Mikrotik VLAN switching without bridging

One of the greatest networking vendors for homelabs is in my opinion Mikrotik, they offer great (often enterprise) features for a very compelling price. On the other hand it can be a bit daunting to configure and the firmware releases aren’t always equally stable. Last week I upgraded in my homelab one of two RB2011UiAS’s, which are I think the most popular Routerboards, for a CRS125, cause I was in need of more 1 gigabit ports.

Previously I did all my VLAN configuring using bridging, which works, but there is a faster way, by using the internal switch chip, instead of the CPU. So this upgrade was the perfect case for me, to change this. Because this can be a bit hard in understanding and most tutorials on the web are about bridging. I decided to do a little write-up, about how this can be done without bridging. I will take it even a bit further and making sure we have a management address configured on the switch and we can use the wireless network.

Before we actually start, a bit of understanding how the internals work, it is based on this site, but I will try to clarify it even a bit more.

A small disclaimer; the workings are described as far as my understanding goes, if you find any mistakes, please let me know!

In the below picture you find a simple logic representation of the inner workings.

The physical switch ports are connected to the switch chip and the switch chip has also a connection to the CPU. The CPU is where all the clever things happen, think about, routing, bridging, nat(-ting?), etc. So when we created simple interfaces for bridging the flow will go like the picture below.

There is nothing wrong with this and gives us great flexibility, but when you only need layer 2 switching this generates a lot of unnecessary pressure on the CPU. So this can be done more efficient by connecting the right interfaces on the switch chip, this way the traffic won’t need to pass the CPU, which is far more efficient. We can talk about “wire speed” here.

In the picture above interface ether01, ether02 and ether03 are connected with each other and ether01 is a trunk (=multi-vlan port), probably an uplink and ether02 and 03 could be access ports which go to a vlan unaware device a PC or printer for example.

This is the basic idea what we are going to set-up, although we make it a bit more complex. We want a management interface which must also be routable (i.e. for NTP and updates) and we want to connect the wireless.

So let’s say for example we have 4 vlans.

  • Servers – vlan 10
  • Clients – vlan 20
  • Wireless – vlan 30
  • Management – vlan 40

The interfaced are used as follow:

  • ether01 – Uplink / trunk
  • ether02 – trunk (vlan 40, vlan 10) (i.e. ESX)
  • ether03 – access port vlan 10 (i.e. NAS)
  • ether04 – access port vlan 20 (i.e. desktop)

What we would like to accomplish would look like this, assuming that we only need layer 2 switching for the vlans and that only the management vlan is routable.


Be aware that in this set-up devices in different vlans aren’t able to communicate with each other! Therefore you need a router or make a routable interface, like the management one.

The first step is to connect the interfaces to each other, this can be done by choosing a master-port and make the other interfaces slaves of it, in this example we choose to make “ether01” the master port.

After this we can start with the vlan configuration, which also consists of a few steps and is done differently than you see at more regular switch vendors (i.e. Cisco, HP).

We start deciding which vlans are needed on which port, important to see here is that switch1-cpu is actually a port and will forward the traffic to the CPU. So the management and the wireless vlan are needed on the switch1-cpu port.

Now we need to decide which ports are carrying “tagged” vlan traffic and which ports are receiving “untagged” traffic. In this example “ether03” and “ether04” will receive untagged traffic. To make this traffic go to the right ports we need to “tag” this traffic when we receive (ingress) it.

Now all the traffic that is coming in the switch is “tagged” correctly, we can decide where the “tagged” traffic may go (egress). We also need to specify the “switch1-cpu” port here, cause for the “switch chip” it is just a port, where traffic can go.

vlan 10 and 20 should be working by now. So now we only need to do something clever with the management and the wireless.
Let’s start with the management. We create a vlan interface, which can be handled by CPU.

Connect the management IP to this interface.

