Pinned for reference, please use :D! MikroTik Documentation for VLANS: help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching Switch Chip Features: help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-Introduction
I spent two nights, essentially breaking my network, going in circles, trying to achieve something so simple in hindsight! I had such weird anomolies when doing this, for example ping absolutely fine to hosts, but no TCP sessions would stay established, later on 20 packets reply, 20 drop, etc etc. All because of the way I created the vlans on the bridges, which I tried two different ways according to docs I read. Painful, but I got there now thanks to this!
MikroTik definitely allows for the possibility of misconfiguration. Not totally sure why they allow you to configure things in certain ways which can break your setup. Glad to hear you got everything working!
@@TheNetworkBerg I think it's because they have the OS so standardized across so many models that some don't support certain things. Think CRS1xx vs CRS3xx switch configurations and hardware support.
I can't thank you enough for this video! I've been struggling with my configuration for almost a year, and you explained everything perfectly in this video.
This it the best video I've seen on demystifying the vlan setup on mikrotiks (and I'd watch a lot previously to get my head around it), as other have said the little tip on not applying pvid filtering until you're done the rest - seems obvious, but so easy to click and watch winbox / putty disappear :D - I've gotten into the habit of 'safe moding' first. Have shared with a colleague who's dipping their toe in with Mikrotik (so he's spared the pain of watching about a dozen conflicting videos and then still locking himself out - to be fair, he's got form for it, mainly with prod linux servers :D ). Also the block diagram bit was a great bit of advice. Thanks as always.
Indeed, finally, after watching dozens of videos that teach only the theory, but not really any actual practical aspects, I had my vlans set up across my MT Router and few other non MT switches and a unifi AP, in a matter of hours - which is my first time actually practically setting up vlans. Great stuff!!
Same here... understand exactly how VLANs work at the network level but struggled to work out how to configure them with conviction. Now I understand it pretty well. Couple of "What does that do?" or "Why do you have to do that?" but fundamentally sorted! I'm cramming because I need to set-up a client tomorrow. Their requirement is relatively simple: private LAN/Wireless around the farmhouse using Starlink then a wireless point-to-point bridge to client lodges & caravans. Want to segregate ALL the traffic across that bridge into separate VLAN (and later to apply queues). So all I ended up needing was a single untagged port on the router/switch on VLAN 10 with DHCP server running on same VLAN. Works a treat! Don't have to worry about what is upstream as everything passing through that single port gets tagged with VLAN 10. Understand the management port idea - will revisit that later. Might put a trunk in so can segregate the lodges and caravan park (mainly out of interest for reporting) but fortunately, the split between those two networks is also a Mikrotik PoE 5-port switch so can set-up VLANs on that as well. Have just done a little dance 🙂
Your small hint putting the bridge into bridge/vlan and don‘t add the software vlan into it in case of routing made my day. Never read this somewhere else. Thanks a lot
Thank you for this. I had set up my RB several years ago and had per-port VLANS. This method made trunking to a couple AP's and switches much 'cleaner'.
brilliant video understood exactly what you were doing. looking at getting a mikrotik network up and running I'm still using an edgerouter with an old hp switch and some ap's.
Awesome video....I did actually struggled quite a bit with overall understanding how to configure/create vlans on mikrotik. And here You provide in nice form all info I needed to understand it. Thanks for sharing it!
This video is GOLD thats all I can say... Wish I had this video a few years back.. I eventually worked out everything myself the hard way but this would have been a nice to have :P
I've just had one of those "eureka" moments. I've never understood really why there were two VLAN areas. One on the bridge and the other on the interfaces. Now I do!
Whilst I've sort of got VLAN working on Wi-Fi, this was a great video on VLANS on switches etc. Been putting it off for ages but you made it sound so simple :-) Can't uptick it enough.
I finally managed to get it working thanks to this video, but what I dont quite understand is why the vlan need to have bridge tagged if you put any L3 on the vlan (IP and DHCP)
Man, thank you so much. First Mikrotik device, RB951 and was struggling with the nuance of the Mikrotik way of doing things over 2 very late nights and got my basic config working thanks to this video in 30minutes!!. Subscribed.
Great video, got me up & running with my VLANS and a quick understanding and a good solid headhold around it being new to Mikrotik. Nice that this is also up to date on the interface as of now.
1. Its allways a good practice to have two separate configuration maps: 1. L2 network map with all phisical connections. 2. L3 network map wit IPs, networks, Vlans, trunk\accsess ports etc. It will be more easy to undurstand. 2. You made router on a stick configuration. The downcide of this is that trunk port will handle all inet-VLAN trafic and could be a botleneck. It will be great to see giude with L3 routing on a CRS3XX device with a HW offloading + NAT, QoS etc on a separate router (RB5009 or other). Its more like a real world configuration for a corporate network.
Very nice review........ glad to you see join the 2020's in terms of single bridge vlan filtering, for most routers and CRS3xxx series. The main difference between vlans between device acting as a switch or router (besides the obvious) is that the managment vlan is the only that needs to be identified AND the only one tagged with the bridge in /interface bridge vlan settings. On a serious note, good to focus on AX3, a very common home device. However you have indirectly discovered your next video. Explaining why switches and the AX3, which dont have a classic marvel switch chip but something called PHYs. These need to be discussed so we folks understand what they are doing under the hood ( clearly they must help the CPU in some capacity ). A comparison would be fantastic!!!
Same with my home AX2. It's got a Gigabit PHY (QCA8075) and no mention of "wire speed". I've been using an old hAP ac lite in the lab and that says it's got wire speed :-) Then again, for most of my clients these days, the majority of traffic is heading over the internet, it's going through the "layer 3" and firewall so not sure localised LAN switching is so much of a problem in this cloud based world. More useful when you had on-premises servers and wanted to switch traffic as fast as possible between workstations and servers?
Great video Thanks for Sharing your knowledge. Interested in a 4011 Vlan config with the 2 switches. Been trying to get it to work, but unable to get it working.
