VLANs on a bridge interface

When you start to work with VLANs in RouterOS there are three key things to know:
  1. How to make a Trunk port,
  2. How to make an Access port, and
  3. How to bring the traffic to layer 3 so that we can use services such as routing and DHCP.

A Trunk port is configured between two VLAN-aware devices, and simply acts as a forwarder for any VLAN-tagged traffic. This is achieved by tagging outgoing traffic on the selected port such that the remote device will receive only tagged frames.

An Access port is one that allows non-VLAN-aware devices to connect with other devices on a VLAN. For example, you may wish to segregate printers on a virtual network - when you set up a new printer, you'll need to connect this printer to an Access port for the VLAN. This is achieved by removing the VLAN tags going to the client device, and tagging traffic coming back; this way the client does not receive any tagged frames.

(Image from the MikroTik Wiki: Bridge VLAN Table)

In RouterOS, we can add a VLAN interface under `Interface>VLAN`. This interface allows the operating system to interact with tagged frames, and hence lets RouterOS interpret Layer 3 packets on a VLAN. This way you can utilize layer 3 services rather than just switching these frames.

Configuring a Trunk port is as easy as navigating to `Bridge>VLANs` and adding a new entry. All you will need to do is specify the interface you'd like to trunk, and then specify the VLAN IDs that you would like to tag. Note that the interface does not necessarily need to be a physical interface; for example we could configure a virtual WiFi interface as a Trunk port for multiple wireless printers connected to the AP.


To configure an Access port, you will need to navigate to `Bridge>VLANs` and add a new entry. Specify the VLAN IDs you would like to strip, and set the 'Untagged' interface to the port that you would like to configure as an access port. After you've done this, navigate to `Bridge>Ports` and open the configuration for the new access port. In this window, go to the 'VLAN' tab and set the PVID to the VLAN tag you'd like to add incoming traffic to. The PVID will tag traffic ingressing the selected port on the router, whereas the `Bridge>VLANs` section will either tag or untag traffic egressing that port of the router.




Finally, navigate to `Bridge>Bridge`, open the configuration menu for the bridge interface, then in the 'VLAN' tab enable 'VLAN Filtering'.


Once this has been enabled, you can verify that there are entries under 'Current Tagged' and 'Current Untagged' under `Bridge>VLANs` :)



Now VLAN traffic will go through the Bridge interface, but the router will not yet be able to route it or provide Layer-3 services on the tagged traffic (e.g. DHCP), so we will need to do some more configuration if this is required.

First, go back to the `Bridge>VLANs` menu and edit the VLAN entry you'd like to configure. Then, set the Bridge interface itself as a tagged port.


Once you have added the Bridge interface as a trunk port, go to the Interface menu and add a new VLAN interface. Set the Interface to the bridge interface and make sure to specify the VLAN ID you would like to configure.


From there, any Layer-3 services will need to be added on this VLAN interface itself :) 


Now, any time you wish to configure VLANs on RouterOS you can repeat these steps for each VLAN ID you need to work with. With VLAN tables you are allowed to specify multiple ports and VLAN IDs in the same entry, but you cannot have multiple entries with the same VLAN ID, so keep that in mind when making entries which don't share the same port.
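
The steps above as RouterOS CLI commands, as an added example rather than configuration from the original post. The names `bridge1`, `ether2` (trunk), `ether3` (access), VLAN ID 10 and the 192.168.10.0/24 addressing are assumptions. The `frame-types` and `ingress-filtering` settings go beyond the post's steps: they make each port drop frames of the wrong kind instead of relying on the VLAN table alone.

```routeros
# Assumed names: bridge1, ether2 = trunk, ether3 = access, VLAN ID 10.
# Create the bridge with filtering off; it is enabled as the last step.
/interface bridge
add name=bridge1 vlan-filtering=no

# Bridge>Ports: add both ports to the bridge.
# Trunk: accept only tagged frames.
# Access: PVID 10 tags ingress traffic; accept only untagged frames.
/interface bridge port
add bridge=bridge1 interface=ether2 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# Bridge>VLANs: one entry per VLAN ID, listing every port in it.
# ether2 egresses tagged (trunk), ether3 egresses untagged (access),
# and bridge1 itself is tagged so the router can reach VLAN 10 at layer 3.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2 untagged=ether3

# Interface>VLAN: VLAN interface on top of the bridge.
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10

# Layer-3 services attach to the VLAN interface, not to the bridge.
/ip address
add address=192.168.10.1/24 interface=vlan10
/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1

# Bridge>Bridge: enable VLAN filtering last. Until this is set the
# VLAN table above is not enforced.
/interface bridge
set bridge1 vlan-filtering=yes

# Check 'Current Tagged' / 'Current Untagged' for VLAN 10.
/interface bridge vlan print
```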