Community discussions

MikroTik App
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Redesign of Local Network with Mikrotik Router

Tue May 01, 2018 7:33 pm

Hi everybody,
I wanted to redesign my internal network because I am little bit afraid about security. Banking Software together with Gaming-PC and Alexa
in the same network is not a good choice in my opinion.

Below you will find the current situation and my thoughts to make the local Netzwork a little bit more secure.
It would be great, if you can help me to find the correct approach and how I can implement this with Mikrotik devices.

Please be a little lenient I am currently in "testing mode" and I use the RB3011 as test environment together with two clients. I have to close my gaps in basic network knowledge....and I guess this will take a while...:-)
Therefore I count on your support in my other threads in oder to realize this project some day!

If this is not the correct place for this post, please excuse me.

Current mode of operation:
Internet-domain: (hosted Mail-Server)
local domain:

Network-Design, Router FB7490:
LAN: Class C-Subnet
WLAN: Same Subnet
WAN: Fiber optic (Fritzbox used as "Kabelmoden", DHCP Client)

There are round about 100 Clients in my network:
  • Office Devices (Windows PCs)
  • Voice (IP phone + DECT phone)
  • qnap NAS-Server
  • IPTV Devices (Dreambox, Fire-TV, Smart TV)
  • Multiroom audio devices (Sonos)
  • Smart Home Devices
  • Gaming Devices (Playstation, Gaming-PC, Xbox)
  • Network Devices (Cisco Switch, AVM-WLAN Repeater, Fritzbox)
  • WLAN-User (Smartphones, Tablet)
  • VPN-Access via Smartphones
  • VPN Lan2Lan with other Fritzbox in different Site with other Class C net

Future Mode of Operation:
Domain Design:
local domain:

Network-Design, Router RB3011
ether1: WAN-Interface
SFP1: Uplink to Cisco Switch
LAN: Vlan on bridge1 with Class C-Subnets
  • vlan1: admin -> Network devices
  • vlan10: Office
  • vlan20: Voip
  • vlan30: IPTV
  • vlan40: Sonos
  • vlan50: SmartHome
  • vlan60: WLAN
  • vlan70: Guest-WLAN
  • vlan80: Gaming

  • vlan-subnets should be part of the internal domain
  • dhcp Server for the subnets (vlan01 and vlan50 with static IPs)
  • traffic between the subnets should be controlled by firewall rules (e.g. vlan1 can see all other vlans, but none of the other can see vlan1)
  • traffic to internet should be controlled by firewall rules (e.g. vlan50 only access for updates from manufacture)
  • internal dns-server to resolve local client-addresses in all subnets (if access is not restricted by firewall rule)
  • AVM Fritzbox will run in IP-Client-Mode as PBX and DECT Interface in vlan20
  • wired WLAN Access-Points with restricted access to clients in vlan20-vlan40
  • wired WLAN Access-Points running guest WLAN
  • VPN-Access only for single subnets available
  • VPN-Lan2Lan for vlan10

Who is online

Users browsing this forum: ctlo, markos222 and 83 guests