VLANs.
The MikroTik VLAN model changed substantially between v6 and v7 (the bridge / switch-chip story converged). This page sets up three VLANs (trusted, iot, guest) on a single bridge with VLAN filtering, plus the firewall rules that actually enforce the segmentation: VLAN tags alone only separate broadcast domains, the router still routes between them unless told not to.
v6 vs v7 — the bridge model
Topology
ether1 (WAN)
ether2 (trunk: tagged 10, 20, 30) ── to a managed switch
ether3 (access: untagged VLAN 10) ── desktop
ether4 (access: untagged VLAN 20) ── IoT hub
ether5 (access: untagged VLAN 30) ── guest AP
wlan1  (tagged via separate SSIDs)
Three VLANs:
- VLAN 10 — trusted — laptops, NAS, wired desktops.
- VLAN 20 — iot — smart bulbs, vacuum, doorbell.
- VLAN 30 — guest — guest Wi-Fi.
Step 1 — Bridge with VLAN filtering
Create the bridge, add the ports, and set each access port's PVID. VLAN filtering stays off until Step 4.
/interface/bridge add name=bridge-vlan vlan-filtering=no
# Add ports — leave vlan-filtering=no for now; we'll flip it last so we don't lock ourselves out.
# ether2 is the trunk: admit only tagged frames so nothing untagged can slip into its pvid (1).
/interface/bridge/port add bridge=bridge-vlan interface=ether2 frame-types=admit-only-vlan-tagged
/interface/bridge/port add bridge=bridge-vlan interface=ether3 pvid=10
/interface/bridge/port add bridge=bridge-vlan interface=ether4 pvid=20
/interface/bridge/port add bridge=bridge-vlan interface=ether5 pvid=30

pvid is the VLAN that untagged traffic on the port gets assigned to. ether3 is an access port for VLAN 10 — untagged traffic going IN gets tagged 10; tagged traffic going OUT gets untagged. ether2 is a trunk — its pvid (default 1) won't matter because frame-types=admit-only-vlan-tagged means only tagged frames are accepted on it.
Step 2 — Bridge VLAN table
Tell the bridge which VLAN IDs exist + which ports they live on. Tagged ports keep the VLAN tag; untagged ports strip/insert it transparently.
# The bridge itself must be a tagged member of each VLAN, otherwise the router's own VLAN
# interfaces (Step 3) receive nothing once filtering is switched on.
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=10 tagged=bridge-vlan,ether2 untagged=ether3 comment="trusted"
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=20 tagged=bridge-vlan,ether2 untagged=ether4 comment="iot"
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=30 tagged=bridge-vlan,ether2 untagged=ether5 comment="guest"

Step 3 — VLAN interfaces (for the router-side IP + DHCP)
Each VLAN needs an interface on the router so we can assign an IP + run DHCP. These are tagged sub-interfaces of the bridge:
/interface/vlan add name=vlan-trusted vlan-id=10 interface=bridge-vlan
/interface/vlan add name=vlan-iot vlan-id=20 interface=bridge-vlan
/interface/vlan add name=vlan-guest vlan-id=30 interface=bridge-vlan
# IPs
/ip/address add address=10.10.10.1/24 interface=vlan-trusted
/ip/address add address=10.20.20.1/24 interface=vlan-iot
/ip/address add address=10.30.30.1/24 interface=vlan-guest
# DHCP servers — one per VLAN (see DHCP page for the full shape)
/ip/pool add name=trusted-pool ranges=10.10.10.10-10.10.10.250
/ip/pool add name=iot-pool ranges=10.20.20.10-10.20.20.250
/ip/pool add name=guest-pool ranges=10.30.30.10-10.30.30.250
/ip/dhcp-server/network add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
/ip/dhcp-server/network add address=10.20.20.0/24 gateway=10.20.20.1 dns-server=10.20.20.1
/ip/dhcp-server/network add address=10.30.30.0/24 gateway=10.30.30.1 dns-server=10.30.30.1
/ip/dhcp-server add name=trusted-dhcp interface=vlan-trusted address-pool=trusted-pool
/ip/dhcp-server add name=iot-dhcp interface=vlan-iot address-pool=iot-pool lease-time=4h
/ip/dhcp-server add name=guest-dhcp interface=vlan-guest address-pool=guest-pool lease-time=2h
/ip/dhcp-server/enable trusted-dhcp,iot-dhcp,guest-dhcp

Step 4 — Flip VLAN filtering on
This is the step that locks you out if the tagged/untagged config is wrong. Do it from a console / serial port, not from Winbox over the LAN you're about to reshape; if you have no choice, enter Safe Mode first so RouterOS rolls the change back when the session drops.
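Before flipping the bit, a pre-flight check on the export (added here; not part of the original page or of MikroTik's tooling). It parses the Step 1-3 `add` lines as they appear in a /export dump and flags the three classic lock-out causes; the sample config is constructed with two of them planted (VLAN 10 without the bridge as tagged member, trunk ether2 without frame-types).

```python
import re

# Constructed sample: the Step 1-3 commands as they appear in an /export dump, with two
# mistakes planted: VLAN 10 lacks the bridge as tagged member, and trunk ether2 has no frame-types.
CONFIG = """
/interface/bridge/port add bridge=bridge-vlan interface=ether2
/interface/bridge/port add bridge=bridge-vlan interface=ether3 pvid=10
/interface/bridge/port add bridge=bridge-vlan interface=ether4 pvid=20
/interface/bridge/port add bridge=bridge-vlan interface=ether5 pvid=30
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=10 tagged=ether2 untagged=ether3 comment="trusted"
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=20 tagged=bridge-vlan,ether2 untagged=ether4 comment="iot"
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=30 tagged=bridge-vlan,ether2 untagged=ether5 comment="guest"
/interface/vlan add name=vlan-trusted vlan-id=10 interface=bridge-vlan
/interface/vlan add name=vlan-iot vlan-id=20 interface=bridge-vlan
/interface/vlan add name=vlan-guest vlan-id=30 interface=bridge-vlan
"""

def parse(config):
    """Split `/path add k=v ...` lines into bridge ports, bridge VLAN rows and VLAN interfaces."""
    ports, vlans, ifaces = {}, {}, {}
    for line in config.strip().splitlines():
        path, _, rest = line.partition(" add ")
        kv = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', rest))
        members = lambda key: set(kv.get(key, "").split(",")) - {""}
        if path == "/interface/bridge/port":
            ports[kv["interface"]] = kv
        elif path == "/interface/bridge/vlan":
            for vid in kv["vlan-ids"].split(","):
                vlans[int(vid)] = {"tagged": members("tagged"), "untagged": members("untagged")}
        elif path == "/interface/vlan":
            ifaces[kv["name"]] = (int(kv["vlan-id"]), kv["interface"])
    return ports, vlans, ifaces

def preflight(config):
    ports, vlans, ifaces = parse(config)
    problems = []
    # 1. The router's own VLAN interfaces only see traffic if the bridge is a tagged member of that VLAN.
    for name, (vid, bridge) in ifaces.items():
        if bridge not in vlans.get(vid, {}).get("tagged", set()):
            problems.append(f"{name}: {bridge} not tagged on VLAN {vid}; router loses access to it")
    # 2. An access port's pvid must be listed untagged on that VLAN, or its frames go nowhere.
    for port, kv in ports.items():
        if "pvid" in kv and port not in vlans.get(int(kv["pvid"]), {}).get("untagged", set()):
            problems.append(f"{port}: pvid {kv['pvid']} but not untagged on VLAN {kv['pvid']}")
    # 3. A trunk (tagged member, no pvid) should refuse untagged frames, else they land in VLAN 1.
    for port, kv in ports.items():
        is_trunk = any(port in v["tagged"] for v in vlans.values())
        if is_trunk and "pvid" not in kv and kv.get("frame-types") != "admit-only-vlan-tagged":
            problems.append(f"{port}: trunk accepts untagged frames; set frame-types=admit-only-vlan-tagged")
    return problems  # empty list means it is safe to set vlan-filtering=yes
```

Run it against a real `/export` with everything except the bridge port, bridge vlan and vlan interface sections stripped; an empty result is the green light for the next command.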
/interface/bridge set bridge-vlan vlan-filtering=yes

Step 5 — Firewall: enforce the segmentation
VLAN tags by themselves don't prevent inter-VLAN traffic — the router will happily route between them. The segmentation lives in the forward chain.
# Interface lists for the firewall to reference
/interface/list add name=LAN-trusted
/interface/list add name=LAN-iot
/interface/list add name=LAN-guest
/interface/list/member add list=LAN-trusted interface=vlan-trusted
/interface/list/member add list=LAN-iot interface=vlan-iot
/interface/list/member add list=LAN-guest interface=vlan-guest
# Assumes the forward chain already starts with accept connection-state=established,related
# and drop connection-state=invalid (the default config has both in forward, not just input);
# without them the drops below also kill the replies to the trusted → IoT connections we allow.
# Also assumes an interface list named WAN already exists and contains ether1.
# Allow trusted → IoT (so you can manage IoT devices)
/ip/firewall/filter add chain=forward action=accept in-interface-list=LAN-trusted out-interface-list=LAN-iot comment="trusted → IoT"
# Block IoT → trusted (default deny on connections initiated from IoT)
/ip/firewall/filter add chain=forward action=drop in-interface-list=LAN-iot out-interface-list=LAN-trusted comment="IoT ↛ trusted"
# Block guest → everywhere except WAN
/ip/firewall/filter add chain=forward action=drop in-interface-list=LAN-guest out-interface-list=LAN-trusted comment="guest ↛ trusted"
/ip/firewall/filter add chain=forward action=drop in-interface-list=LAN-guest out-interface-list=LAN-iot comment="guest ↛ iot"
# Allow all LAN → WAN (NAT happens in srcnat separately)
/ip/firewall/filter add chain=forward action=accept in-interface-list=LAN-trusted out-interface-list=WAN
/ip/firewall/filter add chain=forward action=accept in-interface-list=LAN-iot out-interface-list=WAN
/ip/firewall/filter add chain=forward action=accept in-interface-list=LAN-guest out-interface-list=WAN

Wi-Fi VLANs
Different SSIDs map to different VLANs via the WLAN's vlan-id setting. WiFiWave2 + classic wireless syntaxes diverge — see Wi-Fi for the full shape. The summary: create one virtual AP per SSID, set vlan-mode=use-tag + vlan-id=N, and the bridge VLAN config above handles the rest.
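Back to the Step 5 forward chain: a small first-match model of it (an added example, not MikroTik code) that computes the verdict for every zone pair, lists the pairs no rule ever names, and shows why the established/related accept has to live in the forward chain itself. The two leading rules are assumed to come from the default config; the interface-list names are the ones created above.

```python
# Constructed model of the Step 5 forward chain, in the order the rules are added.
# Each rule is (connection_state, in_interface_list, out_interface_list, action);
# None means the rule does not match on that field, exactly like an unset matcher.
RULES = [
    ("established,related", None, None, "accept"),  # assumed at the top, from the default config
    ("invalid", None, None, "drop"),                # assumed at the top, from the default config
    (None, "LAN-trusted", "LAN-iot", "accept"),
    (None, "LAN-iot", "LAN-trusted", "drop"),
    (None, "LAN-guest", "LAN-trusted", "drop"),
    (None, "LAN-guest", "LAN-iot", "drop"),
    (None, "LAN-trusted", "WAN", "accept"),
    (None, "LAN-iot", "WAN", "accept"),
    (None, "LAN-guest", "WAN", "accept"),
]
LAN_ZONES = ["LAN-trusted", "LAN-iot", "LAN-guest"]

def forward(rules, state, in_list, out_list):
    """First matching rule wins. Returns (action, rule_index); a packet that reaches
    the end of a RouterOS chain is accepted, which is why the explicit drops exist."""
    for i, (r_state, r_in, r_out, action) in enumerate(rules):
        if r_state is not None and state not in r_state.split(","):
            continue
        if r_in is not None and r_in != in_list:
            continue
        if r_out is not None and r_out != out_list:
            continue
        return action, i
    return "accept", None

def matrix(rules):
    """Verdict for a *new* connection from each LAN zone to every other zone."""
    return {(s, d): forward(rules, "new", s, d)[0]
            for s in LAN_ZONES for d in LAN_ZONES + ["WAN"] if s != d}

def implicit_accepts(rules):
    """LAN zone pairs no rule names: they pass only because the chain falls through."""
    return sorted((s, d) for s in LAN_ZONES for d in LAN_ZONES
                  if s != d and forward(rules, "new", s, d)[1] is None)

def reply_survives(rules):
    """Does IoT -> trusted *return* traffic get through? Only with the established rule in place."""
    return forward(rules, "established", "LAN-iot", "LAN-trusted")[0] == "accept"
```

With the rules as written, trusted → guest and IoT → guest are never named and pass on the implicit accept; add explicit drops if the guest VLAN should be unreachable from inside as well.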
Verify
/interface/bridge/vlan print
/interface/bridge/host print
/ip/dhcp-server/lease print
# Confirm a client on ether3 gets a 10.10.10.x address (trusted),
# and a client on ether4 gets 10.20.20.x (iot)