Hey, I have a Mikrotik as main home router and Archer C7 as "not-so-dumb" AP connected with only one cable, cannot afford the run another cable.
Right now I have 192.168.1.0 network connected between them. I also want another network 192.168.7.0 (which is already isolated from main network on my AP), on the same port, connecting to my main router, again on the same port and cable.
I searched a bit and it seems possible but I couldn't figure out exactly how to configure this.
What you want is two tagged vlans on the same cable. Read up on tagged VLAN.
| CPU (eth0) | LAN 1 | LAN 2 | LAN 3 | LAN4 | WAN | |
|---|---|---|---|---|---|---|
| 1 | tagged | tagged | off | off | off | off |
| 2 | tagged | tagged | off | off | off | off |
Like that? eth0.1 and eth0.2 on same port/cable set up in interfaces with appropriate networks, going to Mikrotik, and so I also have to configure Mikrotik side VLAN tagging...
exactly. so everything sent out LAN1 will have either tag 1 or tag 2 and you set up mikrotik device to also use only tag1 or tag2 on that cable... voila you have two separate networks on the same wire.
To make things clean and simple, can I not change my already working network with VLAN and only have one VLAN for the other network?
| CPU (eth0) | LAN 1 | LAN 2 | LAN 3 | LAN4 | WAN | |
|---|---|---|---|---|---|---|
| 1 | tagged | untagged | off | off | off | off |
| 2 | tagged | tagged | off | off | off | off |
1 is 192.168.1.0
2 is 192.168.7.0
edit: it would be much easier because I won't have to change my home network in Mikrotik into VLAN. That may complicate things.
It is possible to do, if it is complicated to make the change, then feel free. The main reason not to do that is that all-tagged packets makes everything more explicit and easier to debug and avoid bugs, bugs like you start sending packets from a VLAN2 device but forget to tag them, and then suddenly they're crossing onto VLAN1 and violating your important security.
Then let me ask you this, in Mikrotik device, ether5 (connected to openwrt AP getting 192.168.1.252 as DHCP client) is on bridge (192.168.1.1/24), can I create VLAN on ether5 having Mikrotik router's network address (192.168.1.0)? So that it still gets xx.1.252?
I sure can create VLAN on ether5 with id:2 and assign 192.168.7.0 to it. thats not complicated.
That was the complication when I was thinking.
is the mikrotik device running OpenWrt or their own router OS? I know it's possible to do what you want either way but I don't know how router OS configures it.
Its routeros.
then the answer is yes, but you've got to do it basically the same way that you did for the VLAN 2 which I don't know what that is.
So you are saying its OK to do:
OpenWrt Already configured on eth1 as tagged for IDs 1 and 2, and appropriate firewall.
Mikrotik Create VLAN on ether5 with id:1 and assign 192.168.1.0 to it.
Mikrotik Create VLAN on ether5 with id:2 and assign 192.168.7.0 to it.
OpenWrt AP VLAN id1 gets its IP from DHCP client which served by DHCP server on Mikrotik by bridge1 at ether5.
Mikrotik AP VLAN id2 puts its IP 192.168.7.226 on address setting, getting id2 VLAN from OpenWrt AP.
I'm planning to do this.
that's exactly what I'd do.
I did it as you said, both tagged and it worked nicely. Thanks!
And for the confusion I had yesterday turned out to be nothing because I remembered when I created vlan-local via ether5, I just went and deleted ether5 from bridge and add the vlan-local to bridge, which DHCP serves to. No complications at all.
Just a little reminder. In Mikrotik, after v6.41, one must use bridge vlan filtering mode for any VLAN added and working in the bridge. So my over-thinking on that before actually was true, I had dropped packets on the interface thats been VLAN'd and now its OK.
This topic was automatically closed 0 minutes after the last reply. New replies are no longer allowed.