jeroenR90S
just joined
Topic Author
Posts: 9
Joined: Tue Dec 08, 2020 10:30 pm

Thanks for the "vlan your network" topic, pcunite and others

Sat Aug 21, 2021 1:40 pm

Just wanted to say thanks for this: viewtopic.php?f=23&t=143620
and cannot recommend it enough for those new to VLANs.

I've had VLANs up and running for quite a while but just could not get management access working from any of them.
I've read your explanations and the comments and questions by mkx, sindy and anav, but could not figure out why it was not working.

With it being weekend (no working from home, as in, the router is then sorely needed) and everyone except me being from home I re-examined your config examples and it finally dawned what I've been missing in my management vlan setup all along.
It was the "input" rules -> I added those (but used a source group with just my own devices in it) and it worked immediately.

Even though it's mid-day here, I'll pull open a beer and have one on you, mkx, sindy and others :) Cheers!

Best regards, and have a nice day all,

a very happy Jeroen
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Thanks for the "vlan your network" topic, pcunite and others

Sat Aug 21, 2021 5:41 pm

Hi Jeroen,

The management access is a tricky bugger to be sure.
The access to the router (input chain) is only required by the admin (full) while users only need partial for services such as DNS or NTP.
Thus with a block all rule at the input chain and the allow rules above, prior to that, you are golden.

One should also factor in that the management access to winbox is also partially controlled by the mac winbox server interface setting.
Thus I typically match my input rule to what is the interface identified in the winbox server setting.
Let's say I call it in interface members list=management.
I will put my home lan (or management vlan if there is a separate one) as a member of management.

If for example you have a list of static IPs on the home lan, and a couple on other LANs then you add the other subnets to the LIST
and in the input chain rule use the management interface list on the in-interface-list BUT ALSO in conjunction with a source firewall address list of all the IPs that are static across subnets associated with admin devices.
For example your IPHONE on the home lan is in there but also the IPHONE on a wlan that's on a different vlan...

The other important aspect to consider is that all smart devices should have their IP address from the management subnet (access point, switches etc.)
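A worked RouterOS configuration of the input-chain layout anav describes above, as an added example that is not any poster's own config. The interface names (vlan10-home, vlan20-mgmt, vlan30-wlan), the list names (LAN, management, adminIPs) and the addresses are assumptions.

```routeros
# Added example (RouterOS v6 syntax): allow rules first, block-all last, with
# admin access gated on BOTH an interface list and an address list.
# Interface names, list names and addresses are assumed, not from the thread.

# 1. Interface lists. "LAN" = every user-facing VLAN; "management" = only the
#    interfaces admin devices live on (home LAN plus a separate mgmt VLAN).
/interface list add name=LAN
/interface list add name=management
/interface list member add list=LAN interface=vlan10-home
/interface list member add list=LAN interface=vlan20-mgmt
/interface list member add list=LAN interface=vlan30-wlan
/interface list member add list=management interface=vlan10-home
/interface list member add list=management interface=vlan20-mgmt

# 2. Static IPs of admin devices, across subnets (e.g. the same phone on the
#    home LAN and on the WLAN VLAN).
/ip firewall address-list add list=adminIPs address=192.168.10.10 comment="laptop on home LAN"
/ip firewall address-list add list=adminIPs address=192.168.30.10 comment="phone on wlan vlan"

# 3. Input chain: accept rules above, a single drop rule at the bottom.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="allow established"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping"
# Partial access for ordinary users: only the services the router offers them.
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS udp"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS tcp"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=123 comment="NTP"
# Full access (winbox, ssh, www) only from an admin IP arriving on a management interface.
add chain=input action=accept in-interface-list=management src-address-list=adminIPs comment="admin access"
add chain=input action=drop comment="block all other input"

# 4. MAC winbox / MAC telnet / neighbor discovery follow the same interface list,
#    since the firewall alone does not govern MAC-level winbox access.
/tool mac-server mac-winbox set allowed-interface-list=management
/tool mac-server set allowed-interface-list=management
/ip neighbor discovery-settings set discover-interface-list=management
```

If winbox is connected through the interface being restricted, add the accept rules before the final drop (or use Safe Mode) so the session is not cut off mid-change.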
 
jeroenR90S
just joined
Topic Author
Posts: 9
Joined: Tue Dec 08, 2020 10:30 pm

Re: Thanks for the "vlan your network" topic, pcunite and others

Thu Sep 02, 2021 9:44 pm

Hi Anav,

Yes, that surely took me a while to figure out!
Now that I had that working I've also had success with my two CAP-AC's, so I don't need to connect these to my laptop with PoE injectors to update the software or tweak a setting here and there.
I also scored a very nice older and used Juniper (shh, don't tell :P) EX2200 passively cooled 12 port PoE switch, which I've also managed to get "manageable" in my mgmt network. This makes life a lot easier :)

Now setting up everything to get more secure (security groups, firewall, ssh certificate based access etc), then find some time to get the LAG working from my Proxmox server. Too bad all work takes so much time I could otherwise fiddle with this stuff.

Jeroen
