tser239
just joined
Topic Author
Posts: 1
Joined: Sat Mar 25, 2023 11:56 am

How to implement VLAN in my Home-Network

Sat Mar 25, 2023 12:24 pm

Hello dear MikroTik users,

I am just learning about VLANs; however, there are so many options and I end up just confused every time.

I have a small home network which consists of a MikroTik hAP ac lite (router, firewall, AP) and a TP-Link TL-SG108E managed switch.

I currently have two bridges (Bridge-LAN, Bridge-Guest). Bridge-LAN contains my port to the switch and the "trusted" WiFi.

I would like to divide these two bridges/networks into VLANs where all traffic goes through a trunk to the switch, and from there I distribute the VLANs port-based. Of course I also want to add my WiFi to these VLANs.

I have tried many things, but every time something else did not work.

Below you can see my current configuration:
/interface bridge
add name=Bridge-Guest
add name=Bridge-LAN
/interface ethernet
set [ find default-name=ether2 ] name=LAN1
set [ find default-name=ether3 ] disabled=yes name=LAN2
set [ find default-name=ether4 ] disabled=yes name=LAN3
set [ find default-name=ether5 ] name=LAN4 poe-out=off
set [ find default-name=ether1 ] name=WAN
/interface vlan
add interface=WAN name=VLAN-7-PPPoE vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=VLAN-7-PPPoE name=\
    PPPoE-Telekom user=xyz@xyz.de
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Security-Profile-TS \
    supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=\
    Security-Profile-Guest supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=germany disabled=no \
    installation=indoor mode=ap-bridge name=WLAN-2GHz-Trusted \
    security-profile=Security-Profile-TS ssid="TS - Trusted"
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40mhz-eC \
    country=germany disabled=no frequency=5200 installation=indoor \
    mac-address=xy mode=ap-bridge name=WLAN-5GHz-Trusted \
    security-profile=Security-Profile-TS ssid="TS - Trusted"
add disabled=no keepalive-frames=disabled mac-address=xy \
    master-interface=WLAN-2GHz-Trusted multicast-buffering=disabled name=\
    WLAN-2GHz-Guest security-profile=Security-Profile-Guest ssid="TS - Guest" \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xy \
    master-interface=WLAN-5GHz-Trusted multicast-buffering=disabled name=\
    WLAN-5GHz-Guest security-profile=Security-Profile-Guest ssid="TS - Guest" \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=DHCP-Pool-LAN ranges=192.168.10.200-192.168.10.254
add name=DHCP-Pool-Guest ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=DHCP-Pool-LAN interface=Bridge-LAN lease-time=1h name=\
    DHCP-Server-LAN
add address-pool=DHCP-Pool-Guest interface=Bridge-Guest lease-time=1h name=\
    DHCP-Server-Guest
/interface bridge port
add bridge=Bridge-LAN interface=LAN1
add bridge=Bridge-LAN interface=WLAN-5GHz-Trusted
add bridge=Bridge-LAN interface=WLAN-2GHz-Trusted
add bridge=Bridge-Guest interface=WLAN-2GHz-Guest
add bridge=Bridge-Guest interface=WLAN-5GHz-Guest
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=Bridge-LAN list=LAN
/ip address
add address=192.168.10.1/24 interface=Bridge-LAN network=192.168.10.0
add address=192.168.20.1/24 interface=Bridge-Guest network=192.168.20.0
add address=172.20.4.1/24 interface=LAN4 network=172.20.4.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.100 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
/ip dns
set servers=192.168.10.100
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=PPPoE-Telekom \
    protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=\
    PPPoE-Telekom port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=PPPoE-Telekom \
    port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    PPPoE-Telekom
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE-Telekom
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=60001
set api disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin

Below is a quickly made diagram of how I think it should look in the end:
[Image: diagram of the intended network layout]

Thank you for helping me in advance! :D
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to implement VLAN in my Home-Network

Mon Mar 27, 2023 3:39 am

When you want to use one bridge and you want to use the TPLINK as a proper vlan switch not port based, will help.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to implement VLAN in my Home-Network

Mon Mar 27, 2023 10:56 am

And of course also use 1 bridge, not two.
Configure a single bridge with VLAN filtering, and use a VLAN tag for the second network.
Of course it will lead to some performance degradation but you can avoid that by connecting all your high-performance devices to the switch, not the router.
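
The single-bridge approach suggested above, applied to the configuration from the first post. This is an added example and not part of any forum post; the VLAN IDs 10 and 20 and the names Bridge-VLAN, VLAN10-LAN and VLAN20-Guest are assumptions, while the port, DHCP server and bridge names come from the posted export.

```routeros
# Added example. Assumptions: VLAN IDs 10 (trusted) and 20 (guest); the names
# Bridge-VLAN, VLAN10-LAN and VLAN20-Guest are hypothetical.
# Run it from a session on LAN4 (172.20.4.1), which stays outside the bridge.

# 1. One bridge; filtering stays off while the ports are moved
/interface bridge
add name=Bridge-VLAN vlan-filtering=no

# 2. LAN1 = tagged trunk to the switch; each WLAN = untagged access port (pvid)
/interface bridge port
set [ find interface=LAN1 ] bridge=Bridge-VLAN ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
set [ find interface=WLAN-2GHz-Trusted ] bridge=Bridge-VLAN pvid=10
set [ find interface=WLAN-5GHz-Trusted ] bridge=Bridge-VLAN pvid=10
set [ find interface=WLAN-2GHz-Guest ] bridge=Bridge-VLAN pvid=20
set [ find interface=WLAN-5GHz-Guest ] bridge=Bridge-VLAN pvid=20

# 3. VLAN table: the bridge itself is tagged so the router can terminate
#    both VLANs; the WLAN ports become untagged members through their pvid
/interface bridge vlan
add bridge=Bridge-VLAN tagged=Bridge-VLAN,LAN1 vlan-ids=10
add bridge=Bridge-VLAN tagged=Bridge-VLAN,LAN1 vlan-ids=20

# 4. Layer-3 interfaces on the bridge take over from Bridge-LAN / Bridge-Guest
/interface vlan
add interface=Bridge-VLAN name=VLAN10-LAN vlan-id=10
add interface=Bridge-VLAN name=VLAN20-Guest vlan-id=20
/ip address
set [ find interface=Bridge-LAN ] interface=VLAN10-LAN
set [ find interface=Bridge-Guest ] interface=VLAN20-Guest
/ip dhcp-server
set DHCP-Server-LAN interface=VLAN10-LAN
set DHCP-Server-Guest interface=VLAN20-Guest
/interface list member
add interface=VLAN10-LAN list=LAN

# 5. VLANs separate layer 2 only; the router still routes between the two
#    subnets, and the posted filter has no forward-chain rules.
#    This rule also drops replies, so trusted hosts cannot reach guests either.
/ip firewall filter
add action=drop chain=forward comment="guest to trusted" \
    in-interface=VLAN20-Guest out-interface=VLAN10-LAN

# 6. Last step: turn filtering on
/interface bridge
set Bridge-VLAN vlan-filtering=yes
```

On the TL-SG108E, the uplink port to LAN1 has to be a tagged member of both VLANs, and each access port an untagged member of one VLAN with a matching PVID.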
