infrastructure/docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md

# VLAN Setup Complete - Session Summary

**Date:** 2026-01-31
**Status:** COMPLETED
**Backup:** `vlan-setup-complete-2026-01-31.backup` and `.rsc` on router

---

## Executive Summary

Successfully implemented VLAN network segmentation on MikroTik hAP ax³ with:
- Port-based VLAN assignment for wired infrastructure
- MAC-based dynamic VLAN assignment for WiFi devices via access-list
- CAPsMAN configured for CAP XL ac management

---

## Current Network Configuration

### Router Access

| Method | IP | Port | User | Notes |
|--------|-----|------|------|-------|
| WinBox | 192.168.10.1 | 8291 | xtrm | Primary management |
| WebFig | 192.168.10.1 | 80 | xtrm | Web interface |
| SSH (Mac) | 192.168.10.1 | **2222** | xtrm | Key: ~/.ssh/mikrotik_key |
| SSH (Unraid) | 192.168.10.1 | **2222** | unraid | Key: ~/.ssh/id_ed25519 |
| WinBox | 192.168.1.1 | 8291 | xtrm | Via VLAN 40 |
| WinBox | 192.168.20.1 | 8291 | xtrm | Via VLAN 20 |

**Important:** SSH is on port **2222**, not 22!

### VLAN Structure (Implemented)

| VLAN | Name | Subnet | Gateway | DHCP Pool | Status |
|------|------|--------|---------|-----------|--------|
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | .100-.200 | ✅ Working |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | .100-.200 | ✅ Working |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | .100-.200 | ✅ Configured |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | .100-.200 | ✅ Configured |
| 40 | Catch-All | 192.168.1.0/24 | 192.168.1.1 | .10-.250 | ✅ Default |

### Port Assignments

```
HAP ax³ Ports:
├── ether1: WAN (ISP DHCP)
├── ether2: CAP XL ac → VLAN 10 (PVID=10)
├── ether3: CSS326 switch → VLAN 10 (PVID=10)
├── ether4: Unraid eth1 → VLAN 10 (PVID=10)
├── ether5: Unraid eth2 → VLAN 10 (PVID=10)
├── wifi1: XTRM (5GHz) → Tagged VLANs 20,25,30,40
└── wifi2: XTRM2 (2.4GHz) → Tagged VLANs 20,25,30,40
```

### Bridge VLAN Table

```routeros
# VLAN 10 - Management (port-based)
vlan-ids=10 tagged=bridge untagged=ether2,ether3,ether4,ether5

# VLAN 20 - Trusted (WiFi MAC-based)
vlan-ids=20 tagged=bridge,wifi1,wifi2

# VLAN 25 - Kids (WiFi MAC-based)
vlan-ids=25 tagged=bridge,wifi1,wifi2

# VLAN 30 - IoT (WiFi MAC-based)
vlan-ids=30 tagged=bridge,wifi1,wifi2

# VLAN 40 - Catch-All (WiFi default)
vlan-ids=40 tagged=bridge untagged=wifi1,wifi2
```

---

## WiFi Configuration

### SSIDs

| SSID | Band | Interface | Password | Security |
|------|------|-----------|----------|----------|
| XTRM | 5GHz | wifi1 | M0stW4nt3d@home | WPA2/WPA3 |
| XTRM2 | 2.4GHz | wifi2 | M0stW4nt3d@IoT | WPA2 |

### WiFi Datapath (Critical for VLAN)

```routeros
/interface wifi datapath
add name=dp-vlan bridge=bridge

/interface wifi configuration
set cfg-xtrm datapath=dp-vlan
set cfg-xtrm2 datapath=dp-vlan
```

