Recommendations on integrating my employer-issued MikroTik into my existing network.

My home network consists of about a dozen VLANs. I have a dedicated (non-MikroTik) router, with each interface dedicated to a separate VLAN. Each interface serves DHCP from a subnet dedicated to that particular VLAN, and enforces various firewall rules controlling access between each of these subnets. I also have an (also non-MikroTik) switch with ports divided into access ports for each of the VLANs, and into this switch are plugged various virtualization servers, network appliances, and misc. “home lab” devices around my house.

One of my VLANs is dedicated to my employment. I work from home, and my field is somewhat sensitive (cybersecurity), so my employer has a rule that any work-related devices must be connected to a dedicated, isolated network, away from e.g. family cellphones, laptops, IoT devices etc.

Here is a diagram of how it is currently set up (note the “work-laptop” at the bottom, outside of the dotted lines):

network-01.png
I’ve shown this diagram to my work’s network team and they’re satisfied with it.


Recently, my employer has decided to backhaul some work-related traffic via an OpenVPN network. They are attempting to make this as painless as possible for their employees, so they shipped out a pre-configured Mikrotik router to each employee, with the VPN pre-configured, as well as various logging/firewall rules. The expectation was that most employees (who probably generally have a simpler network topology than I do) could just unplug their work laptop from wherever it is currently plugged in, and put ether1 from this new Mikrotik in its place. The MT would then pull a DHCP address from upstream, and the laptop would then plug into one of the Mikrotik’s other ports, which are configured as a switch.


I would like to continue using my current DHCP+firewall+VLAN setup, and their network guys have given me permission to reconfigure this MikroTik as I desire, so long as the VPN still connects and respects their pre-configured firewall/routing rules. I have reconfigured it to use ether1 as a trunk port, and ether2-ether10 as various Access ports. This setup allows me to keep this new work-issued MikroTik at my desk and also (conveniently) lets me have several access ports to other VLANs right at my desk.


This config looks like the following:


## Add bridge1

# VLAN-aware bridge: all tagging/untagging decisions are made by the bridge VLAN table
/interface bridge add name=bridge1 vlan-filtering=yes

## Bridge Trunk port

# ether1 is the uplink to the personal switch; untagged frames are refused on it
/interface bridge port add comment="TRUNK" bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged

## Bridge Access ports

# pvid = the VLAN an untagged frame received on that port is placed into
/interface bridge port
add comment="ACCESS" bridge=bridge1 interface=ether2     pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether3     pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether4     pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether5     pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether6     pvid=33 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether7     pvid=33 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether8     pvid=33 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether9     pvid=22 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether10    pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged


## Bridge VLANs

# ether1 (trunk) and bridge1 itself are tagged members of every VLAN. bridge1 must be a
# tagged member of any VLAN that an /interface vlan (VLAN_MGMT, VLAN_WORK) terminates on.
# The untagged= lists mirror the access-port pvids above; RouterOS adds these entries
# dynamically from pvid anyway, listing them keeps the table readable.
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 vlan-ids=11
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether9 vlan-ids=22
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether6,ether7,ether8 vlan-ids=33
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=44
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=55
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=66
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=77
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=88
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether10 vlan-ids=99

## IP interfaces

### MGMT

/interface vlan add interface=bridge1 name=VLAN_MGMT vlan-id=99
/ip address add address=10.99.0.10/16 interface=VLAN_MGMT

### WORK

/interface vlan add interface=bridge1 name=VLAN_WORK vlan-id=11
/ip address add address=10.11.0.10/16 interface=VLAN_WORK
# Default route via the personal router's VLAN 11 address. 10.11.0.1 is what the active
# static route in /ip/route/print below shows; 10.10.0.1 lies in no connected subnet on
# this box and such a route would never become active.
/ip route add dst-address=0.0.0.0/0 gateway=10.11.0.1 distance=1

So swapping the MikroTik inline with my work-laptop, it currently looks like this:
network-02.png
The OpenVPN is connecting fine, and I can use tools on the MikroTik to ping resources on the other side of the OpenVPN tunnel just fine. My work laptop also pulls an IP address from the 10.11.0.0/16 subnet just fine (just as it did before). Here is the MikroTik’s current IP/routing, including the dynamic routes set up by the OpenVPN:

[admin@mikrotik-router] /> /ip/route/print 
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY    DISTANCE
0  As 0.0.0.0/0        10.11.0.1         1
  DAv 10.8.0.1/32      10.8.5.1          1
  DAc 10.8.5.1/32      ovpn-work         0
  DAc 10.11.0.0/16     VLAN_WORK         0
  DAc 10.99.0.0/16     VLAN_MGMT         0
  DAv 10.255.255.0/24  10.8.5.1          1
  DAv 172.22.0.0/24    10.8.5.1          1
  DAv 172.46.0.0/24    10.8.5.1          1
  
[admin@mikrotik-router] /> /ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS        NETWORK    INTERFACE
0   10.99.0.10/16  10.99.0.0  VLAN_MGMT
1   10.11.0.10/16  10.11.0.0  VLAN_WORK
2 D 10.8.5.2/32    10.8.5.1   ovpn-work

However, with this current setup I cannot hit the work resources from my work-laptop as I can directly from the MikroTik via ping. It makes SENSE to me that I cannot hit them yet, because the L2 VLAN-tagging is making my work-laptop traffic think it’s plugged into my personal switch just like it’s been all along. However, what I do not know is the right way to approach solving this. I would like the MikroTik to route traffic intended for the other end of the OpenVPN appropriately, but with its current configuration, that traffic is currently VLAN-tagged “11” while it’s on the bridge, and that’s not stripped off of the packets until after they are sent up and out the trunk port.

Do I need to somehow make the ovpn-work interface itself aware of vlan-tagging? Or maybe somehow setting static routes on my laptop would let my laptop know where to send those packets for routing?

Hello,

I think that you need to play with static routes on your home and OVPN routers.

  1. on your home router you need to add a static route towards the OVPN router
  2. on your home OVPN router you need to add a static route towards your employer’s networks over the OVPN tunnel. On the employer’s side they should also add a static route towards your network; if that’s not possible, then you can use NAT towards the employer’s networks.

Don’t forget to tune your firewalls.

BR,
Dmitri
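Spelled out in RouterOS terms, the routes, NAT and firewall rules Dmitri lists look like the following. This is an added example, not code from the thread or from the employer's pre-configured router; it uses only the addresses visible in the OP's /ip/route/print output. The OP's personal router is not named, so its route commands are shown as comments in Linux iproute2 syntax as an assumption, and the employer-side host 172.22.0.1 used in the checks is assumed.

```routeros
# Added example (not from the thread): let the work laptop on VLAN 11 reach the
# employer prefixes that the OpenVPN tunnel hands to the MikroTik.
# Addresses come from the OP's route table; the laptop's packet path becomes:
#   laptop (10.11.0.x, default gw 10.11.0.1 = personal router)
#   -> personal router (needs a route back down to 10.11.0.10)
#   -> MikroTik VLAN_WORK -> ovpn-work -> employer network.

# 1. Personal (non-MikroTik) router: point the VPN-side prefixes at the MikroTik's
#    VLAN 11 address. Router model is unknown; on a Linux router this would be
#    (assumed syntax, run there, not on the MikroTik):
#      ip route add 172.22.0.0/24   via 10.11.0.10
#      ip route add 172.46.0.0/24   via 10.11.0.10
#      ip route add 10.255.255.0/24 via 10.11.0.10

# 2. MikroTik: routes to 172.22.0.0/24 etc. already exist as dynamic "DAv" routes
#    via 10.8.5.1, so nothing to add. Confirm they are active:
/ip route print where gateway~"10.8.5.1"

# 3. The employer side only knows the tunnel address 10.8.5.2, not 10.11.0.0/16.
#    Unless they add a return route for 10.11.0.0/16 via 10.8.5.2, source-NAT the
#    home WORK VLAN behind the tunnel address (Dmitri's NAT fallback).
/ip firewall nat add chain=srcnat out-interface=ovpn-work src-address=10.11.0.0/16 \
    action=masquerade comment="home WORK VLAN -> employer networks via tunnel"

# 4. Firewall: allow laptop -> tunnel plus replies, refuse anything the employer side
#    tries to open towards the home VLAN. The employer's pre-configured rules are not
#    shown in the thread: run "/ip firewall filter print" first and add
#    place-before=<n> if an existing drop rule would match before these.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies for existing connections"
add chain=forward in-interface=VLAN_WORK out-interface=ovpn-work action=accept \
    comment="WORK VLAN -> employer via tunnel"
add chain=forward in-interface=ovpn-work out-interface=VLAN_WORK connection-state=new \
    action=drop comment="no new connections from the tunnel into the home VLAN"

# 5. Checks on the MikroTik while the laptop pings 172.22.0.1 (assumed host):
#    a connection entry whose reply address is 10.8.5.2 proves routing and NAT work.
/ip firewall connection print where dst-address~"^172.22."
/tool sniffer quick interface=ovpn-work ip-address=172.22.0.1
```

Two caveats worth knowing before relying on step 1. With the route on the personal router, laptop traffic enters that router on VLAN 11 and leaves it on VLAN 11 again towards 10.11.0.10, so the router's own forward rules must permit that hairpin and it may emit ICMP redirects for it. The alternative the OP raised, giving the laptop the route directly, can be done without touching the laptop by serving a classless static route (DHCP option 121) for the VPN prefixes via 10.11.0.10 from the personal router's VLAN 11 DHCP scope; the laptop then sends that traffic straight to the MikroTik. The OpenVPN tunnel itself is unaffected either way: it is built from 10.11.0.10 through the personal router's default route, exactly as it is now.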

Interesting setup.
The requirement is not quite clear, as you have not made a more directed statement such as:

I would like to be able to, from my home WORK VLAN, access the OVPN tunnel, without having to move my laptop ethernet cable around.
It does seem as though you want to also reconfigure their router so that your other VLANs are accessible in the rest of their ports… Not sure why though.
Access across VLANs is easily accomplished via firewall rules, and thus I’m not sure why ports are needed.

This leads me to a question about the config. I don’t see any internet ISP connections?
Which then makes your multi-router setup seem incomplete. Does each router get its own WAN IP from different providers?
Do you have a switch between the ISP modem and all the routers, and each one gets a different public IP?
Finally, why bother with separate routers if you can assign separate VLANs from the single MT at the top??
(seems overly complicated for no discernible reason)

Thanks for the suggestions - I will play around with static routing. Appreciate your time!

@anav: Thank you very much for your time. I appreciate it! I’ve answered to my best ability below. Let me know if any other info I can provide.

(Answering all three of these bits in a single block, because the explanation is a bit related.)

I technically could accomplish this via a single router. My employer is not backhauling our laptop’s entire internet connection, only some specific work-related traffic. The intent of this new router is to be a pre-configured, “drop-in” replacement for our existing home router, which automatically routes certain traffic over OpenVPN, with some default logging/firewall rules.

The primary reason I’m interested in fiddling with the router they sent me is that I would like to keep using my existing DHCP server+fw rules on the diagram’s upper router for controlling access to/between my other vlans/etc, and continue managing them all in one place for convenience. However I also need to integrate the work-provided connectivity. I feel like I’m already “pushing my luck” a bit with my employer’s IT dept, who have kindly agreed to let me keep using my own router setup, as long as I can still integrate their router/config into my network for firewall/logging purposes.

What would be great is if I could just establish the same OpenVPN connection from my own router, and route/fw/log per their specs - it would be functionally identical, but then I would have to move their OpenVPN config/auth. certs/etc from their Mikrotik onto my other router (which btw is not even a Mikrotik), which I don’t think they would like - I anticipate at some point of customization they might just say “You know what - nevermind. This is too much trouble. Just use our router the way we originally asked you to.”

The fact that I’m using the other ports is incidental to the rest - I just thought it was convenient to have direct ports into each of my vlans sitting at my desk (I do a lot of tinkering with homelab type stuff on these other vlans, so it’s great to have direct ports without having to go open up fw rules).


Aah, I should have included that in the diagrams. I have a single ISP, and the provider’s modem is connected to a port on the upper router in the diagram (the one in the box labeled “my infrastructure”).


The upper router (in the box labeled “my infrastructure”) is the only router in the mix which receives a WAN IP. The “OpenVPN” connection in the diagram is misleading - that connection is actually routed out through the upper router’s WANIP, through my ISP.

No - it’s more like this:

      [ISP]
        ^
        *
        *
        *
+-------*------[my infrastructure]--------------+
|       *                                       |
|       *                                       |
|       V                                       |
|     [personal router]                         |
|           ^                                   |
|           *                                   |
|           *                                   |
|           *                                   |
|           V                                   |
|     [personal switch]                         |
|                ^                              |
|                *                              |
|                *                              |
+----------------*------------------------------+
                 *      
                 *      
              (trunk)   
                 *      
                 *      
                 V      
              [work router]



It definitely wouldn’t be the first time I’ve over-complicated something due to incomplete understanding! :laughing:

Thank you again for your time.

If your ISP’s modem is in bridged mode, or can be put into bridged mode, you may be able to pull a second public IP.

Most isp modems have more than one ethernet port now.

It would be a simple solution.