atosh12
just joined
Topic Author
Posts: 6
Joined: Fri Mar 26, 2021 9:51 pm

help with setting up home network

Tue Apr 27, 2021 12:29 am

Hello!
I am setting up my home network (diagram attached). I had a few questions before I actually start on it.
1) I want to have clients isolated from each other especially wifi ones (2.4 & 5 GHz)
2) would like to use vlan filtering, if possible.
3) using heX S (no wireless), smart switch (TLSG108E), & asus router (RT1200 gigabit).

Is this possible with this setup? If not, any suggestions.
Thanks for your help!
Al
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: help with setting up home network

Tue Apr 27, 2021 10:32 am

...in principle yes, this should be possible.
It will depend on the capability of your ASUS to enable VLAN tagging for each WiFi Interface or even SSID (if you plan to have more than one per band).
Edit: ...and you do not want to run your ASUS in router mode but rather in AP-mode, if the firmware is capable of doing so. If the stock firmware is not capable of doing that, you'll either have to move away from the ASUS or try a different firmware source (merlin or openwrt, for example)
Edit2: Wifi-Client isolation also needs to be enabled / is a feature of the ASUS and its firmware ... you will need to test, if this needs additional tweaks in the Hex-S but I think not.

Also assuming your Switch is capable of enabling VLANs, you most likely - for simplicity - would want to enable each port as a trunk port unless you want to force non-VLAN-capable clients into one, by using single ports as access ports, like for your TV.

See this for a start: viewtopic.php?t=143620 ... you should start with the "Switch with a separate router (RoaS)" scenario.

You also will need to run each VLAN through the Hex-S and its firewall, for performing the VLAN filtering and isolation in there.
In terms of performance expectations, I don't have the real experience with the Hex-S, but for that, what you have sketched in your paper, it will be fine, I think.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help with setting up home network

Tue Apr 27, 2021 5:10 pm

Very reasonable plan if the ASUS is a smart wifi device (if not, suggest the TPLINK EAP245, a stable, decent wifi5 device that handles vlans and is not costly).
I would look at your hex S management access as more of an emergency access in case something funky happens with the rest of the bridge config (we are human, we will lock ourselves out at some point). So for ether5 just keep it as its own interface and subnet OFF the bridge and something you can plug a laptop into at any time to gain access to the router for config purposes.

As far as a management vlan, for at home just use the trusted network (homelan) as dual purpose, home vlan and management vlan. The reason for a management vlan is to be able to access all your devices for config purposes and most importantly to limit access to the router from the LAN side.
The way you narrow access down is by firewall rules and interface list members.

interface
WAN
LAN
MGMT

Interface list members
Bridge=LAN
ether5-emerg=LAN
ether1=WAN
vlanhome=MGMT
ether5-emerg=MGMT

In firewall rules make up a firewall address list (of static fixed lan ips) which can then be applied in various rules
ip of admin desktop = adminaccess
ip of admin laptop=adminaccess
ip of admin smartphone=adminaccess
subnet of ether5 =adminaccess

Ex rules
input chain in-interface-list=MGMT source-address-list=adminaccess
forward chain in-interface-list=MGMT source-address-list=adminaccess out-interface=bridge (access to all vlans)
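
The interface lists, address list and input rule outlined in the post above, written out as RouterOS commands. This is an added example, not part of the original post or the poster's own config: it assumes a bridge named bridge1 already exists, and the VLAN id and all IP addresses are constructed placeholders. It covers access to the router itself (input chain) only.

```routeros
# Added example. Assumes bridge1 exists; VLAN id and addresses are constructed.

# Emergency port: renamed, given its own subnet, never added to the bridge
/interface ethernet set [find default-name=ether5] name=ether5-emerg
/ip address add address=192.168.55.1/24 interface=ether5-emerg

# Trusted home VLAN doubles as the management VLAN
/interface vlan add name=vlanhome interface=bridge1 vlan-id=10

/interface list
add name=WAN
add name=LAN
add name=MGMT

/interface list member
add interface=bridge1 list=LAN
add interface=ether5-emerg list=LAN
add interface=ether1 list=WAN
add interface=vlanhome list=MGMT
add interface=ether5-emerg list=MGMT

# Static IPs of the admin devices plus the emergency subnet
/ip firewall address-list
add list=adminaccess address=192.168.10.10 comment="admin desktop"
add list=adminaccess address=192.168.10.11 comment="admin laptop"
add list=adminaccess address=192.168.10.12 comment="admin smartphone"
add list=adminaccess address=192.168.55.0/24 comment="ether5 emergency subnet"

# Order matters: every accept rule must sit above the final drop,
# otherwise enabling the drop cuts off the session that is configuring it
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to router"
add chain=input action=accept in-interface-list=MGMT src-address-list=adminaccess comment="admin access only"
add chain=input action=accept in-interface-list=!WAN protocol=udp dst-port=53 comment="DNS for local clients"
add chain=input action=accept in-interface-list=!WAN protocol=tcp dst-port=53 comment="DNS for local clients"
add chain=input action=drop comment="drop all else"
```

With these rules a device can reach the router's management services only if it arrives on vlanhome or ether5-emerg and its source address is in adminaccess.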
 
atosh12
just joined
Topic Author
Posts: 6
Joined: Fri Mar 26, 2021 9:51 pm

Re: help with setting up home network

Fri Apr 30, 2021 2:02 am

Thank you @Hominidae and @anav for your suggestions & help. I will see if I am able to flash openwrt on my asus router, else I will get hold of an EAP245.

I did some basic setup and was wondering if someone would be able to comment/suggest/clarify things. I am attaching the diagram as well as the configuration file.
I haven't configured the smart switch or the AP yet. Also, I haven't finished configuring the ip services yet as well as the final drop all firewall rule. I forgot to write out the mgmt_vlan on the diagram. It is tagged on ether4.

Couple of questions (more to come later):
1) do I need to put vlans in interface list (I have)?
2) which would be the trusted ports? (ether 2, 3, 4 ??)
3) I tried checking emergency (ether5) access which was successful, but then I noticed that the router had added another dhcp pool which is identical to the one before.
I suspect that it has more to do with my confusion over networking.
4) Anything weird/redundant/missing from the configuration?

If someone can help out, that would be appreciated!
Thanks
Al
Last edited by atosh12 on Sat May 08, 2021 5:56 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help with setting up home network

Fri Apr 30, 2021 4:18 am

This is the best document for reading prior to setting up, sorry I didn't link it before.
viewtopic.php?f=23&t=143620

Two comments.
1. the vlans interface is the bridge not etherports
2. set this to none as it's known to cause issues
/interface detect-internet
set detect-interface-list=LAN internet-interface-list=LAN lan-interface-list=\
MGMT

okay one more
3. Your bridge ports do not jive with the diagram, eth2 and eth3 look like they are going to dumb devices and yet you have trunk ports indicated in the config??
Eth4 carries all vlans to the next node, the switch.

sorry saw something else
Ether5 is your emerg access, therefore in IP address the interface is NOT the bridge but ethernet 5!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help with setting up home network

Fri Apr 30, 2021 4:39 am

and why does ether1 your WAN connection have a dhcp server setting??

you have two pools for 192.168.5.x

You have 13 vlans
which means you should have
15 IP addresses (includes 13 vlans, and 1 emerg-access for ether5)
14 dhcp servers
14 dhcp server networks
14 ip pools.

Simplify the list members.
get rid of VLAN list altogether, it's not even used in fw rules............
add interface=bridge1 list=LAN (this covers all the vlans)
add interface=ether5 list=LAN
keep the MGMT ones as that is useful.
 
atosh12
just joined
Topic Author
Posts: 6
Joined: Fri Mar 26, 2021 9:51 pm

Re: help with setting up home network

Wed May 05, 2021 12:11 am

Thanks @anav for your detailed reply. Unfortunately, I couldn't get my ip phones to work with this setup so I will start all over again. I suspect it may have something to do with either the firewall rules or sip alg. I will do some more reading before starting the setup again.

I was wondering about the vlan settings on the bridge i.e. vlan filtering (y or N), ingress filtering (Y or N), frame type (admit all or vlan tagged or untagged & priority tagged)
and on the bridge port i.e. vlan filtering (Y or N) and frame types ?

Thanks again!
Al
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help with setting up home network

Wed May 05, 2021 1:43 am

I do not set any filtering on the BRIDGE itself, (leave as default totally, only thing to do is enable when the config is complete).
On bridge ports yes I set ingress filtering=yes and limit packet types to only vlan tags for trunk ports and only priority and untagged frames at access ports.

My understanding is that the MT sip alg is best not used and that SIP equipment should just work in the normal settings.
What kind of sip equipment are you using??
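
The bridge port settings described in the post above (ingress filtering on every port, tagged-only frames on trunks, untagged and priority-tagged frames on access ports, bridge VLAN filtering switched on last), written out as RouterOS commands. This is an added example, not part of the original post: the port roles, VLAN ids, interface names other than ether2/ether4 and all addresses are constructed, and it assumes ether5 stays off the bridge with its own address so a misstep in the last command does not cut off access.

```routeros
# Added example. VLAN ids, names and addresses are constructed.

# Build the bridge with VLAN filtering still off
/interface bridge add name=bridge1 vlan-filtering=no

/interface bridge port
# Trunk to the switch: tagged frames only
add bridge=bridge1 interface=ether4 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
# Access port for a non-VLAN-aware device: untagged frames land in VLAN 10
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: the bridge itself is a tagged member of every VLAN the
# router has to route or serve DHCP on
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether4 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether4

# Layer-3 interfaces sit on the bridge, not on the ethernet ports
/interface vlan
add name=vlanhome interface=bridge1 vlan-id=10
add name=vlanguest interface=bridge1 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlanhome
add address=192.168.20.1/24 interface=vlanguest

# Last step, once everything above is in place
/interface bridge set bridge1 vlan-filtering=yes
```

Running the final command from a laptop plugged into the off-bridge ether5 port keeps the session alive while the bridge switches to filtering.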
 
Halfeez92
Member Candidate
Posts: 101
Joined: Tue Oct 30, 2012 12:58 pm
Location: 127.0.0.1

Re: help with setting up home network

Wed May 05, 2021 1:49 am

atosh12 wrote:
> Thanks @anav for your detailed reply. Unfortunately, I couldn't get my ip phones to work with this setup so I will start all over again. I suspect it may have something to do with either the firewall rules or sip alg. I will do some more reading before starting the setup again.
>
> I was wondering about the vlan settings on the bridge i.e. vlan filtering (y or N), ingress filtering (Y or N), frame type (admit all or vlan tagged or untagged & priority tagged)
> and on the bridge port i.e. vlan filtering (Y or N) and frame types ?
>
> Thanks again!
> Al

You may read the article and guide that anav posted before.

From my understanding, VLAN filtering is to enable the VLAN function on the bridge ports (be careful activating this as you could be locked out of your router if the VLAN is not configured properly). Ingress filtering is to filter the incoming packets into the port. For the frame type, admit all means admit all VLANs, vlan tagged is for a trunk port and untagged/priority tagged is for an access port.
 
atosh12
just joined
Topic Author
Posts: 6
Joined: Fri Mar 26, 2021 9:51 pm

Re: help with setting up home network

Wed May 05, 2021 2:40 am

Thank you @Halfeez92 for your explanation of the terms.
 
atosh12
just joined
Topic Author
Posts: 6
Joined: Fri Mar 26, 2021 9:51 pm

Re: help with setting up home network

Wed May 05, 2021 3:02 am

anav wrote:
> I do not set any filtering on the BRIDGE itself, (leave as default totally, only thing to do is enable when the config is complete).
> On bridge ports yes I set ingress filtering=yes and limit packet types to only vlan tags for trunk ports and only priority and untagged frames at access ports.
>
> My understanding is that the MT sip alg is best not used and that SIP equipment should just work in the normal settings.
> What kind of sip equipment are you using??

Thank you @anav for your reply. I understand that vlan filtering has to be enabled or the bridge will just act as an unmanaged switch. I checked vlan filtering, vlan tagged only, and ingress filtering on the bridge at the very end, and got locked out every time. So, I think there is an issue with my configuration. I think I need to further simplify my simplified diagram and start with just a bridge, one trunk port, a switch and 2-3 vlans only, and get that working properly first. I will start a new post with the diagram and config file when I have things set up.

I am currently using linksys pap2t & obi200.
Thanks
Al
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help with setting up home network

Wed May 05, 2021 5:18 am

Hi atosh,
Don't be alarmed but enabling the vlan filtering causes the router to burp.
Don't be afraid, one can reconnect to the router after this and normally one checks vlan filtering to see if the enabling sticks and voila it's then enabled.
Sometimes it takes two attempts.

One should not be locked out of the router, simply need to relogin.
 
atosh12
just joined
Topic Author
Posts: 6
Joined: Fri Mar 26, 2021 9:51 pm

Re: help with setting up home network

Tue May 11, 2021 2:21 am

Thanks @anav. I started again and have it working but for the last firewall rule (line 144) i.e. drop all else. I am attaching the diagram and the config file. As soon as I enable this firewall rule, I lose connection. I am unable to figure out where I am messing up. Any help/suggestion would be appreciated.

Thanks
Al
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help with setting up home network

Tue May 11, 2021 5:30 am

Your config does not match up.

Really suggest you read this link and follow it properly
So many things wrong................. for starters only one bridge port??

viewtopic.php?f=23&t=143620
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help with setting up home network

Tue May 18, 2021 3:23 pm

Hi torumund,
without your config, not much one can say........
