VLANs - there has to be a simpler way!

RouterOS General
1

Hi all,
I have a hEX that I’d love to create a guest network with. I also have a cAPac that would supply the existing home network and new guest network from the hEX on ether3.

There are many tutorials out there, most deal with RoSv.6 which seem pretty hit and miss when it comes to v7.

I’ve seen this tutorial (http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1) which while informative, is way too complex for what I’m trying to achieve here.

So to begin with, I already have a functioning hEX and cAPac as my home network. It uses the 192.168.1.0 subnet. I assume it’s using the default VLAN1 (default settings which I haven’t changed). I’m open to using whatever subnet for the guest network.

Could someone kindly point me to a tutorial that’s known to work, that delivers a VLAN guest network ONLY, or post a config here (one for a hEX and another for a cAPac) that’s known to work. Once I can see that everything is working I can then look at the config and learn how it all pieces together. Maybe after that I could add more VLANs confidently.

I’m currently using Ros v7.16.1

Many thanks in advance.

2

What if I told you that you don’t need a VLAN?

https://tangentsoft.com/mikrotik/wiki?name=Isolated%20Guest%20WiFi%20Sans%20VLANs

3

Thanks for this!

Just to be clear, this config only applies to the cAP? There’s no additional config for the hEX? If not, the new firewall rules being added to the cAP won’t affect the current set of rules on the hEX?

Cheers.

4

Interesting advice on the avoidance of learning how to use vlans…

Post both configs
/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys etc.)

PS, there are no firewall rules on my cap with vlans.

5

Assuming your home subnet is 192.168.10.0/24 and is identified as vlan10 and the guest network is identified as vlan20.
The IP address given to the cap is 192.168.10.5

cap

/interface bridge
add ingress-filtering=no name=bridgecap vlan-filtering=no
/interface ethernet
set [ find default-name=ether2 ] name=OffBridge2
/interface vlan
add  interface=bridgecap name=homeVLAN10  vlan-id=10
/interface list
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=guest_Security \
    supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=home_Security \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] ampdu-priorities=0,1,2,3,4,5 band=5ghz-a/n/ac \
    channel-width=20/40mhz-Ce country=canada disabled=no frequency=5220 \
    guard-interval=long mode=ap-bridge name=homeWLan5 security-profile=\
    home_Security skip-dfs-channels=all ssid=5GHz-connection wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan1 ] ampdu-priorities=0,1,2,3,4,5 band=2ghz-g/n \
    basic-rates-b="" country=canada frequency=2437 guard-interval=long mode=\
    ap-bridge name=homeWLan2  rate-set=configured security-profile=\
    media_Security skip-dfs-channels=all ssid=2GHZ-connection supported-rates-b=\
    11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add keepalive-frames=disabled mac-address= master-interface=\
    homeWLan5 multicast-buffering=disabled name=GuestWLan2 security-profile=\
    home_Security ssid=Guest5 wds-cost-range=0 wds-default-cost=0 wmm-support=enabled \
    wps-mode=disabled
add keepalive-frames=disabled mac-addres= master-interface=\
    homeWLan2 multicast-buffering=disabled name=Guest2 security-profile=\
    aug-b ssid=aug-bridge wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridgecap ingress-filteriing=yes frame-types=admit-priority-and-untagged  interface=homeWLan2 pvid=10
add bridge=bridgecap ingress-filteriing=yes frame-types=admit-priority-and-untagged  interface=guest-2  pvid=20
add bridge=bridgecap ingress-filteriing=yes frame-types=admit-priority-and-untagged  interface=homeWLan5 pvid=10
add bridge=bridgecap ingress-filteriing=yes frame-types=admit-priority-and-untagged  interface=guest-5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridgecap tagged=bridgecap,ether1 untagged=homeWLan2,homeWLAN5  vlan-ids=10
add bridge=bridgecap tagged=ether1 untagged=guestWLan2,guestWLAN5  vlan-ids=20
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=819
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add interface=bridgecap list=TRUSTED
add interface=OffBridge2 list=TRUSTED
/ip address
add address192.168.10.5/24 interface=bridgecap network=192.168.10.0
add address=192.168.55.1/30 interface=OffBridge2 network=192.168.55.0
/ip dns
set servers=192.168.10.1
/ip route
add  dst-address=0.0.0.0/0 gateway192.168.10.1 routing-table=main
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
6

Yes and no.
Yes, the “tangent’s way” only applies to the cAp, but no, the described approach is intended for a single device that has both the wi-fi and the internet, since you have another device (the hex) in the middle, some changes will likely be needed on the hex to allow traffic from 192.168.99.0 to access internet, BUT the article also touches on the (default/easy) way Mikrotik uses, that, being entirely at L2 level, is entirely inside the cAp.

If Anav will be so kind as to help you with the basics of VLANs, then the VLAN way is better, not so much because it is “better” (it is), but because if you manage to master the concepts, it is something that you can use/reuse/abuse also in different scenarios.

