Multiple subnets on one eth

ezamora · September 2, 2020, 1:33pm

Hi. I want to subdivide the network by sectors (to apply firewall rules by group / address list)
Is there a problem with creating +20 subnets in a single interface? slow, overload, collision, blah blah? (Is a RB760iGS)
My ip address print:

ADDRESS NETWORK INTERFACE

0 ;;; datacenter
192.168.4.1/24 192.168.4.0 ether3
1 ;;; dhcp, ap
192.168.5.1/24 192.168.5.0 ether3
2 ;;; wan, telefonica
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx ether1
3 ;;; laboratorio
192.168.10.1/24 192.168.10.0 ether3
4 ;;; informatica
192.168.60.1/24 192.168.60.0 ether3
…etc
I clarify that I do not want to use vlan because there are many switches in the network that do not support it
Thanks in advance.

anav · September 2, 2020, 3:31pm

How will the router know what IP address to assign to devices that connect to the etherport 3??

jarda · September 2, 2020, 3:44pm

Could be by direct fixed assignment of ip address at the client or by dhcp according to known mac address of the client.

jarda · September 2, 2020, 3:48pm

But without vlans… Not a smart idea. Clients could talk together on L2 easily or decide to use other ip address on their own.

There is no security provided by this solution.

ezamora · September 2, 2020, 5:14pm

It is right, by fixed ip address. No one can change network settings without knowing the root password.

jarda · September 2, 2020, 5:44pm

If you believe so…

anav · September 2, 2020, 6:08pm

Agree with you Jarda I would do it with vlans for sure.
Mind you if DHCP is turned off that would also be useful in this scenario?

jarda · September 2, 2020, 6:40pm

I think it is not important how a device gets its ip address in this case. There are also other non-ip protocols… And whoever can connect whatever device at one single place which could be configured how he wants. Its just not secure at all. There is false presumption that the router could somehow block a communication that does not pass thru it. It can not.

anav · September 3, 2020, 11:45am

Thanks for the clarification, concur its a bogus setup.

ezamora · September 3, 2020, 12:01pm

The router blocks communications from the lan to the internet, and to the servers that are on another router’s ethernet.
I was just asking if there was a hardware problem. It wasn’t that hard.
Anyway the switches do not allow me to configure vlans at the moment.

jarda · September 3, 2020, 4:34pm

There is no hardware problem at all.

But you wanted to apply firewall rules to it, so I noted to you that such idea is not secure and the devices could easily have other ip addresses, or do other things that you cannot catch by the firewall in such scenario.

ezamora · September 3, 2020, 5:57pm

Yes, I understand. It is only supposed to be a temporary setup, because I don’t have manageable switches or enough eth on the router (can multiple vlans be configured on a single interface?)
I will have to do a purchase order…

jarda · September 3, 2020, 6:26pm

https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

anav · September 3, 2020, 8:56pm

Or another way of tackling vlans on router (probably not best for switches only).
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

mkx · September 4, 2020, 5:23am

Yes. That’s the whole point of using VLANs.

anav · September 4, 2020, 11:50am

Not necessarily for all interfaces but if you have one that requires multiple its a no-brainer.
If in doubt VLAN IT lol (sob will hate that one!!)

jarda · September 4, 2020, 2:51pm

Guys, I hope that ezamora could at least read few senteces from the mikrotik VLAN manual pages I provided him above. Then he can return back with additional questions if whatever was not clear.