
What separation method should I use?

Posted: Wed Jun 10, 2020 6:48 pm
by SillyPosition
I want to set up 3 networks, with three different subnets for different purposes (guest, home, and a LAN-only network with no internet).
And I want everything separated completely, but with access to a single IP (DNS server, Pi-hole).

1. I saw the guide suggested here, which suggests creating a VLAN interface in a new bridge, so this means having 3 bridges.
2. To my understanding, although I didn't try to implement it yet, I can also follow the newer approach of applying a single bridge with multiple VLANs or interfaces with tagged fields, and using VLAN filtering, as suggested here.
3. And I can also just have three bridges and set up a firewall that doesn't allow any bridge to communicate with the other bridges as I want. That seems to provide granular separation as well.

Can you please explain to me which approach I should use, and why?
Right now I followed the first one, but to my understanding it is a little redundant given the newer approach (which I'm not fully familiar with just yet).
My setup is a hAP ac router with a wAP using CAPsMAN.

Re: What separation method should I use?

Posted: Wed Jun 10, 2020 8:14 pm
by mutluit
Maybe the following can give you some inspiration: viewtopic.php?f=2&t=162190
It creates 5 independent LANs by using basic IP routing; no VLAN, no CAPsMAN involved.

If you really mean 3 networks with 3 subnets each, then you need just a router with 3+ LAN ports plus 1 WAN port for the uplink.
The subnets would have a netmask of, for example, /22, like this:
$ ipcalc 192.168.0.0/22
Address:   192.168.0.0          11000000.10101000.000000 00.00000000
Netmask:   255.255.252.0 = 22   11111111.11111111.111111 00.00000000
Wildcard:  0.0.3.255            00000000.00000000.000000 11.11111111
=>
Network:   192.168.0.0/22       11000000.10101000.000000 00.00000000
HostMin:   192.168.0.1          11000000.10101000.000000 00.00000001
HostMax:   192.168.3.254        11000000.10101000.000000 11.11111110
Broadcast: 192.168.3.255        11000000.10101000.000000 11.11111111
Hosts/Net: 1022                  Class C, Private Internet

$ ipcalc 192.168.4.0/22
Address:   192.168.4.0          11000000.10101000.000001 00.00000000
Netmask:   255.255.252.0 = 22   11111111.11111111.111111 00.00000000
Wildcard:  0.0.3.255            00000000.00000000.000000 11.11111111
=>
Network:   192.168.4.0/22       11000000.10101000.000001 00.00000000
HostMin:   192.168.4.1          11000000.10101000.000001 00.00000001
HostMax:   192.168.7.254        11000000.10101000.000001 11.11111110
Broadcast: 192.168.7.255        11000000.10101000.000001 11.11111111
Hosts/Net: 1022                  Class C, Private Internet

$ ipcalc 192.168.8.0/22
Address:   192.168.8.0          11000000.10101000.000010 00.00000000
Netmask:   255.255.252.0 = 22   11111111.11111111.111111 00.00000000
Wildcard:  0.0.3.255            00000000.00000000.000000 11.11111111
=>
Network:   192.168.8.0/22       11000000.10101000.000010 00.00000000
HostMin:   192.168.8.1          11000000.10101000.000010 00.00000001
HostMax:   192.168.11.254       11000000.10101000.000010 11.11111110
Broadcast: 192.168.11.255       11000000.10101000.000010 11.11111111
Hosts/Net: 1022                  Class C, Private Internet

But if you instead mean each of the 3x3 as totally independent of each other, then this in fact means 9 networks.
For this you would need a router (or a switch-router like the CRS3xx) with 9+ LAN ports plus 1 WAN port.

To each router port you would attach a cheap unmanaged/dumb 8+ port switch where the end-user devices get attached...

Re: What separation method should I use?

Posted: Wed Jun 10, 2020 8:20 pm
by anav
The best source for the newer method of a single bridge is this reference, in case you choose to go this route.
viewtopic.php?f=13&t=143620 (it's what I use for about 12 VLANs and multiple managed switches and multiple wifi devices)

Re: What separation method should I use?

Posted: Thu Jun 11, 2020 10:55 am
by SillyPosition
Thanks anav,
I think I should choose this path for my requirements, no?
This seems to allow the biggest flexibility in separating my network as I want, with a minimal set of firewall rules and complexities. Please correct me if I'm wrong.

I tried following this guide for deeper understanding but I have a couple of gaps.
Can you please give me a hint about the following:
1. Can/should I manage the router's wireless interfaces via CAPsMAN (locally) as well? Since right now I need to duplicate settings for broadcasting the same SSID over my CAP.
2. Once I enable bridge filtering in the new method, do I still need to set up a firewall rule to drop connections between VLANs? Because this is what I need to do today, and I think it's not necessary anymore, am I right?
3. If the answer to my second question is yes, what is the proper way to have a VM which I have, that runs some services, be reachable from another VLAN? So that I could say this VLAN can access ip:port on that other VLAN?

Re: What separation method should I use?

Posted: Thu Jun 11, 2020 11:01 am
by mkx
2. Once I enable bridge filtering in the new method, do I still need to set up a firewall rule to drop connections between VLANs? Because this is what I need to do today, and I think it's not necessary anymore, am I right?

Wrong.

Routing between IP networks is ... IP routing. And that's above Ethernet or VLANs, and any selection of L2/L2.5 technology used lower does not affect how L3 works. VLANs only allow you to set up different L3 networks to use the same L2 infrastructure, and they are still separated at the infrastructure level. E.g. instead of using 2 non-bridged ports on the router, one per subnet, you can use a single VLAN-configured port to connect both subnets to the router ... any way it's done, the only path between the two subnets is via the router at L3 ... between two router interfaces (either physical or VLAN) which have IP addresses set.

Re: What separation method should I use?  [SOLVED]

Posted: Thu Jun 11, 2020 4:52 pm
by anav
Hi SillyPosition, if you were confused by the last post you are not alone LOL.
I try to speak at my level, being an MT certified layperson (MTUNA certificate).

The VLAN structure allows us to easily segregate subnets to prevent any crosstalk at layer 2, and it's just clean and prevents any garbage from one subnet affecting the other.
Separation at layer 3 is also required, because without that the router will try to route traffic from one VLAN to another.

The easy way to block this is in the forward filter chain.
The last rule in the chain should be
/ip firewall filter
add chain=forward action=drop comment="Drop all else"

What this means in practical terms is that any traffic NOT EXPLICITLY allowed in rules above this rule will NOT be permitted.
Therefore, besides the usual default firewall rules, one will have to ensure the ADMIN creates rules for the following:
- allow VLAN to WAN traffic
- allow VLAN to VLAN traffic (this could be allowing VLAN A users to access a printer on VLAN B, for example)
- allow admin to all VLANs

So it's very easy to do and manage.
As for your VMware, yes, you make the necessary filter rules to allow access for
a. a user (single address)
b. a group of users (firewall address list)
c. a subnet (VLAN interface)

To be clear, if you allow from users to the VLAN, one way, then traffic to the VLAN and the associated return traffic back to the user is allowed, but VM to user, originating at the VM, is not allowed. That would be a separate rule.

Am I a fan of CAPsMAN? NO. I have had up to two cAP acs and ran them directly and separately, and wouldn't touch CAPsMAN with a 10-foot pole unless I had to. It's another layer of CPU drain and possible config errors (trust me, I see people crying about setting up CAPsMAN all the time; trying to save you moisture leakage issues :-) ) and IMHO for a small number, 1-3, I do not recommend it.

Finally read my disclaimer below in the faint grey text. :-)
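A RouterOS configuration that implements the forward chain anav describes (stateful return traffic, VLAN to WAN, one VLAN to one VM port, admin to all VLANs, drop all else) on a single VLAN-filtered bridge. This is an added example, not from any post in this thread; the interface names, VLAN IDs, port assignments and all 192.168.x addresses are assumptions.

```routeros
# Constructed example: one bridge with VLAN filtering. home = VLAN 10 on ether2,
# guest = VLAN 20 on ether3, isolated LAN = VLAN 30 on ether4, ether1 = WAN uplink.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=30
/interface vlan
add interface=bridge1 name=vlan10-home vlan-id=10
add interface=bridge1 name=vlan20-guest vlan-id=20
add interface=bridge1 name=vlan30-isolated vlan-id=30
/ip address
add address=192.168.10.1/24 interface=vlan10-home
add address=192.168.20.1/24 interface=vlan20-guest
add address=192.168.30.1/24 interface=vlan30-isolated
/interface list
add name=WAN
add name=VLAN
add name=INTERNET
/interface list member
add interface=ether1 list=WAN
add interface=vlan10-home list=VLAN
add interface=vlan20-guest list=VLAN
add interface=vlan30-isolated list=VLAN
add interface=vlan10-home list=INTERNET
add interface=vlan20-guest list=INTERNET
/ip firewall address-list
add address=192.168.10.20 list=ADMIN comment="Assumed admin workstation"
# Forward chain: whatever is not accepted above the final rule is dropped.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="Return traffic for sessions accepted below"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=INTERNET out-interface-list=WAN comment="Home and guest to WAN; VLAN 30 has no such rule, so no internet"
add chain=forward action=accept in-interface-list=VLAN dst-address=192.168.10.53 protocol=udp dst-port=53 comment="Every VLAN may reach the Pi-hole (assumed at .10.53)"
add chain=forward action=accept in-interface-list=VLAN dst-address=192.168.10.53 protocol=tcp dst-port=53
add chain=forward action=accept in-interface=vlan20-guest dst-address=192.168.30.10 protocol=tcp dst-port=8080 comment="Guest to one VM port only; the VM cannot initiate toward guest"
add chain=forward action=accept src-address-list=ADMIN out-interface-list=VLAN comment="Admin host reaches every VLAN"
add chain=forward action=drop comment="Drop all else"
# Turn filtering on last, once the rules above exist, so the router is not cut off mid-configuration.
/interface bridge
set bridge1 vlan-filtering=yes
```

Only traffic that crosses from one VLAN interface to another (or to the WAN) passes the forward chain; hosts inside the same VLAN reach each other at layer 2 without touching these rules.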

Re: What separation method should I use?

Posted: Thu Jun 11, 2020 5:50 pm
by gazingbazooka
1. I saw the guide suggested here, which suggests creating a VLAN interface in a new bridge, so this means having 3 bridges.
I think that's the old way. You only need one bridge. As others have mentioned, multicast will break with VLANs, so just keep stuff like Chromecast on the same VLAN as your devices.

Re: What separation method should I use?

Posted: Thu Jun 11, 2020 7:11 pm
by SillyPosition
Thanks guys.

anav, can you please explain why you are against CAPsMAN?
Because I thought it's nice to be able to configure everything once from the router, and to be able to configure firewall rules only once.
I even thought to simplify by setting the router, which is the CAPsMAN, to manage itself the same way, and then I don't even need to duplicate all my APs' configurations (datapaths, security profiles, etc.)

If I manage each CAP manually, it means that I also need to recreate every configuration from my main router in my CAPs.
That means everything, basically, if I try to do QoS using queues, or multiple vAPs/DHCP, etc.

Re: What separation method should I use?

Posted: Thu Jun 11, 2020 7:24 pm
by anav
I am confused further LOL.
Why would you duplicate router setups without using CAPs?
You only have one router, one set of FW rules, one set of DHCP, one mangle, etc. etc. etc.
The cAP acs are easy; all you do is configure the WiFi and done!

Re: What separation method should I use?

Posted: Thu Jun 11, 2020 8:00 pm
by SillyPosition
Ha, sorry, after re-reading I guess I got confused.
There are two options to configure my wAP with my router:
1. Configure my wAP as a CAP, and configure the wifi interfaces via CAPsMAN
2. Take a blank configuration and only configure my wifi antennas directly on the wAP

Can you explain to me your opinion on why you are against CAPsMAN?

Re: What separation method should I use?

Posted: Thu Jun 11, 2020 9:18 pm
by anav
Why would I program CAPsMAN on a single device that is already attached to the router?
It's adding config for no gain.
The only reason for CAPsMAN is when programming many devices, and devices that have similar setups, I imagine.
Much easier to manage a group of objects from a controller being the idea, but only one.... not so much.
Running CAPsMAN is not free; it uses up router CPU, and I wonder if it slows down wifi at all, even if just a smidge.

Let me ask you, what does CAPsMAN do for you that I need??

Re: What separation method should I use?

Posted: Fri Jun 12, 2020 2:51 pm
by SillyPosition
Thanks anav
Yes, I understand, it doesn't add much for just 1 managed access point.

Let me please ask about the original question in this thread: what is the benefit of defining VLANs in a single bridge, compared to just creating a bridge per subnetwork?
Because I can just specify another address pool for every bridge, and define a default fallback rule in my firewall to drop anything across bridges.

Re: What separation method should I use?

Posted: Fri Jun 12, 2020 3:15 pm
by anav
Thanks anav
Yes, I understand, it doesn't add much for just 1 managed access point.

Let me please ask about the original question in this thread: what is the benefit of defining VLANs in a single bridge, compared to just creating a bridge per subnetwork?
Because I can just specify another address pool for every bridge, and define a default fallback rule in my firewall to drop anything across bridges.
I believe both work equally well; personal preference, I suppose.
I like VLANs because I have multiple switches and don't just use one port for one subnet.
(max flex)