Hi,
can someone explain me the difference between port based vlan and the possiblilty to add vlans to a bridge. I tried both configs in OS6.42. but I am not sure which one I should use.
Thanks,
Spartacus
Good question!!
I am in the same boat.
I have my LANS associated with Bridges
bridge1 is my homelan and the bridge is assigned to ether2 and ether3
bridge2 is my DMZlan and the bridge is assigned to ether4
I am assuming if I want to have 3 VLANS,
wired media VLAN 10 - (hosted on DMZ)
wifi guests VLAN20 (hosted on DMZ)
wifi HOME VLAN30 (hosted on Homelan)
Then I would using the interface setting under INTERFACE------> VLAN -----------> Interface: (_____________ ?)
and select the appropriate ??? there is no setting for the network, its either bridge or etherport.
I suspect I want the bridge choice.
What is scaring me off is that there is a separate bridge vlan settings area but that looks more like switch type vlan settings, probably for a different purpose than what I am attempting to initially setup and specifically a more advanced set of settings to decide what kind of vlan tagging etc is needed..
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples
Note very carefully that in the above link they only use Switch commands when the device supports specific switch chips.
If you don’t know what you’re doing, use VLANs on a single bridge and don’t touch any Switch options. Default hardware offloading should do the rest.
Think of a Bridge as a logical switch and the Switch stuff as a physical switch limited to specific interfaces (Ethernet on almost all devices). The bridge is a lot more flexible, can be used with any interface, and there’s limited hardware offloading support for a single bridge. Bridges also work correctly with certain protocols.
In other words, you can’t go wrong if your goto is a bridge - though you can lower your performance if there are multiple bridges, which is not necessary in most simple cases involving VLANs.
Hi everybody,
manny thanks for your reply. Seems to be that I am on the right way with the bridged vlan. Not sure in which usecase I will need several bridges if all vlans run over only one bridge!
I followed this guide (https://www.administrator.de/wissen/mikrotik-vlan-konfiguration-router-os-version-6-41-367186.html) were 4 vlans are configured in one bridge.
VLAN1 is the Management-LAN; the “Default Vlan”. All networks are configuren on the vlan Interfaces. this seems to be working and all networks were routed automatically.
I learned this is correct because it is a router´s work to route netorks 
. If I will separate the networks, I have to use firewall rules.
My problem is, I do not understand how to configure the Router IP-Address correctly in this environment? in my case vlan1 is 192.168.1.0/24 but the router IP seems to be not preset (see picture). Of course, I can ping the router over 192.168.1.1 but how does the router know, that he is on vlan1?
Many, many open questions for me and it seems to be that I do not have a clear view until now.
Thanks,
Christian
Just don’t use Quickset … your setup is well beyond intended use of quickset and it doesn’t show correct values.
Hi,
ok, I understand, thanks for clarification.
But there is already an issue with my config. I wanted to permit clients in vlan10 and 20 to see each other, and clinets in vlan 10 and vlan20 should not see clients in the admin LAN (vlan1). Therefore I defined a couple of firewall rules (last 4 lines in code).
It is working for vlan10 and vlan20; client in vlan10 cannot see clients in vlan20 and the other way around. But I can ping the router in vlan1 with IP 172.16.1.1 from vlan10 and vlan20. Annother switch with ip-Address 172.16.1.13 does not answer and the rule (add action=drop chain=forward dst-address=172.16.1.0/24 src-address=172.16.20.0/24) seems to be working. But why can I see the 172.16.1.1?
What is wron in my rule?
