Hello.
I am new to mikrotik but already amazed with it's possibilities. Here is picture of what I want to accomplish at home:
192.168.1.0/24 default network (in my mind called vlan1), bridging eth2-5 + both wlans (2.4ghz and 5ghz) - already working, has own dhcp server with pool .1.100-.1.250, high secured wifi, standard network for our phones/tablets/laptops
192.168.10.0/24 network called vlan10, bridging slave wlans (I created one slave for each wlan interface - 2,4ghz and 5ghz, set them to use vlan tag 10), this is also already working, has own dhcp server with pool .10.100-.10.150,, disabled "default foward" so each client cannot see other clients, it has simple wifi password for guests. In the future I will probably add some filtering for p2p/porn/bandwidth usage.
192.168.100.0/24 technical network - vlan100 - not existing yet
Now the actual thing which I want to ask - I need third vlan, called "vlan100" for IoT devices. I have few of them already and will multiply that amount shortly. Security on those things is as it is, I dont want to wake up one day and notice that somene hacked my light switch and accessed whole network via SMB and deleted half of that stuff, etc. It could have been probably filtered in Firewall somehow, but on that field I am newbie, so solutions which came to my mind are:
1. Create one more slave wlan (2,4ghz is enough), and repeat all of those steps which i did for guest network but connect that with vlan tag 100. It is simple and easy, but I end up with aditional SSID which I want to avoid if possible (I know I can hide SSID, but still one more network will be discovered, that it wont have name doesnt change anything). BTW. Quick question - does ceating multiple slave wlans decrease its performance? What is the reasoable amount of slave wlans?
2. In my mind perfect solution would be connect IoT devices via normal master WLAN, but keep them away from default network via MAC adress filtering mechanism which will recognize device MAC address and assign it to third vlan100 network - here I am not sure if that is possible to have 2dhcp servers on one interface, probably no. So maybe some workaround? What if I create static lease, put there device MAC, set DHCP server it applies to to option "all" and tell that rule to assign 192.168.100.101 ip address (marked red on pict)? Will that work?
I am open to all best-practice solutions to solve my problem. If third vlan is too much effort I can organise it in way that I will limit default DHCP range to .1.200-250 and for IoT i will go with static .1.101, .1.102, .1.103, etc., and then in firewall I assume it is possible to cut out everything LAN based, leave only internet connection and apply that rule to IoT pool .1.100-199. But my dream is 3rd vlan, It sounds professional
I tried to explain it as simple as I could, but I may have used some wrong terms so here is image of what is done so far to help better understand it.