To make sure this interface can be used for updating ntp or download updates we need to make it routable. (assuming the router address is 10.10.10.1)

From now on this IP could be used for management.

The last step is the wireless, for this we also need to make a vlan interface, which we will bridge to the wireless interface. (for as far as I know this is the only way).

Create a bridge

The last step is to actually bridge the wireless with the vlan interface

That’s all! Hopefully it was any helpfull and will give you a clear understanding how things work.

Update 2015-07-15: Check this awesome Youtube explanation by David Gonzalez

Facebooktwittergoogle_plusredditpinterestlinkedinmailby feather

26 thoughts on “Mikrotik VLAN switching without bridging

  1. Hi Rob — Talk about Excellent timing… I’ve been working on my CRS125 for the past week (Dec10-17) banging my head against the keyboard trying to find WHY I couldn’t connect a VLAN to a management interface (vlan 40 in your example)….Switch1-CPU. That was THE KEY. I didn’t even consider that the switching chip & cpu weren’t directly linked. Your writeup was great, it connected the missing dots in my head…. great job (and fantastic timing!) -Jeff

  2. Pingback: NFS through a seperate VMKernel adapter | Breek een been!

  3. Pingback: Using Mikrotik switch chip to do VLAN isolation | IT Management

  4. hi,

    I was trying to make my CRS work with VLANs for the past few days without any luck and hopefully your post will help (I also run CRS125G, 6.27).

    I am confused because examples listed on official site http://wiki.mikrotik.com/wiki/Manual:CRS_examples do not work (for me) and I do not understand why. The main problem I see is egress vlan translation or discarding the tag which complicates things significantly.
    So, if I understand correctly, you need to do three things in order to make VLAN work:
    * create VLANs (interface ethernet switch vlan), which will basically connect appropriate ports in groups; ie add ether1 and ether2 into vlan-id=10
    * create ingress vlan translation, so if you have computer connected to the port that all traffic comming into the switch will be apropriately tagged (so that new-customer-vid=10)

    And finally (and this is where documentation fails if I understand correctly):
    * create egress-vlan-translation so that when traffic exits the switch is not tagged anymore (new-customer-vid=0)
    In my opinion if you do not do this last step, exit port will end up to be trunk with tagged traffic. Do I get this right?

    I was also confused with the role of cpu-switch, and while in your setup you need it involved because of communication with wireless interface, in my case where I do not have built-in wireless – I technicaly do not have to add cpu-switch to any of my LAN interfaces?

    Also, based on above, if I decide to put all of my ports to VLANs and do not include cpu-switch in at least one of them, I should loose connection with CPU and management of the device will not be possible anymore (until forceful factory reset)?

    • Your completely right, the CPU switch is basically used to connect other components outside the “switch chip”. Management could be one of them.

      You can always use the console port in case you need to access the device, although I really prefer an IP address, which also makes updating easy.

  5. Thank you Rob for sharing and explaining ho to take advantage of the switch logic on routerboard devices. I was looking for this kind of configuration, I was not able to put it together using the documentation on Mikrotik website. In fact, if we look more in detail, the information is there, I don’t know why we don’t actually see a clear example on their website.My setup is very similar to what you are describing here. The only exception is some vlans are DMZs and they are protected by access lists.
    Her is something I would like to add to your tutorial above:
    When configuring a bridge interface, it becomes a master interface and the vlan interface has a slave role.

    If not using the wireless bridge (a bridge interface in general), the firewall access rules can be applied on vlan interfaces.
    If a bridge is configured and vlan interfaces are attached to the bridge, all the firewall access rules have to be addressed using the bridge interface.

    We see this when access rules are already applied on vlan interfaces and later we add the vlan interfaces to a bridge. The access firewall rule on vlan interfaces will turn red and a message will be displayed:
    –in/out-interface matcher not possible when interface (vlanXY) is slave – use master instead (bridge-XYZ)

  6. Rob,

    Being new to Mikrotik, vlans, and routing in general, is it possible for you to illustrate how a router would connect to the CRS? or simply a dump of the router configuration? I’m still trying to piece this together. 🙂 I might add that I have come closer to figuring this out with using your illustrations than any where else.. Thank you.

