infrastructure/docs/wip/VLAN-PROPOSAL.md
XTRM-Unraid 2e58a3f663
Update VLAN proposal with decisions
- Added VLAN 35 for Cameras (isolated)
- Guest WiFi: password only, no captive portal
- Keep VLAN 1 (192.168.31.0/24) for transition
- Added camera geo-blocking rules
- Updated firewall matrix with camera view-only access
- Added rollback plan
2026-01-25 15:51:01 +02:00


WIP: VLAN Network Segmentation Proposal

Status: Planning
Created: 2026-01-25
Updated: 2026-01-25


Decisions Made

  • Separate Camera VLAN (VLAN 35)
  • Guest WiFi: Password only (no captive portal)
  • Keep 192.168.31.0/24 during transition (VLAN 1)

Current State

Single flat network: 192.168.31.0/24 (will become transition VLAN)


Proposed VLAN Architecture

                                    ┌─────────────────┐
                                    │    INTERNET     │
                                    └────────┬────────┘
                                             │
                                    ┌────────▼────────┐
                                    │  MikroTik hAP   │
                                    │   (Router/FW)   │
                                    └────────┬────────┘
                                             │
     ┌───────────┬───────────┬───────────┬───┴───┬───────────┬───────────┐
     │           │           │           │       │           │           │
┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌▼────────┐ ┌▼────────┐ ┌▼────────┐
│ VLAN 1  │ │ VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 35 │ │ VLAN 40 │ │ VLAN 50 │
│ Legacy  │ │  Mgmt   │ │ Trusted │ │   IoT   │ │ Cameras │ │ Servers │ │  Guest  │
│.31.0/24 │ │.10.0/24 │ │.20.0/24 │ │.30.0/24 │ │.35.0/24 │ │.40.0/24 │ │.50.0/24 │
└─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘

VLAN Definitions

| VLAN ID | Name | Subnet | Gateway | Purpose |
|---|---|---|---|---|
| 1 | Legacy/Transition | 192.168.31.0/24 | .31.1 | Current network (temporary) |
| 10 | Management | 192.168.10.0/24 | .10.1 | Infrastructure admin |
| 20 | Trusted | 192.168.20.0/24 | .20.1 | Personal devices |
| 30 | IoT | 192.168.30.0/24 | .30.1 | Smart home devices |
| 35 | Cameras | 192.168.35.0/24 | .35.1 | Security cameras (isolated) |
| 40 | Servers | 192.168.40.0/24 | .40.1 | Exposed services |
| 50 | Guest | 192.168.50.0/24 | .50.1 | Visitor WiFi |

VLAN 1: Legacy/Transition

Purpose: Current network - devices migrate from here

| Device | IP | Target VLAN |
|---|---|---|
| MikroTik | 192.168.31.1 | VLAN 10 |
| Unraid | 192.168.31.2 | VLAN 10 |
| AdGuard | 192.168.31.4 | VLAN 40 |
| LG TV | 192.168.31.100 | VLAN 30 |

Note: This VLAN will be deprecated after migration.


VLAN 10: Management

Purpose: Infrastructure administration only

| Device | IP | Description |
|---|---|---|
| MikroTik | 192.168.10.1 | Router/Gateway |
| Unraid | 192.168.10.2 | Server management |
| CSS326 | 192.168.10.3 | Switch management |
| cAP ac | 192.168.10.4 | AP management |

Access Rules:

  • Full access to all VLANs
  • SSH, Web UI, API access
  • No access from other VLANs (only established/related return traffic is allowed back in)

VLAN 20: Trusted

Purpose: Personal/family devices

| Device Type | DHCP Range | Static Range |
|---|---|---|
| Reserved | - | .20.10-.50 |
| Laptops | .20.100-.130 | - |
| Phones | .20.131-.160 | - |
| Tablets | .20.161-.180 | - |
| Other | .20.181-.220 | - |

Access Rules:

  • Internet access
  • Access to Servers VLAN
  • Access to IoT VLAN (control devices)
  • Access to Cameras VLAN (view feeds)
  • No access to Management VLAN
  • No access from Guest VLAN

VLAN 30: IoT

Purpose: Smart home devices (isolated)

| Device Type | DHCP Range | Examples |
|---|---|---|
| Smart TVs | .30.100-.110 | LG TV, Apple TV |
| Speakers | .30.111-.130 | Sonos, HomePod |
| Hubs | .30.131-.150 | Zigbee, Z-Wave |
| Sensors | .30.151-.180 | Motion, temp |
| Other | .30.181-.220 | Plugs, lights |

Access Rules:

  • Internet access (filtered)
  • Local DNS (AdGuard)
  • mDNS relay from Trusted
  • No access to Management
  • No access to Cameras
  • No access to Servers (except specific allowed services, e.g. DNS to AdGuard)
  • Cannot initiate to Trusted

VLAN 35: Cameras

Purpose: Security cameras (highly isolated)

| Device Type | DHCP Range | Examples |
|---|---|---|
| Indoor | .35.100-.120 | - |
| Outdoor | .35.121-.140 | - |
| NVR | .35.10 | Recording server |

Access Rules:

  • ⚠️ Limited internet (firmware updates only)
  • Access to NVR only
  • Trusted can VIEW (no control)
  • No access to any other VLAN
  • No inter-camera communication
  • Blocked: China and Russia IP ranges (common camera call-home destinations)

VLAN 40: Servers/DMZ

Purpose: Services accessible externally

| Service | IP | Ports | Description |
|---|---|---|---|
| Traefik | 192.168.40.2 | 80,443 | Reverse proxy |
| AdGuard | 192.168.40.4 | 53,853,443 | DNS server |
| Gitea | 192.168.40.10 | 3000 | Git hosting |
| Woodpecker | 192.168.40.11 | 8000 | CI/CD |
| Plex | 192.168.40.20 | 32400 | Media |

Access Rules:

  • Internet access
  • Inbound from WAN (via NAT)
  • Access from Trusted
  • Cannot initiate to other VLANs

VLAN 50: Guest

Purpose: Visitor WiFi (password protected, no captive portal)

| Setting | Value |
|---|---|
| DHCP Range | 192.168.50.100-.200 |
| Lease Time | 4 hours |
| Bandwidth | 50 Mbps limit |
| Client Isolation | Enabled |

Access Rules:

  • Internet access only
  • No access to ANY internal VLAN
  • No inter-client communication

Firewall Matrix

┌─────────────┬────────┬──────┬─────────┬─────┬─────────┬─────────┬───────┐
│ From \ To   │ Legacy │ Mgmt │ Trusted │ IoT │ Cameras │ Servers │ Guest │
├─────────────┼────────┼──────┼─────────┼─────┼─────────┼─────────┼───────┤
│ Legacy      │   ✅   │  ✅  │   ✅    │ ✅  │   ✅    │   ✅    │  ✅   │
│ Management  │   ✅   │  ✅  │   ✅    │ ✅  │   ✅    │   ✅    │  ✅   │
│ Trusted     │   ✅   │  ❌  │   ✅    │ ✅  │   👁️    │   ✅    │  ❌   │
│ IoT         │   ❌   │  ❌  │   ❌    │ ⚠️  │   ❌    │   ⚠️    │  ❌   │
│ Cameras     │   ❌   │  ❌  │   ❌    │ ❌  │   ⚠️    │   ❌    │  ❌   │
│ Servers     │   ❌   │  ❌  │   ❌    │ ❌  │   ❌    │   ✅    │  ❌   │
│ Guest       │   ❌   │  ❌  │   ❌    │ ❌  │   ❌    │   ❌    │  ⚠️   │
│ Internet    │   ❌   │  ❌  │   ❌    │ ❌  │   ❌    │   ✅    │  ❌   │
└─────────────┴────────┴──────┴─────────┴─────┴─────────┴─────────┴───────┘

✅ = Full access
❌ = Blocked  
⚠️ = Limited (specific ports/IPs)
👁️ = View only (cameras: RTSP/HTTP streams)
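The rules below are an added example of how the matrix above could be expressed as RouterOS forward-chain filter rules; they are not part of the proposal's own configuration. They assume the subnets from the VLAN Definitions table, the `blocked-countries` list from implementation step 4, an interface list named `WAN` for the upstream interface, and that the NVR at 192.168.35.10 serves RTSP on 554 and HTTP/HTTPS on 80/443 (an assumption). The `camera-firmware` address list is a placeholder to be filled with the camera vendor's update hosts.

```routeros
# Added example (not from the proposal): forward-chain rules implementing the matrix.
# RouterOS evaluates filter rules top-down, first match wins, so the narrow drops
# sit above the broad accepts and the chain ends in an explicit drop.

/ip firewall address-list
add list=vlan-internal address=192.168.10.0/24 comment="Mgmt"
add list=vlan-internal address=192.168.20.0/24 comment="Trusted"
add list=vlan-internal address=192.168.30.0/24 comment="IoT"
add list=vlan-internal address=192.168.35.0/24 comment="Cameras"
add list=vlan-internal address=192.168.40.0/24 comment="Servers"
add list=vlan-internal address=192.168.50.0/24 comment="Guest"
add list=vlan-internal address=192.168.31.0/24 comment="Legacy (transition)"
# PLACEHOLDER (assumption): replace with the camera vendor's firmware-update hosts.
add list=camera-firmware address=203.0.113.0/24 comment="camera firmware hosts - placeholder"

/ip firewall filter
# Stateful shortcuts: replies to already-accepted flows pass, broken state is dropped.
add chain=forward action=accept connection-state=established,related comment="allow established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# Internet row of the matrix: inbound only where a dst-nat port forward exists (Servers).
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat comment="WAN -> port-forwarded Servers"
add chain=forward action=drop in-interface-list=WAN comment="WAN -> everything else: blocked"

# Management and Legacy rows: full access. The Legacy rule is removed in Phase 5.
add chain=forward action=accept src-address=192.168.10.0/24 comment="Mgmt -> any"
add chain=forward action=accept src-address=192.168.31.0/24 comment="Legacy -> any (transition only)"

# Trusted row: camera feeds only through the NVR, never Mgmt or Guest, everything else allowed.
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.35.10 protocol=tcp dst-port=554,80,443 comment="Trusted -> NVR (view only)"
add chain=forward action=drop src-address=192.168.20.0/24 dst-address=192.168.35.0/24 comment="Trusted -> cameras directly: blocked"
add chain=forward action=drop src-address=192.168.20.0/24 dst-address=192.168.10.0/24 comment="Trusted -> Mgmt: blocked"
add chain=forward action=drop src-address=192.168.20.0/24 dst-address=192.168.50.0/24 comment="Trusted -> Guest: blocked"
add chain=forward action=accept src-address=192.168.20.0/24 comment="Trusted -> IoT, Servers, Legacy, Internet"

# IoT row: DNS to AdGuard is the only internal destination, then Internet only.
add chain=forward action=accept src-address=192.168.30.0/24 dst-address=192.168.40.4 protocol=udp dst-port=53 comment="IoT -> AdGuard DNS"
add chain=forward action=accept src-address=192.168.30.0/24 dst-address=192.168.40.4 protocol=tcp dst-port=53 comment="IoT -> AdGuard DNS (TCP)"
add chain=forward action=drop src-address=192.168.30.0/24 dst-address-list=vlan-internal comment="IoT -> other VLANs: blocked"
add chain=forward action=accept src-address=192.168.30.0/24 comment="IoT -> Internet (filtered at AdGuard)"

# Cameras row: geo-block first (step 4), then DNS and the firmware hosts, nothing else.
add chain=forward action=drop src-address=192.168.35.0/24 dst-address-list=blocked-countries comment="Cameras geo-block"
add chain=forward action=accept src-address=192.168.35.0/24 dst-address=192.168.40.4 protocol=udp dst-port=53 comment="Cameras -> AdGuard DNS"
add chain=forward action=accept src-address=192.168.35.0/24 dst-address-list=camera-firmware protocol=tcp dst-port=443 comment="Cameras -> firmware updates"
add chain=forward action=drop src-address=192.168.35.0/24 comment="Cameras -> anything else: blocked"

# Servers row: Internet only; they never open connections into other VLANs.
add chain=forward action=drop src-address=192.168.40.0/24 dst-address-list=vlan-internal comment="Servers -> other VLANs: blocked"
add chain=forward action=accept src-address=192.168.40.0/24 comment="Servers -> Internet"

# Guest row: Internet only.
add chain=forward action=drop src-address=192.168.50.0/24 dst-address-list=vlan-internal comment="Guest -> internal: blocked"
add chain=forward action=accept src-address=192.168.50.0/24 comment="Guest -> Internet"

# Anything not accepted above is logged (log continues to the next rule) and dropped.
add chain=forward action=log log-prefix="fw-forward-drop" comment="log unmatched"
add chain=forward action=drop comment="default deny"
```

Two things these rules cannot do: traffic that stays inside one VLAN (cameras to the NVR, the ⚠️ cells on the diagonal) never crosses the router, so "no inter-camera communication" and guest client isolation have to be enforced on the switch and access point, not here; and mDNS from Trusted into IoT needs a relay on the router rather than a forward rule, because multicast is not routed. Test the matrix from a host in each VLAN before Phase 5 turns the rules on, since a mis-ordered accept above a drop silently widens access.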

DNS Configuration

| VLAN | DNS Server | Filtering Level |
|---|---|---|
| 1 Legacy | 192.168.31.1 | Current setup |
| 10 Management | 192.168.10.1 | Minimal |
| 20 Trusted | 192.168.40.4 | Standard |
| 30 IoT | 192.168.40.4 | IoT blocklist |
| 35 Cameras | 192.168.40.4 | Strict + geo-block |
| 40 Servers | 8.8.8.8/1.1.1.1 | None (external) |
| 50 Guest | 192.168.40.4 | Strict |
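Handing out AdGuard via DHCP only works for devices that honour the lease; many IoT devices and cameras ship with a hard-coded resolver. The following added example (not part of the proposal's configuration) implements the "DNS enforcement" item from Phase 5 for the four VLANs the table above points at AdGuard: plain DNS is transparently redirected to 192.168.40.4, and DNS-over-TLS to any other resolver is dropped. It assumes the subnets from the VLAN Definitions table and that AdGuard answers DoT on 853, as listed in the Servers table.

```routeros
# Added example (not from the proposal): DNS enforcement for the AdGuard-served VLANs.
# Servers (external DNS), Management and Legacy are deliberately left alone.

/ip firewall address-list
add list=dns-enforced address=192.168.20.0/24 comment="Trusted"
add list=dns-enforced address=192.168.30.0/24 comment="IoT"
add list=dns-enforced address=192.168.35.0/24 comment="Cameras"
add list=dns-enforced address=192.168.50.0/24 comment="Guest"

/ip firewall nat
# Transparent redirect: any plain-DNS query not already aimed at AdGuard is rewritten to it.
# Connection tracking reverses the translation on the reply, so the client sees an answer
# from the resolver it asked, even though AdGuard produced it.
add chain=dstnat action=dst-nat to-addresses=192.168.40.4 to-ports=53 protocol=udp dst-port=53 src-address-list=dns-enforced dst-address=!192.168.40.4 comment="DNS enforcement (UDP)"
add chain=dstnat action=dst-nat to-addresses=192.168.40.4 to-ports=53 protocol=tcp dst-port=53 src-address-list=dns-enforced dst-address=!192.168.40.4 comment="DNS enforcement (TCP)"

/ip firewall filter
# Encrypted DNS cannot be rewritten without breaking it, so DoT (TCP 853) and DoQ (UDP 853)
# to anything other than AdGuard are dropped. place-before=0 puts these at the top of the
# chain so no broader accept rule matches first.
add chain=forward action=drop protocol=tcp dst-port=853 src-address-list=dns-enforced dst-address=!192.168.40.4 comment="block DoT bypass" place-before=0
add chain=forward action=drop protocol=udp dst-port=853 src-address-list=dns-enforced dst-address=!192.168.40.4 comment="block DoQ bypass" place-before=0
```

DNS-over-HTTPS rides on 443 and is indistinguishable from web traffic by port, so it is not caught here; blocking the known public DoH resolvers by hostname in AdGuard (which then never hands out their addresses) is the usual complement. AdGuard's own query log is the quickest way to confirm enforcement: after applying these rules, every IoT and camera device should appear there within one lease period.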

WiFi SSID Mapping

| SSID | VLAN | Band | Security | Hidden |
|---|---|---|---|---|
| Home | 20 | 2.4+5 GHz | WPA3 | No |
| Home-IoT | 30 | 2.4 GHz | WPA2 | No |
| Home-Guest | 50 | 2.4+5 GHz | WPA2 | No |
| Admin | 10 | 5 GHz | WPA3 | Yes |

MikroTik Implementation

1. Create VLANs

/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-trusted vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan35-cameras vlan-id=35
add interface=bridge name=vlan40-servers vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50

2. IP Addresses

/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.35.1/24 interface=vlan35-cameras
add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest

3. DHCP Pools

/ip pool
add name=pool-trusted ranges=192.168.20.100-192.168.20.220
add name=pool-iot ranges=192.168.30.100-192.168.30.220
add name=pool-cameras ranges=192.168.35.100-192.168.35.140
add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.200
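The pools above need a DHCP server bound to each VLAN interface before they hand out anything. The following is an added example (not part of the proposal's own configuration) that completes step 3: it attaches a server to each interface from step 1, gives out the gateway from the VLAN Definitions table and the resolver from the DNS Configuration table, applies the 4-hour lease and 50 Mbps cap from the Guest table, and pins the NVR to .35.10. The 1-day lease for the other VLANs and the NVR's MAC address are assumptions (the MAC is a placeholder).

```routeros
# Added example (not from the proposal): DHCP servers per VLAN, using the step-3 pools.
/ip dhcp-server
add name=dhcp-trusted interface=vlan20-trusted address-pool=pool-trusted lease-time=1d disabled=no
add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot lease-time=1d disabled=no
add name=dhcp-cameras interface=vlan35-cameras address-pool=pool-cameras lease-time=1d disabled=no
add name=dhcp-servers interface=vlan40-servers address-pool=pool-servers lease-time=1d disabled=no
# Guest table: 4-hour lease so visitor addresses are recycled quickly.
add name=dhcp-guest interface=vlan50-guest address-pool=pool-guest lease-time=4h disabled=no

# Gateway and DNS per VLAN, from the VLAN Definitions and DNS Configuration tables.
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.40.4 comment="Trusted: AdGuard standard"
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.40.4 comment="IoT: AdGuard IoT blocklist"
add address=192.168.35.0/24 gateway=192.168.35.1 dns-server=192.168.40.4 comment="Cameras: AdGuard strict + geo-block"
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=8.8.8.8,1.1.1.1 comment="Servers: external DNS"
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.40.4 comment="Guest: AdGuard strict"

# Static lease so the NVR always receives .35.10, which sits outside the dynamic pool.
# The MAC below is a placeholder (assumption); replace it with the real NVR address.
/ip dhcp-server lease
add address=192.168.35.10 mac-address=02:00:00:00:00:01 server=dhcp-cameras comment="NVR - replace placeholder MAC"

# Guest table: 50 Mbps cap (upload/download) for the whole Guest subnet.
/queue simple
add name=guest-50m target=192.168.50.0/24 max-limit=50M/50M comment="Guest VLAN bandwidth limit"
```

The servers only see requests once the bridge and switch trunk ports carry the VLAN tags configured in Phase 1, so a VLAN whose clients get no lease is usually a tagging problem rather than a DHCP one. Client isolation for the Guest SSID is a setting on the cAP ac's wireless interface (on the legacy wireless driver, `default-forwarding=no`), not something the router's DHCP or queue configuration can provide.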

4. Camera Geo-Blocking

/ip firewall address-list
add list=blocked-countries address=0.0.0.0/8 comment="CN/RU blocks - add actual ranges"

/ip firewall filter
add chain=forward action=drop src-address=192.168.35.0/24 dst-address-list=blocked-countries

Migration Plan

Phase 1: Preparation (No Downtime)

  • Document all static IPs and MAC addresses
  • Create device inventory with target VLANs
  • Configure VLANs on MikroTik (inactive)
  • Configure switch trunk ports
  • Test on isolated port

Phase 2: Infrastructure (Brief Downtime)

  • Create VLAN interfaces and IPs
  • Configure DHCP per VLAN
  • Move Unraid management to VLAN 10
  • Move AdGuard to VLAN 40
  • Update container networks

Phase 3: WiFi (Rolling)

  • Create new SSIDs per VLAN
  • Move personal devices to VLAN 20
  • Move IoT devices to VLAN 30
  • Test mDNS/Bonjour relay

Phase 4: Cameras & Security

  • Move cameras to VLAN 35
  • Implement geo-blocking
  • Test camera isolation
  • Verify Trusted can view feeds

Phase 5: Cleanup

  • Implement all firewall rules
  • Enable DNS enforcement
  • Migrate remaining devices from VLAN 1
  • Document final configuration
  • Deprecate VLAN 1 (keep for emergency)

Rollback Plan

If issues occur:

  1. All devices can temporarily use VLAN 1 (legacy)
  2. MikroTik remains accessible on 192.168.31.1
  3. Keep VLAN 1 DHCP active during transition