My home network consists of about a dozen VLANs. I have a dedicated (non-MikroTik) router, with each interface dedicated to a separate VLAN. Each interface serves DHCP from a subnet dedicated to that particular VLAN, and enforces various firewall rules controlling access between each of these subnets. I also have an (also non-MikroTik) switch with ports divided into access ports for each of the VLANs, and into this switch are plugged various virtualization servers, network appliances, and misc "home lab" devices around my house.
One of my VLANs is dedicated to my employment. I work from home, and my field is somewhat sensitive (cybersecurity), so my employer has a rule that any work-related devices must be connected to a dedicated, isolated network, away from e.g. family cellphones, laptops, IoT devices etc.
Here is a diagram of how it is currently set up (note the "work-laptop" at the bottom, outside of the dotted lines):
I've shown this diagram to my work's network team and they're satisfied with it.
Recently, my employer has decided to backhaul some work-related traffic via an OpenVPN network. They are attempting to make this as painless as possible for their employees, so they shipped out a pre-configured Mikrotik router to each employee, with the VPN pre-configured, as well as various logging/firewall rules. The expectation was that most employees (who probably generally have a simpler network topology than I do) could just unplug their work laptop from wherever it is currently plugged in, and put ether1 from this new Mikrotik in its place. The MT would then pull a DHCP address from upstream, and the laptop would then plug into one of the Mikrotik's other ports, which are configured as a switch.
I would like to continue using my current DHCP+firewall+VLAN setup, and their network guys have given me permission to reconfigure this MikroTik as I desire, so long as the VPN still connects and respects their pre-configured firewall/routing rules. I have reconfigured it to use ether1 as a trunk port, and ether2-ether10 as various Access ports. This setup allows me to keep this new work-issued MikroTik at my desk and also (conveniently) lets me have several access ports to other VLANs right at my desk.
This config looks like the following:
Code:
## Add bridge
/interface bridge add name=bridge1 vlan-filtering=yes

## Bridge Trunk port
/interface bridge port add comment="TRUNK" bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged

## Bridge Access ports
/interface bridge port
add comment="ACCESS" bridge=bridge1 interface=ether2 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether3 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether4 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether5 pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether6 pvid=33 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether7 pvid=33 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether8 pvid=33 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether9 pvid=22 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add comment="ACCESS" bridge=bridge1 interface=ether10 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

## Bridge VLANs
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=11
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=22
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=33
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=44
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=55
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=66
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=77
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=88
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99

## IP interfaces
### MGMT
/interface vlan add interface=bridge1 name=VLAN_MGMT vlan-id=99
/ip address add address=10.99.0.10/16 interface=VLAN_MGMT

### WORK
/interface vlan add interface=bridge1 name=VLAN_WORK vlan-id=11
/ip address add address=10.11.0.10/16 interface=VLAN_WORK
/ip route add distance=1 gateway=10.10.0.1
So swapping the MikroTik inline with my work-laptop, it currently looks like this:
The OpenVPN is connecting fine, and I can use tools on the MikroTik to ping resources on the other side of the OpenVPN tunnel just fine. My work laptop also pulls an IP address from the 10.11.0.0/16 subnet just fine (just as it did before). Here is the MikroTik's current IP/routing, including the dynamic routes set up by the OpenVPN:
Code:
[admin@mikrotik-router] /> /ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY    DISTANCE
0  As 0.0.0.0/0         10.11.0.1         1
   DAv 10.8.0.1/32      10.8.5.1          1
   DAc 10.8.5.1/32      ovpn-work         0
   DAc 10.11.0.0/16     VLAN_WORK         0
   DAc 10.99.0.0/16     VLAN_MGMT         0
   DAv 10.255.255.0/24  10.8.5.1          1
   DAv 172.22.0.0/24    10.8.5.1          1
   DAv 172.46.0.0/24    10.8.5.1          1

[admin@mikrotik-router] /> /ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS        NETWORK    INTERFACE
0   10.99.0.10/16  10.99.0.0  VLAN_MGMT
1   10.11.0.10/16  10.11.0.0  VLAN_WORK
2 D 10.8.5.2/32    10.8.5.1   ovpn-work
However, with this current setup I cannot hit the work resources from my work-laptop as I can directly from the MikroTik via ping. It makes SENSE to me that I cannot hit them yet, because the L2 VLAN-tagging is making my work-laptop traffic think it's plugged into my personal switch just like it's been all along. However, what I do not know is the right way to approach solving this. I would like the MikroTik to route traffic intended for the other end of the OpenVPN appropriately, but with its current configuration, that traffic is currently VLAN-tagged "11" while it's on the bridge, and that's not stripped off of the packets until after they are sent up and out the trunk port.
Do I need to somehow make the ovpn-work interface itself aware of vlan-tagging? Or maybe somehow setting static routes on my laptop would let my laptop know where to send those packets for routing?
Statistics: Posted by C28AB — Fri Jan 19, 2024 12:28 am
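An added illustration of the routing question raised in the post (this is not the poster's code nor any forum answer): a small longest-prefix-match simulator loaded with the MikroTik's route table as printed above, beside an assumed laptop table. The laptop table is a guess, since the post never shows it: a DHCP client on VLAN 11 whose only routes are its connected /16 and a default route via the upstream router, which I take to be 10.11.0.1 because that is the MikroTik's own default gateway. The third table models the static-route experiment the poster wonders about, with the MikroTik's VLAN_WORK address (10.11.0.10) as the next hop for one tunnel prefix.

```python
import ipaddress

# Route tables as (destination prefix, gateway) pairs. A gateway that is an
# interface name means "directly connected". The MikroTik table is transcribed
# from the /ip/route/print output in the post; the laptop table is constructed.
MIKROTIK_ROUTES = [
    ("0.0.0.0/0", "10.11.0.1"),
    ("10.8.0.1/32", "10.8.5.1"),
    ("10.8.5.1/32", "ovpn-work"),
    ("10.11.0.0/16", "VLAN_WORK"),
    ("10.99.0.0/16", "VLAN_MGMT"),
    ("10.255.255.0/24", "10.8.5.1"),
    ("172.22.0.0/24", "10.8.5.1"),
    ("172.46.0.0/24", "10.8.5.1"),
]

# Assumed laptop table (not shown in the post): DHCP client on VLAN 11 with
# the upstream router as default gateway. "eth0" stands for its wired NIC.
LAPTOP_ROUTES = [
    ("0.0.0.0/0", "10.11.0.1"),
    ("10.11.0.0/16", "eth0"),
]

# Hypothetical static route for the poster's "static routes on my laptop" idea:
# send one tunnel prefix to the MikroTik's VLAN_WORK address instead.
STATIC_PREFIX = "172.22.0.0/24"
STATIC_GATEWAY = "10.11.0.10"


def lookup(routes, dst):
    """Longest-prefix match: return (prefix, gateway) chosen for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return (str(best[0]), best[1]) if best else None


def next_hop(routes, dst):
    """Just the gateway (or connected interface) a host would use for dst."""
    match = lookup(routes, dst)
    return match[1] if match else None


def with_static_route(routes, prefix, gateway):
    """Copy of a table with one extra static route appended."""
    return routes + [(prefix, gateway)]


def compare(dst):
    """Next hop for dst from each of the three tables, for side-by-side reading."""
    patched = with_static_route(LAPTOP_ROUTES, STATIC_PREFIX, STATIC_GATEWAY)
    return {
        "mikrotik": next_hop(MIKROTIK_ROUTES, dst),
        "laptop": next_hop(LAPTOP_ROUTES, dst),
        "laptop+static": next_hop(patched, dst),
    }


if __name__ == "__main__":
    # Sample destinations: a tunnel host, the OpenVPN-pushed /24, the upstream
    # gateway itself, and an arbitrary Internet address.
    for dst in ("172.22.0.5", "10.255.255.7", "10.11.0.1", "8.8.8.8"):
        print(dst, compare(dst))
```

Reading the output: for 172.22.0.5 the MikroTik picks the tunnel next hop 10.8.5.1, while the laptop, under the assumed table, hands the packet to 10.11.0.1 and it never reaches the MikroTik's routing engine at all; only the table with the added /24 sends it to 10.11.0.10. The simulation covers the layer-3 next-hop choice only. Whether the MikroTik then forwards such a packet into ovpn-work also depends on the employer's pre-configured firewall and NAT rules on the device, and on the far side having a return route, neither of which the post shows.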