
The Quarantine VLAN for a Managed Phone

Date: 2025-06-08
Duration: About 3 hours of network plumbing
Issue: Work phone not landing on the quarantine VLAN
Root Cause: Connected to the wrong WiFi network


The Goal

I have a work phone with MDM (Mobile Device Management). I wanted it isolated from personal devices and observable enough to verify that the network boundary was working.

The plan: isolate the phone on its own VLAN. Monitor everything through OPNsense. Keep it completely separated from my personal network.


The Network Architecture

The MikroTik switch handles VLANs; OPNsense is the firewall/router. Each VLAN is its own subnet, and the quarantine VLAN gets a dedicated access port:

  • LAN: main network
  • Quarantine: isolated device network
  • Dedicated access port on the MikroTik for quarantine devices

The idea: plug a basic WAP into ether17. Any device connecting to that WAP lands on the quarantine network. Completely isolated from everything else.


The MikroTik Configuration

In the MikroTik switch, set up the bridge VLAN:

Bridge > VLANs
VLAN ID: <quarantine-vlan>
Tagged: firewall trunk
Untagged: quarantine access port

Set the port's PVID:

Bridge > Ports
quarantine access port: PVID = <quarantine-vlan>

That should make the port an access port. Any untagged frame arriving on it is assigned the quarantine VLAN ID and leaves the trunk to OPNsense tagged.
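A way to verify that wiring without clicking through the GUI, as an added example (not the entry's own tooling and not a MikroTik utility): pull the bridge VLAN and port sections from a RouterOS export and check that the quarantine access port has the expected PVID, is listed as untagged in that VLAN, and that the firewall trunk is tagged. The export text below is constructed; the bridge name bridge1, ether1 as the OPNsense trunk, ether18 as a second access port and VLAN 10 are assumptions.

```python
"""Check a MikroTik bridge VLAN table for a clean quarantine access port.

Added example, not code from the journal entry. It parses the two RouterOS
export sections the entry configures (/interface bridge port and
/interface bridge vlan) and validates one access port the way the entry
checked ether17 by hand. Assumptions: bridge1 is the bridge, ether1 is the
trunk to OPNsense; the export text is constructed.
"""
import re

# Constructed RouterOS export in the key=value style `/export` prints.
EXPORT = """\
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether17 pvid=90
add bridge=bridge1 interface=ether18
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether17 vlan-ids=90
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether18 vlan-ids=10
"""

KV_RE = re.compile(r"(\w[\w-]*)=(\S+)")


def parse_export(text):
    """Return {section: [{key: value}, ...]} for every 'add' line in each section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append(dict(KV_RE.findall(line[4:])))
    return sections


def check_access_port(text, port, vlan, trunk):
    """Return a list of problems; an empty list means the port is a proper access port.

    vlan-ids is treated as a comma list; ranges such as 90-99 are not expanded here.
    """
    sections = parse_export(text)
    problems = []
    ports = {p.get("interface"): p for p in sections.get("/interface bridge port", [])}
    entry = ports.get(port)
    if entry is None:
        return [f"{port} is not a bridge port"]
    # RouterOS defaults a bridge port's PVID to 1 when none is set.
    pvid = entry.get("pvid", "1")
    if pvid != str(vlan):
        problems.append(f"{port} PVID is {pvid}, expected {vlan}")
    rows = [v for v in sections.get("/interface bridge vlan", [])
            if str(vlan) in v.get("vlan-ids", "").split(",")]
    if not rows:
        problems.append(f"VLAN {vlan} has no bridge VLAN entry")
        return problems
    for row in rows:
        untagged = row.get("untagged", "").split(",")
        tagged = row.get("tagged", "").split(",")
        if port not in untagged:
            problems.append(f"{port} is not untagged in VLAN {vlan}")
        if port in tagged:
            problems.append(f"{port} is tagged in VLAN {vlan}; that is a trunk, not an access port")
        if trunk not in tagged:
            problems.append(f"trunk {trunk} is not tagged in VLAN {vlan}")
    return problems


if __name__ == "__main__":
    for p in ("ether17", "ether18"):
        print(p, check_access_port(EXPORT, p, 90, "ether1") or "ok")
```

Feed it the output of `/export` from the switch instead of the constructed text and the same function flags the two mistakes that most often quietly defeat an "isolated" port: a PVID left at the default, or the port missing from the VLAN's untagged list.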


The OPNsense Side

Created the DHCP scope for the quarantine network:

Interface: Quarantine
Range: quarantine DHCP pool

Added a static reservation:

MAC: device MAC
IP: reserved quarantine address
Description: Managed work phone

The phone should get the reserved quarantine address every time. Easy to find in logs.


The Problem

Connected the phone. Checked OPNsense DHCP leases.

Quarantine: (nothing)
LAN: managed phone lease

The phone was on the main LAN. Not quarantine. Not isolated. Full access to my personal network.
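The lease check described here is the fastest way to see where a device actually landed, so here it is as a script, added as an example (not the entry's own code and not an OPNsense tool): it parses ISC dhcpd-style lease records, the format OPNsense's DHCPv4 service writes (the leases file is normally under /var/dhcpd/var/db/ on OPNsense; path assumed, check your install), and maps each active lease for a given MAC onto the interface whose subnet contains it. The lease text, the MAC and the interface-to-subnet map are constructed stand-ins for the entry's LAN and quarantine networks.

```python
"""Locate a device by its DHCP lease and confirm it sits only on the quarantine subnet.

Added example, not code from the journal entry. Parses ISC dhcpd-style lease
blocks and reports, per interface subnet, where a MAC's active leases are.
Assumptions: the interface -> subnet map below; the leases and MAC are constructed.
"""
import ipaddress
import re

# Constructed sample reproducing the entry's situation: the phone holds an
# active lease on LAN and only a stale, freed lease on the quarantine network.
LEASES = """\
lease 192.168.1.57 {
  starts 0 2025/06/08 14:02:11;
  ends 0 2025/06/08 16:02:11;
  binding state active;
  next binding state free;
  hardware ethernet 02:00:5e:10:00:01;
  client-hostname "work-phone";
}
lease 192.168.90.20 {
  starts 0 2025/06/07 09:00:00;
  ends 0 2025/06/07 11:00:00;
  binding state free;
  hardware ethernet 02:00:5e:10:00:01;
}
lease 192.168.1.58 {
  binding state active;
  hardware ethernet 02:00:5e:10:00:02;
  client-hostname "laptop";
}
"""

# Assumed interface -> subnet map (stand-ins for the entry's LAN and Quarantine).
SUBNETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "Quarantine": ipaddress.ip_network("192.168.90.0/24"),
}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Yield (ip, mac, state) per lease block; mac is None if the block has none."""
    for ip, body in LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet\s+([0-9a-f:]+);", body, re.I)
        # Anchor at line start so 'next binding state' is not mistaken for the state.
        state = re.search(r"^\s*binding state\s+(\w+);", body, re.M)
        yield ip, (mac.group(1).lower() if mac else None), (state.group(1) if state else "unknown")


def locate_device(text, mac, subnets):
    """Return {interface: [ips]} for the MAC's active leases, keyed by containing subnet."""
    found = {}
    for ip, lease_mac, state in parse_leases(text):
        if lease_mac != mac.lower() or state != "active":
            continue
        addr = ipaddress.ip_address(ip)
        name = next((n for n, net in subnets.items() if addr in net), "unknown")
        found.setdefault(name, []).append(ip)
    return found


def on_quarantine_only(text, mac, subnets, quarantine="Quarantine"):
    """True only when the MAC has at least one active lease and all of them are in quarantine."""
    found = locate_device(text, mac, subnets)
    return bool(found) and set(found) == {quarantine}


if __name__ == "__main__":
    phone = "02:00:5e:10:00:01"
    print(locate_device(LEASES, phone, SUBNETS))      # {'LAN': ['192.168.1.57']}
    print(on_quarantine_only(LEASES, phone, SUBNETS))  # False
```

Only active bindings count, so a leftover quarantine lease from an earlier attempt does not mask a device that is currently sitting on the LAN; that is exactly the false comfort the entry's first lease check avoided by looking at both scopes.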


The Investigation

Checked the MikroTik interface:

quarantine access port: running, designated port, expected PVID

The port was configured correctly: anything arriving on it should be tagged VLAN 90.

Checked the ASUS router's DHCP leases:

Guest Network: managed phone lease

Wait. Guest Network - 3?

I had connected the phone to the ASUS router's guest network. Not to the WAP plugged into ether17.

The phone was on the wrong WiFi network entirely.


The WAP Situation

Grabbed a TP-Link WAP. Plugged it into ether17. Factory reset it.

Couldn't find its SSID. Couldn't find its IP.

Checked ether17 on the MikroTik — it showed traffic going out but nothing coming back. The WAP was receiving data but not responding.

Moved the WAP to a regular LAN port to configure it. It got a temporary management address. Accessed the admin interface, set up the SSID and password, then moved it back to the quarantine access port.


The Final Test

Connected the work phone to the TP-Link WAP's SSID.

Checked OPNsense DHCP leases:

Quarantine: reserved quarantine lease - managed phone

There it is. The phone landed on the quarantine network. Completely isolated from the main LAN.


The Monitoring Setup

With the phone on its own VLAN, I could now:

  • Watch quarantine traffic in OPNsense's live log
  • Confirm which external services the device contacts
  • Block outbound connections if needed
  • Capture packets for deeper analysis

The phone can't see any of my personal devices. It can't probe the local network. It's a managed device in a sandbox.


What I Learned

VLANs don't help if you connect to the wrong network. The quarantine VLAN was perfect. The phone just wasn't using it.

Check the DHCP leases first. They show exactly where a device landed. Saves hours of switch debugging.

WAPs need configuration on a working network first. Plugging a factory-reset WAP into a VLAN access port doesn't work — it can't get an IP to configure itself.

Path cost 19 vs 10 doesn't matter. I worried about spanning tree metrics. They're auto-calculated and don't affect basic access port operation.


The Monitoring Results

After a few hours on the quarantine network, the phone's traffic patterns became clear enough to validate the boundary and document expected managed-device behavior.

All visible. All logged. All isolated from anything that matters.


Work wanted surveillance on the phone. Now I have surveillance on the surveillance.