DHCP in VLAN not working for virtual wireless interface

Hi all,

I followed the VLAN guide and the ethernet ports are working, with a HOME VLAN, a WORK VLAN and a GUEST VLAN. I have a dynamic PPPoE connection and also followed the firewall guide. The problem is that the virtual wireless interfaces I created and associated with the VLANs are not handing out IP addresses via DHCP. This is my configuration:

# RouterOS 7.13 export with secrets hidden. This first part covers the bridge,
# the two radios, the routed VLAN interfaces, the PPPoE uplink, interface lists,
# wireless security profiles, the virtual APs, IP pools, DHCP servers, serial
# ports and the remote-syslog actions.
/export hide-sensitive
# 2024-01-27 06:27:30 by RouterOS 7.13
# software id = 65AU-E2NI
#
# model = RB4011iGS+5HacQ2HnD
# serial number =
/interface bridge
# One VLAN-aware bridge: with vlan-filtering=yes the "/interface bridge vlan"
# table further down decides which ports carry which VLAN.
add admin-mac=DC:2C:6E:13:F3:B3 auto-mac=no comment=defconf igmp-snooping=yes igmp-version=3 mld-version=2 name=bridge port-cost-mode=short \
    vlan-filtering=yes
/interface wireless
# Physical radios. wlan1 explicitly disables WPS; wlan2 leaves wps-mode at its
# default — NOTE(review): confirm WPS is also off on wlan2.
set [ find default-name=wlan1 ] band=5ghz-onlyac country=brazil disabled=no distance=indoors frequency=5200 frequency-mode=superchannel mode=ap-bridge \
    ssid=loveandrockets wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n channel-width=20/40mhz-XX country=brazil disabled=no distance=indoors frequency=2447 frequency-mode=\
    superchannel mode=ap-bridge ssid=loveandrockets wireless-protocol=802.11
/interface wireless nstreme
set wlan1 disable-csma=yes
/interface vlan
# Routed (layer-3) VLAN interfaces on top of the bridge. The per-VLAN IP
# addresses and DHCP servers below bind to these names, so firewall rules see
# VLAN client traffic with in-interface=guest_vlan/home_vlan/work_vlan, not
# in-interface=bridge.
add interface=bridge name=guest_vlan vlan-id=30
add interface=bridge name=home_vlan vlan-id=10
add interface=bridge name=work_vlan vlan-id=20
/interface pppoe-client
# WAN uplink on ether1; installs the default route and adds the ISP resolvers
# (use-peer-dns=yes) next to the static DNS servers configured further down.
add add-default-route=yes disabled=no interface=ether1 max-mtu=1500 name=pppoe-out1 use-peer-dns=yes user=cliente@cliente
/interface list
# WAN and LAN are the defconf lists the firewall is built around; VLAN is a
# custom list that only the "Allow VLAN" filter rule references.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
# WPA2-PSK everywhere; guest and work SSIDs get their own profiles, i.e. their
# own pre-shared keys, separate from the default profile used by wlan1/wlan2.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=work supplicant-identity=MikroTik
/interface wireless
# Virtual AP for the guest SSID on wlan1. vlan-mode=use-tag makes this
# interface hand VLAN-30-tagged frames to the bridge; NOTE(review): the bridge
# port entry for wlan3 below is an untagged access port (pvid=30, admits only
# untagged frames), which looks contradictory — confirm which one is intended.
add disabled=no mac-address=DE:2C:6E:13:F3:BD master-interface=wlan1 name=wlan3 security-profile=guest ssid=maggie vlan-id=30 vlan-mode=use-tag \
    wds-default-bridge=bridge wps-mode=disabled
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
# Only dhcp, work_pool, guest_pool and home_pool are referenced by a DHCP server
# below. dhcp-guest-pool (192.168.10.x, which is not the guest subnet) and
# dhcp-pool-work (same range as work_pool) are unused leftovers.
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp-guest-pool ranges=192.168.10.100-192.168.10.200
add name=dhcp-pool-work ranges=192.168.20.2-192.168.20.254
add name=work_pool ranges=192.168.20.2-192.168.20.254
add name=guest_pool ranges=192.168.30.2-192.168.30.254
add name=home_pool ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
# One DHCP server per network. The defconf server listens on the bridge itself
# (the 192.168.1.0/24 network), the other three on the routed VLAN interfaces.
add address-pool=dhcp always-broadcast=yes interface=bridge lease-time=1h5m name=defconf server-address=192.168.1.1
add address-pool=work_pool interface=work_vlan name=work_dhcp server-address=192.168.20.1
add address-pool=guest_pool interface=guest_vlan name=guest_dhcp server-address=192.168.30.1
add address-pool=home_pool interface=home_vlan name=home_dhcp
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
# Remote logging to 192.168.1.2 over plain BSD syslog (unencrypted UDP).
set 3 bsd-syslog=yes remote=192.168.1.2 src-address=192.168.1.1 syslog-severity=info
add bsd-syslog=yes name=browsinglog remote=192.168.1.2 src-address=192.168.1.1 syslog-severity=info target=remote
add bsd-syslog=yes name=nas remote=192.168.1.2 src-address=192.168.1.1 syslog-facility=syslog syslog-severity=info target=remote
/interface wireless
# Virtual AP for the work SSID on wlan2, same use-tag setup as wlan3.
# wds-default-bridge=*1E appears to reference an interface that no longer
# exists (the export prints unresolved references as "*" ids).
add disabled=no mac-address=DE:2C:6E:13:F3:BE master-interface=wlan2 name=wlan4 security-profile=work ssid=workshop vlan-id=20 vlan-mode=use-tag \
    wds-default-bridge=*1E wps-mode=disabled
/interface bridge filter
# These four drop rules reference bridge ports *16 and *17 that no longer exist
# (the export itself marks them "no interface"), so they never match anything
# and should be deleted.
# no interface
add action=drop chain=forward in-interface=*16
# no interface
add action=drop chain=forward out-interface=*16
# no interface
add action=drop chain=forward in-interface=*17
# no interface
add action=drop chain=forward out-interface=*17
/interface bridge port
# Access ports: ether3 is untagged VLAN 20 (work) and ether7 untagged VLAN 30
# (guest). Every other port has no pvid set and so stays on the bridge's
# default VLAN, which is where the 192.168.1.0/24 network lives. No port at all
# is placed in VLAN 10, so home_vlan currently has no clients.
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7 internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wlan2 internal-path-cost=10 path-cost=10
# The virtual APs are added as untagged access ports (pvid 20 / 30) while the
# wireless entries for wlan3/wlan4 use vlan-mode=use-tag — NOTE(review): a port
# that admits only untagged frames will not accept the tagged frames use-tag
# produces; pick one model (no-tag + pvid, or use-tag + tagged membership).
add bridge=bridge comment=work frame-types=admit-only-untagged-and-priority-tagged interface=wlan4 pvid=20
add bridge=bridge comment=guest frame-types=admit-only-untagged-and-priority-tagged interface=wlan3 pvid=30
/interface bridge settings
# Bridged (layer-2) traffic is also pushed through the /ip firewall chains.
set use-ip-firewall=yes
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is not announced on any interface.
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ipv6 settings
# IPv6 is globally off, so every /ipv6 section below is dormant.
set disable-ipv6=yes
/interface bridge vlan
# VLANs 10 and 20 reach the CPU (tagged on "bridge") but are not tagged on any
# physical port; VLAN 30 lists wlan3 as an untagged member, consistent with the
# pvid=30 port entry but not with vlan-mode=use-tag on the wireless side.
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge untagged=wlan3 vlan-ids=30
/interface list member
# LAN contains only "bridge" plus two references to deleted interfaces (*1B,
# *1E); the three routed VLAN interfaces are in the custom VLAN list only.
# Every rule keyed on in-interface-list=LAN — the input-chain "drop all not
# coming from LAN", and the raw "accept DHCP discover" / "accept everything
# else from LAN" rules — therefore does not match traffic arriving on
# home_vlan, work_vlan or guest_vlan. Adding those three interfaces to LAN
# (they can stay in VLAN too) is the smallest change that makes the defconf
# firewall treat them as inside networks.
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=*1B list=LAN
add interface=*1E list=LAN
add interface=home_vlan list=VLAN
add interface=work_vlan list=VLAN
add interface=guest_vlan list=VLAN

