# WIP: VLAN Network Segmentation Proposal

**Status:** Planning
**Created:** 2026-01-25

---

## Current State

Single flat network: `192.168.31.0/24`

- All devices on same broadcast domain
- No traffic isolation between IoT, guests, and trusted devices
- Security risk: a compromised IoT device can reach the entire network

---

## Proposed VLAN Architecture

```
                        ┌─────────────────┐
                        │    INTERNET     │
                        └────────┬────────┘
                                 │
                        ┌────────▼────────┐
                        │  MikroTik hAP   │
                        │  192.168.31.1   │
                        │   (Router/FW)   │
                        └────────┬────────┘
                                 │
      ┌──────────────┬───────────┼───────────────┬──────────────┐
      │              │           │               │              │
┌─────▼───────────┐ ┌▼──────────┐ ┌▼──────────┐ ┌▼──────────────┐ ┌▼────────┐
│     VLAN 10     │ │  VLAN 20  │ │  VLAN 30  │ │    VLAN 40    │ │ VLAN 50 │
│   Management    │ │  Trusted  │ │    IoT    │ │    Servers    │ │  Guest  │
│ 192.168.10.0/24 │ │ .20.0/24  │ │ .30.0/24  │ │   .40.0/24    │ │.50.0/24 │
└─────────────────┘ └───────────┘ └───────────┘ └───────────────┘ └─────────┘
```

---

## VLAN Definitions

| VLAN ID | Name | Subnet | Purpose | Gateway |
|---------|------|--------|---------|---------|
| 10 | Management | 192.168.10.0/24 | Infrastructure management | .10.1 |
| 20 | Trusted | 192.168.20.0/24 | Personal devices | .20.1 |
| 30 | IoT | 192.168.30.0/24 | Smart home devices | .30.1 |
| 40 | Servers | 192.168.40.0/24 | Exposed services | .40.1 |
| 50 | Guest | 192.168.50.0/24 | Visitor WiFi | .50.1 |

---

## VLAN 10: Management

**Purpose:** Infrastructure administration only

| Device | IP | Description |
|--------|-----|-------------|
| MikroTik | 192.168.10.1 | Router/Gateway |
| Unraid | 192.168.10.2 | Server management |
| Switch | 192.168.10.3 | CSS326 management |
| AP | 192.168.10.4 | cAP ac management |

**Access Rules:**

- ✅ Full access to all VLANs (admin only)
- ✅ SSH, Web UI access
- ❌ No internet access (optional, security hardening)
- ❌ No access FROM other VLANs

---

## VLAN 20: Trusted

**Purpose:** Personal/family devices with full access

| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Laptops | .20.100-.150 | MacBooks, Windows PCs |
| Phones | .20.151-.200 | iPhones, Android |
| Tablets | .20.201-.220 | iPads |
| Static | .20.10-.50 | Reserved |

**Access Rules:**

- ✅ Internet access
- ✅ Access to Servers VLAN (Plex, services)
- ✅ Access to IoT VLAN (control devices)
- ❌ No access to Management VLAN
- ❌ No access from Guest VLAN

---

## VLAN 30: IoT

**Purpose:** Smart home devices (isolated)

| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Smart TV | .30.100-.110 | LG TV, Apple TV |
| Speakers | .30.111-.130 | Sonos, HomePod |
| Sensors | .30.131-.180 | Zigbee hubs, motion |
| Cameras | .30.181-.200 | Security cameras |
| Static | .30.10-.50 | Reserved |

**Access Rules:**

- ✅ Internet access (restricted destinations)
- ✅ Access to local DNS (AdGuard)
- ✅ mDNS/Bonjour relay from Trusted
- ❌ No inter-device communication (optional)
- ❌ No access to Management
- ❌ No access to Servers (except specific ports)
- ❌ Cannot initiate to Trusted (Trusted can initiate)

---

## VLAN 40: Servers/DMZ

**Purpose:** Services accessible from the internet

| Service | IP | Ports | Description |
|---------|-----|-------|-------------|
| Traefik | 192.168.40.2 | 80,443 | Reverse proxy |
| AdGuard | 192.168.40.4 | 53,853,443 | DNS (DoT/DoH) |
| Gitea | 192.168.40.10 | 3000 | Git hosting |
| Plex | 192.168.40.20 | 32400 | Media server |

**Access Rules:**

- ✅ Internet access
- ✅ Inbound from WAN (via NAT)
- ✅ Access from Trusted VLAN
- ❌ Cannot initiate to Management
- ❌ Cannot initiate to Trusted
- ❌ No access from Guest

---

## VLAN 50: Guest

**Purpose:** Visitor WiFi with internet only

| Setting | Value |
|---------|-------|
| DHCP Range | 192.168.50.100-.200 |
| Lease Time | 4 hours |
| Bandwidth Limit | 50 Mbps |
| Client Isolation | Yes |

**Access Rules:**

- ✅ Internet access only
- ❌ No access to any internal VLAN
- ❌ No inter-client communication
- ❌ Captive portal (optional)

---

## Firewall Rules Summary

```
┌─────────────┬──────┬─────────┬─────┬─────────┬───────┐
│ From \ To   │ Mgmt │ Trusted │ IoT │ Servers │ Guest │
├─────────────┼──────┼─────────┼─────┼─────────┼───────┤
│ Management  │  ✅  │   ✅    │ ✅  │   ✅    │  ✅   │
│ Trusted     │  ❌  │   ✅    │ ✅  │   ✅    │  ❌   │
│ IoT         │  ❌  │   ❌    │ ⚠️  │   ⚠️    │  ❌   │
│ Servers     │  ❌  │   ❌    │ ❌  │   ✅    │  ❌   │
│ Guest       │  ❌  │   ❌    │ ❌  │   ❌    │  ⚠️   │
│ Internet    │  ❌  │   ❌    │ ❌  │   ✅    │  ❌   │
└─────────────┴──────┴─────────┴─────┴─────────┴───────┘

✅ = Full access   ❌ = Blocked   ⚠️ = Limited/Specific ports only
```

---

## DNS Configuration

| VLAN | DNS Server | Purpose |
|------|------------|---------|
| 10 Management | 192.168.10.1 | MikroTik DNS |
| 20 Trusted | 192.168.40.4 | AdGuard (full filtering) |
| 30 IoT | 192.168.40.4 | AdGuard (IoT blocklist) |
| 40 Servers | 8.8.8.8, 1.1.1.1 | External DNS |
| 50 Guest | 192.168.40.4 | AdGuard (strict filtering) |

**Enforce DNS:** NAT-redirect all port 53 traffic to the designated DNS server of each VLAN.

---

## WiFi SSID Mapping

| SSID | VLAN | Security | Notes |
|------|------|----------|-------|
| Home | 20 | WPA3 | Trusted devices |
| Home-IoT | 30 | WPA2 | Smart devices (2.4GHz) |
| Home-Guest | 50 | WPA2 | Visitors |
| (hidden) Admin | 10 | WPA3 | Management only |

---

## MikroTik Implementation

### 1. Create VLANs on Bridge

```routeros
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-trusted vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan40-servers vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50
```

### 2. IP Addresses

```routeros
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest
```

### 3. DHCP Servers

```routeros
/ip pool
# Trusted pool spans the laptop, phone and tablet ranges (.100-.220) from the VLAN 20 table
add name=pool-trusted ranges=192.168.20.100-192.168.20.220
add name=pool-iot ranges=192.168.30.100-192.168.30.200
add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.200

# Management (VLAN 10) is static-only, so it gets no DHCP server
/ip dhcp-server
add address-pool=pool-trusted interface=vlan20-trusted name=dhcp-trusted
add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot
add address-pool=pool-servers interface=vlan40-servers name=dhcp-servers
add address-pool=pool-guest interface=vlan50-guest name=dhcp-guest
```

### 4. Inter-VLAN Firewall (Example)

```routeros
/ip firewall filter
# Allow established/related (return traffic for flows accepted below)
add chain=forward action=accept connection-state=established,related

# Management can access all
add chain=forward action=accept src-address=192.168.10.0/24

# Trusted to IoT
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24

# Trusted to Servers
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.40.0/24

# Block all other inter-VLAN traffic (covers every 192.168.x.0/24 above)
add chain=forward action=drop src-address=192.168.0.0/16 dst-address=192.168.0.0/16
```

---

## Migration Plan

### Phase 1: Preparation

- [ ] Document all current static IPs
- [ ] List all devices and target VLANs
- [ ] Configure switch for VLAN trunking
- [ ] Test VLAN setup on an isolated port

### Phase 2: Infrastructure

- [ ] Create VLANs on MikroTik
- [ ] Configure DHCP per VLAN
- [ ] Move Unraid to VLAN 10 (management)
- [ ] Move AdGuard to VLAN 40 (servers)
- [ ] Update DNS redirect rules

### Phase 3: Devices

- [ ] Configure WiFi SSIDs per VLAN
- [ ] Move trusted devices to VLAN 20
- [ ] Move IoT devices to VLAN 30
- [ ] Test inter-VLAN access rules

### Phase 4: Hardening

- [ ] Implement firewall rules
- [ ] Enable DNS enforcement per VLAN
- [ ] Set up guest captive portal (optional)
- [ ] Document final configuration

---

## Considerations

### Pros

- Security isolation between device types
- A compromised IoT device cannot reach trusted devices
- Guests cannot snoop on internal traffic
- Granular firewall control
- Better traffic management

### Cons

- Increased complexity
- mDNS/Bonjour requires relay configuration
- Some IoT devices may have issues
- Initial migration effort

### Services Requiring Special Attention

- **Plex:** Needs access from Trusted to Servers
- **Sonos/AirPlay:** Requires mDNS relay
- **Chromecast:** Needs multicast between VLANs
- **Printers:** May need access from multiple VLANs

---

## Questions to Decide

1. Should the Management VLAN have internet access?
2. IoT device discovery: enable mDNS relay or use static configs?
3. Guest WiFi: captive portal or just a password?
4. Camera VLAN: separate from IoT or combined?
5. Keep legacy 192.168.31.0/24 for the transition period?
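Step 1 of the MikroTik implementation creates the VLAN interfaces on the bridge, but on RouterOS the tagged frames are only kept apart once the bridge VLAN table is populated and `vlan-filtering` is switched on; until then every port still sees every VLAN. The following is an added example written for this proposal, not configuration from the proposal itself. It assumes ether2 is the trunk to the CSS326, ether3 the trunk to the cAP ac, ether4 an untagged Management access port kept as a lockout safety net during the migration, and the `bridge` and `vlanNN-*` names from step 1.

```routeros
# Added example (assumed port roles: ether2 = trunk to switch, ether3 = trunk
# to AP, ether4 = untagged Management access port). Keep filtering OFF while
# the table is built so a half-applied table cannot lock you out.
/interface bridge
set bridge vlan-filtering=no

# Trunk ports only accept tagged frames; the access port only untagged ones
# and stamps them with PVID 10 (Management).
/interface bridge port
set [find interface=ether2] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [find interface=ether3] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [find interface=ether4] pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# Bridge VLAN table: "bridge" must be a tagged member of every VLAN that the
# router itself routes for (the vlanNN-* interfaces hang off it).
# Servers (40) is wired only, so it is not carried to the AP trunk.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether2,ether3 untagged=ether4
add bridge=bridge vlan-ids=20 tagged=bridge,ether2,ether3
add bridge=bridge vlan-ids=30 tagged=bridge,ether2,ether3
add bridge=bridge vlan-ids=40 tagged=bridge,ether2
add bridge=bridge vlan-ids=50 tagged=bridge,ether2,ether3

# Last step, once the table is complete and a console/ether4 session is open.
/interface bridge
set bridge vlan-filtering=yes
```

Apply this from a Safe Mode session (or a console on ether4) and verify with `/interface bridge vlan print` and `/interface bridge host print` that each VLAN ID shows the expected tagged ports before relying on it; a VLAN missing from the table is silently dropped by the bridge, which looks like a dead port during Phase 1 testing. The CSS326 side (its per-port tagged/untagged VLAN table) is configured in SwOS and is not shown here.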
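The step 4 example and the From \ To matrix state the policy, and the DNS Configuration section asks for port 53 to be NAT-redirected per VLAN; the example below is an added, complete forward-chain and NAT rule set that implements both, written for this proposal rather than taken from it. It assumes ether1 is the WAN port, the `vlanNN-*` interface names from step 1, AdGuard at 192.168.40.4 (from the Servers table), and Plex on TCP 32400 as the one "specific port" IoT may reach in Servers. The mDNS relay and the router's own `input` chain are out of scope here.

```routeros
# Added example: interface lists make the rules readable and keep the
# default-deny rule independent of how many VLANs exist.
/interface list
add name=WAN
add name=VLAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan10-mgmt list=VLAN
add interface=vlan20-trusted list=VLAN
add interface=vlan30-iot list=VLAN
add interface=vlan40-servers list=VLAN
add interface=vlan50-guest list=VLAN

/ip firewall filter
# 1. Stateful baseline: replies to accepted flows pass, broken state is dropped.
add chain=forward action=accept connection-state=established,related,untracked comment="accept established"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# 2. Management initiates to every VLAN; nothing initiates INTO Management.
#    Internet for Management is deliberately not opened (open question 1).
add chain=forward action=accept in-interface=vlan10-mgmt out-interface-list=VLAN comment="mgmt -> all VLANs"
add chain=forward action=drop out-interface-list=VLAN in-interface-list=!VLAN out-interface=vlan10-mgmt comment="WAN -> mgmt never"
add chain=forward action=drop out-interface=vlan10-mgmt comment="no inbound to mgmt"
# 3. Every VLAN may query AdGuard (UDP/TCP 53, DoT 853); this is what makes the
#    DNS redirect below work for IoT and Guest, which get nothing else in Servers.
add chain=forward action=accept in-interface-list=VLAN dst-address=192.168.40.4 protocol=udp dst-port=53 comment="DNS to AdGuard"
add chain=forward action=accept in-interface-list=VLAN dst-address=192.168.40.4 protocol=tcp dst-port=53,853 comment="DNS/DoT to AdGuard"
# 4. Trusted -> IoT and Trusted -> Servers (full); IoT replies ride on rule 1.
add chain=forward action=accept in-interface=vlan20-trusted out-interface=vlan30-iot
add chain=forward action=accept in-interface=vlan20-trusted out-interface=vlan40-servers
# 5. IoT -> Servers only on the assumed Plex port (the matrix's "limited" cell).
add chain=forward action=accept in-interface=vlan30-iot out-interface=vlan40-servers protocol=tcp dst-port=32400
# 6. Inbound from the internet only to flows that a dst-nat rule published.
add chain=forward action=accept in-interface-list=WAN out-interface=vlan40-servers connection-nat-state=dstnat comment="published services"
add chain=forward action=drop in-interface-list=WAN comment="drop other WAN -> LAN"
# 7. Internet egress for Trusted, IoT, Servers and Guest.
add chain=forward action=accept in-interface=vlan20-trusted out-interface-list=WAN
add chain=forward action=accept in-interface=vlan30-iot out-interface-list=WAN
add chain=forward action=accept in-interface=vlan40-servers out-interface-list=WAN
add chain=forward action=accept in-interface=vlan50-guest out-interface-list=WAN
# 8. Default deny: anything between VLANs not listed above, then everything else.
add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN comment="inter-VLAN default deny"
add chain=forward action=drop comment="catch-all"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
# DNS enforcement (DNS Configuration table): any plain port-53 query that is not
# already aimed at the VLAN's designated resolver is rewritten to it.
add chain=dstnat in-interface=vlan20-trusted protocol=udp dst-port=53 dst-address=!192.168.40.4 action=dst-nat to-addresses=192.168.40.4 to-ports=53
add chain=dstnat in-interface=vlan20-trusted protocol=tcp dst-port=53 dst-address=!192.168.40.4 action=dst-nat to-addresses=192.168.40.4 to-ports=53
add chain=dstnat in-interface=vlan30-iot protocol=udp dst-port=53 dst-address=!192.168.40.4 action=dst-nat to-addresses=192.168.40.4 to-ports=53
add chain=dstnat in-interface=vlan30-iot protocol=tcp dst-port=53 dst-address=!192.168.40.4 action=dst-nat to-addresses=192.168.40.4 to-ports=53
add chain=dstnat in-interface=vlan50-guest protocol=udp dst-port=53 dst-address=!192.168.40.4 action=dst-nat to-addresses=192.168.40.4 to-ports=53
add chain=dstnat in-interface=vlan50-guest protocol=tcp dst-port=53 dst-address=!192.168.40.4 action=dst-nat to-addresses=192.168.40.4 to-ports=53
# Management uses the router's own resolver (192.168.10.1), so "redirect" sends
# the query to the router itself; Servers (external DNS) is left untouched.
add chain=dstnat in-interface=vlan10-mgmt protocol=udp dst-port=53 dst-address=!192.168.10.1 action=redirect to-ports=53
```

Two caveats matter when reviewing this against the matrix. First, the forward chain only sees traffic that crosses the router, so the ⚠️ cells on the diagonal (IoT↔IoT, Guest↔Guest) are not enforced here at all; the "Client Isolation" setting on the AP is what actually separates two guests in the same VLAN. Second, the dst-nat rows only catch clear-text port 53: a device that speaks DoT (853) or DoH (443) to an outside resolver is not rewritten, which is why rule 3 opens 853 only toward AdGuard and why the "restricted destinations" item for IoT needs its own allow-list if that bypass should be closed. Check the result with `/ip firewall filter print stats` after some traffic and confirm the "inter-VLAN default deny" counter is the one growing for IoT→Trusted attempts, and that the `dstnat` counters rise when a client is pointed at a public resolver.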