this post was submitted on 12 Sep 2024
10 points (100.0% liked)
Mikrotik
177 readers
1 users here now
A community-contributed sublemmy for all things Mikrotik. General ISP and network discussion also permitted. Please ensure if you're asking a question you have checked the Wiki First: https://help.mikrotik.com
Mikrotik Rules: Don't post content that is incorrect or potentially harmful to a router/network.
This in itself is not a bannable offence but answers that are verifiably incorrect or will cause issues for other users will be edited or removed.
Examples: Factual errors - "EOIP is always unsecure" Configuration problems - Config that would disable all physical interfaces on a router Trolling - "Downgrade it to 5.26"
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Isn't it simpler to have two bridges with their own subnet and some firewall rules to prevent interaction between the two?
That’s essentially what VLANs are.
VLANs do this but on the same device.
Depends on what hardware you have I guess.
Actual bridges aren't really a thing these days, but unmanaged switches are still common, which are essentially just switches with all ports configured in the same VLAN that you can't change.
Whether you use dedicated physical devices or virtual LANs (VLANs) for the access ports where you connect you client devices, you'd likely still end up using different VLANs in whatever router or firewall you put inbetween those.
Yes, you can technically configure multiple subnets on the layer 2 broadcast domain, but that would be less secure and more prone to problems.
Mikrotiks normally have hardware acceleration for VLANs and switching for only 1 bridge. Beyond that, traffic has to go through the CPU.
Multiple bridges were one of the old ways, before hardware offloading.
The way to do it is to have 1 bridge, register the vlans on the bridge, tag/untag all the bridge ports as appropriate, set PVIDs as appropriate. Add 2 VLAN interfaces (this gives the CPU access to the VLAN), add static IPs to the vlan interfaces, set up DHCP appropriately.
Always worth taking a backup of the config, then enable hardware offloading last. If you end up locking yourself out, reset and reload the config, figure out what you did wrong.
Enable safe mode too? If there’s a problem while in safe mode just power cycle the router and the last good config before safe mode enables should come back up.
I’d still do a backup in addition to play it safe though.