DHCP for VLAN on bridge

tl;dr: I’m not sure of the packet flow to allow a port with tagged VLAN 14 access to my LAN bridge DHCP server, while still firewalling VLAN 14 from my LAN bridge…

I already have a DHCP server on my LAN bridge, but I would like to give addresses from my LAN /24 DHCP server to clients on VLAN 14. I am confused as to how this should be configured. I don’t want this VLAN to route to my LAN, only to receive DHCP addresses from the router. My goal is by having a single /24 split between several VLANs, where I can give IP cameras DHCP addresses while only allowing those VLANs access to certain ports on my 802.1Q managed switch. i.e. the cameras can only reach the NVR and the router, while the NVR is still accessible to the LAN (a separate challenge). The point being to allow the cameras access directly to the NVR through a managed switch, without needing to be routed to a different subnet on a separate VLAN.

Not having your bridge give out DHCP is a start.
Just use a homevlan for personal traffic (basevlan) and othervlans for their purposes.

Use this reference as a guide, the examples are excellent.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

This goal is in direct contradiction with what IP (L3) subnet really means … it means all hosts are directly reachable between them and that underlying L2 infrastructure allows it. VLAN here is a part of L2 infrastructure.

The goal might be realistic (I’m not going to dive into details) but you’d have to deploy a few workarounds which, I guess, are out of your expertise.

You might want to revise your goal into: having a few /24 subnets, separated into several VLANs, with some connectivity allowed by router/firewall rules.

Yep I realise it is tricky, I was hoping to use 802.1Q to allow me to share a NVR with my LAN subnet and a camera subnet, thinking a single subnet could be possible with some tricky VLAN settings on the 802.1Q switch.. I may have to settle for normal VLANs with their own routed subnet.. much simpler but will require routing LAN traffic to the NVR VLAN I guess.. spent a day trying to figure this out.. probably should settle for the easy option… Still wondering though if playing around with PVIDs and multiple VLANs makes it possible…

Concur, many ways to skin a MikroTik trainer… either
a. setup vlan subnets as per a ‘normal’ setup and then create firewall rules to allow traffic between them as required, or
b. have everything accessible on one lan and forget about vlans.
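Option (a) written out concretely, as an added example that is not from any poster in this thread nor from the MikroTik guide linked above: a RouterOS 7 configuration that puts the cameras in VLAN 14 with their own routed /24 and DHCP server, and uses forward/input rules so the cameras can reach only the NVR and the router. The bridge name "bridge", ether5 as the 802.1Q trunk to the managed switch, the existing 192.168.1.0/24 LAN, the NVR at 192.168.1.50 and the 192.168.14.0/24 camera subnet are all assumptions; substitute your own.

```routeros
# Added example (not from the thread): camera VLAN 14 as its own routed /24
# on the existing LAN bridge, with firewall rules so cameras reach only the
# NVR and the router. Assumptions: bridge is named "bridge", the LAN is
# 192.168.1.0/24 with the NVR at 192.168.1.50, ether5 is the 802.1Q trunk to
# the managed switch, and RouterOS 7 bridge VLAN filtering is in use.

# 1. Carry VLAN 14 tagged on the trunk port and on the bridge itself, so the
#    router gets an L3 interface on the VLAN. On the switch, the camera ports
#    are untagged members of VLAN 14 (PVID 14) and the uplink carries 14 tagged.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=14

/interface vlan
add interface=bridge name=vlan14-cameras vlan-id=14

# 2. Give the camera VLAN its own subnet and its own DHCP server; the LAN
#    DHCP server on the bridge stays as it is.
/ip address
add address=192.168.14.1/24 interface=vlan14-cameras

/ip pool
add name=pool-cameras ranges=192.168.14.10-192.168.14.250

/ip dhcp-server
add name=dhcp-cameras interface=vlan14-cameras address-pool=pool-cameras lease-time=1d disabled=no

/ip dhcp-server network
add address=192.168.14.0/24 gateway=192.168.14.1 dns-server=192.168.14.1

# 3. Firewall. Cameras may talk to the router for DHCP and DNS only, and
#    through the router only to the NVR; the NVR may initiate to the cameras
#    (it pulls the streams). Everything else to or from VLAN 14 is dropped.
/ip firewall filter
add chain=input in-interface=vlan14-cameras protocol=udp dst-port=67 action=accept comment="cameras: DHCP to router"
add chain=input in-interface=vlan14-cameras protocol=udp dst-port=53 action=accept comment="cameras: DNS to router"
add chain=input in-interface=vlan14-cameras action=drop comment="cameras: no other router services"
add chain=forward connection-state=established,related action=accept comment="return traffic for allowed flows"
add chain=forward in-interface=vlan14-cameras dst-address=192.168.1.50 action=accept comment="cameras -> NVR only"
add chain=forward in-interface=vlan14-cameras action=drop comment="cameras: no LAN, no internet"
add chain=forward src-address=192.168.1.50 out-interface=vlan14-cameras action=accept comment="NVR -> cameras"
add chain=forward out-interface=vlan14-cameras action=drop comment="nothing else reaches the cameras"

# 4. Enable VLAN filtering last, once the VLAN table is complete, so the
#    management session is not cut off halfway through the change.
/interface bridge
set bridge vlan-filtering=yes
```

Rule order matters: the filter rules above must sit ahead of any broad accept or drop rules already in the forward chain (the RouterOS default configuration ends forward with a drop for non-LAN traffic, so use `place-before=` on each `add` if you already have such rules). The LAN keeps reaching the NVR at 192.168.1.50 with no extra rules because both are in the same subnet on the bridge; only the camera VLAN is forced through the router's CPU and filtered.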

If you’re not using some higher-end RB, then you won’t gain anything performance-wise … usual SOHO-class devices could filter traffic between devices in same subnet, but you’d have to force traffic through RB’s CPU … routed traffic travels the same path.

Sorry, I didn’t explain: 802.1Q on two external managed switches.

I have basically given up on this idea due to it being outside of the standard use case, but I’m wondering if I have 2 devices, say: device A, PVID 16, VLAN 14 & 16 untagged, and device B, PVID 14, VLAN 14 & 16 untagged, both in the same subnet… can they communicate as if they were on a single LAN?

I bet you’re using D-Link switches and their “asymmetrical VLAN” feature.

Well, if your switch allows you to define unrelated VLAN IDs on a port for ingress and egress, and is willing to untag more than one VID, then yes … pig can fly :wink: Been there, done that.

But not the MT pig though :laughing:

Ah ha, yea I’m using TP-Link switches.. still quite confused..! Think I’ll just try the standard way