GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Help on designing Mikrotik network

Fri Nov 19, 2021 2:36 pm

Hi, my goal is to cable the offices of a building consisting of 3 floors. Small offices will be rented to companies, and the offices of each company should be located in their own ethernet broadcast domain, to avoid, for example, looking at the neighbours' computer files or printing on others' printers.
Please have a look at the scheme:
Image

I suppose this structure is quite common, and it may be easy to get a solution, but let me be sure please before buying devices.

The red rectangles are the smart switches/routers placed on every floor; they should have 24 ports. These devices are connected together by a smaller switch (blue circle), connected to the internet gateway (pink arrow). Eventually the internet may arrive and be connected to one port of the red switches; it's not clear yet.
Rooms are connected to the switches; for each room (in the scheme the violet, yellow, orange and blue items) there may be 2-3 plugs and they should be in the same broadcast domain. We may suppose the same company rents another office on another floor (yellow plugs), so it should be possible to extend the broadcast domain to it through the switches.
On each floor there should be a WiFi hotspot, connected to the switch, managed by CAPsMAN, preferably sending an SSID for each company, broadcasting the same ethernet domain.
On each floor one or more IP cameras.
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on designing Mikrotik network

Fri Nov 19, 2021 2:37 pm

I admit I've never configured VLANs on MikroTik, and I suppose I have to in this case. VLANs should be activated on the 24-port uplinks, and the small 5-port switch needs to support them too, right? I need to colour each group of ports (for each office) before putting it on the bridge and sending it to the other switch. There are still questions:

1) Who will route to the bridge as gateway, and manage DHCP and QoS for each group of ports? Can I do it in each switch? I mean, if an office is "activated" on that floor, in that switch I'll create a gateway for it, with its DHCP. On another floor, same situation, the other router/switch will do that. In case the same domain should be available on both floors, they will send packets through the VLAN.

2) Cameras should follow this logic, through a VLAN, and exit on a port going to the NVR.

3) WiFi CAPs should be connected to one CAPsMAN, supposing we use one of these 3 switches, and broadcast several SSIDs.

MY IDEA:
The routers, as well as the cameras, CAPs and internet gateway, may use the same IP broadcast domain, the main bridge. For each company I can create a new bridge and assign a VLAN to it. On the CAPsMAN I create the slave SSIDs and assign them to the company bridges. On the switch with CAPsMAN all the bridges should be configured, to give the CAPs' slave SSIDs the right company's broadcast domain.

Do you agree?
Which MikroTik device can I choose for the 24 ports and for the small 5 ports? I would prefer gigabit ports, but if it costs double the 100 Mbit one, then I'll think about that. Thanks!
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland
Contact:

Re: Help on designing Mikrotik network

Fri Nov 19, 2021 3:15 pm

That's quite a plan you have there, and it would benefit from a proper design including looking at your actual WiFi needs and what the actual RF environment is like.

Anyway, as a general guide, here are some pointers.

Instead of the 5 port switch, place a router, with enough grunt to run a bunch of VLANs. An RB5009 or one of the CCR units depending on your budget. Depending on the requirements you may need to go for a router with 2.5GbE or 10GbSFP+ to connect to each switch.

All VLAN config is done on the router. You'd want a management VLAN, A VLAN for your operating requirements (office etc) and then a separate VLAN for each client who rents space and services. You could then have a different one for the CCTV too if you like.

You'd create a trunk port to each 24 or 48 port switch (again whatever CCR units work best in terms of price vs requirements) which carries all VLANs, and then just set each port to whatever VLAN is required to service whatever is plugged into it from each office. APs would get a trunk port and the various SSIDs would have a VLAN set on their datapath, so all traffic for SSID CompanyA would end up on whatever VLAN is assigned to Company A. You could then use the same VLAN on multiple switches if a customer has offices on multiple floors.

That is a very high level overview. If you want to offer this to your customers, I'd strongly recommend talking to a network engineer and getting it designed right. There can be a lot of headaches both in design and installation, and in managing and maintaining a setup like this, and if you're not sure what you're doing, it can go horribly wrong very easily, with expensive consequences.
It's definitely doable with Mikrotik kit too.
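The "SSID with a VLAN on its datapath" part of the answer above, written out as a RouterOS v6 CAPsMAN configuration. This is an added example, not part of spynappels' post or of MikroTik's documentation; the SSIDs, VLAN IDs (110 and 120), passphrases and the CAPsMAN address 192.168.99.1 on a management VLAN are assumptions. It uses local forwarding, so the CAP itself tags each SSID's frames on its ethernet port and the switch port feeding the CAP has to carry those VLANs tagged. RouterOS v7's newer "wifi" package uses different datapath commands and is not shown.

```routeros
# Added example (not from the thread): RouterOS v6 "caps-man" package, one SSID per
# tenant, each tagged into that tenant's VLAN at the CAP's ethernet port.
# SSIDs, VLAN IDs, passphrases and the 192.168.99.1 manager address are assumptions.
/caps-man datapath
# local-forwarding=yes: the CAP bridges the SSID to its own ether port and adds the
# 802.1Q tag there, so the switch port feeding the CAP must carry VLAN 110/120 tagged
# (and the management VLAN untagged, for the CAP's own traffic to the manager).
add name=dp-coA local-forwarding=yes vlan-mode=use-tag vlan-id=110
add name=dp-coB local-forwarding=yes vlan-mode=use-tag vlan-id=120
/caps-man security
# one passphrase per tenant; isolation between tenants comes from the VLAN, not the key
add name=sec-coA authentication-types=wpa2-psk encryption=aes-ccm passphrase="ChangeMe-CompanyA"
add name=sec-coB authentication-types=wpa2-psk encryption=aes-ccm passphrase="ChangeMe-CompanyB"
/caps-man configuration
add name=cfg-coA ssid=CompanyA mode=ap datapath=dp-coA security=sec-coA
add name=cfg-coB ssid=CompanyB mode=ap datapath=dp-coB security=sec-coB
# every CAP that checks in gets CompanyA as the master SSID and CompanyB as a slave
# (virtual) SSID on the same radio; add further slave configurations as tenants arrive
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-coA slave-configurations=cfg-coB hw-supported-modes=gn
/caps-man manager
set enabled=yes
# --- on each CAP (the access point on the floor), assuming its ether1 sits untagged in
# the management VLAN where the manager is reachable at 192.168.99.1: ---
# /interface wireless cap set enabled=yes interfaces=wlan1 discovery-interfaces=ether1 caps-man-addresses=192.168.99.1
```

With local forwarding the CAPsMAN box only carries control traffic for the CAPs; tenant frames never transit the manager, which is what makes the same tenant VLAN usable on every floor without a bridge per company.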
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on designing Mikrotik network

Fri Nov 19, 2021 6:42 pm

Thank you for your kind answer. I have to add an important piece of info: it's not yet known to me who designed this network, I mean who placed the cables and the logic they follow; I have to discover it, and probably it was not an expert at all. All the plugs (cat5e) of each floor go to a point where the switch is supposed to be installed, and the same kind of cable is used to uplink from the 3 floors to another point, near the door; probably they expect the internet to come somehow there from the street. Well, there is another internet connection in the building and there is access to it from the second floor; that's why I would like to use the second floor's switch to bring internet into this system.
So the wires are already there; I can just do my best to use them in the best way.


So you are suggesting I use just Layer 2 switches (which I suppose may cost less than Layer 3, and does MikroTik sell them?), group their ports under VLANs (for example, 1st office ports 1+2+3, 2nd office ports 2+3..., ports 22+23 cameras 1+2, WiFi port 23, uplink port 24), and use a good router where the uplinks come in.
On that router place every VLAN in a different bridge, assign a DHCP, manage the routing between bridges, configure CAPsMAN and place the slave SSIDs on it. It doesn't look too difficult, if there aren't tricks to be careful about on MikroTik.
Am I correct? Thanks

I'm not expecting huge traffic from each (small) office; let's say I'll have only a 100 Mbit internet connection to share, which I suppose may be enough. If the switches can switch ethernet packets themselves between the grouped ports, then the VLAN uplink will be used for internet only (and yes, eventually for a second office on the other floor, remotely possible), video surveillance and CAPs. Something that a router may sustain... I guess.
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland
Contact:

Re: Help on designing Mikrotik network

Fri Nov 19, 2021 6:52 pm

That's largely correct, but you don't have to put each VLAN on a different bridge on the router; you can place them all on the same bridge. Each VLAN has its own subnet, and you control traffic between them using firewall rules.

Again I will say that if there are aspects of this which you are not sure about, employ someone who does know to design the logical layout and do the configuration for you. Getting this wrong can potentially open you up to serious liabilities, if you are charging people for infrastructure in your serviced offices.

CapsMan takes some getting used to, and VLANs on Mikrotik also have some quirks, so if you take this on yourself, you will likely need to learn very quickly, and potentially still get (paid) advice from a professional.
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland
Contact:

Re: Help on designing Mikrotik network

Fri Nov 19, 2021 7:02 pm

Oh and I forgot to mention some switches.

If PoE is not important to you, you could go with something like the https://mikrotik.com/product/CSS326-24G-2SplusRM
If you need PoE, you could look at something like the https://mikrotik.com/product/crs328_24p_4s_rm
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on designing Mikrotik network

Fri Nov 19, 2021 7:17 pm

Thank you, your info is really precious :)
I would say I had 10 years' experience in a telecommunications company and worked with Cisco; yes, it was a while ago, but I'm pretty sure I can manage to configure everything, except the "quirks" you mentioned. Well, I would love to experience them, and I'll take some time in my office doing experiments before implementing it for the client, eventually asking here if something goes wrong. I would be positive about it. As for CAPsMAN, I've installed it 5 times already, and spent some time managing it, with access lists, slave SSIDs and so on.

What sounds new to me is how to manage the traffic using only the firewall. DHCP is a level 2 protocol; I should separate the ethernet broadcast domains to avoid giving wrong addresses to the wrong VLANs, so I suppose I should use them: (on the router) give an IP address to each bridge and use it as gateway. I've used this logic on CAPs with different SSIDs: each bridge has a DHCP, and on the firewall a NAT to the main network as gateway. Isn't that correct? Which is the way you mean, using only the firewall?
About QoS, I've tried but haven't succeeded, and as it wasn't crucial I left it alone so as not to create issues. I've tried to reduce the bandwidth of the bridge, but with fast forwarding... it wasn't effective. So I have to concentrate on the NAT as gateway, if I want to limit the bandwidth to the internet and leave the other clients better performance.

The switch you suggest seems to be what I need; not an expensive one, minimum IP support, cool.
What about the router? I suppose an RB750Gr3 can be enough, it has a powerful CPU...
Thank you!
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: Help on designing Mikrotik network

Fri Nov 19, 2021 8:39 pm

If you're coming from a Cisco background, you might find this helpful:

https://stubarea51.net/2019/02/06/cisco ... and-vlans/

https://stubarea51.net/2018/01/05/cisco ... tion-ospf/
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland
Contact:

Re: Help on designing Mikrotik network

Sat Nov 20, 2021 11:18 am

I would say I had 10 years' experience in a telecommunications company and worked with Cisco; yes, it was a while ago, but I'm pretty sure I can manage to configure everything, except the "quirks" you mentioned. Well, I would love to experience them, and I'll take some time in my office doing experiments before implementing it for the client, eventually asking here if something goes wrong.
Fair enough, no worries.

On the router, that is a little more difficult. As it looks like you don't have the option of running fibre between floors, having 3+ SFP+ ports for 10GbE links is not going to be as big a deal. However, even having one or two will allow you to daisy-chain the three switches using 10G if the cabling situation changes, which would still give you better throughput than using a single GbE link to connect a switch to the router.

For this, either a https://mikrotik.com/product/rb4011igs_rm or a https://mikrotik.com/product/rb5009ug_s_in would be a compelling proposition, and would give you a lot of options for expansion too. Both are rack-mountable too if your router is going into the same rack/cabinet that one of the switches is going into.

However, it's worth checking if the cabling supports 2.5GbE. Over Cat5e it may well not be reliable; Cat6 or 7 is better, but you have constraints there. If 2.5GbE is an option, it's worth looking at the switch and router options again to see if you can get a better initial setup using that.
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on designing Mikrotik network

Sat Nov 20, 2021 12:20 pm

Thank you, I suppose this router, the RB4011iGS+RM, will be suitable for my needs; it can manage up to 10 Gbps of packets and I have 3 gigabit links connected. Unfortunately whoever designed the network wasn't the right person; now it's too late, the place is at the painting stage and will be finished/opened soon, and I can't break walls to put in other cables. It will be 1 Gbps only.

So I'm evaluating buying 3 CSS326-24G-2S+RM switches and 1 RB4011iGS+RM router,
grouping ports for the small offices, cameras, WiFi and eventually the internet uplink on the second floor, and sending everything by VLAN to the main router. The router will merge the office VLANs into the same bridge, where a DHCP and a gateway to the main bridge with internet are located. On the main bridge static IPs only: router/switch management, cameras and CAPs.

If possible, please answer about the firewall; it's interesting what you meant, and whether my approach with the bridges is correct. Thank you a lot!

What sounds new to me is how to manage the traffic using only the firewall. DHCP is a level 2 protocol; I should separate the ethernet broadcast domains to avoid giving wrong addresses to the wrong VLANs, so I suppose I should use them: (on the router) give an IP address to each bridge and use it as gateway. I've used this logic on CAPs with different SSIDs: each bridge has a DHCP, and on the firewall a NAT to the main network as gateway. Isn't that correct? Which is the way you mean, using only the firewall?
About QoS, I've tried but haven't succeeded, and as it wasn't crucial I left it alone so as not to create issues. I've tried to reduce the bandwidth of the bridge, but with fast forwarding... it wasn't effective. So I have to concentrate on the NAT as gateway, if I want to limit the bandwidth to the internet and leave the other clients better performance.


IPANetEngineer: thanks for the links, I'll look at them, especially the VLAN one. I'm not going to implement routing between the office networks, as there is no reason for them to communicate with each other, so I'm going to use a source NAT for each network, to a specific address, for example:
192.168.88.1 main switch
88.11 1st floor switch
...
88.101 first office network gateway
88.102 second office network gateway
...
On the bridges for the offices I'll disable fast forwarding; now, how can I reduce access to the internet? I suppose I have to implement it in the firewall NAT rule, but when I tried it wasn't working properly. Thanks
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland
Contact:

Re: Help on designing Mikrotik network

Sat Nov 20, 2021 1:11 pm

Hi Giovanni,

Focusing on the router at first, you'd add as many of the physical interfaces as you think you need to the bridge. It might be prudent to leave 2 GbE interfaces off, for your Internet provision and a spare.

On that bridge you would then create VLAN interfaces, each with the "router" IP on that VLAN's subnet. For each VLAN subnet you'd also create a DHCP server on the VLAN interface, so you'd have as many DHCP servers as you have VLANs. Traffic coming off the bridge for each VLAN would be tagged with that VLAN's ID, and then you simply choose which physical ports carry which traffic. For the ports which will connect the router to the switches, you simply pass all traffic tagged, and then on the switches you set specific ports as access ports for the various VLANs that need to transit the switch.

I'd recommend looking at the following forum article on VLANs and how to get a basic setup working with a sample config. You can then try this out in a virtual lab by deploying a few CHR virtual routers on VirtualBox or VMware Player or something.
viewtopic.php?t=143620
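The router-side layout described in this post, and the "all VLANs on one bridge, separation done by firewall rules" point from the earlier reply, written out as a RouterOS v6 configuration. This is an added example, not from the thread or from the linked forum article; interface names, VLAN IDs, subnets and the tenant/camera/management split are assumptions. It assumes the WAN arrives on ether1; if, as discussed later in the thread, the internet instead arrives tagged on the second-floor trunk, a VLAN interface for it goes into the WAN interface list in place of ether1.

```routeros
# Added example (not from the thread): router-on-a-stick for tenant VLANs on RouterOS v6
# with bridge VLAN filtering. Names, VLAN IDs and subnets are assumptions:
#   ether1  = WAN (kept off the bridge)      ether2-4 = trunks to the three floor switches
#   ether10 = emergency access (off the bridge)
#   VLAN 99 management, 110 company A, 120 company B, 200 cameras + NVR
# Do this from /system safe-mode or via the emergency port: enabling vlan-filtering
# is the step that can lock you out, so it is done last.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# trunks accept tagged frames only; ingress filtering drops anything not in the VLAN table
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
# bridge1 itself is a tagged member so the router can have an L3 interface in each VLAN
add bridge=bridge1 vlan-ids=99  tagged=bridge1,ether2,ether3,ether4
add bridge=bridge1 vlan-ids=110 tagged=bridge1,ether2,ether3,ether4
add bridge=bridge1 vlan-ids=120 tagged=bridge1,ether2,ether3,ether4
add bridge=bridge1 vlan-ids=200 tagged=bridge1,ether2,ether3,ether4
# one VLAN interface per subnet, all on the single bridge (no bridge per company)
/interface vlan
add name=vlan99-mgmt  interface=bridge1 vlan-id=99
add name=vlan110-coA  interface=bridge1 vlan-id=110
add name=vlan120-coB  interface=bridge1 vlan-id=120
add name=vlan200-cctv interface=bridge1 vlan-id=200
/interface list
add name=WAN
add name=MGMT
add name=TENANTS
/interface list member
add list=WAN     interface=ether1
add list=MGMT    interface=vlan99-mgmt
add list=MGMT    interface=ether10
add list=TENANTS interface=vlan110-coA
add list=TENANTS interface=vlan120-coB
/ip address
add address=192.168.99.1/24  interface=vlan99-mgmt
add address=192.168.110.1/24 interface=vlan110-coA
add address=192.168.120.1/24 interface=vlan120-coB
add address=192.168.200.1/24 interface=vlan200-cctv
add address=192.168.250.1/24 interface=ether10
# one DHCP server per tenant VLAN; management and camera VLANs stay static
/ip pool
add name=pool-coA ranges=192.168.110.10-192.168.110.250
add name=pool-coB ranges=192.168.120.10-192.168.120.250
/ip dhcp-server
add name=dhcp-coA interface=vlan110-coA address-pool=pool-coA disabled=no
add name=dhcp-coB interface=vlan120-coB address-pool=pool-coB disabled=no
/ip dhcp-server network
add address=192.168.110.0/24 gateway=192.168.110.1 dns-server=192.168.110.1
add address=192.168.120.0/24 gateway=192.168.120.1 dns-server=192.168.120.1
/ip dns set allow-remote-requests=yes
/ip firewall filter
# input: the router itself is managed only from MGMT; tenants may only ask it for DNS/DHCP
add chain=input action=accept connection-state=established,related
add chain=input action=drop   connection-state=invalid
add chain=input action=accept in-interface-list=MGMT
add chain=input action=accept in-interface-list=TENANTS protocol=udp dst-port=53,67
add chain=input action=accept in-interface-list=TENANTS protocol=tcp dst-port=53
add chain=input action=drop
# forward: tenant -> internet only; MGMT may reach everything; the final drop covers
# tenant<->tenant, tenant->cameras, tenant->management and cameras->internet
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop   connection-state=invalid
add chain=forward action=accept in-interface-list=TENANTS out-interface-list=WAN
add chain=forward action=accept in-interface-list=MGMT
add chain=forward action=drop
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
# last step, once the VLAN table above is complete
/interface bridge set bridge1 vlan-filtering=yes
```

Two offices of the same company on different floors share one VLAN ID, so their traffic is switched between the floor switches over the trunks and never reaches the forward chain; the firewall only sees what crosses a subnet boundary, which is exactly the traffic that must be controlled.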
 
nettnuts
just joined
Posts: 21
Joined: Wed Sep 01, 2021 11:41 am

Re: Help on designing Mikrotik network

Sat Nov 20, 2021 4:17 pm

@spynappels, for the TO's scenario, would you recommend using the MikroTik 'Controller Bridge and Port Extender' feature?

https://help.mikrotik.com/docs/display/ ... t+Extender

This would make it possible to manage everything only on the router.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Help on designing Mikrotik network

Sat Nov 20, 2021 4:31 pm

I think you are way overcomplicating things.......
This is a simple case of various VLANs supplying the various needs on the network.

The MT router should have enough ports to
a. connect to one or more WANs as per the network.
b. Rest of the ports should be on a single bridge
c. Reserve one bridge port for very very local needs (admin access)
d. enough trunk ports to connect to managed switches
e. one spare port not on the bridge for emergency access

Then the user/device requirements: how many individual devices/users and how many groups of users/devices do you have?
This will dictate your VLAN structure, + 1 for a management VLAN.
What will the user(s)/device(s) be allowed to do and not be allowed to do?
This will drive your firewall rules.
What is allowed to the internet, what is allowed access to other VLANs, any shared devices??
What kind of routing and load balancing you want to achieve may or may not require mangling etc......
Any other special requirements??

In general, interface lists are optimized for groups of subnets with a common purpose
(single subnets do not require an interface list, unless it's the management VLAN).
Firewall address lists are best suited for a subset of IPs from a subnet, a list of IPs across subnets, or a mix of IPs and subnets.... (hint: any time you have IPs.......... use a firewall address list).


MT switches.
Each managed switch should get an IP address on the management VLAN subnet.
For each switch one needs a single bridge, and one identifies the VLANs coming to that switch + the management VLAN.
Set up the bridge port and bridge VLAN settings as appropriate.
The only interface list needed is MGMT.
The only member of that list is the VLAN for management.
(Note: I normally create an emergency access on one of the switch ports, not on the bridge, for physical admin access if required.)
(This ether port would also be added to the interface list membership for MGMT.)
Routing only to the gateway of the management VLAN is required.
Tools > MAC Server: set the MAC Telnet and WinBox MAC servers to the interface list MGMT.
IP > DNS: set the DNS server to the gateway of the management VLAN.
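anav's switch checklist above, written out for one floor switch running RouterOS (a CRS3xx-class unit). This is an added example, not anav's configuration; the port map, VLAN IDs and addresses are assumptions, chosen to match the VLAN numbering used elsewhere on this page (99 management, 110/120 tenants, 200 cameras). The CSS326 chosen in the thread runs SwOS rather than RouterOS, so on that switch the same tagged/untagged VLAN table is entered in the web UI instead of with these commands.

```routeros
# Added example (not from the thread): one floor switch on RouterOS, following anav's list.
# Port map, VLAN IDs and addresses are assumptions:
#   ether1-3   office A (VLAN 110)      ether4-5  office B (VLAN 120)
#   ether21-22 cameras (VLAN 200)       ether23   CAP (mgmt untagged + tenant VLANs tagged)
#   ether24    trunk to the router      ether20   emergency port, NOT a bridge port
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# access ports: untagged only; ingress filtering drops a tagged frame a tenant might send
# to hop into another VLAN (it would otherwise be accepted if the VID is in the table)
add bridge=bridge1 interface=ether1  pvid=110 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether2  pvid=110 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3  pvid=110 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4  pvid=120 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5  pvid=120 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether21 pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether22 pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# CAP port: hybrid, management untagged via pvid, tenant SSID VLANs tagged
add bridge=bridge1 interface=ether23 pvid=99 ingress-filtering=yes
# trunk to the router: tagged frames only
add bridge=bridge1 interface=ether24 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
# bridge1 is a tagged member of VLAN 99 only, so the switch has no presence in tenant VLANs
add bridge=bridge1 vlan-ids=99  tagged=bridge1,ether24 untagged=ether23
add bridge=bridge1 vlan-ids=110 tagged=ether24,ether23 untagged=ether1,ether2,ether3
add bridge=bridge1 vlan-ids=120 tagged=ether24,ether23 untagged=ether4,ether5
add bridge=bridge1 vlan-ids=200 tagged=ether24 untagged=ether21,ether22
# the switch gets one IP, on the management VLAN, plus the emergency port
/interface vlan
add name=vlan99-mgmt interface=bridge1 vlan-id=99
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=vlan99-mgmt
add list=MGMT interface=ether20
/ip address
add address=192.168.99.11/24  interface=vlan99-mgmt
add address=192.168.250.11/24 interface=ether20
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1
/ip dns set servers=192.168.99.1
# management plane reachable only through MGMT: MAC telnet/WinBox, neighbor discovery,
# and only the services that are actually used, restricted to the management subnets
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.99.0/24,192.168.250.0/24
/ip service set ssh address=192.168.99.0/24,192.168.250.0/24
# last, from safe-mode
/interface bridge set bridge1 vlan-filtering=yes
```

The emergency port keeps its own address outside the bridge, so it still answers if the VLAN table is wrong and the management VLAN never reaches the switch.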
 
nettnuts
just joined
Posts: 21
Joined: Wed Sep 01, 2021 11:41 am

Re: Help on designing Mikrotik network

Sat Nov 20, 2021 4:42 pm

Yes, anav, you are right. I like this feature somehow, but it is only feasible between switches anyway.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Help on designing Mikrotik network

Sat Nov 20, 2021 8:59 pm

Yes, anav, you are right. I like this feature somehow, but it is only feasible between switches anyway.
Not sure what you mean........
VLANs work for me for all managed switches (independent of vendor) and all smart access points, independent of vendor.
 
nettnuts
just joined
Posts: 21
Joined: Wed Sep 01, 2021 11:41 am

Re: Help on designing Mikrotik network

Sat Nov 20, 2021 9:16 pm

Of course, I was referring to the 'Control Bridge' feature I mentioned before, which is completely irrelevant here.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Help on designing Mikrotik network

Sat Nov 20, 2021 9:21 pm

Ahh okay yeah if its not MT its not relevant LOL.
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on designing Mikrotik network

Mon Nov 22, 2021 11:17 am

Thank you for your answer, I'll read the documentation when I have time :)
I can't rewire the system; the wires (cat5e) are already inside the walls, and changing them is unfortunately not an option. The trunk will work at 1 Gbps only, and I hope it may be enough for the small businesses there.
So I've understood I have to place all the VLANs into one bridge, and there will be a way to distinguish them and separate the ethernet broadcast domains; I'll check.
On the main router there will probably be only 3 ports to the different switches; the internet (not exactly the public address, it will be an internal address of the subnet of the old building, where internet is already active) will come to the switch on the second floor, and I'll bring it by VLAN to the main router.

The QoS I have in mind is about the internet only: the clients will have the chance to use their ports at the maximum speed available, even between floors, but internet will depend on how much they pay. I would reduce it to 10 megabit/s, for example; where is it better to configure this rule?
Thank you
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on designing Mikrotik network

Mon Nov 22, 2021 6:51 pm

I'm searching for devices here in SPB among distributors; it seems difficult to get different MikroTik devices, some of them look available on the site but for me only in January, why?
It seems now I can order only the RB2011iL-IN, which looks a bit low-performance with respect to what I need to do.
 
nettnuts
just joined
Posts: 21
Joined: Wed Sep 01, 2021 11:41 am

Re: Help on designing Mikrotik network

Mon Nov 22, 2021 8:38 pm

Yes, the chip shortage makes it a little bit difficult right now.
The successor RB5009 is available here
https://www.eurodk.de/de/products/mt-rb ... 009ug-s-in

There, the RB4011 is available as of 4.1.22.
 
nettnuts
just joined
Posts: 21
Joined: Wed Sep 01, 2021 11:41 am

Re: Help on designing Mikrotik network

Mon Nov 22, 2021 9:47 pm

Regarding your question on how to implement QoS on your router, there are several MUM presentations available, e.g.
https://mum.mikrotik.com/presentations/ ... ordano.pdf

If you have customers paying for and relying on you as an ISP, you may think about how to acquire redundancy for internet access.
How to setup this in your router is described here:
https://mum.mikrotik.com/presentations/US12/steve.pdf
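For the specific question asked above (cap each tenant's internet at, say, 10 Mbit/s, and leave floor-to-floor traffic untouched), a router-side simple-queue configuration. This is an added example, not from the thread or from the linked presentations; the tenant subnets 192.168.110.0/24 and 192.168.120.0/24, the 100 Mbit uplink and the interface list name TENANTS are assumptions. It also shows the one detail that usually makes such a queue "do nothing": FastTrack'ed connections bypass simple queues, so tenant traffic must be kept out of any fasttrack rule.

```routeros
# Added example (not from the thread): per-tenant internet cap with simple queues.
# Subnets, rates and the TENANTS interface list name are assumptions.
# Only traffic the router forwards passes a queue; traffic between two offices of the
# same company on different floors stays inside its VLAN and is switched at wire speed,
# so this limits internet only. With a forward chain that drops tenant<->tenant, the
# only routed traffic from a tenant subnet is its internet traffic.
/queue simple
# parent = the whole 100 Mbit uplink, so the tenants share it and one cannot starve the rest
add name=internet-total target=192.168.110.0/24,192.168.120.0/24 max-limit=100M/100M
# children: guaranteed 5 Mbit/s each (limit-at), capped at 10 Mbit/s (max-limit),
# first value upload (from the target), second download (to the target)
add name=internet-coA parent=internet-total target=192.168.110.0/24 limit-at=5M/5M max-limit=10M/10M
add name=internet-coB parent=internet-total target=192.168.120.0/24 limit-at=5M/5M max-limit=10M/10M

# Caveat: fasttracked connections skip simple queues entirely. If the firewall uses
# fasttrack, exclude tenant flows in both directions (the return packets of a tenant->WAN
# connection have the tenant VLAN as out-interface, which the second negation catches).
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    in-interface-list=!TENANTS out-interface-list=!TENANTS \
    comment="fasttrack only non-tenant flows; queued traffic must not be fasttracked" \
    place-before=0
```

Changing a tenant's plan is then a one-line edit of its max-limit; nothing in the VLAN or firewall configuration has to move.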
