Building a secured Hotel network

Hello,

I am new to Mikrotik devices. I need to rebuild a Hotel network, and I don’t want to make mistakes, security holes and so on. Thus, I am wondering if someone could help me build a rock solid configuration to achieve this:
(attached diagram: Marina réseau.png)
The Office VLAN100 should be highly secured. From the office VLAN100 it should be possible to access the DVR system on VLAN200. I ultimately would like to be able to limit the bandwidth available per client on the public VLAN300.

Thanks in advance.

Here is the link which is going to help you start with VLAN setup on a MK device:

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1


I came up with this setup on GNS3 (a virtual environment); maybe it can be of some help:

http://forum.mikrotik.com/t/my-vlan-final-setup/162120/1

Thank you for the easy to follow diagram. Read the links broderick has provided. Access from Office to Cam is as simple as a firewall rule in forward chain, in interface is Office, out interface is Cam, connection state is New, and action is accept.
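The rule described in that reply, written out as a RouterOS forward-chain policy together with the default drop that keeps the other VLANs apart and a per-client PCQ limit for the public VLAN. This is an added example, not configuration from the thread; the interface names (ether1, vlan100-office, vlan200-dvr, vlan300-guest), the guest subnet 192.168.30.0/24 and the rates are assumptions.

```routeros
# Added example (not from the thread). Assumes the VLAN interfaces already exist
# on the bridge as vlan100-office, vlan200-dvr and vlan300-guest (assumed names),
# ether1 is the WAN port, and the guest subnet is 192.168.30.0/24 (constructed).

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan100-office
add list=LAN interface=vlan200-dvr
add list=LAN interface=vlan300-guest

/ip firewall filter
# replies to connections that were already permitted keep flowing
add chain=forward action=accept connection-state=established,related \
    comment="forward: accept established/related"
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
# the rule from the reply: Office may open new connections to the DVR network
add chain=forward action=accept connection-state=new \
    in-interface=vlan100-office out-interface=vlan200-dvr \
    comment="forward: Office -> DVR"
# every VLAN may reach the Internet
add chain=forward action=accept connection-state=new \
    in-interface-list=LAN out-interface-list=WAN \
    comment="forward: LAN -> WAN"
# anything not explicitly accepted (guest -> office, DVR -> office, ...) is
# dropped; this default drop is what actually separates the VLANs
add chain=forward action=drop comment="forward: drop all else"

# per-client limit on the public VLAN: PCQ gives each IP address its own
# sub-queue, so one guest cannot starve the others (rates are assumptions)
/queue type
add name=pcq-guest-down kind=pcq pcq-rate=10M pcq-classifier=dst-address
add name=pcq-guest-up kind=pcq pcq-rate=5M pcq-classifier=src-address
/queue simple
add name=guest-per-client target=192.168.30.0/24 \
    queue=pcq-guest-up/pcq-guest-down max-limit=50M/100M \
    comment="each guest IP: 5M up / 10M down, 50M/100M total"
```

Rule order matters: the established/related accept must precede the final drop, or replies from the DVR back to the office are discarded.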

VLANs are perfectly useless as a security measure if you don’t use more than a single VLAN per port… (ignoring bridge VLAN configuration)
What separates the office network and the guest network physically is two separate Ethernets, but logically it is the firewall rules: even using different VLANs, if the IPs are reachable from each other, they are in any case, precisely, reachable between them.

Also, “splitting” ether6 off onto another switch is a wrong decision; for one use, it is better to keep it in the same switch group, to reach wire speed.

Better use 1+2 for ADSL, 3+4+5 for office, 6 surveillance, 7+8+9 for public network, 10 for admin access only.

What do you exactly mean here?
Thanks

What he means is that if you only have one Subnet per port, why use vlans?
There is no gain in doing so.

Even still, I would do vlans because it irks both rextended and Sob, but besides that it is because one always eventually trips up and discovers they need to send two or more subnets on a single port, and rather than make a huge change later to a config, start with vlans so adding another vlan is just dirt simple.

Either way is legit.
He is also correct in that one should make use of the two hardware switches in the RB4011 and thus group like users on the same switch port series.
(Let’s say ether1 is WAN; bridge1 could cover 2-5 and bridge2 could cover 6-10, with duplicates of vlans on the same bridge… or, if no bridge, on the same set of port groupings.)

I agree with @anav. It is better to design vlans in at the start, than to have to “remodel” later. That’s true when building a house or configuring a network, it is much easier to add network cables or conduit into the walls when building the walls than to add after you have the drywall in place. Same with vlans. Yes, it is marginally more complex to set up, but it is much easier than retrofitting later.

About the only time I don’t start with vlan-aware/vlan-filtering is when vlans are not hardware assisted by a switch chip. Because if you have a software bridge, it isn’t “free” performance wise.

Yes right, just to make sure that I had got it right. It is actually my setup at home. For the time being, I practise with VLANs only in a virtual environment.
Anyway, I remember that I read a few articles and watched videos by people who claim that they do without VLANs when possible for security reasons.
It must be so for environments where security is paramount, I guess.

Sorry for my English,
simply that VLANs by themselves are not a sufficient security measure if they end up on a router that forwards between all VLANs,
so using VLANs alone does not mean securing the network.
I hope you understand. (@anav help :stuck_out_tongue: )

That for sure!

Yes, I’ve understood it now. Thanks

If that were the case there would be 200 port routers and 1000 port switches LOL…
Ignore crap advice…

I think they simply meant that “when you don’t strictly need them just don’t use them” since they can have some downsides with the security matter

WHAT PHUCKING downsides… stop spreading BS…

Let’s put a stop to this thing:
Using VLANs has no downsides,
what has downsides is using VLANs and thinking that only that is enough to secure the network.

Okay so when a grey canadian llama says it, its not valid until confirmed by a black Italian cat… Egads this smacks of ethnic animal egocentrism…

I don’t think so, it was just a misunderstanding :wink:

Not my BS. I just told you what I heard around.
Not good enough at Computer Networking to tell whether they are right.

Stay on facebook, tiktok, twitter if you are not interested in facts!

I have never had a twitter, tiktok, or instagram account, and barely use facebook every once in a while,
and if I weren’t interested in facts (the mk “facts” at least) I wouldn’t be here on the official mk forum.
Agree?

There are a lot of people that use vlans without understanding, and that’s where the vulnerabilities exist. In security, humans are the weakest link.

For example, plugging a trunk port into a dumb switch and “cloning” the trunk to many exposed ports, all of which now have access to all the tagged vlans in addition to the untagged vlan. If you have a Raspberry Pi, you can easily verify what I am saying: just load the vlan package and you can create vlan interfaces on the Pi in every vlan. And with tools like scapy, that can be a powerful hacking tool. And with ZeroTier, it can easily be accessed remotely. Tom Lawrence has a YouTube video where he explains how this can be set up to allow authorized access at a client, “How To Access a Raspberry Pi Running Kali Linux Anywhere with ZeroTier”.

There are tag stacking attacks against the native vlan that can sometimes allow someone to send traffic to another vlan (depending on the switch and its configuration, and on whether the native vlan on the trunk port is allowed on any access port on the switch), but I don’t know of any current vulnerabilities that allow “bidirectional” vlan hopping, so it is of limited use (and there are usually much easier ways to break security; humans are the weak link). If you want an example in “Nova/Horizon” style presentation, see David Bombal’s “They said this doesn’t work :rofl: Hacking networks with VLAN hopping and Python”, and for lecture style the Trainonic YouTube video “VLAN Hopping Explained - What is VLAN Hopping Attack?”.