iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 1:00 pm

Hi. I have been using VLANs on my home/homelab AP (separate SSID per VLAN) for quite a while to separate "trusted" and non-trusted devices (primarily wifi clients).
That had its own cost, like the inability to keep Chromecast in a separate VLAN (from the home NAS), etc. And I still had to have extra firewall rules in place for VLANs.

Now, as I'm moving to Audience, I'm wondering what the downside is of getting rid of VLANs and replacing them with firewall rules based on address lists (so clients will drop into the respective address list)?
I'm also considering getting rid of multiple SSIDs and replacing them with a single SSID (that by itself may not be a limit for multiple VLANs if based on MAC, but it should be simpler in pure firewall-based isolation).

I'm not that knowledgeable, if that's an obvious question; I have heard VLAN is L2 and firewall works on L3, but I couldn't yet translate all I've found into a practical/pragmatic answer to my question -

What are the downsides of using pure firewall-based separation for "guest" wifi devices compared to VLAN? Performance, severe security issues, ...?

Pls advise.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 1:22 pm

VLANs indeed work on Layer 2 of the OSI model.. We use VLANs to create separate broadcast domains in our networks, which has a lot of benefits, like increased security, smaller broadcast domains, better management, low latency and more...

In a network where you have inter-VLAN routing set up, meaning a router that interconnects different VLANs that exist on a switch (or switches), unless you block those VLANs through the router's firewall, they will be able to communicate with each other on the Layer 3 level ( IPs / packets ) but not on Layer 2 ( MACs / frames )...

In case you need some VLANs to be able to communicate with each other, you just don't block them through the firewall... That way, your PC, for example, that exists on VLAN10 will be able to communicate with an IP camera on VLAN20, but at the same time you are able to block the guest wifi on VLAN30 from reaching VLAN20, which is your IP camera ( example of increased security )... This is an example where you need the firewall to block the communication between different VLANs...

Finally, if for example in a network only a switch exists and no router is used to interconnect your VLANs, then VLAN10 would be able to communicate with devices on the same VLAN only.. ( you need routing to connect different networks )
Of course that will not change if you have a router; it was an example for simplicity. Even with inter-VLAN routing, at Layer 2 only devices in the same VLAN will be able to communicate with each other... For example, with devices that use some kind of Layer 2 discovery protocol, you will see that they only reach devices in the same VLAN and only...

It all depends on what exactly you want to achieve...
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 1:36 pm

VLAN is more robust, or simpler to keep secure. It's a separate interface, so no matter what users try, playing with a fake MAC address or anything, they are still isolated, and you don't need to think about it too much. You still have to control access between the VLAN and the rest, but that's simple, because it's clearly going between interfaces, so you can just use in/out-interface(-list) in the firewall and nobody will get around that. You should be able to make things secure enough with just the firewall, but it's more work and easier to make mistakes.

It's like if you have a prison with different groups of prisoners, and you can either have them all in one big cell, or split by groups in different cells. You can control prisoners in one big cell too, because they still have numbers or some kind of identification, but with separate cells you can be more sure that there won't be some mixup.
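Sob's point above, shown as RouterOS configuration (an added example, not from the thread or from any MikroTik documentation; the interface names, list names and subnets are assumptions): with a VLAN the rule matches the interface the frames arrive on, while with address lists it matches the source address the client itself chose.

```routeros
# Added example (not from the thread). Assumed names: vlan30-guest is the
# guest VLAN interface, bridge1 the trusted LAN, 192.168.30.0/24 the guest
# subnet and 192.168.1.0/24 the trusted subnet. Adjust to your own setup.

# --- Variant A: VLAN per SSID, rules keyed on the ingress interface ---
/interface list
add name=GUEST
add name=TRUSTED
/interface list member
add list=GUEST interface=vlan30-guest
add list=TRUSTED interface=bridge1

/ip firewall filter
# Whatever IP or MAC a guest client presents, its frames still arrive on
# vlan30-guest, so the interface-list match cannot be sidestepped.
add chain=forward in-interface-list=GUEST out-interface-list=TRUSTED \
    action=drop log=yes log-prefix="guest->trusted" \
    comment="guest -> trusted: deny regardless of source address"
add chain=input in-interface-list=GUEST protocol=udp dst-port=53,67 \
    action=accept comment="guest: DNS and DHCP to the router only"
add chain=input in-interface-list=GUEST action=drop \
    comment="guest: no other router services"

# --- Variant B: one flat LAN, rules keyed on address lists ---
/ip firewall address-list
add list=guest-net address=192.168.30.0/24
add list=trusted-net address=192.168.1.0/24

/ip firewall filter
# This matches the address the client claims. A guest that sets a static
# address in the trusted range is no longer in guest-net and slips past a
# deny rule, so prefer an allow-list of trusted sources plus a catch-all
# drop, and log the drops so such attempts are visible.
add chain=forward src-address-list=trusted-net dst-address-list=trusted-net \
    action=accept comment="trusted -> trusted"
add chain=forward dst-address-list=trusted-net action=drop log=yes \
    log-prefix="to-trusted-denied" comment="anything else -> trusted: deny"

# Check: compare the rule counters after a guest client tries to reach the
# trusted subnet; Variant A counts on the interface rule, Variant B only
# while the client keeps a guest-range source address.
/ip firewall filter print stats where chain=forward
```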
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 8:57 pm

> so no matter what users try, playing with fake MAC address, or anything, they are still isolated, and you don't need to think about it too much

Thank you.

As I'm indeed interested in a rather practical/pragmatic answer, I'll need some extra help.
Inability to withstand "faking MAC" is a drawback for the non-VLAN approach. It also "nails" an intention to have a single SSID and MAC-based VLAN tag assignment, if I understood it correctly.

I'll try to "qualify"/"quantify" the drawback. So, it's not like I'm actively "advertising" the real MAC addresses of my "trusted" devices. For both my PCs and phones I do use randomized MAC addresses "by default", and only the real MAC for trusted WiFi. I guess there may be an attempt to steal it, but that seems to be quite a "personalized" type of attack (and maybe even expensive atm), so as a home/homelab user, I would not really count on it. What do you think?
Still, I'll note it and will try to search for some protection against it, thank you.

Are there any other downsides of using pure firewall-based separation for "guest" wifi devices compared to VLAN that come to your mind?
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 9:08 pm

I think there are two better questions ( cases ) based on your replies.

A. Is there a way to ensure WIFI devices/users on the same (WLAN) do not talk to each other.

This is more germane to having an UNTRUSTED VLAN where you want to ensure the devices on the WLAN cannot see each other but can reach the internet.
This is a problem due to the proliferation of untrusted devices using WIFI and, let's be honest, there are only so many virtual WLANs to go around in one home before impacting trusted VLAN wifi performance.

There are two cases.

i. NON-MT wifi devices, and thus it would have to be accomplished within the router (assuming such a feature didn't exist on the non-MT AP; some do have this).
ii. MT wifi devices, and here it may be doable ALL on the wifi device or perhaps a combo of wifi device and router.
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 9:11 pm

> VLANs indeed work on Layer 2 of the OSI model.. We use VLANs to create separate broadcast domains in our Networks, which has a lot of benefits, like increased security, smaller broadcast domains, better management, low latency and more...

Thank you for your opinion. I'm a home/homelab user, so though I'm currently using VLANs, I don't think I get the same benefits from them as business/enterprise users.
Thus I'm trying to be more practical/pragmatic from a home/homelab user point of view.

Are there any downsides of using pure firewall-based separation for "guest" wifi devices compared to VLAN that come to your mind (for a home/homelab concept)? Not simply "advantages of VLANs".

Even from a knowledge point of view - I'm not a networking person, though I benefit from using some MT features that are not available in "retail" APs/switches. So, to properly configure/use VLANs I need to get into the details of VLANs and their MT interpretation, distinguish between different options, etc. There are guides, but even finding the right (non-outdated) one takes time.

An example is an attempt to get Chromecast working across VLANs. It's not about just "not blocking" it by the firewall. The only publicly known solution to cross-VLAN Chromecast'ing (as of my last check) is to engage an external device that runs an avahi reflector. And no straightforward instruction exists even for that for a non-advanced user.
Last edited by iScape on Sat Dec 11, 2021 9:20 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 9:12 pm

Chromecast and SONOS are two examples of protocols that are not cross-VLAN friendly.
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 9:16 pm

> There are two cases.
> i. NON-MT wifi devices and thus it would have to be accomplished within the router (assuming such a feature didnt exist on the non-mt AP, some do have this).
> ii. MT Wifi devices, and here it may be doable ALL on the wifi device or perhaps a combo of wifi device and router.

I'm not sure I follow the underlying "reasoning", but to make a first step - the only networking env I will be using is the Audience LTE6 kit, or (unlikely) a combination of the Audience LTE6 kit + a non-MT 5G router (having one of the Audience's 5GHz radios serve as a station connected to the 5G router).
The rest will be non-MT "stations", some of them will run VMs/containers. OS-wise that will be a zoo (though no single Apple device except from guests).
Last edited by iScape on Sat Dec 11, 2021 9:19 pm, edited 2 times in total.
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 9:17 pm

> Chromecast and SONOS are two examples of protocols that are not cross vlan friendly.

Thanks for the warning :) I'm preparing to get Sonos, haven't so far checked whether it relies on a similar networking approach (though it's obvious if you think of a streaming type of device).
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 9:22 pm

That's because of how they work..
Chromecast operates on the DIAL protocol; the client device searches for the Chromecast only on its local network...
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 9:33 pm

> That's because of how they work..
> Chromecast operates on DIAL protocol, the client devices searches for the Chromecast only on its local network...

Exactly, so it's not as simple as "In case you need some VLANs to be able to communicate with each other, you just don't block them through the Firewall..".
So, if I have to keep multiple non-trusted devices in a trusted network anyway (I do have 2x GCCGTV, 2x CC Ultra, waiting for Sonos) and secure it by firewalling, then why not "simplify" the overall layout down to "pure firewall-based" IF there are no severe downsides. If indeed there ARE severe downsides (pragmatic/practical), then I may want to stay "as is" with the combination of VLANs, multiple SSIDs and firewalling for "non-trusted" devices that must be kept in the "trusted" VLAN.

But all of that may not be directly affecting my generic question "What are downsides of using pure firewall-based separation for "guest" wifi devices compared to VLAN?" (for a home/homelab user).
So far the "faking MAC" item was mentioned, though it may not be a deal breaker if no other details are discovered (as there are some "softening" measures applied, like randomized MAC for non-trusted SSIDs).

Can you think of any?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 9:42 pm

> Exactly, so it's not as simple as "In case you need some VLANs to be able to communicate with each other, you just don't block them through the Firewall..".

No, it's exactly like that...
When devices work, or must work, or depend on Layer 2 functionality, they must be on the same VLAN.. if you put them on separate VLANs then it's your mistake...
When devices are capable of traversing networks they can communicate on Layer 3 as long as proper firewall and routing configurations are made...

So, as in my previous example, if, let's say, you want to connect to a MikroTik device by MAC and not IP, and that MikroTik device is on a different VLAN than the one you are on, you won't even see it in your neighbors, because MNDP ( MikroTik Neighbor Discovery Protocol ) works on Layer 2, so you can only see devices in the same broadcast domain...
So if you think you can still do it then it's not a network problem but a wrong approach...

VLANs need a good network design before they are applied, especially in bigger networks...
So a good approach would be to have the Chromecast and your phone in the same VLAN...
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 9:48 pm

> > Exactly, so it's not as simple as "In case you need some VLANs to be able to communicate with each other, you just don't block them through the Firewall..".
>
> No, its exactly like that...
> When devices work or must work or depend on the layer's 2 functionality they must be on the same VLAN.. if you put them on separate VLANs then its your mistake...
> When devices are capable of traversing networks they can communicate on Layer 3 as long as proper Firewall and Routing configurations are made...
>
> So as my previous example, if you lets say you want to connect on a MikroTIK device with MAC and not IP and that MikroTik device is on a different VLAN than the one you are you won't even see it in your neighbors because MNDP ( MikroTIK neighbor discovery protocol ) works on Layer 2, so you can only see devices in the same broadcast domain...
> So if you think you can still do it then its not a Network problem but a wrong approach...

I'm not sure what you wrote has anything to do with the topic of the 1st post.
If you don't have something to say in response to the topic's question, that's totally OK.

Just in case, Cisco's guide for CC deployments https://www.cisco.com/c/en/us/td/docs/w ... tDG76.html - works across VLANs; nobody says they must stay in the same VLAN and that the approach of placing them into different ones is wrong. But, as we're on MikroTik, let's try to stick to the original question - What are the downsides of using pure firewall-based separation for "guest" wifi devices compared to VLAN? Performance, severe security issues, ...? (for a home/homelab user)
Last edited by iScape on Sat Dec 11, 2021 10:03 pm, edited 1 time in total.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 9:55 pm

> > No, its exactly like that...
> > When devices work or must work or depend on the layer's 2 functionality they must be on the same VLAN.. if you put them on separate VLANs then its your mistake...
> > When devices are capable of traversing networks they can communicate on Layer 3 as long as proper Firewall and Routing configurations are made...
> >
> > So as my previous example, if you lets say you want to connect on a MikroTIK device with MAC and not IP and that MikroTik device is on a different VLAN than the one you are you won't even see it in your neighbors because MNDP ( MikroTIK neighbor discovery protocol ) works on Layer 2, so you can only see devices in the same broadcast domain...
> > So if you think you can still do it then its not a Network problem but a wrong approach...
>
> I'm not sure what you wrote has anything to do with the topic of the 1st post.
> If you don't have something to say in response to topic's question, that's totally OK.

That was an answer to your post #6.. Sorry, I did not know that I should ignore the latter...

Since you know better, that is fine with me; I hope you can make it work...
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 10:57 pm

For any MT wifi device, use the access list to stop devices on the same WLAN from seeing each other.
Only three entries required: 1. identify the WLAN; 2. ENSURE the check box IS checked for Authentication; 3. ENSURE the check box is NOT selected for Forwarding.
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 11:21 pm

> If and when you elect to use MT equipment and MT guides, i can provide further assistance but for now will pass on the Crisco luvin op.

The reference to Cisco was to emphasize that business considers "CC in a separate VLAN" a quite valid case (otherwise they wouldn't bother) and such a design is valid (and kind of natural), but, unfortunately, MikroTik requires the helping hand of an avahi reflector (or similar) to get it running. One just needs to be aware of it. Thanks, you've also added Sonos to the list of "no go" for VLANs if one wants to keep "non-trusted" devices separately.
As for "If and when you elect to use MT equipment and MT guides" - long-time MT "home" user, currently running hEX PoE + wAP ac running in "VLAN per SSID" mode. Planning to switch to Audience once I finish my tests with an external LTE antenna to ensure the R11e-LTE6 is not garbage by itself (compared to cheap mobile LTE CAT6 routers from Alcatel).

If you have any knowledge to share about the original question, which is "what are the downsides of using pure firewall-based separation for "guest" wifi devices compared to VLAN" (for a home/homelab user), you're welcome!
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 11:25 pm

> For any MT wifi device, use the access list to stop devices on the same WLAN from seeing each other
> Only three entries required, 1 - identify the WLAN 2. ENSURE check box is checked for Authentication 3. ENSURE check box is NOT selected for Forwarding.

ok, so then I'll be able to "fwd" it in FW, right? cool then, tnx!
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 11:31 pm

> > For any MT wifi device, use the access list to stop devices on the same WLAN from seeing each other
> > Only three entries required, 1 - identify the WLAN 2. ENSURE check box is checked for Authentication 3. ENSURE check box is NOT selected for Forwarding.
>
> ok, so then I'll be able to "fwd" it in FW, right? cool then, tnx!

Don't be confused: there are two forward and authenticate settings. The ones on the MAIN TAB of wireless settings are not the ones I am talking about.
The ones I am talking about are found under the ACCESS LIST tab.
If you decide to create a rule and identify an interface you can
set authentication checked
set forwarding checked
(basically you have not changed the default behavior and probably don't need to create such a rule)

OR you can
set authentication checked
set forwarding to NOT checked
(Now you are stopping wifi clients on that WLAN from seeing/talking to each other).
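The access-list entry described above, as an added RouterOS example (not anav's own configuration; the interface name wlan-guest and the legacy wireless package are assumptions), together with the print commands a defender would use to confirm the setting actually took effect.

```routeros
# Added example (not from the thread). Assumes the legacy /interface wireless
# package and a guest WLAN interface named wlan-guest; adjust the name.

/interface wireless access-list
# One entry for the guest WLAN: accept clients (authentication=yes) but do
# not let the AP relay frames between them (forwarding=no). Client traffic
# still reaches the router, where the IP firewall decides what it may do.
add interface=wlan-guest authentication=yes forwarding=no \
    comment="guest WLAN: client isolation on the AP"

# The interface-level defaults apply to any client that no access-list
# entry matches. Set them the same way so a missing or mistyped entry
# fails closed instead of silently allowing client-to-client traffic.
/interface wireless set wlan-guest default-authentication=yes default-forwarding=no

# Verify: forwarding must read "no" on both the entry and the interface.
/interface wireless access-list print detail where interface=wlan-guest
/interface wireless print detail where name=wlan-guest

# Verify from the client side: two stations on wlan-guest should fail to
# ping each other while both still reach the router's own address.
/interface wireless registration-table print where interface=wlan-guest
```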
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Sat Dec 11, 2021 11:50 pm

> Dont be confused there are two forward and authenticate settings. The one on the MAIN TAB of wireless settings are not the ones I am talking about.
> The ones I am talking about are found under the ACCESS LIST tab.
> If you decide to create a rule and identify an interface you can
> set authentication checked
> set forwarding checked
> (basically have not changed the default behavior and probably dont need to create such a rule)
>
> OR you can
> set authentication checked
> set forwarding to NOT checked
> (Now you are stopping wifi clients on that WLAN from seeing/talking to each other).

Yep, thank you for the clarification. Coming back to your original "A. Is there a way to ensure WIFI devices/users on the same (WLAN) do not talk to each other." - does it mean that the answer is "yes, that's the way"?

If "yes, that's the way", what are the "leftover" downsides of using firewall and access-list-based separation "instead" of VLANs?
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Thu Dec 30, 2021 12:25 am

> The ones I am talking about are found under the ACCESS LIST tab.

BTW, if one is using CAPsMAN or wifiwave2, it will not be possible to find all those settings under those names.
CAPsMAN has Client To Client Forwarding (instead of Forwarding) and "action" (? instead of Authenticate).
wifiwave2 has only "action" (? instead of Authenticate); I couldn't identify what stands for Forwarding/C2CF.

https://help.mikrotik.com/docs/display/ROS/WifiWave2

It's interesting whether the default is "do not forward".
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What are downsides of using pure firewall-based separation for "guest" wifi devices comparing to VLAN?

Thu Dec 30, 2021 2:20 am

I don't play with CAPsMAN; it's like adding another layer of complexity that hurts my brain.
Right now you are not alone in trying to think of ways of having Chromecast and Sonos work across VLANs, be it ZeroTier, an mDNS reflector on an RPi, or something called PIM, don't ask me.
That is for me the only issue with using VLANs.
