MikroTik VLANs Are Six Commands from the CLI
Replaced two daisy-chained 1G Netgear switches with a MikroTik CRS309 for 10G. The CLI made the entire VLAN setup six commands.
I recently picked up a MikroTik CRS309-1G-8S+ for 10G switching between my Proxmox nodes, NAS, and OPNsense box. Eight SFP+ ports, hardware-offloaded switching, RouterOS.
This replaced two Netgear 1G switches (an 8-port and a 5-port) I'd daisy-chained together, so it was a jump from 1G to 10G for the whole homelab.
Should be straightforward. Well, it was, once I stopped fighting the GUI.
The WebFig GUI is powerful and can do quite a lot, and that's probably the problem. VLAN configuration throws you into bridge ports, VLAN tables, and filtering toggles spread across multiple tabs with no obvious order of operations. After an hour of clicking around I went looking at MikroTik's own wiki docs for VLANs, and even those use CLI commands in their examples. That was the hint. I SSH'd in instead.
After that things started to make sense. RouterOS has a hierarchical CLI that maps directly to the config structure. /interface/bridge/vlan is exactly where VLAN entries live, /interface/bridge/port is where port settings go. Tab completion and ? show you what's available at every level.
The whole VLAN setup, start to finish, was this:
/interface/bridge/port remove [find interface=ether1]
/interface/bridge/vlan add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus8 untagged=sfp-sfpplus5 vlan-ids=10
/interface/bridge/vlan add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus8 vlan-ids=30
/interface/bridge/vlan add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus8 vlan-ids=50
/interface/bridge/port set [find interface=sfp-sfpplus5] pvid=10 frame-types=admit-only-untagged-and-priority-tagged
/interface/bridge set bridge vlan-filtering=yes
That's it. Three VLANs (10, 30, 50) trunked across five ports (each Proxmox host runs VMs on different VLANs, so trunking all three over one SFP+ link beats wasting a NIC per VLAN), one access port for the AP on VLAN 10, and VLAN filtering enabled.
The first command pulls ether1 out of the bridge to keep a dedicated management interface. Misconfigure VLANs and you can still get back in through the management port.
The order matters here. You define the VLAN entries before enabling filtering. If you flip vlan-filtering=yes first, the bridge starts enforcing rules against an empty VLAN table and every port goes dead. Not a fun way to learn that lesson (though the management port would save you).
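The ordering rule above, as an added example (not from the original post or from MikroTik): a small Python check over a pasted command list that flags vlan-filtering=yes appearing before any VLAN entry exists, and a port that is listed as untagged in one VLAN but given a different pvid. The parsing is a simplified assumption that only covers the command forms used in this post.

```python
import re

# The six commands from this post, in the order given above.
SAMPLE = """\
/interface/bridge/port remove [find interface=ether1]
/interface/bridge/vlan add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus8 untagged=sfp-sfpplus5 vlan-ids=10
/interface/bridge/vlan add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus8 vlan-ids=30
/interface/bridge/vlan add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus8 vlan-ids=50
/interface/bridge/port set [find interface=sfp-sfpplus5] pvid=10 frame-types=admit-only-untagged-and-priority-tagged
/interface/bridge set bridge vlan-filtering=yes
"""

def params(line):
    """Return the key=value pairs on one RouterOS command line."""
    return dict(re.findall(r"([\w-]+)=([^\s\]]+)", line))

def lint(script):
    """Return findings for the ordering and access-port checks; [] means clean."""
    findings, untagged, pvids = [], {}, {}
    vlan_entries = 0
    for n, line in enumerate(script.strip().splitlines(), 1):
        line, p = line.strip(), params(line)
        if line.startswith("/interface/bridge/vlan add"):
            vlan_entries += 1
            for port in filter(None, p.get("untagged", "").split(",")):
                untagged.setdefault(port, set()).add(p["vlan-ids"])
        elif line.startswith("/interface/bridge/port set") and "pvid" in p:
            pvids[p["interface"]] = (n, p["pvid"])
        elif line.startswith("/interface/bridge set") and p.get("vlan-filtering") == "yes":
            if vlan_entries == 0:
                findings.append(f"line {n}: vlan-filtering=yes before any VLAN entry exists")
    # A port listed as untagged in one VLAN but given a different PVID would
    # receive untagged frames into one VLAN and send them out from another.
    for port, (n, pvid) in pvids.items():
        if port in untagged and pvid not in untagged[port]:
            findings.append(f"line {n}: {port} pvid={pvid} does not match its untagged VLAN entry")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE) or "ordering and PVIDs are consistent")
```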
I also disabled the two spare ports (to be used for LAGG experiments later) since they still have a default PVID of 1 even with no VLAN membership:
/interface/bridge/port remove [find interface=sfp-sfpplus6]
/interface/bridge/port remove [find interface=sfp-sfpplus7]
/interface disable sfp-sfpplus6
/interface disable sfp-sfpplus7
After cabling everything up, here is a quick iperf3 between one of the Proxmox nodes and the NAS:
$ iperf3 -c 192.168.50.43
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 10.9 GBytes 9.38 Gbits/sec 0 sender
[ 5] 0.00-10.00 sec 10.9 GBytes 9.38 Gbits/sec receiver
9.38 Gbits/sec, zero retransmits. About as good as 10G gets. The H flag on /interface/bridge/port print confirms hardware offload is active: the switch ASIC forwards at full line rate without touching the CPU.
I will admit coming from two 1G Netgear switches, seeing that number for the first time was pretty satisfying.
A few RouterOS CLI quirks worth knowing: there's no ls, you use print (or print detail for all properties). .. goes up one level, / goes to root. [find ...] locates items by property rather than index number, so your commands survive reordering. /export dumps the current section as re-pasteable commands, which is how I built these notes.
The MikroTik SSH experience turned out to be genuinely enjoyable compared to the Netgear web UIs (or WebFig too) where VLAN config meant several pages of dropdowns and hoping the apply button actually saved. The config hierarchy makes sense, the commands read clearly, and you can get a full VLAN setup done in under five minutes once you know the pattern.