Mikrotik VLAN Configuration / switch ports

Dear all,

I am still a bit confused by the Mikrotik VLAN implementation; maybe some kind soul could give me a hint here. My main router is an RB1100AHx4, and port eth1 is connected to my ISP, which delivers VoIP over VLAN 40. For whatever reason I can only get one IP address from their DHCP server in the VLAN, so I cannot route my VoIP client into the VLAN. Thus, I decided to map this VLAN to eth2, which my VoIP is connected to.

This does the job:

/interface vlan add interface=eth1 name=VLAN-VoIP vlan-id=40
/interface bridge add name=bridge-VLAN-Voip
/interface bridge port
add bridge=bridge-VLAN-Voip interface=eth2
add bridge=bridge-VLAN-Voip interface=VLAN-VoIP

I am wondering if this is the preferred solution.
I guess I could also assign the VLAN under /interface ethernet switch to eth2, then I would not need to set up a bridge, correct?

Thanks,
Joachim.

The configuration with a dedicated bridge for VLAN 40 is perfectly “legal”. Whether it is also preferred depends more on your personal preference.

However, the switch chip used in the RB1100AHx4 (RTL8367) doesn’t support VLAN handling, at least under control of RouterOS, so you cannot set it up for tagging and untagging VLAN 40 as it passes between ether1 and ether2.

You can also make the two Ethernet interfaces member ports of a common bridge with vlan-filtering set to yes and use /interface bridge vlan and /interface bridge port configuration subtrees to set up which VLAN will be tagged at which port as follows:

/interface bridge add name=br-wan vlan-filtering=yes protocol-mode=none
/interface bridge port
add bridge=br-wan interface=ether1
add bridge=br-wan interface=ether2 pvid=40
/interface bridge vlan
add bridge=br-wan vlan-ids=40 tagged=ether1

With the setup above, you have to move any IP configuration from ether1 to br-wan, and also substitute ether1 by br-wan in all IP firewall rules and on all /interface list member rows used by IP firewall rules.

So as you can see, for just two ports in a bridge and just two VLANs on ether1, your method with a dedicated bridge for VLAN 40 is simpler; with more VLANs and more ports on the bridge, the other one becomes simpler.

Both ways are implemented completely in software, so there is no significant difference in CPU load between them.
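
As an added illustration (not code from this thread or from RouterOS), the following simplified Python model of a VLAN-aware bridge is loaded with the br-wan settings from the reply above and shows where a frame may go and whether it leaves tagged. It assumes the default pvid=1 on ether1 and on the bridge interface and untagged membership derived from each port's pvid, and it models flooding only, without MAC learning or the ingress-filtering and frame-types port settings.

```python
# Simplified 802.1Q bridge model (flooding only), using the br-wan example values.

CPU = "br-wan"  # the bridge's own interface, where the router's IP config lives

# Per-port PVID. ether2 pvid=40 is from the thread; pvid=1 is the assumed default.
PVID = {"ether1": 1, "ether2": 40, CPU: 1}

# Explicit tagged membership, from "/interface bridge vlan add ... vlan-ids=40 tagged=ether1".
TAGGED = {40: {"ether1"}}


def untagged_members(vid):
    """Ports that send this VLAN untagged: every port whose PVID equals vid
    (assumed to mirror the dynamic untagged entries derived from pvid)."""
    return {port for port, pvid in PVID.items() if pvid == vid}


def forward(in_port, tag=None):
    """Return {egress_port: tag_on_wire} for a frame flooded from in_port.
    tag=None means the frame is untagged (on ingress or on egress)."""
    if in_port not in PVID:
        raise ValueError(f"unknown port {in_port!r}")
    vid = PVID[in_port] if tag is None else tag   # ingress classification
    out = {}
    for port in untagged_members(vid):
        out[port] = None                          # tag stripped on egress
    for port in TAGGED.get(vid, set()):
        out[port] = vid                           # leaves with the 802.1Q tag
    out.pop(in_port, None)                        # never reflected to the sender
    return out


if __name__ == "__main__":
    # Constructed sample frames, one per traffic type discussed in the thread.
    print("ISP VoIP, tagged 40 on ether1   ->", forward("ether1", 40))
    print("VoIP device, untagged on ether2 ->", forward("ether2"))
    print("ISP untagged traffic on ether1  ->", forward("ether1"))
    print("unconfigured VLAN 99 on ether1  ->", forward("ether1", 99))
```

The third case is the reason the IP configuration has to move: untagged traffic arriving on ether1 is delivered to br-wan and never to ether2, while ether2 only ever exchanges frames with VLAN 40.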

+1

Thanks a bunch, very useful explanation!

Oops, I was implicitly assuming it is supported since the winbox UI under switch shows this option… not exactly an intuitive UI :)