I’m sorry, my drawing skills suck; the diagram below reflects what has been discussed above:

Here the Mikrotik hAP ac has a wireless network that most of the devices are connected to; this is on 192.168.88.*, as described above in the thread.
The patch panel carries Ethernet cables around the house, and this is how the wired connections for many devices are made.
Port 4 on the Mikrotik hAP ac and Port 4 on the Mikrotik hEX represent physical devices plugged straight into the router.
The PowerEdge box used to be a homelab. It ran a hypervisor and had separate ports for management and VMs, and another port was the iDRAC port for power management. I do not have the PowerEdge any longer, but I’m going to replace it with a single-Ethernet-port workstation that will also run a hypervisor. Its single Ethernet port will be shared by the VMs and management.
I also currently have an L2TP VPN set up on the Mikrotik hAP ac, thanks to this thread.
What I want to achieve:
I want to isolate the hypervisor and VMs into a separate (192.168.89.*) network.
I want internet / DNS (which is on 192.168.88.1 now) to be accessible from 192.168.89.*. I do NOT want 192.168.88.* to be normally accessible from 192.168.89.*.
However, I want to be able to access 192.168.89.* from 192.168.88.* where I need to, and of course I need to have a way to forward particular ports, open to the internet on 192.168.88.1, to various 192.168.89.* VMs.
I have some special DNS requirements (which are working to my satisfaction right now): all DNS queries (port 53), no matter what external IP they are sent to, are sent to the IP that I have configured instead. I do not want to lose this property, and it should be true for both 192.168.88.* and 192.168.89.*.
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
The above was mostly working with my old setup (described in this thread), but I had a little less isolation than I wanted (see discussion above re: connection-less access). I think it’s time to do a VLAN setup, if it can solve it.
I also want to have different VPN users: some of them have full access like right now, and some of them are limited to 192.168.89.* only. This way I can give someone access to play with the hypervisor and VMs but not to the rest of my home network.
This post gives a general reference and context for what I’m doing. At the moment, as per my previous post, I’m trying to understand how and why VLAN is going to help me, that is, why it can achieve more than the current setup without VLAN.
I’m guessing that I’ll be approaching the VLAN setup based on this:
When you get to configure routerboards, there are a few settings to be done:
- first you need to configure selected ethernet ports with allowed set of VLAN IDs.
- then you need to add “vlan interfaces” … these are special devices that will allow you to configure certain functionality of the routerboard for selected VLANs. When those “vlan interfaces” are created, you configure stuff just as on any other interface (ethernet, wlan, …). E.g. you will set a separate IP address on that device (and the routerboard will be accessible through this IP address from devices that belong to the selected VLAN), you will probably run a DNS server on the vlan device. You could run a DHCP server as well, but you mentioned your virtual servers all have addresses set statically.
- there are a few details to be done for current (i.e. untagged) network to keep it working after the next step
- at the end, you enable vlan-filtering on the bridge, so that the bridge will kind of transform from being a “dumb switch” to being a “smart switch”.
You will have to do similar VLAN-related setup on both routerboards. Afterwards the hAP ac Lite will act more or less as a smart switch (again), and all the routing and firewalling (now for two LAN segments) will be done by the main router.
I’m going to need to fill in some missing details here, but I’ll do that one step at a time once I understand the overall idea.
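As an added illustration (not from the original post or from anyone in the thread, and not tested on the poster's hardware), here is what the plan quoted above could look like as a RouterOS v6.41+ script on the router that owns 192.168.88.1, covering the four requirements in the post: lab segment isolated, DNS/internet still reachable, home LAN and published ports able to reach the lab, and two classes of VPN user. Everything named here is an assumption: the bridge is called `bridge`, ether1 is the WAN, ether2 is the trunk to the second routerboard, ether4 is the hypervisor port, the lab is VLAN ID 89, limited VPN users get addresses from 192.168.90.0/24, a VM at 192.168.89.10 publishes TCP 443 on external port 8443, and the user names and passwords are placeholders. The existing port-53 redirect rules from the post are kept untouched; they already match packets arriving on the new vlan interface.

```routeros
# Added example, not the poster's configuration. Assumed names: bridge "bridge",
# ether1 = WAN, ether2 = trunk to the other routerboard, ether4 = hypervisor,
# VLAN 89 = lab, 192.168.90.0/24 = limited VPN pool. Do this in Safe Mode (Ctrl-X)
# so that a mistake that locks you out of the router is rolled back.

# 1. Ports: the untagged home LAN (wireless, patch panel) keeps pvid 1.
#    The hypervisor port becomes an access port for 89 and may only send
#    untagged frames, so a VM cannot hop VLANs by tagging its own traffic.
/interface bridge port
set [find interface=ether4] pvid=89 frame-types=admit-only-untagged-and-priority-tagged

# 2. VLAN table: 89 is tagged towards the CPU (the bridge itself) and the trunk,
#    untagged on ether4. VLAN 1, the current untagged network, is covered by the
#    default pvid=1 entries, which is the "detail" that keeps it working later.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether4 vlan-ids=89

# 3. The "vlan interface": the router's own leg in the lab segment.
/interface vlan
add interface=bridge name=vlan89 vlan-id=89
/ip address
add address=192.168.89.1/24 interface=vlan89
/ip pool
add name=pool89 ranges=192.168.89.100-192.168.89.199
/ip dhcp-server
add name=dhcp89 interface=vlan89 address-pool=pool89 disabled=no
/ip dhcp-server network
add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=192.168.88.1

# 4. Firewall. Rules are evaluated top to bottom; put these above any existing
#    catch-all drop rules. Input = traffic to the router, forward = through it.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan89 protocol=udp dst-port=53,67 comment="lab: DNS (after redirect) and DHCP only"
add chain=input action=accept in-interface=vlan89 protocol=tcp dst-port=53
add chain=input action=drop in-interface=vlan89 comment="no router management from the lab"
add chain=input action=accept src-address=192.168.90.0/24 protocol=udp dst-port=53
add chain=input action=drop src-address=192.168.90.0/24 comment="limited VPN users: DNS only on the router"
add chain=forward action=accept connection-state=established,related comment="replies only: home LAN opens connections to the lab, never the reverse"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=ether1 connection-nat-state=dstnat comment="published VM ports"
add chain=forward action=drop src-address=192.168.90.0/24 dst-address=!192.168.89.0/24 comment="limited VPN users reach the lab only"
add chain=forward action=drop in-interface=vlan89 dst-address=192.168.88.0/24 comment="lab must not initiate into the home LAN"

# 5. NAT: the existing port-53 redirects stay as they are. Add one published
#    port and make sure the lab is masqueraded towards the internet.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=8443 to-addresses=192.168.89.10 to-ports=443 comment="example VM port forward"
add chain=srcnat action=masquerade out-interface=ether1 comment="skip if an equivalent rule already exists"

# 6. Two classes of L2TP user: "full" lands in the home LAN as today,
#    "limited" gets a 192.168.90.x address that the rules above confine to the lab.
/ip pool
add name=vpn-full ranges=192.168.88.200-192.168.88.219
add name=vpn-limited ranges=192.168.90.10-192.168.90.29
/ppp profile
add name=l2tp-full local-address=192.168.88.1 remote-address=vpn-full dns-server=192.168.88.1
add name=l2tp-limited local-address=192.168.90.1 remote-address=vpn-limited dns-server=192.168.88.1
/ppp secret
add name=homeuser password=CHANGEME service=l2tp profile=l2tp-full
add name=labguest password=CHANGEME service=l2tp profile=l2tp-limited

# 7. Only now turn the bridge into a "smart switch". If the router is still
#    reachable afterwards, leave Safe Mode to commit.
/interface bridge
set bridge vlan-filtering=yes
```

Two points worth checking after applying something like this. First, the isolation comes from the forward chain, not from the VLAN itself: the VLAN only guarantees that lab frames cannot reach 192.168.88.* hosts at layer 2, so the `established,related` rule plus the `in-interface=vlan89` drop is what lets the home LAN open connections into the lab while the lab can only answer. Second, on the second routerboard only steps 1, 2 and 7 are needed (ports, VLAN table, vlan-filtering), with the trunk port tagged for 89 on both ends; as the quoted post says, it then behaves as a switch and does no routing or filtering of its own.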