/interface wireless access-list
# Two client MACs are refused on wlan2. MAC-based denial is a weak control on
# its own (a client MAC is trivially changed); the WPA2 PSK is the real gate.
add authentication=no forwarding=no interface=wlan2 mac-address=F8:4D:89:86:44:94
add authentication=no forwarding=no interface=wlan2 mac-address=7C:2A:DB:8D:97:CA
/interface wireless sniffer
set multiple-channels=yes receive-errors=yes
/ip address
# 192.168.10.1/24 and 192.168.20.1/24 are each assigned twice: once to the
# routed VLAN interface and once to a deleted interface (*1B, *1E). Remove the
# stale entries; the same subnet on two interfaces is at best confusing.
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.10.1/24 comment=guest interface=*1B network=192.168.10.0
add address=192.168.20.1/24 comment=work interface=*1E network=192.168.20.0
add address=192.168.20.1/24 interface=work_vlan network=192.168.20.0
add address=192.168.30.1/24 interface=guest_vlan network=192.168.30.0
add address=192.168.10.1/24 interface=home_vlan network=192.168.10.0
/ip cloud
set update-time=no
/ip dhcp-client
# The defconf DHCP client on ether1 is disabled because the uplink is PPPoE.
add comment=defconf disabled=yes interface=ether1

/ip dhcp-server network
# Every VLAN network hands out 192.168.1.2 as DNS server, a host in the
# 192.168.1.0/24 (bridge) network. Guest and work clients therefore need routed
# access to that host, and the forward chain in this export has no rule that
# limits what else in 192.168.1.0/24 they can reach.
add address=192.168.1.0/24 dns-server=192.168.1.2,1.1.1.1 domain=tunguska.cc gateway=192.168.1.1 netmask=24 ntp-server=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.1.2 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.1.2 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.1.2 gateway=192.168.30.1
/ip dns
# The router also answers DNS for clients (allow-remote-requests=yes). It is
# not an open resolver only because the input chain drops everything that is
# not from the LAN list before any accept — keep that ordering.
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=300 max-concurrent-tcp-sessions=100 query-server-timeout=1s query-total-timeout=\
    2s servers=1.1.1.1,1.0.0.1,9.9.9.9

