First time Mikrotik user, absolutely lost

I think you’ve received all sorts of advice, most of it valid. You have to recognize that you have a list of requirements (not at all unreasonable) and you’ll have to learn quite a bit about networking in general, and some of Mikrotik’s idiosyncrasies as well.

Good luck! I think it would be useful if you could spare some time to periodically update us. This could make it easier for others to assess what they are getting themselves into.

Definitely go with vlans from the start. It’s a bit of a pain initially, but it really pays off.

1 Like

It's not. It's pushed at people who want to configure VLANs on MT gear.

It seems like you're asking a XXX car manufacturer to provide a full driving course to their new customers. In the real world (at least in the part I live in) it doesn't happen, there are (3rd party) driving courses which teach driving basics (and even advanced things in "safe driving" courses) without regard to a particular car vendor and model. And then it's up to each user to correctly apply acquired knowledge to the particular car they are driving at any moment. Which is where the car manual comes into the picture.

So what we expect from users reading such a tutorial on this forum is that they already know basic road regulations (e.g. which side of the road to drive on, who's got priority at the crossroads, etc.) before asking about how to drive a ROS car on those roads. And we may give some hints on what to do when going off-road (e.g. switch into 4WD mode).

1 Like

To be honest, and I am certainly in the minority on this forum, but I also would not refer forum beginners to @pcunite's VLAN guide. The reason is that when I knew nothing about VLAN in RouterOS, I read that thread too, and I felt really confused reading it. With all the green, blue, purple, etc... (really, just saying VLAN 100, VLAN 120, ... is easier to follow and remember than blue VLAN and purple VLAN, because when the commands need to be written, you write 100 and 120, not blue and purple, fewer mental translation steps needed). And it was on the old forum, in the beginning, I didn't even notice that there were config files as attachments (I didn't have an account and guest visitors saw no attachments on the old phpBB forum). And then once I had access to the .rsc files, it caused even more confusion, because the config files contain many things, like DHCP server config or router identity and firewalling, that dilute the VLAN parts.

I would prefer that the guide presents the core VLAN configuration parts inline (just the relevant /interface bridge, /interface bridge port, /interface bridge vlan part). Then you can have separate posts or threads, where the inter-VLAN routing/filtering with firewall can be addressed, instead of repeating that in every .rsc file. Same with Management access / Management VLAN, should be as a separate post.

What I also don't like is the need for putting 24 ethernet ports and how many SFP ports in the example .rsc, it just bloats the configuration unnecessarily. Why the need to see PVID 30 set on 8 ports for example? There are too many repetitions that don't improve the teaching.

In the end I found that MikroTik's own documentation is much easier to follow and to apply, the examples starting from this section:

Because those examples have just what I wanted, just the relevant commands presented inline, with short descriptions, for concrete Trunk / Access / Hybrid / InterVLANs / Management configurations. And I find the illustrations on MikroTik's page easier to follow too.

4 Likes

It's good to be in the minority sometimes, I have read that article/thread several times and I am still very confused about it. It is obviously not pcunite's fault, as he tried his best and objectively the contents are very good, but somehow that whole post is unreadable, or requires a level of abstraction that no new user will have.

I don't believe that it is me, as when you, Lurker88 or Sindy (to make some examples) explain things I usually understand them, but that VLAN guide remains way above my (current) level.

3 Likes

Glad I am not alone on this. Having moved on a bit in my vLAN journey, I am seeing some value in the document. I have not rubbished it, but I have made 2 -constructive- criticisms of it up thread which has resulted in a negative reaction from people who seem to have the attitude that if it was hard for them to learn, they are not going to let others have it any easier. Which is out of place on a beginner forum.

What I also don't like is the need for putting 24 ethernet ports and how many SFP ports in the example .rsc, it just bloats the configuration unnecessarily. Why the need to see PVID 30 set on 8 ports for example? There are too many repetitions that don't improve the teaching.

Yes, it is definitely deficient there, requiring some isolated examples of the different port types. As you provided the link for:

Thanks for that link. It addresses one of my concerns completely. And I think if the pcunite link is posted, that link should be posted too. Perhaps @pcunite would consider including it in his document?

You got me :slight_smile:

The problem is that pcunite's article is the only one that squeezes that topic into one big post.
Yes, he could change it, but anyone could write the "new better" article on that using the "better" wording and a fresh new point of view. The point of view that lets anyone understand the problem more easily. I'm not a fan of that very useful article, I just link it.

If anyone wrote a better one I would recommend it, but I do not like complaints like:

  • it's too complicated, do not link it
  • I would prefer simpler version
  • where is the video version?
  • .....

Who will take up the challenge?

If no one complained, nothing would be improved. I have never wanted it not linked. But when it is linked, I would like to see some acceptance that it may not provide the stepping stone that an inexperienced poster may need.

The fixes which I can see are:

  1. A rewrite of the “Welcome” paragraph, to acknowledge that it will be hard for a noob. Text such as “Follow along the light reading material … “ is depressing when you read the document for a second time.
  2. A rewrite of the “Why vLAN” paragraph to reduce the boosterish statement “but VLAN is never a wrong choice.“ and incorporate the limitation that you only use a vLAN if you can see a need for a Single Broadcast Domain
  3. After the 3 types of port are introduced, the link introduced by @CGGXANNX is required

So we have something like:

Fix1

Welcome:
This article is for system integrators, network administrators, and product enthusiasts looking for the definitive guide on how to design and set up VLAN networks using MikroTik. The text and diagrams give an introduction to vLANs. It is appreciated that this can be a difficult topic for a newcomer to the subject, so take your time to read through and perhaps consult other sources to get the broadest perspective. See the theory and then deep dive into the actual commands to implement it all. We'll discuss Access, Trunk and Hybrid ports, switching and routing, and guest access into our networks. NB You need to be logged into the forum to see the configuration files for the examples.

Fix 2

Why VLAN?
If you have a need to partition and isolate networks and devices from each other using the same physical hardware, you may be a good candidate for VLAN. If you have IoT devices, IP cameras, guests who need to use your WiFi, and a need to QoS who gets what, VLAN can make your network simpler to reason about. In micro-sized networks, it is possible to use other methods besides VLAN, but anywhere you can identify a need for a Single Broadcast Domain will be a good candidate for implementation as a vLAN. This should give you the confidence to learn the VLAN concept knowing it will scale as your network and the number of devices grow.

Note: A Single Broadcast Domain is a portion of a network consisting of 1 [or maybe more] complete IP subnets, typically supported by a DHCP server, where Address Resolution Protocol enables the connected devices to communicate on Layer 2 by means of MAC address.

Fix 3 - Right After this

Access Ports:
These ports define the entry into your VLAN. They represent groups of devices that need access to each other but not other networks. You will group them by ID. In this documentation we use colors like Blue, Green, and Red to help us to visualize the ID numbers. Access ports are configured in a way that means ingress (incoming) packets must not have tags and thus will get a tag applied. The egress (outgoing) packets (that are replying back to whatever was plugged in) get tags removed.

Trunk Ports:
These ports are what carry everything you care about between VLANs. If Access ports represent groups of things, think of Trunk ports as what enables these groups to get to places they need to go, like other areas of the switch or network. Trunk ports are configured such that ingress packets must have tags and egress packets will have tags.

Hybrid Ports:
These ports are for special situations and requirements. They share qualities and behaviors of Access and Trunk ports. Basically, they function as an Access port for ingress traffic without tags. When incoming traffic is tagged, and the tag is on the allowed list, it will then function as a Trunk port.

When designing your VLAN, you'll have reached your first step when you can logically think about Access port grouping and Trunk port interconnections. How many VLANs and devices will you need to work with? Who gets access to what? Don't rush this step. Take time to diagram your VLAN.

Continue with

The implementations of these port types are shown as small examples in this Mikrotik help page

Bridging and Switching - RouterOS - MikroTik Documentation

Is that something to go forward with?

2 Likes
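The Access / Trunk / Hybrid descriptions in the proposed Fix 3 map directly onto the per-port settings of a RouterOS VLAN-filtering bridge: the ingress rule is the port's `frame-types` plus `pvid`, and the egress rule is whether the port appears in a VLAN's `tagged` or `untagged` list. The following is an added example (not pcunite's guide, not MikroTik's code) that takes a small constructed port plan and emits the `/interface bridge port` and `/interface bridge vlan` commands for it, with a small lint pass for plans that contradict the port-type definitions. The bridge name `bridge1`, the ports `ether2`..`ether5` and `sfp1`, and the VLAN ids 99/100/120 are assumptions made up for the example.

```python
"""Emit RouterOS bridge-VLAN-filtering commands from a port-role plan.

Added illustration of how the three port types translate to RouterOS
settings; not the guide's own configuration. All names and ids are made up.
"""
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    role: str            # "access", "trunk" or "hybrid"
    pvid: int = 1        # VLAN applied to untagged ingress (access/hybrid)
    tagged: tuple = ()   # VLAN ids accepted/sent tagged (trunk/hybrid)


# Ingress policy per role, matching the port-type descriptions:
#   access : untagged in -> pvid applied; tagged frames are rejected
#   trunk  : tagged in only; untagged frames are rejected
#   hybrid : untagged in -> pvid; tagged in accepted if the VLAN is allowed
FRAME_TYPES = {
    "access": "admit-only-untagged-and-priority-tagged",
    "trunk": "admit-only-vlan-tagged",
    "hybrid": "admit-all",
}

# Constructed plan: two VLANs for devices (100, 120) and a management VLAN (99).
PLAN = [
    Port("ether2", "access", pvid=100),
    Port("ether3", "access", pvid=100),
    Port("ether4", "access", pvid=120),
    Port("ether5", "hybrid", pvid=100, tagged=(120,)),
    Port("sfp1", "trunk", tagged=(100, 120, 99)),
]


def check_plan(ports):
    """Return a list of plan errors that contradict the port-type rules."""
    problems = []
    for p in ports:
        if p.role not in FRAME_TYPES:
            problems.append(f"unknown role {p.role!r} on {p.name}")
        if p.role == "access" and p.tagged:
            problems.append(f"access port {p.name} must not carry tagged VLANs")
        if p.role == "trunk" and not p.tagged:
            problems.append(f"trunk port {p.name} carries no VLANs")
        if p.role == "hybrid" and p.pvid in p.tagged:
            problems.append(f"hybrid port {p.name} lists pvid {p.pvid} as tagged too")
    return problems


def bridge_port_cmds(bridge, ports):
    """One /interface bridge port line per port (the ingress side)."""
    cmds = []
    for p in ports:
        line = (f"/interface bridge port add bridge={bridge} interface={p.name} "
                f"frame-types={FRAME_TYPES[p.role]} ingress-filtering=yes")
        if p.role != "trunk":          # trunks never apply a pvid to ingress
            line += f" pvid={p.pvid}"
        cmds.append(line)
    return cmds


def bridge_vlan_cmds(bridge, ports, mgmt_vlan=None):
    """One /interface bridge vlan line per VLAN (the egress side):
    access/hybrid ports egress their pvid untagged, trunks/hybrids egress
    their tagged list with tags. The bridge itself is a tagged member of
    the management VLAN so the router is reachable on it."""
    tagged, untagged = {}, {}
    for p in ports:
        if p.role in ("access", "hybrid"):
            untagged.setdefault(p.pvid, []).append(p.name)
        for v in p.tagged:
            tagged.setdefault(v, []).append(p.name)
    if mgmt_vlan is not None:
        tagged.setdefault(mgmt_vlan, []).append(bridge)
    cmds = []
    for v in sorted(set(tagged) | set(untagged)):
        parts = [f"/interface bridge vlan add bridge={bridge} vlan-ids={v}"]
        if tagged.get(v):
            parts.append("tagged=" + ",".join(tagged[v]))
        if untagged.get(v):
            parts.append("untagged=" + ",".join(untagged[v]))
        cmds.append(" ".join(parts))
    return cmds


def render(bridge, ports, mgmt_vlan=None):
    """Full script in the order that does not lock you out of the device."""
    problems = check_plan(ports)
    if problems:
        raise ValueError("; ".join(problems))
    script = [f"/interface bridge add name={bridge} vlan-filtering=no"]
    script += bridge_port_cmds(bridge, ports)
    script += bridge_vlan_cmds(bridge, ports, mgmt_vlan)
    if mgmt_vlan is not None:
        script.append(f"/interface vlan add name=mgmt interface={bridge} vlan-id={mgmt_vlan}")
    # Enable filtering last: once it is on, any port or VLAN you forgot is cut off.
    script.append(f"/interface bridge set {bridge} vlan-filtering=yes")
    return script


if __name__ == "__main__":
    print("\n".join(render("bridge1", PLAN, mgmt_vlan=99)))
```

Running it prints a script you can paste line by line; `vlan-filtering=yes` is deliberately the last line, because the moment filtering is switched on a management VLAN that is not yet listed (or a bridge that is not a tagged member of it) disconnects you from the router.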

I’m an industrial electrician by trade, though as you surmised from my handle, I used to build performance engines.

I prepared the network diagram, using visio. I’m brand new to that software, and I’m certain that there is a better way of assembling it, but it has served its purpose so far. Putting that together was the best way for my neighbors (whose network this will be) and I to discuss what is needed, and how to arrange everything.

In order to get a better understanding of the fundamentals of networking, I have begun watching the CCNA study courses that are readily available on YT. This has already paid dividends, in that I am able to understand what you are saying here:

That said, obviously the way Cisco and MikroTik do things is slightly different, but I figure if I actually learn the Cisco way, I will better understand the documentation that MT has put out.

Given that you have a technical background, you should have less trouble picking up networking than someone without a technical background. You probably already have learned how to troubleshoot, and the same techniques work in networking as in electrical or mechanical work.

Once you understand the difference between Layer 2 (switching) and Layer 3 (Routing), and understand what vlans are (just a mechanism to share physical resources (switches and wires) for different logically separate networks), then it is just a matter of learning the different networking dialects used by different vendors. The Cisco SG300 supports vlans, and there are good examples of how to configure vlans on the internet, so as long as you understand what vlans are you should be able to configure a trunk link between the RB3011 and the SG300 that will carry the three vlans. All traffic between the vlans will have to be routed by the RB3011, and sent back down the same trunk using a different vlan. Then the firewall on the RB3011 will be what will limit what devices can initiate a connection between the vlans.

Also, your stated attitude is appropriate, and I think you will find people here willing to help as long as you are willing to put in the effort to learn.

As long as you are not expecting "spoon feeding" and you are willing to put in the effort to learn, I think you will find people here willing to help.

There is another solution: hire a professional. Simple, efficient, job done.

But that assumes that the requirements can be given correctly. And that there will not be changes needed in the future.

And finding someone that will do it right with the equipment that already exists will probably not be cheap. The RB3011 uses two QCA8337 switch chips that don't have support for HW offloading when using the "modern" vlan-filtered bridge, so to be able to extend the vlans between the Cisco SG200 and the RB3011 will require the more complex vlan setup using the /interface/ethernet/switch method instead of vlan-filtering bridge if you want to have the vlan processing done by the switch chip at wire-speed instead of using the CPU (which consumes processing from the CPU and is also slower). This is only needed if you want to be able to use ports on the RB3011 as switch-ports.

If you want to be able to support it, you will need to understand it. You could hire someone, but unless you work with them, you will have to keep going back to the well when something changes. From your initial post, it sounds like this is something you are doing as favor/hobby, and not for a business, where spending the money for a professional setup would probably make more sense.

The easier option to configure, if the SG200 has sufficient ports for all devices, would be to let the SG200 do all the L2 switching, and have the RB3011 be only for routing.

See the following thread for more information about vlans on the RB3011
VLAN performance issues in routing on RB3011
RB3011, VLAN switching/routing and DHCP server

The above threads also have links to other related material.

Also see the RB3011 block diagram

While I agree with everybody (including @Buckeye) regarding performance details of RB3011, my recommendation to a newbie to ROS world would be:

don't bother with most performant setup until you're intimately familiar with ROS. Just go with mainstream setup, which is single bridge (with VLAN filtering enabled if VLANs are in the mix). Just beware that some devices won't perform nearly close to their maximum this way

After things start to work and one discovers that there's a performance bottleneck, either start playing with performance-optimized setup or just go ahead and purchase a more appropriate device.

ROS can be overwhelming for a newbie, but when one has to throw in an uncommon setup (RB3011 running ROS v7 is, let's face it, a rarity) things quickly spiral out of control. And we don't really want that to happen to a new user, specially since many experienced (and "experienced") users wanting to help don't have experience with such rarities themselves.

1 Like

I would add that - judging from the configurations sometimes posted on the forum by users that report having them created by a professional - not all professionals are actually professional, so it seems not so easy to find one that knows where his/her towel is.

mkx gives sage advice!

1 Like

@Enginebuilder your diagram shows SG200-24P as the Cisco switch model. I don't see that as a model in Cisco's 200 Product Family Model Comparison; there is the SF200-24P (but that's a 10/100 PoE 24 port switch), and the SG200-26P with 24 PoE RJ45 port plus two SFP ports. Hopefully what you have is the SG Gigabit model.

Configuring vlans on the SG200 looks reasonably straight forward. See this google search

That query found this Cisco article VLAN Configuration on the 200/300 Series Managed Switches plus there are several youtube videos (which I didn't watch).

If you don't want to configure vlans on the RB3011, you could just remove 3 ether interfaces from the bridge, add the interfaces to the LAN list, add ip addresses (each in a separate subnet) to the ethernet interfaces, and create dhcp servers for the three subnets. Then you could configure all the SG200 with three vlans, add switch ports as access ports for each of the three vlans and then after you confirm that everything is working, then configure the firewall so you can limit traffic between the different subnets/vlans. This may have been what @DuctView was implying in this post.

Or you could configure three vlan interfaces using a single ethernet port as the parent and avoid the use of the bridge on the RB3011 (with for example, ether1 configured as the WAN and ether6 configured as the trunk port to the SG200 switch). Then if you need more ethernet ports than the SG200 provides, you could configure the extra ports on the RB3011 in a bridge configuration (and if you want best intra-vlan performance, learn the switch method). But if you are using only two ports on the RB200, you won't notice a difference in performance because all the traffic will be routed anyway, and that will be done by the CPU anyway. Theoretically you may be able to get slightly better inter-vlan performance if you used separate ether ports, each connected to a separate vlan access port on the switch, because then the single trunk link would not be a potential bottleneck. But with the RB3011, I am not sure that the CPU wouldn't be a bottleneck before the trunk link. I don't have any RB with two switch chips (I have only an RB760iGs and a RB5009).
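The no-bridge variant described in this post (three `/interface vlan` children on one ethernet port, all inter-VLAN traffic routed by the RB3011 and policed by its firewall, as an earlier post also notes) can be written down as a short generated script. This is an added example, not the poster's configuration or MikroTik's code: `ether6` as the trunk to the switch, the VLAN names lan/iot/guest, the ids 100/120/130 and the `192.168.<id>.0/24` subnets are all constructed for illustration, and the only permitted cross-VLAN initiator in the sample policy is lan towards iot.

```python
"""Router-on-a-stick on one ethernet port: a VLAN interface, address and
DHCP server per VLAN, plus forward-chain rules so that only explicitly
allowed VLAN pairs may open new connections to each other.

Added example, not the poster's config. Interface names, VLAN ids and
subnets below are made up for illustration.
"""

# Constructed plan: VLAN name -> (802.1Q id, /24 network prefix)
VLANS = {
    "lan":   (100, "192.168.100"),
    "iot":   (120, "192.168.120"),
    "guest": (130, "192.168.130"),
}

# Which VLAN may initiate connections into which; every other new
# inter-VLAN connection is dropped. Replies flow back via established/related.
ALLOWED_NEW = [("lan", "iot")]


def validate(vlans):
    """Refuse plans with duplicate VLAN ids or subnets: a duplicated id merges
    two 'separate' networks, an overlapping subnet silently breaks routing."""
    ids = [vid for vid, _ in vlans.values()]
    nets = [net for _, net in vlans.values()]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate VLAN id in plan")
    if len(set(nets)) != len(nets):
        raise ValueError("duplicate subnet in plan")
    for vid in ids:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN id {vid} outside the 802.1Q range")
    return True


def ifname(name, vlans):
    """Interface name that carries the id, e.g. vlan120-iot."""
    return f"vlan{vlans[name][0]}-{name}"


def vlan_interface_cmds(parent, vlans):
    """One 802.1Q sub-interface per VLAN on the trunk port (no bridge involved)."""
    return [f"/interface vlan add name={ifname(n, vlans)} interface={parent} vlan-id={vid}"
            for n, (vid, _) in vlans.items()]


def addressing_cmds(vlans):
    """Gateway address, pool, DHCP server and network entry per VLAN."""
    cmds = []
    for n, (_, net) in vlans.items():
        iface = ifname(n, vlans)
        cmds += [
            f"/ip address add address={net}.1/24 interface={iface}",
            f"/ip pool add name=pool-{n} ranges={net}.100-{net}.199",
            f"/ip dhcp-server add name=dhcp-{n} interface={iface} address-pool=pool-{n} disabled=no",
            f"/ip dhcp-server network add address={net}.0/24 gateway={net}.1 dns-server={net}.1",
        ]
    return cmds


def firewall_cmds(vlans, allowed_new):
    """Put every VLAN interface in the LAN list, then: accept replies,
    accept the allowed pairs, drop all other new LAN-to-LAN connections.
    Order matters; the drop must come after the accepts."""
    cmds = [f"/interface list member add list=LAN interface={ifname(n, vlans)}"
            for n in vlans]
    cmds.append("/ip firewall filter add chain=forward action=accept "
                "connection-state=established,related")
    for src, dst in allowed_new:
        cmds.append(f"/ip firewall filter add chain=forward action=accept connection-state=new "
                    f"in-interface={ifname(src, vlans)} out-interface={ifname(dst, vlans)}")
    cmds.append('/ip firewall filter add chain=forward action=drop connection-state=new '
                'in-interface-list=LAN out-interface-list=LAN comment="no other inter-VLAN"')
    return cmds


def render(trunk_port, vlans, allowed_new):
    validate(vlans)
    return (vlan_interface_cmds(trunk_port, vlans)
            + addressing_cmds(vlans)
            + firewall_cmds(vlans, allowed_new))


if __name__ == "__main__":
    print("\n".join(render("ether6", VLANS, ALLOWED_NEW)))
```

The generated forward rules only restrict traffic between the VLANs; traffic towards the WAN port is not in the LAN list and is left to whatever forward rules the router already has, so on a device with an existing firewall the three generated filter rules need to be placed above any rule that would accept LAN traffic first.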