jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f56a43741d5cdd455e13a96e310fd417be4deded
infrastructure/docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md
Kaloyan Danchev e9572ae166 Add VLAN setup documentation - complete implementation 
- docs/12-VLAN-SETUP-PROGRESS.md: Progress tracking during setup
- docs/13-VLAN-SETUP-PLAN-V2.md: Initial VLAN plan
- docs/14-VLAN-SETUP-PLAN-V3-SAFE-MODE.md: Safe mode approach
- docs/15-VLAN-SETUP-COMPLETE-2026-01-31.md: Final session summary

VLANs implemented:
- VLAN 10: Management (192.168.10.0/24) - port-based
- VLAN 20: Trusted (192.168.20.0/24) - WiFi MAC-based
- VLAN 25: Kids (192.168.25.0/24) - WiFi MAC-based
- VLAN 30: IoT (192.168.30.0/24) - WiFi MAC-based
- VLAN 40: Catch-All (192.168.1.0/24) - default

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 13:05:33 +02:00

353 lines
8.2 KiB
Markdown
Raw Blame History

# VLAN Setup Plan v3 - Safe Mode Approach
**Created:** 2026-01-31
**Status:** PLANNING
**Approach:** Safe Mode with atomic commands for auto-rollback protection
---
## Lessons Learned from Previous Failures
1. **IP on bridge stops working** when VLAN filtering is enabled
2. **Duplicate same IP** on bridge + VLAN interface causes routing confusion
3. **VLAN interface doesn't receive traffic** until VLAN filtering is enabled
4. **Solution**: Use Safe Mode + atomic script execution
---
## Prerequisites
- Router: MikroTik hAP ax³
- Current IP: 192.168.1.1/24 on bridge
- Access: WinBox connected via **MAC address** (not IP!)
- CAPsMAN: Already configured and working
---
## Phase 1: Preparation (No Risk)
### Step 1.1: Backup Current Configuration
```routeros
/system backup save name=before-vlan-v3
/export file=before-vlan-v3
```
Download both files from WinBox → Files.
### Step 1.2: Verify Current State
```routeros
/ip address print
/interface bridge print
/interface bridge port print
/interface bridge vlan print
/ip dhcp-server print
```
**Expected:**
- IP 192.168.1.1/24 on bridge
- VLAN filtering = no
- No bridge VLANs configured
---
## Phase 2: Create VLAN Infrastructure (Safe - No Filtering Yet)
### Step 2.1: Create VLAN 40 Interface
```routeros
/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40
```
**Verify:**
```routeros
/interface vlan print
```
### Step 2.2: Add VLAN 40 to Bridge Table
All LAN ports untagged, bridge tagged (for CPU access):
```routeros
/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,ether4,ether5,wifi1,wifi2
```
**Verify:**
```routeros
/interface bridge vlan print detail
```
### Step 2.3: Set PVID on All LAN Ports
```routeros
/interface bridge port set [find interface=ether2] pvid=40
/interface bridge port set [find interface=ether3] pvid=40
/interface bridge port set [find interface=ether4] pvid=40
/interface bridge port set [find interface=ether5] pvid=40
/interface bridge port set [find interface=wifi1] pvid=40
/interface bridge port set [find interface=wifi2] pvid=40
```
**Verify:**
```routeros
/interface bridge port print
```
**Expected:** All ports show PVID=40
### Step 2.4: Add IP to VLAN Interface
This creates a "duplicate" IP temporarily:
```routeros
/ip address add address=192.168.1.1/24 interface=vlan40-catchall comment="VLAN40-Management"
```
**Verify:**
```routeros
/ip address print
```
**Expected:** Two entries for 192.168.1.1 (bridge and vlan40-catchall)
### Step 2.5: Create VLAN40 DHCP Pool (if not exists)
```routeros
/ip pool add name=pool-vlan40 ranges=192.168.1.10-192.168.1.250
```
### Step 2.6: Verify Everything Before Critical Step
```routeros
:put "=== VLAN Interface ==="
/interface vlan print
:put "=== Bridge VLANs ==="
/interface bridge vlan print detail
:put "=== Bridge Ports (check PVID) ==="
/interface bridge port print
:put "=== IP Addresses ==="
/ip address print
:put "=== Ping Test ==="
/ping 8.8.8.8 count=2
```
**STOP HERE if anything is wrong!**
---
## Phase 3: Enable VLAN Filtering (Critical - Use Safe Mode)
### Step 3.1: Enter Safe Mode in WinBox
1. In WinBox, press **Ctrl+X**
2. You'll see "Safe Mode" indicator in title bar
3. All changes will auto-rollback if connection is lost
### Step 3.2: Create the Activation Script
Create a script that does everything atomically:
```routeros
/system script add name=activate-vlan source={
# Enable VLAN filtering
/interface bridge set bridge vlan-filtering=yes
# Move DHCP server to VLAN interface
/ip dhcp-server set [find name~"defconf"] interface=vlan40-catchall
# Wait 2 seconds for changes to apply
:delay 2s
