Routing between subnets - help!

I’m stuck with a bit of a dilemma. My entire in-house network was destroyed by a flood recently and I’ve had to replace all my network equipment. Unfortunately, as a long retired IT guy with near-exclusive Cisco experience (and formerly free, retired gear), I’m at a bit of a loss. Recreating the attached network map with my old 2600 series router and PIX firewall would be trivial but alas budget requires me to replace it with a Mikrotik RB750Gr and a TP-Link TL-SG1016DE switch.

Needless to say, the router management interface is quite a bit different than what I am used to with Cisco IOS, although the 15 years of rust on my skills may be significantly contributing to this.

All these networks should be available on any port of a single 16 port managed switch although port-based VLANs may be part of the solution to segmenting things. This new gear is a big step down from my 20 year old Cisco enterprise hardware and a whole different world as far as configuring it. Not a lot of examples of configurations for me to hack. Pointers in that direction would be appreciated.

I’m having difficulty setting up routing and apparently firewall rules to enable routing across my various subnets. I have Starlink as my Internet connection and I bypass the provided router/WiFi. Network assignments are:
192.168.200.x/24 - Admin interfaces for all network hardware, NAS storage and printers - STATIC (All access)
192.168.201.x/24 - WiFi connected devices (phones, laptops and a couple cloud-connected devices) DHCP (All access)
192.168.202.x/24 - Surveillance cameras DHCP (only should have access to the other subnets, no Internet)
192.168.203.x/24 - All internal wired PCs DHCP (All access)
192.168.204.x/24 - TVs and Blu-Ray/4K smart entertainment devices (Only Internet access - no internal network access)

Oh yeah, almost forgot, I need to access the 192.168.100.0/24 subnet on the ether1 (WAN) port from all but the 202 and 204 subnets. (Have to talk to my Dishy)

Hi, welcome on the forum,

your router is aware only of 192.168.200.x/24 addresses as it has 192.168.200.1 assigned. All others are ignored.
Try to assign 192.168.20N.1/24 to the interface where 200.1 is assigned and look for results.

It’d be easier to help if you can share your configuration. Use:

/export file=anyname

and remove all private data.

I do not know how you configured access to the Internet, so the advice might not be enough to let all networks/devices access “the outside world”.

There are no remote routes here, all networks are adjacent; look for the problem in the firewall’s FORWARD chain.
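The FORWARD-chain policy from the first post, as an added example written for this thread (not the poster's or the reply's own config). It assumes the default hEX firewall is still in place, with established/related accepted before anything else and masquerade on the WAN interface list, and that 192.168.100.2/24 is a free address to give ether1 so the router can reach Dishy.

```routeros
# Constructed example for this thread; not the poster's configuration.
# Assumes the default hEX forward chain (fasttrack + accept established/related,
# drop invalid, drop WAN-not-DSTNATed) is still in front of these rules.

# Second address on ether1 so the router has a route to Dishy's 192.168.100.0/24
# (assumed value; Starlink bypass mode leaves 192.168.100.1 reachable on the WAN side)
/ip address
add address=192.168.100.2/24 interface=ether1 comment="route to Dishy"

# Name the subnets once so the rules read like the policy in the first post
/ip firewall address-list
add list=lan   address=192.168.200.0/24 comment="admin (static)"
add list=lan   address=192.168.201.0/24 comment="WiFi"
add list=lan   address=192.168.202.0/24 comment="cameras"
add list=lan   address=192.168.203.0/24 comment="wired PCs"
add list=lan   address=192.168.204.0/24 comment="TV / media"
add list=dishy address=192.168.100.0/24 comment="Starlink Dishy"

# Only new connections need checking; replies ride the established/related accept
/ip firewall filter
add chain=forward action=drop connection-state=new src-address=192.168.202.0/24 dst-address-list=!lan comment="cameras: other subnets only, no Internet, no Dishy"
add chain=forward action=drop connection-state=new src-address=192.168.204.0/24 dst-address-list=lan comment="TV/media: no internal network"
add chain=forward action=drop connection-state=new src-address=192.168.204.0/24 dst-address-list=dishy comment="TV/media: no Dishy either"
# 200, 201 and 203 need no rule: nothing in the default forward chain drops
# LAN-to-LAN or LAN-to-WAN traffic, so "All access" is already the result
```

Check the order with `/ip firewall filter print chain=forward`; the drops must sit below the established/related accept, which is where `add` appends them.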

Sounds awful, willing to help, look me up on discord anav_ds and I can help more directly if you wish.
Assuming the TP Link is a managed switch?

It should be a fairly simple configuration. You need to set up 5 VLANs under bridge on hEX (assuming you have the default configuration there now with the bridge). Your router supports hardware-offloaded bridge VLAN filtering which makes things easier (as MikroTik has several ways to configure VLANs depending on the hardware). Avoid using VLAN 1.

This is a good starting point: Bridging and Switching - RouterOS - MikroTik Documentation

Make sure you use Safe Mode to avoid locking yourself out and enable VLAN filtering on the bridge as the last step, when everything is configured. Some people advise taking one physical port out of the bridge, at least temporarily, to use as the management port without risking losing access to the router.

For each of your VLANs where you want DHCP, you need to configure DHCP server. In RouterOS you need to set up each component separately: static IP on the VLAN interface, DHCP network, DHCP pool, DHCP server. There is a wizard for this as shown in the documentation, but I haven’t used it, not sure if it works well.

DHCP server configuration: https://help.mikrotik.com/docs/spaces/ROS/pages/24805500/DHCP#DHCP-ConfigurationExamples.2

With the default firewall configuration things should work after the above is done. Further tweaking and securing can be done afterwards.

Feel free to ask specific questions if you get stuck.
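The bridge-VLAN and DHCP steps from the reply above, as an added example written for this thread rather than taken from the reply or from the MikroTik docs. It assumes RouterOS v7 on the hEX with the default bridge named "bridge", ether1 as WAN and ether2 as the tagged trunk to the TP-Link switch, and VLAN ids 200 to 204 chosen to mirror the 192.168.20N.0/24 plan.

```routeros
# Constructed example for this thread, not the poster's or MikroTik's own config.
# Run inside Safe Mode (Ctrl+X) and keep that session open until the last line.

# 1) One tagged VLAN interface per subnet on the bridge (VLAN 1 is left unused)
/interface vlan
add name=vlan200-admin interface=bridge vlan-id=200
add name=vlan201-wifi  interface=bridge vlan-id=201
add name=vlan202-cams  interface=bridge vlan-id=202
add name=vlan203-pcs   interface=bridge vlan-id=203
add name=vlan204-tv    interface=bridge vlan-id=204

# 2) Bridge VLAN table: the bridge (CPU side) and the ether2 trunk carry all five tagged
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=200,201,202,203,204

# 3) Per subnet: gateway address, pool, DHCP network, DHCP server (200 is static-only: no DHCP)
/ip address
add address=192.168.200.1/24 interface=vlan200-admin
add address=192.168.201.1/24 interface=vlan201-wifi
add address=192.168.202.1/24 interface=vlan202-cams
add address=192.168.203.1/24 interface=vlan203-pcs
add address=192.168.204.1/24 interface=vlan204-tv
/ip pool
add name=pool201 ranges=192.168.201.100-192.168.201.199
add name=pool202 ranges=192.168.202.100-192.168.202.199
add name=pool203 ranges=192.168.203.100-192.168.203.199
add name=pool204 ranges=192.168.204.100-192.168.204.199
/ip dhcp-server network
add address=192.168.201.0/24 gateway=192.168.201.1 dns-server=192.168.201.1
add address=192.168.202.0/24 gateway=192.168.202.1 dns-server=192.168.202.1
add address=192.168.203.0/24 gateway=192.168.203.1 dns-server=192.168.203.1
add address=192.168.204.0/24 gateway=192.168.204.1 dns-server=192.168.204.1
/ip dhcp-server
add name=dhcp201 interface=vlan201-wifi address-pool=pool201 disabled=no
add name=dhcp202 interface=vlan202-cams address-pool=pool202 disabled=no
add name=dhcp203 interface=vlan203-pcs  address-pool=pool203 disabled=no
add name=dhcp204 interface=vlan204-tv   address-pool=pool204 disabled=no

# 4) The default firewall only trusts interfaces in the LAN list; without these
#    lines the input chain drops management traffic arriving on the new VLANs
/interface list member
add list=LAN interface=vlan200-admin
add list=LAN interface=vlan201-wifi
add list=LAN interface=vlan202-cams
add list=LAN interface=vlan203-pcs
add list=LAN interface=vlan204-tv

# 5) Last step, once everything above is in: turn filtering on
/interface bridge set bridge vlan-filtering=yes
```

On the switch, make the uplink port tagged for 200 to 204 and every other port an untagged member of exactly one VLAN; ether3 to ether5 on the hEX stay on the default VLAN and are unused here.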

Are you saying to assign multiple IP’s to the same interface? (Eth2 in this case) What about DHCP? Gateways?

One thing I don’t understand is why can’t I just use a /16 netmask (255.255.0.0) and have all subnets see each other or act like they are on the same network? Call me clueless here.

The problem is that when you explain what you want, you refer to alternatives interchangeably: you

  1. either want a single subnet, that means the /16 netmask: in this case you have one subnet, where every device can access every other directly (no firewalling between them), the only distinction being that you assign different addresses to devices based on their MAC addresses. In this case the distinction between 192.168.201.x and 192.168.202.x is only in your head. You also have to resign yourself to adding every unknown-MAC device to a given range.
  2. You really have separate subnets, with netmasks /24. In this case these can only communicate through your firewall, you will have separate dhcp servers for each, etc. Yes, you have to have different interfaces for them, which are usually vlans.

Yes, I do. There is no being “clueless”, we just discuss and show different solutions that may be used.

As Lurker888 wrote, you can use a /16 netmask, but with the minimal set of information from the OP it was IMHO the fastest way to get it working just to check. The next step would be optimization.
VLANs in the MT world are not easy to configure and adding their complexity at the very beginning would be a showstopper in my opinion. Small steps, working v1 of configuration and then trim, baste, frustrate, trim, patch up, staple, v2, trim, new bale of fabric, scissors, frustration, staples, v3 … 🙂 🙂

@WMusselman, if you want to keep it simple, there is no need for VLANs, like others said. You did list 5 subnets, all /24, which is why I started talking about VLANs above. Unless you are looking to isolate different segments of your network, you are better off without VLANs. In fact, putting your NAS and PCs in different subnets will make this traffic routed (as opposed to switched) and might get a performance hit depending on how fast your NAS is.

Is there any particular reason why you want each segment to have a different IP range—192.168.200.x, 201.x and so on? For anything requiring static IP you can just use DHCP static leases. The rest doesn’t really matter what IP it gets.

I suppose it all goes back to my days as a corporate IT architect and network God. I kept the servers on one subnet, the wireless on another, and each department in the main building and each location on their own subnets. Old habits die hard I guess and back in my day (2000’s), with Cisco gear and a CCIE, this was the way it was done - frequently with Layer 3 switching and a bunch of VLANs… Certainly far too complicated for my own somewhat complicated home network. I forgot the IoT subnet in the map to be sure. This RouterOS thing is all new to me and the rust on my skills/knowledge turns out to be pretty damn thick.

There is definitely nothing unreasonable with having VLANs even on small networks. It all depends on how much time you want to invest into it. A lot of people struggle to understand VLANs, because they lack theoretical knowledge about networks, OSI model, layers etc. With your CCIE, no small feat, it should be only a matter of learning RouterOS concepts. The links I posted above cover this topic pretty well. It’s the switch chip VLAN method (the “old” way) that may get confusing for some, but you don’t have to worry about it with your router.

By the way, that TP-Link has its quirks with VLAN configuration, so watch out for them.

In the meantime, the default hEX configuration should just work for you.

I’m not happy with this router interface to be honest. Being a Cisco guy, I have a crapload of premade configs I can edit as needed and just load up and fiddle with. Not so with RouterOS. Again, 15 years of rust on my skills since I “retired”* doesn’t help.

  • If you’re a hands-on tech guy, don’t count on being employed over 50 - You become one of the “Overs” - over-qualified, over-experienced, over-paid and over 50.

You can do the same with RouterOS. I have a lot of pre-made configs myself. Of course, it uses a totally different syntax, just like you can’t take RouterOS config and apply to Cisco.

If you don’t have time or desire to learn CLI syntax (I don’t blame you), WinBox is fairly intuitive for someone familiar with network concepts.

Well the “over-paid” issue can be easily fixed. 😉

Easy to be over-budget 🙂