Hi,
I currently have a very basic flat network, only 1 LAN 192.168.1.0/24. I would like to move my servers to a separate VLAN, for example 802.1q vlan id 2 and network 192.168.2.0/24. All my devices are connected to a Netgear managed switch, so all VLAN traffic should be tagged to this switch via a single port on the L009. How should I accomplish this, and do I have to immediately set up VLANs for all other traffic and all existing networks, like 1 VLAN for home and 1 VLAN for management traffic? Should I first configure the switch or the router? Do I need to set up firewall rules to allow any traffic between VLAN and LAN, or is everything routed by default and I only have to add rules to block traffic? I already read the basic VLAN tutorial on this forum, however I still didn't get the grasp.
So, if I have understood properly, here are the basic steps I should do:
create VLAN interface(s) on interface bridge and add VLAN ID(s)
add IPs, DHCP servers and DNS servers to aforementioned VLANs
turn on vlan-filtering on the bridge?
But, at which point do I choose the port I want to send all this VLAN traffic over (the tagged port)? Do I need to create a new bridge, when I already have the defconf one? And will I be kicked out of the management https while doing this modification?
Hi,
Yes, I already read through that thread. However, the configuration there is vastly different, for example the config in that thread includes a separate management VLAN. I would just like to add one additional VLAN without touching the existing LAN config. And the tutorial only includes config files, which are quite different compared to the one I got by extracting the base config from my L009 router. Could it be possible to only add one extra VLAN and have the rest of the traffic on the existing LAN network? Can I lock myself out of the system very easily if I add one VLAN to the bridge and enable bridge VLAN filtering? Should I first configure my switch with 802.1Q tagged traffic, or just begin from the router? And also, is traffic blocked by default between VLANs in RouterOS 7, or does RouterOS always try to route between different networks?
Adapt, so you have two VLANs and no management VLAN; still, you should have at least a trusted VLAN then, where the admin usually works and no nefarious users or devices lurk.
That in effect becomes your base VLAN in concept.
One bridge, identify all VLANs to the bridge.
If you are worried about locking yourself out, use SAFEMODE lots and for me the best approach is to take one port completely off the bridge and do all my configuring from there more safely. https://forum.mikrotik.com/viewtopic.php?t=181718
Ok, I understood that. However, I meant that now, when I just have 1 LAN and I would like to move to a segmented network with VLANs and different subnets, do I immediately have to implement a management VLAN? Or could I have my original base config LAN and just add VLANs to that? I would believe that the LAN would then be associated with VLAN id 1. Or is it that if you implement VLANs you have to move all networks to utilize VLANs? And I'm not very familiar with these RouterOS devices; do you set up a certain IP address for the router itself, or how does the management VLAN work? In a basic setup, the user sets up a DHCP server and LAN network address, and then the connection to the router is made by that gateway IP. Can you theoretically connect to the router from any network if the firewall allows so?
Correct just add another vlan!
No it would be vlanid=XX ANY NUMBER BUT ONE, did you not read the article??
The IP for the router is the WAN IP.
Each subnet and in this case VLAN gets an IP address, dhcp server, dhcp-server network IP pool.
Each vlan upon creation has interface bridge.
Yes, default firewall rules are great for the initial setup; afterwards it's better to adjust them.
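The steps listed in the first post (VLAN interface on the bridge, IP/DHCP/DNS, vlan-filtering) and repeated in the last reply, written out as an added RouterOS 7 CLI example. This is not configuration from the thread or from MikroTik's documentation; it assumes the L009 default bridge is named bridge, that the trunk port to the Netgear switch is ether5 (substitute the real port), and that the default firewall with the LAN/WAN interface lists is still in place. The existing 192.168.1.0/24 LAN stays untagged on the bridge's default pvid 1, so it is not reconfigured:

```routeros
# Added example, not from the thread. Assumptions: bridge name "bridge",
# trunk port to the switch is ether5, default L009 firewall still present.
# Run under safe mode (Ctrl-X in the terminal) so a lockout is rolled back.

# 1. Routed VLAN interface for the servers on top of the bridge
/interface vlan add name=vlan2-servers interface=bridge vlan-id=2

# 2. Bridge VLAN table: VLAN 2 leaves tagged on the trunk port and is
#    tagged towards the CPU ("bridge"), so the router can route it.
#    Ports with no entry keep pvid 1 untagged, i.e. the existing LAN.
/interface bridge vlan add bridge=bridge vids=2 tagged=bridge,ether5

# 3. Address, pool, DHCP server and DHCP network for 192.168.2.0/24
/ip address add address=192.168.2.1/24 interface=vlan2-servers
/ip pool add name=pool-vlan2 ranges=192.168.2.100-192.168.2.200
/ip dhcp-server add name=dhcp-vlan2 interface=vlan2-servers address-pool=pool-vlan2
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1

# 4. Put the new VLAN in the LAN interface list so the default input and
#    forward rules (which match in-interface-list=LAN) treat it consistently.
/interface list member add list=LAN interface=vlan2-servers

# 5. Inter-VLAN traffic is routed by default. The rules below keep the server
#    VLAN from opening new connections into the home LAN and from reaching
#    router management ports; replies still pass via the default
#    "accept established,related" rule that precedes anything appended here.
/ip firewall filter add chain=forward action=drop connection-state=new \
    in-interface=vlan2-servers dst-address=192.168.1.0/24 \
    comment="servers VLAN may not initiate into home LAN"
/ip firewall filter add chain=input action=drop in-interface=vlan2-servers \
    protocol=tcp dst-port=22,80,443,8291 \
    comment="no router management from servers VLAN"

# 6. Last: turn on VLAN filtering on the bridge. Do this after steps 1-5 so
#    the VLAN table already holds the entry for VLAN 2 when filtering starts.
/interface bridge set bridge vlan-filtering=yes
```

The order matters: the bridge VLAN entry and the firewall rules exist before vlan-filtering is enabled, so the moment filtering goes live the trunk carries VLAN 2 tagged and untagged VLAN 1 unchanged, and the restrictions already apply. On the switch side the port facing ether5 must carry VLAN 2 tagged while the server ports sit untagged in VLAN 2; if you append firewall rules to a rule set that ends in your own catch-all drop, use `place-before=` so they land ahead of it.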