infrastructure/docs/archive/VLAN-SEGMENTATION.md
Kaloyan Danchev ec9659d0cb
Restructure docs: archive VLAN migration, update IPs to VLAN 10
Major documentation cleanup after VLAN migration completion:
- Archive 12 VLAN project docs to archive/vlan-migration/
- Archive 5 done WIP docs (VLAN proposals, AI stack, Fossorial, DNS backup)
- Create standing reference docs 08-DNS-ARCHITECTURE and 09-TAILSCALE-VPN
- Renumber docs to clean 01-09 sequence with merged CHANGELOG
- Update all active docs from stale 192.168.31.x to current VLAN 10 IPs
- Fix CSS1 (.10.9→.10.3) and ZX1 (.10.7→.10.4) IPs in hardware inventory
- Clean 06-VLAN-DEVICE-ASSIGNMENT: remove migration columns/sections, fix VLAN 25 subnet

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 12:45:16 +02:00


# VLAN Network Segmentation
**Status:** 📋 PLANNED
**Priority:** Medium
**Risk:** HIGH (network disruption during implementation)

---

## Overview

Segment the flat 192.168.31.0/24 network into VLANs so that IoT, kids and guest devices are isolated from the trusted servers and clients, with only explicitly listed cross-VLAN flows permitted.

---
## Proposed VLANs
| VLAN | Name | Subnet | Gateway | Purpose |
|------|------|--------|---------|---------|
| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Infrastructure devices only |
| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers |
| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras |
| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices |
| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi |
---
## WiFi SSID Mapping
| SSID | VLAN | Purpose |
|------|------|---------|
| XTRM | 10 | Primary (trusted devices) |
| XTRM-IoT | 20 | IoT devices |
| XTRM-Kids | 30 | Kids devices |
| XTRM-Guest | 40 | Guest access |
---
## Device Assignments
### VLAN 10 - Secure
| Device | Current IP | New IP |
|--------|------------|--------|
| XTRM-U/N5 | 192.168.31.2 | 192.168.10.2 |
| Nobara PC | 192.168.31.95 | 192.168.10.10 |
| MacBook | 192.168.31.99 | 192.168.10.15 |
| S25 Ultra | 192.168.31.98 | 192.168.10.20 |
### VLAN 20 - IoT
| Device | Current IP | New IP |
|--------|------------|--------|
| Home Assistant | 192.168.31.102 | 192.168.20.2 |
| Chromecast | 192.168.31.134 | 192.168.20.10 |
| Roborock S7 | 192.168.31.104 | 192.168.20.11 |
| Reolink Doorbell | 192.168.31.68 | 192.168.20.13 |
| HP Printer | 192.168.31.19 | 192.168.20.20 |
### VLAN 30 - Kids
| Device | Current IP | New IP |
|--------|------------|--------|
| Nora MacBook | 192.168.31.79 | 192.168.30.10 |
| Kimi Notebook | 192.168.31.108 | 192.168.30.11 |
| Dancho iPhone | 192.168.31.114 | 192.168.30.13 |
---
## Cross-VLAN Access Requirements

RouterOS evaluates the forward chain top to bottom, so these accept rules must sit above the catch-all inter-VLAN drop rule; return traffic for the flows they open is handled by the usual `connection-state=established,related` accept.
### S25 → Chromecast (Casting)
```routeros
/ip/firewall/filter add chain=forward \
src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
dst-port=8008,8009,8443 protocol=tcp action=accept
```
### Secure → Home Assistant
```routeros
/ip/firewall/filter add chain=forward \
src-address=192.168.10.0/24 dst-address=192.168.20.2 \
dst-port=8123 protocol=tcp action=accept
```
### mDNS Reflector (Device Discovery)
```routeros
/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20
```
---
## Implementation Steps
### Phase 1: Router (HAP1)
1. Create VLAN interfaces
2. Assign IP addresses
3. Create DHCP servers per VLAN
4. Configure firewall rules
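Phase 1 spelled out as a RouterOS v7 configuration. This is an added example, not the project's own export; it also carries the two cross-VLAN accept rules from the section above, placed where they must go relative to the default drop. Assumed names (none are on the page): the bridge is called `bridge`, `ether1` is the WAN uplink, `ether2` is the trunk towards the CSS326, the interface lists are `LAN`/`WAN`, and the pool/DHCP-server names are invented; the MAC address in the reservation is a placeholder.

```routeros
# Added example (not from the original plan): Phase 1 on HAP1, RouterOS v7 syntax.
# Assumptions: bridge is named "bridge", ether1 = WAN uplink, ether2 = trunk to the
# CSS326, and the 192.168.31.1 management address already lives on "bridge".

# 1. VLAN interfaces on top of the bridge, plus the bridge VLAN table.
#    The bridge itself must be a tagged member of every VLAN, otherwise the
#    router's own vlanXX interfaces see nothing once filtering is switched on.
/interface/vlan
add name=vlan10 vlan-id=10 interface=bridge comment="Secure"
add name=vlan20 vlan-id=20 interface=bridge comment="IoT"
add name=vlan30 vlan-id=30 interface=bridge comment="Kids"
add name=vlan40 vlan-id=40 interface=bridge comment="Guest"
/interface/bridge/vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether2
add bridge=bridge vlan-ids=20 tagged=bridge,ether2
add bridge=bridge vlan-ids=30 tagged=bridge,ether2
add bridge=bridge vlan-ids=40 tagged=bridge,ether2

# 2. Gateway address per VLAN (values from the Proposed VLANs table).
/ip/address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30
add address=192.168.40.1/24 interface=vlan40

# 3. One DHCP server per VLAN. Dynamic ranges start at .100 so the static
#    addresses in the Device Assignments tables can never collide with a lease.
/ip/pool
add name=pool10 ranges=192.168.10.100-192.168.10.254
add name=pool20 ranges=192.168.20.100-192.168.20.254
add name=pool30 ranges=192.168.30.100-192.168.30.254
add name=pool40 ranges=192.168.40.100-192.168.40.254
/ip/dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 lease-time=1d
add name=dhcp20 interface=vlan20 address-pool=pool20 lease-time=1d
add name=dhcp30 interface=vlan30 address-pool=pool30 lease-time=1d
add name=dhcp40 interface=vlan40 address-pool=pool40 lease-time=1d
/ip/dhcp-server/network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.40.1
# Reservation for one device from the VLAN 20 table; the MAC is a placeholder.
/ip/dhcp-server/lease
add server=dhcp20 address=192.168.20.2 mac-address=02:00:00:00:00:01 comment="Home Assistant"

# 4. Firewall. The forward chain is evaluated top to bottom, so the two
#    cross-VLAN accept rules must come before the catch-all inter-VLAN drop.
/interface/list
add name=LAN
add name=WAN
/interface/list/member
add list=WAN interface=ether1
add list=LAN interface=vlan10
add list=LAN interface=vlan20
add list=LAN interface=vlan30
add list=LAN interface=vlan40
/ip/firewall/filter
add chain=forward action=accept connection-state=established,related comment="replies to allowed flows"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.20.0/24 dst-port=8008,8009,8443 comment="Secure -> Chromecast (casting)"
add chain=forward action=accept protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.20.2 dst-port=8123 comment="Secure -> Home Assistant"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="every VLAN may reach the internet"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN comment="default: no inter-VLAN traffic"

# Last, and only after the bridge VLAN table above exists: turn filtering on.
# The command in the Rollback section is the exact inverse of this line.
/interface/bridge/set bridge vlan-filtering=yes
```

Apply the final `vlan-filtering=yes` from the console session named in the Prerequisites, not over a VLAN you are about to re-tag; if the bridge VLAN table is incomplete at that moment the management address becomes unreachable, which is exactly the lockout the serial access is there for. Router-side service exposure per VLAN (the `input` chain: DNS and DHCP for every VLAN, Winbox/SSH only from VLAN 10) is a separate step this example does not cover.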
### Phase 2: Switch (CSS326)
1. Enable VLAN mode in SwOS
2. Configure trunk port (to HAP1)
3. Assign access VLANs to ports
4. Set PVIDs
### Phase 3: WiFi (CAPsMAN)
1. Create VLAN-tagged SSIDs
2. Update provisioning rules
3. Apply to CAP
---
## Risks
| Risk | Impact | Mitigation |
|------|--------|------------|
| All devices lose connectivity | HIGH | Schedule maintenance window |
| Docker br0 containers break | MEDIUM | Reconfigure macvlan |
| Static IPs need updating | LOW | Pre-configure DHCP reservations |
---
## Rollback

Disable VLAN filtering immediately. With filtering off the bridge ignores tags and forwards all ports as one flat segment again, so the router is reachable at 192.168.31.1 from any port; the VLAN interfaces, addresses and firewall rules stay configured for a second attempt:

```routeros
/interface/bridge/set bridge vlan-filtering=no
```
---
## Prerequisites
- [ ] Map CSS326 switch ports to devices
- [ ] Backup MikroTik config
- [ ] Schedule maintenance window (30-60 min)
- [ ] Decide WiFi passwords for new SSIDs
- [ ] Console/serial access to router (in case of lockout)
---
## References
- Full planning document: `archive/10-VLAN-NETWORK-SEGMENTATION.md`
- Device inventory: `archive/11-NETWORK-ASSET-INVENTORY.md`