    • Hi Tim,

      Last weekend, I’ve been working on the same.. I’m not that familiar with networking either, but this is what I’ve pieced together: http://dpaste.com/2G5HVHV

      Its basically 2 vlans: 1 for my PPPoE session from my ISP, and another for my LAN (vlan 10). I’ve also configured a DHCP server, pool, DNS & wifi with a bridge on vlan10.

      I hope this might help a bit.

      @Rob,

      Since you’ve switched from bridges to the switch chip, I hope you might be able to help me a bit:

      I’m basically trying to configure a trunk port for my 2 vlans, to a 2nd Mikrotik device.

      Neither with the switch or a regular bridge, I’m able to achieve this:

      /interface ethernet switch egress-vlan-tag
      add tagged-ports=ether1-gateway,ether2-trunk vlan-id=4
      add tagged-ports=ether2-trunk,switch1-cpu vlan-id=10

      /interface ethernet switch ingress-vlan-translation
      add new-customer-vid=10 ports=ether2-trunk,ether3,ether4,ether5,ether6,ether7,ether8
      add new-customer-vid=4 ports=ether9

      /interface ethernet switch vlan
      add ports=ether2-trunk,ether3,ether4,ether5,ether6,ether7,ether8,switch1-cpu vlan-id=10
      add ports=ether1-gateway,ether2-trunk,ether9 vlan-id=4

      The same with a bridge:

      CRS125:
      /interface bridge
      add name=br-iptv
      add name=br-trunk
      /interface bridge port
      add bridge=br-trunk interface=ether1-gateway
      add bridge=br-trunk interface=ether2-trunk
      add bridge=br-iptv interface=vlan4
      add bridge=br-iptv interface=ether9
      /interface vlan
      add interface=br-trunk l2mtu=1584 name=vlan4 vlan-id=4

      RB951 (the configuration stays the same, just bridged):
      /interface bridge
      add name=br-iptv
      add name=br-vlan10
      /interface bridge port
      add bridge=br-iptv interface=vlan4
      add bridge=br-iptv interface=ether2
      /interface vlan
      add interface=ether1-trunk l2mtu=1594 name=vlan4 vlan-id=4

      By the way, if I connect a STB (IPTV vlan 4, KPN) to ether9 when vlan 4 is configured as a bridge, does work.

      (ps, I’ve posted my progress @ http://www.reddit.com/r/mikrotik/comments/30petb/helpcrs125_vlans_w_switch_chip/, unfortunately without any replies).

  7. I have a CRS125
    egress-vlan-translation with new-customer-vid=0 does not work for me((
    Outgoing traffic to vlan still is tagged.
    This is my config
    /interface ethernet
    /interface ethernet switch egress-vlan-translation
    add customer-vid=21 new-customer-vid=0 ports=ether21
    /interface ethernet switch ingress-vlan-translation
    add new-customer-vid=21 ports=ether21
    /interface ethernet switch vlan
    add ports=ether21,ether24 vlan-id=21

  8. I was trying to do a limited version of your script, but find that I can’t even get the ‘management’ port pinging when my ‘default gateway’ is connected to ethernet1. Any help would be appreciated. Your faq is good!

