Scaling to Enterprise: Multi-Department VLANs with CPU-Optimized Security

Module 7 of my MikroTik Zero to Hero Challenge
Time to go big! Module 7 was about scaling from a simple guest network to a full enterprise architecture. My mission: design a complete four-department network for Tech Innovators Kenya Ltd with proper security policies that won't kill the router's CPU.
The Enterprise Challenge
The Goal: Scale from simple guest WiFi to complete enterprise network segmentation
The Departments: Management, Development, Sales, plus Guests (4 VLANs total)
The Challenge: Create security policies that are both effective and CPU-efficient
The Reality: Small router hardware handling enterprise-level complexity
Building the Complete VLAN Infrastructure
I took initiative and built out the Development and Sales VLANs independently, applying the patterns I'd learned from the Guest network.
The Complete Network Design
Management VLAN 10: 192.168.10.1/24 (executives, high security)
Development VLAN 20: 192.168.20.1/24 (engineers, development resources)
Sales VLAN 30: 192.168.30.1/24 (marketing, sales operations)
Guest VLAN 40: 192.168.40.1/24 (visitors, internet-only access)
Main LAN: 192.168.88.1/24 (original infrastructure)
Each department gets:
Its IP address range
Dedicated DHCP server
Automatic DNS configuration
Gateway services through the router
The "That's Too Basic" Moment
After setting up all the VLANs, I had a realisation: "Management department being so secure... it seems so basic"
The Problem: Just separating networks into VLANs doesn't provide security - it's just organization.
The Reality Check: Network separation without security policies is like having separate rooms in a house with no locks on the doors.
This led to understanding the difference between network organization and security implementation.
The Scalability Question
Looking at my growing list of VLANs, I asked the critical question: "If I have 20 departments, won't managing individual firewall rules become impossible?"
This is where enterprise networking gets real. You need scalable security architectures, not individual rules for every department.
Three Approaches to Enterprise Security
Method 1: Individual Rules (Doesn't Scale)
# This approach becomes unmanageable quickly
/ip firewall filter add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=drop
/ip firewall filter add chain=forward src-address=192.168.10.0/24 dst-address=192.168.30.0/24 action=drop
# ... (multiply this by every department pair)
Method 2: Address Lists (Medium Enterprise)
# Group networks into logical security zones
/ip firewall address-list add list=Internal-Networks address=192.168.10.0/24
/ip firewall address-list add list=Internal-Networks address=192.168.20.0/24
/ip firewall address-list add list=Internal-Networks address=192.168.30.0/24
Method 3: VLAN-Based Firewall (True Enterprise)
This is what major ISPs and enterprises use - firewall rules that operate at the VLAN level rather than the IP level.
My Choice: Method 2 for practical learning, with recognition that Method 3 is the enterprise standard.
Building Production-Grade Security Architecture
Creating Security Zones
Instead of thinking about individual departments, I organised networks into security zones:
# Department-specific lists
/ip firewall address-list add list=Management address=192.168.10.0/24 comment="Management Department"
/ip firewall address-list add list=Development address=192.168.20.0/24 comment="Development Department"
/ip firewall address-list add list=Sales address=192.168.30.0/24 comment="Sales Department"
/ip firewall address-list add list=Guests address=192.168.40.0/24 comment="Guest Network"
# Security zone groupings
/ip firewall address-list add list=Internal-Networks address=192.168.10.0/24 comment="Management"
/ip firewall address-list add list=Internal-Networks address=192.168.20.0/24 comment="Development"
/ip firewall address-list add list=Internal-Networks address=192.168.30.0/24 comment="Sales"
/ip firewall address-list add list=Privileged-Networks address=192.168.10.0/24 comment="Management - Full Access"
/ip firewall address-list add list=Restricted-Networks address=192.168.40.0/24 comment="Guests - Internet Only"
The Four-Rule Security Policy
Instead of potentially 20+ individual rules, I created just 4 strategic rules:
# Rule 1: Management gets access to everything (executive oversight)
/ip firewall filter add chain=forward src-address-list=Privileged-Networks action=accept comment="Management full access"
# Rule 2: Guests can't reach company resources (security boundary)
/ip firewall filter add chain=forward src-address-list=Restricted-Networks dst-address-list=Internal-Networks action=drop comment="Guest isolation"
# Rule 3: Departments can't talk to each other (security segmentation)
# This drop must sit above the internet-access accept: rules match first-hit, and an accept on
# src-address-list=Internal-Networks with no destination restriction would otherwise shadow it.
/ip firewall filter add chain=forward src-address-list=Internal-Networks dst-address-list=Internal-Networks action=drop comment="Department isolation"
# Rule 4: All internal departments get internet access (business operations)
/ip firewall filter add chain=forward src-address-list=Internal-Networks action=accept comment="Internal internet access"
# Note: replies from a department to a connection Management opened also match Rule 3 unless an
# accept for connection-state=established,related is placed above these four rules.
This elegant solution:
✅ Gives Management full network access
✅ Blocks guests from company resources
✅ Allows all departments internet access
✅ Prevents inter-department communication
✅ Scales to unlimited departments without adding rules
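As an added example (not from the post), a small Python first-match simulator of the forward chain, loaded with the address lists above and a constructed set of sample hosts, that checks a rule order against the intended access matrix; it shows that placing the internal-internet accept before the department-isolation drop lets the accept shadow the drop, while the drop-first order passes.

```python
import ipaddress

# Address lists exactly as defined in the post
ADDRESS_LISTS = {
    "Internal-Networks": ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"],
    "Privileged-Networks": ["192.168.10.0/24"],
    "Restricted-Networks": ["192.168.40.0/24"],
}

def in_list(ip, name):
    """Does ip fall inside any network of the named address list?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ADDRESS_LISTS[name])

def forward(rules, src, dst, default="accept"):
    """First-match walk of the forward chain; no match falls through to the chain default."""
    for src_list, dst_list, action in rules:
        if src_list and not in_list(src, src_list):
            continue
        if dst_list and not in_list(dst, dst_list):
            continue
        return action
    return default

# Rule tuples: (src-address-list, dst-address-list, action)
ACCEPT_BEFORE_DROP = [
    ("Privileged-Networks", None, "accept"),                 # Management full access
    ("Restricted-Networks", "Internal-Networks", "drop"),    # Guest isolation
    ("Internal-Networks", None, "accept"),                   # Internal internet access
    ("Internal-Networks", "Internal-Networks", "drop"),      # Department isolation
]
DROP_BEFORE_ACCEPT = [ACCEPT_BEFORE_DROP[0], ACCEPT_BEFORE_DROP[1],
                      ACCEPT_BEFORE_DROP[3], ACCEPT_BEFORE_DROP[2]]

# Intended access matrix from the post; hosts are constructed samples and
# 203.0.113.10 (documentation range) stands in for an internet destination
EXPECTED = {
    ("192.168.10.5", "192.168.20.5"): "accept",  # Management -> Development
    ("192.168.20.5", "192.168.30.5"): "drop",    # Development -> Sales
    ("192.168.40.5", "192.168.20.5"): "drop",    # Guest -> Development
    ("192.168.20.5", "203.0.113.10"): "accept",  # Development -> internet
    ("192.168.40.5", "203.0.113.10"): "accept",  # Guest -> internet
}

def violations(rules):
    """Return the (src, dst) pairs whose verdict differs from the intended matrix."""
    return [(s, d) for (s, d), want in EXPECTED.items() if forward(rules, s, d) != want]

if __name__ == "__main__":
    print("accept before drop:", violations(ACCEPT_BEFORE_DROP))
    print("drop before accept:", violations(DROP_BEFORE_ACCEPT))
```

The check models first-packet matching only; on the router an accept for connection-state=established,related above these rules is what keeps the department-isolation drop from eating replies to connections Management opened.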
Router-on-a-Stick Magic
The Concept: One router providing routing services for multiple VLANs.
How It Works: Once each VLAN interface has an IP address, the router holds a connected route for that subnet and forwards between VLANs at layer 3 without additional configuration.
The Result: Each department can reach its gateway (192.168.x.1) and the internet, but department-to-department traffic is controlled by firewall rules.
RouterOS handles this automatically - no complex routing protocols needed for basic inter-VLAN routing.
The Performance Reality Check
Hardware Limitations Discovered
My hAP lite router started showing strain:
High CPU usage during complex operations
Multiple DHCP servers (5 total) consuming resources
Complex firewall processing with address list evaluations
Bridge learning overhead from tracking MAC addresses across VLANs
ISP Professional Advice
A friend working at an ISP warned me, "MikroTik routers can struggle with high rule counts. Keep it efficient."
The Trade-off: Functionality vs. performance on limited hardware.
My Decision: Continue with the current setup for learning, but understand the scaling limitations.
Enterprise Routing in Action
The final routing table showed the router handling multiple network segments:
# /ip route print
0 A S 0.0.0.0/0 192.168.100.1 (default internet route)
1 ADC 192.168.10.0/24 Management-VLAN (Management gateway)
2 ADC 192.168.20.0/24 Development-VLAN (Development gateway)
3 ADC 192.168.30.0/24 Sales-VLAN (Sales gateway)
4 ADC 192.168.40.0/24 Guest-VLAN (Guest gateway)
5 ADC 192.168.88.0/24 LAN-Bridge (Original LAN)
The router was simultaneously acting as:
Gateway for 5 different networks
DHCP server for 5 different networks
Firewall enforcing inter-network policies
NAT provider for internet access
Key Technical Skills Demonstrated
Scalable Architecture Design
# Address list management (scales to unlimited departments)
/ip firewall address-list add list=Security-Zone address=network-range comment="description"
# Strategic firewall rules (minimal count, maximum coverage)
/ip firewall filter add chain=forward src-address-list=source dst-address-list=destination action=policy comment="purpose"
# VLAN interface creation pattern
/interface vlan add name="Department-VLAN" vlan-id=XX interface=LAN-Bridge
/ip address add address=192.168.XX.1/24 interface=Department-VLAN
Performance-Conscious Implementation
Rule efficiency: Address lists instead of individual IP rules
Processing optimisation: Strategic rule placement for minimal CPU impact
Scalable design: Architecture supporting growth without linear complexity increase
What I Achieved
Complete Enterprise Network Infrastructure:
✅ 4-department VLAN segmentation with proper IP addressing
✅ Scalable security framework supporting unlimited department growth
✅ CPU-optimised firewall rules (4 rules instead of 20+)
✅ Professional inter-VLAN routing with centralised internet access
✅ Department-specific DHCP services with automatic configuration
Security Policy Implementation:
✅ Management privilege elevation (executive access to all resources)
✅ Guest network isolation (internet-only access)
✅ Department segmentation (preventing lateral movement)
✅ Centralised internet access (controlled outbound connectivity)
From Small Office to Enterprise Scale
Module 7 was where I stopped thinking like a home user and started thinking like a network architect.
The key insights:
Network organization ≠ Network security - VLANs need security policies
Scalability matters from day one - Architecture decisions affect long-term maintainability
Performance is always a constraint - Enterprise features require enterprise hardware
Address lists are powerful - They enable policy-based networking at scale
The Real-World Connection
The security architecture I built mirrors what you'd find in:
Corporate offices (department-based network segmentation)
Hotels (guest isolation with different service levels)
Schools (student/faculty/admin network separation)
Hospitals (patient/medical/administrative network isolation)
The scale changes, but the fundamental concepts remain the same.
Understanding these patterns prepared me for the next phase of the challenge - where network complexity would increase even further with load balancing, VPNs, and advanced traffic management.
This is part of my MikroTik Zero to Hero challenge. Enterprise networking: where architecture decisions made early determine how far you can scale.
