infrastructure/docs/archive/VLAN-SEGMENTATION.md
Kaloyan Danchev ec9659d0cb
Restructure docs: archive VLAN migration, update IPs to VLAN 10
Major documentation cleanup after VLAN migration completion:
- Archive 12 VLAN project docs to archive/vlan-migration/
- Archive 5 done WIP docs (VLAN proposals, AI stack, Fossorial, DNS backup)
- Create standing reference docs 08-DNS-ARCHITECTURE and 09-TAILSCALE-VPN
- Renumber docs to clean 01-09 sequence with merged CHANGELOG
- Update all active docs from stale 192.168.31.x to current VLAN 10 IPs
- Fix CSS1 (.10.9→.10.3) and ZX1 (.10.7→.10.4) IPs in hardware inventory
- Clean 06-VLAN-DEVICE-ASSIGNMENT: remove migration columns/sections, fix VLAN 25 subnet

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 12:45:16 +02:00


VLAN Network Segmentation

Status: 📋 PLANNED | Priority: Medium | Risk: HIGH (network disruption during implementation)


Overview

Segment the flat 192.168.31.0/24 network into VLANs so that IoT, kids' and guest devices cannot reach trusted devices and servers except through explicitly allowed firewall rules.


Proposed VLANs

| VLAN | Name | Subnet | Gateway | Purpose |
|---|---|---|---|---|
| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Infrastructure devices only |
| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers |
| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras |
| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices |
| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi |

WiFi SSID Mapping

| SSID | VLAN | Purpose |
|---|---|---|
| XTRM | 10 | Primary (trusted devices) |
| XTRM-IoT | 20 | IoT devices |
| XTRM-Kids | 30 | Kids devices |
| XTRM-Guest | 40 | Guest access |

Device Assignments

VLAN 10 - Secure

| Device | Current IP | New IP |
|---|---|---|
| XTRM-U/N5 | 192.168.31.2 | 192.168.10.2 |
| Nobara PC | 192.168.31.95 | 192.168.10.10 |
| MacBook | 192.168.31.99 | 192.168.10.15 |
| S25 Ultra | 192.168.31.98 | 192.168.10.20 |

VLAN 20 - IoT

| Device | Current IP | New IP |
|---|---|---|
| Home Assistant | 192.168.31.102 | 192.168.20.2 |
| Chromecast | 192.168.31.134 | 192.168.20.10 |
| Roborock S7 | 192.168.31.104 | 192.168.20.11 |
| Reolink Doorbell | 192.168.31.68 | 192.168.20.13 |
| HP Printer | 192.168.31.19 | 192.168.20.20 |

VLAN 30 - Kids

| Device | Current IP | New IP |
|---|---|---|
| Nora MacBook | 192.168.31.79 | 192.168.30.10 |
| Kimi Notebook | 192.168.31.108 | 192.168.30.11 |
| Dancho iPhone | 192.168.31.114 | 192.168.30.13 |

Cross-VLAN Access Requirements

S25 → Chromecast (Casting)

Cast discovery runs over mDNS (see the repeater below); the session itself is TCP from the phone to the Chromecast on 8008 (HTTP), 8009 (TLS control channel) and 8443. The rule must sit above the inter-VLAN drop rule, and the Chromecast's replies rely on the usual established,related accept at the top of the forward chain:

/ip/firewall/filter add chain=forward \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    dst-port=8008,8009,8443 protocol=tcp action=accept \
    comment="Secure -> Chromecast (cast control)"

Secure → Home Assistant

Only the Home Assistant host (192.168.20.2) on its web UI port is exposed; the rest of the IoT VLAN stays unreachable from VLAN 10:

/ip/firewall/filter add chain=forward \
    src-address=192.168.10.0/24 dst-address=192.168.20.2 \
    dst-port=8123 protocol=tcp action=accept \
    comment="Secure -> Home Assistant web UI"

mDNS Reflector (Device Discovery)

The built-in repeater (RouterOS 7.16 or newer) re-sends multicast DNS between the listed interfaces so that the Chromecast and Home Assistant are discoverable from VLAN 10. It only carries discovery; the unicast session that follows still needs the forward rules above.

/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20

Implementation Steps

Phase 1: Router (HAP1)

  1. Create VLAN interfaces
  2. Assign IP addresses
  3. Create DHCP servers per VLAN
  4. Configure firewall rules
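The four Phase 1 steps carried through end to end, as an added example that is not the project's own configuration. It assumes RouterOS 7 on HAP1, a bridge named "bridge", ether2 as the tagged trunk to the CSS326, ether3 as a wired IoT access port, and a placeholder MAC for the Home Assistant reservation; the pool ranges and rule comments are choices made here. It also shows the forward-chain ordering the cross-VLAN rules above depend on.

```routeros
# Added example config for Phase 1, not the project's own. Assumptions:
# RouterOS 7 on HAP1, a bridge named "bridge", ether2 is the tagged trunk to
# the CSS326, ether3 is a wired IoT access port, MAC addresses are placeholders.
# Enter Safe Mode first (Ctrl+X in the terminal) so a dropped session reverts.

# Step 1: VLAN interfaces on top of the bridge (VLAN 1 stays untagged/management)
/interface/vlan
add name=vlan10 vlan-id=10 interface=bridge comment=Secure
add name=vlan20 vlan-id=20 interface=bridge comment=IoT
add name=vlan30 vlan-id=30 interface=bridge comment=Kids
add name=vlan40 vlan-id=40 interface=bridge comment=Guest

# Bridge VLAN table: "bridge" itself is a tagged member so the router's L3
# interfaces see each VLAN; ether2 carries all four tagged to the switch.
/interface/bridge/vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 vlan-ids=40
# A wired access port: untagged frames arriving on ether3 land in VLAN 20
/interface/bridge/port
set [find interface=ether3] pvid=20
/interface/bridge/vlan
set [find vlan-ids=20] untagged=ether3

# Step 2: gateway addresses, one per VLAN
/ip/address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30
add address=192.168.40.1/24 interface=vlan40

# Step 3: DHCP per VLAN; fixed devices get reservations instead of static IPs
/ip/pool
add name=pool10 ranges=192.168.10.100-192.168.10.254
add name=pool20 ranges=192.168.20.100-192.168.20.254
add name=pool30 ranges=192.168.30.100-192.168.30.254
add name=pool40 ranges=192.168.40.100-192.168.40.254
/ip/dhcp-server/network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.40.1
/ip/dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20 address-pool=pool20 disabled=no
add name=dhcp30 interface=vlan30 address-pool=pool30 disabled=no
add name=dhcp40 interface=vlan40 address-pool=pool40 disabled=no
/ip/dhcp-server/lease
add server=dhcp20 address=192.168.20.2 mac-address=02:00:00:00:00:01 \
    comment="Home Assistant (placeholder MAC)"

# Step 4: forward chain. Order matters: stateful return traffic first, then
# the explicit exceptions, then a catch-all drop between LAN VLANs. Internet
# traffic is unaffected because its out-interface is not in the list.
/interface/list
add name=LAN-VLANS
/interface/list/member
add list=LAN-VLANS interface=vlan10
add list=LAN-VLANS interface=vlan20
add list=LAN-VLANS interface=vlan30
add list=LAN-VLANS interface=vlan40
/ip/firewall/filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for allowed sessions"
add chain=forward connection-state=invalid action=drop
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    protocol=tcp dst-port=8008,8009,8443 action=accept comment="Secure -> Chromecast"
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.2 \
    protocol=tcp dst-port=8123 action=accept comment="Secure -> Home Assistant"
add chain=forward in-interface-list=LAN-VLANS out-interface-list=LAN-VLANS \
    action=drop comment="block all other inter-VLAN traffic"

# Turn filtering on last: nothing in the bridge VLAN table takes effect until it is.
/interface/bridge
set bridge vlan-filtering=yes
```

The input chain is not shown: each VLAN still needs DHCP and DNS to the router itself, which on a default RouterOS config means adding the vlan interfaces to the LAN interface list that the default input rules accept from. Verify before leaving Safe Mode with `/interface/bridge/vlan print` (ether2 and bridge tagged on all four VLANs) and `/ip/firewall/filter print` (the drop rule last among the LAN rules).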

Phase 2: Switch (CSS326)

  1. Enable VLAN mode in SwOS
  2. Configure trunk port (to HAP1)
  3. Assign access VLANs to ports
  4. Set PVIDs

Phase 3: WiFi (CAPsMAN)

  1. Create VLAN-tagged SSIDs
  2. Update provisioning rules
  3. Apply to CAP

Risks

| Risk | Impact | Mitigation |
|---|---|---|
| All devices lose connectivity | HIGH | Schedule maintenance window |
| Docker br0 containers break | MEDIUM | Reconfigure macvlan |
| Static IPs need updating | LOW | Pre-configure DHCP reservations |

Rollback

Disable VLAN filtering immediately to re-flatten the bridge:

/interface/bridge/set bridge vlan-filtering=no

This restores Layer 2 only: the VLAN interfaces, gateway addresses and per-VLAN DHCP servers stay in place, so devices already moved to 192.168.x0.x addresses may still be on the wrong subnet until the pre-migration backup is restored. Make the changes from Safe Mode (Ctrl+X in the RouterOS terminal) so that a lost session reverts them automatically.

Prerequisites

  • Map CSS326 switch ports to devices
  • Backup MikroTik config
  • Schedule maintenance window (30-60 min)
  • Decide WiFi passwords for new SSIDs
  • Console/serial access to router (in case of lockout)

References

  • Full planning document: archive/10-VLAN-NETWORK-SEGMENTATION.md
  • Device inventory: archive/11-NETWORK-ASSET-INVENTORY.md