Setting up VLAN for a specific port

ProfessionalN00b · May 30, 2025, 7:09am

Hello

First, this is my home setup. I have exported the switch’s default-ish configuration and can reset it at any time.

I know very little of advanced networking, so I’m probably going to use incorrect wording and may not explain myself correctly.

I have currently a Unifi gateway, where I have configured a list of VLANs and a Mikrotik CRS312-4C+8XG switch, downstream from the gateway.
I started with the VLAN business pretty much in the beginning of current month. And between the gateway and devices connected directly to it, everything seems to work, except the switch.

Now, I tried to follow a couple of YouTube videos on how to configure a VLAN to a specific port, but I couldn’t get any of it working. Either the examples were localized to Mikrotik and there were steps missing when the VLANs are coming from somewhere else or I didn’t understand how to do it. Or both.

An example scenario would be like so:

I have a gateway with a VLAN of 24
Gateway connects to port 8 of the switch
A TV is connected to port 3 in the switch
The TV should be in the VLAN 24.

Basically I’m trying to isolate the TV from the rest of the network.

Is the gateway even relevant in this picture? If I configure multiple brand devices to use a specific VLAN ID, should it all just work?
If I configure the same VLAN in the switch that I have in the gateway, do I have to worry about RSTP?

erlinden · May 30, 2025, 8:08am

Your best starting point with VLAN on MikroTik (also known as the Bible):
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

You are probably looking for the term “access port”.

anav · May 30, 2025, 12:12pm

Also post your complete config
/export file=anynameyouwish ( minus device serial numbers, any public WANIP information, keys )

ProfessionalN00b · June 1, 2025, 3:18pm

# 2025-06-01 18:14:11 by RouterOS 7.19.1
# software id = 619I-3SLA
#
# model = CRS312-4C+8XG
# serial number = 
/interface bridge
add admin-mac=macaddress auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=Gateway
set [ find default-name=ether2 ] comment=Telekas
set [ find default-name=ether6 ] comment=Lauakas
set [ find default-name=ether7 ] comment="Suur Synology"
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=combo1
add bridge=bridge comment=defconf interface=combo2
add bridge=bridge comment=defconf interface=combo3
add bridge=bridge comment=defconf interface=combo4
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
/ip address
add address=10.0.1.2/26 interface=ether1 network=10.0.1.0
/ip dns
set servers=10.0.1.1
/ip firewall address-list
add address=10.0.1.0/26 list=Clients
add address=10.0.2.0/26 list=Servers
add address=10.0.254.0/29 list="Internet of Crap"
add address=10.0.1.10/31 list="Trusted Hosts"
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add check-gateway=ping disabled=no dst-address=10.0.1.0/26 gateway=10.0.1.1 \
    routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=10.0.1.1 \
    routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Tallinn
/system swos
set address-acquisition-mode=static static-ip-address=10.0.1.2

anav · June 1, 2025, 4:06pm

Once you go vlans on any MT device its often better to go all vlans with bridge as interface.
The switch gets an IP address from the management or trusted vlan
Only the trusted vlan gets tagged to the bridge in /interface bridge vlan settings.
The defacto ref for vlans in general is http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Also to work on vlans as it can get sticky when applying vlans or trying to change from default to your stetup, its best to do so from a safe spot. Saves much grief!
So use an off bridge port for the configuration and also as an emerg access port on the switch at any time…
Lets use port the already designated management port since its only 10/100 anyway. I think, just guessing they call this ether9 ??

Associated config entries ( remove ETHER9 from the bridge in /interface bridge port settings) :
/interface ethernet
set [ find default-name=ether9] name=OffBridge9
/ip address
add address=192.168.77.1**/30** interface=OffBridge9 network=192.168.77.0 comment=“Offbridge and Emerg access”
/interface list member
add interface=mgmt-vlan list=MGMT
add interface=OffBridge9 list=MGMT

Note: to access the router simply configure your PC/laptop with IPV4 settings of 192.168.77**.2** and via username and password you should have access.

