# VLANs

## VLAN Summary

| VLAN ID | Name           | Subnet         | Gateway     | Interface | Purpose                |
|---------|----------------|----------------|-------------|-----------|------------------------|
| Native  | LAN            | 192.168.0.0/22 | 192.168.0.1 | igc1      | Management / main LAN  |
| 20      | INTERNAL       | 10.0.20.0/24   | 10.0.20.1   | igc1.20   | Infrastructure devices |
| 999     | 999GuruTestNet | 10.0.99.0/28   | 10.0.99.1   | igc1.999  | Test/lab network       |

## Room VLANs

Each room gets its own VLAN with a /28 subnet (14 usable IPs). All on igc1 trunk.

**Addressing Pattern:** `10.[floor].[room_number].0/28` with gateway at `.1`

### Floor 1 (44 rooms)

- Rooms: 101-112, 115-138, 140, 142-149
- Missing rooms (no VLAN): 113, 114, 139, 141
- Example: Room 101 = VLAN 101, subnet 10.1.1.0/28, gateway 10.1.1.1

### Floor 2 (46 rooms)

- Rooms: 201-212, 215-238, 240-249
- Missing: 213, 214, 239
- Example: Room 201 = VLAN 201, subnet 10.2.1.0/28, gateway 10.2.1.1

### Floor 3 (48 rooms)

- Rooms: 301-312, 315-350
- Missing: 313, 314
- Note: Room 339 may not be enabled
- Example: Room 301 = VLAN 301, subnet 10.3.1.0/28, gateway 10.3.1.1

### Floor 4 (47 rooms)

- Rooms: 401-412, 415-449
- Missing: 413, 414
- Example: Room 401 = VLAN 401, subnet 10.4.1.0/28, gateway 10.4.1.1

### Floor 5 (21 rooms)

- Rooms: 501-512, 514-522
- Missing: 513
- Example: Room 501 = VLAN 501, subnet 10.5.1.0/28, gateway 10.5.1.1

### Floor 6 (29 rooms)

- Rooms: 603-631
- Missing: 601, 602
- Example: Room 603 = VLAN 603, subnet 10.6.3.0/28, gateway 10.6.3.1

**Total room VLANs: ~236**

## Inter-VLAN Routing

- Performed by: pfSense (pfsense.cascades.local)
- All inter-VLAN routing handled by the firewall

## Interface Groups

| Group Name      | Members                           | Purpose                  |
|-----------------|-----------------------------------|--------------------------|
| ResidentsGroup  | All room interfaces (opt2-opt237) | All resident room VLANs  |
| All_Networks    | LAN + opt1-opt238                 | Every internal interface |
| Wan_Group_Inter | wan + opt240 (WANCOAX)            | Both WAN interfaces      |

## Migration Plan — VLAN Changes (Phase 1.1)

### New: VLAN 50 — Guest WiFi

| VLAN ID | Name  | Subnet       | Gateway   | Interface | Purpose                             |
|---------|-------|--------------|-----------|-----------|-------------------------------------|
| 50      | GUEST | 10.0.50.0/24 | 10.0.50.1 | igc1.50   | Isolated guest WiFi (internet only) |

- DHCP: 10.0.50.50 - 10.0.50.239, DNS 10.0.50.1
- Firewall: block all RFC1918, pass to internet only
- Guest SSID reassigned from Default LAN to this VLAN
- See `migration/phase1-network.md` for full setup

### Remove: VLAN 10 — CSC Internal Network

VLAN 10 "CSC Internal Network" in UniFi appears orphaned (pfSense uses VLAN 20 for INTERNAL). Verify unused and delete from UniFi.

## Notes

- Guest isolation: Each room is on its own /28, rooms cannot communicate with each other
- Floating firewall rule passes all IPv4 - rooms CAN reach the internet (to be replaced with scoped rules)
- DHCP range per room: x.x.x.2 through x.x.x.14 (13 addresses)
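
The following Python audit is an added example, not part of the original document or the site's own tooling. It applies the `10.[floor].[room_number].0/28` pattern to the room ranges listed above, checks the room subnets and the fixed VLANs (including planned VLAN 50) for overlap, confirms each falls inside RFC1918 so the guest "block all RFC1918" rule covers it, and compares the expanded ranges with the per-floor room counts; all function and dictionary names are assumptions.

```python
import ipaddress

# Room ranges copied from the per-floor lists on this page (inclusive).
ROOM_RANGES = {
    1: [(101, 112), (115, 138), (140, 140), (142, 149)],
    2: [(201, 212), (215, 238), (240, 249)],
    3: [(301, 312), (315, 350)],
    4: [(401, 412), (415, 449)],
    5: [(501, 512), (514, 522)],
    6: [(603, 631)],
}
STATED_COUNTS = {1: 44, 2: 46, 3: 48, 4: 47, 5: 21, 6: 29}  # "(N rooms)" headings
# Non-room subnets from the summary table plus the planned guest VLAN 50.
FIXED = {"LAN": "192.168.0.0/22", "INTERNAL": "10.0.20.0/24",
         "999GuruTestNet": "10.0.99.0/28", "GUEST": "10.0.50.0/24"}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def room_plan(room):
    """Apply the 10.[floor].[room_number].0/28 pattern to one room number."""
    floor, num = divmod(room, 100)
    net = ipaddress.ip_network(f"10.{floor}.{num}.0/28")
    hosts = list(net.hosts())            # .1 through .14
    return {"vlan": room, "subnet": net, "gateway": hosts[0],
            "dhcp": (hosts[1], hosts[-1])}  # .2 through .14

def expand_rooms():
    return {f: [r for lo, hi in spans for r in range(lo, hi + 1)]
            for f, spans in ROOM_RANGES.items()}

def audit():
    rooms = expand_rooms()
    nets = {f"Room{r}": room_plan(r)["subnet"] for rs in rooms.values() for r in rs}
    nets.update({k: ipaddress.ip_network(v) for k, v in FIXED.items()})
    names = sorted(nets)
    overlaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if nets[a].overlaps(nets[b])]
    # A subnet outside RFC1918 would not be covered by the guest block rule.
    uncovered = [n for n in names
                 if not any(nets[n].subnet_of(p) for p in RFC1918)]
    count_diffs = {f: (STATED_COUNTS[f], len(rs)) for f, rs in rooms.items()
                   if len(rs) != STATED_COUNTS[f]}
    return {"total_rooms": sum(map(len, rooms.values())), "overlaps": overlaps,
            "uncovered": uncovered, "count_diffs": count_diffs}

if __name__ == "__main__":
    print(room_plan(101))
    print(audit())
```

With the ranges as listed, `audit()` reports 236 room VLANs with no overlaps and one count difference: the Floor 1 ranges expand to 45 rooms against the stated 44.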