Creating VLANs on Mikrotik
First, create the VLANs on the Mikrotik router, and assign them to the ether2 interface. Doing this step will automatically set 802.1q trunking on the ether2 interface, and will take down the link for normal untagged traffic. This will create an outage until the rest of the steps are complete, you have been warned.
add comment="Home" interface=ether2 name="VLAN 100 - HR" vlan-id=100
add comment="VideoCam" interface=ether2 name="VLAN 150 - VideoCam" vlan-id=150
add comment="Raspberry" interface=ether2 name="VLAN 175 - Raspberry" vlan-id=175
I've taken the time to name the VLAN interfaces and give them a useful comment, and I suggest you do the same. This will make administering VLANs and onboarding new administrators easier. As mentioned earlier, creating the VLANs and assigning them to the physical ether2 interface automatically changed encapsulation to 802.1q, even though you won't see that if you print the interface details. This is one of those non-intuitive things mentioned before.
Addressing VLAN Interfaces
Next we'll put IP addresses on the VLAN interfaces so they can function as gateways:
add address=192.168.100.1/24 comment="Home Gateway" interface="VLAN 100 - HR"
add address=192.168.150.1/24 comment="VideoCam Gateway" interface="VLAN 150 - VideoCam"
add address=192.168.175.1/24 comment="Raspberry Gateway" interface="VLAN 175 - Raspberry"
Again, I took the time to add comments and you should as well. At this point we have our VLANs, and they have usable addresses. If you're using static IP addressing on your network that's pretty much it for VLAN configurations. The next (optional) steps are setting up DHCP instances on the VLAN interfaces, so that clients inside each network segment can get dynamic addresses. First, create the address pools that DHCP will hand out:
DHCP for VLAN Networks
First set up IP address pools for each VLAN:
add name=Home ranges=192.168.100.2-192.168.100.254
add name=VideoCam ranges=192.168.150.2-192.168.150.254
add name=Raspberry ranges=192.168.175.2-192.168.175.254
Next, set up the DHCP networks with options for DNS (Google public servers) and the gateways:
/ip dhcp-server network
add address=192.168.100.0/24 comment="HR Network" dns-server=188.8.131.52,184.108.40.206 gateway=192.168.100.1
add address=192.168.150.0/24 comment="VideoCam Network" dns-server=220.127.116.11,18.104.22.168 gateway=192.168.150.1
add address=192.168.175.0/24 comment="Guest Network" dns-server=22.214.171.124,126.96.36.199 gateway=192.168.175.1
In this case I'm using Google's Public DNS service, and the internal gateways are set to the IP addresses you assigned before on the VLAN interfaces.
Lastly we'll spin up the DHCP server instances on the VLAN interfaces, using the pools you set up earlier:
add address-pool=HR disabled=no interface="VLAN 100 - HR" name=HR
add address-pool=VideoCam disabled=no interface="VLAN 150 - VideoCam" name=VideoCam
add address-pool=Raspberry disabled=no interface="VLAN 175 - Raspberry" name=Raspberry
The pools correspond with the networks set up previously, and that's how the DHCP options like gateway and DNS are associated with a particular DHCP instance. I like spinning up DHCP for each VLAN, so you can control lease times, options, etc individually for each network segment. This gives you a lot of flexibility to tweak and monitor DHCP across the organization.
Switch VLAN Configuration
At this point you'll need to assign access ports on your switches to specific VLANs, and the clients that are plugged into those should pull DHCP addresses from the Mikrotik and live happily inside their respective VLANs. It's up to you now to decide what VLANs should be able to talk to each other, and implement those Forward - Accept rules in the firewall. As a rule I like to only allow traffic forwarded to VLANs that is absolutely necessary. Allowing all traffic between VLANs bypasses the security of segmenting your network in the first place.
Original info Author: