# VLAN Network Segmentation

**Last Updated:** 2026-01-25

**Status:** Phase 1 Complete - MikroTik Configured

## Overview

Network segmentation using VLANs for security isolation between device types.

## VLAN Architecture

| VLAN ID | Name | Subnet | Gateway | Purpose | Devices |
|---------|------|--------|---------|---------|---------|
| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Default/Legacy network (transition) | - |
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Network infrastructure | 6 |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family devices (phones, laptops) | 9 |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices (parental controls) | 6 |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | 14 |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras (isolated) | 1 |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Printers, services | 1 |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest network (internet only) | 7 |
| **Total** | | | | | **44** |

## Current Status: PHASE 1 COMPLETE

### MikroTik hAP ax³ Configuration ✅

**Completed:**

- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest, including vlan25-kids)
- [x] IP addresses assigned to all VLAN interfaces
- [x] DHCP servers for each VLAN (7 servers)
- [x] DHCP pools configured (7 pools)
- [x] Static DHCP leases with MAC-to-IP mappings (44 devices)
- [x] Bridge VLAN table entries for all VLANs
- [x] WiFi ports PVID=20 (Trusted)
- [x] Firewall rules for inter-VLAN isolation
- [x] Firewall address lists for all VLANs

**Pending:**

- [ ] VLAN filtering enabled on bridge (requires switch config first)

### CSS326 Switch Configuration ⏳

**Required before VLAN activation:**

- [ ] VLAN configuration via SwOS web interface
- [ ] Port assignments per device

## Network Diagram

```
Internet
   │
   ▼
┌────────────────────────────────────────────────────┐
│ MikroTik hAP ax³                                   │
│                                                    │
│ Bridge (vlan-filtering=no)                         │
│ ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged)     │
│ ├── vlan10-mgmt     192.168.10.1/24 (6 devices)    │
│ ├── vlan20-trusted  192.168.20.1/24 (9 devices)    │
│ ├── vlan25-kids     192.168.25.1/24 (6 devices)    │
│ ├── vlan30-iot      192.168.30.1/24 (14 devices)   │
│ ├── vlan35-cameras  192.168.35.1/24 (1 device)     │
│ ├── vlan40-servers  192.168.40.1/24 (1 device)     │
│ └── vlan50-guest    192.168.50.1/24 (7 devices)    │
│                                                    │
│ Ports:                                             │
│ ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs)  │
│ ├── hap-wifi1 → PVID=20 (untagged VLAN 20)         │
│ └── hap-wifi2 → PVID=20 (untagged VLAN 20)         │
└────────────────────────────────────────────────────┘
   │
   │ Trunk (VLANs 1,10,20,25,30,35,40,50)
   ▼
┌────────────────────────────────────────────────────┐
│ CSS326-24G-2S+                                     │
│ 192.168.31.9 (SwOS)                                │
│                                                    │
│ Requires VLAN configuration via web interface      │
│ - Port 1: Uplink to MikroTik (Trunk)               │
│ - Other ports: Access ports per VLAN               │
└────────────────────────────────────────────────────┘
```

## Bridge VLAN Table

| VLAN | Tagged | Untagged |
|------|--------|----------|
| 1 | bridge, eth3_CSS326_Uplink | eth2, eth4, ether5 |
| 10 | bridge, eth3_CSS326_Uplink | - |
| 20 | bridge, eth3_CSS326_Uplink | hap-wifi1, hap-wifi2 |
| 25 | bridge, eth3_CSS326_Uplink | - |
| 30 | bridge, eth3_CSS326_Uplink | - |
| 35 | bridge, eth3_CSS326_Uplink | - |
| 40 | bridge, eth3_CSS326_Uplink | - |
| 50 | bridge, eth3_CSS326_Uplink | - |

## DHCP Configuration

| VLAN | Server | Pool | Range | Lease Time |
|------|--------|------|-------|------------|
| 10 | dhcp-mgmt | pool-mgmt | 192.168.10.100-200 | 30m |
| 20 | dhcp-trusted | pool-trusted | 192.168.20.100-220 | 30m |
| 25 | dhcp-kids | pool-kids | 192.168.25.100-200 | 30m |
| 30 | dhcp-iot | pool-iot | 192.168.30.100-220 | 30m |
| 35 | dhcp-cameras | pool-cameras | 192.168.35.100-150 | 30m |
| 40 | dhcp-servers | pool-servers | 192.168.40.100-150 | 30m |
| 50 | dhcp-guest | pool-guest | 192.168.50.100-220 | 4h |

## Static DHCP Leases Summary

| VLAN | Devices | Examples |
|------|---------|----------|
| 10 - Mgmt | 6 | CAP XL ac, CSS326, ZX1, AdGuard, NanoKVM, Unraid |
| 20 - Trusted | 9 | Nora MacBook, Kaloyan devices, family phones |
| 25 - Kids | 6 | Dancho iPhone/Windows, Kimi devices, XTRM-Ally |
| 30 - IoT | 14 | GREE AC, LG TVs, Bosch appliances, Tuya, Xiaomi |
| 35 - Cameras | 1 | Reolink Doorbell |
| 40 - Servers | 1 | HP LaserJet |
| 50 - Guest | 7 | Unknown/unidentified devices |

## Firewall Rules (Active)

Inter-VLAN firewall rules are configured. Allow rules are evaluated before block rules; the Legacy network is VLAN 1 (192.168.31.0/24).

### Allow Rules

| Source | Destination | Access |
|--------|-------------|--------|
| Management (10) | All VLANs | Full access |
| Legacy (VLAN 1) | All VLANs | Full access (transition) |
| Trusted (20) | IoT (30) | Full access |
| Trusted (20) | Cameras (35) | Ports 80,443,554,8080,8554 |
| Trusted (20) | Servers (40) | Full access |
| Trusted (20) | Legacy (VLAN 1) | Full access |
| Kids (25) | IoT (30) | Full access |
| Kids (25) | Legacy (VLAN 1) | Full access |
| IoT/Cameras/Guest/Kids | DNS | Port 53 to 192.168.31.1 |

### Block Rules

| Source | Destination | Action |
|--------|-------------|--------|
| Guest (50) | All internal | Drop |
| Cameras (35) | All VLANs | Drop |
| IoT (30) | Management (10) | Drop |
| IoT (30) | Trusted (20) | Drop |

## Activation Steps

### Step 1: Configure CSS326 Switch (REQUIRED FIRST)

Access SwOS at http://192.168.31.9 and configure:

1. **Enable VLAN mode**
2. **Create VLANs:** 1, 10, 20, 25, 30, 35, 40, 50
3. **Port 1 (Uplink to MikroTik):** Trunk mode, tagged all VLANs
4. **Other ports:** Access mode, assign PVID per connected device

### Step 2: Enable VLAN Filtering on MikroTik

Run this from a terminal session in RouterOS Safe Mode (Ctrl+X in the console) so the change is reverted automatically if the session is lost.

```routeros
# CAUTION: This may cause temporary connectivity loss
/interface bridge set [find name=bridge] vlan-filtering=yes
```

### Step 3: Verify Connectivity

```bash
# From Unraid
ping 192.168.31.1   # MikroTik Legacy
ping 192.168.10.1   # MikroTik Mgmt VLAN
ping 8.8.8.8        # Internet
```

### Rollback (If Needed)

```routeros
/interface bridge set [find name=bridge] vlan-filtering=no
```

## Related Documents

- [03-VLAN-DEVICE-ASSIGNMENT.md](03-VLAN-DEVICE-ASSIGNMENT.md) - Device inventory
- [04-VLAN-MIGRATION-PLAN.md](04-VLAN-MIGRATION-PLAN.md) - Migration phases
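## Worked Example: Bridge VLAN Table and DHCP Objects (added)

The following RouterOS commands are an added example, not the router's exported configuration, showing how the Bridge VLAN Table and DHCP Configuration sections above map onto `/interface bridge vlan`, `/interface bridge port`, `/ip pool` and `/ip dhcp-server`. Bridge, port and VLAN interface names, subnets, pool ranges and lease times are taken from this document; the resolver handed out by DHCP (192.168.31.1, chosen to match the DNS firewall rule) and the sample static lease are assumptions made here. Only one VLAN (IoT, 30) is written out; the other six follow the same pattern with their own values.

```routeros
# Added example, not the router's exported configuration. Bridge, port and VLAN
# interface names, subnets, pool ranges and lease times come from the document;
# the DHCP-advertised resolver (192.168.31.1) and the sample static lease are
# assumptions made here.

# Bridge VLAN table, mirroring the table above. eth3_CSS326_Uplink is the trunk
# and carries every VLAN tagged; only VLAN 1 and VLAN 20 have untagged members.
/interface bridge vlan
add bridge=bridge vlan-ids=1  tagged=bridge,eth3_CSS326_Uplink untagged=eth2,eth4,ether5
add bridge=bridge vlan-ids=10 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=20 tagged=bridge,eth3_CSS326_Uplink untagged=hap-wifi1,hap-wifi2
add bridge=bridge vlan-ids=25 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=30 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=35 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=40 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=50 tagged=bridge,eth3_CSS326_Uplink

# Access-port PVIDs: untagged frames arriving on the WiFi interfaces are placed
# in VLAN 20 once vlan-filtering is enabled. The legacy copper ports keep the
# default pvid=1, which is why they appear as untagged members of VLAN 1.
/interface bridge port
set [find interface=hap-wifi1] pvid=20
set [find interface=hap-wifi2] pvid=20

# Per-VLAN L3 objects, shown for IoT (VLAN 30). The VLAN interface sits on the
# bridge, the gateway address from the VLAN Architecture table goes on it, and
# the DHCP server is bound to that interface so it only answers VLAN 30 clients.
/interface vlan
add name=vlan30-iot interface=bridge vlan-id=30
/ip address
add address=192.168.30.1/24 interface=vlan30-iot
/ip pool
add name=pool-iot ranges=192.168.30.100-192.168.30.220
/ip dhcp-server
add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot lease-time=30m
/ip dhcp-server network
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.1

# Static lease with a constructed, locally administered MAC (not a real device
# from the inventory); the address sits outside the dynamic pool on purpose so
# pool exhaustion can never hand it to another client.
/ip dhcp-server lease
add server=dhcp-iot mac-address=02:00:00:00:30:01 address=192.168.30.10 comment="example IoT device"

# Sanity checks before flipping vlan-filtering: every VLAN should list the
# uplink as tagged, the WiFi ports should show pvid=20, and each DHCP server
# should be bound to its own VLAN interface.
/interface bridge vlan print
/interface bridge port print
/ip dhcp-server print
```

Until `vlan-filtering=yes` is set on the bridge, the bridge VLAN table and PVIDs are stored but not enforced; the VLAN interfaces, addresses and DHCP servers above are already live, which is what allows the MikroTik side to be prepared before the CSS326 is configured.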
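## Worked Example: Inter-VLAN Firewall Rules (added)

The commands below are an added example, not the router's exported rule set, showing one way to express the Allow and Block tables above as RouterOS address lists and an ordered `forward` chain. Subnets, VLAN names and the allow/block matrix come from this document; the list names (`vlan-*`, `vlan-all`, `vlan-dns-only`), the rule comments, the choice of TCP for the camera ports, and the final default-deny rule are assumptions made here. Two points a practitioner should note: RouterOS evaluates rules top to bottom and the first matching `accept` or `drop` wins, so the `established,related` accept must come first or replies to a permitted Trusted-to-Cameras session would be dropped by the "Cameras to all VLANs" rule; and because 192.168.31.1 is the router's own address, DNS traffic to it is handled by the `input` chain rather than `forward`.

```routeros
# Added example, not the router's exported configuration. Subnets, VLAN names
# and the allow/block matrix come from the document; list names, comments, the
# TCP protocol on the camera ports and the final default-deny rule are
# assumptions made here.

/ip firewall address-list
add list=vlan-legacy  address=192.168.31.0/24
add list=vlan-mgmt    address=192.168.10.0/24
add list=vlan-trusted address=192.168.20.0/24
add list=vlan-kids    address=192.168.25.0/24
add list=vlan-iot     address=192.168.30.0/24
add list=vlan-cameras address=192.168.35.0/24
add list=vlan-servers address=192.168.40.0/24
add list=vlan-guest   address=192.168.50.0/24
# Every internal subnet, for the "all VLANs" / "all internal" rows
add list=vlan-all address=192.168.31.0/24
add list=vlan-all address=192.168.10.0/24
add list=vlan-all address=192.168.20.0/24
add list=vlan-all address=192.168.25.0/24
add list=vlan-all address=192.168.30.0/24
add list=vlan-all address=192.168.35.0/24
add list=vlan-all address=192.168.40.0/24
add list=vlan-all address=192.168.50.0/24
# VLANs that may only reach the resolver on 192.168.31.1 (port 53)
add list=vlan-dns-only address=192.168.25.0/24
add list=vlan-dns-only address=192.168.30.0/24
add list=vlan-dns-only address=192.168.35.0/24
add list=vlan-dns-only address=192.168.50.0/24

/ip firewall filter
# 192.168.31.1 is the router itself, so the DNS row of the Allow table is an
# input-chain rule: packets addressed to the router never enter forward.
add chain=input connection-state=established,related action=accept comment="input: established/related"
add chain=input src-address-list=vlan-dns-only dst-address=192.168.31.1 protocol=udp dst-port=53 action=accept comment="input: DNS from restricted VLANs (udp)"
add chain=input src-address-list=vlan-dns-only dst-address=192.168.31.1 protocol=tcp dst-port=53 action=accept comment="input: DNS from restricted VLANs (tcp)"

# Stateful base for routed traffic. Without this, reply packets of a
# Trusted -> Cameras session (source: Cameras subnet) would be dropped by the
# later "Cameras -> all VLANs" rule.
add chain=forward connection-state=established,related action=accept comment="allow established/related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# Allow rules (evaluated before the block rules, as in the tables above)
add chain=forward src-address-list=vlan-mgmt    dst-address-list=vlan-all action=accept comment="Mgmt -> all VLANs"
add chain=forward src-address-list=vlan-legacy  dst-address-list=vlan-all action=accept comment="Legacy -> all VLANs (transition)"
add chain=forward src-address-list=vlan-trusted dst-address-list=vlan-iot action=accept comment="Trusted -> IoT"
add chain=forward src-address-list=vlan-trusted dst-address-list=vlan-cameras protocol=tcp dst-port=80,443,554,8080,8554 action=accept comment="Trusted -> Cameras (web/RTSP, TCP assumed)"
add chain=forward src-address-list=vlan-trusted dst-address-list=vlan-servers action=accept comment="Trusted -> Servers"
add chain=forward src-address-list=vlan-trusted dst-address-list=vlan-legacy action=accept comment="Trusted -> Legacy"
add chain=forward src-address-list=vlan-kids    dst-address-list=vlan-iot action=accept comment="Kids -> IoT"
add chain=forward src-address-list=vlan-kids    dst-address-list=vlan-legacy action=accept comment="Kids -> Legacy"
# Block rules
add chain=forward src-address-list=vlan-guest   dst-address-list=vlan-all action=drop comment="Guest -> all internal"
add chain=forward src-address-list=vlan-cameras dst-address-list=vlan-all action=drop comment="Cameras -> all VLANs"
add chain=forward src-address-list=vlan-iot     dst-address-list=vlan-mgmt action=drop comment="IoT -> Mgmt"
add chain=forward src-address-list=vlan-iot     dst-address-list=vlan-trusted action=drop comment="IoT -> Trusted"
# Assumed addition (not in the document's Block table): any inter-VLAN traffic
# not explicitly allowed above is dropped. Internet-bound traffic has a
# destination outside vlan-all, so it is unaffected and still reaches NAT.
add chain=forward src-address-list=vlan-all dst-address-list=vlan-all action=drop comment="default deny inter-VLAN"

# Confirm the order and watch the per-rule counters while testing from each VLAN
/ip firewall filter print stats
```

The final default-deny rule is stricter than the Block table on the page: with it in place, pairs the tables do not mention (for example Kids to Cameras, or Servers to Trusted) are dropped instead of forwarded, so each remaining cross-VLAN need has to be added as an explicit allow rule above it. Leave that last rule out to reproduce the page's tables exactly.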