VLAN Configuration Guide
RouterOS v7+ VLAN setup and tagging.
Prerequisite: Ensure you have completed IP Addressing & Subnets before configuring VLAN IPs (Step D).
Prerequisites
- RouterOS: v7 or later.
- Hardware: Switch or router with VLAN-capable physical interface (most ether, sfp).
- Access: WinBox, SSH, or serial console.
Configuration Flow
Step B–C: Routed VLAN (VLAN Interface)
For L3 gateway per VLAN, create a VLAN interface on the physical port:
/interface vlan add name=vlan100 vlan-id=100 interface=ether1
/ip address add address=192.168.100.1/24 interface=vlan100
Step D: Bridge VLAN Filtering (v7 L2)
For L2 switching with VLANs, use the RouterOS v7 bridge VLAN table. Create the bridge, add ports, define VLANs, then enable filtering:
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge vlan add bridge=bridge1 tagged=ether1 vlan-ids=100
/interface bridge vlan add bridge=bridge1 untagged=ether2 vlan-ids=100
/interface bridge port set [ find interface=ether2 ] pvid=100
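/interface bridge set bridge1 vlan-filtering=yes
Step D: Configure IP (Bridge VLAN)
For L3 on a VLAN under bridge VLAN filtering, the bridge itself (bridge1) must be a tagged member of that VLAN in the bridge VLAN table, or the VLAN interface receives no traffic once filtering is enabled. Create a VLAN interface on the bridge: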
/interface vlan add name=vlan100 vlan-id=100 interface=bridge1
/ip address add address=192.168.100.1/24 interface=vlan100
Step D: IP and Bridge
For subnet notation, see IP Addressing & Subnets.
VLANs and Tunnels
When segmenting traffic for VPN peers, combine with VPN Tunnels for interface assignment.
Security
After VLAN interfaces are active, apply Firewall Best Practices to Input and Forward chains.
Common Pitfalls
- Driver: Some interfaces do not support VLAN. Check /interface print for VLAN support.
- Trunk vs access: Upstream switch port must be trunk (tagged) if carrying multiple VLANs.
- Bridge vs routed: Bridge for L2 switching; routed VLAN for L3 gateway per VLAN.
- VLAN ID mismatch: vlan-id must match the tagged traffic from the upstream device.
- Bridge VLAN lockout: Enabling vlan-filtering=yes without a VLAN including the management port drops untagged traffic. Ensure management interface has correct pvid and bridge vlan entry before enabling.
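
A pre-change check for the bridge VLAN lockout pitfall, added here as an example and not part of the original guide: it parses a planned list of RouterOS bridge commands and reports why management through a given port would break once vlan-filtering=yes is applied. The function names, the default bridge name bridge1 and the choice of ether2 as management port are assumptions, as is the premise that the management IP sits on a VLAN interface on the bridge.

```python
import re

def parse(config):
    """Return ({port: pvid}, [(vlan_ids, tagged, untagged)], filtering_enabled)."""
    pvid, table, filtering = {}, [], False
    for line in map(str.strip, config.splitlines()):
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if line.startswith("/interface bridge port") and "interface" in kv:
            port = kv["interface"]
            # RouterOS default PVID is 1; a later 'set ... pvid=N' overrides it
            pvid[port] = int(kv.get("pvid", pvid.get(port, 1)))
        elif line.startswith("/interface bridge vlan add"):
            ids = set()
            for part in filter(None, kv.get("vlan-ids", "").split(",")):
                lo, _, hi = part.partition("-")  # accepts "100" and "100-110"
                ids.update(range(int(lo), int(hi or lo) + 1))
            members = lambda key: set(kv.get(key, "").split(",")) - {""}
            table.append((ids, members("tagged"), members("untagged")))
        elif line.startswith("/interface bridge set") and kv.get("vlan-filtering") == "yes":
            filtering = True
    return pvid, table, filtering

def lockout_risks(config, mgmt_port, bridge="bridge1"):
    """List reasons management via mgmt_port would break once filtering is on."""
    pvid, table, filtering = parse(config)
    if not filtering or mgmt_port not in pvid:
        return []  # filtering off, or port not bridged: the VLAN table is not applied
    vid = pvid[mgmt_port]
    rows = [row for row in table if vid in row[0]]
    risks = []
    # Follows the guide's rule: require an explicit bridge vlan entry for the port
    if not any(mgmt_port in untagged for _, _, untagged in rows):
        risks.append(f"no bridge vlan entry lists {mgmt_port} as untagged in VLAN {vid}")
    # Assumption: the management IP sits on a VLAN interface on the bridge
    if not any(bridge in tagged for _, tagged, _ in rows):
        risks.append(f"{bridge} is not a tagged member of VLAN {vid}")
    return risks

# Constructed input: the bridge commands from this guide, as one planned change
PAGE_CONFIG = """
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge vlan add bridge=bridge1 tagged=ether1 vlan-ids=100
/interface bridge vlan add bridge=bridge1 untagged=ether2 vlan-ids=100
/interface bridge port set [ find interface=ether2 ] pvid=100
/interface bridge set bridge1 vlan-filtering=yes
"""
if __name__ == "__main__":
    print("\n".join(lockout_risks(PAGE_CONFIG, "ether2")) or "no lockout risk found")
```

Run it against the planned command list before applying the change; an empty result means the management port has an explicit entry for its PVID and the bridge is tagged in that VLAN.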