Private VLAN

Hi! First post on these forums :slight_smile:

It is my understanding that a PVLAN is a good option to achieve better security through isolation, but it seems I need some help with setting it up on my new RB4011 :slight_smile:

I have a TP Link T2600G that I already set up with a primary VLAN (ID and PVID 111) and a secondary community VLAN (ID and PVID 3540).
Primary VLAN is on trunk port 1/0/24 and connected to port ether5 on a RB4011.

DHCP servers are set up on the RB4011 - as soon as I switch from VLAN to Private VLAN the hosts connected to the switch can’t get an IP.

The info in the manual (https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table) is not really helpful as the PVLAN is set up on the switch without any mention of the router set up.
I tried following the info on VLAN tunnelling and Tag stacking but I didn’t get results.

What I’m trying to achieve is

  • a promiscuous port on ether5 and 1/0/24
  • DHCP server only on the RB4011

Any help or pointer or tuts on a similar setup are most appreciated :slight_smile:

Have you checked the gold standard: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Hi, yes, I did check that series of posts but haven’t found any reference to Private VLANs, tunnelling, tag stacking, etc.

I was able to set up a RoaS, and checking what pcunite wrote I have almost exactly the same setup for that but PVLAN takes it a step further nesting multiple secondary VLANs into a single primary VLAN.

I had to Google “Private VLAN” to see what you were talking about - never heard that term before.

The thread on VLAN setup likely does not mention “Private VLAN” because PVLAN really has nothing to do with VLANs. A so-called PVLAN is using switch port isolation in order to sort of give VLAN isolation when you can’t do real VLANs. If you have real VLAN capability, use it.

After thinking about it for a while, I did do that once while testing something, but had not heard of the PVLAN term.

Am I mistaken in assuming PVLAN is some sort of tag stacking?
I assumed 2 different sets of tags would be added, 0x8100 and 0x88a8 if I’m not mistaken.

I keep finding topologies as below in both Cisco and TP-Link materials:

Also, PVLANs are referenced in MikroTik manual (but still only as the switch config):
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Private_VLAN

If it helps this is an older Cisco document that goes a bit more in depth:
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/10601-90.html

If a PVLAN is a sort of port isolation on my TP-Link switch, and considering both the VLAN and PVID of primary and secondary VLANs are assigned to specific ports, how do I make the RB4011 understand it?

https://iparchitechs.com/2018/08/20/mikrotik-is-getting-serious-about-switching/

IIRC, only the CRS3xx switches support private vlan config.

The RB4011 switch chip is very limited.

Thanks everyone for the help!

RB4011 can’t PVLAN so I stuck with a few VLANs, switch port isolation, and router firewall rules, good enough for this setup :slight_smile:

I think you could emulate the functionality using bridging on top of VLAN, and a lot of bridge filter rules.
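The fallback the original poster settled on (plain VLANs, isolated secondary ports, and firewall rules on the router) and the bridge-filter idea from the last reply, written out as a RouterOS configuration. This is an added example, not configuration posted in the thread. The trunk port ether5 and the VLAN IDs 111 (primary) and 3540 (secondary) are taken from the thread; ether2/ether3 as local secondary ports, the IP ranges, and the DHCP pool are assumptions.

```routeros
# Added example (not from the thread). Assumed: ether2 and ether3 are local
# ports on the RB4011 that should behave like PVLAN "isolated" ports.

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# ether5 is the trunk to TP-Link port 1/0/24; it carries both VLANs tagged
add bridge=bridge1 interface=ether5
# hosts on ether2/ether3 land in VLAN 3540 untagged; the same horizon value
# stops the bridge from forwarding frames between them (software port isolation)
add bridge=bridge1 interface=ether2 pvid=3540 horizon=1
add bridge=bridge1 interface=ether3 pvid=3540 horizon=1

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=111
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether2,ether3 vlan-ids=3540

# Layer-3 interfaces so the router (and only the router) serves DHCP
/interface vlan
add interface=bridge1 name=vlan111 vlan-id=111
add interface=bridge1 name=vlan3540 vlan-id=3540

/ip address
add address=10.111.0.1/24 interface=vlan111
add address=10.40.0.1/24 interface=vlan3540

/ip pool
add name=pool111 ranges=10.111.0.10-10.111.0.200
add name=pool3540 ranges=10.40.0.10-10.40.0.200

/ip dhcp-server
add address-pool=pool111 interface=vlan111 name=dhcp111 disabled=no
add address-pool=pool3540 interface=vlan3540 name=dhcp3540 disabled=no

/ip dhcp-server network
add address=10.111.0.0/24 gateway=10.111.0.1 dns-server=10.111.0.1
add address=10.40.0.0/24 gateway=10.40.0.1 dns-server=10.40.0.1

# Router firewall: the secondary VLAN may reach the internet and the
# router's DHCP/DNS, but not the primary VLAN or any other router service
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop in-interface=vlan3540 out-interface=vlan111 \
    comment="secondary VLAN may not reach primary VLAN"
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan3540 protocol=udp dst-port=67,53
add chain=input action=drop in-interface=vlan3540 \
    comment="no other router services from the secondary VLAN"

# Optional alternative to horizon= (the "bridge filter rules" approach):
# drop layer-2 forwarding between the two local secondary ports explicitly
/interface bridge filter
add chain=forward action=drop in-interface=ether2 out-interface=ether3
add chain=forward action=drop in-interface=ether3 out-interface=ether2

# Enable VLAN filtering last, once the VLAN table is complete
/interface bridge
set bridge1 vlan-filtering=yes
```

Two points worth checking before relying on this: the horizon and bridge-filter settings only isolate ports on the RB4011's own bridge, so hosts behind the TP-Link stay isolated only by the switch's own port-isolation feature; and the `forward` drop rule plus the `input` drop rule are what actually enforce the "secondary cannot see primary" property, so verify them with a ping from a VLAN 3540 host to a VLAN 111 address after applying the configuration.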