araqiel
just joined
Topic Author
Posts: 7
Joined: Mon Mar 18, 2024 4:35 pm

Configure multiple DHCP Server on each ethernet port

Mon Mar 18, 2024 4:54 pm

Hello,

I plan to buy a Hex S (RB760iGS) with two switches (RB260GS) and one Cap AX (cAPGi-5HaxD2HaxD).
I would like to split the network on each port to know who is connected on each port.
But I need all clients connected to the Cap to be able to communicate with the devices connected to one switch.
The second switch will be isolated from the local network. It's destined to have some ports open on the web.

To easily identify which client is connected or which clients talk to each other, I need to assign a subnet to each router ethernet port. Or each switch has its own DHCP server to identify the network where the equipment is.
In my attachment, you can see the network map I would like to implement.

I would like to know whether it is possible and whether it is good practice to do that?
I read in some posts on this forum that it is not very recommended to use a separate bridge for each network but to use VLANs instead. But I would like to know if that is true and if there is not a way to have multiple networks?

Other topics : viewtopic.php?p=1028402&hilit=multiple+dhcp#p1028402
or viewtopic.php?t=87458
 
TheCat12
Member Candidate
Posts: 179
Joined: Fri Dec 31, 2021 9:13 pm

Re: Configure multiple DHCP Server on each ethernet port

Sat Mar 23, 2024 8:18 pm

I also think it's better to use VLAN for better isolation between the subnets. A pro of it would be that you could use different VLANs on the different Wi-Fis and one or two could be configured for management purposes. Example config on how to set up Bridge VLAN (for ROS 7.1 and higher) on the hEX S, provided you use the bridge from the default config:
/interface vlan
add name=MGMT interface=bridge vlan-id=99
add name=VLAN30 interface=bridge vlan-id=30
add name=VLAN40 interface=bridge vlan-id=40
add name=VLAN50 interface=bridge vlan-id=50

/ip address
add address=10.16.2.1/24 network=10.16.2.0 interface=MGMT
add address=10.16.3.1/24 network=10.16.3.0 interface=VLAN30
add address=10.16.4.1/24 network=10.16.4.0 interface=VLAN40
add address=10.16.5.1/24 network=10.16.5.0 interface=VLAN50

/ip pool
add ranges=10.16.2.2-10.16.2.254 name=pool_MGMT
add ranges=10.16.3.2-10.16.3.254 name=pool_VLAN30
add ranges=10.16.4.2-10.16.4.254 name=pool_VLAN40
add ranges=10.16.5.2-10.16.5.254 name=pool_VLAN50

/ip dhcp-server network
add address=10.16.2.0/24 gateway=10.16.2.1
add address=10.16.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.16.3.1
add address=10.16.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.16.4.1
add address=10.16.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.16.5.1

/ip dhcp-server
add address-pool=pool_MGMT interface=MGMT name=dhcp_MGMT
add address-pool=pool_VLAN30 interface=VLAN30 name=dhcp_VLAN30
add address-pool=pool_VLAN40 interface=VLAN40 name=dhcp_VLAN40
add address-pool=pool_VLAN50 interface=VLAN50 name=dhcp_VLAN50

/interface bridge port set [find interface=ether2] pvid=99

/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4,ether5 vlan-ids=99
add bridge=bridge tagged=bridge,ether3 vlan-ids=30
add bridge=bridge tagged=bridge,ether4 vlan-ids=40
add bridge=bridge tagged=bridge,ether5 vlan-ids=50

/interface bridge set bridge vlan-filtering=yes

/ip firewall filter add action=accept chain=forward in-interface=VLAN50 out-interface=VLAN30
On the cAP ax you could do the following configuration provided you use the default config bridge and ROS 7.13 and higher:
/interface wifi
set wifi1 disabled=no configuration.ssid=Private5 datapath.bridge=bridge security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=securepassword123
set wifi2 disabled=no configuration.ssid=Private2 datapath.bridge=bridge security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=securepassword123
add name=wifi3 master-interface=wifi1 configuration.ssid=Guest2 datapath.vlan-id=50 security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=password123
add name=wifi4 master-interface=wifi2 configuration.ssid=Guest5 datapath.vlan-id=50 security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=password123

/interface vlan add name=MGMT interface=bridge vlan-id=99

/ip dhcp-client add interface=MGMT

/interface bridge port
set [find interface=ether2] pvid=50,99
set [find interface=wifi1] pvid=50,99
set [find interface=wifi2] pvid=50,99

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=50
add bridge=bridge tagged=bridge,ether1 vlan-ids=99

/interface bridge set bridge vlan-filtering=yes
Last edited by TheCat12 on Sun Mar 24, 2024 9:48 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure multiple DHCP Server on each ethernet port

Sat Mar 23, 2024 9:16 pm

Before doing any configuring, let's make sense of what you are doing.

A. All connections to the smart devices (capac, and assuming smart switches) mean that you should have a management subnet where all smart devices get their IP address from and are connected and accessible only by admin. One can use a trusted subnet as well...

B. The APs should not have a single subnet coming at it, as you will probably have two different SSIDs, possibly home wifi, guest wifi, iot wifi, media wifi etc...
So it should be fed however many vlans are needed, normally equating to the number of wifi ssids you need.

C. Same concept with the switches, they need the number of vlans commensurate with the number of different subnets you may wish to attach to the switch.

D. A single subnet coming out of the hex ports is termed an access port going to a dumb device that cannot read vlan tags (the others above are called trunk ports - with two or more vlans going to smart devices that can read vlan tags). The ether2 going to the PC is a good example.

Since you don't have many ports to play with at the router, it's a good idea to maximize the use of VLANs and switches...
 
TheCat12
Member Candidate
Posts: 179
Joined: Fri Dec 31, 2021 9:13 pm

Re: Configure multiple DHCP Server on each ethernet port

Sat Mar 23, 2024 9:58 pm

Maybe it'll be good from my side too to explain what configuration I've suggested. Based on the fact that you want four different isolated subnets I have given you an example configuration on how to set up VLANs for each different network where VLAN 99 will act as a management network (hence the name MGMT), VLAN 30 will be for the 10.16.3.0 network, VLAN 40 for the 10.16.4.0 network and VLAN 50 for the 10.16.5.0 network with each network having a DHCP server. The first 5 blocks of commands are for setting up the Layer3 side of the VLAN (DHCP, addresses, routing, etc.). The next commands are for the Layer2 (the actual switching) VLAN. As @anav promptly explained, ports for VLAN non-aware and on which there isn't any VLAN tagging are access ports and ether2, as the same said, is an example for such one, thus giving it in the configuration a pvid of 99 (management network). Due to the switches and the cAP ax being VLAN aware the ports on which they are connected could be set up as trunk ports (ports with VLAN traffic). In the example config under /interface bridge vlan you could see that ether3, ether4 and ether5 are trunk ports for the VLAN 99 and every other VLAN is configured for its port as per the diagram. The bridge figures in every VLAN entry because here we're talking about inter-VLAN routing (Layer3 VLAN). The firewall rule which you can see at the end of the hEX S example configuration allows communication between the 3.0 and the 5.0 networks as you requested.
In my first post I brought up as an advantage of the VLAN that you could configure different VLANs on the different Wi-Fis of the cAP. That's what I did in the example config. Firstly, I made the master (private) Wi-Fis part of the bridge through datapath.bridge and didn't set up vlan-id on them so that I can do it in the Bridge VLAN settings and make them access ports, so to speak, of the management VLAN and the VLAN 50 because it's not possible through the former menu. However, on the slave Wi-Fis (Guest Wi-Fis) I set it up because they should only access the VLAN 50 and the 5.0 subnet (at least in my opinion). The only Layer3 VLAN on the cAP would be the management one so that it could get an address through DHCP and the rest is on Layer2. Also ether2 is the same case as the Master Wi-Fis - access port for both VLAN 50 and 99.
 
araqiel
just joined
Topic Author
Posts: 7
Joined: Mon Mar 18, 2024 4:35 pm

Re: Configure multiple DHCP Server on each ethernet port

Wed Mar 27, 2024 5:50 pm

Hi,
Thank you for your reply.
As I can see, you advise me to use VLAN whatever happens.
I understand the principle of a VLAN and also the fact that it can be broadcast through devices such as the CAP AX and switches. It's very useful for network management.
I bought the devices and tried some configurations.
I'm trying to do the same without VLAN, just the bridge to see if that can work too.
I just need to add a few rules to the bridges to partition the bridges from each other or let certain rules pass.
Since RouterOS allows it, I tell myself that VLANs are not really necessary.

Here is my true network map. I have just two VLAN for the IoT and external access (opened to Internet).
Bridge.drawio.png
Currently, I have two bridges for the WiFi, one dedicated to the LAN to work with the switch and another for the guest network. In the future, I will make the guest network with a VLAN, I think.
All bridges have a DHCP server and a dedicated IP address range.
It seems to work like this.
The question remains whether it is better for me to turn to VLANs to do all this or if I can stay with multiple bridges?
Likewise, from a performance point of view, I am afraid that partitioning with VLANs will be more efficient and less resource-intensive for the router than doing that with bridges. Tell me what you think.
 
TheCat12
Member Candidate
Posts: 179
Joined: Fri Dec 31, 2021 9:13 pm

Re: Configure multiple DHCP Server on each ethernet port  [SOLVED]

Thu Mar 28, 2024 10:44 am

Looking at the intricacy of the network diagram I still find it better and easier for management to use VLAN because if you use multiple bridges you'll have to think of numerous scenarios and thus firewall rules. Looking at the true network diagram I'll repost a config edited for your needs, provided you want to use the same IP addresses for ether4 and ether5:
#hex s

/interface vlan
add name=MGMT interface=bridge vlan-id=99
add name=VLAN10 interface=bridge vlan-id=10
add name=VLAN20 interface=bridge vlan-id=20
add name=VLAN30 interface=bridge vlan-id=30
add name=VLAN_Guest interface=bridge vlan-id=40

/ip address
add address=10.16.99.1/24 network=10.16.99.0 interface=MGMT
add address=10.16.10.1/24 network=10.16.10.0 interface=VLAN10
add address=10.16.20.1/24 network=10.16.20.0 interface=VLAN20
add address=10.16.30.1/24 network=10.16.30.0 interface=VLAN30
add address=10.16.40.1/24 network=10.16.40.0 interface=VLAN_Guest

/ip pool
add ranges=10.16.99.2-10.16.99.254 name=pool_MGMT
add ranges=10.16.10.2-10.16.10.254 name=pool_VLAN10
add ranges=10.16.20.2-10.16.20.254 name=pool_VLAN20
add ranges=10.16.30.2-10.16.30.254 name=pool_VLAN30
add ranges=10.16.40.2-10.16.40.254 name=pool_VLAN40

/ip dhcp-server network
add address=10.16.99.0/24 gateway=10.16.99.1
add address=10.16.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.16.10.1
add address=10.16.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.16.20.1
add address=10.16.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.16.30.1
add address=10.16.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.16.40.1

/ip dhcp-server
add address-pool=pool_MGMT interface=MGMT name=dhcp_MGMT
add address-pool=pool_VLAN10 interface=VLAN10 name=dhcp_VLAN10
add address-pool=pool_VLAN20 interface=VLAN20 name=dhcp_VLAN20
add address-pool=pool_VLAN30 interface=VLAN30 name=dhcp_VLAN30
add address-pool=pool_VLAN40 interface=VLAN_Guest name=dhcp_VLAN40

/interface bridge port set [find interface=ether2] pvid=99

/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4,ether5 vlan-ids=99
add bridge=bridge tagged=bridge,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether5 vlan-ids=30
add bridge=bridge tagged=bridge,ether5 vlan-ids=40

/interface bridge set bridge vlan-filtering=yes

/ip firewall filter add action=accept chain=forward in-interface=VLAN_Guest out-interface=VLAN30

#cap ax

/interface wifi
set wifi1 disabled=no configuration.ssid=Private5 datapath.bridge=bridge .vlan-id=30 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=securepassword123
set wifi2 disabled=no configuration.ssid=Private2 datapath.bridge=bridge .vlan-id=30 security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=securepassword123
add name=wifi3 master-interface=wifi1 configuration.ssid=Guest5 datapath.vlan-id=40 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=password123
add name=wifi4 master-interface=wifi2 configuration.ssid=Guest2 datapath.vlan-id=40 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=password123
add name=wifi5 master-interface=wifi1 configuration.ssid=Private5_MGMT datapath.vlan-id=99 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=verysecurepassword123
add name=wifi6 master-interface=wifi2 configuration.ssid=Private2_MGMT datapath.vlan-id=99 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=verysecurepassword123

/interface vlan add name=MGMT interface=bridge vlan-id=99

/ip dhcp-client add interface=MGMT

/interface bridge port set [find interface=ether2] pvid=99

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,wifi1,wifi2 vlan-ids=30
add bridge=bridge tagged=bridge,ether1,wifi3,wifi4 vlan-ids=40
add bridge=bridge tagged=bridge,ether1,wifi5,wifi6 vlan-ids=99

/interface bridge set bridge vlan-filtering=yes
Last edited by TheCat12 on Fri Mar 29, 2024 5:23 pm, edited 7 times in total.
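
The VLAN setup above separates the networks at Layer 2, but the hEX S still routes between all of its VLAN interfaces unless the forward chain drops that traffic, so the accept rule from VLAN_Guest to VLAN30 does not restrict anything by itself. The following is an added example, not part of TheCat12's post or of MikroTik's documentation; it assumes the default-configuration firewall with its LAN and WAN interface lists is still in place, and the list name VLAN_USERS is hypothetical.

```routeros
# hEX S - added example; assumes the default firewall and its LAN/WAN lists.
# VLAN_USERS is a hypothetical list name for the non-management VLANs.
/interface list
add name=VLAN_USERS

/interface list member
add list=VLAN_USERS interface=VLAN10
add list=VLAN_USERS interface=VLAN20
add list=VLAN_USERS interface=VLAN30
add list=VLAN_USERS interface=VLAN_Guest
# The default input chain drops everything that does not arrive from the
# LAN list. Traffic from ether2 (pvid=99) reaches the router on MGMT, so
# MGMT has to be a member or management connections from that VLAN are dropped.
add list=LAN interface=MGMT

/ip firewall filter
# Appended after the accept rule VLAN_Guest -> VLAN30 from the post above,
# so that exception is still matched first. Return traffic is covered by the
# default "accept established,related" forward rule.
add chain=forward action=drop in-interface-list=VLAN_USERS \
    out-interface-list=!WAN comment="user VLANs: internet only"
```

To check the result, a client on the guest VLAN should still reach an address in 10.16.30.0/24 but get no reply from 10.16.10.0/24, 10.16.20.0/24 or 10.16.99.0/24.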
 
araqiel
just joined
Topic Author
Posts: 7
Joined: Mon Mar 18, 2024 4:35 pm

Re: Configure multiple DHCP Server on each ethernet port

Fri Mar 29, 2024 4:32 pm

Thanks @TheCat12.
Finally, after some effort, I will follow your recommendations and I'll switch to VLAN.
As you said, it's better to manage the network globally.
Above all I have the impression that there is a bug on the bridge filters which do not work.
Screenshot 2024-03-27 193627.png
The filter works on Firewall but on /bridge filter, only interfaces are filtered. I don't know why.
But it doesn't matter I'm going to change the entire configuration with vlans.
 
TheCat12
Member Candidate
Posts: 179
Joined: Fri Dec 31, 2021 9:13 pm

Re: Configure multiple DHCP Server on each ethernet port

Fri Mar 29, 2024 5:06 pm

FYI, I've made some changes to the config (removed typos and misconfigurations) so please double-check before you apply the settings
 
TheCat12
Member Candidate
Posts: 179
Joined: Fri Dec 31, 2021 9:13 pm

Re: Configure multiple DHCP Server on each ethernet port

Fri Mar 29, 2024 5:18 pm

Also, most probably the bridge filter rules weren't working due to the setting "Use Firewall IP" being turned on
