New Structure:
- 01-NETWORK-MAP.md - Network topology, IPs, Docker networks, services
- 02-SERVICES-CRITICAL.md - DNS, Auth, Routing (P0/P1 services)
- 03-SERVICES-OTHER.md - All non-critical services
- 04-HARDWARE-INVENTORY.md - Physical devices and specs
- 05-CHANGELOG.md - Major events only

New Folders:
- docs/archive/ - Legacy docs (read-only reference)
- docs/wip/ - Planned changes and ideas
  - UPGRADE-2026-HARDWARE.md - N5 Air + N100 migration plan
  - GITOPS-CONTAINERS.md - Phase 2 container GitOps

Changes:
- Moved all 22 legacy docs to archive/
- Consolidated container IPs, physical map, and services into single network map
- Extracted critical vs non-critical service classification
- Simplified changelog to major events only

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# VLAN Network Segmentation Plan

**Document Created:** 2026-01-18
**Status:** PLANNING

## Current Network Analysis

### Network Devices
| Device | IP | Role |
|---|---|---|
| MikroTik hAP ax³ | 192.168.31.1 | Router, CAPsMAN, VLAN gateway |
| CSS326-24G-2S+ | 192.168.31.9 | Managed switch (24 port + 2 SFP) |
| cAP ac | 192.168.31.6 | Managed AP (CAPsMAN) |
### Current Device Inventory

**Secure Devices (should be isolated):**
| Device | IP | MAC | Notes |
|---|---|---|---|
| Unraid Server | 192.168.31.2 | - | Main server |
| Nobara PC (LAN) | 192.168.31.95 | 08:92:04:C6:07:C5 | xtrm-pc via Dell KVM |
| Nobara PC (WiFi) | 192.168.31.142 | 22:4C:7F:1D:85:8E | xtrm-pc |
| Game Machine | 192.168.31.97 | 1C:83:41:32:F3:AF | xtrm-pc |
| Kaloyan MacBook (WiFi) | 192.168.31.99 | 82:EC:EF:B5:F2:AF | Mac |
| Kaloyan S25 Ultra | 192.168.31.98 | AA:ED:8B:2A:40:F1 | S25-Ultra |
| Unraid KVM | 192.168.31.20 | 48:DA:35:6F:BE:50 | KVM access |
**IoT Devices:**
| Device | IP | MAC | Notes |
|---|---|---|---|
| Home Assistant | 192.168.31.102 | AC:87:A3:77:8F:BD | Smart home hub |
| Chromecast | 192.168.31.134 | D0:E7:82:F7:65:DD | Streaming |
| Roborock S7 | 192.168.31.104 | B0:4A:39:3F:9A:14 | Vacuum |
| Bosch Smart Oven | 192.168.31.105 | 94:27:70:1E:0C:EE | Kitchen |
| Reolink Doorbell | 192.168.31.68 | 48:9E:9D:0E:16:F7 | Security |
| HP LaserJet | 192.168.31.19 | 64:4E:D7:D8:43:3E | Printer |
| Unknown IoT 1 | 192.168.31.109 | D0:C9:07:92:1A:8E | Tuya? |
| Unknown IoT 2 | 192.168.31.110 | D0:C9:07:8C:C9:46 | Tuya? |
| Unknown IoT 3 | 192.168.31.113 | 38:1F:8D:04:6F:E4 | Tuya? |
| Unknown IoT 4 | 192.168.31.149 | D4:AD:FC:BE:13:B0 | Smart device? |
| lwip0 devices | 192.168.31.100-101 | 38:A5:C9:44:7B:xx | ESP/Tuya |
**Kids/Guest Devices:**
| Device | IP | MAC | Notes |
|---|---|---|---|
| Nora MacBook | 192.168.31.79 | 82:6D:FB:D9:E0:47 | MacBookAir |
| Kimi Notebook | 192.168.31.108 | 90:91:64:70:0D:86 | Kimi-Notebook |
| Kimi iPhone | 192.168.31.121 | 2A:2B:BA:86:D4:AF | iPhone |
| Dancho iPhone | 192.168.31.114 | F2:B8:14:61:C8:27 | iPhone |
| Compusbg iPad | 192.168.31.107 | A4:D1:D2:7B:52:BE | iPad |
## Proposed VLAN Architecture

### VLAN Assignments
| VLAN ID | Name | Subnet | Gateway | Purpose |
|---|---|---|---|---|
| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Network infrastructure only |
| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers |
| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras, IoT |
| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices |
| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi |
### WiFi SSID to VLAN Mapping
| SSID | VLAN | Security | Purpose |
|---|---|---|---|
| XTRM | 10 (Secure) | WPA2/WPA3 | Main network for trusted devices |
| XTRM-IoT | 20 (IoT) | WPA2 | IoT devices |
| XTRM-Kids | 30 (Kids) | WPA2 | Kids devices |
| XTRM-Guest | 40 (Guest) | WPA2 | Guest access |
## The S25 Challenge: Cross-VLAN Access

### Requirements

Your S25 needs to:
- Be in Secure VLAN (192.168.10.x) for server management
- Discover and cast to Chromecast (IoT VLAN)
- Control Tuya smart devices
- Access Home Assistant
### Solution Architecture

```
┌────────────────────────────────────────────────────────────────────────┐
│                            VLAN 10 (Secure)                            │
│  ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐                 │
│  │ Unraid  │   │ Nobara  │   │ MacBook │   │   S25   │                 │
│  │ Server  │   │   PC    │   │         │   │  Ultra  │                 │
│  └────┬────┘   └────┬────┘   └────┬────┘   └────┬────┘                 │
│       │             │             │             │                      │
└───────┼─────────────┼─────────────┼─────────────┼──────────────────────┘
        │             │             │             │
        │             │             │             │  Firewall Rules +
        │             │             │             │  mDNS Reflector
        │             │             │             ▼
┌───────┼─────────────┼─────────────┼────────────────────────────────────┐
│       │             │             │          VLAN 20 (IoT)             │
│       │             │             │                                    │
│  ┌────▼────┐   ┌────┴────┐   ┌────┴───┐   ┌──────────┐   ┌───────────┐ │
│  │  Home   │   │ Printer │   │Chromec.│   │   Tuya   │   │ Roborock  │ │
│  │Assistant│◄──┤         │   │   TV   │   │ Devices  │   │    S7     │ │
│  └─────────┘   └─────────┘   └────────┘   └──────────┘   └───────────┘ │
│       ▲                                                                │
│       │  Controls all IoT                                              │
└───────┼────────────────────────────────────────────────────────────────┘
        │
   HA manages IoT locally,
   accessible from Secure VLAN
```
### Cross-VLAN Solutions

#### 1. Home Assistant as IoT Bridge (Recommended)

- Home Assistant stays in the IoT VLAN, so it can talk to the IoT devices directly
- Firewall allows Secure VLAN → Home Assistant (port 8123)
- The S25 controls everything through the Home Assistant UI
- No direct IoT access from the S25, but full control via HA

#### 2. mDNS Reflector for Chromecast Discovery

MikroTik can repeat mDNS between VLANs (the interface names must match the ones created in 1.1):

```
/ip/dns/set mdns-repeat-ifaces=vlan10-secure,vlan20-iot
```

This allows the S25 to discover the Chromecast for casting.

#### 3. Firewall Rules for Casting

Allow specific traffic from Secure → IoT:

```
# Allow Chromecast (mDNS + casting ports)
/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 dst-port=8008,8009,8443 protocol=tcp action=accept
/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 dst-port=32768-61000 protocol=udp action=accept
# Allow Home Assistant access (192.168.20.2 is the address reserved for HA in the static IP table)
/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \
    dst-address=192.168.20.2 dst-port=8123 protocol=tcp action=accept
```

#### 4. Tuya Devices (Cloud-Based)

Tuya devices communicate via the cloud, so they work from any VLAN with internet access. No special rules needed.
## Implementation Plan

### Phase 1: Router Configuration

#### 1.1 Create VLAN Interfaces

```
/interface/vlan/add name=vlan10-secure interface=bridge vlan-id=10
/interface/vlan/add name=vlan20-iot interface=bridge vlan-id=20
/interface/vlan/add name=vlan30-kids interface=bridge vlan-id=30
/interface/vlan/add name=vlan40-guest interface=bridge vlan-id=40
```

#### 1.2 Assign IP Addresses

```
/ip/address/add address=192.168.10.1/24 interface=vlan10-secure
/ip/address/add address=192.168.20.1/24 interface=vlan20-iot
/ip/address/add address=192.168.30.1/24 interface=vlan30-kids
/ip/address/add address=192.168.40.1/24 interface=vlan40-guest
```

#### 1.3 Create DHCP Servers

```
/ip/pool/add name=pool-secure ranges=192.168.10.100-192.168.10.200
/ip/pool/add name=pool-iot ranges=192.168.20.100-192.168.20.200
/ip/pool/add name=pool-kids ranges=192.168.30.100-192.168.30.200
/ip/pool/add name=pool-guest ranges=192.168.40.100-192.168.40.200

/ip/dhcp-server/add name=dhcp-secure interface=vlan10-secure address-pool=pool-secure
/ip/dhcp-server/add name=dhcp-iot interface=vlan20-iot address-pool=pool-iot
/ip/dhcp-server/add name=dhcp-kids interface=vlan30-kids address-pool=pool-kids
/ip/dhcp-server/add name=dhcp-guest interface=vlan40-guest address-pool=pool-guest

# dns-server is the current Pi-hole address; the static reservation table moves
# Pi-hole to 192.168.10.4, so these entries change with it
/ip/dhcp-server/network/add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.31.4
/ip/dhcp-server/network/add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.31.4
/ip/dhcp-server/network/add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.4
/ip/dhcp-server/network/add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.31.4
```
### Phase 2: Bridge VLAN Filtering

#### 2.1 Enable VLAN Filtering

```
/interface/bridge/set bridge vlan-filtering=yes
```

#### 2.2 Configure Bridge VLANs

```
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=10
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=20
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=30
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=40
```
### Phase 3: Switch Configuration (CSS326-24G-2S+ SwOS)

Switch Access:

- Web UI: http://192.168.31.9/index.html
- Model: CSS326-24G-2S+ (24 Gigabit ports + 2 SFP)
- OS: SwOS (MikroTik Switch OS)
- Username: admin
- Password: M0stW4nt3d@xtrm

#### 3.1 SwOS VLAN Configuration

Access the switch at http://192.168.31.9 and configure:

**Step 1: Enable VLAN Mode**

- Go to VLAN tab
- Set VLAN Mode to Enabled

**Step 2: Create VLANs**
| VLAN ID | Name |
|---|---|
| 1 | Management |
| 10 | Secure |
| 20 | IoT |
| 30 | Kids |
| 40 | Guest |
**Step 3: Port VLAN Assignments**
| Port | Device | VLAN Mode | VLAN ID | Tagged VLANs |
|---|---|---|---|---|
| 1 | Uplink to hAP ax³ | Trunk | 1 | 10,20,30,40 |
| 2 | Unraid Server | Access | 10 | - |
| 3 | Nobara PC (LAN) | Access | 10 | - |
| 4 | Game Machine | Access | 10 | - |
| 5-8 | Reserved Secure | Access | 10 | - |
| 9-16 | IoT Devices | Access | 20 | - |
| 17-20 | Kids Devices | Access | 30 | - |
| 21-24 | Guest/Unused | Access | 40 | - |
| SFP1 | Unused | - | - | - |
| SFP2 | Unused | - | - | - |
**Step 4: PVID Settings**

For each access port, set PVID (Port VLAN ID) to match the access VLAN.

**Step 5: Uplink Port Configuration**

Port 1 (uplink to router) must be configured as trunk:

- VLAN Receive: Any
- Default VLAN ID: 1
- Tagged VLANs: 10, 20, 30, 40
- Force VLAN ID: No
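Both ends of the uplink have to agree before the trunk carries anything: the bridge VLAN table in 2.2 tags each VLAN on eth4_CCS324_Uplink, and Step 5 tags the same IDs on switch port 1. The check below is an added example written for this page (not part of the plan and not a MikroTik tool); it transcribes 1.1, 2.2 and the Step 3 port table into Python and verifies that every VLAN is tagged on both ends, that every access PVID rides the trunk, and that every trunked VLAN has a router interface. The second scenario, in which the vlan-ids=40 line of 2.2 was never applied, is constructed to show what a mismatch looks like.

```python
"""Trunk consistency check between the hAP ax³ bridge VLAN table (2.2)
and the CSS326 port plan (Phase 3, steps 3 and 5).

Added example for this page, not part of the plan or of any MikroTik tool.
The data below is transcribed from the plan's own commands and tables; the
"missing VLAN 40" scenario is constructed.
"""

ROUTER_TRUNK_PORT = "eth4_CCS324_Uplink"

# /interface/bridge/vlan entries from 2.2: vlan-id -> ports on which it is tagged
ROUTER_BRIDGE_VLANS = {
    10: {"bridge", ROUTER_TRUNK_PORT},
    20: {"bridge", ROUTER_TRUNK_PORT},
    30: {"bridge", ROUTER_TRUNK_PORT},
    40: {"bridge", ROUTER_TRUNK_PORT},
}

# /interface/vlan entries from 1.1: vlan-id -> L3 interface that carries the gateway
ROUTER_VLAN_INTERFACES = {10: "vlan10-secure", 20: "vlan20-iot", 30: "vlan30-kids", 40: "vlan40-guest"}

# SwOS port plan from step 3, port ranges expanded: port -> (mode, PVID, tagged VLANs)
SWITCH_PORTS = {1: ("Trunk", 1, {10, 20, 30, 40})}
SWITCH_PORTS.update({p: ("Access", 10, set()) for p in range(2, 9)})    # Unraid, Nobara, game PC, reserved
SWITCH_PORTS.update({p: ("Access", 20, set()) for p in range(9, 17)})   # IoT devices
SWITCH_PORTS.update({p: ("Access", 30, set()) for p in range(17, 21)})  # Kids devices
SWITCH_PORTS.update({p: ("Access", 40, set()) for p in range(21, 25)})  # Guest / unused


def check_trunk(router_vlans, router_ifaces, switch_ports, trunk_port=ROUTER_TRUNK_PORT):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    trunks = [p for p, (mode, _, _) in switch_ports.items() if mode == "Trunk"]
    if len(trunks) != 1:
        return [f"expected exactly one trunk port on the switch, found {trunks}"]
    _, trunk_pvid, switch_tagged = switch_ports[trunks[0]]
    router_tagged = {vid for vid, members in router_vlans.items() if trunk_port in members}

    # 1. A VLAN tagged on only one end of the trunk is silently dropped by the other end.
    for vid in sorted(router_tagged ^ switch_tagged):
        side = "router" if vid in router_tagged else "switch"
        problems.append(f"VLAN {vid} is tagged on the {side} side of the trunk only")

    # 2. Every access port's PVID must ride the trunk, or that port has no path to its gateway.
    for port, (mode, pvid, _) in sorted(switch_ports.items()):
        if mode == "Access" and pvid not in switch_tagged:
            problems.append(f"switch port {port} is in VLAN {pvid}, which the trunk does not carry")

    # 3. Every VLAN on the trunk needs a router VLAN interface, or it has no gateway and no DHCP.
    for vid in sorted(router_tagged - set(router_ifaces)):
        problems.append(f"VLAN {vid} reaches the router but has no /interface/vlan entry")

    # 4. The trunk's untagged (PVID) VLAN must not also be one of its tagged VLANs.
    if trunk_pvid in switch_tagged:
        problems.append(f"trunk PVID {trunk_pvid} is also tagged on the trunk")
    return problems


def check_plan():
    """The plan exactly as written on this page."""
    return check_trunk(ROUTER_BRIDGE_VLANS, ROUTER_VLAN_INTERFACES, SWITCH_PORTS)


def check_plan_missing_guest_vlan():
    """Constructed failure: 2.2 applied without its vlan-ids=40 line."""
    router_vlans = {vid: m for vid, m in ROUTER_BRIDGE_VLANS.items() if vid != 40}
    return check_trunk(router_vlans, ROUTER_VLAN_INTERFACES, SWITCH_PORTS)


if __name__ == "__main__":
    for name, fn in (("plan", check_plan), ("missing VLAN 40", check_plan_missing_guest_vlan)):
        print(name, "->", fn() or "OK")
```

The plan passes as written; dropping one line from 2.2 produces "VLAN 40 is tagged on the switch side of the trunk only", which is exactly the symptom (guest clients get no DHCP) that would otherwise surface during the maintenance window.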
#### 3.2 SwOS Web Interface Navigation

```
┌─────────────────────────────────────────────────────────┐
│                   CSS326-24G-2S+ SwOS                   │
├─────────────────────────────────────────────────────────┤
│ Tabs: Link | VLAN | VLANs | Isolation | Statistics      │
│                                                         │
│ VLAN Tab:                                               │
│ ┌─────┬──────────┬──────┬─────────────┬─────────┐       │
│ │Port │VLAN Mode │ PVID │   Tagged    │ Untagged│       │
│ ├─────┼──────────┼──────┼─────────────┼─────────┤       │
│ │  1  │  Trunk   │  1   │ 10,20,30,40 │    1    │       │
│ │  2  │  Access  │  10  │      -      │   10    │       │
│ │ ... │   ...    │ ...  │     ...     │   ...   │       │
│ └─────┴──────────┴──────┴─────────────┴─────────┘       │
└─────────────────────────────────────────────────────────┘
```
#### 3.3 Current Port Mapping (TO BE FILLED)

Please identify which device is connected to which switch port:

| Port | Cable Color/Label | Connected Device |
|---|---|---|
| 1 | Uplink to hAP ax³ (eth4_CCS324_Uplink) | |
| 2 | | |
| 3 | | |
| 4 | | |
| 5 | | |
| 6 | | |
| 7 | | |
| 8 | | |
| 9 | | |
| 10 | | |
| 11 | | |
| 12 | | |
| ... | | |
Note: You can identify ports by checking the Link tab in SwOS - it shows which ports have active links and their speed.
### Phase 4: WiFi VLAN Configuration

#### 4.1 Create WiFi Configurations

```
/interface/wifi/configuration/add name=cfg-secure ssid="XTRM" \
    security.authentication-types=wpa2-psk,wpa3-psk \
    security.passphrase="M0stW4nt3d@home" \
    datapath.bridge=bridge datapath.vlan-id=10

/interface/wifi/configuration/add name=cfg-iot ssid="XTRM-IoT" \
    security.authentication-types=wpa2-psk \
    security.passphrase="M0stW4nt3d@IoT" \
    datapath.bridge=bridge datapath.vlan-id=20

/interface/wifi/configuration/add name=cfg-kids ssid="XTRM-Kids" \
    security.authentication-types=wpa2-psk \
    security.passphrase="KidsPassword123" \
    datapath.bridge=bridge datapath.vlan-id=30

/interface/wifi/configuration/add name=cfg-guest ssid="XTRM-Guest" \
    security.authentication-types=wpa2-psk \
    security.passphrase="GuestPassword123" \
    datapath.bridge=bridge datapath.vlan-id=40
```
### Phase 5: Firewall Rules

#### 5.1 Inter-VLAN Firewall

```
# Allow established/related
/ip/firewall/filter/add chain=forward connection-state=established,related action=accept

# Secure VLAN can access everything (management)
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 action=accept

# IoT VLAN - Internet only, no inter-VLAN
/ip/firewall/filter/add chain=forward src-address=192.168.20.0/24 dst-address=!192.168.0.0/16 action=accept

# Kids VLAN - Internet only
/ip/firewall/filter/add chain=forward src-address=192.168.30.0/24 dst-address=!192.168.0.0/16 action=accept

# Guest VLAN - Internet only, strict isolation
/ip/firewall/filter/add chain=forward src-address=192.168.40.0/24 dst-address=!192.168.0.0/16 action=accept

# Drop all other inter-VLAN traffic
/ip/firewall/filter/add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
```

#### 5.2 Special Rules for Casting/mDNS

```
# Note: RouterOS matches filter rules top to bottom in the order they were added,
# so these rules end up below the "drop all other inter-VLAN traffic" rule from 5.1;
# any rule that must take effect has to be placed above that drop rule

# Allow Secure to access Chromecast
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 dst-port=8008,8009,8443 protocol=tcp action=accept \
    comment="Chromecast from Secure"

# Allow mDNS (for device discovery)
/ip/firewall/filter/add chain=input dst-port=5353 protocol=udp action=accept comment="mDNS"
/ip/firewall/filter/add chain=forward dst-port=5353 protocol=udp action=accept comment="mDNS forward"
```
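Because the forward chain is first-match in order of addition, the effective policy is easiest to reason about by replaying concrete flows through the rule list. The simulator below is an added example written for this page (not part of the plan and not a RouterOS feature); it transcribes the 5.1 and 5.2 rules in the order the commands add them and replays a handful of constructed flows built from the plan's reserved addresses (Pi-hole 192.168.10.4, Home Assistant 192.168.20.2, Chromecast 192.168.20.10, printer 192.168.20.20). It models only src/dst address, protocol, destination port and connection state, and assumes the RouterOS forward-chain default of accept when nothing matches. Three things it surfaces: Home Assistant in the IoT VLAN cannot reach Pi-hole on 192.168.10.4 (relevant to the dns-server in 1.3), Kids-to-printer is dropped (the open question under "Questions Before Implementation"), and neither 5.2 rule ever decides a flow, since Secure is already fully allowed and the drop rule sits above them.

```python
"""Order-sensitive simulation of the forward chain built in 5.1 and 5.2.

RouterOS evaluates filter rules in the order they were added; the first match
wins and a packet that matches no rule is accepted (no implicit drop).
Added example for this page, not part of the plan and not a RouterOS tool.
The rule list is transcribed from 5.1 followed by 5.2; the probe flows are
constructed from the plan's static reservations.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                       # accept / drop
    comment: str
    src: Optional[str] = None         # src-address (CIDR)
    dst: Optional[str] = None         # dst-address (CIDR); leading "!" negates, as in RouterOS
    protocol: Optional[str] = None    # tcp / udp
    dst_ports: Optional[Sequence[Tuple[int, int]]] = None  # inclusive port ranges
    established: bool = False         # connection-state=established,related


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dport: int
    state: str = "new"                # "new" for the first packet of a connection


def address_matches(addr: str, spec: str) -> bool:
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negate


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.established:
        return flow.state == "established"
    if rule.src and not address_matches(flow.src, rule.src):
        return False
    if rule.dst and not address_matches(flow.dst, rule.dst):
        return False
    if rule.protocol and rule.protocol != flow.protocol:
        return False
    if rule.dst_ports and not any(lo <= flow.dport <= hi for lo, hi in rule.dst_ports):
        return False
    return True


def evaluate(flow: Flow, rules: Sequence[Rule]) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, or the chain default."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.comment
    return "accept", "chain default (no rule matched)"


# 5.1 followed by 5.2, in the order the commands add them
FORWARD_CHAIN: List[Rule] = [
    Rule("accept", "established/related", established=True),
    Rule("accept", "Secure can access everything", src="192.168.10.0/24"),
    Rule("accept", "IoT internet only", src="192.168.20.0/24", dst="!192.168.0.0/16"),
    Rule("accept", "Kids internet only", src="192.168.30.0/24", dst="!192.168.0.0/16"),
    Rule("accept", "Guest internet only", src="192.168.40.0/24", dst="!192.168.0.0/16"),
    Rule("drop", "drop other inter-VLAN", src="192.168.0.0/16", dst="192.168.0.0/16"),
    Rule("accept", "Chromecast from Secure", src="192.168.10.0/24", dst="192.168.20.0/24",
         protocol="tcp", dst_ports=[(8008, 8008), (8009, 8009), (8443, 8443)]),
    Rule("accept", "mDNS forward", protocol="udp", dst_ports=[(5353, 5353)]),
]

# Constructed probe flows using the plan's reserved addresses
PROBES: Dict[str, Flow] = {
    "HA -> Pi-hole DNS":        Flow("192.168.20.2", "192.168.10.4", "udp", 53),
    "IoT -> public DNS":        Flow("192.168.20.10", "8.8.8.8", "udp", 53),
    "S25 -> Chromecast":        Flow("192.168.10.20", "192.168.20.10", "tcp", 8009),
    "S25 -> Home Assistant":    Flow("192.168.10.20", "192.168.20.2", "tcp", 8123),
    "Kids -> printer":          Flow("192.168.30.10", "192.168.20.20", "tcp", 9100),
    "Kids -> web":              Flow("192.168.30.10", "1.1.1.1", "tcp", 443),
    "Guest -> Unraid SMB":      Flow("192.168.40.50", "192.168.10.2", "tcp", 445),
    "Guest -> web":             Flow("192.168.40.50", "1.1.1.1", "tcp", 443),
    "Chromecast mDNS announce": Flow("192.168.20.10", "224.0.0.251", "udp", 5353),
    "reply to S25 session":     Flow("192.168.20.2", "192.168.10.20", "tcp", 8123, state="established"),
}


def run_probes(rules: Sequence[Rule] = FORWARD_CHAIN) -> Dict[str, Tuple[str, str]]:
    return {label: evaluate(flow, rules) for label, flow in PROBES.items()}


def never_deciding(rules: Sequence[Rule], flows: Sequence[Flow]) -> List[str]:
    """Comments of rules that decide none of the flows: shadowed or redundant candidates."""
    deciding = set()
    for flow in flows:
        for index, rule in enumerate(rules):
            if rule_matches(rule, flow):
                deciding.add(index)
                break
    return [rule.comment for index, rule in enumerate(rules) if index not in deciding]


if __name__ == "__main__":
    for label, (action, comment) in run_probes().items():
        print(f"{label:26} {action:6} via '{comment}'")
    print("rules that decided nothing:", never_deciding(FORWARD_CHAIN, list(PROBES.values())))
```

Re-running the probes after each edit to the rule list is a cheap way to keep the "Secure can access everything" shortcut and the later drop rule from silently undoing the narrower rules added below them.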
## Static IP Reservations (New Subnets)

### VLAN 10 - Secure (192.168.10.0/24)
| Device | IP | MAC |
|---|---|---|
| Unraid Server | 192.168.10.2 | (current MAC) |
| Pi-hole (Unraid) | 192.168.10.4 | (current MAC) |
| Unbound (Unraid) | 192.168.10.5 | (current MAC) |
| Nobara PC (LAN) | 192.168.10.10 | 08:92:04:C6:07:C5 |
| Nobara PC (WiFi) | 192.168.10.11 | 22:4C:7F:1D:85:8E |
| Game Machine | 192.168.10.12 | 1C:83:41:32:F3:AF |
| MacBook (Kaloyan) | 192.168.10.15 | 82:EC:EF:B5:F2:AF |
| S25 Ultra | 192.168.10.20 | AA:ED:8B:2A:40:F1 |
### VLAN 20 - IoT (192.168.20.0/24)
| Device | IP | MAC |
|---|---|---|
| Home Assistant | 192.168.20.2 | AC:87:A3:77:8F:BD |
| Chromecast | 192.168.20.10 | D0:E7:82:F7:65:DD |
| Roborock S7 | 192.168.20.11 | B0:4A:39:3F:9A:14 |
| Bosch Oven | 192.168.20.12 | 94:27:70:1E:0C:EE |
| Reolink Doorbell | 192.168.20.13 | 48:9E:9D:0E:16:F7 |
| HP Printer | 192.168.20.20 | 64:4E:D7:D8:43:3E |
### VLAN 30 - Kids (192.168.30.0/24)
| Device | IP | MAC |
|---|---|---|
| Nora MacBook | 192.168.30.10 | 82:6D:FB:D9:E0:47 |
| Kimi Notebook | 192.168.30.11 | 90:91:64:70:0D:86 |
| Kimi iPhone | 192.168.30.12 | 2A:2B:BA:86:D4:AF |
| Dancho iPhone | 192.168.30.13 | F2:B8:14:61:C8:27 |
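The "Risks & Considerations" section asks for these reservations to exist before migration, but the plan gives no lease commands. The script below is an added example written for this page (not part of the plan): it parses the three reservation tables above (copied inline), emits one standard `/ip/dhcp-server/lease/add` command per row, using the DHCP server names from 1.3, and refuses to emit a command for rows that still carry a "(current MAC)" placeholder, whose IP falls outside the server's subnet, or whose MAC was already reserved for another device. It also flags any reservation that drifts into the .100-.200 dynamic pool from 1.3, since the plan keeps all of them below .100.

```python
"""Turn the static reservation tables into RouterOS lease commands and sanity-check
them against the DHCP servers and pools from 1.3.

Added example for this page, not part of the plan. The table text is copied from
the three reservation tables; server names come from 1.3 and the dynamic pool
range (.100-.200) from /ip/pool. The plan itself gives no lease commands.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

POOL_HOST_RANGE = (100, 200)   # ranges=192.168.x.100-192.168.x.200 in 1.3
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# dhcp-server name -> (subnet it serves, reservation table copied from this plan)
RESERVATION_TABLES: Dict[str, Tuple[str, str]] = {
    "dhcp-secure": ("192.168.10.0/24", """
| Device | IP | MAC |
|---|---|---|
| Unraid Server | 192.168.10.2 | (current MAC) |
| Pi-hole (Unraid) | 192.168.10.4 | (current MAC) |
| Unbound (Unraid) | 192.168.10.5 | (current MAC) |
| Nobara PC (LAN) | 192.168.10.10 | 08:92:04:C6:07:C5 |
| Nobara PC (WiFi) | 192.168.10.11 | 22:4C:7F:1D:85:8E |
| Game Machine | 192.168.10.12 | 1C:83:41:32:F3:AF |
| MacBook (Kaloyan) | 192.168.10.15 | 82:EC:EF:B5:F2:AF |
| S25 Ultra | 192.168.10.20 | AA:ED:8B:2A:40:F1 |
"""),
    "dhcp-iot": ("192.168.20.0/24", """
| Device | IP | MAC |
|---|---|---|
| Home Assistant | 192.168.20.2 | AC:87:A3:77:8F:BD |
| Chromecast | 192.168.20.10 | D0:E7:82:F7:65:DD |
| Roborock S7 | 192.168.20.11 | B0:4A:39:3F:9A:14 |
| Bosch Oven | 192.168.20.12 | 94:27:70:1E:0C:EE |
| Reolink Doorbell | 192.168.20.13 | 48:9E:9D:0E:16:F7 |
| HP Printer | 192.168.20.20 | 64:4E:D7:D8:43:3E |
"""),
    "dhcp-kids": ("192.168.30.0/24", """
| Device | IP | MAC |
|---|---|---|
| Nora MacBook | 192.168.30.10 | 82:6D:FB:D9:E0:47 |
| Kimi Notebook | 192.168.30.11 | 90:91:64:70:0D:86 |
| Kimi iPhone | 192.168.30.12 | 2A:2B:BA:86:D4:AF |
| Dancho iPhone | 192.168.30.13 | F2:B8:14:61:C8:27 |
"""),
}


def parse_table(markdown: str) -> List[Tuple[str, str, str]]:
    """Return (device, ip, mac) rows of a 3-column markdown table, skipping header and separator."""
    rows = []
    for line in markdown.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[0] in ("Device", "---"):
            continue
        rows.append((cells[0], cells[1], cells[2]))
    return rows


def build_leases(tables=RESERVATION_TABLES) -> Tuple[List[str], List[str]]:
    """Return (RouterOS commands, problems). A row with a blocking problem produces no command."""
    commands, problems = [], []
    seen_macs: Dict[str, str] = {}
    for server, (subnet, table) in tables.items():
        net = ipaddress.ip_network(subnet)
        for device, ip, mac in parse_table(table):
            addr = ipaddress.ip_address(ip)
            if addr not in net:
                problems.append(f"{device}: {ip} is outside {subnet}, which {server} serves")
                continue
            host = int(addr) - int(net.network_address)
            if POOL_HOST_RANGE[0] <= host <= POOL_HOST_RANGE[1]:
                # The plan keeps every reservation below .100, outside the dynamic pool; flag drift
                problems.append(f"{device}: {ip} lies inside the dynamic pool .100-.200")
            if not MAC_RE.match(mac):
                problems.append(f"{device}: MAC is still a placeholder ({mac}), fill it in before migrating")
                continue
            mac = mac.upper()
            if mac in seen_macs:
                problems.append(f"{device}: MAC {mac} is already reserved for {seen_macs[mac]}, check intent")
                continue
            seen_macs[mac] = device
            commands.append(
                f"/ip/dhcp-server/lease/add server={server} address={ip} "
                f'mac-address={mac} comment="{device}"'
            )
    return commands, problems


if __name__ == "__main__":
    commands, problems = build_leases()
    print("\n".join(commands))
    print("\n".join("PROBLEM: " + p for p in problems))
```

With the tables as they stand the script emits 15 lease commands and three problems, one for each Unraid-side entry whose MAC is still "(current MAC)"; those three are exactly the entries to fill in (the Pi-hole and Unbound containers have their own MACs on br0) before the maintenance window.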
## Risks & Considerations

### Service Interruption
- HIGH RISK: Enabling VLAN filtering will temporarily disrupt all devices
- Mitigation: Perform during maintenance window, have console access ready
### Device Re-configuration
- All devices will get new IPs from new DHCP pools
- Static IP reservations should be configured before migration
- Some devices may need manual WiFi reconnection
### Unraid Considerations
- Unraid needs to be on VLAN 10 (secure)
- Docker containers with br0 (192.168.31.x) need reconfiguration
- Pi-hole and Unbound IPs will change
### Home Assistant
- Will be on IoT VLAN
- Integrations may need reconfiguration for new IP ranges
- Traefik routing may need adjustment
## Rollback Plan

If issues occur, disable VLAN filtering:

```
/interface/bridge/set bridge vlan-filtering=no
```

This immediately returns the network to flat (unsegmented) mode.
## Questions Before Implementation
- WiFi passwords for new SSIDs - What should Kids and Guest passwords be?
- Printer access - Should Kids be able to print? (Requires firewall rule)
- Home Assistant location - IoT VLAN (recommended) or Secure VLAN?
- Unraid Docker networks - br0 containers need VLAN assignment decision
- Switch port mapping - Need to know which CSS326 ports connect to which devices
## Next Steps
- Confirm device categorization is correct
- Decide on WiFi passwords for new SSIDs
- Map CSS326 switch ports to devices
- Schedule maintenance window for implementation
- Backup MikroTik and switch configs before changes
- Implement in phases with testing between each