infrastructure/docs/11-VLAN-IMPLEMENTATION.md
XTRM-Unraid a022d49c78
VLAN Phase 1 Complete: Added VLAN 25, configured 44 devices
- Added VLAN 25 (Kids) infrastructure on MikroTik
- Fixed all VLAN device leases to match assignment document
- Added newly discovered devices (XTRM-Ally, Dancho Windows, lwip0 IoT)
- Updated device assignment doc with 44 total devices
- Updated implementation doc with Phase 1 complete status
- Updated changelog with all changes

VLANs configured: 10, 20, 25, 30, 35, 40, 50
Next: CSS326 switch configuration
2026-01-25 21:26:41 +02:00


VLAN Network Segmentation

Last Updated: 2026-01-25
Status: Phase 1 Complete - MikroTik Configured

Overview

Network segmentation using 802.1Q VLANs to isolate device classes from each other. Each class gets its own VLAN, subnet and DHCP server on the MikroTik, and traffic between VLANs is routed through the firewall, so that, for example, an IoT device cannot reach management or trusted hosts even though they share the same physical switch and access point.

VLAN Architecture

| VLAN ID | Name | Subnet | Gateway | Purpose | Devices |
|---|---|---|---|---|---|
| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Default/Legacy network (transition) | - |
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Network infrastructure | 6 |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family devices (phones, laptops) | 9 |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices (parental controls) | 6 |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | 14 |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras (isolated) | 1 |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Printers, services | 1 |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest network (internet only) | 7 |
| Total | | | | | 44 |

Note that Legacy is VLAN 1 (the bridge's untagged/default VLAN) but uses 192.168.31.0/24; it is the only subnet whose third octet does not match its VLAN ID. Everything that is not assigned to another VLAN lands here until the transition is finished.

Current Status: PHASE 1 COMPLETE

MikroTik hAP ax³ Configuration

Completed:

  • VLAN interfaces created (vlan10-mgmt through vlan50-guest, including vlan25-kids)
  • IP addresses assigned to all VLAN interfaces
  • DHCP servers for each VLAN (7 servers)
  • DHCP pools configured (7 pools)
  • Static DHCP leases with MAC-to-IP mappings (44 devices)
  • Bridge VLAN table entries for all VLANs
  • WiFi ports PVID=20 (Trusted)
  • Firewall rules for inter-VLAN isolation
  • Firewall address lists for all VLANs

Pending:

  • VLAN filtering enabled on the bridge (requires the switch config first)

Until vlan-filtering=yes is set, the bridge VLAN table and port PVIDs are not enforced. The VLAN interfaces, DHCP servers and firewall rules already work for tagged traffic, but the bridge forwards frames with any VLAN tag between any of its ports, so a host on any port can reach another VLAN simply by sending tagged frames. Until the flag is flipped, the segmentation above exists on paper only.

CSS326 Switch Configuration

Required before VLAN activation:

  • VLAN configuration via SwOS web interface
  • Port assignments per device

Network Diagram

Internet
    │
    ▼
┌───────────────────────────────────────────────────────────┐
│                   MikroTik hAP ax³                        │
│                                                           │
│  Bridge (vlan-filtering=no)                               │
│  ├── 192.168.31.1/24 (Legacy - VLAN 1 untagged)          │
│  ├── vlan10-mgmt    192.168.10.1/24  (6 devices)         │
│  ├── vlan20-trusted 192.168.20.1/24  (9 devices)         │
│  ├── vlan25-kids    192.168.25.1/24  (6 devices)         │
│  ├── vlan30-iot     192.168.30.1/24  (14 devices)        │
│  ├── vlan35-cameras 192.168.35.1/24  (1 device)          │
│  ├── vlan40-servers 192.168.40.1/24  (1 device)          │
│  └── vlan50-guest   192.168.50.1/24  (7 devices)         │
│                                                           │
│  Ports:                                                   │
│  ├── eth3_CSS326_Uplink → Trunk (tagged all VLANs)       │
│  ├── hap-wifi1 → PVID=20 (untagged VLAN 20)              │
│  └── hap-wifi2 → PVID=20 (untagged VLAN 20)              │
└───────────────────────────────────────────────────────────┘
              │
              │ Trunk (VLANs 1,10,20,25,30,35,40,50)
              ▼
┌───────────────────────────────────────────────────────────┐
│                   CSS326-24G-2S+                          │
│                   192.168.31.9 (SwOS)                     │
│                                                           │
│  Requires VLAN configuration via web interface            │
│  - Port 1: Uplink to MikroTik (Trunk)                    │
│  - Other ports: Access ports per VLAN                     │
└───────────────────────────────────────────────────────────┘

Bridge VLAN Table

| VLAN | Tagged | Untagged |
|---|---|---|
| 1 | bridge, eth3_CSS326_Uplink | eth2, eth4, ether5 |
| 10 | bridge, eth3_CSS326_Uplink | - |
| 20 | bridge, eth3_CSS326_Uplink | hap-wifi1, hap-wifi2 |
| 25 | bridge, eth3_CSS326_Uplink | - |
| 30 | bridge, eth3_CSS326_Uplink | - |
| 35 | bridge, eth3_CSS326_Uplink | - |
| 40 | bridge, eth3_CSS326_Uplink | - |
| 50 | bridge, eth3_CSS326_Uplink | - |

DHCP Configuration

| VLAN | Server | Pool | Range | Lease Time |
|---|---|---|---|---|
| 10 | dhcp-mgmt | pool-mgmt | 192.168.10.100-200 | 30m |
| 20 | dhcp-trusted | pool-trusted | 192.168.20.100-220 | 30m |
| 25 | dhcp-kids | pool-kids | 192.168.25.100-200 | 30m |
| 30 | dhcp-iot | pool-iot | 192.168.30.100-220 | 30m |
| 35 | dhcp-cameras | pool-cameras | 192.168.35.100-150 | 30m |
| 40 | dhcp-servers | pool-servers | 192.168.40.100-150 | 30m |
| 50 | dhcp-guest | pool-guest | 192.168.50.100-220 | 4h |

Static DHCP Leases Summary

| VLAN | Devices | Examples |
|---|---|---|
| 10 - Mgmt | 6 | CAP XL ac, CSS326, ZX1, AdGuard, NanoKVM, Unraid |
| 20 - Trusted | 9 | Nora MacBook, Kaloyan devices, family phones |
| 25 - Kids | 6 | Dancho iPhone/Windows, Kimi devices, XTRM-Ally |
| 30 - IoT | 14 | GREE AC, LG TVs, Bosch appliances, Tuya, Xiaomi |
| 35 - Cameras | 1 | Reolink Doorbell |
| 40 - Servers | 1 | HP LaserJet |
| 50 - Guest | 7 | Unknown/unidentified devices |

Firewall Rules (Active)

Inter-VLAN firewall rules are configured on the MikroTik using the per-VLAN address lists. RouterOS evaluates the forward chain top-down and the first matching rule wins, so the allow rules must sit above the drops. The two tables below only form a complete policy if the chain ends with a rule that drops whatever traffic between internal subnets is still unmatched; without that final drop, pairs that appear in neither table (for example Kids → Trusted or IoT → Cameras) are accepted by RouterOS's default. Check the order and the final rule with `/ip firewall filter print where chain=forward`. The DNS rule is different in kind: its destination is the router's own address (192.168.31.1), so it is an input-chain rule, not a forward rule.

Allow Rules

| Source | Destination | Access |
|---|---|---|
| Management (10) | All VLANs | Full access |
| Legacy (VLAN 1) | All VLANs | Full access (transition) |
| Trusted (20) | IoT (30) | Full access |
| Trusted (20) | Cameras (35) | Ports 80, 443, 554, 8080, 8554 |
| Trusted (20) | Servers (40) | Full access |
| Trusted (20) | Legacy (VLAN 1) | Full access |
| Kids (25) | IoT (30) | Full access |
| Kids (25) | Legacy (VLAN 1) | Full access |
| IoT (30), Cameras (35), Guest (50), Kids (25) | 192.168.31.1 (router) | DNS, port 53 (input chain) |

Block Rules

| Source | Destination | Action |
|---|---|---|
| Guest (50) | All internal | Drop |
| Cameras (35) | All VLANs | Drop |
| IoT (30) | Management (10) | Drop |
| IoT (30) | Trusted (20) | Drop |
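The allow and block tables above as policy-as-code, an added example that is not the repository's configuration. It encodes the subnets and rules from this document, renders them as RouterOS CLI lines in the order they must be added, and walks the resulting forward chain with first-match semantics so any source/destination pair can be checked before deployment. The established/related rule, treating the camera ports as TCP, the address-list names (vlan-*, lan-all, vlan-dns-clients) and the final catch-all drop are assumptions of this example; the catch-all is what turns the tables into an allow-list, and it is the reason Kids → Trusted comes out as drop.

```python
"""Inter-VLAN policy as code: emit an ordered RouterOS ruleset and simulate it.

Added example, not the repository's config. Subnets and the allow/block
tables come from the doc; the established/related rule, the TCP-only
reading of the camera ports, the list names and the final catch-all drop
are ASSUMPTIONS.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VLANS = {  # name -> subnet, from the VLAN Architecture table ("legacy" is VLAN 1)
    "legacy": "192.168.31.0/24", "mgmt": "192.168.10.0/24",
    "trusted": "192.168.20.0/24", "kids": "192.168.25.0/24",
    "iot": "192.168.30.0/24", "cameras": "192.168.35.0/24",
    "servers": "192.168.40.0/24", "guest": "192.168.50.0/24",
}
ROUTER_DNS = "192.168.31.1"  # DNS target for IoT/Cameras/Guest/Kids per the doc

ADDRESS_LISTS = {f"vlan-{n}": [s] for n, s in VLANS.items()}
ADDRESS_LISTS["lan-all"] = list(VLANS.values())
ADDRESS_LISTS["vlan-dns-clients"] = [VLANS[n] for n in ("iot", "cameras", "guest", "kids")]


@dataclass(frozen=True)
class Rule:
    action: str                       # accept | drop
    src: str | None = None            # address-list name; None = any
    dst: str | None = None
    tcp_ports: tuple[int, ...] = ()   # () = any protocol/port
    state: str | None = None          # connection-state match
    comment: str = ""


# Order matters: RouterOS evaluates the forward chain top-down, first match wins.
CAM_PORTS = (80, 443, 554, 8080, 8554)
FORWARD_RULES = [
    Rule("accept", state="established,related", comment="reply traffic (assumption)"),
    Rule("accept", "vlan-mgmt", comment="Management to all"),
    Rule("accept", "vlan-legacy", comment="Legacy to all (transition)"),
    Rule("accept", "vlan-trusted", "vlan-iot", comment="Trusted to IoT"),
    Rule("accept", "vlan-trusted", "vlan-servers", comment="Trusted to Servers"),
    Rule("accept", "vlan-trusted", "vlan-legacy", comment="Trusted to Legacy"),
    Rule("accept", "vlan-trusted", "vlan-cameras", CAM_PORTS, comment="Trusted to Cameras"),
    Rule("accept", "vlan-kids", "vlan-iot", comment="Kids to IoT"),
    Rule("accept", "vlan-kids", "vlan-legacy", comment="Kids to Legacy"),
    Rule("drop", "vlan-guest", "lan-all", comment="Guest to internal"),
    Rule("drop", "vlan-cameras", "lan-all", comment="Cameras to internal"),
    Rule("drop", "vlan-iot", "vlan-mgmt", comment="IoT to Management"),
    Rule("drop", "vlan-iot", "vlan-trusted", comment="IoT to Trusted"),
    # ASSUMPTION: without this rule RouterOS accepts everything the rules above
    # did not match, e.g. Kids -> Trusted or IoT -> Cameras.
    Rule("drop", "lan-all", "lan-all", comment="Default deny inter-VLAN"),
]


def _in_list(ip: str, list_name: str | None) -> bool:
    if list_name is None:
        return True
    return any(ip_address(ip) in ip_network(net) for net in ADDRESS_LISTS[list_name])


def forward_verdict(src_ip: str, dst_ip: str, tcp_port: int | None = None) -> str:
    """First-match walk of the forward chain for a NEW connection.

    tcp_port=None means a non-TCP flow (or no port given): rules that restrict
    dst-port cannot match it.
    """
    for rule in FORWARD_RULES:
        if rule.state:  # connection-state rules only match existing connections
            continue
        if rule.tcp_ports and (tcp_port is None or tcp_port not in rule.tcp_ports):
            continue
        if _in_list(src_ip, rule.src) and _in_list(dst_ip, rule.dst):
            return rule.action
    return "accept"  # RouterOS default when nothing in the chain matched


def render() -> list[str]:
    """RouterOS CLI lines, in the order they must be added."""
    lines = ["/ip firewall address-list"]
    for name, nets in ADDRESS_LISTS.items():
        lines += [f"add list={name} address={net}" for net in nets]
    lines.append("/ip firewall filter")
    for r in FORWARD_RULES:
        parts = ["add chain=forward", f"action={r.action}"]
        if r.state:
            parts.append(f"connection-state={r.state}")
        if r.src:
            parts.append(f"src-address-list={r.src}")
        if r.dst:
            parts.append(f"dst-address-list={r.dst}")
        if r.tcp_ports:
            parts.append("protocol=tcp dst-port=" + ",".join(map(str, r.tcp_ports)))
        parts.append(f'comment="{r.comment}"')
        lines.append(" ".join(parts))
    # DNS sent to the router's own address is input-chain traffic, not forward.
    lines.append(f"add chain=input action=accept src-address-list=vlan-dns-clients "
                 f"dst-address={ROUTER_DNS} protocol=udp dst-port=53 comment=\"DNS to router\"")
    return lines


if __name__ == "__main__":
    print("\n".join(render()))
    print(forward_verdict("192.168.25.20", "192.168.20.10"))  # kids -> trusted: drop
```

Paste the rendered lines into a RouterOS terminal in the order printed; the address lists must exist before the rules that reference them. Running `forward_verdict` for every pair in the tables above is a cheap way to catch an ordering mistake before it reaches the router.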

Activation Steps

Step 1: Configure CSS326 Switch (REQUIRED FIRST)

Access SwOS at http://192.168.31.9 and configure:

  1. Enable VLAN mode
  2. Create VLANs: 1, 10, 20, 25, 30, 35, 40, 50
  3. Port 1 (Uplink to MikroTik): Trunk mode, tagged all VLANs
  4. Other ports: Access mode, assign PVID per connected device

Step 2: Enable VLAN Filtering on MikroTik

Run this from a session that does not depend on the VLAN being changed (for example a Winbox/MAC-address session on one of the Legacy untagged ports, not over WiFi) and use Safe Mode (Ctrl-X in the terminal, or the Safe Mode button in Winbox), so that RouterOS reverts the change automatically if the session is cut off.

# CAUTION: This may cause temporary connectivity loss
/interface bridge set [find name=bridge] vlan-filtering=yes

Step 3: Verify Connectivity and Isolation

# From Unraid
ping 192.168.31.1  # MikroTik Legacy
ping 192.168.10.1  # MikroTik Mgmt VLAN
ping 8.8.8.8       # Internet

# On the MikroTik: each learned MAC should now show the VLAN it was assigned to
/interface bridge host print

Also confirm that the isolation holds, not only that connectivity works: from an IoT device, a connection to a Trusted host (192.168.20.x) must fail, and from a Guest device nothing internal should answer.
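A pre-activation check for Steps 1 and 2, covering the Bridge VLAN Table above as well: an added example, not tooling from the repository. It parses `/interface bridge export` output and compares the bridge VLAN table and port PVIDs against the design in this document, reporting a VLAN that lacks the bridge or the trunk as a tagged member, a port untagged in two VLANs, a PVID that disagrees with the port's untagged membership, or a port absent from the table altogether, each of which changes behaviour the moment vlan-filtering is switched on. The export text is constructed from this document's tables; the design dict, the function names and the assumption that vlan-ids are plain comma-separated lists (ranges like 10-20 are not parsed) are assumptions of this example.

```python
"""Pre-activation audit of the MikroTik bridge VLAN table against this doc's design.

Added example, not the repository's own tooling. SAMPLE_EXPORT is CONSTRUCTED
to match the tables in the doc; replace it with real `/interface bridge export`
output. Assumes vlan-ids are plain comma-separated lists (no ranges).
"""
import shlex

TRUNK = "eth3_CSS326_Uplink"
# vlan-id -> ports that must be untagged members, from the Bridge VLAN Table
DESIGN = {1: {"eth2", "eth4", "ether5"}, 10: set(), 20: {"hap-wifi1", "hap-wifi2"},
          25: set(), 30: set(), 35: set(), 40: set(), 50: set()}

SAMPLE_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=eth2
add bridge=bridge interface=eth3_CSS326_Uplink
add bridge=bridge interface=eth4
add bridge=bridge interface=ether5
add bridge=bridge interface=hap-wifi1 pvid=20
add bridge=bridge interface=hap-wifi2 pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge,eth3_CSS326_Uplink untagged=eth2,eth4,ether5 vlan-ids=1
add bridge=bridge tagged=bridge,eth3_CSS326_Uplink vlan-ids=10
add bridge=bridge tagged=bridge,eth3_CSS326_Uplink untagged=hap-wifi1,hap-wifi2 vlan-ids=20
add bridge=bridge tagged=bridge,eth3_CSS326_Uplink vlan-ids=25
add bridge=bridge tagged=bridge,eth3_CSS326_Uplink vlan-ids=30
add bridge=bridge tagged=bridge,eth3_CSS326_Uplink vlan-ids=35
add bridge=bridge tagged=bridge,eth3_CSS326_Uplink vlan-ids=40
add bridge=bridge tagged=bridge,eth3_CSS326_Uplink comment="guest" vlan-ids=50
"""


def parse_export(text):
    """Return (bridges, ports, vlans) dicts keyed by bridge name / interface / vlan id."""
    section, bridges, ports, vlans = None, {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):          # section header, e.g. "/interface bridge vlan"
            section = line
            continue
        if not line.startswith("add "):
            continue
        # shlex keeps quoted values such as comment="a b" together
        kv = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
        if section == "/interface bridge":
            bridges[kv["name"]] = kv
        elif section == "/interface bridge port":
            ports[kv["interface"]] = kv
        elif section == "/interface bridge vlan":
            for vid in kv["vlan-ids"].split(","):
                vlans[int(vid)] = kv
    return bridges, ports, vlans


def _members(entry, key):
    return set(filter(None, entry.get(key, "").split(",")))


def vlan_filtering_enabled(text, bridge="bridge"):
    bridges, _, _ = parse_export(text)
    return bridges.get(bridge, {}).get("vlan-filtering", "no") == "yes"


def audit(text, design=DESIGN, trunk=TRUNK):
    """List of findings; an empty list means the table matches the design."""
    _, ports, vlans = parse_export(text)
    findings = []
    untagged_in = {}  # port -> set of VLAN ids it is an untagged member of
    for vid, wanted in design.items():
        entry = vlans.get(vid)
        if entry is None:
            findings.append(f"VLAN {vid}: no bridge vlan entry")
            continue
        for must in ("bridge", trunk):   # router CPU port and trunk carry every VLAN
            if must not in _members(entry, "tagged"):
                findings.append(f"VLAN {vid}: {must} is not a tagged member")
        got = _members(entry, "untagged")
        if got != wanted:
            findings.append(f"VLAN {vid}: untagged {sorted(got)} differs from design {sorted(wanted)}")
        for port in got:
            untagged_in.setdefault(port, set()).add(vid)
    for vid in sorted(set(vlans) - set(design)):
        findings.append(f"VLAN {vid}: present on the router but not in the design")
    for port, kv in ports.items():
        pvid = int(kv.get("pvid", "1"))  # RouterOS default PVID is 1 (Legacy here)
        vids = untagged_in.get(port, set())
        if len(vids) > 1:
            findings.append(f"port {port}: untagged in more than one VLAN {sorted(vids)}")
        for vid in vids - {pvid}:
            findings.append(f"port {port}: pvid {pvid} but untagged in VLAN {vid}")
        tagged_anywhere = any(port in _members(e, "tagged") for e in vlans.values())
        if not vids and not tagged_anywhere:
            findings.append(f"port {port}: not in the VLAN table; it falls into PVID {pvid} once filtering is on")
    return findings


if __name__ == "__main__":
    print("vlan-filtering enabled:", vlan_filtering_enabled(SAMPLE_EXPORT))
    for f in audit(SAMPLE_EXPORT) or ["OK: bridge VLAN table matches the design"]:
        print(f)
```

Run it against the real export before Step 2; an empty findings list is the go signal, and a port reported as "not in the VLAN table" is the classic way to lose access to a device once filtering is enabled.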

Rollback (If Needed)

/interface bridge set [find name=bridge] vlan-filtering=no