Hi.
Wonder if this is possible - I have one thunderbolt dock with one NIC/MAC address and I'd like to set my MikroTik router to behave so that if a specific laptop is plugged in (i.e. my work laptop), it gets connected to my guest VLAN interface (pvid 20), but for any other devices plugged into that dock, this goes to my main network (which is the bridge interface, pvid 1).
Is that possible to set up router-side?
Thanks!
Re: One dock with two computers & two VLANs
you would need something like user-manager (mikrotik's implementation of RADIUS server) and some kind of (basic) dot1x setup to evaluate (and authenticate) the device/user connecting to the network
you could try to do basic mac-authentication and then set the PVID of that port to your desired VLAN and otherwise leave it at PVID 1
never done it on a setup with user-manager (additional .npk package in "all packages")
you also could work with more sophisticated setups like EAP-PEAP and/or computer-authentification (cert. based; most likely in place in a domain network, hence the domain has an internal CA and signes computer certificates which are pushed to domain-joined computers)
but implemented dot1x with an aruba radius server which serves a variaty of access layer devices (cisco, fs, ubnt es and also mikrotik RB4011 and hEX)
the radius server has to respond with the according values to set the VLAN PVID
the 3 important values here are
- Tunnel-Medium-Type (=VLAN)
- Tunnel-Type (=802)
- Tunnel-Private-Group-ID (=vlan pvid)
(here for example the RADIUS server is implemented via Micro$ofts NPS: https://www.expertnetworkconsultant.com ... us-server/ )
you could try to do basic mac-authentication and then set the PVID of that port to your desired VLAN and otherwise leave it at PVID 1
never done it on a setup with user-manager (additional .npk package in "all packages")
you also could work with more sophisticated setups like EAP-PEAP and/or computer-authentification (cert. based; most likely in place in a domain network, hence the domain has an internal CA and signes computer certificates which are pushed to domain-joined computers)
but implemented dot1x with an aruba radius server which serves a variaty of access layer devices (cisco, fs, ubnt es and also mikrotik RB4011 and hEX)
the radius server has to respond with the according values to set the VLAN PVID
the 3 important values here are
- Tunnel-Medium-Type (=VLAN)
- Tunnel-Type (=802)
- Tunnel-Private-Group-ID (=vlan pvid)
(here for example the RADIUS server is implemented via Micro$ofts NPS: https://www.expertnetworkconsultant.com ... us-server/ )
Re: One dock with two computers & two VLANs
If I get this right, this particular kind of dock is connected via thunderbolt and has an internal NIC (with its own MAC address).
So the router (or any other device on the network connected to it) has no way to see which computer is connected via thunderbolt, it will always see the MAC of the dock NIC, no matter which computer is connected to it.
It has to be seen if it is possible to do some kind of MAC spoofing on that device.
Only as an example/reference, DELL has a "pass-through mode" for similar devices:
https://www.dell.com/support/kbdoc/en-u ... ss-through
and if I recall correctly also Lenovo and other manufacturers has something similar.
So the router (or any other device on the network connected to it) has no way to see which computer is connected via thunderbolt, it will always see the MAC of the dock NIC, no matter which computer is connected to it.
It has to be seen if it is possible to do some kind of MAC spoofing on that device.
Only as an example/reference, DELL has a "pass-through mode" for similar devices:
https://www.dell.com/support/kbdoc/en-u ... ss-through
and if I recall correctly also Lenovo and other manufacturers has something similar.
Re: One dock with two computers & two VLANs
HP also has such an optionIf I get this right, this particular kind of dock is connected via thunderbolt and has an internal NIC (with its own MAC address).
So the router (or any other device on the network connected to it) has no way to see which computer is connected via thunderbolt, it will always see the MAC of the dock NIC, no matter which computer is connected to it.
It has to be seen if it is possible to do some kind of MAC spoofing on that device.
Only as an example/reference, DELL has a "pass-through mode" for similar devices:
https://www.dell.com/support/kbdoc/en-u ... ss-through
and if I recall correctly also Lenovo and other manufacturers has something similar.