Better VLAN?

complex1 · Sat Sep 21, 2019 6:31 pm

Hi,

I’m using the RB4011iGS and setup one simple LAN for all my devices at home.
All work well, no issues.
But I have a few IoT devices which I do not want in my private LAN, so I want to setup just one (1) VLAN for these devices.
I have read, read and read http://forum.mikrotik.com/viewtopic.php?t=143620 and especially the "Router-Switch-AP (all in one)" part and hope I understand what is written.

Below is what I have created and like to know from all the VLAN experts here on the forum if I need to fine-tune my creation and if so, how.
BTW: The creation work well and as I had in mind, but maybe it could better.

Thanks for all the help.

# ether9 = PWR-Line
# wlan3  = Guest Wi-Fi

#######################################
# VLAN Overview
#######################################

# 20 = IoT

#######################################
# Bridge
#######################################

/interface bridge
add name=bridge1 vlan-filtering=yes

#######################################
# Access Ports & VLAN Security
#######################################

# ingress behavior
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20 interface=wlan3
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20 [find interface=ether9] comment=""

# egress behavior
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether9,wlan3 vlan-ids=20

#######################################
# IP Services
#######################################

# VLAN20 interface creation, IP assignment, and DHCP service.
/interface vlan add interface=bridge1 name=vlan20 vlan-id=20
/ip address add address=10.10.20.1/24 interface=vlan20
/ip pool add name=vlan20-pool ranges=10.10.20.2-10.10.20.254
/ip dhcp-server add address-pool=vlan20-pool interface=vlan20 name=dhcp-vlan20
/ip dhcp-server network add address=10.10.20.0/24 dns-server=1.0.0.1 gateway=10.10.20.1

#######################################
# Firewalling & NAT
#######################################

/interface list add name=VLAN
/interface list member add interface=vlan20 list=VLAN

mkx · Sat Sep 21, 2019 6:38 pm

It seems fine to me ...

anav · Sat Sep 21, 2019 7:02 pm

Since MKX said it was fine I will state its not fine.

Well the technical setup is fine LOL. I am more interested in requirements.
Why is ether9 called power line?
Which ports are connected only too LOT devices (ethr 9 only?)
What is the purpose of guest wifi? Why is it on the LOT VLAN? Does LOT share wifi with guests??

What I would do is provide a different vlan for guest wifi and one for LOT devices. More granularity, can separate fw rules if necessary etc etc.........
Thus I would use VLAN 10 for guest wifi and keep VLAN20 for LOT devices.
In terms of WIFI, I would use primary 5Gzh for home Wifi, if limited to one 5 and one 2ghz network then
- create a virtual 5ghz network for guests and use the stock 2ghz network for LOT devices.
- otherwise use two available 5ghz networks one for home, one for guests and use the stock 2ghz network for lot devices.

complex1 · Sat Sep 21, 2019 8:30 pm

Thank you very much for the replies. I appreciate it very much.

Initial I have this in mind…:
I have two PWR-Line AP (PL7411-2nD). One connected directly to ether9, the other one I use if I need it… sometimes to connect a (untrusted) guest PC/device by wire, and sometimes as AP… also to connect (untrusted) PC/device.
That’s why I do not want them to connect directly to my private LAN.

For guest WiFi I created a virtual 2GHz AP (wlan3) also to connect (untrusted) guest PC/devices.
The guest WiFi is also be used for refrigerators, solar cells, robot vacuum cleaner, etc.
I use 2GHz for better coverage of the premises.

So the default 2 / 5GHz WiFi and all other ports are part of my private LAN, and all untrusted devices may connect to vlan20 using virtual 2GHz WiFi and PWR-Line.

