XTRM-Unraid
c1dca8526a
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
- 5 VLANs: Management, Trusted, IoT, Servers, Guest - Complete firewall rules matrix - MikroTik implementation commands - DNS per-VLAN configuration - WiFi SSID mapping - Migration plan phases
10 KiB
10 KiB
WIP: VLAN Network Segmentation Proposal
Status: Planning
Created: 2026-01-25
Current State
Single flat network: 192.168.31.0/24
- All devices on same broadcast domain
- No traffic isolation between IoT, guests, and trusted devices
- Security risk: compromised IoT device can access entire network
Proposed VLAN Architecture
┌─────────────────┐
│ INTERNET │
└────────┬────────┘
│
┌────────▼────────┐
│ MikroTik hAP │
│ 192.168.31.1 │
│ (Router/FW) │
└────────┬────────┘
│
┌──────────────┬───────────────┼───────────────┬──────────────┐
│ │ │ │ │
┌────────▼────────┐ ┌───▼───────┐ ┌─────▼─────┐ ┌───────▼───────┐ ┌────▼────┐
│ VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 40 │ │ VLAN 50 │
│ Management │ │ Trusted │ │ IoT │ │ Servers │ │ Guest │
│ 192.168.10.0/24 │ │ .20.0/24 │ │ .30.0/24 │ │ .40.0/24 │ │.50.0/24 │
└─────────────────┘ └───────────┘ └───────────┘ └───────────────┘ └─────────┘
VLAN Definitions
| VLAN ID | Name | Subnet | Purpose | Gateway |
|---|---|---|---|---|
| 10 | Management | 192.168.10.0/24 | Infrastructure management | .10.1 |
| 20 | Trusted | 192.168.20.0/24 | Personal devices | .20.1 |
| 30 | IoT | 192.168.30.0/24 | Smart home devices | .30.1 |
| 40 | Servers | 192.168.40.0/24 | Exposed services | .40.1 |
| 50 | Guest | 192.168.50.0/24 | Visitor WiFi | .50.1 |
VLAN 10: Management
Purpose: Infrastructure administration only
| Device | IP | Description |
|---|---|---|
| MikroTik | 192.168.10.1 | Router/Gateway |
| Unraid | 192.168.10.2 | Server management |
| Switch | 192.168.10.3 | CSS326 management |
| AP | 192.168.10.4 | cAP ac management |
Access Rules:
- ✅ Full access to all VLANs (admin only)
- ✅ SSH, Web UI access
- ❌ No internet access (optional, security hardening)
- ❌ No access FROM other VLANs
VLAN 20: Trusted
Purpose: Personal/family devices with full access
| Device Type | DHCP Range | Examples |
|---|---|---|
| Laptops | .20.100-.150 | MacBooks, Windows PCs |
| Phones | .20.151-.200 | iPhones, Android |
| Tablets | .20.201-.220 | iPads |
| Static | .20.10-.50 | Reserved |
Access Rules:
- ✅ Internet access
- ✅ Access to Servers VLAN (Plex, services)
- ✅ Access to IoT VLAN (control devices)
- ❌ No access to Management VLAN
- ❌ No access from Guest VLAN
VLAN 30: IoT
Purpose: Smart home devices (isolated)
| Device Type | DHCP Range | Examples |
|---|---|---|
| Smart TV | .30.100-.110 | LG TV, Apple TV |
| Speakers | .30.111-.130 | Sonos, HomePod |
| Sensors | .30.131-.180 | Zigbee hubs, motion |
| Cameras | .30.181-.200 | Security cameras |
| Static | .30.10-.50 | Reserved |
Access Rules:
- ✅ Internet access (restricted destinations)
- ✅ Access to local DNS (AdGuard)
- ✅ mDNS/Bonjour relay from Trusted
- ❌ No inter-device communication (optional)
- ❌ No access to Management
- ❌ No access to Servers (except specific ports)
- ❌ Cannot initiate to Trusted (Trusted can initiate)
VLAN 40: Servers/DMZ
Purpose: Services accessible from internet
| Service | IP | Ports | Description |
|---|---|---|---|
| Traefik | 192.168.40.2 | 80,443 | Reverse proxy |
| AdGuard | 192.168.40.4 | 53,853,443 | DNS (DoT/DoH) |
| Gitea | 192.168.40.10 | 3000 | Git hosting |
| Plex | 192.168.40.20 | 32400 | Media server |
Access Rules:
- ✅ Internet access
- ✅ Inbound from WAN (via NAT)
- ✅ Access from Trusted VLAN
- ❌ Cannot initiate to Management
- ❌ Cannot initiate to Trusted
- ❌ No access from Guest
VLAN 50: Guest
Purpose: Visitor WiFi with internet only
| Setting | Value |
|---|---|
| DHCP Range | 192.168.50.100-.200 |
| Lease Time | 4 hours |
| Bandwidth Limit | 50 Mbps |
| Client Isolation | Yes |
Access Rules:
- ✅ Internet access only
- ❌ No access to any internal VLAN
- ❌ No inter-client communication
- ❌ Captive portal (optional)
Firewall Rules Summary
