jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cdb961f9435ea15522187cffd02f6097b8b7d439
infrastructure/docs/archive/VLAN-PROPOSAL.md
Kaloyan Danchev ec9659d0cb
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details
Restructure docs: archive VLAN migration, update IPs to VLAN 10 
Major documentation cleanup after VLAN migration completion:
- Archive 12 VLAN project docs to archive/vlan-migration/
- Archive 5 done WIP docs (VLAN proposals, AI stack, Fossorial, DNS backup)
- Create standing reference docs 08-DNS-ARCHITECTURE and 09-TAILSCALE-VPN
- Renumber docs to clean 01-09 sequence with merged CHANGELOG
- Update all active docs from stale 192.168.31.x to current VLAN 10 IPs
- Fix CSS1 (.10.9→.10.3) and ZX1 (.10.7→.10.4) IPs in hardware inventory
- Clean 06-VLAN-DEVICE-ASSIGNMENT: remove migration columns/sections, fix VLAN 25 subnet

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 12:45:16 +02:00

333 lines
11 KiB
Markdown
Raw Blame History

# WIP: VLAN Network Segmentation Proposal
**Status:** Planning
**Created:** 2026-01-25
**Updated:** 2026-01-25
---
## Decisions Made
- ✅ Separate Camera VLAN (VLAN 35)
- ✅ Guest WiFi: Password only (no captive portal)
- ✅ Keep 192.168.31.0/24 during transition (VLAN 1)
---
## Current State
Single flat network: `192.168.31.0/24` (will become transition VLAN)
---
## Proposed VLAN Architecture
```
┌─────────────────┐
│ INTERNET │
└────────┬────────┘
┌────────▼────────┐
│ MikroTik hAP │
│ (Router/FW) │
└────────┬────────┘
┌───────────┬───────────┬───────────┬───┴───┬───────────┬───────────┐
│ │ │ │ │ │ │
┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌▼────────┐ ┌▼────────┐ ┌▼────────┐
│ VLAN 1 │ │ VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │ VLAN 35 │ │ VLAN 40 │ │ VLAN 50 │
│ Legacy │ │ Mgmt │ │ Trusted │ │ IoT │ │ Cameras │ │ Servers │ │ Guest │
│.31.0/24 │ │.10.0/24 │ │.20.0/24 │ │.30.0/24 │ │.35.0/24 │ │.40.0/24 │ │.50.0/24 │
└─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘
```
---
## VLAN Definitions
| VLAN ID | Name | Subnet | Gateway | Purpose |
|---------|------|--------|---------|---------|
| 1 | Legacy/Transition | 192.168.31.0/24 | .31.1 | Current network (temporary) |