    # jan/02/1970 18:55:28 by RouterOS 6.30.1
    # software id = 7D1K-Q7HZ
    /interface vlan
    add interface=sfp-sfpplus1 l2mtu=1584 name=management vlan-id=104

    /interface ethernet
    set [ find default-name=ether1 ] master-port=sfp-sfpplus1
    set [ find default-name=ether2 ] master-port=sfp-sfpplus1
    set [ find default-name=ether3 ] master-port=sfp-sfpplus1
    set [ find default-name=ether4 ] master-port=sfp-sfpplus1
    set [ find default-name=ether5 ] master-port=sfp-sfpplus1
    set [ find default-name=ether6 ] master-port=sfp-sfpplus1
    set [ find default-name=ether7 ] master-port=sfp-sfpplus1
    set [ find default-name=ether8 ] master-port=sfp-sfpplus1
    set [ find default-name=ether9 ] master-port=sfp-sfpplus1
    set [ find default-name=ether10 ] master-port=sfp-sfpplus1
    set [ find default-name=ether11 ] master-port=sfp-sfpplus1
    set [ find default-name=ether12 ] master-port=sfp-sfpplus1
    set [ find default-name=ether13 ] master-port=sfp-sfpplus1

    /interface ethernet switch egress-vlan-tag
    add tagged-ports=switch1-cpu,sfp-sfpplus1 vlan-id=104

    /interface ethernet switch ingress-vlan-translation
    add new-customer-vid=104 ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10

    /interface ethernet switch vlan
    add ports=”switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,sfp-sfpplus1″ vlan-id=104

    /ip address
    add address=192.168.3.1/24 interface=management network=192.168.3.0

    /ip route
    add distance=1 gateway=192.168.3.2

    /system routerboard settings
    set boot-device=nand-only

    /tool romon port
    add

  9. i am trying to configure a crs125 with a complicated vlan config, i hope you can help me with it, i have to internet connections of the internet provider i the datacenter, both are vlan tagges (vlan 1205 and vlan 2205) and the have a ip adres of 192.168.123.22/30 and 192.168.223.22/30. i want to have vlan 1205 on port 23 and vlan 2205 on port 24, and the other ports are in vlan 400 with a public ip range, for security i have changed it (2.2.1.97/28), so when a computer is conectit to vlan 400 he neet to have a ip adres from 2.2.1.97/28 range and then he can go on the internet.

    i have tride to configure this and i can ping the gateway on vlan 1205 and 2205, i only don’t get it to work to 8.8.8.8 or google.com etc.

    Any help form you would be appreciated,

    regards, bjorn

  10. I want to ask, if i want to combine crs and ccr to routing different vlan, is i need to declare like this ” /interface ethernet switch vlan> add ports=ether01,ether02,ether03 vlan-id=10″ in crs ? or only declare in ccr ?

  11. Great article, thanks!

    I just don’t understand the logic behind the need to create a bridge for the vlan interface on the wlan.

    Is that because RouterOS won’t allow you to create a vlan interface directly on the wlan interface?

  12. Hello,
    I am trying to configure a port hybrid in my Mikrotik CRS125 (Vlan 6 untagged and vlans 23, 24 tagged), in this port I’m going to connect an AP Ubiquity (with vlans: 6 (management), 23(SSID Users), 24(SSID Clients)).. In the other hand, I have a dhcp server connect in other switch (Cisco). When I’m connecting to the wifi ssid-Users (vlan 23 tagged) I don’t recieved IP, idem with wifi ssid-Clients (Vlan 24 tagged). Only I recieve IP when vlan are untagged.

    ¿Any idea?

  13. Hey Rob
    . I have the same setup, the older one (red) works fine with sfp and pppoe but the newer one didnt work, the pppoe connection wil not work.

    I have the whole backup into the white one

    What is the different between the routers

    Grt Rob

  14. Hi Rob, bit late to the party, but maybe you can help me out.
    Actually I have a straight forward setup. Two vlans, internal and external connected by a firewall.
    My question is, if I move the switch-cpu to the internal vlan, so I can manage the CSR via IP from internal machines, do I still get wire speed on the internal vlan or is all traffic in this vlan routed through the CPU?

  15. Hello Rob! Great guide!

    I was wondering, when I create untagged VLAN ports, I seem to be prevented from administrating the switch from that untagged port, even via MAC, how do I combat this?

    Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *

*