No, there are no shortcuts. Adding VLANs is the same as building a completely new physical network (including laying cables and adding switches). Even worse, you have to break things “to make space” for the new setup.
When doing that, it’s hard to keep things working without disruptions. I’m not saying it’s impossible, but it’s very hard and one has to know both the current and the new layout to the tiniest details. So I wouldn’t expect anybody on this forum to provide extensive help free of charge.
Understood! How about another tack: I may have jumped to conclusions re: VLANs. Perhaps it’s possible to just add a new virtual/slave AP for the Internet Of Shit critters and fence that off from the main subnet with a few firewall rules?
Like you, I have something of an aversion to videos, but 2 of the most important issues I have confronted with Mikrotik have been resolved by videos. I think that what you are looking for, for your IoT stuff, is effectively equivalent to a wireless guest network. This was solved for me with this video from Cat5tv: https://www.youtube.com/watch?v=gcwbhncwPug which I condensed into notes as I was watching. So here are my notes, which don’t explain the things I don’t need explained:
[Wireless → Security Profile] Add new Guest security profile and set password.
[Wireless → WiFi interfaces] Add new virtual wifi interface, set SSID and security profile.
[Bridge → Add Bridge] Add a new bridge.
[Bridge → Ports] Assign ports to new bridge. Associate virtual wifi interface with new bridge, both created above.
[IP → Addresses] Set up Guest IP address block assigned to new bridge.
This sets up a named block of IP addresses in IP →Pool, which can be appropriately renamed.
[IP → DHCP Server] Rename defconf server and disable or remove if necessary. Add new DHCP server
Everything up to this stage should be sufficient to get an IP address.
[IP → Firewall] Add {Forward → Drop} rule to prevent Guest Network accessing Local Network. Set this ahead of all {Forward} rules.
Obviously if my notes are not good enough, then you’ll have to watch the video, but it is definitely one of the better videos out there. In terms of VLANs, it does not set out to do that; it sets up a virtual wireless interface which can have its own IP range etc. You can more or less set this up with the system running for the most part and then move your IoT stuff onto the new wireless when you are ready.
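The same steps as the notes above, written out as RouterOS CLI commands so they can be pasted into a terminal or a script rather than clicked through in WinBox. This is an added example, not the video's or the poster's own configuration; the interface and address names are assumptions (master radio wlan1, main LAN on 192.168.88.0/24, guest/IoT subnet 192.168.50.0/24, bridge named bridge-guest) and need to match the router they are applied to.

```routeros
# Added example: CLI equivalent of the WinBox notes above.
# Assumptions (not from the post): master AP is wlan1, the main LAN lives
# on 192.168.88.0/24, the guest/IoT network gets 192.168.50.0/24.

# [Wireless -> Security Profile] own WPA2-PSK profile for the IoT SSID
/interface wireless security-profiles
add name=guest-profile mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="ChangeMe-IoT-Passphrase"

# [Wireless -> WiFi interfaces] virtual AP on the same radio.
# default-forwarding=no stops guest clients talking to each other over the AP,
# wps-mode=disabled removes one more attack surface on the IoT SSID.
/interface wireless
add name=wlan-guest master-interface=wlan1 ssid=IoT-Guest \
    security-profile=guest-profile default-forwarding=no \
    wps-mode=disabled disabled=no

# [Bridge -> Add Bridge] / [Bridge -> Ports] a separate bridge, so guest
# frames are never switched onto the LAN bridge at layer 2
/interface bridge
add name=bridge-guest
/interface bridge port
add bridge=bridge-guest interface=wlan-guest

# [IP -> Addresses] gateway address on the guest bridge
/ip address
add address=192.168.50.1/24 interface=bridge-guest

# [IP -> Pool] / [IP -> DHCP Server] lease range and server bound to the bridge
/ip pool
add name=pool-guest ranges=192.168.50.10-192.168.50.250
/ip dhcp-server
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1

# [IP -> Firewall] {Forward -> Drop} guest -> LAN, placed ahead of every
# existing forward rule so the default "accept established" rules cannot
# let LAN-initiated replies pull guest traffic through first.
/ip firewall filter
add chain=forward in-interface=bridge-guest dst-address=192.168.88.0/24 \
    action=drop comment="guest: no access to main LAN" \
    place-before=[:pick [find chain=forward] 0]
```

The drop rule only names the one LAN subnet; if the router carries more internal networks, add each of them (or an address list of them) to the same rule, otherwise the guest bridge can still route to those. Internet access for the guest subnet relies on the router's existing masquerade rule matching any source, which is how the default RouterOS configuration is written; check `/ip firewall nat print` before assuming it.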
At least one niggle remains: IoT devices can still connect to the router itself. EDIT: actually not quite, it’s still possible to lock things down somewhat. On the “input” bridge filtering chain, accept from the guest interface(s):
ARP
DHCP (UDP 67)
DNS (UDP 53), if your router advertises itself via DHCP as the DNS server
TCP 443, for whatever reason (otherwise clients will decide they are not connected to the Internet)
Drop everything else.
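The accept list above as bridge filter rules, so that the "accept ARP, DHCP, DNS, TCP 443, drop the rest" policy can be pasted in as one unit. This is an added example, not the poster's own rules; it assumes the guest bridge is named bridge-guest and that the router is the DHCP and DNS server for it (the names are assumptions, not from the thread).

```routeros
# Added example: bridge filter "input" chain for the guest/IoT bridge.
# Assumptions (not from the post): guest bridge is "bridge-guest" and the
# router itself serves DHCP and DNS to it. Rules are evaluated top to bottom.
/interface bridge filter

# ARP has to pass or clients can never resolve the gateway's MAC address
add chain=input in-bridge=bridge-guest mac-protocol=arp action=accept \
    comment="guest->router: ARP"

# DHCP: client requests arrive on UDP 67
add chain=input in-bridge=bridge-guest mac-protocol=ip ip-protocol=udp \
    dst-port=67 action=accept comment="guest->router: DHCP"

# DNS, only needed because the DHCP network hands out the router as resolver
add chain=input in-bridge=bridge-guest mac-protocol=ip ip-protocol=udp \
    dst-port=53 action=accept comment="guest->router: DNS"

# TCP 443 to the router, per the note above about connectivity checks
add chain=input in-bridge=bridge-guest mac-protocol=ip ip-protocol=tcp \
    dst-port=443 action=accept comment="guest->router: TCP 443"

# Everything else aimed at the router from the guest bridge is dropped:
# WinBox (8291), SSH, API, Telnet, ICMP, and so on, all stay unreachable
add chain=input in-bridge=bridge-guest action=drop \
    comment="guest->router: drop everything else"
```

Two checks worth doing after applying this: `/interface bridge filter print stats` shows the per-rule packet counters, so a DHCP lease that never arrives points at the wrong bridge name rather than a client problem; and the trailing drop also discards ICMPv6, so if the guest bridge ever carries IPv6 the neighbour discovery and router advertisement traffic needs its own accept rules above it.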