Trunk / Hybrid port - private VLAN for 1 VLAN only

Hello,
I have the following simplified situation:
To clarify what I mean by “Private VLAN”: https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-PrivateVLAN

There are 3 VLANs (like 4) in the network:

  1. VLAN1 - Untagged management
  2. VLAN10 - Private
  3. VLAN20 - VR
  4. VLAN30 - Guests

These VLANs are used by 3 separate SSIDs on 4x cAP ac:

  1. PrivateAP - VLAN10
  2. VRAP - VLAN20
  3. GuestAP - VLAN30

My goal is to achieve that when a client connects to the “GuestAP” Wi-Fi network, it will be blocked from all communication on L2 between clients and can only “talk” to the main router (RB4011).
If a client connects to the SSID “PrivateAP” or “VRAP”, it must have working L2 communication!


I was able to achieve the desired result by using bridge filters on the switches; however, this is not realistically deployable because I lose hardware offloading. So I need to somehow come up with a solution that is compatible with hardware offloading on the switches (CRS326-24G-2S+).

What do I expect as a result?

  • VLAN 30 (for guests) will have isolated clients at the L2 (Layer 2) level, whether they are connected on the same AP or on different APs.
  • On VLAN 10 and VLAN 20, communication between devices will remain fully functional.
  • Hardware offloading will remain active and high switch performance will be maintained.

The network interconnection is as follows:

  • A cable runs from the router (port “ether10”) to SW1 (port “ether1”). Two cables run from that switch (ports “ether24” and “ether23”) to switches SW-A and SW-B (port “ether1” on both).
    The 1st and 2nd cAP ac are connected to ports “ether24” and “ether23” of switch “SW-A”.
    The 1st and 4th cAP ac are connected to ports “ether24” and “ether23” of switch “SW-B”.

[Attachment: nacrt_site.png (network sketch)]
Thank you very much for any advice. If you have a better solution, I would be happy to hear it.
As long as I was using legacy drivers it was easy thanks to tunneling, but with wifi-qcom-ac it’s more complicated.

Intervlan communication can be blocked on a router. By default it will be accepted.
What router are you using?

Please consider not using VLAN ID 1; better to assign a VLAN ID explicitly (anything except ID 1).

I need to block communication within one VLAN on data link layer. This is not a problem on L3, I have firewall on both IPv4 and IPv6.

Sorry for the confusion, I don't use VLAN ID 1, this is untagged traffic that is referred to as VLAN 1 on a competing switch.
Management is untagged, the rest are tagged VLANs (VLANs for client devices).

This is a school where students are trying to make a mess (ARP spoofing, fake DHCP servers and equivalent IPv6 attacks, etc.).
I don't blame them, it's the ex admin's fault for not securing it. I'm actually glad for the attacks, at least they can see the "holes in the system".

I have temporarily "solved" this by allowing traffic from clients only to the uplink on the switches, but this applies to all VLANs and e.g. the VR headset is now unusable.

Of course there is no money for better HW, so I have to work with what I have. The sketch is very simplified, the network is much bigger, but the concept remains the same.

Has no one really addressed such a request?

So far I have “solved” it by running the SSID for VR on a separate AP. I dug up a test Huawei AP361 that has 802.11ax. I was surprised that even with the AX AP set to 802.11ac, it runs much better on the same frequency and bandwidth. Now I’m sad, I don’t want to change APs :smiley: