TheFz
just joined
Topic Author
Posts: 5
Joined: Fri Aug 27, 2021 11:39 am

Suggested VLAN configuration

Fri Aug 27, 2021 11:46 am

Hello everyone

I just got an RB260GS and I am looking for some suggestions on how to configure VLANs.
I understand how they work and I have read the examples at https://wiki.mikrotik.com/wiki/SwOS/RB2 ... AN-Example but I have a hard time with MikroTik's way of configuring things.

The RB260GS is linked to an HAP AC2 which serves as a firewall before the ISP router.
What I would like to achieve is this:

- one port is for management, no VLAN
- one port goes upstream to the firewall
- one port is for a restricted VLAN that only gets forwarded upstream to the firewall and not to other ports
- one port is a management VLAN that spans all the ports

Also, is there any configuration needed upstream in the HAP AC2? From what I gather I could strip all the headers before sending them to the firewall but I am not clear about this.

Thanks everyone.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Suggested VLAN configuration

Fri Aug 27, 2021 7:36 pm

Your description of what you want is a little odd, but let's go with that. I don't really understand what you mean by having one port as Management, but another port that is a Management VLAN that spans all ports.
I have posted a couple of screen captures of my CSS106. I included a link to the photos in addition to the capture because the source is not a secure website and recent versions of Google Chrome will not embed an image from a non-secure website into a secure webpage (and this forum is secured).

I'm going to describe what I am using this switch for, and you can see how I have it configured. Ports 1 & 2 are WiFi access points that use an untagged port for online configuration, and each SSID is mapped to one VLAN. I am sending every VLAN that MIGHT be used on that access point, and let the AP decide which ones to do anything with depending on the configuration of the AP. You can see that there is one VLAN on each one that is set to "Always strip" to provide that AP with the required untagged access for configuration. Each of the APs was actually only using four SSIDs and therefore four VLANs in addition to the untagged LAN.

Ports 3, 4, & 5 are plain untagged devices so the VLAN for those is set to "always strip" for the one VLAN used for those devices.

Port 6 (the SFP) is a trunk to the upstream switch. The trunk port to the firewall is the easiest part. Add all the VLANs to the trunk port. On the VLAN tab, the trunk is set to "only tagged" and Egress is set to "add if missing". My opinion is that the trunk should be all VLAN tagged and not a hybrid.

Management access can be limited on the System tab.

The upstream switch (in my case a CSS326) is set similarly. Since you will be having the RB260GS connected to a hAP AC2, the trunk port on the router will need to be set up so that whatever VLANs are needed on the switch will be there. I assume you will have that as part of a bridge and I have never set up a bridge in RouterOS, so I can't help you with that part of the configuration.


http://extraphotos.info/mikrotik/CSS106-System.PNG
http://extraphotos.info/mikrotik/CSS106-VLAN.PNG
http://extraphotos.info/mikrotik/CSS106-VLANs.PNG
 
TheFz
just joined
Topic Author
Posts: 5
Joined: Fri Aug 27, 2021 11:39 am

Re: Suggested VLAN configuration

Mon Aug 30, 2021 9:30 pm

> Your description of what you want is a little odd, but let's go with that. I don't really understand what you mean by having one port as Management, but another port that is a Management VLAN that spans all ports.

Yes, reading my post again, I realize it's quite confusing.
What I mean is: on the switch I label only one port from which management of the switch is allowed and enforce that via configuration, so that no device on any other port is allowed to the Web UI.
With "management VLAN" I mean one VLAN that gets traffic in and from all the other ports.
Your examples and explanation are very useful and I cannot thank you more.
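
An added example, not part of any post in this thread and not MikroTik code: a simplified Python model of the settings k6ccc describes ("only tagged", "add if missing", "always strip") that checks a VLAN membership table against TheFz's requirement that the restricted port reaches only the uplink. The port names, VLAN IDs 10 and 99, the "only untagged" receive setting and the strict membership check are assumptions.

```python
# Simplified model of a VLAN-aware switch (assumption: strict membership
# checks; this is not SwOS code). Port names and VLAN IDs are constructed.
PORTS = {
    "uplink":     {"receive": "only tagged",   "default_vlan": None, "egress": "add if missing"},
    "restricted": {"receive": "only untagged", "default_vlan": 10,   "egress": "always strip"},
    "mgmt-a":     {"receive": "only untagged", "default_vlan": 99,   "egress": "always strip"},
    "mgmt-b":     {"receive": "only untagged", "default_vlan": 99,   "egress": "always strip"},
}
GOOD_VLANS = {10: {"uplink", "restricted"}, 99: {"uplink", "mgmt-a", "mgmt-b"}}
# Constructed mistake: a management port left in the restricted VLAN.
BAD_VLANS = {10: {"uplink", "restricted", "mgmt-a"}, 99: {"uplink", "mgmt-a", "mgmt-b"}}
# Intended policy: which ports may receive frames that enter on each port.
POLICY = {
    "restricted": {"uplink"},
    "mgmt-a": {"uplink", "mgmt-b"},
    "mgmt-b": {"uplink", "mgmt-a"},
}

def forward(vlans, in_port, tag=None):
    """Return {out_port: tag_on_wire}; tag_on_wire is None for untagged."""
    cfg = PORTS[in_port]
    if tag is None and cfg["receive"] == "only tagged":
        return {}  # trunk refuses untagged frames
    if tag is not None and cfg["receive"] == "only untagged":
        return {}  # access port refuses frames that arrive already tagged
    vid = cfg["default_vlan"] if tag is None else tag
    members = vlans.get(vid, set())
    if in_port not in members:
        return {}  # ingress port is not a member of this VLAN
    out = {}
    for port in members - {in_port}:
        out[port] = None if PORTS[port]["egress"] == "always strip" else vid
    return out

def audit(vlans, policy=POLICY):
    """List (in_port, out_port) pairs the VLAN table allows but policy does not."""
    violations = []
    for in_port, allowed in policy.items():
        reached = set(forward(vlans, in_port))
        violations += [(in_port, p) for p in sorted(reached - allowed)]
    return violations

if __name__ == "__main__":
    print("good table:", audit(GOOD_VLANS))
    print("bad table: ", audit(BAD_VLANS))
```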
