FrogTik
just joined
Topic Author
Posts: 9
Joined: Sun Jan 31, 2021 3:27 pm

hAP ac3 - VLAN & inter-VLAN

Sun Jan 31, 2021 4:32 pm

Hi Guys,

Having trudged the internet looking at videos and forums to figure out how to do this, I have finally resorted to swallowing my pride, accepting the fact that I may have bitten off more than I can chew, and reverting back to the forum with the pros to ask for your advice.

I have got fed up with ultra-restricted commercial-grade routers that seem very capable on paper but, for price point/political & marketing reasons, are completely emasculated in their functionality, hence my buying a MikroTik hAP ac3.

Having moved from an 18Mb ADSL to a 300Mb up and 300Mb down fiber, my trustworthy Draytek couldn't handle the bandwidth I was throwing at it (mainly inter-VLAN routing).
The new MikroTik is inserted between my ISP router and the network; this means I don't have to go through all my network settings every time I change ISP, and this works very well.

The setup is quite simple: I have two sites (two CAT6-interlinked houses in fact), a Pi-Hole (sitting on the ac3), and a mesh WiFi (Tenda MW6 scattered around house1).

Cabling is as follows:
eth1_WAN -> ISP router
eth2 -> house1
eth3 -> house2
eth4 -> pi-hole
eth5 -> mesh

To date, everything is running on the same network running one DHCP on the ac3, simple.

Previously with the Draytek (I didn't have mesh WiFi at that point), I had 3 VLANs (VLAN10 => house1 & VLAN8 => house2) and a VLAN for the Pi-Hole (VLAN222), with inter-VLAN routing and a couple of firewall rules (for specific ports, mainly DNS port 53 for the Pi-Hole) to only enable the following communication:

VLAN10 -> WAN -> ISP ROUTER -> INTERNET = YES
VLAN10 -> VLAN222 = YES
VLAN10 -> VLAN8 = NO

VLAN8 -> WAN -> ISP ROUTER -> INTERNET = YES
VLAN8 -> VLAN222 = YES
VLAN8 -> VLAN10 = NO

VLAN222 -> WAN -> ISP ROUTER -> INTERNET = YES
VLAN222 -> VLAN10 = only specific port 53
VLAN222 -> VLAN8 = only specific port 53

As the mesh has been added since, I would need a VLAN100:

VLAN100 -> WAN -> ISP ROUTER -> INTERNET = YES
VLAN100 -> VLAN222 = YES
VLAN100 -> VLAN10 = NO
VLAN100 -> VLAN8 = NO

VLAN222 -> VLAN100 = only specific port 53

Also, each VLAN would ideally need a DHCP server as follows:
VLAN10 : 192.168.10.xxx
VLAN8 : 192.168.8.xxx
VLAN222 : 192.168.222.xxx
VLAN100 : 192.168.100.xxx

The 10, 8, 222, 100 figures are only for mental recollection (house1 is n°10 of the street and house2 is n°8, 222 being DNS and 100 anything WiFi).

To configure the MikroTik, I use the browser GUI (not the CLI), and it seems to do the trick, but between the settings, tabs, sub-tabs, radio buttons, bridges, switches, interfaces etc. etc. etc. I am overwhelmed.

Could one of you be kind enough to point out the process and point me in the right direction for the setup? I am all ears if one of you figures out a more noble way of segregating the network to meet the needs. No worries if one of you comes back with a "Steve, your setup is absolute nonsense!"

A huge thank you in advance for any help,
Best regards,
Steve.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Mon Feb 01, 2021 8:46 pm

Hey Steve,
It can be overwhelming for sure!!
This article will help you set up VLANs; read it carefully and pick the example that fits your situation.
When you have given it a go, do not hesitate to provide your config and we will help you get to a working config.

/export hide-sensitive file=anynameyouwish

viewtopic.php?t=143620

Most of the rest is accomplished by firewall rules.
The default rules are a great start, but then you will want to
put a drop-all-else rule at the end of the forward chain, which will mean
you don't need to make any block rules between VLANs, just allow rules.
Anything not allowed will be blocked automatically by the last drop-all-else rule.
 
FrogTik
just joined
Topic Author
Posts: 9
Joined: Sun Jan 31, 2021 3:27 pm

Re: hAP ac3 - VLAN & inter-VLAN

Tue Feb 02, 2021 7:29 pm

Hi anav,
thanks for your feedback. I have read through the long post you mentioned and I am starting to get to grips with what the Tik is doing now (mainly terminology).
Following some research I came across a nice YT video that explains pretty well how to do VLANs, and more precisely using the switch chip, which is an extremely interesting feature.
I just want to share my find: https://www.youtube.com/watch?v=Rj9aPoyZOPo

Following this video, one question arises for my specific needs. As the VLANs are dealt with by the switch chip, is it possible to do inter-VLAN routing using this method?
I have my doubts...

Any help is much appreciated.
Steve
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Tue Feb 02, 2021 7:35 pm

There are two ways to do VLANs: the switch chip method as you noted (excellent video) and the bridge VLAN filtering method in the link I posted.
I am familiar only with the latter. The switch chip method makes sense if your router has the right switch capabilities.
The bridge VLAN filtering method will work regardless.

If the hAP ac3 is switch chip friendly in that regard then by all means give it a go.
I will only be able to help with the FW rules, but others here will ensure your switch chip config is fixed up when you post your config and it's not working.
 
FrogTik
just joined
Topic Author
Posts: 9
Joined: Sun Jan 31, 2021 3:27 pm

Re: hAP ac3 - VLAN & inter-VLAN

Tue Feb 02, 2021 7:49 pm

Hi anav,
yes, I double checked that the hAP ac3 had a switch chip as described in the YT video.
Turns out that it has an Atheros 8327 onboard, which is good news, so I should be in the clear on this point.
My main concern is that the firewall rules could not be applied for the inter-VLAN routing if the packets are only switched via the Atheros 8327, and not via the CPU of the ac3.
I don't know if I am being clear.
Sorry for being such a noob.
Steve
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: hAP ac3 - VLAN & inter-VLAN

Tue Feb 02, 2021 8:03 pm

All routing is done via the CPU, so the firewall will see this traffic.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Tue Feb 02, 2021 9:01 pm

As CZFan noted, the firewall rules are independent of the VLAN switch chip functionality.
The firewall rules will be applied to the flow of traffic in and out of interfaces, subnets, IPs etc. at the router.
 
FrogTik
just joined
Topic Author
Posts: 9
Joined: Sun Jan 31, 2021 3:27 pm

Re: hAP ac3 - VLAN & inter-VLAN

Sun Jul 25, 2021 5:51 pm

Hi Guys,

sorry for digging up a 5-month-old post, but I got sidetracked and haven't been able to look into this lately. Holidays have come and I have some time now to get this matter sorted, or at least try ;.)
As explained, I have an ac3 which is running all my home network, and my experience with modifying configurations without "pro" knowledge usually winds up disconnecting the entire network and getting an earful from Mrs.
I have resorted to buying a secondary hAP lite to test and trial VLAN configurations, and this enables me to bugger up the config to my heart's delight without pi*** everybody off by disconnecting constantly. Once figured out, I'll be able to replicate to the ac3 in one go.

The hAP lite has 4 eth ports (eth1 is WAN, eth2, eth3, eth4) and a wlan1.

To get my head around the way I would like it to work, I have simplified the initial setup requirement. To keep things simple, here is what I would like to do:
VLAN3 on eth3 -> DHCP 192.168.3.1/24
VLAN4 on eth4 -> DHCP 192.168.4.1/24
inter-VLAN on certain ports

I'm not even certain I have got the VLANs set up correctly, as Interfaces has a VLAN tab, Bridge has a VLANs tab, and Switch has a VLAN tab.

I have tried so many things that I'm totally confused now and have been sitting here like a dork writing this post, not even knowing how to explain what I have done. Wanting to understand exactly what is to be done, I usually look at the .rsc files and replicate the commands in WinBox manually.

Would one of the MikroTik gurus be kind enough to point me in the correct direction, maybe with a set of CLI commands that I could bluntly follow in WinBox to set up:
Bridge(s)
Ports
VLAN
Addresses
DHCP servers
Firewall rules.

A huge thanks to anyone who can help,
Best regards,
Steve
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: hAP ac3 - VLAN & inter-VLAN

Sun Jul 25, 2021 6:02 pm

MikroTik has 3 ways to do VLANs, and which method makes efficient use of the hardware depends on which model the product is.

https://www.reddit.com/r/mikrotik/comme ... &context=3
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP ac3 - VLAN & inter-VLAN

Sun Jul 25, 2021 6:08 pm

For starters, read (and understand) the VLAN tutorial; @anav posted the link in post #2 above. Nowadays it's the most versatile way of doing it (perhaps not the most resource-friendly, but with the hAP ac3 this shouldn't be a problem).

Remember, VLANs are sort of LANs. When it comes to connectivity between different VLANs it's not about "certain ports" any more, it's about routing, and routing works in the IP address domain. But I suggest you go step by step: first master VLANs; having a router between them will allow inter-VLAN connectivity. After that you can start controlling connections.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Sun Jul 25, 2021 7:41 pm

(1) A detailed network diagram will help.
What VLANs are going out which ports; it is not important to us which house, simply the VLANs and what each connecting network device is:
a. smart switch capable of reading VLANs
b. smart AP capable of reading VLANs
c. dumb devices (unmanaged switches, basic APs, PCs, printers etc.)

(2) A set of coherent requirements: what users and devices (or VLANs) should be able to do.
(3) Latest config for viewing:
/export hide-sensitive file=anynameyouwish
 
FrogTik
just joined
Topic Author
Posts: 9
Joined: Sun Jan 31, 2021 3:27 pm

Re: hAP ac3 - VLAN & inter-VLAN

Sun Jul 25, 2021 8:34 pm

@DarkNate: Thanks for the link, a really helpful read, and it helps to understand which is the best way to do VLANs. I guess the interface bridge VLAN is the way to go forward.
@mkx: Yes, I did use the link anav sent and have isolated the VLAN configuration to the "Router-Switch-AP (all in one)".
@anav: I'll get a topology up asap. I don't remember being born an ethernet connector, as this evening I feel like a Dumb Device ;.)

As a final thrash at this for Sunday evening, I hacked up the RouterSwitchAP.rsc file in the post anav mentioned.
I seem to be getting somewhere, as the VLANs seem to be working spot on: they get the correct IPs via their respective DHCP servers and can't ping each other, but they can ping 8.8.8.8 and google.com (so DNS works also).

All I need to figure out now is how to make inter-VLAN work.

Huge thanks for your help, and help to come, guys!
Steve


FYI here is the config file I have hacked up from the original .rsc file of the Router-Switch-AP post:

#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=bridgeVLAN protocol-mode=none vlan-filtering=no


#######################################
# -- Access Ports --
#######################################

# ingress behavior
/interface bridge port

#VLAN3
add bridge=bridgeVLAN interface=ether3 pvid=3
#VLAN4
add bridge=bridgeVLAN interface=ether4 pvid=4

# L3 switching so Bridge must be a tagged member
# (the menu is "vlan", not "vlans", and the entries do not exist yet, so they are added rather than set)
/interface bridge vlan
add bridge=bridgeVLAN tagged=bridgeVLAN vlan-ids=3
add bridge=bridgeVLAN tagged=bridgeVLAN vlan-ids=4

#######################################
# IP Services
#######################################
# VLAN3 interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridgeVLAN name=vlan3 vlan-id=3
/ip address add interface=vlan3 address=192.168.3.1/24
/ip pool add name=dhcp_poolVLAN3 ranges=192.168.3.2-192.168.3.10
/ip dhcp-server add address-pool=dhcp_poolVLAN3 interface=vlan3 name=dhcp3 disabled=no
/ip dhcp-server network add address=192.168.3.0/24 dns-server=8.8.8.8 gateway=192.168.3.1

# VLAN4 interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridgeVLAN name=vlan4 vlan-id=4
/ip address add interface=vlan4 address=192.168.4.1/24
/ip pool add name=dhcp_pool4 ranges=192.168.4.2-192.168.4.10
/ip dhcp-server add address-pool=dhcp_pool4 interface=vlan4 name=dhcp4 disabled=no
/ip dhcp-server network add address=192.168.4.0/24 dns-server=8.8.8.8 gateway=192.168.4.1


#######################################
# Firewalling & NAT
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.
# The WAN list (with ether1 as member) is not created here; it is assumed to exist from the default configuration.
/interface list add name=VLAN

/interface list member
add interface=vlan3 list=VLAN
add interface=vlan4 list=VLAN

##################
# INPUT CHAIN
##################
# the filter rules below must be entered in the filter menu, not left under /interface list member
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=bridgeVLAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]

set bridge=bridgeVLAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]

#######################################
# Turn on VLAN mode
#######################################
/interface bridge set bridgeVLAN vlan-filtering=yes
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Sun Jul 25, 2021 9:30 pm

Please send the full config,
/export hide-sensitive file=anynameyouwish
 
FrogTik
just joined
Topic Author
Posts: 9
Joined: Sun Jan 31, 2021 3:27 pm

Re: hAP ac3 - VLAN & inter-VLAN

Mon Jul 26, 2021 9:18 pm

Hi anav,
what sparked my whole VLAN quest was the fact that the PiHole was logging 2500+ DNS queries coming from IoT and the mesh system, hence my desire to isolate them off the main network and isolate the little buggers.
Please find attached a quick sketch of what I had in mind. Feel free to comment if you think I'm barking up the wrong tree with the port-based VLANs.
To keep it simple, I'd like to isolate VLAN10, VLAN101 and VLAN8 from each other but still enable them to use the PiHole on VLAN222.
A couple of additional firewall rules to only allow ports 22+53 to be used on the inter-VLAN222 would be perfect.
I am by no means a network guru, but I don't like being defeated, like a lot of us, by a bit of electronics, so please bear with me ;.)
Many thanks for your feedback and help,
Steve
PS: Config is from a clean slate/reset, so the hAP lite is empty.
The hAP lite is to run tests as the ac3 is being used, but eventually, once all is understood and good to go, the config will be ported to the ac3.
Last edited by FrogTik on Wed Aug 04, 2021 7:59 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Mon Jul 26, 2021 9:48 pm

Hi Steve,
No worries, some small victories would be nice!

(1) So you basically get a private IP from the ISP's router/modem combo.
Assuming any ports need forwarding, you have access to the router side of the ISP device to forward them to 192.168.4.2.

(2) Ether2 is dedicated to VLAN10, which is then distributed to a dumb switch, so this turns out to be an access port.

(3) Ether3 is dedicated to VLAN101 and then is distributed to a mesh unit, but no indication if the mesh unit is smart or dumb??

(4) Ether4 is dedicated to VLAN8 to a managed switch, which usually indicates a trunk port, but I don't see any other VLAN besides 8 served by the switch, although the switch should be on the management VLAN or base VLAN, so that's two VLANs!!!

(5) Ethernet 5 is dedicated to VLAN222, and that looks like an access port, assuming the pihole cannot handle VLANs..........

(7) ALL VLANs need access to the pihole for DNS?

(8) On VLAN222, you want limited access off the subnet:
a. limited services to DNS services on the pihole? If so, this is covered under (7)?
b. limited FTP services access to where/what (the internet, the router FTP services, not sure).

(9) Begs the question, which VLANs get full internet access??? Okay, I see YES, all need full internet.

(10) Did you have a management VLAN in mind or is the admin on VLAN10 all the time?

(11) Need far more info on mesh, smart devices, brand?? etc........ Okay, it's Tenda .........but are they smart???
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Mon Jul 26, 2021 10:33 pm

I would do something like:
bridge=dualhome
add VLANs with interface being dualhome
each VLAN gets 4 properties: address, pool, DHCP server, DHCP-server network where the DNS address is the pi-hole IP address**
(except vlan222, where DNS= is either the IP address of the Pi server or the external servers that the Pi will use to get DNS, such as 1.1.1.1 and 9.9.9.9. unk????)

DHCP client settings not required.
Simply put in the WAN information for the address:
ether1 interface 192.168.4.2 gateway 192.168.4.4 etc......
and ensure ether1 is designated a WAN interface list entry
and ensure ether1 has a route created
dst 0.0.0.0/0 gateway=192.168.4.4

interface bridge port settings
eth2 ingress filtering yes, allow only untagged or priority packets pvid=10
eth3 ingress filtering yes, allow only untagged or priority packets pvid=101
eth4 ingress filtering yes, allow only tagged packets
eth5 ingress filtering yes, allow only untagged or priority packets pvid=222

interface bridge vlan settings (if you create a separate management vlan that only the admin has access to)
add bridge=dualhome tagged=dualhome,ether4 untagged=ether2 vlan-ids=10 ****
add bridge=dualhome tagged=dualhome untagged=ether3 vlan-ids=101
add bridge=dualhome tagged=dualhome untagged=ether5 vlan-ids=222
add bridge=dualhome tagged=dualhome,ether4 vlan-ids=8

**** Basically we want to ensure the smart switch (at port4) is accessible by vlan 10, where the admin resides.

Interface list:
ether1=WAN
bridge=LAN
vlan10=DNSgroup
vlan101=DNSgroup
vlan8=DNSgroup


Extra firewall rules.....
input chain:
Allow traffic from vlan10 to the router, and with a source address list to refine it only to the admin devices (static IP leases - desktop, laptop, smartphone, iPad etc.)
add chain=input action=accept in-interface=vlan10 src-address=adminIP (or src-address-list=adminaccess) (where adminaccess is a firewall address list).

forward chain:
add chain=forward action=accept in-interface-list=DNSgroup dst-address=pi-hole dst-port=53 protocol=tcp
add chain=forward action=accept in-interface-list=DNSgroup dst-address=pi-hole dst-port=53 protocol=udp

Not sure about router DNS settings specifically, but
one may need to tick off allow remote requests...........just not sure how the Pi works separately from DNS router services.
I am assuming completely separately???
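The design anav sketches in the post above, together with the "allow rules plus a final drop-all-else rule" approach from post #2, written out as one complete RouterOS script using bridge VLAN filtering. This is an added example, not anav's, FrogTik's or MikroTik's own configuration. It takes the WAN addressing from Steve's answer further down (192.168.1.2 behind the ISP router at 192.168.1.1); the Pi-hole address 192.168.222.2 and the admin PC address 192.168.10.10 are assumed placeholders, since the thread never pins them down, and are marked as such in the comments. The ordering matters: bridge ports and the bridge VLAN table are built first, firewall rules only ever accept, the chains end in an explicit drop, and vlan-filtering is switched on last.

```routeros
# Added example (not anav's or MikroTik's own config): bridge VLAN filtering on the hAP ac3
# with the VLANs from this thread. ASSUMED values are placeholders; apply from a reset
# device with the default bridge removed, ideally under WinBox Safe Mode.

#######################################
# Bridge and ports (vlan-filtering stays off until the end)
#######################################
/interface bridge
add name=dualhome vlan-filtering=no

/interface bridge port
# access ports: only untagged frames in, each stamped with the port's PVID
add bridge=dualhome interface=ether2 pvid=10  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="house1 dumb switch"
add bridge=dualhome interface=ether3 pvid=101 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="Tenda mesh"
add bridge=dualhome interface=ether5 pvid=222 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="Pi-hole"
# trunk to the 802.1Q switch: tagged frames only, so nothing untagged lands on VLAN 1
add bridge=dualhome interface=ether4 ingress-filtering=yes frame-types=admit-only-vlan-tagged comment="TP-Link trunk"

# the bridge itself is a tagged member of every VLAN so the CPU can route between them;
# VLAN 10 is also tagged on the trunk so the admin VLAN reaches the smart switch (anav's ****)
/interface bridge vlan
add bridge=dualhome vlan-ids=10  tagged=dualhome,ether4 untagged=ether2
add bridge=dualhome vlan-ids=101 tagged=dualhome untagged=ether3
add bridge=dualhome vlan-ids=8   tagged=dualhome,ether4
add bridge=dualhome vlan-ids=222 tagged=dualhome untagged=ether5

#######################################
# L3: VLAN interfaces, addresses, default route, DHCP
#######################################
/interface vlan
add interface=dualhome name=vlan10  vlan-id=10
add interface=dualhome name=vlan101 vlan-id=101
add interface=dualhome name=vlan8   vlan-id=8
add interface=dualhome name=vlan222 vlan-id=222

/ip address
add interface=ether1  address=192.168.1.2/24 comment="WAN, static lease from ISP router (Steve's value)"
add interface=vlan10  address=192.168.10.1/24
add interface=vlan101 address=192.168.101.1/24
add interface=vlan8   address=192.168.8.1/24
add interface=vlan222 address=192.168.222.1/24
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

/ip pool
add name=pool10  ranges=192.168.10.100-192.168.10.200
add name=pool101 ranges=192.168.101.100-192.168.101.200
add name=pool8   ranges=192.168.8.100-192.168.8.200
add name=pool222 ranges=192.168.222.100-192.168.222.200
/ip dhcp-server
add name=dhcp10  interface=vlan10  address-pool=pool10  disabled=no
add name=dhcp101 interface=vlan101 address-pool=pool101 disabled=no
add name=dhcp8   interface=vlan8   address-pool=pool8   disabled=no
add name=dhcp222 interface=vlan222 address-pool=pool222 disabled=no
# clients resolve via the Pi-hole (ASSUMED 192.168.222.2); the Pi-hole's own VLAN uses public resolvers
/ip dhcp-server network
add address=192.168.10.0/24  gateway=192.168.10.1  dns-server=192.168.222.2
add address=192.168.101.0/24 gateway=192.168.101.1 dns-server=192.168.222.2
add address=192.168.8.0/24   gateway=192.168.8.1   dns-server=192.168.222.2
add address=192.168.222.0/24 gateway=192.168.222.1 dns-server=1.1.1.1,9.9.9.9

#######################################
# Interface lists and firewall: allow rules only, then drop everything else
#######################################
/interface list
add name=WAN
add name=LAN
add name=DNSgroup
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10
add list=LAN interface=vlan101
add list=LAN interface=vlan8
add list=LAN interface=vlan222
add list=DNSgroup interface=vlan10
add list=DNSgroup interface=vlan101
add list=DNSgroup interface=vlan8

/ip firewall address-list
add list=adminaccess address=192.168.10.10 comment="ASSUMED: admin PC, give it a static lease"

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="Allow Estab & Related"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP requests from any VLAN"
add chain=input action=accept in-interface=vlan10 src-address-list=adminaccess comment="router management only from admin devices"
add chain=input action=drop comment="drop all else (input)"
add chain=forward action=accept connection-state=established,related,untracked comment="Allow Estab & Related"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new in-interface-list=DNSgroup dst-address=192.168.222.2 protocol=udp dst-port=53 comment="DNS to Pi-hole"
add chain=forward action=accept connection-state=new in-interface-list=DNSgroup dst-address=192.168.222.2 protocol=tcp dst-port=53 comment="DNS to Pi-hole (TCP)"
add chain=forward action=accept connection-state=new in-interface-list=LAN out-interface-list=WAN comment="every VLAN gets Internet"
add chain=forward action=drop comment="drop all else: VLAN10/101/8 cannot reach each other"
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# last step: switch on VLAN filtering once ports, VLAN table and firewall are in place
/interface bridge set dualhome vlan-filtering=yes
```

With only accept rules ahead of the final drop, the isolation Steve asked for falls out of what is not listed: a host on vlan101 can reach the Pi-hole on port 53 and the Internet, but any new connection towards vlan10 or vlan8 hits the last forward rule. The input chain works the same way, so the router's own management is reachable only from the listed admin addresses on vlan10; if a later management VLAN (anav's vlan99 idea) is added, it needs its own accept rule above the drop.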
 
FrogTik
just joined
Topic Author
Posts: 9
Joined: Sun Jan 31, 2021 3:27 pm

Re: hAP ac3 - VLAN & inter-VLAN

Tue Jul 27, 2021 2:04 pm

Hi anav,
thanks for your help. I have amended the diagram to be more precise.
To answer your questions:

(1) So you basically get a private IP from the ISP's router/modem combo.
Correct, the ISP router (192.168.1.1) delivers a static address (192.168.1.2) to the ac3's WAN port.
I know that many are not huge fans of double NAT, but in this case it doesn't pose much grief, so having double NAT is not a problem.
Even with the firewall in the ISP router activated, when you call them due to a problem they always seem to have access to the internal topology of the network, and this bothers me. So with a second router behind the ISP router, the only thing they see is one IP, the ac3 (192.168.1.2), and not the whole topology. No ports need to be forwarded from the Internet to the inside network.

(2) Ether2 is dedicated to VLAN10, which is then distributed to a dumb switch, so this turns out to be an access port.
Correct, if needed this switch could be replaced with another TP-Link TL-SG108G (802.1Q capable).

(3) Ether3 is dedicated to VLAN101 and then is distributed to a mesh unit, but no indication if the mesh unit is smart or dumb?
These are Tenda MW6 mesh units (x3) and they are very efficient but dead simple. You plug the main one into the router, configure the SSID (via their app), then plug the second one in, which in turn normally connects to the first box via a separate radio channel (in my case, I use the back-haul port to make connectivity a lot faster), and then the third box, and the 3 just seem to work. So to answer your question I would say that they are "dumb" devices.

(4) Ether4 is dedicated to VLAN8 to a managed switch, which usually indicates a trunk port, but I don't see any other VLAN besides 8 served by the switch, although the switch should be on the management VLAN or base VLAN, so that's two VLANs!!!
This TP-Link is being used as a dumb switch at the moment. It is 802.1Q capable but that is not being implemented. The price of a small 8-port manageable switch is only a few euros more than a dumb one, so I'm of the philosophy of buying the best you can with the budget allocated to the need.

(5) Ethernet 5 is dedicated to VLAN222, and that looks like an access port, assuming the pihole cannot handle VLANs..........
Correct, PiHole to my knowledge cannot handle VLANs.

(7) ALL VLANs need access to the pihole for DNS?
Correct, the PiHole acts as a network DNS server to get rid of all these nagging popups, French RGPD (data protection crap) that has corrupted 3/4 of the internet. PiHole is the next best thing after sliced bread.

(8) On VLAN222, you want limited access off the subnet:
a. limited services to DNS services on the pihole? If so, this is covered under (7)?
b. limited FTP services access to where/what (the internet, the router FTP services, not sure).

VLAN222 holds only one machine, a NanoPi Neo2 running Docker. Within Docker I have Portainer, PiHole, and a local instance of OpenSpeedTest so that I can test Gig cabling etc.

(9) Begs the question, which VLANs get full internet access??? Okay, I see YES, all need full internet.
All VLANs need full internet access.

(10) Did you have a management VLAN in mind or is the admin on VLAN10 all the time?
Management would ideally be on VLAN10 and VLAN8.

(11) Need far more info on mesh, smart devices, brand?? etc........ Okay, it's Tenda .........but are they smart???
see (3)
Last edited by FrogTik on Wed Aug 04, 2021 7:57 pm, edited 3 times in total.
 
FrogTik
just joined
Topic Author
Posts: 9
Joined: Sun Jan 31, 2021 3:27 pm

Re: hAP ac3 - VLAN & inter-VLAN

Tue Jul 27, 2021 2:19 pm

Having written all this, I am now starting to think that instead of using the switch ports on the ac3 (limited number of ports and limited knowledge of MikroTik config), why not set up the ac3 as a RoaS and use the TP-Link TLSG108G 802.1Q capable switch to deal with all the switching and the ac3 for the routing?
As said previously, I'm no network guru, but extremely interested in overcoming this conundrum ;.)

My guess is that if the dumb switch is replaced with yet another TLSG108E 802.1Q capable switch, the VLAN situation becomes a lot more granular, to the point of being able to dictate which port is allocated to which VLAN, and maybe even get the PowerLine+WiFi (site#2) off VLAN8 and onto VLAN101 even though it is in a different location/site.
PS: The use of 3 smaller switches and not one large switch is due to link+site restrictions.

Once again, huge thanks for any help !
Last edited by FrogTik on Wed Aug 04, 2021 7:57 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Tue Jul 27, 2021 3:42 pm

All cases will work.
You will still need to set up the DHCP services for all the VLANs.
However, you need to figure out the management VLAN.
Where is the admin going to access the router for config?

What is the purpose of 192.168.2.0? (If not on the bridge, it's good to have a non-bridge emergency backup access to the router.)
 
FrogTik
just joined
Topic Author
Posts: 9
Joined: Sun Jan 31, 2021 3:27 pm

Re: hAP ac3 - VLAN & inter-VLAN

Tue Jul 27, 2021 6:28 pm

Hi anav,
thanks ever so much for your feedback.
I think that the RoaS solution n°2 seems more noble, maybe just me, but I guess that the MikroTik config would be less complex also.
Where is the admin going to access the router for config?
admin i.e. "pc(D)" would need to access [ISP router]+[all tplinks]+[hAPac3]
1. physically on site#1 by connecting to port#8 on the TP-Link (just an idea)
2. from site#2 by connecting physically to port#8 on the TP-Link (just an idea)

What is the purpose of 192.168.2.0?
As I would like to preserve the NAT/firewall of the ac3 and lock out anything coming from the ISP router, hAPac3#1 being WAN, I guess 192.168.2.0/24 seemed logical, but are you suggesting to keep the original 192.168.88.0/24 of the MikroTik?

(If not on the bridge, it's good to have a non-bridge emergency backup access to the router.)
Well spotted, maybe port#5 of the ac3 as the non-bridge.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac3 - VLAN & inter-VLAN

Tue Jul 27, 2021 6:32 pm

No, not at all.
Are you located by the router (aka office) or are you by a switch?

What I would do is the following:
create vlan99 for management with you on it and nobody else.
Ensure vlan99 has access to all other VLANs.
Put all smart devices on VLAN99 as their IP address for management purposes.
Done.
VLAN 99 can be used for ports 3,4 on the hAP ac, keeping 5 for 192.168.2.01 (but you don't need to create a subnet, just an IP address; that way you can always log into the router from that IP by setting the IP of your laptop to something like 192.168.2.2, just in case the bridge falls apart at any time).

You can ensure VLAN 99 reaches the other house as well, and from there dedicate a switch port to that VLAN and only allow your IP address to access the VLAN as per your input chain rules.
