Go Wireless NZ

Tuesday, October 27, 2015

EnGenius Neutron Series Wireless Management Solution Part 2 - VLAN Configuration

In Part 2 of our EnGenius Neutron Series blog we are going to configure two vlans to separate clients on our network. If you haven't already, check out EnGenius Neutron Series Wireless Management Solution Part 1 - Basic Setup to prepare your system for the following steps below.



Step 1:
We will start by creating our additional vlans on the MikroTik router and setting up the trunk port.
/interface vlan
add name=ether4.2 vlan-id=2 interface=ether4
add name=ether4.3 vlan-id=3 interface=ether4
/interface bridge
add name=lan2
add name=lan3
/interface bridge port
add interface=ether4.2 bridge=lan2
add interface=ether4.3 bridge=lan3
add interface=ether4 bridge=lan0
/ip address
add address=192.168.2.1/24 interface=lan2
add address=192.168.3.1/24 interface=lan3
/ip pool
add name=dhcp_pool2 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool3 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
/ip dhcp-server
add name=dhcp2 interface=lan2 address-pool=dhcp_pool2 lease-time=3d
add name=dhcp3 interface=lan3 address-pool=dhcp_pool3 lease-time=3d

Step 2:
We will now create the vlans on the switch. Log in to the switch, navigate to Switch > VLAN > 802.1Q, create vlan2 and vlan3, and tag vlan2 and vlan3 traffic on port 1 (our existing trunk port to the EWS360AP Access Point) and port 8 (the new trunk port to the MikroTik Router, currently unused).


Step 3:
We are now ready to create our new vlan-isolated wireless networks. Navigate to Controller > AP Clusters > WLAN Settings - 2.4GHz and select SSID_2-2.4GHz. We will configure this network as our "lan2" wireless network:



Now do the same for SSID_3-2.4GHz, but set the SSID to lan3 and the VLAN ID to 3.

Step 4:
We will now move the ethernet cable between the Router and the Switch to the newly configured trunk ports:
MikroTik Router: port 3 > port 4
EnGenius Switch: port 10 > port 8

Step 5:
We can now test that the trunk port is working and that each wireless network lands on its own vlan:
1. Connect to SSID Office AP and verify you receive a 192.168.0.x IP Address from the management untagged vlan.
2. Connect to SSID lan2 and verify you receive a 192.168.2.x IP Address from vlan2.
3. Connect to SSID lan3 and verify you receive a 192.168.3.x IP Address from vlan3.

Step 6 - Optional:
With the current configuration the router routes freely between all vlans. For example, a device on vlan2 can communicate with a device on lan3. If you wish to restrict devices to their own respective vlans, you can use the following firewall filter rules on the MikroTik Router:
/ip firewall filter
add action=drop chain=input comment="drop management vlan traffic bound for any gateway other than its own" dst-address=!192.168.0.1 src-address=192.168.0.0/24
add action=drop chain=forward comment="isolate management vlan traffic" dst-address=192.168.0.0/16 src-address=192.168.0.0/24
add action=drop chain=input comment="drop vlan traffic bound for any gateway other than its own" dst-address=!192.168.2.1 src-address=192.168.2.0/24
add action=drop chain=forward comment="isolate lan2 vlan" dst-address=192.168.0.0/16 src-address=192.168.2.0/24
add action=drop chain=input comment="drop vlan traffic bound for any gateway other than its own" dst-address=!192.168.3.1 src-address=192.168.3.0/24
add action=drop chain=forward comment="isolate lan3 vlan" dst-address=192.168.0.0/16 src-address=192.168.3.0/24

Step 7 - VLAN Isolation Testing:
1. Devices on the same vlan should be able to communicate with each other.
2. All devices on all vlans should be able to access their own gateway and the internet.
3. Devices should not be able to communicate with other vlans (i.e. lan2 can't communicate with management or lan3).



Any Questions? Feel free to leave us a comment below or contact support@gowifi.co.nz
