Sanity check for hybrid router setup with vlans

Howdy y’all, new to the community and the Mikrotik ecosystem.

Basically just a sanity check to see if I’m on the right course or if I’m in the wrong ballpark.
I have two network devices: an RB5009UPr router (named conduit) and a cAP Lite wireless access point (named prism).
I have the router in a hybrid router/bridge setup.

  • Created a bridge on the RB5009 for ethernet ports 5-8 and that is “acting as my LAN switch”. I have 4 computers throughout the property wired to a patch panel and then plugged into any of those 4 ports.
  • The cAP Lite wireless device is connected to ethernet port 2 over PoE.
  • Will be using the sfp+ port for the connection to the internet.
  • Will be using one other ethernet port as a dedicated service port to the router.

The goal is to have the wireless traffic from the cAP Lite and the ethernet traffic on the 4 bridged ports on the router on separate VLANs and subnets, not able to see each other, while being served DHCP from the router and all being able to reach the internet.

I drew up a little diagram and attached the configs for both Mikrotik devices. I haven’t touched firewall rules except for the default config, as I’m trying to figure out if I’m even in the right ballpark before I start setting up firewall rules. Currently the two networks, wireless and LAN, are getting the correct DHCP addresses and are able to access the RB5009 router (conduit).
conduit_config.rsc (9.38 KB)
prism_config.rsc (3.11 KB)
netnet.jpg

howdy down under

everything looks great. you are good to go.

on rb5009,

  • make a single bridge.
  • make 2 vlan iface : ip 10.0/24 and 200.0/24
  • put ether2, 5-8 on the bridge. do bridge vlan filters.

how to guide available on MT wiki bridge vlan.

  • make your ap in bridge mode. plug in ether2 vlan 200. if you want to use the captive portal - the how to also available on wiki.

  • firewalls… no vlan 200 to 10 and vice versa except to the internet :
    I think I have already written it somewhere in this forum not so long ago, I will post it later.

— edit.

maybe this post will help you with that vlan firewalls.

http://forum.mikrotik.com/t/block-between-vlans-in-the-same-bridge/167886/1

hope this helps.
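The steps in the reply above (one bridge, two VLAN interfaces, bridge VLAN filtering on ether2 and ether5-8, AP port on VLAN 200, and forward rules that let each VLAN reach the internet but not the other VLAN) put together as one RouterOS 7 config fragment for the RB5009. This is an added example, not the poster's config or anything from the MikroTik wiki; the addresses (192.168.10.0/24 for wired on VLAN 10, 192.168.200.0/24 for wireless on VLAN 200), the WAN port (sfp-sfpplus1), the interface and pool names, and keeping ether1 off the bridge as the service port are all assumptions to adapt.

```routeros
# Added example for the RB5009 (conduit), RouterOS 7 syntax.
# Assumptions, not from the thread: VLAN 10 = wired LAN 192.168.10.0/24,
# VLAN 200 = wireless 192.168.200.0/24, WAN on sfp-sfpplus1, ether1 left
# off the bridge as the dedicated service port. All names below are mine.

# 1. One bridge. Leave vlan-filtering off until everything else is in place,
#    otherwise a mistake below can lock you out of the router.
/interface bridge
add name=bridge1 vlan-filtering=no comment="single LAN bridge"

# 2. Bridge ports. pvid puts untagged ingress on that VLAN; frame-types
#    rejects tagged frames on access ports so a host cannot hop VLANs.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=200 frame-types=admit-only-untagged-and-priority-tagged comment="cAP Lite (AP in bridge mode)"
add bridge=bridge1 interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether6 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=10 frame-types=admit-only-untagged-and-priority-tagged

# 3. Bridge VLAN table. bridge1 itself is a tagged member so the router's
#    VLAN interfaces (step 4) can see both VLANs.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether5,ether6,ether7,ether8
add bridge=bridge1 vlan-ids=200 tagged=bridge1 untagged=ether2

# 4. The two VLAN interfaces the router uses for addressing and DHCP.
/interface vlan
add name=vlan10-lan interface=bridge1 vlan-id=10
add name=vlan200-wifi interface=bridge1 vlan-id=200

# Interface lists keep the firewall rules readable.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=sfp-sfpplus1
add list=LAN interface=vlan10-lan
add list=LAN interface=vlan200-wifi

# 5. Addresses and DHCP per VLAN (ranges are constructed).
/ip address
add address=192.168.10.1/24 interface=vlan10-lan
add address=192.168.200.1/24 interface=vlan200-wifi
/ip pool
add name=pool-lan ranges=192.168.10.100-192.168.10.200
add name=pool-wifi ranges=192.168.200.100-192.168.200.200
/ip dhcp-server
add name=dhcp-lan interface=vlan10-lan address-pool=pool-lan
add name=dhcp-wifi interface=vlan200-wifi address-pool=pool-wifi
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.200.0/24 gateway=192.168.200.1 dns-server=192.168.200.1
/ip dhcp-client
add interface=sfp-sfpplus1

# 6. Forward chain: each VLAN may reach the internet, nothing crosses
#    between VLAN 10 and VLAN 200. The logged drop makes any attempt
#    visible in /log; the final drop is the default deny.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="VLANs to internet"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN log=yes log-prefix="inter-vlan" comment="no VLAN 10 <-> VLAN 200"
add chain=forward action=drop comment="default deny forward"
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# 7. Only now turn filtering on.
/interface bridge set bridge1 vlan-filtering=yes
```

The RB5009 default config already ships input and forward rules; these forward rules are meant to sit alongside them, so check the rule order in `/ip firewall filter print` after pasting, and test from a wired host that it can reach the internet but not a wireless host's address (and vice versa) before calling it done. The cAP Lite side is just an AP in bridge mode with its ethernet port untagged, which matches the VLAN 200 access port on ether2 above.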

When you run out of ports on the 5009 just put a managed switch at the patch panel, one connection from router.
As for setting up the AP…
https://forum.mikrotik.com/viewtopic.php?t=182276

Y’all are fantastic. Thank you so much for taking time out of your day to help out as well as providing links to those other posts; a lot of great MikroTips!


Should there ever be a need to expand into more ports that would definitely be what I would do. I was kind of hoping down the road it would be neat if Mikrotik considered a small form factor switch that can be mounted in the same 1U profile with the 5009.