I’m looking into setting up a handful of IP cameras. I’d like to have them in a vlan. Ideally, this vlan would only be able to access devices on that specific vlan; however, I will settle for just blocking internet access on their port(s). I attempted to add the rules from http://forum.mikrotik.com/t/block-internet-access-on-specific-physical-port/109302/1 but neither set of rules works as intended (the first doesn’t catch any packets, the second one catches a few every few seconds).
Network currently looks like this:

    Internet <-> Router <-> MikroTik CRS354-48G-4S+2Q+RM <-|
        |->|Server #1 Proxmox 6.4-13
        |  |->VM #1 Ubuntu 20.04
        |  |->VM #2 Ubuntu 20.04
        |  |->VM #3 Ubuntu 20.04
        |->|Server #2 Proxmox 6.4-13
        |  |->VM #1 Windows 10
        |  |->VM #2 Windows 10
        |---->|VM #3 Ubuntu 20.04 (testing vlans/ip camera handler)
        |     |-> Dedicated 1G NIC for vlans, to simulate an IP camera
        #Planned
        |-> TP-Link TL-SG1005P (poe switch) -> up to 4x ip cameras
I intend to have the Mikrotik switch function as the router, however that has to wait until I’m moved out this weekend.
My switch has all ports (except vlans) bridged, this includes my internet uplink. I’m able to change port designation as needed. I’m quite new to this so I’m not entirely sure how to get the settings to my liking. Any help would be much appreciated.
Speaking about the solution and the config doesn’t help. For example, to state that the vlan has to have access to vlan devices is redundant and not useful, as all users/devices within a vlan are connected at L2.
So, state clearly what are the use cases.
identify the user/device or groups of users/devices
identify what they should be able to do
identify what they should NOT be able to do.
A network diagram helps us see what equipment you have, what is attached to the ports, and where the traffic flows are conceptually going to go.
Typically with a drop rule at the end of the forward chain and input chain, all traffic is blocked and one just needs to have the traffic they want to happen explicitly stated.
I don’t think you quite understood my post. I want devices on a specific vlan to only access devices on that vlan. Apologies for not making that clear.
identify the user/device or groups of users/devices
4x IP Cameras (for now I have a test VM)
identify what they should be able to do
Connect to NVR - that’s it
identify what they should NOT be able to do.
Connect to the internet, other local devices (with the exception of the NVR)
I did describe my network, although not in perfect detail; it’s not entirely relevant, and it’s also a bit tedious to show a network topology in text.
Edit: I managed to figure out a solution without using vlans for the time being. By making a second bridge and setting up a DHCP server on the switch, I was able to isolate multiple ports from each other. I will leave the post unanswered since I would like to optimize the network; performance on the second bridge is terrible.
You cannot realistically block other devices on the same vlan as the cameras or the NVR.
So suggesting you put the cameras and NVR on the same VLAN.
Then you allow certain IPs access to the NVR from a safe vlan.
Just one bridge with as many vlans as you need assigned to the bridge.
I’m genuinely confused how you came to this conclusion after I’ve clarified it a second time.
I want a single vlan, we’ll call it vlan-10. Vlan-10 will include all my IP cameras and the NVR. Devices on vlan-10 should not be able to access the internet, or devices that are not on vlan-10.
I want devices on a specific vlan to only access devices on that vlan
If you don’t want a specific VLAN to access devices on another VLAN, you block that through the Firewall…
Or if you have a drop all rule, then you accept the type of traffic you want before that rule as @anav already said…
In general, when you have InterVLAN routing, the firewall is what enables or disables communication between VLANs…
My current issue is with the vlan itself, the clients on the vlan won’t get anything from dhcp. When I assign a static IP to them, they can ping other clients but not the gateway.
That is totally different…
Can you provide a network diagram of the Topology ?
And export with hide-sensitive the configuration of the CRS… Also manually remove serials, Public IPs etc if any visible on the config export…
As requested, I put together a network diagram and exported the switch’s config. See attached.
Edit: The folks over on the Homelab discord helped me figure out the issue. My tagged section in the vlan table needed to include the bridge itself. Once I did that and switched my vlan interface back to the bridge, the clients immediately grabbed DHCP. I attempted to connect to my main local subnet via one of the vlan clients and was unable to. I didn’t add any filters or firewall rules, I assume this is because I never added a route to that subnet.
I got it working the way I want it to, thanks for you guys’ help! switchworking.rsc (8.49 KB)
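As an added example (editor-assembled from the thread, not the attached switchworking.rsc or any poster’s own config): a RouterOS fragment that puts the two fixes discussed above together, namely the bridge itself in the tagged list of the bridge VLAN entry (the DHCP fix described in the last post) and the forward/input drop rules that keep vlan-10 away from the internet and other VLANs (the inter-VLAN firewall point made earlier). Port names ether10/ether11, the 10.10.10.0/24 subnet and the interface name vlan10 are assumptions; the NVR is assumed to sit on vlan-10 alongside the cameras, as the OP describes.

```routeros
# Single bridge with VLAN filtering (one bridge, many VLANs, as suggested in the thread).
/interface bridge
add name=bridge1 vlan-filtering=yes

# Access ports for the camera test NIC and the PoE switch uplink (assumed port names).
# pvid=10 puts untagged frames into vlan-10; admitting only untagged frames and
# enabling ingress filtering stops a camera from injecting tagged frames into other VLANs.
/interface bridge port
add bridge=bridge1 interface=ether10 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether11 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# The bridge itself must be in the tagged list, otherwise the CPU-side vlan10
# interface never sees vlan-10 frames and DHCP requests go unanswered (the fix from the thread).
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether10,ether11 vlan-ids=10

# L3 interface for vlan-10, built on the bridge, not on a physical port.
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10

# Gateway address, DHCP pool and server for the cameras/NVR (assumed addressing).
/ip address
add address=10.10.10.1/24 interface=vlan10
/ip pool
add name=pool-vlan10 ranges=10.10.10.100-10.10.10.199
/ip dhcp-server
add address-pool=pool-vlan10 interface=vlan10 name=dhcp-vlan10
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1

# Firewall: traffic between cameras and the NVR stays inside vlan-10 at L2 and never
# enters the forward chain, so dropping everything routed from or to vlan10 leaves
# camera<->NVR untouched while cutting off the internet and every other VLAN.
/ip firewall filter
add chain=forward in-interface=vlan10 action=drop comment="vlan-10: no routed traffic out (internet or other VLANs)"
add chain=forward out-interface=vlan10 action=drop comment="vlan-10: nothing from other VLANs routed in"
# The CRS itself only needs to answer DHCP on vlan-10; everything else to the router is dropped.
add chain=input in-interface=vlan10 protocol=udp dst-port=67 action=accept comment="vlan-10: allow DHCP to the switch"
add chain=input in-interface=vlan10 action=drop comment="vlan-10: no other access to the switch"
```

These filter rules are matched top to bottom, so on a switch that already carries a broad accept rule they must be placed above it (move them with `/ip firewall filter move`), otherwise the earlier accept wins and the drops never fire; `/ip firewall filter print stats` shows per-rule packet counters, which is the quickest way to confirm that camera traffic is actually hitting the intended rule.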