Hi, I have a newly purchased MikroTik RB4011iGS+5HacQ2HnD router which I would like to integrate into my existing home network and utilise VLANs to isolate network traffic. TL;DR below.
My current setup has a pfSense Firewall connected to Fibre Internet. I have 3 physical locations that I need to provide connectivity to: Front House, Cabin and Back House, all connected via CAT5E Ethernet. I have a MikroTik hAP ac lite in the Front House, a Netgear WNR3500L in the Cabin and an Asus RT-AC3200 in the Back House, all connected through the Firewall to the Internet.
Internet > Firewall > 192.168.1.0/24 = Back House Network devices including Cabin Netgear WNR3500L
Firewall > hAP-ac-lite > 192.168.2.0/24 = Front House devices
There are about 40 devices on this network, ranging from end user devices (PCs, Tablets, Laptops, Phones, etc.) to smart devices (Chromecasts, Home automation controllers, Game Consoles, etc.) to Servers (NAS, Web, Email, etc.) to Network devices (Switches, Routers, Firewalls), which all have varying security profiles (Untrusted, Trusted, Insecure, Guest, Secure, etc.) and require differing management and access controls.
Below is an image of where I would like to get to in terms of network isolation:
My initial configuration has the trunk between the Firewall and the RB4011 configured and serving the Cabin_VLAN200, and another trunk between the Firewall and a Netgear ProSafe switch serving the Server_VLAN50 and Back_VLAN100. Layer 3 Routing and DHCP are being provided by the Firewall and working correctly for these VLANs.
I am having problems understanding the correct (or most correct) way to achieve the above. I have read differing statements on forums and in documentation, and in practice things are not really making sense to me. Most of the time I configure anything further on the RB4011 or hAP ac lite I lock myself out of the device (although interestingly traffic still flows just fine) and have to reset it to defaults and start over. I have zero problems with either the Firewall or the Netgear Switch. I can even get VLANs running on the Asus RT-AC3200 (I am wanting to discontinue this device), but there is something I am not understanding with the MikroTik configurations.
TL;DR:
Is this configuration possible with this hardware utilising VLANs on a Bridge? Is there a better way to configure this?
Do I need to tag the default Bridge with all the VLANs I will be using or is the bridge dynamically added? Tagging the Bridge results in loss of access.
How do I assign an IP address to the bridge that exists in VLAN50? Just adding "192.168.5.254/24" to the bridge only ever replies locally and then prevents further access to the device.
How do I remove VLAN1 without removing access to everything on the networks connected via the MikroTik devices? Doing this results in loss of access.
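The following is an added RouterOS CLI example for the RB4011, not part of the original post and not the poster's configuration. It shows the bridge-VLAN-filtering pattern that addresses the three TL;DR questions together: the bridge is listed as a tagged member only of the VLAN in which the router itself needs an address, the management address goes on a VLAN interface on top of the bridge rather than on the bridge, and VLAN 1 is kept off the trunks by admitting only tagged frames there. The VLAN IDs and the 192.168.5.254/24 management address are taken from the post; the port roles (ether1 trunk to pfSense, ether2 trunk to the hAP ac lite, ether3 as an untagged Cabin access port), the bridge name `bridge1`, the VLAN interface name `vlan50-mgmt` and the firewall's gateway address 192.168.5.1 are assumptions for illustration.

```routeros
# Added example configuration (not from the original post).
# Assumes the RB4011 was started from a blank configuration, e.g.
#   /system reset-configuration no-defaults=yes
# and that you are connected through the serial console or a port that
# will still carry VLAN 50 once filtering is on. Press Ctrl+X in the
# terminal first to enter Safe Mode so a lost session rolls everything back.

# 1. Create the bridge with VLAN filtering OFF. It is switched on last,
#    after the VLAN table and management interface are complete.
/interface bridge add name=bridge1 vlan-filtering=no

# 2. Bridge ports. Assumed roles:
#    ether1 = trunk to pfSense (tagged 50,100,200)
#    ether2 = trunk to hAP ac lite (tagged 50,100,200)
#    ether3 = untagged access port for Cabin_VLAN200
# Trunks accept only tagged frames, so nothing lands in VLAN 1 (pvid 1)
# and no dynamic VLAN 1 entry is created for them.
/interface bridge port add bridge=bridge1 interface=ether1 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether2 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access port: untagged frames are placed in VLAN 200 via pvid.
/interface bridge port add bridge=bridge1 interface=ether3 pvid=200 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 3. Static VLAN table. "bridge1" is listed as a tagged member ONLY of
#    VLAN 50, because that is the only VLAN in which the router itself
#    needs an IP (management). L3 and DHCP for all VLANs stay on pfSense.
/interface bridge vlan add bridge=bridge1 vlan-ids=50 \
    tagged=bridge1,ether1,ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=100 \
    tagged=ether1,ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=200 \
    tagged=ether1,ether2 untagged=ether3

# 4. Management IP: a VLAN interface on top of the bridge, not on the
#    bridge itself. An address directly on bridge1 would sit in the
#    bridge's pvid (VLAN 1) and become unreachable once filtering is on.
/interface vlan add name=vlan50-mgmt interface=bridge1 vlan-id=50
/ip address add address=192.168.5.254/24 interface=vlan50-mgmt
# Assumed: pfSense is 192.168.5.1 in Server_VLAN50.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.5.1

# 5. Only now enable VLAN filtering. Verify with
#    /interface bridge vlan print  and  /interface bridge host print
/interface bridge set bridge1 vlan-filtering=yes
```

The hAP ac lite takes the same pattern with its own ether names and its management address on a `vlan50-mgmt` interface. If the session drops after step 5, Safe Mode reverts the change; if it survives, press Ctrl+X again to leave Safe Mode and commit.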