Hybrid ports and VLAN for tagged and untagged connections.

Hi everyone, I created this account recently, I’m a genuine beginner and I’m doing my best to try to understand how to tackle this.
I have a physical setup which I believe is mostly simple to understand.

      
       ┌─────────────────────────────────────────────────────────────────┐                                   
       │                                                     VLAN Support│                                   
       │ ┌───┐    ┌──┐                            VLAN1 LAN   ┌───────┐  │                                   
       │ │ISP│    │PC│                           ┌────────────┤WifiAP1│  │                                   
       │ └─┬─┘    └┬─┘                           │VLAN20 IOT  ├───────┤  │                                   
       │   │Ether1 │Ether2(Untagged)             ├────────────┤WifiAP2│  │                                   
       │   │       │                 ┌─────────┐ │            └───────┘  │                                   
       │   │       │   VLAN1+VLAN20  │         ├─┘           No Support  │                                   
       │  ┌┴───────┴┐    Untagged    │   POE   │  Untagged    ┌───────┐  │                                   
       │  │ MK L009 ├────────────────┤ Switch  ├──────────────┤Camera1│  │                                   
       │  └─────────┘     Ether4     │Unmanaged│              └───────┘  │                                   
       │                             │         ├─┐           No Support  │                                   
       │                             └─────────┘ │Untagged    ┌───────┐  │                                   
       │                                         └────────────┤Camera2│  │                                   
       │                                                      └───────┘  │                                   
       │                                                                 │                                   
       └─────────────────────────────────────────────────────────────────┘  
       The Virtual Goal 
 ┌────────────────────────────────────┐                                                                      
 │                                    │                                                                      
 │                          ┌───────┐ │                                                                      
 │                        ┌─┤WifiAP2│ │                                                                      
 │                        │ └───────┘ │                                                                      
 │                        │           │                                                                      
 │                        │ ┌───────┐ │                                                                      
 │          VLAN20     ┌──┼─┤Camera1│ │                                                                      
 │        ┌─────────┐  │  │ └───────┘ │                                                                      
 │ ┌───┐  │ MK L009 ├──┘  │           │                                                                      
 │ │ISP├──┼─────────┤     │ ┌───────┐ │                                                                      
 │ └───┘  │ MK L009 ├──┐  └─┤Camera1│ │                                                                      
 │        └─────────┘  │    └───────┘ │                                                                      
 │          VLAN1      │              │                                                                      
 │                     │ ┌───────┐    │                                                                      
 │                     ├─┤WifiAP1│    │                                                                      
 │                     │ └───────┘    │                                                                      
 │                     │              │                                                                      
 │                     │ ┌──┐         │                                                                      
 │                     └─┤PC│         │                                                                      
 │                       └──┘         │                                                                      
 │                                    │                                                                      
 └────────────────────────────────────┘

My goal here is to separate my IoT devices from my normal network, on a different subnet as well. I still have my other devices connected, but this is a simplification of what I'm looking for.
I'm not sure of the best way to approach this, but from what I understand I need to create a hybrid port that accepts tagged frames as well as untagged frames.
My current configuration is as follows.

/interface bridge
# vlan-filtering=yes: the bridge itself enforces the VLAN table below
add admin-mac=78:9A:18:62:46:66 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes

/interface vlan
# layer-3 interface for VLAN 20 on the bridge (the router's foot in the IoT VLAN)
add interface=bridge name=VLAN_20 vlan-id=20

/ip pool
add name=dhcp ranges=10.0.0.102-10.0.0.254
add name=dhcp_pool4 ranges=10.20.20.2-10.20.20.254

/ip dhcp-server
# VLAN 1 (untagged, bridge PVID default) is served on the bridge itself
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool4 interface=VLAN_20 name=WIFI_VLAN_20

/interface bridge vlan
# VLAN 20 leaves ether4 tagged; VLAN 1 is never listed here and stays untagged
# on every port through the default pvid=1, which is why the cameras land in it
add bridge=bridge tagged=ether4,bridge vlan-ids=20

Currently this works for the devices on WifiAP1 and WifiAP2.
However, Camera1 and Camera2 both register on the default VLAN1, which isn't ideal.
I can change the bridge port on ether4 to PVID 20; that way the cameras end up on the correct VLAN, which the ARP list confirms, but suddenly I can no longer access WifiAP1 or the devices on VLAN20.
I can ping between my phone and computer on the WifiAP2 (VLAN20) Wi-Fi, but pinging between my phone and the cameras fails.
I feel like there's something dumb simple I am missing; however, this is the best I could do with my current knowledge.
What would be the best way to setup the goal configuration and what makes it more ideal?
I would also like to understand the flaw in my logic here.

Thanks in advance anyone reading this, I understand this forum probably gets a lot of these.

A problem is that out of your switch, every port has both the tagged and the untagged vlans coming out of it and going into it.

One possible option would be to make VLAN 1 something other than 1, e.g. 10.
Then you could have VLAN 20 as the untagged VLAN and VLAN 10 as the tagged VLAN going to the PoE switch
(with VLAN 10 untagged on ether2).
Your IoT devices can still see and use the tagged VLAN 1/10 traffic if they want to.


Another (somewhat better) option would be to have a managed PoE switch, with certain ports having VLAN 20 coming out
(untagged) and other ports having VLAN 1 coming out (untagged), and some hybrid ports with
VLAN 20 tagged and VLAN 1/10 tagged or untagged on them.

Yet another option is to have 2 unmanaged PoE switches, one for VLAN 1/10 traffic, the other for VLAN 20 traffic
(each using a port on the L009).

Also, you probably should consider setting up a guest Wi-Fi network, since you don't want kids' friends on your trusted network, etc.
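
Putting that first option into RouterOS terms, as an added example and not anything posted in this thread: a single L009, ether1 to the ISP, ether2 as an access port for the PC, and ether4 as the hybrid port to the unmanaged PoE switch, with the trusted VLAN 10 tagged and the IoT VLAN 20 untagged on it. The interface names, the choice of VLAN 10, the subnets and the DHCP pools are assumptions. The caveat the reply already points at still holds: the unmanaged switch floods the tagged VLAN 10 frames to the camera ports too, and the L009 cannot tell a camera that emits 802.1Q-tagged frames apart from the AP, so a compromised camera can inject itself into the trusted VLAN through this port; only a managed switch that strips tags on the camera ports closes that.

```routeros
# Added example, RouterOS 7 syntax, for a fresh L009 (not the thread's own /export).
# Assumptions: ether1 = WAN, ether2 = PC (access, VLAN 10),
#              ether4 = hybrid to the unmanaged PoE switch (VLAN 10 tagged, VLAN 20 untagged).
# Run it with /system/script or Safe Mode: enabling vlan-filtering before the
# VLAN table and the new management address exist will lock you out.

/interface bridge
add name=bridge vlan-filtering=no comment="turn vlan-filtering on only at the very end"

/interface bridge port
# PC: plain access port, untagged frames become VLAN 10, tagged frames are refused
add bridge=bridge interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="PC access VLAN 10"
# hybrid: untagged (cameras) -> VLAN 20; tagged VLAN 10 (APs) accepted; other tags dropped
add bridge=bridge interface=ether4 pvid=20 ingress-filtering=yes frame-types=admit-all \
    comment="hybrid: VLAN 10 tagged for the APs, VLAN 20 untagged for cameras"

/interface bridge vlan
# the bridge itself must be tagged for every VLAN the router needs an IP in
add bridge=bridge vlan-ids=10 tagged=bridge,ether4 untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether4

/interface vlan
add name=VLAN_10 interface=bridge vlan-id=10 comment="trusted"
add name=VLAN_20 interface=bridge vlan-id=20 comment="IoT / cameras"

/ip address
add address=10.10.10.1/24 interface=VLAN_10 comment="management now lives here"
add address=10.20.20.1/24 interface=VLAN_20

/ip pool
add name=pool_vlan10 ranges=10.10.10.100-10.10.10.254
add name=pool_vlan20 ranges=10.20.20.100-10.20.20.254

/ip dhcp-server
add name=dhcp_vlan10 interface=VLAN_10 address-pool=pool_vlan10
add name=dhcp_vlan20 interface=VLAN_20 address-pool=pool_vlan20
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
add address=10.20.20.0/24 gateway=10.20.20.1 dns-server=10.20.20.1

/interface list
add name=LAN
/interface list member
add list=LAN interface=VLAN_10
add list=LAN interface=VLAN_20

# Last step. Before this, reconfigure the APs: management and the trusted SSID
# tagged with VLAN 10, the IoT SSID untagged (the opposite of the current layout).
/interface bridge set bridge vlan-filtering=yes
```

Once vlan-filtering is on, connect to the router on 10.10.10.1 from the PC on ether2; the old address on the bridge itself is no longer reachable from any port, since nothing is untagged in VLAN 1 any more. Cameras then get 10.20.20.x leases because their untagged frames are classified by ether4's PVID, and the router answers them untagged on the way back, which is the part the PVID-20-plus-tagged-20 attempt got wrong.
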
Concur, first step is to get a managed switch.

Depending on the type and speed of the connection (and possible future upgrades), it may be an idea to re-use the L009 as a switch and get a faster router.

The L009 as a switch should have more than enough power/speed for Wi-Fi and cameras, whilst as a router it should top out at around 300 Mbps.
An Ax2 or Ax3 (if Wi-Fi is not needed, with the radio disabled) would be faster as a router, with a list price of $99.00/$139.00.
Or, if the internet connection is (and is expected to remain) slower than what the L009 can manage, then another L009 would do, list price $119.00.
Or, if 5 ports are enough and SwOS is not an issue, an RB260GSP would save some money, list price $55.95 (but there are cheaper managed switches around for less).

Yet another option is to have 2 unmanaged PoE switches, one for VLAN 1/10 traffic, the other for VLAN 20 traffic
(each using a port on the L009).

I would like to solve this logically if possible/reasonable, but I understand it may be in my best interest to just buy hardware to handle the complications. I feel like at this rate I may end up owning a mini rack. I'll see about trying your first suggestion.


Also, you probably should consider setting up a guest Wi-Fi network, since you don't want kids' friends on your trusted network, etc.

My AP supports a guest connection with client isolation, I would like to create a silly guest login portal someday, but that’s a project for another day.


The L009 as a switch should have more than enough power/speed for Wi-Fi and cameras, whilst as a router it should top out at around 300 Mbps.

I do have a gigabit ISP link. Is the L009UiGS-RM not sufficient for this task? I prefer MikroTik hardware; if you have more recommendations I'd be open to them. Maybe I should get a mini rack, lol.

Yeah, the L009 probably does between 300-500 Mbps depending upon firewall filter rules.
Look at a hAP ax3 for the cheapest path to 1 gig, or the RB5009, which is future-proof for a 2.5 gig connection.

Yep, if you have a 1 Gbps connection the L009 as router is a bottleneck.
Check the official pages' test results for the mentioned devices.
For routing, an approximate speed you can achieve is the value for 512-byte packets with 25 firewall rules.
The RB5009 is possibly even too fast for what you have now, and it lists at $219.00.
Unless you know for sure that your ISP is going to provide a faster connection soon, an Ax3 costs less and can always be re-used as an AP, of course only if the 5 ports are enough.

Okay! So after a while I picked up a brand new RB5009Pr that powers the L009 (PoE is awesome).
But now my setup is much more complicated; however, with two devices I should be able to figure something out.
I also have another ask.
Would it be possible to have the RB L009 take care of VLAN20's subnet, DHCP and all, while the RB5009 handles the normal LanLocal addresses? Or is this not ideal?
And if it is ideal, what would be the most optimal setup in terms of performance?

Below is my setup.
*Edit: I realize now the DNS would need to be visible to both VLANs if I want to use it, though since it's running Linux I may just change the interface to be on both.

      RB5009 IP 10.0.0.1                                                                 
(VLAN1)LanLocal 10.0.0.0/24                                                              
           DHCP 10.0.0.100-10.0.0.254                                                    
                           │   ┌───┐       RBL009 IP 10.0.0.2                            
                           │ ┌─┤PC2│          VLAN20 10.20.20.0/24                       
                           │ │ └───┘              IP 10.20.20.1                          
                           ▼ │Eth4              DHCP 10.20.20.100-10.20.20.254           
              ┌───┐  Eth1┌───┴──┐Eth2     ┌──────┐               │                       
              │ISP├──────┤RB5009├─────────┤RBL009│  ◄────────────┘                       
              └───┘      └┬─┬───┴──┐  Eth1└──┬───┘                                       
             ┌────────────┘ │Eth6  │         │Eth8               Handled Subnet Traffic?      
             │              │      │         │                VLAN1     VLAN20     Both  
         Eth3│          ┌───┴───┐ ┌┴──┐    ┌─┴─┐             ─────────────────────────── 
           ┌─┴┐   VLAN1 │WifiAP1│ │DNS│    │POE│ UnManaged              RBL009     RB5009
     ┌────►│PC│         ├───────┤ └───┘    └─┬─┘              WifiAP1   Cam1       PC    
     │     └──┘  VLAN20 │WifiAP2│  ▲     ┌───┴────┐           PC2       Cam2       ISP   
Lets Assume             └───────┘  │  ┌──┴─┐   ┌──┴─┐                   WifiAP2    DNS   
No VLAN Support                    │  │Cam1│   │Cam2│                                    
(for management)          10.0.0.101  └────┘   └────┘                                    
                               Eth8

Thanks in advance.
I'm looking forward to hearing your feedback; I've been learning a lot this past month, but I still end up kicking myself off my own network every now and then, haha.

Unless you know for sure that your ISP Is going to provide soon a faster connection

Funnily enough, I checked with my ISP and they offer up to 6 gig symmetrical (wild), even more with a business account.
Though I honestly don't need anything more than 1 gig symmetrical at this time; maybe if I start hosting things in the future, but as of now anything more is superfluous.

I am going insane.

               <RB5009 IP 10.0.0.1>                                                                                  
        VLAN69 Management 10.0.0.0/24                                                                                
                   STATIC 10.0.0.1                                                                                   
                          10.0.0.2            ((DISABLE VLAN1))                                                      
                          10.0.0.125                                      Security considerations                    
                          10.0.0.101                               ──────────────────────────────────────────        
                          10.0.0.111                               DNS Should only be managed by VLAN69              
           VLAN10 Trusted 10.10.10.0/24                            WifiAP-M/1/2 Should only be managed by VLAN69     
                     DHCP 10.10.10.150-10.10.10.254                Make Sure RBL009 Can't be managed by ISP          
                   STATIC 10.10.10.125                                                                               
                          10.10.10.101             <RBL009 IP 10.0.0.2>                                              
                          10.10.10.111             VLAN20 IOT 10.20.20.0/24                                          
                              │   ┌───┐                  DHCP 10.20.20.150-10.20.20.254                PC1           
                              │ ┌─┤PC2│                STATIC 10.20.20.125                      ───────────────────  
                              │ │ └───┘                       10.20.20.101                        10.0.0.125 VLAN69  
                              ▼ │Eth4                         10.20.20.111                      10.10.10.125 VLAN10  
                 ┌───┐  Eth1┌───┴──┐Eth2     ┌──────┐               │                           10.20.20.125 VLAN20  
                 │ISP├──────┤RB5009├─────────┤RBL009│◄──────────────┘                                                
                 └───┘      └┬─┬───┴──┐  Eth1└──┬───┘                                                  WifiAP        
                ┌────────────┘ │Eth6  │         │Eth8                    Isolation              ───────────────────  
                │              │      │Eth8     │                VLAN69    VLAN20    VLAN10       10.0.0.111 VLAN69  
            Eth3│          ┌───┴───┐ ┌┴──┐    ┌─┴─┐              ──────────────────────────     10.10.10.111 VLAN10  
              ┌─┴─┐  VLAN1 │WifiAP1│ │DNS│    │POE│ UnManaged    RB5009    ISP       ISP        10.20.20.111 VLAN20  
        ┌────►│PC1│      M ├───────┤ └───┘    └─┬─┘              RBL009    RB5009    RB5009                          
        │     └───┘ VLAN20 │WifiAP2│  ▲     ┌───┴────┐           WifiAP-M  RBL009    WifiAP1                         
   10.0.0.125              └───────┘  │  ┌──┴─┐   ┌──┴─┐         DNS       WifiAP2   DNS                DNS          
(Tagged for All)            ▲         │  │Cam1│   │Cam2│         PC1       DNS       PC1        ───────────────────  
                   ┌────────┘10.0.0.101  └────┘   └────┘                   PC1       PC2          10.0.0.101 VLAN69  
                   └      (Tagged for All)                                 POE                  10.10.10.101 VLAN10  
           10.0.0.111                                                      Cam1                 10.20.20.101 VLAN20  
       (Tagged for All)                                                    Cam2                                      
                           RB5009                                                      RBL009                        
VLAN69-Tag-Ingress   VLAN69-Untag-Egress   Already-Tagged   VLAN69-Tag-Ingress   VLAN69-Untag-Egress   Already-Tagged
─────────────────────────────────────────────────────────   ─────────────────────────────────────────────────────────
                                           Eth3 Eth8                                                   Eth1          
                                           Eth6                                        RBL009                        
                           RB5009                           VLAN10-Tag-Ingress   VLAN10-Untag-Egress   Already-Tagged
VLAN10-Tag-Ingress   VLAN10-Untag-Egress   Already-Tagged   ─────────────────────────────────────────────────────────
─────────────────────────────────────────────────────────   Drop                 Drop                  Drop          
Eth1                 Eth1                  Eth6  Eth3                                  RBL009                        
                                           Eth8             VLAN20-Tag-Ingress   VLAN20-Untag-Egress   Already-Tagged
                           RB5009                           ─────────────────────────────────────────────────────────
VLAN20-Tag-Ingress   VLAN20-Untag-Egress   Already-Tagged   Eth8                 Eth8                  Eth1          
─────────────────────────────────────────────────────────                                                            
Eth1                 Eth1                  Eth6  Eth2                                                                
                                           Eth8  Eth3                                                                
                    Trunks RB5009                                                                                    
          Eth1  Eth2   Eth3   Eth6   Eth8                                                                            
          ─────────────────────────────────                                                                          
          None  VLAN69 VLAN69 VLAN69 VLAN69                                                                          
                VLAN20 VLAN10 VLAN10 VLAN10                                                                          
                       VLAN20 VLAN20 VLAN20
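
The "Security considerations" and "Isolation" columns in the diagram above are policy, not configuration. Bridge VLANs only separate layer 2; a RouterOS router will happily route 10.10.10.0/24 to 10.20.20.0/24 and let a camera reach the management VLAN unless the forward chain says otherwise, and the default input chain lets any directly connected subnet reach WinBox. The block below is an added example, not the poster's export, of firewall rules that implement that matrix on one router that owns all three VLANs (VLAN_69 management, VLAN_10 trusted, VLAN_20 IoT, ether1 to the ISP; every name and subnet here is an assumption, and the router is taken to be the DNS/DHCP server for simplicity). In the two-router layout in the post, the same rules belong on whichever device routes between the subnets, and the RB5009 additionally has to treat the L009's IoT subnet as untrusted on the link between them.

```routeros
# Added example, RouterOS 7 syntax, fresh router (defconf's WAN/LAN lists and rules removed).
# Assumed interfaces: ether1 = WAN, VLAN_69 = management, VLAN_10 = trusted, VLAN_20 = IoT.

/interface list
add name=WAN
add name=MGMT
add name=LAN
add name=IOT
/interface list member
add list=WAN interface=ether1
add list=MGMT interface=VLAN_69
add list=LAN interface=VLAN_10
add list=IOT interface=VLAN_20

/ip firewall filter
# --- input: who may talk to the router itself ---
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping/PMTU from anywhere, rate is low"
add chain=input action=accept in-interface-list=MGMT comment="only VLAN69 manages the router"
# trusted and IoT get exactly DHCP and DNS from the router, nothing else
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=IOT protocol=udp dst-port=53,67
add chain=input action=accept in-interface-list=IOT protocol=tcp dst-port=53
add chain=input action=drop comment="everything else, including all of WAN: the ISP cannot manage this box"

# --- forward: traffic between VLANs and to the internet ---
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat \
    comment="no unsolicited inbound from the ISP"
add chain=forward action=accept in-interface-list=MGMT comment="management reaches everything"
add chain=forward action=accept in-interface-list=LAN out-interface-list=IOT \
    comment="trusted PCs may open the cameras; replies ride on established"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept in-interface-list=IOT out-interface-list=WAN \
    comment="IoT may only go to the internet"
add chain=forward action=drop in-interface-list=IOT comment="IoT never initiates to trusted or management"
add chain=forward action=drop comment="default deny between everything not listed above"

# --- management plane reachable from the management VLAN only ---
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24
set ssh address=10.0.0.0/24
set winbox address=10.0.0.0/24
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT
```

The order matters: the established/related accepts at the top are what let camera video flow back to a trusted PC even though the IoT list is dropped further down, so a camera can answer but never initiate. To check the policy without touching a camera, plug a laptop into an IoT port, request a lease, and confirm it can resolve names and reach the internet but gets no reply from 10.10.10.1:8291 or from the APs' management addresses; /ip firewall filter print stats shows which drop rule is counting.
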

/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, etc.)