# VLAN Network Segmentation

**Status:** 📋 PLANNED  
**Priority:** Medium  
**Risk:** HIGH (network disruption during implementation)

---

## Overview

Segment the flat 192.168.31.0/24 network into VLANs so that untrusted device classes (IoT, kids, guests) are isolated from trusted devices and from each other, with only explicitly allowed cross-VLAN traffic.

---

## Proposed VLANs

| VLAN | Name | Subnet | Gateway | Purpose |
|------|------|--------|---------|---------|
| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Infrastructure devices only |
| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers |
| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras |
| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices |
| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi |

VLAN 1 keeps the current 192.168.31.0/24 addressing, so the router, switch and CAP stay reachable at their existing IPs during the migration.

---

## WiFi SSID Mapping

| SSID | VLAN | Purpose |
|------|------|---------|
| XTRM | 10 | Primary (trusted devices) |
| XTRM-IoT | 20 | IoT devices |
| XTRM-Kids | 30 | Kids devices |
| XTRM-Guest | 40 | Guest access |

---

## Device Assignments

### VLAN 10 - Secure

| Device | Current IP | New IP |
|--------|------------|--------|
| XTRM-U/N5 | 192.168.31.2 | 192.168.10.2 |
| Nobara PC | 192.168.31.95 | 192.168.10.10 |
| MacBook | 192.168.31.99 | 192.168.10.15 |
| S25 Ultra | 192.168.31.98 | 192.168.10.20 |

### VLAN 20 - IoT

| Device | Current IP | New IP |
|--------|------------|--------|
| Home Assistant | 192.168.31.102 | 192.168.20.2 |
| Chromecast | 192.168.31.134 | 192.168.20.10 |
| Roborock S7 | 192.168.31.104 | 192.168.20.11 |
| Reolink Doorbell | 192.168.31.68 | 192.168.20.13 |
| HP Printer | 192.168.31.19 | 192.168.20.20 |

### VLAN 30 - Kids

| Device | Current IP | New IP |
|--------|------------|--------|
| Nora MacBook | 192.168.31.79 | 192.168.30.10 |
| Kimi Notebook | 192.168.31.108 | 192.168.30.11 |
| Dancho iPhone | 192.168.31.114 | 192.168.30.13 |

---

## Cross-VLAN Access Requirements

These accept rules only have an effect if a later rule in the `forward` chain drops inter-VLAN traffic by default; place them above that drop, and after the usual `connection-state=established,related` accept so return traffic is handled statefully.

### S25 → Chromecast (Casting)

Cast uses TCP 8008/8009 (control) and 8443 (TLS) from the sender to the receiver; discovery is separate and handled by mDNS below.

```routeros
/ip/firewall/filter
add chain=forward \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    dst-port=8008,8009,8443 protocol=tcp action=accept
```

### Secure → Home Assistant

```routeros
/ip/firewall/filter
add chain=forward \
    src-address=192.168.10.0/24 dst-address=192.168.20.2 \
    dst-port=8123 protocol=tcp action=accept
```

### mDNS Reflector (Device Discovery)

mDNS is link-local multicast and does not cross VLANs, so Secure devices cannot discover the Chromecast without a repeater. The `mdns-repeat-ifaces` setting requires RouterOS 7.16 or later; the interface names must match the VLAN interfaces created in Phase 1.

```routeros
/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20
```

The repeater relays mDNS in both directions between the listed interfaces, so IoT devices also see service advertisements from Secure; list only the interfaces that actually need discovery.

---

## Implementation Steps

### Phase 1: Router (HAP1)

1. Create VLAN interfaces
2. Assign IP addresses
3. Create DHCP servers per VLAN
4. Configure firewall rules
5. Enable bridge VLAN filtering last, once the bridge VLAN table and port PVIDs are in place

### Phase 2: Switch (CSS326)

1. Enable VLAN mode in SwOS
2. Configure trunk port (to HAP1)
3. Assign access VLANs to ports
4. Set PVIDs (Default VLAN ID per port in SwOS)

### Phase 3: WiFi (CAPsMAN)

1. Create VLAN-tagged SSIDs
2. Update provisioning rules
3. Apply to CAP

---

## Risks

| Risk | Impact | Mitigation |
|------|--------|------------|
| All devices lose connectivity | HIGH | Schedule maintenance window |
| Docker br0 containers break | MEDIUM | Reconfigure macvlan |
| Static IPs need updating | LOW | Pre-configure DHCP reservations |

---

## Rollback

Disable VLAN filtering immediately (assumes the bridge interface is named `bridge`):

```routeros
/interface/bridge/set bridge vlan-filtering=no
```

This restores the flat network as long as the VLAN 1 / 192.168.31.0/24 addressing on the bridge was left in place. If the router is unreachable over the network, use console access or let Safe Mode revert the session.

---

## Prerequisites

- [ ] Map CSS326 switch ports to devices
- [ ] Backup MikroTik config
- [ ] Schedule maintenance window (30-60 min)
- [ ] Decide WiFi passwords for new SSIDs
- [ ] Console/serial access to router (in case of lockout)
- [ ] Apply the router changes in Safe Mode (Ctrl+X in the RouterOS terminal) so a lost connection reverts them

---

## References

- Full planning document: `archive/10-VLAN-NETWORK-SEGMENTATION.md`
- Device inventory: `archive/11-NETWORK-ASSET-INVENTORY.md`
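## Appendix: Worked Phase 1 Configuration

The following is an added example of the complete Phase 1 router configuration for HAP1, written for this page; it is not taken from the planning document or the archived documents it references. It assumes RouterOS 7 with the bridge named `bridge`, `ether1` as WAN, `ether2` as the trunk to the CSS326, an existing interface list named `LAN` that the default input/forward rules already trust, RouterOS 7.16 or later for the mDNS repeater, and placeholder DHCP pool ranges and MAC address. It folds in the two cross-VLAN accept rules and the mDNS setting from above, in the order they need to appear relative to the default inter-VLAN drop.

```routeros
# Added example for the Phase 1 steps; not from the planning document.
# Assumptions: bridge="bridge", ether1=WAN, ether2=trunk to CSS326, interface list "LAN"
# exists, RouterOS 7.16+ (mDNS repeater). Run inside Safe Mode (Ctrl+X) so a lost
# connection reverts every change below.

# Step 1: VLAN interfaces on the bridge (names match the mDNS repeater setting)
/interface/vlan
add interface=bridge vlan-id=10 name=vlan10
add interface=bridge vlan-id=20 name=vlan20
add interface=bridge vlan-id=30 name=vlan30
add interface=bridge vlan-id=40 name=vlan40

# Bridge VLAN table: router (bridge) and trunk carry VLANs 10-40 tagged;
# management (VLAN 1, 192.168.31.0/24) stays untagged via the default pvid=1
/interface/bridge/port
set [find interface=ether2] pvid=1 frame-types=admit-all
/interface/bridge/vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 vlan-ids=40

# VLAN interfaces join the LAN list so DHCP/DNS to the router are accepted in input
/interface/list/member
add list=LAN interface=vlan10
add list=LAN interface=vlan20
add list=LAN interface=vlan30
add list=LAN interface=vlan40

# Step 2: gateway addresses from the Proposed VLANs table
/ip/address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30
add address=192.168.40.1/24 interface=vlan40

# Step 3: one DHCP server per VLAN (pool ranges are assumptions)
/ip/pool
add name=pool-vlan10 ranges=192.168.10.100-192.168.10.254
add name=pool-vlan20 ranges=192.168.20.100-192.168.20.254
add name=pool-vlan30 ranges=192.168.30.100-192.168.30.254
add name=pool-vlan40 ranges=192.168.40.100-192.168.40.254
/ip/dhcp-server
add name=dhcp-vlan10 interface=vlan10 address-pool=pool-vlan10
add name=dhcp-vlan20 interface=vlan20 address-pool=pool-vlan20
add name=dhcp-vlan30 interface=vlan30 address-pool=pool-vlan30
add name=dhcp-vlan40 interface=vlan40 address-pool=pool-vlan40
/ip/dhcp-server/network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.40.1
# Reservation for the "New IP" column, one per device; MAC is a placeholder
/ip/dhcp-server/lease
add server=dhcp-vlan20 address=192.168.20.10 mac-address=00:11:22:33:44:55 comment="Chromecast"

# Step 4: forward chain, in order: stateful accept, invalid drop, the specific
# cross-VLAN allowances from this document, internet access, then default inter-VLAN drop
/ip/firewall/filter
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    protocol=tcp dst-port=8008,8009,8443 comment="Secure -> Chromecast casting"
add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.20.2 \
    protocol=tcp dst-port=8123 comment="Secure -> Home Assistant"
add chain=forward action=accept in-interface-list=LAN out-interface=ether1 comment="LAN -> internet"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN comment="drop inter-VLAN"

# mDNS repeater (RouterOS 7.16+) so vlan10 senders discover the Chromecast on vlan20
/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20

# Step 5: turn on filtering last, after the VLAN table and PVIDs are in place
/interface/bridge/set bridge vlan-filtering=yes
```

The `drop inter-VLAN` rule also blocks Secure → Management (VLAN 1) traffic in the `forward` chain; if the switch or CAP is administered from VLAN 10, add a matching accept above it. If the default MikroTik firewall rules are still present, insert the cross-VLAN accepts and the inter-VLAN drop directly after the existing `drop invalid` rule (using `place-before=`) rather than appending them after the default `accept` rules.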