The VLAN for the Surveillance Phone
Date: 2025-06-08
Duration: About 3 hours of network plumbing
Issue: Work phone not landing on the quarantine VLAN
Root Cause: Connected to the wrong WiFi network
The Goal
I have a work phone with MDM (Mobile Device Management). Corporate surveillance baked into the device. I wanted to capture its traffic — see what it phones home, when, and to where.
The plan: isolate the phone on its own VLAN. Monitor everything through OPNsense. Keep it completely separated from my personal network.
The Network Architecture
The MikroTik switch handles VLANs. OPNsense is the firewall/router. Each VLAN is a separate subnet:
- LAN: 10.42.0.0/24 — Main network
- Quarantine: 10.42.90.0/24 — Isolation zone
- ether17 on the MikroTik — Designated as the quarantine access port
The idea: plug a basic WAP into ether17. Any device connecting to that WAP lands on the quarantine network. Completely isolated from everything else.
The MikroTik Configuration
In the MikroTik switch, set up the bridge VLAN:
Bridge > VLANs
VLAN ID: 90
Tagged: ether1-FIREWALL (trunk to OPNsense)
Untagged: ether17 (access port for quarantine devices)
Set the port’s PVID:
Bridge > Ports
ether17: PVID = 90
That should make ether17 an access port. Any untagged frame arriving on ether17 is assigned VLAN 90 and leaves the switch tagged on the ether1-FIREWALL trunk to OPNsense. This only takes effect once VLAN filtering is enabled on the bridge itself; without it, the bridge VLAN table is ignored.
The OPNsense Side
Created the DHCP scope for the quarantine network:
Interface: Quarantine (vlan0.90)
Range: 10.42.90.100 - 10.42.90.200
Added a static reservation:
MAC: ee:4a:fc:07:6f:c3
IP: 10.42.90.101
Description: Work phone - MDM surveillance device
The phone should get 10.42.90.101 every time. Easy to find in logs.
The Problem
Connected the phone. Checked OPNsense DHCP leases.
Quarantine: (nothing)
LAN: 10.42.0.194 - ee:4a:fc:07:6f:c3 - Pixel-6
The phone was on the main LAN. Not quarantine. Not isolated. Full access to my personal network.
The Investigation
Checked the MikroTik interface:
ether17: running, designated port, PVID 90
The port was configured correctly. Traffic coming in should be tagged VLAN 90.
Checked the ASUS router’s DHCP leases:
Guest Network - 3: 10.42.0.194 - ee:4a:fc:07:6f:c3
Wait. Guest Network - 3?
I had connected the phone to the ASUS router’s guest network. Not to the WAP plugged into ether17.
The phone was on the wrong WiFi network entirely.
The WAP Situation
Grabbed a TP-Link WAP. Plugged it into ether17. Factory reset it.
Couldn’t find its SSID. Couldn’t find its IP.
Checked ether17 on the MikroTik — it showed traffic going out but nothing coming back. The WAP was receiving data but not responding.
Moved the WAP to a regular LAN port to configure it. It got IP 10.42.0.169. Accessed the admin interface. Set up the SSID and password. Moved it back to ether17.
The Final Test
Connected the work phone to the TP-Link WAP’s SSID.
Checked OPNsense DHCP leases:
Quarantine: 10.42.90.101 - ee:4a:fc:07:6f:c3 - Pixel-6-Work
There it is. The phone landed on the quarantine network. Completely isolated from the main LAN.
The Monitoring Setup
With the phone on its own VLAN, I could now:
- Watch all traffic in OPNsense’s live log
- See which domains the MDM contacts
- Block outbound connections if needed
- Capture packets for deeper analysis
The phone can’t see any of my personal devices. It can’t probe the local network. It’s just a surveillance box in a sandbox. That separation is only as good as the firewall rules on the Quarantine interface: any pass rule there needs a destination that excludes 10.42.0.0/24, or the phone can still reach personal devices through the router.
What I Learned
VLANs don’t help if you connect to the wrong network. The quarantine VLAN was perfect. The phone just wasn’t using it.
Check the DHCP leases first. They show exactly where a device landed. Saves hours of switch debugging.
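Here is that lease check written down, as an added example that is not part of the original post. It classifies leases by which subnet the address falls in rather than by the lease table's label, so a lease handed out by the ASUS guest network is still recognised as "on the LAN"; the lease lines are constructed in the shape quoted above, and the lease format and function names are my own assumptions.

```python
import ipaddress
import re
# Subnets from the post. Classify by IP, not by the lease table's label: a lease
# from another DHCP server (the ASUS guest network) has a different label but
# still sits in 10.42.0.0/24.
NETWORKS = {
    "LAN": ipaddress.ip_network("10.42.0.0/24"),
    "Quarantine": ipaddress.ip_network("10.42.90.0/24"),
}
# Where each watched device must land (MAC from the post).
EXPECTED = {"ee:4a:fc:07:6f:c3": "Quarantine"}
# "<label>: <ip> - <mac> [- <hostname>]", the shape the post prints leases in;
# lines without an address ("Quarantine: (nothing)") simply do not match.
LEASE_RE = re.compile(
    r"^(?P<label>[^:]+):\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*-\s*"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s*-\s*(?P<host>\S+))?",
    re.IGNORECASE,
)

def parse_leases(text):
    """Pasted lease lines -> list of dicts; non-lease lines are ignored."""
    matches = (LEASE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def subnet_of(ip, networks=NETWORKS):
    """Name of the configured subnet holding ip, or None if it is in none."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in networks.items() if addr in net), None)

def audit(leases, expected=EXPECTED, networks=NETWORKS):
    """One finding per watched MAC that has no lease or sits on the wrong subnet."""
    placements = {}
    for lease in leases:
        entry = (subnet_of(lease["ip"], networks), lease["ip"])
        bucket = placements.setdefault(lease["mac"].lower(), [])
        if entry not in bucket:  # same lease seen in two tables counts once
            bucket.append(entry)
    findings = []
    for mac, want in expected.items():
        seen = placements.get(mac.lower(), [])
        if not seen:
            findings.append(f"{mac}: no lease on any subnet, expected {want}")
        findings += [f"{mac}: leased {ip} on {net or 'unknown subnet'}, expected {want}"
                     for net, ip in seen if net != want]
    return findings

# Constructed samples mirroring the lease tables quoted in the post.
LEASES_WRONG = "Quarantine: (nothing)\nLAN: 10.42.0.194 - ee:4a:fc:07:6f:c3 - Pixel-6\nGuest Network - 3: 10.42.0.194 - ee:4a:fc:07:6f:c3\n"
LEASES_FIXED = "Quarantine: 10.42.90.101 - ee:4a:fc:07:6f:c3 - Pixel-6-Work\n"
```

Run `audit(parse_leases(...))` over both DHCP servers' tables before touching switch config; one line of output tells you where the device actually landed.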
WAPs need configuration on a working network first. Plugging a factory-reset WAP into a VLAN access port doesn’t work — it can’t get an IP to configure itself.
Path cost 19 vs 10 doesn’t matter. I worried about spanning tree metrics. They’re auto-calculated and don’t affect basic access port operation.
The Monitoring Results
After a few hours on the quarantine network, the phone’s traffic patterns became clear. MDM check-ins every few minutes. Telemetry to multiple cloud endpoints. Location services running constantly.
All visible. All logged. All isolated from anything that matters.
Work wanted surveillance on the phone. Now I have surveillance on the surveillance.