Hi,

I am curently using RouterBOARD 750G r2 as main router in my house.
Port 1 is WAN
Port 2 default (bridge) 192.168.88.0/24
Port 3 default (bridge) 192.168.88.0/24
Port 4 Trunk port for VLANs 100,200 and 50
Port 5 default (bridge) 192.168.88.0/24

Port is going to a managed switch and next to VMware lab.
Now I would like to use port 5 on Mikrotik as access port for vlan 100.

Except for excluding from bridge, what else do I have to do in order to get vlan on port 5 (direct access / untagged)

Thank you in advance for your answer!

BR, Matic

The usual, read some references, make an attempt, fail come back here post your config get some pointers, work on attempt #2.

Oh, you were looking for a spoon, umm I dont see any!

(For just the vlan portion) you could try here
https://help.mikrotik.com/docs/display/ ... +Switching

how do you handle vlan currently ?
switch ethernet
bridge vlan filtering
or just bridges ?

Sorry for a late response.

Actually, at the beggining I didnt use VLANs, but only default network 192.168.88.0/24
Than I expand my infrastructure and implement a VMware lab for which I needed VLANs.
I configured them only on one mikrotik port (eth4).

What I did is just defining VLANs under Interface list and attach them under eth4
Curently eth4 is trunk port for 3 vlans and others are access ports with default network 192.168.88.0/24

Since the cabling from the mikrotik to my apartment is quite tricky, I would need to configure 1 or 2 access ports with vlan 100 on that Mikrotik device.
eth4 stays trunk port, eth3, eth5 would than be access port for specific vlan.

I tried bridge VLAN filtering, but it didnt worked.
Actually, there is even visible some traffic in status tab. Any idea what i did wrong?

ONE BRIDGE<
Identify all required subnets
Create vlans all belonging to bridge
each vlan gets IP pool, address, dhcp-server, dhcp-server network
identify access and trunk ports via /interface bridge ports
identify all tagged and untagged ports via /interface bridge vlans
turn on bridge vlan filtering
adjust firewall rules etc..
bridge only used for bridge function (no dhcp etc.....)

vlan filtering works well!!

ONE BRIDGE<
Identify all required subnets
Create vlans all belonging to bridge
each vlan gets IP pool, address, dhcp-server, dhcp-server network
identify access and trunk ports via /interface bridge ports
identify all tagged and untagged ports via /interface bridge vlans
turn on bridge vlan filtering
adjust firewall rules etc..
bridge only used for bridge function (no dhcp etc.....)

vlan filtering works well!!

Hey, thanks for the guidance

Please let me know if I correctly sum up the process:

1. Get rid of the second bridge I created. Instead use the "primary" bridge (in my case "bridge2")
2. Remove all VLAN configuration from Interface list > VLANs (as mentioned before, I am using that setting for eth4 to trunk the vlans)
3. Assign back all ports to primary bridge "bridge2" (Bridge > Ports)
4. Create VLANs in Bridge > VLANs
5. Mark tagged and untagged ports (Bridge > VLANs)
6. Turn on VLAN filtering for "bridge2"
Question: Is under VLAN Filtering PVID 1? Additional question is, should I than point all VLAN subnets to bridge2 interface, right?

NOpe.
Define vlans,
give them ip pool, address, dhcp-server, dhcp server-network
When you define the vlans you will need to put in an interface choice which is the bridge.

Add ports to bridge ports /interface bridge ports
add tagged or untagged vlans to ports /interface bridge vlans

etc...
viewtopic.php?t=143620

NOpe.
Define vlans,
give them ip pool, address, dhcp-server, dhcp server-network
When you define the vlans you will need to put in an interface choice which is the bridge.

Add ports to bridge ports /interface bridge ports
add tagged or untagged vlans to ports /interface bridge vlans

etc...
viewtopic.php?t=143620

I checked all tutorials and followed your instructions but somehow when I turned on filltering, nothing worked. Not sure what caused the issue
Before I completely reconfigure vlan settings, I wanted to have for instance on eth5 untagged vlan 66.
When I activated vlan filtering all lights started blinking in the same patern and of course I lost the connection.

I was checking several times my configuration and the only thing which might could cause an issue is dhcp pool of .88 to point on bridge2. Dont know...

The safest thing is to configure the bridge and vlans from OFF the bridge.....
Check this link out for a safer approach......
viewtopic.php?t=181718

The safest thing is to configure the bridge and vlans from OFF the bridge.....
Check this link out for a safer approach......
viewtopic.php?t=181718

Hi Anav,

I decided to prepare a configuration from scratch. I followed your instructions from the link you provided earlier.

Here is my configuration from GUI perspective:

• Nothing really special from photo 1 and 2

• On photo 3, i would ask you if it is recommended to turn of "Ingress filtering"? I checked that on on my friend Mikrotik and he has that filtering off.

Since the initial configuration was not working, I gave it a try...

• On photo 4, you can see I now added to the bridge also all VLANs. This is also something I didnt noticed in your script. What do you think about that option?

• Something I didnt know at the begining, and noticed at your script is, that in tagg/untag tab, you always have to add a bridge (photo 5).
  Please tell me, is that also the case for access port / untagged ?

Thank you in advance for your answer!

Please provide export of config, the pictures if required will be asked for of specific items.
/export hide-sensitive file=anynameyouwish.

The other thing that would help is a network diagram.....

I should look something like that.

(1) Diagram seems to be missing base vlan............
(2) Pools screwed up
add name=VMOTION_POOL ranges=192.50.200.254-192.168.50.50
add name=EXTRA_POOL ranges=192.60.200.254-192.168.60.50

add name=VMOTION_POOL ranges=192.168.50.254-192.168.50.50
add name=EXTRA_POOL ranges=192.168.60.254-192.168.60.50

(3) Why is ether1 on the bridge??

(4) YOu dont add vlans to bridge ports (only etherports and wlans are considered bridge port entities.
Delete
add bridge=bridge interface=VMOTION_VLAN50
add bridge=bridge interface=MGMT_VLAN100
add bridge=bridge interface=PROD_VLAN200
add bridge=bridge interface=EXTRA_VLAN60
add bridge=bridge interface=BASE_VLAN

(5) Ether1 is not part of the bridge, nor has anything to do with management vlan.
delete
add bridge=bridge tagged=bridge,ether1 vlan-ids=99

(6) Nope, the interface for addresses are the vlans....
add address=192.168.99.1/24 interface=bridge network=192.168.99.0

add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0


(7) Dumbest rules I have seen in a long time................. which dark corner of the youtube were you looking.

Clearly you dont understand firewall rules.
Look at the first rule. YOU let EVERYTHING hit your router from WAN side and LAN side.
Besides a huge security issue, if that was your intent, why bother with any further input chain rules. They will never be seen because you have matched all traffic.
/ip firewall filter
add action=accept chain=input

(8) Another case in point not understanding firewall rules......... Besides the above fact that further rules would never be seen but take a look here.
We know that the Base vlan (vlan99) is a member of the in-interface-list VLAN and therefore you have accomplished nothing with the second rule below.
/interface list member
add interface=BASE_VLAN list=VLAN

add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN

(9) No idea what the purpose of this source nat setup is for ?????????????????
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=all
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=bridge


(10) typically this would be your BASE interface list.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic

(11) Missing the usual
/tool mac-server mac-winbox
set allowed-interface-list=BASE

>>>>> All smart devices should get their IP on the BASE subnet.