i’d like to confirm, im doing this right, i wanted to achieve untagged-vlan!
What i did: instead of putting the VLAN interface on the port itself (i need only one phisycal port for each subnet), i’ve put the port in a bridge and added the vlan to the bridge, after that the bridge got an private ip address and ive set up a dhcp server on the bridge, but i gave the ip address the port itself (and not the bridge).
Am i doing this right?
I did the same to an other port (the for was 192.168.4.1/24 the second 192.168.5.1/24) and did the firewall rules, so its seperated on layer 3 too.
Before theese settings i checked, i could ping from one client the other and vica versa. After theese settings i couldn’t and i checked the ARP table on the windows machines and didnt saw any other subnets i should have seen, in case i misconfigured something.
thank you for your answer, i see you are really active on theese forums
Now i don’t want to tag, cuz the person who needs it, has two “not-smart” switches, usually i like to use tagged vlan with smart-switches
Now, in this case, i only need one (untagged) vlan / port, but in an other case, where i’d need to have more, i would just put more ports into the bridge (the "vlaned"bridge).
Is this correct?
it seems to work perfectly, but everywhere i search in google, i see 10+ sites long descriptions, how u should do vlans and a lot are outdated and not deleted (i think mikrotik tutorials are really outdated or wrongly done, but thats just my opinion), but i think “vlaning” in mikrotik is easy, cuz i tried how it was logical for me and it worked like a charm, i just wanted a pro say, yeah mate, you are doing it the right way!
The way you did VLANs are the way they can be done on routers … where any ingress packet needs to be routed to another L3 subnet.
If you want to do it the way they are done on switches … where ingress packets get forwarded to other interfaces within same VLAN with the least amount of processing … then your way is not the way to do it.
VLANs on Mikrotik are not easy and yes, official documentation has room for improvement. That’s why @pcunite wrote a nice tutorial on how to do it in a way which is portable between all RouterBoard devices running ROS >=6.42.
There are many other ways how to configure VLANs, many give better performance but depend on particular features, provided by hardware switch chips, and are thus not portable between different RB models.
One more question: if i do not bridge ports, i only use ONE, than i dont have any layer 2 connection between two ports right? So this way i can just give thoose two ports two seperate seubnets and do a layer 3 firewall filter (like forward from 192.168.0.0/24 to 192.168.1.0/24 drop) and i achieve the same? Could please someone verify for me, that two (not bridged, simple “standalone”) ports do not have any L2 connection?
if you mean this: “But what also possible: extend the access port (=untagged port) with “dumb” switch”, than sorry, i misunderstood it, i thought you said i should do untagged vlans (not untagged ports ) with dumb switches…
But if there is basically no L2 connection, than there is really no need for a “bridged-vlanned” port, makes it just more complicated without gaining anything from it!
My english is not the best, so if you wanted to tell me this, than sorry m8 and thank you again!
) with dumb switches…