Just pinning this here for a direct link to the MikroTik firewall docs :D
help.mikrotik.com/docs/display/ROS/Firewall+and+Quality+of+Service
Thanks for producing all these videos, you make learning about mikrotik easier and more fun !
Thank you, I really appreciate the nice comment and I really enjoy making MikroTik easier for everyone ^^
How very timely that I saw your month old VLAN video only 3 days after this one. Great content, definitely earned a subscriber.
I weighed up the choice between Mikrotik and Ubiquiti a year ago and settled with Mikrotik for routing, with Ubiquiti's WiFi APs, as I do really like the look of Mikrotik's product suite, the level of control that you have as well as the longevity of their products what with them all running RouterOS/SwitchOS. With that said, it comes with a steep learning curve and I've forgotten the majority of my networking education from a decade ago since I chose software engineering as my occupation. It's always great to have content creators like yourself that give a succinct view over the ways of working with this hardware.
I think that's a solid choice and would highly recommend using MT for routing and UI for Wifi access :D
@TheNetworkBerg As a quick heads up, it seems the Discord link in your video descriptions has expired.
@ColinM9991 Oh sorry, I was sure I removed the discord server from the posts. The server was discontinued last month.
Purchased two separate MikroTik switches; love the brand and pricing. I'm still learning things about filters and rules. It's certainly amazing what network engineers need to know for configuring networks today. I would imagine some companies today have extensive networks which cover vast distances. I've always enjoyed learning about computers and networks.
Network engineering can be one of the most interesting and fun careers in the world! Some networks span completely globally, it's really cool to see just how big a network can grow and how everything just fits together and talks to other networks.
Thanks, great video. I was expecting blocking using bridge decisions in the "VLAN tab" (admit only ingress VLAN); I don't know if this way would work too... The way shown here is easier to understand.
Man, Gothic 1 and 2 were such awesome games. I still replay them every few years and besides a bit of jank they hold up really well still. Great video!
Same here!!! I sometimes add some mods for some extra flavor if I get tired of vanilla gothic but it is amazing. Piranhabytes were at their prime with Gothic2 for me.
@TheNetworkBerg For sure, I remember being quite disappointed with Gothic 3 at the time, mostly due to the fact it would just perpetually crash after trying to start a new game haha! Helped me discover Oblivion though, which was no Gothic 2 but I still had a blast with it. I've always wanted to try out a bunch of the awesome looking Gothic mods but, alas, I speak about 3 words of German so it rules out a lot of them.
fantastic video m8, thanks a lot!!!
I learn a lot from your tutorials keep on uploading :) Thank you
Thanks so much for this. I've seen some questions here that echo my first thought - how does this relate to bridge filtering? I'm just imagining that (VLAN filtering) is a *first* option and the method you show here is for some higher-order concern or secondary option if VLAN filtering is not implemented for some reason. This video is a great "how" but it would be nice to see some companion that details the "why" questions - choosing one method or the other (and of course how both may be used together) ;)
You rock! thanks a lot for sharing your knowledge! Regards
Great tutorial, you helped me set up a secure home network :)
Oh, another thought... split firewall rulesets into chains according to your VLAN setup, so a chain for each VLAN. What do you think about that approach?
I have remodeled it that way at home and it even gave me a little performance bump.
Couldn't make it work; only with RAW rules could it work. I even enabled the firewall in the bridge settings but still... But great job man, I learned a lot from you. Thank you!!
Thanks for the video! It was informative, at least for me. I am wondering though if it would be possible to do the same on a bridge level with bridge filters!!!
How about setting firewall rules using In Interface / Out Interface and specifying VLAN interfaces for that?
Logically speaking it is the same concept, just different conditions. Instead of using a source/destination address or address list you can specify your VLAN interfaces as an in or out interface and apply actions based on your requirements, i.e. in-interface=mgmt out-interface=servers action=accept. This is nice as the MikroTik will use any addresses bound to a VLAN interface to make forwarding decisions. You can even do the same thing as a firewall address list by using an interface list.
You can also group the interfaces together via the "interface lists", to which the appropriate interfaces are added.
Another way would be to use bridges, as bridges give us interfaces that don't drop when we disconnect a cable or do something with that specific port.
MikroTik is versatile like this.
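The exchange above contrasts the video's address-list drop rule with matching on VLAN interfaces (or interface lists), and an earlier comment suggests a chain per VLAN. The configuration below is an added example written for this thread, not the video's own config or anything from the channel author: it puts the three approaches side by side on one router. The VLAN interface names (mgmt, servers, guest), the bridge name bridge1, the uplink port ether1 and the 192.168.x.0/24 ranges are all assumed placeholders.

```routeros
# Added example, not from the video. Assumed names: VLAN interfaces "mgmt",
# "servers", "guest" on bridge "bridge1"; the /24 ranges are constructed.
# Only routed traffic traverses the forward chain: two hosts in the same VLAN
# are switched at L2 and never hit any of these rules.

# --- Approach 1: address-list based (as shown in the video) ---
/ip firewall address-list
add list=local-networks address=192.168.10.0/24 comment="mgmt VLAN"
add list=local-networks address=192.168.20.0/24 comment="servers VLAN"
add list=local-networks address=192.168.30.0/24 comment="guest VLAN"

/ip firewall filter
# Accept reply traffic first, otherwise the drop below kills the return half
# of flows that the accept rules permit.
add chain=forward connection-state=established,related action=accept
# Explicit inter-VLAN permits must sit above the blanket drop.
add chain=forward src-address-list=local-networks dst-address-list=local-networks in-interface=mgmt action=accept comment="mgmt may initiate to any VLAN"
add chain=forward src-address-list=local-networks dst-address-list=local-networks action=drop comment="drop all other inter-VLAN traffic"
# Anything with a destination outside local-networks (the internet) does not
# match the drop and continues to the rules below it.

# --- Approach 2: interface-list based (same decision, keyed on ingress/egress) ---
/interface list
add name=LAN
/interface list member
add list=LAN interface=mgmt
add list=LAN interface=servers
add list=LAN interface=guest

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=mgmt out-interface-list=LAN action=accept comment="mgmt may initiate to any VLAN"
# Matches on the interface the packet entered and leaves on, so a host that
# obtained an address outside the listed ranges (e.g. from a rogue DHCP
# server) is still dropped here, unlike with approach 1.
add chain=forward in-interface-list=LAN out-interface-list=LAN action=drop comment="drop inter-VLAN traffic regardless of source address"

# --- Approach 3: one chain per VLAN (the "chain per VLAN" idea from the thread) ---
# The forward chain only dispatches; each VLAN's policy lives in its own chain,
# so a packet from guest never evaluates the mgmt or servers rules.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=guest action=jump jump-target=from-guest
add chain=forward in-interface=servers action=jump jump-target=from-servers
add chain=from-guest out-interface-list=LAN action=drop comment="guest: no lateral access"
add chain=from-servers out-interface=mgmt action=drop comment="servers may not initiate to mgmt"
add chain=from-servers out-interface-list=LAN action=accept

# --- Caveat for the rogue DHCP question: stop the rogue server at L2 ---
# DHCP snooping on the bridge drops DHCP server replies arriving on any port
# not marked trusted, so clients cannot be handed an address by a stray server.
/interface bridge set [find name=bridge1] dhcp-snooping=yes
/interface bridge port set [find interface=ether1] trusted=yes
```

Run only one of the three forward-chain variants at a time; listing all three on one router would just duplicate the established/related accept and make the rule order harder to reason about. Approach 1 is the easiest to read, approach 2 is the more robust of the two because its match does not depend on the source address being one you expected, and approach 3 mainly buys you shorter per-packet rule walks on a large ruleset.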
Thank you, I gained knowledge about types of VPN. ❤
Hello ! For the same purposes ( to deny access between vlans) I use routing rules. Very interesting, which method is more difficult for the processor?
Cool video, thank you. What about loose connection tracking, should that be enabled or disabled? By default it's enabled, meaning loose connection tracking is on, however is that good practice? I found somewhere on the MikroTik forums an indication that it should be disabled; what's your opinion on that?
Can you repeat this as a followup to see the effects under high loads?
Newbie Question: I would think that with your new rule to block traffic between local-networks you would also block traffic within the same local-network or sub-net, so you couldn't reach a printer or file-server within the same subnet? Or is there a reason or rule why this wouldn't happen?
Hi Rudy, that is a great question. Typically this should not break access as devices in the same VLAN would connect directly over the same broadcast domain, i.e. the computer and printer would communicate directly over L2 and traffic would be passed directly between these devices on a switching layer, so you could think of this as the devices just using the switch to talk. The router would not be involved in passing or forwarding that traffic. It is worth noting that if you were using the router as a bridge between different devices like other switches or routers, then in that event you could potentially stop the traffic, and it would be better to define individual networks.
Quick question ❓ on how to not show ISP company that you are using when doing speed test from any speed test website
Hi! I have a question. I made a bridge interface (Eth2, Eth3) which contains 'x' number of VLANs and added a VRRP to that bridge also. The bridge interface has the same IP as the VRRP. My question is whether it is the right way to do it, because it works but I never saw anyone do it that way.
Nice video, but could you please make one explaining using HW VLAN switching using ACL rules?
Thank you for the advice. It works but I also lose Internet connection to the outside world from those vlans :(
maybe useful examples for MACVLAN next, maybe? 🤔🤔
Great idea :D
Can you please explain fast track concept?
Is it possible to take e-waste from recycling places for free? (South Africa)
How do I add ISP billing to MikroTik for hotspot?
Do you have a second channel or social media? Wanted to know how your relocation is going.
You can find me on Twitter, though I really don't do much on social media. Also don't have a second channel, have considered creating one to explore other things I enjoy and putting it out onto YT. But you are always welcome to message me on here.
Relocation is going great, have secured full time employment, although I am under a probation at the moment, but life is pretty much the same it was before moving to another country.
Though there are definitely other ups and downs when it comes to making a move like this.
Happy for ya. Cheers
Is the discord server still available? if so, can you please provide the invite URL
Unfortunately not, the discord server was decommissioned about a month or so ago. I did make a community post about it and post on the server regarding it. I highly suggest checking out the MikroTik or Surviving Networking & IT discord servers. I have joined those myself :)
Thank you
make a paid connection to mikrotik, it would be interesting
A paid connection?
@TheNetworkBerg That's right, like $1 to join.
Does that firewall rule which drops packets between the "local network" address list kill connections on the same VLAN? What if 192.168.99.251 wants to talk to 192.168.99.252 (for example)?
@TheNetworkBerg What if there is a rogue DHCP server (e.g. 192.168.88.1/24) in one of your VLANs and the device gets an IP from this rogue DHCP server? Your rules wouldn't block the routing to your management VLAN since they didn't match the conditions, right?
thank you
Could you mention your email? I want to send a network architecture I designed using MikroTik for your review and input.