gerik
just joined
Topic Author
Posts: 4
Joined: Tue Nov 07, 2023 10:03 pm

Internet connection on CRS326 behind external router

Mon Apr 22, 2024 12:34 am

Hi all,

I'm pretty new to Mikrotik and I have the following architecture planned:
Router provided by ISP (cable) -> CRS326 creating 4 VLANs -> LAN ports and several cAP ax for WiFi
VLAN 10 internal
VLAN 20 guest (participants can't see others)
VLAN 30 for home automation system
VLAN 99 for management
The cAPs shall provide all VLANs 10, 20 and 30 with separate WiFi SSIDs and enable WiFi roaming between the APs.
And some endpoints shall have access to multiple VLANs. To simplify broadcasts etc. every VLAN shall reside in a separate partition of the same /24 subnet.
VLAN 99 devices shall also be able to connect to the router for configuration.

I'm currently building the network setup step by step reading the documentation. Port 1 shall be used for WAN and port 2 for management. The current state is having set up the VLAN on the first ports.
/interface bridge
set bridge vlan-filtering=no

/interface vlan
add interface=bridge vlan-id=99 name=MGMT
add interface=bridge vlan-id=10 name=V10
add interface=bridge vlan-id=20 name=V20
add interface=bridge vlan-id=30 name=V30

/ip/pool
add name=vlan10 ranges=192.168.0.10-192.168.0.127
add name=vlan20 ranges=192.168.0.128-192.168.0.191
add name=vlan30 ranges=192.168.0.192-192.168.0.223

/ip/dhcp-server/
add address-pool=default-dhcp interface=MGMT
add address-pool=vlan10 interface=V10
add address-pool=vlan20 interface=V20
add address-pool=vlan30 interface=V30
remove defconf

/interface bridge port
set [find interface=ether2] bridge=bridge pvid=99 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
Questions at the current stage:
  • Does this approach make any sense, or not at all, or what should be changed?
  • How do I integrate the internet access?
 
tdw
Forum Guru
Posts: 1880
Joined: Sat May 05, 2018 11:55 am

Re: Internet connection on CRS326 behind external router

Mon Apr 22, 2024 3:14 am

"To simplify broadcasts etc. every VLAN shall reside in a separate partition of the same /24 subnet."
That will not work, and it is not specific to using a Mikrotik. Each VLAN is its own layer 2 broadcast domain so broadcasts will not pass between them. Having overlapping subnets would require special handling as the router would not know which interface to send ARP requests from for any particular address within the /24.
 
anav
Forum Guru
Posts: 19765
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Internet connection on CRS326 behind external router

Mon Apr 22, 2024 8:06 pm

Also be aware you are asking the CRS326 to perform routing functions and it's a switch, so not quite sure what performance will be realized.
In terms of the upstream router and configuration: if the upstream router cannot read vlans, sending it vlan99 would be a waste of time.
The private WANIP will be coming from the private LAN of the upstream router. Thus if you need to access the config of the mikrotik while on the LAN of the upstream router, that would simply be a case of identifying which LANIPs have access to the input chain.
Typically I put the local LANIPs that the admin uses on an address list for input chain access. The LAN only gets access on input chain to DNS services and sometimes NTP, then drop all else.
- wired admin
- wifi admin
- wireguard admin

In your case it would appear you would also add
- wired admin on upstream router LAN.

(1) You're missing an IP pool for management vlan 99 ???

You have no firewall rules, you have no bridge vlan settings... sorry, this is not worthwhile reviewing.

Check out:
https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=447s
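
The input-chain approach described in the post above, written out as an added example that is not part of the original thread or any poster's configuration. Every address, the upstream LAN range, the WireGuard address and the list names LAN and admin are assumptions constructed for illustration; the interface names MGMT, V10, V20 and V30 are the ones from the first post.

```routeros
# Added example. All addresses and list names below are constructed assumptions.
# Assumed: MGMT VLAN 99 uses 192.168.99.0/24, upstream ISP router LAN is 192.168.1.0/24.

# Group the internal VLAN interfaces so rules can refer to "the LAN" as one list
/interface list
add name=LAN comment="internal VLAN interfaces"
/interface list member
add list=LAN interface=MGMT
add list=LAN interface=V10
add list=LAN interface=V20
add list=LAN interface=V30

# Hosts allowed to manage the CRS326, one entry per admin device
/ip firewall address-list
add list=admin address=192.168.99.10 comment="wired admin (constructed)"
add list=admin address=192.168.99.11 comment="wifi admin (constructed)"
add list=admin address=10.10.10.2 comment="wireguard admin (constructed)"
add list=admin address=192.168.1.50 comment="wired admin on upstream router LAN (constructed)"

# Input chain = traffic addressed to the router itself. Order matters.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="keep existing sessions"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept src-address-list=admin comment="admin hosts: full access to the router"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,123 comment="LAN: DNS and NTP only"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="LAN: DNS over TCP"
add chain=input action=drop comment="drop all else"
```

Apply rules like these in Safe Mode from a host that is already on the admin list, so a mistake in the list is rolled back instead of locking you out of the switch.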
