VLAN Isolated Guest Network with Internet Only Access

Hi everybody,

I am trying to set up a VLAN isolated guest network with internet only access. The red home network in the diagram is already created but I am completely new to VLAN.
Could anyone point me in the right direction or have a tutorial with a similar setup I can follow?

Thanks in advance,

Cheers Reiner

Have a look at this nice VLAN tutorial. It will give you an overall idea about VLAN setup in RouterOS.

It’s a bit unfortunate that you have a CRS125 used as the main router. The problem with a configuration done according to the linked tutorial is that all the traffic is handled by the device’s main CPU (on the vast majority of Mikrotiks) and the CRS125’s CPU is not fast enough to do stuff at wire speed. Which means that after you get acquainted with VLANs, you will want to reconfigure it according to this manual. Or you can directly start off configuring things this way; I recommend reading the tutorial first anyway as it explains some basics (in case you don’t know them already).

Keep in mind that the router by default will pass traffic in any direction (including between guest and home LAN) and you have to block it using firewall rules (either stateful in the firewall filter section or simply in the firewall raw section).

If at any point you need advice, come back and post current configuration (output of /export hide-sensitive, pasted into [code] [/code] environment).

Thanks for the information, will first read all that stuff…

I just want to VLAN the guest network (internet access only) in the first step, my old CRS125 should handle that.
Maybe later when things are growing I will replace the CRS with another device…

The problem which occurs with introduction of VLANs is that also “normal” (non-tagged) traffic starts to be handled by CPU … if you don’t configure CRS carefully. It’s not that you can easily add VLANs while the rest of config just works as it did before. And the cleanest approach IMHO is to go “all-VLAN” … even though all (but APs) LAN devices will be untagged. This approach makes CRS configuration a tad more straight-forward, otherwise it’s easier to screw things up (and that mostly means resetting device to factory defaults and re-doing config again).

I already read a bit about the vlan stuff in the links you posted…

So I cannot simply add a VLAN interface with VLAN tag 20 for example on the virtual guest wlan interface
and set the guest wlan interface with VLAN Mode: use tag / VLAN ID: 20.

For the following I am not sure what would be the right way: add the VLAN 20 to the physical port on the AP
which is connected to the CRS, or add the VLAN 20 on the bridge that is connected to the port (same on the CRS of course).

Anyway, you said it is not possible to configure the port to handle the home network traffic as it is without getting handled
by the CPU and just tag the guest wlan stuff with a VLAN tag to isolate it.

One more thing, if I replace the CRS125 by a CRS328-24P-4S+RM to handle the VLAN and routing stuff, would it last for wire speed or
would I have to set the CRS328 as a switch and let a bigger router handle the routing?

Currently none of the CRS (regardless of the series) can do routing anywhere near wire speed. With ROS v7 (ETA unknown) some CRS3xx will be able to offload some of the routing to hardware and with that those devices will be able to do wire speed routing. You can read more about the feature in this wiki page. CRS328 is not currently on the list of devices with L3HW offload capability.

The problem with simply adding VLANs to your current CRS125 config would be that it might actually work (tagged traffic would get delivered to the router’s CPU), but traffic would not be separated from non-tagged ports at all. Which would allow VLAN traffic to bleed to non-VLAN ports, a potentially malicious user could make itself a member of that VLAN, etc. Still you could try to do it, perhaps this way it would work:

  • keep AP-connecting ports members of same bridge
  • create VLAN interface and anchor it to bridge
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
  • configure IP address on interface vlan20 (/ip address add interface=vlan20 address=192.168.25.1)
  • configure the rest of needed services on interface vlan20 (DHCP server with appropriate pool, network settings, …)
  • configure firewall restricting allowed connections in chain=input with in-interface=vlan20 to bare minimum (perhaps DNS if router is forwarding clients’ requests) and restricting connections initiated from that interface and targeting anything but WAN interface: add chain=forward action=drop in-interface=vlan20 out-interface-list=!WAN … needs to be pushed pretty high on rule list, possibly right after the accept established,related rule

You definitely have to adapt the firewall rules to match the rest of firewall setup … I’m assuming your firewall filter rules are pretty much default (recent ROS version) when constructing the examples.

The setup above doesn’t block communication between devices in the Guest LAN. If you don’t want to allow that, you have to set forwarding=no on the Guest-wifi interface on both APs and you have to use a separate VLAN for each AP guest VLAN. If you use the same VLAN, then clients from one AP will be able to communicate with clients on the other AP. You could possibly block that communication with some clever switch chip configuration, but if the switch chip is not configured for VLANs, then the settings will apply both to tagged and untagged traffic (not sure if you want that or not).

I still think it would be better to convert CRS125 config to proper VLAN-aware one …
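The bullet list in the previous post, written out as a complete RouterOS CLI script. This is an added example, not config from the thread; it assumes the LAN bridge is named "bridge", the default "WAN" interface list exists, the router answers guest DNS queries, and the guest subnet is 192.168.25.0/24 (the post gives only the gateway address).

```routeros
# Added example: guest VLAN 20 on the CRS125 following the steps above.
# Assumed names: bridge "bridge", interface list "WAN", subnet 192.168.25.0/24.
# AP-facing ports stay members of "bridge"; the VLAN interface hangs off the bridge.
/interface vlan
add interface=bridge name=vlan20 vlan-id=20

/ip address
add address=192.168.25.1/24 interface=vlan20

# DHCP for guest clients: pool, network settings, server bound to vlan20
/ip pool
add name=guest-pool ranges=192.168.25.10-192.168.25.250
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1 dns-server=192.168.25.1
/ip dhcp-server
add name=guest-dhcp interface=vlan20 address-pool=guest-pool disabled=no

/ip firewall filter
# input chain: guests may reach the router only for DHCP and DNS; drop everything else
add chain=input action=accept in-interface=vlan20 protocol=udp dst-port=67 \
    comment="guest: DHCP to router"
add chain=input action=accept in-interface=vlan20 protocol=udp dst-port=53 \
    comment="guest: DNS to router"
add chain=input action=accept in-interface=vlan20 protocol=tcp dst-port=53 \
    comment="guest: DNS to router"
add chain=input action=drop in-interface=vlan20 \
    comment="guest: drop all other access to router"
# forward chain: guests may only initiate connections towards WAN; anything
# heading for the home LAN (or another guest) is dropped
add chain=forward action=drop in-interface=vlan20 out-interface-list=!WAN \
    comment="guest: drop non-WAN destinations"
```

Since `add` appends at the end of each chain, move the vlan20 rules up (place-before= on the add, or drag them in WinBox) so the input accepts sit before the default "drop all not coming from LAN" rule and the forward drop sits right after the "accept established,related,untracked" rule, as the post says.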