A Mikrotik router, thanks to its RouterOS operating system, offers much more advanced network functionalities than your internet box (the router generally provided by your internet provider). For example, it can offer the possibility of interconnecting networks through VPN tunnels (with wireguard or openvpn) or even offer dynamic routing functionalities (with ospf or bgp).
The idea of this lab will be to interconnect one or more LXC containers running on an Ubuntu machine to a Mikrotik router via a virtual private network transported over the home LAN. The use of a VLAN will ensure isolation between the home network and the lab network while remaining at level 2 of the OSI model, which is practical for ensuring the transparent operation of protocols such as DHCP.
This guide will guide you through the process of configuring the different equipment while allowing you to validate each step.
Lab Topology Link to heading
- Objective: LXD container gets an IP from the Mikrotik DHCP server over VLAN20.
1. Linux Host (Ubuntu + LXD) Configuration Link to heading
Since version 18.04, Ubuntu uses Netplan for network configuration, which allows for unified configuration management, whether you use NetworkManager or systemd-networkd.
Step 1: Create a VLAN interface on Ubuntu Link to heading
# /etc/netplan/01-vlan.yaml
network:
version: 2
ethernets:
eno1:
dhcp4: no
vlans:
vlan20:
id: 20
link: eno1
dhcp4: no
Apply the configuration:
sudo netplan apply
Step 2: Create LXD bridge on VLAN Link to heading
sudo lxc network create lxdbr0 vlan20 parent=vlan20
sudo lxc network attach-profile lxdbr0 default eth0
Step 3: Validate VLAN tagging Link to heading
# Check VLAN interface is up
ip link show vlan20
# Monitor outgoing VLAN 20 traffic
sudo tcpdump -i vlan20 -nn
2. Mikrotik Router Configuration Link to heading
Step 1: Create VLAN interface Link to heading
/interface vlan
add name=vlan-lab interface=bridge-wan vlan-id=20
Step 2: Attach VLAN to lab bridge Link to heading
/interface bridge port
add bridge=bridge-lab interface=vlan-lab
Step 3: Verify bridge status Link to heading
/interface bridge print detail
bridge-labshould havevlan-filtering=no(simpler test setup).vlan-labmight still showI(inactive) — this is normal until traffic passes.
Step 4: Enable VLAN interface Link to heading
/interface vlan disable vlan-lab
/interface vlan enable vlan-lab
- Confirm
vlan-labnow showsR(running):
/interface print
Step 5: Setup DHCP server on bridge-lab Link to heading
/ip pool add name=lab_pool ranges=192.168.100.10-192.168.100.200
/ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1
/ip dhcp-server add name=lab_dhcp interface=bridge-lab address-pool=lab_pool disabled=no
3. Switch Configuration Link to heading
Set VLAN mode = trunk on all ports connecting the LXD host and Mikrotik.
Enable ingress filtering if available.
Ensure VLAN 20 is allowed on trunk ports.
Verify MAC addresses of containers appear on VLAN 20 on the switch (dynamic MAC table).
4. Validation Steps Link to heading
Step 1: Check traffic on MikroTik Link to heading
/tool sniffer quick interface=bridge-wan vlan-id=20
- Should see DHCP Discover from LXD container.
Step 2: Check traffic on lab bridge Link to heading
/tool sniffer quick interface=bridge-lab port=67,68
- Should see DHCP Offers/ACKs from MikroTik server.
Step 3: Check container IP Link to heading
lxc exec test -- ip a
- Confirm container received an IP in the DHCP range (e.g., 192.168.100.10-200).
5. Optional: Production VLAN Filtering Link to heading
For more strict VLAN enforcement:
/interface bridge vlan
add bridge=bridge-lab tagged=bridge-wan vlan-ids=20
/interface bridge set bridge-lab vlan-filtering=yes
Ensures only VLAN20 traffic flows between bridge-wan and bridge-lab.
VLAN interfaces remain active without manual toggling.
✅ Conclusion Link to heading
VLAN 20 traffic is successfully bridged from LXD containers to the MikroTik lab network.
DHCP works seamlessly over the VLAN.
LXD containers can now fully participate in the lab network, isolated by VLAN.