yerzhl
just joined
Topic Author
Posts: 22
Joined: Thu Sep 22, 2016 9:37 am

Can help me to configure this networking scheme?

Thu Sep 22, 2016 10:40 am

Hello, I just got my RB951G-2HND yesterday and am totally blind about scripting or setting up MikroTik.

This is the network plan (attached image: scheme.jpg)
Here is the route:
Cable modem to Mikrotik via LAN
Mikrotik to router 1 (optional and not always available) via LAN
Mikrotik to router 2 via LAN
Mikrotik or router 1 to home devices (both group A and B) via WLAN
Router 2 to home devices via LAN, not WLAN as described
Router 2 to guest devices via WLAN (sometimes some home devices may connect to router 2 via WLAN for some purposes)

And for the rules:
1. I want to limit the bandwidth and block some websites or video streaming, downloads etc. of guest devices which connect via router 2 WLAN. If some of the home devices also connect to the WLAN of router 2, is it possible to exempt these home devices from the rules? I don't want to make a list of guest devices because I would have to add the IP/MAC address every time a new device connects to my network. For rule number 1, it's better if you could show the script to block websites, media content (video and audio), streaming and downloads.
2. For home devices, sometimes some devices need more bandwidth. Let's say group A devices are used to play games and their bandwidth can't be disturbed (for example, one of the devices from group B is streaming video and group A gets high ping). Is it possible to set up the bandwidth and also block group B from streaming, downloading etc.? For this rule, I don't want to make it permanent. If possible, I just want to select enable or disable. So when I need this rule active, I would just like to tick a checkbox or select enable.
3. As you can see, router 2 has CCTV, TV and other media devices. Is it possible to block guest devices from connecting to my media devices, let's say the TV? But home devices should still connect to the media devices, even from router 1 or the MikroTik.

And lastly, can you explain to me which is the best way to configure the IP?
So far without mikrotik, I configure my router 1 with ip 192.168.1.1 and router 2 ip 192.168.1.2. For the route, the internet comes from modem to router 1 via LAN through internet port, router 1 to router 2 via LAN through Ethernet port.

What I want from the reply is the script that can configure the rules above.
A big thanks, I really appreciate your help :)
Splash
Member Candidate
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Can help me to configure this networking scheme?

Fri Sep 23, 2016 10:38 am

Thanks for your detailed requirements around your required solution. I would suggest that you may want to get in contact with your local consultant to assist you as this solution does require a number of configuration aspects.
MTCNA, MTCRE, MTCINE, MTCTCE, MTCIPv6E, MTCUME
 
yerzhl
just joined
Topic Author
Posts: 22
Joined: Thu Sep 22, 2016 9:37 am

Re: Can help me to configure this networking scheme?

Sat Sep 24, 2016 8:20 pm

Thanks for your detailed requirements around your required solution. I would suggest that you may want to get in contact with your local consultant to assist you as this solution does require a number of configuration aspects.
Thanks for the response. I thought this requirement was simple. But thanks for the advice.
 
magchiel
Member Candidate
Posts: 124
Joined: Mon Jan 06, 2014 2:13 pm

Re: Can help me to configure this networking scheme?

Sun Sep 25, 2016 2:23 pm

Thanks for the response. I thought this requirement was simple. But thanks for the advice.
The requirement itself is, the solution less so.

May I ask: why the two routers? This can be done much simpler (i.e.: centrally managed) with just the RB951, a couple of VLAN capable switches and MT-based access points (e.g. hAP/wAP).
 
yerzhl
just joined
Topic Author
Posts: 22
Joined: Thu Sep 22, 2016 9:37 am

Re: Can help me to configure this networking scheme?

Sun Sep 25, 2016 8:21 pm

Thanks for the response. I thought this requirement was simple. But thanks for the advice.
The requirement itself is, the solution less so.

May I ask: why the two routers? This can be done much simpler (i.e.: centrally managed) with just the RB951, a couple of VLAN capable switches and MT-based access points (e.g. hAP/wAP).
Router 2 can be used as an AP if the wifi range from the RB951 can't be reached, or to separate the network for home users and guests. Also, guest wifi coverage can be less than home users' coverage.
I know the RB951 can set up its wifi range, but the positions of these two routers are different. RB951 on the 3rd floor and router 2 on the 1st floor.
 
magchiel
Member Candidate
Posts: 124
Joined: Mon Jan 06, 2014 2:13 pm

Re: Can help me to configure this networking scheme?

Sun Sep 25, 2016 9:08 pm

I know the RB951 can set up its wifi range, but the positions of these two routers are different. RB951 on the 3rd floor and router 2 on the 1st floor.
That's not what I meant. You can still use multiple devices at different locations but you use CAPsMAN to manage them from the RB951 (together with your routing, firewall etc).
Using multiple routers in such a setup I find adds unnecessary complexity by introducing things like double NATting (unless you plan to just use the switch plane of the router, in which case I was put on the wrong track by your scheme).
Anyway, I second the suggestion made above to find a local consultant to help translate and configure your requirements into a working solution.
 
yerzhl
just joined
Topic Author
Posts: 22
Joined: Thu Sep 22, 2016 9:37 am

Re: Can help me to configure this networking scheme?

Mon Sep 26, 2016 7:34 am

I know the RB951 can set up its wifi range, but the positions of these two routers are different. RB951 on the 3rd floor and router 2 on the 1st floor.
That's not what I meant. You can still use multiple devices at different locations but you use CAPsMAN to manage them from the RB951 (together with your routing, firewall etc).
Using multiple routers in such a setup I find adds unnecessary complexity by introducing things like double NATting (unless you plan to just use the switch plane of the router, in which case I was put on the wrong track by your scheme).
Anyway, I second the suggestion made above to find a local consultant to help translate and configure your requirements into a working solution.
Actually I'm a bit confused about which is better: just using the switch plane of the router (so it will work as a switch or LAN port extender) or making it a router with an IP of, let's say, 192.168.2.1.
For multiple routers, just ignore router 1. The main network is only the RB951 and router 2.
For CAPsMAN thing, I will try this method. Thanks for the advice.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Can help me to configure this networking scheme?

Mon Sep 26, 2016 6:44 pm

You should use the switch plane, and only have router functionality on the main Mikrotik.

You do this with VLANs.

I assume that group A / group B is the same as home devices / guest devices on router 2... if not, then you'll just need to add two more vlans for the groups and handle them in the same way as the guest wlan at router2.

On the main mikrotik, keep all of your LAN settings just as they are.
Create a new IP network by adding a vlan interface to the existing lan bridge (I assume it's a bridge. If you have no "bridge-local" interface, just substitute the master lan ethernet interface)
Name the vlan interface something descriptive like "guest-vlan" and set the vlan-id to something unique. Let's say 10.
Add a new IP range to this interface, say 192.168.10.1/24
Configure dhcp server on this interface.
Configure your NAT rules so that they will also work for the guest vlan. (usually, the only srcnat rule in the router is configured to match out-interface=wan, which is perfect for your setup. If your srcnat rules match based on src-address, then you'll either need to add more rules for the guest vlan, or just modify the existing rule to use out-interface instead of src-address - I recommend this)
Later, you can configure rules in the forward chain of the firewall filter table to limit the guest network's access to the regular LAN.

That's pretty much all you need to do on the main router.

On the routers 1 and 2, you can do things pretty easily.
Make sure they have a LAN bridge which is connected to the ethernet master interface and to the wlan1 interface.
Create a virtual-AP interface for your guest vlan, and set the SSID however you like, and configure it to use whatever security profile you like.
Set the vlan-id on the Virtual AP to 10, so that its lan-side traffic will be placed in the guest VLAN.

If you want group A and group B to be separate networks as well, just repeat these steps and use a new IP range for each new vlan.

If you want to put any physical interfaces on router1/router2 into the guest vlan, then you'll need to either use the vlan switch configuration or else you can remove the desired port(s) from the switch master, making them into stand-alone ports. Then create a second bridge (guest-bridge) and add a guest-vlan VLAN interface to the main bridge (set vlan-id=10). Then connect guest-vlan and the stand-alone ethernet interfaces to this guest bridge.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
magchiel
Member Candidate
Posts: 124
Joined: Mon Jan 06, 2014 2:13 pm

Re: Can help me to configure this networking scheme?

Fri Sep 30, 2016 12:26 am

Above setup works for the basics under the precondition that the other routers support VLANs. There is no information on the router 1 and 2, but I assume them to be non-Mikrotik.

The three specials here can be a bit tricky, also depending on the other hardware:
  • blocking specific websites and content is becoming increasingly difficult with HTTPS
  • the QoS -> unclear whether the bandwidth requirement is for ISP, wireless or both. Could be done based on MAC and/or source address/subnet utilising queue trees and WMM. Synchronising wireless QoS on AP hardware from different manufacturers I can imagine being more tricky.
  • the guest isolation from the other groups, which requires at least two VLANs from router 2 and the wireless not to be untagged on the switch plane for it to be firewalled at the mikrotik, with an exception from guest to the TV IP. Potentially more difficult things to configure properly are broadcast/multicast applications (bonjour, DLNA, ...) if that is why access from the guest network to the TV is a requirement.
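
The VLAN procedure ZeroByte laid out and the guest isolation point magchiel raised (guests reach the TV and nothing else on the home LAN, plus a bandwidth cap on the guest subnet), put together as one RouterOS CLI script. This is an added example, not configuration posted by anyone in the thread. It assumes the RB951 default names (bridge-local, ether1-gateway, home LAN 192.168.88.0/24), a hypothetical TV address of 192.168.88.20, and that router 2 runs RouterOS so its Virtual AP can tag VLAN 10.

```routeros
# --- Main router (RB951G-2HND) ---
# Assumes the RB951 default config: LAN bridge "bridge-local", WAN port
# "ether1-gateway", home LAN 192.168.88.0/24; rename to match your export.

# Guest VLAN interface on the existing LAN bridge (vlan-id 10)
/interface vlan
add name=guest-vlan interface=bridge-local vlan-id=10

# Addressing and DHCP for the guest network
/ip address
add address=192.168.10.1/24 interface=guest-vlan
/ip pool
add name=guest-pool ranges=192.168.10.10-192.168.10.250
/ip dhcp-server
add name=guest-dhcp interface=guest-vlan address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# srcnat matched on the WAN interface, so one rule covers every internal subnet
/ip firewall nat
add chain=srcnat out-interface=ether1-gateway action=masquerade

# Guest isolation: guests reach the TV only, nothing else on the home LAN.
# These rules must be ordered before any generic "accept" in the forward chain.
/ip firewall address-list
add list=guest-reachable address=192.168.88.20 comment="TV (hypothetical address)"
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=guest-vlan dst-address-list=guest-reachable action=accept
add chain=forward in-interface=guest-vlan dst-address=192.168.88.0/24 action=drop comment="guest -> home LAN"
# Guests get DHCP and DNS from the router, but no management access (winbox/ssh/www)
add chain=input in-interface=guest-vlan protocol=udp dst-port=53,67 action=accept
add chain=input in-interface=guest-vlan protocol=tcp dst-port=53 action=accept
add chain=input in-interface=guest-vlan action=drop

# Rule 1: bandwidth cap for the whole guest subnet (upload/download, values hypothetical)
/queue simple
add name=guest-limit target=192.168.10.0/24 max-limit=5M/10M

# --- Router 2 (assumed to run RouterOS, wlan1 and the LAN ports on "bridge-local") ---
# Virtual AP for guests; vlan-mode=use-tag places its traffic into VLAN 10 on the bridge
/interface wireless security-profiles
add name=guest-profile mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME
/interface wireless
add name=wlan-guest master-interface=wlan1 mode=ap-bridge ssid=Guest-WiFi security-profile=guest-profile vlan-mode=use-tag vlan-id=10 disabled=no
/interface bridge port
add bridge=bridge-local interface=wlan-guest
```

Home devices that should stay outside the guest rules simply keep using router 2's original home SSID, which remains untagged on the LAN, so no per-device IP/MAC list is needed. The guest-limit queue can be toggled with disabled=yes/no, which is the same on/off behaviour the opening post asked for in rule 2.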
