VLANs on Mikrotik Routers

post 6.41 firmware

www.andisa.net 01423 290029

 • Post firmware v6.41 VLAN configuration has changed on a Mikrotik.

• Previously you would add a VLAN interface to each physical

interface and then bridge each VLAN across ports.

• Now you will create a single bridge and then decide which ports are
tagged or untagged.

www.andisa.net 01423 290029

 • Here’s a sample config with DHCP running on each VLAN.

• We will configure:
Eth1 with no VLAN configuration.
Eth2 with VLAN10, 11, 12 tagged. This will act as a trunk port.
Eth3 with VLAN10, 11, 12 tagged. This will act as a trunk port.
Eth4 with VLAN10 untagged and a PVID of 10. This will act as an access point
for PCs to connect to.

• DHCP will hand out addresses on:

192.168.10.0/24 on VLAN10
192.168.10.0/24 on VLAN11
192.168.10.0/24 on VLAN12

www.andisa.net 01423 290029

www.andisa.net 01423 290029
 STEP 1 Make DHCP Work on each VLAN

1. Add a bridge
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=no

2. Add a VLAN interface to the bridge (this will hold the IP address and the DHCP server.
/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN11 vlan-id=11
add interface=bridge1 name=VLAN12 vlan-id=12

3. Add the DHCP server config and IP address to each VLAN interface
/ip pool
add name=VLAN10 ranges=192.168.10.1-192.168.10.50
add name=VLAN11 ranges=192.168.11.1-192.168.11.50
add name=VLAN12 ranges=192.168.12.1-192.168.12.50
/ip address
add address=192.168.10.254/24 interface=VLAN10 network=192.168.10.0
add address=192.168.11.254/24 interface=VLAN11 network=192.168.11.0
add address=192.168.12.254/24 interface=VLAN12 network=192.168.12.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.254 gateway=192.168.10.254
add address=192.168.11.0/24 dns-server=192.168.11.254 gateway=192.168.11.254
add address=192.168.12.0/24 dns-server=192.168.12.254 gateway=192.168.12.254
/ip dhcp-server
add address-pool=VLAN10 disabled=no interface=VLAN10 name=VLAN10
add address-pool=VLAN11 disabled=no interface=VLAN11 name=VLAN11
add address-pool=VLAN12 disabled=no interface=VLAN12 name=VLAN12

www.andisa.net 01423 290029

 STEP 2 Add the physical ports to the bridge and tag traffic.

1. Add ports to the bridge

/interface bridge port
add bridge=bridge1 hw=no interface=ether3 The PVID allows no
add bridge=bridge1 hw=no interface=ether2 VLAN aware devices
add bridge=bridge1 interface=ether4 pvid=10 such as PCs to
“inherit” the PVID of
2. Tag the traffic the port
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3,VLAN10 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3,VLAN11 vlan-ids=11
add bridge=bridge1 tagged=bridge1,ether2,ether3,VLAN12 vlan-ids=12
Eth4 is untagged on
VLAN10

Don’t forget to add the bridge itself

into the tagged interfaces on every
VLAN otherwise traffic wont flow!
If you don’t do this then you wont
get DHCP addresses.
NOTICE that HW offload is disabled because
of the Tik were using. Make sure its on to
avoid high CPU
3. Turn on VLAN filtering on the bridge (We left this off earlier so that we didn’t lose access.
/interface bridge
set vlan-filtering=yes [find name=my-bridge]

www.andisa.net 01423 290029

 Now you should have operational VLANS

Andy Morrison is owner and senior IT guru for Andisa IT

Consultants Ltd.
We provide Mikrotik consultancy world wide with specialisms
in Router and Wireless technologies.

Our projects include working closely with business owners to

ensure that their IT is supporting their plans, working
alongside other IT providers so help them implement Mikrotik
routers and wireless, and also building our own hosting
environment in Leeds where we provide Office 365, Private
hosted Exchange, web / email hosting and VoIP systems.

www.andisa.net 01423 290029