Help/guidance on homelab network design

Hi folks,

I’m trying to figure out how to rework my network since I now have the luxury of having multiple cheap (<35 USD per month!) 10Gbps FTTH connections to my home.

In my current setup, I have a CCR1009-8G-1S-1S+PC that sits in a rack in my home office alongside all my other homelab gear. The ISP modem(s) terminate in another room and are connected via Cat6A copper to my rack. I had both ISP connections going into separate 1GbE interfaces on my CCR-1009. This was not a problem until recently since I only had 1Gbps FTTH connections. However, with the latest speed upgrades my current network is no longer set up to take advantage of the increased speeds. Hence I’m trying to plan out an upgrade to my core switch(es) and router.

However, I’m a little bit unsure how to proceed due to a couple of points:

  • Previously I had a separate physical interface for each ISP connection on my CCR-1009
  • If I want to retain this setup where I have 2 separate 10GbE connections for WAN plus a 10GbE connection for LAN, the only options I could find were the CCR2004-1G-12S+2XS (which has a very poor reputation on the forum) or a CCR2116-12G-4S+ (which is going to be very noisy in a home office unless I void the warranty on day one to mod the fans)

There is also the CCR2004-16G-2S+PC, but I thought that I would not be able to use this device since it has only 2 SFP+ ports. However, I then came across a Reddit forum thread where it was mentioned that you could also assign VLAN devices for WAN. This seemed like the answer to how I could use the CCR2004-16G-2S+PC for my planned setup. Here’s a diagram of my proposed design:

I was thinking that if I configure the WAN connections to be on separate VLANs (assume VLAN 1000 & VLAN 1001), then I just need to tag the ports appropriately in the various switches and then, with a router-on-a-stick approach, I can pass the VLANs to the CCR2004 to set up the WAN DHCP clients.

However, I am unsure how exactly the configuration for such a setup would look in ROS. The way I’ve been using VLANs so far is that they would be tagged to the ports in the Bridge to allow inter-VLAN routing:

/interface bridge vlan
add bridge="All Ports Bridge" comment="Clients network" tagged="All Ports Bridge,ether1-switch master,ether2,ether3,ether4,sfp1,sfp-sfpplus1,bond-ether5_ether6" vlan-ids=104
add bridge="All Ports Bridge" comment="Server Network" tagged="All Ports Bridge,ether1-switch master,ether2,ether3,ether4,sfp1,sfp-sfpplus1,bond-ether5_ether6" vlan-ids=20

In the above configuration ether7 & ether8 are the WAN connections and hence are excluded from the Bridge. Hence, my thought was that I should not be adding an entry here for the vlan-ids (1000/1001) that I configure for use with the WAN connections, since that would bypass the firewall? But if I do not add the VLAN IDs here, then perhaps the DHCP clients would not receive the traffic at all?

I’m a bit confused now and am probably not approaching this the right way. Would appreciate any advice/feedback on how to go about this.

hello,

your home lab diagram looks good

The way I’ve been using VLAN’s so far is that they would be tagged to the ports in the Bridge to allow inter-VLAN routing:

yes. that’s correct. also, there are many ways of doing VLAN setup in MikroTik which you can tweak to your requirements. mt wiki.

as for dedicated VLANs for WAN links - that is a good idea, except that troubleshooting layer 2 filtering and NAT is a little bit hard, and the results are hard to predict.

have a great lab time and good luck

Yup, each WAN incoming to switch 1 (in room 1) is an access port to a different VLAN.
Then a trunk port carrying both VLANs, and any other VLANs that need to go to room 1, heads to switch 2.
At switch 2, a trunk to the router carries both WAN VLANs, any VLANs from room 1 and any VLANs from room 2.

These all go to the single trunk port on the router,
unless for some reason you are using dual fiber, one for the trunk of WANs and the other trunk for room 1 VLANs and room 2 VLANs.
That also works and is probably better. So basically into one port on the router go all the LAN VLANs, and into the other trunk port from switch 2 go simply the two VLANs for WAN.

I will think about whether I want to use this approach - thanks for the suggestion anav!

However, I’m still unsure about two things:

  • Should I be tagging the VLANs for the WAN in my bridge configuration, i.e., under Bridge>VLAN, on the router?
  • For the NAT rules, should I be changing my existing rules in IP>Firewall to use the VLAN interfaces? Or should I be creating the rules in Bridge>NAT?

The VLANs for the WANs are created on the router, but do not require any subnet information.
They are terminated on either IP DHCP client settings, or PPPoE settings, or even a straight address on the router.
The nice thing about splitting the rest of the VLANs onto a different port is you don't have the mess of bringing them all in on the same bridge port.
The bridge now no longer needs to include those two VLANs, although it's a minor inconvenience that can seem daunting to configure properly.
Just assign both VLANs to the trunk port directly.

If you are doing all VLANs on one port between switch 2 and the router,
the VLANs would be tagged on the port, yes, and then simply terminated as noted above.
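An added RouterOS configuration sketch of the two-trunk layout described in this reply; it is not from the thread or from MikroTik's documentation, and the port names (ether1/ether2 and sfp-sfpplus1 on switch 1, sfp-sfpplus1/sfp-sfpplus2 on the CCR2004) and the LAN bridge name are assumptions. The WAN VLANs are terminated on a router port that is not a bridge member, so they get no entries under Bridge>VLAN, and NAT and filtering stay in IP>Firewall keyed on an interface list:

```routeros
# Switch 1 (room 1, assumed port names): each modem on an access port, one trunk toward switch 2
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=1000 frame-types=admit-only-untagged-and-priority-tagged comment="ISP1 modem"
add bridge=bridge1 interface=ether2 pvid=1001 frame-types=admit-only-untagged-and-priority-tagged comment="ISP2 modem"
add bridge=bridge1 interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged comment="trunk to switch 2"
/interface bridge vlan
add bridge=bridge1 vlan-ids=1000 untagged=ether1 tagged=sfp-sfpplus1
add bridge=bridge1 vlan-ids=1001 untagged=ether2 tagged=sfp-sfpplus1

# Router (CCR2004, assumed port names): sfp-sfpplus1 carries only the two WAN VLANs and is NOT a bridge port,
# so there is nothing to add under /interface bridge vlan for 1000/1001 and no bridged path around the firewall.
# sfp-sfpplus2 is the separate LAN trunk that stays a member of "All Ports Bridge".
/interface vlan
add name=wan1-vlan1000 interface=sfp-sfpplus1 vlan-id=1000 comment="ISP1"
add name=wan2-vlan1001 interface=sfp-sfpplus1 vlan-id=1001 comment="ISP2"
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=wan1-vlan1000
add list=WAN interface=wan2-vlan1001
add list=LAN interface="All Ports Bridge"
# Terminate each WAN VLAN with a DHCP client; the route distance decides which ISP is the default path
/ip dhcp-client
add interface=wan1-vlan1000 add-default-route=yes default-route-distance=1
add interface=wan2-vlan1001 add-default-route=yes default-route-distance=2
# NAT lives in IP > Firewall and matches the WAN interface list, so it follows both ISPs automatically
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
# Minimal filter: the router and the LAN are not reachable from either ISP unless a dst-nat rule allows it
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept
add chain=input in-interface-list=WAN action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN connection-nat-state=!dstnat action=drop
```

With the single-trunk variant instead, the two VLAN interfaces would be created on the bridge (interface="All Ports Bridge") and VLANs 1000/1001 tagged on the bridge and the trunk port only; the interface lists, DHCP clients and firewall rules above stay the same.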