Andreaux
just joined
Topic Author
Posts: 6
Joined: Sat Jul 03, 2021 4:58 pm

Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Sat Jul 03, 2021 9:26 pm

Hello all,

First of all, I apologize for the really noob question here, but I'm a bit confused about which route to go here. Here's my topology.

I have a Mikrotik RB4011 connected to 1Gbps WAN,
I have 2 L2 Switches and a WiFi router connected to the RB4011.
I have another WiFi AP connected to one of the switches.

I am trying to separate a Guest WiFi and my IoT devices from the general LAN.

What would be the best solution given that:
1. Guest WiFi and regular WiFi come from the same AP (other APs connect to the first AP via WDS). If I have the port the AP is connected to tagged on a VLAN by the switch, I will end up with both regular and guest having the same VLAN (the AP is not capable of tagging them).
2. Some IoT devices connect to one switch directly, others connect to the other switch, while the rest connect to a 3rd smaller WiFi AP connected to one of the switches so I can't really define a port on there that would be the IoT VLAN as they're scattered throughout the house.
3. I have in-house services like a TrueNAS box for storage and backup of clients. Non-guest wifi clients should be able to access that, but guests should not see anything on the LAN.
4. Even if I separate the IoT devices, I would need to be able to access them from the LAN or WiFi (non-guest), but not the other way around.

So far everyone sees everyone and all clients enjoy almost the full Gbit WAN connection, which is great, but I'd like to keep my NAS and other LAN-only devices safe from guests and IoT devices while not dropping below gigabit for LAN clients.

I understand that the switch chip in the RB4011 can't do VLANs and that I have a choice between bridge- or port-based.

Any advice would be greatly appreciated.
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Sat Jul 03, 2021 11:14 pm

...this is the first thing you should read and understand: viewtopic.php?f=13&t=143620
The basic logic/concept applies to all hardware, not only MT devices based on RouterOS.

Are your L2 Switches and APs VLAN capable?
Especially when running separate WiFi networks/SSIDs on the same single wired-connected AP, using tagged VLANs is a must.

Then, start to think about the layout of your future network based on VLANs, independent of software capabilities and settings.
You'll want individual VLANs for each distinctive network you want to manage/use.
Then go from there and configure each component, VLAN for VLAN.
Do not forget to create a separate Management VLAN.
Focus on getting connectivity first. Only after that, configure the RB4011 firewall to create the desired separations (Guest, IoT, reachable from LAN only, ...).

Do not worry about the VLAN features or lack thereof in the Switch-Chip of the RB4011, its CPU will compensate for that with ease.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Sun Jul 04, 2021 12:39 am

Just to add to what was very well stated.
The second WiFi router should probably be set as a switch/AP and not a router.
Very important Q: the L2 switches, are they VLAN capable (tag and untag frames)?

As for the management VLAN, it's not 100% necessary as you may use a trusted home VLAN as well for the same purpose.
It depends on how much security you need or want. For example I use my home vlan as a trusted vlan and all smart devices get their IP on that vlan and all dumb devices get the IP of the vlan they happen to be on (iot, guest wifi, or a dumb switch).

The link provided is most excellent
 
Andreaux
just joined
Topic Author
Posts: 6
Joined: Sat Jul 03, 2021 4:58 pm

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Sun Jul 04, 2021 1:28 am

The switches are L2 capable, can tag/untag based on ports, however the APs can't. That's one of my issues. The same AP would provide access for both the regular and the guest WiFi so I don't have any idea how to tell them apart.

Thanks a million for your suggestions so far. I'm off in a moment to read the link you posted.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Sun Jul 04, 2021 2:17 am

however the APs can't. That's one of my issues. The same AP would provide access for both the regular and the guest WiFi so I don't have any idea how to tell them apart.
Yes, you have a problem. Unless there is some magic I don't know about, you need to either have access points that understand VLANs OR separate access points, one for each WiFi network.
 
Andreaux
just joined
Topic Author
Posts: 6
Joined: Sat Jul 03, 2021 4:58 pm

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Sun Jul 04, 2021 2:28 am

That's exactly my issue. I have 2 floors to "serve" and have 2 access points which form a WDS and a third which is a separate SSID.

Also, I have the same issue with IoT devices. Some connect wired (I can have those ports tagged, for sure), however some access wirelessly and I have no clue how I could isolate them. I thought about separating by MAC address. Would that work? That wouldn't work for guest Wi-Fi as MAC addresses can be forged, but my IoT devices won't swap MAC addresses on their own.

Thanks for the help so far!
Last edited by Andreaux on Tue Jul 06, 2021 12:48 am, edited 1 time in total.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Sun Jul 04, 2021 2:42 am

My recommendation would be to get some new access points that understand VLANs. Personally I am using Meraki, which are getting fairly inexpensive on the used market, but the management service is rather expensive. Works really well at my house. I can run up to 15 SSIDs (not that I would need anywhere near that many).
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Sun Jul 04, 2021 2:47 am

Consider shopping for a product like the Audience; I cover two apartments with ONLY ONE DEVICE,
110 square meters earth floor (is that the English word?), 120 square meters 1st floor;
the device is near the center of the "earth floor" on top of a wardrobe.

Doing VPN with that device is extremely easy; you can create, for example,
1 VPN for your laptop/smartphone
1 VPN for topbox/sat decoder
1 VPN for Alexa
1 VPN for 1st floor apartment
1 VPN for Guests
etc.

I suggest that device to you....

If you are curious, this is how my Audience is configured:
viewtopic.php?f=7&t=175543&p=859309#p859309
 
Andreaux
just joined
Topic Author
Posts: 6
Joined: Sat Jul 03, 2021 4:58 pm

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Sun Jul 04, 2021 5:40 am

I just found out that my AP (Apple Airport Time Capsule) assigns VLAN 1003 to guest wireless clients, so at least I have something to start with in that department. I'll keep you posted about any progress.

Thanks guys.
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Mon Jul 05, 2021 4:53 pm

I just found out that my AP (Apple Airport Time Capsule) assigns VLAN 1003 to guest wireless clients, so at least I have something to start with at least in that department.
...put it to a test.
Define VLAN ID=1003 in the RB4011 and attach the AP, with Guest-Wifi enabled.
Do you really see tagged traffic with that ID, when connecting a client to guest WiFi and then browsing the Web?

There are other AP models, like Ubiquiti/UniFi, that handle this thing internally and will simply block all traffic that is not going to the default route or network gateway respectively.
All traffic from guest wifi will still appear untagged.
However, this only works for up to 2 SSIDs (where these are 1x guest + 1x non-guest/LAN).
Should you need more (guest, home, IoT, ..) you cannot go without vlans for these.

If the AP does not support VLANs natively, do not mess around trying to circumvent things in the setup.
The next firmware update will most likely break it anyway....just replace the AP with one that supports tagged VLANs.
 
Andreaux
just joined
Topic Author
Posts: 6
Joined: Sat Jul 03, 2021 4:58 pm

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Mon Jul 05, 2021 7:55 pm

Thanks for the suggestion.

Yes, it does. I managed to separate my guest WiFi from the rest. I also put a bandwidth limit on it so it cannot overstep its boundaries. I'm unable to access anything on the LAN from the guest WiFi, but can access everything on the LAN from the general WiFi.

I can't however (at least not yet) have the general WiFi traffic tagged so that I can separate that too (although with more access to the LAN). I'll experiment with creating a hybrid port on the RB4011, where the Time Capsule connects directly, and try to achieve tagging of untagged traffic only. I'm not sure I'll manage to do that, but that's the next goal. Does that sound right?

I also can't put separate MAC-address filtering and/or time-based access rules in the Time Capsule for the guest WiFi and general WiFi, so I had to turn MAC-address filtering off on the AP.

Thanks for the help so far.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Mon Jul 05, 2021 8:56 pm

From a bit of reading, you need to turn Network Off, which means it becomes a switch and DHCP client; I believe the setting selection is (Off) Bridge Mode.
Then you can use all ports as switch ports.
Not sure about wireless settings nor if the Time Capsule is capable of reading VLAN tags...

Not looking good so far.
"...The conclusion: guest network traffic is tagged VLAN 1003, while "internal" traffic is simply untagged. Whether or not AirPort Extremes always use VLAN 1003 is unknown, but now you know how to look and see in your own setup... if you wanted to do that. Okay, I realize that I am probably literally the only person out there who wanted to do that"

"...The issue is that Apple uses VLAN 1003 tagged on the Airport, BUT they actually do NOT support using a managed switch with the same VLAN Tag!! I was seriously baffled at what I found. They have said they only support the roaming configuration with Airports connected to each other via the built-in LAN ports, OR an unmanaged switch. They flat-out do not support using a high-end managed switch tagging and passing the traffic. In fact, in reading the Apple forums they admit the problem and refuse to fix the bug."

In other words, I am not convinced you can have TWO separate networks running through the Time Capsule: either you have the non-tagged normal LAN OR the tagged guest VLAN.


You may want to test it this way.

Bridge on MT router
Let's say ETHER2 goes to a Time Capsule
VLAN20 is Home users (for wired or wireless use, home is home)
VLAN1003 is Guest users

Bridge for your MT network is called BridgeHome
Note both vlan20 and vlan1003 are identified with BridgeHome as the interface, then the usual 4 settings of, IP address, IP Pool, DHCP-Server, and DHCP-Server Network.
We will try and setup a hybrid port scenario.

/interface bridge port
# hybrid port: untagged frames from the Time Capsule get PVID 20, frames already tagged 1003 are admitted as-is
add bridge=BridgeHome interface=ether2 frame-type=admit-all pvid=20

/interface bridge vlan
add bridge=BridgeHome tagged=BridgeHome,ether2 vlan-ids=1003
add bridge=BridgeHome tagged=BridgeHome untagged=ether2 vlan-ids=20


Then see if the home apple user can get an IP and internet connectivity
Then see if the guest apple user can get an IP and internet connectivity

The problem is I have my doubts the Time Capsule can handle both untagged traffic (vlan20) and tagged traffic 1003 at the same time, but you won't know until you test it.
By untagged the router takes any traffic from apple without tags and applies vlan20 tags to it and then when it sends this traffic back to the time capsule it strips the vlan20 tags first.
 
Andreaux
just joined
Topic Author
Posts: 6
Joined: Sat Jul 03, 2021 4:58 pm

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Tue Jul 06, 2021 12:38 am

Hello there,

I think there's some misunderstanding. I'm not using the AP as a switch, my topology in this regard is (RB4011/eth10)--(Time Capsule/Wan) . . . (Airport Extreme/WDS).
Time Capsule is in Bridge Mode, 5GHz and 2.4GHz Wifi serve regular WiFi clients and Guest WiFi serves guest clients. The Airport Extreme doesn't support a guest WiFi so it's just extending the regular WiFi's range.
I have 2 switches hooked to 2 ports on the RB4011 and they serve wired LAN clients and an additional small WiFi AP, but that's a separate SSID.

What I managed so far.
I have the Time Capsule tag guest WiFi traffic with VLAN 1003 which is handled by the RB4011 and there is no connection to the LAN from there. Traffic on the guest WiFi is limited to 20/5Mbps in the RB4011.

What I would still need is to have the rest of the traffic from the Time Capsule handled separately while keeping the traffic tagged with VLAN 1003 unchanged. In other words, tag the rest of the traffic from the Time Capsule with some other VLAN by the RB4011.

Also my other issue is with IoT devices which are more-or-less scattered around the house. I'd like to have them on the same VLAN, but there's no port I can single out for most of them as some access via WiFi, some via ethernet. I know their MAC addresses, but I don't feel that's a really secure solution (if at all I can separate them via MAC address). Also, I would need to access them from the LAN, but not the other way around. Does it sound silly to have them on an IoT dedicated VLAN or should I treat them one-by-one with firewall rules?
I'm a bit afraid that if they change their MAC address, they'll be let loose on the network. What's the best approach in this case? I'm a bit clueless with those.

Thanks for the precious help.
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Home LAN/WiFi/Guest WiFi/IoT devices advice needed

Tue Jul 06, 2021 9:56 am

Hello there,

I think there's some misunderstanding. I'm not using the AP as a switch, my topology in this regard is (RB4011/eth10)--(Time Capsule/Wan) . . . (Airport Extreme/WDS).
I don't know that Apple stuff, but do you really mean WAN, or did you misspell WLAN/WiFi?...assuming you meant WiFi

Time Capsule is in Bridge Mode, 5GHz and 2.4GHz Wifi serve regular WiFi clients and Guest WiFi serves guest clients. The Airport Extreme doesn't support a guest WiFi so it's just extending the regular WiFi's range.
I have 2 switches hooked to 2 ports on the RB4011 and they serve wired LAN clients and an additional small WiFi AP, but that's a separate SSID.
So the Time Capsule is the only AP that serves more than one SSID (guest + regular)?

What I managed so far.
I have the Time Capsule tag guest WiFi traffic with VLAN 1003 which is handled by the RB4011 and there is no connection to the LAN from there. Traffic on the guest WiFi is limited to 20/5Mbps in the RB4011.
Just to confirm:
You managed to define a *tagged* VLAN 1003 in the RB4011 according to the documentation given earlier in that link above?
When opening your Interface List, do you see the VLAN 1003 attached to the bridge and, when doing a speedtest with a guest client, do you see traffic flowing in the RX/TX columns of that VLAN 1003?

What I would still need is to have the rest of the traffic from the Time Capsule handled separately while keeping the traffic tagged with VLAN 1003 unchanged. In other words, tag the rest of the traffic from the Time Capsule with some other VLAN by the RB4011.
If that SSID is the only other, besides guest, on that AP and guest is a tagged VLAN, the traffic from the regular SSID will be untagged and, if defined correctly, will be identified by the VLAN filter in the bridge.
You then can define another VLAN ID (i.e. 10) and use this as PVID for untagged traffic in the bridge port of the physical port where your Time Capsule is connected (ether10 it was in your case), and the RB4011 (bridge) port will tag it for you.

Also my other issue is with IoT devices which are more-or-less scattered around the house. I'd like to have them on the same VLAN, but there's no port I can single out for most of them as some access via WiFi, some via ethernet. I know their Mac addresses, but I don't feel that's a real secure solution (If at all I can separate them via mac address).
As your Switches are L2 capable, define port based VLANs / access ports for the ethernet connected IoT devices (fan-out with more ports/switches, until you are 1:1). Also, if the AP serving them is not VLAN capable, use one or more dedicated APs with IoT-SSID and connect these to an access port on a switch.

Also, I would need to access them from the LAN, but not the other way around. Does it sound silly to have them on a IoT dedicated VLAN or should I treat them one-by-one with firewall rules
Once you have them in a dedicated VLAN, just define a filter rule in the forward chain, dropping all traffic *initiated* (new) from that IoT VLAN, where the destination is your regular LAN/VLAN or not equal to WAN.
The connection from inside your LAN/regular VLAN should still work, as you normally would allow forward for already related / established connections that are response-traffic from IoT to LAN (previously newly initiated from LAN to IoT, which is what you want).

Remark 1: it definitely is a good practice to put your IoT devices in a separate VLAN. Many of these, not with open firmware, are "phoning home" and you never know what they are doing.
For example, I do have a power converter from my solar array that establishes a permanent connection to the manufacturer, so some maintenance guy can log into it, if need be.
With the "right", bogus firmware, this device would allow for more in my LAN...so I have this little thing in a dedicated VLAN/DMZ, even separated from other IoT devices.
I also only use IoT devices controllable/connected via MQTT and have a dedicated MQTT broker in another VLAN, with an MQTT bridge to the MQTT broker in the IoT VLAN, controlling MQTT access from inside LAN to the outside IoT VLAN only.

Remark 2: instead of going through the hassle, fiddling with your SSIDs and VLANs, just ditch that Apple consumer stuff and get some decent APs...you'd be surprised that they are a lot cheaper than you think. Look into the TP-Link Omada series, for example....of course MT APs will also do fine in this regard, but their WiFi performance is below par.
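Putting anav's hybrid-port setup and the forward-chain rules above into one RB4011 configuration, as an added example that is not from any poster in this thread. It assumes ether1 is WAN with an existing srcnat masquerade rule, ether10 faces the Time Capsule, ether2/ether3 are tagged trunks to the two L2 switches, VLAN 20 is home, VLAN 1003 is guest and VLAN 30 (chosen here) is IoT; addressing and DHCP are shown for the home VLAN only.

```routeros
# Added example (not from the thread). Assumed: ether10 = Time Capsule
# (hybrid port: untagged home + tagged 1003 guest), ether2/ether3 = trunks
# to the two L2 switches, VLAN 20 = home, VLAN 1003 = guest, VLAN 30 = IoT
# (chosen here), bridge name BridgeHome. Apply from the console or MAC-Winbox,
# not over a port you are about to move into the bridge.
/interface bridge
add name=BridgeHome vlan-filtering=no
/interface bridge port
# hybrid port: untagged frames from the AP get VLAN 20, tagged 1003 passes through
add bridge=BridgeHome interface=ether10 pvid=20 frame-type=admit-all ingress-filtering=yes
# trunks to the switches carry all three VLANs tagged
add bridge=BridgeHome interface=ether2 frame-type=admit-only-vlan-tagged ingress-filtering=yes
add bridge=BridgeHome interface=ether3 frame-type=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=BridgeHome tagged=BridgeHome,ether2,ether3 untagged=ether10 vlan-ids=20
add bridge=BridgeHome tagged=BridgeHome,ether10,ether2,ether3 vlan-ids=1003
add bridge=BridgeHome tagged=BridgeHome,ether2,ether3 vlan-ids=30
# one L3 interface per VLAN, all on the bridge
/interface vlan
add name=vlan20-home interface=BridgeHome vlan-id=20
add name=vlan1003-guest interface=BridgeHome vlan-id=1003
add name=vlan30-iot interface=BridgeHome vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan20-home
add list=LAN interface=vlan1003-guest
add list=LAN interface=vlan30-iot
# the "usual 4 settings", shown for the home VLAN; repeat for 1003 and 30
/ip address
add address=192.168.20.1/24 interface=vlan20-home
/ip pool
add name=pool-home ranges=192.168.20.100-192.168.20.199
/ip dhcp-server
add name=dhcp-home interface=vlan20-home address-pool=pool-home disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
/ip firewall filter
# replies to connections opened from home pass; nothing else crosses VLANs by default
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# guest: Internet only, nothing internal
add chain=forward action=accept in-interface=vlan1003-guest out-interface-list=WAN
add chain=forward action=drop in-interface=vlan1003-guest
# IoT may not open connections to any other internal VLAN (home -> IoT still works)
add chain=forward action=drop connection-state=new in-interface=vlan30-iot out-interface-list=LAN
# enable filtering last, once all VLAN entries above exist
/interface bridge
set [ find name=BridgeHome ] vlan-filtering=yes
```

After applying, the test anav describes still applies: a home client on the Time Capsule should get a 192.168.20.x lease, a guest client a lease from the 1003 network, and a guest or IoT client should be unable to open a connection to the NAS while the NAS remains reachable from home.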