### WiFi Access-List (MAC-based VLAN Assignment)

The access-list assigns VLANs based on client MAC address:

```routeros
/interface wifi access-list

# VLAN 20 - Trusted devices
add action=accept mac-address=AA:ED:8B:2A:40:F1 vlan-id=20 comment="Samsung S25 Ultra - Kaloyan"
add action=accept mac-address=CE:B8:11:EA:8D:55 vlan-id=20 comment="MacBook - Kaloyan"
add action=accept mac-address=BE:A7:95:87:19:4A vlan-id=20 comment="MacBook 5GHz - Kaloyan"

# VLAN 25 - Kids devices
add action=accept mac-address=F2:B8:14:61:C8:27 vlan-id=25 comment="iPhone - Dancho"
add action=accept mac-address=90:91:64:70:0D:86 vlan-id=25 comment="Notebook - Kimi"
add action=accept mac-address=2A:2B:BA:86:D4:AF vlan-id=25 comment="iPhone - Kimi"

# VLAN 30 - IoT devices
add action=accept mac-address=D0:E7:82:F7:65:DD vlan-id=30 comment="Chromecast"
add action=accept mac-address=94:27:70:1E:0C:EE vlan-id=30 comment="Bosch Oven"
add action=accept mac-address=C8:5C:CC:52:EA:53 vlan-id=30 comment="Xiaomi Air Purifier"
add action=accept mac-address=18:DE:50:5B:C8:A6 vlan-id=30 comment="Tuya Device 1"
add action=accept mac-address=38:1F:8D:04:6F:E4 vlan-id=30 comment="Tuya Device 2"
add action=accept mac-address=D4:AD:FC:BE:13:B0 vlan-id=30 comment="Intellirocks"

# Default - VLAN 40 for unknown devices (MUST be last!)
add action=accept vlan-id=40 comment="Default - VLAN40"
```

**Important:** The default rule (no MAC specified) must be LAST in the list!

---

## VLAN 10 Verified Devices

| IP | MAC | Device | Status |
|----|-----|--------|--------|
| 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP ax³ (Gateway) | ✅ |
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | ✅ |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 Switch | ✅ |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | ✅ |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | Unraid Server | ✅ Verified |
| 192.168.10.200 | 48:DA:35:6F:BE:50 | NanoKVM | ✅ |

---

## CAPsMAN Configuration

```routeros
/interface wifi capsman
set enabled=yes interfaces=wifi1,wifi2 package-path="" upgrade-policy=suggest-same-version

/interface wifi provisioning
add action=create-enabled master-configuration=cfg-xtrm name-format=identity slave-configurations=cfg-xtrm2 supported-bands=5ghz-ax
add action=create-enabled master-configuration=cfg-xtrm2 name-format=identity slave-configurations=cfg-xtrm supported-bands=2ghz-ax
```

---

## Critical Lessons Learned

### 1. VLAN Filtering Breaks IP on Bridge
When you enable `vlan-filtering=yes` on the bridge:
- IP address on the bridge interface **stops working**
- You **must** have IP on the VLAN interface instead
- Never have same IP on both bridge and VLAN interface simultaneously

### 2. Correct Order of Operations
```
1. Create VLAN interfaces
2. Add IPs to VLAN interfaces (can have temporary duplicate)
3. Configure bridge VLAN table
4. Set port PVIDs
5. Add VLAN interfaces to firewall interface lists (LAN)
6. Enable VLAN filtering
7. Remove IP from bridge (if any duplicate)
8. Move DHCP server to VLAN interface
```

### 3. WiFi VLAN Assignment
- **Do NOT use** `action=query-radius` without configured RADIUS users
- **Use** WiFi datapath with `bridge=bridge`
- **Use** access-list with `vlan-id=XX` for MAC-based assignment
- WiFi interfaces must be **tagged** in bridge VLAN table for dynamic VLANs

### 4. Firewall Interface Lists
After creating VLAN interfaces, add them to the LAN list:
```routeros
/interface list member add list=LAN interface=vlan10-mgmt
/interface list member add list=LAN interface=vlan20-trusted
/interface list member add list=LAN interface=vlan25-kids
/interface list member add list=LAN interface=vlan30-iot
/interface list member add list=LAN interface=vlan40-catchall
```

### 5. Safe Mode
- Enter with **Ctrl+X** in WinBox
- Changes auto-rollback if connection lost (~10 minutes)
- Exit and save with **Ctrl+X** again

---

## Useful Commands

### Verify VLAN Status
```routeros
/interface bridge print where name=bridge
/interface bridge vlan print detail
/interface bridge port print
/ip address print
```

