appeltert
just joined
Topic Author
Posts: 10
Joined: Fri Nov 12, 2021 12:10 pm

RB750Gr3 Vlan scenario advice

Fri Nov 12, 2021 12:17 pm

Hello there,

I'm quite new to ROS so not sure how to go about this following issue:

I've got a RB750Gr3 device that needs to do the following:
Port 1: Should be able to communicate with Port 2, 3 & 4 but not port 5
Port 5: Should be able to communicate with Port 2, 3 & 4 but not port 1

The reason being is I have cameras on Ports 2, 3 & 4 that need to go to the Security Company (Port 1) but the client himself would also like to see his cameras (Port 5).

I don't want anyone to do the work for me. I've got a test unit to play around with. Would just like to know how to go about this as the VLAN on ROS seems rather foreign to me.

Kind regards,

Appeltert
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: RB750Gr3 Vlan scenario advice

Wed Nov 17, 2021 2:58 am

Good Morning,

If you want to learn about MikroTik and VLANs,
I recommend the Forum-Bible -->> viewtopic.php?t=143620

But I am not sure if VLAN will solve your problem...
We need more information about your network.

Is the RB750 the only network device?
Are you already using VLANs in your network?
Where does ether1 (port1) connect to?
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB750Gr3 Vlan scenario advice

Wed Nov 17, 2021 10:10 am

You can get this done using bridge packet filters (use in-interface and out-interface properties ... or in-interface-list / out-interface-list). It only works if HW offload is disabled, so expect higher CPU utilization. Device should be able to do it wirespeed if it's not performing too many other tasks.
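
The bridge-filter approach described in the post above, as an added example that is not part of the original thread. It assumes all five ports are members of one bridge and share a subnet; the bridge name `bridge-cam` is hypothetical.

```routeros
# Added example. Bridge name "bridge-cam" is hypothetical.
/interface bridge
add name=bridge-cam

# hw=no disables hardware offload per port, so frames pass through the CPU
# where bridge filter rules are evaluated (offloaded frames bypass them).
/interface bridge port
add bridge=bridge-cam interface=ether1 hw=no
add bridge=bridge-cam interface=ether2 hw=no
add bridge=bridge-cam interface=ether3 hw=no
add bridge=bridge-cam interface=ether4 hw=no
add bridge=bridge-cam interface=ether5 hw=no

# Block the one forbidden path in both directions. Everything else on the
# bridge (ports 2-4 to port 1, ports 2-4 to port 5) keeps being switched.
/interface bridge filter
add chain=forward in-interface=ether1 out-interface=ether5 action=drop \
    comment="security company -> client"
add chain=forward in-interface=ether5 out-interface=ether1 action=drop \
    comment="client -> security company"

# Check 1: no port may show the H (hw-offload) flag.
/interface bridge port print
# Check 2: the packet counters on the drop rules should rise when port 1
# and port 5 try to reach each other.
/interface bridge filter print stats
```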
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB750Gr3 Vlan scenario advice

Wed Nov 17, 2021 5:06 pm

Easy peasy

VLAN 10 is assigned to ports 2,3,4
Vlan 11 is assigned to port 1
vlan12 is assigned to port 5

firewall rules forward chain
allow vlan11 access to vlan10
allow vlan12 access to vlan10
Drop all else.

Would need to know what is physically attached on each port.
If it's a PC (dumb device) it gets a pvid number of the valid vlan (access port)
If it's a Switch (managed device) it does not (trunk port)

For example below let's say each goes to a PC.

/interface bridge
add name=bridgehome
/interface bridge port
add bridge=bridgehome interface=ether1 pvid=11
add bridge=bridgehome interface=ether2 pvid=10
add bridge=bridgehome interface=ether3 pvid=10
add bridge=bridgehome interface=ether4 pvid=10
add bridge=bridgehome interface=ether5 pvid=12

/interface bridge vlan
add bridge=bridgehome untagged=ether1 vlan-ids=11
add bridge=bridgehome untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=bridgehome untagged=ether5 vlan-ids=12
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB750Gr3 Vlan scenario advice

Wed Nov 17, 2021 7:34 pm

> Easy peasy

What if @OP wants to have same IP subnet on all involved ports (e.g. because management SW expects cameras to reside in same broadcast domain), he just wants to block certain communication paths?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB750Gr3 Vlan scenario advice

Wed Nov 17, 2021 7:54 pm

>> Easy peasy
>
> What if @OP wants to have same IP subnet on all involved ports (e.g. because management SW expects cameras to reside in same broadcast domain), he just wants to block certain communication paths?

I reread what was posted, and it is not clear whether the cameras need to be able to send information unsolicited to the security company or the security company needs access to the cameras.
My firewall rules assume the latter.

What you have stated may be true but at a level lower than perhaps the OP imagined need be considered. Let's wait and see.
 
appeltert
just joined
Topic Author
Posts: 10
Joined: Fri Nov 12, 2021 12:10 pm

Re: RB750Gr3 Vlan scenario advice

Tue Nov 23, 2021 2:08 pm

> Easy peasy
>
> VLAN 10 is assigned to ports 2,3,4
> Vlan 11 is assigned to port 1
> vlan12 is assigned to port 5
>
> firewall rules forward chain
> allow vlan11 access to vlan10
> allow vlan12 access to vlan10
> Drop all else.
>
> Would need to know what is physically attached on each port.
> If it's a PC (dumb device) it gets a pvid number of the valid vlan (access port)
> If it's a Switch (managed device) it does not (trunk port)
>
> For example below let's say each goes to a PC.
>
> /interface bridge
> add name=bridgehome
> /interface bridge port
> add bridge=bridgehome interface=ether1 pvid=11
> add bridge=bridgehome interface=ether2 pvid=10
> add bridge=bridgehome interface=ether3 pvid=10
> add bridge=bridgehome interface=ether4 pvid=10
> add bridge=bridgehome interface=ether5 pvid=12
>
> /interface bridge vlan
> add bridge=bridgehome untagged=ether1 vlan-ids=11
> add bridge=bridgehome untagged=ether2,ether3,ether4 vlan-ids=10
> add bridge=bridgehome untagged=ether5 vlan-ids=12

Hi, thanks for the reply.

Got everything set up like this, but I'm struggling with the Firewall filters on the VLAN IDs. Not sure where to find the VLAN ID list. If you can point me in the right direction.

*Edit. To be more clear, I set up the VLANs, Bridge etc. It's only the Firewall Rules I'm not getting right.
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: RB750Gr3 Vlan scenario advice

Tue Nov 23, 2021 3:24 pm

> Got everything set up like this, but I'm struggling with the Firewall filters on the VLAN IDs. Not sure where to find the VLAN ID list. If you can point me in the right direction.

Think of it as the VLAN interfaces rather than the IDs. You can firewall on the in and out interfaces or even interface lists if you want to.
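
Firewalling on VLAN interfaces as described above, written out as an added example that is not a config posted in the thread. It assumes the `bridgehome` bridge, ports and bridge VLAN entries from the earlier post already exist; the VLAN interface names and the 192.168.x.1/24 addresses are constructed for illustration.

```routeros
# Added example. Interface names and addresses below are constructed.

# Make the bridge itself a tagged member of each VLAN, otherwise the
# CPU-side VLAN interfaces never see the traffic once filtering is on.
/interface bridge vlan
set [find bridge=bridgehome] tagged=bridgehome

# One routed interface per VLAN; these are what the firewall matches on.
/interface vlan
add name=vlan10-cameras interface=bridgehome vlan-id=10
add name=vlan11-security interface=bridgehome vlan-id=11
add name=vlan12-client interface=bridgehome vlan-id=12

# The cameras must use 192.168.10.1 as gateway so replies route back.
/ip address
add address=192.168.10.1/24 interface=vlan10-cameras
add address=192.168.11.1/24 interface=vlan11-security
add address=192.168.12.1/24 interface=vlan12-client

# Forward chain: viewers may open connections to the cameras, replies are
# allowed back, everything else (including vlan11 <-> vlan12) is dropped.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies to allowed connections"
add chain=forward action=accept in-interface=vlan11-security \
    out-interface=vlan10-cameras comment="security company -> cameras"
add chain=forward action=accept in-interface=vlan12-client \
    out-interface=vlan10-cameras comment="client -> cameras"
add chain=forward action=drop comment="drop all else"

# Enable VLAN filtering last; a mistake above can cut off management access.
/interface bridge
set bridgehome vlan-filtering=yes
```

These rules only let the viewers initiate connections; cameras that must push to the security company unsolicited would need an additional accept rule in that direction.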
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB750Gr3 Vlan scenario advice

Tue Nov 23, 2021 3:45 pm

Please post your config
/export hide-sensitive file=anynameyouwish
 
appeltert
just joined
Topic Author
Posts: 10
Joined: Fri Nov 12, 2021 12:10 pm

Re: RB750Gr3 Vlan scenario advice

Fri Nov 26, 2021 2:01 pm

>> Got everything set up like this, but I'm struggling with the Firewall filters on the VLAN IDs. Not sure where to find the VLAN ID list. If you can point me in the right direction.
>
> Think of it as the VLAN interfaces rather than the IDs. You can firewall on the in and out interfaces or even interface lists if you want to.

Thank you, managed to get it right. Works like a charm on the test bench.
 
appeltert
just joined
Topic Author
Posts: 10
Joined: Fri Nov 12, 2021 12:10 pm

Re: RB750Gr3 Vlan scenario advice

Fri Nov 26, 2021 2:02 pm

> Please post your config
> /export hide-sensitive file=anynameyouwish

Got it right. Thanks for your help!
