Mikrotik
rt001, 2016-04-15 23:18:58

How to get rid of excess traffic through VLAN?

The situation is as follows (I'll say right away: the network is clumsy and inherited, but, as they say, it is what we have)
Network diagram

          +-----+ +-----+ +-----+
          | DEV1| | DEV2| | PCS |
          +-----+ +-----+ +-----+
               |      |    |192.168.0.101/24
  +-------+   +--------------+            +-------+       +-----+
  | ISP 2 |   | LAN 2 Switch |            | ISP 1 |       | SVT |
  +-------+   +--------------+            +-------+       +-----+
     |              |                       |               |192.168.0.100/24
     |ETH1          |ETH3                   |ETH6           |ETH7
+--+-----------+-----------------+   +--------------------------------+
|  |  BRIDGE1  |  |  BRIDGE2  |  |   |                 |  BRIDGE2  |  |
|  +-----------+  +-----------+  |   |                 +-----------+  |
|          |              |      |   |                         |      |
| RB750    |              |      |   | RB2011                  |      |
|          |              |      |   |                         |      |
|  +-----------+  +-----------+  |   |  +-----------+  +-----------+  |
|  |     VLAN1 |  |     VLAN2 |  |   |  |     VLAN1 |  |     VLAN2 |  |
+--------------------------------+   +--------------------------------+
     | ETH2 (LAN) 192.168.1.3/24                | ETH2 (LAN) 192.168.1.2/24
     |                                          |
     |    +----------------------------+        |
     |    |                            |        |
     -----|   LAN 1 Switch             |--------+
          |                            |
          +----------------------------+
            |        |      |        |
        +-----+  +-----+  +-----+  +-----+
        | PC1 |  | PC2 |  | DC  |  | DVR |
        +-----+  +-----+  +-----+  +-----+

There are 2 independent subnets: the main one, in which the office works, and the security one, in which the turnstiles (dev1, dev2) and the security guard's computer (pcs) work. There should be no connection between the subnets, with some exceptions.
The turnstile server (svt) is physically installed at the other end of the building. It is necessary to provide communication between the turnstile server and the turnstiles themselves, as well as the security guard's computer. There are no special problems here: the turnstiles communicate with the server via VLAN, and the traffic is small and justified.
But then came the task of displaying the video surveillance on the security guard's computer. The recorder (dvr) stands at the opposite end of the building from the turnstile server and is connected to the main network, because the consumers of its pictures are office network users; for the security guards it is just a bonus.
It would seem that there is nothing complicated here either, because the turnstile network is plugged into the RB750 and it also has the office network. The RB2011 has a NAT rule: when port X is requested, forward to port Y at address Z, i.e. to the DVR; this rule is also used when connecting from the Internet to watch video from home. And it turns out, as I understand it, that traffic comes from the DVR to the RB750, then via VLAN2 to the RB2011, and then back to the RB750 and from it to the PCS, right? If you look at the graph on the RB2011, the CPU load is 27% and the interface is at 45 Mbps; at first I thought this was normal. But the most interesting thing I noticed later: after a few days the load on the RB2011 drops, as if they had stopped watching the video, although it displays perfectly. Did this traffic go directly through the RB750, bypassing the RB2011? At the same time, if you look at Connections on the RB2011, we see the security company's connection there, and no load. But as soon as you restart any of the devices, the draconian waste of resources begins again, lasting several days, after which everything returns to normal. What kind of mysticism is this? How to make sure that the load is always low and the traffic goes the right way?
I changed the NAT rule on the RB2011 so that it works for everyone except the guards' computer, while on the RB750 I created a rule that specifically said that requests from the guards' computer should be sent to the recorder, but no connection was established at all. The security computer says the recorder is unavailable.
Maybe I did some stupid things here; don't kick me too hard, but tell me: how to set it up correctly? :'(


1 answer(s)
Nadz Goldman, 2016-04-19
@nadz

A lot has been written, but nothing is clear without ...
I have a simple question: why are you confusing L2 and L3 (VLAN and NAT)?
As I understand it, the question to ask is: are the switch ports in trunk or access mode?
It's just that if you have two different VLANs, then why do you need NAT between them?
Make it simpler.
Two VLANs, two networks. Static routing between these networks.
The firewall allows only what you need. Everything else is prohibited.
Each subnet goes to the Internet only through its own provider, according to the firewall rules and the configured masquerading.
You could go to further lengths and mark the traffic, but that is still superfluous.
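The answer's recipe (two VLANs, two subnets, static routing between them, a firewall that permits only the one needed flow, masquerading per provider) written out as a RouterOS configuration sketch; this is an added example, not from the question or the answer. It reuses the addresses on the diagram and assumes a security-subnet interface named vlan-security on the RB750 with gateway address 192.168.0.1, and placeholders 192.168.1.50 for the DVR and TCP port 554 for its video stream (the post gives neither).

```routeros
# Added example, not from the original post. Placeholders: vlan-security (interface),
# 192.168.0.1 (RB750 address in the security subnet), 192.168.1.50 (DVR), tcp/554 (video).

# ---------- RB750: holds both subnets and routes between them; ether1 = ISP 2 ----------
/ip address
add address=192.168.0.1/24 interface=vlan-security comment="security subnet gateway (assumed)"
add address=192.168.1.3/24 interface=ether2 comment="office LAN address from the diagram"

/ip firewall filter
# Rules are evaluated top to bottom: accept replies to already-permitted flows,
# then the single exception, then drop all other traffic between the two subnets.
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=accept src-address=192.168.0.101 dst-address=192.168.1.50 protocol=tcp dst-port=554 comment="security PC -> DVR video, the only allowed exception"
add chain=forward action=drop src-address=192.168.0.0/24 dst-address=192.168.1.0/24 comment="everything else security -> office"
add chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.0.0/24 comment="everything office -> security"

/ip firewall nat
# Only the security subnet reaches the Internet through this router's provider (ISP 2),
# and only on the uplink; no NAT between the two internal subnets.
add chain=srcnat action=masquerade out-interface=ether1 src-address=192.168.0.0/24 comment="security subnet via ISP 2"

# ---------- RB2011: office default gateway; ether6 = ISP 1 ----------
/ip route
# Static route back to the security subnet, so packets for 192.168.0.0/24 that arrive at the
# office gateway are handed to the RB750 instead of being sent to ISP 1.
add dst-address=192.168.0.0/24 gateway=192.168.1.3 comment="security subnet lives behind RB750"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether6 src-address=192.168.1.0/24 comment="office subnet via ISP 1"
# The Internet-facing dst-nat to the DVR stays as it was; the security PC no longer needs it,
# because it now reaches the DVR's real address over the static route.
```

Because the DVR's default gateway is the RB2011, its replies to the security PC travel DVR -> RB2011 -> RB750 while requests go RB750 -> DVR directly, so the RB2011 sees only half of that flow; if it has a drop-invalid forward rule, give the DVR a host route for 192.168.0.0/24 via 192.168.1.3 so both directions stay on the RB750. A quick check is /ip firewall connection print on the RB750, which should list the 192.168.0.101 -> 192.168.1.50:554 session, and the interface graph on the RB2011, which should no longer carry the video.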