I've been struggling with VLAN filtering for weeks now and finally found your video. You're saying that the bridge VLAN area is only for a switch chip. I have a CCR2004 which I've learned doesn't have a switch chip! Could this explain why setting VLAN filtering on seems to kill everything in my network?
thank you! one thing i was doing wrong, tagging the vlan as well as the bridge - it didnt show up as tagged with vlan filtering enabled; one more thing i learned is that i dont need software vlans (l3) if i dont plan to use dhcp or any other l3 service.
Shared to my connections on LinkedIn, not sure if that will help much - but hoping my techie connections will give it a bit of a boost. Just not a huge player in the UK enterprise space.
Very nice video. Can you do a bandwidth test to see if wirespeed is achieved? To see when is used switchchip and cpu. A wrong layout can decrease speed and bottlenecking.
Oh man.. I just got my RB5009UG+S+ and my head is spinning with trying to figure out the VLAN setup. I will get it... but damn my head hurts right now.
Great Video as always, one request we are not able to see your mouse cursor during recording, please enable it. so that we can see actually where you are clicking. Thank you.. 😊👌
Awesome video! This helped me a lot, I was able to configure all the VLANs I wanted to on my RB3011 and CRS125-24G. I'm now running into the issue you mentioned @7:13. My CPU is hitting 100% downloading anything. Do you have any advice on how to implement this VLAN structure with a router that has multiple switch chips?
Without seeing your mouse, and because you sometimes click on many things so fast, often just because you're trying to find it out yourself, it becomes hard to follow your lead.
Thank you for the critique, I do apologize if it was hard to follow the video. There is an older VLAN video I created that goes over different VLAN configurations and was aimed at the MTCRE exam, it is a bit more slow paced and the mouse is captured as well if that maybe helps you with what you are struggling with: ruclips.net/video/4BOYqtV4MCY/видео.htmlsi=x-uYF7VBBza7pGBe I would suggest keeping this newer video in mind though as the most optimal way to configure VLANs is through the bridge function as that uses the switch chip and will give you the best performance.
So if I want to add to your setup another switch on port 24 and give it access to management vlan10, port24 has to become trunk port and added to bridge VLAN10 settings as tagged? As a result VLAN10 tagged ports will be: ether23, ether24, bridge?
Hi! Great video... one suggestion.. could you make a video/test lab on configuring CRS1xx (CRS112) with inter vlan connections with switch chip? There are so many configs/tutorials on VLANs with bridging vlans but through the switch chip.. not so many.. ok.. crs112's can be seen as 'legacy' devices but they really help a lot when configuring simple networks with intervlans (several vlans like office, guests, cameras...). That would be a great deal! :) Tx
Hey Johnny! I have a few questions. I was working on a router with 5 local ports (ax3 actually), and a connected managed switch. I was having issues with getting the ports on the switch (UI USW-Lite-8-PoE) to properly work with the VLANs I setup following this video. But, that's not my question. I the process of trying to get help with this - others told me that router-on-a-stick does not use a bridge. I gather based on the idea that this would involve the CPU vs the switch chips? Other? Or is there anything to this statement and something to be avoided in relation to bridges and trunked VLANs for ROAS? I don't know how else, based on this video, how you could do it otherwise without ignoring the ax3 ports for use of the VLANs. Anything regarding software VLANs verses hardware VLANs? I'm think he was saying that using a bridge turns it into a software VLAN vs only being tagged directly on the trunk ports would be hardware VLANs? Thanks!
Hey, excellent videos. I have question and problem with LTE passthrough - to be more specific with management on LTE antena. Setup is: LTE LHGMM SW CSR328-24P-4S+ R CCR2004 Config is as follows: VLAN 10 - management VLAN 11 - passthrough VLAN10-bridge and VLAN11-bridge on router side and Switch DHCP Client on Router for WAN IP DCHP Client on LTE for management. LTE DHCP-Server -off VLANs configured under Interface/VLAN on ether1 interfaces. At the first it looks fine and works. But when you reboot device stack, Router is not getting anymore WAN IP form LTE antena. I watched Mikrotik video where they say that it should not be configured in such manner as i have. I tried to read docs which were referred in video but some how unsuccessfully :D Question is - will your VLAN config work for passthrough and is it the one that is mentioned in the video? ruclips.net/video/IZFAeLbujso/видео.htmlsi=XV4_hyq-hI8oP-DQ&t=304 Thanks!
Same question here as one can get to the router on the 192.168.88.0/24 network from the VLAN 10.0.10.0/24. I've come across this before? I think you have to add a firewall rule to block it.
It would've been good if you explained why the single bridge per ASIC method exists. I.e. rooted in the original Linux DSA and switchdev implementation. People who haven't worked with cumulus or whiteboxes with a Linux based OS, often think this is exclusive to MikroTik.
Nice, i will be doing this later when my expansion switch arrives. CRS326 of course. Can you please help me confoguring VLAN's for my RB5009 to get it working with IP-TV? I need to use a media splitter right now from my provider. Its a managed switch litteraly and has specific ports for TV and such.. There is VLAN config on that. My IP-TV box gets an ip of 10.x.x.x..
Using a Hex POE. While this configuration "works", it is not clear that takes advantage of hardware offloading. Is this method running in software/cpu only on the HEX POE? The QCA8337 "Switch" configuration as suggested in the Mikrotik documents is not working for IP connectivity to the HEX POE (tried the vlan-header=leave-as-is per the footnote) Any advice?
Can you make a video where you explain how to have several bridges which have e.g. port 2 untagged on vlan 20 and vlan 20 tagged on port 1 and a bridge with vlan 30 tagged on port 1 and tagged on port 3 and also the default vlan 1 untagged on port 3 must go over as pvid 1. Thx for the good Videos
one question, do the ports need to be part of the bridge you are configuring the vlans on to work properly? Lets say you have 2 bridges, one has all the ports, one has none, can the second bridge affect vlan tagging of ports even though the ports its tagging do not reside within itself?
