Hi,
I have been studying VLANs on Mikrotik, and trying to figure out what would be the best way to go for it according to my needs, even though it is going to be for learning purpose basically at the beginning at least.
As suggested I took a look at this article:
viewtopic.php?t=143620
the "Router-Switch-AP (all in one)" part in particular, since I got a Hap Ac2 mikrotik device.
(For the record, I'm going to set my Hap ac2 up the same way as in the "Router-Switch-AP (all in one)" more or less. When I buy a second Mikrotik device, I'll set a trunk port on the HAp ac2 and plug the new Mk on it to extend my network. Of course on the second one will be set the same VLANs.)
I read this article too:
https://wiki.mikrotik.com/wiki/Manual:B ... _switching
As you can see, it also talked about such a vlan99, the management port which is not mentioned in the former post I linked above.
So, I was wondering if and/or when we real need it. Your thought, please. Thanks
Re: VLANs and MGMT VLAN
The purpose of dividing a network into VLANs is, among other things, to control the access rights of certain devices and their users via the firewall.
This also includes access to the network devices themselves, which should be set as restrictively as possible.
This also includes access to the network devices themselves, which should be set as restrictively as possible.
Re: VLANs and MGMT VLAN
So, would that be the purpose of having a Vlan 99? To set more restrictive rules to access the Mikrotik device itself? ThanksThe purpose of dividing a network into VLANs is, among other things, to control the access rights of certain devices and their users via the firewall.
This also includes access to the network devices themselves, which should be set as restrictively as possible.
Re: VLANs and MGMT VLAN
I think yes, because access to the network devices and their configuration should definitely be limited to the administrator.So, would that be the purpose of having a Vlan 99? To set more restrictive rules to access the Mikrotik device itself?
-
-
404Network
Member Candidate
- Posts: 285
- Joined:
Re: VLANs and MGMT VLAN
Yes, think of a vlan99 as the trusted subnet.
(1) In a business, that VLAN should only be accessible to the Admins. All attached smart devices should get their IPs from this vlan.
(2) In a home, the home LAN could be the trusted subnet, or it could be a subnet that the admin is on all the time (convenience). If you wanted to get really sticky with best practices, still have a vlan 99 and a managed switch at your desk and every time you want to config the router or any smart device on the network plug your ethernet cable into a different switch port to access vlan99.
The trusted subnet should be an interface list entry with appropriate interface list member(s).
Its should the only interface that can have one interface member (as interface list power is being able to combine interfaces for rules etc.).
The IP TOOLS MAC WINMAC server should also be set to this interface.
The IP neighbours discovery should be also set to this interface.
As for Vlan, correct there is no need for VLANS if the number of subnets does not exceed the number of ports, if it does, then vlans make sense. As you have noted, the other common case is if you need to send multiple subnets down a port, typically to another smart device that can read vlan tags.
+++++++++++++++++++++++++++++++++++++++++++++++++++++
If your concerned about proper vlan config and security then carry this through to the input chain rules which is access to the router. Most default configs have some variation of
add chain=input action=accept in-interface-list=LAN
This does allow all users access to commonly required services such as DNS, or even NTP, however it also allows all users (including guests) to possibly access the router.
Better is:
add chain=input action=accept in-interface-list=Manage (or BASE etc....)
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp
add chain=input action=drop comment="drop all else"
Even better is:
add chain=input action=accept in-interface-list=Manage src-address-list=authorized { narrow it further by IP addresses }
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp
add action=reject chain=input in-interface-list=LAN reject-with=icmp-admin-prohibited {useful for tracking/troubleshooting LAN issues}
add action=drop chain=input comment="drop all else"
(1) In a business, that VLAN should only be accessible to the Admins. All attached smart devices should get their IPs from this vlan.
(2) In a home, the home LAN could be the trusted subnet, or it could be a subnet that the admin is on all the time (convenience). If you wanted to get really sticky with best practices, still have a vlan 99 and a managed switch at your desk and every time you want to config the router or any smart device on the network plug your ethernet cable into a different switch port to access vlan99.
The trusted subnet should be an interface list entry with appropriate interface list member(s).
Its should the only interface that can have one interface member (as interface list power is being able to combine interfaces for rules etc.).
The IP TOOLS MAC WINMAC server should also be set to this interface.
The IP neighbours discovery should be also set to this interface.
As for Vlan, correct there is no need for VLANS if the number of subnets does not exceed the number of ports, if it does, then vlans make sense. As you have noted, the other common case is if you need to send multiple subnets down a port, typically to another smart device that can read vlan tags.
+++++++++++++++++++++++++++++++++++++++++++++++++++++
If your concerned about proper vlan config and security then carry this through to the input chain rules which is access to the router. Most default configs have some variation of
add chain=input action=accept in-interface-list=LAN
This does allow all users access to commonly required services such as DNS, or even NTP, however it also allows all users (including guests) to possibly access the router.
Better is:
add chain=input action=accept in-interface-list=Manage (or BASE etc....)
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp
add chain=input action=drop comment="drop all else"
Even better is:
add chain=input action=accept in-interface-list=Manage src-address-list=authorized { narrow it further by IP addresses }
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp
add action=reject chain=input in-interface-list=LAN reject-with=icmp-admin-prohibited {useful for tracking/troubleshooting LAN issues}
add action=drop chain=input comment="drop all else"
Re: VLANs and MGMT VLAN
thanks @404Network. Something to work on.
As I said in one of my previous threads, I actually don't need VLANs in my home LAN network. Just two subnets (a main and a guest one) would probably get the job done, and I would be happy with that eventually.
If I set up any VLANs it would be for learning purpose only now.
I'll probably go for using two subnets (I'll separate an ethernet port from the bridge and set an Ip adress..and all that jazz on it) at the beginning, then see how it works out and if it feets my needs.
The guest network is going to be allowed to access internet only, and my smart tv, which is on the same guest subnet because plugged to the same 'Not VLAN-capable' switch/AP as the guests, to access my plex server only. So, I think I'll need a few firewall rules as well.
Thanks
As I said in one of my previous threads, I actually don't need VLANs in my home LAN network. Just two subnets (a main and a guest one) would probably get the job done, and I would be happy with that eventually.
If I set up any VLANs it would be for learning purpose only now.
I'll probably go for using two subnets (I'll separate an ethernet port from the bridge and set an Ip adress..and all that jazz on it) at the beginning, then see how it works out and if it feets my needs.
The guest network is going to be allowed to access internet only, and my smart tv, which is on the same guest subnet because plugged to the same 'Not VLAN-capable' switch/AP as the guests, to access my plex server only. So, I think I'll need a few firewall rules as well.
Thanks
-
-
404Network
Member Candidate
- Posts: 285
- Joined:
Re: VLANs and MGMT VLAN
I use vlans to separate many things.
Two, work from home networks, IOT devices, media, cameras, hvac device, guests, and a few more.
Two, work from home networks, IOT devices, media, cameras, hvac device, guests, and a few more.