Information on VLan Setup

I’m looking for information on how to set up two VLANs that do the following:

  1. VLAN 1 functions on ether port 5 and can access the internet but cannot access resources on VLAN 2 or the main network
  2. VLAN 2 functions on ether port 4 and can access the internet but cannot access resources on VLAN 1 or the main network
  3. DHCP Server provides different pool addresses to Main network, VLAN 1 and VLAN 2
  4. When I plug a switch into port 5 on the back of the Routerboard, any computers connected receive a VLAN1 address and can only access the internet and other VLAN 1 resources.
  5. When I plug a switch into port 4 on the back of the Routerboard, any computers connected receive a VLAN2 address and can only access the internet and other VLAN 2 resources.
  6. Port 1 is WAN and Port 2 and 3 are Main network Ports.

I’ve searched through the forum but I can’t find anything that really applies to this setup, or I’m too much of a newbie to get it.

Thank you,
Ken

I’ll try to be of help. It’s more like a trial and error thing, but perhaps I can be of some help. This applies to routed VLANs, which are slower than switched VLANs.

  1. You need to create VLAN interfaces (I’d generally not use VLAN 1 as this holds special meaning). You can create the VLANs using Winbox and navigate to the interfaces menu (all the way at the top), and then to the VLAN tab. Name is not so important but be sure to get the VLAN ID correct and select the interface on which you want to create the VLAN.
  2. Then you can set up a DHCP server on each of the VLAN interfaces at the IP → DHCP Server menu. You can simply click on DHCP Setup from there. Normally, you want a separate subnet per VLAN (interface).
  3. You then need to pick a port as your WAN interface and configure it accordingly.
  4. You then need to add the proper routes (a default route for the internet and routes to your VLANs).

I also think you want to put the main network ports in a bridge together…

I hope this helps a bit :-). I’ve got something similar going here. Search for my posts and I’m sure you will find something useful.

Thank you for your reply. I took your steps and completed 1 and 2, but I wasn’t sure what you meant or how to proceed with 3 and 4. Also, why bridge the main network ports together? It seems strange to have all your network traffic go through Ether2-local-master regardless of what port you are connected to?

Cheers,
Ken

I don’t know how it is with your setup, but over here I need to get a lease from my provider for my WAN port. With this I mean that the Mikrotik router’s WAN-port will receive a public IP from my cable modem. In this scenario the router is actually a DHCP client (instead of server) because it will ask a public address from my provider’s DHCP server.

If you do not have a static public IP, you will have to set up a DHCP client on the port that will serve as the WAN interface (at the IP => DHCP Client menu). Be sure to tick the boxes to add a default route and to use peer DNS. At the IP => DNS menu you will have to click on Settings and allow remote requests.

Then, if you want your computers on an internal network range like 192.168.0.0/24, you will need to set up masquerading (also known as NAT).

That would conclude the config (basic config, that is) for step 3: setting up your WAN port.

I’ll check out your other questions soon but I’m trying to be careful not to mislead you.

I’ll put step 4 and the “why use a bridge” in this post.

I don’t think MikroTik routes between VLANs by default (and it looks like you don’t want this), so I think you only require a route to the internet. If you configure your WAN port correctly, this route will exist and you’re basically done. No need for step 4 (as you do not need any additional routes) in that case, sorry about that.

For the bridge:

If you want devices on “the main network ports” to communicate with each other, you’ll need to bridge the 2 ports. They’ll behave like a switch then. I think you are referring to putting them in a switch group, which is a different approach. A bridge will have lower throughput. So by default, 2 ports on MikroTik will not be able to reach each other, and a bridge is a way to “fix” this.

Each interface on a MikroTik is its own separate routed interface, unless the ports are bridged together or placed on the switch chip. This includes VLANs: when you add a VLAN to a MikroTik it treats it just like Linux treats a VLAN; as far as it’s concerned, it’s another routed interface that it can use.

For your setup, there’s no real reason to use a VLAN on ether5 and 4, since you only have one VLAN assigned to each, and to make them separate from ether2 and ether3. Just put a different subnet on ether5 and 4 with their own DHCP server, DHCP pool, and NAT rules, etc. In the firewall filter, place rules that will drop traffic with an in-interface of ether5 and an out-interface of ether4 on the forward chain and so on for the other ports that you want to drop between.

Since you want ether2 and ether3 to be the “main” network, you can either bridge these two interfaces together, or use the switch chip (set the master port of one of them to the other port). The switch chip will allow wire speed between those two interfaces and will never touch the CPU. A bridge uses the CPU and software, so it is much slower, but will give you more control, like the ability to block communication of hosts on ether2 from talking to hosts on ether3.
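The following is an added worked example, not config posted by anyone in this thread, that puts the WAN/DHCP-client/NAT steps from the earlier replies and the per-port-subnet plus forward-chain drop approach from the last reply into RouterOS CLI form. It assumes RouterOS v6 with the `master-port` switch-chip syntax the thread refers to (6.41 and later replace it with a hardware-offloaded bridge), the port roles from Ken's list (ether1 WAN, ether2/ether3 main, ether4 and ether5 the two isolated segments), and constructed private subnets (192.168.10/40/50.0/24) that you would swap for your own.

```routeros
# Added example, not from the thread. RouterOS v6 (pre-6.41) syntax assumed.
# Port roles: ether1 = WAN, ether2+ether3 = main, ether4 = segment A, ether5 = segment B
# Subnets 192.168.10/40/50.0/24 are constructed placeholders.

# WAN port as a DHCP client: gets the public lease, the default route and provider DNS
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no
/ip dns set allow-remote-requests=yes

# Main network: ether3 becomes a switch-chip slave of ether2 (wire speed, no CPU)
/interface ethernet set ether3 master-port=ether2

# One subnet per segment, each on its own routed interface; no VLAN tag needed
/ip address add address=192.168.10.1/24 interface=ether2 comment="main network"
/ip address add address=192.168.40.1/24 interface=ether4 comment="segment A (ether4)"
/ip address add address=192.168.50.1/24 interface=ether5 comment="segment B (ether5)"

# One pool and one DHCP server per segment so each port hands out a different range
/ip pool add name=pool-main ranges=192.168.10.10-192.168.10.254
/ip pool add name=pool-a    ranges=192.168.40.10-192.168.40.254
/ip pool add name=pool-b    ranges=192.168.50.10-192.168.50.254
/ip dhcp-server add name=dhcp-main interface=ether2 address-pool=pool-main disabled=no
/ip dhcp-server add name=dhcp-a    interface=ether4 address-pool=pool-a    disabled=no
/ip dhcp-server add name=dhcp-b    interface=ether5 address-pool=pool-b    disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dhcp-server network add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.40.1
/ip dhcp-server network add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1

# NAT: masquerade everything leaving the WAN port
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Forward chain: let return traffic through, then drop every path between the three
# segments in both directions. ether3 frames arrive with in-interface=ether2 because
# ether3 is its switch-chip slave. Traffic towards ether1 matches no drop rule, so
# each segment keeps internet access.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=ether4 out-interface=ether5 action=drop
/ip firewall filter add chain=forward in-interface=ether5 out-interface=ether4 action=drop
/ip firewall filter add chain=forward in-interface=ether4 out-interface=ether2 action=drop
/ip firewall filter add chain=forward in-interface=ether2 out-interface=ether4 action=drop
/ip firewall filter add chain=forward in-interface=ether5 out-interface=ether2 action=drop
/ip firewall filter add chain=forward in-interface=ether2 out-interface=ether5 action=drop
```

To check the result, `/ip dhcp-server lease print` should show a 192.168.40.x lease for a host plugged into (a switch on) ether4 and a 192.168.50.x lease on ether5, `/ip route print` should list the default route learned from the DHCP client, and a ping from a segment A host to 192.168.50.1 or to a main-network host should fail while the counters on the matching drop rule in `/ip firewall filter print stats` increase.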