Hi, I just got a hEX router and am trying to set up a VLAN with it.
My current network setup looks something like this:
ISP fiber box → hEX → unmanaged 8-port switch (basically a port expander?) → NAS, PC, gaming console, wifi, IoT stuff, etc.
I want to assign each physical ethernet port (so 4 VLANs?) separate LAN addresses for use with: IoT (no access to WAN) /// guest wifi, gaming console (no access to LAN) /// family wifi, NAS, PC (no restriction) /// experimental server Linux stuff.
All the diagrams showed a VLAN-aware switch in between, which had untagged inputs and a tagged output to the router.
For my setup, with only the hEX being VLAN-aware, do I tag the ports coming in from devices (unmanaged switch) or untag them? And what about the WAN port (ether1)?
If the rest of LAN gear doesn’t support VLANs, then quite probably introducing VLANs on hEX won’t do any good.
If you want to separate devices into several LAN subnets, you can’t have different subnets behind the same unmanaged switch, because that device alone will allow end devices to communicate directly and the router can’t prevent it.
Please explain your plans in plain English so we can advise you how to proceed towards your goal.
Good advice all around.
VLANS
1. trunk port can carry multiple vlans, heading towards another smart device that can read vlan tags
2. access port can carry only one vlan and it’s untagged, heading towards a dumb device that cannot read vlan tags
3. hybrid port, can carry only one untagged vlan but as many tagged vlans as needed, heading to a smart device as in 1, or a device that requires hybrid incoming.
Thus in your case you will have all your ports untagged and each port will only be able to carry one untagged vlan.
Therefore you could also configure the router by assigning subnets directly to each ether port, for example.
Vlans are useful in terms of configuring firewall rules, and because, generally speaking, managed switches are cheap, most people gravitate to getting them to solve the issues you are trying to solve…
@anav, didn’t you mean
3. hybrid port, can carry one untagged vlan but as many tagged vlans as needed, heading to a smart device as in 1, or a device that requires hybrid incoming.
Sorry for the late response, had major outages here and there…
Sorry, language is not my strong suit…
What I want to achieve is each non-WAN port on the hEX having a separate LAN address space, and I have several of these ‘dumb’ switches that I could connect to each of the non-WAN ports to get more ports for each of the new LAN spaces. Of course I will not try to interconnect the dumb switches to each other…
If there are no major downsides to using only one untagged vlan on each non-WAN port I would not mind. What I was wondering was if it even was possible to separate the LANs without additional VLAN-aware equipment.
I am guessing the ‘Router-Switch-AP (all in one)’ scenario is the closest to my situation from your link-recursion to the vlan explanation post?
I did skim over that post before but was confused on whether the ‘dumb’ switches would cause any trouble in the link.
If this is so, then use router’s ports as completely independent interfaces (no VLANs needed whatsoever):
Decide which ethernet port will carry the LAN that will be used for management. For the sake of this exercise let’s say it will be ether2.
Connect to the router via any of the LAN ports except for the future management port; let’s say you’ll use ether3 this time.
Remove ether2 from the bridge. Configure an IP address (a different subnet from what you currently have), add a DHCP server (complete with pool etc.).
Configure firewall filter rules. If your current firewall is still largely based on the default, then add the ether2 interface to interface list LAN.
Connect to the router via ether2. Enter safe mode (google it if you don’t know how to enter it).
Remove all remaining ether ports from the bridge. Remove the IP address from the bridge, remove any other IP setup (DHCP server, …) which binds to the bridge. Remove the bridge from interface list LAN.
Finally remove the bridge.
If the management connection didn’t break (meaning you didn’t do anything excessively wrong), exit safe mode.
Now you have etherX ports which can be configured as separate interfaces, each with different VLAN subnet.
Note that the default firewall filter isn’t exactly made for multiple LAN subnets, so you’ll have to do something about it. E.g. by default, the firewall lets all LAN subnets communicate with each other. If that’s not what you want, you’ll have to add firewall filter rules (or firewall raw rules, but I suggest filter rules if you don’t know exactly what you’re doing) which will selectively block some of those communications. Etc. Also note that interface list LAN is slightly special in the default firewall setup as it allows (unlimited) connectivity to the router itself. You probably don’t want to allow that from all of the subnets, so don’t blindly add all subnets to the LAN interface list.
Using the “physical subnets” approach, as outlined above, has its merits (more straightforward physical infrastructure), but also lacks flexibility - leading to a need for more physical infrastructure, e.g. multiple parallel cables towards “remote” switches, more switches (one per LAN), and also more physical work when one wants to move a device from one LAN to another. In today’s world, using VLANs in such scenarios is more common.
The special consideration of the LAN interface list is only due to the (default) firewall settings and tools mac-server. Otherwise the LAN interface list is no magic. Well, perhaps “detect internet” does something with it; that one is magic to everybody, it’s just not clear if it’s good magic or black magic (many lean towards the latter).
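An added example (not a config posted by mkx or anyone else in this thread) of what the “independent interfaces” procedure plus the per-subnet firewall rules described above could look like as RouterOS commands, for the four LANs the OP asked for: IoT with no internet, guest/console with internet but no access to other LANs, family unrestricted, and the lab port with internet only (the OP stated no policy for the lab port, so internet-only is an assumption). The port-to-role mapping, subnets, pool ranges and interface list names are all assumptions; ether1 is WAN. It assumes a start with no default configuration, connected on the port that ends up in the LAN list, inside safe mode.

```routeros
# Added example, not a config posted in this thread. Assumptions: ether1 = WAN,
# ether2 = IoT, ether3 = guest/console, ether4 = family (also management),
# ether5 = lab; subnets 192.168.20.0/24 .. 192.168.50.0/24. Start from
# "reset-configuration no-defaults=yes", connect on ether4, enter safe mode, paste.

# One interface list per role. LAN keeps its default-firewall meaning
# (management access to the router), so only the family port goes in it.
/interface list
add name=WAN
add name=LAN
add name=IOT
add name=GUEST
add name=FAMILY
add name=LAB
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=IOT
add interface=ether3 list=GUEST
add interface=ether4 list=FAMILY
add interface=ether4 list=LAN
add interface=ether5 list=LAB

# Each physical port is its own L3 interface: no bridge, no VLAN tagging.
/ip address
add address=192.168.20.1/24 interface=ether2
add address=192.168.30.1/24 interface=ether3
add address=192.168.40.1/24 interface=ether4
add address=192.168.50.1/24 interface=ether5
/ip pool
add name=pool_iot ranges=192.168.20.10-192.168.20.254
add name=pool_guest ranges=192.168.30.10-192.168.30.254
add name=pool_family ranges=192.168.40.10-192.168.40.254
add name=pool_lab ranges=192.168.50.10-192.168.50.254
/ip dhcp-server
add name=dhcp_iot interface=ether2 address-pool=pool_iot disabled=no
add name=dhcp_guest interface=ether3 address-pool=pool_guest disabled=no
add name=dhcp_family interface=ether4 address-pool=pool_family disabled=no
add name=dhcp_lab interface=ether5 address-pool=pool_lab disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1
/ip dhcp-client
add interface=ether1 disabled=no
/ip dns
set allow-remote-requests=yes

# Input chain (traffic to the router itself): every LAN may use the router
# for DNS, but winbox/ssh/www only from the LAN list, i.e. the family port.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=!WAN comment="DNS from any LAN"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=!WAN comment="DNS from any LAN"
add chain=input action=accept in-interface-list=LAN comment="management only from LAN list"
add chain=input action=drop comment="drop everything else to the router"

# Forward chain: default-config plumbing first, then an explicit per-LAN policy.
# Only new connections reach the policy rules; replies are already accepted,
# so family -> IoT works while IoT cannot open connections to family.
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-nat-state=!dstnat connection-state=new in-interface-list=WAN comment="drop from WAN not DSTNATed"
add chain=forward action=accept in-interface-list=FAMILY comment="family: no restriction"
add chain=forward action=accept in-interface-list=GUEST out-interface-list=WAN comment="guest/console: internet only"
add chain=forward action=accept in-interface-list=LAB out-interface-list=WAN comment="lab: internet only"
add chain=forward action=drop comment="default deny: IoT outbound and all other LAN-to-LAN"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade"

# MAC-level access (winbox by MAC address, neighbor discovery) bypasses the IP
# firewall, so it is restricted to the management list as well.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
```

The forward chain ends in an unconditional drop, so a LAN that has no accept rule (IoT here) gets nothing, and adding a fifth LAN later means adding an accept rule rather than remembering to add a block. Check the result from each port before leaving safe mode: a guest client should reach the internet and resolve names but not ping 192.168.40.1 services other than DNS, and an IoT client should get a DHCP lease and DNS answers but no internet.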
What I want to achieve is each non-WAN port on hEX having a separate LAN address space, and I have several of these ‘dumb’ switches that I could connect to each of the non-WAN ports to get more ports for each of the new LAN spaces
For the scenario that skelder talks about, where each physical port will have its own subnet, the suggestion by mkx is the most straightforward.
It could also be done with a vlan-filtering bridge device where each bridge port was configured as an access port. This would be identical in functionality, the only difference being the naming of the interfaces.
The only time a vlan-aware switch would be needed is if you wanted to have access to two different subnets from the far end of a trunk link.
But connecting dumb switches to access ports is never a problem. And most dumb switches made in the last 15 years are vlan-transparent. They just don’t care what is in the ethertype field after the src mac address. So if you plug a dumb switch into a trunk port, you will get an identical trunk port coming out of the other switch ports on the dumb switch. Not a recommendation, just an observation.
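An added example (not a config posted by anav or anyone else in this thread) of the alternative anav mentions: the same four per-port LANs done as access ports on one VLAN-filtering bridge, so that functionally nothing changes and only the interface names differ. VLAN IDs, names and subnets are assumptions; addressing, DHCP servers and interface list members are configured exactly as in a physical-port setup, just bound to the vlan interfaces instead of etherN, so only the addresses are repeated here.

```routeros
# Added example, not a config posted in this thread. Assumed: ether2..ether5
# carry VLANs 20, 30, 40, 50 untagged (access ports); VLAN IDs are arbitrary.
# Apply inside safe mode. vlan-filtering=yes is switched on LAST: while it is
# off the bridge is a plain switch and pvid is ignored, so all four "LANs"
# are one broadcast domain until the final command.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# frame-types/ingress-filtering make each port strictly untagged-only, so a
# device that sends tagged frames cannot enter another VLAN through its port.
add bridge=bridge1 interface=ether2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# The bridge itself is the tagged member of every VLAN so the router can own an
# IP address in each; every ether port is untagged in exactly one VLAN.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=30
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=40
add bridge=bridge1 tagged=bridge1 untagged=ether5 vlan-ids=50
# L3 interfaces: use these names wherever a physical-port setup says etherN.
/interface vlan
add name=vlan20_iot interface=bridge1 vlan-id=20
add name=vlan30_guest interface=bridge1 vlan-id=30
add name=vlan40_family interface=bridge1 vlan-id=40
add name=vlan50_lab interface=bridge1 vlan-id=50
/ip address
add address=192.168.20.1/24 interface=vlan20_iot
add address=192.168.30.1/24 interface=vlan30_guest
add address=192.168.40.1/24 interface=vlan40_family
add address=192.168.50.1/24 interface=vlan50_lab
# Only now separate the ports into their VLANs.
/interface bridge
set bridge1 vlan-filtering=yes
```

The advantage over independent physical interfaces appears later: moving a device from one LAN to another is a change of one port’s pvid, and a real trunk (a port carrying several of these VLANs tagged towards a managed switch) is one more bridge port with the VLANs listed under tagged=, with no rewiring of the router. A dumb switch hung off any of these access ports is, as anav says, no problem at all.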
Use at own risk
I’m a novice at this stuff, so
I do not know if the firewall rules are right, they are just the default*,
I do not know if the LANs are isolated.
Someone else may know better.
Four subnets
Gives 4 networks, networks 20, 30, 40 and 50, one on each LAN port, DHCP with 253 addresses for each network.
This is tested and works with dumb switch.
Reset with no default config and paste into terminal
/interface bridge
add name=bridge
add name=bridge20_network
add name=bridge30_network
add name=bridge40_network
add name=bridge50_network
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool4 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool5 ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge20_network name=dhcp20_network
add address-pool=dhcp_pool3 disabled=no interface=bridge30_network name=dhcp30_network
add address-pool=dhcp_pool4 disabled=no interface=bridge40_network name=dhcp40_network
add address-pool=dhcp_pool5 disabled=no interface=bridge50_network name=dhcp50_network
/interface bridge port
add bridge=bridge20_network interface=ether2
add bridge=bridge30_network interface=ether3
add bridge=bridge40_network interface=ether4
add bridge=bridge50_network interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.20.1/24 interface=bridge20_network network=192.168.20.0
add address=192.168.30.1/24 interface=bridge30_network network=192.168.30.0
add address=192.168.40.1/24 interface=bridge40_network network=192.168.40.0
add address=192.168.50.1/24 interface=bridge50_network network=192.168.50.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Pacific/Auckland
Use at own risk
I’m a novice at this stuff, so
I do not know if the firewall rules are right, they are just the default*,
I do not know if the LANs are isolated.
Someone else may know better.
Four subnets
Gives 4 networks, networks default, 30, 40 and 50, one on each LAN port, DHCP with 253 addresses for each network.
This is tested and works with a dumb switch.
Connect to the router using ether2.
Reset with default config.
Log in and remove ethers 3, 4 and 5 from Bridge > Ports.
The router is only accessible by connecting through ether2
after the below is pasted into the terminal.
/interface bridge
add name=bridge30_network
add name=bridge40_network
add name=bridge50_network
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool4 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool5 ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=bridge30_network name=dhcp30_network
add address-pool=dhcp_pool4 disabled=no interface=bridge40_network name=dhcp40_network
add address-pool=dhcp_pool5 disabled=no interface=bridge50_network name=dhcp50_network
/interface bridge port
add bridge=bridge30_network interface=ether3
add bridge=bridge40_network interface=ether4
add bridge=bridge50_network interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.30.1/24 interface=bridge30_network network=192.168.30.0
add address=192.168.40.1/24 interface=bridge40_network network=192.168.40.0
add address=192.168.50.1/24 interface=bridge50_network network=192.168.50.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Pacific/Auckland