DHCP on multiple subnets/VLANs

Hello, I’m very new to RouterOS. I’m managing a LAN with about 200 devices (more than 256 to come soon), distributed over 23 layer-2 switches (NetGear GS724T, where VLAN management is available but not yet activated). For security reasons and ease of management, I’d like to split this LAN into about 40 VLANs, each with its own subnet. Is it possible to handle this with RouterOS, with an independent DHCP zone for each subnet? I’ve read elsewhere that RouterOS manages inter-VLAN connections by default.

Thanks for your help,

Vincent Florin - HeapSys (France)

vflorin,

We currently run roughly 30+ VLANs over 20 switches nationwide. We are slowly integrating MikroTik wireless APs and replacing all of our older APs, using VLANs to do just what you’re asking. This is our setup, off the top of my head:

I run an RB435G as our main controller for one of the buildings, using all 3 Ethernet interfaces (granted, a single one would work, just creating a VLAN interface and giving it an IP address in the MikroTik). Then I create a VLAN inside the MikroTik and assign it the VLAN ID that I’ve given to each group (wireless-mgmnt, wireless-guest, wireless-employee). Each Ethernet port (ether1, ether2, ether3) is assigned a separate VLAN and I’ve assigned addresses to each one. On the switch they are attached to, I’ve given ‘helper addresses’ to the VLAN which point to a primary DHCP server (instead of the MikroTik, thus offloading the DHCP functionality and saving some CPU cycles). The hotspots listen on ether2 and ether3, with ether1 as management. Wireless APs are set up throughout the building and point their traffic to the xxx.xxx.xxx.xxx interface for said hotspot. They get VLANned, sent to the DHCP server and given an IP address from the DHCP server. This offloads pools from the APs and hotspot, as everything is managed by the central DHCP server.

So does it work? Oh yes, it works. Employees can log in from anywhere in the building and hit the hotspot portal; the hotspot portal sits in the VLAN for wireless-employees, forwards traffic to the main controller’s Ethernet address that sits on that specific untagged port on the switch, sends DHCP traffic, and life is grand. Employees now have access to whatever VLANned traffic I have authorized. Guests, on the other hand, are restricted via the central hotspot manager’s firewall. Guests use the User Manager for authentication and employees use Microsoft NPS RADIUS authentication on an AD server.

If you browse the forums enough you will see that people have set up something similar in the past. It was a nightmare to figure out with our network, but it works.
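As an added example, not from either post above and not MikroTik's own code, the following POSIX shell script emits the RouterOS CLI for the layout both posts describe: one 802.1Q VLAN interface per subnet on a trunk port, an address on each, and a separate DHCP scope per VLAN. It covers the original question (a DHCP server on the router for each subnet, `local` mode) and the reply's helper-address arrangement (`relay` mode, which uses RouterOS's own `/ip dhcp-relay` on the router instead of a helper address on the switch). Everything specific is an assumption chosen for the example: trunk port `ether1`, VLAN IDs 10 to 49, addressing `10.0.<vlan-id>.0/24` with the router at `.1`, a central DHCP server at `10.0.1.5`, and the `vlan-subnets` address-list name. The firewall part is the practical answer to the "inter-VLAN connections by default" remark: a router forwards between every subnet it has an address on unless told otherwise, so the 40 VLANs are only isolated once a forward-chain drop rule is in place. Two caveats: the third-octet scheme only works for VLAN IDs up to 255, and the switch ports facing the router must carry all of these VLANs tagged.

```shell
#!/bin/sh
# Added example (not from the forum thread): generate RouterOS CLI for
# per-VLAN subnets, each with its own DHCP scope, plus a default-deny for
# forwarding between VLANs. All names and addresses below are assumptions
# made for the example, not values from the posts.

TRUNK_IF=ether1          # assumed trunk port towards the switches
CENTRAL_DHCP=10.0.1.5    # assumed central DHCP server for "relay" mode

# vlan_config ID NAME MODE
#   MODE=local -> DHCP server for this VLAN runs on the router
#   MODE=relay -> router relays DHCP to CENTRAL_DHCP (router-side equivalent
#                 of the switch "helper address" in the reply)
vlan_config() {
    vid=$1; vname=$2; vmode=$3
    printf '/interface vlan add name=%s vlan-id=%s interface=%s\n' "$vname" "$vid" "$TRUNK_IF"
    printf '/ip address add address=10.0.%s.1/24 interface=%s\n' "$vid" "$vname"
    # Collect every VLAN subnet in one address list so a single filter rule
    # can drop VLAN-to-VLAN forwarding.
    printf '/ip firewall address-list add list=vlan-subnets address=10.0.%s.0/24\n' "$vid"
    case "$vmode" in
    local)
        printf '/ip pool add name=pool-%s ranges=10.0.%s.100-10.0.%s.250\n' "$vname" "$vid" "$vid"
        printf '/ip dhcp-server add name=dhcp-%s interface=%s address-pool=pool-%s lease-time=1h disabled=no\n' "$vname" "$vname" "$vname"
        printf '/ip dhcp-server network add address=10.0.%s.0/24 gateway=10.0.%s.1 dns-server=10.0.%s.1\n' "$vid" "$vid" "$vid"
        ;;
    relay)
        printf '/ip dhcp-relay add name=relay-%s interface=%s dhcp-server=%s local-address=10.0.%s.1 disabled=no\n' "$vname" "$vname" "$CENTRAL_DHCP" "$vid"
        ;;
    *)
        echo "vlan_config: unknown mode '$vmode'" >&2
        return 1
        ;;
    esac
}

# firewall_config: the router forwards between all its subnets by default,
# so isolation is explicit. Accept replies to already-allowed connections,
# then drop anything going from one VLAN subnet to another. Specific
# allow rules (e.g. employee VLAN -> server VLAN) go in front of the drop.
firewall_config() {
    printf '/ip firewall filter add chain=forward connection-state=established,related action=accept\n'
    printf '/ip firewall filter add chain=forward src-address-list=vlan-subnets dst-address-list=vlan-subnets action=drop comment="no inter-VLAN by default"\n'
}

# generate_all FIRST_ID COUNT MODE: COUNT consecutive VLAN IDs from FIRST_ID
# (IDs must stay <= 255 because the ID doubles as the third octet).
generate_all() {
    first=$1; count=$2; gmode=$3
    i=0
    while [ "$i" -lt "$count" ]; do
        id=$((first + i))
        vlan_config "$id" "vlan$id" "$gmode" || return 1
        i=$((i + 1))
    done
    firewall_config
}

# 40 VLANs (IDs 10..49) with DHCP scopes on the router. Paste the output
# into a RouterOS terminal, or save it as a .rsc file and run /import.
generate_all 10 40 local
```

Run it as `sh gen-vlans.sh > vlans.rsc` and review the file before importing; swap the last argument to `relay` to get the reply's central-DHCP layout instead. The order of the two filter rules matters: the accept for `established,related` must precede the drop, and any explicit inter-VLAN allow rules must be inserted above the drop as well.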