Hi. I want to try and do an unorthodox thing on my home network.
There's an awful lot of protocols that you would want to work on a home network that depend on a single multicast packet emitted from one node on the network being able to reach all other nodes on the network. Multicast routing, however, is confusing at best, and even more so with MikroTik. There is very little documentation and it seems to be of no use to anyone but the network pros. I've found that the easiest solution is to just put everything in a bridge and enable the 'use-ip-firewall' setting, so that you can still put your servers into their own little walled garden, just in case.
For this reason, I'd like to do Inter-VLAN Bridging on my home network. (I also don't quite like how the router has to have a separate address for each VLAN; this seems pretty unnecessary.)
Let's say I have two ports, ether1 and ether2. There's a device (172.16.1.1) connected to ether1 that uses native VLAN, i.e. does not send out packets with VLAN tags and does not accept packets with VLAN tags. Let's say there is a unicast packet coming in on ether2 with a VLAN tag (VLAN-ID=20, for specificity's sake) that has 172.16.1.1 as a destination address. I would like it to be forwarded to the device on ether1, stripped of its VLAN tag. I would also like for the device to be able to reply to that packet and reach whatever device was sending this packet. It would send an untagged packet towards ether1 with destination IP address, say 172.16.1.2, and the packet would be bridged and would come out of ether2 with an appropriate VLAN tag (VLAN-ID=20).
I would then like to use the IP firewall to moderate which connections are allowed, and which aren't. For example, let's say I'd like to expose my media server to my guest network (let's say VLAN-ID=10), but not the other way around. I would first put the media server on a separate VLAN (let's say 55), then set up a rule to drop any connections from VLAN 55 to VLAN 10, then a rule to allow established connections through.
Problem is, any way to make this real that I can come up with is either a known level 2 misconfiguration or simply doesn't work.
The most obvious way that comes to mind first is to put all required physical interfaces in a bridge, set up VLAN interfaces on this bridge, and then put these VLAN interfaces in another bridge. But that's just the "VLAN on a bridge in a bridge" L2 misconfiguration.
There's also the "Bridged VLAN" L2 misconfiguration, which isn't a misconfiguration at all if you don't create loops or want STP, and seems to be exactly what I want, apart from being CPU-heavy. However, it doesn't seem to work with native VLAN. I can only think of one way to allow native VLAN to also be bridged, and it's to put physical interfaces into the bridge. But that's yet another L2 misconfiguration, "VLAN interface on slave interface".
Please help. I'm utterly confused as to how to do this. It seems like it should be simple.
Statistics: Posted by Nullcaller — Tue Apr 02, 2024 9:18 pm
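The bridging and firewall policy described in the post, written out as an added RouterOS example that is not part of the original post. It assumes guests (VLAN 10) and the media server (VLAN 55) arrive tagged on the ether2 trunk, that the untagged device on ether1 belongs to VLAN 20, and that the interface names are invented.

```routeros
# Added example (not from the original post): one bridge carrying the native
# VLAN on ether1 plus the tagged VLANs of the ether2 trunk, with the IP
# firewall enforcing "guests (10) may reach media (55), but not the reverse".
# Assumptions: VLANs 10 and 55 arrive tagged on ether2, the untagged device on
# ether1 is in VLAN 20, and all interface names are invented for this example.

# VLAN interfaces live on the trunk port; ether2 itself stays out of the bridge.
/interface vlan
add name=vlan10-ether2 vlan-id=10 interface=ether2 comment="guest network"
add name=vlan20-ether2 vlan-id=20 interface=ether2 comment="peers of ether1"
add name=vlan55-ether2 vlan-id=55 interface=ether2 comment="media server"

# One bridge: a frame entering via vlan20-ether2 leaves ether1 untagged, and a
# frame entering via ether1 leaves ether2 tagged with VLAN-ID 20, because the
# VLAN interface adds the tag on egress.
/interface bridge
add name=bridge1 comment="single L2 domain so multicast reaches every host"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=vlan10-ether2
add bridge=bridge1 interface=vlan20-ether2
add bridge=bridge1 interface=vlan55-ether2

# Pass bridged IP traffic through /ip firewall so the forward chain can match
# on in-bridge-port / out-bridge-port (the real member port behind bridge1).
/interface bridge settings
set use-ip-firewall=yes

# Rule order matters: replies from the media server to a guest-initiated
# connection travel 55 -> 10, so established/related is accepted first and the
# drop is limited to new connections opened from the media VLAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies in either direction"
add chain=forward connection-state=new in-bridge-port=vlan55-ether2 \
    out-bridge-port=vlan10-ether2 action=drop log=yes \
    log-prefix="media->guest" comment="media VLAN may not open to guests"
add chain=forward connection-state=invalid action=drop
```

Because all three VLANs share one broadcast domain here, the IP firewall is the only separation between them, so matching on bridge ports rather than on source addresses keeps a host from slipping past the rule by simply changing its IP. The logged drops and `/ip firewall filter print stats` show whether the rule is actually catching media-to-guest attempts.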