Great video. Just what i needed. I just got that l009, and i am in full learning mode. would it be possible to make a video on creating firewall rules in this setup.. I'd like to separate the vlans by default but have them all have an internet connection (so devices can go to the internet but not to devices on other vlans). And maybe poke a hole for some servers.. (edit words vs. Dutch autocorrect..)
I think this video has so much great information in it but it's unfortunate that it's laid out in such a confusing way. I wish you redo this and keep it organized and concise.
Thanks for your opinion, I agree that the video can come off as a little disjointed. I think it's just one of those symptoms of trying to do everything in one session and doing everything in real-time so I am processing it in my head on the spot while doing things and recording and it might not translate that well into showcasing everything. So your wish may very well become true sometime in the future. I still think the information is useful to others that hit a snag at a certain space and need something to point them into another direction. If you are looking for some more structured stuff I do have a separate series I covered for the MTCRE. It does convey things a bit more structured though the possibility to accidentally misconfigure something is still there. You can take a look at the VLAN videos in this playlist: ruclips.net/video/4BOYqtV4MCY/видео.html
Question: Suppose I have RB5009 Series where port 1 = ISP1, port 2 = ISP2, port 3-5 = for Hotspot(10.0.0.1/24), port 6 = OLT pon1 (172.16.0.1/24), port 7 = OLT pon2, (172.16.0.1/24) then lastly port 8 = LAN (192.168.100.1/24). Knowing that I assigned each port/interface with each assigned IPs for that setup. Then, Do I still need to configure it in a VLAN setup or is it the same already with VLAN setup? Please help. Thanks in advance.
Great video, I wonder if you could fork off this and offer a VLAN tutorial for dealing with double tagging. For example were ISP's have SVID and CVID's to deal with. Can you use this way of doing VLANS to add the CVID to the bridge VLAN rather than adding new CVID's as sub interfaces to a parent SVID interface?
@@TheNetworkBergYes that's how I'm doing it, but I thought after watching your vid maybe there's a better way? I don't have a lab to test so will have to build one. Might be a fun experiment.
Hey. Ive tried setting up a single vlan using this method on my mikrotik router (RB3011UIAS-RM), the port for tagging is on 7 for which I have a cisco switch plugged in and set the port connecting the link cable to the two to trunk as well as a few others. I cant seem to get internet when connecting a laptop directly to the cisco switch. I can ping the vlan gateway, and configured dhcp and it gets an Ip, but for some reason the vlan has no internet
You say that Software defined VLANs are bind to the bridge, but what if you use VLANs on a bond? You bind those VLANs on the bond interface and not on the bridge. The bond interfaces go to the bridge. So what do you do if you are going to tag the ports in Bridge VLANs?
VLAN on Mikrotiks makes me sad. What takes hours of planning, mapping and configuration on Mikrotik takes minutes on Cisco. Don’t get me wrong, I like Mikrotik and have more of them than Cisco in my environments for others reasons.
I do agree that MT has many potentional pitfalls when it comes to adding a VLAN and makes it feel unnecessarily harder. Although there is one thing I remember well about Cisco and that is forgetting to use the "add" command when wanting to tag additional VLANs on a trunk, I think this has brought down more networks than it should have.
Don’t think you can expect much from them. The cost says it all. They are just not comparable at all. Everyone knows but mtik is actually fairly weak in their software, the “same OS for every of our product” starts to seem like a weakness. It seems glued and janky.
@@iRonMan-s7c You need to configure the router accordingly to whatever your needs are, for example if the service now is internet already in a vlan that is there in a network I want to tap into it and do double natting then that can be done. It all depends on your total objective really, depending on what it is you can efficiently plan and know what devices to use or what to not.
my plan is 1G I replace Huawei HG8240T5 Gpon with LXT-010S-H from LEOX and I'm install it in to Mikrotik RB5009 from Mikrotik I setup Vlan10 and PPPoE for Internet and It's work and I got internet connection but I couldn't figure out how to configure Vlan30 for VoIP
That is correct, although I think it is needed in order to actually hardware offload if your device has a switch chip so that the CPU does not handle the traffic.
Spend more time outlining the goal, preferably by drawing data paths, before making changes... you're going at a speed where only a network admin can follow you and those don't need this video.
Why this is better solution? I have created separate bridges for Server, Management, LAN etc. and on interfaces I have created vlan to each ports separately
Basically it boils down to throughput and hardware offloading. Multiple bridges may not support hardware offloading and traffic between the bridges will probably have to go through to the CPU to get processed. Depending on the model of your hardware this link to the CPU might be very small (Like 1Gb) and can easily impact performance like speed or cause packet loss. The other problem is that the CPU will have to deal with the forwarding and this can cause a spike in the CPU usage. If the CPU starts maxing out it can potentially cause the router to hang and will also provide a general negative experience. Perhaps your network isn't that big or you are using bigger routers and you just never really notice the impact on the CPU, it is strongly advised to use hardware offloading with a switch chip wherever possible for the best performance. Though there are also instances where traffic needs to pass to the CPU regardless and even having a switch chip will not improve your performance. This is why looking at the documentation is crucial in planning out your network.
@@TheNetworkBerg right now I'm using RB4011 without any disadvantages, but probably not full speed via the 2,5Gb/s connections to CPU, but You made my mind go crazy and probably I will change it after copy of configuration of course :)
Good idea for video if possible, filter rules on switch chip itself. What I noticed a lot, people are buying CRS devices and use them as routers... Mikrotik is confusing their customers with that naming scheme. As you said, CPU is limited and thus routing performance is bad...
@TheNetworkBerg yes it is! Backup files isn't great either. Every config variables are combined and also lots of random characters so it's really hard to read. My colleague needed to take pictures of all settings so it would be more easy for me to replicate and deploy to another switch. I don't know if I just can use the backup file and restore on the new switch? I would also like to see a basic VLAN setup. On just a switch with an uplink. Both on RouterOS and SwOS. Like i want to add some of the ports to VLAN 340 and nothing else. For example port 4, 7, 9, 11 and 15. I guess those ports need to be added aswell on the uplink port. As you show in this video.
