VLANs, pt.2: vlan-filtering and management VLAN

To say truth, after 10+ years working in IT, this configuration method still blows my head :-)

I love this video as well as every video you have made. I think it would be even more helpful to see every CLI command you write in an adjacent window at the same time as the result in a GUI. In complex videos like the one with VLANs, we have to do them in the lab and see the result in a GUI to be sure that we understood. You do a great job with the videos and we learn new tricks.

wow! you have done a great job, thank you! add that "bridge ports = ingress, bridge vlan= egress" to the wiki

You should create a topic on the MikroTik forum to cover the VLAN mini-series, and post exports of the sample configurations for reference.
I also think an additional video where you configure the hAP ac2 with a trunk link to the CRS326 would be useful. Then the hAP ac2 should be configured to do inter-vlan routing, as well as provide dhcp server, internet access and firewall configured on the hAP ac2. Then demonstrate how devices connected to the different vlans can communicate with each other via the hAP ac2. Possibly configure a "guest vlan" that can not establish a connection to a "trusted" vlan, but the trusted vlan can connect to a device on the guest vlan, the return traffic being allowed by an established/related rule in the forwarding chain.
Then configure a vlan-filtered bridge on the L009 with access ports for each vlan. This should then act as another vlan-aware switch, with a management connection on vlan 99, but no other vlan interfaces.
Then show that the access ports on the L009 can communicate with the the access ports on the CRS326 and CRS112, and as long as they are in the same vlan, that no (significant) CPU resources are used.
A bonus would be configuring wifi on the hAP ac2 with different SSIDs, and how the access ports associated with each vlan/SSID can communicate.

This is a great overview and tutorial for how VLANs work on RouterOS. I feel like I understand it all much better now. Thanks especially for including the MGMT configuration and demonstrating HW offload + CPU access works with a practical example.

Clear as mud; moved from a Hex to a Tplink Smart Switch and setup in 5 mins.

I want to clarify that your work is very much appreciated by me

Nice video, exactly what I have looking for quite some time. I manage a broad variety of devices and always got stock with vlans. Now I do inderstand the, better. Thanks a lot.

One of the best explanations for begginers that get to see. In my work field we use this exact settings in action in a very poppulared hotel
Well done saving me hours of explanation from my superior that i couldn't undestand without trainning

Nice, detailed video. I run similar setups, but this is a very clear description of the CRS configurations.

thanks for a great video on a topic which bugged me for some years where i could have used that video to save me a lot of mind-lock-ups xD
i had to figure it out mostly with the old docs and by trail and error :)
great for beginners and users new to VLANs in ROS!

Thank you so much! I was struggling to get a hAP ax2 to trunk on an interface and have the two different WiFi interfaces on different VLANs, etc. This video and your showing the configuration as you built it helped me to understand *where* in the GUI (Winbox) I needed to set the VLANs and what options vlan-filtering and ingress-filtering. There are just too many ways to go wrong in the GUI. I think in the future, I'll be using the CLI to manage my hAP.

Thanks so much for this video, it did clarify a lot or questions I had about VLAN setup in Mikrotik

Thank you! Everything quick and clear.

Excellent video as always 😊

Thanks for the great video ! would be nice to see how to config a wifiwave2 AP with vlans, i.e Router (CAPsMAN) + Switch + wifiwave2 AP.

Pretty useful, specially for the non bridge vlan filtering method (CRS1xx, CRS2xx with HW), that is most of the times missed in examples.

This is very useful, after struggling with ROMON in a 700 plus device network. :-(

QinQ or VXLAN or VPLS video IMO

Thanks! Please, can you make a video about vlans , qos and multiple ssid ? It might be useful to separate lan access, iot devices, media devices, etc

Loved this video and it explained more than I could understand from the manuals. For future videos I would love it if you build on this to cover wireless vlan's using Capsman and a management network? It may be a bit long for some.

Thanks for the detail video to let us know different approach vlan setup in Mikrotik device

QinQ in the next video would be great thanks. If you could explain what happens when a Mikrotik Switch receives a QinQ frame as well that would be great. If I have the L3 QinQ interfaces on a Mikrotik Router and I just want my Mikrotik Switch to receive/forward the QinQ frames to the Router how would you do this (No VLAN stripping or anything like that just a trunk forward).

Yes. Very helpful

Should the bridge only have 1 trunk or are multiple trunks acceptable?
Does master and slave port configuration apply anywhere?
Last video you mentioned STP and RSTP. How is this config safe to use with these protocols or are there other considerations?
I think going over wireless access points where you have multiple SSIDs which each corresponds to different VLANs plus management VLAN would be great.
Also how to properly handle mdns between vlans and prevent flooding.

