infrastructure/docs/10-VLAN-NETWORK-SEGMENTATION.md
jazzymc 72d4f52637
Add VLAN segmentation plan and CSS326 switch documentation
- Created 10-VLAN-NETWORK-SEGMENTATION.md with full VLAN plan
- Added CSS326-24G-2S+ SwOS switch to 00-CURRENT-STATE.md
- Documented switch credentials and web UI access
- Proposed 4 VLANs: Secure (10), IoT (20), Kids (30), Guest (40)
- Included cross-VLAN solution for S25 accessing IoT devices
- Added SwOS configuration steps for port VLAN assignments

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-18 22:20:17 +02:00


# VLAN Network Segmentation Plan

**Document Created:** 2026-01-18

**Status:** PLANNING

---
## Current Network Analysis
### Network Devices
| Device | IP | Role |
|--------|-----|------|
| MikroTik hAP ax³ | 192.168.31.1 | Router, CAPsMAN, VLAN gateway |
| CSS326-24G-2S+ | 192.168.31.9 | Managed switch (24 port + 2 SFP) |
| cAP ac | 192.168.31.6 | Managed AP (CAPsMAN) |
### Current Device Inventory
**Secure Devices (should be isolated):**
| Device | IP | MAC | Notes |
|--------|-----|-----|-------|
| Unraid Server | 192.168.31.2 | - | Main server |
| Nobara PC (LAN) | 192.168.31.95 | 08:92:04:C6:07:C5 | xtrm-pc via Dell KVM |
| Nobara PC (WiFi) | 192.168.31.142 | 22:4C:7F:1D:85:8E | xtrm-pc |
| Game Machine | 192.168.31.97 | 1C:83:41:32:F3:AF | xtrm-pc |
| Kaloyan MacBook (WiFi) | 192.168.31.99 | 82:EC:EF:B5:F2:AF | Mac |
| Kaloyan S25 Ultra | 192.168.31.98 | AA:ED:8B:2A:40:F1 | S25-Ultra |
| Unraid KVM | 192.168.31.20 | 48:DA:35:6F:BE:50 | KVM access |
**IoT Devices:**
| Device | IP | MAC | Notes |
|--------|-----|-----|-------|
| Home Assistant | 192.168.31.102 | AC:87:A3:77:8F:BD | Smart home hub |
| Chromecast | 192.168.31.134 | D0:E7:82:F7:65:DD | Streaming |
| Roborock S7 | 192.168.31.104 | B0:4A:39:3F:9A:14 | Vacuum |
| Bosch Smart Oven | 192.168.31.105 | 94:27:70:1E:0C:EE | Kitchen |
| Reolink Doorbell | 192.168.31.68 | 48:9E:9D:0E:16:F7 | Security |
| HP LaserJet | 192.168.31.19 | 64:4E:D7:D8:43:3E | Printer |
| Unknown IoT 1 | 192.168.31.109 | D0:C9:07:92:1A:8E | Tuya? |
| Unknown IoT 2 | 192.168.31.110 | D0:C9:07:8C:C9:46 | Tuya? |
| Unknown IoT 3 | 192.168.31.113 | 38:1F:8D:04:6F:E4 | Tuya? |
| Unknown IoT 4 | 192.168.31.149 | D4:AD:FC:BE:13:B0 | Smart device? |
| lwip0 devices | 192.168.31.100-101 | 38:A5:C9:44:7B:xx | ESP/Tuya |
**Kids/Guest Devices:**
| Device | IP | MAC | Notes |
|--------|-----|-----|-------|
| Nora MacBook | 192.168.31.79 | 82:6D:FB:D9:E0:47 | MacBookAir |
| Kimi Notebook | 192.168.31.108 | 90:91:64:70:0D:86 | Kimi-Notebook |
| Kimi iPhone | 192.168.31.121 | 2A:2B:BA:86:D4:AF | iPhone |
| Dancho iPhone | 192.168.31.114 | F2:B8:14:61:C8:27 | iPhone |
| Compusbg iPad | 192.168.31.107 | A4:D1:D2:7B:52:BE | iPad |
---
## Proposed VLAN Architecture
### VLAN Assignments
| VLAN ID | Name | Subnet | Gateway | Purpose |
|---------|------|--------|---------|---------|
| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Network infrastructure only |
| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers |
| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras, IoT |
| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices |
| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi |
### WiFi SSID to VLAN Mapping
| SSID | VLAN | Security | Purpose |
|------|------|----------|---------|
| XTRM | 10 (Secure) | WPA2/WPA3 | Main network for trusted devices |
| XTRM-IoT | 20 (IoT) | WPA2 | IoT devices |
| XTRM-Kids | 30 (Kids) | WPA2 | Kids devices |
| XTRM-Guest | 40 (Guest) | WPA2 | Guest access |
---
## The S25 Challenge: Cross-VLAN Access
### Requirements
Your S25 needs to:
1. Be in Secure VLAN (192.168.10.x) for server management
2. Discover and cast to Chromecast (IoT VLAN)
3. Control Tuya smart devices
4. Access Home Assistant
### Solution Architecture
```
┌──────────────────────────────────────────────────────┐
│                   VLAN 10 (Secure)                   │
│  ┌────────┐  ┌────────┐  ┌─────────┐  ┌───────────┐  │
│  │ Unraid │  │ Nobara │  │ MacBook │  │ S25 Ultra │  │
│  │ Server │  │   PC   │  │         │  │           │  │
│  └────┬───┘  └────┬───┘  └────┬────┘  └─────┬─────┘  │
└───────┼───────────┼───────────┼─────────────┼────────┘
        │           │           │             │
        └───────────┴─────┬─────┴─────────────┘
                          │  Firewall rules +
                          │  mDNS reflector
                          ▼
┌──────────────────────────────────────────────────────┐
│                    VLAN 20 (IoT)                     │
│  ┌───────────┐ ┌─────────┐ ┌────────┐ ┌──────────┐   │
│  │   Home    │ │ Printer │ │Chromec.│ │ Roborock │   │
│  │ Assistant │ │         │ │   TV   │ │    S7    │   │
│  └─────┬─────┘ └─────────┘ └────────┘ └──────────┘   │
│        │  ┌──────────────┐                           │
│        └─►│ Tuya devices │  HA controls all IoT      │
│           └──────────────┘  locally                  │
└──────────────────────────────────────────────────────┘
HA manages IoT locally and is reachable from the Secure VLAN
```
### Cross-VLAN Solutions
#### 1. Home Assistant as IoT Bridge (Recommended)
- Home Assistant stays in **IoT VLAN** (can directly communicate with IoT devices)
- Firewall allows Secure VLAN → Home Assistant (port 8123)
- S25 controls everything through Home Assistant UI
- No direct IoT access from S25, but full control via HA
#### 2. mDNS Reflector for Chromecast Discovery
MikroTik can repeat mDNS between VLANs (the mDNS repeater in recent RouterOS 7 releases):
```
# Interface names must match the VLAN interfaces created in Phase 1
/ip/dns/set mdns-repeat-ifaces=vlan10-secure,vlan20-iot
```
This lets the S25 discover the Chromecast; the cast session itself still needs the forward rules in the next section.
#### 3. Firewall Rules for Casting
Allow specific traffic from Secure → IoT:
```
# Chromecast control/casting ports (TCP) and the UDP range used for media streams
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 \
dst-address=192.168.20.0/24 dst-port=8008,8009,8443 protocol=tcp action=accept
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 \
dst-address=192.168.20.0/24 dst-port=32768-61000 protocol=udp action=accept
# Allow Home Assistant access (192.168.20.2 is HA's reserved address in the new IoT subnet)
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 \
dst-address=192.168.20.2 dst-port=8123 protocol=tcp action=accept
# Rules match top-down: these accept rules must sit above the inter-VLAN drop rule of Phase 5
```
#### 4. Tuya Devices (Cloud-Based)
Tuya devices talk to their cloud service, so they work from any VLAN with internet access; no special rules are needed.

---
## Implementation Plan
### Phase 1: Router Configuration
#### 1.1 Create VLAN Interfaces
```
/interface/vlan/add name=vlan10-secure interface=bridge vlan-id=10
/interface/vlan/add name=vlan20-iot interface=bridge vlan-id=20
/interface/vlan/add name=vlan30-kids interface=bridge vlan-id=30
/interface/vlan/add name=vlan40-guest interface=bridge vlan-id=40
```
#### 1.2 Assign IP Addresses
```
/ip/address/add address=192.168.10.1/24 interface=vlan10-secure
/ip/address/add address=192.168.20.1/24 interface=vlan20-iot
/ip/address/add address=192.168.30.1/24 interface=vlan30-kids
/ip/address/add address=192.168.40.1/24 interface=vlan40-guest
```
#### 1.3 Create DHCP Servers
```
/ip/pool/add name=pool-secure ranges=192.168.10.100-192.168.10.200
/ip/pool/add name=pool-iot ranges=192.168.20.100-192.168.20.200
/ip/pool/add name=pool-kids ranges=192.168.30.100-192.168.30.200
/ip/pool/add name=pool-guest ranges=192.168.40.100-192.168.40.200
/ip/dhcp-server/add name=dhcp-secure interface=vlan10-secure address-pool=pool-secure
/ip/dhcp-server/add name=dhcp-iot interface=vlan20-iot address-pool=pool-iot
/ip/dhcp-server/add name=dhcp-kids interface=vlan30-kids address-pool=pool-kids
/ip/dhcp-server/add name=dhcp-guest interface=vlan40-guest address-pool=pool-guest
# Pi-hole moves to 192.168.10.4 with the migration (see the static reservations below);
# IoT/Kids/Guest clients can only reach it if a forward rule allowing DNS (53/udp+tcp)
# to that address is placed above the inter-VLAN drop rule in Phase 5
/ip/dhcp-server/network/add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.4
/ip/dhcp-server/network/add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.10.4
/ip/dhcp-server/network/add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.10.4
/ip/dhcp-server/network/add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.10.4
```
### Phase 2: Bridge VLAN Filtering
#### 2.1 Enable VLAN Filtering
```
/interface/bridge/set bridge vlan-filtering=yes
```
#### 2.2 Configure Bridge VLANs
```
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=10
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=20
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=30
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=40
```
### Phase 3: Switch Configuration (CSS326-24G-2S+ SwOS)
**Switch Access:**
- Web UI: http://192.168.31.9/index.html
- Model: CSS326-24G-2S+ (24 Gigabit ports + 2 SFP)
- OS: SwOS (MikroTik Switch OS)
- Username: `admin`
- Password: `M0stW4nt3d@xtrm`
#### 3.1 SwOS VLAN Configuration
Access the switch at http://192.168.31.9 and configure:
**Step 1: Enable VLAN Mode**
- Go to **VLAN** tab
- Set VLAN Mode to **Enabled**
**Step 2: Create VLANs**
| VLAN ID | Name |
|---------|------|
| 1 | Management |
| 10 | Secure |
| 20 | IoT |
| 30 | Kids |
| 40 | Guest |
**Step 3: Port VLAN Assignments**
| Port | Device | VLAN Mode | VLAN ID | Tagged VLANs |
|------|--------|-----------|---------|--------------|
| 1 | Uplink to hAP ax³ | Trunk | 1 | 10,20,30,40 |
| 2 | Unraid Server | Access | 10 | - |
| 3 | Nobara PC (LAN) | Access | 10 | - |
| 4 | Game Machine | Access | 10 | - |
| 5-8 | Reserved Secure | Access | 10 | - |
| 9-16 | IoT Devices | Access | 20 | - |
| 17-20 | Kids Devices | Access | 30 | - |
| 21-24 | Guest/Unused | Access | 40 | - |
| SFP1 | Unused | - | - | - |
| SFP2 | Unused | - | - | - |
**Step 4: PVID Settings**
For each access port, set PVID (Port VLAN ID) to match the access VLAN.
**Step 5: Uplink Port Configuration**
Port 1 (uplink to router) must be configured as a trunk:
- VLAN Receive: Any
- Default VLAN ID: 1
- Tagged VLANs: 10, 20, 30, 40
- Force VLAN ID: No

The same trunk settings apply to whichever port the cAP ac is cabled to, because the Phase 4 SSIDs tag client traffic into VLANs 10-40 and that traffic must reach the router tagged.
#### 3.2 SwOS Web Interface Navigation
```
┌─────────────────────────────────────────────────────┐
│                 CSS326-24G-2S+ SwOS                 │
├─────────────────────────────────────────────────────┤
│ Tabs: Link | VLAN | VLANs | Isolation | Statistics  │
│                                                     │
│ VLAN Tab:                                           │
│ ┌─────┬──────────┬──────┬────────┬─────────┐        │
│ │Port │VLAN Mode │ PVID │ Tagged │ Untagged│        │
│ ├─────┼──────────┼──────┼────────┼─────────┤        │
│ │ 1   │ Trunk    │ 1    │10,20,30│ 1       │        │
│ │ 2   │ Access   │ 10   │ -      │ 10      │        │
│ │ ... │ ...      │ ...  │ ...    │ ...     │        │
│ └─────┴──────────┴──────┴────────┴─────────┘        │
└─────────────────────────────────────────────────────┘
```
#### 3.3 Current Port Mapping (TO BE FILLED)
**Please identify which device is connected to which switch port:**
| Port | Cable Color/Label | Connected Device |
|------|-------------------|------------------|
| 1 | | Uplink to hAP ax³ (eth4_CCS324_Uplink) |
| 2 | | |
| 3 | | |
| 4 | | |
| 5 | | |
| 6 | | |
| 7 | | |
| 8 | | |
| 9 | | |
| 10 | | |
| 11 | | |
| 12 | | |
| ... | | |
> **Note:** You can identify ports by checking the **Link** tab in SwOS - it shows which ports have active links and their speed.
### Phase 4: WiFi VLAN Configuration
#### 4.1 Create WiFi Configurations
```
/interface/wifi/configuration/add name=cfg-secure ssid="XTRM" \
security.authentication-types=wpa2-psk,wpa3-psk \
security.passphrase="M0stW4nt3d@home" \
datapath.bridge=bridge datapath.vlan-id=10
/interface/wifi/configuration/add name=cfg-iot ssid="XTRM-IoT" \
security.authentication-types=wpa2-psk \
security.passphrase="M0stW4nt3d@IoT" \
datapath.bridge=bridge datapath.vlan-id=20
/interface/wifi/configuration/add name=cfg-kids ssid="XTRM-Kids" \
security.authentication-types=wpa2-psk \
security.passphrase="KidsPassword123" \
datapath.bridge=bridge datapath.vlan-id=30
/interface/wifi/configuration/add name=cfg-guest ssid="XTRM-Guest" \
security.authentication-types=wpa2-psk \
security.passphrase="GuestPassword123" \
datapath.bridge=bridge datapath.vlan-id=40
```
### Phase 5: Firewall Rules
#### 5.1 Inter-VLAN Firewall
```
# Rules are matched top-down; any later plain 'add' appends AFTER the drop rule at the end
# Allow established/related
/ip/firewall/filter/add chain=forward connection-state=established,related action=accept
# Secure VLAN can access everything (management)
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 action=accept
# IoT VLAN - Internet only, no inter-VLAN (192.168.0.0/16 covers every VLAN subnet, management included)
/ip/firewall/filter/add chain=forward src-address=192.168.20.0/24 dst-address=!192.168.0.0/16 action=accept
# Kids VLAN - Internet only
/ip/firewall/filter/add chain=forward src-address=192.168.30.0/24 dst-address=!192.168.0.0/16 action=accept
# Guest VLAN - Internet only, strict isolation
/ip/firewall/filter/add chain=forward src-address=192.168.40.0/24 dst-address=!192.168.0.0/16 action=accept
# Drop all other inter-VLAN traffic. Anything the other VLANs need from VLAN 10
# (DNS to Pi-hole, printing for Kids if approved) must be accepted ABOVE this rule
/ip/firewall/filter/add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
```
#### 5.2 Special Rules for Casting/mDNS
```
# These land after the 5.1 drop rule when added later; move them above it
# (/ip/firewall/filter/move) or add them before the drop rule, otherwise they never match
# Allow Secure to access Chromecast (already covered by the Secure->anything rule in 5.1;
# only needed if that broad rule is tightened later)
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 \
dst-address=192.168.20.0/24 dst-port=8008,8009,8443 protocol=tcp action=accept \
comment="Chromecast from Secure"
# mDNS to the router itself, so the repeater from the cross-VLAN section can receive queries
/ip/firewall/filter/add chain=input dst-port=5353 protocol=udp action=accept comment="mDNS"
# mDNS is link-local multicast (224.0.0.251) and is not routed, so this forward rule
# carries no discovery between VLANs; the repeater does that
/ip/firewall/filter/add chain=forward dst-port=5353 protocol=udp action=accept comment="mDNS forward"
```
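To see what the rule order in 5.1 and 5.2 actually permits before touching the router, here is an added Python simulation (not part of the plan or the repository) of first-match evaluation over those forward rules, run against constructed test flows that use the plan's new addresses. Rule semantics are simplified RouterOS (CIDR with `!` negation, protocol, port lists and ranges, no connection-state); it shows that the Secure-to-anything rule already accepts the casting flow, that the appended 5.2 rules sit behind the drop rule, and that a DNS allow for the other VLANs only works when inserted above it.

```python
import ipaddress

def _addr_ok(spec, ip):  # CIDR match; a leading '!' negates, as in dst-address=!192.168.0.0/16
    if spec is None:
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def _port_ok(spec, port):  # RouterOS-style port list or range: '8008,8009,8443', '32768-61000'
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, flow):
    """First match wins; returns (action, rule index). No match falls through to accept."""
    for i, r in enumerate(rules):
        if (_addr_ok(r.get("src"), flow["src"]) and _addr_ok(r.get("dst"), flow["dst"])
                and r.get("proto") in (None, flow["proto"])
                and _port_ok(r.get("dport"), flow["dport"])):
            return r["action"], i
    return "accept", None
# Phase 5.1 followed by 5.2, in the order plain 'add' produces (the established/related
# rule is omitted because every flow below is a new connection).
PLAN_RULES = [
    {"src": "192.168.10.0/24", "action": "accept"},                            # 0 Secure -> anything
    {"src": "192.168.20.0/24", "dst": "!192.168.0.0/16", "action": "accept"},  # 1 IoT -> internet
    {"src": "192.168.30.0/24", "dst": "!192.168.0.0/16", "action": "accept"},  # 2 Kids -> internet
    {"src": "192.168.40.0/24", "dst": "!192.168.0.0/16", "action": "accept"},  # 3 Guest -> internet
    {"src": "192.168.0.0/16", "dst": "192.168.0.0/16", "action": "drop"},      # 4 drop inter-VLAN
    {"src": "192.168.10.0/24", "dst": "192.168.20.0/24", "proto": "tcp", "dport": "8008,8009,8443", "action": "accept"},  # 5
    {"proto": "udp", "dport": "5353", "action": "accept"},                     # 6 mDNS forward
]
# Constructed test flows using the plan's new addresses (S25, printer, HA, Pi-hole).
FLOWS = {
    "s25->chromecast": {"src": "192.168.10.20", "dst": "192.168.20.10", "proto": "tcp", "dport": 8008},
    "kids->printer":   {"src": "192.168.30.11", "dst": "192.168.20.20", "proto": "tcp", "dport": 9100},
    "iot->pihole-dns": {"src": "192.168.20.2", "dst": "192.168.10.4", "proto": "udp", "dport": 53},
    "guest->internet": {"src": "192.168.40.100", "dst": "1.1.1.1", "proto": "tcp", "dport": 443},
}

def decisions(rules=PLAN_RULES):
    return {name: evaluate(rules, flow) for name, flow in FLOWS.items()}

def with_dns_allowed():  # same chain, DNS-to-Pi-hole allow inserted *above* the drop rule (index 4)
    dns = {"dst": "192.168.10.4/32", "proto": "udp", "dport": "53", "action": "accept"}
    return PLAN_RULES[:4] + [dns] + PLAN_RULES[4:]
```

`decisions()` returns drop for `kids->printer` and `iot->pihole-dns` at rule 4, while `decisions(with_dns_allowed())` accepts the DNS flow and still drops printing, which is the behaviour the open questions above ask about.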
---
## Static IP Reservations (New Subnets)
### VLAN 10 - Secure (192.168.10.0/24)
| Device | IP | MAC |
|--------|-----|-----|
| Unraid Server | 192.168.10.2 | (current MAC) |
| Pi-hole (Unraid) | 192.168.10.4 | (current MAC) |
| Unbound (Unraid) | 192.168.10.5 | (current MAC) |
| Nobara PC (LAN) | 192.168.10.10 | 08:92:04:C6:07:C5 |
| Nobara PC (WiFi) | 192.168.10.11 | 22:4C:7F:1D:85:8E |
| Game Machine | 192.168.10.12 | 1C:83:41:32:F3:AF |
| MacBook (Kaloyan) | 192.168.10.15 | 82:EC:EF:B5:F2:AF |
| S25 Ultra | 192.168.10.20 | AA:ED:8B:2A:40:F1 |
### VLAN 20 - IoT (192.168.20.0/24)
| Device | IP | MAC |
|--------|-----|-----|
| Home Assistant | 192.168.20.2 | AC:87:A3:77:8F:BD |
| Chromecast | 192.168.20.10 | D0:E7:82:F7:65:DD |
| Roborock S7 | 192.168.20.11 | B0:4A:39:3F:9A:14 |
| Bosch Oven | 192.168.20.12 | 94:27:70:1E:0C:EE |
| Reolink Doorbell | 192.168.20.13 | 48:9E:9D:0E:16:F7 |
| HP Printer | 192.168.20.20 | 64:4E:D7:D8:43:3E |
### VLAN 30 - Kids (192.168.30.0/24)
| Device | IP | MAC |
|--------|-----|-----|
| Nora MacBook | 192.168.30.10 | 82:6D:FB:D9:E0:47 |
| Kimi Notebook | 192.168.30.11 | 90:91:64:70:0D:86 |
| Kimi iPhone | 192.168.30.12 | 2A:2B:BA:86:D4:AF |
| Dancho iPhone | 192.168.30.13 | F2:B8:14:61:C8:27 |
---
## Risks & Considerations
### Service Interruption
- **HIGH RISK**: Enabling VLAN filtering will temporarily disrupt all devices
- **Mitigation**: Perform during maintenance window, have console access ready
### Device Re-configuration
- All devices will get new IPs from new DHCP pools
- Static IP reservations should be configured before migration
- Some devices may need manual WiFi reconnection
### Unraid Considerations
- Unraid needs to be on VLAN 10 (secure)
- Docker containers with br0 (192.168.31.x) need reconfiguration
- Pi-hole and Unbound IPs will change
### Home Assistant
- Will be on IoT VLAN
- Integrations may need reconfiguration for new IP ranges
- Traefik routing may need adjustment
---
## Rollback Plan
If issues occur, disable VLAN filtering:
```
/interface/bridge/set bridge vlan-filtering=no
```
This immediately returns the bridge to flat network mode.

---
## Questions Before Implementation
1. **WiFi passwords for new SSIDs** - What should Kids and Guest passwords be?
2. **Printer access** - Should Kids be able to print? (Requires firewall rule)
3. **Home Assistant location** - IoT VLAN (recommended) or Secure VLAN?
4. **Unraid Docker networks** - br0 containers need VLAN assignment decision
5. **Switch port mapping** - Need to know which CSS326 ports connect to which devices
---
## Next Steps
1. [ ] Confirm device categorization is correct
2. [ ] Decide on WiFi passwords for new SSIDs
3. [ ] Map CSS326 switch ports to devices
4. [ ] Schedule maintenance window for implementation
5. [ ] Backup MikroTik and switch configs before changes
6. [ ] Implement in phases with testing between each