Best Practice for VLANs or Subnets

I have a complex setup and I am pretty new to router OS. My current system works OK most of the time, but I would like to setup a reliable remote management strategy. I travel for work and when the internet goes down, I hear about it and I don’t want the Fam (or sections of it) to go without until I can get back. I downloaded GNS3 to try to simulate my network, but TP-Link does not have any virtual devices available to simulate my equipment.

I have 3 homes on my network. We live in a very rural area and my In-laws live next door and my step son lives behind us (diagram shows relative geographical positions). My home is only about 30m off the street, but theirs are both about 1000m off the street. This means that I have access to wired internet and they do not have any access at all. It would be cost prohibitive to have the infrastructure put in for them. However, using Wi-Fi links, I can provide them both with internet. Below is my current network structure. I have 3 Mikrotik hAP routers one in each home. I have used the quick set to set them all as “Home AP”. The below diagram is from memory and may vary slightly from the actual setup, but is representative. I have tried to setup remote access, but have been unsuccessful so far.


[Image: NetworkInfrastructure.PNG (network diagram)]

I would like to learn during this process and am willing to do my own research, but I have watched a ton of videos and am not sure what is the best way to do things. I have a few questions:

  1. Could one of you experts point me in the right direction as far as industry best practice to either VLAN this or use subnets to segregate the different building’s networks? If I use VLAN, would the Wi-Fi links be included?
  2. I believe the way I have it setup now my router (ax3) appears as the internet to the other two routers. However, the firewalls prevent me from managing these routers as if they are on the same network. Should I move the ethernet cables from the eth1 port to eth2 so that they are on the same LAN?
  3. What is the best way to distribute the work load across the three routers?

I appreciate any guidance here. I am traveling for work currently and can post the configurations as soon as I get home (after Easter).

Hello.

  1. Well, I am not an expert by any means. I just thought maybe you are open to some help.

I downloaded GNS3 to try to simulate my network, but TP-Link does not have any virtual devices available to simulate my equipment

Unless your daily work is as a technician in those ever-changing environments, I think we could just spend a little time reading the manual and visiting this forum to ask for some expertise from its beloved members, don’t you think? 👍

  2. Congratulations, you have built yourself a campus network topology 👍

Device management really depends on you as the network manager.

If you trust those other 2 houses to have their internet transiting your router, then bridge mode is easier to manage. If not, go with routing mode.

If you go with bridge mode and you don’t trust the other networks, you could go with VLANs.

But I think VLANs are not necessary for your hub-and-spoke setup; they will later cost you more useless time and effort.

Or… just go with routing mode and separate with subnets. It gives you better control for the whole network, i.e. management, filtering, etc.

  3. Network diameter distance:

If below 100 meters, you could just hook it up with UTP/STP wires.

If above 100 to about 150 meters, you could do a wireless bridge client. I think the MikroTik or Ubiquiti wiki has an example for that; you just need to understand the basic concept.

If beyond that 150 meters, like you said, 1000 meters, the same concept as above applies but with different materials, i.e. a targeted antenna and more hardware power. Better to ask help from your local contractor.

For the long term, spending on some optical fibre will give you better results.

Hope this helps.

You just need to add a rule allowing access through Winbox to ac2 and ac3:
/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=tcp dst-port=8291
PS
It is also better to assign a separate subnet for the radio bridges.
On ax3 exclude the ether2 port from the bridge. Assign to it an address from a separate network, e.g. 192.168.111.1/24, and assign addresses from this network to all CPEs of ac2 and ac3 instead of 192.168.0.0/24, and set their gateway to the address of ax3.

For remote connectivity WireGuard should work, and if that doesn’t for some reason there is always ZeroTier.
Is your WAN IP a publicly accessible WAN IP?

I don’t think he was asking for advice on that, and he actually doesn’t need ZeroTier or WireGuard.
As far as I’ve understood, he asked for some help about network segregation best practices, according to his needs.

Of course it’s perfectly doable.
Of course VLANs at each location make sense.
Of course he can distribute the internet to each device (private IP on a subnet).

There is no question, it’s just a matter of doing/planning.
The diagrams are a good help.
Now the OP simply needs to config each router.
They will look strikingly the same.

The only question I have in my mind is if it’s better to simply use the other devices as AP/switches and only have one ROUTER, handing out all DHCP etc.
One can still make separate VLANs for each family on the one router.

On the surface it would appear to be better to minimize traffic across the links, so each being its own router handing out DHCP is probably better.
Wi-Fi strictly for internet traffic (no broadcast or other router-type traffic).

Thanks for the advice. I tried this in the past and could not make it work. Maybe I was doing it incorrectly. I will give this another shot.


When I do this, do you mean that I should set the WAN IP addresses of ac2 and ac3 to 192.168.111.x/24? If I do this, will I be able to log into the CPE 710 setup pages? The TP-Link stuff does not have a tool like Winbox that I can use to access the configuration page.

How do you access the TP-Link, for example, when connected to the AX3?
Does it need to have its own subnet? A bit more on this part will be helpful to understand how to best configure RoS.

Also, is it one CPE710 feeding two of them, or two pairs (2 at your place etc.)?
Hard to find the actual practical range on these kits??



Looks like the device(s) at AX3 will be in access point mode and at the far-end houses in client mode.

The devices are expecting to be on a LAN subnet.
Therefore create one for each house if you have two CPE710s:
192.168.50.0/24 for house 1
192.168.100.0/24 for house 2

If not, you only need one network to serve the single CPE at your own house.
CPE at house static IP 192.168.50.2
CPE at house static IP 192.168.100.2
CPE at home1 192.168.50.3
CPE at home2 192.168.100.3
or
CPE at house 192.168.50.2
CPE at home1 192.168.50.3
CPE at home2 192.168.50.4

Suggesting on the bridge on the ax3, you have either an access port or a hybrid port to the CPE ports.
Hybrid because these units are expecting a management VLAN if you have one.
Which would be ideal actually.
/interface bridge port
add bridge=bridge interface=ether1-home1 pvid=30
add bridge=bridge interface=ether2-home2 pvid=40
/interface bridge vlan
# the bridge vlan table only takes effect once vlan-filtering=yes is set on the bridge
add bridge=bridge tagged=bridge,ether1-home1,ether2-home2 vlan-ids=10 comment="management/trusted vlan"
add bridge=bridge tagged=bridge untagged=ether1-home1 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether2-home2 vlan-ids=40

Or if only one CPE at home:
/interface bridge port
add bridge=bridge interface=ether1-home1+2 pvid=30
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-home1+2 vlan-ids=10 comment="management/trusted vlan"
add bridge=bridge tagged=bridge untagged=ether1-home1+2 vlan-ids=30

On the ax3:
/interface vlan
add interface=bridge name=management-vlan vlan-id=10

/interface list
add name=MGMT

/interface list member
add interface=management-vlan list=MGMT
add interface=wireguard1 list=MGMT
etc…

/ip neighbor discovery-settings
set discover-interface-list=MGMT

/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
++++++++++++++++++++++++++++++++++++++++

Thanks for your answer. I agree that it is doable, but my day job is not a network engineer. Also, I do not have any extra devices to play with. If I start experimenting with these, my family is gonna be super upset with no internet. As I said, we are very rural and cellular coverage is spotty at best. We use the internet to do wifi calling on our cell phones, so a long outage is not an option.
I downloaded GNS3 to play around with different configs, but again I don’t know how to simulate the Wi-Fi links.

Latency on those has been an issue, so I like Ca6ko’s idea of putting the Wi-Fi links on a separate subnet. If I understand correctly, this would cut down on unnecessary traffic.


That is what I thought from my previous research. My major issue currently is that when I access the network via the VPN when I travel, I cannot connect to any of the MikroTiks except the ax3. I can access the Wi-Fi links (I assume because they are currently on the same subnet?), but that is not a good solution. If one of the in-laws or my step son calls saying they are having issues, I cannot check the current state of their router.

If I can add firewall rules and get access with winbox over the VPN, this may satisfy the need currently.

Is there a way to have the Wi-Fi links on a separate subnet and still access the config pages from my home lan and/or the VPN?

Looks like you posted this while I was writing my reply to your first answer. Currently, I just use a browser to access through the local IP (192.168.0.15 for the one at my home).



There is one CPE710 at my home and one each at the others. The one on my end is configured as an AP and the others as Clients. TP-Link has a protocol called MAXstream that is supposed to decrease latency and increase throughput across these links. I am currently using this setting. This means that only TP-Link devices can access the AP.



Yes, the CPE 710 at my home is set as AP and the CPE 710s at their places are set as clients. These work pretty well. As I said earlier, the only issue on these is latency. This is only occasional and I assume has to do with environmental conditions beyond my control.

Yes, we can glue things together such that it does…
The starting point is all three configs exported.

It’s not clear if you have four CPEs or 3? I’m assuming four, as it’s likely the antenna is not designed to spread that much, as one loses range rapidly if so… but this equipment is an unknown.

The idea is to be able to use Winbox to access all three devices easily.
The next step is to ensure via firewall rules that all TP-Link devices are accessible both locally (from your home router) and from any WG connection.
This should be easy peasy…

Three configs and a good network diagram will make it all clear… as to what needs to be done. Aka a starting point.
Understood about minimizing down time.

Thus the first thing I would do on the ax3 is take a port off bridge and do all configuration there.
https://forum.mikrotik.com/viewtopic.php?t=181718

I am still digesting the rest of your last post and will read the thread linked in this post.

It will be next weekend before I can get home. I am currently out of town on business and my trip was just extended into next week, so I will not have physical access and be able to export the configs until then.

Thank you again for all of your help.

I don’t think you need to learn/configure VLANs.
Putting the radio bridges on a separate network will reduce some unnecessary traffic over the radio. It will also ease the work of the CPEs themselves. Access to the devices will be by IP.

Everything will work properly. The IP addresses on the CPEs should also be from this separate network.

Right now you have the CPE at your home operating in point-to-multipoint mode. The antenna has an angle of about 7 degrees. I don’t think both client points are spaced so as to fall into that angle.
It would be more correct to buy another CPE and use them in point-to-point mode.

When you write that there is no access to the router behind the radio bridge it may really not be because of problems on the radio at that point.
Increased latency indicates a problem on the radio. Could be interference or lack of bandwidth. Splitting the traffic between the two radio bridges will greatly improve their performance.

Just some comments based on your diagram.

Consider using different (less used) private LAN address blocks. 192.168.1.0/24 and 192.168.0.0/24 are the most commonly used RFC 1918 addresses (since they are the defaults for many vendors). Even 192.168.2 is much more used than something like 192.168.213.0/24 (or even better 10.153.145.0/24). While they will work, it becomes a problem when you want to connect to your home with a VPN from another network using the same subnet as you use at home, as the client will be confused as to which 192.168.1.0/24 is being referenced. There is a large RFC 1918 address space; use some of the “less used” part, it will save you problems later when you want to remotely access your home. See this post on the UI forum which has this info:

The top 33 subnets to avoid, as they are the most frequently used router defaults or subnets from "examples". Avoid them!

  Count  Subnet
     54  192.168.1
     35  192.168.0
     19  10.0.0
     18  192.168.2
      8  192.168.10
      5  192.168.254
      4  192.168.15
      4  192.168.100
      4  192.168.123
      2  10.1.1
      2  192.168.3
      2  192.168.4
      2  192.168.8
      2  192.168.16
      2  192.168.20
      1  10.0.1
      1  10.1.10
      1  10.10.1
      1  10.10.10
      1  172.16.0
      1  172.16.1
      1  10.90.90
      1  192.168.11
      1  192.168.30
      1  192.168.50
      1  192.168.55
      1  192.168.62
      1  192.168.86
      1  192.168.88
      1  192.168.102
      1  192.168.168
      1  192.168.223
      1  192.168.251

When choosing from the remaining subnets, avoid the starting and ending ranges of the blocks, as these tend to be used more frequently as well.
For example: avoid 192.168.x, 10.x.x, 172.16.x and 172.31.x where x < 11 or x > 249.

You need 4 CPE710s (one pair for each remote home). Those have highly directional 23 dB parabolic antennas. This will require a second ethernet port on your home’s hAP ax3 (e.g. ether2 to the CPE710 to the parents, ether3 to the CPE710 to the son). This may require you to get a switch to expand the ports on your hAP ax3 (but these are cheap; you can even get “VLAN aware” 8-port switches for around $30 from the same vendor as the CPE710).

If I were you I would remove the ports going to the CPE710s from the bridge (e.g. ether2 and ether3) and assign them their own transit subnet. This will help isolate broadcast (and possibly multicast) traffic from the radio links.

Since your hAP ax3 is currently the only link to the internet, there isn’t a requirement that the hAP routers in the other two homes use NAT masquerade, as the only requirement for that is to share a single globally routed IP address with multiple clients. If you don’t use NAT at the remote routers, your hAP ax3 will need to have routes to all subnets for both houses. Static routes are the easy way with the number of routers you have and with only a single exit point. But if there is ever an LTE backup put in at one of the other homes, you will probably need to migrate to a dynamic routing protocol (like OSPF, but that is relatively complex and not something to worry about at this point, in my opinion).

And GNS3 should still be useful for learning. You won’t be able to simulate the radios, but once they are set up they should “act like” a link. You are not going to be able to emulate the hAP devices either, just a generic ROS device. But for things like understanding routing, static routes, etc., this shouldn’t be a problem. If you want to learn dynamic routing protocols like OSPF, then it will come in handy.
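Putting the two suggestions above (a separate transit subnet per radio link with Winbox allowed only from trusted interfaces, and static routes with NAT done once on ax3) into RouterOS commands, as an added example that is not from any poster in this thread. The addresses are constructed from a less-used RFC 1918 block; the interface names (ether2/ether3 to the CPE710s, wireguard1) and the stock hAP default firewall are assumptions.

```routeros
# Added example (not from the thread). Constructed address plan:
#   home LAN 10.153.10.0/24 (ax3)      WireGuard clients 10.153.200.0/24 (ax3)
#   in-laws LAN 10.153.50.0/24 (ac2)   step son LAN 10.153.60.0/24 (ac3)
#   transit ax3<->ac2 10.153.145.0/30  transit ax3<->ac3 10.153.146.0/30
# Interface names (ether2/ether3 to the CPE710s, wireguard1) are assumed.

# ===== hAP ax3 (home, only internet exit, the only router that masquerades) =====
/interface bridge port
remove [find interface=ether2]
remove [find interface=ether3]
/ip address
add address=10.153.145.1/30 interface=ether2 comment="transit to ac2"
add address=10.153.146.1/30 interface=ether3 comment="transit to ac3"
/ip route
add dst-address=10.153.50.0/24 gateway=10.153.145.2 comment="in-laws LAN via ac2"
add dst-address=10.153.60.0/24 gateway=10.153.146.2 comment="step son LAN via ac3"
/interface list
add name=MGMT comment="interfaces router management is allowed from"
add name=TRANSIT
/interface list member
add interface=bridge list=MGMT
add interface=wireguard1 list=MGMT
add interface=ether2 list=TRANSIT
add interface=ether3 list=TRANSIT
/ip firewall filter
# placed at the top so they precede the default "drop all not coming from LAN" rule
add chain=input action=accept in-interface-list=MGMT protocol=tcp dst-port=8291 place-before=0 comment="Winbox from home LAN or VPN only"
add chain=input action=accept in-interface-list=TRANSIT protocol=udp dst-port=53 place-before=0 comment="remote hAPs resolve DNS via ax3"

# ===== hAP ac2 (in-laws); ac3 is identical with the 10.153.146.x / 10.153.60.x values =====
/ip dhcp-client
remove [find interface=ether1]
/ip address
add address=10.153.145.2/30 interface=ether1 comment="transit to ax3"
add address=10.153.50.1/24 interface=bridge comment="in-laws LAN"
/ip route
add dst-address=0.0.0.0/0 gateway=10.153.145.1
/ip dns
set servers=10.153.145.1 allow-remote-requests=yes
/ip firewall nat
# ax3 NATs for all three homes, so no second NAT layer here
remove [find chain=srcnat action=masquerade]
/ip firewall filter
add chain=input action=accept in-interface=ether1 src-address=10.153.10.0/24 protocol=tcp dst-port=8291 place-before=0 comment="Winbox from home LAN"
add chain=input action=accept in-interface=ether1 src-address=10.153.200.0/24 protocol=tcp dst-port=8291 place-before=0 comment="Winbox from WireGuard clients"
# the ac2 DHCP server pool and network must also be moved to 10.153.50.0/24 (not shown)
```

Because the remote routers no longer masquerade, ax3 sees the real 10.153.50.x/10.153.60.x source addresses, so any later filtering per house can be written on ax3 by subnet.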

Interesting. I was totally unaware of this possible issue. I’m wondering how and when it may happen. Thanks

Disagree, buckeye.
The less traffic required between the users and the home base device the better.
Such traffic should be limited to internet access only if possible.

What specifically are you disagreeing with?

Because I agree with your last two sentences, but don’t understand what I said that was incompatible with them. So please enlighten me.

How do devices get IP addresses/leases if the hapacs are not local routers for example?

The only thing I said was that the routers in the other two houses didn’t need to have NAT between them and the hAP ax3. This eliminates one layer of NAT and makes accessing devices in the other home easier as long as the firewall allows it; no port forwarding necessary.

Like this:
[Image: 3 home setup.png (three-home routing diagram)]

@wgilthorpe I have never used the TP-Link CPE710 devices, but apparently they can be set up to be VLAN-transparent if you do not enable Multi-SSID in AP mode. Then the link between the two radios should act as an “ethernet” link. The best manual for the device is from the FCC site: https://fccid.io/TE7CPE710/User-Manual/14-User-Manual-4634396.pdf

Also see this thread https://community.tp-link.com/en/business/forum/topic/273380