+++++++++++++++++++++++++++
As for the config, if you dont have a management or trusted vlan you should and thats were the switch gets its IP address from.
Remember this device is acting as a switch and not a router!
It would appear your trunk port to the upstream router is ether8.
Need to assume your management vlan as 10.20.99.0/24 and and IP assigned to switch is 10.20.99.2
Assume you have home or trusted vlan 10.0.1.0/24 lets call this vlan10
Assume you have a server vlan 10.0.2.0/24 lets call this vlan20
Assume you have an Media vlan 192.168.24.0/24 lets call this vlan24

Example config, but will be understandable after reading the reference.
Also, it is not clear what vlans or subnets exist on main router etc and how you are getting those subnet to the switch assuming a TRUNK Port with all vlans tagged?
If its UNIFI etc, it may very well be that the management vlan is coming untagged and the rest of the subnets as tagged vlans on a HYBRID port to the switch…
If so will make amendments.

model = CRS312-4C+8XG

serial number =

/interface bridge
add admin-mac=macaddress auto-mac=no comment=defconf name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged { add both at very end }
/interface ethernet
set [ find default-name=ether9] name=OffBridge9
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=99
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether1 pvid=10 comment=“to user 1”
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=20 comment=“to Server A”
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether3 pvid=24 comment=“to dumb TV”
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether4 pvid=99 comment=“to admin”
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5 comment=“trunk port to smart device (another switch or ap)”
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8 comment=“trunk port to router”
/ip neighbors-discovery
set neighbors-discovery-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=ether8,ether5 untagged=ether1 vlan-id=10 { assuming vlan10 goes to switch/ap on ether5 }
add bridge=bridge tagged=ether8,ether5 untagged=ether2 vlan-id=20 { assuming vlan20 goes to switch/ap on ether5 }
add bridge=bridge tagged=ether8 untagged=ether3 vlan-id=24
add bridge=bridge tagged=bridge,ether8 untagged=ether4 vlan-id=99
/interface list members
add interface=vlan-mgmt list=MGMT
add interface=OffBridge9 list=MGMT
/ip address
add address=10.20.99.2/24 interface=ether8 network=10.20.99.0
/ip dns
set servers=10.20.99.1
/ip route
add dst-address=0.0.0.0/0 gateway=10.20.99.1 routing-table=main
/system clock
set time-zone-name=Europe/Tallinn
/ntp client
enabled=yes server=10.20.99.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

ProfessionalN00b · June 7, 2025, 10:28pm

All my current attempts following this guide have ended up with me getting locked up each time. I tried to follow some YouTube videos, and in these cases, I didn’t get locked out, but as soon as I enabled VLAN filtering, I no longer had access to VLAN 2.

What I want to achieve is this:
Networks (for the sake of this exercise, all the networks share the 192.168.0.0/16 subnet):

Client machines - no VLAN/default network - 192.168.1.0/26
Servers - VLAN 2 - 192.168.2.0/26
Untrusted IoT crap - VLAN 254 - 192.168.254.0/29

Requirements:

Clients will have access to VLAN 2. Firewall on the Unifi gateway will see to it that only trusted hosts can actually access the servers.
VLAN 254 will be able to access VLAN 2 (TV access to DLNA service on the NAS. NAS and Unifi firewalls will restrict access only to the TV.)

With the default config on the switch, I can access all the VLANs.

My current state:
After applying VLAN filtering on the bridge, TCP/ICMP against VLAN 2 will be unsuccessful from the 192.168.1.0/26 subnet, including the switch.

