- docs/12-VLAN-SETUP-PROGRESS.md: Progress tracking during setup
- docs/13-VLAN-SETUP-PLAN-V2.md: Initial VLAN plan
- docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md: Safe mode approach
- docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md: Final session summary

VLANs implemented:
- VLAN 10: Management (192.168.10.0/24) - port-based
- VLAN 20: Trusted (192.168.20.0/24) - WiFi MAC-based
- VLAN 25: Kids (192.168.25.0/24) - WiFi MAC-based
- VLAN 30: IoT (192.168.30.0/24) - WiFi MAC-based
- VLAN 40: Catch-All (192.168.1.0/24) - default

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# VLAN Setup Plan v3 - Safe Mode Approach

- Created: 2026-01-31
- Status: PLANNING
- Approach: Safe Mode with atomic commands for auto-rollback protection
## Lessons Learned from Previous Failures

- An IP address assigned to the bridge interface itself stops working once VLAN filtering is enabled
- Keeping the same IP on both the bridge and the VLAN interface causes routing confusion
- The VLAN interface does not receive traffic until VLAN filtering is enabled
- Solution: use Safe Mode and run the critical changes as one atomic script
## Prerequisites

- Router: MikroTik hAP ax³
- Current IP: 192.168.1.1/24 on bridge
- Access: WinBox connected via MAC address (not IP!)
- CAPsMAN: Already configured and working
## Phase 1: Preparation (No Risk)

### Step 1.1: Backup Current Configuration

```
/system backup save name=before-vlan-v3
/export file=before-vlan-v3
```

Download both files from WinBox → Files.
### Step 1.2: Verify Current State

```
/ip address print
/interface bridge print
/interface bridge port print
/interface bridge vlan print
/ip dhcp-server print
```

Expected:

- IP 192.168.1.1/24 on bridge
- VLAN filtering = no
- No bridge VLANs configured
## Phase 2: Create VLAN Infrastructure (Safe - No Filtering Yet)

### Step 2.1: Create VLAN 40 Interface

```
/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40
```

Verify:

```
/interface vlan print
```
### Step 2.2: Add VLAN 40 to Bridge Table

All LAN ports are untagged members; the bridge itself is a tagged member so the router's CPU can reach the VLAN:

```
/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,ether4,ether5,wifi1,wifi2
```

Verify:

```
/interface bridge vlan print detail
```
### Step 2.3: Set PVID on All LAN Ports

```
/interface bridge port set [find interface=ether2] pvid=40
/interface bridge port set [find interface=ether3] pvid=40
/interface bridge port set [find interface=ether4] pvid=40
/interface bridge port set [find interface=ether5] pvid=40
/interface bridge port set [find interface=wifi1] pvid=40
/interface bridge port set [find interface=wifi2] pvid=40
```

Verify:

```
/interface bridge port print
```

Expected: all ports show PVID=40
### Step 2.4: Add IP to VLAN Interface

This deliberately creates a temporary duplicate of 192.168.1.1/24 (the copy on the bridge is removed by the activation script in Phase 3):

```
/ip address add address=192.168.1.1/24 interface=vlan40-catchall comment="VLAN40-Management"
```

Verify:

```
/ip address print
```

Expected: two entries for 192.168.1.1 (bridge and vlan40-catchall)

### Step 2.5: Create VLAN40 DHCP Pool (if it does not exist yet)

```
/ip pool add name=pool-vlan40 ranges=192.168.1.10-192.168.1.250
```
### Step 2.6: Verify Everything Before the Critical Step

```
:put "=== VLAN Interface ==="
/interface vlan print
:put "=== Bridge VLANs ==="
/interface bridge vlan print detail
:put "=== Bridge Ports (check PVID) ==="
/interface bridge port print
:put "=== IP Addresses ==="
/ip address print
:put "=== Ping Test ==="
/ping 8.8.8.8 count=2
```

STOP HERE if anything is wrong!
## Phase 3: Enable VLAN Filtering (Critical - Use Safe Mode)

### Step 3.1: Enter Safe Mode in WinBox

- In WinBox, press Ctrl+X
- A "Safe Mode" indicator appears in the title bar
- All changes will auto-rollback if the connection is lost
### Step 3.2: Create the Activation Script

Create a script that performs all of the changes atomically:

```
/system script add name=activate-vlan source={
    # Enable VLAN filtering on the bridge
    /interface bridge set bridge vlan-filtering=yes
    # Move the default DHCP server from the bridge to the VLAN interface
    /ip dhcp-server set [find name~"defconf"] interface=vlan40-catchall
    # Wait 2 seconds for the changes to apply
    :delay 2s
    # Remove the duplicate IP from the bridge (keep only the VLAN interface IP);
    # match the exact address instead of a regex so nothing else can be removed
    /ip address remove [find interface=bridge address="192.168.1.1/24"]
    :put "VLAN activation complete"
}
```
### Step 3.3: Run the Script (While in Safe Mode!)

```
/system script run activate-vlan
```

### Step 3.4: Verify Immediately

```
/ping 8.8.8.8 count=3
/ip address print
/interface bridge print
```

### Step 3.5: If Everything Works - Exit Safe Mode

Press Ctrl+X again to confirm and save the changes.

### Step 3.6: If the Connection Is Lost

- Wait up to 10 minutes
- The router will auto-rollback to the previous state
- Reconnect via WinBox (MAC address)
## Phase 4: Verification

### Step 4.1: Check All Settings

```
:put "=== Bridge VLAN Filtering ==="
/interface bridge print where name=bridge
:put "=== IP Addresses ==="
/ip address print
:put "=== DHCP Server ==="
/ip dhcp-server print
:put "=== Internet Test ==="
/ping 8.8.8.8 count=3
```

Expected:

- vlan-filtering=yes on bridge
- IP 192.168.1.1/24 ONLY on vlan40-catchall
- DHCP server on vlan40-catchall
- Internet working

### Step 4.2: Test Client Connectivity

From a device on the network:

- Disconnect and reconnect WiFi
- Check that you get an IP from the 192.168.1.x range
- Test internet access
## Phase 5: Add Additional VLANs (After VLAN40 is Stable)

Wait 24-48 hours to make sure VLAN40 is stable before adding more VLANs.

### VLAN Overview

| VLAN | Name | Subnet | Purpose | Assignment |
|---|---|---|---|---|
| 10 | Management | 192.168.10.0/24 | Infrastructure | Port-based (ether4,5) |
| 20 | Trusted | 192.168.20.0/24 | Family devices | RADIUS |
| 25 | Kids | 192.168.25.0/24 | Kids devices | RADIUS |
| 30 | IoT | 192.168.30.0/24 | Smart home | RADIUS |
| 40 | Catch-All | 192.168.1.0/24 | Default/Unknown | Default |
### Step 5.1: Create VLAN 10 (Management)

```
# Create VLAN interface
/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10
# Add IP
/ip address add address=192.168.10.1/24 interface=vlan10-mgmt
# Add to bridge VLAN table - ether4/5 untagged for Unraid
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5
# Update PVID on Unraid ports
/interface bridge port set [find interface=ether4] pvid=10
/interface bridge port set [find interface=ether5] pvid=10
# Remove ether4/5 from VLAN40
/interface bridge vlan set [find vlan-ids=40] untagged=ether2,ether3,wifi1,wifi2
# Create DHCP for VLAN10
/ip pool add name=pool-vlan10 ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add address-pool=pool-vlan10 interface=vlan10-mgmt name=dhcp-vlan10 disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8
```
### Step 5.2: Add Static Leases for VLAN10

```
/ip dhcp-server lease
add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-vlan10
add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-vlan10
add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="Unraid" server=dhcp-vlan10
```
## Rollback Commands

### Emergency: Disable VLAN Filtering

```
/interface bridge set bridge vlan-filtering=no
```

### Full Rollback: Restore Backup

```
/system backup load name=before-vlan-v3
```

### Factory Reset (Last Resort)

Hold the reset button while powering on until the LEDs flash.
## Safe Mode Quick Reference

| Action | WinBox | CLI |
|---|---|---|
| Enter Safe Mode | Ctrl+X | Ctrl+X |
| Exit & Save | Ctrl+X | Ctrl+X |
| Exit & Discard | Close WinBox | Ctrl+D |
| Auto-rollback | ~10 minutes | ~10 minutes |
Important: Safe Mode protection lasts only while you are connected; if the connection is lost, the changes made since entering Safe Mode roll back automatically.
## Checklist Before Enabling VLAN Filtering

- Backup saved and downloaded
- WinBox connected via MAC (not IP)
- VLAN interface created
- Bridge tagged in VLAN table
- All ports have correct PVID
- IP added to VLAN interface
- Safe Mode entered (Ctrl+X)
- Ready to run activation script
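
The checklist above, together with Steps 2.2 to 2.4 and 5.1, amounts to a small set of invariants over the bridge VLAN table, the port PVIDs, the VLAN interfaces and the IP addresses. The Python script below is an added example, not part of the original plan and not a RouterOS tool: it models the planned router state as plain data (the port names, VLAN ids and addresses are the ones used in this document, and the state is constructed by hand rather than read from the router) and reports every violated invariant before the activation script is run. Running it on the Phase 2 state reports exactly the temporary duplicate 192.168.1.1/24, on the Phase 4 and Phase 5 states it reports nothing, and on a Phase 5 state where the last command of Step 5.1 was skipped it reports ether4/ether5 as untagged in two VLANs.

```python
from __future__ import annotations
from dataclasses import dataclass, field

LAN_PORTS = ["ether2", "ether3", "ether4", "ether5", "wifi1", "wifi2"]  # bridge ports from the plan


@dataclass
class BridgeVlan:          # one row of /interface bridge vlan
    vlan_id: int
    tagged: set[str]
    untagged: set[str]


@dataclass
class Plan:                # planned router state, modelled as plain data (constructed)
    vlan_filtering: bool
    bridge_vlans: list[BridgeVlan]
    pvid: dict[str, int]               # bridge port -> PVID
    vlan_interfaces: dict[str, int]    # /interface vlan name -> vlan-id
    ip_addresses: dict[str, str]       # interface -> address/prefix
    dhcp_servers: dict[str, str] = field(default_factory=dict)  # server -> interface


def check_plan(plan: Plan) -> list[str]:
    """Return every violated invariant; an empty list means the plan is consistent."""
    problems: list[str] = []
    by_id = {v.vlan_id: v for v in plan.bridge_vlans}
    # 1. A port's PVID must name a VLAN in which that port is untagged, or its
    #    untagged ingress frames are dropped as soon as filtering is enabled.
    for port, pvid in plan.pvid.items():
        if pvid not in by_id or port not in by_id[pvid].untagged:
            problems.append(f"{port}: PVID {pvid} but not an untagged member of VLAN {pvid}")
    # 2. A port can be an untagged member of only one VLAN (Step 5.1 moves ether4/5).
    untagged_in: dict[str, int] = {}
    for v in plan.bridge_vlans:
        for port in sorted(v.untagged):
            if port in untagged_in:
                problems.append(f"{port}: untagged in both VLAN {untagged_in[port]} and VLAN {v.vlan_id}")
            untagged_in[port] = v.vlan_id
    # 3. Every VLAN carrying an L3 interface needs the bridge as a tagged member,
    #    otherwise the CPU never sees that VLAN's frames (no management access).
    for name, vid in plan.vlan_interfaces.items():
        if vid not in by_id:
            problems.append(f"{name}: VLAN {vid} has no bridge VLAN table entry")
        elif "bridge" not in by_id[vid].tagged:
            problems.append(f"{name}: bridge is not tagged in VLAN {vid} (no CPU access)")
    # 4. Lessons 1 and 2: no IP left on the raw bridge once filtering is on, and
    #    no address configured on two interfaces at the same time.
    if plan.vlan_filtering and "bridge" in plan.ip_addresses:
        problems.append("bridge: IP address still on the bridge with vlan-filtering=yes")
    owner: dict[str, str] = {}
    for iface, addr in plan.ip_addresses.items():
        if addr in owner:
            problems.append(f"{addr}: duplicated on {owner[addr]} and {iface}")
        owner[addr] = iface
    # 5. With filtering on, DHCP servers must listen on VLAN interfaces, not the bridge.
    for name, iface in plan.dhcp_servers.items():
        if plan.vlan_filtering and iface == "bridge":
            problems.append(f"dhcp-server {name}: still bound to the bridge interface")
    return problems


def catchall_plan(activated: bool) -> Plan:
    """Phase 2 end state (activated=False: temporary duplicate IP) or Phase 4 state (True)."""
    return Plan(
        vlan_filtering=activated,
        bridge_vlans=[BridgeVlan(40, {"bridge"}, set(LAN_PORTS))],
        pvid={p: 40 for p in LAN_PORTS},
        vlan_interfaces={"vlan40-catchall": 40},
        ip_addresses={**({} if activated else {"bridge": "192.168.1.1/24"}), "vlan40-catchall": "192.168.1.1/24"},
        dhcp_servers={"defconf": "vlan40-catchall" if activated else "bridge"},
    )


def management_plan(remove_from_vlan40: bool = True) -> Plan:
    """State after Step 5.1; remove_from_vlan40=False simulates skipping its last command."""
    mgmt = {"ether4", "ether5"}
    pvid = {p: (10 if p in mgmt else 40) for p in LAN_PORTS}
    return Plan(
        vlan_filtering=True,
        bridge_vlans=[BridgeVlan(40, {"bridge"}, set(LAN_PORTS) - (mgmt if remove_from_vlan40 else set())),
                      BridgeVlan(10, {"bridge"}, mgmt)],
        pvid=pvid,
        vlan_interfaces={"vlan40-catchall": 40, "vlan10-mgmt": 10},
        ip_addresses={"vlan40-catchall": "192.168.1.1/24", "vlan10-mgmt": "192.168.10.1/24"},
        dhcp_servers={"defconf": "vlan40-catchall", "dhcp-vlan10": "vlan10-mgmt"},
    )


if __name__ == "__main__":
    for label, plan in [("phase 2", catchall_plan(False)), ("phase 4", catchall_plan(True)),
                        ("phase 5", management_plan()),
                        ("phase 5, ether4/5 still in VLAN 40", management_plan(remove_from_vlan40=False))]:
        print(f"{label}: {check_plan(plan) or 'OK'}")
```

The script never talks to the router; to check a real plan, transcribe the intended `/interface bridge vlan`, `/interface bridge port`, `/interface vlan` and `/ip address` entries into a `Plan` and run `check_plan` on it before entering Safe Mode.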
## Troubleshooting

### Lost Connection After Enabling Filtering

- Wait 10 minutes for the Safe Mode rollback
- If no rollback happens: connect via WinBox MAC discovery
- Run:

```
/interface bridge set bridge vlan-filtering=no
```

### DHCP Not Working

Check the DHCP server interface:

```
/ip dhcp-server print
```

It should show interface=vlan40-catchall.

### Internet Not Working

Check NAT:

```
/ip firewall nat print
```

There should be a masquerade rule for the WAN interface.

### Devices Not Getting an IP

- Check that the bridge VLAN table lists the ports as untagged
- Check that the ports have the correct PVID
- Check that the DHCP pool has available addresses