infrastructure/scripts/mikrotik-vlan-setup.rsc
XTRM-Unraid 84b3952891
Add VLAN implementation documentation and scripts
- docs/11-VLAN-IMPLEMENTATION.md: Complete VLAN setup documentation
- scripts/mikrotik-vlan-setup.rsc: Full VLAN configuration script
- scripts/mikrotik-vlan-enable.rsc: VLAN filtering activation script

VLAN configuration is prepared but NOT YET ACTIVE.
Requires CSS326 switch configuration before enabling VLAN filtering.

VLANs configured:
- VLAN 1: Legacy (192.168.31.0/24)
- VLAN 10: Management (192.168.10.0/24)
- VLAN 20: Trusted (192.168.20.0/24)
- VLAN 30: IoT (192.168.30.0/24)
- VLAN 35: Cameras (192.168.35.0/24)
- VLAN 40: Servers (192.168.40.0/24)
- VLAN 50: Guest (192.168.50.0/24)
2026-01-25 16:20:59 +02:00


# MikroTik VLAN Setup Script
# Run this once to configure VLAN infrastructure
# NOTE: Does NOT enable VLAN filtering - see mikrotik-vlan-enable.rsc
# Not idempotent: every statement is an "add". RouterOS rejects duplicate
# interface/pool/address entries on a second run, but firewall rules would
# simply be appended a second time - check before re-applying.
# Sections are ordered by dependency: VLAN interfaces -> addresses -> pools
# -> DHCP servers/networks -> bridge VLAN table -> address lists -> filter rules.
# ===========================================
# VLAN Interfaces
# ===========================================
# One 802.1Q sub-interface per VLAN, parented on the bridge. These are the
# router's L3 presence in each VLAN; for frames to reach them, "bridge" must
# be a tagged member of each VLAN in the /interface bridge vlan table below.
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10 comment="Management VLAN"
add interface=bridge name=vlan20-trusted vlan-id=20 comment="Trusted VLAN"
add interface=bridge name=vlan30-iot vlan-id=30 comment="IoT VLAN"
add interface=bridge name=vlan35-cameras vlan-id=35 comment="Cameras VLAN"
add interface=bridge name=vlan40-servers vlan-id=40 comment="Servers VLAN"
add interface=bridge name=vlan50-guest vlan-id=50 comment="Guest VLAN"
# ===========================================
# IP Addresses for VLANs
# ===========================================
# The router takes .1 of each /24 as the VLAN gateway (matches the "gateway="
# values handed out in the DHCP network section below).
# The legacy network 192.168.31.0/24 is not configured here - presumably it
# already lives on the bridge itself; the DHCP and firewall sections assume
# 192.168.31.1 stays reachable.
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt comment="Management VLAN"
add address=192.168.20.1/24 interface=vlan20-trusted comment="Trusted VLAN"
add address=192.168.30.1/24 interface=vlan30-iot comment="IoT VLAN"
add address=192.168.35.1/24 interface=vlan35-cameras comment="Cameras VLAN"
add address=192.168.40.1/24 interface=vlan40-servers comment="Servers VLAN"
add address=192.168.50.1/24 interface=vlan50-guest comment="Guest VLAN"
