Differences between "Port based" and "bridge based" VLAN

Hi,
thank you very much for your very detailed reply. I am very happy about any support, especially if an expert takes care of newbie issues.
First of all, I will try to answer your questions, although I find it very difficult to give meaningful answers.


  1. sorry, you're right. There is no hint which HW I use. My Mikrotik is the RB3011. I've updated the signature
  2. Trunk Port is SFP1, this is connected to a Cisco SG250 POE (and from the second SFP-Port of the SG250 to the next Cisco Switch)
  3. Hm! This is a good question. I followed this tutorial (https://www.administrator.de/wissen/mikrotik-vlan-konfiguration-router-os-version-6-41-367186.html; sorry, the tutorial is in German, but have a look at the screenshots) because this was described as the best choice for vlan setup for OS 6.41 and above.
    Please keep in mind: I am a newbie and in a "learning mode" and I use tutorials to collect experience. But if I read between the lines, I notice that this might be nonsense. If there is a better way, it would be great if you can help me to understand how this should be processed.
  4. puuh! Newbie is overstrained! I am not sure what exactly must be removed in the config.
  5. this part of the firewall-rule is stolen from another tutorial. There is no profound reason for "reject"
  6. I am planning a redesign of my network (http://forum.mikrotik.com/t/redesign-of-local-network-with-mikrotik-router/119063/1) and I have to learn all basics from scratch. After lessons learned, I reset the router and kill the default configuration. This helps me to familiarize myself with the OS. At the end I will put the puzzle together.

As you can see, there are a lot of gaps and I have to work on it, step by step! Maybe you can help me to shed some light on this!


Tomorrow I will try to understand the firewall rules and I will test it on the Router. I will let you know!

I've checked the firewall-rules. I have installed the default-rules and I've added the advanced setting, but I am a little bit confused about it:

/ip firewall address-list
add address=172.16.10.0/24 list=VlanFriends
add address=172.16.20.0/24 list=VlanFriends

/ip firewall filter
add action=accept chain=forward comment="Accept VLAN friends" dst-address-list=VlanFriends src-address-list=VlanFriends
add action=drop chain=forward comment="Drop inter-VLAN traffic" dst-address-list=PrivateSubnets src-address-list=PrivateSubnets log=yes log-prefix=InterVLAN



  1. you add an additional list for "VlanFriends" to allow the communication between vlan10 and vlan20. This is ok, I can follow you.
  2. you drop inter-vlan-traffic for the same networks, including vlan1 with list PrivateSubnets (vlan1, vlan10, vlan20).

This is what I do not understand. Are you sure, this is correct?

Requirements are:

  • vlan1, vlan10 and vlan20 are allowed to use the internet
  • vlan10 and vlan20 are not allowed to communicate with each other, including Gateway
  • vlan1 is allowed to communicate with vlan10 and vlan20

with best regards,
Spartacus
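
One way to check the two forward-chain rules quoted in the post against the listed requirements is to model first-match evaluation offline. This is an added example, not code from the thread or from MikroTik. It assumes PrivateSubnets holds vlan1, vlan10 and vlan20 as the post describes, uses 172.16.1.0/24 as a placeholder for the vlan1 subnet (not given in the post), and ignores the default rules, connection state and traffic to the router itself.

```python
import ipaddress

# Address lists. VlanFriends is from the post; PrivateSubnets is described there
# as vlan1 + vlan10 + vlan20. The vlan1 subnet is NOT given in the post, so
# 172.16.1.0/24 is an assumed placeholder.
LISTS = {
    "VlanFriends": ["172.16.10.0/24", "172.16.20.0/24"],
    "PrivateSubnets": ["172.16.1.0/24", "172.16.10.0/24", "172.16.20.0/24"],
}

# The two forward-chain rules in the order posted: (action, src list, dst list)
RULES = [
    ("accept", "VlanFriends", "VlanFriends"),
    ("drop", "PrivateSubnets", "PrivateSubnets"),
]

def in_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in LISTS[name])

def verdict(src, dst, rules=RULES):
    """First matching rule decides; a packet that matches no rule is accepted."""
    for action, src_list, dst_list in rules:
        if in_list(src, src_list) and in_list(dst, dst_list):
            return action
    return "accept"

# Constructed sample hosts, one per VLAN, plus an internet address (TEST-NET-3).
HOSTS = {"vlan1": "172.16.1.10", "vlan10": "172.16.10.10",
         "vlan20": "172.16.20.10", "internet": "203.0.113.5"}

# Requirements as listed in the post: (source, destination, wanted verdict)
REQUIREMENTS = [
    ("vlan1", "internet", "accept"), ("vlan10", "internet", "accept"),
    ("vlan20", "internet", "accept"),
    ("vlan10", "vlan20", "drop"), ("vlan20", "vlan10", "drop"),
    ("vlan1", "vlan10", "accept"), ("vlan1", "vlan20", "accept"),
]

def mismatches(rules=RULES):
    """Return the requirements that the rule set does not satisfy."""
    out = []
    for src, dst, wanted in REQUIREMENTS:
        got = verdict(HOSTS[src], HOSTS[dst], rules)
        if got != wanted:
            out.append((src, dst, wanted, got))
    return out

if __name__ == "__main__":
    for src, dst, wanted, got in mismatches():
        print(f"{src} -> {dst}: wanted {wanted}, rules give {got}")
```

Under these assumptions the internet requirements are met, while the four inter-VLAN requirements come out reversed.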