I’m quite new to ROS, so I’m not sure how to go about the following issue:
I’ve got a RB750Gr3 device that needs to do the following:
Port 1: Should be able to communicate with Ports 2, 3 & 4 but not Port 5
Port 5: Should be able to communicate with Ports 2, 3 & 4 but not Port 1
The reason is that I have cameras on Ports 2, 3 & 4 that need to go to the Security Company (Port 1), but the client himself would also like to see his cameras (Port 5).
I don’t want anyone to do the work for me. I’ve got a test unit to play around with. I would just like to know how to go about this, as VLANs on ROS seem rather foreign to me.
You can get this done using bridge packet filters (use the in-interface and out-interface properties … or in-interface-list / out-interface-list). It only works if HW offload is disabled, so expect higher CPU utilization. The device should be able to do it at wire speed if it’s not performing too many other tasks.
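The bridge-filter approach in the reply above, written out as an added example (this is not configuration posted in the thread). It keeps all five ports in one bridge and one broadcast domain, which also covers the case where the cameras and both viewers must share a single IP subnet, and only blocks the two port pairs that must not talk. Interface names ether1..ether5 and the bridge name bridge1 are assumptions; the key setting is hw=no on every bridge port, because frames the switch chip forwards on its own never reach the bridge filter.

```routeros
# Added example, not from the original thread.
# Goal: ether1 (security company) and ether5 (client) must not talk to
# each other, but both may reach the cameras on ether2-ether4.
# Assumed names: bridge1, ether1..ether5.

# One bridge for all five ports. hw=no disables switch-chip offload on
# each port so that every bridged frame is handled by the CPU, where the
# bridge filter can see it (this is what costs CPU time).
/interface bridge add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=no
add bridge=bridge1 interface=ether2 hw=no
add bridge=bridge1 interface=ether3 hw=no
add bridge=bridge1 interface=ether4 hw=no
add bridge=bridge1 interface=ether5 hw=no

# Bridge filter, forward chain = frames bridged from one port to another.
# Drop both directions explicitly; anything not matched is still bridged,
# so ether2-4 remain reachable from ether1 and from ether5.
/interface bridge filter
add chain=forward in-interface=ether1 out-interface=ether5 action=drop comment="security company -> client: deny"
add chain=forward in-interface=ether5 out-interface=ether1 action=drop comment="client -> security company: deny"

# Check: with hosts on ether1 and ether5 trying to reach each other, the
# packet counters on the two drop rules should increase while a host on
# ether1 can still reach a camera on ether2.
/interface bridge filter print stats
```

Two things to keep in mind with this variant: the bridge filter forward chain does not cover traffic to the router itself (that is the bridge filter input chain and the IP firewall input chain), so a host on ether1 can still reach the router's own address unless that is restricted separately; and because everything stays in one L2 segment, the block relies on these two rules alone, with no VLAN separation behind it.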
VLAN 10 is assigned to ports 2, 3, 4
VLAN 11 is assigned to port 1
VLAN 12 is assigned to port 5
Firewall rules, forward chain:
allow VLAN 11 access to VLAN 10
allow VLAN 12 access to VLAN 10
Drop all else.
Would need to know what is physically attached to each port.
If it's a PC (dumb device), it gets a pvid number of the valid VLAN (access port).
If it's a switch (managed device), it does not (trunk port).
What if @OP wants to have the same IP subnet on all involved ports (e.g. because the management software expects the cameras to reside in the same broadcast domain), and he just wants to block certain communication paths?
I reread what was posted, and it is not clear whether the cameras need to be able to send information unsolicited to the security company or the security company needs access to the cameras.
My firewall rules assume the latter.
What you have stated may be true, but at a level lower than perhaps the OP imagined needs to be considered. Let's wait and see.
Got everything set up like this, but I’m struggling with the firewall filters on the VLAN IDs. Not sure where to find the VLAN ID list. If you can point me in the right direction.
*Edit. To be clearer: I set up the VLANs, bridge, etc. It’s only the firewall rules I’m not getting right.