MikroTik VLAN Routing Configuration with Manageable Switch

A VLAN (Virtual LAN) is a group of computers, servers, network printers and other network devices that behave as if they were connected to a single network. VLAN is a logical topology that divides a single broadcast domain into multiple broadcast domains. VLAN is a layer 2 method. So, a manageable switch is required to manage VLAN in your network and a router is required to route and control your inter-VLAN.

VLAN increases network security and performance as well as improves IT efficiency. So, it will be a better plan to implement VLAN in your network. If you have or manage MikroTik Router and manageable switch, VLAN implementation in your network is not so difficult. In this article, I will show how to easily configure inter-VLAN routing with MikroTik Router and manageable switch.

Core Devices and IP Information

To configure a VLAN network and inter-VLAN routing, I am using a MikroTik RouterBoard 1100 AHX2 (RouterOS v6.38.1) and a Level One (GEP-2450) manageable switch. The IP information that I am using for the VLAN network configuration is given below.

  • WAN IP 192.168.30.2/30 and Gateway IP 192.168.30.1
  • LAN networks: 10.10.20.0/24, 10.10.30.0/24 and 10.10.40.0/24
  • DNS IP: 8.8.8.8 and 8.8.4.4

This IP information is just for my R&D purpose. Change this information according to your network requirements.

Important VLAN Terms

There are two important VLAN terms that you must know; otherwise you may face difficulty while configuring VLAN in your managed switch.

  • Access Link/Port: This type of link is only part of one VLAN and it is referred to as the native VLAN of the port. Any device attached to an access link/port is unaware of a VLAN membership – the device just assumes that it is a part of a broadcast domain but it has no understanding of the physical network.
  • Trunk Link/Port: Trunks can carry multiple VLANs. A trunk link is a point to point link between two switches or between a switch and router. These carry the traffic of multiple VLANs (from 1 to 1005 at a time). Trunking allows you to make a single port part of multiple VLANs at the same time.

Network Diagram

To configure a VLAN network with MikroTik Router and manageable switch, I am following the network diagram shown in the image below.

MikroTik VLAN with Manageable Switch

In this network, the MikroTik Router’s WAN (ether1) interface is connected to the ISP with IP address 192.168.30.2/30, and the ether2 interface, which is connected to a manageable switch, is MikroTik’s LAN interface. We will create three VLANs (VLAN 20, VLAN 30 and VLAN 40) on the LAN interface, with networks 10.10.20.0/24, 10.10.30.0/24 and 10.10.40.0/24 respectively. We will configure inter-VLAN routing in our MikroTik Router and also configure VLANs in our managed switch (Level One GEP-2450), where ports 1-5 will be in VLAN 20 (for Marketing Department), ports 6-10 in VLAN 30 (for Sales Department), ports 11-15 in VLAN 40 (for HR Department) and ports 16-23 in the default VLAN 1. Port 24 will be the trunk port and the other ports are access ports.

MikroTik Inter VLAN Routing Configuration with Manageable Switch 

We will now start inter-VLAN routing configuration. Complete VLAN configuration can be divided into two parts.

  • Inter VLAN Routing Configuration in MikroTik Router
  • VLAN Configuration in Manageable Switch

Part 1: Inter VLAN Routing Configuration in MikroTik Router

If multiple VLANs are implemented on a manageable switch, a router is required to provide communication between these VLANs. A switch is a layer 2 device: it forwards frames based on the Ethernet header only and does not inspect the IP header. For this reason, we must use a router that will work as a gateway for each VLAN. Without a router, a host is unable to communicate outside of its own VLAN. The routing process between VLANs is known as inter-VLAN routing.

To configure inter-VLAN routing, we will create a trunk link between the MikroTik Router and our managed switch that will carry traffic from three VLANs (VLAN 20, VLAN 30 and VLAN 40). The following steps will show how to configure inter-VLAN routing as well as other basic configuration in our MikroTik Router.

  • Login to MikroTik Router using winbox with admin privilege credential.
  • Click on Interfaces menu item. Interface List window will appear. Click on VLAN tab and then click on PLUS SIGN (+). New Interface window will appear.
  • Put interface name (Marketing VLAN 20) in Name input box and put VLAN ID (20) in VLAN ID input box and choose your physical interface (ether2) that will be used as trunk link from Interface dropdown menu and then click on Apply and OK button. Similarly, create VLAN 30 (Sales VLAN 30) and VLAN 40 (HR VLAN 40) interfaces. Your VLAN interface list window looks like below image.
  • Go to IP > Addresses menu item and click on PLUS SIGN (+). In New Address window, put WAN IP address (192.168.30.2/30) in Address input field and choose WAN interface (ether1) from Interface dropdown menu and then click on Apply and OK button.
  • Click on PLUS SIGN (+) again and put VLAN 20 network’s gateway IP (10.10.20.1/24) in Address input box and choose VLAN 20 interface (Marketing VLAN 20) from Interface dropdown menu and then click on Apply and OK button. Similarly, put VLAN 30 gateway IP (10.10.30.1/24) on Sales VLAN 30 interface and VLAN 40 gateway IP (10.10.40.1/24) on HR VLAN 40 interface.
  • Go to IP > DNS and put DNS Server IP (8.8.8.8 or 8.8.4.4) in Servers input field and click on Apply and OK button.
  • Go to IP > Firewall and click on NAT tab and then click on PLUS SIGN (+). Under General tab, choose srcnat from Chain dropdown menu and click on Action tab and then choose masquerade from Action dropdown menu. Click on Apply and OK button.
  • Go to IP > Routes and click on PLUS SIGN (+). In New Route window, click on Gateway input field and put WAN Gateway address (192.168.30.1) in Gateway input field and click on Apply and OK button.
VLAN Interface List

Inter VLAN routing and other basic configuration in MikroTik Router has been completed. Now MikroTik Router is ready to route VLAN 20, VLAN 30 and VLAN 40. In the next part, we will configure VLAN in our Level One manageable switch.

Part 2: VLAN Configuration in Manageable Switch

In this part, we will create our three VLANs (VLAN 20, VLAN 30 and VLAN 40) and configure access port and trunk port in our manage switch. Any manageable switch can be used for this purpose. As I have Level One (GEP-2450) switch available, I am doing VLAN configuration in this manage switch. If you have other manageable switch, find the manual in Google about how to configure VLAN in that specific manage switch.

Level One (GEP-2450) switch is a web smart manageable switch. So, we can manage this switch using web GUI. The GEP-2450 switch has 24 Ethernet ports. Among them, we will use ports 1-5 as VLAN 20 access ports for Marketing Department, ports 6-10 as VLAN 30 access ports for Sales Department, ports 11-15 as VLAN 40 access ports for HR Department, and ports 16-23 will stay in the default VLAN 1. Port 24 will be used as the trunk port and all other ports will be used as access ports. The following steps will show you how to configure VLAN in Level One (GEP-2450) switch properly.

  • Connect port 24 to your MikroTik Router’s ether2 port with an RJ45 cable. This link will be used as trunk link.
  • Connect your PC to the switch with an RJ45 cable. Use one of ports 16-23 on the switch for this connection.
  • Default IP address of Level One (GEP-2450) switch is 192.168.1.1/24. So, assign an IP address of this block in your PC and then type https://192.168.1.1 in your favorite web browser. Now it will ask to provide password. Default password for Level One (GEP-2450) switch is So, put this password and hit enter. Now you will find configuration GUI for the switch.
  • Go to VLANs > VLAN Mode and ensure VLAN Mode is Tag-based.
  • Go to VLANs > VLAN Group. Tag-Based VLAN Configuration page will appear.
  • Put VLAN ID (20) in VLAN ID input box and click on Add button. VLAN Setup page will appear. Select port 1-5 and port 24 and then click on Apply button. Similarly, create VLAN 30 and VLAN 40 and select port 6-10 and port 11-15 respectively and port 24 for both VLAN. You will find your created VLAN in VLAN Configuration List area.
  • Select VLAN ID 1 and click on Modify button. VLAN Setup page for VLAN 1 will appear. Unselect port 1-15 and click on Apply button.
  • Now click on Port Config button under VLAN Port Configuration area. VLAN Per Port Configuration page will appear. Change PVID from 0 to 20 for ports 1-5, from 0 to 30 for ports 6-10 and from 0 to 40 for ports 11-15. The Role of all ports will be Access except port 24. Choose Trunk role for port 24 from Role dropdown menu. Click on Apply button.

VLAN configuration in Level One (GEP-2450) switch has been completed. VLAN Group page now looks like below image.

VLAN Configuration in Level One (GEP-2450) Switch

Now connect your Marketing PC to ports 1-5, Sales PC to ports 6-10 and HR PC to ports 11-15. If everything is OK, your desired PC will be able to get internet connection through your managed switch and MikroTik Router.

Block Inter VLAN Communication

Sometimes you may be required to block inter-VLAN communication. For example, you may want your Marketing Department to be unable to communicate with the Sales Department. In this case, you have to apply a firewall rule to block inter-VLAN communication, because by default MikroTik allows inter-VLAN communication. The following steps will show how to create a firewall rule to block inter-VLAN communication.

  • Login to MikroTik Router and go to IP > Firewall menu item and click on Filter Rules tab and click on PLUS SIGN (+). New Firewall Rule window will appear.
  • Choose forward from Chain dropdown menu.
  • Put Marketing Department’s IP block (10.10.20.0/24) in Src. Address input box and Sales Department’s IP block (10.10.30.0/24) in Dst. Address input box.
  • Choose tcp from Protocol dropdown menu.
  • Click on Action tab and choose drop from Action dropdown menu.
  • Click on Apply and OK button.

This firewall rule blocks all TCP connections coming from Marketing PC to Sales PC. Similarly, you can block all TCP connections or UDP connections coming from Sales PC to Marketing PC by creating another firewall rule and changing source address block, destination address block and protocol.
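
The rule above matches TCP in one direction only, so ICMP (ping), UDP and the reverse direction still pass. The following added example, which is not part of the original article, generalizes it to isolate all three VLANs from each other for every protocol; the address-list name vlan-nets and the log prefix are constructed for this example.

```routeros
# Added example (RouterOS v6 syntax). Subnets are the article's three VLANs.

/ip firewall address-list
add list=vlan-nets address=10.10.20.0/24 comment="Marketing VLAN 20"
add list=vlan-nets address=10.10.30.0/24 comment="Sales VLAN 30"
add list=vlan-nets address=10.10.40.0/24 comment="HR VLAN 40"

/ip firewall filter
# The article's rule, for comparison: TCP only, Marketing to Sales only.
# add chain=forward protocol=tcp src-address=10.10.20.0/24 \
#     dst-address=10.10.30.0/24 action=drop

# No protocol matcher, so TCP, UDP, ICMP and all other protocols are dropped
# in both directions between any two of the listed subnets.
# Traffic inside one VLAN is switched at layer 2 and never reaches the
# router's forward chain, so hosts in the same VLAN are unaffected.
add chain=forward src-address-list=vlan-nets dst-address-list=vlan-nets \
    action=drop log=yes log-prefix="intervlan-drop" \
    comment="isolate VLANs from each other"

# Rules are evaluated top to bottom: this drop must sit above any accept
# rule in the forward chain that would match the same traffic.
# Packets addressed to the router's own gateway IPs (10.10.x.1) are handled
# by the input chain and are not covered by this rule.

# Check that the rule is being hit, and read the logged drops
/ip firewall filter print stats
/log print where message~"intervlan-drop"
```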

If you face any confusion following the above steps, watch my video tutorial about MikroTik VLAN routing configuration with manageable switch. I hope it will clear up any confusion.

MikroTik inter-VLAN routing configuration with manageable switch has been discussed in this article. I hope you will be able to create VLANs in your network with MikroTik Router and manageable switch. However, if you face any confusion while configuring VLAN, feel free to discuss in comments or contact me from the Contact page. I will try my best to stay with you.


ABU SAYEED

I am a system administrator and like to share knowledge that I am learning from my daily experience. I usually work on MikroTik, Redhat/CentOS Linux, Windows Server, physical server and storage, virtual technology and other system related topics.


20 comments

  • Lepden

    Does Vlans only work with managed switch? If no, how does it work with unmanaged switch ?
    BTW I love your resources and tutorials. very detailed. I wish you can help monitor and build my small ISP network remotely for a certain fee of course 🙂

  • Saheed Abubakar

    Hi Sayeed…
    God will continue to increase your knowledge and understanding for sharing all these vital knowledge.
    Can I use any manageable Cisco switch with a Mikrotik Router for VLAN configuration ?
    Thanks.

  • Desesperadito

    Hi there!
    I set up my own VLANs with 2 MikroTik devices. One of them is a CRS switch 1xxseries. The VLANs work with DHCP and I have access to internet but cannot ping between VLANs and I don't know why 🙁
    Could you help me? Any ideas?

    • Please check the routing table (IP > Routes) and see whether a route has been created between the two VLANs. If you find a routing table entry, it should work; otherwise create a static route entry.

  • Rodel A.

    Hello sir, how can i connect my vlans on internet? i use ccr 1036 12g-4s, port 3 is the ISP, port6 is the trunk port , there are 12vlans on the trunk port..my dhcp server is the ccr..

  • hajji

    will it work on raspberry pi?

  • Hiel

    Thanks for the great tutorial!
    Can we do vlans on this scenario: Mikrotik router to> unmanaged switches to> clients?
    Vlans will be configured on MK router of course. But can it pass traffic to both lan and vlan networks?

  • David

    Thanks sayeedh. Does this still work with router OS 6.4.xx?
    If using a mikrotik cloud switch as main switch does vlan creation trunking and access port defining on the switch be same as router?

  • Sittiemartronix

    Is it possible to have a multiple vlan tagged in a single port?

  • Dena

    Thank you! Great explanation!

  • Kirt

    Hello Sayeed,

    You’ve done an excellent job on explaining the creation of vlans on Mikrotik. I’ve created 4 vlans that I do not want to communicate with each other on a Mikrotik hex PoE router and an RB260GS switch. The question I have is how should I create the firewall rule to prevent the vlans from talking to each other, as I tried the rules you gave as an example, then pinged from one vlan to the other, and the pings were successful for a while before I finally received request time out. Can you please give an example firewall rule that would work in my case? I thank you in advance for any help you can give.

  • Marek

    hey man, thanks for your manual, but how do you access switch later on? I mean if you imagine that you need to access manageable switch from any VLAN – how to setup an IP address of the switch?

    Thanks, Marek
