Please help me understand how VLAN assignment works

I have followed a tutorial to create a guest wifi network that is separated from the private network, using a VLAN. I’m not sure if I have done everything right, but this setup does work. I’m going to post the basic configuration below before I ask. My private network has two wireless radios and two wireless devices (lacinet_24 and lacinet_5).

; Add security profile
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=lacinet_sec_guest \
    supplicant-identity="" wpa2-pre-shared-key="******************"
; Add virtual wireless interfaces
/interface wireless
add disabled=no keepalive-frames=disabled master-interface=lacinet_5 \
    name=lacinet_guest_5 security-profile=lacinet_sec_guest ssid=lacinet_guest_5 \
    vlan-id=10 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled master-interface=lacinet_24 \
    name=lacinet_guest_24 security-profile=lacinet_sec_guest ssid=lacinet_guest_24 \
    vlan-id=10 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
; Connect vlan with wireless interface
/interface vlan
add interface=lacinet_guest_24 name=vlan10_guest24 vlan-id=10
add interface=lacinet_guest_5 name=vlan10_guest5 vlan-id=10
; Create bridge for guest
/interface bridge
add name=bridge_guest
/interface bridge port
add bridge=bridge_guest interface=vlan10_guest5 comment="guest"
add bridge=bridge_guest interface=vlan10_guest24 comment="guest"
add bridge=bridge_guest interface=lacinet_guest_24 comment="guest"
add bridge=bridge_guest interface=lacinet_guest_5 comment="guest"
; Add guest to LAN so it can pass firewall and access internet
/interface list member
add interface=bridge_guest list=LAN comment="guest"
; Create DHCP server for guest network
/ip address
add address=10.10.10.1/24 interface=bridge_guest network=10.10.10.0 comment="guest"
/ip pool
add name=dhcp_guest ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_guest disabled=no interface=bridge_guest name=dhcp_guest
/ip dhcp-server network
; do not use our local DNS here, hide local static DNS names
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1 comment="guest"
; Drop packets between guest and private networks (rules are moved to the right place )
/ip firewall filter
add action=drop chain=forward in-interface=bridge_guest out-interface=bridge \
    comment="Prevent access from guest vlan to private lan"
add action=drop chain=forward in-interface=bridge out-interface=bridge_guest \
    comment="Prevent access from private lan to guest vlan"

This setup works, and I think I understand most of it. But there is one part that I don’t understand about VLANs. There are three places where VLAN id needs to be used in this setup:

• When adding the virtual wireless interface ( /interface wireless ) I have used vlan-id=10 vlan-mode=use-tag
  
  
  
• When adding VLANs (/interface vlan add) a new vlan interface is created for each virtual wireless interface
  
  
  
• And finally, when adding ports to the bridge (/interface bridge port) the created vlan interfaces and the wireless virtual interfaces are added to the same bridge

I don’t understand why this has to be done at three different places.

1. When we create the wireless interface, then it is already assigned a vlan id.As far as I understand, this is used for tagging incoming packets (with vlan id=10) and prevent sending packets with vlan id other than 10. This (apparently) cannot be used to filter outgoing packets for multiple vlan ids. Despite the fact that VLAN is a Layer 2 method that allows multiple Virtual LANs on a single physical interface, I can only specify a single vlan id here.

2. I can see that it is possible to create a many-to-many connection between physical interfaces and vlan ids under /interface vlan add . As far as I understand, any packet that goes out through a VLAN interface, also gets tagged with the given vlan id.

3. And finally, I have added the vlan interfaces and the virtual wifi interfaces to a bridge.

I don’t see why I have to do all three.The VLAN interfaces already have a reference to the physical interface. Which interface will the bridge use to send out packets? Will it use the vlan interface (that has a single virtual wireless interface assigned)? Or will it use the virtual wireless interface directly? What is the difference between the vlan-id setting of the virtual wireless interface and the vlan-id setting of the vlan interface? Are they used differently? How?

Sorry for the many questions, I’m a beginner.

What you actually do is that you tag the wireless frame as it comes in from the air, then untag it again because the tagged end of each /inteface vlan is connected to one of the two /interface wireless, and you deliver it to the bridge-guest tagless because the tagless end of /inteface vlan is a member port of the bridge. This makes it possible to attach the IP configuration (local IP address, DHCP server) to the bridge. At the same time, the /interface wireless are also member ports of the bridge, but as no frames run directly between your 5 GHz and 2.4 GHz guests, there is no confusion which path they should take.

So you can remove everything vlan-related, including /interface vlan themselves, from that configuration, and it will still work - both the /interface wireless will remain member ports of bridge-guest and everything will run tagless on this dedicated bridge.

The idea with VLANs would make sense if you wanted to use a single common bridge for several VLANs. So in the current setup, you’d do the following:

• keep the configuration of the two /interface wireless as it is now, including keeping them as member ports of the bridge
• delete one of the /interface vlan, and membership of the tagless side of both /interface vlan in the bridge
• instead, set the interface of the remaining /interface vlan to bridge-guest, i.e. connect the tagged side of it to the bridge
• move all the IP configuration (IP address, DHCP server) from the bridge-guest to the surviving /interface vlan

.

This way, you could add another VLAN(s) to the same bridge, replicating the above for another vlan-id and another IP subnet.

I have removed vlan10_guest24 and vlan10_guest5, this also removed the vlan interfaces from bridge_guest. I have also changed vlan_mode=no_tag for both virtual interfaces.

The guest network is still working. So I do not need to use VLANs for making a guest network at all.

BTW I was following this article: https://www.marthur.com/networking/mikrotik-setup-guest-vlan-wifi/2582/ but it looks like the author was also not knowing what he was doing - he was also adding VLANs, but apparently that is not needed.

Thanks four your help! At least I can now confidently configure a guest network. (I still don’t know much about VLANs but it looks like I don’t need them.)

I’m beginning to grasp what you wrote. I was not aware of the two sides of vlan interfaces.