Johnster001
newbie
Topic Author
Posts: 48
Joined: Fri Jan 11, 2019 5:02 pm

Isolate IoT devices with hAP AC2 as main router

Sat Oct 30, 2021 5:04 pm

Hi,
I've been doing a lot of reading on this but I can't seem to establish which method to use to achieve my desired goal, which is to isolate all of my IoT devices on their own subnet which will not have access to my PCs, NAS, etc. Hopefully someone here can point me in the right direction. My setup is as follows:

3 TP-Link EAP225s as my WiFi APs, currently one SSID for both 2.4 GHz and 5 GHz frequencies with smart-switching between the two which is handled by the Omada management software. All wireless devices use these via the one SSID.
1 Dlink smart-switch which supports 802.1Q VLANs; the APs are directly wired into this switch, as are all the smaller 8-port switches located throughout the house to provide hard-wired connectivity.
1 hAP ac2 as the main router which sits between the switch and the ISP hub which is in bridge mode. I could easily re-wire so that the APs are directly plugged into this instead of the main switch.

I currently have multiple devices accessing the internet through WiFi, some I'd like to isolate and some that should have access to internal resources.

What I'd like to accomplish is to isolate the multiple smart devices we have from our "internal" traffic so that they would only be able to access the internet. Because they are mixed in with our other devices via our single WiFi SSID, I was thinking VLANs would be the way to go, but would that be a MAC-based VLAN since there are no individual ports dedicated to just the IoT devices? Is there another way to accomplish this without completely re-doing my home setup? I was thinking I could accomplish this all through RouterOS on the hAP as it performs all internal routing, but if there's a better way to accomplish this with the devices I have I'm happy to hear about it.

Thanks!
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate IoT devices with hAP AC2 as main router

Sat Oct 30, 2021 5:54 pm

Use this guide
a. Assign a VLAN for every subnet (IP pool, DHCP server, DHCP server network, IP address)
b. Assign VLAN to bridge
c. Assign bridge ports (trunk ports to smart devices, access ports to dumb devices)
d. Assign bridge VLAN settings

Very doable once organized in thoughts and network structure/connectivity.

viewtopic.php?t=143620
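A worked version of steps a-d for the hAP ac2 in this thread, added here as an example and not anav's or MikroTik's own config. It assumes ether1 is the WAN port to the ISP hub, ether2 is the trunk to the D-Link switch (and through it the EAP225s), ether3 is an access port for a dumb device on the trusted VLAN, and the VLAN IDs and subnets are constructed:

```routeros
# Added example, not from the thread. Assumed ports: ether1 = WAN, ether2 = trunk to the
# D-Link switch / EAP225s, ether3 = access port for a dumb device. VLAN IDs and subnets are constructed.
# The switch ports and the Omada SSIDs must carry the same tags (10 = trusted, 20 = IoT).

# b. one bridge; vlan-filtering stays off until ports and the VLAN table exist, to avoid a lockout
/interface bridge
add name=bridge1 vlan-filtering=no

# c. bridge ports: trunk to smart devices, access port (pvid) to a dumb device
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 pvid=10

# d. bridge VLAN table: tagged on the trunk and on bridge1 itself so the router gets an L3 interface
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2 untagged=ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2

# a. per subnet: VLAN interface, IP address, pool, DHCP server, DHCP server network
/interface vlan
add name=vlan10_trusted interface=bridge1 vlan-id=10
add name=vlan20_iot interface=bridge1 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlan10_trusted
add address=192.168.20.1/24 interface=vlan20_iot

/ip pool
add name=pool_trusted ranges=192.168.10.100-192.168.10.199
add name=pool_iot ranges=192.168.20.100-192.168.20.199

/ip dhcp-server
add name=dhcp_trusted interface=vlan10_trusted address-pool=pool_trusted disabled=no
add name=dhcp_iot interface=vlan20_iot address-pool=pool_iot disabled=no

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# interface lists so firewall rules can name a segment (LAN = all VLANs, IOT = the IoT VLAN only)
/interface list
add name=LAN
add name=IOT
/interface list member
add interface=vlan10_trusted list=LAN
add interface=vlan20_iot list=LAN
add interface=vlan20_iot list=IOT

# only now switch filtering on
/interface bridge set bridge1 vlan-filtering=yes
```

Apply it from a Safe Mode session in Winbox so a mistake in the VLAN table is rolled back instead of cutting you off.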
 
nettnuts
just joined
Posts: 21
Joined: Wed Sep 01, 2021 11:41 am

Re: Isolate IoT devices with hAP AC2 as main router

Sat Oct 30, 2021 6:23 pm

I have implemented exactly your idea with my Mikrotik router, which sits behind an AVM Fritzbox as a pure DSL modem and controls several other AVM Fritzboxes used as WLAN access points, WLAN repeaters, subswitches and DECT telephone system in different VLANs.
I followed this approach:
"Mikrotik's RouterOS doesn't yet have specific functionality built in for network "Zones" like some other router platforms, but with new releases of RouterOS we can get the same functionality through 'Interface Lists'.
It's easy to think of three zone types - Trusted, Semi-Trusted, and Untrusted."
  • "Trusted Zone
    Interfaces in a Trusted zone would be internal wired LAN or VLAN gateway interfaces, and management interfaces. We have a reasonable level of trust that the hosts in these networks are not trying to actively compromise our systems, and so we allow them to communicate (relatively) freely. Access to these networks would require physically plugging into a port on-premise, and hopefully port security is in place adding an additional security layer.
  • Semi-Trusted Zone
    A Semi-Trusted network could be a point-to-point VPN to a vendor's network, or a corporate wireless network. We must have these networks in place for legitimate business or organizational reasons, but there is a chance that a bad actor could get access to these networks and we want that breach to be contained if it occurs. Many organizations give these networks access to internal server resources (Active Directory DCs, DNS servers, etc) as required, but access to other subnets or services is forbidden.
  • Untrusted Zone
    Untrusted networks are networks where we know or have reason to suspect that malicious activities could occur, or do occur. A good example of an Untrusted connection is a connection to the internet via an ISP. Port scans and malicious login attempts are very common out on the internet, and it's a given that attackers are actively searching for soft targets."
From:
https://www.manitonetworks.com/networki ... face-lists

The exact number of zones and their access rights is up to you. My IoT zone/VLAN has no internet access, neither has my camera zone.
With an AVM Fritzbox reused as a WLAN AP ("IP Client" in their words) it is not possible to have more than one SSID, so I used one extra AP for the IoT WLAN. However, if your WLAN system supports one SSID per VLAN (as MikroTik's APs do) you can just do that. If not you need to buy one extra CAP/WAP (?) for this purpose.
 
Johnster001
newbie
Topic Author
Posts: 48
Joined: Fri Jan 11, 2019 5:02 pm

Re: Isolate IoT devices with hAP AC2 as main router

Sat Oct 30, 2021 9:04 pm

Thanks for stating this so clearly and simply. One thing though: as I have yet to set up a VLAN-based network, I'm still struggling with how to assign the clients to the VLANs. I can't use ports as many of them are wireless and mixed together. Is your method based around using DHCP reservations = subnet = VLAN assignment? I've been consulting that link you referred to in my research, but it's generally based on port-based VLAN assignment.
Last edited by Johnster001 on Sat Oct 30, 2021 9:11 pm, edited 1 time in total.
 
Johnster001
newbie
Topic Author
Posts: 48
Joined: Fri Jan 11, 2019 5:02 pm

Re: Isolate IoT devices with hAP AC2 as main router

Sat Oct 30, 2021 9:09 pm

This is very cool, I'll take some time to go over it and see how well it fits. For me the untrusted zone wouldn't work too well for most of the IoT devices as they won't function without internet access, but that's a simple tweak to the configuration. I should point out that I have a second MikroTik device, an RB750G, which I can use to provide additional routing functionality if required. I bought it to play around with and use to familiarize myself with RouterOS, but it could also be configured with the same config as my existing ac2 and used to do all of my routing while I experiment with getting this all up and running.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate IoT devices with hAP AC2 as main router

Sat Oct 30, 2021 9:22 pm

Yes, the VLANs provide DHCP services.
Basically a port can carry one or more VLANs (one or more subnets).
If the port is connected to a dumb device, it's only sending one subnet and the router untags the VLAN before it exits the port and tags the traffic entering the port (access port).
If the port is connected to a smart device (managed switch or AP that can read VLANs) then all the VLANs are carried over the port.

So think of the VLANs as your zones or isolated groups of users or devices. Zone is not a concept used in MT;
I think of the VLANs as my isolated segments (or groups of users or devices).

Now there are many ways to identify users and devices and subnets in MikroTik.
In practical terms there are two TOOLS besides a singular source address*** and a singular interface (be it a VLAN, or whatever) to GROUP or IDENTIFY GROUPS of users/devices.

Let's say vlan_101 describes a subnet of 192.168.2.0/24
*** Note that one can use a source address 192.168.2.0/24 to identify a subnet
So one can state in or out interface=vlan_101, source or destination address=192.168.2.0/24
Summary: at least two ways to identify a singular interface.

(i) Source Address Lists: These are best used to
a. identify two or more IP addresses within a subnet (a group of IPs within a subnet but not the entire subnet)
b. identify IP addresses from different subnets
c. a mix of subnets and IP addresses

KEY WORD here is IP addresses!!!

(ii) INTERFACE LISTS: These are best used to identify whole subnets that have specific purposes.
Typically an interface list is used to identify all LAN groups (mainly for the purpose of already existing firewall rules).
If all LAN groups do not require Internet Access then create another list for INTERNET.
If you have one subnet that is a management VLAN, for example, you may have an interface list called CONTROL.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate IoT devices with hAP AC2 as main router

Sat Oct 30, 2021 9:25 pm

Here is the best approach.

1. State clear bullet-by-bullet one-liners that explain the requirements: in other words state the use cases, what each group of users or devices should be able to do and what they should not be able to do. Don't worry about hardware or configuration in these statements.

2. Draw a network diagram to illustrate how the groups and devices are physically connected. ISP modem to router to access points/switches (and which ports to PCs, etc.)

With the two bits of information above, then a config will fall out naturally and if you are attempting to do something your equipment does not permit one can move around the physical connectivity or purchase a needed component.

3. One should not start the config until one is clear in the head of exactly what the network will look like and how it will work.
 
Johnster001
newbie
Topic Author
Posts: 48
Joined: Fri Jan 11, 2019 5:02 pm

Re: Isolate IoT devices with hAP AC2 as main router

Sun Oct 31, 2021 3:57 pm

Thanks Anav. I appreciate the posts detailing the planning steps as well as the technical explanations. I obviously have some homework still to do before I start fiddling with our current config, and I'll likely be posting some follow-up questions, but my biggest challenge will be convincing my kids that Daddy needs more than 4 minutes in a row of uninterrupted peace and quiet to concentrate on this stuff!

Cheers!
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate IoT devices with hAP AC2 as main router

Sun Oct 31, 2021 6:02 pm

Heheh,
Get them involved, get them each to draw a picture of your network and tell them you will post one (picked at random, no favourites) to the thread.
 
Johnster001
newbie
Topic Author
Posts: 48
Joined: Fri Jan 11, 2019 5:02 pm

Re: Isolate IoT devices with hAP AC2 as main router

Fri Nov 05, 2021 10:56 pm

I'm back with a follow-up question.
I have a clear idea of what I want to accomplish, but I'm coming up against what I believe is a technical limitation, so I'm seeking confirmation or correction.

I currently have a single SSID which serves all my wireless devices, including IoT and personal equipment, on the 5 GHz and 2.4 GHz bands. I've read a fair amount about VLANs as well as the capabilities of the Omada management software and my DLink switch. What I want to accomplish is to be able to assign different VLANs to different wireless clients, all of which are on the same switch port and using the same SSID. I'm coming to believe that this is not possible without creating an "IoT" SSID and using that to assign a VLAN to the clients. I can assign a VLAN using the SSID in Omada, or on the switch port on the DLink, but I just don't see how I can assign a VLAN to individual clients, all of whom are using the same SSID and the same port. I originally thought that I could use DHCP via a reservation for each client, but I don't see VLANs as a DHCP option for anything other than VoIP phones. In a nutshell, do I need to create a second SSID and use that to assign the VLAN tag?
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate IoT devices with hAP AC2 as main router

Sat Nov 06, 2021 3:46 am

Hi johnster,
Much depends upon the capabilities of those other devices.

For example I have four APs in my house:
a. TPLINK eap245 (smart)
b. TPLINK 660HD (smart)
c. MT capac (smart)
d. wifi router only using its wifi (dumb)

What I mean by smart is that I can assign more than one 2.4 GHz SSID and more than one 5 GHz SSID
(in other words, to use MT lingo, virtual Access Points).
Further, each SSID can be assigned its own VLAN.

For one device, your hapac2, I would look at no more than 4 SSIDs (aka two virtual WLANs), or 4 VLANs:
home wifi, guest wifi (on 5 GHz) and IoT devices on 2.4 GHz and perhaps multimedia or personal devices on 2.4 GHz etc......

Same with smart switches and dumb switches, being able to handle multiple vlans on any port or in the case of a dumb switch typically used with just one subnet.

To illustrate, I have multiple VLANs:
vlan25 for IoT devices on 2.4 GHz upstairs, unique SSID
vlan50 for IoT devices on 2.4 GHz in the basement, with a unique SSID
I have vlan10 for home wifi on 5 GHz with unique SSID
I have vlan20 for guest wifi on 5 GHz with unique SSID

So I am using smart Access points to create unique SSIDs for their area of coverage and each SSID is connected to a unique VLAN.
 
Johnster001
newbie
Topic Author
Posts: 48
Joined: Fri Jan 11, 2019 5:02 pm

Re: Isolate IoT devices with hAP AC2 as main router

Sun Nov 07, 2021 5:56 pm

Thanks Anav,
I've modified my plans for my setup. I'm now planning on separate SSIDs for IoT and personal devices, with a VLAN for each, along with a management VLAN for things like switches and routers. I'm wondering though, do I really need a management VLAN? I have a NAS which is the primary file, media, DNS (Pi-Hole on a docker instance), and Plex server for my home. I was planning on placing the NAS on my Personal Devices VLAN, but I'll also need to have it reachable from the management VLAN and vice versa. If I'm going to allow traffic between the two VLANs, is there any point in having them separate, or should I just allow certain kinds of traffic and only from specific source IPs? I guess what I'm after is how others are designing the membership and communication for their VLANs.

Also, Anav, I have a question about your setup. You have separate SSIDs for each level of your home; do you have any problems with clients that move between the two? Is the hand-off from one SSID to another seamless? I have 3 TP-Link EAP225s, one for each level of my home, and if I look at the client list, it's more vertical than horizontal as the APs are not placed in the middle of each floor. I'm always looking to improve the WiFi coverage in my home so I'm curious as to how well that works for you.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate IoT devices with hAP AC2 as main router

Sun Nov 07, 2021 6:16 pm

Excellent questions.
Yes, I recommend a management VLAN for a business environment, as the only person that needs access to this is the admin, for the configuration of the devices for winbox purposes and for access to the router itself via winbox. In terms of VLAN to VLAN access, this is easily accomplished with the fidelity desired using forward chain firewall filter rules. Not a biggie!


However, you can use instead a TRUSTED VLAN (like I do at home) as you are thinking NAS etc...... and this also works with the following caveats.
I only allow the admin access to the router (full access)
I only allow users to have DNS services from the router (and some devices to NTP).
This looks like this....

add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=control src-address-list=adminaccess

Where:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=control

/interface list member
add comment=defconf interface=ISP1_eth1 list=WAN
add interface=ISP2_eth2 list=WAN
add interface=vlanX(trusted) list=LAN
add interface=vlany(iot) list=LAN
add interface=vlanz(guestwifi) list=LAN
.......... (continue for all vlans)
add interface=vlanx9(trusted) list=control

and finally
/tool mac-server mac-winbox
set allowed-interface-list=control


AND

/ip firewall address-list (via statically assigned DHCP leases)
add address=IPofadminDesktop list=adminaccess (IP on trusted network)
add address=IPofadminLaptop list=adminaccess (IP on trusted network)
add address=IPofSmartphone list=adminaccess (IP on trusted network)
add address=IPofIPad list=adminaccess (IP on trusted network)


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
And, all other users access is limited to.....
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp

Followed by the necessary: (only put this in until after admin access is done otherwise you will lock yourself out.)
add action=drop chain=input comment="DROP ALL ELSE" log-prefix=\
"INPUT DROP ALL"
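The input-chain rules above protect the router itself; the forward chain is what keeps the IoT VLAN away from the NAS and PCs. This added example (not anav's config, and not from the thread) shows that side, using the interface-list and address-list tools from anav's earlier post. It assumes the WAN and LAN interface lists from the post above, an extra interface list IOT holding only the IoT VLAN, and a constructed address list trusted_hosts for the hosts allowed to open connections into the IoT segment:

```routeros
# Added example, not from the thread. Assumes interface lists WAN, LAN (every VLAN, IoT included)
# and IOT (the IoT VLAN only), plus the constructed address list trusted_hosts below.
/ip firewall address-list
add address=192.168.10.50 list=trusted_hosts comment="admin desktop (constructed address)"

# every VLAN reaches the internet through the ISP connection
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="NAT all VLANs to WAN"

/ip firewall filter
# existing flows first; replies to trusted->IoT connections return through this rule
add chain=forward action=accept connection-state=established,related \
    comment="fwd: established/related"
add chain=forward action=drop connection-state=invalid comment="fwd: drop invalid"
# only listed trusted hosts may open connections to IoT devices (e.g. to control a bulb or a TV)
add chain=forward action=accept connection-state=new in-interface-list=LAN \
    out-interface-list=IOT src-address-list=trusted_hosts comment="fwd: trusted hosts -> IoT"
# an IoT device never initiates anything toward an internal segment; log it so it is visible
add chain=forward action=drop in-interface-list=IOT out-interface-list=LAN \
    log=yes log-prefix="IOT->LAN" comment="fwd: block IoT to internal"
# anything on a LAN VLAN (IoT included, since it is a LAN member) may go to the internet
add chain=forward action=accept connection-state=new in-interface-list=LAN \
    out-interface-list=WAN comment="fwd: LAN -> internet"
# nothing else crosses between VLANs, including trusted -> IoT from hosts not in the list
add chain=forward action=drop log=yes log-prefix="FWD DROP" comment="fwd: drop all else"
```

Watching /log for the IOT->LAN prefix is the quickest check that the isolation holds: a device that keeps appearing there is probing the internal segments and is worth a closer look.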
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate IoT devices with hAP AC2 as main router

Sun Nov 07, 2021 6:22 pm

I don't do anything special for my ACCESS POINTS.
Clients selecting which AP is more about the client programming/radio/setup behaviour we cannot control.

Suffice to say I make sure that there is minimal to zero overlap on channels so that there is minimal interference.
I also have more of an upstairs (two floors) separation from the basement.

So for example the upstairs non-trusted IOT vlan is different from the basement non-trusted vlan and ALSO has a different SSID.
In this regard I can see and separate issues more readily.

So for example the trusted VLAN has a different SSID in the basement, than the SSID upstairs (same vlan unlike untrusted devices).
I prefer this because then trusted people moving around can easily select the different SSID more appropriate to where they are.
With the same SSID, the client may not switch and they are using the signal from a weaker source and may not check.......

Similarly to IOT devices, I have an upstairs guest wifi and a downstairs guest wifi, two different vlans and two different SSIDs.
This may not be necessary in your case, but the basement guests in my case are not the same guests.