Losing hair over Wifi Vlans (Hap AC2)
Posted: Thu Sep 06, 2018 10:14 pm
Hi all.
So, just got my new Hap AC2 today, and it's my first proper router (and my first Mikrotik). So, naturally this is all very new to me. I spent most of the time between purchase and the device arriving (3 days) planning and reading about how to set up the things I wanted/needed.
My home network consists of:
One server with multiple dockers
Some Raspberries running different things (Volumio, RetroPie, etc)
"User Devices" (Laptop, mobile phones, etc)
Chromecast and "Smart"-TV
I purchased some Xiaomi Smart Home devices (Zigbee and Wifi) and a Zigbee usb-stick which will be arriving in some time.
Now, my plan is to segment my devices in VLANs, but I'm having trouble finding (or discovering) how I'm supposed to do that.
My plan is to have 5 VLANs:
Home Network - for user devices
Guest Network - for guests that come over
Streamers - Chromecast, Volumio, SmartTV
IOT - for Xiaomi and other IOT devices
Server
This also means (at least) three SSIDs:
Home Network (preferably a single SSID with 2.5ghz and 5ghz)
Guest Network (preferably a single SSID with 2.5ghz and 5ghz)
IOT network (most likely a single SSID 2.5Ghz)
My thinking is:
User, Guest and Server should have full WAN/Internet access.
IOT shouldn't be allowed on WAN (except if there ever was a necessary update for a given product).
IOT and Server (Home Assistant docker) should be able to communicate, but only on the Home Assistant Docker port.
Streamers should be allowed to communicate with Server, but only on Plex Port, and it should also be allowed to communicate with specific streaming-sites (ViaPlay, Netflix, etc).
Guest Network should be allowed to communicate with Streamers (for putting on music, etc).
Home network should be allowed to connect to Server for administration, etc.
Furthermore, there should be some priorities amongst the various VLANs. Like Server traffic to/from WAN is lowest priority, compared to Streaming, Home users, etc.
My thinking is that the best way to achieve a certain level of segmentation, security and priority queueing between the various segments of devices would be VLANs and Virtual APs.
I've set it up using a variety of sources and input, and tried both Winbox and CLI.
I've followed a couple of guides to setting up the Hap AC2 so far:
https://www.manitonetworks.com/networki ... -hardening
https://www.manitonetworks.com/mikrotik ... n-trunking
And I've followed along the stuff in the wiki:
https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless
https://wiki.mikrotik.com/wiki/Manual:W ... VLAN_Trunk
I managed to create the VLANs and some of the Virtual APs/SSIDs. But, when I assign VLAN IDs to the virtual APs/SSIDs nothing happens. When I assign VLAN IDs to the real Wifi interfaces they are marked correctly. I.e. when I connect to a Virtual AP I should think the traffic would show under the specific VLAN attached to that Virtual AP/SSID, but the traffic is only shown under the Virtual AP. When I connect to a normal wifi interface with a VLAN attached, the traffic is shown under that VLAN.
Any and all help would be appreciated!
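As an added example (not the poster's configuration), here is one way to express the segmentation and inter-VLAN policy described in the post on RouterOS using bridge VLAN filtering, where the VLAN is set as the pvid of the virtual AP's bridge port rather than on the wireless interface. Assumed: RouterOS 6.41 or newer, wlan1 is the 2.4 GHz radio and wlan2 the 5 GHz radio, ether1 is WAN, ether2 is the server and ether3 the streamers, VLAN IDs 10-50 and interface names are constructed, IP addressing, DHCP and WPA2 security profiles per SSID are left out, ports 8123 and 32400 are the Home Assistant and Plex defaults, and streamers get full WAN access since limiting them to specific sites would need address lists.

```routeros
# Added example, not the poster's config: the segmentation described above on RouterOS
# using bridge VLAN filtering (6.41+). Assumed: wlan1=2.4GHz, wlan2=5GHz, ether1=WAN,
# ether2=server, ether3=streamers; VLAN IDs 10-50, IP addressing/DHCP per VLAN and
# WPA2 security profiles are left out. Ports 8123/32400 are Home Assistant/Plex defaults.
/interface bridge add name=bridge vlan-filtering=no
# The VLAN is set on the bridge *port* (pvid), not on the wireless interface.
/interface wireless
add master-interface=wlan1 name=wlan1-guest ssid=Guest
add master-interface=wlan2 name=wlan2-guest ssid=Guest
add master-interface=wlan1 name=wlan1-iot ssid=IoT
/interface bridge port
add bridge=bridge interface=wlan1 pvid=10
add bridge=bridge interface=wlan2 pvid=10
add bridge=bridge interface=wlan1-guest pvid=20
add bridge=bridge interface=wlan2-guest pvid=20
add bridge=bridge interface=ether3 pvid=30
add bridge=bridge interface=wlan1-iot pvid=40
add bridge=bridge interface=ether2 pvid=50
# tagged=bridge lets the router itself (the vlanNN interfaces below) see each VLAN
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge vlan-ids=30
add bridge=bridge tagged=bridge vlan-ids=40
add bridge=bridge tagged=bridge vlan-ids=50
/interface vlan
add interface=bridge name=vlan10-home vlan-id=10
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-stream vlan-id=30
add interface=bridge name=vlan40-iot vlan-id=40
add interface=bridge name=vlan50-server vlan-id=50
/interface list add name=WAN_OK
/interface list member
add list=WAN_OK interface=vlan10-home
add list=WAN_OK interface=vlan20-guest
add list=WAN_OK interface=vlan30-stream
add list=WAN_OK interface=vlan50-server
# Inter-VLAN policy: default deny, then only the flows listed in the post.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan40-iot out-interface=vlan50-server protocol=tcp dst-port=8123 action=accept
add chain=forward in-interface=vlan30-stream out-interface=vlan50-server protocol=tcp dst-port=32400 action=accept
add chain=forward in-interface=vlan20-guest out-interface=vlan30-stream action=accept
add chain=forward in-interface=vlan10-home out-interface=vlan50-server action=accept
add chain=forward in-interface-list=WAN_OK out-interface=ether1 action=accept
add chain=forward action=drop
# Enable filtering last, from a console session, so a mistake cannot lock you out.
/interface bridge set bridge vlan-filtering=yes
```

The IoT VLAN has no WAN rule at all, so the final drop covers the "no internet for IoT" requirement; Chromecast discovery from the guest VLAN additionally needs mDNS to cross VLANs, which this ruleset does not provide.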