infrastructure/docs/wip/VLAN-SEGMENTATION.md
XTRM-Unraid de42738775
Add WIP docs for incomplete planned items
New WIP documents:
- FOSSORIAL-TUNNELS.md - Pangolin/Gerbil self-hosted tunnels (not deployed)
- VLAN-SEGMENTATION.md - Network segmentation plan (not implemented)
- REMOTE-GAMING.md - Sunshine/Moonlight streaming (in progress)

Changes:
- Renamed 05-CHANGELOG.md → 00-CHANGELOG.md
- Updated wip/README.md with all planned items

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-25 11:25:46 +02:00


# VLAN Network Segmentation

**Status:** 📋 PLANNED | **Priority:** Medium | **Risk:** HIGH (network disruption during implementation)


## Overview

Segment the flat 192.168.31.0/24 network into VLANs so that trusted devices, IoT devices, kids' devices and guests are isolated from each other, with only explicitly allowed cross-VLAN traffic.


## Proposed VLANs

| VLAN | Name       | Subnet          | Gateway      | Purpose                     |
|------|------------|-----------------|--------------|-----------------------------|
| 1    | Management | 192.168.31.0/24 | 192.168.31.1 | Infrastructure devices only |
| 10   | Secure     | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers    |
| 20   | IoT        | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras         |
| 30   | Kids       | 192.168.30.0/24 | 192.168.30.1 | Kids devices                |
| 40   | Guest      | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi                  |

## WiFi SSID Mapping

| SSID       | VLAN | Purpose                   |
|------------|------|---------------------------|
| XTRM       | 10   | Primary (trusted devices) |
| XTRM-IoT   | 20   | IoT devices               |
| XTRM-Kids  | 30   | Kids devices              |
| XTRM-Guest | 40   | Guest access              |

## Device Assignments

### VLAN 10 - Secure

| Device     | Current IP     | New IP        |
|------------|----------------|---------------|
| XTRM-U/N5  | 192.168.31.2   | 192.168.10.2  |
| Nobara PC  | 192.168.31.95  | 192.168.10.10 |
| MacBook    | 192.168.31.99  | 192.168.10.15 |
| S25 Ultra  | 192.168.31.98  | 192.168.10.20 |

### VLAN 20 - IoT

| Device           | Current IP     | New IP        |
|------------------|----------------|---------------|
| Home Assistant   | 192.168.31.102 | 192.168.20.2  |
| Chromecast       | 192.168.31.134 | 192.168.20.10 |
| Roborock S7      | 192.168.31.104 | 192.168.20.11 |
| Reolink Doorbell | 192.168.31.68  | 192.168.20.13 |
| HP Printer       | 192.168.31.19  | 192.168.20.20 |

### VLAN 30 - Kids

| Device        | Current IP     | New IP        |
|---------------|----------------|---------------|
| Nora MacBook  | 192.168.31.79  | 192.168.30.10 |
| Kimi Notebook | 192.168.31.108 | 192.168.30.11 |
| Dancho iPhone | 192.168.31.114 | 192.168.30.13 |

## Cross-VLAN Access Requirements

Each allowed flow gets its own accept rule in the `forward` chain. These rules only have an effect if they sit above a rule that drops all other inter-VLAN traffic; without such a drop rule the router forwards everything between VLANs by default.

### S25 → Chromecast (Casting)

```routeros
/ip/firewall/filter add chain=forward \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    dst-port=8008,8009,8443 protocol=tcp action=accept
```

### Secure → Home Assistant

```routeros
/ip/firewall/filter add chain=forward \
    src-address=192.168.10.0/24 dst-address=192.168.20.2 \
    dst-port=8123 protocol=tcp action=accept
```

### mDNS Reflector (Device Discovery)

Casting and Home Assistant discovery rely on mDNS, which does not cross VLAN boundaries on its own. Repeat it only between the Secure and IoT VLANs:

```routeros
/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20
```

## Implementation Steps

### Phase 1: Router (HAP1)

1. Create VLAN interfaces
2. Assign IP addresses
3. Create DHCP servers per VLAN
4. Configure firewall rules
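The four Phase 1 steps and the cross-VLAN rules from the previous section, carried through as one RouterOS v7 configuration. This is an added example, not configuration from the repository: it assumes the bridge is named `bridge`, that the trunk port towards the CSS326 is `ether2` and already a bridge port, that VLAN 1 stays untagged on the bridge, and that DHCP hands out `.100`-`.199` in each subnet; the MAC address in the reservation is a placeholder. Rule order in the `forward` chain is the point: the accept rules come before the final inter-VLAN drop.

```routeros
# Assumed names (not from the page): bridge "bridge", trunk port ether2.

# Step 1: one VLAN interface per planned VLAN, on top of the bridge
/interface/vlan
add name=vlan10 vlan-id=10 interface=bridge comment="Secure"
add name=vlan20 vlan-id=20 interface=bridge comment="IoT"
add name=vlan30 vlan-id=30 interface=bridge comment="Kids"
add name=vlan40 vlan-id=40 interface=bridge comment="Guest"

# Bridge VLAN table: each VLAN is tagged towards the CPU (bridge) and the trunk
/interface/bridge/vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 vlan-ids=40

# Step 2: gateway addresses from the Proposed VLANs table
/ip/address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30
add address=192.168.40.1/24 interface=vlan40

# Step 3: a DHCP pool, network and server per VLAN (ranges are assumed)
/ip/pool
add name=pool-secure ranges=192.168.10.100-192.168.10.199
add name=pool-iot    ranges=192.168.20.100-192.168.20.199
add name=pool-kids   ranges=192.168.30.100-192.168.30.199
add name=pool-guest  ranges=192.168.40.100-192.168.40.199
/ip/dhcp-server/network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.40.1
/ip/dhcp-server
add name=dhcp-secure interface=vlan10 address-pool=pool-secure
add name=dhcp-iot    interface=vlan20 address-pool=pool-iot
add name=dhcp-kids   interface=vlan30 address-pool=pool-kids
add name=dhcp-guest  interface=vlan40 address-pool=pool-guest
# Pre-configured reservation (Risks table): fixed address from Device Assignments.
# XX:XX:XX:XX:XX:XX is a placeholder, replace with the device's real MAC.
/ip/dhcp-server/lease
add address=192.168.20.2 mac-address=XX:XX:XX:XX:XX:XX server=dhcp-iot \
    comment="Home Assistant"

# Step 4: firewall. Group the VLAN interfaces so one rule can deny VLAN-to-VLAN.
/interface/list
add name=VLAN
/interface/list/member
add list=VLAN interface=vlan10
add list=VLAN interface=vlan20
add list=VLAN interface=vlan30
add list=VLAN interface=vlan40
/ip/firewall/filter
add chain=forward connection-state=established,related action=accept \
    comment="Return traffic for allowed flows"
add chain=forward connection-state=invalid action=drop
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    dst-port=8008,8009,8443 protocol=tcp action=accept comment="Secure -> Chromecast"
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.2 \
    dst-port=8123 protocol=tcp action=accept comment="Secure -> Home Assistant"
add chain=forward in-interface-list=VLAN out-interface-list=VLAN action=drop \
    comment="Default deny between VLANs (must stay last)"

# mDNS repeater between Secure and IoT only (RouterOS 7.16 or newer)
/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20

# Last, and only once the switch (Phase 2) is ready: turn on VLAN filtering.
# The Rollback section below reverses exactly this line.
/interface/bridge/set bridge vlan-filtering=yes
```

Apply everything above the final `set bridge vlan-filtering=yes` first and check `/interface/bridge/vlan print` from a console session, not over WiFi; the management VLAN stays untagged, so a mistake in the VLAN table is recoverable with the one-line rollback. The Kids and Guest VLANs get no accept rules, so the default-deny rule is the only inter-VLAN rule that applies to them.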

### Phase 2: Switch (CSS326)

1. Enable VLAN mode in SwOS
2. Configure trunk port (to HAP1)
3. Assign access VLANs to ports
4. Set PVIDs

### Phase 3: WiFi (CAPsMAN)

1. Create VLAN-tagged SSIDs
2. Update provisioning rules
3. Apply to CAP
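The three Phase 3 steps for one of the SSIDs from the WiFi SSID Mapping table, as an added example rather than the repository's own configuration. It assumes the legacy `/caps-man` CAPsMAN (the `/interface/wifi` CAPsMAN on newer wifi drivers uses different paths), the bridge name `bridge`, and that a master configuration for the XTRM SSID already exists under the assumed name `cfg-secure`; the passphrase is a placeholder to be replaced by one of the passwords decided in Prerequisites.

```routeros
# Step 1: datapath that tags IoT client frames with VLAN 20 and puts them on the bridge
/caps-man/datapath
add name=dp-iot bridge=bridge vlan-mode=use-tag vlan-id=20

# WPA2-PSK security profile; CHANGE-ME is a placeholder passphrase
/caps-man/security
add name=sec-iot authentication-types=wpa2-psk encryption=aes-ccm \
    passphrase="CHANGE-ME"

# SSID from the mapping table bound to the tagged datapath
/caps-man/configuration
add name=cfg-iot ssid=XTRM-IoT datapath=dp-iot security=sec-iot

# Step 2: provision the IoT SSID as a slave (virtual) interface next to the
# assumed master configuration cfg-secure (XTRM, VLAN 10)
/caps-man/provisioning
add action=create-dynamic-enabled master-configuration=cfg-secure \
    slave-configurations=cfg-iot

# Step 3: re-provision the CAPs so the new SSID is created on the radios
/caps-man/radio/provision [find]
```

The same datapath/security/configuration triple is repeated for XTRM-Kids (VLAN 30) and XTRM-Guest (VLAN 40), added to `slave-configurations` as a comma-separated list. The CAP's uplink must be a tagged member of VLANs 10, 20, 30 and 40 in the switch (Phase 2) or the tagged client frames are dropped at the first hop.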

## Risks

| Risk                           | Impact | Mitigation                        |
|--------------------------------|--------|-----------------------------------|
| All devices lose connectivity  | HIGH   | Schedule maintenance window       |
| Docker br0 containers break    | MEDIUM | Reconfigure macvlan               |
| Static IPs need updating       | LOW    | Pre-configure DHCP reservations   |

## Rollback

Disable VLAN filtering immediately:

```routeros
/interface/bridge/set bridge vlan-filtering=no
```

## Prerequisites

- Map CSS326 switch ports to devices
- Backup MikroTik config
- Schedule maintenance window (30-60 min)
- Decide WiFi passwords for new SSIDs
- Console/serial access to router (in case of lockout)

## References

- Full planning document: archive/10-VLAN-NETWORK-SEGMENTATION.md
- Device inventory: archive/11-NETWORK-ASSET-INVENTORY.md