Please help by checking user reqs and suggesting technical solution (not the actual setup of the MT, I’ll attempt on my own after confirming my functional reqs here).
Fresh start after failing first attempts in limited spare time to learn MT.
Yes I’ve read New user pathway to success but thought I’d start over by getting user reqs right first. Please suggest.
Devices:
Network: Mikrotik hEX S with RouterOS 7.6, 2 x Unifi AC Lite (vlan aware WAP’s, support max 4 SSID’s), 2 x netgear ‘smart’ switches (not truly managed, but smart enough for vlan), 1 x RPi with unifi controller and PiHole
“Admin devices” (trusted. mine): wired desktop, laptop, phone,
“Other user devices”: 2 x RPi, laptops, phones, tablets
“Kid’s devices”: laptops, phones, tablets
“Untrusted / IoT”: lighting devices and other home automation - printer also here?
What I’d like:
Segregated networks (I’m assuming VLAN’s?) for:
1. “Admin” for management of network devices (as recommended per MT forum). Contains management interfaces of network devices and my personal devices. My personal devices should have access to internet and all other VLAN’s. Wifi and wired access.
2. User devices ‘DNS unfiltered’: for “other user devices”, unrestricted access to internet, access to other VLAN’s EXCEPT “Admin”. Wifi and wired access.
3. User devices ‘DNS filtered’: for “other devices”, PiHole filtered access to internet, access to other VLAN’s EXCEPT “Admin”. Wifi and wired access.
4. Untrusted / IoT devices: access to internet but NO access to any other VLAN. Wifi and wired access.
5. Preferably a separate VLAN for Kids devices with filtered internet access and NO access to any other VLAN … but then I’d exceed 4 SSID’s in my current imagined setup. So add these to group 3?
No separate VLAN’s required for TV receivers or IP phones, as we don’t have these devices.
Other user reqs:
a. user devices can choose filtered (PiHole) and unfiltered internet via SSID (required because adblocking can “break” sites and users need an easy way of switching between filtered and unfiltered DNS)
b. PPPoE access through VLAN 6 (ISP delivers internet on VLAN 6)
c. two ports used on the hEX S: 1 x WAN, 1 x LAN. Switching left to the switches as much as possible.
d. LAN on ether1 so the MT can be powered by PoE switch
Functional reqs?
Please help define. So what will be the basic setup… 5 VLAN’s (1 WAN, 4 x LAN)? I understand there’s different ways to go about this in RouterOS - what would be the most suitable way for me?
Define all the group of users.
For each, then give all the “should be able to” and “should not be able to”…
things to consider
a. internet
b. wired
c. wifi
d. force dns
e. force adguard
f. access to user groups a, b, c (which also tells which ones are not allowed to)
g. access to specific shared device (i.e. printer - note: don’t put it on the untrusted IoT LAN)
For instance I didn’t see an entry for guest wifi users… don’t have relatives or friends?
1. Admin: internet (unfiltered DNS); wired+wifi; access to: all
2. Users unfiltered: internet (unfiltered DNS); wired+wifi; access to: all except Admin
3. Users adblocked: internet (adblocked DNS); wired+wifi; access to: all except Admin
4. Guests: internet (unfiltered DNS); wifi; access to: none
5. Kids: internet (filtered DNS); wifi; access to: none
6. Printer/scanner: no internet (I guess?), wired, access to: none
7. IoT / “smart” home automation: internet (unfiltered), wired+wifi, access to: none
Comments / constraints:
Access to = access to other user groups
Users group 2 + 3: should be able to choose adblocked or unfiltered by SSID, as some sites break when adblocking
Above = ideal, except in doubt about printer access (use scan-to-device function of the printer/scanner on a fairly regular basis)
WAP’s have a limit of 4 SSID’s (can go to eight if I turn off some functionality but Unifi users seem to advise against for my particular WAP’s). WAP’s are connected by wire to switches on different floors
In doubt about which group belongs: printer, RPi (with pihole, unifi controller, but also home automation/information (e.g. energy consumption, control of ‘smart’ lights) software that only needs to be accessed from LAN)
vlan10 admin (will serve as both wired and wifi network, unfiltered)
vlan20 home1- (unfiltered LAN and unfiltered WIFI) SSID=FREE
vlan30 home2- (filtered LAN and filtered WIFI ) SSID=FILT
vlan40 kids (filtered LAN and WIFI) SSID=KIDS
vlan50 wifi-guests (unfiltered) SSID=GUESTS
vlan60 IOT (unfiltered wired and WIFI)
vlan70 shared devices (unfiltered)
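The access matrix from the reply above (Admin → all, users → all except Admin, everyone else → none, printer VLAN without internet) and the vlan10..vlan70 plan, modelled as a first-match policy and rendered as RouterOS /ip firewall filter rules for the forward chain. This is an added example, not code from this thread or from MikroTik: the subnets, the PiHole address 10.0.10.5, the pppoe-out1 interface name and all function names are assumptions. It also covers the later question about keeping the PiHole on vlan10: the “no access to Admin” rule stays, and the filtered groups get a hole for DNS (port 53 to the Pi) only.

```python
from dataclasses import dataclass
from typing import List, Optional

# VLAN name -> (RouterOS interface name, subnet).  Interface names follow the
# plan in the thread; the subnets are ASSUMED placeholders.
VLANS = {
    "admin":  ("vlan10", "10.0.10.0/24"),
    "home1":  ("vlan20", "10.0.20.0/24"),
    "home2":  ("vlan30", "10.0.30.0/24"),
    "kids":   ("vlan40", "10.0.40.0/24"),
    "guests": ("vlan50", "10.0.50.0/24"),
    "iot":    ("vlan60", "10.0.60.0/24"),
    "shared": ("vlan70", "10.0.70.0/24"),
}
ALL = set(VLANS)
WAN_IFACE = "pppoe-out1"   # assumed name of the PPPoE client interface
PIHOLE_IP = "10.0.10.5"    # assumed address of the Pi (PiHole) on vlan10

# Who may OPEN connections to whom, straight from the "access to:" list:
# Admin -> all; user groups -> all except Admin; everyone else -> none.
ALLOW = {
    "admin":  ALL - {"admin"},
    "home1":  ALL - {"admin", "home1"},
    "home2":  ALL - {"admin", "home2"},
    "kids":   set(), "guests": set(), "iot": set(), "shared": set(),
}
# Who gets internet at all (the printer/shared VLAN is the "no internet" one).
INTERNET = ALL - {"shared"}

# Narrow holes in "no access to Admin": the filtered groups must still reach
# PiHole, but only on DNS.  Tuples: (src vlan, dst vlan, dst ip, proto, port)
EXCEPTIONS = [(s, "admin", PIHOLE_IP, p, 53)
              for s in ("home2", "kids") for p in ("udp", "tcp")]


@dataclass
class Rule:
    action: str                  # "accept" or "drop"
    src: str                     # vlan name or "*" (any)
    dst: str                     # vlan name, "wan", or "*" (any)
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    port: Optional[int] = None

    def matches(self, src, dst, dst_ip=None, proto=None, port=None) -> bool:
        if self.src not in ("*", src) or self.dst not in ("*", dst):
            return False
        if self.dst_ip and self.dst_ip != dst_ip:
            return False
        if self.proto and self.proto != proto:
            return False
        if self.port and self.port != port:
            return False
        return True

    def to_ros(self) -> str:
        """One RouterOS filter line; dst-port is always paired with protocol."""
        parts = ["add chain=forward connection-state=new"]
        if self.src != "*":
            parts.append(f"in-interface={VLANS[self.src][0]}")
        if self.dst == "wan":
            parts.append(f"out-interface={WAN_IFACE}")
        elif self.dst != "*":
            parts.append(f"out-interface={VLANS[self.dst][0]}")
        if self.dst_ip:
            parts.append(f"dst-address={self.dst_ip}")
        if self.proto:
            parts.append(f"protocol={self.proto}")
        if self.port:
            parts.append(f"dst-port={self.port}")
        parts.append(f"action={self.action}")
        return " ".join(parts)


def build_policy() -> List[Rule]:
    """Ordered rules: narrow exceptions, then allowed pairs, then default drop."""
    rules = [Rule("accept", s, d, ip, pr, po) for s, d, ip, pr, po in EXCEPTIONS]
    for src in VLANS:
        rules += [Rule("accept", src, dst) for dst in sorted(ALLOW[src])]
        if src in INTERNET:
            rules.append(Rule("accept", src, "wan"))
    rules.append(Rule("drop", "*", "*"))   # catch-all: deny anything not listed
    return rules


def decide(policy, src, dst, dst_ip=None, proto=None, port=None) -> str:
    """First-match verdict for a NEW connection from VLAN src to dst ('wan' = internet)."""
    for rule in policy:
        if rule.matches(src, dst, dst_ip, proto, port):
            return rule.action
    return "drop"   # not reached: build_policy() ends with a catch-all drop


def render(policy) -> str:
    lines = ["/ip firewall filter",
             'add chain=forward connection-state=established,related action=accept comment="keep existing flows"']
    lines += [r.to_ros() for r in policy]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_policy()))
```

Only the forward chain is modelled: traffic to the router itself (DHCP, the router as DNS forwarder, WinBox on the off-bridge management port) is the input chain and needs its own rules. The Unifi APs need no hole towards the controller because their management interfaces sit on vlan10 together with the Pi, exactly as the “Admin” group above is defined; the scan-to-device printer case would be one more narrow exception from vlan70 to a single host and port rather than a blanket “shared → users” allow.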
Which vlan should I put the combined device [pihole + unifi controller] in? It’s currently vlan10 (Admin), but will that work with how we configure the other VLAN’s? (i.e., other VLAN’s shouldn’t connect to VLAN10, so I’m guessing it won’t work, but also because of the unifi controller, you’d still want it in VLAN10, no?)
I’ll try to make ether5 = off-bridge port for management access on the Mikrotik
Yes it’s a Raspberry Pi 3b with unifi and pihole as main use.
But come to think of it, I use that little machine for a few more purposes, which makes me further doubt which VLAN it should be in
Also…
“media downloading activities” (I’m old fashioned)
app that provides some custom lighting routine for Philips Hue (separate “smart” lighting device, that controls lighting in our home, which will reside on VLAN 60)
“home automation app” that I only use to record electricity and gas consumption and statistics from our central heating unit;
(no need to connect from outside home LAN)
Would doing it the “right” way require me to split the functionalities so that the network functionality (unifi controller/pihole) could reside on VLAN 10 and the other stuff I just listed on a separate device on VLAN 60?
draw.io’s “network” shapes don’t include a “IoT device” so naturally I thought it would be appropriate to use the “supercomputer” one. You might well be older than me but I did recognize the shape as a cray from 80’s magazines.