VLAN configuration confirmation please

I’m new to VLANs with Mikrotik so I just need confirmation for my setup please.

I have four VLANs:

vlan20 (guests - need internet access)
vlan40 (staff wired - need internet access)
vlan50 (staff wireless - need internet access)
vlan100 (management - no internet access necessary)

I have a couple of NetGear L2 switches.

I have set up a DHCP server for each VLAN, with the exception of VLAN100 (management, as the switches’ IP addresses are static).

Here’s my thinking:

vlan40 and vlan50 need to be routed to each other so I create a bridge and add those two vlans to that bridge. Correct?

vlan20 I just masquerade for straight net access. (Do I use the In. Bridge Port option?)

vlan100 I don’t reference at all because of the static IPs and the lack of net access needed. Correct?

Is it as simple as this?

Thanks for the input.

Bridges connect the same network. Since VLANs are unique logical networks, you do not want to bridge them, you want to route between them. The router will simply route traffic between the networks for you unless you explicitly drop that traffic via firewall rules. Just masquerade all traffic from internet enabled VLANs to the internet and potentially set up firewall rules to drop undesired traffic to the management VLAN.

Felix

Thanks Felix, makes sense.

So I need this type of rule?

/ip firewall filter add chain=forward in-interface=vlan40 out-interface=vlan20 action=drop

This should drop any packets from the guest vlan wandering over to the staff vlan?

Can you confirm I cannot masquerade on an in-interface, so I’ll need to create a src-address-list and use that for the masquerade, or just masquerade everything?

Thanks for the help.

The drop rule is correct.

I wouldn’t masquerade everything - I’d explicitly use a src-address-list and an out-interface:

/ip firewall nat add chain=srcnat action=masquerade src-address-list=Local_NAT_Networks out-interface=outside

Felix
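Putting Felix’s two answers together, here is a complete routed (not bridged) configuration for the four VLANs as an added example; it is not from the thread, from MikroTik’s documentation or from either poster. It assumes the VLAN interfaces sit on a trunk on ether2 towards the NetGear switches, that the internet-facing interface is named outside (the name used in Felix’s NAT rule), and it uses made-up 192.168.x.0/24 subnets; the DHCP servers the original poster already has are left out. Note that in-interface is the interface a packet enters the router on, so a rule that is meant to stop guests reaching staff names the guest VLAN as in-interface and the staff VLAN as out-interface. The management VLAN is kept off the NAT address list so nothing from it is ever masqueraded out, and a forward-chain rule stops the other VLANs from reaching it.

```routeros
# Added example, not from the thread. Assumptions: trunk on ether2, WAN
# interface named "outside", subnets below are constructed for the example.

# One VLAN interface per tag on the trunk towards the switches
/interface vlan
add name=vlan20  vlan-id=20  interface=ether2 comment="guests"
add name=vlan40  vlan-id=40  interface=ether2 comment="staff wired"
add name=vlan50  vlan-id=50  interface=ether2 comment="staff wireless"
add name=vlan100 vlan-id=100 interface=ether2 comment="management"

# One gateway address per VLAN; the router routes between them on its own,
# no bridge is involved
/ip address
add address=192.168.20.1/24  interface=vlan20
add address=192.168.40.1/24  interface=vlan40
add address=192.168.50.1/24  interface=vlan50
add address=192.168.100.1/24 interface=vlan100

# Only the VLANs that are allowed to reach the internet go on the NAT list.
# vlan100 is deliberately absent, so management traffic is never masqueraded.
/ip firewall address-list
add list=Local_NAT_Networks address=192.168.20.0/24 comment="guests"
add list=Local_NAT_Networks address=192.168.40.0/24 comment="staff wired"
add list=Local_NAT_Networks address=192.168.50.0/24 comment="staff wireless"

/ip firewall filter
# Replies to connections that were already allowed pass first, so the drop
# rules below only have to decide who may *open* a connection
add chain=forward action=accept connection-state=established,related comment="allow established/related"
add chain=forward action=drop   connection-state=invalid comment="drop invalid"
# in-interface = where the packet came in: these stop guests opening
# connections towards either staff VLAN
add chain=forward action=drop in-interface=vlan20 out-interface=vlan40 comment="guests -> staff wired"
add chain=forward action=drop in-interface=vlan20 out-interface=vlan50 comment="guests -> staff wireless"
# Nothing except the management VLAN itself may reach the management VLAN
# (add an accept above this line for specific admin hosts if they need it)
add chain=forward action=drop in-interface=!vlan100 out-interface=vlan100 comment="protect management"
# Everything else (vlan40 <-> vlan50, and any listed VLAN -> internet) is routed

# Masquerade only the listed source networks, and only when leaving via the WAN
/ip firewall nat
add chain=srcnat action=masquerade src-address-list=Local_NAT_Networks out-interface=outside comment="internet access"
```

Rule order matters in the forward chain: the established/related accept goes first so return traffic for staff-initiated connections is never caught by the drops, and the drops go before any catch-all. After applying it, /ip firewall filter print stats shows per-rule packet counters, which is the quickest way to confirm that a test connection from a guest client is actually hitting the "guests -> staff" rule rather than being routed through.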

Thanks Felix.

Keep well.