VLAN configuration for home network

Mike65Rivne · January 17, 2024, 1:53pm

Hello, Everyone !

I have RB951G-2HnD as my home router and want to make it correctly VLAN configured with such VLANS:

VLAN 88 → home network, wired untagged, with access to router
VLAN 10 → guest network, wired tagged
VLAN 20 → IoT network, wired tagged + router’s wlan1 untagged

So I want to apply this configuration:

/interface bridge
add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=88
add bridge=bridge1 interface=ether3 pvid=88
add bridge=bridge1 interface=ether4 pvid=88
add bridge=bridge1 interface=ether5 pvid=88
add bridge=bridge1 interface=wlan1 pvid=20

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3,ether4,ether5 vlan-ids=88
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4,ether5 untagged=wlan1 vlan-ids=20

/interface vlan
add interface=bridge1 name=vlan88 vlan-id=88
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan10 vlan-id=20

/ip address
add address=192.168.88.1/24 interface=vlan88
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20

/interface bridge
add name=bridge vlan-filtering=yes

Off course for every network will be also configured dhcp-server and ip-pools and networks will be isolated one from another.

Please, community tell me do I understand VLAN correctly:

Will such configuration work?
Will VLAN 88 clients have winbox access to router via IP 192.168.88.1 address ?
Will wireless IoT devices “untaggly” connected to router’s wlan be in VLAN 20 network ?

Thank You.

erlinden · January 17, 2024, 3:20pm

Sure

Will VLAN 88 clients have winbox access to router via IP 192.168.88.1 address ?

Depends on your firewall (that is totally missing in your post)

Will wireless IoT devices “untaggly” connected to router’s wlan be in VLAN 20 network ?

Yes

To read more about VLAN:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

And in addition:
What are you going to do with your guest vlan? There is no implementation other than being available through eth ports tagged.
I would expect that there are 3 SSID’s, each seperated by it’s own VLAN.

Mike65Rivne · January 17, 2024, 3:33pm

I have attached my current firewall rules to original post - plaese take a look
For each ether port will be connected other vendor AP with 3 WiFi SSID configured (untagged Home, tagged Guest and tagged IoT) and free wired ethernet ports of such APs will be used for “untaggly” connecting PCs, Smart TVs and game consoles.

Thank You !

erlinden · January 17, 2024, 4:01pm

Mmm…not to fond of your firewall:

Can you please order them: first input then forward chain?
Am I correct that you don’t want anything accessing your router (except for ICMP)?

The longer I look…
…well, just go back to defaults and add VLAN’s to the correct interface list. Currently it is a total mess.

To help you further can you please share your complete config?

/export file=anynameyoulike

Remove serial and any other private info and post between code tags by using the </> button.

Mike65Rivne · January 17, 2024, 4:08pm

Yes - i don't want anything accessing my router (except for ICMP)

Mike65Rivne · January 17, 2024, 4:17pm

Thank You for helping - I will try to set VLANs in such configuration

erlinden · January 18, 2024, 7:47am

If you want to have some documentation on VLAN, please read this post:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Mike65Rivne · January 18, 2024, 8:05am

Thank You - it is great article - now I will choose which configuration to apply for my network...

anav · January 18, 2024, 2:24pm

When you do and run into issues, the best thing to do is export the full config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc…)

LLU

Mike65Rivne · January 18, 2024, 8:11pm

Thank You - I will do such next time !