likufanele
just joined
Topic Author
Posts: 4
Joined: Fri Dec 11, 2015 8:22 pm

Help with VLAN configuration

Wed Mar 23, 2016 3:31 pm

Hello.

In our company we have a pretty simple network based on CRS125-24G-1S - everything in the same subnet (192.168.1.0/24) and one Internet connection; the ether1 port is WAN and all others are slaved to the master port ether2; DHCP Server set on ether2. Pretty standard stuff as you can see:
/interface ethernet
set ether1 comment="WAN"
set ether2 comment="master"
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
set ether6 master-port=ether2
set ether7 master-port=ether2
set ether8 master-port=ether2
set ether9 master-port=ether2
set ether10 master-port=ether2
set ether11 master-port=ether2
set ether12 master-port=ether2
set ether13 master-port=ether2
set ether14 master-port=ether2
set ether15 master-port=ether2
set ether16 master-port=ether2
set ether17 master-port=ether2
set ether18 master-port=ether2
set ether19 master-port=ether2
set ether20 master-port=ether2
set ether21 master-port=ether2
set ether22 master-port=ether2
set ether23 master-port=ether2
set ether24 master-port=ether2
set sfp1 master-port=ether2

/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1

/ip pool
add name=dhcp_pool1 ranges=192.168.1.220-192.168.1.254

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
current_network.png
As you can see in the image, one "leg" of the network extends to another building and handles IP CCTV and local wireless AP. Now, we need to splice the cable between the other building and the CRS and create another subnet (192.168.5.0/24) that should be completely isolated from our main subnet, handle its own DHCP and have access to the Internet.

Here's what I came up with:
/interface ethernet
set ether1 comment="WAN"
set ether2 comment="master"
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
set ether6 master-port=ether2
set ether7 master-port=ether2
set ether8 master-port=ether2
set ether9 master-port=ether2
set ether10 master-port=ether2
set ether11 master-port=ether2
set ether12 master-port=ether2
set ether13 master-port=ether2
set ether14 master-port=ether2
set ether15 master-port=ether2
set ether16 master-port=ether2
set ether17 comment="new subnet"
set ether18 master-port=ether2
set ether19 master-port=ether2
set ether20 master-port=ether2
set ether21 master-port=ether2
set ether22 master-port=ether2
set ether23 master-port=ether2
set ether24 master-port=ether2
set sfp1 master-port=ether2

/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.5.1/24 interface=ether17 network=192.168.5.0

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether17 name=dhcp2

/ip pool
add name=dhcp_pool1 ranges=192.168.1.220-192.168.1.254
add name=dhcp_pool2 ranges=192.168.5.220-192.168.5.254

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.5.0/24 gateway=192.168.5.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
new_network.png
Now the problem is that I lost the connection between the DVR and the IP cameras. I'm assuming I would have to configure some kind of switched tagged VLAN between the 'Simple SOHO Wireless Router' that's connected to the cameras and CRS so that all those devices can keep their IP numbers in the 192.168.1.0/24 subnet, which is important for us. As you probably can see I'm a newbie when it comes to Mikrotik, RouterOS, VLANs and networking in general, so I'm asking for any kind of help you can give me on how to achieve what we need. I googled extensively and have read the Manual on VLANs but still can't wrap my head around it just yet.

So to sum up, here's the TL;DR version of what we need:
- configure a VLAN "over" the 192.168.5.0/24 subnet
- retain IPs in 192.168.1.0/24 subnet inside the VLAN
- completely isolate the 192.168.5.0/24 subnet from our main network, but allow Internet connection

Thanks in advance for any suggestions.
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Re: Help with VLAN configuration

Thu Mar 24, 2016 12:34 pm

If your SOHO switch is not VLAN capable you cannot use a trunk port. You have to connect the cable to 5.0/24 directly to the MikroTik to isolate that network. Post your firewall rules in forward and your routes, because in this config your cameras should connect to the DVR by routing.
To isolate .5.0/24 network you have to either use a managed switch or connect that network directly to
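
On the isolation requirement from the first post: the configuration shown there contains only the NAT masquerade rule, and a router with addresses in both 192.168.1.0/24 and 192.168.5.0/24 routes between them unless the forward chain says otherwise. The rules below are an added example, not part of either post; the subnets and the 192.168.1.1 address are taken from the posted configuration, while the comments and log prefixes are assumptions.

```routeros
# Added example, not from either post. Subnets and 192.168.1.1 come from the
# configuration posted above; comments and log prefixes are made up here.
/ip firewall filter

# Routed traffic between the two LANs: drop in both directions.
# log=yes records each attempt, so crossing traffic shows up in /log.
add chain=forward action=drop src-address=192.168.5.0/24 \
    dst-address=192.168.1.0/24 log=yes log-prefix="5to1" \
    comment="new subnet -> main LAN"
add chain=forward action=drop src-address=192.168.1.0/24 \
    dst-address=192.168.5.0/24 log=yes log-prefix="1to5" \
    comment="main LAN -> new subnet"

# Traffic to the router's own main-LAN address is handled by the input
# chain, not forward, so it needs its own rule. Hosts in 192.168.5.0/24
# still reach their gateway 192.168.5.1.
add chain=input action=drop src-address=192.168.5.0/24 \
    dst-address=192.168.1.1 \
    comment="new subnet -> router main-LAN address"
```

Traffic from 192.168.5.0/24 to the Internet matches none of these rules and still leaves through the masquerade on ether1. The rules only see packets the router forwards between ether2 and ether17; devices sharing one unmanaged switch are not separated by them.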
