
VLANs.

The MikroTik VLAN model changed substantially between v6 and v7 (the bridge / switch-chip story converged). This page sets up three VLANs — trusted, iot, guest — on a single bridge with VLAN filtering, together with the firewall rules that actually enforce the segmentation.

v6 vs v7 — the bridge model


Topology

  ether1 (WAN)
  ether2 (trunk: tagged 10, 20, 30) ── to a managed switch
  ether3 (access: untagged VLAN 10) ── desktop
  ether4 (access: untagged VLAN 20) ── IoT hub
  ether5 (access: untagged VLAN 30) ── guest AP
  wlan1  (tagged via separate SSIDs)
  

Three VLANs:

  • VLAN 10 — trusted — laptops, NAS, wired desktops.
  • VLAN 20 — iot — smart bulbs, vacuum, doorbell.
  • VLAN 30 — guest — guest Wi-Fi.

Step 1 — Bridge with VLAN filtering

Create the bridge, add the ports, and set a PVID on each access port. VLAN filtering itself is switched on last (Step 4).

/interface/bridge add name=bridge-vlan vlan-filtering=no
# Add ports — leave vlan-filtering=no for now; we'll flip it last so we don't lock ourselves out.
# ether2 is the trunk: admit only tagged frames, and drop frames for VLANs the port is not a member of.
/interface/bridge/port add bridge=bridge-vlan interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports: untagged ingress is assigned the pvid, tagged frames are rejected at the port.
/interface/bridge/port add bridge=bridge-vlan interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface/bridge/port add bridge=bridge-vlan interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface/bridge/port add bridge=bridge-vlan interface=ether5 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

pvid is the VLAN that untagged traffic arriving on the port is assigned to. ether3 is an access port for VLAN 10 — untagged frames going IN are tagged 10 inside the bridge; VLAN 10 frames going OUT leave the port untagged. ether2 is a trunk — its pvid (default 1) won't matter because the port's frame-types setting only admits tagged frames on it.

Step 2 — Bridge VLAN table

Tell the bridge which VLAN IDs exist + which ports they live on. Tagged ports keep the VLAN tag; untagged ports strip/insert it transparently.

# The bridge itself must be a tagged member of every VLAN the router holds an IP on,
# otherwise the vlan-trusted / vlan-iot / vlan-guest interfaces in Step 3 never see the traffic.
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=10 tagged=bridge-vlan,ether2 untagged=ether3 comment="trusted"
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=20 tagged=bridge-vlan,ether2 untagged=ether4 comment="iot"
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=30 tagged=bridge-vlan,ether2 untagged=ether5 comment="guest"

Step 3 — VLAN interfaces (for the router-side IP + DHCP)

Each VLAN needs an interface on the router so we can assign an IP + run DHCP. These are tagged sub-interfaces of the bridge:

/interface/vlan add name=vlan-trusted vlan-id=10 interface=bridge-vlan
/interface/vlan add name=vlan-iot     vlan-id=20 interface=bridge-vlan
/interface/vlan add name=vlan-guest   vlan-id=30 interface=bridge-vlan

# IPs
/ip/address add address=10.10.10.1/24 interface=vlan-trusted
/ip/address add address=10.20.20.1/24 interface=vlan-iot
/ip/address add address=10.30.30.1/24 interface=vlan-guest

# DHCP servers — one per VLAN (see DHCP page for the full shape)
/ip/pool add name=trusted-pool ranges=10.10.10.10-10.10.10.250
/ip/pool add name=iot-pool     ranges=10.20.20.10-10.20.20.250
/ip/pool add name=guest-pool   ranges=10.30.30.10-10.30.30.250
/ip/dhcp-server/network add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
/ip/dhcp-server/network add address=10.20.20.0/24 gateway=10.20.20.1 dns-server=10.20.20.1
/ip/dhcp-server/network add address=10.30.30.0/24 gateway=10.30.30.1 dns-server=10.30.30.1
/ip/dhcp-server add name=trusted-dhcp interface=vlan-trusted address-pool=trusted-pool
/ip/dhcp-server add name=iot-dhcp     interface=vlan-iot     address-pool=iot-pool     lease-time=4h
/ip/dhcp-server add name=guest-dhcp   interface=vlan-guest   address-pool=guest-pool   lease-time=2h
/ip/dhcp-server/enable trusted-dhcp,iot-dhcp,guest-dhcp
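Steps 1 to 3 only work when three tables agree: each access port's pvid must have a bridge VLAN entry that lists the port as untagged, the trunk must never appear untagged, and every VLAN the router holds an IP on must list the bridge itself as tagged. The following is an added example, not code from this page or from MikroTik: a small Python checker that parses commands in the shape used above and reports any mismatch. It assumes single-value vlan-ids (no ranges) and a constructed sample in which the guest entry deliberately leaves the bridge out of its tagged list, which is the mistake the check is meant to catch.

```python
import re

# Constructed sample config (not a live export): the bridge-port, bridge-vlan and
# vlan-interface commands in the shape this page uses. The guest entry deliberately
# omits the bridge from its tagged list so the check below has something to report.
SAMPLE_CONFIG = """
/interface/bridge/port add bridge=bridge-vlan interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface/bridge/port add bridge=bridge-vlan interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
/interface/bridge/port add bridge=bridge-vlan interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface/bridge/port add bridge=bridge-vlan interface=ether5 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=10 tagged=bridge-vlan,ether2 untagged=ether3 comment="trusted"
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=20 tagged=bridge-vlan,ether2 untagged=ether4 comment="iot"
/interface/bridge/vlan add bridge=bridge-vlan vlan-ids=30 tagged=ether2 untagged=ether5 comment="guest"
/interface/vlan add name=vlan-trusted vlan-id=10 interface=bridge-vlan
/interface/vlan add name=vlan-iot vlan-id=20 interface=bridge-vlan
/interface/vlan add name=vlan-guest vlan-id=30 interface=bridge-vlan
"""

# key=value pairs; values may be double-quoted (comment="...") or bare
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_commands(text):
    """Turn '/path add k=v k=v' lines into (path, {k: v}) tuples."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, _, rest = line.partition(" add ")
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        cmds.append((path, kv))
    return cmds


def members(entry, key):
    """Comma-separated port list (tagged= / untagged=) as a set."""
    return set(filter(None, entry.get(key, "").split(",")))


def audit(text):
    """Return a list of findings; an empty list means the three tables agree."""
    cmds = parse_commands(text)
    ports = {c["interface"]: c for p, c in cmds if p == "/interface/bridge/port"}
    vlans = {}
    for p, c in cmds:
        if p == "/interface/bridge/vlan":
            for vid in c["vlan-ids"].split(","):   # assumption: single ids, no ranges
                vlans[int(vid)] = c
    router_ifaces = {int(c["vlan-id"]): c["name"] for p, c in cmds if p == "/interface/vlan"}

    findings = []
    for name, port in ports.items():
        pvid = int(port.get("pvid", 1))            # RouterOS default pvid is 1
        frame_types = port.get("frame-types", "admit-all")
        if frame_types == "admit-all":
            findings.append(f"{name}: frame-types left at admit-all; declare the port trunk or access")
        if frame_types == "admit-only-vlan-tagged":
            # trunk: must not be an untagged member of anything
            for vid, v in vlans.items():
                if name in members(v, "untagged"):
                    findings.append(f"{name}: trunk port is listed untagged in VLAN {vid}")
            continue
        # access port: its pvid must exist and list this port as untagged
        if pvid not in vlans:
            findings.append(f"{name}: pvid {pvid} has no bridge VLAN entry, untagged traffic goes nowhere")
        elif name not in members(vlans[pvid], "untagged"):
            findings.append(f"{name}: pvid is {pvid} but the port is not an untagged member of VLAN {pvid}")
    for vid, iface in router_ifaces.items():
        if vid not in vlans:
            findings.append(f"{iface}: VLAN {vid} has no bridge VLAN entry")
            continue
        bridge = vlans[vid]["bridge"]
        if bridge not in members(vlans[vid], "tagged"):
            findings.append(f"{iface}: VLAN {vid} does not list {bridge} as tagged, "
                            f"so the router-side interface will not see its traffic")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the commands you are about to paste into the router (the `/interface/bridge/vlan print` output uses a different layout, so feed it the commands, not the print output). On the sample it reports only the guest VLAN's missing bridge tag; adding `bridge-vlan` to that entry's tagged list clears the finding.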

Step 4 — Flip VLAN filtering on

This is the locks-you-out step if you got the tagged/untagged config wrong. Do this from a console / serial port, not Winbox over the LAN you're about to reshape.

/interface/bridge set bridge-vlan vlan-filtering=yes

Step 5 — Firewall: enforce the segmentation

VLAN tags by themselves don't prevent inter-VLAN traffic — the router will happily route between them. The segmentation lives in the forward chain.

# Interface lists for the firewall to reference
/interface/list add name=LAN-trusted
/interface/list add name=LAN-iot
/interface/list add name=LAN-guest
/interface/list/member add list=LAN-trusted interface=vlan-trusted
/interface/list/member add list=LAN-iot     interface=vlan-iot
/interface/list/member add list=LAN-guest   interface=vlan-guest
# The WAN interface list (containing ether1) is assumed to exist already.

# These two go first in the forward chain (the input-chain copies don't help here):
# without them the drop rules below also discard reply packets of connections that trusted initiated.
/ip/firewall/filter add chain=forward action=accept connection-state=established,related,untracked comment="forward: established/related"
/ip/firewall/filter add chain=forward action=drop   connection-state=invalid comment="forward: drop invalid"

# Allow trusted → IoT (so you can manage IoT devices)
/ip/firewall/filter add chain=forward action=accept in-interface-list=LAN-trusted out-interface-list=LAN-iot comment="trusted → IoT"

# Block IoT → trusted (IoT-initiated connections towards trusted are dropped)
/ip/firewall/filter add chain=forward action=drop in-interface-list=LAN-iot out-interface-list=LAN-trusted comment="IoT ↛ trusted"

# Block guest → everywhere except WAN
/ip/firewall/filter add chain=forward action=drop in-interface-list=LAN-guest out-interface-list=LAN-trusted comment="guest ↛ trusted"
/ip/firewall/filter add chain=forward action=drop in-interface-list=LAN-guest out-interface-list=LAN-iot     comment="guest ↛ iot"

# Allow all LAN → WAN (NAT happens in srcnat separately)
/ip/firewall/filter add chain=forward action=accept in-interface-list=LAN-trusted out-interface-list=WAN
/ip/firewall/filter add chain=forward action=accept in-interface-list=LAN-iot     out-interface-list=WAN
/ip/firewall/filter add chain=forward action=accept in-interface-list=LAN-guest   out-interface-list=WAN
# Rules are evaluated top to bottom, first match wins. A forward chain with no final
# drop rule accepts whatever the rules above don't match, so pairs not listed here
# (e.g. IoT → guest) are allowed until you add one.
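Because RouterOS evaluates a chain top to bottom and accepts packets that no rule matches, the safest way to reason about a rule set like the one above is to compute the verdict for every (in-list, out-list) pair. The following is an added example, not code from this page or from MikroTik: a Python model of the forward chain exactly as written above, with and without the established/related accept at the top. It assumes only first-match semantics and an implicit accept at the end of the chain; the interface-list names are the ones this page defines, and `WAN` is assumed to exist.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    in_list: Optional[str] = None        # in-interface-list, None = any
    out_list: Optional[str] = None       # out-interface-list, None = any
    conn_state: frozenset = frozenset()  # connection-state values; empty = any
    comment: str = ""


def page_rules(with_established: bool):
    """Constructed model of this page's forward chain, in the order it is written."""
    rules = []
    if with_established:
        rules += [
            Rule("accept", conn_state=frozenset({"established", "related", "untracked"})),
            Rule("drop", conn_state=frozenset({"invalid"})),
        ]
    rules += [
        Rule("accept", "LAN-trusted", "LAN-iot", comment="trusted -> IoT"),
        Rule("drop", "LAN-iot", "LAN-trusted", comment="IoT -/-> trusted"),
        Rule("drop", "LAN-guest", "LAN-trusted", comment="guest -/-> trusted"),
        Rule("drop", "LAN-guest", "LAN-iot", comment="guest -/-> iot"),
        Rule("accept", "LAN-trusted", "WAN"),
        Rule("accept", "LAN-iot", "WAN"),
        Rule("accept", "LAN-guest", "WAN"),
    ]
    return rules


def evaluate(rules, in_list, out_list, state="new"):
    """First matching rule decides; a chain with no final rule accepts unmatched packets."""
    for r in rules:
        if r.in_list is not None and r.in_list != in_list:
            continue
        if r.out_list is not None and r.out_list != out_list:
            continue
        if r.conn_state and state not in r.conn_state:
            continue
        return r.action
    return "accept"  # implicit end-of-chain policy in RouterOS filter chains


LISTS = ["LAN-trusted", "LAN-iot", "LAN-guest", "WAN"]


def matrix(rules, state="new"):
    """Verdict for every ordered pair of interface lists (12 pairs for four lists)."""
    return {(i, o): evaluate(rules, i, o, state) for i in LISTS for o in LISTS if i != o}


if __name__ == "__main__":
    for label, rules in (("without est/rel", page_rules(False)),
                         ("with est/rel", page_rules(True))):
        print(label)
        for (i, o), verdict in matrix(rules).items():
            print(f"  {i:12} -> {o:12} : {verdict}")
        print("  IoT reply to a trusted-initiated connection:",
              evaluate(rules, "LAN-iot", "LAN-trusted", "established"))
```

Two things the matrix makes visible that the rule list alone does not: without the established/related accept, an IoT device's reply to a connection trusted opened is dropped by the "IoT ↛ trusted" rule, and with the chain as written, new connections from WAN towards any LAN list come out as accept, because nothing here matches them. On a router that still has the default configuration's "drop all from WAN not DSTNATed" forward rule that case is covered; on a router built from scratch you need that rule, or a final drop, yourself.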

Wi-Fi VLANs

Different SSIDs map to different VLANs via the WLAN's vlan-id setting. WiFiWave2 + classic wireless syntaxes diverge — see Wi-Fi for the full shape. The summary: create one virtual AP per SSID, set vlan-mode=use-tag + vlan-id=N, and the bridge VLAN config above handles the rest.

Verify

/interface/bridge/vlan print
/interface/bridge/host print
/ip/dhcp-server/lease print
# Confirm a client on ether3 gets a 10.10.10.x address (trusted),
# and a client on ether4 gets 10.20.20.x (iot)