Hi, i’m new to vlan creation, before i managed to make everything i need with firewall rules, but i think now vlans are the better sollution.
Simplified topology:
vlan10 - PC,Phone,Laptop,Server
vlan20 - IoT Devices - Smart TV, Yamaha Speaker(WiFi)
When all in one net i can:
Send request from phone on speaker to play music from Spotify
Send request from phone on TV to play YouTube video
When in different vlans:
Spotify and YouTube do not see devices from vlan20
i can reach all devices by IP from different networks (I know it can be limited with forwarding in firewall)
Needed make devices from vlan20 discoverable(do not mess with achievable, it allready is) to vlan10 (one way)
To clarify - i want to have acces to IoT devices from main network without allowing IoT devices anything local, only internet way out.
If somebody have ideas how to make it, please share.
I have only hAP device, but it is not a problem to extend my device park if it is nessesary)
or use source-address= vlanMain subnet and destination-address=vlanIOT subnet
Or create firewall address list (on either side to dictate exactly what list of IPs have access to another list of IPs (by source and destination address lists).
Note: this is only one way, return traffic is allowed but nothing initiated on the IOT side would reach the Main side.
(assumes you have a drop all else rule at the end of the forward chain)
That’s what you get with separate networks. If discovery depends on broadcasts, they don’t pass between subnets. If multicast would be used, it can be better, RouterOS can handle that. I’m not sure how well, because I never really used it, but it does have something (https://wiki.mikrotik.com/wiki/Manual:Routing/Multicast).
Thanks for reply, i tried it exactly with subnets, and yesterday tried with in/out interface, as i said, i can access it by IP but problem is in broadcast, so youtube and spotify cannot find it, so at the moment i used your second suggestion, just with firewall lists, works good with 5 devices that i want to limit. If there where more of them i think it could significaly deduce performance, but for now it’s best solution.
I dont have a pim option, guess it needs an “addon” installation or another hardware, maybe controlled switch, so for now as i said above, i’ll manage it with firefall lists, and for the next HW update i’ll get more advanced device)
There’s separate package “multicast”, you can get it as part of “Extra packages” from https://mikrotik.com/download. I can’t say it it can help you, but you can experiment.