My company has two sites across a highway from each other. Site “A” is our main offices, etc., and is also where our company’s internet connection resides. Site “B” is a manufacturing plant on the other side of the highway. It is company policy beyond my control that our ERP (Enterprise Resource Planning) server and network be physically isolated from the primary LAN. The way things are now, we have separate fiber optic feeds under the highway to keep them separate, but because of a state construction project we are going to lose those.
I am proposing to use a pair of MikroTik Cube 60 Pro ACs to give a line-of-sight point-to-point connection, but somehow have to merge these isolated LANs. My thought is to run a connection from each LAN into a router as a VLAN access port, then run a VLAN trunk across the Cubes. I have limited experience with VLANs, so my question is: is this a feasible way to accomplish this? If so, could someone give me an outline on how to do it? Thanks.
Before you do anything you really need to nail down the requirements.
What access do devices and users including admin from the MAIN office need to the PLANT?
What access do devices and users including admin from the PLANT need to access (originate traffic to) the MAIN office?
Where does each get its internet from? If both have internet, all the questions that ensue from sharing, primary/failover, etc.
Think of the cube60 as just an ethernet cable between the two locations.
Will you have one main router or not etc…
What kind of backups do you need… router, switches, internet, power supply.
Will you have cube60 spares on hand in case of failure?
The main concern from management is not so much internal access to the ERP system, as that has its own access controls. Employees at both sites need access. Management is concerned that the ERP system not be visible or accessible from the internet. Yes, I know that can be done other ways better, but as I said, it is outside of my control. Internet for both sites comes from Site “A” and is accessible from what I have labeled as the primary LAN. My main question is on how to set up the VLANs to trunk across to the other site.
We are going to get this set up before the construction begins to prove out the concept. If it works we will definitely keep backups on hand.
Should be fairly easy, all in the forward chain rules.
a. allowing subnet to access devices or devices/users to access subnets etc…
Whole subnets use src or dst address; lists of users use firewall address lists.
For more than one whole subnet, create interface list names.
(For example, interface list name = Internet: all subnets except the machine subnet, etc.)
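To make the two posts above concrete (the OP's access-port-plus-trunk layout, and the reply's forward-chain rules with address lists and interface lists), here is an added RouterOS configuration for the Site “A” router. It is example code written for this thread, not something any poster provided, and it assumes interface names (ether1 WAN, ether2 primary LAN, ether3 ERP LAN, ether4 toward the Cube 60), VLAN IDs 10 and 20, and RFC 1918 / documentation addresses that are all made up for illustration.

```routeros
# Site "A" router (the one holding the internet uplink). Assumed layout (not from the thread):
#   ether1 = WAN uplink, ether2 = primary LAN access port (VLAN 10),
#   ether3 = ERP LAN access port (VLAN 20), ether4 = 802.1Q trunk to the Cube 60 link.
# The Site "B" router gets the same bridge/VLAN section with no WAN, no IP address and no NAT.

# --- One bridge with VLAN filtering: both LANs cross the same link, tags keep them apart ---
/interface bridge
add name=bridge1 comment="trunk bridge carrying both LANs"

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged comment="primary LAN access port"
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged comment="ERP LAN access port"
add bridge=bridge1 interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="trunk to Cube 60"

# VLAN 10 is tagged to "bridge1" itself so the router CPU can route it.
# VLAN 20 is deliberately NOT tagged to bridge1: the router only switches it at layer 2,
# so it holds no IP address on the ERP network and has no route by which to forward ERP traffic to the WAN.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether4 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=ether4 untagged=ether3

# Layer-3 interface for the primary LAN only
/interface vlan
add name=vlan10-primary interface=bridge1 vlan-id=10
/ip address
add address=192.168.10.1/24 interface=vlan10-primary comment="assumed primary LAN subnet"
add address=203.0.113.2/30 interface=ether1 comment="assumed WAN address (documentation range)"

# Enable filtering last, after ports and the VLAN table exist, so you do not lock yourself out
/interface bridge
set bridge1 vlan-filtering=yes

# --- Interface lists and address lists referenced by the forward chain ---
/interface list
add name=WAN
add name=Internet comment="subnets allowed out to the internet; the ERP VLAN is not a member"
/interface list member
add list=WAN interface=ether1
add list=Internet interface=vlan10-primary

/ip firewall address-list
add list=no-internet address=192.168.10.50 comment="example host denied internet (assumed address)"

# --- Forward chain, in the shape the reply describes ---
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="reply traffic"
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop src-address-list=no-internet out-interface-list=WAN comment="per-host deny via address list"
add chain=forward action=accept in-interface-list=Internet out-interface-list=WAN comment="listed subnets -> internet"
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat comment="nothing unsolicited from the internet"
add chain=forward action=drop comment="default deny"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
```

Two points worth checking before relying on this. First, the design depends on the Cube 60 pair passing 802.1Q-tagged frames through unchanged, which is what "think of the cube60 as an ethernet cable" amounts to; verify it on the bench by pinging across both VLANs from the far side. Second, the ERP network's unreachability from the internet here rests on two independent facts, that the router has no IP interface in VLAN 20 at all and that the forward chain drops anything unsolicited from WAN; if someone later adds VLAN 20 to the `tagged=` list of `bridge1` and gives it an address, only the firewall rule is left, so treat that line as a control and review it. A VLAN tag separates broadcast domains but does not encrypt anything, so the wireless link's own security settings still matter for the ERP traffic crossing it.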