I am attempting to configure a home IoT network using the hEX PoE (RB960PGS) in a router-on-a-stick / inter-VLAN topology, and I am confused as to whether or not I still have to configure the VLANs in a bridge on the router. I have configured the VLANs on the individual MikroTik switches (RB260GS) for each subnet and only need the router to route the traffic to the internet while keeping all VLANs isolated from each other at layer 3. I would like to use a management VLAN so that I can manage the network. I am attaching the drawing and would appreciate anyone’s input/advice on the best way to go about this. Thanks in advance for your kind reply.
Router-on-a-stick means that the router uses only a single physical connection for all network connections (both WAN and VLAN). The hEX in your chart, being the centre of a star-like topology, is not router-on-a-stick. If there was a device where you plotted the brick wall (firewall) which would route between VLANs … that would be sort of a router-on-a-stick.
If you actually intend to use the router with one LAN subnet per physical port … then no, you don’t have to use a bridge, nor do you need VLANs unless you intend to run VLANs throughout your physical network for some other reason.
Thank you for the reply. To clarify my diagram a bit: the firewall pictured is the MikroTik hEX PoE router, and I created a trunk port on port 5 of the router to expand the ports of the router. Port 5 is then connected to a MikroTik RB260GS switch, and to that I connected the individual RB260GS switches for the four individual subnets. You stated that I could use each port of the router for the different subnets, but if I did that, would each port be isolated from the others by default, or would firewall rules be needed to keep them from communicating with each other? Also, to manage the router as well as the individual switches, would a VLAN need to be created to access the devices?
MikroTik devices (apart from the switch-only CSS family) have two personalities:
router
Will forward traffic between any interfaces with an IP (or IPv6) address unless blocked by routing rules. Interfaces can be of any type (physical, VLAN, point-to-point, …); the only prerequisite for routing is that an IP address is set.
firewall
Will block traffic between interfaces according to rules.
So, either way (VLANs or one interface per subnet) you’ll have to construct some rules which will block unwanted traffic between different subnets. While routing rules are pretty effective, firewall filter rules are much more flexible and it’s firewall rules which are used to (selectively) block traffic between subnets.
The idea behind assigning individual port to individual LAN is not to bridge ports used in this manner. If ports on ROS devices are not bridged, then they’re L2 isolated and can (and must) be individually configured with L3 setup (IP and/or IPv6 address, …).
The last question is more about LAN infrastructure security … if you kind of distrust users of your network, then surely you have to secure LAN devices … and indeed the easiest way is to dedicate a VLAN for management functions.
And that VLAN has to extend to all LAN devices, which in turn means that the best approach is to pass all traffic tagged between LAN infrastructure devices and only create access ports on the LAN perimeter. In your case that would mean using trunk ports between all RB260GS switches and to the RB960PGS router … and creating access ports (ports which untag traffic on egress and tag on ingress) on ports connecting users’ devices. If you go for the all-tagged approach, you might as well use the hEX PoE’s other ports for LAN (either trunk or access, whatever you see fit) … it’s got a decent switch chip built in, so why not use the real estate you already have.
Thank you for your previous response. Based upon your explanation I configured the MikroTik hEX PoE as follows:
Port 1 WAN
Port 2 Main LAN
Port 3 LAN 2
Port 4 LAN 3
Port 5 VLAN TRUNK (2 other subnets to MikroTik RB260 switches)
I did not use a bridge as it was not needed, but I do need to isolate all the LAN ports from each other, and after trying several rule combinations to isolate the ports from each other I was still able to ping from one subnet to the other. I read through a lot of posts on previous forums; however, none of them is clear on a specific rule set to use in order to accomplish port isolation. Here are some of the rules I’ve tried:
/ip firewall address-list
add address=192.168.1.0/24 comment="SUBNETS Main LAN" list=Subnets
add address=192.168.2.0/24 comment="SUBNETS LAN 2" list=Subnets
add address=192.168.3.0/24 comment="SUBNETS LAN 3" list=Subnets
add address=192.168.4.0/24 comment="SUBNETS Access Point vlan10" list=Subnets
add address=192.168.5.0/24 comment="SUBNETS IoT Access Point vlan20" list=Subnets
I created an address list to avoid creating a lot of rules unnecessarily, but it resulted in the pings sometimes being successful and other times not between the subnets. I just found this set of example rules but I have not tried it as yet:
/ip firewall filter
add action=drop chain=forward comment="Block all traffic on .201 from accessing .204" in-interface=E3-p5_201 out-interface=E4-p7_204
add action=drop chain=forward comment="Block all traffic on .204 from accessing .201" in-interface=E4-p7_204 out-interface=E3-p5_201
What I noticed was that these rules are utilizing the "in-interface" and "out-interface" matchers. Can you please assist me in figuring out what firewall rule set would properly accomplish blocking the communication between subnets, as well as stopping pings between the subnets?
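One forward-chain rule set that isolates the five subnets on a hEX PoE laid out as in the post above, as an added example that is not from any poster in this thread. It assumes the interface names ether1 (WAN), ether2 to ether4 (the three LAN ports) and vlan10/vlan20 (the two VLAN interfaces on the ether5 trunk), and that 192.168.1.0/24 (Main LAN) is the management subnet; the Subnets address list is the one already posted.

```routeros
# Added example, not from the thread. Assumed names: ether1 = WAN, ether2-ether4 = LAN ports,
# vlan10/vlan20 = VLAN interfaces on the ether5 trunk, 192.168.1.0/24 = management subnet.

# 1. Put every inside interface, untagged ports and VLAN interfaces alike, in one interface list.
#    Matching on the list catches any subnet added later without touching the filter rules.
/interface list
add name=LAN comment="all inside interfaces, physical and VLAN"
/interface list member
add list=LAN interface=ether2
add list=LAN interface=ether3
add list=LAN interface=ether4
add list=LAN interface=vlan10
add list=LAN interface=vlan20

# 2. Forward chain, which handles traffic *through* the router. Rules are evaluated top to
#    bottom and the first terminal match wins, so these must sit above any fasttrack or
#    accept rule that the default configuration created in the forward chain.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for flows accepted further down (e.g. management to a switch)"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=ether2 out-interface-list=LAN \
    comment="management subnet (Main LAN, assumed) may initiate to every other subnet"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="no other LAN-to-LAN forwarding; ICMP ping is dropped like everything else"
add chain=forward action=accept in-interface-list=LAN out-interface=ether1 \
    comment="every subnet may reach the internet"
add chain=forward action=drop comment="default deny for anything not matched above"

# The address-list form of the isolation rule, equivalent for the five subnets listed in the post:
#   add chain=forward action=drop src-address-list=Subnets dst-address-list=Subnets
# Note: the forward chain does not govern access to the router itself; that is the input chain.
# Restrict management of the router to the management subnet there, e.g.
#   add chain=input action=accept in-interface=ether2 comment="management to the router"
# Test from a host inside one subnet, not with /ping on the router (router-originated traffic
# takes the output chain), and watch the counters with:  /ip firewall filter print stats
```

If pings only sometimes get through, check with `/ip firewall filter print` that no earlier accept or fasttrack rule in the forward chain is matching the inter-subnet traffic before the drop rule is reached.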