ISP VLAN Network Design: Segmentation & Traffic Isolation with MikroTik
Running all your ISP traffic on a flat network is a recipe for broadcast storms, security holes, and management chaos. This guide covers VLAN-based network design for ISPs — separating subscriber traffic, management, OLT signalling, and server networks with MikroTik.
Why VLANs Are Essential for ISPs
A flat Layer 2 network with no VLAN segmentation works for 20 subscribers. Beyond that, you will face: massive broadcast domains slowing everything down, subscribers discovering each other's devices, management traffic exposed to subscriber networks, and no way to apply per-segment policies.
VLANs create virtual network segments that isolate traffic at Layer 2. Think of them as invisible walls between different types of traffic on your network.
Recommended VLAN Architecture for ISPs
Here is a proven VLAN layout used by ISPs of all sizes:
| VLAN ID | Name | Purpose | Subnet |
|---|---|---|---|
| 1 | Native | Default (avoid using) | N/A |
| 10 | Management | Router, switch, OLT management | 10.10.0.0/24 |
| 20 | Servers | RADIUS, DNS, ISPbills, monitoring | 10.20.0.0/24 |
| 100-199 | Subscribers | PPPoE subscriber VLANs per POP | 10.100.x.0/24 |
| 200 | OLT-Mgmt | OLT management and provisioning | 10.200.0.0/24 |
| 300 | VoIP | Voice traffic (if applicable) | 10.30.0.0/24 |
| 999 | Guest/Quarantine | Isolated segment for testing | 192.168.99.0/24 |
Configuring VLANs on MikroTik
Create VLAN interfaces on your core router and assign IP addresses for inter-VLAN routing:
```
# Create VLAN interfaces on the trunk port
/interface vlan
add name=vlan10-mgmt vlan-id=10 interface=ether1-trunk
add name=vlan20-servers vlan-id=20 interface=ether1-trunk
add name=vlan100-subs vlan-id=100 interface=ether1-trunk
add name=vlan200-olt vlan-id=200 interface=ether1-trunk

# Assign gateway IPs
/ip address
add address=10.10.0.1/24 interface=vlan10-mgmt
add address=10.20.0.1/24 interface=vlan20-servers
add address=10.100.0.1/24 interface=vlan100-subs
add address=10.200.0.1/24 interface=vlan200-olt
```
Inter-VLAN Routing and Access Control
Not all VLANs should be able to talk to each other. Use firewall rules to control inter-VLAN traffic:
```
/ip firewall filter
# Allow replies to connections that were already permitted; without this,
# return traffic from subscribers to the management VLAN hits the drop rules below
add chain=forward connection-state=established,related action=accept comment="VLAN: Return traffic"

# Allow management VLAN to reach everything
add chain=forward src-address=10.10.0.0/24 action=accept comment="VLAN: Mgmt → All"

# Allow servers to reach subscriber VLANs (for RADIUS, DNS)
add chain=forward src-address=10.20.0.0/24 dst-address=10.100.0.0/16 action=accept comment="VLAN: Servers → Subscribers"

# Block subscribers from management and OLT VLANs
add chain=forward src-address=10.100.0.0/16 dst-address=10.10.0.0/24 action=drop comment="VLAN: Block Subs → Mgmt"
add chain=forward src-address=10.100.0.0/16 dst-address=10.200.0.0/24 action=drop comment="VLAN: Block Subs → OLT"

# Block subscriber-to-subscriber cross-VLAN
add chain=forward src-address=10.100.0.0/16 dst-address=10.100.0.0/16 action=drop comment="VLAN: Block Sub ↔ Sub"
```
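The script below is an added example, not part of the original guide or of ISPbills: it replays the address-based forward rules above with first-match semantics for a new connection between each pair of the four VLANs configured on the router, and lists the pairs that no rule covers. The host addresses are constructed, the function names are hypothetical, and it assumes the RouterOS default of accepting a packet that matches no filter rule; interfaces, ports and connection state are not modelled.

```python
import ipaddress
import shlex

# The address-based forward rules from this guide, in order (comments in ASCII).
RULES = """
add chain=forward src-address=10.10.0.0/24 action=accept comment="Mgmt -> All"
add chain=forward src-address=10.20.0.0/24 dst-address=10.100.0.0/16 action=accept comment="Servers -> Subs"
add chain=forward src-address=10.100.0.0/16 dst-address=10.10.0.0/24 action=drop comment="Block Subs -> Mgmt"
add chain=forward src-address=10.100.0.0/16 dst-address=10.200.0.0/24 action=drop comment="Block Subs -> OLT"
add chain=forward src-address=10.100.0.0/16 dst-address=10.100.0.0/16 action=drop comment="Block Sub <-> Sub"
"""

# Constructed sample hosts inside the subnets the router config above assigns.
HOSTS = {"mgmt": "10.10.0.5", "servers": "10.20.0.5", "subs-a": "10.100.1.5",
         "subs-b": "10.100.2.5", "olt": "10.200.0.5"}

ANY = ipaddress.ip_network("0.0.0.0/0")  # used when a rule omits src/dst

def parse_rules(text):
    """Parse 'add key=value ...' lines into dicts holding network objects."""
    rules = []
    for line in text.strip().splitlines():
        kv = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        rules.append({
            "src": ipaddress.ip_network(kv["src-address"]) if "src-address" in kv else ANY,
            "dst": ipaddress.ip_network(kv["dst-address"]) if "dst-address" in kv else ANY,
            "action": kv["action"], "comment": kv.get("comment", ""),
        })
    return rules

def verdict(rules, src, dst):
    """First matching rule decides; a packet matching no rule is accepted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            return r["action"], r["comment"]
    return "accept", None  # fell through to the chain's default

def audit(rules):
    """Verdict for a new connection between every ordered pair of VLANs."""
    return {(a, b): verdict(rules, HOSTS[a], HOSTS[b])
            for a in HOSTS for b in HOSTS if a != b}

def fell_through(rules):
    """VLAN pairs that no rule covers, so they are forwarded by default."""
    return sorted(p for p, (_, why) in audit(rules).items() if why is None)

if __name__ == "__main__":
    for (a, b), (action, why) in audit(parse_rules(RULES)).items():
        print(f"{a:>8} -> {b:<8} {action:<6} {why or 'NO RULE (default accept)'}")
```

Pairs reported by `fell_through`, such as OLT to management or subscribers to servers, are forwarded only because nothing matched; decide for each one whether it needs an explicit accept or drop rule.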
VLAN Configuration on Managed Switches
Your managed switches connect OLTs, access points, and servers. Configure trunk and access ports appropriately:
- Trunk ports — carry multiple VLANs tagged (uplinks between switches and router)
- Access ports — carry a single VLAN untagged (device-facing ports)
- OLT uplink — trunk with subscriber VLAN(s) + OLT management VLAN
- Server ports — access port on VLAN 20 (or trunk if server needs multiple VLANs)
- Management port — access port on VLAN 10
How ISPbills Fits Into a VLAN Architecture
ISPbills sits on the server VLAN (VLAN 20) and communicates with:
- MikroTik routers via API (port 8728/8729) on the management VLAN
- RADIUS on the server VLAN for subscriber authentication
- OLTs via SNMP/SSH on the OLT management VLAN
- Subscribers indirectly through RADIUS and router API for provisioning, suspension, and monitoring