{"id":152,"date":"2026-04-18T17:48:42","date_gmt":"2026-04-18T22:48:42","guid":{"rendered":"https:\/\/blog.lfps64.com\/?p=152"},"modified":"2026-04-11T17:49:30","modified_gmt":"2026-04-11T22:49:30","slug":"how-to-create-vlans-with-mikrotik-the-proper-way-bridge-vlan-filtering","status":"publish","type":"post","link":"https:\/\/blog.lfps64.com\/?p=152","title":{"rendered":"How to Create VLANs with MikroTik \u2014 The Proper Way (Bridge VLAN Filtering)"},"content":{"rendered":"\n<p>In a previous post I covered the easy way to create VLANs on MikroTik \u2014 one bridge per VLAN. It works, it&#8217;s great for learning, but it doesn&#8217;t scale well and it&#8217;s heavier on the CPU than it needs to be. If you haven&#8217;t read it, <a href=\"https:\/\/blog.lfps64.com\/?p=82\">you can find it here<\/a>.<\/p>\n\n\n\n<p>This post covers the proper way: bridge VLAN filtering. One bridge, one VLAN table, everything in one place. Understanding the easy way first makes this much easier to appreciate \u2014 but you don&#8217;t need it to follow along.<\/p>\n\n\n\n<p>The topology is the same as in the previous post: a MikroTik router connected to a Cisco switch via a trunk port, three VLANs, devices on each VLAN getting DHCP and internet access.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">How Bridge VLAN Filtering Works<\/h2>\n\n\n\n<p>Instead of creating a separate bridge for each VLAN, we create a single bridge and enable VLAN filtering on it. The bridge then maintains a VLAN table that controls which ports carry which VLANs \u2014 tagged (trunk) or untagged (access).<\/p>\n\n\n\n<p>The key concepts:<\/p>\n\n\n\n<ul>\n<li><strong>Tagged ports<\/strong> carry traffic for multiple VLANs with 802.1Q tags. Your uplink to a switch or another router is typically tagged.<\/li>\n\n\n\n<li><strong>Untagged ports<\/strong> carry traffic for a single VLAN with no tag. 
Your end devices (PCs, printers, APs) connect to untagged ports.<\/li>\n\n\n\n<li><strong>PVID (Port VLAN ID)<\/strong> is the default VLAN assigned to untagged traffic arriving on a port. When a frame arrives without a tag, the bridge stamps it with the PVID before processing it.<\/li>\n<\/ul>\n\n\n\n<p>This model maps closely to how Cisco switches think about VLANs \u2014 trunk ports and access ports \u2014 which may feel more familiar.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Step 1 \u2014 Create the Bridge<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>\/interface bridge\nadd name=bridge-vlans\n<\/code><\/pre>\n\n\n\n<p>We create the bridge first without enabling VLAN filtering yet. We&#8217;ll turn that on after the VLAN table is fully configured \u2014 enabling it on an empty table drops all traffic immediately.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Step 2 \u2014 Add Ports to the Bridge<\/h2>\n\n\n\n<p>Add your trunk port (uplink to the switch) and your access ports (connected to end devices).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/interface bridge port\nadd bridge=bridge-vlans interface=ether5 pvid=1\nadd bridge=bridge-vlans interface=ether2 pvid=2\nadd bridge=bridge-vlans interface=ether3 pvid=3\nadd bridge=bridge-vlans interface=ether4 pvid=4\n<\/code><\/pre>\n\n\n\n<ul>\n<li><code>ether5<\/code> is the trunk port to the Cisco switch \u2014 PVID 1 is fine here since tagged traffic will override it<\/li>\n\n\n\n<li><code>ether2<\/code>, <code>ether3<\/code>, <code>ether4<\/code> are access ports \u2014 PVID tells the bridge which VLAN to assign untagged frames arriving on each port<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Step 3 \u2014 Configure the VLAN Table<\/h2>\n\n\n\n<p>This is where you define which VLANs are allowed 
on which ports, and whether each port carries them tagged or untagged.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/interface bridge vlan\nadd bridge=bridge-vlans vlan-ids=2 tagged=ether5,bridge-vlans untagged=ether2\nadd bridge=bridge-vlans vlan-ids=3 tagged=ether5,bridge-vlans untagged=ether3\nadd bridge=bridge-vlans vlan-ids=4 tagged=ether5,bridge-vlans untagged=ether4\n<\/code><\/pre>\n\n\n\n<p>Breaking this down:<\/p>\n\n\n\n<ul>\n<li>VLAN 2 is carried <strong>tagged<\/strong> on <code>ether5<\/code> (the trunk to the switch) and on <code>bridge-vlans<\/code> itself (so the router can route it), and <strong>untagged<\/strong> on <code>ether2<\/code> (the access port for VLAN 2 devices)<\/li>\n\n\n\n<li>Same pattern for VLANs 3 and 4<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Step 4 \u2014 Enable VLAN Filtering<\/h2>\n\n\n\n<p>Now that the VLAN table is in place, it&#8217;s safe to enable filtering. The bridge will start enforcing the table immediately.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/interface bridge\nset bridge-vlans vlan-filtering=yes\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Step 5 \u2014 Create VLAN Interfaces for Routing<\/h2>\n\n\n\n<p>To route between VLANs and assign IP addresses, we need VLAN interfaces attached to the bridge.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/interface vlan\nadd interface=bridge-vlans name=vlan2 vlan-id=2\nadd interface=bridge-vlans name=vlan3 vlan-id=3\nadd interface=bridge-vlans name=vlan4 vlan-id=4\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Step 6 \u2014 Assign IPs, DHCP, and NAT<\/h2>\n\n\n\n<p>This part is identical to the easy way \u2014 the IP addressing, DHCP, and NAT configuration doesn&#8217;t change, only the interfaces you assign them 
