Mastering VLANs and Trunking on MikroTik: Your Next Step in Network Wizardry Print

Greetings, fellow network enthusiasts!

This is Emmanuel Corels, your trusty admin from Emmanuel Corels Creatives. Now that we’ve conquered VPNs of nearly every flavor (PPTP, L2TP/IPsec, and OpenVPN), let’s pivot to another crucial topic in modern networks: VLANs (Virtual Local Area Networks) and trunking.

VLANs let you segment your network at Layer 2, keeping traffic separate and improving security and manageability. Trunking is how you carry multiple VLANs over a single physical link. Ready to become a VLAN superstar? Let’s roll!

1. What Are VLANs?

A VLAN is essentially a way to split one physical network into multiple, logical networks. Instead of deploying separate switches for each department (like IT, Sales, HR), you can create VLANs that act as if they’re separate networks—without extra hardware.

Benefits:

• Improved Security: Keep sensitive data on a separate VLAN.
• Easy Network Management: Group users/devices logically, not just physically.
• Reduced Broadcast Traffic: Each VLAN has its own broadcast domain.

2. VLAN Terminology

Before jumping in, let’s clarify a few terms:

• Access Port: A switch port that carries traffic for a single VLAN, usually for end devices.
• Trunk Port: A switch or router port that carries multiple VLANs, tagging packets with the VLAN ID.
• VLAN ID: A number (1-4094) that identifies a particular VLAN.

In MikroTik-land, you can create VLAN interfaces on top of physical ports or bridges. Each VLAN interface has a VLAN ID and is associated with a parent interface.

3. Common VLAN Scenarios

1. Department Segmentation: Each department (Finance, Sales, etc.) gets its own VLAN.
2. Guest Wi-Fi: Separate VLAN for guests, ensuring they can’t snoop on your internal traffic.
3. Voice VLAN: IP phones often run on a dedicated VLAN for QoS.

We’ll walk through a typical scenario: multiple VLANs (say VLAN10 for “Staff” and VLAN20 for “Guests”), trunked over one physical port connecting to another switch, and then access ports for each VLAN on either side.

4. Creating VLANs on MikroTik

4.1 Single Interface (No Bridge)

If you’re not using a bridge, you can create VLAN sub-interfaces directly on a physical port.

1. Interfaces -> VLAN
2. Click “+” to add a new VLAN interface.
   • Name: vlan10_staff
   • VLAN ID: 10
   • Interface: ether1 (for example)
3. Repeat for VLAN 20:
   • Name: vlan20_guest
   • VLAN ID: 20
   • Interface: ether1

Each VLAN now acts like its own interface, so you can assign IP addresses, DHCP servers, and firewall rules on them just like any other interface.

Command Line Example:

/interface vlan add name=vlan10_staff vlan-id=10 interface=ether1
/interface vlan add name=vlan20_guest vlan-id=20 interface=ether1

4.2 Using a Bridge

If you’re using a bridge to unify multiple ports, you typically create VLAN interfaces on the bridge itself. In more advanced setups, you might configure hardware offloading or “Bridge VLAN Filtering.”

1. Bridge Setup:

   • Bridge -> Add a new bridge, say bridge-lan.
   • Add ports (ether2, ether3, etc.) to the bridge under Bridge -> Ports if you want them to share the same Layer 2 domain.

2. Create VLAN Interfaces:

   • In Interfaces -> VLAN, create VLAN sub-interfaces on bridge-lan (instead of a single ether port) with VLAN IDs 10, 20, etc.

3. Enable VLAN Filtering (optional, for advanced setups):

   • Bridge -> VLANs: Here you can specify which ports carry which VLANs, whether they are tagged or untagged. This helps you define trunk and access ports.

Example: If ether2 is an access port for VLAN10, you’d set it to untagged for VLAN10 in the VLAN table, and if ether1 is a trunk port to another switch, it gets tagged for VLAN10 and VLAN20.

5. Assigning IP Addresses and DHCP

Each VLAN needs its own IP subnet to keep traffic separate. Let’s assume:

• VLAN10 (Staff): 192.168.10.1/24
• VLAN20 (Guest): 192.168.20.1/24

5.1 IP Addresses

1. IP -> Addresses
2. Click “+” and assign 192.168.10.1/24 to vlan10_staff.
3. Repeat for 192.168.20.1/24 on vlan20_guest.

5.2 DHCP Servers

If you want dynamic IP assignment:

1. IP -> DHCP Server
2. DHCP Setup, select vlan10_staff as the interface, follow the wizard.
3. Repeat for vlan20_guest.

6. Configuring Trunk Ports

To connect to another VLAN-aware switch or device over a single cable, you’ll want a trunk port that tags traffic for multiple VLANs:

• Make sure your MikroTik port is sending tagged frames for VLAN10 and VLAN20.
• On the other switch, configure the port connecting back to MikroTik as a trunk, passing VLAN10 and VLAN20 as tagged.

Bridge VLAN Filtering Example:

1. Bridge -> VLANs, add an entry for VLAN10:

   • VLAN ID: 10
   • Tagged Ports: bridge-lan, ether1 (the trunk interface)
   • Untagged Ports: ether2 (if it’s staff-only access)

2. Repeat for VLAN20.

7. Firewall Considerations

VLAN interfaces appear under Interfaces. You can treat them individually in your IP -> Firewall rules:

• Allow or Drop traffic between VLANs (e.g., staff shouldn’t see guest traffic).
• NAT each VLAN for internet access if needed (like using a masquerade rule for each VLAN interface going out WAN).

Example NAT Rule:

/ip firewall nat add chain=srcnat out-interface=ether1-wan src-address=192.168.10.0/24 action=masquerade

8. Testing and Troubleshooting

1. Check IP Config: Devices on VLAN10 should get addresses in 192.168.10.x.
2. Ping Gateway: Each VLAN’s gateway is the MikroTik interface IP.
3. Isolate VLANs: Devices on VLAN10 shouldn’t see VLAN20 by default unless you create specific firewall rules to allow it.
4. Tools -> Torch: Use MikroTik’s Torch tool on a VLAN interface to see if tagged traffic is going through.

Common Pitfalls:

• Missing VLAN Tag: If your device or switch expects VLAN10 tagged, but MikroTik is sending untagged, no dice.
• Bridge VLAN Filtering misconfiguration: Double-check tagged/untagged ports.
• DHCP Overlap: If two VLANs share the same IP range, things get messy.

9. Real-World Use Cases

• Guest and Corporate Wi-Fi networks on separate VLANs but using one physical AP/switch infrastructure.
• IoT Devices segregated for security.
• VoIP phones with a dedicated VLAN to ensure better QoS.

10. Wrapping It Up

With VLANs, you can elegantly slice and dice your network without a ton of extra hardware—just a few lines of config in your MikroTik. This is a game-changer for scalability, security, and cleanliness of your network topology.

Now that you’ve dipped your toe into VLAN magic, you might explore:

• Bridge VLAN Filtering in depth.
• 802.1Q trunking with multiple switches.
• Dynamic VLAN assignments using RADIUS for advanced user/device segmentation.

Stay curious, stay creative, and don’t hesitate to reach out for more MikroTik guidance. We’re on this networking adventure together!

Yours truly,
Emmanuel Corels, Admin
Emmanuel Corels Creatives

Stick around for our next deep dive—who knows which MikroTik superpower we’ll tackle next!