JPNH

New Around Here
Hi,

First post, nice to meet you all. Been reading reviews here for some time, but haven't had a chance to use the forums. Hopefully I can contribute in the future to others that may be at the same knowledge level I am now.

I am hoping for some best practice advice concerning my home network setup. Hopefully these aren't stupid questions!

Currently, I have a Mikrotik RB2011 router with five gigabit ports and five fast ethernet ports. A TP-Link layer 2 16 port switch. A Ubiquiti Unifi AC Pro WAP. An Ooma VoIP and an Emby media server running Windows Server 2012 Essentials R2.

I am curious as to the best practices concerning setting up the WAP and Ooma VoIP. Should I set up multiple VLANs on the Mikrotik router gig ports and connect the WAP and VoIP through those? Or should I connect both to the switch and manage them from there?

The reason I ask is, with the server and lines running to multiple receptacles in different rooms within the house, I am running short of ports on the switch. I have the Emby server set up on a VLAN within the switch as well as the HTPCs they are connected to. I could pick up a second switch, but hate seeing all those empty ports on the Mikrotik router.

Also, I was not able to get the VoIP working through the switch. I was thinking it may be easier through a VLAN on the router or a bridge.

Anyway, just curious as to what others would do and possibly learn the best practices.

Oh btw I have a dynamic IP and use DHCP and NAT.

Thanks for any help you can provide! It's greatly appreciated!
 
Thanks kindly for the info! Maybe a pm is in order.

I'd keep it public for now, as info share - he's been tagged in my previous post, so he should see it, and perhaps respond.

My personal advice - VLANs are handy, but they can add additional complications if taken too far - use them sparsely and only when needs (not wants) dictate the need to build them out, and you'll be fine.
 
Good call! Didn't realize he would be tagged. Thanks for the advice and the tip!
 
For VLANs on MikroTik you can use the CPU or the switch chip. The RB2011 has 2 switch chips, so for LAN to go from one switch to another you must bridge the master interfaces together. VLANs are flexible on MikroTik in that you can apply them in various ways. It is very dependent on the flow of your traffic within the router. The switch chip segment would have VLANs too if you want to apply it there. You may need to apply the VLANs on the bridge and the 2 switch chips for it to work (see VLAN routing within a normal switch).

Typically you apply VLANs on the switch, and the router would have 1 LAN port with all the VLANs and a NAT rule configured for all the LANs to have internet, and inter-routing restricted on the router itself. If you want to use VLANs but have devices communicate with each other, then use the same subnet (using multiple DHCP servers of the same subnet but different IP ranges). If you don't want intercommunication, then use multiple subnets and under routes set the routes to drop/prohibit/blackhole.

If you have multiple subnets, then create an address list under firewall and have an entry for each subnet (call it LAN, for example). Then you could use the address list LAN in your rules to reduce the number of rules and make it easier to configure.

For your VoIP, make sure to trace the VLANs that you configure/use. On the switch chip, if you attach a VLAN to a port then only that port will have that VLAN. If you attach a VLAN to the master port on the switch using the CPU, then all traffic between switch and CPU can use that VLAN. VoIP doesn't need bandwidth, so the 100Mb/s ports can be used.

The RB2011 uses switch chips, so it is pointless to combine ports, but you can complicate switching to eliminate bottlenecks like this:
Set eth 0 and eth 1 to have no master port on gigabit switch.
Set eth 2-4 to have eth 1 as master port.
Connect devices and eth 1 and eth 0 to switch.
This can help eliminate the bottleneck of LAN and WAN devices fighting over the same gigabit ethernet port, so that only the eth0 link goes to WAN.

Instead of bridging the 2 switches together, you can connect a cable from one to another for switching between them, or connect both switch chips to your switch. There are various ways you can set it up. If you just connect 1 gigabit port to the switch and use bridging, you will have more ports. If you connect 3 cables, then traffic won't touch the CPU until it goes to the internet. You need to remember that the link between switch chip and CPU is 1 Gb/s for the gigabit switch chip and 100Mb/s for the fast ethernet switch chip, so having traffic moving back and forth for LAN can limit throughput by filling up that link. It just depends on your WAN speeds, but for the RB2011 bridging both switch chips will not interfere with the gigabit switch chip, so it matters where you connect your WAN (preferably on the SFP port or CPU connected port).

For best practice I would use a VLAN for VoIP on its own subnet, and for the rest of the LAN it's not necessary unless you want to segment (i.e. guest, office, kids), but you won't be able to share printer and NAS with a segmented network.
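
Added example, not part of the original post or MikroTik's own documentation: a RouterOS configuration for the VoIP-on-its-own-subnet layout and the single `LAN` address list described in the post above. The interface names (`ether1` as WAN, `bridge-lan` as the LAN bridge), VLAN ID 20 and both subnets are assumptions, and inter-subnet traffic is blocked here with a forward-chain filter rule rather than the drop/prohibit/blackhole routes the post mentions.

```routeros
# Added example. Assumed names and values: ether1 = WAN, bridge-lan = LAN bridge
# facing the switch trunk, VLAN 20 = VoIP, 192.168.88.0/24 = main LAN.

# VoIP VLAN with its own subnet and DHCP scope
/interface vlan add name=vlan20-voip vlan-id=20 interface=bridge-lan
/ip address add address=192.168.20.1/24 interface=vlan20-voip
/ip pool add name=pool-voip ranges=192.168.20.10-192.168.20.50
/ip dhcp-server add name=dhcp-voip interface=vlan20-voip address-pool=pool-voip disabled=no
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1

# One address-list entry per subnet, all under the same list name
/ip firewall address-list add list=LAN address=192.168.88.0/24 comment="main LAN"
/ip firewall address-list add list=LAN address=192.168.20.0/24 comment="VoIP"

# A single NAT rule covers every subnet in the list
/ip firewall nat add chain=srcnat src-address-list=LAN out-interface=ether1 action=masquerade

# Forward chain, evaluated top to bottom
/ip firewall filter add chain=forward connection-state=established,related action=accept \
    comment="return traffic for flows already allowed"
/ip firewall filter add chain=forward connection-state=invalid action=drop
# One rule blocks routing between any two listed subnets. Traffic inside a
# subnet is switched, so it never reaches this chain.
/ip firewall filter add chain=forward src-address-list=LAN dst-address-list=LAN action=drop \
    comment="no inter-subnet routing"
/ip firewall filter add chain=forward src-address-list=LAN out-interface=ether1 action=accept \
    comment="LAN subnets to internet"
/ip firewall filter add chain=forward action=drop comment="default deny"
```

Adding a further segment (guest, kids) then needs only its VLAN, address, DHCP scope and one more `address-list` entry; the NAT and filter rules stay unchanged.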
 
Wow... thanks so much for the detailed response! It will give me a lot to ponder while I'm at work today. Once I get home I'll try some of the examples you gave and see where it takes me. I'll also jump on Amazon or wherever and grab a copper SFP module. I've been meaning to do so anyway.

Thanks, thanks, thanks! Can't wait to get home from work and get going with this!
 
I forgot to ask as well. Do you have any recommendations as far as one on one Router OS training or classes in the NYC area that would lead to a cert?
 
I myself don't have a cert, but if you check MikroTik's website they have a training section and times where they do their showcase. It varies every time, but I think their cert and classes are usually done in the same places.
 
Thanks again for your help! After playing around with the switch this weekend, my Unifi WAP and Ooma are now working like a charm. I have my HTPCs set up on the switch and now I just need to figure out how to route certain ports through a VPN server. Getting there....

Thanks again! Wish I could tip you for the help!
 