Now just to remember when and when NOT L3 HW offload happens. I wish I didn't have to remember....so more expensive L3 switches it is for me even for homelab.
Strange, has yours ports been added to a VLAN filtered bridge? Have ran this same setup on 25Gb, 40Gb & 100Gb interfaces and I get full throughput without CPU bottle-necking.
@@TheNetworkBerg I checked it on 10 and 100 Gb cards but the result was the same on both. So I thought that I do some configuration mistake and I set everything up again and the result was the same - CPU 100%
Yeah it is extremely frustrating especially for someone trying to learn about VLANs, and then having people shout at you that you are doing it wrong. Even though the MikroTik allows you to do it and in some cases MikroTik suggests configuring a VLAN a certain way :(
@@TheNetworkBerg they should fix routers os and command to create vlan should know mikrotik hardware has switch chip or no!there should be only one way to create vlan
This video is rich, but the movement of your cusor is the problem. Teach like you know that some persons hands need to be held. move slowly for people to follow properly.
I have a question, would this be possible 1 router and one unmanaged switch In the network 3 vlans 'guest, servers, IOT, the device gets put on 'guest' my default and with Mac address I can assign then to the vlans
Hey Johnny! I have a few questions. I was working on a router with 5 local ports (ax3 actually), and a connected managed switch. I was having issues with getting the ports on the switch (UI USW-Lite-8-PoE) to properly work with the VLANs I setup following this video. But, that's not my question. In the process of trying to get help with this - others told me that router-on-a-stick does not use a bridge. I gather this is based on the idea that this would involve the CPU vs the switch chips? Other? Is there anything to this statement and something to be avoided in relation to bridges and trunked VLANs for ROAS? I don't know how else, based on this video, you could do it otherwise without ignoring the ax3 ports for use of the VLANs. Anything regarding software VLANs verses hardware VLANs? I'm think they were saying that using a bridge turns it into a software VLAN vs only being tagged directly on the trunk ports would be hardware VLANs? Thanks!
Hello, I think this documentation from MT directly covers a lot of the "How can I wrongly configure a VLAN on MikroTik" questions. help.mikrotik.com/docs/spaces/ROS/pages/19136718/Layer2+misconfiguration But there are two ways you can go about it really. 1) Select a port you want to connect to the switch and configure the VLANs you want down to the switch and use this interface for the VLANs. (This is where you are creating a software VLAN and binding it to a physical interface, you go to the VLAN configuration and create a VLAN from there, essentially the CPU will handle this traffic) 2) Configure a bridge with VLAN-Filtering enabled and tag the vlans to the bridge and assign each VLAN to the trunk port from the VLANs tab that you want down to the switch. (This is where the ASIC will handle the traffic) So in essence using a single bridge is where you would be using the hardware whereas just tagging vlans to an interface is software based. But it's not bad using a software VLAN, if the CPU is powerful enough which on an AX3 for the most case is you can achieve decent speed and it is the most common setup compared to ROAS on something like a Cisco device. It's also very common to create a software based VLAN if let's say your ISP gives you a VLAN to configure on your WAN port and you need to route traffic out via this VLAN.
Pinned for reference, please use :D!
MikroTik Documentation for VLANS:
help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching
Switch Chip Features:
help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-Introduction
I spent two nights, essentially breaking my network, going in circles, trying to achieve something so simple in hindsight! I had such weird anomolies when doing this, for example ping absolutely fine to hosts, but no TCP sessions would stay established, later on 20 packets reply, 20 drop, etc etc. All because of the way I created the vlans on the bridges, which I tried two different ways according to docs I read. Painful, but I got there now thanks to this!
MikroTik definitely allows for the possibility of misconfiguration. Not totally sure why they allow you to configure things in certain ways which can break your setup. Glad to hear you got everything working!
@@TheNetworkBerg probably the same reason why the t-shirts exist with the Linux command *sudo rm -rf /* on them 🙂
@@RobNicholson1234 haha just imagine! Now I need to find a shirt like that.
@@TheNetworkBerg I think it's because they have the OS so standardized across so many models that some don't support certain things. Think CRS1xx vs CRS3xx switch configurations and hardware support.
I can't thank you enough for this video! I've been struggling with my configuration for almost a year, and you explained everything perfectly in this video.
Great to hear!
This it the best video I've seen on demystifying the vlan setup on mikrotiks (and I'd watch a lot previously to get my head around it), as other have said the little tip on not applying pvid filtering until you're done the rest - seems obvious, but so easy to click and watch winbox / putty disappear :D - I've gotten into the habit of 'safe moding' first. Have shared with a colleague who's dipping their toe in with Mikrotik (so he's spared the pain of watching about a dozen conflicting videos and then still locking himself out - to be fair, he's got form for it, mainly with prod linux servers :D ). Also the block diagram bit was a great bit of advice. Thanks as always.
Indeed, finally, after watching dozens of videos that teach only the theory, but not really any actual practical aspects, I had my vlans set up across my MT Router and few other non MT switches and a unifi AP, in a matter of hours - which is my first time actually practically setting up vlans. Great stuff!!
Same here... understand exactly how VLANs work at the network level but struggled to work out how to configure them with conviction. Now I understand it pretty well. Couple of "What does that do?" or "Why do you have to do that?" but fundamentally sorted! I'm cramming because I need to set-up a client tomorrow. Their requirement is relatively simple: private LAN/Wireless around the farmhouse using Starlink then a wireless point-to-point bridge to client lodges & caravans. Want to segregate ALL the traffic across that bridge into separate VLAN (and later to apply queues). So all I ended up needing was a single untagged port on the router/switch on VLAN 10 with DHCP server running on same VLAN. Works a treat! Don't have to worry about what is upstream as everything passing through that single port gets tagged with VLAN 10.
Understand the management port idea - will revisit that later.
