Basic VLAN Configuration

Basic VLAN Configuration

RouterOS Version

Primary Version: 7.16 | Minimum: 6.0 | Difficulty: Intermediate | Time: 10 minutes

TL;DR (Quick Start)

For the impatient: here’s the 30-second version.

# Create VLANs on trunk interface
/interface vlan add name=vlan100 vlan-id=100 interface=ether2
/interface vlan add name=vlan200 vlan-id=200 interface=ether2
/ip address add address=10.100.0.1/24 interface=vlan100
/ip address add address=10.200.0.1/24 interface=vlan200

Overview

This guide demonstrates how to configure VLANs on MikroTik RouterOS using VLAN interfaces on top of a physical interface.

Prerequisites

• A MikroTik router running RouterOS 7.x or later
• Access to the router via SSH, WinBox, or WebFig

Configuration Steps

Step 1: Create VLAN 100 Interface

Create a VLAN interface with ID 100 on ether2:

/interface vlan add name=vlan100 vlan-id=100 interface=ether2 comment="Management VLAN"

Step 2: Create VLAN 200 Interface

Create a second VLAN for guest network:

/interface vlan add name=vlan200 vlan-id=200 interface=ether2 comment="Guest VLAN"

Step 3: Assign IP to VLAN 100

Configure an IP address on the management VLAN:

/ip address add address=10.100.0.1/24 interface=vlan100 comment="VLAN 100 Gateway"

Step 4: Assign IP to VLAN 200

Configure an IP address on the guest VLAN:

/ip address add address=10.200.0.1/24 interface=vlan200 comment="VLAN 200 Gateway"

Verification

Check 1: VLAN Interfaces

/interface vlan print

Expected Output:

Flags: X - disabled, R - running
 #   NAME     MTU  ARP        VLAN-ID  INTERFACE
 0 R vlan100  1500 enabled        100  ether2
 1 R vlan200  1500 enabled        200  ether2

Check 2: VLAN IP Addresses

/ip address print where interface~"vlan"

Expected Output:

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS          NETWORK        INTERFACE
 0   10.100.0.1/24    10.100.0.0     vlan100
 1   10.200.0.1/24    10.200.0.0     vlan200

Troubleshooting

Problem: VLAN traffic not passing

Symptoms: Devices in VLAN cannot communicate, no connectivity.

Causes & Solutions:

1. Switch port not configured as trunk - The connected switch must tag traffic:

   • Configure switch port as trunk/tagged for VLANs 100, 200
   • Verify with packet capture that tagged frames are being sent

2. Wrong VLAN ID - Verify VLAN IDs match on both ends:

   /interface vlan print

3. Parent interface down - Check the physical interface:

   /interface print where name=ether2

Problem: VLAN interface not running

Symptoms: VLAN interface shows without ‘R’ (running) flag.

Causes & Solutions:

1. Parent interface is down - Bring up the parent interface:

   /interface enable ether2

2. VLAN disabled - Enable the VLAN interface:

   /interface vlan enable vlan100

Problem: Inter-VLAN routing not working

Symptoms: Devices in different VLANs cannot reach each other.

Causes & Solutions:

1. IP forwarding disabled - Verify routing is enabled (it is by default)

2. Firewall blocking traffic - Check forward chain:

   /ip firewall filter print chain=forward

3. Devices have wrong gateway - Ensure devices point to the correct VLAN gateway IP

Problem: Only one VLAN works

Symptoms: One VLAN has connectivity, others don’t.

Causes & Solutions:

1. Native VLAN mismatch - Check if traffic is being sent untagged:

   /interface vlan print detail

   Verify the switch native VLAN configuration matches

Related Topics

Prerequisites

• Bridge Configuration - VLANs often run on top of bridges

Next Steps

• IP Address Configuration - assign gateway IPs to VLAN interfaces
• DHCP Server - provide IP addresses per VLAN
• DHCP Relay - centralized DHCP across multiple VLANs
• Firewall Basics - control inter-VLAN traffic

Advanced Topics

• Bridge VLAN Filtering - hardware-offloaded VLAN handling
• VLAN Fundamentals - in-depth VLAN concepts

References

• MikroTik VLAN Documentation