Newbie needs help on Mikrotik RB2011UAS-2HnD-in and VLAN

Hi

I have purchased a Mikrotik RB2011UAS-2HnD-in, but quickly realized that my knowledge on networking is poor and my situation as a family father is such that there is no time to dive deep enough into the networking world to be able to solve my problem on my own…

I’m trying to achieve the following:

One internet connection shall be shared between us (homeowners) and the guy renting the basement. If I have understood it correctly, the path to follow is VLANs. One for us, and one for the basement guy. This way we can both access the internet, but will not be able to connect to each other’s computers.

So far I have put our ISP’s router into bridge mode (this router also facilitates TV - so I need it in place), and out of the box the Mikrotik works fine. I have tried to make two different VLANs, and bridged them to the two ports. But when connecting our PC to a port that was assigned to a VLAN I couldn’t get a connection to either the internet or 192.168.88.1. I don’t think the PC would receive an IP address…? I would like to go on trying for myself - but as previously stated - time is scarce…

  • Can anyone walk me through what needs to be done? This is our network at the time being:

ISP router in bridgemode
|
|
Ether1
Mikrotik RB2011UAS-2HnD-in
Ether2 Ether3
| |
| |
Our PC Basement cheap switch


Regards GManSkat

Edit: Trying to make ASCII art wasn’t very successful…
Ether1: ISP router in bridgemode
Ether2: Our PC
Ether3: Basement cheap switch

If the wiring between the basement and the rest of the home is already separate then you don’t really need VLANs. You could simply make a second 192.168.x.y subnet, assign an IP address and DHCP server for that subnet and then modify the forward chain filter rules to allow the second subnet to access the internet but ensure that the two LAN subnets cannot communicate via the router. This assumes that the wiring from the basement presents at the router in such a manner that you can assign the second LAN subnet to a port and then connect the basement wiring to that port.

So there are several ways of reaching my target…

Yes, the wiring for the basement is separate. Which of the 2 ways is safer when it comes to preventing the two networks from being able to reach each other?

Does this “new” solution also accommodate possibilities such as port forwarding (yesterday the basement guy told me that he was unable to play his Xbox) and QoS (I want to be able to keep some of the bandwidth to ourselves)?

VLANs present as (sub) interfaces in RouterOS. If you can provide separation of the physical cabling such that the various networks present on distinct physical Ethernet interfaces, that might actually be more secure compared to depending on distinct VLANs on a common physical layer.

The filters in the forwarding table define which network can route to where so no difference there.
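
The second-subnet setup described in the replies above, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread. The 192.168.89.0/24 subnet, the pool and server names, and the assumption that the default configuration has ether3 in the LAN bridge are illustrative; ether3 and 192.168.88.0/24 come from the posts.

```routeros
# Assumed values (not from the thread): 192.168.89.0/24 for the basement,
# and the names basement-pool / basement-dhcp.
# ether3 (basement switch) and 192.168.88.0/24 (home LAN) are from the posts.

# Take ether3 out of the default LAN bridge so it becomes a standalone routed
# port. Assumes a RouterOS version whose default config bridges the LAN ports.
/interface bridge port remove [find interface=ether3]

# Router address on the basement subnet; this is the tenant's gateway.
/ip address add address=192.168.89.1/24 interface=ether3 comment="basement"

# DHCP for the basement subnet only.
# dns-server points at the router; this assumes the router's DNS accepts
# remote requests and the input chain permits them from ether3.
/ip pool add name=basement-pool ranges=192.168.89.10-192.168.89.254
/ip dhcp-server add name=basement-dhcp interface=ether3 \
    address-pool=basement-pool disabled=no
/ip dhcp-server network add address=192.168.89.0/24 gateway=192.168.89.1 \
    dns-server=192.168.89.1

# Forward chain: drop routed traffic between the two LAN subnets in both
# directions. Traffic from either subnet to the internet is unaffected.
# New inter-subnet connections never reach an "established" state, so these
# rules work even when listed after an accept-established rule, but they must
# sit above any rule that accepts new connections between the LANs.
/ip firewall filter add chain=forward src-address=192.168.89.0/24 \
    dst-address=192.168.88.0/24 action=drop comment="basement -> home"
/ip firewall filter add chain=forward src-address=192.168.88.0/24 \
    dst-address=192.168.89.0/24 action=drop comment="home -> basement"

# After a test ping from one subnet to the other, the packet counters on the
# two drop rules should have increased.
/ip firewall filter print stats where chain=forward
```

These forward rules only cover traffic routed through the device. Access from the basement subnet to the router's own addresses and management services is decided by the input chain and needs to be restricted there.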