Might put a trunk in so can segregate the lodges and caravan park (mainly out of interest for reporting) but fortunately, the split between those two networks is also a Mikrotik PoE 5-port switch so can set-up VLANs on that as well.
Have just done a little dance 🙂
Amazing video, practical example of how to set up really helps with understanding the whole concept!
Thank you for this. This is by far the most comprehensive and helpful video I've seen on this. Really helped me understand how Mikrotik does VLANs.
Your small hint putting the bridge into bridge/vlan and don‘t add the software vlan into it in case of routing made my day. Never read this somewhere else. Thanks a lot
Yeah that can definitely catch some people out, myself included :P
Thank you for this.
I had set up my RB several years ago and had per-port VLANS. This method made trunking to a couple AP's and switches much 'cleaner'.
Yeah this definitely feels cleaner for setups like that, glad I could help :D!
brilliant video understood exactly what you were doing. looking at getting a mikrotik network up and running I'm still using an edgerouter with an old hp switch and some ap's.
Great content, nice and detailed.
It's great to have content like this where you talk about best practices, dos and don'ts.
Keep it coming
Awesome video....I did actually struggled quite a bit with overall understanding how to configure/create vlans on mikrotik. And here You provide in nice form all info I needed to understand it. Thanks for sharing it!
This video is GOLD thats all I can say... Wish I had this video a few years back.. I eventually worked out everything myself the hard way but this would have been a nice to have :P
I watched the video with morning breakfast ☕
Doing it right now in front of my coffee while giving assistance to a customer 😂
I've just had one of those "eureka" moments. I've never understood really why there were two VLAN areas. One on the bridge and the other on the interfaces. Now I do!
Those moments are always awesome :D!
Whilst I've sort of got VLAN working on Wi-Fi, this was a great video on VLANS on switches etc. Been putting it off for ages but you made it sound so simple :-) Can't uptick it enough.
I finally managed to get it working thanks to this video, but what I dont quite understand is why the vlan need to have bridge tagged if you put any L3 on the vlan (IP and DHCP)
Man, thank you so much. First Mikrotik device, RB951 and was struggling with the nuance of the Mikrotik way of doing things over 2 very late nights and got my basic config working thanks to this video in 30minutes!!. Subscribed.
Great video, got me up & running with my VLANS and a quick understanding and a good solid headhold around it being new to Mikrotik.
Nice that this is also up to date on the interface as of now.
1. Its allways a good practice to have two separate configuration maps: 1. L2 network map with all phisical connections. 2. L3 network map wit IPs, networks, Vlans, trunk\accsess ports etc. It will be more easy to undurstand.
2. You made router on a stick configuration. The downcide of this is that trunk port will handle all inet-VLAN trafic and could be a botleneck. It will be great to see giude with L3 routing on a CRS3XX device with a HW offloading + NAT, QoS etc on a separate router (RB5009 or other). Its more like a real world configuration for a corporate network.
@@OstJoker that is a great suggestion.
Glad to see more videos from you on 'tik.
Got this working on my test hap lite and Cisco switch. Great video to follow along
Very nice review........ glad to you see join the 2020's in terms of single bridge vlan filtering, for most routers and CRS3xxx series. The main difference between vlans between device acting as a switch or router (besides the obvious) is that the managment vlan is the only that needs to be identified AND the only one tagged with the bridge in /interface bridge vlan settings.
On a serious note, good to focus on AX3, a very common home device. However you have indirectly discovered your next video. Explaining why switches and the AX3, which dont have a classic marvel switch chip but something called PHYs.
These need to be discussed so we folks understand what they are doing under the hood ( clearly they must help the CPU in some capacity ). A comparison would be fantastic!!!
Same with my home AX2. It's got a Gigabit PHY (QCA8075) and no mention of "wire speed". I've been using an old hAP ac lite in the lab and that says it's got wire speed :-) Then again, for most of my clients these days, the majority of traffic is heading over the internet, it's going through the "layer 3" and firewall so not sure localised LAN switching is so much of a problem in this cloud based world. More useful when you had on-premises servers and wanted to switch traffic as fast as possible between workstations and servers?
Great video Thanks for Sharing your knowledge. Interested in a 4011 Vlan config with the 2 switches. Been trying to get it to work, but unable to get it working.
I've been struggling with VLAN filtering for weeks now and finally found your video. You're saying that the bridge VLAN area is only for a switch chip. I have a CCR2004 which I've learned doesn't have a switch chip! Could this explain why setting VLAN filtering on seems to kill everything in my network?
and as always,great explanation.thanks for giving this much of efforts.
thank you! one thing i was doing wrong, tagging the vlan as well as the bridge - it didnt show up as tagged with vlan filtering enabled; one more thing i learned is that i dont need software vlans (l3) if i dont plan to use dhcp or any other l3 service.
Great explanation as always!
Shared to my connections on LinkedIn, not sure if that will help much - but hoping my techie connections will give it a bit of a boost. Just not a huge player in the UK enterprise space.
Very nice... Well explained !!!. Any QOS Videos for voip etc on Mkrotik ??
It was very usefull. Thanks
Very nice video. Can you do a bandwidth test to see if wirespeed is achieved? To see when is used switchchip and cpu. A wrong layout can decrease speed and bottlenecking.
VLAN neverending story :)
Oh man.. I just got my RB5009UG+S+ and my head is spinning with trying to figure out the VLAN setup. I will get it... but damn my head hurts right now.
Great Video as always, one request we are not able to see your mouse cursor during recording, please enable it. so that we can see actually where you are clicking.
Thank you.. 😊👌
That was a very nice, informative video. Thanks a lot for your efforts.
Awesome video! This helped me a lot, I was able to configure all the VLANs I wanted to on my RB3011 and CRS125-24G. I'm now running into the issue you mentioned @7:13. My CPU is hitting 100% downloading anything. Do you have any advice on how to implement this VLAN structure with a router that has multiple switch chips?
so helpfull ! Thanks a lot !
