MikroTik

I've been running routeros for a few years now and have my network segregated into vlans for lan/security devices (cameras, intruder alarm etc)/guest/home automation through using different physical or virtual (different wlans) interfaces, all running smoothly.

I do have one trunk port, connected to my proxmox server with the proxmox server tagging the vlan to the vm, but what I'm interested to know is if it's possible to have a trunk port that defaults to my guest vlan, but where I can add some sort of filter to add specific devices to a different vlan?

I know on some switch cpu types you can change the vlan tag using filters, but my hapAC doesn't have one of those cpus.

I don't even mind if I have to manually assign the device somewhere, but I'm eventually going to get a poe switch (remote to the router) to stick a few extra cameras up but may also want to add a wireless access point or two so it would be hand if a dumb switch could be used and then I manually choose which vlan a device belongs in after it connects.

I understand that mac spoofing etc is easy, I'm not looking for maximum security here, I don't expect anyone will be breaking into my house and plugging into my poe switch, I just like to segregate things as best I can

Unless you intend to have all devices in the same vlan, using a dumb switch isn't recommended, because a dumb switch offers no real separation of devices. Also, to use mac or protocol based vlans requires a managed switch above the "smart switch" variety, that are usually vlan aware but not able to assign vlans based on mac address. I am not sure what you mean by ip based vlan.

My suggestion is to "cry once" and spend the extra to get a vlan-aware poe switch instead of "saving money" on a "dumb" poe switch, if you expect to connect different "classes" of devices to the switch, because then you will cry every time you need a vlan-aware switch and don't have one.

If you are dead set on going the cheapest possible route with a poe "dumb" switch, and you only expect to connect cameras and vlan-aware wifi access points, and you "trust" everything connected to the dumb switch, you could connect the Camera's with the untagged "native" vlan on a hybrid trunk connection from the hap ac and then use the tagged vlans for the guest and other SSIDs on the access points. Then the Access point would "tag" the vlan being used by the guest network, and the hap ac bridge or ether interface would need to have vlan interface associated with the guest vlan.

But I know what I would do in your situation; spend the extra money when buying the poe switch to be sure it is as a minimum vlan-aware "smart" switch. And I would forget the idea of using mac based vlans.

Horribly explained, dont ask a requirement question based on config changes.
State the requirement in terms of traffic flow required by users...........

Once understood a config plan/design can be formulated.

Unless you intend to have all devices in the same vlan, using a dumb switch isn't recommended, because a dumb switch offers no real separation of devices. Also, to use mac or protocol based vlans requires a managed switch above the "smart switch" variety, that are usually vlan aware but not able to assign vlans based on mac address. I am not sure what you mean by ip based vlan.

My suggestion is to "cry once" and spend the extra to get a vlan-aware poe switch instead of "saving money" on a "dumb" poe switch, if you expect to connect different "classes" of devices to the switch, because then you will cry every time you need a vlan-aware switch and don't have one.

If you are dead set on going the cheapest possible route with a poe "dumb" switch, and you only expect to connect cameras and vlan-aware wifi access points, and you "trust" everything connected to the dumb switch, you could connect the Camera's with the untagged "native" vlan on a hybrid trunk connection from the hap ac and then use the tagged vlans for the guest and other SSIDs on the access points. Then the Access point would "tag" the vlan being used by the guest network, and the hap ac bridge or ether interface would need to have vlan interface associated with the guest vlan.

But I know what I would do in your situation; spend the extra money when buying the poe switch to be sure it is as a minimum vlan-aware "smart" switch. And I would forget the idea of using mac based vlans.

Thank you.

Yeah, IP based was just throwing a random suggestion out there for simply manually assigning a device to a specific vlan after it connects. My question was really just to see if there was any way to do it but it seems not.

I probably will bite the bullet and get a smart poe switch and just go with port based vlans, but I wanted to keep everything smart as Mikrotik so winbox could be a central management solution and their poe switches just don't appeal to me.

Horribly explained, dont ask a requirement question based on config changes.
State the requirement in terms of traffic flow required by users...........

Once understood a config plan/design can be formulated.

