Separating WiFi and LAN networks with VLANs between two Mikrotik RouterOS devices

Hi to all.
I need suggestions on how to configure two Mikrotiks with VLANs for maximum performance and minimal Mikrotik CPU usage, which should work with WiFi and local Mikrotik LAN ports, stretched between two Mikrotik RouterOS devices. I noticed that this can be done with different approaches, so I need to know what the proper way to do it is (what is preferred by Mikrotik).

Little intro:
I have been using Mikrotik for home purposes for more than 15 years, but mostly only WiFi, routing and firewalling on a simple single network. Professionally, I am a Cisco network and VoIP engineer in a big company, so I’m pretty familiar with advanced networking, VLANs, trunking, routing and so on.
However, Mikrotik’s approach to VLANs and trunking is a bit confusing for me, as there are VLAN/PVID/tag/untag and other related options all around different settings in Mikrotik. I am not sure why they are there, or what differs when something is enabled/disabled or changed, as nothing seems logical to me. The Mikrotik tutorials I have seen are all logical and understandable, but those tutorials regularly cover only a single use case, not a complete solution. So I need your help to better understand how to configure the system in the proper way. I hope that this will also be informative for other Mikrotik users who want to learn this.

So, let’s go to a problem:

I have two Mikrotik RouterOS devices (hAP ac² and RB951G-2HnD). Both should have three different SSIDs which sit in three different subnets. Those SSIDs and subnets should be the same on both Mikrotiks. So, SSID3 on Mikrotik1 should belong to VLAN3, and the same SSID3 should also exist on Mikrotik2, also in VLAN3. That should be the same L2/L3 network. Both Mikrotiks should be interconnected with a link on which there is native (untagged) VLAN1 and tagged VLAN2 and VLAN3. That is because that link is not a direct UTP cable, but goes over a “dump” switch. Everything that is connected to that “dump” switch should be in untagged VLAN1.
On both Mikrotiks, some ports should be configured as access ports in different VLANs: VLAN1, VLAN2 and/or VLAN3.
One port on Mikrotik1 belongs to the uplink, a separate network, and there is no need for any VLAN for it, as that network should not be propagated anywhere else. Mikrotik1 should also be responsible for routing, firewalling, DHCP and so on. Mikrotik2 is actually an L2 switch with WiFi, but it should be possible to configure it for the same purposes as Mikrotik1, in case of a Mikrotik1 outage. I’ve attached a picture for better understanding.

I have actually configured both Mikrotiks for such a setup, but half of that configuration was done by trial and error, as some things didn’t make sense to me and I still don’t know what they are actually doing. I will not post any of the configuration for now, as that could lead some of you in the wrong direction; first I want to know what the proper approach would be. Later, when someone posts a how-to, I will explain how I did it and we can discuss that.
As I said before, my concern is an optimal, best-performance configuration, not just “this is how it can work”. I can see some throughput issues in my configuration, so that is the real trigger for me to write and ask you for help.

Thanks in advance to everyone who will have any contribution to this discussion.
[attachment: diagram.JPG]

The commands will be different from IOS of course, but surely the concepts will be the same. They’re both implementing 802.1q, right?


> VLAN/PVID/tag/untag… Not sure why they are there

They exist because needs differ. Unless you hope to have someone write the configuration for you, you will have to learn what each of these options means and evaluate which options you need to get the effect you want.


> nothing seems logical to me

It might help to set up a few CHRs in your virtual machine environment of choice and try to configure them to do what you want. Some people like to add virtual network simulators like EVE to help with this, but for your purposes, attaching the VMs to the physical network should suffice.


> I have two Mikrotik RouterOS devices (hAP ac² and RB951G-2HnD)

Which is which on your diagram?

I ask because they’re not equivalent: the one on the left is the gateway router, so it will need to be configured to strip VLAN tags before transmission to the Internet, and to apply them on returning traffic so the replies get back to the proper VLAN. Presumably you’re using VLANs to isolate traffic, so you’ll also have firewalling rules that take the VLAN tag into account. A common use case here is an IOT network that can’t talk to other hosts on the LAN, only to the Internet.

The other RouterOS box is only going to be doing VLAN tagging on ingress, then port-based untagging on egress. It’s a much simpler configuration.


> goes over a “dump” switch

Is that a typo? Do you mean “dumb”, as in no VLAN awareness and no L3/routing capabilities?

If so, the biggest problem is that unless the stations connected to that switch are configured for host-side 802.1q tagged Ethernet, they’ll see no traffic from the wireless clients. Often there’s some “server” software on what you’re calling VLAN 1 which the WiFi boxes need to access: Plex, etc.

For purposes like this, the switch should have some minimal VLAN awareness. It doesn’t have to be a full RouterOS based smart switch, either. The MikroTik docs have a configuration for SwOS switches, for example, which you can translate to other typical L2 managed switches.


> Everything that is connected to that “dump” switch should be in untagged VLAN1.

This is why you want a VLAN-aware switch in the middle: so you don’t have to use VLAN 1.

The problem with VLAN 1 is that it’s the default, so some network equipment will do weird things with it like allow it uncontrolled access to the management interface. If you’re going to go to the trouble of setting up VLANs for isolation, you should do it all around and avoid VLAN 1.

So, you could have a configuration like VLAN 10 = management/admin; VLAN 20 = kids bedrooms, guest, and WiFi; and VLAN 30 = IOT devices. That gives you the ability to block VLANs 20 and 30 from messing with VLAN 10, whereas to use VLAN 1 means anyone that can generate untagged traffic is automatically on VLAN 1.

You can apply filters in RouterOS to say “no untagged traffic allowed,” but that’s a passive stance. You likely also want the ability to say, “the management VLAN gets these additional capabilities.”


> I will not post any of the configuration for now, as that could lead some of you in the wrong direction

The problem with that plan is that without the configuration, we don’t know what you’re getting confused by. Showing what you have so far and giving concrete information about what isn’t working is much easier to give advice on than a diagram and a wall of prose.

You say you’re a Cisco network engineer by profession. How does it make you feel when your end users hold back technical details? Give us the sort of problem report you’d like to receive.


> I can see some throughput issues in my configuration

A configuration you’ve refused to share, giving issues you’ve not quantified.

Seriously, put yourself in our shoes: how are we supposed to react to that? The only option is to provide a canned configuration and hope it works for you.

With that in mind, have you read this? You will want to have your switch chips’ features in mind while doing all of this, since to do otherwise is to push more traffic through those little boxes’ CPUs than you must.

This is another good reason to have a smart switch in the middle: so you can delegate VLAN filtering to a box with hardware VLAN offload.


> Mikrotik2 is actually an L2 switch with WiFi, but it should be possible to configure it for the same purposes as Mikrotik1, in case of a Mikrotik1 outage.

The best advice I have for you on that is to keep backups of your configurations via the RouterOS “/export” feature. That has a number of benefits, the one in this case being that it lets you take the configuration for one switch and apply it to another in an automated, repeatable manner.

I keep those backups in a version control system so I can roll back to old versions, create diffs between versions, and so forth.
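A concrete form of the /export advice above, as an added example written for this page and not the reply author’s own setup: a RouterOS script that exports the running configuration to a file named after the router identity and uploads it to a backup host over SFTP, where a git commit per upload gives the history and diffs the reply describes. The host name backup.example.net, the account rtrbackup, the password and the remote directory are placeholders, and the script assumes a RouterOS build whose /tool fetch supports mode=sftp together with upload=yes.

```routeros
# Added example, not configuration posted in this thread.
# Save this as a /system script named "export-config" (System > Scripts in
# WinBox, policy read,write,ftp,test) and schedule it with:
#   /system scheduler add name=nightly-export interval=1d start-time=03:00:00 on-event=export-config
# A manual run is:
#   /system script run export-config

# File name derived from the router identity, so both routers can push to the
# same directory without overwriting each other.
:local base ("config-" . [/system identity get name])

# /export writes <base>.rsc into the router's file store. The export contains
# wireless keys and other secrets, so the repository receiving it must be private.
/export file=$base

# Push the file to the backup host. The credentials live on the router, so use
# a dedicated account on that host that can only write into routeros/.
# backup.example.net, rtrbackup and CHANGEME are placeholders.
/tool fetch upload=yes mode=sftp address=backup.example.net port=22 \
    user=rtrbackup password="CHANGEME" \
    src-path=($base . ".rsc") dst-path=("routeros/" . $base . ".rsc")

/log info ("configuration exported and uploaded: " . $base . ".rsc")
```

On the backup host a cron job that runs `git add routeros/ && git commit -m "nightly export"` turns the uploads into the version history; because the file name is stable per router, each commit’s diff is exactly what changed on that router since the previous night. Before relying on it, run the script once by hand and confirm with `/log print` that the upload succeeded, since a failed fetch leaves the previous copy in place silently.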

Yes, underneath the protocols are defined by standards, so they are actually doing the same thing, but as I said, the configuration is very strange to me.
From a Cisco perspective, you need to define a VLAN ID, and then on ports you can associate one or more VLAN IDs and choose which of them is untagged on that port.
From a Mikrotik perspective, you have to define a new VLAN name in the interfaces menu, but then I have to choose on which interface that VLAN is assigned and which ID it has. I cannot assign the same VLAN to another Ethernet port. If I have the same VLAN ID on another interface, I need to create another VLAN interface with the same VLAN ID and associate it with the other port. And now, where do I assign an IP for that VLAN ID? Two different VLANs with the same VLAN ID. Sorry, but that is weird.

On top of that, there is the Switch menu for the internal Mikrotik switch, where the behaviour of a physical port can also be defined. So, if I want some port to be an access port in some particular VLAN, I have at least 2 options for how to do it, maybe even more (via the switch configuration, or a bridge with some VLAN).


I know what that means; I am saying that I don’t know why those options are where they are. An example is VLAN mode and VLAN ID on master and virtual WiFi interfaces. Whatever I put there has no influence on my setup. I have a bridge with that WiFi interface and VLAN, so clients that are connected to that SSID are always in the VLAN that I need. That is the point of why I’m asking why those options are there if they make no difference.
From my logical perspective, VLAN ID should be the VLAN to which the wireless interface is bound, like an access port. If you need RADIUS authentication so clients can be switched to different VLANs, then VLAN mode should be “use tag” and VLAN ID should be the multiple VLANs that are allowed to exist on the WiFi interface. I don’t know if this is the case here, as per the documentation it is not clear:
https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#VLAN_tagging
And it seems that if the WiFi interface is in a bridge with some other interface or VLAN, those settings are completely ignored.


I have multiple Mikrotiks at home, so I actually don’t need to do it in a VM, but it is a good hint for not messing with wires, thanks!


The left one is the RB951G.
Access to the internet (ISP modem) is done by a P2P link with a separate subnet. It is not a VLAN at all. The port on the Mikrotik is associated with a bridge and the IP address is associated with that bridge. As no other interface exists on that bridge, that bridge is actually unnecessary, but I put it there in case I need to temporarily put some other Mikrotik port in that network (for troubleshooting purposes or so).
I have a firewall, but it does not take any VLAN tags into account; only IP addresses or interface lists. My IoT devices are actually not IoT devices; they don’t have access to the internet. I have on-prem automation software and I have access to it from the internet (but via an IPsec VPN, so it is not simply published to the internet).


Yes, it is “dumb” not “dump” :)
Actually, this switch is not important at all. It exists, but the PC that I drew does not, and it is not necessary. The switch is there for some other purposes not relevant to this, so let’s not bother with it.
Also, VLAN1 is mentioned as it is actually by default the native or untagged VLAN on most devices. I think that this is also something that is not important here.


The reason for it is what I said in the initial post. There are more ways to accomplish this, and I would like to know the proper way for maximum performance.

One simple way that works OK is:

  • create three bridges
  • associate IP addresses with each bridge (those would be the gateways for the VLANs)
  • create two VLANs with some VLAN IDs on both routers and associate those VLANs with the port which goes to the other router
  • associate those two VLANs with two bridges, and associate the virtual wlans with them also
  • on the third (aka native VLAN) bridge associate the physical ports between the routers and the main wlan interface
  • for other access ports, associate them with the respective bridge, depending on which network they need to be in.

The other is actually using the switch and all those VLAN ID with tag/untag and other options that are not clearly documented, so actually I don’t know how to do that.

My current setup is a mix of these two approaches. I’m asking someone to point me in the right direction.

And that is another thing that confuses me, as it is clear that the same thing can be done with different approaches, so I’m not sure what the right way is. If something works, it does not mean that it is configured well.


I completely understand you, but this is not a situation where I need help with some specific issue. I need to see the correct approach for how to do something on Mikrotik.

Let me say it this way:
If you have 4 PCs, and 2 PCs have to communicate with each other but not with the other two, you can do different things.
You can simply put 2 PCs in one network, let’s say 192.168.0.0/28, and the other two in 172.16.0.0/28, and put them on the same “dumb” switch. They cannot communicate with each other and mission accomplished.
BUT… is that actually true? Of course not… they are on the same L2, so if you need security and really want to separate this by using VLANs, then this is the way it should be done.


Yes I have; because of that I started to use the switch feature, but it is not clear to me how to accomplish this with WiFi interfaces.


Yes, that is one approach, but that means that the configuration of ports and everything else should be identical and the devices should be identical. I have in mind some other HA automated alternatives, where the secondary Mikrotik becomes the primary gateway and starts routing traffic, so my mind was on some automatic firewall rule sync and virtual active IPs (like HSRP on Cisco). Probably this can be accomplished manually by creating scripts, netwatch and similar techniques, but it would be great if this already exists. I still haven’t searched for this; first I would like to make a proper working configuration.

Thanks!
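The following is an added example written for this page, not configuration posted by either participant. It gives a concrete form to two things discussed in the thread: the reply’s recommendation of VLAN 10 = management, VLAN 20 = WiFi/guest, VLAN 30 = IoT with no untagged traffic on the trunk, firewall rules that treat the management VLAN differently and the switch chip kept in mind; and the second of the two approaches listed in the last post, a single bridge with VLAN filtering instead of three separate bridges. It is written for Mikrotik1, the gateway, on RouterOS 6.41 or later (where bridge VLAN filtering exists). Port roles, interface names, addresses and the number of SSIDs are assumptions; adapt them to the real hardware.

```routeros
# Added example, not configuration from this thread. Assumed roles:
#   ether1 = uplink to the ISP (left out of the bridge entirely)
#   ether5 = trunk to Mikrotik2 (tagged 10/20/30, no untagged VLAN at all)
#   ether2 = access port in VLAN 10, ether3 = access port in VLAN 30
#   wlan1  = SSID in VLAN 20, wlan2 = virtual AP in VLAN 30
# Work inside Safe Mode (Ctrl-X in the terminal) so a mistake reverts instead
# of locking you out.

/interface bridge
add name=bridge1 vlan-filtering=no

# Bridge ports. pvid is the VLAN an untagged ingress frame is placed into.
# frame-types on access and wlan ports drops any tagged frame a client sends;
# on the trunk it drops untagged frames, which is the "no untagged traffic
# allowed" filter the reply mentions. ingress-filtering drops tagged frames for
# VLANs the port is not a member of.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=wlan1 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=wlan2 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# VLAN table. "bridge1" in the tagged list is what lets the router itself (its
# /interface vlan entries below) reach that VLAN. Omitting it for the
# management VLAN and then enabling vlan-filtering cuts off your own session.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether5 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether5 untagged=wlan1
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether5 untagged=ether3,wlan2

# One L3 interface per VLAN, all attached to the bridge rather than to a
# physical port, so each VLAN ID exists once and has exactly one gateway
# address. (Addresses are assumptions.)
/interface vlan
add name=vlan10-mgmt interface=bridge1 vlan-id=10
add name=vlan20-wifi interface=bridge1 vlan-id=20
add name=vlan30-iot interface=bridge1 vlan-id=30
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-wifi
add address=192.168.30.1/24 interface=vlan30-iot

# Interface lists let the firewall say "VLAN 20 and 30 may not reach VLAN 10"
# once, instead of one rule per interface.
/interface list
add name=MGMT
add name=UNTRUSTED
/interface list member
add list=MGMT interface=vlan10-mgmt
add list=UNTRUSTED interface=vlan20-wifi
add list=UNTRUSTED interface=vlan30-iot

/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop in-interface-list=UNTRUSTED out-interface-list=MGMT comment="VLAN 20/30 may not reach VLAN 10"
add chain=forward action=drop in-interface=vlan30-iot out-interface=vlan20-wifi comment="IoT may not reach WiFi clients"
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=MGMT comment="router management only from VLAN 10"
add chain=input action=accept in-interface-list=UNTRUSTED protocol=udp dst-port=53,67 comment="DHCP and DNS from the router are still allowed"
add chain=input action=drop in-interface-list=UNTRUSTED

# Enable filtering last, after every VLAN and the bridge itself are in the table.
/interface bridge set bridge1 vlan-filtering=yes
```

Mikrotik2, the box the reply describes as only tagging on ingress and untagging on egress, takes the same bridge, bridge port and bridge vlan sections (with its own port roles) plus a single address on a vlan10 interface for management, and none of the other L3 or firewall parts. Two checks are worth doing on both devices before declaring the setup finished. First, `/interface bridge port print` shows an H flag on each port the switch chip is forwarding for; if that flag disappears on the Ethernet ports after `vlan-filtering=yes`, the CPU is doing the VLAN work and the throughput problem the reply warns about is real for that model and RouterOS version. Wireless interfaces never carry the flag, since they are not switch chip ports, so WiFi traffic always passes through the CPU regardless. Second, from a client on VLAN 20 confirm that 192.168.10.1 does not answer on the management services and that a DHCP lease is still obtained, which exercises both the drop rule and the DHCP/DNS exception above.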