Skibbi
just joined
Topic Author
Posts: 9
Joined: Wed Oct 16, 2024 12:01 pm

Trying to wrap my head around VLANs

Thu Oct 31, 2024 2:01 am

So after years of using a single LAN for all devices I decided to separate them with VLANs. I have a hAP ac, so after checking some tutorials I decided to give it a try. Here is my target setup:
[Attachment: VLANs.png]
Basically my mobile phone, computer and Proxmox servers should use the 192.168.1.0 network, IoT devices 192.168.2.0, Proxmox VMs either 192.168.5.0 or 192.168.6.0.
I've created the following basic configuration - is it enough or should I add something more? I'm pretty sure I need to set something under /interface ethernet switch port but I'm not sure what exactly I should put there :( Of course I will prepare corresponding firewall rules later.
/interface vlan
add comment=wifi-iot interface=bridge name=vlan2 vlan-id=2
add comment=proxmox-prod interface=bridge name=vlan5 vlan-id=5
add comment=proxmox-test interface=bridge name=vlan6 vlan-id=6
/ip pool
add name=default-dhcp ranges=192.168.1.30-192.168.1.60
add name=dhcp-vlan2 ranges=192.168.2.2-192.168.2.30
add name=dhcp-vlan5 ranges=192.168.5.2-192.168.5.62
add name=dhcp-vlan6 ranges=192.168.6.2-192.168.6.14
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
add address-pool=dhcp-vlan2 interface=vlan2 lease-time=3h name=wifi-iot
add address-pool=dhcp-vlan5 interface=vlan5 lease-time=1w name=proxmox-prod
add address-pool=dhcp-vlan6 interface=vlan6 lease-time=6h name=proxmox-test
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/interface ethernet switch vlan
add independent-learning=no ports=ether1 switch=switch1 vlan-id=2
add independent-learning=no ports=ether3,ether4 switch=switch1 vlan-id=5
add independent-learning=no ports=ether3,ether4 switch=switch1 vlan-id=6

# I'm not sure about this part
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=add-if-missing
set ether4 vlan-mode=secure vlan-header=add-if-missing
# ----

/ip address
add address=192.168.1.1/26 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.2.1/27 interface=vlan2 network=192.168.2.0
add address=192.168.5.1/26 interface=vlan5 network=192.168.5.0
add address=192.168.6.1/28 interface=vlan6 network=192.168.6.0
/ip dhcp-server network
add address=192.168.1.0/26 comment=defconf dns-server=192.168.1.5 gateway=\
    192.168.1.1 ntp-server=192.168.1.5
add address=192.168.2.0/27 dns-server=192.168.1.5 gateway=192.168.2.1 \
    ntp-server=192.168.1.5
add address=192.168.5.0/26 dns-server=192.168.1.5 gateway=192.168.5.1 \
    ntp-server=192.168.1.5
add address=192.168.6.0/28 dns-server=192.168.1.5 gateway=192.168.6.1 \
    ntp-server=192.168.1.5
 
anav
Forum Guru
Posts: 21908
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to wrap my head around VLANs

Thu Oct 31, 2024 2:14 am

Best resource is here --> viewtopic.php?t=143620

First mistake is mixing apples and oranges, once you have vlans, remove subnet from bridge so it does no dhcp, much less confusing.
Bridge ports are wrong
Not sure why you are even touching ethernet switch settings of any ILK be it ethernet switch vlan or port ?????

Clearly you chose the wrong youtube article. :-0

++++++++++++++++++++++++++++++++++

Another pointer........ the config is all interconnected, posting only part of the config is not a recipe for success.
Certainly should have the default set of firewall rules on the config before attaching anything to the WWW.

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc. )
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Trying to wrap my head around VLANs

Thu Oct 31, 2024 2:51 am

Looking at your config, it looks like you have followed or are applying what I see as "v6" logic to this. Nothing wrong with that at all unless you are running v7 or you want to get this done this year.

To cut a very long story short(er) - Once you go VLAN, you drive those VLANs from your bridge menu. In Bridge > VLANs you'll find you can set tagged and untagged ports per VLAN, and in Ports you can set pvid for untagged traffic (not that you need to, as your additional networks will all be tagged).

Couple of advisories though:
ALWAYS use safe mode. When you think you have VLAN configured and you turn on vlan filtering in bridge as it is needed - first time round you rarely have it configured well, so safe mode will bail you out.
If you are tagging all other traffic, change your native vlan to something other than 1, it's better practice to do this.
I would be tempted to run ether3 and 4 as untagged vlan 5 & 6 respectively, it's an "easier" config too and your Proxmox setup will be simpler. You're not gaining anything by having 2 ports with trunked network unless Proxmox is sitting on 3 networks, untagged and the 2 tagged?
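
Added example, not part of Steveocee's post and not MikroTik's own documentation: a RouterOS v7 bridge-menu sketch of the approach described above. It assumes the bridge is named bridge, the vlan2/vlan5/vlan6 interfaces from the first post stay as they are, ether1 carries VLAN 2 tagged, and ether3/ether4 become untagged access ports for VLAN 5 and 6; the /interface ethernet switch entries from the first post are not used here.

```routeros
# Added example (assumptions: bridge name "bridge", ether1 = trunk for VLAN 2,
# ether3 = access port VLAN 5, ether4 = access port VLAN 6).
# Untagged traffic on the remaining ports stays on the default pvid=1.

/interface bridge port
# Access ports: untagged frames arriving on the port are placed in its PVID,
# and frames that arrive already tagged are rejected.
set [find interface=ether3] pvid=5 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether4] pvid=6 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# The bridge itself is a tagged member of every VLAN so that the
# /interface vlan interfaces (vlan2, vlan5, vlan6) on the router side
# receive the traffic and can run DHCP and routing for it.
add bridge=bridge vlan-ids=2 tagged=bridge,ether1
add bridge=bridge vlan-ids=5 tagged=bridge untagged=ether3
add bridge=bridge vlan-ids=6 tagged=bridge untagged=ether4

# Enable filtering last, from a Safe Mode session, so a wrong port
# assignment is rolled back when the management connection drops.
/interface bridge
set [find name=bridge] vlan-filtering=yes

# VLAN tagging only separates layer 2. The router still routes between
# the VLAN subnets unless forward-chain firewall rules restrict it.
```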
 
Josephny
Forum Veteran
Posts: 768
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Trying to wrap my head around VLANs

Thu Oct 31, 2024 3:09 am

I just want to say that I have never been able to get a useful environment using VLANs.

I’ve read the always-recommended post here, read tons of other articles, watched videos and there is nothing that explains it and instructs in their construction clearly enough.

I don’t know why, and I can’t suggest how to improve it, but, as I learned in college, graduate school (2 different programs), and decades in business, if I am confused about something, other people are also.

Consider this a plea for help, not a criticism.
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Trying to wrap my head around VLANs

Thu Oct 31, 2024 3:28 am

> I just want to say that I have never been able to get a useful environment using VLANs.
>
> I’ve read the always-recommended post here, read tons of other articles, watched videos and there is nothing that explains it and instructs in their construction clearly enough.
>
> I don’t know why, and I can’t suggest how to improve it, but, as I learned in college, graduate school (2 different programs), and decades in business, if I am confused about something, other people are also.
>
> Consider this a plea for help, not a criticism.

I worked for 5 years with Mikrotik daily and didn't manage to grasp VLAN. I have had a 5 year hiatus and then recently only after learning and implementing Cisco VLAN have I gone back over MikroTik VLAN in order to get it right. It's not the same but the difference was I understood the concepts better. (I maintain Cisco VLAN is so much more natural and less convoluted).
 
KiwiBloke
newbie
Posts: 25
Joined: Sat Jan 27, 2024 10:25 am

Re: Trying to wrap my head around VLANs

Thu Oct 31, 2024 3:31 am

> I just want to say that I have never been able to get a useful environment using VLANs.
>
> I’ve read the always-recommended post here, read tons of other articles, watched videos and there is nothing that explains it and instructs in their construction clearly enough.
>
> I don’t know why, and I can’t suggest how to improve it, but, as I learned in college, graduate school (2 different programs), and decades in business, if I am confused about something, other people are also.
>
> Consider this a plea for help, not a criticism.

+1
 
k6ccc
Forum Guru
Posts: 1581
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Trying to wrap my head around VLANs

Thu Oct 31, 2024 3:34 am

VLANs are easy once you get the hang of it. I am a little odd that I don't use a bridge in my router at all. However the router is not doing any switch functions - every port is a different LAN or VLAN trunk. All switch functions are done in separate managed switches (CSS326 running SwitchOS).
 
anav
Forum Guru
Posts: 21908
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to wrap my head around VLANs

Thu Oct 31, 2024 1:30 pm

Yeah, k6 but you're from KAL EYE 4RN EYE EH ................... freakish ;-))

There is logic and rules, it works, the reference is accurate.
 
Josephny
Forum Veteran
Posts: 768
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Trying to wrap my head around VLANs

Thu Oct 31, 2024 3:15 pm

> KAL EYE 4RN EYE EH

I try to keep up with code/acronyms/etc., but huh???

BTW, K6, I'm a KC2
 
anav
Forum Guru
Posts: 21908
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to wrap my head around VLANs

Thu Oct 31, 2024 4:59 pm

>> KAL EYE 4RN EYE EH
> I try to keep up with code/acronyms/etc., but huh???
>
> BTW, K6, I'm a KC2

It's not code, just a pronunciation schema.
Californicators are a tad odd. ;-)
 
Josephny
Forum Veteran
Posts: 768
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Trying to wrap my head around VLANs

Thu Oct 31, 2024 5:19 pm



>> I try to keep up with code/acronyms/etc., but huh???
>>
>> BTW, K6, I'm a KC2
> It's not code, just a pronunciation schema.
> Californicators are a tad odd. ;-)

Oh! Got it now!

Couldn't agree more. Glad to see more people who recognize NYC as the center of the English speaking world and the only non-accented English speakers (;-)
 
JulioAlbanese
just joined
Posts: 3
Joined: Thu Dec 28, 2023 8:20 am

Re: Trying to wrap my head around VLANs

Wed Nov 06, 2024 3:02 pm

> Best resource is here --> viewtopic.php?t=143620
>
> First mistake is mixing apples and oranges, once you have vlans, remove subnet from bridge so it does no dhcp, much less confusing.
> Bridge ports are wrong
> Not sure why you are even touching ethernet switch settings of any ILK be it ethernet switch vlan or port ?????
>
> Clearly you chose the wrong youtube article. :-0
>
> ++++++++++++++++++++++++++++++++++
>
> Another pointer........ the config is all interconnected, posting only part of the config is not a recipe for success.
> Certainly should have the default set of firewall rules on the config before attaching anything to the WWW.
>
> /export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc. )

You're on the right track with your VLAN setup. For the /interface ethernet switch port part, setting vlan-mode=secure and vlan-header=add-if-missing should work for basic configurations, but you might need to adjust this based on your specific switch chipset or port roles. Just ensure the ports are tagged correctly for each VLAN, and don't forget to configure your firewall rules to isolate traffic between VLANs as needed.
Thanks for the topic link, you made my day.
Last edited by JulioAlbanese on Tue Nov 19, 2024 8:03 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 21908
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to wrap my head around VLANs

Wed Nov 06, 2024 5:10 pm

> I worked for 5 years with Mikrotik daily and didn't manage to grasp VLAN. I have had a 5 year hiatus and then recently only after learning and implementing Cisco VLAN have I gone back over MikroTik VLAN in order to get it right. It's not the same but the difference was I understood the concepts better. (I maintain Cisco VLAN is so much more natural and less convoluted).

It's the beer you're drinking........putrid UK tar.......... probably warm too. ;-)
 
anav
Forum Guru
Posts: 21908
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to wrap my head around VLANs

Wed Nov 06, 2024 5:12 pm

> I just want to say that I have never been able to get a useful environment using VLANs.
>
> I’ve read the always-recommended post here, read tons of other articles, watched videos and there is nothing that explains it and instructs in their construction clearly enough.
>
> I don’t know why, and I can’t suggest how to improve it, but, as I learned in college, graduate school (2 different programs), and decades in business, if I am confused about something, other people are also.
>
> Consider this a plea for help, not a criticism.

Whether it's a hex router with 3 vlans, a hex acting as a switch with X vlans, or my ccr1009 with 20 vlans. All works like butta.
The linked article is gold.
 
mkx
Forum Guru
Posts: 12980
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to wrap my head around VLANs

Wed Nov 06, 2024 6:54 pm

> I just want to say that I have never been able to get a useful environment using VLANs.

Well, VLAN is a tool ... Most people use tools because they have a task to do and certain tools fit the task perfectly (but one has to know different tools reasonably well to identify the best tool for a certain task). Some people use tools for fun and to learn how to use them properly. And some people use a tool (or two) they are familiar with to perform all sorts of tasks.[*]

So either you never ran into a situation which calls for VLANs ... or you didn't see that VLANs are a perfect fit and you solved tasks with other networking tricks (perhaps less perfect, but good enough). Or VLANs were not the perfect tool. Or you simply didn't work the task properly because of your flakey knowledge of VLANs.

[*] There was a period of time when our BFF @anav answered "use VLANs" to every question. Since he learned about wireguard, he's split between both answers.
 
anav
Forum Guru
Posts: 21908
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to wrap my head around VLANs

Wed Nov 06, 2024 7:15 pm

hahaha......... listen if you only need two subnets, nothing wrong with one bridge and one separate subnet or two separate subnets and no bridge.
But if you choose any of the above, you are denying yourself the satisfaction of using vlans, and the sense of accomplishment and the ability to lord such skills over the masses, who are clearly inept, incapable or insane. :-)
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Trying to wrap my head around VLANs

Sat Nov 09, 2024 12:32 am

>> I worked for 5 years with Mikrotik daily and didn't manage to grasp VLAN. I have had a 5 year hiatus and then recently only after learning and implementing Cisco VLAN have I gone back over MikroTik VLAN in order to get it right. It's not the same but the difference was I understood the concepts better. (I maintain Cisco VLAN is so much more natural and less convoluted).
> It's the beer you're drinking........putrid UK tar.......... probably warm too. ;-)

I don't drink :lol:
 
holvoetn
Forum Guru
Posts: 6762
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Trying to wrap my head around VLANs

Sat Nov 09, 2024 11:14 pm

You'll die in 2 days then... :lol:

(PS same here 8) )
