Bionic
just joined
Topic Author
Posts: 14
Joined: Mon Aug 17, 2020 3:22 am

Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 1:57 am

Installing a new network and have decided on the hardware that will be used. Next up is to start planning the best configuration settings I should use.

If you were presented with this hardware diagram, how would you suggest the network config be done? IP addressing, subnetting, VLAN setup, DHCP server location, etc.?

I will need to set up some internet bandwidth shaping features so that the "Production" VLAN always gets priority in regards to upload and download internet bandwidth. I think this will be done in the MikroTik.

Is there a way to make it so that the "NetworkAdmin" VLAN can see and talk to every device on the network in every VLAN? All the other VLANs don't need to be able to communicate with each other.

I haven't done the research yet, but I am assuming there is a way to assign OpenVPN tunnels to certain VLAN IDs? So when I configure a remote phone using OpenVPN, that tunnel will be placed in the PBX VLAN? Also, if I needed to remote into the network, I could set up an OpenVPN tunnel that is assigned to the "NetworkAdmin" VLAN?

[Image: hardware diagram]

Datasheets for the hardware.

Router = Mikrotik hEX S RB760iGS
https://mikrotik.com/product/hex_s#fndtn-specifications

Layer 3 Switch = Cisco Business CBS350-24P-4X
https://www.cisco.com/c/en/us/products/ ... 44156.html

Smart Switch = Cisco Business CBS250-8P-E2G
https://www.cisco.com/c/en/us/products/ ... te-en.html

Access Point = Cisco Business 240AC
https://www.cisco.com/c/en/us/products/ ... te-en.html

Access Point = Cisco Business 145AC
https://www.cisco.com/c/en/us/products/ ... te-en.html

UPDATE:
So here is what I am thinking about using for the IP class, subnetting, & VLANs

10.12.0.0/18
CIDR IP Range 10.12.0.0 - 10.12.63.255
Subnet Mask 255.255.192.0

10.12.10.0/24, SM 255.255.255.0, Range 10.12.10.0 - 10.12.10.255, VLAN10, Network Devices

10.12.11.0/24, SM 255.255.255.0, Range 10.12.11.0 - 10.12.11.255, VLAN11, NetworkAdmin

10.12.12.0/24, SM 255.255.255.0, Range 10.12.12.0 - 10.12.12.255, VLAN12, PBX

10.12.13.0/24, SM 255.255.255.0, Range 10.12.13.0 - 10.12.13.255, VLAN13, Production

10.12.14.0/24, SM 255.255.255.0, Range 10.12.14.0 - 10.12.14.255, VLAN14, Office

10.12.15.0/24, SM 255.255.255.0, Range 10.12.15.0 - 10.12.15.255, VLAN15, Classroom

10.12.16.0/22, SM 255.255.252.0, Range 10.12.16.0 - 10.12.19.255, VLAN16, Guest

10.12.20.0/22, SM 255.255.252.0, Range 10.12.20.0 - 10.12.23.255, VLAN20, Event
Last edited by Bionic on Wed Oct 21, 2020 2:45 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 4:21 am

What is your training on MT products, or any IT networking certifications? It will help us guide the advice.
 
Bionic
just joined
Topic Author
Posts: 14
Joined: Mon Aug 17, 2020 3:22 am

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 6:12 am

Not certified. I have experience with setting up and configuring small networks where the router is also the DHCP server. But since I am going to be using a Layer 3 switch I think it would be best to offload as much as possible to the switch, including the DHCP server. So the router will only handle things related to internet packets. I understand it in theory, but wanted to discuss it and flesh this out before I do the config.
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 6:14 am

Well, to be honest, this setup is not for an untrained person.
It makes more sense to me that this is more a university course type question or mini project to get the student to explore all the considerations and requirements for design.
Is this a course thing you have to do?
 
Bionic
just joined
Topic Author
Posts: 14
Joined: Mon Aug 17, 2020 3:22 am

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 7:08 am

No, this is a real-life network install that I am doing. I could take the easy way out and just let the VAR handle it for me, or have Cisco support do it for me. But I would rather use this opportunity to learn more about this.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 1:59 pm

Several points.

First, it is just a "best current practice" to use a dedicated (V)LAN for each IP subnet, but there is no technical barrier preventing you from using multiple subnets in the same VLAN, and in specific cases, you may need to use the same IP subnet in multiple (V)LANs. Therefore, "I need device A to be in device B's VLAN" is an ambiguous statement. People usually mean they want the two devices to be in the same subnet when saying this, but you can't be sure.

Second, Mikrotik's implementation of OpenVPN in RouterOS 6.x is very limited. On top of not supporting some compression methods, it only supports TCP as transport protocol, which makes it a bad choice for VoIP, where low delay is more important than zero loss, whilst TCP's inevitable retransmissions in case of packet loss increase the delay.

Third, OpenVPN supports both L2 tunneling and L3 tunneling, but for the Mikrotik acting as an OpenVPN server, you can only choose one of the two.
  • With L3 tunneling, you cannot place the phones into the IP subnet of the PBX and something (the Mikrotik or the L3 switch) must provide routing between the subnets. Letting the OpenVPN assign addresses from a range overlapping the subnet of the PBX causes more problems than it solves: each such assignment actually constitutes a subnet of its own, and routing between that one and the overlapping larger one is necessary. Plus special measures need to be taken to deliver the packet from the PBX to the phone (as from the perspective of the PBX, the phone's address is inside the same subnet like its own one, so the PBX tries to send it directly rather than via the router).
  • With L2 tunneling, you can make the L2 tunnel of each user a member interface of the bridge you want (using the bridge parameter of a /ppp profile row to which the /ppp secret row links), but there is (currently?) no way to make the L2 tunnel directly an access port to a particular VLAN on a multi-VLAN bridge, nor to set any horizon value (so port isolation is not possible). Hence you would need one bridge per VLAN for the L2 OpenVPN clients, and connect these bridges via /interface vlan rows to the common bridge with vlan-filtering=yes or directly to the Ethernet port to which the Cisco L3 switch is connected. But I don't think you want the phones to talk to each other without any firewall between them, so the absence of port isolation is a serious security hole.

The rest seems quite simple to me. If one of the Cisco devices can act as a controller for all the APs, the SSID configuration is a bit simpler.
 
Bionic
just joined
Topic Author
Posts: 14
Joined: Mon Aug 17, 2020 3:22 am

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 2:44 pm

So here is what I am thinking about using for the IP class, subnetting, & VLANs

10.12.0.0/18
CIDR IP Range 10.12.0.0 - 10.12.63.255
Subnet Mask 255.255.192.0

10.12.10.0/24, SM 255.255.255.0, Range 10.12.10.0 - 10.12.10.255, VLAN10, Network Devices

10.12.11.0/24, SM 255.255.255.0, Range 10.12.11.0 - 10.12.11.255, VLAN11, NetworkAdmin

10.12.12.0/24, SM 255.255.255.0, Range 10.12.12.0 - 10.12.12.255, VLAN12, PBX

10.12.13.0/24, SM 255.255.255.0, Range 10.12.13.0 - 10.12.13.255, VLAN13, Production

10.12.14.0/24, SM 255.255.255.0, Range 10.12.14.0 - 10.12.14.255, VLAN14, Office

10.12.15.0/24, SM 255.255.255.0, Range 10.12.15.0 - 10.12.15.255, VLAN15, Classroom

10.12.16.0/22, SM 255.255.252.0, Range 10.12.16.0 - 10.12.19.255, VLAN16, Guest

10.12.20.0/22, SM 255.255.252.0, Range 10.12.20.0 - 10.12.23.255, VLAN20, Event
 
Bionic
just joined
Topic Author
Posts: 14
Joined: Mon Aug 17, 2020 3:22 am

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 2:52 pm

Several points.

First, it is just a "best current practice" to use a dedicated (V)LAN for each IP subnet, but there is no technical barrier preventing you from using multiple subnets in the same VLAN, and in specific cases, you may need to use the same IP subnet in multiple (V)LANs. Therefore, "I need device A to be in device B's VLAN" is an ambiguous statement. People usually mean they want the two devices to be in the same subnet when saying this, but you can't be sure.

Second, Mikrotik's implementation of OpenVPN in RouterOS 6.x is very limited. On top of not supporting some compression methods, it only supports TCP as transport protocol, which makes it a bad choice for VoIP, where low delay is more important than zero loss, whilst TCP's inevitable retransmissions in case of packet loss increase the delay.

Third, OpenVPN supports both L2 tunneling and L3 tunneling, but for the Mikrotik acting as an OpenVPN server, you can only choose one of the two.
  • With L3 tunneling, you cannot place the phones into the IP subnet of the PBX and something (the Mikrotik or the L3 switch) must provide routing between the subnets. Letting the OpenVPN assign addresses from a range overlapping the subnet of the PBX causes more problems than it solves: each such assignment actually constitutes a subnet of its own, and routing between that one and the overlapping larger one is necessary. Plus special measures need to be taken to deliver the packet from the PBX to the phone (as from the perspective of the PBX, the phone's address is inside the same subnet like its own one, so the PBX tries to send it directly rather than via the router).
  • With L2 tunneling, you can make the L2 tunnel of each user a member interface of the bridge you want (using the bridge parameter of a /ppp profile row to which the /ppp secret row links), but there is (currently?) no way to make the L2 tunnel directly an access port to a particular VLAN on a multi-VLAN bridge, nor to set any horizon value (so port isolation is not possible). Hence you would need one bridge per VLAN for the L2 OpenVPN clients, and connect these bridges via /interface vlan rows to the common bridge with vlan-filtering=yes or directly to the Ethernet port to which the Cisco L3 switch is connected. But I don't think you want the phones to talk to each other without any firewall between them, so the absence of port isolation is a serious security hole.

The rest seems quite simple to me. If one of the Cisco devices can act as a controller for all the APs, the SSID configuration is a bit simpler.
:( There are not a whole lot of routers that have OpenVPN servers. Is there a better way for me to go about establishing an OpenVPN server? How would you handle this requirement?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 3:05 pm

Is there a better way for me to go about establishing an OpenVPN server? How would you handle this requirement?
Hard to answer not knowing the priorities of the requirements. If OpenVPN is a must, I'd use OpenWRT on a device supporting it, but don't expect the L2 setup to be any easier. If L3 is enough, I'd use StrongSwan on the mobile phones, and IKEv2 at the "server" side, which may be Mikrotik or something else. I also don't know your budget, it seems you are not terribly limited as you intend to use Cisco for everything except the VPN gateway functionality.

If you haven't purchased the Mikrotik yet and you have some virtualization environment available, you can try the scenarios using a CHR with free license, as the speed limitation doesn't prevent you from testing everything, including a VoIP call. An image of OpenWRT for VMware is also available so you can compare the possibilities and configuration complexity before purchasing a box with one or the other software running on it.
 
Bionic
just joined
Topic Author
Posts: 14
Joined: Mon Aug 17, 2020 3:22 am

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 4:03 pm

If L3 is enough, I'd use StrongSwan on the mobile phones, and IKEv2 at the "server" side, which may be Mikrotik or something else.
The phones are full-featured desk IP phones that have OpenVPN clients built into them.

Do you think RouterOS 7 would solve a lot of these issues?

If so I can continue using the phones in the fashion they are currently being used, which is an access-controlled port forward. This method works, but I have a few users that have DHCP WAN addresses that actually change every 2 weeks or so. When their IP changes I have to go in and modify the rules on my firewall. I was hoping that I could use the OpenVPN feature to "set it and forget it".

Let's say I shelve the whole OpenVPN requirement.

Do you feel the MikroTik router is a good fit for the job?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 5:22 pm

The phones are full-featured desk IP phones that have OpenVPN clients built into them.

Do you think RouterOS 7 would solve a lot of these issues?
Depends on what you call an issue. ROS 7 supports UDP as OpenVPN's transport protocol, which has an impact on the possible issues with delay (but maybe packet loss is not a problem to consider in your country, so the current OpenVPN over TCP is sufficient for the job). Regarding the other "issues", from what I can see in 7.1beta2, bridge-horizon has been added to /ppp profile, so port isolation for dynamically added ports is intended to work; nothing VLAN-related there, which doesn't mean they won't add it before ROS 7 reaches a "stable" stage.

But from this statement I deduce that
a) the only motivation to use OpenVPN is that the phones support it
b) you have never tried the capabilities of the OpenVPN on the phones themselves, so you have to try it first anyway
c) there may be no need to use the OpenVPN in L2 (= ethernet in Mikrotik terms, = TAP in OpenVPN terms) mode unless the phones themselves only support that mode

If so I can continue using the phones in the fashion they are currently being used
If this means "until ROS 7 becomes at least 'stable', let alone 'long-term'", it may take months to years.

Let's say I shelve the whole OpenVPN requirement.

Do you feel the MikroTik router is a good fit for the job?
I feel the Mikrotik router to be fit as an L4 firewall and VPN gateway provided its CPU is powerful enough to handle the traffic you want it to handle. hEX S is definitely too weak for a 400 Mbit/s downlink even if not for the VPN role; hAP ac² could be at its margin, you haven't specified how many simultaneous phone calls you expect to move through it, nor what the expected volume of other traffic is. One of the other issues with Mikrotik's OpenVPN in ROS 6.x is that it cannot use the hardware encryption; no idea whether ROS 7 has changed this.

Do the phones only support OpenVPN or also any other VPN types? If so, which ones?
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 6:26 pm

I find it strange someone is building commercial phones based on OpenVPN and not other protocols that are not so third-party-ish.
I would rather find a phone that is on a forward edge, such as the efficient WireGuard VPN, vice OpenVPN, which is a dodo going extinct.

Where I disagree with SINDY (hope I don't get slapped LOL) is that the hEX S is adequate but not great for the need (especially considering the switches you have should offload work off the hEX CPU), but NOT at all adequate when you throw in VPN.
I would look at the RB450xG routerboard as a minimum, but with the RB4011, etc. and up as better choices, as any design should have some capacity for growth.
If you have already purchased the hEX S then it will certainly be a good play/test device and a cheap temporary backup ready to install if things go wrong with the main router.
 
Bionic
just joined
Topic Author
Posts: 14
Joined: Mon Aug 17, 2020 3:22 am

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 6:44 pm

But from this statement I deduce that
a) the only motivation to use OpenVPN is that the phones support it
b) you have never tried the capabilities of the OpenVPN on the phones themselves, so you have to try it first anyway
c) there may be no need to use the OpenVPN in L2 (= ethernet in Mikrotik terms, = TAP in OpenVPN terms) mode unless the phones themselves only support that mode

I feel the Mikrotik router to be fit as an L4 firewall and VPN gateway provided its CPU is powerful enough to handle the traffic you want it to handle. hEX S is definitely too weak for a 400 Mbit/s downlink even if not for the VPN role; hAP ac² could be at its margin, you haven't specified how many simultaneous phone calls you expect to move through it, nor what the expected volume of other traffic is. One of the other issues with Mikrotik's OpenVPN in ROS 6.x is that it cannot use the hardware encryption; no idea whether ROS 7 has changed this.

Do the phones only support OpenVPN or also any other VPN types? If so, which ones?
A few months ago I tested an OpenVPN tunnel with the MikroTik hEX S RB760iGS and did a few speed tests.

First I ran a test with the hEX S configured as a router behind a router without an OpenVPN connection, and I was able to get an iperf transfer at 936 Mbit/s.

Once I established an OpenVPN connection the iperf speed dropped to 35 Mbit/s.

The OpenVPN server settings were auth SHA1, cipher AES-256.
The certificate settings were 2048 key size.

The 35 Mbit/s is a lot faster than I need for OpenVPN. There are not a lot of calls that will need to go through the tunnel. Maybe 2 or 3 a day; the remote desk phone is more of just a convenience and luxury for the executives, and historically they don't actually use it.

So the speed that I attained without using VPN was 936 Mbit/s. My internet connection is only 400 Mbit/s. So wouldn't the hEX S be able to keep up with the internet download rate when not using VPN?

As for normal data usage at the facility, 1 day a week I may have 50 users on the wifi streaming from YouTube or Facebook. But for those users I set the wifi to limit their download speed to 4 Mbit/s and their upload to a shared 10 Mbps.
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 6:55 pm

One connection is different from many connections and the CPU and ram accordingly is designed for a home environment and you have something far greater in the planning.
That's why I stated the hEX S is a good play toy and lab toy and a TEMPORARY backup for a main router.
I could run a marathon, I am capable, but then I wouldn't be able to walk for 10 days at least............ :-) and I may be permanently (no, will be) damaged for the rest of my years.
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 7:07 pm

One connection is different from many connections and the CPU and ram accordingly is designed for a home environment and you have something far greater in the planning.
@anav, I am using the hEX S for some of my business clients [30 people] and they all are very pleased. I for one do not believe that the hEX S was designed for the home environment .... everything depends on requirements ..... IMO @Bionic made a good selection except for the OVPN side of things ... the CISCO switches are EXCELLENT and will do exactly what he wants :-)
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 7:42 pm

Good to hear Mozerd!
If you have practical experience that says otherwise, that is more valuable.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 7:45 pm

A few months ago I tested an OpenVPN tunnel with the MikroTik hEX S RB760iGS and did a few speed tests.

First I ran a test with the hEX S configured as a router behind a router without an OpenVPN connection, and I was able to get an iperf transfer at 936 Mbit/s.
Since you've mentioned almost 10 VLANs/subnets intended for various types of users, I automatically supposed that the firewalling functionality is required, as you probably don't want the guests to access any of the internal subnets, nor do you want users in any other subnets to have management access to your infrastructure elements, etc. That's why I looked at the "25 firewall rules" throughput figures for mid-sized packets. If you didn't need it to act as a firewall, only as a router, it would definitely be sufficient. If you set up some firewall rules, the CPU may have a tough time, so it is important to use the stateful firewall so that most packets would be fasttracked and, if not, handled by just two firewall rules each.

Since you already have it anyway, just go ahead and try.

Once I established an OpenVPN connection the iperf speed dropped to 35 Mbit/s.
That's still twice the bandwidth of your upload, so if you'd be only using the hEX S for this "voice VPN" and a little bit of remote management, it's OK.

The OpenVPN server settings were auth SHA1, cipher AES-256. The certificate settings were 2048 key size.
The ciphers used are important to a certain degree; the certificate settings are not as the certificate is only used when the connection is established.

As for normal data usage at the facility, 1 day a week I may have 50 users on the wifi streaming from YouTube or Facebook. But for those users I set the wifi to limit their download speed to 4 Mbit/s and their upload to a shared 10 Mbps.
Shared upload of 10 Mbps from multiple APs will be enforced by what? If the APs themselves or one of the Cisco boxes, no problem; if the bandwidth enforcement should be done by the hEX S, it's additional load for it. Again, try and see.
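The addressing plan posted earlier in the thread, checked for overlap and for fit inside 10.12.0.0/18, together with the forward-chain policy the opening post asks for (NetworkAdmin reaches every VLAN, the other VLANs stay isolated) rendered as RouterOS rules in the stateful, fasttracked order sindy describes. This is an added example, not code from the thread or from MikroTik; the interface names vlan<ID>, the interface lists LAN/WAN and ether1 as the uplink are assumptions, and the rules only matter if the hEX S, not the Cisco L3 switch, is the inter-VLAN router.

```python
"""Check the thread's VLAN/subnet plan and render the inter-VLAN policy as
RouterOS /ip firewall filter rules.

Added example, not code from the thread or from MikroTik. VLAN ids and prefixes
are the ones posted; interface names vlan<ID>, the interface lists LAN/WAN and
ether1 as uplink are assumptions.
"""
import ipaddress

SUPERNET = ipaddress.ip_network("10.12.0.0/18")

# (VLAN id, prefix, purpose) exactly as posted by the topic author
PLAN = [
    (10, "10.12.10.0/24", "Network Devices"),
    (11, "10.12.11.0/24", "NetworkAdmin"),
    (12, "10.12.12.0/24", "PBX"),
    (13, "10.12.13.0/24", "Production"),
    (14, "10.12.14.0/24", "Office"),
    (15, "10.12.15.0/24", "Classroom"),
    (16, "10.12.16.0/22", "Guest"),
    (20, "10.12.20.0/22", "Event"),
]
ADMIN_VLAN = 11  # the one VLAN allowed to reach every other VLAN


def validate_plan(plan, supernet=SUPERNET):
    """Return a list of problems (empty means the plan is consistent): prefix on
    its network boundary, inside the supernet, no overlaps, no VLAN id reused."""
    problems, seen_vlans, accepted = [], set(), []
    for vlan, cidr, name in plan:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:  # e.g. "10.12.20.1/22 has host bits set"
            problems.append(f"VLAN{vlan} {name}: {exc}")
            continue
        if not net.subnet_of(supernet):
            problems.append(f"VLAN{vlan} {name}: {net} is outside {supernet}")
        if vlan in seen_vlans:
            problems.append(f"VLAN{vlan} {name}: VLAN id used twice")
        seen_vlans.add(vlan)
        for other_vlan, other in accepted:
            if net.overlaps(other):
                problems.append(
                    f"VLAN{vlan} {name}: {net} overlaps VLAN{other_vlan} {other}")
        accepted.append((vlan, net))
    return problems


def render_interface_lists(plan, lan_list="LAN", wan_list="WAN", wan_if="ether1"):
    """Every VLAN interface goes into the LAN list, the uplink into WAN."""
    lines = ["/interface list", f"add name={lan_list}", f"add name={wan_list}",
             "/interface list member", f"add list={wan_list} interface={wan_if}"]
    for vlan, _cidr, name in plan:
        lines.append(f'add list={lan_list} interface=vlan{vlan} comment="{name}"')
    return lines


def render_forward_rules(plan, admin_vlan=ADMIN_VLAN, fasttrack=True,
                         lan_list="LAN", wan_list="WAN"):
    """Forward chain: admin VLAN reaches every VLAN, no other VLAN reaches
    another, all VLANs reach the internet, everything else is dropped.

    The leading established/related rules are sindy's point: only the first
    packet of a connection walks the per-VLAN rules. Fasttracked packets also
    skip simple queues, so use fasttrack=False if the Production-VLAN
    priority shaping has to see every packet.
    """
    if admin_vlan not in {vlan for vlan, _cidr, _name in plan}:
        raise ValueError(f"VLAN{admin_vlan} is not in the plan")
    rules = ["/ip firewall filter"]
    if fasttrack:
        rules.append("add chain=forward action=fasttrack-connection "
                     'connection-state=established,related comment="fasttrack"')
    rules += [
        "add chain=forward action=accept connection-state=established,related "
        'comment="stateful accept"',
        'add chain=forward action=drop connection-state=invalid comment="drop invalid"',
        f"add chain=forward action=accept in-interface=vlan{admin_vlan} "
        f'out-interface-list={lan_list} comment="NetworkAdmin reaches every VLAN"',
        f"add chain=forward action=drop in-interface-list={lan_list} "
        f'out-interface-list={lan_list} comment="no other inter-VLAN traffic"',
        f"add chain=forward action=accept in-interface-list={lan_list} "
        f'out-interface-list={wan_list} comment="LAN to internet"',
        'add chain=forward action=drop comment="default deny"',
    ]
    return rules


if __name__ == "__main__":
    problems = validate_plan(PLAN)
    print("plan OK" if not problems else "\n".join(problems))
    print("\n".join(render_interface_lists(PLAN) + render_forward_rules(PLAN)))
```

The existing access-controlled port forwards for the phones would need their own accept (matching the dstnat connection state) placed before the final drop, since the default deny closes WAN-to-LAN entirely.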
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 8:14 pm

If you have practical experience that says otherwise, that is more valuable.
Many home networks are far more demanding than business networks by a country mile :-) There are some niche business networks that require POWER but for the most part the majority of office environments are as boring as watching frozen molasses become unfrozen :-)

Where it becomes an issue TODAY is live streaming ...i.e. Microsoft Teams where many join in from the cloud, the same for Zoom, because the bandwidth throughput required is symmetrical and most use HD .... high volume concurrent VoIP usage .... etc the hEX could not handle that kind of stuff.
 
Bionic
just joined
Topic Author
Posts: 14
Joined: Mon Aug 17, 2020 3:22 am

Re: Network config help on HEX S & Cisco Switches.

Wed Oct 21, 2020 11:58 pm

Where it becomes an issue TODAY is live streaming ...i.e. Microsoft Teams where many join in from the cloud, the same for Zoom, because the bandwidth throughput required is symmetrical and most use HD .... high volume concurrent VoIP usage .... etc the hEX could not handle that kind of stuff.
If I succeed the OpenVPN requirement, that now puts a lot of different routers back on the table, including the Cisco RV340.

What is giving me pause about going with the hEX S is the fact that it may not be able to handle heavy usage of 500 Mbit per second. And the fact that this network will see the most usage 1 time a week when guests come in and expect to be able to stream video as well as go live themselves (upload their own HD video stream, 4 Mbit/s out). So I am pretty much sure I am going to have to eventually increase my upload speed to at least 100 Mbit/s.

So to better prepare myself for the future, what MikroTik router would you all recommend?

Or would it be better to go with a Cisco router since all the other equipment I am using is Cisco, and be able to use their single-pane-of-glass management and monitoring solution called Cisco Business Dashboard to see and configure everything?
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Network config help on HEX S & Cisco Switches.

Thu Oct 22, 2020 8:24 pm

So to better prepare myself for the future, what MikroTik router would you all recommend?

Or would it be better to go with a Cisco router since all the other equipment I am using is Cisco, and be able to use their single-pane-of-glass management and monitoring solution called Cisco Business Dashboard to see and configure everything?
Consider the RB4011, it will handle all of the load you've described with relative ease ....

YES if I was in your shoes I would go with the Cisco Router because the single pane of glass management and monitoring solution is outstanding.
 
Bionic
just joined
Topic Author
Posts: 14
Joined: Mon Aug 17, 2020 3:22 am

Re: Network config help on HEX S & Cisco Switches.

Fri Oct 23, 2020 2:13 am

So to better prepare myself for the future, what MikroTik router would you all recommend?

Or would it be better to go with a Cisco router since all the other equipment I am using is Cisco, and be able to use their single-pane-of-glass management and monitoring solution called Cisco Business Dashboard to see and configure everything?
Consider the RB4011, it will handle all of the load you've described with relative ease ....

YES if I was in your shoes I would go with the Cisco Router because the single pane of glass management and monitoring solution is outstanding.
The RB4011 is $204 @ Amazon.
The RV340 is $205 @ Provantage.

Looks like I am going to go with the Cisco.

Have you had an opportunity to use the Cisco Business Dashboard?
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Network config help on HEX S & Cisco Switches.

Fri Oct 23, 2020 2:55 am

Have you had an opportunity to use the Cisco Business Dashboard?
Yes I have .... that’s why I stated outstanding.
Btw, it’s really not a fair comparison between the RB4011 and the RV340 ... the Cisco is a security appliance plus it does near line rate NAT +++

Anyway, this is MikroTik forum so let’s stop here :-)
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network config help on HEX S & Cisco Switches.

Fri Oct 23, 2020 3:38 am

Have you had an opportunity to use the Cisco Business Dashboard?
Yes I have .... that’s why I stated outstanding.
Btw, it’s really not a fair comparison between the RB4011 and the RV340 ... the Cisco is a security appliance plus it does near line rate NAT +++

Anyway, this is MikroTik forum so let’s stop here :-)
RV340 is severely limited and handicapped - only a dual wan router, NOT multiwan ;-P
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Network config help on HEX S & Cisco Switches.

Fri Oct 23, 2020 2:29 pm

RV340 is severely limited and handicapped - only a dual wan router, NOT multiwan ;-P
@anav :-)
@Bionic does not need multi-wan but Bionic does need dual wan :-) PLUS Bionic would benefit greatly from the security mechanisms that come with the Cisco device.
 
aesmith
Member Candidate
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Network config help on HEX S & Cisco Switches.

Fri Oct 23, 2020 4:03 pm

The Cisco device needs a subscription to get all the fancy stuff. Annual subscription price is around 2/3 of the initial hardware cost.
Cisco Small Business RV340
Cisco RV Security subscription licence (1 year) - 1 licence
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network config help on HEX S & Cisco Switches.

Fri Oct 23, 2020 7:07 pm

That's okay, Mozerd is going to pay for them!! ;-P
One should be held responsible for promises of 'wow' security!!!!!!!!
 
Bionic
just joined
Topic Author
Posts: 14
Joined: Mon Aug 17, 2020 3:22 am

Re: Network config help on HEX S & Cisco Switches.

Sat Oct 24, 2020 10:16 am

Regarding the subscription security features, I have never considered enabling those pay-for-play features that the Cisco RV has. But, in all fairness, I have never owned a router that offered such subscription services. To those who have actually used these types of subscription features, do you feel they are worth the price, and which subscription features do you use? If you have used them and are now no longer paying for the features, what made you change?
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Network config help on HEX S & Cisco Switches.

Sat Oct 24, 2020 1:13 pm

That's okay, Mozerd is going to pay for them!! ;-P
One should be held responsible for promises of 'wow' security!!!!!!!!
Yes YOU are 100% correct :-)

Because 92% of Internet traffic today is encrypted, malware, viruses and ransomware hide very easily -- and the only way to detect that is to decrypt, inspect and accept or reject ..... all of that happens at layer 7

A very capable blacklist can be a big help .... identify IP addresses of the bad guys etc :-) ... but nothing compares to Layer 7 work if that is done efficiently, preferably at line rate.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Network config help on HEX S & Cisco Switches.

Sat Oct 24, 2020 2:10 pm

To justify the budget for security is always complicated, as the damage feels abstract and unreal to the CFO until the company gets actually hit.

In simple words, Layer 7 analysis does more or less the same as an anti-virus running on the endpoint: it scans the application data flowing through it for occurrences of typical patterns (signatures) of known malware.

What is important is that the list of those signatures needs to be constantly updated, as a result of continuous threat research and analysis, which explains the need for a subscription. So without the subscription, the whole Layer 7 part becomes obsolete, and hence pointless, very quickly.

Layer 7 analysis has to execute man-in-the-middle attacks to the encrypted connections in order to see the application data in plaintext, otherwise it would be useless.
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Network config help on HEX S & Cisco Switches.

Sat Oct 24, 2020 3:07 pm

To those who have actually used these types of subscription features, do you feel they are worth the price, and which subscription features do you use? If you have used them and are now no longer paying for the features, what made you change?
@Sindy provided a very nice description of Layer 7 work :-) Thank You.

@Bionic .... IMO, yes they are worth the price, especially for IDS/IPS and Application Control. I typically use Untangle for UTM work because the machines my Untangle installations run on are very capable and, yes, expensive. With the RV340 you have a 90-day free trial of the UTM capabilities, which is enough time for you and your client to determine the performance impacts. BTW, UTM stands for Unified Threat Management.
My typical UTM chain looks like : Internet >>ISP device>>Router>>Untangle [bridged]>>switch>>etc
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network config help on HEX S & Cisco Switches.

Sat Oct 24, 2020 3:32 pm

Out of curiosity Mozerd, at home do you run MT with MOAB or are you using CISCO with UTM?
What do you recommend for your clients.............. i.e. what threshold do you insist they move to CISCO?
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Network config help on HEX S & Cisco Switches.

Sat Oct 24, 2020 5:13 pm

Out of curiosity Mozerd, at home do you run MT with MOAB or are you using CISCO with UTM?
What do you recommend for your clients.............. i.e. what threshold do you insist they move to CISCO?
At home I run MikroTik with MOAB
For my clients -- majority is MikroTik + MOAB

Threshold = level of client paranoia.

For non-paranoid clients I offer MikroTik + MOAB first and if after 6 months the level of intrusions is not acceptable I will switch to UTM solutions -- they only pay for the UTM integration. I have not had any switch-overs yet -- so far MOAB has been effective ... very effective.

For paranoid clients it's CISCO UTM first and if the budget is not there then MikroTik+Untangle ....
 
aesmith
Member Candidate
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Network config help on HEX S & Cisco Switches.

Sat Oct 24, 2020 5:15 pm

To those who have actually used these types of subscription features, do you feel they are worth the price, and which subscription features do you use? If you have used them and are now no longer paying for the features, what made you change?
I don't use anything like these at home but we do for our customers. To be honest I'm not a fan of the Cisco Small Business products (although their L2 switches can be OK). Aside from that we've had disappointments where they didn't support something you'd take for granted in anything called "Cisco", or where a feature had to be configured in a bizarre way. I don't suppose much has changed aside from renaming the range as "Business" rather than "Small Business". Pure prejudice tells me that since Cisco has Firepower as their premium firewall family, and Meraki below that, it stands to reason that the Small Business products must be less capable.

So we don't have anyone running Small Business security products. Of the customers running Meraki with Advanced Security, they are mainly interested in policy enforcement by URL categorisation, and application control (limit bandwidth for iTunes for example). Also ad blocking. Bigger outfits running Firepower tend to be interested in malware filtering and intrusion detection, but also the same classification and policy enforcement.