I hope you understand my thought twist.

mkx · Sun Sep 22, 2019 12:06 pm

As opposed to my arch enemy anav, I agree with him

I never let my guests near my refrigerator

I let guests near vacuum cleaner, but they are mostly not interested

Seriously: around here I generally don't question people's strategic decissions, I only try to help them with dirty details. Strategically, though, I'd separate guest access from IoT network, I might even consider having multiple IoT networks as well (vacuum cleaners and refrigerators don't go together well).

complex1 · Sun Sep 22, 2019 1:25 pm

@mkx

I think I understand what you are saying, but in practice…
Vacuum cleaner(s), refrigerator(s) and so on are usually connect via WiFi to the network.
That’s why I create and connect them to one (1) virtual 2.4GHz AP. This virtual AP use vlan20.
But how do I give the cleaner a other vlan number than the frig or solar panel… how to separate them. The access point is the same. Do I need to create more virtual AP’s and give them their own vlan?
e.g. 10 IoT devices have 10 dedicated virtual AP’s and 10 vlans?

mkx · Sun Sep 22, 2019 1:45 pm

Perhaps you don't need 10 VAPs for 10 devices, perhaps you could group them together. Like based on whether they connect to some cloud or not (if yes, all devices connecting to same cloud can use same VLAN). Or based on their functionality (you might have single VLAN for both doorbell and video surveilance... or same VLAN for both robotic vacuum cleaner and your pet's telemetry device).... Use your immagination.

I don't have any fancy devices, just some AV gear. So I have 3 main VLANs: one for general home networking and both home theatre and TV set are members of this VLAN because DLNA server is on that VLAN as well (and it's possible to control the home theatre using apl on smart devices). I do have firewall rules to block their internet access though.
The second VLAN is for ISP's IPTV set top boxes, I don't want my ISP to sniff my own movies off the wire. Even though those boxes can play media from DLNA servers, I prefer to use AV/TV boxes for that.
And there's third VLAN for guest WiFi access.
When I'll get some smart refrigerator, it'll get its own VLAN with internet access because it will really need to make those on-line purchases...

xvo · Sun Sep 22, 2019 1:50 pm

@mkx

I think I understand what you are saying, but in practice…
Vacuum cleaner(s), refrigerator(s) and so on are usually connect via WiFi to the network.
That’s why I create and connect them to one (1) virtual 2.4GHz AP. This virtual AP use vlan20.
But how do I give the cleaner a other vlan number than the frig or solar panel… how to separate them. The access point is the same. Do I need to create more virtual AP’s and give them their own vlan?
e.g. 10 IoT devices have 10 dedicated virtual AP’s and 10 vlans?

Nope.

You can easily have one wlan interface and have different vlan tags assigned to different devices using the access list.
That is exactly how I separate guest and iot devices from thу rest at home.

complex1 · Sun Sep 22, 2019 5:33 pm

Please. Can you provide me an example, please?
Or push me into the right direction?

xvo · Sun Sep 22, 2019 6:33 pm

Please. Can you provide me an example, please?
Or push me into the right direction?

That is the relevant part of my config with access list examples:

/interface bridge port
add bridge=bridge-LAN ingress-filtering=yes interface=ether1 pvid=99
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan1-2.4G pvid=66
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan2-5G pvid=66

/interface bridge vlan
add bridge=bridge-LAN tagged=ether1,wlan1-2.4G,wlan2-5G vlan-ids=69	<---- guest vlan
add bridge=bridge-LAN tagged=ether1,wlan1-2.4G,wlan2-5G vlan-ids=66	<---- home vlan
add bridge=bridge-LAN tagged=bridge-LAN untagged=ether1 vlan-ids=99	<---- management vlan
add bridge=bridge-LAN tagged=ether1,wlan1-2.4G vlan-ids=93	<---- IoT vlan

/interface wireless access-list
add comment=5GHz interface=wlan2-5G mac-address=XX:XX:XX:XX:XX:XX vlan-id=66 vlan-mode=use-tag	<---- device uses 5ghz radio and goes to home vlan
add comment="5GHz guest access" forwarding=no interface=wlan2-5G vlan-id=69 vlan-mode=use-tag	<---- all unknown devices on 5ghz radio go to guest vlan
add comment=2.4GHz interface=wlan1-2.4G mac-address=XX:XX:XX:XX:XX:XX vlan-id=66 vlan-mode=use-tag	<---- this device uses 2.4ghz radio and goes to home vlan
add forwarding=no interface=wlan1-2.4G mac-address=XX:XX:XX:XX:XX:XX vlan-id=93 vlan-mode=use-tag	<---- device uses 2.4ghz radio and goes to IoT vlan
add comment="2.4GHz guest access" forwarding=no interface=wlan1-2.4G vlan-id=69 vlan-mode=use-tag	<---- all unknown devices on 2.4ghz also go to guest vlan

