Jabbery

new to Mikrotik - need some config suggestions

Thu Apr 14, 2022 1:14 pm

Hello,
I am converting my home / business internet system to a more managed system due to the number of devices that are being added all to a single subnet being now difficult to manage. I think I have a good portion worked out but I want to be sure I set it up correctly and don't get backed into corners.

The image uploaded is the general layout currently with unmanaged switches.
WAN network
Lan1 Network - jumble of everything including Wifi
Lan2 Network - security

The image also shows the new:
Switch A will be replaced by a CRS125-24G-1S-2HnD-IN (Wifi disabled). It is simply a device to measure bandwidth, no routing. Switch A has ports ether1-6 on bridge1 isolated. ether24/vlan-254 for management.
Switch B CRS-326-24G-2S+RM - will have all the Vlan's some to dedicated ports and trunks.
Switch D CSS326-24G-2S+RM - office switch, Wifi Zone2 connected, multiple unmanaged switches to hardwired devices on different Vlans.

I am having trouble with the Management interface on Switch A, I of course do not want the public facing to have access which is ethernet1-6. Do I connect a patch cord from Switch B port to Switch A port 24 for management? Old school tells me no but I need snmp access for traffic monitoring.
I think, although not configured and working yet, Switch B is fairly straightforward other than if I use a port to connect the WAN side to the LAN side.

Switch B port Layout
SFP-1 - Server 1 all VLans
SFP-2 - Backbone to Switch D (CSS326)
ether1/2 - Bonded to Server 2 all Vlan's
ether3/4 - Bonded to Server 3 all Vlan's
ether5 - Connected unmanaged switch - untagged Vlan-100
ether6 - Connected unmanaged POE switch - Camera's - Untagged Vlan-10
ether7 - Wifi - Trunk - Vlan-40/50/60 to connected Ubiquiti AP Zone 1
ether8 - ??? Backup management port untagged vlan-254
ether9 - untagged vlan-20 (unmanaged switch future)
ether10 - untagged vlan-30 (unmanaged switch future)
ether11 - untagged vlan-70 (unmanaged switch future)

Possibly putting the WAN 6 ports here and not use the CRS125.
Most vlans do not need to broadcast across each other, access via routing is all that is needed. Routing is handled by the Ubuntu servers. I'm not sure if a bridge is needed as I think that mostly allows broadcasting across vlan's.

I have not done a port map for Switch D, fairly straightforward. Two Trunk lines (Backbone, Wifi) and access ports.

Below is the switch A config. I do not yet have switch B config. I also do not know if I need any filtering/firewall to deal with the WAN/LAN connection or if isolation is enough.
# CRS125-24G-1S-2HnD-IN WAN config
# jan/02/1970 00:52:07 by RouterOS 6.49.5
# software id = 012R-89P1
#
# model = CRS125-24G-1S-2HnD
# serial number = XXXXXXXXXXXXXXXXXXXXX
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] country=canada distance=indoors ssid=MikroTik
/interface vlan
add interface=ether24 name=vlan-254 vlan-id=254
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether\
    7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,\
    ether21,ether22,ether23,ether24,sfp1"
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys \
    supplicant-identity=SSIDXXXX wpa2-pre-shared-key=XXXXXXXXXXXXXX
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 untagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=1
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=254 ports=ether24
/interface ethernet switch port-isolation
add ports=ether1,ether2,ether3,ether4,ether5,ether6 vlan-profile=isolated
/interface ethernet switch vlan
add ports=ether24,switch1-cpu vlan-id=254
/ip address
add address=192.168.100.4/24 interface=vlan-254 network=192.168.100.0


Thanks for any help and suggestions.
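
An added example, not part of the original post: a small Python check that reads a RouterOS `/export` like the one above and reports whether the management IP or management VLAN touches the public-side bridge ports, and whether MAC-layer management is still at its default. It assumes sections missing from the export are at RouterOS defaults; the function names and the trimmed sample export are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the relevant sections of the export above.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface ethernet switch vlan
add ports=ether24,switch1-cpu vlan-id=254
/ip address
add address=192.168.100.4/24 interface=vlan-254 network=192.168.100.0
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for a RouterOS /export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line and not line.startswith("#") and current is not None:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return sections

def audit(text, public_bridge="bridge1", mgmt_vlan="254"):
    """List ways the management plane is reachable from the public-side ports."""
    s = parse_export(text)
    public = {p["interface"] for p in s.get("/interface bridge port", [])
              if p.get("bridge") == public_bridge}
    exposed = public | {public_bridge}
    findings = []
    for a in s.get("/ip address", []):
        if a.get("interface") in exposed:
            findings.append(f"IP {a['address']} is bound to public-side {a['interface']}")
    for v in s.get("/interface ethernet switch vlan", []):
        shared = public & set(v.get("ports", "").split(","))
        if v.get("vlan-id") == mgmt_vlan and shared:
            findings.append(f"management VLAN {mgmt_vlan} includes public ports {sorted(shared)}")
    # Assumption: a section absent from the export is at its default (all interfaces).
    for sec in ("/tool mac-server", "/tool mac-server mac-winbox"):
        if not any("allowed-interface-list" in e for e in s.get(sec, [])):
            findings.append(f"{sec}: allowed-interface-list not set, default applies")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

On the sample it reports only the two MAC-server items, since the IP address sits on vlan-254 and the VLAN 254 membership is limited to ether24 and the switch CPU.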