Thanks a lot,
Christian
/interface bridge
add fast-forward=no name=br_vlan vlan-filtering=yes
/interface vlan
add interface=br_vlan name=vlan1 vlan-id=1
add interface=br_vlan name=vlan10 vlan-id=10
add interface=br_vlan name=vlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
/ip pool
add name=pool_admin ranges=172.16.1.101-172.16.1.199
add name=pool_vlan10 ranges=172.16.10.100-172.16.10.199
add name=pool_vlan20 ranges=172.16.20.100-172.16.20.199
/ip dhcp-server
add address-pool=pool_admin disabled=no interface=vlan1 name=dhcp_admin
add address-pool=pool_vlan10 disabled=no interface=vlan10 name=dhcp_vlan10
add address-pool=pool_vlan20 disabled=no interface=vlan20 name=dhcp_vlan20
/interface bridge port
add bridge=br_vlan hw=no interface=sfp1
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=vlan1
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=vlan10 pvid=10
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=vlan20 pvid=20
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan,vlan1 untagged=sfp1 vlan-ids=1
add bridge=br_vlan tagged=sfp1,br_vlan,vlan10 untagged=ether3 vlan-ids=10
add bridge=br_vlan tagged=sfp1,br_vlan,vlan10 untagged=ether4 vlan-ids=20
/interface list member
add interface=ether1 list=WAN
add interface=br_vlan list=LAN
/ip address
add address=172.16.1.1/24 interface=vlan1 network=172.16.1.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.20.1/24 interface=vlan20 network=172.16.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=192.168.1.1 domain=admin gateway=172.16.1.1
add address=172.16.10.0/24 dns-server=192.168.1.1 domain=vlan10 gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=192.168.1.1 domain=vlan20 gateway=172.16.20.1
/ip firewall filter
add action=drop chain=forward dst-address=172.16.20.0/24 src-address=172.16.10.0/24
add action=drop chain=forward dst-address=172.16.10.0/24 src-address=172.16.20.0/24
add action=drop chain=forward dst-address=172.16.1.0/24 src-address=172.16.10.0/24
add action=drop chain=forward dst-address=172.16.1.0/24 src-address=172.16.20.0/24
So the only thing not working according to your expectations is that access to your router’s address works even from the “wrong” VLAN? This does screw up mental process of setting up FW rules for protecting router from LAN segments.
It wouldn’t get me surprised if it would turn out that packet processing is as follows:
- packet arrives at router’s interface (e.g. vlan interface)
- router checks it and sees it’s destined to one of its own addresses
- due to that it skips forward chain and goes into input chain
I guess you better add some FW rules on input chain only allowing connections from either vlan1 interface or from 172.16.1.0/24 IP subnet.
My understanding is that the router at layer 3 will allow clients from one vlan to reach another.
Thus forward filter rules are required to block vlan to vlan traffic not desired.
Vlan traffic by its nature is blocked (layer 2) at the switch level.
@anav: Spartacus has got drop rules in forward chain which do prevent L3 connectivity between his subnets. As far as I understood it’s only router’s addresses that are reachable from “wrong” VLANs/subnets.
“Port based” VLANs is the old type of configuration that has been left in the wiki page for legacy reasons, but it is known to cause issues with RSTP and can even cause loops.
The “bridge based” VLANs should be used whenever possible since this type of configuration complies with IEEE 802.1Q and 802.1W, which is required for setups with many different vendor devices. If you are using “port based” VLANs, then you should migrate your configuration to “bridge based” VLANs, you can expect more features to be added to the new bridge implementation, which will never be possible on “port based” VLANs. You can find a case study for one of caveats that can exist in your setup when using “port based” VLANs here:
https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#Bridged_VLAN_on_physical_interfaces
It also seems that you are mixing both methods together, which is a very bad idea, check this case study:
https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_on_a_bridge_in_a_bridge
With bridge VLAN filtering you are restricting Layer2 access between different VLAN IDs. With VLAN filtering enabled the bridge will not allow to forward packets on interfaces that are not allowed to carry such VLANs, but as soon as you have created a VLAN interface and added an IP address on it, then you have enabled interVLAN routing and Layer3 communication becomes possible. What you haven’t taken into account is that when you are pinging an IP address that the router has, you are using the “INPUT” chain instead of “FORWARD”, you need more rules in case you want to make these addresses “invisible” to other VLANs.
