\n\n\n\n
The Lab Topology<\/h2>\n\n\n\n
In this scenario we have a MikroTik router connected to a Cisco switch via a trunk port. Three VLANs are configured, and devices on each VLAN can reach the internet and talk to each other through the router. <\/p>\n\n\n\n MikroTik’s more advanced VLAN method uses a single bridge with VLAN filtering enabled \u2014 cleaner, more scalable, and better for CPU. The method in this post creates a separate bridge for each VLAN instead, which is simpler to visualize and configure but doesn’t scale well beyond a handful of VLANs. For a home lab with 3-4 VLANs, the difference is negligible.<\/p>\n\n\n\n Instead of attaching VLANs directly to a physical interface, I prefer to create a bridge for the trunk port. This gives you flexibility to add more trunk ports later without restructuring everything.<\/p>\n\n\n\n Here Now we create the VLAN interfaces and attach them to <\/p>\n\n\n\n This is the “clunky” part. Each VLAN gets its own bridge. This bridge is what you’ll later attach access ports and IP addresses to.<\/p>\n\n\n\n <\/p>\n\n\n\n Now we tie everything together. Each VLAN interface goes into its corresponding bridge, and the access ports (the physical interfaces your end devices connect to) go into their respective bridges as well.<\/p>\n\n\n\n <\/p>\n\n\n\n At this point the trunk and access ports are working at Layer 2. Devices on the same VLAN can reach each other. To get IP addressing, DHCP, and internet access working we need a few more steps.<\/p>\n\n\n\n Each VLAN bridge gets an IP address (this becomes the default gateway for devices on that VLAN), a DHCP pool, and a DHCP server. We also configure NAT so all VLANs can reach the internet.<\/p>\n\n\n\n With everything in place, devices on different VLANs can communicate through the router and reach the internet \u2014 as shown here with PC1 and PC8 on opposite ends of the topology on different VLANs: <\/p>\n\n\n\n If you want to study the full configuration or follow along in your own lab, here are the config files used in this post:<\/p>\n\n\n\n If you’d like the GNS3 lab file, send me an email and I’ll share it.<\/p>\n\n\n\n If you’ve never configured VLANs before, or you’ve never done it on MikroTik specifically, this is a great way to get your feet wet. The structure is visible and tangible \u2014 you can see every bridge, every VLAN interface, every port assignment in Winbox. That transparency makes it easier to understand what’s actually happening at each layer, which is valuable when you’re learning.<\/p>\n\n\n\n That said, you should make an effort to learn the proper way once this clicks. Here’s why:<\/p>\n\n\n\n Performance.<\/strong> The easy way does all VLAN tagging and untagging in software on the CPU. Every packet that crosses a VLAN boundary goes through RouterOS’s bridge code. On a busy network or a router handling many VLANs, this adds up. The proper method \u2014 bridge VLAN filtering \u2014 is more efficient because there’s only one bridge in the kernel’s forwarding path instead of one per VLAN. On hardware with a built-in switch chip it can offload VLAN handling entirely to hardware, barely touching the CPU at all.<\/p>\n\n\n\n Management.<\/strong> The easy way grows linearly and messily. Five VLANs means five extra bridges, five VLAN interfaces, and five sets of bridge port assignments on top of your trunk bridge. Your interface list becomes a wall of entries and finding things in Winbox gets tedious. With bridge VLAN filtering, everything lives in one bridge. The VLAN table is a single clean list, and adding a new VLAN is a one-liner instead of three commands and a new bridge.<\/p>\n\n\n\n Troubleshooting.<\/strong> When something breaks with the easy way, you’re tracing traffic across multiple bridges. With a single bridge there’s one place to look \u2014 the bridge VLAN table and its port assignments.<\/p>\n\n\n\n The honest caveat:<\/strong> for a home lab with three or four VLANs and normal traffic levels, the performance difference is genuinely invisible. The management argument is the stronger one \u2014 this approach just gets unwieldy as you grow. Start here if you need to, but treat it as a stepping stone rather than a destination.