I’m a beginner when it comes to networking and I have the following situation:
I want to isolate an access point that will be used to connect an untrusted surveillance camera from the rest of the network.
I have a Mikrotik RB450G as the router and 2 consumer wifi routers as access points.
The switch is unmanaged.
Everything is already configured and working properly, except for the AP that will be used to connect the surveillance camera.
Can you guys please give me a short guideline on how to approach this situation?
The only practical solution I see is to wire the untrusted AP directly to the router and bypass the switch, keeping the switch for all trusted traffic.
If not possible, then consider getting a cheap managed switch. Even then, your access points, being consumer-grade and not able to read VLAN tags, would only be able to serve one set of users, either untrusted or trusted.
Ok, so I ordered the managed switch and the surveillance camera.
I guess that I’ll have to:
- create another subnet (the untrusted subnet) for the same eth port on Mikrotik?
- configure 2 VLANs in the Mikrotik router
- another DHCP server for the second AP that will be used to connect only untrusted devices
- assign these 2 VLANs to each subnet (local PCs subnet, untrusted devices subnet)
- configure the VLAN port limitation for the switch
- configure the 2nd router to work as an AP
- block traffic between these 2 VLANs (where should this be configured?)
Did I miss something?
I’ve never used VLANs before, and it took me a while, some years ago, to manage to configure my WiFi router to be used as an AP with my existing Mikrotik.
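The router side of that checklist, written out as RouterOS commands, as an added example; this is not configuration posted in the thread. The interface name ether1, the VLAN IDs 2 (trusted) and 3 (camera), the 192.168.2.0/24 and 192.168.3.0/24 subnets, the pool ranges and the rule comments are all assumptions chosen for illustration. It also answers the "where should this be configured?" item: the block between the two VLANs lives in the router's firewall filter, because the router is the only device that can route between them.

```routeros
# Added example, not from the thread. Assumed: ether1 on the RB450G goes to
# the managed switch as a trunk; VLAN 2 = trusted (PCs + home Wi-Fi),
# VLAN 3 = untrusted camera AP; subnets 192.168.2.0/24 and 192.168.3.0/24.
# NAT towards the WAN is assumed to exist already ("everything is already working").

# 1. Two VLAN interfaces on the one physical port that faces the switch.
/interface vlan
add name=vlan2-trusted vlan-id=2 interface=ether1
add name=vlan3-camera vlan-id=3 interface=ether1

# 2. One subnet per VLAN; the router is the gateway of each.
/ip address
add address=192.168.2.1/24 interface=vlan2-trusted
add address=192.168.3.1/24 interface=vlan3-camera

# 3. A DHCP server per VLAN, each with its own pool and network.
/ip pool
add name=pool-trusted ranges=192.168.2.100-192.168.2.200
add name=pool-camera ranges=192.168.3.100-192.168.3.200
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
/ip dhcp-server
add name=dhcp-trusted interface=vlan2-trusted address-pool=pool-trusted disabled=no
add name=dhcp-camera interface=vlan3-camera address-pool=pool-camera disabled=no
# The router only answers DNS for its clients when remote requests are allowed.
/ip dns set allow-remote-requests=yes

# If the router still uses the default firewall with its "LAN" interface list,
# put the trusted VLAN into that list so it keeps full access:
# /interface list member add list=LAN interface=vlan2-trusted

# 4. Isolation. Firewall rules are matched top to bottom, so place these
#    above any generic "accept" rule in the same chain.
/interface list
add name=untrusted
/interface list member
add list=untrusted interface=vlan3-camera

/ip firewall filter
# forward chain: packets routed between interfaces.
add chain=forward action=accept connection-state=established,related comment="replies to already-allowed connections"
add chain=forward action=drop in-interface-list=untrusted out-interface=vlan2-trusted comment="camera VLAN may not open connections to the trusted VLAN"
# Trusted -> camera stays allowed so a PC or NVR can view the camera. To block
# that direction as well (both VLANs fully isolated), add the mirror rule:
# add chain=forward action=drop in-interface=vlan2-trusted out-interface-list=untrusted

# input chain: packets addressed to the router itself. The camera VLAN needs
# only DHCP and DNS from the router; management (Winbox, SSH, WebFig) stays
# unreachable from it.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=untrusted protocol=udp dst-port=67 comment="DHCP from camera VLAN"
add chain=input action=accept in-interface-list=untrusted protocol=udp dst-port=53 comment="DNS from camera VLAN"
add chain=input action=drop in-interface-list=untrusted comment="everything else from camera VLAN to the router"
```

Paste it in a terminal section by section and check `/ip firewall filter print` afterwards: the two drop rules must sit above any broad accept rule, and `/ip dhcp-server lease print` should show camera leases only from the 192.168.3.x pool once the switch port for the camera AP is untagged into VLAN 3.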
It will be less complicated than you think.
The router will do all the DHCP etc.; all the rest of the devices will be accepting and pushing out the VLANs as required.
Yes, I happen to have d-stink, netsheite, tp-stink as well as zyxle and MT switches…
VLAN1 (in that display what you should see is…)
a. ALL TRUNK PORTS ARE TAGGED FOR VLAN1
b. ALL ACCESS PORTS have no ENTRY either tagged or untagged.
VLAN XX
a. tagged for applicable Trunk ports (passing through that port going to smart devices that will read the vlans)
b. untagged for any access ports (going to dumb devices)
Under VLAN settings (at least what I have on mine)
each port should be identified as ingress checking ENABLED,
all trunk ports - ADMIT ALL
all access ports - untagged only
When you look at VLAN detail
Trunk port example,
Number of Port: etherXX
Vlan mode: trunk
Vlan Native: Vlan1
Trunk Allowed VLANs: a, b, c as applicable
ingress checking: enabled
Allowed Frames: admit all
ACCESS PORT EXAMPLE
Number of Port: etherYY
Vlan mode: Access
Access VLAN: VlanZ
ingress checking: enabled
Allowed Frames: admit all
Your variant may be different, but setting the PVID number to VlanZ for that ether port may be the way you have to do it.
Thank you for your reply, but I still don’t know what should I do. The switch doesn’t specify all those things that you mention.
It only has a VID creation list and some PVID settings.
I don’t know what the implications are of having that default VID 1 with all the ports assigned to it. Do I have to delete it, do I leave it, do I remove some ports from it?
The Mikrotik router will be connected on port 1, port 2-6 will be for PC’s, port 7 for the safer Wifi and port 8 for the unsafe Wifi.
What I don’t know:
Do I go for 802.1Q VLAN or port-based VLAN? (These are the 2 options that this switch has.) Do I have to use port-based VLANs with port tagging/untagging?
What happens with default VID 1? Do I alter it after I create extra VLANs, or do I leave it as it is?
Do I create 3 VLANs one containing port 1,7 and one containing port 1,8 and one containing port 1,2,3,4,5,6?
Yes 802.1Q
Default VLAN, PVID 1, stays with trunk ports only and is replaced by the PVID of the VLAN for untagged ports.
Think of VLANs needing to traverse ports; if they don’t, then it’s not identified to that port by the various means…
Okay, I have a DGS1100-24 and I don’t have any PVID menus, as it’s one step up the food chain in setup or it’s just older, who knows…
In any case I have provided a setup I use on one of my Netgear smart switches that mimics your choices.
To give you context, FIRST PICTURE: Trunk Ports are 1, 3, 7, 8
1 goes to capac AP smart
3 goes to Tplink AP smart
7 goes to Main Router
8 goes to Backup to main router in case ether7 port fails…
Access Ports are 2,4,5,6
2 goes to a dumb iot device
4 goes to a dumb switch
5 goes to another dumb iot device
6 is a spare port where I can hook up my laptop (dumb device).
PICTURES 2-4
These show the tagging and untagging of various VLANS assigned to the switch.
As you can see, the default PVID for every port is VLAN1 UNTAGGED; since we don’t change PVID for trunk ports, each trunk port should have an untagged entry.
All access ports should have NO entry for VLAN1 (tagged or untagged), as the PVID entry for the specific port removes VLAN1 from the equation.
The 2nd picture shows the relationships of VLAN1 to the ports (default VLAN).
The 3rd/4th pictures show the relationships of a normal VLAN that comes in on a trunk port and goes out both trunk and access ports (tagged for all trunk ports and untagged for access ports).
…
So on the port coming from the router, let’s call it ether1:
It’s a trunk port. It should show untagged for VLAN1; don’t touch PVID or anything else.
The only thing you need to do here is tag VLANX and VLANY, assuming X is home and Y is guest.
Then let’s say ether2 is to the AP for home users.
Then you will need to PVID port 2 with VLAN number X, and the port is also UNTAGGED for VLANX.
Then let’s say ether3 is for the PC you use.
Then you will need to set PVID port 3 with VLAN number X, and the port is also UNTAGGED for VLANX.
Then let’s say ether4 is for the GUEST AP.
Then you will need to set PVID port 4 with VLAN number Y, and the port is also UNTAGGED for VLANY.
+++++++++++++++++++++++++++++++++++
So in that computer screen layout picture you showed, it would look like
VLAN1: Untagged → (should only be trunk ports = 1 and any unassigned ports on the switch) / Tagged (NONE).
VLAN2: WIFI1 (assuming home wifi) Untagged → (should be ether2 and ether3) / Tagged = ether1
VLAN3: WIFI2 (assuming guest wifi) Untagged → (should be ether4) / Tagged = ether1
+++++++++++++++++++++++++++++++++++++++++++++
That should be enough info to get you where you need to be. Fill it in as you need it specific to your setup and then post all the pics here and I will have a look.
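The same port/VLAN table written as RouterOS bridge VLAN filtering, added here as an example for anyone doing this on one of the MikroTik switches mentioned earlier in the thread; it is not the Netgear or D-Link screen the posts describe and not configuration from the thread. Port roles are assumed to match the answer above (ether1 trunk to the router, ether2/ether3 trusted access, ether4 guest AP access), and the bridge name bridge1 is an assumption.

```routeros
# Added example, not configuration from the thread. Assumed: a MikroTik switch
# running RouterOS, bridge name bridge1, ether1 = trunk to the router,
# ether2/ether3 = access ports for the home AP and PC (VLAN 2),
# ether4 = access port for the guest/camera AP (VLAN 3).

# Create the bridge with filtering OFF; it is switched on as the last step so
# a typo in the table cannot lock you out halfway through.
/interface bridge
add name=bridge1 vlan-filtering=no

# Port roles. The trunk keeps PVID 1 (the untagged VLAN1 entry from the
# answer). Access ports get the PVID of their VLAN and, like "untagged only"
# above, refuse tagged frames on ingress; ingress-filtering is the
# "ingress checking" setting.
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=1 ingress-filtering=yes frame-types=admit-all
add bridge=bridge1 interface=ether2 pvid=2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# The VLAN table, one row per VLAN, the same as the "Untagged -> / Tagged ="
# lines above:
#   VLAN2: untagged ether2, ether3 / tagged ether1
#   VLAN3: untagged ether4         / tagged ether1
# VLAN1 needs no row: pvid=1 on the trunk creates its untagged entry, and the
# access ports carry no VLAN1 entry at all.
/interface bridge vlan
add bridge=bridge1 vlan-ids=2 tagged=ether1 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=3 tagged=ether1 untagged=ether4

# Check the table before enabling: each port should appear only in the rows
# you expect (the current-tagged / current-untagged columns).
/interface bridge vlan print

# Now enforce it.
/interface bridge set bridge1 vlan-filtering=yes
```

With this table a frame arriving untagged on ether4 is stamped VLAN 3 and can only leave tagged on ether1 towards the router; it has no path to ether2 or ether3, so the guest AP and the home ports never share a broadcast domain inside the switch, and whatever is allowed between the two VLANs is decided by the router's firewall alone.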