# VLAN Setup Progress

**Created:** 2026-01-28
**Status:** IN PROGRESS
**Last Updated:** 2026-01-28

---

## CRITICAL WARNING

**ALWAYS ASK FOR EXPLICIT CONFIRMATION BEFORE:**

1. Enabling VLAN filtering (`/interface bridge set bridge vlan-filtering=yes`)
2. Changing bridge port PVID values
3. Modifying bridge VLAN table

**Reason:** When VLAN filtering was enabled on 2026-01-28, the entire network lost connectivity:

- WiFi devices: No DHCP, no internet
- Wired devices on CSS326 (not VLAN 10): No DHCP, no internet
- Even with manual IP/DNS/gateway assignment: No internet
- Only VLAN 10 devices (Unraid on ether4/5) continued working

**Root Cause (suspected):** Bridge VLAN table or NAT/masquerade configuration issue for VLAN 1 traffic.

**Recovery:** User had to manually troubleshoot and fix the configuration.

---

## Current Network State

### Hardware Topology

```
Internet (62.73.120.142)
        │
        ▼
┌──────────────────────────────────────────────────────────────┐
│ HAP1 | MikroTik hAP ax³                                      │
│ IP: 192.168.88.1                                             │
│ RouterOS: 7.21.1                                             │
│                                                              │
│ Ports:                                                       │
│ ├── ether1: WAN (DHCP from ISP)                              │
│ ├── ether2: CAP XL ac (via PP1)                              │
│ ├── ether3: CSS326 switch                                    │
│ ├── ether4: Unraid eth1 ──┐ VLAN 10 (PVID=10)                │
│ ├── ether5: Unraid eth2 ──┘                                  │
│ ├── wifi1: XTRM (5GHz)                                       │
│ └── wifi2: XTRM2 (2.4GHz)                                    │
│                                                              │
│ Installed Packages: routeros, wifi-qcom, container,          │
│ user-manager                                                 │
└──────────────────────────────────────────────────────────────┘
        │
        │ ether2
        ▼
┌──────────────────────────────────────────────────────────────┐
│ CAP | MikroTik cAP XL ac                                     │
│ IP: 192.168.88.250                                           │
│ RouterOS: 7.21.1                                             │
│ CAPsMAN managed by HAP1                                      │
│                                                              │
│ WiFi (provisioned via CAPsMAN):                              │
│ ├── cap-wifi1: XTRM2 (2.4GHz)                                │
│ └── cap-wifi2: XTRM (5GHz)                                   │
└──────────────────────────────────────────────────────────────┘
        │ ether3
        ▼
┌──────────────────────────────────────────────────────────────┐
│ CSS326-24G-2S+                                               │
│ IP: 192.168.88.254                                           │
│ SwOS                                                         │
│ (VLAN config pending)                                        │
└──────────────────────────────────────────────────────────────┘
```

### SSH Access

| Device | IP | Port | User | Auth |
|--------|-----|------|------|------|
| HAP1 | 192.168.88.1 | 22 | xtrm | SSH key (~/.ssh/mikrotik_key) |
| CAP | 192.168.88.250 | 2222 | xtrm | SSH key (~/.ssh/mikrotik_key) |
| Unraid | 192.168.10.20 (pending) | 422 | root | SSH key (~/.ssh/id_ed25519_unraid) |

### WiFi Configuration

| SSID | Band | Password | Security |
|------|------|----------|----------|
| XTRM | 5GHz | M0stW4nt3d@home | WPA2/WPA3 |
| XTRM2 | 2.4GHz | M0stW4nt3d@IoT | WPA2 |

---

## VLAN Architecture (Planned)

| VLAN ID | Name | Subnet | Gateway | Purpose | Assignment Method |
|---------|------|--------|---------|---------|-------------------|
| 1 | Default | 192.168.88.0/24 | 192.168.88.1 | Current LAN (transition) | Default |
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | Port-based |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family devices | RADIUS MAC auth |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices | RADIUS MAC auth |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | RADIUS MAC auth |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | Port-based |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Services | Port-based |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Unknown/Guest devices | RADIUS default |

### Assignment Strategy

- **Port-based:** Wired devices with dedicated ports (Unraid, cameras)
- **RADIUS MAC auth:** WiFi devices - MikroTik User Manager assigns VLAN based on MAC
- **Default VLAN 50:** Unknown devices get internet-only access

---

## Current Configuration Status

### VLAN 10 - Management (IN PROGRESS)

**Status:** Configured, waiting for Unraid to renew DHCP

**What's Done:**

- [x] VLAN interface created: `vlan10-mgmt`
- [x] IP assigned: `192.168.10.1/24`
- [x] DHCP pool: `192.168.10.100-192.168.10.200`
- [x] DHCP server: `dhcp-mgmt` (DNS: 8.8.8.8)
- [x] Static leases created for VLAN 10 devices
- [x] Bridge VLAN table configured
- [x] ether4/ether5 PVID set to 10
- [x] VLAN filtering enabled on bridge

**What's Pending:**

- [ ] Unraid needs to renew DHCP to get 192.168.10.20
- [ ] Verify Unraid connectivity on new IP
- [ ] Update Unraid SSH connection string in CLAUDE.md

**Bridge VLAN Table:**

```
VLAN 1:  tagged=bridge, untagged=ether2,ether3,wifi1,wifi2
VLAN 10: tagged=bridge, untagged=ether4,ether5
```

**Bridge Ports:**

```
ether2: PVID=1  (CAP)
ether3: PVID=1  (CSS326)
ether4: PVID=10 (Unraid)
ether5: PVID=10 (Unraid)
wifi1:  PVID=1  (XTRM 5GHz)
wifi2:  PVID=1  (XTRM2 2.4GHz)
```

### VLAN 10 Static Leases

| IP | MAC | Device | Status |
|----|-----|--------|--------|
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | Waiting |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 | Waiting |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | Waiting |
| 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | Waiting |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U Unraid | Waiting |

### User Manager (Installed, Not Configured)

**Status:** Package installed, not enabled

**Purpose:** RADIUS server for MAC-based VLAN assignment on WiFi

**Next Steps:**

1. Enable User Manager
2. Add router as RADIUS client (NAS)
3. Create user entries with MAC addresses and VLAN attributes
4. Configure WiFi for RADIUS MAC authentication
5. Set default VLAN 50 for unknown MACs

---

## Device Inventory by VLAN

### VLAN 10 - Management (5 devices)

| Target IP | MAC | Device | Connection |
|-----------|-----|--------|------------|
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | ether2 via PP1 |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 | ether3 |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | Container |
| 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | CSS326 port |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U Unraid | ether4/5 |

### VLAN 20 - Trusted (5 devices)

| Target IP | MAC | Device | Owner |
|-----------|-----|--------|-------|
| 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora |
| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan |
| 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan |
| 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan |
| 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan |

### VLAN 25 - Kids (4 devices)

| Target IP | MAC | Device | Owner |
|-----------|-----|--------|-------|
| 192.168.25.12 | F2:B8:14:61:C8:27 | iPhone | Dancho |
| 192.168.25.14 | 90:91:64:70:0D:86 | Notebook | Kimi |
| 192.168.25.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi |
| 192.168.25.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg |

### VLAN 30 - IoT (12 devices)

| Target IP | MAC | Device |
|-----------|-----|--------|
| 192.168.30.10 | 50:2C:C6:7A:55:39 | GREE AC |
| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV (LAN) |
| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV (WiFi) |
| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast |
| 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock Vacuum |
| 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Oven |
| 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher |
| 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer |
| 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Device 1 |
| 192.168.30.32 | 38:1F:8D:04:6F:E4 | Tuya Device 2 |
| 192.168.30.38 | D4:AD:FC:BE:13:B0 | Intellirocks |
| 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier |

### VLAN 35 - Cameras (1 device)

| Target IP | MAC | Device |
|-----------|-----|--------|
| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell |

### VLAN 40 - Servers (1 device)

| Target IP | MAC | Device |
|-----------|-----|--------|
| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet |

### VLAN 50 - Guest/Unknown (4 devices)

| Target IP | MAC | Notes |
|-----------|-----|-------|
| 192.168.50.10 | AC:87:A3:77:8F:BD | Unknown Apple device |
| 192.168.50.11 | 22:4C:7F:1D:85:8E | Random MAC (privacy) |
| 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown |
| 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown |

---

## Useful Commands

### Check VLAN Status

```routeros
/interface vlan print
/interface bridge vlan print detail
/interface bridge port print
/interface bridge print where name=bridge
```

### Check DHCP Leases

```routeros
/ip dhcp-server lease print
/ip dhcp-server lease print where server=dhcp-mgmt
```

### Check User Manager

```routeros
/user-manager print
/user-manager user print
/user-manager router print
```

### Rollback VLAN Filtering

```routeros
/interface bridge set bridge vlan-filtering=no
```

### Force DHCP Renewal on Unraid

```bash
# On Unraid terminal
/etc/rc.d/rc.inet1 restart
# Or
dhclient -r eth0 && dhclient eth0
```

---

## Next Steps (In Order)

1. **Complete VLAN 10 Setup**
   - Restart network on Unraid to get new IP (192.168.10.20)
   - Verify connectivity
   - Update CLAUDE.md with new Unraid IP
2. **Configure User Manager for RADIUS**
   - Enable User Manager
   - Add router as NAS (RADIUS client)
   - Configure WiFi for MAC authentication
3. **Create Other VLANs**
   - VLAN 20 (Trusted) - interface, DHCP, firewall
   - VLAN 25 (Kids) - interface, DHCP, firewall
   - VLAN 30 (IoT) - interface, DHCP, firewall
   - VLAN 35 (Cameras) - interface, DHCP, firewall
   - VLAN 40 (Servers) - interface, DHCP, firewall
   - VLAN 50 (Guest) - interface, DHCP, firewall (default for unknown)
4. **Add MAC-VLAN Mappings to User Manager**
   - Add all trusted device MACs → VLAN 20
   - Add all kids device MACs → VLAN 25
   - Add all IoT device MACs → VLAN 30
   - Default (no match) → VLAN 50
5. **Configure Inter-VLAN Firewall Rules**
   - Management → All (full access)
   - Trusted → IoT, Cameras, Servers (control)
   - Kids → Limited (parental controls)
   - IoT → Internet only
   - Cameras → Isolated
   - Guest → Internet only
6. **Test and Verify**
   - Test each VLAN connectivity
   - Test inter-VLAN access rules
   - Test unknown device goes to VLAN 50

---

## Firewall Rules (Planned)

```routeros
# Allow established/related
/ip firewall filter add chain=forward connection-state=established,related action=accept

# Management can access everything
/ip firewall filter add chain=forward src-address=192.168.10.0/24 action=accept

# Trusted can access IoT, Cameras, Servers
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.30.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.35.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.40.0/24 action=accept

# IoT - Internet only (block inter-VLAN)
/ip firewall filter add chain=forward src-address=192.168.30.0/24 dst-address=192.168.0.0/16 action=drop

# Cameras - Isolated
/ip firewall filter add chain=forward src-address=192.168.35.0/24 dst-address=192.168.0.0/16 action=drop

# Guest - Internet only
/ip firewall filter add chain=forward src-address=192.168.50.0/24 dst-address=192.168.0.0/16 action=drop

# Drop all other inter-VLAN
/ip firewall filter add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
```

---

## Incident Log

### 2026-01-28: Network Outage After VLAN Filtering Enabled

**Timeline:**

1. VLAN 10 interface, DHCP, static leases configured
2. Bridge VLAN table configured (VLAN 1 and VLAN 10)
3. ether4/ether5 PVID set to 10
4. VLAN filtering enabled
5. **Result:** All non-VLAN 10 devices lost connectivity

**Symptoms:**

- WiFi devices: No DHCP assignment
- CSS326 connected devices: No DHCP assignment
- Manual IP configuration: Still no internet
- VLAN 10 devices (Unraid): Working correctly

**Suspected Cause:**

- Bridge VLAN table may not have been properly configured for VLAN 1
- NAT masquerade may not have been applied to VLAN 1 traffic
- Possible missing egress tagging configuration

**Resolution:** Manual fix by user (details TBD)

**Lessons Learned:**

1. **ALWAYS** test VLAN config on a single device first before enabling filtering
2. **ALWAYS** ask for explicit user confirmation before enabling VLAN filtering
3. Have rollback command ready: `/interface bridge set bridge vlan-filtering=no`
4. Keep WinBox/MAC-based access available for recovery
5. Document exact state before making changes

---

## Pre-Change Checklist (MANDATORY)

Before enabling VLAN filtering, verify:

- [ ] Bridge VLAN table has VLAN 1 with all non-VLAN ports as untagged
- [ ] Bridge itself is tagged in all VLANs
- [ ] NAT masquerade rule covers all internal networks
- [ ] DHCP servers exist for all active VLANs
- [ ] Static routes/addresses configured if needed
- [ ] WinBox or MAC-based access available for recovery
- [ ] User has confirmed they are ready for potential outage
- [ ] Rollback command documented: `/interface bridge set bridge vlan-filtering=no`

---

## Reference Documents

- `docs/03-VLAN-DEVICE-ASSIGNMENT.md` - Full device inventory
- `docs/04-VLAN-MIGRATION-PLAN.md` - Original migration plan
- `docs/11-VLAN-IMPLEMENTATION.md` - VLAN architecture overview
- `docs/wip/VLAN-PROPOSAL.md` - Initial proposal
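---

## Added Example: Pre-Change Bridge VLAN Checker

The Pre-Change Checklist and the Bridge VLAN Table / Bridge Ports sections above describe the state that has to be consistent before `vlan-filtering=yes` is set. The following Python script is an added example, not part of this document or the router's configuration: it models that state and runs the checklist items as code so they can be evaluated offline before touching the bridge. One check encodes a general RouterOS bridge rule that the checklist's "bridge itself is tagged in all VLANs" item does not distinguish: the CPU port (`bridge`) must be a *tagged* member of a VLAN whose gateway IP sits on a `vlan` sub-interface (as `vlan10-mgmt` does for VLAN 10), but an *untagged* member, with the bridge PVID set to that VLAN, of a VLAN whose gateway IP sits on the bridge interface itself. Assumptions, marked in the code: that 192.168.88.1 is assigned to the bridge interface (no `vlan1` interface is listed), that the bridge PVID is the RouterOS default of 1, and that VLAN 1 already has a DHCP server. Under those assumptions the recorded table flags VLAN 1; whether that is what the user actually fixed on 2026-01-28 is not recorded in this document.

```python
"""Consistency checks to run before `/interface bridge set bridge vlan-filtering=yes`.

Added example, not part of this document's configuration. It encodes the
Pre-Change Checklist as checks over a model of the bridge VLAN table, the
bridge port PVIDs, where each VLAN's gateway IP lives, and which VLANs have
a DHCP server. The sample state is constructed from the tables in this
document; nothing is read from a live router.
"""
from dataclasses import dataclass, field


@dataclass
class VlanEntry:
    """One row of `/interface bridge vlan print`: member ports by tagging mode."""
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)


def check_bridge_plan(vlans, port_pvid, bridge_pvid, gateway_iface, dhcp_vlans):
    """Return a list of (vlan_id, message) findings; an empty list means the plan passes.

    vlans:         {vlan_id: VlanEntry}        the bridge VLAN table
    port_pvid:     {port: pvid}                PVID of every bridge port except the CPU port
    bridge_pvid:   int                         PVID of the bridge interface (CPU port)
    gateway_iface: {vlan_id: "bridge"|"vlanX"} where the router's IP for that VLAN lives
    dhcp_vlans:    set of vlan_ids that have a DHCP server
    """
    findings = []

    # 1. Every access port must be an untagged member of the VLAN named by its PVID,
    #    otherwise its untagged ingress frames have no egress path once filtering is on.
    for port, pvid in port_pvid.items():
        if pvid not in vlans or port not in vlans[pvid].untagged:
            findings.append((pvid, f"{port} has PVID {pvid} but is not untagged in VLAN {pvid}"))

    # 2. A port can be an untagged member of at most one VLAN.
    seen = {}
    for vid, entry in vlans.items():
        for port in entry.untagged:
            if port in seen:
                findings.append((vid, f"{port} is untagged in both VLAN {seen[port]} and VLAN {vid}"))
            seen[port] = vid

    # 3. The CPU port ("bridge") must be reachable from every VLAN that has a gateway IP:
    #    IP on a vlan sub-interface  -> bridge must be a tagged member;
    #    IP on the bridge itself     -> bridge must be untagged and the bridge PVID must match.
    for vid, iface in gateway_iface.items():
        entry = vlans.get(vid, VlanEntry())
        if iface == "bridge":
            if "bridge" not in entry.untagged:
                findings.append((vid, f"gateway IP is on the bridge interface, so 'bridge' must be untagged in VLAN {vid}"))
            if bridge_pvid != vid:
                findings.append((vid, f"bridge PVID is {bridge_pvid}, must be {vid} for the bridge-interface IP to see VLAN {vid}"))
        elif "bridge" not in entry.tagged:
            findings.append((vid, f"gateway IP is on {iface}, so 'bridge' must be tagged in VLAN {vid}"))

    # 4. Every VLAN with client ports needs a DHCP server (checklist item).
    for vid, entry in vlans.items():
        clients = entry.untagged - {"bridge"}
        if clients and vid not in dhcp_vlans:
            findings.append((vid, f"VLAN {vid} has client ports {sorted(clients)} but no DHCP server"))

    return findings


# --- Sample state constructed from the Bridge VLAN Table / Bridge Ports sections ---
DOC_VLANS = {
    1: VlanEntry(tagged={"bridge"}, untagged={"ether2", "ether3", "wifi1", "wifi2"}),
    10: VlanEntry(tagged={"bridge"}, untagged={"ether4", "ether5"}),
}
DOC_PORT_PVID = {"ether2": 1, "ether3": 1, "ether4": 10, "ether5": 10, "wifi1": 1, "wifi2": 1}
DOC_BRIDGE_PVID = 1          # assumption: RouterOS default; the document does not state it
DOC_GATEWAY_IFACE = {
    1: "bridge",             # assumption: 192.168.88.1 is on the bridge itself (no vlan1 interface listed)
    10: "vlan10-mgmt",       # from "VLAN interface created: vlan10-mgmt"
}
DOC_DHCP_VLANS = {1, 10}     # assumption: the existing LAN DHCP server plus dhcp-mgmt

# The same plan with the CPU port carried untagged in VLAN 1 instead of tagged.
FIXED_VLANS = {
    1: VlanEntry(tagged=set(), untagged={"bridge", "ether2", "ether3", "wifi1", "wifi2"}),
    10: DOC_VLANS[10],
}

if __name__ == "__main__":
    for name, vlans in (("document state", DOC_VLANS), ("fixed state", FIXED_VLANS)):
        findings = check_bridge_plan(vlans, DOC_PORT_PVID, DOC_BRIDGE_PVID, DOC_GATEWAY_IFACE, DOC_DHCP_VLANS)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for vid, msg in findings:
            print(f"  VLAN {vid}: {msg}")
```

Fill `DOC_VLANS`, `DOC_PORT_PVID` and `DOC_GATEWAY_IFACE` from `/interface bridge vlan print detail`, `/interface bridge port print` and `/ip address print` on the live router before each attempt, and only proceed to `vlan-filtering=yes` when the checker returns no findings. Checks 1 and 2 are what the checklist's first item asks for; check 3 refines the second item, since tagging the bridge in a VLAN whose address lives directly on the bridge interface leaves that address unreachable from the VLAN's clients; check 4 is the DHCP item.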
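---

## Added Example: Simulating the Planned Forward-Chain Rules

The Firewall Rules (Planned) section lists the forward-chain rules in the order they would be added, and step 5 of Next Steps states the intent behind them. Because RouterOS evaluates a chain top to bottom and stops at the first matching terminating rule, the order decides the outcome, and that is easy to check before the rules go on the router. The following Python script is an added example, not part of this document or the router's configuration: it parses the rule lines exactly as written above and evaluates constructed sample flows (addresses taken from the Device Inventory tables) against them in order. It assumes only the `forward` chain is modelled and that a flow matching no rule is accepted, which is RouterOS's behaviour when a chain has no final drop.

```python
"""First-match simulation of the planned RouterOS forward-chain rules.

Added example, not part of this document's configuration. Parses the rule
lines from "Firewall Rules (Planned)" verbatim and walks them in order for
constructed sample flows. Assumptions: only chain=forward is modelled, and a
flow that matches no rule is accepted (no terminating rule in the chain).
"""
import ipaddress

PREFIX = "/ip firewall filter add "

# Copied verbatim from the "Firewall Rules (Planned)" section of this document.
PLANNED_RULES = """
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward src-address=192.168.10.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.30.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.35.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.40.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.30.0/24 dst-address=192.168.0.0/16 action=drop
/ip firewall filter add chain=forward src-address=192.168.35.0/24 dst-address=192.168.0.0/16 action=drop
/ip firewall filter add chain=forward src-address=192.168.50.0/24 dst-address=192.168.0.0/16 action=drop
/ip firewall filter add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
"""


def parse_rules(text):
    """Turn '/ip firewall filter add key=value ...' lines into dicts, preserving chain order."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith(PREFIX):
            raise ValueError(f"not a filter rule: {line}")
        rule = {}
        for token in line[len(PREFIX):].split():
            key, _, value = token.partition("=")
            rule[key] = value
        if "chain" not in rule or "action" not in rule:
            raise ValueError(f"rule lacks chain or action: {line}")
        rules.append(rule)
    return rules


def matches(rule, chain, src, dst, state):
    """True when every matcher present on the rule accepts the flow; absent matchers match anything."""
    if rule["chain"] != chain:
        return False
    if "src-address" in rule and src not in ipaddress.ip_network(rule["src-address"]):
        return False
    if "dst-address" in rule and dst not in ipaddress.ip_network(rule["dst-address"]):
        return False
    if "connection-state" in rule and state not in rule["connection-state"].split(","):
        return False
    return True


def evaluate(rules, src, dst, state="new", chain="forward"):
    """Return (action, index of the first matching rule); index is None for the implicit accept."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, rule in enumerate(rules):
        if matches(rule, chain, src_ip, dst_ip, state):
            return rule["action"], index
    return "accept", None  # assumption: no terminating rule -> RouterOS accepts


# Constructed sample flows: (label, src, dst, connection-state). Addresses come from the inventory tables.
SAMPLE_FLOWS = [
    ("Trusted -> IoT (control)",   "192.168.20.10", "192.168.30.12", "new"),
    ("IoT -> Trusted",             "192.168.30.12", "192.168.20.10", "new"),
    ("IoT reply to Trusted",       "192.168.30.12", "192.168.20.10", "established"),
    ("Kids -> IoT",                "192.168.25.12", "192.168.30.12", "new"),
    ("Management -> Guest",        "192.168.10.20", "192.168.50.10", "new"),
    ("Guest -> Internet",          "192.168.50.10", "1.1.1.1",       "new"),
    ("IoT -> AdGuard on VLAN 10",  "192.168.30.12", "192.168.10.10", "new"),
    ("Cameras -> Internet",        "192.168.35.10", "8.8.8.8",       "new"),
]


def run_matrix(rules=None):
    """Evaluate every sample flow; returns {label: (action, rule_index)}."""
    rules = parse_rules(PLANNED_RULES) if rules is None else rules
    return {label: evaluate(rules, src, dst, state) for label, src, dst, state in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, (action, index) in run_matrix().items():
        where = "implicit accept" if index is None else f"rule {index}"
        print(f"{label:28} {action:6} ({where})")
```

Two results are worth comparing against the stated intent before the rules are added: "IoT -> AdGuard on VLAN 10" is dropped by the IoT rule, so if the IoT VLAN's DHCP server is later configured to hand out 192.168.10.10 as DNS, an accept for that destination has to be placed above the IoT drop; and "Cameras -> Internet" falls through to the implicit accept, so the "Cameras → Isolated" intent, if it means no internet either, needs an explicit drop for that source. The simulation covers only the forward chain; rules protecting the router's own services (the input chain) are a separate matter not listed in this document.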