I know almost nothing about VLANs, but the base concept is clear, as I understand it, have on the same physical cable different “streams” of traffic coexisting without any possible interference/connections between them, so it is of more general use, the approach is more “general”.

Both the methods explained in tangent’s article, are more “specific”, they can be re-used, as he mentions, as an example to create a restricted iot wifi network, but they are more limited.

7

Daunting as it may seem in the beginning, once you grasp the concept and see the building blocks, VLANs are nothing to be afraid of.

8

Thanks for your kind sentiment.

It’s more that there seems to be no workable tutorial out there that fits a simple “add guest vlan only” option with MT. Most are more complex and for somewhat confusing when all you need is a simple guest network.

With the advent of several new vendors, like Grandstream who make vlans a simple process, I would have thought MT might have met the demand (because I can see I’m not alone with MT vlan config issues) by adding a vlan wizard in the same fashion as the DHCP set up utility under DHCP server. Something that one can enter the credentials as required and step through the process.

While I’m very thankful and appreciate very much the support given here, I think I might end up using other vendor’s gear that while still commercial/enterprise grade still creates an easier path to configure and maintain. When I have a bit more time I’ll come back and try some more suggestions because I really like MT’s architecture and would rather stick with it. I just wish MT wasn’t so bloody confusing!

9

I can understand your line of thought. However I guess that “VLAN wizard” will be out of scope of MT’s tools for a while. The reason being: VLAN is feature which in principle spans whole LAN (or at least extensive parts), which includes several LAN infrastructure devices (possibly by different vendors). And only way of configuring VLANs “with a single click” is to use some central management system. And Mikrotik doesn’t have one and (at seems so far) they don’t have any concrete plans to create one (although I don’t use any, AFAIK there are 3rd party management systems which can work with MT devices). Other vendors, who moved their management interfaces to cloud (many MT users hate this move), can somehow mimic a central management system via cloud management facilities.

10

If I may, there are some inconsistencies in the actual question.
There are seemingly two of them:

  1. Is there a simple way to VLAN?
  2. How can I have a Guest network?

Answers:
#1 No, it is a complex, advanced topic.
#2 Yes, actually two ways, one at L3 level (tangent) and one at L2 level (original Mikrotik). This latter is ALREADY included in a “quickset” feature.

If the two questions are combined into one, they become:
3) How can I have a Guest network through VLAN usage with a wizard that guides me through all steps?
the answer is simply:
#3 You cannot.

To the fourth question :open_mouth: .
4) Why doesn’t Mikrotik provide a VLAN wizard?
My personal answer is:
#4 You must be joking, in all these years the most they managed to provide is “quickset” that - at the most - produces a working configuration every -maybe - three attempts, and only if starting from a clean configuration, otherwise quickset is likely to botch the rest.

There are reasons why the first Rules of the Mikrotik Club (that I am patiently compiling :wink: ) are:

  1. You do not use VLAN1
  2. You DO NOT use VLAN1
  3. You do not use Quickset
  4. You do not use detect internet
    5)…
    :laughing:
11
12

@KiwiBloke

Totally not agree with you. i don’t want to go deep of what is the beneficios VLAN Filtering, as @pcunite has alredy explained.

However nowone is forsing you to use VLAN Filtering.

You can use the old methode of implemeting vlans, before VLAN Filtering took a place.

This is just one e.g.

https://mum.mikrotik.com/presentations/ID13/khomeini.pdf

13

Thanks @nichky. I tried the link, but while that helped me understand vlans more it didn’t really address my situation.

So I asked ChatGPT for a suggestion to create a guest vlan on an already existing network, trunked from router to access point. Here’s what it came up with…

To configure a MikroTik router for a guest VLAN with the subnet 10.10.10.0/24 and VLAN ID 20, where this VLAN will be trunked to an external access point, follow these steps:

  1. Create the VLAN interface on the MikroTik Router:
    This will define VLAN ID 20 on the physical interface that connects to the external access point (for example, ether1).

Steps:
Go to Interfaces → VLAN and add a new VLAN.

Name: guest_vlan20
VLAN ID: 20
Interface: ether1 (or whatever interface connects to the access point)
MTU: Leave as default (typically 1500)
You can create it using the following CLI command:

csharp
Copy code

/interface vlan add name=guest_vlan20 vlan-id=20 interface=ether1

  1. Assign IP Address to the VLAN Interface:
    Next, assign the IP address 10.10.10.1/24 to the newly created VLAN interface. This will serve as the default gateway for devices in the guest VLAN.

Steps:
Go to IP → Addresses and add the IP address.

Address: 10.10.10.1/24
Interface: guest_vlan20

Or using the CLI:

csharp
Copy code

/ip address add address=10.10.10.1/24 interface=guest_vlan20

  1. Set Up DHCP Server (Optional, for automatic IP assignment):
    If you want to assign IP addresses dynamically to devices in the guest VLAN, you can configure a DHCP server.

Steps:
Go to IP → DHCP Server and click Add.

