Issues fixed after first activation attempt:
- DHCP DNS now points to each VLAN gateway
- DNS redirect rules cover all VLANs
- VLAN interfaces added to LAN firewall list
- NAT masquerade for VLAN→AdGuard traffic

CSS326 switch configured via SwOS. MikroTik backup saved. Ready to enable VLAN filtering when convenient.
# VLAN Network Segmentation

**Last Updated:** 2026-01-26
**Status:** Phase 1 Complete, Phase 2 Partial - CSS326 Configured, Awaiting Activation

## Overview

Network segmentation using VLANs for security isolation between device types.

## VLAN Architecture
| VLAN ID | Name | Subnet | Gateway | Purpose | Devices |
|---|---|---|---|---|---|
| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Default/Legacy network (transition) | - |
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Network infrastructure | 6 |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family devices (phones, laptops) | 9 |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices (parental controls) | 6 |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | 14 |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras (isolated) | 1 |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Printers, services | 1 |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest network (internet only) | 7 |
| **Total** | | | | | 44 |
## Current Status

### MikroTik hAP ax³ ✅ READY
- VLAN interfaces created (10, 20, 25, 30, 35, 40, 50)
- IP addresses assigned to all VLANs
- DHCP servers for each VLAN
- DHCP pools configured
- Static DHCP leases (44 devices)
- Bridge VLAN table entries
- DHCP DNS set to each VLAN gateway (fixed 2026-01-26)
- VLAN interfaces added to LAN list (fixed 2026-01-26)
- DNS redirect rules for all VLANs (fixed 2026-01-26)
- NAT masquerade for VLAN→AdGuard (fixed 2026-01-26)
- Firewall rules for inter-VLAN isolation
- VLAN filtering enabled (PENDING - ready to activate)
### CSS326 Switch ✅ CONFIGURED
- VLAN mode enabled
- VLANs created (1, 10, 20, 25, 30, 35, 40, 50)
- Port 1 - Trunk to router (tagged all VLANs)
- Port 2 - Access VLAN 10 (NanoKVM)
- Port 17-18 - Access VLAN 25 (Kids rooms)
- Port 19-21 - Access VLAN 20 (Main bedroom)
- Port 22-24 - Access VLAN 30 (Living room)
- SFP1 - Trunk to ZX1 (tagged all VLANs)
### Backup Created ✅

- MikroTik backup: `/mnt/user/appdata/backups/mikrotik/backup-before-vlan-filtering-20260125-213635.rsc`

## DHCP Configuration
| VLAN | Server | Pool | DNS Server | Lease |
|---|---|---|---|---|
| 10 | dhcp-mgmt | 192.168.10.100-200 | 192.168.10.1 | 30m |
| 20 | dhcp-trusted | 192.168.20.100-220 | 192.168.20.1 | 30m |
| 25 | dhcp-kids | 192.168.25.100-200 | 192.168.25.1 | 30m |
| 30 | dhcp-iot | 192.168.30.100-220 | 192.168.30.1 | 30m |
| 35 | dhcp-cameras | 192.168.35.100-150 | 192.168.35.1 | 30m |
| 40 | dhcp-servers | 192.168.40.100-150 | 192.168.40.1 | 30m |
| 50 | dhcp-guest | 192.168.50.100-220 | 192.168.50.1 | 4h |
**DNS Flow:** Device → VLAN Gateway → NAT Redirect → AdGuard (172.17.0.2) → Internet

## Issues Fixed (2026-01-26)

**Problem:** Internet broke when VLAN filtering was enabled.

**Root Causes:**
- DHCP DNS pointed to 192.168.31.1 (legacy) - unreachable from VLANs
- DNS redirect rules only covered 192.168.31.0/24
- VLAN interfaces not in LAN firewall list
- No NAT masquerade for VLAN→AdGuard traffic
**Fixes Applied:**

```routeros
# 1. DHCP DNS now points to each VLAN gateway
/ip dhcp-server network set [find address=192.168.20.0/24] dns-server=192.168.20.1
# ... repeated for all VLANs
# 2. DNS redirect for all VLANs (sources in the all-vlans address list, UDP/53)
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address-list=all-vlans dst-port=53
# 3. VLAN interfaces in LAN list
/interface list member add list=LAN interface=vlan20-trusted
# ... repeated for all VLANs
# 4. NAT masquerade for VLAN DNS (source becomes the router, so AdGuard's replies return through the router for de-NAT)
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address-list=all-vlans dst-address=172.17.0.2 dst-port=53
```
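Root causes 1 and 2 above are both plan-consistency errors that can be caught before VLAN filtering is switched on. The following pre-activation checker is an added example, not part of the original document or any MikroTik tooling: it encodes the VLAN and DHCP tables from this page and the `protocol=udp` match of the dstnat rule; the membership of the `all-vlans` address list is an assumption, since the page references that list but never shows its contents.

```python
import ipaddress

# Transcribed from the VLAN Architecture and DHCP Configuration tables on this page:
# vlan id -> (subnet, DHCP dns-server, DHCP pool)
VLANS = {
    10: ("192.168.10.0/24", "192.168.10.1", "192.168.10.100-200"),
    20: ("192.168.20.0/24", "192.168.20.1", "192.168.20.100-220"),
    25: ("192.168.25.0/24", "192.168.25.1", "192.168.25.100-200"),
    30: ("192.168.30.0/24", "192.168.30.1", "192.168.30.100-220"),
    35: ("192.168.35.0/24", "192.168.35.1", "192.168.35.100-150"),
    40: ("192.168.40.0/24", "192.168.40.1", "192.168.40.100-150"),
    50: ("192.168.50.0/24", "192.168.50.1", "192.168.50.100-220"),
}
# Assumption: the all-vlans address list used by the NAT rules holds every VLAN subnet.
ALL_VLANS_MEMBERS = set(VLANS)
REDIRECT_PROTOCOLS = {"udp"}  # the dstnat redirect on this page matches udp only


def pool_range(pool):
    """Expand a RouterOS-style pool '192.168.20.100-220' into (first, last) addresses."""
    first, last = pool.split("-")
    prefix = first.rsplit(".", 1)[0]
    return ipaddress.ip_address(first), ipaddress.ip_address(f"{prefix}.{last}")


def check_plan(vlans, list_members, protocols):
    """Return findings as strings; an empty list means the plan is consistent."""
    findings, seen = [], []
    for vid, (cidr, dns, pool) in vlans.items():
        net, gw = ipaddress.ip_network(cidr), ipaddress.ip_address(dns)
        # Root cause 1 on this page: DHCP must hand out a DNS server inside the VLAN.
        if gw not in net:
            findings.append(f"vlan{vid}: DHCP dns-server {dns} is outside {cidr}")
        lo, hi = pool_range(pool)
        if lo not in net or hi not in net or lo > hi:
            findings.append(f"vlan{vid}: pool {pool} is not inside {cidr}")
        elif lo <= gw <= hi:
            findings.append(f"vlan{vid}: pool {pool} contains the gateway {dns}")
        for other_vid, other in seen:
            if net.overlaps(other):
                findings.append(f"vlan{vid}: {cidr} overlaps vlan{other_vid}")
        seen.append((vid, net))
        # Root cause 2: the redirect only fires for sources that are in all-vlans.
        if vid not in list_members:
            findings.append(f"vlan{vid}: not in all-vlans, DNS is not redirected")
    if "tcp" not in protocols:
        findings.append("dstnat redirect matches udp only; tcp/53 is not sent to AdGuard")
    return findings
```

With the tables as published, `check_plan(VLANS, ALL_VLANS_MEMBERS, REDIRECT_PROTOCOLS)` reports only that TCP/53 is not redirected; feeding it the pre-fix value `192.168.31.1` as a VLAN's dns-server reproduces root cause 1.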
## Activation Steps (When Ready)

### Step 1: Enable VLAN Filtering

```routeros
/interface bridge set bridge vlan-filtering=yes
```

### Step 2: Force DHCP Renewal on Devices

Devices need a new IP from their VLAN DHCP server:
- Windows: `ipconfig /release && ipconfig /renew`
- Mac: System Preferences → Network → Renew DHCP
- Linux: `sudo dhclient -r && sudo dhclient`
- Phones/IoT: Toggle WiFi off/on

### Rollback (If Needed)

```routeros
/interface bridge set bridge vlan-filtering=no
```

## CSS326 Port Assignment
| Port | Connection | VLAN | Mode |
|---|---|---|---|
| 1 | HAP1 Router | All | Trunk |
| 2 | NanoKVM | 10 | Access |
| 3-16 | Unused | - | - |
| 17 | Boys Room B2 | 25 | Access |
| 18 | Boys Room B1 | 25 | Access |
| 19 | Main Bedroom M1 | 20 | Access |
| 20 | Main Bedroom M2 | 20 | Access |
| 21 | Main Bedroom M3 | 20 | Access |
| 22 | Living Room L1 | 30 | Access |
| 23 | Living Room L2 | 30 | Access |
| 24 | Living Room L3 | 30 | Access |
| SFP1 | ZX1 10G | All | Trunk |
| SFP2 | Unused | - | - |
## Related Documents

- `03-VLAN-DEVICE-ASSIGNMENT.md` - Device inventory (44 devices)
- `04-VLAN-MIGRATION-PLAN.md` - Original migration plan