Why use a management vlan?

I have questions about the need for a management vlan and DNS subnet when using multiple vlans.

Like most inexperienced users, I am struggling with vlans. Have been locked out, broken my internet access, bloodied my knees, lost sleep, etc. Have found backups are invaluable.

Use case:

  • Home network

Goals:

  • Isolate IOT devices from my trusted devices.

  • Set up a vlan for trusted devices.

    Note: No need for guest vlan

Setup:

  • Router: hAP ax3
  • Switch: RB260GS
  • AP: Asus wifi AX — no vlan functionality
  • On router: Wireguard. Nginx container. File server.

Asus is connected to hAP via ethernet. Has both trusted devices and not yet isolated IOT devices. (Will be dealt with once vlans are configured. Will need a vlan-capable switch/AP.)

Other Stuff:

  • IOT vlan is set up
  • Trusted devices are on one subnet, not on a vlan
  • DNS is on same subnet as trusted devices
  • Adlist is being used. (Want to configure IOT vlan to use it too.)

Questions:

  1. What benefit would a management vlan add? Why use one?
  2. Does a management vlan require a specific port reservation (eg ether 5) or can it be accessed via any interface? Should I put it on the bridge or an individual port (eg ether 5)?
  3. Can it and the IOT vlan use the same DNS (with Adlist) as my trusted devices?

Just remove one of the ports from the bridge and use that as your management port. It doesn’t need to be a separate VLAN for management unless you have a big setup.

The purpose of a management VLAN is to provide a dedicated, isolated network path for managing network devices such as switches, routers, access points, firewalls, and servers. This VLAN is not used for regular user or data traffic, helping improve both security and network organization. Usually in an office setup this is where the IT people are assigned, because they can reach every device in the organization.

To make it easier for you to do this, since you have a handful of devices, just dedicate one port for each device you have, then plug them into your Asus router if it has available ports to accommodate this, or if you have a spare unmanaged switch that would be a lot better while you are learning VLAN in MT.

I know it can be hard at first to grasp the concept because the implementation is not abstracted or very verbose compared to other systems, but it’s not that hard. There are lots of articles on this in this forum to start with. Good luck.

I’ve downloaded a config file from the Using RouterOS to VLAN your network thread for guidance. Will read through it then make changes manually.

Is there a particular subnet I should use for my DNS (Adlist) server? Should it be separate from my trusted devices and IOT vlans?

If the inter-vlan routing is handled by your router, which happens to also be the adlist server, then it’s not necessary.

I removed ether5 from the hAP bridge then added it as standalone. However, I cannot connect to the router via that port. Any recommendations? Do I need to make changes to the firewall?

My router’s IP is 10.0.2.1

Followed these steps:

  1. Remove ether5 from the Bridge
     1. Bridge > Ports tab
     2. Select Interface = ether5
     3. Click Remove to remove it from the bridge.

  2. Make ether5 Standalone (assign a static IP to ether5)
     1. Go to IP > Addresses
     2. New to add a new IP
     3. Address: 10.0.1.1/24
     4. Interface: select ether5

  3. Set Up a DHCP Server on ether5 to assign IPs automatically.
     1. IP > DHCP Server
     2. DHCP Setup button
     3. Interface = ether5
     4. Follow the wizard:
     5. Network = 10.0.1.0/24
     6. Gateway = 10.0.1.1
     7. IP Pool = 10.0.1.2 - 10.0.1.20
     8. DNS Server = 9.9.9.9 (also tried my local DNS server)

Adding a firewall rule allowed me to connect to the router via the isolated ether5.

chain = input
Src. address = 10.0.1.0/24 (ether5 subnet)
action = accept

Placed it below the fasttrack connection firewall rule.

Next step is to convert my trusted subnet into a vlan. Hopefully, with ether5 isolated and not on a vlan, I won’t get locked out when enabling vlan filtering on the bridge.

To make sure you won’t get locked out, remove ether5 from the bridge for the time being and use that as a management port before you turn on vlan-filtering, to ensure you have backdoor access to the device.

If you have (as you should have) the default firewall rules, instead of adding that rule you should be able to get a connection by categorizing ether5 correctly in the interface list members.

There is normally a rule in the input chain that drops anything that comes from anything BUT LAN, so if ether5 belongs to LAN (besides MGMT) that rule won’t prevent the connection.

Thanks. I learned the hard way. Originally had the ether5 rule below the drop anything-but-LAN rule, so I couldn’t connect. Moved the rule above that to get it working.
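The standalone-ether5 steps above and the interface-list fix, written out as RouterOS v7 CLI. This is an added example, not any poster's own configuration; it assumes the stock default firewall (the "LAN" interface list and the "defconf: drop all not coming from LAN" input rule) and the 10.0.1.0/24 addresses used earlier in the thread.

```routeros
# Added example: ether5 as a standalone management port (RouterOS v7).
# Assumes default firewall rules, list name "LAN", and the defconf comment below.

# 1. Take ether5 out of the bridge so bridge vlan-filtering cannot affect it.
/interface bridge port remove [find interface=ether5]

# 2. Give ether5 its own address on a dedicated management subnet.
/ip address add address=10.0.1.1/24 interface=ether5 comment="mgmt port"

# 3. DHCP on ether5 so a laptop plugged in gets an address without manual setup.
/ip pool add name=mgmt-pool ranges=10.0.1.2-10.0.1.20
/ip dhcp-server network add address=10.0.1.0/24 gateway=10.0.1.1 dns-server=9.9.9.9
/ip dhcp-server add name=mgmt-dhcp interface=ether5 address-pool=mgmt-pool disabled=no

# 4. Preferred fix: make ether5 a LAN member so the default input-chain rule
#    "drop all not coming from LAN" no longer blocks access on this port.
/interface list member add list=LAN interface=ether5

# 4b. Alternative (what the poster did): an explicit accept rule. It must sit
#     ABOVE the drop rule, because the input chain is evaluated top to bottom.
#     place-before= locates the default drop rule by its defconf comment.
/ip firewall filter add chain=input action=accept src-address=10.0.1.0/24 comment="accept from mgmt port" place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# Verify the rule order and list membership before enabling vlan-filtering.
/ip firewall filter print where chain=input
/interface list member print where list=LAN
```

Use either 4 or 4b, not both; with 4 in place the extra accept rule is redundant.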

The need for a management vlan becomes apparent when you start having multiple MT devices (managed switches (or a router acting as a managed switch), APs, etc.).
In this case it's easy and smart to assign a subnet where all the devices get their IP from and only the admin has access.
In some cases one can use a trusted subnet instead to make things simpler; however, only the admin should have access (input chain, main router) to config the main router or any device for that matter.