infrastructure/docs/03-VLAN-DEVICE-ASSIGNMENT.md

# VLAN Device Assignment Map

**Last Updated:** 2026-01-25  
**Status:** Phase 1 Complete - Ready for Switch Configuration
**Purpose:** Complete inventory of all network devices with VLAN assignments

---

## VLAN Summary

| VLAN | Name | Subnet | Gateway | Purpose | Devices |
|------|------|--------|---------|---------|---------|
| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Current flat network | To be deprecated |
| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | 6 |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices | 9 |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices | 6 |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | 14 |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | 1 |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers | 1 |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi | 7 |
| **Total** | | | | | **44** |

---

## VLAN 10 - Management (Infrastructure)

| Target IP | MAC Address | Device | Notes |
|-----------|-------------|--------|-------|
| 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router - Gateway for all VLANs |
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | Access point - CAPsMAN managed |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch - Room distribution |
| 192.168.10.4 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch - Server rack |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard Home | DNS server (Unraid Docker) |
| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM - IPMI alternative |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server - Docker host, NAS |

**Note:** Router containers (AdGuard MikroTik 172.17.0.2, Tailscale 172.17.0.3) are on containers-br bridge, not VLANs.

---

## VLAN 20 - Trusted (Family Devices)

| Target IP | MAC Address | Device | Owner |
|-----------|-------------|--------|-------|
| 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora |
| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan |
| 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho |
| 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan |
| 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi |
| 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi |
| 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan |
| 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan |
| 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg |

---

## VLAN 25 - Kids (Parental Controls)

| Target IP | MAC Address | Device | Owner |
|-----------|-------------|--------|-------|
| 192.168.25.12 | F2:B8:14:61:C8:27 | iPhone | Dancho |
| 192.168.25.13 | 70:85:C2:75:64:E5 | Windows Device | Dancho |
| 192.168.25.14 | 90:91:64:70:0D:86 | Notebook | Kimi |
| 192.168.25.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi |
| 192.168.25.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg |
| 192.168.25.19 | CC:5E:F8:D3:37:D3 | XTRM-Ally | Kids Gaming |

**Note:** Some devices appear in both VLAN 20 and 25 - assignment depends on which SSID/port they connect to.

---

## VLAN 30 - IoT (Smart Home)

| Target IP | MAC Address | Device | Location |
|-----------|-------------|--------|----------|
| 192.168.30.10 | 50:2C:C6:7A:55:39 | GREE Air Conditioner | Living Room |
| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV (LAN) | Living Room |
| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV (WiFi) | Living Room |
| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room |
| 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room |
| 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen |
| 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen |
| 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | Kids Bathroom |
| 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Smart Device 1 | - |
| 192.168.30.32 | 38:1F:8D:04:6F:E4 | Tuya Smart Device 2 | - |
| 192.168.30.33 | 38:A5:C9:44:7B:80 | IoT lwip0 Device 1 | - |
| 192.168.30.34 | 38:A5:C9:44:7B:F1 | IoT lwip0 Device 2 | - |
| 192.168.30.38 | D4:AD:FC:BE:13:B0 | Shenzhen Intellirocks | - |
| 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - |

---

## VLAN 35 - Cameras (Security)

| Target IP | MAC Address | Device | Location |
|-----------|-------------|--------|----------|
| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door |

---

## VLAN 40 - Servers (Services)

| Target IP | MAC Address | Device | Purpose |
|-----------|-------------|--------|---------|
| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer |

---

## VLAN 50 - Guest (Isolated)

| Target IP | MAC Address | Device | Notes |
|-----------|-------------|--------|-------|
| 192.168.50.10 | AC:87:A3:77:8F:BD | Apple Device | Unknown owner |
| 192.168.50.11 | 22:4C:7F:1D:85:8E | Unknown Device | Privacy MAC |
| 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown Device | Private vendor |
| 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown Device | Private vendor |
| 192.168.50.14 | C6:2A:59:AD:17:90 | Unknown Device | Random MAC |
| 192.168.50.15 | E6:17:3D:D3:96:D3 | Unknown Device | Random MAC |
| 192.168.50.16 | 72:F5:14:2D:F0:18 | Unknown Device | Stale |

