I apologize for obvious (for someone) question:
I'll add Mikrotik wAP LTE on the roof. It will be connected to PowerBox Pro and it won't be on dedicated LAN port. What is the proper procedure to incorporate it into network ? Is it via VLAN or something else ?
Thanks in advance !
Re: Adding 3rd WAN but no dedicated LAN port - is VLAN solution ?
I'd have to see a diagram of your network to be certain. VLANs can be used for WAN connections if necessary.
Re: Adding 3rd WAN but no dedicated LAN port - is VLAN solution ?
Yes, it can be done. This example isn't 100% the same as yours but it should be similar.
I made a mAP-lite (1 ethernet port) into my home router by using the physical ethernet interface as the WAN link, and a VLAN interface on top of the physical interface as the internal facing network. Just as an exercise. I didn't contemplate all security implications. I turned off any discovery protocols on the external interface.
You need a VLAN aware switch attached.
Vlan 2 (on the switch) is the external interface. It's the ether1 interface with dhcp client on the MIkrotik:
Vlan 3 is the internal facing network, 192.168.x.x
I used a Cisco switch but it should be possible to use anything. A hAP-lite or mini would be a very cheap way to do it. The "native" interface would be vlan 2, the trunked (tagged) part is vlan 3. Cisco stuff:
In my case I added a bridge for the WiFi interface and vlan 3 so I could use the WiFi internally as well. Not sure if that's relevant to you.
There are lots of combinations of how you could do this with VLANS, this is just one of them.
Would like to hear what the security implications of doing this are in general and for a MikroTik in particular from someone who has been around longer than I have.
I made a mAP-lite (1 ethernet port) into my home router by using the physical ethernet interface as the WAN link, and a VLAN interface on top of the physical interface as the internal facing network. Just as an exercise. I didn't contemplate all security implications. I turned off any discovery protocols on the external interface.
You need a VLAN aware switch attached.
Vlan 2 (on the switch) is the external interface. It's the ether1 interface with dhcp client on the MIkrotik:
Code: Select all
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1Code: Select all
/interface vlan
add interface=ether1 name=vlan3 vlan-id=3
/ip address
add address=192.168.x.1/24 interface=vlan3 network=192.168.x.0
(I use a separate DHCP server but the default one should work if you change it's interface to the bridge)
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=wlan1
add bridge=bridge interface=vlan3Code: Select all
int port f0/1 (facing internet)
switchport access vlan 2
int port f0/2 (facing router)
switchport trunk allowed vlan 2,3
switchport trunk native vlan 2
switchport mode trunk
int port f0/3 (connected to your internal network)
switchport access vlan 3There are lots of combinations of how you could do this with VLANS, this is just one of them.
Would like to hear what the security implications of doing this are in general and for a MikroTik in particular from someone who has been around longer than I have.
Re: Adding 3rd WAN but no dedicated LAN port - is VLAN solution ?
I apologize for late reply, thanks for your replies.
Here's the basic layout of my network, at least the part we are interested in for this problem:
In words:
- Single LAN cable to roof
- QRT on the roof that's working as PtP device to connect remote area to my network
- I planned to add wAP LTE and PowerBox Pro on the roof
- Under roof, second floor, LAN cable goes to gigabit switch. Connected to that switch I have hAP AC and several other devices (TV, media player, etc.). I can put here some Mikrotik device instead of plain switch if needed.
- From second floor LAN cable goes to basement and is connected to LAN-3 on RB-3011
- LAN1 AND LAN2 on RB-3011 are WAN ports with vDSL modems connected to it.
Can it be done this way ?
Thanks !
Here's the basic layout of my network, at least the part we are interested in for this problem:
In words:
- Single LAN cable to roof
- QRT on the roof that's working as PtP device to connect remote area to my network
- I planned to add wAP LTE and PowerBox Pro on the roof
- Under roof, second floor, LAN cable goes to gigabit switch. Connected to that switch I have hAP AC and several other devices (TV, media player, etc.). I can put here some Mikrotik device instead of plain switch if needed.