Without seeing your mouse, and because you sometimes click on many things so fast, often just because you're trying to find it out yourself, it becomes hard to follow your lead.
Thank you for the critique, I do apologize if it was hard to follow the video. There is an older VLAN video I created that goes over different VLAN configurations and was aimed at the MTCRE exam, it is a bit more slow paced and the mouse is captured as well if that maybe helps you with what you are struggling with:
ruclips.net/video/4BOYqtV4MCY/видео.htmlsi=x-uYF7VBBza7pGBe
I would suggest keeping this newer video in mind though as the most optimal way to configure VLANs is through the bridge function as that uses the switch chip and will give you the best performance.
So if I want to add to your setup another switch on port 24 and give it access to management vlan10, port24 has to become trunk port and added to bridge VLAN10 settings as tagged? As a result VLAN10 tagged ports will be: ether23, ether24, bridge?
Hi! Great video... one suggestion.. could you make a video/test lab on configuring CRS1xx (CRS112) with inter vlan connections with switch chip? There are so many configs/tutorials on VLANs with bridging vlans but through the switch chip.. not so many.. ok.. crs112's can be seen as 'legacy' devices but they really help a lot when configuring simple networks with intervlans (several vlans like office, guests, cameras...). That would be a great deal! :) Tx
wow 1 of the best pretty forward hap3 ax6 mkstly bought equipment for home lab thank u, i hope i will be able to somewhat replicate & set this up
Hey Johnny! I have a few questions. I was working on a router with 5 local ports (ax3 actually), and a connected managed switch. I was having issues with getting the ports on the switch (UI USW-Lite-8-PoE) to properly work with the VLANs I setup following this video. But, that's not my question. I the process of trying to get help with this - others told me that router-on-a-stick does not use a bridge. I gather based on the idea that this would involve the CPU vs the switch chips? Other? Or is there anything to this statement and something to be avoided in relation to bridges and trunked VLANs for ROAS? I don't know how else, based on this video, how you could do it otherwise without ignoring the ax3 ports for use of the VLANs. Anything regarding software VLANs verses hardware VLANs? I'm think he was saying that using a bridge turns it into a software VLAN vs only being tagged directly on the trunk ports would be hardware VLANs? Thanks!
Very usefull thank !
thanks for the video, very useful
Just what I needed, thanks!
Hey, excellent videos. I have question and problem with LTE passthrough - to be more specific with management on LTE antena.
Setup is:
LTE LHGMM
SW CSR328-24P-4S+
R CCR2004
Config is as follows:
VLAN 10 - management
VLAN 11 - passthrough
VLAN10-bridge and VLAN11-bridge on router side and Switch
DHCP Client on Router for WAN IP
DCHP Client on LTE for management.
LTE DHCP-Server -off
VLANs configured under Interface/VLAN on ether1 interfaces.
At the first it looks fine and works. But when you reboot device stack, Router is not getting anymore WAN IP form LTE antena.
I watched Mikrotik video where they say that it should not be configured in such manner as i have.
I tried to read docs which were referred in video but some how unsuccessfully :D
Question is - will your VLAN config work for passthrough and is it the one that is mentioned in the video?
ruclips.net/video/IZFAeLbujso/видео.htmlsi=XV4_hyq-hI8oP-DQ&t=304
Thanks!
thank you video tutorial, now it solve my confusion about mikrotik vlan. I have a question, how can i restrict access between vlans?
Same question here as one can get to the router on the 192.168.88.0/24 network from the VLAN 10.0.10.0/24. I've come across this before? I think you have to add a firewall rule to block it.
Hey, it'sThe Network Barry :)
awesome new looking 😊
It would've been good if you explained why the single bridge per ASIC method exists. I.e. rooted in the original Linux DSA and switchdev implementation. People who haven't worked with cumulus or whiteboxes with a Linux based OS, often think this is exclusive to MikroTik.
Great video, thank you!
Hi could you please do a wifi setup video especially with the new wifi packages.
Missed your content
Nice, i will be doing this later when my expansion switch arrives. CRS326 of course.
Can you please help me confoguring VLAN's for my RB5009 to get it working with IP-TV?
I need to use a media splitter right now from my provider. Its a managed switch litteraly and has specific ports for TV and such..
There is VLAN config on that. My IP-TV box gets an ip of 10.x.x.x..
Hello, I was wondering if it is possible to have the firewall with different rules in each Vlan?
Using a Hex POE. While this configuration "works", it is not clear that takes advantage of hardware offloading. Is this method running in software/cpu only on the HEX POE? The QCA8337 "Switch" configuration as suggested in the Mikrotik documents is not working for IP connectivity to the HEX POE (tried the vlan-header=leave-as-is per the footnote) Any advice?
Small question, why do you use the IP Address for the hAP ax3 in range 192.168.99.1/24 and for the CRS326 192.168.99.2/24 ?
🙏 thanks, more and more pls...
Gothic 2, such a great game!
Definitely one of my favorite games ever, I still replay it every couple of years
Can you make a video where you explain how to have several bridges which have e.g. port 2 untagged on vlan 20 and vlan 20 tagged on port 1 and a bridge with vlan 30 tagged on port 1 and tagged on port 3 and also the default vlan 1 untagged on port 3 must go over as pvid 1.
Thx for the good Videos
one question, do the ports need to be part of the bridge you are configuring the vlans on to work properly? Lets say you have 2 bridges, one has all the ports, one has none, can the second bridge affect vlan tagging of ports even though the ports its tagging do not reside within itself?
Great video. Just what i needed. I just got that l009, and i am in full learning mode. would it be possible to make a video on creating firewall rules in this setup.. I'd like to separate the vlans by default but have them all have an internet connection (so devices can go to the internet but not to devices on other vlans). And maybe poke a hole for some servers.. (edit words vs. Dutch autocorrect..)
Funny you should mention it was busy recording just that today 😉
@@TheNetworkBerg haha, excellent, looking forward to it.
