VLANs and MGMT VLAN

broderick · February 20, 2022, 10:34am

Hi,
I have been studying VLANs on Mikrotik, and trying to figure out what would be the best way to go for it according to my needs, even though it is going to be for learning purpose basically at the beginning at least.
As suggested I took a look at this article:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
the “Router-Switch-AP (all in one)” part in particular, since I got a Hap Ac2 mikrotik device.

(For the record, I’m going to set my Hap ac2 up the same way as in the “Router-Switch-AP (all in one)” more or less. When I buy a second Mikrotik device, I’ll set a trunk port on the HAp ac2 and plug the new Mk on it to extend my network. Of course on the second one will be set the same VLANs.)

I read this article too:
https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching

As you can see, it also talked about such a vlan99, the management port which is not mentioned in the former post I linked above.
So, I was wondering if and/or when we real need it. Your thought, please. Thanks

nettnuts · February 20, 2022, 12:18pm

The purpose of dividing a network into VLANs is, among other things, to control the access rights of certain devices and their users via the firewall.
This also includes access to the network devices themselves, which should be set as restrictively as possible.

broderick · February 20, 2022, 12:36pm

So, would that be the purpose of having a Vlan 99? To set more restrictive rules to access the Mikrotik device itself? Thanks

nettnuts · February 20, 2022, 12:55pm

So, would that be the purpose of having a Vlan 99? To set more restrictive rules to access the Mikrotik device itself?

I think yes, because access to the network devices and their configuration should definitely be limited to the administrator.

404Network · February 20, 2022, 3:13pm

Yes, think of a vlan99 as the trusted subnet.

(1) In a business, that VLAN should only be accessible to the Admins. All attached smart devices should get their IPs from this vlan.

(2) In a home, the home LAN could be the trusted subnet, or it could be a subnet that the admin is on all the time (convenience). If you wanted to get really sticky with best practices, still have a vlan 99 and a managed switch at your desk and every time you want to config the router or any smart device on the network plug your ethernet cable into a different switch port to access vlan99.

The trusted subnet should be an interface list entry with appropriate interface list member(s).
Its should the only interface that can have one interface member (as interface list power is being able to combine interfaces for rules etc.).

The IP TOOLS MAC WINMAC server should also be set to this interface.
The IP neighbours discovery should be also set to this interface.

As for Vlan, correct there is no need for VLANS if the number of subnets does not exceed the number of ports, if it does, then vlans make sense. As you have noted, the other common case is if you need to send multiple subnets down a port, typically to another smart device that can read vlan tags.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

If your concerned about proper vlan config and security then carry this through to the input chain rules which is access to the router. Most default configs have some variation of
add chain=input action=accept in-interface-list=LAN

This does allow all users access to commonly required services such as DNS, or even NTP, however it also allows all users (including guests) to possibly access the router.
Better is:
add chain=input action=accept in-interface-list=Manage (or BASE etc…)
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp
add chain=input action=drop comment=“drop all else”

Even better is:
add chain=input action=accept in-interface-list=Manage src-address-list=authorized { narrow it further by IP addresses }
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp
add action=reject chain=input in-interface-list=LAN reject-with=icmp-admin-prohibited {useful for tracking/troubleshooting LAN issues}
add action=drop chain=input comment=“drop all else”

broderick · February 20, 2022, 3:59pm

thanks @404Network. Something to work on.

As I said in one of my previous threads, I actually don’t need VLANs in my home LAN network. Just two subnets (a main and a guest one) would probably get the job done, and I would be happy with that eventually.
If I set up any VLANs it would be for learning purpose only now.
I’ll probably go for using two subnets (I’ll separate an ethernet port from the bridge and set an Ip adress..and all that jazz on it) at the beginning, then see how it works out and if it feets my needs.
The guest network is going to be allowed to access internet only, and my smart tv, which is on the same guest subnet because plugged to the same ‘Not VLAN-capable’ switch/AP as the guests, to access my plex server only. So, I think I’ll need a few firewall rules as well.
Thanks

404Network · February 20, 2022, 4:17pm

I use vlans to separate many things.
Two, work from home networks, IOT devices, media, cameras, hvac device, guests, and a few more.