| 10 | Management | 192.168.10.0/24 | .10.1 | Infrastructure admin |
| 20 | Trusted | 192.168.20.0/24 | .20.1 | Personal devices |
| 30 | IoT | 192.168.30.0/24 | .30.1 | Smart home devices |
| 35 | Cameras | 192.168.35.0/24 | .35.1 | Security cameras (isolated) |
| 40 | Servers | 192.168.40.0/24 | .40.1 | Exposed services |
| 50 | Guest | 192.168.50.0/24 | .50.1 | Visitor WiFi |
---
## VLAN 1: Legacy/Transition
**Purpose:** Current network - devices migrate from here
| Device | IP | Target VLAN |
|--------|-----|-------------|
| MikroTik | 192.168.31.1 | VLAN 10 |
| Unraid | 192.168.31.2 | VLAN 10 |
| AdGuard | 192.168.31.4 | VLAN 40 |
| LG TV | 192.168.31.100 | VLAN 30 |
**Note:** This VLAN will be deprecated after migration.
---
## VLAN 10: Management
**Purpose:** Infrastructure administration only
| Device | IP | Description |
|--------|-----|-------------|
| MikroTik | 192.168.10.1 | Router/Gateway |
| Unraid | 192.168.10.2 | Server management |
| CSS326 | 192.168.10.3 | Switch management |
| cAP ac | 192.168.10.4 | AP management |
**Access Rules:**
- ✅ Full access to all VLANs
- ✅ SSH, Web UI, API access
- ❌ No access FROM other VLANs (except established)
---
## VLAN 20: Trusted
**Purpose:** Personal/family devices
| Device Type | DHCP Range | Static Range |
|-------------|------------|--------------|
| Reserved | - | .20.10-.50 |
| Laptops | .20.100-.130 | - |
| Phones | .20.131-.160 | - |
| Tablets | .20.161-.180 | - |
| Other | .20.181-.220 | - |
**Access Rules:**
- ✅ Internet access
- ✅ Access to Servers VLAN
- ✅ Access to IoT VLAN (control devices)
- ✅ Access to Cameras VLAN (view feeds)
- ❌ No access to Management VLAN
- ❌ No access from Guest VLAN
---
## VLAN 30: IoT
**Purpose:** Smart home devices (isolated)
| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Smart TVs | .30.100-.110 | LG TV, Apple TV |
| Speakers | .30.111-.130 | Sonos, HomePod |
| Hubs | .30.131-.150 | Zigbee, Z-Wave |
| Sensors | .30.151-.180 | Motion, temp |
| Other | .30.181-.220 | Plugs, lights |
**Access Rules:**
- ✅ Internet access (filtered)
- ✅ Local DNS (AdGuard)
- ✅ mDNS relay from Trusted
- ❌ No access to Management
- ❌ No access to Cameras
- ❌ No access to Servers (except specific)
- ❌ Cannot initiate to Trusted
---
## VLAN 35: Cameras
**Purpose:** Security cameras (highly isolated)
| Device Type | DHCP Range | Examples |
|-------------|------------|----------|
| Indoor | .35.100-.120 | - |
| Outdoor | .35.121-.140 | - |
| NVR | .35.10 | Recording server |
**Access Rules:**
- ⚠️ Limited internet (firmware updates only)
- ✅ Access to NVR only
- ✅ Trusted can VIEW (no control)
- ❌ No access to any other VLAN
- ❌ No inter-camera communication
- ❌ Blocked: China, Russia IPs (common camera callback)
---
## VLAN 40: Servers/DMZ
**Purpose:** Services accessible externally
| Service | IP | Ports | Description |
|---------|-----|-------|-------------|
| Traefik | 192.168.40.2 | 80,443 | Reverse proxy |
| AdGuard | 192.168.40.4 | 53,853,443 | DNS server |
| Gitea | 192.168.40.10 | 3000 | Git hosting |
| Woodpecker | 192.168.40.11 | 8000 | CI/CD |
| Plex | 192.168.40.20 | 32400 | Media |
**Access Rules:**
- ✅ Internet access
- ✅ Inbound from WAN (via NAT)
- ✅ Access from Trusted
- ❌ Cannot initiate to other VLANs
---
## VLAN 50: Guest
**Purpose:** Visitor WiFi (password protected, no captive portal)
| Setting | Value |
|---------|-------|
| DHCP Range | 192.168.50.100-.200 |
| Lease Time | 4 hours |
| Bandwidth | 50 Mbps limit |
| Client Isolation | Enabled |
**Access Rules:**
- ✅ Internet access only
- ❌ No access to ANY internal VLAN
- ❌ No inter-client communication
---
## Firewall Matrix
```
┌─────────────┬────────┬──────┬─────────┬─────┬─────────┬─────────┬───────┐
│ From \ To │ Legacy │ Mgmt │ Trusted │ IoT │ Cameras │ Servers │ Guest │
