How to properly configure this network?

RouterOS General
1

Hello!

I just got my Mikrotik and I want to create a network shown on the image below. It’s my first time doing it, specially with Mikrotik and I would be very happy if I could get some help:)

So here is what I want to achieve…

VLAN10 and VLAN12 are separate networks.
Ether3 is also a separate network.
VLAN12 is DMZ and firewalled
VLAN10 is also firewalled, but can also access some PCs or ports on server in VLAN12
Access point on Ether3 has no access to VLAN10, but has access to web/mail/… servers on DMZ
VPN has, by default, full access to VLAN10,12 and Ether3.

What I have done so far:

  • I removed master/slave from all ports in Mikrotik
  • Create 2 VLAN-s(10 and 12) under Interfaces-VLAN and attached them to Ether2. If I understand correctly, ether2 now acts as a TRUNK port.
  • ether2 is connected to trunk port on switch
  • as far as some quick testing goes, it looks like ethernet separation and trunking is working. If I ping from VLAN10 to VLAN12, I see traffic under Interfaces, so that looks like it’s working…
  • ESX is also working
  • I set pptp server with IP 10.10.19.x. Clients have ips in the same subnet and I can see everything in VLAN10 and 12 from VPN.

Questions:

  • why can I access VLAN10 and 12 from VPN by default? Shouldn’t those two subnet be unreachable? Is router doing routing by default to that networks?
  • Why can I access VLAN12 from VLAN10 and vice versa by default? How to disable access and only enable what I want?
  • I plugged WIFI AP to ether3 port, set an IP on Mikrotik to 10.10.13.1 for ether3 interface. I can access AP from Mikrotik, but not from VLAN10 or 12. Why is that?
  • How is VLAN under interfaces different from VLANs under Switch?

I guess this post have no head or tail, but I hope you’ll make out what I want to achieve:) So again in short:

  • VLAN10 has no access to VLAN12, except servers and ports I want
  • VLAN12 has no access to VLAN10, except the ones I allow(web,mail,network shares,…)
  • WIFI on Ether3 has no access to VLAN10, but has some access to VLAN12(certain servers)
  • VPN has access to everything…

What do I have to do or what are the right steps…

Matej

2

Yes - all networks are routed by default. By applying filters in the forwarding chain you can block the forwarding behaviour.

If you are using the device as a firewall you should configure IP Firewall. The following might be useful:

http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router

3

How come I cant see or access WIFI AP on Ether3 port from VLAN10 or VLAN12, but I can access it from Mikrotik?

Matej

4

It could be a number of reasons but check the default gateway settings on the AP.

5

Yea, I just wanted to write that it seems like my default route on AP is set to the wrong IP.

Matej

6

Hello,

I am trying to setup my network with exactly the same topology and config.

I am more concerned with how you setup ether2 for trunking as I cant reach my VM’s that are on different networks behind the ESXi host

Thanks,

B