# ===========================================
# DHCP Pools
# ===========================================
# Dynamic ranges start at .100 in every VLAN, so .2-.99 are outside the pool
# and free for static assignment or DHCP reservations. Cameras and Servers get
# the smallest ranges (.100-.150); Trusted, IoT and Guest the largest (.100-.220).
/ip pool
add name=pool-mgmt ranges=192.168.10.100-192.168.10.200
add name=pool-trusted ranges=192.168.20.100-192.168.20.220
add name=pool-iot ranges=192.168.30.100-192.168.30.220
add name=pool-cameras ranges=192.168.35.100-192.168.35.150
add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.220
<<<<<<< doc
# ===========================================
# DHCP Servers
# ===========================================
# One DHCP server per VLAN interface, bound to the pool created above. All
# internal VLANs use a 30-minute lease; Guest deliberately differs with 4h.
# Only lease-time is set here - everything else (authoritative mode, options)
# is left at RouterOS defaults.
/ip dhcp-server
add name=dhcp-mgmt interface=vlan10-mgmt address-pool=pool-mgmt lease-time=30m
add name=dhcp-trusted interface=vlan20-trusted address-pool=pool-trusted lease-time=30m
add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot lease-time=30m
add name=dhcp-cameras interface=vlan35-cameras address-pool=pool-cameras lease-time=30m
add name=dhcp-servers interface=vlan40-servers address-pool=pool-servers lease-time=30m
add name=dhcp-guest interface=vlan50-guest address-pool=pool-guest lease-time=4h
# ===========================================
# DHCP Networks
# ===========================================
# Per-subnet options: gateway is the VLAN's own .1 address, but the resolver
# advertised to EVERY VLAN is 192.168.31.1 in the legacy network (presumably
# the router's legacy-VLAN address - not configured in this script).
# Consequence for the isolated VLANs (IoT, Cameras, Guest): name resolution
# only works because the firewall section below explicitly opens port 53 to
# 192.168.31.1 ahead of the drop rules. Cameras and Guest are opened for UDP
# only there, so TCP fallback for large responses will fail for them.
# NOTE(review): advertising each VLAN's own gateway as dns-server instead would
# avoid the cross-VLAN hole entirely if the router answers DNS on all VLAN
# interfaces - confirm before changing.
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.31.1 comment="Management VLAN"
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.31.1 comment="Trusted VLAN"
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.1 comment="IoT VLAN"
add address=192.168.35.0/24 gateway=192.168.35.1 dns-server=192.168.31.1 comment="Cameras VLAN"
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.31.1 comment="Servers VLAN"
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.31.1 comment="Guest VLAN"
# ===========================================
# Bridge VLAN Table
# ===========================================
# Static VLAN membership for the bridge. This table has no effect until
# vlan-filtering is enabled (done by mikrotik-vlan-enable.rsc, not here).
# - eth3_CSS326_Uplink is the trunk: tagged in every VLAN, 1 through 50.
# - "bridge" (the CPU port) is tagged in every VLAN so the vlan* interfaces
#   above receive their traffic.
# - VLAN 1 (legacy) is the only VLAN reaching eth2 (CAPac), eth4 (ZX switch)
#   and ether5, untagged - those ports are assumed to keep the default pvid=1.
# - VLAN 20 is untagged on both wifi interfaces (pvid set in the next section).
# NOTE(review): "bridge" is listed as tagged for VLAN 1. If 192.168.31.1 is
# assigned directly to the bridge interface (bridge pvid 1, untagged), this
# static entry will override the dynamic untagged one and the legacy address
# may stop responding once filtering is turned on - confirm before enabling.
/interface bridge vlan
add bridge=bridge vlan-ids=1 tagged=bridge,eth3_CSS326_Uplink untagged=eth2_CAPac_Uplink,eth4_ZX-SWTGW218AS_Uplink,ether5 comment="Legacy VLAN"
add bridge=bridge vlan-ids=10 tagged=bridge,eth3_CSS326_Uplink comment="Management VLAN"
add bridge=bridge vlan-ids=20 tagged=bridge,eth3_CSS326_Uplink untagged=hap-wifi1,hap-wifi2 comment="Trusted VLAN"
add bridge=bridge vlan-ids=30 tagged=bridge,eth3_CSS326_Uplink comment="IoT VLAN"
add bridge=bridge vlan-ids=35 tagged=bridge,eth3_CSS326_Uplink comment="Cameras VLAN"
add bridge=bridge vlan-ids=40 tagged=bridge,eth3_CSS326_Uplink comment="Servers VLAN"
add bridge=bridge vlan-ids=50 tagged=bridge,eth3_CSS326_Uplink comment="Guest VLAN"
# ===========================================
# Bridge Port PVIDs
# ===========================================
# Untagged frames from the wifi clients are placed into VLAN 20 (Trusted),
# matching the untagged membership declared above. Only the two wifi ports
# are touched; every other port keeps its current pvid.
# "set [find ...]" is silently a no-op if the interface is not a bridge port -
# verify with "/interface bridge port print" after running.
# NOTE(review): these are access ports facing client devices. As written they
# still accept 802.1Q-tagged frames from clients, which lets a client choose
# any VLAN present on the bridge. Consider adding
# frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# to both "set" lines when filtering is enabled - confirm it suits the wifi driver.