Thanks chief.

Yeah, IP based was just throwing a random suggestion out there for simply manually assigning a device to a specific vlan after it connects. My question was really just to see if there was any way to do it but it seems not.

The reason I said I didn't understand what you meant by IP based vlan, is that a switch (unless it is a layer 3 switch, and those are in a different category) has no concept of IP addresses. The only thing in a managed switch that is aware of ip addresses is the built in "host" that is used to configure the L2 switch. All the switch knows about are MAC addresses. VoIP vlans can use the OUI portion of the mac address to identify the vendor involved, and then assign the traffic to a specific vlan on the switch fabric. If you are using dhcp, the IP address of the new host won't even be available until the IP address is assigned by the dhcp server, and remember that vlans are separate broadcast domains, so there will be only one dhcp server that sees the dhcp discover message, and for this to work, the vlan has to be chosen before the first ethernet frame received from the new host gets "forwarded", so the forwarding decision must be based on something in the ethernet frame, e.g. the MAC address. If there is such a thing as IP based vlans, I am not aware of any, or how they could work. If you do know of such a thing that does work, I would be interested in a reference to it. There are some switches with ACL capability that can look "deeper" into the ethernet frame than just the mac addresses and ethertyp fields, but this would work only if you had static ip addressing and did not plan to ever use dhcp.

I probably will bite the bullet and get a smart poe switch and just go with port based vlans, but I wanted to keep everything smart as Mikrotik so winbox could be a central management solution and their poe switches just don't appeal to me.

Port based vlans exist, but they are not based on IEEE 802.1Q vlans; they are based on port forwarding tables which specify what ports any specific port is allowed to forward to. And they have significance only on the local switch. If you ever plan on expanding to multiple vlan-aware switches, I wouldn't use port based vlans. But perhaps that is not what you meant by port based vlans.

For example, the CSS106-5G-1S (aka RB260) switch, has port isolation feature that can implement port based vlans and cab be combined with IEEE 802.1Q vlans on the same switch. The TP-Link TL-SG108E has 4 "switch" vlan modes: None (vlan transparent, just like most dumb switches, it will pass tagged frames, but not modify them, in essence the switch just ignores what is in the ethtype following the src mac in the ethernet frame), port based (each port can only forward to other ports in the same port group), MTU (Multi-Tenant Unit) - asymmetric port groups, and IEEE 802.1Q - standards based vlans that can span multiple IEEE 802.1Q switches.

Another comment. Before pressing "confirm purchase" on any poe switch, do your homework. There are multiple PoE types (Passive 24V not an IEEE standard, 802.3af (PoE), 802.3at (PoE+), 802.3bt (PoE++). Also pay attention to the PoE budget and what your devices need. Some PoE switches only provide PoE on a limited number of ports, (and these usually still have insufficient budget to drive even the limited set of ports with PoE capability at the max per port wattage). It's no different than a power outlet strip that won't provide all outlets with the maximum amps at the same time without overloading the 15A circuit the power strip is plugged into, where it would be oK to plug a hair dryer into the power strip it it was the only thing being used at the time. Doing the homework before purchase will save you grief and buyer remorse.

The reason I said I didn't understand what you meant by IP based vlan, is that a switch (unless it is a layer 3 switch, and those are in a different category) has no concept of IP addresses. The only thing in a managed switch that is aware of ip addresses is the built in "host" that is used to configure the L2 switch. All the switch knows about are MAC addresses. VoIP vlans can use the OUI portion of the mac address to identify the vendor involved, and then assign the traffic to a specific vlan on the switch fabric. If you are using dhcp, the IP address of the new host won't even be available until the IP address is assigned by the dhcp server, and remember that vlans are separate broadcast domains, so there will be only one dhcp server that sees the dhcp discover message, and for this to work, the vlan has to be chosen before the first ethernet frame received from the new host gets "forwarded", so the forwarding decision must be based on something in the ethernet frame, e.g. the MAC address. If there is such a thing as IP based vlans, I am not aware of any, or how they could work. If you do know of such a thing that does work, I would be interested in a reference to it. There are some switches with ACL capability that can look "deeper" into the ethernet frame than just the mac addresses and ethertyp fields, but this would work only if you had static ip addressing and did not plan to ever use dhcp.

