 
Lesani
just joined
Topic Author
Posts: 14
Joined: Sun Jan 23, 2022 1:44 pm

New Home Setup Router+Switch+cAP+VLANs

Mon Feb 26, 2024 10:42 pm

Hi!

I have an existing home setup with a single CRS, 3 bridges and CAPsMAN set up with separate DHCPs to segregate 3 different networks. Since my CRS regularly has hiccups and the only answer I got was that it's too weak for what I ask of it, I have bought a RB5009 as my main router.

I am now in front of the daunting task of setting up the network, and since I now have 2 devices I have to set up VLANs. Having watched a few videos I am still no closer in how to best set up my devices.

Here is a rough network map:
[Image: rough network map]

mermaid diagram link

I am unsure how to connect my cAPs (the AX is not yet existent, but planned. When it arrives, Internal will get the additional 6 GHz WiFi).
I probably need to connect them through my CRS326, at least the AX since the RB5009 only has 2.5Ghz ports?

How do I configure the different ports? As far as I understood, on the CRS I need to configure all ports with respective "VLAN tagging"?

Additionally I have another qsfpplus to my PC, currently not connected because my current mainboard doesn't have the necessary PCIE, but the next PC will have qsfpplus1 connected to the PC with 40G, so that needs to go through CRS326 only, without packages routed through the RB5009 which would represent a bottleneck at 10G speed?

Any MikroTik experts that can give me some configuration help or point me to the right videos that cover a situation such as mine? I am typically using the GUI but am not afraid of the terminal.

thanks in advance!
 
gigabyte091
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New Home Setup Router+Switch+cAP+VLANs

Tue Feb 27, 2024 7:50 am

Hello, did you try to do some configuration yourself? If yes, can you post it here?

Also, no need to use bridge for every network. One bridge is enough. How many VLANs do you need? From WiFi diagram I presume 3 at least?

Be aware, cAP ax doesn't have 6 GHz radio!!
 
Lesani
just joined
Topic Author
Posts: 14
Joined: Sun Jan 23, 2022 1:44 pm

Re: New Home Setup Router+Switch+cAP+VLANs

Tue Feb 27, 2024 9:32 am

gigabyte091 wrote: Hello, did you try to do some configuration yourself? If yes, can you post it here?
I have gotten as far as this on my RB, but my Windows computer, connected to ether3, does not get an IP address, unless I modify the DHCP_internal to be interface=bridge1 and assign /ip address 10.0.0.0 to bridge1...
/interface bridge
add name=bridge1

/interface vlan
add interface=bridge1 name=VLAN10-Internal vlan-id=10
add interface=bridge1 name=VLAN20-IoT vlan-id=20
add interface=bridge1 name=VLAN30-Guest vlan-id=30

/interface list
add name=WAN
add name=LAN

/ip pool
add name=pool_internal ranges=10.0.0.2-10.0.0.254
add name=pool_iot ranges=192.168.1.2-192.168.1.254
add name=pool_guest ranges=192.168.99.2-192.168.99.254

/ip dhcp-server
add address-pool=pool_internal interface=VLAN10-Internal name=dhcp_internal
add address-pool=pool_iot interface=VLAN20-IoT name=dhcp_iot
add address-pool=pool_guest interface=VLAN30-Guest name=dhcp_guest

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp-sfpplus1

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge1 tagged=bridge1 vlan-ids=20
add bridge=bridge1 tagged=bridge1 vlan-ids=30

/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN

/ip address
add address=192.168.1.1/24 interface=VLAN20-IoT network=192.168.1.0
add address=192.168.99.1/24 interface=VLAN30-Guest network=192.168.99.0
add address=10.0.0.1/24 interface=VLAN10-Internal network=10.0.0.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.99.0/24 gateway=192.168.99.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
gigabyte091 wrote: Also, no need to use bridge for every network. One bridge is enough. How many VLANs do you need? From WiFi diagram I presume 3 at least?
Correct, I'd like to have the 3 VLANs, 10 Internal, 20 Guest, 30 IoT. There will be some crosstalk of my homeassistant on internal that needs to communicate to some IoT devices, but that is for later, first get the basics working ;)
gigabyte091 wrote: Be aware, cAP ax doesn't have 6 GHz radio!!
Sorry, that was just an example, I am waiting for a wifi7 (yes probably a long wait looking back at wifi6) AP
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: New Home Setup Router+Switch+cAP+VLANs

Tue Feb 27, 2024 1:41 pm

viewtopic.php?t=143620 ( for the 5009 )

viewtopic.php?t=204967 Look at this example of ap/switch and (router for that matter) AND THE CORRECTIONs,

ps.. mermaid looks nice, but not free. :-(
 
Lesani
just joined
Topic Author
Posts: 14
Joined: Sun Jan 23, 2022 1:44 pm

Re: New Home Setup Router+Switch+cAP+VLANs

Wed Feb 28, 2024 1:33 am

Thanks,
viewtopic.php?t=143620
This and the examples given there were all I needed, a little bit of adaptation for my situation and my interfaces, and all 3 devices are working now.
This post should have turned up much higher in VLAN searches, I did not see this one.

ps: mermaid the way I used it is free - you can create a diagram with an (editable) link any time without even logins
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: New Home Setup Router+Switch+cAP+VLANs

Wed Feb 28, 2024 2:59 am

Nice thanks for the tip as well!! Glad it worked out for you!!
 
Lesani
just joined
Topic Author
Posts: 14
Joined: Sun Jan 23, 2022 1:44 pm

Re: New Home Setup Router+Switch+cAP+VLANs

Wed Mar 06, 2024 11:20 pm

I am not struggling with port forwarding...

I am behind my ISP modem, my router has WAN address 192.168.0.5.
My modem has port 8123 forwarded to the router's IP.
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=accept chain=forward connection-state=new dst-port=8123 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8123 in-interface=ether1 log=yes protocol=tcp to-addresses=10.0.10.51
I have logging enabled on the NAT rule, and can see the packets ticking up when I try to access my public IP:8123 (from e.g. my phone on 5G, not on my wifi).

The messages shown in the log are:
dstnat: in:ether1 out:(unknown 0), connection-state:new src-mac **mac**, proto TCP (SYN), **some IP**:58645->192.168.0.5:8123, len 60
The requesting IP constantly changes (whatever my phone is assigned to at that moment).
By watching the log I can confirm that it is my phone producing those log entries, not something random.

My destination is on VLAN_INTERNAL
I have tried changing the order of my NAT rules
I have tried adding 8123 as an allowed "input" chain action "accept" on my filters

nothing I have tried has changed the behaviour
 
mszru
Frequent Visitor
Posts: 79
Joined: Wed Aug 10, 2016 10:42 am

Re: New Home Setup Router+Switch+cAP+VLANs

Thu Mar 07, 2024 12:24 am

Hi,

Filter and NAT rules are executed from top to bottom and your "accept" rule for dst-port 8123 will never be executed because of the preceding "drop" rule.
Try swapping the rules:
/ip firewall filter
...
add action=accept chain=forward connection-state=new dst-port=8123 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment=Drop
 
Lesani
just joined
Topic Author
Posts: 14
Joined: Sun Jan 23, 2022 1:44 pm

Re: New Home Setup Router+Switch+cAP+VLANs

Thu Mar 07, 2024 1:06 am

I could have sworn I tried that.... anyway thanks, it works now.
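
The rule-ordering problem resolved in the last posts above, as an added example that is not part of the original thread: a small first-match evaluator over the posted forward-chain rules that reports which rule decides the phone's SYN and flags rules hidden behind a catch-all. The matcher is a simplified equality check, not RouterOS's own matching, and the function names and the packet's field values are assumptions made for illustration.

```python
import shlex

# Constructed sample: the forward-chain rules from the post, in the posted order.
POSTED = '''
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=accept chain=forward connection-state=new dst-port=8123 in-interface=ether1 protocol=tcp
'''
# Constructed packet: the phone's SYN after dst-nat (field values are assumptions).
PHONE_SYN = {"connection-state": "new", "protocol": "tcp", "dst-port": "8123",
             "in-interface": "ether1", "in-interface-list": "WAN"}
META = {"action", "chain", "comment", "log"}  # keys that are not match conditions

def parse(text):
    """Turn 'add key=value ...' lines into dicts, keeping rule order."""
    return [dict(t.split("=", 1) for t in shlex.split(l)[1:]) for l in text.strip().splitlines()]

def is_catch_all(rule):  # terminal action with no match conditions at all
    return rule["action"] in ("accept", "drop") and not set(rule) - META
def matches(rule, pkt):  # simplified: each condition must list the packet's value
    return all(pkt.get(k) in v.split(",") for k, v in rule.items() if k not in META)

def first_match(rules, pkt, chain="forward"):
    """Index and action of the first matching rule (no match: default accept)."""
    for i, r in enumerate(rules):
        if r["chain"] == chain and matches(r, pkt):
            return i, r["action"]
    return None, "accept"

def shadowed(rules):
    """Indexes of rules that follow a catch-all rule in the same chain."""
    closed, out = set(), []
    for i, r in enumerate(rules):
        if r["chain"] in closed:
            out.append(i)
        elif is_catch_all(r):
            closed.add(r["chain"])
    return out

def reorder(rules):
    """Move each shadowed rule directly ahead of its chain's catch-all."""
    bad = shadowed(rules)
    out = [r for i, r in enumerate(rules) if i not in bad]
    for i in bad:
        stop = next(j for j, r in enumerate(out) if r["chain"] == rules[i]["chain"] and is_catch_all(r))
        out.insert(stop, rules[i])
    return out
```

Running `shadowed()` over an exported rule set before applying it catches any rule that sits below an unconditional drop. RouterOS also offers the `connection-nat-state=dstnat` matcher, which lets a single forward rule above the drop admit only traffic that a dst-nat rule has actually translated.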