1) Management vlan 99 is used only to access the AP itself.
2) Note forwarding=no setting for guest and iot devices in access list - this means that even being in the same vlan two devices can't see each other.
But that works only for clients on the same radio. Further separation (if needed) has to be done on bridge level and all the way to main router for the clients on different radios/different APs.

complex1 · Sun Sep 22, 2019 10:14 pm

@xvo

Thank you very much for posting the example.
I have tried it, but it does not work for me.
The example is for a separate AP, right?
I use the RB4011 which have 2 embedded AP's.
Thanks.

xvo · Mon Sep 23, 2019 8:16 am

@xvo

Thank you very much for posting the example.
I have tried it, but it does not work for me.
The example is for a separate AP, right?
I use the RB4011 which have 2 embedded AP's.
Thanks.

That's just an example of how to use access list.
So for sure it has to be adopted to your interface names, vlan ids, mac addresses and so on.

And yes, that's from a stand-alone AP, so in your case you need to add your bridge itself as tagged port to all vlan ids (not only the management one, like in my case).

Post your altered config and I'll try to find out, why it's not working.

anav · Mon Sep 23, 2019 5:23 pm

The issue or limitation is that the radio set cannot assign two different PVIDs to incoming wifi traffic and thus can handle one VLAN only. That was my basic premise when starting with my APs.
That is the reason I use a combination of stock radio frequencies (in your case two stock 5ghz and two stock 2.4ghz) and as many virtuals as required to address the number of wifi VLANS required.

In your case you only need one 5ghz for home VLAN.
Therefore you have one 5ghz stock, and two 2.4ghz stock for other uses plus virtual APs on top.
Typically I would use the other stock 5ghz for guest wifi.
I would use my two stock 2.4ghz for LOT devices and other devices and perhaps a third virutal 2.4ghz depending how I wanted to split up my devices.
a. one for security (doors, cameras) (or split into two segments)
b. one for appliances
c. one for media streaming
etc etc.

Having to know and program in known vs unknown devices and MAC addresses is too complicated for me............. I like to keep it simple until forced not to.
I just looked and I noted that I have default forward checked off, so I am assuming that anybody that connects to an AP with the correct password is allowed to access the same VLAN and whatever the firewall rules state in regard to other access - which is typically internet access only. (I have drop all rules at end of input and forward chain so if not explicitly permitted vlan to vlan connectivity is dropped).

xvo · Mon Sep 23, 2019 6:52 pm

The issue or limitation is that the radio set cannot assign two different PVIDs to incoming wifi traffic and thus can handle one VLAN only.

That is totally untrue.
It can and it does.

complex1 · Mon Sep 23, 2019 11:20 pm

Hi,

This is what I have create and it work well, I think.
It needs to be fine-tuned a little bit more, but so far so good.

# ether9 = PWR-Line
# wlan3  = Guest/IoT Wi-Fi

#######################################
# VLAN Overview
#######################################

# 20 = IoT
# 30 = Guest

#######################################
# Bridge
#######################################

/interface bridge
add name=bridge1 vlan-filtering=yes

#######################################
# IP Services
#######################################

# IoT interface creation, IP assignment, and DHCP service.
/interface vlan add interface=bridge1 name=iot-vlan vlan-id=20
/ip address add address=10.10.20.1/24 interface=iot-vlan
/ip pool add name=iot-pool ranges=10.10.20.20-10.10.20.254
/ip dhcp-server add address-pool=iot-pool interface=iot-vlan name=iot-dhcp
/ip dhcp-server network add address=10.10.20.0/24 dns-server=1.0.0.1 gateway=10.10.20.1

