VLAN and bridge

Hello,

I have recently bought hEX PoE 6.39.1 with CPU MIPS 74Kc V5.0, 800MHz and 128 MB of memory and it looks much more complex compared to both Cisco and HP network devices. I went through a lot of Mikrotik docs and some things still seem not that easy to understand.

  1. I found two articles about creating VLANs - one includes bridges, the second one does not mention anything about bridges and they both work. When is bridge required in the context of VLAN configuration? When I create VLAN either in Cisco or HP, bridge is not considered to be an element of this configuration at all.

  2. Does VLAN interface need to be assigned to ethernet port or not? What if I assign a bridge port to VLAN?

  3. Can I assign DHCP server to VLAN interface? Currently I have ethernet port assigned to my vlan-dedicated DHCP server and it’s working, nonetheless I would like to create another one for another VLAN on the same port. Two dhcp servers on the same ethernet port? - not possible I guess.

  4. I created new VLAN interface based on ethernet port, network, gateway, pool and dhcp server - is this new network reachable automatically - it seems so. So to separate this new network from default vlan1 do I have to add proper firewall rule?

In general I still have problems with what should be assigned to what (in terms of interfaces). I finally created configuration which is working, nonetheless I would like to have better understanding of this and create two VLANs (on the same port) for Wireless network purposes (Private and Public-Guest).

Thank You in advance for any clues.
Regards,

  1. Bridge is optional- it lets you merge different interfaces (like ethernet, pptp, vlan, wlan etc). So it’s up to your requirements, if you set it up or not.
  2. No. And you cannot assign a bridge to vlan. You can add vlan as part of a bridge, tho:)
  3. Your guess is correct- kind of. Technically you could set two dhcp servers on same interface, but they would require different relays… and what would you expect of having two dhcp servers anyway? I mean: you can put dhcp server on the bridge you’re about to configure, then just make the vlan and the ethernet part of it. There’re many ways of accomplishing same result, but I’m not sure what you’re trying to get here, so before I confuse you more- could you specify?
  4. The whole point of vlans is that they are isolated from each other (or at least from part of a bigger network they’re set in) unless you specify otherwise…

Are you sure that vlans are actually the solution you’re looking for in your case?

It’s also important to understand that certain models have switch chips that allow accelerated layer 2 performance. The hex does not have this as the documentation indicates. There are generally 2 ways you can configure VLANs depending on which makes the most sense to you.

I prefer to create a bridge for each VLAN, I then add VLAN interfaces for each port I want tagged traffic. I then apply all VLAN wide settings there, IP, DHCP server, etc…

You can create a bridge and add VLAN interfaces to it with the “interface” of the VLAN interface command set to the bridge. This means the VLAN traffic will be tagged on that bridge. Any Ethernet ports you add to that bridge then pass all those VLANs tagged. This is an easier way to create a set of “trunk” ports. I find it less flexible personally but that’s largely just me and my brain.

By default, inter-VLAN traffic is permitted. Think a Cisco ISR. It doesn’t block any traffic out of the box. The MikroTik is nearly the same except the default configuration takes into account a WAN and LAN perspective. By default everything is LAN.

Hi again, thank You for Your replies.

So my goal was to create 2 wireless networks: private and guest using Wis Networks WIS-CM2300L AP and ethernet5 on my Mikrotik device. So I have one physical port (Mikrotik) and additional device that is able to provide more than one wireless network.

  1. ethernet5 is a part of default bridge - nothing changes here. I do not create another bridge.
  2. I create two VLANs, both attached to ethernet5.
  3. I create two new addresses (IP - Addresses) for these two VLANs and they become default gateways - addresses are attached to VLAN interfaces.
  4. I create two dhcp pools.
  5. I create two dhcp servers, one attached to first VLAN (private) and second attached to another VLAN (guest) - proper dhcp pools are attached to proper dhcp server.
  6. I create proper firewall rules - in my case I don’t want communication from guest vlan to my default, etc.
  7. I configure my Wis device.

So far so good, above configuration seems good. I’m gonna make a short video and upload it probably on Youtube soon. I will put a link to the video here when ready. Thanks once again for Your clues.

Or maybe one more question: if bridge is transparent then why in default configuration there is a default dhcp server attached to it?

Because ‘default’ configuration is for someone who just wants to ‘plug and play’ mikrotik. So dhcp server has to be operational in case he/she doesn’t know how IPs work:)

Looking forward to your youtube upload:)
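
The seven-step layout described in the thread (two VLANs on ether5, an address, pool and DHCP server per VLAN, then firewall rules), written out as RouterOS commands. This is an added example, not a configuration posted by any participant; the interface names, VLAN IDs 10 and 20, the subnets, the default LAN 192.168.88.0/24 and the router acting as DNS resolver are all assumptions.

```routeros
# Added example: every name, VLAN ID and subnet below is an assumed value.

# Steps 1-2: two tagged VLANs on the port that feeds the access point
/interface vlan
add name=vlan10-private vlan-id=10 interface=ether5
add name=vlan20-guest vlan-id=20 interface=ether5

# Step 3: one gateway address per VLAN, bound to the VLAN interface
/ip address
add address=192.168.10.1/24 interface=vlan10-private
add address=192.168.20.1/24 interface=vlan20-guest

# Step 4: one address pool per VLAN
/ip pool
add name=pool-private ranges=192.168.10.100-192.168.10.200
add name=pool-guest ranges=192.168.20.100-192.168.20.200

# Step 5: one DHCP server per VLAN interface (not per ethernet port)
/ip dhcp-server
add name=dhcp-private interface=vlan10-private address-pool=pool-private disabled=no
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# Step 6: the router forwards between its connected networks by default,
# so guest isolation has to be stated as firewall rules.
/ip firewall filter
# Guest clients may not open connections to the default LAN or the private VLAN
add chain=forward action=drop in-interface=vlan20-guest dst-address=192.168.88.0/24 comment="guest to default LAN"
add chain=forward action=drop in-interface=vlan20-guest dst-address=192.168.10.0/24 comment="guest to private VLAN"
# Guest clients may use DHCP and DNS on the router, nothing else (no WinBox, SSH, WebFig)
add chain=input action=accept in-interface=vlan20-guest protocol=udp dst-port=53,67 comment="guest DNS and DHCP"
add chain=input action=accept in-interface=vlan20-guest protocol=tcp dst-port=53 comment="guest DNS over TCP"
add chain=input action=drop in-interface=vlan20-guest comment="guest to router services"
```

Filter rules are evaluated top to bottom and `add` appends to the end of the chain, so check with `/ip firewall filter print` that no earlier accept rule already matches new connections from the guest VLAN. The drop rules rely on an accept rule for established and related connections sitting above them, so that replies to connections opened from the private side still get through.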