plmk
just joined
Topic Author
Posts: 4
Joined: Sat Apr 22, 2017 2:25 pm

Ports and interfaces separation - VLAN

Sun Jan 12, 2020 8:51 pm

Hi Folks,

I'm trying to set up a logically separated IoT network on my hAP lite. I have just successfully created two bridge interfaces, so they represent my needs when it comes to eth/wlan interfaces for home/iot usage.

Interface: bridge
  • wlan1 (physical) ssid: home
  • ether2-master

Interface: bridge-iot
  • ether3
  • ether4
  • wlan2 (virtual) ssid: IOT


Right now I can connect to either the home or the IOT Wi-Fi; however, there is no logical separation between them at the Ethernet level.

I'm totally new to VLANs and I know there were some changes on RouterOS 6.41. I'm running v6.46.1. How should I proceed with VLANs in my case?
 
mkx
Forum Guru
Posts: 3622
Joined: Thu Mar 03, 2016 10:23 pm

Re: Ports and interfaces separation - VLAN

Sun Jan 12, 2020 10:03 pm

If the actual device config follows your explanation, then you already have L2 separation. However, devices running ROS are routers and will forward packets between different connected subnets unless that's forbidden by firewall filter rules. So how did you determine that there isn't any separation between the two L2 networks?

Or is your question actually about how to recreate your setup but using a single bridge with VLANs configured?
BR,
Metod
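As an added illustration of the alternative Metod is asking about (this is not configuration from the thread or from MikroTik's own documentation), here is the same home/IoT split rebuilt on one bridge with bridge VLAN filtering, the mechanism RouterOS 6.41 introduced. The port and SSID names come from plmk's interface list; the VLAN IDs (10 = home, 20 = IoT), the VLAN interface names and the gateway addresses 192.168.1.1 and 192.168.100.1 are assumptions chosen to match the subnets that appear later in the thread.

```routeros
# Added example, not the thread's config: one bridge, two VLANs (RouterOS 6.41+).
# Assumed values: VLAN 10 = home, VLAN 20 = IoT, gateway addresses below.
/interface bridge
add name=bridge vlan-filtering=no comment="turn vlan-filtering on only as the last step"

# Access ports: the PVID decides which VLAN untagged frames from that port join.
/interface bridge port
add bridge=bridge interface=ether2-master pvid=10
add bridge=bridge interface=wlan1 pvid=10
add bridge=bridge interface=ether3 pvid=20
add bridge=bridge interface=ether4 pvid=20
add bridge=bridge interface=wlan2 pvid=20

# VLAN table: the bridge itself is a tagged member of both VLANs so the
# router can terminate (route for) each of them.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether2-master,wlan1
add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether3,ether4,wlan2

# One L3 interface per VLAN on top of the bridge (assumed gateway addresses).
/interface vlan
add name=vlan-home interface=bridge vlan-id=10
add name=vlan-iot interface=bridge vlan-id=20
/ip address
add address=192.168.1.1/24 interface=vlan-home
add address=192.168.100.1/24 interface=vlan-iot

# Enable filtering last; until this line every port is still one flat L2 domain.
/interface bridge set bridge vlan-filtering=yes
```

Two things to check after applying it: `/interface bridge vlan print` should show the two entries above, and `/interface bridge host print` lists learned MAC addresses per VLAN, so an IoT device's MAC must only ever appear under VLAN 20. Do this from a serial console or from a port that stays in the VLAN you manage from, and move the DHCP servers and addresses from the old bridge-iot/bridge interfaces onto vlan-iot/vlan-home. The result is exactly as L2-separated as plmk's two bridges, and exactly as L3-connected: traffic between VLAN 10 and VLAN 20 is still routed unless firewall filter rules block it.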
 
plmk
just joined
Topic Author
Posts: 4
Joined: Sat Apr 22, 2017 2:25 pm

Re: Ports and interfaces separation - VLAN

Sun Jan 12, 2020 10:34 pm

Ok, now it makes more sense.

I'm connected to my IoT WiFi at the moment and I can still access resources in the home network.
$ ifconfig  | grep wlan0 -A 2 | grep "inet addr"
inet addr:192.168.100.199  Bcast:192.168.100.255  Mask:255.255.255.0

$ nmap -sP 192.168.1.0/24

Starting Nmap 7.01 ( https://nmap.org ) at 2020-01-12 21:24 CET
Nmap scan report for 192.168.1.10
Host is up (0.071s latency).
Nmap scan report for 192.168.1.14
Host is up (0.035s latency).
Nmap scan report for 192.168.1.103
Host is up (0.060s latency).

However, at the same time, my ARP table is limited to my IoT network devices only.
$ arp -a
one.one.one.one (1.1.1.1) at <incomplete> on wlan0
? (192.168.100.10) at xx:xx:xx:xx:xx:xx [ether] on wlan0
? (192.168.100.50) at xx:xx:xx:xx:xx:xx [ether] on wlan0

If I understand your comment correctly it means the actual L2 isolation exists, however packets are allowed on L3 and it's my job now to create appropriate FW rules in order to prevent that?
 
mkx
Forum Guru
Posts: 3622
Joined: Thu Mar 03, 2016 10:23 pm

Re: Ports and interfaces separation - VLAN

Sun Jan 12, 2020 10:59 pm

plmk wrote:
> If I understand your comment correctly it means the actual L2 isolation exists, however packets are allowed on L3 and it's my job now to create appropriate FW rules in order to prevent that?

If you do a traceroute between hosts in different subnets, then your router should be in the path ...

But yes, it is your task to create FW rules which will block unwanted communication between different subnets.
BR,
Metod
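Added example of the filter rules Metod is describing, written for RouterOS 6.x; it is not configuration from this thread. The bridge names bridge (home) and bridge-iot come from plmk's first post, and the subnets 192.168.1.0/24 (home) and 192.168.100.0/24 (IoT) are read off the ifconfig and nmap output above. It assumes the rules are placed above any existing catch-all accept rules in the forward and input chains, as a default RouterOS config has.

```routeros
# Added example, not the thread's config. Assumes: home = bridge / 192.168.1.0/24,
# IoT = bridge-iot / 192.168.100.0/24, rules placed above any existing accept-all.
/ip firewall filter

# Return traffic of connections already accepted (e.g. a home PC talking to an
# IoT device) must pass, otherwise those sessions break on the reply path.
add chain=forward action=accept connection-state=established,related \
    comment="return traffic of accepted flows"
add chain=forward action=drop connection-state=invalid

# IoT devices may not initiate anything toward the home LAN. Logging the drops
# gives one /log line per blocked flow, which is how a noisy device shows up.
add chain=forward action=drop in-interface=bridge-iot out-interface=bridge \
    log=yes log-prefix="iot-to-home" comment="IoT must not initiate to home"

# Same policy by address, for the case where home is later reachable over a
# different interface than bridge (e.g. after a VLAN rebuild).
add chain=forward action=drop src-address=192.168.100.0/24 dst-address=192.168.1.0/24 \
    comment="IoT subnet -> home subnet"

# The router answers on all of its own addresses regardless of ingress port
# (Metod notes this later in the thread), so restrict what IoT devices may ask
# of the router itself to DHCP and DNS.
add chain=input action=accept connection-state=established,related
add chain=input in-interface=bridge-iot protocol=udp dst-port=53,67 action=accept \
    comment="DNS and DHCP for IoT"
add chain=input in-interface=bridge-iot protocol=tcp dst-port=53 action=accept \
    comment="DNS over TCP for IoT"
add chain=input in-interface=bridge-iot action=drop \
    comment="no WinBox/SSH/WWW from IoT"
```

Home-to-IoT connections (and their replies) still work, IoT-to-internet still works because nothing above drops bridge-iot to the WAN interface, and only IoT-initiated traffic toward home is cut. To verify, repeat plmk's `nmap -sP 192.168.1.0/24` from the IoT Wi-Fi: the home hosts should no longer answer, `/ip firewall filter print stats` should show the counters of the two drop rules increasing, and `/log print where message~"iot-to-home"` lists which device tried.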
 
plmk
just joined
Topic Author
Posts: 4
Joined: Sat Apr 22, 2017 2:25 pm

Re: Ports and interfaces separation - VLAN

Mon Jan 13, 2020 12:25 am

mkx wrote:
> If you do a traceroute between hosts in different subnets, then your router should be in the path ...
It is. Thank you for your guidance!
 
mkx
Forum Guru
Posts: 3622
Joined: Thu Mar 03, 2016 10:23 pm

Re: Ports and interfaces separation - VLAN

Mon Jan 13, 2020 12:41 pm

plmk wrote:
> mkx wrote:
> > If you do a traceroute between hosts in different subnets, then your router should be in the path ...
> It is.

To spoil your enthusiasm :wink: : if traceroute shows your router in the path, this doesn't necessarily mean that both subnets are separated on L2 ... it only means they are separated on L3 (by using different network address/mask combinations); both hosts could still be in the same L2 domain. One of the ways to verify L2 separation is to connect a PC to an ethernet port meant for home devices, statically configure it with an IP address from the IoT subnet and the IoT gateway address as default gateway, and try to communicate with both IoT devices and usual home devices. If any communication works (apart from communication with the router itself; it seems to respond on any of its local addresses regardless of the ingress port), then the two subnets are not L2 separated.
BR,
Metod