/ip firewall address-list
# GOOGLE_DNS: dropped in the forward chain so clients cannot bypass the local
# resolver. no_forward_ipv4 / bad_ipv4 / not_global_ipv4 / bad_src_ipv4 /
# bad_dst_ipv4: defconf bogon lists consumed by the raw and filter chains.
add address=8.8.8.8 comment="google DNS" list=GOOGLE_DNS
add address=8.8.4.4 comment="google DNS" list=GOOGLE_DNS
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" disabled=yes list=bad_dst_ipv4
# allowed_to_router is not referenced by any filter rule in this export; either
# use it (e.g. as src-address-list on the input accept rules) or drop it.
add address=192.168.1.1-192.168.1.254 list=allowed_to_router
add address=10.0.5.1-10.0.5.254 list=allowed_to_router
# allowed_lan: what the raw chain treats as legitimate LAN source addresses.
add address=192.168.0.0/16 comment="internal networks, including VLANs" list=allowed_lan
/ip firewall filter
# Rules are evaluated top to bottom within a chain; the first match decides.
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Drops every new input packet whose in-interface is not in the LAN list. The
# VLAN interfaces are not in LAN, so DHCP/DNS requests from them die here before
# the "Allow VLAN" accept at the end of this section is ever reached.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=notlan
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Diagnostic rule: accepts and logs every forwarded NTP (udp/123) packet.
add action=accept chain=forward comment="log ntp" dst-port=123 log=yes protocol=udp
add action=drop chain=forward comment="Drop google DNS" dst-address-list=GOOGLE_DNS log=yes log-prefix=googledns
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=fw_invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4 log=yes
# Nothing in the forward chain separates the VLANs from each other or from
# 192.168.1.0/24; with the chain's implicit accept, a guest client can reach
# every other internal network. Add explicit drops (e.g. guest_vlan -> the
# other inside networks) above the fasttrack rule if that is not intended.
add action=drop chain=forward disabled=yes layer7-protocol=reddit
# Accepts *all* input from every VLAN interface, guest included. Placed after
# the "drop all not coming from LAN" rule it never matches; once moved above it,
# consider limiting the guest VLAN to DHCP (udp/67) and DNS (53/tcp+udp) instead
# of every router service.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Forwards tcp/51413 to 192.168.1.2 with no in-interface-list=WAN (or
# dst-address) match, so it also rewrites LAN-originated traffic to that port on
# any destination. Restrict it to the WAN side.
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=192.168.1.2 to-ports=51413
# Hairpin: DNS sent to 192.168.1.8:53 is redirected to 192.168.1.2, with a
# matching srcnat so the reply comes back through the router.
add action=dst-nat chain=dstnat dst-address=192.168.1.8 dst-port=53 protocol=udp to-addresses=192.168.1.2 to-ports=53
add action=masquerade chain=srcnat dst-address=192.168.1.8 protocol=udp src-address=192.168.1.0/24
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
# Only a DHCP DISCOVER arriving on a LAN-list interface is let through here; as
# the lists stand, a DISCOVER arriving on guest_vlan/work_vlan/home_vlan does
# not match and falls through the chain.
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp \
    src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment="accept UPnP" dst-address=239.255.255.250 log=yes log-prefix=unpn-preroute
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4 log=yes log-prefix=bad_ip_bogon
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4 log=yes log-prefix=bad_ip_bogon
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN log=yes log-prefix=global_wan src-address-list=\
    not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address-list=allowed_lan in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN log=yes log-prefix=ip_out_range \
    src-address-list=!allowed_lan
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
# Anything that is in neither the LAN nor the WAN list ends up at "drop the
# rest" and is discarded before the filter chains ever see it. With the lists
# as exported, that includes every packet arriving on the three VLAN interfaces
# (no "notlan" log entry will appear for those, since they never reach the
# filter drop). Putting the VLAN interfaces into LAN fixes this and the
# input-chain drop at once; moving the filter rule alone is not enough.
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# defconf TCP flag sanity chain.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
# defconf ICMP allow-list; echo request/reply are rate-limited.
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
# FTP and PPTP connection-tracking helpers are off (less ALG surface).
set ftp disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
# Disabled static route to 10.0.5.0/24 via a gateway that no longer resolves.
add disabled=yes distance=1 dst-address=10.0.5.0/24 gateway=*10 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
# Management plane: telnet, ftp, www, api and winbox are disabled. SSH runs on
# 2233 and is limited to the bridge, VLAN 10 and VLAN 20 subnets (guest is
# excluded). www-ssl is open to all of 192.168.0.0/16, which includes the guest
# VLAN (192.168.30.0/24) — NOTE(review): narrow it to the management subnets
# unless guests are meant to reach the web UI.
set telnet address=192.168.1.0/24,192.168.88.0/24 disabled=yes
set ftp address=192.168.1.0/24 disabled=yes
set www address=192.168.1.0/24 disabled=yes
set ssh address=192.168.1.0/24,192.168.10.0/24,192.168.20.0/24 port=2233
set www-ssl address=192.168.0.0/16 certificate=tunguska.cc.cer_0 disabled=no tls-version=only-1.2
set api address=192.168.1.0/24 disabled=yes
set winbox address=192.168.1.0/24 disabled=yes
set api-ssl certificate=*1 disabled=yes
/ip smb
set allow-guests=no
/ip ssh
# 4096-bit host key, weak ciphers off, port forwarding allowed for local only.
set forwarding-enabled=local host-key-size=4096 strong-crypto=yes
/ip traffic-flow
# NetFlow v9 export to the same host that receives syslog.
set active-flow-timeout=1m enabled=yes
/ip traffic-flow target
add dst-address=192.168.1.2 v9-template-timeout=1m
/ip upnp
# UPnP is enabled: hosts on the bridge can ask the router to open inbound ports
# without any authentication. NOTE(review): no type=external interface appears
# in this export, so confirm whether it does anything and disable it if nothing
# relies on it.
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
/ipv6 firewall address-list
# defconf IPv6 bogon and allow lists. IPv6 is disabled globally (see
# "/ipv6 settings" above), so all of the /ipv6 sections are inactive until it
# is re-enabled; they are kept here so the defaults are in place when it is.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
# defconf IPv6 filter: input is limited to established/ICMPv6/traceroute/
# DHCPv6-PD/IPsec and otherwise dropped unless from LAN; forward mirrors the
# IPv4 bogon handling.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall raw
# defconf IPv6 raw chain; like the IPv4 one it ends in "drop the rest", so the
# same LAN-list membership caveat would apply to VLAN interfaces if IPv6 were
# turned on.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=\
    ::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=\
    LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=\
    LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=\
    LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 \
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 \
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 \
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
/ipv6 nd
set [ find default=yes ] disabled=yes
/routing pimsm interface-template
# PIM-SM multicast routing is enabled on every LAN-list interface.
add disabled=no instance=*1 interfaces=LAN
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=router.tunguska.cc
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
# The first default logging rule is disabled; firewall, dhcp, info, warning,
# critical, error and pppoe topics go to the "nas" syslog action, ssh to
# "remote". The last rule logs DHCP at packet/debug level to the default
# (local) target — useful while chasing this DHCP problem, noisy to leave on.
set 0 disabled=yes
add action=nas topics=firewall
add action=nas prefix=dhcp topics=dhcp
add action=nas topics=info
add action=nas topics=warning
add action=nas topics=critical
add action=nas topics=error
add action=nas prefix=pppoe topics=pppoe
add action=remote prefix=ssh topics=ssh
add prefix=dhcp-connect topics=debug,dhcp,packet
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=200.189.40.8
/tool bandwidth-server
# Bandwidth-test server off (it is an easy DoS vector when left on).
set enabled=no
/tool mac-server
# MAC-telnet disabled on every interface; MAC-winbox only on LAN-list members.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Any help is appreciated!

Could you mention which guides you followed (VLAN and firewall)?

I don’t like seeing stuff like this:

/interface wireless
# wds-default-bridge=*1E is an unresolved reference to a deleted interface.
add disabled=no mac-address=DE:2C:6E:13:F3:BE master-interface=wlan2 name=wlan4 security-profile=work ssid=workshop vlan-id=20 vlan-mode=use-tag \
    wds-default-bridge=*1E wps-mode=disabled
/interface bridge filter
# All four rules point at bridge ports (*16, *17) that no longer exist.
# no interface
add action=drop chain=forward in-interface=*16
# no interface
add action=drop chain=forward out-interface=*16
# no interface
add action=drop chain=forward in-interface=*17
# no interface
add action=drop chain=forward out-interface=*17

/ip address
# Both addresses are bound to deleted interfaces (*1B, *1E) and duplicate the
# subnets already assigned to home_vlan and work_vlan.
add address=192.168.10.1/24 comment=guest interface=*1B network=192.168.10.0
add address=192.168.20.1/24 comment=work interface=*1E network=192.168.20.0

1. an unresolved interface reference in wds-default-bridge (why use that at all?)
2. bridge filter rules that reference unresolved interfaces
3. IP addresses bound to unresolved interfaces

Clean up those errors first; they are plainly visible in the config export, so they are easy to spot.

I think however your problem is here:

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Matches first: anything not arriving on a LAN-list interface is dropped here,
# and the VLAN interfaces are not in the LAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=notlan
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="log ntp" dst-port=123 log=yes protocol=udp
add action=drop chain=forward comment="Drop google DNS" dst-address-list=GOOGLE_DNS log=yes log-prefix=googledns
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=fw_invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4 log=yes
add action=drop chain=forward disabled=yes layer7-protocol=reddit
# Never reached for VLAN traffic: it sits below the drop rule above.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN

You only accept input from interface-list=VLAN AFTER the "drop all not coming from LAN" rule has already dropped it.
By the way, you should see those packets logged with the notlan prefix in your logs.
This means your DHCP requests (and everything else from the VLANs) never reach your DHCP server; they get dropped.

You should move that last rule before the mentioned drop rule.

As a general recommendation, keep the rules of each chain together for better readability:
input with input, forward with forward, and so on.

Thanks for the info!

