Network segmentation with VLANs is one of the cheapest and most effective security measures in an office. With a MikroTik router you can isolate guest Wi-Fi, IoT, staff and servers in under 30 minutes. This guide uses "bridge VLAN filtering" on RouterOS 7.
Target topology
- VLAN 10 — Management
- VLAN 20 — Staff
- VLAN 30 — Guest Wi-Fi (internet-only)
- VLAN 40 — IoT
- VLAN 50 — Servers
Step 1: Prepare the bridge
/interface bridge
add name=bridge1 vlan-filtering=no protocol-mode=none
Step 2: Add ports (trunk vs access)
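/interface bridge port
# ether2 is the trunk: it accepts tagged frames only
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
# ether3-ether5 are access ports: pvid puts untagged ingress traffic into that VLAN
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=40
add bridge=bridge1 interface=ether5 pvid=50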
Step 3: Define VLANs on the bridge
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2 untagged=ether3
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether2
add bridge=bridge1 vlan-ids=40 tagged=bridge1,ether2 untagged=ether4
add bridge=bridge1 vlan-ids=50 tagged=bridge1,ether2 untagged=ether5
Step 4: VLAN interfaces on bridge
/interface vlan
add interface=bridge1 name=vlan10-mgmt vlan-id=10
add interface=bridge1 name=vlan20-staff vlan-id=20
add interface=bridge1 name=vlan30-guest vlan-id=30
add interface=bridge1 name=vlan40-iot vlan-id=40
add interface=bridge1 name=vlan50-servers vlan-id=50
Step 5: IPs + DHCP
/ip address
add address=10.10.10.1/24 interface=vlan10-mgmt
add address=10.10.20.1/24 interface=vlan20-staff
add address=10.10.30.1/24 interface=vlan30-guest
add address=10.10.40.1/24 interface=vlan40-iot
add address=10.10.50.1/24 interface=vlan50-servers
Step 6: Firewall — VLAN isolation
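/ip firewall filter
# Assumes an interface list named WAN already exists and contains the uplink interface
add chain=forward action=accept connection-state=established,related
# Guests may only reach the internet
add chain=forward action=drop in-interface=vlan30-guest out-interface-list=!WAN
# IoT may not open connections to staff or servers
add chain=forward action=drop in-interface=vlan40-iot out-interface=vlan20-staff
add chain=forward action=drop in-interface=vlan40-iot out-interface=vlan50-servers
add chain=forward action=accept in-interface=vlan20-staff out-interface=vlan50-servers
# No final drop rule follows, so traffic that matches none of these rules is still forwarded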
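To check what the Step 6 rules actually isolate, the following Python script (an added example, not part of the original guide) replays them in first-match order for new connections and lists the inter-VLAN paths that stay open. It handles only the matchers used in Step 6, and ether1 as the sole member of the WAN list is an assumption, since the guide does not define that list.

```python
# Added example: offline first-match evaluation of the Step 6 forward rules.
STEP6_RULES = """\
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop in-interface=vlan30-guest out-interface-list=!WAN
add chain=forward action=drop in-interface=vlan40-iot out-interface=vlan20-staff
add chain=forward action=drop in-interface=vlan40-iot out-interface=vlan50-servers
add chain=forward action=accept in-interface=vlan20-staff out-interface=vlan50-servers
"""
VLAN_IFS = ["vlan10-mgmt", "vlan20-staff", "vlan30-guest", "vlan40-iot", "vlan50-servers"]
IF_LISTS = {"WAN": {"ether1"}}  # assumption: the guide never defines the WAN list

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, keeping rule order."""
    return [dict(tok.split("=", 1) for tok in line.split()[1:])
            for line in text.splitlines() if line.startswith("add ")]

def matches(rule, in_if, out_if):
    """True if the rule matches a NEW connection from in_if to out_if."""
    if "new" not in rule.get("connection-state", "new").split(","):
        return False  # established/related rules only cover reply traffic
    for key, iface in (("in-interface", in_if), ("out-interface", out_if)):
        if rule.get(key, iface) != iface:
            return False
    spec = rule.get("out-interface-list")
    if spec:
        negated, name = spec.startswith("!"), spec.lstrip("!")
        if (out_if in IF_LISTS.get(name, set())) == negated:
            return False
    return True

def verdict(rules, in_if, out_if):
    """First matching rule decides; the chain accepts when nothing matches."""
    for rule in rules:
        if rule.get("chain") == "forward" and matches(rule, in_if, out_if):
            return rule["action"]
    return "accept"

def open_paths(rules):
    """Inter-VLAN (src, dst) pairs where a new connection is forwarded."""
    return [(s, d) for s in VLAN_IFS for d in VLAN_IFS
            if s != d and verdict(rules, s, d) == "accept"]

if __name__ == "__main__":
    for src, dst in open_paths(parse_rules(STEP6_RULES)):
        print(f"OPEN  {src} -> {dst}")
```

With the rules exactly as listed, guests are fully blocked from other VLANs, but IoT can still open connections to the management and guest VLANs because no rule matches and the forward chain accepts by default.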
Step 7: Enable VLAN filtering
/interface bridge set bridge1 vlan-filtering=yes
Make sure you have an alternative way in (WAN with port-knock, console cable) before flipping this — a mistake locks you out.
Wi-Fi VLAN tagging
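# Assumes wlan1 and wlan2 are ports of bridge1 and tagged members of VLAN 20 and VLAN 30
# in /interface bridge vlan; Steps 2 and 3 above do not include them
/interface wireless
set wlan1 vlan-id=20 vlan-mode=use-tag ssid=Office-Staff
set wlan2 vlan-id=30 vlan-mode=use-tag ssid=Guest-WiFi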
Common mistakes
- Turning on vlan-filtering before rules → lockout.
- Trunk port without matching tagged VLANs.
- Same VLAN with two pvid values.
- No guest isolation → real security risk.