- From second floor LAN cable goes to basement and is connected to LAN-3 on RB-3011
- LAN1 AND LAN2 on RB-3011 are WAN ports with vDSL modems connected to it.
Can it be done this way ?
Thanks !
Re: Adding 3rd WAN but no dedicated LAN port - is VLAN solution ?
A little more explanation about what your goal is with all of this would be nice.
Assuming the LTE is "just another" WAN connection in addition to the 2 you already have:
(This is off the top of my head, I don't even know if this is possible)
Make a tunnel interface on the LTE router going back to the 3011. Handle the routing in the 3011. I'm not 100% sure on how I would accomplish this because I've never used LTE on a MikroTik, but I really want to at some point. Maybe an EoIP tunnel? Someone more experienced would have to chime in.
Alternately, get a "real" switch on your second floor and you can just vlan it through the power box and back to your 3011. I just picked up a gigabit Juniper with PoE off Ebay for $100 shipped. Too bad MikroTik devices are passive PoE for the most part... A MikroTik switch would work as well of course. Before the Juniper I was using a Cisco 2960 10/100 with gigabit uplinks for $45 shipped to my door. It's quieter, I might go back to it.
Assuming the LTE is "just another" WAN connection in addition to the 2 you already have:
(This is off the top of my head, I don't even know if this is possible)
Make a tunnel interface on the LTE router going back to the 3011. Handle the routing in the 3011. I'm not 100% sure on how I would accomplish this because I've never used LTE on a MikroTik, but I really want to at some point. Maybe an EoIP tunnel? Someone more experienced would have to chime in.
Alternately, get a "real" switch on your second floor and you can just vlan it through the power box and back to your 3011. I just picked up a gigabit Juniper with PoE off Ebay for $100 shipped. Too bad MikroTik devices are passive PoE for the most part... A MikroTik switch would work as well of course. Before the Juniper I was using a Cisco 2960 10/100 with gigabit uplinks for $45 shipped to my door. It's quieter, I might go back to it.
Re: Adding 3rd WAN but no dedicated LAN port - is VLAN solution ?
My goal is wAP LTE to be WAN-3, plain and simple. 
Can you give me an example of Mikrotik switch I would need to be able to VLAN thorugh ?
Thanks
Can you give me an example of Mikrotik switch I would need to be able to VLAN thorugh ?
Thanks
Re: Adding 3rd WAN but no dedicated LAN port - is VLAN solution ?
Someone smarter about MikroTik switches should answer before you listen to me.
I haven't ever owned a MikroTik switch unfortunately. I've never touched SwOS. I want to at some point. They have a 5 port one for $40 but I doubt that is going to cover you.
If it was me, I'd probably go for this one:
https://mikrotik.com/product/CSS326-24G-2SplusRM
24 gigabit ports + 2 SFP+ (10 gig). Nice for the price.
I was trying to decode which one would support PoE so you could eliminate your power box and power the roof devices directly from the switch, but it started to get complicated.
Pretty sure you could accomplish what you're trying to do with a tunnel interface between the LTE router and the 3011, then the routing could be handled at the 3011. You wouldn't have to buy anything else. You should try it. Have you?
I haven't ever owned a MikroTik switch unfortunately. I've never touched SwOS. I want to at some point. They have a 5 port one for $40 but I doubt that is going to cover you.
If it was me, I'd probably go for this one:
https://mikrotik.com/product/CSS326-24G-2SplusRM
24 gigabit ports + 2 SFP+ (10 gig). Nice for the price.
I was trying to decode which one would support PoE so you could eliminate your power box and power the roof devices directly from the switch, but it started to get complicated.
Pretty sure you could accomplish what you're trying to do with a tunnel interface between the LTE router and the 3011, then the routing could be handled at the 3011. You wouldn't have to buy anything else. You should try it. Have you?
Re: Adding 3rd WAN but no dedicated LAN port - is VLAN solution ?
I still haven't received wAP LTE, it should be available for delivery by end of this month. I was asking in advance to see if it can be done with 1 LAN cable.
As soon as I get it I'll try it.
As soon as I get it I'll try it.