These are the guides I followed:

I removed the incorrect configuration items; here is the updated export:

# Second export, after cleanup: bridge filter rules, stale pools and the *1E
# WDS reference are gone; the virtual APs were re-mapped (wlan3 = work,
# wlan4 = guest).
/export hide-sensitive
# 2024-01-27 23:27:48 by RouterOS 7.13
# software id = 65AU-E2NI
#
# model = RB4011iGS+5HacQ2HnD
# serial number =
/interface bridge
# Single VLAN-aware bridge; the "/interface bridge vlan" table governs VLANs.
add admin-mac=DC:2C:6E:13:F3:B3 auto-mac=no comment=defconf igmp-snooping=yes igmp-version=3 mld-version=2 name=bridge port-cost-mode=short \
    vlan-filtering=yes
/interface wireless
# Physical radios; wlan2 still does not set wps-mode explicitly —
# NOTE(review): confirm WPS is off there as well.
set [ find default-name=wlan1 ] band=5ghz-onlyac country=brazil disabled=no distance=indoors frequency=5200 frequency-mode=superchannel mode=ap-bridge \
    ssid=loveandrockets wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n channel-width=20/40mhz-XX country=brazil disabled=no distance=indoors frequency=2447 frequency-mode=\
    superchannel mode=ap-bridge ssid=loveandrockets wireless-protocol=802.11
/interface wireless nstreme
set wlan1 disable-csma=yes
/interface vlan
# Routed VLAN interfaces; firewall rules see VLAN client traffic with these
# names as in-interface, not "bridge".
add interface=bridge name=guest_vlan vlan-id=30
add interface=bridge name=home_vlan vlan-id=10
add interface=bridge name=work_vlan vlan-id=20
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mtu=1500 name=pppoe-out1 use-peer-dns=yes user=cliente@cliente
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
# Separate WPA2 PSKs for the guest and work SSIDs.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=work supplicant-identity=MikroTik
/interface wireless
# Both virtual APs tag their frames (vlan-mode=use-tag) before handing them to
# the bridge. NOTE(review): the matching bridge port entries below still use
# frame-types=admit-only-untagged-and-priority-tagged with a pvid, which would
# discard tagged frames; use either no-tag + pvid/untagged membership, or
# use-tag + frame-types=admit-only-vlan-tagged with tagged membership.
add disabled=no mac-address=DE:2C:6E:13:F3:BD master-interface=wlan1 name=wlan3 security-profile=work ssid=workshop vlan-id=20 vlan-mode=use-tag \
    wds-default-bridge=bridge wps-mode=disabled
add disabled=no mac-address=DE:2C:6E:13:F3:BE master-interface=wlan2 name=wlan4 security-profile=guest ssid=palomar vlan-id=30 vlan-mode=use-tag \
    wds-default-bridge=bridge wps-mode=disabled
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
# One pool per network; the unused pools from the first export are gone.
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=work_pool ranges=192.168.20.2-192.168.20.254
add name=guest_pool ranges=192.168.30.2-192.168.30.254
add name=home_pool ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=bridge lease-time=1h5m name=defconf server-address=192.168.1.1
add address-pool=work_pool interface=work_vlan name=work_dhcp
add address-pool=guest_pool interface=guest_vlan name=guest_dhcp server-address=192.168.30.1
add address-pool=home_pool interface=home_vlan name=home_dhcp
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
# Remote logging to 192.168.1.2 over plain (unencrypted) BSD syslog.
set 3 bsd-syslog=yes remote=192.168.1.2 src-address=192.168.1.1 syslog-severity=info
add bsd-syslog=yes name=browsinglog remote=192.168.1.2 src-address=192.168.1.1 syslog-severity=info target=remote
add bsd-syslog=yes name=nas remote=192.168.1.2 src-address=192.168.1.1 syslog-facility=syslog syslog-severity=info target=remote
/interface bridge port
# Wired access ports: ether3 untagged VLAN 20, ether7 untagged VLAN 30; all
# other wired ports stay on the bridge's default VLAN (192.168.1.0/24). Still
# no port in VLAN 10, so home_vlan has no clients.
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7 internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wlan2 internal-path-cost=10 path-cost=10
# wlan3/wlan4 admit only untagged frames, yet the wireless side sends tagged
# frames (vlan-mode=use-tag) and the VLAN table below lists them as *tagged*
# members — NOTE(review): three settings that disagree; the tagged frames from
# the virtual APs are most likely dropped at this port.
add bridge=bridge comment=work frame-types=admit-only-untagged-and-priority-tagged interface=wlan3 pvid=20
add bridge=bridge comment=guest frame-types=admit-only-untagged-and-priority-tagged interface=wlan4 pvid=30
/interface bridge settings
# Bridged traffic also traverses the /ip firewall chains.
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
# wlan3 and wlan4 are now tagged members of their VLANs (matches use-tag on the
# wireless side, not the untagged-only port entries above).
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge,wlan3 vlan-ids=20
add bridge=bridge tagged=bridge,wlan4 vlan-ids=30
/interface list member
# Unchanged from the first export apart from the dropped *1B/*1E entries: the
# VLAN interfaces are still only in the VLAN list, not in LAN. If the firewall
# sections (not shown here) are unchanged, the defconf LAN-keyed rules in the
# raw and input chains still do not match VLAN traffic; adding home_vlan,
# work_vlan and guest_vlan to LAN is the simplest fix.
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=home_vlan list=VLAN
add interface=work_vlan list=VLAN
add interface=guest_vlan list=VLAN
/interface wireless sniffer
# Capture settings for the wireless sniffer tool (all channels, include frames
# received with errors); these only take effect when the sniffer is run.
set multiple-channels=yes receive-errors=yes
/ip address
# NOTE(review): "*1B" and "*1E" are unresolved interface references - the export
# prints the internal id when the interface no longer exists. They duplicate the
# 192.168.10.1/24 and 192.168.20.1/24 addresses that are also assigned to
# home_vlan and work_vlan below; delete the two stale entries.
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.10.1/24 comment=guest interface=*1B network=192.168.10.0
add address=192.168.20.1/24 comment=work interface=*1E network=192.168.20.0
add address=192.168.20.1/24 interface=work_vlan network=192.168.20.0
add address=192.168.30.1/24 interface=guest_vlan network=192.168.30.0
add address=192.168.10.1/24 interface=home_vlan network=192.168.10.0
/ip cloud
# No clock sync from the MikroTik cloud service.
set update-time=no
/ip dhcp-client
# The factory DHCP client on ether1 is disabled; the uplink is the PPPoE session.
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
# Every VLAN is handed 192.168.1.2 (a host on the bridge's 192.168.1.0/24) as its
# DNS server, so name resolution for work/guest clients depends on a forward path
# into the 192.168.1.0/24 network.
# NOTE(review): the IPv4 forward chain below has neither an inter-VLAN rule nor a
# terminal drop, so home, work, guest and 192.168.1.0/24 can all reach each other.
add address=192.168.1.0/24 dns-server=192.168.1.2,1.1.1.1 domain=tunguska.cc gateway=192.168.1.1 netmask=24 ntp-server=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.1.2 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.1.2 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.1.2 gateway=192.168.30.1
/ip dns
# The router's own resolver forwards to public servers and answers remote
# queries; WAN is kept out by the input chain's "drop all not coming from LAN".
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=300 max-concurrent-tcp-sessions=100 query-server-timeout=1s \
    query-total-timeout=2s servers=1.1.1.1,1.0.0.1,9.9.9.9
/ip firewall address-list
# GOOGLE_DNS feeds the forward rule that blocks 8.8.8.8 / 8.8.4.4.
add address=8.8.8.8 comment="google DNS" list=GOOGLE_DNS
add address=8.8.4.4 comment="google DNS" list=GOOGLE_DNS
# RFC 6890 special-purpose ranges (defconf) consumed by the raw and forward chains.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" disabled=yes list=bad_dst_ipv4
# allowed_to_router is defined but not referenced by any rule in this
# configuration; allowed_lan gates the raw rule "drop local if not from default IP range".
add address=192.168.1.1-192.168.1.254 list=allowed_to_router
add address=192.168.0.0/16 comment="internal networks, including VLANs" list=allowed_lan
/ip firewall filter
# --- input chain ---
# ICMP is accepted unconditionally; the name assumes raw already filtered it, but
# the raw icmp4 chain below is never reached (see /ip firewall raw).
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Wholesale accept of everything arriving on home/work/guest: all router services
