VLANs on WAN

Hello

I’m trying to set up VLANs on MikroTik, without success.

Basically, my new ISP gives me internet on VLAN 554 via PPPoE, and IPTV is on VLAN 555.
The ISP told me that the IPTV STB will get a DHCP address from the ISP, so there is no need for a DHCP server on VLAN 555,
and when I asked the ISP whether I need to set up an IGMP proxy, the answer was no.


So far my test configuration looks like this:

# Bridge
# Rename the default bridge to bridge1; the VLAN interfaces and bridge ports below refer to it by that name.

/interface/bridge/set [find name=bridge] name=bridge1

# VLAN
# Both ISP VLANs are terminated on bridge1 rather than directly on ether1 (see question 1 further down).

/interface vlan
add interface=bridge1 name=vlan554 vlan-id=554
add interface=bridge1 name=vlan555 vlan-id=555

# ether1 is the trunk towards the ISP: tagged frames only.
/interface bridge port
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# NOTE(review): ether2/ether3 get pvid=554, i.e. untagged LAN clients are placed in the PPPoE
# VLAN instead of the bridge's own untagged VLAN where 192.168.88.1/24 and the DHCP server live;
# this is presumably why no IP is obtained — the reply further down changes these two ports to pvid=1.
/interface/bridge/port/set [find interface=ether2] pvid=554 frame-types=admit-only-untagged-and-priority-tagged
/interface/bridge/port/set [find interface=ether3] pvid=554 frame-types=admit-only-untagged-and-priority-tagged
# ether4/ether5 are untagged IPTV ports in VLAN 555; the STB gets its address from the ISP over this VLAN.
/interface/bridge/port/set [find interface=ether4] pvid=555 frame-types=admit-only-untagged-and-priority-tagged
/interface/bridge/port/set [find interface=ether5] pvid=555 frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: both VLANs tagged on the ISP trunk (ether1) and on the bridge itself (so vlan554/vlan555 exist on the router).
/interface bridge vlan
add bridge=bridge1 vlan-ids=554 tagged=bridge1,ether1 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=555 tagged=bridge1,ether1 untagged=ether4,ether5

# The DHCP client on ether1 is no longer wanted: WAN addressing comes from PPPoE below.
/ip dhcp-client/remove [find interface=ether1]

# PPPoE
# PPPoE runs over the VLAN 554 interface, installs the default route and uses ISP DNS.
# user/password here look like placeholders; keep the real credentials out of pasted configs.

/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan554 name=pppoe-out1 password=passwd use-peer-dns=yes user=usr

# pppoe-out1 joins the WAN list so the defconf input-drop and srcnat masquerade rules apply to it.
/interface list member
add comment=defconf interface=pppoe-out1 list=WAN

# VLAN filtering
# Turning this on activates the bridge VLAN table above (the full export below was taken with it still off).

/interface/bridge/set [find name=bridge1] igmp-snooping=yes
/interface/bridge/set [find name=bridge1] vlan-filtering=yes ingress-filtering=yes

Full config (exported with VLAN filtering still off):

# 2025-03-10 12:15:18 by RouterOS 7.18.2
# model = E50UG
# Full export, taken before vlan-filtering was enabled on bridge1.
# Sensitive values are absent: admin-mac was redacted by the poster and the PPPoE password is not shown here.
/interface bridge
add admin-mac=CUT auto-mac=no comment=defconf igmp-snooping=yes name=bridge1
# Both ISP VLANs are terminated on bridge1; the bridge is tagged in each of them in the VLAN table below.
/interface vlan
add interface=bridge1 name=vlan554 vlan-id=554
add interface=bridge1 name=vlan555 vlan-id=555
# WAN is PPPoE over the VLAN 554 interface; it installs the default route and uses ISP DNS.
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan554 name=pppoe-out1 use-peer-dns=yes user=usr
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# Automatic media/SMB sharing is enabled on bridge1 (the LAN side); worth disabling if no USB media sharing is intended.
/disk settings
set auto-media-interface=bridge1 auto-media-sharing=yes auto-smb-sharing=yes
# NOTE(review): ether2/ether3 carry pvid=554, so untagged LAN clients land in the PPPoE VLAN
# instead of the bridge's own untagged VLAN where 192.168.88.1/24 and the DHCP server sit;
# the reply further down changes these two ports to pvid=1 and the OP reports that works.
/interface bridge port
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=554
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=554
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=555
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=555
# ether1 is the tagged-only trunk towards the ISP.
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table: 554 and 555 tagged on ether1 and on the bridge itself;
# 554 untagged on ether2/ether3, 555 untagged on the STB ports ether4/ether5.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2,ether3 vlan-ids=554
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether4,ether5 vlan-ids=555
# ether1 and pppoe-out1 are WAN, bridge1 is LAN; the defconf firewall below keys on these lists.
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=192.168.88.0
/ip dhcp-server
add address-pool=default-dhcp interface=bridge1 name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
# The router answers DNS for clients; the input chain's "drop all not coming from LAN" rule
# is what keeps this resolver unreachable from WAN-listed interfaces.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# defconf IPv4 filter: router services are reachable only from LAN; from WAN only
# established/related traffic and dst-NATed connections are forwarded.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT for everything leaving via a WAN-listed interface.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# defconf IPv6 bogon list, used by the forward chain below.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# defconf IPv6 filter: same LAN-only posture as IPv4, plus ICMPv6/IPsec/DHCPv6-PD allowances.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
# MAC-telnet and MAC-WinBox access is limited to LAN-listed interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

After applying that configuration I get disconnected from the device and no longer receive an IP address from the MikroTik, so something is wrong;
it would be great if someone could help me.

I’ve also got a few questions:

  1. I just don’t know whether the VLAN interfaces should be added to ether1 or to bridge1? In my example I’ve added them to bridge1 (a suggestion from ChatGPT).
  2. Is turning on VLAN filtering with the default pvid 1 fine, given that we’ve got two incoming VLANs?
  3. I was even experimenting with two bridges – one for the internet and one for IPTV – but I think that is not recommended on the hEX E50UG that I have? I also had a problem adding ether1 to both VLANs, because I can assign it to only one bridge.

If the config above works, my plan is to check whether I need to add

# Candidate IPTV additions (OP's plan, not yet applied).
# NOTE(review): every rule is inserted at the top of its chain (place-before=0), ahead of the defconf rules.
# "chain=input in-interface=vlan555 accept" would let any host on the IPTV VLAN — an ISP-facing
# segment — reach every service on the router, bypassing the defconf "drop all not coming from LAN" rule.
# Since the STB appears to reach the ISP purely at L2 through the bridge (it gets DHCP from the ISP),
# none of these accept rules look necessary; the reply further down only adds vlan555 to the WAN
# list, which keeps the defconf drops in force.
/ip firewall filter
add action=accept chain=forward in-interface=vlan555 place-before=0
add action=accept chain=input in-interface=vlan555 place-before=0
add action=accept chain=output out-interface=vlan555 place-before=0
add action=accept chain=forward out-interface=vlan555 place-before=0

# Putting vlan555 in WAN makes the defconf input drop and masquerade rules apply to it.
/interface list member
add interface=vlan555 list=WAN

something like that for IPTV.

Hi,

I would make the following changes. (Sorry, I haven’t tested them.)

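# Suggested changes: LAN ports back on the bridge's untagged VLAN, the ISP VLANs kept off them.
/interface bridge port
# ether2/ether3 are plain LAN ports (pvid=1): they land in the bridge's own VLAN with 192.168.88.1/24.
add bridge=bridge1 comment=LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=1
add bridge=bridge1 comment=LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=1
# ether4/ether5 are untagged IPTV ports in VLAN 555.
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=555
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=555
# ether1 is the tagged-only trunk to the ISP; pvid=200 (an otherwise unused VLAN) keeps untagged/VLAN 1 bridge traffic off it.
# The comment value is wrapped in ASCII double quotes: the forum rendering had turned them into
# curly quotes, which the RouterOS command parser does not treat as quoting.
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1 pvid=200 comment="200=unused"

/interface bridge vlan
# VLAN 554 (PPPoE) exists only tagged, between ether1 and the router (bridge1); no LAN port is untagged in it.
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=554
# VLAN 555 (IPTV) is bridged between ether1 and the untagged STB ports; bridge1 is tagged so vlan555 exists on the router.
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether4,ether5 vlan-ids=555

/interface list member
# Everything ISP-facing goes into WAN so the defconf "drop all not coming from LAN" input rule
# and the srcnat masquerade apply to it; bridge1 stays the only LAN member.
add comment=defconf interface=vlan554 list=WAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=pppoe-out1 list=WAN
add comment="555 is wan" interface=vlan555 list=WAN
add comment=defconf interface=bridge1 list=LAN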


Plug into ether2 or ether3 to get a LAN interface.
(You should get an IP from 192.168.88.0/24.)

VLAN 555 is bridged directly to the endpoint devices on ether4 and ether5 (the IPTV box?).
The internet interface (PPPoE on VLAN 554) is connected through ether1.

You could possibly add vlan554 directly to ether1, and the PPPoE client to vlan554.
Though I think the current scheme of adding the PPPoE client to vlan554, vlan554 to the bridge, and then through to ether1 might be better (if less efficient).

pvid=200 on ether1 prevents it from leaking VLAN 1 / bridge traffic.

edit: Highlight changes

That works perfectly, thank you rplant !

Although this works, I’m just wondering whether it is the optimal way to do it: why configure the VLANs using bridge VLAN filtering, when on this kind of device the VLANs should supposedly be configured in the switch menu? Or could the VLAN-tagged interfaces also be attached directly to ether1? I’m just curious, thanks!

Whether to use the switch menu or the bridge mostly depends on the device model. Some older devices (those with somewhat older Qualcomm switch chips, such as the QCA8337 and various Atheros 8xxx) indeed require using the switch menu to enable VLAN manipulation in the switch chip. The general approach is to use the bridge menus and let RouterOS offload L2 operations to the underlying hardware where feasible. Bridge configuration also works on devices that don’t have switch chips (various CCR devices).

Attaching VLAN interfaces directly to an (off-bridge) ethernet interface is, again, a feasible thing to do when all of those VLANs are terminated on the router. With the requirement of passing some VLANs on to the rest of the ethernet ports (in the case of @mero3, the OP, that’s VLAN 555 for IPTV) it’s much better to add the WAN physical interface to the bridge and configure VLAN filtering there (or on the switch chip if the device is one of those that wants such a setup … the WAN physical port still has to be a member of the unified bridge in this case). The alternative would be to use additional bridge(s) to pass such VLAN(s) to different physical interfaces, which would mean a definite loss of HW-based switching for those VLANs.

Hm, but looking at the OP’s config export, they have a hEX refresh (E50UG), which means that with ether1 being the WAN port, putting it in the bridge will still result in everything involving that port using the CPU (no HW offload), including VLAN filtering and bridging.

If the OP has an additional external switch for their “VLAN 1” subnet, maybe it’s better to remove ether1 from the bridge (use it only as a management port, for instance) and use ether2 as the WAN port instead, and connect the external dumb switch to ether3 for additional ports. Then VLAN filtering works with hardware offload again, and VLAN 555 is bridged in hardware between the 3 ports (ether2, ether4, ether5).

Yes, it will use the CPU. But when adding ether1 to the bridge, the L2 configuration is pretty simple (fewer details to get wrong) … even though it doesn’t make any difference performance-wise. I’d guess that using a single VLAN-enabled bridge versus multiple non-VLAN bridges is still slightly more CPU-friendly … but probably only slightly.

Yes, using any of ether2–ether5 as the port connecting towards the ISP is in this case a sane decision. With or without an external switch … whether to use one or not is then up to the desired network setup. In my own case I’m providing a LAN segment for internet access to IPTV boxes, but I have to pass the IPTV VLAN between the WAN port and those LAN ports. So I went with a unified bridge which also carries the WAN IP VLAN.