10 VLANs with 1 DHCP Pool

rahmatz · Thu Jan 04, 2007 5:53 am

Dear Forum Members,

I have a plan to divide my networks into 10 VLANs with only 1 DHCP Pool. The reason is to avoid trojan or worm in my networks. Have someone implement it with Mikrotik?

Thanks,

Thu Jan 04, 2007 8:27 am

You are able to create 10 VLAN interface on the single local interface.
However, I'm not sure that will protect users from "Trojans".
VLAN allows to decrease size of broadcast domain.
Probably firewall can help you to protect customers from some viruses (but it will not guarantee full 100% protection), the best way to protect customers is to educate them.

rahmatz · Thu Jan 04, 2007 10:18 am

Hi Sergejs,

Thanks for your reply,

I create 10 VLAN to decrease size of broadcast domain, based on quantity of the switches. If I add new switch, then I will create new VLAN.

The question is, could I use only one DHCP Pool, so i don't need to add new DHCP pool if I add new VLAN or new switches.

rahmatz · Thu Jan 04, 2007 10:34 am

BTW,

Is Mikrotik support VLAN Tagging?

Thanks

rahmatz · Thu Jan 04, 2007 10:42 am

Thanks

sten · Thu Jan 04, 2007 7:00 pm

you could bridge the 10 vlans and setup the dhcp-server on the bridge interface. you'd need to add a drop all rule in bridge firewall forward chain.

tneumann · Thu Jan 04, 2007 7:15 pm

you could bridge the 10 vlans and setup the dhcp-server on the bridge interface. you'd need to add a drop all rule in bridge firewall forward chain.

Yep, exactly. I'm running such a setup with a hotspot on the bridge interface and it works beautifully to prohibit direct client-to-client communication between two hotspot users that are associated to different access points (I'm running one VLAN to each AP, within the same AP default-forwarding=no handles this, of course).

--Tom

rahmatz · Fri Jan 05, 2007 10:32 am

Dear Sten and Tneumann,

Thanks for your information. Right now my 10 VLAN client can get IP Address from 1 DHCP Pool. But there is a new problem. When they try to access to internet, the Microtic doesn't redirect them to username and password page. The clients also can't ping to the gateway.

What should i do to enable them to access the internet?

Thanks,

sten · Fri Jan 05, 2007 9:35 pm

Dear Sten and Tneumann,

Thanks for your information. Right now my 10 VLAN client can get IP Address from 1 DHCP Pool. But there is a new problem. When they try to access to internet, the Microtic doesn't redirect them to username and password page. The clients also can't ping to the gateway.

What should i do to enable them to access the internet?

Thanks,

Put the gateway ip, hotspot and dhcpserver on bridge interface.

changeip · Sun Jan 07, 2007 6:29 pm

isn't adding 10 vlans into a bridge the same thing as not using vlans? Why VLAN if you are just going to bridge them back to a single port? Seems backwards but maybe I am missing something.

Are you giving each client on their own vlan their own subnet range? I think you can use the dhcp relay agent for that, one dhcp server that servers many subnets. The DHCP server listens on the local IP on each subnet and relays it to the main server.

Sam

tneumann · Sun Jan 07, 2007 8:55 pm

isn't adding 10 vlans into a bridge the same thing as not using vlans?

Basically yes, but it gives you the ability to put layer 2 filters between the vlans. This is useful in situations where layer 2 connectivity is called for (such as for hotspot) but you would like to gain more control over the communication between different segments of the layer 2 network.

--Tom

sten · Mon Jan 08, 2007 3:42 am

isn't adding 10 vlans into a bridge the same thing as not using vlans? Why VLAN if you are just going to bridge them back to a single port? Seems backwards but maybe I am missing something.

It is kind of backwards and is not something you'd wanna do unless you have no other choice. If you drop all traffic between them the users on the different vlans can't talk to each other. The risk of sudden failure is moderate, which is usually too risky for me.

Are you giving each client on their own vlan their own subnet range? I think you can use the dhcp relay agent for that, one dhcp server that servers many subnets. The DHCP server listens on the local IP on each subnet and relays it to the main server.

That, routing between vlans, would be the better way to go about (considerably lower risk of failure). You could additionally go without relaying to further reduce risk of failure. However if you were to use ISC dhcpd then you might need to do some minor alterations to the source code to permit many interfaces.

sisw · Wed Jan 17, 2007 9:53 am

I have got configuration of mikrotik with ether1 as outside and ether2 as inside connect to switch (Tag Vlan). In interface ether2 I added vlanid 101, 102, and 103 with detail below:

VLAN Gateway IP_Address
101 10.1.1.1/30 ------ 10.1.1.2/30 User101
102 10.1.2.1/30 ------ 10.1.2.2/30 User102
103 10.1.3.1/30 ------ 10.1.2.2/30 User103

1. why user101 can access to user102 and so user103? I dont need it.
2. I need user101, user102, or user103 only access to internet.

Any suggest?

tneumann · Wed Jan 17, 2007 1:55 pm

sisw,

it is perfectly normal for a router to provide layer 3 connectivity
between it's interfaces. That's what a router is for, after all, and
that is what is happening between your VLAN interfaces.

If you want to restrict the communication between certain interfaces
you need to add firewall filter rules to the forward chain. In your
situation it will probably be most effective to base the filter
rules on combinations of in-interface and out-interface.

--Tom