# Guest interface creation, IP assignment, and DHCP service.
/interface vlan add interface=bridge1 name=guest-vlan vlan-id=30
/ip address add address=10.10.30.1/24 interface=guest-vlan
/ip pool add name=guest-pool ranges=10.10.30.20-10.10.30.254
/ip dhcp-server add address-pool=guest-pool interface=guest-vlan name=guest-dhcp
/ip dhcp-server network add address=10.10.30.0/24 dns-server=1.0.0.1 gateway=10.10.30.1

#######################################
# Access Ports & VLAN Security
#######################################

# ingress behavior
/interface bridge port
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20 [find interface=ether9] comment=""
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged pvid=20 interface=wlan3
add bridge=bridge1 pvid=30 interface=guest-vlan

# egress behavior
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,wlan3 untagged=ether9 vlan-ids=20
add bridge=bridge1 tagged=bridge1,wlan3 untagged=guest-vlan vlan-ids=30

#######################################
# WiFi Access
#######################################

/interface wireless access-list
# add comment=5GHz interface=wlan1 mac-address=XX:XX:XX:XX:XX:XX vlan-id=xx vlan-mode=use-tag	# all known devices on 5ghz radio go to Home vlan
# add comment="5GHz guest access"  forwarding=no interface=wlan1 vlan-id=30 vlan-mode=use-tag	# all unknown devices on 5ghz radio go to Guest vlan

add forwarding=no interface=wlan3 mac-address=XX:XX:XX:XX:XX:XX vlan-id=20 vlan-mode=use-tag	# all known devices on 2.4ghz radio go to IoT vlan

# add comment=2.4GHz interface=wlan2 mac-address=XX:XX:XX:XX:XX:XX vlan-id=xx vlan-mode=use-tag	# all known devices on 2.4ghz radio go to Home vlan
add comment="2.4GHz guest access"  forwarding=no interface=wlan3 vlan-id=30 vlan-mode=use-tag	# all unknown devices on 2.4ghz radio go to Guest vlan

#######################################
# Firewalling & NAT
#######################################

/interface list add name=VLAN
/interface list member
add interface=iot-vlan   list=VLAN
add interface=guest-vlan list=VLAN

anav · Tue Sep 24, 2019 1:54 am

The issue or limitation is that the radio set cannot assign two different PVIDs to incoming wifi traffic and thus can handle one VLAN only.
That is totally untrue.
It can and it does.

I know you are a bright chap and exponentially more experienced in networking/IT/MT and I am a relative simpleton so you will have to explain in the most basic of terms.
My understanding is that the AP or router, has no clue on the nature of incoming traffic to a port or wifi channel. The main difference between a port and a wifi channel is that the wifi channel needs to be connected to first (authenticated) user. BUT, and here is the nub, the router or AP has no clue to assign the device to any particular VLAN. That is the purpose of access ports, to accept non vlanned traffic and assign it a specific vlan for the purposes of routing and eventually sending return traffic back.

How the heck will the router or AP know which three vlans to assign incoming untagged traffic too..... Its a mystery to me so please enlighten me.

Sob · Tue Sep 24, 2019 2:08 am

@anav: https://wiki.mikrotik.com/wiki/Manual:I ... AN_tagging

xvo · Tue Sep 24, 2019 7:35 am

Hi,

This is what I have create and it work well, I think.
It needs to be fine-tuned a little bit more, but so far so good.

Yep, that looks nice

xvo · Tue Sep 24, 2019 7:41 am

How the heck will the router or AP know which three vlans to assign incoming untagged traffic too..... Its a mystery to me so please enlighten me.

Based on access list entries.
You can now see two working config examples in this thread: mine and TS's.

anav · Tue Sep 24, 2019 7:23 pm

Oh I am sure it works, but I haven't sold my soul to the devil either!

