Last updated: December 11, 2012 at 20:26 pm

Super-basic example of a VLAN setup.  We have a WAP in our office that is dedicated as our ‘guest’ network.  Our current setup is clunky right now, but just imagine that it’s a UniFi or Ruckus WAP that is tagging all incoming traffic (in = from wireless clients TO the router) with a vlan10 tag.  (we have a managed switch in between the WAP and the router that is tagging the traffic, but it’s a mess. :-) )

So:

laptop -> WAP -> vlan10 tag gets added -> plugged into RB750GL port 3

We have vlan10 set up with it’s own DHCP server that hands out addresses on the .10.xyz subnet.  Here is how it’s set up.

vlan10-guest is attached to ether3

This is how it’s set up.  Set ether3’s Master Port to none.  Add a VLAN Interface (you can click the + on the Interface List or go to the VLAN tab and do the same).  Give the vlan interface a name, give it a vlan tag number to use, and attach it to a port that will be receiving traffic with that tag.  Note that my ether3 still has the default name even though it is no longer a ‘slave’ port.  Just an example of how the Name doesn’t actually mean anything…. but I should probably get around to changing that at some point…

Now you have a whole new virtual interface on your router. Let’s give it something to do. Set up a new DHCP server and assign the Interface to the new vlan interface you just created. First step is to assign an IP address to that vlan interface.

Next, create a new DHCP Pool to use for the vlan.

Next, add a new DHCP Server and have it use the new “vlan10 dhcp” pool. 

Now let’s set up a Network for that new DHCP server to use.  This will give the following info to any device that gets a DHCP address from the WAP:  use 192.168.10.1 as your Gateway to the internet, and use 8.8.8.8 for your DNS server.

New network – 192.168.10.0/24

That’s it! The WAP is now up and running and any device that connects to it will get a 192.168.10.xyz address.

Notice how I have “Active Addresses” that are coming from different DHCP servers. Also, when you make a static DHCP reservation, you can pick which DHCP server will hand out the address.


Comments

  1. J.O.

    Will the two VLAN’s be able to communicate with each other or are they completely separate? If separate how would you allow them to communicate but keep the traffic down between them, i.e. Control System on one VLAN, media downloading on another but still need the ability for the Control System to communicate with the media streamer .

    1. admin Article Author

      By default they should be able to talk to each other unless you have a firewall rule in place to block traffic between them. But, since they’re on different subnets, you will NOT get any broadcasting traffic between them. So chatty devices on one vlan (subnet) will not be heard by devices on another vlan (subnet). You can, however point a device to talk to something on another vlan if you need it to.
      The rules aren’t really about ‘vlans’ per se, they’re just rules about how subnets and networks work. Vlans are just a way to virtually keep some traffic separated.
      It’s a confusing concept at first…

  2. Eric

    So how would you set a firewall rule to only allow vlan 10 to access the Internet?

    Also can you save a general config with all the vlan’s configured and download into new units?

    1. admin Article Author

      Well, let’s say you had a main network of 192.168.1.0/24 and a ‘guest’ network of 192.168.10.0/24 on vlan10. In this case you would only want to block access FROM 192.168.10.0/24 that is trying to reach anything on 192.168.1.0/24. So you set up a firewall rule that does just that…

      Use – chain forward, src address 192.168.10.0/24, dst address 192.168.1.0/24, action drop

      You can also do it by setting up Address Lists. Go to Firewall / Address List. Add a new one and call it “LAN” or something and use 192.168.1.0/24, then hit OK. Add another one and call it “vlan10″ or something else, use 192.168.10.0/24, and hit OK.

      Then in the Firewall rule you would pick chain forward, go to the Advanced tab and use Src and Dst Address List and pick your “vlan10″ list for Src and your “LAN” list for Dst.

      Either way will block access from the new vlan to the existing LAN.

  3. Matt

    I want to VLAN tag a port or bridge of ports from one Mikrotik that is several hops away. I have the units connected via vpn and passing other data. What I need to do is segmeant of two ports of the router and put all that traffic into a vlan back to the main router to handle the vlan interface seperate. So Main Router (a) I want to treat vlan id=5 defferent than all other interfaces. At site (c) I have a 5 port Mikrotik. I want Port one to be the backhaul back to site(B) then to (A), bridge port 1 & 2 to all traffic coming in that port to go out vlan 5, ports 3 and 4 not to be vlan’d. I do not want a WAP or other divice to tag the traffic just the Mikrotik.

  4. Robin St.Clair

    With Mikrotik’s VLAN implementation, may Private VLANs be implemented? (nested), and if so can hosts on a PVAN be isolated from each other, and only able to communicate with the (promiscuous) port that only passes traffic through to the internet/WAN?

    it is not only important to isolate guest users from all the other network hosts but also from each other, and this is likely to become mandated in some jurisdictions.

  5. Sherry

    Ok that was awesome,

    now tell me what is the use of USE SERVICE TAG check box in mikrotik OS ? any suggestions ideas, or shall we just leave it as it is ? because i checked it and my VLANS are not communicating i dont know why !!

Leave a Reply

Your email address will not be published. Required fields are marked *


nine × = 54

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe without commenting