# VLAN Network Segmentation

**Last Updated:** 2026-01-26

**Status:** Phase 1 Complete, Phase 2 Complete - VLAN Filtering ACTIVE

## Overview

Network segmentation using VLANs for security isolation between device types.

## VLAN Architecture

| VLAN ID | Name | Subnet | Gateway | Purpose | Devices |
|---------|------|--------|---------|---------|---------|
| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Default/Legacy network (transition) | - |
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Network infrastructure | 6 |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family devices (phones, laptops) | 9 |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices (parental controls) | 6 |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | 14 |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras (isolated) | 1 |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Printers, services | 1 |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest network (internet only) | 7 |
| **Total** | | | | | **44** |

## Current Status

### MikroTik hAP ax³ ✅ READY

- [x] VLAN interfaces created (10, 20, 25, 30, 35, 40, 50)
- [x] IP addresses assigned to all VLANs
- [x] DHCP servers for each VLAN
- [x] DHCP pools configured
- [x] Static DHCP leases (44 devices)
- [x] Bridge VLAN table entries
- [x] **DHCP DNS set to each VLAN gateway** (fixed 2026-01-26)
- [x] **VLAN interfaces added to LAN list** (fixed 2026-01-26)
- [x] **DNS redirect rules for all VLANs** (fixed 2026-01-26)
- [x] **NAT masquerade for VLAN→AdGuard** (fixed 2026-01-26)
- [x] Firewall rules for inter-VLAN isolation
- [x] VLAN filtering enabled (ACTIVE since 2026-01-26)

### CSS326 Switch ✅ CONFIGURED

- [x] VLAN mode enabled
- [x] VLANs created (1, 10, 20, 25, 30, 35, 40, 50)
- [x] Port 1 - Trunk to router (tagged all VLANs)
- [x] Port 2 - Access VLAN 10 (NanoKVM)
- [x] Port 17-18 - Access VLAN 25 (Kids rooms)
- [x] Port 19-21 - Access VLAN 20 (Main bedroom)
- [x] Port 22-24 - Access VLAN 30 (Living room)
- [x] SFP1 - Trunk to ZX1 (tagged all VLANs)

### Backup Created ✅

- MikroTik backup: `/mnt/user/appdata/backups/mikrotik/backup-before-vlan-filtering-20260125-213635.rsc`

## DHCP Configuration

| VLAN | Server | Pool | DNS Server | Lease |
|------|--------|------|------------|-------|
| 10 | dhcp-mgmt | 192.168.10.100-200 | 192.168.10.1 | 30m |
| 20 | dhcp-trusted | 192.168.20.100-220 | 192.168.20.1 | 30m |
| 25 | dhcp-kids | 192.168.25.100-200 | 192.168.25.1 | 30m |
| 30 | dhcp-iot | 192.168.30.100-220 | 192.168.30.1 | 30m |
| 35 | dhcp-cameras | 192.168.35.100-150 | 192.168.35.1 | 30m |
| 40 | dhcp-servers | 192.168.40.100-150 | 192.168.40.1 | 30m |
| 50 | dhcp-guest | 192.168.50.100-220 | 192.168.50.1 | 4h |

**DNS Flow:** Device → VLAN Gateway → NAT Redirect → AdGuard (172.17.0.2) → Internet

## Issues Fixed (2026-01-26)

### Problem: Internet broke when VLAN filtering enabled

**Root Causes:**

1. DHCP DNS pointed to 192.168.31.1 (legacy) - unreachable from VLANs
2. DNS redirect rules only covered 192.168.31.0/24
3. VLAN interfaces not in LAN firewall list
4. No NAT masquerade for VLAN→AdGuard traffic

**Fixes Applied:**

```routeros
# 1. DHCP DNS now points to each VLAN gateway
/ip dhcp-server network set [find address=192.168.20.0/24] dns-server=192.168.20.1
# ... repeated for all VLANs

# 2. DNS redirect for all VLANs
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address-list=all-vlans dst-port=53

# 3. VLAN interfaces in LAN list
/interface list member add list=LAN interface=vlan20-trusted
# ... repeated for all VLANs

# 4. NAT masquerade for VLAN DNS
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address-list=all-vlans dst-address=172.17.0.2 dst-port=53
```

## Activation Steps (When Ready)

### Step 1: Enable VLAN Filtering

```routeros
/interface bridge set bridge vlan-filtering=yes
```

### Step 2: Force DHCP Renewal on Devices

Devices need a new IP from their VLAN's DHCP server:

- **Windows:** `ipconfig /release && ipconfig /renew`
- **Mac:** System Preferences → Network → Renew DHCP
- **Linux:** `sudo dhclient -r && sudo dhclient`
- **Phones/IoT:** Toggle WiFi off/on

### Rollback (If Needed)

```routeros
/interface bridge set bridge vlan-filtering=no
```

## CSS326 Port Assignment

| Port | Connection | VLAN | Mode |
|------|------------|------|------|
| 1 | HAP1 Router | All | Trunk |
| 2 | NanoKVM | 10 | Access |
| 3-16 | Unused | - | - |
| 17 | Boys Room B2 | 25 | Access |
| 18 | Boys Room B1 | 25 | Access |
| 19 | Main Bedroom M1 | 20 | Access |
| 20 | Main Bedroom M2 | 20 | Access |
| 21 | Main Bedroom M3 | 20 | Access |
| 22 | Living Room L1 | 30 | Access |
| 23 | Living Room L2 | 30 | Access |
| 24 | Living Room L3 | 30 | Access |
| SFP1 | ZX1 10G | All | Trunk |
| SFP2 | Unused | - | - |

## Related Documents

- [03-VLAN-DEVICE-ASSIGNMENT.md](03-VLAN-DEVICE-ASSIGNMENT.md) - Device inventory (44 devices)
- [04-VLAN-MIGRATION-PLAN.md](04-VLAN-MIGRATION-PLAN.md) - Original migration plan
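Root cause 1 under Issues Fixed (DHCP handing out a DNS server that sits outside the client's VLAN) is easy to reintroduce when a new VLAN is added. The following is an added Python check, not part of this documentation or of RouterOS, that parses a `/ip dhcp-server network` export and flags every network whose `dns-server` lies outside its own subnet; the export text is constructed to reproduce the pre-fix state.

```python
# Added example (not from the original page): sanity-check a RouterOS
# "/ip dhcp-server network export" against the per-VLAN DNS design above.
# Once VLAN filtering isolates the segments, a resolver outside the
# client's subnet (e.g. the legacy 192.168.31.1) is unreachable and
# name resolution silently fails for that VLAN.
import ipaddress
import re

# Constructed sample export: VLAN 20 and VLAN 30 still point at the legacy gateway.
SAMPLE_EXPORT = """\
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.31.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.1
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1
"""

_KV = re.compile(r"(\S+?)=(\S+)")


def parse_networks(export: str) -> list[dict]:
    """Turn each 'add key=value ...' line of the export into a dict."""
    nets = []
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("add "):
            nets.append(dict(_KV.findall(line[4:])))
    return nets


def find_unreachable_dns(export: str) -> list[tuple[str, str]]:
    """Return (subnet, dns-server) pairs where the resolver is outside the
    subnet it is handed to. RouterOS allows a comma-separated dns-server
    list, so every entry is checked."""
    bad = []
    for net in parse_networks(export):
        subnet = ipaddress.ip_network(net["address"], strict=False)
        for dns in net.get("dns-server", "").split(","):
            if dns and ipaddress.ip_address(dns) not in subnet:
                bad.append((str(subnet), dns))
    return bad


if __name__ == "__main__":
    for subnet, dns in find_unreachable_dns(SAMPLE_EXPORT):
        print(f"{subnet}: dns-server {dns} is outside the VLAN; set it to the VLAN gateway")
```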