# are reachable from every VLAN, guest included; only the address= limits in
# /ip service narrow this further.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# LAN is only the bridge (see /interface list member), so in practice this drops WAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=notlan
# --- forward chain ---
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Accepts and logs every new NTP flow in any direction, ahead of the drops below.
add action=accept chain=forward comment="log ntp" dst-port=123 log=yes protocol=udp
add action=drop chain=forward comment="Drop google DNS" dst-address-list=GOOGLE_DNS log=yes log-prefix=googledns
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=fw_invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4 log=yes
# NOTE(review): no terminal drop and no VLAN-to-VLAN rule - anything not dropped
# above is forwarded, so home, work, guest and the bridge's 192.168.1.0/24 are
# not isolated from each other.
/ip firewall nat
# Source NAT for everything leaving through a WAN-list interface (ether1 / pppoe-out1).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
# Prerouting is evaluated top-down and the order here matters:
#  * "accept everything else from LAN"/"from WAN" and the unconditional "drop the
#    rest" all come BEFORE the jumps to icmp4 and bad_tcp, so those two chains are
#    never reached (dead rules).
#  * Traffic arriving on home_vlan/work_vlan/guest_vlan is in list VLAN, not LAN,
#    so it skips both LAN accepts (including "accept DHCP discover") and falls
#    through to "drop the rest" unless it is the UPnP multicast accept.
# NOTE(review): if the DHCP server's packets are subject to raw (the thread says
# disabling the firewall did not help, so this is not confirmed), the missing
# VLAN entries here would be enough to break DHCP on the VLAN interfaces.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp \
    src-address=0.0.0.0 src-port=68
# Matches on any interface (no in-interface filter) and logs every SSDP packet.
add action=accept chain=prerouting comment="accept UPnP" dst-address=239.255.255.250 log=yes log-prefix=unpn-preroute
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
# Everything below only sees packets that arrived on neither LAN nor WAN (i.e. the VLANs).
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4 log=yes log-prefix=bad_ip_bogon
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4 log=yes log-prefix=bad_ip_bogon
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN log=yes log-prefix=global_wan src-address-list=\
    not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address-list=allowed_lan in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN log=yes log-prefix=ip_out_range \
    src-address-list=!allowed_lan
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
# Unconditional drop - the two jumps after it can never match.
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
# bad_tcp: TCP flag sanity checks (unreachable, see above).
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
# icmp4: rate-limited echo plus the error types needed for PMTU/traceroute (unreachable, see above).
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
# Connection-tracking helpers (ALGs) for FTP and PPTP are disabled.
set ftp disabled=yes
set pptp disabled=yes
/ip ipsec policy
# The default IPsec policy is disabled; no IPsec peers are configured in this export.
set 0 disabled=yes
/ip route
# Disabled static route whose gateway "*10" is another unresolved interface id
# (the interface no longer exists) - a leftover that can be deleted.
add disabled=yes distance=1 dst-address=10.0.5.0/24 gateway=*10 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
# Clear-text management services (telnet, ftp, www, api) are disabled, as is
# winbox over IP (MAC-winbox stays on, see /tool mac-server mac-winbox).
set telnet address=192.168.1.0/24,192.168.88.0/24 disabled=yes
set ftp address=192.168.1.0/24 disabled=yes
set www address=192.168.1.0/24 disabled=yes
# SSH on a non-default port, limited to the bridge, home and work subnets -
# guest (192.168.30.0/24) is deliberately excluded.
set ssh address=192.168.1.0/24,192.168.10.0/24,192.168.20.0/24 port=2233
# HTTPS is reachable from all of 192.168.0.0/16 (guest included), TLS 1.2 only.
set www-ssl address=192.168.0.0/16 certificate=tunguska.cc.cer_0 disabled=no tls-version=only-1.2
set api address=192.168.1.0/24 disabled=yes
set winbox address=192.168.1.0/24 disabled=yes
set api-ssl certificate=*1 disabled=yes
/ip smb
set allow-guests=no
/ip ssh
# Strong ciphers only, 4096-bit host key, TCP forwarding restricted to local.
set forwarding-enabled=local host-key-size=4096 strong-crypto=yes
/ip traffic-flow
# NetFlow v9 export of flow records to the host at 192.168.1.2.
set active-flow-timeout=1m enabled=yes
/ip traffic-flow target
add dst-address=192.168.1.2 v9-template-timeout=1m
/ip upnp
# NOTE(review): UPnP lets any host on an internal interface request inbound port
# mappings without authentication, and allow-disable-external-interface=yes
# additionally lets such a host disable the external interface. Prefer
# enabled=no, or at the very least allow-disable-external-interface=no.
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
# Only the bridge is declared internal; no external (WAN) interface is declared
# in this export.
add interface=bridge type=internal
/ipv6 firewall address-list
# Inert while /ipv6 settings disable-ipv6=yes is set (see above). Mostly the
# defconf bogon lists; "allowed" (link-local + link-scope multicast) is user-added
# and is not referenced by any /ipv6 rule in this configuration.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
# Unmodified defconf IPv6 filter; inert while IPv6 is disabled globally.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# LAN is only the bridge here, so this would also drop input from the VLAN interfaces.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
/ipv6 firewall raw
# Inert while IPv6 is disabled globally. NOTE(review): unlike its IPv4 twin, the
# first rule ("enable for transparent firewall") is NOT disabled - it is an
# unconditional accept, so every rule below it in prerouting is dead should IPv6
# ever be turned on. Disable it (disabled=yes) before enabling IPv6.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# icmp6: RFC 4890 style allow-list; ND messages only from LAN with hop-limit 255.
add action=accept chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=\
    LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 \
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 \
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 \
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 \
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 \
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
/ipv6 nd
# Router advertisements are off (IPv6 is disabled anyway).
set [ find default=yes ] disabled=yes
/routing pimsm interface-template
# PIM-SM multicast routing on the LAN list (the bridge); "*1" is an instance
# reference the export could not resolve by name.
add disabled=no instance=*1 interfaces=LAN
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=router.tunguska.cc
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
# Logging rule 0 (the default entry) is disabled; info/warning/critical/error go
# to the "nas" action (plain BSD syslog to 192.168.1.2 - unauthenticated and
# unencrypted, acceptable only on a trusted segment), and dhcp debug messages are
# logged with the prefix dhcp-connect.
set 0 disabled=yes
add action=nas topics=info
add action=nas topics=warning
add action=nas topics=critical
add action=nas topics=error
add prefix=dhcp-connect topics=debug,dhcp
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
# Single unauthenticated NTP source.
add address=200.189.40.8
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet is off everywhere; MAC-winbox answers on the LAN list, i.e. on the
# bridge and therefore on every bridge port regardless of VLAN.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I moved the "Allow VLAN" input rule above the "drop all not coming from LAN" rule; nothing changed, and the same happens if I disable all firewall rules. The WPA handshake completes, meaning I can associate with the AP (a wrong password is rejected, for example), but clients on these virtual wireless interfaces never get an IP address. DHCP is working for the Ethernet ports.

