- docs/12-VLAN-SETUP-PROGRESS.md: Progress tracking during setup
- docs/13-VLAN-SETUP-PLAN-V2.md: Initial VLAN plan
- docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md: Safe mode approach
- docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md: Final session summary

VLANs implemented:
- VLAN 10: Management (192.168.10.0/24) - port-based
- VLAN 20: Trusted (192.168.20.0/24) - WiFi MAC-based
- VLAN 25: Kids (192.168.25.0/24) - WiFi MAC-based
- VLAN 30: IoT (192.168.30.0/24) - WiFi MAC-based
- VLAN 40: Catch-All (192.168.1.0/24) - default

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# VLAN Setup Complete - Session Summary

**Date:** 2026-01-31
**Status:** COMPLETED
**Backup:** `vlan-setup-complete-2026-01-31.backup` and `.rsc` on router

## Executive Summary
Successfully implemented VLAN network segmentation on MikroTik hAP ax³ with:
- Port-based VLAN assignment for wired infrastructure
- MAC-based dynamic VLAN assignment for WiFi devices via access-list
- CAPsMAN configured for CAP XL ac management
## Current Network Configuration

### Router Access
| Method | IP | Port | User | Notes |
|---|---|---|---|---|
| WinBox | 192.168.10.1 | 8291 | xtrm | Primary management |
| WebFig | 192.168.10.1 | 80 | xtrm | Web interface |
| SSH | 192.168.10.1 | 2222 | xtrm | Key: ~/.ssh/mikrotik_key |
| WinBox | 192.168.1.1 | 8291 | xtrm | Via VLAN 40 |
| WinBox | 192.168.20.1 | 8291 | xtrm | Via VLAN 20 |
**Important:** SSH is on port 2222, not 22!

### VLAN Structure (Implemented)
| VLAN | Name | Subnet | Gateway | DHCP Pool | Status |
|---|---|---|---|---|---|
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | .100-.200 | ✅ Working |
| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | .100-.200 | ✅ Working |
| 25 | Kids | 192.168.25.0/24 | 192.168.25.1 | .100-.200 | ✅ Configured |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | .100-.200 | ✅ Configured |
| 40 | Catch-All | 192.168.1.0/24 | 192.168.1.1 | .10-.250 | ✅ Default |
### Port Assignments

```text
HAP ax³ Ports:
├── ether1: WAN (ISP DHCP)
├── ether2: CAP XL ac → VLAN 10 (PVID=10)
├── ether3: CSS326 switch → VLAN 10 (PVID=10)
├── ether4: Unraid eth1 → VLAN 10 (PVID=10)
├── ether5: Unraid eth2 → VLAN 10 (PVID=10)
├── wifi1: XTRM (5GHz) → Tagged VLANs 20,25,30,40
└── wifi2: XTRM2 (2.4GHz) → Tagged VLANs 20,25,30,40
```

### Bridge VLAN Table

```routeros
# VLAN 10 - Management (port-based)
vlan-ids=10 tagged=bridge untagged=ether2,ether3,ether4,ether5
# VLAN 20 - Trusted (WiFi MAC-based)
vlan-ids=20 tagged=bridge,wifi1,wifi2
# VLAN 25 - Kids (WiFi MAC-based)
vlan-ids=25 tagged=bridge,wifi1,wifi2
# VLAN 30 - IoT (WiFi MAC-based)
vlan-ids=30 tagged=bridge,wifi1,wifi2
# VLAN 40 - Catch-All (WiFi default)
vlan-ids=40 tagged=bridge untagged=wifi1,wifi2
```
## WiFi Configuration

### SSIDs
| SSID | Band | Interface | Password | Security |
|---|---|---|---|---|
| XTRM | 5GHz | wifi1 | M0stW4nt3d@home | WPA2/WPA3 |
| XTRM2 | 2.4GHz | wifi2 | M0stW4nt3d@IoT | WPA2 |
### WiFi Datapath (Critical for VLAN)

```routeros
/interface wifi datapath
add name=dp-vlan bridge=bridge
/interface wifi configuration
set cfg-xtrm datapath=dp-vlan
set cfg-xtrm2 datapath=dp-vlan
```

### WiFi Access-List (MAC-based VLAN Assignment)

The access-list assigns VLANs based on client MAC address:

```routeros
/interface wifi access-list
# VLAN 20 - Trusted devices
add action=accept mac-address=AA:ED:8B:2A:40:F1 vlan-id=20 comment="Samsung S25 Ultra - Kaloyan"
add action=accept mac-address=CE:B8:11:EA:8D:55 vlan-id=20 comment="MacBook - Kaloyan"
add action=accept mac-address=BE:A7:95:87:19:4A vlan-id=20 comment="MacBook 5GHz - Kaloyan"
# VLAN 25 - Kids devices
add action=accept mac-address=F2:B8:14:61:C8:27 vlan-id=25 comment="iPhone - Dancho"
add action=accept mac-address=90:91:64:70:0D:86 vlan-id=25 comment="Notebook - Kimi"
add action=accept mac-address=2A:2B:BA:86:D4:AF vlan-id=25 comment="iPhone - Kimi"
# VLAN 30 - IoT devices
add action=accept mac-address=D0:E7:82:F7:65:DD vlan-id=30 comment="Chromecast"
add action=accept mac-address=94:27:70:1E:0C:EE vlan-id=30 comment="Bosch Oven"
add action=accept mac-address=C8:5C:CC:52:EA:53 vlan-id=30 comment="Xiaomi Air Purifier"
add action=accept mac-address=18:DE:50:5B:C8:A6 vlan-id=30 comment="Tuya Device 1"
add action=accept mac-address=38:1F:8D:04:6F:E4 vlan-id=30 comment="Tuya Device 2"
add action=accept mac-address=D4:AD:FC:BE:13:B0 vlan-id=30 comment="Intellirocks"
# Default - VLAN 40 for unknown devices (MUST be last!)
add action=accept vlan-id=40 comment="Default - VLAN40"
```

**Important:** The default rule (no MAC specified) must be LAST in the list! Rules are evaluated top to bottom, so a MAC-less `accept` placed earlier matches every client and the MAC rules below it are never reached.
### VLAN 10 Verified Devices
| IP | MAC | Device | Status |
|---|---|---|---|
| 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP ax³ (Gateway) | ✅ |
| 192.168.10.2 | 18:FD:74:54:3D:BC | CAP XL ac | ✅ |
| 192.168.10.3 | F4:1E:57:C9:BD:09 | CSS326 Switch | ✅ |
| 192.168.10.10 | 02:42:C0:A8:1F:04 | AdGuard (Unraid) | ✅ |
| 192.168.10.20 | A8:B8:E0:02:B6:15 | Unraid Server | ✅ Verified |
| 192.168.10.199 | 48:DA:35:6F:BE:50 | NanoKVM | ✅ |
### CAPsMAN Configuration

```routeros
/interface wifi capsman
set enabled=yes interfaces=wifi1,wifi2 package-path="" upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled master-configuration=cfg-xtrm name-format=identity slave-configurations=cfg-xtrm2 supported-bands=5ghz-ax
add action=create-enabled master-configuration=cfg-xtrm2 name-format=identity slave-configurations=cfg-xtrm supported-bands=2ghz-ax
```
## Critical Lessons Learned

### 1. VLAN Filtering Breaks IP on Bridge

When you enable `vlan-filtering=yes` on the bridge:
- IP address on the bridge interface stops working
- You must have IP on the VLAN interface instead
- Never have same IP on both bridge and VLAN interface simultaneously
### 2. Correct Order of Operations
1. Create VLAN interfaces
2. Add IPs to VLAN interfaces (can have temporary duplicate)
3. Configure bridge VLAN table
4. Set port PVIDs
5. Add VLAN interfaces to firewall interface lists (LAN)
6. Enable VLAN filtering
7. Remove IP from bridge (if any duplicate)
8. Move DHCP server to VLAN interface
### 3. WiFi VLAN Assignment

- Do NOT use `action=query-radius` without configured RADIUS users
- Use WiFi datapath with `bridge=bridge`
- Use access-list with `vlan-id=XX` for MAC-based assignment
- WiFi interfaces must be tagged in bridge VLAN table for dynamic VLANs
### 4. Firewall Interface Lists

After creating VLAN interfaces, add them to the LAN list:

```routeros
/interface list member add list=LAN interface=vlan10-mgmt
/interface list member add list=LAN interface=vlan20-trusted
/interface list member add list=LAN interface=vlan25-kids
/interface list member add list=LAN interface=vlan30-iot
/interface list member add list=LAN interface=vlan40-catchall
```

### 5. Safe Mode

- Enter with Ctrl+X in WinBox
- Changes auto-rollback if connection lost (~10 minutes)
- Exit and save with Ctrl+X again
## Useful Commands

### Verify VLAN Status

```routeros
/interface bridge print where name=bridge
/interface bridge vlan print detail
/interface bridge port print
/ip address print
```

### Check WiFi Clients and VLAN Assignment

```routeros
/interface wifi registration-table print
/interface wifi access-list print
```

### Check DHCP Leases per VLAN

```routeros
/ip dhcp-server lease print where server=dhcp-vlan10
/ip dhcp-server lease print where server=dhcp-vlan20
```

### Add New Device to Access-List

```routeros
/interface wifi access-list add action=accept mac-address=XX:XX:XX:XX:XX:XX vlan-id=20 comment="Device Name" place-before=[find comment="Default - VLAN40"]
```

### Emergency Rollback

```routeros
/interface bridge set bridge vlan-filtering=no
```

### Restore from Backup

```routeros
/system backup load name=vlan-setup-complete-2026-01-31
```
## Pending Tasks

- [ ] **Configure CAP XL ac to join CAPsMAN**
  - CAP is on VLAN 10 at 192.168.10.2
  - Needs provisioning to extend WiFi coverage
- [ ] **Configure CSS326 for VLAN Trunking**
  - Switch is on VLAN 10 at 192.168.10.3
  - Needs VLAN configuration for room distribution
- [ ] **Add Remaining Devices to Access-List**
  - As devices connect, add their MACs to appropriate VLANs
- [ ] **Configure Inter-VLAN Firewall Rules**
  - Management → All (full access)
  - Trusted → IoT (control smart home)
  - IoT → Internet only (isolated)
  - Guest → Internet only (isolated)
- [ ] **Test VLAN 25 (Kids) and VLAN 30 (IoT)**
  - Connect devices and verify DHCP/internet
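One way to express the planned inter-VLAN policy in the forward chain, added here as an example rather than configuration taken from the router. It assumes the default RouterOS forward rules that accept established/related traffic and drop invalid traffic already sit above these rules, that VLAN 40 (Catch-All) is what the task list calls "Guest", and that AdGuard at 192.168.10.10 on VLAN 10 is the resolver clients use (if the router itself serves DNS, the two DNS rules are unnecessary). The interface names are the ones used elsewhere on this page.

```routeros
# Added example, not the router's own configuration. Assumes the default
# established/related accept rule precedes these in chain=forward and that
# AdGuard (192.168.10.10) is the DNS resolver handed to clients.
/ip firewall filter

# Management -> All: accept explicitly so the final drop never catches it
add chain=forward action=accept in-interface=vlan10-mgmt out-interface-list=LAN \
    comment="Management -> all VLANs"

# Trusted -> IoT: Trusted may open connections to smart-home devices;
# replies come back through the established/related rule above
add chain=forward action=accept in-interface=vlan20-trusted out-interface=vlan30-iot \
    comment="Trusted -> IoT (control smart home)"

# Every VLAN may reach the AdGuard resolver on VLAN 10, nothing else there
# (ASSUMPTION: AdGuard is the DHCP-advertised DNS server)
add chain=forward action=accept in-interface-list=LAN dst-address=192.168.10.10 \
    protocol=udp dst-port=53 comment="any VLAN -> AdGuard DNS (udp)"
add chain=forward action=accept in-interface-list=LAN dst-address=192.168.10.10 \
    protocol=tcp dst-port=53 comment="any VLAN -> AdGuard DNS (tcp)"

# Everything else between VLANs is dropped and logged. IoT and Catch-All (Guest)
# therefore reach only the Internet; LAN -> WAN is untouched because the rule
# matches only when both interfaces are in the LAN list.
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    log=yes log-prefix="inter-vlan-drop" comment="Drop all other inter-VLAN traffic"
```

Two things to keep in mind when testing: traffic between two clients on the same VLAN is switched inside the bridge and never reaches the forward chain, so this policy only governs crossings between VLANs; and `/ip firewall filter print stats` shows which rule each probe hit, while `/log print where message~"inter-vlan-drop"` lists the drops (turn `log=yes` off once the IoT devices are confirmed working, or it gets noisy).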
## Connection Commands Reference

### SSH to Unraid (VLAN 10)

```bash
ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422
```

### SSH to MikroTik (port 2222!)

```bash
ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.1
```

### Quick Status from Unraid

```bash
ssh -i ~/.ssh/id_ed25519_unraid root@192.168.10.20 -p 422 "docker ps -a --format 'table {{.Names}}\t{{.Status}}'"
```

## Backup Files on Router
| File | Size | Description |
|---|---|---|
| vlan-setup-complete-2026-01-31.backup | 177.6 KiB | Binary backup (full restore) |
| vlan-setup-complete-2026-01-31.rsc | 12.5 KiB | Script export (readable) |
Download via: WinBox → Files → Select file → Download
## Network Diagram (Current)

```text
Internet
   │
   ▼
┌────────────────────────────────────────────────────────────┐
│ HAP ax³ (192.168.10.1)                                     │
│ RouterOS 7.21.1                                            │
│                                                            │
│ VLAN 10: 192.168.10.0/24 (Management)                      │
│ VLAN 20: 192.168.20.0/24 (Trusted)                         │
│ VLAN 25: 192.168.25.0/24 (Kids)                            │
│ VLAN 30: 192.168.30.0/24 (IoT)                             │
│ VLAN 40: 192.168.1.0/24 (Catch-All/Default)                │
│                                                            │
│ ether2 ─┬─ CAP XL ac (192.168.10.2)                        │
│ ether3 ─┼─ CSS326 (192.168.10.3) ─── NanoKVM (.199)        │
│ ether4 ─┼─ Unraid (192.168.10.20)                          │
│ ether5 ─┘                                                  │
│                                                            │
│ wifi1 (XTRM 5GHz) ───┬── VLAN 20/25/30/40 via access-list  │
│ wifi2 (XTRM2 2.4GHz) ┘                                     │
└────────────────────────────────────────────────────────────┘
```
## Session Timeline

- CAPsMAN Setup - Configured WiFi profiles (cfg-xtrm, cfg-xtrm2) and security
- Research - Studied MikroTik forums for correct VLAN approach
- VLAN Infrastructure - Created VLANs 10, 20, 25, 30, 40 with DHCP
- Safe Mode Implementation - Used atomic script for VLAN filtering
- WiFi VLAN - Configured datapath and access-list for MAC-based assignment
- Verification - Tested connectivity on all VLANs
- Backup - Created `vlan-setup-complete-2026-01-31`

**Document Version:** 1.0
**Last Updated:** 2026-01-31