I think you’ve received all sorts of advice, most of it valid. You have to recognize that you have a list of requirements (not at all unreasonable) and you’ll have to learn quite a bit about networking in general, and some of MikroTik’s idiosyncrasies as well.
Good luck! I think it would be useful if you could spare some time to periodically update us. This could make it easier for others to assess what they are getting themselves into.
Definitely go with vlans from the start. It’s a bit of a pain initially, but it really pays off.
It's not. It's pushed at people who want to configure VLANs on MT gear.
It seems like you're asking a XXX car manufacturer to provide a full driving course to their new customers. In the real world (at least in the part I live in) it doesn't happen; there are (3rd party) driving courses which teach driving basics (and even advanced things in "safe driving" courses) without regard to a particular car vendor and model. And then it's up to each user to correctly apply the acquired knowledge to the particular car they are driving at any moment. Which is where the car manual comes into the picture.
So what we expect from users reading such a tutorial on this forum is that they already know basic road regulations (e.g. which side of the road to drive on, who's got priority at crossroads, etc.) before asking about how to drive a ROS car on those roads. And we may give some hints on what to do when going off-road (e.g. switch into 4WD mode).
To be honest, and I am certainly in the minority on this forum, but I also would not refer forum beginners to @pcunite's VLAN guide. The reason is that when I knew nothing about VLAN in RouterOS, I read that thread too, and I felt really confused reading it. With all the green, blue, purple, etc... (really, just saying VLAN 100, VLAN 120, ... is easier to follow and remember than blue VLAN and purple VLAN, because when the commands need to be written, you write 100 and 120, not blue and purple, fewer mental translation steps needed). And it was on the old forum; in the beginning, I didn't even notice that there were config files as attachments (I didn't have an account and guest visitors saw no attachments on the old phpBB forum). And then once I had access to the .rsc files, it caused even more confusion, because the config files contain many things, like DHCP server config or router identity and firewalling, that dilute the VLAN parts.
I would prefer that the guide presents the core VLAN configuration parts inline (just the relevant /interface bridge, /interface bridge port, /interface bridge vlan part). Then you can have separate posts or threads, where the inter-VLAN routing/filtering with firewall can be addressed, instead of repeating that in every .rsc file. Same with Management access / Management VLAN, should be as a separate post.
What I also don't like is the need for putting 24 ethernet ports and how many SFP ports in the example .rsc, it just bloats the configuration unnecessarily. Why the need to see PVID 30 set on 8 ports for example? There are too many repetitions that don't improve the teaching.
In the end I found that MikroTik's own documentation is much easier to follow and to apply, the examples starting from this section:
Because those examples have just what I wanted, just the relevant commands presented inline, with short descriptions, for concrete Trunk / Access / Hybrid / InterVLANs / Management configurations. And I find the illustrations on MikroTik's page easier to follow too.
It's good to be in the minority sometimes. I have read that article/thread several times and I am still very confused about it. It is obviously not pcunite's fault, as he tried his best and objectively the contents are very good, but somehow that whole post is unreadable, or requires a level of abstraction that no new user will have.
I don't believe that it is me, as when you, Lurker88 or Sindy (to make some examples) explain things I usually understand them, but that VLAN guide remains way above my (current) level.
Glad I am not alone on this. Having moved on a bit in my vLAN journey, I am seeing some value in the document. I have not rubbished it, but I have made 2 -constructive- criticisms of it upthread, which has resulted in a negative reaction from people who seem to have the attitude that if it was hard for them to learn, they are not going to let others have it any easier. Which is out of place on a beginner forum.
What I also don't like is the need for putting 24 ethernet ports and how many SFP ports in the example .rsc, it just bloats the configuration unnecessarily. Why the need to see PVID 30 set on 8 ports for example? There are too many repetitions that don't improve the teaching.
Yes, it is definitely deficient there, requiring some isolated examples of the different port types. As you provided the link for:
Thanks for that link. It addresses one of my concerns completely. And I think if the pcunite link is posted, that link should be posted too. Perhaps @pcunite would consider including it in his document?
The problem is that pcunite's article is the only one that squeezes that topic into one big post.
Yes, he could change it, but anyone could write the "new better" article on that using the "better" wording and a fresh new point of view. The point of view that lets anyone understand the problem more easily. I'm not a fan of that very useful article, I just link it.
If anyone would write a better one I would be recommending it, but I do not like complaints like:
If no one complained, nothing would be improved. I have never wanted it not linked. But when it is linked, I would like to see some acceptance that it may not provide the stepping stone that an inexperienced poster may need.
The fixes which I can see are:
A rewrite of the “Welcome” paragraph, to acknowledge that it will be hard for a noob. Text such as “Follow along the light reading material … “ is depressing when you read the document for a second time.
A rewrite of the “Why vLAN” paragraph to reduce the boosterish statement “but VLAN is never a wrong choice.“ and incorporate the limitation that you only use a vLAN if you can see a need for a Single Broadcast Domain
After the 3 types of port are introduced, the link introduced by @CGGXANNX is required
So we have something like:
Fix1
Welcome:
This article is for system integrators, network administrators, and product enthusiasts looking for the definitive guide on how to design and set up VLAN networks using MikroTik. The text and diagrams give an introduction to vLANs. It is appreciated that this can be a difficult topic for a newcomer to the subject, so take your time to read through and perhaps consult other sources to get the broadest perspective. See the theory and then deep dive into the actual commands to implement it all. We'll discuss Access, Trunk and Hybrid ports, switching and routing, and guest access into our networks. NB: you need to be logged into the forum to see the configuration files for the examples.
Fix 2
Why VLAN?
If you have a need to partition and isolate networks and devices from each other using the same physical hardware, you may be a good candidate for VLAN. If you have IoT devices, IP cameras, guests who need to use your WiFi, and a need to QoS who gets what, VLAN can make your network simpler to reason about. In micro-sized networks, it is possible to use other methods besides VLAN, but anywhere you can identify a need for a Single Broadcast Domain will be a good candidate for implementation as a vLAN. This should give you the confidence to learn the VLAN concept knowing it will scale as your network and the number of devices grow.
Note: A Single Broadcast Domain is a portion of a network consisting of 1 [or maybe more] complete IP subnets, typically supported by a DHCP server, where Address Resolution Protocol enables the connected devices to communicate on Layer 2 by means of MAC address.
Fix 3 - Right After this
Access Ports:
These ports define the entry into your VLAN. They represent groups of devices that need access to each other but not other networks. You will group them by ID. In this documentation we use colors like Blue, Green, and Red to help us to visualize the ID numbers. Access ports are configured in a way that means ingress (incoming) packets must not have tags and thus will get a tag applied. The egress (outgoing) packets (that are replying back to whatever was plugged in) get tags removed.
Trunk Ports:
These ports are what carry everything you care about between VLANs. If Access ports represent groups of things, think of Trunk ports as what enables these groups to get to places they need to go, like other areas of the switch or network. Trunk ports are configured such that ingress packets must have tags and egress packets will have tags.
Hybrid Ports:
These ports are for special situations and requirements. They share qualities and behaviors of Access and Trunk ports. Basically, they function as an Access port for ingress traffic without tags. When incoming traffic is tagged, and the tag is on the allowed list, it will then function as a Trunk port.
When designing your VLAN, you'll have reached your first step when you can logically think about Access port grouping and Trunk port interconnections. How many VLANs and devices will you need to work with? Who gets access to what? Don't rush this step. Take time to diagram your VLAN.
Continue with
The implementations of these port types are shown as small examples in this Mikrotik help page
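The three port types described above, and the "core VLAN configuration parts" (/interface bridge, /interface bridge port, /interface bridge vlan) that the earlier post wished the guide presented inline, as an added example written for this thread. It is not configuration from pcunite's guide, from MikroTik's help page, or from any poster; port names (ether2/3/4), VLAN IDs (10/20/30) and the bridge name are assumptions chosen for illustration.

```routeros
# Added example, not from the guide or from MikroTik's docs.
# Assumed: bridge1, ether2 = access, ether3 = trunk, ether4 = hybrid, VLANs 10/20/30.
/interface bridge
add name=bridge1 vlan-filtering=no comment="turn vlan-filtering on last"

# Access port: untagged frames only; ingress is tagged with the pvid (10),
# egress for VLAN 10 is sent untagged (see the untagged= column below).
# Trunk port: only tagged frames are admitted; everything leaves tagged.
# Hybrid port: untagged ingress goes to VLAN 30 (pvid), tagged 10/20 are
# also carried; any tag not in the VLAN table is dropped by ingress-filtering.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="access VLAN 10"
add bridge=bridge1 interface=ether3 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged comment="trunk 10,20,30"
add bridge=bridge1 interface=ether4 pvid=30 ingress-filtering=yes \
    frame-types=admit-all comment="hybrid: untagged->30, tagged 10,20"

# VLAN table: per VLAN, which ports carry it tagged and which untagged.
# bridge1 itself is listed as tagged on every VLAN the router needs an
# L3 interface on (the /interface vlan entries below hang off the bridge).
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether3,ether4 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether3,ether4
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether3 untagged=ether4

# Routed interfaces for inter-VLAN routing live on the bridge, not on ports.
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan20 interface=bridge1 vlan-id=20
add name=vlan30 interface=bridge1 vlan-id=30

# Only now switch filtering on; until this line the VLAN table is inert.
/interface bridge set bridge1 vlan-filtering=yes
```

Two practical checks before the last line: do it from Safe Mode (or from a port whose VLAN you have already given the router an address on), because once vlan-filtering is on, untagged frames on a port land in that port's pvid and a management session on a VLAN not in the table is cut off; and verify the result with `/interface bridge vlan print` and `/interface bridge host print`, which show the tagged/untagged membership actually in effect and which VLAN each learned MAC was seen on.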
I’m an industrial electrician by trade, though as you surmised from my handle, I used to build performance engines.
I prepared the network diagram, using visio. I’m brand new to that software, and I’m certain that there is a better way of assembling it, but it has served its purpose so far. Putting that together was the best way for my neighbors (whose network this will be) and I to discuss what is needed, and how to arrange everything.
In order to get a better understanding of the fundamentals of networking, I have begun watching the CCNA study courses that are readily available on YT. This has already paid dividends, in that I am able to understand what you are saying here:
That said, obviously the way Cisco and MikroTik do things is slightly different, but I figure if I actually learn the Cisco way, I will better understand the documentation that MT has put out.
Given that you have a technical background, you should have less trouble picking up networking than someone without a technical background. You probably already have learned how to troubleshoot, and the same techniques work in networking as in electrical or mechanical work.
Once you understand the difference between Layer 2 (switching) and Layer 3 (routing), and understand what vlans are (just a mechanism to share physical resources (switches and wires) for different logically separate networks), then it is just a matter of learning the different networking dialects used by different vendors. The Cisco SG300 supports vlans, and there are good examples of how to configure vlans on the internet, so as long as you understand what vlans are you should be able to configure a trunk link between the RB3011 and the SG300 that will carry the three vlans. All traffic between the vlans will have to be routed by the RB3011, and sent back down the same trunk using a different vlan. Then the firewall on the RB3011 will be what will limit what devices can initiate a connection between the vlans.
Also, your stated attitude is appropriate, and I think you will find people here willing to help as long as you are willing to put in the effort to learn.
As long as you are not expecting "spoon feeding" and you are willing to put in the effort to learn, I think you will find people here willing to help.
But that assumes that the requirements can be given correctly. And that there will not be changes needed in the future.
And finding someone that will do it right with the equipment that already exists will probably not be cheap. The RB3011 uses two QCA8337 switch chips that don't have support for HW offloading when using the "modern" vlan-filtered bridge, so to be able to extend the vlans between the Cisco SG200 and the RB3011 will require the more complex vlan setup using the /interface/ethernet/switch method instead of the vlan-filtering bridge if you want to have the vlan processing done by the switch chip at wire speed instead of by the CPU (which consumes CPU processing and is also slower). This is only needed if you want to be able to use ports on the RB3011 as switch ports.
If you want to be able to support it, you will need to understand it. You could hire someone, but unless you work with them, you will have to keep going back to the well when something changes. From your initial post, it sounds like this is something you are doing as favor/hobby, and not for a business, where spending the money for a professional setup would probably make more sense.
The easier option to configure, if the SG200 has sufficient ports for all devices, would be to let the SG200 do all the L2 switching, and have the RB3011 be only for routing.
While I agree with everybody (including @Buckeye) regarding performance details of RB3011, my recommendation to a newbie to ROS world would be:
don't bother with most performant setup until you're intimately familiar with ROS. Just go with mainstream setup, which is single bridge (with VLAN filtering enabled if VLANs are in the mix). Just beware that some devices won't perform nearly close to their maximum this way
After things start to work and one discovers that there's a performance bottleneck, either start playing with performance-optimized setup or just go ahead and purchase a more appropriate device.
ROS can be overwhelming for a newbie, but when one has to throw in an uncommon setup (RB3011 running ROS v7 is, let's face it, a rarity) things quickly spiral out of control. And we don't really want that to happen to a new user, specially since many experienced (and "experienced") users wanting to help don't have experience with such rarities themselves.
I would add that - judging from the configurations sometimes posted on the forum by users that report having them created by a professional - not all professionals are actually professional, so it seems not so easy to find one that knows where his/her towel is.
@Enginebuilder your diagram shows SG200-24P as the Cisco switch model. I don't see that as a model in Cisco's 200 Product Family Model Comparison; there is the SF200-24P (but that's a 10/100 PoE 24 port switch), and the SG200-26P with 24 PoE RJ45 port plus two SFP ports. Hopefully what you have is the SG Gigabit model.
Configuring vlans on the SG200 looks reasonably straight forward. See this google search
If you don't want to configure vlans on the RB3011, you could just remove 3 ether interfaces from the bridge, add the interfaces to the LAN list, add ip addresses (each in a separate subnet) to the ethernet interfaces, and create dhcp servers for the three subnets. Then you could configure all the SG200 with three vlans, add switch ports as access ports for each of the three vlans and then after you confirm that everything is working, then configure the firewall so you can limit traffic between the different subnets/vlans. This may have been what @DuctView was implying in this post.
Or you could configure three vlan interfaces using a single ethernet port as the parent and avoid the use of the bridge on the RB3011 (with for example ether1 configured as the WAN and ether6 configured as the trunk port to the SG200 switch). Then if you need more ethernet ports than the SG200 provides, you could configure the extra ports on the RB3011 in a bridge configuration (and if you want the best intra-vlan performance, learn the switch method). But if you are using only two ports on the RB3011, you won't notice a difference in performance because all the traffic will be routed anyway, and that will be done by the CPU anyway. Theoretically you may be able to get slightly better inter-vlan performance if you used separate ether ports, each connected to a separate vlan access port on the switch, because then the single trunk link would not be a potential bottleneck. But with the RB3011, I am not sure that the CPU wouldn't be a bottleneck before the trunk link. I don't have any RB with two switch chips (I have only an RB760iGS and a RB5009).
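The second layout described in the post above (no bridge on the RB3011, three vlan interfaces on one ethernet port that is the trunk to the SG200, the SG200 doing all switching), as an added example for this thread rather than configuration from any poster. Assumptions: ether1 is the WAN and ether6 the trunk as the post suggests; VLAN IDs 10/20/30, the interface names, the 192.168.10/20/30.0/24 subnets and the DHCP ranges are chosen for illustration; the LAN interface list is the one the RouterOS default configuration creates.

```routeros
# Added example, not from the thread. Assumed: ether6 = trunk to the SG200,
# VLANs 10 (PCs), 20 (TV/PS5/APs), 30 (NVR). No bridge is used on the router.

# ether6 must be a plain routed port: take it out of the default bridge first.
/interface bridge port remove [find interface=ether6]

# One 802.1Q sub-interface per VLAN, all on the single trunk port.
/interface vlan
add name=vlan10-pcs   interface=ether6 vlan-id=10
add name=vlan20-media interface=ether6 vlan-id=20
add name=vlan30-nvr   interface=ether6 vlan-id=30

# The default firewall keys on the LAN list, so the vlan interfaces join it.
/interface list member
add list=LAN interface=vlan10-pcs
add list=LAN interface=vlan20-media
add list=LAN interface=vlan30-nvr

# Router address in each subnet = that subnet's default gateway.
/ip address
add address=192.168.10.1/24 interface=vlan10-pcs
add address=192.168.20.1/24 interface=vlan20-media
add address=192.168.30.1/24 interface=vlan30-nvr

# A DHCP server per VLAN; each hands out its own gateway (a wrong gateway is
# the usual reason "pings between subnets don't work").
/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.199
add name=pool20 ranges=192.168.20.100-192.168.20.199
add name=pool30 ranges=192.168.30.100-192.168.30.199
/ip dhcp-server
add name=dhcp10 interface=vlan10-pcs   address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20-media address-pool=pool20 disabled=no
add name=dhcp30 interface=vlan30-nvr   address-pool=pool30 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
```

On the SG200 side the port facing ether6 has to be a trunk carrying VLANs 10, 20 and 30 tagged, with the PC, AP and NVR ports as untagged (access) members of their VLAN. Handing out the router as DNS server assumes `/ip dns set allow-remote-requests=yes`, which the default configuration already sets. With this layout every packet between VLANs crosses the trunk twice and is routed by the CPU, which is what the post above means by the trunk and the CPU both being candidate bottlenecks.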
@Buckeye Thank you for the thorough response(s). I’ve been working my way through the Cisco Certified Networking Associate study information, which has taught me a TON about networking that I did not know. I’m only just now getting to the information regarding subnetting and VLANs, so I have a bit more work to do before I comprehend exactly what it is that I’m trying to accomplish here.
As you noted, the network diagram includes a typo wrt the Cisco SG200 switch. It is in fact an SG200-26P.
Unfortunately, the information from Cisco regarding how to set up VLANs on the SG200 have been scrubbed from their support site, in keeping with their policy of removing information related to EOL devices. “For security purposes, upon retirement of a product, Cisco Systems purposely removes documentation, downloads, and product pages from the Cisco.com website” Thankfully, The Internet Archive exists, and I was able to find an earlier version of that page.
This is exactly correct- I am doing this as a favor for good friends/neighbors; the secondary reason is to learn how to set something like this up.
From my current understanding, what I am looking at is the creation of (3) VLANs:
Home PC’s = VLAN 1
Living room TV & PS5 = VLAN 2
Network Video Recorder = VLAN 3
Wireless Access Points = VLAN 2 & 1
Anything on VLAN 1 should be able to access the WAN, and VLAN 3
VLAN 2 should access only the WAN.
VLAN 3 should only be able to communicate with VLAN 1.
VLAN 1 needs to have (3) ports on the switch assigned to it, one for each PC.
VLAN 2 needs to have (3) ports on the switch, one for the unmanaged switch handling the TV & PS5, and two for the WIFI access points.
VLAN 3 needs to have (1) port.*
One further port on the switch needs to be assigned/configured as a Trunk port, funneling traffic between the switch and the router.
That’s a total of (8) ports being utilized, out of 26 on the switch, with only one port on the router being used for internal network communications, and the other configured for PPPoE WAN.
*= I’m not certain that the NVR needs to be on its own VLAN. I would think? that the router would be able to block traffic from the NVR to the internet (and vice versa), thus limiting its communication to only those devices within VLAN 1, which means it could be a member of VLAN 1, but be locked out from the WAN at the router level.
As I said, I’m very new to this, and I’m only just now learning about VLANs, so I’m not certain about how that works.
It was there last week, so it must have just been scrubbed. Long live the wayback machine, it has saved me many times.
Just curious which CCNA study information did you use? There are several free ones, plus some paid ones.
Suggestion: First get vlans configured and working, then tackle the firewall. The firewall in the defconf will allow traffic between vlans via the vlan interfaces that are added to the LAN list.
After you get subnet to subnet traffic working, then you can learn about established,related stateful firewall rules that allow return traffic once a connection has been established. Then you will need to limit what can establish new connections, and to where. If you can not get pings to work between subnets, make sure that it isn't due to the Windows firewall. The other thing is that you need to make sure each subnet has a dhcp server that is setting the correct interface as a default gateway for the subnet. Once a packet gets to the RB3011, the RB3011 router should be able to forward to any connected subnets (a subnet that the connected interface belongs to). There are good youtube videos explaining firewall configuration on MikroTik ROS. Here's one: How to protect and restrict VLAN traffic on MikroTik.
Are the cameras ip based with ethernet connections or coax video cables? Your diagram shows the camera connections to the NVR, but that may just be a "logical" vs "physical" diagram.
I would put the NVR on its own vlan/subnet and if the cameras are also ip based, I would put them on the same vlan. Then you can limit what the NVR can access. Is there any reason it needs to initiate communications with any other local devices? If the NVR/cameras are on the same vlan as other devices, there isn't any way to prevent other things on the same vlan from accessing other things in the same vlan; that traffic will go directly between the hosts on the vlan, the router won't even be involved, so its firewall won't have a chance to block anything. If you don't care if the NVR has access to your trusted network (e.g. scan it), then you wouldn't have to have a separate vlan just for it, but having it on its own lan will give you the ability to limit what it can communicate with.
Then you can allow access to the NVR vlan from the trusted network via a firewall rule that allows the trusted network to create new connections to the NVR lan. And allow the return traffic via the established,related rule. The NVR vlan should then be blocked from creating new connections to any other network (you don't want it to establish a connection to either the trusted network or the internet). The established,related policy/rule will allow the return traffic once a connection has been established.
The Network Berg's video linked in my previous post shows some hints about troubleshooting, etc. I would watch the whole thing once, then go back and on the subsequent viewings you should try some things yourself. You may want to create some extra vlans just for testing/playing that you can test firewall operations on. That way you are less likely to affect other things. But while you are learning, it is safest to do from a lab (where the lab is protected from the internet by another upstream router, even a basic ISP provided one). If what is labelled as a "fiber modem" is not really a router, then it would not provide any protection if you make mistakes when working with the firewall.
Be sure you have a non-trivial password configured on the RB3011, just in case it is accidentally exposed to the internet (although nat masquerade will provide a bit of protection from the outside to hosts on the inside, it won't protect the router itself, so the firewall is what is protecting the router from malicious hosts on the internet).
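The forward-chain policy the two posts above describe (established,related first, then only the trusted subnet may open connections to the NVR subnet, the media subnet may only reach the internet, and the NVR subnet may open nothing), as an added example written for this thread; it is not configuration from any poster or from the linked video. Assumptions: the three subnets 192.168.10.0/24 (PCs), 192.168.20.0/24 (TV/PS5/APs) and 192.168.30.0/24 (NVR/cameras) are chosen for illustration, and the WAN interface list is the one the RouterOS default configuration creates. Matching on address lists rather than interface names keeps the rules the same whether the VLANs are bridge VLAN interfaces or vlan interfaces on a trunk port.

```routeros
# Added example, not from the thread. Subnets are assumptions; WAN is the
# default configuration's interface list.
/ip firewall address-list
add list=net-pcs   address=192.168.10.0/24 comment="trusted: PCs"
add list=net-media address=192.168.20.0/24 comment="TV, PS5, access points"
add list=net-nvr   address=192.168.30.0/24 comment="NVR and PoE cameras"

/ip firewall filter
# 1. Return traffic of a connection that was already allowed passes, in
#    both directions. This is what lets the NVR answer the PCs without
#    ever being allowed to open a connection itself.
add chain=forward action=accept connection-state=established,related \
    comment="allow return traffic"
add chain=forward action=drop connection-state=invalid

# 2. Who may open NEW connections, and to where.
add chain=forward action=accept connection-state=new \
    src-address-list=net-pcs dst-address-list=net-nvr \
    comment="PCs -> NVR (view cameras)"
add chain=forward action=accept connection-state=new \
    src-address-list=net-pcs out-interface-list=WAN \
    comment="PCs -> internet"
add chain=forward action=accept connection-state=new \
    src-address-list=net-media out-interface-list=WAN \
    comment="TV/PS5/APs -> internet only"

# 3. Everything not listed above is denied: media -> PCs, media -> NVR,
#    NVR -> anything (local or internet), and any WAN-originated traffic
#    that no dst-nat rule has redirected.
add chain=forward action=drop comment="default deny forward"
```

Rule order is the policy: the three accept rules in section 2 must sit below the established,related rule and above the final drop, so use `/ip firewall filter print` to check positions, and `move` rather than re-add if the default configuration's fasttrack and "drop all from WAN not DSTNATed" rules are kept (the final drop here makes the latter redundant). Note that the NVR subnet does reach the PCs, but only as replies, which is the "VLAN 3 communicates only with VLAN 1" requirement enforced from the initiating side. The input chain (traffic to the router itself) is untouched here; the default configuration's input rules already drop everything from WAN that is not a reply.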
The cameras are IP based, and are PoE. The SG200 switch has insufficient PoE capability to power the cameras, so they have to go direct to the NVR, which has an 8 port PoE switch built in.
I’ve been watching the Jeremy’s IT Lab CCNA videos on Youtube. He has also made scenarios based on the lesson, for use in Cisco’s Packet Tracer. That has provided needed hands-on experience with how to do the things, and it has proven very helpful so far.
My biggest hangup (so far) has been binary, and subnetting. Much time has been spent trying to get that right. (in the cisco packet tracer scenarios)
In the future, the goal is to utilize a VPN to access the cameras, NAS, etc. That isn’t a priority though, and the security concerns related to the NVR having access to the internet outweigh (for them) the inconvenience of not being able to (at this time) remotely view their security cameras.