Proposed Network Design

Attached is a thought design for my lab network. I have 8 MikroTik devices that I plan on setting up on VLANs if that is feasible. My question is: do I need to set up a BRIDGE and assign VLANs to that, or do I need to assign VLANs to each port?

Network Proposal.pdf (406.8 KB)

If your router needs only a tagged interface, a VLAN interface bound to a physical interface (or bond) is enough. If you want to configure the router (with ROS) like a switch (trunk port here, tagged there, untagged there...), you need a bridge.

But I don't understand your network design; I see only one device (not 8).

Each device with a bridge, and only the management/trusted VLAN needs to be identified, as all smart devices get an IP from this management VLAN. The bridge on the router is included for all tagged VLANs; on all switches only the management VLAN is tagged with the bridge.

I recommend taking one port of every MT device, making it an off-bridge port and doing the configuration from this port.

Each trunk port leading from the router to an MT device will have at least one VLAN, the management VLAN. Add any other VLANs that need to be distributed from the device.

So, to be perfectly clear, I need to set up a bridge on the CCR and configure the appropriate VLANs on each of the SFP+ ports, tagged on VLAN 200, and add all other ports to the bridge as untagged for each of the other SFP+ ports.

Here is the block drawing of my CCR2004. I was under the impression that the bridge needs a switch chip for proper operation. Is that correct? I am really confused.

I am working on a configuration of the CCR. I will post it for your review if you are willing to point me to the correct configuration.

Here is my first-time config.

myccr2004.rsc (3.8 KB)

Here, much easier to read:

# 2026-05-19 22:22:32 by RouterOS 7.22.3
# software id = 3VML-9N80
#
# model = CCR2004-1G-12S+2XS
# serial number = XXXXXXXX
/interface bridge
add comment="GTC Network" name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Management
set [ find default-name=sfp-sfpplus12 ] comment=WAN
/interface vlan
add interface=sfp-sfpplus1 name="Vlan 10" vlan-id=10
add interface=sfp-sfpplus2 name="vlan 20" vlan-id=20
add interface=sfp-sfpplus3 name="vlan 30" vlan-id=30
add interface=sfp-sfpplus4 name="vlan 40" vlan-id=40
add interface=sfp-sfpplus5 name="vlan 50" vlan-id=50
add interface=sfp-sfpplus6 name="vlan 60" vlan-id=60
add interface=sfp-sfpplus7 name="vlan 70" vlan-id=70
add interface=sfp-sfpplus8 name="vlan 80" vlan-id=80
add interface=sfp-sfpplus9 name="vlan 90" vlan-id=90
add interface=sfp-sfpplus10 name="vlan 100" vlan-id=100
add interface=sfp-sfpplus11 name="vlan 110" vlan-id=110
add comment="Management Vlan" interface=bridge name="vlan 200" \
    use-service-tag=yes vlan-id=200
/interface bridge port
add bridge=bridge interface="Vlan 10" pvid=10
add bridge=bridge interface="vlan 20" pvid=20
add bridge=bridge interface="vlan 30" pvid=30
add bridge=bridge interface="vlan 40" pvid=40
add bridge=bridge interface="vlan 50" pvid=50
add bridge=bridge interface="vlan 60" pvid=60
add bridge=bridge interface="vlan 70" pvid=70
add bridge=bridge interface="vlan 80" pvid=80
add bridge=bridge interface="vlan 90" pvid=90
add bridge=bridge interface="vlan 100" pvid=100
add bridge=bridge interface="vlan 110" pvid=110
/interface bridge vlan
# vlan 200 not a bridge port
add bridge=bridge tagged="vlan 200" vlan-ids=200
/ip address
add address=10.10.200.0/24 comment=Management interface="vlan 200" network=\
    10.10.200.0
add address=175.25.10.0/24 interface="Vlan 10" network=175.25.10.0
add address=175.25.20.0/24 interface="vlan 20" network=175.25.20.0
add address=175.25.30.0/24 interface="vlan 30" network=175.25.30.0
add address=175.25.40.0/24 interface="vlan 40" network=175.25.40.0
add address=175.25.50.0/24 interface="vlan 50" network=175.25.50.0
add address=175.25.60.0/24 interface="vlan 60" network=175.25.60.0
add address=175.25.70.0/24 interface="vlan 70" network=175.25.70.0
add address=175.25.80.0/24 interface="vlan 80" network=175.25.80.0
add address=175.25.90.0/24 interface="vlan 90" network=175.25.90.0
add address=175.25.100.0/24 interface="vlan 100" network=175.25.100.0
add address=175.25.110.0/24 interface="vlan 110" network=175.25.110.0
add address=10.10.200.0/24 interface=bridge network=10.10.200.0
/ip dhcp-client
add interface=sfp-sfpplus12 name=Wan
/ip dhcp-server
# No IP address on interface
add interface=sfp-sfpplus1 name=server1
# Interface not running
add interface=sfp-sfpplus2 name=server2
# Interface not running
add interface=sfp-sfpplus3 name=server3
# No IP address on interface
add interface=sfp-sfpplus4 name=server4
# Interface not running
add interface=sfp-sfpplus5 name=server5
# Interface not running
add interface=sfp-sfpplus6 name=server6
# Interface not running
add interface=sfp-sfpplus7 name=server7
# Interface not running
add interface=sfp-sfpplus8 name=server8
# Interface not running
add interface=sfp-sfpplus9 name=server9
# Interface not running
add interface=sfp-sfpplus10 name=server10
# Interface not running
add interface=sfp-sfpplus11 name=server11
add interface="vlan 200" name=server12
/ip firewall filter
add action=accept chain=input connection-state=established,related,new
add action=drop chain=input connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set pptp disabled=yes
/system clock
set time-zone-name=America/Indiana/Indianapolis
/system routerboard settings
set enter-setup-on=delete-key

Is there any particular reason you enabled this? I highly doubt you will use stacked VLANs in your home lab.

use-service-tag=yes vlan-id=200

Why is your management VLAN not on the same bridge as the rest of the VLANs?

I would add the management VLAN to the bridge. The only port used for off-bridge management is, well, off bridge...

/interface bridge vlan
# vlan 200 not a bridge port
add bridge=bridge tagged="vlan 200" vlan-ids=200

I hope your CCR is not connected to the internet... Use default rules for start.

/ip firewall filter
add action=accept chain=input connection-state=established,related,new
add action=drop chain=input connection-state=invalid

Your DHCP servers should run on VLAN interfaces instead of the physical ports:

/ip dhcp-server
# No IP address on interface
add interface=sfp-sfpplus1 name=server1
# Interface not running
add interface=sfp-sfpplus2 name=server2
# Interface not running
add interface=sfp-sfpplus3 name=server3
# No IP address on interface
add interface=sfp-sfpplus4 name=server4
# Interface not running
add interface=sfp-sfpplus5 name=server5
# Interface not running
add interface=sfp-sfpplus6 name=server6
# Interface not running
add interface=sfp-sfpplus7 name=server7
# Interface not running
add interface=sfp-sfpplus8 name=server8
# Interface not running
add interface=sfp-sfpplus9 name=server9
# Interface not running
add interface=sfp-sfpplus10 name=server10
# Interface not running
add interface=sfp-sfpplus11 name=server11

Remove this:

add address=10.10.200.0/24 interface=bridge network=10.10.200.0

You already assigned that to VLAN 200; also, you specified the subnet address as a host address. Instead of 10.10.200.0/24 you put 10.10.200.1, for example.

And repeat for all entries you made:

add address=175.25.10.0/24 interface="Vlan 10" network=175.25.10.0
add address=175.25.20.0/24 interface="vlan 20" network=175.25.20.0
add address=175.25.30.0/24 interface="vlan 30" network=175.25.30.0
add address=175.25.40.0/24 interface="vlan 40" network=175.25.40.0
add address=175.25.50.0/24 interface="vlan 50" network=175.25.50.0
add address=175.25.60.0/24 interface="vlan 60" network=175.25.60.0
add address=175.25.70.0/24 interface="vlan 70" network=175.25.70.0
add address=175.25.80.0/24 interface="vlan 80" network=175.25.80.0
add address=175.25.90.0/24 interface="vlan 90" network=175.25.90.0
add address=175.25.100.0/24 interface="vlan 100" network=175.25.100.0
add address=175.25.110.0/24 interface="vlan 110" network=175.25.110.0

You are also missing DHCP pools. Also, why change the default names of the interfaces? It's confusing to read...

Unfortunately, OP did not change the names of the interfaces, but they did something much worse: they created VLAN interfaces directly on each of the individual physical ports, then put those VLAN interfaces into a bridge as member ports of that bridge!

What you see are not SFP ports renamed to "vlan xx"; the "vlan xx" entries are VLAN interfaces.

@JazzMaster this is a big no-no and is one of the Layer 2 misconfiguration cases. If you already intend to use a bridge with Bridge VLAN Filtering, then do that properly by:

  • Adding the sfp-sfpplusX ports to the bridge under /interface bridge port (not the VLAN interface) with proper frame-types (depends on whether you want to use the port as access port / trunk port / hybrid port) and pvid if you want to use the port as access or hybrid port.

  • All the vlan xx interfaces under /interface vlan should have bridge as the parent interface, not sfp-sfpplusX.

  • Properly configure /interface bridge vlan with the needed information about the trunk ports to assign the ports to the tagged list of the VLANs.

Read the documentation with the examples: Bridging and Switching - RouterOS - MikroTik Documentation.
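What the three bullets above look like as a RouterOS export, as an added example and not the OP's or anyone's posted config: two ports are shown (sfp-sfpplus1 as a trunk carrying VLANs 10 and 200 to a downstream switch, sfp-sfpplus2 as an access port on VLAN 20), ether1 is kept off the bridge on an assumed 192.168.88.0/24 subnet, the VLAN interface names, .1 host addresses and DHCP range are assumptions, and the input/forward rules follow the shape of the RouterOS default firewall. Note the order: the bridge VLAN table is filled (with `bridge` itself in the tagged list) before `vlan-filtering` is switched on.

```routeros
# Added example (not the OP's config): bridge VLAN filtering done the way
# the reply describes. Only two ports shown; mgmt subnet and pool assumed.
/interface bridge
add name=bridge comment="GTC Network"
# physical ports are the bridge members, not VLAN interfaces
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes comment="trunk to switch 1 (vlan 10,200)"
add bridge=bridge interface=sfp-sfpplus2 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="access vlan 20"
# VLAN table: 'bridge' in the tagged list lets the router's own L3 VLAN
# interfaces see the traffic; without it the router locks itself out
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10,200
add bridge=bridge tagged=bridge untagged=sfp-sfpplus2 vlan-ids=20
# L3 VLAN interfaces hang off the bridge, not off sfp-sfpplusX
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan200 vlan-id=200 comment="Management"
# host addresses (.1), not the subnet address; ether1 stays OFF the bridge
/ip address
add address=175.25.10.1/24 interface=vlan10
add address=175.25.20.1/24 interface=vlan20
add address=10.10.200.1/24 interface=vlan200
add address=192.168.88.1/24 interface=ether1 comment="off-bridge mgmt (assumed)"
# DHCP: pool + server bound to the VLAN interface + network with gateway
/ip pool
add name=pool10 ranges=175.25.10.100-175.25.10.199
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10
/ip dhcp-server network
add address=175.25.10.0/24 gateway=175.25.10.1 dns-server=175.25.10.1
# interface lists drive the default-style firewall
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=sfp-sfpplus12
add list=LAN interface=vlan200
add list=LAN interface=ether1
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=drop in-interface-list=!LAN comment="drop all not from LAN"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop WAN-initiated"
# enable filtering LAST, once the VLAN table above is complete
/interface bridge
set bridge vlan-filtering=yes
```

Apply it from the off-bridge ether1 port (or Safe Mode) so a mistake in the VLAN table cannot lock you out; each further data VLAN is one more `/interface bridge vlan`, `/interface vlan`, `/ip address` and DHCP entry in the same pattern.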

I checked config again and yes, you are right... I missed that in the morning...

@JazzMaster change that before @anav wakes up...

If my memory serves me, didn't you play with VLANs already?

Don't rush it... Small steps, and please fix the firewall ASAP, especially if your device is connected to the internet...

Create one or two VLANs, test them, then scale up your network.

It's going to take me a while to review your comments and follow the information. Thank you so very much for reviewing my config.

It is not connected yet. I am getting ready to rid myself of the Netgear router I have now.

gigabyte, I am an AI, I don't go to sleep. (AI, as in artificial knowledge; I don't actually have a real clue!)

  1. You did not apply an off-bridge port to configure the router safely, and I would have set up a switch first to practice... but okay.

  2. You are confused on management port ether1. Why? Anybody who plugs their PC into this port has immediate access to the whole network, even by accident. Use it as an off-bridge port.

  3. Why would you make the management vlan the address on the bridge????

Once you go VLANs, best not to use the bridge for anything other than the glue that binds the VLANs etc. (aka no DHCP, no address, etc.). Kinda unsafe as well to put the management VLAN as a bridge address.
BESIDES, the address was in the wrong format anyway!! 10.10.200.0/24 ????
As are ALL the addresses!!

  1. Missing firewall rules etc...

  2. Quotes should be used for COMMENTS, not for names of things: (a) it's confusing and (b) very easy to make typo errors.

  3. VLANs are not bridge ports; VLANs go over the bridge ports.......!!!

  4. You are missing altogether /interface bridge vlan settings.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  1. Would love to help, but your original diagram was not all that helpful.........
    a. you didn't identify which ports were going to which device,
    b. you have no differentiation between devices: what are they all? Name them, etc.
    c. add comments to VLANs for purpose, aka guest wifi, cameras, media, office, etc.
  2. I rather doubt each device is only handling one VLAN, so ensure it's accurate and each device will have the management VLAN plus the data VLANs required.

In summary, you cannot config properly without a coherent PLAN, and knowledge of the traffic flow required. Please articulate that!!

After much thought I believe I will reset every piece of my MikroTik equipment with NETINSTALL and start from scratch. I plan to set up the simple MikroTik equipment based on a good network plan and go from that point to progress to the more complex operations on my equipment. Thank you ANAV for your pointers to my proper setup.

I will close out this thread until I get my network design documented.