to.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip address\nadd address=10.0.2.1\/24 interface=vlan2 network=10.0.2.0\nadd address=10.0.3.1\/24 interface=vlan3 network=10.0.3.0\nadd address=10.0.4.1\/24 interface=vlan4 network=10.0.4.0\n\n\/ip pool\nadd name=dhcp_pool0 ranges=10.0.2.2-10.0.2.254\nadd name=dhcp_pool1 ranges=10.0.3.2-10.0.3.254\nadd name=dhcp_pool2 ranges=10.0.4.2-10.0.4.254\n\n\/ip dhcp-server\nadd address-pool=dhcp_pool0 disabled=no interface=vlan2 name=dhcp1\nadd address-pool=dhcp_pool1 disabled=no interface=vlan3 name=dhcp2\nadd address-pool=dhcp_pool2 disabled=no interface=vlan4 name=dhcp3\n\n# Uplink: ether1 gets its address from the upstream DHCP server\n\/ip dhcp-client\nadd disabled=no interface=ether1\n\n\/ip dhcp-server network\nadd address=10.0.2.0\/24 dns-server=10.0.2.1 gateway=10.0.2.1\nadd address=10.0.3.0\/24 dns-server=10.0.3.1 gateway=10.0.3.1\nadd address=10.0.4.0\/24 dns-server=10.0.4.1 gateway=10.0.4.1\n\n# Lets the DHCP clients use the router as their DNS resolver\n\/ip dns\nset allow-remote-requests=yes\n\n# Masquerade only traffic leaving through the uplink (ether1),\n# so routed inter-VLAN traffic keeps its original source address\n\/ip firewall nat\nadd action=masquerade chain=srcnat out-interface=ether1\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Easy Way vs. 
Proper Way \u2014 At a Glance<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><\/th><th>Easy Way<\/th><th>Bridge VLAN Filtering<\/th><\/tr><\/thead><tbody><tr><td>Bridges needed<\/td><td>One per VLAN + one trunk<\/td><td>One total<\/td><\/tr><tr><td>Interface list size<\/td><td>Grows fast<\/td><td>Clean and minimal<\/td><\/tr><tr><td>Adding a new VLAN<\/td><td>3+ commands, new bridge<\/td><td>2 commands<\/td><\/tr><tr><td>CPU usage<\/td><td>Higher (software per bridge)<\/td><td>Lower (single bridge path)<\/td><\/tr><tr><td>Switch chip offload<\/td><td>No<\/td><td>Yes (on supported hardware)<\/td><\/tr><tr><td>Troubleshooting<\/td><td>Multiple bridges to check<\/td><td>One VLAN table to check<\/td><\/tr><tr><td>Good for learning<\/td><td>\u2705<\/td><td>After you know the basics<\/td><\/tr><tr><td>Good for production<\/td><td>\u274c<\/td><td>\u2705<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">A Few Things Worth Knowing<\/h2>\n\n\n\n<p><strong>PVID must match the VLAN table.<\/strong> If a port&#8217;s PVID doesn&#8217;t have a corresponding untagged entry in the VLAN table, untagged frames arriving on that port will be dropped. Double-check both match \u2014 it&#8217;s the most common source of &#8220;why isn&#8217;t this device getting an IP&#8221; confusion.<\/p>\n\n\n\n<p><strong>The bridge itself must be tagged in the VLAN table<\/strong> for routing to work. That&#8217;s what the <code>bridge-vlans<\/code> entries in Step 3 are for. If you forget this, inter-VLAN routing fails silently \u2014 devices get DHCP but can&#8217;t reach other VLANs or the internet.<\/p>\n\n\n\n<p><strong>This configuration assumes a clean slate.<\/strong> If you&#8217;re adapting this to an existing bridge that already has ports and traffic, take care \u2014 enabling VLAN filtering mid-session will drop everything that isn&#8217;t covered by the VLAN table. 
Test in a lab or during a maintenance window.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts<\/h2>\n\n\n\n<p>Once you&#8217;ve done it a few times, bridge VLAN filtering is actually simpler to manage than the easy way \u2014 there&#8217;s just less of everything. The learning curve is the VLAN table concept, which takes a bit of getting used to if you&#8217;re new to it.<\/p>\n\n\n\n<p>If Part 1 got your VLANs working and you understand why each piece is there, you&#8217;re ready for this. The configuration is a bit more deliberate, but the payoff in cleanliness and efficiency is worth it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a previous post I covered the easy way to create VLANs on MikroTik \u2014 one bridge per VLAN. It works, it&#8217;s great for learning, but it doesn&#8217;t scale well and it&#8217;s heavier on the CPU than it needs to be. If you haven&#8217;t read it, you can find it here. 
This post covers the &hellip; <a href=\"https:\/\/blog.lfps64.com\/?p=152\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to Create VLANs with MikroTik \u2014 The Proper Way (Bridge VLAN Filtering)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[13,11],"_links":{"self":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts\/152"}],"collection":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=152"}],"version-history":[{"count":1,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts\/152\/revisions"}],"predecessor-version":[{"id":153,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts\/152\/revisions\/153"}],"wp:attachment":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}