# VLAN Migration Plan

**Created:** 2026-01-25

**Status:** Planning

**Risk Level:** High (DNS/Network critical)

---

## Overview

Migrate from the flat 192.168.31.0/24 network to segmented VLANs while maintaining service continuity.

### Critical Dependencies

- **Unraid (192.168.31.2)** - Hosts 40+ Docker containers including AdGuard
- **AdGuard Unraid (192.168.31.4)** - Secondary DNS server
- **AdGuard MikroTik (172.17.0.2)** - Primary DNS server (container on router)

---

## Phase 1: Pre-Migration Setup (No Downtime)

### 1.1 Enable REST API on MikroTik

```routeros
/ip service set www-ssl disabled=no
/ip service set api-ssl disabled=no
```

### 1.2 Create VLAN Interfaces on Router

```routeros
# Create VLANs on bridge
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-trusted vlan-id=20
add interface=bridge name=vlan25-kids vlan-id=25
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan35-cameras vlan-id=35
add interface=bridge name=vlan40-servers vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50
```

### 1.3 Assign Gateway IPs to VLANs

```routeros
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.25.1/24 interface=vlan25-kids
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.35.1/24 interface=vlan35-cameras
add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest
```

### 1.4 Create DHCP Pools

```routeros
/ip pool
add name=pool-mgmt ranges=192.168.10.100-192.168.10.200
add name=pool-trusted ranges=192.168.20.100-192.168.20.200
add name=pool-kids ranges=192.168.25.100-192.168.25.200
add name=pool-iot ranges=192.168.30.100-192.168.30.200
add name=pool-cameras ranges=192.168.35.100-192.168.35.200
add name=pool-servers ranges=192.168.40.100-192.168.40.200
add name=pool-guest ranges=192.168.50.100-192.168.50.200
```

### 1.5 Create DHCP Servers

```routeros
/ip dhcp-server
add address-pool=pool-mgmt interface=vlan10-mgmt name=dhcp-mgmt
add address-pool=pool-trusted interface=vlan20-trusted name=dhcp-trusted
add address-pool=pool-kids interface=vlan25-kids name=dhcp-kids
add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot
add address-pool=pool-cameras interface=vlan35-cameras name=dhcp-cameras
add address-pool=pool-servers interface=vlan40-servers name=dhcp-servers
add address-pool=pool-guest interface=vlan50-guest name=dhcp-guest

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.10
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.10.10
add address=192.168.25.0/24 gateway=192.168.25.1 dns-server=192.168.10.10
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.10.10
add address=192.168.35.0/24 gateway=192.168.35.1 dns-server=192.168.10.10
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.10.10
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.10.10
```

---

## Phase 2: Static DHCP Leases (Pre-Migration)

Create static leases for all known devices BEFORE enabling VLANs.

### VLAN 10 - Management

```routeros
/ip dhcp-server lease
add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="XTRM-U Unraid" server=dhcp-mgmt
add address=192.168.10.10 mac-address=02:42:C0:A8:1F:04 comment="AdGuard Unraid" server=dhcp-mgmt
add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-mgmt
add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-mgmt
add address=192.168.10.4 mac-address=1C:2A:A3:1E:78:67 comment="ZX1" server=dhcp-mgmt
add address=192.168.10.200 mac-address=48:DA:35:6F:BE:50 comment="NanoKVM" server=dhcp-mgmt
```

### VLAN 20 - Trusted

```routeros
/ip dhcp-server lease
add address=192.168.20.10 mac-address=82:6D:FB:D9:E0:47 comment="Nora MacBook" server=dhcp-trusted
add address=192.168.20.11 mac-address=AA:ED:8B:2A:40:F1 comment="Kaloyan S25" server=dhcp-trusted
add address=192.168.20.13 mac-address=82:EC:EF:B5:F2:AF comment="Kaloyan MacBook WiFi" server=dhcp-trusted
add address=192.168.20.16 mac-address=08:92:04:C6:07:C5 comment="Kaloyan MacBook LAN" server=dhcp-trusted
add address=192.168.20.17 mac-address=1C:83:41:32:F3:AF comment="Kaloyan Gaming PC" server=dhcp-trusted
```

### VLAN 25 - Kids

```routeros
/ip dhcp-server lease
add address=192.168.25.12 mac-address=F2:B8:14:61:C8:27 comment="Dancho iPhone" server=dhcp-kids
add address=192.168.25.14 mac-address=90:91:64:70:0D:86 comment="Kimi Notebook" server=dhcp-kids
add address=192.168.25.15 mac-address=2A:2B:BA:86:D4:AF comment="Kimi iPhone" server=dhcp-kids
add address=192.168.25.18 mac-address=A4:D1:D2:7B:52:BE comment="Compusbg iPad" server=dhcp-kids
```

### VLAN 30 - IoT

```routeros
/ip dhcp-server lease
add address=192.168.30.10 mac-address=50:2C:C6:7A:55:39 comment="GREE AC" server=dhcp-iot
add address=192.168.30.11 mac-address=B0:37:95:79:AF:9B comment="LG TV LAN" server=dhcp-iot
add address=192.168.30.12 mac-address=DC:03:98:6B:5A:3A comment="LG TV WiFi" server=dhcp-iot
add address=192.168.30.13 mac-address=D0:E7:82:F7:65:DD comment="Chromecast" server=dhcp-iot
add address=192.168.30.14 mac-address=B0:4A:39:3F:9A:14 comment="Roborock Vacuum" server=dhcp-iot
add address=192.168.30.20 mac-address=94:27:70:1E:0C:EE comment="Bosch Oven" server=dhcp-iot
add address=192.168.30.21 mac-address=C8:D7:78:40:65:40 comment="Bosch Dishwasher" server=dhcp-iot
add address=192.168.30.22 mac-address=C8:D7:78:D6:DC:FC comment="Bosch Washer" server=dhcp-iot
add address=192.168.30.31 mac-address=18:DE:50:5B:C8:A6 comment="Tuya Device 1" server=dhcp-iot
add address=192.168.30.32 mac-address=38:1F:8D:04:6F:E4 comment="Tuya Device 2" server=dhcp-iot
add address=192.168.30.38 mac-address=D4:AD:FC:BE:13:B0 comment="Intellirocks" server=dhcp-iot
add address=192.168.30.39 mac-address=C8:5C:CC:52:EA:53 comment="Xiaomi Air Purifier" server=dhcp-iot
```

### VLAN 35 - Cameras

```routeros
/ip dhcp-server lease
add address=192.168.35.10 mac-address=48:9E:9D:0E:16:F7 comment="Reolink Doorbell" server=dhcp-cameras
```

### VLAN 40 - Servers

```routeros
/ip dhcp-server lease
add address=192.168.40.19 mac-address=64:4E:D7:D8:43:3E comment="HP LaserJet" server=dhcp-servers
```

### VLAN 50 - Guest

```routeros
/ip dhcp-server lease
add address=192.168.50.10 mac-address=AC:87:A3:77:8F:BD comment="Unknown Apple" server=dhcp-guest
add address=192.168.50.11 mac-address=22:4C:7F:1D:85:8E comment="Unknown Random MAC" server=dhcp-guest
add address=192.168.50.12 mac-address=D0:C9:07:92:1A:8E comment="Unknown Private 1" server=dhcp-guest
add address=192.168.50.13 mac-address=D0:C9:07:8C:C9:46 comment="Unknown Private 2" server=dhcp-guest
```

---

## Phase 3: Switch Configuration

### 3.1 CSS326 VLAN Setup

**Port Assignments:**

| Port | Device | VLAN | Mode |
|------|--------|------|------|
| 1 | Uplink to HAP1 | Trunk | Tagged (all VLANs) |
| 2-8 | Room ports | TBD | Access |
| SFP1 | ZX1 Backbone | Trunk | Tagged (all VLANs) |

### 3.2 ZX1 VLAN Setup

**Port Assignments:**

| Port | Device | VLAN | Mode |
|------|--------|------|------|
| 1 | CSS326 Backbone | Trunk | Tagged (all VLANs) |
| 2 | Unraid | 10 | Access (Mgmt) |
| 3-8 | Other servers | TBD | Access |

---

## Phase 4: Unraid Migration (CRITICAL)

### The Challenge

- Unraid has IP 192.168.31.2 (will become 192.168.10.20)
- AdGuard container has IP 192.168.31.4 (will become 192.168.10.10)
- Many services reference these IPs
- DNS must remain functional throughout

### Migration Strategy

#### Option A: Dual-Stack Transition (Recommended)

1. Keep 192.168.31.0/24 network active during migration
2. Add VLAN 10 IP to Unraid as secondary
3. Update DNS/services to use new IP
4. Remove old IP after validation

#### Option B: Big Bang (Risky)

1. Pre-configure everything
2. Enable VLAN filtering on switch
3. Pray everything works

### Recommended Steps (Option A)

**Step 1: Add secondary IP to Unraid**

```bash
# On Unraid, temporarily add VLAN interface
ip link add link eth0 name eth0.10 type vlan id 10
ip addr add 192.168.10.20/24 dev eth0.10
ip link set eth0.10 up
```

**Step 2: Configure ZX1 port for Unraid as trunk (temporarily)**

- Allow both untagged (VLAN 1) and tagged (VLAN 10)
- Unraid can then communicate on both networks

**Step 3: Update AdGuard container**

```bash
# Update container to bind to new IP
docker network connect --ip 192.168.10.10 vlan10 adguardhome
```

**Step 4: Test connectivity**

- Ping 192.168.10.20 from router
- Ping 192.168.10.10 (AdGuard)
- Test DNS resolution via 192.168.10.10

**Step 5: Update DNS references**

- Update MikroTik DNS settings
- Update DHCP server DNS settings
- Update any hardcoded references

**Step 6: Switch Unraid to access mode**

- Change ZX1 port to access mode VLAN 10
- Unraid now only on VLAN 10

**Step 7: Remove old IP**

```bash
# The ZX1 port is now an untagged VLAN 10 access port (Step 6), so the new
# address must live on eth0 itself before the tagged subinterface is removed
ip addr add 192.168.10.20/24 dev eth0
ip addr del 192.168.31.2/24 dev eth0
ip link del eth0.10
```

---

## Phase 5: Inter-VLAN Routing & Firewall

### Default Policy

- All VLANs can reach Internet
- Management (10) can reach all VLANs
- Trusted (20) can reach IoT (30), Cameras (35),
  Servers (40)
- Kids (25) limited access (parental controls via AdGuard)
- IoT (30) isolated - Internet only
- Cameras (35) isolated - only NVR access
- Guest (50) isolated - Internet only

### Firewall Rules (MikroTik)

```routeros
# Allow established/related
/ip firewall filter
add chain=forward connection-state=established,related action=accept

# Management can access everything
add chain=forward src-address=192.168.10.0/24 action=accept

# Trusted can access IoT, Cameras, Servers
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.30.0/24 action=accept
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.35.0/24 action=accept
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.40.0/24 action=accept

# IoT to Internet only (drop inter-VLAN)
add chain=forward src-address=192.168.30.0/24 dst-address=192.168.0.0/16 action=drop

# Cameras to NVR only (future: add NVR IP)
add chain=forward src-address=192.168.35.0/24 dst-address=192.168.0.0/16 action=drop

# Guest to Internet only
add chain=forward src-address=192.168.50.0/24 dst-address=192.168.0.0/16 action=drop

# Drop everything else between VLANs
add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
```

---

## Rollback Plan

If migration fails:

1. Disable VLAN filtering on CSS326/ZX1
2. All ports return to untagged VLAN 1
3. Network returns to flat 192.168.31.0/24
4. Restore original Unraid IP if changed

### Quick Rollback Commands

```routeros
# Disable VLAN filtering (emergency)
/interface bridge set bridge vlan-filtering=no
```

---

## Pre-Migration Checklist

- [ ] Backup MikroTik configuration
- [ ] Backup CSS326 configuration
- [ ] Backup ZX1 configuration
- [ ] Document current Unraid network config
- [ ] Test REST API access to router
- [ ] Verify all MAC addresses in device list
- [ ] Create all VLAN interfaces (disabled)
- [ ] Create all DHCP pools (disabled)
- [ ] Create all static leases
- [ ] Plan maintenance window (low usage time)

---

## Migration Order

1. **Night 1: Router Setup**
   - Create VLANs, IPs, DHCP (all disabled)
   - Create static leases
   - Test with single device on VLAN 10
2. **Night 2: Switch Setup**
   - Configure CSS326 VLANs (filtering off)
   - Configure ZX1 VLANs (filtering off)
   - Test trunk links
3. **Night 3: Unraid Migration**
   - Add VLAN 10 interface to Unraid
   - Migrate AdGuard to new IP
   - Update DNS references
   - Test extensively
4. **Night 4: Enable VLAN Filtering**
   - Enable on CSS326
   - Enable on ZX1
   - Monitor for issues
5. **Day 5+: Device Migration**
   - Migrate devices VLAN by VLAN
   - Start with IoT (least critical)
   - End with Trusted (most critical)

---

## Verification Tests

After each phase, verify:

- [ ] DNS resolution works (nslookup google.com)
- [ ] Internet access works (ping 8.8.8.8)
- [ ] Local services accessible (Unraid web UI)
- [ ] DHCP working (release/renew gets expected IP)
- [ ] Inter-VLAN routing as expected
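Before ticking off "Inter-VLAN routing as expected", the Phase 5 rule order can be checked on paper. The script below is an added example, not part of the plan or its RouterOS config: it replays the forward-chain rules with first-match semantics for one constructed sample host (.50) per VLAN and reports which VLANs can still reach the DNS server that every DHCP network hands out (192.168.10.10). It ignores the established/related rule, intra-VLAN traffic (which never enters the forward chain) and the input chain to the router's own AdGuard container.

```python
import ipaddress

# Forward-chain rules transcribed from the plan's Phase 5 block, in order.
# (src, dst, action); None means "any". The established/related accept is
# omitted because only the first packet of a new connection is evaluated.
RULES = [
    ("192.168.10.0/24", None,              "accept"),  # management -> anything
    ("192.168.20.0/24", "192.168.30.0/24", "accept"),  # trusted -> IoT
    ("192.168.20.0/24", "192.168.35.0/24", "accept"),  # trusted -> cameras
    ("192.168.20.0/24", "192.168.40.0/24", "accept"),  # trusted -> servers
    ("192.168.30.0/24", "192.168.0.0/16",  "drop"),    # IoT: Internet only
    ("192.168.35.0/24", "192.168.0.0/16",  "drop"),    # cameras: NVR only (TBD)
    ("192.168.50.0/24", "192.168.0.0/16",  "drop"),    # guest: Internet only
    ("192.168.0.0/16",  "192.168.0.0/16",  "drop"),    # everything else inter-VLAN
]

# Constructed sample host per VLAN (not real leases from the plan).
VLANS = {
    "mgmt": "192.168.10.50", "trusted": "192.168.20.50", "kids": "192.168.25.50",
    "iot": "192.168.30.50", "cameras": "192.168.35.50", "servers": "192.168.40.50",
    "guest": "192.168.50.50",
}
DHCP_DNS = "192.168.10.10"  # dns-server value in every Phase 1.5 DHCP network


def verdict(src, dst, rules=RULES):
    """First matching rule wins, as in RouterOS; no match means accept."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if src_net is not None and s not in ipaddress.ip_network(src_net):
            continue
        if dst_net is not None and d not in ipaddress.ip_network(dst_net):
            continue
        return action
    return "accept"


def policy_matrix():
    """Verdict for a new connection between every ordered pair of distinct VLANs."""
    return {(a, b): verdict(VLANS[a], VLANS[b]) for a in VLANS for b in VLANS if a != b}


def dns_blocked_vlans():
    """VLANs whose DHCP-advertised DNS server is dropped by the forward chain."""
    return sorted(n for n, host in VLANS.items() if verdict(host, DHCP_DNS) == "drop")


if __name__ == "__main__":
    for (a, b), v in sorted(policy_matrix().items()):
        print(f"{a:>8} -> {b:<8} {v}")
    print("VLANs that cannot reach", DHCP_DNS, "for DNS:", dns_blocked_vlans())
```

With the rules as written, every VLAN except management is dropped before it can reach 192.168.10.10, so an accept for DNS (udp/tcp 53) to that host has to sit above the drop rules, or the DHCP dns-server values need to point somewhere each VLAN is allowed to reach.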