Improvement recommendations? Diagram inside

LucasG

Gawd
Joined
Jul 2, 2004
Messages
675
Hey everyone,

Getting my first Mikrotik Router tomorrow and I will be re-arranging all my network, adding cable to all cameras, placing a wireless access point and looking at the best way to securely have my network. I already went over MikroTik first configuration, which seems rather simple.

Any recommendations to add to this diagram?

Screen Shot 2022-03-09 at 23.15.18.png


I will probably add a switch in the future with POE for the two cameras and the AP, for now they are using external power. Will be adding a guest network for visitors on the AP.

I have seen people recommend creating virtual networks within the router, any specific reason? To separate the network even more?
 
Last edited:
Well there is a lot of doodads on that diagram, but it just looks like a flat network to me, with guest wifi. What kind of advice are you looking for? You might want to put the NVR and cameras on a different network, or anything that is "outside".
 
Secure your network would be

Put all IoT devices on their own VLAN and block it from talking to anything else on your network - they are your most insecure devices. You could also include your TV on here. Assuming your TPLink lets you do SSID per VLAN.

Aside from that, block outbound DNS port 53/853 - this removes any chance of DNS poisoning and then devices on your network can only use your DNS server.
 
Secure your network would be

Put all IoT devices on their own VLAN and block it from talking to anything else on your network - they are your most insecure devices. You could also include your TV on here. Assuming your TPLink lets you do SSID per VLAN.

Aside from that, block outbound DNS port 53/853 - this removes any chance of DNS poisoning and then devices on your network can only use your DNS server.
Yes it allows SSID per VLAN. Will block outbound 53/853.
 
Hey everyone,

Getting my first Mikrotik Router tomorrow and I will be re-arranging all my network, adding cable to all cameras, placing a wireless access point and looking at the best way to securely have my network. I already went over MikroTik first configuration, which seems rather simple.

Any recommendations to add to this diagram?

View attachment 452315

I will probably add a switch in the future with POE for the two cameras and the AP, for now they are using external power. Will be adding a guest network for visitors on the AP.

I have seen people recommend creating virtual networks within the router, any specific reason? To separate the network even more?
Very nice diagram. What tools did you use to create this?
 
Is there a switch connected to the router not shown in the diagram? I ask this not having used Mikrotik devices but in general routers frown, read puke and don't allow, on having the same subnet connected to multiple interfaces. That said, from a security standpoint wireless and wired should not be bridged. The zigbee hub should also not be on the same subnet as anything else. Cameras should also be moved to a separate network, especially so if they are outside where anyone access the connection ie the patio. To be blunt that network is extremely insecure and that's putting it mildly.
 
A routers job is to route between different subnets, aka different subnet on each port, I'd honestly be surprised is the router allows for this configuration, home routers allow it because their ports are basically an inbuilt switch. In this layout you are treating the router as a switch, it isn't and IF it allows this configuration you're going to have not only an insecure network, but you'll be dropping packets and it will be SLOW
 
You can definitely use a Mikrotik router to send the same subnet or different subnets to a bunch of devices without a switch in between.
 
You can definitely use a Mikrotik router to send the same subnet or different subnets to a bunch of devices without a switch in between.
Just because you can doesn't mean you should. If you're really looking for a secure network you most certainly should not. As others said, the picture is pretty though.
 
It would be much more appreciated to provide guidance or something rather than just jumping in, saying it sucks/it's unsecure without actually explaining much, missing the point of the forum.
 
Failing to read is missing the point of the forum. Which part of posts #2, #3, #5, and #9 did you not read?


1. You might want to put the NVR and cameras on a different network, or anything that is "outside".
2. Put all IoT devices on their own VLAN and block it from talking to anything else on your network
3. I would take security even one step further if the nvr can connect directly to the cameras
4. wireless and wired should not be bridged.
5. The zigbee hub should also not be on the same subnet as anything else.
6. Cameras should also be moved to a separate network, especially so if they are outside where anyone access the connection ie the patio.
 
Last edited:
You can definitely use a Mikrotik router to send the same subnet or different subnets to a bunch of devices without a switch in between.
A decent router honestly shouldn't allow that, but I'm used to enterprise gear. I'd be surprised if you aren't dropping packets in this setup, unless Mikrotik is essentially a consumer router with a built-in switch with some enterprise software capabilities. I haven't used their products.
 
Like, freaking awesome. Seems way better than Visio and much easier to use. +1.
We moved from Visio to Lucid Chart years ago. Visio is dead software for all intents and purposes.

Make sure you look up how to harden that Mikrotik. It’s an incredibly insecure device out of the box.
 
I'd add a switch to this environment, create a VLAN for your IOT devices, set your PC's up on another VLAN this could be VLAN for Trusted-Wifi and your wired PC's(and anything else you trust), perhaps a third VLAN for your NVR equipment. Do the VLAN's at the switch level, set up a trunk port between the switch and router, this will require router on a stick configuration.

The main reason for VLANS is obviously network segmentation, but more than that it allows you to create firewall rules in your router, for example, your IOT network you allow it out to the internet only, but block it from talking to the trusted WifI PC's no need for it to do that. Depending on how you manage your NVR you can create rules to only allow Communication from a particular IP on one network to the "semi-trusted" network or even just one IP from the trusted network to NVR, obviously the cameras would be on the same VLAN as the NVR, the rules really depend on how you plan on using your network, and what you want to allow to communicate with what, that becomes a much easier task when the network is already segmented to suit your needs.
 
Back
Top