Max2
newbie
Topic Author
Posts: 40
Joined: Fri Dec 05, 2014 5:57 pm

Isolate AP connected to via the same ethernet port?

Mon Apr 11, 2022 1:13 am

Hi guys,

I'm a beginner when it comes to networking and I have the following situation:

I want to isolate an Access point that will be used to connect an untrusted surveillance camera, from the rest of the network.
I have a Mikrotik RB450G as the router and 2 consumer wifi routers as access points.
The switch is unmanaged.
Everything is already configured and working properly, except for the AP that will be used to connect the surveillance camera.

Can you guys please give me a short guideline on how to approach this situation?

Thank you in advance!
diagram.jpeg
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?

Mon Apr 11, 2022 1:21 am

The only practical solution I see is to wire the untrusted AP directly to the router and bypass the switch, keeping the switch for all trusted traffic.
If not possible then consider getting a cheap managed switch. Even then your access points being consumer and not able to read vlan tags would only be able to serve one set of users, either untrusted, or trusted.
 
Max2
newbie
Topic Author
Posts: 40
Joined: Fri Dec 05, 2014 5:57 pm

Re: Isolate AP connected to via the same ethernet port?

Mon Apr 11, 2022 8:59 am

Is this switch good enough for the task of isolating that AP from the rest of the network?

https://us.dlink.com/en/products/dgs-11 ... ged-switch
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolate AP connected to via the same ethernet port?

Mon Apr 11, 2022 10:05 am

Is this switch good enough for the task of isolating that AP from the rest of the network?

https://us.dlink.com/en/products/dgs-11 ... ged-switch

The page you linked mentions VLANs ... so yes, it's good enough. After you get it, you'll have to configure the switch and RB450 to use VLANs.
 
Max2
newbie
Topic Author
Posts: 40
Joined: Fri Dec 05, 2014 5:57 pm

Re: Isolate AP connected to via the same ethernet port?

Mon Apr 11, 2022 2:24 pm

Ok, so I ordered the managed switch and the surveillance camera.

I guess that I'll have to:
-create another subnet (the untrusted subnet) for the same eth port on Mikrotik?
-configure 2 VLANs in the Mikrotik router
-another DHCP server for the second AP that will be used to connect only untrusted devices
-assign these 2 VLANs to each subnet (local PCs subnet, untrusted devices subnet)
-configure the VLAN port limitation for the switch
-configure the 2nd router to work as an AP
-block traffic between these 2 VLANs (where should this be configured?)

Did I miss something?
I've never used VLANs before, and it took me a while, some years ago, to manage to configure my WiFi router to be used as an AP with my existing Mikrotik.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?

Mon Apr 11, 2022 3:44 pm

It will be less complicated than you think.
The router will do all the dhcp etc.......... all the rest of the devices will be accepting and pushing out the vlans as required.
Last edited by anav on Mon Apr 11, 2022 3:46 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?

Mon Apr 11, 2022 3:46 pm

It will only be two vlans from what I see, one trusted and one not trusted, UNLESS you want to separate your PC as a third VLAN.............
 
Max2
newbie
Topic Author
Posts: 40
Joined: Fri Dec 05, 2014 5:57 pm

Re: Isolate AP connected to via the same ethernet port?

Mon Apr 11, 2022 10:32 pm

What gateway should I specify for the new subnet? The same gateway that is used by the old subnet?

I'm trying to figure out what I need to create, in order to make the whole thing work:
- new DHCP pools
- new DHCP servers
- new address lists
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?

Tue Apr 12, 2022 12:06 am

Look at this example for Router...........
viewtopic.php?t=143620

The first example has a router config file which kinda shows what you need.

This next link includes an example of a MT device just being used as an AP/Switch.
viewtopic.php?t=182276
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?

Tue Apr 12, 2022 12:08 am

Create bridge,
Create vlans with interface bridge
create for each vlan IP pool, address, dhcp-server, dhcp-server network.

Can be the existing subnets with minor changes.
Set up bridge ports
Setup bridge vlans
turn bridge vlan filtering on etc......

Give it a stab, will be here.........
Oh do recommend one thing though........
viewtopic.php?t=181718
 
samguillou
just joined
Posts: 1
Joined: Tue Apr 12, 2022 10:25 am

Re: Isolate AP connected to via the same ethernet port?

Tue Apr 12, 2022 10:27 am

Wire the untrusted AP directly to the router and bypass the switch, keeping the switch for all trusted traffic.
spades
 
Max2
newbie
Topic Author
Posts: 40
Joined: Fri Dec 05, 2014 5:57 pm

Re: Isolate AP connected to via the same ethernet port?

Tue Apr 12, 2022 7:30 pm

Any ideas how to configure the vlans? :)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?

Tue Apr 12, 2022 10:33 pm

Yes, I happen to have d-stink, netsheite, tp-stink as well as zyxle and MT switches..........

VLAN1 (in that display what you should see is.........)
a. ALL TRUNK PORTS ARE TAGGED FOR VLAN1
b. ALL ACCESS PORTS have no ENTRY either tagged or untagged.

VLAN XX
a. tagged for applicable Trunk ports (passing through that port going to smart devices that will read the vlans)
b. untagged for any access ports (going to dumb devices)

Under VLAN settings (at least what I have on mine)
each port should be identified as ingress checking ENABLED,
all trunk ports - ADMIT ALL
all access ports - untagged only

When you look at VLAN detail
Trunk port example,
Number of Port: etherXX
Vlan mode: trunk
Vlan Native: Vlan1
Trunk Allowed VLans: a,b,c as applicable
ingress checking: enabled
Allowed Frames: admit all

ACCESS PORT EXAMPLE
Number of Port: etherYY
Vlan mode: Access
Access VLAN: VlanZ
ingress checking: enabled
Allowed Frames: admit all.

Your variant may be different, but setting the PVID number to VlanZ for that ether port may be the way you have to do it.
 
Max2
newbie
Topic Author
Posts: 40
Joined: Fri Dec 05, 2014 5:57 pm

Re: Isolate AP connected to via the same ethernet port?

Wed Apr 13, 2022 11:01 am

Thank you for your reply, but I still don't know what I should do. The switch doesn't specify all those things that you mention.

It only has a VID creation list and some PVID settings.
I don't know what the implications are of having that default VID 1 with all the ports assigned to it. Do I have to delete it, do I leave it, do I remove some ports from it?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?

Wed Apr 13, 2022 2:55 pm

What's the model of the D-Link switch? I will figure it out for you.
 
Max2
newbie
Topic Author
Posts: 40
Joined: Fri Dec 05, 2014 5:57 pm

Re: Isolate AP connected to via the same ethernet port?

Wed Apr 13, 2022 7:49 pm

This is the switch:
https://us.dlink.com/en/products/dgs-11 ... ged-switch
https://support.dlink.com/resource/PROD ... .00_WW.pdf

The Mikrotik router will be connected on port 1, ports 2-6 will be for PCs, port 7 for the safer WiFi and port 8 for the unsafe WiFi.

What I don't know:
1. Do I go for 802.1Q VLAN or port-based VLAN? (These are the 2 options that this switch has.) Do I have to use port-based VLANs with port tagging/untagging?
2. What happens with default VID 1? Do I alter it after I create extra VLANs, or do I leave it as it is?
3. Do I create 3 VLANs one containing port 1,7 and one containing port 1,8 and one containing port 1,2,3,4,5,6?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?

Wed Apr 13, 2022 7:58 pm

Yes 802.1Q
Default VLAN, pvid1 stays with trunk ports only and is replaced by the PVID of the vlan for untagged ports.
Think of vlans needing to traverse ports; if they don't, then it's not identified to that port by the various means........

Will take a look.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?

Wed Apr 13, 2022 8:34 pm

Okay, I have a dgs1100-24 and I don't have any pvid menus, as it's one step up the food chain in setup or it's just older, who knows..
In any case I have provided a setup I use on one of my netgear smart switches that mimics your choices.
To give you context
FIRST PICTURE
Trunk Ports are 1,3,7,8
1 goes to capac AP smart
3 goes to Tplink AP smart
7 goes to Main Router
8 goes to Backup to main router in case ether7 port fails.........

Access Ports are 2,4,5,6
2 goes to a dumb iot device
4 goes to a dumb switch
5 goes to another dumb iot device
6 is a spare port where I can hook up my laptop (dumb device).

PICTURES2-4
These show the tagging and untagging of various VLANS assigned to the switch.
As you can see the default PVID for every port is VLAN1 UNTAGGED; since we don't change PVID for trunk ports, each trunk port should have an untagged entry.
All access ports should have NO entry for vlan1 (tagged or untagged), as the pvid entry for the specific port removes vlan1 from the equation.

The 2nd picture shows the relationships of vlan1 to the ports (default vlan)
The 3rd/4th picture show the relationships of normal VLAN that comes in on trunk port and goes out both trunk and access ports (tagged for all trunk ports and untagged for access ports)
..............
exampleQ1.JPG
q2.JPG
q3.JPG
q4.JPG
q5.JPG
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?  [SOLVED]

Wed Apr 13, 2022 8:39 pm

So on the port coming from the Router, let's call it ether1:
It's a trunk port. It should show untagged for VLAN1; don't touch pvid or anything else.

The only thing you need to do here is tag vlanX and vlanY - assuming X is home and Y is guest.

Then let's say ether2 is to the AP for home users.
Then you will need to PVID port 2 with VLAN number X, and the port is also UNTAGGED for VLANX.

Then let's say ether3 is for the PC you use.
Then you will need to set PVID port 3 with VLAN number X, and the port is also UNTAGGED for VLANX.

Then let's say ether4 is for the GUEST AP.
Then you will need to set PVID port 4 with VLAN number Y, and the port is also UNTAGGED for VLANY.
+++++++++++++++++++++++++++++++++++

So in that computer screen layout picture you showed, it would look like
VLAN1: Untagged --> (should only be trunk ports = 1 and any unassigned ports on the switch) / Tagged (NONE).
VLAN2: WIFI1 (assuming homewifi) Untagged--> (Should be ether2 and ether3) / Tagged=ether1
VLAN3: WIF2 (assuming guest wifi) Untagged --> (should be ether4) / Tagged=ether1


+++++++++++++++++++++++++++++++++++++++++++++

That should be enough info to get you where you need to be. Fill it in as you need it specific to your setup and then post all the pics here and I will have a look.
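The same membership table, written out as RouterOS bridge VLAN configuration for a MikroTik device used purely as a managed switch (the kind of AP/switch config anav links earlier in the thread). This is an added example, not configuration from the thread, and Max2's actual switch is a D-Link, so it is not a copy-paste for that unit; the point is that the table is vendor-neutral: trunk port tagged for every VLAN and left on PVID 1, each access port PVID-stamped and untagged for exactly one VLAN, and no access port carrying VLAN 1. Port roles follow Max2's stated plan (port 1 to the router, 2-6 PCs, 7 trusted AP, 8 camera AP); the VLAN IDs 10/20 and the management address are assumptions.

```routeros
# Added example (not from the thread). MikroTik device acting as a managed switch.
# Assumed: VLAN 10 = trusted (PCs + trusted AP), VLAN 20 = untrusted camera AP.

# Bridge with filtering OFF until the VLAN table below is complete.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# ether1 = trunk to the router. PVID stays at the default 1 (this is the
# "VLAN1 untagged on trunk ports" entry anav describes); only tagged frames in.
add bridge=bridge1 interface=ether1 pvid=1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# ether2-7 = access ports in the trusted VLAN. PVID stamps untagged frames from
# the dumb device with VLAN 10; tagged frames from such a port are rejected.
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether7 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# ether8 = access port for the camera AP, PVID 20. It has NO entry for VLAN 1
# or VLAN 10, so nothing on it can reach the trusted ports at layer 2.
add bridge=bridge1 interface=ether8 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 10: tagged on the trunk, untagged on PCs and the trusted AP.
# bridge1 is tagged too, only so the switch's own management IP can live here.
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether1 untagged=ether2,ether3,ether4,ether5,ether6,ether7
# VLAN 20: tagged on the trunk, untagged on the camera AP port only.
add bridge=bridge1 vlan-ids=20 tagged=ether1 untagged=ether8
# VLAN 1 needs no explicit entry: the trunk's pvid=1 creates its untagged
# membership dynamically, and access ports deliberately have none.

# Management address of the switch in the TRUSTED VLAN, never the camera VLAN.
/interface vlan
add name=mgmt-vlan10 interface=bridge1 vlan-id=10
/ip address
add address=192.168.10.2/24 interface=mgmt-vlan10

# Last step, once every entry above is in place.
/interface bridge
set bridge1 vlan-filtering=yes
```

Apply it with safe mode enabled (or from a scheduled rollback): turning on `vlan-filtering` with a wrong table cuts off management, since the management IP only works while VLAN 10 is tagged on `bridge1`. Checking `/interface bridge vlan print` afterwards should show VLAN 1 on `ether1` only and the camera port `ether8` in VLAN 20 only.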
 
Max2
newbie
Topic Author
Posts: 40
Joined: Fri Dec 05, 2014 5:57 pm

Re: Isolate AP connected to via the same ethernet port?

Fri Apr 15, 2022 5:50 pm

Can you please tell me how I mark the packets of a specific subnet with a specific VLAN?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate AP connected to via the same ethernet port?

Sat Apr 16, 2022 7:11 pm

Hi Max, that is not a requirement; that is an attempt at a solution using config.
What are you trying to do in plain English? Such as: I need users X at device Y to have access to the internet (and maybe other subnets).

Remember Smart device to smart device one uses a trunk port to pass vlans
Smart device to dumb devices, one uses access ports to untag vlans

There is generally no need to mark traffic yourself or through mangling etc. for vlan data flow...........
It's all assigned in /interface bridge ports and /interface bridge vlans
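The router side of anav's step list (bridge, VLAN interfaces on the bridge, one pool/address/DHCP server/DHCP network per VLAN, bridge ports, bridge VLAN table, filtering on last) together with the answer to Max2's two open questions: the gateway of each new subnet is the router's own address in that VLAN, and the packets are never "marked" by hand, since the bridge VLAN table tags them. This is an added example for an RB450G-class router, not configuration posted in the thread. Assumptions: ether1 is the WAN port, ether2 is the trunk to the managed switch, VLAN 10 is trusted, VLAN 20 is the camera AP, and the subnets are 192.168.10.0/24 and 192.168.20.0/24 (anav notes the existing subnet can be reused with minor changes). The firewall rules also answer the question "where is traffic between the VLANs blocked?": in `/ip firewall filter`, not in the VLAN table.

```routeros
# Added example (not from the thread): router side of the two-VLAN design.
# Assumed: ether1 = WAN, ether2 = trunk to the managed switch,
# VLAN 10 = trusted (PCs + trusted AP), VLAN 20 = untrusted camera AP.

# 1. Bridge; filtering stays OFF until the VLAN table is complete.
/interface bridge
add name=bridge1 vlan-filtering=no

# 2. Bridge port: only the trunk. Frames arriving untagged on the trunk are dropped.
/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# 3. Bridge VLAN table: both VLANs tagged on the trunk. bridge1 itself is listed
#    as tagged so the router gets a layer-3 foot in each VLAN (step 4).
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2 comment="trusted"
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2 comment="camera (untrusted)"

# 4. One VLAN interface per VLAN, attached to the bridge (not to ether2).
/interface vlan
add name=vlan10-trusted interface=bridge1 vlan-id=10
add name=vlan20-camera interface=bridge1 vlan-id=20

# 5. Per VLAN: pool, address, DHCP server, DHCP network. The gateway handed out
#    is the router's address in THAT VLAN, not the old LAN's gateway.
/ip pool
add name=pool-trusted ranges=192.168.10.100-192.168.10.200
add name=pool-camera ranges=192.168.20.100-192.168.20.200
/ip address
add address=192.168.10.1/24 interface=vlan10-trusted
add address=192.168.20.1/24 interface=vlan20-camera
/ip dhcp-server
add name=dhcp-trusted interface=vlan10-trusted address-pool=pool-trusted disabled=no
add name=dhcp-camera interface=vlan20-camera address-pool=pool-camera disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# 6. Isolation. Forward chain: trusted may open connections to the camera (so
#    you can view it); the camera VLAN may initiate nothing towards other VLANs.
#    If the camera needs internet, add an accept with out-interface=ether1
#    above the drop; if it does not, leave it as is.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies to existing flows"
add chain=forward action=accept in-interface=vlan10-trusted out-interface=vlan20-camera comment="trusted -> camera"
add chain=forward action=drop in-interface=vlan20-camera comment="camera -> anything else"
#    Input chain: the camera VLAN may talk to the router only for DHCP (and DNS,
#    if it needs names); WinBox/SSH/web from that VLAN are dropped.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan20-camera protocol=udp dst-port=67 comment="DHCP from camera VLAN"
add chain=input action=accept in-interface=vlan20-camera protocol=udp dst-port=53 comment="DNS from camera VLAN"
add chain=input action=drop in-interface=vlan20-camera comment="no management from camera VLAN"

# 7. Last: turn VLAN filtering on.
/interface bridge
set bridge1 vlan-filtering=yes
```

Two things to check after pasting. Rule order: `add` appends, so on a router that already has the default firewall the new rules land below its generic "accept from LAN" rules and never match; use `place-before=` (or drag them in WinBox) so the camera-VLAN drops sit above any broad accept. And the trusted AP and PCs should land in VLAN 10 via the switch's access ports, not via a second bridge port on the router, otherwise the trunk table above is incomplete. Enable safe mode before step 7, since a mistake in the VLAN table disconnects the management session.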