To limit access between VLAN domains you need to setup a Firewall. This can be done in /ip firewall filter, limit the access between 192.168.X.0/24 and 192.168.Y.0/24. This can also be done in /interface ethernet switch rules, if your devices supports it (and you have enabled hardware offloading). This can also be done in /interface bridge filter, if you are willing to give up FastPath and FastForward in case of a 2 port bridge.
Hello,
many thanks to all of you for your help. I am not sure, if have understood everything. This is very new stuff for me and i am currently in the “learning mode”. I will go through the links and I hope it makes things much more clear.
But I do not know what you mean with “mixing both methods”. I checked my current config, and I am not sure which part of the config is based on the old method. It would help, if you can refer to the specific part.
I also setup some firewall rules and it seems to be working as it should. Except one thing: Clients in the management lan (172.16.1.0/24) should have access to all other networks. Now i am trying for hours without success. 
Christian
/interface bridge
add fast-forward=no name=br_vlan vlan-filtering=yes
/interface list member
add interface=ether1 list=WAN
add interface=br_vlan list=LAN
/interface vlan
add interface=br_vlan name=vlan1 vlan-id=1
add interface=br_vlan name=vlan10 vlan-id=10
add interface=br_vlan name=vlan20 vlan-id=20
/ip address
add address=172.16.1.1/24 interface=vlan1 network=172.16.1.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.20.1/24 interface=vlan20 network=172.16.20.0
/interface bridge port
add bridge=br_vlan hw=no interface=sfp1
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged nterface=ether2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=vlan1
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=vlan10 pvid=10
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=vlan20 pvid=20
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan,vlan1 untagged=sfp1 vlan-ids=1
add bridge=br_vlan tagged=sfp1,br_vlan,vlan10 untagged=ether3 vlan-ids=10
add bridge=br_vlan tagged=sfp1,br_vlan,vlan10 untagged=ether4 vlan-ids=20
/ip firewall address-list
add address=172.16.1.0/24 list=PrivateSubnets
add address=172.16.10.0/24 list=PrivateSubnets
add address=172.16.20.0/24 list=PrivateSubnets
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input connection-state="" in-interface=vlan1 src-address=172.16.1.0/24
add action=reject chain=forward dst-address-list=PrivateSubnets in-interface= !ether1 reject-with=icmp-admin-prohibited src-address-list=""
add action=drop chain=input
add bridge=br_vlan tagged=sfp1,br_vlan,vlan10 untagged=ether4 vlan-ids=20
Spot the typo.
Hi sid5632,
I watched this line for several minutes and I diidn´t see what you meant! But then, after minutes…Of course, it must be
add bridge=br_vlan tagged=sfp1,br_vlan,vlan20 untagged=ether4 vlan-ids=20
. Ok. But this solves not the access- issue from 172.16.1.0 to the other networks. 
Christian
With filter rule you’re rejecting all traffic between private subnets except for traffic incomming through ether1. That might seem fine, but you’re dropping related traffic - replies in the opposite direction.
Hi,
ok, does it mean I have to add a forward rule for related and established traffic for all interfaces?
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
Sorry, for the stupid questions, but I try to understand the ruling!
Christian
I have several questions of my own. 
- Am I missing something, what is your device? This is important because VLAN filtering can be different for different devices and setups like hybrid ports
- Which of these physical interfaces are trunks to other VLAN-aware switches or routers?
- Why do you have vlan interfaces present in your bridge ports and bridge vlans? I do not believe ingress filtering is meant for logical interfaces, only physical and virtual (like virtual AP interfaces). After all, the tagged packets have to come in from somewhere! Please remove them entirely or check with more Mikrotik veterans or support.
- Is ingress filtering even enabled (I see no “ingress-filtering=yes” anywhere)? Do you actually need it and therefore testing it? I suggest removing all traces of it until you have the basic setup working
- Why are you rejecting traffic instead of dropping it and optionally logging it?
- Why were you attempting to use the QuickSet tools, which are meant for consumer friendly introduction to Mikrotik devices or just to quickly put up a basic configuration to start with, yet you do not have a default firewall configuration? Did you delete all the firewall rules or are you only showing us a subset of your IP firewall filter rules?
