I have an Ethernet socket next to my couch where sometimes I plug in my personal computer or sometimes a work computer. Based on which device gets plugged in, I want it to be assigned either to my Guest or my Home vlan and get a corresponding IP address.
I already have 4 vlans working correctly on my hAP ax2. This is the main router with ether1 being WAN and ether2 connected to a Cisco SG200-series switch. This switch is wired to (among other things) the socket next to my couch, so the same port on the switch will sometimes see traffic that should go to vlan10, sometimes to vlan 20. I am guessing this should be possible using device MAC addresses, but being a networking novice I do not know where to look to start. Each “guide” I seem to have found presented a different way to achieve this or explained associated security risks.
I guess the relevant part of my hAP ax2 setup is this, with only the ether2 port being relevant for this issue.
A rule on port ether2 on the router to assign a specific mac address to a vlan. Didn’t work.
A static MAC address assignment to a PVID on the cisco switch. Didn’t work.
(Attempting) to turn ether2 into a trunk port by tagging traffic coming from the switch, as per the config above. Didn’t work.
On the hAP ax2 setting a static IP address (IP/DHCP server/Leases) to the MAC address in question, in the IP range that matches the vlan. Didn’t work.
I looked at MACVLAN on the router, but this doesn’t sound like what I am looking for.
I feel like I am going in loops, likely due to missing some basic knowledge. Could I have some help where to look for info or what feature I should look into on the router/switch?
Thanks in advance!
P.S. I am new to RouterOS. I am not a networking expert, as the question suggests as well.
As far as I know, there is no way to do that (I could be wrong on that). However what you could do is make the port to the couch a VLAN trunk and put a simple VLAN aware managed switch at the couch. Set that up so one port (to the rest of your network) is the VLAN trunk, and two of the other ports are each of the two VLANs. If it were me, I would use a CSS106-5G-1S (I have several). You could also have a couple other ports on whatever VLANs you want.
I’m with K6… simple managed switch or hex type device acting as a switch, send vlans from router to switch (will need one for wall, leaving four different vlans could be served up).
So you mean to have several ports at the couch and I decide (manually) where to plug in which device?
At least I can stop going mad not being able to figure this one out!
Related question, could "switch rules" do in this ROS? Seems to me that it could match a device MAC as an input and action rewrite a new VLAN ID. So, could I accomplish my goal without having a Cisco switch and using just my hAP ax2 router? I only tried this with the switch in between so far, which as per above, did not work.
It depends on the capabilities of the switch chip. Certainly the CRS1xx/2xx devices support MAC-based VLANs, the CRS3xx/CRS5xx devices do too but probably not in a suitable way for your use case.
Dot1x would probably work, the port connected to the device at the couch would be set up to use your home VLAN if whatever is plugged in does not authenticate successfully, and the work VLAN if MAC-based auth is successful. IIRC the usermanager in ROS v7 supports this, with v6 needing an external RADIUS server.
In other words, a 15 minute trip to Staples or Best Buy, and 15 min back, and you're done for the most part. TDW’s route will lead to graying or loss of hair.
This is the sort of scenario 802.1X was designed for. There may be wrinkles in the Mikrotik implementation, which would be addressed with more use and feedback, but with FreeRADIUS and HP switches 16 years ago it was fine. (Odd silvering appeared before that, but no loss.)
Well, the built-in User Manager will support 802.1X, and UM is not that complex to set up. You can then set the VLAN on user using a RADIUS attribute. The 802.1X does work between RouterOS, and even macOS. I’m sure there are odd corners that may not work (i.e. 802.1X likely won’t help with VLAN assignment with wifi-qcom-ac wireless, and IDK if other cases).
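The RADIUS side of the MAC-based VLAN assignment discussed in the replies above, as an added example that is not part of the thread and is not RouterOS or User Manager code: it shows the three standard tunnel attributes (RFC 3580) that an Access-Accept carries to place a port in a VLAN, and the fallback when the MAC is unknown. The MAC table, the VLAN IDs 10 and 20 and all function names are assumptions made for illustration.

```python
import re
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and the values RFC 3580
# defines for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed sample data: known MAC -> VLAN ID (IDs are assumed, not from the thread).
MAC_TO_VLAN = {"02:00:00:aa:bb:01": 20}
FALLBACK_VLAN = 10  # VLAN the authenticator port uses when MAC auth is rejected


def normalize_mac(mac):
    """Accept aa-bb-.., aabb.ccdd.eeff or aabbccddeeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def tagged_int_attr(attr_type, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: type, length 6, tag byte, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id):
    """Encode the attribute bytes that assign a port to vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    group = str(vlan_id).encode("ascii")  # untagged string form of the VLAN ID
    return (tagged_int_attr(TUNNEL_TYPE, VLAN)
            + tagged_int_attr(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)


def decide(mac):
    """Return (RADIUS reply code, attribute bytes, VLAN the port ends up in)."""
    vlan = MAC_TO_VLAN.get(normalize_mac(mac))
    if vlan is None:
        return "Access-Reject", b"", FALLBACK_VLAN
    return "Access-Accept", vlan_attributes(vlan), vlan
```

A MAC address is supplied by the client itself, so this lookup identifies a device rather than authenticating it; 802.1X with EAP credentials is the stronger check for the VLAN that matters more.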