Network setup assistance: several VLANs + VAP for each one

Hello there,

It’s been a couple of hours that I’ve been trying to accomplish my task, without luck though. I’m most definitely a newbie in terms of rOS but I simply can’t get my theory to work :wink:

I have an RB2011Ui that is connected to network behind with firewall, with one IP address for DMZ (so I can route everything myself and set up some VPNs). Current goal is to achieve a setup like this:

Eth1 → WAN connection
Eth2/3/4/5 + VirtualAP1 → VLAN1 + DHCP
VirtualAP2 → VLAN2 + DHCP
VirtualAP3 → VLAN3 + DHCP

DHCP meaning that every VLAN has its own address pool.

Obviously, the reason I want these VLANs is to basically separate things into 3 isolated networks, using my router as an exit (which leads to stripping the VLAN headers on the way out, I presume).

Probably, once figured out how to implement the above structure further modifications would come way easier. I’d love to get some precise tips/explanations or even script fragments. Having theoretical knowledge but lack of practice/experience on rOS platform (which still is quite the stuff honestly :wink:) kinda bugs me and I’ve seen too many approaches across the net already which eventually ended up with me being confused and annoyed :stuck_out_tongue_winking_eye:

What have you tried so far and what part of your idea is causing you grief? The network separation or the DHCP?

I know this may sound ridiculous but in the moment of rage I dumped the config and started from scratch so I can’t paste anything right now, but:

At first I wanted to try if a single VLAN would work the way I expect it to, and by that I mean adding vlanid to all of these ports + VAP and bridging them all together (that was one of the solutions I came across on this forum) so I can hook it up with a DHCP server and separate address pool - that was unfortunately a no go. I also tried bridging eth2 + VAP, with 3/4/5 having eth2 as a master port, so I can use the advantage of hardware switching - no go either. My gut tells me this might have something to do with header adding/stripping, although I have tried a couple of setups without luck. Generally, after setting this up, I could connect to the network, but that was it - no address assigned by DHCP.

In the meantime I also tried ‘regular’ subnets, that means 3 bridges with assigned IP addresses and DHCP servers + pools. That works in terms of connectivity and DHCP addresses, but, since the gateway interface (ether1) is not bridged with any of these I have no outside connection - I am aware this pretty much results in a double NAT and requires masquerade and some nifty routing but honestly I’m not sure how to tackle this right now, between bridges and stuff ;S

Generally I am interested what should be the way to go in terms of configuring such a network on the MikroTik. In terms of ‘safety’ I would rather go for VLANs, that we probably can agree on.

If the VLANs will only reside on your RouterBOARD, they are not needed. Just create a bridge with ether2-5 + VAP. Put an IP address and DHCP server on it. Then create additional VAPs with dedicated IP addresses and DHCP servers.

At this moment, writing this post, my previous one is not accepted yet. Rufos, I also tried that solution except I’m not really sure how to ‘route between’ the bridges. Addressing and connectivity worked locally and that’s it. Moreover, as you pointed out, I would like to see an opinion about usability of VLANs in that case since they are most def ‘safer’ than regular subnets with rules.
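
The bridge-per-segment layout suggested in the thread, together with the masquerade rule for outside connectivity and forward-filter rules that keep the three segments apart, as an added example that is not part of the original posts. The interface names (wlan1, vap1-3, bridge-lan), SSIDs, pool names and 192.168.x.0/24 ranges are assumptions, and the syntax is that of the RouterOS v6 wireless package.

```routeros
# Added example. Assumptions: wlan1 is already enabled in ap-bridge mode,
# ether1 already has its address and default route, and the names, SSIDs
# and address ranges below are placeholders. Security profiles are omitted.
/interface wireless
add name=vap1 master-interface=wlan1 mode=ap-bridge ssid=net1 disabled=no
add name=vap2 master-interface=wlan1 mode=ap-bridge ssid=net2 disabled=no
add name=vap3 master-interface=wlan1 mode=ap-bridge ssid=net3 disabled=no

# Segment 1: ether2-5 and vap1 share one bridge
/interface bridge add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=vap1

# One gateway address, pool and DHCP server per segment
/ip address
add address=192.168.10.1/24 interface=bridge-lan
add address=192.168.20.1/24 interface=vap2
add address=192.168.30.1/24 interface=vap3
/ip pool
add name=pool1 ranges=192.168.10.100-192.168.10.200
add name=pool2 ranges=192.168.20.100-192.168.20.200
add name=pool3 ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add name=dhcp1 interface=bridge-lan address-pool=pool1 disabled=no
add name=dhcp2 interface=vap2 address-pool=pool2 disabled=no
add name=dhcp3 interface=vap3 address-pool=pool3 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1

# Outside connectivity: source-NAT everything leaving through ether1
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Isolation: each segment may only be forwarded to ether1; the router would
# otherwise route between its connected subnets, so the rest is dropped
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge-lan out-interface=ether1 action=accept
add chain=forward in-interface=vap2 out-interface=ether1 action=accept
add chain=forward in-interface=vap3 out-interface=ether1 action=accept
add chain=forward action=drop
```

The forward rules only cover traffic passing through the router; access from each segment to the router's own services is governed by the input chain, which this example leaves untouched.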