VLAN and network segregation. So many questions.

The scenario is a multi-apartment building where each apartment runs their own wifi AP, and should be self contained and unable to access any of the other apartments at a network level (if they want to share their wifi passwords, that’s on them). I have a gigabit fibre internet connection to invisibly share between them. There are cables from this router to each AP. DHCP is passed through the APs back to this router to manage.

My networks are:
5A 192.168.2.0 (vlan id:2) ether2
5B 192.168.3.0 (vlan id:3) ether3
5A 192.168.4.0 (vlan id:4) ether4
and the default 192.168.88.0 on ether5 and both wifi interfaces

ether1 is WAN.

All should be able to access WAN, none should be able to access the other networks.

The OpenWrt router that was managing this is progressively failing, and I have a hAP ax2 to replace it.

I’ve spent most of the day reading articles, trying configs etc and have got to the point now where I’m a bit stuck knowing where to proceed.

First, do I even need VLAN for this kind of isolation, or is it sufficient just to bridge ether2 to WAN, ether3 to WAN etc?

If I enable vlan_filtering on a bridge with an attached access port ether2 with pvid=2 on both bridge and port, I can successfully DHCP handshake from a client device, BUT.. torch doesn’t show a VLAN ID for that connection. Is that expected? (Or have I perhaps got my tagged/untagged around the wrong way?)

Is it the correct approach to add the relevant ether port, and the WAN to each bridge? Given that the mikrotik default is for everything to be able to access everything internally to the router, does that mean that my networks aren’t actually segregated at all? How do I fix that? Firewall looks like a fairly intimidating prospect to my novice eye!

I see that this may be possible to implement at the switch level as an alternative (maybe with hardware offload??), but I think we’d lose the DHCP service if we do that?

So yeah, I’m a bit lost with all the options without understanding any of the implications or implementations deeply enough to know which way to turn next.

Thanks in advance for any guidance you can offer.

You want to isolate the apartments; you have two reasonable options.

a. If you have enough ports, no bridge; assigning VLANs to ether ports is fine.
The rest is up to your firewall rules mostly.

This is probably the easiest approach without any need to invoke bridge vlan filtering.

@anav - what’s reasonable option B?

I have one etherport spare currently.

Bridge vlan filtering - http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

In both cases ensure you use a drop-all-else rule at the end of the forward chain.
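Added example, not posted by anyone in this thread and not MikroTik's reference config: a RouterOS 7 export-style script for option B (bridge VLAN filtering) on the three apartment ports, ending with the firewall rules that option a and option B share, including the drop-all-else rule at the end of the forward chain. All names (bridge-tenants, vlanN-tenant, the WAN and TENANT interface lists, the pool and DHCP server names) are assumptions. It also assumes ether2..ether4 have already been removed from the default bridge, that ether5 and the wifi interfaces stay on the default 192.168.88.0/24 network for management, and that ether1 already gets its address and upstream DNS from the ISP (DHCP client or PPPoE, not shown). For option a, skip the /interface bridge and /interface vlan sections and put the /ip address entries on ether2..ether4 directly; the lists, DHCP and firewall sections are unchanged.

```routeros
# Added example (assumed names, see lead-in). Apply from a session on ether5 or wifi,
# not from an apartment port, and ideally inside Safe Mode so a mistake does not lock you out.

/interface bridge
add name=bridge-tenants vlan-filtering=no comment="filtering is switched on as the last step"

# Option B: each apartment port is an access port (untagged on the wire) in its own VLAN
/interface bridge port
add bridge=bridge-tenants interface=ether2 pvid=2
add bridge=bridge-tenants interface=ether3 pvid=3
add bridge=bridge-tenants interface=ether4 pvid=4

# The bridge itself is a tagged member of every VLAN so the router CPU can terminate them
/interface bridge vlan
add bridge=bridge-tenants vlan-ids=2 tagged=bridge-tenants untagged=ether2
add bridge=bridge-tenants vlan-ids=3 tagged=bridge-tenants untagged=ether3
add bridge=bridge-tenants vlan-ids=4 tagged=bridge-tenants untagged=ether4

/interface vlan
add name=vlan2-tenant interface=bridge-tenants vlan-id=2
add name=vlan3-tenant interface=bridge-tenants vlan-id=3
add name=vlan4-tenant interface=bridge-tenants vlan-id=4

# Interface lists keep the firewall identical for every apartment, now and when a fourth is added
/interface list
add name=WAN
add name=TENANT
/interface list member
add list=WAN interface=ether1
add list=TENANT interface=vlan2-tenant
add list=TENANT interface=vlan3-tenant
add list=TENANT interface=vlan4-tenant

# Option a instead: put these three addresses on ether2, ether3, ether4 and skip the bridge/vlan parts
/ip address
add address=192.168.2.1/24 interface=vlan2-tenant
add address=192.168.3.1/24 interface=vlan3-tenant
add address=192.168.4.1/24 interface=vlan4-tenant

# DHCP stays on the router: one server per VLAN interface
/ip pool
add name=pool-vlan2 ranges=192.168.2.10-192.168.2.254
add name=pool-vlan3 ranges=192.168.3.10-192.168.3.254
add name=pool-vlan4 ranges=192.168.4.10-192.168.4.254
/ip dhcp-server
add name=dhcp-vlan2 interface=vlan2-tenant address-pool=pool-vlan2 disabled=no
add name=dhcp-vlan3 interface=vlan3-tenant address-pool=pool-vlan3 disabled=no
add name=dhcp-vlan4 interface=vlan4-tenant address-pool=pool-vlan4 disabled=no
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1
/ip dns set allow-remote-requests=yes

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
# input: apartments may only use DHCP, DNS and ping on the router itself.
# Management (winbox/ssh/www) is reachable only from the default network on ether5/wifi.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=TENANT protocol=udp dst-port=67 action=accept comment="DHCP"
add chain=input in-interface-list=TENANT protocol=udp dst-port=53 action=accept comment="DNS"
add chain=input in-interface-list=TENANT protocol=icmp action=accept
add chain=input in-interface-list=TENANT action=drop comment="no management from apartments"
add chain=input in-interface-list=WAN action=drop comment="no management from the internet"
# forward: apartment -> WAN is the only new traffic allowed. Apartment -> apartment and
# apartment -> 192.168.88.0/24 never match an accept rule and hit the final drop.
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=TENANT out-interface-list=WAN action=accept
add chain=forward action=drop comment="drop all else"

# Only now that ports, VLAN table, addresses and firewall exist, turn filtering on
/interface bridge set bridge-tenants vlan-filtering=yes
```

Two checks worth running from a laptop in one apartment: a ping to 8.8.8.8 should work, while a ping to another apartment's gateway (for example 192.168.3.1 from 192.168.2.x) and to 192.168.88.1 should time out, and `/ip firewall filter print stats` should show the final forward drop counter climbing while you try. On the tagging question: an access port carries untagged frames, so torch on ether2 will not show a VLAN ID; the 802.1Q tag only exists between the bridge and the vlan2-tenant interface inside the router, and `/interface bridge vlan print` is where you confirm the membership.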

https://forum.mikrotik.com/viewtopic.php?t=180838

and QoS … what contract/agreement/service do you promise/sell? You don’t want one apartment to blast away all the bandwidth all the time. Some policing and shaping for sure needs to be done.