infrastructure/docs/12-VLAN-SETUP-PROGRESS.md
Kaloyan Danchev e9572ae166 Add VLAN setup documentation - complete implementation
- docs/12-VLAN-SETUP-PROGRESS.md: Progress tracking during setup
- docs/13-VLAN-SETUP-PLAN-V2.md: Initial VLAN plan
- docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md: Safe mode approach
- docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md: Final session summary

VLANs implemented:
- VLAN 10: Management (192.168.10.0/24) - port-based
- VLAN 20: Trusted (192.168.20.0/24) - WiFi MAC-based
- VLAN 25: Kids (192.168.25.0/24) - WiFi MAC-based
- VLAN 30: IoT (192.168.30.0/24) - WiFi MAC-based
- VLAN 40: Catch-All (192.168.1.0/24) - default

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 13:05:33 +02:00


VLAN Setup Progress

Created: 2026-01-28
Status: IN PROGRESS
Last Updated: 2026-01-28


CRITICAL WARNING

ALWAYS ASK FOR EXPLICIT CONFIRMATION BEFORE:

  1. Enabling VLAN filtering (/interface bridge set bridge vlan-filtering=yes)
  2. Changing bridge port PVID values
  3. Modifying bridge VLAN table

Reason: When VLAN filtering was enabled on 2026-01-28, the entire network lost connectivity:

  • WiFi devices: No DHCP, no internet
  • Wired devices on CSS326 (not VLAN 10): No DHCP, no internet
  • Even with manual IP/DNS/gateway assignment: No internet
  • Only VLAN 10 devices (Unraid on ether4/5) continued working

Root Cause (suspected): Bridge VLAN table or NAT/masquerade configuration issue for VLAN 1 traffic.

Recovery: User had to manually troubleshoot and fix the configuration.


Current Network State

Hardware Topology

```text
Internet (62.73.120.142)
    │
    ▼
┌──────────────────────────────────────────────────────────────┐
│                    HAP1 | MikroTik hAP ax³                   │
│                    IP: 192.168.88.1                          │
│                    RouterOS: 7.21.1                          │
│                                                              │
│  Ports:                                                      │
│  ├── ether1: WAN (DHCP from ISP)                            │
│  ├── ether2: CAP XL ac (via PP1)                            │
│  ├── ether3: CSS326 switch                                  │
│  ├── ether4: Unraid eth1 ──┐ VLAN 10 (PVID=10)             │
│  ├── ether5: Unraid eth2 ──┘                                │
│  ├── wifi1: XTRM (5GHz)                                     │
│  └── wifi2: XTRM2 (2.4GHz)                                  │
│                                                              │
│  Installed Packages: routeros, wifi-qcom, container,        │
│                      user-manager                            │
└──────────────────────────────────────────────────────────────┘
         │
         │ ether2
         ▼
┌──────────────────────────────────────────────────────────────┐
│                    CAP | MikroTik cAP XL ac                  │
│                    IP: 192.168.88.250                        │
│                    RouterOS: 7.21.1                          │
│                    CAPsMAN managed by HAP1                   │
│                                                              │
│  WiFi (provisioned via CAPsMAN):                            │
│  ├── cap-wifi1: XTRM2 (2.4GHz)                              │
│  └── cap-wifi2: XTRM (5GHz)                                 │
└──────────────────────────────────────────────────────────────┘

         │ ether3
         ▼
┌──────────────────────────────────────────────────────────────┐
│                    CSS326-24G-2S+                            │
│                    IP: 192.168.88.254                        │
│                    SwOS                                      │
│                    (VLAN config pending)                     │
└──────────────────────────────────────────────────────────────┘
```

SSH Access

| Device | IP | Port | User | Auth |
|---|---|---|---|---|
| HAP1 | 192.168.88.1 | 22 | xtrm | SSH key (~/.ssh/mikrotik_key) |
| CAP | 192.168.88.250 | 2222 | xtrm | SSH key (~/.ssh/mikrotik_key) |
| Unraid | 192.168.10.20 (pending) | 422 | root | SSH key (~/.ssh/id_ed25519_unraid) |

WiFi Configuration

| SSID | Band | Password | Security |
|---|---|---|---|
| XTRM | 5GHz | M0stW4nt3d@home | WPA2/WPA3 |
| XTRM2 | 2.4GHz | M0stW4nt3d@IoT | WPA2 |

VLAN Architecture (Planned)

| VLAN ID | Name | Subnet | Gateway | Purpose | Assignment Method |
|---|---|---|---|---|---|
| 1 | Default | 192.168.88.0/24 | 192.168.88.1 | Current LAN (transition) | Default |
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | Port-based |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family devices | RADIUS MAC auth |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | Kids devices | RADIUS MAC auth |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | RADIUS MAC auth |
| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | Port-based |
| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Services | Port-based |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Unknown/Guest devices | RADIUS default |

Assignment Strategy

  • Port-based: Wired devices with dedicated ports (Unraid, cameras)
  • RADIUS MAC auth: WiFi devices - MikroTik User Manager assigns VLAN based on MAC
  • Default VLAN 50: Unknown devices get internet-only access

Current Configuration Status

VLAN 10 - Management (IN PROGRESS)

Status: Configured, waiting for Unraid to renew DHCP

What's Done:

  • VLAN interface created: vlan10-mgmt
  • IP assigned: 192.168.10.1/24
  • DHCP pool: 192.168.10.100-192.168.10.200
  • DHCP server: dhcp-mgmt (DNS: 8.8.8.8)
  • Static leases created for VLAN 10 devices
  • Bridge VLAN table configured
  • ether4/ether5 PVID set to 10
  • VLAN filtering enabled on bridge

What's Pending:

  • Unraid needs to renew DHCP to get 192.168.10.20
  • Verify Unraid connectivity on new IP
  • Update Unraid SSH connection string in CLAUDE.md

Bridge VLAN Table:

```text
VLAN 1:  tagged=bridge, untagged=ether2,ether3,wifi1,wifi2
VLAN 10: tagged=bridge, untagged=ether4,ether5
```

Bridge Ports:

```text
ether2: PVID=1  (CAP)
ether3: PVID=1  (CSS326)
ether4: PVID=10 (Unraid)
ether5: PVID=10 (Unraid)
wifi1:  PVID=1  (XTRM 5GHz)
wifi2:  PVID=1  (XTRM2 2.4GHz)
```

VLAN 10 Static Leases

| IP | MAC | Device | Status |
|---|---|---|---|
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | Waiting |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 | Waiting |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | Waiting |
| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | Waiting |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U Unraid | Waiting |

User Manager (Installed, Not Configured)

Status: Package installed, not enabled

Purpose: RADIUS server for MAC-based VLAN assignment on WiFi

Next Steps:

  1. Enable User Manager
  2. Add router as RADIUS client (NAS)
  3. Create user entries with MAC addresses and VLAN attributes
  4. Configure WiFi for RADIUS MAC authentication
  5. Set default VLAN 50 for unknown MACs

Device Inventory by VLAN

VLAN 10 - Management (5 devices)

| Target IP | MAC | Device | Connection |
|---|---|---|---|
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | ether2 via PP1 |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 | ether3 |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | Container |
| 192.168.10.11 | 48:DA:35:6F:BE:50 | NanoKVM | CSS326 port |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | XTRM-U Unraid | ether4/5 |

VLAN 20 - Trusted (5 devices)

| Target IP | MAC | Device | Owner |
|---|---|---|---|
| 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora |
| 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan |
| 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan |
| 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan |
| 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan |

VLAN 25 - Kids (4 devices)

| Target IP | MAC | Device | Owner |
|---|---|---|---|
| 192.168.25.12 | F2:B8:14:61:C8:27 | iPhone | Dancho |
| 192.168.25.14 | 90:91:64:70:0D:86 | Notebook | Kimi |
| 192.168.25.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi |
| 192.168.25.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg |

VLAN 30 - IoT (12 devices)

| Target IP | MAC | Device |
|---|---|---|
| 192.168.30.10 | 50:2C:C6:7A:55:39 | GREE AC |
| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV (LAN) |
| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV (WiFi) |
| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast |
| 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock Vacuum |
| 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Oven |
| 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher |
| 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer |
| 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Device 1 |
| 192.168.30.32 | 38:1F:8D:04:6F:E4 | Tuya Device 2 |
| 192.168.30.38 | D4:AD:FC:BE:13:B0 | Intellirocks |
| 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier |

VLAN 35 - Cameras (1 device)

| Target IP | MAC | Device |
|---|---|---|
| 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell |

VLAN 40 - Servers (1 device)

| Target IP | MAC | Device |
|---|---|---|
| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet |

VLAN 50 - Guest/Unknown (4 devices)

| Target IP | MAC | Notes |
|---|---|---|
| 192.168.50.10 | AC:87:A3:77:8F:BD | Unknown Apple device |
| 192.168.50.11 | 22:4C:7F:1D:85:8E | Random MAC (privacy) |
| 192.168.50.12 | D0:C9:07:92:1A:8E | Unknown |
| 192.168.50.13 | D0:C9:07:8C:C9:46 | Unknown |

Useful Commands

Check VLAN Status

```
/interface vlan print
/interface bridge vlan print detail
/interface bridge port print
/interface bridge print where name=bridge
```

Check DHCP Leases

```
/ip dhcp-server lease print
/ip dhcp-server lease print where server=dhcp-mgmt
```

Check User Manager

```
/user-manager print
/user-manager user print
/user-manager router print
```

Rollback VLAN Filtering

```
/interface bridge set bridge vlan-filtering=no
```

Force DHCP Renewal on Unraid

```sh
# On Unraid terminal
/etc/rc.d/rc.inet1 restart
# Or
dhclient -r eth0 && dhclient eth0
```

Next Steps (In Order)

  1. Complete VLAN 10 Setup

    • Restart network on Unraid to get new IP (192.168.10.20)
    • Verify connectivity
    • Update CLAUDE.md with new Unraid IP
  2. Configure User Manager for RADIUS

    • Enable User Manager
    • Add router as NAS (RADIUS client)
    • Configure WiFi for MAC authentication
  3. Create Other VLANs

    • VLAN 20 (Trusted) - interface, DHCP, firewall
    • VLAN 25 (Kids) - interface, DHCP, firewall
    • VLAN 30 (IoT) - interface, DHCP, firewall
    • VLAN 35 (Cameras) - interface, DHCP, firewall
    • VLAN 40 (Servers) - interface, DHCP, firewall
    • VLAN 50 (Guest) - interface, DHCP, firewall (default for unknown)
  4. Add MAC-VLAN Mappings to User Manager

    • Add all trusted device MACs → VLAN 20
    • Add all kids device MACs → VLAN 25
    • Add all IoT device MACs → VLAN 30
    • Default (no match) → VLAN 50
  5. Configure Inter-VLAN Firewall Rules

    • Management → All (full access)
    • Trusted → IoT, Cameras, Servers (control)
    • Kids → Limited (parental controls)
    • IoT → Internet only
    • Cameras → Isolated
    • Guest → Internet only
  6. Test and Verify

    • Test each VLAN connectivity
    • Test inter-VLAN access rules
    • Test unknown device goes to VLAN 50

Firewall Rules (Planned)

```
# Allow established/related
/ip firewall filter add chain=forward connection-state=established,related action=accept

# Management can access everything
/ip firewall filter add chain=forward src-address=192.168.10.0/24 action=accept

# Trusted can access IoT, Cameras, Servers
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.30.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.35.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.40.0/24 action=accept

# IoT - Internet only (block inter-VLAN)
/ip firewall filter add chain=forward src-address=192.168.30.0/24 dst-address=192.168.0.0/16 action=drop

# Cameras - Isolated
/ip firewall filter add chain=forward src-address=192.168.35.0/24 dst-address=192.168.0.0/16 action=drop

# Guest - Internet only
/ip firewall filter add chain=forward src-address=192.168.50.0/24 dst-address=192.168.0.0/16 action=drop

# Drop all other inter-VLAN
/ip firewall filter add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
```
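To check that the planned rule order actually yields the access matrix listed under "Configure Inter-VLAN Firewall Rules", the following added example (not part of the original document) walks the forward-chain rules above first-match style for one host per VLAN; it models only new connections and only the filter rules listed here, and uses 1.1.1.1 as a stand-in for any internet address.

```python
"""First-match walk of the planned forward-chain rules (added example).

Models new connections only: replies are covered by the established/related
rule in the real chain. Uses only the filter rules from the plan above.
"""
import ipaddress

# Planned rules in order, as (src, dst, action); None means "any".
RULES = [
    ("192.168.10.0/24", None,              "accept"),  # Management -> all
    ("192.168.20.0/24", "192.168.30.0/24", "accept"),  # Trusted -> IoT
    ("192.168.20.0/24", "192.168.35.0/24", "accept"),  # Trusted -> Cameras
    ("192.168.20.0/24", "192.168.40.0/24", "accept"),  # Trusted -> Servers
    ("192.168.30.0/24", "192.168.0.0/16",  "drop"),    # IoT -> internal
    ("192.168.35.0/24", "192.168.0.0/16",  "drop"),    # Cameras -> internal
    ("192.168.50.0/24", "192.168.0.0/16",  "drop"),    # Guest -> internal
    ("192.168.0.0/16",  "192.168.0.0/16",  "drop"),    # all other inter-VLAN
]

def verdict(src, dst):
    """Action of the first matching rule; 'accept' when no rule matches,
    which is what RouterOS does for a chain without a final catch-all."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, action in RULES:
        if rule_src and s not in ipaddress.ip_network(rule_src):
            continue
        if rule_dst and d not in ipaddress.ip_network(rule_dst):
            continue
        return action
    return "accept"

# One host per VLAN, taken from the device inventory; 1.1.1.1 = "internet".
VLAN_HOST = {"mgmt": "192.168.10.20", "trusted": "192.168.20.17",
             "kids": "192.168.25.14", "iot": "192.168.30.13",
             "cam": "192.168.35.10", "srv": "192.168.40.19",
             "guest": "192.168.50.10", "internet": "1.1.1.1"}

def access_matrix():
    """Map (src_vlan, dst_vlan) -> verdict for every internal source."""
    return {(a, b): verdict(VLAN_HOST[a], VLAN_HOST[b])
            for a in VLAN_HOST if a != "internet"
            for b in VLAN_HOST if b != a}
```

The walk also shows that Cameras → internet is accepted, because the camera rule only drops destinations in 192.168.0.0/16; if "Isolated" is meant to include no internet, a further drop rule is needed. Kids and Servers get no accept rule at all, so every new inter-VLAN flow they start hits the final drop.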

Incident Log

2026-01-28: Network Outage After VLAN Filtering Enabled

Timeline:

  1. VLAN 10 interface, DHCP, static leases configured
  2. Bridge VLAN table configured (VLAN 1 and VLAN 10)
  3. ether4/ether5 PVID set to 10
  4. VLAN filtering enabled
  5. Result: All non-VLAN 10 devices lost connectivity

Symptoms:

  • WiFi devices: No DHCP assignment
  • CSS326 connected devices: No DHCP assignment
  • Manual IP configuration: Still no internet
  • VLAN 10 devices (Unraid): Working correctly

Suspected Cause:

  • Bridge VLAN table may not have been properly configured for VLAN 1
  • NAT masquerade may not have been applied to VLAN 1 traffic
  • Possible missing egress tagging configuration

Resolution: Manual fix by user (details TBD)

Lessons Learned:

  1. ALWAYS test VLAN config on a single device first before enabling filtering
  2. ALWAYS ask for explicit user confirmation before enabling VLAN filtering
  3. Have rollback command ready: /interface bridge set bridge vlan-filtering=no
  4. Keep WinBox/MAC-based access available for recovery
  5. Document exact state before making changes

Pre-Change Checklist (MANDATORY)

Before enabling VLAN filtering, verify:

  • Bridge VLAN table has VLAN 1 with all non-VLAN ports as untagged
  • Bridge itself is tagged in all VLANs
  • NAT masquerade rule covers all internal networks
  • DHCP servers exist for all active VLANs
  • Static routes/addresses configured if needed
  • WinBox or MAC-based access available for recovery
  • User has confirmed they are ready for potential outage
  • Rollback command documented: /interface bridge set bridge vlan-filtering=no
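The first two checklist items (VLAN 1 carries all non-VLAN ports untagged, the bridge is tagged in every VLAN) are exactly the conditions suspected in the 2026-01-28 incident log, and they can be verified mechanically before `vlan-filtering=yes` is set. The following added example (not code from the original document) parses a constructed snapshot written in the same shape as the "Bridge VLAN Table" and "Bridge Ports" notes above and reports any VLAN without a tagged bridge member and any port whose PVID has no VLAN entry listing that port as untagged.

```python
"""Check a bridge VLAN table against the pre-change checklist (added example).

A VLAN without the bridge itself as tagged member cannot be routed or served
DHCP by the router; a port whose PVID has no VLAN entry listing it as untagged
has its untagged ingress dropped once vlan-filtering is enabled.
"""
import re

# Constructed snapshot, same layout as this document's notes.
BRIDGE_VLANS = """
VLAN 1:  tagged=bridge, untagged=ether2,ether3,wifi1,wifi2
VLAN 10: tagged=bridge, untagged=ether4,ether5
"""
BRIDGE_PORTS = """
ether2: PVID=1  (CAP)
ether3: PVID=1  (CSS326)
ether4: PVID=10 (Unraid)
ether5: PVID=10 (Unraid)
wifi1:  PVID=1  (XTRM 5GHz)
wifi2:  PVID=1  (XTRM2 2.4GHz)
"""

def members(field):
    """'ether2,ether3' -> {'ether2', 'ether3'}; '' -> empty set."""
    return {p for p in field.split(",") if p}

def parse_vlans(text):
    """Return {vid: {'tagged': set, 'untagged': set}} from the VLAN table notes."""
    pattern = r"VLAN (\d+):\s+tagged=([\w,-]*),\s+untagged=([\w,-]*)"
    return {int(vid): {"tagged": members(t), "untagged": members(u)}
            for vid, t, u in re.findall(pattern, text)}

def parse_ports(text):
    """Return {port: pvid} from the bridge port notes."""
    return {port: int(pvid)
            for port, pvid in re.findall(r"^([\w-]+):\s+PVID=(\d+)", text, re.M)}

def check(vlans, ports, bridge="bridge"):
    """Return a list of problems; an empty list means the table is consistent."""
    problems = []
    for vid, m in vlans.items():
        if bridge not in m["tagged"]:
            problems.append(f"VLAN {vid}: '{bridge}' is not a tagged member")
    for port, pvid in ports.items():
        if port not in vlans.get(pvid, {"untagged": set()})["untagged"]:
            problems.append(f"{port}: PVID {pvid} has no untagged VLAN entry for this port")
    return problems
```

Run `check(parse_vlans(BRIDGE_VLANS), parse_ports(BRIDGE_PORTS))` on a fresh snapshot of the real table; an empty result is the go/no-go for the first two checklist items, the remaining items (NAT, DHCP, recovery access) still need a manual check.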

Reference Documents

  • docs/03-VLAN-DEVICE-ASSIGNMENT.md - Full device inventory
  • docs/04-VLAN-MIGRATION-PLAN.md - Original migration plan
  • docs/11-VLAN-IMPLEMENTATION.md - VLAN architecture overview
  • docs/wip/VLAN-PROPOSAL.md - Initial proposal