Add VLAN on MikroTik

Sometimes you might want to separate your guest network from your private network. This guide will help you set up a VLAN on your Social WiFi network, so that traffic from any Access Points connected to a particular physical interface and tagged with the same VLAN ID is relayed where you want it to go.

Before you get started with this guide, you will need to configure Social WiFi service on your MikroTik router. Please refer to this guide in order to do so.

Your VLAN ID will also need to be configured on your Access Points and any switch located in between them and the MikroTik router. This setup will be different depending on your device manufacturer, model and operating system.

Run Social WiFi on a VLAN

The installation guide for MikroTik assumes that the hotspot service will be running on physical port 3, handling untagged traffic. Let's assume that you instead want a hybrid port, where untagged traffic goes to the default LAN network (no Social WiFi) and traffic tagged with VLAN ID 20 goes to the guest network (with Social WiFi enabled).

This article shows one of the available ways to configure a VLAN on a MikroTik device. There are at least 2 other ways to do it. "bridge vlan filtering" is the recommended one, unless you're after VLAN hardware offloading, in which case you need to consult examples specific to your MikroTik model.

Always make a backup of your configuration and download it to your computer, in case something goes wrong. An incorrect VLAN configuration may cut you off from the router.

VLAN ID 20 is used as an example; change the VLAN ID to the one appropriate in your case.

To add a VLAN using this method, please go to Interfaces->"+"->VLAN. Add the name, set your VLAN ID and set interface to "bridge".

Now, go to Bridge -> VLANs -> "+" and configure the VLAN filtering as follows:

Bridge: bridge
VLAN IDs: 20
Tagged: bridge, ether3

Adding "bridge" as a tagged interface is important, because it makes the DHCP server and other CPU-related services work. More on that topic here: https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-TaggedaccesswithVLANfiltering

Now, go to IP->Addresses, IP->DHCP-Server and IP->Hotspot, and change the interface from "sw" to "vlan20" in each of those windows.

Now, go to Bridge->Ports and change the bridge of "ether3" from "sw" to "bridge".

If you're connecting through the MAC Address, keep in mind that you'll get kicked out of WinBox after the next two changes. Just reconnect shortly after.

Now, go back to Bridge (1.) and turn on bridge VLAN filtering for "bridge". Make sure to leave "PVID" at 1.

Everything should be working by now. The last thing left to do is to delete the "sw" bridge. To do that, go to Interfaces->Interface, select the "sw" bridge and press X (3.).

Configuration from the example above to copy and paste to a terminal:

/interface vlan add interface=bridge name=vlan20 vlan-id=20
/interface bridge vlan add bridge=bridge tagged=bridge,ether3 vlan-ids=20
/ip address set [find interface=sw] interface=vlan20
/ip hotspot set [find interface=sw] interface=vlan20
/ip dhcp-server set [find interface=sw] interface=vlan20
/interface bridge port set [find interface=ether3] bridge=bridge
/interface bridge set bridge vlan-filtering=yes
/interface bridge remove sw
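
To confirm the result before relying on it for guest isolation, the following added example (not part of the original guide, and not Social WiFi or MikroTik tooling) reads the text of a router `/export` and lists deviations from the setup above: a missing "bridge" in the tagged list, VLAN filtering left off, a changed bridge PVID, or a hotspot still bound to another interface. The sample export is constructed, the function names are hypothetical, and the check assumes VLAN IDs are listed individually rather than as ranges.

```python
import re
import shlex

# Constructed /export excerpt (not from a real router) with three deviations.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=no
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
/interface bridge vlan
add bridge=bridge tagged=ether3 vlan-ids=20
/ip hotspot
add interface=sw name=hotspot1
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its add/set lines."""
    menus, path = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join continuations
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.startswith(("add ", "set ")):
            pairs = [t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t]
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def audit_guest_vlan(text, vlan_id="20", bridge="bridge", port="ether3"):
    """Return deviations from the bridge VLAN filtering setup in this guide."""
    m, issues = parse_export(text), []
    vlan_ifs = [v.get("name") for v in m.get("/interface vlan", [])
                if v.get("vlan-id") == vlan_id and v.get("interface") == bridge]
    if not vlan_ifs:
        issues.append(f"no VLAN interface for ID {vlan_id} on {bridge}")
    tagged = set()
    for row in m.get("/interface bridge vlan", []):
        if row.get("bridge") == bridge and vlan_id in row.get("vlan-ids", "").split(","):
            tagged.update(row.get("tagged", "").split(","))
    issues += [f"{name} is not tagged for VLAN {vlan_id}"
               for name in (bridge, port) if name not in tagged]
    for br in m.get("/interface bridge", []):
        if br.get("name") == bridge:
            if br.get("vlan-filtering") != "yes":
                issues.append(f"vlan-filtering is not enabled on {bridge}")
            if br.get("pvid", "1") != "1":  # export omits the default of 1
                issues.append(f"{bridge} PVID is {br['pvid']}, expected 1")
    issues += [f"hotspot {h.get('name')} runs on {h.get('interface')}, not the VLAN"
               for h in m.get("/ip hotspot", []) if h.get("interface") not in vlan_ifs]
    return issues
```

Calling `audit_guest_vlan(SAMPLE_EXPORT)` returns three findings; an export that matches the commands above returns an empty list.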

Deprecated method of configuring VLAN on your MikroTik router

This method is simpler, but no longer recommended, due to possible issues in more complex networks. See: https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANinabridgewithaphysicalinterface

Interfaces -> Add -> VLAN

Name: [your desired name]
VLAN ID: [your VLAN ID]
Interface: [interface on which your APs are connected]

Bridge -> Ports -> Add

Interface: [choose the VLAN you created]
Bridge: sw

OK

If your AP is connected on the port you configured (in this case, ethernet port 3) and has properly set VLAN tagging, then you should be free to enjoy Social WiFi service without impacting your main network!