I think a MAC based vlan was closest to what I wanted to accomplish but in the end I decided to grab a CSS326-24G-2S+RM and a separate 8 port POE injector. I have a few dumb POE switches that I can use for a bundle of things that will go on the same VLAN (cameras for example) that can then connect back into one VLAN access port on a VLAN aware switch.
I was planning on manually setting a static IP address on devices I wanted in a specific VLAN and was hoping there was some easy way to have my router assign that device to a vlan but I'm only an amateur when it comes to networking. I have my home network segregated into several vlans but until now it's all just been based around one router rather than an actual multi switch network so I'm learning as I go along.

Port based vlans exist, but they are not based on IEEE 802.1Q vlans; they are based on port forwarding tables which specify what ports any specific port is allowed to forward to. And they have significance only on the local switch. If you ever plan on expanding to multiple vlan-aware switches, I wouldn't use port based vlans. But perhaps that is not what you meant by port based vlans.

For example, the CSS106-5G-1S (aka RB260) switch, has port isolation feature that can implement port based vlans and cab be combined with IEEE 802.1Q vlans on the same switch. The TP-Link TL-SG108E has 4 "switch" vlan modes: None (vlan transparent, just like most dumb switches, it will pass tagged frames, but not modify them, in essence the switch just ignores what is in the ethtype following the src mac in the ethernet frame), port based (each port can only forward to other ports in the same port group), MTU (Multi-Tenant Unit) - asymmetric port groups, and IEEE 802.1Q - standards based vlans that can span multiple IEEE 802.1Q switches.

Another comment. Before pressing "confirm purchase" on any poe switch, do your homework. There are multiple PoE types (Passive 24V not an IEEE standard, 802.3af (PoE), 802.3at (PoE+), 802.3bt (PoE++). Also pay attention to the PoE budget and what your devices need. Some PoE switches only provide PoE on a limited number of ports, (and these usually still have insufficient budget to drive even the limited set of ports with PoE capability at the max per port wattage). It's no different than a power outlet strip that won't provide all outlets with the maximum amps at the same time without overloading the 15A circuit the power strip is plugged into, where it would be oK to plug a hair dryer into the power strip it it was the only thing being used at the time. Doing the homework before purchase will save you grief and buyer remorse.

I'm using port based VLANs right now, I've even successfully setup my proxmox server to separate my VMs into different subnets where necessary through its single NIC. Most of my other devices connect wirelessly at the minute and I've even got separate slave interfaces with guest, security, smart home and iot VLANS all running well.
When I say port based, I'm talking about 802.1q on my Hap AC2 (recently upgraded to the HAP ax3). I have each port (i suppose the correct term should've been interface) assigned with the relevant vlan-id, all under one bridge. It's all working well, I have filter rules to stop the guest/security/iot vlans from doing anything I don't want them to do, but I'll be expanding my smart home and finally installing some cameras (I'm a fire and security engineer, cheap cameras and security devices at my fingertips but no time to install them!) so need to make sure I can take the existing VLAN setup and expand it beyond one switch/router.

I have a few of the smaller mikrotik devices (HAP AC2, HAP AX3, 3 MAP2ns and a MAP 2nd, as well as a CAP AC i needed in my old house to extend the wifi a little) and was dabbling a little last week in dot1x too but that looks like another rabbit hole for the future!

I use POE switches in work so I'm aware of the different standards, which is why my first though was to try to avoid having to get a smart POE switch. I'm good enough at getting myself out of trouble on RouterOS now but I really just didn't like any of Mikrotik's offerings - most of their POE capable stuff is passive POE but then I decided to just get the standalone 8 port poe injector and the CSS326-24G-2S+RM. I'm hoping I can fudge my way around SwitchOS given how long I've been using RouterOS, I'm hoping I only lock myself out of it 5 or 6 times before I successfully make an out of band port I can hook my CAP AC to so I can go in the back door when I lock myself out the front door.


Thanks for all the advice.