├─────────────┼────────┼──────┼─────────┼─────┼─────────┼─────────┼───────┤
│ Legacy │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │
│ Management │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │ ✅ │
│ Trusted │ ✅ │ ❌ │ ✅ │ ✅ │ 👁️ │ ✅ │ ❌ │
│ IoT │ ❌ │ ❌ │ ❌ │ ⚠️ │ ❌ │ ⚠️ │ ❌ │
│ Cameras │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │ ❌ │ ❌ │
│ Servers │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
│ Guest │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ⚠️ │
│ Internet │ ❌ │ ❌ │ ❌ │ ❌ │ ❌ │ ✅ │ ❌ │
└─────────────┴────────┴──────┴─────────┴─────┴─────────┴─────────┴───────┘
✅ = Full access
❌ = Blocked
⚠️ = Limited (specific ports/IPs)
👁️ = View only (cameras: RTSP/HTTP streams)
```
---
## DNS Configuration
| VLAN | DNS Server | Filtering Level |
|------|------------|-----------------|
| 1 Legacy | 192.168.31.1 | Current setup |
| 10 Management | 192.168.10.1 | Minimal |
| 20 Trusted | 192.168.40.4 | Standard |
| 30 IoT | 192.168.40.4 | IoT blocklist |
| 35 Cameras | 192.168.40.4 | Strict + geo-block |
| 40 Servers | 8.8.8.8/1.1.1.1 | None (external) |
| 50 Guest | 192.168.40.4 | Strict |
---
## WiFi SSID Mapping
| SSID | VLAN | Band | Security | Hidden |
|------|------|------|----------|--------|
| Home | 20 | 2.4+5 GHz | WPA3 | No |
| Home-IoT | 30 | 2.4 GHz | WPA2 | No |
| Home-Guest | 50 | 2.4+5 GHz | WPA2 | No |
| Admin | 10 | 5 GHz | WPA3 | Yes |
---
## MikroTik Implementation
### 1. Create VLANs
```routeros
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-trusted vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan35-cameras vlan-id=35
add interface=bridge name=vlan40-servers vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50
```
### 2. IP Addresses
```routeros
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-trusted
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.35.1/24 interface=vlan35-cameras
add address=192.168.40.1/24 interface=vlan40-servers
add address=192.168.50.1/24 interface=vlan50-guest
```
### 3. DHCP Pools
```routeros
/ip pool
add name=pool-trusted ranges=192.168.20.100-192.168.20.220
add name=pool-iot ranges=192.168.30.100-192.168.30.220
add name=pool-cameras ranges=192.168.35.100-192.168.35.140
add name=pool-servers ranges=192.168.40.100-192.168.40.150
add name=pool-guest ranges=192.168.50.100-192.168.50.200
```
### 4. Camera Geo-Blocking
```routeros
/ip firewall address-list
add list=blocked-countries address=0.0.0.0/8 comment="CN/RU blocks - add actual ranges"
/ip firewall filter
add chain=forward action=drop src-address=192.168.35.0/24 dst-address-list=blocked-countries
```
---
## Migration Plan
### Phase 1: Preparation (No Downtime)
- [ ] Document all static IPs and MAC addresses
- [ ] Create device inventory with target VLANs
- [ ] Configure VLANs on MikroTik (inactive)
- [ ] Configure switch trunk ports
- [ ] Test on isolated port
### Phase 2: Infrastructure (Brief Downtime)
- [ ] Create VLAN interfaces and IPs
- [ ] Configure DHCP per VLAN
- [ ] Move Unraid management to VLAN 10
- [ ] Move AdGuard to VLAN 40
- [ ] Update container networks
### Phase 3: WiFi (Rolling)
- [ ] Create new SSIDs per VLAN
- [ ] Move personal devices to VLAN 20
- [ ] Move IoT devices to VLAN 30
- [ ] Test mDNS/Bonjour relay
### Phase 4: Cameras & Security
- [ ] Move cameras to VLAN 35
- [ ] Implement geo-blocking
- [ ] Test camera isolation
- [ ] Verify Trusted can view feeds
### Phase 5: Cleanup
- [ ] Implement all firewall rules
- [ ] Enable DNS enforcement
- [ ] Migrate remaining devices from VLAN 1
- [ ] Document final configuration
- [ ] Deprecate VLAN 1 (keep for emergency)
---
## Rollback Plan
If issues occur:
1. All devices can temporarily use VLAN 1 (legacy)
2. MikroTik remains accessible on 192.168.31.1
3. Keep VLAN 1 DHCP active during transition
Reference in New Issue View Git Blame Copy Permalink