# WIP: VLAN Network Segmentation Proposal

**Status:** Planning
**Created:** 2026-01-25
**Updated:** 2026-01-25

---

## Decisions Made

- ✅ Separate Camera VLAN (VLAN 35)
- ✅ Guest WiFi: password only (no captive portal)
- ✅ Keep 192.168.31.0/24 during the transition (VLAN 1)

---

## Current State

Single flat network: `192.168.31.0/24` (will become the transition VLAN)

---

## Proposed VLAN Architecture

```
                                ┌─────────────────┐
                                │    INTERNET     │
                                └────────┬────────┘
                                         │
                                ┌────────▼────────┐
                                │  MikroTik hAP   │
                                │   (Router/FW)   │
                                └────────┬────────┘
                                         │
     ┌───────────┬───────────┬───────────┼───────────┬───────────┬───────────┐
     │           │           │           │           │           │           │
┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐
│ VLAN 1  │ │ VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 35 │ │ VLAN 40 │ │ VLAN 50 │
│ Legacy  │ │  Mgmt   │ │ Trusted │ │   IoT   │ │ Cameras │ │ Servers │ │  Guest  │
│.31.0/24 │ │.10.0/24 │ │.20.0/24 │ │.30.0/24 │ │.35.0/24 │ │.40.0/24 │ │.50.0/24 │
└─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘
```

---

## VLAN Definitions

| VLAN ID | Name | Subnet | Gateway | Purpose |
|---------|------|--------|---------|---------|
| 1 | Legacy/Transition | 192.168.31.0/24 | .31.1 | Current network (temporary) |
| 10 | Management | 192.168.10.0/24 | .10.1 | Infrastructure admin |
| 20 | Trusted | 192.168.20.0/24 | .20.1 | Personal devices |
| 30 | IoT | 192.168.30.0/24 | .30.1 | Smart home devices |
| 35 | Cameras | 192.168.35.0/24 | .35.1 | Security cameras (isolated) |
| 40 | Servers | 192.168.40.0/24 | .40.1 | Exposed services |
| 50 | Guest | 192.168.50.0/24 | .50.1 | Visitor WiFi |

---

## VLAN 1: Legacy/Transition

**Purpose:** Current network; devices migrate from here

| Device | IP | Target VLAN |
|--------|-----|-------------|
| MikroTik | 192.168.31.1 | VLAN 10 |
| Unraid | 192.168.31.2 | VLAN 10 |
| AdGuard | 192.168.31.4 | VLAN 40 |
| LG TV | 192.168.31.100 | VLAN 30 |

**Note:** This VLAN will be deprecated after migration.

---

## VLAN 10: Management

**Purpose:** Infrastructure administration only

| Device | IP | Description |
|--------|-----|-------------|
| MikroTik | 192.168.10.1 | Router/Gateway |
| Unraid | 192.168.10.2 | Server management |
| CSS326 | 192.168.10.3 | Switch management |
| cAP ac | 192.168.10.4 | AP management |

**Access Rules:**

- ✅ Full access to all VLANs
- ✅ SSH, Web UI, API access
- ❌ No access FROM other VLANs (except established connections)

---

## VLAN 20: Trusted

**Purpose:** Personal/family devices

| Device Type | DHCP Range | Static Range |
|-------------|------------|--------------|
| Reserved | - | .20.10-.50 |
| Laptops | .20.100-.130 | - |
| Phones | .20.131-.160 | - |
| Tablets | .20.161-.180 | - |
| Other | .20.181-.220 | - |

**Access Rules:**

- ✅ Internet access
- ✅ Access to Servers VLAN
- ✅ Access to IoT VLAN (control devices)
- ✅ Access to Cameras VLAN (view feeds)
- ❌ No access to Management VLAN
- ❌ No access from Guest VLAN

---

## VLAN 30: IoT

**Purpose:** Smart home devices (isolated)

| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Smart TVs | .30.100-.110 | LG TV, Apple TV |
| Speakers | .30.111-.130 | Sonos, HomePod |
| Hubs | .30.131-.150 | Zigbee, Z-Wave |
| Sensors | .30.151-.180 | Motion, temp |
| Other | .30.181-.220 | Plugs, lights |

**Access Rules:**

- ✅ Internet access (filtered)
- ✅ Local DNS (AdGuard)
- ✅ mDNS relay from Trusted
- ❌ No access to Management
- ❌ No access to Cameras
- ❌ No access to Servers (except specific services)
- ❌ Cannot initiate connections to Trusted

---

## VLAN 35: Cameras

**Purpose:** Security cameras (highly isolated)

| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Indoor | .35.100-.120 | - |
| Outdoor | .35.121-.140 | - |
| NVR | .35.10 | Recording server |

**Access Rules:**

- ⚠️ Limited internet (firmware updates only)
- ✅ Access to NVR only
- ✅ Trusted can VIEW (no control)
- ❌ No access to any other VLAN
- ❌ No inter-camera communication
- ❌ Blocked: China and Russia IP ranges (common camera call-home destinations)

---

## VLAN 40: Servers/DMZ

**Purpose:** Services accessible externally

| Service | IP | Ports | Description |
|---------|-----|-------|-------------|
| Traefik | 192.168.40.2 | 80,443 | Reverse proxy |
| AdGuard | 192.168.40.4 | 53,853,443 | DNS server |
| Gitea | 192.168.40.10 | 3000 | Git hosting |
| Woodpecker | 192.168.40.11 | 8000 | CI/CD |
| Plex | 192.168.40.20 | 32400 | Media |

**Access Rules:**

- ✅ Internet access
- ✅ Inbound from WAN (via NAT)
- ✅ Access from Trusted
- ❌ Cannot initiate connections to other VLANs

---

## VLAN 50: Guest

**Purpose:** Visitor WiFi (password protected, no captive portal)

| Setting | Value |
|---------|-------|
| DHCP Range | 192.168.50.100-.200 |
| Lease Time | 4 hours |
| Bandwidth | 50 Mbps limit |
| Client Isolation | Enabled |

**Access Rules:**

- ✅ Internet access only
- ❌ No access to ANY internal VLAN
- ❌ No inter-client communication

---

## Firewall Matrix

```
┌─────────────┬────────┬──────┬─────────┬─────┬─────────┬─────────┬───────┐
│ From \ To   │ Legacy │ Mgmt │ Trusted │ IoT │ Cameras │ Servers │ Guest │
├─────────────┼────────┼──────┼─────────┼─────┼─────────┼─────────┼───────┤
│ Legacy      │   ✅   │  ✅  │   ✅    │ ✅  │   ✅    │   ✅    │  ✅   │
│ Management  │   ✅   │  ✅  │   ✅    │ ✅  │   ✅    │   ✅    │  ✅   │
│ Trusted     │   ✅   │  ❌  │   ✅    │ ✅  │   👁️    │   ✅    │  ❌   │
│ IoT         │   ❌   │  ❌  │   ❌    │ ⚠️  │   ❌    │   ⚠️    │  ❌   │
│ Cameras     │   ❌   │  ❌  │   ❌    │ ❌  │   ⚠️    │   ❌    │  ❌   │
│ Servers     │   ❌   │  ❌  │   ❌    │ ❌  │   ❌    │   ✅    │  ❌   │
│ Guest       │   ❌   │  ❌  │   ❌    │ ❌  │   ❌    │   ❌    │  ⚠️   │
│ Internet    │   ❌   │  ❌  │   ❌    │ ❌  │   ❌    │   ✅    │  ❌   │
└─────────────┴────────┴──────┴─────────┴─────┴─────────┴─────────┴───────┘

✅ = Full access
❌ = Blocked
⚠️ = Limited (specific ports/IPs)
👁️ = View only (cameras: RTSP/HTTP streams)
```

---

## DNS Configuration

| VLAN | DNS Server | Filtering Level |
|------|------------|-----------------|
| 1 Legacy | 192.168.31.1 | Current setup |
| 10 Management | 192.168.10.1 | Minimal |
| 20 Trusted | 192.168.40.4 | Standard |
| 30 IoT | 192.168.40.4 | IoT blocklist |
| 35 Cameras | 192.168.40.4 | Strict + geo-block |
| 40 Servers | 8.8.8.8/1.1.1.1 | None (external) |
| 50 Guest | 192.168.40.4 | Strict |

---

## WiFi SSID Mapping

| SSID | VLAN | Band | Security | Hidden |
|------|------|------|----------|--------|
| Home | 20 | 2.4+5 GHz | WPA3 | No |
| Home-IoT | 30 | 2.4 GHz | WPA2 | No |
| Home-Guest | 50 | 2.4+5 GHz | WPA2 | No |
| Admin | 10 | 5 GHz | WPA3 | Yes |

---

## MikroTik Implementation

### 1. Create VLANs

```routeros
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-trusted vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan35-cameras vlan-id=35
add interface=bridge name=vlan40-servers vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50
```

### 2. IP Addresses

```routeros
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.35.1/24 interface=vlan35-cameras
add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest
```

### 3. DHCP Pools

```routeros
/ip pool
add name=pool-trusted ranges=192.168.20.100-192.168.20.220
add name=pool-iot ranges=192.168.30.100-192.168.30.220
add name=pool-cameras ranges=192.168.35.100-192.168.35.140
add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.200
```

### 4. Camera Geo-Blocking

```routeros
/ip firewall address-list
add list=blocked-countries address=0.0.0.0/8 comment="CN/RU blocks - add actual ranges"

/ip firewall filter
add chain=forward action=drop src-address=192.168.35.0/24 dst-address-list=blocked-countries
```

---

## Migration Plan

### Phase 1: Preparation (No Downtime)

- [ ] Document all static IPs and MAC addresses
- [ ] Create device inventory with target VLANs
- [ ] Configure VLANs on MikroTik (inactive)
- [ ] Configure switch trunk ports
- [ ] Test on an isolated port

### Phase 2: Infrastructure (Brief Downtime)

- [ ] Create VLAN interfaces and IPs
- [ ] Configure DHCP per VLAN
- [ ] Move Unraid management to VLAN 10
- [ ] Move AdGuard to VLAN 40
- [ ] Update container networks

### Phase 3: WiFi (Rolling)

- [ ] Create new SSIDs per VLAN
- [ ] Move personal devices to VLAN 20
- [ ] Move IoT devices to VLAN 30
- [ ] Test mDNS/Bonjour relay

### Phase 4: Cameras & Security

- [ ] Move cameras to VLAN 35
- [ ] Implement geo-blocking
- [ ] Test camera isolation
- [ ] Verify Trusted can view feeds

### Phase 5: Cleanup

- [ ] Implement all firewall rules
- [ ] Enable DNS enforcement
- [ ] Migrate remaining devices from VLAN 1
- [ ] Document final configuration
- [ ] Deprecate VLAN 1 (keep for emergency)

---

## Rollback Plan

If issues occur:

1. All devices can temporarily use VLAN 1 (legacy)
2. MikroTik remains accessible on 192.168.31.1
3. Keep VLAN 1 DHCP active during the transition
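The Firewall Matrix above is only a picture until it becomes an ordered rule set, and the order matters (established/related first, explicit accepts, default drop last). This added example, not part of the proposal's own MikroTik config, renders the matrix into `/ip firewall filter` lines; the port numbers for the view-only and limited cells and the AdGuard host are assumptions, not values the proposal fixes.

```python
"""Render the From/To firewall matrix as MikroTik forward-chain rules.
Added example, not the proposal's own config. Cells: A = full, X = blocked,
L = limited, V = view only. Same-VLAN cells are L2 traffic that never reaches
the router's forward chain, so they are skipped; per-VLAN internet egress
(Guest internet-only, IoT filtered) is out of scope here."""

SUBNETS = {  # from the VLAN Definitions table, in matrix column order
    "Legacy": "192.168.31.0/24", "Management": "192.168.10.0/24",
    "Trusted": "192.168.20.0/24", "IoT": "192.168.30.0/24",
    "Cameras": "192.168.35.0/24", "Servers": "192.168.40.0/24",
    "Guest": "192.168.50.0/24",
}
MATRIX = {  # matrix rows, internal VLANs only (Internet row is NAT, not forward)
    "Legacy": "AAAAAAA", "Management": "AAAAAAA", "Trusted": "AXAAVAX",
    "IoT": "XXXLXLX", "Cameras": "XXXXLXX", "Servers": "XXXXXAX",
    "Guest": "XXXXXXL",
}
# Scope for limited/view cells: (protocol, dst-port, dst-address). The port
# numbers and the AdGuard host are assumptions, not values from the proposal.
LIMITED = {
    ("Trusted", "Cameras"): ("tcp", "554,80", SUBNETS["Cameras"]),  # RTSP/HTTP
    ("IoT", "Servers"): ("udp", "53", "192.168.40.4"),              # AdGuard DNS
}


def generate_rules(matrix=MATRIX, limited=LIMITED):
    """Return RouterOS 'add' lines in first-match order for /ip firewall filter."""
    rules = ["add chain=forward action=accept connection-state=established,related "
             'comment="return traffic for established flows"',
             "add chain=forward action=drop connection-state=invalid"]
    for src, row in matrix.items():
        for dst, code in zip(SUBNETS, row):
            if src == dst or code == "X":
                continue  # L2 traffic, or left to the final drop
            base = f"add chain=forward action=accept src-address={SUBNETS[src]}"
            if code == "A":
                rules.append(f'{base} dst-address={SUBNETS[dst]} comment="{src} -> {dst}"')
            elif (src, dst) in limited:  # an L/V cell with no scope stays blocked
                proto, ports, host = limited[(src, dst)]
                rules.append(f"{base} dst-address={host} protocol={proto} "
                             f'dst-port={ports} comment="{src} -> {dst} (limited)"')
    rules.append('add chain=forward action=drop dst-address=192.168.0.0/16 '
                 'comment="default deny between VLANs"')
    return rules


if __name__ == "__main__":
    print("/ip firewall filter")
    print("\n".join(generate_rules()))
```

Because Management is reachable only through the established/related rule, the generator emits no accept rule toward 192.168.10.0/24 from any other VLAN, which is exactly the "except established" wording in the VLAN 10 rules.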