Confusion about interface, switch, bridge, VLAN

I am new to RouterOS and just trying to replace my router based on WRT54GL/OpenWRT with RouterBoard 750.

I am confused with the architectural way Mikrotik handles VLANs (and interfaces, switches etc).

What I want:

  • Interface 1: WAN (static IP), VLAN3, untagged
  • Interface 2: VLAN1, untagged
  • Interface 3, 4: VLAN2, untagged, “LAN”, bridged to OpenVPN server
  • Interface 5: VLAN1-3, tagged

In Linux (or OpenWRT) I would first create the VLAN ports (eth0.1 - eth0.3) and maybe bridge them to different interfaces.
Similarly for all managed switches I have used so far (3COM and TP-Link): there are physical ports which I can split into VLANs and say that port 1 should be assigned to one VLAN while other ports may be assigned multiple VLANs (tagged).

I use WinBox - when I create a VLAN in the “Interfaces” section, I can only select one interface. Why?

In contrast in “Switch” section, VLAN, I can assign VLAN IDs to ports but I cannot create VLANs. How are they related to the VLANs I create in Interfaces?

How do I configure using WinBox for the scenario above?

Think of VLANs on a Mikrotik as just bridges. Think of VLAN interfaces as a device that adds VLAN tags on egress and removes tags on ingress. A standard interface (eth1, eth2, etc.) is always untagged.

In a simple scenario, bridging eth2 and eth3, then bridging eth4 and eth5, gives you two VLANs accepting untagged packets.

If you create a VLAN interface, you specify the physical port it's bound to and the VLAN ID (in this example ID #1). So if you create vlan1 bound to eth2 and add vlan1 to the second bridge, then packets tagged with VLAN ID #1 will be a part of bridge2.

In your setup I’d create three bridges to represent your three vlans: bridge1, bridge2, bridge3.

Then I’d create vlan interfaces:
Name: vlan3_eth1, VLAN ID: 3 , Interface: Eth1
Name: vlan1_eth2, VLAN ID: 1, Interface: Eth2
Name: vlan2_eth3, VLAN ID: 2, Interface: Eth3
Name: vlan2_eth4, VLAN ID: 2, Interface: Eth4
Name: vlan1_eth5, VLAN ID: 1, Interface: Eth5
Name: vlan2_eth5, VLAN ID: 2, Interface: Eth5
Name: vlan3_eth5, VLAN ID: 3, Interface: Eth5

Then I’d assign the members to the bridges:

bridge1: vlan1_eth2, vlan1_eth5
bridge2: vlan2_eth3, vlan2_eth4, vlan2_eth5
bridge3: vlan3_eth1, vlan3_eth5

This handles all the tagged packets.

Your example doesn't say which VLANs the untagged interfaces should belong to. So should you want untagged packets to/from Eth5 to belong to vlan3, then add Eth5 to bridge3.

This is a great explanation - thank you!

Do I understand correctly that

1.) For a physical port 5 that has vlan1,vlan2,vlan3 tagged I would need to create three interfaces and bridge them together?
2.) For example, vlan1_eth2 in your example - is this really needed? Because eth2 is an untagged port - I think I could just directly bridge eth2 with vlan1_eth5? (I mentioned ports 1-4 are untagged but only 5 is tagged)

Furthermore, according to http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features, the RouterBoard provides hardware-level switching (in my case Atheros8316) which I would like to use if possible. Creating a bridge is a pure software-level thing and hence not efficient, to my understanding. Is it still possible to combine VLANs with hardware-level switching (as is done in a managed switch too)?

2.) vlan1_eth2 isn't needed; I misread your design. Add Eth2 to bridge1; this means packets with no VLAN tag will belong to bridge1 (so vlan1).

1.) For physical port 5 (eth5) you'd create three VLAN interfaces on it. Label them as vlan1_eth5, vlan2_eth5, vlan3_eth5. Then add vlan1_eth5 to bridge1, vlan2_eth5 to bridge2, vlan3_eth5 to bridge3. And because the physical port eth5 is not part of any bridge, inbound untagged packets will not be routed anywhere, and thus are dropped.

If you have a CRS switch, then in WinBox under Switch I see VLAN options. I haven't used those settings before and don't know if they'll do hardware switching for VLANs.
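The design worked out in the two replies above (three bridges, untagged access ports added to their bridge directly, one VLAN interface per tag on the eth5 trunk) written as RouterOS terminal commands instead of WinBox clicks. This is an added example, not something posted in the thread: it assumes the RouterOS port names ether1..ether5, the pre-6.41 "one bridge per VLAN" model the replies describe, and placeholder addresses and a placeholder certificate name for the OpenVPN server.

```routeros
# Added example, not from the thread. Assumes ports ether1..ether5 on an
# RB750, the pre-6.41 one-bridge-per-VLAN model, and placeholder addresses.

# One bridge per VLAN.
/interface bridge
add name=bridge1 comment="VLAN 1"
add name=bridge2 comment="VLAN 2 - LAN"
add name=bridge3 comment="VLAN 3 - WAN"

# ether5 is the trunk: one VLAN interface per tag. ether5 itself is not a
# bridge port, so untagged frames arriving on it belong nowhere and are dropped.
/interface vlan
add name=vlan1_eth5 vlan-id=1 interface=ether5
add name=vlan2_eth5 vlan-id=2 interface=ether5
add name=vlan3_eth5 vlan-id=3 interface=ether5

# Access ports join their bridge directly (untagged); the tagged
# sub-interfaces of ether5 join the bridge for the same VLAN ID.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=vlan1_eth5
add bridge=bridge2 interface=ether3
add bridge=bridge2 interface=ether4
add bridge=bridge2 interface=vlan2_eth5
add bridge=bridge3 interface=ether1
add bridge=bridge3 interface=vlan3_eth5

# Layer-3 configuration goes on the bridges, not on the member ports.
# 203.0.113.2 stands in for the real static WAN address.
/ip address
add address=203.0.113.2/24 interface=bridge3 comment="static WAN (placeholder)"
add address=192.168.1.1/24 interface=bridge1
add address=192.168.2.1/24 interface=bridge2

# OpenVPN server in ethernet (TAP) mode, bridged into the LAN VLAN: the PPP
# profile's bridge= setting adds each client's ovpn interface to bridge2.
# "server-cert" is assumed to be an already imported certificate.
/ppp profile
add name=ovpn-lan bridge=bridge2 use-encryption=required
/interface ovpn-server server
set enabled=yes mode=ethernet port=1194 certificate=server-cert \
    require-client-certificate=yes default-profile=ovpn-lan

# Check the result: every bridge should list exactly the members above.
/interface bridge port print
/interface vlan print
```

Two points worth checking after applying this. First, because bridge3 joins the WAN port to VLAN 3 on the trunk, whatever is sitting on VLAN 3 behind eth5 is on the WAN segment at layer 2, so firewall rules for the WAN should match in-interface=bridge3 rather than ether1. Second, the router now routes between the three bridges, so inter-VLAN traffic is governed only by the forward chain; a default-drop forward rule with explicit allows is the usual way to keep VLAN 1 and VLAN 2 separated.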
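On the hardware-switching question raised above: the Manual:Switch_Chip_Features page linked in the thread documents a per-chip VLAN table and per-port tagging rules for the Atheros8316. The following is an added example of how the LAN part of the design could be pushed onto that chip; it is not from the thread or the manual verbatim. It assumes that on the RB750 the switch group is ether2..ether5 with ether1 as a separate CPU-only port (so the WAN/VLAN 3 part is still bridged in software), that the parameter names and values match the linked manual page for Atheros8316, and that tagging all frames towards the CPU with add-if-missing is an acceptable way to get one VLAN interface per ID on the master port.

```routeros
# Added example, not from the thread. Assumes RB750 switch group
# ether2..ether5 (ether1 is not on the switch chip) and the Atheros8316
# parameters documented in Manual:Switch_Chip_Features.

# Put ether3-ether5 under ether2 so the chip forwards between them.
/interface ethernet
set ether3,ether4,ether5 master-port=ether2

# Per-port rules. vlan-mode=secure drops frames whose VLAN ID is not in the
# VLAN table for that port; with no default-vlan-id on ether5, untagged
# frames on the trunk are dropped. Access ports strip tags on egress and
# classify untagged ingress into default-vlan-id. Frames to the CPU are
# always tagged so one /interface vlan per ID can pick them up (assumption).
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=1
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=2
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=2
set ether5 vlan-mode=secure vlan-header=add-if-missing
set switch1-cpu vlan-mode=secure vlan-header=add-if-missing

# VLAN table: which ports may carry which ID. switch1-cpu is a member so
# the router can hold an address in each VLAN and so VLAN 3 can reach ether1.
/interface ethernet switch vlan
add switch=switch1 vlan-id=1 ports=ether2,ether5,switch1-cpu
add switch=switch1 vlan-id=2 ports=ether3,ether4,ether5,switch1-cpu
add switch=switch1 vlan-id=3 ports=ether5,switch1-cpu

# CPU side: tagged sub-interfaces on the master port.
/interface vlan
add name=vlan1 vlan-id=1 interface=ether2
add name=vlan2 vlan-id=2 interface=ether2
add name=vlan3 vlan-id=3 interface=ether2

# VLAN 3 must still meet the WAN port, which the chip cannot switch: bridge
# it in software with ether1. VLAN 2 stays a bridge too for the OpenVPN TAP
# clients. VLAN 1 needs no bridge at all now.
/interface bridge
add name=bridge2 comment="VLAN 2 - LAN + OpenVPN"
add name=bridge3 comment="VLAN 3 - WAN"
/interface bridge port
add bridge=bridge2 interface=vlan2
add bridge=bridge3 interface=ether1
add bridge=bridge3 interface=vlan3

/ip address
add address=192.168.1.1/24 interface=vlan1
add address=192.168.2.1/24 interface=bridge2
add address=203.0.113.2/24 interface=bridge3 comment="static WAN (placeholder)"

# Inspect the chip's view of the VLAN table.
/interface ethernet switch vlan print
/interface ethernet switch port print
```

The security-relevant difference from the all-software version is where the drop decision for unexpected tags is made: with vlan-mode=secure the chip discards a frame on, say, ether3 carrying a VLAN 1 tag before the CPU ever sees it, whereas with plain bridges such a frame reaches the CPU and is simply unmatched. The per-port and CPU-port header semantics vary between switch chips, so the settings above should be checked against the linked manual page for the exact chip before relying on them.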