Setting up VLAN/Firewall with Mikrotik Router (RB4011)

I have been watching the Mikrotik forums for a while, because I need a more advanced setup at my home. I wanted to get a full OMADA setup and I have actually made a post about how to set that up on their forum, but I don’t know if they actually give a shit about their users. I have an asuswrt merlin AC87U with an FTTH 920/800 PPPoE fiber connection.

I will keep things simple, here is my network setup:

Is the network logic OK?
How hard is it to set this up using winbox? (Please no CLI; I have seen that users post the code of the configuration and while I could follow some portions of it, it is too advanced for my level.)
The RB4011 has two switch chips. Should I use just the first 5 ports, or is it better to keep WAN on port 1 and the rest of the clients on ports 6-10?

Regarding firewall and INTER VLAN networking:

  • could the clients on the IoT VLAN be seen and controlled by the private VLAN clients? Basically, IoT clients cannot access the private VLAN, but connections established from private should be allowed.
  • can I connect to clients such as Chromecasts? I have seen that they require an mDNS service in order to be located; can I locate a Chromecast on the IoT LAN and give it commands from the private VLAN?
  • what ports do I need to keep open in order for my smart TV, located on the IoT VLAN, to be able to access a Samba share from my desktop on the private VLAN? (Kodi service)
  • if I want to block inter-VLAN communication and also want to block the router interface from all VLANs except the native VLAN 1, is it OK if I have my desktop connected on a switch port with VLAN 1 only?
  • is there a guide for best practices regarding firewall rules (attack filtering, URL filtering) and port forwarding (ports for Xbox and Plex in my case)?

I have read viewtopic.php?f=23&t=143620 and, regarding my questions, I want to know if it is doable and where I can find resources to accomplish that using a user interface (RouterOS webfig or winbox).

Most things are doable.
Chromecast, no guarantees.

Just FYI: basic configuration structure (tree if you want) is mostly the same both in GUI (either winbox or webfig) and in CLI. It’s much easier and more readable to exchange configuration bits in CLI format, but if somebody gives you configuration instructions in CLI it’s pretty easy to make necessary steps in GUI. It’s also much easier to review actual configuration in ASCII export format than by studying tens of screenshots.

Concur. I use winbox mostly to config the router, aka tweak.
However, I read the config files (text) put out by the terminal command /export to review work. Much easier.
Sometimes one needs screenshots; for example, routes are sometimes also best viewed by jpeg.
The text script is extremely useful too, via the Terminal window when replacing config or porting it.
Imagine all I have to do is copy every DHCP lease (could be a hundred) and paste into the terminal window and DONE…

The explanation about CLI makes sense and I would probably get used to it in time. Thank you for the information.

What you are proposing is fairly straightforward. It is no problem to set up firewall rules so that either all or selected devices on your private or management VLAN can get to either IoT or Kids VLAN devices to manage them, but those two VLANs, for example, can only get to the internet; I do that all the time. In RouterOS, it’s very easy to allow or block specific devices from communicating between VLANs.
My son runs Chromecast all the time and it required nothing special to be set up to make it work. I don’t know about that if you try to do so from a different VLAN. My son’s Chromecast and phone are on the same VLAN.
Sorry, I have no information on ports for your Kodi service, but I assume an internet search should help there.
As for the CLI vs GUI interface: as stated, it is far easier to share data via CLI, and you should be able to figure out the formats pretty easily so you can read what someone is sending you. Then you can put that data into WinBox. I personally do almost all of my configuration in WinBox,
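The inter-VLAN policy described in the replies above (private may open connections to IoT, IoT may only reach the internet, and only the private VLAN may manage the router), written out as a RouterOS export-style script. This is an added example, not configuration posted by anyone in the thread. Interface names (ether2, ether3, bridge1, pppoe-out1), VLAN IDs 10 and 20, the 192.168.10.0/24 and 192.168.20.0/24 subnets, and the desktop address 192.168.10.50 are all assumptions; DHCP servers and the PPPoE client itself are left out. The one extra rule for the smart TV relies only on the fact that SMB file sharing listens on TCP 445.

```routeros
# Added example, not from the thread. Names, VLAN IDs and addresses are assumptions.
# Bridge with VLAN filtering: ether2 carries the private VLAN untagged, ether3 the IoT VLAN.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=20
# Router-side VLAN interfaces and their gateway addresses.
/interface vlan
add interface=bridge1 name=vlan10-private vlan-id=10
add interface=bridge1 name=vlan20-iot vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-private
add address=192.168.20.1/24 interface=vlan20-iot
# Interface lists keep the firewall rules short; pppoe-out1 is the assumed uplink.
/interface list
add name=WAN
add name=VLAN
/interface list member
add interface=pppoe-out1 list=WAN
add interface=vlan10-private list=VLAN
add interface=vlan20-iot list=VLAN
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
/ip firewall filter
# --- input chain: who may talk to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=vlan10-private comment="management only from the private VLAN"
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53 comment="all VLANs may use the router as DNS resolver"
add chain=input action=drop comment="everything else, including IoT and WAN, is dropped"
# --- forward chain: traffic between VLANs and to the internet ---
add chain=forward action=accept connection-state=established,related comment="replies to connections already permitted below"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=vlan10-private out-interface=vlan20-iot comment="private may open connections to IoT"
add chain=forward action=accept in-interface=vlan20-iot dst-address=192.168.10.50 protocol=tcp dst-port=445 comment="smart TV on IoT may reach the desktop's SMB share only (assumed desktop address)"
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN comment="every VLAN may reach the internet"
add chain=forward action=drop comment="everything else, including IoT -> private, is dropped"
# Enable VLAN filtering last, after the bridge VLAN table and rules are in place.
/interface bridge
set bridge1 vlan-filtering=yes
```

Two practical notes. Paste this from a device on the private VLAN (or with winbox Safe Mode enabled), because the final input drop cuts off management from every other interface the moment it is added. And this routed setup does not answer the Chromecast question: mDNS discovery is sent to the link-local multicast group 224.0.0.251, which a router does not forward between VLANs, so the "private may open connections to IoT" rule lets you reach a Chromecast whose address you already know but does not make it discoverable from the private VLAN.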