VLAN segmentation is the first step towards a serious home network. With a MikroTik hEX or CCR, you can handle this entirely in RouterOS without needing an additional managed switch.
Network design
Four VLANs for a typical homelab setup:
| VLAN | ID | Subnet | Target |
|---|---|---|---|
| MGT | 10 | 10.10.10.0/24 | Router, switches, IPMI |
| SRV | 20 | 10.10.20.0/24 | Proxmox, k3s, NAS |
| TRU | 30 | 10.10.30.0/24 | Laptops, workstations |
| IOT | 40 | 10.10.40.0/24 | Cameras, home automation |
Setting up bridge VLAN filtering
```
# Create bridge with VLAN filtering
# (on a live router, set vlan-filtering=yes only after the VLAN table below exists,
#  otherwise tagged management traffic on the trunk is dropped and you lock yourself out)
/interface bridge add name=bridge1 vlan-filtering=yes
# Add all physical ports to the bridge (pvid = the VLAN an untagged access port lands in)
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=30
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=40
add bridge=bridge1 interface=ether5 pvid=20
# Trunk port to uplink switch (tagged for all VLANs)
add bridge=bridge1 interface=ether1
# VLAN table: the trunk AND the bridge itself must be tagged members of every VLAN,
# otherwise the vlan interfaces created in the next section never see any traffic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether3,ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether4 vlan-ids=40
```
VLAN interfaces for routing
```
# VLAN interfaces on the bridge
/interface vlan
add interface=bridge1 name=vlan10-mgt vlan-id=10
add interface=bridge1 name=vlan20-srv vlan-id=20
add interface=bridge1 name=vlan30-tru vlan-id=30
add interface=bridge1 name=vlan40-iot vlan-id=40
# IP addresses (router-on-a-stick)
/ip address
add address=10.10.10.1/24 interface=vlan10-mgt
add address=10.10.20.1/24 interface=vlan20-srv
add address=10.10.30.1/24 interface=vlan30-tru
add address=10.10.40.1/24 interface=vlan40-iot
```
Firewall rules for segmentation
```
# IoT should NOT go to servers or management
/ip firewall filter
add chain=forward in-interface=vlan40-iot out-interface=vlan20-srv action=drop comment="IoT -> SRV blocking"
add chain=forward in-interface=vlan40-iot out-interface=vlan10-mgt action=drop comment="IoT -> MGT blocking"
# Servers are allowed out
# (this accept only changes anything once a closing drop rule follows it;
#  the forward chain accepts by default when no rule matches)
add chain=forward in-interface=vlan20-srv connection-state=established,related action=accept
```
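To see what the three rules above actually decide, here is a small evaluator of the forward chain, added for this post and not part of RouterOS or the original configuration. It models only the three matchers the rules use (in-interface, out-interface, connection-state) and RouterOS's default of accepting a forwarded packet that matches no filter rule; everything else is an assumption of the example.

```python
import re

# The post's three forward-chain rules, pasted as RouterOS prints them (constructed copy).
FILTER_RULES = '''
add chain=forward in-interface=vlan40-iot out-interface=vlan20-srv action=drop comment="IoT -> SRV blocking"
add chain=forward in-interface=vlan40-iot out-interface=vlan10-mgt action=drop comment="IoT -> MGT blocking"
add chain=forward in-interface=vlan20-srv connection-state=established,related action=accept
'''

PAIR = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value pairs; quoted values may contain spaces
MATCHERS = ("in-interface", "out-interface", "connection-state")  # only these are modelled (assumption)

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict, keeping rule order."""
    rules = []
    for line in text.strip().splitlines():
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in PAIR.findall(line[4:])})
    return rules

def rule_matches(rule, flow):
    for key in MATCHERS:
        want = rule.get(key)
        if want is None:          # matcher not used by this rule
            continue
        if key == "connection-state":
            if flow[key] not in want.split(","):   # e.g. established,related
                return False
        elif flow[key] != want:
            return False
    return True

def forward_verdict(rules, flow):
    """First matching forward rule wins; the RouterOS filter accepts when no rule matches."""
    for rule in rules:
        if rule.get("chain") == "forward" and rule_matches(rule, flow):
            return rule["action"]
    return "accept"

def audit_post_rules():
    """Verdict for a NEW connection on a few inter-VLAN paths under the post's rules."""
    rules = parse_rules(FILTER_RULES)
    paths = {"IoT->SRV": ("vlan40-iot", "vlan20-srv"), "IoT->MGT": ("vlan40-iot", "vlan10-mgt"),
             "IoT->TRU": ("vlan40-iot", "vlan30-tru"), "TRU->MGT": ("vlan30-tru", "vlan10-mgt")}
    return {name: forward_verdict(rules, {"in-interface": i, "out-interface": o,
                                          "connection-state": "new"})
            for name, (i, o) in paths.items()}
```

The audit shows the two IoT drops working, but also that IoT to TRU and TRU to MGT come back as accept because nothing in the chain ends with a drop; a closing drop rule is what turns the list into a real allow-list.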
DHCP per VLAN
```
/ip pool
add name=pool-srv ranges=10.10.20.100-10.10.20.200
add name=pool-tru ranges=10.10.30.100-10.10.30.200
add name=pool-iot ranges=10.10.40.100-10.10.40.200
/ip dhcp-server
add address-pool=pool-srv interface=vlan20-srv name=dhcp-srv
add address-pool=pool-tru interface=vlan30-tru name=dhcp-tru
add address-pool=pool-iot interface=vlan40-iot name=dhcp-iot
# Gateway per subnet: without these network entries leases are handed out
# without a default route
/ip dhcp-server network
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.40.0/24 gateway=10.10.40.1
```
This gives you a fully segmented network where IoT devices can never reach your servers or management interfaces.
What is the difference between bridge VLAN filtering and the old /interface vlan model?
Bridge VLAN filtering processes all VLAN logic on the bridge chip itself, allowing hardware acceleration on supported devices. The old model creates separate /interface vlan objects and is slower on cheaper hardware.
Can I combine trunk ports with access ports on the same MikroTik bridge?
Yes. In bridge VLAN filtering, you set per port whether it passes tagged (trunk) or untagged (access) traffic. Trunk ports get multiple VLANs tagged, access ports get one PVID untagged.