dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

How to configure a network with VLANs, apartment building

Sun Nov 06, 2022 10:12 pm

So, I got this task that seems a bit over my head, since I'm not used to working with VLANs, but there is always a chance to learn something new.

I'm helping a friend who built a house with 8 apartments and the main space, so 9 in total. Each of those apartments has 4 LAN sockets and all the cables end in a much, much too small cabinet on the main floor (I was not part of the build process): https://i.ibb.co/b6Hqy4H/20221106-174307-1.jpg

So now I'm going to install a switch in the main cabinet. For a start, a CRS326-24G-2S+IN (and afterwards add another one as needed). For now this building does not have its own internet access (but there is a fiber cable left from outside to the main cabinet for later) but relies on the internet I provided through 4 SXTsq 5 ac antennas and a passive 4-port PoE switch in the middle (no visible line). The main router at the remote location for now is still a HAP AC2 and the internet speed is 500/50.

My question now is, what would be the best way to separate all those apartments into their own networks (isolate them from each other), so that each apartment would have all 4 ports connected as one network and internet would be provided by the main router HAP AC2. Also, where should I put queues to limit each apartment to, let's say, 30/10 internet for a start?

1 of those 9 apartments can have access to the network of the HAP AC2; the others should not have access to the main router and its network.

Suggestions? Thank you.
 
smyers119
Member Candidate
Posts: 232
Joined: Sat Feb 27, 2021 8:16 pm
Location: USA

Re: How to configure a network with VLANs, apartment building

Mon Nov 07, 2022 2:35 pm

Have you already referenced the official resources? If so, what specifically do you need help with?
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: How to configure a network with VLANs, apartment building

Thu Nov 17, 2022 1:54 pm

Have you already referenced the official resources? If so, what specifically do you need help with?

Yes, I looked at those. In the meantime I somehow managed to separate ports into VLANs in Bridge - VLAN, so that ether1 and SFP2 are uplink ports, and then VLAN90 for ether24 and 23, VLAN80 for ether22 and 21, etc. Then I added a PVID to each port in Bridge - Ports and enabled VLAN filtering on the bridge. I think that this is all I need to set up on the switch (running RouterOS); if I'm wrong, please correct me.
/interface bridge
add admin-mac=18:FD:74:9C:AE:C8 auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13 pvid=40
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14 pvid=40
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15 pvid=50
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16 pvid=50
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17 pvid=60
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18 pvid=60
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19 pvid=70
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20 pvid=70
add bridge=bridge comment=defconf ingress-filtering=no interface=ether21 pvid=80
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22 pvid=80
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23 pvid=90
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24 pvid=90
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2
and
/interface bridge vlan
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether24,ether23 vlan-ids=90
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether22,ether21 vlan-ids=80
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether20,ether19 vlan-ids=70
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether18,ether17 vlan-ids=60
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether16,ether15 vlan-ids=50
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether14,ether13 vlan-ids=40
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether12,ether11 vlan-ids=30
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether10,ether9 vlan-ids=20
Then I added VLANs on the ether4 port on the router, set IP addresses and a DHCP server on the VLANs. Added the VLANs to the LAN list, so that internet started working, and blocked access to my main bridge in the firewall. Now I must find a way to separate those VLANs between themselves, without adding a firewall rule for each VLAN against the others, because that would make a lot of rules.

Also, is it normal that even if I drop traffic to the main bridge, I can still access my router on its main IP address, but not any other device behind my home bridge? I'm guessing this is normal behaviour.

Queues on VLANs (set on the main router) work without problems when I disable FastTrack.

So this now works in a direct connection. In reality the main router will be at one location, then internet and VLANs must pass two wireless bridges (SXTsq 5 ac) with a dumb switch in between to get to the CRS326-24G-2S+IN. I'm hoping that no additional configuration is needed on the wireless bridges for VLANs.


EDIT: So I added this to the firewall rules:
/ip firewall filter
add action=drop chain=forward comment="Drop traffic between VLANs and Bridge" in-interface-list=VLANs_Firewall_drop \
    out-interface=bridge
add action=drop chain=forward comment="Drop traffic between VLANs" in-interface-list=VLANs_Firewall_drop out-interface-list=\
    VLANs_Firewall_drop
and this to the interface list:
/interface list member
add interface=vlan30 list=VLANs_Firewall_drop
add interface=vlan40 list=VLANs_Firewall_drop
add interface=vlan50 list=VLANs_Firewall_drop
add interface=vlan60 list=VLANs_Firewall_drop
add interface=vlan70 list=VLANs_Firewall_drop
add interface=vlan80 list=VLANs_Firewall_drop
add interface=vlan90 list=VLANs_Firewall_drop
Will this be OK?
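An added consistency check for the bridge export above, not from the thread: a Python review script rather than RouterOS config, and the `add` lines inside it are a constructed excerpt in the same export shape, not the poster's full config. It flags ports whose PVID has no bridge vlan entry (a port with no explicit pvid keeps the RouterOS default of 1, so all such ports share one untagged VLAN), ports listed as untagged members without a matching pvid, and VLAN interfaces absent from the firewall drop interface list, so the list can be compared against which apartment is meant to keep access.

```python
import re
# Constructed excerpt in the export shape of the thread's bridge port / bridge vlan
# sections (not the poster's full config): ether2 has no pvid, ether12 is not a port.
BRIDGE_PORTS = """\
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether9 pvid=20
add bridge=bridge interface=ether10 pvid=20
add bridge=bridge interface=ether11 pvid=30
add bridge=bridge interface=sfp-sfpplus2
"""
BRIDGE_VLANS = """\
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether10,ether9 vlan-ids=20
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether12,ether11 vlan-ids=30
"""
DROP_LIST = {"vlan30"}  # constructed: VLAN interfaces in the router's drop list


def parse_kv(line):
    # Turn an export line 'add key=value key=value' into a dict.
    return dict(re.findall(r"(\S+?)=(\S+)", line))


def audit(ports_text, vlans_text, drop_list):
    """Return sorted findings that break per-port isolation or leave a VLAN unfiltered."""
    pvid = {}  # bridge port -> PVID; RouterOS uses 1 when none is set
    for line in ports_text.splitlines():
        if line.startswith("add "):
            kv = parse_kv(line)
            pvid[kv["interface"]] = int(kv.get("pvid", "1"))
    vlans, trunks = {}, set()  # vid -> untagged members; ports tagged in any VLAN
    for line in vlans_text.splitlines():
        if line.startswith("add "):
            kv = parse_kv(line)
            vlans[int(kv["vlan-ids"])] = set(kv.get("untagged", "").split(",")) - {""}
            trunks |= set(kv.get("tagged", "").split(",")) - {""}
    findings = []
    for port, vid in pvid.items():
        if port in trunks:
            continue  # trunks are judged by their tagged membership, not PVID
        if vid not in vlans:
            findings.append(f"{port}: pvid {vid} has no vlan entry, shares default VLAN {vid}")
        elif port not in vlans[vid]:
            findings.append(f"{port}: pvid {vid} but not an untagged member of VLAN {vid}")
    for vid, members in vlans.items():
        for port in members:
            if pvid.get(port) != vid:
                findings.append(f"{port}: untagged in VLAN {vid} but its pvid is {pvid.get(port)}")
        if f"vlan{vid}" not in drop_list:
            findings.append(f"vlan{vid}: not in the firewall drop interface list")
    return sorted(findings)
```

Paste the real `/interface bridge port` and `/interface bridge vlan` sections from an export into the two strings and the interface list members into `DROP_LIST` to run it against the actual switch.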
