Subnet/VLAN on sfp1 - RB2011

Here is a quick question that hopefully someone can help me out with. On my RB 2011, I am connecting the SFP port via 1000base-SX to a switch that will be used exclusively for surveillance cameras. I would like this switch and everything connected to it to be on a separately addressed VLAN with its own DHCP server.

So how do I set this up so that the RB 2011 dedicates the SFP port to a separate subnet on its own VLAN and DHCP space? The Routerboard, obviously, will need to route traffic between the two subnets.
I have the incoming Internet connection on eth1 and all the other ports are currently bridged.


Many thanks,

Do you simply want a different subnet - or do you actually want a VLAN?

You can create a different subnet on any interface simply by ensuring that the interface is not slaved and giving it its own IP/Mask.

If you want a VLAN you can create a VLAN interface on the SFP port - then give it an IP/mask like you would a raw Ethernet interface.

Here’s a little bit more information. I think I want a VLAN because I want to partly isolate the cameras and their recording server (NVR) from the rest of the network.
The cameras will all be connected to their own switch, a 3Com 4500 series located in the attic. This switch I believe is level 3 capable.

All my other equipment is located in the basement. The RB2011 router has my incoming internet connection and is connected to a ProCurve 1800 switch which is level 2 but not 3 capable. Currently all other devices - PCs, access points, servers, IP phones, home automation, etc. - are plugged into the ProCurve, which is running in unconfigured mode.

The NVR software is running in a virtual machine on one of the servers currently connected to the ProCurve. This virtual machine has its own dedicated network card so I can connect it either to the router or the ProCurve Switch, but not to the switch that runs the cameras.

The cameras and the NVR need internet access, and I also need to connect to them from web browsers on a couple of PCs. The NVR server is a member of my Windows domain and stores its recordings on another Windows server so it cannot lose its connection to the domain. Can a Windows domain span VLANs and/or subnets?

Here’s what it looks like now, and with the proposed members of the VLAN circled:

I have made some experiments. I first tried with just a subnet on the SFP port, using these instructions:

http://networkingforintegrators.com/2013/01/how-to-run-multiple-networks-from-a-mikrotik/

This almost worked. The 3Com switch picked up a DHCP address and so did the cameras connected to it. I could reach the router from both subnets and also log into the cameras’ web interfaces. However the web interface of the 3Com switch was unreachable and the camera live video feeds were not displayed in the browser.

When I set up a VLAN according to these instructions:

http://networkingforintegrators.com/2012/12/mikrotik-basic-vlan-example/

The result was less encouraging. The 3Com switch and the cameras could never contact the DHCP server and they were unreachable from outside the VLAN. The router was still reachable though.

So I don’t think I got this setup right. Further guidance would be much appreciated.
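
The two options discussed in this thread (a plain subnet on sfp1, or a tagged VLAN interface on sfp1) are sketched below as a RouterOS configuration, with forward-chain rules for the partial isolation of the cameras. This is an added example, not something posted by the thread's participants. Assumed values: VLAN ID 20, 192.168.20.0/24, the names vlan-cam, pool-cam and dhcp-cam, a LAN bridge called "bridge", and the Internet uplink on ether1.

```routeros
# Added example; all names, the VLAN ID and the address range are constructed.

# sfp1 must not be a bridge port (or slaved to another port), otherwise it
# cannot carry its own subnet.
/interface bridge port remove [find interface=sfp1]

# Tagged VLAN variant: frames leave sfp1 with an 802.1Q tag (ID 20), so the
# uplink port on the camera switch must be a tagged member of VLAN 20 and the
# camera ports untagged members of it. Without that the switch and cameras
# never see the DHCP server.
/interface vlan add name=vlan-cam interface=sfp1 vlan-id=20

# Plain-subnet variant: skip the line above and use interface=sfp1 wherever
# interface=vlan-cam appears below. Traffic is then untagged on sfp1.
/ip address add address=192.168.20.1/24 interface=vlan-cam

# DHCP server dedicated to the camera subnet.
# dns-server assumes the router's DNS resolver accepts remote requests.
/ip pool add name=pool-cam ranges=192.168.20.100-192.168.20.200
/ip dhcp-server add name=dhcp-cam interface=vlan-cam address-pool=pool-cam disabled=no
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# Partial isolation (assumed policy): LAN hosts such as the PCs and the NVR
# may open connections to the cameras, cameras may reach the Internet, and
# cameras may not open connections to anything else. Routing between the two
# subnets needs no extra configuration; these rules only restrict it.
# New rules are appended to the chain, so check their position relative to
# any existing forward rules.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="reply traffic"
add chain=forward in-interface=bridge out-interface=vlan-cam action=accept comment="LAN to cameras"
add chain=forward in-interface=vlan-cam out-interface=ether1 action=accept comment="cameras to Internet"
add chain=forward in-interface=vlan-cam action=drop comment="cameras to anything else"
```

The last rule drops connections that a camera opens toward the LAN; connections opened from the LAN side still work because their replies match the established,related rule.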