Major documentation cleanup after VLAN migration completion:
- Archive 12 VLAN project docs to archive/vlan-migration/
- Archive 5 done WIP docs (VLAN proposals, AI stack, Fossorial, DNS backup)
- Create standing reference docs 08-DNS-ARCHITECTURE and 09-TAILSCALE-VPN
- Renumber docs to clean 01-09 sequence with merged CHANGELOG
- Update all active docs from stale 192.168.31.x to current VLAN 10 IPs
- Fix CSS1 (.10.9→.10.3) and ZX1 (.10.7→.10.4) IPs in hardware inventory
- Clean 06-VLAN-DEVICE-ASSIGNMENT: remove migration columns/sections, fix VLAN 25 subnet

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
VLAN Setup Plan v2 - Critical Approach
Created: 2026-01-28
Status: PLANNING
Approach: Step-by-step with verification before each change
CRITICAL RULES
- NO CHANGES WITHOUT EXPLICIT USER APPROVAL
- VERIFY current state before each step
- TEST after each step before proceeding
- HAVE ROLLBACK ready for each step
- STOP and assess if anything unexpected happens
Prerequisites
- Router: MikroTik hAP ax³ (freshly reset to factory defaults)
- Current IP: 192.168.88.1 (factory default)
- Access: WinBox or physical console available for recovery
Phase 1: Basic Router Setup
Step 1.1: Create User xtrm
Action:
/user add name=xtrm password=M0stW4nt3d@xtrm group=full
Verification:
/user print
Expected Result:
- User `xtrm` exists with group `full`
Rollback:
/user remove xtrm
Step 1.2: Change SSH Port to 2222
Action:
/ip service set ssh port=2222
Verification:
/ip service print where name=ssh
Expected Result:
- SSH service on port 2222
Rollback:
/ip service set ssh port=22
Test: SSH to router on port 2222
Step 1.3: Import SSH Key for User xtrm
Prerequisite: Upload mikrotik_key.pub to router via WinBox Files
Action:
/user ssh-keys import public-key-file=mikrotik_key.pub user=xtrm
Verification:
/user ssh-keys print
Expected Result:
- SSH key associated with user `xtrm`
Test: SSH with key authentication (no password)
Phase 2: WiFi & CAPsMAN Setup
Step 2.1: Create Security Profiles
Action:
# For XTRM (5GHz) - High security
/interface wifi security add name=sec-xtrm authentication-types=wpa2-psk,wpa3-psk passphrase=M0stW4nt3d@home
# For XTRM2 (2.4GHz) - IoT compatibility
/interface wifi security add name=sec-xtrm2 authentication-types=wpa-psk,wpa2-psk passphrase=M0stW4nt3d@IoT
Verification:
/interface wifi security print
Expected Result:
- sec-xtrm: WPA2-PSK + WPA3-PSK
- sec-xtrm2: WPA-PSK + WPA2-PSK (for old devices)
Step 2.2: Create Configuration Profiles
Action:
/interface wifi configuration add name=cfg-xtrm ssid=XTRM security=sec-xtrm country=Bulgaria
/interface wifi configuration add name=cfg-xtrm2 ssid=XTRM2 security=sec-xtrm2 country=Bulgaria
Verification:
/interface wifi configuration print
Step 2.3: Apply WiFi to Local Radios
Action:
# wifi1 = 5GHz radio → XTRM
/interface wifi set wifi1 configuration=cfg-xtrm configuration.ssid=XTRM disabled=no
# wifi2 = 2.4GHz radio → XTRM2
/interface wifi set wifi2 configuration=cfg-xtrm2 configuration.ssid=XTRM2 disabled=no
Verification:
/interface wifi print
Test: Connect a device to each SSID, verify internet works
Step 2.4: Enable CAPsMAN
Action:
/interface wifi capsman set enabled=yes interfaces=bridge
Verification:
/interface wifi capsman print
Step 2.5: Create CAPsMAN Provisioning Rules
Action:
# For 5GHz radios → XTRM
/interface wifi provisioning add action=create-dynamic-enabled master-configuration=cfg-xtrm supported-bands=5ghz-a,5ghz-n,5ghz-ac
# For 2.4GHz radios → XTRM2
/interface wifi provisioning add action=create-dynamic-enabled master-configuration=cfg-xtrm2 supported-bands=2ghz-g,2ghz-n
Verification:
/interface wifi provisioning print
Step 2.6: Configure CAP to Join CAPsMAN
On CAP device (192.168.88.250 or via WinBox):
/interface wifi cap set enabled=yes discovery-interfaces=bridge caps-man-addresses=""
Verification on HAP:
/interface wifi capsman remote-cap print
/interface wifi radio print
Expected Result:
- CAP appears as connected
- CAP radios show up (cap-wifi1, cap-wifi2)
Test: Connect device to XTRM/XTRM2 via CAP, verify internet
Phase 3: Install Additional Packages
Step 3.1: Install User Manager and Container Packages
Action:
- Download packages from MikroTik website (arm64, version 7.21.1)
- Upload to router via WinBox:
  - user-manager-7.21.1-arm64.npk
  - container-7.21.1-arm64.npk (if not already installed)
- Reboot router
Verification after reboot:
/system package print
Expected Result:
- user-manager package listed
- container package listed
Phase 4: Network Reconfiguration (CRITICAL)
Step 4.0: Pre-Change Verification
Before ANY changes, verify current state:
echo "=== CURRENT STATE ==="
/ip address print
/ip pool print
/ip dhcp-server print
/ip dhcp-server network print
/interface bridge print
/interface bridge port print
/interface bridge vlan print
/ip firewall nat print
Document the output before proceeding!
Step 4.1: Change Network to 192.168.31.0/24
Current: 192.168.88.0/24 (factory default)
Target: 192.168.31.0/24
Action (all in one command block to minimize disruption):
/ip address set [find where address~"192.168.88"] address=192.168.31.1/24
/ip pool set [find where name="default-dhcp"] ranges=192.168.31.100-192.168.31.254
/ip dhcp-server network set [find where address="192.168.88.0/24"] address=192.168.31.0/24 gateway=192.168.31.1 dns-server=8.8.8.8
After change: Reconnect to WiFi to get new IP
Verification:
/ip address print
/ip pool print
/ip dhcp-server network print
/ping 8.8.8.8 count=2
Test: Browse internet from connected device
Step 4.2: Create VLAN40 Interface (Catch-All)
IMPORTANT: Do NOT move IP to VLAN interface yet!
Action:
/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40
Verification:
/interface vlan print
Expected Result:
- vlan40-catchall interface exists
- Network still works (IP still on bridge)
Step 4.3: Add VLAN40 to Bridge VLAN Table
Action:
/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,wifi1,wifi2
Verification:
/interface bridge vlan print detail
Step 4.4: Create VLAN40 DHCP Infrastructure
Action:
# Create pool for VLAN40
/ip pool add name=pool-vlan40 ranges=192.168.31.100-192.168.31.254
# Add IP to VLAN40 interface (SECOND IP - keep bridge IP!)
/ip address add address=192.168.31.1/24 interface=vlan40-catchall
# This will show warning about duplicate - that's expected for now
Verification:
/ip address print
Expected: TWO entries for 192.168.31.1 (bridge AND vlan40)
Step 4.5: STOP AND VERIFY
Before enabling VLAN filtering:
- Can you ping 192.168.31.1?
- Can you access router via SSH?
- Can you access router via WinBox?
- Is internet working?
If ANY answer is NO - STOP and troubleshoot!
Step 4.6: Enable VLAN Filtering (REQUIRES EXPLICIT USER APPROVAL)
⚠️ THIS STEP REQUIRES USER TO TYPE "APPROVED" BEFORE EXECUTION ⚠️
Pre-flight checks:
/interface bridge vlan print detail
/interface bridge port print
Ensure:
- VLAN 40 has all current ports as untagged
- Bridge is tagged in VLAN 40
Action:
/interface bridge set bridge vlan-filtering=yes
Immediate verification:
/ping 8.8.8.8 count=2
If ping fails - IMMEDIATELY rollback:
/interface bridge set bridge vlan-filtering=no
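The pre-flight checks and the "immediately rollback" fallback of this step can be combined into one RouterOS script. The following is an added example, not part of the original plan: it refuses to enable filtering unless the bridge is a tagged member of VLAN 40 and every untagged member port also carries pvid=40 (the Step 4.3 entry adds ports to the VLAN table but does not change their PVID, which defaults to 1), then arms a scheduler that reverts the change after 3 minutes unless the admin removes it. It assumes the bridge is named `bridge` and that no scheduler entry named `vlan-rollback` exists yet.

```routeros
# Added example (not from the original plan): guarded activation of vlan-filtering.
# Assumes bridge "bridge", catch-all VLAN 40, free scheduler name "vlan-rollback".
:local ok true
:local entries [/interface bridge vlan find where bridge=bridge and vlan-ids=40]
:if ([:len $entries] = 0) do={ :put "no VLAN 40 entry in the bridge VLAN table"; :set ok false }
:foreach e in=$entries do={
  # the bridge itself must be a tagged member, or the CPU stops seeing VLAN 40
  :if ([:typeof [:find [/interface bridge vlan get $e tagged] "bridge"]] = "nil") do={
    :put "VLAN 40: bridge is not a tagged member"
    :set ok false
  }
  # Step 4.3 lists ports as untagged members but does not set their PVID;
  # untagged ingress is classified by pvid (default 1), so verify it here
  :foreach p in=[/interface bridge vlan get $e untagged] do={
    :if ([/interface bridge port get [find interface=$p] pvid] != 40) do={
      :put ("port " . $p . " is untagged in VLAN 40 but its pvid is not 40")
      :set ok false
    }
  }
}
:if ($ok) do={
  # safety net: revert automatically after 3 minutes unless this entry is removed
  # (time arithmetic does not wrap past midnight, so run this well before 23:57)
  /system scheduler add name=vlan-rollback interval=0 \
    start-time=([/system clock get time] + 3m) \
    on-event="/interface bridge set bridge vlan-filtering=no; /system scheduler remove vlan-rollback"
  /interface bridge set bridge vlan-filtering=yes
  :put "vlan-filtering enabled; if SSH/WinBox/ping still work, run: /system scheduler remove vlan-rollback"
} else={
  :put "pre-flight failed, vlan-filtering left unchanged"
}
```

If access is lost, the scheduler restores the pre-4.6 state on its own; if access survives, removing the `vlan-rollback` entry is the only extra action before Step 4.7.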
Step 4.7: Post-Activation Cleanup
Only after confirming VLAN filtering works:
- Move DHCP server to VLAN40 interface:
/ip dhcp-server set defconf interface=vlan40-catchall
- Remove duplicate IP from bridge:
/ip address remove [find where interface=bridge and address~"192.168.31"]
Verification:
/ip address print
/ip dhcp-server print
Phase 5: Create VLAN10 (Management - Port Based)
Step 5.1: Create VLAN10 Interface
Action:
/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10
/ip address add address=192.168.10.1/24 interface=vlan10-mgmt
Step 5.2: Create VLAN10 DHCP
Action:
/ip pool add name=pool-mgmt ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add address-pool=pool-mgmt interface=vlan10-mgmt name=dhcp-mgmt
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8
Step 5.3: Create VLAN10 Static Leases
Action:
/ip dhcp-server lease
add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-mgmt
add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-mgmt
add address=192.168.10.10 mac-address=02:42:C0:A8:1F:04 comment="AdGuard Unraid" server=dhcp-mgmt
add address=192.168.10.11 mac-address=48:DA:35:6F:BE:50 comment="NanoKVM" server=dhcp-mgmt
add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="XTRM-U Unraid" server=dhcp-mgmt
Step 5.4: Configure Bridge for VLAN10
Action:
# Add VLAN10 to bridge table - ether4/ether5 as untagged (Unraid ports)
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5
# Set PVID on Unraid ports
/interface bridge port set [find interface=ether4] pvid=10
/interface bridge port set [find interface=ether5] pvid=10
Step 5.5: STOP AND TEST VLAN10
⚠️ REQUIRES USER APPROVAL TO PROCEED ⚠️
Test:
- Unraid should get IP 192.168.10.20
- Unraid should have internet access
- Other devices still work on VLAN40
Phase 6: Create Remaining VLANs
VLAN Overview
| VLAN | Name | Subnet | Purpose | Assignment |
|---|---|---|---|---|
| 10 | Management | 192.168.10.0/24 | Infrastructure | Port-based |
| 20 | Trusted | 192.168.20.0/24 | Family devices | RADIUS |
| 25 | Kids | 192.168.25.0/24 | Kids devices | RADIUS |
| 30 | IoT | 192.168.30.0/24 | Smart home | RADIUS |
| 35 | Cameras | 192.168.35.0/24 | Security | Port-based |
| 40 | Catch-All | 192.168.31.0/24 | Default/Unknown | Default |
Step 6.1-6.4: Create Each VLAN
Repeat for each VLAN (20, 25, 30, 35):
# Create interface
/interface vlan add interface=bridge name=vlanXX-name vlan-id=XX
# Add IP
/ip address add address=192.168.XX.1/24 interface=vlanXX-name
# Create pool
/ip pool add name=pool-vlanXX ranges=192.168.XX.100-192.168.XX.200
# Create DHCP server
/ip dhcp-server add address-pool=pool-vlanXX interface=vlanXX-name name=dhcp-vlanXX
# Create DHCP network
/ip dhcp-server network add address=192.168.XX.0/24 gateway=192.168.XX.1 dns-server=8.8.8.8
# Add to bridge VLAN table (tagged only - RADIUS will assign)
/interface bridge vlan add bridge=bridge vlan-ids=XX tagged=bridge
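The XX template above can be driven from one table so the four VLANs are created consistently. This is an added example, not part of the original plan: names and subnets follow the VLAN Overview (VLAN 25 on 192.168.25.0/24), DNS is 8.8.8.8 as elsewhere in the plan, and it assumes the bridge is named `bridge`. Re-running it is safe because an id that already has a VLAN interface on the bridge is skipped.

```routeros
# Added example (not from the original plan): create VLANs 20/25/30/35 from a table.
# Assumes bridge "bridge"; subnets follow the plan's VLAN Overview.
:local vlans {"20"="trusted"; "25"="kids"; "30"="iot"; "35"="cameras"}
:foreach id,nm in=$vlans do={
  :local ifname ("vlan" . $id . "-" . $nm)
  :local net ("192.168." . $id)
  # skip an id that already exists so the script can be re-run safely
  :if ([:len [/interface vlan find where vlan-id=[:tonum $id] and interface=bridge]] > 0) do={
    :put ("VLAN " . $id . " already exists, skipping")
  } else={
    /interface vlan add interface=bridge name=$ifname vlan-id=[:tonum $id]
    /ip address add address=($net . ".1/24") interface=$ifname
    /ip pool add name=("pool-vlan" . $id) ranges=($net . ".100-" . $net . ".200")
    /ip dhcp-server add address-pool=("pool-vlan" . $id) interface=$ifname name=("dhcp-vlan" . $id)
    /ip dhcp-server network add address=($net . ".0/24") gateway=($net . ".1") dns-server=8.8.8.8
    # tagged on the bridge only, as in Step 6.1-6.4; clients are placed into the VLAN later
    /interface bridge vlan add bridge=bridge vlan-ids=[:tonum $id] tagged=bridge
    :put ("created " . $ifname . " (" . $net . ".0/24)")
  }
}
```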
Phase 7: Configure User Manager (RADIUS)
Step 7.1: Enable User Manager
/user-manager set enabled=yes
Step 7.2: Add Router as RADIUS Client
/user-manager router add name=local address=127.0.0.1 shared-secret=radius-secret
Step 7.3: Add MAC-VLAN Mappings
For each device, add user with MAC and VLAN attribute:
# Example for trusted device
/user-manager user add name=AA:ED:8B:2A:40:F1 password="" shared-users=1
/user-manager user set [find name=AA:ED:8B:2A:40:F1] attributes="Tunnel-Type:VLAN,Tunnel-Medium-Type:IEEE-802,Tunnel-Private-Group-Id:20"
Step 7.4: Configure WiFi for RADIUS
/interface wifi security set sec-xtrm radius=yes
/interface wifi security set sec-xtrm2 radius=yes
Phase 8: Activation Plan
Step 8.1: Final Pre-Activation Checklist
- All VLAN interfaces created
- All DHCP servers configured
- All static leases added
- User Manager configured with all MACs
- WiFi configured for RADIUS
- WinBox access verified
- Rollback command ready
Step 8.2: Staged Activation
- Test VLAN10 only (port-based, Unraid)
- Verify 24 hours
- Test VLAN20 (one trusted device via RADIUS)
- Verify 24 hours
- Enable remaining VLANs
Rollback Commands
Disable VLAN filtering (emergency):
/interface bridge set bridge vlan-filtering=no
Reset to factory:
/system reset-configuration no-defaults=no
Device Inventory Reference
See: docs/03-VLAN-DEVICE-ASSIGNMENT.md
Verification Commands
# Check VLAN status
/interface vlan print
/interface bridge vlan print detail
/interface bridge port print
# Check DHCP
/ip dhcp-server print
/ip dhcp-server lease print
# Check connectivity
/ping 8.8.8.8 count=3
/ping 192.168.31.1 count=3
# Check User Manager
/user-manager user print
/user-manager router print