I’m trying to set up a logically separated IoT network on my hAP lite. I have just successfully created two bridge interfaces, so they represent my needs when it comes to eth/wlan interfaces for home/IoT usage.
Interface: bridge
wlan1 (physical) ssid: home
ether2-master
Interface: bridge-iot
ether3
ether4
wlan2 (virtual) ssid: IOT
Right now I can connect to either the home or the IOT Wi-Fi; however, there is no logical separation between them on the ethernet level.
I’m totally new to VLANs, and I know there were some changes in RouterOS 6.41. I’m running v6.46.1. How should I proceed with VLANs in my case?
If the actual device config follows your explanation, then you already have L2 separation. However, devices running ROS are routers and will forward packets between different connected subnets unless that’s forbidden by firewall filter rules. So how did you determine that there isn’t any separation between the two L2 networks?
Or is your question actually about how to recreate your setup using a single bridge with VLANs configured?
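For reference, this is what the single-bridge-with-VLANs variant looks like on RouterOS 6.41 and later. It is an added example, not configuration from this thread or from MikroTik. It keeps the port and wlan names from the post above; the VLAN IDs (10 = home, 20 = IoT), the bridge name bridge1 and the .1 gateway addresses inside the two subnets seen later in the thread (192.168.1.0/24 home, 192.168.100.0/24 IoT) are assumptions.

```routeros
# Added example (not from the thread): one bridge with VLAN filtering, RouterOS 6.41+.
# Assumed: VLAN 10 = home, VLAN 20 = IoT; gateways 192.168.1.1 and 192.168.100.1
# (the subnets appear in the thread, the .1 gateway addresses are an assumption).
# Run from the console or inside /system safe-mode: a mistake in the VLAN table
# can cut a remote session once vlan-filtering is switched on.

/interface bridge
add name=bridge1 vlan-filtering=no

# Access ports: pvid puts untagged ingress frames into that port's VLAN
/interface bridge port
add bridge=bridge1 interface=ether2-master pvid=10
add bridge=bridge1 interface=wlan1 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=20
add bridge=bridge1 interface=wlan2 pvid=20

# VLAN table: the bridge itself is a tagged member of each VLAN so the router
# (L3) can be reached from it; ports not listed for a VLAN never see its frames
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2-master,wlan1 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether3,ether4,wlan2 vlan-ids=20

# One L3 interface per VLAN, hung off the bridge
/interface vlan
add interface=bridge1 name=vlan10-home vlan-id=10
add interface=bridge1 name=vlan20-iot vlan-id=20

/ip address
add address=192.168.1.1/24 interface=vlan10-home
add address=192.168.100.1/24 interface=vlan20-iot

# Enable filtering only after the VLAN table is complete
/interface bridge set bridge1 vlan-filtering=yes
```

Any DHCP server and firewall rules that referred to the old bridge or bridge-iot interfaces have to be moved to vlan10-home and vlan20-iot. Note that this only provides the L2 separation; as the reply above says, the router still forwards between the two subnets until firewall filter rules in the forward chain say otherwise.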
I’m connected to my IoT WiFi at the moment and I can still access resources in the home network.
$ ifconfig | grep wlan0 -A 2 | grep "inet addr"
inet addr:192.168.100.199 Bcast:192.168.100.255 Mask:255.255.255.0
$ nmap -sP 192.168.1.0/24
Starting Nmap 7.01 ( https://nmap.org ) at 2020-01-12 21:24 CET
Nmap scan report for 192.168.1.10
Host is up (0.071s latency).
Nmap scan report for 192.168.1.14
Host is up (0.035s latency).
Nmap scan report for 192.168.1.103
Host is up (0.060s latency).
However, at the same time my ARP table is limited to my IoT network devices only.
$ arp -a
one.one.one.one (1.1.1.1) at <incomplete> on wlan0
? (192.168.100.10) at xx:xx:xx:xx:xx:xx [ether] on wlan0
? (192.168.100.50) at xx:xx:xx:xx:xx:xx [ether] on wlan0
If I understand your comment correctly, it means the actual L2 isolation exists; however, packets are allowed on L3, and it’s now my job to create appropriate FW rules in order to prevent that?
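The firewall side of that, for the two-bridge setup from the first post (bridge = home, bridge-iot = IoT), as an added example that is not part of the thread. It assumes the usual home-network policy: hosts on the home side may open connections to IoT devices, IoT devices may only answer and may not initiate anything towards the home LAN or the router beyond DHCP and DNS. Interface names come from the thread; everything else is the example's own.

```routeros
# Added example (not from the thread): forward/input rules for the two-bridge
# setup. Assumed policy: home -> IoT allowed, IoT -> home only as a reply.
# RouterOS evaluates filter rules top to bottom and "add" appends at the end,
# so check "/ip firewall filter print" afterwards and use place-before=<n>
# if an earlier accept rule (e.g. a default "accept from LAN") matches first.

/ip firewall filter
# Replies to connections the home side opened must still pass
add chain=forward connection-state=established,related action=accept \
    comment="IoT: allow replies to home-initiated connections"
# New connections from the IoT bridge into the home bridge are dropped
add chain=forward in-interface=bridge-iot out-interface=bridge \
    connection-state=new action=drop \
    comment="IoT: no new connections into the home LAN"

# Router's own services: IoT devices only get DHCP and DNS
add chain=input in-interface=bridge-iot connection-state=established,related \
    action=accept comment="IoT: replies from the router"
add chain=input in-interface=bridge-iot protocol=udp dst-port=53,67 \
    action=accept comment="IoT: DHCP and DNS only"
add chain=input in-interface=bridge-iot action=drop \
    comment="IoT: everything else to the router is dropped"
```

After adding these, repeat the nmap -sP scan of 192.168.1.0/24 from the IoT Wi-Fi: with the drop rule in place no home hosts should show up, and /ip firewall filter print stats will show the drop counters climbing. IoT traffic towards the internet is unaffected because it leaves through the WAN interface, not through bridge.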
To spoil your enthusiasm: if traceroute shows your router in the path, this doesn’t necessarily mean that both subnets are separated on L2 … it only means they are separated on L3 (by using different network address/mask combinations); both hosts could still be in the same L2 domain. One of the ways to verify L2 separation is to connect a PC to an ethernet port meant for home devices, statically configure it with an IP address from the IoT subnet and the IoT gateway address as default gateway, and try to communicate with both IoT devices and the usual home devices. If any communication works (apart from communication with the router itself, which seems to respond to any of its local addresses regardless of the ingress port), then the two subnets are not L2 separated.