Thanks again for your help!

Progress: the wlan3 and wlan4 interfaces had VLAN settings enabled in the Wireless interface definitions. After removing those settings, at least wlan3 has DHCP working! The 2.4 GHz interface, wlan2, does not route to the internet, but that's probably something minor. Any suggestions are still appreciated…

After wiping my configuration I started again from scratch, and finally got it working. This is my end-state configuration, for anyone interested:

/export hide-sensitive 
# 2024-02-02 07:15:07 by RouterOS 7.13
# software id = 65AU-E2NI
#
# model = RB4011iGS+5HacQ2HnD
# serial number =
/interface bridge
# Single VLAN-aware bridge. protocol-mode=none turns (R)STP off, so a cable loop
# between two access ports is not detected by the bridge itself.
add admin-mac=DC:2C:6E:13:F3:B3 auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes
/interface wireless
# Physical radios: wlan1 = 5 GHz (802.11ac, 80 MHz), wlan2 = 2.4 GHz. Both
# broadcast the same SSID so clients can roam between bands; WPS is disabled on
# wlan1 only (not set on wlan2 here). Both use the default security profile.
set [ find default-name=wlan1 ] band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country=brazil disabled=no distance=indoors frequency=5280 \
    frequency-mode=superchannel mode=ap-bridge secondary-frequency=auto ssid=loveandrockets wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n channel-width=20/40mhz-XX country=brazil disabled=no distance=indoors frequency=2447 frequency-mode=\
    superchannel installation=indoor mode=ap-bridge ssid=loveandrockets wireless-protocol=802.11
/interface vlan
# Routed VLAN interfaces on the bridge: 99 = base/management, 30 = guest,
# 10 = home, 20 = work.
add interface=bridge name=base_vlan vlan-id=99
add interface=bridge name=guest_vlan vlan-id=30
add interface=bridge name=home_vlan vlan-id=10
add interface=bridge name=work_vlan vlan-id=20
/interface pppoe-client
# WAN uplink over ether1; ac-name pins the access concentrator the client will
# accept, and the session installs the default route.
add ac-name=i-br-sp-scl-cli-hl4-01 add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=cliente@cliente
/interface list
# WAN/LAN are the factory lists; VLAN (home/work/guest) and BASE (management)
# are user-defined and drive the firewall and management-access rules below.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# All three profiles are WPA2-PSK; no management-frame protection is configured.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=workshop supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest supplicant-identity=MikroTik
/interface wireless
# Virtual APs on top of wlan1 (5 GHz) and wlan2 (2.4 GHz), each with its own SSID
# and PSK. They carry no VLAN options of their own - the VLAN is assigned by the
# bridge-port pvid further down (this is what fixed DHCP in the thread).
add disabled=no mac-address=DE:2C:6E:13:F3:BD master-interface=wlan1 name=wlan3 security-profile=workshop ssid=workshop
add disabled=no mac-address=2E:C8:1B:BF:E8:D6 master-interface=wlan2 name=wlan4 security-profile=guest ssid=paloma
/ip pool
# default-dhcp (192.168.88.x) is a factory leftover; no DHCP server below uses it.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=home_pool ranges=192.168.10.2-192.168.10.254
add name=work_pool ranges=192.168.20.2-192.168.20.254
add name=guest_pool ranges=192.168.30.2-192.168.30.254
# base_pool starts at .10, keeping .2-.9 outside the dynamic range.
add name=base_pool ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
# One DHCP server per routed VLAN interface, each bound to its own pool.
add address-pool=home_pool interface=home_vlan name=home_dhcp
add address-pool=work_pool interface=work_vlan name=work_dhcp
add address-pool=guest_pool interface=guest_vlan name=guest_dhcp
add address-pool=base_pool interface=base_vlan name=base_dhcp
/port
# Serial console port names (defaults).
set 0 name=serial0
set 1 name=serial1
/interface bridge port
# Every active port is an access port: only untagged/priority-tagged frames are
# admitted and the pvid selects the VLAN. ether2-7 + wlan1/wlan2 -> home (10),
# ether8 + wlan3 -> work (20), ether9 + wlan4 -> guest (30), ether10 -> base (99).
# sfp-sfpplus1 is disabled. ingress-filtering is not set explicitly on any port;
# adding ingress-filtering=yes makes the VLAN-membership check explicit.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=30
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=99
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan4 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan3 pvid=20
/ip neighbor discovery-settings
# Neighbor discovery only on the management (BASE) list.
set discover-interface-list=BASE
/interface bridge vlan
# Only the CPU (bridge) is a tagged member of each VLAN; access ports join
# untagged through their pvid. No wireless port is listed as tagged here, unlike
# the first configuration.
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge vlan-ids=30
add bridge=bridge tagged=bridge vlan-ids=99
/interface list member
# LAN holds only the bridge and is not referenced by any firewall rule in this
# configuration; VLAN = home/work/guest, BASE = management VLAN 99,
# WAN = ether1 + the PPPoE session. base_vlan is deliberately kept out of VLAN.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=home_vlan list=VLAN
add interface=work_vlan list=VLAN
add interface=guest_vlan list=VLAN
add interface=base_vlan list=BASE
add interface=pppoe-out1 list=WAN
/ip address
# One /24 per VLAN with the router as .1; nothing is addressed on the bare bridge.
add address=192.168.0.1/24 interface=base_vlan network=192.168.0.0
add address=192.168.10.1/24 interface=home_vlan network=192.168.10.0
add address=192.168.20.1/24 interface=work_vlan network=192.168.20.0
add address=192.168.30.1/24 interface=guest_vlan network=192.168.30.0
/ip dhcp-client
# NOTE(review): an *active* DHCP client on the raw WAN port, alongside the PPPoE
# session. Any DHCP server reachable on the ether1 segment can hand this router a
# lease - presumably with a default route and DNS servers, given the client's
# defaults - so disable it unless ether1 is meant to be a second, plain-DHCP uplink.
add comment=defconf interface=ether1
/ip dhcp-server lease
# Static leases for known home and work devices. These fixed addresses are the
# natural candidates for a narrow allowed_to_router list (instead of the current
# 192.168.0.0/16).
add address=192.168.10.12 client-id=1:f8:4d:89:86:44:94 mac-address=F8:4D:89:86:44:94 server=home_dhcp
add address=192.168.10.2 client-id=1:90:9:d0:f:5a:8d mac-address=90:09:D0:0F:5A:8D server=home_dhcp
add address=192.168.10.4 client-id=1:0:6:78:b0:da:50 mac-address=00:06:78:B0:DA:50 server=home_dhcp
add address=192.168.10.5 client-id=1:4:27:28:ba:e8:c5 mac-address=04:27:28:BA:E8:C5 server=home_dhcp
add address=192.168.20.2 client-id=1:8:26:ae:39:f3:50 mac-address=08:26:AE:39:F3:50 server=work_dhcp
add address=192.168.20.10 client-id=1:88:66:5a:3c:6f:89 mac-address=88:66:5A:3C:6F:89 server=work_dhcp
add address=192.168.10.17 client-id=1:44:d2:44:8:e1:7d mac-address=44:D2:44:08:E1:7D server=home_dhcp
