
Three vlans at home on MT hap ac2 - best practice?

Posted: Wed Feb 20, 2019 7:19 pm
by gutekpl
Hello.
I am new to MikroTik but already amazed with its possibilities. Here is a picture of what I want to accomplish at home:
192.168.1.0/24 default network (in my mind called vlan1), bridging eth2-5 + both wlans (2.4GHz and 5GHz) - already working, has its own DHCP server with pool .1.100-.1.250, highly secured WiFi, standard network for our phones/tablets/laptops
192.168.10.0/24 network called vlan10, bridging slave wlans (I created one slave for each wlan interface - 2.4GHz and 5GHz, set them to use vlan tag 10), this is also already working, has its own DHCP server with pool .10.100-.10.150, disabled "default forward" so each client cannot see other clients, it has a simple WiFi password for guests. In the future I will probably add some filtering for p2p/porn/bandwidth usage.
192.168.100.0/24 technical network - vlan100 - not existing yet

Now the actual thing which I want to ask - I need a third vlan, called "vlan100", for IoT devices. I have a few of them already and will multiply that amount shortly. Security on those things is as it is, I don't want to wake up one day and notice that someone hacked my light switch and accessed the whole network via SMB and deleted half of that stuff, etc. It could probably have been filtered in the Firewall somehow, but in that field I am a newbie, so the solutions which came to my mind are:
1. Create one more slave wlan (2.4GHz is enough), and repeat all of those steps which I did for the guest network but connect that with vlan tag 100. It is simple and easy, but I end up with an additional SSID which I want to avoid if possible (I know I can hide the SSID, but still one more network will be discovered, that it won't have a name doesn't change anything). BTW. Quick question - does creating multiple slave wlans decrease performance? What is the reasonable amount of slave wlans?
2. In my mind the perfect solution would be to connect IoT devices via the normal master WLAN, but keep them away from the default network via a MAC address filtering mechanism which will recognize the device MAC address and assign it to the third vlan100 network - here I am not sure if it is possible to have 2 DHCP servers on one interface, probably not. So maybe some workaround? What if I create a static lease, put the device MAC there, set the DHCP server it applies to to option "all" and tell that rule to assign the 192.168.100.101 IP address (marked red on pict)? Will that work?

I am open to all best-practice solutions to solve my problem. If a third vlan is too much effort I can organise it in a way that I will limit the default DHCP range to .1.200-250 and for IoT I will go with static .1.101, .1.102, .1.103, etc., and then in the firewall I assume it is possible to cut out everything LAN based, leave only the internet connection and apply that rule to the IoT pool .1.100-199. But my dream is a 3rd vlan, it sounds professional :)

I tried to explain it as simply as I could, but I may have used some wrong terms so here is an image of what is done so far to help better understand it.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 2:37 pm
by gutekpl
I am thinking now about my idea number two and I suppose it is wrong too, because DHCP is two-way communication, so even if the DHCP server from network 192.168.1.0/24 assigns someone an IP from 192.168.100.0/24 it will lose connection with that client immediately and there won't be a handshake or whatever it is called. So a 3rd network with a 3rd DHCP server is a must, the question is if it is doable without another slave interface.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 3:05 pm
by pcunite
Study the article in my signature.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 3:49 pm
by gutekpl
I just did. Thanks for the tips contained in there and for your approach which is easy to understand even for normal people, not only for network geeks, my VLAN knowledge has now grown a bit.
However I did find there only a reference to my first idea which is a separate SSID per VLAN. I would really love to have only two wireless networks on the list - main with hidden SSID and Guest with visible SSID.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 3:58 pm
by mkx
Running more than one SSID off a single radio slightly reduces capacity (because beacons, transmitted for each SSID separately, take up some air time), but some rumours are going around that it's fine to have up to 3 or 4 SSIDs per radio.
You can set up VLAN membership per device ... but that involves entering the MAC address of every single "special" device (i.e. those that should land on the "technical" VLAN) on every wlan interface. Which might not be worth it for the little performance gain. The KISS approach has some merits ...
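The per-device VLAN membership mkx mentions, written out as an added example that is not from this thread or from MikroTik's documentation. It assumes RouterOS v6 with the legacy wireless package, a bridge called HomeBridge with vlan-filtering already on, VLAN 100 as the IoT network, wlan1 as the 2.4GHz radio carrying the home SSID, and placeholder MAC addresses. The mechanism it relies on is the vlan-mode/vlan-id pair on a wireless access-list entry; check those fields exist on your RouterOS version before building on this.

```routeros
# Added example, not from the thread. Per-device VLAN assignment in the wireless access list
# (RouterOS v6 legacy wireless). Assumed: bridge HomeBridge with vlan-filtering=yes, VLAN 100 = IoT,
# wlan1 = 2.4GHz radio with the home SSID. MAC addresses below are placeholders.
/interface wireless access-list
# Listed IoT clients: frames from this MAC get an 802.1Q tag for VLAN 100 in the wireless driver
# before they reach the bridge, so the device lands on the IoT network although it joined the home SSID.
add interface=wlan1 mac-address=AA:BB:CC:00:00:01 vlan-mode=use-tag vlan-id=100 comment="light switch (placeholder MAC)"
add interface=wlan1 mac-address=AA:BB:CC:00:00:02 vlan-mode=use-tag vlan-id=100 comment="thermostat (placeholder MAC)"
# Clients with no entry fall through to default-authentication=yes on wlan1 and stay untagged (home, pvid 1).
# The same entries are needed again with interface=wlan2 for any IoT device that can roam to 5GHz.

# The bridge must now accept VLAN 100 tagged frames from wlan1; wlan1 stays an untagged (pvid 1) port for home.
/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge,wlan1 vlan-ids=100
# With ingress filtering on, wlan1 only admits untagged home frames and VLAN 100; a client that crafts
# its own tag for VLAN 10 (guest) is dropped instead of hopping into that network.
/interface bridge port
set [find interface=wlan1] frame-types=admit-all ingress-filtering=yes
```

Two caveats a practitioner would want before choosing this over a separate SSID: the MAC is the only thing selecting the VLAN, so anyone holding the home PSK can spoof a listed MAC and drop into VLAN 100, and an IoT device you forget to list fails open onto the home network. The separate-SSID design discussed later in this thread ties the VLAN to a different PSK instead, which is the more robust boundary.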

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 4:02 pm
by gutekpl
You can set up VLAN membership per device ... but that involves entering MAC address of every single "special" device
I am aware of that and totally OK with reserving a lease once per device lifetime. I just can't find the way to do it, I cannot select the same interfaces (wlan1+2) a second time for a 3rd bridge and I think I need a 3rd bridge to set up a 3rd vlan.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 5:43 pm
by mkx
You only need a single bridge and configure all VLANs on it. So it seems you're doing something wrong there.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 5:46 pm
by gutekpl
Guest WiFi on a separate VLAN was done following this tutorial:
https://www.youtube.com/watch?v=1ZJ-pM89N7o

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 5:59 pm
by anav
There is no such thing as guest wifi.
Wifi is wifi.
It depends on which MT model you are using, i.e. 2 chains (2 wifi) or 3 chains (3 wlans available).
In my case I use capacs with two chains.
So I configured one chain for 2.4 and another chain for 5GHz

If you want more wlans you can create virtual wlans.
So in my scenario i decided to do the following
a. 2.4ghz wlan for my smart devices (vlan separate)
b. 5ghz wlan for my home user wifi smart phones laptops etc (on homelan attached to bridge)
c. 5ghz virtual wlan for guest users (master wifi interface being the 5ghz wlan) (also on its own vlan)

So one can define whatever wlan they have to any function and if need be create extra WLANs virtually.
As to mkx's point how many vWlans one creates depends upon CPU and other factors but I wouldn't be tempted to do more than one vWLAN per master WLAN although theoretically I have heard 4-5 are possible.

Now let's dismiss this hogwash of hidden SSIDs, that's pure BS.
There is no such thing as security provided by hiding SSID. Any device will ping your radio and even if hidden will get a response.
So please stop the myth of it doing anything useful.
Imagine the front door to your house. The door is unlocked.
SSID is the light above your door. You can turn the light off but it does nothing else, the front door is still unlocked and when I approach the front door the light turns on automatically.

SSID is designed so that honest users can deconflict channel usage if nothing else and to easily pick out the AP to use if in a crowd of APs.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 6:57 pm
by gutekpl
I know that guest wifi is just a fancy name for the logic behind that. I also know that a hidden SSID isn't for protection. Anyway, let's skip it, that's not the point here. I pasted the link above to show how I created the guest wifi, where the guy used a separate bridge for that. If the assumptions in this tutorial are wrong from the beginning I can remove that and make it in a different way, that doesn't matter to me.
I need home default vlan1 accessible via 4 ports and both wifi radios. I need second vlan10 for guests on both radios. I need third vlan100 for IoT accessible on 2.4ghz radio. If it can be done using 1 bridge just guide me how please and I will get on work.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 8:08 pm
by anav
Hi G,
That's what I have right now but soon will be migrating off using pvid=1 being tied to my homelan and the bridge.
My homelan will be on vlan11, pvid=1 remains on bridge and on devices as default setting but not what I use to define and move around any of my traffic.
However my radio and router are separate and thus in your case..........

On the radio side, suggest something like.
Use one WLAN 5ghz for home users
Use one WLAN 5ghz for guests (vlanXX)
Use one WLAN 2.4ghz for smart devices (vlanYY)

From one physical device location you have not made it clear why you need two guest wifi networks one on each radio on the same vlan??
If you were going to have guests1 and guests2 with different SSIDs (two levels of guests) then the request would make sense and with two separate vlans if you wanted them to be secure from each other.
So what is the purpose?????

If so I would take my second chain
WLAN5Ghz for guests (vlanXX)
and add another virtual vWLAN using that wlan as the master interface, the only difference would be a different SSID and different security password.
What would be smart would be to ensure freq separation from the other 5ghz main WLAN (home user wlan).

On the bridge port settings for the WLAN.
/interface bridge port
add bridge=HomeBridge comment=defconf interface=eth2
add bridge=HomeBridge comment=defconf interface=eth3
etc.
add bridge=HomeBridge comment="smart devices" interface=WLAN2.4ghz pvid=YY
add bridge=HomeBridge comment="guest wifi 1" interface=WLAN5ghz-guest1 pvid=XX
add bridge=HomeBridge comment="guest wifi 2" interface=vWLAN5ghz-guest2 pvid=XX
add bridge=HomeBridge comment=defconf interface=WLAN5ghz-home

The interface bridge vlan settings......
/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge untagged=WLAN5ghz-guest1,vWLAN5ghz-guest2 vlan-ids=XX
add bridge=HomeBridge tagged=HomeBridge untagged=WLAN2.4ghz vlan-ids=YY

/interface vlan
add interface=HomeBridge name=guest-vlan vlan-id=XX
add interface=HomeBridge name=sMartDevices vlan-id=YY

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 9:05 pm
by gutekpl
I wanted guest 2.4GHz and guest 5GHz in the same vlan because I thought it's the simplest solution. They will have the same SSID and be transparent. However as I am thinking now I don't need 2.4 for guests as guest wifi is mostly for mobile devices and those all should now have 5GHz so we can reduce that. Slave 5GHz for guests, slave 2.4GHz for IoT.

I still however need both 2.4 and 5GHz for personal use as my old notebook and other devices operate only on 2.4. And I want both of those personal radios + slave IoT radio to operate on the same SSID named just "home".

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Thu Feb 21, 2019 9:35 pm
by anav
Kewl that makes a lot of sense..............

On the radio side, suggest something like.
Use one WLAN 5ghz for home users
Create virtual WLAN 5ghz for guests (vlan-id=xx)
Use one WLAN 2ghz for home user
Create virtual WLAN 2ghz for smart devices (vlan-id=yy)

On the bridge port settings for the WLAN.
/interface bridge port
add bridge=HomeBridge comment=defconf interface=eth2
add bridge=HomeBridge comment=defconf interface=eth3
etc.
add bridge=HomeBridge comment=defconf interface=WLAN2.4_home
add bridge=HomeBridge comment="smart devices" interface=vir-WLAN2.4-sd pvid=YY
add bridge=HomeBridge comment=defconf interface=WLAN5_home
add bridge=HomeBridge comment="guest wifi" interface=vir-WLAN5-guest pvid=XX


The interface bridge vlan settings......
/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge untagged=vir-WLAN5-guest vlan-ids=XX
add bridge=HomeBridge tagged=HomeBridge untagged=vir-WLAN2.4-sd vlan-ids=YY

/interface vlan
add interface=HomeBridge name=guest-vlan vlan-id=XX
add interface=HomeBridge name=sMartDevices vlan-id=YY

For the wireless side the key is when setting up the virtual wlans to identify the master interface
(the 5ac one points to the 5ac WLAN and the 2.4 one points to the 2.4 WLAN).
The SSIDs and of course wpa2 psk passwords should be different.
Do not assign any vlans in the wireless as that is all done above already.
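The layout anav describes, carried through to a complete configuration as an added example; this is not anav's or MikroTik's own config. Assumptions not stated in the thread: RouterOS v6 on a hAP ac2 where wlan1 is the 2.4GHz radio and wlan2 the 5GHz radio, ether1 is the WAN port with the default masquerade rule already in place, the home network stays untagged on the bridge (pvid 1, 192.168.1.0/24 as the OP has it), guests are VLAN 10 and IoT is VLAN 100; SSIDs, passwords and pool ranges are placeholders. It also adds the two pieces the bridge/VLAN snippet alone leaves out: one DHCP server per VLAN interface (the reason the "two DHCP servers on one interface" idea cannot work) and the firewall rules that make the isolation real, since a VLAN only separates layer 2 and the router routes between 192.168.1.0/24 and 192.168.100.0/24 unless told not to.

```routeros
# Added example, not from the thread. RouterOS v6, hAP ac2. Assumed names: wlan1 = 2.4GHz,
# wlan2 = 5GHz, ether1 = WAN (default-config masquerade stays), bridge = HomeBridge.
# Home: untagged/pvid 1, 192.168.1.0/24. Guest: VLAN 10, 192.168.10.0/24. IoT: VLAN 100, 192.168.100.0/24.

# 1. Wireless: one virtual AP per extra SSID, bound to its master radio. No VLAN settings here,
#    the bridge does the tagging. default-forwarding=no stops guest/IoT clients talking to each other over the air.
/interface wireless security-profiles
add name=sp-home  mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-home"
add name=sp-guest mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-guest"
add name=sp-iot   mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-iot"
/interface wireless
set wlan1 ssid=home security-profile=sp-home
set wlan2 ssid=home security-profile=sp-home
add name=wlan-iot   master-interface=wlan1 mode=ap-bridge ssid=iot   security-profile=sp-iot   default-forwarding=no disabled=no
add name=wlan-guest master-interface=wlan2 mode=ap-bridge ssid=guest security-profile=sp-guest default-forwarding=no disabled=no

# 2. One bridge for everything. Access ports get a pvid; the bridge itself is a tagged member of each
#    VLAN so the router can terminate them with /interface vlan. frame-types + ingress-filtering on the
#    access ports stop a client from sending its own 802.1Q-tagged frames to hop into another VLAN.
/interface bridge
add name=HomeBridge vlan-filtering=no
/interface bridge port
add bridge=HomeBridge interface=ether2
add bridge=HomeBridge interface=ether3
add bridge=HomeBridge interface=ether4
add bridge=HomeBridge interface=ether5
add bridge=HomeBridge interface=wlan1
add bridge=HomeBridge interface=wlan2
add bridge=HomeBridge interface=wlan-guest pvid=10  frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=HomeBridge interface=wlan-iot   pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge untagged=wlan-guest vlan-ids=10
add bridge=HomeBridge tagged=HomeBridge untagged=wlan-iot   vlan-ids=100
# Turn filtering on only after the VLAN table is complete, from a MAC-WinBox or console session,
# otherwise a mistake above locks you out of the router.
/interface bridge set HomeBridge vlan-filtering=yes

# 3. Layer 3: one router address and one DHCP server per network. A DHCP server binds to one
#    interface and answers there only, which is why one server cannot serve two networks.
/interface vlan
add interface=HomeBridge name=vlan10-guest vlan-id=10
add interface=HomeBridge name=vlan100-iot  vlan-id=100
/ip address
add address=192.168.1.1/24   interface=HomeBridge
add address=192.168.10.1/24  interface=vlan10-guest
add address=192.168.100.1/24 interface=vlan100-iot
/ip pool
add name=pool-home  ranges=192.168.1.100-192.168.1.250
add name=pool-guest ranges=192.168.10.100-192.168.10.150
add name=pool-iot   ranges=192.168.100.100-192.168.100.200
/ip dhcp-server
add name=dhcp-home  interface=HomeBridge   address-pool=pool-home  disabled=no
add name=dhcp-guest interface=vlan10-guest address-pool=pool-guest disabled=no
add name=dhcp-iot   interface=vlan100-iot  address-pool=pool-iot   disabled=no
/ip dhcp-server network
add address=192.168.1.0/24   gateway=192.168.1.1   dns-server=192.168.1.1
add address=192.168.10.0/24  gateway=192.168.10.1  dns-server=192.168.10.1
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1

# 4. Firewall. Guest and IoT get DNS/DHCP from the router and the internet, nothing else; they never
#    initiate towards the home LAN or the router's management ports. Home may open connections to IoT
#    (to control the devices); the replies come back through established,related.
/interface list
add name=LAN
add name=ISOLATED
/interface list member
add list=LAN      interface=HomeBridge
add list=LAN      interface=vlan10-guest
add list=LAN      interface=vlan100-iot
add list=ISOLATED interface=vlan10-guest
add list=ISOLATED interface=vlan100-iot
/ip firewall filter
add chain=input   action=accept connection-state=established,related
add chain=input   action=accept in-interface-list=ISOLATED protocol=udp dst-port=53,67 comment="DNS and DHCP for guest/IoT"
add chain=input   action=accept in-interface-list=ISOLATED protocol=tcp dst-port=53
add chain=input   action=drop   in-interface-list=ISOLATED comment="no WinBox/SSH/web/API from guest/IoT"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=HomeBridge out-interface=vlan100-iot comment="home may talk to IoT"
add chain=forward action=drop   in-interface-list=ISOLATED out-interface-list=LAN comment="guest/IoT never reach any LAN"
add chain=forward action=accept in-interface-list=ISOLATED out-interface=ether1 comment="guest/IoT to internet"
```

The filter rules are appended after whatever the default configuration already has; the defconf fasttrack rule only matches established connections, so it does not bypass the drop for new guest/IoT connections. To check the isolation, join the iot SSID and confirm that ping to 192.168.1.1 and 192.168.1.x hosts fails while DNS and internet work; the same from the guest SSID, and from home a connection to an IoT device should still succeed.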

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Fri Feb 22, 2019 12:26 am
by gutekpl
The SSIDs and of course wpa2 psk passwords should be different.
So in Your example I have 3 SSIDs, right?
home - common for 2.4 and 5 master radios
guest - for slave radio 5
iot - for slave radio 2.4
Am I right? If I have master and slave 2.4 with the same SSID then how would a client device know which one it should connect to (IoT device to slave, home device to master)?

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Fri Feb 22, 2019 12:38 am
by anav
Yes of course, that is standard wifi config, no need to ask that in an MT forum LOL.
Each WLAN has its own SSID so in your case I would imagine 4 ssids

SSID names for example
guestwifi
smartdevices
homewifi-2
homewifi-5

If you want to make people guess then you could make them the same SSID and login for home users but I don't see the point..........

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Fri Feb 22, 2019 12:56 am
by gutekpl
Then you got me wrong. Both master radios have the same SSID with the same password, so a home client device just connects to the one which is best for it. In the case of my new phone it uses 5GHz, in the case of the old notebook it uses 2.4GHz, etc.

Same was with guest SSID, but it is no longer valid as I removed guest on 2.4.

Now what I want to achieve is create static leases for all smart devices and connect them on same SSID as home (but here they are all 2.4 so no need to clone that settings for 5ghz radio). Then during connection I want my mikrotik to check that static leases. If device is on the list with 192.168.100.x address then throw it to VLAN100 because it means its IoT device. If device is on the list with 192.168.1.x (I plan some reservations for home devices as well) address or IT IS NOT ON THE LIST then throw it to default VLAN1.

This is what I have been talking about since the beginning. Assigning to the correct VLAN via MAC or any other mechanism.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Fri Feb 22, 2019 1:04 am
by pcunite
This is what I have been asking since beginning. How to assign to correct VLAN via MAC or any other mechanism.

Right, in the VLAN document (linked in my signature) this is shown using different SSID values. You make as many SSIDs (which are applied to virtual wlan interfaces) as you need, each one applies to a different VLAN.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Fri Feb 22, 2019 1:09 am
by gutekpl
So the solution from picture attached below is not possible to achieve, right?

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Fri Feb 22, 2019 1:24 am
by pcunite
So the solution from picture attached below is not possible to achieve, right?

Well, I'm suggesting you create two SSID names, Home and Home24G. Name them whatever you want.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Fri Feb 22, 2019 10:47 am
by gutekpl
Well, I'm suggesting you create two SSID names, Home and Home24G. Name them whatever you want.
How does this solve splitting devices connected to Home24G between home vlan1 and IoT vlan100? I would understand if you suggested
"IoT" 2.4 SSID,
"HOME" 2.4 and 5 SSIDs overlapping each other,
"Guests" 5 SSID.
With this setup I can really match vlan by SSID. I cannot imagine how Home and Home24G would change anything, please clarify, maybe I don't see the whole picture here.

Re: Three vlans at home on MT hap ac2 - best practice?

Posted: Fri Feb 22, 2019 11:58 am
by mkx
I would understand if you suggested
"IoT" 2.4 SSID,
"HOME" 2.4 and 5 SSIDs overlapping each other,
"Guests" 5 SSID.
With this setup I can really match vlan by SSID. I cannot imagine how Home and Home24G would change anything, please clarify, maybe I don't see the whole picture here.

That's the way to go.

Some people like to have different SSIDs for 2.4GHz and 5GHz radios so that they can force certain devices to certain band by selecting desired SSID on client (some devices don't like 5GHz and they keep using 2.4GHz band even if 5GHz signal is present and strong). For now you don't have to fiddle with this (you can go this way later if you see it fit).