MikroTik RouterOS Docs

VLANs on MikroTik RouterOS: A Complete Guide

RouterOS Version: 7.x+ Difficulty: Intermediate Estimated Time: 45 minutes

For the impatient: here’s the 30-second version.

# Router-on-a-Stick: VLAN interfaces for inter-VLAN routing
/interface vlan add name=vlan100 vlan-id=100 interface=ether2
/interface vlan add name=vlan200 vlan-id=200 interface=ether2
/ip address add address=10.100.0.1/24 interface=vlan100
/ip address add address=10.200.0.1/24 interface=vlan200

Virtual LANs (VLANs) are the foundation of modern network segmentation. On MikroTik RouterOS, there are two fundamentally different approaches to VLAN implementation, and choosing the wrong one is the most common source of confusion and misconfiguration.

This guide explains both approaches, when to use each, and the critical differences that determine whether your network performs efficiently or becomes a troubleshooting nightmare.

A VLAN interface is a virtual interface that tags/untags traffic for a specific VLAN ID. It sits on top of a physical interface or bridge.

Use when: You need the router to participate in the VLAN - routing between VLANs, running services (DHCP, DNS), or terminating the VLAN.

VLAN Interface Hierarchy

Bridge VLAN filtering uses the bridge’s built-in VLAN table to control which VLANs can traverse which ports. The bridge acts as a managed switch.

Use when: You need to switch VLAN traffic between ports without the CPU processing every packet - the classic trunk/access port model.

Bridge VLAN Structure

Never create VLAN interfaces on physical ports that are also bridge members with the same VLANs. This creates a “VLAN in a bridge with a physical interface” misconfiguration that causes:

  • Packet duplication
  • Loops
  • Performance degradation (all traffic hits CPU)
  • Unpredictable behavior

If you need both switching AND routing, use Bridge VLAN Filtering with VLAN interfaces on the bridge itself, not the physical ports.

IEEE 802.1Q defines how VLAN tags are inserted into Ethernet frames:

802.1Q Frame Structure

Key terms:

  • Tagged frame: Has the 4-byte 802.1Q header inserted
  • Untagged frame: No VLAN header (native traffic)
  • PVID (Port VLAN ID): The VLAN ID assigned to untagged ingress traffic
  • Trunk port: Carries multiple VLANs (usually tagged)
  • Access port: Connects end devices (usually untagged)

Reserved VLAN IDs:

  • VLAN 0: Priority tagging only (no VLAN assignment)
  • VLAN 1: Default VLAN (often used for management, avoid in production)
  • VLAN 4095: Reserved
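The frame layout and reserved IDs above, as an added Python example (not part of the guide and not RouterOS code): it inserts the 4-byte 802.1Q header after the MAC pair, parses it back out, refuses VID 4095, recognises VID 0 as priority tagging, and, because the parser peels tags in a loop, labels a frame that carries two stacked tags as "double-tagged" so a defender's ingress check can spot it. The sample frame and the constant names are constructed for this example.

```python
import struct

# Added example (not from the guide): build and parse 802.1Q-tagged Ethernet
# frames to show where the 4-byte tag sits and what the reserved IDs mean.

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q header
VID_PRIORITY_ONLY = 0        # VLAN 0: priority tagging only, no VLAN assignment
VID_RESERVED = 4095          # VLAN 4095: reserved, never valid on the wire


def is_valid_vid(vid):
    """VLAN IDs are 12 bits; 4095 is reserved by the standard."""
    return 0 <= vid < VID_RESERVED


def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte 802.1Q header: TPID followed by TCI = PCP(3) | DEI(1) | VID(12)."""
    if not is_valid_vid(vid):
        raise ValueError(f"VLAN ID {vid} out of range (0-4094)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI must be 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q header between the source MAC and the EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def parse_frame(frame):
    """Split a frame into dst, src, the list of 802.1Q tags (outermost first),
    the inner EtherType and the payload. Each 0x8100 header found is peeled
    off in turn, so a double-tagged frame yields two tags."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break
        if offset + 6 > len(frame):          # need the TCI plus the next EtherType
            raise ValueError("truncated 802.1Q header")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def classify(parsed):
    """Name the frame type in the guide's terms; 'double-tagged' is what the
    ingress policy (frame-types plus ingress filtering) should never admit."""
    tags = parsed["tags"]
    if not tags:
        return "untagged"
    if len(tags) > 1:
        return "double-tagged"
    return "priority-tagged" if tags[0]["vid"] == VID_PRIORITY_ONLY else "tagged"


# Constructed sample: broadcast ARP-style frame, dst ff:ff:ff:ff:ff:ff, src 02:00:00:00:00:01,
# EtherType 0x0806, followed by a 28-byte zero payload.
SAMPLE_UNTAGGED_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED_FRAME, 100, pcp=5)
    print(tagged[12:16].hex(), classify(parse_frame(tagged)))   # 8100a064 tagged
```

The TCI for VID 100 with PCP 5 is 0xA064, so the inserted header reads `81 00 A0 64` on the wire; an untagged frame grows by exactly four bytes when tagged, which is why trunk links need the larger MTU.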

When your MikroTik device needs to route between VLANs (act as the gateway), you create VLAN interfaces and assign IP addresses to them.

A single router interface connects to a switch trunk port, handling multiple VLANs:

Router-on-a-Stick Topology

Create a VLAN interface for each network segment. The interface parameter specifies which physical port carries the tagged traffic.

/interface vlan add name=vlan100-mgmt vlan-id=100 interface=ether2
/interface vlan add name=vlan200-users vlan-id=200 interface=ether2

Why name matters: Use descriptive names like vlan100-mgmt rather than just vlan100. When troubleshooting at 2 AM, you’ll thank yourself.

Each VLAN interface becomes a gateway for that network segment:

/ip address add address=10.100.0.1/24 interface=vlan100-mgmt
/ip address add address=10.200.0.1/24 interface=vlan200-users

At this point, the router can:

  • Receive tagged traffic on ether2
  • Route between 10.100.0.0/24 and 10.200.0.0/24
  • Act as the gateway for devices in each VLAN

If the router should provide DHCP to each VLAN:

/ip pool add name=pool-vlan100 ranges=10.100.0.100-10.100.0.200
/ip pool add name=pool-vlan200 ranges=10.200.0.100-10.200.0.200
/ip dhcp-server network add address=10.100.0.0/24 gateway=10.100.0.1 dns-server=10.100.0.1
/ip dhcp-server network add address=10.200.0.0/24 gateway=10.200.0.1 dns-server=10.200.0.1
/ip dhcp-server add name=dhcp-vlan100 interface=vlan100-mgmt address-pool=pool-vlan100
/ip dhcp-server add name=dhcp-vlan200 interface=vlan200-users address-pool=pool-vlan200

Check that VLAN interfaces are created and running:

/interface vlan print

Expected output shows both VLANs bound to ether2:

Flags: R - RUNNING
# NAME MTU ARP VLAN-ID INTERFACE
0 R vlan100-mgmt 1500 enabled 100 ether2
1 R vlan200-users 1500 enabled 200 ether2

Verify IP addressing:

/ip address print where interface~"vlan"

When your MikroTik device should act as a managed switch (passing traffic between ports based on VLAN membership), use Bridge VLAN Filtering.

Access Switch with Uplink Topology

The bridge maintains a VLAN table that controls:

  1. Which VLANs are allowed on each port
  2. Whether packets egress tagged or untagged
  3. What VLAN ID to assign to untagged ingress packets (PVID)

Ingress behavior:

  • Access port: Untagged packets get tagged with PVID
  • Trunk port: Tagged packets pass through; untagged get PVID

Egress behavior:

  • Tagged port: Packets sent with VLAN tag
  • Untagged port: VLAN tag stripped before sending

Create a bridge but do not enable VLAN filtering yet - you could lock yourself out:

/interface bridge add name=bridge1 vlan-filtering=no

Add ports to the bridge. Set PVID for access ports:

/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2 pvid=100
/interface bridge port add bridge=bridge1 interface=ether3 pvid=200

PVID has no effect until VLAN filtering is enabled.

Define which VLANs are allowed on which ports, and whether they should be tagged or untagged:

/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=100
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=200

Common mistake: Do NOT combine multiple VLANs with multiple untagged ports in one entry:

# WRONG - This allows VLAN 100 to leak to ether3 and VLAN 200 to leak to ether2!
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=100,200
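To make the ingress/egress rules listed above and the leak in this WRONG entry concrete, here is an added Python model of the bridge VLAN table (example code written for this guide, not RouterOS code). It uses the guide's port layout (ether1 trunk, ether2 and ether3 access ports for VLAN 100 and 200), applies PVID to untagged ingress, checks membership on egress, and optionally applies ingress filtering and the `frame-types` restrictions from the hardening section so the difference between the default (egress-only) check and the hardened port is visible. The class and function names are this example's own.

```python
from dataclasses import dataclass, field

# Added example (not RouterOS code): a small model of the bridge VLAN table's
# ingress and egress decisions, using the guide's port and VLAN layout.

ADMIT_ALL = "admit-all"
ADMIT_TAGGED = "admit-only-vlan-tagged"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"


@dataclass
class Port:
    name: str
    pvid: int = 1                      # VLAN assigned to untagged ingress frames
    ingress_filtering: bool = False    # RouterOS default: VLANs are checked on egress only
    frame_types: str = ADMIT_ALL


@dataclass
class VlanEntry:
    """One '/interface bridge vlan add' row: vlan-ids, tagged ports, untagged ports."""
    vlan_ids: set
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)


class Bridge:
    def __init__(self, ports, vlan_table):
        self.ports = {p.name: p for p in ports}
        self.vlan_table = vlan_table

    def members(self, vid):
        """{port: 'tagged'|'untagged'} for every port (the bridge CPU port included) allowed to carry vid."""
        members = {}
        for entry in self.vlan_table:
            if vid in entry.vlan_ids:
                members.update({p: "tagged" for p in entry.tagged})
                members.update({p: "untagged" for p in entry.untagged})
        return members

    def forward(self, ingress, vid=None):
        """Flood one broadcast frame entering `ingress`. vid=None means untagged and
        vid=0 priority-tagged (both get the PVID). Returns {port: 'tagged'|'untagged'}
        for the egress ports, or {} when the frame is dropped at ingress."""
        port = self.ports[ingress]
        untagged_in = vid in (None, 0)
        if port.frame_types == ADMIT_TAGGED and untagged_in:
            return {}
        if port.frame_types == ADMIT_UNTAGGED and not untagged_in:
            return {}
        frame_vid = port.pvid if untagged_in else vid
        members = self.members(frame_vid)
        if port.ingress_filtering and ingress not in members:
            return {}                       # ingress port is not a member of frame_vid: drop now
        # Egress check: only ports listed for frame_vid in the VLAN table receive the frame.
        return {p: mode for p, mode in members.items() if p != ingress}


def make_bridge(vlan_table, hardened=False):
    """ether1 = trunk, ether2/ether3 = access ports for VLAN 100/200, as in the guide.
    hardened=True applies ingress filtering and the guide's frame-types settings."""
    trunk_ft = ADMIT_TAGGED if hardened else ADMIT_ALL
    access_ft = ADMIT_UNTAGGED if hardened else ADMIT_ALL
    ports = [
        Port("ether1", ingress_filtering=hardened, frame_types=trunk_ft),
        Port("ether2", pvid=100, ingress_filtering=hardened, frame_types=access_ft),
        Port("ether3", pvid=200, ingress_filtering=hardened, frame_types=access_ft),
    ]
    return Bridge(ports, vlan_table)


# The guide's correct table: one row per VLAN.
CORRECT_TABLE = [
    VlanEntry({100}, tagged={"ether1"}, untagged={"ether2"}),
    VlanEntry({200}, tagged={"ether1"}, untagged={"ether3"}),
]
# The guide's WRONG row: both access ports become untagged members of both VLANs.
WRONG_TABLE = [VlanEntry({100, 200}, tagged={"ether1"}, untagged={"ether2", "ether3"})]

if __name__ == "__main__":
    good = make_bridge(CORRECT_TABLE)
    print("correct, untagged in on ether2      ->", good.forward("ether2"))
    print("correct, VLAN 200 in on trunk       ->", good.forward("ether1", vid=200))
    print("default, tagged 100 in on ether3    ->", good.forward("ether3", vid=100))
    print("hardened, tagged 100 in on ether3   ->", make_bridge(CORRECT_TABLE, True).forward("ether3", vid=100))
    print("WRONG table, untagged in on ether2  ->", make_bridge(WRONG_TABLE).forward("ether2"))
```

With the correct table an untagged frame on ether2 leaves only on ether1, tagged 100. With the WRONG row the same frame also leaves ether3 untagged, which is the leak the comment warns about. The third and fourth lines show why the hardening section matters: a frame tagged 100 arriving on access port ether3 is forwarded by the default egress-only check, but dropped once ingress filtering and `frame-types` are set.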

Once configuration is complete, enable filtering:

/interface bridge set bridge1 vlan-filtering=yes

Warning: If you’re connected through the bridge, you may lose access. Always configure from:

  • A port not in the bridge
  • Serial console
  • Or configure management access first (see below)

To access the device through a bridge port using a management VLAN:

  1. Add the bridge itself as a tagged member of the management VLAN:

/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99

  2. Create a VLAN interface on the bridge (not a physical port):

/interface vlan add interface=bridge1 name=vlan99-mgmt vlan-id=99
/ip address add address=192.168.99.1/24 interface=vlan99-mgmt

The bridge interface is the “CPU port” - traffic destined for management goes through it.

Check the bridge VLAN table (including dynamic entries):

/interface bridge vlan print

Expected output:

Flags: D - DYNAMIC
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridge1 100 ether1 ether2
1 bridge1 200 ether1 ether3

Check port configuration:

/interface bridge port print

The most common production setup: the MikroTik acts as both a switch AND the router/gateway.

Combined Bridge with VLAN Routing Topology

# Create bridge (VLAN filtering off initially)
/interface bridge add name=bridge1 vlan-filtering=no
# Add LAN ports
/interface bridge port add bridge=bridge1 interface=ether2 pvid=100
/interface bridge port add bridge=bridge1 interface=ether3 pvid=200
# Configure VLAN table - bridge is tagged because we route through it
/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=100
/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=200
# Create VLAN interfaces ON THE BRIDGE (not physical ports!)
/interface vlan add interface=bridge1 name=vlan100-mgmt vlan-id=100
/interface vlan add interface=bridge1 name=vlan200-users vlan-id=200
# Assign gateway IPs
/ip address add address=10.100.0.1/24 interface=vlan100-mgmt
/ip address add address=10.200.0.1/24 interface=vlan200-users
# Enable VLAN filtering
/interface bridge set bridge1 vlan-filtering=yes

Key insight: The VLAN interfaces are created on bridge1, not on ether2 or ether3. The bridge handles Layer 2 switching; the VLAN interfaces handle Layer 3 routing.


By default, the bridge only checks VLANs on egress. Enable ingress filtering to drop unauthorized VLANs immediately:

/interface bridge port set [find interface=ether1] ingress-filtering=yes
/interface bridge port set [find interface=ether2] ingress-filtering=yes
/interface bridge port set [find interface=ether3] ingress-filtering=yes

Restrict what frame types each port accepts:

# Trunk port: only accept tagged frames
/interface bridge port set [find interface=ether1] frame-types=admit-only-vlan-tagged
# Access ports: only accept untagged frames
/interface bridge port set [find interface=ether2] frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port set [find interface=ether3] frame-types=admit-only-untagged-and-priority-tagged

An attacker could send double-tagged frames to “hop” into another VLAN. Prevent this:

  1. Use a dedicated native VLAN (not VLAN 1)
  2. Enable ingress filtering on all ports
  3. Use frame-type restrictions
  4. Never use the same VLAN as both tagged and untagged on the same port

The bridge resets when VLAN filtering is toggled. If you were connected through the bridge:

  1. Connect via serial console or a port not in the bridge
  2. Disable VLAN filtering: /interface bridge set bridge1 vlan-filtering=no
  3. Verify your management VLAN configuration
  4. Re-enable filtering

Check:

  1. Are VLAN interfaces created on the bridge (not physical ports)?
  2. Is the bridge tagged for those VLANs in the VLAN table?
  3. Are IP addresses assigned to VLAN interfaces?
  4. Is IP forwarding enabled? (/ip settings print)

Verify:

  1. PVID is set correctly on the access port
  2. The VLAN is in the bridge VLAN table with the port as untagged
  3. DHCP server is listening on the correct VLAN interface

# See bridge VLAN table with current ports
/interface bridge vlan print
# Check host table (which MACs seen on which ports/VLANs)
/interface bridge host print
# Monitor bridge port statistics
/interface bridge port monitor [find]
# Check if hardware offloading is active
/interface bridge port print detail

# WRONG - vlan10/vlan20 are created on ether1, which is also a bridge port (the misconfiguration described earlier)
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
/interface bridge set bridge1 vlan-filtering=yes
/interface vlan add name=vlan10 vlan-id=10 interface=ether1
/interface vlan add name=vlan20 vlan-id=20 interface=ether1
/ip address add address=10.10.0.1/24 interface=vlan10
/ip address add address=10.20.0.1/24 interface=vlan20

# RIGHT - VLAN interfaces on bridge1, and bridge1 is a tagged member of each VLAN in the VLAN table
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20
/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=20
/interface vlan add name=vlan10 vlan-id=10 interface=bridge1
/interface vlan add name=vlan20 vlan-id=20 interface=bridge1
/ip address add address=10.10.0.1/24 interface=vlan10
/ip address add address=10.20.0.1/24 interface=vlan20
/interface bridge set bridge1 vlan-filtering=yes
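The pitfalls this guide describes (VLAN interfaces on a bridge member port, one VLAN-table row with several VLANs and several untagged ports, a bridge that routes a VLAN without being tagged for it, and bridge ports left without ingress filtering or frame-type restrictions) can all be checked mechanically. The following is an added Python audit script written for this guide, not a MikroTik tool: it parses the one-command-per-line form used throughout the guide (a real `/export` groups commands under path headers, which this small parser does not handle, so that is an assumption) and reports a finding per pitfall. The two sample configurations are constructed from the WRONG and RIGHT blocks above, with the hardening settings added to the RIGHT one.

```python
import re
import shlex

# Added example (not RouterOS code): audit the one-command-per-line RouterOS
# configuration style used in this guide for the VLAN pitfalls it describes.


def parse_commands(text):
    """Return [{'path', 'verb', 'target', 'args'}] for each '/path add|set ...' line."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(/[\w\s-]+?)\s+(add|set)\s+(.*)$", line)
        if not m:
            continue
        path, verb, rest = m.group(1).strip(), m.group(2), m.group(3)
        target = None
        find = re.match(r"^\[find interface=(\S+?)\]\s*(.*)$", rest)
        if find:                                             # set [find interface=etherN] k=v ...
            target, rest = find.group(1), find.group(2)
        elif verb == "set" and rest and "=" not in rest.split()[0]:   # set bridge1 k=v ...
            target, _, rest = rest.partition(" ")
        args = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
        commands.append({"path": path, "verb": verb, "target": target, "args": args})
    return commands


def _split(value):
    return set(value.split(",")) if value else set()


def audit(text):
    """Return 'category: detail' findings; an empty list means none of the checked pitfalls is present."""
    bridges, bridge_ports, vlan_rows, vlan_ifaces = set(), {}, [], []
    for c in parse_commands(text):
        path, args = c["path"], c["args"]
        if path == "/interface bridge" and c["verb"] == "add":
            bridges.add(args.get("name"))
        elif path == "/interface bridge port":                 # 'add interface=X' or 'set [find interface=X]'
            bridge_ports.setdefault(args.get("interface") or c["target"], {}).update(args)
        elif path == "/interface bridge vlan" and c["verb"] == "add":
            vlan_rows.append(args)
        elif path == "/interface vlan" and c["verb"] == "add":
            vlan_ifaces.append(args)

    findings, membership = [], {}                              # membership: (vid, port) -> {'tagged','untagged'}
    for row in vlan_rows:
        vids, untagged = _split(row.get("vlan-ids")), _split(row.get("untagged"))
        for vid in vids:
            for p in _split(row.get("tagged")):
                membership.setdefault((vid, p), set()).add("tagged")
            for p in untagged:
                membership.setdefault((vid, p), set()).add("untagged")
        if len(vids) > 1 and len(untagged) > 1:                # every listed port joins every listed VLAN
            findings.append(f"untagged-leak: vlan-ids={row['vlan-ids']} untagged={row['untagged']} in one row")
    for (vid, p), modes in membership.items():
        if modes == {"tagged", "untagged"}:
            findings.append(f"tagged-and-untagged: VLAN {vid} on {p}")
    for vi in vlan_ifaces:
        parent, vid = vi.get("interface"), vi.get("vlan-id")
        if parent in bridge_ports:
            findings.append(f"vlan-on-bridge-member: {vi.get('name')} sits on bridge port {parent}; put it on the bridge")
        elif parent in bridges and "tagged" not in membership.get((vid, parent), set()):
            findings.append(f"bridge-not-tagged: {vi.get('name')} needs {parent} tagged for VLAN {vid}")
    for name, settings in bridge_ports.items():
        if settings.get("ingress-filtering") != "yes":
            findings.append(f"no-ingress-filtering: {name}")
        if "frame-types" not in settings:
            findings.append(f"no-frame-types: {name}")
    return findings


# Constructed sample: the guide's WRONG layout (VLAN interfaces on a bridge member port, no hardening).
WRONG_CONFIG = """
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
/interface bridge set bridge1 vlan-filtering=yes
/interface vlan add name=vlan10 vlan-id=10 interface=ether1
/interface vlan add name=vlan20 vlan-id=20 interface=ether1
"""
# Constructed sample: the guide's leaking VLAN-table row, for appending to a config.
LEAK_ROW = "/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=10,20\n"
# Constructed sample: the guide's RIGHT layout plus ingress filtering and frame-types on the access ports.
RIGHT_CONFIG = """
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20
/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=20
/interface vlan add name=vlan10 vlan-id=10 interface=bridge1
/interface vlan add name=vlan20 vlan-id=20 interface=bridge1
/interface bridge port set [find interface=ether2] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port set [find interface=ether3] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge set bridge1 vlan-filtering=yes
"""

if __name__ == "__main__":
    for name, cfg in (("WRONG", WRONG_CONFIG + LEAK_ROW), ("RIGHT", RIGHT_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run against the WRONG sample the audit reports the two VLAN interfaces on ether1 plus missing ingress filtering and frame types on all three ports (eight findings, nine with the leaking row appended); the RIGHT sample with the hardening lines produces none. Paste the commands you intend to apply into one of these strings before enabling `vlan-filtering=yes` and the checks run offline, which is worth doing before a change that can lock you out of the device.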


This section provides a minimal testable configuration that validates the core VLAN interface concepts from this guide.

Create a VLAN interface for testing:

/interface vlan add name=vlan100-test vlan-id=100 interface=ether2

Assign an IP address to act as the gateway for this VLAN:

/ip address add address=10.100.0.1/24 interface=vlan100-test

Verify the VLAN interface was created correctly:

/interface vlan print where name=vlan100-test
/ip address print where interface=vlan100-test