add address=192.168.20.11 client-id=1:d8:68:a0:9f:17:1c mac-address=D8:68:A0:9F:17:1C server=work_dhcp
add address=192.168.10.10 client-id=1:3a:e1:df:d:44:33 mac-address=3A:E1:DF:0D:44:33 server=home_dhcp
add address=192.168.10.11 mac-address=A8:B5:7C:FE:12:2A server=home_dhcp
add address=192.168.10.18 client-id=1:b8:27:eb:45:d1:d6 mac-address=B8:27:EB:45:D1:D6 server=home_dhcp
/ip dhcp-server network
# Clients are pointed straight at public resolvers (1.1.1.1, 9.9.9.9) rather than
# at the router; the forward rule "VLAN Internet Access only" lets that out.
add address=192.168.0.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=192.168.30.1
/ip dns
# The router's resolver still answers remote queries from anything the input
# chain admits (all of 192.168.0.0/16); WAN is stopped by the input chain's final drop.
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
# Stale factory entry - 192.168.88.1 is no longer an address on this router.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# GOOGLE_DNS feeds the forward rule "Drop google DNS".
add address=8.8.8.8 comment="google DNS" list=GOOGLE_DNS
add address=8.8.4.4 comment="google DNS" list=GOOGLE_DNS
# RFC 6890 special-purpose ranges (defconf). Only no_forward_ipv4 is referenced by
# a rule in this configuration; the raw chain that used the others was removed.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" disabled=yes list=bad_dst_ipv4
# NOTE(review): allowed_to_router spans the whole 192.168.0.0/16, i.e. every host
# in every VLAN including guest, and the input chain accepts it wholesale.
# Restrict it to the admin hosts' (static-lease) addresses.
# allowed_lan is not referenced by any rule in this configuration.
add address=192.168.0.0/16 list=allowed_to_router
add address=192.168.0.0/16 comment="internal networks, including VLANs" list=allowed_lan
/ip firewall filter
# --- input chain ---
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# allowed_to_router is 192.168.0.0/16, which already covers base_vlan and every
# VLAN subnet, so the two accepts that follow never match anything this one did
# not. Net effect: every router service is open to guest_vlan as well.
add action=accept chain=input comment="Allow local net to router" src-address-list=allowed_to_router
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=base_vlan
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# Terminal drop - this is what keeps WAN out of the router.
add action=drop chain=input comment=Drop
# --- forward chain ---
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# base_vlan may open connections to anything (other VLANs and WAN).
add action=accept chain=forward comment="Allow Base_Vlan Full Access" in-interface=base_vlan
# home/work/guest may only open connections towards WAN; together with the final
# drop this is what isolates the three VLANs from each other.
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
# NOTE(review): dead rule for LAN-originated traffic - the two accepts above have
# already matched base_vlan and VLAN->WAN flows, so 8.8.8.8/8.8.4.4 are never
# blocked. Move this rule (and "drop invalid") above "Allow Base_Vlan Full Access".
add action=drop chain=forward comment="Drop google DNS" dst-address-list=GOOGLE_DNS log=yes log-prefix=googledns
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=fw_invalid
# Redundant with the final drop: /ip firewall nat has no dstnat rules.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4 log=yes
add action=drop chain=forward comment=Drop
/ip firewall nat
# Source NAT for everything leaving through a WAN-list interface.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# NOTE(review): the first configuration bound ssh to specific subnets; here it has
# no address= limit, so it is reachable from everything the input chain admits
# (all of 192.168.0.0/16, guest included). Add address= for the admin subnets.
set ssh port=2233
# NOTE(review): tls-version=only-1.2 from the first configuration was dropped here.
set www-ssl address=192.168.0.0/16 certificate=tunguska.cc.cer_0 disabled=no
set api disabled=yes
# Winbox over IP is open to every VLAN, including guest; narrow this to the
# base/admin subnets.
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16 certificate=tunguska.cc.cer_0 disabled=yes
/ipv6 firewall address-list
# bad_ipv6 is not referenced by any /ipv6 rule in this configuration (the raw chain
# was removed); "allowed" (link-local + link-scope multicast) feeds the input rule
# "allow allowed addresses".
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
# No /ipv6 settings section appears in this export, so whether IPv6 is actually
# enabled cannot be told from here; the chains below apply if it is.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# All ICMPv6 is accepted to the router without rate limiting or type filtering.
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Duplicate of the first input rule (already accepted above).
add action=accept chain=input comment="allow established and related" connection-state=established,related
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=drop chain=input comment="Drop all"
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
# No IPv6 forwarding at all. NOTE: log-prefix is set but log=yes is not, so
# this rule does not actually log.
add action=drop chain=forward comment="drop all" log-prefix=IPV6
/system clock
set time-zone-name=America/Sao_Paulo
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
# "system,info" events (logins among them) are logged with prefix "login";
# no action is given, so the default action applies. Remote syslog from the
# first configuration is gone.
add prefix=login topics=system,info
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet and MAC-winbox are answered only on the BASE (management) list.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
[imarin@MikroTik] >

I ended up creating four VLANs: base, home, work and guest. The two physical wlans share the same SSID, to make switching between 5 GHz and 2.4 GHz transparent, while wlan3 is the work wireless interface and wlan4 is the guest wireless interface. I dropped all the raw firewall rules for now. Any suggestions for improvement are still very welcome! Thanks.

Very nice!

Comments:

  • you can remove the old reference to IP pool 192.168.88.x (`default-dhcp`): no DHCP server uses it any more.
  • you can add `ingress-filtering=yes` to all your `/interface bridge port` lines, so that frames tagged with a VLAN the port is not a member of are dropped at ingress.
  • you can remove `bridge` from the LAN interface list: no remaining firewall rule references LAN.
  • not sure why you don't have base_vlan as part of the VLAN interface list?
  • your should remove/disable ip dhcp client settings as pppoe WAN is all done under different settings. ( unless this is a wan2?)
  • you can remove old static dns setting for 192.168.88.1
  • your input chain concept of allowing base_vlan, all the other VLANs, and a src-address-list into the input chain makes little sense from a functional or security perspective.


