[Edit: please read carefully, I need additional hardware for testing and therefore I stop investigating]
Dear all,
I am migrating my home network with VLANs to a Mikrotik router and a Mikrotik switch :
CCR2004-1G-12S+2XS
CRS312-4C+8XG
My present setup has isolaged VLANs but some communication is allowed.
Each ethernet port is on a seperate VLAN to avoid data leak.
Sometimes I also allow a communication from VLAN-A to VLAN-B but the converse is not allowed.
Filtering is based on source IP range. For example this allow me to reach my printer on a separate VLAN but the printer cannot reach me.
All is done on the firewall.
I already replaced my old 1GB switch with a 10GB Mikrotik switch.
Now I need to replace the firewall (router).
How do I achieve inter VLAN filtering with a Mikrotik router?
Can it be done at wire speed?
L3-Offloading is a nice solution in ROuterOS 7.X to increase performance
Alternatively for RouterOS 6.X:
Basic exemple how you can filter VLAN communication on your ROUTER via Firewall
In this exemple VLAN-A can ICMP and RDP TO VLAN-B, but the reverse isn’t true.
Not sure what is going on here but for the router this is
an excellent guide for the router setup to get your vlans to the switch,
After that, I am out of my element wrt to switch optimization.
To make sure I understand, I should not stick to Level2 on the switch rather move to Level3hw routing.
There should be a direct cable from switch to the Internet fiber box (this is a home setup).
Also, my router becomes useless except for VPN access and providing DHCP and DNS.
Depends on the requirements!
If you need to move a lot of traffic between devices on a network then a powerful switch is a great idea.
If you dont and most of the traffic is between device on the network and the internet you dont need a powerful switch but a honking router.
In other words, IMHO, if your traffic (the majority of traffic) will need to pass through the router for permission to go from one vlan to another, then a powerful switch is a waste.
If somehow one can use the Router for DHCP and DNS, AND MOVE THE LAYER 3 firewall rules to the switch, that may be useful… but at somepoint traffic will have to be evaluated when crossing vlans/subnets.
I have found this conundrum confusing most of the time so perhaps someone can point out where my thinking as gone off the beaten path.
What is the point of a powerful switch with weak routing capabilities - more the norm I think (router + switch scenario)
What is the point of a powerful switch with strong routing capabilities - most expensive. (switch only scenario)
@Anav
hosts in one VLAN cannot communicate with hosts in another VLAN unless there is a router or a Layer 3 switch to provide routing services. Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another VLAN.
So when inter-vlan communication is desirable no sense having the Router do the work when L3 on the switch can do the job better at line speeds. But of course the switch must be L3 capable and have the ASIC in place that allows line speed forwarding. TP Link have very reasonable priced switches that will do line speed routing …. With v7 of RoS some Tik switches will have the capability to do NEAR line speed forwarding … unfortunately the switch then OP SELECTED CANNOT DO IT.
As per initial post of this thread: OP wants some limitations on connectivity between VLANs. Which means firewall (with fairly simple rules) is involved. While CRS can do fasttracking in hardware, it comes with some serious limitations. If they get hit, performance drop will be dramatic and in this case letting router route between VLANs would give more consistent results. If that doesn’t happen, then CCR is there only as border gateway / firewall device (performing NAT as well). Since CCR isn’t part of all VLANs, it can’t be DHCP server for those subnets … unless CRS runs DHCP relay. Probably CRS can do all DHCP servers just fine.
I see, I have to make the question simple to get a clear answer!!
Easy question 1: How does one get traffic to pass from one vlan to another on a switch, without access the parent router to do so!!
Easy question 2: In the above case, to what extent does the router provide any vlan interactions or services?
(example… does the router still provide dhcp services, identify and create the vlans (give Ip address and assign to interface)??
Easy question 1: How does one get traffic to pass from one vlan to another on a switch, without access the parent router to do so!!
Simple, it won’t pass… A Router is needed for traffic to be routed between VLANs.. If one VLAN could access another VLAN in the Layer 2, then what would be the point of VLANs ?
VLANs create separate broadcast domains…
(example… does the router still provide dhcp services, identify and create the vlans (give Ip address and assign to interface)??
That’s what a Router does, provides Layer 3 services and more…
So, when communication between different VLANs is needed, a router must be used …
What @zacharias wants to hide from @anav (by not saying it out loud) is the fact that any device running ROS can be a router. This includes switch CRS312-4C+8XG … which can do (limited set of) L3 tasks wirespeed if running v7.1. I guess that (accompanied with a glass of Canadian rye) is making @anav’s head spin.
No that would clarify my mind LOL… ( clarity or bad liver…hard choices)
But I think inadvertently you are on the cusp of reaching the nexus of the situation.
Do pray tell which L3 limited features could the Switch do with RoS7, that would offload the router…
