Implementing a VLAN solution

I successfully assembled this configuration using VLANs assigned to interface Ether1 on switch. The router is an RB750Gr3 and the RB260GS switch. The trunk on the router side is port 5.

I’m stumped on how to create a second trunk interface on port 4 of the router with the same VLANs that connects to a different switch.

Is this possible using VLANs on interfaces, or do I need to look at the VLANs using the bridge option?

In Webfig [Bridge -> VLANs] add ether4 as 'tagged' to the relevant vlan, exactly as ether5, and check under [Bridge -> Ports] that ether4 has the same settings as ether5.

I failed to explain myself well enough. My solution does not use a bridge. The VLANs are assigned to an interface, under VLAN in the Interface menu. I thought using the VLAN with bridge might be the solution.

Did you look where I suggested? That is the place where bridges and ports are attached to vlans. Despite being under the Bridge menu, this contains the settings for tagged and untagged interfaces on vlans. If it is not there, then, sorry, I don't know.

[admin@Farmstar] /interface/vlan> print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
#   NAME      MTU  ARP      VLAN-ID  INTERFACE
;;; VLAN
0 R vlan110  1500  enabled      110  ether5   
;;; VLAN
1 R vlan120  1500  enabled      120  ether5   
;;; VLAN
2 R vlan130  1500  enabled      130  ether5   
[admin@Farmstar] /interface/bridge/vlan> print

I confess my ignorance on the subject may be the cause for confusion. The print shows nothing for vlans in the bridge.

I blew away the configuration and invested in a bridge. I am back to the same connection above, except the VLAN trunk is now on a bridge.

I followed your suggestion and was able to extend the trunks to a second interface. That now lines me up to tackle the table you created. Thanks for the input.

I’ve tagged this entry as a final answer to conclude this post on Implementing a VLAN Solution. I have reached a milestone of discovery that I needed. The project is by no means complete. I will be taking what I have learned and begin to apply it. I suspect I will return as I begin to know more of what I don’t know and seek answers. Thank you to the people that provided input.

Before I leave I thought it only reasonable to share my outcome. My hope is that it helps someone else in their quest. I constructed a small development network using one router and two switches. I configured the network to support VLAN Bridging. I arrived at this point after discovering VLAN interfaces didn’t accomplish all that I needed.

I’ve included no theory and no reasoning for doing something; you have to discover that on your own. This dev network has most of the VLAN configuration challenges I believe I will face in my production network. I needed a sandbox to learn about VLANs.

The drawing is the dev_network showing the VLANs implemented. I’ve included an export of the router configuration.

# 2026-01-10 12:21:38 by RouterOS 7.20.6
# software id = JPC6-9H6F
#
# model = RB750Gr3
# 
/interface bridge
add auto-mac=no comment=bridge_mgmt name=bridge
add comment=bridge_LAN name=bridge_LAN
add comment=bridge_VLAN name=bridge_VLAN vlan-filtering=yes
/interface vlan
add comment=VLAN interface=bridge_VLAN name=vlan110 vlan-id=110
add comment=VLAN interface=bridge_VLAN name=vlan120 vlan-id=120
add comment=VLAN interface=bridge_VLAN name=vlan130 vlan-id=130
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.87.200-192.168.87.254
add name=dhcp_pool2 ranges=192.168.110.200-192.168.110.254
add name=dhcp_pool3 ranges=192.168.120.200-192.168.120.254
/ip dhcp-server
add address-pool=dhcp_pool1 comment=bridge_LAN interface=bridge_LAN name=\
    dhcp1
add address-pool=dhcp_pool2 comment=VLAN interface=vlan110 name=dhcp2
add address-pool=dhcp_pool3 comment=VLAN interface=vlan120 name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=bridge_mgmt interface=ether2
add bridge=bridge_LAN comment=bridge_LAN interface=ether3
add bridge=bridge_VLAN comment=bridge_VLAN interface=ether4
add bridge=bridge_VLAN comment=bridge_VLAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge_VLAN comment=VLAN tagged=ether5,ether4,bridge_VLAN \
    vlan-ids=110
add bridge=bridge_VLAN comment=VLAN tagged=ether5,ether4,bridge_VLAN \
    vlan-ids=120
add bridge=bridge_VLAN comment=VLAN tagged=ether5,ether4,bridge_VLAN \
    vlan-ids=130
/interface list member
add comment=bridge_mgmt interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=bridge_LAN interface=bridge_LAN list=LAN
/ip address
add address=192.168.88.1/24 comment=bridge_mgmt interface=bridge network=\
    192.168.88.0
add address=192.168.87.1/24 comment=bridge_LAN interface=bridge_LAN network=\
    192.168.87.0
add address=192.168.110.1/24 comment=VLAN interface=vlan110 network=\
    192.168.110.0
add address=192.168.120.1/24 comment=VLAN interface=vlan120 network=\
    192.168.120.0
add address=192.168.130.1/24 comment=VLAN interface=vlan130 network=\
    192.168.130.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.87.0/24 dns-server=192.168.87.1 gateway=192.168.87.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.110.0/24 dns-server=192.168.1.110 gateway=192.168.110.1
add address=192.168.120.0/24 dns-server=192.168.120.1 gateway=192.168.120.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set 
/system identity
set name=FarmStar
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I’ve included the image of the SwitchOS configuration screens used to establish the VLANs.

The router uses MikroTik default configuration (i.e. firewall rules) with a few of my tweaks. This is NOT a production ready configuration. It was created in a development environment as a learning tool for VLANs and NOT hardened for a production release.

Router Details for the VLAN’ing
Ether1 is running a DHCP client that connects to my home network.
• VLAN110 192.168.110.1/24 DHCP
• VLAN120 192.168.120.1/24 DHCP
• VLAN130 192.168.130.1 NO DHCP
• VLAN170 is not on the router. It was an exercise on how to carve out a VLAN between two switches that don’t involve the router.


Great! I think you have done most of the heavy lifting now. Just worth mentioning that Routers connect Layer 3 networks together and switches do the same for Layer 2 networks. Thus it is absolutely the expectation that vlans need not involve a router, since they do not require any Layer 3 functionality.

What is the purpose of the two bridges with names "bridge" and "bridge_LAN"?

The "normal" way to configure the RB750Gr3 with vlans where you want multiple ports as members of the same vlan would be to use a single vlan-aware bridge (similar to your bridge_VLAN interface).

If you do have a reason, please let me know, I might learn something new.

bridge was there from a default configuration with .88 and bridge_vlan I made to get off .88. Nothing to do with the vlan’ing.

As I see it, you have now three bridges on the RB750GR3:
bridge <- with ONLY ether2 in it
bridge_LAN <- with ONLY ether3 in it
bridge_VLAN <- with ether4 and ether5 in it

The usual recommendation is to have only one bridge on a device, though it is not strictly mandatory, i.e. you can have more than one bridge, IF needed.

BUT right now I am failing to see the need for that.

The "bridge" contains only one port, ether2, used for (emergency) management, this can be (should be?) a "direct" ether2 port.

The "bridge_LAN" contains only one port, ether3, the intended use of which is a mystery (to me). A bridge is usually used to connect (say) two riverbanks; if you have a bridge that connects one riverbank to nothing, it seems to me pretty much useless, and it can be removed to make use directly of ether3.

The "bridge_VLAN" is not classified as either LAN or WAN (it doesn't really have to, but it would be IMHO a good idea to assign it to a category, even if not used, to make configuration more readable/complete).

Maybe you could expand on the intended use of these additional bridges (besides the bridge_VLAN).

Just for the record (for potential readers with less ROS experience): bridges with a single port can be useful in certain cases (e.g. to provide bridge filtering capabilities to that single port, can help with migration of an L3 setup to another physical port without too much downtime by temporarily adding another port, etc.).
But yes, they do introduce a slight performance hit for traffic via that single port. And in the worst case they can cause ROS to select the wrong bridge for enabling HW offload (logically it should be the bridge with the most switch-connected ports).

Thanks for sharing your insight. My intent was not to discourage use of the VLAN Interface. I initially configured one trunk port using this method to discover I couldn’t add another trunk port.

I would like to swim in the pool where trade-offs like performance are discussed, but I am new to these waters. You have given me food for thought as I go forward.

I didn’t want .88 in my home network since the subnet is already used. My initial foray was to create the bridge_LAN with a different subnet assignment and move all interfaces to that new subnet. I’m reluctant to remove MikroTik default configurations because of lack of experience. I typically just disable them.

The exercise of moving all interfaces to the bridge_LAN left me unable to access the router. bridge_LAN was not included in the LAN interface list, so the FW denied access. Reset to start again.

I followed the same steps but this time disabled DHCP on .88 and assigned it to a single port (i.e. in case of emergency use this port.) My allotment shows bridge 1 port, bridge_VLAN 1 port and two ports to bridge_VLAN.

This is a development router I wanted to focus on VLANs.

You should check this:

Skip through the first post (the "normal" way) and go to the second post (using VLANs).

I continue to discover ways to lock myself out. My production router has an off-bridge interface that I have tested and hope never to use. My dev_lab router lockout was an augh-sh&^% configuration change that left me thinking, as I hit enter, that I might lock myself out with this change. Oh well, a quick reset got me back to square one.

I will look at the resource you recommend. I have a nagging question about PVID 1 and what, if anything, I should do to secure it? I have not used ID 1 in my schema. I recall a best practice note on that. Looking at different resources, there seems to be a bogeyman concern around this VLAN. I’d like to feel I’ve done it right before implementing in production.

Not a big deal for a Management vlan. It is a performance hit you wouldn't notice.

VLAN 1 is used by default by Mikrotik. This is NOT normally evident because, being a default, it is not normally shown in exports (you need to make an export "verbose" to see it and how it is used on interfaces and bridges). Fiddling with it (unless you really-really know where your towel is) is a perfect recipe to create "strange" behaviours (that can be extremely difficult to troubleshoot), hence the first two Rules of the Mikrotik Club:
The twelve Rules of Mikrotik Club

Read with particular attention the corollary to Rule #2, it is not that much a limitation to be free to play with only 4093 VLANs instead of 4094.

Remember how behind all myths and legends, including the one about the bogeyman there is at least a grain of truth.

It's better not to make fun of the bogeyman ...

On a network like yours you have reached the threshold for putting network hardware under lock and key.

Once you have done that, if you make every network socket on the estate go to an access port for a vlanid != 1, and you make all your trunks true trunks rather than hybrid, then PVID 1 only comes into play for people with physical access to the network cupboards.

And don't forget thingies like these (examples):
https://www.ampcom.com/products/rj45-port-lock

https://www.wasserman.eu/en/p/rj45-plug-lock-against-unauthorized-disconnection-yellow-alantec-alantec-815314?srsltid=AfmBOopFUhAessDXdBJfrKi-tSx-LmEIOwSOD0Nwqul3-JPyinRUJ6oDe44

https://www.padjack.com/padjack-versions

Just ensure in your bridge settings that you only allow tagged frames; that will keep rogue untagged VLAN 1 frames out of your hair.
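A small offline checker, added here as an example and not part of any post in this thread, that parses the kind of RouterOS export posted earlier (folding the `\` continuation lines) and reports, for each port of a vlan-filtering bridge, which VLAN IDs it carries tagged, its effective PVID, and whether it still admits untagged frames, which is the condition the tagged-only advice above addresses. The export excerpt inside it is constructed in the style of the posted one, and the `frame-types=admit-only-vlan-tagged` setting on ether5 is an assumption added for contrast.

```python
import re

# Constructed excerpt (not the poster's file); ether5's frame-types is an assumption.
EXPORT = r"""/interface bridge
add comment=bridge_VLAN name=bridge_VLAN vlan-filtering=yes
/interface bridge port
add bridge=bridge_VLAN comment=bridge_VLAN interface=ether4
add bridge=bridge_VLAN comment=bridge_VLAN interface=ether5 pvid=1 \
    frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge_VLAN comment=VLAN tagged=ether5,ether4,bridge_VLAN \
    vlan-ids=110
add bridge=bridge_VLAN comment=VLAN tagged=ether5,ether4,bridge_VLAN \
    vlan-ids=120
"""

def parse_export(text):
    """Map each '/section' header to its 'add' entries as key=value dicts."""
    joined = re.sub(r"\\\n\s*", "", text)      # fold '\' line continuations
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()                    # blank and '#' lines fall through
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            sections[current].append(dict(pairs))
    return sections

def trunk_report(text):
    """Per port of each vlan-filtering bridge: tagged VLAN IDs (single IDs,
    as in the export above), effective PVID (RouterOS default is 1) and
    whether untagged frames are still admitted, i.e. land in that PVID."""
    s = parse_export(text)
    filtering = {b["name"] for b in s.get("/interface bridge", [])
                 if b.get("vlan-filtering") == "yes"}
    tagged = {}
    for v in s.get("/interface bridge vlan", []):
        for port in v["tagged"].split(","):
            tagged.setdefault(port, set()).add(int(v["vlan-ids"]))
    report = {}
    for p in s.get("/interface bridge port", []):
        if p["bridge"] in filtering:
            report[p["interface"]] = {
                "tagged_vlans": sorted(tagged.get(p["interface"], ())),
                "pvid": int(p.get("pvid", "1")),
                "untagged_allowed": p.get("frame-types") != "admit-only-vlan-tagged",
            }
    return report
```

Run against the constructed excerpt, ether4 shows `untagged_allowed: True` with PVID 1 while ether5 does not; the same check applied to the real export flags both trunk ports, since neither carries a `frame-types` setting there.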