FrogTik
just joined
Topic Author
Posts: 3
Joined: Sun Jan 31, 2021 3:27 pm

hAP ac3 - VLAN & inter-VLAN

Sun Jan 31, 2021 4:32 pm

Hi Guys,

Having trudged the internet looking at videos and forums to figure out how to do this, I have finally resorted to swallowing my pride, accepting the fact that I may have bitten off more than I can chew, and reverting to the forum with the pros to ask for your advice.

I have got fed up with ultra-restricted commercial-grade routers that seem very capable on paper but, for price-point/political and marketing reasons, are completely emasculated in their functionality, hence my buying a MikroTik hAP ac3.

Having moved from an 18Mb ADSL to a 300Mb up and 300Mb down fibre, my trustworthy Draytek couldn't handle the bandwidth I was throwing at it (mainly inter-VLAN routing).
The new MikroTik is inserted between my ISP router and the network; this means I don't have to go through all my network settings every time I change ISP, and it works very well.

The setup is quite simple: I have two sites (two CAT6-interlinked houses, in fact), a Pi-Hole (sitting on the ac3), and a mesh Wi-Fi (Tenda MW6 scattered around house1).

Cabling is as follows:
eth1_WAN -> ISP router
eth2 -> house1
eth3 -> house2
eth4 -> pi-hole
eth5 -> mesh

To date, everything is running on the same network running one DHCP on the ac3, simple.

Previously with the Draytek (I didn't have mesh Wi-Fi at that point), I had 3 VLANs (VLAN10 => house1 and VLAN8 => house2) and a VLAN for the Pi-Hole (VLAN222), with inter-VLAN routing and a couple of firewall rules (for specific ports, mainly DNS port 53 for the Pi-Hole) to only enable the following communication:

VLAN10 -> WAN -> ISP ROUTER -> INTERNET = YES
VLAN10 -> VLAN222 = YES
VLAN10 -> VLAN8 = NO

VLAN8 -> WAN -> ISP ROUTER -> INTERNET = YES
VLAN8 -> VLAN222 = YES
VLAN8 -> VLAN10 = NO

VLAN222 -> WAN -> ISP ROUTER -> INTERNET = YES
VLAN222 -> VLAN10 = only specific port 53
VLAN222 -> VLAN8 = only specific port 53

As the mesh has been added since, I would need a VLAN100

VLAN100 -> WAN -> ISP ROUTER -> INTERNET = YES
VLAN100 -> VLAN222 = YES
VLAN100 -> VLAN10 = NO
VLAN100 -> VLAN8 = NO

VLAN222 -> VLAN100 = only specific port 53
VLAN222 -> VLAN100 = only specific port 53

Also, each VLAN would ideally need a DHCP server as follows:
VLAN10 : 192.168.10.xxx
VLAN8 : 192.168.8.xxx
VLAN222 : 192.168.222.xxx
VLAN100 : 192.168.100.xxx

The 10, 8, 222, 100 figures are only for mental recollection (house1 is no. 10 on the street and house2 is no. 8, 222 being DNS and 100 anything Wi-Fi).

To configure the MikroTik, I use the browser GUI (not the CLI), and it seems to do the trick, but between the settings, tabs, sub-tabs, radio buttons, bridges, switches, interfaces, etc. etc. etc., I am overwhelmed.

Could one of you be kind enough to point out the process and point me in the right direction for the setup? I am all ears if one of you figures out a more noble way of segregating the network to meet the needs. No worries if one of you comes back with a "Steve, your setup is absolute nonsense!"

A huge thank you in advance for any help,
Best regards,
Steve.
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Mon Feb 01, 2021 8:46 pm

Hey Steve,
It can be overwhelming for sure!!
This article will help you set up VLANs; read it carefully and pick the example that fits your situation.
When you have given it a go, do not hesitate to provide your config and we will help you get to a working config.

/export hide-sensitive file=anynameyouwish

viewtopic.php?t=143620

Most of the rest is accomplished by firewall rules.
The default rules are a great start, but then you will want to
put a drop-all-else rule at the end of the forward chain, which will mean
you don't need to make any block rules between VLANs, just allow rules.
Anything not allowed will be blocked automatically by the last drop-all-else rule.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
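As an added illustration of the "allow rules plus a final drop" approach described in the reply above, here is a RouterOS v6 firewall fragment implementing the VLAN matrix from the opening post. This is not anav's or MikroTik's code; it assumes the VLAN interfaces are named vlan8, vlan10, vlan100 and vlan222, that the default "defconf" rules (including the WAN and LAN interface lists) are still in place, and that the VLANs are already carried by the bridge or switch chip.

```routeros
# Added example, not from the thread. Assumes VLAN interfaces vlan8, vlan10,
# vlan100, vlan222 and the default defconf rules and WAN/LAN interface lists.
/interface list
add name=VLAN comment="all LAN-side VLANs"
/interface list member
add interface=vlan8 list=VLAN
add interface=vlan10 list=VLAN
add interface=vlan100 list=VLAN
add interface=vlan222 list=VLAN
# The defconf input chain only admits traffic from the LAN list, so each VLAN
# must also be a LAN member for its DHCP and DNS requests to reach the router.
add interface=vlan8 list=LAN
add interface=vlan10 list=LAN
add interface=vlan100 list=LAN
add interface=vlan222 list=LAN

/ip firewall filter
# Keep the defconf forward rules (fasttrack, accept established/related,
# drop invalid, drop from WAN not dst-natted) above these additions.
# Every VLAN may reach the internet via the WAN list.
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN comment="VLANs -> WAN"
# House1 (VLAN10), house2 (VLAN8) and the mesh (VLAN100) may reach the Pi-Hole VLAN.
add chain=forward action=accept in-interface-list=VLAN out-interface=vlan222 comment="VLAN10/8/100 -> VLAN222"
# The Pi-Hole VLAN may open connections to the other VLANs only on port 53
# (replies to client queries already return under the established/related accept).
add chain=forward action=accept in-interface=vlan222 out-interface-list=VLAN protocol=udp dst-port=53 comment="VLAN222 -> VLANs, DNS/udp"
add chain=forward action=accept in-interface=vlan222 out-interface-list=VLAN protocol=tcp dst-port=53 comment="VLAN222 -> VLANs, DNS/tcp"
# Nothing else crosses between VLANs: this single drop replaces per-pair block rules.
add chain=forward action=drop comment="drop all else"
```

Check the result with `/ip firewall filter print stats`: VLAN10-to-VLAN8 traffic should increment only the final drop rule's counters.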
 
FrogTik
just joined
Topic Author
Posts: 3
Joined: Sun Jan 31, 2021 3:27 pm

Re: hAP ac3 - VLAN & inter-VLAN

Tue Feb 02, 2021 7:29 pm

Hi anav,
thanks for your feedback. I have read through the long post you mentioned and I am starting to get to grips with what the Tik is doing now (mainly terminology).
Following some research, I came across a nice YT video that explains pretty well how to VLAN, and more precisely using the switch chip, which is an extremely interesting feature.
I just want to share my find: https://www.youtube.com/watch?v=Rj9aPoyZOPo

Following this video, one question arises for my specific needs. As the VLANs are dealt with by the switch chip, is it possible to do inter-VLAN routing using this method?
I have my doubts...

Any help is much appreciated.
Steve
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Tue Feb 02, 2021 7:35 pm

There are two ways to do VLANs: the switch chip method as you noted (excellent video) and the bridge VLAN filtering method on the link I posted.
I am familiar only with the latter. The switch chip method makes sense if your router has the right switch capabilities.
The bridge VLAN filtering method will work regardless.

If the hAP ac3 is switch-chip friendly in that regard, then by all means give it a go.
I will only be able to help with the FW rules, but others here will ensure your switch chip config is fixed up when you post your config and it's not working.
 
FrogTik
just joined
Topic Author
Posts: 3
Joined: Sun Jan 31, 2021 3:27 pm

Re: hAP ac3 - VLAN & inter-VLAN

Tue Feb 02, 2021 7:49 pm

Hi anav,
yes, I double-checked that the hAP ac3 has a switch chip as described in the YT video.
Turns out that it has an Atheros 8327 onboard, which is good news, so I should be in the clear on this point.
My main concern is that the firewall rules could not be applied to the inter-VLAN routing if the packets are only switched via the Atheros 8327, and not via the CPU of the ac3.
I don't know if I am being clear.
Sorry for being such a noob.
Steve
 
CZFan
Forum Guru
Posts: 1977
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: hAP ac3 - VLAN & inter-VLAN

Tue Feb 02, 2021 8:03 pm

All routing is done via the CPU; the firewall will see this traffic.
MTCNA, MTCTCE, MTCRE & MTCINE
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Tue Feb 02, 2021 9:01 pm

As CZFan noted, the firewall rules are independent of the VLAN switch chip functionality.
The firewall rules will be applied to the flow of traffic in and out of interfaces, subnets, IPs, etc. at the router.
