Mikrotik Setup Help

rosco (Gawd; joined Jun 22, 2000; 722 messages)
I need to setup a network with VLANs so that I can operate a guest wireless network alongside our secured wireless network. Each one will be on a separate VLAN. I'm planning on using UNIFI APs for that part.

I have been looking for an L3 switch to do the routing between VLANs: http://hardforum.com/showthread.php?t=1678294

However, now I'm thinking it would be more cost effective to just use a Mikrotik RB750GL to do the routing between the VLANs.

I have never setup a Mikrotik router before so I was wondering if there is someone out there that is good with Mikrotik that could give me the cliffnotes version of how to set this up.
 
Good choice in the UBNT gear. I absolutely love that stuff. I'm not familiar with the Mikrotik equipment though I do know everyone likes it at the UBNT forums.

I'd simply create an interface for each VLAN on the router and then plug them into the corresponding VLANs on the L2 switch. If possible, send it all over one cable via 802.1Q. This should be the default route between all the networks unless you have some rules in place saying nay to that.
 

Be careful though,

My Sonicwall TZ210 handles all my VLAN routing, and when I transfer a large file across the VLANs, it PLOWS into the earth and reboots, etc. It can't handle it.

Not sure what the CPU power on your Mikrotik RB750GL is, but make sure you test this before you go ahead.
 
How I have my UniFi and RB450G set up is I have two VLANs. VLAN 1 is my private network and VLAN 2 is my guest network. They are in different subnets: 192.168.x.x and 10.0.0.x.

So on my switch I set the port with the UniFi on it to both VLANs and then set one port on the switch to the guest VLAN. From that guest VLAN port I ran a patch cable to the third interface on my RB. It hands out the DHCP for the guest network. On the second interface on the RB I have a cable running to my switch as well, but on VLAN 1. The RB does DHCP for this network as well. You can do multiple DHCP servers on the RB.

In the filter rules I created two: one that drops any traffic from 192.168.1.0/24 to 10.0.0.0/24 and one that drops any traffic from 10.0.0.0/24 to 192.168.1.0/24. I also set up client isolation on the guest network on the UniFi. They can't see anyone on their network OR my private network.

I hope my wall of text at least makes a bit of sense.
 
Sure does.
 
I run this kind of setup with an RB450G as well, though I used a really cheap AP (VersaTek). As /usr/home notes, it works really well, and RouterOS gives you a lot of flexibility in building rules to route traffic between the VLANs.

One thing I'll point out to save you some hassle. Unlike every other router in the world, RouterOS cannot support combining "tagged" and "untagged" VLANs on the same port (i.e., you can't run a "default" VLAN along with tagged traffic). There is no indication in the GUI that you can't do this. In fact, the GUI is just fine with helping you define it. It just doesn't work.

You have to treat the link between your AP and the RouterBoard as a VLAN trunk with all VLANs tagged. Once you get this, it's all pretty easy stuff to set up.

I love the Mikrotik and RouterOS. Can't imagine a more capable device at <$100. But this one bit of silliness does bug me about it...
 
It is starting to make sense. One thing though is I will actually have at least 6 UniFi APs. Can I just expand your example and dedicate 6 ports to both VLANs on my L2 switch and then follow your example after that?

In your example, are you ONLY using the ports on your Mikrotik that you mentioned, 2 and 3? I just want to make sure there is nothing else I would have to plug in.

I am currently using our Windows server for DHCP. Would I continue using that for the private network and just have the Mikrotik act as DHCP for the public network? Or, should I have the RB act as DHCP for the whole network?

I also have several unmanaged switches. How would they blend into the new VLAN setup? I'm guessing you can just uplink them to the managed switch into a port that is dedicated to VLAN 1 (private) and that is all it needs, correct?

I would like as little traffic as possible crossing the RB. In your example, only traffic from the wireless APs would touch the RB if I'm understanding it. That would be great if that's the case.

Do you have anything else plugged into the RB, or just the two interfaces you mentioned?

Thanks for the help. I'm new to Mikrotik and the VLAN concept as well.
 
Hopefully this makes sense.

[image: mikrotikunifivlansettings.jpg (Mikrotik/UniFi VLAN settings diagram)]
 
It is starting to make sense. One thing though is I will actually have at least 6 unifi APs. Can I just expand your example and dedicate 6 ports to both VLANs on my L2 switch and then follow your example after that?

Yes.

In your example, are you ONLY using the ports on your Microtik that you mentioned, 2 and 3? I just want to make sure there is nothing else I would have to plugin.

Mine has:
- port 1 facing the WAN
- port 2 facing an untagged L2 switch with an "internal" VLAN, tags stripped
- port 3 facing an L2 managed switch with all VLANs trunked/tagged

You could then put as many of your Unifi APs as you want onto the L2 managed switch.

I am currently using our Windows server for DHCP. Would I continue using that for the private network and just have the Mikrotik act as DHCP for the public network? Or, should I have the RB act as DHCP for the whole network?

Complicated question. You do need to have each VLAN run as a separate subnet at layer 3 if you want to do routing/firewalling between VLANs. This means you need to run a separate DHCP pool for each VLAN. You could configure the multiple pools on your Windows server machine, but that would require exposing the "public" VLAN to your server. Good security practice probably suggests that is not a good idea... so even though it's a PITA, you probably want to set up DHCP for the "public" VLAN on the Mikrotik.

I also have several unmanaged switches. How would they blend into the new VLAN setup? I'm guessing you can just uplink them to the managed switch into a port that is dedicated to VLAN1 (private) and that is all it needs, correct?

See above. You could also do the "uplink" to your managed L2 switch and set it up to only pass the "private" VLAN with tags stripped. This keeps the traffic off the Mikrotik (love it or hate it, you have to admit the RouterBoard has limited forwarding capability and adds more latency than a switch). I actually do this for most of my untagged traffic. The "untagged" switch listed above on port 2 actually only carries traffic for my little PBX to its SIP phones, and this traffic has special QoS and firewall rules in the Mikrotik.

I would like as little traffic as possible crossing the RB. In your example, only traffic from the wireless APs would touch the RB if I'm understanding it. That would be great if that's the case.

If you do it the way its described above, the actual VLAN separation happens on your managed L2 switch. The only traffic that EVER hits the Mikrotik is traffic that routes from one VLAN to the other (and "internet" traffic if you have a WAN port active on the Mikrotik to dispose of your "public" traffic).

Do you have anything else plugged into the RB, or just the two interfaces you mentioned?

I use an untagged port for a VLAN dedicated to my PBX - see above.

Thanks for the help. I'm new to Mikrotik and the VLAN concept as well.

Hope it's actually helpful. Good luck.
 
Thank you for taking the time to do that. I'm still going over all the info you gave me but I wanted to ask a followup question as I think I left out one piece initially.

We currently use Untangle for our firewall/content filter. What we are looking to do is to upgrade the package we have with them to include AD authentication. The idea is that, based on their AD credentials, certain users will have access to more websites than others.

So, would that still work with the setup you are describing? It seems like you are saying untangle would have to be on a different subnet from everything else so I want to verify it won't break the AD authentication piece.

Thanks once again.
 
The Unifi doesn't even need VLANs does it? Can't you restrict subnets on it?
 
In Wireless Configuration, enable "Apply Access Policies".

This turns on guest isolation and subnet restrictions (which can be customized in Settings -> Guest Control), etc., making sure guests cannot access your corporate network. If you choose Open for security, it's pretty much connect-and-go: no guest portal, no "Terms of Use" or anything. The UniFi controller doesn't even have to be running! You still have the option to choose WPA-Personal; you just need to have a way to tell the guests the passphrase.

I still used VLANs on my UniFi setup though.
 
Unfortunately I am not an Untangle user and can't offer any help here.

As others have pointed out - there are more ways to skin this cat too. The VLAN separated idea worked well for me and my application, but depending on your tolerance for security risks the subnet idea above could be workable too (just remember that unlike the VLAN idea this one is not actually secure - a user on the 'private' subnet could always manually change his IP address to a valid address on the "private" one and pass traffic).
 
This. It works great, but I just chose to do it AND VLANs because why not. I like doing that kind of stuff.
 
Well, in my situation, I would probably prefer a more simple setup. :)

Plus, that way I wouldn't need an extra router to do this.

Is there something I would be missing out on by NOT doing it the hard way......I mean implementing VLANs?
 
Wait, that's right, the reason I was thinking I would need to do a VLAN/router setup is that to make untangle do content filtering without adding in another network interface in my untangle box, I needed a VLAN and routing.

Supposedly, it's not terribly easy to setup untangle with another interface to filter guest internet traffic.

So, it looks like I'm back to needing to try your guys' tips to get the mikrotik working.
 
OK, so I finally have all the hardware and I'm working on getting it configured.

I have a 24 port switch and so I want to configure ports 1 - 12 for APs and ports 13 - 24 for my critical devices like servers, untangle firewall, dist switches, etc.

So, on the switch I set ports 1 to 12 as VLAN 1 and 2 tagged, then 13 to 24 as VLAN 1 untagged. (No other managed switches.)

Then, I set port 2 of the Mikrotik to VLAN 1 and another port to VLAN 2.

I set the guest network on the unifi to be vlan2 and the secured wireless to be vlan1.

I know I then need to set up the routing on the Mikrotik to route between the two, but I haven't even gotten that far yet. I have no idea how to configure that on the Mikrotik.

So, does that plan seem right? Can I have the Mikrotik provide DHCP for just those two wireless networks and keep my Windows 2008 server as DHCP server for the rest of the network?

Any cheat sheets on how to create the mikrotik routing I need?
 
I already PMed you, but I'll try again to clarify.

Create a new VLAN, use 2. Now add only ports 1-12 (your AP ports) to VLAN 2. Leave VLAN 1 alone.

Now set ports 1-12 tagged (PVID) as 2 (your new VLAN number). Leave everything else alone. If you're having issues, change the PVID of the cable coming from the Mikrotik to 1, but 2 should work.

Take a cable from a port on the Mikrotik to a port on VLAN 2. Configure the port on the Mikrotik to block all traffic from the subnet of your internal network. Also setup DHCP on the Mikrotik for the wireless. Create filter rules blocking traffic to and from the two subnets. You do not need to do anything with VLANs on the Mikrotik. It doesn't care about VLANs right now.

Set your guest network as VLAN 2. Your internal network wireless doesn't even need to be set to a VLAN, it'll be one by default unless you specifically give it one.

You may need to remove the port on the Mikrotik from being in switch mode so that it can operate independently from the rest.

Refer to my above diagram.
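The Mikrotik side of the setup that the three how-to posts above describe (the two-port RB450G setup with address-based drop rules, the WAN / untagged / tagged-trunk port layout, and the cheat sheet just above), written out as an added RouterOS configuration example. It is not from any poster or from Mikrotik's documentation. It assumes RouterOS v6 before 6.41 (the era of the RB750GL/RB450G, where the switch group is controlled by master-port), ether1 as the WAN taking an address by DHCP, ether3 as the 802.1Q trunk to the managed switch with every VLAN tagged, VLAN IDs 10 and 20 standing in for the thread's VLAN 1 (private, 192.168.1.0/24) and VLAN 2 (guest, 10.0.0.0/24), the router at .1 in each subnet, and a guest pool of 10.0.0.100-200; the private network keeps its Windows DHCP server, so only the guest VLAN gets a DHCP server on the router.

```routeros
# Added example, not from the thread. RouterOS v6 (before 6.41).
# Assumed layout:
#   ether1 = WAN (DHCP client)
#   ether3 = 802.1Q trunk to the managed L2 switch, all VLANs tagged
#   vlan-id 10 = private 192.168.1.0/24 (thread's VLAN 1), DHCP stays on Windows
#   vlan-id 20 = guest   10.0.0.0/24    (thread's VLAN 2), DHCP on the Mikrotik
# Router addresses (.1), VLAN IDs, pool range and names are assumptions.

# On these boards ether3-5 are switch-chip slaves of ether2 by default.
# Take ether3 out of the switch group so it routes on its own ("remove the
# port from switch mode"). 6.41+ does this with a bridge instead.
/interface ethernet
set ether3 master-port=none

# VLAN sub-interfaces on the trunk. For the untagged variant used in the
# earlier posts (router port patched into an access port of the guest VLAN),
# skip these and put the addresses directly on the physical ports instead.
/interface vlan
add name=vlan10-private interface=ether3 vlan-id=10
add name=vlan20-guest interface=ether3 vlan-id=20

/ip address
add address=192.168.1.1/24 interface=vlan10-private comment="private (VLAN 1 in thread)"
add address=10.0.0.1/24 interface=vlan20-guest comment="guest (VLAN 2 in thread)"

/ip dhcp-client
add interface=ether1 disabled=no comment="assumed: WAN address by DHCP"

# DHCP only for the guest VLAN; the private VLAN keeps the Windows server.
/ip pool
add name=guest-pool ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add name=guest-dhcp interface=vlan20-guest address-pool=guest-pool lease-time=1h disabled=no
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1
# Router answers DNS for guests; the input chain below keeps it from being
# an open resolver on the WAN side.
/ip dns
set allow-remote-requests=yes

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="guest and private out the WAN"

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address=192.168.1.0/24 action=accept comment="management from private"
# DHCP discover arrives from 0.0.0.0, so match the interface, not the subnet
add chain=input in-interface=vlan20-guest protocol=udp dst-port=67 action=accept comment="guest DHCP"
add chain=input in-interface=vlan20-guest protocol=udp dst-port=53 action=accept comment="guest DNS"
add chain=input action=drop comment="everything else, including anything from the WAN"
# forward chain: routed traffic between VLANs and to the WAN
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# the two address-based drops from the thread, both directions
add chain=forward src-address=10.0.0.0/24 dst-address=192.168.1.0/24 action=drop comment="guest -> private"
add chain=forward src-address=192.168.1.0/24 dst-address=10.0.0.0/24 action=drop comment="private -> guest"
add chain=forward src-address=10.0.0.0/24 out-interface=ether1 action=accept comment="guest -> internet"
add chain=forward src-address=192.168.1.0/24 out-interface=ether1 action=accept comment="private -> internet"
add chain=forward action=drop comment="default deny for anything not listed"
```

Paste it into a RouterOS terminal (or run the commands one section at a time). Two points a practitioner should check: the established/related accept sits first, so the two drop rules block new connections in both directions, and since nothing from the guest side can open a connection to the private side, the private side never sees guest-originated traffic at all; and the input chain ends in a drop, which is what stops the router's DNS (allow-remote-requests=yes) from answering queries from the WAN. If a switch port on the private VLAN is patched to the router untagged instead of trunked, replace the vlan20-guest references with the physical port name and the rest stays the same, because the filter rules match on addresses rather than VLAN interfaces.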
 
One issue I'm going to have that differs from your example is that I want all my internet to go over VLAN1. That is because I want to use Untangle to filter all traffic even from the Guest network which is on VLAN2.

How can I do that?

I'm pretty much going to have to plug my Untangle firewall directly into the Mikrotik, aren't I? Then the next question will be if AD authentication will still work. I'm getting the AD connector package through Untangle so that if people authenticate and are part of a privileged group, they can access additional sites.
 
I believe if you do VLAN tagging, which I "think" RouterOS supports (I've never done it).

As for Untangle, you may need to have two interfaces. One for guest and one for Internal. I don't think Untangle can do VLAN tagging. Again, I'm not sure on that, I've never tried to do it.
 