jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7feabbbedfd785ab82695ee37fe9da78ae7034ff
infrastructure/docs/11-VLAN-IMPLEMENTATION.md
XTRM-Unraid 84b3952891
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
Add VLAN implementation documentation and scripts 
- docs/11-VLAN-IMPLEMENTATION.md: Complete VLAN setup documentation
- scripts/mikrotik-vlan-setup.rsc: Full VLAN configuration script
- scripts/mikrotik-vlan-enable.rsc: VLAN filtering activation script

VLAN configuration is prepared but NOT YET ACTIVE.
Requires CSS326 switch configuration before enabling VLAN filtering.

VLANs configured:
- VLAN 1: Legacy (192.168.31.0/24)
- VLAN 10: Management (192.168.10.0/24)
- VLAN 20: Trusted (192.168.20.0/24)
- VLAN 30: IoT (192.168.30.0/24)
- VLAN 35: Cameras (192.168.35.0/24)
- VLAN 40: Servers (192.168.40.0/24)
- VLAN 50: Guest (192.168.50.0/24)
2026-01-25 16:20:59 +02:00

216 lines
7.8 KiB
Markdown
Raw Blame History

# VLAN Network Segmentation
## Overview
Network segmentation using VLANs for security isolation between device types.
## VLAN Architecture
| VLAN ID | Name | Subnet | Purpose |
|---------|------|--------|---------|
| 1 | Legacy | 192.168.31.0/24 | Default/Legacy network (transition) |
| 10 | Management | 192.168.10.0/24 | Network infrastructure |
| 20 | Trusted | 192.168.20.0/24 | Family devices (phones, laptops) |
| 30 | IoT | 192.168.30.0/24 | Smart home devices |
| 35 | Cameras | 192.168.35.0/24 | Security cameras (isolated) |
| 40 | Servers | 192.168.40.0/24 | Unraid, services |
| 50 | Guest | 192.168.50.0/24 | Guest network (internet only) |
## Current Status: PREPARED (Not Active)
VLAN filtering is **NOT YET ENABLED** on the bridge. Configuration is ready but requires:
1. CSS326 switch VLAN configuration
2. Final activation
### What's Configured
**MikroTik hAP ax³:**
- [x] VLAN interfaces created (vlan10-mgmt through vlan50-guest)
- [x] IP addresses assigned to VLAN interfaces
- [x] DHCP servers for each VLAN
- [x] DHCP pools configured
- [x] Static DHCP leases with MAC-to-IP mappings
- [x] Bridge VLAN table entries
- [x] WiFi ports PVID=20 (Trusted)
- [x] Firewall rules for inter-VLAN isolation
- [x] Address lists for firewall rules
- [ ] VLAN filtering enabled on bridge (PENDING)
**CSS326 Switch:**
- [ ] VLAN configuration (REQUIRES MANUAL CONFIG via SwOS)
## Network Diagram
```
Internet
┌───────────────────────────────────────────────────────────┐
│ MikroTik hAP ax³ │
│ │
│ Bridge (vlan-filtering=no) │
│ ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged) │
│ ├── vlan10-mgmt 192.168.10.1/24 │
│ ├── vlan20-trusted 192.168.20.1/24 │
│ ├── vlan30-iot 192.168.30.1/24 │
│ ├── vlan35-cameras 192.168.35.1/24 │
│ ├── vlan40-servers 192.168.40.1/24 │
│ └── vlan50-guest 192.168.50.1/24 │
│ │
│ Ports: │
│ ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs) │
│ ├── hap-wifi1 → PVID=20 (untagged VLAN 20) │
│ └── hap-wifi2 → PVID=20 (untagged VLAN 20) │
└───────────────────────────────────────────────────────────┘
│ Trunk (VLANs 1,10,20,30,35,40,50)
┌───────────────────────────────────────────────────────────┐
│ CSS326-24G-2S+ │
│ 192.168.31.9 (SwOS) │
│ │
│ Requires VLAN configuration via web interface │
│ - Port 1: Uplink to MikroTik (Trunk) │
│ - Other ports: Access ports per VLAN │
└───────────────────────────────────────────────────────────┘
```
## Bridge VLAN Table
```
VLAN Tagged Untagged
---- ------ --------
1 bridge,eth3_CSS326_Uplink eth2,eth4,ether5
10 bridge,eth3_CSS326_Uplink -
20 bridge,eth3_CSS326_Uplink hap-wifi1,hap-wifi2
30 bridge,eth3_CSS326_Uplink -
35 bridge,eth3_CSS326_Uplink -
40 bridge,eth3_CSS326_Uplink -
50 bridge,eth3_CSS326_Uplink -
```
