Lots of VLANs need internet access via 1 internet gateway

Hello guys,

I need help with a company network setup upgrade.
The current network scheme is attached; no VLANs exist. Different manageable devices have statically assigned different /24 network addresses for security purposes. But there is a big problem: all devices not participating in 192.168.1.0/24 do not have internet at all, and internet is needed for NTP sync, some firmware updates, and sometimes remote management.

I have a Mikrotik router which I want to integrate between the internet router and the first Cisco switch, to be able to provide internet gateways for different VLANs, to be able to have multiple DHCP pools for different VLANs, and so on. Consider that all APs (guests' and company's) are in bridge mode, as is the Ubiquiti AP + BS. No network hardware not in the 192.168.1.0/24 subnet has internet access.

I would like:

  1. Assign different VLANs for different /24 networks (Cisco switches in VLAN 10, Ubiquiti bridge AP + BS in VLAN 20, guests' APs in VLAN 30 and so on)
  2. Create VLANs with respective separated DHCP pools for guests connecting to WiFi via guests' APs; employees connecting to company APs + company computers should share the same VLAN + pool to be able to print wirelessly on the company printer (which should have a static IP inside the same company VLAN)
  3. A separated VLAN with a separated DHCP pool for company IP phones in both buildings.
  4. All VLANs should be able to access the internet via 192.168.1.1 (Starlink router)

A few questions:

  1. Would the above add-ons 1-4 improve network security?
  2. Will a Mikrotik router like the hEX be able to create numerous internet gateway interfaces to give each VLAN internet access?
  3. Do Mikrotik routers support traffic for different VLANs passing through one port (sub-interfaces), so should I connect only one ethernet cable between the Mikrotik and the Cisco switch, or maybe multiple are better (for failover or maybe for load balancing etc.)?
  4. Should I use Starlink router bypass mode and set up the Mikrotik as the main router, or is it better to use the Mikrotik as 192.168.1.2 and then route all VLANs via 192.168.1.2 to the Starlink router?
  5. Do you have any other suggestions on how to improve the current setup in terms of security and manageability?

Currently, if I connect to any network termination, I'm able to access every single device by setting the proper addresses for each subnet on the control PC's single ethernet card. I would like to have the same possibility with the new setup. Do VLANs support VLAN auto-assignment based on MAC address? So that, connecting my device to any network endpoint, guest AP or any network port, my network card would instantly be granted access to all VLANs where the network devices reside?

Thank you in advance for your kind help.


ECO PARCO.drawio.pdf (44.7 KB)

Regarding your questions:

  1. Whether it will improve network security depends on how you configure the switches and routers in the path. If you freely allow routing traffic between VLANs, the security benefits are very small.
  2. Yes. You would use VLAN interfaces on the Mikrotik side for this.
  3. Yes, you can use VLAN tagging to transport multiple VLANs over one link. You can also use different SSIDs on your Wireless access points to separate Company users and guests on the wireless side as well.
  4. I would recommend using the Starlink router in bypass mode and letting the Mikrotik router handle routing. It will make the setup simpler and prevent layering NATs on top of each other.
  5. One thing that would improve manageability would be reducing the number of different vendors you use in the network.
    Last, unnumbered question: No, VLANs are not automatically assigned based on MAC addresses. Generally, you would designate ports to certain VLANs. But this would mean that anyone who can physically access the port can access the VLAN it is assigned to.
    You can technically use switch rules to achieve MAC-based VLAN tagging, but it is very insecure as MAC addresses can be very easily spoofed.
    For WiFi clients the selection of the VLAN would be based on which SSID the client connects to. This is a function of the wireless APs and/or their controller.
    For LAN clients you could use network authentication through 802.1X to have the switch dynamically assign the VLAN upon authentication. This would be a function of your switches, which need to support this. Note that this would also require an authentication backend (such as an Active Directory or LDAP server) which can provide the assigned VLAN as part of the user attributes.

You are mentioning the hEX, but looking at your PDF it looks like your environment is quite big and looks like a kind of medium/large company.
Perhaps you should consider another model, because with the hEX you can put it under too much pressure in case of several clients, and also considering that to reach security you might start to use it also for complex firewall rules or QoS.

About security.
VLANs alone do not add security.
VLANs are useful to segment traffic and create different broadcast domains to keep your network more efficient. So as long as you stay at L2 (switching) your subnets will not talk to each other, but as soon as you go to L3 (routing) your VLANs will talk to each other (unless set up differently to prevent inter-VLAN routing).
My suggestion here is to map and document all your needs and "who needs to have access to what", and start to design a clear firewall strategy for your organization.

And if I may, I'll add my two cents. Personally, on a design for a medium/large company, I would not put my core/distribution layer on the edge router but would keep it separated for better reliability and security.

Hello guys again and thank you for your opinion.
They are extremely useful for me.

So these are the key points which should be achieved by adding a router/firewall from Mikrotik.

  1. No inter-VLAN routing required, except that the company APs' VLAN should be able to access (so inter-VLAN routing is required) only the company PCs' VLAN, to be able to print from cell devices on network printers which would be part of the PCs' VLAN.
  2. Each VLAN should have internet access for NTP time sync, e-mail notifications, firmware updates.
  3. The guests' VLAN should not have access in any way to any other VLAN.
  4. Guests' APs should handle traffic/SSIDs only for guests, while company APs should handle exclusively the company's traffic/SSIDs.
  5. I have to be able to access every device/VLAN in the network, preferably at least via one predefined company AP (so basically from a certain Cisco switch port) or directly connected to a predefined Cisco port via ethernet cable.
  6. No guest should be able to connect to the guests' WiFi, add an IP address from any of the company's subnets to his WiFi adapter, and be able to scan/access any of the company's equipment in any case, even though all equipment is already protected with 10^100 complexity passwords.

Thank you very very much for all of you guys for your input, suggestions, 2 cents and so on. I extremely appreciate it!
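Putting the first reply's advice (VLAN sub-interfaces on one tagged trunk, Starlink in bypass mode, no free inter-VLAN routing) together with the six requirements in the follow-up post, here is an added RouterOS configuration sketch; it is not from the thread or any of its participants, and the port roles, VLAN IDs, subnets and the printer address are all constructed assumptions.

```routeros
# Constructed example layout (assumption, not from the thread):
#   ether1 = WAN to Starlink router in bypass mode; ether2 = 802.1Q trunk to Cisco
#   VLAN 10 mgmt 192.168.10.0/24, VLAN 30 guests 192.168.30.0/24,
#   VLAN 40 company WiFi 192.168.40.0/24, VLAN 50 company PCs 192.168.50.0/24
#   Printer assumed static at 192.168.50.10 inside the PC VLAN
/ip dhcp-client add interface=ether1 disabled=no
# One VLAN sub-interface per network, all carried on the single trunk cable
/interface vlan
add name=vlan10-mgmt vlan-id=10 interface=ether2
add name=vlan30-guest vlan-id=30 interface=ether2
add name=vlan40-wifi vlan-id=40 interface=ether2
add name=vlan50-pc vlan-id=50 interface=ether2
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.30.1/24 interface=vlan30-guest
add address=192.168.40.1/24 interface=vlan40-wifi
add address=192.168.50.1/24 interface=vlan50-pc
# Separate DHCP pool per VLAN (guest pool shown; repeat for the other VLANs)
/ip pool add name=pool-guest ranges=192.168.30.10-192.168.30.254
/ip dhcp-server add name=dhcp-guest interface=vlan30-guest address-pool=pool-guest disabled=no
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
# Interface lists keep the firewall policy short and readable
/interface list add name=WAN
/interface list add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10-mgmt
add list=LAN interface=vlan30-guest
add list=LAN interface=vlan40-wifi
add list=LAN interface=vlan50-pc
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Management VLAN (the predefined admin port on the Cisco) reaches every VLAN
add chain=forward action=accept in-interface=vlan10-mgmt out-interface-list=LAN
# The only other permitted inter-VLAN flow: company WiFi -> printer ports only
add chain=forward action=accept in-interface=vlan40-wifi out-interface=vlan50-pc \
    dst-address=192.168.50.10 protocol=tcp dst-port=631,9100
# Every VLAN, guests included, may reach the internet (NTP, updates, mail)
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
# Everything else between VLANs is dropped and logged; nothing from WAN is forwarded in
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN log=yes log-prefix="inter-vlan"
add chain=forward action=drop
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade
```

The Cisco port facing ether2 must be an 802.1Q trunk carrying the same VLAN IDs, with the admin port and each AP placed in its VLAN on the switch side. The router's own services (DHCP, DNS, WinBox) are governed by the input chain, which needs its own rules so the guest VLAN cannot reach router management.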