MikroTik setup with CAPsMAN for a home network + mDNS

Hi everyone! I’m not a DevOps professional, but I’m not new to IT either. I’m setting up my home network with MikroTik devices and wanted to share my experience while asking for some advice from more experienced users.

Review
Here’s a simplified network topology:
(Network diagram: lan_diagram.png)
VLANs:

  • VLAN-main (ID 10):
    Purpose: This is the primary network for all personal devices (computers, smartphones, tablets, etc.). It’s the main family network that ensures high security while allowing internet access and internal communication between devices.
    Address Range: 192.168.10.0/25
  • VLAN-guest (ID 20):
    Purpose: This VLAN is used for guest devices, isolating them from the main network for security. Guests can access the internet but cannot communicate with devices in other VLANs.
    Address Range: 172.16.0.0/24
  • VLAN-iot (ID 30):
    Purpose: Dedicated for IoT devices such as smart home gadgets, printers, Chromecasts, and cameras. Isolated from other networks to protect more sensitive devices in the main network.
    Address Range: 10.0.0.0/24
  • VLAN-mgmt (ID 40):
    Purpose: This VLAN is reserved for management purposes only. It’s used to control and access the router, access points, and other network infrastructure. Only trusted devices and admins have access to this VLAN.
    Address Range: 192.168.40.0/24

IP Pools:

Each VLAN has a pool of IP addresses for dynamic DHCP, as well as a dedicated range for static IPs for critical devices like NAS, printers, etc. I’ve left certain address ranges purely for static IPs for those devices that must not change their addresses.

mDNS Integration:

On this same forum, I found a solution for enabling mDNS traffic between VLANs, allowing me to connect printers and other IoT devices (like Chromecast) from the VLAN-iot to the VLAN-main. By using MACVLAN and bridge filtering, I was able to set up a workaround to make mDNS work between VLANs, enabling devices in the main network to see printers and other IoT devices.
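As an added example (my code, not the poster's RouterOS config), here is a Python emulation of the two /interface bridge filter rules from the hAP ax3 export, applied to constructed Ethernet frames. The match values are the ones in the export; the sender MACs, host IPs and ephemeral ports are made up, and the legacy unicast query, SSDP and IPv6 cases show which traffic the "Allow mDNS only" rule does not forward between the two macvlan ports.

```python
import struct
from ipaddress import IPv4Address

# Match values taken from the "Allow mDNS only" bridge filter rule
MDNS_MAC = bytes.fromhex("01005e0000fb")   # dst-mac-address=01:00:5E:00:00:FB
MDNS_IP = IPv4Address("224.0.0.251")       # dst-address=224.0.0.251/32
MDNS_PORT = 5353                           # src-port=5353 dst-port=5353
HOST_MAC = bytes.fromhex("02aabbccdd01")   # constructed sender MAC

def build_frame(dst_mac, src_mac, dst_ip, src_ip, sport, dport, payload=b"\x00" * 12):
    """Construct an Ethernet/IPv4/UDP frame; checksums stay zero, the filter ignores them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 255, 17, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + udp

def bridge_filter(frame):
    """Evaluate the two rules in order: accept on a full mDNS match, else the drop rule."""
    if frame[12:14] != b"\x08\x00" or frame[0:6] != MDNS_MAC:   # mac-protocol=ip, dst MAC
        return "drop"
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17 or IPv4Address(frame[30:34]) != MDNS_IP:  # ip-protocol=udp, dst IP
        return "drop"
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    if (sport, dport) != (MDNS_PORT, MDNS_PORT):                 # both ports must be 5353
        return "drop"
    return "accept"

# Constructed frames (addresses are made up within the thread's VLAN ranges)
MDNS_QUERY = build_frame(MDNS_MAC, HOST_MAC, "224.0.0.251", "192.168.10.50", 5353, 5353)
# Legacy one-shot query (RFC 6762 section 6.7): ephemeral source port, and the
# responder answers by unicast, so neither direction passes the rule
LEGACY_QUERY = build_frame(MDNS_MAC, HOST_MAC, "224.0.0.251", "192.168.10.50", 49152, 5353)
UNICAST_REPLY = build_frame(HOST_MAC, bytes.fromhex("02aabbccdd02"), "192.168.10.50",
                            "10.0.0.11", 5353, 49152)
# SSDP/UPnP discovery uses another group and port, so it stays inside its VLAN
SSDP = build_frame(bytes.fromhex("01005e7ffffa"), HOST_MAC, "239.255.255.250",
                   "192.168.10.50", 49153, 1900)
# IPv6 mDNS (ff02::fb) is never forwarded: the rule is limited to mac-protocol=ip
MDNS_V6 = bytes.fromhex("3333000000fb") + HOST_MAC + b"\x86\xdd" + b"\x00" * 48
```

The practical consequence is that only continuous multicast mDNS crosses the BridgemDNS bridge; a host that sends legacy one-shot queries, or relies on IPv6 mDNS, will not discover devices in the other VLAN through this path.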

CAPsMAN and Wi-Fi Networks

In my home network, I use MikroTik CAPsMAN (Controlled Access Point System Manager) for centralized management of all wireless access points (APs). This allows me to manage multiple access points from a single device (MikroTik HAP_ax3), maintaining consistent configurations and providing seamless handover for clients between access points. For wireless network management, I have set up three distinct SSIDs, each operating on separate VLANs:

  • Main Wi-Fi (vlan-10-main): This is the primary network for all personal devices. It uses WPA2/WPA3 security and is connected to mobile devices, laptops, and other personal devices.
  • Guest Wi-Fi (vlan-20-guest): A guest network with client isolation to ensure security. This network provides access to the internet without granting access to internal resources and is used for temporary guest connections.
  • IoT Wi-Fi (vlan-30-iot): A network for smart devices and IoT. Devices like Chromecast, smart bulbs, and other IoT gadgets are isolated here. The network is secured with minimal internal access, while providing controlled access from the main network for configuration purposes.
  • Management Wi-Fi (vlan-40-mgmt): Used for managing CAPsMAN devices, with access limited to administrators for configuring access points and other network devices.

All access points are configured on CAP_ax_1 and CAP_ax_2, with the SSID and channel configuration synchronized through CAPsMAN on HAP_ax_3. This setup ensures seamless roaming between access points without connection drops, which is especially important when moving around the house with devices like smartphones or laptops.

My Configs:
hAP_ax3

# 2024-09-11 13:18:41 by RouterOS 7.15.3
# software id = <SOFTWARE_ID>
# 
# model = C53UiG+5HPaxD2HPaxD
# serial number = <SERIAL_NUMBER>
/interface bridge
add name=BridgemDNS protocol-mode=none
add name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface vlan
add interface=bridge-local name=vlan-10-main vlan-id=10
add interface=bridge-local name=vlan-20-guest vlan-id=20
add interface=bridge-local name=vlan-30-iot vlan-id=30
add interface=bridge-local name=vlan-40-mgmt vlan-id=40
add interface=ether1 name=vlan300 vlan-id=300
/interface macvlan
add interface=vlan-10-main mac-address=<MAC_ADDRESS_1> name=macvlan10
add interface=vlan-30-iot mac-address=<MAC_ADDRESS_2> name=macvlan30
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax name=channel_24Ghz_ax width=20/40mhz
add band=2ghz-n name=channel_24Ghz_n width=20mhz
add band=5ghz-ac name=channel_5Ghz_ac skip-dfs-channels=all width=20/40/80mhz
add band=5ghz-ax name=channel_5Ghz_ax skip-dfs-channels=all width=20/40/80mhz
/interface wifi datapath
add bridge=bridge-local name=datapath_main vlan-id=10
add bridge=bridge-local client-isolation=yes name=datapath_guest vlan-id=20
add bridge=bridge-local name=datapath_iot vlan-id=30
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-mobility-domain=0x100 ft-over-ds=yes management-protection=required name=security_main
add authentication-types=wpa2-psk ft=yes ft-mobility-domain=0x200 ft-over-ds=yes name=security_iot
add authentication-types=wpa2-psk ft=yes ft-mobility-domain=0x300 ft-over-ds=yes name=security_guest
/interface wifi configuration
add channel=channel_24Ghz_ax country=Netherlands datapath=datapath_guest disabled=no mode=ap name=<SSID_GUEST_2_AX> security=security_guest ssid=<SSID_GUEST>
add channel=channel_24Ghz_n country=Netherlands datapath=datapath_guest disabled=no mode=ap name=<SSID_GUEST_2_N> security=security_guest ssid=<SSID_GUEST>
add channel=channel_5Ghz_ax country=Netherlands datapath=datapath_main mode=ap name=<SSID_MAIN_5_AX> security=security_main ssid=<SSID_MAIN>
add channel=channel_24Ghz_n country=Netherlands datapath=datapath_main mode=ap name=<SSID_MAIN_2_N> security=security_main ssid=<SSID_MAIN>
add channel=channel_5Ghz_ac country=Netherlands datapath=datapath_main mode=ap name=<SSID_MAIN_5_AC> security=security_main ssid=<SSID_MAIN>
add channel=channel_5Ghz_ax country=Netherlands datapath=datapath_iot disabled=no mode=ap name=<SSID_IOT_5_AX> security=security_iot ssid=<SSID_IOT>
add channel=channel_24Ghz_ax country=Netherlands datapath=datapath_iot disabled=no mode=ap name=<SSID_IOT_2_AX> security=security_iot ssid=<SSID_IOT>
add channel=channel_24Ghz_n country=Netherlands datapath=datapath_iot disabled=no mode=ap name=<SSID_IOT_2_N> security=security_iot ssid=<SSID_IOT>
add channel=channel_5Ghz_ac country=Netherlands datapath=datapath_iot disabled=no mode=ap name=<SSID_IOT_5_AC> security=security_iot ssid=<SSID_IOT>
add channel=channel_5Ghz_ax country=Netherlands datapath=datapath_guest disabled=no mode=ap name=<SSID_GUEST_5_AX> security=security_guest ssid=<SSID_GUEST>
add channel=channel_5Ghz_ac country=Netherlands datapath=datapath_guest disabled=no mode=ap name=<SSID_GUEST_5_AC> security=security_guest ssid=<SSID_GUEST>
add channel=channel_24Ghz_ax country=Netherlands datapath=datapath_main disabled=no mode=ap name=<SSID_MAIN_2_AX> security=security_main ssid=<SSID_MAIN>
/interface wifi
add configuration=<SSID_MAIN_5_AX> disabled=no name=cap-wifi1 radio-mac=<RADIO_MAC_1>
add configuration=<SSID_GUEST_5_AX> disabled=no mac-address=<MAC_ADDRESS_3> master-interface=cap-wifi1 name=cap-wifi2
add configuration=<SSID_IOT_5_AX> disabled=no mac-address=<MAC_ADDRESS_4> master-interface=cap-wifi1 name=cap-wifi3
add configuration=<SSID_MAIN_2_AX> disabled=no name=cap-wifi4 radio-mac=<RADIO_MAC_2>
add configuration=<SSID_GUEST_2_AX> disabled=no mac-address=<MAC_ADDRESS_5> master-interface=cap-wifi4 name=cap-wifi5
add configuration=<SSID_IOT_2_AX> disabled=no mac-address=<MAC_ADDRESS_6> master-interface=cap-wifi4 name=cap-wifi6
add configuration=<SSID_MAIN_5_AX> disabled=no name=cap-wifi7 radio-mac=<RADIO_MAC_3>
add configuration=<SSID_GUEST_5_AX> disabled=no mac-address=<MAC_ADDRESS_7> master-interface=cap-wifi7 name=cap-wifi8
add configuration=<SSID_IOT_5_AX> disabled=no mac-address=<MAC_ADDRESS_8> master-interface=cap-wifi7 name=cap-wifi9
add configuration=<SSID_MAIN_2_AX> disabled=no name=cap-wifi10 radio-mac=<RADIO_MAC_4>
add configuration=<SSID_GUEST_2_AX> disabled=no mac-address=<MAC_ADDRESS_9> master-interface=cap-wifi10 name=cap-wifi11
add configuration=<SSID_IOT_2_AX> disabled=no mac-address=<MAC_ADDRESS_10> master-interface=cap-wifi10 name=cap-wifi12
set [ find default-name=wifi1 ] configuration=<SSID_MAIN_5_AX> disabled=no
add configuration=<SSID_GUEST_5_AX> disabled=no mac-address=<MAC_ADDRESS_11> master-interface=wifi1 name=wifi2
set [ find default-name=wifi2 ] configuration=<SSID_MAIN_2_AX> disabled=no
add configuration=<SSID_IOT_5_AX> disabled=no mac-address=<MAC_ADDRESS_12> master-interface=wifi1 name=wifi3
add configuration=<SSID_GUEST_2_AX> disabled=no mac-address=<MAC_ADDRESS_13> master-interface=wifi2 name=wifi4
add configuration=<SSID_IOT_2_AX> disabled=no mac-address=<MAC_ADDRESS_14> master-interface=wifi2 name=wifi5
/ip pool
add name=dhcp_pool0 ranges=192.168.10.20-192.168.10.126
add name=dhcp_pool1 ranges=172.16.0.2-172.16.0.254
add name=dhcp_pool2 ranges=10.0.0.20-10.0.0.254
add name=dhcp_pool3 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan-10-main name=dhcp-vlan-10
add address-pool=dhcp_pool1 interface=vlan-20-guest name=dhcp-vlan-20
add address-pool=dhcp_pool2 interface=vlan-30-iot name=dhcp-vlan-30
add address-pool=dhcp_pool3 interface=vlan-40-mgmt name=dhcp-vlan-40
/interface bridge filter
add action=accept chain=forward comment="Allow mDNS only" dst-address=224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 in-bridge=BridgemDNS ip-protocol=udp mac-protocol=ip out-bridge=BridgemDNS src-port=5353
add action=drop chain=forward comment="Drop all other L2 traffic" in-bridge=BridgemDNS out-bridge=BridgemDNS
/interface bridge nat
add action=src-nat chain=srcnat comment="SNAT to Primary VLAN bridge" dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF to-src-mac-address=<BRIDGE_MAC_ADDRESS>
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4 pvid=10
add bridge=bridge-local interface=ether5 pvid=30
add bridge=BridgemDNS interface=macvlan10
add bridge=BridgemDNS interface=macvlan30
/interface bridge vlan
add bridge=bridge-local tagged=bridge-local,ether2,ether3 untagged=ether4 vlan-ids=10
add bridge=bridge-local tagged=bridge-local,ether2,ether3 vlan-ids=20
add bridge=bridge-local tagged=bridge-local,ether2,ether3 untagged=ether5 vlan-ids=30
add bridge=bridge-local tagged=bridge-local,ether2,ether3 vlan-ids=40
/interface list member
add interface=ether1 list=WAN
add interface=bridge-local list=LAN
add interface=vlan300 list=WAN
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan-40-mgmt package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=<SSID_MAIN_5_AX> slave-configurations=<SSID_GUEST_5_AX>,<SSID_IOT_5_AX> supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=<SSID_MAIN_5_AC> slave-configurations=<SSID_GUEST_5_AC>,<SSID_IOT_5_AC> supported-bands=5ghz-ac
add action=create-enabled disabled=no master-configuration=<SSID_MAIN_2_AX> slave-configurations=<SSID_GUEST_2_AX>,<SSID_IOT_2_AX> supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=<SSID_MAIN_2_N> slave-configurations=<SSID_GUEST_2_N>,<SSID_IOT_2_N> supported-bands=2ghz-n
add action=none disabled=no
/ip address
add address=192.168.10.1/25 interface=vlan-10-main network=192.168.10.0
add address=172.16.0.1/24 interface=vlan-20-guest network=172.16.0.0
add address=10.0.0.1/24 interface=vlan-30-iot network=10.0.0.0
add address=192.168.40.1/24 interface=vlan-40-mgmt network=192.168.40.0
/ip dhcp-client
add interface=vlan300
/ip dhcp-server lease
add address=10.0.0.10 client-id=1:c8:5a:cf:8c:32:7d mac-address=<DHCP_LEASE_MAC> server=dhcp-vlan-30
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=172.16.0.0/24 gateway=172.16.0.1
add address=192.168.10.0/25 gateway=192.168.10.1
add address=192.168.40.0/24 gateway=192.168.40.1
/ip firewall address-list
add address=192.168.10.0/24 list=Local-Networks
add address=192.168.40.0/24 list=Local-Networks
add address=10.0.0.0/24 list=Local-Networks
add address=172.16.0.0/24 list=Local-Networks
add address=10.0.0.11 list=shared-iot
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packages" connection-state=invalid in-interface-list=WAN
add action=accept chain=input comment="accept ICMP" packet-size=0-128 protocol=icmp
add action=accept chain=input comment="accept from main network" in-interface=vlan-10-main
add action=accept chain=input comment="accept from mgmt network" in-interface=vlan-40-mgmt
add action=drop chain=input comment="drop all other connections"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan300
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=<ROUTER_NAME>
/system note
set show-at-login=no
cAP_ax

# 2024-09-11 13:26:54 by RouterOS 7.15.3
# software id = <SOFTWARE_ID>
#
# model = cAPGi-5HaxD2HaxD
# serial number = <SERIAL_NUMBER>
/interface bridge
add comment=defconf name=bridge-local vlan-filtering=yes
/interface vlan
add interface=bridge-local name=vlan-40-mgmt vlan-id=40
/interface wifi datapath
add bridge=bridge-local comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: <SSID_MAIN>, channel: 5745/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
# managed by CAPsMAN
# mode: AP, SSID: <SSID_MAIN>, channel: 2412/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
/interface bridge port
add bridge=bridge-local comment=defconf interface=ether1
add bridge=bridge-local comment=defconf interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridge-local tagged=bridge-local,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge-local tagged=bridge-local,ether1 vlan-ids=20
add bridge=bridge-local tagged=bridge-local,ether1 vlan-ids=30
add bridge=bridge-local tagged=bridge-local,ether1 vlan-ids=40
/interface wifi cap
set caps-man-addresses=192.168.40.1 discovery-interfaces="" enabled=yes \
    slaves-datapath=capdp
/ip dhcp-client
add interface=vlan-40-mgmt
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=<CAP_AX_2>
/system note
set show-at-login=no
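As an added example (my code, not the poster's RouterOS config), a small Python checker that parses the export format shown above and flags two VLAN-isolation gaps a reviewer looks for: a bridge port whose pvid has no untagged entry in the bridge VLAN table, and an /ip firewall filter chain without a terminating drop, since RouterOS accepts any packet that reaches the end of a chain. The embedded excerpt is constructed in the shape of the hAP ax3 export, with ether5 and the forward chain deliberately left incomplete so both checks fire.

```python
"""Check a RouterOS export for two VLAN-isolation gaps (added example, not RouterOS code)."""
import re

# Constructed excerpt in the shape of the hAP ax3 export; ether5 and the
# forward chain are deliberately left incomplete so both checks fire.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether4 pvid=10
add bridge=bridge-local interface=ether5 pvid=30
/interface bridge vlan
add bridge=bridge-local tagged=bridge-local,ether2 untagged=ether4 vlan-ids=10
add bridge=bridge-local tagged=bridge-local,ether2 vlan-ids=30
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="drop all other connections"
"""

def parse_export(text):
    """Map each '/section' header to the key=value dicts of its 'add' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = sections.setdefault(line.strip(), [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return sections

def audit(text):
    """Return human-readable findings; an empty list means both checks passed."""
    s, findings = parse_export(text), []
    # 1. An access port's pvid must be an untagged member of that VLAN, or the bridge
    #    will not pass that VLAN's frames out of the port.
    untagged = {(v["bridge"], v["vlan-ids"]): v.get("untagged", "").split(",")
                for v in s.get("/interface bridge vlan", [])}
    for p in s.get("/interface bridge port", []):
        pvid = p.get("pvid", "1")  # RouterOS default pvid
        if pvid != "1" and p["interface"] not in untagged.get((p["bridge"], pvid), []):
            findings.append(f"{p['interface']}: pvid {pvid} has no untagged entry in bridge vlan")
    # 2. RouterOS accepts a packet that reaches the end of a chain, so a chain that is
    #    meant to isolate VLANs needs rules ending in an explicit drop.
    chains = {}
    for r in s.get("/ip firewall filter", []):
        chains.setdefault(r["chain"], []).append(r["action"])
    for chain in ("input", "forward"):
        actions = chains.get(chain, [])
        if not actions:
            findings.append(f"{chain} chain: no rules, so everything is accepted")
        elif actions[-1] not in ("drop", "reject"):
            findings.append(f"{chain} chain: last rule is {actions[-1]}, not drop")
    return findings
```

Run it against a full `/export` to get the same two checks over every bridge port and both chains; the same parser can be extended to other sections with the same add-line shape.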
Questions:

  1. How does this setup impact network performance?
    The use of MACVLAN and bridge filtering may add some CPU load. Are there any suggestions for monitoring and optimizing this for a home network?
  2. Security of mDNS between VLANs:
    While I’ve isolated VLANs, opening mDNS traffic between the main network and IoT VLAN may introduce some risks. Is there a more secure way to achieve this?
  3. CAPsMAN and seamless roaming:
    I have multiple floors in my house with access points managed via CAPsMAN, and I need to adjust the antenna power for each floor to ensure optimal signal coverage and seamless roaming:
    Ground floor (HAP_ax_3): I want the strongest signal possible to cover the entire area.
    Second floor (CAP_ax_1): I need a moderate signal strength to prevent interference with the ground floor access point.
    Third floor (CAP_ax_2): I want a weaker signal to avoid overshooting the third floor and interfering with the second-floor signal.
    Is there a recommended way to configure TX Power or Antenna Gain for each AP to achieve the best roaming experience and prevent interference across floors?
    This should guide you in fine-tuning the antenna power for seamless performance across all floors.
  4. FastTrack optimization:
    FastTrack is enabled for improving performance. Are there any scenarios where it’s better not to use FastTrack?