# 2025-06-08 01:14:58 by RouterOS 7.19.1
# software id = 619I-3SLA
#
# model = CRS312-4C+8XG
# serial number = 
/interface bridge
add admin-mac=MA:CA:DD:RE:SS auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether9 ] name=Management
set [ find default-name=combo1 ] disabled=yes
set [ find default-name=combo2 ] disabled=yes
set [ find default-name=combo3 ] disabled=yes
set [ find default-name=combo4 ] disabled=yes
set [ find default-name=ether1 ] comment=Gateway
set [ find default-name=ether2 ] comment=Telekas
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] comment=Lauakas
set [ find default-name=ether7 ] comment="Suur Synology"
/interface vlan
add interface=bridge name="Internet of Crap" vlan-id=254
add interface=bridge name=Servers vlan-id=2
/interface list
add name="Management List"
add name=LAN
add name=Incoming
/port
set 0 name=serial0
/user group
add name=custom policy="local,telnet,ssh,reboot,read,write,policy,test,winbox,\
    password,sniff,sensitive,!ftp,!web,!api,!romon,!rest-api"
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=combo1
add bridge=bridge comment=defconf interface=combo2
add bridge=bridge comment=defconf interface=combo3
add bridge=bridge comment=defconf interface=combo4
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=254
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 pvid=254
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether2,ether8 vlan-ids=254
add bridge=bridge tagged=ether1,bridge untagged=ether7 vlan-ids=2
/interface list member
add interface=Management list="Management List"
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether1 list=Incoming
/ip address
add address=192.168.88.1/24 comment=defconf interface=Management network=\
    192.168.88.0
add address=192.168.1.2/26 interface=bridge network=192.168.1.0
add address=192.168.254.6/29 interface="Internet of Crap" network=192.168.254.0
add address=192.168.2.63/26 interface=Servers network=192.168.2.0
/ip dns
set servers=192.168.2.2,192.168.2.3
/ip firewall address-list
add address=192.168.1.0/26 list=Clients
add address=192.168.2.0/26 list=Servers
add address=192.168.254.0/29 list="Internet of Crap"
add address=192.168.1.10/31 list="Trusted Hosts"
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Tallinn
/system identity
set name=Svits
/system swos
set address-acquisition-mode=static static-ip-address=192.168.1.2
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list="Management List"
/tool mac-server mac-winbox
set allowed-interface-list="Management List"
/user settings
set minimum-password-length=20

Visual guide:
All the VLANs come from the Unifi gateway to the first port. In the future, I want to limit the VLANs only to 2 and 254, or the ones that are actually used on the switch.
NAS’s main VLAN is 2, but for DLNA to work, I added another port to VLAN 254, where the TV is.

loloski · June 7, 2025, 10:57pm

Remove one of the ports from the bridge e.g ether5 and use that as your management port and connect to the device via MAC with winbox in this way you’re not going to lock yourself if you have a wrong configuration that’s a start.

I don’t read your configuration but I will create you a basic configuration and work from there and start to wrap your head around it and make an incremental steps to learn it
this configuration applies for CRS3xx switch chip not for MT smaller device

/interface bridge add name=LAN
/interface bridge port
add bridge=LAN interface=ether1 pvid=10 # VLAN 10 Access Port
add bridge=LAN interface=ether2 pvid=10 # VLAN 10 Access Port
add bridge=LAN interface=ether3 pvid=20 # VLAN 20 Access Port
add bridge=LAN interface=ether4 pvid=20 # VLAN 20 Access Port

/interface bridge vlan # This being handle dynamically as soon as you set a pvid on the port but it's no harm on doing this manually
add bridge=LAN tagged=LAN untagged=ether1,ether2 vlan-ids=10
add bridge=LAN tagged=LAN untagged=ether3,ether4 vlan-ids=20 

/interface/bridge/set vlan-filtering=yes 0

/interface vlan add interface=LAN name=VLAN10 vlan-id=10
/ip address add address=192.168.10.1/24 interface=VLAN10

/interface vlan add interface=LAN name=VLAN20 vlan-id=20
/ip address add address=192.168.20.1/24 interface=VLAN20

If you do it right when you plug your PC to either port ether1 and ether2 you should be able to ping 192.168.10.1 for ether3 and ether4 you should be able to ping 192.168.20.1, like I said start from small and adapt this to your liking, I hope this help

ProfessionalN00b · June 8, 2025, 7:37am

Yes, I’ve made it this far now that I know to remove port ether9 (labelled Mgmt/Boot on the switch) from the bridge and use it to revert my last changes, but other than that, I haven’t had noticeable progress.

ProfessionalN00b · June 8, 2025, 12:01pm

After trying a few days to get it working unsuccessfully, I decided to connect the TV directly to the gateway and assign it to an appropriate VLAN in a couple of minutes, and everything is like I want it to be now.
I guess it was too difficult for me on the switch.

Thanks to all who tried to help!