Name: guest_vlan20_dhcp
Interface: guest_vlan20
Address Pool: guest_pool
Gateway: 10.10.10.1 (the router’s address in this VLAN)
DNS Server: (optional) You can use a public DNS server, e.g., 8.8.8.8.
You will also need to create a DHCP Pool:

bash
Copy code

/ip pool add name=guest_pool ranges=10.10.10.2-10.10.10.254
Finally, add the DHCP Server:

csharp
Copy code

/ip dhcp-server add name=guest_vlan20_dhcp interface=guest_vlan20 address-pool=guest_pool disabled=no

  1. Create Firewall Rules to Isolate the Guest VLAN (Optional):
    If you want to isolate guest users from your internal network, create firewall rules to block traffic between the guest VLAN and your internal network.

Example: Block traffic from the guest VLAN to the internal LAN:
Go to IP → Firewall → Filter Rules and click Add.

Chain: forward
Src. Address: 10.10.10.0/24
Dst. Address: 192.168.0.0/24 (example internal subnet)
Action: drop
Or use the CLI:

css
Copy code

/ip firewall filter add chain=forward src-address=10.10.10.0/24 dst-address=192.168.0.0/24 action=drop

  1. Configure the Access Point to Tag VLAN 20:
    On the external access point, you need to ensure the VLAN tag 20 is properly assigned to the guest network. The exact steps depend on your access point model, but typically, you will:
    Set the VLAN tag for the guest network to 20 on the access point.
    Set the access point to operate in 802.1q trunking mode for the interface connecting to the MikroTik router (or configure the SSID to tag the traffic with VLAN 20).

  2. Test Connectivity:
    Connect a device to the access point.
    Ensure it gets an IP in the 10.10.10.0/24 range, and check if it can reach the gateway 10.10.10.1 (the MikroTik router).
    Verify that the device in the guest VLAN cannot access other networks (depending on your firewall rules).
    Summary Configuration Overview:

VLAN ID: 20
Subnet: 10.10.10.0/24
Router IP (Gateway): 10.10.10.1
DHCP Range: 10.10.10.2 - 10.10.10.254
Firewall Rule: Block access to internal network (192.168.x.x) from the guest VLAN (10.10.10.x).

CLI Configuration:
bash
Copy code

/interface vlan add name=guest_vlan20 vlan-id=20 interface=ether1
/ip address add address=10.10.10.1/24 interface=guest_vlan20
/ip pool add name=guest_pool ranges=10.10.10.2-10.10.10.254
/ip dhcp-server add name=guest_vlan20_dhcp interface=guest_vlan20 address-pool=guest_pool disabled=no
/ip firewall filter add chain=forward src-address=10.10.10.0/24 dst-address=192.168.0.0/24 action=drop

This should set up your MikroTik router to properly handle the guest VLAN traffic, provide IP addresses to connected clients, and optionally isolate the guest network from the rest of your internal network.

I’d really appreciate it if someone could check it out and offer thoughts as to how well it might work please.

Would I be right in assuming the dst-address in the filter firewall setting would be 192.168.1.0/24 (rather than 192.168.0.0/24) if that was the home network subnet?

I could give it a go but we’re on the road atm and it’s my home network router with a custom config that I’d rather not tamper with if possible.

Thanks again for all your help.

14

No one here is interested in looking at chat GPT outputs.
What is in your interest is to put in the work to generate what you think is your best effort.
Try to understand what each line in the config SAYS, and its purpose.
Learning, is not done through bypassing the use of ones synapses
Perhaps in vernacular you may understand, unlike nz sheep we are able to say no! :wink:

15

So ChatGPT has a reason to know that VLAN itf needs to be attached to ether1 ?
That’s certainly going to work :confused:

Since you already referred to this EXCELLENT VLAN tuorial:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Read, digest, comprehend, experiment, hit the wall, read again, understand more … that’s a learning process.

16

If you want to devolve into insults, fine. It shows the level of your intelligence is in the gutter.

Whether you want to bury your head in the sand and deny the help that Ai can give is your loss.

I can see why so many think this forum to be toxic. I hoped they were wrong, turns out I was wrong. Sadly, like Hotel California, you can check out but never leave. More the pity.

17

Thanks holvoetn, much appreciated. Something I forgot to add.

18

Cry me a river… I am well aware of AI and how important it is and the impact it will have especially in the battlespace domain. Basically any decision making that requires analyzing large chunks of data no matter how disparate, at near or at real-time, gives a competitive advantage to those with superior AI capability, be it in business or at war.

This has nothing to do with decision making capability, its about learning how to config the router… If you dont want to learn, feel free to stay in the AI space until it gives you all the answers you seek, without assistance and you can blindly forge ahead. Until then you will get real feedback.

Eventually AI will be able to answer questions sufficiently so that it can explain the config, in a useful manner and in a way that is tailored to ones level of experience and to the specific set of requirements that one has. We are not yet at that that amazing educational turning point, but yes, in the future the need for this forum will be moot.