I suspect I’m opening a big can of worms, but here goes…
Location A: hAPax3 that serves as router connected to cable internet and AP. The hAPax3 is wired (ether4) to a Cube60Pro.
Location B: Cube60Pro as slave to Cube60Pro at location A, wired to another hAPax3.
I would like to keep the traffic at these locations completely separate. No need for any traffic at location A to traverse the Cubes except for internet access to the devices and users at location B. (And, no need for any traffic at location B to traverse the Cubes other than internet access destined for location A.)
What’s the best way to do this (and yet not mind-numbingly complex)?
I thought about just setting up firewall rules, but it seems like that would be increasing the various device’s work (by dropping all those packets), and that a bridge or routing (or even my dreaded vlans) solution might be better.
Is location B connected to internet some other way? If so why connect the two Cubes.
If not then the hapax3 at location B is simply an AP/Switch on the network.
For me it should be viewed as a simple case of setting a bridge and vlans at location A for the router.
As many vlans as you need to separate traffic accordingly.
Location A
a. one trusted vlan (home vlan)
b. if home vlan is not trusted then separate management vlan
c. guest wifi vlan
Location B
a. trusted vlan is the only vlan to be identifed with interface bridge. (rest of vlans are simply shunted from ether1 (trunk to cube) to the approriate etherport or WLAN
b. only trusted vlan needs to be tagged to the bridge, rest only to ether1 and the applicable etheport or wlan
Location B does not have a connection to the Internet. The goal of using the pair of Cubes is to avoid another $60/month charge. The cubes are about 650’ apart (200 meters).
So, yes, the hAP can be configured as an AP/Switch.
Unfortunately, I attempted to learn VLANs before and failed.
Can this be done with just setting up a bridge at location A? Or some other way that avoids VLANs?
So, I understand that VLAN are virtual LANs, which can be considered to be a collection of devices as if they were all on a single switch (i.e., same broadcast domain; often same IP subnet; hearing each other’s packets on any of the ethernet cables connected to any of the switch’s ports).
I also understand (basically) that packets have VLAN tags attached and those tags identify the packets as belonging to a specific VLAN (i.e., VLAN 1, 10, 20, 100, etc.), and that devices can be configured to add tags, remove tags, allow only packets with tags of a certain value, etc.
I also understand that there are Access ports and Trunk ports, but I’m sure I do not have a full understanding of how they work.
With my caveat…
^^^My advice is not to config/copy pcunite’s formats verbatim from the first link above, its stilted and confusing. Instead simply using winbox, work through the Configuration Steps logically.
FIRST though, take one etherport and configure it so that it is accessible off the bridge to avoid getting locked out!!. SEE PARA A. above!!!
Add Bridge (or modify default Bridge as required)
Add VLANS with the parent interface being the Bridge
Create Subnet Structure for each VLAN (and likely modify the default subnet to be one of the VLANs)
Construct /interface bridge ports ( etherports and WLANs as applicable )
Construct /interface bridge vlans ( tagged and untagged **** Should match up with /interface bridge ports as a cross-check )
Make Changes to LAN Interface List ( remove bridge and add all vlans typically)
Add Management/Base Interface List & applicable members (Base Vlan and off bridge etherport for example)
Adjust Firewall Rules as necessary (Base List to Input Chain, LAN List to Input Chain for DNS, etc. ( required router services ))
Go to CLI and run export and see if any errors crop up.
Turn on bridge vlan filtering.
+++++++++++++++++++++++++++++++++++++++++++
FIRST though I recommend setting up one port could be temporary if you have no spare ports for example.
After the default setup, ethe1 WAN, ports 2-5 on bridge, take ether port 5 off the bridge.
Then follow this guide. The idea we are creating a safe spot to config the router and its bridge without hiccups. https://forum.mikrotik.com/viewtopic.php?t=181718