/interface bridge port
set [find interface=hap-wifi1] pvid=20
set [find interface=hap-wifi2] pvid=20
# ===========================================
# Firewall Address Lists
# ===========================================
# Matching primitives for the filter rules below: one list per VLAN plus
# "all-vlans", which is the union of all seven networks INCLUDING the legacy
# 192.168.31.0/24. Any drop against all-vlans therefore also covers legacy.
# When a VLAN is added later it must be appended both to its own list and
# to all-vlans, or the "to internal" drops will leave it reachable.
/ip firewall address-list
add list=vlan-mgmt address=192.168.10.0/24
add list=vlan-trusted address=192.168.20.0/24
add list=vlan-iot address=192.168.30.0/24
add list=vlan-cameras address=192.168.35.0/24
add list=vlan-servers address=192.168.40.0/24
add list=vlan-guest address=192.168.50.0/24
add list=vlan-legacy address=192.168.31.0/24
add list=all-vlans address=192.168.10.0/24
add list=all-vlans address=192.168.20.0/24
add list=all-vlans address=192.168.30.0/24
add list=all-vlans address=192.168.35.0/24
add list=all-vlans address=192.168.40.0/24
add list=all-vlans address=192.168.50.0/24
add list=all-vlans address=192.168.31.0/24
# ===========================================
# Inter-VLAN Firewall Rules
# ===========================================
# The forward chain is evaluated top-down, first match wins, and "add" appends
# each rule to the END of whatever chain already exists. Whether these rules
# are ever reached depends on what precedes them: an earlier blanket accept or
# drop for LAN-to-LAN traffic would shadow them - check with
# "/ip firewall filter print" after applying.
# NOTE(review): the drop rules below are stateless; they will also drop reply
# packets (e.g. camera RTSP answers back to Trusted) unless an accept for
# connection-state=established,related sits earlier in the chain. That rule is
# not part of this script - confirm it exists.
# The input chain (isolated VLANs reaching the router's own services) is not
# covered here at all.
/ip firewall filter
# Allow rules
# Mgmt and Legacy get unrestricted access to every VLAN, including each other.
add chain=forward action=accept src-address-list=vlan-mgmt dst-address-list=all-vlans comment="VLAN: Mgmt to All"
add chain=forward action=accept src-address-list=vlan-legacy dst-address-list=all-vlans comment="VLAN: Legacy to All"
# Trusted: full access to IoT, Servers and Legacy; Cameras only on the listed
# HTTP/RTSP TCP ports (UDP media streams are not allowed by this rule).
# Trusted -> Mgmt is neither accepted nor dropped here and falls through.
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-iot comment="VLAN: Trusted to IoT"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-cameras dst-port=80,443,554,8080,8554 protocol=tcp comment="VLAN: Trusted to Cameras (view)"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-servers comment="VLAN: Trusted to Servers"
add chain=forward action=accept src-address-list=vlan-trusted dst-address-list=vlan-legacy comment="VLAN: Trusted to Legacy"
# DNS access for isolated VLANs
# Pinhole to the DHCP-advertised resolver 192.168.31.1 (legacy VLAN), placed
# before the drops below. IoT gets UDP and TCP 53; Cameras and Guest get UDP
# only, so TCP fallback for truncated responses fails for them - presumably
# unintended given the IoT pair; add matching protocol=tcp rules if so.
add chain=forward action=accept src-address-list=vlan-iot dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: IoT to DNS"
add chain=forward action=accept src-address-list=vlan-iot dst-address=192.168.31.1 dst-port=53 protocol=tcp comment="VLAN: IoT to DNS TCP"
add chain=forward action=accept src-address-list=vlan-cameras dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: Cameras to DNS"
add chain=forward action=accept src-address-list=vlan-guest dst-address=192.168.31.1 dst-port=53 protocol=udp comment="VLAN: Guest to DNS"
# Block rules
# Guest and Cameras are cut off from every internal network (all-vlans includes
# legacy). IoT is only dropped toward Mgmt and Trusted; IoT -> Servers, Cameras
# and Legacy is not decided here and falls through to the rest of the chain.
add chain=forward action=drop src-address-list=vlan-guest dst-address-list=all-vlans comment="VLAN: Block Guest to internal"
add chain=forward action=drop src-address-list=vlan-cameras dst-address-list=all-vlans comment="VLAN: Block Cameras to VLANs"
add chain=forward action=drop src-address-list=vlan-iot dst-address-list=vlan-mgmt comment="VLAN: Block IoT to Mgmt"
add chain=forward action=drop src-address-list=vlan-iot dst-address-list=vlan-trusted comment="VLAN: Block IoT to Trusted"