Hello everybody,
A good friend of my advised me on buying devices from Mikrotik because of the good price/quality.
I've bought two devices:
a. RB951G-2HnD
b. CRS109-8G-1S-2HnD-IN
Reseller advised me on buying the RB951G in stead of a switch because of the possibility to extend the WiFi network from the CRS109.
I would like to get the following setup:
Segmentation through VLAN, routing between the VLAN's (Intervlan) and Fire-walling between the VLAN's.
I would like to ask you guys if you can help me how to accomplish this?
Thank you.
Re: Inter-Vlan Routing
VLANS are pretty easy to setup on Tiks, I researched it through Googleing and watching videos in less than a day. There is a lot of info out there. To get you started though..... Click on Interface tab-> VLAN and then just create a new one. Then under IP tab on left you will have to input the address and create DHCP pools and servers if you want that functionality.
Re: Inter-Vlan Routing
Thank you for your reply.VLANS are pretty easy to setup on Tiks, I researched it through Googleing and watching videos in less than a day. There is a lot of info out there. To get you started though..... Click on Interface tab-> VLAN and then just create a new one. Then under IP tab on left you will have to input the address and create DHCP pools and servers if you want that functionality.
That's right, VLANS are pretty easy to setup BUT InterVlan is something else.
Mikrotik devices:
Router1: CRS109-8G-1S-2HnD-IN
Router2: RB951G-2HnD
In my understanding......VLAN tagging in switch-chip (router2) and routing in RouterOS (router1)
Intervlan trunking, so it's possible for devices connected to router 1 in the 192.168.10.0/24 subnet to communicate with devices on router 2 in the 192.168.20.0/24 subnet.
When this is accomplished, I would like to add restrictions to the communications between the different VLANS.
Management of the Mikrotik devices must be also in a different VLAN
I searched on the web and tried different configs, unfortunately without any success.
That's why I would like to ask you guys again if you can help me how to accomplish this?
Thank you.
Last edited by mvdv78 on Fri Dec 05, 2014 5:08 pm, edited 1 time in total.
Re: Inter-Vlan Routing
The VLANS should by default route between the different subnets, then you can control isolation through the firewall. I was really struggling with them until I figured out trunking, tagging, and PVID setting on my SWITCH. Once I grasped that it was easy to setup multiple inter-routing VLANS.
I made a picture guide in Word to help me in the future if I forgot. Shoot me an email mike(at)43index(dot)com and I can forward it to you.
I made a picture guide in Word to help me in the future if I forgot. Shoot me an email mike(at)43index(dot)com and I can forward it to you.
Re: Inter-Vlan Routing
ok, sounds like this friend of yours deserves some good slappin. for that "Advice" 
So i did some configuration and setup a test lab and yes it is true that intervlan routing is on by default. All VLAN clients can connect to each other. Still i'm having trouble blocking specific traffic by default routed between different VLANS. Hence, i am planning to implement white listing using firewall chains, but I am having trouble understanding how the fw works. Guess I have some reading to do.
So i did some configuration and setup a test lab and yes it is true that intervlan routing is on by default. All VLAN clients can connect to each other. Still i'm having trouble blocking specific traffic by default routed between different VLANS. Hence, i am planning to implement white listing using firewall chains, but I am having trouble understanding how the fw works. Guess I have some reading to do.
Re: Inter-Vlan Routing
Thank you for your comment.ok, sounds like this friend of yours deserves some good slappin. for that "Advice"
So i did some configuration and setup a test lab and yes it is true that intervlan routing is on by default. All VLAN clients can connect to each other. Still i'm having trouble blocking specific traffic by default routed between different VLANS. Hence, i am planning to implement white listing using firewall chains, but I am having trouble understanding how the fw works. Guess I have some reading to do.
So that's strange, because at my testlab intervlan routing in not on by default.
This is my configuration:
Code: Select all
Router1:
/interface vlan
add name=VLAN20 vlan-id=20 interface=ether8 disabled=no
add name=VLAN30 vlan-id=30 interface=ether8 disabled=no
Add IP addresses to VLANs:
/ip address
add address=10.10.20.1/24 interface=VLAN20
add address=10.10.30.1/24 interface=VLAN30
Code: Select all
Router2:
/interface vlan
add name=VLAN20 vlan-id=20 interface=ether5 disabled=no
add name=VLAN30 vlan-id=30 interface=ether5 disabled=no
Add IP addresses to VLANs:
/ip address
add address=10.10.20.2/24 interface=VLAN20
add address=10.10.30.2/24 interface=VLAN30
Code: Select all
Router 1 + 2
/interface bridge
add name=br-vlan20 disabled=no
add name=br-vlan30 disabled=no
Code: Select all
Router1:
/interface bridge port
add interface="vlan-20" bridge="br-vlan20" disabled=no
add interface="ether7" bridge="br-vlan20" disabled=no
add interface="vlan-30" bridge="br-vlan30" disabled=no
add interface="ether6" bridge="br-vlan30" disabled=no
Code: Select all
Router2:
/interface bridge port
add interface="vlan-20" bridge="br-vlan20" disabled=no
add interface="ether4" bridge="br-vlan20" disabled=no
add interface="vlan-30" bridge="br-vlan30" disabled=no
add interface="ether3" bridge="br-vlan30" disabled=no
--> But when I connect a device on ether6 (router1) with IP: 10.10.30.30 and my laptop is still on ether4 (router2), communication is not working.
Code: Select all
Router1:
chain=forward action=accept src-address=10.10.20.0/24 dst-address=10.10.30.0/24 log=no log-prefix=""
chain=forward action=accept src-address=10.10.30.0/24 dst-address=10.10.20.0/24 log=no log-prefix=""
But i'm wondering, because whem I look @ the following guide:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples
Section: InterVLAN Routing
This configuration is much different then my config.
Can somebody explain the difference and if my configuration is correct
What's my goal:
- Management VLAN
- Default VLAN for home network (Wifi / LAN)
- Guest Wifi VLAN
- DMZ
So isolation through VLAN, but intervlan for routing between vlan's and through firewall configuation rules so only accepting traffic from one vlan to another vlan.
Any help is very welcome
