I’m considering buying a Mikrotik switch but first I’d like to know how to configure VLANs. So I have 8 devices in my local network. I would like to isolate ports 1-7 (port 1 is where my PFSense community edition runs). All devices connected to port 1-7 should not be able to communicate with another apart from port 1 which has PFSense as I mentioned. Now, port 8 I would like to have access to ALL other devices/ports so I can easily control them or ssh into a box….
Is this doable with a Mikrotik switch? If so can you please explain how to get this done? Can you also recommend a Mikrotik switch model? I am looking for a switch with 16 ports or over.
I don't see why it shouldn't be doable, but you will first need to make a choice.
Mikrotik switches come in two "flavours".
The less powerful ones (in CPU and storage/RAM) are CSS.
The more powerful ones (in CPU and storage/RAM) are CRS.
CSS devices run a (GUI only) operating system called SWOS, simpler and with ONLY switch related features.
CRS devices are routers/switches (actually good switches with marginal routing capabilities) and can usually run EITHER SWOS or RouterOS (the "real" Mikrotik OS, more powerful but needing more memory).
CSS are cheaper than CRS, but people also using other Mikrotik devices (routers, access points, etc.) usually prefer to spend somewhat more to have the same OS everywhere and other advantages, like Winbox access, easy exporting and modifying of the configuration via the command line, etc., that SWOS simply does not have.
This means more power but also more complexity, check: https://tangentsoft.com/mikrotik/wiki?name=Run+RouterOS+on+Your+Switch
If on the contrary you only want a switch, SWOS is fine (and easier) for that.
Which speed is your LAN running at? I mean 1 Gbit, right?
How many different subnets are you planning to have?
I assume you are using your pfSense as the router, so it has access to the internet via another interface?
Do you want all devices on 2-7 to be in the same subnet with the pfsense box as their gateway?
Without knowing more about how these will be connected (at layer 2), it is hard to make any recommendation. What is the purpose of the "isolation" of ports 1-7?
Assuming you want all "client" devices connected to ports 2-7 to have "client isolation" but still be in the same subnet, all with the pfsense box as their gateway, then see port isolation. This can be done with either SwOS (the "minimalistic switch only os") or with RouterOS on the more capable CRS devices. RouterOS gives you a lot more flexibility with the switch, but it is also a lot more complex. You should be able to do what you want with a CSS SwOS switch, as long as you can do any inter-vlan routing with the pfsense box. The CPUs in the lower-end CRS switches are not intended for use as a router; for example, the CPU in the CRS326-24G-2S is roughly equivalent to the CPU in the RB750gr3, so OK for a ~300 Mbps internet connection. Your pfsense box is probably beefier, and having all routing/firewalling done in one place simplifies things considerably. So whether you get the CRS or CSS switch, I would not use the switch for routing. ROS does have other advantages (see tangent's Run RouterOS on Your Switch for his argument). However, if the only thing you will use it for is as a switch, and it is in a home environment, SwOS is considerably easier to configure, although there is less information about it. The MikroTik SwOS documentation isn't bad, and it has examples, which I would recommend looking at.
If you have other RouterOS devices, then I would recommend ROS, but since you are using pfsense as your router, unless you really want to learn MikroTik RouterOS, I would recommend using SwOS. If you can afford the extra for a CRS switch that can use either SwOS or RouterOS, that would be the best option, as it would give you the flexibility of trying out ROS, and if it is too complex, you can fall back to SwOS. The CRS has a better CPU and more memory than the CSS326. Some users prefer SwOS for switching, for example see Install SwOS on RouterOS - #11 by k6ccc
You mention vlans, but I am not sure that is the feature you want to use (other than for port 8, which would then be in another subnet, and all routing between it and the devices on ports 2-7 would be done by the pfsense box).
You say you have 8 LAN devices, but you want a switch with 16 or more ports. What is the plan for the other ports?
Can you make a sketch showing how you want these to be connected? Either with a drawing package (or if you have never used one, a photo of a hand drawn sketch). Then to upload you can use either the upload or optionally paste from clipboard.
What I would do if I understand what you want:
Configure two vlans on your pfsense box (for LANs), both using the same physical port on the pfsense box. One vlan for guests (the isolated clients that have only access to the internet), the other for trusted devices (which will be used by port 8), e.g. vlan 80 for guests and vlan 90 for trusted. The two vlans will have separate ip subnets (e.g. 192.168.80.0/24 for guests, and 192.168.90.0/24 for trusted devices). Assign ip addresses to each vlan interface on the pfsense router, and create dhcp servers for both subnets.
Configure port 1 of switch as trunk carrying both vlans 80 and 90 as tagged traffic.
Configure ports 2-7 as access ports for vlan 80.
Configure ports 2-7 so they can forward only to port 1. In the default config, port 1 can forward to all other ports, and this is what you want. This provides the client isolation; i.e. it prevents port 2 from sending traffic to port 5 (or any other port except for 1; this includes port 8, but we will allow traffic from port 8 via the pfsense box through port 1).
Configure port 8 as an access port for vlan 90.
At this point port 8 will be isolated from 1-7 because it is in a different vlan, and the firewall on the pfsense box will block the traffic (by default).
You will need to configure a firewall rule on pfsense that allows traffic from the 192.168.90.0/24 to establish new connections to 192.168.80.0/24. If you don't know how to do that, search the internet. Or see Basic Setup and Configuring pfsense Firewall Rules For Home by Tom Lawrence
Yes, this is definitely doable with a MikroTik switch using VLANs and proper port isolation. You can place each device on ports 2–7 into separate VLANs while keeping port 1 (pfSense) as a trunk/router interface, and configure port 8 as a management port with access to all VLANs. For 16+ ports, models like the CRS326 series are quite popular and flexible for setups like this.
What fun would it be to copy and paste the answers written by Artificial Deficiency?
There are some concrete clues, even in this user's only previous post.
It is true that a user may have done some research before creating an account to post a question.
However, since new users' first posts must evidently be approved by a moderator, I would have expected the user to have spent more than 2 minutes reading the forum and looking for a possible answer.
I tend to agree with the previous 11 items listed.
However, if they want an "immediate" answer, without the need to adequately explain the problem, an LLM will be happy to provide a plausible sounding answer given with an authoritative tone.
Just for fun, I pasted the OP into the free chatgpt and its response started with:
"Yes — this is absolutely doable with a MikroTik switch, and it’s actually one of the easier platforms for implementing this kind of setup."
That will work: having a single client in each of 6 vlans (e.g. vlans 2-7, with the only other host member of each vlan being the vlan interface on the pfsense box) will provide isolation for host devices connected to ports 2-7, but the configuration will be much longer and more complex than using L2 port isolation in the switch, because when using L2 isolation you only need a single vlan to support all 6 "isolated" hosts, and the associated vlan interface (and possibly a dhcp server for each vlan).
Using vlans only for isolation:
7 vlans (six for "isolated hosts", one for each of ports 2-7, with port 1 also being a member of each vlan), and one for the "management" port 8. 7 vlan interfaces on the pfsense box. Possibly 7 dhcp pools on the pfsense box, if the hosts need to be configured with dhcp. The firewall on pfsense will be more complex too.
Advantage of above solution: it will work over multiple switches.
Using L2 port isolation on the switch will allow for the clients on 2-7 to be isolated from each other, while still sharing the same ip subnet, dhcp server and pfsense firewall rules. So the same effect can be achieved using only 2 vlans, one for the "isolated" devices connected to ports 2-7, and a second for the "trusted" device connected to port 8.
Disadvantage of this solution: the L2 isolation only works for ports on the same switch.
Given the requirements listed in the first post, I think the second (utilizing L2 isolation on the single switch) is the better solution. But only @raven18 can decide which is best for her(?) situation.
Thank you very much for taking a look at my post/replying.
I managed to get this done with a current switch I have which has 8 ports only. I configured PFSense port 8 as a trunk port and assigned VLANs to all other ports but 7 which is a maintenance port. Each VLAN has its own subnet which is based on the port number (192.168.$PORT.10).
I am considering buying a Mikrotik CRS326-24G-2S+RM and use Switch OS since I already have PFSense as a firewall.
If your current 8 port switch happens to be a TP-Link SG108E, it has a "VLAN" mode called MTU VLAN (Multi-Tenant Unit) which you can configure with a single "uplink" port (the port going to your pfsense router) and all the other ports are able to only communicate with the uplink port. But with MTU mode, you can't allow for another port in a different vlan. It isn't as flexible as SwOS (or ROS).
That's the only low-end "smart switch" I am aware of that has a "client port isolation" mode preconfigured.
A bad thing about the TP-Link SG108E is that the password is the only thing protecting access to the switch management. Even the "isolated" ports still have access to the management, as long as they can guess the ip address.
But if you have it working with separate vlans for each port, other than the increased complexity, it will work fine, and will work with any vlan-aware switch.
SwOS will allow for individual vlans (like you are using), as well as supporting port isolation (and it is a lot more flexible than the TP-Link SG108E's MTU mode). Each row in the forward matrix is a source port, and you can configure what other ports the port is allowed to forward to. You need to configure both sides, i.e. if you want port 1 to be able to forward to all other ports, the row will have every box but the one for itself selected. If you want port 2 to be only able to send to port 1, there will be only one box checked (column 1), for row 2. That indicates that port 2 is allowed to forward to port 1 only.
I think you will like the CRS326, then if you outgrow SwOS, you will have the ability to use the more powerful RouterOS without needing to swap out the hardware. Note well: although the CRS can boot either SwOS or ROS, there is nothing to convert the configurations for SwOS to ROS or vice versa. Just like you can boot either Windows or Linux on a PC, there isn't anything to convert your Windows setup to run under Linux, or vice versa.
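As an added illustration (not code from this thread, from MikroTik or from pfSense), here is a small Python model of the two-vlan plus forward-matrix plan described above: it checks every port pair in both directions, since each matrix row is one direction only, and reports any L2 path that disagrees with the intended policy. Port numbers, vlan ids 80/90 and the "only paths touching port 1 are allowed" policy are assumed from the thread.

```python
from itertools import product

PORTS = range(1, 9)
TRUNK = 1                 # pfSense uplink, tagged in both vlans
ISOLATED = range(2, 8)    # ports 2-7, untagged vlan 80 (guests)
MGMT = 8                  # port 8, untagged vlan 90 (trusted)

# Planned vlan membership, port -> set of vlan ids (constructed from the thread)
VLAN_MEMBERS = {TRUNK: {80, 90}, MGMT: {90}, **{p: {80} for p in ISOLATED}}

def default_matrix():
    """SwOS-style default: every port may forward to every other port."""
    return {p: {q for q in PORTS if q != p} for p in PORTS}

def isolated_matrix():
    """Rows 2-7 restricted to column 1; rows 1 and 8 keep the default."""
    m = default_matrix()
    for p in ISOLATED:
        m[p] = {TRUNK}
    return m

def l2_reachable(src, dst, matrix, vlans=VLAN_MEMBERS):
    """A frame from src reaches dst directly only if the src row allows dst
    AND both ports share a vlan. The matrix is per direction, so src->dst
    and dst->src must be checked separately."""
    return dst in matrix[src] and bool(vlans[src] & vlans[dst])

def intended(src, dst):
    """Policy from the thread: only L2 paths that touch the trunk (port 1)."""
    return TRUNK in (src, dst)

def violations(matrix, vlans=VLAN_MEMBERS):
    """(src, dst, reachable) for every direction that disagrees with the plan."""
    return [(s, d, l2_reachable(s, d, matrix, vlans))
            for s, d in product(PORTS, repeat=2)
            if s != d and l2_reachable(s, d, matrix, vlans) != intended(s, d)]

if __name__ == "__main__":
    print("planned config:", violations(isolated_matrix()))        # []
    # Forgetting the reverse direction (row 1, column 2) breaks replies
    # from pfSense to the host on port 2.
    broken = isolated_matrix()
    broken[TRUNK].discard(2)
    print("row 1 missing col 2:", violations(broken))             # [(1, 2, False)]
    # With a single vlan, port 8's default row reaches ports 2-7 at L2,
    # which is why the plan puts port 8 in its own vlan 90.
    one_vlan = {p: {80} for p in PORTS}
    print("no vlan 90:", violations(isolated_matrix(), one_vlan))  # six 8->x hits
```

Running it with a candidate matrix before clicking it into the SwOS forwarding tab shows exactly which direction or vlan assignment still leaks.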