Beginner's question: Bridging and VLANs

danielwinn · May 27, 2024, 8:41am

Hey there, I have running a MikroTik-hEX and a CRS328-24P-4S+ and the latest LTE versions of RouterOS respectively SwitchOS.

So far I am not doing anything fancslopey with the setup: a Unifi AP is connected to the switch as well as a couple of ethernet sockets, but all of them have no VLAN tags or any separation at all. Even the three SSIDs of the AP are running on the same network so far.

My target, though, is to have a setup of 9 VLANs to separate admin, smart home (mainly Shellys) and personal devices as well as work devices (Home Office).

I started reading some tutorials about setting up VLANs in RouterOS, but what I don’t quite understand yet is, what to do with bridges. Would I put all networks

on one bridge
on two bridges: on with internet access and one without
on even more bridges

or would I to the rules on which traffic is allowed inbetween the networks with firewall rules?

Thanks a lot for some hints in form of posts or links!

cheers

tdw · May 27, 2024, 10:53am

One bridge. See http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1 https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-SetupExamples for RouterOS, https://help.mikrotik.com/docs/pages/viewpage.action?pageId=76415036#CRS3xxandCSS32624G2S+seriesManual-VLANConfigurationExample for SwOS.

The bridge and VLANs segregate the layer 2 / ethernet networks, by default layer 3 / IP packets are forwarded between networks unless you have firewall rules to restrict them.

anav · May 27, 2024, 12:59pm

If you are sticking with UNIFI smart APs, keep in mind you will need to connect to them via a HYBRID PORT.
The management or Trusted VLAN ( the one where it gets its IP address from) is expected to arrive at the UNIFI untagged and the rest of the vlans tagged.