Prior to 6.42 I have also had difficulties with VLAN ID 1 with vlan-filtering bridge setups and trunk ports, even when listed explicitly in “/interface vlan”. I have not checked since. VLAN ID 1 is also the default bridge PVID. But since you don’t seem to be having any particular issues with VLAN ID 1 issues, you can ignore it.
I would have expected a default firewall filter configuration similar to this:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" \
protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
You could disable the ICMP entry and the IPSec entries if you don’t need them, but the rest should be in any default firewall configuration unless you really, really know what you are doing!
I would then have added:
/ip firewall address-list
add address=172.16.10.0/24 list=VlanFriends
add address=172.16.20.0/24 list=VlanFriends
/ip firewall filter
add action=accept chain=forward comment="Accept VLAN friends" dst-address-list=VlanFriends src-address-list=VlanFriends
add action=drop chain=forward comment="Drop inter-VLAN traffic" dst-address-list=PrivateSubnets src-address-list=PrivateSubnets log=yes log-prefix=InterVLAN
Hi,
thank you very much for your very detailed reply. I am very happy about any support, especially if an expert takes care of newbie issues .
First of all, I will try to answer your questions, although I find it very difficult to give meaningful answers .
- sorry, you´re right. There is no hint which HW I use. My Mikrotik is the RB3011. I´ve updated the signature
- Trunk Port is SFP1, this is connected to a Cisco SG250 POE (and from the second SFP-Port of the SG250 to the next Cisco Switch)
- Hm! This is a good question. I followed this tutorial (https://www.administrator.de/wissen/mikrotik-vlan-konfiguration-router-os-version-6-41-367186.html; sorry, the tutorial is in german, but have a look at the screenshots) because this was described as the best choice for vlan setup for OS 6.41 and above.
Please keep in mind: I am a newbie and in a “learning mode” and I use tutorials to collect experience. But if I read between the lines, I notice that this could might be nonsense. If there is a better way, it would be great if you can help me to understand how this should be processed. - puuh! Newbie is overstrained! I am not sure what exacly must be removed in the config.
- this part of the firewall-rule is stolen from annother tutorial. There is no profound reason for “reject”
- I am planning a redsign of my network (http://forum.mikrotik.com/t/redesign-of-local-network-with-mikrotik-router/119063/1)and I have to learn all basics from scratch. After lessons learned, I reset the router and kill the default configuration. This helps me to familiarize with the OS. At the end I will put the puzzle together.
As you can see, there are a lot of gaps and I have to work on it, step by step! Maybe you can help me to shed some light on this!
Tomorrow I will try to understand the firewall rules and I will test it on the Router. I will let you know!
I´ve checked the firewall-rules. I have installed the default-rules and I´ve added the advanced setting, but I am little bit confused about it:
/ip firewall address-list
add address=172.16.10.0/24 list=VlanFriends
add address=172.16.20.0/24 list=VlanFriends
/ip firewall filter
add action=accept chain=forward comment="Accept VLAN friends" dst-address-list=VlanFriends src-address-list=VlanFriends
add action=drop chain=forward comment="Drop inter-VLAN traffic" dst-address-list=PrivateSubnets src-address-list=PrivateSubnets log=yes log-prefix=InterVLAN
- you add an additional list for “VlanFriends” to allow the communication between vlan10 and vlan20. This is ok, I can follw you.
- you drop inter-vlan-traffic for the same networks, including vlan1 with list PrivateSubnets (vlan1, vlan10, vlan20).
This is what I do not understand. Are you sure, this is correct?
Requirements are:
- vlan1, vlan10 and vlan20 are allowed to use the internet
- vlan10 and vlan20 are not allowed to comminicate each other, including Gateway
- vlan1 is allowd to communicate with vlan10 and vlan20
with best regards,
Spartacus
In RouterOS firewall the order of the rules matters. The CPU is going down the list starting from the top. RouterOS Firewall Filtering is Accept-based, i.e. if something does not match it is Accepted. That’s why you should always have a Drop rule for any category of filtering, look at the default rules I posted for inspiration. This inversion is also best security practice and principle (drop by default).
