UPDATE:
The attached .rsc file:
micro-soho-vlans-20250629.rsc (5.5 KB)
is a basic router / switch / wifi access point configuration but splits physical ports into two networks using VLANs like:
PORT    ADDRESS            NETWORK
ether1  <DhcpAssignedIp>   WAN
ether2  192.168.88.1/24    HOME-VLAN
ether3  192.168.88.1/24    HOME-VLAN
ether4  10.11.11.1/24      OFFICE-VLAN
ether5  10.11.11.1/24      OFFICE-VLAN
wifi1   192.168.88.1/24    HOME-VLAN
wifi2   192.168.88.1/24    HOME-VLAN
Devices in HOME-VLAN are (should be) completely isolated from devices in OFFICE-VLAN.
Only devices in the OFFICE-VLAN can connect to the MikroTik using WinBox or WebFig.
This config was created by taking the default config of the hAPax2 running RouterOS 7.18.2 and modifying it to factor in the VLAN directives from the RouterSwitchAp.rsc example.
To install this file, first change:
- The admin-mac (get this from your default config by looking at the /export output)
- The wifi1 and wifi2 SSIDs
- The wifi1 and wifi2 PSK passphrases
- The OFFICE-POOL starting address (default is .32 to leave room for servers with static IPs)
- Change names, addresses and vlan-ids as desired to make them unique
- time-zone-name (although probably best done later in the UI to get the right name)
Login to the MikroTik, go to Files and upload the .rsc file.
Select System > Reset Configuration > No Default Configuration, Run After Reset, select the .rsc file and Reset Configuration.
Wait 2 minutes and, using a port on the OFFICE-VLAN, try to login as admin with a BLANK password (apparently Reset Configuration resets the password to “” and not the factory password).
If you cannot connect, presumably the config failed.
Try to figure out why and make changes / revert things.
Use the hardware Reset Button and login with the factory password and try again.
Rinse and repeat.
Note that if you export a config and modify it, you will need to re-add the wifi passphrases.
And make sure that either vlan-filtering=yes is set at the top or /interface bridge set bridge vlan-filtering=yes is added at the bottom (you will get locked out if vlan-filtering is not enabled).
–
OP:
I just got a hAPax2 for a micro SOHO.
I want to split the physical ports into different networks:
PORT    INTERFACE  COMMENT
ether1  WAN        Internet for all
ether2  HOME       tv
ether3  HOME       potentially hostile guest device
ether4  OFFICE     unmanaged switch 1
ether5  OFFICE     unmanaged switch 2
wifi1   HOME       more potentially hostile devices
wifi2   HOME
The HOME and OFFICE networks MUST be completely isolated from each other.
They would not even be sharing a printer or time service.
The HOME network should be hardened as much as reasonably possible (no management access, ..)
I have little experience with lower level network configuration or mikrotik devices but I am very comfortable with (and much prefer) text configuration.
I have recorded the output of /print default-configuration print on the unmodified device and again after selecting "Remove Configuration", and found the two configurations to be identical.
I have recorded the output of /export file=outfile on the unmodified device and found it to be a derivative additional "layer" of configuration, and that after performing the "Remove Configuration" it is almost completely removed.
So my first question is, given the overall objective, should I apply my changes as one .rsc script to the default configuration or “Remove Configuration” and create a .rsc script that rebuilds everything?
After scanning over the various documents on help.mikrotik.com and posts on forum.mikrotik.com, this “Using RouterOS to VLAN your network” document seems like it could be relevant:
https://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/
I am still trying to absorb everything but my vague thoughts are to create two VLANs with a single bridge with a DHCP server with two address ranges (like 192.168.88.1/24 for HOME and 10.11.11.1/24 for OFFICE) for the two completely isolated networks.
But can anyone recommend a general plan?
Which pitfalls should I look out for?
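As an added illustration of the plan asked about here (one bridge, two VLANs, two address ranges, HOME and OFFICE isolated, management only from OFFICE) and of the procedure described in the UPDATE, the following RouterOS 7 script sketches the relevant parts. It is example code written for this page, not the attached micro-soho-vlans-20250629.rsc and not the RouterSwitchAp.rsc example. The VLAN IDs 10 and 20, the interface-list names WAN/VLAN/MGMT, the pool names and ranges, and the rule comments are assumptions; the admin-mac, SSIDs, PSK passphrases and time zone are deliberately left out and must be supplied as the UPDATE says.

```routeros
# --- bridge created with vlan-filtering OFF; it is switched on as the last step ---
/interface bridge
add name=bridge vlan-filtering=no comment="vlan-filtering=yes is set at the end"

# --- L3 interfaces for the two VLANs (IDs 10/20 are assumed values) ---
/interface vlan
add interface=bridge name=HOME-VLAN vlan-id=10
add interface=bridge name=OFFICE-VLAN vlan-id=20

# --- interface lists used by the firewall and the management services ---
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface list member
add interface=ether1 list=WAN
add interface=HOME-VLAN list=VLAN
add interface=OFFICE-VLAN list=VLAN
add interface=OFFICE-VLAN list=MGMT

# --- access ports: pvid puts untagged traffic into the VLAN; frame-types and
#     ingress-filtering stop a hostile host from injecting tagged frames for
#     the other VLAN ---
/interface bridge port
add bridge=bridge interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wifi1  pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wifi2  pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# --- bridge VLAN table; "tagged=bridge" makes the CPU a tagged member so the
#     /interface vlan interfaces above actually receive traffic ---
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,wifi1,wifi2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether4,ether5 vlan-ids=20

# --- addressing and DHCP (OFFICE pool starts at .32 to leave room for static servers) ---
/ip address
add address=192.168.88.1/24 interface=HOME-VLAN
add address=10.11.11.1/24 interface=OFFICE-VLAN
/ip pool
add name=HOME-POOL ranges=192.168.88.10-192.168.88.254
add name=OFFICE-POOL ranges=10.11.11.32-10.11.11.254
/ip dhcp-server
add address-pool=HOME-POOL interface=HOME-VLAN name=HOME-DHCP
add address-pool=OFFICE-POOL interface=OFFICE-VLAN name=OFFICE-DHCP
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=10.11.11.0/24 dns-server=10.11.11.1 gateway=10.11.11.1
/ip dhcp-client
add interface=ether1
/ip dns
set allow-remote-requests=yes

# --- NAT to the WAN ---
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

# --- input: router itself reachable for management only from OFFICE;
#     HOME only gets DNS. Everything else (including from WAN) is dropped ---
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=MGMT comment="WinBox/WebFig/SSH only from OFFICE"
add action=accept chain=input in-interface-list=VLAN protocol=udp dst-port=53 comment="DNS for both VLANs"
add action=accept chain=input in-interface-list=VLAN protocol=tcp dst-port=53
add action=drop chain=input comment="drop everything else to the router"
# --- forward: each VLAN may reach the WAN; HOME<->OFFICE is dropped explicitly ---
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward in-interface-list=VLAN out-interface-list=VLAN comment="HOME and OFFICE isolation"
add action=accept chain=forward in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="drop everything else"

# --- L2 management paths (neighbor discovery, MAC-WinBox/MAC-telnet) limited to OFFICE too ---
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip service
set winbox address=10.11.11.0/24
set www address=10.11.11.0/24
set ssh address=10.11.11.0/24
disable telnet,ftp,api,api-ssl

# --- LAST: enable VLAN filtering. Doing this before the VLAN table and the
#     tagged=bridge entries exist is the classic way to lock yourself out ---
/interface bridge
set bridge vlan-filtering=yes
```

The forward chain has no rule that permits traffic between the two VLAN interfaces, and the explicit VLAN-to-VLAN drop makes that intent visible rather than leaving it to the final catch-all; the input chain and the /tool mac-server and /ip neighbor settings together are what stop HOME devices from reaching WinBox or WebFig over IP or over MAC. Ordering matters in both chains, so keep the established/related accept first and the drops last.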