    # NOTE(review): the typographic quotes around the comment= values are not valid RouterOS
    # quoting; use plain " when pasting these lines.
    # The first rule already admits every source the next two rules admit (see the subnet
    # breakdown below), so rules two and three add nothing but a wider attack surface.
    add action=accept chain=input comment=“Allow local net to router” src-address-list=allowed_to_router
    add action=accept chain=input comment=“Allow Base_Vlan Full Access” in-interface=base_vlan
    add action=accept chain=input comment=“Allow VLAN” in-interface-list=VLAN

The first rule allows 192.168.0.0/16 to the router.
The second rule allows 192.168.0.0/24 to the router.
The third rule allows 192.168.[10,20,30].0/24 to the router, so the second and third rules are already covered by the first.

The source-address-list approach is optimal, but it should only contain the IP addresses that the admin uses (static DHCP lease addresses):

  • from the admin devices on base vlan
  • from the admin devices on home vlan
  • from the admin devices on work vlan
    (wifi and wired)
  • any remote VPN addresses

What the local subnets ONLY need is typically access to the router for DNS services (and sometimes NTP).
# Admin hosts (the allowed_to_router list) get unrestricted access to the router.
add action=accept chain=input comment=“Allow admin to router” src-address-list=allowed_to_router
# Every other client may only reach the router's DNS resolver on port 53.
# NOTE(review): the TCP rule matches in-interface-list=VLAN while the UDP rule matches
# in-interface-list=LAN; presumably both are meant to use the same list — confirm.
# The typographic quotes around comment= must be plain " when pasted into RouterOS.
add action=accept chain=input comment=“DNS - TCP” dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment=“DNS - UDP” dst-port=53 in-interface-list=LAN protocol=udp

I leave it to you to re-examine the forward chain, figure out what makes more sense, and look for redundancies, etc.
I would not leave the WinBox address wide open; if you are going to use this entry, only put in the subnets the admin will be accessing the router from.
Note that WinBox access is limited to the BASE VLAN only at the moment, so if you access the router from other subnets like home or work, those need to be included in the BASE interface list.
That is why I prefer the source-address list as the de facto control over who has access.
/tool mac-server mac-winbox
# MAC-WinBox is only reachable from interfaces in the BASE list, regardless of the IP firewall.
set allowed-interface-list=BASE

You can remove all the IPv6 rules etc. (and disable IPv6 as well) if it is not being used.

Thank you so much for your help! I cleaned up the rules and now it looks like this:

/ip firewall address-list
# no_forward_ipv4: link-local, multicast and broadcast ranges that the forward chain drops.
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
# GOOGLE_DNS: destinations matched by the "Drop google DNS" forward rule.
add address=8.8.8.8 comment="google DNS" list=GOOGLE_DNS
add address=8.8.4.4 comment="google DNS" list=GOOGLE_DNS
# redirect_dns: hosts whose port-53 traffic is dst-nat'ed to 192.168.10.2.
add address=192.168.10.11 comment=roku list=redirect_dns
add address=192.168.10.7 comment=chiba list=redirect_dns
# allowed_to_router: sources granted full access to the router's input chain.
# NOTE(review): the last entry admits the entire 192.168.0.0/24 subnet, so every host on it
# has full management access, not only admin devices; the two /32 entries are the
# host-level model the rest of the list should follow.
add address=192.168.10.7 list=allowed_to_router
add address=192.168.10.12 list=allowed_to_router
add address=192.168.0.0/24 list=allowed_to_router

/ip firewall filter
# --- input chain (rules are evaluated in order; the first accept/drop that matches wins) ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Full access for the allowed_to_router list (which includes all of 192.168.0.0/24).
add action=accept chain=input comment="Allow list to router" src-address-list=allowed_to_router
# Everyone else on the VLAN interface list may only use the router's DNS resolver.
add action=accept chain=input comment="Allow query DNS server in router  - UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow query DNS server in router - TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
# Anything else addressed to the router is silently dropped (no log=yes).
add action=drop chain=input comment=Drop
# --- forward chain ---
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# New connections from VLAN interfaces are accepted only towards WAN; inter-VLAN traffic
# has no accept rule and falls through to the final drop.
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
# NOTE(review): this drop sits after the VLAN->WAN accept above, so new connections from the
# VLAN list to 8.8.8.8/8.8.4.4 are already accepted and never reach it; it can only affect
# traffic from interfaces outside the VLAN list. Move it above that accept for it to take
# effect, and add protocol=udp/tcp dst-port=53 if only DNS (not all traffic) is meant.
add action=drop chain=forward comment="Drop google DNS" dst-address-list=GOOGLE_DNS log=yes log-prefix=googledns
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=fw_invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4 log=yes
add action=drop chain=forward comment=Drop

/ip firewall nat
# NTP source-port rewrite. It has no out-interface match, so it applies to any routed UDP
# flow with src-port 123, not only traffic leaving via WAN.
add action=masquerade chain=srcnat comment="fix the ntp client by changing its source port 123 with something higher (mikrotik forum 794718)" protocol=\
    udp src-port=123 to-ports=12400-12440
# Default masquerade, limited to traffic leaving through the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Masquerade for the redirected DNS flows (the redirect_dns hosts and 192.168.10.2 are in the
# same /24), so the resolver's replies return via the router instead of directly to the client.
# NOTE(review): the defconf rule above matches only out-interface-list=WAN, so it does not
# explain zero counters on these two rules for traffic routed to 192.168.10.2; confirm whether
# these flows actually traverse the router before relying on their removal.
add action=masquerade chain=srcnat dst-address=192.168.10.2 dst-port=53 log=yes log-prefix=roku_dns_src protocol=udp src-address-list=redirect_dns
add action=masquerade chain=srcnat dst-address=192.168.10.2 dst-port=53 log=yes log-prefix=roku_dns_src protocol=tcp src-address-list=redirect_dns
# Port-53 traffic from the redirect_dns hosts is sent to 192.168.10.2 regardless of the
# resolver the client asked for.
add action=dst-nat chain=dstnat dst-port=53 log-prefix=roku_dns_dst protocol=udp src-address-list=redirect_dns to-addresses=192.168.10.2 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 log-prefix=roku_dns_dst protocol=tcp src-address-list=redirect_dns to-addresses=192.168.10.2 to-ports=53

Everything seems to be working as expected:

  • only machines in the allowed_to_router list can access it
  • removed redundant rules
  • added a fix for NTP because of my crappy ISP
  • I’m redirecting DNS requests from a specific list (cof cof Roku cof cof) to a pihole
  • not sure if I need to keep the "drop Google DNS" rule in there, but I’ll keep it for now.

I’m a bit confused by the NAT counters: they show zero for the srcnat masquerade rules, but without these rules the DNS queries are not redirected. Is this expected?

Thanks a bunch again!

The default masquerade rule catches everything, so nothing reaches the srcnat rules after it. Perhaps these srcnat rules are not needed, only the dstnat rules?

You are correct. Keeping the catch-all srcnat rule and removing the two below it didn’t affect the dstnat ones, and I continue to capture the DNS requests of a very misbehaved appliance on my network.