Internet has nothing to do with VLANs if all the inter-VLAN traffic is attached to LAN interfaces …
You can amend the rules to add an exception for the final requirement:
/ip firewall address-list
add address=172.16.1.0/24 list=Admin
add address=172.16.10.0/24 list=VlanFriends
add address=172.16.20.0/24 list=VlanFriends
/ip firewall filter
add action=accept chain=forward comment="Accept VLAN Admin" src-address-list=Admin
add action=accept chain=forward comment="Accept VLAN friends" dst-address-list=VlanFriends src-address-list=VlanFriends
add action=drop chain=forward comment="Drop inter-VLAN traffic" dst-address-list=PrivateSubnets src-address-list=PrivateSubnets log=yes log-prefix=InterVLAN
Hi,
sorry, I cannot follow the rules you have added. I have installed the following:
/ip firewall address-list
add address=172.16.1.0/24 list=Admin
add address=172.16.10.0/24 list=VlanFriends
add address=172.16.20.0/24 list=VlanFriends
add address=172.16.1.0/24 list=PrivateSubnets
add address=172.16.10.0/24 list=PrivateSubnets
add address=172.16.20.0/24 list=PrivateSubnets
/ip firewall filter
add action=accept chain=forward comment="Accept VLAN Admin" src-address-list=Admin
add action=accept chain=forward comment="Accept VLAN friends" dst-address-list=VlanFriends src-address-list=VlanFriends
add action=drop chain=forward comment="Drop inter-VLAN traffic" dst-address-list=PrivateSubnets src-address-list=PrivateSubnets log=yes log-prefix=InterVLAN
line 1:Admin vlan is acceped, I understand
line 2. you allow the inter-vlan traffic between vlan10 and vlan20, but this should be forbidden
line 3: you drop the traffic between all subnets
What I´ve tested with this config:
Client in admin LAN:
- ping client in admin lan: ok
- ping client in vlan10: nok
- ping client in vlan20: nok
Client in vlan20:
- ping client in admin LAN: nok
- ping client in vlan10: ok
- ping client in vlan20: ok
Client in vlan20:
- ping client in admin LAN: nok
- ping client in vlan10: ok
- ping client in vlan20: ok
So it seems to be not working in the correct way.
Christian
The FW rules are only partial.
Example: ping from adminVLAN towards VLAN10:
- passes router on the way “there” according to top-most filter (allowing to forward any packet, originating Admin subnet)
- drops on the way “back”. Doesn’t pass top-most rule (src-address is from VlanFriends), doesn’t pass second rule (dst-address is not in VlanFriends), hits the last rule (dropping anything between LAN segments).
So unless you have some more rules (above these in your last post) you’ll have to add a few more. Such as
add action=accept chain=forward comment="Accept established and related connections" connection-state=related,established
before rules that drop connections.
If communication between VLAN10 and VLAN20 is not desired, just omit middle rule (that accepts connections between VlanFriends subnets).
Another thought: if you happen to add additional subnet (say VLAN30) and you forget it to add to FW address lists, devices from that subnet will be able to communicate everywhere freely. I’d construct the FW rules the other way around:
/ip firewall address-list
add address=172.16.1.0/24 list=Admin
add address=172.16.10.0/24 list=VlanFriends
add address=172.16.20.0/24 list=VlanFriends
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=accept chain=forward comment="Accept established and related connections" connection-state=related,established
add action=accept chain=forward comment="Accept VLAN Admin towards anywhere" src-address-list=Admin
add action=accept chain=forward comment="Accept VLAN friends towards internet" src-address-list=VlanFriends dst-interface=<your WAN interface>
add action=drop chain=forward comment="Drop any other inter-subnet communication"
This way, lack of configuration will be quite obvious as newly configured subnet devices will not have internet connectivity …
If your WAN configuration is not trivial (e.g. you don’t have simple etehr1 or pppoe-out1 or … interface), then the penultimate rule would have to be rethought.