Posted it last night, feel free to pop to the the latest video on my channel and let me know if this helps you or if you are still having issues.
Did you test mlag on mikrotik switches? Is it working fine?
I think this video has so much great information in it but it's unfortunate that it's laid out in such a confusing way. I wish you redo this and keep it organized and concise.
Thanks for your opinion, I agree that the video can come off as a little disjointed. I think it's just one of those symptoms of trying to do everything in one session and doing everything in real-time so I am processing it in my head on the spot while doing things and recording and it might not translate that well into showcasing everything.
So your wish may very well become true sometime in the future. I still think the information is useful to others that hit a snag at a certain space and need something to point them into another direction.
If you are looking for some more structured stuff I do have a separate series I covered for the MTCRE. It does convey things a bit more structured though the possibility to accidentally misconfigure something is still there. You can take a look at the VLAN videos in this playlist:
ruclips.net/video/4BOYqtV4MCY/видео.html
Question:
Suppose I have RB5009 Series where port 1 = ISP1, port 2 = ISP2, port 3-5 = for Hotspot(10.0.0.1/24), port 6 = OLT pon1 (172.16.0.1/24), port 7 = OLT pon2, (172.16.0.1/24) then lastly port 8 = LAN (192.168.100.1/24).
Knowing that I assigned each port/interface with each assigned IPs for that setup. Then,
Do I still need to configure it in a VLAN setup or is it the same already with VLAN setup?
Please help. Thanks in advance.
Hello, will there be a future video about the hybrid port/hybrid vlan on Mikrotik with an example?
I can definitely do something like a Hybrid port video as well :)
Great video, I wonder if you could fork off this and offer a VLAN tutorial for dealing with double tagging. For example were ISP's have SVID and CVID's to deal with. Can you use this way of doing VLANS to add the CVID to the bridge VLAN rather than adding new CVID's as sub interfaces to a parent SVID interface?
Interesting concept, will have to test it out because honestly the way I've always been doing it is as a sub interface.
@@TheNetworkBergYes that's how I'm doing it, but I thought after watching your vid maybe there's a better way? I don't have a lab to test so will have to build one. Might be a fun experiment.
Hey. Ive tried setting up a single vlan using this method on my mikrotik router (RB3011UIAS-RM), the port for tagging is on 7 for which I have a cisco switch plugged in and set the port connecting the link cable to the two to trunk as well as a few others. I cant seem to get internet when connecting a laptop directly to the cisco switch. I can ping the vlan gateway, and configured dhcp and it gets an Ip, but for some reason the vlan has no internet
Are you masquerading internet bound traffic out from this vlan?
You say that Software defined VLANs are bind to the bridge, but what if you use VLANs on a bond? You bind those VLANs on the bond interface and not on the bridge. The bond interfaces go to the bridge. So what do you do if you are going to tag the ports in Bridge VLANs?
Why weren't VLAN settings used for the 3** series switch in this section?
/interface ethernet switch vlan
May i ask your sir , shoud i change the PVID on bridge to vlan100 in case that i want the change native vlan to 100 ?
thank you
thank you sir...
are you experienced in taming scary monster living under /switch menu on crs1xx devices? (i'm not only talking about vlans)
VLAN on Mikrotiks makes me sad. What takes hours of planning, mapping and configuration on Mikrotik takes minutes on Cisco. Don’t get me wrong, I like Mikrotik and have more of them than Cisco in my environments for others reasons.
I do agree that MT has many potentional pitfalls when it comes to adding a VLAN and makes it feel unnecessarily harder.
Although there is one thing I remember well about Cisco and that is forgetting to use the "add" command when wanting to tag additional VLANs on a trunk, I think this has brought down more networks than it should have.
Don’t think you can expect much from them. The cost says it all. They are just not comparable at all. Everyone knows but mtik is actually fairly weak in their software, the “same OS for every of our product” starts to seem like a weakness. It seems glued and janky.
Suppose there is a router after the switch instead of a computer to receive the service via vlan interface, what will the configuration be like?
@@iRonMan-s7c
You need to configure the router accordingly to whatever your needs are, for example if the service now is internet already in a vlan that is there in a network I want to tap into it and do double natting then that can be done. It all depends on your total objective really, depending on what it is you can efficiently plan and know what devices to use or what to not.
Or on fortigate. I have MT home and fortigate at work. Loved MT until I tried fortigate...
What would happen if we changed the PVID on the bridge from 1 to 99, i.e. the PVID of the management vlan
my plan is 1G I replace Huawei HG8240T5 Gpon with LXT-010S-H from LEOX and I'm install it in to Mikrotik RB5009
from Mikrotik I setup Vlan10 and PPPoE for Internet and It's work and I got internet connection but I couldn't figure out how to configure Vlan30 for VoIP
Sir how about multiple crs with failover using layer 3
Modifying /adding vlan need to off the VLAN filtering and once you are done we need to enable it again? Is that correct?
No you do not need to do that if you want to add or remove any new vlans to the bridge.
@@TheNetworkBerg appreciate your reply 🙂, how to add other vlan? Can we just add it to the existing vlan and just will work?
@@jimmmaximilia2913 yeah you can just add additional VLANs by going to the vlan tab clicking on the + and adding any new vlans.
@@TheNetworkBerg appreciate your response. Thank you. 👍
it works even without bridge\vlan filtering enabled.
That is correct, although I think it is needed in order to actually hardware offload if your device has a switch chip so that the CPU does not handle the traffic.
Spend more time outlining the goal, preferably by drawing data paths, before making changes... you're going at a speed where only a network admin can follow you and those don't need this video.
Why this is better solution?