### Check WiFi Clients and VLAN Assignment
```routeros
/interface wifi registration-table print
/interface wifi access-list print
```

### Check DHCP Leases per VLAN
```routeros
/ip dhcp-server lease print where server=dhcp-vlan10
/ip dhcp-server lease print where server=dhcp-vlan20
```

### Add New Device to Access-List
```routeros
/interface wifi access-list add action=accept mac-address=XX:XX:XX:XX:XX:XX vlan-id=20 comment="Device Name" place-before=[find comment="Default - VLAN40"]
```

### Emergency Rollback
```routeros
/interface bridge set bridge vlan-filtering=no
```

### Restore from Backup
```routeros
/system backup load name=vlan-setup-complete-2026-01-31
```

---

## Pending Tasks

1. **Configure CAP XL ac to join CAPsMAN**
   - CAP is on VLAN 10 at 192.168.10.2
   - Needs provisioning to extend WiFi coverage

2. **Configure CSS326 for VLAN Trunking**
   - Switch is on VLAN 10 at 192.168.10.3
   - Needs VLAN configuration for room distribution

3. **Add Remaining Devices to Access-List**
   - As devices connect, add their MACs to appropriate VLANs

4. **Configure Inter-VLAN Firewall Rules**
   - Management → All (full access)
   - Trusted → IoT (control smart home)
   - IoT → Internet only (isolated)
   - Guest → Internet only (isolated)

5. **Test VLAN 25 (Kids) and VLAN 30 (IoT)**
   - Connect devices and verify DHCP/internet

---

## Connection Commands Reference

### SSH to Unraid (VLAN 10)
```bash
ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422
```

### SSH to MikroTik (port 2222!)

From Mac:
```bash
ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1
```

From Unraid:
```bash
ssh -p 2222 unraid@192.168.10.1
```

### Quick Status from Unraid
```bash
ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422 "docker ps -a --format 'table {{.Names}}\t{{.Status}}'"
```

---

## Backup Files on Router

| File | Size | Description |
|------|------|-------------|
| vlan-setup-complete-2026-01-31.backup | 177.6 KiB | Binary backup (full restore) |
| vlan-setup-complete-2026-01-31.rsc | 12.5 KiB | Script export (readable) |

**Download via:** WinBox → Files → Select file → Download

---

## Network Diagram (Current)

```
                    Internet
                        │
                        ▼
┌───────────────────────────────────────────────────────────────┐
│                 HAP ax³ (192.168.10.1)                        │
│                 RouterOS 7.21.1                               │
│                                                               │
│  VLAN 10: 192.168.10.0/24 (Management)                       │
│  VLAN 20: 192.168.20.0/24 (Trusted)                          │
│  VLAN 25: 192.168.25.0/24 (Kids)                             │
│  VLAN 30: 192.168.30.0/24 (IoT)                              │
│  VLAN 40: 192.168.1.0/24  (Catch-All/Default)                │
│                                                               │
│  ether2 ─┬─ CAP XL ac (192.168.10.2)                         │
│  ether3 ─┼─ CSS326 (192.168.10.3) ─── NanoKVM (.199)         │
│  ether4 ─┼─ Unraid (192.168.10.20)                           │
│  ether5 ─┘                                                    │
│                                                               │
│  wifi1 (XTRM 5GHz)  ──┬── VLAN 20/25/30/40 via access-list  │
│  wifi2 (XTRM2 2.4GHz)─┘                                      │
└───────────────────────────────────────────────────────────────┘
```

---

## Session Timeline

1. **CAPsMAN Setup** - Configured WiFi profiles (cfg-xtrm, cfg-xtrm2) and security
2. **Research** - Studied MikroTik forums for correct VLAN approach
3. **VLAN Infrastructure** - Created VLANs 10, 20, 25, 30, 40 with DHCP
4. **Safe Mode Implementation** - Used atomic script for VLAN filtering
5. **WiFi VLAN** - Configured datapath and access-list for MAC-based assignment
6. **Verification** - Tested connectivity on all VLANs
7. **Backup** - Created `vlan-setup-complete-2026-01-31`

---

**Document Version:** 1.0
**Last Updated:** 2026-01-31