foraster
just joined
Topic Author
Posts: 10
Joined: Tue Oct 01, 2019 5:31 pm

Help separating vlans for iot and smart-tvs

Wed Oct 09, 2019 12:46 pm

Hi everyone,

I have upgraded my network equipment and replaced my old home wireless router and access point with two mikrotik HAP AC2. One acts as the main router, connecting to the internet, and the second HAP AC2 has been configured as a basic AP in the same subnet. The connection between them is a gigabit ethernet link.
The internet connection is tagged with the provider assigned VLAN, which is already done.
Basic configuration is working great, the wlans are configured with different ssids for the 2.4GHz and 5GHz bands and wifi coverage is great, with even more performance than with the old routers.

Now I want to migrate my IOT and smart-tv&speakers to separate VLANs, something like other users do nowadays as our home networks keep growing.

I guess that I have to (almost) duplicate the bridge, wlan and VLAN configuration on both HAP AC2s, then reconfigure the ethernet link between them with a "trunk" port on each router (switch).

The topology and architecture that I have in mind is this:
topology vlans ok.png
Each VLAN would be in a different subnet, then I would go with firewall rules to let some devices connect to the IOT devices.

Is it right?

What would be the right order for configuring both HAPs without losing total connectivity with the home control system, iot devices and smarttvs?
To reduce the number of devices to reconfigure I'd like to keep the IOT devices (15+) in the existing subnetwork 192.168.0.0/24, creating new subnets and VLANs for the other devices.

Could you point me to some tutorial with a similar topology?

Thanks in advance
 
foraster
just joined
Topic Author
Posts: 10
Joined: Tue Oct 01, 2019 5:31 pm

Re: Help separating vlans for iot and smart-tvs

Sat Oct 12, 2019 1:13 am

After a couple of days trying some configurations and reading tutorials like this one: viewtopic.php?f=13&t=143620
I can't make the dhcp servers associated with the vlans assign any IP address. Any idea what I can try? I created a bridge and the vlans associated with the wlans are in the bridge.
Each vlan has an IP address assigned.
 
anav
Forum Guru
Posts: 2968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help separating vlans for iot and smart-tvs

Sat Oct 12, 2019 5:37 am

I have a similar setup with capACs, works fine. Will try to post something tomorrow that should help.
Just to be clear, your hapacs have four available networks, or two available networks and the second 2.4GHz and second 5GHz wifi networks are actually virtual?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
foraster
just joined
Topic Author
Posts: 10
Joined: Tue Oct 01, 2019 5:31 pm

Re: Help separating vlans for iot and smart-tvs

Sat Oct 12, 2019 10:50 am

Thanks for your reply, I'd appreciate it if you can show some working example. Following the tutorial stated before I can't make it work.

To clarify, I'm trying to configure an AP and a virtual AP for each band (2.4 and 5 GHz) on the HAP AC2s
 
xvo
Member
Posts: 420
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Help separating vlans for iot and smart-tvs

Sat Oct 12, 2019 11:52 am

In most of the cases when the DHCP server doesn't work on vlans after initial configuration, the reason is that somebody forgets to add the bridge itself as a tagged member of all needed vlans, and as a result all vlan-interfaces configured on that bridge are actually not connected anywhere.
 
anav
Forum Guru
Posts: 2968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help separating vlans for iot and smart-tvs

Sat Oct 12, 2019 11:33 pm

Suggest you post a working config for review.
/export hide-sensitive file=yourconfig

(also delete any WANIPs and gateway addresses, and any WIFI passwords etc.......)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
foraster
just joined
Topic Author
Posts: 10
Joined: Tue Oct 01, 2019 5:31 pm

Re: Help separating vlans for iot and smart-tvs

Mon Oct 14, 2019 9:58 pm

In most of the cases when the DHCP server doesn't work on vlans after initial configuration, the reason is that somebody forgets to add the bridge itself as a tagged member of all needed vlans, and as a result all vlan-interfaces configured on that bridge are actually not connected anywhere.
Thanks for the reply. I double-checked (actually checked it five times, until I found the "Safe Mode" in WinBox) and I guess that the Bridge is a tagged member of all vlans.
 
xvo
Member
Posts: 420
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Help separating vlans for iot and smart-tvs

Mon Oct 14, 2019 10:05 pm

In order to stop guessing post your:
/export hide-sensitive
 
foraster
just joined
Topic Author
Posts: 10
Joined: Tue Oct 01, 2019 5:31 pm

Re: Help separating vlans for iot and smart-tvs

Mon Oct 14, 2019 10:31 pm

Suggest you post a working config for review.
/export hide-sensitive file=yourconfig

(also delete any WANIPs and gateway addresses, and any WIFI passwords etc.......)

I maintained the original config, with the bridge "BR_original".
When I move some of the interfaces to the new bridge "BR1" I can ping the VLAN IPs that I assigned (192.168.10.1, 192.168.20.1, ...) from a client connected to wlan1, but wireless clients get no address from the corresponding dhcp-server. Setting a static ip address and connecting to wlan2 is not routing anything.
I wish someone could help with this issue...

Please find the exported configuration below:
# oct/14/2019 21:03:23 by RouterOS 6.44.5
# software id = T6D5-IK67
#
# model = RBD52G-5HacD2HnD
/interface bridge
add comment=Bridge1 name=BR1 protocol-mode=none vlan-filtering=yes
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=BR_original \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] mac-address=xx:xx:xx:xx:xx:xx name=\
    ether1-gateway
set [ find default-name=ether4 ] name=ether4-trunk
/interface vlan
add interface=BR1 name=VLAN_BASE vlan-id=99
add interface=BR1 name=VLAN_HOME vlan-id=10
add interface=BR1 name=VLAN_IOT vlan-id=30
add interface=BR1 name=VLAN_SMART vlan-id=20
add interface=ether1-gateway name=vlan24-internet vlan-id=24
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=\
    vlan24-internet keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=\
    pppoe-out-fiber use-peer-dns=yes user=xxxxxxxxxxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=home supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=HOME2 supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=homeiot supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=HOME2tv supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n comment=\
    "wlan1 = HOME (2.4 GHz)" disabled=no distance=indoors \
    frequency-mode=regulatory-domain mode=ap-bridge security-profile=home \
    ssid=HOME wireless-protocol=802.11 wps-mode=disabled
add comment="wlan1.1 = HOMEIOT (2.4 GHz)" disabled=no hide-ssid=yes \
    keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx master-interface=\
    wlan1 multicast-buffering=disabled name=wlan1.1 ssid=HOMEIOT \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX comment="wlan2 = HOME2 (5 GHz)" \
     disabled=no distance=indoors frequency=auto frequency-mode=\
    regulatory-domain mode=ap-bridge security-profile=HOME2 ssid=\
    HOME2 wireless-protocol=802.11 wps-mode=disabled
add comment="wlan2.1 = HOMESMART (5 GHz)" disabled=no hide-ssid=yes \
    keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx master-interface=\
    wlan2 multicast-buffering=disabled name=wlan2.1 security-profile=\
    HOME2smart ssid=HOMESMART wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
/interface wireless manual-tx-power-table
set wlan1 comment="wlan1 = HOME (2.4 GHz)"
set wlan1.1 comment="wlan1.1 = HOMEIOT (2.4 GHz)"
set wlan2 comment="wlan2 = HOME2 (5 GHz)"
set wlan2.1 comment="wlan2.1 = HOMESMART (5 GHz)"
/interface wireless nstreme
set wlan1 comment="wlan1 = HOME (2.4 GHz)"
set wlan1.1 comment="wlan1.1 = HOMEIOT (2.4 GHz)"
set wlan2 comment="wlan2 = HOME2 (5 GHz)"
set wlan2.1 comment="wlan2.1 = HOMESMART (5 GHz)"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip pool
add name=dhcp-home ranges=192.168.0.110-192.168.0.190
add name=POOL_HOME ranges=192.168.10.200-192.168.10.254
add name=POOL_SMART ranges=192.168.20.200-192.168.20.254
add name=POOL_IOT ranges=192.168.30.200-192.168.30.254
add name=POOL_BASE ranges=192.168.99.200-192.168.99.220
/ip dhcp-server
add address-pool=dhcp-home disabled=no interface=BR_original name=\
    dhcp-server-home
add address-pool=POOL_HOME disabled=no interface=VLAN_HOME name=DHCP_HOME
add address-pool=POOL_SMART disabled=no interface=VLAN_SMART name=DHCP_SMART
add address-pool=POOL_IOT disabled=no interface=VLAN_IOT name=DHCP_IOT
add address-pool=POOL_BASE disabled=no interface=VLAN_BASE name=DHCP_BASE

/interface bridge port
add bridge=BR_original comment=defconf interface=ether2
add bridge=BR_original comment=defconf interface=ether3
add bridge=BR_original comment=defconf interface=ether4-trunk
add bridge=BR1 comment="MNGMT VLAN99" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=99
add bridge=BR_original comment=defconf interface=wlan1
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1.1 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2.1 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=BR1 tagged=ether4-trunk untagged=wlan2 vlan-ids=10
add bridge=BR1 tagged=ether4-trunk untagged=wlan2.1 vlan-ids=20
add bridge=BR1 tagged=ether4-trunk untagged=wlan1.1 vlan-ids=30
add bridge=BR1 tagged=BR1 untagged=ether5 vlan-ids=99
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec_vpn enabled=yes
/interface list member
add comment=defconf interface=BR_original list=LAN
add comment=defconf interface=pppoe-out-fiber list=WAN
add disabled=yes list=WAN
add interface=VLAN_BASE list=VLAN
add interface=VLAN_HOME list=VLAN
add interface=VLAN_SMART list=VLAN
add interface=VLAN_IOT list=VLAN
add interface=VLAN_BASE list=BASE
/ip address
add address=192.168.0.1/24 interface=BR_original network=192.168.0.0
add address=192.168.99.1/24 interface=VLAN_BASE network=192.168.99.0
add address=192.168.10.1/24 interface=VLAN_HOME network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN_SMART network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN_IOT network=192.168.30.0

/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.99.1 gateway=192.168.30.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall address-list
add address=192.168.2.0/24 list=LAN-home
add address=192.168.0.0/24 list=LAN-IOT
add address=a6470abe9f63.sn.mynetname.net list=WAN_IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=VLAN_BASE
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "defconf: masquerade (MASQ srcnat TO WAN(INTERNET) )" ipsec-policy=\
    out,none out-interface-list=WAN

/system identity
set name=MikroTik1
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
foraster
just joined
Topic Author
Posts: 10
Joined: Tue Oct 01, 2019 5:31 pm

Re: Help separating vlans for iot and smart-tvs

Mon Oct 14, 2019 10:32 pm

In order to stop guessing post your:
/export hide-sensitive
Done
 
mkx
Forum Guru
Posts: 2948
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help separating vlans for iot and smart-tvs

Mon Oct 14, 2019 10:43 pm

Bridge BR1 is tagged member only of VLAN 99 ... but should be tagged member of all VLANs which have their corresponding vlan interface (10, 20 and 30).
BR,
Metod
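The check mkx and xvo describe (every VLAN interface on a VLAN-filtering bridge needs the bridge itself as a tagged member of that VLAN) can be automated over an `/export` before a change is applied. The following is an added example, not code from the thread or from MikroTik: the embedded export is a constructed subset of foraster's posted config with the bug intact, and `parse_export` / `find_unreachable_vlan_interfaces` are assumed helper names.

```python
import re
import shlex

# Constructed sample: the relevant sections of the posted export, bug intact
# (BR1 is a tagged member of VLAN 99 only, although VLAN_HOME/SMART/IOT sit on it).
SAMPLE_EXPORT = """\
/interface vlan
add interface=BR1 name=VLAN_BASE vlan-id=99
add interface=BR1 name=VLAN_HOME vlan-id=10
add interface=BR1 name=VLAN_IOT vlan-id=30
add interface=BR1 name=VLAN_SMART vlan-id=20
add interface=ether1-gateway name=vlan24-internet vlan-id=24
/interface bridge vlan
add bridge=BR1 tagged=ether4-trunk untagged=wlan2 vlan-ids=10
add bridge=BR1 tagged=ether4-trunk untagged=wlan2.1 vlan-ids=20
add bridge=BR1 tagged=ether4-trunk untagged=wlan1.1 vlan-ids=30
add bridge=BR1 tagged=BR1 untagged=ether5 vlan-ids=99
"""
# Same export with mkx's fix applied: the bridge is also tagged on VLANs 10, 20 and 30.
FIXED_EXPORT = SAMPLE_EXPORT.replace("tagged=ether4-trunk ", "tagged=ether4-trunk,BR1 ")


def parse_export(text):
    """Map each '/section' header to a list of {key: value} dicts, one per 'add' line."""
    joined = re.sub(r"\\\n\s*", "", text)  # undo RouterOS line wrapping (trailing backslash)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:  # 'set' lines are not needed for this check
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            sections[current].append(dict(pairs))
    return sections


def find_unreachable_vlan_interfaces(text):
    """Return (name, vlan-id) of VLAN interfaces whose bridge is not a tagged member of that VLAN."""
    # Such an interface never sees its VLAN's frames, so its IP and DHCP server are unreachable.
    sections = parse_export(text)
    tagged = {}  # (bridge, vlan-id) -> set of tagged member ports
    for entry in sections.get("/interface bridge vlan", []):
        for vid in entry["vlan-ids"].split(","):  # ranges such as "10-20" are not expanded here
            tagged.setdefault((entry["bridge"], vid), set()).update(entry.get("tagged", "").split(","))
    bridges = {bridge for bridge, _ in tagged}
    problems = []
    for entry in sections.get("/interface vlan", []):
        bridge, vid = entry["interface"], entry["vlan-id"]
        # VLANs on a non-bridge parent (vlan24-internet on ether1-gateway) are out of scope
        if bridge in bridges and bridge not in tagged.get((bridge, vid), set()):
            problems.append((entry["name"], vid))
    return problems
```

Running it on the sample reports VLAN_HOME, VLAN_IOT and VLAN_SMART and nothing on the fixed export; the same function can be pointed at `/export hide-sensitive` output from any RouterOS box.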
 
foraster
just joined
Topic Author
Posts: 10
Joined: Tue Oct 01, 2019 5:31 pm

Re: Help separating vlans for iot and smart-tvs

Mon Oct 14, 2019 10:52 pm

Bridge BR1 is tagged member only of VLAN 99 ... but should be tagged member of all VLANs which have their corresponding vlan interface (10, 20 and 30).
Thank you very much, with all the try-edit-and-change cycles I thought I had tagged it.

Now it's working:
BR1_vlan.png
 
xvo
Member
Posts: 420
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Help separating vlans for iot and smart-tvs

Mon Oct 14, 2019 11:12 pm

Told ya! :)
 
foraster
just joined
Topic Author
Posts: 10
Joined: Tue Oct 01, 2019 5:31 pm

Re: Help separating vlans for iot and smart-tvs

Mon Oct 14, 2019 11:16 pm

Told ya! :)
My fault! I promise I tagged it at least once!

Thanks for your help.

Now I'm reviewing the second Hap AC2. Probably I'll come back with other questions.
 
xvo
Member
Posts: 420
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Help separating vlans for iot and smart-tvs

Mon Oct 14, 2019 11:28 pm

The second should not be a problem:
+1 local port to add to the bridge;
-1 wan port and everything related to connecting to the outside world;
-all dhcp servers;
+1 dhcp client on one of the vlan-interfaces (on this device it is actually ok if the bridge is a tagged member for only one vlan - to have access to the device itself).
