So I have gotten a few requests to explain my VLAN setup with Mimosa equipment. Instead of copying and pasting the same comment several times I will just make a new topic that I can link to:
I use entirely Mikrotik equipment for my system, but anything else that can tag/untag/trunk VLANs should be usable.
Here is a general idea of my network design:
Router --Tagged VLAN 1501-1800,999,998-- Switch --Tagged VLAN 1501-1550,999,998-- A5c --< Tagged VLAN 1501, untagged 998 >-- C5# --Untagged VLAN 1501-- Customer Router
(This is the general Layer 1 connectivity of how one of my customers gets their internet.)
Layer 2 looks like this to my customer: Router — Customer router (They can’t see anything about my network as long as I have decent firewall rules at my router)
The Router will have 200-1000 VLANs on it, 50 for each access point. (I don’t plan on ever having 50 customers on any single AP, but it’s a nice round number, and since it’s isolated to that switch I can reuse those VLANs repeatedly in my network.) On top of that there is one VLAN for management of the APs and one for management of the C5#s.
Then I trunk those VLANs through my switch. It takes the 100s of VLANs and spits 50 of them out to each AP along with the two management VLANs 998 and 999.
Each Access Point is set up to have its management interface on VLAN 999 and to untag 998, so that I can be lazy and not have to change the management interface on EVERY SINGLE ONE of my C5#s.
Then in the Clients page I select which of the 50 VLANs available on the A5 each customer gets.
I use a /30 of private IP space for each of my customers. The router gets one IP, the customer can use the other available IP. I set up a DHCP server on the VLAN interface so that a customer can just plug in whatever device they want and they don’t have to call me every time they want to swap their router.
This poses a slight problem if a customer needs a public IP address. There are a couple of ways to handle that, either with NAT or by sacrificing a /30 of public IP space per customer. My solution is to take those customers that want public IPs and put them into a bridge (a term in Mikrotik for treating multiple interfaces as if they had a switch between them). I then remove all the private IP stuff, and that bridge has a public IP DHCP server which hands their router a public IP. I basically sacrifice a bit of isolation between these customers; normally I only do this for homes that want public IPs for a VPN or gaming. If they were a really important customer I would sacrifice a /30. (Note: Mikrotik doesn’t support /31 addressing, instead insisting that their weird /32 addressing stuff is better, but it’s not compatible with anything else and I wanted a system that most non-stupid routers that followed standards would work with.)
I did lie a little bit, I use some Netonix switches, but how they operate is exactly the same as how I have the Mikrotiks set up. The port that has all the VLANs coming from the router is set up to trunk all those VLANs, and each port that goes to a different AP is set to only trunk the VLANs that the AP is supposed to get…
Following are a few lines of config that follow a single customer’s VLAN from my router to that customer.
On the Router, where the VLAN interface is created, we give it an IP address and range, bandwidth limit it with the Queue, create an IP pool for the DHCP server to hand out from, create the settings for the DHCP server to hand out, create the DHCP server to listen and do DHCP things, then add the interface to an interface list so my firewall can treat it appropriately.
interface vlan add name=Customer1603interface interface=ether7 vlan-id=1603
ip address add interface=Customer1603interface address=10.30.2.157/30
queue simple add target=Customer1603interface max-limit=64k/64k name=Customer1603 queue=ethernet-default/ethernet-default
ip pool add name=Customer1603pool ranges=10.30.2.158/32
ip dhcp-server network add address=10.30.2.158/32 dns-server=x.x.x.200,10.0.0.17 gateway=10.30.2.157 netmask=30 comment=Customer1603DHCPNet
ip dhcp-server add interface=Customer1603interface name=Customer1603DHCP address-pool=Customer1603pool disabled=no
interface list member add interface=Customer1603interface list=customer
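The seven router lines above are one instance of a per-customer template. As an added example that is not the author’s config or tooling, this Python script (constructed values, assumed helper names) emits the same lines for any customer VLAN and /30, and checks the VLAN allocation described in the post: 50 VLANs per AP starting at 1501, and no VLAN shared between two customers.

```python
import ipaddress

# Added example, not the post's own tooling: builds the per-customer router lines
# shown above and validates VLAN allocation. x.x.x.200 is the post's redacted DNS.

def customer_config(vlan_id, subnet, trunk_port="ether7", rate="64k/64k",
                    dns="x.x.x.200,10.0.0.17"):
    """RouterOS lines for one customer VLAN, in the order the post's router section uses."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"{subnet}: each customer gets exactly one /30")
    router_ip, customer_ip = net.hosts()  # a /30 has exactly two usable addresses
    name = f"Customer{vlan_id}"
    return [
        f"interface vlan add name={name}interface interface={trunk_port} vlan-id={vlan_id}",
        f"ip address add interface={name}interface address={router_ip}/30",
        f"queue simple add target={name}interface max-limit={rate} name={name} "
        f"queue=ethernet-default/ethernet-default",
        f"ip pool add name={name}pool ranges={customer_ip}/32",
        f"ip dhcp-server network add address={customer_ip}/32 dns-server={dns} "
        f"gateway={router_ip} netmask=30 comment={name}DHCPNet",
        f"ip dhcp-server add interface={name}interface name={name}DHCP "
        f"address-pool={name}pool disabled=no",
        f"interface list member add interface={name}interface list=customer",
    ]

def ap_vlan_range(ap_index, first=1501, per_ap=50):
    """AP n owns a block of 50 VLANs: AP 0 gets 1501-1550, AP 2 gets 1601-1650, and so on."""
    start = first + ap_index * per_ap
    return start, start + per_ap - 1

def check_assignments(assignments, first=1501, per_ap=50):
    """assignments maps customer name -> (ap_index, vlan_id). Rejects a VLAN outside
    its AP's block and any VLAN given to two customers, the mistake the post warns about.
    Returns {vlan_id: customer} when every assignment is consistent."""
    seen = {}
    for cust, (ap, vlan) in assignments.items():
        lo, hi = ap_vlan_range(ap, first, per_ap)
        if not lo <= vlan <= hi:
            raise ValueError(f"{cust}: VLAN {vlan} is outside AP {ap}'s block {lo}-{hi}")
        if vlan in seen:
            raise ValueError(f"{cust} and {seen[vlan]} are both on VLAN {vlan}")
        seen[vlan] = cust
    return seen

if __name__ == "__main__":
    plan = {"Customer1603": (2, 1603), "Customer1501": (0, 1501)}  # constructed plan
    check_assignments(plan)
    print("\n".join(customer_config(1603, "10.30.2.156/30")))
```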
On the switch we trunk everything through. I also untag VLAN 998 so that I can be lazy later on.
# Bridge VLAN table on the switch: ether1 faces the router, ether2 faces this AP
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2 vlan-ids=1601-1650
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=998
add bridge=bridge1 tagged=ether1,ether2 vlan-ids=999
On the AP it gets a little bit more interesting:
Under Clients >> Settings:
What this does is tell the AP that each C5# will be untagging a VLAN, but that there will be untagged traffic coming to the AP as well, and to just pass that traffic along. Each customer gets their own VLAN and I just have to be careful not to put two different customers onto the same VLAN.
My Installers normally call us up to verify their work and make certain that their alignment isn’t crap, then when we OK everything we apply the VLAN to the C5# and then the installer buttons everything up. If the installer needs access to the C5# at a later date, they have to use our VPN to access it. Or call us for help.