┌─────────────┬──────┬─────────┬─────┬─────────┬───────┐
│ From \ To │ Mgmt │ Trusted │ IoT │ Servers │ Guest │
├─────────────┼──────┼─────────┼─────┼─────────┼───────┤
│ Management │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │
│ Trusted │ ❌ │ ✅ │ ✅ │ ✅ │ ❌ │
│ IoT │ ❌ │ ❌ │ ⚠️ │ ⚠️ │ ❌ │
│ Servers │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
│ Guest │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │
│ Internet │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
└─────────────┴──────┴─────────┴─────┴─────────┴───────┘
✅ = Full access
❌ = Blocked
⚠️ = Limited/Specific ports only
DNS Configuration
| VLAN | DNS Server | Purpose |
|---|---|---|
| 10 Management | 192.168.10.1 | MikroTik DNS |
| 20 Trusted | 192.168.40.4 | AdGuard (full filtering) |
| 30 IoT | 192.168.40.4 | AdGuard (IoT blocklist) |
| 40 Servers | 8.8.8.8, 1.1.1.1 | External DNS |
| 50 Guest | 192.168.40.4 | AdGuard (strict filtering) |
Enforce DNS: NAT redirect all port 53 traffic to designated DNS per VLAN.
WiFi SSID Mapping
| SSID | VLAN | Security | Notes |
|---|---|---|---|
| Home | 20 | WPA3 | Trusted devices |
| Home-IoT | 30 | WPA2 | Smart devices (2.4GHz) |
| Home-Guest | 50 | WPA2 | Visitors |
| (hidden) Admin | 10 | WPA3 | Management only |
MikroTik Implementation
1. Create VLANs on Bridge
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-trusted vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan40-servers vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50
2. IP Addresses
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest
3. DHCP Servers
/ip pool
add name=pool-trusted ranges=192.168.20.100-192.168.20.200
add name=pool-iot ranges=192.168.30.100-192.168.30.200
add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.200
/ip dhcp-server
add address-pool=pool-trusted interface=vlan20-trusted name=dhcp-trusted
add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot
add address-pool=pool-servers interface=vlan40-servers name=dhcp-servers
add address-pool=pool-guest interface=vlan50-guest name=dhcp-guest
4. Inter-VLAN Firewall (Example)
/ip firewall filter
# Allow established/related
add chain=forward action=accept connection-state=established,related
# Management can access all
add chain=forward action=accept src-address=192.168.10.0/24
# Trusted to IoT
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24
# Trusted to Servers
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.40.0/24
# Block all other inter-VLAN
add chain=forward action=drop src-address=192.168.10.0/16 dst-address=192.168.10.0/16
Migration Plan
Phase 1: Preparation
- Document all current static IPs
- List all devices and target VLANs
- Configure switch for VLAN trunking
- Test VLAN setup on isolated port
Phase 2: Infrastructure
- Create VLANs on MikroTik
- Configure DHCP per VLAN
- Move Unraid to VLAN 10 (management)
- Move AdGuard to VLAN 40 (servers)
- Update DNS redirect rules
Phase 3: Devices
- Configure WiFi SSIDs per VLAN
- Move trusted devices to VLAN 20
- Move IoT devices to VLAN 30
- Test inter-VLAN access rules
Phase 4: Hardening
- Implement firewall rules
- Enable DNS enforcement per VLAN
- Set up guest captive portal (optional)
- Document final configuration
Considerations
Pros
- Security isolation between device types
- Compromised IoT cannot access trusted devices
- Guest cannot snoop on internal traffic
- Granular firewall control
- Better traffic management
Cons
- Increased complexity
- mDNS/Bonjour requires relay configuration
- Some IoT devices may have issues
- Initial migration effort
Services Requiring Special Attention
- Plex: Needs access from Trusted to Servers
- Sonos/AirPlay: Requires mDNS relay
- Chromecast: Needs multicast between VLANs
- Printers: May need access from multiple VLANs
Questions to Decide
- Should Management VLAN have internet access?
- IoT device discovery - enable mDNS relay or use static configs?
- Guest WiFi - captive portal or just password?
- Camera VLAN - separate from IoT or combined?
- Keep legacy 192.168.31.0/24 for transition period?