VLANs on Wireless

VLANs provide the possibility to isolate devices into different Layer 2 segments while still using the same Layer 1 medium. This is very useful in setups where you want to separate different types of devices or users. This feature is also very useful for wireless setups since you can isolate different Virtual APs and restrict access to certain services or networks by using Firewall.

A common scenario is separating a Guest AP from a Work AP on the same physical device, ensuring guest traffic cannot access internal network resources.

RouterOS wireless interfaces support VLAN tagging through the vlan-id and vlan-mode parameters. When configured:

  • Wireless clients associate with specific SSIDs (either the main interface or Virtual APs)
  • Traffic from each SSID is tagged with the configured VLAN ID
  • Bridge VLAN filtering handles the Layer 2 forwarding and tag manipulation
  • Clients in different VLANs cannot communicate directly at Layer 2

The key parameters for wireless VLAN configuration are:

Parameter   Description
vlan-id     The VLAN ID to assign to traffic from this wireless interface
vlan-mode   Controls VLAN tagging behavior: disabled, use-tag, no-tag

The following topology is used in the configuration example below:

                        VLAN 111 (Work)
                               |
                       +-------+-------+
                       |               |
                      R1               R2 (AP with Virtual APs)
                                       |
                       +-------+-------+-------+
                       |               |
                   VLAN 111        VLAN 222 (Guest)
                       |               |
                      R3              R4

In this example:

  • R2 is an access point with two SSIDs
  • VLAN 111 carries work network traffic
  • VLAN 222 carries guest network traffic
  • R1 is the main router with VLAN interfaces
  • R3 and R4 are wireless clients connecting to respective SSIDs

On R1, create VLAN interfaces on ether1 (the link towards R2) so that it acts as a VLAN trunk port, then add IP addresses on the VLAN interfaces:

/interface vlan
add interface=ether1 name=vlan111 vlan-id=111
add interface=ether1 name=vlan222 vlan-id=222
/ip address
add address=192.168.1.1/24 interface=vlan111
add address=192.168.2.1/24 interface=vlan222

On R2, configure the main wireless interface and create a Virtual AP for the second SSID. It is important to set vlan-mode to use-tag on both interfaces. Both SSIDs reference security profiles (vlan111 and vlan222) that must already exist under /interface wireless security-profiles:

/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge security-profile=vlan111 ssid=vlan111 vlan-id=111 vlan-mode=use-tag
add disabled=no master-interface=wlan1 name=wlan2 security-profile=vlan222 ssid=vlan222 vlan-id=222 vlan-mode=use-tag

Still on R2, create a bridge with VLAN filtering enabled, add the trunk port and both wireless interfaces as bridge ports, and list each wireless interface as tagged for its own VLAN in the bridge VLAN table:

/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface bridge vlan
add bridge=bridge1 tagged=ether2,wlan1 vlan-ids=111
add bridge=bridge1 tagged=ether2,wlan2 vlan-ids=222

On R3 (the work client), add an IP address on the wireless interface and configure it as a station on R2's work SSID, using a security profile compatible with that SSID:

/ip address
add address=192.168.1.3/24 interface=wlan1
/interface wireless
# station mode is the default; the SSID selects the work Virtual AP on R2
set [ find default-name=wlan1 ] disabled=no security-profile=vlan111 ssid=vlan111

On R4 (the guest client), add an IP address on the wireless interface and configure it as a station on R2's guest SSID, using a security profile compatible with that SSID:

/ip address
add address=192.168.2.4/24 interface=wlan1
/interface wireless
# station mode is the default; the SSID selects the guest Virtual AP on R2
set [ find default-name=wlan1 ] disabled=no security-profile=vlan222 ssid=vlan222

The vlan-mode parameter on wireless interfaces controls how VLAN tags are handled:

Mode       Description
disabled   VLAN tags are not added or removed; traffic is passed as-is.
use-tag    All traffic from this interface is tagged with the configured vlan-id. Incoming tagged traffic is forwarded based on the tag.
no-tag     The VLAN tag is removed from outgoing traffic. Incoming untagged traffic is assigned the configured vlan-id.

For most wireless VLAN configurations, use-tag is the appropriate choice as it ensures all traffic is properly tagged.

Bridge VLAN filtering, available since RouterOS v6.41, provides VLAN-aware Layer 2 forwarding and VLAN tag manipulation within the bridge. This is the recommended method for wireless VLAN configurations.

Some devices have a built-in switch chip that can switch packets between Ethernet ports with wire-speed performance. Bridge VLAN filtering disables hardware offloading (except on CRS3xx series switches), which will prevent packets from being switched. This does not affect wireless interfaces as traffic through them cannot be offloaded to the switch chip either way.

VLAN filtering is not required for basic VLAN functionality but is highly recommended for security: without it, frames carrying unknown VLAN IDs can be forwarded between ports in certain scenarios, which undermines the isolation the VLANs are meant to provide. Disabling VLAN filtering does have performance benefits in high-throughput scenarios.

When deploying wireless VLANs, consider the following security measures:

  • Use strong encryption (WPA2-PSK or WPA3) for each SSID
  • Configure firewall rules to restrict inter-VLAN communication
  • Use separate security profiles for each VLAN
  • Consider using client isolation within each SSID to prevent wireless clients from communicating directly
  • Monitor VLAN traffic for unexpected patterns

If wireless clients do not receive an IP address, verify that:

  • The VLAN interface exists on the router with the correct VLAN ID
  • The DHCP server is bound to the correct VLAN interface
  • The bridge VLAN table includes the wireless interface as tagged
  • vlan-mode=use-tag is set on the wireless interface

If clients in one VLAN can reach resources in another VLAN, check that:

  • Bridge VLAN filtering is enabled
  • Firewall rules properly block inter-VLAN traffic
  • No other bridging paths exist between VLANs
  • The bridge VLAN table does not allow undesired VLAN forwarding
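The bridge VLAN table and vlan-mode checks above can be automated against an /export of the access point. This is an added example, not part of the original page or RouterOS itself: a small Python parser for the export format (assuming one value per key with no embedded spaces) that audits every bridged wireless interface, using R2's configuration from this page as constructed sample input.

```python
import re

# Constructed sample: R2's configuration from this page in "/export" form
R2_EXPORT = """\
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=vlan111 vlan-id=111 vlan-mode=use-tag
add disabled=no master-interface=wlan1 name=wlan2 ssid=vlan222 vlan-id=222 vlan-mode=use-tag
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface bridge vlan
add bridge=bridge1 tagged=ether2,wlan1 vlan-ids=111
add bridge=bridge1 tagged=ether2,wlan2 vlan-ids=222
"""

def parse_export(text):
    """Group add/set lines by their '/path' section into key=value dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif line.strip():
            # 'set [ find default-name=X ]' names the entry X; 'add' lines carry name=
            m = re.match(r"(?:set \[ find default-name=(\S+) \]|add|set) (.*)", line)
            entry = dict(kv.split("=", 1) for kv in m.group(2).split())
            entry.setdefault("name", m.group(1))
            sections[current].append(entry)
    return sections

def audit_wireless_vlans(export_text):
    """Return findings for bridged wireless ports that could leak between VLANs."""
    cfg = parse_export(export_text)
    ports = {p["interface"]: p["bridge"] for p in cfg.get("/interface bridge port", [])}
    tagged = {}  # (bridge, vlan-id) -> ports carrying that VLAN tagged
    for v in cfg.get("/interface bridge vlan", []):
        for vid in v["vlan-ids"].split(","):
            tagged.setdefault((v["bridge"], vid), set()).update(v.get("tagged", "").split(","))
    findings = [f"{b['name']}: vlan-filtering is off, VLAN tags are not enforced"
                for b in cfg.get("/interface bridge", []) if b.get("vlan-filtering") != "yes"]
    for w in cfg.get("/interface wireless", []):
        name, vid, mode = w["name"], w.get("vlan-id"), w.get("vlan-mode", "disabled")
        if name not in ports:
            continue  # not a bridge port, so bridge VLAN filtering does not apply
        if mode != "use-tag":
            findings.append(f"{name}: vlan-mode={mode}, expected use-tag")
        elif name not in tagged.get((ports[name], vid), set()):
            findings.append(f"{name}: missing from tagged list of VLAN {vid} on {ports[name]}")
    return findings
```

An empty result means the export matches the checklist; each finding names the interface or bridge that needs attention.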

If wireless throughput is poor, potential causes include:

  • VLAN filtering causing CPU processing of all traffic
  • Insufficient wireless channel bandwidth
  • Interference from nearby networks
  • High load on the bridge CPU