# Remove duplicate IP from bridge (keep only VLAN interface IP)
/ip address remove [find interface=bridge and address~"192.168.1.1"]
:put "VLAN activation complete"
}
```
### Step 3.3: Run the Script (While in Safe Mode!)
```routeros
/system script run activate-vlan
```
### Step 3.4: Verify Immediately
```routeros
/ping 8.8.8.8 count=3
/ip address print
/interface bridge print
```
### Step 3.5: If Everything Works - Exit Safe Mode
Press **Ctrl+X** again to confirm and save changes.
### Step 3.6: If Connection Lost
- Wait up to 10 minutes
- Router will auto-rollback to previous state
- Reconnect via WinBox (MAC address)
---
## Phase 4: Verification
### Step 4.1: Check All Settings
```routeros
:put "=== Bridge VLAN Filtering ==="
/interface bridge print where name=bridge
:put "=== IP Addresses ==="
/ip address print
:put "=== DHCP Server ==="
/ip dhcp-server print
:put "=== Internet Test ==="
/ping 8.8.8.8 count=3
```
**Expected:**
- vlan-filtering=yes on bridge
- IP 192.168.1.1/24 ONLY on vlan40-catchall
- DHCP server on vlan40-catchall
- Internet working
### Step 4.2: Test Client Connectivity
From a device on the network:
1. Disconnect and reconnect WiFi
2. Check if you get IP from 192.168.1.x range
3. Test internet access
---
## Phase 5: Add Additional VLANs (After VLAN40 is Stable)
Wait 24-48 hours to ensure VLAN40 is stable before adding more VLANs.
### VLAN Overview
| VLAN | Name | Subnet | Purpose | Assignment |
|------|------|--------|---------|------------|
| 10 | Management | 192.168.10.0/24 | Infrastructure | Port-based (ether4,5) |
| 20 | Trusted | 192.168.20.0/24 | Family devices | RADIUS |
| 25 | Kids | 192.168.25.0/24 | Kids devices | RADIUS |
| 30 | IoT | 192.168.30.0/24 | Smart home | RADIUS |
| 40 | Catch-All | 192.168.1.0/24 | Default/Unknown | Default |
### Step 5.1: Create VLAN 10 (Management)
```routeros
# Create VLAN interface
/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10
# Add IP
/ip address add address=192.168.10.1/24 interface=vlan10-mgmt
# Add to bridge VLAN table - ether4/5 untagged for Unraid
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5
# Update PVID on Unraid ports
/interface bridge port set [find interface=ether4] pvid=10
/interface bridge port set [find interface=ether5] pvid=10
# Remove ether4/5 from VLAN40
/interface bridge vlan set [find vlan-ids=40] untagged=ether2,ether3,wifi1,wifi2
# Create DHCP for VLAN10
/ip pool add name=pool-vlan10 ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add address-pool=pool-vlan10 interface=vlan10-mgmt name=dhcp-vlan10 disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8
```
### Step 5.2: Add Static Leases for VLAN10
```routeros
/ip dhcp-server lease
add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-vlan10
add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-vlan10
add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="Unraid" server=dhcp-vlan10
```
---
## Rollback Commands
### Emergency: Disable VLAN Filtering
```routeros
/interface bridge set bridge vlan-filtering=no
```
### Full Rollback: Restore Backup
```routeros
/system backup load name=before-vlan-v3
```
### Factory Reset (Last Resort)
Hold reset button while powering on until LEDs flash.
---
## Safe Mode Quick Reference
| Action | WinBox | CLI |
|--------|--------|-----|
| Enter Safe Mode | Ctrl+X | Ctrl+X |
| Exit & Save | Ctrl+X | Ctrl+X |
| Exit & Discard | Close WinBox | Ctrl+D |
| Auto-rollback | ~10 minutes | ~10 minutes |
**Important:** Safe Mode only protects while you're connected. If disconnected, changes rollback automatically.
---
## Checklist Before Enabling VLAN Filtering
- [ ] Backup saved and downloaded
- [ ] WinBox connected via MAC (not IP)
- [ ] VLAN interface created
- [ ] Bridge tagged in VLAN table
- [ ] All ports have correct PVID
- [ ] IP added to VLAN interface
- [ ] Safe Mode entered (Ctrl+X)
- [ ] Ready to run activation script
---
## Troubleshooting
### Lost Connection After Enabling Filtering
1. Wait 10 minutes for Safe Mode rollback
2. If no rollback: Connect via WinBox MAC discovery
3. Run: `/interface bridge set bridge vlan-filtering=no`
### DHCP Not Working
Check DHCP server interface:
```routeros
/ip dhcp-server print
```
Should show `interface=vlan40-catchall`
### Internet Not Working
Check NAT:
```routeros
/ip firewall nat print
```
Should have masquerade rule for WAN.
### Devices Not Getting IP
1. Check bridge VLAN table has ports as untagged
2. Check ports have correct PVID
3. Check DHCP pool has available addresses
Reference in New Issue View Git Blame Copy Permalink