HI,

could someone explain shortly how to setup a VLAn with the new RouterOS?
Got one running, but still able to see the other VLANs and ping them.

Should look like this

ether1 = WAN where all VLANS going through
ether7,8,9 vlan 101
ether10,11,12 vlan 201

101 should see 201 but 201 shouldnt see 101

Possible?
So confused currently.
As working through the manuals, doesnt really help

Thank you in advance!

Or does somebody got a good manual

101 should see 201 but 201 shouldnt see 101

What do you want to achieve by this?

In principle, VLANs are transparent to devices inside and completely isolated from outside. As if you actually had two separate physical networks. If you want to do some fancy bridge between two VLANs, you quite probably need routing wizh some filtering.

Sounds like you just need to set up ip firewall rules to limit talking between the two subnets.

I want to seperate the CCTVs from the server.
As the CCTV needs the server to write there images on.

Could be done by a firewall, but I got problems setting the vlans up anyway.




Regards

I'd say that you really want to set-up two VLANs and a router between them. The easiest way of protecting the CCTVs from the evil rest of network is to deploy NAT ... server will see connections from router's address.

To do that you first create two VLAN groups - just follow any decent tutorial. Later add routing on top of it. I'm sure CRS326 can do everything needed to be done.

This is the best manual for vlans in RouterOS, in my opinion:

https://wiki.mikrotik.com/wiki/Manual:CRS_examples

So this is my setting I'd like to realize.

Does this make sense for the experts?

From VLAN point of view it makes sense. As written before, you'll need to do routing between individual VLANs, with some filters deployed to get desired interconnection limits. That said, whichever CRS will do the routing for a paricular VLAN will need additional IP address within that particular VLAN.

If the link between the two CRS326s is not going to be bottleneck, then I'd do the routing only in one of CRS just to make administration and network design slightly (or mightly) simpler.

If that is going to be bottleneck (either you know that already or you find out later), then you'll have to distribute the routing between both CRSes. However, I'd still do the routing between any pair of VLANs only in single CRS. I guess it could be done in both at the same time, but would involve major complications (from the network devices point of view that is). On the other hand you'll probably end up with both CRS being members of most VLANs and play with routing between both of them (one being default gateway for a particular VLAN while the other being gateway for a few particular destination networks).

If you'll settle with single CRS doing all the routing, the other will act as smart (VLAN capable) switch only. You could boot that one in SwitchOS ... but from simplicity point of view I'd run RouterOS on it regardless.

There will eb one crs and on css. The Location1 will get an CRS125 one of my "old" ones. Between the crs and the css there will be 2 bonded 10gbs connections.

I'll try to set it up, like you mentioned in the manual. But struggling with it.

Does the WAN port need to be tagged and the other untagged?

On your network chart I don't see any CRS or CSS port logically being WAN port ... apart from those interfacing the Fritz devices, which I assume expect untagged traffic.

Regarding the bonded interconnection: first you need to create bond (on both RBs), then add bond "interface" to bridge and add all needed VLANs to it. You don't configure individual bond members.

The Fritz Devices will be 3 Wan Ports, which will run with loadbalancing.
So Ether1 CRS326 will be WAN. This port is connected to the ISP Router. (Fritzbox 7490)

THE LACP connection already exists and running balance-rr.

To the question about ports being tagged or not: really depends on what the device on the other end of given ethernet cable expects. Most of devices are configured to work without VLAN, hence you need to configure corresponding ether ports on RB devices as untagged.
If, on the other hand, the other device is configured to use VLAN tagging, then you need to configure tagged VLANs at your end as well. In your case, probably the following connections need to be VLAN tagged: bond between CRS326 and CCS326, CAP AC connections towards corresponding RB device, IPSEC tunnel ... and probably that's it.