How very timely that I saw your month old VLAN video only 3 days after this one. Great content, definitely earned a subscriber. I weighed up the choice between Mikrotik and Ubiquiti a year ago and settled with Mikrotik for routing, with Ubiquiti's WiFi APs, as I do really like the look of Mikrotik's product suite, the level of control that you have as well as the longevity of their products what with them all running RouterOS/SwitchOS. With that said, it comes with a steep learning curve and I've forgotten the majority of my networking education from a decade ago since I chose software engineering as my occupation. It's always great to have content creators like yourself that give a succinct view over the ways of working with this hardware.
Thanks, great video. I was expecting blocking using bridge decisions in the "VLAN tab" (admit only ingress VLAN); I don't know if that way works too... The way shown here is easier to understand.
Man, Gothic 1 and 2 were such awesome games. I still replay them every few years and besides a bit of jank they hold up really well still. Great video!
Same here!!! I sometimes add some mods for some extra flavor if I get tired of vanilla Gothic, but it is amazing. Piranha Bytes were at their prime with Gothic 2 for me.
@TheNetworkBerg For sure, I remember being quite disappointed with Gothic 3 at the time, mostly due to the fact it would just perpetually crash after trying to start a new game, haha! Helped me discover Oblivion though, which was no Gothic 2, but I still had a blast with it. I've always wanted to try out a bunch of the awesome-looking Gothic mods but, alas, I speak about 3 words of German, so it rules out a lot of them.
Thanks so much for this. I've seen some questions here that echo my first thought - how does this relate to bridge filtering? I'm just imagining that (VLAN filtering) is a *first* option and the method you show here is for some higher-order concern or secondary option if VLAN filtering is not implemented for some reason. This video is a great "how" but it would be nice to see some companion that details the "why" questions - choosing one method or the other (and of course how both may be used together) ;)
Couldn't make it work; only with RAW rules could it work. I even enabled the firewall in the bridge settings, but still... But great job man, I learned a lot from you. Thank you!!
Thanks for the video! It was informative, at least for me. I am wondering though if it would be possible to do the same on a bridge level with Bridge Filters!!!
Logically speaking it is the same concept, just different conditions. Instead of using a source/destination address or address list, you can specify your VLAN interfaces as an in or out interface and apply actions based on your requirements, i.e. in-interface=mgmt out-interface=servers action=accept. This is nice as the MikroTik will use any addresses bound to a VLAN interface to make forwarding decisions. You can even do the same thing as a firewall address list by using an interface list.
You can also group the interfaces together via "interface lists", to which the appropriate interfaces are added. Another way would be to use bridges, as bridges give us interfaces that don't drop when we disconnect a cable or do something with that specific port. MikroTik is versatile like this.
Oh, another thought... Split firewall rulesets into chains according to your VLAN setup, so a chain for each VLAN. What do you think about that approach? I have remodeled it that way at home and it even gave me a little performance bump.
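To put the two comments above into configuration, here is an added example (not from the video or its author) of RouterOS firewall filter rules that use in/out interfaces and interface lists as described, and that are split into one chain per VLAN as the comment just above suggests. The VLAN interface names (mgmt, servers, guest), the WAN port ether1, the list names VLANS and WAN, and the chain names from-* are assumptions for illustration.

```routeros
# Added example, not from the video. VLAN interface names (mgmt, servers,
# guest), the WAN port, and the list/chain names are assumed here.
/interface list
add name=VLANS
add name=WAN
/interface list member
add list=VLANS interface=mgmt
add list=VLANS interface=servers
add list=VLANS interface=guest
add list=WAN interface=ether1

/ip firewall filter
# Fast path first: replies to connections that were already allowed through.
add chain=forward connection-state=established,related action=accept \
    comment="accept established/related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# One chain per VLAN: dispatch on the interface the packet arrived on.
add chain=forward in-interface=mgmt action=jump jump-target=from-mgmt
add chain=forward in-interface=servers action=jump jump-target=from-servers
add chain=forward in-interface=guest action=jump jump-target=from-guest

# mgmt may initiate connections anywhere (other VLANs and WAN).
add chain=from-mgmt action=accept

# servers may reach the internet but may not initiate traffic into other VLANs;
# replies back to mgmt are covered by the established/related rule above.
add chain=from-servers out-interface-list=WAN action=accept
add chain=from-servers out-interface-list=VLANS action=drop \
    comment="no server-initiated traffic into other VLANs"

# guest gets internet only, never any other local network.
add chain=from-guest out-interface-list=WAN action=accept
add chain=from-guest out-interface-list=VLANS action=drop

# Safety net: a packet that falls out of a from-* chain without a verdict
# returns here, so anything VLAN-to-VLAN not explicitly accepted is dropped.
add chain=forward in-interface-list=VLANS out-interface-list=VLANS action=drop \
    comment="default: block traffic between local networks"
```

A few points worth checking when adapting this: the established/related rule must stay at the top, because the per-VLAN chains only ever see the first packet of a new connection and rely on conntrack for the return direction; a jump chain that reaches its end without accept or drop returns to the forward chain, which is why the final catch-all drop exists; and these are forward-chain rules, so traffic between two hosts in the same VLAN is switched inside the bridge and never passes through them unless use-ip-firewall is enabled in the bridge settings.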
Cool video, thank you. What about loose connection tracking, should that be enabled or disabled? By default it's enabled, meaning loose connection tracking is on; however, is that good practice? I found somewhere on the MikroTik forums an indication that it should be disabled. What's your opinion on that?
Newbie question: I would think that with your new rule to block traffic between local networks you would also block traffic within the same local network or subnet, so you couldn't reach a printer or file server within the same subnet? Or is there a reason or rule why this wouldn't happen?
Hi Rudy, that is a great question. Typically this should not break access, as devices in the same VLAN would connect directly over the same broadcast domain, i.e. the computer and printer would communicate directly over L2 and traffic would be passed directly between these devices on the switching layer, so you could think of it as the devices just using the switch to talk. The router would not be involved in passing or forwarding that traffic. It is worth noting that if you were using the router as a bridge between different devices like other switches or routers, then in that event you could potentially stop the traffic, and it would be better to define individual networks.
Hi! I have a question. I made a bridge interface (Eth2, Eth3) which contains x VLANs and added a VRRP to that bridge as well. The bridge interface has the same IP as the VRRP. My question is whether that is the right way to do it, because it works, but I never saw anyone do it that way.
You can find me on Twitter, though I really don't do much on social media. Also don't have a second channel, have considered creating one to explore other things I enjoy and putting it out onto YT. But you are always welcome to message me on here. Relocation is going great, have secured full time employment, although I am under a probation at the moment, but life is pretty much the same it was before moving to another country. Though there are definitely other ups and downs when it comes to making a move like this.
Unfortunately not, the Discord server was decommissioned about a month or so ago. I did make a community post about it and posted on the server regarding it. I highly suggest checking out the MikroTik or Surviving Networking & IT Discord servers. I have joined those myself :)
@TheNetworkBerg What if there is a rogue DHCP server (e.g. 192.168.88.1/24) in one of your VLANs and the device gets an IP from this rogue DHCP server? Your rules wouldn't block the routing to your management VLAN since they didn't match the conditions, right?