msp01
just joined
Topic Author
Posts: 9
Joined: Sat Oct 15, 2022 10:32 pm

home network setup help

Mon Oct 17, 2022 1:51 am

hello all

I'm a newbie to the MikroTik world and decided to jump in at the deep (very deep) end to establish a home network implementing VLANs to allow for network segregation for IoT devices, guests, etc.

Followed a mix and match of resources:
1) maybe the most useful: viewtopic.php?t=143620 -> Switch with a separate router example
2) a useful yet basic video on CAPsMAN: https://www.youtube.com/watch?v=taQ70m0DVYA

Topology wise:
HEX S router running RouterOS 6.48.6 ->
port 1->WAN
port 2-sfp1 bridged connected to switch
CSS326 switch running SwitchOS 2.13 ->
port 1 -> trunk to router
port 2 -> desktop
port 3 -> server
port 23 -> CAP ac1
port 24 -> CAP ac2

Running 4 VLANs: 10-trusted, 20-untrusted, 30-guests, 99-mgmt
Ideally what I'm after is to isolate clients on VLANs 20 and 30 such that they can talk to the internet and nobody else.
VLAN 10 should be able to access clients on 10, 20, 30 VLANs.
I've done tests and I seem to be able to accomplish my goals (from .10 I can ping .20 and .30, from .20 I can't ping anyone else, from .30 I can't ping anyone else) but I'd love some review/inputs on my config so far.

Attaching my current routerOS config and screenshots from SwitchOS config.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: home network setup help

Tue Oct 18, 2022 2:05 am

I don't see a question.

But I will ask you some.

Is there a reason you want to stay with v6 instead of upgrading to v7.4 or above on the hEX S? If you are new to ROS, I don't see any big advantage to staying with v6.48.6 (unless you know why you want to stay with v6.48.6). I would upgrade to at least v7.4, because you are using the vlan-filtering bridge, and it has gained hardware support in recent versions of v7.

You have all hEX S ports except for ether1 (your WAN port) configured in the bridge, and they are configured as trunk ports with all your vlans, which seems odd to me at least in a lab situation, where having some ports configured as access ports can be very useful for troubleshooting and learning.

Removing at least one port from the bridge and giving it its own IP subnet can also prevent you from locking yourself out as you play with the vlan-filtering bridge.

If you haven't found it, @anav has a good set of links to useful resources in his New User Pathway To Config Success thread, that's worth bookmarking.

Although your choice of MikroTik and the fact that you got something working suggests you have a technical networking background and may just be looking for MikroTik-specific info here, if you are also new to networking or VLANs, my recommendation for foundational networking info (not MikroTik specific) is Ed Harmoush's Practical Networking site, https://www.practicalnetworking.net. Ed has recently started a Networking Fundamentals course and he is putting the first module (with multiple videos) on YouTube. It's a good intro with very few assumptions about previous knowledge, and even if you think you already know this stuff, if you watch it and give it your utmost attention, you will probably get a deeper understanding than you currently have. Ed has some of the best explained info about VLANs: Virtual Local Area Networks (VLANs). See the challenge quiz if you think you understand VLANs. Ed also has a video covering the same info: VLANs – the simplest explanation. Here's an index to the VLAN pages on PracticalNetworking. And here's a good starting point for networking topics in general (don't be put off by the CCNA, this is pretty generic info that you need to know, explained in an easy to understand way): CCNA Index. You can ignore the ACL stuff, which is Cisco specific.
 
msp01
just joined
Topic Author
Posts: 9
Joined: Sat Oct 15, 2022 10:32 pm

Re: home network setup help

Tue Oct 18, 2022 3:39 pm

Thanks Buckeye! I don't have a specific question per se, I was more looking for input/review of the current setup, like your suggestion about upgrading to v7, which I will look into.
Thank you for all the references. I have a very light understanding of networking and, given a set of instructions/model, I can follow along with maybe 90% understanding, but I could not come up with the current setup on my own. Hence the post, seeking review/inputs/ideas.

I'll definitely take a look at these resources.
Thanks again
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: home network setup help

Tue Oct 18, 2022 3:48 pm

I would suggest you don't tackle too much at once.
Ditch the idea of CAPsMAN at the moment: a. because it's not essential (I used two MT cAP ac just fine without it; easy to set up, they just didn't work as well as my TP-Link EAP245s) and b. it adds a layer of complexity onto the rest of the config that quite frankly is a bad idea for new users (it also prevents a user from understanding normal MT basic wifi setup and blunts one's knowledge of VLAN usage).

Your config is at least clean, without the bloat of too many YouTube videos :-) Congrats on that.
You do have some cleanup items to work on and some errors.......
Let me know if you're interested in a capless setup.
 
msp01
just joined
Topic Author
Posts: 9
Joined: Sat Oct 15, 2022 10:32 pm

Re: home network setup help

Tue Oct 18, 2022 4:38 pm

Thanks Anav!
Yes, I'm open to exploring different alternatives, even though CAPsMAN didn't seem to be too hard to set up. But if you could share any details/suggestions on how you would go about implementing my network without CAPsMAN, I'm willing to do my side of the deal.

Well, most of the credit goes to you guys and PCUNITE's post. That was very straightforward and useful!

Now I'm curious about the cleanup and errors you mentioned.
 
msp01
just joined
Topic Author
Posts: 9
Joined: Sat Oct 15, 2022 10:32 pm

Re: home network setup help

Wed Feb 01, 2023 4:05 am

It has been a while, but I have to resuscitate this zombie.
I have a couple of questions, but let me start by laying down the topology I have in mind, the configs for each of the elements, and then my questions/concerns.

topology:
home network.jpg
hex s config:
msp-v3-hidden.rsc
switch config:
trunk port on eth1 to hex S
access ports on eth2 and 3 to desktop and server
trunk port on eth23 to CAP ac
system:
switchOS-system.png
vlan:
switchOS-VLAN.png
vlans:
switchOS-VLANs.png
CAP ac config:
msp-v4-capds-hidden.rsc
Here are my two concerns:
1) I have connectivity to home-guest wifi but cannot connect to home and home-iot.

2) I cannot Winbox into the CAP ac -> I have been trying to connect via the desktop on VLAN 10; maybe I need to connect to VLAN 99 in order for this to work? Oddly, I can connect to the hEX S Winbox on 10.0.99.1 - did I misconfigure something?
Last edited by msp01 on Wed Feb 01, 2023 4:12 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: home network setup help

Wed Feb 01, 2023 4:11 am

That's hard on my eyes.
Please provide the standard export file.

/export file=anynameyouwish ( minus router serial number and any public WANIP info )
 
msp01
just joined
Topic Author
Posts: 9
Joined: Sat Oct 15, 2022 10:32 pm

Re: home network setup help

Wed Feb 01, 2023 4:14 am

Apologies, I was experimenting with the code block. It clearly didn't work and I wasn't expecting such a quick turnaround... :)
I just edited the original post.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: home network setup help

Wed Feb 01, 2023 4:24 am

Same comment: those are not the export files...... those are pcunite's way of breaking down and explaining how to use VLANs, and ur killin me LOL.
/export file=anynameyouwish (minus device serial # and any public WANIP information )

for both hex and capac................ ( getting late here so tomorrow )
 
msp01
just joined
Topic Author
Posts: 9
Joined: Sat Oct 15, 2022 10:32 pm

Re: home network setup help

Wed Feb 01, 2023 8:50 pm

there you go...
to_anav_with_love-hex-config.rsc
to_anav_with_love-capac-config.rsc
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: home network setup help

Wed Feb 01, 2023 9:20 pm

CAPAC

(1) Remove PVID this is a trunk port !!
/interface bridge port
add bridge=cap_bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=99

(2) /ip neighbor discovery-settings
set discover-interface-list=MGMT_LIST

(3) Add
/tool mac-server mac-winbox
set allowed-interface-list=MGMT_LIST
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: home network setup help

Wed Feb 01, 2023 9:25 pm

HEX

(1)What have you really accomplished with these rules......... ?? Nothing getting in the way of functionality, just not best practice.........figure it out :-)

add action=accept chain=input comment="Allow VLANs to access router services" \
in-interface-list=MGMT_LIST
add action=accept chain=input in-interface-list=TRUSTED_LIST
add action=accept chain=input in-interface-list=UNTRUSTED_LIST


(2) /tool mac-server
set allowed-interface-list=NONE { not a secure method so should not be used }
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: home network setup help

Wed Feb 01, 2023 10:26 pm

Your arrangement is similar to mine, with a router being used just as a router (or at least primarily) and the switch doing the switch functions - but I'm using an RB4011 router.
A couple of comments on the SwitchOS part. It appears that port 1 is the router trunk, ports 2 & 3 are your local PC and server, and ports 23, 24 & SFP1 are trunk ports, likely to APs.
1) Name the ports. Although it looks like you are only using 6 ports on a 26-port switch (I have 4 of those at home), the more ports being used, the easier it is to forget what is where and make a mistake.
2) On your trunk port, change VLAN receive mode to only tagged, and my preference is to use a dummy Default VLAN ID - I generally use 980 + port number, so port one would be VLAN 981. I recommend not using 1 because too many devices want to use 1 and you can end up with things talking where you do not expect them to.
3) You have what I think are the trunks to the APs set up with your management VLAN as untagged. That may not be what you want. Yes, that may depend on how your APs function. If the APs function with all SSIDs as VLANs and untagged traffic for management of the AP, then this likely is correct.
4) You are allowing management access on every port of the switch. Not likely a good security plan.

That's enough for now...
 
msp01
just joined
Topic Author
Posts: 9
Joined: Sat Oct 15, 2022 10:32 pm

Re: home network setup help

Thu Feb 02, 2023 5:44 am

Excellent!

Thanks Anav and k6ccc for the valuable inputs.

@anav - I find that without those 3 rules I don't get internet connectivity... is this not expected?
The next issue I'm having: I can connect to all 3 SSIDs and have full internet connectivity, but one interesting behavior I'm seeing is this: having shared folders on the notebook (SSID home/VLAN 10) and on the desktop (VLAN 10 via switch port 2), I can access the notebook's share via the desktop but I can't access the desktop's share via the notebook. Do I need to disable local_forwarding? How do I do this with this config?

@k6ccc - so far I have not put this hardware into action, I have it sitting in my office and have been trying to figure out this puzzle for a while now... but naming the ports seems like a very sensible approach to keeping things organized. You guessed the port usage correctly, and the untagged VLAN 99 on port 23 was preventing me from accessing the CAP remotely. All set now!

My next question to both would be: I want to set up another CAP on port 24 on the switch, the plan being to have 1 CAP upstairs and 1 downstairs and have clients hover from one to the other.
What are the suggested steps to achieve this?
On the CAP I suppose I need to set specific rules regarding when to let a client go depending on signal strength?
On the switch, do I need to mirror traffic between ports?
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: home network setup help

Thu Feb 02, 2023 9:55 am

On the switch, do I need to mirror traffic between ports?
If you are talking about the checkbox in the column under Mirror, that is to allow you to see traffic on that port from a single designated port, where you would have a device capturing traffic for analysis. So unless that is what you want to do, you would not use the Mirror feature.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: home network setup help

Thu Feb 02, 2023 3:25 pm

msp01, your first question is so vague: which three rules? Which user cannot get internet..... etc. If you have issues you need to spend more energy describing them fully.
As for two devices on the same VLAN, correct, they should be able to see each other.
However you are talking about two PCs, which often have their own firewalls on the PCs. There is nothing stopping traffic from the MT side of the house for two devices on the same VLAN.
 
msp01
just joined
Topic Author
Posts: 9
Joined: Sat Oct 15, 2022 10:32 pm

Re: home network setup help

Thu Feb 02, 2023 4:28 pm

Sorry, I thought it would be clear since you only mentioned rules once, but here it is...
(1)What have you really accomplished with these rules......... ?? Nothing getting in the way of functionality, just not best practice.........figure it out :-)

add action=accept chain=input comment="Allow VLANs to access router services" \
in-interface-list=MGMT_LIST
add action=accept chain=input in-interface-list=TRUSTED_LIST
add action=accept chain=input in-interface-list=UNTRUSTED_LIST
I find that without these rules, I don't have internet connectivity.

Regarding devices on the same VLAN being able to 'see' each other, I will do some tests later today and revert back.

Regarding having 2 cAP acs set up and having clients roaming between devices, any suggestions/pointers?

thx
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: home network setup help

Thu Feb 02, 2023 5:03 pm

cAP ac are not devices that facilitate roaming to any great extent. The features you are looking for are found on much newer access points, and I do not believe they are actually fully implemented on the newest ax3 devices, but perhaps someone can better speak to that part of your question. I should add that roaming is more a function of the device being used (aka your smartphone) than it is of the access point!

The reason I asked the internet question is because the input chain rule has nothing to do with internet access!!
It's important you understand that the input chain is SOLELY traffic TO the router for SERVICES from the router.
Typically one has LAN to ROUTER traffic and WAN to router traffic (the output chain is advanced usage).
Examples: users need DNS from the router, and an incoming VPN connection needs to access router VPN services.

The forward chain, which is traffic through the router (WAN to LAN, LAN to LAN, LAN to WAN), is where we allow LAN to WAN traffic.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN


If you are not getting internet when you modify the rules noted, it means your users are not able to access DNS services, which is a necessary step to get out to the internet.
Therefore it makes sense that you don't LOL.

However I never said to remove them; I asked you to look at them, make sense of them and come to the realization of what you have missed!
What you should have noticed is that

add action=accept chain=input comment="Allow VLANs to access router services" \
in-interface-list=MGMT_LIST
add action=accept chain=input in-interface-list=TRUSTED_LIST
add action=accept chain=input in-interface-list=UNTRUSTED_LIST


what you have effectively done here is allow WHO full access to the router..................... Every stinking soul.
/interface list member
add interface=ether1 list=WAN_LIST
add interface=MGMT list=MGMT_LIST
add interface=MGMT list=TRUSTED_LIST
add interface=MGMT list=UNTRUSTED_LIST
add interface=TRUSTED list=TRUSTED_LIST
add interface=UNTRUSTED list=UNTRUSTED_LIST
add interface=GUEST list=UNTRUSTED_LIST
add interface=ether5-access list=MGMT_LIST


YOUR LISTS NEED WORK!

Interface lists are optimal for two or more subnets that will have common firewall rules...........
An interface list with a single subnet is the exception and is for the single subnet that is trusted, usually the management VLAN, but if one does not have a dedicated management VLAN then a trusted VLAN. You have both trusted and management, which is very confusing..............

In other words, the trusted subnet is one where the admin normally resides to do all his/her work. It's not clear what you are doing LOL.
I will assume you have created a management interface with an ether port available on the router for you to plug into at any time, or on a managed switch on your desk.
I will assume you are normally plugged into the trusted LAN.

Recommend: keep the management VLAN, and it should be the only member of the MANAGEMENT interface list.

If you, as admin, are not normally on the MGMT VLAN but are on the TRUSTED VLAN, then simply make a firewall rule giving you access....
add action=accept chain=forward in-interface=TRUSTED out-interface=MGMT src-address=adminIPaddress

add interface=ether1 list=WAN_LIST
add interface=MGMT list=MGMT_LIST
add interface=MGMT list=LAN_LIST
add interface=TRUSTED list=LAN_LIST
add interface=UNTRUSTED list=LAN_LIST
add interface=GUEST list=LAN_LIST
add interface=UNTRUSTED list=UNTRUSTED_LIST
add interface=GUEST list=UNTRUSTED_LIST


As far as your firewall rules go.........
add action=accept chain=input in-interface-list=MGMT_LIST { access to router for config if connected to isolated management vlan }
add action=accept chain=input in-interface=TRUSTED src-address=AdminIP { access to config from Trusted vlan but only from admin IP }
add action=accept chain=input in-interface-list=LAN_LIST dst-port=53 protocol=tcp { access to needed services by all: DNS over TCP }
add action=accept chain=input in-interface-list=LAN_LIST dst-port=53,123 protocol=udp { access to needed services by all: DNS and NTP over UDP }


In terms of your forward chain, your rules are convoluted..........
add action=accept chain=forward comment="Internet Access" connection-state=\
new in-interface-list=TRUSTED_LIST out-interface-list=WAN_LIST
add action=accept chain=forward connection-state=new in-interface-list=\
UNTRUSTED_LIST out-interface-list=WAN_LIST
add action=accept chain=forward comment="Allow MGMT -> All VLANs" \
connection-state=new in-interface-list=MGMT_LIST out-interface-list=\
WAN_LIST
add action=accept chain=forward comment="Allow TRUSTED in -> UNTRUSTED out" \
connection-state=new in-interface-list=TRUSTED_LIST out-interface-list=\
UNTRUSTED_LIST


Much clearer...
add action=accept chain=forward comment="Internet Access" in-interface-list=LAN_LIST out-interface-list=WAN_LIST

As for trusted to untrusted......... it's a bit vague for me to comment.
Do you have users on the normal LAN (trusted subnet) that need access to the untrusted or guest network, and if so for what purposes?
I am trying to ascertain if it's only the admin that needs access or if there is a common device on the guest or untrusted network people need access to.

Further, within the untrusted subnets, do guest users need access to untrusted, or vice versa, do untrusted need access to guest users................
Last edited by anav on Thu Feb 02, 2023 5:39 pm, edited 1 time in total.
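As an added illustration of anav's point about the lists (not code from the thread or from MikroTik), the following Python audit parses the `/interface list member` and input-chain lines of an export, expands each list, and reports which interfaces can reach which router services; the function names, the constructed excerpts and the admin address 10.0.10.50 are my own assumptions.

```python
import re
import shlex

# Constructed excerpt of the export quoted in the thread: every VLAN lands in a
# list that has an unrestricted input-chain accept rule.
ORIGINAL = """/interface list member
add interface=ether1 list=WAN_LIST
add interface=MGMT list=MGMT_LIST
add interface=MGMT list=TRUSTED_LIST
add interface=MGMT list=UNTRUSTED_LIST
add interface=TRUSTED list=TRUSTED_LIST
add interface=UNTRUSTED list=UNTRUSTED_LIST
add interface=GUEST list=UNTRUSTED_LIST
add interface=ether5-access list=MGMT_LIST
/ip firewall filter
add action=accept chain=input comment="Allow VLANs to access router services" \\
    in-interface-list=MGMT_LIST
add action=accept chain=input in-interface-list=TRUSTED_LIST
add action=accept chain=input in-interface-list=UNTRUSTED_LIST
"""

# Constructed version of the lists and input rules anav recommends instead.
# 10.0.10.50 stands in for the admin's address (assumed, not from the thread).
RECOMMENDED = """/interface list member
add interface=ether1 list=WAN_LIST
add interface=MGMT list=MGMT_LIST
add interface=MGMT list=LAN_LIST
add interface=TRUSTED list=LAN_LIST
add interface=UNTRUSTED list=LAN_LIST
add interface=GUEST list=LAN_LIST
/ip firewall filter
add action=accept chain=input in-interface-list=MGMT_LIST
add action=accept chain=input in-interface=TRUSTED src-address=10.0.10.50
add action=accept chain=input in-interface-list=LAN_LIST dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN_LIST dst-port=53,123 protocol=udp
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for 'add' lines, joining '\\' continuations."""
    sections, section = {}, None
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
        elif line.startswith("add "):
            words = shlex.split(line)[1:]  # shlex keeps quoted comment values whole
            sections[section].append(dict(w.split("=", 1) for w in words))
    return sections

def input_exposure(text):
    """Map each interface to the router services the input chain accepts from it."""
    cfg, members, exposure = parse_export(text), {}, {}
    for m in cfg.get("/interface list member", []):
        members.setdefault(m["list"], set()).add(m["interface"])
    for rule in cfg.get("/ip firewall filter", []):
        if rule.get("chain") != "input" or rule.get("action") != "accept":
            continue
        # Expand the interface list (or the single interface) the rule matches on.
        ifaces = members.get(rule.get("in-interface-list"), set()) | {rule.get("in-interface")} - {None}
        what = f"{rule.get('protocol', 'any')}/{rule['dst-port']}" if "dst-port" in rule else "ALL services"
        if "src-address" in rule:
            what += f" (only from {rule['src-address']})"
        for iface in ifaces:
            exposure.setdefault(iface, set()).add(what)
    return exposure

def wide_open(text):
    """Interfaces from which any host may reach every router service."""
    return sorted(i for i, s in input_exposure(text).items() if "ALL services" in s)
```

Running `wide_open(ORIGINAL)` lists every LAN interface, guests included, while `wide_open(RECOMMENDED)` lists only MGMT, which is the difference anav is pointing at.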
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: home network setup help

Thu Feb 02, 2023 5:17 pm

Some useful posting guidelines: Getting Answers and How to Report Bugs Effectively (pay attention to the last 2 paragraphs).
Even though those were not written specifically for networking questions, the principles apply.