---

## MAC Address Quick Reference

### VLAN 10 - Management
```
78:9A:18:2C:A5:48  HAP1 Router
18:FD:74:54:3D:BC  CAP XL ac
F4:1E:57:C9:BD:09  CSS326 Switch
1C:2A:A3:1E:78:67  ZX1 Switch
02:42:C0:A8:1F:04  AdGuard Home
48:DA:35:6F:BE:50  NanoKVM
A8:B8:E0:02:B6:15  XTRM-U Unraid
```

### VLAN 20 - Trusted
```
82:6D:FB:D9:E0:47  Nora MacBook
AA:ED:8B:2A:40:F1  Kaloyan S25
F2:B8:14:61:C8:27  Dancho iPhone
82:EC:EF:B5:F2:AF  Kaloyan MacBook WiFi
90:91:64:70:0D:86  Kimi Notebook
2A:2B:BA:86:D4:AF  Kimi iPhone
08:92:04:C6:07:C5  Kaloyan MacBook LAN
1C:83:41:32:F3:AF  Kaloyan Gaming PC
A4:D1:D2:7B:52:BE  Compusbg iPad
```

### VLAN 25 - Kids
```
F2:B8:14:61:C8:27  Dancho iPhone
70:85:C2:75:64:E5  Dancho Windows
90:91:64:70:0D:86  Kimi Notebook
2A:2B:BA:86:D4:AF  Kimi iPhone
A4:D1:D2:7B:52:BE  Compusbg iPad
CC:5E:F8:D3:37:D3  XTRM-Ally
```

### VLAN 30 - IoT
```
50:2C:C6:7A:55:39  GREE AC
B0:37:95:79:AF:9B  LG TV (LAN)
DC:03:98:6B:5A:3A  LG TV (WiFi)
D0:E7:82:F7:65:DD  Chromecast
B0:4A:39:3F:9A:14  Roborock Vacuum
94:27:70:1E:0C:EE  Bosch Oven
C8:D7:78:40:65:40  Bosch Dishwasher
C8:D7:78:D6:DC:FC  Bosch Washer
18:DE:50:5B:C8:A6  Tuya Device 1
38:1F:8D:04:6F:E4  Tuya Device 2
38:A5:C9:44:7B:80  lwip0 Device 1
38:A5:C9:44:7B:F1  lwip0 Device 2
D4:AD:FC:BE:13:B0  Intellirocks
C8:5C:CC:52:EA:53  Xiaomi Air Purifier
```

### VLAN 35 - Cameras
```
48:9E:9D:0E:16:F7  Reolink Doorbell
```

### VLAN 40 - Servers
```
64:4E:D7:D8:43:3E  HP LaserJet
```

### VLAN 50 - Guest
```
AC:87:A3:77:8F:BD  Unknown Apple
22:4C:7F:1D:85:8E  Unknown Random MAC
D0:C9:07:92:1A:8E  Unknown Private 1
D0:C9:07:8C:C9:46  Unknown Private 2
C6:2A:59:AD:17:90  Unknown .138
E6:17:3D:D3:96:D3  Unknown .250
72:F5:14:2D:F0:18  Unknown Stale
```

---

## Configuration Status

### MikroTik hAP ax³ ✅
- [x] VLAN interfaces created (10, 20, 25, 30, 35, 40, 50)
- [x] IP addresses assigned to all VLANs
- [x] DHCP servers configured for all VLANs
- [x] DHCP pools configured
- [x] Static DHCP leases (44 devices)
- [x] Bridge VLAN table entries
- [x] Firewall rules for inter-VLAN isolation
- [ ] VLAN filtering enabled (pending switch config)

### CSS326 Switch ⏳
- [ ] VLAN configuration via SwOS
- [ ] Port assignments

### Next Steps
1. Configure CSS326 switch VLANs via SwOS (http://192.168.31.9)
2. Enable VLAN filtering on MikroTik bridge
3. Test connectivity