Using RouterOS to VLAN your network
This article is for system integrators, network administrators, and product enthusiasts looking for the definitive guide on how to design and set up VLAN networks using MikroTik. Follow along with the light reading material and diagrams that make learning about VLAN an enjoyable topic. See the theory and then dive into the actual commands to implement it all. We'll discuss Access and Trunk ports, switching and routing, and guest access into our networks.
If you have a need to partition and isolate networks and devices from each other using the same physical hardware, you may be a good candidate for VLAN. If you have IoT devices, IP cameras, guests who need to use your WiFi, and a need to apply QoS to decide who gets what, VLAN can make your network simpler to reason about. In micro-sized networks, it is possible to use other methods besides VLAN, but VLAN is never a wrong choice. This should give you the confidence to learn the VLAN concept knowing it will scale as your network and the number of devices grow.
Sometimes you see other terms alongside VLAN, such as Port Based VLAN, MAC Based VLAN, Native VLAN, and Voice VLAN. Some of these are really just different names for the same thing. They may use a different approach (automated vs manual) to get there, but ultimately, network devices are segmented. This document will focus on a manual Tag Based VLAN approach. Examples of dynamic VLAN assignment using RADIUS can come if we have knowledgeable feedback in those areas.
I focus on the most commonly requested scenarios: switch with separate router, WiFi router combo, guest WiFi, and public printer; basically, hardware and scenarios that mirror MikroTik's product lineup. From these examples you'll be able to create any custom configuration on your own. Security topics will be covered separately.
VLAN Terminology Overview:
Before discussing the various examples, we need to establish some common terminology and concepts about VLAN. In Tag Based VLAN, you'll be working with Access and Trunk ports, configuring IP Addressing & Routing, and setting up IP Services on VLAN interfaces. These elements combine to create a managed VLAN network. This virtual network can be as big or as small as you like. You'll be thinking about what to allow and what to block. Read each of these VLAN concepts below before using our configuration examples, so you understand how we use them on the command line.
Access Ports:
These ports define the entry into your VLAN. They represent groups of devices that need access to each other but not to other networks. You will group them by ID. In this documentation we use colors like Blue, Green, and Red to help us visualize the ID numbers. Access ports are configured so that ingress (incoming) packets are not expected to have tags and thus will get a tag applied. The egress (outgoing) packets, replying back to whatever was plugged in, get their tags stripped off. An optional security feature can remove malicious tags on incoming packets.
Trunk Ports:
These ports are what carry everything you care about between VLANs. If Access ports represent groups of things, you could think of Trunk ports as what enables these groups to get to the places they need to go, like other areas of the switch or network. Configuring a Trunk port means ingress packets should have tags and egress packets will have tags.
When designing your VLAN, you'll have completed your first step when you can logically think about Access port grouping and Trunk port interconnections. How many VLANs and devices will you need to work with? Who gets access to what? Don't rush this step. Take time to draw a diagram you can show others. When you have that understood, at least in principle, you are ready to move on to IP Addressing & Routing.
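To make the Access and Trunk port concepts above concrete, here is an added example of a bridge VLAN filtering configuration in RouterOS v6 syntax. It is not part of the original post. It assumes a device whose ports ether2 to ether5 are free, a bridge named BR1, and VLAN IDs 10 (Blue), 20 (Green) and 30 (Red); the bridge name, port assignments and IDs are all assumptions, and ether1 is left at the bridge default (pvid 1) so the Native VLAN you are connected through keeps working while you configure the rest.

```routeros
# Added example, not from the original post. Bridge name, port roles and VLAN
# IDs (10 Blue, 20 Green, 30 Red) are assumptions for illustration.

# Create the bridge with VLAN filtering OFF; it is switched on as the last step,
# after the ports and the VLAN table exist, so you do not cut off your own session.
/interface bridge
add name=BR1 vlan-filtering=no comment="Enable vlan-filtering only after the VLAN table is complete"

/interface bridge port
# Management stays on the Native VLAN: default pvid=1, no frame restrictions.
add bridge=BR1 interface=ether1 comment="Native VLAN / management"
# Access ports: untagged frames coming in receive the port's PVID tag on ingress
# and have it stripped on egress. frame-types refuses frames that already carry a
# VLAN tag, which is the "remove malicious tags" safeguard described above, and
# ingress-filtering drops anything for a VLAN the port is not a member of.
add bridge=BR1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="Blue access"
add bridge=BR1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="Green access"
add bridge=BR1 interface=ether4 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="Red access"
# Trunk port: only tagged frames are accepted, and only for the VLANs listed below.
add bridge=BR1 interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="Trunk to the other switch/router"

# VLAN table: for each VLAN, which ports carry it tagged (the trunk, plus the
# bridge itself so the router can later put a VLAN interface on BR1) and which
# carry it untagged (the access port for that color).
/interface bridge vlan
add bridge=BR1 vlan-ids=10 tagged=BR1,ether5 untagged=ether2 comment="Blue"
add bridge=BR1 vlan-ids=20 tagged=BR1,ether5 untagged=ether3 comment="Green"
add bridge=BR1 vlan-ids=30 tagged=BR1,ether5 untagged=ether4 comment="Red"

# Review the table, then switch filtering on.
/interface bridge vlan print
/interface bridge set BR1 vlan-filtering=yes
```

The order matters: with vlan-filtering enabled before the table is populated, a port whose VLAN is not listed silently drops traffic, including the session you are configuring from. The combination of frame-types and ingress-filtering on the access ports is what makes the tag assignment trustworthy, since a device on ether2 cannot present its own 802.1Q tag and land in Green or Red. Note that on v6.43 only some switch chips offload bridge VLAN filtering to hardware; on other models it is processed by the CPU, so check the H flag in /interface bridge port print and size expectations accordingly.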
IP Addressing & Routing:
To get your VLAN going you have to start somewhere, and that's usually something termed the Native VLAN. As soon as we start working with network equipment, the base network, that is, the base IP address scheme you used to initiate a connection to the router or switch, becomes the Native VLAN. This is mainly to distinguish it from VLANs you will create in the future. Note that a Native VLAN is not a requirement but rather something that continues to exist if you allow it. Since every VLAN you create should have a different IP addressing scheme, you'll use something different for each VLAN. If Native was 192.168.0.x, your VLAN Blue could be 10.0.10.x, Green 10.0.20.x, and Red 10.0.30.x. Just make sure that every VLAN gets a unique subnet.
With an IP address scheme in mind, your core equipment will get manual assignments. So, a router might be 192.168.0.1, a core switch 192.168.0.2, a WiFi AP 192.168.0.3, and so on. The router can now become the default gateway for your VLAN and any separate switches and devices. Using IP Services, you'll make this information available to the rest of the network.
IP Services:
The most well known is probably DHCP. Generally, every VLAN has its own DHCP server, ensuring devices know about the gateway and DNS servers they should use. Once everything in the VLAN has an IP address, devices talk to each other over Ethernet, making broadcasts and generating other network traffic between each other.
It is now that your VLAN has been born. If you have created more than one, then at this point you have a truly segmented set of networks. If you plug a PC into the Blue VLAN, it can see and communicate only with other devices on Blue but not with anything on Green or Red. If a printer is plugged into the Green VLAN, only devices on the Green network can access it. You can still share individual resources across VLANs while not allowing general inter-VLAN access. That is just one of the benefits you'll be reading about in this document.
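The IP Addressing & Routing and IP Services steps above, carried through on the router as one added example (RouterOS v6 syntax; not part of the original post). It assumes the bridge BR1 and VLAN IDs 10/20/30 from the Access/Trunk discussion, the 192.168.0.x and 10.0.10.x/10.0.20.x/10.0.30.x schemes from the text with the router at .1 in each, and interface, pool and list names that are assumptions; the printer address 10.0.20.50 is a constructed value. Because the router has a route to every VLAN, the isolation described above is enforced by the forward chain, so that part is included as well.

```routeros
# Added example, not from the original post. Names, pool ranges and the printer
# address 10.0.20.50 are assumptions/constructed values for illustration.

# One layer-3 VLAN interface per color, riding on the bridge (BR1 must be in the
# tagged list of each VLAN in /interface bridge vlan for these to pass traffic).
/interface vlan
add name=VLAN10_Blue interface=BR1 vlan-id=10
add name=VLAN20_Green interface=BR1 vlan-id=20
add name=VLAN30_Red interface=BR1 vlan-id=30

# Manual addresses: the Native VLAN on the bridge itself, one gateway per VLAN.
/ip address
add address=192.168.0.1/24 interface=BR1 comment="Native VLAN (management)"
add address=10.0.10.1/24 interface=VLAN10_Blue comment="Blue gateway"
add address=10.0.20.1/24 interface=VLAN20_Green comment="Green gateway"
add address=10.0.30.1/24 interface=VLAN30_Red comment="Red gateway"

# IP Services: a DHCP server per VLAN that hands out its own gateway and DNS.
/ip pool
add name=POOL_Blue ranges=10.0.10.100-10.0.10.199
add name=POOL_Green ranges=10.0.20.100-10.0.20.199
add name=POOL_Red ranges=10.0.30.100-10.0.30.199
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1 dns-server=10.0.30.1
/ip dhcp-server
add name=DHCP_Blue interface=VLAN10_Blue address-pool=POOL_Blue disabled=no
add name=DHCP_Green interface=VLAN20_Green address-pool=POOL_Green disabled=no
add name=DHCP_Red interface=VLAN30_Red address-pool=POOL_Red disabled=no
# Let the router answer DNS for its VLAN clients.
/ip dns set allow-remote-requests=yes

# Segmentation at layer 3: group the VLAN interfaces in a list and refuse
# traffic between them, except for the one shared resource (the Green printer).
/interface list
add name=VLAN
/interface list member
add list=VLAN interface=VLAN10_Blue
add list=VLAN interface=VLAN20_Green
add list=VLAN interface=VLAN30_Red
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="Replies to already allowed flows"
add chain=forward action=accept src-address=10.0.10.0/24 dst-address=10.0.20.50 protocol=tcp dst-port=9100 comment="Blue may print on the Green printer (shared resource)"
add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN comment="No other inter-VLAN traffic"
```

Rule order is what makes this work: the established/related rule lets the printer's replies back without opening Green to Blue in general, the single accept names exactly the shared resource, and the final drop covers every remaining VLAN-to-VLAN path. The Native VLAN on BR1 is deliberately not in the VLAN list, so management from 192.168.0.x is unaffected, and traffic from a VLAN to a WAN interface is also untouched because the WAN is not a list member. Since allow-remote-requests=yes makes the router's resolver answer on every interface, pair it with an input-chain rule that drops DNS arriving from the WAN; that belongs to the security topics the post covers separately.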
What follows is my best understanding of how to implement the stated goals in RouterOS v6.43 based on the documentation available. Feedback from MikroTik as well as fellow forum members is required to make this an accurate document. Please suggest changes that should be made. Let's make this issue a commonly understood one. Thank you.