Hello! I do a lot of homelab, and have been trying to set up what feels like an unusual config. I want to place my router on my second floor for better wifi coverage while still using it for all my routing.
My hope was that I could just connect my Comcast modem to my switch on a port set to vlan 2 and bring the connection to a vlan2 interface on the router, but I’ve been struggling to get it to work. (Vlan2 is in DHCP clients, but sits on ‘searching’ forever.) I’ve included a rough diagram, and any config I could find that looks relevant. Any insight on how to get this to work would be great.
Router config
# 2025-01-03 23:51:15 by RouterOS 7.16.1
# software id = 5WBA-F651
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 96890A8E7CC3
/interface bridge
add ingress-filtering=no name=Main port-cost-mode=short vlan-filtering=yes
add admin-mac=74:4D:28:50:0C:62 auto-mac=no comment=defconf name=bridge port-cost-mode=short protocol-mode=none
add name=bridge2 port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
set [ find default-name=ether4 ] disabled=yes
/interface vlan
add interface=Main name=vlan-5 vlan-id=5
add interface=Main name=vlan-10 vlan-id=10
add interface=Main name=vlan-20 vlan-id=20
add interface=Main name=vlan2 vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Allowed-Internet
add name=Allowed-Server
add name=Allowed-Smart
add name=Allowed-Home-Server
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (wlan1) is not slave
add action=drop chain=forward in-interface=wlan1
# in/out-bridge-port matcher not possible when interface (wlan1) is not slave
add action=drop chain=forward out-interface=wlan1
# no interface
add action=drop chain=forward in-interface=*10
# no interface
add action=drop chain=forward out-interface=*10
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=Main comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=Main comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10 pvid=5
add bridge=Main comment=defconf ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=Main comment=defconf ingress-filtering=no interface="Help I'm Trapped in a router" internal-path-cost=10 path-cost=10 pvid=5
add bridge=Main comment=defconf ingress-filtering=no interface=wlan2 internal-path-cost=10 path-cost=10 pvid=5
add bridge=Main ingress-filtering=no interface=vlan-10 internal-path-cost=10 path-cost=10
add bridge=Main ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=Main ingress-filtering=no interface=vlan-5 internal-path-cost=10 path-cost=10
add bridge=Main ingress-filtering=no interface=vlan2 internal-path-cost=10 path-cost=10 pvid=2
add bridge=Main ingress-filtering=no interface=wlan4 internal-path-cost=10 path-cost=10 pvid=20
add bridge=Main ingress-filtering=no interface=wlan3 internal-path-cost=10 path-cost=10 pvid=20
add bridge=Main disabled=yes ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10 pvid=10
/interface bridge vlan
add bridge=Main tagged=sfp-sfpplus1,Main vlan-ids=5
add bridge=Main tagged=Main,sfp-sfpplus1 vlan-ids=10
add bridge=Main tagged=Main,sfp-sfpplus1 vlan-ids=20
add bridge=Main tagged=sfp-sfpplus1,Main vlan-ids=2
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=Main list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan-20 list=Allowed-Internet
add interface=vlan2 list=WAN
add interface=vlan-5 list=LAN
/ip address
add address=192.168.5.1/24 comment=defconf interface=vlan-5 network=192.168.5.0
add address=192.168.10.1/24 interface=vlan-10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan-20 network=192.168.20.0
add address=192.168.50.1/24 interface="Home VPN" network=192.168.50.0
add address=192.168.100.1/24 interface="station wg" network=192.168.100.0
/ip dhcp-client
add default-route-distance=4 interface=ether1 use-peer-dns=no
add add-default-route=yes disabled=no interface=vlan2 use-peer-dns=no
add disabled=yes interface=sfp-sfpplus1
Switch config
[admin@MikroTik] > /interface/bridge export
# 1970-01-02 02:34:21 by RouterOS 7.13.5
# software id = 4BXG-0AXQ
#
# model = CRS310-8G+2S+
# serial number = HGA09P2A0Z3
/interface bridge
add admin-mac=D4:01:C3:6B:34:8D auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 pvid=2
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=5
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2 pvid=10
add bridge=bridge interface=vlan5
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=5
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=5,10,15,16,2
add bridge=bridge untagged=ether4,ether5,sfp-sfpplus2 vlan-ids=10
add bridge=bridge untagged=ether1 vlan-ids=2
/interface vlan
add interface=bridge name=vlan5 vlan-id=5
Switch is ok
On router change:
/interface vlan
add interface=sfp-sfpplus1 name=vlan2 vlan-id=2
and remove all vlan2 config from bridge
future: The router configuration should be changed to have one bridge
Mikrotik sometimes has trouble applying VLAN changes, I recommend restart…
Hello! Thank you for the config suggestions!
I went and applied them, and disabled my extra bridges (they were left over from when I was struggling to understand how to implement VLANs on MikroTik).
Sadly, even after rebooting my router and hooking it up as diagrammed, vlan2 is still unable to get an IP from my ISP modem. Would you have any other suggestions?
This is my current config after the suggested changes.
[admin@NicksdenRouter] /interface> export
# 2025-01-04 12:52:59 by RouterOS 7.16.1
# software id = 5WBA-F651
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 96890A8E7CC3
/interface bridge
add ingress-filtering=no name=Main port-cost-mode=short vlan-filtering=yes
add admin-mac=74:4D:28:50:0C:62 auto-mac=no comment=defconf disabled=yes name=bridge port-cost-mode=short protocol-mode=none
add disabled=yes name=bridge2 port-cost-mode=short
/interface ethernet
set [ find default-name=ether4 ] disabled=yes
/interface wireguard
add listen-port=19231 mtu=1420 name="station wg"
add listen-port=13231 mtu=1420 name="Home VPN"
/interface vlan
add interface=Main name=vlan-5 vlan-id=5
add interface=Main name=vlan-10 vlan-id=10
add interface=Main name=vlan-20 vlan-id=20
add interface=sfp-sfpplus1 name=vlan2 vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Allowed-Internet
add name=Allowed-Server
add name=Allowed-Smart
add name=Allowed-Home-Server
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (wlan1) is not slave
add action=drop chain=forward in-interface=wlan1
# in/out-bridge-port matcher not possible when interface (wlan1) is not slave
add action=drop chain=forward out-interface=wlan1
# no interface
add action=drop chain=forward in-interface=*10
# no interface
add action=drop chain=forward out-interface=*10
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=Main comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=Main comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10 pvid=5
add bridge=Main comment=defconf ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=Main comment=defconf ingress-filtering=no interface="Help I'm Trapped in a router" internal-path-cost=10 path-cost=10 \
pvid=5
add bridge=Main comment=defconf ingress-filtering=no interface=wlan2 internal-path-cost=10 path-cost=10 pvid=5
add bridge=Main ingress-filtering=no interface=vlan-10 internal-path-cost=10 path-cost=10
add bridge=Main ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=Main ingress-filtering=no interface=vlan-5 internal-path-cost=10 path-cost=10
add bridge=Main ingress-filtering=no interface=wlan4 internal-path-cost=10 path-cost=10 pvid=20
add bridge=Main ingress-filtering=no interface=wlan3 internal-path-cost=10 path-cost=10 pvid=20
add bridge=Main disabled=yes ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10 pvid=10
/interface bridge vlan
add bridge=Main tagged=sfp-sfpplus1,Main vlan-ids=5
add bridge=Main tagged=Main,sfp-sfpplus1 vlan-ids=10
add bridge=Main tagged=Main,sfp-sfpplus1 vlan-ids=20
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=Main list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan-20 list=Allowed-Internet
add interface=vlan2 list=WAN
add interface=vlan-5 list=LAN
[admin@NicksdenRouter] /ip/dhcp-client> export
# 2025-01-04 12:59:39 by RouterOS 7.16.1
# software id = 5WBA-F651
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 96890A8E7CC3
/ip dhcp-client
add default-route-distance=4 interface=ether1 use-peer-dns=no
add interface=vlan2 use-peer-dns=no
anav
January 4, 2025, 7:40pm
4
The switch should tag the traffic coming from comcast on a single vlan and carry it through to the trunk port to the router.
The router simply needs to terminate this vlan on the WAN settings be it DHCP server, or pppoe etc…
On the trunk port between them are also
a. the management or trusted subnet/vlan
b. all the data vlans the switch needs to feed other devices
I would use ether4 for an offbridge access to do all the configuring.
Why is sfpplus not on the bridge???
Why are you using bridge filters vice normal firewall rules…
If ether4 is disabled, why is it on the bridge??? In fact, bridge ports are all wrong: some duplication, some have no pvid but are not trunk ports…
Not full config shown on the router or the switch so not able to help further…
I guess, probably because of the VLAN filtering enabled on the bridge, you need to add:
/interface bridge vlan
add bridge=Main tagged=sfp-sfpplus1 vlan-ids=2
For testing, you can disable VLAN filtering.
jaclaz
January 5, 2025, 5:08pm
6
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (wlan1) is not slave
add action=drop chain=forward in-interface=wlan1
# in/out-bridge-port matcher not possible when interface (wlan1) is not slave
add action=drop chain=forward out-interface=wlan1
# no interface
add action=drop chain=forward in-interface=*10
# no interface
add action=drop chain=forward out-interface=*10
A line (rendered in red by the board parser) starting with a # is RoS telling you that there is an error in configuration and that the following line/command/setting won’t work.
An asterisk “*” followed by a (hex) number means that there was something there that made sense but that has now been deleted or renamed and cannot be found anymore.
You should fix these errors before anything else.
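The two markers described in the post above (a `#` warning line in front of a command, and a `*` plus hex number where an interface name used to be) can be found mechanically in a saved export. This is an added example, not part of any post in this thread; the function name and the sample text are constructed for illustration.

```python
import re

# Constructed sample: a fragment shaped like the bridge-filter export quoted above.
SAMPLE_EXPORT = """\
# 2025-01-03 23:51:15 by RouterOS 7.16.1
# model = RB4011iGS+5HacQ2HnD
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (wlan1) is not slave
add action=drop chain=forward in-interface=wlan1
# no interface
add action=drop chain=forward in-interface=*10
/interface list member
add interface=vlan2 list=WAN
"""

# A value of the form =*<hex> is a reference to an object that no longer exists.
ORPHAN_REF = re.compile(r"=\*([0-9A-Fa-f]+)(?=\s|$)")

def lint_export(text):
    """Return (line_no, section, problem, command) for each flagged command."""
    findings, section, pending = [], None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("/"):
            section, pending = line, []
        elif line.startswith("#"):
            # Comments before the first menu path are the export header, not warnings.
            if section is not None and line.lstrip("# "):
                pending.append(line.lstrip("# "))
        elif line:
            # A warning comment applies to the command that follows it.
            for warning in pending:
                findings.append((no, section, "warning: " + warning, line))
            for ref in ORPHAN_REF.findall(line):
                findings.append((no, section, "orphaned reference *" + ref, line))
            pending = []
    return findings

if __name__ == "__main__":
    for no, section, problem, command in lint_export(SAMPLE_EXPORT):
        print(f"line {no} [{section}] {problem}\n    {command}")
```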
anav
January 5, 2025, 6:11pm
7
This is basic vlan filtering…
Read the bible (has examples for both switch and router) → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
A decent video for switch → https://www.youtube.com/watch?v=YLtGQAQ8iS0
I will hold you responsible for reading and applying the above knowledge.
The only tricky part is the fact that the trunk port from the switch to the router carries both data vlans and the management/trusted vlan (normal) but also carries the internet vlan (traffic captured into a vlan to carry it through the trunk port to be terminated on the router).
Both devices get one bridge.
The switch only needs the management/trusted vlan defined.
This is the only vlan-id, on the switch, that includes bridge being tagged on /interface bridge vlan settings.
On the router one has
All vlans defined as being part of the bridge.
The internet vlan does not get any dhcp, pool etc…
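/interface bridge vlan
# replace the placeholders with the trunk port (to the switch) and the internet VLAN ID
add bridge=bridge tagged=bridge,<trunk-port-to-switch> vlan-ids=<internet-vlan-id>
/ip dhcp-client
add interface=<internet-vlan-interface-name>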
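The rule in the post above (on a VLAN-filtering bridge, every VLAN the router terminates, the internet VLAN included, needs both the bridge itself and the trunk port as tagged members) can be checked against a saved export. This is an added example, not part of any post in this thread; the function names, the `trunk` argument and the sample export are constructed for illustration, and `vlan-ids` ranges such as `10-20` are not expanded.

```python
import re

# Constructed sample (not a real export): VLAN 5 is complete, VLAN 10 lacks the
# bridge as a tagged member, and internet VLAN 2 has no bridge VLAN entry at all.
SAMPLE_EXPORT = """\
/interface bridge
add name=Main vlan-filtering=yes
/interface vlan
add interface=Main name=vlan-5 vlan-id=5
add interface=Main name=vlan-10 vlan-id=10
add interface=Main name=vlan2 vlan-id=2
/interface bridge vlan
add bridge=Main tagged=Main,sfp-sfpplus1 vlan-ids=5
add bridge=Main tagged=sfp-sfpplus1 vlan-ids=10
"""

def entries(text):
    """Yield (menu_path, {key: value}) for every 'add' line of an export."""
    path = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add "):
            yield path, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))

def check_vlan_termination(text, trunk):
    """Return (vlan_interface, vlan_id, missing_tagged_members) per problem."""
    filtering, tagged, vlan_ifaces = set(), {}, []
    for path, kv in entries(text):
        if path == "/interface bridge" and kv.get("vlan-filtering") == "yes":
            filtering.add(kv["name"])
        elif path == "/interface vlan":
            vlan_ifaces.append((kv["name"], kv["interface"], kv["vlan-id"]))
        elif path == "/interface bridge vlan":
            members = set(kv.get("tagged", "").split(","))
            for vid in kv["vlan-ids"].split(","):
                tagged.setdefault((kv["bridge"], vid), set()).update(members)
    problems = []
    for name, parent, vid in vlan_ifaces:
        if parent in filtering:  # only VLAN interfaces riding a filtering bridge
            missing = {parent, trunk} - tagged.get((parent, vid), set())
            if missing:
                problems.append((name, vid, sorted(missing)))
    return problems

if __name__ == "__main__":
    for name, vid, missing in check_vlan_termination(SAMPLE_EXPORT, "sfp-sfpplus1"):
        print(f"{name} (VLAN {vid}): not tagged on {', '.join(missing)}")
```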