EricSeipel
just joined
Topic Author
Posts: 1
Joined: Tue Jul 07, 2020 1:17 am

I Know Im Dumb

Tue Jul 07, 2020 1:45 am

In reference to a RB40 (bunch of stuff). I know 0.01% about networking, but better than your grandma (maybe). I'm just trying to learn…

I think I understand the concepts of VLANs but not sure if they are required instead of just subnetting.
I know what a DHCP server is.
I think I comprehend a bridge (in reference to interfaces as well as tagged VLAN trunks).



My BHAG would be, on my one router eth1 and eth2 as WANs from two separate providers eth1 as main and eth2 as failover (no load balancing)...
I think I found some information on this, but below problems are stopping me. eth3 fed into a layer2 switch servicing multiple [10ish] hosts. eth4 fed into a layer 3 switch, with no vlans and only QoS implemented.

eth3 are all my machines, eth4 are another department's [that for QoS reasons has 6 of my machines on it, do they need to be?]. I would like to be able to run a DHCP on eth3 that won't get broadcast requests from eth4, but be able to connect to and from my machines on eth4 (static IP given by guy who 'owns' that network).

I would like all of my machines (eth3 and eth4) to be able to access the internet via the WANs on eth1 and eth2 but deny internet access to the other machines on eth4. I would also like to not let any other devices on the eth4 network initiate communication with my devices on the eth3 network (except my devices on eth4), and vice versa my machines on eth3 can only initiate communication with my devices on eth4. I assume I have to give eth4 an IP that my machines (on the eth4 network) would use as a gateway to contact my machines on the eth3 network. I thought I would need to create VLANs and then use routing between them to limit traffic to only allowed devices… this seems to be incorrect.



In my head this seems simple for a competent engineer; I am not. I don't expect you to solve my problems for me, but maybe point me in a direction of learning? Everything I've found online seems either elementary or PhD level or in another language; I'm looking for middle school…. Any help is appreciated, THANKS! PS: this is not a mission critical application or corporate infrastructure. If it was, I'd hire someone; this is just a learning opportunity for me.
 
quackyo
Member Candidate
Posts: 179
Joined: Mon Nov 16, 2015 10:14 am

Re: I Know Im Dumb

Tue Jul 07, 2020 9:52 am

The best tip for understanding is to start simple.
Start with 1 WAN (no failover).
You actually don't need a bridge (which is a virtual switch you can add and remove your physical interfaces (ETH1-5) from) at all to get started.
So remove all ports from the bridge.

DHCP client or static setup (depends on how your ISP is delivering things) on the port you assign as WAN.
Ensure that you have a default route going out over the WAN port, and NAT rules (google it :)).
Ensure that you have a proper firewall, but try to understand every rule so you don't block things that will give you problems in the next step.
Set internal gateway IP (for example 10.10.10.1/24) on ETH3. Assign a DHCP server for this range (10.10.10.2-255).
Set internal gateway IP (for example 10.10.11.1/24) on ETH4. Assign a DHCP server for this range (10.10.11.2-255).
Without firewalling between ETH3/4, since MikroTik has routing enabled by default, this will give you full access from clients behind both ETH3 and ETH4 to the internet, as well as full access between all clients from ETH3 to ETH4 and vice versa.

Now tackle one problem/new feature at a time. Save/export the config every time you have done something that works, and take a note of what you did and how it is supposed to work. This way you can revert to your last step easily.

If you don't want clients from ETH4 to be able to access clients from ETH3, set up the firewall rule for this (deny from ETH4->ETH3 or 10.10.11.0/24->10.10.10.0/24).
If you want to do something with WAN1+WAN2, google this problem and try to get this to work by following one of the many guides or forum posts.
If you want QoS, the same. BTW, QoS can be set on an interface, IP range or specific IP. So you can easily QoS only 6 IPs on ETH3, for example.

If I understand correctly, you don't need VLANs or bridges to achieve your desired setup. VLANs are used if you need/want to "trunk" more than one network over the same physical link, and you don't need that if all you want to do is QoS some of your own machines.
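
A RouterOS sketch of the single-WAN layout the reply above describes, extended with the access rules asked for in the original question. This is an added example, not configuration posted by either participant; it assumes the default port names ether1 (WAN), ether3 and ether4, and the address list `my-eth4-hosts` with its address range is constructed for illustration.

```routeros
# Added example, not from the thread. Assumes all ports are removed from the
# bridge and that ether1 is the WAN port. 10.10.11.10-10.10.11.15 is a
# constructed range standing in for the poster's own hosts on ether4.

# WAN: DHCP client (use a static address and route if the ISP requires it)
/ip dhcp-client add interface=ether1 add-default-route=yes disabled=no

# Gateway addresses on the two internal ports
/ip address add address=10.10.10.1/24 interface=ether3
/ip address add address=10.10.11.1/24 interface=ether4

# DHCP server bound to ether3 only. ether3 and ether4 are separate routed
# segments, so DHCP broadcasts from ether4 never reach this server.
# The pool stops at .254 because .255 is the subnet broadcast address.
/ip pool add name=pool-ether3 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server add name=dhcp-ether3 interface=ether3 address-pool=pool-ether3 disabled=no
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1

# Source NAT for traffic leaving through the WAN port
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Own hosts with static addresses on the ether4 network (constructed values)
/ip firewall address-list add list=my-eth4-hosts address=10.10.11.10-10.10.11.15

# Forward chain, evaluated top to bottom; first match wins
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to already allowed connections"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether4 src-address-list=my-eth4-hosts action=accept comment="own ether4 hosts: internet and ether3"
add chain=forward in-interface=ether4 action=drop comment="other ether4 hosts: no internet, no ether3"
add chain=forward in-interface=ether3 out-interface=ether4 dst-address-list=my-eth4-hosts action=accept comment="ether3 to own ether4 hosts"
add chain=forward in-interface=ether3 out-interface=ether4 action=drop comment="ether3 to anything else on ether4"
# ether3 -> ether1 is not matched by any drop rule, so it is forwarded and NATed
```

These rules cover forwarded traffic only; access to the router itself is governed by the input chain, which this sketch leaves to the existing firewall. Export the configuration before and after applying each block so a working state can be restored.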
