simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

How to create most basic VLAN

Sat Dec 04, 2021 8:30 pm

A month on and off trying to figure out VLANs and nothing. I can't find anything anywhere that tells how this is supposed to work. Is there somewhere or someone that can just show me the most basic, most primitive example of a working VLAN configuration, using bridge vlan filtering?

Scenario: One router (say hEX S) and One AP (Say wAP AC). Everything is up and working: PC connected to eth2 on router, AP connected from eth2 to eth5 on router, PC has access, Wifi is up and running. Without all the added security, without special management VLAN and firewalls, etc. What is the most basic way to construct a Guest VLAN on the AP, that puts it on a separate network from the default network and gives access to the internet? Is this scenario impossible? If so what is the simplest case scenario and a complete example that actually works? I want to learn this but I need something that works to build off of because there is nothing else available to learn from that adequately explains it. I've pored through the docs, all the referenced threads. I've been locked out of my router more times than I care to admit. I just need a basic working example to build off of. Then I can learn how to do it right, with full security. Please.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: How to create most basic VLAN

Sat Dec 04, 2021 8:51 pm

I can't find anything anywhere that tells how this is supposed to work. Is there somewhere or someone that can just show me the most basic, most primitive example of a working VLAN configuration, using bridge vlan filtering?
You can start from the links below:

viewtopic.php?t=143620
https://help.mikrotik.com/docs/display/ ... NFiltering
https://help.mikrotik.com/docs/display/ROS/VLAN
https://help.mikrotik.com/docs/display/ ... VLAN+Table
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: How to create most basic VLAN

Sat Dec 04, 2021 9:04 pm

Here you go.....
A basic step-by-step guide,
assuming Guest-Network is vlan-id 111

Main Router (Mikrotik HEX s)
Step 1: Create Bridge
/interface bridge
add name=bridge1
Step 2: Create VLAN-Interfaces
/interface vlan
add interface=bridge1 name=vlan111 vlan-id=111
Step 3: Assign IP-Address
/ip address
add address=10.99.55.1/24 interface=vlan111 network=10.99.55.0
Step 4: Create DHCP-Server
/ip pool
add name=dhcp_pool0 ranges=10.99.55.100-10.99.55.199
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan111 name=dhcp1
/ip dhcp-server network
add address=10.99.55.0/24 dns-server=10.99.55.1 gateway=10.99.55.1
Step 5: Allow DNS-Request
/ip dns
set allow-remote-requests=yes
Step 6: Assign Interfaces to bridge
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: How to create most basic VLAN

Sat Dec 04, 2021 9:26 pm

Many ways to create and assign Clients to a "Guest" Network.
In this example I used a "Virtual" Wireless-Interface with a dedicated SSID


Wireless Access-Point (Mikrotik wAP ac)

Step 1: Create Bridge
/interface bridge
add name=bridge1
Step 2: Create Security-Profile for Guest
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=GuestNetwork supplicant-identity="" \
    wpa2-pre-shared-key=123456789

Step 3: Create Wireless virtual Interface
(Assuming WLAN2 is configured and running for home-Network)
/interface wireless
add comment=GuestNetwork disabled=no keepalive-frames=disabled mac-address=76:4D:28:E4:C3:ED master-interface=wlan2 \
    multicast-buffering=disabled name=wlan3 security-profile=GuestNetwork ssid=Guest vlan-id=111 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
Step 4: Assign Interfaces to bridge
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan3
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to create most basic VLAN

Sat Dec 04, 2021 10:07 pm

Simply use the first link provided,
viewtopic.php?t=143620

To help you when reading through this................

First Define the VLANS with interface bridge
Each VLAN gets ip pool, ip address, dhcp-server, dhcp-server network.
Ensure all vlans are interface list members for LAN (bridge not required).
Clear and easiest NOT to use bridge for any data, so if you have a home vlan just use another vlan for that traffic.

Define
/interface bridge port
which includes wired ethernet ports going to your users and WLANS
For any ports going directly to users and wlans you will need to set the PVID=XX number of vlan, this tells the router to assign that tag to incoming traffic and to strip it when leaving the port.
(access ports).

Define
/interface bridge vlan
Although the router creates rules for access ports dynamically they will not show up on a config and I like to map the bridge ports to bridge vlans when reviewing a config so I always manually include the settings. In general each vlan gets an entry/line
basic structure
add bridge=bridge tagged=bridge,(and any other etherports carrying multiple vlans (trunk ports)) vlan-ids=xx
add bridge=bridge tagged=bridge untagged= (any ether ports on the vlan that are going to PCs or WLANS - aka are actually access ports ) vlan-ids=xy

Note: you can combine for a single vlan both tagged and untagged ports/wlans.

Last step: SELECT BRIDGE itself and change vlan-filtering from NO to YES.

DONE! Then come back with firewall rule change requests as most people get into trouble viewing youtube videos etc.......
IN other words state what you want to control or any other functionality desired ............
Last edited by anav on Sat Dec 04, 2021 11:31 pm, edited 1 time in total.
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: How to create most basic VLAN

Sat Dec 04, 2021 10:21 pm

I can't find anything anywhere that tells how this is supposed to work. Is there somewhere or someone that can just show me the most basic, most primitive example of a working VLAN configuration, using bridge vlan filtering?
You can start from the links below:

viewtopic.php?t=143620
https://help.mikrotik.com/docs/display/ ... NFiltering
https://help.mikrotik.com/docs/display/ROS/VLAN
https://help.mikrotik.com/docs/display/ ... VLAN+Table
Thank you. Unfortunately, while I have learned a great deal from those links--and I have read all of those pages many, many times--I have not learned how to create a working VLAN from them. Esp the examples in the first link...those have locked me out of my router countless times, requiring many resets and starting over. There is nothing there teaching a new, non-professional user, the first steps in creating and understanding VLANs.
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: How to create most basic VLAN

Sat Dec 04, 2021 10:28 pm

Many ways to create and assign Clients to a "Guest" Network.
In this example I used a "Virtual" Wireless-Interface with a dedicated SSID
Thank you! This is a great first step. This is tremendously helpful. Most of these steps are familiar from my previous attempts. I suspect on a few occasions, my problem has been mixing various methods of setting up VLANs. Using your directions, I was able to easily create a working VLAN. And I think I understand pretty much all of it. Thank you!!!

The next step: How can I set up this same network using the Bridge VLAN Filtering method?
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: How to create most basic VLAN

Sat Dec 04, 2021 11:07 pm

@simsrw73: May I ask why you are so keen to use the "bridge vlan filtering" Feature ?

Because, For a small SOHO-Network this Feature isn't necessary, when
the Guest-Network is only provided over Wireless & Vlan.
The Step-by-Step guide I gave you works just fine...
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: How to create most basic VLAN

Sat Dec 04, 2021 11:18 pm

@simsrw73: May I ask why you are so keen to use the "bridge vlan filtering" Feature ?

Because, For a small SOHO-Network this Feature isn't necessary, when
the Guest-Network is only provided over Wireless & Vlan.
The Step-by-Step guide I gave you works just fine...

The Step-by-Step you provided is extremely helpful in understanding VLANs, but the small example network is just something basic to build on. I have and will have a ton of devices on a number of different VLANs. Guest VLAN, POE Security Cameras, IOT devices run by Home Assistant, and VoIP phone (I work from home). This will be ultimately set up on RB5009 & CRS328-24P (which is ordered and sitting on a boat somewhere...), and my CRS112-8G, retiring my hEX S.

I'm just trying to learn, using the most basic scenario possible, in a way that I can then translate to the new hardware when it arrives. I do appreciate your help.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to create most basic VLAN

Sat Dec 04, 2021 11:29 pm

As stated, it's easy.
If you can do it with one vlan you can do it with 100 vlans.
The concept and approach is the same.
Do not use the bridge for any subnets and you are golden.
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: How to create most basic VLAN  [SOLVED]

Sun Dec 05, 2021 12:02 am

I understand, you need at least 2 vlan to test/learn bridge filtering

Here is a very basic example on the hEXs with 2 vlans
Network A vlan111 10.10.111.0/24
Network B vlan222 10.10.222.0/24


Step 1: Create bridge
/interface bridge
add name=bridge1
Step 2: Create VLAN'S
/interface vlan
add interface=bridge1 name=vlan111 vlan-id=111
add interface=bridge1 name=vlan222 vlan-id=222
Step 3: Assign IP-Address
/ip address
add address=10.10.111.1/24 interface=vlan111 network=10.10.111.0
add address=10.10.222.1/24 interface=vlan222 network=10.10.222.0
Step 4: Create DHCP-Server
/ip pool
add name=dhcp_pool1 ranges=10.10.111.100-10.10.111.199
add name=dhcp_pool2 ranges=10.10.222.100-10.10.222.199
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan111 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan222 name=dhcp2
/ip dhcp-server network
add address=10.10.111.0/24 dns-server=10.10.111.1 gateway=10.10.111.1
add address=10.10.222.0/24 dns-server=10.10.222.1 gateway=10.10.222.1
Step 5: Allow DNS-Request
/ip dns
set allow-remote-requests=yes
Step 6: Assign Bridge vlan
This is the "tricky" part and works in connection with Step 7 (pvid)
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether2 vlan-ids=111
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether3,ether4 vlan-ids=222
Step 7: Assign Interfaces to bridge
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=111
add bridge=bridge1 interface=ether3 pvid=222
add bridge=bridge1 interface=ether4 pvid=222
add bridge=bridge1 interface=ether5
Step 8: Activate vlan-Filtering
/interface bridge set bridge1 vlan-filtering=yes



et voila !!

In the following example
-> If you plug in your PC in port ether2 you will be in vlan111 and get an IP of 10.10.111.X
-> if you plug in your PC in port ether3 or 4 you will be in vlan222 and get an IP of 10.10.222.X
-> if you plug in your PC in port ether5 you won't obtain any IP, except if you manually set a VLAN-Tag (111 or 222)
-> Ether5 is more typically configured for a Switch or a Wireless-Antenna.
-> ether2,3 and 4 is more of a typical Access-point (PC and co..)
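
The link between Step 6 (bridge VLAN table) and Step 7 (pvid) in the post above can be checked mechanically before vlan-filtering is switched on. The Python sketch below is an added example, not part of the original post or of RouterOS; `parse` and `check` are hypothetical helper names, the sample text is constructed from the post's own steps, and it assumes one `add` per line with no VLAN ranges or `\` line continuations.

```python
import re

# Constructed sample: Steps 2, 6 and 7 of the post above, as export-style lines.
SAMPLE = """\
/interface vlan
add interface=bridge1 name=vlan111 vlan-id=111
add interface=bridge1 name=vlan222 vlan-id=222
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether2 vlan-ids=111
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether3,ether4 vlan-ids=222
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=111
add bridge=bridge1 interface=ether3 pvid=222
add bridge=bridge1 interface=ether4 pvid=222
add bridge=bridge1 interface=ether5
"""

def parse(export):
    """Group 'add' lines by menu: {menu: [{key: value, ...}, ...]}."""
    menus, menu = {}, None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            menus.setdefault(menu, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def check(export):
    """Return findings where pvid, the bridge VLAN table and VLAN interfaces disagree."""
    m = parse(export)
    ports = m.get("/interface bridge port", [])
    tagged, untagged = {}, {}  # VLAN id -> set of member ports
    for row in m.get("/interface bridge vlan", []):
        for vid in row["vlan-ids"].split(","):
            for field, table in (("tagged", tagged), ("untagged", untagged)):
                table.setdefault(vid, set()).update(filter(None, row.get(field, "").split(",")))
    findings = []
    for port in ports:
        name, pvid = port["interface"], port.get("pvid", "1")  # RouterOS default pvid is 1
        if name in tagged.get(pvid, set()):
            findings.append(f"{name}: pvid={pvid} but tagged in VLAN {pvid}")
        findings += [f"{name}: untagged in VLAN {vid} but pvid={pvid}"
                     for vid, ps in untagged.items() if name in ps and vid != pvid]
    bridges = {p["bridge"] for p in ports}
    for vif in m.get("/interface vlan", []):  # router-side VLAN interfaces on the bridge
        if vif["interface"] in bridges and vif["interface"] not in tagged.get(vif["vlan-id"], set()):
            findings.append(f"{vif['name']}: {vif['interface']} not tagged in VLAN {vif['vlan-id']}")
    return findings
```

`check(SAMPLE)` returns an empty list for the configuration as posted; a non-empty list names the port or VLAN interface whose pvid and table membership disagree, which is worth resolving before Step 8.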
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to create most basic VLAN

Sun Dec 05, 2021 12:09 am

It seems that people don't find them attractive enough for some reason, but this and following examples in manual IMHO show the basics very well:

https://wiki.mikrotik.com/wiki/Manual:I ... s_Ports.29

It's really simple:

- create bridge
- add all ports that should participate in vlans
- for each port set correct pvid (id of vlan that should be untagged on that port)
- in "/interface bridge vlan" define what vlans should be tagged and untagged and where
- if the router itself should participate in given vlan (instead of acting just like a switch), add "/interface vlan" for it on top of bridge, and IP address(es), dhcp server, ... to this interface
- enable vlan filtering on bridge

That's it. If you want to avoid resetting whole router when you mess up, keep one port separate, so that you can always use it to access router.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to create most basic VLAN

Sun Dec 05, 2021 4:58 am

Man we are holding his hands already I guess Sob you thought his toes needed holding too. ;-)

As for a separate port, let's say you want to use port 4 for 'other' access
a. name port to ether4_access
b. ensure not on bridge
c. give ip address of let's say 192.168.3.2 network 192.168.3.0
d. ensure you add ether4_access to the LAN interface ( or management interface if you have one)
e. ensure you have added ether4 network to winbox port (allowed addresses 192.168.3.0/24).
f. ensure ether4_access is allowed to the router on the input chain
g. plug laptop in with ipv4 ip address set to let's say 192.168.3.5 gateway 192.168.3.1 and netmask 255.255.255.0

You should be able to configure the route and access the router from here separate from any Bridge settings.
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: How to create most basic VLAN

Sun Dec 05, 2021 4:23 pm

I understand, you need at least 2 vlan to test/learn bridge filtering

Here is a very basic example on the hEXs with 2 vlans

Thank you! Thank you!!! This taught me a lot. I still have some questions, but I'm going to play around with it now and see what I can figure out. It's hard to learn without a working, basic starting point, without all the other stuff that was causing me to lock up my router. I realize that I'm the one screwing that up somehow, but couldn't learn where I was going wrong. This is exactly what I needed to help me on my way. A simple, minimal, and complete working example. Something to build on. Thank you!
