VLAN settings for home network

I bought the MikroTik hAP ax3 hoping to improve my security and privacy settings, without knowing I was digging a hole for myself. At the moment I am trying to set up separation between categories of devices using VLANs. The idea is that I will have a wifi interface for each VLAN group and switch between them as needed.

I would like to set up these settings on a MikroTik hAP ax3:

Bridge_Main_Devices: Use VLAN 10 for all devices under normal usages

Has My_5GHz and My_2GHz wifi interfaces

Bridge_Admin: Use VLAN 100, only used to configure the NAS (and potentially the router. How is that possible?)

Has ether2_NAS port

Bridge_IOT: Use VLAN 20

Has My_Devices (2.4 GHz wifi interface)

Has ether4_Verisure_hub port

My_X_Devices (2.4 GHz wifi interface) that use VLAN 30 (for unsafe IOT devices)

My_Guests (5 GHz wifi interface) that use VLAN 40 for guests

This setup would leave me with 5 wifi SSIDs, which will clutter the wifi list (I guess I can hide some). Currently, no matter what I do, I can only create 2 wifi interfaces (1x 5 GHz and 1x 2 GHz). Is this a limitation of MikroTik?

Another way would be having only 1 wifi network and changing the VLAN as needed, but I find that quite inconvenient compared to switching to a saved wifi.

How do you guys handle VLAN? Am I doing it correctly?

P.S.: Btw, can someone please explain "VLAN Filtering" to me? It seems like the VLANs work without enabling it, so why should I bother enabling it?

You only need 1 bridge.

Read and digest this excellent tutorial on setting up VLAN:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Setting up multiple SSIDs is no problem, you need to add a slave interface to a certain master interface.
See here for more info:
https://help.mikrotik.com/docs/spaces/ROS/pages/317128725/Configuring+standalone+access+point

As reference:
I have on my main router (RB5009 but if it runs ROS, it’s all conceptually the same) multiple VLANs for similar purposes as you.
Main vlan for my core network equipment: printer, switch, NAS, … and several wifi access points.
Separate VLAN for wifi clients of home users
Separate VLAN for wifi clients from IoT equipment
Separate VLAN for testing/setup purposes (I work quite a bit from home and when I need to setup client equipment, I use that access)
Separate VLAN for alarm equipment
Separate VLAN for home automation system
Separate VLAN for internet access to common equipment of the apartment building I live in (so it can use my internet line, since it's unlimited for me, but it cannot get onto the rest of my network)
etc etc.

VLAN filtering is where you can completely filter out traffic not meant to be processed by your device.
You can leave it off, but then you lower the security fences, keeping the gates open (in a manner of speaking).
When it’s active, only traffic destined for a certain VLAN coming from a certain port is allowed. Nothing else.

Best practice when setting this VLAN stuff up, is to keep 1 port away from your bridge and use that port as entry for your router.
It’s far too easy to lock yourself out when you are in the learning stages. When this lockout happens, you can (in most cases) only reset to default config and start over again.
As someone mentioned here on the forum not too long ago, after the 5th time or so it becomes boring … so better safe than sorry.

As per the reference, once you go VLANs, the bridge does no DHCP, IP pool etc…
One simply identifies the access ports and trunk ports (in your case probably none) in the interface bridge (ports/vlans) settings.

For OffBridge work, take ether5 for example…

Also, when working on VLANs, as it can get sticky when applying VLANs or trying to change from the default to your setup, it's best to do so from a safe spot. Saves much grief!
So use an off-bridge port for the configuration and also as an emergency access port on the switch at any time…

Associated config entries (remove ether5 from the bridge in /interface bridge port settings):
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0 comment="Offbridge and Emerg access"
/interface list member
add interface=VLAN10-Home list=TRUSTED
add interface=OffBridge5 list=TRUSTED

Note: to access the router, simply configure your PC/laptop with an IPv4 address of 192.168.77.2 and, via username and password, you should have access.

Assumes
/interface list
add name=WAN
add name=LAN
add name=TRUSTED

Additionally
/ip neighbor discovery-settings
set discovery-interface-list=TRUSTED

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
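As an added example (not from either reply and not the questioner's own config), here is how the VLAN plan in the question maps onto the single-bridge, vlan-filtering approach both answers recommend, including the extra SSIDs as slave interfaces and the off-bridge port kept as the safe way in. It assumes RouterOS 7 with the wifi package on the hAP ax3; the radio names wifi1/wifi2, the subnets and the passphrases are placeholders.

```routeros
# Added example, not the thread's own config. Assumes RouterOS 7 "wifi" package;
# wifi1 = 5 GHz radio, wifi2 = 2.4 GHz radio, subnets/passphrases are placeholders.

# 1. One bridge. Leave vlan-filtering OFF until the VLAN table below is complete.
/interface bridge
add name=bridge1 vlan-filtering=no

# 2. Wired access ports: untagged, one VLAN each (pvid tags ingress frames).
#    ether5 stays off the bridge as the emergency/config port (see the reply above).
/interface bridge port
add bridge=bridge1 interface=ether2_NAS pvid=100
add bridge=bridge1 interface=ether4_Verisure_hub pvid=20

# 3. Extra SSIDs are slave interfaces of the two physical radios; each is bridged
#    with its own pvid, so one radio serves several VLANs.
/interface wifi
set wifi1 configuration.mode=ap configuration.ssid="My_5GHz" security.passphrase="CHANGE-ME"
set wifi2 configuration.mode=ap configuration.ssid="My_2GHz" security.passphrase="CHANGE-ME"
add master-interface=wifi2 name=wifi2-iot configuration.ssid="My_Devices" security.passphrase="CHANGE-ME" disabled=no
add master-interface=wifi2 name=wifi2-x configuration.ssid="My_X_Devices" security.passphrase="CHANGE-ME" disabled=no
add master-interface=wifi1 name=wifi1-guest configuration.ssid="My_Guests" security.passphrase="CHANGE-ME" disabled=no
/interface bridge port
add bridge=bridge1 interface=wifi1 pvid=10
add bridge=bridge1 interface=wifi2 pvid=10
add bridge=bridge1 interface=wifi2-iot pvid=20
add bridge=bridge1 interface=wifi2-x pvid=30
add bridge=bridge1 interface=wifi1-guest pvid=40

# 4. VLAN table. The bridge itself is tagged on every VLAN so the router can own
#    an L3 interface in each; access ports are listed as untagged. With filtering
#    on, a frame on a port/VLAN pair not listed here is dropped.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=wifi1,wifi2 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether4_Verisure_hub,wifi2-iot vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=wifi2-x vlan-ids=30
add bridge=bridge1 tagged=bridge1 untagged=wifi1-guest vlan-ids=40
add bridge=bridge1 tagged=bridge1 untagged=ether2_NAS vlan-ids=100

# 5. One L3 interface per VLAN (only two shown). Router management is reachable
#    from the admin VLAN and the off-bridge port via the TRUSTED list, not from
#    the IoT or guest VLANs.
/interface vlan
add interface=bridge1 name=VLAN10-Home vlan-id=10
add interface=bridge1 name=VLAN100-Admin vlan-id=100
/ip address
add address=192.168.10.1/24 interface=VLAN10-Home
add address=192.168.100.1/24 interface=VLAN100-Admin
/interface list member
add interface=VLAN100-Admin list=TRUSTED

# 6. Last step, done while connected through the off-bridge port: enforce the table.
/interface bridge set bridge1 vlan-filtering=yes
```

Turning vlan-filtering on is what makes the table in step 4 authoritative; before that, the bridge forwards tagged and untagged frames between ports regardless of VLAN, which is why the question's setup "works" without it.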