ehbowen
newbie
Topic Author
Posts: 43
Joined: Tue Sep 05, 2017 6:13 am
Location: Houston, Texas
Contact:

Brand New to MikroTik

Tue Sep 05, 2017 7:06 am

In the "Lemons to Lemonade" department: I live in Houston, Texas...you may have heard of the recent unpleasantness...and currently my small church has the bottom 18" of wallboard cut out all through the property. I was struck by the notion that this would be an excellent opportunity to wire the 60+ year old building for modern data and internet. I've just (today) ordered an RB3011UiAS-RM to be the gateway to the new system.

The ultimate goal is to network a handful of PCs (office, pastor, sound booth) but also have data drops in each classroom where a Raspberry Pi or similar could be hooked up as a media client, connect about 6 IP security webcams, transition to a modern VoIP phone system, install about four Wi-fi access points located around the complex (dual-band AC mode preferred), and use a Synology RackStation RS816 as the brains of the system for NAS storage, media server, and surveillance monitor.

I've used DD-WRT around the house and am currently using an ASUS RT-N66U router (with stock firmware), so I have at least some familiarity with the basics. But this will be the first time I have ever dealt with a commercial-grade router. I'm asking for some pointers for setting up the following objectives:
  • For Wi-fi, I want to have [at least] four separate networks: A guest network (secured, but with a simple password) with filtered access and time limits (no one should be accessing the guest network at a church after midnight!) which cannot reach the church computers or server; a regular network for teachers and staff and such which can access media and church data; a hidden admin network; and an IoT network with a strong password for smart thermostats and the like.
  • I want to put the surveillance cameras (physical wired PoE) on their own VLAN which can only access specific, restricted ports on the NAS and which CANNOT "phone home" to China.
  • I want to set up a VPN with certificate access only (I don't trust passwords) which is to be the only way that anyone (including myself) can access administrative functions while outside the physical LAN.
  • Our Internet service, at first, is going to be bare-bones basic business class...which I'm funding out of my own pocket; we currently have neither Internet nor telephone. I'll need to prioritize the VoIP addresses accordingly. Also, I want to restrict excessive usage, especially from the guest network.
  • I also want to filter inappropriate websites and content...this is a church, after all!
  • Finally, I want to restrict the physical LAN so that someone cannot just, for example, sneak into an unused classroom and plug in and access sensitive data. We should have a set list of authorized computers.
Finally, all this stuff at present exists only in the back of my own mind. I've ordered the server rack and some of the hardware (and will order more once the next paycheck comes in), but I haven't started running wiring or anything yet. My assets include about 300' of Cat 5e interior cable and a new, unbroken 1000' box of Cat 6 exterior-grade; I also have the tools and cable tester and am comfortable running the physical wiring. But if anyone can make any suggestions at this stage which will make the job easier or leave possibilities open for future expansion, I'd like to hear them now.

Thanks!
There are very few problems which cannot be solved by a suitable application of high explosives....
 
Tdaddysimi
Frequent Visitor
Posts: 90
Joined: Wed Sep 28, 2016 4:37 pm
Location: Minnesota

Re: Brand New to MikroTik

Wed Sep 06, 2017 9:19 pm

For only letting certain things on and limiting all else, simple queues will be the go-to answer, configured easily inside the MikroTik. It's mainly used for QoS and limiting users' speed. On my network, I have my file servers and what not with unlimited access, but of course when my younger cousins stay over and what not, I need to make sure they aren't on the internet at 4 in the morning. Using the queues, you can easily select an IP range in a rule, and set the allotted time they can have bandwidth. You have to study simple queues some to figure out how to mark packets and then create the queues around them, but that part of things will be easy for you! MikroTik does a great job of it.

Don't forget to check out the Mikrotik Wiki, where you will literally get flooded with information. (too soon?)
Hope that helps one of your problems!
Tom
 
lambert
Long time Member
Posts: 532
Joined: Fri Jul 23, 2010 1:09 am

Re: Brand New to MikroTik

Thu Sep 07, 2017 6:49 am

Doing all of this on a new to you platform is going to involve a steep learning curve. That's great if you have the time. If you know how to do all of this with something else, you may want to go that direction, even if it costs more. If you have to learn how to do this for any platform you might use, the MikroTik gear is probably close to the most cost effective platform to learn on.

I hope you have access to a good cordless drill and sharp bits...
I've just (today) ordered an RB3011UiAS-RM to be the gateway to the new system.
  • For Wi-fi, I want to have [at least] four separate networks: A guest network (secured, but with a simple password) with filtered access and time limits (no one should be accessing the guest network at a church after midnight!) which cannot reach the church computers or server; a regular network for teachers and staff and such which can access media and church data; a hidden admin network; and an IoT network with a strong password for smart thermostats and the like.
RouterOS can handle all the VLANs you want. It can also isolate the VLANs however you need. RouterOS can have a lot of SSIDs in different VLANs on each physical AP. You can hide the SSIDs on any vAPs you want. With CAPsMAN you can even avoid having to build the Virtual APs on each AP. cAPs, hAPs, and wAPs are all useful as APs. With the AC models, you can have 5GHz and 2.4 GHz which helps share the load in dense environments. I'm not sure how heavily you expect your people to be using devices during services. There seem to be a lot of ways they are being integrated into the services these days.

Filtering and time limits are easier with the multiple VLANs. You're headed in the right direction there.

When installing several APs in a dense area, you want to hide the APs from one another as much as possible. That usually means using bags of water, human bodies, to block/absorb the signals from other APs. That sometimes means you want to mount the APs under the pews. You definitely do not want them in the rafters.
  • I want to put the surveillance cameras (physical wired PoE) on their own VLAN which can only access specific, restricted ports on the NAS and which CANNOT "phone home" to China.
Easy firewall rules, possibly only 2 rules. Allow what you want and deny anything else.
  • I want to set up a VPN with certificate access only (I don't trust passwords) which is to be the only way that anyone (including myself) can access administrative functions while outside the physical LAN.
Probably at least two options:

https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Keys

https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP

OpenVPN can probably use certs also. OpenVPN support seems not to be a priority in RouterOS.

  • Our Internet service, at first, is going to be bare-bones basic business class...which I'm funding out of my own pocket; we currently have neither Internet nor telephone. I'll need to prioritize the VoIP addresses accordingly. Also, I want to restrict excessive usage, especially from the guest network.
Bare bones business class is probably all you need. With the IP cloud dynamic DNS feature of RouterOS, a static IP is less necessary these days. If you can do without a static IP it may save some monthly money. You can easily point a CNAME from your own domain, if you have one, at the ip cloud hostname.

VoIP in a VLAN/subnet of its own. Use Queues, probably just the simple queues will be sufficient.

https://wiki.mikrotik.com/wiki/Manual:Queue

Use the queues for fair share of remaining resources on the guest network also with the PCQ up and down queue types.
  • I also want to filter inappropriate websites and content...this is a church, after all!
This is more interesting, aka hard to do yourself. I'd probably just use some DNS servers which try to do that for you. There are several which are free to use for non-profits and home users. OpenDNS, Norton ConnectSafe, McAfee, SafeDNS, Untangle, and Dyn for a quick survey. Just set them up under IP DNS. You may want to also have firewall rules which redirect tcp/udp dst 53 to your MikroTik's caching DNS server.
  • Finally, I want to restrict the physical LAN so that someone cannot just, for example, sneak into an unused classroom and plug in and access sensitive data. We should have a set list of authorized computers.
There are probably a few ways to deal with this. I might authorize users rather than devices. MAC cloning might be less useful that way. Your data is going to require strong credentials to access and not be transferred in the clear anyway, right? Right? I thought so. The LAN in your environment is as hostile as the open Internet. You'll have devices moving in and out of your network and won't know what they've caught on someone else's network. BYOD brings the sewer inside...

I don't think RouterOS supports 802.1x for wired devices. You might want switches which do support it. It depends on your level of paranoia.

Otherwise,

https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot

Maybe use static ARP entries. Have DHCP add ARP entries. Set your interfaces' ARP setting to "reply-only" instead of "enabled". Static ARP entries are going to be a hassle long term. It might be less hassle to use static DHCP leases for anything that needs a static IP. At least you only have to make the change in one place when a device is replaced.
Finally, all this stuff at present exists only in the back of my own mind. I've ordered the server rack and some of the hardware (and will order more once the next paycheck comes in), but I haven't started running wiring or anything yet. My assets include about 300' of Cat 5e interior cable and a new, unbroken 1000' box of Cat 6 exterior-grade; I also have the tools and cable tester and am comfortable running the physical wiring. But if anyone can make any suggestions at this stage which will make the job easier or leave possibilities open for future expansion, I'd like to hear them now.

Thanks!
If you can leave things in the wall, conduit, pull-strings, whatever, so that you can run fiber at some point in the future, it might be helpful. That could be as expensive as putting the fiber in now. It is possible to order pre-built fiber cables of the right length (add a healthy fudge factor).

You may be able to use some creativity to future proof the physical aspects if you take the time to think about them before you start.

Cat5e gets expensive when it's coming out of a volunteer's pockets, but I always regret not running at least two runs to each location; I really like four cables in a lot of places. You can easily end up with a desk phone, a computer, and a printer/scanner in the same place. Or two workstations/phones and a printer where you thought you would only ever have a phone and a computer. In a one person office, I once ended up using 8 strands of Cat5. But that was an IT focused office with test gear. If you hook them all into a patch panel, you have the most flexible voice/ethernet setup and can keep switching networks physically separate if that becomes useful. Just short patch cable moves when personnel make the inevitable room swaps. Dropping 5 port switches all over the building leads to madness in a couple of years.

I'd keep all the infrastructure wired as much as possible. The RF environment may end up a bit busy. Wired is more predictable and much faster once you have 3 users moving large files to and from a server.


When you get stuck, read the wiki. If you're still stuck, come back and ask specific questions. There are a lot of helpful people in here.
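What the advice in this post looks like as RouterOS configuration, as an added example that is not part of this thread and not lambert's own config: the two-rule camera firewall, the guest VLAN time window (the same time-limit idea Tdaddysimi describes above with queues), the redirect of guest DNS to the router's caching forwarder, simple queues that put VoIP first and give the guest network a PCQ fair share of what is left, and reply-only ARP with entries added by DHCP. Interface names, subnets, the NAS address, port numbers and bandwidth figures are assumptions; the two filtering resolver addresses are OpenDNS FamilyShield's public ones and are not from the thread.

```routeros
# Added example (not from this thread). Assumed names and addresses:
#   vlan-staff 192.168.10.0/24 (NAS at 192.168.10.10), vlan-cams 192.168.30.0/24,
#   vlan-guest 192.168.40.0/24, vlan-voip 192.168.50.0/24, WAN port ether1-wan,
#   DHCP server "dhcp-staff". Ports and speeds are placeholders; size to your gear.
# Paste from a terminal session in Safe Mode (Ctrl-X) so a bad rule can be undone.

/ip firewall address-list
add list=church-lan address=192.168.10.0/24 comment="staff + NAS"
add list=church-lan address=192.168.30.0/24 comment="cameras"
add list=church-lan address=192.168.50.0/24 comment="VoIP"

/ip firewall filter
# Stateful basics first, so replies to permitted connections always pass.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Cameras: the "two rules" from the post. Allow only the NAS surveillance
# ports (554/9000 are assumed; check your NAS), then drop everything else,
# which also removes any Internet path the cameras could use to phone home.
add chain=forward in-interface=vlan-cams dst-address=192.168.10.10 \
    protocol=tcp dst-port=554,9000 action=accept comment="cams -> NAS only"
add chain=forward in-interface=vlan-cams action=drop comment="cams: nothing else"
# Only the NAS may reach the cameras (to pull RTSP/ONVIF); nobody else can.
add chain=forward src-address=192.168.10.10 out-interface=vlan-cams \
    protocol=tcp dst-port=80,554 action=accept comment="NAS -> cams"
add chain=forward out-interface=vlan-cams action=drop comment="nobody else -> cams"
# Guest: isolated from church networks, and no forwarding after midnight.
# The time matcher relies on the router clock, so enable the NTP client.
add chain=forward in-interface=vlan-guest dst-address-list=church-lan \
    action=drop comment="guest cannot reach church LANs"
add chain=forward in-interface=vlan-guest time=0s-6h,sun,mon,tue,wed,thu,fri,sat \
    action=drop comment="guest Wi-Fi dark 00:00-06:00"
# The router will answer DNS for the LAN, so refuse DNS arriving from the WAN
# (otherwise allow-remote-requests turns it into an open resolver).
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop

# Filtered DNS: the router forwards to a filtering resolver, and guest clients
# are forced through it even if they hard-code another server.
/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip firewall nat
add chain=dstnat in-interface=vlan-guest protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="guest DNS -> router"
add chain=dstnat in-interface=vlan-guest protocol=tcp dst-port=53 \
    action=redirect to-ports=53

# Queues: a parent slightly below the real line rate so the router, not the
# ISP, does the queuing; VoIP at top priority; guest shares the leftovers
# per host with PCQ.
/queue simple
add name=wan-total target=192.168.0.0/16 max-limit=9M/45M \
    comment="parent (line assumed to be 10/50 Mbit)"
add name=voip-first parent=wan-total target=192.168.50.0/24 \
    max-limit=2M/2M priority=1/1 comment="VoIP first in line"
add name=guest-share parent=wan-total target=192.168.40.0/24 \
    max-limit=4M/20M priority=8/8 \
    queue=pcq-upload-default/pcq-download-default comment="per-host fair share"

# Staff LAN: reply-only ARP means the router only talks to hosts whose
# MAC/IP pair it already knows; DHCP adds pairs for its leases, and fixed
# hosts get a static lease so there is one place to edit on replacement.
/interface vlan
set vlan-staff arp=reply-only
/ip dhcp-server
set dhcp-staff add-arp=yes
/ip dhcp-server lease
add server=dhcp-staff address=192.168.10.50 mac-address=00:11:22:33:44:55 \
    comment="office PC (constructed MAC)"
```

Two limits worth knowing before relying on this: the port-53 redirect only catches plain DNS, so a client using DNS over HTTPS or TLS bypasses the filter unless you also block those; and reply-only ARP only withholds the router from an unknown device, it does not stop that device from talking to other hosts on the same VLAN, which is the gap the 802.1x-capable switch in the post is meant to close. The camera default-drop also removes NTP for the cameras, so either let the NAS serve time or add a narrow udp/123 exception.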
 
ehbowen
newbie
Topic Author
Posts: 43
Joined: Tue Sep 05, 2017 6:13 am
Location: Houston, Texas
Contact:

Re: Brand New to MikroTik

Sat Sep 09, 2017 7:27 pm

Doing all of this on a new to you platform is going to involve a steep learning curve. That's great if you have the time. If you know how to do all of this with something else, you may want to go that direction, even if it costs more. If you have to learn how to do this for any platform you might use, the MikroTik gear is probably close to the most cost effective platform to learn on.

I hope you have access to a good cordless drill and sharp bits...
My day job is as a maintenance engineer in a commercial laboratory facility, so...yes.
  • For Wi-fi, I want to have [at least] four separate networks: A guest network (secured, but with a simple password) with filtered access and time limits (no one should be accessing the guest network at a church after midnight!) which cannot reach the church computers or server....
Filtering and time limits are easier with the multiple VLANs. You're headed in the right direction there.
One possibility that I was thinking about: I'm going to have a web-accessible CalDAV calendar on the Synology for church events which anyone can view and which authorized users can access to enter events. Can you think of any way of integrating this with the Wi-fi system, either through RouterOS, through the switch (NetVanta 1534 PoE), or through the AP controller (looking at Ubiquiti as well as MikroTik), so that if someone enters an event the guest Wi-fi automatically activates, say, one hour before the event and shuts off one hour after the event?
When installing several APs in a dense area, you want to hide the APs from one another as much as possible. That usually means using bags of water, human bodies, to block/absorb the signals from other APs. That sometimes means you want to mount the APs under the pews. You definitely do not want them in the rafters.
I'm planning three APs separated from each other by about 50' in a frame building; one in the sanctuary, one in the classrooms/office area, and one in the fellowship hall. The area is very lightly developed, aside from the trailer park next door, and there are very few other Wi-fi signals detectable in the vicinity. The fourth AP will eventually be installed outdoors in/near our youth building. Does it sound like we will need to take special measures there?

BTW, I expect the Wi-fi to be lightly used, especially during services. It falls more into the, "Because I can!" category...although I hope it will be useful in the future.
  • I want to set up a VPN with certificate access only (I don't trust passwords) which is to be the only way that anyone (including myself) can access administrative functions while outside the physical LAN.
Probably at least two options:

https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Keys

https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP

OpenVPN can probably use certs also. OpenVPN support seems not to be a priority in RouterOS.
I've used OpenVPN before, but had some difficulty with it. I haven't taken a serious look at IPsec before. I'm looking for a solution which will work with Windows, Mac, iPhone, Android, and Linux as well as with the router and server.
  • Finally, I want to restrict the physical LAN so that someone cannot just, for example, sneak into an unused classroom and plug in and access sensitive data. We should have a set list of authorized computers.
There are probably a few ways to deal with this. I might authorize users rather than devices. MAC cloning might be less useful that way. Your data is going to require strong credentials to access and not be transferred in the clear anyway, right? Right? I thought so. The LAN in your environment is as hostile as the open Internet. You'll have devices moving in and out of your network and won't know what they've caught on someone else's network. BYOD brings the sewer inside...

I don't think RouterOS supports 802.1x for wired devices. You might want switches which do support it. It depends on your level of paranoia.

Otherwise,

https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot

Maybe use static ARP entries. Have DHCP add ARP entries. Set your interfaces' ARP setting to "reply-only" instead of "enabled". Static ARP entries are going to be a hassle long term. It might be less hassle to use static DHCP leases for anything that needs a static IP. At least you only have to make the change in one place when a device is replaced.
The NetVanta 1534 PoE is supposed to support 802.1x. I'll have to learn how to use it.
Finally, all this stuff at present exists only in the back of my own mind. I've ordered the server rack and some of the hardware (and will order more once the next paycheck comes in), but I haven't started running wiring or anything yet. My assets include about 300' of Cat 5e interior cable and a new, unbroken 1000' box of Cat 6 exterior-grade; I also have the tools and cable tester and am comfortable running the physical wiring. But if anyone can make any suggestions at this stage which will make the job easier or leave possibilities open for future expansion, I'd like to hear them now.

Thanks!
If you can leave things in the wall, conduit, pull-strings, whatever, so that you can run fiber at some point in the future, it might be helpful. That could be as expensive as putting the fiber in now. It is possible to order pre-built fiber cables of the right length (add a healthy fudge factor).

You may be able to use some creativity to future proof the physical aspects if you take the time to think about them before you start.

Cat5e gets expensive when it's coming out of a volunteer's pockets, but I always regret not running at least two runs to each location; I really like four cables in a lot of places. You can easily end up with a desk phone, a computer, and a printer/scanner in the same place. Or two workstations/phones and a printer where you thought you would only ever have a phone and a computer. In a one person office, I once ended up using 8 strands of Cat5. But that was an IT focused office with test gear. If you hook them all into a patch panel, you have the most flexible voice/ethernet setup and can keep switching networks physically separate if that becomes useful. Just short patch cable moves when personnel make the inevitable room swaps. Dropping 5 port switches all over the building leads to madness in a couple of years.

I'd keep all the infrastructure wired as much as possible. The RF environment may end up a bit busy. Wired is more predictable and much faster once you have 3 users moving large files to and from a server.
Conduit would be best but is a little out of my price range at present, especially since I already have the box of Cat 6. Realistically, I think that should be able to handle our bandwidth requirements for at least the next two decades. I do like your suggestion of multiple drops, especially for offices and such...I'll probably run at least four drops each into the pastor's office and main office. I will go ahead and order a 48 port patch panel which should give more than enough space for our present and future needs; there's plenty of room for it in the rack and it will help to keep things organized.

I do think I'll install at least one remote switch, though; the baptistry and pulpit area is far enough away from the server room and there are enough connections going in there (3 cameras [2 exterior], streaming media outlet, pulpit connection, possible VoIP telephone extension) to justify an 8-port switch to serve that area. I do think, though, that I should run two separate physical Cat 6 lines to it for redundancy in case one goes bad in years to come.

Thanks for the very comprehensive and helpful post. (Voted up!)
There are very few problems which cannot be solved by a suitable application of high explosives....
 
lambert
Long time Member
Posts: 532
Joined: Fri Jul 23, 2010 1:09 am

Re: Brand New to MikroTik

Sat Sep 09, 2017 9:26 pm

One possibility that I was thinking about: I'm going to have a web-accessible CalDAV calendar on the Synology for church events which anyone can view and which authorized users can access to enter events. Can you think of any way of integrating this with the Wi-fi system, either through RouterOS, through the switch (NetVanta 1534 PoE), or through the AP controller (looking at Ubiquiti as well as MikroTik), so that if someone enters an event the guest Wi-fi automatically activates, say, one hour before the event and shuts off one hour after the event?
All things are possible through code running somewhere. It would probably not be easy, but possible. If you happen to have a programmer in the congregation who likes a challenge, run it past them. Otherwise, let someone turn it on or off manually. Maybe plug the AP into an outlet on the same circuit as the lights?
I'm planning three APs separated from each other by about 50' in a frame building; one in the sanctuary, one in the classrooms/office area, and one in the fellowship hall. The area is very lightly developed, aside from the trailer park next door, and there are very few other Wi-fi signals detectable in the vicinity. The fourth AP will eventually be installed outdoors in/near our youth building. Does it sound like we will need to take special measures there?

BTW, I expect the Wi-fi to be lightly used, especially during services. It falls more into the, "Because I can!" category...although I hope it will be useful in the future.
Okay. You didn't give us a sense of scale. I was worried you needed to handle 200 devices in the sanctuary which would require 4 to 10 APs depending on utilization.

Three indoor APs on 20MHz channels on 2.4GHz will be okay in different rooms. Do your channel planning so that your outdoor AP is as far from the other AP with the same channel as is possible. Only use channels 1, 6, and 11 on 2.4GHz. Using the in-between channels will ensure that you cause problems for at least one of your other 2 APs.

5GHz has plenty of room for four 20 or 40 MHz non-overlapping channels.

So, given your AP count, using dual-band APs should not be a major logistical issue for you.
I've used OpenVPN before, but had some difficulty with it. I haven't taken a serious look at IPsec before. I'm looking for a solution which will work with Windows, Mac, iPhone, Android, and Linux as well as with the router and server.
To talk to all of those platforms without installing extra software on all the devices, you want L2TP/IPsec.
Cat5e gets expensive when it's coming out of a volunteer's pockets, but I always regret not running at least two runs to each location; I really like four cables in a lot of places. You can easily end up with a desk phone, a computer, and a printer/scanner in the same place. Or two workstations/phones and a printer where you thought you would only ever have a phone and a computer. In a one person office, I once ended up using 8 strands of Cat5. But that was an IT focused office with test gear. If you hook them all into a patch panel, you have the most flexible voice/ethernet setup and can keep switching networks physically separate if that becomes useful. Just short patch cable moves when personnel make the inevitable room swaps. Dropping 5 port switches all over the building leads to madness in a couple of years.

I'd keep all the infrastructure wired as much as possible. The RF environment may end up a bit busy. Wired is more predictable and much faster once you have 3 users moving large files to and from a server.
Conduit would be best but is a little out of my price range at present, especially since I already have the box of Cat 6. Realistically, I think that should be able to handle our bandwidth requirements for at least the next two decades. I do like your suggestion of multiple drops, especially for offices and such...I'll probably run at least four drops each into the pastor's office and main office. I will go ahead and order a 48 port patch panel which should give more than enough space for our present and future needs; there's plenty of room for it in the rack and it will help to keep things organized.

I do think I'll install at least one remote switch, though; the baptistry and pulpit area is far enough away from the server room and there are enough connections going in there (3 cameras [2 exterior], streaming media outlet, pulpit connection, possible VoIP telephone extension) to justify an 8-port switch to serve that area. I do think, though, that I should run two separate physical Cat 6 lines to it for redundancy in case one goes bad in years to come.
When you run cable to the offices, pull it so that it can touch the floor or ceiling (depending on if you are coming in from above or below) + 6ft at the point in the office which is furthest from the patch panel. That way, when they re-arrange the office, the wire can be pulled back into the ceiling or basement and dropped down the wall where the desk is to be located at that time. It's okay to neatly coil the excess cable in the ceiling/basement/crawl space. It's not good when you have to string patch cables around the perimeter of a room to get to the new desk location. They don't look good, and always seem to get damaged and fail eventually.

Also, it's a lot less labor intensive to have two or four boxes/spools of ethernet when you are pulling multiple runs.

Label each end of the cable. You might want to label the cable that remains in the crawl space where you spool up the extra slack. It might be worthwhile down the road. It might not. Label the wall jacks to match the patch panel (if you use one, highly recommended) or server room end of the cable. Do not label with room names. Room names change. A1 would be port 1 of the first patch panel. B48 would be the 48th port of the second patch panel.
 
ehobo
just joined
Posts: 3
Joined: Mon May 29, 2017 10:29 pm

Re: Brand New to MikroTik

Sat Sep 09, 2017 10:25 pm

Another possible use of the Tik router is to use Policy Based Routing (PBR). You can use firewall mangle rules to manage packet tagging for traffic management and the like.
