infrastructure/docs/13-VLAN-SETUP-PLAN-V2.md
Kaloyan Danchev e9572ae166 Add VLAN setup documentation - complete implementation
- docs/12-VLAN-SETUP-PROGRESS.md: Progress tracking during setup
- docs/13-VLAN-SETUP-PLAN-V2.md: Initial VLAN plan
- docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md: Safe mode approach
- docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md: Final session summary

VLANs implemented:
- VLAN 10: Management (192.168.10.0/24) - port-based
- VLAN 20: Trusted (192.168.20.0/24) - WiFi MAC-based
- VLAN 25: Kids (192.168.25.0/24) - WiFi MAC-based
- VLAN 30: IoT (192.168.30.0/24) - WiFi MAC-based
- VLAN 40: Catch-All (192.168.1.0/24) - default

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 13:05:33 +02:00

# VLAN Setup Plan v2 - Critical Approach
**Created:** 2026-01-28
**Status:** PLANNING
**Approach:** Step-by-step with verification before each change
---
## CRITICAL RULES
1. **NO CHANGES WITHOUT EXPLICIT USER APPROVAL**
2. **VERIFY current state before each step**
3. **TEST after each step before proceeding**
4. **HAVE ROLLBACK ready for each step**
5. **STOP and assess if anything unexpected happens**
---
## Prerequisites
- Router: MikroTik hAP ax³ (freshly reset to factory defaults)
- Current IP: 192.168.88.1 (factory default)
- Access: WinBox available for recovery, plus physical access to the device for the reset button and Netinstall (the hAP ax³ has no serial console)
- A configuration export and a binary backup taken before Phase 1 and copied off the router; the factory reset under Rollback Commands destroys everything else
---
## Phase 1: Basic Router Setup
### Step 1.1: Create User `xtrm`
**Action:**
```routeros
/user add name=xtrm password=M0stW4nt3d@xtrm group=full
```
**Verification:**
```routeros
/user print
```
**Expected Result:**
- User `xtrm` exists with group `full`
- Note: the password above is committed in clear text to this document and the repository history. Treat it as compromised once pushed, rotate it on the router, and keep only a placeholder here
**Rollback:**
```routeros
/user remove xtrm
```
---
### Step 1.2: Change SSH Port to 2222
**Action:**
```routeros
/ip service set ssh port=2222
```
**Verification:**
```routeros
/ip service print where name=ssh
```
**Expected Result:**
- SSH service on port 2222
**Rollback:**
```routeros
/ip service set ssh port=22
```
**Test:** SSH to the router on port 2222 from a second session before closing the one you are in. Moving the port only hides the service from the laziest scanners; the control that matters is restricting the service's `address=` to the management subnet and disabling the services you do not use (telnet, ftp, www, api). Do that once the management VLAN exists, not before, or you lock yourself out.
---
### Step 1.3: Import SSH Key for User `xtrm`
**Prerequisite:** Upload `mikrotik_key.pub` to router via WinBox Files
**Action:**
```routeros
/user ssh-keys import public-key-file=mikrotik_key.pub user=xtrm
```
**Verification:**
```routeros
/user ssh-keys print
```
**Expected Result:**
- SSH key associated with user `xtrm`
**Test:** SSH with key authentication (no password). Once a user has a key, RouterOS refuses password login for that user unless `always-allow-password-login=yes` is set under `/ip ssh`, so confirm the key login from a second session while a WinBox session stays open as fallback.
---
## Phase 2: WiFi & CAPsMAN Setup
### Step 2.1: Create Security Profiles
**Action:**
```routeros
# For XTRM (5GHz) - WPA3 with WPA2 fallback; wps=disable turns off WPS push-button pairing
/interface wifi security add name=sec-xtrm authentication-types=wpa2-psk,wpa3-psk passphrase=M0stW4nt3d@home wps=disable
# For XTRM2 (2.4GHz) - IoT compatibility; wpa-psk permits TKIP, keep it only while a device actually needs it
/interface wifi security add name=sec-xtrm2 authentication-types=wpa-psk,wpa2-psk passphrase=M0stW4nt3d@IoT wps=disable
```
**Verification:**
```routeros
/interface wifi security print
```
**Expected Result:**
- `sec-xtrm`: WPA2-PSK + WPA3-PSK. Because WPA2 stays enabled with the same passphrase, an attacker can still capture a WPA2 4-way handshake and crack it offline; the passphrase has to survive that, not just WPA3's SAE
- `sec-xtrm2`: WPA-PSK + WPA2-PSK (for old devices)
- Both passphrases sit in clear text in this document; rotate them after the setup and keep placeholders in the repo
---
### Step 2.2: Create Configuration Profiles
**Action:**
```routeros
/interface wifi configuration add name=cfg-xtrm ssid=XTRM security=sec-xtrm country=Bulgaria
/interface wifi configuration add name=cfg-xtrm2 ssid=XTRM2 security=sec-xtrm2 country=Bulgaria
```
**Verification:**
```routeros
/interface wifi configuration print
```
---
### Step 2.3: Apply WiFi to Local Radios
**Action:**
```routeros
# wifi1 = 5GHz radio → XTRM
/interface wifi set wifi1 configuration=cfg-xtrm configuration.ssid=XTRM disabled=no
# wifi2 = 2.4GHz radio → XTRM2
/interface wifi set wifi2 configuration=cfg-xtrm2 configuration.ssid=XTRM2 disabled=no
```
**Verification:**
```routeros
/interface wifi print
```
**Test:** Connect a device to each SSID, verify internet works
---
### Step 2.4: Enable CAPsMAN
**Action:**
```routeros
/interface wifi capsman set enabled=yes interfaces=bridge
```
**Verification:**
```routeros
/interface wifi capsman print
```
---
### Step 2.5: Create CAPsMAN Provisioning Rules
**Action:**
```routeros
# For 5GHz radios → XTRM
/interface wifi provisioning add action=create-dynamic-enabled master-configuration=cfg-xtrm supported-bands=5ghz-a,5ghz-n,5ghz-ac
# For 2.4GHz radios → XTRM2
/interface wifi provisioning add action=create-dynamic-enabled master-configuration=cfg-xtrm2 supported-bands=2ghz-g,2ghz-n
```
**Verification:**
```routeros
/interface wifi provisioning print
```
---
### Step 2.6: Configure CAP to Join CAPsMAN
**On CAP device (192.168.88.250 or via WinBox):** the cAP XL ac only has the `/interface wifi` menu once the `wifi-qcom-ac` package is installed and it runs the same RouterOS version as the hAP; do that first.
```routeros
/interface wifi cap set enabled=yes discovery-interfaces=bridge caps-man-addresses=""
```
**Verification on HAP:**
```routeros
/interface wifi capsman remote-cap print
/interface wifi radio print
```
**Expected Result:**
- CAP appears as connected
- CAP radios show up (cap-wifi1, cap-wifi2)
**Test:** Connect device to XTRM/XTRM2 via CAP, verify internet
---
## Phase 3: Install Additional Packages
### Step 3.1: Install User Manager and Container Packages
**Action:**
1. Download packages from the MikroTik website (arm64, and the exact version the router is running, here 7.21.1; a package whose version differs from the installed RouterOS is ignored at reboot, and `user-manager` is an extra package, not part of the main bundle)
2. Upload to router via WinBox:
- `user-manager-7.21.1-arm64.npk`
- `container-7.21.1-arm64.npk` (if not already installed)
3. Reboot router
**Verification after reboot:**
```routeros
/system package print
```
**Expected Result:**
- `user-manager` package listed
- `container` package listed
---
## Phase 4: Network Reconfiguration (CRITICAL)
### Step 4.0: Pre-Change Verification
**Before ANY changes, verify current state:**
```routeros
echo "=== CURRENT STATE ==="
/ip address print
/ip pool print
/ip dhcp-server print
/ip dhcp-server network print
/interface bridge print
/interface bridge port print
/interface bridge vlan print
/ip firewall nat print
```
**Document the output before proceeding!**
---
### Step 4.1: Change Network to 192.168.31.0/24
**Current:** 192.168.88.0/24 (factory default)
**Target:** 192.168.31.0/24
**Action (all in one command block to minimize disruption; this is the first step where a typo costs you the session, so enter Safe Mode first (Ctrl-X in the terminal) so that a dropped connection reverts the change):**
```routeros
/ip address set [find where address~"192.168.88"] address=192.168.31.1/24
/ip pool set [find where name="default-dhcp"] ranges=192.168.31.100-192.168.31.254
/ip dhcp-server network set [find where address="192.168.88.0/24"] address=192.168.31.0/24 gateway=192.168.31.1 dns-server=8.8.8.8
```
**After change:** Reconnect to WiFi to get new IP
**Verification:**
```routeros
/ip address print
/ip pool print
/ip dhcp-server network print
/ping 8.8.8.8 count=2
```
**Test:** Browse internet from connected device
---
### Step 4.2: Create VLAN40 Interface (Catch-All)
**IMPORTANT:** Do NOT move IP to VLAN interface yet!
**Action:**
```routeros
/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40
```
**Verification:**
```routeros
/interface vlan print
```
**Expected Result:**
- `vlan40-catchall` interface exists
- Network still works (IP still on bridge)
---
### Step 4.3: Add VLAN40 to Bridge VLAN Table and Set Port PVIDs
Listing a port as `untagged` in the VLAN table is only half of it: the port's `pvid` decides which VLAN its untagged ingress is classified into, and the bridge ports still carry the default pvid of 1. Without the second command below, frames from ether2/ether3/wifi1/wifi2 land in VLAN 1 once filtering is enabled and `vlan40-catchall` never sees them (Step 5.4 applies the same pattern for VLAN 10).
**Action:**
```routeros
/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,wifi1,wifi2
/interface bridge port set [find where interface=ether2 or interface=ether3 or interface=wifi1 or interface=wifi2] pvid=40
```
**Verification:**
```routeros
/interface bridge vlan print detail
```
---
### Step 4.4: Create VLAN40 DHCP Infrastructure
**Action:**
```routeros
# Create pool for VLAN40
/ip pool add name=pool-vlan40 ranges=192.168.31.100-192.168.31.254
# Add IP to VLAN40 interface (SECOND IP - keep bridge IP!)
/ip address add address=192.168.31.1/24 interface=vlan40-catchall
# RouterOS accepts the duplicate but flags it; that is expected until Step 4.7 removes the bridge copy
```
**Verification:**
```routeros
/ip address print
```
**Expected:** TWO entries for 192.168.31.1 (bridge AND vlan40)
---
### Step 4.5: STOP AND VERIFY
**Before enabling VLAN filtering:**
1. Can you ping 192.168.31.1?
2. Can you access router via SSH?
3. Can you access router via WinBox?
4. Is internet working?
**If ANY answer is NO - STOP and troubleshoot!**
---
### Step 4.6: Enable VLAN Filtering (REQUIRES EXPLICIT USER APPROVAL)
⚠️ **THIS STEP REQUIRES USER TO TYPE "APPROVED" BEFORE EXECUTION** ⚠️
**Pre-flight checks:**
```routeros
/interface bridge vlan print detail
/interface bridge port print
```
**Ensure:**
- VLAN 40 has all current ports as untagged
- Each of those ports carries `pvid=40` (a port listed as untagged but still on pvid 1 drops into VLAN 1 the moment filtering is on)
- Bridge is tagged in VLAN 40
- Every other VLAN entry already in the table has at least one port besides the bridge
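The pre-flight above can be checked offline before anyone types `vlan-filtering=yes`. The Python script below is an added example, not part of the original plan and not a MikroTik tool: it parses the same command lines that `/export` prints (the forms used in this document) and reports the mistakes that cause a lockout, namely an untagged port whose pvid points elsewhere, a VLAN with no port that can deliver traffic into it, a VLAN interface whose VLAN lacks the bridge as a tagged member, and a member port that is not a bridge port at all. The two embedded configurations are constructed from this plan's own commands (as written, and with the pvid and radio-port fixes applied); treating the radio ports as tagged members of the RADIUS VLANs is an assumption.

```python
"""Offline sanity check for a RouterOS bridge VLAN plan before vlan-filtering
is switched on. Reads the command lines that /export prints (and that this
plan uses), so the plan can be checked without touching the router."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field

_MENUS = {"interface bridge port", "interface bridge vlan", "interface vlan"}


@dataclass
class BridgePlan:
    pvid: dict[str, int] = field(default_factory=dict)          # port -> pvid
    tagged: dict[int, set[str]] = field(default_factory=dict)   # vid -> ports
    untagged: dict[int, set[str]] = field(default_factory=dict)
    vlan_ifaces: dict[str, int] = field(default_factory=dict)   # /interface vlan name -> vid


def _kv(args: str) -> dict[str, str]:
    return dict(tok.split("=", 1) for tok in shlex.split(args) if "=" in tok)


def _ports(value: str | None) -> set[str]:
    return {p for p in (value or "").split(",") if p}


def _vids(value: str) -> list[int]:
    out: list[int] = []
    for part in value.split(","):          # "40", "20,25" or "10-20"
        lo, _, hi = part.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out


def _apply(plan: BridgePlan, menu: str, stmt: str) -> None:
    if menu not in _MENUS:
        return
    verb, _, rest = stmt.partition(" ")
    if verb == "set" and menu == "interface bridge port":
        # only the form this plan uses: set [find interface=X] pvid=N
        m = re.match(r"\[find\s+interface=(\S+?)\]\s+(.*)", rest)
        if m and "pvid" in (kv := _kv(m.group(2))):
            plan.pvid[m.group(1)] = int(kv["pvid"])
    elif verb == "add":
        kv = _kv(rest)
        if menu == "interface bridge port":
            plan.pvid[kv["interface"]] = int(kv.get("pvid", 1))   # RouterOS default pvid
        elif menu == "interface bridge vlan":
            for vid in _vids(kv["vlan-ids"]):
                plan.tagged.setdefault(vid, set()).update(_ports(kv.get("tagged")))
                plan.untagged.setdefault(vid, set()).update(_ports(kv.get("untagged")))
        else:
            plan.vlan_ifaces[kv["name"]] = int(kv["vlan-id"])


def parse_export(text: str) -> BridgePlan:
    """Accepts '/interface bridge vlan add ...' one-liners and the menu-then-'add' form."""
    plan, menu = BridgePlan(), ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("/"):
            tokens, path = line.split(), []
            while tokens and tokens[0] not in ("add", "set") and "=" not in tokens[0]:
                path.append(tokens.pop(0).lstrip("/"))
            menu, line = " ".join(path), " ".join(tokens)
            if not line:            # a bare menu line such as "/interface bridge port"
                continue
        _apply(plan, menu, line)
    return plan


def check(plan: BridgePlan, bridge: str = "bridge") -> list[str]:
    """Return the planning mistakes that lock you out once vlan-filtering=yes."""
    problems: list[str] = []
    for port, pvid in sorted(plan.pvid.items()):
        if port not in plan.untagged.get(pvid, set()):
            problems.append(f"{port}: pvid {pvid} has no matching untagged entry, untagged ingress "
                            f"goes to VLAN {pvid} via a dynamic entry, not to a planned VLAN")
    for vid, ports in sorted(plan.untagged.items()):
        for port in sorted(ports - {bridge}):
            if plan.pvid.get(port) != vid:
                problems.append(f"VLAN {vid}: {port} is untagged here but its pvid is "
                                f"{plan.pvid.get(port)}; its untagged frames never reach VLAN {vid}")
    for vid in sorted(set(plan.tagged) | set(plan.untagged)):
        members = (plan.tagged.get(vid, set()) | plan.untagged.get(vid, set())) - {bridge}
        if not members:
            problems.append(f"VLAN {vid}: only {bridge} is a member, no port can deliver traffic into it")
        for port in sorted(members):
            if port not in plan.pvid:
                problems.append(f"VLAN {vid}: {port} is not a bridge port (typo?)")
    for name, vid in sorted(plan.vlan_ifaces.items()):
        if bridge not in plan.tagged.get(vid, set()):
            problems.append(f"{name}: {bridge} must be a tagged member of VLAN {vid} "
                            f"or the router's own IP on it is unreachable")
    return problems


# Constructed from this plan's Step 4.2/4.3 and Phase 6 commands as written (no pvid set)
PLAN_AS_WRITTEN = """
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40
/interface vlan add interface=bridge name=vlan20-trusted vlan-id=20
/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,wifi1,wifi2
/interface bridge vlan add bridge=bridge vlan-ids=20 tagged=bridge
"""
# Same plan with pvids set, VLAN 10 from Phase 5, and the radios as tagged members of VLAN 20
# (assumption: RADIUS-assigned client frames reach the bridge already tagged)
PLAN_FIXED = PLAN_AS_WRITTEN.replace("vlan-ids=20 tagged=bridge", "vlan-ids=20 tagged=bridge,wifi1,wifi2") + """
/interface bridge port set [find interface=ether2] pvid=40
/interface bridge port set [find interface=ether3] pvid=40
/interface bridge port set [find interface=wifi1] pvid=40
/interface bridge port set [find interface=wifi2] pvid=40
/interface bridge port set [find interface=ether4] pvid=10
/interface bridge port set [find interface=ether5] pvid=10
/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5
"""

if __name__ == "__main__":
    for label, text in (("as written", PLAN_AS_WRITTEN), ("fixed", PLAN_FIXED)):
        found = check(parse_export(text))
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Run it against your own `/export` output (only the three menus above are read; everything else is ignored) and do not enable filtering until the list is empty for the state you are about to switch on.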
**Action:**
```routeros
/interface bridge set bridge vlan-filtering=yes
```
**Immediate verification** (the router-side ping below leaves via ether1 and proves nothing about the bridge; also ping 192.168.31.1 from a connected client and re-open WinBox/SSH). Run this step inside Safe Mode (Ctrl-X in the terminal) so that a dropped session reverts it on its own:
```routeros
/ping 8.8.8.8 count=2
```
**If ping fails - IMMEDIATELY rollback:**
```routeros
/interface bridge set bridge vlan-filtering=no
```
---
### Step 4.7: Post-Activation Cleanup
**Only after confirming VLAN filtering works:**
1. Move DHCP server to VLAN40 interface:
```routeros
/ip dhcp-server set defconf interface=vlan40-catchall
```
2. Remove duplicate IP from bridge:
```routeros
/ip address remove [find where interface=bridge and address~"192.168.31"]
```
**Verification:**
```routeros
/ip address print
/ip dhcp-server print
```
---
## Phase 5: Create VLAN10 (Management - Port Based)
### Step 5.1: Create VLAN10 Interface
**Action:**
```routeros
/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10
/ip address add address=192.168.10.1/24 interface=vlan10-mgmt
```
---
### Step 5.2: Create VLAN10 DHCP
**Action:**
```routeros
/ip pool add name=pool-mgmt ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add address-pool=pool-mgmt interface=vlan10-mgmt name=dhcp-mgmt
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8
```
---
### Step 5.3: Create VLAN10 Static Leases
**Action:**
```routeros
/ip dhcp-server lease
add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-mgmt
add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-mgmt
add address=192.168.10.10 mac-address=02:42:C0:A8:1F:04 comment="AdGuard Unraid" server=dhcp-mgmt
add address=192.168.10.11 mac-address=48:DA:35:6F:BE:50 comment="NanoKVM" server=dhcp-mgmt
add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="XTRM-U Unraid" server=dhcp-mgmt
```
---
### Step 5.4: Configure Bridge for VLAN10
**Action:**
```routeros
# Add VLAN10 to bridge table - ether4/ether5 as untagged (Unraid ports)
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5
# Set PVID on Unraid ports
/interface bridge port set [find interface=ether4] pvid=10
/interface bridge port set [find interface=ether5] pvid=10
```
---
### Step 5.5: STOP AND TEST VLAN10
⚠️ **REQUIRES USER APPROVAL TO PROCEED** ⚠️
**Test:**
1. Unraid should get IP 192.168.10.20
2. Unraid should have internet access
3. Other devices still work on VLAN40
---
## Phase 6: Create Remaining VLANs
### VLAN Overview
| VLAN | Name | Subnet | Purpose | Assignment |
|------|------|--------|---------|------------|
| 10 | Management | 192.168.10.0/24 | Infrastructure | Port-based |
| 20 | Trusted | 192.168.20.0/24 | Family devices | RADIUS |
| 25 | Kids | 192.168.25.0/24 | Kids devices | RADIUS |
| 30 | IoT | 192.168.30.0/24 | Smart home | RADIUS |
| 35 | Cameras | 192.168.35.0/24 | Security | Port-based |
| 40 | Catch-All | 192.168.31.0/24 | Default/Unknown | Default |
### Step 6.1-6.4: Create Each VLAN
**Repeat for each VLAN (20, 25, 30, 35):**
```routeros
# Create interface
/interface vlan add interface=bridge name=vlanXX-name vlan-id=XX
# Add IP
/ip address add address=192.168.XX.1/24 interface=vlanXX-name
# Create pool
/ip pool add name=pool-vlanXX ranges=192.168.XX.100-192.168.XX.200
# Create DHCP server
/ip dhcp-server add address-pool=pool-vlanXX interface=vlanXX-name name=dhcp-vlanXX
# Create DHCP network
/ip dhcp-server network add address=192.168.XX.0/24 gateway=192.168.XX.1 dns-server=8.8.8.8
# Add to bridge VLAN table. tagged=bridge alone leaves the VLAN with no port that can carry
# traffic into it: the radio ports must be tagged members (RADIUS-assigned client frames reach
# the bridge already tagged), and so must the port the CAP hangs off, since the CAP forwards
# client traffic locally rather than tunnelling it to the hAP
/interface bridge vlan add bridge=bridge vlan-ids=XX tagged=bridge,wifi1,wifi2
```
---
## Phase 7: Configure User Manager (RADIUS)
### Step 7.1: Enable User Manager
```routeros
/user-manager set enabled=yes
```
### Step 7.2: Add Router as RADIUS Client
The secret is stored in clear text in the export, so choose a long random one instead of the placeholder below; it must match exactly what the router's own RADIUS client entry uses.
```routeros
/user-manager router add name=local address=127.0.0.1 shared-secret=radius-secret
```
### Step 7.3: Add MAC-VLAN Mappings
**For each device, add a user with the MAC as name and the VLAN as attribute.** The user name has to be exactly what the wifi driver sends as the MAC-auth identity, which this plan assumes is upper-case and colon-separated as below; if a known device is rejected, enable `radius,debug` logging on the router and compare the User-Name it logs with the entry here before touching anything else.
```routeros
# Example for trusted device
/user-manager user add name=AA:ED:8B:2A:40:F1 password="" shared-users=1
/user-manager user set [find name=AA:ED:8B:2A:40:F1] attributes="Tunnel-Type:VLAN,Tunnel-Medium-Type:IEEE-802,Tunnel-Private-Group-Id:20"
```
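Filling the XX template by hand for four VLANs and then typing MAC/attribute pairs for every device is where typos creep in. The Python below is an added example (not from the plan and not a MikroTik tool) that renders the Phase 6 commands and the Step 7.3 users from one table, checks that no two subnets overlap and that every device maps to a defined VLAN, and normalizes MAC addresses to the upper-case colon form the plan uses. The device list is constructed; the `wifi1,wifi2` tagged membership it emits for each VLAN is an assumption about how RADIUS-assigned client frames reach the bridge.

```python
"""Render the Phase 6 per-VLAN commands and the Step 7.3 User Manager MAC->VLAN
users from one inventory, so the XX placeholders are filled consistently and the
RADIUS attribute string is never hand-typed."""
import ipaddress
import re

# vid -> (short name, subnet) from the VLAN overview table; 10 and 40 are listed only so
# that the overlap check covers the whole address plan (they are created in Phases 4/5)
VLAN_PLAN = {
    10: ("mgmt", "192.168.10.0/24"),
    20: ("trusted", "192.168.20.0/24"),
    25: ("kids", "192.168.25.0/24"),
    30: ("iot", "192.168.30.0/24"),
    35: ("cameras", "192.168.35.0/24"),
    40: ("catchall", "192.168.31.0/24"),
}
# constructed sample inventory: (MAC as people tend to type it, target VLAN)
DEVICES = [("aa:ed:8b:2a:40:f1", 20), ("AA-ED-8B-2A-40-F2", 25), ("aaed8b2a40f3", 30)]

_MAC = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Upper-case, colon-separated: the form this plan uses as the User Manager user name."""
    m = mac.strip().upper().replace("-", ":")
    if len(m) == 12 and ":" not in m:
        m = ":".join(m[i:i + 2] for i in range(0, 12, 2))
    if not _MAC.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def radius_vlan_attributes(vid: int) -> str:
    """The three tunnel attributes from Step 7.3 in User Manager's Name:Value form."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN id out of range: {vid}")
    return f"Tunnel-Type:VLAN,Tunnel-Medium-Type:IEEE-802,Tunnel-Private-Group-Id:{vid}"


def vlan_commands(vid: int, name: str, subnet: str, radios=("wifi1", "wifi2")) -> list[str]:
    """Phase 6 template for one VLAN. Assumption: radio ports are tagged members so that
    RADIUS-assigned (already tagged) client frames have a way into the VLAN."""
    net = ipaddress.ip_network(subnet, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 200:
        raise ValueError(f"{subnet} is too small for a .100-.200 pool")
    gw, iface, pool = hosts[0], f"vlan{vid}-{name}", f"pool-vlan{vid}"
    return [
        f"/interface vlan add interface=bridge name={iface} vlan-id={vid}",
        f"/ip address add address={gw}/{net.prefixlen} interface={iface}",
        f"/ip pool add name={pool} ranges={hosts[99]}-{hosts[199]}",
        f"/ip dhcp-server add address-pool={pool} interface={iface} name=dhcp-vlan{vid}",
        f"/ip dhcp-server network add address={net} gateway={gw} dns-server=8.8.8.8",
        f"/interface bridge vlan add bridge=bridge vlan-ids={vid} tagged=bridge,{','.join(radios)}",
    ]


def user_commands(mac: str, vid: int) -> list[str]:
    """Step 7.3 for one device; the password stays empty as in the plan (verify against
    what the wifi driver actually sends before relying on it)."""
    m = normalize_mac(mac)
    return [
        f'/user-manager user add name={m} password="" shared-users=1',
        f'/user-manager user set [find name={m}] attributes="{radius_vlan_attributes(vid)}"',
    ]


def render(plan=VLAN_PLAN, devices=DEVICES, existing=(10, 40)) -> list[str]:
    """All commands for the VLANs not created yet, after validating the address plan."""
    nets = {vid: ipaddress.ip_network(s) for vid, (_, s) in plan.items()}
    for a in nets:
        for b in nets:
            if a < b and nets[a].overlaps(nets[b]):
                raise ValueError(f"VLAN {a} and VLAN {b} overlap: {nets[a]} / {nets[b]}")
    out: list[str] = []
    for vid, (name, subnet) in sorted(plan.items()):
        if vid not in existing:
            out += vlan_commands(vid, name, subnet)
    for mac, vid in devices:
        if vid not in plan:
            raise ValueError(f"{mac} is mapped to undefined VLAN {vid}")
        out += user_commands(mac, vid)
    return out


if __name__ == "__main__":
    print("\n".join(render()))
```

Paste the output one phase at a time, not all at once; the VLAN lines belong to Phase 6 and the user lines to Step 7.3, and each still gets the verification step the plan prescribes.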
### Step 7.4: Point WiFi MAC Authentication at RADIUS
`/interface wifi security` has no `radius=yes` property. Two pieces are needed instead: a RADIUS client entry so the router can query its own User Manager (the secret must match Step 7.2), and a wifi access-list rule whose `action=query-radius` asks RADIUS about every associating MAC and applies the VLAN from the reply.
```routeros
/radius add service=wireless address=127.0.0.1 secret=radius-secret comment="local User Manager"
/interface wifi access-list add action=query-radius comment="MAC auth via User Manager, VLAN from reply"
```
**Verification:** connect one mapped device and confirm its lease comes from the expected VLAN's DHCP server (`/ip dhcp-server lease print`).
**Caveat:** decide what happens to a MAC that User Manager does not know. With `query-radius` a RADIUS reject refuses the client outright, which is not the catch-all behaviour the VLAN table promises for VLAN 40; test this with one unmapped device before rolling the rule out to the whole house.
---
## Phase 8: Activation Plan
### Step 8.1: Final Pre-Activation Checklist
- [ ] All VLAN interfaces created
- [ ] All DHCP servers configured
- [ ] All static leases added
- [ ] User Manager configured with all MACs
- [ ] WiFi configured for RADIUS
- [ ] WinBox access verified
- [ ] Rollback command ready
### Step 8.2: Staged Activation
1. **Test VLAN10 only** (port-based, Unraid)
2. **Verify 24 hours**
3. **Test VLAN20** (one trusted device via RADIUS)
4. **Verify 24 hours**
5. **Enable remaining VLANs**
---
## Rollback Commands
**Disable VLAN filtering (emergency):**
```routeros
/interface bridge set bridge vlan-filtering=no
```
**Reset to factory (last resort; wipes the `xtrm` user, its SSH key and every VLAN, so only use it with an off-router copy of the configuration at hand):**
```routeros
/system reset-configuration no-defaults=no
```
---
## Device Inventory Reference
See: `docs/03-VLAN-DEVICE-ASSIGNMENT.md`
---
## Verification Commands
```routeros
# Check VLAN status
/interface vlan print
/interface bridge vlan print detail
/interface bridge port print
# Check DHCP
/ip dhcp-server print
/ip dhcp-server lease print
# Check connectivity
/ping 8.8.8.8 count=3
/ping 192.168.31.1 count=3
# Check User Manager
/user-manager user print
/user-manager router print
```