# VLAN Network Segmentation

## Overview

Network segmentation using VLANs for security isolation between device types.

## VLAN Architecture

| VLAN ID | Name | Subnet | Purpose |
|---------|------|--------|---------|
| 1 | Legacy | 192.168.31.0/24 | Default/Legacy network (transition) |
| 10 | Management | 192.168.10.0/24 | Network infrastructure |
| 20 | Trusted | 192.168.20.0/24 | Family devices (phones, laptops) |
| 30 | IoT | 192.168.30.0/24 | Smart home devices |
| 35 | Cameras | 192.168.35.0/24 | Security cameras (isolated) |
| 40 | Servers | 192.168.40.0/24 | Unraid, services |
| 50 | Guest | 192.168.50.0/24 | Guest network (internet only) |

## Current Status: PREPARED (Not Active)

VLAN filtering is **NOT YET ENABLED** on the bridge. Configuration is ready but requires:

1. CSS326 switch VLAN configuration
2. Final activation

### What's Configured

**MikroTik hAP ax³:**

- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest)
- [x] IP addresses assigned to VLAN interfaces
- [x] DHCP servers for each VLAN
- [x] DHCP pools configured
- [x] Static DHCP leases with MAC-to-IP mappings
- [x] Bridge VLAN table entries
- [x] WiFi ports PVID=20 (Trusted)
- [x] Firewall rules for inter-VLAN isolation
- [x] Address lists for firewall rules
- [ ] VLAN filtering enabled on bridge (PENDING)

**CSS326 Switch:**

- [ ] VLAN configuration (REQUIRES MANUAL CONFIG via SwOS)

## Network Diagram

```
                          Internet
                             │
                             ▼
┌───────────────────────────────────────────────────────────┐
│ MikroTik hAP ax³                                          │
│                                                           │
│ Bridge (vlan-filtering=no)                                │
│ ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged)            │
│ ├── vlan10-mgmt     192.168.10.1/24                       │
│ ├── vlan20-trusted  192.168.20.1/24                       │
│ ├── vlan30-iot      192.168.30.1/24                       │
│ ├── vlan35-cameras  192.168.35.1/24                       │
│ ├── vlan40-servers  192.168.40.1/24                       │
│ └── vlan50-guest    192.168.50.1/24                       │
│                                                           │
│ Ports:                                                    │
│ ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs)         │
│ ├── hap-wifi1 → PVID=20 (untagged VLAN 20)                │
│ └── hap-wifi2 → PVID=20 (untagged VLAN 20)                │
└───────────────────────────────────────────────────────────┘
                             │
                             │ Trunk (VLANs 1,10,20,30,35,40,50)
                             ▼
┌───────────────────────────────────────────────────────────┐
│ CSS326-24G-2S+                                            │
│ 192.168.31.9 (SwOS)                                       │
│                                                           │
│ Requires VLAN configuration via web interface             │
│ - Port 1: Uplink to MikroTik (Trunk)                      │
│ - Other ports: Access ports per VLAN                      │
└───────────────────────────────────────────────────────────┘
```

## Bridge VLAN Table

```
VLAN  Tagged                     Untagged
----  ------                     --------
1     bridge,eth3_CSS326_Uplink  eth2,eth4,ether5
10    bridge,eth3_CSS326_Uplink  -
20    bridge,eth3_CSS326_Uplink  hap-wifi1,hap-wifi2
30    bridge,eth3_CSS326_Uplink  -
35    bridge,eth3_CSS326_Uplink  -
40    bridge,eth3_CSS326_Uplink  -
50    bridge,eth3_CSS326_Uplink  -
```

## WiFi VLAN Assignment

Since both SSIDs (XTRM/XTRM2) remain on the same bridge:

- **All WiFi clients → VLAN 20 (Trusted) by default**
- MAC-based filtering via firewall rules for additional restrictions

Note: True per-device VLAN assignment on WiFi requires Dynamic VLAN via RADIUS (not configured).
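The VLAN architecture table and the bridge VLAN table above, written out as RouterOS v7 commands, together with a pre-flight check that catches the classic lock-out cause (a VLAN interface whose VLAN has no bridge VLAN table entry, or one where `bridge` itself is not a tagged member). This is an added example, not the project's `scripts/mikrotik-vlan-setup.rsc`. The bridge name `bridge`, the interface names (`eth3_CSS326_Uplink`, `hap-wifi1`, `hap-wifi2`, `eth2`, `eth4`, `ether5`, `vlan10-mgmt` … `vlan50-guest`) and the addresses come from this page; the comments, the ordering and the check loop are mine. DHCP servers, pools and static leases are left out because the page already lists them as configured.

```routeros
# Added example (not the project's scripts/mikrotik-vlan-setup.rsc).
# RouterOS v7. Names and addresses are taken from the page; the check loop
# at the end is an assumption about how you want to verify the table.

# 1. Layer-3 VLAN interfaces on top of the bridge, one per segment
/interface vlan
add interface=bridge name=vlan10-mgmt    vlan-id=10 comment="Management"
add interface=bridge name=vlan20-trusted vlan-id=20 comment="Trusted"
add interface=bridge name=vlan30-iot     vlan-id=30 comment="IoT"
add interface=bridge name=vlan35-cameras vlan-id=35 comment="Cameras"
add interface=bridge name=vlan40-servers vlan-id=40 comment="Servers"
add interface=bridge name=vlan50-guest   vlan-id=50 comment="Guest"

# 2. Gateway address per VLAN (.1 of each /24, as in the architecture table)
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.35.1/24 interface=vlan35-cameras
add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest

# 3. Access ports: the PVID decides which VLAN untagged ingress frames join.
#    WiFi becomes untagged VLAN 20; eth2/eth4/ether5 keep the default PVID 1.
/interface bridge port
set [find interface=hap-wifi1] pvid=20
set [find interface=hap-wifi2] pvid=20

# 4. Bridge VLAN table. "bridge" must be a tagged member of every VLAN that
#    carries an /interface vlan, otherwise the router loses its own access to
#    that segment the moment vlan-filtering is enabled. The uplink is a trunk.
/interface bridge vlan
add bridge=bridge vlan-ids=1  tagged=bridge,eth3_CSS326_Uplink untagged=eth2,eth4,ether5
add bridge=bridge vlan-ids=10 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=20 tagged=bridge,eth3_CSS326_Uplink untagged=hap-wifi1,hap-wifi2
add bridge=bridge vlan-ids=30 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=35 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=40 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=50 tagged=bridge,eth3_CSS326_Uplink

# 5. Pre-flight check (assumed helper): for every VLAN interface on the bridge,
#    require a bridge VLAN table row for its vlan-id with "bridge" tagged.
#    Run this BEFORE vlan-filtering=yes; any WARNING line means lock-out risk.
:foreach v in=[/interface vlan find interface=bridge] do={
    :local id [/interface vlan get $v vlan-id]
    :local rows [/interface bridge vlan find bridge=bridge vlan-ids=$id]
    :if ([:len $rows] = 0) do={
        :put ("WARNING: VLAN $id has no bridge VLAN table entry")
    } else={
        :local tagged [/interface bridge vlan get ($rows->0) tagged]
        :if ([:typeof [:find $tagged "bridge"]] = "nil") do={
            :put ("WARNING: bridge is not a tagged member of VLAN $id")
        }
    }
}
```

Paste the block into a terminal session or upload it and run `/import file-name=<file>.rsc`. Nothing here turns filtering on, so it is safe to apply while the bridge is still at `vlan-filtering=no`; the check loop is what you want to see silent before the activation step.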
## Device Assignments (via Static DHCP Leases)

### VLAN 20 - Trusted (192.168.20.x)

| IP | MAC | Device |
|----|-----|--------|
| 192.168.20.10 | 82:6D:FB:D9:E0:47 | Nora MacBookAir |
| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Kaloyan S25-Ultra |
| 192.168.20.12 | F2:B8:14:61:C8:27 | Dancho iPhone |
| 192.168.20.13 | 82:EC:EF:B5:F2:AF | Kaloyan MacBook WiFi |
| 192.168.20.14 | 90:91:64:70:0D:86 | Kimi Notebook |
| 192.168.20.15 | 2A:2B:BA:86:D4:AF | Kimi iPhone |
| 192.168.20.16 | 08:92:04:C6:07:C5 | Kaloyan MacBook LAN |
| 192.168.20.17 | 1C:83:41:32:F3:AF | Kaloyan Game PC |
| 192.168.20.18 | A4:D1:D2:7B:52:BE | Compusbg iPad |

### VLAN 30 - IoT (192.168.30.x)

| IP | MAC | Device |
|----|-----|--------|
| 192.168.30.10 | B0:37:95:79:AF:9B | LG TV |
| 192.168.30.11 | D0:E7:82:F7:65:DD | Chromecast |
| 192.168.30.12 | B0:4A:39:3F:9A:14 | Roborock Vacuum |
| 192.168.30.13 | 94:27:70:1E:0C:EE | Bosch Oven |
| 192.168.30.14 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier |
| 192.168.30.15 | C8:D7:78:D6:DC:FC | Bosch Washer |

### VLAN 35 - Cameras (192.168.35.x)

| IP | MAC | Device |
|----|-----|--------|
| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell |

### VLAN 10 - Management (192.168.10.x)

| IP | MAC | Device |
|----|-----|--------|
| 192.168.10.6 | 18:FD:74:54:3D:BC | CAP XL ac |
| 192.168.10.9 | F4:1E:57:C9:BD:09 | CSS326 Switch |

### VLAN 40 - Servers (192.168.40.x)

| IP | MAC | Device |
|----|-----|--------|
| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet |

## Firewall Rules (Active)

Inter-VLAN firewall rules are **ALREADY ACTIVE** even without VLAN filtering:

```
# Allow rules
- Management → All VLANs (full access)
- Legacy → All VLANs (full access during transition)
- Trusted → IoT (can control smart devices)
- Trusted → Cameras (ports 80,443,554,8080,8554 only)
- Trusted → Servers (full access)
- Trusted → Legacy (full access)
- IoT/Cameras/Guest → DNS only (192.168.31.1:53)

# Block rules
- Guest → All internal (isolated, internet only)
- Cameras → All VLANs (upload only, no lateral movement)
- IoT → Management (cannot access network devices)
- IoT → Trusted (cannot access family devices)
```

Note that until VLAN filtering is enabled, untagged clients still obtain Legacy (192.168.31.x) addresses, so these rules are loaded but enforce nothing between the planned segments; they begin matching traffic once devices actually land in their VLANs.

## Activation Steps

### Step 1: Configure CSS326 Switch (REQUIRED FIRST)

Access SwOS at http://192.168.31.9 and configure:

1. **VLAN settings:**
   - Enable VLAN mode
   - Create VLANs: 1, 10, 20, 30, 35, 40, 50
2. **Port 1 (Uplink to MikroTik):**
   - VLAN Mode: Trunk
   - Tagged VLANs: 1, 10, 20, 30, 35, 40, 50
3. **Port for Unraid:**
   - VLAN Mode: Access
   - PVID: 1 (Legacy) or 40 (Servers)
4. **Other ports:**
   - Assign access VLAN based on connected device

### Step 2: Enable VLAN Filtering on MikroTik

```routeros
# CAUTION: This may cause temporary connectivity loss
# Have WinBox ready on 192.168.31.1:8291 as backup
/interface bridge set [find name=bridge] vlan-filtering=yes
```

### Step 3: Verify Connectivity

```bash
# From Unraid
ping 192.168.31.1   # MikroTik Legacy
ping 192.168.20.1   # MikroTik Trusted VLAN
ping 8.8.8.8        # Internet
```

### Rollback (If Needed)

```routeros
/interface bridge set [find name=bridge] vlan-filtering=no
```

## Scripts

- `scripts/mikrotik-vlan-setup.rsc` - Full VLAN configuration (run once)
- `scripts/mikrotik-vlan-enable.rsc` - Enable VLAN filtering (after switch config)

## Related Documents

- [VLAN-PROPOSAL.md](wip/VLAN-PROPOSAL.md) - Original planning document
- [00-CURRENT-STATE.md](00-CURRENT-STATE.md) - Network overview
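The allow/block policy from the "Firewall Rules (Active)" section above, expressed as RouterOS v7 address lists and filter rules. This is an added example, not the project's `scripts/*.rsc`. The subnets, the camera port list and the DNS endpoint `192.168.31.1:53` come from the page; the list names, the `internal-all` aggregate, the rule order, the logging on the block rules and the input-chain handling of "DNS only" are my assumptions. The one design point worth noticing: DNS to `192.168.31.1` is traffic *to the router*, so it lives in the `input` chain, not in `forward` where the inter-VLAN rules sit.

```routeros
# Added example (not the project's scripts). RouterOS v7 rules implementing
# the documented inter-VLAN policy. List names, internal-all, rule order and
# logging are assumptions; subnets and ports are from the page.

/ip firewall address-list
add list=vlan-legacy     address=192.168.31.0/24
add list=vlan-mgmt       address=192.168.10.0/24
add list=vlan-trusted    address=192.168.20.0/24
add list=vlan-iot        address=192.168.30.0/24
add list=vlan-cameras    address=192.168.35.0/24
add list=vlan-servers    address=192.168.40.0/24
add list=vlan-guest      address=192.168.50.0/24
add list=vlan-restricted address=192.168.30.0/24 comment="IoT"
add list=vlan-restricted address=192.168.35.0/24 comment="Cameras"
add list=vlan-restricted address=192.168.50.0/24 comment="Guest"
add list=internal-all    address=192.168.0.0/16  comment="every segment above lives here"

/ip firewall filter
# --- input chain: packets addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop   connection-state=invalid
# Assumed: explicit DHCP accept so a stricter input policy can never starve these VLANs
add chain=input action=accept protocol=udp dst-port=67 src-address-list=vlan-restricted comment="DHCP from restricted VLANs"
add chain=input action=accept protocol=udp dst-address=192.168.31.1 dst-port=53 src-address-list=vlan-restricted comment="IoT/Cameras/Guest: DNS only"
add chain=input action=accept protocol=tcp dst-address=192.168.31.1 dst-port=53 src-address-list=vlan-restricted
add chain=input action=drop src-address-list=vlan-restricted log=yes log-prefix="vlan-input-drop" comment="nothing else from restricted VLANs reaches the router"

# --- forward chain: packets routed between segments or to the internet ---
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop   connection-state=invalid
# Allow rules: first match wins, so they precede the drops
add chain=forward action=accept src-address-list=vlan-mgmt    comment="Management -> all VLANs"
add chain=forward action=accept src-address-list=vlan-legacy  comment="Legacy -> all VLANs (transition)"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-iot     comment="Trusted -> IoT"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-cameras protocol=tcp dst-port=80,443,554,8080,8554 comment="Trusted -> Cameras (listed ports only)"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-servers comment="Trusted -> Servers"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-legacy  comment="Trusted -> Legacy"
# Block rules: drop and log, so a device probing across segments shows up in /log
add chain=forward action=drop src-address-list=vlan-guest   dst-address-list=internal-all log=yes log-prefix="vlan-block" comment="Guest: internet only"
add chain=forward action=drop src-address-list=vlan-cameras dst-address-list=internal-all log=yes log-prefix="vlan-block" comment="Cameras: upload only, no lateral movement"
add chain=forward action=drop src-address-list=vlan-iot     dst-address-list=vlan-mgmt    log=yes log-prefix="vlan-block" comment="IoT -> Management"
add chain=forward action=drop src-address-list=vlan-iot     dst-address-list=vlan-trusted log=yes log-prefix="vlan-block" comment="IoT -> Trusted"
# Anything else (for example any VLAN -> internet) falls through to the existing default policy
```

Trusted-to-camera replies are covered by the `established,related` rule, so the cameras never need an outbound allow toward Trusted. After VLAN filtering is on, `/ip firewall filter print stats` shows the counters moving; a block rule whose counter climbs is the first sign of a device that is not behaving as its segment intends, and the `vlan-block` prefix makes those entries easy to pull out of `/log print`.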
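Step 2 of the activation, with a self-removing rollback timer armed before the bridge is touched. This is an added example, not the project's `scripts/mikrotik-vlan-enable.rsc`. The bridge name `bridge`, the WinBox fallback on `192.168.31.1:8291` and the switch address `192.168.31.9` come from the page; the scheduler name `vlan-rollback` and the five-minute window are my assumptions. The point is that a wrong bridge VLAN table or a mis-tagged trunk port on the CSS326 cannot lock you out for longer than the timer.

```routeros
# Added example (not the project's scripts/mikrotik-vlan-enable.rsc).
# RouterOS v7. Scheduler name and 5-minute window are assumptions.

# 1. Arm the rollback BEFORE enabling filtering. With no start-time given the
#    interval counts from creation; confirm the next-run column before going on.
/system scheduler
add name=vlan-rollback interval=5m on-event="/interface bridge set [find name=bridge] vlan-filtering=no; /log warning message=vlan-rollback-fired; /system scheduler remove [find name=vlan-rollback]"
/system scheduler print

# 2. Activate. From an interactive terminal, enter Safe Mode (Ctrl+X) first as
#    well: RouterOS reverts unconfirmed changes if that session is lost. The
#    scheduler covers the case where the change is applied from WinBox or a script.
/interface bridge set [find name=bridge] vlan-filtering=yes

# 3. Verify inside the window. Hosts should now be learned with their VLAN,
#    and the switch (reached over VLAN 1 on the trunk) must still answer.
/interface bridge host print
/interface bridge vlan print
/ping 192.168.31.9 count=3

# 4. Only when step 3 looks right, disarm the timer.
/system scheduler remove [find name=vlan-rollback]

# If you were cut off instead, wait out the timer: the bridge returns to
# vlan-filtering=no, "vlan-rollback-fired" appears in /log print, and the
# job removes itself. Then fix the table or the switch port and repeat.
```

Keep the WinBox session from the page's caution open in parallel: WinBox can connect by MAC address as well as IP, which still works when the IP path through the bridge is broken, so it is the right place from which to run step 3 and step 4.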