1C:83:41:32:F3:AF | xtrm-pc |
| Kaloyan MacBook (WiFi) | 192.168.31.99 | 82:EC:EF:B5:F2:AF | Mac |
| Kaloyan S25 Ultra | 192.168.31.98 | AA:ED:8B:2A:40:F1 | S25-Ultra |
| Unraid KVM | 192.168.31.20 | 48:DA:35:6F:BE:50 | KVM access |

**IoT Devices:**

| Device | IP | MAC | Notes |
|--------|-----|-----|-------|
| Home Assistant | 192.168.31.102 | AC:87:A3:77:8F:BD | Smart home hub |
| Chromecast | 192.168.31.134 | D0:E7:82:F7:65:DD | Streaming |
| Roborock S7 | 192.168.31.104 | B0:4A:39:3F:9A:14 | Vacuum |
| Bosch Smart Oven | 192.168.31.105 | 94:27:70:1E:0C:EE | Kitchen |
| Reolink Doorbell | 192.168.31.68 | 48:9E:9D:0E:16:F7 | Security |
| HP LaserJet | 192.168.31.19 | 64:4E:D7:D8:43:3E | Printer |
| Unknown IoT 1 | 192.168.31.109 | D0:C9:07:92:1A:8E | Tuya? |
| Unknown IoT 2 | 192.168.31.110 | D0:C9:07:8C:C9:46 | Tuya? |
| Unknown IoT 3 | 192.168.31.113 | 38:1F:8D:04:6F:E4 | Tuya? |
| Unknown IoT 4 | 192.168.31.149 | D4:AD:FC:BE:13:B0 | Smart device? |
| lwip0 devices | 192.168.31.100-101 | 38:A5:C9:44:7B:xx | ESP/Tuya |

**Kids/Guest Devices:**

| Device | IP | MAC | Notes |
|--------|-----|-----|-------|
| Nora MacBook | 192.168.31.79 | 82:6D:FB:D9:E0:47 | MacBookAir |
| Kimi Notebook | 192.168.31.108 | 90:91:64:70:0D:86 | Kimi-Notebook |
| Kimi iPhone | 192.168.31.121 | 2A:2B:BA:86:D4:AF | iPhone |
| Dancho iPhone | 192.168.31.114 | F2:B8:14:61:C8:27 | iPhone |
| Compusbg iPad | 192.168.31.107 | A4:D1:D2:7B:52:BE | iPad |

---

## Proposed VLAN Architecture

### VLAN Assignments

| VLAN ID | Name | Subnet | Gateway | Purpose |
|---------|------|--------|---------|---------|
| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Network infrastructure only |
| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers |
| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras, IoT |
| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices |
| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi |

### WiFi SSID to VLAN Mapping

| SSID | VLAN | Security | Purpose |
|------|------|----------|---------|
| XTRM | 10 (Secure) | WPA2/WPA3 | Main network for trusted devices |
| XTRM-IoT | 20 (IoT) | WPA2 | IoT devices |
| XTRM-Kids | 30 (Kids) | WPA2 | Kids devices |
| XTRM-Guest | 40 (Guest) | WPA2 | Guest access |

---

## The S25 Challenge: Cross-VLAN Access

### Requirements

Your S25 needs to:

1. Be in the Secure VLAN (192.168.10.x) for server management
2. Discover and cast to the Chromecast (IoT VLAN)
3. Control Tuya smart devices
4. Access Home Assistant

### Solution Architecture

```
┌─────────────────────────────────────────────────────────────────────┐
│                          VLAN 10 (Secure)                           │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐                 │
│  │ Unraid  │  │ Nobara  │  │ MacBook │  │   S25   │                 │
│  │ Server  │  │   PC    │  │         │  │  Ultra  │                 │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘                 │
│       │            │            │            │                      │
└───────┼────────────┼────────────┼────────────┼──────────────────────┘
        │            │            │            │
        │            │            │            │   Firewall Rules +
        │            │            │            │   mDNS Reflector
        │            │            │            ▼
┌───────┼────────────┼────────────┼───────────────────────────────────┐
│       │            │            │           VLAN 20 (IoT)           │
│       │            │            │                                   │
│  ┌────▼────┐  ┌────┴────┐  ┌────┴───┐  ┌──────────┐  ┌───────────┐  │
│  │  Home   │  │ Printer │  │Chromec.│  │   Tuya   │  │ Roborock  │  │
│  │Assistant│◄─┤         │  │   TV   │  │ Devices  │  │    S7     │  │
│  └─────────┘  └─────────┘  └────────┘  └──────────┘  └───────────┘  │
│       ▲                                                             │
│       │  Controls all IoT                                           │
└───────┼─────────────────────────────────────────────────────────────┘
        │
   HA manages IoT locally, accessible from Secure VLAN
```

### Cross-VLAN Solutions

#### 1. Home Assistant as IoT Bridge (Recommended)

- Home Assistant stays in the **IoT VLAN** (it can talk to IoT devices directly)
- Firewall allows Secure VLAN → Home Assistant (port 8123)
- The S25 controls everything through the Home Assistant UI
- No direct IoT access from the S25, but full control via HA

#### 2. mDNS Reflector for Chromecast Discovery

MikroTik (RouterOS 7.16 or newer) can repeat mDNS between VLANs; the interface names are the ones created in step 1.1:

```
/ip/dns/set mdns-repeat-ifaces=vlan10-secure,vlan20-iot
```

This lets the S25 discover the Chromecast for casting.

#### 3. Firewall Rules for Casting

Allow specific traffic from Secure → IoT:

```
# Allow Chromecast (mDNS + casting ports)
/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 dst-port=8008,8009,8443 protocol=tcp action=accept
/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 dst-port=32768-61000 protocol=udp action=accept

# Allow Home Assistant access (static reservation 192.168.20.2, see Static IP Reservations)
/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \
    dst-address=192.168.20.2 dst-port=8123 protocol=tcp action=accept
```

#### 4. Tuya Devices (Cloud-Based)

Tuya devices communicate via the cloud, so they work from any VLAN with internet access. No special rules needed.

---

## Implementation Plan

### Phase 1: Router Configuration

#### 1.1 Create VLAN Interfaces

```
/interface/vlan/add name=vlan10-secure interface=bridge vlan-id=10
/interface/vlan/add name=vlan20-iot interface=bridge vlan-id=20
/interface/vlan/add name=vlan30-kids interface=bridge vlan-id=30
/interface/vlan/add name=vlan40-guest interface=bridge vlan-id=40
```

#### 1.2 Assign IP Addresses

```
/ip/address/add address=192.168.10.1/24 interface=vlan10-secure
/ip/address/add address=192.168.20.1/24 interface=vlan20-iot
/ip/address/add address=192.168.30.1/24 interface=vlan30-kids
/ip/address/add address=192.168.40.1/24 interface=vlan40-guest
```

#### 1.3 Create DHCP Servers

```
/ip/pool/add name=pool-secure ranges=192.168.10.100-192.168.10.200
/ip/pool/add name=pool-iot ranges=192.168.20.100-192.168.20.200
/ip/pool/add name=pool-kids ranges=192.168.30.100-192.168.30.200
/ip/pool/add name=pool-guest ranges=192.168.40.100-192.168.40.200

/ip/dhcp-server/add name=dhcp-secure interface=vlan10-secure address-pool=pool-secure
/ip/dhcp-server/add name=dhcp-iot interface=vlan20-iot address-pool=pool-iot
/ip/dhcp-server/add name=dhcp-kids interface=vlan30-kids address-pool=pool-kids
/ip/dhcp-server/add name=dhcp-guest interface=vlan40-guest address-pool=pool-guest

/ip/dhcp-server/network/add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.31.4
/ip/dhcp-server/network/add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.31.4
/ip/dhcp-server/network/add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.4
/ip/dhcp-server/network/add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.31.4
```

### Phase 2: Bridge VLAN Filtering

> **Note:** Enter the bridge VLAN entries (2.2) before turning filtering on (2.1). Enabling `vlan-filtering=yes` with no matching entries cuts tagged traffic to the router, and only the rollback command restores access.

#### 2.1 Enable VLAN Filtering

```
/interface/bridge/set bridge vlan-filtering=yes
```

#### 2.2 Configure Bridge VLANs

```
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=10
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=20
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=30
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=40
```

### Phase 3: Switch Configuration (CSS326-24G-2S+ SwOS)

**Switch Access:**

- Web UI: http://192.168.31.9/index.html
- Model: CSS326-24G-2S+ (24 Gigabit ports + 2 SFP)
- OS: SwOS (MikroTik Switch OS)
- Username: `admin`
- Password: `M0stW4nt3d@xtrm`

#### 3.1 SwOS VLAN Configuration

Access the switch at http://192.168.31.9 and configure:

**Step 1: Enable VLAN Mode**

- Go to the **VLAN** tab
- Set VLAN Mode to **Enabled**

**Step 2: Create VLANs**

| VLAN ID | Name |
|---------|------|
| 1 | Management |
| 10 | Secure |
| 20 | IoT |
| 30 | Kids |
| 40 | Guest |

**Step 3: Port VLAN Assignments**

| Port | Device | VLAN Mode | VLAN ID | Tagged VLANs |
|------|--------|-----------|---------|--------------|
| 1 | Uplink to hAP ax³ | Trunk | 1 | 10,20,30,40 |
| 2 | Unraid Server | Access | 10 | - |
| 3 | Nobara PC (LAN) | Access | 10 | - |
| 4 | Game Machine | Access | 10 | - |
| 5-8 | Reserved Secure | Access | 10 | - |
| 9-16 | IoT Devices | Access | 20 | - |
| 17-20 | Kids Devices | Access | 30 | - |
| 21-24 | Guest/Unused | Access | 40 | - |
| SFP1 | Unused | - | - | - |
| SFP2 | Unused | - | - | - |

**Step 4: PVID Settings**

For each access port, set the PVID (Port VLAN ID) to match the access VLAN.

**Step 5: Uplink Port Configuration**

Port 1 (uplink to the router) must be configured as a trunk:

- VLAN Receive: Any
- Default VLAN ID: 1
- Tagged VLANs: 10, 20, 30, 40
- Force VLAN ID: No

#### 3.2 SwOS Web Interface Navigation

```
┌─────────────────────────────────────────────────────────┐
│                   CSS326-24G-2S+ SwOS                   │
├─────────────────────────────────────────────────────────┤
│  Tabs: Link | VLAN | VLANs | Isolation | Statistics     │
│                                                         │
│  VLAN Tab:                                              │
│  ┌─────┬──────────┬──────┬───────────┬─────────┐        │
│  │Port │VLAN Mode │ PVID │  Tagged   │ Untagged│        │
│  ├─────┼──────────┼──────┼───────────┼─────────┤        │
│  │  1  │  Trunk   │  1   │10,20,30,40│    1    │        │
│  │  2  │  Access  │  10  │     -     │   10    │        │
│  │ ... │   ...    │ ...  │    ...    │   ...   │        │
│  └─────┴──────────┴──────┴───────────┴─────────┘        │
└─────────────────────────────────────────────────────────┘
```

#### 3.3 Current Port Mapping (TO BE FILLED)

**Please identify which device is connected to which switch port:**

| Port | Cable Color/Label | Connected Device |
|------|-------------------|------------------|
| 1 | | Uplink to hAP ax³ (eth4_CCS324_Uplink) |
| 2 | | |
| 3 | | |
| 4 | | |
| 5 | | |
| 6 | | |
| 7 | | |
| 8 | | |
| 9 | | |
| 10 | | |
| 11 | | |
| 12 | | |
| ... | | |

> **Note:** You can identify ports by checking the **Link** tab in SwOS; it shows which ports have active links and their speed.
### Phase 4: WiFi VLAN Configuration

#### 4.1 Create WiFi Configurations

```
/interface/wifi/configuration/add name=cfg-secure ssid="XTRM" \
    security.authentication-types=wpa2-psk,wpa3-psk \
    security.passphrase="M0stW4nt3d@home" \
    datapath.bridge=bridge datapath.vlan-id=10

/interface/wifi/configuration/add name=cfg-iot ssid="XTRM-IoT" \
    security.authentication-types=wpa2-psk \
    security.passphrase="M0stW4nt3d@IoT" \
    datapath.bridge=bridge datapath.vlan-id=20

/interface/wifi/configuration/add name=cfg-kids ssid="XTRM-Kids" \
    security.authentication-types=wpa2-psk \
    security.passphrase="KidsPassword123" \
    datapath.bridge=bridge datapath.vlan-id=30

/interface/wifi/configuration/add name=cfg-guest ssid="XTRM-Guest" \
    security.authentication-types=wpa2-psk \
    security.passphrase="GuestPassword123" \
    datapath.bridge=bridge datapath.vlan-id=40
```

### Phase 5: Firewall Rules

#### 5.1 Inter-VLAN Firewall

```
# Allow established/related
/ip/firewall/filter/add chain=forward connection-state=established,related action=accept

# Secure VLAN can access everything (management)
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 action=accept

# IoT VLAN - Internet only, no inter-VLAN
/ip/firewall/filter/add chain=forward src-address=192.168.20.0/24 dst-address=!192.168.0.0/16 action=accept

# Kids VLAN - Internet only
/ip/firewall/filter/add chain=forward src-address=192.168.30.0/24 dst-address=!192.168.0.0/16 action=accept

# Guest VLAN - Internet only, strict isolation
/ip/firewall/filter/add chain=forward src-address=192.168.40.0/24 dst-address=!192.168.0.0/16 action=accept

# Drop all other inter-VLAN traffic
/ip/firewall/filter/add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
```

#### 5.2 Special Rules for Casting/mDNS

```
# Allow Secure to access Chromecast
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 dst-port=8008,8009,8443 protocol=tcp action=accept \
    comment="Chromecast from Secure"

# Allow mDNS (for device discovery)
/ip/firewall/filter/add chain=input dst-port=5353 protocol=udp action=accept comment="mDNS"
/ip/firewall/filter/add chain=forward dst-port=5353 protocol=udp action=accept comment="mDNS forward"
```

RouterOS evaluates filter rules top-down, so any `forward` rule added after the final drop in 5.1 is never reached; place these above the drop (for example with `place-before=`) rather than appending them. The Chromecast rule is already covered by the Secure accept-all rule in 5.1. mDNS (224.0.0.251) is link-local multicast and is not routed, so the `forward` rule does not carry discovery between VLANs; the `input` rule is what lets the router's mDNS repeater receive it.

---

## Static IP Reservations (New Subnets)

### VLAN 10 - Secure (192.168.10.0/24)

| Device | IP | MAC |
|--------|-----|-----|
| Unraid Server | 192.168.10.2 | (current MAC) |
| Pi-hole (Unraid) | 192.168.10.4 | (current MAC) |
| Unbound (Unraid) | 192.168.10.5 | (current MAC) |
| Nobara PC (LAN) | 192.168.10.10 | 08:92:04:C6:07:C5 |
| Nobara PC (WiFi) | 192.168.10.11 | 22:4C:7F:1D:85:8E |
| Game Machine | 192.168.10.12 | 1C:83:41:32:F3:AF |
| MacBook (Kaloyan) | 192.168.10.15 | 82:EC:EF:B5:F2:AF |
| S25 Ultra | 192.168.10.20 | AA:ED:8B:2A:40:F1 |

### VLAN 20 - IoT (192.168.20.0/24)

| Device | IP | MAC |
|--------|-----|-----|
| Home Assistant | 192.168.20.2 | AC:87:A3:77:8F:BD |
| Chromecast | 192.168.20.10 | D0:E7:82:F7:65:DD |
| Roborock S7 | 192.168.20.11 | B0:4A:39:3F:9A:14 |
| Bosch Oven | 192.168.20.12 | 94:27:70:1E:0C:EE |
| Reolink Doorbell | 192.168.20.13 | 48:9E:9D:0E:16:F7 |
| HP Printer | 192.168.20.20 | 64:4E:D7:D8:43:3E |

### VLAN 30 - Kids (192.168.30.0/24)

| Device | IP | MAC |
|--------|-----|-----|
| Nora MacBook | 192.168.30.10 | 82:6D:FB:D9:E0:47 |
| Kimi Notebook | 192.168.30.11 | 90:91:64:70:0D:86 |
| Kimi iPhone | 192.168.30.12 | 2A:2B:BA:86:D4:AF |
| Dancho iPhone | 192.168.30.13 | F2:B8:14:61:C8:27 |

---

## Risks & Considerations

### Service Interruption

- **HIGH RISK**: Enabling VLAN filtering will temporarily disrupt all devices
- **Mitigation**: Perform during a maintenance window, with console access ready

### Device Re-configuration

- All devices will get new IPs from the new DHCP pools
- Static IP reservations should be configured before migration
- Some devices may need manual WiFi reconnection

### Unraid Considerations

- Unraid needs to be on VLAN 10 (Secure)
- Docker containers on br0 (192.168.31.x) need reconfiguration
- Pi-hole and Unbound IPs will change
- The DHCP networks in 1.3 still hand out 192.168.31.4 as `dns-server`; once Pi-hole moves to 192.168.10.4, clients on VLANs 20/30/40 can only reach it if a forward rule allows UDP/TCP 53 to that address, because the 5.1 rules block everything else they send toward 192.168.0.0/16

### Home Assistant

- Will be on the IoT VLAN
- Integrations may need reconfiguration for the new IP ranges
- Traefik routing may need adjustment

---

## Rollback Plan

If issues occur, disable VLAN filtering:

```
/interface/bridge/set bridge vlan-filtering=no
```

This immediately returns to flat network mode.

---

## Questions Before Implementation

1. **WiFi passwords for new SSIDs** - What should the Kids and Guest passwords be?
2. **Printer access** - Should Kids be able to print? (Requires a firewall rule)
3. **Home Assistant location** - IoT VLAN (recommended) or Secure VLAN?
4. **Unraid Docker networks** - br0 containers need a VLAN assignment decision
5. **Switch port mapping** - Need to know which CSS326 ports connect to which devices

---

## Next Steps

1. [ ] Confirm device categorization is correct
2. [ ] Decide on WiFi passwords for new SSIDs
3. [ ] Map CSS326 switch ports to devices
4. [ ] Schedule maintenance window for implementation
5. [ ] Backup MikroTik and switch configs before changes
6. [ ] Implement in phases with testing between each
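As a desk check for the Phase 5 rules before they go on the router (Next Steps item 6), here is an added example that is not part of this plan or of RouterOS: a Python first-match evaluator over the planned forward chain, using the plan's own addresses, plus a constructed Kids-to-printer rule (Question 2) to show why a rule's position relative to the final drop decides whether it ever matches.

```python
"""First-match simulator for the planned inter-VLAN forward rules (Phase 5).
Added example, not part of the original plan or of RouterOS: it walks the rules
top-down the way /ip/firewall/filter does, so segmentation intent and rule order
can be checked before the ruleset goes on the router. Only new connections are
modelled; the established/related accept is implied."""
import ipaddress as ip

def rule(action, src=None, dst=None, dst_not=None, dport=None, proto=None, comment=""):
    """One forward-chain rule; dst_not models RouterOS dst-address=!a.b.c.d/nn."""
    return dict(action=action, src=src, dst=dst, dst_not=dst_not,
                dport=dport, proto=proto, comment=comment)

# Phase 5.1 rules, in the order the plan lists them.
PLAN_5_1 = [
    rule("accept", src="192.168.10.0/24", comment="Secure full access"),
    rule("accept", src="192.168.20.0/24", dst_not="192.168.0.0/16", comment="IoT internet only"),
    rule("accept", src="192.168.30.0/24", dst_not="192.168.0.0/16", comment="Kids internet only"),
    rule("accept", src="192.168.40.0/24", dst_not="192.168.0.0/16", comment="Guest internet only"),
    rule("drop", src="192.168.0.0/16", dst="192.168.0.0/16", comment="drop inter-VLAN"),
]
# Constructed candidate rule for Question 2 (Kids printing): Kids VLAN -> HP printer, TCP 9100.
KIDS_PRINT = rule("accept", src="192.168.30.0/24", dst="192.168.20.20/32",
                  dport={9100}, proto="tcp", comment="Kids to printer")

def matches(r, src, dst, dport, proto):
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return ((not r["src"] or s in ip.ip_network(r["src"]))
            and (not r["dst"] or d in ip.ip_network(r["dst"]))
            and (not r["dst_not"] or d not in ip.ip_network(r["dst_not"]))
            and (not r["dport"] or dport in r["dport"])
            and (not r["proto"] or proto == r["proto"]))

def evaluate(rules, src, dst, dport, proto="tcp"):
    """(action, comment) of the first matching rule; with no catch-all,
    RouterOS accepts whatever no rule matched."""
    for r in rules:
        if matches(r, src, dst, dport, proto):
            return r["action"], r["comment"]
    return "accept", "no rule matched (chain default)"

if __name__ == "__main__":
    flows = [("192.168.10.20", "192.168.20.2", 8123),   # S25 -> Home Assistant
             ("192.168.20.11", "192.168.10.2", 445),    # Roborock -> Unraid
             ("192.168.30.10", "192.168.20.20", 9100),  # Nora MacBook -> printer
             ("192.168.40.150", "1.1.1.1", 443)]        # guest -> internet
    for f in flows:
        print(f, evaluate(PLAN_5_1, *f))
    # Order matters: appended after the final drop, the printer rule is never reached.
    print("appended:", evaluate(PLAN_5_1 + [KIDS_PRINT], *flows[2]))
    print("before drop:", evaluate(PLAN_5_1[:-1] + [KIDS_PRINT, PLAN_5_1[-1]], *flows[2]))
```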