<\/p>\n","protected":false},"excerpt":{"rendered":" When you start working with MikroTik, VLANs can feel intimidating \u2014 especially if you’re coming from a Cisco background where the mental model is different. I’ve been there. This post covers what I call the easy way: one bridge per VLAN. It’s not the most efficient method, and I wouldn’t recommend it for a production … Continue reading “How to Create VLANs with MikroTik \u2014 The Easy Way”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[13,11,14,15,12],"_links":{"self":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts\/82"}],"collection":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=82"}],"version-history":[{"count":3,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts\/82\/revisions"}],"predecessor-version":[{"id":151,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts\/82\/revisions\/151"}],"wp:attachment":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=82"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=82"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=82"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"\/](\"https:\/\/blog.lfps64.com\/wp-content\/uploads\/2022\/08\/imagen-1024x457.png\")
<\/figure>\n\n\n\n
\n\n\n\nWhy one bridge per VLAN?<\/h2>\n\n\n\n
\n\n\n\nStep 1 \u2014 Create the Trunk Bridge<\/h2>\n\n\n\n
\/interface bridge\nadd name=bridge-trunk\n\n\/interface bridge port\nadd bridge=bridge-trunk interface=ether5\n<\/code><\/pre>\n\n\n\nether5<\/code> is the interface connected to the Cisco switch trunk port. After running this you should see the bridge and its port in Winbox: <img <\/p>\n\n\n\n![\"\"\/](\"https:\/\/blog.lfps64.com\/wp-content\/uploads\/2022\/08\/imagen-1.png\")
<\/figure>\n\n\n\n
\n\n\n\nStep 2 \u2014 Create the VLANs on the Trunk Bridge<\/h2>\n\n\n\n
bridge-trunk<\/code>. This tells MikroTik to expect tagged traffic for these VLAN IDs on that bridge.<\/p>\n\n\n\n\/interface vlan\nadd interface=bridge-trunk name=\"vlan-2\" vlan-id=2\nadd interface=bridge-trunk name=\"vlan-3\" vlan-id=3\nadd interface=bridge-trunk name=\"vlan-4\" vlan-id=4\n<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/blog.lfps64.com\/wp-content\/uploads\/2022\/08\/imagen-2.png\")
<\/figure>\n\n\n\n
\n\n\n\nStep 3 \u2014 Create a Bridge for Each VLAN<\/h2>\n\n\n\n
\/interface bridge\nadd name=br-vlan2\nadd name=br-vlan3\nadd name=br-vlan4\n<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/blog.lfps64.com\/wp-content\/uploads\/2022\/08\/imagen-3.png\")
<\/figure>\n\n\n\n
\n\n\n\nStep 4 \u2014 Attach VLAN Interfaces and Access Ports to Each Bridge<\/h2>\n\n\n\n
\/interface bridge port\nadd bridge=br-vlan2 interface=\"vlan-2\"\nadd bridge=br-vlan3 interface=\"vlan-3\"\nadd bridge=br-vlan4 interface=\"vlan-4\"\nadd bridge=br-vlan4 interface=ether4\nadd bridge=br-vlan3 interface=ether3\nadd bridge=br-vlan2 interface=ether2\n<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/blog.lfps64.com\/wp-content\/uploads\/2022\/08\/imagen-4.png\")
<\/figure>\n\n\n\n
\n\n\n\nStep 5 \u2014 Assign IPs, Configure DHCP, and Set Up NAT<\/h2>\n\n\n\n
\/ip address\nadd address=10.0.2.1\/24 interface=br-vlan2 network=10.0.2.0\nadd address=10.0.3.1\/24 interface=br-vlan3 network=10.0.3.0\nadd address=10.0.4.1\/24 interface=br-vlan4 network=10.0.4.0\n\n\/ip pool\nadd name=dhcp_pool0 ranges=10.0.2.2-10.0.2.254\nadd name=dhcp_pool1 ranges=10.0.3.2-10.0.3.254\nadd name=dhcp_pool2 ranges=10.0.4.2-10.0.4.254\n\n\/ip dhcp-server\nadd address-pool=dhcp_pool0 disabled=no interface=br-vlan2 name=dhcp1\nadd address-pool=dhcp_pool1 disabled=no interface=br-vlan3 name=dhcp2\nadd address-pool=dhcp_pool2 disabled=no interface=br-vlan4 name=dhcp3\n\n\/ip dhcp-client\nadd disabled=no interface=ether1\n\n\/ip dhcp-server network\nadd address=10.0.2.0\/24 dns-server=10.0.2.1 gateway=10.0.2.1\nadd address=10.0.3.0\/24 dns-server=10.0.3.1 gateway=10.0.3.1\nadd address=10.0.4.0\/24 dns-server=10.0.4.1 gateway=10.0.4.1\n\n\/ip dns\nset allow-remote-requests=yes\n\n\/ip firewall nat\nadd action=masquerade chain=srcnat\n<\/code><\/pre>\n\n\n\n
\n\n\n\nResult<\/h2>\n\n\n\n
![\"\"\/](\"https:\/\/blog.lfps64.com\/wp-content\/uploads\/2022\/08\/imagen-5-1024x447.png\")
<\/figure>\n\n\n\n
\n\n\n\nConfig Files<\/h2>\n\n\n\n
\n
\n\n\n\nWhen to Use This Method \u2014 And When to Move On<\/h2>\n\n\n\n