Topic Author
Joined: Mon May 25, 2020 3:56 pm

CSS326-24G-2S+ VLAN and sharing

Mon May 25, 2020 4:08 pm

Hi. I have been struggling for a week now to set up VLANs on a MikroTik switch, read whatever I could find, but no success.

Here is my situation:
- Port 1 router 1
- Port 2 router 2
- Port 3 printer
- Port 23 Backup disk
- Port 24 NAS

Would like to have two VLANs: one for company, which is on router 1 and ports 4-16, one for home, on router 2 and ports 17-20. Until here everything is OK, but:
I need BOTH VLANs to access the printer, backup disk and NAS. If I leave them on default VLAN 1 and permit any packet, they are not accessible.
I have set them as a member of each VLAN group. It seems like VLANs (groups) do NOTHING. As if I don't set anything. The only visible units are those that have the right VLAN marked in the VLAN menu. Why would we have to set the group member if they don't mean anything?
I am using the latest version of SwOS. Is this a bug maybe, or I don't know how to set it?

Any help?
Best regards,
Re: CSS326-24G-2S+ VLAN and sharing

Mon May 25, 2020 4:19 pm

Essentially you're running two LAN networks, company and home. And any device (printer, NAS, ...) can only be part of one network. So if you want connectivity from another network, there has to be a router between the networks. A simple switch cannot do it, and VLANs don't help here if the devices (printer, NAS) themselves are not VLAN capable (the NAS might even be, but printers usually are not).
So you'll need some router to do the (limited) routing between the networks.
Topic Author
Re: CSS326-24G-2S+ VLAN and sharing

Mon May 25, 2020 4:32 pm

Thank you for the answer. I thought there might be something in this way. But still not sure why there are group members for each different VLAN?

So then a solution is only by isolating ports. But here is also a problem why there are home devices connected to different router (WiFi) with different gateway. It seems there will also be a problem.
Re: CSS326-24G-2S+ VLAN and sharing

Wed Jun 03, 2020 8:59 pm

You largely need a router to accomplish what you are trying to do. Here's the problem. When you put both VLANs onto a single port (the NAS for example), the data stream from the switch to the NAS will have all the traffic VLAN tagged. Since your NAS presumably is not capable (or at least not configured) for VLAN operation, it's not going to work well. The NAS may TRY to process the data by ignoring the VLAN tags. The situation is worse in the other direction because the NAS would NOT be VLAN tagging the traffic, so the switch (which would be expecting VLAN tags) would not know where to send the packets. All that means that two-way communication would not happen. You need a router to route traffic between VLANs.

One other possible way (I have not fully thought this through) would be to not use VLANs, but segment the ports using the port isolation table. I've never really played with that, but it might work. The biggest issue there may not be the switch, but getting compatible IP schemes between the networks. You still may need a router somewhere in the picture.
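An added example, not part of the original posts: the tagging problem described in the reply above, shown on raw Ethernet frames. The MAC addresses, payload and VLAN IDs 10 and 20 are constructed for illustration, and the `pvid` / `accept_untagged` parameters model generic 802.1Q ingress behaviour rather than SwOS specifically.

```python
import struct

TPID_8021Q = 0x8100  # value at the EtherType offset that marks an 802.1Q tag
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# Constructed sample values (not from the thread).
NAS_MAC = bytes.fromhex("020000000024")
PC_MAC = bytes.fromhex("020000000004")
COMPANY_VLAN, HOME_VLAN = 10, 20
IP_PAYLOAD = b"\x45" + b"\x00" * 45  # placeholder bytes, pads to minimum size


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Build an Ethernet II frame; insert a 4-byte 802.1Q tag if vlan_id is set."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ethertype) + payload


def vlan_unaware_host_sees(frame):
    """Protocol a host without VLAN support reads at bytes 12-13."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return KNOWN_ETHERTYPES.get(ethertype, "unknown (0x%04x)" % ethertype)


def switch_ingress_vlan(frame, pvid, accept_untagged=True):
    """VLAN an 802.1Q switch assigns on ingress; None means the frame is dropped."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid == TPID_8021Q:
        return tci & 0x0FFF          # tagged: VLAN ID comes from the tag
    return pvid if accept_untagged else None  # untagged: only the port's PVID


def demo():
    to_nas = build_frame(NAS_MAC, PC_MAC, 0x0800, IP_PAYLOAD, vlan_id=HOME_VLAN)
    from_nas = build_frame(PC_MAC, NAS_MAC, 0x0800, IP_PAYLOAD)  # NAS never tags
    return {
        "nas_reads_tagged_as": vlan_unaware_host_sees(to_nas),
        "reply_vlan_pvid_company": switch_ingress_vlan(from_nas, COMPANY_VLAN),
        "reply_vlan_tagged_only_port": switch_ingress_vlan(from_nas, COMPANY_VLAN, False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

An untagged reply from the NAS is classified into a single VLAN (the port's PVID) or dropped on a tagged-only port, so it never reaches a client in the other VLAN without a router in between.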
Topic Author
Re: CSS326-24G-2S+ VLAN and sharing

Thu Jun 04, 2020 3:49 pm

As you mentioned, I have forgotten VLAN tagging and dug into port isolation. It has been working OK for quite some time now, with one minor problem. Here is what I did:
- I put two routers on two ports, both in the same subnet (fixed WAN IP and DHCP WAN). DHCP server just on the second one. Company LAN is on router 1, home is on router 2.
- all company devices have fixed IPs except for the WiFi network
- I blocked all ports from home except of NAS and Printer company's computers, server and router 1
- I blocked all ports from company devices (except NAS, Printer and my computer) from home devices (except router 2 for DHCP purposes and gateway for internet)
- all files for home are shared on NAS, for company on NAS and Windows server

The problem which persists:
- my development computer must sometimes be on fixed WAN, sometimes I put it on DHCP when surfing, as I don't always like my IP to be public. It works OK by changing the Gateway
- but, I have Retrospect backup on the server (which is also a WEB server and it is on gateway 1). I have a client installed on my PC which is backing up some of my documents every day proactively. So I don't know why yet, the backup does not work if my computer is on gateway 2, although they are both on the same subnet. It does not even work if I set the server's secondary gateway.
But I think I will find a solution also for this. It might be an issue with Retrospect.

