Community discussions

MikroTik App
 
d2301
just joined
Topic Author
Posts: 6
Joined: Sun Apr 24, 2022 3:50 am

New to Router OS / Trying to setup 3 Vlans on 3011-uias-rm

Sun Apr 24, 2022 3:59 am

Hey everyone,

Total newb here. I have been reviewing the wiki, broadening my understanding of Vlans, and have reviewed several youtube videos. I'll be short and simple, so let me know if I am being unclear; english is not my first language.

Use case: Trying to create 3 Vlans: 1 for servers, 1 for workstations, 1 for management. I will be trunking each to a switch (which is a separate matter, I am just trying to get this working).

Use Winbox - Enter into bridges, create 3 bridges: vlanserver, vlanworkstation, vlanmanagement. Associate ethernet 5 with server, ethernet 6 to workstation, ethernet 9 to management. Trunk each to ether 2 (which will connect to switch). Go to each individual bridge and select untagged 5 (for vlanserver), untagged 6 (for vlanworkstation), and untagged 9 (for vlanmanagement), and tagged for ether 2 (for each). One thing I noticed is that there is a bridge already created from the beginning, so I went into the menu for ports and removed that bridge for ports 5, 6, and 9, and replaced each with the respective vlan it is associated with (vlanserver to port 5, vlanworkstation to port 6, vlanmanagement to port 9).

Go to DHCP, DHCP server - use 10.10.10.1 for vlanserver, 10.10.20.1 for vlanworkstation, 10.10.30.1 for vlanmanagement.

Go to IP Address, create record for each vlanserver.

It doesn't seem to work? Everytime I plug in my ethernet cable to either port 5, 6, or 9 I do not receive ip address.

Separate question. I believe I have to go to the quickmenu to change the ip address to 10.10.30.1 if I am to use ether 9 /vlanmanagement to access the router, correct?

Thanks for the help.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New to Router OS / Trying to setup 3 Vlans on 3011-uias-rm

Sun Apr 24, 2022 4:51 am

One bridge, ( no dhcp or subnets assigned to bridge )
Go to interfaces menu, select vlans, add vlans - use interface is bridge.

Then assign vlans with IP pool, IP address, dhcp-server, dhcp-server networks.

/interface bridge Ports: Assign Etherports to the bridge (trunk ports - no pvid), (access ports - with pvid), (Trunk ports -frame types vlan tagged only), (Access ports - frame types priority and untagged). both with ingress filtering=yes.

/interface bridge vlans: Assign tagging and untagging of ports

Turn bridge vlan filtering on.

Adjust firewall rules as necessary.

See reference: viewtopic.php?t=143620
 
d2301
just joined
Topic Author
Posts: 6
Joined: Sun Apr 24, 2022 3:50 am

Re: New to Router OS / Trying to setup 3 Vlans on 3011-uias-rm

Sun Apr 24, 2022 4:56 am

Thank you, sir. I will do the above and will report back. Much appreciated.
 
crosswind
just joined
Posts: 21
Joined: Tue Feb 18, 2020 3:47 pm

Re: New to Router OS / Trying to setup 3 Vlans on 3011-uias-rm

Sun Apr 24, 2022 4:57 am

Use Winbox - Enter into bridges, create 3 bridges: vlanserver, vlanworkstation, vlanmanagement.
you only want one bridge, and all VLANs will be created on that bridge. that's important when you want to trunk to another switch with .1q, but it's also the best way to configure things in nearly all cases.

first, create a bridge with VLAN filtering enabled, and create VLANs:
/interface bridge
add name=lan vlan-filtering=yes
/interface bridge vlan
add bridge=lan comment="servers network" tagged=lan vlan-ids=100
add bridge=lan comment="workstations network" tagged=lan vlan-ids=101
add bridge=lan comment="management network" tagged=lan vlan-ids=102
Associate ethernet 5 with server, ethernet 6 to workstation, ethernet 9 to management. Trunk each to ether 2 (which will connect to switch). Go to each individual bridge and select untagged 5 (for vlanserver), untagged 6 (for vlanworkstation), and untagged 9 (for vlanmanagement), and tagged for ether 2 (for each).
you don't need to manually configure "untagged" ports in the VLAN configuration. instead, set the PVID of the port, which will dynamically add the "untagged" configuration when the port is running:
/interface bridge port
add bridge=lan comment="server port" frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=100
add bridge=lan comment="workstation port" frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=101
add bridge=lan comment="management port" frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=102
to configure your .1q trunk to switch, add the port and configure it as tagged in the configuration for each VLAN:
/interface bridge port
add bridge=lan comment="trunk to switch" frame-types=admit-only-vlan-tagged interface=ether2 pvid=1
/interface bridge vlan
set [find vlan-ids=100] tagged=lan,ether2
set [find vlan-ids=101] tagged=lan,ether2
set [find vlan-ids=102] tagged=lan,ether2
now you have VLANs working for L2 switching.

to run DHCP on each VLAN you need to add a VLAN interface for each VLAN, which lets the router itself communicate with the VLAN:
/interface/vlan
add interface=lan vlan-id=100 name=vlan100
add interface=lan vlan-id=101 name=vlan101
add interface=lan vlan-id=102 name=vlan102
now add an IP address and configure your DHCP server (along with appropriate firewall rules, etc.) on the three interfaces vlan100, vlan101 and vlan102.

you can see another example of this in the RouterOS bridge documentation.
Separate question. I believe I have to go to the quickmenu to change the ip address to 10.10.30.1 if I am to use ether 9 /vlanmanagement to access the router, correct?
i wouldn't recommend to use quickset for this sort of config. start from defconf and remove the things you don't want, or start from an empty configuration.

i showed terminal commands for this, but you can do all of this in WinBox, it's just easier to show commands than taking a load of screenshots.
 
d2301
just joined
Topic Author
Posts: 6
Joined: Sun Apr 24, 2022 3:50 am

Re: New to Router OS / Trying to setup 3 Vlans on 3011-uias-rm

Sun Apr 24, 2022 6:54 pm

Really appreciate the help. The second post with the command line helped a lot, and was easy to track.

Thanks again.

I’ll be reviewing other posts and the wiki for more ideas. Any pointers on how to isolate the management Vlan so just that ether port can access the mikrotik router? My guess is that that’s best practice.

Edit: just found the management access config on the wiki. Thanks all.

Who is online

Users browsing this forum: Google [Bot], GoogleOther [Bot] and 40 guests