infrastructure/docs/11-VLAN-IMPLEMENTATION.md
XTRM-Unraid 84b3952891
Add VLAN implementation documentation and scripts
- docs/11-VLAN-IMPLEMENTATION.md: Complete VLAN setup documentation
- scripts/mikrotik-vlan-setup.rsc: Full VLAN configuration script
- scripts/mikrotik-vlan-enable.rsc: VLAN filtering activation script

VLAN configuration is prepared but NOT YET ACTIVE.
Requires CSS326 switch configuration before enabling VLAN filtering.

VLANs configured:
- VLAN 1: Legacy (192.168.31.0/24)
- VLAN 10: Management (192.168.10.0/24)
- VLAN 20: Trusted (192.168.20.0/24)
- VLAN 30: IoT (192.168.30.0/24)
- VLAN 35: Cameras (192.168.35.0/24)
- VLAN 40: Servers (192.168.40.0/24)
- VLAN 50: Guest (192.168.50.0/24)
2026-01-25 16:20:59 +02:00


VLAN Network Segmentation

Overview

The network is segmented into VLANs so that each device class (management, trusted clients, IoT, cameras, servers, guests) sits in its own Layer 2 domain and can only reach the others over the paths the MikroTik firewall explicitly permits.

VLAN Architecture

VLAN ID  Name        Subnet           Purpose
-------  ----------  ---------------  -----------------------------------
1        Legacy      192.168.31.0/24  Default/Legacy network (transition)
10       Management  192.168.10.0/24  Network infrastructure
20       Trusted     192.168.20.0/24  Family devices (phones, laptops)
30       IoT         192.168.30.0/24  Smart home devices
35       Cameras     192.168.35.0/24  Security cameras (isolated)
40       Servers     192.168.40.0/24  Unraid, services
50       Guest       192.168.50.0/24  Guest network (internet only)

Current Status: PREPARED (Not Active)

VLAN filtering is NOT YET ENABLED on the bridge. The configuration is in place, but two things must happen, in this order:

  1. CSS326 switch VLAN configuration
  2. Final activation (vlan-filtering=yes on the bridge)

The order matters because the switch side decides which VLAN each wired device lands in: until its access ports are mapped and its uplink tags VLANs 10 to 50, enabling filtering on the router only moves the WiFi clients (PVID 20) and leaves every wired device on Legacy.

What's Configured

MikroTik hAP ax³:

  • VLAN interfaces created (vlan10-mgmt through vlan50-guest)
  • IP addresses assigned to VLAN interfaces
  • DHCP servers for each VLAN
  • DHCP pools configured
  • Static DHCP leases with MAC-to-IP mappings
  • Bridge VLAN table entries
  • WiFi ports PVID=20 (Trusted)
  • Firewall rules for inter-VLAN isolation
  • Address lists for firewall rules
  • VLAN filtering enabled on bridge (PENDING)

CSS326 Switch:

  • VLAN configuration (REQUIRES MANUAL CONFIG via SwOS)

Network Diagram

Internet
    │
    ▼
┌───────────────────────────────────────────────────────────┐
│                   MikroTik hAP ax³                        │
│                                                           │
│  Bridge (vlan-filtering=no)                               │
│  ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged)          │
│  ├── vlan10-mgmt    192.168.10.1/24                       │
│  ├── vlan20-trusted 192.168.20.1/24                       │
│  ├── vlan30-iot     192.168.30.1/24                       │
│  ├── vlan35-cameras 192.168.35.1/24                       │
│  ├── vlan40-servers 192.168.40.1/24                       │
│  └── vlan50-guest   192.168.50.1/24                       │
│                                                           │
│  Ports:                                                   │
│  ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs)       │
│  ├── hap-wifi1 → PVID=20 (untagged VLAN 20)              │
│  └── hap-wifi2 → PVID=20 (untagged VLAN 20)              │
└───────────────────────────────────────────────────────────┘
              │
              │ Trunk (VLANs 1,10,20,30,35,40,50)
              ▼
┌───────────────────────────────────────────────────────────┐
│                   CSS326-24G-2S+                          │
│                   192.168.31.9 (SwOS)                     │
│                                                           │
│  Requires VLAN configuration via web interface            │
│  - Port 1: Uplink to MikroTik (Trunk)                    │
│  - Other ports: Access ports per VLAN                     │
└───────────────────────────────────────────────────────────┘

Bridge VLAN Table

VLAN  Tagged                         Untagged
----  ------                         --------
1     bridge,eth3_CSS326_Uplink      eth2,eth4,ether5
10    bridge,eth3_CSS326_Uplink      -
20    bridge,eth3_CSS326_Uplink      hap-wifi1,hap-wifi2
30    bridge,eth3_CSS326_Uplink      -
35    bridge,eth3_CSS326_Uplink      -
40    bridge,eth3_CSS326_Uplink      -
50    bridge,eth3_CSS326_Uplink      -
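The same table expressed as RouterOS commands, as an added example that is not the repository's scripts/mikrotik-vlan-setup.rsc. It uses only the port names from the table and the VLAN interface names from the diagram. What it assumes beyond the page: the bridge is named bridge, the CSS326 really tags VLAN 1 on the trunk (as Step 1 of the activation plan requires), and ingress filtering plus frame-type restrictions on the ports are wanted, which is my hardening choice rather than something the page states.

```routeros
# Added example; NOT the repo's scripts/mikrotik-vlan-setup.rsc.
# Assumes: bridge named "bridge", port names as in the table above.
# Populating the VLAN table while vlan-filtering=no is harmless; nothing
# here turns filtering on.

# Layer 3 interfaces for each VLAN, hung off the bridge (the CPU port)
/interface vlan
add name=vlan10-mgmt    vlan-id=10 interface=bridge
add name=vlan20-trusted vlan-id=20 interface=bridge
add name=vlan30-iot     vlan-id=30 interface=bridge
add name=vlan35-cameras vlan-id=35 interface=bridge
add name=vlan40-servers vlan-id=40 interface=bridge
add name=vlan50-guest   vlan-id=50 interface=bridge

# Access ports: untagged ingress is assigned the PVID.
# frame-types=admit-only-untagged-and-priority-tagged (my choice) means a
# client on an access port cannot hop VLANs by sending its own 802.1Q tags;
# ingress-filtering=yes drops tagged frames for VIDs the port is not in.
/interface bridge port
set [find interface=eth2]      pvid=1  frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=eth4]      pvid=1  frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=ether5]    pvid=1  frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=hap-wifi1] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=hap-wifi2] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk to the CSS326: the table tags every VLAN on it, VLAN 1 included,
# so only tagged frames are expected. If the switch ends up sending VLAN 1
# untagged on port 1 instead, drop the frame-types setting on this line.
set [find interface=eth3_CSS326_Uplink] frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Bridge VLAN table, one line per row of the table above
/interface bridge vlan
add bridge=bridge vlan-ids=1  tagged=bridge,eth3_CSS326_Uplink untagged=eth2,eth4,ether5
add bridge=bridge vlan-ids=10 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=20 tagged=bridge,eth3_CSS326_Uplink untagged=hap-wifi1,hap-wifi2
add bridge=bridge vlan-ids=30 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=35 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=40 tagged=bridge,eth3_CSS326_Uplink
add bridge=bridge vlan-ids=50 tagged=bridge,eth3_CSS326_Uplink

# The bridge's own PVID must stay 1 so that 192.168.31.1, which lives on
# the bridge interface, keeps serving the untagged Legacy network.
/interface bridge set [find name=bridge] pvid=1

# Check before enabling filtering: the printed table, including dynamic
# (flag D) entries derived from the PVIDs, should match the table above.
/interface bridge vlan print
/interface bridge port print
```

Run it once, then compare vlan print and port print against the table before touching vlan-filtering; a port with a PVID that has no row in the VLAN table, or a trunk missing from a row, is the usual cause of a lockout when filtering is switched on.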

WiFi VLAN Assignment

Since both SSIDs (XTRM/XTRM2) remain on the same bridge:

  • All WiFi clients → VLAN 20 (Trusted) by default
  • MAC-based filtering via firewall rules for additional restrictions

Note: True per-device VLAN assignment on WiFi requires Dynamic VLAN via RADIUS (not configured). MAC-based rules are a convenience, not an authentication control: a MAC address is trivially spoofed, and several of the Trusted entries below are locally administered (randomized) addresses (first octet 82, AA, F2, 2A), which phones and laptops may rotate per network or over time, so leases and rules keyed on them can silently stop matching.

Device Assignments (via Static DHCP Leases)

VLAN 20 - Trusted (192.168.20.x)

IP MAC Device
192.168.20.10 82:6D:FB:D9:E0:47 Nora MacBookAir
192.168.20.11 AA:ED:8B:2A:40:F1 Kaloyan S25-Ultra
192.168.20.12 F2:B8:14:61:C8:27 Dancho iPhone
192.168.20.13 82:EC:EF:B5:F2:AF Kaloyan MacBook WiFi
192.168.20.14 90:91:64:70:0D:86 Kimi Notebook
192.168.20.15 2A:2B:BA:86:D4:AF Kimi iPhone
192.168.20.16 08:92:04:C6:07:C5 Kaloyan MacBook LAN
192.168.20.17 1C:83:41:32:F3:AF Kaloyan Game PC
192.168.20.18 A4:D1:D2:7B:52:BE Compusbg iPad

VLAN 30 - IoT (192.168.30.x)

IP MAC Device
192.168.30.10 B0:37:95:79:AF:9B LG TV
192.168.30.11 D0:E7:82:F7:65:DD Chromecast
192.168.30.12 B0:4A:39:3F:9A:14 Roborock Vacuum
192.168.30.13 94:27:70:1E:0C:EE Bosch Oven
192.168.30.14 C8:5C:CC:52:EA:53 Xiaomi Air Purifier
192.168.30.15 C8:D7:78:D6:DC:FC Bosch Washer

VLAN 35 - Cameras (192.168.35.x)

IP MAC Device
192.168.35.10 48:9E:9D:0E:16:F7 Reolink Doorbell

VLAN 10 - Management (192.168.10.x)

IP MAC Device
192.168.10.6 18:FD:74:54:3D:BC CAP XL ac
192.168.10.9 F4:1E:57:C9:BD:09 CSS326 Switch

VLAN 40 - Servers (192.168.40.x)

IP MAC Device
192.168.40.19 64:4E:D7:D8:43:3E HP LaserJet

Firewall Rules (Active)

The inter-VLAN rules are already loaded and enabled in /ip firewall filter, but they do not isolate anything yet. With vlan-filtering=no every bridge port is in one broadcast domain, and traffic switched between bridge ports never enters the IP firewall (unless use-ip-firewall is set in the bridge settings), so two hosts on the same bridge can talk directly at Layer 2 whatever these rules say. The rules only apply to traffic that is routed between the VLAN interfaces, which is exactly the traffic that exists once filtering is enabled.

# Allow rules
- Management → All VLANs (full access)
- Legacy → All VLANs (full access during transition)
- Trusted → IoT (can control smart devices)
- Trusted → Cameras (ports 80,443,554,8080,8554 only)
- Trusted → Servers (full access)
- Trusted → Legacy (full access)
- IoT/Cameras/Guest → DNS only (192.168.31.1:53). This is an input-chain rule towards the router itself, so the DHCP networks for VLANs 30, 35 and 50 must advertise 192.168.31.1 as the DNS server, and DHCP itself (UDP 67 to the router) must remain permitted or those VLANs never get a lease.

# Block rules
- Guest → All internal (isolated, internet only)
- Cameras → All VLANs (outbound/upload only, no lateral movement; Trusted reaches the cameras on the ports above and the replies ride the established connection)
- IoT → Management (cannot access network devices)
- IoT → Trusted (cannot access family devices)
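One way to write the policy above as RouterOS filter rules, as an added example and not the repository's ruleset. Everything in it follows from the bullet list except the interface list WAN for the internet uplink (the RouterOS default-config name, assumed here), the new interface list vlan-restricted (my name), TCP as the protocol for the camera ports (assumed; RTSP carried over UDP would need its own rule), and the placement of the input rules after the default established/related accept on the input chain.

```routeros
# Added example implementing the policy listed above; NOT the repo's ruleset.
# Assumed names (not in the page): interface list "WAN" (RouterOS default
# config) and a new interface list "vlan-restricted". VLAN interface names
# are from this document. These forward rules only bite once
# vlan-filtering=yes; before that, bridged traffic bypasses them.

/interface list add name=vlan-restricted comment="IoT, Cameras, Guest"
/interface list member
add list=vlan-restricted interface=vlan30-iot
add list=vlan-restricted interface=vlan35-cameras
add list=vlan-restricted interface=vlan50-guest

/ip firewall filter
# --- forward chain: traffic routed between VLANs -------------------------
# Stateful first: replies to permitted connections pass in either
# direction. This is what lets a Trusted client talk to a camera on 554
# while "Cameras -> all VLANs" stays blocked for camera-initiated traffic.
add chain=forward connection-state=established,related action=accept comment="vlan: stateful"
add chain=forward connection-state=invalid action=drop comment="vlan: invalid"

# Management and Legacy: full access everywhere (Legacy only during transition).
# Legacy is the untagged VLAN 1, whose gateway lives on the bridge interface.
add chain=forward in-interface=vlan10-mgmt action=accept comment="vlan: mgmt -> all"
add chain=forward in-interface=bridge action=accept comment="vlan: legacy -> all (transition)"

# Trusted: smart devices, cameras (listed ports only), servers, legacy, internet
add chain=forward in-interface=vlan20-trusted out-interface=vlan30-iot action=accept comment="vlan: trusted -> iot"
add chain=forward in-interface=vlan20-trusted out-interface=vlan35-cameras protocol=tcp dst-port=80,443,554,8080,8554 action=accept comment="vlan: trusted -> cameras (web/rtsp, tcp assumed)"
add chain=forward in-interface=vlan20-trusted out-interface=vlan40-servers action=accept comment="vlan: trusted -> servers"
add chain=forward in-interface=vlan20-trusted out-interface=bridge action=accept comment="vlan: trusted -> legacy"
add chain=forward in-interface=vlan20-trusted out-interface-list=WAN action=accept comment="vlan: trusted -> internet"

# IoT, Cameras, Guest: internet only ("upload only" for cameras means
# outbound to the internet; nothing inbound except replies to Trusted).
add chain=forward in-interface-list=vlan-restricted out-interface-list=WAN action=accept comment="vlan: restricted -> internet"

# Default deny for every inter-VLAN path not listed above. This covers
# Guest -> all, Cameras -> all, IoT -> Management and IoT -> Trusted, and
# also Trusted -> Management, which the page does not allow. Internet
# egress for VLANs the page does not mention (Servers) is left to the
# rules that follow this block.
add chain=forward in-interface-list=vlan-restricted action=drop comment="vlan: restricted, no lateral movement"
add chain=forward out-interface-list=!WAN action=drop comment="vlan: default deny between internal networks"

# --- input chain: what restricted VLANs may ask of the router itself ------
# Place these after the default "accept established,related" input rule.
# DHCP must still work or these VLANs never obtain an address.
add chain=input in-interface-list=vlan-restricted protocol=udp dst-port=67 action=accept comment="vlan: restricted dhcp"
# DNS only, and only to the address the page allows; the DHCP networks for
# VLANs 30/35/50 must therefore advertise 192.168.31.1 as DNS.
add chain=input in-interface-list=vlan-restricted dst-address=192.168.31.1 protocol=udp dst-port=53 action=accept comment="vlan: restricted dns udp"
add chain=input in-interface-list=vlan-restricted dst-address=192.168.31.1 protocol=tcp dst-port=53 action=accept comment="vlan: restricted dns tcp"
add chain=input in-interface-list=vlan-restricted action=drop comment="vlan: restricted -> router denied"
```

Rule order is the policy: the stateful accept goes first so that only connection direction is controlled, the allow rules name a source and destination VLAN explicitly, and the final drops catch everything else, so adding a VLAN later means adding allow rules rather than remembering new blocks. Note that the input drop also blocks ICMP to the gateway from IoT, Cameras and Guest, which is consistent with "DNS only" but will make a gateway ping from those VLANs fail by design.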

Activation Steps

Step 1: Configure CSS326 Switch (REQUIRED FIRST)

Access SwOS at http://192.168.31.9 and configure the items below. Decide first which VLAN the switch's own management interface will live in: today it answers at 192.168.31.9 on VLAN 1, while the static lease table places it at 192.168.10.9 on Management (VLAN 10). If SwOS is pointed at VLAN 10 before the trunk carries VLAN 10 tagged on both ends, the switch becomes unreachable and needs a physical reset, so keep its management on VLAN 1 until VLAN filtering on the router is confirmed working.

  1. VLAN settings:

    • Enable VLAN mode
    • Create VLANs: 1, 10, 20, 30, 35, 40, 50
  2. Port 1 (Uplink to MikroTik):

    • VLAN Mode: Trunk
    • Tagged VLANs: 1, 10, 20, 30, 35, 40, 50
  3. Port for Unraid:

    • VLAN Mode: Access
    • PVID: 1 (Legacy) or 40 (Servers)
  4. Other ports:

    • Assign access VLAN based on connected device

Step 2: Enable VLAN Filtering on MikroTik

# CAUTION: This may cause temporary connectivity loss.
# Run it from a session that survives the change: a wired client on one of the
# VLAN 1 untagged ports (eth2, eth4, ether5) still reaches 192.168.31.1 untagged
# afterwards, whereas a WiFi session lands on VLAN 20 and then depends on routing
# and firewall rules to get back to 192.168.31.1.
# Enter Safe Mode first (the WinBox Safe Mode button, or Ctrl+X in the terminal):
# if the session drops, RouterOS reverts everything done while in Safe Mode.
# Keep a second WinBox session on 192.168.31.1:8291 open as backup.

/interface bridge set [find name=bridge] vlan-filtering=yes

Step 3: Verify Connectivity

# From Unraid
ping 192.168.31.1  # MikroTik Legacy
ping 192.168.20.1  # MikroTik Trusted VLAN
ping 8.8.8.8       # Internet

# Negative checks (the isolation is the point). From a Guest or IoT client,
# using hosts from the lease tables above, these must FAIL:
ping 192.168.20.10  # Trusted host (Nora MacBookAir): expect no reply
ping 192.168.10.9   # Management host (CSS326): expect no reply
# ...while name resolution via the permitted DNS address still works:
nslookup example.com 192.168.31.1

Rollback (If Needed)

/interface bridge set [find name=bridge] vlan-filtering=no
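A safer version of Step 2 combined with the rollback, as an added example rather than the repository's scripts/mikrotik-vlan-enable.rsc: it arms a one-shot scheduler that reverts vlan-filtering after five minutes unless you remove it, so losing the management session is not fatal. The scheduler name vlan-rollback and the five-minute window are my choices; the bridge name bridge and the verification commands are standard RouterOS.

```routeros
# Added example; NOT the repo's scripts/mikrotik-vlan-enable.rsc.
# Enables VLAN filtering with a dead-man switch: a one-shot scheduler
# reverts the change after 5 minutes unless you delete it once you have
# confirmed connectivity. Assumes the bridge is named "bridge".

# 1. Arm the rollback BEFORE touching the bridge. interval=0 makes the
#    scheduler run exactly once, at start-time (start-date defaults to
#    today, so do not run this within 5 minutes of midnight: the computed
#    time would pass 24:00 and be rejected).
:local rollbackAt ([/system clock get time] + 00:05:00)
/system scheduler add name=vlan-rollback start-time=$rollbackAt interval=0 on-event="/interface bridge set [find name=bridge] vlan-filtering=no; /log warning \"vlan-rollback: vlan-filtering reverted\""
:put "rollback armed for $rollbackAt"

# 2. Read-only sanity checks: every bridge port needs a PVID that has a row
#    in the VLAN table, and the trunk must be tagged in every row.
/interface bridge port print where bridge=bridge
/interface bridge vlan print where bridge=bridge

# 3. Enable filtering (the command from Step 2).
/interface bridge set [find name=bridge] vlan-filtering=yes

# 4. Verify from the router: the host table now shows the VLAN each MAC was
#    learned on, and the per-VLAN DHCP servers start issuing their own subnets.
/interface bridge host print
/ip dhcp-server lease print where status=bound

# 5. COMMIT, only after the Step 3 checks pass: disarm the rollback.
#    Until you do, the scheduler from step 1 undoes everything at $rollbackAt.
#    /system scheduler remove [find name=vlan-rollback]
```

If the window expires before you commit, the bridge goes back to vlan-filtering=no and the log carries the "vlan-rollback" warning, which is the signal to check the VLAN table and port PVIDs before trying again. Commit by removing the scheduler entry; leaving a fired one-shot entry behind is harmless but untidy.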

Scripts

  • scripts/mikrotik-vlan-setup.rsc - Full VLAN configuration (run once)
  • scripts/mikrotik-vlan-enable.rsc - Enable VLAN filtering (after switch config)