Hi,
I just received 2x 951G 2HnD and I have some questions regarding a setup I would like to create.
Currently I have the following:
Internet
|
Firewall (including wireless) / DHCP server
|
Switch
|
Ports to the different rooms (Vlan 100)
As my firewalls wireless is on the other side of the house I bought those 2 units to have wireless upstairs and downstairs.
Would the following be possible?
- Disable wireless on firewall
- Connect other interface from firewall to Switch (vlan 200) for splitting up local lan and wireless
- Connect Trunks (Vlan 100 and 200) from the switch to the 2 rooms (for connection of the 951G 2HnD devices on int1)
- Have the wireless run in Vlan 200 and use the DHCP server from the firewall (subnet 10.0.200.0/24)
- Have the local 4 ports act as a switch in Vlan 100 and use the DHCP server from the firewall (subnet 10.0.100.0/24)
- Have wireless roaming for the 2 devices (potentially additional devices for outside wireless)
This would allow me to have two different networks connecting over the devices and allowing me to firewall traffic between the subnets. Some wireless devices will have access to certain locations (printer, NAS, …) in the vlan 100.
In addition I also would like to have a 3rd subnet / vlan for guest wireless where I would like to use a hotspot and have a different firewall policy.
Regards,
Hardy
Yes. Set them both up as bridges, and don’t worry about anything to do with IP/firewall except the management address.
Create a bridge interface for each VLAN they participate with, create a virtual AP for each vlan, and a vlan sub-interface for each VLAN on the ether1 port.
Connect the vlan subinterface and the vap each to their appropriate bridge.
Put the management IP address on the appropriate bridge.
Set the default GW to be the router’s LAN address.
Open a beer.
close to open the beer but I cannot get my second network connecting.
Setup is as follows (simplified)
Firewall has uplink to the internet + DHCP scopes enabled for both LAN and Wifi network
Switch:
Switch port 1 (access - vlan 10) = link to firewall for LAN network
Switch port 2 (access - vlan 99) = link to firewall for Wifi network
Switch port 3 (trunk - vlan 10 and vlan 99) = link to mikrotik router on int1
Mikrotik:
- Created 2 bridges: bridge-vlan-lan and bridge-vlan-wireless
- Created 2 VLAN interfaces and bound to int1: vlan-lan and vlan-wireless
- Configured original wireless (wifi-dmq) and added 1 VAP: Wifi-guest
- Added interfaces to bridges:
— Bridge-vlan-lan contains: int2, int3, int4, int5, wifi-dmq and vlan-lan
— Bridge-vlan-wireless contains: wifi-guest and vlan-wireless
- Added route for subnet wireless with default gw bridge-vlan-wireless
- Mgmt IP on bridge-vlan-lan
Remark: I did not add int1 to the bridge as this is a trunk and cannot be in both bridges.
But is seems not to be working completely.
From the mikrotik device I can ping both interfaces on the firewall when static routes are present.
But i cannot have any other ip communication in this wireless subnet.
What am I doing wrong?
time for a beer… fixed it 
Wrong config of my trunk for the 2nd vlan.