Introduction
I purchased a MikroTik Hex-S a few years ago to handle routing for my house. It sits between my cable modem and 4 ethernet cables that bring internet to other rooms.
Homelab
In my real example I wanted to enable a VLAN on the Hex-S to isolate two pairs of the physical network interfaces (ports). In my case these are two computers I use for work. I want them to be isolated from other devices on my home network, such as the Nest thermostats, media center PC, and the XBOX. Call me paranoid but I’d bet those IoT devices like to snoop on your network.
Intuition
Taking a step back, it's tempting to think about VLANs from the perspective of wrangling the physical ports. This is how other network vendors present them. Basically we want to:
- Create a new private network
- Associate LAN ports with that new network
But with MikroTik, you do not get a simple wizard to create VLANs thinking in terms of these two steps. Instead you get low level building blocks you have to assemble yourself. You have to configure the switch at the layer 2 level, the layer 3 level, enable DHCP yourself, and manually edit the firewall rules - all to create even the simplest example of a private VLAN.
Section 0 [Upgrade]
My first mistake was trying to set up VLANs on the Hex-S while running an older version of RouterOS 6. After many hours of banging my head against the desk, upgrading to RouterOS 7 made it possible to use VLANs. Turns out this was documented on the MikroTik website and I just didn't read it.
Working through the standard upgrade steps makes upgrading RouterOS very easy.
The rest of this guide assumes a router in the default configuration.
Section 1 [Layer 2]
The first step is to establish the underlying Layer 2 VLAN(s). Each VLAN will be given its own unique VLAN ID. The actual values are not relevant, just pick numbers you can remember (e.g. 20). ID 1 is a special case (the default).
- Click on Bridge, click on Ports.
- Set the PVID for each Interface (e.g. 20)
  - A trunk can be left with PVID 1
- Click on Bridge, click on VLANs.
- Click to create New Bridge VLAN
- Set the Bridge to bridge (there should be only the one)
- Set the VLAN ID (e.g. 20)
- Specify Tagged Ports
  - should include bridge
  - should include any trunk interfaces (i.e. when using a second switch)
- Specify Untagged Ports
  - should include 'endpoint' devices (e.g. a computer) that do not know about VLANs
- Repeat for each VLAN
Section 2 [Layer 3 network]
The next step is to establish a CIDR network to associate with each VLAN. We do this by creating a software VLAN interface that the CPU understands.
- Click on Interfaces, click on new VLAN
- Set the VLAN name (anything)
- Set the VLAN ID
- Set Interface to bridge (should be just the one)
- Repeat for each VLAN
- Click on IP -> Addresses, click on New Address
- Set the (CIDR) Address (e.g. 10.1.20.0/24)
- Set the Interface to the associated VLAN
- Repeat for each VLAN
Section 3 [Layer 3 DHCP]
With the addresses in place, we configure DHCP to assign IP addresses to each VLAN (assuming you do not want to manually assign static IPs).
- Click IP -> DHCP Server, select Networks, click New
- Set the Name (anything)
- Set the Address of the VLAN network (e.g. 10.1.20.0/24)
- Set the Gateway (e.g. 10.1.20.1)
- Set the DNS Servers
  - e.g. Google 8.8.8.8 and 8.8.4.4
  - e.g. Cloudflare 1.1.1.1 and 1.0.0.1
- Repeat for each VLAN network
Section 4 [Enable Filtering]
The last step to configuring the VLANs is to turn on VLAN filtering on the router bridge. Doing this will cause the router to drop all connections - if your configuration is correct you should reconnect in a few seconds.
- Click on Bridge -> Bridge, click on bridge
- Select VLAN tab for the bridge
- Check VLAN Filtering (turn it on)
- Check Ingress Filtering (turn it on)
- Click Apply
  - Connection will drop!
  - Should reconnect after a few seconds
  - If reconnect fails …
    - Try switching to a port with no VLAN configuration
    - Do a factory reset if nothing else works
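Sections 1 to 4 typed into the RouterOS terminal instead of Winbox, as an added example that is not part of the original guide. It assumes the default bridge named bridge, that ether4 and ether5 are the two work ports, that ether2 is a trunk to a second switch, VLAN ID 20, and that the router's own address inside the VLAN is 10.1.20.1/24 (the gateway from Section 3); the address pool and DHCP server instance are assumed additions, because a DHCP network entry alone hands out no leases.

```routeros
# Section 1 - Layer 2: endpoint ports get the VLAN as their PVID;
# the trunk (assumed ether2) keeps the default PVID 1
/interface bridge port
set [find interface=ether4] pvid=20
set [find interface=ether5] pvid=20

# bridge VLAN table: the CPU-facing "bridge" port and the trunk carry the
# tag, endpoint ports that know nothing about 802.1Q are untagged
/interface bridge vlan
add bridge=bridge vlan-ids=20 tagged=bridge,ether2 untagged=ether4,ether5

# Section 2 - Layer 3: a VLAN interface the CPU routes for, plus its address.
# Assumption: the address entry is the router's own host address in the
# subnet (10.1.20.1/24), not the network address 10.1.20.0/24.
/interface vlan
add name=vlan20 vlan-id=20 interface=bridge
/ip address
add address=10.1.20.1/24 interface=vlan20

# Section 3 - DHCP: the network entry from the guide, plus an address pool
# and a server instance bound to vlan20 (assumed; needed to issue leases)
/ip pool
add name=pool-vlan20 ranges=10.1.20.10-10.1.20.254
/ip dhcp-server network
add address=10.1.20.0/24 gateway=10.1.20.1 dns-server=1.1.1.1,1.0.0.1
/ip dhcp-server
add name=dhcp-vlan20 interface=vlan20 address-pool=pool-vlan20 disabled=no

# Section 4 - turn filtering on last; the session drops at this point
/interface bridge
set [find name=bridge] vlan-filtering=yes ingress-filtering=yes

# sanity checks once reconnected: VLAN table and handed-out leases
/interface bridge vlan print
/ip dhcp-server lease print
```

Expect the terminal to disconnect at the final set command; reconnect on a VLAN 20 port (or one still on PVID 1) before running the two print commands.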
Section 5 [Firewall]
Create firewall rules blocking VLAN traffic as desired. From the switch chip's perspective the VLANs are working, but because our VLAN interfaces are connected to the router's Layer 3 bridge, cross-VLAN connections are currently still possible.
We must add IP firewall filter rules on the router to prevent cross-network traffic.
- Click on IP -> Firewall
- Select Filter Rules tab
- Click New
- Set Chain to forward
- Set Src. Address / Dst. Address to block unwanted traffic
  - Could also configure Address List(s) first for convenience
- Select Action -> Action: drop
  - Check Log to help debug, with an easy-to-spot Prefix
- Click Apply
- Repeat for any additional rules
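The Section 5 rules as RouterOS terminal commands, an added example that is not the guide's own code. It assumes the work VLAN is 10.1.20.0/24 and that the rest of the home network is still on the default 192.168.88.0/24 LAN, and it uses the address lists the guide mentions as optional.

```routeros
# address lists keep the rules readable and make adding a third VLAN a
# one-line change (assumed subnets: the work VLAN and the default LAN)
/ip firewall address-list
add list=vlan-work address=10.1.20.0/24
add list=lan-home address=192.168.88.0/24

# the forward chain sees traffic routed between interfaces. Drop both
# directions so neither side can open a connection to the other;
# log-prefix makes the hits easy to find in the log
/ip firewall filter
add chain=forward src-address-list=lan-home dst-address-list=vlan-work \
    action=drop log=yes log-prefix="vlan-drop:" comment="home -> work"
add chain=forward src-address-list=vlan-work dst-address-list=lan-home \
    action=drop log=yes log-prefix="vlan-drop:" comment="work -> home"

# verify: rule counters climb when a blocked host tries to cross over
/ip firewall filter print stats where chain=forward
/log print where message~"vlan-drop"
```

Rules are evaluated top down: sitting below the default accept for established/related traffic is fine for new connections, but any cross-VLAN flow that was already established before these rules were added keeps flowing until it times out.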
Help
Everything in this guide is from personal experience of configuring a device after watching video tutorials from the YouTube channel @TheNetworkBerg
- Mastering VLAN Configuration on MikroTik, Step-by-Step Guide
- How to protect and restrict VLAN traffic on Mikrotik
If you’re new to VLANs I highly recommend this video from YouTube channel @djp_video. It provides a distinct visual explanation of what happens to each packet in a VLAN configuration.
- Network Virtual LANs (VLANs) Explained Simply