## WiFi VLAN Assignment
Since both SSIDs (XTRM/XTRM2) remain on the same bridge:
- **All WiFi clients → VLAN 20 (Trusted) by default**
- MAC-based filtering via firewall rules for additional restrictions
Note: True per-device VLAN assignment on WiFi requires Dynamic VLAN via RADIUS (not configured).
## Device Assignments (via Static DHCP Leases)
### VLAN 20 - Trusted (192.168.20.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.20.10 | 82:6D:FB:D9:E0:47 | Nora MacBookAir |
| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Kaloyan S25-Ultra |
| 192.168.20.12 | F2:B8:14:61:C8:27 | Dancho iPhone |
| 192.168.20.13 | 82:EC:EF:B5:F2:AF | Kaloyan MacBook WiFi |
| 192.168.20.14 | 90:91:64:70:0D:86 | Kimi Notebook |
| 192.168.20.15 | 2A:2B:BA:86:D4:AF | Kimi iPhone |
| 192.168.20.16 | 08:92:04:C6:07:C5 | Kaloyan MacBook LAN |
| 192.168.20.17 | 1C:83:41:32:F3:AF | Kaloyan Game PC |
| 192.168.20.18 | A4:D1:D2:7B:52:BE | Compusbg iPad |
### VLAN 30 - IoT (192.168.30.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.30.10 | B0:37:95:79:AF:9B | LG TV |
| 192.168.30.11 | D0:E7:82:F7:65:DD | Chromecast |
| 192.168.30.12 | B0:4A:39:3F:9A:14 | Roborock Vacuum |
| 192.168.30.13 | 94:27:70:1E:0C:EE | Bosch Oven |
| 192.168.30.14 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier |
| 192.168.30.15 | C8:D7:78:D6:DC:FC | Bosch Washer |
### VLAN 35 - Cameras (192.168.35.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell |
### VLAN 10 - Management (192.168.10.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.10.6 | 18:FD:74:54:3D:BC | CAP XL ac |
| 192.168.10.9 | F4:1E:57:C9:BD:09 | CSS326 Switch |
### VLAN 40 - Servers (192.168.40.x)
| IP | MAC | Device |
|----|-----|--------|
| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet |
## Firewall Rules (Active)
Inter-VLAN firewall rules are **ALREADY ACTIVE** even without VLAN filtering:
```
# Allow rules
- Management → All VLANs (full access)
- Legacy → All VLANs (full access during transition)
- Trusted → IoT (can control smart devices)
- Trusted → Cameras (ports 80,443,554,8080,8554 only)
- Trusted → Servers (full access)
- Trusted → Legacy (full access)
- IoT/Cameras/Guest → DNS only (192.168.31.1:53)
# Block rules
- Guest → All internal (isolated, internet only)
- Cameras → All VLANs (upload only, no lateral movement)
- IoT → Management (cannot access network devices)
- IoT → Trusted (cannot access family devices)
```
## Activation Steps
### Step 1: Configure CSS326 Switch (REQUIRED FIRST)
Access SwOS at http://192.168.31.9 and configure:
1. **VLAN settings:**
- Enable VLAN mode
- Create VLANs: 1, 10, 20, 30, 35, 40, 50
2. **Port 1 (Uplink to MikroTik):**
- VLAN Mode: Trunk
- Tagged VLANs: 1, 10, 20, 30, 35, 40, 50
3. **Port for Unraid:**
- VLAN Mode: Access
- PVID: 1 (Legacy) or 40 (Servers)
4. **Other ports:**
- Assign access VLAN based on connected device
### Step 2: Enable VLAN Filtering on MikroTik
```routeros
# CAUTION: This may cause temporary connectivity loss
# Have WinBox ready on 192.168.31.1:8291 as backup
/interface bridge set [find name=bridge] vlan-filtering=yes
```
### Step 3: Verify Connectivity
```bash
# From Unraid
ping 192.168.31.1 # MikroTik Legacy
ping 192.168.20.1 # MikroTik Trusted VLAN
ping 8.8.8.8 # Internet
```
### Rollback (If Needed)
```routeros
/interface bridge set [find name=bridge] vlan-filtering=no
```
## Scripts
- `scripts/mikrotik-vlan-setup.rsc` - Full VLAN configuration (run once)
- `scripts/mikrotik-vlan-enable.rsc` - Enable VLAN filtering (after switch config)
## Related Documents
- [VLAN-PROPOSAL.md](wip/VLAN-PROPOSAL.md) - Original planning document
- [00-CURRENT-STATE.md](00-CURRENT-STATE.md) - Network overview
Reference in New Issue View Git Blame Copy Permalink