I have created separate bridges for Server, Management, LAN etc. and on interfaces I have created vlan to each ports separately
Basically it boils down to throughput and hardware offloading. Multiple bridges may not support hardware offloading and traffic between the bridges will probably have to go through to the CPU to get processed. Depending on the model of your hardware this link to the CPU might be very small (Like 1Gb) and can easily impact performance like speed or cause packet loss. The other problem is that the CPU will have to deal with the forwarding and this can cause a spike in the CPU usage. If the CPU starts maxing out it can potentially cause the router to hang and will also provide a general negative experience. Perhaps your network isn't that big or you are using bigger routers and you just never really notice the impact on the CPU, it is strongly advised to use hardware offloading with a switch chip wherever possible for the best performance. Though there are also instances where traffic needs to pass to the CPU regardless and even having a switch chip will not improve your performance. This is why looking at the documentation is crucial in planning out your network.
@@TheNetworkBerg right now I'm using RB4011 without any disadvantages, but probably not full speed via the 2,5Gb/s connections to CPU, but You made my mind go crazy and probably I will change it after copy of configuration of course :)
Good idea for video if possible, filter rules on switch chip itself. What I noticed a lot, people are buying CRS devices and use them as routers... Mikrotik is confusing their customers with that naming scheme. As you said, CPU is limited and thus routing performance is bad...
Great video but for life of me, can’t seem to get it working
I have a problem with vlans...my queues are not working well ..mk cpu is freaking high
I want to see this with SwOS aswell.. its a little bit more complicated there
I will see if I can get SwOS installed to check for the changes from my understanding it is a bit different
@TheNetworkBerg yes it is! Backup files isn't great either. Every config variables are combined and also lots of random characters so it's really hard to read. My colleague needed to take pictures of all settings so it would be more easy for me to replicate and deploy to another switch. I don't know if I just can use the backup file and restore on the new switch?
I would also like to see a basic VLAN setup. On just a switch with an uplink. Both on RouterOS and SwOS.
Like i want to add some of the ports to VLAN 340 and nothing else. For example port 4, 7, 9, 11 and 15.
I guess those ports need to be added aswell on the uplink port. As you show in this video.
Now just to remember when and when NOT L3 HW offload happens. I wish I didn't have to remember....so more expensive L3 switches it is for me even for homelab.
This lec required in Urdu translation.. i.e Urdu language
Mikrotik needs to write a tool like the windows tool in python that can be used on OS's other than Windows. A universal tool.
You mean WinBox? Lot of discussion about controllers and the apps on the forums.
also they did just that now
❤
everything works, but with larger traffic of 1GB (10GB sfp links) my cpu is loaded at 100%
Strange, has yours ports been added to a VLAN filtered bridge? Have ran this same setup on 25Gb, 40Gb & 100Gb interfaces and I get full throughput without CPU bottle-necking.
@@TheNetworkBerg I checked it on 10 and 100 Gb cards but the result was the same on both. So I thought that I do some configuration mistake and I set everything up again and the result was the same - CPU 100%
i wish you'd redo this. make a plan first and stop bouncing all over the place. its so confusing to watch.
its still not make any sense when you can configure vlan many ways! its not user friendly practice at all! p.s but great video!
Yeah it is extremely frustrating especially for someone trying to learn about VLANs, and then having people shout at you that you are doing it wrong. Even though the MikroTik allows you to do it and in some cases MikroTik suggests configuring a VLAN a certain way :(
@@TheNetworkBerg they should fix routers os and command to create vlan should know mikrotik hardware has switch chip or no!there should be only one way to create vlan
If you could be a little slower with a mouse, I can't follow this, something you already new and something that is totally new for me.
This video is rich, but the movement of your cusor is the problem. Teach like you know that some persons hands need to be held. move slowly for people to follow properly.
Thank you for the constructive feedback, I do appreciate it and agree
Is that a Finnish accent?
I love the Finnish people, but no, my accent is South African.
@@TheNetworkBerg Oh, so you're Afrikaans.
@@mockingmoniker7443 that is correct yes, I am Afrikaans.
When they integrate Ai there will be no network engineers.
Then we can all finally retire and take a break. Though in all seriousness this is the case for almost all industries.
😂😂😂
Messy video. Your previous videos on the topic are better.
I have a question, would this be possible
1 router and one unmanaged switch
In the network 3 vlans 'guest, servers, IOT, the device gets put on 'guest' my default and with Mac address I can assign then to the vlans
Hey Johnny! I have a few questions. I was working on a router with 5 local ports (ax3 actually), and a connected managed switch. I was having issues with getting the ports on the switch (UI USW-Lite-8-PoE) to properly work with the VLANs I setup following this video. But, that's not my question. In the process of trying to get help with this - others told me that router-on-a-stick does not use a bridge. I gather this is based on the idea that this would involve the CPU vs the switch chips? Other? Is there anything to this statement and something to be avoided in relation to bridges and trunked VLANs for ROAS? I don't know how else, based on this video, you could do it otherwise without ignoring the ax3 ports for use of the VLANs. Anything regarding software VLANs verses hardware VLANs? I'm think they were saying that using a bridge turns it into a software VLAN vs only being tagged directly on the trunk ports would be hardware VLANs? Thanks!
Hello, I think this documentation from MT directly covers a lot of the "How can I wrongly configure a VLAN on MikroTik" questions.
help.mikrotik.com/docs/spaces/ROS/pages/19136718/Layer2+misconfiguration
But there are two ways you can go about it really.
1) Select a port you want to connect to the switch and configure the VLANs you want down to the switch and use this interface for the VLANs. (This is where you are creating a software VLAN and binding it to a physical interface, you go to the VLAN configuration and create a VLAN from there, essentially the CPU will handle this traffic)
2) Configure a bridge with VLAN-Filtering enabled and tag the vlans to the bridge and assign each VLAN to the trunk port from the VLANs tab that you want down to the switch. (This is where the ASIC will handle the traffic)
So in essence using a single bridge is where you would be using the hardware whereas just tagging vlans to an interface is software based.
But it's not bad using a software VLAN, if the CPU is powerful enough which on an AX3 for the most case is you can achieve decent speed and it is the most common setup compared to ROAS on something like a Cisco device.
It's also very common to create a software based VLAN if let's say your ISP gives you a VLAN to configure on your WAN port and you need to route traffic out via this VLAN.