Frustratingly, I do not understand the link nor the two configs.
It is not clear to me how the router or AP magically knows which VLAN to send traffic down.
The only thing I see is the use of forwarding somehow equates to known or unknown users and this directs traffic to vlans??
As I stated, I fathom to see logic only see incantations. Didn't know it was MT Academy of Hogworts.........

I didnt expect you to fathom my level of incompetence, but Sob should have known better LOL.

xvo · Tue Sep 24, 2019 7:44 pm

It is not clear to me how the router or AP magically knows which VLAN to send traffic down.

No magic here.
You just list all the known mac-addresses and vlan ids you want them to belong.
And after that add the final rule for "all others" that you don't know

Simple as that.

By the way, you can do the same for ethernet ports too (on some switch chips) - so called MAC-based vlans.
But that's the whole other story

anav · Tue Sep 24, 2019 8:45 pm

Ahhh okay, good my instincts were correct.
I didnt like the way you were heading. Not KISS, in that keeping track of mac addresses is a headache I dont need.
Too much overhead. Cellphones turn over like leafs in the wind.

It is also inefficient in that one is already giving out passwords to connect to APs and when those networks are attached to specific VLANs, no other work is required.
What you propose makes sense for a business environment but less so for the home environment.
Don't have to worry about the correct forwarding setting either.

The only time it makes sense to me is if one has so many wifi vlans that one is creating too many virtual APs and negatively affecting WIFI performance.
I suppose if one also has untrustworthy family members giving away wifi passwords to other then guest networks (ie to home lan), then yes it would also be plausible.

The good news is that the OP likes the setup and is finding it useful.

--------------------------------------------------------------------------------------------------------

Hmmm, thinking about this a bit more, is there a way to do this via IP address (where one knows devices by IP address - static setting) and thus forwards known IPs vice macs???
(can you tell I dislike mac addresses)

xvo · Tue Sep 24, 2019 9:03 pm

I suppose if one also has untrustworthy family members giving away wifi passwords to other then guest networks (ie to home lan), then yes it would also be plausible.

Well, I look at it from another perspective: I don't want any awkward moments trying to explain to my guests why I don't trust them with the password to my regular SSID and why I ask them to join the guest one.

All is done under the hood.

Hmmm, thinking about this a bit more, is there a way to do this via IP address (where one knows devices by IP address - static setting) and thus forwards known IPs vice macs???
(can you tell I dislike mac addresses)

Surely not.
First the device gets into desired vlan, and only then IP is assigned to it by the DHCP server that works in it.
Not the other way around

anav · Tue Sep 24, 2019 9:14 pm

Haha, okay, i have no problem giving out guest passwords for wifi. Its acceptable etiquette. Simple rule, no DNA related to me or my wife, you get guest password LOL.

complex1 · Tue Sep 24, 2019 10:20 pm

Wow, you are still in discussion.

Let me try to explain my needs or what I have in mind.

The stock 2.4 and 5GHz radios are for private use, both radios have the same SSID.
I create one virtual 2.4GHz AP with its own SSID for guests / IoT.

Many IoT devices want to make internet connection by WiFi. I give them access through the virtual AP but don’t want them on my private LAN.
Also I have a few people (random) with a laptop/smartphone who want to use internet. I give them access to internet, the same way as the IoT devices. Same virtual AP and no access to the private LAN.
This way my privacy is secured, I think.

For the IoT devices I use the access list to select the IoT device by MAC-address so it can connect the internet using the IoT network.
“forwarding=no interface=wlan3 mac-address=XX:XX:XX:XX:XX:XX vlan-id=20 vlan-mode=use-tag”

The same for the laptops, but now without the use of MAC-address, the laptop can connect the internet using the guest network.
“forwarding=no interface=wlan3 vlan-id=30 vlan-mode=use-tag”

What @xvo suggested is exactly what I want and I am very happy with it.

anav · Wed Sep 25, 2019 1:00 am

Thats what counts and I learned something new about how to segregate vlans on a single wifi radio (or to use multiple vlans on the same wifi link).

Better VLAN?

Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Re: Better VLAN?

Who is online