Need help securing your MikroTik routers? An extended copy of our MikroTik Router Hardening Guide complete with a checklist, links to STIGs, and more in-depth discussions of best practices than will fit in a blog post is now available. Check out the Amazon Kindle version or see the printable version on our website.
VLAN trunking and routing is one of the most basic and essential skills that a network administrator can have. Segmenting the network with VLANs is required for PCI, HIPAA, and other compliance standards, and it helps keep some measure of order and sanity in large network infrastructures. Setting up VLANs on a Mikrotik router and configuring VLAN trunking is easy, even if a couple of the steps are less-than-intuitive.
- VLAN Design
- VLAN Trunking Protocols
- VLAN Topology
- Creating VLANs on Mikrotik
- Addressing VLAN Interfaces
- DHCP for VLAN Networks
- Switch VLAN Configuration
The first step in segmenting the network isn't done on the router at all, it's done on the whiteboard - deciding how to structure your VLANs. If a network has to be HIPAA or PCI compliant this decision is easier because it's spelled out in black and white what has to be segmented. If a network is being segmented for another reason, like a company mandate to improve security, then it's a bit "up in the air" but still doesn't have to be hard.
For the most part I like to mirror the organizational structure with VLANs. Each department typically gets its own VLAN, because each department is its own logical group with a unique function, and probably has its own security needs. Servers and storage get their own VLANs, or (preferably) their own switching hardware if that's in the budget. I like being able to firewall and monitor traffic per department, and having their traffic pass through virtual VLAN interfaces lets me use tools like Torch or NetFlow. Guest networks get their own VLANs that are firewalled from accessing the internal network. Wireless networks get their own VLANs too, keeping wireless chatter, iOS / Android and app updates, etc. off the other networks. Once you decide who gets their own VLAN it's time to create them and segment the network.
VLAN Trunking Protocols
Mikrotik routers handle VLANs much like any other platform - 802.1q trunking is used between switches and the router, and tagging is done like you'd expect on Cisco, Juniper, Brocade, or other platforms with a simple VLAN ID. While Cisco offers other encapsulation methods like (the now deprecated) ISL, Mikrotik only supports the industry-standard 802.1q protocol. Using 802.1q you can trunk VLANs from a Cisco, HP, or other switch to a Mikrotik router, and let the Mikrotik handle the routing, firewalling, bandwidth throttling, etc.
For this scenario we only have one router, and we'll create VLANs for HR (192.168.100.0/24), Accounting (192.168.150.0/24), and Guests (192.168.175.0/24). If you can create 3 VLANs you can create 30, so I'm keeping the example brief. The IP ranges for each VLAN were also chosen arbitrarily; it's up to you to choose an IP scheme that fits your organization. The router is connected to a switch on ether2, with an 802.1q trunk link in between. This is also known as a "router on a stick" configuration. I'm not going to be specific about the switch being a Cisco, HP, or whatever switch because 802.1q trunking is almost the same across platforms. Just check your vendor's documentation for setting it up on a trunk port. The router also has a WAN connection on ether1 that clients in the VLANs will use to access the Internet via a default route to the ISP's gateway.
Creating VLANs on Mikrotik
First, create the VLANs on the Mikrotik router, and assign them to the ether2 interface. Doing this step will automatically enable 802.1q trunking on the ether2 interface, and will take down the link for normal untagged traffic. This will create an outage until the rest of the steps are complete; you have been warned.
```
/interface vlan
add comment="HR" interface=ether2 name="VLAN 100 - HR" vlan-id=100
add comment="Accounting" interface=ether2 name="VLAN 150 - Accounting" vlan-id=150
add comment="Guests" interface=ether2 name="VLAN 175 - Guests" vlan-id=175
```
I've taken the time to name the VLAN interfaces and give them a useful comment, and I suggest you do the same. This will make administering VLANs and onboarding new administrators easier. As mentioned earlier, creating the VLANs and assigning them to the physical ether2 interface automatically changed encapsulation to 802.1q, even though you won't see that if you print the interface details. This is one of those non-intuitive things mentioned before.
Addressing VLAN Interfaces
Next we'll put IP addresses on the VLAN interfaces so they can function as gateways:
```
/ip address
add address=192.168.100.1/24 comment="HR Gateway" interface="VLAN 100 - HR"
add address=192.168.150.1/24 comment="Accounting Gateway" interface="VLAN 150 - Accounting"
add address=192.168.175.1/24 comment="Guests Gateway" interface="VLAN 175 - Guests"
```
Again, I took the time to add comments and you should as well. At this point we have our VLANs, and they have usable addresses. If you're using static IP addressing on your network that's pretty much it for the VLAN configuration. The next (optional) steps are setting up DHCP instances on the VLAN interfaces, so that clients inside each network segment can get dynamic addresses.
DHCP for VLAN Networks
First set up IP address pools for each VLAN:
```
/ip pool
add name=HR ranges=192.168.100.2-192.168.100.254
add name=Accounting ranges=192.168.150.2-192.168.150.254
add name=Guests ranges=192.168.175.2-192.168.175.254
```
Next, set up the DHCP networks with options for DNS (Google public servers) and the gateways:
```
/ip dhcp-server network
add address=192.168.100.0/24 comment="HR Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1
add address=192.168.150.0/24 comment="Accounting Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.150.1
add address=192.168.175.0/24 comment="Guest Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.175.1
```
In this case I'm using Google's Public DNS service, and the internal gateways are set to the IP addresses you assigned before on the VLAN interfaces.
Lastly we'll spin up the DHCP server instances on the VLAN interfaces, using the pools you set up earlier:
```
/ip dhcp-server
add address-pool=HR disabled=no interface="VLAN 100 - HR" name=HR
add address-pool=Accounting disabled=no interface="VLAN 150 - Accounting" name=Accounting
add address-pool=Guests disabled=no interface="VLAN 175 - Guests" name=Guests
```
The pools correspond with the networks set up previously, and that's how the DHCP options like gateway and DNS are associated with a particular DHCP instance. I like spinning up a separate DHCP server for each VLAN, so you can control lease times, options, etc. individually for each network segment. This gives you a lot of flexibility to tweak and monitor DHCP across the organization.
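The five command groups above (VLAN interfaces, gateway addresses, pools, DHCP networks, DHCP servers) all have to agree with each other: the gateway must sit inside the network, the pool must not include the gateway, and no two VLANs may overlap. The script below is an added example, not the blog's own tooling: it generates the whole command set from one design table so those values can't drift apart, and it refuses to emit anything when the table is inconsistent. The VLAN table mirrors the post's three VLANs; the trunk port name, the first-host-as-gateway convention and the `validate_plan` / `render_vlan_config` helper names are assumptions for the example.

```python
"""Generate and sanity-check a RouterOS VLAN / address / DHCP configuration.
Added example, not the blog's own script: the VLAN table mirrors the post's
values; everything else is an assumption for illustration."""
import ipaddress

# Constructed design table, one row per VLAN (same values as the post).
VLAN_PLAN = [
    {"name": "HR",         "vlan_id": 100, "network": "192.168.100.0/24"},
    {"name": "Accounting", "vlan_id": 150, "network": "192.168.150.0/24"},
    {"name": "Guests",     "vlan_id": 175, "network": "192.168.175.0/24"},
]
TRUNK_PORT = "ether2"            # the "router on a stick" trunk from the post
DNS_SERVERS = "8.8.8.8,8.8.4.4"  # Google Public DNS, as in the post


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen_ids, seen_names, nets = set(), set(), []
    for row in plan:
        vid, name = row["vlan_id"], row["name"]
        if not 1 <= vid <= 4094:          # 0 and 4095 are reserved by 802.1Q
            problems.append(f"{name}: VLAN id {vid} out of range")
        if vid in seen_ids:
            problems.append(f"{name}: duplicate VLAN id {vid}")
        seen_ids.add(vid)
        if name in seen_names:
            problems.append(f"duplicate VLAN name {name}")
        seen_names.add(name)
        try:
            net = ipaddress.ip_network(row["network"], strict=True)
        except ValueError as exc:
            problems.append(f"{name}: bad network {row['network']} ({exc})")
            continue
        if net.prefixlen > 30:
            problems.append(f"{name}: {net} too small for a gateway plus a pool")
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} {other}")
        nets.append((name, net))
    return problems


def derive(row):
    """Gateway is the first host, the pool is every host after it (as in the post)."""
    net = ipaddress.ip_network(row["network"])
    hosts = list(net.hosts())
    iface = f"VLAN {row['vlan_id']} - {row['name']}"
    return net, hosts[0], hosts[1], hosts[-1], iface


def render_vlan_config(plan, trunk=TRUNK_PORT, dns=DNS_SERVERS):
    """Emit the five RouterOS command groups in the order the post applies them."""
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    vlans, addrs, pools, dnets, servers = [], [], [], [], []
    for row in plan:
        net, gw, p0, p1, iface = derive(row)
        n = row["name"]   # assumed to be a single token, as in the post
        vlans.append(f'add comment="{n}" interface={trunk} name="{iface}" vlan-id={row["vlan_id"]}')
        addrs.append(f'add address={gw}/{net.prefixlen} comment="{n} Gateway" interface="{iface}"')
        pools.append(f"add name={n} ranges={p0}-{p1}")
        dnets.append(f'add address={net} comment="{n} Network" dns-server={dns} gateway={gw}')
        servers.append(f'add address-pool={n} disabled=no interface="{iface}" name={n}')
    sections = [("/interface vlan", vlans), ("/ip address", addrs), ("/ip pool", pools),
                ("/ip dhcp-server network", dnets), ("/ip dhcp-server", servers)]
    return "\n".join(head + "\n" + "\n".join(lines) for head, lines in sections)


if __name__ == "__main__":
    print(render_vlan_config(VLAN_PLAN))
```

Run it and paste the output into a RouterOS terminal in one go (after scheduling the outage the post warns about). Adding a fourth row that reuses VLAN id 100 or carves a /25 out of the HR range makes `validate_plan` report both problems instead of producing a half-broken config.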
Switch VLAN Configuration
At this point you'll need to assign access ports on your switches to specific VLANs, and the clients that are plugged into those should pull DHCP addresses from the Mikrotik and live happily inside their respective VLANs. It's up to you now to decide which VLANs should be able to talk to each other, and implement those accept rules in the firewall's forward chain. As a rule I like to only allow the traffic forwarded between VLANs that is absolutely necessary. Allowing all traffic between VLANs bypasses the security of segmenting your network in the first place.
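The "only what is absolutely necessary" rule is easiest to keep when the forward chain is generated from an explicit allow-list rather than edited rule by rule. The following is an added example, not from the post: it builds a default-deny inter-VLAN policy for the three VLAN interfaces above (return traffic via established/related, named VLAN-to-VLAN exceptions, every VLAN allowed out to the WAN on ether1, everything else dropped), renders it as RouterOS `/ip firewall filter` commands, and includes a small first-match evaluator so the policy can be checked offline before it is applied. The HR-to-Accounting exception, the `VLANS` interface list name and the evaluator itself are assumptions for the example; the evaluator models only the matchers the generated rules use.

```python
"""Default-deny inter-VLAN forward policy for RouterOS, with an offline check.
Added example, not the post's own config: interface names match the post,
the policy table, list name and the rule evaluator are assumptions."""

WAN = "ether1"
VLAN_IFACES = ["VLAN 100 - HR", "VLAN 150 - Accounting", "VLAN 175 - Guests"]

# Constructed policy: which VLAN may *initiate* connections to which other VLAN.
# Anything not listed is dropped; replies ride on the established,related rule.
ALLOWED_INITIATIONS = {
    ("VLAN 100 - HR", "VLAN 150 - Accounting"),   # assumed business need
}
INTERNET_ALLOWED = set(VLAN_IFACES)               # all three VLANs may reach the WAN


def build_rules(vlans=VLAN_IFACES, wan=WAN, allowed=ALLOWED_INITIATIONS,
                internet=INTERNET_ALLOWED):
    """Return the ordered forward chain as (matcher dict, action) tuples."""
    rules = [({"connection-state": "established,related"}, "accept"),
             ({"connection-state": "invalid"}, "drop")]
    for src, dst in sorted(allowed):                       # explicit exceptions
        rules.append(({"in-interface": src, "out-interface": dst}, "accept"))
    for v in vlans:                                        # VLAN -> Internet
        if v in internet:
            rules.append(({"in-interface": v, "out-interface": wan}, "accept"))
    rules.append(({"in-interface": wan}, "drop"))          # no new flows from the WAN
    rules.append(({"in-interface-list": "VLANS"}, "drop")) # catch-all between VLANs
    return rules


def render_firewall(rules, vlans=VLAN_IFACES):
    """Emit RouterOS commands: the interface list used by the catch-all, then the filter."""
    out = ["/interface list", "add name=VLANS", "/interface list member"]
    out += [f'add list=VLANS interface="{v}"' for v in vlans]
    out.append("/ip firewall filter")
    for match, action in rules:
        args = " ".join(f'{k}="{v}"' if " " in v else f"{k}={v}" for k, v in match.items())
        out.append(f"add chain=forward {args} action={action}")
    return "\n".join(out)


def evaluate(rules, in_iface, out_iface, state="new", vlans=VLAN_IFACES):
    """First-match walk of the generated chain for one flow; returns the action.
    Simplified model (assumption): only the matchers build_rules emits are handled."""
    for match, action in rules:
        matched = True
        for key, value in match.items():
            if key == "connection-state":
                matched = state in value.split(",")
            elif key == "in-interface":
                matched = in_iface == value
            elif key == "out-interface":
                matched = out_iface == value
            elif key == "in-interface-list":
                matched = in_iface in vlans
            if not matched:
                break
        if matched:
            return action
    return "accept"   # RouterOS accepts when no filter rule matches


if __name__ == "__main__":
    chain = build_rules()
    print(render_firewall(chain))
    for src, dst in [("VLAN 175 - Guests", "VLAN 100 - HR"),
                     ("VLAN 100 - HR", "VLAN 150 - Accounting"),
                     ("VLAN 175 - Guests", WAN)]:
        print(f"{src} -> {dst}: {evaluate(chain, src, dst)}")
```

The evaluator is what makes the allow-list reviewable: before touching the router you can assert that Guests cannot start a connection to HR, that Accounting's replies to HR still flow, and that a new flow arriving from the WAN is dropped. Rule order matters in RouterOS exactly as it does in `evaluate`, so keep the established/related rule first and the catch-all drop last when pasting the output.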