Trying to wrap my head around VLANs

So after years of using a single LAN for all devices I decided to separate them with VLANs. I have a hAP ac, so after checking some tutorials I decided to give it a try. Here is my target setup:
[image: VLANs.png]
Basically my mobile phone, computer and proxmox servers should use 192.168.1.0 network, IoT devices 192.168.2.0, proxmox VMs either 192.168.5.0 or 192.168.6.0.
I’ve created the following basic configuration - is it enough or should I add something more? I’m pretty sure I need to set something under /interface ethernet switch port but I’m not sure what exactly I should put there :frowning: Of course I will prepare corresponding firewall rules later.

/interface vlan
add comment=wifi-iot interface=bridge name=vlan2 vlan-id=2
add comment=proxmox-prod interface=bridge name=vlan5 vlan-id=5
add comment=proxmox-test interface=bridge name=vlan6 vlan-id=6
/ip pool
add name=default-dhcp ranges=192.168.1.30-192.168.1.60
add name=dhcp-vlan2 ranges=192.168.2.2-192.168.2.30
add name=dhcp-vlan5 ranges=192.168.5.2-192.168.5.62
add name=dhcp-vlan6 ranges=192.168.6.2-192.168.6.14
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
add address-pool=dhcp-vlan2 interface=vlan2 lease-time=3h name=wifi-iot
add address-pool=dhcp-vlan5 interface=vlan5 lease-time=1w name=proxmox-prod
add address-pool=dhcp-vlan6 interface=vlan6 lease-time=6h name=proxmox-test
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/interface ethernet switch vlan
add independent-learning=no ports=ether1 switch=switch1 vlan-id=2
add independent-learning=no ports=ether3,ether4 switch=switch1 vlan-id=5
add independent-learning=no ports=ether3,ether4 switch=switch1 vlan-id=6

# I'm not sure about this part
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=add-if-missing
set ether4 vlan-mode=secure vlan-header=add-if-missing
# ----

/ip address
add address=192.168.1.1/26 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.2.1/27 interface=vlan2 network=192.168.2.0
add address=192.168.5.1/26 interface=vlan5 network=192.168.5.0
add address=192.168.6.1/28 interface=vlan6 network=192.168.6.0
/ip dhcp-server network
add address=192.168.1.0/26 comment=defconf dns-server=192.168.1.5 gateway=\
    192.168.1.1 ntp-server=192.168.1.5
add address=192.168.2.0/27 dns-server=192.168.1.5 gateway=192.168.2.1 \
    ntp-server=192.168.1.5
add address=192.168.5.0/26 dns-server=192.168.1.5 gateway=192.168.5.1 \
    ntp-server=192.168.1.5
add address=192.168.6.0/28 dns-server=192.168.1.5 gateway=192.168.6.1 \
    ntp-server=192.168.1.5

Best resource is here → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

First mistake is mixing apples and oranges, once you have vlans, remove subnet from bridge so it does no dhcp, much less confusing.
Bridge ports are wrong
Not sure why you are even touching ethernet switch settings of any ILK be it ethernet switch vlan or port ???

Clearly you chose the wrong youtube article. :-0

++++++++++++++++++++++++++++++++++

Another pointer… the config is all interconnected, posting only part of the config is not a recipe for success.
Certainly should have the default set of firewall rules on the config before attaching anything to the WWW.

/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)

Looking at your config, it looks like you have followed or are applying what I see as “v6” logic to this. Nothing wrong with that at all unless you are running v7 or you want to get this done this year.

To cut a very long story short(er) - once you go VLAN, you drive those VLANs from your bridge menu. In Bridge > VLANs you’ll find you can set tagged and untagged ports per VLAN, and in Ports you can set the pvid for untagged traffic (not that you need to, as your additional networks will all be tagged).

Couple of advisories though:
ALWAYS use safe mode, when you think you have VLAN configured and you turn on vlan filtering in bridge as it is needed - first time round you rarely have it configured well so safe mode will bail you out.
If you are tagging all other traffic, change your native vlan to something other than 1, it’s better practise to do this.
I would be tempted to run ether3 and 4 as untagged VLAN 5 & 6 respectively; it’s an “easier” config too and your Proxmox setup will be simpler. You’re not gaining anything by having 2 ports with a trunked network unless Proxmox is sitting on 3 networks, untagged and the 2 tagged?
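What the reply above describes, written out as an added example (this is not the OP's config, the linked guide, or MikroTik's own text): the VLANs are driven from the bridge menu, each Proxmox port is an untagged access port for its VLAN, the router's own vlanN interfaces reach the bridge as a tagged member, and nothing is touched under /interface ethernet switch. Assumptions: ether1 is the WAN port and stays out of the bridge; ether2 and wlan1 carry the untagged base LAN (192.168.1.0/26); wlan2 is the IoT SSID; ether3 goes to the prod Proxmox host and ether4 to the test one.

```routeros
# Added example - assumed port roles, see lead-in.
# Order matters: build the bridge, ports and VLAN table first,
# turn vlan-filtering on LAST, with safe mode enabled (Ctrl+X in the terminal).

/interface bridge
add name=bridge vlan-filtering=no comment="filtering is enabled as the final step"

/interface bridge port
# pvid = the VLAN that untagged frames arriving on this port are placed into.
# Base LAN stays untagged on pvid 1 (the reply suggests moving it off VLAN 1
# once everything else is tagged; that would mean a different pvid here).
add bridge=bridge interface=ether2 pvid=1
add bridge=bridge interface=wlan1 pvid=1
# Access ports: accept only untagged frames, and drop anything for a VLAN
# the port is not a member of (ingress-filtering).
add bridge=bridge interface=wlan2 pvid=2 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether3 pvid=5 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether4 pvid=6 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# tagged=bridge makes the bridge itself (the router CPU) a tagged member, so the
# vlanN interfaces below, and the DHCP servers on them, can see each VLAN.
add bridge=bridge vlan-ids=2 tagged=bridge untagged=wlan2
add bridge=bridge vlan-ids=5 tagged=bridge untagged=ether3
add bridge=bridge vlan-ids=6 tagged=bridge untagged=ether4

/interface vlan
add interface=bridge name=vlan2 vlan-id=2 comment=wifi-iot
add interface=bridge name=vlan5 vlan-id=5 comment=proxmox-prod
add interface=bridge name=vlan6 vlan-id=6 comment=proxmox-test

/ip address
add address=192.168.1.1/26 interface=bridge
add address=192.168.2.1/27 interface=vlan2
add address=192.168.5.1/26 interface=vlan5
add address=192.168.6.1/28 interface=vlan6

# DHCP pools, servers and networks go on the vlanN interfaces as in the OP's
# post (one server per vlanN interface). Final step:
/interface bridge set bridge vlan-filtering=yes
```

Before the last line, enable safe mode so a mistake in the VLAN table does not lock you out: if the terminal session drops, RouterOS rolls the changes back. Verify with `/interface bridge vlan print` (the pvid-1 entry shows up as a dynamic row) and `/interface bridge host print` to see which VLAN each learned MAC landed in. The inter-VLAN firewall rules the OP mentions still have to be written; this layout only separates the Layer 2 domains.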

I just want to say that I have never been able to get a useful environment using VLANs.

I’ve read the always-recommended post here, read tons of other articles, watched videos, and there is nothing that explains it and instructs in their construction clearly enough.

I don’t know why, and I can’t suggest how to improve it, but, as I learned in college, graduate school (2 different programs), and decades in business, if I am confused about something, other people are also.

Consider this a plea for help, not a criticism.

I worked for 5 years with MikroTik daily and didn’t manage to grasp VLAN. I have had a 5 year hiatus and then recently, only after learning and implementing Cisco VLAN, have I gone back over MikroTik VLAN in order to get it right. It’s not the same, but the difference was I understood the concepts better. (I maintain Cisco VLAN is so much more natural and less convoluted.)

+1

VLANs are easy once you get the hang of it. I am a little odd that I don’t use a bridge in my router at all. However the router is not doing any switch functions - every port is a different LAN or VLAN trunk. All switch functions are done in separate managed switches (CSS326 running SwitchOS).

Yeah, k6, but you’re from KAL EYE 4RN EYE EH … freakish :wink:

There is logic and rules, it works, the reference is accurate.

I try to keep up with code/acronyms/etc., but huh???

BTW, K6, I’m a KC2

It’s not code, just a pronunciation schema.
Californicators are a tad odd. :wink:

Oh! Got it now!

Couldn’t agree more. Glad to see more people who recognize NYC as the center of the English speaking world and the only non-accented English speakers :wink:

Thanks for the topic link, you made my day.

It’s the beer you’re drinking… putrid UK tar… probably warm too. :wink:

Whether it’s a hEX router with 3 VLANs, a hEX acting as a switch with X VLANs, or my CCR1009 with 20 VLANs, all works like butta.
The linked article is gold.

Well, VLAN is a tool … Most people use tools because they have a task to do and certain tools fit the task perfectly (but one has to know different tools reasonably well to identify best tool for certain task). Some people use tools for fun and to learn how to use them properly. And some people use a tool (or two) they are familiar with to perform all sorts of tasks.[*]

So either you never ran into a situation which calls for VLANs … or you didn’t see that VLANs were the perfect fit and you solved tasks with other networking tricks (perhaps less perfect, but good enough). Or VLANs were not the perfect tool. Or you simply didn’t work the task properly because of your flaky knowledge of VLANs.

[*] There was a period of time when our BFF @anav answered “use VLANs” to every question. Since he learned about WireGuard, he’s split between both answers.

hahaha… listen if you only need two subnets, nothing wrong with one bridge and one separate subnet or two separate subnets and no bridge.
But if you choose any of the above, you are denying yourself the satisfaction of using vlans, and the sense of accomplishment and the ability to lord such skills over the masses, who are clearly inept, incapable or insane. :slight_smile:

I don’t drink :laughing:

You’ll die in 2 days then… :laughing:

(PS same here :sunglasses: )