FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Mon Apr 12, 2021 5:25 am

Hi All:

Pursuant to advice in my thread about outbound remote access, I am going to redo the setup for an hEX-S and associated networking hardware (2x wAP-AC and a Netgear switch). The previous setup uses multiple bridges and no VLANs and is apparently not a "best practices" approach.

To better solicit advice I have prepared a network map (attached at the bottom of this post).

I also have a few immediate questions for starters:
  1. Does it make more sense to jettison the previous setup (not super complex: a couple CAPsMAN setups, 10 NAT firewall rules or so and dynamic DNS) and start anew?
  2. If so (i.e. System / Reset_Configuration) will I lose the SSLs I established to access webfig via https? [ Not a "problem" but I would like to know upfront so there are no surprises! ]
  3. I am brand new to VLANs. Are these always numbered? I like how MikroTik allows custom naming of so much; mnemonics are good! Reading a bit so far about VLANs (including with my new switch), however, it seems that VLANs are always numbered . . .
  4. Now that I am redoing everything, is there a good way to use a dynamic DNS service OTHER than the one MikroTik provides (while quite simple to implement, I am not a fan of using their service with their hardware)? Basically, I would like to use my existing 3rd party dynamic DNS account; this will help me consolidate my services . . .
  5. What special VLAN "magic" will I need to invoke so that "security" devices (i.e. 192.168.2.x) and "entertainment" devices (192.168.4.x) can communicate with 192.168.1.x (various locations for media content and storage for security cameras)?
  6. Finally, from the attached network map, can anyone see any obvious places I am not thinking things through in an optimal way? As I said, VLANs are new to me; usually I would have everything (except the guest network) in such a small network in a single IP range like 192.168.1.x. I actually really like the idea of further segmenting (according to type of use, for example) and can foresee huge potential benefits.

Thanks to anyone for input!

Network Map.RB_Home.v2.png
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Mon Apr 12, 2021 5:37 am

1. If those old things have nothing to do with the new setups, then keep them.
2. You'll lose everything, unless you do an /export to save the certificates.
3. They're always numbered, but Mikrotik offers a mnemonic abstraction feature that only works within the router.
4. You can't easily, unless you do some scripting magic or hack the router to get access to a root shell.
5. I'm not sure exactly, but you either have to use bridge filter rules or plain old firewall rules. This works by connection tracking to see which device initiated a connection.
6. You could always add more stuff, such as an LTE failover that uses VRRP, but what you have is good enough, considering that plenty of home networks are way simpler.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Mon Apr 12, 2021 3:04 pm

The diagram is great! I only had one question, where is the guest wifi coming from?? (AP device?)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Mon Apr 12, 2021 4:07 pm

Pretty basic vlan setup required.
The longest times will be spent on creating the DHCP setup for each VLAN (ip address, ip pool, dhcp-server, dhcp-server-network)
Getting your bridge port and bridge vlan configuration correct.
Getting the switch netgear setup to match the vlan setup coming from the router and out the ports to devices.
As for firewall rules, stick to the defaults until the network is up and running.........
The only change to default firewall rules would be to the Forward chain,

Take the one rule..........
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

and make it
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

Because this changes the forward chain to a block-everything concept vice an allow-everything concept, you will need to add any traffic you want to permit.
allow vlans to WAN
allow admin to all vlans
allow users or vlans to shared printer etc.

This is much easier than trying to make block rules for all the vlans..........trust me!!!
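As an added illustration of the rule change above (this is not anav's configuration nor a MikroTik default export), here is what the whole forward chain looks like once the default "drop all from WAN not DSTNATed" rule is replaced and the three permits he lists are written out. It assumes the default interface lists WAN and LAN already exist, and it invents VLAN interface names (vlan10-mgmt, vlan20-security, vlan30-guest, vlan40-media) and NAS/printer addresses purely for illustration; the camera/media rules address question 5 from the first post using the same connection-tracking behaviour Cablenut9 mentions.

```routeros
# Added example, not from the thread: full forward chain for a
# "drop everything, permit explicitly" policy on RouterOS v6.
# Assumed names: interface lists WAN/LAN (default config), VLAN interfaces
# vlan10-mgmt, vlan20-security, vlan30-guest, vlan40-media, NAS 192.168.1.20,
# printer 192.168.1.30 (all made up for illustration).

# Group the internal VLAN interfaces so one rule can match "any VLAN"
/interface list
add name=VLAN comment="internal VLAN interfaces"
/interface list member
add interface=vlan10-mgmt list=VLAN
add interface=vlan20-security list=VLAN
add interface=vlan30-guest list=VLAN
add interface=vlan40-media list=VLAN

/ip firewall filter
# Default rules: replies to already-permitted connections pass, invalid is dropped.
# Keep these first, otherwise the final drop rule also kills return traffic.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

# Replacement for "drop all from WAN not DSTNATed": only port-forwarded traffic may enter from WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN

# Explicit permits; rules are evaluated top to bottom, first match wins
add action=accept chain=forward comment="allow vlans to WAN" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin vlan to all vlans" in-interface=vlan10-mgmt out-interface-list=VLAN

# Question 5: cameras and media players may open connections to storage on 192.168.1.x.
# Only 'new' connections originating in those VLANs match; the reverse direction is
# never permitted, so hosts on 192.168.1.x cannot initiate toward the cameras.
add action=accept chain=forward comment="security vlan to camera storage (assumed NAS)" connection-state=new in-interface=vlan20-security dst-address=192.168.1.20
add action=accept chain=forward comment="media vlan to media storage (assumed NAS)" connection-state=new in-interface=vlan40-media dst-address=192.168.1.20

# Shared printer reachable from every VLAN, but only on the printing ports (assumed address)
add action=accept chain=forward comment="vlans to shared printer" connection-state=new in-interface-list=VLAN protocol=tcp dst-address=192.168.1.30 dst-port=631,9100

# Everything not explicitly permitted above is dropped. This must stay the last rule.
add action=drop chain=forward comment="drop all else"
```

Two things worth knowing when you later extend this: plain `add` appends below the "drop all else" rule, where a new permit never matches, so add later rules with `place-before=` pointing at the drop rule (or move them in WinBox). Also note that the guest VLAN gets Internet through "allow vlans to WAN" and nothing else, so guest isolation falls out of the default-drop design without any extra block rules, which is exactly the point anav is making.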
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Mon Apr 12, 2021 7:47 pm

Hi @anav
The diagram is great! I only had one question, where is the guest wifi coming from?? (AP device?)

Glad you like the diagram! It should make setup easier to work through and make maintenance / expansion easier to understand / plan!

Yes, guest Wi-Fi should be available on each wAP-AC device so the whole property is covered.

The same APs should also provide non-guest Wi-Fi.
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Mon Apr 12, 2021 9:20 pm

Hi @Cablenut9

Thanks for your comments!

For starters I'd like to look deeper for a moment at this:
2. You'll lose everything, unless you do an /export to save the certificates.

If I factory reset the router, are the certificates actually deleted?! I read somewhere at some point that certificates are not deletable, just revokable.

Because of this I actually have a couple certs I deemed "improperly" generated. If a reset really deletes everything on the router (including the certs I don't want!) this would actually be a good reason to reset the router. Then I can recreate certs (and probably hone my skills to boot! :-)

Thanks in advance to anyone who knows the answer to this.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Mon Apr 12, 2021 9:32 pm

Hi @anav
The diagram is great! I only had one question, where is the guest wifi coming from?? (AP device?)

Glad you like the diagram! It should make setup easier to work through and make maintenance / expansion easier to understand / plan!

Yes, guest Wi-Fi should be available on each wAP-AC device so the whole property is covered.

The same APs should also provide non-guest Wi-Fi.
Yeah, I would draw dotted lines from your wAP-ACs to the brick wall to make it clear.
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Tue Apr 13, 2021 7:27 am

Hi @anav:
Yeah, I would draw dotted lines from your wAP-ACs to the brick wall to make it clear.

Funny, great minds work alike; I was already working on something like that! :-)

See attached.

Meanwhile, do you happen to have any idea about my question (further up) of what happens to certs if one factory resets a MikroTik router? I recall reading somewhere (and experiencing in Webfig configuration of this hEX-S) that certs cannot (ever? even with a reset?) be deleted.

If a reset does delete them, I'm going to do it, otherwise will just "edit" the hEX-S config. I'm starting to play with VLANs. Interesting stuff. Expecting to "break" Mom's Wi-Fi a bit tonight!
Network Map.RB_Home.v2.2.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Tue Apr 13, 2021 2:38 pm

Only thing I know about certs, is fresh breath. ;-)
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Tue Apr 13, 2021 8:44 pm

Hi @anav:
Only thing I know about certs, is fresh breath. ;-)

Smart Alec! You're showing your age. Certs (the breath mint) were all the rage in California in the 1970s and (maybe) early 80s. Do they still exist in your neck of the woods (Nova Scotia, right)? I think they were discontinued here a few years ago.

While waiting for some of these answers I added VLANs to the new switch and am about to add the same-named VLANs to the hEX-S.

I also updated the network map (one final time?) to make it more obvious that the "management" and "private" devices are in "nested" (probably not a great name I have for this) VLANs.

Conceptually, I know exactly what I want to create, but fully implementing it seems, at the moment, still a bit above my skill set with RouterOS . . .
Network Map.RB_Home.v2.3.png
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

first significant confusion | Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Wed Apr 14, 2021 4:12 am

So . . . I have finally added VLANs to the hEX-S (under interfaces).

My next step was to add IP addresses for the VLANs.

It immediately occurred to me that my bridge has addresses 192.168.1.1/24 (and somehow Ether 2 did as well!)

Can I assign the same range to VLAN10? I think NOT -- the VLAN10 would conflict with the bridge, right?

This also begs the additional question: if everything is VLANed, does the bridge even need to have IP addresses assigned to it?

On the other hand, if I remove addresses from the bridge, will VLANs even be able to "initialize"?
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: first significant confusion | Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Wed Apr 14, 2021 5:11 am

Can I assign the same range to VLAN10? I think NOT -- the VLAN10 would conflict with the bridge, right?

This also begs the additional question: if everything is VLANed, does the bridge even need to have IP addresses assigned to it?

On the other hand, if I remove addresses from the bridge, will VLANs even be able to "initialize"?
The bridge itself does not need an address - you would move the address to VLAN10. A bridge doesn't have to have an IP at all and it will not impact whether or not VLANs will work. For your setup it would be unusual and unnecessary to give the bridge itself an IP - you would instead give your VLAN subinterfaces IP addresses.
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: first significant confusion | Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Wed Apr 14, 2021 5:59 am

Hi @mducharme:
The bridge itself does not need an address - you would move the address to VLAN10. A bridge doesn't have to have an IP at all and it will not impact whether or not VLANs will work. For your setup it would be unusual and unnecessary to give the bridge itself an IP - you would instead give your VLAN subinterfaces IP addresses.

Thanks for the tip.

What about Ether 2 on the hEX-S? I suppose I can drop the IP address binding for that too?

What about VLAN1 for "management"? What is the secret sauce to use the same address range as VLAN10 (or is this sensible in the first place)? My idea is to "keep" VLAN1 as it is the default both with the MikroTik and Netgear equipment, but really all I want to be able to achieve is to use either the server or desktop to easily manage the hEX-S and the switch. If that is easier/better on VLAN10, that would be fine too.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hEX-S "advanced" setup with VLANs, dynamic DNS, CAPsMAN, etc.

Wed Apr 14, 2021 2:16 pm

The secret sauce is following the guide.
All your questions are already answered.
viewtopic.php?f=23&t=143620

It's much better not to saddle the bridge with DHCP responsibilities; the default vlan pvid=1 is kept.
Just make vlan10 your management vlan, which means all devices attached (switches, APs, etc.) get an IP on vlan10.
For MT devices, make a bridge, tag the incoming port and bridge with vlan10 and done; if you are also carrying vlan 10 to other devices then assign tagging or untagging of ether ports/wlans as required.
For non-MT devices,
the rule of thumb is the default pvid of 1 is only removed if it's an access port (where one needs to set a pvid of xx).
In this case, one sets a pvid of xx and the port is untagged for the vlan "U". (Typically one allows only untagged vlans or all frames, as some don't have such an option.)
For trunk ports, one tags such ports with the required vlans "T" (and allows only tagged vlans), ingress filtering = yes.
For MT switches using SwOS:
VLAN SETTINGS
trunk ports --> vlan mode: enabled, vlan receive: any, default vlanID: 1, vlan header: leave as is
access ports --> vlan mode: strict, vlan receive: only untagged, default vlanID: xx (whatever the vlan is for that port), vlan header: always strip
VLANS SETTINGS
Per VLAN ID --> trunk ports are: leave as is (for all vlans running through the port), not a member if a vlan is not running through that port.
Per VLAN ID --> access ports are: leave as is for the pvid vlan, not a member (for all other vlans)
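To make the MT-side advice above and mducharme's earlier answer (addresses on the VLAN interfaces, not on the bridge) concrete, here is an added RouterOS v6 example for the hEX-S. It is not from the thread or the linked guide, and it assumes a port layout (ether1 = WAN, left out; ether2 = tagged trunk to the Netgear switch; ether3 = tagged trunk to the wAP-ACs; ether4 = untagged access port for an entertainment device), VLAN IDs, interface names and subnets that are all made up for illustration.

```routeros
# Added example, not from the thread: bridge VLAN filtering on a hEX-S with
# vlan10 as the management VLAN. Port roles, VLAN IDs, names and subnets are assumptions.

/interface bridge
add name=bridge vlan-filtering=no comment="filtering is switched on as the very last step"

# Trunk ports keep the default pvid=1 and accept only tagged frames;
# the access port gets the PVID of its VLAN and accepts only untagged frames.
/interface bridge port
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether4 pvid=40 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# Bridge VLAN table: "bridge" itself is a tagged member of every VLAN so the
# router's own vlan interfaces can reach them; both trunks carry all VLANs tagged.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether2,ether3 comment="management"
add bridge=bridge vlan-ids=20 tagged=bridge,ether2,ether3 comment="security cameras"
add bridge=bridge vlan-ids=30 tagged=bridge,ether2,ether3 comment="guest wifi"
add bridge=bridge vlan-ids=40 tagged=bridge,ether2,ether3 untagged=ether4 comment="entertainment"

# Layer-3 interfaces, one per VLAN, all hanging off the bridge
/interface vlan
add name=vlan10-mgmt interface=bridge vlan-id=10
add name=vlan20-security interface=bridge vlan-id=20
add name=vlan30-guest interface=bridge vlan-id=30
add name=vlan40-media interface=bridge vlan-id=40

# Addresses go on the VLAN interfaces; the bridge gets none
/ip address
add address=192.168.1.1/24 interface=vlan10-mgmt
add address=192.168.2.1/24 interface=vlan20-security
add address=192.168.3.1/24 interface=vlan30-guest
add address=192.168.4.1/24 interface=vlan40-media

# DHCP: one pool, one server and one network entry per VLAN
/ip pool
add name=pool-mgmt ranges=192.168.1.100-192.168.1.199
add name=pool-security ranges=192.168.2.100-192.168.2.199
add name=pool-guest ranges=192.168.3.100-192.168.3.199
add name=pool-media ranges=192.168.4.100-192.168.4.199
/ip dhcp-server
add name=dhcp-mgmt interface=vlan10-mgmt address-pool=pool-mgmt disabled=no
add name=dhcp-security interface=vlan20-security address-pool=pool-security disabled=no
add name=dhcp-guest interface=vlan30-guest address-pool=pool-guest disabled=no
add name=dhcp-media interface=vlan40-media address-pool=pool-media disabled=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1

# Put the VLAN interfaces in the LAN list so the default input/forward rules treat them as inside
/interface list member
add interface=vlan10-mgmt list=LAN
add interface=vlan20-security list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan40-media list=LAN

# Last step, only after confirming you can reach the router over vlan10 through the switch:
/interface bridge
set bridge vlan-filtering=yes
```

Leaving `vlan-filtering=no` until the end is deliberate: the moment it is enabled, any port not listed in the VLAN table for the VLAN your management PC is on stops passing your traffic, and on a hEX-S that means a trip to the console or a reset. Set the Netgear trunk port to tag the same VLAN IDs toward ether2 before flipping it, and use Safe Mode in WinBox so a mistake reverts itself.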