I like the comments below. I also turn on Subtitles when listening and the commands you are discussing are behind the subtitles. I am somewhat struggling with VLANs in general - besides the multiple ways they are implemented in Mikrotik OSs. I would also love to see diagrams or animations - showing what is happening with the data packets as they are travelling the network, though the ports and bridges to get a better understanding of what tags are seen where. I know this is more complicated to ask but would be very helpful.

Really good examples. Is there a code output of what is described? May I ask?

Should rb5009 vlans be configured in the same manner as crs112 ?
Would be nice to see "tagged vlans over wifi ssid"

can we set a trunk port to allow all vlans , while set other ports in hyprid configuration for example in voip scenarios ?

Would be good to share final configuration as text so it's easier to copy and adjust for similar setups.

So if you want to make multiple VLANs, with DHCP, etc, you need to also make an interface VLAN for every VLAN? Does every other switch also require a interface VLAN for every VLAN or just he management VLAN?

for Internet Tagged VLAN (PPPoE) using this method do improve performance for 2Gbps internet plan?

Idea for the next video: Advanced capsman configuration please!

10:01 but when we add an IP address to the network port itself on the laptop then it should work?

Thank you so much for this detailed video and all the explaination. I have 3 routers behind each other and started a trunk from the first to the last. The devices I have in use are RB5009, CRS328 and hAP ax².
I tried the complete same settings with all 3 devices to route the trunk and the VLANS through. It all worked with CRS328 and hAP ax². But after hours I am not able to bring also the RB5009 in the row.
In the video you decribed the topic with different settings for CRS1xx/CRS2xx. Is there something similar with my RB5009 or should it work like you showed in the video until 14:24?

Please make a video about the firewall managle marking and how the packets get marked and when the mark is replaced. Thnx

I just received the crs510, there is already a bridge configured for management, is this bridge HW offloaded? Or do i need to create a 2nd bridge which is hardware offloaded ? Also, my trunc will be a 100Gbit port, do i need to add vlans to each of the 4 25Gbit ports that make up the 100Gbit connection, or do i only need todo the settings on the first qfsp28-1-1 port ?

15:38 why that is so? Why the software can't do it at the same way like on the bigger switches?

I don't get why the term bridge is used. Isn't that an outdated network device to just bridge 2 networks?

Yes all is clear. However work was on L2 only. Third video should discuss L3 and how to isolate on that level please. All possible isolation options not just simple drop rules.

Another clear and well constructed presentation, thanks Druvis.

8:15 I learned sth. new. You don't have to put the access ports for some VLAN into the bridge VLAN menu as untagged.

CapMan + Vlan {possible vlan configuration from capman?} + quest and internal wifi ?

Some video graphics error at 3:33 for example.

HI, what OS do you using ? THX for answer

My only complaint about this is how you do it all _only_ from the CLI. You have a UI, Show how to do the same steps in the UI, AS WELL as the CLI.... :argh:

Druvis, what linux distribution you are using?

brave taking this topic on....

Nice video series, but it's too dense, even if incomplete. First of all, all those options are not suitable for every device. You need to check the support pages for VLAN switching to see what's best for your device and its hardware. Also configuring the bridges differently than your physical chips can lead to weird routing and bottlenecks. In my opinion the videos should have been structured differently. Something like, first video should talk about Vlans in general. Without mentioning anything about hardware technicalities or mikrotik specifics. Second should be a general presentation of how routeros and winbox abstract the various vlan details into the various entities like bridges, interfaces etc. And then, it should be separate videos about each router generation, device type (like APs) or even specific models that requires special attention to optimize things like hardware offloading.

I am amazed only by vlan configuration on linux OS. Can you tell me which OS is this?

is it silly to set up vlans on a home switch , one vlan for a firestick , one vlan for the PC and another one for the ps5

This is too difficult. After 50+ configuration attempts of a hybrid port against a bridge I am lost in the rabbit hole

Good vídeo, spanish version? 😅😅

we need a new thread for this in forum, just for basic one not advanced one, maybe with winbox config step by step, cli command is nigtmare for beginner 😁😁😁

I am strongly, interested, because I just have to configure my LGH LTE18 RouterOs Kit, but your illustration is useless to me, following your illustration (even if it helped me with Google Translation) it is only in English. Although I have made every effort to simulcast your explanation. It was all in vain. Is there an alternative? Thank you.

You are an amazing teacher! Please create more highly technical videos. Why not tackle hardware off-loading and utilizing the best of a switch and a router. Each with different types of supported hardware off-loading. :) I write that because I have a crs326-24g switch and a ccr2004 passive cooled router. I find that you can use the switch as a router and vice versa but the switch has l3-hw-offloading where the router does not and I do not understand the hardware offloading the router does exactly.